diff --git a/nfs-utils.changes b/nfs-utils.changes
index 20878c6..e43f0b6 100644
--- a/nfs-utils.changes
+++ b/nfs-utils.changes
@@ -1,3 +1,12 @@
+-------------------------------------------------------------------
+Mon Sep 16 23:43:37 UTC 2019 - Neil Brown <nfbrown@suse.com>
+
+- Don't make /var/lib/nfs owned by statd.
+  Only sm sm.bak and state need to be accessible by
+  statd.  Providing they get created, the parent
+  directory can be root-owned.
+  (bsc#1150733 CVE-2019-3689)
+
 -------------------------------------------------------------------
 Mon Sep 16 05:56:12 UTC 2019 - Neil Brown <nfbrown@suse.com>
 
diff --git a/nfs-utils.spec b/nfs-utils.spec
index 8e33ce1..eb016f9 100644
--- a/nfs-utils.spec
+++ b/nfs-utils.spec
@@ -344,7 +344,7 @@ fi
 %{_mandir}/man8/blkmapd.8%{ext_man}
 %{_mandir}/man8/rpc.svcgssd.8%{ext_man}
 %{_fillupdir}/sysconfig.nfs
-%attr(0711,statd,nogroup) %dir %{_localstatedir}/lib/nfs
+%dir %{_localstatedir}/lib/nfs
 %dir %{_localstatedir}/lib/nfs/rpc_pipefs
 %dir %{_localstatedir}/lib/nfs/v4recovery
 %attr(0700,statd,nogroup) %dir %{_localstatedir}/lib/nfs/sm