Sync from SUSE:SLFO:Main crun revision e8794ef350405739029860a9f1b0b0a2

crun-1.14.tar.xz.asc

@@ -1,11 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iQEzBAABCAAdFiEEr2D8o82qberRV+o6Z+OPeouiF3IFAmWxP6sACgkQZ+OPeoui
-F3KW9Af/Y7/+zpxWQ07p0TEVj4+ay61UDzALUMW76vI73+PV4EheBPMHnUAJtaxL
-2CY10m2tlE55S3QZ9/66j+TCQ7DheXGv1fMCWVg99whqmrO9a0JH/XACyj64lqAc
-igUvcnzH3sQvLaTVQWxX7aBGZKWFumSBzHJeFx6TxkYCJb5/o4O1Fcv0IBW5+T80
-6yHcYe07zNXOmdp7QflxxZ+B79wP+bKvGvSiBPZ5zysEap+e8UMxlDf5C+YaLIZq
-LgHpVkN/TF8PJb8meX3qxbWgzOswz4+sa/4VOAkwfENLUWMM1TqHhf4rQAxrWmIY
-hNVDEcKOwlwSChJqn6NBaKj1Rc3Jng==
-=LYzP
------END PGP SIGNATURE-----

crun-1.15.tar.gz.asc

@@ -0,0 +1,11 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQEzBAABCAAdFiEEr2D8o82qberRV+o6Z+OPeouiF3IFAmYzfXgACgkQZ+OPeoui
+F3KNlAf+JPTyqSazEqx+TWdxHwXhzdfaWzgJ7O0mtM3KruCKIodvF+V/tsIDJrwc
+gF5tGgLVBD9Tlt+wzCSaoWbxEbz2eZmDRNVtxZt6e/QfHSID8PzVm8jVZiBMmy8n
+wPs3chVGM/T0Fh+8hBv2fmueYWPnSMnA4SSxp6eNjAYt5H59OXyVRw5hk0lQTzQQ
+U+GeMRTRVkorNq8dZ+LdPHg8+u5ndPCD93wfdelK2wI2X4UlAcTA2qcuL1MowCCC
+fqPigsOGiRNjzDCfptbCrG778nZu32AGn4ohBXmxoLDbfz2X3ZjgySzSZaVb/D7S
+R4c3fkxsV7PNXt6sNx+J8UAGntztBA==
+=pgGE
+-----END PGP SIGNATURE-----

crun.changes

@@ -1,3 +1,49 @@
+-------------------------------------------------------------------
+Thu May 30 12:30:26 UTC 2024 - Dario Faggioli <dfaggioli@suse.com>
+
+- New upstream release 1.15
+  * fix a mount point leak under /run/crun, add a retry mechanism to unmount the directory if the removal failed with EBUSY.
+  * linux: cgroups: fix potential mount leak when /sys/fs/cgroup is already mounted, causing the posthooks to not run.
+  * release: build s390x binaries using musl libc.
+  * features: add support for potentiallyUnsafeConfigAnnotations.
+  * handlers: add option to load wasi-nn plugin for wasmedge.
+  * linux: fix "harden chdir()" security measure. The previous check was not correct.
+  * crun: add option --keep to the run command. When specified the container is not automatically deleted when it exits. 
+
+-------------------------------------------------------------------
+Wed Mar  6 10:06:50 UTC 2024 - Dan Čermák <dcermak@suse.com>
+
+- New upstream release 1.14.4
+
+* crun-1.14.4
+
+- linux: fix mount of file with recursive flags.  Do not assume it is
+  a directory, but check the source type.
+
+* crun-1.14.3
+
+- follow up for 1.14.2.  Drop the version check for each command.
+
+* crun-1.14.2
+
+- crun: drop check for OCI version.  A recent bump in the OCI runtime
+  specs caused crun to fail with every config file.  Just drop the
+  check since it doesn't add any value.
+
+* crun-1.14.1
+
+- there was recently a security vulnerability (CVE-2024-21626) in runc
+  that allowed a malicious user to chdir(2) to a /proc/*/fd entry that is
+  outside the container rootfs.  While crun is not affected directly,
+  harden chdir by validating that we are still inside the container
+  rootfs.
+- container: attempt to close all the files before execv(2).
+  if we leak any fd, it prevents execv to gain access to files outside
+  the container rootfs through /proc/self/fd/$fd.
+- fix a regression caused by 1.14 when installing the ebpf filter on a
+  kernel older than 5.11.
+- cgroup, systemd: fix segfault if the resources block is not specified.
+
 -------------------------------------------------------------------
 Sat Jan 27 16:21:04 UTC 2024 - Andrea Manzini <andrea.manzini@suse.com>
 

crun.spec

@@ -23,13 +23,13 @@
 %endif
 
 Name:           crun
-Version:        1.14
+Version:        1.15
 Release:        0
 Summary:        OCI runtime written in C
 License:        GPL-2.0-or-later
 URL:            https://github.com/containers/crun
-Source0:        %{URL}/releases/download/%{version}/%{name}-%{version}.tar.xz
+Source0:        %{URL}/releases/download/%{version}/%{name}-%{version}.tar.gz
-Source1:        %{URL}/releases/download/%{version}/%{name}-%{version}.tar.xz.asc
+Source1:        %{URL}/releases/download/%{version}/%{name}-%{version}.tar.gz.asc
 Source2:        crun.keyring
 # We always run autogen.sh
 BuildRequires:  autoconf