SingularityPRO 3.7-7 Security & Bugfix Release



SingularityPRO 3.7-7 is a security and bugfix release for SingularityPRO 3.7. It addresses an issue affecting the OCI distribution-spec / image-spec by updating the dependencies that SingularityPRO uses to retrieve OCI images from registries.

Security Fixes

  • CVE-2021-41190 / GHSA-77vh-xpmg-72qh: OCI specifications allow ambiguous documents that contain both "manifests" and "layers" fields. How such a document is interpreted depends on the presence / value of a Content-Type header. The SingularityPRO dependencies that handle the retrieval of OCI images have been updated to versions that reject ambiguous documents.
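
The kind of check this fix refers to, as an added Go example; it is not code from SingularityPRO or its dependencies. The function name `classify`, the sample documents, and the extra rule that the Content-Type header must agree with the fields in the body are assumptions made for illustration.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// Media types defined by the OCI image-spec.
const (
	mediaManifest = "application/vnd.oci.image.manifest.v1+json"
	mediaIndex    = "application/vnd.oci.image.index.v1+json"
)

var errAmbiguous = errors.New(`ambiguous document: both "manifests" and "layers" present`)

// classify returns "manifest" or "index" for a registry response. Only the
// top-level keys are decoded, so nothing is interpreted before the document
// has been checked for ambiguity and against the Content-Type header.
func classify(contentType string, body []byte) (string, error) {
	var top map[string]json.RawMessage
	if err := json.Unmarshal(body, &top); err != nil {
		return "", fmt.Errorf("not a JSON object: %w", err)
	}
	_, hasManifests := top["manifests"]
	_, hasLayers := top["layers"]
	if hasManifests && hasLayers {
		return "", errAmbiguous
	}
	switch {
	case contentType == mediaManifest && hasLayers:
		return "manifest", nil
	case contentType == mediaIndex && hasManifests:
		return "index", nil
	}
	return "", fmt.Errorf("content type %q does not match document body", contentType)
}

func main() {
	// Constructed sample documents, not taken from a real registry.
	samples := []struct{ ct, body string }{
		{mediaManifest, `{"schemaVersion":2,"config":{},"layers":[]}`},
		{mediaIndex, `{"schemaVersion":2,"manifests":[],"layers":[]}`},
		{mediaIndex, `{"schemaVersion":2,"config":{},"layers":[]}`},
	}
	for _, s := range samples {
		kind, err := classify(s.ct, []byte(s.body))
		fmt.Printf("%-45s kind=%q err=%v\n", s.ct, kind, err)
	}
}
```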

Bug Fixes

  • Update oras-go dependency to address push failures to some registry configurations.

  • Implement context cancellation when a signal is received in several CLI commands.

  • Ensure invalid values passed to config global --set cannot lead to an empty configuration file being written.

New Features

  • Ability to perform concurrent multi-part downloads for library:// URIs. This is disabled by default and is configurable in singularity.conf or via environment variables.

Installation / Upgrade


Installation and upgrade instructions, repository access, and admin/user guides can be found on your customer access page at:


https://repo.sylabs.io/c/<customer-id>


Find your personalized link including the customer-id in your original customer welcome email. Installation pages are provided for RHEL, SLES and Ubuntu. Detailed installation and upgrade instructions can also be found in the admin guide linked from your customer page.



Support


If you have any questions about this release, or require assistance with installation or upgrades, please contact your reseller or Sylabs support via support@sylabs.io.