SUSE 5150 Published by

A watchman security update has been released for SUSE Linux Enterprise 15 SP3.



openSUSE-SU-2022:0016-1: important: Security update for watchman


openSUSE Security Update: Security update for watchman
______________________________________________________________________________

Announcement ID: openSUSE-SU-2022:0016-1
Rating: important
References: #1181400 #1194470
Cross-References: CVE-2022-21944
Affected Products:
openSUSE Backports SLE-15-SP3
______________________________________________________________________________

An update that solves one vulnerability and has one errata
is now available.

Description:

This update for watchman fixes the following issues:

- ship README.suse that explains how to use the template systemd units
- add user writable bit for systemd service and socket files
- properly handle state directory creation in /run/watchman/$USER-state.
The former approach was susceptible to a local privilege escalation
using symlinks (CVE-2022-21944, boo#1194470).

- Added hardening to systemd service(s) (boo#1181400). Modified:
* watchman@.service

- removed python2 bindings
- enabled python3 bindings as python3-watchman

- Changes in 4.8.0:

* New command `flush-subscriptions` to synchronize subscriptions
associated with the current session.
* Enforce socket Unix groups more strongly ??? Watchman will now
refuse to start if it couldn't gain the right group memberships, as
can happen for sites that are experiencing intermittent LDAP
connectivity problems.
* pywatchman now officially supports Python 3. pywatchman will return
Unicode strings (possibly with surrogate escapes) by default, but
can optionally return bytestrings. Note that on Python 3, pywatchman
requires Watchman 4.8 and above. The Python 2 interface and
requirements remain unchanged.
* Prior to 4.8, methods on the Java WatchmanClient that returned
ListenableFutures would swallow exceptions and hang in an unfinished
state under situations like socket closure or thread death. This
has been fixed, and now ListenableFutures propagate exception
conditions immediately. (Note that this is typically unrecoverable,
and users should create a new WatchmanClient to re-establish
communication with Watchman.) See #412.
* The minimum Java version for the Watchman Java client has always
been 1.7, but it was incorrectly described to be 1.6. The Java
client's build file has been fixed accordingly.
* Watchman was converted from C to C++. The conversion exposed
several concurrency bugs, all of which have now been fixed.
* Subscription queries are now executed in the context of the client
thread, which means that subscriptions are dispatched in parallel.
Previously, subscriptions would be serially dispatched and block the
disk IO thread.
* Triggers are now dispatched in parallel and waits are managed in
their own threads (one thread per trigger). This improves
concurrency and resolves a couple of waitpid related issues where
watchman may not reap spawned children in a timely fashion, or may
spin on CPU until another child is spawned.
* Fixed an object lifecycle management issue that could cause a crash
when aging out old/transient files.
* Implement an upgraded wire protocol, BSERv2, on the server and in
pywatchman. BSERv2 can carry information about string encoding over
the wire. This lets pywatchman convert to Unicode strings on Python
3. Clients and servers know how to transparently fall back to
BSERv1.
- Changes in 4.9.0:
* New field: `content.sha1hex`. This field expands to the SHA1 hash
of the file contents, expressed in hex digits (40 character hex
string). Watchman maintains a cache of the content hashes and can
compute the hash on demand and also heuristically as files are
changed. This is useful for tooling that wants to perform more
intelligent cache invalidation
or build artifact fetching from content addressed storage.
* Fixed an issue that resulted in the perf logging thread deadlocking
when `perf_logger_command` is enabled in the global configuration
* Fixed an issue where queries larger than 1MB would likely result in
a PDU error response.
* Reduced lock contention for subscriptions that do no use the
advanced settling (`drop`, `defer`) options.
* Fixed `since` generator behavior when using unix timestamps rather
than the preferred clock string syntax
* Improved the reporting of "new" files in watchman results
* Improved performance of handling changes on case insensitive
filesystems
* pywatchman: the python wheel format is used for publishing watchman
pypi package
* pywatchman: now watchman path is configurable in python client
* pywatchman: now python client can be used as a context manager

Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Backports SLE-15-SP3:

zypper in -t patch openSUSE-2022-16=1


Package List:

- openSUSE Backports SLE-15-SP3 (aarch64 i586 ppc64le s390x x86_64):

python3-watchman-1.4.0-bp153.2.3.1
watchman-4.9.0-bp153.2.3.1

References:

  https://www.suse.com/security/cve/CVE-2022-21944.html
  https://bugzilla.suse.com/1181400
  https://bugzilla.suse.com/1194470