Request 897440: Incident singularity - openSUSE Build Service

Overview

Request 897440 accepted

- Update to version 3.7.4 (boo#1186619)
Fix for CVE-2021-32635:
Due to incorrect use of a default URL, singularity action commands
(run/shell/exec) specifying a container using a library:// URI will always
attempt to retrieve the container from the default remote endpoint
(cloud.sylabs.io) rather than the configured remote endpoint. An attacker may
be able to push a malicious container to the default remote endpoint with a
URI that is identical to the URI used by a victim with a non-default remote
endpoint, thus executing the malicious container.
- Disabled ppc64le builds as these are non pie builds and so not
suiteable for the distribution in SLE and ppc64le is not relevant
for openSUSE

Created by mslacken almost 3 years ago
In state accepted

Incident singularity

Comments for request 897440 1

Leap Reviewbot (leaper) - almost 3 years ago

network:cluster/singularity@2890369126c94e5c92929bfba2ec7f41 -> openSUSE:Backports:SLE-15-SP2:Update/singularity

expected origin is 'openSUSE:Leap:15.2:Update' (changed)

Login required, please login in order to comment

Request History

mslacken created request almost 3 years ago

- Update to version 3.7.4 (boo#1186619)
Fix for CVE-2021-32635:
Due to incorrect use of a default URL, singularity action commands
(run/shell/exec) specifying a container using a library:// URI will always
attempt to retrieve the container from the default remote endpoint
(cloud.sylabs.io) rather than the configured remote endpoint. An attacker may
be able to push a malicious container to the default remote endpoint with a
URI that is identical to the URI used by a victim with a non-default remote
endpoint, thus executing the malicious container.
- Disabled ppc64le builds as these are non pie builds and so not
suiteable for the distribution in SLE and ppc64le is not relevant
for openSUSE

maintbot added factory-source as a reviewer almost 3 years ago

maintbot accepted review almost 3 years ago

ok

factory-auto accepted review almost 3 years ago

Check script succeeded

licensedigger accepted review almost 3 years ago

ok

factory-source added backports-reviewers as a reviewer almost 3 years ago

Automated review failed. Needs fallback reviewer.

factory-source accepted review almost 3 years ago

review failed

bigironman accepted review almost 3 years ago

LGTM

bigironman approved review almost 3 years ago

LGTM

msmeissn moved maintenance target to openSUSE:Maintenance:16396 almost 3 years ago

msmeissn accepted request almost 3 years ago

ok

openSUSE Build Service is sponsored by