CVE-2021-29499

NameCVE-2021-29499
DescriptionSIF is an open source implementation of the Singularity Container Image Format. The `siftool new` command and func siftool.New() produce predictable UUID identifiers due to insecure randomness in the version of the `github.com/satori/go.uuid` module used as a dependency. A patch is available in version >= v1.2.3 of the module. Users are encouraged to upgrade. As a workaround, users passing CreateInfo struct should ensure the `ID` field is generated using a version of `github.com/satori/go.uuid` that is not vulnerable to this issue.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs991664

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
golang-github-sylabs-sif (PTS)bullseye1.0.9-2.1vulnerable
bookworm2.8.3-1fixed
sid, trixie2.20.0-2fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
golang-github-sylabs-sifsourceexperimental2.3.1-1
golang-github-sylabs-sifsource(unstable)2.3.1-2991664

Notes

[bullseye] - golang-github-sylabs-sif <no-dsa> (Minor issue)
https://github.com/sylabs/sif/security/advisories/GHSA-4gh8-x3vv-phhg
Search for package or bug name: Reporting problems