From 6c52b3fc541fb26fe8c374d5f58112a0a5dbda66 Mon Sep 17 00:00:00 2001 From: Aleksa Sarai Date: Tue, 7 Jan 2025 10:11:22 +1100 Subject: [PATCH 1/2] VERSION: release v1.2.4 Signed-off-by: Aleksa Sarai --- CHANGELOG.md | 24 +++++++++++++++++++++++- VERSION | 2 +- 2 files changed, 24 insertions(+), 2 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 6193d35678b..c84210743fe 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -6,6 +6,27 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 ## [Unreleased 1.2.z] +## [1.2.4] - 2025-01-07 + +> Христос се роди! + +### Fixed + * Re-add tun/tap devices to built-in allowed devices lists. + + In runc 1.2.0 we removed these devices from the default allow-list (which + were added seemingly by accident early in Docker's history) as a precaution + in order to try to reduce the attack surface of device inodes available to + most containers (#3468). At the time we thought that the vast majority of + users using tun/tap would already be specifying what devices they need (such + as by using `--device` with Docker/Podman) as opposed to doing the `mknod` + manually, and thus there would've been no user-visible change. + + Unfortunately, it seems that this regressed a noticeable number of users + (and not all higher-level tools provide easy ways to specify devices to + allow) and so this change needed to be reverted. Users that do not need + these devices are recommended to explicitly disable them by adding deny + rules in their container configuration. (#4555, #4556) + ## [1.2.3] - 2024-12-12 > Winter is not a season, it's a celebration. 
@@ -951,7 +972,8 @@ implementation (libcontainer) is *not* covered by this policy. [1.1.0-rc.1]: https://github.com/opencontainers/runc/compare/v1.0.0...v1.1.0-rc.1 -[Unreleased 1.2.z]: https://github.com/opencontainers/runc/compare/v1.2.3...release-1.2 +[Unreleased 1.2.z]: https://github.com/opencontainers/runc/compare/v1.2.4...release-1.2 +[1.2.4]: https://github.com/opencontainers/runc/compare/v1.2.3...v1.2.4 [1.2.3]: https://github.com/opencontainers/runc/compare/v1.2.2...v1.2.3 [1.2.2]: https://github.com/opencontainers/runc/compare/v1.2.1...v1.2.2 [1.2.1]: https://github.com/opencontainers/runc/compare/v1.2.0...v1.2.1 diff --git a/VERSION b/VERSION index ae2ee4f707c..e8ea05db814 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -1.2.3+dev +1.2.4 From 48ea72789898333b4b17b2318f2ca22c53a57d29 Mon Sep 17 00:00:00 2001 From: Aleksa Sarai Date: Tue, 7 Jan 2025 10:11:33 +1100 Subject: [PATCH 2/2] VERSION: back to development Signed-off-by: Aleksa Sarai --- VERSION | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/VERSION b/VERSION index e8ea05db814..c9ce2ed870e 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -1.2.4 +1.2.4+dev
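Review bot: In the first CHANGELOG.md hunk (the new `## [1.2.4]` entry), the last sentence recommends "adding deny rules in their container configuration" but names neither the device nodes nor what such a rule looks like, so users who want to keep the 1.2.0 hardening have nothing to act on. Suggest naming the tun/tap device node(s) and including a short sample deny rule, or linking to documentation that has one. Because this revert widens the default allow-list again ("reduce the attack surface of device inodes" is the reason given for the original removal), consider flagging it more prominently than a bullet under `### Fixed`.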
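Review bot: In the second CHANGELOG.md hunk, the new `[1.2.4]` compare link (`v1.2.3...v1.2.4`) and the updated `[Unreleased 1.2.z]` base both depend on a `v1.2.4` tag that this series does not itself create. Please confirm the tag is placed on PATCH 1/2, where VERSION reads `1.2.4`, and not on the "back to development" commit where it reads `1.2.4+dev`; otherwise the tagged tree reports a development version and the compare range includes the bump.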