setroubleshoot-plugins-3.0.59-2.0.1.el7.AXS7, setroubleshoot-3.2.24-4.0.1.el7.AXS7
Errata ID: AXSA:2016-547:01
Release date:
2016/07/11 Monday - 17:24
Title:
setroubleshoot-plugins-3.0.59-2.0.1.el7.AXS7, setroubleshoot-3.2.24-4.0.1.el7.AXS7
Affected channels:
Asianux Server 7 for x86_64
Severity:
High
Description:
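[Fixes]
The following items have been addressed.
[Security Fix]
- Information on CVE-2016-4444, CVE-2016-4446, and CVE-2016-4989 has not been published at this time. This advisory will be updated as soon as the CVE information is published.
Some of the translated CVE descriptions are quoted from JVN.
http://jvndb.jvn.jp/
Solution:
Update the packages.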
CVE:
CVE-2016-4444
The allow_execmod plugin for setroubleshoot before 3.2.23 allows local users to execute arbitrary commands by triggering an execmod SELinux denial with a crafted binary filename, related to the commands.getstatusoutput function.
CVE-2016-4446
The allow_execstack plugin for setroubleshoot allows local users to execute arbitrary commands by triggering an execstack SELinux denial with a crafted filename, related to the commands.getoutput function.
CVE-2016-4989
setroubleshoot allows local users to bypass an intended container protection mechanism and execute arbitrary commands by (1) triggering an SELinux denial with a crafted file name, which is handled by the _set_tpath function in audit_data.py or via a crafted (2) local_id or (3) analysis_id field in a crafted XML document to the run_fix function in SetroubleshootFixit.py, related to the subprocess.check_output and commands.getstatusoutput functions, a different vulnerability than CVE-2016-4445.
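The three CVE entries above share one pattern: a file name taken from an SELinux denial ends up inside a command string that a shell interprets. The following is an added example, not setroubleshoot's code and not part of the original advisory; it uses Python 3, where subprocess.getstatusoutput is the successor of the commands.getstatusoutput function named above, and the helper names, the echo command and the sample file name are assumptions constructed for illustration.

```python
import shlex
import subprocess

# Constructed sample: a file name carrying shell command substitution.
# The embedded command is a harmless echo that only leaves a marker.
CRAFTED_NAME = "lib$(echo INJECTED).so"


def describe_unsafe(path):
    """Weak form: the name is interpolated into a string that /bin/sh parses."""
    _status, output = subprocess.getstatusoutput("echo checking %s" % path)
    return output


def describe_safe(path):
    """Hardened form: argument list and no shell, so the name stays one literal argument."""
    result = subprocess.run(
        ["echo", "checking", path],
        capture_output=True,
        text=True,
        check=False,
    )
    return result.stdout.rstrip("\n")


def describe_quoted(path):
    """Fallback when a shell string cannot be avoided: quote the name with shlex.quote."""
    _status, output = subprocess.getstatusoutput(
        "echo checking %s" % shlex.quote(path)
    )
    return output


if __name__ == "__main__":
    # The unsafe variant shows the marker because the shell expanded the name;
    # the other two print the file name unchanged.
    for fn in (describe_unsafe, describe_safe, describe_quoted):
        print("%-16s %s" % (fn.__name__, fn(CRAFTED_NAME)))
```

When reviewing code for this class of bug, any call that builds a shell string from a path, process name or other field copied out of an audit record deserves the same treatment as describe_safe.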
Additional information:
N/A
Downloads:
SRPMS
- setroubleshoot-plugins-3.0.59-2.0.1.el7.AXS7.src.rpm
MD5: 31895480a1d9565217b2f2f8bc921ae2
SHA-256: c3740540dca724fcbd8052c69ddbdc529b4d730ce60a26e9120367063277bcfa
Size: 2.38 MB
- setroubleshoot-3.2.24-4.0.1.el7.AXS7.src.rpm
MD5: 2d9a893faf6ca064e2c956079f02a8b1
SHA-256: 43e3ae5d7e5bad646c2172ce1c5d9a2107569f70df8f8d6696564a82ca0797ca
Size: 1.44 MB
Asianux Server 7 for x86_64
- setroubleshoot-plugins-3.0.59-2.0.1.el7.AXS7.noarch.rpm
MD5: ba1826ac2075ed5539f923bee6919796
SHA-256: 343ea984a3c295477fdbaf07471041e0ba30f2a6e62d08e61a79fcb90a7564c4
Size: 585.96 kB
- setroubleshoot-3.2.24-4.0.1.el7.AXS7.x86_64.rpm
MD5: d0040a4f23d6e95a5428c17a67006e70
SHA-256: 75ec95b6840488970fb4a9915ad4d1ea31c1b4e4352ffa4e1d1c0250ba07c3a9
Size: 126.30 kB
- setroubleshoot-server-3.2.24-4.0.1.el7.AXS7.x86_64.rpm
MD5: b3aea85b27eca6a890127bcd248fd612
SHA-256: 5e066fde65f0f552ec5461b08d8abf4ae051a89e9a304df169acc620eb577c7c
Size: 344.52 kB