codex/codex-rs/vendor/bubblewrap/NEWS.md
Michael Bolin 123ec8b035 vendor: update bubblewrap to 0.11.2 (#21389)
## Why

`codex-rs/vendor/bubblewrap` had fallen behind upstream, and upstream
`v0.11.2` is the current Bubblewrap release. The release is a security
update for `CVE-2026-41163`, affecting setuid Bubblewrap builds, and
deprecates setuid support in favor of the default non-setuid build mode.

## What changed

- Refreshed the vendored Bubblewrap sources under
`codex-rs/vendor/bubblewrap` to upstream `v0.11.2`.
- Brought in the upstream `-Dsupport_setuid` build option, which
defaults setuid support off.
- Updated vendored release notes and documentation files included with
Bubblewrap.

## Verification

Not run locally; this PR only refreshes the vendored upstream Bubblewrap
source snapshot.

Upstream release:
https://github.com/containers/bubblewrap/releases/tag/v0.11.2
2026-05-06 18:10:30 +00:00


bubblewrap 0.11.2
=================

Released: 2026-04-23

Bug fixes:

* In setuid mode, don't run the low-privileged parts of the setup
as dumpable, as that allows it to be ptraced which can lead to problems.
This is CVE-2026-41163, and was reported by François Diakhate.

Enhancements:

* New build option `-Dsupport_setuid`, which if set to false (which
is the default) disables the support for setuid. Binaries built
with this will refuse to run if made setuid. We recommend building
normal bubblewrap binaries like this, which allows you to safely
ignore any security issues that only affect setuid mode.
bubblewrap 0.11.1
=================

Released: 2026-03-21

Bug fixes:

* Reset disposition of `SIGCHLD`, restoring normal subprocess management
if bwrap was run from a process that was ignoring that signal,
such as Erlang or volumeicon (#705, Joel Pelaez Jorge)
* Don't ignore `--userns 0`, `--userns2 0` or `--pidns 0` if used
(#731, Daniel Cazares).
Note that using a fd number ≥ 3 for these purposes is still
preferred, to avoid confusion with the stdin, stdout, stderr
that will be inherited by the command inside the container.
* Fix grammar in an error message (#694, J. Neuschäfer)
* Fix a broken link in the documentation (#729, Aaron Brooks)

Internal changes:

* Enable user namespaces in Github Actions configuration, fixing a CI
regression with newer Ubuntu (#728, Joel Pelaez Jorge)
* Clarify comments (#737, Simon McVittie)
bubblewrap 0.11.0
=================

Released: 2024-10-30

Dependencies:

* Remove the Autotools build system. Meson ≥ 0.49.0 is now required
at build-time. (#625, Hugo Osvaldo Barrera)
* For users of bash-completion, bash-completion ≥ 2.10 is recommended.
With older bash-completion, bubblewrap might install completions
outside its `${prefix}` unless overridden with `-Dbash_completion_dir=…`.

Enhancements:

* New `--overlay`, `--tmp-overlay`, `--ro-overlay` and `--overlay-src`
options allow creation of overlay mounts.
This feature is not available when bubblewrap is installed setuid.
(#412, #663; Ryan Hendrickson, William Manley, Simon McVittie)
* New `--level-prefix` option produces output that can be parsed by
tools like `logger --prio-prefix` and `systemd-cat --level-prefix=1`
(#646, Simon McVittie)

Bug fixes:

* Handle `EINTR` when doing I/O on files or sockets (#657, Simon McVittie)
* Don't make assumptions about alignment of socket control message data
(#637, Simon McVittie)
* Silence some Meson deprecation warnings (#647, @Sertonix)
* Update URLs in documentation to https (#566, @TotalCaesar659)
* Improve tests' compatibility with busybox (#627, @Sertonix)
* Improve compatibility with Meson < 1.3.0 (#664, Simon McVittie)

Internal changes:

* Consistently use `<stdbool.h>` for booleans (#660, Simon McVittie)
* Avoid `-Wshadow` compiler warnings (#661, Simon McVittie)
* Update Github Actions configuration (#658, Simon McVittie)
----
See also <https://github.com/containers/bubblewrap/releases>