runc (1.0.0~rc93+ds1-5+deb11u5) bullseye; urgency=medium

  * Non-maintainer upload by the Debian LTS Team.
  * d/changelog: Cleaned up the last entry for 1.0.0~rc93+ds1-5+deb11u4
    removing some superfluous entries.
  * d/patches/CVE-2023-27561-and-CVE-2023-28642: Added to fix CVE-2023-27561
    and CVE-2023-27561.
    - It was found that the fix for CVE-2021-30465 introduced a regression in
      regards to CVE-2019-19921 which results in an incorrect access control
      leading to privilege escalation and bypassing apparmor.

 -- Daniel Leidert Fri, 28 Jun 2024 00:56:20 +0200

runc (1.0.0~rc93+ds1-5+deb11u4) bullseye; urgency=medium

  * Non-maintainer upload by the Debian LTS Team.
  * d/patches/0025-Fix-busybox-tarball-url-in-integration-test.patch: Updated.
    - Fixed download URLs again.
  * d/patches/CVE-2021-43784.patch: Added to fix CVE-2021-43784.
    - When writing netlink messages, it is possible to have a byte array
      larger than UINT16_MAX which would result in the length field
      overflowing and allowing user-controlled data to be parsed as control
      characters (such as creating custom mount points, changing which set of
      namespaces to allow, and so on).
  * d/patches/0027-Fix-test-for-newer-kernels.patch: Added.
    - Fix test for newer kernels.
  * d/patches/CVE-2023-25809.patch: Added to fix CVE-2023-25809.
    - It was found that rootless runc makes `/sys/fs/cgroup` writable under
      specific conditions. A container may then gain the write access to
      user-owned cgroup hierarchy `/sys/fs/cgroup/user.slice/...` on the host.

 -- Daniel Leidert Fri, 28 Jun 2024 00:16:20 +0200

runc (1.0.0~rc93+ds1-5+deb11u3) bullseye-security; urgency=high

  * Team upload.
  * CVE-2024-21626: several container breakouts due to internally leaked fds

 -- Shengjing Zhu Fri, 02 Feb 2024 23:14:13 +0800

runc (1.0.0~rc93+ds1-5+deb11u2) bullseye; urgency=medium

  * Backport upstream patch:
    - do not set inheritable capabilities, Fixes: CVE-2022-29162

 -- Reinhard Tartler Mon, 13 Jun 2022 07:06:00 -0400

runc (1.0.0~rc93+ds1-5+deb11u1) bullseye; urgency=medium

  * Team upload.
  * backport upstream patch: Honor seccomp defaultErrnoRet, Closes: #1012030

 -- Reinhard Tartler Sun, 12 Jun 2022 14:49:36 -0400

runc (1.0.0~rc93+ds1-5) unstable; urgency=high

  * Team upload.
  * Replace CVE-2021-30465 patchset with the one on oss-security mailing list,
    which can be applied cleanly on 1.0.0~rc93.

 -- Shengjing Zhu Thu, 20 May 2021 02:46:14 +0800

runc (1.0.0~rc93+ds1-4) unstable; urgency=high

  * Team upload.
  * Backport patches for CVE-2021-30465 (Closes: #988768)
    To apply CVE-2021-30465 patch clearly, following PR are backported as well:
    + https://github.com/opencontainers/runc/pull/2798
    + https://github.com/opencontainers/runc/pull/2818

 -- Shengjing Zhu Thu, 20 May 2021 02:13:01 +0800

runc (1.0.0~rc93+ds1-3) unstable; urgency=medium

  * Team upload.
  * Backport patch to fix regression in rc93.
    Fix `runc init` stuck when system is under heavy load.

 -- Shengjing Zhu Sat, 10 Apr 2021 17:52:31 +0800

runc (1.0.0~rc93+ds1-2) unstable; urgency=medium

  * Team upload.
  * Drop compatibility patch. No longer used
  * Skip one integration test when no /dev/kmsg in testbed

 -- Shengjing Zhu Mon, 08 Feb 2021 19:00:36 +0800

runc (1.0.0~rc93+ds1-1) unstable; urgency=medium

  * Team upload.
  * New upstream version 1.0.0~rc93+ds1

 -- Shengjing Zhu Thu, 04 Feb 2021 11:05:23 +0800

runc (1.0.0~rc92.425.g7e3c3e8c+ds1-1) experimental; urgency=medium

  * Team upload.
  * Add umoci to test control
  * New upstream version 1.0.0~rc92.425.g7e3c3e8c+ds1
  * Add golang-golang-x-net-dev to Build-Depends

 -- Shengjing Zhu Wed, 03 Feb 2021 14:51:28 +0800

runc (1.0.0~rc92.372.gc69ae759+ds1-1) experimental; urgency=medium

  * Team upload.
  * New upstream version 1.0.0~rc92.372.gc69ae759+ds1
  * Update Standards-Version to 4.5.1 (no changes)
  * Move section to admin
  * No need protobuf-compiler in Build-Depends
  * Mark integration test in autopkgtest as flaky.
    The testbed on debci.d.n currently is broken with cgroups, but may be
    fixed later.

 -- Shengjing Zhu Sat, 23 Jan 2021 23:21:11 +0800

runc (1.0.0~rc92.346.g49cc2a22+ds1-1) experimental; urgency=medium

  * Team upload.
  * New upstream version 1.0.0~rc92.346.g49cc2a22+ds1
  * Change repacksuffix to ds
  * Vendor github.com/urfave/cli v1.22.1.
    Regression https://github.com/urfave/cli/issues/1092
  * Drop obsoleted build tags: apparmor and selinux
  * Bump golang-github-opencontainers-selinux-dev to 1.8.0
  * Add golang-github-willf-bitset-dev to Depends
  * Wrap integration test with script command
  * Disable TestParseCgroups when schroot doesn't have cgroup

 -- Shengjing Zhu Sun, 17 Jan 2021 21:20:30 +0800

runc (1.0.0~rc92.249.g636f23dd+dfsg1-3) experimental; urgency=medium

  * Team upload.
  * Try to create /dev/tty in autopkgtest env.

 -- Shengjing Zhu Wed, 18 Nov 2020 01:56:47 +0800

runc (1.0.0~rc92.249.g636f23dd+dfsg1-2) experimental; urgency=medium

  * Team upload.
  * Fix intelRdtManager patch

 -- Shengjing Zhu Sun, 15 Nov 2020 22:54:54 +0800

runc (1.0.0~rc92.249.g636f23dd+dfsg1-1) experimental; urgency=medium

  * Team upload.

  [ Dmitry Smirnov ]
  * CI: customised CI
  * Tightened dependency on "golang-github-pkg-errors-dev"
    golang-github-pkg-errors-dev (>= 0.9.1~)

  [ Shengjing Zhu ]
  * New upstream snapshot
    For testing the upcoming 1.0.0~rc93 release
  * Bump golang-github-moby-sys-dev version
  * Drop libapparmor-dev from Build-Depends
  * Add integration test to autopkgtest
  * Add patch to export IntelRdtManager to keep compatibility

 -- Shengjing Zhu Sun, 15 Nov 2020 19:50:02 +0800

runc (1.0.0~rc92+dfsg1-5) unstable; urgency=medium

  * Team upload.
  * Fix Breaks, should be podman instead of libpod

 -- Shengjing Zhu Thu, 27 Aug 2020 09:10:35 +0800

runc (1.0.0~rc92+dfsg1-4) unstable; urgency=medium

  * Team upload.
  * Add Breaks libpod << 2.0.4+dfsg2-5.
  * Drop GetClockTicks patch.

 -- Shengjing Zhu Tue, 25 Aug 2020 23:58:32 +0800

runc (1.0.0~rc92+dfsg1-3) unstable; urgency=medium

  * Team upload.
  * Bump golang-gocapability-dev to git20200815.
  * Upload to unstable.

 -- Shengjing Zhu Sun, 23 Aug 2020 01:32:45 +0800

runc (1.0.0~rc92+dfsg1-2) experimental; urgency=medium

  * Team upload.
  * Add patch to fix build with gccgo.
    Buildd chooses gccgo in experimental chroot

 -- Shengjing Zhu Thu, 20 Aug 2020 02:44:25 +0800

runc (1.0.0~rc92+dfsg1-1) experimental; urgency=medium

  * Team upload.
  * New upstream version 1.0.0~rc92
  * Excluded all vendor files
  * Update Build-Depends for new version
  * Remove ambient tag which is no longer used
  * Skip privileged cgroup test

 -- Shengjing Zhu Tue, 18 Aug 2020 00:46:22 +0800

runc (1.0.0~rc10+dfsg2-1) unstable; urgency=medium

  * Team upload.
  * Add golang-github-mrunalp-fileutils-dev to Depends
  * Unvendor github.com/cilium/ebpf
  * Remove vendor/github.com/coreos/pkg from Files-Excluded.
    No longer present in upstream tarball
  * Add golang-github-cilium-ebpf-dev to Build-Depends
  * Add /usr/bin/runc symlink (Closes: #958866)
  * Add missing Depends in -dev package.
    Also remove golang-golang-x-tools from Build-Depends
    Since it's only used in previous vendor library.
  * Update maintainer address to team+pkg-go@tracker.debian.org
  * Exclude contrib/cmd when building.
    The command recvtty has no real usage
  * Add runc bash-completion script
  * Add lintian overrides for manpage-without-executable
  * Add Rules-Requires-Root

 -- Shengjing Zhu Mon, 27 Apr 2020 00:57:29 +0800

runc (1.0.0~rc10+dfsg1-1) unstable; urgency=medium

  * New upstream release.
    + fixed CVE-2019-19921.
  * Un-vendored "golang-github-checkpoint-restore-go-criu-dev".
  * Build-Depends += "golang-golang-x-tools".
  * Standards-Version: 4.5.0.

 -- Dmitry Smirnov Sun, 26 Jan 2020 20:24:01 +1100

runc (1.0.0~rc9+dfsg1-1) unstable; urgency=medium

  * New upstream release.
    + fixed CVE-2019-16884.
  * Recommends += "criu" (Closes: #912821).
    Thanks, Qian Cai.
  * (Build-)Depends:
    = golang-github-docker-go-units-dev (>= 0.4.0~)
    = golang-github-opencontainers-selinux-dev (>= 1.3.0~)
    = golang-github-seccomp-libseccomp-golang-dev (>= 0.9.1~)
    = golang-gocapability-dev (>= 0.0+git20180916~)

 -- Dmitry Smirnov Wed, 09 Oct 2019 19:09:07 +1100

runc (1.0.0~rc8+dfsg1-1) unstable; urgency=medium

  * New upstream release.
  * Standards-Version: 4.4.0.
  * DH & compat to version 12.
  * (Build-)Depends:
    + golang-github-cyphar-filepath-securejoin-dev
    = golang-github-coreos-go-systemd-dev (>= 20~)

 -- Dmitry Smirnov Tue, 10 Sep 2019 00:22:06 +1000

runc (1.0.0~rc6+dfsg1-3) unstable; urgency=medium

  * Team upload.

  [ Shengjing Zhu ]
  * Improve patch for CVE-2019-5736 based on upstream commits.
    Now the patch includes following commits:
    + 2d4a37b nsenter: cloned_binary: userspace copy fallback if sendfile fails
    + 16612d7 nsenter: cloned_binary: try to ro-bind /proc/self/exe before copying
    + af9da0a nsenter: cloned_binary: use the runc statedir for O_TMPFILE
    + 2429d59 nsenter: cloned_binary: expand and add pre-3.11 fallbacks
    + 5b775bf nsenter: cloned_binary: detect and handle short copies
    + bb7d8b1 nsexec (CVE-2019-5736): avoid parsing environ
    + 0a8e411 nsenter: clone /proc/self/exe to avoid exposing host binary to container

  [ Arnaud Rebillout ]
  * Add version and gitcommit to the ldflags (Closes: #909644)
    Note that we fill the git commit with something that is NOT a git commit
    at all, instead we use it as a placeholder for the debian version. The
    debian version is a relevant information for the user, and it's nice to
    be able to show it, some way or another.

 -- Shengjing Zhu Sun, 10 Mar 2019 17:51:44 +0800

runc (1.0.0~rc6+dfsg1-2) unstable; urgency=medium

  * Team upload.
  * Apply upstream patch addressing CVE-2019-5736 (Closes: #922050)
    Thanks Noah Meyerhans!

 -- Shengjing Zhu Tue, 12 Feb 2019 23:45:09 +0800

runc (1.0.0~rc6+dfsg1-1) unstable; urgency=medium

  * Standards-Version: 4.3.0.
  * New upstream release.

 -- Dmitry Smirnov Fri, 25 Jan 2019 07:55:34 +1100

runc (1.0.0~rc5+dfsg1-4) unstable; urgency=medium

  * New patch to disable Hugetlb tests.

 -- Dmitry Smirnov Thu, 27 Sep 2018 08:16:11 +1000

runc (1.0.0~rc5+dfsg1-3) unstable; urgency=medium

  * TAGS += ambient
  * New patch to fix FTBFS on mips* architectures.

 -- Dmitry Smirnov Mon, 18 Jun 2018 11:47:25 +1000

runc (1.0.0~rc5+dfsg1-2) unstable; urgency=medium

  * New patch to fix integer overflow on i686.
  * Build with "selinux" tag (Closes: #865993).
    Thanks, Laurent Bigonville.
  * Added myself to uploaders.

 -- Dmitry Smirnov Sat, 16 Jun 2018 22:12:23 +1000

runc (1.0.0~rc5+dfsg1-1) unstable; urgency=medium

  * Team upload.

  [ Arnaud Rebillout ]
  * Set minimum requirement for golang-gocapability-dev.
    And drop the alternative name golang-github-syndtr-gocapability-dev,
    this name never existed in the first place.

  [ Dmitry Smirnov ]
  * New upstream release
  * Testsuite: autopkgtest-pkg-go
  * Standards-Version: 4.1.4; Priority: optional
  * debhelper to version 11; compat to version 10.
  * Added "XS-Go-Import-Path".
  * (Build-)Depends:
    - golang-github-codegangsta-cli-dev
    - golang-github-coreos-pkg-dev
    - golang-golang-x-sys-dev
    - golang-logrus-dev
    + golang-github-containerd-console-dev
    + golang-github-pkg-errors-dev
    + golang-github-sirupsen-logrus-dev
    + golang-github-urfave-cli-dev

 -- Dmitry Smirnov Fri, 15 Jun 2018 21:48:18 +1000

runc (1.0.0~rc4+dfsg1-6) unstable; urgency=medium

  [ Michael Stapelberg ]
  * update debian/gitlab-ci.yml (using salsa.debian.org/go-team/ci/cmd/ci)

  [ Dmitry Smirnov ]
  * Removed myself from uploaders.

  [ Balint Reczey ]
  * Team upload
  * Stop using unix.SIGUNUSED which has been removed from golang.org/x/sys
    (Closes: #889704)

 -- Balint Reczey Tue, 10 Apr 2018 18:40:56 +0200

runc (1.0.0~rc4+dfsg1-5) unstable; urgency=medium

  * Vcs-* urls: pkg-go-team -> go-team.

 -- Alexandre Viau Mon, 05 Feb 2018 23:05:40 -0500

runc (1.0.0~rc4+dfsg1-4) unstable; urgency=medium

  * Point vcs-* urls to packages subgroup.

 -- Alexandre Viau Thu, 25 Jan 2018 15:23:12 -0500

runc (1.0.0~rc4+dfsg1-3) unstable; urgency=medium

  * Change my email to @debian.org.
  * Move to salsa.debian.org.

 -- Alexandre Viau Fri, 29 Dec 2017 00:34:59 -0500

runc (1.0.0~rc4+dfsg1-2) unstable; urgency=medium

  * Mark runc breaking docker.io (<= 1.13.1~ds1-2) (Closes: #877146)

 -- Balint Reczey Sat, 30 Sep 2017 11:50:52 -0400

runc (1.0.0~rc4+dfsg1-1) unstable; urgency=medium

  * Team Upload
  * Update watch file to match release candidates
  * Update Files-Excluded and d/control to match dependencies of rc4
  * New upstream release candidate 1.0.0-rc4
  * Drop obsoleted patches
  * Drop outdated README.source
  * Require at least final 1.0.0 release of
    golang-github-opencontainers-specs-dev (Closes: #858250)
  * Fix typo in golang-github-opencontainers-runc-dev package description
    (Closes: #873760)

 -- Balint Reczey Sat, 30 Sep 2017 11:50:50 -0400

runc (1.0.0~rc2+git20170201.133.9df8b30-3) unstable; urgency=medium

  * Replace golang-go with golang-any in Build-Depends

 -- Konstantinos Margaritis Wed, 09 Aug 2017 15:00:55 +0300

runc (1.0.0~rc2+git20170201.133.9df8b30-2) unstable; urgency=medium

  * Patch to make libcontainer ignore cgroup2 hierarchy. Patch pulled from
    https://github.com/opencontainers/runc/pull/1266.

 -- Vincent Bernat Fri, 30 Jun 2017 07:10:34 +0200

runc (1.0.0~rc2+git20170201.133.9df8b30-1) unstable; urgency=medium

  * New upstream snapshot for Docker 1.13.1.

 -- Tim Potter Wed, 24 May 2017 11:36:40 +1000

runc (1.0.0~rc2+git20161109.131.5137186-2) unstable; urgency=medium

  * Add Breaks line to binary package to avoid messing up previous Docker
    installs.

 -- Tim Potter Fri, 24 Feb 2017 09:49:06 +1100

runc (1.0.0~rc2+git20161109.131.5137186-1) unstable; urgency=medium

  * New upstream snapshot.
  * Refresh backported patch for CVE-2016-9962.

 -- Tim Potter Wed, 15 Feb 2017 09:08:52 +1100

runc (0.1.1+dfsg1-2) unstable; urgency=medium

  * Team upload.
  * Backport patch for CVE-2016-9962 (Closes: #850951)

 -- Tianon Gravi Wed, 01 Feb 2017 07:17:54 -0800

runc (0.1.1+dfsg1-1) unstable; urgency=medium

  * New upstream release [June 2016].
  * testworks: disabled privileged and failing tests.
  * Build with "apparmor seccomp" tags (Closes: #830818);
    Build-Depends += "libapparmor-dev".

 -- Dmitry Smirnov Wed, 13 Jul 2016 23:00:43 +1000

runc (0.1.0+dfsg1-1) unstable; urgency=medium

  * Dropped dependency on "golang-docker-dev" in favour of bundled (or build
    time sub-vendored) "github.com/docker/docker" in order to avoid circular
    dependency with Docker.
  * Standards-Version: 3.9.8.
  * Corrected Vcs-Git URL.

 -- Dmitry Smirnov Sun, 12 Jun 2016 17:56:45 +1000

runc (0.1.0+dfsg-1) unstable; urgency=medium

  [ Tim Potter ]
  * Team upload
  * New upstream release [April 2016]
    = golang-github-opencontainers-specs-dev (>= 0.5.0~)
  * De-vendor new dependencies; pquerna/ffjson appears unused

 -- Dmitry Smirnov Sat, 23 Apr 2016 07:59:18 +1000

runc (0.0.9+dfsg-1) unstable; urgency=medium

  * New upstream release [March 2016].
  * (Build-)Depends:
    = golang-github-opencontainers-specs-dev (>= 0.4.0~)
    = golang-github-codegangsta-cli-dev (>= 0.0~git20151221~)
    - help2man
    + go-md2man
  * Install upstream man pages.
  * Install "runc" binary to "/usr/sbin".

 -- Dmitry Smirnov Sat, 16 Apr 2016 17:23:48 +1000

runc (0.0.8+dfsg-2) unstable; urgency=medium

  * (Build-)Depends:
    + golang-github-docker-go-units-dev
    + golang-github-seccomp-libseccomp-golang-dev

 -- Dmitry Smirnov Wed, 23 Mar 2016 20:05:01 +1100

runc (0.0.8+dfsg-1) unstable; urgency=medium

  * New upstream release [February 2016].
  * Build-Depends:
    + golang-github-vishvananda-netlink-dev
  * Updated Vcs URLs.
  * Standards-Version: 3.9.7.

 -- Dmitry Smirnov Fri, 26 Feb 2016 18:19:24 +1100

runc (0.0.4~dfsg-1) unstable; urgency=medium

  * New upstream release (Closes: #802507).
  * Dropped obsolete lintian-overrides.

 -- Dmitry Smirnov Wed, 21 Oct 2015 09:02:42 +1100

runc (0.0.3~dfsg2-1) unstable; urgency=low

  * Initial release (Closes: #796486).
    Thanks, Alexandre Viau.

 -- Dmitry Smirnov Sun, 06 Sep 2015 18:06:34 +1000