Has fix for CVE-2021-33622 been propagated? #586

Closed
nileshpatra opened this issue Feb 20, 2022 · 2 comments
Labels
question Further information is requested

Comments

nileshpatra (Contributor) commented Feb 20, 2022

Note: We encourage questions about usage of SingularityCE to be made via the Google Group or Slack channels [..]
See: https://sylabs.io/resources/community for links.

I would have done this, but that link gives me a "Page not found"

Type of issue
Question regarding fix for CVE-2021-33622

Description of issue
It is written that this issue has been fixed in the PRO edition, but there has been no mention of this being fixed in the CE edition -- wanted to enquire if it has been fixed in later versions (as the report mentions version 3.5.x-3.6.x)? There is no mention of this CVE being fixed in the changelog either. Any answer is appreciated.

dtrudg (Member) commented Feb 21, 2022

A fix for CVE-2021-33622 was only released for SingularityPRO 3.5 because the precise issue covered by that CVE was not present in Singularity 3.7, which was the supported open source release at that time. Open source Singularity 3.5.x - 3.6.x were affected by this CVE, but we only support and provide fixes for the latest open source SingularityCE version, which was 3.7 at the time. There is no patch and no changelog entry for the CVE as it was not present in 3.7.

A similar, but different, issue was present in open-source 3.7 as CVE-2021-32635. This was fixed in release 3.7.4 - see GHSA-5mv9-q7fq-9394.

I'll ensure the community link is fixed. Thanks. See https://sylabs.io/singularity#community

dtrudg added the "question" (Further information is requested) label Feb 21, 2022

dtrudg (Member) commented Feb 21, 2022

Note that this information was communicated on the SingularityCE mailing list at the time the issue was dealt with (June 9th 2021).

https://groups.google.com/g/singularity-ce/c/OSK5BIHSkbE/m/6dc0DEMiAgAJ

I strongly advise joining the list / Google Group if you are using SingularityCE in production.
