Merge pull request #705 from yeazelm/advisories_10_9_0

Add advisories for runc update

Author: yeazelm

advisories/10.9.0/BRSA-fokfzmhxepqx.toml

@@ -0,0 +1,17 @@
+[advisory]
+id = "BRSA-fokfzmhxepqx"
+title = "runc CVE-2025-52881"
+cve = "CVE-2025-52881"
+severity = "high"
+description = "When applying LSM labels, a race condition could cause runc to write the process labels into a dummy tmpfs file which could result in applying incorrect LSM labels to the container process."
+
+[[advisory.products]]
+package-name = "runc"
+patched-version = "1.2.7"
+patched-epoch = "1"
+
+[updateinfo]
+author = "yeazelm"
+issue-date = 2025-11-05T09:28:38Z
+arches = ["x86_64", "aarch64"]
+version = "10.9.0"

advisories/10.9.0/BRSA-kvjmd7tqofdu.toml

@@ -0,0 +1,17 @@
+[advisory]
+id = "BRSA-kvjmd7tqofdu"
+title = "runc CVE-2025-52565"
+cve = "CVE-2025-52565"
+severity = "high"
+description = "When masking files, runc will bind-mount the container's /dev/console to /dev/pts/$n but a symlink at /dev/pts/$n could force runc to bind-mount the target."
+
+[[advisory.products]]
+package-name = "runc"
+patched-version = "1.2.7"
+patched-epoch = "1"
+
+[updateinfo]
+author = "yeazelm"
+issue-date = 2025-11-05T09:28:38Z
+arches = ["x86_64", "aarch64"]
+version = "10.9.0"

advisories/10.9.0/BRSA-teob8iclrtit.toml

@@ -0,0 +1,17 @@
+[advisory]
+id = "BRSA-teob8iclrtit"
+title = "runc CVE-2025-31133"
+cve = "CVE-2025-31133"
+severity = "high"
+description = "When masking files, runc will bind-mount the container's /dev/null inode on top of the file which could be replaced with another procfs file."
+
+[[advisory.products]]
+package-name = "runc"
+patched-version = "1.2.7"
+patched-epoch = "1"
+
+[updateinfo]
+author = "yeazelm"
+issue-date = 2025-11-05T09:28:38Z
+arches = ["aarch64", "x86_64"]
+version = "10.9.0"