cvelistv5 - cve-2022-39237

CVE-2022-39237 (GCVE-0-2022-39237)

Vulnerability from cvelistv5 – Published: 2022-10-06 00:00 – Updated: 2025-04-23 16:53

Summary

syslabs/sif is the Singularity Image Format (SIF) reference implementation. In versions prior to 2.8.1the `github.com/sylabs/sif/v2/pkg/integrity` package did not verify that the hash algorithm(s) used are cryptographically secure when verifying digital signatures. A patch is available in version >= v2.8.1 of the module. Users are encouraged to upgrade. Users unable to upgrade may independently validate that the hash algorithm(s) used for metadata digest(s) and signature hash are cryptographically secure.

Severity ?

6.3 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L

CWE

CWE-347 - Improper Verification of Cryptographic Signature

Assigner

GitHub_M

References

URL

	Vendor	Product	Version
	sylabs	sif	Affected: < 2.8.1

GSD-2022-39237

Vulnerability from gsd - Updated: 2023-12-13 01:19

Details

Aliases

CVE-2022-39237

Aliases

CVE-2022-39237

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2022-39237",
    "description": "syslabs/sif is the Singularity Image Format (SIF) reference implementation. In versions prior to 2.8.1the `github.com/sylabs/sif/v2/pkg/integrity` package did not verify that the hash algorithm(s) used are cryptographically secure when verifying digital signatures. A patch is available in version \u003e= v2.8.1 of the module. Users are encouraged to upgrade. Users unable to upgrade may independently validate that the hash algorithm(s) used for metadata digest(s) and signature hash are cryptographically secure.",
    "id": "GSD-2022-39237",
    "references": [
      "https://www.suse.com/security/cve/CVE-2022-39237.html"
    ]
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2022-39237"
      ],
      "details": "syslabs/sif is the Singularity Image Format (SIF) reference implementation. In versions prior to 2.8.1the `github.com/sylabs/sif/v2/pkg/integrity` package did not verify that the hash algorithm(s) used are cryptographically secure when verifying digital signatures. A patch is available in version \u003e= v2.8.1 of the module. Users are encouraged to upgrade. Users unable to upgrade may independently validate that the hash algorithm(s) used for metadata digest(s) and signature hash are cryptographically secure.",
      "id": "GSD-2022-39237",
      "modified": "2023-12-13T01:19:20.662373Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "security-advisories@github.com",
        "ID": "CVE-2022-39237",
        "STATE": "PUBLIC",
        "TITLE": "Digital Signature Hash Algorithms Not Validated in sylabs/sif"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "sif",
                    "version": {
                      "version_data": [
                        {
                          "version_value": "\u003c 2.8.1"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "sylabs"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "syslabs/sif is the Singularity Image Format (SIF) reference implementation. In versions prior to 2.8.1the `github.com/sylabs/sif/v2/pkg/integrity` package did not verify that the hash algorithm(s) used are cryptographically secure when verifying digital signatures. A patch is available in version \u003e= v2.8.1 of the module. Users are encouraged to upgrade. Users unable to upgrade may independently validate that the hash algorithm(s) used for metadata digest(s) and signature hash are cryptographically secure."
          }
        ]
      },
      "impact": {
        "cvss": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "LOW",
          "baseScore": 6.3,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L",
          "version": "3.1"
        }
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "CWE-347: Improper Verification of Cryptographic Signature"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://github.com/sylabs/sif/security/advisories/GHSA-m5m3-46gj-wch8",
            "refsource": "CONFIRM",
            "url": "https://github.com/sylabs/sif/security/advisories/GHSA-m5m3-46gj-wch8"
          },
          {
            "name": "https://github.com/sylabs/sif/commit/07fb86029a12e3210f6131e065570124605daeaa",
            "refsource": "MISC",
            "url": "https://github.com/sylabs/sif/commit/07fb86029a12e3210f6131e065570124605daeaa"
          },
          {
            "name": "GLSA-202210-19",
            "refsource": "GENTOO",
            "url": "https://security.gentoo.org/glsa/202210-19"
          }
        ]
      },
      "source": {
        "advisory": "GHSA-m5m3-46gj-wch8",
        "discovery": "UNKNOWN"
      }
    },
    "gitlab.com": {
      "advisories": [
        {
          "affected_range": "\u003cv2.8.1",
          "affected_versions": "All versions before 2.8.1",
          "cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "cwe_ids": [
            "CWE-1035",
            "CWE-327",
            "CWE-937"
          ],
          "date": "2023-07-14",
          "description": "syslabs/sif is the Singularity Image Format (SIF) reference implementation. In versions prior to 2.8.1the `github.com/sylabs/sif/v2/pkg/integrity` package does not verify that the hash algorithm(s) used are cryptographically secure when verifying digital signatures. A patch is available in version \u003e= v2.8.1 of the module. Users are encouraged to upgrade. Users unable to upgrade may independently validate that the hash algorithm(s) used for metadata digest(s) and signature hash are cryptographically secure.",
          "fixed_versions": [
            "v2.8.1"
          ],
          "identifier": "CVE-2022-39237",
          "identifiers": [
            "CVE-2022-39237",
            "GHSA-m5m3-46gj-wch8"
          ],
          "not_impacted": "",
          "package_slug": "go/github.com/sylabs/sif",
          "pubdate": "2022-10-06",
          "solution": "Upgrade to version 2.8.1 or above.",
          "title": "Use of a Broken or Risky Cryptographic Algorithm",
          "urls": [
            "https://nvd.nist.gov/vuln/detail/CVE-2022-39237",
            "https://github.com/sylabs/sif/security/advisories/GHSA-m5m3-46gj-wch8",
            "https://github.com/sylabs/sif/commit/07fb86029a12e3210f6131e065570124605daeaa"
          ],
          "uuid": "2a790b1c-e0e5-4f19-b1f5-7c4aee6c8691",
          "versions": [
            {
              "commit": {
                "sha": "7eb02f320d582fd0c80e1048eee5bbde30e92e5c",
                "tags": [
                  "v2.8.1"
                ],
                "timestamp": "20221006115214"
              },
              "number": "v2.8.1"
            }
          ]
        },
        {
          "affected_range": "\u003cv2.8.1",
          "affected_versions": "All versions before 2.8.1",
          "cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "cwe_ids": [
            "CWE-1035",
            "CWE-327",
            "CWE-937"
          ],
          "date": "2022-10-07",
          "description": "syslabs/sif is the Singularity Image Format (SIF) reference implementation. In versions prior to 2.8.1the `github.com/sylabs/sif/v2/pkg/integrity` package does not verify that the hash algorithm(s) used are cryptographically secure when verifying digital signatures. A patch is available in version \u003e= v2.8.1 of the module. Users are encouraged to upgrade. Users unable to upgrade may independently validate that the hash algorithm(s) used for metadata digest(s) and signature hash are cryptographically secure.",
          "fixed_versions": [
            "v2.8.1"
          ],
          "identifier": "CVE-2022-39237",
          "identifiers": [
            "GHSA-m5m3-46gj-wch8",
            "CVE-2022-39237"
          ],
          "not_impacted": "All versions starting from 2.8.1",
          "package_slug": "go/github.com/sylabs/sif/v2",
          "pubdate": "2022-10-06",
          "solution": "Upgrade to version 2.8.1 or above.",
          "title": "Use of a Broken or Risky Cryptographic Algorithm",
          "urls": [
            "https://github.com/sylabs/sif/security/advisories/GHSA-m5m3-46gj-wch8",
            "https://nvd.nist.gov/vuln/detail/CVE-2022-39237",
            "https://github.com/sylabs/sif/commit/07fb86029a12e3210f6131e065570124605daeaa",
            "https://github.com/sylabs/sif/releases/tag/v2.8.1",
            "https://nvd.nist.gov/vuln/detail/cve-2004-2761",
            "https://nvd.nist.gov/vuln/detail/cve-2005-4900",
            "https://github.com/advisories/GHSA-m5m3-46gj-wch8"
          ],
          "uuid": "0b7f5d89-242e-4dc9-9cfc-92da8d2310bd",
          "versions": [
            {
              "commit": {
                "sha": "7eb02f320d582fd0c80e1048eee5bbde30e92e5c",
                "tags": [
                  "v2.8.1"
                ],
                "timestamp": "20221006115214"
              },
              "number": "v2.8.1"
            }
          ]
        }
      ]
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:sylabs:singularity_image_format:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "2.8.1",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "security-advisories@github.com",
          "ID": "CVE-2022-39237"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "syslabs/sif is the Singularity Image Format (SIF) reference implementation. In versions prior to 2.8.1the `github.com/sylabs/sif/v2/pkg/integrity` package did not verify that the hash algorithm(s) used are cryptographically secure when verifying digital signatures. A patch is available in version \u003e= v2.8.1 of the module. Users are encouraged to upgrade. Users unable to upgrade may independently validate that the hash algorithm(s) used for metadata digest(s) and signature hash are cryptographically secure."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-327"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/sylabs/sif/security/advisories/GHSA-m5m3-46gj-wch8",
              "refsource": "CONFIRM",
              "tags": [
                "Third Party Advisory"
              ],
              "url": "https://github.com/sylabs/sif/security/advisories/GHSA-m5m3-46gj-wch8"
            },
            {
              "name": "https://github.com/sylabs/sif/commit/07fb86029a12e3210f6131e065570124605daeaa",
              "refsource": "MISC",
              "tags": [
                "Patch",
                "Third Party Advisory"
              ],
              "url": "https://github.com/sylabs/sif/commit/07fb86029a12e3210f6131e065570124605daeaa"
            },
            {
              "name": "GLSA-202210-19",
              "refsource": "GENTOO",
              "tags": [
                "Third Party Advisory"
              ],
              "url": "https://security.gentoo.org/glsa/202210-19"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 5.9
        }
      },
      "lastModifiedDate": "2023-07-14T17:24Z",
      "publishedDate": "2022-10-06T18:16Z"
    }
  }
}

GHSA-M5M3-46GJ-WCH8

Vulnerability from github – Published: 2022-10-06 19:54 – Updated: 2023-01-10 16:09

Summary

SIF's Digital Signature Hash Algorithms Not Validated

Details

Impact

The github.com/sylabs/sif/v2/pkg/integrity package does not verify that the hash algorithm(s) used are cryptographically secure when verifying digital signatures.

Patches

A patch is available in version >= v2.8.1 of the module. Users are encouraged to upgrade.

The patch is commit https://github.com/sylabs/sif/commit/07fb86029a12e3210f6131e065570124605daeaa

Workarounds

Users may independently validate that the hash algorithm(s) used for metadata digest(s) and signature hash are cryptographically secure.

References

For more information

If you have any questions or comments about this advisory:

Open an issue in github.com/sylabs/sif
Email us at security@sylabs.io

Severity ?

6.3 (Medium)


                  
                    CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/sylabs/sif/v2"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.8.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-39237"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-327",
      "CWE-347"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-10-06T19:54:55Z",
    "nvd_published_at": "2022-10-06T18:16:00Z",
    "severity": "MODERATE"
  },
  "details": "### Impact\n\nThe `github.com/sylabs/sif/v2/pkg/integrity` package does not verify that the hash algorithm(s) used are cryptographically secure when verifying digital signatures.\n\n### Patches\n\nA patch is available in version \u003e= v2.8.1 of the module. Users are encouraged to upgrade.\n\nThe patch is commit https://github.com/sylabs/sif/commit/07fb86029a12e3210f6131e065570124605daeaa\n\n### Workarounds\n\nUsers may independently validate that the hash algorithm(s) used for metadata digest(s) and signature hash are cryptographically secure.\n\n### References\n\n* [CVE-2004-2761](https://nvd.nist.gov/vuln/detail/cve-2004-2761)\n* [CVE-2005-4900](https://nvd.nist.gov/vuln/detail/cve-2005-4900)\n\n### For more information\n\nIf you have any questions or comments about this advisory:\n\n* Open an issue in [github.com/sylabs/sif](https://github.com/sylabs/sif/issues/new)\n* Email us at [security@sylabs.io](mailto:security@sylabs.io)",
  "id": "GHSA-m5m3-46gj-wch8",
  "modified": "2023-01-10T16:09:12Z",
  "published": "2022-10-06T19:54:55Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/sylabs/sif/security/advisories/GHSA-m5m3-46gj-wch8"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-39237"
    },
    {
      "type": "WEB",
      "url": "https://github.com/sylabs/sif/commit/07fb86029a12e3210f6131e065570124605daeaa"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/sylabs/sif"
    },
    {
      "type": "WEB",
      "url": "https://github.com/sylabs/sif/releases/tag/v2.8.1"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/cve-2004-2761"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/cve-2005-4900"
    },
    {
      "type": "WEB",
      "url": "https://pkg.go.dev/vuln/GO-2022-1045"
    },
    {
      "type": "WEB",
      "url": "https://security.gentoo.org/glsa/202210-19"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "SIF\u0027s Digital Signature Hash Algorithms Not Validated"
}

OPENSUSE-SU-2024:14059-1

Vulnerability from csaf_opensuse - Published: 2024-06-20 00:00 - Updated: 2024-06-20 00:00

Summary

singularity-ce-4.1.3-1.1 on GA media

Notes

Title of the patch

singularity-ce-4.1.3-1.1 on GA media

Description of the patch

These are all security issues fixed in the singularity-ce-4.1.3-1.1 package on the GA media of openSUSE Tumbleweed.

Patchnames

openSUSE-Tumbleweed-2024-14059

CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://www.suse.com/support/security/rating/",
      "text": "moderate"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright 2024 SUSE LLC. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "singularity-ce-4.1.3-1.1 on GA media",
        "title": "Title of the patch"
      },
      {
        "category": "description",
        "text": "These are all security issues fixed in the singularity-ce-4.1.3-1.1 package on the GA media of openSUSE Tumbleweed.",
        "title": "Description of the patch"
      },
      {
        "category": "details",
        "text": "openSUSE-Tumbleweed-2024-14059",
        "title": "Patchnames"
      },
      {
        "category": "legal_disclaimer",
        "text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
        "title": "Terms of use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://www.suse.com/support/security/contact/",
      "name": "SUSE Product Security Team",
      "namespace": "https://www.suse.com/"
    },
    "references": [
      {
        "category": "external",
        "summary": "SUSE ratings",
        "url": "https://www.suse.com/support/security/rating/"
      },
      {
        "category": "self",
        "summary": "URL of this CSAF notice",
        "url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2024_14059-1.json"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2022-23538 page",
        "url": "https://www.suse.com/security/cve/CVE-2022-23538/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2022-39237 page",
        "url": "https://www.suse.com/security/cve/CVE-2022-39237/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2024-21626 page",
        "url": "https://www.suse.com/security/cve/CVE-2024-21626/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2024-23650 page",
        "url": "https://www.suse.com/security/cve/CVE-2024-23650/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2024-23651 page",
        "url": "https://www.suse.com/security/cve/CVE-2024-23651/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2024-23652 page",
        "url": "https://www.suse.com/security/cve/CVE-2024-23652/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2024-23653 page",
        "url": "https://www.suse.com/security/cve/CVE-2024-23653/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2024-3727 page",
        "url": "https://www.suse.com/security/cve/CVE-2024-3727/"
      }
    ],
    "title": "singularity-ce-4.1.3-1.1 on GA media",
    "tracking": {
      "current_release_date": "2024-06-20T00:00:00Z",
      "generator": {
        "date": "2024-06-20T00:00:00Z",
        "engine": {
          "name": "cve-database.git:bin/generate-csaf.pl",
          "version": "1"
        }
      },
      "id": "openSUSE-SU-2024:14059-1",
      "initial_release_date": "2024-06-20T00:00:00Z",
      "revision_history": [
        {
          "date": "2024-06-20T00:00:00Z",
          "number": "1",
          "summary": "Current version"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "singularity-ce-4.1.3-1.1.aarch64",
                "product": {
                  "name": "singularity-ce-4.1.3-1.1.aarch64",
                  "product_id": "singularity-ce-4.1.3-1.1.aarch64"
                }
              }
            ],
            "category": "architecture",
            "name": "aarch64"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "singularity-ce-4.1.3-1.1.ppc64le",
                "product": {
                  "name": "singularity-ce-4.1.3-1.1.ppc64le",
                  "product_id": "singularity-ce-4.1.3-1.1.ppc64le"
                }
              }
            ],
            "category": "architecture",
            "name": "ppc64le"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "singularity-ce-4.1.3-1.1.s390x",
                "product": {
                  "name": "singularity-ce-4.1.3-1.1.s390x",
                  "product_id": "singularity-ce-4.1.3-1.1.s390x"
                }
              }
            ],
            "category": "architecture",
            "name": "s390x"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "singularity-ce-4.1.3-1.1.x86_64",
                "product": {
                  "name": "singularity-ce-4.1.3-1.1.x86_64",
                  "product_id": "singularity-ce-4.1.3-1.1.x86_64"
                }
              }
            ],
            "category": "architecture",
            "name": "x86_64"
          },
          {
            "branches": [
              {
                "category": "product_name",
                "name": "openSUSE Tumbleweed",
                "product": {
                  "name": "openSUSE Tumbleweed",
                  "product_id": "openSUSE Tumbleweed",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:opensuse:tumbleweed"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "SUSE Linux Enterprise"
          }
        ],
        "category": "vendor",
        "name": "SUSE"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "singularity-ce-4.1.3-1.1.aarch64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:singularity-ce-4.1.3-1.1.aarch64"
        },
        "product_reference": "singularity-ce-4.1.3-1.1.aarch64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "singularity-ce-4.1.3-1.1.ppc64le as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:singularity-ce-4.1.3-1.1.ppc64le"
        },
        "product_reference": "singularity-ce-4.1.3-1.1.ppc64le",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "singularity-ce-4.1.3-1.1.s390x as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:singularity-ce-4.1.3-1.1.s390x"
        },
        "product_reference": "singularity-ce-4.1.3-1.1.s390x",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "singularity-ce-4.1.3-1.1.x86_64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:singularity-ce-4.1.3-1.1.x86_64"
        },
        "product_reference": "singularity-ce-4.1.3-1.1.x86_64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2022-23538",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2022-23538"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "github.com/sylabs/scs-library-client is the Go client for the Singularity Container Services (SCS) Container Library Service. When the scs-library-client is used to pull a container image, with authentication, the HTTP Authorization header sent by the client to the library service may be incorrectly leaked to an S3 backing storage provider. This occurs in a specific flow, where the library service redirects the client to a backing S3 storage server, to perform a multi-part concurrent download. Depending on site configuration, the S3 service may be provided by a third party. An attacker with access to the S3 service may be able to extract user credentials, allowing them to impersonate the user. The vulnerable multi-part concurrent download flow, with redirect to S3, is only used when communicating with a Singularity Enterprise 1.x installation, or third party server implementing this flow. Interaction with Singularity Enterprise 2.x, and Singularity Container Services (cloud.sylabs.io), does not trigger the vulnerable flow. We encourage all users to update. Users who interact with a Singularity Enterprise 1.x installation, using a 3rd party S3 storage service, are advised to revoke and recreate their authentication tokens within Singularity Enterprise. There is no workaround available at this time.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:singularity-ce-4.1.3-1.1.aarch64",
          "openSUSE Tumbleweed:singularity-ce-4.1.3-1.1.ppc64le",
          "openSUSE Tumbleweed:singularity-ce-4.1.3-1.1.s390x",
          "openSUSE Tumbleweed:singularity-ce-4.1.3-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2022-23538",
          "url": "https://www.suse.com/security/cve/CVE-2022-23538"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:singularity-ce-4.1.3-1.1.aarch64",
            "openSUSE Tumbleweed:singularity-ce-4.1.3-1.1.ppc64le",
            "openSUSE Tumbleweed:singularity-ce-4.1.3-1.1.s390x",
            "openSUSE Tumbleweed:singularity-ce-4.1.3-1.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.6,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N",
            "version": "3.1"
          },
          "products": [
            "openSUSE Tumbleweed:singularity-ce-4.1.3-1.1.aarch64",
            "openSUSE Tumbleweed:singularity-ce-4.1.3-1.1.ppc64le",
            "openSUSE Tumbleweed:singularity-ce-4.1.3-1.1.s390x",
            "openSUSE Tumbleweed:singularity-ce-4.1.3-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2024-06-20T00:00:00Z",
          "details": "important"
        }
      ],
      "title": "CVE-2022-23538"
    },
    {
      "cve": "CVE-2022-39237",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2022-39237"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "syslabs/sif is the Singularity Image Format (SIF) reference implementation. In versions prior to 2.8.1the `github.com/sylabs/sif/v2/pkg/integrity` package did not verify that the hash algorithm(s) used are cryptographically secure when verifying digital signatures. A patch is available in version \u003e= v2.8.1 of the module. Users are encouraged to upgrade. Users unable to upgrade may independently validate that the hash algorithm(s) used for metadata digest(s) and signature hash are cryptographically secure.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:singularity-ce-4.1.3-1.1.aarch64",
          "openSUSE Tumbleweed:singularity-ce-4.1.3-1.1.ppc64le",
          "openSUSE Tumbleweed:singularity-ce-4.1.3-1.1.s390x",
          "openSUSE Tumbleweed:singularity-ce-4.1.3-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2022-39237",
          "url": "https://www.suse.com/security/cve/CVE-2022-39237"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1209493 for CVE-2022-39237",
          "url": "https://bugzilla.suse.com/1209493"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:singularity-ce-4.1.3-1.1.aarch64",
            "openSUSE Tumbleweed:singularity-ce-4.1.3-1.1.ppc64le",
            "openSUSE Tumbleweed:singularity-ce-4.1.3-1.1.s390x",
            "openSUSE Tumbleweed:singularity-ce-4.1.3-1.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 6.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L",
            "version": "3.1"
          },
          "products": [
            "openSUSE Tumbleweed:singularity-ce-4.1.3-1.1.aarch64",
            "openSUSE Tumbleweed:singularity-ce-4.1.3-1.1.ppc64le",
            "openSUSE Tumbleweed:singularity-ce-4.1.3-1.1.s390x",
            "openSUSE Tumbleweed:singularity-ce-4.1.3-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2024-06-20T00:00:00Z",
          "details": "important"
        }
      ],
      "title": "CVE-2022-39237"
    },
    {
      "cve": "CVE-2024-21626",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2024-21626"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "runc is a CLI tool for spawning and running containers on Linux according to the OCI specification. In runc 1.1.11 and earlier, due to an internal file descriptor leak, an attacker could cause a newly-spawned container process (from runc exec) to have a working directory in the host filesystem namespace, allowing for a container escape by giving access to the host filesystem (\"attack 2\"). The same attack could be used by a malicious image to allow a container process to gain access to the host filesystem through runc run (\"attack 1\"). Variants of attacks 1 and 2 could be also be used to overwrite semi-arbitrary host binaries, allowing for complete container escapes (\"attack 3a\" and \"attack 3b\"). runc 1.1.12 includes patches for this issue. ",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:singularity-ce-4.1.3-1.1.aarch64",
          "openSUSE Tumbleweed:singularity-ce-4.1.3-1.1.ppc64le",
          "openSUSE Tumbleweed:singularity-ce-4.1.3-1.1.s390x",
          "openSUSE Tumbleweed:singularity-ce-4.1.3-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2024-21626",
          "url": "https://www.suse.com/security/cve/CVE-2024-21626"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1218894 for CVE-2024-21626",
          "url": "https://bugzilla.suse.com/1218894"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:singularity-ce-4.1.3-1.1.aarch64",
            "openSUSE Tumbleweed:singularity-ce-4.1.3-1.1.ppc64le",
            "openSUSE Tumbleweed:singularity-ce-4.1.3-1.1.s390x",
            "openSUSE Tumbleweed:singularity-ce-4.1.3-1.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 8.6,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "openSUSE Tumbleweed:singularity-ce-4.1.3-1.1.aarch64",
            "openSUSE Tumbleweed:singularity-ce-4.1.3-1.1.ppc64le",
            "openSUSE Tumbleweed:singularity-ce-4.1.3-1.1.s390x",
            "openSUSE Tumbleweed:singularity-ce-4.1.3-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2024-06-20T00:00:00Z",
          "details": "important"
        }
      ],
      "title": "CVE-2024-21626"
    },
    {
      "cve": "CVE-2024-23650",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2024-23650"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "BuildKit is a toolkit for converting source code to build artifacts in an efficient, expressive and repeatable manner. A malicious BuildKit client or frontend could craft a request that could lead to BuildKit daemon crashing with a panic. The issue has been fixed in v0.12.5. As a workaround, avoid using BuildKit frontends from untrusted sources.\n",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:singularity-ce-4.1.3-1.1.aarch64",
          "openSUSE Tumbleweed:singularity-ce-4.1.3-1.1.ppc64le",
          "openSUSE Tumbleweed:singularity-ce-4.1.3-1.1.s390x",
          "openSUSE Tumbleweed:singularity-ce-4.1.3-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2024-23650",
          "url": "https://www.suse.com/security/cve/CVE-2024-23650"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1219437 for CVE-2024-23650",
          "url": "https://bugzilla.suse.com/1219437"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:singularity-ce-4.1.3-1.1.aarch64",
            "openSUSE Tumbleweed:singularity-ce-4.1.3-1.1.ppc64le",
            "openSUSE Tumbleweed:singularity-ce-4.1.3-1.1.s390x",
            "openSUSE Tumbleweed:singularity-ce-4.1.3-1.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 6.2,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "openSUSE Tumbleweed:singularity-ce-4.1.3-1.1.aarch64",
            "openSUSE Tumbleweed:singularity-ce-4.1.3-1.1.ppc64le",
            "openSUSE Tumbleweed:singularity-ce-4.1.3-1.1.s390x",
            "openSUSE Tumbleweed:singularity-ce-4.1.3-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2024-06-20T00:00:00Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2024-23650"
    },
    {
      "cve": "CVE-2024-23651",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2024-23651"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "BuildKit is a toolkit for converting source code to build artifacts in an efficient, expressive and repeatable manner. Two malicious build steps running in parallel sharing the same cache mounts with subpaths could cause a race condition that can lead to files from the host system being accessible to the build container. The issue has been fixed in v0.12.5. Workarounds include, avoiding using BuildKit frontend from an untrusted source or building an untrusted Dockerfile containing cache mounts with --mount=type=cache,source=... options.\n",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:singularity-ce-4.1.3-1.1.aarch64",
          "openSUSE Tumbleweed:singularity-ce-4.1.3-1.1.ppc64le",
          "openSUSE Tumbleweed:singularity-ce-4.1.3-1.1.s390x",
          "openSUSE Tumbleweed:singularity-ce-4.1.3-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2024-23651",
          "url": "https://www.suse.com/security/cve/CVE-2024-23651"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1219267 for CVE-2024-23651",
          "url": "https://bugzilla.suse.com/1219267"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:singularity-ce-4.1.3-1.1.aarch64",
            "openSUSE Tumbleweed:singularity-ce-4.1.3-1.1.ppc64le",
            "openSUSE Tumbleweed:singularity-ce-4.1.3-1.1.s390x",
            "openSUSE Tumbleweed:singularity-ce-4.1.3-1.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.4,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "openSUSE Tumbleweed:singularity-ce-4.1.3-1.1.aarch64",
            "openSUSE Tumbleweed:singularity-ce-4.1.3-1.1.ppc64le",
            "openSUSE Tumbleweed:singularity-ce-4.1.3-1.1.s390x",
            "openSUSE Tumbleweed:singularity-ce-4.1.3-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2024-06-20T00:00:00Z",
          "details": "important"
        }
      ],
      "title": "CVE-2024-23651"
    },
    {
      "cve": "CVE-2024-23652",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2024-23652"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "BuildKit is a toolkit for converting source code to build artifacts in an efficient, expressive and repeatable manner. A malicious BuildKit frontend or Dockerfile using RUN --mount could trick the feature that removes empty files created for the mountpoints into removing a file outside the container, from the host system. The issue has been fixed in v0.12.5. Workarounds include avoiding using BuildKit frontends from an untrusted source or building an untrusted Dockerfile containing RUN --mount feature.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:singularity-ce-4.1.3-1.1.aarch64",
          "openSUSE Tumbleweed:singularity-ce-4.1.3-1.1.ppc64le",
          "openSUSE Tumbleweed:singularity-ce-4.1.3-1.1.s390x",
          "openSUSE Tumbleweed:singularity-ce-4.1.3-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2024-23652",
          "url": "https://www.suse.com/security/cve/CVE-2024-23652"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1219268 for CVE-2024-23652",
          "url": "https://bugzilla.suse.com/1219268"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:singularity-ce-4.1.3-1.1.aarch64",
            "openSUSE Tumbleweed:singularity-ce-4.1.3-1.1.ppc64le",
            "openSUSE Tumbleweed:singularity-ce-4.1.3-1.1.s390x",
            "openSUSE Tumbleweed:singularity-ce-4.1.3-1.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 6.7,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "openSUSE Tumbleweed:singularity-ce-4.1.3-1.1.aarch64",
            "openSUSE Tumbleweed:singularity-ce-4.1.3-1.1.ppc64le",
            "openSUSE Tumbleweed:singularity-ce-4.1.3-1.1.s390x",
            "openSUSE Tumbleweed:singularity-ce-4.1.3-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2024-06-20T00:00:00Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2024-23652"
    },
    {
      "cve": "CVE-2024-23653",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2024-23653"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "BuildKit is a toolkit for converting source code to build artifacts in an efficient, expressive and repeatable manner. In addition to running containers as build steps, BuildKit also provides APIs for running interactive containers based on built images. It was possible to use these APIs to ask BuildKit to run a container with elevated privileges. Normally, running such containers is only allowed if special `security.insecure` entitlement is enabled both by buildkitd configuration and allowed by the user initializing the build request. The issue has been fixed in v0.12.5 . Avoid using BuildKit frontends from untrusted sources. \n",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:singularity-ce-4.1.3-1.1.aarch64",
          "openSUSE Tumbleweed:singularity-ce-4.1.3-1.1.ppc64le",
          "openSUSE Tumbleweed:singularity-ce-4.1.3-1.1.s390x",
          "openSUSE Tumbleweed:singularity-ce-4.1.3-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2024-23653",
          "url": "https://www.suse.com/security/cve/CVE-2024-23653"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1219438 for CVE-2024-23653",
          "url": "https://bugzilla.suse.com/1219438"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:singularity-ce-4.1.3-1.1.aarch64",
            "openSUSE Tumbleweed:singularity-ce-4.1.3-1.1.ppc64le",
            "openSUSE Tumbleweed:singularity-ce-4.1.3-1.1.s390x",
            "openSUSE Tumbleweed:singularity-ce-4.1.3-1.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "openSUSE Tumbleweed:singularity-ce-4.1.3-1.1.aarch64",
            "openSUSE Tumbleweed:singularity-ce-4.1.3-1.1.ppc64le",
            "openSUSE Tumbleweed:singularity-ce-4.1.3-1.1.s390x",
            "openSUSE Tumbleweed:singularity-ce-4.1.3-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2024-06-20T00:00:00Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2024-23653"
    },
    {
      "cve": "CVE-2024-3727",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2024-3727"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "A flaw was found in the github.com/containers/image library. This flaw allows attackers to trigger unexpected authenticated registry accesses on behalf of a victim user, causing resource exhaustion, local path traversal, and other attacks.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:singularity-ce-4.1.3-1.1.aarch64",
          "openSUSE Tumbleweed:singularity-ce-4.1.3-1.1.ppc64le",
          "openSUSE Tumbleweed:singularity-ce-4.1.3-1.1.s390x",
          "openSUSE Tumbleweed:singularity-ce-4.1.3-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2024-3727",
          "url": "https://www.suse.com/security/cve/CVE-2024-3727"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1224112 for CVE-2024-3727",
          "url": "https://bugzilla.suse.com/1224112"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:singularity-ce-4.1.3-1.1.aarch64",
            "openSUSE Tumbleweed:singularity-ce-4.1.3-1.1.ppc64le",
            "openSUSE Tumbleweed:singularity-ce-4.1.3-1.1.s390x",
            "openSUSE Tumbleweed:singularity-ce-4.1.3-1.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 8.3,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "openSUSE Tumbleweed:singularity-ce-4.1.3-1.1.aarch64",
            "openSUSE Tumbleweed:singularity-ce-4.1.3-1.1.ppc64le",
            "openSUSE Tumbleweed:singularity-ce-4.1.3-1.1.s390x",
            "openSUSE Tumbleweed:singularity-ce-4.1.3-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2024-06-20T00:00:00Z",
          "details": "important"
        }
      ],
      "title": "CVE-2024-3727"
    }
  ]
}

OPENSUSE-SU-2024:12389-1

Vulnerability from csaf_opensuse - Published: 2024-06-15 00:00 - Updated: 2024-06-15 00:00

Summary

apptainer-1.1.2-1.1 on GA media

Notes

Title of the patch

apptainer-1.1.2-1.1 on GA media

Description of the patch

These are all security issues fixed in the apptainer-1.1.2-1.1 package on the GA media of openSUSE Tumbleweed.

Patchnames

openSUSE-Tumbleweed-2024-12389

CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://www.suse.com/support/security/rating/",
      "text": "moderate"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright 2024 SUSE LLC. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "apptainer-1.1.2-1.1 on GA media",
        "title": "Title of the patch"
      },
      {
        "category": "description",
        "text": "These are all security issues fixed in the apptainer-1.1.2-1.1 package on the GA media of openSUSE Tumbleweed.",
        "title": "Description of the patch"
      },
      {
        "category": "details",
        "text": "openSUSE-Tumbleweed-2024-12389",
        "title": "Patchnames"
      },
      {
        "category": "legal_disclaimer",
        "text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
        "title": "Terms of use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://www.suse.com/support/security/contact/",
      "name": "SUSE Product Security Team",
      "namespace": "https://www.suse.com/"
    },
    "references": [
      {
        "category": "external",
        "summary": "SUSE ratings",
        "url": "https://www.suse.com/support/security/rating/"
      },
      {
        "category": "self",
        "summary": "URL of this CSAF notice",
        "url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2024_12389-1.json"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2022-39237 page",
        "url": "https://www.suse.com/security/cve/CVE-2022-39237/"
      }
    ],
    "title": "apptainer-1.1.2-1.1 on GA media",
    "tracking": {
      "current_release_date": "2024-06-15T00:00:00Z",
      "generator": {
        "date": "2024-06-15T00:00:00Z",
        "engine": {
          "name": "cve-database.git:bin/generate-csaf.pl",
          "version": "1"
        }
      },
      "id": "openSUSE-SU-2024:12389-1",
      "initial_release_date": "2024-06-15T00:00:00Z",
      "revision_history": [
        {
          "date": "2024-06-15T00:00:00Z",
          "number": "1",
          "summary": "Current version"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "apptainer-1.1.2-1.1.aarch64",
                "product": {
                  "name": "apptainer-1.1.2-1.1.aarch64",
                  "product_id": "apptainer-1.1.2-1.1.aarch64"
                }
              }
            ],
            "category": "architecture",
            "name": "aarch64"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "apptainer-1.1.2-1.1.ppc64le",
                "product": {
                  "name": "apptainer-1.1.2-1.1.ppc64le",
                  "product_id": "apptainer-1.1.2-1.1.ppc64le"
                }
              }
            ],
            "category": "architecture",
            "name": "ppc64le"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "apptainer-1.1.2-1.1.s390x",
                "product": {
                  "name": "apptainer-1.1.2-1.1.s390x",
                  "product_id": "apptainer-1.1.2-1.1.s390x"
                }
              }
            ],
            "category": "architecture",
            "name": "s390x"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "apptainer-1.1.2-1.1.x86_64",
                "product": {
                  "name": "apptainer-1.1.2-1.1.x86_64",
                  "product_id": "apptainer-1.1.2-1.1.x86_64"
                }
              }
            ],
            "category": "architecture",
            "name": "x86_64"
          },
          {
            "branches": [
              {
                "category": "product_name",
                "name": "openSUSE Tumbleweed",
                "product": {
                  "name": "openSUSE Tumbleweed",
                  "product_id": "openSUSE Tumbleweed",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:opensuse:tumbleweed"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "SUSE Linux Enterprise"
          }
        ],
        "category": "vendor",
        "name": "SUSE"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "apptainer-1.1.2-1.1.aarch64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:apptainer-1.1.2-1.1.aarch64"
        },
        "product_reference": "apptainer-1.1.2-1.1.aarch64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "apptainer-1.1.2-1.1.ppc64le as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:apptainer-1.1.2-1.1.ppc64le"
        },
        "product_reference": "apptainer-1.1.2-1.1.ppc64le",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "apptainer-1.1.2-1.1.s390x as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:apptainer-1.1.2-1.1.s390x"
        },
        "product_reference": "apptainer-1.1.2-1.1.s390x",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "apptainer-1.1.2-1.1.x86_64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:apptainer-1.1.2-1.1.x86_64"
        },
        "product_reference": "apptainer-1.1.2-1.1.x86_64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2022-39237",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2022-39237"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "syslabs/sif is the Singularity Image Format (SIF) reference implementation. In versions prior to 2.8.1the `github.com/sylabs/sif/v2/pkg/integrity` package did not verify that the hash algorithm(s) used are cryptographically secure when verifying digital signatures. A patch is available in version \u003e= v2.8.1 of the module. Users are encouraged to upgrade. Users unable to upgrade may independently validate that the hash algorithm(s) used for metadata digest(s) and signature hash are cryptographically secure.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:apptainer-1.1.2-1.1.aarch64",
          "openSUSE Tumbleweed:apptainer-1.1.2-1.1.ppc64le",
          "openSUSE Tumbleweed:apptainer-1.1.2-1.1.s390x",
          "openSUSE Tumbleweed:apptainer-1.1.2-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2022-39237",
          "url": "https://www.suse.com/security/cve/CVE-2022-39237"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1209493 for CVE-2022-39237",
          "url": "https://bugzilla.suse.com/1209493"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:apptainer-1.1.2-1.1.aarch64",
            "openSUSE Tumbleweed:apptainer-1.1.2-1.1.ppc64le",
            "openSUSE Tumbleweed:apptainer-1.1.2-1.1.s390x",
            "openSUSE Tumbleweed:apptainer-1.1.2-1.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 6.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L",
            "version": "3.1"
          },
          "products": [
            "openSUSE Tumbleweed:apptainer-1.1.2-1.1.aarch64",
            "openSUSE Tumbleweed:apptainer-1.1.2-1.1.ppc64le",
            "openSUSE Tumbleweed:apptainer-1.1.2-1.1.s390x",
            "openSUSE Tumbleweed:apptainer-1.1.2-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2024-06-15T00:00:00Z",
          "details": "important"
        }
      ],
      "title": "CVE-2022-39237"
    }
  ]
}

OPENSUSE-SU-2023:0018-1

Vulnerability from csaf_opensuse - Published: 2023-01-15 17:01 - Updated: 2023-01-15 17:01

Summary

Security update for apptainer

Notes

Title of the patch

Security update for apptainer

Description of the patch

This update for apptainer fixes the following issues: Updated to 1.1.2 which fixed CVE-2022-39237 * CVE-2022-39237: The sif dependency included in Apptainer before this release does not verify that the hash algorithm(s) used are cryptographically secure when verifying digital signatures. This release updates to sif v2.8.1 which corrects this issue. See the linked advisory for references and a workaround. Updated to version 1.1.0 * added squashfuse-0.1.105.tar.gz and 70.patch for the build of squashfuse_ll which will be removed as soon as the multithread patch is incoperated * Change squash mounts to prefer to use squashfuse_ll instead of squashfuse, if available, for improved performance. squashfuse_ll is not available in factory. * Also, for even better parallel performance, include a patched multithreaded version of squashfuse_ll in * Imply adding ${prefix}/libexec/apptainer/bin to the binary path in apptainer.conf, which is used for searching for helper executables. It is implied as the first directory of $PATH if present (which is at the beginning of binary path by default) or just as the first directory if $PATH is not included in binary path. ${prefix}/libexec/apptainer/bin. * Add --unsquash action flag to temporarily convert a SIF file to a sandbox before running. In previous versions this was the default when running a SIF file without setuid or with fakeroot, but now the default is to instead mount with squashfuse. * Add --sparse flag to overlay create command to allow generation of a sparse ext3 overlay image. * Support for a custom hashbang in the %test section of an Apptainer recipe (akin to the runscript and start sections). * When using fakeroot in setuid mode, have the image drivers first enter the the container's user namespace to avoid write errors with overlays. * Skip trying to use kernel overlayfs when using writable overlay and the lower layer is FUSE, because of a kernel bug introduced in kernel 5.15. * Add additional hidden options to the action command for testing different fakeroot modes with --fakeroot: --ignore-subuid, --ignore-fakeroot-command, and --ignore-userns. - Updated to version 1.1.0-rc2 with following changes: * Fixed longstanding bug in the underlay logic when there are nested bind points separated by more than one path level, for example /var and /var/lib/yum, and the path didn't exist in the container image. The bug only caused an error when there was a directory in the container image that didn't exist on the host. * Improved wildcard matching in the %files directive of build definition files by replacing usage of sh with the mvdan.cc library. * Replaced checks for compatible filesystem types when using fuse-overlayfs with an INFO message when an incompatible filesystem type causes it to be unwritable by a fakeroot user. * The --nvccli option now works without --fakeroot. In that case the option can be used with --writable-tmpfs instead of --writable, and --writable-tmpfs is implied if neither option is given. Note that also /usr/bin has to be writable by the user, so without --fakeroot that probably requires a sandbox image that was built with --fix-perms. * The --nvccli option implies --nv. * Configure squashfuse to always show files to be owned by the current user. That's especially important for fakeroot to prevent most of the files from looking like they are owned by user 65534. * The fakeroot command can now be used even if $PATH is empty in the environment of the apptainer command. * Allow the newuidmap command to be missing if the current user is not listed in /etc/subuid. * Require the uidmap package in Debian packaging. * Improved error handling of unsupported pass protected PEM files with encrypted containers. * Ensure bootstrap_history directory is populated with previous definition files, present in source containers used in a build. * Add additional options to the build command for testing different fakeroot modes: --userns like the action flag and hidden options --ignore-subuid, --ignore-fakeroot-command, and --ignore-userns. * Require root user early when building an encrypted container. - removed upstream incorated patch fix-32bit-compilation.patch - Updated to version 1.1.0-rc1 which enables apptainer to run without suid and additional groups. Although this is a prerelease this is a major advantage justifying its use. * Added a squashfuse image driver that enables mounting SIF files without using setuid-root. Requires the squashfuse command and unprivileged user namespaces. * Added a fuse2fs image driver that enables mounting EXT3 files and EXT3 SIF overlay partitions without using setuid-root. Requires the fuse2fs command and unprivileged user namespaces. * Added the ability to use persistent overlay (--overlay) and --writable-tmpfs without using setuid-root. This requires unprivileged user namespaces and either a new enough kernel (>= 5.11) or the fuse-overlayfs command. Persistent overlay works when the overlay path points to a regular filesystem (known as 'sandbox' mode, which is not allowed when in setuid mode), or when it points to an EXT3 image. Does not work with a SIF partition because that requires privileges to mount as an ext3 image. * Extended the --fakeroot option to be useful when /etc/subuid and /etc/subgid mappings have not been set up. If they have not been set up, a root-mapped unprivileged user namespace (the equivalent of unshare -r) and/or the fakeroot command from the host will be tried. Together they emulate the mappings pretty well but they are simpler to administer. This feature is especially useful with the --overlay and --writable-tmpfs options and for building containers unprivileged, because they allow installing packages that assume they're running as root. A limitation on using it with --overlay and --writable-tmpfs however is that when only the fakeroot command can be used (because there are no user namespaces available, in suid mode) then the base image has to be a sandbox. This feature works nested inside of an apptainer container, where another apptainer command will also be in the fakeroot environment without requesting the --fakeroot option again, or it can be used inside an apptainer container that was not started with --fakeroot. However, the fakeroot command uses LD_PRELOAD and so needs to be bound into the container which requires a compatible libc. For that reason it doesn't work when the host and container operating systems are of very different vintages. If that's a problem and you want to use only an unprivileged root-mapped namespace even when the fakeroot command is installed, just run apptainer with unshare -r. * Made the --fakeroot option be implied when an unprivileged user builds a container from a definition file. When /etc/subuid and /etc/subgid mappings are not available, all scriptlets are run in a root-mapped unprivileged namespace (when possible) and the %post scriptlet is additionally run with the fakeroot command. When unprivileged user namespaces are not available, such that only the fakeroot command can be used, the --fix-perms option is implied to allow writing into directories. * Added a --fakeroot option to the apptainer overlay create command to make an overlay EXT3 image file that works with the fakeroot that comes from unprivileged root-mapped namespaces. This is not needed with the fakeroot that comes with /etc/sub[ug]id mappings nor with the fakeroot that comes with only the fakeroot command in suid flow. * $HOME is now used to find the user's configuration and cache by default. If that is not set it will fall back to the previous behavior of looking up the home directory in the password file. The value of $HOME inside the container still defaults to the home directory in the password file and can still be overridden by the --home option. * When starting a container, if the user has specified the cwd by using the --pwd flag, if there is a problem an error is returned instead of defaulting to a different directory. * Nesting of bind mounts now works even when a --bind option specified a different source and destination with a colon between them. Now the APPTAINER_BIND environment variable makes sure the bind source is from the bind destination so it will be succesfully re-bound into a nested apptainer container. * The warning about more than 50 bind mounts required for an underlay bind has been changed to an info message. * oci mount sets Process.Terminal: true when creating an OCI config.json, so that oci run provides expected interactive behavior by default. The default hostname for oci mount containers is now apptainer instead of mrsdalloway. * systemd is now supported and used as the default cgroups manager. Set systemd cgroups = no in apptainer.conf to manage cgroups directly via the cgroupfs. * Added a new action flag --no-eval which: + Prevents shell evaluation of APPTAINERENV_ / --env / --env-file environment variables as they are injected in the container, to match OCI behavior. Applies to all containers. + Prevents shell evaluation of the values of CMD / ENTRYPOINT and command line arguments for containers run or built directly from an OCI/Docker source. Applies to newly built containers only, use apptainer inspect to check version that container was built with. * Added --no-eval to the list of flags set by the OCI/Docker --compat mode. * sinit process has been renamed to appinit. * Added --keysdir to key command to provide an alternative way of setting local keyring path. The existing reading of the keyring path from environment variable 'APPTAINER_KEYSDIR' is untouched. * apptainer key push will output the key server's response if included in order to help guide users through any identity verification the server may require. * ECL no longer requires verification for all signatures, but only when signature verification would alter the expected behavior of the list: + At least one matching signature included in a whitelist must be validated, but other unvalidated signatures do not cause ECL to fail. + All matching signatures included in a whitestrict must be validated, but unvalidated signatures not in the whitestrict do not cause ECL to fail. + Signature verification is not checked for a blacklist; unvalidated signatures can still block execution via ECL, and unvalidated signatures not in the blacklist do not cause ECL to fail. - New features / functionalities * Non-root users can now use --apply-cgroups with run/shell/exec to limit container resource usage on a system using cgroups v2 and the systemd cgroups manager. * Native cgroups v2 resource limits can be specified using the [unified] key in a cgroups toml file applied via --apply-cgroups. * Added --cpu*, --blkio*, --memory*, --pids-limit flags to apply cgroups resource limits to a container directly. Added instance stats command. * The --no-mount flag & APPTAINER_NO_MOUNT env var can now be used to disable a bind path entry from apptainer.conf by specifying the absolute path to the destination of the bind. * Apptainer now supports the riscv64 architecture. * remote add --insecure may now be used to configure endpoints that are only accessible via http. Alternatively the environment variable APPTAINER_ADD_INSECURE can be set to true to allow http remotes to be added wihtout the --insecure flag. Specifying https in the remote URI overrules both --insecure and APPTAINER_ADD_INSECURE. * Gpu flags --nv and --rocm can now be used from an apptainer nested inside another apptainer container. * Added --public, --secret, and --both flags to the key remove command to support removing secret keys from the apptainer keyring. * Debug output can now be enabled by setting the APPTAINER_DEBUG env var. * Debug output is now shown for nested apptainer calls, in wrapped unsquashfs image extraction, and build stages. - Bug fixes * Remove warning message about SINGULARITY and APPTAINER variables having different values when the SINGULARITY variable is not set. * Add specific error for unreadable image / overlay file. * Pass through a literal \n in host environment variables to the container. * Fix loop device creation with loop-control when running inside docker containers. * Fix the issue that the oras protocol would ignore the --no-https/--nohttps flag. - File changes * Removed useful_error_message.patch as not needed any more * Added fix-32bit-compilation.patch from upstream - Update to version 1.0.3: * Process redirects that can come from sregistry with a library:// URL. * Fix inspect --deffile and inspect --all to correctly show definition files in sandbox container images instead of empty output. This has a side effect of also fixing the storing of definition files in the metadata of sif files built by Apptainer, because that metadata is constructed by doing inspect --all. - Update to version 1.0.2: + Fixed `FATAL` error thrown by user configuration migration code that caused users with inaccessible home directories to be unable to use `apptainer` commands. + Do not truncate environment variables with commas. + Use HEAD request when checking digest of remote OCI image sources, with GET as a fall-back. Greatly reduces Apptainer's impact on Docker Hub API limits. - Updated to v1.0.1 with following bug fixes * Don't prompt for y/n to overwrite an existing file when build is called from a non-interactive environment. Fail with an error. * Preload NSS libraries prior to mountspace name creation to avoid circumstances that can cause loading those libraries from the container image instead of the host, for example in the startup environment. * Fix race condition where newly created loop devices can sometimes not be opened. * Support nvidia-container-cli v1.8.0 and above, via fix to capability set. - Updated to v1.0.0-rc1 changes to singularity 3.9.5 are * The primary executable has been changed from singularity to apptainer. However, a singularity command symlink alias has been created pointing to the apptainer command. The contents of containers are unchanged and continue to use the singularity name for startup scripts, etc. * The per-user configuration directory has changed from ~/.singularity to ~/.apptainer. The first time the apptainer command accesses the user configuration directory, relevant configuration is automatically imported from the old directory to the new one. * Environment variables have all been changed to have an APPTAINER prefix instead of a SINGULARITY prefix. However, SINGULARITY prefix variables are still recognized. If only a SINGULARITY prefix variable exists, a warning will be printed about deprecated usage and then the value will be used. If both prefixes exist and the value is the same, no warning is printed; this is the recommended method to set environment variables for those who need to support both apptainer and singularity. If both prefixes exist for the same variable and the value is different then a warning is also printed. * The default SylabsCloud remote endpoint has been removed and replaced by one called DefaultRemote which has no defined server for the library:// URI. System administrators may restore the old default if they wish by adding it to /etc/apptainer/remote.yaml with a URI of cloud.sylabs.io and setting it there as the Active remote, or users can add it to their own configuration with the commands apptainer remote add SylabsCloud cloud.sylabs.io and apptainer remote use SylabsCloud. * The DefaultRemote's key server is https://keys.openpgp.org instead of the Sylabs key server * The apptainer build --remote option has been removed because there is no standard protocol or non-commercial service that supports it. - New Features: * Honor image binds and user binds in the order they're given instead of always doing image binds first. * Experimental support for checkpointing of instances using DMTCP has been added. Additional flags --dmtcp-launch and --dmtcp-restart has been added to the apptainer instance start command, and a checkpoint command group has been added to manage the checkpoint state. A new /etc/apptainer/dmtcp-conf.yaml configuration file is also added. Limitations are that it can only work with dynamically linked applications and the container has to be based on glibc. * --writable-tmpfs can be used with apptainer build to run the %test section of the build with a ephemeral tmpfs overlay, permitting tests that write to the container filesystem. * The --compat flag for actions is a new short-hand to enable a number of options that increase OCI/Docker compatibility. Infers --containall, --no-init, --no-umask, --writable-tmpfs. Does not use user, uts, or network namespaces as these may not be supported on many installations. * The experimental --nvccli flag will use nvidia-container-cli to setup the container for Nvidia GPU operation. Apptainer will not bind GPU libraries itself. Environment variables that are used with Nvidia's docker-nvidia runtime to configure GPU visibility / driver capabilities & requirements are parsed by the --nvccli flag from the environment of the calling user. By default, the compute and utility GPU capabilities are configured. The use nvidia-container-cli option in apptainer.conf can be set to yes to always use nvidia-container-cli when supported. --nvccli is not supported in the setuid workflow, and it requires being used in combination with --writable in user namespace mode. Please see documentation for more details. * The --apply-cgroups flag can be used to apply cgroups resource and device restrictions on a system using the v2 unified cgroups hierarchy. The resource restrictions must still be specified in the v1 / OCI format, which will be translated into v2 cgroups resource restrictions, and eBPF device restrictions. * A new --mount flag and APPTAINER_MOUNT environment variable can be used to specify bind mounts in type=bind,source=<src>,destination=<dst>[,options...] format. This improves CLI compatibility with other runtimes, and allows binding paths containing : and , characters (using CSV style escaping). * Perform concurrent multi-part downloads for library:// URIs. Uses 3 concurrent downloads by default, and is configurable in apptainer.conf or via environment variables. - Explicit dependcy on go1.16.12 or go1.17.5 which fix (CVE-2021-44717) and (CVE-2021-44716) that may affect singualrity - inital commit of apptainer which is a singularity fork

Patchnames

openSUSE-2023-18

CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://www.suse.com/support/security/rating/",
      "text": "moderate"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright 2024 SUSE LLC. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "Security update for apptainer",
        "title": "Title of the patch"
      },
      {
        "category": "description",
        "text": "This update for apptainer fixes the following issues:\n\nUpdated to 1.1.2 which fixed CVE-2022-39237\n\n  * CVE-2022-39237: The sif dependency included in Apptainer before this\n    release does not verify that the hash algorithm(s) used are\n    cryptographically secure when verifying digital signatures. This release\n    updates to sif v2.8.1 which corrects this issue. See the linked advisory\n    for references and a workaround.\n\nUpdated to version 1.1.0\n\n  * added squashfuse-0.1.105.tar.gz and 70.patch for the build of squashfuse_ll\n    which will be removed as soon as the multithread patch is incoperated\n  * Change squash mounts to prefer to use squashfuse_ll instead of squashfuse,\n    if available, for improved performance. squashfuse_ll is not available\n    in factory.\n  * Also, for even better parallel performance, include a patched\n    multithreaded version of squashfuse_ll in\n  * Imply adding ${prefix}/libexec/apptainer/bin to the binary path in\n    apptainer.conf, which is used for searching for helper executables. It is\n    implied as the first directory of $PATH if present (which is at the\n    beginning of binary path by default) or just as the first directory if\n    $PATH is not included in binary path.\n    ${prefix}/libexec/apptainer/bin.\n  * Add --unsquash action flag to temporarily convert a SIF file to a sandbox\n    before running. In previous versions this was the default when running a\n    SIF file without setuid or with fakeroot, but now the default is to instead\n    mount with squashfuse.\n  * Add --sparse flag to overlay create command to allow generation of a sparse\n    ext3 overlay image.\n  * Support for a custom hashbang in the %test section of an Apptainer recipe\n    (akin to the runscript and start sections).\n  * When using fakeroot in setuid mode, have the image drivers first enter the\n    the container\u0027s user namespace to avoid write errors with overlays.\n  * Skip trying to use kernel overlayfs when using writable overlay and the\n    lower layer is FUSE, because of a kernel bug introduced in kernel 5.15.\n  * Add additional hidden options to the action command for testing different\n    fakeroot modes with --fakeroot: --ignore-subuid, --ignore-fakeroot-command,\n    and --ignore-userns.\n\n- Updated to version 1.1.0-rc2 with following changes:\n\n  * Fixed longstanding bug in the underlay logic when there are nested bind\n    points separated by more than one path level, for example /var and\n    /var/lib/yum, and the path didn\u0027t exist in the container image. The bug\n    only caused an error when there was a directory in the container image that\n    didn\u0027t exist on the host.\n  * Improved wildcard matching in the %files directive of build definition\n    files by replacing usage of sh with the mvdan.cc library.\n  * Replaced checks for compatible filesystem types when using fuse-overlayfs\n    with an INFO message when an incompatible filesystem type causes it to be\n    unwritable by a fakeroot user.\n  * The --nvccli option now works without --fakeroot. In that case the option\n    can be used with --writable-tmpfs instead of --writable, and\n    --writable-tmpfs is implied if neither option is given. Note that also\n    /usr/bin has to be writable by the user, so without --fakeroot that\n    probably requires a sandbox image that was built with --fix-perms.\n  * The --nvccli option implies --nv.\n  * Configure squashfuse to always show files to be owned by the current user.\n    That\u0027s especially important for fakeroot to prevent most of the files from\n    looking like they are owned by user 65534.\n  * The fakeroot command can now be used even if $PATH is empty in the\n    environment of the apptainer command.\n  * Allow the newuidmap command to be missing if the current user is not listed\n    in /etc/subuid.\n  * Require the uidmap package in Debian packaging.\n  * Improved error handling of unsupported pass protected PEM files with\n    encrypted containers.\n  * Ensure bootstrap_history directory is populated with previous definition\n    files, present in source containers used in a build.\n  * Add additional options to the build command for testing different fakeroot\n    modes: --userns like the action flag and hidden options --ignore-subuid,\n    --ignore-fakeroot-command, and --ignore-userns.\n  * Require root user early when building an encrypted container.\n- removed upstream incorated patch fix-32bit-compilation.patch\n\n- Updated to version 1.1.0-rc1 which enables apptainer to run without\n  suid and additional groups. Although this is a prerelease this is \n  a major advantage justifying its use.\n  * Added a squashfuse image driver that enables mounting SIF files without\n    using setuid-root. Requires the squashfuse command and unprivileged user\n    namespaces.\n  * Added a fuse2fs image driver that enables mounting EXT3 files and EXT3 SIF\n    overlay partitions without using setuid-root. Requires the fuse2fs command\n    and unprivileged user namespaces.\n  * Added the ability to use persistent overlay (--overlay) and\n    --writable-tmpfs without using setuid-root. This requires unprivileged user\n    namespaces and either a new enough kernel (\u003e= 5.11) or the fuse-overlayfs\n    command. Persistent overlay works when the overlay path points to a regular\n    filesystem (known as \u0027sandbox\u0027 mode, which is not allowed when in setuid\n    mode), or when it points to an EXT3 image. Does not work with a SIF\n    partition because that requires privileges to mount as an ext3 image.\n  * Extended the --fakeroot option to be useful when /etc/subuid and\n    /etc/subgid mappings have not been set up. If they have not been set up, a\n    root-mapped unprivileged user namespace (the equivalent of unshare -r)\n    and/or the fakeroot command from the host will be tried. Together they\n    emulate the mappings pretty well but they are simpler to administer. This\n    feature is especially useful with the --overlay and --writable-tmpfs\n    options and for building containers unprivileged, because they allow\n    installing packages that assume they\u0027re running as root. A limitation on\n    using it with --overlay and --writable-tmpfs however is that when only the\n    fakeroot command can be used (because there are no user namespaces\n    available, in suid mode) then the base image has to be a sandbox. This\n    feature works nested inside of an apptainer container, where another\n    apptainer command will also be in the fakeroot environment without\n    requesting the --fakeroot option again, or it can be used inside an\n    apptainer container that was not started with --fakeroot. However, the\n    fakeroot command uses LD_PRELOAD and so needs to be bound into the\n    container which requires a compatible libc. For that reason it doesn\u0027t work\n    when the host and container operating systems are of very different\n    vintages. If that\u0027s a problem and you want to use only an unprivileged\n    root-mapped namespace even when the fakeroot command is installed, just run\n    apptainer with unshare -r.\n  * Made the --fakeroot option be implied when an unprivileged user builds a\n    container from a definition file. When /etc/subuid and /etc/subgid mappings\n    are not available, all scriptlets are run in a root-mapped unprivileged\n    namespace (when possible) and the %post scriptlet is additionally run with\n    the fakeroot command. When unprivileged user namespaces are not available,\n    such that only the fakeroot command can be used, the --fix-perms option is\n    implied to allow writing into directories.\n  * Added a --fakeroot option to the apptainer overlay create command to make\n    an overlay EXT3 image file that works with the fakeroot that comes from\n    unprivileged root-mapped namespaces. This is not needed with the fakeroot\n    that comes with /etc/sub[ug]id mappings nor with the fakeroot that comes\n    with only the fakeroot command in suid flow.\n  * $HOME is now used to find the user\u0027s configuration and cache by default. If\n    that is not set it will fall back to the previous behavior of looking up\n    the home directory in the password file. The value of $HOME inside the\n    container still defaults to the home directory in the password file and can\n    still be overridden by the --home option.\n  * When starting a container, if the user has specified the cwd by using the\n    --pwd flag, if there is a problem an error is returned instead of\n    defaulting to a different directory.\n  * Nesting of bind mounts now works even when a --bind option specified a\n    different source and destination with a colon between them. Now the\n    APPTAINER_BIND environment variable makes sure the bind source is from the\n    bind destination so it will be succesfully re-bound into a nested apptainer\n    container.\n  * The warning about more than 50 bind mounts required for an underlay bind\n    has been changed to an info message.\n  * oci mount sets Process.Terminal: true when creating an OCI config.json, so\n    that oci run provides expected interactive behavior by default.\n    The default hostname for oci mount containers is now apptainer instead of mrsdalloway.\n  * systemd is now supported and used as the default cgroups manager. Set\n    systemd cgroups = no in apptainer.conf to manage cgroups directly via the\n    cgroupfs.\n  * Added a new action flag --no-eval which:\n      + Prevents shell evaluation of APPTAINERENV_ / --env / --env-file\n        environment variables as they are injected in the container, to match\n        OCI behavior. Applies to all containers.  \n      + Prevents shell evaluation of the values of CMD / ENTRYPOINT and command\n        line arguments for containers run or built directly from an OCI/Docker\n        source. Applies to newly built containers only, use apptainer inspect\n        to check version that container was built with.\n  * Added --no-eval to the list of flags set by the OCI/Docker --compat mode.\n  * sinit process has been renamed to appinit.\n  * Added --keysdir to key command to provide an alternative way of setting\n    local keyring path. The existing reading of the keyring path from\n    environment variable \u0027APPTAINER_KEYSDIR\u0027 is untouched.\n  * apptainer key push will output the key server\u0027s response if included in\n    order to help guide users through any identity verification the server may\n    require.\n  * ECL no longer requires verification for all signatures, but only when\n    signature verification would alter the expected behavior of the list:\n      + At least one matching signature included in a whitelist must be\n        validated, but other unvalidated signatures do not cause ECL to fail.\n      + All matching signatures included in a whitestrict must be validated,\n        but unvalidated signatures not in the whitestrict do not cause ECL to\n        fail.\n      + Signature verification is not checked for a blacklist; unvalidated\n        signatures can still block execution via ECL, and unvalidated\n        signatures not in the blacklist do not cause ECL to fail.\n- New features / functionalities\n  * Non-root users can now use --apply-cgroups with run/shell/exec to limit\n    container resource usage on a system using cgroups v2 and the systemd\n    cgroups manager.\n  * Native cgroups v2 resource limits can be specified using the [unified] key\n    in a cgroups toml file applied via --apply-cgroups.\n  * Added --cpu*, --blkio*, --memory*, --pids-limit flags to apply cgroups\n    resource limits to a container directly.\n    Added instance stats command.\n  * The --no-mount flag \u0026 APPTAINER_NO_MOUNT env var can now be used to disable\n    a bind path entry from apptainer.conf by specifying the absolute path to\n    the destination of the bind.\n  * Apptainer now supports the riscv64 architecture.\n  * remote add --insecure may now be used to configure endpoints that are only\n    accessible via http. Alternatively the environment variable\n    APPTAINER_ADD_INSECURE can be set to true to allow http remotes to be added\n    wihtout the --insecure flag. Specifying https in the remote URI overrules\n    both --insecure and APPTAINER_ADD_INSECURE.\n  * Gpu flags --nv and --rocm can now be used from an apptainer nested inside\n    another apptainer container.\n  * Added --public, --secret, and --both flags to the key remove command to\n    support removing secret keys from the apptainer keyring.\n  * Debug output can now be enabled by setting the APPTAINER_DEBUG env var.\n  * Debug output is now shown for nested apptainer calls, in wrapped unsquashfs\n    image extraction, and build stages.\n- Bug fixes\n  * Remove warning message about SINGULARITY and APPTAINER variables having\n    different values when the SINGULARITY variable is not set.\n  * Add specific error for unreadable image / overlay file.\n  * Pass through a literal \\n in host environment variables to the container.\n  * Fix loop device creation with loop-control when running inside docker containers.\n  * Fix the issue that the oras protocol would ignore the --no-https/--nohttps flag.\n- File changes\n  * Removed useful_error_message.patch as not needed any more\n  * Added fix-32bit-compilation.patch from upstream\n\n- Update to version 1.0.3:\n  * Process redirects that can come from sregistry with a library:// URL.\n  * Fix inspect --deffile and inspect --all to correctly show definition files\n    in sandbox container images instead of empty output. This has a side effect\n    of also fixing the storing of definition files in the metadata of sif files\n    built by Apptainer, because that metadata is constructed by doing inspect\n    --all.\n\n- Update to version 1.0.2:\n  + Fixed `FATAL` error thrown by user configuration migration code\n    that caused users with inaccessible home directories to be\n    unable to use `apptainer` commands.\n  + Do not truncate environment variables with commas.\n  + Use HEAD request when checking digest of remote OCI image\n    sources, with GET as a fall-back. Greatly reduces Apptainer\u0027s\n    impact on Docker Hub API limits.\n\n- Updated to v1.0.1 with following bug fixes\n  * Don\u0027t prompt for y/n to overwrite an existing file when build is called\n    from a non-interactive environment. Fail with an error.\n  * Preload NSS libraries prior to mountspace name creation to avoid\n    circumstances that can cause loading those libraries from the container\n    image instead of the host, for example in the startup environment.\n  * Fix race condition where newly created loop devices can sometimes not be opened.\n  * Support nvidia-container-cli v1.8.0 and above, via fix to capability set.\n\n- Updated to v1.0.0-rc1 changes to singularity 3.9.5 are\n  * The primary executable has been changed from singularity to apptainer.\n    However, a singularity command symlink alias has been created pointing to\n    the apptainer command. The contents of containers are unchanged and\n    continue to use the singularity name for startup scripts, etc. \n  * The per-user configuration directory has changed from ~/.singularity to\n    ~/.apptainer. The first time the apptainer command accesses the user\n    configuration directory, relevant configuration is automatically imported\n    from the old directory to the new one.\n  * Environment variables have all been changed to have an APPTAINER prefix\n    instead of a SINGULARITY prefix. However, SINGULARITY prefix variables are\n    still recognized. If only a SINGULARITY prefix variable exists, a warning\n    will be printed about deprecated usage and then the value will be used. If\n    both prefixes exist and the value is the same, no warning is printed; this\n    is the recommended method to set environment variables for those who need\n    to support both apptainer and singularity. If both prefixes exist for the\n    same variable and the value is different then a warning is also printed.\n *  The default SylabsCloud remote endpoint has been removed and replaced by\n    one called DefaultRemote which has no defined server for the library://\n    URI. System administrators may restore the old default if they wish by\n    adding it to /etc/apptainer/remote.yaml with a URI of cloud.sylabs.io and\n    setting it there as the Active remote, or users can add it to their own\n    configuration with the commands apptainer remote add SylabsCloud\n    cloud.sylabs.io and apptainer remote use SylabsCloud.\n  * The DefaultRemote\u0027s key server is https://keys.openpgp.org instead of the\n    Sylabs key server\n  * The apptainer build --remote option has been removed because there is no\n    standard protocol or non-commercial service that supports it.\n- New Features:\n  * Honor image binds and user binds in the order they\u0027re given instead of\n    always doing image binds first.\n  * Experimental support for checkpointing of instances using DMTCP has been\n    added. Additional flags --dmtcp-launch and --dmtcp-restart has been added\n    to the apptainer instance start command, and a checkpoint command group has\n    been added to manage the checkpoint state. A new\n    /etc/apptainer/dmtcp-conf.yaml configuration file is also added.\n    Limitations are that it can only work with dynamically linked applications\n    and the container has to be based on glibc.\n  * --writable-tmpfs can be used with apptainer build to run the %test section\n    of the build with a ephemeral tmpfs overlay, permitting tests that write to\n    the container filesystem.\n  * The --compat flag for actions is a new short-hand to enable a number of\n    options that increase OCI/Docker compatibility. Infers --containall,\n    --no-init, --no-umask, --writable-tmpfs. Does not use user, uts, or network\n    namespaces as these may not be supported on many installations.\n  * The experimental --nvccli flag will use nvidia-container-cli to setup the\n    container for Nvidia GPU operation. Apptainer will not bind GPU libraries\n    itself. Environment variables that are used with Nvidia\u0027s docker-nvidia\n    runtime to configure GPU visibility / driver capabilities \u0026 requirements\n    are parsed by the --nvccli flag from the environment of the calling user.\n    By default, the compute and utility GPU capabilities are configured. The\n    use nvidia-container-cli option in apptainer.conf can be set to yes to\n    always use nvidia-container-cli when supported. --nvccli is not supported\n    in the setuid workflow, and it requires being used in combination with\n    --writable in user namespace mode. Please see documentation for more\n    details.\n  * The --apply-cgroups flag can be used to apply cgroups resource and device\n    restrictions on a system using the v2 unified cgroups hierarchy. The\n    resource restrictions must still be specified in the v1 / OCI format, which\n    will be translated into v2 cgroups resource restrictions, and eBPF device\n    restrictions. \n  * A new --mount flag and APPTAINER_MOUNT environment variable can be used to\n    specify bind mounts in\n    type=bind,source=\u003csrc\u003e,destination=\u003cdst\u003e[,options...] format. This improves\n    CLI compatibility with other runtimes, and allows binding paths containing\n    : and , characters (using CSV style escaping).\n  * Perform concurrent multi-part downloads for library:// URIs. Uses 3\n    concurrent downloads by default, and is configurable in apptainer.conf or\n    via environment variables.\n\n- Explicit dependcy on go1.16.12 or go1.17.5 which fix \n  (CVE-2021-44717) and (CVE-2021-44716) that may affect singualrity\n\n- inital commit of apptainer which is a singularity fork ",
        "title": "Description of the patch"
      },
      {
        "category": "details",
        "text": "openSUSE-2023-18",
        "title": "Patchnames"
      },
      {
        "category": "legal_disclaimer",
        "text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
        "title": "Terms of use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://www.suse.com/support/security/contact/",
      "name": "SUSE Product Security Team",
      "namespace": "https://www.suse.com/"
    },
    "references": [
      {
        "category": "external",
        "summary": "SUSE ratings",
        "url": "https://www.suse.com/support/security/rating/"
      },
      {
        "category": "self",
        "summary": "URL of this CSAF notice",
        "url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2023_0018-1.json"
      },
      {
        "category": "self",
        "summary": "URL for openSUSE-SU-2023:0018-1",
        "url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/6WS5CSKKNIOV4MCZX36E2OGOEC5EKPNG/"
      },
      {
        "category": "self",
        "summary": "E-Mail link for openSUSE-SU-2023:0018-1",
        "url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/6WS5CSKKNIOV4MCZX36E2OGOEC5EKPNG/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2021-44716 page",
        "url": "https://www.suse.com/security/cve/CVE-2021-44716/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2021-44717 page",
        "url": "https://www.suse.com/security/cve/CVE-2021-44717/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2022-39237 page",
        "url": "https://www.suse.com/security/cve/CVE-2022-39237/"
      }
    ],
    "title": "Security update for apptainer",
    "tracking": {
      "current_release_date": "2023-01-15T17:01:16Z",
      "generator": {
        "date": "2023-01-15T17:01:16Z",
        "engine": {
          "name": "cve-database.git:bin/generate-csaf.pl",
          "version": "1"
        }
      },
      "id": "openSUSE-SU-2023:0018-1",
      "initial_release_date": "2023-01-15T17:01:16Z",
      "revision_history": [
        {
          "date": "2023-01-15T17:01:16Z",
          "number": "1",
          "summary": "Current version"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "apptainer-1.1.2-lp154.2.1.aarch64",
                "product": {
                  "name": "apptainer-1.1.2-lp154.2.1.aarch64",
                  "product_id": "apptainer-1.1.2-lp154.2.1.aarch64"
                }
              }
            ],
            "category": "architecture",
            "name": "aarch64"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "apptainer-1.1.2-lp154.2.1.i586",
                "product": {
                  "name": "apptainer-1.1.2-lp154.2.1.i586",
                  "product_id": "apptainer-1.1.2-lp154.2.1.i586"
                }
              }
            ],
            "category": "architecture",
            "name": "i586"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "apptainer-1.1.2-lp154.2.1.s390x",
                "product": {
                  "name": "apptainer-1.1.2-lp154.2.1.s390x",
                  "product_id": "apptainer-1.1.2-lp154.2.1.s390x"
                }
              }
            ],
            "category": "architecture",
            "name": "s390x"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "apptainer-1.1.2-lp154.2.1.x86_64",
                "product": {
                  "name": "apptainer-1.1.2-lp154.2.1.x86_64",
                  "product_id": "apptainer-1.1.2-lp154.2.1.x86_64"
                }
              }
            ],
            "category": "architecture",
            "name": "x86_64"
          },
          {
            "branches": [
              {
                "category": "product_name",
                "name": "openSUSE Leap 15.4",
                "product": {
                  "name": "openSUSE Leap 15.4",
                  "product_id": "openSUSE Leap 15.4",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:opensuse:leap:15.4"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "SUSE Linux Enterprise"
          }
        ],
        "category": "vendor",
        "name": "SUSE"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "apptainer-1.1.2-lp154.2.1.aarch64 as component of openSUSE Leap 15.4",
          "product_id": "openSUSE Leap 15.4:apptainer-1.1.2-lp154.2.1.aarch64"
        },
        "product_reference": "apptainer-1.1.2-lp154.2.1.aarch64",
        "relates_to_product_reference": "openSUSE Leap 15.4"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "apptainer-1.1.2-lp154.2.1.i586 as component of openSUSE Leap 15.4",
          "product_id": "openSUSE Leap 15.4:apptainer-1.1.2-lp154.2.1.i586"
        },
        "product_reference": "apptainer-1.1.2-lp154.2.1.i586",
        "relates_to_product_reference": "openSUSE Leap 15.4"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "apptainer-1.1.2-lp154.2.1.s390x as component of openSUSE Leap 15.4",
          "product_id": "openSUSE Leap 15.4:apptainer-1.1.2-lp154.2.1.s390x"
        },
        "product_reference": "apptainer-1.1.2-lp154.2.1.s390x",
        "relates_to_product_reference": "openSUSE Leap 15.4"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "apptainer-1.1.2-lp154.2.1.x86_64 as component of openSUSE Leap 15.4",
          "product_id": "openSUSE Leap 15.4:apptainer-1.1.2-lp154.2.1.x86_64"
        },
        "product_reference": "apptainer-1.1.2-lp154.2.1.x86_64",
        "relates_to_product_reference": "openSUSE Leap 15.4"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2021-44716",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2021-44716"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "net/http in Go before 1.16.12 and 1.17.x before 1.17.5 allows uncontrolled memory consumption in the header canonicalization cache via HTTP/2 requests.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Leap 15.4:apptainer-1.1.2-lp154.2.1.aarch64",
          "openSUSE Leap 15.4:apptainer-1.1.2-lp154.2.1.i586",
          "openSUSE Leap 15.4:apptainer-1.1.2-lp154.2.1.s390x",
          "openSUSE Leap 15.4:apptainer-1.1.2-lp154.2.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2021-44716",
          "url": "https://www.suse.com/security/cve/CVE-2021-44716"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1193597 for CVE-2021-44716",
          "url": "https://bugzilla.suse.com/1193597"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Leap 15.4:apptainer-1.1.2-lp154.2.1.aarch64",
            "openSUSE Leap 15.4:apptainer-1.1.2-lp154.2.1.i586",
            "openSUSE Leap 15.4:apptainer-1.1.2-lp154.2.1.s390x",
            "openSUSE Leap 15.4:apptainer-1.1.2-lp154.2.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "openSUSE Leap 15.4:apptainer-1.1.2-lp154.2.1.aarch64",
            "openSUSE Leap 15.4:apptainer-1.1.2-lp154.2.1.i586",
            "openSUSE Leap 15.4:apptainer-1.1.2-lp154.2.1.s390x",
            "openSUSE Leap 15.4:apptainer-1.1.2-lp154.2.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2023-01-15T17:01:16Z",
          "details": "important"
        }
      ],
      "title": "CVE-2021-44716"
    },
    {
      "cve": "CVE-2021-44717",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2021-44717"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "Go before 1.16.12 and 1.17.x before 1.17.5 on UNIX allows write operations to an unintended file or unintended network connection as a consequence of erroneous closing of file descriptor 0 after file-descriptor exhaustion.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Leap 15.4:apptainer-1.1.2-lp154.2.1.aarch64",
          "openSUSE Leap 15.4:apptainer-1.1.2-lp154.2.1.i586",
          "openSUSE Leap 15.4:apptainer-1.1.2-lp154.2.1.s390x",
          "openSUSE Leap 15.4:apptainer-1.1.2-lp154.2.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2021-44717",
          "url": "https://www.suse.com/security/cve/CVE-2021-44717"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1193598 for CVE-2021-44717",
          "url": "https://bugzilla.suse.com/1193598"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Leap 15.4:apptainer-1.1.2-lp154.2.1.aarch64",
            "openSUSE Leap 15.4:apptainer-1.1.2-lp154.2.1.i586",
            "openSUSE Leap 15.4:apptainer-1.1.2-lp154.2.1.s390x",
            "openSUSE Leap 15.4:apptainer-1.1.2-lp154.2.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 4.8,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
            "version": "3.1"
          },
          "products": [
            "openSUSE Leap 15.4:apptainer-1.1.2-lp154.2.1.aarch64",
            "openSUSE Leap 15.4:apptainer-1.1.2-lp154.2.1.i586",
            "openSUSE Leap 15.4:apptainer-1.1.2-lp154.2.1.s390x",
            "openSUSE Leap 15.4:apptainer-1.1.2-lp154.2.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2023-01-15T17:01:16Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2021-44717"
    },
    {
      "cve": "CVE-2022-39237",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2022-39237"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "syslabs/sif is the Singularity Image Format (SIF) reference implementation. In versions prior to 2.8.1the `github.com/sylabs/sif/v2/pkg/integrity` package did not verify that the hash algorithm(s) used are cryptographically secure when verifying digital signatures. A patch is available in version \u003e= v2.8.1 of the module. Users are encouraged to upgrade. Users unable to upgrade may independently validate that the hash algorithm(s) used for metadata digest(s) and signature hash are cryptographically secure.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Leap 15.4:apptainer-1.1.2-lp154.2.1.aarch64",
          "openSUSE Leap 15.4:apptainer-1.1.2-lp154.2.1.i586",
          "openSUSE Leap 15.4:apptainer-1.1.2-lp154.2.1.s390x",
          "openSUSE Leap 15.4:apptainer-1.1.2-lp154.2.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2022-39237",
          "url": "https://www.suse.com/security/cve/CVE-2022-39237"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1209493 for CVE-2022-39237",
          "url": "https://bugzilla.suse.com/1209493"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Leap 15.4:apptainer-1.1.2-lp154.2.1.aarch64",
            "openSUSE Leap 15.4:apptainer-1.1.2-lp154.2.1.i586",
            "openSUSE Leap 15.4:apptainer-1.1.2-lp154.2.1.s390x",
            "openSUSE Leap 15.4:apptainer-1.1.2-lp154.2.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 6.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L",
            "version": "3.1"
          },
          "products": [
            "openSUSE Leap 15.4:apptainer-1.1.2-lp154.2.1.aarch64",
            "openSUSE Leap 15.4:apptainer-1.1.2-lp154.2.1.i586",
            "openSUSE Leap 15.4:apptainer-1.1.2-lp154.2.1.s390x",
            "openSUSE Leap 15.4:apptainer-1.1.2-lp154.2.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2023-01-15T17:01:16Z",
          "details": "important"
        }
      ],
      "title": "CVE-2022-39237"
    }
  ]
}

CNVD-2022-87947

Vulnerability from cnvd - Published: 2022-12-15

Title

Singularity Image Format加密问题漏洞

Description

Singularity Image Format是Singularity的一个压缩的squashfs文件系统，它具有块的组织结构，包括元数据和用于容器的定义文件，首标，分区的内容，签名（如果存在的话），以及当然，二进制文件本身的容器。Singular是德国Singular开源的一个用于多项式计算的计算机代数系统。 Singularity Image Format 2.8.1之前的版本存在加密问题漏洞，该漏洞源于其位于“github.com/sylabs/sif/v2/pkg/integrity”包在验证数字签名时，不验证使用的哈希算法是安全的。攻击者可利用漏洞绕过数字签名。

Severity

高

Patch Name

Singularity Image Format加密问题漏洞的补丁

Patch Description

Formal description

目前厂商已发布升级补丁以修复漏洞，补丁获取链接： https://github.com/sylabs/sif/security/advisories/GHSA-m5m3-46gj-wch8

Reference

https://github.com/sylabs/sif/security/advisories/GHSA-m5m3-46gj-wch8

Impacted products

Name
Singularity Singularity Image Format <2.8.1

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2022-39237",
      "cveUrl": "https://nvd.nist.gov/vuln/detail/CVE-2022-39237"
    }
  },
  "description": "Singularity Image Format\u662fSingularity\u7684\u4e00\u4e2a\u538b\u7f29\u7684squashfs\u6587\u4ef6\u7cfb\u7edf\uff0c\u5b83\u5177\u6709\u5757\u7684\u7ec4\u7ec7\u7ed3\u6784\uff0c\u5305\u62ec\u5143\u6570\u636e\u548c\u7528\u4e8e\u5bb9\u5668\u7684\u5b9a\u4e49\u6587\u4ef6\uff0c\u9996\u6807\uff0c\u5206\u533a\u7684\u5185\u5bb9\uff0c\u7b7e\u540d\uff08\u5982\u679c\u5b58\u5728\u7684\u8bdd\uff09\uff0c\u4ee5\u53ca\u5f53\u7136\uff0c\u4e8c\u8fdb\u5236\u6587\u4ef6\u672c\u8eab\u7684\u5bb9\u5668\u3002Singular\u662f\u5fb7\u56fdSingular\u5f00\u6e90\u7684\u4e00\u4e2a\u7528\u4e8e\u591a\u9879\u5f0f\u8ba1\u7b97\u7684\u8ba1\u7b97\u673a\u4ee3\u6570\u7cfb\u7edf\u3002\n\nSingularity Image Format 2.8.1\u4e4b\u524d\u7684\u7248\u672c\u5b58\u5728\u52a0\u5bc6\u95ee\u9898\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u5176\u4f4d\u4e8e\u201cgithub.com/sylabs/sif/v2/pkg/integrity\u201d\u5305\u5728\u9a8c\u8bc1\u6570\u5b57\u7b7e\u540d\u65f6\uff0c\u4e0d\u9a8c\u8bc1\u4f7f\u7528\u7684\u54c8\u5e0c\u7b97\u6cd5\u662f\u5b89\u5168\u7684\u3002\u653b\u51fb\u8005\u53ef\u5229\u7528\u6f0f\u6d1e\u7ed5\u8fc7\u6570\u5b57\u7b7e\u540d\u3002",
  "formalWay": "\u76ee\u524d\u5382\u5546\u5df2\u53d1\u5e03\u5347\u7ea7\u8865\u4e01\u4ee5\u4fee\u590d\u6f0f\u6d1e\uff0c\u8865\u4e01\u83b7\u53d6\u94fe\u63a5\uff1a\r\nhttps://github.com/sylabs/sif/security/advisories/GHSA-m5m3-46gj-wch8",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2022-87947",
  "openTime": "2022-12-15",
  "patchDescription": "Singularity Image Format\u662fSingularity\u7684\u4e00\u4e2a\u538b\u7f29\u7684squashfs\u6587\u4ef6\u7cfb\u7edf\uff0c\u5b83\u5177\u6709\u5757\u7684\u7ec4\u7ec7\u7ed3\u6784\uff0c\u5305\u62ec\u5143\u6570\u636e\u548c\u7528\u4e8e\u5bb9\u5668\u7684\u5b9a\u4e49\u6587\u4ef6\uff0c\u9996\u6807\uff0c\u5206\u533a\u7684\u5185\u5bb9\uff0c\u7b7e\u540d\uff08\u5982\u679c\u5b58\u5728\u7684\u8bdd\uff09\uff0c\u4ee5\u53ca\u5f53\u7136\uff0c\u4e8c\u8fdb\u5236\u6587\u4ef6\u672c\u8eab\u7684\u5bb9\u5668\u3002Singular\u662f\u5fb7\u56fdSingular\u5f00\u6e90\u7684\u4e00\u4e2a\u7528\u4e8e\u591a\u9879\u5f0f\u8ba1\u7b97\u7684\u8ba1\u7b97\u673a\u4ee3\u6570\u7cfb\u7edf\u3002\r\n\r\nSingularity Image Format 2.8.1\u4e4b\u524d\u7684\u7248\u672c\u5b58\u5728\u52a0\u5bc6\u95ee\u9898\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u5176\u4f4d\u4e8e\u201cgithub.com/sylabs/sif/v2/pkg/integrity\u201d\u5305\u5728\u9a8c\u8bc1\u6570\u5b57\u7b7e\u540d\u65f6\uff0c\u4e0d\u9a8c\u8bc1\u4f7f\u7528\u7684\u54c8\u5e0c\u7b97\u6cd5\u662f\u5b89\u5168\u7684\u3002\u653b\u51fb\u8005\u53ef\u5229\u7528\u6f0f\u6d1e\u7ed5\u8fc7\u6570\u5b57\u7b7e\u540d\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Singularity Image Format\u52a0\u5bc6\u95ee\u9898\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": "Singularity Singularity Image Format \u003c2.8.1"
  },
  "referenceLink": "https://github.com/sylabs/sif/security/advisories/GHSA-m5m3-46gj-wch8",
  "serverity": "\u9ad8",
  "submitTime": "2022-10-10",
  "title": "Singularity Image Format\u52a0\u5bc6\u95ee\u9898\u6f0f\u6d1e"
}

FKIE_CVE-2022-39237

Vulnerability from fkie_nvd - Published: 2022-10-06 18:16 - Updated: 2024-11-21 07:17

Severity ?

6.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Summary

References

URL	Tags
security-advisories@github.com	https://github.com/sylabs/sif/commit/07fb86029a12e3210f6131e065570124605daeaa	Patch, Third Party Advisory
security-advisories@github.com	https://github.com/sylabs/sif/security/advisories/GHSA-m5m3-46gj-wch8	Third Party Advisory
security-advisories@github.com	https://security.gentoo.org/glsa/202210-19	Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/sylabs/sif/commit/07fb86029a12e3210f6131e065570124605daeaa	Patch, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/sylabs/sif/security/advisories/GHSA-m5m3-46gj-wch8	Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://security.gentoo.org/glsa/202210-19	Third Party Advisory

Impacted products

	Vendor	Product	Version
	sylabs	singularity_image_format	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:sylabs:singularity_image_format:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "55B4B89E-C630-4A9C-9AE5-8EB9FBCC5336",
              "versionEndExcluding": "2.8.1",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "syslabs/sif is the Singularity Image Format (SIF) reference implementation. In versions prior to 2.8.1the `github.com/sylabs/sif/v2/pkg/integrity` package did not verify that the hash algorithm(s) used are cryptographically secure when verifying digital signatures. A patch is available in version \u003e= v2.8.1 of the module. Users are encouraged to upgrade. Users unable to upgrade may independently validate that the hash algorithm(s) used for metadata digest(s) and signature hash are cryptographically secure."
    },
    {
      "lang": "es",
      "value": "syslabs/sif es la implementaci\u00f3n de referencia del Formato de Imagen de Singularidad (SIF). En las versiones anteriores a 2.8.1, el paquete \"github.com/sylabs/sif/v2/pkg/integrity\" no verificaba que los algoritmos hash usados fueran criptogr\u00e1ficamente seguros cuando eran verificadas las firmas digitales. Se presenta un parche disponible en versiones posteriores a v2.8.1 incluy\u00e9ndola, del m\u00f3dulo. Es recomendado a usuarios actualizar. Los usuarios que no puedan actualizarse pueden comprobar de forma independiente que los algoritmos de hash usados para el resumen de metadatos y el hash de la firma son criptogr\u00e1ficamente seguros"
    }
  ],
  "id": "CVE-2022-39237",
  "lastModified": "2024-11-21T07:17:50.937",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "LOW",
          "baseScore": 6.3,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 3.4,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 9.8,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 5.9,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2022-10-06T18:16:10.160",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/sylabs/sif/commit/07fb86029a12e3210f6131e065570124605daeaa"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://github.com/sylabs/sif/security/advisories/GHSA-m5m3-46gj-wch8"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://security.gentoo.org/glsa/202210-19"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/sylabs/sif/commit/07fb86029a12e3210f6131e065570124605daeaa"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://github.com/sylabs/sif/security/advisories/GHSA-m5m3-46gj-wch8"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://security.gentoo.org/glsa/202210-19"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-347"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-327"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2022-39237 (GCVE-0-2022-39237)

GSD-2022-39237

GHSA-M5M3-46GJ-WCH8

Impact

Patches

Workarounds

References

For more information

OPENSUSE-SU-2024:14059-1

OPENSUSE-SU-2024:12389-1

OPENSUSE-SU-2023:0018-1

CNVD-2022-87947

FKIE_CVE-2022-39237

Tags

Sightings

Nomenclature