Debian Package Tracker

runc

Open Container Project - runtime

general
  • source: runc (main)
  • version: 1.3.5+ds1-1
  • maintainer: Debian Go Packaging Team (DMD)
  • uploaders: Reinhard Tartler [DMD] – Dmitry Smirnov [DMD] – Alexandre Viau [DMD]
  • arch: all any
  • std-ver: 4.7.2
  • VCS: Git (Browse, QA)
versions [more versions can be listed by madison] [old versions available from snapshot.debian.org] [pool directory]
  • o-o-stable: 1.0.0~rc93+ds1-5+deb11u5
  • o-o-sec: 1.0.0~rc93+ds1-5+deb11u3
  • o-o-p-u: 1.0.0~rc93+ds1-5+deb11u5
  • oldstable: 1.1.5+ds1-1+deb12u1
  • old-sec: 1.1.5+ds1-1+deb12u1
  • stable: 1.1.15+ds1-2
  • testing: 1.3.5+ds1-1
  • unstable: 1.3.5+ds1-1
versioned links (per version: .dsc for use with dget to retrieve the source package, changelog, copyright, rules, control)
  • 1.0.0~rc93+ds1-5+deb11u3: [.dsc] [changelog] [copyright] [rules] [control]
  • 1.0.0~rc93+ds1-5+deb11u5: [.dsc] [changelog] [copyright] [rules] [control]
  • 1.1.5+ds1-1+deb12u1: [.dsc] [changelog] [copyright] [rules] [control]
  • 1.1.15+ds1-2: [.dsc] [changelog] [copyright] [rules] [control]
  • 1.3.5+ds1-1: [.dsc] [changelog] [copyright] [rules] [control]
binaries
  • golang-github-opencontainers-runc-dev
  • runc (2 bugs: 0, 2, 0, 0)
action needed
3 security issues in trixie (severity: high)

There are 3 open security issues in trixie.

3 important issues:
  • CVE-2025-31133: runc is a CLI tool for spawning and running containers according to the OCI specification. In versions 1.2.7 and below, 1.3.0-rc.1 through 1.3.1, and 1.4.0-rc.1 and 1.4.0-rc.2, when using the container's /dev/null to mask files, runc would not perform sufficient verification that the source of the bind-mount (i.e., the container's /dev/null) was actually a real /dev/null inode. This exposes two methods of attack: an arbitrary mount gadget (leading to host information disclosure, host denial of service or container escape) and a bypass of maskedPaths. This issue is fixed in versions 1.2.8, 1.3.3 and 1.4.0-rc.3.
  • CVE-2025-52565: runc is a CLI tool for spawning and running containers according to the OCI specification. In versions 1.0.0-rc3 through 1.2.7, 1.3.0-rc.1 through 1.3.2, and 1.4.0-rc.1 through 1.4.0-rc.2, insufficient checks when bind-mounting `/dev/pts/$n` to `/dev/console` inside the container allow an attacker to trick runc into bind-mounting paths which would normally be made read-only or masked onto a path that the attacker can write to. This attack is very similar in concept and application to CVE-2025-31133, except that it exploits a similar vulnerability in a different target (namely, the bind-mount of `/dev/pts/$n` to `/dev/console` as configured for all containers that allocate a console). This happens after `pivot_root(2)`, so it cannot be used to write to host files directly; however, as with CVE-2025-31133, it can lead to denial of service of the host or a container breakout by providing the attacker with a writable copy of `/proc/sysrq-trigger` or `/proc/sys/kernel/core_pattern` (respectively). This issue is fixed in versions 1.2.8, 1.3.3 and 1.4.0-rc.3.
  • CVE-2025-52881: runc is a CLI tool for spawning and running containers according to the OCI specification. In versions 1.2.7, 1.3.2 and 1.4.0-rc.2, an attacker can trick runc into misdirecting writes to /proc to other procfs files through the use of a racing container with shared mounts (the upstream maintainers have also verified this attack is exploitable using a standard Dockerfile with docker buildx build, as that also permits triggering parallel execution of containers with custom shared mounts configured). This redirect could be through symbolic links in a tmpfs or, theoretically, other methods such as regular bind-mounts. While similar, the mitigation applied for the related CVE, CVE-2019-19921, was fairly limited and effectively only caused runc to verify that when LSM labels are written they are actually written to procfs files. This issue is fixed in versions 1.2.8, 1.3.3 and 1.4.0-rc.3.
Created: 2025-11-05 Last update: 2026-04-01 12:00
4 security issues in bullseye (severity: high)

There are 4 open security issues in bullseye.

3 important issues:
  • CVE-2025-31133: insufficient verification that the bind-mount source used to mask files is a real /dev/null inode (full description under trixie above). Fixed in versions 1.2.8, 1.3.3 and 1.4.0-rc.3.
  • CVE-2025-52565: insufficient checks when bind-mounting `/dev/pts/$n` to `/dev/console`, allowing read-only or masked paths to be bind-mounted onto an attacker-writable path (full description under trixie above). Fixed in versions 1.2.8, 1.3.3 and 1.4.0-rc.3.
  • CVE-2025-52881: writes to /proc can be misdirected to other procfs files via a racing container with shared mounts (full description under trixie above). Fixed in versions 1.2.8, 1.3.3 and 1.4.0-rc.3.
1 issue postponed or untriaged:
  • CVE-2024-45310: (postponed; to be fixed through a stable update) runc is a CLI tool for spawning and running containers according to the OCI specification. runc 1.1.13 and earlier, as well as 1.2.0-rc2 and earlier, can be tricked into creating empty files or directories in arbitrary locations in the host filesystem by sharing a volume between two containers and exploiting a race with `os.MkdirAll`. While this could be used to create empty files, existing files would not be truncated. An attacker must have the ability to start containers using some kind of custom volume configuration. Containers using user namespaces are still affected, but the scope of places where an attacker can create inodes can be significantly reduced. Sufficiently strict LSM policies (SELinux/AppArmor) can also in principle block this attack; the upstream maintainers suspect the industry-standard SELinux policy may restrict this attack's scope, but the exact scope of protection has not been analysed. This is exploitable using runc directly as well as through Docker and Kubernetes. The issue is fixed in runc v1.1.14 and v1.2.0-rc3. Some workarounds are available. Using user namespaces restricts this attack fairly significantly, such that the attacker can only create inodes in directories that the remapped root user/group has write access to. Unless the root user is remapped to an actual user on the host (such as with rootless containers that don't use `/etc/sub[ug]id`), this in practice means that an attacker would only be able to create inodes in world-writable directories. A strict enough SELinux or AppArmor policy could in principle also restrict the scope if a specific label is applied to the runc runtime, though neither the extent to which the standard existing policies block this attack nor what exact policies are needed to sufficiently restrict it have been thoroughly tested.
Created: 2025-11-05 Last update: 2026-04-01 12:00
4 security issues in bookworm (severity: high)

There are 4 open security issues in bookworm.

3 important issues:
  • CVE-2025-31133: insufficient verification that the bind-mount source used to mask files is a real /dev/null inode (full description under trixie above). Fixed in versions 1.2.8, 1.3.3 and 1.4.0-rc.3.
  • CVE-2025-52565: insufficient checks when bind-mounting `/dev/pts/$n` to `/dev/console`, allowing read-only or masked paths to be bind-mounted onto an attacker-writable path (full description under trixie above). Fixed in versions 1.2.8, 1.3.3 and 1.4.0-rc.3.
  • CVE-2025-52881: writes to /proc can be misdirected to other procfs files via a racing container with shared mounts (full description under trixie above). Fixed in versions 1.2.8, 1.3.3 and 1.4.0-rc.3.
1 issue left for the package maintainer to handle:
  • CVE-2024-45310: (needs triaging) a race with `os.MkdirAll` when a volume is shared between two containers lets an attacker create empty files or directories in arbitrary locations on the host filesystem; user namespaces and strict LSM policies reduce the scope (full description and workarounds under bullseye above). Fixed in runc v1.1.14 and v1.2.0-rc3.

You can find information about how to handle this issue in the security team's documentation.

Created: 2024-09-03 Last update: 2026-04-01 12:00
1 bug tagged patch in the BTS (severity: normal)
The BTS contains patches fixing 1 bug; consider including or untagging them.
Created: 2026-04-09 Last update: 2026-04-11 20:30
419 new commits since last upload, is it time to release? (severity: normal)
vcswatch reports that this package seems to have new commits in its VCS but has not yet updated debian/changelog. You should consider updating the Debian changelog and uploading this new version into the archive.

Here are the relevant commit logs:
commit 030e567013b7065ac53bc223b406c4e1eecc56b5
Author: Reinhard Tartler <siretart@tauware.de>
Date:   Sun Mar 29 20:53:41 2026 -0400

    debian/changelog: upload to unstable

commit f0805cf43016c099e5651801c83633b3ac5a777c
Author: Reinhard Tartler <siretart@tauware.de>
Date:   Sun Mar 29 14:31:54 2026 -0400

    refresh patches

commit d030f0d7adc2caed034cfc7fa18f32d70de5fbb4
Author: Reinhard Tartler <siretart@tauware.de>
Date:   Sun Mar 29 14:29:56 2026 -0400

    debian/changelog: prepare new upload

commit baee933176a42fc5c4adbbcb13892b4ac138f2de
Merge: 937efd8 1c00166
Author: Reinhard Tartler <siretart@tauware.de>
Date:   Sun Mar 29 14:29:28 2026 -0400

    Update upstream source from tag 'upstream/1.3.5+ds1'
    
    Update to upstream version '1.3.5+ds1'
    with Debian dir 49692a5a9f0f4ecbad66579ff9378c8cf1ccef6b

commit 1c00166ba5a26b5a59bc913aaab3eccc0573b468
Merge: fa01a0d 488fc13
Author: Reinhard Tartler <siretart@tauware.de>
Date:   Sun Mar 29 14:29:28 2026 -0400

    New upstream version 1.3.5+ds1

commit 488fc13e1f2d3d73ec36d829fdf2c98e47dc5ae8
Author: Kir Kolyshkin <kolyshkin@gmail.com>
Date:   Mon Mar 16 14:01:23 2026 -0700

    VERSION: release 1.3.5
    
    Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>

commit c5f4a413c28801d4cb3f553cf721f177f92ef6cc
Merge: 9183ee6 692817a
Author: Kir Kolyshkin <kolyshkin@gmail.com>
Date:   Tue Mar 17 09:25:22 2026 -0700

    Merge pull request #5181 from kolyshkin/1.3-go126
    
    [1.3] ci: add go 1.26

commit 692817afb24acfe5a983bfe813937b18417c1e27
Author: Kir Kolyshkin <kolyshkin@gmail.com>
Date:   Mon Mar 16 14:13:13 2026 -0700

    ci: add go 1.26
    
    Same as commit b9e3eec in release-1.4 branch.
    
    Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>

commit 9183ee6e5a410c13193675910a725b209a2fb903
Merge: abf41c1 3755b0e
Author: Aleksa Sarai <cyphar@cyphar.com>
Date:   Tue Mar 10 20:02:18 2026 +0900

    Merge pull request #5158 from kolyshkin/1.3-5153
    
    [1.3] Revert "Preventing containers from being unable to be deleted"

commit 3755b0e48c2a4323c861922074809e74326c515d
Author: Kir Kolyshkin <kolyshkin@gmail.com>
Date:   Thu Mar 5 18:35:57 2026 -0800

    Revert "Preventing containers from being unable to be deleted"
    
    This fixes random failures to start a container in conmon integration
    tests (see issue 5151).
    
    I guess we need to find another way to fix issue 4645.
    
    This reverts commit 1b39997e73a14f1d8a39efbbf2ec44b89ef6cab3.
    
    Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
    (cherry picked from commit 5996fe143a4ce8cbd117d4a4492dfe9e0ee29b10)
    Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>

commit abf41c1f3c49358c337fd1c89a2f2375c565fd65
Merge: ffd5a10 030e224
Author: Kir Kolyshkin <kolyshkin@gmail.com>
Date:   Wed Mar 4 17:14:54 2026 -0800

    Merge pull request #5146 from cyphar/1.3-keyring-fixes
    
    [1.3] keyring fixes

commit 030e224e7fa1f7f3966b6f28f04865a22d90b001
Author: Aleksa Sarai <cyphar@cyphar.com>
Date:   Thu Mar 5 01:10:14 2026 +1100

    keyring: update AkihiroSuda's key
    
    This comes from <https://github.com/AkihiroSuda.gpg> and is a valid
    update of the key metadata.
    
    Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
    (cherry picked from commit 9ad18b1347567fdb32db5a08da031a56901d077f)
    Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>

commit ccea0376624bcf67beb6cd487cac197e1f2e85b6
Author: Aleksa Sarai <cyphar@cyphar.com>
Date:   Thu Mar 5 00:42:04 2026 +1100

    keyring: validate: allow maintainers to have no keys
    
    Some maintainers appear to have removed their PGP keys, which causes
    "gpg --import" during "make validate-keyring" to fail. The solution is
    to switch to a non-fatal warning if no keys were imported.
    
    Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
    (cherry picked from commit 936a59b07f62abddd441c4037938557b61823de8)
    Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>

commit e001bca433591fbe34052b52d01da028d5fb13b9
Author: Aleksa Sarai <cyphar@cyphar.com>
Date:   Tue Mar 3 23:11:37 2026 +1100

    keyring: remove asarai@suse.de key
    
    I no longer work at SUSE and thus this key (and email address) are no
    longer associated with me.
    
    Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
    (cherry picked from commit a691486c83eef6d9b36aeba2380b96217cb46dfe)
    Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>

commit ffd5a10d587ee4b53f7f796baabaa65ee17a4c16
Merge: 1566d1d d6fd945
Author: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
Date:   Sun Mar 1 03:21:35 2026 +0900

    Merge pull request #5135 from kolyshkin/1.3-5124
    
    [1.3] tests/int: Disable coredumps for SCMP_ACT_KILL tests

commit d6fd9457e155eadceb4d68430912af8bad27fc5e
Author: Ricardo Branco <rbranco@suse.de>
Date:   Wed Feb 25 13:12:24 2026 +0100

    tests/int: Disable coredumps for SCMP_ACT_KILL tests
    
    SCMP_ACT_KILL terminates the process with a fatal signal, which may
    produce a core dump depending on the host configuration.
    
    While this is harmless on ephemeral CI instances, it can leave unwanted
    core files on developer or customer systems. It also interferes with
    test environments that detect unexpected core dumps.
    
    Signed-off-by: Ricardo Branco <rbranco@suse.de>
    (cherry picked from commit f18e97d312f31f109c5ef2485b62cad04e819529)
    Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>

commit 1566d1d0e0a6efa38c02cf03897295afe3ed90ac
Merge: 20f1548 72b10af
Author: Aleksa Sarai <cyphar@cyphar.com>
Date:   Thu Feb 26 17:39:09 2026 +1100

    merge #5126 into opencontainers/runc:release-1.3
    
    Kir Kolyshkin (1):
      ci: update policycoreutils for CentOS 10
    
    LGTMS: AkihiroSuda cyphar

commit 72b10af772c65c7fdc428a45d38f3cc542768088
Author: Kir Kolyshkin <kolyshkin@gmail.com>
Date:   Tue Feb 24 15:13:13 2026 -0800

    ci: update policycoreutils for CentOS 10
    
    When container-selinux 4:2.246.0-1.el10 is installed, it produces the
    following %post script warnings:
    
    > ...
    >   Running scriptlet: container-selinux-4:2.246.0-1.el10.noarch            26/37
    >   Installing       : container-selinux-4:2.246.0-1.el10.noarch            26/37
    >   Running scriptlet: container-selinux-4:2.246.0-1.el10.noarch            26/37
    > libsemanage.semanage_pipe_data: Child process /usr/libexec/selinux/hll/pp failed with code: 255. (No data available).
    > libsemanage.semanage_compile_module: container: libsepol.policydb_read: policydb module version 24 does not match my version range 4-23.
    > libsemanage.semanage_compile_module: container: libsepol.sepol_module_package_read: invalid module in module package (at section 0).
    > libsemanage.semanage_compile_module: container: libsepol.sepol_ppfile_to_module_package: Failed to read policy package.
    > libsemanage.semanage_direct_commit: Failed to compile hll files into cil files. (No data available).
    > semodule:  Failed!
    > ...
    
    For some reason, dnf install still succeeds, but then the selinux tests
    fail with:
    
    > chcon: failed to change context of '/tmp/bats-run-3MMyYP/runc.szTqBc/bundle/runc' to ‘system_u:object_r:container_runtime_exec_t:s0’: Invalid argument
    
    All this is fixed once policycoreutils is added to the list of RPMS so
    it is updated (from 3.9-3.el10 to 3.10-1.el10) during the same
    transaction.
    
    Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
    (cherry picked from commit 3235c5a90a6c865564130d11a8696c0188947df1)
    Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>

commit 20f15488eb7f13d8094c36c4715edb7231215cf1
Merge: e669727 bb7d09e
Author: Aleksa Sarai <cyphar@cyphar.com>
Date:   Thu Feb 12 03:29:07 2026 +1100

    merge #5115 into opencontainers/runc:release-1.3
    
    Li Fubang (1):
      libct/specconv: fix partial clear of atime mount flags
    
    LGTMs: rata cyphar

commit bb7d09e63ecced73a8eb26f4c434c0368e704c07
Author: lifubang <lifubang@acmcoder.com>
Date:   Tue Feb 3 03:44:54 2026 +0000

    libct/specconv: fix partial clear of atime mount flags
    
    When parsing mount options into recAttrSet and recAttrClr,
    the code sets attr_clr to individual atime flags (e.g.
    MOUNT_ATTR_NOATIME or MOUNT_ATTR_STRICTATIME) when clearing
    atime attributes. However, this violates the kernel's
    requirement documented in mount_setattr(2)[1]:
    
    > Note that, since the access-time values are an enumeration
    > rather than bit values, a caller wanting to transition to a
    > different access-time setting cannot simply specify the
    > access-time setting in attr_set, but must also include
    > MOUNT_ATTR__ATIME in the attr_clr field.  The kernel will
    > verify that MOUNT_ATTR__ATIME isn't partially set in
    > attr_clr (i.e., either all bits in the MOUNT_ATTR__ATIME
    > bit field are either set or clear), and that attr_set
    > doesn't have any access-time bits set if MOUNT_ATTR__ATIME
    > isn't set in attr_clr.
    
    Passing only a single atime flag (e.g. MOUNT_ATTR_RELATIME) in
    attr_clr causes mount_setattr() to fail with EINVAL.
    
    This change ensures that whenever an atime mode is updated,
    attr_clr includes MOUNT_ATTR__ATIME to properly reset the
    entire access-time attribute field before applying the new mode.
    
    [1] https://man7.org/linux/man-pages/man2/mount_setattr.2.html
    
    Signed-off-by: lifubang <lifubang@acmcoder.com>
    (cherry picked from commit 5560d55bfd84a49441c6812140412f1bcf863a1a)
    Signed-off-by: lifubang <lifubang@acmcoder.com>

commit e6697272478c9c08bcac9edc02b43042ab7c350c
Merge: 478edba 2d03515
Author: Rodrigo Campos Catelin <rodrigo@amutable.com>
Date:   Wed Feb 11 11:03:26 2026 +0100

    Merge pull request #5111 from kolyshkin/1.3-backports
    
    [1.3] misc backports + Go 1.24->1.25

commit 2d035157f10671fa734348e1f1455107f1f99874
Author: Kir Kolyshkin <kolyshkin@gmail.com>
Date:   Tue Feb 10 14:31:04 2026 -0800

    [1.3] ci: remove Go 1.24.x, add 1.25.x
    
    Go 1.24 is no longer supported, and Go 1.25 (which we use in Dockerfile
    for official binaries) is not being tested against.
    
    So remove Go 1.24.x and add Go 1.25.x.
    
    We keep Go 1.23.x as this is the minimally required version for this
    branch.
    
    Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>

commit 551ed37e5a149eb166403dddc81e29a379136b52
Author: Kir Kolyshkin <kolyshkin@gmail.com>
Date:   Tue Dec 2 15:31:52 2025 -0800

    ci: bump shellcheck to v0.11.0
    
    Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
    (cherry picked from commit 68771cfe511bae841c5a4654ba16b35df1b88179)
    Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>

commit 4bce3cc13cd9f451cfdf6016c035b542e40988a7
Author: Kir Kolyshkin <kolyshkin@gmail.com>
Date:   Tue Dec 2 15:26:48 2025 -0800

    Use Go 1.25 for official builds
    
    (as well as for testing on Cirrus CI)
    
    Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
    (cherry picked from commit 79b97d4642755b8b2668dde91d45a43adac62dfc)
    Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>

commit 71624790526b855419473844d5465e7f7c507039
Author: Kir Kolyshkin <kolyshkin@gmail.com>
Date:   Tue Dec 2 15:25:42 2025 -0800

    Bump seccomp to v2.6.0
    
    This version was released almost a year ago.
    
    Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
    (cherry picked from commit f4710e50238952025a9de34f11a91731ec278469)
    Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>

commit 3808341ef41602192a40de0fb5ffa2a8cf3bd78c
Author: Kir Kolyshkin <kolyshkin@gmail.com>
Date:   Tue Dec 2 15:22:40 2025 -0800

    ci: bump bats to 1.12.0
    
    This is the version already used in CI on Fedora.
    
    Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
    (cherry picked from commit f128234354a111b57a4e58543a55a8edc6c453c2)
    Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>

commit f6ad11b287b2f5fb61d532004f3c939dc615aca0
Author: Kir Kolyshkin <kolyshkin@gmail.com>
Date:   Thu Oct 16 12:09:46 2025 -0700

    ci: show criu version in criu-dev testing
    
    Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
    (cherry picked from commit 2a7ce15e68c34e2730958d2169f3205a305323ab)
    Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>

commit 09c5eeea739fa63f8ec9ccd835462c929de3c5b0
Author: Kir Kolyshkin <kolyshkin@gmail.com>
Date:   Thu Oct 16 12:02:01 2025 -0700

    ci: bump bats to 1.11.1
    
    Bump bats to the version from Fedora 42 (used in "fedora" job), so we
    have the same version everywhere.
    
    This also fixes an issue introduced by commit d31e6b87 (which forgot to
    bump bats in GHA CI), and adds a note to the yaml in order to avoid the
    same issue in the future.
    
    Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
    (cherry picked from commit 6af1d637bace0493fdb4dad4177da7624ce22ab4)
    Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>

commit 478edba3b80dd2aee018f223b36ed6af7784538c
Merge: 2e68e04 13cc7e9
Author: Aleksa Sarai <cyphar@cyphar.com>
Date:   Fri Nov 28 10:34:01 2025 +1100

    merge #5044 into opencontainers/runc:release-1.3
    
    Li Fu Bang (2):
      VERSION: back to development
      VERSION: release 1.3.4
    
    LGTMs: rata cyphar

commit 13cc7e92cffc0a6407bc0f66f5131bc1d33b4aaa
Author: lifubang <lifubang@acmcoder.com>
Date:   Wed Nov 26 14:53:41 2025 +0000

    VERSION: back to development
    
    Signed-off-by: lifubang <lifubang@acmcoder.com>
    Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>

commit d6d73eb8c60246978da649ffe75ce5c8bca8f856
Author: lifubang <lifubang@acmcoder.com>
Date:   Wed Nov 26 14:52:49 2025 +0000

    VERSION: release 1.3.4
    
    Signed-off-by: lifubang <lifubang@acmcoder.com>
    Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>

commit 2e68e04979a10b491dbe2a767d68b6dc6abad754
Merge: cef8c32 e1a6adc
Author: Kir Kolyshkin <kolyshkin@gmail.com>
Date:   Wed Nov 26 17:57:56 2025 -0800

    Merge pull request #5042 from lifubang/backport-5014-fd-leaks-flake-1.3
    
    [1.3] libct/int: TestFdLeaks: deflake

commit e1a6adc946b02246b05914237f9434a9cfdb936f
Author: Kir Kolyshkin <kolyshkin@gmail.com>
Date:   Thu Nov 13 00:34:30 2025 -0800

    libct/int: TestFdLeaks: deflake
    
    Since the recent CVE fixes, TestFdLeaksSystemd sometimes fails:
    
            === RUN   TestFdLeaksSystemd
                exec_test.go:1750: extra fd 9 -> /12224/task/13831/fd
                exec_test.go:1753: found 1 extra fds after container.Run
            --- FAIL: TestFdLeaksSystemd (0.10s)
    
    It might have been caused by the change to the test code in commit
    ff6fe13 ("utils: use safe procfs for /proc/self/fd loop code") -- we are
    now opening a file descriptor during the logic to get a list of file
    descriptors. If the file descriptor happens to be allocated to a
    different number, you'll get an error.
    
    Let's try to filter out the fd used to read a directory.
    
    Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
    (cherry picked from commit 5fbc3bb019d89654c43be3c38f8f91df5f17334b)
    Signed-off-by: lifubang <lifubang@acmcoder.com>

commit cef8c323d00c7018a40f62bdf4a702d78a9bbb2f
Merge: 769fc75 ebea1f8
Author: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
Date:   Wed Nov 26 12:48:12 2025 +0900

    Merge pull request #5028 from lifubang/ci-detect-fdleak-try-best-1.3
    
    [1.3] fix fd leaks and detect them as comprehensively as possible

commit ebea1f85533dd1df527f64093aa35b9aef4bb5bc
Author: lifubang <lifubang@acmcoder.com>
Date:   Fri Nov 14 02:56:50 2025 +0000

    integration: verify syscall compatibility after seccomp enforcement
    
    Signed-off-by: lifubang <lifubang@acmcoder.com>
    (cherry picked from commit d8706501cfee6d4777371c2bbee97e1a8d13fb14)
    Signed-off-by: lifubang <lifubang@acmcoder.com>

commit 34e84588af7b9e431828fd97ac8c20e5680d6d73
Author: lifubang <lifubang@acmcoder.com>
Date:   Thu Nov 20 07:13:35 2025 +0000

    downgrade github.com/cyphar/filepath-securejoin from v0.6.0 to v0.5.2
    
    The dependency was initially slated for an upgrade from v0.6.0 to v0.6.1
    to address an fd leak. However, due to compatibility constraints, we
    instead downgrade to v0.5, using v0.5.2 which includes a backported fix
    for the same issue.
    
    Signed-off-by: lifubang <lifubang@acmcoder.com>

commit ae8839acc22f54d1b723c11927dd4acd608dd69e
Author: lifubang <lifubang@acmcoder.com>
Date:   Thu Nov 20 07:12:56 2025 +0000

    bump github.com/opencontainers/selinux from v1.13.0 to v1.13.1
    
    Signed-off-by: lifubang <lifubang@acmcoder.com>

commit 52192a8e24cfd6d0c389ff3c493f30c79f6a8990
Author: lifubang <lifubang@acmcoder.com>
Date:   Tue Nov 18 04:53:19 2025 +0000

    libct: add a defer fd close in createDeviceNode
    
    Signed-off-by: lifubang <lifubang@acmcoder.com>
    (cherry picked from commit 9a5e6262f0bf4e3e654b1a0d71bb804093948f85)
    Signed-off-by: lifubang <lifubang@acmcoder.com>

commit 98dc593f13ca69c809719b9e2c94cd4c62d51886
Author: lifubang <lifubang@acmcoder.com>
Date:   Tue Nov 18 10:15:29 2025 +0000

    libct: always close m.dstFile in mountToRootfs
    
    Signed-off-by: lifubang <lifubang@acmcoder.com>
    (cherry picked from commit e0272886047915899ec06e06665723fc453d3cbf)
    Signed-off-by: lifubang <lifubang@acmcoder.com>

commit 167fa3f8e716569e09b33b8086ba30d201a8593b
Author: lifubang <lifubang@acmcoder.com>
Date:   Wed Nov 19 02:46:17 2025 +0000

    ci: detect file descriptor leaks as comprehensively as possible
    
    Co-authored-by: Aleksa Sarai <cyphar@cyphar.com>
    Signed-off-by: lifubang <lifubang@acmcoder.com>
    (cherry picked from commit ba7f46d7119dc4bf57e2a13017333d1980494ea9)
    Signed-off-by: lifubang <lifubang@acmcoder.com>

commit 769fc75893e2c043ee4c1a083f3e6e3935b56b38
Merge: b1be455 7a5a90e
Author: lfbzhm <lifubang@acmcoder.com>
Date:   Thu Nov 20 17:51:06 2025 +0800

    Merge pull request #4999 from kolyshkin/1.3-check-go
    
    [1.3] check/bump go version in Dockerfile

commit 7a5a90e8075b9869182957474d7cfa371bf39fb6
Author: Kir Kolyshkin <kolyshkin@gmail.com>
Date:   Mon Nov 10 22:55:30 2025 -0800

    Use Go 1.24.x for release binaries
    
    Since Go 1.23 is no longer supported, we should not use it.
    Go 1.23 is still supported and is probably the best bet for
    the release-1.2 branch.
    
    Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>

commit 99cc7bcb48a5cbc9e486345dd5c548a7b4f10fae
Author: Kir Kolyshkin <kolyshkin@gmail.com>
Date:   Mon Nov 10 23:45:49 2025 -0800

    ci: add checking Go version from Dockerfile
    
    This is to ensure that Go version in Dockerfile (which is used to build
    release binaries) is:
     - currently supported;
     - used in CI tests.
    
    Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
    (cherry picked from commit df4acc8867a08bd2df2dfec74a5f79fe018c2f4d)
    Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>

commit 4b76986b98d34b12d8928313f34e83d4e4341987
Author: Kir Kolyshkin <kolyshkin@gmail.com>
Date:   Mon Nov 10 23:19:15 2025 -0800

    ci: faster git clone
    
    For some reason, some jobs in .github/workflows/validate.yml
    have "fetch-depth: 0" argument to actions/checkout, meaning
    "all history for all branches and tags". Obviously this is
    not needed here.
    
    Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
    (cherry picked from commit e0b00171eb0f338cf024760019abdd4e7dec690f)
    Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
    (cherry picked from commit 0200ccb53d9265c43f203fb98a9862407835eb23)
    Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>

commit 59a7a5270c83eee50c3eb3fc5a1e64f68b049768
Author: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Date:   Fri Aug 15 16:40:45 2025 +0000

    build(deps): bump actions/checkout from 4 to 5
    
    Bumps [actions/checkout](https://github.com/actions/checkout) from 4 to 5.
    - [Release notes](https://github.com/actions/checkout/releases)
    - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
    - [Commits](https://github.com/actions/checkout/compare/v4...v5)
    
    ---
    updated-dependencies:
    - dependency-name: actions/checkout
      dependency-version: '5'
      dependency-type: direct:production
      update-type: version-update:semver-major
    ...
    
    Signed-off-by: dependabot[bot] <support@github.com>
    (cherry picked from commit cfb22c9a0f0c250e6fc3323d49c5163a078cd6a2)
    Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>

commit b1be4553c4b7b861d9dbccb30c584751598c3c3f
Merge: d30192b 9ddb71d
Author: lfbzhm <lifubang@acmcoder.com>
Date:   Thu Nov 20 09:14:16 2025 +0800

    Merge pull request #5031 from cyphar/1.3-5017-ci-pin-parent-cgroup
    
    [1.3] ci: ensure the cgroup parent always exists for rootless

commit 9ddb71d163ba01ce2933d31899330d4da21c7d28
Author: lifubang <lifubang@acmcoder.com>
Date:   Sun Nov 16 12:15:55 2025 +0000

    ci: ensure the cgroup(v1) parent always exists for rootless
    
    On some systems (e.g., AlmaLinux 8), systemd automatically removes cgroup paths
    when they become empty (i.e., contain no processes). To prevent this, we spawn
    a dummy process to pin the cgroup in place.
    Fix: https://github.com/opencontainers/runc/issues/5003
    
    Signed-off-by: lifubang <lifubang@acmcoder.com>
    (cherry picked from commit bba7647d0914dd4ac2f86e42e52ee7f3ca7a20f1)
    Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>

commit 937efd87a20dea89c728e468fccacdcf3dcfb5eb
Author: Reinhard Tartler <siretart@tauware.de>
Date:   Sun Nov 16 11:28:18 2025 -0500

    debian/changelog: update

commit 0f19b30db99b97564550e3d090756281774293a2
Author: Reinhard Tartler <siretart@tauware.de>
Date:   Sun Nov 16 11:34:57 2025 -0500

    debian/control: Drop redundant Rules-Requires-Root

commit 43b2890359442aa33de8c859a7dba197a4b50998
Author: Reinhard Tartler <siretart@tauware.de>
Date:   Sun Nov 16 11:19:12 2025 -0500

    debian/watch: add Dversion-Mangle auto stanza

commit da3c7997051a484e76f7fd262aa766972f365fc4
Author: Reinhard Tartler <siretart@tauware.de>
Date:   Sat Nov 15 12:57:06 2025 -0500

    debian/changelog: update

commit b1ac94c14bce3543d3c35e68d42c89932b5dbf92
Author: Reinhard Tartler <siretart@tauware.de>
Date:   Sun Nov 16 05:40:38 2025 -0500

    Add build-conflicts

commit bf8260fa1ec0490381727e3fe9e6c70307ed6b61
Author: Reinhard Tartler <siretart@tauware.de>
Date:   Sat Nov 15 18:35:08 2025 -0500

    debian/copyright: clarify licensing

commit 7f8d8b5c28fc7c2621cd9916eb04383346fe1702
Author: Reinhard Tartler <siretart@tauware.de>
Date:   Sat Nov 15 18:25:10 2025 -0500

    Tighten dependency on cyphar/securejoin

commit c744cf17de955e901ef6d0291b8a9f85772f0ac5
Author: Reinhard Tartler <siretart@tauware.de>
Date:   Sat Nov 15 18:23:00 2025 -0500

    refresh patches

commit 7463b9e2db41f356cc623afc9e666611450d2ce3
Author: Reinhard Tartler <siretart@tauware.de>
Date:   Sat Nov 15 18:22:32 2025 -0500

    libct: use manager.AddPid to add exec to cgroup
    
    The main benefit here is when we are using a systemd cgroup driver,
    we actually ask systemd to add a PID, rather than doing it ourselves.
    This way, we can add rootless exec PID to a cgroup.
    
    This requires newer opencontainers/cgroups and coreos/go-systemd.
    
    Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>

commit 5dcb739c8da9614b4f3c336a5470674d80d94087
Author: Reinhard Tartler <siretart@tauware.de>
Date:   Sat Nov 15 18:07:56 2025 -0500

    debian/control: tighten dependency on containerd/console

commit 779fc6b576747c35d2e82b8a0d82561d1ef4e9fd
Merge: c9dfa1a fa01a0d
Author: Reinhard Tartler <siretart@tauware.de>
Date:   Sat Nov 15 12:56:44 2025 -0500

    Update upstream source from tag 'upstream/1.3.3+ds1'
    
    Update to upstream version '1.3.3+ds1'
    with Debian dir 499cf5e8ce32b377a26027d48063c0b84ef13f55

commit d30192b5b0b15450b5383b21daa2cf6279214ebb
Merge: c8787a6 612d46e
Author: Aleksa Sarai <cyphar@cyphar.com>
Date:   Tue Nov 11 15:05:25 2025 +1100

    Merge pull request #4996 from kolyshkin/1.3-4970
    
    [1.3] disable golangci-lint cache

commit c8787a6c5c1e09c91453bf8b4d94fed5af9dfec1
Merge: c565666 daf9664
Author: lfbzhm <lifubang@acmcoder.com>
Date:   Tue Nov 11 09:28:04 2025 +0800

    Merge pull request #4975 from cyphar/1.3-tmpfs-mode
    
    [1.3] rootfs: only set mode= for tmpfs mount if target already existed

commit c5656667e476f2603505dfda67431670e35ef8a9
Merge: 90627f6 b9df996
Author: lfbzhm <lifubang@acmcoder.com>
Date:   Tue Nov 11 09:23:43 2025 +0800

    Merge pull request #4979 from cyphar/1.3-selinux-1.13
    
    [1.3] deps: update to github.com/opencontainers/selinux@v0.13.0

commit 612d46ea37e235d80ac673efe9c379591911080d
Author: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Date:   Mon Nov 10 04:02:58 2025 +0000

    build(deps): bump golangci/golangci-lint-action from 8 to 9
    
    Bumps [golangci/golangci-lint-action](https://github.com/golangci/golangci-lint-action) from 8 to 9.
    - [Release notes](https://github.com/golangci/golangci-lint-action/releases)
    - [Commits](https://github.com/golangci/golangci-lint-action/compare/v8...v9)
    
    ---
    updated-dependencies:
    - dependency-name: golangci/golangci-lint-action
      dependency-version: '9'
      dependency-type: direct:production
      update-type: version-update:semver-major
    ...
    
    Signed-off-by: dependabot[bot] <support@github.com>
    (cherry picked from commit c0db4632d2967aab32abb5d08ba4a064c4a91a32)
    Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>

commit 1a40cc91a99db612fcdb5e44920c294e4d7d6d64
Author: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Date:   Mon May 5 04:31:04 2025 +0000

    build(deps): bump golangci/golangci-lint-action from 7 to 8
    
    Bumps [golangci/golangci-lint-action](https://github.com/golangci/golangci-lint-action) from 7 to 8.
    - [Release notes](https://github.com/golangci/golangci-lint-action/releases)
    - [Commits](https://github.com/golangci/golangci-lint-action/compare/v7...v8)
    
    ---
    updated-dependencies:
    - dependency-name: golangci/golangci-lint-action
      dependency-version: '8'
      dependency-type: direct:production
      update-type: version-update:semver-major
    ...
    
    Signed-off-by: dependabot[bot] <support@github.com>
    (cherry picked from commit c1958d88443c6911a1274123005558a5977be884)
    Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>

commit be6ea0662f65d11001725997d3ff3a7c982e56c8
Author: Kir Kolyshkin <kolyshkin@gmail.com>
Date:   Wed Nov 5 20:05:05 2025 -0800

    ci: bump golangci-lint to v2.6
    
    Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
    (cherry picked from commit 49780ce7346c84305a17540308e3369782bc193d)
    Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>

commit f17a5e1515b39f52a3af1186918b8b3fbd4e8cf0
Author: Kir Kolyshkin <kolyshkin@gmail.com>
Date:   Wed Nov 5 19:58:50 2025 -0800

    ci: disable golangci-lint cache
    
    This will result in slower runs but we are having issues with
    golangci-lint (false positives) that are most probably related
    to caching.
    
    Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
    (cherry picked from commit 96dfa9de54e834ecc1b0baebe0bddbbccb5eb045)
    Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>

commit daf9664eb42fd1687a2897d22c90480d0b9cb4ed
Author: Aleksa Sarai <cyphar@cyphar.com>
Date:   Fri Nov 7 14:52:09 2025 +1100

    rootfs: only set mode= for tmpfs mount if target already existed
    
    This was always the intended behaviour but commit 72fbb34f5006 ("rootfs:
    switch to fd-based handling of mountpoint targets") regressed it when
    adding a mechanism to create a file handle to the target if it didn't
    already exist (causing the later stat to always succeed).
    
    A lot of people depend on this functionality, so add some tests to make
    sure we don't break it in the future.
    
    Fixes: 72fbb34f5006 ("rootfs: switch to fd-based handling of mountpoint targets")
    Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
    (cherry picked from commit 9a9719eeb4978e73c64740b3fc796c1b12987b05)
    Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>

commit b9df996b6835ed82cce40ac71101a84b42f42251
Author: Aleksa Sarai <cyphar@cyphar.com>
Date:   Sat Nov 8 02:18:50 2025 +1100

    deps: update to github.com/opencontainers/selinux@v0.13.0
    
    This new version includes the fixes for CVE-2025-52881, so we can remove
    the internal/third_party copy of the library we added in commit
    ed6b1693b8b3 ("selinux: use safe procfs API for labels") as well as the
    "replace" directive in go.mod (which is problematic for "go get"
    installs).
    
    Fixes: ed6b1693b8b3 ("selinux: use safe procfs API for labels")
    Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
    (cherry picked from commit 96f1962f9164b476d787663a3617d792a99cf158)
    Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>

commit 90627f62884b4d34e06a5300c9140ddcbcb9d20e
Merge: 3cf5099 9381215
Author: lfbzhm <lifubang@acmcoder.com>
Date:   Thu Nov 6 11:23:34 2025 +0800

    Merge pull request #4966 from cyphar/1.3-4964-fix-mips
    
    [1.3] libct: fix mips compilation

commit 9381215c1f5d1294e2a8d07aa23ead7edbd531fc
Author: Kir Kolyshkin <kolyshkin@gmail.com>
Date:   Wed Nov 5 17:52:47 2025 -0800

    libct: fix mips compilation
    
    On MIPS arches, Rdev is uint32 so we have to convert it.
    
    Fixes issue 4962.
    
    Fixes: 8476df83 ("libct: add/use isDevNull, verifyDevNull")
    Fixes: de87203e ("console: verify /dev/pts/ptmx before use")
    Fixes: 398955bc ("console: add fallback for pre-TIOCGPTPEER kernels")
    Reported-by: Tianon Gravi <admwiggin@gmail.com>
    Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
    (cherry picked from commit 1b954f1f0676907ed11ad3a1d33ace5c3abdbc5f)
    Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>

commit 3cf50999ce7abe3efd3cffc13f5a1c6be827e20f
Merge: 8b7e3d7 8f6e8b4
Author: Aleksa Sarai <cyphar@cyphar.com>
Date:   Wed Nov 5 20:29:41 2025 +1100

    merge security release into opencontainers/runc:release-1.3
    
    Aleksa Sarai (24):
      VERSION: back to development
      VERSION: release v1.3.3
      rootfs: re-allow dangling symlinks in mount targets
      openat2: improve resilience on busy systems
      selinux: use safe procfs API for labels
      rootfs: switch to fd-based handling of mountpoint targets
      libct/system: use securejoin for /proc/$pid/stat
      init: use securejoin for /proc/self/setgroups
      init: write sysctls using safe procfs API
      utils: remove unneeded EnsureProcHandle
      utils: use safe procfs for /proc/self/fd loop code
      apparmor: use safe procfs API for labels
      ci: add lint to forbid the usage of os.Create
      rootfs: avoid using os.Create for new device inodes
      internal: add wrappers for securejoin.Proc*
      go.mod: update to github.com/cyphar/filepath-securejoin@v0.5.0
      console: verify /dev/pts/ptmx before use
      console: avoid trivial symlink attacks for /dev/console
      console: add fallback for pre-TIOCGPTPEER kernels
      console: use TIOCGPTPEER when allocating peer PTY
      *: switch to safer securejoin.Reopen
      internal: move utils.MkdirAllInRoot to internal/pathrs
      internal/sys: add VerifyInode helper
      internal: linux: add package doc-comment
    
    Li Fubang (1):
      libct: align param type for mountCgroupV1/V2 functions
    
    Kir Kolyshkin (3):
      libct: maskPaths: don't rely on ENOTDIR for mount
      libct: maskPaths: only ignore ENOENT on mount dest
      libct: add/use isDevNull, verifyDevNull
    
    Fixes: CVE-2025-31133 GHSA-9493-h29p-rfm2
    Fixes: CVE-2025-52565 GHSA-qw9x-cqr3-wc7r
    Fixes: CVE-2025-52881 GHSA-cgrx-mc8f-2prm
    Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>

commit 8f6e8b45d6da5ffbbe4ae716677af77f94699c3b
Author: Aleksa Sarai <cyphar@cyphar.com>
Date:   Wed Nov 5 20:06:49 2025 +1100

    VERSION: back to development
    
    Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>

commit c9dfa1adc207c133c998fb0f4b48e58618dfe3af
Author: Reinhard Tartler <siretart@tauware.de>
Date:   Tue Nov 4 18:03:48 2025 -0500

    Tighten dependency on opencontainers/cgroups

commit 4e3ee706f4948d16c971f1123e08b8339cd76f42
Author: Reinhard Tartler <siretart@tauware.de>
Date:   Sat Nov 1 19:14:41 2025 -0400

    debian/changelog: update

commit 0a82835b29a7f13936e76861fb2c5ad57de823c1
Author: Reinhard Tartler <siretart@tauware.de>
Date:   Sat Nov 1 18:01:00 2025 -0400

    gitlab-ci.yml: Use salsa pipeline

commit 7421cdc4db2e46b1c2e456c4483e6cac57ba848e
Author: Reinhard Tartler <siretart@tauware.de>
Date:   Sat Nov 1 17:59:01 2025 -0400

    debian/changelog: update

commit 276d9d4b99add52ae567eb3357a1a318af83124f
Merge: 82c8716 8086446
Author: Reinhard Tartler <siretart@tauware.de>
Date:   Sat Nov 1 17:54:00 2025 -0400

    Update upstream source from tag 'upstream/1.3.2+ds1'
    
    Update to upstream version '1.3.2+ds1'
    with Debian dir 6517952185ece087a8e4a65663c006f1d5926aba

commit 82c8716122e5b202eebc58dfaed72f509d0a49f9
Author: Reinhard Tartler <siretart@tauware.de>
Date:   Sat Nov 1 17:51:13 2025 -0400

    debian/watch: Update to format 5, track 1.3 releases

commit d8e7181efdfc217d9e0a710d9144436bb0f62905
Author: Reinhard Tartler <siretart@tauware.de>
Date:   Fri Sep 19 15:01:34 2025 -0400

    Update changelog for 1.3.0+ds1-4 release

commit 588509b0ceb80f106fdbf5ea2d5575b9856776c1
Author: Reinhard Tartler <siretart@tauware.de>
Date:   Sat Sep 20 05:59:10 2025 -0400

    Unbreak when running in incus
    
    Expands https://github.com/opencontainers/runc/commit/9a7e5a94346df545be991330196ed4d65adcbb26

commit 7fcbbb17e730ceb6150e32ecbc6146a95e501a3d
Author: Reinhard Tartler <siretart@tauware.de>
Date:   Fri Sep 19 15:01:09 2025 -0400

    Add breaks to containers/{common,buildah}
    
    Breaks compilation with:
    
     src/github.com/containers/common/pkg/cgroups/blkio_linux.go:14:2: cannot find package "github.com/opencontainers/runc/libcontainer/cgroups" in any of:
            /usr/lib/go-1.24/src/github.com/opencontainers/runc/libcontainer/cgroups (from $GOROOT)
            /tmp/autopkgtest-lxc.ufg0gx7g/downtmp/autopkgtest_tmp/_build/src/github.com/opencontainers/runc/libcontainer/cgroups (from $GOPATH)
     src/github.com/containers/common/pkg/cgroups/blkio_linux.go:15:2: cannot find package "github.com/opencontainers/runc/libcontainer/cgroups/fs" in any of:
            /usr/lib/go-1.24/src/github.com/opencontainers/runc/libcontainer/cgroups/fs (from $GOROOT)
            /tmp/autopkgtest-lxc.ufg0gx7g/downtmp/autopkgtest_tmp/_build/src/github.com/opencontainers/runc/libcontainer/cgroups/fs (from $GOPATH)
     src/github.com/containers/common/pkg/cgroups/blkio_linux.go:16:2: cannot find package "github.com/opencontainers/runc/libcontainer/cgroups/fs2" in any of:
            /usr/lib/go-1.24/src/github.com/opencontainers/runc/libcontainer/cgroups/fs2 (from $GOROOT)
            /tmp/autopkgtest-lxc.ufg0gx7g/downtmp/autopkgtest_tmp/_build/src/github.com/opencontainers/runc/libcontainer/cgroups/fs2 (from $GOPATH)
    
    This code has been moved out to containerd/cgroups

commit 085e6b86da2e9df040ba80adebdeb6cbce33f025
Author: Reinhard Tartler <siretart@tauware.de>
Date:   Thu Sep 18 06:20:51 2025 -0400

    debian/changelog: update

commit 4d300a5c3fe9ac24179f2a8bd70276f4e9ad480a
Author: Reinhard Tartler <siretart@tauware.de>
Date:   Tue Sep 16 12:39:15 2025 -0400

    gitlab-ci.yml: restrict autopkgtest, reprotest and piuparts to unstable
    
    this can be reverted as soon as all required dependencies can be found in
    unstable

commit e5b6f11208fa34444c50de560f3e57417eb2aa77
Author: Reinhard Tartler <siretart@tauware.de>
Date:   Tue Sep 16 09:15:56 2025 -0400

    Temporarily revert to standard salsa-ci pipeline
    
    This is to allow setting non-standard build flags, such as enabling aptly and
    triggering building reverse dependencies

commit 4163a84b420e152ad0a01228d29e5e2163e8215d
Author: Reinhard Tartler <siretart@tauware.de>
Date:   Mon Sep 15 15:04:50 2025 -0400

    Replace Tim from uploaders with myself, his email bounces

commit a78fe4b00787d502167ee40c90cb43e100a52110
Author: Reinhard Tartler <siretart@tauware.de>
Date:   Mon Sep 15 13:32:00 2025 -0400

    update debian/changelog

commit 10705fb7197bdaad0bdda2cab7141714598ead83
Author: Reinhard Tartler <siretart@tauware.de>
Date:   Mon Sep 15 14:09:51 2025 -0400

    Use Static-Built-Using, as per https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1069256#95

commit 037401beab3635d862f826b118017326c5240103
Author: Reinhard Tartler <siretart@tauware.de>
Date:   Mon Sep 15 13:45:32 2025 -0400

    Bump Standards-Version

commit 8aa199ec1230aaabbe8e8303ae06a8a1865a0526
Author: Reinhard Tartler <siretart@tauware.de>
Date:   Mon Sep 15 13:45:06 2025 -0400

    Add overrides for lintian issues

commit 214c21d8001419747325eeddec8b5ed14e284dac
Author: Reinhard Tartler <siretart@tauware.de>
Date:   Mon Sep 15 13:31:36 2025 -0400

    Fix ftbfs on mips64el in remap-rootfs.go
    
    Forwarded: no

commit a85afc4674996d21933fa22cbba468ecc02a8af8
Author: Reinhard Tartler <siretart@tauware.de>
Date:   Sun Sep 14 17:00:20 2025 -0400

    update debian/changelog

commit a2ac01961afa1c2ee0d807132795d8b3e3cd6ff6
Author: Reinhard Tartler <siretart@tauware.de>
Date:   Sun Sep 14 16:48:32 2025 -0400

    depend on golang-github-opencontainers-cgroups-dev

commit 5d9956eef4c36b5c0a2bfd0c83a974f0b58b1eb4
Author: Reinhard Tartler <siretart@tauware.de>
Date:   Sun Sep 14 16:50:06 2025 -0400

    Install the VERSION file

commit fc90f5e35a6c135afaa86fc2ec7fc4237630eac8
Author: Reinhard Tartler <siretart@tauware.de>
Date:   Sun Sep 14 16:42:44 2025 -0400

    refresh patches

commit e3ffd01340b75edfa12e1ca14363f08cbf7e647e
Author: Reinhard Tartler <siretart@tauware.de>
Date:   Sun Sep 14 16:31:12 2025 -0400

    debian/changelog: update

commit dd54ffe0dcbf6853203775311d7cca28d17ab338
Author: Reinhard Tartler <siretart@tauware.de>
Date:   Sun Sep 14 16:30:30 2025 -0400

    Build against cilium-ebpf in experimental

commit 601fdcdb8c4208c1a54d417b254df4c916fdae3c
Merge: 05e9d06 34e2709
Author: Reinhard Tartler <siretart@tauware.de>
Date:   Sun Sep 14 16:29:51 2025 -0400

    Update upstream source from tag 'upstream/1.3.0+ds1'
    
    Update to upstream version '1.3.0+ds1'
    with Debian dir 68c07fbbb326e3659c6fc48344bbc86fdf12a8e2

commit 05e9d068ec7697b5102c90a2a7938596f3828c50
Author: Gianfranco Costamagna <locutusofborg@debian.org>
Date:   Sat Feb 8 17:16:04 2025 +0100

    Update changelog, upload to sid

commit 2151a738d016377800c8d8c44c54f94e4cbdf149
Author: Gianfranco Costamagna <locutusofborg@debian.org>
Date:   Sat Feb 8 17:15:00 2025 +0100

    From:  zhangdandan <zhangdandan@loongson.cn> Fix loongarch64 support (Closes: #1095452)

commit 4fe73a4a8390da812ced05ccbb42f960035d91c2
Author: Jochen Sprickerhof <jspricke@debian.org>
Date:   Mon Nov 4 10:45:34 2024 +0100

    Update changelog for 1.1.15+ds1-1 release

commit b60c01045efed4573429010186000d741c2a3dac
Merge: d208b2c ae373d7
Author: Jochen Sprickerhof <jspricke@debian.org>
Date:   Mon Nov 4 10:44:26 2024 +0100

    Update upstream source from tag 'upstream/1.1.15'
    
    Update to upstream version '1.1.15'
    with Debian dir 0a1e5538bda6ec9dbaf201eb7e32e0178d122849
Created: 2025-11-16 Last update: 2026-04-07 23:33
debian/patches: 3 patches to forward upstream low

Among the 8 debian patches available in version 1.3.5+ds1-1 of the package, we noticed the following issues:

  • 3 patches where the metadata indicates that the patch has not yet been forwarded upstream. You should either forward the patch upstream or update the metadata to document its real status.
Created: 2023-02-26 Last update: 2026-03-30 10:00
Standards version of the package is outdated. wishlist
The package should be updated to follow the last version of Debian Policy (Standards-Version 4.7.4 instead of 4.7.2).
Created: 2025-12-23 Last update: 2026-03-31 15:01
news
  • [2026-04-02] runc 1.3.5+ds1-1 MIGRATED to testing (Debian testing watch)
  • [2026-03-30] Accepted runc 1.3.5+ds1-1 (source) into unstable (Reinhard Tartler)
  • [2025-12-08] Accepted runc 1.3.3+ds1-3 (source) into experimental (Reinhard Tartler)
  • [2025-11-23] runc 1.3.3+ds1-2 MIGRATED to testing (Debian testing watch)
  • [2025-11-17] Accepted runc 1.3.3+ds1-2 (source) into unstable (Reinhard Tartler)
  • [2025-11-16] Accepted runc 1.3.3+ds1-1 (source) into experimental (Reinhard Tartler)
  • [2025-11-04] runc 1.3.2+ds1-1 MIGRATED to testing (Debian testing watch)
  • [2025-11-02] Accepted runc 1.3.2+ds1-1 (source) into unstable (Reinhard Tartler)
  • [2025-09-25] runc 1.3.0+ds1-4 MIGRATED to testing (Debian testing watch)
  • [2025-09-20] Accepted runc 1.3.0+ds1-4 (source) into unstable (Reinhard Tartler)
  • [2025-09-18] Accepted runc 1.3.0+ds1-3 (source) into unstable (Reinhard Tartler)
  • [2025-09-15] Accepted runc 1.3.0+ds1-2 (source) into experimental (Reinhard Tartler)
  • [2025-09-14] Accepted runc 1.3.0+ds1-1 (source) into experimental (Reinhard Tartler)
  • [2025-02-15] runc 1.1.15+ds1-2 MIGRATED to testing (Debian testing watch)
  • [2025-02-08] Accepted runc 1.1.15+ds1-2 (source) into unstable (Gianfranco Costamagna)
  • [2024-11-07] runc 1.1.15+ds1-1 MIGRATED to testing (Debian testing watch)
  • [2024-11-04] Accepted runc 1.1.15+ds1-1 (source) into unstable (Jochen Sprickerhof)
  • [2024-10-20] runc 1.1.12+ds1-5.1 MIGRATED to testing (Debian testing watch)
  • [2024-10-18] Accepted runc 1.1.12+ds1-5.1 (source) into unstable (Gianfranco Costamagna)
  • [2024-08-20] runc 1.1.12+ds1-5 MIGRATED to testing (Debian testing watch)
  • [2024-08-17] Accepted runc 1.1.12+ds1-5 (source) into unstable (Reinhard Tartler)
  • [2024-08-11] Accepted runc 1.0.0~rc93+ds1-5+deb11u5 (source all amd64) into oldstable-proposed-updates (Debian FTP Masters) (signed by: Daniel Leidert)
  • [2024-08-08] Accepted runc 1.1.12+ds1-4 (source) into experimental (Reinhard Tartler)
  • [2024-08-08] Accepted runc 1.1.12+ds1-3 (source) into experimental (Reinhard Tartler)
  • [2024-06-29] Accepted runc 1.0.0~rc93+ds1-5+deb11u4 (source all amd64) into oldstable-proposed-updates (Debian FTP Masters) (signed by: Daniel Leidert)
  • [2024-03-15] runc 1.1.12+ds1-2 MIGRATED to testing (Debian testing watch)
  • [2024-02-27] Accepted runc 1.1.12+ds1-2 (source) into unstable (Shengjing Zhu)
  • [2024-02-19] Accepted runc 1.0.0~rc6+dfsg1-3+deb10u3 (source all amd64) into oldoldstable (Daniel Leidert)
  • [2024-02-08] runc 1.1.12+ds1-1 MIGRATED to testing (Debian testing watch)
bugs [bug history graph]
  • all: 4
  • RC: 0
  • I&N: 4
  • M&W: 0
  • F&P: 0
  • patch: 1
links
  • homepage
  • lintian
  • buildd: logs, reproducibility, cross
  • popcon
  • browse source code
  • edit tags
  • other distros
  • security tracker
  • debian patches
  • debci
ubuntu Ubuntu logo [Information about Ubuntu for Debian Developers]
  • version: 1.3.3+ds1-2ubuntu1
  • 2 bugs
  • patches for 1.3.3+ds1-2ubuntu1

Debian Package Tracker — Copyright 2013-2025 The Distro Tracker Developers