Merge pull request #1250 from dtrudg/3.10.5

dtrudg · web-flow · commit 25989dbe42aa · 2023-01-17T14:05:58.000Z
docs: Bump for 3.10.5 release
diff --git a/.circleci/config.yml b/.circleci/config.yml
@@ -6,7 +6,7 @@ orbs:
 parameters:
   go-version:
     type: string
-    default: '1.19.3'
+    default: '1.19.5'
 
 executors:
   node:
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,5 +1,18 @@
 # SingularityCE Changelog
 
+## 3.10.5 \[2022-01-17\]
+
+### Security Related Fixes
+
+- [CVE-2022-23538](https://github.com/sylabs/scs-library-client/security/advisories/GHSA-7p8m-22h4-9pj7):
+  The github.com/sylabs/scs-library-client dependency included in SingularityCE
+  \>=3.10.0, \<3.10.5 may leak user credentials to a third-party service via HTTP
+  redirect. This issue is limited to `library://` access to specific Singularity
+  Enterprise 1.x or 3rd party library configurations, which implement a
+  concurrent multi-part download flow. Access to Singularity Enterprise 2.x, or
+  Singularity Container Services (cloud.sylabs.io), does not trigger the
+  vulnerable flow. See the linked advisory for full details.
+
 ## 3.10.4 \[2022-11-10\]
 
 ### Bug Fixes
diff --git a/INSTALL.md b/INSTALL.md
@@ -56,7 +56,7 @@ _**NOTE:** if you are updating Go from a older version, make sure you remove
 `/usr/local/go` before reinstalling it._
 
 ```sh
-export VERSION=1.19.3 OS=linux ARCH=amd64  # change this as you need
+export VERSION=1.19.5 OS=linux ARCH=amd64  # change this as you need
 
 wget -O /tmp/go${VERSION}.${OS}-${ARCH}.tar.gz \
   https://dl.google.com/go/go${VERSION}.${OS}-${ARCH}.tar.gz
@@ -114,11 +114,11 @@ cd singularity
 By default your clone will be on the `main` branch which is where development
 of SingularityCE happens. To build a specific version of SingularityCE, check
 out a [release tag](https://github.com/sylabs/singularity/tags) before
-compiling. E.g. to build the 3.10.4 release checkout the
-`v3.10.4` tag:
+compiling. E.g. to build the 3.10.5 release checkout the
+`v3.10.5` tag:
 
 ```sh
-git checkout --recurse-submodules v3.10.4
+git checkout --recurse-submodules v3.10.5
 ```
 
 ## Compiling SingularityCE
@@ -169,7 +169,7 @@ build and install the RPM like this:
 <!-- markdownlint-disable MD013 -->
 
 ```sh
-export VERSION=3.10.4  # this is the singularity version, change as you need
+export VERSION=3.10.5  # this is the singularity version, change as you need
 
 # Fetch the source
 wget https://github.com/sylabs/singularity/releases/download/v${VERSION}/singularity-ce-${VERSION}.tar.gz
diff --git a/LICENSE.md b/LICENSE.md
@@ -17,7 +17,7 @@ reserved.
 
 Copyright (c) 2017, SingularityWare, LLC. All rights reserved.
 
-Copyright (c) 2018-2022, Sylabs, Inc. All rights reserved.
+Copyright (c) 2018-2023, Sylabs, Inc. All rights reserved.
 
 Copyright (c) Contributors to the Apptainer project, established as Apptainer a
 Series of LF Projects LLC.
