Overview
Request 861676 accepted
- Update to 1.11.5:
runtime: Security fixes included:
- Readonly bind-mounts are now mounted read-only on the host.
With this fix, mounts are protected at VM boundary not just
the guest kernel. If a container escape were to occur, one
would be able to write to a directory or file that was
mounted read-only.
- Certain annotations in kata can be used to execute
pre-exiting binaries. This could be used to execute arbitrary
binaries with the onus of validating these paths left to the
stack about Kata. In this release, we added appropriate
validations so that an admin can configure a list of file
system paths that can be used to filter annotations that
represent valid file names.
- Created by RBrownSUSE
- In state accepted
-
Package maintainers:
mvedovati,
rhafer, and
sgrunert
Request History
RBrownSUSE created request
- Update to 1.11.5:
runtime: Security fixes included:
- Readonly bind-mounts are now mounted read-only on the host.
With this fix, mounts are protected at VM boundary not just
the guest kernel. If a container escape were to occur, one
would be able to write to a directory or file that was
mounted read-only.
- Certain annotations in kata can be used to execute
pre-exiting binaries. This could be used to execute arbitrary
binaries with the onus of validating these paths left to the
stack about Kata. In this release, we added appropriate
validations so that an admin can configure a list of file
system paths that can be used to filter annotations that
represent valid file names.
RBrownSUSE accepted request
