-
Notifications
You must be signed in to change notification settings - Fork 567
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Fix CVE-2024-3154 in package cri-o (#9284)
- Loading branch information
Showing
2 changed files
with
43 additions
and
1 deletion.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,38 @@ | ||
| From 976ab1f4c916099fc1f2e6569f13e45df2f26b4f Mon Sep 17 00:00:00 2001 | ||
| From: Peter Hunt <[email protected]> | ||
| Date: Tue, 26 Mar 2024 12:07:17 -0400 | ||
| Subject: [PATCH] annotations: add OCI runtime specific annotations to the | ||
| AllowedAnnotations | ||
|
|
||
| meaning an admin would have to opt-into allowing them to be used | ||
|
|
||
| Signed-off-by: Peter Hunt <[email protected]> | ||
| --- | ||
| pkg/annotations/annotations.go | 13 +++++++++++++ | ||
| 1 file changed, 13 insertions(+) | ||
|
|
||
| diff --git a/pkg/annotations/annotations.go b/pkg/annotations/annotations.go | ||
| index 51920eb..e517f18 100644 | ||
| --- a/pkg/annotations/annotations.go | ||
| +++ b/pkg/annotations/annotations.go | ||
| @@ -48,4 +48,17 @@ var AllAllowedAnnotations = []string{ | ||
| OCISeccompBPFHookAnnotation, | ||
| rdt.RdtContainerAnnotation, | ||
| TrySkipVolumeSELinuxLabelAnnotation, | ||
| + // Keep in sync with | ||
| + // https://github.com/opencontainers/runc/blob/3db0871f1cf25c7025861ba0d51d25794cb21623/features.go#L67 | ||
| + // Once runc 1.2 is released, we can use the `runc features` command to get this programatically, | ||
| + // but we should hardcode these for now to prevent misuse. | ||
| + "bundle", | ||
| + "org.systemd.property.", | ||
| + "org.criu.config", | ||
| + | ||
| + // Simiarly, keep in sync with | ||
| + // https://github.com/containers/crun/blob/475a3fd0be/src/libcrun/container.c#L362-L366 | ||
| + "module.wasm.image/variant", | ||
| + "io.kubernetes.cri.container-type", | ||
| + "run.oci.", | ||
| } | ||
| -- | ||
| 2.33.8 | ||
|
|
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -26,7 +26,7 @@ Summary: OCI-based implementation of Kubernetes Container Runtime Interfa | |
| # Define macros for further referenced sources | ||
| Name: cri-o | ||
| Version: 1.22.3 | ||
| Release: 1%{?dist} | ||
| Release: 2%{?dist} | ||
| License: ASL 2.0 | ||
| Vendor: Microsoft Corporation | ||
| Distribution: Mariner | ||
|
|
@@ -63,6 +63,7 @@ Patch7: CVE-2022-21698.patch | |
| Patch8: CVE-2023-44487.patch | ||
| Patch9: CVE-2024-28180.patch | ||
| Patch10: CVE-2024-21626.patch | ||
| Patch11: CVE-2024-3154.patch | ||
| BuildRequires: btrfs-progs-devel | ||
| BuildRequires: device-mapper-devel | ||
| BuildRequires: fdupes | ||
|
|
@@ -215,6 +216,9 @@ mkdir -p /opt/cni/bin | |
| %{_fillupdir}/sysconfig.kubelet | ||
|
|
||
| %changelog | ||
| * Mon Jun 03 2024 Bala <[email protected]> - 1.22.3-2 | ||
| - Patch CVE-2024-3154 | ||
|
|
||
| * Thu May 21 2024 Henry Li <[email protected]> - 1.22.3-1 | ||
| - Upgrade to 1.22.3 to resolve regressed CVE-2022-0811 | ||
| - Updated vendor source tar | ||
|
|
||