Marked for autoremoval on 12 August: #964779, #965040high
Version 3.5.2+ds1-1 of singularity-container is marked for autoremoval from testing on Wed 12 Aug 2020. It is affected by #964779, #965040. You should try to prevent the removal by fixing these RC bugs.
CVE-2020-13845: Sylabs Singularity 3.0 through 3.5 has Improper Validation of an Integrity Check Value. Image integrity is not validated when an ECL policy is enforced. The fingerprint required by the ECL is compared against the signature object descriptor(s) in the SIF file, rather than to a cryptographically validated signature.
CVE-2020-13846: Sylabs Singularity 3.5.0 through 3.5.3 fails to report an error in a Status Code.
CVE-2020-13847: Sylabs Singularity 3.0 through 3.5 lacks support for an Integrity Check. Singularity's sign and verify commands do not sign metadata found in the global header or data object descriptors of a SIF file.
CVE-2020-13845: Sylabs Singularity 3.0 through 3.5 has Improper Validation of an Integrity Check Value. Image integrity is not validated when an ECL policy is enforced. The fingerprint required by the ECL is compared against the signature object descriptor(s) in the SIF file, rather than to a cryptographically validated signature.
CVE-2020-13846: Sylabs Singularity 3.5.0 through 3.5.3 fails to report an error in a Status Code.
CVE-2020-13847: Sylabs Singularity 3.0 through 3.5 lacks support for an Integrity Check. Singularity's sign and verify commands do not sign metadata found in the global header or data object descriptors of a SIF file.
![[bug history graph]](https://qa.debian.org/data/bts/graphs/s/singularity-container.png){kind=link}