Security Release - Singularity 3.7.4 is now available

David Trudgian

May 26, 2021, 1:48:13 PM
to Singularity Community Edition

https://github.com/sylabs/singularity/releases/tag/v3.7.4

Singularity 3.7.4 is a security release, and all users are encouraged to upgrade. Please see below for details of the security issue.

Note: This release has been coordinated with HPCng, and is identical to hpcng/singularity v3.7.4. The upcoming v3.8.0 release of SingularityCE will be the first independent release following the fork.

As always, please report any bugs via: https://github.com/sylabs/singularity/issues/new

If you think that you've discovered a security vulnerability please report it to: secu...@sylabs.io

v3.7.4 - [2021-05-25]

Security Related Fixes
  • CVE-2021-32635: Due to incorrect use of a default URL, singularity action commands (run/shell/exec) specifying a container using a library:// URI will always attempt to retrieve the container from the default remote endpoint (cloud.sylabs.io) rather than the configured remote endpoint. An attacker may be able to push a malicious container to the default remote endpoint with a URI that is identical to the URI used by a victim with a non-default remote endpoint, thus executing the malicious container.

Please see the published security advisory at github.com/sylabs/singularity/security/advisories for further detail.
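
The CVE entry above concerns action commands (run/shell/exec) given a library:// URI, so one way to gauge exposure on a host that uses a non-default remote is to find those invocations in job scripts. The following is an added example, not part of the original post and not Sylabs code; the sample script is constructed, and the rule for spotting the image argument is an assumed heuristic.

```python
import shlex

ACTIONS = {"run", "shell", "exec"}  # action commands named in the CVE entry

def affected_invocations(script_text):
    """Return (line_no, action, uri) for each singularity action command
    whose image argument is a library:// URI."""
    hits = []
    for line_no, raw in enumerate(script_text.splitlines(), start=1):
        try:
            tokens = shlex.split(raw, comments=True)  # drops shell comments
        except ValueError:
            continue  # unbalanced quotes: skip lines we cannot tokenise
        for i, tok in enumerate(tokens):
            if tok.rsplit("/", 1)[-1] != "singularity":
                continue
            args = tokens[i + 1:]
            # Sub-command: first argument that is not an option
            # (global options that take a value are not handled).
            sub = next((a for a in args if not a.startswith("-")), None)
            if sub in ACTIONS:
                rest = args[args.index(sub) + 1:]
                # Heuristic (assumption): the image is the first token
                # that looks like a URI or a .sif path.
                image = next((a for a in rest
                              if "://" in a or a.endswith(".sif")), None)
                if image and image.startswith("library://"):
                    hits.append((line_no, sub, image))
            break  # only the first singularity call on a line is examined
    return hits

# Constructed sample job script (not taken from any real system).
SAMPLE_SCRIPT = """\
#!/bin/bash
# singularity run library://lab/demo/old:1.0
srun singularity exec --bind /data library://lab/tools/align:1.2 align.sh
singularity pull library://lab/tools/align:1.2
singularity run docker://alpine echo library://not/an/image
/opt/singularity/bin/singularity shell library://lab/tools/debug
singularity exec ./local.sif cat /etc/os-release
"""

if __name__ == "__main__":
    for line_no, action, uri in affected_invocations(SAMPLE_SCRIPT):
        print(f"line {line_no}: singularity {action} {uri}")
```

Each hit is a place where a container reference should be reviewed on hosts that were running a release earlier than 3.7.4 with a non-default remote configured.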
