@@ -9,7 +9,31 @@ _With the release of `v3.0.0`, we're introducing a new changelog format in an at
99
1010_ The old changelog can be found in the ` release-2.6 ` branch_
1111
12- # Changes since v3.6.2
12+ # v3.6.3 - [ 2020-09-15]
13+
14+ ## Security related fixes
15+
16+ Singularity 3.6.3 addresses the following security issues.
17+
18+ - [ CVE-2020 -25039] ( https://github.com/hpcng/singularity/security/advisories/GHSA-w6v2-qchm-grj7 ) :
19+ When a Singularity action command (run, shell, exec) is run with
20+ the fakeroot or user namespace option, Singularity will extract a
21+ container image to a temporary sandbox directory. Due to insecure
22+ permissions on the temporary directory it is possible for any user
23+ with access to the system to read the contents of the
24+ image. Additionally, if the image contains a world-writable file
25+ or directory, it is possible for a user to inject arbitrary
26+ content into the running container.
27+
28+ - [ CVE-2020 -25040] ( https://github.com/hpcng/singularity/security/advisories/GHSA-jv9c-w74q-6762 ) :
29+ When a Singularity command that results in a container build
30+ operation is executed, it is possible for a user with access to
31+ the system to read the contents of the image during the
32+ build. Additionally, if the image contains a world-writable file
33+ or directory, it is possible for a user to inject arbitrary
34+ content into the running build, which in certain circumstances may
35+ enable arbitrary code execution during the build and/or when the
36+ built container is run.
1337
1438## Bug Fixes
1539
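Review bot: Both advisory entries (CVE-2020-25039 and CVE-2020-25040) describe the vulnerability and its impact but say nothing about what v3.6.3 actually changes to close it, which is the one thing a reader of a "Security related fixes" section needs in order to decide whether upgrading alone is sufficient; consider adding a sentence to each entry stating the fix (for example, how the temporary sandbox directory and the build directory are now protected) and whether any operator action beyond upgrading is required. Two smaller points on the same hunk: if the spacing in `[ CVE-2020 -25039] ( https://... )` is really in the file and not a display artifact, the spaces inside the brackets and between `]` and `(` will stop it rendering as a Markdown link, so it should read `[CVE-2020-25039](https://...)`; and the heading is more naturally hyphenated as `## Security-related fixes`.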