Singularity 3.7.3 is a security release. We recommend all users upgrade to this version.
Security Related Fixes
- CVE-2021-29136: A dependency used by Singularity to extract docker/OCI image layers can be tricked into modifying host files by creating a malicious layer that has a symlink with the name "." (or "/"), when running as root. This vulnerability affects a singularity build or singularity pull as root, from a docker or OCI source, as well as the implicit build to SIF that occurs through root use of run/exec/shell against a malicious docker/OCI image URI.
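
A pre-extraction check for the entry shape described above, as an added example (not Singularity's code and not the upstream fix): it scans a layer tar for symlink entries whose name resolves to the extraction root. The names RootLinks and ConstructedLayer and the sample entries are assumptions made for illustration. The check also flags names that only normalise to the root, such as usr/.., which goes slightly beyond the literal "." and "/" in the advisory.

```go
package main

import (
	"archive/tar"
	"bytes"
	"errors"
	"fmt"
	"io"
	"path"
)

// RootLinks lists symlink entries in a layer tar whose cleaned name is the
// extraction root itself ("." or "/"), the entry shape named in CVE-2021-29136.
func RootLinks(layer io.Reader) ([]string, error) {
	var hits []string
	tr := tar.NewReader(layer)
	for {
		hdr, err := tr.Next()
		if errors.Is(err, io.EOF) {
			return hits, nil
		}
		// Go may report non-local names as ErrInsecurePath yet still return hdr.
		if err != nil && !errors.Is(err, tar.ErrInsecurePath) {
			return hits, err
		}
		// path.Clean folds "./", "//" and "usr/.." onto "." or "/".
		clean := path.Clean(hdr.Name)
		if hdr.Typeflag == tar.TypeSymlink && (clean == "." || clean == "/") {
			hits = append(hits, hdr.Name)
		}
	}
}

// ConstructedLayer builds sample input in memory; "lib" is an ordinary symlink.
func ConstructedLayer() *bytes.Buffer {
	buf := new(bytes.Buffer)
	tw := tar.NewWriter(buf)
	for _, n := range []string{"lib", ".", "/", "usr/.."} {
		h := &tar.Header{Name: n, Typeflag: tar.TypeSymlink, Linkname: "constructed-target"}
		if err := tw.WriteHeader(h); err != nil {
			panic(err)
		}
	}
	tw.Close()
	return buf
}

func main() { fmt.Println(RootLinks(ConstructedLayer())) }
```

A non-empty result is a reason to refuse the layer before any root-privileged build, pull or run/exec/shell touches it.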
Thanks / Reporting Bugs
Thanks to our contributors for code, feedback, and testing efforts!
As always, please report any bugs to: https://github.com/hpcng/singularity/issues/new
If you think that you've discovered a security vulnerability, please report it to: security@sylabs.io
Have fun!
Downloads
Please use the singularity-3.7.3.tar.gz download below to obtain and install Singularity 3.7.3. The GitHub auto-generated 'Source Code' downloads do not include required dependencies etc.