diff: https://github.com/opencontainers/runc/compare/v1.1.14...v1.1.15
Release notes:
- The -ENOSYS seccomp stub is now always generated for the native
architecture that runc is running on. This is needed to work around some
arguably specification-incompliant behaviour from Docker on architectures
such as ppc64le, where the allowed architecture list is set to null. This
ensures that we always generate at least one -ENOSYS stub for the native
architecture even with these weird configs. (#4391)
- On a system with older kernel, reading /proc/self/mountinfo may skip some
entries, as a consequence runc may not properly set mount propagation,
causing container mounts leak onto the host mount namespace. (#2404, #4425)
- In order to fix performance issues in the "lightweight" bindfd protection
against [CVE-2019-5736], the temporary ro bind-mount of /proc/self/exe
has been removed. runc now creates a binary copy in all cases. (#4392, #2532)
Signed-off-by: Samuel Karp <samuelkarp@google.com>
This PR adds the trap statement in the install runc script to clean
up the temporary files and ensure we are not leaving them.
Signed-off-by: Gabriela Cervantes <gabriela.cervantes.tellez@intel.com>
- https://github.com/golang/go/issues?q=milestone%3AGo1.23.1+label%3ACherryPickApproved
- full diff: https://github.com/golang/go/compare/go1.23.0...go1.23.1
These minor releases include 3 security fixes following the security policy:
- go/parser: stack exhaustion in all Parse* functions
Calling any of the Parse functions on Go source code which contains
deeply nested literals can cause a panic due to stack exhaustion.
This is CVE-2024-34155 and Go issue https://go.dev/issue/69138.
- encoding/gob: stack exhaustion in Decoder.Decode
Calling Decoder.Decode on a message which contains deeply nested
structures can cause a panic due to stack exhaustion.
This is a follow-up to CVE-2022-30635.
Thanks to Md Sakib Anwar of The Ohio State University for reporting
this issue.
This is CVE-2024-34156 and Go issue https://go.dev/issue/69139.
- go/build/constraint: stack exhaustion in Parse
Calling Parse on a "// +build" build tag line with deeply nested
expressions can cause a panic due to stack exhaustion.
This is CVE-2024-34158 and Go issue https://go.dev/issue/69141.
View the release notes for more information:
https://go.dev/doc/devel/release#go1.23.1
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
diff: https://github.com/opencontainers/runc/compare/v1.1.13...v1.1.14
Release Notes:
- Fix CVE-2024-45310, a low-severity attack that allowed
maliciously configured containers to create empty files and directories on
the host.
- Add support for Go 1.23.
- Revert "allow overriding VERSION value in Makefile" and add EXTRA_VERSION.
- rootfs: consolidate mountpoint creation logic.
Signed-off-by: Akhil Mohan <akhilerm@gmail.com>
The OpenSSF scorecard is complaining about these two dependencies being
installed without a patch version specified;
Warn: goCommand not pinned by hash: script/setup/install-dev-tools:27
Warn: goCommand not pinned by hash: script/setup/install-dev-tools:28
While the error indicates it expects a hash, it looks like it's fine
with other modules in the same file, the difference being that those
specify a full version, including path version, e.g.;
919beb1cf7/script/setup/install-dev-tools (L26)
This patch updates `protoc-gen-go` and `protoc-gen-go-grpc` to the latest
patch release for the specified versions.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
runc v1.1.13 introduced an option to customize the version (as printed by the
`--version` flag) through a `VERSION` Make variable / environment variable
(see [1]).
This variable collided with the `VERSION` environment variable used by
containerd for the same purpose, which lead to `runc` binaries built
using the version of containerd;
runc --version
runc version 1.7.20
commit: v1.1.13-0-g58aa9203
...
This patch unsets the `VERSION` variable to bring prevent it from being
inherited and to bring back the previous behavior.
Before this patch:
docker build -t containerd-test -f contrib/Dockerfile.test .
docker run -it --rm --env VERSION=1.7.20 containerd-test sh -c 'script/setup/install-runc && /usr/local/sbin/runc --version'
# ....
HEAD is now at 58aa9203 VERSION: release 1.1.13
go build -trimpath "-buildmode=pie" -tags "seccomp" -ldflags "-X main.gitCommit=v1.1.13-0-g58aa9203 -X main.version=1.7.20 " -o runc .
install -D -m0755 runc /usr/local/sbin/runc
/go/src/github.com/containerd/containerd
runc version 1.7.20
commit: v1.1.13-0-g58aa9203
spec: 1.0.2-dev
go: go1.22.5
libseccomp: 2.5.4
With this patch:
docker build -t containerd-test -f contrib/Dockerfile.test .
docker run -it --rm --env VERSION=1.7.20 containerd-test sh -c 'script/setup/install-runc && /usr/local/sbin/runc --version'
# ....
HEAD is now at 58aa9203 VERSION: release 1.1.13
go build -trimpath "-buildmode=pie" -tags "seccomp" -ldflags "-X main.gitCommit=v1.1.13-0-g58aa9203 -X main.version=v1.1.13 " -o runc .
install -D -m0755 runc /usr/local/sbin/runc
/go/src/github.com/containerd/containerd
runc version v1.1.13
commit: v1.1.13-0-g58aa9203
spec: 1.0.2-dev
go: go1.22.5
libseccomp: 2.5.4
[1]: 6f4d975c40
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
This patch release includes just a fix to skip userns tests on host that
don't support the feature. See:
https://github.com/kubernetes-sigs/cri-tools/releases/tag/v1.30.1
This is needed for CI to work fine when we update to runc 1.2 (not yet
released). It is also a blocker for the final runc release to make sure
it works in all known downstreams. This makes it work fine here :)
Signed-off-by: Rodrigo Campos <rodrigoca@microsoft.com>
slow_chown is safe to add on all kernels, and when running in old
kernels (as some CI distros on purpose are), we want the expensive
fallback.
Vagrant setup and others use this script to config containerd. This
fixes userns tests with runc 1.2.0-rc.2 when running with old kernels.
Signed-off-by: Rodrigo Campos <rodrigoca@microsoft.com>
commit 149ca6880a updated the hcsshim
module to v0.12.4, but did not add a commit to also update the runhcs
binary version.
full diff: https://github.com/microsoft/hcsshim/compare/v0.12.3...v0.12.4
These versions are decoupled since 15b13fb3ea
to allow updating the binary version without updating the module, in cases
where the module doesn't require updates.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Now that we're on runc v1.1.13, we no longer need to pin the
go version fo runc to go1.21
This reverts commit fef78c1024.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
full diff: https://github.com/opencontainers/runc/compare/v1.1.12...v1.1.13
Release notes:
* If building with Go 1.22.x, make sure to use 1.22.4 or a later version.
* Support go 1.22.4+.
* runc list: fix race with runc delete.
* Fix set nofile rlimit error.
* libct/cg/fs: fix setting rt_period vs rt_runtime.
* Fix a debug msg for user ns in nsexec.
* script/*: fix gpg usage wrt keyboxd.
* CI fixes and misc backports.
* Fix codespell warnings.
* Silence security false positives from golang/net.
* libcontainer: allow containers to make apps think fips is enabled/disabled for testing.
* allow overriding VERSION value in Makefile.
* Vagrantfile.fedora: bump Fedora to 39.
* ci/cirrus: rm centos stream 8.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Includes fix for a symlink race on remove.
Updates 1.21 to 1.21.11 for runc install which also includes the
symlink fix.
Signed-off-by: Derek McGowan <derek@mcg.dev>
Go 1.22.3 release includes bug fixes for the core net/http package.
Full release notes: https://go.dev/doc/devel/release#go1.22.minor
Signed-off-by: Austin Vazquez <macedonv@amazon.com>
Pulls in kubernetes-sigs/cri-tools PR 1344 (`KEP-3857: Recursive Read-only (RRO) mounts`)
to test PR 9787
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
go1.21.9 (released 2024-04-03) includes a security fix to the net/http
package, as well as bug fixes to the linker, and the go/types and
net/http packages. See the Go 1.21.9 milestone for more details;
https://github.com/golang/go/issues?q=milestone%3AGo1.21.9+label%3ACherryPickApproved
These minor releases include 1 security fixes following the security policy:
- http2: close connections when receiving too many headers
Maintaining HPACK state requires that we parse and process all HEADERS
and CONTINUATION frames on a connection. When a request's headers exceed
MaxHeaderBytes, we don't allocate memory to store the excess headers but
we do parse them. This permits an attacker to cause an HTTP/2 endpoint
to read arbitrary amounts of header data, all associated with a request
which is going to be rejected. These headers can include Huffman-encoded
data which is significantly more expensive for the receiver to decode
than for an attacker to send.
Set a limit on the amount of excess header frames we will process before
closing a connection.
Thanks to Bartek Nowotarski (https://nowotarski.info/) for reporting this issue.
This is CVE-2023-45288 and Go issue https://go.dev/issue/65051.
View the release notes for more information:
https://go.dev/doc/devel/release#go1.22.2
- https://github.com/golang/go/issues?q=milestone%3AGo1.21.9+label%3ACherryPickApproved
- full diff: https://github.com/golang/go/compare/go1.21.8...go1.21.9
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
There are many Kubernetes clusters running on ARM64. Enable ARM64 runner
is to commit to support ARM64 platform officially.
Signed-off-by: Wei Fu <fuweid89@gmail.com>
go1.21.5 (released 2023-12-05) includes security fixes to the go command,
and the net/http and path/filepath packages, as well as bug fixes to the
compiler, the go command, the runtime, and the crypto/rand, net, os, and
syscall packages. See the Go 1.21.5 milestone on our issue tracker for
details:
- https://github.com/golang/go/issues?q=milestone%3AGo1.21.5+label%3ACherryPickApproved
- full diff: https://github.com/golang/go/compare/go1.21.4...go1.21.5
from the security mailing:
[security] Go 1.21.5 and Go 1.20.12 are released
Hello gophers,
We have just released Go versions 1.21.5 and 1.20.12, minor point releases.
These minor releases include 3 security fixes following the security policy:
- net/http: limit chunked data overhead
A malicious HTTP sender can use chunk extensions to cause a receiver
reading from a request or response body to read many more bytes from
the network than are in the body.
A malicious HTTP client can further exploit this to cause a server to
automatically read a large amount of data (up to about 1GiB) when a
handler fails to read the entire body of a request.
Chunk extensions are a little-used HTTP feature which permit including
additional metadata in a request or response body sent using the chunked
encoding. The net/http chunked encoding reader discards this metadata.
A sender can exploit this by inserting a large metadata segment with
each byte transferred. The chunk reader now produces an error if the
ratio of real body to encoded bytes grows too small.
Thanks to Bartek Nowotarski for reporting this issue.
This is CVE-2023-39326 and Go issue https://go.dev/issue/64433.
- cmd/go: go get may unexpectedly fallback to insecure git
Using go get to fetch a module with the ".git" suffix may unexpectedly
fallback to the insecure "git://" protocol if the module is unavailable
via the secure "https://" and "git+ssh://" protocols, even if GOINSECURE
is not set for said module. This only affects users who are not using
the module proxy and are fetching modules directly (i.e. GOPROXY=off).
Thanks to David Leadbeater for reporting this issue.
This is CVE-2023-45285 and Go issue https://go.dev/issue/63845.
- path/filepath: retain trailing \ when cleaning paths like \\?\c:\
Go 1.20.11 and Go 1.21.4 inadvertently changed the definition of the
volume name in Windows paths starting with \\?\, resulting in
filepath.Clean(\\?\c:\) returning \\?\c: rather than \\?\c:\ (among
other effects). The previous behavior has been restored.
This is an update to CVE-2023-45283 and Go issue https://go.dev/issue/64028.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
go1.21.4 (released 2023-11-07) includes security fixes to the path/filepath
package, as well as bug fixes to the linker, the runtime, the compiler, and
the go/types, net/http, and runtime/cgo packages. See the Go 1.21.4 milestone
on our issue tracker for details:
- https://github.com/golang/go/issues?q=milestone%3AGo1.21.4+label%3ACherryPickApproved
- full diff: https://github.com/golang/go/compare/go1.21.3...go1.21.4
from the security mailing:
[security] Go 1.21.4 and Go 1.20.11 are released
Hello gophers,
We have just released Go versions 1.21.4 and 1.20.11, minor point releases.
These minor releases include 2 security fixes following the security policy:
- path/filepath: recognize `\??\` as a Root Local Device path prefix.
On Windows, a path beginning with `\??\` is a Root Local Device path equivalent
to a path beginning with `\\?\`. Paths with a `\??\` prefix may be used to
access arbitrary locations on the system. For example, the path `\??\c:\x`
is equivalent to the more common path c:\x.
The filepath package did not recognize paths with a `\??\` prefix as special.
Clean could convert a rooted path such as `\a\..\??\b` into
the root local device path `\??\b`. It will now convert this
path into `.\??\b`.
`IsAbs` did not report paths beginning with `\??\` as absolute.
It now does so.
VolumeName now reports the `\??\` prefix as a volume name.
`Join(`\`, `??`, `b`)` could convert a seemingly innocent
sequence of path elements into the root local device path
`\??\b`. It will now convert this to `\.\??\b`.
This is CVE-2023-45283 and https://go.dev/issue/63713.
- path/filepath: recognize device names with trailing spaces and superscripts
The `IsLocal` function did not correctly detect reserved names in some cases:
- reserved names followed by spaces, such as "COM1 ".
- "COM" or "LPT" followed by a superscript 1, 2, or 3.
`IsLocal` now correctly reports these names as non-local.
This is CVE-2023-45284 and https://go.dev/issue/63713.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
