Stay Secure with the Latest Linux Advisories

security advisorysecurity issueupdate

openSUSE Leap 15.1: 2020:1037-1 Important: Singularity Security Issues

An update that solves 5 vulnerabilities and has one errata is now available.. openSUSE Security Update: Security update for singularity ______________________________________________________________________________ Announcement ID: openSUSE-SU-2020:1037-1 Rating: important References: #1125369 #1128598 #1159550 #1174148 #1174150 #1174152 Cross-References: CVE-2019-11328 CVE-2019-19724 CVE-2020-13845 CVE-2020-13846 CVE-2020-13847 Affected Products: openSUSE Leap 15.1 ______________________________________________________________________________ An update that solves 5 vulnerabilities and has one errata is now available. Description: This update for singularity fixes the following issues: - New version 3.6.0. This version introduces a new signature format for SIF images, and changes to the signing / verification code to address the following security problems: - CVE-2020-13845, boo#1174150 In Singularity 3.x versions below 3.6.0, issues allow the ECL to be bypassed by a malicious user. - CVE-2020-13846, boo#1174148 In Singularity 3.5 the --all / -a option to singularity verify returns success even when some objects in a SIF container are not signed, or cannot be verified. - CVE-2020-13847, boo#1174152 In Singularity 3.x versions below 3.6.0, Singularity's sign and verify commands do not sign metadata found in the global header or data object descriptors of a SIF file, allowing an attacker to cause unexpected behavior. A signed container may verify successfully, even when it has been modified in ways that could be exploited to cause malicious behavior. - New features / functionalities - A new '--legacy-insecure' flag to verify allows verification of SIF signatures in the old, insecure format. - A new '-l / --logs' flag for instance list that shows the paths to instance STDERR / STDOUT log files. - The --json output of instance list now include paths to STDERR / STDOUT log files. - Singularity now supports the execution of minimal Docker/OCI containers that do not contain /bin/sh, e.g. docker://hello-world. - A new cache structure is used that is concurrency safe on a filesystem that supports atomic rename. If you downgrade to Singularity 3.5 or older after using 3.6 you will need to run singularity cache clean. - A plugin system rework adds new hook points that will allow the development of plugins that modify behavior of the runtime. An image driver concept is introduced for plugins to support new ways of handling image and overlay mounts. Plugins built for

Jul 23, 2020 •Important OpenSUSE