runc 1.1.13 -- "There is no certainty in the world. This is the only certainty I have."
This is the thirteenth patch release in the 1.1.z release branch of runc. It
brings in Go 1.22.x compatibility and fixes a few issues, including an
occasional wrong nofile rlimit in runc exec, and a race between runc list and
runc delete.
NOTE that if using Go 1.22.x to build runc, make sure to use 1.22.4 or a later version.
For more details, see issue #4233.
- Support go 1.22.4+. (#4313)
- runc list: fix race with runc delete. (#4231)
- Fix set nofile rlimit error. (#4277, #4299)
- libct/cg/fs: fix setting rt_period vs rt_runtime. (#4284)
- Fix a debug msg for user ns in nsexec. (#4315)
- script/*: fix gpg usage wrt keyboxd. (#4316)
- CI fixes and misc backports. (#4241)
- Fix codespell warnings. (#4300)
- Silence security false positives from golang/net. (#4244)
- libcontainer: allow containers to make apps think fips is enabled/disabled for testing. (#4257)
- allow overriding VERSION value in Makefile. (#4270)
- Vagrantfile.fedora: bump Fedora to 39. (#4261)
- ci/cirrus: rm centos stream 8. (#4305, #4308)
Security
- The runc binaries provided here were built with go1.21.11, which includes a
  security fix for os.RemoveAll to fix a bug that would allow an attacker to
  trick runc into deleting a directory on the host. We encourage users to update,
  and if they build runc themselves, make sure they build their binaries using
  go1.21.11 or later, or go1.22.4 or later.
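One way to audit an installed or self-built runc binary against the Go minimums stated in the Security note, as an added example that is not part of the runc release or its scripts: it reads the toolchain version the Go linker embeds in the binary, using the standard debug/buildinfo package. The function names, the command-line usage, and the choice to report toolchains older than 1.21 as failing are assumptions of this example.

```go
package main

import (
	"debug/buildinfo"
	"fmt"
	"os"
	"strings"
)

// meetsMinimum applies the Security note's rule to a Go version string such
// as "go1.21.11": 1.21.11 or later on the 1.21 line, otherwise 1.22.4 or later.
// Assumptions: a missing patch ("go1.22", "go1.22rc1") counts as patch 0, and
// toolchains older than 1.21 are reported as not meeting the minimum.
func meetsMinimum(goVersion string) (bool, error) {
	var major, minor, patch int
	n, _ := fmt.Sscanf(strings.TrimSpace(goVersion), "go%d.%d.%d", &major, &minor, &patch)
	if n < 2 {
		return false, fmt.Errorf("not a Go release version: %q", goVersion)
	}
	ok := minor > 22 ||
		(minor == 22 && patch >= 4) ||
		(minor == 21 && patch >= 11)
	return major > 1 || (major == 1 && ok), nil
}

// checkBinary reads the Go version embedded in the binary at path.
func checkBinary(path string) (string, bool, error) {
	info, err := buildinfo.ReadFile(path)
	if err != nil {
		return "", false, err
	}
	ok, err := meetsMinimum(info.GoVersion)
	return info.GoVersion, ok, err
}

func main() {
	if len(os.Args) != 2 {
		fmt.Fprintln(os.Stderr, "usage: checkgo /path/to/runc")
		os.Exit(2)
	}
	ver, ok, err := checkBinary(os.Args[1])
	fmt.Printf("%s: built with %q, meets minimum: %v, error: %v\n", os.Args[1], ver, ok, err)
	if err != nil || !ok {
		os.Exit(1)
	}
}
```

The exit status is 0 only when the embedded version meets the minimum, so the check can gate a deployment or image build.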
Static Linking Notices
The runc binary distributed with this release is statically linked with
the following GNU LGPL-2.1 licensed libraries, with runc acting
as a "work that uses the Library":
The versions of these libraries were not modified from their upstream versions,
but in order to comply with the LGPL-2.1 (§6(a)), we have attached the
complete source code for those libraries which (when combined with the attached
runc source code) may be used to exercise your rights under the LGPL-2.1.
However we strongly suggest that you make use of your distribution's packages
or download them from the authoritative upstream sources, especially since
these libraries are related to the security of your containers.
Thanks to all of the contributors who made this release possible:
- Akhil Mohan
- Akihiro Suda
- Aleksa Sarai
- Kir Kolyshkin
- Sohan Kunkerkar
- TTFISH
- kychen
- lifubang
- ls-ggg
Signed-off-by: Kir Kolyshkin