
Update github.com/opencontainers/runc to v1.0.3 (fix CVE-2021-43784) #518

Merged
merged 1 commit into from
Dec 9, 2021

Conversation

pjbgf
Member

@pjbgf pjbgf commented Dec 9, 2021

Security Advisories fixed:

github.com/opencontainers/runc v1.0.3
IDs: CVE-2021-43784, GO-2021-0085, GO-2021-0087
Links:
GHSA-v95c-p5hm-xq8f

@pjbgf
Member Author

pjbgf commented Dec 9, 2021

Is there any specific format we can use to track the CVEs fixed so they can be made explicit in the "release changes"?

@stefanprodan
Member

Please undo these changes and bump the version in the replace section, and add the CVE numbers there.

Member

@stefanprodan stefanprodan left a comment

Please rebase with upstream main and force push.

Member

@stefanprodan stefanprodan left a comment

LGTM

Thanks @pjbgf

PS. After we release source-controller with these changes, you can update IAC too.

@stefanprodan
Member

@pjbgf I assumed you've run `make test` before opening this PR; please do so from now on. The runc update comes with breaking changes:

../home/go/pkg/mod/github.com/deislabs/oras@v0.11.1/pkg/oras/push.go:52:31: not enough arguments in call to remotes.PushContent
	have (context.Context, remotes.Pusher, v1.Descriptor, "github.com/containerd/containerd/content".Store, nil, func(images.Handler) images.Handler)
	want (context.Context, remotes.Pusher, v1.Descriptor, "github.com/containerd/containerd/content".Store, *semaphore.Weighted, platforms.MatchComparer, func(images.Handler)

@stefanprodan stefanprodan self-requested a review December 9, 2021 09:55
Advisories fixed:
github.com/opencontainers/runc: CVE-2021-43784 GO-2021-0085 GO-2021-0087

Signed-off-by: Paulo Gomes <paulo.gomes@weave.works>
@pjbgf
Member Author

pjbgf commented Dec 9, 2021

The issue was with the containerd dependency, which I have now removed from the PR. Tested it locally and it is working fine now. 👍

@pjbgf pjbgf changed the title Bump dependencies to patch security advisories Update github.com/opencontainers/runc to v1.0.3 (fix CVE-2021-43784, GO-2021-0085, GO-2021-0087) Dec 9, 2021
@stefanprodan stefanprodan changed the title Update github.com/opencontainers/runc to v1.0.3 (fix CVE-2021-43784, GO-2021-0085, GO-2021-0087) Update github.com/opencontainers/runc to v1.0.3 (fix CVE-2021-43784) Dec 9, 2021
@stefanprodan stefanprodan merged commit bb6794c into fluxcd:main Dec 9, 2021
@pjbgf pjbgf deleted the security-advisories branch December 9, 2021 10:58