Does crio release-1.27 needs go module update of runc to 1.1.12 ? #7760

rppala90 · 2024-02-09T02:40:41Z

rppala90
Feb 9, 2024

The following security issue is fixed in runc 1.1.12 :
GHSA-xr7r-f8xq-vfvv

crio main branch updated its go module dependency of runc to 1.1.12 but I am wondering if a similar change is needed for 1.27 release too.
Seems like crio (especially for exec command) directly uses the binary runc, when the runtime is set to runc.
Hence wondering if it is sufficient to update the runc binary to 1.1.12 leaving the go dependency as is in crio.
Can someone please confirm that crio 1.27-release does not need to update its module dependency of runc to 1.1.12.

Answered by haircommander

Feb 9, 2024

nope! the vulnerability is in the runc binary, not the libcontainer library, so cri-o is not affected.

View full answer

haircommander · 2024-02-09T18:00:37Z

haircommander
Feb 9, 2024
Maintainer

nope! the vulnerability is in the runc binary, not the libcontainer library, so cri-o is not affected.

0 replies

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Does crio release-1.27 needs go module update of runc to 1.1.12 ? #7760

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{editor}}'s edit

{{editor}}'s edit

Uh oh!

Replies: 1 comment

Uh oh!

{{title}}

Uh oh!

Select a reply

Uh oh!

Does crio release-1.27 needs go module update of runc to 1.1.12 ? #7760

Uh oh!

Uh oh!

rppala90 Feb 9, 2024

Replies: 1 comment

Uh oh!

haircommander Feb 9, 2024 Maintainer

rppala90
Feb 9, 2024

haircommander
Feb 9, 2024
Maintainer