Update Info


Security update for singularity

Type: security
Severity: important
Issued: 2021-07-08
This update for singularity fixes the following issues:

Update to version 3.7.4  (boo#1186619)

- Fix for CVE-2021-32635:  

  Due to incorrect use of a default URL, singularity action commands
  (run/shell/exec) specifying a container using a library:// URI will always
  attempt to retrieve the container from the default remote endpoint
  (cloud.sylabs.io) rather than the configured remote endpoint. An attacker may
  be able to push a malicious container to the default remote endpoint with a
  URI that is identical to the URI used by a victim with a non-default remote
  endpoint, thus executing the malicious container. 

- Disabled ppc64le builds as these are non pie builds and so not
  suiteable for the distribution in SLE and ppc64le is not relevant
  for openSUSE

Update to version 3.7.3

- Fix for CVE-2021-29136:

  A dependency used to extract docker/OCI image layers can be
  tricked into modifying host files by creating a malicious layer
  that has a symlink with the name "." (or "/"), when running as root.



  • singularity-3.7.4-bp153.2.3.1