VERSION: release v1.3.3

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
This commit is contained in:
Aleksa Sarai
2025-11-05 20:06:20 +11:00
parent b370bafce9
commit d842d77194
2 changed files with 42 additions and 2 deletions
+41 -1
View File
@@ -6,6 +6,45 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
## [Unreleased 1.3.z]
## [1.3.3] - 2025-11-05
> 奴らに支配されていた恐怖を
### Security
This release includes fixes for the following high-severity security issues:
* [CVE-2025-31133][] exploits an issue with how masked paths are implemented in
runc. When masking files, runc will bind-mount the container's `/dev/null`
inode on top of the file. However, if an attacker can replace `/dev/null`
with a symlink to some other procfs file, runc will instead bind-mount the
symlink target read-write. This issue affected all known runc versions.
* [CVE-2025-52565][] is very similar in concept and application to
[CVE-2025-31133][], except that it exploits a flaw in `/dev/console`
bind-mounts. When creating the `/dev/console` bind-mount (to `/dev/pts/$n`),
if an attacker replaces `/dev/pts/$n` with a symlink then runc will
bind-mount the symlink target over `/dev/console`. This issue affected all
versions of runc >= 1.0.0-rc3.
* [CVE-2025-52881][] is a more sophisticated variant of [CVE-2019-19921][],
which was a flaw that allowed an attacker to trick runc into writing the LSM
process labels for a container process into a dummy tmpfs file and thus not
apply the correct LSM labels to the container process. The mitigation we
applied for [CVE-2019-19921][] was fairly limited and effectively only caused
runc to verify that when we write LSM labels that those labels are actual
procfs files. This issue affects all known runc versions.
### Added
* `runc update` now supports configuring per-device weights and iops. (#4775,
#4807, #4825, #4931)
[CVE-2019-19921]: https://github.com/opencontainers/runc/security/advisories/GHSA-fh74-hm69-rqjw
[CVE-2025-31133]: https://github.com/opencontainers/runc/security/advisories/GHSA-9493-h29p-rfm2
[CVE-2025-52565]: https://github.com/opencontainers/runc/security/advisories/GHSA-qw9x-cqr3-wc7r
[CVE-2025-52881]: https://github.com/opencontainers/runc/security/advisories/GHSA-cgrx-mc8f-2prm
## [1.3.2] - 2025-10-02
> Ночь, улица, фонарь, аптека...
@@ -1178,7 +1217,8 @@ implementation (libcontainer) is *not* covered by this policy.
[1.2.0-rc.1]: https://github.com/opencontainers/runc/compare/v1.1.0...v1.2.0-rc.1
<!-- 1.3.z patch releases -->
[Unreleased 1.3.z]: https://github.com/opencontainers/runc/compare/v1.3.2...release-1.3
[Unreleased 1.3.z]: https://github.com/opencontainers/runc/compare/v1.3.3...release-1.3
[1.3.3]: https://github.com/opencontainers/runc/compare/v1.3.2...v1.3.3
[1.3.2]: https://github.com/opencontainers/runc/compare/v1.3.1...v1.3.2
[1.3.1]: https://github.com/opencontainers/runc/compare/v1.3.0...v1.3.1
[1.3.0-rc.2]: https://github.com/opencontainers/runc/compare/v1.3.0-rc.1...v1.3.0-rc.2
+1 -1
View File
@@ -1 +1 @@
1.3.2+dev
1.3.3