Skip to content

build(deps): Bump github.com/opencontainers/runc from 1.4.2 to 1.4.3#1900

Merged
cdesiniotis merged 1 commit into
mainfrom
dependabot/go_modules/github.com/opencontainers/runc-1.4.3
Jul 7, 2026
Merged

build(deps): Bump github.com/opencontainers/runc from 1.4.2 to 1.4.3#1900
cdesiniotis merged 1 commit into
mainfrom
dependabot/go_modules/github.com/opencontainers/runc-1.4.3

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jun 23, 2026

Copy link
Copy Markdown
Contributor

Bumps github.com/opencontainers/runc from 1.4.2 to 1.4.3.

Changelog

Sourced from github.com/opencontainers/runc's changelog.

[1.4.3] - 2026-06-13

The best way to irritate him is to feed his grandmother to the Ravenous Bugblatter Beast of Traal.

Security

This release includes a fix for the following low-severity security issue:

  • CVE-2026-41579 allowed a malicious image with a /dev symlink to have limited write access to the host filesystem in ways that our analysis indicates was too limited to be problematic in practice. This bug was very similar to those fixed in [CVE-2025-31133][], [CVE-2025-52565][], [CVE-2025-31133][] and was simply missed at the time when we hardened the rootfs preparation code. We have conducted a deeper audit and not found any other problematic cases.

Fixed

Changed

  • When masking directories with maskPaths, runc will now reuse a single tmpfs instance (which is not writable) to reduce the number tmpfs superblocks that need to be reaped when containers die (in particular, Kubernetes applies masks to per-CPU sysfs directories which get expensive quickly). (#5275, #5281)

[1.3.6] - 2026-06-13

On no account should you allow a Vogon to read poetry at you.

Security

This release includes a fix for the following low-severity security issue:

  • CVE-2026-41579 allowed a malicious image with a /dev symlink to have limited write access to the host filesystem in ways that our analysis indicates was too limited to be problematic in practice. This bug was very similar to those fixed in [CVE-2025-31133][], [CVE-2025-52565][], [CVE-2025-31133][] and was simply missed at the time when we hardened the rootfs preparation code. We have conducted a deeper audit and not found any other problematic cases.

    This patchset required backports for #5190 and #5285, which were primarily code reorganisations that were already backported to runc 1.4 and 1.5.

... (truncated)

Commits
  • bb14dab VERSION: release v1.4.3
  • 31d72bf merge CVE-2026-41579 fixes into release-1.4
  • b2b50a4 rootfs: make cgroupv1 subsystem symlinks fd-based
  • a7343f8 rootfs: make /dev initialisation code fd-based
  • 5f2f6b5 rootfs: switch createDevices argument order
  • 6a7de4e Merge pull request #5304 from ricardobranco777/1.4-5295
  • a753597 Update busybox:glibc in integration tests to latest (1.38.0) builds
  • 3d7f708 Update busybox:glibc in integration tests to latest (1.37.0) builds
  • c6454ef tests/int: relax testPids fork error match string
  • cae4907 tests/int: build TestPids pipelines programmatically
  • Additional commits viewable in compare view

@dependabot dependabot Bot added dependencies Issue/PR Pull about a dependency file go Pull requests that update Go code labels Jun 23, 2026
@copy-pr-bot

copy-pr-bot Bot commented Jun 23, 2026

Copy link
Copy Markdown

This pull request requires additional validation before any workflows can run on NVIDIA's runners.

Pull request vetters can view their responsibilities here.

Contributors can view more details about this message here.

@tariq1890 tariq1890 requested a review from cdesiniotis June 23, 2026 21:41
@tariq1890

Copy link
Copy Markdown
Contributor

@dependabot rebase

@dependabot dependabot Bot force-pushed the dependabot/go_modules/github.com/opencontainers/runc-1.4.3 branch 2 times, most recently from 9c7955f to 30efb9e Compare July 7, 2026 20:03
@cdesiniotis

Copy link
Copy Markdown
Contributor

@dependabot rebase

Bumps [github.com/opencontainers/runc](https://github.com/opencontainers/runc) from 1.4.2 to 1.4.3.
- [Release notes](https://github.com/opencontainers/runc/releases)
- [Changelog](https://github.com/opencontainers/runc/blob/main/CHANGELOG.md)
- [Commits](opencontainers/runc@v1.4.2...v1.4.3)

---
updated-dependencies:
- dependency-name: github.com/opencontainers/runc
  dependency-version: 1.4.3
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot force-pushed the dependabot/go_modules/github.com/opencontainers/runc-1.4.3 branch from 30efb9e to f33562b Compare July 7, 2026 20:09
@cdesiniotis

Copy link
Copy Markdown
Contributor

/ok to test f33562b

@coveralls

Copy link
Copy Markdown

Coverage Report for CI Build 28895690601

Coverage remained the same at 43.913%

Details

  • Coverage remained the same as the base build.
  • Patch coverage: No coverable lines changed in this PR.
  • No coverage regressions found.

Uncovered Changes

No uncovered changes found.

Coverage Regressions

No coverage regressions found.


Coverage Stats

Coverage Status
Relevant Lines: 15073
Covered Lines: 6619
Line Coverage: 43.91%
Coverage Strength: 0.49 hits per line

💛 - Coveralls

@cdesiniotis cdesiniotis enabled auto-merge July 7, 2026 20:19
@cdesiniotis cdesiniotis merged commit f9513d7 into main Jul 7, 2026
20 checks passed
@cdesiniotis cdesiniotis deleted the dependabot/go_modules/github.com/opencontainers/runc-1.4.3 branch July 7, 2026 20:49
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Issue/PR Pull about a dependency file go Pull requests that update Go code

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants