Candidate: CVE-2019-11675
PublicDate: 2019-05-02 06:29:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11675
 https://bugs.debian.org/928304
Description:
 The groonga-httpd package 6.1.5-1 for Debian sets the /var/log/groonga
 ownership to the groonga account, which might let local users obtain root
 access because of unsafe interaction with logrotate. For example, an
 attacker can exploit a race condition to insert a symlink from
 /var/log/groonga/httpd to /etc/bash_completion.d. NOTE: this is an issue in
 the Debian packaging of the Groonga HTTP server.
Ubuntu-Description:
Notes:
Bugs:
 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=928304
Priority: medium
Discovered-by:
Assigned-to:
CVSS:
 nvd: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H [7.0 HIGH]


Patches_groonga:
upstream_groonga: needs-triage
precise/esm_groonga: DNE
trusty/esm_groonga: DNE
xenial_groonga: ignored (end of standard support, was needed)
bionic_groonga: needed
cosmic_groonga: ignored (reached end-of-life)
disco_groonga: ignored (reached end-of-life)
eoan_groonga: not-affected (9.0.1-2)
focal_groonga: not-affected (9.0.1-2)
groovy_groonga: not-affected (9.0.1-2)
hirsute_groonga: not-affected (9.0.1-2)
impish_groonga: not-affected (9.0.1-2)
jammy_groonga: not-affected (9.0.1-2)
devel_groonga: not-affected (9.0.1-2)