CVE-2019-3689

Published: 19 September 2019

In the nfs-utils package in SUSE Linux Enterprise Server 12 before and including version 1.3.0-34.18.1 and in SUSE Linux Enterprise Server 15 before and including version 2.1.1-6.10.2, the directory /var/lib/nfs is owned by statd:nogroup. This directory contains files owned and managed by root. If statd is compromised, it can therefore trick processes running with root privileges into creating/overwriting files anywhere on the system.
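An audit for the ownership mismatch described above, added here as an example (it is not code from the advisory or from nfs-utils): it reports every root-owned entry whose parent directory is controlled by another account. It goes slightly beyond the advisory by also treating group- or world-writable directories without the sticky bit as uncontrolled; the uid 107 and the file names in `SAMPLE` are constructed placeholders.

```python
import os
import stat
import sys
from typing import NamedTuple

class Entry(NamedTuple):
    path: str
    uid: int
    mode: int  # st_mode as returned by lstat()

def collect(root):
    """lstat() root and everything below it, never following symlinks."""
    paths = [root]
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        paths += [os.path.join(dirpath, n) for n in dirnames + filenames]
    return [Entry(p, s.st_uid, s.st_mode) for p in paths for s in [os.lstat(p)]]

def controlled_by_other(d, trusted_uid=0):
    """True if a principal other than trusted_uid can replace names inside d."""
    if d.uid != trusted_uid:
        return True
    loose = d.mode & (stat.S_IWGRP | stat.S_IWOTH)
    return bool(loose) and not d.mode & stat.S_ISVTX

def audit(entries, trusted_uid=0):
    """List (child, parent, parent_uid) for trusted-owned entries in uncontrolled dirs."""
    by_path = {e.path: e for e in entries}
    findings = []
    for e in entries:
        parent = by_path.get(os.path.dirname(e.path))
        if parent is None or not stat.S_ISDIR(parent.mode):
            continue
        if e.uid == trusted_uid and controlled_by_other(parent, trusted_uid):
            findings.append((e.path, parent.path, parent.uid))
    return findings

# Constructed sample mirroring the advisory; uid 107 (standing in for statd)
# and the file names are placeholders, not values from a real system.
SAMPLE = [
    Entry("/var/lib/nfs", 107, stat.S_IFDIR | 0o755),
    Entry("/var/lib/nfs/root-file-a", 0, stat.S_IFREG | 0o644),
    Entry("/var/lib/nfs/root-file-b", 0, stat.S_IFREG | 0o644),
    Entry("/var/lib/nfs/statd-file", 107, stat.S_IFREG | 0o644),
]

if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "/var/lib/nfs"
    for child, parent, uid in audit(collect(root) if os.path.isdir(root) else SAMPLE):
        print(f"{child}: root-owned, but {parent} is controlled by uid {uid}")
```

An empty result on a patched host means no root-owned entry under the tree sits in a directory that another account can rewrite.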

Priority

Low

CVSS 3 base score: 9.8

Status

Package: nfs-utils
Launchpad, Ubuntu, Debian

Release: Status
Upstream: Released (1:1.3.4-3)
Ubuntu 21.10 (Impish Indri): Released (1:1.3.4-2.5ubuntu5)
Ubuntu 21.04 (Hirsute Hippo): Released (1:1.3.4-2.5ubuntu5)
Ubuntu 20.04 LTS (Focal Fossa): Released (1:1.3.4-2.5ubuntu3.3)
Ubuntu 18.04 LTS (Bionic Beaver): Released (1:1.3.4-2.1ubuntu5.3)
Ubuntu 16.04 ESM (Xenial Xerus): Released (1:1.2.8-9ubuntu12.3)
Ubuntu 14.04 ESM (Trusty Tahr): Needs triage

Patches:
Upstream: https://git.linux-nfs.org/?p=steved/nfs-utils.git;a=commitdiff;h=fee2cc29e888f2ced6a76990923aef19d326dc0e
Vendor: https://salsa.debian.org/debian/nfs-utils/-/commit/5eb61fb20053ed69a7396d44928e5bc66d86ef43
Vendor: https://salsa.debian.org/debian/nfs-utils/-/commit/e63eb85dd956dce5df1f112e01a421c1cc8b3483