SingularityPRO 3.7-8 is a security and bugfix release for SingularityPRO 3.7.
No advance update was possible prior to this security notification, as the issue affects upstream software and was publicly disclosed.
SingularityPRO 3.7-8 packages were built with updated Go 1.17.5 to address the following CVE in the Go core packages, used to build SingularityPRO:
CVE-2021-44717 - syscall: don’t close fd 0 on ForkExec error. When a Go program (such as SingularityPRO) running on a Unix system is out of file descriptors and calls syscall.ForkExec (including indirectly by using the os/exec package), syscall.ForkExec can close file descriptor 0 as it fails. If this happens (or can be provoked) repeatedly, it can result in misdirected I/O such as writing network traffic intended for one connection to a different connection, or content intended for one file to a different one.
No direct exploit for SingularityPRO has been identified at this time; however, ForkExec calls are performed for multiple tasks, and users are encouraged to update.
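One way to confirm that an installed binary was built with the fixed toolchain, as an added example that is not part of the original release notes or of SingularityPRO itself: it reads the Go version that the Go linker embeds in a binary and compares it with the Go 1.17.5 named above. The name meetsBaseline and the binary paths given on the command line are assumptions, and the checker itself needs Go 1.18 or later for debug/buildinfo.

```go
package main

import (
	"debug/buildinfo"
	"fmt"
	"os"
	"strconv"
	"strings"
)

// baseline is the Go release the advisory names for the fixed packages.
var baseline = [3]int{1, 17, 5}

// meetsBaseline reports whether a toolchain string such as "go1.17.5" is at
// or above baseline. Pre-release and development strings return an error so
// they get a manual look; older release branches always compare as below.
func meetsBaseline(goVersion string) (bool, error) {
	fields := strings.Fields(goVersion)
	if len(fields) == 0 || !strings.HasPrefix(fields[0], "go") {
		return false, fmt.Errorf("unrecognised toolchain string %q", goVersion)
	}
	parts := strings.Split(strings.TrimPrefix(fields[0], "go"), ".")
	var got [3]int // a missing patch level, as in "go1.18", stays 0
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil || n < 0 || i > 2 {
			return false, fmt.Errorf("non-release toolchain string %q", goVersion)
		}
		got[i] = n
	}
	for i := range got {
		if got[i] != baseline[i] {
			return got[i] > baseline[i], nil
		}
	}
	return true, nil
}

func main() { // usage: pass the paths of the binaries to audit (paths are assumptions)
	for _, path := range os.Args[1:] {
		info, err := buildinfo.ReadFile(path) // toolchain version embedded by the linker
		if err != nil {
			fmt.Printf("%s: no Go build info: %v\n", path, err)
			continue
		}
		ok, err := meetsBaseline(info.GoVersion)
		fmt.Printf("%s: toolchain=%q baseline_met=%v err=%v\n", path, info.GoVersion, ok, err)
	}
}
```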
Fix source of a script on PATH and scoping of environment variables in definition files (via dependency update).
Correct documentation for the sign command regarding the source of the key index.
Ensure a local build does not fail unnecessarily if a keyserver config cannot be retrieved from the remote endpoint.
Installation / Upgrade
Installation and upgrade instructions, repository access, and admin/user guides can be found on your customer access page at:
Find your personalized link including the customer-id in your original customer welcome email. Installation pages are provided for RHEL, SLES and Ubuntu. Detailed installation and upgrade instructions can also be found in the admin guide linked from your customer page.
If you have any questions about this release, or require assistance with installation or upgrades, please contact your reseller or Sylabs support via firstname.lastname@example.org