openSUSE-SU-2026:20730-1

Published: 14 May 2026
Source: suse-cvrf

Description

Security update for apptainer

This update for apptainer fixes the following issues:

Changes in apptainer:

  • Fix CVE-2026-34986 (bsc#1262956)

    • github.com/go-jose/go-jose/v4@v4.1.4 CVE-2026-33186 GO-2026-4762 (bsc#1260311)
    • google.golang.org/grpc@v1.79.3 CVE-2026-24137 GO-2026-4358 (bsc#1264177)
    • github.com/sigstore/sigstore@v1.10.4
    • Fix fallout: github.com/moby/go-archive@v0.1.0, github.com/containers/image/v5=github.com/containers/image/v5@v5.36.0

  • Fix HTML parser misimplementation of a part of the HTML specification for table related tags (CVE-2025-58190, GO-2026-4441, bsc#1258048).

  • Fix issue where the HTML parser takes a very long time or even never returns (CVE-2025-47911, GO-2026-4440, bsc#1258047).

  • Update to 1.4.5

    • Fix for moderate severity GO-2025-4176 / CVE-2025-65105 / GHSA-j3rw-fx6g-q46j (bsc#1255462): Ineffective application of selinux / apparmor --security option. Updates of a few dependent go libraries for related security fixes.
    • Other fix: Run FUSE processes in a separate process group. This detaches them from the main process so they don't receive signals such as interrupts sent to a terminal there. This was not a problem with interactive shells because they start their own group, but was a problem with some programs with interactive Read-Eval-Print Loops such as python. An interrupt there would kill the FUSE processes.
  • From 1.4.4

    • By applying patches to the bundled fuse2fs, allow again the possibility of using a non-writable ext3 image file as an overlay. Fixes regression introduced in 1.4.3.
    • If an overlay or bound data image is asked to be mounted writable but the user has no write access to the image, show a warning message instead of silently switching to readonly.
    • Avoid a fatal error when starting fakeroot from suid mode while in an NFS directory.
    • Fix 32-bit builds which were accidentally broken by a library upgrade that was done for a minor security issue.
  • Fix CVEs:

    • GO-2025-4135 - CVE-2025-47914 Malformed constraint may cause denial of service in golang.org/x/crypto/ssh/agent.
    • GO-2025-4134 - CVE-2025-58181 - bsc#1253924 Unbounded memory consumption in golang.org/x/crypto/ssh.
    • GO-2025-4116 - CVE-2025-47913 Potential denial of service in golang.org/x/crypto/ssh/agent.
    • GO-2025-3595 - CVE-2025-22872 Incorrect Neutralization of Input During Web Page Generation in x/net.
    • GO-2025-3503 - CVE-2025-22870 HTTP Proxy bypass using IPv6 Zone IDs in golang.org/x/net.
    • GO-2025-3487 - CVE-2025-22869 Potential denial of service in golang.org/x/crypto.
    • GO-2025-3485 - CVE-2025-27144 DoS in go-jose Parsing in github.com/go-jose/go-jose.
    • GO-2025-3754 - CVE-2025-8556 CIRCL-Fourq: Missing and wrong validation can lead to incorrect results in github.com/cloudflare/circl.
  • No need for binutils-gold for aarch64

  • Update to 1.4.3

    • Corrected the mconfig -s option for statically building apptainer and starter binaries.
    • Resolved an issue where the Makefile generated by mconfig -b failed when the build directory was not a subdirectory of the Apptainer source code.
    • Fixed %files in definition files to correctly copy symlinks pointing above the destination directory but within the destination stage root filesystem.
    • Addressed a typo in nvliblist.conf ( libnvoptix.so.1 was corrected to libnvoptix.so).
    • Prevented timeouts during cleanup after building gocryptfs-encrypted SIF files.
    • Fixed a bug that prevented build with --passphrase or --pem-path (without --encrypt) from implying fakeroot.
    • Resolved a hang when copying files between build stages while using suid mode without user namespaces.
    • Fixed issues with running and building containers of different architectures than the host via binfmt_misc when using rootless fakeroot.
    • Corrected "target: no such file or directory" errors when extracting layers from certain OCI images that manipulate hard links across layers.
    • Fixed a crash when executing a privilege-encrypted container as root.
    • Improved documentation for the remote list command.
    • Removed the fakerootcallback functionality.
    • Updated the default pacman confURL for Bootstrap: arch container builds.
    • Updated bundled fuse programs to their latest releases.
    • Changed the default message level from silent to normal in nested apptainer executions of a build's %post section, and suppressed an unnecessary warning.
    • Invalid environment variables are now ignored when pulling oci/docker containers.
  • Add definition file for SLE 16 (SLE-16.def).

  • Remove definition files for SLE15 SP5 (SLE-15SP5.def) and SP6 (SLE-15SP6.def).

  • Update to 1.4.2

    • Restore looking for registry mirrors in /etc/containers/registry.conf and related files. This had been inadvertently dropped beginning in 1.4.0.
    • Fix use of the image cache when the home directory contains @ characters. Previously it would assume that it was the start of a digest in the oci-dir.
    • Fix signature verification failures on unsigned images.
    • Add additional .deb packages to the release assets that include the label trixie+ to indicate that they are for installing on Debian 13 or later. Those packages are necessary to work with the new libfuse3 library in Debian13. They also support libsubid, unlike the default packages because they are built on Debian 11 which doesn't have that library.
    • Add automatic triggering of Ubuntu PPA builds whenever there's a new apptainer release.
  • Update to 1.4.1

    • Fix the use of libsubid which had been broken by the revision applied in 1.4.0-rc.2.
    • Fix a bug introduced in 1.4.0 that caused arm64 to be mis-converted to arm64v8 and resulted in a failure when pulling OCI containers.
    • Fix user database lookup in master process preventing instance from starting correctly on systems using winbind.
    • Check for existence of /run/systemd/system when verifying cgroups can be used via systemd manager.
    • Add a clear error message if someone tries to use privileged network options while not using setuid mode.
    • Allow multi-arch oci-archive files that have a nested index with the manifest. This is the default format (both for Docker and OCI) when using nerdctl save.
    • Test if docker-archive is actually an oci-archive (since Docker version 25), and if it is oci then use the OCI parser to avoid bugs in the Docker parser. Save the daemon-daemon references to a temporary docker-archive, to benefit from the same improvements also for those references. Parse as oci-archive.
  • New Features &amp; Functionality inherited from 1.4.0

    • Add new build option --mksquashfs-args to pass additional arguments to the mksquashfs command when building SIF files. If a compression method other than gzip is selected, the SIF file might not work with older installations of Apptainer or Singularity, so an INFO message about that is printed. On the other hand, an INFO message that was printed (twice) when running an image with non-gzip compression has been removed.
    • If the mksquashfs version is new enough (version 4.6 in Leap 16.0), then show a percentage progress bar (with ETA) during SIF creation in the default log level. If the mksquashfs version is older, then in verbose or debug log level show the output of mksquashfs with its own progress bar.
    • Statistics are now normally available for instances that are started by non-root users on cgroups v2 systems. The instance will be started in the current cgroup. Information about configuration issues that prevent collection of statistics are displayed as INFO messages by default.
    • Add a --sandbox option to apptainer pull.
    • Add configuration file binding to the --nv option. Files that are recognized in the NVIDIA Container Toolkit, including files for EGL ICD, were added to the default nvliblist.conf.
    • It is now possible to use multiple environment variable files using the --env-file flag. Files can be specified as a comma-separated list or by using the flag multiple times. Variables defined in later files take precedence over earlier files.
    • The registry login and registry logout commands now support a --authfile <path> option, which causes OCI credentials to be written to / removed from a custom file located at <path> instead of the default location ($HOME/.apptainer/docker-config.json). The commands pull, push, run, exec, shell and instance start can now also be passed a --authfile <path> option, to read OCI registry credentials from this custom file.
    • A new --netns-path option takes a path to a network namespace to join when starting a container. The root user may join any network namespace. An unprivileged user can only join a network namespace specified in the new allow netns paths directive in apptainer.conf, if they are also listed in allow net users / allow net groups and apptainer is installed with setuid privileges. Not supported with --fakeroot.
    • apptainer.conf now accepts setting the following options: allow ipc ns -- Default value is yes; when set to no, it will disable the use of the --ipc flag. allow uts ns -- Default value is yes; when set to no, it will invalidate the use of the --uts and --hostname flags. allow user ns -- Default value is yes; when set to no, it will disable creation of user namespaces. Note that this will prevent execution of containers with the --userns or --fakeroot flags and with unprivileged installations of Apptainer.
  • Changed defaults / behaviours

    • Label the starter process seen in ps with the image filename, for example: Apptainer runtime parent: example.sif.
    • Remove runtime and compute libraries from rocmliblist.conf. They should instead be provided by the container image.
    • Allow overriding the build architecture with --arch and --arch-variant, to build images for another architecture than the current host arch. This requires that the host has been set up to support multiple architectures (binfmt_misc).
    • Complete the previously partial support for the riscv64 architecture.
    • Show a warning message if changing directory to the cwd fails, instead of silently switching to the home directory or /.
    • Write starter messages to stderr when an instance fails to start. Previously they were incorrectly written to stdout.
    • Skip attempting to bind inaccessible mount points when handling the mount hostfs = yes configuration option.
    • Fix storage of credentials for docker.io to behave the same as for index.docker.io.
    • Change message log level from warning to debug when environment variables set inside a container or by APPTAINERENV have a different value than the environment variable on the host.
    • Change the default message level from silent to the normal level in the nested apptainer that executes a build's %post section, and suppress an unnecessary warning message.
    • Ignore invalid environment variables when pulling oci/docker containers.
    • Remove the little-known fakerootcallback functionality.
    • Update the default pacman confURL for Bootstrap: arch container builds.
    • Update the bundled fuse programs to their latest releases.
  • Bug fixes

    • Fix the mconfig -s option to build the apptainer and starter binaries statically as documented.
    • %files from in a definition file will now correctly copy symlinks that point to a target above the destination directory but inside the destination stage root filesystem.
    • Fixed typo in nvliblist.conf (libnvoptix.so.1 -> libnvoptix.so).
    • Avoid timeouts when cleaning up from building gocryptfs-encrypted SIF files.
    • Fix bug that prevented build with --passphrase or --pem-path but without --encrypt from implying fakeroot.
    • Fix hang when copying files between build stages while using suid mode without user namespaces.
    • Fix running and building containers of different architectures than the host via binfmt_misc when using rootless fakeroot.
    • Fix target: no such file or directory error when extracting layers from certain OCI images that manipulate hard links across layers.
    • Fix the crash that happened when executing a privilege-encrypted container as root.
  • Fix CVE-2024-45338, CVE-2025-22870, CVE-2024-45337, CVE-2025-22869, CVE-2025-27144, CVE-2024-41110

    • GO-2024-3333 CVE-2024-45338 (bsc#1234794) GO-2025-3503 CVE-2025-22870 (bsc#1238611): Update to: golang.org/x/net@v0.36.0
    • GO-2024-3321 CVE-2024-45337 (bsc#1234595) GO-2025-3487 CVE-2025-22869 (bsc#1239341): Update to: golang.org/x/crypto@v0.35.0
    • GO-2025-3485 CVE-2025-27144 (bsc#1237679): Update to: github.com/go-jose/go-jose/v3@v3.0.4
    • GO-2024-3005 CVE-2024-41110 (bsc#1228324): Update to: github.com/docker/docker@v25.0.6+incompatible
  • Update golang.org/x/net to v0.23 to fix CVE-2023-45288 (bnc#1236528).

  • Update to version 1.3.6

    • Avoid using kernel overlayfs when the lower layer is a sandbox on an incompatible filesystem type such as GPFS or Lustre. For those cases use fuse-overlayfs instead. This fixes a regression introduced in 1.3.0. The regression didn't much impact Lustre because kernel overlayfs refused to try to use it and Apptainer proceeded to use fuse-overlayfs anyway, but with GPFS the kernel overlayfs allowed mounting but returned stale file handle errors.
  • Version 1.3.5

    • Fix a regression introduced in 1.3.4 that overwrote existing standard /.singularity.d files such as runscript in container images even if they had been modified.
    • Skip attempting to bind inaccessible mount points when handling the mount hostfs = yes configuration option.
    • Support parsing nested variables defined inside %arguments section of definition files.
    • Ignore invalid environment variables when pulling oci/docker containers.
  • Version 1.3.4

    • Fixed sif-embedded overlay partitions for containers that are larger than 2 gigabytes.
    • Fixed the failure when starting apptainer with instance --fakeroot.
    • apptainer build -B ... can now be used to mount custom resolv.conf and hosts files from non-standard outside locations. This can be used to run apptainer build in a nix-build sandbox that has no /etc/resolv.conf.
    • Fixed failing builds from local images that have symbolic links for paths that are part of the base container environment (e.g. /var/tmp -> /tmp).
    • Show info messages suggesting to use enable underlay = preferred or the --underlay flag when overlay is implied for bind mounts but the kernel is too old to support fuse mounts in user namespaces and so tries to use fusermount.
    • When someone uses a yum bootstrap to build a container without using subuid-based fakeroot or root, warn that it is unlikely to work.
    • Allow a writable --overlay to be used with --nvccli instead of --writable-tmpfs.
    • If an error "no descriptor found for reference" is seen while getting an oci container, retry the operation up to five times.
    • Make fakeroot Recommended for SUSE rpms instead of Required.
    • Allow bind mounts onto existing files on r/o NFS filesystems.
    • If an error is seen in the %post section when building a container using fakeroot mode 3 (with the fakeroot command) then show a message suggesting using --ignore-fakeroot-command and referring to the documentation about how to install and use it inside the container definition file.
    • Show a more helpful error message when using fakeroot in suid mode and there's an /etc/subuid mapping even though user namespaces are not available (user namespaces are required for /etc/subuid mapping).
  • Version 1.3.3

    • Added libcudadebugger.so to nvliblist.conf to support cuda-gdb in CUDA 12+.
    • Ensure opened/kept file descriptors in stage 1 are not closed during the Go garbage collection to avoid "bad file descriptor" errors at startup.
    • Fixed a segmentation violation issue when running Apptainer checkpoint.
    • Fixed an issue that Apptainer won't read default docker credentials.
  • Version 1.3.2

    • Fix for CVE-2024-3727 in a dependent library which describes a flaw that can allow attackers to trigger unexpected authenticated registry accesses due to object digest values not being validated in all cases.
    • Fixed the issue when nesting apptainer instance start inside a container on cgroups-v2 capable host.
    • Fixed the issue that oras download progress bar gets stuck when downloading large images.
  • Version 1.3.1

    • Make 'apptainer build' work with signed Docker containers.
    • Fixed regression introduced in 1.3.0 that prevented closing cryptsetup and the corresponding loop device after running an encrypted sif container file in suid mode.
    • Stopped binding over the default timezone in the container with the host's timezone, which led to unexpected behavior if the application changed timezones.
    • Added progress bars for oras:// push and pull.
    • Hide Instance stats will not be available message under --sharens mode.
    • Fix problem where credentials locally stored with registry login command were not usable in some execution flows. Run registry login again with latest version to ensure credentials are stored correctly.
    • Make runscript timeout configurable.
    • Return invalid bind path mount options during bind path parsing.
    • Make the INFO message more helpful when a running background process at exit time causes a FUSE mount to not shut down cleanly.
    • Fixed the wrong mediaType in the oras push manifest.
  • Add Apptainer definition template for SLE15-SP7.

  • Make sure the build is reproducible by setting the GNU build ID to one derived from the Go one. See https://pkg.go.dev/cmd/link.

  • Use go-jose version with fix for CVE-2024-28180 (bsc#1235211).

Package list

openSUSE Leap 16.0
apptainer-1.4.5-bp160.1.1
apptainer-leap-1.4.5-bp160.1.1
apptainer-sle15_7-1.4.5-bp160.1.1
apptainer-sle16-1.4.5-bp160.1.1

Description

An attacker may cause an HTTP/2 endpoint to read arbitrary amounts of header data by sending an excessive number of CONTINUATION frames. Maintaining HPACK state requires parsing and processing all HEADERS and CONTINUATION frames on a connection. When a request's headers exceed MaxHeaderBytes, no memory is allocated to store the excess headers, but they are still parsed. This permits an attacker to cause an HTTP/2 endpoint to read arbitrary amounts of header data, all associated with a request which is going to be rejected. These headers can include Huffman-encoded data which is significantly more expensive for the receiver to decode than for an attacker to send. The fix sets a limit on the amount of excess header frames we will process before closing a connection.


Affected products
openSUSE Leap 16.0:apptainer-1.4.5-bp160.1.1
openSUSE Leap 16.0:apptainer-leap-1.4.5-bp160.1.1
openSUSE Leap 16.0:apptainer-sle15_7-1.4.5-bp160.1.1
openSUSE Leap 16.0:apptainer-sle16-1.4.5-bp160.1.1

References

Description

Package jose aims to provide an implementation of the Javascript Object Signing and Encryption set of standards. An attacker could send a JWE containing compressed data that used large amounts of memory and CPU when decompressed by Decrypt or DecryptMulti. Those functions now return an error if the decompressed data would exceed 250kB or 10x the compressed size (whichever is larger). This vulnerability has been patched in versions 4.0.1, 3.0.3 and 2.6.3.
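The limit described above (decompressed size capped at the larger of 250 kB or 10x the compressed size) is straightforward to enforce around any inflate call. The following is an added example, not code from go-jose or from the apptainer package; it implements the same bound over a raw DEFLATE stream, which is what the JWE `"zip":"DEF"` parameter denotes, and builds a constructed compression bomb to show the limit tripping. The constants and function names are this example's own.

```go
package main

import (
	"bytes"
	"compress/flate"
	"errors"
	"fmt"
	"io"
)

// Limits taken from the advisory text: the decompressed output may not exceed
// 250 kB or 10x the compressed size, whichever is larger.
const (
	absoluteLimit = 250 * 1024
	ratioLimit    = 10
)

var ErrDecompressionBomb = errors.New("jwe: decompressed payload exceeds limit")

// maxOutput returns the allowed decompressed size for a compressed input length.
func maxOutput(compressedLen int) int64 {
	limit := int64(compressedLen) * ratioLimit
	if limit < absoluteLimit {
		limit = absoluteLimit
	}
	return limit
}

// safeInflate inflates a raw DEFLATE stream but stops as soon as more than
// maxOutput bytes have been produced, so the sender cannot dictate how much
// memory and CPU the receiver spends on a tiny ciphertext.
func safeInflate(compressed []byte) ([]byte, error) {
	limit := maxOutput(len(compressed))
	r := flate.NewReader(bytes.NewReader(compressed))
	defer r.Close()
	// Read one byte past the limit: if that byte exists, the input is too large.
	out, err := io.ReadAll(io.LimitReader(r, limit+1))
	if err != nil {
		return nil, err
	}
	if int64(len(out)) > limit {
		return nil, ErrDecompressionBomb
	}
	return out, nil
}

// deflate is only used here to build the constructed sample inputs.
func deflate(plain []byte) []byte {
	var buf bytes.Buffer
	w, _ := flate.NewWriter(&buf, flate.BestCompression)
	w.Write(plain)
	w.Close()
	return buf.Bytes()
}

func main() {
	// A realistic claim set: well under the limit, inflates unchanged.
	claims := deflate([]byte(`{"sub":"alice","exp":1700000000}`))
	out, err := safeInflate(claims)
	fmt.Printf("claims: %d -> %d bytes, err=%v\n", len(claims), len(out), err)

	// A constructed bomb: 4 MiB of zero bytes compresses to a few kilobytes.
	bomb := deflate(make([]byte, 4<<20))
	_, err = safeInflate(bomb)
	fmt.Printf("bomb: %d compressed bytes, err=%v\n", len(bomb), err)
}
```

The `limit+1` read is the important detail: reading exactly `limit` bytes cannot distinguish a payload that is exactly at the limit from one that is far beyond it, so the check would silently truncate instead of rejecting.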


Affected products
openSUSE Leap 16.0:apptainer-1.4.5-bp160.1.1
openSUSE Leap 16.0:apptainer-leap-1.4.5-bp160.1.1
openSUSE Leap 16.0:apptainer-sle15_7-1.4.5-bp160.1.1
openSUSE Leap 16.0:apptainer-sle16-1.4.5-bp160.1.1

References

Description

A flaw was found in the github.com/containers/image library. This flaw allows attackers to trigger unexpected authenticated registry accesses on behalf of a victim user, causing resource exhaustion, local path traversal, and other attacks.


Affected products
openSUSE Leap 16.0:apptainer-1.4.5-bp160.1.1
openSUSE Leap 16.0:apptainer-leap-1.4.5-bp160.1.1
openSUSE Leap 16.0:apptainer-sle15_7-1.4.5-bp160.1.1
openSUSE Leap 16.0:apptainer-sle16-1.4.5-bp160.1.1

References

Description

Moby is an open-source project created by Docker for software containerization. A security vulnerability has been detected in certain versions of Docker Engine, which could allow an attacker to bypass authorization plugins (AuthZ) under specific circumstances. The base likelihood of this being exploited is low. Using a specially-crafted API request, an Engine API client could make the daemon forward the request or response to an authorization plugin without the body. In certain circumstances, the authorization plugin may allow a request which it would have otherwise denied if the body had been forwarded to it. A security issue was discovered in 2018, where an attacker could bypass AuthZ plugins using a specially crafted API request. This could lead to unauthorized actions, including privilege escalation. Although this issue was fixed in Docker Engine v18.09.1 in January 2019, the fix was not carried forward to later major versions, resulting in a regression. Anyone who depends on authorization plugins that introspect the request and/or response body to make access control decisions is potentially impacted. Docker EE v19.03.x and all versions of Mirantis Container Runtime are not vulnerable. docker-ce v27.1.1 contains patches to fix the vulnerability. Patches have also been merged into the master, 19.03, 20.0, 23.0, 24.0, 25.0, 26.0, and 26.1 release branches. If one is unable to upgrade immediately, avoid using AuthZ plugins and/or restrict access to the Docker API to trusted parties, following the principle of least privilege.


Affected products
openSUSE Leap 16.0:apptainer-1.4.5-bp160.1.1
openSUSE Leap 16.0:apptainer-leap-1.4.5-bp160.1.1
openSUSE Leap 16.0:apptainer-sle15_7-1.4.5-bp160.1.1
openSUSE Leap 16.0:apptainer-sle16-1.4.5-bp160.1.1

References

Description

Applications and libraries which misuse connection.serverAuthenticate (via callback field ServerConfig.PublicKeyCallback) may be susceptible to an authorization bypass. The documentation for ServerConfig.PublicKeyCallback says that "A call to this function does not guarantee that the key offered is in fact used to authenticate." Specifically, the SSH protocol allows clients to inquire about whether a public key is acceptable before proving control of the corresponding private key. PublicKeyCallback may be called with multiple keys, and the order in which the keys were provided cannot be used to infer which key the client successfully authenticated with, if any. Some applications, which store the key(s) passed to PublicKeyCallback (or derived information) and make security relevant determinations based on it once the connection is established, may make incorrect assumptions. For example, an attacker may send public keys A and B, and then authenticate with A. PublicKeyCallback would be called only twice, first with A and then with B. A vulnerable application may then make authorization decisions based on key B for which the attacker does not actually control the private key. Since this API is widely misused, as a partial mitigation golang.org/x/cry...@v0.31.0 enforces the property that, when successfully authenticating via public key, the last key passed to ServerConfig.PublicKeyCallback will be the key used to authenticate the connection. PublicKeyCallback will now be called multiple times with the same key, if necessary. Note that the client may still not control the last key passed to PublicKeyCallback if the connection is then authenticated with a different method, such as PasswordCallback, KeyboardInteractiveCallback, or NoClientAuth. Users should be using the Extensions field of the Permissions return value from the various authentication callbacks to record data associated with the authentication attempt instead of referencing external state. Once the connection is established the state corresponding to the successful authentication attempt can be retrieved via the ServerConn.Permissions field. Note that some third-party libraries misuse the Permissions type by sharing it across authentication attempts; users of third-party libraries should refer to the relevant projects for guidance.


Affected products
openSUSE Leap 16.0:apptainer-1.4.5-bp160.1.1
openSUSE Leap 16.0:apptainer-leap-1.4.5-bp160.1.1
openSUSE Leap 16.0:apptainer-sle15_7-1.4.5-bp160.1.1
openSUSE Leap 16.0:apptainer-sle16-1.4.5-bp160.1.1

References

Description

An attacker can craft an input to the Parse functions that would be processed non-linearly with respect to its length, resulting in extremely slow parsing. This could cause a denial of service.


Affected products
openSUSE Leap 16.0:apptainer-1.4.5-bp160.1.1
openSUSE Leap 16.0:apptainer-leap-1.4.5-bp160.1.1
openSUSE Leap 16.0:apptainer-sle15_7-1.4.5-bp160.1.1
openSUSE Leap 16.0:apptainer-sle16-1.4.5-bp160.1.1

References

Description

SSH servers which implement file transfer protocols are vulnerable to a denial of service attack from clients which complete the key exchange slowly, or not at all, causing pending content to be read into memory, but never transmitted.


Affected products
openSUSE Leap 16.0:apptainer-1.4.5-bp160.1.1
openSUSE Leap 16.0:apptainer-leap-1.4.5-bp160.1.1
openSUSE Leap 16.0:apptainer-sle15_7-1.4.5-bp160.1.1
openSUSE Leap 16.0:apptainer-sle16-1.4.5-bp160.1.1

References

Description

Matching of hosts against proxy patterns can improperly treat an IPv6 zone ID as a hostname component. For example, when the NO_PROXY environment variable is set to "*.example.com", a request to "[::1%25.example.com]:80" will incorrectly match and not be proxied.
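The failure mode is a suffix comparison applied to a host string that still carries its zone identifier. The following added example (not code from golang.org/x/net or from apptainer; all function names are this example's own) places the faulty comparison next to a corrected matcher that strips the zone ID and refuses to apply domain patterns to IP literals at all. It uses only the standard library and covers the common NO_PROXY pattern forms, not just the one in the description.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// splitHost returns the host part of a request target ("host", "host:port" or
// "[v6]:port") with square brackets removed but any zone ID left in place.
func splitHost(target string) string {
	host := target
	if h, _, err := net.SplitHostPort(target); err == nil {
		host = h
	}
	return strings.Trim(host, "[]")
}

// naiveSuffixMatch reproduces the faulty behaviour from the description: the
// zone ID "%25.example.com" stays attached to the address, so a suffix
// comparison mistakes it for DNS labels of the host name.
func naiveSuffixMatch(target, pattern string) bool {
	host := strings.ToLower(splitHost(target))
	pattern = strings.ToLower(pattern)
	if strings.HasPrefix(pattern, "*.") {
		return strings.HasSuffix(host, pattern[1:])
	}
	return host == pattern
}

// canonicalHost strips an IPv6 zone identifier ("%eth0", or "%25eth0" when the
// percent sign arrived URL-escaped) and reports whether what remains is an IP
// literal. A zone ID is link-scope metadata and never part of a DNS name.
func canonicalHost(target string) (host string, isIP bool) {
	host = splitHost(target)
	if i := strings.IndexByte(host, '%'); i >= 0 {
		host = host[:i]
	}
	host = strings.ToLower(host)
	return host, net.ParseIP(host) != nil
}

// matchNoProxy decides whether target is exempt from proxying under a single
// NO_PROXY entry: "*", "*.example.com", ".example.com", "example.com" or an IP
// literal. Domain patterns are never applied to IP literals, so a zone ID
// cannot smuggle an address past a domain rule.
func matchNoProxy(target, pattern string) bool {
	host, isIP := canonicalHost(target)
	pattern = strings.ToLower(strings.TrimSpace(pattern))
	if pattern == "*" {
		return true
	}
	if isIP {
		p, _ := canonicalHost(pattern)
		return p == host
	}
	switch {
	case strings.HasPrefix(pattern, "*."):
		return strings.HasSuffix(host, pattern[1:])
	case strings.HasPrefix(pattern, "."):
		return strings.HasSuffix(host, pattern) || host == pattern[1:]
	default:
		return host == pattern
	}
}

func main() {
	const pattern = "*.example.com"
	for _, target := range []string{"[::1%25.example.com]:80", "api.example.com:443", "[::1]:80"} {
		fmt.Printf("%-26s naive=%-5v fixed=%v\n",
			target, naiveSuffixMatch(target, pattern), matchNoProxy(target, pattern))
	}
}
```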


Affected products
openSUSE Leap 16.0:apptainer-1.4.5-bp160.1.1
openSUSE Leap 16.0:apptainer-leap-1.4.5-bp160.1.1
openSUSE Leap 16.0:apptainer-sle15_7-1.4.5-bp160.1.1
openSUSE Leap 16.0:apptainer-sle16-1.4.5-bp160.1.1

References

Description

The tokenizer incorrectly interprets tags with unquoted attribute values that end with a solidus character (/) as self-closing. When directly using Tokenizer, this can result in such tags incorrectly being marked as self-closing, and when using the Parse functions, this can result in content following such tags as being placed in the wrong scope during DOM construction, but only when tags are in foreign content (e.g. <math>, <svg>, etc contexts).


Affected products
openSUSE Leap 16.0:apptainer-1.4.5-bp160.1.1
openSUSE Leap 16.0:apptainer-leap-1.4.5-bp160.1.1
openSUSE Leap 16.0:apptainer-sle15_7-1.4.5-bp160.1.1
openSUSE Leap 16.0:apptainer-sle16-1.4.5-bp160.1.1

References

Description

Go JOSE provides an implementation of the Javascript Object Signing and Encryption set of standards in Go, including support for JSON Web Encryption (JWE), JSON Web Signature (JWS), and JSON Web Token (JWT) standards. In versions on the 4.x branch prior to version 4.0.5, when parsing compact JWS or JWE input, Go JOSE could use excessive memory. The code used strings.Split(token, ".") to split JWT tokens, which is vulnerable to excessive memory consumption when processing maliciously crafted tokens with a large number of `.` characters. An attacker could exploit this by sending numerous malformed tokens, leading to memory exhaustion and a Denial of Service. Version 4.0.5 fixes this issue. As a workaround, applications could pre-validate that payloads passed to Go JOSE do not contain an excessive number of `.` characters.
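The workaround the description suggests, pre-validating the number of `.` characters before the token is split, can be done in a single allocation-free pass. The following added example is not go-jose's code or apptainer's; it is a stand-alone compact-serialization splitter, written here with its own function names, that accepts only the two segment counts a valid JWS (3) or JWE (5) can have and rejects everything else before `strings.Split` ever runs. The sample tokens in `main` are constructed placeholders, not real signatures or ciphertexts.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

const (
	jwsSegments = 3 // protected-header.payload.signature
	jweSegments = 5 // protected-header.encrypted-key.iv.ciphertext.tag
)

var ErrMalformedCompact = errors.New("jose: malformed compact serialization")

// splitCompact splits a compact JWS or JWE into its dot-separated segments.
// The separator count is checked first: strings.Count is one pass over the
// input with no allocation, whereas strings.Split on a token made of a million
// dots would allocate a million empty strings before the caller could notice
// the token is garbage. Only the two counts a valid token can have get through.
func splitCompact(token string) ([]string, error) {
	dots := strings.Count(token, ".")
	if dots != jwsSegments-1 && dots != jweSegments-1 {
		return nil, ErrMalformedCompact
	}
	parts := strings.Split(token, ".")
	if parts[0] == "" { // the protected header is never empty
		return nil, ErrMalformedCompact
	}
	return parts, nil
}

// compactKind labels an already validated segment slice as JWS or JWE.
func compactKind(parts []string) string {
	if len(parts) == jweSegments {
		return "JWE"
	}
	return "JWS"
}

func main() {
	// Constructed sample tokens: the segments are placeholders, not real crypto.
	jws := "eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJhbGljZSJ9.c2lnbmF0dXJl"
	jwe := "eyJhbGciOiJkaXIiLCJlbmMiOiJBMjU2R0NNIn0..aXY.Y2lwaGVydGV4dA.dGFn"
	hostile := strings.Repeat(".", 1_000_000) // the shape of input the advisory describes

	for _, tok := range []string{jws, jwe, hostile} {
		parts, err := splitCompact(tok)
		if err != nil {
			fmt.Printf("rejected %d-byte token: %v\n", len(tok), err)
			continue
		}
		fmt.Printf("%s with %d segments\n", compactKind(parts), len(parts))
	}
}
```

The empty second segment in the JWE sample is legitimate: direct encryption (`"alg":"dir"`) carries no encrypted key, so the check deliberately constrains only the header segment.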


Affected products
openSUSE Leap 16.0:apptainer-1.4.5-bp160.1.1
openSUSE Leap 16.0:apptainer-leap-1.4.5-bp160.1.1
openSUSE Leap 16.0:apptainer-sle15_7-1.4.5-bp160.1.1
openSUSE Leap 16.0:apptainer-sle16-1.4.5-bp160.1.1

References

Description

The html.Parse function in golang.org/x/net/html has quadratic parsing complexity when processing certain inputs, which can lead to denial of service (DoS) if an attacker provides specially crafted HTML content.


Affected products
openSUSE Leap 16.0:apptainer-1.4.5-bp160.1.1
openSUSE Leap 16.0:apptainer-leap-1.4.5-bp160.1.1
openSUSE Leap 16.0:apptainer-sle15_7-1.4.5-bp160.1.1
openSUSE Leap 16.0:apptainer-sle16-1.4.5-bp160.1.1

References

Description

SSH clients receiving SSH_AGENT_SUCCESS when expecting a typed response will panic and cause early termination of the client process.


Affected products
openSUSE Leap 16.0:apptainer-1.4.5-bp160.1.1
openSUSE Leap 16.0:apptainer-leap-1.4.5-bp160.1.1
openSUSE Leap 16.0:apptainer-sle15_7-1.4.5-bp160.1.1
openSUSE Leap 16.0:apptainer-sle16-1.4.5-bp160.1.1

References

Description

SSH Agent servers do not validate the size of messages when processing new identity requests, which may cause the program to panic if the message is malformed due to an out of bounds read.


Affected products
openSUSE Leap 16.0:apptainer-1.4.5-bp160.1.1
openSUSE Leap 16.0:apptainer-leap-1.4.5-bp160.1.1
openSUSE Leap 16.0:apptainer-sle15_7-1.4.5-bp160.1.1
openSUSE Leap 16.0:apptainer-sle16-1.4.5-bp160.1.1

References

Description

SSH servers parsing GSSAPI authentication requests do not validate the number of mechanisms specified in the request, allowing an attacker to cause unbounded memory consumption.


Affected products
openSUSE Leap 16.0:apptainer-1.4.5-bp160.1.1
openSUSE Leap 16.0:apptainer-leap-1.4.5-bp160.1.1
openSUSE Leap 16.0:apptainer-sle15_7-1.4.5-bp160.1.1
openSUSE Leap 16.0:apptainer-sle16-1.4.5-bp160.1.1

References

Description

The html.Parse function in golang.org/x/net/html has an infinite parsing loop when processing certain inputs, which can lead to denial of service (DoS) if an attacker provides specially crafted HTML content.


Affected products
openSUSE Leap 16.0:apptainer-1.4.5-bp160.1.1
openSUSE Leap 16.0:apptainer-leap-1.4.5-bp160.1.1
openSUSE Leap 16.0:apptainer-sle15_7-1.4.5-bp160.1.1
openSUSE Leap 16.0:apptainer-sle16-1.4.5-bp160.1.1

References

Description

Apptainer is an open source container platform. In Apptainer versions less than 1.4.5, a container can disable two of the forms of the little used --security option, in particular the forms --security=apparmor:<profile> and --security=selinux:<label> which otherwise put restrictions on operations that containers can do. The --security option has always been mentioned in Apptainer documentation as being a feature for the root user, although these forms do also work for unprivileged users on systems where the corresponding feature is enabled. Apparmor is enabled by default on Debian-based distributions and SElinux is enabled by default on RHEL-based distributions, but on SUSE it depends on the distribution version. This vulnerability is fixed in 1.4.5.


Affected products
openSUSE Leap 16.0:apptainer-1.4.5-bp160.1.1
openSUSE Leap 16.0:apptainer-leap-1.4.5-bp160.1.1
openSUSE Leap 16.0:apptainer-sle15_7-1.4.5-bp160.1.1
openSUSE Leap 16.0:apptainer-sle16-1.4.5-bp160.1.1

References

Description

A flaw was found in CIRCL's implementation of the FourQ elliptic curve. This vulnerability allows an attacker to compromise session security via low-order point injection and incorrect point validation during Diffie-Hellman key exchange.


Affected products
openSUSE Leap 16.0:apptainer-1.4.5-bp160.1.1
openSUSE Leap 16.0:apptainer-leap-1.4.5-bp160.1.1
openSUSE Leap 16.0:apptainer-sle15_7-1.4.5-bp160.1.1
openSUSE Leap 16.0:apptainer-sle16-1.4.5-bp160.1.1

References

Description

sigstore framework is a common go library shared across sigstore services and clients. In versions 1.10.3 and below, the legacy TUF client (pkg/tuf/client.go) supports caching target files to disk. It constructs a filesystem path by joining a cache base directory with a target name sourced from signed target metadata; however, it does not validate that the resulting path stays within the cache base directory. A malicious TUF repository can trigger arbitrary file overwriting, limited to the permissions that the calling process has. Note that this should only affect clients that are directly using the TUF client in sigstore/sigstore or are using an older version of Cosign. Public Sigstore deployment users are unaffected, as TUF metadata is validated by a quorum of trusted collaborators. This issue has been fixed in version 1.10.4. As a workaround, users can disable disk caching for the legacy client by setting SIGSTORE_NO_CACHE=true in the environment, migrate to https://github.com/sigstore/sigstore-go/tree/main/pkg/tuf, or upgrade to the latest sigstore/sigstore release.
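The defect described above is a join without a containment check. The following added example is not sigstore's code (its `pkg/tuf/client.go` is not reproduced here) nor apptainer's; it shows the unchecked join beside a hardened version that cleans the joined path and verifies it is a strict descendant of the cache directory before any file is written. The cache directory and target names are constructed values, and the function names are this example's own.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

var ErrPathEscape = errors.New("tuf cache: target name escapes the cache directory")

// unsafeCachePath is the pattern the advisory describes: a target name taken
// from signed metadata is joined onto the cache base with no containment
// check, so "../" components in the name walk out of the cache directory.
func unsafeCachePath(baseDir, targetName string) string {
	return filepath.Join(baseDir, targetName)
}

// cachePath joins the same inputs but only returns the result when the cleaned
// path is strictly inside baseDir. Absolute target names are refused outright.
func cachePath(baseDir, targetName string) (string, error) {
	if targetName == "" || filepath.IsAbs(targetName) {
		return "", ErrPathEscape
	}
	base := filepath.Clean(baseDir)
	full := filepath.Join(base, targetName) // Join also collapses "a/../b"
	rel, err := filepath.Rel(base, full)
	if err != nil {
		return "", err
	}
	// rel is "." when full == base, and ".." or "../x" when it escaped.
	// "..hidden.json" is a legitimate name, hence the explicit separator check.
	if rel == "." || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrPathEscape
	}
	return full, nil
}

func main() {
	const base = "/var/cache/tuf" // constructed example directory
	names := []string{
		"targets/root.json",
		"..hidden.json",
		"../../../tmp/overwritten",
		"targets/../../escape",
	}
	for _, name := range names {
		safe, err := cachePath(base, name)
		fmt.Printf("%-26q unsafe=%-34s safe=%q err=%v\n",
			name, unsafeCachePath(base, name), safe, err)
	}
}
```

`filepath.Rel` is used rather than a string-prefix comparison on `full` because a prefix check would accept `/var/cache/tuf-other/x` as being inside `/var/cache/tuf`.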


Affected products
openSUSE Leap 16.0:apptainer-1.4.5-bp160.1.1
openSUSE Leap 16.0:apptainer-leap-1.4.5-bp160.1.1
openSUSE Leap 16.0:apptainer-sle15_7-1.4.5-bp160.1.1
openSUSE Leap 16.0:apptainer-sle16-1.4.5-bp160.1.1

References

Description

gRPC-Go is the Go language implementation of gRPC. Versions prior to 1.79.3 have an authorization bypass resulting from improper input validation of the HTTP/2 `:path` pseudo-header. The gRPC-Go server was too lenient in its routing logic, accepting requests where the `:path` omitted the mandatory leading slash (e.g., `Service/Method` instead of `/Service/Method`). While the server successfully routed these requests to the correct handler, authorization interceptors (including the official `grpc/authz` package) evaluated the raw, non-canonical path string. Consequently, "deny" rules defined using canonical paths (starting with `/`) failed to match the incoming request, allowing it to bypass the policy if a fallback "allow" rule was present. This affects gRPC-Go servers that use path-based authorization interceptors, such as the official RBAC implementation in `google.golang.org/grpc/authz` or custom interceptors relying on `info.FullMethod` or `grpc.Method(ctx)`, AND that have a security policy that contains specific "deny" rules for canonical paths but allows other requests by default (a fallback "allow" rule). The vulnerability is exploitable by an attacker who can send raw HTTP/2 frames with malformed `:path` headers directly to the gRPC server. The fix in version 1.79.3 ensures that any request with a `:path` that does not start with a leading slash is immediately rejected with a `codes.Unimplemented` error, preventing it from reaching authorization interceptors or handlers with a non-canonical path string. While upgrading is the most secure and recommended path, users can mitigate the vulnerability using one of the following methods: a validating interceptor (the recommended mitigation), infrastructure-level normalization, and/or policy hardening.
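The deny-with-fallback-allow policy shape from the advisory beside the validating-interceptor mitigation, as an added example in plain Go that is not part of the advisory or of gRPC-Go: `denyPolicy`, the method names and the stand-in error are constructed, and the comparison mirrors what a path-based interceptor sees in `info.FullMethod`.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// errNonCanonicalPath stands in for the codes.Unimplemented status the fixed
// gRPC-Go server returns; this example uses only the standard library.
var errNonCanonicalPath = errors.New("unimplemented: method path must start with '/'")

// denyPolicy is a deny list of canonical full-method names with a fallback
// allow, the policy shape the advisory describes as affected.
type denyPolicy struct {
	deny map[string]bool
}

// authorizeRaw compares the path exactly as received against the deny list.
// Before 1.79.3 this is effectively what a path-based interceptor did with
// info.FullMethod: "pkg.Svc/Method" never equals "/pkg.Svc/Method", so the
// request falls through to the fallback allow.
func (p denyPolicy) authorizeRaw(fullMethod string) bool {
	return !p.deny[fullMethod]
}

// authorizeValidated is the validating-interceptor mitigation: a path without
// the mandatory leading slash is rejected before any rule is consulted.
func (p denyPolicy) authorizeValidated(fullMethod string) (bool, error) {
	if !strings.HasPrefix(fullMethod, "/") {
		return false, errNonCanonicalPath
	}
	return p.authorizeRaw(fullMethod), nil
}

func main() {
	p := denyPolicy{deny: map[string]bool{"/example.Admin/Reset": true}}
	// Constructed sample paths: the denied canonical path, its non-canonical
	// form, and a path covered only by the fallback allow.
	for _, path := range []string{"/example.Admin/Reset", "example.Admin/Reset", "/example.Public/Ping"} {
		ok, err := p.authorizeValidated(path)
		fmt.Printf("%-22s raw-allow=%-5v validated-allow=%-5v err=%v\n",
			path, p.authorizeRaw(path), ok, err)
	}
}
```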


Affected products
openSUSE Leap 16.0:apptainer-1.4.5-bp160.1.1
openSUSE Leap 16.0:apptainer-leap-1.4.5-bp160.1.1
openSUSE Leap 16.0:apptainer-sle15_7-1.4.5-bp160.1.1
openSUSE Leap 16.0:apptainer-sle16-1.4.5-bp160.1.1

References

Description

Go JOSE provides an implementation of the JavaScript Object Signing and Encryption set of standards in Go, including support for JSON Web Encryption (JWE), JSON Web Signature (JWS), and JSON Web Token (JWT) standards. Prior to 4.1.4 and 3.0.5, decrypting a JSON Web Encryption (JWE) object will panic if the alg field indicates a key wrapping algorithm (one ending in KW, with the exception of A128GCMKW, A192GCMKW, and A256GCMKW) and the encrypted_key field is empty. The panic happens when cipher.KeyUnwrap() in key_wrap.go attempts to allocate a slice with a zero or negative length based on the length of the encrypted_key. This code path is reachable from ParseEncrypted() / ParseEncryptedJSON() / ParseEncryptedCompact() followed by Decrypt() on the resulting object. Note that the parse functions take a list of accepted key algorithms. If the accepted key algorithms do not include any key wrapping algorithms, parsing will fail and the application will be unaffected. This panic is also reachable by calling cipher.KeyUnwrap() directly with any ciphertext parameter less than 16 bytes long, but calling this function directly is less common. Panics can lead to denial of service. This vulnerability is fixed in 4.1.4 and 3.0.5.


Affected products
openSUSE Leap 16.0:apptainer-1.4.5-bp160.1.1
openSUSE Leap 16.0:apptainer-leap-1.4.5-bp160.1.1
openSUSE Leap 16.0:apptainer-sle15_7-1.4.5-bp160.1.1
openSUSE Leap 16.0:apptainer-sle16-1.4.5-bp160.1.1

References