* [meta-virtualization][kirkstone][PATCH 1/2] containerd-opencontainers: fix CVE-2024-25621 @ 2025-11-10 11:30 vanusuri 2025-11-10 11:30 ` [meta-virtualization][kirkstone][PATCH 2/2] containerd-opencontainers: fix CVE-2025-64329 vanusuri 2025-11-19 23:28 ` [meta-virtualization][kirkstone][PATCH 1/2] containerd-opencontainers: fix CVE-2024-25621 Bruce Ashfield 0 siblings, 2 replies; 6+ messages in thread From: vanusuri @ 2025-11-10 11:30 UTC (permalink / raw) To: meta-virtualization; +Cc: Vijay Anusuri From: Vijay Anusuri <vanusuri@mvista.com> Upstream-Status: Backport from https://github.com/containerd/containerd/commit/0450f046e6942e513d0ebf1ef5c2aff13daa187f Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> --- .../CVE-2024-25621.patch | 103 ++++++++++++++++++ .../containerd-opencontainers_git.bb | 1 + 2 files changed, 104 insertions(+) create mode 100644 recipes-containers/containerd/containerd-opencontainers/CVE-2024-25621.patch
diff --git a/recipes-containers/containerd/containerd-opencontainers/CVE-2024-25621.patch b/recipes-containers/containerd/containerd-opencontainers/CVE-2024-25621.patch
new file mode 100644
index 00000000..4ae9bb63
--- /dev/null
+++ b/recipes-containers/containerd/containerd-opencontainers/CVE-2024-25621.patch
@@ -0,0 +1,103 @@
+From 0450f046e6942e513d0ebf1ef5c2aff13daa187f Mon Sep 17 00:00:00 2001
+From: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
+Date: Mon, 27 Oct 2025 16:42:59 +0900
+Subject: [PATCH] Fix directory permissions
+
+- Create /var/lib/containerd with 0o700 (was: 0o711).
+- Create config.TempDir with 0o700 (was: 0o711).
+- Create /run/containerd/io.containerd.grpc.v1.cri with 0o700 (was: 0o755).
+- Create /run/containerd/io.containerd.sandbox.controller.v1.shim with 0o700 (was: 0o711).
+- Leave /run/containerd and /run/containerd/io.containerd.runtime.v2.task created with 0o711,
+ as required by userns-remapped containers.
+ /run/containerd/io.containerd.runtime.v2.task/<NS>/<ID> is created with:
+ - 0o700 for non-userns-remapped containers
+ - 0o710 for userns-remapped containers with the remapped root group as the owner group.
+
+Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
+(cherry picked from commit 51b0cf11dc5af7ed1919beba259e644138b28d96)
+Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
+
+Upstream-Status: Backport [https://github.com/containerd/containerd/commit/0450f046e6942e513d0ebf1ef5c2aff13daa187f]
+CVE: CVE-2024-25621
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ pkg/cri/cri.go | 8 ++++++++
+ runtime/v2/manager.go | 2 ++
+ services/server/server.go | 14 ++++++++++++--
+ 3 files changed, 22 insertions(+), 2 deletions(-)
+
+diff --git a/pkg/cri/cri.go b/pkg/cri/cri.go
+index 7182716b6..dec810196 100644
+--- a/pkg/cri/cri.go
++++ b/pkg/cri/cri.go
+@@ -19,6 +19,7 @@ package cri
+ import (
+ "flag"
+ "fmt"
++ "os"
+ "path/filepath"
+
+ "github.com/containerd/containerd"
+@@ -68,6 +69,13 @@ func initCRIService(ic *plugin.InitContext) (interface{}, error) {
+ return nil, fmt.Errorf("invalid plugin config: %w", err)
+ }
+
++ if err := os.MkdirAll(ic.State, 0700); err != nil {
++ return nil, err
++ }
++ // chmod is needed for upgrading from an older release that created the dir with 0755
++ if err := os.Chmod(ic.State, 0700); err != nil {
++ return nil, err
++ }
+ c := criconfig.Config{
+ PluginConfig: *pluginConfig,
+ ContainerdRootDir: filepath.Dir(ic.Root),
+diff --git a/runtime/v2/manager.go b/runtime/v2/manager.go
+index 1927cbb3f..1f26bbeac 100644
+--- a/runtime/v2/manager.go
++++ b/runtime/v2/manager.go
+@@ -109,6 +109,8 @@ type ManagerConfig struct {
+ // NewShimManager creates a manager for v2 shims
+ func NewShimManager(ctx context.Context, config *ManagerConfig) (*ShimManager, error) {
+ for _, d := range []string{config.Root, config.State} {
++ // root: the parent of this directory is created as 0700, not 0711.
++ // state: the parent of this directory is created as 0711 too, so as to support userns-remapped containers.
+ if err := os.MkdirAll(d, 0711); err != nil {
+ return nil, err
+ }
+diff --git a/services/server/server.go b/services/server/server.go
+index 857cc9c76..bc2ddbf1f 100644
+--- a/services/server/server.go
++++ b/services/server/server.go
+@@ -82,16 +82,26 @@ func CreateTopLevelDirectories(config *srvconfig.Config) error {
+ return errors.New("root and state must be different paths")
+ }
+
+- if err := sys.MkdirAllWithACL(config.Root, 0711); err != nil {
++ if err := sys.MkdirAllWithACL(config.Root, 0700); err != nil {
++ return err
++ }
++ // chmod is needed for upgrading from an older release that created the dir with 0o711
++ if err := os.Chmod(config.Root, 0700); err != nil {
+ return err
+ }
+
++ // For supporting userns-remapped containers, the state dir cannot be just mkdired with 0o700.
++ // Each of plugins creates a dedicated directory beneath the state dir with appropriate permission bits.
+ if err := sys.MkdirAllWithACL(config.State, 0711); err != nil {
+ return err
+ }
+
+ if config.TempDir != "" {
+- if err := sys.MkdirAllWithACL(config.TempDir, 0711); err != nil {
++ if err := sys.MkdirAllWithACL(config.TempDir, 0700); err != nil {
++ return err
++ }
++ // chmod is needed for upgrading from an older release that created the dir with 0o711
++ if err := os.Chmod(config.Root, 0700); err != nil {
+ return err
+ }
+ if runtime.GOOS == "windows" {
+--
+2.25.1
+
diff --git a/recipes-containers/containerd/containerd-opencontainers_git.bb b/recipes-containers/containerd/containerd-opencontainers_git.bb
index dd621705..264d37a6 100644
--- a/recipes-containers/containerd/containerd-opencontainers_git.bb
+++ b/recipes-containers/containerd/containerd-opencontainers_git.bb
@@ -10,6 +10,7 @@ SRC_URI = "git://github.com/containerd/containerd;branch=release/1.6;protocol=ht
 file://0001-Makefile-allow-GO_BUILD_FLAGS-to-be-externally-speci.patch \
 file://0001-build-don-t-use-gcflags-to-define-trimpath.patch \
 file://CVE-2024-40635.patch \
+ file://CVE-2024-25621.patch \
 "
 
 # Apache-2.0 for containerd
--
2.25.1
^ permalink raw reply related [flat|nested] 6+ messages in thread
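Review bot: In the `services/server/server.go` part of the added patch, the chmod that follows `sys.MkdirAllWithACL(config.TempDir, 0700)` is applied to `config.Root`, not `config.TempDir`. The patch's own comment says the chmod exists because a directory created by an older release keeps its old mode, so a pre-existing temp directory would stay at 0o711 after an upgrade while the root directory is simply chmodded a second time. The line should read `if err := os.Chmod(config.TempDir, 0700); err != nil {`. The backport appears to carry the line over unchanged from the referenced upstream commit, so the same correction is worth raising there; until then, hosts that configure a temp dir can check its mode after upgrading. The body of `CreateTopLevelDirectories` continues past the end of the hunk.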
* [meta-virtualization][kirkstone][PATCH 2/2] containerd-opencontainers: fix CVE-2025-64329 2025-11-10 11:30 [meta-virtualization][kirkstone][PATCH 1/2] containerd-opencontainers: fix CVE-2024-25621 vanusuri @ 2025-11-10 11:30 ` vanusuri 2025-12-02 1:11 ` Bruce Ashfield 2025-11-19 23:28 ` [meta-virtualization][kirkstone][PATCH 1/2] containerd-opencontainers: fix CVE-2024-25621 Bruce Ashfield 1 sibling, 1 reply; 6+ messages in thread From: vanusuri @ 2025-11-10 11:30 UTC (permalink / raw) To: meta-virtualization; +Cc: Vijay Anusuri From: Vijay Anusuri <vanusuri@mvista.com> Upstream-Status: Backport from https://github.com/containerd/containerd/commit/c575d1b5f4011f33b32f71ace75367a92b08c750 Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> --- .../CVE-2025-64329.patch | 80 +++++++++++++++++++ .../containerd-opencontainers_git.bb | 1 + 2 files changed, 81 insertions(+) create mode 100644 recipes-containers/containerd/containerd-opencontainers/CVE-2025-64329.patch
diff --git a/recipes-containers/containerd/containerd-opencontainers/CVE-2025-64329.patch b/recipes-containers/containerd/containerd-opencontainers/CVE-2025-64329.patch
new file mode 100644
index 00000000..a3cc5e85
--- /dev/null
+++ b/recipes-containers/containerd/containerd-opencontainers/CVE-2025-64329.patch
@@ -0,0 +1,80 @@
+From c575d1b5f4011f33b32f71ace75367a92b08c750 Mon Sep 17 00:00:00 2001
+From: wheat2018 <1151937289@qq.com>
+Date: Tue, 13 Aug 2024 15:56:31 +0800
+Subject: [PATCH] fix goroutine leak of container Attach
+
+The monitor goroutine (runs (*ContainerIO).Attach.func1) of Attach will
+never finish if it attaches to a container without any stdout or stderr
+output. Wait for http context cancel and break the pipe actively to
+address the issue.
+
+Signed-off-by: wheat2018 <1151937289@qq.com>
+Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
+(cherry picked from commit a0d0f0ef68935338d2c710db164fa7820f692530)
+Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
+
+Excluded pkg/cri/sbserver/container_attach.go changes as the file not
+present in our current vrsion 1.6.19
+
+Upstream-Status: Backport [https://github.com/containerd/containerd/commit/c575d1b5f4011f33b32f71ace75367a92b08c750]
+CVE: CVE-2025-64329
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ pkg/cri/io/container_io.go | 14 +++++++++++---
+ pkg/cri/server/container_attach.go | 2 +-
+ 2 files changed, 12 insertions(+), 4 deletions(-)
+
+diff --git a/pkg/cri/io/container_io.go b/pkg/cri/io/container_io.go
+index 70bc8b789..e1584100f 100644
+--- a/pkg/cri/io/container_io.go
++++ b/pkg/cri/io/container_io.go
+@@ -17,6 +17,7 @@
+ package io
+
+ import (
++ "context"
+ "errors"
+ "io"
+ "strings"
+@@ -134,7 +135,7 @@ func (c *ContainerIO) Pipe() {
+
+ // Attach attaches container stdio.
+ // TODO(random-liu): Use pools.Copy in docker to reduce memory usage?
+-func (c *ContainerIO) Attach(opts AttachOptions) {
++func (c *ContainerIO) Attach(ctx context.Context, opts AttachOptions) {
+ var wg sync.WaitGroup
+ key := util.GenerateID()
+ stdinKey := streamKey(c.id, "attach-"+key, Stdin)
+@@ -175,8 +176,15 @@ func (c *ContainerIO) Attach(opts AttachOptions) {
+ }
+
+ attachStream := func(key string, close <-chan struct{}) {
+- <-close
+- logrus.Infof("Attach stream %q closed", key)
++ select {
++ case <-close:
++ logrus.Infof("Attach stream %q closed", key)
++ case <-ctx.Done():
++ logrus.Infof("Attach client of %q cancelled", key)
++ // Avoid writeGroup heap up
++ c.stdoutGroup.Remove(key)
++ c.stderrGroup.Remove(key)
++ }
+ // Make sure stdin gets closed.
+ if stdinStreamRC != nil {
+ stdinStreamRC.Close()
+diff --git a/pkg/cri/server/container_attach.go b/pkg/cri/server/container_attach.go
+index a95215051..3625229f9 100644
+--- a/pkg/cri/server/container_attach.go
++++ b/pkg/cri/server/container_attach.go
+@@ -79,6 +79,6 @@ func (c *criService) attachContainer(ctx context.Context, id string, stdin io.Re
+ },
+ }
+ // TODO(random-liu): Figure out whether we need to support historical output.
+- cntr.IO.Attach(opts)
++ cntr.IO.Attach(ctx, opts)
+ return nil
+ }
+--
+2.25.1
+
diff --git a/recipes-containers/containerd/containerd-opencontainers_git.bb b/recipes-containers/containerd/containerd-opencontainers_git.bb
index 264d37a6..05683d26 100644
--- a/recipes-containers/containerd/containerd-opencontainers_git.bb
+++ b/recipes-containers/containerd/containerd-opencontainers_git.bb
@@ -11,6 +11,7 @@ SRC_URI = "git://github.com/containerd/containerd;branch=release/1.6;protocol=ht
 file://0001-build-don-t-use-gcflags-to-define-trimpath.patch \
 file://CVE-2024-40635.patch \
 file://CVE-2024-25621.patch \
+ file://CVE-2025-64329.patch \
 "
 
 # Apache-2.0 for containerd
--
2.25.1
^ permalink raw reply related [flat|nested] 6+ messages in thread
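Review bot: The `ctx.Done()` branch added to `attachStream` in `pkg/cri/io/container_io.go` is under-documented for code that closes a resource-exhaustion issue. It calls `c.stdoutGroup.Remove(key)` and `c.stderrGroup.Remove(key)` with the closure's own `key` parameter, which shadows the outer `key := util.GenerateID()`. Each invocation presumably receives a single stream's key, so one of the two calls is expected to find nothing, and `// Avoid writeGroup heap up` does not say so. I would replace that comment with `// Client went away: drop this attach writer so the writer groups do not grow without bound; only the group holding this stream key is affected.` and rename the parameter (for example `streamID`) to end the shadowing. The call sites of `attachStream` and the rest of `Attach` lie outside the hunk, so the one-key-per-call reading should be confirmed against them.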
* Re: [meta-virtualization][kirkstone][PATCH 2/2] containerd-opencontainers: fix CVE-2025-64329 2025-11-10 11:30 ` [meta-virtualization][kirkstone][PATCH 2/2] containerd-opencontainers: fix CVE-2025-64329 vanusuri @ 2025-12-02 1:11 ` Bruce Ashfield 2025-12-02 2:48 ` Vijay Anusuri 0 siblings, 1 reply; 6+ messages in thread From: Bruce Ashfield @ 2025-12-02 1:11 UTC (permalink / raw) To: vanusuri; +Cc: meta-virtualization This patch says 2/2, but I can't find patch 1/2. What was the subject of 1/2 ? Or rather than just telling me the subject, if you resend it, that would be great. Bruce In message: [meta-virtualization][kirkstone][PATCH 2/2] containerd-opencontainers: fix CVE-2025-64329 on 10/11/2025 Vijay Anusuri via lists.yoctoproject.org wrote: > From: Vijay Anusuri <vanusuri@mvista.com> > > Upstream-Status: Backport from https://github.com/containerd/containerd/commit/c575d1b5f4011f33b32f71ace75367a92b08c750 > > Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> > --- > .../CVE-2025-64329.patch | 80 +++++++++++++++++++ > .../containerd-opencontainers_git.bb | 1 + > 2 files changed, 81 insertions(+) > create mode 100644 recipes-containers/containerd/containerd-opencontainers/CVE-2025-64329.patch > > diff --git a/recipes-containers/containerd/containerd-opencontainers/CVE-2025-64329.patch b/recipes-containers/containerd/containerd-opencontainers/CVE-2025-64329.patch > new file mode 100644 > index 00000000..a3cc5e85 > --- /dev/null > +++ b/recipes-containers/containerd/containerd-opencontainers/CVE-2025-64329.patch 
> @@ -0,0 +1,80 @@ > +From c575d1b5f4011f33b32f71ace75367a92b08c750 Mon Sep 17 00:00:00 2001 > +From: wheat2018 <1151937289@qq.com> > +Date: Tue, 13 Aug 2024 15:56:31 +0800 > +Subject: [PATCH] fix goroutine leak of container Attach > + > +The monitor goroutine (runs (*ContainerIO).Attach.func1) of Attach will > +never finish if it attaches to a container without any stdout or stderr > +output. Wait for http context cancel and break the pipe actively to > +address the issue. > + > +Signed-off-by: wheat2018 <1151937289@qq.com> > +Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp> > +(cherry picked from commit a0d0f0ef68935338d2c710db164fa7820f692530) > +Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp> > + > +Excluded pkg/cri/sbserver/container_attach.go changes as the file not > +present in our current vrsion 1.6.19 > + > +Upstream-Status: Backport [https://github.com/containerd/containerd/commit/c575d1b5f4011f33b32f71ace75367a92b08c750] > +CVE: CVE-2025-64329 > +Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> > +--- > + pkg/cri/io/container_io.go | 14 +++++++++++--- > + pkg/cri/server/container_attach.go | 2 +- > + 2 files changed, 12 insertions(+), 4 deletions(-) > + > +diff --git a/pkg/cri/io/container_io.go b/pkg/cri/io/container_io.go > +index 70bc8b789..e1584100f 100644 > +--- a/pkg/cri/io/container_io.go > ++++ b/pkg/cri/io/container_io.go > +@@ -17,6 +17,7 @@ > + package io > + > + import ( > ++ "context" > + "errors" > + "io" > + "strings" > +@@ -134,7 +135,7 @@ func (c *ContainerIO) Pipe() { > + > + // Attach attaches container stdio. > + // TODO(random-liu): Use pools.Copy in docker to reduce memory usage? 
> +-func (c *ContainerIO) Attach(opts AttachOptions) { > ++func (c *ContainerIO) Attach(ctx context.Context, opts AttachOptions) { > + var wg sync.WaitGroup > + key := util.GenerateID() > + stdinKey := streamKey(c.id, "attach-"+key, Stdin) > +@@ -175,8 +176,15 @@ func (c *ContainerIO) Attach(opts AttachOptions) { > + } > + > + attachStream := func(key string, close <-chan struct{}) { > +- <-close > +- logrus.Infof("Attach stream %q closed", key) > ++ select { > ++ case <-close: > ++ logrus.Infof("Attach stream %q closed", key) > ++ case <-ctx.Done(): > ++ logrus.Infof("Attach client of %q cancelled", key) > ++ // Avoid writeGroup heap up > ++ c.stdoutGroup.Remove(key) > ++ c.stderrGroup.Remove(key) > ++ } > + // Make sure stdin gets closed. > + if stdinStreamRC != nil { > + stdinStreamRC.Close() > +diff --git a/pkg/cri/server/container_attach.go b/pkg/cri/server/container_attach.go > +index a95215051..3625229f9 100644 > +--- a/pkg/cri/server/container_attach.go > ++++ b/pkg/cri/server/container_attach.go > +@@ -79,6 +79,6 @@ func (c *criService) attachContainer(ctx context.Context, id string, stdin io.Re > + }, > + } > + // TODO(random-liu): Figure out whether we need to support historical output. > +- cntr.IO.Attach(opts) > ++ cntr.IO.Attach(ctx, opts) > + return nil > + } > +-- > +2.25.1 > + > diff --git a/recipes-containers/containerd/containerd-opencontainers_git.bb b/recipes-containers/containerd/containerd-opencontainers_git.bb > index 264d37a6..05683d26 100644 > --- a/recipes-containers/containerd/containerd-opencontainers_git.bb > +++ b/recipes-containers/containerd/containerd-opencontainers_git.bb 
> @@ -11,6 +11,7 @@ SRC_URI = "git://github.com/containerd/containerd;branch=release/1.6;protocol=ht > file://0001-build-don-t-use-gcflags-to-define-trimpath.patch \ > file://CVE-2024-40635.patch \ > file://CVE-2024-25621.patch \ > + file://CVE-2025-64329.patch \ > " > > # Apache-2.0 for containerd > -- > 2.25.1 > > > -=-=-=-=-=-=-=-=-=-=-=- > Links: You receive all messages sent to this group. > View/Reply Online (#9437): https://lists.yoctoproject.org/g/meta-virtualization/message/9437 > Mute This Topic: https://lists.yoctoproject.org/mt/116217320/1050810 > Group Owner: meta-virtualization+owner@lists.yoctoproject.org > Unsubscribe: https://lists.yoctoproject.org/g/meta-virtualization/unsub [bruce.ashfield@gmail.com] > -=-=-=-=-=-=-=-=-=-=-=- > ^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [meta-virtualization][kirkstone][PATCH 2/2] containerd-opencontainers: fix CVE-2025-64329 2025-12-02 1:11 ` Bruce Ashfield @ 2025-12-02 2:48 ` Vijay Anusuri 2025-12-02 4:45 ` Bruce Ashfield 0 siblings, 1 reply; 6+ messages in thread From: Vijay Anusuri @ 2025-12-02 2:48 UTC (permalink / raw) To: Bruce Ashfield; +Cc: meta-virtualization [-- Attachment #1: Type: text/plain, Size: 6633 bytes --] Hi Bruce, Patch 1/2 (containerd-opencontainers: fix CVE-2024-25621) appears to have already been merged. Patch 1/2 : https://git.yoctoproject.org/meta-virtualization/commit/?h=kirkstone&id=9f4afbb21a91eab9917a25811f1d2ba7d223e071 Patch 2/2 : https://git.yoctoproject.org/meta-virtualization/commit/?h=kirkstone&id=4da521b4440f57b10ba70091ee0e31b1085e665e Since the patches were merged, I wanted to confirm with you before resending them. If you would still like me to resend the patches, I can do so. Thanks & Regards, Vijay On Tue, Dec 2, 2025 at 6:41 AM Bruce Ashfield <bruce.ashfield@gmail.com> wrote: > This patch says 2/2, but I can't find patch 1/2. What was the > subject of 1/2 ? Or rather than just telling me the subject, if > you resend it, that would be great. > > Bruce > > In message: [meta-virtualization][kirkstone][PATCH 2/2] > containerd-opencontainers: fix CVE-2025-64329 > on 10/11/2025 Vijay Anusuri via lists.yoctoproject.org wrote: > > > From: Vijay Anusuri <vanusuri@mvista.com> > > > > Upstream-Status: Backport from > https://github.com/containerd/containerd/commit/c575d1b5f4011f33b32f71ace75367a92b08c750 > > > > Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> > > --- > > .../CVE-2025-64329.patch | 80 +++++++++++++++++++ > > .../containerd-opencontainers_git.bb | 1 + > > 2 files changed, 81 insertions(+) > > create mode 100644 > recipes-containers/containerd/containerd-opencontainers/CVE-2025-64329.patch 
> > > > diff --git > a/recipes-containers/containerd/containerd-opencontainers/CVE-2025-64329.patch > b/recipes-containers/containerd/containerd-opencontainers/CVE-2025-64329.patch > > new file mode 100644 > > index 00000000..a3cc5e85 > > --- /dev/null > > +++ > b/recipes-containers/containerd/containerd-opencontainers/CVE-2025-64329.patch 
> > @@ -0,0 +1,80 @@ > > +From c575d1b5f4011f33b32f71ace75367a92b08c750 Mon Sep 17 00:00:00 2001 > > +From: wheat2018 <1151937289@qq.com> > > +Date: Tue, 13 Aug 2024 15:56:31 +0800 > > +Subject: [PATCH] fix goroutine leak of container Attach > > + > > +The monitor goroutine (runs (*ContainerIO).Attach.func1) of Attach will > > +never finish if it attaches to a container without any stdout or stderr > > +output. Wait for http context cancel and break the pipe actively to > > +address the issue. > > + > > +Signed-off-by: wheat2018 <1151937289@qq.com> > > +Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp> > > +(cherry picked from commit a0d0f0ef68935338d2c710db164fa7820f692530) > > +Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp> > > + > > +Excluded pkg/cri/sbserver/container_attach.go changes as the file not > > +present in our current vrsion 1.6.19 > > + > > +Upstream-Status: Backport [ > https://github.com/containerd/containerd/commit/c575d1b5f4011f33b32f71ace75367a92b08c750 > ] > > +CVE: CVE-2025-64329 > > +Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> > > +--- > > + pkg/cri/io/container_io.go | 14 +++++++++++--- > > + pkg/cri/server/container_attach.go | 2 +- > > + 2 files changed, 12 insertions(+), 4 deletions(-) > > + > > +diff --git a/pkg/cri/io/container_io.go b/pkg/cri/io/container_io.go > > +index 70bc8b789..e1584100f 100644 > > +--- a/pkg/cri/io/container_io.go > > ++++ b/pkg/cri/io/container_io.go > > +@@ -17,6 +17,7 @@ > > + package io > > + > > + import ( > > ++ "context" > > + "errors" > > + "io" > > + "strings" > > +@@ -134,7 +135,7 @@ func (c *ContainerIO) Pipe() { > > + > > + // Attach attaches container stdio. > > + // TODO(random-liu): Use pools.Copy in docker to reduce memory usage? 
> > +-func (c *ContainerIO) Attach(opts AttachOptions) { > > ++func (c *ContainerIO) Attach(ctx context.Context, opts AttachOptions) { > > + var wg sync.WaitGroup > > + key := util.GenerateID() > > + stdinKey := streamKey(c.id, "attach-"+key, Stdin) > > +@@ -175,8 +176,15 @@ func (c *ContainerIO) Attach(opts AttachOptions) { > > + } > > + > > + attachStream := func(key string, close <-chan struct{}) { > > +- <-close > > +- logrus.Infof("Attach stream %q closed", key) > > ++ select { > > ++ case <-close: > > ++ logrus.Infof("Attach stream %q closed", key) > > ++ case <-ctx.Done(): > > ++ logrus.Infof("Attach client of %q cancelled", key) > > ++ // Avoid writeGroup heap up > > ++ c.stdoutGroup.Remove(key) > > ++ c.stderrGroup.Remove(key) > > ++ } > > + // Make sure stdin gets closed. > > + if stdinStreamRC != nil { > > + stdinStreamRC.Close() > > +diff --git a/pkg/cri/server/container_attach.go > b/pkg/cri/server/container_attach.go > > +index a95215051..3625229f9 100644 > > +--- a/pkg/cri/server/container_attach.go > > ++++ b/pkg/cri/server/container_attach.go > > +@@ -79,6 +79,6 @@ func (c *criService) attachContainer(ctx > context.Context, id string, stdin io.Re > > + }, > > + } > > + // TODO(random-liu): Figure out whether we need to support > historical output. > > +- cntr.IO.Attach(opts) > > ++ cntr.IO.Attach(ctx, opts) > > + return nil > > + } > > +-- > > +2.25.1 > > + > > diff --git a/recipes-containers/containerd/ > containerd-opencontainers_git.bb b/recipes-containers/containerd/ > containerd-opencontainers_git.bb > > index 264d37a6..05683d26 100644 > > --- a/recipes-containers/containerd/containerd-opencontainers_git.bb > > +++ b/recipes-containers/containerd/containerd-opencontainers_git.bb 
> > @@ -11,6 +11,7 @@ SRC_URI = "git:// > github.com/containerd/containerd;branch=release/1.6;protocol=ht > > file://0001-build-don-t-use-gcflags-to-define-trimpath.patch > \ > > file://CVE-2024-40635.patch \ > > file://CVE-2024-25621.patch \ > > + file://CVE-2025-64329.patch \ > > " > > > > # Apache-2.0 for containerd > > -- > > 2.25.1 > > > > > > > -=-=-=-=-=-=-=-=-=-=-=- > > Links: You receive all messages sent to this group. > > View/Reply Online (#9437): > https://lists.yoctoproject.org/g/meta-virtualization/message/9437 > > Mute This Topic: https://lists.yoctoproject.org/mt/116217320/1050810 > > Group Owner: meta-virtualization+owner@lists.yoctoproject.org > > Unsubscribe: https://lists.yoctoproject.org/g/meta-virtualization/unsub > [bruce.ashfield@gmail.com] > > -=-=-=-=-=-=-=-=-=-=-=- > > > > [-- Attachment #2: Type: text/html, Size: 10116 bytes --] ^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [meta-virtualization][kirkstone][PATCH 2/2] containerd-opencontainers: fix CVE-2025-64329 2025-12-02 2:48 ` Vijay Anusuri @ 2025-12-02 4:45 ` Bruce Ashfield 0 siblings, 0 replies; 6+ messages in thread From: Bruce Ashfield @ 2025-12-02 4:45 UTC (permalink / raw) To: Vijay Anusuri; +Cc: meta-virtualization It looks like I also merged this one. I see it on the branch now that I've looked. Bruce In message: Re: [meta-virtualization][kirkstone][PATCH 2/2] containerd-opencontainers: fix CVE-2025-64329 on 02/12/2025 Vijay Anusuri wrote: > Hi Bruce, > > Patch 1/2 (containerd-opencontainers: fix CVE-2024-25621) appears to have > already been merged. > > Patch 1/2 : https://git.yoctoproject.org/meta-virtualization/commit/?h= > kirkstone&id=9f4afbb21a91eab9917a25811f1d2ba7d223e071 > Patch 2/2 : https://git.yoctoproject.org/meta-virtualization/commit/?h= > kirkstone&id=4da521b4440f57b10ba70091ee0e31b1085e665e > > Since the patches were merged, I wanted to confirm with you before resending > them. > If you would still like me to resend the patches, I can do so. > > Thanks & Regards, > Vijay > > On Tue, Dec 2, 2025 at 6:41 AM Bruce Ashfield <bruce.ashfield@gmail.com> wrote: > > This patch says 2/2, but I can't find patch 1/2. What was the > subject of 1/2 ? Or rather than just telling me the subject, if > you resend it, that would be great. > > Bruce > > In message: [meta-virtualization][kirkstone][PATCH 2/2] > containerd-opencontainers: fix CVE-2025-64329 > on 10/11/2025 Vijay Anusuri via lists.yoctoproject.org wrote: > > > From: Vijay Anusuri <vanusuri@mvista.com> > > > > Upstream-Status: Backport from https://github.com/containerd/containerd/ > commit/c575d1b5f4011f33b32f71ace75367a92b08c750 
> > > > Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> > > --- > > .../CVE-2025-64329.patch | 80 +++++++++++++++++++ > > .../containerd-opencontainers_git.bb | 1 + > > 2 files changed, 81 insertions(+) > > create mode 100644 recipes-containers/containerd/ > containerd-opencontainers/CVE-2025-64329.patch > > > > diff --git a/recipes-containers/containerd/containerd-opencontainers/ > CVE-2025-64329.patch b/recipes-containers/containerd/ > containerd-opencontainers/CVE-2025-64329.patch > > new file mode 100644 > > index 00000000..a3cc5e85 > > --- /dev/null > > +++ b/recipes-containers/containerd/containerd-opencontainers/ > CVE-2025-64329.patch 
> > @@ -0,0 +1,80 @@ > > +From c575d1b5f4011f33b32f71ace75367a92b08c750 Mon Sep 17 00:00:00 2001 > > +From: wheat2018 <1151937289@qq.com> > > +Date: Tue, 13 Aug 2024 15:56:31 +0800 > > +Subject: [PATCH] fix goroutine leak of container Attach > > + > > +The monitor goroutine (runs (*ContainerIO).Attach.func1) of Attach will > > +never finish if it attaches to a container without any stdout or stderr > > +output. Wait for http context cancel and break the pipe actively to > > +address the issue. > > + > > +Signed-off-by: wheat2018 <1151937289@qq.com> > > +Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp> > > +(cherry picked from commit a0d0f0ef68935338d2c710db164fa7820f692530) > > +Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp> > > + > > +Excluded pkg/cri/sbserver/container_attach.go changes as the file not > > +present in our current vrsion 1.6.19 > > + > > +Upstream-Status: Backport [https://github.com/containerd/containerd/ > commit/c575d1b5f4011f33b32f71ace75367a92b08c750] > > +CVE: CVE-2025-64329 > > +Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> > > +--- > > + pkg/cri/io/container_io.go | 14 +++++++++++--- > > + pkg/cri/server/container_attach.go | 2 +- > > + 2 files changed, 12 insertions(+), 4 deletions(-) > > + > > +diff --git a/pkg/cri/io/container_io.go b/pkg/cri/io/container_io.go > > +index 70bc8b789..e1584100f 100644 > > +--- a/pkg/cri/io/container_io.go > > ++++ b/pkg/cri/io/container_io.go > > +@@ -17,6 +17,7 @@ > > + package io > > + > > + import ( > > ++ "context" > > + "errors" > > + "io" > > + "strings" > > +@@ -134,7 +135,7 @@ func (c *ContainerIO) Pipe() { > > + > > + // Attach attaches container stdio. > > + // TODO(random-liu): Use pools.Copy in docker to reduce memory usage? 
> > +-func (c *ContainerIO) Attach(opts AttachOptions) { > > ++func (c *ContainerIO) Attach(ctx context.Context, opts AttachOptions) { > > + var wg sync.WaitGroup > > + key := util.GenerateID() > > + stdinKey := streamKey(c.id, "attach-"+key, Stdin) > > +@@ -175,8 +176,15 @@ func (c *ContainerIO) Attach(opts AttachOptions) { > > + } > > + > > + attachStream := func(key string, close <-chan struct{}) { > > +- <-close > > +- logrus.Infof("Attach stream %q closed", key) > > ++ select { > > ++ case <-close: > > ++ logrus.Infof("Attach stream %q closed", key) > > ++ case <-ctx.Done(): > > ++ logrus.Infof("Attach client of %q cancelled", key) > > ++ // Avoid writeGroup heap up > > ++ c.stdoutGroup.Remove(key) > > ++ c.stderrGroup.Remove(key) > > ++ } > > + // Make sure stdin gets closed. > > + if stdinStreamRC != nil { > > + stdinStreamRC.Close() > > +diff --git a/pkg/cri/server/container_attach.go b/pkg/cri/server/ > container_attach.go > > +index a95215051..3625229f9 100644 > > +--- a/pkg/cri/server/container_attach.go > > ++++ b/pkg/cri/server/container_attach.go > > +@@ -79,6 +79,6 @@ func (c *criService) attachContainer(ctx > context.Context, id string, stdin io.Re > > + }, > > + } > > + // TODO(random-liu): Figure out whether we need to support > historical output. > > +- cntr.IO.Attach(opts) > > ++ cntr.IO.Attach(ctx, opts) > > + return nil > > + } > > +-- > > +2.25.1 > > + > > diff --git a/recipes-containers/containerd/ > containerd-opencontainers_git.bb b/recipes-containers/containerd/ > containerd-opencontainers_git.bb > > index 264d37a6..05683d26 100644 > > --- a/recipes-containers/containerd/containerd-opencontainers_git.bb > > +++ b/recipes-containers/containerd/containerd-opencontainers_git.bb 
> > @@ -11,6 +11,7 @@ SRC_URI = "git://github.com/containerd/containerd; > branch=release/1.6;protocol=ht > > file://0001-build-don-t-use-gcflags-to-define-trimpath.patch > \ > > file://CVE-2024-40635.patch \ > > file://CVE-2024-25621.patch \ > > + file://CVE-2025-64329.patch \ > > " > > > > # Apache-2.0 for containerd > > -- > > 2.25.1 > > > > > > > -=-=-=-=-=-=-=-=-=-=-=- > > Links: You receive all messages sent to this group. > > View/Reply Online (#9437): https://lists.yoctoproject.org/g/ > meta-virtualization/message/9437 > > Mute This Topic: https://lists.yoctoproject.org/mt/116217320/1050810 > > Group Owner: meta-virtualization+owner@lists.yoctoproject.org > > Unsubscribe: https://lists.yoctoproject.org/g/meta-virtualization/unsub [ > bruce.ashfield@gmail.com] > > -=-=-=-=-=-=-=-=-=-=-=- > > > > ^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [meta-virtualization][kirkstone][PATCH 1/2] containerd-opencontainers: fix CVE-2024-25621 2025-11-10 11:30 [meta-virtualization][kirkstone][PATCH 1/2] containerd-opencontainers: fix CVE-2024-25621 vanusuri 2025-11-10 11:30 ` [meta-virtualization][kirkstone][PATCH 2/2] containerd-opencontainers: fix CVE-2025-64329 vanusuri @ 2025-11-19 23:28 ` Bruce Ashfield 1 sibling, 0 replies; 6+ messages in thread From: Bruce Ashfield @ 2025-11-19 23:28 UTC (permalink / raw) To: vanusuri; +Cc: meta-virtualization merged. Bruce In message: [meta-virtualization][kirkstone][PATCH 1/2] containerd-opencontainers: fix CVE-2024-25621 on 10/11/2025 Vijay Anusuri via lists.yoctoproject.org wrote: > From: Vijay Anusuri <vanusuri@mvista.com> > > Upstream-Status: Backport from https://github.com/containerd/containerd/commit/0450f046e6942e513d0ebf1ef5c2aff13daa187f > > Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> > --- > .../CVE-2024-25621.patch | 103 ++++++++++++++++++ > .../containerd-opencontainers_git.bb | 1 + > 2 files changed, 104 insertions(+) > create mode 100644 recipes-containers/containerd/containerd-opencontainers/CVE-2024-25621.patch > > diff --git a/recipes-containers/containerd/containerd-opencontainers/CVE-2024-25621.patch b/recipes-containers/containerd/containerd-opencontainers/CVE-2024-25621.patch > new file mode 100644 > index 00000000..4ae9bb63 > --- /dev/null > +++ b/recipes-containers/containerd/containerd-opencontainers/CVE-2024-25621.patch 
> @@ -0,0 +1,103 @@
> +From 0450f046e6942e513d0ebf1ef5c2aff13daa187f Mon Sep 17 00:00:00 2001
> +From: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
> +Date: Mon, 27 Oct 2025 16:42:59 +0900
> +Subject: [PATCH] Fix directory permissions
> +
> +- Create /var/lib/containerd with 0o700 (was: 0o711).
> +- Create config.TempDir with 0o700 (was: 0o711).
> +- Create /run/containerd/io.containerd.grpc.v1.cri with 0o700 (was: 0o755).
> +- Create /run/containerd/io.containerd.sandbox.controller.v1.shim with 0o700 (was: 0o711).
> +- Leave /run/containerd and /run/containerd/io.containerd.runtime.v2.task created with 0o711,
> + as required by userns-remapped containers.
> + /run/containerd/io.containerd.runtime.v2.task/<NS>/<ID> is created with:
> + - 0o700 for non-userns-remapped containers
> + - 0o710 for userns-remapped containers with the remapped root group as the owner group.
> +
> +Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
> +(cherry picked from commit 51b0cf11dc5af7ed1919beba259e644138b28d96)
> +Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
> +
> +Upstream-Status: Backport [https://github.com/containerd/containerd/commit/0450f046e6942e513d0ebf1ef5c2aff13daa187f]
> +CVE: CVE-2024-25621
> +Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
> +---
> + pkg/cri/cri.go | 8 ++++++++
> + runtime/v2/manager.go | 2 ++
> + services/server/server.go | 14 ++++++++++++--
> + 3 files changed, 22 insertions(+), 2 deletions(-)
> +
> +diff --git a/pkg/cri/cri.go b/pkg/cri/cri.go
> +index 7182716b6..dec810196 100644
> +--- a/pkg/cri/cri.go
> ++++ b/pkg/cri/cri.go
> +@@ -19,6 +19,7 @@ package cri
> + import (
> + "flag"
> + "fmt"
> ++ "os"
> + "path/filepath"
> +
> + "github.com/containerd/containerd"
> +@@ -68,6 +69,13 @@ func initCRIService(ic *plugin.InitContext) (interface{}, error) {
> + return nil, fmt.Errorf("invalid plugin config: %w", err)
> + }
> +
> ++ if err := os.MkdirAll(ic.State, 0700); err != nil {
> ++ return nil, err
> ++ }
> ++ // chmod is needed for upgrading from an older release that created the dir with 0755
> ++ if err := os.Chmod(ic.State, 0700); err != nil {
> ++ return nil, err
> ++ }
> + c := criconfig.Config{
> + PluginConfig: *pluginConfig,
> + ContainerdRootDir: filepath.Dir(ic.Root),
> +diff --git a/runtime/v2/manager.go b/runtime/v2/manager.go
> +index 1927cbb3f..1f26bbeac 100644
> +--- a/runtime/v2/manager.go
> ++++ b/runtime/v2/manager.go
> +@@ -109,6 +109,8 @@ type ManagerConfig struct {
> + // NewShimManager creates a manager for v2 shims
> + func NewShimManager(ctx context.Context, config *ManagerConfig) (*ShimManager, error) {
> + for _, d := range []string{config.Root, config.State} {
> ++ // root: the parent of this directory is created as 0700, not 0711.
> ++ // state: the parent of this directory is created as 0711 too, so as to support userns-remapped containers.
> + if err := os.MkdirAll(d, 0711); err != nil {
> + return nil, err
> + }
> +diff --git a/services/server/server.go b/services/server/server.go
> +index 857cc9c76..bc2ddbf1f 100644
> +--- a/services/server/server.go
> ++++ b/services/server/server.go
> +@@ -82,16 +82,26 @@ func CreateTopLevelDirectories(config *srvconfig.Config) error {
> + return errors.New("root and state must be different paths")
> + }
> +
> +- if err := sys.MkdirAllWithACL(config.Root, 0711); err != nil {
> ++ if err := sys.MkdirAllWithACL(config.Root, 0700); err != nil {
> ++ return err
> ++ }
> ++ // chmod is needed for upgrading from an older release that created the dir with 0o711
> ++ if err := os.Chmod(config.Root, 0700); err != nil {
> + return err
> + }
> +
> ++ // For supporting userns-remapped containers, the state dir cannot be just mkdired with 0o700.
> ++ // Each of plugins creates a dedicated directory beneath the state dir with appropriate permission bits.
> + if err := sys.MkdirAllWithACL(config.State, 0711); err != nil {
> + return err
> + }
> +
> + if config.TempDir != "" {
> +- if err := sys.MkdirAllWithACL(config.TempDir, 0711); err != nil {
> ++ if err := sys.MkdirAllWithACL(config.TempDir, 0700); err != nil {
> ++ return err
> ++ }
> ++ // chmod is needed for upgrading from an older release that created the dir with 0o711
> ++ if err := os.Chmod(config.Root, 0700); err != nil {
> + return err
> + }
> + if runtime.GOOS == "windows" {
> +--
> +2.25.1
> +
> diff --git a/recipes-containers/containerd/containerd-opencontainers_git.bb b/recipes-containers/containerd/containerd-opencontainers_git.bb
> index dd621705..264d37a6 100644
> --- a/recipes-containers/containerd/containerd-opencontainers_git.bb
> +++ b/recipes-containers/containerd/containerd-opencontainers_git.bb
> @@ -10,6 +10,7 @@ SRC_URI = "git://github.com/containerd/containerd;branch=release/1.6;protocol=ht
> file://0001-Makefile-allow-GO_BUILD_FLAGS-to-be-externally-speci.patch \
> file://0001-build-don-t-use-gcflags-to-define-trimpath.patch \
> file://CVE-2024-40635.patch \
> + file://CVE-2024-25621.patch \
> "
>
> # Apache-2.0 for containerd
> --
> 2.25.1
>
>
> -=-=-=-=-=-=-=-=-=-=-=-
> Links: You receive all messages sent to this group.
> View/Reply Online (#9436): https://lists.yoctoproject.org/g/meta-virtualization/message/9436
> Mute This Topic: https://lists.yoctoproject.org/mt/116217319/1050810
> Group Owner: meta-virtualization+owner@lists.yoctoproject.org
> Unsubscribe: https://lists.yoctoproject.org/g/meta-virtualization/unsub [bruce.ashfield@gmail.com]
> -=-=-=-=-=-=-=-=-=-=-=-
> In message: [meta-virtualization][kirkstone][PATCH 2/2] containerd-opencontainers: fix CVE-2025-64329 on 10/11/2025 Vijay Anusuri via lists.yoctoproject.org wrote:
> From: Vijay Anusuri <vanusuri@mvista.com>
>
> Upstream-Status: Backport from https://github.com/containerd/containerd/commit/c575d1b5f4011f33b32f71ace75367a92b08c750
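Review bot: In the `config.TempDir` branch of `CreateTopLevelDirectories` (services/server/server.go), the added upgrade chmod is applied to `config.Root` instead of the directory that was just created, so a TempDir left at 0o711 by an older release keeps those bits after the upgrade. The line should read `if err := os.Chmod(config.TempDir, 0700); err != nil {`, matching the comment directly above it. As this is a backport, it is worth checking whether upstream carries a follow-up for this line and picking it up together with this patch. On already-deployed systems the mode of the temp directory should be verified after the update rather than assumed. The function body continues outside the hunk.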
>
> Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
> ---
> .../CVE-2025-64329.patch | 80 +++++++++++++++++++
> .../containerd-opencontainers_git.bb | 1 +
> 2 files changed, 81 insertions(+)
> create mode 100644 recipes-containers/containerd/containerd-opencontainers/CVE-2025-64329.patch
>
> diff --git a/recipes-containers/containerd/containerd-opencontainers/CVE-2025-64329.patch b/recipes-containers/containerd/containerd-opencontainers/CVE-2025-64329.patch
> new file mode 100644
> index 00000000..a3cc5e85
> --- /dev/null
> +++ b/recipes-containers/containerd/containerd-opencontainers/CVE-2025-64329.patch
> @@ -0,0 +1,80 @@
> +From c575d1b5f4011f33b32f71ace75367a92b08c750 Mon Sep 17 00:00:00 2001
> +From: wheat2018 <1151937289@qq.com>
> +Date: Tue, 13 Aug 2024 15:56:31 +0800
> +Subject: [PATCH] fix goroutine leak of container Attach
> +
> +The monitor goroutine (runs (*ContainerIO).Attach.func1) of Attach will
> +never finish if it attaches to a container without any stdout or stderr
> +output. Wait for http context cancel and break the pipe actively to
> +address the issue.
> +
> +Signed-off-by: wheat2018 <1151937289@qq.com>
> +Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
> +(cherry picked from commit a0d0f0ef68935338d2c710db164fa7820f692530)
> +Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
> +
> +Excluded pkg/cri/sbserver/container_attach.go changes as the file not
> +present in our current vrsion 1.6.19
> +
> +Upstream-Status: Backport [https://github.com/containerd/containerd/commit/c575d1b5f4011f33b32f71ace75367a92b08c750]
> +CVE: CVE-2025-64329
> +Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
> +---
> + pkg/cri/io/container_io.go | 14 +++++++++++---
> + pkg/cri/server/container_attach.go | 2 +-
> + 2 files changed, 12 insertions(+), 4 deletions(-)
> +
> +diff --git a/pkg/cri/io/container_io.go b/pkg/cri/io/container_io.go
> +index 70bc8b789..e1584100f 100644
> +--- a/pkg/cri/io/container_io.go
> ++++ b/pkg/cri/io/container_io.go
> +@@ -17,6 +17,7 @@
> + package io
> +
> + import (
> ++ "context"
> + "errors"
> + "io"
> + "strings"
> +@@ -134,7 +135,7 @@ func (c *ContainerIO) Pipe() {
> +
> + // Attach attaches container stdio.
> + // TODO(random-liu): Use pools.Copy in docker to reduce memory usage?
> +-func (c *ContainerIO) Attach(opts AttachOptions) {
> ++func (c *ContainerIO) Attach(ctx context.Context, opts AttachOptions) {
> + var wg sync.WaitGroup
> + key := util.GenerateID()
> + stdinKey := streamKey(c.id, "attach-"+key, Stdin)
> +@@ -175,8 +176,15 @@ func (c *ContainerIO) Attach(opts AttachOptions) {
> + }
> +
> + attachStream := func(key string, close <-chan struct{}) {
> +- <-close
> +- logrus.Infof("Attach stream %q closed", key)
> ++ select {
> ++ case <-close:
> ++ logrus.Infof("Attach stream %q closed", key)
> ++ case <-ctx.Done():
> ++ logrus.Infof("Attach client of %q cancelled", key)
> ++ // Avoid writeGroup heap up
> ++ c.stdoutGroup.Remove(key)
> ++ c.stderrGroup.Remove(key)
> ++ }
> + // Make sure stdin gets closed.
> + if stdinStreamRC != nil {
> + stdinStreamRC.Close()
> +diff --git a/pkg/cri/server/container_attach.go b/pkg/cri/server/container_attach.go
> +index a95215051..3625229f9 100644
> +--- a/pkg/cri/server/container_attach.go
> ++++ b/pkg/cri/server/container_attach.go
> +@@ -79,6 +79,6 @@ func (c *criService) attachContainer(ctx context.Context, id string, stdin io.Re
> + },
> + }
> + // TODO(random-liu): Figure out whether we need to support historical output.
> +- cntr.IO.Attach(opts)
> ++ cntr.IO.Attach(ctx, opts)
> + return nil
> + }
> +--
> +2.25.1
> +
> diff --git a/recipes-containers/containerd/containerd-opencontainers_git.bb b/recipes-containers/containerd/containerd-opencontainers_git.bb
> index 264d37a6..05683d26 100644
> --- a/recipes-containers/containerd/containerd-opencontainers_git.bb
> +++ b/recipes-containers/containerd/containerd-opencontainers_git.bb
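Review bot: The doc comment on `Attach` in pkg/cri/io/container_io.go still reads only `// Attach attaches container stdio.` although the method now takes a `ctx` whose cancellation ends the attach stream; I would add `// Cancelling ctx stops the attach and removes its writers from the stdout and stderr groups.` The inline comment `// Avoid writeGroup heap up` is hard to parse, and something like `// Remove this attach's writers so the groups do not accumulate entries for cancelled clients` states what the two `Remove` calls are for. Both calls run whether or not stdout and stderr were attached, which is presumably harmless if `Remove` tolerates an unknown key, but that should be confirmed against the 1.6.19 tree this is backported to. The body of `Attach` starts and ends outside the hunk.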
> @@ -11,6 +11,7 @@ SRC_URI = "git://github.com/containerd/containerd;branch=release/1.6;protocol=ht
> file://0001-build-don-t-use-gcflags-to-define-trimpath.patch \
> file://CVE-2024-40635.patch \
> file://CVE-2024-25621.patch \
> + file://CVE-2025-64329.patch \
> "
>
> # Apache-2.0 for containerd
> --
> 2.25.1
>
>
> -=-=-=-=-=-=-=-=-=-=-=-
> Links: You receive all messages sent to this group.
> View/Reply Online (#9437): https://lists.yoctoproject.org/g/meta-virtualization/message/9437
> Mute This Topic: https://lists.yoctoproject.org/mt/116217320/1050810
> Group Owner: meta-virtualization+owner@lists.yoctoproject.org
> Unsubscribe: https://lists.yoctoproject.org/g/meta-virtualization/unsub [bruce.ashfield@gmail.com]
> -=-=-=-=-=-=-=-=-=-=-=-
>
^ permalink raw reply [flat|nested] 6+ messages in thread