
OSG-SEC-2018-12-12 Critical vulnerability in Singularity Update 2

Dear OSG Security Contacts,

This is a follow-up to our previous announcement “OSG-SEC-2018-12-12 Critical vulnerability in Singularity”. The latest released version of Singularity [1] fixes that vulnerability.

Singularity 3.x is now considered ready for production use, and has been moved to the release repositories as of OSG Release 3.4.31 [2]. Singularity 3.x no longer contains a setuid binary for building container images, so it is no longer vulnerable to the above security flaw.

WHAT YOU SHOULD DO:

Use the following command to update Singularity to 3.2.1, which was released in OSG Release 3.4.31 [2]:

yum install singularity

Note that in Singularity 3.x, singularity-runtime has been merged into the main singularity package, so the above command will remove the singularity-runtime package if you have it installed.
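
A post-update check for the step above, as an added example that is not part of the OSG advisory: it reads `name version` lines, such as those printed by `rpm -q --qf '%{NAME} %{VERSION}\n' singularity singularity-runtime`, and reports whether a host has reached 3.2.1. The function names and verdict strings are hypothetical, and treating a leftover singularity-runtime package as a sign of the pre-3.x packaging is an assumption drawn from the note above.

```shell
#!/bin/sh
# Added example (not OSG code): audit package listings against the advisory.
FIXED_VERSION="3.2.1"   # version the advisory says to update to

# version_ge A B: succeed if dotted version A >= B, comparing fields numerically
# (so 3.10.0 is newer than 3.2.1, which a plain string compare gets wrong).
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0
            yi = (i <= nb) ? y[i] + 0 : 0
            if (xi > yi) exit 0
            if (xi < yi) exit 1
        }
        exit 0
    }'
}

# audit_packages: read "name version" lines on stdin and print one verdict.
# Lines for other packages, or rpm's "package X is not installed", are ignored.
audit_packages() {
    sing_ver=""; runtime_ver=""
    while read -r name ver; do
        case "$name" in
            singularity)         sing_ver="$ver" ;;
            singularity-runtime) runtime_ver="$ver" ;;
        esac
    done
    if [ -z "$sing_ver" ] && [ -z "$runtime_ver" ]; then
        echo "NOT_INSTALLED"
    elif [ -n "$runtime_ver" ]; then
        # Assumption: the split runtime package only exists before 3.x.
        echo "UPDATE_NEEDED singularity-runtime-$runtime_ver still installed"
    elif version_ge "$sing_ver" "$FIXED_VERSION"; then
        echo "OK singularity-$sing_ver"
    else
        echo "UPDATE_NEEDED singularity-$sing_ver < $FIXED_VERSION"
    fi
}

# Constructed sample (not from a real host): a node still on the split packages.
printf 'singularity 2.6.1\nsingularity-runtime 2.6.1\n' | audit_packages
```
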

REFERENCES

[1] https://github.com/sylabs/singularity/releases/tag/v3.2.1

[2] https://opensciencegrid.org/docs/release/3.4/release-3-4-31/

Please contact the OSG security team at [email protected] if you have any questions or concerns.

OSG Security Team