Merge pull request #6003 from DrDaveD/changelog-3.8.0-rc.2

Add v3.7.4 CHANGELOG for 3.8.0-rc.2

Author: kmuriki

CHANGELOG.md

@@ -10,7 +10,7 @@ _With the release of `v3.0.0`, we're introducing a new changelog format in an at
 _The old changelog can be found in the `release-2.6` branch_
 
 
-# v3.8.0 - [2021-05-21]
+# v3.8.0-rc.2 Release Candidate - [2021-05-26]
 
 > :warning: Go module was renamed from `github.com/sylabs/singularity` to `github.com/hpcng/singularity`
 
@@ -54,6 +54,20 @@ of `make test` for ease of use:
     and `E2E_DOCKER_PASSWORD` environment variables.
 
 
+# v3.7.4 - [2021-05-26]
+
+## Security Related Fixes
+
+  - [CVE-2021-32635](https://github.com/hpcng/singularity/security/advisories/GHSA-jq42-hfch-42f3):
+    Due to incorrect use of a default URL, singularity action commands
+    (run/shell/exec) specifying a container using a library:// URI will
+    always attempt to retrieve the container from the default remote
+    endpoint (cloud.sylabs.io) rather than the configured remote
+    endpoint.  An attacker may be able to push a malicious container to
+    the default remote endpoint with a URI that is identical to the URI
+    used by a victim with a non-default remote endpoint, thus executing
+    the malicious container.
+
 # v3.7.3 - [2021-04-06]
 
 ## Security Related Fixes