Fedora has issued an advisory on April 16:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/BMX7XV7YNNNOVKKIOOPNENIXY64H4ZEY/

The issue is fixed upstream in 3.7.3:
https://github.com/sylabs/singularity/releases/tag/v3.7.3

Another security issue was fixed upstream in 3.7.4:
https://github.com/sylabs/singularity/releases/tag/v3.7.4

Mageia 8 is also affected.
CC: (none) => joequant
Status comment: (none) => Fixed upstream in 3.7.4
Whiteboard: (none) => MGA8TOO
Component: RPM Packages => Security
QA Contact: (none) => security
openSUSE has issued an advisory for this today (May 30): https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/U5WJLLGD3LSUWRS73C4NPIWYTMST4QO5/
Fedora has issued an advisory for this on June 4: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/D2IU6GJMCV5CQKUQZLHBP6EHSIZZXC3X/
Fixed in mga9 (we have version 3.8.3).
Version: Cauldron => 8
Whiteboard: MGA8TOO => (none)
CC: (none) => mageia
For CVE-2021-32635 we are not affected in mga8, see:
https://github.com/apptainer/singularity/security/advisories/GHSA-jq42-hfch-42f3

CVE-2021-29136 is now fixed in mga8:
src:
- singularity-3.7.0-1.1.mga8
Status comment: Fixed upstream in 3.7.4 => (none)
Assignee: joequant => qa-bugs
CC: (none) => joequant
openSUSE has issued an advisory on December 4:
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/L3AGIEOXZIUUEYYMWKJCJCQI7V235UTR/

The issue is fixed upstream in 3.8.5.

Mageia 8 is also affected.
Summary: singularity new security issue CVE-2021-29136 and CVE-2021-32635 => singularity new security issue CVE-2021-29136, CVE-2021-32635, CVE-2021-41190
Status comment: (none) => Fixed upstream in 3.8.5
Assignee: qa-bugs => joequant
Whiteboard: (none) => MGA8TOO
Version: 8 => Cauldron
Already updated in mga9.
Whiteboard: MGA8TOO => (none)
Version: Cauldron => 8
New version pushed in mga8:
src:
- singularity-3.8.5-1.mga8
Assignee: joequant => qa-bugs
Status comment: Fixed upstream in 3.8.5 => (none)
MGA8-64 Plasma on Lenovo B50 in Dutch
No installation issues.
No previous updates, no wiki, so tried on my own:

$ singularity
Usage:
  singularity [global options...] <command>

Available Commands:
  build       Build a Singularity image
  cache       Manage the local cache
  capability  Manage Linux capabilities for users and groups
  completion  generate the autocompletion script for the specified shell
  config      Manage various singularity configuration (root user only)
  delete      Deletes requested image from the library
  exec        Run a command within a container
  inspect     Show metadata for an image
  instance    Manage containers running as services
  key         Manage OpenPGP keys
  oci         Manage OCI containers
  overlay     Manage an EXT3 writable overlay image
  plugin      Manage Singularity plugins
  pull        Pull an image from a URI
  push        Upload image to the provided URI
  remote      Manage singularity remote endpoints, keyservers and OCI/Docker registry credentials
  run         Run the user-defined default command within a container
  run-help    Show the user-defined help for an image
  search      Search a Container Library for images
  shell       Run a shell within a container
  sif         siftool is a program for Singularity Image Format (SIF) file manipulation
  sign        Attach digital signature(s) to an image
  test        Run the user-defined tests within a container
  verify      Verify cryptographic signatures attached to an image
  version     Show the version for Singularity

Run 'singularity --help' for more detailed usage information.

$ singularity version
3.8.5-1.mga8

singularity --help showed a lot of ugly details, so went to Google and found
https://singularity-tutorial.github.io/02-basic-usage/
Followed these

$ singularity pull library://godlovedc/funny/lolcow
INFO: Downloading library image
89.2MiB / 89.2MiB [==============================================================================================================================================================================] 100 % 2.4 MiB/s 0s
WARNING: integrity: signature not found for object group 1
WARNING: Skipping container verification
[tester8@mach5 testupdates]$ singularity shell lolcow_latest.sif
Singularity> cat /etc/os-release
NAME="Ubuntu"
VERSION="16.04.5 LTS (Xenial Xerus)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 16.04.5 LTS"
VERSION_ID="16.04"
HOME_URL="http://www.ubuntu.com/"
SUPPORT_URL="http://help.ubuntu.com/"
BUG_REPORT_URL="http://bugs.launchpad.net/ubuntu/"
VERSION_CODENAME=xenial
UBUNTU_CODENAME=xenial
Singularity> whoami
tester8
Singularity> hostname
mach5.hviaene.thuis
Singularity> which cowsay
/usr/games/cowsay
Singularity> cowsay moo
 _____
< moo >
 -----
        \   ^__^
         \  (oo)\_______
            (__)\       )\/\
                ||----w |
                ||     ||
Singularity> fortune | cowsay | lolcat
 ________________________________________
/ At once it struck me what quality went \
| to form a man of achievement,          |
| especially in literature, and which    |
| Shakespeare possessed so enormously -- |
| I mean negative capability, that is,   |
| when a man is capable of being in      |
| uncertainties, mysteries, doubts,      |
| without any irritable reaching after   |
| fact and reason.                       |
|                                        |
\ -- John Keats                          /
 ----------------------------------------
        \   ^__^
         \  (oo)\_______
            (__)\       )\/\
                ||----w |
                ||     ||

So apparently the thingie works, unless someone wants to dig deeper.
CC: (none) => herman.viaene
Whiteboard: (none) => MGA8-64-OK
More enlightened than any cow I've ever known. Validating, before she does it for me.
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => advisory
CC: (none) => davidwhodgins
An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2022-0006.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED