Sourced from github.com/opencontainers/runc's releases.
runc 1.1.12 -- "Now you're thinking with Portals™!"
This is the twelfth patch release in the 1.1.z release branch of runc. It fixes a high-severity container breakout vulnerability involving leaked file descriptors, and users are strongly encouraged to update as soon as possible.
Fix CVE-2024-21626, a container breakout attack that took advantage of a file descriptor that was leaked internally within runc (but never leaked to the container process).
In addition to fixing the leak, several strict hardening measures were added to ensure that future internal leaks could not be used to break out in this manner again.
Based on our research, while no other container runtime had a similar leak, none had any of the hardening steps we've introduced (and some runtimes would not check for any file descriptors that a calling process may have leaked to them, allowing for container breakouts due to basic user error).
Static Linking Notices
The
runcbinary distributed with this release are statically linked with the following GNU LGPL-2.1 licensed libraries, withruncacting as a "work that uses the Library":The versions of these libraries were not modified from their upstream versions, but in order to comply with the LGPL-2.1 (§6(a)), we have attached the complete source code for those libraries which (when combined with the attached runc source code) may be used to exercise your rights under the LGPL-2.1.
However we strongly suggest that you make use of your distribution's packages or download them from the authoritative upstream sources, especially since these libraries are related to the security of your containers.
Thanks to all of the contributors who made this release possible:
- Aleksa Sarai cyphar@cyphar.com
- hang.jiang hang.jiang@daocloud.io
- lfbzhm lifubang@acmcoder.com
Signed-off-by: Aleksa Sarai cyphar@cyphar.com
... (truncated)
Sourced from github.com/opencontainers/runc's changelog.
[1.1.12] - 2024-01-31
Now you're thinking with Portals™!
Security
- Fix CVE-2024-21626, a container breakout attack that took advantage of a file descriptor that was leaked internally within runc (but never leaked to the container process). In addition to fixing the leak, several strict hardening measures were added to ensure that future internal leaks could not be used to break out in this manner again. Based on our research, while no other container runtime had a similar leak, none had any of the hardening steps we've introduced (and some runtimes would not check for any file descriptors that a calling process may have leaked to them, allowing for container breakouts due to basic user error).
[1.1.11] - 2024-01-01
Happy New Year!
Fixed
Changed
- Support memory.peak and memory.swap.peak in cgroups v2. Add
swapOnlyUsageinMemoryStats. This field reports swap-only usage. For cgroupv1,UsageandFailcntare set by subtracting memory usage from memory+swap usage. For cgroupv2,Usage,Limit, andMaxUsageare set. (#4000, #4010, #4131)- build(deps): bump github.com/cyphar/filepath-securejoin. (#4140)
[1.1.10] - 2023-10-31
Śruba, przykręcona we śnie, nie zmieni sytuacji, jaka panuje na jawie.
Added
- Support for
hugetlb.<pagesize>.rsvdlimiting and accounting. Fixes the issue of postres failing when hugepage limits are set. (#3859, #4077)Fixed
... (truncated)
51d5e94
VERSION: release 1.1.122a4ed3e
merge 1.1-ghsa-xr7r-f8xq-vfvv into release-1.1e9665f4
init: don't special-case logrus fds683ad2f
libcontainer: mark all non-stdio fds O_CLOEXEC before spawning initb6633f4
cgroup: plug leaks of /sys/fs/cgroup handle284ba30
init: close internal fds before execvefbe3eed
setns init: do explicit lookup of execve argument early0994249
init: verify after chdir that cwd is inside the container506552a
Fix File to Close099ff69
merge #4177
into opencontainers/runc:release-1.1