This commit was created on GitHub.com and signed with GitHub’s verified signature.
Security fix
Fix for CVE-2026-48785 / GHSA-cr2j-534f-mf3g: incorrect path matching for the `limit container paths` directive. This only affects setuid installations whose `limit container paths` list contains a directory that is a string prefix of another directory that is not meant to be allowed. For example, if `/scratch` is in the list but `/scratch2` also exists and contains container images, images under `/scratch2` previously matched as well; now only images under the exactly matching `/scratch` are included.
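The prefix-matching flaw described above, as an added Go example that is not Apptainer's own code: `allowedByPrefix` models the old plain string-prefix comparison and `allowedByComponent` a check that only matches on a path-component boundary. The `limitPaths` list, the function names and the sample image paths are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"path/filepath"
	"strings"
)

// limitPaths stands in for the "limit container paths" directive of a
// setuid install: images may only be run from under these directories.
// (Constructed for this example; a trailing slash is included on purpose
// to show that it must be normalised away.)
var limitPaths = []string{"/scratch", "/data/images/"}

// allowedByPrefix is the flawed check: a bare string-prefix comparison,
// so "/scratch2/x.sif" passes because "/scratch" is a prefix of it.
func allowedByPrefix(image string) bool {
	for _, p := range limitPaths {
		if strings.HasPrefix(image, p) {
			return true
		}
	}
	return false
}

// allowedByComponent requires the image to sit under an allowed directory
// on a path-component boundary: after cleaning both paths, the image must
// equal the directory or start with the directory followed by a separator.
// Callers should pass an absolute path with symlinks already resolved
// (e.g. via filepath.EvalSymlinks), which is not done here to stay offline.
func allowedByComponent(image string) bool {
	img := filepath.Clean(image)
	if !filepath.IsAbs(img) {
		return false
	}
	for _, p := range limitPaths {
		dir := filepath.Clean(p)
		if dir == string(filepath.Separator) {
			return true // "/" in the list allows every absolute path
		}
		if img == dir || strings.HasPrefix(img, dir+string(filepath.Separator)) {
			return true
		}
	}
	return false
}

func main() {
	// Constructed sample paths covering the exact match, the lookalike
	// directory, a ".." traversal and a path under the slash-terminated entry.
	samples := []string{
		"/scratch/img.sif",
		"/scratch2/img.sif",
		"/scratch/../scratch2/img.sif",
		"/data/images/img.sif",
		"scratch/img.sif",
	}
	for _, s := range samples {
		fmt.Printf("%-32s prefix=%-5v component=%v\n",
			s, allowedByPrefix(s), allowedByComponent(s))
	}
}
```

Cleaning the image path before comparing is what defeats the `/scratch/../scratch2/` form: the old check sees the `/scratch` prefix and accepts it, the boundary-aware check first reduces it to `/scratch2/img.sif` and rejects it.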
Other changes
Work around segmentation fault sometimes seen while mksquashfs under proot is creating a SIF file.
Update bundled PRoot to version 5.4.0-rootless.3 in order to fix a problem where SIF files could be corrupted when mksquashfs died with a signal. The proot command was not passing back an error exit code.
Update bundled squashfuse_ll to version 0.6.2 in order to fix a crash sometimes seen with apptainer in unprivileged docker.
Update bundled fuse2fs to version 1.47.4 instead of patching the bugs in 1.47.3.
Fix a crash that happened when /etc/resolv.conf was a symlink while building from a definition file using the localimage bootstrap.
Support hosts whose /etc/resolv.conf is a symlink pointing to `../run` in addition to `/run`.
Change the download-dependencies script to skip downloading the PRoot source code on architectures that it is known to not support (that is: ppc*, s390*, and riscv*). In those situations Apptainer will skip trying to compile and run proot. As a result original owners and groups of files will not be preserved in SIF images built by unprivileged users, as was the case for all architectures prior to 1.5.0.
Fix panic encountered during progress bar update while pulling image.
Fix fakeroot overwriting root's username in /etc/passwd with the host user's name, a regression introduced in v1.5.0.
Add a `nonested` flag for `--mount` specifications to prevent individual bind mounts from being passed to nested containers via APPTAINER_BIND. Example: `--mount type=bind,source=/data,destination=/mnt,nonested`.