Security Release - Singularity 3.7.4 is now available
Singularity 3.7.4 is a security release, and all users are encouraged to upgrade. Please see below for details of the security issue.
Note: This release has been coordinated with HPCng, and is identical to hpcng/singularity v3.7.4. The upcoming v3.8.0 release of SingularityCE will be the first independent release following the fork.
As always, please report any bugs via: https://github.com/sylabs/singularity/issues/new
If you think that you've discovered a security vulnerability, please report it to: secu...@sylabs.io
CVE-2021-32635: Due to incorrect use of a default URL, singularity action commands (run/shell/exec) specifying a container using a library:// URI will always attempt to retrieve the container from the default remote endpoint (cloud.sylabs.io) rather than the configured remote endpoint. An attacker may be able to push a malicious container to the default remote endpoint with a URI that is identical to the URI used by a victim with a non-default remote endpoint, causing the victim to execute the malicious container.
Please see the published security advisory at github.com/sylabs/singularity/security/advisories for further detail.
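
An added example, not part of the original announcement and not Sylabs code: a shell audit that compares a version string with the fixed 3.7.4 release and lists script lines that pass a library:// URI to run/shell/exec, the pattern CVE-2021-32635 describes. The sample job script and its container names are constructed, and the one-command-per-line regex is a heuristic.

```shell
#!/bin/sh
# Added example: audit helpers for CVE-2021-32635 (not Sylabs code).

FIXED_VERSION="3.7.4"   # release named in the announcement above

# Succeeds when dotted version $1 is numerically older than $2.
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        for (i = 1; i <= (n > m ? n : m); i++) {
            if (x[i] + 0 < y[i] + 0) exit 0
            if (x[i] + 0 > y[i] + 0) exit 1
        }
        exit 1   # equal versions are not "older"
    }'
}

# Print file:line:text for each non-comment line that passes a library:// URI
# to an action command (run/shell/exec). Heuristic: one command per line.
find_library_actions() {
    grep -HnE '^[^#]*singularity([[:space:]]+-[^[:space:]]+)*[[:space:]]+(run|shell|exec)[[:space:]].*library://' "$@"
}

# Constructed sample job script (hypothetical container names).
write_sample() {
    cat > "$1" <<'EOF'
#!/bin/bash
#SBATCH --job-name=align
# singularity run library://lab/old/tool:0.1
singularity pull bwa.sif library://lab/tools/bwa:1.0
singularity exec --bind /data library://lab/tools/bwa:1.0 bwa index ref.fa
singularity --debug run library://lab/tools/report:latest
singularity exec ./bwa.sif bwa mem ref.fa reads.fq
EOF
}

# Demo: report the local version if singularity is installed, then scan the sample.
if command -v singularity >/dev/null 2>&1; then
    v=$(singularity --version | awk '{print $NF}')
    if version_lt "$v" "$FIXED_VERSION"; then
        echo "singularity $v predates $FIXED_VERSION"
    fi
fi
sample=$(mktemp) && write_sample "$sample"
find_library_actions "$sample"
rm -f "$sample"
```

To audit real workloads, call find_library_actions with your own job scripts as arguments; each reported line names a container that is resolved through a library:// URI at run time.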