chore(deps): update dependency crun to v1.19.1

[renovate]

This PR contains the following updates:

Package	Update	Change
crun	minor	1.11.1 -> 1.19.1

---

Release Notes

containers/crun (crun)

v1.19.1

Compare Source

• linux: fix a hang if there are no reads from the tty. Use non blocking sockets to read and write from the tty so that the "crun exec" process doesn't hang when the terminal is not consuming any data.
• linux: remove the workaround needed to mount a cgroup on top of another cgroup mount. The workaround had the disadvantage to temporarily leak a mount on the host. The alternative that is currently used is to mount a temporary tmpfs between the twoo cgroup mounts.

v1.18.2

Compare Source

• cgroup, systemd: fix a regression when a configuration file includes only one default rule.

v1.18.1

Compare Source

• cgroup: deprecate cgroup v1.
• cgroup: fix regression setting up the devices cgroup on cgroup v1.
• cgroup: fix regression and work again with the default Docker devices configuration on systemd.
• linux: fix setting up user namespace when newuidmap/newgidmap are not available.

v1.16.1

Compare Source

• fix a regression introduced by 1.16 where using 'rshared' rootfs mount propagation and the rootfs itself is a mountpoint.
• inherit user from original process on exec, if not overridden.

v1.14.4

Compare Source

• linux: fix mount of file with recursive flags. Do not assume it is a directory, but check the source type.
• new build for s390x

v1.14.3

Compare Source

• follow up for 1.14.2. Drop the version check for each command.

v1.14.2

Compare Source

• drop check for OCI version. A recent bump in the OCI runtime specs caused crun to fail with every config file. Just drop the check since it doesn't add any value.

v1.14.1

Compare Source

• there was recently a security vulnerability (CVE-2024-21626) in runc
  that allowed a malicious user to chdir(2) to a /proc/*/fd entry that is
  outside the container rootfs. While crun is not affected directly,
  harden chdir by validating that we are still inside the container
  rootfs.
• container: attempt to close all the files before execv(2).
  if we leak any fd, it prevents execv to gain access to files outside
  the container rootfs through /proc/self/fd/$fd.
• fix a regression caused by 1.14 when installing the ebpf filter on a
  kernel older than 5.11.
• cgroup, systemd: fix segfault if the resources block is not specified.

v1.11.2

Compare Source

• fix a regression caused by 1.11.1 where the process crashes if there are no CPU limits configured on cgroup v1.
• fix error code check for the ptsname_r function.

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.