This release includes fixes for several high and medium severity security issues. It also contains a whole slew of bug fixes including the much awaited docker aufs whiteout file fix. It's a new release instead of a point release because it adds a new dependency to handle this bug, includes some new (albeit minor) feature enhancements, and changes the behavior of a few environment variables (see below). Singularity 2.5 should be installed immediately and all previous versions of Singularity should be removed. Many of the vulnerabilities fixed in this release are expected to affect all Linux distributions regardless of whether they implement overlayfs. There are no mitigations or workarounds for these issues outside of updating Singularity. Additionally, Singularity 2.5 drops support for hosts that do not support the prctl() function PR_SET_NO_NEW_PRIVS. The PR_SET_NO_NEW_PRIVS feature was added to prctl() in the Linux 3.5 kernel. Various distributions have since backported this feature to currently maintained kernels (for example, Red Hat added this feature to RHEL 6.7 with the 2.6.32-504.16.2 kernel). Kernels that do not have this feature are inherently insecure in many ways. They do not implement container runtimes securely. Blocks have therefore been put in place to prevent Singularity 2.5 from building or running on vulnerable kernels. References: https://github.com/singularityware/singularity/releases
Created singularity tracking bugs for this issue: Affects: epel-all [bug 1585620] Affects: fedora-all [bug 1585619]
Andrej,

A fix is pending but we're waiting on bbockelm to get admin privileges on the package so he can accept my pull request as detailed in bug #1457856. Can you help with that?

Dave
(In reply to Dave Dykstra from comment #2)
> Andrej,
>
> A fix is pending but we're waiting on bbockelm to get admin privileges on
> the package so he can accept my pull request as detailed in bug #1457856.
> Can you help with that?
>
> Dave

Hi Dave,

I tried looking at the problem, but I seem to lack any kind of privileges to resolve it. Mailing the original maintainer looks to be the most straightforward way here.
I didn't know that the attempt to give bbockelm admin rights that I posted about hadn't worked. As far as I can tell, the second attempt has worked. Please confirm.
Yes, thank you! Brian was able to merge the PR and we are proceeding, tracked in bug #1457856. Andrej, please set this ticket to depend on that one, I can't do it.
Given there are some minor breaks in the CLI for building images (and there's a pretty significant version jump), I've filed a ticket with FESCo (https://pagure.io/fesco/issue/1904; since it's security-related I marked it as private) for permission to rebase to 2.5.1 across the different versions. I have builds across all active branches for 2.5.1. I will push to Bodhi for EL6 / EPEL7 / FC28 / FC29 to allow some folks to test the update (and disable auto-push until FESCo responds).
FESCo approved the rebase. We have sufficient karma on EPEL7 so I will push that forward. I will badger a few other folks on mailing lists to get at least some positive karma on the remaining platforms.