
[28.x backport] Dockerfile: update runc binary to v1.3.3 #51394

Merged: thaJeztah merged 2 commits into moby:28.x from vvoland:51393-28.x on Nov 5, 2025

@vvoland
Contributor

@vvoland vvoland commented Nov 5, 2025

Dockerfile: update runc binary to v1.3.3

Update the version used in CI and for the static binaries.

This release contains fixes for three high-severity security
vulnerabilities in runc (CVE-2025-31133, CVE-2025-52565, and
CVE-2025-52881). All three vulnerabilities ultimately allow (through
different methods) for full container breakouts by bypassing runc's
restrictions for writing to arbitrary /proc files.

Update runc to [v1.3.3](https://github.com/opencontainers/runc/releases/tag/v1.3.3)

Update the version used in CI and for the static binaries.

- release notes: https://github.com/opencontainers/runc/releases/tag/v1.3.3
- full diff: opencontainers/runc@v1.3.2...v1.3.3

This release contains fixes for three high-severity security
vulnerabilities in runc (CVE-2025-31133, CVE-2025-52565, and
CVE-2025-52881). All three vulnerabilities ultimately allow (through
different methods) for full container breakouts by bypassing runc's
restrictions for writing to arbitrary /proc files.

Signed-off-by: Paweł Gronowski <[email protected]>
(cherry picked from commit 35f6a78)
Signed-off-by: Paweł Gronowski <[email protected]>

@vvoland vvoland self-assigned this Nov 5, 2025
@vvoland vvoland requested a review from tianon as a code owner November 5, 2025 10:00
@vvoland vvoland added this to the 28.5.2 milestone Nov 5, 2025

runc v1.3.3 needs more file descriptors now.

Signed-off-by: Paweł Gronowski <[email protected]>

@thaJeztah
Member

Looks like we missed #51329 as intermediate 😅

@vvoland vvoland requested a review from thaJeztah November 5, 2025 11:40

@vvoland
Contributor Author

vvoland commented Nov 5, 2025

It's not needed now 😅

@thaJeztah
Member

Yeah, not an issue; I just added it in the description as "includes"

Member

@thaJeztah thaJeztah left a comment

LGTM
