From debbugs-submit-bounces@debbugs.gnu.org Thu Dec 13 17:52:20 2018 Received: (at 33730) by debbugs.gnu.org; 13 Dec 2018 22:52:20 +0000 Received: from localhost ([127.0.0.1]:47026 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1gXZq8-00005j-Ce for submit@debbugs.gnu.org; Thu, 13 Dec 2018 17:52:20 -0500 Received: from eggs.gnu.org ([208.118.235.92]:36163) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1gXZq6-00005V-U1 for 33730@debbugs.gnu.org; Thu, 13 Dec 2018 17:52:19 -0500 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1gXZpz-0004gK-G1 for 33730@debbugs.gnu.org; Thu, 13 Dec 2018 17:52:12 -0500 X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on eggs.gnu.org X-Spam-Level: X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00 autolearn=disabled version=3.3.2 Received: from fencepost.gnu.org ([2001:4830:134:3::e]:45843) by eggs.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1gXZpz-0004g5-Bn; Thu, 13 Dec 2018 17:52:11 -0500 Received: from [2a01:e0a:1d:7270:af76:b9b:ca24:c465] (port=32886 helo=ribbon) by fencepost.gnu.org with esmtpsa (TLS1.2:RSA_AES_256_CBC_SHA1:256) (Exim 4.82) (envelope-from ) id 1gXZpz-0003h5-3x; Thu, 13 Dec 2018 17:52:11 -0500 From: =?utf-8?Q?Ludovic_Court=C3=A8s?= To: Leo Famulari Subject: Re: [bug#33730] [PATCH] gnu: Singularity: Update to 2.6.1 [fixes CVE-2018-19295]. References: Date: Thu, 13 Dec 2018 23:52:09 +0100 In-Reply-To: (Leo Famulari's message of "Thu, 13 Dec 2018 15:48:39 -0500") Message-ID: <87wood82g6.fsf@gnu.org> User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/26.1 (gnu/linux) MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.2.x-3.x [generic] X-Received-From: 2001:4830:134:3::e X-Spam-Score: -5.0 (-----) X-Debbugs-Envelope-To: 33730 Cc: 33730@debbugs.gnu.org X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -6.0 (------) Hi Leo, Leo Famulari skribis: > Our Singularity package is not vulnerable to CVE-2018-19295 by default, > becuase that vulnerability is based on the 'mount', 'start', and > 'action' Singularity binaries being installed setuid, which we do not do > in Guix. > > * gnu/packages/linux.scm (singularity): Update to 2.6.1. LGTM. Thanks for the patch and for the analysis! Ludo=E2=80=99.