setroubleshoot-plugins-3.0.40-3.1.0.1.AXS4, setroubleshoot-3.0.47-12.0.1.AXS4

エラータID: AXSA:2016-543:01

Release date: 
Friday, July 8, 2016 - 11:47
Subject: 
setroubleshoot-plugins-3.0.40-3.1.0.1.AXS4, setroubleshoot-3.0.47-12.0.1.AXS4
Affected Channels: 
Asianux Server 4 for x86_64
Asianux Server 4 for x86
Severity: 
High
Description: 

setroubleshoot
setroubleshoot GUI. Application that allows you to view setroubleshoot-server
messages.
Provides tools to help diagnose SELinux problems. When AVC messages
are generated an alert can be generated that will give information
about the problem and help track its resolution. Alerts can be configured
to user preference. The same tools can be run on existing log files.

setroubleshoot-plugins
This package provides a set of analysis plugins for use with
setroubleshoot. Each plugin has the capacity to analyze SELinux AVC
data and system data to provide user friendly reports describing how
to interpret SELinux AVC denials.

Security issues fixed with this release:

CVE-2016-4444
** RESERVED **
This candidate has been reserved by an organization or individual that
will use it when announcing a new security problem. When the
candidate has been publicized, the details for this candidate will be
provided.
CVE-2016-4445
** RESERVED **
This candidate has been reserved by an organization or individual that
will use it when announcing a new security problem. When the
candidate has been publicized, the details for this candidate will be
provided.
CVE-2016-4446
** RESERVED **
This candidate has been reserved by an organization or individual that
will use it when announcing a new security problem. When the
candidate has been publicized, the details for this candidate will be
provided.
CVE-2016-4989
** RESERVED **
This candidate has been reserved by an organization or individual that
will use it when announcing a new security problem. When the
candidate has been publicized, the details for this candidate will be
provided.

Solution: 

Update packages.

CVEs: 
CVE-2016-4444
The allow_execmod plugin for setroubleshoot before 3.2.23 allows local users to execute arbitrary commands by triggering an execmod SELinux denial with a crafted binary filename, related to the commands.getstatusoutput function.
CVE-2016-4445
The fix_lookup_id function in sealert in setroubleshoot before 3.2.23 allows local users to execute arbitrary commands as root by triggering an SELinux denial with a crafted file name, related to executing external commands with the commands.getstatusoutput function.
CVE-2016-4446
The allow_execstack plugin for setroubleshoot allows local users to execute arbitrary commands by triggering an execstack SELinux denial with a crafted filename, related to the commands.getoutput function.
CVE-2016-4989
setroubleshoot allows local users to bypass an intended container protection mechanism and execute arbitrary commands by (1) triggering an SELinux denial with a crafted file name, which is handled by the _set_tpath function in audit_data.py or via a crafted (2) local_id or (3) analysis_id field in a crafted XML document to the run_fix function in SetroubleshootFixit.py, related to the subprocess.check_output and commands.getstatusoutput functions, a different vulnerability than CVE-2016-4445.
Additional Info: 

N/A

Download: 

SRPMS
  1. setroubleshoot-plugins-3.0.40-3.1.0.1.AXS4.src.rpm
    MD5: c39627d9f1943bb7161df46c60a7effb
    SHA-256: 62ab7de45fe0c3b2af1ac8fca3a4cd0e271fb919fee1e1cda88312af03d3efe8
    Size: 2.02 MB
  2. setroubleshoot-3.0.47-12.0.1.AXS4.src.rpm
    MD5: 2dd89b9c710cfb7fa86c2d6483b8996d
    SHA-256: 7f13c4671518a71a956cd4f48407df84f94d22591028576fee895740063c2061
    Size: 1.52 MB

Asianux Server 4 for x86
  1. setroubleshoot-plugins-3.0.40-3.1.0.1.AXS4.noarch.rpm
    MD5: 8cbdc64c0be18b5a6638f6029a894a2d
    SHA-256: 71fa35b1e16edc46e6764d2f24069977972622ab1b3db6f8534112731c85d918
    Size: 505.59 kB
  2. setroubleshoot-3.0.47-12.0.1.AXS4.i686.rpm
    MD5: d2b37f1aa0907762da608ddcf8a8caab
    SHA-256: 8bc7063bf2c5cc0dba364358194ee96d7f0e3b5a39adea1b0e9ef077e5467737
    Size: 118.28 kB
  3. setroubleshoot-server-3.0.47-12.0.1.AXS4.i686.rpm
    MD5: 6186a39dd6b458a2f33160e5cb37fc4f
    SHA-256: e606ab3f2824cab6c029765347b90a94d1a5a8d9b21e0d011ad3de2211682938
    Size: 1.29 MB

Asianux Server 4 for x86_64
  1. setroubleshoot-plugins-3.0.40-3.1.0.1.AXS4.noarch.rpm
    MD5: b2186e2e625a4f493d2c9fcf74f1f266
    SHA-256: ba49916e58827871f325ad9819eaf9694c06fcd4941919b517424139f1e6ecd4
    Size: 505.16 kB
  2. setroubleshoot-3.0.47-12.0.1.AXS4.x86_64.rpm
    MD5: 3b5c0047c6b58f35fed7a5b961cc3e40
    SHA-256: 7aee797d9a2bbf29c5db5355e86d4d5d2efd29e25fb2d36c06ae065b5b8915de
    Size: 118.29 kB
  3. setroubleshoot-server-3.0.47-12.0.1.AXS4.x86_64.rpm
    MD5: aa8c7d4284830ba6e4c12975fb772804
    SHA-256: 590675e05b6cc5548c8a73438fd0ab97fb9ed6085f375027f34d4c30f4a4a3a2
    Size: 1.29 MB