
[1.1] CHANGELOG: fixes for 1.1.5 #3796

Merged
merged 5 commits into from
Mar 31, 2023

Conversation

@kolyshkin kolyshkin commented Mar 29, 2023

Changelog fixes:

  1. Fix wrong old version in a github compare link.
  2. Fix a typo in changelog (found by our CI codespell)
  3. Moved 1.1.5 CVEs to a separate "Security" section (by @cyphar, see [1.1] CHANGELOG: fixes for 1.1.5 #3796 (comment))

CI fix:

  1. Removed the changelog check for non-ASCII characters, as it was failing the release job:
Run make verify-changelog
# No non-ASCII characters.
>! LC_ALL=C grep -n -P '[\x80-\xFF]' CHANGELOG.md
11:> 囚われた屈辱は
12:> 反撃の嚆矢だ
make: *** [Makefile:150: verify-changelog] Error 1

Improvements:

  1. Added verify-changelog to localrelease target, as one more way to catch those errors early.

PS: we need to forward-port these changes, as well as the 1.1.4 and 1.1.5 changelogs, to the main branch.

@kolyshkin kolyshkin added this to the 1.1.6 milestone Mar 29, 2023
thaJeztah
thaJeztah previously approved these changes Mar 29, 2023
@thaJeztah thaJeztah left a comment

LGTM

@kolyshkin

CI failure is unrelated; see #3792

@kolyshkin kolyshkin changed the title [1.1] CHANGELOG: fix 1.1.5 git compare link [1.1] CHANGELOG: fixes for 1.1.5 Mar 29, 2023
@kolyshkin kolyshkin requested review from cyphar and AkihiroSuda March 29, 2023 21:51

@kolyshkin kolyshkin requested a review from thaJeztah March 29, 2023 22:53
cyphar commented Mar 30, 2023

Why do we restrict changelog entries to ASCII-only? It's all UTF-8, so I would've expected all of the tools we use for handling changelogs would be able to handle UTF-8 at this point.

I don't really care about the release title either way (the whole release title thing is meant to just be a light-hearted thing to add to each release), but if we ever have a security issue disclosed by someone who has non-ASCII characters in their name we will need to handle this (since we usually include their name in the changelog).

I also just noticed that we should've put the CVEs as a "Security" section. Something like this (apply on top of your current branch):

--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -10,12 +10,31 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0

 > The humiliation of being captured is the beginning of the counterattack.

+### Security
+
+The following CVEs were fixed in this release:
+
+* [CVE-2023-25809][] is a vulnerability involving rootless containers where
+  (under specific configurations), the container would have write access to the
+  `/sys/fs/cgroup/user.slice/...` cgroup hierarchy. No other hierarchies on the
+  host were affected. This vulnerability was discovered by Akihiro Suda.
+
+* [CVE-2023-27561][] was a regression in our protections against tricky `/proc`
+  and `/sys` configurations (where the container mountpoint is a symlink)
+  causing us to be tricked into incorrectly configuring the container, which
+  effectively re-introduced [CVE-2019-19921][]. This regression was present
+  from v1.0.0-rc95 to v1.1.4 and was discovered by @Beuc. (#3785)
+
+* [CVE-2023-28642][] is a different attack vector using the same regression
+  as in [CVE-2023-27561][]. This was reported by Lei Wang.
+
+[CVE-2019-19921]: https://github.com/advisories/GHSA-fh74-hm69-rqjw
+[CVE-2023-25809]: https://github.com/opencontainers/runc/security/advisories/GHSA-m8cg-xc2p-r3fc
+[CVE-2023-27561]: https://github.com/advisories/GHSA-vpvm-3wq2-2wvm
+[CVE-2023-28642]: https://github.com/opencontainers/runc/security/advisories/GHSA-g2j6-57v7-gm8c
+
 ### Fixed

-* Prohibit container's `/proc` and `/sys` to be symlinks (CVE-2019-19921,
-  CVE-2023-27561, CVE-2023-28642, #3785)
-* rootless: rework /sys/fs/cgroup mounts to avoid exposing the host's cgroup
-  hierarchy into the container. (CVE-2023-25809)
 * Fix the inability to use `/dev/null` when inside a container. (#3620)
 * Fix changing the ownership of host's `/dev/null` caused by fd redirection
   (a regression in 1.1.1). (#3674, #3731)
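Review bot: the two removed "Fixed" entries were the only place the changelog said what actually changed (prohibiting a symlinked container `/proc` and `/sys`; reworking the rootless `/sys/fs/cgroup` mounts), while the new Security entries describe the vulnerabilities and reporters but not the fix, so a reader of the Security section cannot tell what behaviour changed in 1.1.5. Consider keeping one sentence on the fix in each entry, e.g. "The container's `/proc` and `/sys` are now required not to be symlinks." Also, the CVE-2023-25809 entry gives no affected version range while the CVE-2023-27561 entry does (v1.0.0-rc95 to v1.1.4); stating it for all three keeps the entries consistent.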

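As an added example (not code from this PR or from runc's Makefile), here is what a UTF-8-aware replacement for the removed `verify-changelog` check could look like, following cyphar's point that the file is UTF-8: it reproduces the old `LC_ALL=C grep -P '[\x80-\xFF]'` check to show the false positive on the release-title quote, then flags only genuinely bad input (invalid UTF-8 byte sequences and stray control characters). The `SAMPLE` changelog fragment is constructed for the demonstration.

```python
"""UTF-8-aware changelog check (added example; the constructed SAMPLE below
mixes the real 1.1.5 release-title quote with two deliberately bad lines)."""
import re
import sys

# Constructed sample: the quote that tripped the ASCII-only check, followed by
# a latin-1 byte (not valid UTF-8) and a stray BEL control character.
SAMPLE = (
    "## [1.1.5] - 2023-03-29\n"
    "> 囚われた屈辱は\n"
    "> 反撃の嚆矢だ\n"
).encode("utf-8") + b"* Fix latin-1 bytes: caf\xe9\n* Stray control char:\x07\n"

# C0 controls except TAB/LF/CR, plus DEL: never legitimate in a changelog.
CONTROL = re.compile(r"[\x00-\x08\x0b\x0c\x0e-\x1f\x7f]")


def old_ascii_check(data: bytes) -> list[int]:
    """The removed Makefile check, LC_ALL=C grep -n -P '[\\x80-\\xFF]':
    returns every line number containing a byte >= 0x80, valid UTF-8 or not."""
    return [n for n, line in enumerate(data.splitlines(), 1)
            if re.search(rb"[\x80-\xff]", line)]


def verify_changelog(data: bytes) -> list[tuple[int, str]]:
    """Return (line number, reason) for lines that are not valid UTF-8 text."""
    problems = []
    for n, line in enumerate(data.splitlines(), 1):
        try:
            text = line.decode("utf-8")  # strict: rejects latin-1, overlongs, lone surrogates
        except UnicodeDecodeError as err:
            bad = line[err.start:err.end]
            problems.append((n, f"invalid UTF-8 at byte {err.start}: {bad!r}"))
            continue
        hit = CONTROL.search(text)
        if hit:
            problems.append((n, f"control character U+{ord(hit.group()):04X}"))
    return problems


def main(argv: list[str]) -> int:
    data = open(argv[1], "rb").read() if len(argv) > 1 else SAMPLE
    name = argv[1] if len(argv) > 1 else "<sample>"
    problems = verify_changelog(data)
    for n, reason in problems:  # same file:line: shape as grep -n
        print(f"{name}:{n}: {reason}")
    return 1 if problems else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run as `python3 verify_changelog.py CHANGELOG.md`; the non-zero exit status lets it slot into a make target the same way the grep did, without rejecting the Japanese quote.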
AkihiroSuda
AkihiroSuda previously approved these changes Mar 31, 2023
cyphar
cyphar previously approved these changes Mar 31, 2023
cyphar commented Mar 31, 2023

The DCO bot doesn't like that you have a commit where I'm the author and committer without my DCO. You'll have to add Signed-off-by: Aleksa Sarai <cyphar@cyphar.com> before your DCO.

EDIT: Ah, I think that was triggered by me rebasing it. In any case, since I wrote the patch it probably should have my DCO anyway.

kolyshkin and others added 5 commits March 30, 2023 18:54
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
Found by codespell.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
Previously (see commit 91fa032) we found a few issues
using this check, but apparently the CHANGELOG.md is in UTF-8, and
the recently added quote is breaking this, so remove.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
... as a way to maybe catch some CHANGELOG.md bugs at the last moment.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
@kolyshkin

> Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>

done

@kolyshkin

kolyshkin commented Mar 31, 2023

OK, this should make 1.1 CI green again, except for centos-stream-9, which is being fixed in the main branch by #3782 and #3788. Once those two are merged, I'll think about the backport strategy (it's not trivial).

Update: hooray, #3788 is not needed in 1.1!

@cyphar cyphar merged commit 060a61c into opencontainers:release-1.1 Mar 31, 2023