openSUSE Security Update: Security update for singularity
______________________________________________________________________________

Announcement ID:    openSUSE-SU-2020:1100-1
Rating:             important
References:         #1174148 #1174150 #1174152 
Cross-References:   CVE-2020-13845 CVE-2020-13846 CVE-2020-13847
                   
Affected Products:
                    openSUSE Backports SLE-15-SP2
______________________________________________________________________________

   An update that fixes three vulnerabilities is now available.

Description:

   This update for singularity fixes the following issues:

   - New version 3.6.0. This version introduces a new signature format for
     SIF images, and changes to the signing / verification code to address
     the following security problems:
     - CVE-2020-13845, boo#1174150 In Singularity 3.x versions below 3.6.0,
       issues allow the ECL to be bypassed by a malicious user.
     - CVE-2020-13846, boo#1174148 In Singularity 3.5 the --all / -a option
       to singularity verify returns success even when some objects in a SIF
       container are not signed,
     or cannot be verified.
     - CVE-2020-13847, boo#1174152 In Singularity 3.x versions below 3.6.0,
       Singularity's sign and verify commands do not sign metadata found in
       the global header or data object descriptors of a SIF file, allowing
       an attacker to cause unexpected behavior. A signed container may
       verify successfully, even when it has been modified in ways that could
       be exploited to cause malicious behavior.

   - New features / functionalities
     - A new '--legacy-insecure' flag to verify allows verification of SIF
       signatures in the old, insecure format.
     - A new '-l / --logs' flag for instance list that shows the paths to
       instance STDERR / STDOUT log files.
     - The --json output of instance list now include paths to STDERR /
       STDOUT log files.
     - Singularity now supports the execution of minimal Docker/OCI
       containers that do not contain /bin/sh, e.g. docker://hello-world.
     - A new cache structure is used that is concurrency safe on a filesystem
       that supports atomic rename. If you downgrade to Singularity 3.5 or
       older after using 3.6 you will need to run singularity cache clean.
     - A plugin system rework adds new hook points that will allow the
       development of plugins that modify behavior of the runtime. An image
       driver concept is introduced for plugins to support new ways of
       handling image and
     overlay mounts. Plugins built for <=3.5 are not compatible with 3.6.
     - The --bind flag can now bind directories from a SIF or ext3 image into
       a container.
     - The --fusemount feature to mount filesystems to a container via FUSE
       drivers is now a supported feature (previously an experimental hidden
       flag).
     - This permits users to mount e.g. sshfs and cvmfs filesystems to the
       container at runtime.
     - A new -c/--config flag allows an alternative singularity.conf to be
       specified by the root user, or all users in an unprivileged
       installation.
     - A new --env flag allows container environment variables to be set via
       the Singularity command line.
     - A new --env-file flag allows container environment variables to be set
       from a specified file.
     - A new --days flag for cache clean allows removal of items older than a
       specified number of days. Replaces the --name flag which is not
       generally useful as the cache entries are stored by hash, not a
       friendly name.

   - Changed defaults / behaviours    - New signature format (see security fixes above).
    - Fixed spacing of singularity instance list to be dynamically changing
      based off of input lengths instead of fixed number of spaces to account
      for long instance names.
    - Environment variables prefixed with SINGULARITYENV_ always take
      precedence over variables without SINGULARITYENV_ prefix.
    - The %post build section inherits environment variables from the base
      image.
    - %files from ... will now follow symlinks for sources that are directly
      specified, or directly resolved from a glob pattern. It will not follow
      symlinks found through directory traversal. This mirrors Docker
      multi-stage COPY behaviour.
    - Restored the CWD mount behaviour of v2, implying that CWD path is not
      recreated inside container and any symlinks in the CWD path are not
      resolved anymore to determine the destination path inside container.
    - The %test build section is executed the same manner as singularity test
      image.
    --fusemount with the container: default directive will foreground the
     FUSE process. Use container-daemon: for previous behavior.

   - Deprecate -a / --all option to sign/verify as new signature behavior
     makes this the default.
   - For more information about upstream changes, please check:
     https://github.com/apptainer/singularity/blob/master/CHANGELOG.md
   - Removed --name flag for cache clean; replaced with --days.

   This update was imported from the openSUSE:Leap:15.2:Update update project.


Patch Instructions:

   To install this openSUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - openSUSE Backports SLE-15-SP2:

      zypper in -t patch openSUSE-2020-1100=1



Package List:

   - openSUSE Backports SLE-15-SP2 (aarch64 ppc64le s390x x86_64):

      singularity-3.6.0-bp152.2.4.1


References:

   https://www.suse.com/security/cve/CVE-2020-13845.html
   https://www.suse.com/security/cve/CVE-2020-13846.html
   https://www.suse.com/security/cve/CVE-2020-13847.html
   https://bugzilla.suse.com/1174148
   https://bugzilla.suse.com/1174150
   https://bugzilla.suse.com/1174152

--

openSUSE: 2020:1100-1: important: singularity

September 18, 2020
An update that fixes three vulnerabilities is now available.

Description

This update for singularity fixes the following issues: - New version 3.6.0. This version introduces a new signature format for SIF images, and changes to the signing / verification code to address the following security problems: - CVE-2020-13845, boo#1174150 In Singularity 3.x versions below 3.6.0, issues allow the ECL to be bypassed by a malicious user. - CVE-2020-13846, boo#1174148 In Singularity 3.5 the --all / -a option to singularity verify returns success even when some objects in a SIF container are not signed, or cannot be verified. - CVE-2020-13847, boo#1174152 In Singularity 3.x versions below 3.6.0, Singularity's sign and verify commands do not sign metadata found in the global header or data object descriptors of a SIF file, allowing an attacker to cause unexpected behavior. A signed container may verify successfully, even when it has been modified in ways that could be exploited to cause malicious behavior. - New features / functionalities - A new '--legacy-insecure' flag to verify allows verification of SIF signatures in the old, insecure format. - A new '-l / --logs' flag for instance list that shows the paths to instance STDERR / STDOUT log files. - The --json output of instance list now include paths to STDERR / STDOUT log files. - Singularity now supports the execution of minimal Docker/OCI containers that do not contain /bin/sh, e.g. docker://hello-world. - A new cache structure is used that is concurrency safe on a filesystem that supports atomic rename. If you downgrade to Singularity 3.5 or older after using 3.6 you will need to run singularity cache clean. - A plugin system rework adds new hook points that will allow the development of plugins that modify behavior of the runtime. An image driver concept is introduced for plugins to support new ways of handling image and overlay mounts. Plugins built for <=3.5 are not compatible with 3.6. - The --bind flag can now bind directories from a SIF or ext3 image into a container. - The --fusemount feature to mount filesystems to a container via FUSE drivers is now a supported feature (previously an experimental hidden flag). - This permits users to mount e.g. sshfs and cvmfs filesystems to the container at runtime. - A new -c/--config flag allows an alternative singularity.conf to be specified by the root user, or all users in an unprivileged installation. - A new --env flag allows container environment variables to be set via the Singularity command line. - A new --env-file flag allows container environment variables to be set from a specified file. - A new --days flag for cache clean allows removal of items older than a specified number of days. Replaces the --name flag which is not generally useful as the cache entries are stored by hash, not a friendly name. - Changed defaults / behaviours - New signature format (see security fixes above). - Fixed spacing of singularity instance list to be dynamically changing based off of input lengths instead of fixed number of spaces to account for long instance names. - Environment variables prefixed with SINGULARITYENV_ always take precedence over variables without SINGULARITYENV_ prefix. - The %post build section inherits environment variables from the base image. - %files from ... will now follow symlinks for sources that are directly specified, or directly resolved from a glob pattern. It will not follow symlinks found through directory traversal. This mirrors Docker multi-stage COPY behaviour. - Restored the CWD mount behaviour of v2, implying that CWD path is not recreated inside container and any symlinks in the CWD path are not resolved anymore to determine the destination path inside container. - The %test build section is executed the same manner as singularity test image. --fusemount with the container: default directive will foreground the FUSE process. Use container-daemon: for previous behavior. - Deprecate -a / --all option to sign/verify as new signature behavior makes this the default. - For more information about upstream changes, please check: https://github.com/apptainer/singularity/blob/master/CHANGELOG.md - Removed --name flag for cache clean; replaced with --days. This update was imported from the openSUSE:Leap:15.2:Update update project.

 

Patch

Patch Instructions: To install this openSUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - openSUSE Backports SLE-15-SP2: zypper in -t patch openSUSE-2020-1100=1


Package List

- openSUSE Backports SLE-15-SP2 (aarch64 ppc64le s390x x86_64): singularity-3.6.0-bp152.2.4.1


References

https://www.suse.com/security/cve/CVE-2020-13845.html https://www.suse.com/security/cve/CVE-2020-13846.html https://www.suse.com/security/cve/CVE-2020-13847.html https://bugzilla.suse.com/1174148 https://bugzilla.suse.com/1174150 https://bugzilla.suse.com/1174152--


Severity
Announcement ID: openSUSE-SU-2020:1100-1
Rating: important
Affected Products: openSUSE Backports SLE-15-SP2

Related News

5.ShakingHands Esm H320
2 - 3 min read
At The Linux Foundation's Open Source Summit North America , Linus Torvalds, the creator of Linux, discussed various topics related to Linux
30.Lock Globe Motherboard Esm H320
1 - 2 min read
The SPDX 3.0 release marks a significant milestone in software management, particularly for Linux admins, infosec professionals, internet security
11.Locks IsometricPattern Esm H320
2 - 3 min read
Open Source maintainers and developers have been warned about the continued wave of attacks aimed at project maintainers similar to those recently
28.Lock Globe Esm H320
1 - 2 min read
A resurgence of cyberattacks targeting Linux systems in Asian campaigns through the utilization of the Pupy Remote Access Trojan (RAT) has been
27.Tablet Connections Blocks Lock Esm H320
2 - 4 min read
Canonical has recently announced the Beta release of Ubuntu Linux 24.04 LTS , codenamed "Noble Numbat." This release aims to continue Ubuntu's
21.Globe RadiatingCode Esm H320
2 - 3 min read
The open-source movement has come a long way, from its origins in the 1960s and 1970s to becoming an integral part of organizations worldwide.
13.Lock StylizedMotherboard Esm H320
2 - 3 min read
The Rust-based Edera project demonstrates a unique approach to container security that addresses cloud-native computing challenges. Let's examine
8.Locks HexConnections CodeGlobe Esm H320
2 - 3 min read
Canonical has launched Ubuntu Pro for Devices , a comprehensive offering emphasizing security and compliance for IoT device deployments. This
Sign Up

Get the Latest News & Insights

Sign up to get the latest security news affecting Linux and open source delivered straight to your inbox.

© 2024 Guardian Digital, Inc All Rights Reserved