Skip to content

weekly portage stable package updates 2026-07-06 security edition#4132

Merged
tormath1 merged 4 commits into
mainfrom
tormath1/weekly-portage-stable-package-updates-2026-07-06-security
Jul 6, 2026
Merged

weekly portage stable package updates 2026-07-06 security edition#4132
tormath1 merged 4 commits into
mainfrom
tormath1/weekly-portage-stable-package-updates-2026-07-06-security

Conversation

@tormath1

@tormath1 tormath1 commented Jul 6, 2026

Copy link
Copy Markdown
Contributor

In this PR, we extract security updates from the weekly update.

Testing done

Manually emerged

Closes:


It's from Gentoo commit c57f55232814e5968dac23710b7c8927cb6b7e5e.

Signed-off-by: Flatcar Buildbot <buildbot@flatcar-linux.org>
Signed-off-by: Mathieu Tortuyaux <mtortuyaux@microsoft.com>
Copilot AI review requested due to automatic review settings July 6, 2026 09:49
@tormath1 tormath1 self-assigned this Jul 6, 2026
@tormath1 tormath1 added the main label Jul 6, 2026
@tormath1 tormath1 moved this to ✅ Testing / in Review in Flatcar tactical, release planning, and roadmap Jul 6, 2026
@tormath1 tormath1 moved this from ✅ Testing / in Review to ⚒️ In Progress in Flatcar tactical, release planning, and roadmap Jul 6, 2026

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR updates the portage-stable package set with a focus on security-related bumps, primarily refreshing OpenSSL ebuilds/manifests (including new patching where needed) and aligning container runtime dependencies (containerd → newer runc).

Changes:

  • Update OpenSSL ebuilds across multiple maintained branches, including verify-sig key dependency bumps and build/install logic alignment for newer OpenSSL series.
  • Refresh OpenSSL distfiles in dev-libs/openssl/Manifest, add an x86 AVX2 guard patch for 4.0.1, and drop no-longer-used patch files/older ebuilds.
  • Add runc-1.3.6 and bump containerd’s minimum required runc version accordingly, with corresponding Manifest updates.

Reviewed changes

Copilot reviewed 19 out of 20 changed files in this pull request and generated no comments.

Show a summary per file
File Description
sdk_container/src/third_party/portage-stable/dev-libs/openssl/openssl-4.0.9999.ebuild Bump verify-sig OpenSSL key dependency version for the OpenSSL 4.0 live ebuild.
sdk_container/src/third_party/portage-stable/dev-libs/openssl/openssl-4.0.1.ebuild Update OpenSSL 4.0.1 ebuild logic (sysroot/multibuild flow) and apply new x86 AVX2-related patch.
sdk_container/src/third_party/portage-stable/dev-libs/openssl/openssl-3.6.9999.ebuild Bump verify-sig OpenSSL key dependency version for the OpenSSL 3.6 live ebuild.
sdk_container/src/third_party/portage-stable/dev-libs/openssl/openssl-3.6.3.ebuild Update OpenSSL 3.6.3 ebuild logic to the newer sysroot/multibuild-based flow.
sdk_container/src/third_party/portage-stable/dev-libs/openssl/openssl-3.5.9999.ebuild Bump verify-sig OpenSSL key dependency version for the OpenSSL 3.5 live ebuild.
sdk_container/src/third_party/portage-stable/dev-libs/openssl/openssl-3.5.7.ebuild Bump verify-sig OpenSSL key dependency version and drop obsolete ppc64 patch application.
sdk_container/src/third_party/portage-stable/dev-libs/openssl/openssl-3.4.9999.ebuild Bump verify-sig OpenSSL key dependency version for the OpenSSL 3.4 live ebuild.
sdk_container/src/third_party/portage-stable/dev-libs/openssl/openssl-3.4.6.ebuild Bump verify-sig OpenSSL key dependency version for OpenSSL 3.4.6.
sdk_container/src/third_party/portage-stable/dev-libs/openssl/openssl-3.0.9999.ebuild Bump verify-sig OpenSSL key dependency version for the OpenSSL 3.0 live ebuild.
sdk_container/src/third_party/portage-stable/dev-libs/openssl/openssl-3.0.21.ebuild Bump verify-sig OpenSSL key dependency version for OpenSSL 3.0.21.
sdk_container/src/third_party/portage-stable/dev-libs/openssl/openssl-3.3.7.ebuild Remove the OpenSSL 3.3.7 ebuild from the snapshot.
sdk_container/src/third_party/portage-stable/dev-libs/openssl/Manifest Update OpenSSL distfile list and checksums to match the new version set.
sdk_container/src/third_party/portage-stable/dev-libs/openssl/files/openssl-4.0.1-x86-avx2.patch Add patch to constrain AVX2 base64 path to x86_64 builds.
sdk_container/src/third_party/portage-stable/dev-libs/openssl/files/openssl-3.5.5-ppc64.patch Remove obsolete OpenSSL ppc64 patch file.
sdk_container/src/third_party/portage-stable/dev-libs/openssl/files/openssl-3.5.5-ppc64-be.patch Remove obsolete OpenSSL ppc64 big-endian patch file.
sdk_container/src/third_party/portage-stable/dev-libs/openssl/files/openssl-3.3.2-silence-warning.patch Remove unused OpenSSL patch file previously tied to older versions.
sdk_container/src/third_party/portage-stable/app-containers/runc/runc-1.3.6.ebuild Add runc 1.3.6 ebuild.
sdk_container/src/third_party/portage-stable/app-containers/runc/Manifest Update runc distfile checksums for 1.3.6.
sdk_container/src/third_party/portage-stable/app-containers/containerd/Manifest Update containerd distfile entry (2.2.5).
sdk_container/src/third_party/portage-stable/app-containers/containerd/containerd-2.2.5.ebuild Bump containerd’s minimum runc dependency to >=1.3.6.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

@dongsupark

Copy link
Copy Markdown
Member

Thanks. We should be able to close flatcar/Flatcar#2178, as runc gets bumped to 1.3.6.

@krnowak krnowak left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Package automation didn't report anything else worth mentioning - the ebuilds didn't change in significant way.

@@ -0,0 +1,2 @@
- openssl ([3.5.7](https://openssl-library.org/news/openssl-3.5-notes/))

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
- openssl ([3.5.7](https://openssl-library.org/news/openssl-3.5-notes/))
- base, dev: openssl ([3.5.7](https://openssl-library.org/news/openssl-3.5-notes/))

@@ -0,0 +1,2 @@
- openssl ([3.5.7](https://openssl-library.org/news/openssl-3.5-notes/))
- sysext-containerd: containerd ([2.2.5](https://github.com/containerd/containerd/releases/tag/v2.2.5))

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
- sysext-containerd: containerd ([2.2.5](https://github.com/containerd/containerd/releases/tag/v2.2.5))
- sysext-containerd: containerd ([2.2.5](https://github.com/containerd/containerd/releases/tag/v2.2.5) (includes [2.2.4](https://github.com/containerd/containerd/releases/tag/v2.2.4), [2.2.3](https://github.com/containerd/containerd/releases/tag/v2.2.3)))

@krnowak

krnowak commented Jul 6, 2026

Copy link
Copy Markdown
Member

Thanks. We should be able to close flatcar/Flatcar#2178, as runc gets bumped to 1.3.6.

There is no runc bump happening - we are currently running 1.4.0-r1, which seems to be still vulnerable.

@krnowak

krnowak commented Jul 6, 2026

Copy link
Copy Markdown
Member

I think cherry-picking app-container/runc from weekly updates branch should be enough - we have accept keywords in line for 1.4* line of releases.

It's from Gentoo commit 92ad322050427f76c2b3575e947c9c4453bc30a4.

Signed-off-by: Flatcar Buildbot <buildbot@flatcar-linux.org>
Signed-off-by: Mathieu Tortuyaux <mtortuyaux@microsoft.com>
@tormath1 tormath1 force-pushed the tormath1/weekly-portage-stable-package-updates-2026-07-06-security branch from c2fc555 to 03235b2 Compare July 6, 2026 13:07
Copilot AI review requested due to automatic review settings July 6, 2026 13:07

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 23 out of 23 changed files in this pull request and generated 2 comments.

tormath1 added 2 commits July 6, 2026 15:24
Upstream PR is opened

Signed-off-by: Mathieu Tortuyaux <mtortuyaux@microsoft.com>
Signed-off-by: Mathieu Tortuyaux <mtortuyaux@microsoft.com>
@tormath1 tormath1 force-pushed the tormath1/weekly-portage-stable-package-updates-2026-07-06-security branch from 03235b2 to 84d959f Compare July 6, 2026 13:25
@tormath1

tormath1 commented Jul 6, 2026

Copy link
Copy Markdown
Contributor Author

I think cherry-picking app-container/runc from weekly updates branch should be enough - we have accept keywords in line for 1.4* line of releases.

Ok done, runc commit has been cherry-picked, runc security issue has been linked and CI has been restarted.

@tormath1 tormath1 marked this pull request as ready for review July 6, 2026 13:43
@tormath1 tormath1 requested a review from a team as a code owner July 6, 2026 13:43
Copilot AI review requested due to automatic review settings July 6, 2026 13:43

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 23 out of 23 changed files in this pull request and generated 1 comment.

@chewi chewi left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You missed my additional containerd commit to require Go >=1.25, but that's no big deal, we'll have that anyway.

@krnowak

krnowak commented Jul 6, 2026

Copy link
Copy Markdown
Member

pkg auto reports and some quick comments:

  • app-containers/containerd: [SYSEXT-CONTAINERD]
    • from 2.2.2 to 2.2.5
    • build dependencies:
      • added a dependency 'sec-policy/selinux-docker' for USE 'selinux?'
    • runtime dependencies:
      • changes for app-containers/runc:
        • changed version constraint from >=1.3.4 to >=1.3.6
    • TODO: review ebuild.diff
    • TODO: review occurrences
    • release notes: TODO

This will fail the build, because we enable selinux for app-containers/containerd in coreos/base/package.use, but don't have sec-policy/selinux-docker imported in portage-stable. Also, why on earth it is a build dependency?

  • app-containers/runc: [SYSEXT-CONTAINERD]
    • from 1.4.0-r1 to 1.4.3
    • package became unstable on 'amd64'
      • TODO: add/update accept keywords for this package in overlay profiles
    • package became unstable on 'arm64'
      • TODO: add/update accept keywords for this package in overlay profiles
    • removed IUSE flag 'kmem'
      • TODO: describe removed IUSE flag
    • dependencies:
      • dropped a dependency 'sys-libs/libapparmor' for USE 'apparmor?'
    • TODO: review ebuild.diff
    • TODO: review occurrences
    • release notes: TODO

kmem USE flag is dropped, and its only use in the ebuild was $(usex kmem '' 'nokmem'), which means that nothing is passed to the build system if kmem is enabled (and it was by default)

  • dev-libs/openssl: [PROD] [DEV]
    • from 3.5.6 to 3.5.7
    • build dependencies:
      • changes for sec-keys/openpgp-keys-openssl with USE conditionals 'verify-sig?':
        • changed version constraint from >=20240920 to >=20260415
    • TODO: review ebuild.diff
    • TODO: review other.diff
    • TODO: review occurrences
    • release notes: TODO

@chewi

chewi commented Jul 6, 2026

Copy link
Copy Markdown
Contributor

This will fail the build, because we enable selinux for app-containers/containerd in coreos/base/package.use, but don't have sec-policy/selinux-docker imported in portage-stable. Also, why on earth it is a build dependency?

It looks like it was added to BDEPEND instead of RDEPEND in the latest version in gentoo/gentoo@ab0ae3b by mistake. @thesamesam, please can you confirm?

@thesamesam

Copy link
Copy Markdown

Yes, a mistake - please fix it up if you can.

I was wondering about the apparmor thing too but didn't have a chance to check that.

@chewi

chewi commented Jul 6, 2026

Copy link
Copy Markdown
Contributor

Fixed in gentoo/gentoo@890b6da.

@tormath1

tormath1 commented Jul 6, 2026

Copy link
Copy Markdown
Contributor Author

@krnowak thanks for providing additional informations.

This will fail the build, because we enable selinux for app-containers/containerd in coreos/base/package.use, but don't have sec-policy/selinux-docker imported in portage-stable. Also, why on earth it is a build dependency?

The build did not fail because it seems we did not ask for selinux for containerd:

That said, the CI looks good and downloaded image gives:

Flatcar Container Linux by Kinvolk developer 9999.0.101+tormath1-security for QEMU
Last login: Mon Jul  6 17:04:37 UTC 2026 on tty1
core@localhost ~ $ openssl version
OpenSSL 3.5.7 9 Jun 2026 (Library: OpenSSL 3.5.7 9 Jun 2026)
core@localhost ~ $ containerd --version
containerd github.com/containerd/containerd/v2 v2.2.5 e53c7c1516c3b2bff98eb76f1f4117477e6f4e66
core@localhost ~ $ runc --version
runc version 1.4.3
commit: bb14dabeb7185bb72c8c86735d090dcb20f36587
spec: 1.3.0
go: go1.26.3-X:nodwarf5
libseccomp: 2.6.0

I'll merge the PR once the CI will be fully green.

@chewi

chewi commented Jul 6, 2026

Copy link
Copy Markdown
Contributor

The build did not fail because it seems we did not ask for selinux for containerd:

That's probably because it was BDEPEND and we don't enable selinux for the SDK.

@chewi

chewi commented Jul 6, 2026

Copy link
Copy Markdown
Contributor

On closer inspection, you're right, we only enable it on runc for some reason.

@tormath1 tormath1 merged commit c2f4958 into main Jul 6, 2026
24 of 26 checks passed
@github-project-automation github-project-automation Bot moved this from ⚒️ In Progress to Implemented in Flatcar tactical, release planning, and roadmap Jul 6, 2026
@tormath1 tormath1 deleted the tormath1/weekly-portage-stable-package-updates-2026-07-06-security branch July 6, 2026 18:15
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

Projects

Development

Successfully merging this pull request may close these issues.

6 participants