Your message dated Thu, 09 Jul 2020 19:32:11 +0000
with message-id <e1jtchd-0001du...@fasolo.debian.org>
and subject line Bug#940848: fixed in nfs-utils 1:1.3.4-2.5+deb10u1
has caused the Debian Bug report #940848,
regarding nfs-utils: CVE-2019-3689: root-owned files stored in insecure /var/lib/nfs
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
940848: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=940848
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: nfs-utils
Version: 1:1.3.4-2.5
Severity: normal
Tags: security upstream

Hi,

The following vulnerability was published for nfs-utils. Please note
that even though the description mentions the SUSE packages, in Debian
/var/lib/nfs is similarly used.

CVE-2019-3689[0]:
| The nfs-utils package in SUSE Linux Enterprise Server 12 before and
| including version 1.3.0-34.18.1 and in SUSE Linux Enterprise Server 15
| before and including version 2.1.1-6.10.2 the directory /var/lib/nfs
| is owned by statd:nogroup. This directory contains files owned and
| managed by root. If statd is compromised, it can therefore trick
| processes running with root privileges into creating/overwriting files
| anywhere on the system if fs.protected_symlinks is not set


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2019-3689
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3689
[1] https://bugzilla.suse.com/show_bug.cgi?id=1150733
[2] https://build.opensuse.org/request/show/731364

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: nfs-utils
Source-Version: 1:1.3.4-2.5+deb10u1
Done: Salvatore Bonaccorso <car...@debian.org>

We believe that the bug you reported is fixed in the latest version of
nfs-utils, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 940...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <car...@debian.org> (supplier of updated nfs-utils package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Wed, 24 Jun 2020 09:54:47 +0200
Source: nfs-utils
Architecture: source
Version: 1:1.3.4-2.5+deb10u1
Distribution: buster
Urgency: medium
Maintainer: Debian kernel team <debian-kernel@lists.debian.org>
Changed-By: Salvatore Bonaccorso <car...@debian.org>
Closes: 940848
Changes:
 nfs-utils (1:1.3.4-2.5+deb10u1) buster; urgency=medium
 .
   * statd: take user-id from /var/lib/nfs/sm (CVE-2019-3689) (Closes: #940848)
   * Don't make /var/lib/nfs owned by statd.
     Only sm and sm.bak need to be accessible by statd or sm-notify after
     they drop privileges.
   * debian/control: Point Vcs URLs to kernel-team namespace repository


--- End Message ---
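The layout described in the CVE text above (root-managed files inside a statd-owned /var/lib/nfs) and the corrected layout from the changelog (root-owned parent, only sm and sm.bak belonging to statd) as an added audit example; this is not code from the bug report or from nfs-utils, and the statd uid 108 and entry names other than sm/sm.bak used in the comments and tests are constructed assumptions.

```python
import os
from dataclasses import dataclass
from typing import List

ROOT_UID = 0


@dataclass(frozen=True)
class Entry:
    name: str  # entry name inside the directory
    uid: int   # owner uid from lstat(), so a symlink reports its own owner


def audit_dir(dir_uid: int, entries: List[Entry]) -> List[str]:
    """Flag root-owned entries living in a directory owned by an unprivileged uid.

    The directory owner controls the entry names (rename, unlink, replace with
    a symlink), so a root process that later opens one of those names by path
    can be redirected. This is the CVE-2019-3689 layout: /var/lib/nfs owned by
    statd while holding files that root creates and rewrites.
    """
    if dir_uid == ROOT_UID:
        return []
    return [f"{e.name}: owned by root, but directory owner uid {dir_uid} "
            f"controls the name" for e in entries if e.uid == ROOT_UID]


def audit_path(path: str) -> List[str]:
    """Describe a real directory with lstat() and run audit_dir() over it."""
    dir_uid = os.lstat(path).st_uid
    entries = [Entry(n, os.lstat(os.path.join(path, n)).st_uid)
               for n in sorted(os.listdir(path))]
    return audit_dir(dir_uid, entries)


def check_fixed_layout(dir_uid: int, entries: List[Entry],
                       statd_uid: int) -> List[str]:
    """Check the post-fix layout: parent directory root-owned, sm and sm.bak
    owned by statd (statd now takes its uid from /var/lib/nfs/sm), and no other
    entry handed to statd, since only those two need to be accessible to it."""
    problems = []
    if dir_uid != ROOT_UID:
        problems.append(f"parent directory owned by uid {dir_uid}, expected root")
    for e in entries:
        if e.name in ("sm", "sm.bak"):
            if e.uid != statd_uid:
                problems.append(f"{e.name}: owned by uid {e.uid}, expected statd")
        elif e.uid == statd_uid:
            problems.append(f"{e.name}: owned by statd but statd does not need it")
    return problems
```

Run audit_path("/var/lib/nfs") on a host to see whether the pre-fix layout is still present; the pure functions take a directory description so the checks can be exercised without root.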
