Description of problem: apptainer uses github.com/apptainer/container-library-client as a bundled Go dependency. This dependency is a fork of github.com/sylabs/scs-library-client and is vulnerable to CVE-2022-23538 that has been disclosed by the authors of github.com/sylabs/scs-library-client and fixed upstream there. Ref: https://github.com/sylabs/scs-library-client/security/advisories/GHSA-7p8m-22h4-9pj7 A bz issue (2161860) has been raised for singularity-ce regarding the CVE in github.com/sylabs/scs-library-client. However one is not raised for apptainer, likely because the dependency is forked. In addition, apptainer does not declare its bundled Go dependencies with provides. Version-Release number of selected component (if applicable): 1.1.4-2 (current epel stable) 1.1.5-1 (in epel testing). How reproducible: Always Steps to Reproduce: 1. Examine CVE information at https://github.com/sylabs/scs-library-client/security/advisories/GHSA-7p8m-22h4-9pj7 2. Confirm existence of issue in apptainer dependency github.com/apptainer/container-library-client which is a fork of the project reporting the CVE.
Thanks, DT. It will be in the next release.
FEDORA-EPEL-2023-1eae057392 has been submitted as an update to Fedora EPEL 7. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2023-1eae057392
FEDORA-2023-677d58bb20 has been submitted as an update to Fedora 36. https://bodhi.fedoraproject.org/updates/FEDORA-2023-677d58bb20
FEDORA-EPEL-2023-5f32ecbc71 has been submitted as an update to Fedora EPEL 9. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2023-5f32ecbc71
FEDORA-EPEL-2023-b020c7de04 has been submitted as an update to Fedora EPEL 8. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2023-b020c7de04
FEDORA-2023-01ff262091 has been submitted as an update to Fedora 37. https://bodhi.fedoraproject.org/updates/FEDORA-2023-01ff262091
FEDORA-2023-01ff262091 has been pushed to the Fedora 37 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2023-01ff262091` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2023-01ff262091 See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
FEDORA-EPEL-2023-5f32ecbc71 has been pushed to the Fedora EPEL 9 testing repository. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2023-5f32ecbc71 See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
FEDORA-EPEL-2023-1eae057392 has been pushed to the Fedora EPEL 7 testing repository. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2023-1eae057392 See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
FEDORA-EPEL-2023-b020c7de04 has been pushed to the Fedora EPEL 8 testing repository. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2023-b020c7de04 See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
FEDORA-2023-677d58bb20 has been pushed to the Fedora 36 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2023-677d58bb20` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2023-677d58bb20 See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
FEDORA-EPEL-2023-5f32ecbc71 has been pushed to the Fedora EPEL 9 stable repository. If problem still persists, please make note of it in this bug report.
FEDORA-EPEL-2023-b020c7de04 has been pushed to the Fedora EPEL 8 stable repository. If problem still persists, please make note of it in this bug report.
FEDORA-2023-01ff262091 has been pushed to the Fedora 37 stable repository. If problem still persists, please make note of it in this bug report.
FEDORA-EPEL-2023-1eae057392 has been pushed to the Fedora EPEL 7 stable repository. If problem still persists, please make note of it in this bug report.
FEDORA-2023-677d58bb20 has been pushed to the Fedora 36 stable repository. If problem still persists, please make note of it in this bug report.