Bump github.com/opencontainers/runc from 1.3.3 to 1.4.2 #2675

Open
dependabot[bot] wants to merge 1 commit into main from dependabot/go_modules/github.com/opencontainers/runc-1.4.2

dependabot bot commented on behalf of github Apr 12, 2026

Bumps github.com/opencontainers/runc from 1.3.3 to 1.4.2.

Release notes

Sourced from github.com/opencontainers/runc's releases.

runc v1.4.2 -- "Я — Земля! Я своих провожаю питомцев"

This is the second patch release of the 1.4.z release series of runc.

Fixed

  • A regression in runc v1.3.0 which can result in a stuck runc exec or runc run when the container process runs for a short time. (#5208, #5210, #5216)

  • Mount sources that need to be open on the host are now closed earlier during container start, reducing the total amount of used file descriptors and helping to avoid hitting the open files limit when handling many such mounts. (#5177, #5201)

Static Linking Notices

The runc binary distributed with this release is statically linked with the following GNU LGPL-2.1 licensed libraries, with runc acting as a "work that uses the Library":

The versions of these libraries were not modified from their upstream versions, but in order to comply with the LGPL-2.1 (§6(a)), we have attached the complete source code for those libraries which (when combined with the attached runc source code) may be used to exercise your rights under the LGPL-2.1.

However we strongly suggest that you make use of your distribution's packages or download them from the authoritative upstream sources, especially since these libraries are related to the security of your containers.


Thanks to the following contributors for making this release possible:

Signed-off-by: Kir Kolyshkin kolyshkin@gmail.com

runc v1.4.0 -- "路漫漫其修远兮,吾将上下而求索!"

This is the first release of the 1.4.z release branch of runc. It contains a few fixes for issues found in 1.4.0-rc.3. This version of runc supports runtime-spec v1.3 (see docs/spec-conformance.md for the few features that are still missing).

... (truncated)

Changelog

Sourced from github.com/opencontainers/runc's changelog.

[1.4.2] - 2026-04-02

Я — Земля! Я своих провожаю питомцев.

Fixed

  • A regression in runc v1.3.0 which can result in a stuck runc exec or runc run when the container process runs for a short time. (#5208, #5210, #5216)
  • Mount sources that need to be open on the host are now closed earlier during container start, reducing the total amount of used file descriptors and helping to avoid hitting the open files limit when handling many such mounts. (#5177, #5201)

[1.4.1] - 2026-03-12

La guerre n'est pas une aventure. La guerre est une maladie. Comme le typhus.

Deprecated

  • libcontainer/configs.MPOL_* constants added in runc 1.4.0. (#5110, #5055)

Added

Fixed

  • libct: fix panic in initSystemdProps when processing certain systemd properties in the OCI spec. (#5161, #5133)
  • libct: fix several file descriptor leaks on error paths. (#5168, #5009)
  • Remove unnecessary crypto/tls dependency by open-coding the systemd socket activation logic, allowing us to more easily avoid false positive CVE warnings. (#5093, #5057)
  • Remove legacy os.Is* error usage, improving error type detection to make our error fallback paths more robust. (#5162, #5061)
  • Go 1.26 has started enforcing a restriction of os/exec.Cmd which caused issues with our usage of CLONE_INTO_CGROUP (on newer kernels). This has now been resolved. (#5116, #5091)
  • Recursive atime-related mount flags (rrelatime et al.) are now applied properly. (#5114, #5098)
  • Fix a regression in runc exec due to CLONE_INTO_CGROUP in the (inadvisable) scenario where a container is configured without cgroup namespaces and with /sys/fs/cgroup mounted rw. (#5117, #5101)
  • On machines with more than 1024 CPU cores, our logic for resetting the CPU affinity will now correctly reset the affinity onto all available cores (not just the first 1024). (#5149, #5025)
  • PR #4757 caused a regression that resulted in spurious "cannot start a container that has stopped" errors when running runc create and has thus been reverted. (#5157, #5153, #5151, #4645, #4757)

Changed

  • Previously we made an attempt to make our runc.armhf release binaries work with ARMv6 (which would allow runc to work on the original Raspberry Pi).

... (truncated)

Commits
  • c241c0b VERSION: release v1.4.2
  • 95f27e8 Merge pull request #5216 from lifubang/backport-5210-1.4
  • 39791ae Fix SIGCHLD race in signal handler setup
  • 226ff03 Merge pull request #5201 from lifubang/backport-5177-1.4
  • 9de77a9 test: check mount source fds are cleaned up with idmapped mounts
  • e4a82fc libct: close mount source fd as soon as possible
  • 87db634 libct: add a nil check for mountError
  • d4305dc Merge pull request #5187 from kolyshkin/1.4-5159
  • 63605fc ci: add conmon tests run
  • 0daa003 Merge pull request #5178 from kolyshkin/1.4-5175
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Bumps [github.com/opencontainers/runc](https://github.com/opencontainers/runc) from 1.3.3 to 1.4.2.
- [Release notes](https://github.com/opencontainers/runc/releases)
- [Changelog](https://github.com/opencontainers/runc/blob/v1.4.2/CHANGELOG.md)
- [Commits](opencontainers/runc@v1.3.3...v1.4.2)

---
updated-dependencies:
- dependency-name: github.com/opencontainers/runc
  dependency-version: 1.4.2
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
dependabot bot added the dependencies (Pull requests that update a dependency file) and go (Pull requests that update Go code) labels Apr 12, 2026
dependabot bot requested a review from a team as a code owner April 12, 2026 03:52