Commit 1967515

Dockerfile: update runc binary to v1.3.3
Update the version used in CI and for the static binaries.

- release notes: https://github.com/opencontainers/runc/releases/tag/v1.3.3
- full diff: opencontainers/runc@v1.3.2...v1.3.3

This release contains fixes for three high-severity security vulnerabilities in runc (CVE-2025-31133, CVE-2025-52565, and CVE-2025-52881). All three vulnerabilities ultimately allow (through different methods) for full container breakouts by bypassing runc's restrictions for writing to arbitrary /proc files.

Signed-off-by: Paweł Gronowski <[email protected]>
(cherry picked from commit 35f6a78)
Signed-off-by: Paweł Gronowski <[email protected]>
1 parent 4489660 commit 1967515

2 files changed

Lines changed: 3 additions & 6 deletions

Dockerfile

Lines changed: 2 additions & 3 deletions
@@ -260,9 +260,8 @@ WORKDIR /usr/src/runc
260260
RUN git init . && git remote add origin "https://github.com/opencontainers/runc.git"
261261
# RUNC_VERSION should match the version that is used by the containerd version
262262
# that is used. If you need to update runc, open a pull request in the containerd
263-
# project first, and update both after that is merged. When updating RUNC_VERSION,
264-
# consider updating runc in vendor.mod accordingly.
265-
ARG RUNC_VERSION=v1.3.0
263+
# project first, and update both after that is merged.
264+
ARG RUNC_VERSION=v1.3.3
266265
RUN git fetch -q --depth 1 origin "${RUNC_VERSION}" +refs/tags/*:refs/tags/* && git checkout -q FETCH_HEAD
267266

268267
FROM base AS runc-build
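
Review bot: The `ARG RUNC_VERSION` line moves the default from v1.3.0 straight to v1.3.3, but the commit message links only the v1.3.2...v1.3.3 diff, so on this branch the changes between v1.3.0 and v1.3.2 arrive without being referenced. Suggest noting in the cherry-pick message that the base here was v1.3.0 and pointing at the v1.3.0...v1.3.3 range instead. The retained comment also says RUNC_VERSION should match the runc version used by the containerd version in use; please confirm that containerd on this branch is on v1.3.3, or state that the bump deliberately goes ahead of it because of the three CVE fixes.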

hack/dockerfile/install/runc.installer

Lines changed: 1 addition & 3 deletions
@@ -7,9 +7,7 @@ set -e
77
# The version of runc should match the version that is used by the containerd
88
# version that is used. If you need to update runc, open a pull request in
99
# the containerd project first, and update both after that is merged.
10-
#
11-
# When updating RUNC_VERSION, consider updating runc in vendor.mod accordingly
12-
: "${RUNC_VERSION:=v1.3.0}"
10+
: "${RUNC_VERSION:=v1.3.3}"
1311

1412
install_runc() {
1513
RUNC_BUILDTAGS="${RUNC_BUILDTAGS:-"seccomp"}"
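
Review bot: The two removed comment lines above the `: "${RUNC_VERSION:=v1.3.3}"` default drop the reminder to consider updating runc in vendor.mod, and the commit message does not say why. If vendor.mod on this branch still carries a runc dependency, keep the reminder (or bump vendor.mod in the same change) so the vendored code does not stay on a release without these fixes; if it no longer does, say so in the message. This default also duplicates `ARG RUNC_VERSION=v1.3.3` in the Dockerfile, so a short comment noting that the two values must be changed together would help the next update.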
