From bb71ad503ca4d164f7043d5e62b45031249a2239 Mon Sep 17 00:00:00 2001 From: Kir Kolyshkin Date: Tue, 29 Oct 2024 17:04:19 -0700 Subject: [PATCH] CHANGELOG: add (forward-port) v1.1.15 changes Those are taken from commit bc20cb44. Signed-off-by: Kir Kolyshkin --- CHANGELOG.md | 28 +++++++++++++++++++++++++++- 1 file changed, 27 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 9d6c9990e4a..f1df15d9e95 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -300,6 +300,31 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 [cve-2019-5736]: https://github.com/advisories/GHSA-gxmr-w5mj-v8hh +## [1.1.15] - 2024-10-07 + +> How, dear sir, did you cross the flood? By not stopping, friend, and by not +> straining I crossed the flood. + +### Fixed + + * The `-ENOSYS` seccomp stub is now always generated for the native + architecture that `runc` is running on. This is needed to work around some + arguably specification-incompliant behaviour from Docker on architectures + such as ppc64le, where the allowed architecture list is set to `null`. This + ensures that we always generate at least one `-ENOSYS` stub for the native + architecture even with these weird configs. (#4391) + * On a system with older kernel, reading `/proc/self/mountinfo` may skip some + entries, as a consequence runc may not properly set mount propagation, + causing container mounts leak onto the host mount namespace. (#2404, #4425) + +### Removed + + * In order to fix performance issues in the "lightweight" bindfd protection + against [CVE-2019-5736], the temporary `ro` bind-mount of `/proc/self/exe` + has been removed. runc now creates a binary copy in all cases. (#4392, #2532) + +[CVE-2019-5736]: https://www.openwall.com/lists/oss-security/2019/02/11/2 + ## [1.1.14] - 2024-09-03 > 年を取っていいことは、驚かなくなることね。 @@ -856,7 +881,8 @@ implementation (libcontainer) is *not* covered by this policy. [1.0.1]: https://github.com/opencontainers/runc/compare/v1.0.0...v1.0.1 -[Unreleased 1.1.z]: https://github.com/opencontainers/runc/compare/v1.1.14...release-1.1 +[Unreleased 1.1.z]: https://github.com/opencontainers/runc/compare/v1.1.15...release-1.1 +[1.1.15]: https://github.com/opencontainers/runc/compare/v1.1.14...v1.1.15 [1.1.14]: https://github.com/opencontainers/runc/compare/v1.1.13...v1.1.14 [1.1.13]: https://github.com/opencontainers/runc/compare/v1.1.12...v1.1.13 [1.1.12]: https://github.com/opencontainers/runc/compare/v1.1.11...v1.1.12