singularity: 2.5.1 -> 2.5.2 #43157
Merged
singularity: 2.5.1 -> 2.5.2 #43157
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Semi-automatic update generated by https://github.com/ryantm/nixpkgs-update tools. This update was made based on information from https://repology.org/metapackage/singularity/versions. <details><summary>Version release notes (from GitHub)</summary> Greetings Singularity containerizers! This release contains fixes for a _high severity_ security issue affecting Singularity 2.3.0 through 2.5.1 on kernels that support overlay file systems (CVE-2018-12021). A malicious user with network access to the host system (e.g. ssh) could exploit this vulnerability to access sensitive information on disk and bypass directory image restrictions like those preventing the root file system from being mounted into the container. Singularity 2.5.2 should be installed immediately, and all previous versions of Singularity should be removed. The vulnerability addressed in this release affects kernels that support overlayfs. If you are unable to upgrade immediately, you should set `enable overlay = no` in `singularity.conf`. In addition, this release contains a large number of bug fixes. Details follow: ## [Security related fixes](https://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-12021) - Removed the option to use overlay images with `singularity mount`. This flaw could allow a malicious user accessing the host system to access sensitive information when coupled with persistent ext3 overlay. - Fixed a race condition that might allow a malicious user to bypass directory image restrictions, like mounting the host root filesystem as a container image ## Bug fixes - Fix an error in malloc allocation NixOS#1620 - Honor debug flag when pulling from docker hub NixOS#1556 - Fix a bug with passwd abort NixOS#1580 - Allow user to override singularity.conf "mount home = no" with --home option NixOS#1496 - Improve debugging output NixOS#1535 - Fix some bugs in bind mounting NixOS#1525 - Define PR_(S|G)ET_NO_NEW_PRIVS in user space so that these features will work with kernels that implement them (like Cray systems) NixOS#1506 - Create /dev/fd and standard streams symlinks in /dev when using minimal dev mount or when specifying -c/-C/--contain option NixOS#1420 - Fixed * expansion during app runscript creation NixOS#1486 As always, please report any bugs to: https://github.com/singularityware/singularity/issues/new</details> These checks were done: - built on NixOS - /nix/store/3igwiqi311c18w13y5r7zrgpcnzylg9l-singularity-2.5.2/bin/singularity passed the binary check. - Warning: no invocation of /nix/store/3igwiqi311c18w13y5r7zrgpcnzylg9l-singularity-2.5.2/bin/run-singularity had a zero exit code or showed the expected version - 1 of 2 passed binary check by having a zero exit code. - 0 of 2 passed binary check by having the new version present in output. - found 2.5.2 with grep in /nix/store/3igwiqi311c18w13y5r7zrgpcnzylg9l-singularity-2.5.2 - directory tree listing: https://gist.github.com/ed6db09ad43a19c6abf2d35d15ef489c - du listing: https://gist.github.com/9bd23f4d6ee86a9eb2ba7ec5c986741d
GrahamcOfBorg
added
10.rebuild-darwin: 0
|
No attempt on x86_64-darwin (full log) The following builds were skipped because they don't evaluate on x86_64-darwin: singularity Partial log (click to expand)
|
|
Success on x86_64-linux (full log) Attempted: singularity Partial log (click to expand)
|
|
Success on aarch64-linux (full log) Attempted: singularity Partial log (click to expand)
|
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Semi-automatic update generated by https://github.com/ryantm/nixpkgs-update tools.
This update was made based on information from https://repology.org/metapackage/singularity/versions.
Version release notes (from GitHub)
Greetings Singularity containerizers!This release contains fixes for a high severity security issue affecting Singularity 2.3.0 through 2.5.1 on kernels that support overlay file systems (CVE-2018-12021). A malicious user with network access to the host system (e.g. ssh) could exploit this vulnerability to access sensitive information on disk and bypass directory image restrictions like those preventing the root file system from being mounted into the container.
Singularity 2.5.2 should be installed immediately, and all previous versions of Singularity should be removed. The vulnerability addressed in this release affects kernels that support overlayfs. If you are unable to upgrade immediately, you should set
enable overlay = noinsingularity.conf.In addition, this release contains a large number of bug fixes. Details follow:
Security related fixes
singularity mount. Thisflaw could allow a malicious user accessing the host system to access
sensitive information when coupled with persistent ext3 overlay.
image restrictions, like mounting the host root filesystem as a container
image
Bug fixes
gupnp-tools and releated packages: fix and update #1496
work with kernels that implement them (like Cray systems) Add node-webkit, app runtime based on Chromium and node.js #1506
mount or when specifying -c/-C/--contain option Fixed a code typo in the documentation #1420
systemon different OSX versions #1486As always, please report any bugs to:
https://github.com/singularityware/singularity/issues/new
These checks were done:
meta.description for singularity is: '"Designed around the notion of extreme mobility of compute and reproducible science, Singularity enables users to have full control of their operating system environment"'.
cc @jbedo for testing.
This build is cached with Cachix. To use the cache follow these instructions:
One time setup in nixpkgs Git checkout:
Test this build: