From 269d0d8b7b13487af7344d85cea6fd98e69eb659 Mon Sep 17 00:00:00 2001 From: David Trudgian Date: Tue, 6 Apr 2021 16:15:32 -0500 Subject: [PATCH] 3.7.3 CHANGELOG and INSTALL changes --- CHANGELOG.md | 12 ++++++++++++ INSTALL.md | 4 ++-- 2 files changed, 14 insertions(+), 2 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index bf256886ae..48d9b83d9b 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -9,6 +9,18 @@ _With the release of `v3.0.0`, we're introducing a new changelog format in an at _The old changelog can be found in the `release-2.6` branch_ +# v3.7.3 - [2021-04-06] + +## Security Related Fixes + + - [CVE-2021-29136](https://github.com/opencontainers/umoci/security/advisories/GHSA-9m95-8hx6-7p9v): + A dependency used by Singularity to extract docker/OCI image layers + can be tricked into modifying host files by creating a malicious + layer that has a symlink with the name "." (or "/"), when running + as root. This vulnerability affects a `singularity build` or + `singularity pull` as root, from a docker or OCI source. + + # v3.7.2 - [2021-03-09] ## Bug Fixes diff --git a/INSTALL.md b/INSTALL.md index 27748f73ae..56f08aeab2 100644 --- a/INSTALL.md +++ b/INSTALL.md @@ -133,7 +133,7 @@ as shown above. Then download the latest and use it to install the RPM like this: ``` -$ export VERSION=3.7.2 # this is the singularity version, change as you need +$ export VERSION=3.7.3 # this is the singularity version, change as you need $ wget https://github.com/sylabs/singularity/releases/download/v${VERSION}/singularity-${VERSION}.tar.gz && \ rpmbuild -tb singularity-${VERSION}.tar.gz && \ 
@@ -149,7 +149,7 @@ tarball and use it to install Singularity: $ cd $GOPATH/src/github.com/sylabs/singularity && \ ./mconfig && \ make -C builddir rpm && \ - sudo rpm -ivh ~/rpmbuild/RPMS/x86_64/singularity-3.7.2*.x86_64.rpm # or whatever version you built + sudo rpm -ivh ~/rpmbuild/RPMS/x86_64/singularity-3.7.3*.x86_64.rpm # or whatever version you built ``` To build an rpm with an alternative install prefix set RPMPREFIX on the
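Review bot: In the CHANGELOG.md hunk, the new v3.7.3 entry under "Security Related Fixes" describes the flaw and who is exposed, but never says what this release changes. The linked advisory lives under opencontainers/umoci, so name that dependency in the text and state that 3.7.3 updates it; a reader can then tell that upgrading is the remediation. The hunk also adds two blank lines before `# v3.7.2` where one is enough.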
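Review bot: In the first INSTALL.md hunk (@@ -133,7 +133,7 @@), the bumped `VERSION=3.7.3` feeds a `wget` of the release tarball that goes straight into `rpmbuild -tb`, with no integrity check in the visible lines. Since this bump points users at a security release, consider adding a checksum or signature verification step between the download and the build, if the project publishes one for the tarball.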
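Review bot: In the second INSTALL.md hunk (@@ -149,7 +149,7 @@), the `sudo rpm -ivh` line hard-codes `singularity-3.7.3*.x86_64.rpm`, so it has to be edited by hand on every release and is easy to miss, while the earlier block takes the version from `VERSION`. Consider exporting `VERSION` in this block as well and writing `singularity-${VERSION}*.x86_64.rpm`, which keeps the two instructions consistent and reduces the need for the "or whatever version you built" comment.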