SingularityCE 4.4.2 Security Release


David Trudgian

Jun 4, 2026, 12:12:47 PM
to Singularity Community Edition

Security Related Fixes Changed Defaults / Behaviours

Although SingularityCE does not aim to contain execution / prevent host modification when started as the host root user, the following changes have been adopted to permit finer control over the use of external binaries, with a modified default search path when singularity is run as the host root user:

  • When started as host root, external binaries (except those with explicit configuration entries) are now found using the root search path in singularity.conf. By default this excludes searching the environment $PATH. Add $PATH: to the start of root search path in singularity.conf to restore previous behavior.
  • When started as non-root / fake root, external binaries (except those with explicit configuration entries) are now found using the user search path in singularity.conf. By default this includes $PATH, so there is no effective behaviour change vs previous versions.

Thank you to @KoseceMehmet for suggesting this change.

Thanks / Reporting Bugs

Thanks to our contributors for code, feedback, and testing efforts!

As always, please report any bugs to: https://github.com/sylabs/singularity/issues/new

If you think that you've discovered a security vulnerability please report it to: secu...@sylabs.io

Have fun!
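An added example, not part of the original announcement or the SingularityCE code base: a small audit helper showing how the root and user search paths described above differ once `$PATH` is expanded, and whether a given configuration lets the caller's environment influence lookup as root. The directive spellings `root search path` / `user search path` are assumed from the announcement's wording and the directory values are constructed; check both against the installed singularity.conf.

```python
import os

# Constructed sample. Directive spellings follow the announcement's wording
# (an assumption); the directory values are illustrative.
SAMPLE_CONF = """\
root search path = /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
user search path = $PATH:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
"""

def read_directive(conf_text, name):
    """Return the value of a `name = value` line, or "" if it is absent."""
    for line in conf_text.splitlines():
        line = line.strip()
        if line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        if key.strip() == name:
            return value.strip()
    return ""

def configured_entries(conf_text, as_root):
    """Raw colon-separated entries of the search path that applies."""
    name = "root search path" if as_root else "user search path"
    return [e for e in read_directive(conf_text, name).split(":") if e]

def uses_env_path(conf_text, as_root):
    """True if the caller's environment PATH takes part in the lookup."""
    return "$PATH" in configured_entries(conf_text, as_root)

def search_dirs(conf_text, as_root, env_path):
    """Ordered, de-duplicated directories after expanding a $PATH entry."""
    dirs = []
    for entry in configured_entries(conf_text, as_root):
        parts = env_path.split(":") if entry == "$PATH" else [entry]
        for p in parts:
            if p and p not in dirs:  # empty PATH components are skipped
                dirs.append(p)
    return dirs

def find_binary(name, dirs):
    """First executable match in search order, or None."""
    for d in dirs:
        candidate = os.path.join(d, name)
        if os.path.isfile(candidate) and os.access(candidate, os.X_OK):
            return candidate
    return None
```

Running `uses_env_path(conf_text, as_root=True)` over the deployed file from configuration management flags hosts where `$PATH:` has been added back to the root search path.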

