Bug#940848: marked as done (nfs-utils: CVE-2019-3689: root-owned files stored in insecure /var/lib/nfs)
Your message dated Thu, 09 Jul 2020 19:32:11 +
with message-id and subject line Bug#940848: fixed in nfs-utils 1:1.3.4-2.5+deb10u1
has caused the Debian Bug report #940848,
regarding nfs-utils: CVE-2019-3689: root-owned files stored in insecure /var/lib/nfs
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)

--
940848: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=940848
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

--- Begin Message ---
Source: nfs-utils
Version: 1:1.3.4-2.5
Severity: normal
Tags: security upstream

Hi,

The following vulnerability was published for nfs-utils. Please note that
even though the description mentions the SUSE packages, in Debian
/var/lib/nfs is similarly used.

CVE-2019-3689[0]:
| The nfs-utils package in SUSE Linux Enterprise Server 12 before and
| including version 1.3.0-34.18.1 and in SUSE Linux Enterprise Server 15
| before and including version 2.1.1-6.10.2 the directory /var/lib/nfs
| is owned by statd:nogroup. This directory contains files owned and
| managed by root. If statd is compromised, it can therefore trick
| processes running with root privileges into creating/overwriting files
| anywhere on the system if fs.protected_symlinks is not set

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2019-3689
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3689
[1] https://bugzilla.suse.com/show_bug.cgi?id=1150733
[2] https://build.opensuse.org/request/show/731364

Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: nfs-utils
Source-Version: 1:1.3.4-2.5+deb10u1
Done: Salvatore Bonaccorso

We believe that the bug you reported is fixed in the latest version of
nfs-utils, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 940...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso (supplier of updated nfs-utils package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Wed, 24 Jun 2020 09:54:47 +0200
Source: nfs-utils
Architecture: source
Version: 1:1.3.4-2.5+deb10u1
Distribution: buster
Urgency: medium
Maintainer: Debian kernel team
Changed-By: Salvatore Bonaccorso
Closes: 940848
Changes:
 nfs-utils (1:1.3.4-2.5+deb10u1) buster; urgency=medium
 .
   * statd: take user-id from /var/lib/nfs/sm (CVE-2019-3689) (Closes: #940848)
   * Don't make /var/lib/nfs owned by statd. Only sm and sm.bak need to be
     accessible by statd or sm-notify after they drop privileges.
   * debian/control: Point Vcs URLs to kernel-team namespace repository
Checksums-Sha1:
 ee5e5d5645393d998faa6f63374f91980a86edb9 2525 nfs-utils_1.3.4-2.5+deb10u1.dsc
 f91d88dd16909acac2e3b7b4cd8fe8aec2dc6c76 49632 nfs-utils_1.3.4-2.5+deb10u1.debian.tar.xz
Checksums-Sha256:
 e879f6b56f11ff7375f422031a9335c8fa97891c6b8e2f06ca50e2fcae8c0072 2525 nfs-utils_1.3.4-2.5+deb10u1.dsc
 20d6f74ead986c1e03bf512716b3db65c9f5d0a8542dee61439093a3ce040850 49632 nfs-utils_1.3.4-2.5+deb10u1.debian.tar.xz
Files:
 5c119c77a69095b584cb4295c9c2cb57 2525 net optional nfs-utils_1.3.4-2.5+deb10u1.dsc
 deebc91813640f92f829cc37179b1f29 49632 net optional nfs-utils_1.3.4-2.5+deb10u1.debian.tar.xz

-----BEGIN PGP SIGNATURE-----

iQKmBAEBCgCQFiEERkRAmAjBceBVMd3uBUy48xNDz0QFAl7871VfFIAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2
NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQSHGNhcm5pbEBk
ZWJpYW4ub3JnAAoJEAVMuPMTQ89ExrcQAIdx7ZImiEK9KT5lAJUfGQN72Vr2cgZ2
NCt+2W1yvM2NyRb83aGHVkP9YImJfJTyckAVQZ84Z4XB5XUekZRZOeUDKDNQRpTN
Zn7d8CMvmPBfDndolqkhNkiyMSOS6rT7+1LtGlvSmD2mIFzjwt/J6OD6jFqv7SFt
XmLpqt+NPI7zBL34/eJU7yZ7Gqgg1euctcikK5OzY7F4tpYnGs5wN0aZXAQkjYo1
WusA02bsVma+yhm2v8D3npE9yZYWbvoMhm3+1tv06ITvi+8a2S/MK4haDpZ8ab2K
AMKskvw4FGlZAFKgblhUToaEsdZxiTG8wXJLeVGPkWtWJ8uzCjXgG5qNN/PKlCJo
mwZ+zWu65jFgWv+BnMNGWq6GzKrXQV07rYZkbb79eWQWGMnimr/4InJ+h96vdRCm
92zJaAEHNuky8G+PjVZkW5ff9gj0DezgklYNaozNMFAjpqo4YDzCHyu6le9HaBJr
1JRCH8p9PaNigI8tpwUf1FaULPeR1cl4tEDxtYHU0igG6E5zoK3D0juVvM+Zc4Rw
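The CVE text above describes a weak ownership layout (the whole of /var/lib/nfs owned by the statd account while it holds root-managed files), and the changelog describes the fixed layout (only sm and sm.bak owned by statd, since those are what statd and sm-notify touch after dropping privileges). The following audit script is an added example, not part of the Debian bug log or of the nfs-utils packaging: it checks a host against the fixed layout and reports the fs.protected_symlinks value that the advisory names as the exploitability condition. The path /var/lib/nfs, the account name "statd" and the function names are assumptions for a Debian-style system; both can be overridden through the function arguments.

```shell
#!/bin/sh
# Added example, not part of the Debian bug log or of the nfs-utils packaging.
# Audits the /var/lib/nfs ownership layout from CVE-2019-3689: the state
# directory itself should be root-owned, and only sm and sm.bak (used by
# statd and sm-notify after they drop privileges) should belong to the statd
# account. The advisory names fs.protected_symlinks as the kernel setting
# that affects exploitability, so its value is reported as well.
# Assumptions: the Debian path /var/lib/nfs and the account name "statd".

# Pure verdict: takes already-gathered values so it can be exercised with
# constructed inputs. Prints one FINDING line per problem and returns the
# number of findings (0 means the layout matches the fixed packaging).
nfs_statd_verdict() {
    v_base_owner=$1
    v_sm_owner=$2
    v_smbak_owner=$3
    v_protected=$4
    v_statd_user=${5:-statd}
    v_findings=0
    if [ "$v_base_owner" != "root" ]; then
        echo "FINDING: state directory owned by '$v_base_owner', expected root (CVE-2019-3689 layout)"
        v_findings=$((v_findings + 1))
    fi
    if [ "$v_sm_owner" != "$v_statd_user" ] || [ "$v_smbak_owner" != "$v_statd_user" ]; then
        echo "FINDING: sm and sm.bak must be owned by '$v_statd_user' (statd uses them after dropping privileges)"
        v_findings=$((v_findings + 1))
    fi
    if [ "$v_protected" != "1" ]; then
        echo "FINDING: fs.protected_symlinks=$v_protected; the advisory lists it unset as a precondition for the attack"
        v_findings=$((v_findings + 1))
    fi
    return $v_findings
}

# Gathers live values with GNU stat and /proc/sys, then delegates to
# nfs_statd_verdict. Returns 99 when the layout is absent (no NFS state dir).
nfs_statd_audit() {
    a_base=${1:-/var/lib/nfs}
    a_statd_user=${2:-statd}
    for a_path in "$a_base" "$a_base/sm" "$a_base/sm.bak"; do
        if [ ! -e "$a_path" ]; then
            echo "SKIP: $a_path does not exist"
            return 99
        fi
    done
    if [ -r /proc/sys/fs/protected_symlinks ]; then
        a_protected=$(cat /proc/sys/fs/protected_symlinks)
    else
        a_protected=unknown
    fi
    nfs_statd_verdict "$(stat -c %U "$a_base")" "$(stat -c %U "$a_base/sm")" \
        "$(stat -c %U "$a_base/sm.bak")" "$a_protected" "$a_statd_user"
}

# Run the live audit only when asked explicitly, e.g. ./nfs_statd_audit.sh --run
if [ "${1:-}" = "--run" ]; then
    nfs_statd_audit "${2:-/var/lib/nfs}" "${3:-statd}"
fi
```

Run with `--run` on a host that serves or mounts NFS; an exit status of 0 means the directory ownership matches the fixed packaging and the kernel setting is on, and any other status is the number of findings printed. The verdict is split out from the gathering step so the decision logic can be tested with constructed owner names without needing root to create the directory layout.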
Bug#940848: marked as done (nfs-utils: CVE-2019-3689: root-owned files stored in insecure /var/lib/nfs)
Your message dated Fri, 03 Jul 2020 19:02:30 +
with message-id and subject line Bug#940848: fixed in nfs-utils 1:1.3.4-2.1+deb9u1
has caused the Debian Bug report #940848,
regarding nfs-utils: CVE-2019-3689: root-owned files stored in insecure /var/lib/nfs
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)

--
940848: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=940848
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

--- Begin Message ---
Source: nfs-utils
Version: 1:1.3.4-2.5
Severity: normal
Tags: security upstream

Hi,

The following vulnerability was published for nfs-utils. Please note that
even though the description mentions the SUSE packages, in Debian
/var/lib/nfs is similarly used.

CVE-2019-3689[0]:
| The nfs-utils package in SUSE Linux Enterprise Server 12 before and
| including version 1.3.0-34.18.1 and in SUSE Linux Enterprise Server 15
| before and including version 2.1.1-6.10.2 the directory /var/lib/nfs
| is owned by statd:nogroup. This directory contains files owned and
| managed by root. If statd is compromised, it can therefore trick
| processes running with root privileges into creating/overwriting files
| anywhere on the system if fs.protected_symlinks is not set

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2019-3689
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3689
[1] https://bugzilla.suse.com/show_bug.cgi?id=1150733
[2] https://build.opensuse.org/request/show/731364

Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: nfs-utils
Source-Version: 1:1.3.4-2.1+deb9u1
Done: Salvatore Bonaccorso

We believe that the bug you reported is fixed in the latest version of
nfs-utils, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 940...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso (supplier of updated nfs-utils package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Wed, 24 Jun 2020 10:20:47 +0200
Source: nfs-utils
Architecture: source
Version: 1:1.3.4-2.1+deb9u1
Distribution: stretch
Urgency: medium
Maintainer: Debian kernel team
Changed-By: Salvatore Bonaccorso
Closes: 940848
Changes:
 nfs-utils (1:1.3.4-2.1+deb9u1) stretch; urgency=medium
 .
   * statd: take user-id from /var/lib/nfs/sm (CVE-2019-3689) (Closes: #940848)
   * Don't make /var/lib/nfs owned by statd. Only sm and sm.bak need to be
     accessible by statd or sm-notify after they drop privileges.
   * debian/control: Point Vcs URLs to kernel-team namespace repository
Checksums-Sha1:
 aee11cb683794ee84198dba94fb81d12fcc2cd5b 2530 nfs-utils_1.3.4-2.1+deb9u1.dsc
 93f8fcaf81ccc5b4e05bb0582d01a8e0f2b1ac97 42088 nfs-utils_1.3.4-2.1+deb9u1.debian.tar.bz2
 d8e87755c116c91a575859e2cca3a8910611cb1d 6389 nfs-utils_1.3.4-2.1+deb9u1_source.buildinfo
Checksums-Sha256:
 6dd02e66073346ccc06903269e6ed9d80492b782bd13bdd627235935396bf801 2530 nfs-utils_1.3.4-2.1+deb9u1.dsc
 abae375c7e75efdec5ea60c7dff494aa07fe73070b6e0b2b0d712d36016af2c0 42088 nfs-utils_1.3.4-2.1+deb9u1.debian.tar.bz2
 0ee19f3e8b209c22f492b0c3effb30ed1b3893f5f2486fa637284de191d07586 6389 nfs-utils_1.3.4-2.1+deb9u1_source.buildinfo
Files:
 6acbd85e0a808a4b757f63e81ddcac54 2530 net standard nfs-utils_1.3.4-2.1+deb9u1.dsc
 ad3cd9a7ba168668933dc4dd3e8597e7 42088 net standard nfs-utils_1.3.4-2.1+deb9u1.debian.tar.bz2
 21f5abc9a9fef86c039f6fadfed73f36 6389 net standard nfs-utils_1.3.4-2.1+deb9u1_source.buildinfo

-----BEGIN PGP SIGNATURE-----

iQKmBAEBCgCQFiEERkRAmAjBceBVMd3uBUy48xNDz0QFAl787dlfFIAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2
NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQSHGNhcm5pbEBk
ZWJpYW4ub3JnAAoJEAVMuPMTQ89EF60QAIPcNEAhpX+LdGekLUx4vi19Ux/Flmu6
YojoEcpi6stkc5KCZDo+LQ0R6SXasirWrhm4uNmGZNp9HU4i2suLW22pPljiaPXR
XNkRf9V+MwGNbvLTxrlr132Vi4LvpayoC//+2CyRnpXJsOv+q30q61c6MEGj9Gdx
QqkDm9qB0lQqxle8PqQAbj97fiXxCY5BfA7CK6jm0UqIegMKn40aXA06gpxVQzzn
pub+DR+Cy5N6do1GNle9K8zC/TEhoE3Rmv1lL5sB+xI62H1O8R7U3Z/tdOsb9EAv
Bug#940848: marked as done (nfs-utils: CVE-2019-3689: root-owned files stored in insecure /var/lib/nfs)
Your message dated Fri, 13 Mar 2020 13:51:41 +
with message-id and subject line Bug#940848: fixed in nfs-utils 1:1.3.4-3
has caused the Debian Bug report #940848,
regarding nfs-utils: CVE-2019-3689: root-owned files stored in insecure /var/lib/nfs
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)

--
940848: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=940848
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

--- Begin Message ---
Source: nfs-utils
Version: 1:1.3.4-2.5
Severity: normal
Tags: security upstream

Hi,

The following vulnerability was published for nfs-utils. Please note that
even though the description mentions the SUSE packages, in Debian
/var/lib/nfs is similarly used.

CVE-2019-3689[0]:
| The nfs-utils package in SUSE Linux Enterprise Server 12 before and
| including version 1.3.0-34.18.1 and in SUSE Linux Enterprise Server 15
| before and including version 2.1.1-6.10.2 the directory /var/lib/nfs
| is owned by statd:nogroup. This directory contains files owned and
| managed by root. If statd is compromised, it can therefore trick
| processes running with root privileges into creating/overwriting files
| anywhere on the system if fs.protected_symlinks is not set

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2019-3689
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3689
[1] https://bugzilla.suse.com/show_bug.cgi?id=1150733
[2] https://build.opensuse.org/request/show/731364

Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: nfs-utils
Source-Version: 1:1.3.4-3
Done: Salvatore Bonaccorso

We believe that the bug you reported is fixed in the latest version of
nfs-utils, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 940...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso (supplier of updated nfs-utils package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 13 Mar 2020 05:16:46 +0100
Source: nfs-utils
Architecture: source
Version: 1:1.3.4-3
Distribution: unstable
Urgency: medium
Maintainer: Debian kernel team
Changed-By: Salvatore Bonaccorso
Closes: 892654 925089 925943 940848 953441
Changes:
 nfs-utils (1:1.3.4-3) unstable; urgency=medium
 .
   [ Salvatore Bonaccorso ]
   * nfsiostat: replace 'list' reserved word. Thanks to Matthew Ruffell
     (Closes: #925943, LP: #1821261)
   * Remove Anibal Monsalve Salazar from Uploaders on request of MIA team.
     Thanks to Anibal Monsalve Salazar for all previous work done on nfs-utils.
     (Closes: #925089)
   * statd: take user-id from /var/lib/nfs/sm (CVE-2019-3689) (Closes: #940848)
   * Don't make /var/lib/nfs owned by statd. Only sm and sm.bak need to be
     accessible by statd or sm-notify after they drop privileges.
   * debian/control: Point Vcs URLs to kernel-team namespace repository
   * debian/control: Add myself to Uploaders
 .
   [ Andreas Hasenack ]
   * debian/nfs-utils_env.sh: Fix mismatching [RPC]SVCGSSDOPTS defaults
     Export SVCGSSDARGS, which is the variable name expected by the
     rpc-svcgssd systemd service. The old variable is still being exported
     to prevent upgrades from breaking for those who may have overridden the
     systemd service to work around the bug. (Closes: #892654)
 .
   [ Ben Hutchings ]
   * debian/control: Remove Daniel Pocock from Uploaders. (Closes: #953441)
   * debian/control: Delete wrong Homepage fields for binary packages
   * debian/control: Change Homepage to HTTP-S URL
   * debian/copyright: Update upstream source URL to match debian/watch
Checksums-Sha1:
 5123fb77555ff163099dda1c4d13d05004384f0e 2448 nfs-utils_1.3.4-3.dsc
 82c52f3de518413c123640f090370f1dce5e1a5e 50348 nfs-utils_1.3.4-3.debian.tar.xz
Checksums-Sha256:
 7a4b5cd04f0309c9e9184ed4759ec943a7cb3fd4716644492211fac6de4b8af3 2448 nfs-utils_1.3.4-3.dsc
 1fe2cfc6fba315350ea39423ebe93d930b913dd360a41edd8d0dfb571a602181 50348 nfs-utils_1.3.4-3.debian.tar.xz
Files:
 601dc44bba5f6f32b8ec5a6f4f590119