openSUSE Security Update: Security update for watchman
______________________________________________________________________________

Announcement ID:    openSUSE-SU-2022:0016-1
Rating:             important
References:         #1181400 #1194470 
Cross-References:   CVE-2022-21944
Affected Products:
                    openSUSE Backports SLE-15-SP3
______________________________________________________________________________

   An update that solves one vulnerability and has one errata
   is now available.

Description:

   This update for watchman fixes the following issues:

   - ship README.suse that explains how to use the template systemd units
   - add user writable bit for systemd service and socket files
   - properly handle state directory creation in /run/watchman/$USER-state.
     The former approach was susceptible to a local privilege escalation
     using symlinks (CVE-2022-21944, boo#1194470).

   - Added hardening to systemd service(s) (boo#1181400). Modified:
     * watchman@.service

   - removed python2 bindings
   - enabled python3 bindings as python3-watchman

   - Changes in 4.8.0:

       * New command `flush-subscriptions` to synchronize subscriptions
         associated with the current session.
       * Enforce socket Unix groups more strongly ??? Watchman will now
         refuse to start if it couldn't gain the right group memberships, as
         can happen for sites that are experiencing intermittent LDAP
         connectivity problems.
       * pywatchman now officially supports Python 3. pywatchman will return
         Unicode strings (possibly with surrogate escapes) by default, but
         can optionally return bytestrings. Note that on Python 3, pywatchman
         requires Watchman 4.8 and above. The Python 2 interface and
         requirements remain unchanged.
       * Prior to 4.8, methods on the Java WatchmanClient that returned
         ListenableFutures would swallow exceptions and hang in an unfinished
         state under situations like socket closure or thread death.  This
         has been fixed, and now ListenableFutures propagate exception
         conditions immediately.  (Note that this is typically unrecoverable,
         and users should create a new WatchmanClient to re-establish
         communication with Watchman.)  See #412.
       * The minimum Java version for the Watchman Java client has always
         been 1.7, but it was incorrectly described to be 1.6.  The Java
         client's build file has been fixed accordingly.
       * Watchman was converted from C to C++.  The conversion exposed
         several concurrency bugs, all of which have now been fixed.
       * Subscription queries are now executed in the context of the client
         thread, which means that subscriptions are dispatched in parallel.
         Previously, subscriptions would be serially dispatched and block the
         disk IO thread.
       * Triggers are now dispatched in parallel and waits are managed in
         their own threads (one thread per trigger).  This improves
         concurrency and resolves a couple of waitpid related issues where
         watchman may not reap spawned children in a timely fashion, or may
         spin on CPU until another child is spawned.
       * Fixed an object lifecycle management issue that could cause a crash
         when aging out old/transient files.
       * Implement an upgraded wire protocol, BSERv2, on the server and in
         pywatchman. BSERv2 can carry information about string encoding over
         the wire. This lets pywatchman convert to Unicode strings on Python
         3. Clients and servers know how to  transparently fall back to
         BSERv1.
     - Changes in 4.9.0:
       * New field: `content.sha1hex`.  This field expands to the SHA1 hash
         of the file contents, expressed in hex digits (40 character hex
         string). Watchman maintains a cache of the content hashes and can
         compute the hash on demand and also heuristically as files are
         changed.  This is useful for tooling that wants to perform more
         intelligent cache invalidation
         or build artifact fetching from content addressed storage.
       * Fixed an issue that resulted in the perf logging thread deadlocking
         when `perf_logger_command` is enabled in the global configuration
       * Fixed an issue where queries larger than 1MB would likely result in
         a PDU error response.
       * Reduced lock contention for subscriptions that do no use the
         advanced settling (`drop`, `defer`) options.
       * Fixed `since` generator behavior when using unix timestamps rather
         than the preferred clock string syntax
       * Improved the reporting of "new" files in watchman results
       * Improved performance of handling changes on case insensitive
         filesystems
       * pywatchman: the python wheel format is used for publishing watchman
         pypi package
       * pywatchman: now watchman path is configurable in python client
       * pywatchman: now python client can be used as a context manager


Patch Instructions:

   To install this openSUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - openSUSE Backports SLE-15-SP3:

      zypper in -t patch openSUSE-2022-16=1



Package List:

   - openSUSE Backports SLE-15-SP3 (aarch64 i586 ppc64le s390x x86_64):

      python3-watchman-1.4.0-bp153.2.3.1
      watchman-4.9.0-bp153.2.3.1


References:

   https://www.suse.com/security/cve/CVE-2022-21944.html
   https://bugzilla.suse.com/1181400
   https://bugzilla.suse.com/1194470

openSUSE: 2022:0016-1 important: watchman

January 17, 2022
An update that solves one vulnerability and has one errata is now available

Description

This update for watchman fixes the following issues: - ship README.suse that explains how to use the template systemd units - add user writable bit for systemd service and socket files - properly handle state directory creation in /run/watchman/$USER-state. The former approach was susceptible to a local privilege escalation using symlinks (CVE-2022-21944, boo#1194470). - Added hardening to systemd service(s) (boo#1181400). Modified: * watchman@.service - removed python2 bindings - enabled python3 bindings as python3-watchman - Changes in 4.8.0: * New command `flush-subscriptions` to synchronize subscriptions associated with the current session. * Enforce socket Unix groups more strongly ??? Watchman will now refuse to start if it couldn't gain the right group memberships, as can happen for sites that are experiencing intermittent LDAP connectivity problems. * pywatchman now officially supports Python 3. pywatchman will return Unicode strings (possibly with surrogate escapes) by default, but can optionally return bytestrings. Note that on Python 3, pywatchman requires Watchman 4.8 and above. The Python 2 interface and requirements remain unchanged. * Prior to 4.8, methods on the Java WatchmanClient that returned ListenableFutures would swallow exceptions and hang in an unfinished state under situations like socket closure or thread death. This has been fixed, and now ListenableFutures propagate exception conditions immediately. (Note that this is typically unrecoverable, and users should create a new WatchmanClient to re-establish communication with Watchman.) See #412. * The minimum Java version for the Watchman Java client has always been 1.7, but it was incorrectly described to be 1.6. The Java client's build file has been fixed accordingly. * Watchman was converted from C to C++. The conversion exposed several concurrency bugs, all of which have now been fixed. * Subscription queries are now executed in the context of the client thread, which means that subscriptions are dispatched in parallel. Previously, subscriptions would be serially dispatched and block the disk IO thread. * Triggers are now dispatched in parallel and waits are managed in their own threads (one thread per trigger). This improves concurrency and resolves a couple of waitpid related issues where watchman may not reap spawned children in a timely fashion, or may spin on CPU until another child is spawned. * Fixed an object lifecycle management issue that could cause a crash when aging out old/transient files. * Implement an upgraded wire protocol, BSERv2, on the server and in pywatchman. BSERv2 can carry information about string encoding over the wire. This lets pywatchman convert to Unicode strings on Python 3. Clients and servers know how to transparently fall back to BSERv1. - Changes in 4.9.0: * New field: `content.sha1hex`. This field expands to the SHA1 hash of the file contents, expressed in hex digits (40 character hex string). Watchman maintains a cache of the content hashes and can compute the hash on demand and also heuristically as files are changed. This is useful for tooling that wants to perform more intelligent cache invalidation or build artifact fetching from content addressed storage. * Fixed an issue that resulted in the perf logging thread deadlocking when `perf_logger_command` is enabled in the global configuration * Fixed an issue where queries larger than 1MB would likely result in a PDU error response. * Reduced lock contention for subscriptions that do no use the advanced settling (`drop`, `defer`) options. * Fixed `since` generator behavior when using unix timestamps rather than the preferred clock string syntax * Improved the reporting of "new" files in watchman results * Improved performance of handling changes on case insensitive filesystems * pywatchman: the python wheel format is used for publishing watchman pypi package * pywatchman: now watchman path is configurable in python client * pywatchman: now python client can be used as a context manager

 

Patch

Patch Instructions: To install this openSUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - openSUSE Backports SLE-15-SP3: zypper in -t patch openSUSE-2022-16=1


Package List

- openSUSE Backports SLE-15-SP3 (aarch64 i586 ppc64le s390x x86_64): python3-watchman-1.4.0-bp153.2.3.1 watchman-4.9.0-bp153.2.3.1


References

https://www.suse.com/security/cve/CVE-2022-21944.html https://bugzilla.suse.com/1181400 https://bugzilla.suse.com/1194470


Severity
Announcement ID: openSUSE-SU-2022:0016-1
Rating: important
Affected Products: openSUSE Backports SLE-15-SP3 ble.

Related News

5.ShakingHands Esm H320
3 - 5 min read
There has been a promising shift in the tech industry, with major companies pledging to release products with built-in security features. This
18.WifiCutout Landscape Esm H320
2 - 3 min read
A novel attack called TunnelVision has been discovered. It compromises the security of virtually all VPN apps, rendering their purpose useless. The
21.Globe RadiatingCode Esm H320
2 - 3 min read
The recent discovery of a backdoor in XZ Utils , a widely used Linux tool, raises concerns about the security of the open-source ecosystem. While
13.Lock StylizedMotherboard Esm H320
1 - 2 min read
Spiral Linux is a Debian-based distribution that offers a range of desktop environments, making it stand out from other Linux distributions. In
32.Lock Code Circular Esm H320
2 - 3 min read
Two critical security vulnerabilities were found in pgAdmin, the open-source administration tool for PostgreSQL . The vulnerabilities assigned
1.Penguin Landscape Esm H320
2 - 3 min read
The recent release of AlmaLinux 9.4 , closely aligned with Red Hat Enterprise Linux (RHEL) 9.4 , presents Linux admins and infosec professionals
11.Locks IsometricPattern Esm H320
2 - 3 min read
The upcoming release of Linux Mint 22 will introduce significant changes, particularly in handling XApp , GNOME applications, and the Software
2.Motherboard Esm H320
2 - 3 min read
German software engineer Lennart Poettering recently presented run0 , a new tool in systemd v256 that aims to address the security concerns

Get the Latest News & Insights

Sign up to get the latest security news affecting Linux and open source delivered straight to your inbox.

© 2024 Guardian Digital, Inc All Rights Reserved