Skip to content

1.14.1
Compare
Choose a tag to compare
@giuseppe giuseppe released this 08 Feb 18:30
· 81 commits to main since this release
1.14.1
This tag was signed with the committer’s verified signature.
giuseppe Giuseppe Scrivano
GPG key ID: 67E38F7A8BA21772
Learn about vigilant mode.
de537a7
This commit was signed with the committer’s verified signature.
giuseppe Giuseppe Scrivano
GPG key ID: 67E38F7A8BA21772
Learn about vigilant mode.
  • there was recently a security vulnerability (CVE-2024-21626) in runc
    that allowed a malicious user to chdir(2) to a /proc/*/fd entry that is
    outside the container rootfs. While crun is not affected directly,
    harden chdir by validating that we are still inside the container
    rootfs.
  • container: attempt to close all the files before execv(2).
    if we leak any fd, it prevents execv to gain access to files outside
    the container rootfs through /proc/self/fd/$fd.
  • fix a regression caused by 1.14 when installing the ebpf filter on a
    kernel older than 5.11.
  • cgroup, systemd: fix segfault if the resources block is not specified.
Assets 22