OSG-SEC-2018-12-12 Critical vulnerability in Singularity Update 2
Dear OSG Security Contacts,
This is a follow-up to our previous announcement, “OSG-SEC-2018-12-12 Critical vulnerability in Singularity”. The latest released version of Singularity [1] fixes the vulnerability described in that announcement.
Singularity 3.x is now considered ready for production use, and has been moved to the release repositories as of OSG Release 3.4.31 [2]. Singularity 3.x no longer contains a setuid binary for building container images, so it is no longer vulnerable to the above security flaw.
WHAT YOU SHOULD DO:
Use the following command to update Singularity to 3.2.1, which was released in OSG Release 3.4.31 [2]:
yum install singularity
Note that in Singularity 3.x, singularity-runtime has been merged into the main singularity package, so the above command will remove the singularity-runtime package if you have it installed.
REFERENCES
[1] https://github.com/sylabs/singularity/releases/tag/v3.2.1
[2] https://opensciencegrid.org/docs/release/3.4/release-3-4-31/
Please contact the OSG security team at [email protected] if you have any questions or concerns.
OSG Security Team