Skip to content

Singularity 3.6.4

Compare
Choose a tag to compare
@dtrudg dtrudg released this 13 Oct 14:57
· 908 commits to master since this release
eba3dea

Singularity 3.6.4 is an important security release. Please read the release notes below carefully.

Security related fixes

Singularity 3.6.4 addresses the following security issues.

  • CVE-2020-15229: Due to insecure handling of path traversal and the lack of path sanitization within unsquashfs (a distribution provided utility used by Singularity), it is possible to overwrite/create files on the host filesystem during the extraction of a crafted squashfs filesystem. Affects unprivileged execution of SIF / SquashFS images, and image builds from SIF / SquashFS images.

Please see the published security advisories at https://github.com/hpcng/singularity/security/advisories for full detail of these security issues.

Bug Fixes

  • Update scs-library-client to support library:// backends using a 3rd party S3 object store that does not strictly conform to v4 signature spec.

Patches against prior versions

In keeping with their commitment to the open source community to release security patches incorporated into SingularityPRO, Sylabs is releasing the following diffs that contain security content only:

3.1: https://repo.sylabs.io/security/2020/CVE-2020-15229-31.diff
3.5: https://repo.sylabs.io/security/2020/CVE-2020-15229-35.diff

Thanks to our contributors for code, feedback and, testing efforts!

As always, please report any bugs to: https://github.com/hpcng/singularity/issues/new

If you think that you've discovered a security vulnerability please report it to: [email protected]

Have fun!