EPEL/Fedora builds of Singularity 3.7.4 security release available


Dave Dykstra

May 26, 2021, 2:16:23 PM5/26/21
to singu...@lbl.gov, wlcg-co...@cern.ch
EPEL and Fedora builds of Singularity 3.7.4 are available at
https://bodhi.fedoraproject.org/updates/?search=singularity

At this time they are pending getting into testing, but if you click on
an individual build and then the tab "Builds" it will take you to where
you can download the rpm from koji. They should be in the testing yum
repo by tomorrow. Please give Karma if you test it and it works.

Dave

On Wed, May 26, 2021 at 10:33:50AM -0700, Krishna Muriki wrote:
> https://github.com/hpcng/singularity/releases/tag/v3.7.4
>
> Singularity 3.7.4 is a security release. We recommend all users upgrade to
> this version.
> *Security Related Fixes*
>
> - CVE-2021-32635
> <https://github.com/hpcng/singularity/security/advisories/GHSA-jq42-hfch-42f3>:
> Due to incorrect use of a default URL, singularity action commands
> (run/shell/exec) specifying a container using a library:// URI will always
> attempt to retrieve the container from the default remote endpoint
> (cloud.sylabs.io) rather than the configured remote endpoint. An attacker
> may be able to push a malicious container to the default remote endpoint
> with a URI that is identical to the URI used by a victim with a non-default
> remote endpoint, thus executing the malicious container.
>
> *Thanks / Reporting Bugs*
>
> Thanks to our contributors
> <https://github.com/hpcng/singularity/graphs/contributors> for code,
> feedback and testing efforts!
>
> As always, please report any bugs to:
> https://github.com/hpcng/singularity/issues/new
>
> If you think that you've discovered a security vulnerability please report
> it to: singularit...@hpcng.org
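As an added illustration, not code from Singularity or from either message above, the following Go model shows the bug class the advisory describes: a library:// reference resolved against a hard-coded default endpoint instead of the configured remote, beside the corrected resolution and the host check a site admin would want. The remote base URL, image path, and the function names are constructed assumptions.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// DefaultEndpoint stands in for the default remote (cloud.sylabs.io).
const DefaultEndpoint = "https://cloud.sylabs.io"

// libraryPath checks the scheme and returns the image path of a library:// URI.
func libraryPath(ref string) (string, error) {
	if !strings.HasPrefix(ref, "library://") {
		return "", fmt.Errorf("not a library URI: %q", ref)
	}
	return strings.TrimPrefix(ref, "library://"), nil
}

// ResolveVulnerable mirrors the flawed behaviour: the configured remote (a
// hypothetical base URL) is ignored, so every fetch goes to the default.
func ResolveVulnerable(ref, _ string) (string, error) {
	p, err := libraryPath(ref)
	if err != nil {
		return "", err
	}
	return DefaultEndpoint + "/" + p, nil
}

// ResolveFixed builds the fetch URL from the configured remote's base URL.
func ResolveFixed(ref, remote string) (string, error) {
	p, err := libraryPath(ref)
	if err != nil {
		return "", err
	}
	base, err := url.Parse(remote)
	if err != nil || base.Host == "" {
		return "", fmt.Errorf("invalid remote endpoint %q", remote)
	}
	return strings.TrimSuffix(base.String(), "/") + "/" + p, nil
}

// EndpointMatches is the check a site admin wants: does the resolved URL
// point at the host of the configured remote rather than the default?
func EndpointMatches(resolved, remote string) bool {
	u, err := url.Parse(resolved)
	b, err2 := url.Parse(remote)
	return err == nil && err2 == nil && u.Host == b.Host
}
```

A remote given without a scheme (for example a bare hostname) has no host after parsing and is rejected by ResolveFixed rather than silently falling back to the default.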