All of lore.kernel.org
 help / color / mirror / Atom feed
* [Buildroot] [PATCH 1/1] package/runc: security bump to version 1.0.0-rc95
@ 2021-05-21 20:15 Christian Stewart
  2021-05-21 20:34 ` Yann E. MORIN
  0 siblings, 1 reply; 3+ messages in thread
From: Christian Stewart @ 2021-05-21 20:15 UTC (permalink / raw)
  To: buildroot

Fixes CVE-2021-30465: runc 1.0.0-rc94 and earlier are vulnerable to a symlink
exchange attack whereby an attacker can request a seemingly-innocuous container
configuration that actually results in the host filesystem being bind-mounted
into the container, allowing for a container escape.

Signed-off-by: Christian Stewart <christian@paral.in>
---
 package/runc/runc.hash | 2 +-
 package/runc/runc.mk   | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/package/runc/runc.hash b/package/runc/runc.hash
index d792947d5f..598bd3067f 100644
--- a/package/runc/runc.hash
+++ b/package/runc/runc.hash
@@ -1,3 +1,3 @@
 # Locally computed
-sha256	28378df983a3c586ed3ec8c76a774a9b10f36a0c323590a284b801cce95cc61f  runc-1.0.0-rc92.tar.gz
+sha256  02dac7f1a0dcfe55dd9820df787adedf030060870354915e7bba86f8487ce93c  runc-1.0.0-rc95.tar.gz
 sha256  552a739c3b25792263f731542238b92f6f8d07e9a488eae27e6c4690038a8243  LICENSE
diff --git a/package/runc/runc.mk b/package/runc/runc.mk
index 14689bbde1..62b9f09bf2 100644
--- a/package/runc/runc.mk
+++ b/package/runc/runc.mk
@@ -5,7 +5,7 @@
 ################################################################################
 
 RUNC_VERSION_MAJOR = 1.0.0
-RUNC_VERSION_MINOR = rc92
+RUNC_VERSION_MINOR = rc95
 RUNC_VERSION = $(RUNC_VERSION_MAJOR)-$(RUNC_VERSION_MINOR)
 RUNC_SITE = $(call github,opencontainers,runc,v$(RUNC_VERSION))
 RUNC_LICENSE = Apache-2.0
-- 
2.31.1

^ permalink raw reply related	[flat|nested] 3+ messages in thread
* [Buildroot] [PATCH 1/1] package/runc: security bump to version 1.0.0-rc95
  2021-05-21 20:15 [Buildroot] [PATCH 1/1] package/runc: security bump to version 1.0.0-rc95 Christian Stewart
@ 2021-05-21 20:34 ` Yann E. MORIN
  2021-06-07 21:35   ` Peter Korsgaard
  0 siblings, 1 reply; 3+ messages in thread
From: Yann E. MORIN @ 2021-05-21 20:34 UTC (permalink / raw)
  To: buildroot

Christian, All,

On 2021-05-21 13:15 -0700, Christian Stewart spake thusly:
> Fixes CVE-2021-30465: runc 1.0.0-rc94 and earlier are vulnerable to a symlink
> exchange attack whereby an attacker can request a seemingly-innocuous container
> configuration that actually results in the host filesystem being bind-mounted
> into the container, allowing for a container escape.
> 
> Signed-off-by: Christian Stewart <christian@paral.in>

Applied to master, thanks.

Regards,
Yann E. MORIN.

> ---
>  package/runc/runc.hash | 2 +-
>  package/runc/runc.mk   | 2 +-
>  2 files changed, 2 insertions(+), 2 deletions(-)
> 
> diff --git a/package/runc/runc.hash b/package/runc/runc.hash
> index d792947d5f..598bd3067f 100644
> --- a/package/runc/runc.hash
> +++ b/package/runc/runc.hash
> @@ -1,3 +1,3 @@
>  # Locally computed
> -sha256	28378df983a3c586ed3ec8c76a774a9b10f36a0c323590a284b801cce95cc61f  runc-1.0.0-rc92.tar.gz
> +sha256  02dac7f1a0dcfe55dd9820df787adedf030060870354915e7bba86f8487ce93c  runc-1.0.0-rc95.tar.gz
>  sha256  552a739c3b25792263f731542238b92f6f8d07e9a488eae27e6c4690038a8243  LICENSE
> diff --git a/package/runc/runc.mk b/package/runc/runc.mk
> index 14689bbde1..62b9f09bf2 100644
> --- a/package/runc/runc.mk
> +++ b/package/runc/runc.mk
> @@ -5,7 +5,7 @@
>  ################################################################################
>  
>  RUNC_VERSION_MAJOR = 1.0.0
> -RUNC_VERSION_MINOR = rc92
> +RUNC_VERSION_MINOR = rc95
>  RUNC_VERSION = $(RUNC_VERSION_MAJOR)-$(RUNC_VERSION_MINOR)
>  RUNC_SITE = $(call github,opencontainers,runc,v$(RUNC_VERSION))
>  RUNC_LICENSE = Apache-2.0
> -- 
> 2.31.1
> 
> _______________________________________________
> buildroot mailing list
> buildroot at busybox.net
> http://lists.busybox.net/mailman/listinfo/buildroot

-- 
.-----------------.--------------------.------------------.--------------------.
|  Yann E. MORIN  | Real-Time Embedded | /"\ ASCII RIBBON | Erics' conspiracy: |
| +33 662 376 056 | Software  Designer | \ / CAMPAIGN     |  ___               |
| +33 561 099 427 `------------.-------:  X  AGAINST      |  \e/  There is no  |
| http://ymorin.is-a-geek.org/ | _/*\_ | / \ HTML MAIL    |   v   conspiracy.  |
'------------------------------^-------^------------------^--------------------'

^ permalink raw reply	[flat|nested] 3+ messages in thread
* [Buildroot] [PATCH 1/1] package/runc: security bump to version 1.0.0-rc95
  2021-05-21 20:34 ` Yann E. MORIN
@ 2021-06-07 21:35   ` Peter Korsgaard
  0 siblings, 0 replies; 3+ messages in thread
From: Peter Korsgaard @ 2021-06-07 21:35 UTC (permalink / raw)
  To: buildroot

>>>>> "Yann" == Yann E MORIN <yann.morin.1998@free.fr> writes:

 > Christian, All,
 > On 2021-05-21 13:15 -0700, Christian Stewart spake thusly:
 >> Fixes CVE-2021-30465: runc 1.0.0-rc94 and earlier are vulnerable to a symlink
 >> exchange attack whereby an attacker can request a seemingly-innocuous container
 >> configuration that actually results in the host filesystem being bind-mounted
 >> into the container, allowing for a container escape.
 >> 
 >> Signed-off-by: Christian Stewart <christian@paral.in>

Committed to 2021.02.x, thanks.

-- 
Bye, Peter Korsgaard

^ permalink raw reply	[flat|nested] 3+ messages in thread
end of thread, other threads:[~2021-06-07 21:35 UTC | newest]

Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-05-21 20:15 [Buildroot] [PATCH 1/1] package/runc: security bump to version 1.0.0-rc95 Christian Stewart
2021-05-21 20:34 ` Yann E. MORIN
2021-06-07 21:35   ` Peter Korsgaard

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.