SingularityCE 4.1.1 Security / Bugfix Release


David Trudgian
Feb 1, 2024, 6:52:21 AM
to Singularity Community Edition

SingularityCE is a patch release containing security and bug fixes. The security issues relate to the buildkit dependency used for Dockerfile builds in SingularityCE 4.1.0.

Security Related Fixes
  • Update github.com/moby/buildkit dependency, used for --oci Dockerfile builds, addressing the following upstream CVEs:
    • CVE-2024-23650 Possible panic when incorrect parameters sent from frontend.
    • CVE-2024-23651 Possible race condition with accessing subpaths from cache mounts.
    • CVE-2024-23652 Possible host system access from mount stub cleaner.
    • CVE-2024-23653 Interactive containers API does not validate entitlements check.

Note also that in OCI-Mode, SingularityCE may call out to runc versions vulnerable to CVE-2024-21626. runc is not bundled with SingularityCE, and should be updated via your Linux distribution's package manager, or manually.

Bug Fixes

Thanks / Reporting Bugs

Thanks to our contributors for code, feedback, and testing efforts!

As always, please report any bugs to: https://github.com/sylabs/singularity/issues/new

If you think that you've discovered a security vulnerability please report it to: secu...@sylabs.io

Have fun!
