Bump runc from v1.1.13 to v1.2.4

cache/runc.json

@@ -0,0 +1,7 @@
+{
+  "tagName": "v1.2.4",
+  "url": "https://github.com/opencontainers/runc/releases/tag/v1.2.4",
+  "description": "This is the fourth patch release of the 1.2.z release branch of runc. It\r\nincludes a fix for a regression introduced in 1.2.0 related to the\r\ndefault device list.\r\n\r\n * Re-add tun/tap devices to built-in allowed devices lists.\r\n\r\n   In runc 1.2.0 we removed these devices from the default allow-list\r\n   (which were added seemingly by accident early in Docker's history) as\r\n   a precaution in order to try to reduce the attack surface of device\r\n   inodes available to most containers (#3468). At the time we thought\r\n   that the vast majority of users using tun/tap would already be\r\n   specifying what devices they need (such as by using `--device` with\r\n   Docker/Podman) as opposed to doing the `mknod` manually, and thus\r\n   there would've been no user-visible change.\r\n\r\n   Unfortunately, it seems that this regressed a noticeable number of\r\n   users (and not all higher-level tools provide easy ways to specify\r\n   devices to allow) and so this change needed to be reverted. Users\r\n   that do not need these devices are recommended to explicitly disable\r\n   them by adding deny rules in their container configuration. (#4555,\r\n   #4556)\r\n\r\n\r\n### Static Linking Notices ###\r\n\r\nThe `runc` binary distributed with this release are *statically linked* with\r\nthe following [GNU LGPL-2.1][lgpl-2.1] licensed libraries, with `runc` acting\r\nas a \"work that uses the Library\":\r\n\r\n[lgpl-2.1]: https://www.gnu.org/licenses/old-licenses/lgpl-2.1.en.html\r\n\r\n  - [libseccomp](https://github.com/seccomp/libseccomp)\r\n\r\nThe versions of these libraries were not modified from their upstream versions,\r\nbut in order to comply with the LGPL-2.1 (&sect;6(a)), we have attached the\r\ncomplete source code for those libraries which (when combined with the attached\r\nrunc source code) may be used to exercise your rights under the LGPL-2.1.\r\n\r\nHowever we strongly suggest that you make use of your distribution's packages\r\nor download them from the authoritative upstream sources, especially since\r\nthese libraries are related to the security of your containers.\r\n\r\n<hr>\r\n\r\n\r\nThanks to all of the contributors who made this release possible:\r\n\r\n * Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>\r\n * Aleksa Sarai <cyphar@cyphar.com>\r\n * Kir Kolyshkin <kolyshkin@gmail.com>\r\n * lifubang <lifubang@acmcoder.com>\r\n\r\nSigned-off-by: Aleksa Sarai <cyphar@cyphar.com>",
+  "publishedAt": "2025-01-07T06:29:57Z",
+  "isLatest": true
+}

roles/kubespray-defaults/defaults/main/checksums.yml

@@ -750,27 +750,31 @@ cri_dockerd_archive_checksums:
     0.3.5: 0
 runc_checksums:
   arm:
+    v1.2.4: 0
     v1.1.13: 0
     v1.1.12: 0
     v1.1.11: 0
     v1.1.10: 0
     v1.1.9: 0
     v1.1.8: 0
   arm64:
+    v1.2.4: 285f6c4c3de1d78d9f536a0299ae931219527b2ebd9ad89df5a1072896b7e82a
     v1.1.13: 4b93701752f5338ed51592b38e039aef8c1a59856d1225df21eba84c2830743c
     v1.1.12: 879f910a05c95c10c64ad8eb7d5e3aa8e4b30e65587b3d68e009a3565aed5bb8
     v1.1.11: 9f1ee53f06b78cc4a115ca6ae4eec10567999539ce828a22c5351edba043ed12
     v1.1.10: 4830afd426bdeacbdf9cb8729524aa2ed51790b8c4b28786995925593708f1c8
     v1.1.9: b43e9f561e85906f469eef5a7b7992fc586f750f44a0e011da4467e7008c33a0
     v1.1.8: 7c22cb618116d1d5216d79e076349f93a672253d564b19928a099c20e4acd658
   amd64:
+    v1.2.4: e83565aa78ec8f52a4d2b4eb6c4ca262b74c5f6770c1f43670c3029c20175502
     v1.1.13: bcfc299c1ab255e9d045ffaf2e324c0abaf58f599831a7c2c4a80b33f795de94
     v1.1.12: aadeef400b8f05645768c1476d1023f7875b78f52c7ff1967a6dbce236b8cbd8
     v1.1.11: 77ae134de014613c44d25e6310a57a219a7a91155cd47d069a0f22a2cad5caea
     v1.1.10: 81f73a59be3d122ab484d7dfe9ddc81030f595cc59968f61c113a9a38a2c113a
     v1.1.9: b9bfdd4cb27cddbb6172a442df165a80bfc0538a676fbca1a6a6c8f4c6933b43
     v1.1.8: 1d05ed79854efc707841dfc7afbf3b86546fc1d0b3a204435ca921c14af8385b
   ppc64le:
+    v1.2.4: 141fa41c1f382483ccf374827f99c7843414fceb95e8ceb710aba8bac984d016
     v1.1.13: 4675d51dc0b08ad8e17d3065f2e4ce47760728945f33d3092385e792357e6519
     v1.1.12: 4069d1d57724126e116ad6dbd84409082d1b0afee1ee960b17558f146a742bb6
     v1.1.11: e3d1da41f97db1bb7e9a8d96c9092747c14ee53bc9f160048828e63f3a2d0896

roles/kubespray-defaults/defaults/main/download.yml

@@ -75,7 +75,7 @@ image_arch: "{{ host_architecture | default('amd64') }}"
 
 # Versions
 crun_version: 1.14.4
-runc_version: v1.1.13
+runc_version: v1.2.4
 kata_containers_version: 3.1.3
 youki_version: 0.1.0
 gvisor_version: 20240305

version_diff.json

@@ -0,0 +1,17 @@
+{
+  "runc": {
+    "current_version": "v1.1.13",
+    "latest_version": "v1.2.4",
+    "release": {
+      "tagName": "v1.2.4",
+      "url": "https://github.com/opencontainers/runc/releases/tag/v1.2.4",
+      "description": "This is the fourth patch release of the 1.2.z release branch of runc. It\r\nincludes a fix for a regression introduced in 1.2.0 related to the\r\ndefault device list.\r\n\r\n * Re-add tun/tap devices to built-in allowed devices lists.\r\n\r\n   In runc 1.2.0 we removed these devices from the default allow-list\r\n   (which were added seemingly by accident early in Docker's history) as\r\n   a precaution in order to try to reduce the attack surface of device\r\n   inodes available to most containers (#3468). At the time we thought\r\n   that the vast majority of users using tun/tap would already be\r\n   specifying what devices they need (such as by using `--device` with\r\n   Docker/Podman) as opposed to doing the `mknod` manually, and thus\r\n   there would've been no user-visible change.\r\n\r\n   Unfortunately, it seems that this regressed a noticeable number of\r\n   users (and not all higher-level tools provide easy ways to specify\r\n   devices to allow) and so this change needed to be reverted. Users\r\n   that do not need these devices are recommended to explicitly disable\r\n   them by adding deny rules in their container configuration. (#4555,\r\n   #4556)\r\n\r\n\r\n### Static Linking Notices ###\r\n\r\nThe `runc` binary distributed with this release are *statically linked* with\r\nthe following [GNU LGPL-2.1][lgpl-2.1] licensed libraries, with `runc` acting\r\nas a \"work that uses the Library\":\r\n\r\n[lgpl-2.1]: https://www.gnu.org/licenses/old-licenses/lgpl-2.1.en.html\r\n\r\n  - [libseccomp](https://github.com/seccomp/libseccomp)\r\n\r\nThe versions of these libraries were not modified from their upstream versions,\r\nbut in order to comply with the LGPL-2.1 (&sect;6(a)), we have attached the\r\ncomplete source code for those libraries which (when combined with the attached\r\nrunc source code) may be used to exercise your rights under the LGPL-2.1.\r\n\r\nHowever we strongly suggest that you make use of your distribution's packages\r\nor download them from the authoritative upstream sources, especially since\r\nthese libraries are related to the security of your containers.\r\n\r\n<hr>\r\n\r\n\r\nThanks to all of the contributors who made this release possible:\r\n\r\n * Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>\r\n * Aleksa Sarai <cyphar@cyphar.com>\r\n * Kir Kolyshkin <kolyshkin@gmail.com>\r\n * lifubang <lifubang@acmcoder.com>\r\n\r\nSigned-off-by: Aleksa Sarai <cyphar@cyphar.com>",
+      "publishedAt": "2025-01-07T06:29:57Z",
+      "isLatest": true,
+      "component": "runc",
+      "owner": "opencontainers",
+      "repo": "runc",
+      "release_type": "release"
+    }
+  }
+}