On Mon, May 20, 2019 at 2:14 PM Ron Gutierrez <[email protected]> wrote:

> Hi,
>
> We need to run an upgraded version of runc to pick up a bug fix related to a
> race condition that occurs under heavy load. This bug fix was included in the
> runc 1.0-rc7 release. This release also contained the runc vulnerability
> patch (CVE-2019-5736). We were hoping that by upgrading to the latest stable
> we would receive a runc bump along with the Docker version bump to 18.06.3,
> but it doesn't look like that is the case. It looks like the runc used by
> CoreOS is a self-packaged version and you applied the CVE patch without also
> doing a version bump.
>
> Are there any short term plans to bump the runc version to >= 1.0-rc7?

No, see https://github.com/coreos/coreos-overlay/pull/3477.

> Is there a way for us to easily override the runc package on our CoreOS
> builds?

You can create your own Docker torcx image based on that PR and use the
versions you want. I don't know of issues with runc specifically, but updating
in general beyond 18.06 causes random segfaults (mostly with resource limiting
flags).

> If so, would this be relatively safe or are there known issues with that
> version of runc and that is why a version bump wasn't done for the
> CVE-2019-5736 patch?

There was a version bump to 18.06.3 for the CVE. The Container Linux runc
version always matches the one shipped with the Docker version.

Thanks.
David

--
You received this message because you are subscribed to the Google Groups "CoreOS Dev" group.
To view this discussion on the web visit https://groups.google.com/d/msgid/coreos-dev/CA%2BsZQ%2BnAAc9MDax44BXa3%2BYEyNdpw%3DE1aRKsHoG-Ax%2B0AuLBgg%40mail.gmail.com.
