Unfortunately, there are also breaking changes in this release:
The type of Metadata.Tools has changed from *[]Tool to *ToolsChoice, to facilitate the deprecation of Tool in the spec
ToolsChoice holds both legacy *[]Tool, as well as the new *[]Component and *[]Service fields
The Tool type, as well as the ToolsChoice.Tools field are marked as deprecated
During encoding and decoding, it is asserted that only one of both options can be present, in accordance with the "One of" constraint of the spec
When encoding to lower spec versions than v1.5 (using EncodeVersion), Components and Services are automatically converted to legacy Tools
It is strongly recommended to use Components and Services. However, when consuming BOMs, applications should still expect legacy Tools to be present, and handle them accordingly.
Changelog
Fixes
64eb0c84b3d909db47c5154c17d075f68b0c85ae: fix: remove format linters that require extra tooling (@nscuro)
Building and Packaging
696aa66151e800a672c9ec860f30d8716ae6a025: build(deps): bump actions/checkout from 3.5.3 to 4.1.0 (@dependabot[bot])
b50b319d1580d5b624cfc866bc108b589b328157: build(deps): bump actions/checkout from 4.1.0 to 4.1.1 (@dependabot[bot])
5cad1b0a7dad106950790fad960be5f7e62b2110: build(deps): bump actions/setup-go from 4.1.0 to 5.0.0 (@dependabot[bot])
b0910619560e5b0b0fae51dc97c4a343983873fb: build(deps): bump gitpod/workspace-go from d3603c7 to 94ae638 (@dependabot[bot])
9e310b6d641245c89aa01f07a21b50c38f04b087: build(deps): bump gitpod/workspace-go from f37c673 to d3603c7 (@dependabot[bot])
89494fd98291ca8115e02cab78e2e47360352f00: build(deps): bump goreleaser/goreleaser-action from 4.4.0 to 5.0.0 (@dependabot[bot])
Others
61dd91e0bbe730454bef42bc0c1b0a3f97411c02: feat(spec1-5): add support for machine learning (@nscuro)
f831960f0887c1f60681924e4d4382cd4bb52ff0: feat(spec1-5): update valid-vulnerability test snapshots (@nscuro)
ffc9a4eb9204f5a31b7fb1d6cd907e6cc3e93578: ci: enable more linters (@mmorel-35)
runc 1.1.12 -- "Now you're thinking with Portals™!"
This is the twelfth patch release in the 1.1.z release branch of runc.
It fixes a high-severity container breakout vulnerability involving
leaked file descriptors, and users are strongly encouraged to update as
soon as possible.
Fix CVE-2024-21626, a container breakout attack that took advantage of
a file descriptor that was leaked internally within runc (but never
leaked to the container process).
In addition to fixing the leak, several strict hardening measures were
added to ensure that future internal leaks could not be used to break
out in this manner again.
Based on our research, while no other container runtime had a similar
leak, none had any of the hardening steps we've introduced (and some
runtimes would not check for any file descriptors that a calling
process may have leaked to them, allowing for container breakouts due
to basic user error).
Static Linking Notices
The runc binary distributed with this release are statically linked with
the following GNU LGPL-2.1 licensed libraries, with runc acting
as a "work that uses the Library":
The versions of these libraries were not modified from their upstream versions,
but in order to comply with the LGPL-2.1 (§6(a)), we have attached the
complete source code for those libraries which (when combined with the attached
runc source code) may be used to exercise your rights under the LGPL-2.1.
However we strongly suggest that you make use of your distribution's packages
or download them from the authoritative upstream sources, especially since
these libraries are related to the security of your containers.
Thanks to all of the contributors who made this release possible:
Fix CVE-2024-21626, a container breakout attack that took
advantage of a file descriptor that was leaked internally within runc (but
never leaked to the container process). In addition to fixing the leak,
several strict hardening measures were added to ensure that future internal
leaks could not be used to break out in this manner again. Based on our
research, while no other container runtime had a similar leak, none had any
of the hardening steps we've introduced (and some runtimes would not check
for any file descriptors that a calling process may have leaked to them,
allowing for container breakouts due to basic user error).
Support memory.peak and memory.swap.peak in cgroups v2.
Add swapOnlyUsage in MemoryStats. This field reports swap-only usage.
For cgroupv1, Usage and Failcnt are set by subtracting memory usage
from memory+swap usage. For cgroupv2, Usage, Limit, and MaxUsage
are set. (#4000, #4010, #4131)
Bumps the go-modules group with 26 updates:
1.30.01.31.10.18.00.18.10.7.20.8.00.0.0-20230412183729-8602f1afc5740.0.11.0.61.1.01.3.61.3.71.7.111.7.130.8.00.8.10.4.00.5.05.10.15.11.00.17.00.19.01.4.01.6.01.17.41.17.51.1.101.1.124.1.194.1.210.4.40.4.60.2.00.3.03.23.113.24.12.15.02.15.10.26.00.27.01.2.31.2.40.19.00.20.00.5.00.6.00.16.10.17.01.59.01.61.01.31.01.32.0Updates
github.com/onsi/gomegafrom 1.30.0 to 1.31.1Release notes
Sourced from github.com/onsi/gomega's releases.
Changelog
Sourced from github.com/onsi/gomega's changelog.
Commits
762b171v1.31.126661b8tidy up go.sumbde8f7abump dependencies24e958dShow how to import the format sub packagead1a367Update test in case keeping msg is desirede0dd999Inverted arguments order of FailureMessage of BeComparableToMatcherba8bba2v1.31.0121c37fAsync assertions include context cancellation cause if presentdee1e3cBump minimum go version49005fedocs: fix typo in example usage "occured" -> "occurred"Updates
github.com/paketo-buildpacks/occamfrom 0.18.0 to 0.18.1Commits
1d68391tests: adding tests for NewContainerFromInspectOutput function13e5704fix: avoid accessing undefined host ports on while creating a new container f...0fb0353Bump github.com/containerd/containerd from 1.7.7 to 1.7.11Updates
github.com/CycloneDX/cyclonedx-gofrom 0.7.2 to 0.8.0Release notes
Sourced from github.com/CycloneDX/cyclonedx-go's releases.
Commits
b9654aeMerge pull request #90 from CycloneDX/spec-v1.564eb0c8fix: remove format linters that require extra toolingc7a84acfeat(spec1-5): handle deprecation of toolsf856daafeat(spec1-5): add support for formulation2fbde0efeat(spec1-5): add support for identity, occurrences, and callstack evidence61dd91efeat(spec1-5): add support for machine learningf831960feat(spec1-5): updatevalid-vulnerabilitytest snapshotsfe3a904feat(spec1-5): add support for ssvc scoring method7d2713ffeat(spec1-5): add support for vulnerability proof of concept2ae5445feat(spec1-5): add support for additional compositions and composition identityUpdates
github.com/anchore/stereoscopefrom 0.0.0-20230412183729-8602f1afc574 to 0.0.1Commits
Updates
github.com/andybalholm/brotlifrom 1.0.6 to 1.1.0Commits
17e5901Make my matchfinder work more accessible.cf812c0matchfinder: add M01b6cf36matchfinder: remove MultiHash265f3afmatchfinder: penalize score for overlapping matchesa8d524amatchfinder: replace Score function with DistanceBitCost578645ematchfinder: add MultiHash24b2bfamatchfinder.M4: add Score function4a024e3matchfinder.M4: add match chain3a1c5cdFix typo in comment.0d2aef3matchfinder.M4: factor out extendMatch2Updates
github.com/cloudflare/circlfrom 1.3.6 to 1.3.7Release notes
Sourced from github.com/cloudflare/circl's releases.
Commits
c48866bReleasing CIRCL v1.3.775ef91ekyber: remove division by q in ciphertext compression899732abuild(deps): bump golang.org/x/cryptoUpdates
github.com/containerd/containerdfrom 1.7.11 to 1.7.13Release notes
Sourced from github.com/containerd/containerd's releases.
... (truncated)
Commits
7c3aca7Merge pull request #9724 from dmcgowan/prepare-v1.7.13b97e611Prepare release notes for v1.7.132e7fa14Update runc binary to v1.1.12cbda56bMerge pull request #9693 from k8s-infra-cherrypick-robot/cherry-pick-9684-to-...1bed378seccomp: kernel 6.71944259Merge pull request #9685 from elezar/dependency-update-container-device-inter...14628d4Update container-device-interface to v0.6.28c780b7Merge pull request #9658 from vvoland/contentprovider-1.78364779content: Add InfoReaderProvider71909c1Merge pull request #9632 from dmcgowan/prepare-v1.7.12Updates
github.com/docker/docker-credential-helpersfrom 0.8.0 to 0.8.1Release notes
Sourced from github.com/docker/docker-credential-helpers's releases.
Commits
292722bMerge pull request #308 from thaJeztah/update_golang_1.21.6979dcc4Merge pull request #309 from thaJeztah/update_golangcif411a65Dockerfile: update golangci-lint to v1.55.29629bd7update to go1.21.6f642c26Merge pull request #306 from thaJeztah/err_checks8fc3306Merge pull request #307 from thaJeztah/bump_wincred6a3e64cmove trimming whitespace to error-check helpers218f178vendor: github.com/danieljoos/wincred v1.2.1Updates
github.com/docker/go-connectionsfrom 0.4.0 to 0.5.0Commits
fa09c95Merge pull request #108 from thaJeztah/carry_67a67a58Swap CloseRead and CloseWrite481d3d2Merge pull request #107 from thaJeztah/drop_legacy_go9548f9ftlsconfig: remove deprecated io/ioutilc564c21drop support for go1.17 and older7cbebcfgha: update actions2cf423ftlsconfig: move allTLSVersions vardca283btlsconfig: drop support for go1.12 and older21876c5tlsconfig: drop support for go1.6 and older4d174dbtlsconfig: drop support for go1.4 and olderUpdates
github.com/go-git/go-git/v5from 5.10.1 to 5.11.0Release notes
Sourced from github.com/go-git/go-git/v5's releases.
Commits
5d08d3bMerge pull request #958 from pjbgf/workval5bd1d8fbuild: Ensure checkout is the first operationb2c1982git: worktree, Align validation with upstream rulescec7da6Merge pull request #953 from pjbgf/alternates8b47cebstorage: filesystem, Add option to set a specific FS for alternates4f61489Merge pull request #941 from djmoch/filestats-renameae552ceMerge pull request #939 from dhoizner/fix-pull-after-shallowcc1895bMerge pull request #950 from aymanbagabas/validate-refde1d5a5git: validate reference namesd87110bMerge pull request #948 from go-git/dependabot/go_modules/cli/go-git/github.c...Updates
github.com/google/go-containerregistryfrom 0.17.0 to 0.19.0Release notes
Sourced from github.com/google/go-containerregistry's releases.
Commits
8dadbe7Work around docker v25 tarballs (#1872)a0658aaAlways print pushed digest in crane push (#1860)55ffb00fix: goreleaser config (#1764)Updates
github.com/google/uuidfrom 1.4.0 to 1.6.0Release notes
Sourced from github.com/google/uuid's releases.
Changelog
Sourced from github.com/google/uuid's changelog.
Commits
0f11ee6chore(master): release 1.6.0 (#151)16939dachore(tests): add strict monotonicity test case for uuid v7. (#154)016b199fix: fix typo in version 7 uuid documentation (#153)1d8b6eaci: set token permissions to github workflows (#143)a2b2b32fix: Monotonicity in UUIDv7 (#150)c58770efeat: add Max UUID constant (#149)4d47f8echore(master): release 1.5.0 (#145)9ee7366feat: Validate UUID without creating new UUID (#141)b35aa6aadd uuid version 6 and 7 (#139)Updates
github.com/klauspost/compressfrom 1.17.4 to 1.17.5Release notes
Sourced from github.com/klauspost/compress's releases.
Commits
6662a21s2: Document and test how to peek the stream for skippable blocks (#918)3deb878s2: Fix up AddSkippableBlock more (#919)6ac58c9s2: Fix incorrect length encoded by writer.AddSkippableBlock (#917)515f153s2: Fix callbacks for skippable blocks and disallow 0xfe (Padding) for custom...01b2a79zstd: Limit default window to 8MB (#913)32312d5flate: Fix reset with dictionary on custom window encodes (#912)d9b6e1ezstd: Tweak noasm FSE decoder (#910)85452d2zstd: Add Frame header encoding and stripping (#908)eabf71dbuild(deps): bump the github-actions group with 1 update (#906)f6216d3Update README.md (#905)Updates
github.com/opencontainers/runcfrom 1.1.10 to 1.1.12Release notes
Sourced from github.com/opencontainers/runc's releases.
... (truncated)
Changelog
Sourced from github.com/opencontainers/runc's changelog.
Commits
51d5e94VERSION: release 1.1.122a4ed3emerge 1.1-ghsa-xr7r-f8xq-vfvv into release-1.1e9665f4init: don't special-case logrus fds683ad2flibcontainer: mark all non-stdio fds O_CLOEXEC before spawning initb6633f4cgroup: plug leaks of /sys/fs/cgroup handle284ba30init: close internal fds before execvefbe3eedsetns init: do explicit lookup of execve argument early0994249init: verify after chdir that cwd is inside the container506552aFix File to Close099ff69merge #4177 into opencontainers/runc:release-1.1Updates
github.com/pierrec/lz4/v4from 4.1.19 to 4.1.21Commits
294e765Merge pull request #216 from evanphx/b-fix-tests6e17a24Reverts bc1239ba, no longer needed to conform to legacy9542ba5CI: update go versions to more recent onesd9eb671cmd/lz4c: update go.mod and fix issue #214219b252Merge pull request #213 from corneliusroemer/patch-158c6073Update README.md: add@latestto cli install commande974631Merge pull request #211 from oakad/issue_2107613989CompressingReader: support older Go versions4a80a2fCompressingReader: account for possible out buffer statef2ece5bCompressingReader: make sure to clear out bufferUpdates
github.com/rivo/unisegfrom 0.4.4 to 0.4.6Commits
f302f7fClarifications and improvements in the package documentation.0b9a924Improved performance by using switch statements instead of maps for state tra...e258aa1Switched from transition map to switch statement to improve performance.b74d4dcSome performance improvements by fast-tracking property search on ASCII chara...97691fcMerge pull request #47 from junegunn/eastasian-ambiguous1f39ebcAdd comment272e3f0Allow configuring the width of East Asian ambiguous width characters3628fa1Merge pull request #42 from meowgorithm/unicode-v15.0.03050bb8Update Unicode version numbers in README and doc comments to 15.0.05509479Upgrade to Unicode v15.0.0 (and regnerate accordingly)Updates
github.com/sassoftware/go-rpmutilsfrom 0.2.0 to 0.3.0Release notes
Sourced from github.com/sassoftware/go-rpmutils's releases.
Commits
d2036ffchore: update dependencies and remove refs to ioutilbceacf4feat: support RPMs with a payload digest but no SIG_MD5 (#28)277b154Add CONFLICT tagsd2202c0Fix non-continuous link groupsUpdates
github.com/shirou/gopsutil/v3from 3.23.11 to 3.24.1Release notes
Sourced from github.com/shirou/gopsutil/v3's releases.