CRI-O v1.29.4

CRI-O v1.29.4

The release notes have been generated for the commit range
v1.29.3...v1.29.4 on Tue, 30 Apr 2024 14:32:17 UTC.

Downloads

Download one of our static release bundles via our Google Cloud Bucket:

To verify the artifact signatures via cosign, run:

> export COSIGN_EXPERIMENTAL=1
> cosign verify-blob cri-o.amd64.v1.29.4.tar.gz \
    --certificate-identity https://github.com/cri-o/cri-o/.github/workflows/test.yml@refs/tags/v1.29.4 \
    --certificate-oidc-issuer https://token.actions.githubusercontent.com \
    --certificate-github-workflow-repository cri-o/cri-o \
    --certificate-github-workflow-ref refs/tags/v1.29.4 \
    --signature cri-o.amd64.v1.29.4.tar.gz.sig \
    --certificate cri-o.amd64.v1.29.4.tar.gz.cert

To verify the bill of materials (SBOM) in SPDX format using the bom tool, run:

> tar xfz cri-o.amd64.v1.29.4.tar.gz
> bom validate -e cri-o.amd64.v1.29.4.tar.gz.spdx -d cri-o

Changelog since v1.29.3

Changes by Kind

Feature

Updates pinned images list on config reload (#7976, @roman-kiselenko)

Bug or Regression

Fix CVE-2024-3154 , a security flaw where CRI-O allowed users to specify annotations that changed specific fields in the runtime. One consequence is a user can change the systemd properties of the container, allowing unsafe properties to be set by the runtime (#8085, @haircommander)

Uncategorized

Keep track of exec calls for a container, and make sure to kill them when a container is being stopped (#8072, @openshift-cherrypick-robot)
Updates pinned images list on config reload (#8073, @sohankunkerkar)

Dependencies

Added

Nothing has changed.

Changed

github.com/containers/ocicrypt: v1.1.9 → v1.1.10

Removed