Security update for singularity SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2018:3316-1 Final 1 1 2018-10-23T07:33:03Z current 2018-10-23T07:33:03Z 2018-10-23T07:33:03Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for singularity Singularity was updated to version 2.6.0, bringing features, bugfixes and security fixes. Security issues fixed: - CVE-2018-12021: Fixed access control on systems supporting overlay file system (boo#1100333). Highlights of 2.6.0: - Allow admin to specify a non-standard location for mksquashfs binary at build time with '--with-mksquashfs' option #1662 - '--nv' option will use [nvidia-container-cli](https://github.com/NVIDIA/libnvidia-container) if installed #1681 - [nvliblist.conf] (https://github.com/singularityware/singularity/blob/master/etc/nvliblist.conf) now has a section for binaries #1681 - '--nv' can be made default with all action commands in singularity.conf #1681 - '--nv' can be controlled by env vars '$SINGULARITY_NV' and '$SINGULARITY_NV_OFF' #1681 - Restore shim init process for proper signal handling and child reaping when container is initiated in its own PID namespace #1221 - Add '-i' option to image.create to specify the inode ratio. #1759 - Bind '/dev/nvidia*' into the container when the '--nv' flag is used in conjuction with the '--contain' flag #1358 - Add '--no-home' option to not mount user $HOME if it is not the $CWD and 'mount home = yes' is set. #1761 - Added support for OAUTH2 Docker registries like Azure Container Registry #1622 Highlights of 2.5.2: - a new `build` command was added to replace `create` + `bootstrap` - default image format is squashfs, eliminating the need to specify a size - a `localimage` can be used as a build base, including ext3, sandbox, and other squashfs images - singularity hub can now be used as a base with the uri - Restore docker-extract aufs whiteout handling that implements correct extraction of docker container layers. Bug fixes: - Fix 404 when using Arch Linux bootstrap #1731 - Fix environment variables clearing while starting instances #1766 - several more bug fixes, see CHANGELOG.md for details The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) http://lists.opensuse.org/opensuse-security-announce/2018-10/msg00048.html E-Mail link for openSUSE-SU-2018:3316-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings SUSE Package Hub for SUSE Linux Enterprise 15 libsingularity1-2.6.0-bp150.3.3.1 singularity-2.6.0-bp150.3.3.1 singularity-devel-2.6.0-bp150.3.3.1 libsingularity1-2.6.0-bp150.3.3.1 as a component of SUSE Package Hub for SUSE Linux Enterprise 15 singularity-2.6.0-bp150.3.3.1 as a component of SUSE Package Hub for SUSE Linux Enterprise 15 singularity-devel-2.6.0-bp150.3.3.1 as a component of SUSE Package Hub for SUSE Linux Enterprise 15 Singularity 2.3.0 through 2.5.1 is affected by an incorrect access control on systems supporting overlay file system. When using the overlay option, a malicious user may access sensitive information by exploiting a few specific Singularity features. CVE-2018-12021 SUSE Package Hub for SUSE Linux Enterprise 15:libsingularity1-2.6.0-bp150.3.3.1 SUSE Package Hub for SUSE Linux Enterprise 15:singularity-2.6.0-bp150.3.3.1 SUSE Package Hub for SUSE Linux Enterprise 15:singularity-devel-2.6.0-bp150.3.3.1 moderate Please Install the update. http://lists.opensuse.org/opensuse-security-announce/2018-10/msg00048.html https://www.suse.com/security/cve/CVE-2018-12021.html CVE-2018-12021 https://bugzilla.suse.com/1100333 SUSE Bug 1100333 https://bugzilla.suse.com/1111411 SUSE Bug 1111411