github/kata-containers
1
0
Fork 2
mirror of https://github.com/kata-containers/kata-containers.git synced 2026-05-18 05:36:24 +00:00
Code Issues Projects Releases Wiki Activity
Files
a3d6829ed4023dec126be0b0c19efd16939359b2
kata-containers/versions.yaml
Zvonko Kaiser 803531dd9c kernel: Bump Kernel Version 
Copy Fail" (CVE-2026-31431) is a high-severity local privilege escalation (LPE)
vulnerability found in the Linux kernel in April 2026, which affects all major
Linux distributions—including those using Long Term Support (LTS) kernels—released since 2017.
The bug allows an unprivileged user to gain root access, escape containers,
and modify the in-memory page cache reliably using a tiny 732-byte script

Signed-off-by: Zvonko Kaiser <zkaiser@nvidia.com>
2026-05-01 14:21:49 +00:00

508 lines
17 KiB
YAML
Raw Blame History

#
# Copyright (c) 2018-2023 Intel Corporation
#
# SPDX-License-Identifier: Apache-2.0
#
---
description: |
This file contains version details that are used by various
repositories for setting up the correct environment to run
tests and package components.
format: |
Each entry in this file MUST conform to the following format:
<group>:
description: "<brief-description>"
notes: "<notes>"
<project>:
description: "<brief-description>"
notes: "<notes>"
url: "<project-url>"
issue: "<bug-url>"
commit: "<commit>"
version: "<version>"
uscan-opts: "<optional uscan options>"
uscan-url: "<url regex for uscan to list versions>"
release: "<version>"
branch: "<git-branch>"
meta:
<key-1>: "<value-1>"
<key-n>: "<value-n>"
Notes:
- All sections (except "meta") MUST include a description where
applicable. This is expected to be a brief summary.
- A section MAY specify a "notes" section which may be multi-line.
It is expected to be expand on the information specified in
"description".
- All sections (except "meta") MUST include a URL where applicable.
- A section MAY specify a bug URL using the "issue" field.
- A section MAY define a "meta" section to store additional
information about a project or group.
- Each entry MUST specify ATLEAST one of "commit", "version", "release"
and "branch".
- WARNING: Gotcha alert! Remember to double-quote all strings
(except multi-line strings)! This avoids the possibility of a
version containing a period being treated as a floating point
number (and truncated!)
- NOTE: For the uscan related entries, refer to the following uscan pages:
https://manpages.debian.org/stretch/devscripts/uscan.1.en.html
https://wiki.debian.org/debian/watch
Particularly note the 'Common mistakes' section.
Also note, if you place the uscan strings on single lines in this file then
'\'s need to be '\'d, so are replaced with '\\', but this does not apply
for '>-' multi line entries, which can then use the normal uscan syntax.
assets:
description: "Additional required system elements"
hypervisor:
description: "Component used to create virtual machines"
cloud_hypervisor:
description: "Cloud Hypervisor is an open source Virtual Machine Monitor"
url: "https://github.com/cloud-hypervisor/cloud-hypervisor"
uscan-url: >-
https://github.com/cloud-hypervisor/cloud-hypervisor/tags.*/v?(\d\S+)\.tar\.gz
version: "v51.1"
firecracker:
description: "Firecracker micro-VMM"
url: "https://github.com/firecracker-microvm/firecracker"
uscan-url: >-
https://github.com/firecracker-microvm/firecracker/tags
.*/v?(\d\S+)\.tar\.gz
version: "v1.12.1"
qemu:
description: "VMM that uses KVM"
url: "https://github.com/qemu/qemu"
version: "v10.2.1"
tag: "v10.2.1"
# Do not include any non-full release versions
# Break the line *without CR or space being appended*, to appease
# yamllint, and note the deliberate ' ' at the end of the expression.
uscan-opts: "opts=uversionmangle=s/(\\d)[_\\.\\-\\+]?\
((RC|rc|pre|dev|beta|alpha)\\d*)$/$1~$2/ "
uscan-url: >-
https://github.com/qemu/qemu/tags
.*/v?(\d\S+)\.tar\.gz
qemu-cca-experimental:
description: "QEMU with experimental CCA support"
url: "https://git.codelinaro.org/linaro/dcap/qemu.git"
tag: "97345ddc501d3eb45bbbf15d97608fba0c2c0c7b"
qemu-snp-experimental:
description: "QEMU with GPU+SNP support"
url: "https://github.com/confidential-containers/qemu.git"
tag: "gpu-snp-20260107"
qemu-tdx-experimental:
description: "QEMU with GPU+TDX support"
url: "https://github.com/confidential-containers/qemu.git"
tag: "gpu-tdx-20260107"
stratovirt:
description: "StratoVirt is an lightweight opensource VMM"
url: "https://github.com/openeuler-mirror/stratovirt"
version: "v2.3.0"
image:
description: |
Root filesystem disk image used to boot the guest virtual
machine.
url: "https://github.com/kata-containers/kata-containers/tools/osbuilder"
architecture:
aarch64:
name: "ubuntu"
version: "noble" # 24.04 LTS
confidential:
name: "ubuntu"
version: "noble" # 24.04 LTS
nvidia-gpu:
name: "ubuntu"
version: "noble" # 24.04 LTS
nvidia-gpu-confidential:
name: "ubuntu"
version: "noble" # 24.04 LTS
ppc64le:
name: "ubuntu"
version: "noble" # 24.04 LTS
s390x:
name: "ubuntu"
version: "noble" # 24.04 LTS
confidential:
name: "ubuntu"
version: "noble" # 24.04 LTS
x86_64:
name: "ubuntu"
version: "noble" # 24.04 LTS
confidential:
name: "ubuntu"
version: "noble" # 24.04 LTS
mariner:
name: "cbl-mariner"
version: "3.0"
nvidia-gpu:
name: "ubuntu"
version: "noble" # 24.04 LTS
nvidia-gpu-confidential:
name: "ubuntu"
version: "noble" # 24.04 LTS
initrd:
description: |
Root filesystem initrd used to boot the guest virtual
machine.
url: "https://github.com/kata-containers/kata-containers/tools/osbuilder"
architecture:
aarch64:
name: "alpine"
version: "3.22"
confidential:
name: "ubuntu"
version: "noble" # 24.04 LTS
nvidia-gpu:
name: "ubuntu"
version: "noble" # 24.04 LTS
nvidia-gpu-confidential:
name: "ubuntu"
version: "noble" # 24.04 LTS
# Do not use Alpine on ppc64le & s390x, the agent cannot use musl because
# there is no such Rust target
ppc64le:
name: "ubuntu"
version: "noble" # 24.04 LTS
s390x:
name: "ubuntu"
version: "noble" # 24.04 LTS
confidential:
name: "ubuntu"
version: "noble" # 24.04 LTS
x86_64:
name: "alpine"
version: "3.22"
confidential:
name: "ubuntu"
version: "noble" # 24.04 LTS
nvidia-gpu:
name: "ubuntu"
version: "noble" # 24.04 LTS
nvidia-gpu-confidential:
name: "ubuntu"
version: "noble" # 24.04 LTS
kernel:
description: "Linux kernel optimised for virtual machines"
url: "https://cdn.kernel.org/pub/linux/kernel/v6.x/"
version: "v6.18.15"
nvidia:
description: "Linux kernel optimised for virtual machines"
url: "https://cdn.kernel.org/pub/linux/kernel/v6.x/"
version: "v6.18.15"
kernel-arm-experimental:
description: "Linux kernel with cpu/mem hotplug support on arm64"
url: "https://cdn.kernel.org/pub/linux/kernel/v5.x/"
version: "v5.15.138"
confidential:
description: "Linux kernel with RME support on arm64"
url: "https://gitlab.arm.com/linux-arm/linux-cca"
version: "v6.15.0-rc1-916aeec68dd4500a1cdf4ebf214c5620955daf3f"
ref: "916aeec68dd4500a1cdf4ebf214c5620955daf3f"
kernel-dragonball-experimental:
description: "Linux kernel with Dragonball VMM optimizations like upcall"
url: "https://cdn.kernel.org/pub/linux/kernel/v6.x/"
version: "v6.18.22"
externals:
description: "Third-party projects used by the system"
nvrc:
# yamllint disable-line rule:line-length
desc: "The NVRC project provides a Rust binary that implements a simple init system for microVMs"
version: "v0.1.4"
url: "https://github.com/NVIDIA/nvrc/releases/download/"
nvidia:
desc: "NVIDIA compute stack"
driver:
desc: "NVIDIA kernel driver"
version: "595.58.03"
# yamllint disable-line rule:line-length
url: "https://github.com/NVIDIA/open-gpu-kernel-modules/archive/refs/tags/"
cuda:
desc: "NVIDIA CUDA repository"
repo:
x86_64:
# yamllint disable-line rule:line-length
url: "https://developer.download.nvidia.com/compute/cuda/repos/ubuntu2404/x86_64/"
pkg: "cuda-keyring_1.1-1_all.deb"
aarch64:
# yamllint disable-line rule:line-length
url: "https://developer.download.nvidia.com/compute/cuda/repos/ubuntu2404/sbsa/"
pkg: "cuda-keyring_1.1-1_all.deb"
tools:
desc: "NVIDIA container toolkit and tools repository"
repo:
x86_64:
# yamllint disable-line rule:line-length
url: "https://developer.download.nvidia.com/compute/cuda/repos/ubuntu2404/x86_64/"
pkg: "cuda-keyring_1.1-1_all.deb"
aarch64:
# yamllint disable-line rule:line-length
url: "https://developer.download.nvidia.com/compute/cuda/repos/ubuntu2404/sbsa/"
pkg: "cuda-keyring_1.1-1_all.deb"
ctk:
version: "1.18.1-1"
url: "https://github.com/NVIDIA/nvidia-container-toolkit"
nvat:
desc: "NVIDIA Attestation SDK"
version: "2026.03.02"
url: "https://github.com/NVIDIA/attestation-sdk"
busybox:
desc: "The Swiss Army Knife of Embedded Linux"
version: "1.36.1"
url: "https://busybox.net/downloads"
helm:
description: "Kubernetes package manager"
url: "https://get.helm.sh/"
version: "v4.0.4"
cni-plugins:
description: "CNI network plugins"
url: "https://github.com/containernetworking/plugins"
version: "v1.2.0"
coco-guest-components:
description: "Provides attested key unwrapping for image decryption"
url: "https://github.com/confidential-containers/guest-components/"
version: "de3f6ff62aa736619b80d99dfca5bc3d2c9a799d"
toolchain: "1.90.0"
coco-trustee:
description: "Provides attestation and secret delivery components"
url: "https://github.com/confidential-containers/trustee"
version: "22788122660d6e9be3e4bf52704282de5fcc0a2a"
# image and image_tag must be in sync
image: "ghcr.io/confidential-containers/staged-images/kbs"
image_tag: "22788122660d6e9be3e4bf52704282de5fcc0a2a"
toolchain: "1.90.0"
containerd:
description: |
Containerd for Kubernetes Container Runtime Interface.
url: "github.com/containerd/containerd"
tarball_url: "https://github.com/containerd/containerd/releases/download"
# containerd from v1.5.0 used the path unix socket
# instead of abstract socket, thus kata wouldn's support the containerd's
# version older than them.
version: "v1.7.25"
lts: "v1.7"
active: "v2.2"
critools:
description: "CLI tool for Container Runtime Interface (CRI)"
url: "https://github.com/kubernetes-sigs/cri-tools"
version: "1.23.0"
# As we don't want to disrupt what we have on the `tests` repo, let's
# create a "latest" entry and use that for the GitHub actions tests.
latest: "v1.29"
runc:
description: "CLI tool for spawning and running containers"
url: "https://github.com/opencontainers/runc"
latest: "v1.2"
cryptsetup:
description: "A utility used to setup disk encryption, integrity protection"
url: "https://gitlab.com/cryptsetup/cryptsetup"
version: "v2.8.1"
gperf:
description: "GNU gperf is a perfect hash function generator"
url: "https://ftp.gnu.org.uk/gnu/gperf/"
version: "3.3"
hadolint:
description: "the dockerfile linter used by static-checks"
url: "https://github.com/hadolint/hadolint"
version: "2.12.0"
lvm2:
description: "LVM2 and device-mapper tools and libraries"
url: "https://github.com/lvmteam/lvm2"
version: "v2_03_38"
kubernetes:
description: "Kubernetes project container manager"
url: "https://github.com/kubernetes/kubernetes"
# regexp formed to match 'd.tar.gz', deliberately to not match any alpha or
# beta type releases
uscan-url: >-
https://github.com/kubernetes/kubernetes/tags
.*/v?([\d\.]+)\.tar\.gz
version: "1.23.1-00"
kustomize:
description: "Kubernetes native configuration management"
url: "https://github.com/kubernetes-sigs/kustomize"
version: "v5.3.0"
checksum:
amd64: "3ab32f92360d752a2a53e56be073b649abc1e7351b912c0fb32b960d1def854c"
arm64: "a1ec622d4adeb483e3cdabd70f0d66058b1e4bcec013c4f74f370666e1e045d8"
# yamllint disable-line rule:line-length
ppc64le: "946b1aa9325e7234157881fe2098e59c05c6834e56205bf6ec0a9a5fc83c9cc4"
s390x: "0b1a00f0e33efa2ecaa6cda9eeb63141ddccf97a912425974d6b65e66cf96cd4"
libseccomp:
description: "High level interface to Linux seccomp filter"
url: "https://github.com/seccomp/libseccomp"
version: "2.6.0"
pause:
description: "Kubernetes pause container image"
repo: "docker://registry.k8s.io/pause"
version: "3.10"
nydus:
description: "Nydus image acceleration service"
url: "https://github.com/dragonflyoss/image-service"
version: "v2.2.3"
nydus-snapshotter:
description: "Snapshotter for Nydus image acceleration service"
url: "https://github.com/containerd/nydus-snapshotter"
version: "v0.15.15"
opa:
description: "Open Policy Agent"
url: "https://github.com/open-policy-agent/opa"
version: "v1.9.0"
ovmf:
description: "Firmware, implementation of UEFI for virtual machines."
url: "https://github.com/tianocore/edk2"
x86_64:
description: "Vanilla firmware build"
version: "edk2-stable202508"
package: "OvmfPkg/OvmfPkgX64.dsc"
package_output_dir: "OvmfX64"
sev:
# Used by AMD SEV-SNP for measured direct boot
description: "AmdSev build needed for SEV measured direct boot."
version: "edk2-stable202508"
package: "OvmfPkg/AmdSev/AmdSevX64.dsc"
package_output_dir: "AmdSev"
tdx:
description: "UEFI for Intel TDX virtual machines."
version: "edk2-stable202511"
package: "OvmfPkg/IntelTdx/IntelTdxX64.dsc"
package_output_dir: "IntelTdx"
arm64:
description: "UEFI for arm64 virtual machines."
version: "edk2-stable202508"
package: "ArmVirtPkg/ArmVirtQemu.dsc"
package_output_dir: "ArmVirtQemu-AARCH64"
cca:
description: "UEFI for arm64 CCA virtual machines."
version: "cca/2025-02-06"
url: "https://git.codelinaro.org/linaro/dcap/edk2"
package: "ArmVirtPkg/ArmVirtQemu.dsc"
package_output_dir: "ArmVirtQemu-AARCH64"
protoc:
description: "Protobuf compiler"
url: "https://github.com/protocolbuffers/protobuf/releases"
version: "v21.12"
protoc-gen-go:
description: "Protobuf Go compiler"
url: "https://github.com/protocolbuffers/protobuf-go/releases"
version: "v1.28.1"
ttrpc:
description: "ttRPC libary and code generation utilities"
url: "https://github.com/containerd/ttrpc/releases"
version: "v1.2.7"
virtiofsd:
description: "vhost-user virtio-fs device backend written in Rust"
url: "https://gitlab.com/virtio-fs/virtiofsd"
version: "v1.13.3"
toolchain: "1.85.1"
meta:
# From https://gitlab.com/virtio-fs/virtiofsd/-/releases/v1.13.1,
# this is the link labelled virtiofsd-v1.13.1.zip
#
# yamllint disable-line rule:line-length
binary: "https://gitlab.com/-/project/21523468/uploads/05d4925181301a59b8c322cd9f9d44a7/virtiofsd-v1.13.1.zip"
xurls:
description: |
Tool used by the CI to check URLs in documents and code comments.
url: "mvdan.cc/xurls/v2/cmd/xurls"
version: "v2.5.0"
languages:
description: |
Details of programming languages required to build system
components.
golang:
description: "Google's 'go' language"
notes: "'version' is the default minimum version used by this project."
# When updating this, also update in go.mod files.
version: "1.25.9"
meta:
description: |
'newest-version' is the latest version known to work when
building Kata
newest-version: "1.25.9"
rust:
description: "Rust language"
notes: "'version' is the default minimum version used by this project."
# Keep in sync with rust-toolchain.toml
version: "1.93"
meta:
description: |
'newest-version' is the latest version known to work when
building Kata
newest-version: "1.93"
golangci-lint:
description: "golangci-lint"
notes: "'version' is the default minimum version used by this project."
url: "github.com/golangci/golangci-lint"
version: "2.9.0"
meta:
description: |
'newest-version' is the latest version known to work when
building Kata
newest-version: "2.9.0"
docker_images:
description: "Docker images used for testing"
nginx:
description: "Proxy server for HTTP, HTTPS, SMTP, POP3 and IMAP protocols"
registry: "quay.io/kata-containers/nginx"
# yamllint disable-line rule:line-length
digest: "sha256:a905609e0f9adc2607f06da2f76893c6da07caa396c41f2806fee162064cfb4b" # 1.15-alpine
Reference in New Issue View Git Blame Copy Permalink