[security-dev] updateCredential will leak

Bill Burke bburke at redhat.com
Sun Aug 11 08:58:05 EDT 2013

updateCredential doesn't update the old one, it creates a new one.  The 
only reason this works is because the password handler queries for the 
most current credential.  (Same as TOTP).

This will be a storage leak over time as passwords are reset and tokens 


Bill Burke
JBoss, a division of Red Hat
