Univention Bugzilla – Bug 51696
nfs-utils: Multiple issues (4.4)
Last modified: 2020-08-31 08:28:34 CEST
New Debian nfs-utils 1:1.3.4-2.1+deb9u1A~4.4.5.202007221413 fixes:
This update addresses the following issue:
* root-owned files stored in insecure /var/lib/nfs (CVE-2019-3689)
--- mirror/ftp/4.3/unmaintained/4.3-0/source/nfs-utils_1.3.4-2.1A~4.3.0.201711222152.dsc +++ apt/ucs_4.4-0-errata4.4-5/source/nfs-utils_1.3.4-2.1+deb9u1A~4.4.5.202007221413.dsc @@ -1,7 +1,14 @@ -1:1.3.4-2.1A~4.3.0.201711222152 [Wed, 22 Nov 2017 21:55:00 +0100] Univention builddaemon <buildd@univention.de>: +1:1.3.4-2.1+deb9u1A~4.4.5.202007221413 [Wed, 22 Jul 2020 14:22:08 +0200] Univention builddaemon <buildd@univention.de>: - * UCS auto build. The following patches have been applied to the original source package - 00-add_ucr_autostart + * UCS auto build. No patches were applied to the original source package + +1:1.3.4-2.1+deb9u1 [Wed, 24 Jun 2020 10:20:47 +0200] Salvatore Bonaccorso <carnil@debian.org>: + + * statd: take user-id from /var/lib/nfs/sm (CVE-2019-3689) (Closes: #940848) + * Don't make /var/lib/nfs owned by statd. + Only sm and sm.bak need to be accessible by statd or sm-notify after + they drop privileges. + * debian/control: Point Vcs URLs to kernel-team namespace repository 1:1.3.4-2.1 [Mon, 20 Mar 2017 16:07:55 +0100] Andreas Henriksson <andreas@fatal.se>: <http://10.200.17.11/4.4-5/#358274526059583325>
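Review bot: the new top entry reads "No patches were applied to the original source package", while the entry it replaces listed 00-add_ucr_autostart as applied, so this build drops the UCS-specific patch along with picking up the CVE-2019-3689 fix. Rebuild with 00-add_ucr_autostart applied on top of 1:1.3.4-2.1+deb9u1 before this version goes into errata4.4-5, and check that the rebuilt changelog lists the patch again.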
Due to Bug #49600 patches were not applied.

r19109 | Bug #51696: nfs-utils

Package: nfs-utils
Version: 1:1.3.4-2.1+deb9u1A~4.4.0.202007231312
Branch: ucs_4.4-0
Scope: errata4.4-5

Package: nfs-utils
Version: 1:1.3.4-2.1+deb9u1A~4.4.5.202007231320
Branch: ucs_4.4-0
Scope: errata4.4-5
--- mirror/ftp/4.3/unmaintained/4.3-0/source/nfs-utils_1.3.4-2.1A~4.3.0.201711222152.dsc +++ apt/ucs_4.4-0-errata4.4-5/source/nfs-utils_1.3.4-2.1+deb9u1A~4.4.5.202007231320.dsc @@ -1,7 +1,15 @@ -1:1.3.4-2.1A~4.3.0.201711222152 [Wed, 22 Nov 2017 21:55:00 +0100] Univention builddaemon <buildd@univention.de>: +1:1.3.4-2.1+deb9u1A~4.4.5.202007231320 [Thu, 23 Jul 2020 13:20:00 +0200] Univention builddaemon <buildd@univention.de>: * UCS auto build. The following patches have been applied to the original source package 00-add_ucr_autostart + +1:1.3.4-2.1+deb9u1 [Wed, 24 Jun 2020 10:20:47 +0200] Salvatore Bonaccorso <carnil@debian.org>: + + * statd: take user-id from /var/lib/nfs/sm (CVE-2019-3689) (Closes: #940848) + * Don't make /var/lib/nfs owned by statd. + Only sm and sm.bak need to be accessible by statd or sm-notify after + they drop privileges. + * debian/control: Point Vcs URLs to kernel-team namespace repository 1:1.3.4-2.1 [Mon, 20 Mar 2017 16:07:55 +0100] Andreas Henriksson <andreas@fatal.se>: <http://10.200.17.11/4.4-5/#599132343461923437>
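Review bot: the imported entry "* Don't make /var/lib/nfs owned by statd." does not say what happens to a /var/lib/nfs directory that an earlier package version already handed over to statd. The erratum QA should check the owner of /var/lib/nfs after an upgrade from the previous version, not only on a fresh install, and confirm that only sm and sm.bak remain accessible to statd and sm-notify, as the entry states.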
OK: yaml
OK: announce_errata
OK: patch
OK: piuparts

[4.4-5] 57d0956cb8 Bug #51696: nfs-utils 1:1.3.4-2.1+deb9u1A~4.4.5.202007231320
 doc/errata/staging/nfs-utils.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

[4.4-5] d1c4804bc4 Bug #51696: nfs-utils 1:1.3.4-2.1+deb9u1A~4.4.5.202007221413
 doc/errata/staging/nfs-utils.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

[4.4-5] dedcc07a34 Bug #51696: nfs-utils 1:1.3.4-2.1+deb9u1A~4.4.5.202007221413
 doc/errata/staging/nfs-utils.yaml | 12 ++++++++++++
 1 file changed, 12 insertions(+)
<https://errata.software-univention.de/#/?erratum=4.4x667>