singularity-3.8.5-2 available in EPEL and Fedora

Dave Dykstra
Dec 24, 2021, 9:57:12 AM
to singu...@lbl.gov, wlcg-co...@cern.ch
singularity-3.8.5-2 has now been promoted to the stable epel & Fedora
updates yum repositories.

Dave

On Thu, Dec 16, 2021 at 09:07:30AM -0600, Dave Dykstra wrote:
> singularity-3.8.5-2, which has been recompiled with go 1.16.12, is
> now available in epel-testing and Fedora testing yum repositories.
> I encourage everyone to upgrade. If you do and it works fine, please
> provide karma at
> https://bodhi.fedoraproject.org/updates/?search=singularity
>
> If 3 people provide positive karma for a particular OS version it can be
> promoted to stable sooner, otherwise they should be promoted in about a
> week.
>
> Dave
>
>
> On Tue, Dec 14, 2021 at 05:55:20PM -0600, Dave Dykstra wrote:
> > All previously built packages of singularity may be vulnerable to a
> > golang CVE, detailed in this release announcement of go 1.16.12 and
> > 1.17.5, which has a fix:
> > https://groups.google.com/g/golang-announce/c/hcmEScgc00k
> >
> > The problem was with syscall.ForkExec, and even though there is no
> > specific known exploit, singularity uses that system call so it might be
> > affected. This is what the announcement says:
> >
> > syscall: don’t close fd 0 on ForkExec error
> >
> > When a Go program running on a Unix system is out of file
> > descriptors and calls syscall.ForkExec (including indirectly by
> > using the os/exec package), syscall.ForkExec can close file
> > descriptor 0 as it fails. If this happens (or can be provoked)
> > repeatedly, it can result in misdirected I/O such as writing network
> > traffic intended for one connection to a different connection, or
> > content intended for one file to a different one.
> >
> > It also says "For users who cannot immediately update to the new
> > release, the bug can be mitigated by raising the per-process file
> > descriptor limit" but an intentional attempt to trigger this bug can
> > probably get around that, so it would be safest to recompile all
> > singularity installations with golang 1.16.12 or 1.17.5, particularly
> > those that are setuid installations.
> >
> > I am rebuilding the EPEL & Fedora rpms and will send a separate
> > announcement when they are available.
> >
> > Dave Dykstra
> > Apptainer security lead
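The failure mode quoted from the Go announcement can be checked for directly on a given toolchain: drive the process out of file descriptors, call syscall.ForkExec so that it fails before forking, and confirm that fd 0 still refers to the same open file afterwards. The Go program below is an added example written for this page; it is not Singularity/Apptainer code and not part of the Go announcement. The soft limit of 64 descriptors and /bin/true as the (never reached) exec target are arbitrary choices made here, and the device/inode comparison via fstat is this example's way of telling whether fd 0 survived.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"syscall"
	"time"
)

// fdIdentity returns the (device, inode) pair of the open file behind fd.
// Comparing it before and after a failed ForkExec tells us whether fd 0
// still refers to the same open file.
func fdIdentity(fd int) (dev, ino uint64, err error) {
	var st syscall.Stat_t
	if err := syscall.Fstat(fd, &st); err != nil {
		return 0, 0, err
	}
	return uint64(st.Dev), uint64(st.Ino), nil
}

// ensureFd0Open makes sure fd 0 is open so there is something to lose.
// If it is already closed, open(2) hands out the lowest free descriptor,
// which is then 0.
func ensureFd0Open() error {
	var st syscall.Stat_t
	if err := syscall.Fstat(0, &st); err == nil {
		return nil
	}
	fd, err := syscall.Open("/dev/null", syscall.O_RDONLY, 0)
	if err != nil {
		return err
	}
	if fd != 0 {
		syscall.Close(fd)
		return fmt.Errorf("expected /dev/null to land on fd 0, got %d", fd)
	}
	return nil
}

// exhaustFDs lowers the soft RLIMIT_NOFILE to limit (if it is higher) and
// opens /dev/null until the kernel answers EMFILE. The returned restore
// function closes those descriptors and puts the limit back.
func exhaustFDs(limit uint64) (restore func(), err error) {
	var rl syscall.Rlimit
	if err := syscall.Getrlimit(syscall.RLIMIT_NOFILE, &rl); err != nil {
		return nil, err
	}
	orig := rl
	if rl.Cur > limit {
		rl.Cur = limit
		if err := syscall.Setrlimit(syscall.RLIMIT_NOFILE, &rl); err != nil {
			return nil, err
		}
	}
	var fds []int
	for {
		fd, err := syscall.Open("/dev/null", syscall.O_RDONLY|syscall.O_CLOEXEC, 0)
		if err != nil {
			break // EMFILE: the descriptor table is full
		}
		fds = append(fds, fd)
	}
	restore = func() {
		for _, fd := range fds {
			syscall.Close(fd)
		}
		syscall.Setrlimit(syscall.RLIMIT_NOFILE, &orig)
	}
	return restore, nil
}

// checkForkExecKeepsStdin reproduces the conditions from the announcement:
// with no free descriptors, syscall.ForkExec cannot create its internal
// status pipe and fails before forking. A fixed toolchain leaves fd 0 alone;
// an affected one closes it, so fstat(0) afterwards fails with EBADF.
func checkForkExecKeepsStdin(fdLimit uint64) (stdinIntact bool, execErr error, err error) {
	// The runtime creates its poller descriptors lazily on first timer use;
	// force that now so the runtime itself does not hit EMFILE mid-check.
	time.Sleep(time.Millisecond)

	if err := ensureFd0Open(); err != nil {
		return false, nil, err
	}
	devBefore, inoBefore, err := fdIdentity(0)
	if err != nil {
		return false, nil, err
	}
	restore, err := exhaustFDs(fdLimit)
	if err != nil {
		return false, nil, err
	}
	defer restore()

	// /bin/true is arbitrary: with the table full the call fails before exec.
	_, execErr = syscall.ForkExec("/bin/true", []string{"true"},
		&syscall.ProcAttr{Files: []uintptr{0, 1, 2}})

	devAfter, inoAfter, err := fdIdentity(0)
	if errors.Is(err, syscall.EBADF) {
		return false, execErr, nil // fd 0 is gone: the bug is present
	}
	if err != nil {
		return false, execErr, err
	}
	return devBefore == devAfter && inoBefore == inoAfter, execErr, nil
}

func main() {
	intact, execErr, err := checkForkExecKeepsStdin(64)
	if err != nil {
		fmt.Fprintln(os.Stderr, "check failed:", err)
		os.Exit(2)
	}
	fmt.Println("ForkExec error under exhaustion:", execErr)
	if !intact {
		fmt.Println("fd 0 was closed by the failed ForkExec: toolchain is affected")
		os.Exit(1)
	}
	fmt.Println("fd 0 survived the failed ForkExec: toolchain has the fix")
}
```

Build it with the toolchain you want to vet and run it; the exit status is 1 when fd 0 is lost. Lowering the soft limit only applies to new allocations, so the check does not disturb descriptors the process already holds, and the deferred restore puts the table back before the result is reported.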