Closed jpayne3506 closed 2 months ago
Hi, I noticed that there is an indirect dependency vulnerability on your 1.1.0 release that is correlated to a CVE regarding runc versions <= 1.1.11
https://github.com/checkpoint-restore/checkpointctl/blob/3ba5cad0bd5feb3f87d898b2749326206c6ffede/go.mod#L9-L21
The use of github.com/opencontainers/runtime-spec v1.1.0 is the cause and it looks like you have patched it on main.
https://github.com/checkpoint-restore/checkpointctl/blob/6c3a2639a9d64c7cb7ba3477977d26d930f963c6/go.mod#L9
Is there any timetable for the next release/patch of checkpointctl?
A release would be no problem, but isn't the CVE about runc and not the runtime-spec?
As Adrian mentioned above, CVE-2024-21626 is a vulnerability in runc and it has been fixed with v1.1.12.
@jpayne3506 checkpointctl doesn't use runc or any functionality related to runc init or runc exec. It should not be affected by this CVE.
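The disagreement above comes down to one check: does the module graph actually contain the module the advisory names (github.com/opencontainers/runc, fixed in v1.1.12), or only a module that shares its owner (github.com/opencontainers/runtime-spec)? The following Go program is an added example, not code from checkpointctl or from anyone in the thread. It parses go.mod text, matches an advisory by exact module path, and compares the required version against the fixed version under semver ordering. The go.mod it runs on is constructed for the example (only the runtime-spec v1.1.0 line comes from the issue; `example.com/placeholder` is made up), and the Advisory shape is an assumption of this example, not any scanner's schema.

```go
package main

import (
	"bufio"
	"fmt"
	"strconv"
	"strings"
)

// Requirement is one module requirement taken from a go.mod file.
type Requirement struct {
	Path     string
	Version  string
	Indirect bool // carried a "// indirect" comment
}

// Advisory is the minimal record this example matches against (an assumption
// of this example, not a real scanner format): affected module and first fix.
type Advisory struct {
	ID     string
	Module string
	Fixed  string
}

// RuncAdvisory records CVE-2024-21626 as stated in the thread: a runc bug,
// fixed in runc v1.1.12. The module path is runc's own, not runtime-spec's.
var RuncAdvisory = Advisory{ID: "CVE-2024-21626", Module: "github.com/opencontainers/runc", Fixed: "v1.1.12"}

// ConstructedGoMod is a made-up go.mod for this example (runtime-spec v1.1.0
// as in the issue, plus a placeholder module). It is NOT the project's file.
const ConstructedGoMod = `module example.com/ctl

go 1.21

require (
	github.com/opencontainers/runtime-spec v1.1.0
	example.com/placeholder v0.3.0 // indirect
)
`

// ParseGoMod extracts require directives from go.mod text, handling both the
// single-line form and `require ( ... )` blocks; other directives are ignored.
func ParseGoMod(src string) []Requirement {
	var reqs []Requirement
	inBlock := false
	sc := bufio.NewScanner(strings.NewReader(src))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		indirect := strings.Contains(line, "// indirect")
		if i := strings.Index(line, "//"); i >= 0 { // drop trailing comment
			line = strings.TrimSpace(line[:i])
		}
		f := strings.Fields(line)
		switch {
		case line == "":
		case inBlock && line == ")":
			inBlock = false
		case inBlock && len(f) == 2:
			reqs = append(reqs, Requirement{f[0], f[1], indirect})
		case line == "require (":
			inBlock = true
		case len(f) == 3 && f[0] == "require":
			reqs = append(reqs, Requirement{f[1], f[2], indirect})
		}
	}
	return reqs
}

// parseVersion splits "vMAJOR.MINOR.PATCH[-pre][+build]" into its numeric
// triple and whether it is a pre-release (which sorts before the release).
func parseVersion(v string) (nums [3]int, pre bool) {
	v = strings.TrimPrefix(v, "v")
	if i := strings.Index(v, "+"); i >= 0 {
		v = v[:i]
	}
	if i := strings.Index(v, "-"); i >= 0 {
		v, pre = v[:i], true
	}
	for i, p := range strings.SplitN(v, ".", 3) {
		nums[i], _ = strconv.Atoi(p)
	}
	return nums, pre
}

// versionLess reports whether a < b: compare the core triple, then rank a
// pre-release below its release.
func versionLess(a, b string) bool {
	na, pa := parseVersion(a)
	nb, pb := parseVersion(b)
	for i := 0; i < 3; i++ {
		if na[i] != nb[i] {
			return na[i] < nb[i]
		}
	}
	return pa && !pb
}

// Check matches an advisory by exact module path. It reports whether that
// module is required at all and, if so, whether its version is below the fix.
// A module that merely shares an owner prefix (runtime-spec vs runc) never matches.
func Check(reqs []Requirement, adv Advisory) (found, affected bool, version string) {
	for _, r := range reqs {
		if r.Path == adv.Module {
			return true, versionLess(r.Version, adv.Fixed), r.Version
		}
	}
	return false, false, ""
}

func main() {
	reqs := ParseGoMod(ConstructedGoMod)
	for _, r := range reqs {
		fmt.Printf("%-45s %-8s indirect=%v\n", r.Path, r.Version, r.Indirect)
	}
	found, affected, ver := Check(reqs, RuncAdvisory)
	fmt.Printf("%s: present=%v affected=%v version=%q\n", RuncAdvisory.ID, found, affected, ver)
}
```

On a real checkout the same question is answered by `go list -m all` (is runc in the build list at all?), `go mod why -m github.com/opencontainers/runc` (which import path pulls it in, if any), and `govulncheck ./...`, which reports only vulnerabilities whose affected symbols are reachable from the module's code, which is the distinction the maintainers draw above between having a module in the graph and actually calling the `runc init`/`runc exec` paths.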