Update idtools to use Mkdir funcs from moby sys/user package
Add deprecation exception to golanci until move off idtools is complete
Signed-off-by: Derek McGowan <derek@mcg.dev>
The runc libcontainer/cgroups package was moved to a separate
module; switch our use of the runc module to use the new
location.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
This release removes deprecated functions from the `label` package,
and improves documentation and error reporting of `SetCreateKey`.
Relevant changes:
-label: remove deprecated stuff
-Improve SetKeyCreate error reporting
full diff: https://github.com/opencontainers/selinux/compare/v1.11.1...v1.12.0
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
This is the sixth patch release in the 1.2.z series of runc.
It primarily fixes an issue with runc exec vs time namespace,
and a compatibility issue with older kernels.
* Fix a stall issue that would happen if setting `O_CLOEXEC` with
`CloseExecFrom` failed.
* `runc` now properly handles joining time namespaces (such as with
`runc exec`). Previously we would attempt to set the time offsets
when joining, which would fail.
* Handle `EINTR` retries correctly for socket-related direct
`golang.org/x/sys/unix` system calls.
* We no longer use `F_SEAL_FUTURE_WRITE` when sealing the runc binary, as it
turns out this had some unfortunate bugs in older kernel versions and was
never necessary in the first place.
* Remove `Fexecve` helper from `libcontainer/system`. Runc 1.2.1 removed
runc-dmz, but we forgot to remove this helper added only for that.
* Use Go 1.23 for official builds, run CI with Go 1.24 and drop Ubuntu 20.04
from CI. We need to drop Ubuntu 20.04 from CI because Github Actions
announced it's already deprecated and it will be discontinued soon.
full diff: https://github.com/opencontainers/runc/compare/v1.2.5...v1.2.6
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
full diff: https://github.com/golang/net/compare/v0.35.0...v0.36.0
Version v0.36.0 of golang.org/x/net fixes a vulnerability in the
golang.org/x/net/proxy and golang.org/x/net/http/httpproxy packages
which could cause the proxy to be bypassed.
Matching of hosts against proxy patterns could improperly treat an IPv6
zone ID as a hostname component. For example, when the NO_PROXY
environment variable was set to "*.example.com", a request to
"[::1%25.example.com]:80` would incorrectly match and not be proxied.
Thanks to Juho Forsén of Mattermost for reporting this issue.
This is CVE-2025-22870 and Go issue https://go.dev/issue/71984.
Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
We have tagged version v0.27.0 of golang.org/x/oauth2 in order to address
a security issue.
jws: unexpected memory consumption during token parsing
Version v0.27.0 of golang.org/x/oauth2 fixes a vulnerability in the
golang.org/x/oauth2/jws package which could cause a denial of service.
An attacker can pass a malicious malformed token which causes unexpected
memory to be consumed during parsing.
Thanks to jub0bs for reporting this issue.
This is CVE-2025-22868 and Go issue https://go.dev/issue/71490.
full diff: https://github.com/golang/oauth2/compare/v0.26.0...v0.27.0
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
No code changes, only comments (warnings) added;
- google: add warning about externally-provided credentials
> Important: If you accept a credential configuration (credential JSON/File/Stream) from an
> external source for authentication to Google Cloud Platform, you must validate it before
> providing it to any Google API or library. Providing an unvalidated credential configuration to
> Google APIs can compromise the security of your systems and data. For more information, refer to
> [Validate credential configurations from external sources](https://cloud.google.com/docs/authentication/external/externally-sourced-credentials).
full diff: https://github.com/golang/oauth2/compare/v0.23.0...v0.26.0
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
We have tagged version v0.35.0 of golang.org/x/crypto in order to address
a security issue. Version v0.35.0 of golang.org/x/crypto fixes a vulnerability
in the golang.org/x/crypto/ssh package which could cause a denial of service.
SSH servers which implement file transfer protocols are vulnerable to a denial
of service attack from clients which complete the key exchange slowly, or not
at all, causing pending content to be read into memory, but never transmitted.
Thanks to Yuichi Watanabe for reporting this issue.
This is CVE-2025-22869 and Go issue https://go.dev/issue/71931.
full diff: https://github.com/golang/crypto/compare/v0.31.0...v0.35.0
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Relevant changes:
- Update remote content to break up writes to avoid grpc message size limits
- Move CDI device spec out of the OCI package
- Remove deprecated WithCDIDevices in oci spec opts
full diff: https://github.com/containerd/containerd/compare/v2.0.2...v2.0.3
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Changes in runc code are not impacting code we use;
- libcontainer/utils.MkdirAllInRootOpen is not used
- libcontainer/utils.MkdirAllInRoot is not used
Similarly, while filepath-securejoin is imported, the functions using it
in runc (cgroups.FindCgroupMountpoint, are not used in our codebase, so
these changes don't affect our code; `tryDefaultPath` uses securejoin,
which is used by `FindCgroupMountpoint`, but not used in our codebase.
diffs:
- https://github.com/opencontainers/runc/compare/v1.2.4...v1.2.5
- https://github.com/cyphar/filepath-securejoin/compare/v0.3.5...v0.4.1
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
not the latest-latest version, but v1.1.58 is used elsewhere, and I saw
some fixes in v1.1.59 and v1.1.60, and v1.1.61 was docs-only changes.
- Allow use of fs.FS for $INCLUDE and wrap errors
- Add NXT record
- Add ISDN record
- Fix counting of escape sequences when splitting TXT string
- IsDomainName: check for escape as last character
- Add a hook to catch invalid messages
- Fix possible out-of-bounds read in endingToTxtSlice
full diff: https://github.com/miekg/dns/compare/v1.1.57...v1.1.61
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
