Hi,

We need to run an upgraded version of runc to pick up a bug fix related to a race condition that occurs under heavy load. This bug fix was included in the runc 1.0-rc7 release. This release also contained the runc vulnerability patch (CVE-2019-5736). We were hoping that by upgrading to the latest stable we would receive a runc bump along with the Docker version bump to 18.06.3, but it doesn't look like that is the case. It looks like the runc used by CoreOS is a self-packaged version and you applied the CVE patch without also doing a version bump.
Are there any short term plans to bump the runc version to >= 1.0-rc7? Is there a way for us to easily override the runc package on our CoreOS builds? If so, would this be relatively safe or are there known issues with that version of runc and that is why a version bump wasn't done for the CVE-2019-5736 patch?
