update runc to v1.0.0-rc10 (CVE-2019-19921) #40404

Merged
cpuguy83 merged 2 commits into moby:master from AkihiroSuda:runc-rc10
Jan 25, 2020

@AkihiroSuda (Member) commented Jan 24, 2020

runc v1.0.0-rc10 release note: https://github.com/opencontainers/runc/releases/tag/v1.0.0-rc10

Notable changes:

Full changes: opencontainers/runc@v1.0.0-rc9...v1.0.0-rc10

Also updates go-selinux: opencontainers/selinux@3a1f366...5215b18
(See containerd/cri#1383 (comment))

@AkihiroSuda AkihiroSuda requested a review from tianon as a code owner January 24, 2020 07:28
@derek derek bot added the invalid label Jan 24, 2020

@thaJeztah (Member) commented

Could you

  • update the commit message to say v1.0.0-rc10 instead of just rc10?
  • should the binary and vendor changes be in separate commits? (so that we can cherry-pick separately if needed)

Also the commit message for the binary update should probably contain some details about the changes, as this update of runc includes opencontainers/runc#2207, which fixes: CVE-2019-19921 (as reported in opencontainers/runc#2197)

Given, I don't think the CVE affects docker, but it might still be useful to have

Are there other notable changes? This is the full diff upstream; opencontainers/runc@v1.0.0-rc9...v1.0.0-rc10

Finally; should we wait for containerd/containerd#3973 to be merged (and backported to a containerd release) so that we can update both?

@thaJeztah (Member) left a comment

see my comment 🤗

Notable changes:
* Fix CVE-2019-19921 (Volume mount race condition with shared mounts): opencontainers/runc#2207
* Fix exec FIFO race: opencontainers/runc#2185
* Basic support for cgroup v2.  Almost feature-complete, but still missing support for systemd mode in rootless.
  See also opencontainers/runc#2209 for the known issues.

Full changes: opencontainers/runc@v1.0.0-rc9...v1.0.0-rc10

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>

@AkihiroSuda AkihiroSuda changed the title from "update runc to rc10" to "update runc to v1.0.0-rc10 (CVE-2019-19921)" Jan 24, 2020

@AkihiroSuda (Member Author) commented

updated

Notable changes:
* Fix CVE-2019-19921 (Volume mount race condition with shared mounts): opencontainers/runc#2207
* Fix exec FIFO race: opencontainers/runc#2185
* Basic support for cgroup v2.  Almost feature-complete, but still missing support for systemd mode in rootless.
  See also opencontainers/runc#2209 for the known issues.

Full changes: opencontainers/runc@v1.0.0-rc9...v1.0.0-rc10

Also updates go-selinux: opencontainers/selinux@3a1f366...5215b18
(See containerd/cri#1383 (comment))

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>

@AkihiroSuda (Member Author) commented

> Finally; should we wait for containerd/containerd#3973 to be merged (and backported to a containerd release) so that we can update both?

Seems not worth doing. If we need to, we can do it in a separate PR.

@thaJeztah (Member) left a comment

LGTM

@tao12345666333 (Contributor) left a comment

LGTM 👍

@cpuguy83 (Member) left a comment

LGTM
