In the nfs-utils package in SUSE Linux Enterprise Server 12 before and including version 1.3.0-34.18.1 and in SUSE Linux Enterprise Server 15 before and including version 2.1.1-6.10.2, the directory /var/lib/nfs is owned by statd:nogroup. This directory contains files owned and managed by root. If statd is compromised, it can therefore trick processes running with root privileges into creating/overwriting files anywhere on the system.
Reference: https://bugzilla.suse.com/show_bug.cgi?id=1150733
Upstream commit: https://git.linux-nfs.org/?p=steved/nfs-utils.git;a=commitdiff;h=fee2cc29e888f2ced6a76990923aef19d326dc0e
Created nfs-utils tracking bugs for this issue: Affects: fedora-all [bug 1850196]
Statement: This issue did not affect the versions of nfs-utils as shipped with Red Hat Enterprise Linux 6, 7, and 8, as the /var/lib/nfs directory is owned by root:root.
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2019-3689
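An ownership audit for the condition described above, added here as an example and not taken from the bug report or from nfs-utils: it flags root-owned entries that sit in a directory a non-root account owns. It goes slightly beyond the report by also flagging group- or world-writable parent directories without the sticky bit. The uid 478 for statd and the entries in SAMPLE are constructed for illustration.

```python
import os
import stat
from typing import NamedTuple

ROOT_UID = 0

class Entry(NamedTuple):
    path: str
    uid: int       # owner of the entry itself
    dir_uid: int   # owner of the directory containing it
    dir_mode: int  # st_mode of that directory

# Constructed sample modelled on the affected layout; uid 478 stands in for statd.
SAMPLE = [
    Entry("/var/lib/nfs/etab", 0, 478, 0o40755),
    Entry("/var/lib/nfs/rmtab", 0, 478, 0o40755),
    Entry("/var/lib/nfs/sm", 478, 478, 0o40755),
]

def collect(top):
    """lstat every entry under top without following symlinks."""
    entries = []
    for dirpath, dirnames, filenames in os.walk(top, followlinks=False):
        parent = os.lstat(dirpath)
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except FileNotFoundError:  # removed while scanning
                continue
            entries.append(Entry(path, st.st_uid, parent.st_uid, parent.st_mode))
    return entries

def risky(entries, privileged_uid=ROOT_UID):
    """Return (path, reason) for root-owned entries a non-root user can replace."""
    findings = []
    for e in entries:
        if e.uid != privileged_uid:
            continue
        loose = e.dir_mode & (stat.S_IWGRP | stat.S_IWOTH) and not e.dir_mode & stat.S_ISVTX
        if e.dir_uid != privileged_uid:
            findings.append((e.path, "parent directory owned by uid %d" % e.dir_uid))
        elif loose:
            findings.append((e.path, "parent directory group/world-writable, no sticky bit"))
    return findings

if __name__ == "__main__":
    for path, reason in risky(collect("/var/lib/nfs")):
        print("%s: %s" % (path, reason))
```

On a host where /var/lib/nfs is owned by root:root, as in the Red Hat statement above, the script prints nothing for that directory.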