Your message dated Fri, 03 Jul 2020 19:02:30 +0000
with message-id <e1jrqxc-000ift...@fasolo.debian.org>
and subject line Bug#940848: fixed in nfs-utils 1:1.3.4-2.1+deb9u1
has caused the Debian Bug report #940848,
regarding nfs-utils: CVE-2019-3689: root-owned files stored in insecure /var/lib/nfs
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
940848: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=940848
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: nfs-utils
Version: 1:1.3.4-2.5
Severity: normal
Tags: security upstream

Hi,

The following vulnerability was published for nfs-utils. Please note
that even though the description mentions the SUSE packages, in Debian
similarly /var/lib/nfs is used.

CVE-2019-3689[0]:
| The nfs-utils package in SUSE Linux Enterprise Server 12 before and
| including version 1.3.0-34.18.1 and in SUSE Linux Enterprise Server 15
| before and including version 2.1.1-6.10.2 the directory /var/lib/nfs
| is owned by statd:nogroup. This directory contains files owned and
| managed by root. If statd is compromised, it can therefore trick
| processes running with root privileges into creating/overwriting files
| anywhere on the system if fs.protected_symlinks is not set


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2019-3689
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3689
[1] https://bugzilla.suse.com/show_bug.cgi?id=1150733
[2] https://build.opensuse.org/request/show/731364

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: nfs-utils
Source-Version: 1:1.3.4-2.1+deb9u1
Done: Salvatore Bonaccorso <car...@debian.org>

We believe that the bug you reported is fixed in the latest version of
nfs-utils, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 940...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <car...@debian.org> (supplier of updated nfs-utils package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


Format: 1.8
Date: Wed, 24 Jun 2020 10:20:47 +0200
Source: nfs-utils
Architecture: source
Version: 1:1.3.4-2.1+deb9u1
Distribution: stretch
Urgency: medium
Maintainer: Debian kernel team <debian-kernel@lists.debian.org>
Changed-By: Salvatore Bonaccorso <car...@debian.org>
Closes: 940848
Changes:
 nfs-utils (1:1.3.4-2.1+deb9u1) stretch; urgency=medium
 .
   * statd: take user-id from /var/lib/nfs/sm (CVE-2019-3689) (Closes: #940848)
   * Don't make /var/lib/nfs owned by statd.
     Only sm and sm.bak need to be accessible by statd or sm-notify after
     they drop privileges.
   * debian/control: Point Vcs URLs to kernel-team namespace repository


--- End Message ---