Source: singularity-container
Version: 3.5.2+ds1-1
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: Debian Security Team <t...@security.debian.org>

Hi,

The following vulnerabilities were published for singularity-container.

CVE-2020-13845[0]:
| Sylabs Singularity 3.0 through 3.5 has Improper Validation of an
| Integrity Check Value. Image integrity is not validated when an ECL
| policy is enforced. The fingerprint required by the ECL is compared
| against the signature object descriptor(s) in the SIF file, rather
| than to a cryptographically validated signature.

CVE-2020-13846[1]:
| Sylabs Singularity 3.5.0 through 3.5.3 fails to report an error in a
| Status Code.

CVE-2020-13847[2]:
| Sylabs Singularity 3.0 through 3.5 lacks support for an Integrity
| Check. Singularity's sign and verify commands do not sign metadata
| found in the global header or data object descriptors of a SIF file.

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2020-13845
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13845
[1] https://security-tracker.debian.org/tracker/CVE-2020-13846
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13846
[2] https://security-tracker.debian.org/tracker/CVE-2020-13847
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13847

Regards,
Salvatore
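The two integrity bugs above (CVE-2020-13845 and CVE-2020-13847) are easy to misread as the same issue, so here is an added illustration of both in Go; it is not part of the bug report and not Singularity's or the SIF library's code. It models a SIF-like image as a toy struct (the `Image`/`Descriptor` types, the `TOYSIF` header string and the ed25519 signing are all assumptions made for the example, not the real format). `eclByFingerprint` reproduces the 13845 pattern: the ECL decision is made by comparing the fingerprint string an image carries in its signature descriptor against the allow-list, so an attacker just writes a trusted fingerprint next to garbage signature bytes. `payloadOnly` reproduces the 13847 pattern: the signature covers only the object bytes, so the global header and descriptor metadata can be edited after signing without invalidating it. `eclVerified` with `headerAndDescriptors` shows the shape of a fix for both: look the key up in the local trust store, verify the signature cryptographically, and include the header and descriptor metadata in what is signed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Toy stand-in for a SIF image. Field names are assumptions for this
// illustration, not the real SIF layout.
type Descriptor struct {
	Kind      string // "partition" or "signature"
	Flags     string // descriptor metadata, e.g. partition role
	Target    int    // for a signature descriptor: index of the object it covers
	ClaimedFP string // signer fingerprint as written in the descriptor (attacker-controlled)
}

type Image struct {
	Header []byte       // global header
	Descs  []Descriptor // Descs[i] describes Data[i]
	Data   [][]byte     // partition payload or raw signature bytes
}

// Coverage selects the bytes a signature over object `target` protects.
type Coverage func(img *Image, target int) []byte

// payloadOnly mirrors CVE-2020-13847: only the object bytes are signed.
func payloadOnly(img *Image, target int) []byte { return img.Data[target] }

// headerAndDescriptors also binds the global header and the target's descriptor metadata.
func headerAndDescriptors(img *Image, target int) []byte {
	d := img.Descs[target]
	msg := append([]byte{}, img.Header...)
	msg = append(msg, []byte(fmt.Sprintf("|%s|%s|%d|", d.Kind, d.Flags, target))...)
	return append(msg, img.Data[target]...)
}

func fingerprint(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return hex.EncodeToString(sum[:])
}

func newImage(payload []byte) *Image {
	return &Image{
		Header: []byte("TOYSIF v1 primary=0"),
		Descs:  []Descriptor{{Kind: "partition", Flags: "primary"}},
		Data:   [][]byte{payload},
	}
}

// sign appends a signature descriptor plus signature bytes covering cov(img, target).
func sign(img *Image, priv ed25519.PrivateKey, target int, cov Coverage) {
	sig := ed25519.Sign(priv, cov(img, target))
	pub := priv.Public().(ed25519.PublicKey)
	img.Descs = append(img.Descs, Descriptor{Kind: "signature", Target: target, ClaimedFP: fingerprint(pub)})
	img.Data = append(img.Data, sig)
}

// eclByFingerprint is the CVE-2020-13845 pattern: it trusts the fingerprint
// string recorded in the descriptor and never verifies a signature.
func eclByFingerprint(img *Image, trusted map[string]ed25519.PublicKey) bool {
	for _, d := range img.Descs {
		if _, ok := trusted[d.ClaimedFP]; d.Kind == "signature" && ok {
			return true
		}
	}
	return false
}

// eclVerified takes the key from the local trust store (never from the image)
// and accepts only if that key verifies the signature over cov's bytes.
func eclVerified(img *Image, trusted map[string]ed25519.PublicKey, cov Coverage) bool {
	for i, d := range img.Descs {
		if d.Kind != "signature" {
			continue
		}
		if pub, ok := trusted[d.ClaimedFP]; ok && ed25519.Verify(pub, cov(img, d.Target), img.Data[i]) {
			return true
		}
	}
	return false
}

// forgedImageAccepted: a signature descriptor that merely claims a trusted
// fingerprint, with bytes that are not a signature at all (constructed input).
func forgedImageAccepted() (byFingerprint, verified bool) {
	pub, _, _ := ed25519.GenerateKey(rand.Reader)
	trusted := map[string]ed25519.PublicKey{fingerprint(pub): pub}
	img := newImage([]byte("malicious rootfs"))
	img.Descs = append(img.Descs, Descriptor{Kind: "signature", Target: 0, ClaimedFP: fingerprint(pub)})
	img.Data = append(img.Data, []byte("not a real signature"))
	return eclByFingerprint(img, trusted), eclVerified(img, trusted, payloadOnly)
}

// tamperedMetadataAccepted: a genuinely signed image whose header and
// descriptor metadata are edited afterwards, payload untouched.
func tamperedMetadataAccepted() (payloadOnlyAccepts, fullCoverageAccepts bool) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	trusted := map[string]ed25519.PublicKey{fingerprint(pub): pub}
	a, b := newImage([]byte("trusted rootfs")), newImage([]byte("trusted rootfs"))
	sign(a, priv, 0, payloadOnly)
	sign(b, priv, 0, headerAndDescriptors)
	for _, img := range []*Image{a, b} {
		img.Header = []byte("TOYSIF v1 primary=1") // point the loader at a different partition
		img.Descs[0].Flags = "secondary"
	}
	return eclVerified(a, trusted, payloadOnly), eclVerified(b, trusted, headerAndDescriptors)
}

func main() {
	f, v := forgedImageAccepted()
	fmt.Printf("forged image: fingerprint-only ECL=%v, verified ECL=%v\n", f, v)
	p, h := tamperedMetadataAccepted()
	fmt.Printf("tampered metadata: payload-only signature=%v, header+descriptor signature=%v\n", p, h)
}
```

The point of the trust-store lookup in `eclVerified` is that the fingerprint in the image is only an index into keys the verifier already trusts; it is never itself evidence. Likewise, what counts as "the image" for signing has to include every byte the loader acts on, including the header and descriptors, or an attacker can re-point a valid signature at different metadata.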