Bugzilla – Bug 1093414
VUL-0: CVE-2019-3688: squid: /usr/sbin/pinger packaged with wrong permission
Last modified: 2023-04-06 09:15:13 UTC
I'm using SUSE Linux Enterprise Server 15 RC4 and squid-4.0.23-3.30.x86_64.

Just after installation, RPM warns me that it fixed pinger permission:

setting /usr/sbin/pinger to squid:root 0750 "= cap_net_raw+ep". (wrong owner/group root:squid, missing capabilities)

I checked squid, /etc/permissions.* and squid.rpm and they do not match:

# rpm -q squid --dump | grep pinger
/usr/sbin/pinger 76488 1525295718 c83b442c035c575b7ea31212ec649b174cd417726c67f272fda0507ad50c50cf 0100750 root squid 0 0 0 X
# ls /usr/sbin/pinger -la
-rwxr-x--- 1 squid root 76488 mai 2 18:15 /usr/sbin/pinger
# grep pinger /etc/permissions.easy
/usr/sbin/pinger squid:root 0750

Someone is wrong here. If the right is squid:root (I guess the correct one), it is a minor problem and chkstat is fixing the problem and it is just an extra touched file in the FS. If it is the opposite, something might not work.

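The comparison made by hand in the report above (rpm --dump output against a permissions profile), as an added example that is not part of the original report or of SUSE's tooling. The function names are hypothetical, the pinger lines are the ones quoted in the report, and the /usr/bin/example lines are constructed.

```python
from typing import Dict, List, NamedTuple, Tuple


class Perm(NamedTuple):
    owner: str
    group: str
    mode: int  # permission bits only, file-type bits masked off


# The pinger lines are the ones quoted in the report; the
# /usr/bin/example lines are constructed to show a matching entry.
RPM_DUMP = """\
/usr/sbin/pinger 76488 1525295718 c83b442c035c575b7ea31212ec649b174cd417726c67f272fda0507ad50c50cf 0100750 root squid 0 0 0 X
/usr/bin/example 1024 1525295718 0000000000000000 0100755 root root 0 0 0 X
"""
PERMISSIONS = """\
# constructed comment line
/usr/sbin/pinger squid:root 0750
/usr/bin/example root:root 0755
"""


def parse_rpm_dump(text: str) -> Dict[str, Perm]:
    """Parse `rpm -q --dump` lines: path size mtime digest mode owner group ..."""
    out = {}
    for line in text.splitlines():
        fields = line.rsplit(None, 10)  # split from the right: path may hold spaces
        if len(fields) != 11:
            continue
        path, mode, owner, group = fields[0], fields[4], fields[5], fields[6]
        out[path] = Perm(owner, group, int(mode, 8) & 0o7777)
    return out


def parse_permissions(text: str) -> Dict[str, Perm]:
    """Parse `path owner:group mode` entries of a permissions profile."""
    out = {}
    for line in text.splitlines():
        fields = line.split()
        if not line.startswith("/") or len(fields) < 3:
            continue  # comments, blank lines, indented continuation lines
        owner, _, group = fields[1].partition(":")
        out[fields[0]] = Perm(owner, group, int(fields[2], 8))
    return out


def find_mismatches(rpm_dump: str, permissions: str) -> List[Tuple[str, Perm, Perm]]:
    """Return (path, packaged, profile) for files where the two sources disagree."""
    packaged, profile = parse_rpm_dump(rpm_dump), parse_permissions(permissions)
    return [(p, packaged[p], profile[p]) for p in sorted(profile)
            if p in packaged and packaged[p] != profile[p]]


if __name__ == "__main__":
    for path, pkg, prof in find_mismatches(RPM_DUMP, PERMISSIONS):
        print(f"{path}: packaged {pkg.owner}:{pkg.group} {pkg.mode:04o}, "
              f"profile {prof.owner}:{prof.group} {prof.mode:04o}")
```
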
I assigned CVE-2019-3688 to this, please add this to the changelog when you change this
*** Bug 1149108 has been marked as a duplicate of this bug. ***
This is an autogenerated message for OBS integration: This bug (1093414) was mentioned in https://build.opensuse.org/request/show/749269 Factory / permissions
SUSE-SU-2019:3180-1: An update that solves two vulnerabilities and has one errata is now available.
Category: security (moderate)
Bug References: 1093414,1150734,1157198
CVE References: CVE-2019-3688,CVE-2019-3690
Sources used:
SUSE OpenStack Cloud Crowbar 8 (src): permissions-2015.09.28.1626-17.20.1
SUSE OpenStack Cloud 8 (src): permissions-2015.09.28.1626-17.20.1
SUSE OpenStack Cloud 7 (src): permissions-2015.09.28.1626-17.20.1
SUSE Linux Enterprise Server for SAP 12-SP3 (src): permissions-2015.09.28.1626-17.20.1
SUSE Linux Enterprise Server for SAP 12-SP2 (src): permissions-2015.09.28.1626-17.20.1
SUSE Linux Enterprise Server 12-SP3-LTSS (src): permissions-2015.09.28.1626-17.20.1
SUSE Linux Enterprise Server 12-SP3-BCL (src): permissions-2015.09.28.1626-17.20.1
SUSE Linux Enterprise Server 12-SP2-LTSS (src): permissions-2015.09.28.1626-17.20.1
SUSE Linux Enterprise Server 12-SP2-BCL (src): permissions-2015.09.28.1626-17.20.1
SUSE Enterprise Storage 5 (src): permissions-2015.09.28.1626-17.20.1
SUSE CaaS Platform 3.0 (src): permissions-2015.09.28.1626-17.20.1
HPE Helion Openstack 8 (src): permissions-2015.09.28.1626-17.20.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

SUSE-SU-2019:3182-1: An update that solves two vulnerabilities and has one errata is now available.
Category: security (moderate)
Bug References: 1093414,1150734,1157198
CVE References: CVE-2019-3688,CVE-2019-3690
Sources used:
SUSE Linux Enterprise Module for Basesystem 15 (src): permissions-20180125-3.18.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

SUSE-SU-2019:3183-1: An update that solves two vulnerabilities and has three fixes is now available.
Category: security (moderate)
Bug References: 1047247,1093414,1097665,1150734,1157198
CVE References: CVE-2019-3688,CVE-2019-3690
Sources used:
SUSE Linux Enterprise Server 12-SP5 (src): permissions-20170707-3.14.1
SUSE Linux Enterprise Server 12-SP4 (src): permissions-20170707-3.14.1
SUSE Linux Enterprise Desktop 12-SP4 (src): permissions-20170707-3.14.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

openSUSE-SU-2019:2672-1: An update that solves two vulnerabilities and has one errata is now available.
Category: security (moderate)
Bug References: 1093414,1150734,1157198
CVE References: CVE-2019-3688,CVE-2019-3690
Sources used:
openSUSE Leap 15.1 (src): permissions-20181116-lp151.4.9.1

SUSE-SU-2021:2280-1: An update that solves three vulnerabilities and has 11 fixes is now available.
Category: security (moderate)
Bug References: 1047247,1050467,1093414,1097665,1123886,1150734,1155939,1157198,1160594,1160764,1161779,1163922,1171883,1182899
CVE References: CVE-2019-3688,CVE-2019-3690,CVE-2020-8013
JIRA References:
Sources used:
SUSE Linux Enterprise Server 12-SP5 (src): permissions-20170707-6.4.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

This is an autogenerated message for OBS integration: This bug (1093414) was mentioned in https://build.opensuse.org/request/show/931965 15.3 / permissions
openSUSE-SU-2021:1520-1: An update that solves three vulnerabilities and has 27 fixes is now available.
Category: security (moderate)
Bug References: 1028975,1029961,1093414,1133678,1148788,1150345,1150366,1151190,1157498,1160285,1160764,1161335,1161779,1163588,1167163,1169614,1171164,1171173,1171569,1171580,1171686,1171879,1171882,1173221,1174504,1175720,1175867,1178475,1178476,1183669
CVE References: CVE-2019-3687,CVE-2019-3688,CVE-2020-8013
JIRA References:
Sources used:
openSUSE Leap 15.3 (src): permissions-20200127-lp153.24.3.1