* [Buildroot] [PATCH v1 1/3] package/runc: bump to version 1.0.0-rc93
From: Christian Stewart @ 2021-02-10 23:52 UTC
  To: buildroot

https://github.com/opencontainers/runc/releases/tag/v1.0.0-rc93

Signed-off-by: Christian Stewart <christian@paral.in>
---
 package/runc/runc.hash | 2 +-
 package/runc/runc.mk   | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/package/runc/runc.hash b/package/runc/runc.hash
index d792947d5f..afe396368d 100644
--- a/package/runc/runc.hash
+++ b/package/runc/runc.hash
@@ -1,3 +1,3 @@
 # Locally computed
-sha256	28378df983a3c586ed3ec8c76a774a9b10f36a0c323590a284b801cce95cc61f  runc-1.0.0-rc92.tar.gz
+sha256  e42456078d2f76c925cdd656e4f423b918525d8188521de05e893b6bb473a6f8  runc-1.0.0-rc93.tar.gz
 sha256  552a739c3b25792263f731542238b92f6f8d07e9a488eae27e6c4690038a8243  LICENSE
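
Review bot: The added runc-1.0.0-rc93.tar.gz hash sits under "# Locally computed", so nothing in the patch lets a reader check it against an independent source. Consider saying in the commit message how the archive was fetched, and that the LICENSE hash is left as-is because the file did not change between rc92 and rc93. The switch from a tab to two spaces after "sha256" matches the LICENSE line and is a welcome cleanup.
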
diff --git a/package/runc/runc.mk b/package/runc/runc.mk
index c0de2783e4..ba2ab3081a 100644
--- a/package/runc/runc.mk
+++ b/package/runc/runc.mk
@@ -10,7 +10,7 @@ RUNC_LICENSE = Apache-2.0
 RUNC_LICENSE_FILES = LICENSE
 RUNC_CPE_ID_VENDOR = linuxfoundation
 RUNC_CPE_ID_VERSION = 1.0.0
-RUNC_CPE_ID_UPDATE = rc92
+RUNC_CPE_ID_UPDATE = rc93
 
 RUNC_LDFLAGS = -X main.version=$(RUNC_VERSION)
 RUNC_TAGS = cgo static_build
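
Review bot: RUNC_VERSION is not among the changed lines: the diffstat gives runc.mk one insertion and one deletion, and this hunk spends them on RUNC_CPE_ID_UPDATE, while runc.hash now expects runc-1.0.0-rc93.tar.gz. If RUNC_VERSION is a literal rc92 higher up in the file, the download and the hash check will not line up, so bump it in the same patch or derive the CPE update field from it. Separately, the release note quoted later in the thread says the "selinux" and "apparmor" build tags were removed; the context line RUNC_TAGS = cgo static_build is untouched, so any conditional additions of those tags elsewhere in runc.mk should be dropped here as well.
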
-- 
2.30.0


* [Buildroot] [PATCH v1 2/3] package/docker-engine: security bump to version 20.10.3
From: Christian Stewart @ 2021-02-10 23:52 UTC
  To: buildroot

Security fixes:

 - CVE-2021-21285 Prevent an invalid image from crashing docker daemon
 - CVE-2021-21284 Lock down file permissions to prevent remapped root from accessing docker state
 - Ensure AppArmor and SELinux profiles are applied when building with BuildKit

Signed-off-by: Christian Stewart <christian@paral.in>
---
 package/docker-engine/docker-engine.hash | 2 +-
 package/docker-engine/docker-engine.mk   | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/package/docker-engine/docker-engine.hash b/package/docker-engine/docker-engine.hash
index 2519ddaecd..69ebd113ea 100644
--- a/package/docker-engine/docker-engine.hash
+++ b/package/docker-engine/docker-engine.hash
@@ -1,3 +1,3 @@
 # Locally calculated
-sha256  f0fda46a82bf8f624eb349370358891d3bc65ef3e320675226f17dba8f62566d  docker-engine-20.10.1.tar.gz
+sha256  62bb03f197b8a064da568e62639f6834f91c8cfc9273126a978847becc214c31  docker-engine-20.10.3.tar.gz
 sha256  7c87873291f289713ac5df48b1f2010eb6963752bbd6b530416ab99fc37914a8  LICENSE
diff --git a/package/docker-engine/docker-engine.mk b/package/docker-engine/docker-engine.mk
index 058960119a..bbc97af8b5 100644
--- a/package/docker-engine/docker-engine.mk
+++ b/package/docker-engine/docker-engine.mk
@@ -4,7 +4,7 @@
 #
 ################################################################################
 
-DOCKER_ENGINE_VERSION = 20.10.1
+DOCKER_ENGINE_VERSION = 20.10.3
 DOCKER_ENGINE_SITE = $(call github,moby,moby,v$(DOCKER_ENGINE_VERSION))
 
 DOCKER_ENGINE_LICENSE = Apache-2.0
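
Review bot: DOCKER_ENGINE_VERSION moves from 20.10.1 straight to 20.10.3, but the commit message lists only the security fixes and says nothing about the intermediate 20.10.2 release. For a change labelled a security bump, add a line stating that the skipped release was reviewed for behaviour changes, and link the release notes the way patch 1/3 does, so the stable-branch backport decision can be made from the commit message alone.
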
-- 
2.30.0


* [Buildroot] [PATCH v1 3/3] package/docker-cli: bump to version 20.10.3
From: Christian Stewart @ 2021-02-10 23:52 UTC
  To: buildroot

Client fixes:

 - Check contexts before importing them to reduce risk of extracted files escaping context store

Signed-off-by: Christian Stewart <christian@paral.in>
---
 package/docker-cli/docker-cli.hash | 2 +-
 package/docker-cli/docker-cli.mk   | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/package/docker-cli/docker-cli.hash b/package/docker-cli/docker-cli.hash
index cf5e80825f..95b15b539b 100644
--- a/package/docker-cli/docker-cli.hash
+++ b/package/docker-cli/docker-cli.hash
@@ -1,3 +1,3 @@
 # Locally calculated
-sha256  4ee7cc9c3f6287ca834166aaa1a945790c54d9a8345a1b449a193d9c739f2a7d  docker-cli-20.10.1.tar.gz
+sha256  aafba3765d9013cb75810b4f4334525f0e74e82ef073b4df9e8b524f3794e60a  docker-cli-20.10.3.tar.gz
 sha256  2d81ea060825006fc8f3fe28aa5dc0ffeb80faf325b612c955229157b8c10dc0  LICENSE
diff --git a/package/docker-cli/docker-cli.mk b/package/docker-cli/docker-cli.mk
index 0d1ec02ad7..d90c3b7d10 100644
--- a/package/docker-cli/docker-cli.mk
+++ b/package/docker-cli/docker-cli.mk
@@ -4,7 +4,7 @@
 #
 ################################################################################
 
-DOCKER_CLI_VERSION = 20.10.1
+DOCKER_CLI_VERSION = 20.10.3
 DOCKER_CLI_SITE = $(call github,docker,cli,v$(DOCKER_CLI_VERSION))
 
 DOCKER_CLI_LICENSE = Apache-2.0
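
Review bot: The DOCKER_CLI_VERSION change to 20.10.3 goes out under a plain "bump" subject, although the commit message describes a fix that reduces the risk of extracted files escaping the context store, which is security-relevant. Label it "security bump" like patch 2/3 so it is picked up for the stable branches together with the engine; DOCKER_CLI_VERSION and DOCKER_ENGINE_VERSION are both moved to 20.10.3 in this series and should stay in step on every branch.
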
-- 
2.30.0


* [Buildroot] [PATCH v1 1/3] package/runc: bump to version 1.0.0-rc93
From: Peter Korsgaard @ 2021-02-11 15:49 UTC
  To: buildroot

>>>>> "Christian" == Christian Stewart <christian@paral.in> writes:

 > https://github.com/opencontainers/runc/releases/tag/v1.0.0-rc93

Is this meant for master or next?

It is in the same series as security bumps, but I see the release notes
talk about a feature-rich release?

It also mentions the following:

For packagers the following changes have been made which will have impact on
your packaging of runc:

    The "selinux" and "apparmor" buildtags have been removed, and now all runc
    builds will have SELinux and AppArmor support enabled. Note that "seccomp"
    is still optional (though we very highly recommend you enable it).

But I see no changes related to this?

-- 
Bye, Peter Korsgaard


* [Buildroot] [PATCH v1 2/3] package/docker-engine: security bump to version 20.10.3
From: Peter Korsgaard @ 2021-02-11 15:52 UTC
  To: buildroot

>>>>> "Christian" == Christian Stewart <christian@paral.in> writes:

 > Security fixes:
 >  - CVE-2021-21285 Prevent an invalid image from crashing docker daemon
 >  - CVE-2021-21284 Lock down file permissions to prevent remapped root from accessing docker state
 >  - Ensure AppArmor and SELinux profiles are applied when building with BuildKit

 > Signed-off-by: Christian Stewart <christian@paral.in>

Committed, thanks. For 2020.02.x / 2020.11.x I will instead bump to
19.03.15, which includes the same fixes.

-- 
Bye, Peter Korsgaard


* [Buildroot] [PATCH v1 3/3] package/docker-cli: bump to version 20.10.3
From: Peter Korsgaard @ 2021-02-11 15:52 UTC
  To: buildroot

>>>>> "Christian" == Christian Stewart <christian@paral.in> writes:

 > Client fixes:
 >  - Check contexts before importing them to reduce risk of extracted files escaping context store

 > Signed-off-by: Christian Stewart <christian@paral.in>

Committed, thanks.

-- 
Bye, Peter Korsgaard


* [Buildroot] [PATCH v1 1/3] package/runc: bump to version 1.0.0-rc93
From: Christian Stewart @ 2021-02-11 21:11 UTC
  To: buildroot

Hi Peter,

On Thu, Feb 11, 2021 at 7:49 AM Peter Korsgaard <peter@korsgaard.com> wrote:
>
> >>>>> "Christian" == Christian Stewart <christian@paral.in> writes:
>
>  > https://github.com/opencontainers/runc/releases/tag/v1.0.0-rc93
>
> Is this meant for master or next?

Master.

> It is in the same series as security bumps, but I see the release notes
> talk about a feature-rich release?

Runc is now on their 93rd release candidate. Now is not the time to
decide to stop at #92.

> It also mentions the following:
>
> For packagers the following changes have been made which will have impact on
> your packaging of runc:
>
>     The "selinux" and "apparmor" buildtags have been removed, and now all runc
>     builds will have SELinux and AppArmor support enabled. Note that "seccomp"
>     is still optional (though we very highly recommend you enable it).
>
> But I see no changes related to this?

I don't have seccomp enabled on my systems, and docker + runc is still
working as per this series.

Additionally, I see that there are still conditional build tags
"linux,cgo,seccomp" in the code, which exclude seccomp unless the
seccomp build tag is set. So I don't think that the note in the
release notes is accurate - you still need the "seccomp" build tag for
runc to have seccomp support.

So everything is fine to merge this to master as-is. (Tested as well).

Best regards,
Christian Stewart
