CVE-2019-3689

NameCVE-2019-3689
DescriptionThe nfs-utils package in SUSE Linux Enterprise Server 12 before and including version 1.3.0-34.18.1 and in SUSE Linux Enterprise Server 15 before and including version 2.1.1-6.10.2 the directory /var/lib/nfs is owned by statd:nogroup. This directory contains files owned and managed by root. If statd is compromised, it can therefore trick processes running with root privileges into creating/overwriting files anywhere on the system.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDLA-1965-1, ELA-179-1
Debian Bugs940848

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
nfs-utils (PTS)jessie, jessie (lts)1:1.2.8-9+deb8u1fixed
stretch1:1.3.4-2.1+deb9u1fixed
buster1:1.3.4-2.5+deb10u1fixed
bullseye1:1.3.4-6+deb11u1fixed
bookworm1:2.6.2-4fixed
sid, trixie1:2.8.1-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
nfs-utilssourcewheezy1.2.6-4+deb7u1ELA-179-1
nfs-utilssourcejessie1:1.2.8-9+deb8u1DLA-1965-1
nfs-utilssourcestretch1:1.3.4-2.1+deb9u1
nfs-utilssourcebuster1:1.3.4-2.5+deb10u1
nfs-utilssource(unstable)1:1.3.4-3940848

Notes

https://git.linux-nfs.org/?p=steved/nfs-utils.git;a=commitdiff;h=fee2cc29e888f2ced6a76990923aef19d326dc0e

Search for package or bug name: Reporting problems