Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package apptainer for openSUSE:Factory 
checked in at 2022-10-08 01:25:47
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/apptainer (Old)
 and      /work/SRC/openSUSE:Factory/.apptainer.new.2275 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "apptainer"

Sat Oct  8 01:25:47 2022 rev:8 rq:1008781 version:1.1.2

Changes:
--------
--- /work/SRC/openSUSE:Factory/apptainer/apptainer.changes      2022-09-29 
18:13:05.843224806 +0200
+++ /work/SRC/openSUSE:Factory/.apptainer.new.2275/apptainer.changes    
2022-10-08 01:26:15.478371807 +0200
@@ -1,0 +2,10 @@
+Fri Oct  7 12:42:57 UTC 2022 - Christian Goll <[email protected]>
+
+- Udpated to 1.1.2 which fixed CVE-2022-39237
+  * CVE-2022-39237: The sif dependency included in Apptainer before this
+    release does not verify that the hash algorithm(s) used are
+    cryptographically secure when verifying digital signatures. This release
+    updates to sif v2.8.1 which corrects this issue. See the linked advisory
+    for references and a workaround.
+
+-------------------------------------------------------------------
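
Review bot: The entry ends with "See the linked advisory", but this plain-text changelog carries no link, so a reader of apptainer.changes has nothing to follow. Add the advisory URL; the upstream CHANGELOG.md in this same update points to https://github.com/sylabs/sif/security/advisories/GHSA-m5m3-46gj-wch8. The first bullet also has a typo, "Udpated" for "Updated".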

Old:
----
  apptainer-1.1.0.tar.gz

New:
----
  apptainer-1.1.2.tar.gz

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ apptainer.spec ++++++
--- /var/tmp/diff_new_pack.fT7391/_old  2022-10-08 01:26:17.838377219 +0200
+++ /var/tmp/diff_new_pack.fT7391/_new  2022-10-08 01:26:17.842377228 +0200
@@ -25,7 +25,7 @@
 License:        BSD-3-Clause-LBNL
 Group:          Productivity/Clustering/Computing
 Name:           apptainer
-Version:        1.1.0
+Version:        1.1.2
 Release:        0
 # https://spdx.org/licenses/BSD-3-Clause-LBNL.html
 URL:            https://apptainer.org

++++++ apptainer-1.1.0.tar.gz -> apptainer-1.1.2.tar.gz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/apptainer-1.1.0/CHANGELOG.md 
new/apptainer-1.1.2/CHANGELOG.md
--- old/apptainer-1.1.0/CHANGELOG.md    2022-09-27 16:55:22.000000000 +0200
+++ new/apptainer-1.1.2/CHANGELOG.md    2022-10-06 21:51:39.000000000 +0200
@@ -5,6 +5,19 @@
 and re-branded as Apptainer.
 For older changes see the [archived Singularity change 
log](https://github.com/apptainer/singularity/blob/release-3.8/CHANGELOG.md).
 
+## v1.1.2 - \[2022-10-06\]
+
+- 
[CVE-2022-39237](https://github.com/sylabs/sif/security/advisories/GHSA-m5m3-46gj-wch8):
+  The sif dependency included in Apptainer before this release does not
+  verify that the hash algorithm(s) used are cryptographically secure
+  when verifying digital signatures. This release updates to sif v2.8.1
+  which corrects this issue. See the linked advisory for references and
+  a workaround.
+
+## v1.1.1 - \[2022-10-06\]
+
+Accidentally included no code changes.
+
 ## v1.1.0 - \[2022-09-27\]
 
 ### Changed defaults / behaviours
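
Review bot: The v1.1.1 entry, "Accidentally included no code changes.", does not say what that means for CVE-2022-39237. Read literally, v1.1.1 lacks the sif v2.8.1 update described under v1.1.2, and both entries carry the same date. State explicitly that v1.1.1 does not contain the fix and that v1.1.2 is the first fixed release, so nobody pins v1.1.1 believing it is patched.
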
@@ -40,8 +53,6 @@
   Persistent overlay works when the overlay path points to a regular
   filesystem (known as "sandbox" mode, which is not allowed when in
   setuid mode), or when it points to an EXT3 image.
-  Does not work with a SIF partition because that requires privileges to
-  mount as an ext3 image.
 - Extended the `--fakeroot` option to be useful when `/etc/subuid` and
   `/etc/subgid` mappings have not been set up.
   If they have not been set up, a root-mapped unprivileged user namespace
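
Review bot: The two removed lines ("Does not work with a SIF partition because that requires privileges to mount as an ext3 image.") change what the changelog says about persistent overlay in text that predates this release, and the v1.1.2 notes added above do not mention it. If the limitation no longer applies, say so positively in the entry; if the sentence was simply wrong, note the correction. As it stands the entry is silent on SIF partitions.
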
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/apptainer-1.1.0/INSTALL.md 
new/apptainer-1.1.2/INSTALL.md
--- old/apptainer-1.1.0/INSTALL.md      2022-09-27 16:55:22.000000000 +0200
+++ new/apptainer-1.1.2/INSTALL.md      2022-10-06 21:51:39.000000000 +0200
@@ -136,7 +136,7 @@
 for example:
 
 ```sh
-git checkout v1.1.0
+git checkout v1.1.2
 ```
 
 ## Compiling Apptainer
@@ -250,7 +250,7 @@
 <!-- markdownlint-disable MD013 -->
 
 ```sh
-VERSION=1.1.0  # this is the apptainer version, change as you need
+VERSION=1.1.2  # this is the apptainer version, change as you need
 # Fetch the source
 wget 
https://github.com/apptainer/apptainer/releases/download/v${VERSION}/apptainer-${VERSION}.tar.gz
 ```
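
Review bot: The fenced block in this hunk fetches the release tarball with wget and nothing in it verifies the download. For a release whose purpose is a signature-verification fix, consider following the wget line with a checksum or signature check of apptainer-${VERSION}.tar.gz, if the project publishes one with its releases.
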
@@ -299,7 +299,7 @@
 <!-- markdownlint-disable MD013 -->
 
 ```sh
-VERSION=1.1.0 # this is the latest apptainer version, change as you need
+VERSION=1.1.2 # this is the latest apptainer version, change as you need
 ./mconfig
 make -C builddir rpm
 sudo rpm -ivh ~/rpmbuild/RPMS/x86_64/apptainer-$(echo $VERSION|tr - 
\~)*.x86_64.rpm 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/apptainer-1.1.0/LICENSE_DEPENDENCIES.md 
new/apptainer-1.1.2/LICENSE_DEPENDENCIES.md
--- old/apptainer-1.1.0/LICENSE_DEPENDENCIES.md 2022-09-27 16:55:22.000000000 
+0200
+++ new/apptainer-1.1.2/LICENSE_DEPENDENCIES.md 2022-10-06 21:51:39.000000000 
+0200
@@ -383,6 +383,12 @@
 
 **License URL:** <https://github.com/apptainer/sif/blob/master/v2/LICENSE.md>
 
+## github.com/cloudflare/circl
+
+**License:** BSD-3-Clause
+
+**License URL:** <https://github.com/cloudflare/circl/blob/master/LICENSE>
+
 ## github.com/cyphar/filepath-securejoin
 
 **License:** BSD-3-Clause
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/apptainer-1.1.0/go.mod new/apptainer-1.1.2/go.mod
--- old/apptainer-1.1.0/go.mod  2022-09-27 16:55:22.000000000 +0200
+++ new/apptainer-1.1.2/go.mod  2022-10-06 21:51:39.000000000 +0200
@@ -4,12 +4,12 @@
 
 require (
        github.com/Netflix/go-expect v0.0.0-20220104043353-73e0943537d2
-       github.com/ProtonMail/go-crypto v0.0.0-20220517143526-88bb52951d5b
+       github.com/ProtonMail/go-crypto v0.0.0-20220824120805-4b6e5c587895
        github.com/adigunhammedolalekan/registry-auth 
v0.0.0-20200730122110-8cde180a3a60
        github.com/apex/log v1.9.0
        github.com/apptainer/container-key-client v0.8.0
        github.com/apptainer/container-library-client v1.3.3
-       github.com/apptainer/sif/v2 v2.7.2
+       github.com/apptainer/sif/v2 v2.8.1
        github.com/blang/semver/v4 v4.0.0
        github.com/buger/jsonparser v1.1.1
        github.com/cenkalti/backoff/v4 v4.1.3
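
Review bot: Besides sif v2.7.2 to v2.8.1, this hunk moves github.com/ProtonMail/go-crypto from 20220517143526-88bb52951d5b to 20220824120805-4b6e5c587895, which the changelog for this release does not mention. go-crypto is a direct requirement here and is pinned by pseudo-version to a specific commit, so record in the changelog or commit message whether the bump is required by sif v2.8.1 or is an independent update.
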
@@ -76,6 +76,7 @@
        github.com/bugsnag/panicwrap v1.2.0 // indirect
        github.com/cespare/xxhash/v2 v2.1.2 // indirect
        github.com/cilium/ebpf v0.7.0 // indirect
+       github.com/cloudflare/circl v1.1.0 // indirect
        github.com/containerd/cgroups v1.0.3 // indirect
        github.com/containers/libtrust v0.0.0-20200511145503-9c3a6c22cd9a // 
indirect
        github.com/containers/ocicrypt v1.1.5 // indirect
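
Review bot: github.com/cloudflare/circl v1.1.0 enters the build as a new indirect cryptographic dependency, and neither this hunk nor the release notes say which direct requirement pulls it in. Name the parent module in the change description (go mod why reports it) so the added crypto code is reviewed on purpose and not as a side effect of the sif bump.
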
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/apptainer-1.1.0/go.sum new/apptainer-1.1.2/go.sum
--- old/apptainer-1.1.0/go.sum  2022-09-27 16:55:22.000000000 +0200
+++ new/apptainer-1.1.2/go.sum  2022-10-06 21:51:39.000000000 +0200
@@ -134,8 +134,9 @@
 github.com/Netflix/go-expect v0.0.0-20220104043353-73e0943537d2/go.mod 
h1:HBCaDeC1lPdgDeDbhX8XFpy1jqjK0IBG8W5K+xYqA0w=
 github.com/OneOfOne/xxhash v1.2.2/go.mod 
h1:HSdplMjZKSmBqAxg5vPj2TmRDmfkzw+cTzAElWljhcU=
 github.com/ProtonMail/go-crypto v0.0.0-20210428141323-04723f9f07d7/go.mod 
h1:z4/9nQmJSSwwds7ejkxaJwO37dru3geImFUdJlaLzQo=
-github.com/ProtonMail/go-crypto v0.0.0-20220517143526-88bb52951d5b 
h1:lcbBNuQhppsc7A5gjdHmdlqUqJfgGMylBdGyDs0j7G8=
 github.com/ProtonMail/go-crypto v0.0.0-20220517143526-88bb52951d5b/go.mod 
h1:z4/9nQmJSSwwds7ejkxaJwO37dru3geImFUdJlaLzQo=
+github.com/ProtonMail/go-crypto v0.0.0-20220824120805-4b6e5c587895 
h1:NsReiLpErIPzRrnogAXYwSoU7txA977LjDGrbkewJbg=
+github.com/ProtonMail/go-crypto v0.0.0-20220824120805-4b6e5c587895/go.mod 
h1:UBYPn8k0D56RtnR8RFQMjmh4KrZzWJ5o7Z9SYjossQ8=
 github.com/PuerkitoBio/purell v1.0.0/go.mod 
h1:c11w/QuzBsJSee3cPx9rAFu61PvFxuPbtSwDGJws/X0=
 github.com/PuerkitoBio/purell v1.1.1/go.mod 
h1:c11w/QuzBsJSee3cPx9rAFu61PvFxuPbtSwDGJws/X0=
 github.com/PuerkitoBio/urlesc v0.0.0-20160726150825-5bd2802263f2/go.mod 
h1:uGdkoq3SwY9Y+13GIhn11/XLaGBb4BfwItxLd5jeuXE=
@@ -171,8 +172,8 @@
 github.com/apptainer/container-key-client v0.8.0/go.mod 
h1:wMeJdiMXlPRiwJfUyae2WRHsZlHG9Af6iPQ9TZcBnS8=
 github.com/apptainer/container-library-client v1.3.3 
h1:xd0/27nB8mAtyJAwG/7tTOoWAhjMiZPyZy4fzzQHMak=
 github.com/apptainer/container-library-client v1.3.3/go.mod 
h1:B+ARx/+WaE/E2pkv2qZUQeoEBO89PUpmLKsTJmbM5eQ=
-github.com/apptainer/sif/v2 v2.7.2 
h1:gVzaGxLDadwi/RtevtzdS/jTTzHoUljYWGYz/TQdl9Y=
-github.com/apptainer/sif/v2 v2.7.2/go.mod 
h1:cSKZHNNrtVAzpi4INlGlp6mONYLsvV1z/CjlThKRV2c=
+github.com/apptainer/sif/v2 v2.8.1 
h1:c8WSyIZ/Jujf3GijgkCLNEvwusvNIGn8fUBgkCv/8F0=
+github.com/apptainer/sif/v2 v2.8.1/go.mod 
h1:ELUI9IzDd9fuNN099gwA0bUvoR2I5LSZWYcqCqvLw/0=
 github.com/armon/circbuf v0.0.0-20150827004946-bbbad097214e/go.mod 
h1:3U/XgcO3hCbHZ8TKRvWD2dDTCfh9M9ya+I9JpbB7O8o=
 github.com/armon/consul-api v0.0.0-20180202201655-eb2c6b5be1b6/go.mod 
h1:grANhF5doyWs3UAsr3K4I6qtAmlQcZDesFNEHPZAzj8=
 github.com/armon/go-metrics v0.0.0-20180917152333-f0300d1749da/go.mod 
h1:Q73ZrmVTwzkszR9V5SSuryQ31EELlFMUz1kKyl939pY=
@@ -229,6 +230,7 @@
 github.com/bugsnag/panicwrap v0.0.0-20151223152923-e2c28503fcd0/go.mod 
h1:D/8v3kj0zr8ZAKg1AQ6crr+5VwKN5eIywRkfhyM/+dE=
 github.com/bugsnag/panicwrap v1.2.0 
h1:OzrKrRvXis8qEvOkfcxNcYbOd2O7xXS2nnKMEMABFQA=
 github.com/bugsnag/panicwrap v1.2.0/go.mod 
h1:D/8v3kj0zr8ZAKg1AQ6crr+5VwKN5eIywRkfhyM/+dE=
+github.com/bwesterb/go-ristretto v1.2.0/go.mod 
h1:fUIoIZaG73pV5biE2Blr2xEzDoMj7NFEuV9ekS419A0=
 github.com/cenkalti/backoff/v3 v3.0.0/go.mod 
h1:cIeZDE3IrqwwJl6VUwCN6trj1oXrTS4rc0ij+ULvLYs=
 github.com/cenkalti/backoff/v3 v3.2.2/go.mod 
h1:cIeZDE3IrqwwJl6VUwCN6trj1oXrTS4rc0ij+ULvLYs=
 github.com/cenkalti/backoff/v4 v4.1.1/go.mod 
h1:scbssz8iZGpm3xbr14ovlUdkxfGXNInqkPWOWmG2CLw=
@@ -259,6 +261,8 @@
 github.com/circonus-labs/circonus-gometrics v2.3.1+incompatible/go.mod 
h1:nmEj6Dob7S7YxXgwXpfOuvO54S+tGdZdw9fuRZt25Ag=
 github.com/circonus-labs/circonusllhist v0.1.3/go.mod 
h1:kMXHVDlOchFAehlya5ePtbp5jckzBHf4XRpQvBOLI+I=
 github.com/client9/misspell v0.3.4/go.mod 
h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw=
+github.com/cloudflare/circl v1.1.0 
h1:bZgT/A+cikZnKIwn7xL2OBj012Bmvho/o6RpRvv3GKY=
+github.com/cloudflare/circl v1.1.0/go.mod 
h1:prBCrKB9DV4poKZY1l9zBXg2QJY7mvgRvtMxxK7fi4I=
 github.com/cncf/udpa/go v0.0.0-20191209042840-269d4d468f6f/go.mod 
h1:M8M6+tZqaGXZJjfX53e64911xZQV5JYwmTeXPW+k8Sc=
 github.com/cncf/udpa/go v0.0.0-20200629203442-efcf912fb354/go.mod 
h1:WmhPx2Nbnhtbo57+VJT5O0JRkEi1Wbu0z5j0R8u5Hbk=
 github.com/cncf/udpa/go v0.0.0-20201120205902-5459f2c99403/go.mod 
h1:WmhPx2Nbnhtbo57+VJT5O0JRkEi1Wbu0z5j0R8u5Hbk=
@@ -1796,6 +1800,7 @@
 golang.org/x/sys v0.0.0-20210906170528-6f6e22806c34/go.mod 
h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20210908233432-aa78b53d3365/go.mod 
h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20210927094055-39ccf1dd6fa6/go.mod 
h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20211007075335-d3039528d8ac/go.mod 
h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20211019181941-9d821ace8654/go.mod 
h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20211025201205-69cdffdb9359/go.mod 
h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20211116061358-0a5406a5449c/go.mod 
h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=

++++++ vendor.tar.gz ++++++
/work/SRC/openSUSE:Factory/apptainer/vendor.tar.gz 
/work/SRC/openSUSE:Factory/.apptainer.new.2275/vendor.tar.gz differ: char 5, 
line 1
