SingularityCE 3.9.1

@dtrudg dtrudg released this 22 Nov 17:37
da90882

This is a security release for SingularityCE 3.9, addressing a security issue in SingularityCE's dependencies.

Security Related Fixes

  • CVE-2021-41190 / GHSA-77vh-xpmg-72qh: OCI specifications allow ambiguous documents that contain both "manifests" and "layers" fields. Interpretation depends on the presence / value of a Content-Type header. SingularityCE dependencies handling the retrieval of OCI images have been updated to versions that reject ambiguous documents.
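An added example (not code from SingularityCE or its dependencies) of the kind of check described above: a client-side classifier that rejects a document carrying both fields and, going one step beyond the ambiguity check, requires any Content-Type header that is present to agree with the body. The function name, error values and sample document are assumptions made for illustration.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// OCI media types of the two document kinds that can be confused.
const (
	MediaTypeManifest = "application/vnd.oci.image.manifest.v1+json"
	MediaTypeIndex    = "application/vnd.oci.image.index.v1+json"
)
var ErrAmbiguous = errors.New(`ambiguous OCI document: both "manifests" and "layers" present`)
var ErrMismatch = errors.New("document body does not match Content-Type")

// ClassifyOCIDocument (hypothetical helper) returns the media type of body, or an error if it is ambiguous.
func ClassifyOCIDocument(contentType string, body []byte) (string, error) {
	var fields map[string]json.RawMessage
	if err := json.Unmarshal(body, &fields); err != nil {
		return "", fmt.Errorf("invalid JSON: %w", err)
	}
	var hasManifests, hasLayers bool
	for key := range fields {
		// encoding/json matches struct fields case-insensitively, so do the same here.
		hasManifests = hasManifests || strings.EqualFold(key, "manifests")
		hasLayers = hasLayers || strings.EqualFold(key, "layers")
	}
	kind := MediaTypeManifest
	switch {
	case hasManifests && hasLayers:
		return "", ErrAmbiguous // rejected whatever the header says
	case hasManifests:
		kind = MediaTypeIndex
	case !hasLayers:
		return "", errors.New(`neither "manifests" nor "layers" present`)
	}
	// A missing header is tolerated; a present one must agree with the body.
	if contentType != "" && contentType != kind {
		return "", ErrMismatch
	}
	return kind, nil
}

func main() {
	_, err := ClassifyOCIDocument(MediaTypeIndex, []byte(`{"manifests":[],"layers":[]}`)) // constructed sample
	fmt.Println(err)
}
```

The header comparison is an exact string match, so a Content-Type value carrying parameters would need to be normalized before it is passed in.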

Thanks / Reporting Bugs

Thanks to our contributors for code, feedback, and testing efforts!

As always, please report any bugs to: https://github.com/sylabs/singularity/issues/new

If you think that you've discovered a security vulnerability please report it to: [email protected]

Have fun!

Downloads

Source Code

Please use the singularity-ce-3.9.1.tar.gz download below to obtain and install SingularityCE 3.9.0. The GitHub auto-generated 'Source Code' downloads do not include required dependencies etc.

Packages

⚠️ These packages were built with a Go version (1.17.3) vulnerable to CVE-2021-44717. This is a Go issue, rather than a problem in the SingularityCE code. No direct exploit for SingularityCE has been identified at this time; however, ForkExec calls are performed for multiple tasks, and users are encouraged to use updated packages.

RPM / DEB packages are provided for:

  • Ubuntu 18.04 (bionic)
  • Ubuntu 20.04 (focal)
  • RHEL/CentOS 7 (el7)
  • RHEL/CentOS/Alma/Rocky 8 (el8)

Note: the +6.g38b50cb version suffix is introduced by packaging automation added after the 3.9.1 release. There are no code/functionality changes vs the 3.9.1 source code.