Closed Dipenduroy closed 2 years ago
@Dipenduroy Thanks for the heads up. Reading the CVE, it looks like a SUSE-specific packaging issue. Are you suggesting anything be done here, or is this just a notification?
@chadaustin It seems something has to be done indeed: fb-watchman must require watchman 4.9.0 and refuse to run against earlier versions. There may be other points of exploit that are relevant for this issue.
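The version gate proposed in the comment above, written out as an added example; this is not fb-watchman's or Watchman's own code. It assumes that the daemon's `version` query answers with a dict carrying a `"version"` string (as I understand the pywatchman protocol to do) and that a distribution release suffix, when present, uses the `4.9.0-9.1` form quoted in the advisory. The `WatchmanTooOld` exception and the `check_daemon_version` helper are hypothetical names chosen for the example.

```python
"""Added example: refuse to use a watchman daemon older than a required version.

Not fb-watchman's own code. Assumes the daemon's `version` command returns
{"version": "<string>"} and that package releases look like "4.9.0-9.1"
(upstream version, dash, distribution release), as in the advisory text.
"""
import re
from typing import Tuple

# Minimum fixed versions quoted in the advisory for CVE-2022-21944.
MIN_UPSTREAM = "4.9.0"        # openSUSE Backports SLE-15-SP3: "prior to 4.9.0"
MIN_FACTORY = "4.9.0-9.1"     # openSUSE Factory: "prior to 4.9.0-9.1"

_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:-(\d+(?:\.\d+)*))?$")


def parse_version(text: str) -> Tuple[Tuple[int, ...], Tuple[int, ...]]:
    """Split '4.9.0-9.1' into ((4, 9, 0), (9, 1)); bare '4.9.0' gets an empty release."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised watchman version string: {text!r}")
    upstream = tuple(int(p) for p in m.group(1).split("."))
    release = tuple(int(p) for p in m.group(2).split(".")) if m.group(2) else ()
    return upstream, release


def _pad(a: Tuple[int, ...], b: Tuple[int, ...]):
    """Right-pad both tuples with zeros so '5.0' compares against '4.9.0' component-wise."""
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)), b + (0,) * (n - len(b))


def meets_minimum(found: str, required: str) -> bool:
    """True if `found` is at least `required`.

    The upstream version decides first; the package release only matters when the
    upstream parts are equal (4.9.0-8.1 < 4.9.0-9.1 < 4.10.0). A version with no
    release suffix counts as release 0, so a plain '4.9.0' does not satisfy a
    '4.9.0-9.1' minimum: the patched Factory package is a rebuild of 4.9.0.
    """
    fu, fr = parse_version(found)
    ru, rr = parse_version(required)
    fu, ru = _pad(fu, ru)
    if fu != ru:
        return fu > ru
    fr, rr = _pad(fr, rr)
    return fr >= rr


class WatchmanTooOld(RuntimeError):
    """Hypothetical error type: the daemon is in the version range the advisory covers."""


def check_daemon_version(version_response: dict, required: str = MIN_UPSTREAM) -> str:
    """Validate the dict returned by the daemon's `version` command.

    Returns the version string when it is acceptable and raises otherwise, so a
    client using this check cannot proceed against an affected daemon.
    """
    found = version_response.get("version")
    if not isinstance(found, str):
        raise WatchmanTooOld("daemon did not report a version string")
    if not meets_minimum(found, required):
        raise WatchmanTooOld(f"watchman {found} is older than required {required}")
    return found


if __name__ == "__main__":
    # Constructed responses standing in for client.query("version"); not real daemon output.
    for resp in ({"version": "4.7.0"}, {"version": "4.9.0"}, {"version": "4.9.0-9.1"}):
        try:
            print(resp["version"], "accepted:", check_daemon_version(resp, MIN_FACTORY))
        except WatchmanTooOld as exc:
            print(resp["version"], "rejected:", exc)
```

The comparison deliberately treats the release suffix as significant only when the upstream versions match, because the advisory names two different fixed versions (4.9.0 for Backports, 4.9.0-9.1 for Factory) that share the same upstream number; a client that compared only the upstream part would accept the unpatched Factory build.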
We don't maintain SUSE packaging, so I think Watchman itself is off the hook.
Filename: fb-watchman:2.0.1 | Reference: CVE-2022-21944 | CVSS Score: 7.8 | Category: CWE-59 | A UNIX Symbolic Link (Symlink) Following vulnerability in the systemd service file for watchman of openSUSE Backports SLE-15-SP3, Factory allows local attackers to escalate to root. This issue affects: openSUSE Backports SLE-15-SP3 watchman versions prior to 4.9.0. openSUSE Factory watchman versions prior to 4.9.0-9.1.