From 6c2295c6f089153cd3ac6fd227b24741edaa674d Mon Sep 17 00:00:00 2001
From: CentOS Sources <bugs@centos.org>
Date: Feb 04 2020 23:13:54 +0000
Subject: import runc-1.0.0-64.rc9.module+el8.1.1+5259+bcdd613a


---

diff --git a/.gitignore b/.gitignore
index 4d97e7f..dc6af45 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1 @@
-SOURCES/runc-425e105.tar.gz
+SOURCES/runc-d736ef1.tar.gz
diff --git a/.runc.metadata b/.runc.metadata
index 1ff52c1..6c81a25 100644
--- a/.runc.metadata
+++ b/.runc.metadata
@@ -1 +1 @@
-cfbe1abc984f5b0be1413475f888e39304b265ae SOURCES/runc-425e105.tar.gz
+812dbd873389db38f03438166784aee998146d30 SOURCES/runc-d736ef1.tar.gz
diff --git a/SOURCES/1807.patch b/SOURCES/1807.patch
index dcfae56..6d415f0 100644
--- a/SOURCES/1807.patch
+++ b/SOURCES/1807.patch
@@ -1,4 +1,4 @@
-From e3b37893afa498ef6254cc9d94c159b12e04d0b0 Mon Sep 17 00:00:00 2001
+From 3d99c51e1b38a440804a55c9f314f62cc50b8902 Mon Sep 17 00:00:00 2001
 From: Giuseppe Scrivano <gscrivan@redhat.com>
 Date: Fri, 25 May 2018 18:04:06 +0200
 Subject: [PATCH] sd-notify: do not hang when NOTIFY_SOCKET is used with create
@@ -10,21 +10,20 @@ still accessible from the container.
 
 Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
 ---
- notify_socket.go | 113 ++++++++++++++++++++++++++++++++++-------------
+ notify_socket.go | 112 ++++++++++++++++++++++++++++++++++-------------
  signals.go       |   4 +-
  start.go         |  13 +++++-
  utils_linux.go   |  12 ++++-
- 4 files changed, 106 insertions(+), 36 deletions(-)
+ 4 files changed, 105 insertions(+), 36 deletions(-)
 
 diff --git a/notify_socket.go b/notify_socket.go
-index b890b5b1c..286ce1ddd 100644
+index e7453c62..d961453a 100644
 --- a/notify_socket.go
 +++ b/notify_socket.go
-@@ -6,11 +6,14 @@ import (
- 	"bytes"
+@@ -7,11 +7,13 @@ import (
  	"fmt"
  	"net"
-+	"os"
+ 	"os"
 +	"path"
  	"path/filepath"
 +	"strconv"
@@ -37,7 +36,7 @@ index b890b5b1c..286ce1ddd 100644
  	"github.com/urfave/cli"
  )
  
-@@ -26,12 +29,12 @@ func newNotifySocket(context *cli.Context, notifySocketHost string, id string) *
+@@ -27,12 +29,12 @@ func newNotifySocket(context *cli.Context, notifySocketHost string, id string) *
  	}
  
  	root := filepath.Join(context.GlobalString("root"), id)
@@ -52,7 +51,7 @@ index b890b5b1c..286ce1ddd 100644
  	}
  
  	return notifySocket
-@@ -43,13 +46,19 @@ func (s *notifySocket) Close() error {
+@@ -44,13 +46,19 @@ func (s *notifySocket) Close() error {
  
  // If systemd is supporting sd_notify protocol, this function will add support
  // for sd_notify protocol from within the container.
@@ -76,7 +75,7 @@ index b890b5b1c..286ce1ddd 100644
  	addr := net.UnixAddr{
  		Name: s.socketPath,
  		Net:  "unixgram",
-@@ -64,45 +73,89 @@ func (s *notifySocket) setupSocket() error {
+@@ -71,45 +79,89 @@ func (s *notifySocket) setupSocket() error {
  	return nil
  }
  
@@ -189,7 +188,7 @@ index b890b5b1c..286ce1ddd 100644
  		}
  	}
 diff --git a/signals.go b/signals.go
-index b67f65a03..dd25e094c 100644
+index b67f65a0..dd25e094 100644
 --- a/signals.go
 +++ b/signals.go
 @@ -70,6 +70,7 @@ func (h *signalHandler) forward(process *libcontainer.Process, tty *tty, detach
@@ -211,7 +210,7 @@ index b67f65a03..dd25e094c 100644
  				}
  			}
 diff --git a/start.go b/start.go
-index 2bb698b20..3a1769a43 100644
+index 2bb698b2..3a1769a4 100644
 --- a/start.go
 +++ b/start.go
 @@ -3,6 +3,7 @@ package main
@@ -242,10 +241,10 @@ index 2bb698b20..3a1769a43 100644
  			return errors.New("cannot start a container that has stopped")
  		case libcontainer.Running:
 diff --git a/utils_linux.go b/utils_linux.go
-index ce50db145..670c0fcba 100644
+index 984e6b0f..46c26246 100644
 --- a/utils_linux.go
 +++ b/utils_linux.go
-@@ -406,7 +406,9 @@ func startContainer(context *cli.Context, spec *specs.Spec, action CtAct, criuOp
+@@ -408,7 +408,9 @@ func startContainer(context *cli.Context, spec *specs.Spec, action CtAct, criuOp
  
  	notifySocket := newNotifySocket(context, os.Getenv("NOTIFY_SOCKET"), id)
  	if notifySocket != nil {
@@ -256,7 +255,7 @@ index ce50db145..670c0fcba 100644
  	}
  
  	container, err := createContainer(context, id, spec)
-@@ -415,10 +417,16 @@ func startContainer(context *cli.Context, spec *specs.Spec, action CtAct, criuOp
+@@ -417,10 +419,16 @@ func startContainer(context *cli.Context, spec *specs.Spec, action CtAct, criuOp
  	}
  
  	if notifySocket != nil {
@@ -274,3 +273,6 @@ index ce50db145..670c0fcba 100644
  	}
  
  	// Support on-demand socket activation by passing file descriptors into the container init process.
+-- 
+2.21.0
+
diff --git a/SOURCES/99-containers.conf b/SOURCES/99-containers.conf
deleted file mode 100644
index 7e2d537..0000000
--- a/SOURCES/99-containers.conf
+++ /dev/null
@@ -1 +0,0 @@
-fs.may_detach_mounts=1
diff --git a/SOURCES/9aef50441511f0e9954d31d5ae84429040032e7c.patch b/SOURCES/9aef50441511f0e9954d31d5ae84429040032e7c.patch
deleted file mode 100644
index b077fb5..0000000
--- a/SOURCES/9aef50441511f0e9954d31d5ae84429040032e7c.patch
+++ /dev/null
@@ -1,179 +0,0 @@
-From 9aef50441511f0e9954d31d5ae84429040032e7c Mon Sep 17 00:00:00 2001
-From: Aleksa Sarai <asarai@suse.de>
-Date: Mon, 30 Sep 2019 00:35:33 +1000
-Subject: [PATCH] vendor: update github.com/opencontainers/selinux
-
-This is a bump to v1.3.0, plus the necessary CVE-2019-16884 mitigation.
-
-Signed-off-by: Aleksa Sarai <asarai@suse.de>
----
- vendor.conf                                   |  2 +-
- .../selinux/go-selinux/label/label_selinux.go | 18 ++++++----
- .../selinux/go-selinux/selinux_linux.go       | 33 +++++++++++++++++++
- .../selinux/go-selinux/selinux_stub.go        | 13 ++++++++
- 4 files changed, 58 insertions(+), 8 deletions(-)
-
-diff --git a/vendor.conf b/vendor.conf
-index e3f8e6d7e..a29764cd7 100644
---- a/vendor.conf
-+++ b/vendor.conf
-@@ -5,7 +5,7 @@
- # Core libcontainer functionality.
- github.com/checkpoint-restore/go-criu v3.11
- github.com/mrunalp/fileutils ed869b029674c0e9ce4c0dfa781405c2d9946d08
--github.com/opencontainers/selinux v1.2.2
-+github.com/opencontainers/selinux       5215b1806f52b1fcc2070a8826c542c9d33cd3cf # v1.3.0 (+ CVE-2019-16884)
- github.com/seccomp/libseccomp-golang 84e90a91acea0f4e51e62bc1a75de18b1fc0790f
- github.com/sirupsen/logrus a3f95b5c423586578a4e099b11a46c2479628cac
- github.com/syndtr/gocapability db04d3cc01c8b54962a58ec7e491717d06cfcc16
-diff --git a/vendor/github.com/opencontainers/selinux/go-selinux/label/label_selinux.go b/vendor/github.com/opencontainers/selinux/go-selinux/label/label_selinux.go
-index 1eb9a6bf2..2730fcf4a 100644
---- a/vendor/github.com/opencontainers/selinux/go-selinux/label/label_selinux.go
-+++ b/vendor/github.com/opencontainers/selinux/go-selinux/label/label_selinux.go
-@@ -13,11 +13,12 @@ import (
- 
- // Valid Label Options
- var validOptions = map[string]bool{
--	"disable": true,
--	"type":    true,
--	"user":    true,
--	"role":    true,
--	"level":   true,
-+	"disable":  true,
-+	"type":     true,
-+	"filetype": true,
-+	"user":     true,
-+	"role":     true,
-+	"level":    true,
- }
- 
- var ErrIncompatibleLabel = fmt.Errorf("Bad SELinux option z and Z can not be used together")
-@@ -51,13 +52,16 @@ func InitLabels(options []string) (plabel string, mlabel string, Err error) {
- 				return "", mountLabel, nil
- 			}
- 			if i := strings.Index(opt, ":"); i == -1 {
--				return "", "", fmt.Errorf("Bad label option %q, valid options 'disable' or \n'user, role, level, type' followed by ':' and a value", opt)
-+				return "", "", fmt.Errorf("Bad label option %q, valid options 'disable' or \n'user, role, level, type, filetype' followed by ':' and a value", opt)
- 			}
- 			con := strings.SplitN(opt, ":", 2)
- 			if !validOptions[con[0]] {
--				return "", "", fmt.Errorf("Bad label option %q, valid options 'disable, user, role, level, type'", con[0])
-+				return "", "", fmt.Errorf("Bad label option %q, valid options 'disable, user, role, level, type, filetype'", con[0])
- 
- 			}
-+			if con[0] == "filetype" {
-+				mcon["type"] = con[1]
-+			}
- 			pcon[con[0]] = con[1]
- 			if con[0] == "level" || con[0] == "user" {
- 				mcon[con[0]] = con[1]
-diff --git a/vendor/github.com/opencontainers/selinux/go-selinux/selinux_linux.go b/vendor/github.com/opencontainers/selinux/go-selinux/selinux_linux.go
-index d7786c33c..8cdf1b054 100644
---- a/vendor/github.com/opencontainers/selinux/go-selinux/selinux_linux.go
-+++ b/vendor/github.com/opencontainers/selinux/go-selinux/selinux_linux.go
-@@ -18,6 +18,8 @@ import (
- 	"strings"
- 	"sync"
- 	"syscall"
-+
-+	"golang.org/x/sys/unix"
- )
- 
- const (
-@@ -252,6 +254,12 @@ func getSELinuxPolicyRoot() string {
- 	return filepath.Join(selinuxDir, readConfig(selinuxTypeTag))
- }
- 
-+func isProcHandle(fh *os.File) (bool, error) {
-+	var buf unix.Statfs_t
-+	err := unix.Fstatfs(int(fh.Fd()), &buf)
-+	return buf.Type == unix.PROC_SUPER_MAGIC, err
-+}
-+
- func readCon(fpath string) (string, error) {
- 	if fpath == "" {
- 		return "", ErrEmptyPath
-@@ -263,6 +271,12 @@ func readCon(fpath string) (string, error) {
- 	}
- 	defer in.Close()
- 
-+	if ok, err := isProcHandle(in); err != nil {
-+		return "", err
-+	} else if !ok {
-+		return "", fmt.Errorf("%s not on procfs", fpath)
-+	}
-+
- 	var retval string
- 	if _, err := fmt.Fscanf(in, "%s", &retval); err != nil {
- 		return "", err
-@@ -345,6 +359,12 @@ func writeCon(fpath string, val string) error {
- 	}
- 	defer out.Close()
- 
-+	if ok, err := isProcHandle(out); err != nil {
-+		return err
-+	} else if !ok {
-+		return fmt.Errorf("%s not on procfs", fpath)
-+	}
-+
- 	if val != "" {
- 		_, err = out.Write([]byte(val))
- 	} else {
-@@ -392,6 +412,14 @@ func SetExecLabel(label string) error {
- 	return writeCon(fmt.Sprintf("/proc/self/task/%d/attr/exec", syscall.Gettid()), label)
- }
- 
-+/*
-+SetTaskLabel sets the SELinux label for the current thread, or an error.
-+This requires the dyntransition permission.
-+*/
-+func SetTaskLabel(label string) error {
-+	return writeCon(fmt.Sprintf("/proc/self/task/%d/attr/current", syscall.Gettid()), label)
-+}
-+
- // SetSocketLabel takes a process label and tells the kernel to assign the
- // label to the next socket that gets created
- func SetSocketLabel(label string) error {
-@@ -403,6 +431,11 @@ func SocketLabel() (string, error) {
- 	return readCon(fmt.Sprintf("/proc/self/task/%d/attr/sockcreate", syscall.Gettid()))
- }
- 
-+// PeerLabel retrieves the label of the client on the other side of a socket
-+func PeerLabel(fd uintptr) (string, error) {
-+	return unix.GetsockoptString(int(fd), syscall.SOL_SOCKET, syscall.SO_PEERSEC)
-+}
-+
- // SetKeyLabel takes a process label and tells the kernel to assign the
- // label to the next kernel keyring that gets created
- func SetKeyLabel(label string) error {
-diff --git a/vendor/github.com/opencontainers/selinux/go-selinux/selinux_stub.go b/vendor/github.com/opencontainers/selinux/go-selinux/selinux_stub.go
-index 79b005d19..0c2e1cd38 100644
---- a/vendor/github.com/opencontainers/selinux/go-selinux/selinux_stub.go
-+++ b/vendor/github.com/opencontainers/selinux/go-selinux/selinux_stub.go
-@@ -96,6 +96,14 @@ func SetExecLabel(label string) error {
- 	return nil
- }
- 
-+/*
-+SetTaskLabel sets the SELinux label for the current thread, or an error.
-+This requires the dyntransition permission.
-+*/
-+func SetTaskLabel(label string) error {
-+        return nil
-+}
-+
- /*
- SetSocketLabel sets the SELinux label that the kernel will use for any programs
- that are executed by the current process thread, or an error.
-@@ -109,6 +117,11 @@ func SocketLabel() (string, error) {
- 	return "", nil
- }
- 
-+// PeerLabel retrieves the label of the client on the other side of a socket
-+func PeerLabel(fd uintptr) (string, error) {
-+	return "", nil
-+}
-+
- // SetKeyLabel takes a process label and tells the kernel to assign the
- // label to the next kernel keyring that gets created
- func SetKeyLabel(label string) error {
diff --git a/SOURCES/d463f6485b809b5ea738f84e05ff5b456058a184.patch b/SOURCES/d463f6485b809b5ea738f84e05ff5b456058a184.patch
deleted file mode 100644
index a751010..0000000
--- a/SOURCES/d463f6485b809b5ea738f84e05ff5b456058a184.patch
+++ /dev/null
@@ -1,140 +0,0 @@
-From d463f6485b809b5ea738f84e05ff5b456058a184 Mon Sep 17 00:00:00 2001
-From: Aleksa Sarai <asarai@suse.de>
-Date: Fri, 27 Sep 2019 12:01:07 +1000
-Subject: [PATCH] *: verify that operations on /proc/... are on procfs
-
-This is an additional mitigation for CVE-2019-16884. The primary problem
-is that Docker can be coerced into bind-mounting a file system on top of
-/proc (resulting in label-related writes to /proc no longer happening).
-
-While we are working on mitigations against permitting the mounts, this
-helps avoid our code from being tricked into writing to non-procfs
-files. This is not a perfect solution (after all, there might be a
-bind-mount of a different procfs file over the target) but in order to
-exploit that you would need to be able to tweak a config.json pretty
-specifically (which thankfully Docker doesn't allow).
-
-Specifically this stops AppArmor from not labeling a process silently
-due to /proc/self/attr/... being incorrectly set, and stops any
-accidental fd leaks because /proc/self/fd/... is not real.
-
-Signed-off-by: Aleksa Sarai <asarai@suse.de>
----
- libcontainer/apparmor/apparmor.go | 10 +++++--
- libcontainer/utils/utils_unix.go  | 44 ++++++++++++++++++++++++-------
- 2 files changed, 42 insertions(+), 12 deletions(-)
-
-diff --git a/libcontainer/apparmor/apparmor.go b/libcontainer/apparmor/apparmor.go
-index 7fff0627f..debfc1e48 100644
---- a/libcontainer/apparmor/apparmor.go
-+++ b/libcontainer/apparmor/apparmor.go
-@@ -6,6 +6,8 @@ import (
- 	"fmt"
- 	"io/ioutil"
- 	"os"
-+
-+	"github.com/opencontainers/runc/libcontainer/utils"
- )
- 
- // IsEnabled returns true if apparmor is enabled for the host.
-@@ -19,7 +21,7 @@ func IsEnabled() bool {
- 	return false
- }
- 
--func setprocattr(attr, value string) error {
-+func setProcAttr(attr, value string) error {
- 	// Under AppArmor you can only change your own attr, so use /proc/self/
- 	// instead of /proc/<tid>/ like libapparmor does
- 	path := fmt.Sprintf("/proc/self/attr/%s", attr)
-@@ -30,6 +32,10 @@ func setprocattr(attr, value string) error {
- 	}
- 	defer f.Close()
- 
-+	if err := utils.EnsureProcHandle(f); err != nil {
-+		return err
-+	}
-+
- 	_, err = fmt.Fprintf(f, "%s", value)
- 	return err
- }
-@@ -37,7 +43,7 @@ func setprocattr(attr, value string) error {
- // changeOnExec reimplements aa_change_onexec from libapparmor in Go
- func changeOnExec(name string) error {
- 	value := "exec " + name
--	if err := setprocattr("exec", value); err != nil {
-+	if err := setProcAttr("exec", value); err != nil {
- 		return fmt.Errorf("apparmor failed to apply profile: %s", err)
- 	}
- 	return nil
-diff --git a/libcontainer/utils/utils_unix.go b/libcontainer/utils/utils_unix.go
-index c96088988..1576f2d4a 100644
---- a/libcontainer/utils/utils_unix.go
-+++ b/libcontainer/utils/utils_unix.go
-@@ -3,33 +3,57 @@
- package utils
- 
- import (
--	"io/ioutil"
-+	"fmt"
- 	"os"
- 	"strconv"
- 
- 	"golang.org/x/sys/unix"
- )
- 
-+// EnsureProcHandle returns whether or not the given file handle is on procfs.
-+func EnsureProcHandle(fh *os.File) error {
-+	var buf unix.Statfs_t
-+	if err := unix.Fstatfs(int(fh.Fd()), &buf); err != nil {
-+		return fmt.Errorf("ensure %s is on procfs: %v", fh.Name(), err)
-+	}
-+	if buf.Type != unix.PROC_SUPER_MAGIC {
-+		return fmt.Errorf("%s is not on procfs", fh.Name())
-+	}
-+	return nil
-+}
-+
-+// CloseExecFrom applies O_CLOEXEC to all file descriptors currently open for
-+// the process (except for those below the given fd value).
- func CloseExecFrom(minFd int) error {
--	fdList, err := ioutil.ReadDir("/proc/self/fd")
-+	fdDir, err := os.Open("/proc/self/fd")
-+	if err != nil {
-+		return err
-+	}
-+	defer fdDir.Close()
-+
-+	if err := EnsureProcHandle(fdDir); err != nil {
-+		return err
-+	}
-+
-+	fdList, err := fdDir.Readdirnames(-1)
- 	if err != nil {
- 		return err
- 	}
--	for _, fi := range fdList {
--		fd, err := strconv.Atoi(fi.Name())
-+	for _, fdStr := range fdList {
-+		fd, err := strconv.Atoi(fdStr)
-+		// Ignore non-numeric file names.
- 		if err != nil {
--			// ignore non-numeric file names
- 			continue
- 		}
--
-+		// Ignore descriptors lower than our specified minimum.
- 		if fd < minFd {
--			// ignore descriptors lower than our specified minimum
- 			continue
- 		}
--
--		// intentionally ignore errors from unix.CloseOnExec
-+		// Intentionally ignore errors from unix.CloseOnExec -- the cases where
-+		// this might fail are basically file descriptors that have already
-+		// been closed (including and especially the one that was created when
-+		// ioutil.ReadDir did the "opendir" syscall).
- 		unix.CloseOnExec(fd)
--		// the cases where this might fail are basically file descriptors that have already been closed (including and especially the one that was created when ioutil.ReadDir did the "opendir" syscall)
- 	}
- 	return nil
- }
diff --git a/SPECS/runc.spec b/SPECS/runc.spec
index 7cf6021..d08a700 100644
--- a/SPECS/runc.spec
+++ b/SPECS/runc.spec
@@ -11,8 +11,8 @@
 
 %if 0%{?rhel} > 7 && ! 0%{?fedora}
 %define gobuild(o:) \
-go build -buildmode pie -compiler gc -tags="rpm_crashtraceback ${BUILDTAGS:-}" -ldflags "${LDFLAGS:-} -compressdwarf=false -B 0x$(head -c20 /dev/urandom|od -An -tx1|tr -d ' \\n') -extldflags '%__global_ldflags'" -a -v -x %{?**};
-%endif # distro
+go build -buildmode pie -compiler gc -tags="rpm_crashtraceback no_openssl ${BUILDTAGS:-}" -ldflags "${LDFLAGS:-} -compressdwarf=false -B 0x$(head -c20 /dev/urandom|od -An -tx1|tr -d ' \\n') -extldflags '%__global_ldflags'" -a -v -x %{?**};
+%endif
 
 %global provider github
 %global provider_tld com
@@ -21,23 +21,19 @@ go build -buildmode pie -compiler gc -tags="rpm_crashtraceback ${BUILDTAGS:-}" -
 # https://github.com/opencontainers/runc
 %global import_path %{provider}.%{provider_tld}/%{project}/%{repo}
 %global git0 https://%{import_path}
-%global commit0 425e105d5a03fabd737a126ad93d62a9eeede87f
+%global commit0 d736ef14f0288d6993a1845745d6756cfc9ddd5a
 %global shortcommit0 %(c=%{commit0}; echo ${c:0:7})
 
 Name: %{repo}
 Version: 1.0.0
-Release: 61.rc8%{?dist}
+Release: 64.rc9%{?dist}
 Summary: CLI for running Open Containers
 ExcludeArch: %{ix86}
 License: ASL 2.0
 URL: %{git0}
 Source0: %{git0}/archive/%{commit0}/%{name}-%{shortcommit0}.tar.gz
-Source1: 99-containers.conf
 Patch0: 1807.patch
-Patch1: https://github.com/opencontainers/runc/commit/9aef50441511f0e9954d31d5ae84429040032e7c.patch
-Patch2: https://github.com/opencontainers/runc/commit/d463f6485b809b5ea738f84e05ff5b456058a184.patch
-# If go_compiler is not set to 1, there is no virtual provide. Use golang instead.
-BuildRequires: %{?go_compiler:compiler(go-compiler)}%{!?go_compiler:golang} >= 1.6.2
+BuildRequires: golang >= 1.12.12-4
 BuildRequires: git
 BuildRequires: go-md2man
 BuildRequires: libseccomp-devel
@@ -63,7 +59,7 @@ popd
 pushd GOPATH/src/%{import_path}
 export GOPATH=%{gopath}:$(pwd)/GOPATH
 export BUILDTAGS="selinux seccomp"
-%gobuild -o %{name} %{import_path} 
+%gobuild -o %{name} %{import_path}
 
 pushd man
 ./md2man-all.sh
@@ -93,9 +89,22 @@ install -p -m 0644 contrib/completions/bash/%{name} %{buildroot}%{_datadir}/bash
 %{_datadir}/bash-completion/completions/%{name}
 
 %changelog
-* Mon Nov 25 2019 Jindrich Novy <jnovy@redhat.com> - 1.0.0-61.rc8
-- backport patches for CVE-2019-16884 from upstream
-- Resolves: #1764182
+* Wed Dec 11 2019 Jindrich Novy <jnovy@redhat.com> - 1.0.0-64.rc9
+- use no_openssl in BUILDTAGS (no vendored crypto in runc)
+- Related: RHELPLAN-25138
+
+* Mon Dec 09 2019 Jindrich Novy <jnovy@redhat.com> - 1.0.0-63.rc9
+- be sure to use golang >= 1.12.12-4
+- Related: RHELPLAN-25138
+
+* Thu Nov 28 2019 Jindrich Novy <jnovy@redhat.com> - 1.0.0-62.rc9
+- rebuild because of CVE-2019-9512 and CVE-2019-9514
+- Related: RHELPLAN-25138
+
+* Thu Nov 21 2019 Jindrich Novy <jnovy@redhat.com> - 1.0.0-61.rc9
+- update to runc 1.0.0-rc9 release
+- amend golang deps
+- fixes CVE-2019-16884
 
 * Mon Jun 17 2019 Lokesh Mandvekar <lsm5@redhat.com> - 1.0.0-60.rc8
 - Resolves: #1721247 - enable fips mode