diff --git a/.cirrus.yml b/.cirrus.yml
index cfd238f154e..76a6a00cc22 100644
--- a/.cirrus.yml
+++ b/.cirrus.yml
@@ -77,7 +77,7 @@ task:
   env:
     HOME: /root
     CIRRUS_WORKING_DIR: /home/runc
-    GO_VERSION: "1.20"
+    GO_VERSION: "1.21"
     BATS_VERSION: "v1.9.0"
     RPMS: gcc git iptables jq glibc-static libseccomp-devel make criu fuse-sshfs
     # yamllint disable rule:key-duplicates
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index 53feeece8f4..88f3a572af3 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -121,7 +121,7 @@ jobs:
     - name: install go
       uses: actions/setup-go@v4
       with:
-        go-version: 1.x # Latest stable
+        go-version: 1.21
 
     - name: unit test
       run: sudo -E PATH="$PATH" -- make GOARCH=386 localunittest
diff --git a/Dockerfile b/Dockerfile
index d24756bc1fc..240ca180f28 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,6 +1,6 @@
 ARG GO_VERSION=1.20
 ARG BATS_VERSION=v1.9.0
-ARG LIBSECCOMP_VERSION=2.5.4
+ARG LIBSECCOMP_VERSION=2.5.5
 
 FROM golang:${GO_VERSION}-bullseye
 ARG DEBIAN_FRONTEND=noninteractive
@@ -31,6 +31,7 @@ RUN KEYFILE=/usr/share/keyrings/criu-repo-keyring.gpg; \
         sshfs \
         sudo \
         uidmap \
+        iproute2 \
     && apt-get clean \
     && rm -rf /var/cache/apt /var/lib/apt/lists/* /etc/apt/sources.list.d/*.list
 
diff --git a/script/release_build.sh b/script/release_build.sh
index af238628cbd..06b52dadc31 100755
--- a/script/release_build.sh
+++ b/script/release_build.sh
@@ -19,7 +19,7 @@ set -e
 ## --->
 # Project-specific options and functions. In *theory* you shouldn't need to
 # touch anything else in this script in order to use this elsewhere.
-: "${LIBSECCOMP_VERSION:=2.5.4}"
+: "${LIBSECCOMP_VERSION:=2.5.5}"
 project="runc"
 root="$(readlink -f "$(dirname "${BASH_SOURCE[0]}")/..")"
 
diff --git a/script/seccomp.sh b/script/seccomp.sh
index beea612ac83..7060ed67806 100755
--- a/script/seccomp.sh
+++ b/script/seccomp.sh
@@ -7,7 +7,7 @@ source "$(dirname "${BASH_SOURCE[0]}")/lib.sh"
 
 # sha256 checksums for seccomp release tarballs.
 declare -A SECCOMP_SHA256=(
-	["2.5.4"]=d82902400405cf0068574ef3dc1fe5f5926207543ba1ae6f8e7a1576351dcbdb
+	["2.5.5"]=248a2c8a4d9b9858aa6baf52712c34afefcf9c9e94b76dce02c1c9aa25fb3375
 )
 
 # Due to libseccomp being LGPL we must include its sources,
diff --git a/tests/integration/run.bats b/tests/integration/run.bats
index 88540c763d1..3669f521cfa 100644
--- a/tests/integration/run.bats
+++ b/tests/integration/run.bats
@@ -72,7 +72,7 @@ function teardown() {
 
 	runc run test_tmpfs
 	[ "$status" -eq 0 ]
-	[ "$output" = "$mode" ]
+	[ "${lines[0]}" = "$mode" ]
 }
 
 @test "runc run with tmpfs perms" {
@@ -83,13 +83,13 @@ function teardown() {
 	# Directory is to be created by runc.
 	runc run test_tmpfs
 	[ "$status" -eq 0 ]
-	[ "$output" = "444" ]
+	[ "${lines[0]}" = "444" ]
 
 	# Run a 2nd time with the pre-existing directory.
 	# Ref: https://github.com/opencontainers/runc/issues/3911
 	runc run test_tmpfs
 	[ "$status" -eq 0 ]
-	[ "$output" = "444" ]
+	[ "${lines[0]}" = "444" ]
 
 	# Existing directory, custom perms, no mode on the mount,
 	# so it should use the directory's perms.
@@ -98,7 +98,7 @@ function teardown() {
 	# shellcheck disable=SC2016
 	runc run test_tmpfs
 	[ "$status" -eq 0 ]
-	[ "$output" = "710" ]
+	[ "${lines[0]}" = "710" ]
 
 	# Add back the mode on the mount, and it should use that instead.
 	# Just for fun, use different perms than was used earlier.
@@ -106,7 +106,7 @@ function teardown() {
 	update_config '.mounts[-1].options = ["mode=0410"]'
 	runc run test_tmpfs
 	[ "$status" -eq 0 ]
-	[ "$output" = "410" ]
+	[ "${lines[0]}" = "410" ]
 }
 
 @test "runc run [joining existing container namespaces]" {