Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Update github.com/opencontainers/runc to v1.0.3 (fix CVE-2021-43784) #518

Merged
merged 1 commit into from
Dec 9, 2021

Conversation

pjbgf
Copy link
Member

@pjbgf pjbgf commented Dec 9, 2021

Security Advisories fixed:

github.com/opencontainers/runc v1.0.3
IDs: CVE-2021-43784, GO-2021-0085, GO-2021-0087
Links:
GHSA-v95c-p5hm-xq8f

@pjbgf
Copy link
Member Author

pjbgf commented Dec 9, 2021

Is there any specific format we can use to track the CVEs fixed so they can be made explicit in the "release changes"?

@stefanprodan
Copy link
Member

Please undo these changes and bump the version in the replace section, add the CVE numbers there.

Copy link
Member

@stefanprodan stefanprodan left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please rebase with upstream main and force push.

Copy link
Member

@stefanprodan stefanprodan left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

Thanks @pjbgf

PS. After we release source-controller with these changes, you can update IAC too.

@stefanprodan
Copy link
Member

@pjbgf I assumed you've run make test before opening this PR, please do so from now on. The runc update comes with breaking changes:

../home/go/pkg/mod/github.com/deislabs/oras@v0.11.1/pkg/oras/push.go:52:31: not enough arguments in call to remotes.PushContent
	have (context.Context, remotes.Pusher, v1.Descriptor, "github.com/containerd/containerd/content".Store, nil, func(images.Handler) images.Handler)
	want (context.Context, remotes.Pusher, v1.Descriptor, "github.com/containerd/containerd/content".Store, *semaphore.Weighted, platforms.MatchComparer, func(images.Handler)

@stefanprodan stefanprodan self-requested a review December 9, 2021 09:55
Advisories fixed:
github.com/opencontainers/runc: CVE-2021-43784 GO-2021-0085 GO-2021-0087

Signed-off-by: Paulo Gomes <paulo.gomes@weave.works>
@pjbgf
Copy link
Member Author

pjbgf commented Dec 9, 2021

The issue was with the containerd dependency, which I have now removed from the PR. Tested it locally and it is working fine now. 👍

@pjbgf pjbgf changed the title Bump dependencies to patch security advisories Update github.com/opencontainers/runc to v1.0.3 (fix CVE-2021-43784, GO-2021-0085, GO-2021-0087) Dec 9, 2021
@stefanprodan stefanprodan changed the title Update github.com/opencontainers/runc to v1.0.3 (fix CVE-2021-43784, GO-2021-0085, GO-2021-0087) Update github.com/opencontainers/runc to v1.0.3 (fix CVE-2021-43784) Dec 9, 2021
@stefanprodan stefanprodan merged commit bb6794c into fluxcd:main Dec 9, 2021
@pjbgf pjbgf deleted the security-advisories branch December 9, 2021 10:58
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants