[release/1.2 backport] bump libseccomp-golang v0.9.1 #3376
full diff: seccomp/libseccomp-golang@32f571b...689e3c1

Release notes:

* Version 0.9.1 - May 21, 2019
  - Minimum supported version of libseccomp bumped to v2.2.0 (seccomp/libseccomp-golang@fc02980)
  - PowerPC and S390(x) architectures are unavailable below library version v2.3.0 and will return errors if used with incompatible libraries
  - Use Libseccomp's `seccomp_version` API to retrieve library version
  - Unconditionally set TSync attribute for filters, due to Go's heavily threaded nature
  - Fix [CVE-2017-18367](https://nvd.nist.gov/vuln/detail/CVE-2017-18367) - Multiple syscall arguments were incorrectly combined with logical-OR, instead of logical-AND (seccomp/libseccomp-golang@06e7a29)
  - Fix a failure to build on Debian-based distributions due to CGo code
  - Fix unit test failures on 32-bit architectures
  - Improve several errors to be more verbose about their causes
  - Add support for SCMP_ACT_LOG (with libseccomp versions 2.4.x and higher), permitting syscalls but logging their execution
  - Add support for SCMP_FLTATR_CTL_LOG (with libseccomp versions 2.4.x and higher), logging not-allowed actions when they are denied

Signed-off-by: Sebastiaan van Stijn <[email protected]>
(cherry picked from commit bb41ef8)
Signed-off-by: Sebastiaan van Stijn <[email protected]>
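To make the CVE-2017-18367 entry above concrete, here is an added Go example that is not libseccomp-golang's own code: it models one rule with two equality conditions on syscall arguments and evaluates it with the intended AND combination and the old OR combination, showing the OR form permitting a call the rule was meant to exclude. The socket() constants and the sample rule are constructed assumptions for illustration.

```go
package main

import "fmt"

// Constructed model, not libseccomp-golang's own code: one seccomp rule
// carrying several argument conditions, evaluated two ways to show why the
// pre-0.9.1 OR-combination (CVE-2017-18367) was over-permissive.
// Only equality conditions are modelled; the real library also has other operators.
type ArgCond struct {
	Arg   int    // syscall argument index
	Value uint64 // value the argument must equal
}

func (c ArgCond) matches(args []uint64) bool {
	return c.Arg >= 0 && c.Arg < len(args) && args[c.Arg] == c.Value
}

// matchesAND is the intended semantics: the rule fires only if every condition holds.
func matchesAND(conds []ArgCond, args []uint64) bool {
	for _, c := range conds {
		if !c.matches(args) {
			return false
		}
	}
	return len(conds) > 0
}

// matchesOR is the buggy semantics fixed in 0.9.1: any single condition suffices.
func matchesOR(conds []ArgCond, args []uint64) bool {
	for _, c := range conds {
		if c.matches(args) {
			return true
		}
	}
	return false
}

// Sample rule (constructed): allow socket() only when arg0 == AF_INET (2)
// and arg1 == SOCK_STREAM (1), using Linux's values for those constants.
var allowInetStream = []ArgCond{{Arg: 0, Value: 2}, {Arg: 1, Value: 1}}

func main() {
	unixStream := []uint64{1, 1, 0} // socket(AF_UNIX, SOCK_STREAM, 0): should NOT match
	fmt.Println("AND:", matchesAND(allowInetStream, unixStream)) // false, as intended
	fmt.Println("OR: ", matchesOR(allowInetStream, unixStream))  // true, wrongly permitted
}
```

On a default-deny filter, the OR form widens a conditional allow rule to every call that satisfies any one of its conditions, which is why a scanner flagging the old vendored version is worth taking seriously even when the filter author wrote the rule correctly.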
Codecov Report

```diff
@@             Coverage Diff              @@
##           release/1.2    #3376      +/- ##
===============================================
- Coverage        47.44%   43.81%   -3.64%
===============================================
  Files               92      101       +9
  Lines             8437    10780    +2343
===============================================
+ Hits              4003     4723     +720
- Misses            3704     5321    +1617
- Partials           730      736       +6
```
estesp left a comment
LGTM
Required backport to fix known CVE
FWIW, I discussed the vendor bump with @justincormack, and he thought that the actual vendor in containerd, containerd/cri, and dockerd is not critical for the CVE itself; the version in runc is the important one, but it turned out that it was already patched (there was some confusion about that). Bumping the vendored files in these branches would still be good to have (IMO) to take away any doubt (and possibly security scanners finding a vulnerable version of the dependency). If there's concerns about updating these files here, feel free to close.

LGTM
backport of #3371 for the 1.2 branch