Skip to content

DLPX-95924 [Backport of DLPX-95843] Ubuntu Security Notification for runC Vulnerabilities (USN-7851-1) #379

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Nov 11, 2025
Merged

DLPX-95924 [Backport of DLPX-95843] Ubuntu Security Notification for runC Vulnerabilities (USN-7851-1) #379

merged 1 commit into from
Nov 11, 2025

Conversation

@prakashsurya
Copy link
Contributor

@prakashsurya prakashsurya commented Nov 11, 2025
edited
Loading

Problem

The runc package version currently on release is 1.3.0, and subject to a security vulnerability.

See also: https://nvd.nist.gov/vuln/detail/CVE-2025-31133

Solution

The solution taken in this PR is to use the runc package from "develop" which has a fix for this vulnerability.

Testing Done

  • git-ab-pre-push -b misc-debs is here

  • Manually installed new runc package on release based engine.. e.g.

$ dpkg -l | grep runc
ii  runc                                                       1.3.0-0ubuntu2~24.04.1                           amd64        Open Container Project - runtime

$ sudo apt-get install ./runc_1.3.3-0ubuntu1~24.04.2_amd64.deb
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
Note, selecting 'runc' instead of './runc_1.3.3-0ubuntu1~24.04.2_amd64.deb'
The following packages will be upgraded:
  runc
1 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
Need to get 0 B/8,815 kB of archives.
After this operation, 315 kB of additional disk space will be used.
Get:1 /export/home/delphix/runc_1.3.3-0ubuntu1~24.04.2_amd64.deb runc amd64 1.3.3-0ubuntu1~24.04.2 [8,815 kB]
debconf: delaying package configuration, since apt-utils is not installed
(Reading database ... 210648 files and directories currently installed.)
Preparing to unpack .../runc_1.3.3-0ubuntu1~24.04.2_amd64.deb ...
Unpacking runc (1.3.3-0ubuntu1~24.04.2) over (1.3.0-0ubuntu2~24.04.1) ...
Setting up runc (1.3.3-0ubuntu1~24.04.2) ...
Processing triggers for man-db (2.12.0-4build2) ...

$ dpkg -l | grep runc
ii  runc                                                       1.3.3-0ubuntu1~24.04.2                           amd64        Open Container Project - runtime

$ get-appliance-version
2025.6.0.0

@prakashsurya prakashsurya force-pushed the dlpx/pr/prakashsurya/4899795a-94ee-4dc8-8feb-aef48f4b3d12 branch from f7188d1 to bd9db9d Compare November 11, 2025 00:12
@prakashsurya prakashsurya marked this pull request as ready for review November 11, 2025 00:15
@jfagetti-delphix jfagetti-delphix merged commit e17c5b7 into release Nov 11, 2025
18 checks passed
@jfagetti-delphix jfagetti-delphix deleted the dlpx/pr/prakashsurya/4899795a-94ee-4dc8-8feb-aef48f4b3d12 branch November 11, 2025 04:00
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@sebroy sebroy sebroy approved these changes

@nealquigley nealquigley nealquigley approved these changes

@david-mendez1 david-mendez1 Awaiting requested review from david-mendez1

Assignees

No one assigned

Labels

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

5 participants

@prakashsurya @sebroy @nealquigley @jfagetti-delphix