Releases · sylabs/singularity

SingularityCE 4.5.0 contains mostly internal code changes and defense-in-depth hardening. The majority of the changes made since release 4.4.2 do not alter behaviour, with the exception of specific points highlighted below.

Like many other open source projects, SingularityCE is increasingly the target of LLM driven analysis. The changes in 4.5.0 aim to minimise false positives, reduce maintainer burden, and provide defense-in-depth in areas where it is appropriate.

If you are a security researcher working on SingularityCE, please see the new AGENTS.md and SECURITY.md content.

If you are a developer, intending to contribute to SingularityCE, please review the LLM policy in CONTRIBUTING.md.

Behaviour Changes

In setuid mode, root-ownership checks on singularity.conf and the capabilities / ecl configuration now assert that these files are not writable except by the root owner. Management of these files by an administrator group is no longer possible. The files cannot be relocated by symlink.
External helper binaries executed with elevated privileges must also be root-owned, regular executable files that are not writable by group or others.
The majority of files that may be created by SingularityCE (e.g. remote configuration, pulled images), can no longer be created through a dangling symlink.
If ecl.toml is missing, SIF execution is rejected rather than assuming an inactive ECL configuration. The default install ships an activated = false template, so standard installations are unaffected; sites with custom or partial installs must ensure ecl.toml is present and valid.

Developer / API

The following have been removed:
- UpdateDefinitionRaw() from pkg/build/types.
- OptSysCtx() from pkg/ocibundle/native/bundle_linux.go
- CreateLoop() from pkg/ocibundle/tools/loop.go
- pkg/util/copy
- pkg/util/sysctl
- pkg/util/unix
The pkg/build/types and pkg/build/types/parser packages can now be used in programs built without cgo. An os.user fallback for i/p/util/user lookups is used when CGO is not available.

Thanks / Reporting Bugs

Thanks to our contributors for code, feedback and, testing efforts!

As always, please report any bugs to: https://github.com/sylabs/singularity/issues/new

If you think that you've discovered a security vulnerability please report it to: security@sylabs.io

Have fun!

Downloads

Source Code

Please use the singularity-ce-4.5.0.tar.gz download below to obtain and install SingularityCE 4.5.0. The GitHub auto-generated 'Source Code' downloads do not include required dependencies etc.

Packages

RPM / DEB packages are provided for:

Ubuntu 22.04 (jammy)
Ubuntu 24.04 (noble)
RHEL/CentOS/AlmaLinux/Rocky 8 (el8)
RHEL/CentOS/AlmaLinux/Rocky 9 (el9)
RHEL/CentOS/AlmaLinux/Rocky 10 (el10)

These packages were built with Go 1.26.4

Upload-time immutable digests are now provided for release downloads by GitHub. A separate sha256sums file will no longer be provided.

@KoseceMehmet

Security Related Fixes

Fix for CVE-2026-47215 / GHSA-wqcr-7rf3-f64m Incorrect path matching for 'limit container paths' directive

Changed Defaults / Behaviours

Although SingularityCE does not aim to contain execution / prevent host modification when started as the host root user, the following changes have been adopted to permit finer control over the use of external binaries, with a modified default search path when singularity is run as the host root user:

When started as host root, external binaries (except those with explicit configuration entries) are now found using the root search path in singularity.conf. By default this excludes searching the environment $PATH. Add $PATH: to the start of root search path in singularity.conf to restore previous behavior.
When started as non-root / fake root, external binaries (except those with explicit configuration entires) are now found using the user search path in singularity.conf. By default this includes $PATH, so there is no effective behaviour change vs previous versions.

Thank you to @KoseceMehmet for suggesting this change.

Thanks / Reporting Bugs

Thanks to our contributors for code, feedback and, testing efforts!

As always, please report any bugs to: https://github.com/sylabs/singularity/issues/new

If you think that you've discovered a security vulnerability please report it to: security@sylabs.io

Have fun!

Downloads

Source Code

Please use the singularity-ce-4.4.2.tar.gz download below to obtain and install SingularityCE 4.4.2. The GitHub auto-generated 'Source Code' downloads do not include required dependencies etc.

Packages

RPM / DEB packages are provided for:

Ubuntu 22.04 (jammy)
Ubuntu 24.04 (noble)
RHEL/CentOS/AlmaLinux/Rocky 8 (el8)
RHEL/CentOS/AlmaLinux/Rocky 9 (el9)
RHEL/CentOS/AlmaLinux/Rocky 10 (el10)

These packages were built with Go 1.26.4

Upload-time immutable digests are now provided for release downloads by GitHub. A separate sha256sums file will no longer be provided.

Bug Fixes

Use lazy unmount for overlay items that are FUSE mounted, to prevent errors if unmount takes time due to the device being busy. We already use lazy (MNT_DETACH) for kernel mounted overlay items.
Address FUSE unmount error that can occur with short-lived containers on busy systems.
Fix spurious cleanup error message when cleanup is successful.

Requirements / Packaging

Requires Go 1.25.7 or above, due to various dependencies.

Thanks / Reporting Bugs

Thanks to our contributors for code, feedback and, testing efforts!

As always, please report any bugs to: https://github.com/sylabs/singularity/issues/new

If you think that you've discovered a security vulnerability please report it to: security@sylabs.io

Have fun!

Downloads

Source Code

Please use the singularity-ce-4.4.1.tar.gz download below to obtain and install SingularityCE 4.4.1. The GitHub auto-generated 'Source Code' downloads do not include required dependencies etc.

Packages

RPM / DEB packages are provided for:

Ubuntu 22.04 (jammy)
Ubuntu 24.04 (noble)
RHEL/CentOS/AlmaLinux/Rocky 8 (el8)
RHEL/CentOS/AlmaLinux/Rocky 9 (el9)
RHEL/CentOS/AlmaLinux/Rocky 10 (el10)

These packages were built with Go 1.26.1

Upload-time immutable digests are now provided for release downloads by GitHub. A separate sha256sums file will no longer be provided.

This is a new minor version, focused around modernisation of code and bugfix improvements as detailed below.

Bug Fixes

Include the home directory in the --workdir option (which is a modifier of the --contain option). This has always been in the
--workdir usage description but the home directory has not actually been included at least since singularity-2.
Avoid a fatal error when starting fakeroot from suid mode while in an NFS directory.
Support hosts that have /etc/resolv.conf pointing to a symlink under /run, such as those hosts that are running systemd-resolved. In this case, the symlink is copied into the container and the parent directory of the target of the symlink is bind-mounted from the host. The result is that even if the target of the symlink is replaced with a new file, the container sees the update in /etc/resolv.conf.
Correctly escape ENV vars when importing OCI containers to native SIF, so that they match podman / docker behaviour.
Clarify error when trying to build --oci from a non-Dockerfile spec.
When images are pulled implicitly by actions (run/shell/exec...), and the cache is disabled, correctly clean up the temporary files.
Ensure singularity-buildkitd runs effective GC at the start of each run.
Apply --debug flag to buildkit logging correctly.
Avoid OOM by buffering docker-daemon: images via a temporary file instead of memory. Note that the file is created in $TMPDIR - the dependency involved cannot be instructed to use $SINGULARITY_TMPDIR at this time.

New Features & Functionality

Add /etc/resolv.conf to the list of host paths that can be prevented from automatic import into the container with the --no-mount option.

Requirements / Packaging

Requires Go 1.25.6 or above, due to various dependencies.

Thanks / Reporting Bugs

Thanks to our contributors for code, feedback and, testing efforts!

As always, please report any bugs to: https://github.com/sylabs/singularity/issues/new

If you think that you've discovered a security vulnerability please report it to: security@sylabs.io

Have fun!

Downloads

Source Code

Please use the singularity-ce-4.4.0.tar.gz download below to obtain and install SingularityCE 4.4.0. The GitHub auto-generated 'Source Code' downloads do not include required dependencies etc.

Packages

RPM / DEB packages are provided for:

Ubuntu 22.04 (jammy)
Ubuntu 24.04 (noble)
RHEL/CentOS/AlmaLinux/Rocky 8 (el8)
RHEL/CentOS/AlmaLinux/Rocky 9 (el9)
RHEL/CentOS/AlmaLinux/Rocky 10 (el10)

These packages were built with Go 1.26.0

This is a patch release in the 4.3 series.

Bug Fixes

Don't attempt to set relatime on workdir / scratch mounts in OCI-Mode.

Thanks / Reporting Bugs

Thanks to our contributors for code, feedback and, testing efforts!

As always, please report any bugs to: https://github.com/sylabs/singularity/issues/new

If you think that you've discovered a security vulnerability please report it to: security@sylabs.io

Have fun!

Downloads

Source Code

Please use the singularity-ce-4.3.7.tar.gz download below to obtain and install SingularityCE 4.3.7. The GitHub auto-generated 'Source Code' downloads do not include required dependencies etc.

Packages

RPM / DEB packages are provided for:

Ubuntu 22.04 (jammy)
Ubuntu 24.04 (noble)
RHEL/CentOS/AlmaLinux/Rocky 8 (el8)
RHEL/CentOS/AlmaLinux/Rocky 9 (el9)
RHEL/CentOS/AlmaLinux/Rocky 10 (el10)

These packages were built with Go 1.25.6

This is a patch release in the 4.3 series, with security fixes.

Security Related Fixes

Updates bundled CNI plugins to v1.9.0, to fix CVE-2025-67499 Portmap nftables backend can intercept non-local traffic.
Dependencies updated.

Thanks / Reporting Bugs

Thanks to our contributors for code, feedback and, testing efforts!

As always, please report any bugs to: https://github.com/sylabs/singularity/issues/new

If you think that you've discovered a security vulnerability please report it to: security@sylabs.io

Have fun!

Downloads

Source Code

Please use the singularity-ce-4.3.6.tar.gz download below to obtain and install SingularityCE 4.3.6. The GitHub auto-generated 'Source Code' downloads do not include required dependencies etc.

Packages

RPM / DEB packages are provided for:

Ubuntu 22.04 (jammy)
Ubuntu 24.04 (noble)
RHEL/CentOS/AlmaLinux/Rocky 8 (el8)
RHEL/CentOS/AlmaLinux/Rocky 9 (el9)
RHEL/CentOS/AlmaLinux/Rocky 10 (el10)

These packages were built with Go 1.25.5

This is a patch release in the 4.3 series, with security fixes.

Security Related Fixes

Fix for CVE-2025-64750 / GHSA-wwrx-w7c9-rf87 Ineffective application of selinux / apparmor LSM process labels via the --security flag.
Dependencies updated.

Thanks / Reporting Bugs

Thanks to our contributors for code, feedback and, testing efforts!

As always, please report any bugs to: https://github.com/sylabs/singularity/issues/new

If you think that you've discovered a security vulnerability please report it to: security@sylabs.io

Have fun!

Downloads

Source Code

Please use the singularity-ce-4.3.5.tar.gz download below to obtain and install SingularityCE 4.3.5. The GitHub auto-generated 'Source Code' downloads do not include required dependencies etc.

Packages

RPM / DEB packages are provided for:

Ubuntu 22.04 (jammy)
Ubuntu 24.04 (noble)
RHEL/CentOS/AlmaLinux/Rocky 8 (el8)
RHEL/CentOS/AlmaLinux/Rocky 9 (el9)
RHEL/CentOS/AlmaLinux/Rocky 10 (el10)

These packages were built with Go 1.25.4

This is a patch release in the 4.3 series,

Security Related Fixes

GitHub release packages built using Go 1.25.3, due to large number of denial-of-service CVEs fixed in 1.25.2.
All dependencies updated.

Thanks / Reporting Bugs

Thanks to our contributors for code, feedback and, testing efforts!

As always, please report any bugs to: https://github.com/sylabs/singularity/issues/new

If you think that you've discovered a security vulnerability please report it to: security@sylabs.io

Have fun!

Downloads

Source Code

Please use the singularity-ce-4.3.4.tar.gz download below to obtain and install SingularityCE 4.3.4. The GitHub auto-generated 'Source Code' downloads do not include required dependencies etc.

Packages

RPM / DEB packages are provided for:

Ubuntu 22.04 (jammy)
Ubuntu 24.04 (noble)
RHEL/CentOS/AlmaLinux/Rocky 8 (el8)
RHEL/CentOS/AlmaLinux/Rocky 9 (el9)
RHEL/CentOS/AlmaLinux/Rocky 10 (el10)

These packages were built with Go 1.25.3

This is a patch release in the 4.3 series, with dependency updates and the following changes:

Requirements / Packaging

Requires Go 1.24.3 or above, due to various dependencies.
Bundled squashfuse is now 0.6.1.

Changed defaults / behaviours

Use OCI Manifest Schema 1 for ORAS pushes. Addresses errors pushing to Quay,
which applies a must be restriction for the config.mediaType value on
Docker Manifest Schema 2 (spec has a looser should generally be).

Bug fixes

Don't set ineffective mode=777 on workdir bind. Fixes error in OCI-mode with
--workdir and runc >= 1.2.0.

Thanks / Reporting Bugs

Thanks to our contributors for code, feedback and, testing efforts!

As always, please report any bugs to: https://github.com/sylabs/singularity/issues/new

If you think that you've discovered a security vulnerability please report it to: security@sylabs.io

Have fun!

Downloads

Source Code

Please use the singularity-ce-4.3.3.tar.gz download below to obtain and install SingularityCE 4.3.3. The GitHub auto-generated 'Source Code' downloads do not include required dependencies etc.

Packages

RPM / DEB packages are provided for:

Ubuntu 22.04 (jammy)
Ubuntu 24.04 (noble)
RHEL/CentOS/AlmaLinux/Rocky 8 (el8)
RHEL/CentOS/AlmaLinux/Rocky 9 (el9)
RHEL/CentOS/AlmaLinux/Rocky 10 (el10)

These packages were built with Go 1.25.0

This is a patch release in the 4.3 series, with dependency updates and the following changes:

Requirements / Packaging

Ubuntu 20.04 packages dropped - end-of-life.
EL 10 (RHEL/AlmaLinux/Rocky Linux 10) packages introduced.
Build bundled squashfuse against FUSE3 for all packages.
Don't depend on fuse on Ubuntu - installing this package on 22.04 can
cause conflicts with the Ubuntu Desktop package set.

Thanks / Reporting Bugs

Thanks to our contributors for code, feedback and, testing efforts!

As always, please report any bugs to: https://github.com/sylabs/singularity/issues/new

If you think that you've discovered a security vulnerability please report it to: security@sylabs.io

Have fun!

Downloads

Source Code

Please use the singularity-ce-4.3.2.tar.gz download below to obtain and install SingularityCE 4.3.2. The GitHub auto-generated 'Source Code' downloads do not include required dependencies etc.

Packages

RPM / DEB packages are provided for:

Ubuntu 22.04 (jammy)
Ubuntu 24.04 (noble)
RHEL/CentOS/AlmaLinux/Rocky 8 (el8)
RHEL/CentOS/AlmaLinux/Rocky 9 (el9)
RHEL/CentOS/AlmaLinux/Rocky 10 (el10)

These packages were built with Go 1.24.4

Uh oh!

Releases: sylabs/singularity

SingularityCE 4.5.0

Behaviour Changes

Developer / API

Thanks / Reporting Bugs

Downloads

Uh oh!

SingularityCE 4.4.2

Security Related Fixes

Changed Defaults / Behaviours

Thanks / Reporting Bugs

Downloads

Contributors

Uh oh!

SingularityCE 4.4.1

Bug Fixes

Requirements / Packaging

Thanks / Reporting Bugs

Downloads

Uh oh!

SingularityCE 4.4.0

Bug Fixes

New Features & Functionality

Requirements / Packaging

Thanks / Reporting Bugs

Downloads

Uh oh!

SingularityCE 4.3.7

Bug Fixes

Thanks / Reporting Bugs

Downloads

Uh oh!

SingularityCE 4.3.6

Security Related Fixes

Thanks / Reporting Bugs

Downloads

Uh oh!

SingularityCE 4.3.5

Security Related Fixes

Thanks / Reporting Bugs

Downloads

Uh oh!

SingularityCE 4.3.4

Security Related Fixes

Thanks / Reporting Bugs

Downloads

Uh oh!

SingularityCE 4.3.3

Requirements / Packaging

Changed defaults / behaviours

Bug fixes

Thanks / Reporting Bugs

Downloads

Uh oh!

SingularityCE 4.3.2

Requirements / Packaging

Thanks / Reporting Bugs

Downloads

Uh oh!