Commit message | Author | Age | Files | Lines
* runc-docker: update to 1.1.15 [kirkstone] | Jonas Gorski | 2026-03-30 | 1 | -2/+2

    Bump runc to v1.1.15-2-g068337925cd4:

    068337925cd4 Merge pull request #4422 from rata/release-1.1.15
    9f4baaac61d1 VERSION: back to development
    bc20cb4497af VERSION: release 1.1.15
    2790485e3eca CHANGELOG: Remove empty changed line
    ed38aea9dc58 Merge pull request #4425 from kolyshkin/1.1-fix-mount-leak
    65aa700fc371 [1.1] runc run: fix mount leak
    a4cebd3549ec Merge pull request #4423 from rata/1-1-fix-CI
    719e2bc2c376 increase memory.max in cgroups.bats
    3216d3b72e15 merge #4391 into opencontainers/runc:release-1.1
    bd671b6a1361 Merge pull request #4392 from cyphar/1.1-remove-bindfd
    614ce12f0e97 [1.1] nsenter: cloned_binary: remove bindfd logic entirely
    618e149e4ae5 [1.1] seccomp: patchbpf: always include native architecture in stub
    d85b58388f40 [1.1] seccomp: patchbpf: rename nativeArch -> linuxAuditArch
    6223a65d5d6f [1.1] libct/seccomp/patchbpf: rm duplicated code
    2655e7c5a859 VERSION: back to development
    2c9f5602f0ba VERSION: release 1.1.14
    a86c3d88370a Merge commit from fork
    f0b652ea61ff [1.1] rootfs: try to scope MkdirAll to stay inside the rootfs
    8781993968fd [1.1] rootfs: consolidate mountpoint creation logic
    6419fbabfbd6 Merge pull request #4382 from rata/Makefile-override-fixes
    0514204d6fcc Makefile: Add EXTRA_VERSION
    18cdc3476f91 Revert "allow overriding VERSION value in Makefile"
    f3f71a9347f0 Merge pull request #4372 from kolyshkin/1.1-go123
    7f75aec407e8 [1.1] Add Go 1.23, drop 1.21
    931f46304b3d Merge pull request #4361 from austinvazquez/backport-protobuf-updates-to-1.1
    1f587049fd85 build(deps): bump google.golang.org/protobuf from 1.32.0 to 1.33.0
    31f29447d3fb build(deps): bump google.golang.org/protobuf from 1.31.0 to 1.32.0
    ac5fc48ad18c build(deps): bump google.golang.org/protobuf from 1.30.0 to 1.31.0
    3b5bf8f2a9fa build(deps): bump google.golang.org/protobuf from 1.29.1 to 1.30.0
    81461edc125b build(deps): bump google.golang.org/protobuf from 1.29.0 to 1.29.1
    2a9acb99b4a9 build(deps): bump google.golang.org/protobuf from 1.28.1 to 1.29.0
    19c47f652dd1 build(deps): bump google.golang.org/protobuf from 1.28.0 to 1.28.1
    88f54b20fc46 build(deps): bump google.golang.org/protobuf from 1.27.1 to 1.28.0
    615068f17a31 Merge pull request #4334 from cyphar/1.1-rootfs-mountfd
    a0292ca6ffb3 [1.1] rootfs: fix 'can we mount on top of /proc' check
    b36a0f453712 Merge pull request #4336 from cyphar/1.1-rm-c7
    5b89027afc11 [1.1] ci/cirrus: switch from CentOS to Almalinux
    ed406952fc28 Merge pull request #4318 from lifubang/release-1.1.13
    ec1bc45d462c VERSION: back to development
    58aa9203c123 VERSION: release 1.1.13
    2b3a2472d189 Merge pull request #4316 from lifubang/backport-4189
    3507adac19ff Merge pull request #4315 from lifubang/backport-4311
    0f7150ade8ca script/*: fix gpg usage wrt keyboxd
    80186fec5cf4 fix a debug msg for user ns in nsexec
    8407d3c6021c Merge pull request #4313 from kolyshkin/1.1-backport-4292
    7219e0afffcd Dockerfile: bump Debian to 12, Go to 1.21
    c9beabc8d8d5 ci: switch to go 1.22 as main version
    4578c6c5dbdb libct/nsenter: stop blacklisting go 1.22+
    c488d13a5331 use go mod instead of go get in spec.bats
    ae85f058ccff ci/gha: bump golangci-lint to v1.57
    327e07e96814 ci/gha: bump golangci-lint to v1.54
    65bdf604ddb9 libct/user: gofumpt -w
    4d097af534a0 ci/gha: bump golangci-lint-action from 5 to 6
    fb236084374b ci/gha: bump golangci/golangci-lint-action to v5
    8bfc75a25d2b CI: run apt with -y
    e546ddeec869 ci/gha: switch some jobs to ubuntu-22.04
    0d19e78b847a build(deps): bump actions/setup-go from 4 to 5
    b36844518a36 build(deps): bump actions/checkout from 3 to 4
    cb2d85dcde5f build(deps): bump tim-actions/commit-message-checker-with-regex
    25e27d7eef28 build(deps): bump actions/upload-artifact from 3 to 4
    2ac8b11f48a0 build(deps): bump golangci/golangci-lint-action from 3 to 4
    7d86e7d9eceb Merge pull request #4299 from kolyshkin/1.1-4290
    096e6f88f0f0 [1.1] libct/system: ClearRlimitNofileCache for go 1.23
    14181f438e35 Merge pull request #4308 from kolyshkin/1.1-rm-cs8
    fc7af59a6b1f ci/cirrus: rm centos stream 8
    a1610b56a4a3 Merge pull request #4305 from lifubang/backport-cs8eol
    9629fd9554a2 ci: workaround for centos stream 8 being EOLed
    20ef9762dae9 Merge pull request #4300 from lifubang/backport-codespell-2.3.0
    3b7fcf76ef7e ci: pin codespell
    f8f7defa85f4 Fix codespell warnings
    a12f444afbb8 Merge pull request #4284 from kolyshkin/1.1-fix-4094
    860f05f307f4 libct/cg/fs: fix setting rt_period vs rt_runtime
    9244703011d5 Merge pull request #4277 from lifubang/backport-4265-nofilerlimit
    51dc97286443 Merge pull request #4231 from kolyshkin/1.1-3349
    c918058bb76c fix comments for ClearRlimitNofileCache
    2992049dc31c update/add some tests for rlimit
    d7a29a3b3367 libct: clean cached rlimit nofile in go runtime
    42c2ab2b7cb9 use go 1.18 in go.mod
    83ecd11c29ac runc exec: setupRlimits after syscall.rlimit.init() completed
    fbddb715edbb libct: fix a comment
    debf52aa5b52 deprecate libct.system.Execv
    986edbe60ff9 list: use Info(), fix race with delete
    09214f21da8e list: getContainers: less indentation
    007abf31f87a Merge pull request #4270 from akhilerm/backport-1.1-4269
    6f4d975c402d allow overriding VERSION value in Makefile
    e8bb71e147d6 Merge pull request #4257 from sohankunkerkar/release-1.1
    6379b58d9701 libcontainer: force apps to think fips is enabled/disabled for testing
    5bfff6ae24d0 Merge pull request #4261 from kolyshkin/1.1-4256
    265e73718063 Vagrantfile.fedora: bump Fedora to 39
    b0691cafe392 Merge pull request #4244 from kycheng/chore/net-cve
    59056a0213e7 silence security false positives from golang/net
    148fdabd7053 Merge pull request #4241 from kolyshkin/1.1.13-ci-fixes
    452bf88ebf5b build: update libseccomp to v2.5.5
    3fada6eca4e6 tests/int: fix flaky "runc run with tmpfs perm"
    aae41a4b79d3 Fix integration tests failure when calling "ip"
    82a8b979ef1a update go version to 1.21 in cirrus ci
    03271050eb94 ci/gha/cross-i386: pin Go to 1.21

    Signed-off-by: Jonas Gorski <jonas.gorski@bisdn.de>
    Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
* runc-opencontainers: update to 1.1.15 | Jonas Gorski | 2026-03-30 | 1 | -2/+2

    Bump runc to v1.1.15-2-g068337925cd4:

    068337925cd4 Merge pull request #4422 from rata/release-1.1.15
    9f4baaac61d1 VERSION: back to development
    bc20cb4497af VERSION: release 1.1.15
    2790485e3eca CHANGELOG: Remove empty changed line
    ed38aea9dc58 Merge pull request #4425 from kolyshkin/1.1-fix-mount-leak
    65aa700fc371 [1.1] runc run: fix mount leak
    a4cebd3549ec Merge pull request #4423 from rata/1-1-fix-CI
    719e2bc2c376 increase memory.max in cgroups.bats
    3216d3b72e15 merge #4391 into opencontainers/runc:release-1.1
    bd671b6a1361 Merge pull request #4392 from cyphar/1.1-remove-bindfd
    614ce12f0e97 [1.1] nsenter: cloned_binary: remove bindfd logic entirely
    618e149e4ae5 [1.1] seccomp: patchbpf: always include native architecture in stub
    d85b58388f40 [1.1] seccomp: patchbpf: rename nativeArch -> linuxAuditArch
    6223a65d5d6f [1.1] libct/seccomp/patchbpf: rm duplicated code
    2655e7c5a859 VERSION: back to development
    2c9f5602f0ba VERSION: release 1.1.14
    a86c3d88370a Merge commit from fork
    f0b652ea61ff [1.1] rootfs: try to scope MkdirAll to stay inside the rootfs
    8781993968fd [1.1] rootfs: consolidate mountpoint creation logic
    6419fbabfbd6 Merge pull request #4382 from rata/Makefile-override-fixes
    0514204d6fcc Makefile: Add EXTRA_VERSION
    18cdc3476f91 Revert "allow overriding VERSION value in Makefile"
    f3f71a9347f0 Merge pull request #4372 from kolyshkin/1.1-go123
    7f75aec407e8 [1.1] Add Go 1.23, drop 1.21
    931f46304b3d Merge pull request #4361 from austinvazquez/backport-protobuf-updates-to-1.1
    1f587049fd85 build(deps): bump google.golang.org/protobuf from 1.32.0 to 1.33.0
    31f29447d3fb build(deps): bump google.golang.org/protobuf from 1.31.0 to 1.32.0
    ac5fc48ad18c build(deps): bump google.golang.org/protobuf from 1.30.0 to 1.31.0
    3b5bf8f2a9fa build(deps): bump google.golang.org/protobuf from 1.29.1 to 1.30.0
    81461edc125b build(deps): bump google.golang.org/protobuf from 1.29.0 to 1.29.1
    2a9acb99b4a9 build(deps): bump google.golang.org/protobuf from 1.28.1 to 1.29.0
    19c47f652dd1 build(deps): bump google.golang.org/protobuf from 1.28.0 to 1.28.1
    88f54b20fc46 build(deps): bump google.golang.org/protobuf from 1.27.1 to 1.28.0
    615068f17a31 Merge pull request #4334 from cyphar/1.1-rootfs-mountfd
    a0292ca6ffb3 [1.1] rootfs: fix 'can we mount on top of /proc' check
    b36a0f453712 Merge pull request #4336 from cyphar/1.1-rm-c7
    5b89027afc11 [1.1] ci/cirrus: switch from CentOS to Almalinux
    ed406952fc28 Merge pull request #4318 from lifubang/release-1.1.13
    ec1bc45d462c VERSION: back to development
    58aa9203c123 VERSION: release 1.1.13
    2b3a2472d189 Merge pull request #4316 from lifubang/backport-4189
    3507adac19ff Merge pull request #4315 from lifubang/backport-4311
    0f7150ade8ca script/*: fix gpg usage wrt keyboxd
    80186fec5cf4 fix a debug msg for user ns in nsexec
    8407d3c6021c Merge pull request #4313 from kolyshkin/1.1-backport-4292
    7219e0afffcd Dockerfile: bump Debian to 12, Go to 1.21
    c9beabc8d8d5 ci: switch to go 1.22 as main version
    4578c6c5dbdb libct/nsenter: stop blacklisting go 1.22+
    c488d13a5331 use go mod instead of go get in spec.bats
    ae85f058ccff ci/gha: bump golangci-lint to v1.57
    327e07e96814 ci/gha: bump golangci-lint to v1.54
    65bdf604ddb9 libct/user: gofumpt -w
    4d097af534a0 ci/gha: bump golangci-lint-action from 5 to 6
    fb236084374b ci/gha: bump golangci/golangci-lint-action to v5
    8bfc75a25d2b CI: run apt with -y
    e546ddeec869 ci/gha: switch some jobs to ubuntu-22.04
    0d19e78b847a build(deps): bump actions/setup-go from 4 to 5
    b36844518a36 build(deps): bump actions/checkout from 3 to 4
    cb2d85dcde5f build(deps): bump tim-actions/commit-message-checker-with-regex
    25e27d7eef28 build(deps): bump actions/upload-artifact from 3 to 4
    2ac8b11f48a0 build(deps): bump golangci/golangci-lint-action from 3 to 4
    7d86e7d9eceb Merge pull request #4299 from kolyshkin/1.1-4290
    096e6f88f0f0 [1.1] libct/system: ClearRlimitNofileCache for go 1.23
    14181f438e35 Merge pull request #4308 from kolyshkin/1.1-rm-cs8
    fc7af59a6b1f ci/cirrus: rm centos stream 8
    a1610b56a4a3 Merge pull request #4305 from lifubang/backport-cs8eol
    9629fd9554a2 ci: workaround for centos stream 8 being EOLed
    20ef9762dae9 Merge pull request #4300 from lifubang/backport-codespell-2.3.0
    3b7fcf76ef7e ci: pin codespell
    f8f7defa85f4 Fix codespell warnings
    a12f444afbb8 Merge pull request #4284 from kolyshkin/1.1-fix-4094
    860f05f307f4 libct/cg/fs: fix setting rt_period vs rt_runtime
    9244703011d5 Merge pull request #4277 from lifubang/backport-4265-nofilerlimit
    51dc97286443 Merge pull request #4231 from kolyshkin/1.1-3349
    c918058bb76c fix comments for ClearRlimitNofileCache
    2992049dc31c update/add some tests for rlimit
    d7a29a3b3367 libct: clean cached rlimit nofile in go runtime
    42c2ab2b7cb9 use go 1.18 in go.mod
    83ecd11c29ac runc exec: setupRlimits after syscall.rlimit.init() completed
    fbddb715edbb libct: fix a comment
    debf52aa5b52 deprecate libct.system.Execv
    986edbe60ff9 list: use Info(), fix race with delete
    09214f21da8e list: getContainers: less indentation
    007abf31f87a Merge pull request #4270 from akhilerm/backport-1.1-4269
    6f4d975c402d allow overriding VERSION value in Makefile

    Signed-off-by: Jonas Gorski <jonas.gorski@bisdn.de>
    Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
* runc-docker: update to 1.1.12 | Jonas Gorski | 2026-03-30 | 1 | -2/+2

    Bump runc to version v1.1.12-2-ga9833ff3 with the following squashed
    cherry-picks from master:

    da840d8845cb runc-docker: update to 1.1.12
    22877e9bd046 runc-docker: update to 1.1.11
    22989818f3af runc-docker: update to 1.9.0
    dddc423fa370 runc-docker: update to 1.1.8
    248be027d611 runc-docker: update to 1.1.7-tip
    4aa2aadb01e5 runc-docker: update to 1.1.7
    195db7f7c536 runc-docker: update to 1.1.5
    13ad8548dea1 runc-docker: update to 1.1.0-tip
    c25d16577d12 runc-docker: update to 1.4.0-tip

    Signed-off-by: Jonas Gorski <jonas.gorski@bisdn.de>
    Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
* runc-opencontainers: update to 1.1.12 | Jonas Gorski | 2026-03-30 | 2 | -9/+9

    Bump runc to version v1.1.12-14-ge8bb71e1 with the following squashed
    cherry-picks from master:

    4cea448064d4 runc-opencontainers: update to 1.1.12
    9213f05f5591 runc-opencontainers: update to 1.1.12
    e4b6616a90e0 runc-opencontainers: update to 1.1.11
    62ac94c50dff runc-opencontainers: update to 1.1.10
    606fe98a9811 runc-opencontainers: update to 1.9.0
    ea3b6a83981a runc-opencontainers: update to 1.1.8
    5dda7078ba85 runc-opencontainers: update to 1.1.7-tip
    b3fd5097ab34 runc-opencontainers: update to 1.1.7
    ae91a8666a73 runc-opencontainers: update to 1.1.5
    969daee49f1d runc-opencontainers: update to 1.1.0-tip
    f281ad2d9650 runc-opencontainers: update to 1.4.0-tip

    Signed-off-by: Jonas Gorski <jonas.gorski@bisdn.de>
    Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
* kubernetes: Fix for CVE-2024-10220 | Vijay Anusuri | 2025-11-19 | 2 | -0/+58

    Upstream-Status: Backport from https://github.com/kubernetes/kubernetes/commit/6622b002f70a153100d1c286fbcea721160da192
    Reference: https://github.com/kubernetes/kubernetes/issues/128885

    Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
    Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
* cloud-init: Fix CVE-2024-11584 | Vijay Anusuri | 2025-11-19 | 2 | -0/+96

    import patch from debian to fix CVE-2024-11584

    Upstream-Status: Backport [import from debian 22.4.2-1+deb12u3 Upstream commit https://github.com/canonical/cloud-init/commit/8b45006c4765fd75f20ce244571b563dbc49d4f2]

    Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
    Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
* containerd-opencontainers: fix CVE-2025-64329 | Vijay Anusuri | 2025-11-19 | 2 | -0/+81

    Upstream-Status: Backport from https://github.com/containerd/containerd/commit/c575d1b5f4011f33b32f71ace75367a92b08c750

    Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
    Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
* containerd-opencontainers: fix CVE-2024-25621 | Vijay Anusuri | 2025-11-19 | 2 | -0/+104

    Upstream-Status: Backport from https://github.com/containerd/containerd/commit/0450f046e6942e513d0ebf1ef5c2aff13daa187f

    Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
    Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
* kubernetes: Fix for CVE-2025-5187 | Vijay Anusuri | 2025-11-05 | 2 | -0/+95

    Upstream-commit: https://github.com/kubernetes/kubernetes/commit/2e6eaa1fbedd776ea9357b4f472c66dec01955b5
    Reference: https://github.com/kubernetes/kubernetes/pull/133467
               https://github.com/aks-lts/kubernetes/pull/62/commits/152330ef541b23a027c779597496b62c287fb363

    Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
    Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
* containerd-opencontainers: fix CVE-2024-40635 | Theo GAIGE | 2025-10-13 | 2 | -0/+181

    Upstream-Status: Backport from https://github.com/containerd/containerd/commit/9639b9625554183d0c4d8d072dccb84fedd2320f

    Signed-off-by: Theo GAIGE <tgaige.opensource@witekio.com>
    Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
* cloud-init: fix for CVE-2024-6174 | Hitendra Prajapati | 2025-09-03 | 2 | -0/+104

    Upstream-Status: Backport from https://github.com/canonical/cloud-init/commit/f43937f0b462734eb9c76700491c18fe4133c8e1

    Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
    Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
* cri-o: fix CVE-2023-6476 | Archana Polampalli | 2025-07-16 | 2 | -0/+62

    A flaw was found in CRI-O that involves an experimental annotation leading
    to a container being unconfined. This may allow a pod to specify and get
    any amount of memory/cpu, circumventing the kubernetes scheduler and
    potentially resulting in a denial of service in the node.

    Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
    Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
* python3-docker: Fix for requests 2.32.0: CVE-2024-35195 backport | Christian Ege | 2025-04-19 | 2 | -0/+35

    After backporting the CVE-2024-35195 in poky, parts of python3-requests got
    updated to 2.32.0 which is incompatible with the current docker-compose
    command.

    This patch will fix the following error message:

    During handling of the above exception, another exception occurred:

    Traceback (most recent call last):
      File "/usr/bin/docker-compose", line 8, in <module>
        sys.exit(main())
      File "/usr/lib/python3.10/site-packages/compose/cli/main.py", line 81, in main
        command_func()
      File "/usr/lib/python3.10/site-packages/compose/cli/main.py", line 200, in perform_command
        project = project_from_options('.', options)
      File "/usr/lib/python3.10/site-packages/compose/cli/command.py", line 60, in project_from_options
        return get_project(
      File "/usr/lib/python3.10/site-packages/compose/cli/command.py", line 152, in get_project
        client = get_client(
      File "/usr/lib/python3.10/site-packages/compose/cli/docker_client.py", line 41, in get_client
        client = docker_client(
      File "/usr/lib/python3.10/site-packages/compose/cli/docker_client.py", line 170, in docker_client
        client = APIClient(use_ssh_client=not use_paramiko_ssh, **kwargs)
      File "/usr/lib/python3.10/site-packages/docker/api/client.py", line 197, in __init__
        self._version = self._retrieve_server_version()
      File "/usr/lib/python3.10/site-packages/docker/api/client.py", line 221, in _retrieve_server_version
        raise DockerException(
    docker.errors.DockerException: Error while fetching server API version: Not supported URL scheme http+docker

    Signed-off-by: Christian Ege <christian.ege@ifm.com>
    Reference: https://github.com/graugans/meta-virtualization/commit/4149812ca9581a313de27c45a0f2dfa7bd8f53df
    Signed-off-by: Libo Chen <libo.chen.cn@windriver.com>
    Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
* ceph: fix CVE-2023-43040 | Yogita Urade | 2025-04-09 | 2 | -0/+57

    IBM Spectrum Fusion HCI 2.5.2 through 2.7.2 could allow an attacker to
    perform unauthorized actions in RGW for Ceph due to improper bucket access.
    IBM X-Force ID: 266807.

    Reference: https://nvd.nist.gov/vuln/detail/CVE-2023-43040
    Upstream patch: https://github.com/ceph/ceph/commit/98bfb71cb38899333deb58dd2562037450fd7fa8

    Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
    Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
* buildah: upgrade 1.26.8 -> 1.26.9 | Praveen Kumar | 2025-04-02 | 1 | -2/+2

    This upgrade fixes: CVE-2024-11218

    Changes in this Upgrade:
    =========================
    This upgrade from Buildah 1.26.8 to 1.26.9 includes important security and
    stability fixes:
    - Fixes CVE-2024-11218
    - Resolves TOCTOU error when bind and cache mounts use "src" values
    - Fixes cache locks with multiple mounts
    - Enhances volume handling and mount label options

    For full details, refer to:
    https://github.com/containers/buildah/releases/tag/v1.26.9

    Signed-off-by: Praveen Kumar <praveen.kumar@windriver.com>
    Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
* criu: Adjust to glibc __rseq_size semantic change | Guocai He | 2025-03-24 | 2 | -1/+101

    On criu version 3.17:
    When using "criu restore -d -D checkpoint" to restore, the error is:

    1272: Error (criu/cr-restore.c:1498): 1295 killed by signal 11: Segmentation fault

    The root cause is that glibc was updated and criu should adjust to the
    glibc __rseq_size semantic change.

    Signed-off-by: Guocai He <guocai.he.cn@windriver.com>
    Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
* docker-distribution: fix CVE-2025-24976 | Chen Qi | 2025-03-06 | 2 | -0/+50

    Backport patch to fix CVE-2025-24976.

    Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
    Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
* Revert "runc-docker: upgrade 1.1.4 -> 1.1.12" | Bruce Ashfield | 2025-02-05 | 4 | -45/+35

    This reverts commit 76f2999987fa3ea30a823de3bd79d0cc0e0c287f.
* runc-docker: upgrade 1.1.4 -> 1.1.12 | Divya Chellam | 2025-01-30 | 4 | -35/+45

    This upgrade fixes a few CVEs:
    - CVE-2023-27561
    - CVE-2023-25809
    - CVE-2023-28642
    - CVE-2024-21626
    and other bug fixes

    Changelog:
    ==========
    https://github.com/opencontainers/runc/blob/v1.1.12/CHANGELOG.md

    Adjusted existing patches to align with v1.1.12

    Signed-off-by: Divya Chellam <divya.chellam@windriver.com>
    Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
* podman: fix CVE-2024-9676 | Chen Qi | 2025-01-30 | 2 | -0/+192

    Backport patch to fix CVE-2024-9676.

    Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
    Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
* cri-o: fix CVE-2024-9676 | Chen Qi | 2025-01-30 | 2 | -0/+192

    Backport patch to fix CVE-2024-9676.

    Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
    Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
* buildah: fix CVE-2024-9676 | Chen Qi | 2025-01-30 | 2 | -0/+192

    Backport patch to fix CVE-2024-9676.

    Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
    Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
* buildah: add seccomp and ipv6 to REQUIRED_DISTRO_FEATURES | Martin Jansa | 2025-01-30 | 2 | -1/+5

    * because it rdepends on podman with the same restriction
    * BTW: .gitignore has:
      build*/
      which gets triggered for buildah as well:
      meta-virtualization $ git add ./recipes-containers/buildah/buildah_git.bb
      The following paths are ignored by one of your .gitignore files:
      recipes-containers/buildah
      I've adjusted it to /build*/ only.

    Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
    Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
    Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
    Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
* buildah: update to 1.26.8 | Chen Qi | 2025-01-30 | 1 | -4/+3

    Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
    Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
* CVE-2023-37154: | Changqing Li | 2024-12-10 | 2 | -0/+70

    check_by_ssh in Nagios nagios-plugins 2.4.5 allows arbitrary command
    execution via ProxyCommand, LocalCommand, and PermitLocalCommand with
    \${IFS}. This has been categorized both as fixed in e8810de, and as
    intended behavior.

    Refer: https://nvd.nist.gov/vuln/detail/CVE-2023-37154

    Signed-off-by: Changqing Li <changqing.li@windriver.com>
    Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
* Revert "nagios-plugins: fix CVE-2023-37154" | Bruce Ashfield | 2024-12-10 | 1 | -1/+0

    This reverts commit 460ea78d7f8d5d16799d0b7334b95d8170c9e338.
* nagios-plugins: fix CVE-2023-37154 | Changqing Li | 2024-12-10 | 1 | -0/+1
CVE-2023-37154: check_by_ssh in Nagios nagios-plugins 2.4.5 allows arbitrary command execution"x$with_unrestricted_ssh_options" = xyes ; then ++ AC_DEFINE(HAVE_UNRESTRICTED_SSH_OPTIONS,[1],[Allow SSH to use options that run local commands.]) ++fi ++ + AC_ARG_WITH([ipv6], + [AS_HELP_STRING([--with-ipv6], [support IPv6 @<:@default@check>@])], + [], [with_ipv6=check]) +diff --git a/plugins/check_by_ssh.c b/plugins/check_by_ssh.c +index b6f3130..6cc6c7a 100644 +--- a/plugins/check_by_ssh.c ++++ b/plugins/check_by_ssh.c +@@ -27,7 +27,7 @@ + *****************************************************************************/ + + const char *progname = "check_by_ssh"; +-const char *copyright = "2000-2014"; ++const char *copyright = "2000-"; + const char *email = "devel@nagios-plugins.org"; + + #include "common.h" +@@ -299,6 +299,16 @@ process_arguments (int argc, char **argv) + skip_stderr = atoi (optarg); + break; + case 'o': /* Extra options for the ssh command */ ++ ++ /* Don't allow the user to run commands local to the nagios server, unless they decide otherwise at compile time. */ ++#ifndef HAVE_UNRESTRICTED_SSH_OPTIONS ++ if ( strcasestr(optarg, "ProxyCommand") != NULL ++ || strcasestr(optarg, "PermitLocalCommand") != NULL ++ || strcasestr(optarg, "LocalCommand") != NULL) { ++ break; ++ } ++#endif ++ + comm_append("-o"); + comm_append(optarg); + break; +-- +2.23.0 + Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
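Review bot: in the `case 'o'` hunk of plugins/check_by_ssh.c (the `@@ -299,6 +299,16 @@` region), an `-o` value containing ProxyCommand, PermitLocalCommand or LocalCommand is dropped by the bare `break;` with no diagnostic, so the caller gets no indication that an option it passed was ignored and the check proceeds with different SSH options than requested; print a warning or fail with a usage error before breaking so a rejected option is visible in the plugin output. Also note that the `strcasestr` check is a case-insensitive substring match, which is the safe direction for a deny-list but will also reject an unrelated option whose text merely contains one of those words; that behaviour, and the `HAVE_UNRESTRICTED_SSH_OPTIONS` configure switch that disables it in the first hunk, should be documented where the `-o` option is described.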
* go-cli: use main branch | Martin Jansa | 2024-11-12 | 1 | -1/+1

    * master was renamed to main a long time ago

    Signed-off-by: Martin Jansa <martin.jansa@gmail.com>
    Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
* python3-colorama: drop recipe | Bruce Ashfield | 2024-10-10 | 1 | -9/+0

    We no longer need our own pinned version of this recipe, and it causes
    us issues with meta-python.

    Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
* kubernetes: Security fix for CVE-2023-3676 and CVE-2023-3955 | Vijay Anusuri | 2024-09-05 | 3 | -0/+127

    Upstream-commit: https://github.com/kubernetes/kubernetes/commit/7da6d72c05dffb3b87e62e2bc8c3228ea12ba1b9
                     & https://github.com/kubernetes/kubernetes/commit/a53faf5e17ed0b0771a605c6401ba4cbf297b59a
    Reference: https://github.com/kubernetes/kubernetes/issues/119339

    Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
    Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
* docker-distribution: Use dup3 for riscv64 | Mingli Yu | 2024-07-22 | 2 | -0/+43

    Use dup3 instead for riscv64 as there is no dup2 on riscv64 linux to fix
    the below build failure:

    vendor/github.com/bugsnag/panicwrap/dup2.go:10:9: undefined: syscall.Dup2

    Signed-off-by: Mingli Yu <mingli.yu@windriver.com>
    Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
* podman-compose: switch to main branch | Bruce Ashfield | 2024-07-10 | 1 | -1/+1

    The upstream project has made the "interesting" decision to delete the
    stable branch and move to "main" for recent releases.

    So rather than being able to simply switch for our updates, we have to
    switch to main on all releases that had podman-compose recipes using the
    stable branch.

    Luckily, the commit hashes haven't changed, so we only have to modify the
    branch in the SRC_URI.

    Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
* libvirt: Fix CVE-2024-1441 and CVE-2024-2496 | Ashish Sharma | 2024-07-10 | 3 | -0/+157

    Upstream-Status: Backport from [https://launchpad.net/ubuntu/+source/libvirt/8.0.0-1ubuntu7.10]

    import Ubuntu patches to fix CVE-2024-1441 CVE-2024-2496

    Signed-off-by: Ashish Sharma <asharma@mvista.com>
    Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
* kubernetes: fix do_patch failure | Martin Jansa | 2024-05-28 | 1 | -1/+1

    * introduced in:
      https://lists.yoctoproject.org/g/meta-virtualization/message/8715

    Signed-off-by: Martin Jansa <martin.jansa@gmail.com>
    Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
* libvirt: Backport fix for CVE-2024-2494 | Ashish Sharma | 2024-05-28 | 2 | -0/+221

    Upstream-Status: Backport [https://gitlab.com/libvirt/libvirt/-/commit/8a3f8d957507c1f8223fdcf25a3ff885b15557f2]

    Signed-off-by: Ashish Sharma <asharma@mvista.com>
    Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
* kubernetes: Backport fix for CVE-2024-3177 | Ashish Sharma | 2024-05-13 | 2 | -0/+238

    Upstream-Status: Backport [https://github.com/kubernetes/kubernetes/pull/124325/commits/3f0922513d235d8bdebe79f0d07da769c04211b8]

    Signed-off-by: Ashish Sharma <asharma@mvista.com>
    Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
* openvswitch: Upgrade 2.17.6 -> 2.17.9 | Yogita Urade | 2024-03-15 | 1 | -3/+3

    Includes security fixes for
    - CVE-2023-3966 and CVE-2023-5366

    commits short logs:
    0bea06d99 (tag: v2.17.9) Set release date for 2.17.9.
    b8657dada netdev-offload-tc: Check geneve metadata length.
    e235a421f odp: ND: Follow Open Flow spec converting from OF to DP.
    002cba9f1 dpdk: Use DPDK 21.11.6 release for OVS 2.17.
    ee889659d github: Update versions of action dependencies (Node.js 20).
    bf717d0f3 ovs-atomic: Fix inclusion of Clang header by GCC 14.
    9bbc2cf8a ovsdb-idl.at: Test IDL behavior during database conversion.
    049189584 tests: Use _DAEMONIZE macro's to start tcpdump.
    30099c5d9 tests-ovsdb: Switch OVSDB_START_IDLTEST to macro.
    f4b4d650a python: idl: Handle monitor_canceled.
    d6caa6ed0 vconn: Count vconn_sent regardless of log level.
    b0eb66a69 backtrace: Fix error in log_backtrace() documentation.
    bb89735b2 ovsdb: trigger: Do not allow conversion in read-only mode.
    a79ee883a ovsdb: jsonrpc-server: Fix the DSCP value in default options.
    4f01f2f7d jsonrpc: Sort JSON objects while printing debug messages.
    3cae42bc5 tests: ovsdb: Use diff -up format for replay test.
    a7036f6a1 ovsdb-server.at: Enbale debug logs in active-backup tests.
    c944a30fe ovsdb: transaction: Don't try to diff unchanged columns.
    5c0dc9602 ovsdb: transaction: Avoid diffs for different type references.
    eabd4cb2f ci: Update the GitHub Ubuntu runner image to Ubuntu 22.04.
    c462aabb3 netdev-afxdp: Disable -Wfree-nonheap-object on receive.
    b3f8c32ed ovsdb-idl: Preserve change_seqno when deleting rows.
    d254aedad tunnel: Do not carry source port from a previous tunnel.
    1857c569e netdev-offload-tc: Fix offload of tunnel key tp_src.
    0a0c500d7 cirrus: Update from FreeBSD 12 to 14.
    74633888d dpdk: Use DPDK 21.11.5 release for OVS 2.17.
    b5e54aa16 ovs-ofctl: Correctly mark the CT flush commands.
    1d3609a48 mcast-snooping: Flush flood and report ports when deleting interfaces.
    df101fe1e mcast-snooping: Test per port explicit flooding.
    8313ebbb3 flake8: Fix E721 check failures.
    f73208151 build-aux: Enable flake8 checks for python extraction scripts.
    8b6a8fcb0 build-aux/extract-ofp-msgs: Fix flake8 and syntax errors.
    80e922644 build-aux/extract-ofp-fields: Fix flake8 and syntax errors.
    1508e7abc build-aux/extract-ofp-errors: Fix flake8 and syntax errors.
    98fc48e4d build-aux/extract-ofp-actions: Fix flake8 and syntax errors.
    d52231171 automake: Move build-aux EXTRA_DIST updates to their own file.
    8868756b8 netdev-offload: Fix Clang's static analyzer 'Division by zero' warnings.
    46e9cacaa ofp-table: Fix count_common_prefix_run() function.
    8e6d1cd04 vswitch.xml: Add entry for dpdkvhostuser userspace-tso.
    7838778ad vswitch.xml: Add dpdkvhostuser group status.
    a3a039507 tests: Use ping timeout instead of deadline.
    3351b149c tests/system-traffic: Ensure no name resolution for tcpdump.
    bce17b0bb tc: Improve logging of mismatched actions.
    af934924f ofproto-dpif-upcall: Pause revalidators when purging.
    48fa54747 db-ctl-base: Fix memory leak of db commands.
    7fb2197e1 Prepare for 2.17.9.
    275be1eb9 (tag: v2.17.8) Set release date for 2.17.8.
    be1a8f7ec conntrack: Remove nat_conn introducing key directionality.
    f179c7c07 conntrack: simplify cleanup path
    fac770a0a netdev-dpdk: Document status options for VF MAC address.
    79ab2eeb1 netdev-offload-dpdk: Fix flushing of a physdev.
    4ced485f8 connmgr: Fix ofconn configuration on vswitchd startup.
    3c39cfe03 python: idl: Fix last-id update from a monitor reply.
    a6207b2bc ofproto-dpif-xlate: Fix recirculation with patch port and controller.
    a141b62c2 ofproto-dpif-xlate: Don't reinstall removed XC_LEARN rule.
    586e73dac configure: Avoid deprecated AC_PROG_CC_C99 if possible.
    bd95fe3d7 tests: Fix time dependency in overlapping flows modification test.
    123b7aaa7 python: Use build to generate PEP517 compatible archives.
    41d2e7e9a python: Use twine to upload sdist package to pypi.org.
    66d5562e3 python: Rename build related code to ovs_build_helpers.
    c880faea8 dpif-netdev: Fix length calculation of netdet_flow_key.
    8c7aa5f58 doc: Fix description of max_len for controller action.
    34ff03c3c docs: Fix rendering of VLAN Comparison Chart.
    93412e00e docs: Run tbl preprocessor in manpage-check rule.
    6929485d3 docs: Add `nowarn` region option to tables.
    08b6b83a3 tests: Add clang-analyzer-results to gitignore.
    c252b1f8a ci: Add jobs to test -std=c99 builds.
    242bb2624 tests: Fix order of includes in barrier/id-fpool/mpsc-queue tests.
    292eca58c sflow: Always enable _BSD_SOURCE.
    82aa3fb01 compiler.h: Don't use asm and typeof with non-GNU compilers.
    a45b3afbf ovs.tmac: Fix troff warning in versions above groff-1.23.
    a336ef712 connmgr: Count unsent async messages.
    a74b7dfb9 dpif-netdev: Fix dpif_netdev_flow_put.
    f04bfd5e4 ofproto-dpif-xlate: Reduce stack usage in recursive xlate functions.
    29990edbc cirrus: Update to FreeBSD 13.2.
    65bb82369 ci: Fix OPTS not being passed to OSX builds.
    fe98b0c1f ovsdb-tool: Fix json leak while showing clustered log.
    44722bbda ovsdb-server: Fix excessive memory usage on DB open.
    9db221fcd tests: Add ovsdb execution cases for set size constraints.
    3cfe388cb ovsdb: relay: Fix handling of XOR updates with size constraints.
    f4d15497f ovsdb: file: Fix diff application to a default column value.
    7864ed557 ovsdb: file: Fix inability to read diffs that violate type size.
    97d91ad2d ovs-tcpdump: Clear auto-assigned ipv6 address of mirror port.
    dba7482e0 ofproto-dpif: Fix removal of renamed datapath ports.
    a1ca9e589 ofproto-dpif-upcall: Mirror packets that are modified.
    5d976536b vswitchd: Wait for a bridge exit before replying to exit unixctl.
    e206df08d Prepare for 2.17.8.
    f15de6508 (tag: v2.17.7) Set release date for 2.17.7.
    4b10b0b87 fatal-signal: Don't share signal fds/handles with forked process.
    e01ea8e7e cpu: Fix cpuid check for some AMD processors.
    111c7be31 tc: Fix crash on malformed reply from kernel.
    75152d3d6 netdev-dpdk: Fix warning with gcc 13.
    5285dad18 utilities/bashcomp: Fix PS1 generation on new bash.
    ebe7bd7b6 netdev-offload-dpdk: Fix crash in debug log.
    4937a5341 stream-ssl: Disable alerts on unexpected EOF.
    fe99e6b97 tests: layer3-tunnels: Skip bareudp tests if not supported by kernel.
    a375055f2 ovs-fields: Modify the width of tpa and spa.
    749769be3 netdev-vport: RCU-fy tunnel config.
    c423fa5f6 smap: Make argument of smap_add_ipv6 constant.
    2db06ee6f netdev-vport: Fix unsafe handling of GRE sequence number.
    51d804aa4 dpctl: Fix dereferencing null pointer in parse_ct_limit_zones().
    80b15d142 netdev-offload: Fix deadlock/recursive use of the netdev_hmap_rwlock rwlock.
    0d3c27e90 ofproto-dpif-xlate: Fix use-after-free when xlate_actions().
    8eb24943c tc: Fix cleaning chains.
    cbe5852d7 python-stream: Handle SSL error in do_handshake.
    be3caf455 dpif-netlink: Fix memory leak dpif_netlink_open().
    b7e1593f4 ofp-parse: Check ranges on string to uint32_t conversion.
    70cb45c66 learning-switch: Fix coredump of OpenFlow15 learning-switch.
    b08224194 ovsdb: Allow conversion records with no data in a clustered storage.
    efcdf6c0d ovsdb: Check for ephemeral columns before writing a new schema.
    bf39ea3c7 ovsdb-tool: Fix cluster-to-standalone for DB conversion records.
    4f82f8903 ovs-tcpdump: Stdout is shutdown before ovs-tcpdump exit.
    77116d990 Prepare for 2.17.7.

    Reference: https://www.openvswitch.org/releases/NEWS-2.17.9.txt

    Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
    Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
* upx: bump to 4.2.2 release - fixes various CVEs (Fathi Boudra, 2024-02-22, 1 file, -36/+7)

Update upx recipe from 3.96 to 4.2.2 release:
* Use the gitsm fetcher to get the source code.
* Add a note to keep using the git repository.
* Update the homepage.
* Drop the build dependencies as they're useless. UPX builds using the vendor subdirectory, statically linking the libraries.

Fixes CVEs:
* https://www.cve.org/CVERecord?id=CVE-2023-23456
  A heap-based buffer overflow issue was discovered in UPX in PackTmt::pack() in p_tmt.cpp file. The flaw allows an attacker to cause a denial of service (abort) via a crafted file.
* https://www.cve.org/CVERecord?id=CVE-2023-23457
  A Segmentation fault was found in UPX in PackLinuxElf64::invert_pt_dynamic() in p_lx_elf.cpp. An attacker with a crafted input file allows invalid memory address access that could lead to a denial of service.
* https://www.cve.org/CVERecord?id=CVE-2021-46179
  Reachable Assertion vulnerability in upx before 4.0.0 allows attackers to cause a denial of service via crafted file passed to the readx function.
* https://www.cve.org/CVERecord?id=CVE-2021-43317
  A heap-based buffer overflow was discovered in upx, during the generic pointer 'p' points to an inaccessible address in func get_le32(). The problem is essentially caused in PackLinuxElf64::elf_lookup() at p_lx_elf.cpp:5404
* https://www.cve.org/CVERecord?id=CVE-2021-43316
  A heap-based buffer overflow was discovered in upx, during the generic pointer 'p' points to an inaccessible address in func get_le64().
* https://www.cve.org/CVERecord?id=CVE-2021-43315
  A heap-based buffer overflow was discovered in upx, during the generic pointer 'p' points to an inaccessible address in func get_le32(). The problem is essentially caused in PackLinuxElf32::elf_lookup() at p_lx_elf.cpp:5349
* https://www.cve.org/CVERecord?id=CVE-2021-43314
  A heap-based buffer overflow was discovered in upx, during the generic pointer 'p' points to an inaccessible address in func get_le32(). The problem is essentially caused in PackLinuxElf32::elf_lookup() at p_lx_elf.cpp:5368
* https://www.cve.org/CVERecord?id=CVE-2021-43313
  A heap-based buffer overflow was discovered in upx, during the variable 'bucket' points to an inaccessible address. The issue is being triggered in the function PackLinuxElf32::invert_pt_dynamic at p_lx_elf.cpp:1688.
* https://www.cve.org/CVERecord?id=CVE-2021-43312
  A heap-based buffer overflow was discovered in upx, during the variable 'bucket' points to an inaccessible address. The issue is being triggered in the function PackLinuxElf64::invert_pt_dynamic at p_lx_elf.cpp:5239.
* https://www.cve.org/CVERecord?id=CVE-2021-43311
  A heap-based buffer overflow was discovered in upx, during the generic pointer 'p' points to an inaccessible address in func get_le32(). The problem is essentially caused in PackLinuxElf32::elf_lookup() at p_lx_elf.cpp:5382.
* https://www.cve.org/CVERecord?id=CVE-2021-30501
  An assertion abort was found in upx MemBuffer::alloc() in mem.cpp, in version UPX 4.0.0. The flaw allows attackers to cause a denial of service (abort) via a crafted file.
* https://www.cve.org/CVERecord?id=CVE-2021-30500
  Null pointer dereference was found in upx PackLinuxElf::canUnpack() in p_lx_elf.cpp, in version UPX 4.0.0. That allows attackers to execute arbitrary code and cause a denial of service via a crafted file.
* https://www.cve.org/CVERecord?id=CVE-2021-20285
  A flaw was found in upx canPack in p_lx_elf.cpp in UPX 3.96. This flaw allows attackers to cause a denial of service (SEGV or buffer overflow and application crash) or possibly have unspecified other impacts via a crafted ELF. The highest threat from this vulnerability is to system availability.
* https://www.cve.org/CVERecord?id=CVE-2020-27802
  A floating point exception was discovered in the elf_lookup function in p_lx_elf.cpp in UPX 4.0.0 via a crafted Mach-O file.
* https://www.cve.org/CVERecord?id=CVE-2020-27801
  A heap-based buffer over-read was discovered in the get_le64 function in bele.h in UPX 4.0.0 via a crafted Mach-O file.
* https://www.cve.org/CVERecord?id=CVE-2020-27800
  A heap-based buffer over-read was discovered in the get_le32 function in bele.h in UPX 4.0.0 via a crafted Mach-O file.
* https://www.cve.org/CVERecord?id=CVE-2020-27799
  A heap-based buffer over-read was discovered in the acc_ua_get_be32 function in miniacc.h in UPX 4.0.0 via a crafted Mach-O file.
* https://www.cve.org/CVERecord?id=CVE-2020-27798
  An invalid memory address reference was discovered in the adjABS function in p_lx_elf.cpp in UPX 4.0.0 via a crafted Mach-O file.
* https://www.cve.org/CVERecord?id=CVE-2020-27797
  An invalid memory address reference was discovered in the elf_lookup function in p_lx_elf.cpp in UPX 4.0.0 via a crafted Mach-O file.
* https://www.cve.org/CVERecord?id=CVE-2020-27796
  A heap-based buffer over-read was discovered in the invert_pt_dynamic function in p_lx_elf.cpp in UPX 4.0.0 via a crafted Mach-O file.

Signed-off-by: Fathi Boudra <fathi.boudra@linaro.org>
Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
* cni: clean dir ${B}/plugins before do_compile (Changqing Li, 2023-12-14, 1 file, -0/+2)

Clean dir ${B}/plugins before do_compile to avoid cni generated binaries like /usr/libexec/cni/bridge having a wrong dynamic linker path and reporting an error like:
"/usr/libexec/cni/bridge: no such file or directory"

Reproduce steps:
1. bitbake cni
2. enable usrmerge feature in local.conf
3. bitbake cni

After step 2, GOBUILDFLAGS changed, "-I /lib64/ld-linux-aarch64.so.1" -> "/usr/lib/ld-linux-aarch64.so.1". But "go build" seems to only check if the cached packagefile changed; since none changed, the dynamic linker still uses the old one. Maybe go build should improve this. Clean dir ${B}/plugins to trigger a rebuild of the binaries here.

Signed-off-by: Changqing Li <changqing.li@windriver.com>
Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
* cni: fix textrel QA issue (Chen Qi, 2023-12-14, 1 file, -3/+3)

When building cni, we get a textrel QA issue like below:
cni: ELF binary /usr/libexec/cni/macvlan has relocations in .text

The problem could be solved by adding '-buildmode=pie' to ${GO}. In go.bbclass, this flag is added to GOBUILDFLAGS conditionally, that is, if the arch is not mips nor riscv32, this '-buildmode=pie' is added to GOBUILDFLAGS. So make use of that.

Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
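The two cni commits above both turn on a property of the produced ELF binaries that the build only discovers late: the dynamic linker path the Go linker bakes into PT_INTERP (stale after the usrmerge switch because the build cache did not notice the changed "-I" flag), and text relocations (the textrel QA warning that '-buildmode=pie' avoids). The following is an added example, not code from meta-virtualization, cni or the Go toolchain, that reads both facts directly out of an ELF64 image so a recipe or CI step can assert them on every built plugin. It constructs two minimal images in memory instead of opening real cni binaries; the image builder, the helper names and the use of the two interpreter paths quoted in the commit message as "stale" and "fresh" samples are assumptions for illustration.

```python
"""Added example: read PT_INTERP and DT_TEXTREL from an ELF64 image.

Not part of meta-virtualization or cni; the ELF images below are
constructed in memory so the check runs offline.
"""
import struct

# ELF64 layouts and constants as defined by the ELF specification.
EHDR_FMT = "<16sHHIQQQIHHHHHH"   # Elf64_Ehdr, little-endian
PHDR_FMT = "<IIQQQQQQ"           # Elf64_Phdr
DYN_FMT = "<qQ"                  # Elf64_Dyn
EHDR_SIZE = struct.calcsize(EHDR_FMT)   # 64
PHDR_SIZE = struct.calcsize(PHDR_FMT)   # 56
DYN_SIZE = struct.calcsize(DYN_FMT)     # 16

ET_DYN = 3          # what -buildmode=pie produces
EM_AARCH64 = 183
PT_DYNAMIC = 2
PT_INTERP = 3
PF_R, PF_W = 4, 2
DT_NULL, DT_NEEDED, DT_TEXTREL, DT_FLAGS = 0, 1, 22, 30
DF_TEXTREL = 0x4


def parse_phdrs(data: bytes) -> list:
    """Return the program header table of a little-endian ELF64 image."""
    hdr = struct.unpack_from(EHDR_FMT, data, 0)
    ident, e_phoff, e_phentsize, e_phnum = hdr[0], hdr[5], hdr[9], hdr[10]
    if ident[:4] != b"\x7fELF" or ident[4] != 2 or ident[5] != 1:
        raise ValueError("not a little-endian ELF64 image")
    return [struct.unpack_from(PHDR_FMT, data, e_phoff + i * e_phentsize)
            for i in range(e_phnum)]


def interp_path(data: bytes):
    """Dynamic linker path from PT_INTERP, or None for a static binary."""
    for p_type, _flags, p_offset, _va, _pa, p_filesz, *_ in parse_phdrs(data):
        if p_type == PT_INTERP:
            return data[p_offset:p_offset + p_filesz].split(b"\0", 1)[0].decode()
    return None


def has_textrel(data: bytes) -> bool:
    """True if the dynamic section carries DT_TEXTREL or DF_TEXTREL."""
    for p_type, _flags, p_offset, _va, _pa, p_filesz, *_ in parse_phdrs(data):
        if p_type != PT_DYNAMIC:
            continue
        for i in range(p_filesz // DYN_SIZE):
            tag, val = struct.unpack_from(DYN_FMT, data, p_offset + i * DYN_SIZE)
            if tag == DT_NULL:
                break
            if tag == DT_TEXTREL or (tag == DT_FLAGS and val & DF_TEXTREL):
                return True
    return False


def check_binary(data: bytes, expected_interp: str) -> list:
    """Findings a QA step would report for one binary (empty list = clean)."""
    findings = []
    interp = interp_path(data)
    if interp != expected_interp:
        findings.append(f"interpreter {interp!r}, expected {expected_interp!r}")
    if has_textrel(data):
        findings.append("text relocations present (build with -buildmode=pie)")
    return findings


def build_elf(interp: str, textrel: bool) -> bytes:
    """Constructed minimal ET_DYN image carrying only PT_INTERP and PT_DYNAMIC."""
    interp_b = interp.encode() + b"\0"
    phnum = 2
    interp_off = EHDR_SIZE + phnum * PHDR_SIZE
    dyn_off = (interp_off + len(interp_b) + 7) & ~7      # 8-byte align
    dyn = [(DT_NEEDED, 1)]
    if textrel:
        dyn += [(DT_TEXTREL, 0), (DT_FLAGS, DF_TEXTREL)]
    dyn.append((DT_NULL, 0))
    dyn_b = b"".join(struct.pack(DYN_FMT, t, v) for t, v in dyn)
    ident = b"\x7fELF\x02\x01\x01" + b"\0" * 9            # ELF64, LE, v1
    ehdr = struct.pack(EHDR_FMT, ident, ET_DYN, EM_AARCH64, 1, 0, EHDR_SIZE,
                       0, 0, EHDR_SIZE, PHDR_SIZE, phnum, 64, 0, 0)
    ph_interp = struct.pack(PHDR_FMT, PT_INTERP, PF_R, interp_off, interp_off,
                            interp_off, len(interp_b), len(interp_b), 1)
    ph_dyn = struct.pack(PHDR_FMT, PT_DYNAMIC, PF_R | PF_W, dyn_off, dyn_off,
                         dyn_off, len(dyn_b), len(dyn_b), 8)
    body = ehdr + ph_interp + ph_dyn + interp_b
    return body + b"\0" * (dyn_off - len(body)) + dyn_b


# Constructed samples standing in for /usr/libexec/cni/bridge before and
# after the rebuild; the interpreter paths are the ones from the commit message.
STALE_BRIDGE = build_elf("/lib64/ld-linux-aarch64.so.1", textrel=True)
FRESH_BRIDGE = build_elf("/usr/lib/ld-linux-aarch64.so.1", textrel=False)

if __name__ == "__main__":
    for name, img in (("stale", STALE_BRIDGE), ("fresh", FRESH_BRIDGE)):
        print(name, check_binary(img, "/usr/lib/ld-linux-aarch64.so.1") or "ok")
```

On a real build the same two functions can be run over every file installed under ${D}${libexecdir}/cni, with the expected interpreter taken from the target's ld path, to catch a stale-cache binary before it ships; readelf -l and readelf -d show the same PT_INTERP and DT_TEXTREL fields by hand.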
* cni: reproducible builds: pass -trimpath (Bruce Ashfield, 2023-12-14, 1 file, -3/+3)

Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
* kubernetes: Fix CVE-2023-2727, CVE-2023-2728 (Soumya Sambu, 2023-11-21, 2 files, -0/+560)

Users may be able to launch containers using images that are restricted by ImagePolicyWebhook when using ephemeral containers. Kubernetes clusters are only affected if the ImagePolicyWebhook admission plugin is used together with ephemeral containers.

Users may be able to launch containers that bypass the mountable secrets policy enforced by the ServiceAccount admission plugin when using ephemeral containers. The policy ensures pods running with a service account may only reference secrets specified in the service account's secrets field. Kubernetes clusters are only affected if the ServiceAccount admission plugin and the `kubernetes.io/enforce-mountable-secrets` annotation are used together with ephemeral containers.

CVE: CVE-2023-2727, CVE-2023-2728

Affected Versions
v1.27.0 - v1.27.2
v1.26.0 - v1.26.5
v1.25.0 - v1.25.10
<= v1.24.14

master branch (kubernetes v1.28.2) is not impacted
mickledore branch (kubernetes v1.27.5) is not impacted

References:
https://nvd.nist.gov/vuln/detail/CVE-2023-2727
https://nvd.nist.gov/vuln/detail/CVE-2023-2728

Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com>
Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
* kubernetes: Fix CVE-2023-2431 (Soumya Sambu, 2023-11-21, 2 files, -0/+864)

A security issue was discovered in Kubelet that allows pods to bypass the seccomp profile enforcement. Pods that use localhost type for seccomp profile but specify an empty profile field are affected by this issue. In this scenario, this vulnerability allows the pod to run in unconfined (seccomp disabled) mode. This bug affects Kubelet.

CVE: CVE-2023-2431

Affected Versions
v1.27.0 - v1.27.1
v1.26.0 - v1.26.4
v1.25.0 - v1.25.9
<= v1.24.13

master branch (kubernetes v1.28.2) is not impacted
mickledore branch (kubernetes v1.27.5) is not impacted

References:
https://nvd.nist.gov/vuln/detail/CVE-2023-2431

Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com>
Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
* kubernetes: Adjust patches to resolve error that occurs with devtool (Soumya Sambu, 2023-11-21, 5 files, -29/+33)

Adjust patches and .bb to fix the below error which occurs with the devtool modify command -

ERROR: Applying patch '0001-hack-lib-golang.sh-use-CC-from-environment.patch' on target directory CmdError('sh -c \'PATCHFILE="0001-hack-lib-golang.sh-use-CC-from-environment.patch" git -c user.name="OpenEmbedded" -c user.email="oe.patch@oe" commit -F /tmp/tmp_ptvioq3 --author="Koen Kooi <koen.kooi@linaro.org>" --date="Mon, 23 Jul 2018 15:28:02 +0200"\'', 0, 'stdout: On branch devtool Changes not staged for commit: (use "git add <file>..." to update what will be committed) (use "git restore <file>..." to discard changes in working directory) (commit or discard the untracked or modified content in submodules) \tmodified: src/import (modified content) no changes added to commit (use "git add" and/or "git commit -a") stderr: ')

This error is not seen on master branch, fixed with the below commit -
[https://git.yoctoproject.org/meta-virtualization/commit/?id=d9af46db9aa9060c1ec10118b2cccabfc8264904]

Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com>
Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
* packagegroup-container: require ipv6 for podman (Jörg Sommer, 2023-11-08, 1 file, -1/+1)

The recipe *podman* requires the distro feature *ipv6*. Using a distro without it causes the build of *packagegroup-container* to fail, even if *packagegroup-podman* is not used:

ERROR: Nothing RPROVIDES 'podman' (but /build/../work/layers-3rdparty/meta-virtualization/recipes-core/packagegroups/packagegroup-container.bb RDEPENDS on or otherwise requires it)
podman was skipped: missing required distro feature 'ipv6' (not in DISTRO_FEATURES)
NOTE: Runtime target 'podman' is unbuildable, removing...
Missing or unbuildable dependency chain was: ['podman']
NOTE: Runtime target 'packagegroup-docker' is unbuildable, removing...
Missing or unbuildable dependency chain was: ['packagegroup-docker', 'podman']

Signed-off-by: Jörg Sommer <joerg.sommer@navimatix.de>
Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
* nerdctl: fix installed-vs-shipped with usrmerge (Martin Jansa, 2023-09-13, 1 file, -2/+2)

* fixes:
ERROR: nerdctl-v1.3.0-r0 do_package: QA Issue: nerdctl: Files/directories were installed but not shipped in any package:
  /bin
  /bin/nerdctl
Please set FILES such that these items are packaged. Alternatively if they are unneeded, avoid installing them or delete them within do_install.
nerdctl: 2 installed and not shipped files. [installed-vs-shipped]

Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
* nerdctl: update branch to main (Bruce Ashfield, 2023-09-13, 1 file, -1/+1)

Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
* go-mux: Switch to main branch (Mingli Yu, 2023-09-12, 1 file, -1/+1)

The project has renamed the master branch to main.

Signed-off-by: Mingli Yu <mingli.yu@windriver.com>
Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
* go-context: Switch to main branch (Mingli Yu, 2023-09-12, 1 file, -1/+1)

The project has renamed the master branch to main.

Signed-off-by: Mingli Yu <mingli.yu@windriver.com>
Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
* docker-ce: bump SRCREV_docker (Martin Jansa, 2023-08-16, 1 file, -3/+3)

* fix my previous commit where I've missed this update corresponding to the SRCREV_moby change in the docker-moby recipe.
* also re-order the patches in SRC_URI to match docker-moby, so that they are easier to compare

Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>