Skip to content

Commit 867917d

Browse files
cypharcyphar
committed
merge #4489 into opencontainers/runc:main
Kir Kolyshkin (1): CHANGELOG: add (forward-port) v1.1.15 changes LGTMs: lifubang cyphar
2 parents 68bef80 + f9fd70b commit 867917d

File tree

1 file changed

+27
-1
lines changed

1 file changed

+27
-1
lines changed

CHANGELOG.md

Lines changed: 27 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -300,6 +300,31 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
300300

301301
[cve-2019-5736]: https://github.com/advisories/GHSA-gxmr-w5mj-v8hh
302302

303+
## [1.1.15] - 2024-10-07
304+
305+
> How, dear sir, did you cross the flood? By not stopping, friend, and by not
306+
> straining I crossed the flood.
307+
308+
### Fixed
309+
310+
* The `-ENOSYS` seccomp stub is now always generated for the native
311+
architecture that `runc` is running on. This is needed to work around some
312+
arguably specification-incompliant behaviour from Docker on architectures
313+
such as ppc64le, where the allowed architecture list is set to `null`. This
314+
ensures that we always generate at least one `-ENOSYS` stub for the native
315+
architecture even with these weird configs. (#4391)
316+
* On a system with older kernel, reading `/proc/self/mountinfo` may skip some
317+
entries, as a consequence runc may not properly set mount propagation,
318+
causing container mounts leak onto the host mount namespace. (#2404, #4425)
319+
320+
### Removed
321+
322+
* In order to fix performance issues in the "lightweight" bindfd protection
323+
against [CVE-2019-5736], the temporary `ro` bind-mount of `/proc/self/exe`
324+
has been removed. runc now creates a binary copy in all cases. (#4392, #2532)
325+
326+
[CVE-2019-5736]: https://www.openwall.com/lists/oss-security/2019/02/11/2
327+
303328
## [1.1.14] - 2024-09-03
304329

305330
> 年を取っていいことは、驚かなくなることね。
@@ -856,7 +881,8 @@ implementation (libcontainer) is *not* covered by this policy.
856881
[1.0.1]: https://github.com/opencontainers/runc/compare/v1.0.0...v1.0.1
857882

858883
<!-- 1.1.z patch releases -->
859-
[Unreleased 1.1.z]: https://github.com/opencontainers/runc/compare/v1.1.14...release-1.1
884+
[Unreleased 1.1.z]: https://github.com/opencontainers/runc/compare/v1.1.15...release-1.1
885+
[1.1.15]: https://github.com/opencontainers/runc/compare/v1.1.14...v1.1.15
860886
[1.1.14]: https://github.com/opencontainers/runc/compare/v1.1.13...v1.1.14
861887
[1.1.13]: https://github.com/opencontainers/runc/compare/v1.1.12...v1.1.13
862888
[1.1.12]: https://github.com/opencontainers/runc/compare/v1.1.11...v1.1.12

0 commit comments

Comments
 (0)