Singularity 3.6.4

@dtrudg dtrudg released this 13 Oct 14:57
eba3dea

Singularity 3.6.4 is an important security release. Please read the release notes below carefully.

Security related fixes

Singularity 3.6.4 addresses the following security issues.

  • CVE-2020-15229: Due to insecure handling of path traversal and the lack of path sanitization within unsquashfs (a distribution provided utility used by Singularity), it is possible to overwrite/create files on the host filesystem during the extraction of a crafted squashfs filesystem. Affects unprivileged execution of SIF / SquashFS images, and image builds from SIF / SquashFS images.

Please see the published security advisories at https://github.com/hpcng/singularity/security/advisories for full detail of these security issues.
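
As an added illustration of the kind of path sanitization the CVE description says was missing during extraction, the Go sketch below rejects archive entry names that would resolve outside the extraction root. It is not code from Singularity, unsquashfs, or the actual fix; the function names, the `/tmp/rootfs` root and the sample entry names are hypothetical and constructed for this example.

```go
package main

import (
	"fmt"
	"path/filepath"
	"strings"
)

// escapesRoot reports whether an archive entry name, once joined to the
// extraction root, would resolve outside that root. The check is purely
// lexical: it does not follow symlinks that already exist on disk.
func escapesRoot(root, entry string) bool {
	root = filepath.Clean(root)
	// filepath.Join cleans the result, collapsing any ".." elements.
	target := filepath.Join(root, entry)
	rel, err := filepath.Rel(root, target)
	if err != nil {
		return true // cannot prove containment, so treat as unsafe
	}
	return rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator))
}

// unsafeEntries returns the entries that must be rejected before extraction.
func unsafeEntries(root string, entries []string) []string {
	var bad []string
	for _, e := range entries {
		if escapesRoot(root, e) {
			bad = append(bad, e)
		}
	}
	return bad
}

func main() {
	// Constructed sample entry names, not taken from a real image.
	entries := []string{
		"usr/bin/app",
		"etc/../etc/hosts",
		"../outside.txt",
		"a/b/../../../outside.txt",
		"/abs/stays-under-root-after-join",
	}
	for _, e := range unsafeEntries("/tmp/rootfs", entries) {
		fmt.Println("reject:", e)
	}
}
```

A lexical check like this does not cover traversal through symlinks created earlier in the same extraction, which needs resolution against the filesystem.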

Bug Fixes

  • Update scs-library-client to support library:// backends using a 3rd party S3 object store that does not strictly conform to v4 signature spec.

Patches against prior versions

In keeping with their commitment to the open source community to release security patches incorporated into SingularityPRO, Sylabs is releasing the following diffs that contain security content only:

3.1: https://repo.sylabs.io/security/2020/CVE-2020-15229-31.diff
3.5: https://repo.sylabs.io/security/2020/CVE-2020-15229-35.diff

Thanks to our contributors for code, feedback, and testing efforts!

As always, please report any bugs to: https://github.com/hpcng/singularity/issues/new

If you think that you've discovered a security vulnerability please report it to: security@sylabs.io

Have fun!