sylabs/singularity: Singularity 2.6.1
Creators
- Gregory M. Kurtzer (Singularity Labs)
- cclerget
- Michael Bauer (@sylabs)
- Vanessa Sochat (Stanford University)
- Yannick Cote
- Eduardo Arango (@sylabs)
- David Godlove (Sylabs Inc)
- ikaneshiro
- tri-adam
- DrDaveD
- David Trudgian
- Jason Stover
- Brian P Bockelman (University of Nebraska-Lincoln)
- Daniele Tamino
- Carl Madison
- Dave Love
- Justin Cook (@sylabs)
- Satrajit Ghosh (MIT)
- Amanda Duffy (Lenovo)
- Jacob Chappell
- Yaroslav Halchenko (Dartmouth College, @Debian, @DataLad, @PyMVPA, @fail2ban)
- Tru Huynh (Unité de Bioinformatique Structurale, Institut Pasteur)
- Felix Abecassis (NVIDIA)
- Mike Gray (Self)
- wpoely86
- Oliver Freyermuth
- Mark Egan-Fuller
- Dexter (CESNET)
- Olivier Sallou (IRISA)
- Maciej Sieczka
Description
Greetings Singularity containerizers!
The 2.6.1 release contains fixes for a high severity security issue affecting Singularity 2.4.0 through 2.6.0 on modern distributions managed with systemd where mount points are mounted with shared mount propagation by default (CVE-2018-19295). A malicious user with local/network access to the host system (e.g. ssh) could exploit this vulnerability to mount arbitrary directories into the host mount namespace resulting in privilege escalation on the host.
Singularity 2.6.1 should be installed immediately, and all previous versions of Singularity should be removed. The vulnerability addressed in this release affects systems on which the `/` mount point or any exploitable mount point (e.g. `/run`, `/var`, ...) is set shared. If you are unable to upgrade immediately, you should run `mount --make-rprivate /` so that `/` and all mount points belonging to `/` are no longer mounted shared. This change must be repeated on every reboot.
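To check whether a host is in the affected configuration, or whether the workaround is still in effect after a reboot, the following added example (not part of the Singularity release notes) lists mount points that carry the `shared:N` propagation tag in `/proc/self/mountinfo`. The function names and the sample mountinfo lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: find mount points with shared mount propagation.
# Function names are hypothetical; the sample data below is constructed.

# Print the mount point (field 5) of every mountinfo entry whose optional
# fields (field 7 up to the "-" separator) contain a "shared:N" tag.
# Argument: a mountinfo file, "-" for stdin, or nothing for the live host.
shared_mounts() {
    awk '{
        for (i = 7; i <= NF && $i != "-"; i++)
            if ($i ~ /^shared:[0-9]+$/) { print $5; break }
    }' "${1:-/proc/self/mountinfo}"
}

# Return 0 when no mount point is shared, 1 otherwise (offenders on stderr).
propagation_is_private() {
    shared=$(shared_mounts "${1:-}")
    [ -z "$shared" ] && return 0
    printf '%s\n' "$shared" | sed 's/^/shared mount point: /' >&2
    return 1
}

# Constructed sample in /proc/self/mountinfo format: "/" and "/run" are
# shared, "/proc" and "/var" are private, "/mnt/slave" is a slave mount.
sample_mountinfo() {
    cat <<'EOF'
22 1 8:2 / / rw,relatime shared:1 - ext4 /dev/sda2 rw
23 22 0:21 / /proc rw,nosuid,nodev,noexec,relatime - proc proc rw
24 22 0:22 / /run rw,nosuid,nodev shared:5 - tmpfs tmpfs rw,mode=755
25 22 8:3 / /var rw,relatime - ext4 /dev/sda3 rw
26 22 0:40 / /mnt/slave rw,relatime master:1 - tmpfs tmpfs rw
EOF
}

# Demonstration on the constructed sample; call shared_mounts with no
# argument to inspect the running host instead.
sample_mountinfo | shared_mounts -
```

An empty result from `shared_mounts` on the live host means no mount point is currently shared; because the workaround does not persist, the check is worth repeating after each boot.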
- disables instance features for mount commands, disables instance join for start command, and disables daemon start for action commands
Great thanks to Matthias Gerstner of the SUSE security team for confidentially reporting this vulnerability to Sylabs!
As always, please report any bugs to: https://github.com/singularityware/singularity/issues/new
If you think that you've discovered a security vulnerability, please email the Sylabs team at: security@sylabs.io
Files
Name | Size |
---|---|
sylabs/singularity-2.6.1.zip (md5:aa86c354f99cb5502ffd3a807d2776fc) | 554.8 kB |
Additional details
Related works
- Is supplement to: https://github.com/sylabs/singularity/tree/2.6.1 (URL)