Accepting request 1155623 from Virtualization:containers

OBS-URL: https://build.opensuse.org/request/show/1155623
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/crun?expand=0&rev=21

crun-1.14.4.tar.xz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:fd6af195a73ae9bf3aea1a6c976a914492324c828542f35a7f1570a659f2e512
+size 750596

crun-1.14.4.tar.xz.asc

@@ -0,0 +1,11 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQEzBAABCAAdFiEEr2D8o82qberRV+o6Z+OPeouiF3IFAmXgwjsACgkQZ+OPeoui
+F3Id+Af+K6mOhnP9KMUu6z6wLGyJS2YFGzFQ/3CIWi66WKa7NrMs2NzLrabmUFQ6
+xW7+DlE76un8/W0PbDKYxFsH6Eahtu2RzkWLA8rJ98G4PVaJh66eP1hd6HMbKdYA
+AD84RGtvH9oPe+9I8yRa+tMrjfusBdyyL7ybeOwCerin8JF1LJQElmu/zJHJatFw
+HNxhS0TlVl05yNPnRpj0xQVww0EukFE9jkZs6sFjCWGtzfKv8u5naVcZi8Nn/yuN
+KzodEDURQgN5ubx9wnLXblWvtOoAZ+Sifsm5pnxPcs7CPaBH5CZarmVkIrwd5GgP
+spk24m6s2hm//b/diiaLwI3WkGCBog==
+=gxi5
+-----END PGP SIGNATURE-----

crun-1.14.tar.xz.asc

@@ -1,11 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iQEzBAABCAAdFiEEr2D8o82qberRV+o6Z+OPeouiF3IFAmWxP6sACgkQZ+OPeoui
-F3KW9Af/Y7/+zpxWQ07p0TEVj4+ay61UDzALUMW76vI73+PV4EheBPMHnUAJtaxL
-2CY10m2tlE55S3QZ9/66j+TCQ7DheXGv1fMCWVg99whqmrO9a0JH/XACyj64lqAc
-igUvcnzH3sQvLaTVQWxX7aBGZKWFumSBzHJeFx6TxkYCJb5/o4O1Fcv0IBW5+T80
-6yHcYe07zNXOmdp7QflxxZ+B79wP+bKvGvSiBPZ5zysEap+e8UMxlDf5C+YaLIZq
-LgHpVkN/TF8PJb8meX3qxbWgzOswz4+sa/4VOAkwfENLUWMM1TqHhf4rQAxrWmIY
-hNVDEcKOwlwSChJqn6NBaKj1Rc3Jng==
-=LYzP
------END PGP SIGNATURE-----

crun.changes

@@ -1,3 +1,37 @@
+-------------------------------------------------------------------
+Wed Mar  6 10:06:50 UTC 2024 - Dan Čermák <dcermak@suse.com>
+
+- New upstream release 1.14.4
+
+* crun-1.14.4
+
+- linux: fix mount of file with recursive flags.  Do not assume it is
+  a directory, but check the source type.
+
+* crun-1.14.3
+
+- follow up for 1.14.2.  Drop the version check for each command.
+
+* crun-1.14.2
+
+- crun: drop check for OCI version.  A recent bump in the OCI runtime
+  specs caused crun to fail with every config file.  Just drop the
+  check since it doesn't add any value.
+
+* crun-1.14.1
+
+- there was recently a security vulnerability (CVE-2024-21626) in runc
+  that allowed a malicious user to chdir(2) to a /proc/*/fd entry that is
+  outside the container rootfs.  While crun is not affected directly,
+  harden chdir by validating that we are still inside the container
+  rootfs.
+- container: attempt to close all the files before execv(2).
+  if we leak any fd, it prevents execv to gain access to files outside
+  the container rootfs through /proc/self/fd/$fd.
+- fix a regression caused by 1.14 when installing the ebpf filter on a
+  kernel older than 5.11.
+- cgroup, systemd: fix segfault if the resources block is not specified.
+
 -------------------------------------------------------------------
 Sat Jan 27 16:21:04 UTC 2024 - Andrea Manzini <andrea.manzini@suse.com>
 

crun.spec

@@ -23,7 +23,7 @@
 %endif
 
 Name:           crun
-Version:        1.14
+Version:        1.14.4
 Release:        0
 Summary:        OCI runtime written in C
 License:        GPL-2.0-or-later