updating changelog with security information

apptainer · Jul 3, 2018 · 4d6044d · 4d6044d
1 parent 2185886
commit 4d6044d
Show file tree

Hide file tree

Showing 2 changed files with 26 additions and 10 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -14,19 +14,27 @@ and changes prior to that are (unfortunately) done retrospectively. Critical ite
 
 ## [v2.5.2](https://github.com/singularityware/singularity/releases/tag/2.5.2) (2018-07-03)
 
+### [Security related fixes](https://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-12021)
+ - Removed the option to use overlay images with `singularity mount`.  This 
+   flaw could allow a malicious user accessing the host system to access
+   sensitive information when coupled with persistent ext3 overlay.
+ - Fixed a race condition that might allow a malicious user to bypass directory 
+   image restrictions, like mounting the host root filesystem as a container 
+   image
+
 ### Bug fixes
- - fix an error in malloc allocation #1620
- - honor debug flag when pulling from docker hub #1556
- - fix a bug with passwd abort #1580
- - allow user to override singularity.conf "mount home = no" with --home option
+ - Fix an error in malloc allocation #1620
+ - Honor debug flag when pulling from docker hub #1556
+ - Fix a bug with passwd abort #1580
+ - Allow user to override singularity.conf "mount home = no" with --home option
    #1496
  - Improve debugging output #1535
  - Fix some bugs in bind mounting #1525
  - Define PR_(S|G)ET_NO_NEW_PRIVS in user space so that these features will 
    work with kernels that implement them (like Cray systems) #1506
  - Create /dev/fd and standard streams symlinks in /dev when using minimal dev
    mount or when specifying -c/-C/--contain option #1420
- - fixed * expansion during app runscript creation #1486
+ - Fixed * expansion during app runscript creation #1486
 
 ## [v2.5.1](https://github.com/singularityware/singularity/releases/tag/2.5.1) (2018-05-03)
 

diff --git a/debian/changelog b/debian/changelog
@@ -1,17 +1,25 @@
 singularity-container (2.5.2) unstable; urgency=high
 
-  * fix an error in malloc allocation #1620
-  * honor debug flag when pulling from docker hub #1556
-  * fix a bug with passwd abort #1580
-  * allow user to override singularity.conf "mount home = no" with --home option
+  * Removed the option to use overlay images with `singularity mount`.  This
+  * flaw could allow a malicious user accessing the host system to access
+  * sensitive information when coupled with persistent ext3 overlay.
+  * Fixed a race condition that might allow a malicious user to bypass 
+    directory
+  * image restrictions, like mounting the host root filesystem as a container
+  * image
+  * Fix an error in malloc allocation #1620
+  * Honor debug flag when pulling from docker hub #1556
+  * Fix a bug with passwd abort #1580
+  * Allow user to override singularity.conf "mount home = no" with --home 
+    option
   * #1496
   * Improve debugging output #1535
   * Fix some bugs in bind mounting #1525
   * Define PR_(S|G)ET_NO_NEW_PRIVS in user space so that these features will
   * work with kernels that implement them (like Cray systems) #1506
   * Create /dev/fd and standard streams symlinks in /dev when using minimal dev
   * mount or when specifying -c/-C/--contain option #1420
-  * fixed * expansion during app runscript creation #1486
+  * Fixed * expansion during app runscript creation #1486
 
 singularity-container (2.5.1) unstable; urgency=high