From 8bd78a9977e604c4d5f67a7415d7b8b8c109cdc4 Mon Sep 17 00:00:00 2001 From: lifubang Date: Wed, 26 Nov 2025 16:04:16 +0000 Subject: [PATCH 1/2] VERSION: release 1.4.0 Signed-off-by: lifubang Signed-off-by: Aleksa Sarai --- CHANGELOG.md | 29 ++++++++++++++++++++++++++++- VERSION | 2 +- 2 files changed, 29 insertions(+), 2 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index a678fa45d6e..79cc3784b5f 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -6,6 +6,15 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 ## [Unreleased 1.4.z] +## [1.4.0] - 2025-11-27 + +> 路漫漫其修远兮,吾将上下而求索! + +### Deprecated ### +- Deprecate cgroup v1. (#4956) +- Deprecate `CleanPath`, `StripRoot`, `WithProcfd`, and `WithProcfdFile` from + `libcontainer/utils`. (#4985) + ### Breaking ### - The handling of `pids.limit` has been updated to match the newer guidance from the OCI runtime specification. In particular, now a maximum limit value 
@@ -21,6 +30,23 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 - cgroups: improve `cpuacct.usage_all` resilience when parsing data from patched kernels (such as the Tencent kernels). (opencontainers/cgroups#46, opencontainers/cgroups#50) +- libct: close child fds on `prepareCgroupFD` error. (#4936) +- libct: fix mips compilation. (#4962, #4967) +- When configuring a `tmpfs` mount, only set the `mode=` argument if the target + path already existed. This fixes a regression introduced in our + [CVE-2025-52881][] mitigation patches. (#4971, #4976) +- Fix various file descriptor leaks and add additional tests to detect them as + comprehensively as possible. (#5007, #5021, #5034) +- The "hallucination" helpers added as part of the [CVE-2025-52881][] + mitigation have been made more generic and now apply to all of our `pathrs` + helper functions, which should ensure we will not regress dangling symlink + users. (#4985) + +### Changed +- libct: switch to `(*CPUSet).Fill`. (#4927) +- docs/spec-conformance.md: update for spec v1.3.0. (#4948) + +[CVE-2025-52881]: https://github.com/opencontainers/runc/security/advisories/GHSA-cgrx-mc8f-2prm ## [1.4.0-rc.3] - 2025-11-05 @@ -1392,7 +1418,8 @@ implementation (libcontainer) is *not* covered by this policy. [1.3.0-rc.1]: https://github.com/opencontainers/runc/compare/v1.2.0...v1.3.0-rc.1 -[Unreleased 1.4.z]: https://github.com/opencontainers/runc/compare/v1.4.0-rc.3...release-1.4 +[Unreleased 1.4.z]: https://github.com/opencontainers/runc/compare/v1.4.0...release-1.4 +[1.4.0]: https://github.com/opencontainers/runc/compare/v1.4.0-rc.3...v1.4.0 [1.4.0-rc.3]: https://github.com/opencontainers/runc/compare/v1.4.0-rc.2...v1.4.0-rc.3 [1.4.0-rc.2]: https://github.com/opencontainers/runc/compare/v1.4.0-rc.1...v1.4.0-rc.2 [1.4.0-rc.1]: https://github.com/opencontainers/runc/compare/v1.3.0...v1.4.0-rc.1 diff --git a/VERSION b/VERSION index bbf8f68b834..88c5fb891dc 100644 --- a/VERSION +++ b/VERSION 
@@ -1 +1 @@ -1.4.0-rc.3+dev +1.4.0 From ead7182a412af8fc607098e41afdbb7476813700 Mon Sep 17 00:00:00 2001 From: lifubang Date: Wed, 26 Nov 2025 16:04:32 +0000 Subject: [PATCH 2/2] VERSION: back to development Signed-off-by: lifubang Signed-off-by: Aleksa Sarai --- VERSION | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/VERSION b/VERSION index 88c5fb891dc..11da7992069 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -1.4.0 +1.4.0+dev
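Review bot: the Deprecated entry for `CleanPath`, `StripRoot`, `WithProcfd`, and `WithProcfdFile` in the first CHANGELOG.md hunk (`@@ -6,6 +6,15 @@`) does not say what callers of `libcontainer/utils` should use instead. Consider naming the supported replacement in the entry, or stating that #4985 documents it, so downstream users do not write their own substitutes. "Deprecate cgroup v1. (#4956)" likewise gives no removal timeline. It is also worth confirming the heading date `2025-11-27` against the commit date of 26 Nov 2025 in the patch header.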
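Review bot: the `tmpfs` `mode=` entry in the second CHANGELOG.md hunk (`@@ -21,6 +30,23 @@`) says it fixes a regression introduced by the CVE-2025-52881 mitigation patches but does not say which releases carried that regression, so a reader running an earlier patched build cannot tell from the changelog whether they are affected. Consider naming the first release that included the regression. As a style point in the same hunk, `### Changed` lacks the trailing `###` used by `### Deprecated ###` and `### Breaking ###`.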
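Review bot: `1.4.0+dev` in the VERSION hunk of PATCH 2/2 uses a Semantic Versioning build-metadata suffix, which is ignored when determining precedence, so tooling that compares versions will treat development builds from this branch as equal to the released `1.4.0`. This follows the earlier `1.4.0-rc.3+dev` value removed in PATCH 1/2, so it looks intentional; if so, a note in the release documentation that `+dev` builds are not the tagged release would help anyone matching a reported version against a security advisory.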