Update containerd dependency to eliminate CVE-2021-25741

[rodrigc]

I recently started using Snyk on one of my projects, and found this

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-25741
https://app.snyk.io/vuln/SNYK-GOLANG-K8SIOKUBERNETES-1585630

via this import dependency:

github.com/dhui/dktest@v0.3.10 › github.com/containerd/containerd@v1.6.1 › github.com/Microsoft/hcsshim@v0.9.2 › github.com/containerd/containerd@v1.5.7 › github.com/Microsoft/hcsshim@v0.8.21 › github.com/containerd/containerd@v1.5.1 › github.com/containerd/imgcrypt@v1.1.1 › github.com/Microsoft/hcsshim@v0.8.16 › github.com/containerd/containerd@v1.5.0-beta.4 › github.com/containerd/aufs@v0.0.0-20210316121734-20793ff83c97 › github.com/containerd/containerd@v1.5.0-beta.3 › github.com/Microsoft/hcsshim@v0.8.15 › github.com/containerd/containerd@v1.5.0-beta.1 › github.com/Microsoft/hcsshim/test@v0.0.0-20201218223536-d3e5debf77da › github.com/Microsoft/hcsshim@v0.8.7 › k8s.io/kubernetes@v1.13.0

[zythosec]

@rodrigc could you update containerd to 1.6.3 now that it is the latest release?https://github.com/containerd/containerd/releases/tag/v1.6.3

@dhui any other feedback on this PR? or could we get this merged? thanks!

[rodrigc]

@zythosec updated

[dhui]

The best way to fix these security issues is to update the docker client since dktest doesn't directly depend on containerd.
I've updated docker in this commit: 2b740f0

Can you confirm that this fixes your issue?

EDIT: Once you confirm the issue as fixed, I'll cut a new release.

[zythosec]

@dhui that works for me. Looks like they completely removed their containerd dependency in that version.

[rodrigc]

Ok

[dhui]

v0.3.11 contains the fix for this issue. Thanks for identifying the issue, creating a PR for the fix, and confirming the fix!