Candidate: CVE-2009-3286
Description:
 O_EXCL creates on NFSv4 have an issue: with enough attempts, a failed create
 can leave behind a lingering file that is world-writable but setuid-executable
 only as the user who is attempting these creates. Fortunately, root is not
 susceptible to this bug, so a setuid root file should not be possible. It
 might still be possible to exploit this to gain access as another user.
References:
 http://www.openwall.com/lists/oss-security/2009/09/21/2
 https://bugzilla.redhat.com/show_bug.cgi?id=524520#c0
Ubuntu-Description:
Notes:
Bugs:
upstream: released (2.6.30-rc1) [79fb54ab]
linux-2.6: released (2.6.30-1)
2.6.18-etch-security: released (2.6.18.dfsg.1-26etch1) [bugfix/all/nfsd4-reindent-do_open_lookup.patch, bugfix/all/nfsd4-fix-open-create-permissions.patch, bugfix/all/nfsd4-de-union-iattr-and-verf.patch]
2.6.24-etch-security: released (2.6.24-6~etchnhalf.9etch1) [bugfix/all/nfsd4-de-union-iattr-and-verf.patch]
2.6.26-lenny-security: released (2.6.26-19lenny1) [bugfix/all/nfsd4-de-union-iattr-and-verf.patch]