Source: singularity-container Version: 3.1.1+ds-1 Severity: grave Tags: security upstream
Hi, The following vulnerability was published for singularity-container. CVE-2019-11328[0]: | An issue was discovered in Singularity 3.1.0 to 3.2.0-rc2, a malicious | user with local/network access to the host system (e.g. ssh) could | exploit this vulnerability due to insecure permissions allowing a user | to edit files within | `/run/singularity/instances/sing/<user>/<instance>`. The | manipulation of those files can change the behavior of the starter- | suid program when instances are joined resulting in potential | privilege escalation on the host. Could you furthermore check, is this only introduced in the 3.1.0 series really or just are those the versions checked for the issue, but earlier versions might be affected as well? If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2019-11328 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11328 Please adjust the affected versions in the BTS as needed. Regards, Salvatore
