Amazon Linux 2 Security Advisory: ALAS-2019-1324
Advisory Release Date: 2019-10-21 18:01 Pacific
Advisory Updated Date: 2019-10-23 23:47 Pacific
It was discovered that keycloak-httpd-client-install uses a predictable log file name in /tmp. A local attacker could create a symbolic link to a sensitive location, possibly causing data corruption or denial of service. (CVE-2017-15111)
In keycloak-httpd-client-install prior to version 0.8, the admin password could be provided through a command-line argument. This might result in the password being leaked through shell history, or becoming visible to a local attacker at the time the program is running. (CVE-2017-15112)
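The predictable log file issue (CVE-2017-15111), shown as an added example that is not code from keycloak-httpd-client-install or from this advisory: a plain open() on a fixed name writes through a symbolic link that already exists there, while exclusive creation or an unpredictable name does not. The file names `install.log` and `important.conf` are hypothetical, and a scratch directory stands in for /tmp.

```python
import os
import stat
import tempfile

def open_log_naive(path):
    """Vulnerable pattern: open() follows a symlink planted at a predictable path."""
    return open(path, "w")

def open_log_hardened(path):
    """Create the log only if nothing exists at path; never follow a symlink."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | os.O_NOFOLLOW
    return os.fdopen(os.open(path, flags, 0o600), "w")

def open_log_private(directory=None):
    """Alternative: unpredictable name, created atomically with mode 0600."""
    fd, path = tempfile.mkstemp(prefix="install-", suffix=".log", dir=directory)
    return os.fdopen(fd, "w"), path

def demo():
    """Constructed scenario; a scratch directory stands in for /tmp."""
    original = "original contents\n"
    out = {}
    with tempfile.TemporaryDirectory() as scratch:
        target = os.path.join(scratch, "important.conf")   # stand-in sensitive file
        log_path = os.path.join(scratch, "install.log")    # hypothetical fixed name
        with open(target, "w") as f:
            f.write(original)
        os.symlink(target, log_path)                        # link planted beforehand

        with open_log_naive(log_path) as log:               # writes through the link
            log.write("log line\n")
        with open(target) as f:
            out["naive_overwrote_target"] = f.read() != original

        with open(target, "w") as f:                        # restore, then retry
            f.write(original)
        try:
            open_log_hardened(log_path).close()
            out["hardened_refused_link"] = False
        except OSError:                                     # EEXIST: path is taken
            out["hardened_refused_link"] = True
        with open(target) as f:
            out["target_intact"] = f.read() == original

        log, path = open_log_private(scratch)
        log.close()
        out["private_mode"] = stat.S_IMODE(os.stat(path).st_mode)
    return out

if __name__ == "__main__":
    print(demo())
```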
Affected Packages:
keycloak-httpd-client-install
Note:
This advisory is applicable to Amazon Linux 2 (AL2) Core repository. Visit this FAQ section for the difference between AL2 Core and AL2 Extras advisories.
Issue Correction:
Run yum update keycloak-httpd-client-install to update your system.
noarch:
keycloak-httpd-client-install-0.8-1.amzn2.noarch
python2-keycloak-httpd-client-install-0.8-1.amzn2.noarch
src:
keycloak-httpd-client-install-0.8-1.amzn2.src