From b47fb3fda43e62fdcb9c5cfb3e1ae70b1be6e7b8 Mon Sep 17 00:00:00 2001 From: Aleksa Sarai Date: Wed, 13 Mar 2024 17:39:03 +1100 Subject: [PATCH] changelog: sync changelog entries up to runc 1.1.12 Signed-off-by: Aleksa Sarai --- CHANGELOG.md | 82 +++++++++++++++++++++++++++++++++++++++++++++++++++- 1 file changed, 81 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 32ca5f881..1e3a43b89 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -99,6 +99,82 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 * Remove tun/tap from the default device rules. (#3468) * specconv: avoid mapping "acl" to MS_POSIXACL. (#3739) +## [1.1.12] - 2024-01-31 + +> Now you're thinking with Portals™! + +### Security + +* Fix [CVE-2024-21626][cve-2024-21626], a container breakout attack that took + advantage of a file descriptor that was leaked internally within runc (but + never leaked to the container process). In addition to fixing the leak, + several strict hardening measures were added to ensure that future internal + leaks could not be used to break out in this manner again. Based on our + research, while no other container runtime had a similar leak, none had any + of the hardening steps we've introduced (and some runtimes would not check + for any file descriptors that a calling process may have leaked to them, + allowing for container breakouts due to basic user error). + +[cve-2024-21626]: https://github.com/opencontainers/runc/security/advisories/GHSA-xr7r-f8xq-vfvv + +## [1.1.11] - 2024-01-01 + +> Happy New Year! + +### Fixed + +* Fix several issues with userns path handling. (#4122, #4124, #4134, #4144) + +### Changed + + * Support memory.peak and memory.swap.peak in cgroups v2. + Add `swapOnlyUsage` in `MemoryStats`. This field reports swap-only usage. + For cgroupv1, `Usage` and `Failcnt` are set by subtracting memory usage + from memory+swap usage. For cgroupv2, `Usage`, `Limit`, and `MaxUsage` + are set. (#4000, #4010, #4131) + * build(deps): bump github.com/cyphar/filepath-securejoin. (#4140) + +## [1.1.10] - 2023-10-31 + +> Śruba, przykręcona we śnie, nie zmieni sytuacji, jaka panuje na jawie. + +### Added + +* Support for `hugetlb..rsvd` limiting and accounting. Fixes the + issue of postres failing when hugepage limits are set. (#3859, #4077) + +### Fixed + +* Fixed permissions of a newly created directories to not depend on the value + of umask in tmpcopyup feature implementation. (#3991, #4060) +* libcontainer: cgroup v1 GetStats now ignores missing `kmem.limit_in_bytes` + (fixes the compatibility with Linux kernel 6.1+). (#4028) +* Fix a semi-arbitrary cgroup write bug when given a malicious hugetlb + configuration. This issue is not a security issue because it requires a + malicious `config.json`, which is outside of our threat model. (#4103) +* Various CI fixes. (#4081, #4055) + +## [1.1.9] - 2023-08-10 + +> There is a crack in everything. That's how the light gets in. + +### Added + +* Added go 1.21 to the CI matrix; other CI updates. (#3976, #3958) + +### Fixed + +* Fixed losing sticky bit on tmpfs (a regression in 1.1.8). (#3952, #3961) +* intelrdt: fixed ignoring ClosID on some systems. (#3550, #3978) + +### Changed + + * Sum `anon` and `file` from `memory.stat` for cgroupv2 root usage, + as the root does not have `memory.current` for cgroupv2. + This aligns cgroupv2 root usage more closely with cgroupv1 reporting. + Additionally, report root swap usage as sum of swap and memory usage, + aligned with v1 and existing non-root v2 reporting. (#3933) + ## [1.1.8] - 2023-07-20 > 海纳百川 有容乃大 @@ -528,7 +604,11 @@ implementation (libcontainer) is *not* covered by this policy. [1.0.1]: https://github.com/opencontainers/runc/compare/v1.0.0...v1.0.1 -[Unreleased 1.1.z]: https://github.com/opencontainers/runc/compare/v1.1.8...release-1.1 +[Unreleased 1.1.z]: https://github.com/opencontainers/runc/compare/v1.1.12...release-1.1 +[1.1.12]: https://github.com/opencontainers/runc/compare/v1.1.11...v1.1.12 +[1.1.11]: https://github.com/opencontainers/runc/compare/v1.1.10...v1.1.11 +[1.1.10]: https://github.com/opencontainers/runc/compare/v1.1.9...v1.1.10 +[1.1.9]: https://github.com/opencontainers/runc/compare/v1.1.8...v1.1.9 [1.1.8]: https://github.com/opencontainers/runc/compare/v1.1.7...v1.1.8 [1.1.7]: https://github.com/opencontainers/runc/compare/v1.1.6...v1.1.7 [1.1.6]: https://github.com/opencontainers/runc/compare/v1.1.5...v1.1.6