CVE-2019-3689

Published: 19 September 2019

In the nfs-utils package in SUSE Linux Enterprise Server 12 before and including version 1.3.0-34.18.1 and in SUSE Linux Enterprise Server 15 before and including version 2.1.1-6.10.2, the directory /var/lib/nfs is owned by statd:nogroup. This directory contains files owned and managed by root. If statd is compromised, it can therefore trick processes running with root privileges into creating or overwriting files anywhere on the system.

Priority

Low

CVSS 3 base score: 9.8

Status

Package: nfs-utils (Launchpad, Ubuntu, Debian)

Release    Status
bionic     Released (1:1.3.4-2.1ubuntu5.3)
disco      Ignored (reached end-of-life)
eoan       Released (1:1.3.4-2.5ubuntu2.1)
focal      Released (1:1.3.4-2.5ubuntu3.3)
groovy     Released (1:1.3.4-2.5ubuntu5)
hirsute    Released (1:1.3.4-2.5ubuntu5)
impish     Released (1:1.3.4-2.5ubuntu5)
jammy      Released (1:1.3.4-2.5ubuntu5)
precise    Ignored (end of ESM support, was needs-triage)
trusty     Needs triage
upstream   Released (1:1.3.4-3)
xenial     Released (1:1.2.8-9ubuntu12.3)

Patches:
upstream: https://git.linux-nfs.org/?p=steved/nfs-utils.git;a=commitdiff;h=fee2cc29e888f2ced6a76990923aef19d326dc0e
vendor: https://salsa.debian.org/debian/nfs-utils/-/commit/5eb61fb20053ed69a7396d44928e5bc66d86ef43
vendor: https://salsa.debian.org/debian/nfs-utils/-/commit/e63eb85dd956dce5df1f112e01a421c1cc8b3483