Overview
Request 821122 accepted
- New version 3.6.0. This version introduces a new signature format
for SIF images, and changes to the signing / verification code to address
the following security problems:
- CVE-2020-13845, bsc#1174150
In Singularity 3.x versions below 3.6.0, issues allow the ECL to
be bypassed by a malicious user.
- CVE-2020-13846, bsc#1174148
In Singularity 3.5 the --all / -a option to singularity verify
returns success even when some objects in a SIF container are not signed,
or cannot be verified.
- CVE-2020-13847, bsc#1174152
In Singularity 3.x versions below 3.6.0, Singularity's sign and verify
commands do not sign metadata found in the global header or data object
descriptors of a SIF file, allowing an attacker to cause unexpected
behavior. A signed container may verify successfully, even when it has
been modified in ways that could be exploited to cause malicious behavior.
- New features / functionalities
- A new '--legacy-insecure' flag to verify allows verification of SIF
signatures in the old, insecure format.
- A new '-l / --logs' flag for instance list that shows the paths
to instance STDERR / STDOUT log files.
- The --json output of instance list now include paths to
STDERR / STDOUT log files.
- Changed defaults / behaviours
- New signature format (see security fixes above).
- Fixed spacing of singularity instance list to be dynamically changing
based off of input lengths instead of fixed number of spaces to account
for long instance names.
- Deprecate -a / --all option to sign/verify as new signature behavior
makes this the default.
Request History
anag created request
- New version 3.6.0. This version introduces a new signature format
for SIF images, and changes to the signing / verification code to address
the following security problems:
- CVE-2020-13845, bsc#1174150
In Singularity 3.x versions below 3.6.0, issues allow the ECL to
be bypassed by a malicious user.
- CVE-2020-13846, bsc#1174148
In Singularity 3.5 the --all / -a option to singularity verify
returns success even when some objects in a SIF container are not signed,
or cannot be verified.
- CVE-2020-13847, bsc#1174152
In Singularity 3.x versions below 3.6.0, Singularity's sign and verify
commands do not sign metadata found in the global header or data object
descriptors of a SIF file, allowing an attacker to cause unexpected
behavior. A signed container may verify successfully, even when it has
been modified in ways that could be exploited to cause malicious behavior.
- New features / functionalities
- A new '--legacy-insecure' flag to verify allows verification of SIF
signatures in the old, insecure format.
- A new '-l / --logs' flag for instance list that shows the paths
to instance STDERR / STDOUT log files.
- The --json output of instance list now include paths to
STDERR / STDOUT log files.
- Changed defaults / behaviours
- New signature format (see security fixes above).
- Fixed spacing of singularity instance list to be dynamically changing
based off of input lengths instead of fixed number of spaces to account
for long instance names.
- Deprecate -a / --all option to sign/verify as new signature behavior
makes this the default.
licensedigger accepted review
ok
factory-auto accepted review
Check script succeeded
maintbot accepted review
ok
maintbot approved review
ok
rfrohl moved maintenance target to openSUSE:Maintenance:13358
rfrohl accepted request
accepted request 821122:Thanks!
For information about the update, see https://build.opensuse.org/project/maintenance_incidents/openSUSE:Maintenance
network:cluster/singularity@5e378b735944b2319755acb60d7401d4 -> openSUSE:Leap:15.2:Update/singularity
expected origin is 'None' (unchanged)