Bugzilla – Bug 1186619
VUL-0: CVE-2021-32635: singularity: Action commands against library URIs ignore configured remote endpoint
Last modified: 2021-11-08 14:37:05 UTC
In singularity 3.7.2 and 3.7.3, action commands against library:// URIs erroneously always used the default remote endpoint (cloud.sylabs.io). An attacker may be able to push a malicious container to the default remote endpoint with a URI that is identical to the URI used by a victim with a non-default remote endpoint, thus executing the malicious container.
References:
https://bugzilla.redhat.com/show_bug.cgi?id=1965512
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-32635
Affected package:
- openSUSE:Factory/singularity 3.7.2
Will update factory packages.
This is an autogenerated message for OBS integration:
This bug (1186619) was mentioned in
https://build.opensuse.org/request/show/897439 Backports:SLE-15-SP3 / singularity
https://build.opensuse.org/request/show/897440 Backports:SLE-15-SP2 / singularity
openSUSE-RU-2021:0867-1: An update that fixes two vulnerabilities is now available.
Category: recommended (moderate)
Bug References: 1186619
CVE References: CVE-2021-29136,CVE-2021-32635
JIRA References:
Sources used:
openSUSE Backports SLE-15-SP2 (src): singularity-3.7.4-bp152.2.24.1
openSUSE-SU-2021:0987-1: An update that fixes two vulnerabilities is now available.
Category: security (important)
Bug References: 1186619
CVE References: CVE-2021-29136,CVE-2021-32635
JIRA References:
Sources used:
openSUSE Backports SLE-15-SP3 (src): singularity-3.7.4-bp153.2.3.1
This is an autogenerated message for OBS integration:
This bug (1186619) was mentioned in
https://build.opensuse.org/request/show/927451 15.3 / singularity