Your message dated Fri, 13 Mar 2020 13:51:41 +0000
with message-id <e1jckiz-000czy...@fasolo.debian.org>
and subject line Bug#940848: fixed in nfs-utils 1:1.3.4-3
has caused the Debian Bug report #940848,
regarding nfs-utils: CVE-2019-3689: root-owned files stored in insecure /var/lib/nfs
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
940848: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=940848
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: nfs-utils
Version: 1:1.3.4-2.5
Severity: normal
Tags: security upstream

Hi,

The following vulnerability was published for nfs-utils. Please note
that even though the description mentions the SUSE packages, in Debian
/var/lib/nfs is used in the same way.

CVE-2019-3689[0]:
| The nfs-utils package in SUSE Linux Enterprise Server 12 before and
| including version 1.3.0-34.18.1 and in SUSE Linux Enterprise Server 15
| before and including version 2.1.1-6.10.2 the directory /var/lib/nfs
| is owned by statd:nogroup. This directory contains files owned and
| managed by root. If statd is compromised, it can therefore trick
| processes running with root privileges into creating/overwriting files
| anywhere on the system if fs.protected_symlinks is not set


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2019-3689
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3689
[1] https://bugzilla.suse.com/show_bug.cgi?id=1150733
[2] https://build.opensuse.org/request/show/731364

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: nfs-utils
Source-Version: 1:1.3.4-3
Done: Salvatore Bonaccorso <car...@debian.org>

We believe that the bug you reported is fixed in the latest version of
nfs-utils, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 940...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <car...@debian.org> (supplier of updated nfs-utils package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 13 Mar 2020 05:16:46 +0100
Source: nfs-utils
Architecture: source
Version: 1:1.3.4-3
Distribution: unstable
Urgency: medium
Maintainer: Debian kernel team <debian-kernel@lists.debian.org>
Changed-By: Salvatore Bonaccorso <car...@debian.org>
Closes: 892654 925089 925943 940848 953441
Changes:
 nfs-utils (1:1.3.4-3) unstable; urgency=medium
 .
   [ Salvatore Bonaccorso ]
   * nfsiostat: replace 'list' reserved word.
     Thanks to Matthew Ruffell <matthew.ruff...@canonical.com>
     (Closes: #925943, LP: #1821261)
   * Remove Anibal Monsalve Salazar from Uploaders on request of MIA team.
     Thanks to Anibal Monsalve Salazar for all previous work done on nfs-utils.
     (Closes: #925089)
   * statd: take user-id from /var/lib/nfs/sm (CVE-2019-3689) (Closes: #940848)
   * Don't make /var/lib/nfs owned by statd.
     Only sm and sm.bak need to be accessible by statd or sm-notify after
     they drop privileges.
   * debian/control: Point Vcs URLs to kernel-team namespace repository
   * debian/control: Add myself to Uploaders
 .
   [ Andreas Hasenack ]
   * debian/nfs-utils_env.sh: Fix mismatching [RPC]SVCGSSDOPTS defaults
     Export SVCGSSDARGS, which is the variable name expected by the
     rpc-svcgssd systemd service. The old variable is still being
     exported to prevent upgrades from breaking for those who may
     have overridden the systemd service to work around the bug.
     (Closes: #892654)
 .
   [ Ben Hutchings ]
   * debian/control: Remove Daniel Pocock from Uploaders. (Closes: #953441)
   * debian/control: Delete wrong Homepage fields for binary packages
   * debian/control: Change Homepage to HTTP-S URL
   * debian/copyright: Update upstream source URL to match debian/watch
Checksums-Sha1: 
 5123fb77555ff163099dda1c4d13d05004384f0e 2448 nfs-utils_1.3.4-3.dsc
 82c52f3de518413c123640f090370f1dce5e1a5e 50348 nfs-utils_1.3.4-3.debian.tar.xz
Checksums-Sha256: 
 7a4b5cd04f0309c9e9184ed4759ec943a7cb3fd4716644492211fac6de4b8af3 2448 nfs-utils_1.3.4-3.dsc
 1fe2cfc6fba315350ea39423ebe93d930b913dd360a41edd8d0dfb571a602181 50348 nfs-utils_1.3.4-3.debian.tar.xz
Files: 
 601dc44bba5f6f32b8ec5a6f4f590119 2448 net optional nfs-utils_1.3.4-3.dsc
 02c6bb37e6cd52c50eb9731ebdbbeeff 50348 net optional nfs-utils_1.3.4-3.debian.tar.xz

-----BEGIN PGP SIGNATURE-----

iQKmBAEBCgCQFiEERkRAmAjBceBVMd3uBUy48xNDz0QFAl5rjDxfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2
NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQSHGNhcm5pbEBk
ZWJpYW4ub3JnAAoJEAVMuPMTQ89EdwgP/1sF6DkUTMssdrfvPGJqjTwI1iNVV3Xd
suLAHfP+gOBsZ4PoLae6NovKWbGaRObocjGOn5q7wxxxt3Ql54NrMhXNssQu9nm2
laL3WnvRxCkzeI7vAKPCmiN5XhNgdG32a94pCFeWx0xzYMp1aW8J5hhEyHvJOSLi
kjGElwtADMZSo5gm13rHy1MbI0rgksabYdC0zLZbGAhErGtxosgmRQBJ1ycBZAs4
McHi27OzDOWe3J815uxoiBiENQIzHnSUGHueRndSQaLIBycg5gnpHDs6KTbfk3YS
kMP7QCsivZ/UFLYwltlZOXi0HghvLcpzjaK8Nir9MJx7C7FygNz/FO8CM2zMvoVE
yhqomgHWZ2zNpouHFnVtGLRT720obEGbX5YFinBgB6sFmXTqTSi8qKR+mJ1EQ6t9
cRj1U7JrBCdcGAR+nzqRVCgsaLZxH42GU5rkaHwngXRFOrNPRsz6KcYjzi1cFfia
K7oufVruVJU7cC5RJwEsIIw9nEchFOeg0xeqd3G8JVxwfaZBHU48dmLzzsGe8oVw
ET3ZS5a094SwemUxqJaqLaKElS5k8OONtY/sGJZ0yI0F31S+nwsvWAX2FynkWX2R
RfQNo0mLIlGx7R/DaEVo3Uy0DgYEfCRleOYpreOevEQLdlg3Vv54h+t34E23t6Vv
Zh28LLLtxhum
=4jIY
-----END PGP SIGNATURE-----

--- End Message ---
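As an added illustration, not code from the bug report or from nfs-utils itself, the following Python audit encodes the condition the report describes (root-owned files living in a directory owned by the statd account, which a compromised statd could swap for symlinks) and the layout the changelog settles on (/var/lib/nfs root-owned, only sm and sm.bak owned by statd). The statd uid, the file names in the constructed snapshots and the function names are assumptions; the sysctl path is the one the CVE text names.

```python
"""Audit an NFS state directory for the CVE-2019-3689 ownership pattern.

Constructed example, not nfs-utils code.  Two checks:
  * no root-owned file may sit in a directory owned by a non-root user
    (the owner could replace it with a symlink before root writes it);
  * the directory itself is root-owned and only sm/ and sm.bak/ belong
    to statd, matching the layout described in the changelog.
"""
import os
import stat
from dataclasses import dataclass
from typing import Dict, List, Optional

ROOT_UID = 0
STATD_UID = 105  # assumed uid for statd; on a real host use pwd.getpwnam("statd").pw_uid


@dataclass(frozen=True)
class Entry:
    uid: int
    is_dir: bool
    is_symlink: bool = False


def snapshot(root: str) -> Dict[str, Entry]:
    """Map every path under root to an Entry built from lstat.

    lstat rather than stat, so a planted symlink is recorded as a symlink
    instead of as the root-owned target it points at.
    """
    tree: Dict[str, Entry] = {}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in [""] + dirnames + filenames:
            path = os.path.join(dirpath, name) if name else dirpath
            st = os.lstat(path)
            tree[path] = Entry(st.st_uid, stat.S_ISDIR(st.st_mode), stat.S_ISLNK(st.st_mode))
    return tree


def exposed_root_files(tree: Dict[str, Entry]) -> List[str]:
    """Root-owned non-directories whose parent directory is not root-owned.

    The parent's owner can unlink such a file and drop a symlink in its
    place; root's next write to that name then lands wherever the link
    points.  This is the condition the bug report describes.
    """
    hits = []
    for path, ent in tree.items():
        if ent.is_dir or ent.uid != ROOT_UID:
            continue
        parent = tree.get(os.path.dirname(path))
        if parent is not None and parent.uid != ROOT_UID:
            hits.append(path)
    return sorted(hits)


def layout_problems(tree: Dict[str, Entry], base: str, statd_uid: int) -> List[str]:
    """Compare a tree with the post-fix layout: base root-owned,
    base/sm and base/sm.bak owned by statd, no exposed root files."""
    problems: List[str] = []
    top = tree.get(base)
    if top is None:
        return [f"{base}: missing"]
    if top.uid != ROOT_UID:
        problems.append(f"{base}: owned by uid {top.uid}, expected root")
    for sub in ("sm", "sm.bak"):
        path = os.path.join(base, sub)
        ent = tree.get(path)
        if ent is None or not ent.is_dir:
            problems.append(f"{path}: missing or not a directory")
        elif ent.uid != statd_uid:
            problems.append(f"{path}: owned by uid {ent.uid}, expected statd ({statd_uid})")
    problems += [f"{p}: root-owned file in non-root directory" for p in exposed_root_files(tree)]
    return problems


def protected_symlinks_enabled(path: str = "/proc/sys/fs/protected_symlinks") -> Optional[bool]:
    """Value of the sysctl the CVE text names as the mitigation; None if unreadable."""
    try:
        with open(path) as fh:
            return fh.read().strip() == "1"
    except OSError:
        return None


# Constructed snapshots (file names illustrative): the pre-fix layout with
# /var/lib/nfs owned by statd, and the post-fix layout from the changelog.
BEFORE = {
    "/var/lib/nfs": Entry(STATD_UID, True),
    "/var/lib/nfs/etab": Entry(ROOT_UID, False),
    "/var/lib/nfs/rmtab": Entry(ROOT_UID, False),
    "/var/lib/nfs/sm": Entry(STATD_UID, True),
    "/var/lib/nfs/sm.bak": Entry(STATD_UID, True),
}
AFTER = {
    "/var/lib/nfs": Entry(ROOT_UID, True),
    "/var/lib/nfs/etab": Entry(ROOT_UID, False),
    "/var/lib/nfs/rmtab": Entry(ROOT_UID, False),
    "/var/lib/nfs/sm": Entry(STATD_UID, True),
    "/var/lib/nfs/sm.bak": Entry(STATD_UID, True),
}

if __name__ == "__main__":
    base = "/var/lib/nfs"
    tree = snapshot(base) if os.path.isdir(base) else BEFORE
    for line in layout_problems(tree, base, STATD_UID) or ["layout ok"]:
        print(line)
    print("fs.protected_symlinks:", protected_symlinks_enabled())
```

Run as root on a host with nfs-utils installed, the script walks the real /var/lib/nfs; without it, it reports on the constructed pre-fix snapshot so the output can be compared with the changelog entry above.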
