v1.4.21

Known Issues:

• The upgrade to runc 1.2.8 can cause workloads to fail due to missing syscall permissions. We are investigating.

Fixed CVEs:

• CVE-2025-31133: runc: container escape via 'masked path' abuse due to mount race conditions
• CVE-2025-52565: runc: container escape with malicious config due to /dev/console mount and related races
• CVE-2025-52881: runc: opencontainers/selinux: container escape and denial of service due to arbitrary write gadgets and procfs write redirects

Package Updates:

• Updates golang-1-linux from 1.24.2 to 1.25.3

Updates:

• Updates runc from 1.2.6 to 1.2.8

What's Changed

• Randomize errand job name during tests to avoid cgroup conflicts by @rajathagasthya in #179
• Move integration2 tests to integration package by @rajathagasthya in #180
• Bump golangci/golangci-lint-action from 7 to 8 by @dependabot[bot] in #181
• Use new opencontainers/cgroups package by @ystros in #182
• Bump actions/checkout from 4 to 5 by @dependabot[bot] in #184
• Bump actions/setup-go from 5 to 6 by @dependabot[bot] in #185
• Increase open file limit in spec by @ystros in #187
• Pin back to runc v1.2 for CVE fixes by @ystros in #191
• ci: Use GHCR image for golang-release by @ystros in #192
• Bump golangci/golangci-lint-action from 8 to 9 by @dependabot[bot] in #190
• docs: add warning about unmounting shared volumes by @KauzClay in #189
• Rewrite hanging test in Ginkgo v2 style by @ystros in #193

New Contributors

• @rajathagasthya made their first contribution in #179
• @KauzClay made their first contribution in #189

Full Changelog: v1.4.20...v1.4.21