Package "lxc"

  lxc (2.0.8-0ubuntu1~16.04.2) xenial; urgency=medium

  * Cherry-pick upstream workaround for ppc64el failure:
    - 0011-utils-fix-ppc64le-builds.patch

 -- Stéphane Graber <email address hidden> Mon, 29 May 2017 14:37:15 -0400

  lxc (2.0.8-0ubuntu1~16.04.1) xenial; urgency=medium

  * New upstream bugfix release (2.0.8) (LP: #1691911):
    - Security fix for CVE-2017-5985 (previously fixed in Ubuntu)

    - All templates have been updated to not set default passwords anymore,
      instead requiring lxc-attach be used to configure users.

      This may affect some automated environments that were relying on our
      default (very much insecure) users.

    - Make lxc-start-ephemeral Python 3.2-compatible
    - Fix typo
    - Allow build without sys/capability.h
    - lxc-opensuse: fix default value for release code
    - util: always malloc for setproctitle
    - util: update setproctitle comments
    - confile: clear lxc.network..ipv{4,6} when empty
    - lxc_setup_tios(): Ignore SIGTTOU and SIGTTIN signals
    - Make lxc-net return non-zero on failure
    - seccomp: allow x32 guests on amd64 hosts.
    - Add HAVE_LIBCAP
    - c/r: only supply --ext-mount-map for bind mounts
    - Added 'mkdir -p' functionality in create_or_remove_cgroup
    - Use LXC_ROOTFS_MOUNT in clonehostname hook
    - squeeze is not a supported release anymore, drop the key
    - start: dumb down SIGCHLD from WARN() to NOTICE()
    - log: fix lxc_unix_epoch_to_utc()
    - cgfsng: make trim() safer
    - seccomp: set SCMP_FLTATR_ATL_TSKIP if available
    - lxc-user-nic: re-order #includes
    - lxc-user-nic: improve + bugfix
    - lxc-user-nic: delete link on failure
    - conf: only try to delete veth when privileged
    - Fix lxc-containers to support multiple bridges
    - Fix mixed tab/spaces in previous patch
    - lxc-alpine: use dl-cdn.a.o as default mirror instead of random one
    - lxc-checkconfig: verify new[ug]idmap are setuid-root
    - [templates] archlinux: resolve conflicting files
    - [templates] archlinux: noneed default_timezone variable
    - python3: Deal with potential NULL char*
    - lxc-download.in / allow setting keyserver from env
    - lxc-download.in / Document keyserver change in help
    - Change variable check to match existing style
    - tree-wide: include directly
    - conf/ile: make sure buffer is large enough
    - tree-wide: include directly
    - tests: Support running on IPv6 networks
    - tests: Kill containers (don't wait for shutdown)
    - Fix opening wrong file in suggest_default_idmap
    - do not set the root password in the debian template
    - do not set insecure passwords
    - don't set a default password for altlinux, gentoo, openmandriva and pld
    - tools: exit with return code of lxc_execute()
    - Keep veth.pair.name on network shutdown
    - Makefile: fix static clang init.lxc build
    - Avoid waiting for bridge interface if disabled in sysconfig/lxc
    - Increased buffer length in print_stats()
    - avoid assigning to a variable which is not POSIX shell proof (bug #1498)
    - remove obsolete note about api stability
    - conf: less error prone pointer access
    - conf: lxc_map_ids() non-functional changes
    - caps: add lxc_{proc,file}_cap_is_set()
    - conf: check for {filecaps,setuid} on new{g,u}idmap
    - conf: improve log when mounting rootfs
    - ls: simplify the judgment condition when list active containers
    - fix typo introduced in #1509
    - attach|unshare: fix the wrong comment
    - caps: skip file capability checks on android
    - autotools: check for cap_get_file
    - caps: return false if caps are not supported
    - conf: non-functional changes to setup_pts()
    - conf: use bind-mount for /dev/ptmx
    - conf: non-functional changes
    - utils: use loop device helpers from LXD
    - create ISSUE_TEMPLATE.md
    - cgroups: improve cgfsng debugging
    - issue template: fix typo
    - conf: close fd in lxc_setup_devpts()
    - conf: non-functional changes
    - utils: tweak lxc_mount_proc_if_needed()
    - Change sshd template to work with Ubuntu 17.04
    - conf: order mount options
    - conf: add MS_LAZYTIME to mount options
    - monitor: report errno on exec() error
    - af unix: allow for maximum socket name
    - commands: avoid NULL pointer dereference
    - commands: non-functional changes
    - lxccontainer: avoid NULL pointer dereference
    - monitor: simplify abstract socket logic
    - precise is not the latest LTS, let's use xenial instead
    - fix the wrong exit status
    - conf: non-functional changes lxc_fill_autodev()
    - conf: remove /dev/console from lxc_fill_autodev()
    - conf: non-functional changes lxc_setup()
    - conf: non-functional changes to console functions
    - conf: improve lxc_setup_dev_console()
    - conf: lxc_setup_ttydir_console()
    - config: remove /dev/console bind mount
    - doc: document console behavior
    - utils: add lxc_unstack_mountpoint()
    - conf: unstack all mounts atop /dev/console
    - console: fail when we cannot allocate peer tty
    - start: remove umount2()
    - conf: non-functional changes
    - utils: handle > 2^31 in lxc_unstack_mountpoint()
    - Install systemd units for CentOS
    - Merge ubuntu and debiancase
    - start: add crucial details about lxc_spawn()

  * Cherry-pick some upstream fixes:
    - conf{,ile}: allow one to clear all config items
    - start: pin rootfs when privileged
    - conf: fix build without libcap
    - start: don't call lxc_map_ids() without id map
    - lxc-attach: allow for situations without /dev/tty
    - utils: fix num parsing functions
    - tests: lxc_safe_{u}int() add corner-case tests

  * Fix broken proxy detection in debian/tests/exercise
  * Only move lxc bash completion from /etc if we installed it there
  * Update tests to deal with cgroupv2 tree (recent systemd)
  * Drop un-needed lintian override

 -- Stéphane Graber <email address hidden> Thu, 18 May 2017 23:08:57 -0400

  lxc (2.0.7-0ubuntu1~16.04.1) xenial; urgency=medium

  * New upstream bugfix release (2.0.7) (LP: #1660844)
    - attach: Close lsm label file descriptor
    - attach: Non-functional changes
    - attach: Simplify lsm_openat()
    - caps: Add lxc_cap_is_set()
    - conf: attach: Save errno across call to close
    - conf: Clearly report to either use drop or keep
    - conf: criu: Add make_anonymous_mount_file()
    - conf: Fix suggest_default_idmap()
    - configure: Add --enable-gnutls option
    - configure: Check for memfd_create()
    - configure: Check whether gettid() is declared
    - configure: Do not allow variable length arrays
    - configure: Remove -Werror=vla
    - configure: Use AC_HEADER_MAJOR to detect major()/minor()/makedev()
    - conf: Non-functional changes
    - conf: Remove thread-unsafe strsignal + improve log
    - init: Add cgroupfs-mount to Should-Start/Stop sysvinit LSB headers
    - log: Add lxc_unix_epoch_to_utc()
    - log: Annotate lxc_unix_epoch_to_utc()
    - log: Drop all timezone conversion functions
    - log: Make sure that date is correctly formatted
    - log: Use lxc_unix_epoch_to_utc()
    - log: Use N/A if getpid() != gettid() when threaded
    - log: Use thread-safe localtime_r()
    - lvm: Suppress warnings about leaked files
    - lxccontainer: Log failure to send sig to init pid
    - monitor: Add more logging
    - monitor: Close mainloop on exit if we opened it
    - monitor: Improve log + set log level to DEBUG
    - monitor: Log which pipe fd is currently used
    - monitor: Make lxc-monitord async signal safe
    - monitor: Non-functional changes
    - python3-lxc: Fix api_test.py on s390x
    - start: Check for CAP_SETGID before setgroups()
    - start: Fix execute and improve setgroups() calls
    - state: Use async signal safe fun in lxc_wait()
    - templates: lxc-debian: Don't read from /usr/lib/systemd on the host
    - templates: lxc-debian: Fix getty service startup
    - templates: lxc-debian: Fix typo with dpkg --print-foreign-architectures
    - templates: lxc-debian: Handle ppc hostarch -> powerpc
    - templates: lxc-opensuse: Change openSUSE default release to Leap 42.2
    - templates: lxc-opensuse: Remove libgcc_s1
    - templates: lxc-opensuse: Remove poweroff.target -> sigpwr.target copy
    - templates: lxc-opensuse: Set to be unconfined by AppArmor
    - templates: lxc-opensuse: Update for Leap 42.2
    - tests; Don't cause test failures on cleanup errors
    - tests: Skip unpriv tests on broken overlay module
    - tools: Improve logging
    - tools: lxc-start: Remove c->is_defined(c) check
    - tools: lxc-start: Set configfile after load_config
    - tools: Only check for O_RDONLY
    - tree-wide: Random macro cleanups
    - tree-wide: Remove any variable length arrays
    - tree-wide: Sic semper assertis!
    - utils: Add macro __LXC_NUMSTRLEN
    - utils: Add uid, gid, group convenience wrappers

  * Cherry-pick upstream bugfix:
    - 0002-Make-lxc-start-ephemeral-Python-3.2-compatible.patch

  * Resolve lintian warnings
    - Drop un-needed overrides
    - Fix typos in debian/control

 -- Stéphane Graber <email address hidden> Tue, 31 Jan 2017 18:37:52 -0500