runc (1.1.7-0ubuntu1~20.04.5) focal-security; urgency=medium

  * No change rebuild due to golang-1.21 update

 -- Nishit Majithia <nishit.majithia@canonical.com>  Wed, 10 Jul 2024 08:58:11 +0530

runc (1.1.7-0ubuntu1~20.04.4) focal; urgency=medium

  * d/t/control: remove basic-smoke test since it depends on runc binary now
    provided by src:runc-app.

 -- Lucas Kanashiro <kanashiro@ubuntu.com>  Mon, 06 May 2024 16:53:24 -0300

runc (1.1.7-0ubuntu1~20.04.3) focal; urgency=medium

  * Do not provide the runc binary package anymore (LP: #2022390).
    The runc binary package is now provided by src:runc-app.
    - d/control: remove the containerd binary package paragraph.
    - d/containerd.*: remove all files related to the containerd binary
      package.
    - d/p/test--skip-fs-related-cgroups-tests.patch: skip a new cgroups test
      trying to write to /sys/fs/cgroup/memory.
    - d/golang-github-opencontainers-runc-dev.install: fix path of library
      files.

 -- Lucas Kanashiro <kanashiro@ubuntu.com>  Wed, 13 Mar 2024 18:07:43 -0300

runc (1.1.7-0ubuntu1~20.04.2) focal-security; urgency=medium

  * SECURITY UPDATE: container escape vulnerability
    - d/p/0001-Fix-File-to-Close.patch: Fix File to Close
    - d/p/0002-init-verify-after-chdir-that-cwd-is-inside-the-conta.patch:
      init: verify after chdir that cwd is inside the container
    - d/p/0003-setns-init-do-explicit-lookup-of-execve-argument-ear.patch:
      setns init: do explicit lookup of execve argument early
    - d/p/0004-init-close-internal-fds-before-execve.patch: init: close
      internal fds before execve
    - d/p/0005-cgroup-plug-leaks-of-sys-fs-cgroup-handle.patch: cgroup:
      plug leaks of /sys/fs/cgroup handle
    - d/p/0006-libcontainer-mark-all-non-stdio-fds-O_CLOEXEC-before.patch:
      libcontainer: mark all non-stdio fds O_CLOEXEC before spawning init
    - CVE-2024-21626

 -- Nishit Majithia <nishit.majithia@canonical.com>  Wed, 24 Jan 2024 16:33:42 +0530

runc (1.1.7-0ubuntu1~20.04.1) focal; urgency=medium

  * Backport version from Mantic to Focal (LP: #2023694).
    - Build with Go 1.18
      + d/control: b-d on golang-1.18-go instead of golang-any
      + d/rules: add Go 1.18 to $PATH

 -- Lucas Kanashiro <kanashiro@ubuntu.com>  Fri, 30 Jun 2023 17:49:24 -0300

runc (1.1.7-0ubuntu1) mantic; urgency=medium

  * New upstream release (LP: #2018107).
    - Update patches in d/patches:
      + test--skip_TestFactoryNewTmpfs.patch: rename to
        test--skip-privileged-test-factory_linux_test.go.patch to follow the
        Debian patch. Also updated it accordingly to Debian.
      + test--skip-fs-related-cgroups-tests.patch: remove one skipped test,
        now it is part of the patch above.
      + fix_cpuset_range_byte_order.patch: removed, applied by upstream.
        [Applied in upstream version 1.1.7]
      + lp2013318-fix-device-files-in-containers.patch: removed, fixed by
        upstream.
        [Fixed in upstream version 1.1.7]
      + CVE-2023-25809.patch: removed, applied by upstream.
        [Applied in upstream version 1.1.7]
      + CVE-2023-27561_2023-28642.patch: removed, applied by upstream.
        [Applied in upstream version 1.1.7]
  * Bump debhelper compatibility level to 12. Now that Bionic reached EOSS, we
    can update it to level 12.
    - d/control: build depend on debhelper-compat (= 12) instead of debhelper.
    - d/compat: removed, not needed anymore.
  * d/control: remove unneeded Breaks statement for docker.io.

 -- Lucas Kanashiro <kanashiro@ubuntu.com>  Mon, 12 Jun 2023 17:39:01 -0300

runc (1.1.4-0ubuntu4) mantic; urgency=medium

  * SECURITY UPDATE: Incorrect access control through /sys/fs/cgroup
    - debian/patches/CVE-2023-25809.patch: apply MS_RDONLY if
      /sys/fs/cgroup is bind-mounted or mask if bind source is unavailable
      in libcontainer/rootfs_linux.go.
    - CVE-2023-25809
  * SECURITY UPDATE: Incorrect access control through /proc and /sys
    - debian/patches/CVE-2023-27561_2023-28642.patch: Prohibit /proc and
      /sys to be symlinks in libcontainer/rootfs_linux.go.
    - CVE-2023-27561
    - CVE-2023-28642

 -- David Fernandez Gonzalez <david.fernandezgonzalez@canonical.com>  Mon, 15 May 2023 13:20:53 +0200

runc (1.1.4-0ubuntu3) lunar; urgency=medium

  * d/p/lp2013318-fix-device-files-in-containers.patch: Fix inability to use
    device files such as /dev/null in containers (LP: #2013318)

 -- Lena Voytek <lena.voytek@canonical.com>  Thu, 06 Apr 2023 10:57:46 -0700

runc (1.1.4-0ubuntu2) lunar-proposed; urgency=medium

  * Import blockIODevice.patch from Debian (LP: #2009851)

 -- Reinhard Tartler <siretart@tauware.de>  Fri, 24 Mar 2023 19:05:09 -0400

runc (1.1.4-0ubuntu1) lunar; urgency=medium

  * New upstream release (LP: #1993442).
  * Refresh patches.

 -- Lucas Kanashiro <kanashiro@ubuntu.com>  Wed, 16 Nov 2022 11:59:36 -0300

runc (1.1.2-0ubuntu1.1) kinetic; urgency=medium

  * d/p/fix_cpuset_range_byte_order.patch: fix byte order while parsing cpuset
    range to bits (LP: #1993221)

 -- Chengen Du <chengen.du@canonical.com>  Mon, 17 Oct 2022 15:59:43 +0800

runc (1.1.2-0ubuntu1) kinetic; urgency=medium

  * New upstream release.

 -- Lucas Kanashiro <kanashiro@ubuntu.com>  Thu, 12 May 2022 16:15:38 -0300

runc (1.1.0-0ubuntu1) jammy; urgency=medium

  * New upstream release.
  * Refresh patches:
    - d/p/test--skip_TestFactoryNewTmpfs.patch
    - d/p/test--skip-fs-related-cgroups-tests.patch
  * Remove patch not needed anymore:
    - d/p/test--skip-Hugetlb.patch

 -- Lucas Kanashiro <kanashiro@ubuntu.com>  Wed, 09 Feb 2022 11:46:31 -0300

runc (1.0.3-0ubuntu1) jammy; urgency=medium

  * New upstream release (LP: #1946899).
  * d/rules: remove DH_GOLANG_INSTALL_EXTRA, the directories listed there do
    not exist anymore.

 -- Lucas Kanashiro <kanashiro@ubuntu.com>  Mon, 10 Jan 2022 11:51:10 -0300

runc (1.0.1-0ubuntu2) impish; urgency=medium

  * d/p/test--skip-fs-related-cgroups-tests.patch: skip a new cgroups related
    test. It requires permission to write in /sys/fs/cgroup/memory during its
    execution.

 -- Lucas Kanashiro <kanashiro@ubuntu.com>  Mon, 09 Aug 2021 11:40:32 -0300

runc (1.0.1-0ubuntu1) impish; urgency=medium

  * New upstream release.
  * d/watch: adjust regex to correctly match the tarball files on Github.
  * d/p/test--skip-fs-related-cgroups-tests.patch: update according to the
    upstream changes.
  * d/s/lintian-overrides: remove it, the override there is not needed.

 -- Lucas Kanashiro <kanashiro@ubuntu.com>  Thu, 05 Aug 2021 11:48:36 -0300

runc (1.0.0~rc95-0ubuntu1) impish; urgency=medium

  * New upstream release.
    - Several regressions were found in 1.0.0-rc93 by upstream and fixed in
      this new release.
      + Ensure the scratch pipe is read during ExportBPF (LP: #1927219).
    - Drop patches applied by upstream:
      + d/patches/CVE-2021-30465/*.patch
      + d/patches/fix-patchpbf-test-on-32-bit.patch
  * d/rules: set VERSION variable when building runc (LP: #1929106).

 -- Lucas Kanashiro <kanashiro@ubuntu.com>  Thu, 20 May 2021 10:40:14 -0300

runc (1.0.0~rc93-0ubuntu2) impish; urgency=medium

  * SECURITY UPDATE: symlink exchange attack
    - debian/patches/CVE-2021-30465/*.patch: upstream patches to add mount
      destination validation.
    - CVE-2021-30465

 -- Marc Deslauriers <marc.deslauriers@ubuntu.com>  Wed, 05 May 2021 14:27:26 -0400

runc (1.0.0~rc93-0ubuntu1) hirsute; urgency=medium

  * New upstream release (LP: #1919182).
    - runc now has special handling for seccomp profiles to avoid making new
      syscalls unusable for glibc (LP: #1916485).
  * Remove patch addressing a bug fixed by upstream:
    - debian/patches/test--fix_TestGetAdditionalGroups.patch
  * Refresh patch:
    - debian/patches/test--skip-fs-related-cgroups-test.patch
  * Backport upstream patch to fix patchpbf test on armhf:
    - debian/patches/fix-patchpbf-test-on-32-bit.patch

 -- Lucas Kanashiro <kanashiro@ubuntu.com>  Tue, 10 Mar 2021 09:30:36 -0300

runc (1.0.0~rc92-0ubuntu1) hirsute; urgency=medium

  * New upstream release.
  * Refresh patches.
  * Add patch to skip tests relying on cgroups fs mountpoints.
  * Update VCS links to point to Github where the packaging work is done.

 -- Lucas Kanashiro <kanashiro@ubuntu.com>  Tue, 12 Jan 2021 17:30:36 -0300

runc (1.0.0~rc10-0ubuntu3) hirsute; urgency=medium

  * No-change rebuild using new golang

 -- Steve Langasek <steve.langasek@ubuntu.com>  Wed, 11 Nov 2020 22:25:13 +0000

runc (1.0.0~rc10-0ubuntu2) groovy; urgency=medium

  * No-change rebuild using new golang

 -- Steve Langasek <steve.langasek@ubuntu.com>  Tue, 22 Sep 2020 08:55:00 +0000

runc (1.0.0~rc10-0ubuntu1) focal; urgency=medium

  [ Lucas Kanashiro ]
  * Run dh_golang_autopkgtest with isolation-machine restriction (LP: #1856083)
    - d/control: remove Testsuite field since we are now overwriting the
      autodep8 test definition.
    - d/t/control: overwrite autodep8 test definition to add isolation-machine
      restriction.
  * d/t/control: Use commas in Restrictions field of basic-smoke test

  [ Tianon Gravi ]
  * Update to 1.0.0-rc10 upstream release

 -- Tianon Gravi <tianon@debian.org>  Tue, 18 Feb 2020 09:06:24 +1300

runc (1.0.0~rc8+git20190923.3e425f80-0ubuntu1) eoan; urgency=medium

  * New upstream snapshot, fixing CVE-2019-16884.

 -- Michael Hudson-Doyle <michael.hudson@ubuntu.com>  Mon, 30 Sep 2019 14:12:18 +1300

runc (1.0.0~rc8-0ubuntu1) eoan; urgency=medium

  * New upstream version.

 -- Michael Hudson-Doyle <michael.hudson@ubuntu.com>  Wed, 18 Sep 2019 10:49:47 +0200

runc (1.0.0~rc7+git20190403.029124da-0ubuntu1) disco; urgency=medium

  * New upstream version.
  * Fix dependencies of golang-github-opencontainers-runc-dev package.

 -- Michael Hudson-Doyle <michael.hudson@ubuntu.com>  Fri, 12 Apr 2019 12:29:03 +1200

runc (1.0.0~rc6+git20190307.2b18fe1d-0ubuntu1) disco; urgency=medium

  * Update to https://github.com/opencontainers/runc/commit/2b18fe1d885ee5083ef9f0838fee39b62d653e30
    - See also:
        https://github.com/containerd/containerd/blob/v1.2.5/RUNC.md
        https://github.com/containerd/containerd/blob/v1.2.5/vendor.conf#L23
  * d/patches/0001-nsenter-clone-proc-self-exe-to-avoid-exposing-host-b.patch:
    dropped, applied upstream.

 -- Michael Hudson-Doyle <michael.hudson@ubuntu.com>  Thu, 14 Mar 2019 11:12:22 +1300

runc (1.0.0~rc6+git20181203.96ec2177-0ubuntu1) disco; urgency=medium

  * Add "basic-smoke" autopkgtest to verify basic functionality

 -- Tianon Gravi <tianon@debian.org>  Thu, 14 Feb 2019 14:23:13 -0800

runc (1.0.0~rc6+git20181203.96ec2177-0~ubuntu2) disco; urgency=medium

  * d/patches/0001-nsenter-clone-proc-self-exe-to-avoid-exposing-host-b.patch:
    Apply upstream fix for CVE-2019-5736.

 -- Michael Hudson-Doyle <michael.hudson@ubuntu.com>  Tue, 12 Feb 2019 11:52:37 +1300

runc (1.0.0~rc6+git20181203.96ec2177-0~ubuntu1) disco; urgency=medium

  * Update to https://github.com/opencontainers/runc/commit/96ec2177ae841256168fcf76954f7177af9446eb
    - See also:
        https://github.com/containerd/containerd/blob/v1.2.2/RUNC.md
        https://github.com/containerd/containerd/blob/v1.2.2/vendor.conf#L23

 -- Tianon Gravi <tianon@debian.org>  Thu, 17 Jan 2019 21:06:43 -0800

runc (1.0.0~rc5+dfsg1-4) unstable; urgency=medium

  * New patch to disable Hugetlb tests.

 -- Dmitry Smirnov <onlyjob@debian.org>  Thu, 27 Sep 2018 08:16:11 +1000

runc (1.0.0~rc5+dfsg1-3) unstable; urgency=medium

  * TAGS += ambient
  * New patch to fix FTBFS on mips* architectures.

 -- Dmitry Smirnov <onlyjob@debian.org>  Mon, 18 Jun 2018 11:47:25 +1000

runc (1.0.0~rc5+dfsg1-2) unstable; urgency=medium

  * New patch to fix integer overflow on i686.
  * Build with "selinux" tag (Closes: #865993).
    Thanks, Laurent Bigonville.
  * Added myself to uploaders.

 -- Dmitry Smirnov <onlyjob@debian.org>  Sat, 16 Jun 2018 22:12:23 +1000

runc (1.0.0~rc5+dfsg1-1) unstable; urgency=medium

  * Team upload.

  [ Arnaud Rebillout ]
  * Set minimum requirement for golang-gocapability-dev.
    And drop the alternative name golang-github-syndtr-gocapability-dev,
    this name never existed in the first place.

  [ Dmitry Smirnov ]
  * New upstream release
  * Testsuite: autopkgtest-pkg-go
  * Standards-Version: 4.1.4; Priority: optional
  * debhelper to version 11; compat to version 10.
  * Added "XS-Go-Import-Path".
  * (Build-)Depends:
    - golang-github-codegangsta-cli-dev
    - golang-github-coreos-pkg-dev
    - golang-golang-x-sys-dev
    - golang-logrus-dev
    + golang-github-containerd-console-dev
    + golang-github-pkg-errors-dev
    + golang-github-sirupsen-logrus-dev
    + golang-github-urfave-cli-dev

 -- Dmitry Smirnov <onlyjob@debian.org>  Fri, 15 Jun 2018 21:48:18 +1000

runc (1.0.0~rc4+dfsg1-6) unstable; urgency=medium

  [ Michael Stapelberg ]
  * update debian/gitlab-ci.yml (using salsa.debian.org/go-team/ci/cmd/ci)

  [ Dmitry Smirnov ]
  * Removed myself from uploaders.

  [ Balint Reczey ]
  * Team upload
  * Stop using unix.SIGUNUSED which has been removed from golang.org/x/sys
    (Closes: #889704)

 -- Balint Reczey <rbalint@ubuntu.com>  Tue, 10 Apr 2018 18:40:56 +0200

runc (1.0.0~rc4+dfsg1-5) unstable; urgency=medium

  * Vcs-* urls: pkg-go-team -> go-team.

 -- Alexandre Viau <aviau@debian.org>  Mon, 05 Feb 2018 23:05:40 -0500

runc (1.0.0~rc4+dfsg1-4) unstable; urgency=medium

  * Point vcs-* urls to packages subgroup.

 -- Alexandre Viau <aviau@debian.org>  Thu, 25 Jan 2018 15:23:12 -0500

runc (1.0.0~rc4+dfsg1-3) unstable; urgency=medium

  * Change my email to @debian.org.
  * Move to salsa.debian.org.

 -- Alexandre Viau <aviau@debian.org>  Fri, 29 Dec 2017 00:34:59 -0500

runc (1.0.0~rc4+dfsg1-2) unstable; urgency=medium

  * Mark runc breaking docker.io (<= 1.13.1~ds1-2) (Closes: #877146)

 -- Balint Reczey <rbalint@ubuntu.com>  Sat, 30 Sep 2017 11:50:52 -0400

runc (1.0.0~rc4+dfsg1-1) unstable; urgency=medium

  * Team Upload
  * Update watch file to match release candidates
  * Update Files-Excluded and d/control to match dependencies of rc4
  * New upstream release candidate 1.0.0-rc4
  * Drop obsoleted patches
  * Drop outdated README.source
  * Require at least final 1.0.0 release of
    golang-github-opencontainers-specs-dev (Closes: #858250)
  * Fix typo in golang-github-opencontainers-runc-dev package description
    (Closes: #873760)

 -- Balint Reczey <rbalint@ubuntu.com>  Sat, 30 Sep 2017 11:50:50 -0400

runc (1.0.0~rc2+git20170201.133.9df8b30-3) unstable; urgency=medium

  * Replace golang-go with golang-any in Build-Depends

 -- Konstantinos Margaritis <markos@debian.org>  Wed, 09 Aug 2017 15:00:55 +0300

runc (1.0.0~rc2+git20170201.133.9df8b30-2) unstable; urgency=medium

  * Patch to make libcontainer ignore cgroup2 hierarchy. Patch pulled from
    https://github.com/opencontainers/runc/pull/1266.

 -- Vincent Bernat <bernat@debian.org>  Fri, 30 Jun 2017 07:10:34 +0200

runc (1.0.0~rc2+git20170201.133.9df8b30-1) unstable; urgency=medium

  * New upstream snapshot for Docker 1.13.1.

 -- Tim Potter <tpot@hpe.com>  Wed, 24 May 2017 11:36:40 +1000

runc (1.0.0~rc2+git20161109.131.5137186-2) unstable; urgency=medium

  * Add Breaks line to binary package to avoid messing up previous
    Docker installs.

 -- Tim Potter <tpot@hpe.com>  Fri, 24 Feb 2017 09:49:06 +1100

runc (1.0.0~rc2+git20161109.131.5137186-1) unstable; urgency=medium

  * New upstream snapshot.
  * Refresh backported patch for CVE-2016-9962.

 -- Tim Potter <tpot@hpe.com>  Wed, 15 Feb 2017 09:08:52 +1100

runc (0.1.1+dfsg1-2) unstable; urgency=medium

  * Team upload.
  * Backport patch for CVE-2016-9962 (Closes: #850951)

 -- Tianon Gravi <tianon@debian.org>  Wed, 01 Feb 2017 07:17:54 -0800

runc (0.1.1+dfsg1-1) unstable; urgency=medium

  * New upstream release [June 2016].
  * testworks: disabled privileged and failing tests.
  * Build with "apparmor seccomp" tags (Closes: #830818);
    Build-Depends += "libapparmor-dev".

 -- Dmitry Smirnov <onlyjob@debian.org>  Wed, 13 Jul 2016 23:00:43 +1000

runc (0.1.0+dfsg1-1) unstable; urgency=medium

  * Dropped dependency on "golang-docker-dev" in favour of bundled
    (or build time sub-vendored) "github.com/docker/docker" in order
    to avoid circular dependency with Docker.
  * Standards-Version: 3.9.8.
  * Corrected Vcs-Git URL.

 -- Dmitry Smirnov <onlyjob@debian.org>  Sun, 12 Jun 2016 17:56:45 +1000

runc (0.1.0+dfsg-1) unstable; urgency=medium

  [ Tim Potter ]
  * Team upload
  * New upstream release [April 2016]
    = golang-github-opencontainers-specs-dev (>= 0.5.0~)
  * De-vendor new dependencies; pquerna/ffjson appears unused

 -- Dmitry Smirnov <onlyjob@debian.org>  Sat, 23 Apr 2016 07:59:18 +1000

runc (0.0.9+dfsg-1) unstable; urgency=medium

  * New upstream release [March 2016].
  * (Build-)Depends:
    = golang-github-opencontainers-specs-dev (>= 0.4.0~)
    = golang-github-codegangsta-cli-dev (>= 0.0~git20151221~)
    - help2man
    + go-md2man
  * Install upstream man pages.
  * Install "runc" binary to "/usr/sbin".

 -- Dmitry Smirnov <onlyjob@debian.org>  Sat, 16 Apr 2016 17:23:48 +1000

runc (0.0.8+dfsg-2) unstable; urgency=medium

  * (Build-)Depends:
    + golang-github-docker-go-units-dev
    + golang-github-seccomp-libseccomp-golang-dev

 -- Dmitry Smirnov <onlyjob@debian.org>  Wed, 23 Mar 2016 20:05:01 +1100

runc (0.0.8+dfsg-1) unstable; urgency=medium

  * New upstream release [February 2016].
  * Build-Depends:
    + golang-github-vishvananda-netlink-dev
  * Updated Vcs URLs.
  * Standards-Version: 3.9.7.

 -- Dmitry Smirnov <onlyjob@debian.org>  Fri, 26 Feb 2016 18:19:24 +1100

runc (0.0.4~dfsg-1) unstable; urgency=medium

  * New upstream release (Closes: #802507).
  * Dropped obsolete lintian-overrides.

 -- Dmitry Smirnov <onlyjob@debian.org>  Wed, 21 Oct 2015 09:02:42 +1100

runc (0.0.3~dfsg2-1) unstable; urgency=low

  * Initial release (Closes: #796486).
    Thanks, Alexandre Viau.

 -- Dmitry Smirnov <onlyjob@debian.org>  Sun, 06 Sep 2015 18:06:34 +1000
