Sourced from github.com/opencontainers/runc's releases.

runc 1.1.12 -- "Now you're thinking with Portals™!"

This is the twelfth patch release in the 1.1.z release branch of runc. It fixes a high-severity container breakout vulnerability involving leaked file descriptors, and users are strongly encouraged to update as soon as possible.

- Fix CVE-2024-21626, a container breakout attack that took advantage of a file descriptor that was leaked internally within runc (but never leaked to the container process). In addition to fixing the leak, several strict hardening measures were added to ensure that future internal leaks could not be used to break out in this manner again. Based on our research, while no other container runtime had a similar leak, none had any of the hardening steps we've introduced (and some runtimes would not check for any file descriptors that a calling process may have leaked to them, allowing for container breakouts due to basic user error).
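The hardening the release note describes (and that this release's commit list names as marking all non-stdio fds O_CLOEXEC before spawning init, and checking for descriptors a caller may have leaked to the runtime) rests on one kernel mechanism: a descriptor carrying FD_CLOEXEC is closed by the kernel during execve, so it can never reach the container's first process. The Go program below is an added example written for this page, not runc's own code. It audits the calling process's /proc/self/fd table for descriptors above stdio that lack FD_CLOEXEC, sets the flag on each, and returns the list it fixed. The function names (`IsCloexec`, `SetCloexec`, `AuditFds`, `HardenFds`) are this example's own, it assumes Linux (for /proc/self/fd), and the pipe created in `main` is a constructed stand-in for a leaked descriptor.

```go
package main

import (
	"fmt"
	"os"
	"strconv"
	"syscall"
)

// IsCloexec reports whether fd carries FD_CLOEXEC, i.e. whether the
// kernel will close it automatically across execve.
func IsCloexec(fd int) (bool, error) {
	flags, _, errno := syscall.Syscall(syscall.SYS_FCNTL, uintptr(fd), uintptr(syscall.F_GETFD), 0)
	if errno != 0 {
		return false, fmt.Errorf("fcntl(F_GETFD) on fd %d: %w", fd, errno)
	}
	return flags&syscall.FD_CLOEXEC != 0, nil
}

// SetCloexec adds FD_CLOEXEC to fd without disturbing its other flags.
func SetCloexec(fd int) error {
	flags, _, errno := syscall.Syscall(syscall.SYS_FCNTL, uintptr(fd), uintptr(syscall.F_GETFD), 0)
	if errno != 0 {
		return fmt.Errorf("fcntl(F_GETFD) on fd %d: %w", fd, errno)
	}
	_, _, errno = syscall.Syscall(syscall.SYS_FCNTL, uintptr(fd), uintptr(syscall.F_SETFD), flags|syscall.FD_CLOEXEC)
	if errno != 0 {
		return fmt.Errorf("fcntl(F_SETFD) on fd %d: %w", fd, errno)
	}
	return nil
}

// AuditFds walks /proc/self/fd (Linux only) and returns every descriptor
// above stdio (0, 1, 2) that is NOT close-on-exec. In a container runtime
// these are exactly the descriptors a caller may have leaked to us and
// that would otherwise be inherited by the container's init process.
func AuditFds() ([]int, error) {
	entries, err := os.ReadDir("/proc/self/fd")
	if err != nil {
		return nil, err
	}
	var leaked []int
	for _, e := range entries {
		fd, err := strconv.Atoi(e.Name())
		if err != nil || fd <= 2 {
			continue
		}
		cloexec, err := IsCloexec(fd)
		if err != nil {
			// The directory fd ReadDir used is closed by now; skip anything
			// that vanished between the listing and the check.
			continue
		}
		if !cloexec {
			leaked = append(leaked, fd)
		}
	}
	return leaked, nil
}

// HardenFds marks every descriptor reported by AuditFds as close-on-exec
// and returns the list it fixed. Call it immediately before the
// fork/exec of the container init, after all internal setup is done.
func HardenFds() ([]int, error) {
	leaked, err := AuditFds()
	if err != nil {
		return nil, err
	}
	for _, fd := range leaked {
		if err := SetCloexec(fd); err != nil {
			return nil, err
		}
	}
	return leaked, nil
}

func main() {
	// Constructed sample: a pipe from the raw syscall has no FD_CLOEXEC
	// (unlike os.Pipe), so it stands in for a descriptor leaked to us.
	p := make([]int, 2)
	if err := syscall.Pipe(p); err != nil {
		panic(err)
	}
	defer syscall.Close(p[0])
	defer syscall.Close(p[1])

	fixed, err := HardenFds()
	if err != nil {
		panic(err)
	}
	fmt.Println("descriptors marked close-on-exec:", fixed)
}
```

Running the audit inside the runtime, rather than trusting every caller to hand over clean descriptors, is the check the release note says some runtimes did not perform. The list `AuditFds` returns is also useful on its own as a diagnostic: each descriptor it reports is one the child would have inherited.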
Static Linking Notices

The `runc` binary distributed with this release is statically linked with the following GNU LGPL-2.1 licensed libraries, with `runc` acting as a "work that uses the Library":

- libseccomp

The versions of these libraries were not modified from their upstream versions, but in order to comply with the LGPL-2.1 (§6(a)), we have attached the complete source code for those libraries which (when combined with the attached runc source code) may be used to exercise your rights under the LGPL-2.1.

However we strongly suggest that you make use of your distribution's packages or download them from the authoritative upstream sources, especially since these libraries are related to the security of your containers.
Thanks to all of the contributors who made this release possible:

- Aleksa Sarai <cyphar@cyphar.com>
- hang.jiang <hang.jiang@daocloud.io>
- lfbzhm <lifubang@acmcoder.com>

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>

... (truncated)
Sourced from github.com/opencontainers/runc's changelog.

[1.1.12] - 2024-01-31

Now you're thinking with Portals™!

Security

- Fix CVE-2024-21626, a container breakout attack that took advantage of a file descriptor that was leaked internally within runc (but never leaked to the container process). In addition to fixing the leak, several strict hardening measures were added to ensure that future internal leaks could not be used to break out in this manner again. Based on our research, while no other container runtime had a similar leak, none had any of the hardening steps we've introduced (and some runtimes would not check for any file descriptors that a calling process may have leaked to them, allowing for container breakouts due to basic user error).
[1.1.11] - 2024-01-01

Happy New Year!

Fixed

Changed

- Support memory.peak and memory.swap.peak in cgroups v2. Add `swapOnlyUsage` in `MemoryStats`. This field reports swap-only usage. For cgroupv1, `Usage` and `Failcnt` are set by subtracting memory usage from memory+swap usage. For cgroupv2, `Usage`, `Limit`, and `MaxUsage` are set. (#4000, #4010, #4131)
- build(deps): bump github.com/cyphar/filepath-securejoin. (#4140)
[1.1.10] - 2023-10-31

Śruba, przykręcona we śnie, nie zmieni sytuacji, jaka panuje na jawie. (A screw tightened in a dream does not change the situation that holds in waking life.)

Added

- Support for `hugetlb.<pagesize>.rsvd` limiting and accounting. Fixes the issue of postgres failing when hugepage limits are set. (#3859, #4077)

Fixed

... (truncated)
- 51d5e94 VERSION: release 1.1.12
- 2a4ed3e merge 1.1-ghsa-xr7r-f8xq-vfvv into release-1.1
- e9665f4 init: don't special-case logrus fds
- 683ad2f libcontainer: mark all non-stdio fds O_CLOEXEC before spawning init
- b6633f4 cgroup: plug leaks of /sys/fs/cgroup handle
- 284ba30 init: close internal fds before execve
- fbe3eed setns init: do explicit lookup of execve argument early
- 0994249 init: verify after chdir that cwd is inside the container
- 506552a Fix File to Close
- 099ff69 merge #4177 into opencontainers/runc:release-1.1