@@ -47,6 +47,82 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
4747 *  Remove tun/tap from the default device rules. (#3468  )
4848 *  specconv: avoid mapping "acl" to MS_POSIXACL. (#3739  )
4949
50+ ## [ 1.1.12]  - 2024-01-31 
51+ 
52+ >  Now you're thinking with Portals™!
53+ 
54+ ### Security  
55+ 
56+ *  Fix [ CVE-2024  -21626] [ cve-2024-21626 ] , a container breakout attack that took
57+   advantage of a file descriptor that was leaked internally within runc (but
58+   never leaked to the container process). In addition to fixing the leak,
59+   several strict hardening measures were added to ensure that future internal
60+   leaks could not be used to break out in this manner again. Based on our
61+   research, while no other container runtime had a similar leak, none had any
62+   of the hardening steps we've introduced (and some runtimes would not check
63+   for any file descriptors that a calling process may have leaked to them,
64+   allowing for container breakouts due to basic user error).
65+ 
66+ [ cve-2024-21626 ] : https://github.com/opencontainers/runc/security/advisories/GHSA-xr7r-f8xq-vfvv 
67+ 
68+ ## [ 1.1.11]  - 2024-01-01 
69+ 
70+ >  Happy New Year!
71+ 
72+ ### Fixed  
73+ 
74+ *  Fix several issues with userns path handling. (#4122  , #4124  , #4134  , #4144  )
75+ 
76+ ### Changed  
77+ 
78+  *  Support memory.peak and memory.swap.peak in cgroups v2.
79+    Add ` swapOnlyUsage `  in ` MemoryStats ` . This field reports swap-only usage.
80+    For cgroupv1, ` Usage `  and ` Failcnt `  are set by subtracting memory usage
81+    from memory+swap usage. For cgroupv2, ` Usage ` , ` Limit ` , and ` MaxUsage ` 
82+    are set. (#4000  , #4010  , #4131  )
83+  *  build(deps): bump github.com/cyphar/filepath-securejoin. (#4140  )
84+ 
85+ ## [ 1.1.10]  - 2023-10-31 
86+ 
87+ >  Śruba, przykręcona we śnie, nie zmieni sytuacji, jaka panuje na jawie.
88+ 
89+ ### Added  
90+ 
91+ *  Support for ` hugetlb.<pagesize>.rsvd `  limiting and accounting. Fixes the
92+   issue of postres failing when hugepage limits are set. (#3859  , #4077  )
93+ 
94+ ### Fixed  
95+ 
96+ *  Fixed permissions of a newly created directories to not depend on the value
97+   of umask in tmpcopyup feature implementation. (#3991  , #4060  )
98+ *  libcontainer: cgroup v1 GetStats now ignores missing ` kmem.limit_in_bytes ` 
99+   (fixes the compatibility with Linux kernel 6.1+). (#4028  )
100+ *  Fix a semi-arbitrary cgroup write bug when given a malicious hugetlb
101+   configuration. This issue is not a security issue because it requires a
102+   malicious ` config.json ` , which is outside of our threat model. (#4103  )
103+ *  Various CI fixes. (#4081  , #4055  )
104+ 
105+ ## [ 1.1.9]  - 2023-08-10 
106+ 
107+ >  There is a crack in everything. That's how the light gets in.
108+ 
109+ ### Added  
110+ 
111+ *  Added go 1.21 to the CI matrix; other CI updates. (#3976  , #3958  )
112+ 
113+ ### Fixed  
114+ 
115+ *  Fixed losing sticky bit on tmpfs (a regression in 1.1.8). (#3952  , #3961  )
116+ *  intelrdt: fixed ignoring ClosID on some systems. (#3550  , #3978  )
117+ 
118+ ### Changed  
119+ 
120+  *  Sum ` anon `  and ` file `  from ` memory.stat `  for cgroupv2 root usage,
121+    as the root does not have ` memory.current `  for cgroupv2.
122+    This aligns cgroupv2 root usage more closely with cgroupv1 reporting.
123+    Additionally, report root swap usage as sum of swap and memory usage,
124+    aligned with v1 and existing non-root v2 reporting. (#3933  )
125+ 
50126## [ 1.1.8]  - 2023-07-20 
51127
52128>  海纳百川 有容乃大
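Review bot: In the 1.1.10 "Added" entry, "postres" looks like a typo for "postgres", and in the 1.1.10 "Fixed" list "permissions of a newly created directories" should read "permissions of newly created directories"; both are worth fixing before this text is reused as release notes. The 1.1.12 security entry is also the only fix bullet in this hunk with no PR reference, and it names neither the affected releases nor the leaked file descriptor, so a reader has to follow the advisory link to decide whether to upgrade. Consider adding one sentence stating which versions are affected. In the 1.1.11 "Changed" entry, "`Usage` and `Failcnt` are set by subtracting memory usage from memory+swap usage" does not say which stats structure these fields belong to; naming it (the swap-only stats, if that is what is meant) would make the cgroupv1 versus cgroupv2 difference clear.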