Does crio release-1.27 needs go module update of runc to 1.1.12 ?

[rppala90]

The following security issue is fixed in runc 1.1.12 :
GHSA-xr7r-f8xq-vfvv

crio main branch updated its go module dependency of runc to 1.1.12 but I am wondering if a similar change is needed for 1.27 release too.
Seems like crio (especially for exec command) directly uses the binary runc, when the runtime is set to runc.
Hence wondering if it is sufficient to update the runc binary to 1.1.12 leaving the go dependency as is in crio.
Can someone please confirm that crio 1.27-release does not need to update its module dependency of runc to 1.1.12.

[haircommander]

nope! the vulnerability is in the runc binary, not the libcontainer library, so cri-o is not affected.