DT is correct, this change is subject to the EPEL incompatible change
policy. apptainer-suid-1.1.8 by default disables mounting of ext3
filesystems, because of CVE-2023-30549
https://github.com/apptainer/apptainer/security/advisories/GHSA-j4rf-7357-f…
Most users don't use this feature, but a significant minority does.
Apptainer has a non-setuid alternative for the same functionality if
unprivileged user namespaces are available.
The summary of the CVE is that the way that apptainer & singularity
allow mounts of ext3 filesystems in setuid mode raises the severity of
many ext4 filesystem CVEs (ext3 filesystems are implemented by the ext4
driver). OS vendors consider those CVEs to be low or moderate priority
because they assume that users do not have write access to the
underlying bits of the filesystem, but apptainer/singularity setuid mode
gives that access to users by default (before this release of apptainer).
Since vendors don't see urgency to patch low/moderate CVEs, it can take
a very long time for them to patch them and in fact RHEL7 is not patched
for one in particular. All this information came from a reliable source,
the owner of the ext4 kernel driver.
I am sorry to see that I have already done one step too many according
to the incompatible changes policy, and have made the release available
to epel-testing. However, I think it's important to make it available
that way for system administrators to install early. The large High
Energy Physics community that I represent has security teams that want
to be able to notify their site administrators to upgrade to respond to
this high severity CVE, and it would be so much better if the
announcement they send can say to install from epel-testing rather than
having to provide URLs to download from koji.
So, to the EPEL Steering Committee members: must I unpublish this update
from testing, or may I leave it there and send an announcement to
epel-announce that it is there and pending approval by the committee?
The bodhi settings are set so they won't get auto-updated by karma or
time.
And another question: should I submit an epel ticket for this? The
policy doesn't mention that.
Dave
On Wed, Apr 26, 2023 at 09:41:16AM +0100, David Trudgian wrote:
> Subject: Re: apptainer 1.1.8-1 appears to be an incompatible upgrade for apptainer-suid users
>
> Hello,
>
> The maintainer of the apptainer package has submitted updates to version 1.1.8-1 against epel-testing:
>
> https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2023-18a0e3fa23
> https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2023-44ff2475c4
> https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2023-b31211e2ce
>
> I believe that the update should be considered an incompatible upgrade, requiring the incompatible upgrades policy to be followed, as it significantly changes behaviour for users who have the apptainer-setuid sub-package installed.
>
> The update now disallows, by default, workflows that involve ext format container images and overlays:
>
> ```
> # Before update
> $ apptainer exec sif-overlay.sif /bin/date
> Wed Apr 26 09:12:37 BST 2023
>
> # Update to the testing package
> $ sudo dnf update --enablerepo=epel-testing apptainer-suid
>
> # After update
> $ apptainer exec sif-overlay.sif /bin/date
> FATAL: configuration disallows users from mounting SIF extfs partition in setuid mode, try --userns
> ```
>
> I understand that the update is related to a security issue that upstream has published:
>
> CVE-2023-30549 - https://github.com/apptainer/apptainer/security/advisories/GHSA-j4rf-7357-f…
>
> However, I don't think this exempts the update from the incompatible upgrades policy?
>
> I'd also like to note that CVE-2023-30549 is dependent on and potentially a duplicate of CVE-2022-1184, which has been patched in EL8 and EL9, but admittedly not in EL7.
>
> Thanks,
>
> DT
>
>
The apptainer-suid package version 1.1.8 now in epel-testing has an
incompatible change because of a security vulnerability. The change is
that a new option "allow setuid-mount extfs" was added which defaults to
no, preventing ordinary users from mounting ext3 filesystems in
setuid-root mode. Those filesystems are used by a subset of users
primarily for the overlay feature which adds changes on top of a base
container image. If unprivileged user namespaces are enabled, users
will still be able to mount ext3 filesystems by using the "-u/--userns"
option, or if the apptainer-suid package is removed. If system
administrators review the vulnerability description at
https://github.com/apptainer/apptainer/security/advisories/GHSA-j4rf-7357-f…
and decide they still want to allow setuid-root access to this feature,
they can enable it by setting "allow setuid-mount extfs = yes" in
/etc/apptainer/apptainer.conf.
This package will not be promoted to the epel repository for at least
two weeks, pending approval by the EPEL Steering Committee according to
the EPEL incompatible change policy.
Apptainer 1.1.8 release notes are at
https://github.com/apptainer/apptainer/releases/tag/v1.1.8
Dave
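An added administrator check, not Apptainer's own code, that reads the effective "allow setuid-mount extfs" value from an apptainer.conf and reports whether the -u/--userns fallback is usable on the host. The "key = value" line format is taken from the announcement above; treating a non-zero /proc/sys/user/max_user_namespaces as the indicator that unprivileged user namespaces are available is an assumption.

```shell
#!/bin/sh
# Added audit helper (not part of the Apptainer project). It reports whether
# a host's apptainer.conf still allows setuid-root mounting of ext3 images
# and whether the --userns fallback can be used instead. The line format
# comes from the EPEL announcement; the user-namespace check via
# /proc/sys/user/max_user_namespaces is an assumption.

# Print the effective value ("yes"/"no") of "allow setuid-mount extfs".
# Apptainer 1.1.8 defaults to "no", so a missing key or file means "no".
# Commented-out lines are skipped; the last live setting wins.
apptainer_extfs_setuid_allowed() {
    conf="${1:-/etc/apptainer/apptainer.conf}"
    val=$(sed -n 's/^[[:space:]]*allow setuid-mount extfs[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*/\1/p' \
              "$conf" 2>/dev/null | tail -n 1)
    echo "${val:-no}"
}

# True when the kernel's user namespace limit is greater than zero, which
# is what the -u/--userns fallback needs (assumed indicator).
unprivileged_userns_available() {
    limit_file="${1:-/proc/sys/user/max_user_namespaces}"
    n=$(cat "$limit_file" 2>/dev/null || echo 0)
    [ "$n" -gt 0 ] 2>/dev/null
}

# One-line verdict for an administrator deciding what to tell overlay users.
# Arguments: [apptainer.conf path] [user namespace limit file]
apptainer_extfs_report() {
    if [ "$(apptainer_extfs_setuid_allowed "$1")" = "yes" ]; then
        echo "setuid extfs mounts ALLOWED: review the advisory before keeping this"
    elif unprivileged_userns_available "$2"; then
        echo "setuid extfs mounts blocked: overlay users must pass --userns"
    else
        echo "setuid extfs mounts blocked and user namespaces unavailable: overlays will fail"
    fi
}

# Run directly with --report to audit the local host.
if [ "${1:-}" = "--report" ]; then
    apptainer_extfs_report
fi
```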
Hello EPEL packagers,
The latest version of the Rust packaging toolchain will soon be
available for EPEL 9 (i.e. rust2rpm v24, rust-packaging v24, and
cargo2rpm v0.1). This is a major upgrade from rust2rpm v21 which is
currently in EPEL 9, but also comes with the drawback that it now
requires Python >= 3.10.
However, I have split the Rust packaging tools into three separate
projects (previously everything was in a monorepo) to make packaging
them easier:
The two components which are needed at build-time (RPM macros + the
cargo2rpm Python module that powers them) can still be built for EPEL
9, as cargo2rpm has no third-party dependencies and only needs Python
>= 3.10, and will hence be built with python3.11 on EPEL 9 as soon as
that is available.
The spec generator (rust2rpm) has also been split off from
rust-packaging into a separate package, which will *not* be available
on EPEL 9. rust2rpm requires Python >= 3.10, but it also has a few
non-trivial third-party dependencies (most notably, jinja2). Since
most Rust packagers primarily work on Fedora, I don't think the effort
of packaging all missing dependencies for Python 3.11 just to make
/usr/bin/rust2rpm available for EPEL 9 would be worth it.
There are three Pull Requests which will implement this update:
https://src.fedoraproject.org/rpms/cargo2rpm/pull-request/1
https://src.fedoraproject.org/rpms/rust-packaging/pull-request/6
https://src.fedoraproject.org/rpms/epel-rpm-macros/pull-request/65
(kudos to @gotmax23!)
These changes (i.e. rust-packaging v24 + cargo2rpm) have now been live
in "production" in Fedora for over a week, and based on user and CI
feedback, I expect these updates to cause no regressions on EPEL 9.
Fabio
The following Fedora EPEL 7 Security updates need testing:
Age URL
5 https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2023-30f3deb00a chromium-112.0.5615.165-1.el7
3 https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2023-18a0e3fa23 apptainer-1.1.8-1.el7
The following builds have been pushed to Fedora EPEL 7 updates-testing
baresip-3.1.0-1.el7
libre-3.1.0-1.el7
zarafa-7.1.14-6.el7
Details about builds:
================================================================================
baresip-3.1.0-1.el7 (FEDORA-EPEL-2023-f0cf349021)
Modular SIP user-agent with audio and video support
--------------------------------------------------------------------------------
Update Information:
# Baresip v3.1.0 (2023-04-27)
- config: add `net_af` config setting
- gzrtp: RX thread - safe stop
- ci: avoid hardcoded OpenSSL path on macOS
- fix cmake modules
- cmake/mqtt: fix `MOSQUITTO_LIBRARY`
- mc: send module event whenever receiver is stopped
- menu: limit early audio TX streams
- call: check if SIP UPDATE is allowed, but always update local media
- account: increase line handler size to 1024 characters
- cmake: avoid include of `/usr/local/include`
- call,audio: respect SDP media dir on audio start similar to video
- video: refactor paced and burst sending
- ctrl_dbus,ice,png_vf: Fix format string usage
- menu: limit early video
- play: flush of the aubuf directly before the replay starts
- stream: fix setting of RTP tos for IPv6
- call: only flush audio stream when stream starts
- menu: use busy tone when call declined (scode 603)
- ua: incoming DTMF `key=0` should be reported as DTMF end
- video: fix possible 32bit overflow
- ua: deref call on `reset_transp` fail
- uag: avoid transport reset if local address has not changed
- ci: add gcc-12 for Ubuntu 22.04 (ubuntu-latest)
- docs: remove librem from README files
# libre v3.1.0 (2023-04-27)
- ci: bump mingw openssl to 3.1.0
- thread: add `cnd_timedwait()`
- Add tls and http apis for post handshake
- ci/sanitizers: add multi thread testing
- ci/win: use separate retest step
- thread: fix `pthread_setname_np` thread pointer deref
- ci: add FreeBSD test
- cmake: bump minimum version of OpenSSL to 1.1.1
- ci: avoid hardcoded OpenSSL path on macOS
- sip,uri,test: Escape SIP URIs
- udp: add a lock for the helpers list
- rem/vidmix: add position index handling
- aubuf: set auframe fields correct in read_auframe loop
- list: refactor/optimize `list_insert_sorted`
- ci/freebsd: remove openssl-devel
- tmr: add `tmr_continue()`
- ci,cmake: replace C99 check by strict C99 and C11 checks
- atomic: Fix missing memory order arguments in MSVC atomic functions
- thread: remove win32 `SetThreadDescription`
--------------------------------------------------------------------------------
ChangeLog:
* Thu Apr 27 2023 Robert Scheck <robert(a)fedoraproject.org> 3.1.0-1
- Upgrade to 3.1.0 (#2190310)
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #2190309 - libre-3.1.0 is available
https://bugzilla.redhat.com/show_bug.cgi?id=2190309
[ 2 ] Bug #2190310 - baresip-3.1.0 is available
https://bugzilla.redhat.com/show_bug.cgi?id=2190310
--------------------------------------------------------------------------------
================================================================================
libre-3.1.0-1.el7 (FEDORA-EPEL-2023-f0cf349021)
Generic library for real-time communications
--------------------------------------------------------------------------------
Update Information:
(same update FEDORA-EPEL-2023-f0cf349021 as baresip-3.1.0-1.el7 above; the Baresip v3.1.0 and libre v3.1.0 change lists are given there)
--------------------------------------------------------------------------------
ChangeLog:
* Thu Apr 27 2023 Robert Scheck <robert(a)fedoraproject.org> 3.1.0-1
- Upgrade to 3.1.0 (#2190309)
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #2190309 - libre-3.1.0 is available
https://bugzilla.redhat.com/show_bug.cgi?id=2190309
[ 2 ] Bug #2190310 - baresip-3.1.0 is available
https://bugzilla.redhat.com/show_bug.cgi?id=2190310
--------------------------------------------------------------------------------
================================================================================
zarafa-7.1.14-6.el7 (FEDORA-EPEL-2023-342b96903b)
Open Source Edition of the Zarafa Collaboration Platform
--------------------------------------------------------------------------------
Update Information:
- Backported patch from Debian to fix CVE-2022-26562 (#2192126)
--------------------------------------------------------------------------------
ChangeLog:
* Sun Apr 30 2023 Robert Scheck <robert(a)fedoraproject.org> 7.1.14-6
- Backported patch from Debian to fix CVE-2022-26562 (#2192126)
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #2192126 - CVE-2022-26562: zarafa: Missing account validation in ECPAMAuthenticateUser()
https://bugzilla.redhat.com/show_bug.cgi?id=2192126
--------------------------------------------------------------------------------