Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

oracle-oval логотип

ELSA-2016-1293

Опубликовано: 23 июн. 2016
Источник: oracle-oval
Платформа: Oracle Linux 7

Описание

ELSA-2016-1293: setroubleshoot and setroubleshoot-plugins security update (IMPORTANT)

setroubleshoot [3.2.24-4.0.1]

  • Add setroubleshoot-oracle-enterprise.patch to change bug reporting URL to linux.oracle.com

[3.2.24-4]

  • Catch all subprocess module exceptions

[3.2.24-3]

  • Use subprocess.check_output() with a sequence of program arguments

[3.2.24-2]

  • Do not use dangerous shell=True

setroubleshoot-plugins [3.0.59-2.0.1]

  • Add setroubleshoot-plugins-oracle-config.patch to use oracle url
  • Add setroubleshoot-plugins-oracle-po.patch to use oracle url for po

[3.0.59-2]

  • Don't use commands.get*output() Resolves: CVE-2016-4444, CVE-2016-4446

Обновленные пакеты

Oracle Linux 7

Oracle Linux x86_64

setroubleshoot

3.2.24-4.0.1.el7_2

setroubleshoot-plugins

3.0.59-2.0.1.el7_2

setroubleshoot-server

3.2.24-4.0.1.el7_2

Связанные CVE

CVE-2016-4446
CVE-2016-4444
CVE-2016-4989

Ссылки на источники

Связанные уязвимости

oracle-oval логотип

ELSA-2016-1267

oracle-oval
около 9 лет назад

ELSA-2016-1267: setroubleshoot and setroubleshoot-plugins security update (IMPORTANT)

redhat логотип

CVE-2016-4446

redhat
около 9 лет назад

The allow_execstack plugin for setroubleshoot allows local users to execute arbitrary commands by triggering an execstack SELinux denial with a crafted filename, related to the commands.getoutput function.

nvd логотип

CVE-2016-4446

CVSS3: 7
nvd
больше 8 лет назад

The allow_execstack plugin for setroubleshoot allows local users to execute arbitrary commands by triggering an execstack SELinux denial with a crafted filename, related to the commands.getoutput function.

github логотип

GHSA-chj8-3w35-5698

CVSS3: 7
github
больше 3 лет назад

The allow_execstack plugin for setroubleshoot allows local users to execute arbitrary commands by triggering an execstack SELinux denial with a crafted filename, related to the commands.getoutput function.

redhat логотип

CVE-2016-4989

redhat
около 9 лет назад

setroubleshoot allows local users to bypass an intended container protection mechanism and execute arbitrary commands by (1) triggering an SELinux denial with a crafted file name, which is handled by the _set_tpath function in audit_data.py or via a crafted (2) local_id or (3) analysis_id field in a crafted XML document to the run_fix function in SetroubleshootFixit.py, related to the subprocess.check_output and commands.getstatusoutput functions, a different vulnerability than CVE-2016-4445.