New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[release/1.5 backport] update runc binary to v1.1.2 #6935
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
this vagrant https://github.com/containerd/containerd/runs/6413173243?check_suite_focus=true#step:4:901 ...
also needs Phil's fix
#6915 needs a 1.5 cherry pick
Should be able to rebase on |
This is the second patch release of the runc 1.1 release branch. It fixes CVE-2022-29162, a minor security issue (which appears to not be exploitable) related to process capabilities. This is a similar bug to the ones found and fixed in Docker and containerd recently (CVE-2022-24769). - A bug was found in runc where runc exec --cap executed processes with non-empty inheritable Linux process capabilities, creating an atypical Linux environment. For more information, see GHSA-f3fp-gc8g-vw66 and CVE-2022-29162. - runc spec no longer sets any inheritable capabilities in the created example OCI spec (config.json) file. Signed-off-by: Sebastiaan van Stijn <github@gone.nl> (cherry picked from commit 25858d6) Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
oh! thanks for the reminder; rebased 👍 |
/retest |
still some unhappy CI 😢 |
/retest |
jackpot 🥳 green now! |
This is the second patch release of the runc 1.1 release branch. It
fixes CVE-2022-29162, a minor security issue (which appears to not be
exploitable) related to process capabilities.
This is a similar bug to the ones found and fixed in Docker and
containerd recently (CVE-2022-24769).
non-empty inheritable Linux process capabilities, creating an atypical Linux
environment. For more information, see GHSA-f3fp-gc8g-vw66 and CVE-2022-29162.
example OCI spec (config.json) file.
Signed-off-by: Sebastiaan van Stijn github@gone.nl
(cherry picked from commit 25858d6)
Signed-off-by: Sebastiaan van Stijn github@gone.nl