Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[1.2] CHANGELOG: add (forward-port) v1.1.15 changes #4493

Merged
merged 1 commit into from
Nov 1, 2024
Merged
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
28 changes: 27 additions & 1 deletion CHANGELOG.md
Original file line number Diff line number Diff line change
Expand Up @@ -300,6 +300,31 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0

[cve-2019-5736]: https://github.com/advisories/GHSA-gxmr-w5mj-v8hh

## [1.1.15] - 2024-10-07

> How, dear sir, did you cross the flood? By not stopping, friend, and by not
> straining I crossed the flood.

### Fixed

* The `-ENOSYS` seccomp stub is now always generated for the native
architecture that `runc` is running on. This is needed to work around some
arguably specification-incompliant behaviour from Docker on architectures
such as ppc64le, where the allowed architecture list is set to `null`. This
ensures that we always generate at least one `-ENOSYS` stub for the native
architecture even with these weird configs. (#4391)
* On a system with older kernel, reading `/proc/self/mountinfo` may skip some
entries, as a consequence runc may not properly set mount propagation,
causing container mounts leak onto the host mount namespace. (#2404, #4425)

### Removed

* In order to fix performance issues in the "lightweight" bindfd protection
against [CVE-2019-5736], the temporary `ro` bind-mount of `/proc/self/exe`
has been removed. runc now creates a binary copy in all cases. (#4392, #2532)

[CVE-2019-5736]: https://www.openwall.com/lists/oss-security/2019/02/11/2

## [1.1.14] - 2024-09-03

> 年を取っていいことは、驚かなくなることね。
Expand Down Expand Up @@ -856,7 +881,8 @@ implementation (libcontainer) is *not* covered by this policy.
[1.0.1]: https://github.com/opencontainers/runc/compare/v1.0.0...v1.0.1

<!-- 1.1.z patch releases -->
[Unreleased 1.1.z]: https://github.com/opencontainers/runc/compare/v1.1.14...release-1.1
[Unreleased 1.1.z]: https://github.com/opencontainers/runc/compare/v1.1.15...release-1.1
[1.1.15]: https://github.com/opencontainers/runc/compare/v1.1.14...v1.1.15
[1.1.14]: https://github.com/opencontainers/runc/compare/v1.1.13...v1.1.14
[1.1.13]: https://github.com/opencontainers/runc/compare/v1.1.12...v1.1.13
[1.1.12]: https://github.com/opencontainers/runc/compare/v1.1.11...v1.1.12
Expand Down
Loading