File singularity.changes of Package singularity

Thu Dec 20 10:13:06 UTC 2018 - Christian Neyers <>

- Update to 2.6.1

- Security related fix in 2.6.1
  * disables instance features for mount commands, disables instance join for
    start command, and disables daemon start for action commands (fixes

Tue Aug  7 07:40:20 UTC 2018 -

- Update to 2.6.0

- Implemented enhancements in 2.6.0
  * Allow admin to specify a non-standard location for mksquashfs binary at
    build time with --with-mksquashfs option #1662
  * --nv option will use nvidia-container-cli if installed #1681
  * nvliblist.conf now has a section for binaries #1681
  * --nv can be made default with all action commands in singularity.conf #1681
  * --nv can be controlled by env vars $SINGULARITY_NV and $SINGULARITY_NV_OFF
  * Refactored travis build and packaging tests #1601
  * Added build and packaging tests for Debian 8/9 and openSUSE 42.3/15.0 #1713
  * Restore shim init process for proper signal handling and child reaping when
    container is initiated in its own PID namespace #1221
  * Add -i option to image.create to specify the inode ratio. #1759
  * Bind /dev/nvidia* into the container when the --nv flag is used in
    conjunction with the --contain flag #1358
  * Add --no-home option to not mount user $HOME if it is not the $CWD and
    mount home = yes is set. #1761
  * Added support for OAUTH2 Docker registries like Azure Container Registry

- Bug fixes in 2.6.0
  * Fix 404 when using Arch Linux bootstrap #1731
  * Fix environment variables clearing while starting instances #1766

Tue Jul  3 15:59:31 UTC 2018 -

- Move completion file to /usr/share/bash-completion/completions/

- Update to 2.5.2

- Security related fixes in 2.5.2
  * Removed the option to use overlay images with singularity mount. This flaw
    could allow a malicious user accessing the host system to access sensitive
    information when coupled with persistent ext3 overlay.
  * Fixed a race condition that might allow a malicious user to bypass
    directory image restrictions, like mounting the host root filesystem as a
    container image.

- Bugfixes in 2.5.2
  * Fix an error in malloc allocation #1620
  * Honor debug flag when pulling from docker hub #1556
  * Fix a bug with passwd abort #1580
  * Allow user to override singularity.conf "mount home = no" with --home
    option #1496
  * Improve debugging output #1535
  * Fix some bugs in bind mounting #1525
  * Define PR_(S|G)ET_NO_NEW_PRIVS in user space so that these features will
    work with kernels that implement them (like Cray systems) #1506
  * Create /dev/fd and standard streams symlinks in /dev when using minimal dev
    mount or when specifying -c/-C/--contain option #1420
  * Fixed * expansion during app runscript creation #1486

Fri May  4 08:16:28 UTC 2018 -

- Update to 2.5.1

- Bugfixes in 2.5.1
  * Corrected a permissions error when attempting to run Singularity from a
    directory on NFS with root_squash enabled
  * Fixed a bug that closed a socket early, preventing correct container
    execution on hosts using identity services like SSSD
  * Fixed a regression that broke the debootstrap agent

Mon Apr 30 15:38:30 UTC 2018 -

- Place license files with %license for newer SUSE versions

- Remove generic build instructions and contribution information from package

- Update to 2.5.0

- Security related fixes in 2.5.0
  Patches are provided to prevent a malicious user with the ability to log in
  to the host system and use the Singularity container runtime from carrying
  out any of the following actions:
  * Create world writable files in root-owned directories on the host system by
    manipulating symbolic links and bind mounts
  * Create folders outside of the container by manipulating symbolic links in
    conjunction with the --nv option or by bypassing check_mounted function with
    relative symlinks
  * Bypass the enable overlay = no option in the singularity.conf configuration
    file by setting an environment variable
  * Exploit buffer overflows in src/util/daemon.c and/or
    src/lib/image/ext3/init.c (reported by Erik Sjölund (DBB, Stockholm
    University, Sweden))
  * Forge the pid_path to join any Singularity namespace (reported by Erik
    Sjölund (DBB, Stockholm University, Sweden))

- Implemented enhancements in 2.5.0
  * Restore docker-extract aufs whiteout handling that implements correct
    extraction of docker container layers. This adds libarchive-devel as a
    build time dep. At runtime libarchive is needed for whiteout handling. If
    libarchive is not available at runtime, extraction will fall back to the
    previous extraction method.
  * Changed behavior of SINGULARITYENV_PATH to overwrite container PATH and
    wanting to prepend or append to the container PATH at runtime

- Bug fixes in 2.5.0
  * Support pulls from the NVIDIA cloud docker registry (fix by Justin Riley,
  * Close socket file descriptors in fd_cleanup
  * Fix conflict between --nv and --contain options
  * Throw errors at build and runtime if NO_NEW_PRIVS is not present and working
  * Reset umask to 0022 at start to correct several errors
  * Verify docker layers after download with sha256 checksum
  * Do not make excessive requests for auth tokens to docker registries
  * Fixed stripping whitespaces and empty new lines for the app commands (fix by
    Rafal Gumienny, Biozentrum, Basel)
  * Improved the way that working directory is mounted
  * Fixed an out of bounds array in src/lib/image/ext3/init.c

Wed Mar 28 13:05:46 UTC 2018 -

- Move rpmlint fixes from patch file into %prep section of spec file

- Fix rpmlint warnings
  * `non-executable-script`: shub/ only provides definitions
  * `sourced-script-with-shebang`: bash completion file
  * `files-duplicate`: legacy examples

- Remove version update from _service

- Update to 2.4.5

- Changes in 2.4.5
  * Strip authorization header on http redirect to different domain when
    interacting with docker registries.

Wed Mar  7 13:50:25 UTC 2018 -

- Fix rpmlint error `env-script-interpreter` for python

Wed Mar  7 08:46:08 UTC 2018 -

- Update to 2.4.4

- Changes in 2.4.4
  * Removed capability to handle docker layer aufs whiteout files correctly as
    it increased potential attack surface on some distros (with apologies to
    users who requested it).

- Changes in 2.4.3
  * Close file descriptors pointing to a directory #1305
  * Fix permission denied when binding directory located on NFS with root_squash
  * Add capability to support all tar compression formats #1155
  * Handle docker layer aufs whiteout files correctly (requires libarchive).
  * Updated output of image.print command #1190
  * Fixed parsing of backslashes in apprun script #1189
  * Fixed parsing of arch keyword from definition file #1217
  * Fixed incompatibility between --pwd and --contain options #1259
  * Updated license information #1267
  * Fix non-root build from docker containers with non-writable file/dir
  * Fix race condition between container exit and cleanupd while removing
    runtime directory

Tue Dec  5 16:54:49 UTC 2017 -

- Adapt network:cluster>singularity to 2.4.2