v3.6.3 release CHANGELOG.md / INSTALL.md entries

sylabs · Sep 14, 2020 · 74f0352 · 74f0352
1 parent 17aa470
commit 74f0352
Show file tree

Hide file tree

Showing 2 changed files with 27 additions and 3 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -9,7 +9,31 @@ _With the release of `v3.0.0`, we're introducing a new changelog format in an at
 
 _The old changelog can be found in the `release-2.6` branch_
 
-# Changes since v3.6.2
+# v3.6.3 - [2020-09-15]
+
+## Security related fixes
+
+Singularity 3.6.3 addresses the following security issues.
+
+  - [CVE-2020-25039](https://github.com/hpcng/singularity/security/advisories/GHSA-w6v2-qchm-grj7):
+    When a Singularity action command (run, shell, exec) is run with
+    the fakeroot or user namespace option, Singularity will extract a
+    container image to a temporary sandbox directory. Due to insecure
+    permissions on the temporary directory it is possible for any user
+    with access to the system to read the contents of the
+    image. Additionally, if the image contains a world-writable file
+    or directory, it is possible for a user to inject arbitrary
+    content into the running container.
+
+  - [CVE-2020-25040](https://github.com/hpcng/singularity/security/advisories/GHSA-jv9c-w74q-6762):
+    When a Singularity command that results in a container build
+    operation is executed, it is possible for a user with access to
+    the system to read the contents of the image during the
+    build. Additionally, if the image contains a world-writable file
+    or directory, it is possible for a user to inject arbitrary
+    content into the running build, which in certain circumstances may
+    enable arbitrary code execution during the build and/or when the
+    built container is run.
 
 ## Bug Fixes
 

diff --git a/INSTALL.md b/INSTALL.md
@@ -89,7 +89,7 @@ $ mkdir -p ${GOPATH}/src/github.com/sylabs && \
 To build a stable version of Singularity, check out a [release tag](https://github.com/sylabs/singularity/tags) before compiling:
 
 ```
-$ git checkout v3.6.2
+$ git checkout v3.6.3
 ```
 
 ## Compiling Singularity
@@ -132,7 +132,7 @@ as shown above.  Then download the latest
 and use it to install the RPM like this: 
 
 ```
-$ export VERSION=3.6.2  # this is the singularity version, change as you need
+$ export VERSION=3.6.3  # this is the singularity version, change as you need
 
 $ wget https://github.com/sylabs/singularity/releases/download/v${VERSION}/singularity-${VERSION}.tar.gz && \
     rpmbuild -tb singularity-${VERSION}.tar.gz && \