Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

chore(deps): update module github.com/opencontainers/runc to v1.1.5 #1412

Closed
wants to merge 1 commit into from
Closed

chore(deps): update module github.com/opencontainers/runc to v1.1.5 #1412

wants to merge 1 commit into from

Conversation

renovate[bot]
Copy link
Contributor

@renovate renovate bot commented Apr 6, 2023

Mend Renovate

This PR contains the following updates:

Package Type Update Change
github.com/opencontainers/runc replace patch v1.1.1-0.20220617142545-8b9452f75cbc -> v1.1.5

Release Notes

opencontainers/runc

v1.1.5: runc 1.1.5 -- "囚われた屈辱は 反撃の嚆矢だ"

Compare Source

This is the fifth patch release in the 1.1.z series of runc, which fixes
three CVEs found in runc.

In addition, the following other fixes are included in this release:

  • Fix the inability to use /dev/null when inside a container. (#​3620)
  • Fix changing the ownership of host's /dev/null caused by fd redirection
    (a regression in 1.1.1). (#​3674, #​3731)
  • Fix rare runc exec/enter unshare error on older kernels, including
    CentOS < 7.7. (#​3776)
  • nsexec: Check for errors in write_log(). (#​3721)
Static Linking Notices

The runc binary distributed with this release are statically linked with
the following GNU LGPL-2.1 licensed libraries, with runc acting
as a "work that uses the Library":

The versions of these libraries were not modified from their upstream versions,
but in order to comply with the LGPL-2.1 (§6(a)), we have attached the
complete source code for those libraries which (when combined with the attached
runc source code) may be used to exercise your rights under the LGPL-2.1.

However we strongly suggest that you make use of your distribution's packages
or download them from the authoritative upstream sources, especially since
these libraries are related to the security of your containers.

Thanks to all of the contributors who made this release possible:

[Due to the security-critical nature of this release, it was released
without a direct vote but was agreed to by the required number of
maintainers.]

Signed-off-by: Aleksa Sarai cyphar@cyphar.com

v1.1.4: runc 1.1.4 -- "If you look for perfection, you'll never be content."

Compare Source

This is the fourth patch release in the 1.1.z series of runc, primarily
fixing a regression introduced in 1.1.3 related to device rules. It also
fixes a few other bugs.

  • Fix mounting via wrong proc fd. When the user and mount namespaces are
    used, and the bind mount is followed by the cgroup mount in the spec,
    the cgroup was mounted using the bind mount's mount fd. (#​3511)
  • Switch kill() in libcontainer/nsenter to sane_kill(). (#​3536)
  • Fix "permission denied" error from runc run on noexec fs. (#​3541)
  • Fix failed exec after systemctl daemon-reload. Due to a regression
    in v1.1.3, the DeviceAllow=char-pts rwm rule was no longer added and
    was causing an error open /dev/pts/0: operation not permitted: unknown when systemd was reloaded. (#​3554)
Static Linking Notices

The runc binary distributed with this release are statically linked with
the following GNU LGPL-2.1 licensed libraries, with runc acting
as a "work that uses the Library":

The versions of these libraries were not modified from their upstream versions,
but in order to comply with the LGPL-2.1 (§6(a)), we have attached the
complete source code for those libraries which (when combined with the attached
runc source code) may be used to exercise your rights under the LGPL-2.1.

However we strongly suggest that you make use of your distribution's packages
or download them from the authoritative upstream sources, especially since
these libraries are related to the security of your containers.

Thanks to all of the contributors who made this release possible:

Signed-off-by: Aleksa Sarai cyphar@cyphar.com

v1.1.3: runc 1.1.3 -- "In the beginning there was nothing, which exploded."

Compare Source

This is the third release of the 1.1.z series of runc, and contains
various minor improvements and bugfixes.

  • Our seccomp -ENOSYS stub now correctly handles multiplexed syscalls on
    s390 and s390x. This solves the issue where syscalls the host kernel did not
    support would return -EPERM despite the existence of the -ENOSYS stub
    code (this was due to how s390x does syscall multiplexing). (#​3478)
  • Retry on dbus disconnect logic in libcontainer/cgroups/systemd now works as
    intended; this fix does not affect runc binary itself but is important for
    libcontainer users such as Kubernetes. (#​3476)
  • Inability to compile with recent clang due to an issue with duplicate
    constants in libseccomp-golang. (#​3477)
  • When using systemd cgroup driver, skip adding device paths that don't exist,
    to stop systemd from emitting warnings about those paths. (#​3504)
  • Socket activation was failing when more than 3 sockets were used. (#​3494)
  • Various CI fixes. (#​3472, #​3479)
  • Allow to bind mount /proc/sys/kernel/ns_last_pid to inside container. (#​3493)
  • runc static binaries are now linked against libseccomp v2.5.4. (#​3481)
Static Linking Notices

The runc binary distributed with this release are statically linked with
the following GNU LGPL-2.1 licensed libraries, with runc acting
as a "work that uses the Library":

The versions of these libraries were not modified from their upstream versions,
but in order to comply with the LGPL-2.1 (§6(a)), we have attached the
complete source code for those libraries which (when combined with the attached
runc source code) may be used to exercise your rights under the LGPL-2.1.

However we strongly suggest that you make use of your distribution's packages
or download them from the authoritative upstream sources, especially since
these libraries are related to the security of your containers.

Thanks to all of the contributors who made this release possible:

Signed-off-by: Aleksa Sarai cyphar@cyphar.com

v1.1.2: runc 1.1.2 -- "I should think I’m going to be a perpetual student."

Compare Source

This is the second patch release of the runc 1.1 release branch. It
fixes CVE-2022-29162, a minor security issue (which appears to not be
exploitable) related to process capabilities.

This is a similar bug to the ones found and fixed in Docker and
containerd recently (CVE-2022-24769).

  • A bug was found in runc where runc exec --cap executed processes with
    non-empty inheritable Linux process capabilities, creating an atypical Linux
    environment. For more information, see GHSA-f3fp-gc8g-vw66 and
    CVE-2022-29162.
  • runc spec no longer sets any inheritable capabilities in the created
    example OCI spec (config.json) file.
Static Linking Notices

The runc binary distributed with this release are statically linked with
the following GNU LGPL-2.1 licensed libraries, with runc acting
as a "work that uses the Library":

The versions of these libraries were not modified from their upstream versions,
but in order to comply with the LGPL-2.1 (§6(a)), we have attached the
complete source code for those libraries which (when combined with the attached
runc source code) may be used to exercise your rights under the LGPL-2.1.

However we strongly suggest that you make use of your distribution's packages
or download them from the authoritative upstream sources, especially since
these libraries are related to the security of your containers.

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate. View repository job log here.

@renovate renovate bot added the dependencies Pull requests that update a dependency file label Apr 6, 2023
vrothberg
vrothberg reviewed Apr 6, 2023
View reviewed changes
go.mod
@@ -55,6 +55,7 @@ require (
github.com/acarl005/stripansi v0.0.0-20180116102854-5a71ef0e047d // indirect
github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2 // indirect
github.com/chzyer/readline v1.5.1 // indirect
github.com/cilium/ebpf v0.9.1 // indirect
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This adds ... a lot of ... code.

Need to investigate

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

opencontainers/runc#3452 changed it in runc so we do not have to import so much, I guess there is a regression which added the unwanted imports back in some place.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nevermind this is a downgrade, go versioning is something...
there is a reason this uses a replace here.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for checking. Let's close it

@renovate
chore(deps): update module github.com/opencontainers/runc to v1.1.5
4355380 
Signed-off-by: Renovate Bot <bot@renovateapp.com>
@renovate renovate bot force-pushed the renovate/git.luolix.top-opencontainers-runc-1.x branch from ec40972 to 4355380 Compare April 6, 2023 08:58
@openshift-ci
Copy link
Contributor

openshift-ci bot commented Apr 6, 2023

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: renovate[bot]
Once this PR has been reviewed and has the lgtm label, please ask for approval from luap99. For more information see the Kubernetes Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@vrothberg vrothberg closed this Apr 6, 2023
@renovate
Copy link
Contributor Author

renovate bot commented Apr 6, 2023

Renovate Ignore Notification

As this PR has been closed unmerged, Renovate will now ignore this update (v1.1.5). You will still receive a PR once a newer version is released, so if you wish to permanently ignore this dependency, please add it to the ignoreDeps array of your renovate config.

If this PR was closed by mistake or you changed your mind, you can simply rename this PR and you will soon get a fresh replacement PR opened.

@renovate renovate bot deleted the renovate/git.luolix.top-opencontainers-runc-1.x branch April 6, 2023 11:40
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@vrothberg vrothberg vrothberg left review comments

@Luap99 Luap99 Luap99 left review comments

Assignees

@rhatdan rhatdan

@vrothberg vrothberg

@Luap99 Luap99

Labels
dependencies Pull requests that update a dependency file
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@vrothberg @Luap99 @rhatdan