[ubuntu/jammy-security] runc 1.1.7-0ubuntu1~22.04.2 (Accepted)
Nishit Majithia
nishit.majithia at canonical.com
Wed Jan 31 20:18:54 UTC 2024
runc (1.1.7-0ubuntu1~22.04.2) jammy-security; urgency=medium
* SECURITY UPDATE: container escape vulnerability
- d/p/0001-Fix-File-to-Close.patch: Fix File to Close
- d/p/0002-init-verify-after-chdir-that-cwd-is-inside-the-conta.patch:
init: verify after chdir that cwd is inside the container
- d/p/0003-setns-init-do-explicit-lookup-of-execve-argument-ear.patch:
setns init: do explicit lookup of execve argument early
- d/p/0004-init-close-internal-fds-before-execve.patch: init: close
internal fds before execve
- d/p/0005-cgroup-plug-leaks-of-sys-fs-cgroup-handle.patch: cgroup:
plug leaks of /sys/fs/cgroup handle
- d/p/0006-libcontainer-mark-all-non-stdio-fds-O_CLOEXEC-before.patch:
ibcontainer: mark all non-stdio fds O_CLOEXEC before spawning init
- CVE-2024-21626
runc (1.1.7-0ubuntu1~22.04.1) jammy; urgency=medium
* Backport version from Mantic to Jammy (LP: #2023694).
runc (1.1.7-0ubuntu1) mantic; urgency=medium
* New upstream release (LP: #2018107).
- Update patches in d/patches:
+ test--skip_TestFactoryNewTmpfs.patch: rename to
test--skip-privileged-test-factory_linux_test.go.patch to follow the
Debian patch. Also updated it accordingly to Debian.
+ test--skip-fs-related-cgroups-tests.patch: remove one skipped test,
now it is part of the patch above.
+ fix_cpuset_range_byte_order.patch: removed, applied by upstream.
[Applied in upstream version 1.1.7]
+ lp2013318-fix-device-files-in-containers.patch: removed, fixed by
upstream.
[Fixed in upstream version 1.1.7]
+ CVE-2023-25809.patch: removed, applied by upstream.
[Applied in upstream version 1.1.7]
+ CVE-2023-27561_2023-28642.patch: removed, applied by upstream.
[Applied in upstream version 1.1.7]
* Bump debhelper compatibility level to 12. Now, that Bionic reached EOSS we
can update it to level 12.
- d/control: build depend on debhelper-compat (= 12) instead of debhelper.
- d/compat: removed, not needed anymore.
* d/control: remove unneeded Breaks statement for docker.io.
runc (1.1.4-0ubuntu4) mantic; urgency=medium
* SECURITY UPDATE: Incorrect access control through /sys/fs/cgroup
- debian/patches/CVE-2023-25809.patch: apply MS_RDONLY if
/sys/fs/cgroup is bind-mounted or mask if bind source is unavailable
in libcontainer/rootfs_linux.go.
- CVE-2023-25809
* SECURITY UPDATE: Incorrect access control through /proc and /sys
- debian/patches/CVE-2023-27561_2023-28642.patch: Prohibit /proc and
/sys to be symlinks in libcontainer/rootfs_linux.go.
- CVE-2023-27561
- CVE-2023-28642
runc (1.1.4-0ubuntu3) lunar; urgency=medium
* d/p/lp2013318-fix-device-files-in-containers.patch: Fix inability to use
device files such as /dev/null in containers (LP: #2013318)
runc (1.1.4-0ubuntu2) lunar-proposed; urgency=medium
* Import blockIODevice.patch from Debian (LP: #2009851)
runc (1.1.4-0ubuntu1) lunar; urgency=medium
* New upstream release (LP: #1993442).
* Refresh patches.
Date: 2024-01-24 11:59:15.269682+00:00
Changed-By: Nishit Majithia <nishit.majithia at canonical.com>
https://launchpad.net/ubuntu/+source/runc/1.1.7-0ubuntu1~22.04.2
-------------- next part --------------
Sorry, changesfile not available.
More information about the jammy-changes
mailing list