Hi Salvatore, On Sun, Feb 20, 2022 at 08:01:34PM +0100, Salvatore Bonaccorso wrote: > > [ Andreas Tille ] > > * Team upload. > > * Version > 3.6.x are closing CVE-2021-33622 > > Closes: #990201 > > Can you help isolate on that? > https://support.sylabs.io/support/solutions/articles/42000087130-3-5-8-security-release-cve-2021-33622- > refers the 3.6.x as beeing affected and so there is the statement that > the issue is not going to be patched in those version: > > > This issue affects open-source Singularity 3.5.x and 3.6.x. These > > versions are no longer supported and will not be patched. Yes, but in the same bug link, this is written as well: | Affected Versions | Singularity 3.5.x - 3.6.x, SingularityPRO <3.5-8. And so I thought it has been fixed in later versions. > https://bugs.debian.org/990201#10 is as well relevant in the context. Since Andreas added this entry, I suppose he somehow forgot about his own findings about the problem; and I did not scrutinize much before upload (as this was not building and that was my primary focus) > So where has this issue bin fixed? But yes, you are right, even at Mitre metadata, I do not find any information about any patch for the bug; i.e. I do not see the "code" that fixes it, and hence I too am skeptical whether or not it is really gone. For the sake of completeness, I have opened a issue upstream[1] [1]: https://github.com/sylabs/singularity/issues/586 Regards, Nilesh
Attachment:
signature.asc
Description: PGP signature