Bug#965040: singularity-container: CVE-2020-13845 CVE-2020-13846 CVE-2020-13847
Source: singularity-container
Version: 3.5.2+ds1-1
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: Debian Security Team <team@security.debian.org>
Hi,
The following vulnerabilities were published for singularity-container.
CVE-2020-13845[0]:
| Sylabs Singularity 3.0 through 3.5 has Improper Validation of an
| Integrity Check Value. Image integrity is not validated when an ECL
| policy is enforced. The fingerprint required by the ECL is compared
| against the signature object descriptor(s) in the SIF file, rather
| than to a cryptographically validated signature.
CVE-2020-13846[1]:
| Sylabs Singularity 3.5.0 through 3.5.3 fails to report an error in a
| Status Code.
CVE-2020-13847[2]:
| Sylabs Singularity 3.0 through 3.5 lacks support for an Integrity
| Check. Singularity's sign and verify commands do not sign metadata
| found in the global header or data object descriptors of a SIF file.
If you fix the vulnerabilities, please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2020-13845
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13845
[1] https://security-tracker.debian.org/tracker/CVE-2020-13846
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13846
[2] https://security-tracker.debian.org/tracker/CVE-2020-13847
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13847
Regards,
Salvatore
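Editor's note: the two integrity issues above (CVE-2020-13845, an ECL that trusts the fingerprint written in the signature descriptor instead of verifying the signature, and CVE-2020-13847, a signature that covers data object payloads but not the global header or descriptor metadata) are easier to reason about with a small model. The Go program below is an added illustration written for this page; it is not code from the bug report or from Singularity, and its Image type, field names and the ECLAllowsVulnerable/ECLAllowsFixed/PayloadOnlyDigest/FullDigest functions are a deliberately simplified, hypothetical stand-in for a SIF file with one data object, not the real SIF format. Ed25519 and SHA-256 fingerprints are used only so the example runs offline; Singularity's own key handling is not reproduced here.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Image is a toy stand-in for a SIF file reduced to one data object: global
// header, the object's descriptor metadata and payload, and a signature
// descriptor recording the signer's key fingerprint. Not the real SIF layout.
type Image struct {
	Header         string // global header metadata
	ObjMeta        string // data object descriptor metadata, e.g. fs type
	Payload        []byte // the data object itself
	SigFingerprint string // fingerprint *claimed* by the signature descriptor
	Signature      []byte
}

// Fingerprint identifies a public key as hex(SHA-256(key)).
func Fingerprint(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return hex.EncodeToString(sum[:])
}

// PayloadOnlyDigest covers only the payload; header and descriptor metadata
// stay unsigned, which is the gap CVE-2020-13847 describes.
func PayloadOnlyDigest(img *Image) []byte {
	sum := sha256.Sum256(img.Payload)
	return sum[:]
}

// FullDigest also binds header and descriptor metadata (length-prefixed so
// adjacent fields cannot be re-split), so editing either breaks the signature.
func FullDigest(img *Image) []byte {
	h := sha256.New()
	fmt.Fprintf(h, "%d:%s%d:%s%d:", len(img.Header), img.Header, len(img.ObjMeta), img.ObjMeta, len(img.Payload))
	h.Write(img.Payload)
	return h.Sum(nil)
}

// Sign records the signer's fingerprint and a signature over the chosen digest.
func Sign(img *Image, priv ed25519.PrivateKey, digest func(*Image) []byte) {
	img.SigFingerprint = Fingerprint(priv.Public().(ed25519.PublicKey))
	img.Signature = ed25519.Sign(priv, digest(img))
}

// ECLAllowsVulnerable models CVE-2020-13845: the allowed fingerprint is compared
// with the descriptor's claim and the signature itself is never verified.
func ECLAllowsVulnerable(img *Image, allowed map[string]bool) bool {
	return allowed[img.SigFingerprint]
}

// ECLAllowsFixed accepts only a signature that verifies under the trusted key
// whose fingerprint the ECL allows.
func ECLAllowsFixed(img *Image, trusted map[string]ed25519.PublicKey, digest func(*Image) []byte) bool {
	pub, ok := trusted[img.SigFingerprint]
	return ok && ed25519.Verify(pub, digest(img), img.Signature)
}

// Scenarios runs the checks on constructed images and returns each outcome by name.
func Scenarios() (map[string]bool, error) {
	trustedPub, trustedPriv, err1 := ed25519.GenerateKey(rand.Reader)
	_, attackerPriv, err2 := ed25519.GenerateKey(rand.Reader)
	if err1 != nil || err2 != nil {
		return nil, fmt.Errorf("key generation failed: %v %v", err1, err2)
	}
	fp := Fingerprint(trustedPub)
	allowed := map[string]bool{fp: true}
	trusted := map[string]ed25519.PublicKey{fp: trustedPub}
	out := map[string]bool{}

	// Attacker signs with their own key but copies the trusted fingerprint into
	// the descriptor: the vulnerable ECL accepts it, the fixed one rejects it.
	forged := &Image{Header: "app", ObjMeta: "squashfs", Payload: []byte("malicious rootfs")}
	Sign(forged, attackerPriv, PayloadOnlyDigest)
	forged.SigFingerprint = fp
	out["forged_passes_vulnerable_ecl"] = ECLAllowsVulnerable(forged, allowed)
	out["forged_passes_fixed_ecl"] = ECLAllowsFixed(forged, trusted, PayloadOnlyDigest)

	// A genuine image passes the fixed ECL, but editing descriptor metadata after
	// signing goes unnoticed when only the payload was signed.
	genuine := &Image{Header: "app", ObjMeta: "squashfs", Payload: []byte("rootfs")}
	Sign(genuine, trustedPriv, PayloadOnlyDigest)
	out["genuine_passes_fixed_ecl"] = ECLAllowsFixed(genuine, trusted, PayloadOnlyDigest)
	genuine.ObjMeta = "ext3"
	out["meta_tamper_passes_payload_only"] = ECLAllowsFixed(genuine, trusted, PayloadOnlyDigest)

	// With header and descriptor bound into the digest, the same edit fails.
	bound := &Image{Header: "app", ObjMeta: "squashfs", Payload: []byte("rootfs")}
	Sign(bound, trustedPriv, FullDigest)
	bound.ObjMeta = "ext3"
	out["meta_tamper_passes_full_digest"] = ECLAllowsFixed(bound, trusted, FullDigest)
	return out, nil
}

func main() {
	out, err := Scenarios()
	fmt.Println(out, err)
}
```

The two points the model makes are the ones the advisories make: an allow-list that only compares the fingerprint a file claims about itself is an authorisation check without authentication, so the fix has to verify the signature against the key the fingerprint names; and a signature that omits the header and descriptors lets an attacker change what the image says about its own contents without touching the signed bytes, so the signed digest must bind that metadata too.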