CVE-2019-3688

| Field | Value |
|---|---|
| Name | CVE-2019-3688 |
| Description | The /usr/sbin/pinger binary packaged with squid in SUSE Linux Enterprise Server 15 before and including version 4.8-5.8.1 and in SUSE Linux Enterprise Server 12 before and including 3.5.21-26.17.1 had squid:root, 0750 permissions. This allowed an attacker that compromised the squid user to gain persistence by changing the binary. |
| Source | CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more) |
| NVD severity | medium |

Vulnerable and fixed packages

The table below lists information on source packages.

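| Source Package | Release | Version | Status |
|---|---|---|---|
| squid (PTS) | buster | 4.6-1+deb10u1 | fixed |
| squid | buster (security) | 4.6-1+deb10u2 | fixed |
| squid | bullseye | 4.11-2 | fixed |
| squid | sid | 4.11-5 | fixed |
| squid3 (PTS) | jessie | 3.4.8-6+deb8u5 | fixed |
| squid3 | jessie (security) | 3.4.8-6+deb8u9 | fixed |
| squid3 | stretch (security), stretch | 3.5.23-5+deb9u1 | fixed |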

The information below is based on the following data on fixed versions.

| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| squid | source | (unstable) | (not affected) | | | |
| squid3 | source | (unstable) | (not affected) | | | |

Notes

- squid <not-affected> (/usr/lib/squid/pinger permissions are root:root)
- squid3 <not-affected> (/usr/lib/squid/pinger permissions are root:root)
