Hello,

The maintainer of the apptainer package has submitted updates to version 1.1.8-1 against epel-testing:

https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2023-18a0e3fa23
https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2023-44ff2475c4
https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2023-b31211e2ce

I believe that the update should be considered an incompatible upgrade, requiring the incompatible upgrades policy to be followed, as it significantly changes behaviour for users who have the apptainer-setuid sub-package installed. The update now disallows, by default, workflows that involve ext format container images and overlays:

```
# Before update
$ apptainer exec sif-overlay.sif /bin/date
Wed Apr 26 09:12:37 BST 2023

# Update to the testing package
$ sudo dnf update --enablerepo=epel-testing apptainer-suid

# After update
$ apptainer exec sif-overlay.sif /bin/date
FATAL: configuration disallows users from mounting SIF extfs partition in setuid mode, try --userns
```

I understand that the update is related to a security issue that upstream has published:

CVE-2023-30549 - https://github.com/apptainer/apptainer/security/advisories/GHSA-j4rf-7357-f4cg

However, I don't think this exempts the update from the incompatible upgrades policy?

I'd also like to note that CVE-2023-30549 is dependent on and potentially a duplicate of CVE-2022-1184, which has been patched in EL8 and EL9, but admittedly not in EL7.

Thanks,
DT