runc (1.0.0~rc6+dfsg1-3+deb10u3) buster-security; urgency=medium

  * Non-maintainer upload by the Debian LTS Team.
  * d/patches/CVE-2021-43784.patch: Added to fix CVE-2021-43784.
    - When writing netlink messages, it is possible to have a byte array larger
      than UINT16_MAX which would result in the length field overflowing and
      allowing user-controlled data to be parsed as control characters (such as
      creating custom mount points, changing which set of namespaces to allow,
      and so on).
  * d/patches/CVE-2024-21626.patch: Added to fix CVE-2024-21626.
    - Due to an internal file descriptor leak, an attacker could cause a
      newly-spawned container process (from runc exec) to have a working
      directory in the host filesystem namespace, allowing for a container
      escape, or for a container process to gain access to the host filesystem
      through runc run, or to overwrite semi-arbitrary host binaries, allowing
      for complete container escapes.

 -- Daniel Leidert <dleidert@debian.org>  Mon, 19 Feb 2024 00:02:56 +0100

runc (1.0.0~rc6+dfsg1-3+deb10u2) buster-security; urgency=high
  
  * Non-maintainer upload by the LTS Security Team.
  * Skip cgroup test that fails with current buildd kernel
    (5.10.0-21/bullseye)

 -- Sylvain Beucler <beuc@debian.org>  Mon, 27 Mar 2023 12:17:23 +0200

runc (1.0.0~rc6+dfsg1-3+deb10u1) buster-security; urgency=high

  * Non-maintainer upload by the LTS Security Team.
  * CVE-2019-16884: runc, as used in Docker and other products, allows
    AppArmor and SELinux restriction bypass because
    libcontainer/rootfs_linux.go incorrectly checks mount targets, and
    thus a malicious Docker image can mount over a /proc
    directory. (Closes: #942026)
  * CVE-2019-19921: runc has Incorrect Access Control leading to
    Escalation of Privileges, related to libcontainer/rootfs_linux.go. To
    exploit this, an attacker must be able to spawn two containers with
    custom volume-mount configurations, and be able to run custom
    images. (This vulnerability does not affect Docker due to an
    implementation detail that happens to block the attack.)
  * CVE-2021-30465: runc allows a Container Filesystem Breakout via
    Directory Traversal. To exploit the vulnerability, an attacker must be
    able to create multiple containers with a fairly specific mount
    configuration. The problem occurs via a symlink-exchange attack that
    relies on a race condition. (Closes: #988768)
  * CVE-2022-29162: `runc exec --cap` created processes with non-empty
    inheritable Linux process capabilities, creating an atypical Linux
    environment and enabling programs with inheritable file capabilities
    to elevate those capabilities to the permitted set during
    execve(2). This bug did not affect the container security sandbox as
    the inheritable set never contained more capabilities than were
    included in the container's bounding set.
  * CVE-2023-27561: CVE-2019-19921 was re-introduced by the fix for
    CVE-2021-30465.

 -- Sylvain Beucler <beuc@debian.org>  Sat, 25 Mar 2023 16:47:22 +0100

runc (1.0.0~rc6+dfsg1-3) unstable; urgency=medium

  * Team upload.

  [ Shengjing Zhu ]
  * Improve patch for CVE-2019-5736 based on upstream commits.
    Now the patch includes following commits:
    + 2d4a37b nsenter: cloned_binary: userspace copy fallback if sendfile fails
    + 16612d7 nsenter: cloned_binary: try to ro-bind /proc/self/exe before
              copying
    + af9da0a nsenter: cloned_binary: use the runc statedir for O_TMPFILE
    + 2429d59 nsenter: cloned_binary: expand and add pre-3.11 fallbacks
    + 5b775bf nsenter: cloned_binary: detect and handle short copies
    + bb7d8b1 nsexec (CVE-2019-5736): avoid parsing environ
    + 0a8e411 nsenter: clone /proc/self/exe to avoid exposing host binary to
              container

  [ Arnaud Rebillout ]
  * Add version and gitcommit to the ldflags (Closes: #909644)
    Note that we fill the git commit with something that is NOT a git commit
    at all, instead we use it as a placeholder for the debian version. The
    debian version is a relevant information for the user, and it's nice to
    be able to show it, some way or another.

 -- Shengjing Zhu <zhsj@debian.org>  Sun, 10 Mar 2019 17:51:44 +0800

runc (1.0.0~rc6+dfsg1-2) unstable; urgency=medium

  * Team upload.
  * Apply upstream patch addressing CVE-2019-5736 (Closes: #922050)
    Thanks Noah Meyerhans!

 -- Shengjing Zhu <zhsj@debian.org>  Tue, 12 Feb 2019 23:45:09 +0800

runc (1.0.0~rc6+dfsg1-1) unstable; urgency=medium

  * Standards-Version: 4.3.0.
  * New upstream release.

 -- Dmitry Smirnov <onlyjob@debian.org>  Fri, 25 Jan 2019 07:55:34 +1100

runc (1.0.0~rc5+dfsg1-4) unstable; urgency=medium

  * New patch to disable Hugetlb tests.

 -- Dmitry Smirnov <onlyjob@debian.org>  Thu, 27 Sep 2018 08:16:11 +1000

runc (1.0.0~rc5+dfsg1-3) unstable; urgency=medium

  * TAGS += ambient
  * New patch to fix FTBFS on mips* architectures.

 -- Dmitry Smirnov <onlyjob@debian.org>  Mon, 18 Jun 2018 11:47:25 +1000

runc (1.0.0~rc5+dfsg1-2) unstable; urgency=medium

  * New patch to fix integer overflow on i686.
  * Build with "selinux" tag (Closes: #865993).
    Thanks, Laurent Bigonville.
  * Added myself to uploaders.

 -- Dmitry Smirnov <onlyjob@debian.org>  Sat, 16 Jun 2018 22:12:23 +1000

runc (1.0.0~rc5+dfsg1-1) unstable; urgency=medium

  * Team upload.

  [ Arnaud Rebillout ]
  * Set minimum requirement for golang-gocapability-dev.
    And drop the alternative name golang-github-syndtr-gocapability-dev,
    this name never existed in the first place.

  [ Dmitry Smirnov ]
  * New upstream release
  * Testsuite: autopkgtest-pkg-go
  * Standards-Version: 4.1.4; Priority: optional
  * debhelper to version 11; compat to version 10.
  * Added "XS-Go-Import-Path".
  * (Build-)Depends:
    - golang-github-codegangsta-cli-dev
    - golang-github-coreos-pkg-dev
    - golang-golang-x-sys-dev
    - golang-logrus-dev
    + golang-github-containerd-console-dev
    + golang-github-pkg-errors-dev
    + golang-github-sirupsen-logrus-dev
    + golang-github-urfave-cli-dev

 -- Dmitry Smirnov <onlyjob@debian.org>  Fri, 15 Jun 2018 21:48:18 +1000

runc (1.0.0~rc4+dfsg1-6) unstable; urgency=medium

  [ Michael Stapelberg ]
  * update debian/gitlab-ci.yml (using salsa.debian.org/go-team/ci/cmd/ci)

  [ Dmitry Smirnov ]
  * Removed myself from uploaders.

  [ Balint Reczey ]
  * Team upload
  * Stop using unix.SIGUNUSED which has been removed from golang.org/x/sys
    (Closes: #889704)

 -- Balint Reczey <rbalint@ubuntu.com>  Tue, 10 Apr 2018 18:40:56 +0200

runc (1.0.0~rc4+dfsg1-5) unstable; urgency=medium

  * Vcs-* urls: pkg-go-team -> go-team.

 -- Alexandre Viau <aviau@debian.org>  Mon, 05 Feb 2018 23:05:40 -0500

runc (1.0.0~rc4+dfsg1-4) unstable; urgency=medium

  * Point vcs-* urls to packages subgroup.

 -- Alexandre Viau <aviau@debian.org>  Thu, 25 Jan 2018 15:23:12 -0500

runc (1.0.0~rc4+dfsg1-3) unstable; urgency=medium

  * Change my email to @debian.org.
  * Move to salsa.debian.org.

 -- Alexandre Viau <aviau@debian.org>  Fri, 29 Dec 2017 00:34:59 -0500

runc (1.0.0~rc4+dfsg1-2) unstable; urgency=medium

  * Mark runc breaking docker.io (<= 1.13.1~ds1-2) (Closes: #877146)

 -- Balint Reczey <rbalint@ubuntu.com>  Sat, 30 Sep 2017 11:50:52 -0400

runc (1.0.0~rc4+dfsg1-1) unstable; urgency=medium

  * Team Upload
  * Update watch file to match release candidates
  * Update Files-Excuded and d/control to match dependencies of rc4
  * New upstream release candidate 1.0.0-rc4
  * Drop obsoleted patches
  * Drop outdated README.source
  * Require at least final 1.0.0 release of
    golang-github-opencontainers-specs-dev (Closes: #858250)
  * Fix typo in golang-github-opencontainers-runc-dev package description
    (Closes: #873760)

 -- Balint Reczey <rbalint@ubuntu.com>  Sat, 30 Sep 2017 11:50:50 -0400

runc (1.0.0~rc2+git20170201.133.9df8b30-3) unstable; urgency=medium

  * Replace golang-go with golang-any in Build-Depends

 -- Konstantinos Margaritis <markos@debian.org>  Wed, 09 Aug 2017 15:00:55 +0300

runc (1.0.0~rc2+git20170201.133.9df8b30-2) unstable; urgency=medium

  * Patch to make libcontainer ignore cgroup2 hierarchy. Patch pulled from
    https://github.com/opencontainers/runc/pull/1266.

 -- Vincent Bernat <bernat@debian.org>  Fri, 30 Jun 2017 07:10:34 +0200

runc (1.0.0~rc2+git20170201.133.9df8b30-1) unstable; urgency=medium

  * New upstream snapshot for Docker 1.13.1.

 -- Tim Potter <tpot@hpe.com>  Wed, 24 May 2017 11:36:40 +1000

runc (1.0.0~rc2+git20161109.131.5137186-2) unstable; urgency=medium

  * Add Breaks line to binary package to avoid messing up previous
    Docker installs.

 -- Tim Potter <tpot@hpe.com>  Fri, 24 Feb 2017 09:49:06 +1100

runc (1.0.0~rc2+git20161109.131.5137186-1) unstable; urgency=medium

  * New upstream snapshot.
  * Refresh backported patch for CVE-2016-9962.

 -- Tim Potter <tpot@hpe.com>  Wed, 15 Feb 2017 09:08:52 +1100

runc (0.1.1+dfsg1-2) unstable; urgency=medium

  * Team upload.
  * Backport patch for CVE-2016-9962 (Closes: #850951)

 -- Tianon Gravi <tianon@debian.org>  Wed, 01 Feb 2017 07:17:54 -0800

runc (0.1.1+dfsg1-1) unstable; urgency=medium

  * New upstream release [June 2016].
  * testworks: disabled privileged and failing tests.
  * Build with "apparmor seccomp" tags (Closes: #830818);
    Build-Depends += "libapparmor-dev".

 -- Dmitry Smirnov <onlyjob@debian.org>  Wed, 13 Jul 2016 23:00:43 +1000

runc (0.1.0+dfsg1-1) unstable; urgency=medium

  * Dropped dependency on "golang-docker-dev" in favour of bundled
    (or build time sub-vendored) "github.com/docker/docker" in order
    to avoid circular dependency with Docker.
  * Standards-Version: 3.9.8.
  * Corrected Vcs-Git URL.

 -- Dmitry Smirnov <onlyjob@debian.org>  Sun, 12 Jun 2016 17:56:45 +1000

runc (0.1.0+dfsg-1) unstable; urgency=medium

  [ Tim Potter ]
  * Team upload
  * New upstream release [April 2016]
    = golang-github-opencontainers-specs-dev (>= 0.5.0~)
  * De-vendor new dependencies; pquerna/ffjson appears unused

 -- Dmitry Smirnov <onlyjob@debian.org>  Sat, 23 Apr 2016 07:59:18 +1000

runc (0.0.9+dfsg-1) unstable; urgency=medium

  * New upstream release [March 2016].
  * (Build-)Depends:
    = golang-github-opencontainers-specs-dev (>= 0.4.0~)
    = golang-github-codegangsta-cli-dev (>= 0.0~git20151221~)
    - help2man
    + go-md2man
  * Install upstream man pages.
  * Install "runc" binary to "/usr/sbin".

 -- Dmitry Smirnov <onlyjob@debian.org>  Sat, 16 Apr 2016 17:23:48 +1000

runc (0.0.8+dfsg-2) unstable; urgency=medium

  * (Build-)Depends:
    + golang-github-docker-go-units-dev
    + golang-github-seccomp-libseccomp-golang-dev

 -- Dmitry Smirnov <onlyjob@debian.org>  Wed, 23 Mar 2016 20:05:01 +1100

runc (0.0.8+dfsg-1) unstable; urgency=medium

  * New upstream release [February 2016].
  * Build-Depends:
    + golang-github-vishvananda-netlink-dev
  * Updated Vcs URLs.
  * Standards-Version: 3.9.7.

 -- Dmitry Smirnov <onlyjob@debian.org>  Fri, 26 Feb 2016 18:19:24 +1100

runc (0.0.4~dfsg-1) unstable; urgency=medium

  * New upstream release (Closes: #802507).
  * Dropped obsolete lintian-overrides.

 -- Dmitry Smirnov <onlyjob@debian.org>  Wed, 21 Oct 2015 09:02:42 +1100

runc (0.0.3~dfsg2-1) unstable; urgency=low

  * Initial release (Closes: #796486).
    Thanks, Alexandre Viau.

 -- Dmitry Smirnov <onlyjob@debian.org>  Sun, 06 Sep 2015 18:06:34 +1000
