SingularityPRO 3.5-10 Security Release

SingularityPRO 3.5-10 is a security release for SingularityPRO 3.5. It is a rebuild that addresses an issue in the Go core packages used to build SingularityPRO. There are no changes to functionality.

No advance update was possible prior to this security notification, as the issue affects upstream software and was publicly disclosed.

Security Fixes

SingularityPRO 3.5-10 packages were built with updated Go 1.17.5 to address the following CVE in the Go core packages:

  • CVE-2021-44717 - syscall: don’t close fd 0 on ForkExec error. When a Go program (such as SingularityPRO) running on a Unix system is out of file descriptors and calls syscall.ForkExec (including indirectly by using the os/exec package), syscall.ForkExec can close file descriptor 0 as it fails. If this happens (or can be provoked) repeatedly, it can result in misdirected I/O such as writing network traffic intended for one connection to a different connection, or content intended for one file to a different one.

No direct exploit for SingularityPRO has been identified at this time; however, ForkExec calls are performed for multiple tasks, and users are encouraged to update.
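An added self-check, not part of this notice or of SingularityPRO itself: a small Go program that reads the build metadata Go embeds in every binary it produces (for example the installed singularity executable) and reports whether the toolchain that built it carries the fix. The 1.17.5 threshold is the one this notice names; the 1.16.12 backport threshold is taken from the upstream Go release announcement for the same CVE, and the program name and path are assumptions.

```go
package main

import (
	"debug/buildinfo"
	"fmt"
	"os"
	"strconv"
	"strings"
)

// parseGoVersion turns "go1.17.5" (or "go1.17") into [major, minor, patch];
// pre-release strings such as "go1.18beta1" are rejected rather than guessed.
func parseGoVersion(s string) (v [3]int, err error) {
	parts := strings.Split(strings.TrimPrefix(s, "go"), ".")
	if !strings.HasPrefix(s, "go") || len(parts) < 2 || len(parts) > 3 {
		return v, fmt.Errorf("not a Go release version: %q", s)
	}
	for i, p := range parts {
		if v[i], err = strconv.Atoi(p); err != nil {
			return v, fmt.Errorf("non-numeric component in %q", s)
		}
	}
	return v, nil
}

// key folds [major, minor, patch] into one integer so versions compare with >=.
func key(v [3]int) int { return v[0]*1000000 + v[1]*1000 + v[2] }

// FixedForCVE202144717 reports whether a toolchain version carries the syscall.ForkExec
// fix: 1.17.5 as named in this notice, or the 1.16.12 backport from the upstream Go announcement.
func FixedForCVE202144717(s string) (bool, error) {
	v, err := parseGoVersion(s)
	if err != nil {
		return false, err
	}
	floor := [3]int{1, 17, 5}
	if v[0] == 1 && v[1] == 16 {
		floor = [3]int{1, 16, 12}
	}
	return key(v) >= key(floor), nil
}

func main() { // usage (assumed program name): gocheck /path/to/singularity
	info, err := buildinfo.ReadFile(os.Args[1]) // build metadata Go embeds in every binary
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(2)
	}
	ok, err := FixedForCVE202144717(info.GoVersion)
	fmt.Printf("%s: built with %s, fixed: %v, parse error: %v\n", os.Args[1], info.GoVersion, ok, err)
}
```

A devel or pre-release toolchain string yields a parse error rather than a verdict, so treat that case as "unknown" and confirm the toolchain another way.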

Installation / Upgrade

Installation and upgrade instructions, repository access, and admin/user guides can be found on your customer access page at:

https://repo.sylabs.io/c/<customer-id>

Your personalized link, including the customer-id, is in your original customer welcome email. Installation pages are provided for RHEL, SLES and Ubuntu. Detailed installation and upgrade instructions can also be found in the admin guide linked from your customer page.

Support

If you have any questions about this release, or require assistance with installation or upgrades, please contact your reseller or Sylabs support via [email protected]