This repository was archived by the owner on Mar 31, 2025. It is now read-only.

chore(deps): update module github.com/containerd/containerd to v1.6.26 [security] #141

Merged
renovate[bot] merged 1 commit into main from renovate/go-github.com-containerd-containerd-vulnerability
Jan 24, 2025

@renovate renovate Bot commented Jan 24, 2025

This PR contains the following updates:

| Package | Type | Update | Change | OpenSSF |
|---|---|---|---|---|
| github.com/containerd/containerd | indirect | minor | v1.3.0 -> v1.6.26 | OpenSSF Scorecard |

GitHub Vulnerability Alerts

CVE-2020-15257

Impact

Access controls for the shim’s API socket verified that the connecting process had an effective UID of 0, but did not otherwise restrict access to the abstract Unix domain socket. This would allow malicious containers running in the same network namespace as the shim, with an effective UID of 0 but otherwise reduced privileges, to cause new processes to be run with elevated privileges.

Specific Go Packages Affected

github.com/containerd/containerd/cmd

Patches

This vulnerability has been fixed in containerd 1.3.9 and 1.4.3. Users should update to these versions as soon as they are released. It should be noted that containers started with an old version of containerd-shim should be stopped and restarted, as running containers will continue to be vulnerable even after an upgrade.

Workarounds

If you are not providing the ability for untrusted users to start containers in the same network namespace as the shim (typically the "host" network namespace, for example with docker run --net=host or hostNetwork: true in a Kubernetes pod) and run with an effective UID of 0, you are not vulnerable to this issue.

If you are running containers with a vulnerable configuration, you can deny access to all abstract sockets with AppArmor by adding a line similar to deny unix addr=@**, to your policy.

It is best practice to run containers with a reduced set of privileges, with a non-zero UID, and with isolated namespaces. The containerd maintainers strongly advise against sharing namespaces with the host. Reducing the set of isolation mechanisms used for a container necessarily increases that container's privilege, regardless of what container runtime is used for running that container.

Credits

The containerd maintainers would like to thank Jeff Dileo of NCC Group for responsibly disclosing this issue in accordance with the containerd security policy and for reviewing the patch.

For more information

If you have any questions or comments about this advisory:

CVE-2021-32760

Impact

A bug was found in containerd where pulling and extracting a specially-crafted container image can result in Unix file permission changes for existing files in the host’s filesystem. Changes to file permissions can deny access to the expected owner of the file, widen access to others, or set extended bits like setuid, setgid, and sticky. This bug does not directly allow files to be read, modified, or executed without an additional cooperating process.

Patches

This bug has been fixed in containerd 1.5.4 and 1.4.8. Users should update to these versions as soon as they are released. Running containers do not need to be restarted.

Workarounds

Ensure you only pull images from trusted sources.

Linux security modules (LSMs) like SELinux and AppArmor can limit the files potentially affected by this bug through policies and profiles that prevent containerd from interacting with unexpected files.

For more information

If you have any questions or comments about this advisory:

CVE-2021-41103

Impact

A bug was found in containerd where container root directories and some plugins had insufficiently restricted permissions, allowing otherwise unprivileged Linux users to traverse directory contents and execute programs. When containers included executable programs with extended permission bits (such as setuid), unprivileged Linux users could discover and execute those programs. When the UID of an unprivileged Linux user on the host collided with the file owner or group inside a container, the unprivileged Linux user on the host could discover, read, and modify those files.

Patches

This vulnerability has been fixed in containerd 1.4.11 and containerd 1.5.7. Users should update to these versions when they are released and may restart containers or update directory permissions to mitigate the vulnerability.

Workarounds

Limit access to the host to trusted users. Update directory permissions on container bundle directories.

For more information

If you have any questions or comments about this advisory:

GHSA-5j5w-g665-5m35

Impact

In the OCI Distribution Specification version 1.0.0 and prior and in the OCI Image Specification version 1.0.1 and prior, manifest and index documents are ambiguous without an accompanying Content-Type HTTP header. Versions of containerd prior to 1.4.12 and 1.5.8 treat the Content-Type header as trusted and deserialize the document according to that header. If the Content-Type header changed between pulls of the same ambiguous document (with the same digest), the document may be interpreted differently, meaning that the digest alone is insufficient to unambiguously identify the content of the image.

Patches

This issue has been fixed in containerd 1.4.12 and 1.5.8. Image pulls for manifests that contain a “manifests” field or indices which contain a “layers” field are rejected.

Workarounds

Ensure you only pull images from trusted sources.

References

GHSA-mc8v-mgrf-8f4m
GHSA-77vh-xpmg-72qh

For more information

If you have any questions or comments about this advisory:

CVE-2022-23648

Impact

A bug was found in containerd where containers launched through containerd’s CRI implementation with a specially-crafted image configuration could gain access to read-only copies of arbitrary files and directories on the host. This may bypass any policy-based enforcement on container setup (including a Kubernetes Pod Security Policy) and expose potentially sensitive information. Kubernetes and crictl can both be configured to use containerd’s CRI implementation.

Patches

This bug has been fixed in containerd 1.6.1, 1.5.10 and 1.4.13. Users should update to these versions to resolve the issue.

Workarounds

Ensure that only trusted images are used.

Credits

The containerd project would like to thank Felix Wilhelm of Google Project Zero for responsibly disclosing this issue in accordance with the containerd security policy.

For more information

If you have any questions or comments about this advisory:

CVE-2022-31030

Impact

A bug was found in containerd's CRI implementation where programs inside a container can cause the containerd daemon to consume memory without bound during invocation of the ExecSync API. This can cause containerd to consume all available memory on the computer, denying service to other legitimate workloads. Kubernetes and crictl can both be configured to use containerd's CRI implementation; ExecSync may be used when running probes or when executing processes via an "exec" facility.

Patches

This bug has been fixed in containerd 1.6.6 and 1.5.13. Users should update to these versions to resolve the issue.

Workarounds

Ensure that only trusted images and commands are used.

References

Credits

The containerd project would like to thank David Korczynski and Adam Korczynski of ADA Logics for responsibly disclosing this issue in accordance with the containerd security policy during a security audit sponsored by CNCF and facilitated by OSTIF.

For more information

If you have any questions or comments about this advisory:

CVE-2022-23471

Impact

A bug was found in containerd's CRI implementation where a user can exhaust memory on the host. In the CRI stream server, a goroutine is launched to handle terminal resize events if a TTY is requested. If the user's process fails to launch due to, for example, a faulty command, the goroutine will be stuck waiting to send without a receiver, resulting in a memory leak. Kubernetes and crictl can both be configured to use containerd's CRI implementation and the stream server is used for handling container IO.

Patches

This bug has been fixed in containerd 1.6.12 and 1.5.16. Users should update to these versions to resolve the issue.

Workarounds

Ensure that only trusted images and commands are used and that only trusted users have permissions to execute commands in running containers.

For more information

If you have any questions or comments about this advisory:

To report a security issue in containerd:

CVE-2023-25173

Impact

A bug was found in containerd where supplementary groups are not set up properly inside a container. If an attacker has direct access to a container and manipulates their supplementary group access, they may be able to use supplementary group access to bypass primary group restrictions in some cases, potentially gaining access to sensitive information or gaining the ability to execute code in that container.

Downstream applications that use the containerd client library may be affected as well.

Patches

This bug has been fixed in containerd v1.6.18 and v1.5.18. Users should update to these versions and recreate containers to resolve this issue. Users who rely on a downstream application that uses containerd's client library should check that application for a separate advisory and instructions.

Workarounds

Ensure that the "USER $USERNAME" Dockerfile instruction is not used. Instead, set the container entrypoint to a value similar to ENTRYPOINT ["su", "-", "user"] to allow su to properly set up supplementary groups.

References

Note that CVE IDs apply to a particular implementation, even if an issue is common.

For more information

If you have any questions or comments about this advisory:

To report a security issue in containerd:

CVE-2023-25153

Impact

When importing an OCI image, there was no limit on the number of bytes read for certain files. A maliciously crafted image with a large file where a limit was not applied could cause a denial of service.

Patches

This bug has been fixed in containerd 1.6.18 and 1.5.18. Users should update to these versions to resolve the issue.

Workarounds

Ensure that only trusted images are used and that only trusted users have permissions to import images.

Credits

The containerd project would like to thank David Korczynski and Adam Korczynski of ADA Logics for responsibly disclosing this issue in accordance with the containerd security policy during a security fuzzing audit sponsored by CNCF.

For more information

If you have any questions or comments about this advisory:

To report a security issue in containerd:

GHSA-7ww5-4wqc-m92c

/sys/devices/virtual/powercap accessible by default to containers

Intel's RAPL (Running Average Power Limit) feature, introduced by the Sandy Bridge microarchitecture, provides software insights into hardware energy consumption. To facilitate this, Intel introduced the powercap framework in Linux kernel 3.13, which reads values via relevant MSRs (model specific registers) and provides unprivileged userspace access via sysfs. As RAPL is an interface to access a hardware feature, it is only available when running on bare metal with the module compiled into the kernel.

By 2019, it was realized that in some cases unprivileged access to RAPL readings could be exploited as a power-based side-channel against security features including AES-NI (potentially inside a SGX enclave) and KASLR (kernel address space layout randomization). Also known as the PLATYPUS attack, Intel assigned CVE-2020-8694 and CVE-2020-8695, and AMD assigned CVE-2020-12912.

Several mitigations were applied; Intel reduced the sampling resolution via a microcode update, and the Linux kernel prevents access by non-root users since 5.10. However, this kernel-based mitigation does not apply to many container-based scenarios:

  • Unless using user namespaces, root inside a container has the same level of privilege as root outside the container, but with a slightly more narrow view of the system
  • sysfs is mounted inside containers read-only; however only read access is needed to carry out this attack on an unpatched CPU

While this is not a direct vulnerability in container runtimes, defense in depth and safe defaults are valuable and preferred, especially as this poses a risk to multi-tenant container environments. This is provided by masking /sys/devices/virtual/powercap in the default mount configuration, and adding an additional set of rules to deny it in the default AppArmor profile.

While sysfs is not the only way to read from the RAPL subsystem, other ways of accessing it require additional capabilities such as CAP_SYS_RAWIO which is not available to containers by default, or perf paranoia level less than 1, which is a non-default kernel tunable.

References

CVE-2021-21334

Impact

Containers launched through containerd's CRI implementation (through Kubernetes, crictl, or any other pod/container client that uses the containerd CRI service) that share the same image may receive incorrect environment variables, including values that are defined for other containers. If the affected containers have different security contexts, this may allow sensitive information to be unintentionally shared.

If you are not using containerd’s CRI implementation (through one of the mechanisms described above), you are not vulnerable to this issue.

If you are not launching multiple containers or Kubernetes pods from the same image which have different environment variables, you are not vulnerable to this issue.

If you are not launching multiple containers or Kubernetes pods from the same image in rapid succession, you have reduced likelihood of being vulnerable to this issue.

Patches

This vulnerability has been fixed in containerd 1.3.10 and containerd 1.4.4. Users should update to these versions as soon as they are released.

Workarounds

There are no known workarounds.

For more information

If you have any questions or comments about this advisory:


Release Notes

containerd/containerd (github.com/containerd/containerd)

v1.6.26: containerd 1.6.26

Compare Source

Welcome to the v1.6.26 release of containerd!

The twenty-sixth patch release for containerd 1.6 contains various fixes and updates.

Notable Updates
  • Fix windows default path overwrite issue (#​9441)
  • Update push to inherit distribution sources from parent (#​9453)
  • Mask /sys/devices/virtual/powercap path in runtime spec and deny in default apparmor profile (GHSA-7ww5-4wqc-m92c)
Deprecation Warnings
  • Emit deprecation warning for AUFS snapshotter usage (#​9448)
  • Emit deprecation warning for v1 runtime usage (#​9468)
  • Emit deprecation warning for CRI v1alpha1 usage (#​9468)

See the changelog for complete list of changes

Please try out the release binaries and report any issues at
https://github.com/containerd/containerd/issues.

Contributors
  • Samuel Karp
  • Derek McGowan
  • Kohei Tokunaga
  • Phil Estes
  • Bjorn Neergaard
  • Sebastiaan van Stijn
  • Brian Goff
  • Charity Kathure
  • Kazuyoshi Kato
  • Milas Bowman
  • Wei Fu
  • ruiwen-zhao
Changes
30 commits

  • [release/1.6] Prepare release notes for v1.6.26 (#​9490)
    • ac5c5d3e0 Prepare release notes for v1.6.26
  • Github Security Advisory GHSA-7ww5-4wqc-m92c
    • 02f07fe19 contrib/apparmor: deny /sys/devices/virtual/powercap
    • c94577e78 oci/spec: deny /sys/devices/virtual/powercap
  • [release/1.6] update to go1.20.12, test go1.21.5 (#​9472)
    • 7cbdfc92e update to go1.20.12, test go1.21.5
    • 024b1cce6 update to go1.20.11, test go1.21.4
  • [release/1.6] Add cri-api v1alpha2 usage warning to all api calls (#​9484)
    • 64e56bfde Add cri-api v1alpha2 usage warning to all api calls
  • [release/1.6] tasks: emit warning for v1 runtime and runc v1 runtime (#​9468)
    • efefd3bf3 tasks: emit warning for runc v1 runtime
    • 7825689b4 tasks: emit warning for v1 runtime
  • [release/1.6] snapshots: emit deprecation warning for aufs (#​9448)
    • 7cfe7052f snapshots: emit deprecation warning for aufs
  • [release/1.6] cherry-pick/backport: Update golangci lint (#​9455)
    • a1ae572a2 Fix linter error with updated linter
    • b638791d6 ci: bump up golangci-lint to v1.55.0
    • 2370a2842 Fix linter issues for golangci-lint 1.54.2
    • 8a65e2e31 Bump up golangci-lint to v1.54.2
    • 969f8feb2 Bump up golangci-lint to v1.52.2
  • [release/1.6] push: inherit distribution sources from parent (#​9453)
    • 66959fdf5 push: inherit distribution sources from parent
    • b4dcffcfb content: add InfoProvider interface
    • bef4145c1 Change PushContent to require only Provider
  • [release/1.6] Bump google.golang.org/grpc to v1.58.3 (#​9408)
    • a5fc21060 vendor: google.golang.org/grpc v1.58.3
    • 4fa05b3d8 Upgrade github.com/klauspost/compress from v1.11.13 to v1.15.9
  • [release/1.6] Windows default path overwrite fix (#​9441)
    • ede0ad5e1 Fix windows default path overwrite issue

Dependency Changes
  • cloud.google.com/go/compute/metadata v0.2.3 new
  • github.com/cespare/xxhash/v2 v2.1.2 -> v2.2.0
  • github.com/golang/protobuf v1.5.2 -> v1.5.3
  • github.com/klauspost/compress v1.11.13 -> v1.15.9
  • go.opencensus.io v0.23.0 -> v0.24.0
  • golang.org/x/oauth2 2bc19b1 -> v0.10.0
  • golang.org/x/sync v0.1.0 -> v0.3.0
  • google.golang.org/grpc v1.50.1 -> v1.58.3
  • google.golang.org/protobuf v1.28.1 -> v1.31.0

Previous release can be found at v1.6.25

v1.6.25: containerd 1.6.25

Compare Source

Welcome to the v1.6.25 release of containerd!

The twenty-fifth patch release for containerd 1.6 contains various fixes and updates.

Notable Updates
  • Check whether content did not need to be pushed to remote registry and cross-repo mounted or already existed (#9111)
  • Soft deprecate log package (#​9105)
  • Always try to establish tls connection when tls configured (#​9189)
  • CRI: stop recommending disable_cgroup (#​9169)
  • Allow for images with artifacts layers to pull (#​9150)
  • Require plugins to succeed after registering readiness (#​9166)
  • Avoid potential deadlock in create handler in containerd-shim-runc-v2 (#​9210)
  • Add handling for missing basic auth credentials (#​9236)
  • Add a new image label if it is docker schema 1 (#​9267)
  • Fix ambiguous tls fallback (#​9300)
  • Expose usage of deprecated features (#​9329)
  • Fix shimv1 leak issue (#​9345)
  • Go version update to 1.20.10 (#9264)
  • Update runc to v1.1.10 (#​9360)
  • CRI: fix using the pinned label to pin image (#​9382)

See the changelog for complete list of changes

Please try out the release binaries and report any issues at
https://github.com/containerd/containerd/issues.

Contributors
  • Samuel Karp
  • Derek McGowan
  • Sebastiaan van Stijn
  • Phil Estes
  • Wei Fu
  • Kazuyoshi Kato
  • Akhil Mohan
  • Akihiro Suda
  • Chen Yiyang
  • Fabian Hoffmann
  • Iceber Gu
  • Mike Brown
  • Paweł Gronowski
  • Austin Vazquez
  • Fahed Dorgaa
  • James Sturtevant
  • Kern Walster
  • Marat Radchenko
  • Qiutong Song
  • Tony Fouchard
  • ruiwen-zhao
Changes
82 commits

  • [release/1.6] Prepare release notes for v1.6.25 (#​9394)
  • [release/1.6] cri: fix using the pinned label to pin image (#​9382)
    • b49815300 cri: fix update of pinned label for images
    • 751b0c186 cri: fix using the pinned label to pin image
  • [Release/1.6] vendor: golang.org/x/net v0.17.0 (#​9387)
  • [Release/1.6] CVE-2022-1996 fix for go-restful (#​9385)
  • [release/1.6] Enhance container image unpack client logs (#​9380)
    • 3e68bf65a Enhance container image unpack client logs
  • [release/1.6] update github.com/containerd/nri v0.1.1 (#​9107)
    • 0dd65c826 [release/1.6] update github.com/containerd/nri v0.1.1
  • [release/1.6 backport] update runc binary to v1.1.10 (#​9360)
  • [release/1.6] Expose usage of cri-api v1alpha2 (#​9357)
  • [release/1.6] fix: shimv1 leak issue (#​9345)
  • [release/1.6] update to go1.20.10, test go1.21.3 (#​9264)
    • 6741f819b [release/1.6] update to go1.20.10, test go1.21.3
    • 49615a0e9 [release/1.6] update to go1.20.9, test go1.21.2
  • [release/1.6] cri: add deprecation warnings for mirrors, auths, and configs (#​9355)
    • b68204e53 cri: add deprecation warning for configs
    • ae8c58319 cri: add deprecation warning for auths
    • 455edcad2 cri: add deprecation warning for mirrors
    • 878823f4d cri: add ability to emit deprecation warnings
  • [release/1.6] deprecation: new package for deprecations (#​9329)
    • 477b7d6a1 ctr: new deprecations command
    • 24068b813 dynamic: record deprecation for dynamic plugins
    • 218c7a1df server: add ability to record config deprecations
    • dfb9e1deb pull: record deprecation warning for schema 1
    • 90b42da6f introspection: add support for deprecations
    • 0b6766b37 api/introspection: deprecation warnings in server
    • de3cb4c18 warning: new service for deprecations
    • da1b4419b deprecation: new package for deprecations
  • [release/1.6] integration: deflake TestIssue9103 (#​9353)
    • bca8a3f65 integration: deflake TestIssue9103
  • [release/1.6] ci: Use Vagrant on ubuntu-latest-4-cores (#​9332)
    • 0985f7a43 ci: Use Vagrant on ubuntu-latest-4-cores
  • [release/1.6] Fix ambiguous tls fallback (#​9300)
    • 5dd64301c Check scheme and host of request on push redirect
    • 51df21d09 Avoid TLS fallback when protocol is not ambiguous
  • [release/1.6] Add a new image label if it is docker schema 1 (#​9267)
    • 8108f0d03 Add a new image label if it is docker schema 1
  • [release/1.6 backport] fix protobuf aarch64 (#​9284)
  • [release/1.6] remotes: add handling for missing basic auth credentials (#​9236)
    • e529741d3 remotes: add handling for missing basic auth credentials
    • ca45b92f4 Add ErrUnexpectedStatus to resolver
    • 77c0175b4 Improve ErrUnexpectedStatus default string
  • [release/1.6] Update x/net to 0.13 (#​9130)
  • [release/1.6] Require plugins to succeed after registering readiness (#​9166)
    • 5223bf39a Require plugins to succeed after registering readiness
    • 8f5eba314 cri: call RegisterReadiness after NewCRIService
  • [release/1.6 backport] containerd-shim-runc-v2: avoid potential deadlock in create handler (#​9210)
    • 7b61862e7 *: add runc-fp as runc wrapper to inject failpoint
    • 5238a6470 containerd-shim-runc-v2: avoid potential deadlock in create handler
    • 65e908ee1 containerd-shim-runc-v2: remove unnecessary s.getContainer()
    • 1dd9acecb Uncopypaste parsing of OCI Bundle spec file
    • 71c89ddf2 [release/1.6]: Vagrantfile: install failpoint binaries
  • [release/1.6] cri: stop recommending disable_cgroup (#​9169)
    • 7a0c8b6b7 cri: stop recommending disable_cgroup
  • [release/1.6] Allow for images with artifacts to pull (#​9150)
    • 8066dd81c Allow for images with artifacts to pull
  • [release 1.6] remotes/docker: Fix MountedFrom prefixed with target repository (#​9192)
    • 2fffc344a remotes/docker: Fix MountedFrom prefixed with target repository
  • [release/1.6] remotes: always try to establish tls connection when tls configured (#​9189)
    • 6b5912220 remotes: always try to establish tls connection when tls configured
  • [release/1.6] Build binaries with 1.21.1 (#​9180)
  • [release/1.6 backport] alias log package to github.com/containerd/log v0.1.0 (#​9105)
    • f1591cc9b alias log package to github.com/containerd/log v0.1.0
    • f68d2d93b vendor: golang.org/x/sys v0.7.0
    • f305fb233 vendor: github.com/stretchr/testify v1.8.4
    • 4e24a30af vendor: github.com/sirupsen/logrus v1.9.3
  • [release/1.6] remotes/docker: Add MountedFrom and Exists push status (#​9111)
    • b66c818ba remotes/docker: Add MountedFrom and Exists push status

Changes from containerd/log
9 commits

Changes from containerd/nri
3 commits

  • [release/0.1 backport] remove containerd as dependency (#​58)
    • 4275101 Task: fix typo in godoc
    • f6acbf1 remove containerd as dependency

Dependency Changes
  • github.com/containerd/log v0.1.0 new
  • github.com/containerd/nri v0.1.0 -> v0.1.1
  • github.com/emicklei/go-restful v2.9.5 -> v2.16.0
  • github.com/sirupsen/logrus v1.9.0 -> v1.9.3
  • github.com/stretchr/testify v1.8.1 -> v1.8.4
  • golang.org/x/crypto 3147a52 -> v0.14.0
  • golang.org/x/net v0.8.0 -> v0.17.0
  • golang.org/x/sys v0.6.0 -> v0.13.0
  • golang.org/x/term v0.6.0 -> v0.13.0
  • golang.org/x/text v0.8.0 -> v0.13.0

Previous release can be found at v1.6.24

v1.6.24: containerd 1.6.24

Compare Source

Welcome to the v1.6.24 release of containerd!

The twenty-fourth patch release for containerd 1.6 contains various fixes and updates.

Notable Updates
  • CRI: fix leaked shim caused by high IO pressure (#​9004)
  • Update to go1.20.8 (#​9073)
  • Update runc to v1.1.9 (#​8966)
  • Backport: add configurable mount options to overlay snapshotter (#​8961)
  • log: cleanups and improvements to decouple more from logrus (#​9002)

See the changelog for complete list of changes

Please try out the release binaries and report any issues at
https://github.com/containerd/containerd/issues.

Contributors
  • Sebastiaan van Stijn
  • Akihiro Suda
  • Wei Fu
  • Derek McGowan
  • Akhil Mohan
  • Cardy.Tang
  • Danny Canter
  • Kazuyoshi Kato
  • Mike Brown
  • Phil Estes
  • Samuel Karp
Changes
45 commits

  • [release/1.6] Prepare release notes for v1.6.24 (#​9087)
    • cdd59290d Prepare release notes for v1.6.24
  • [release/1.6 backport] log: cleanups and improvements to decouple more from logrus (#​9002)
    • 33c2d88e7 Revert "log: define G() as a function instead of a variable"
    • 0a7f2975e log: swap logrus functions with their equivalent on default logger
    • 9d175a19b log: add package documentation and summary of package's purpose
    • 96fb65529 log: make Fields type a generic map[string]any
    • bace17e2e log: add log.Entry type
    • dd127885f log: define OutputFormat type
    • 5b4cf2329 log: define G() as a function instead of a variable
    • ee1b4a1e2 log: add all log-levels that are accepted
    • d563a411f log: group "enum" consts and touch-up docs
    • 6e8f4555b log: WithLogger: remove redundant intermediate var
    • c19325559 log: SetFormat: include returns in switch
    • c3c22f8cb log: remove gotest.tools dependency
  • [release/1.6] update to go1.20.8 (#​9073)
  • [release/1.6 backport] make repositories of install dependencies configurable (#​9024)
    • 0da8dcaa7 make repositories of install dependencies configurable
  • [release/1.6 backport] update Golang to go1.20.7, minimum version go1.19 (#​9020)
    • 8e6a9de5b update to go1.20.7, go1.19.12
    • 8b2eb371f Update Go to 1.20.6,1.19.11
    • cff669c7a update go to go1.20.5, go1.19.10
    • f34a22de9 update go to go1.20.4, go1.19.9
    • e8e73065e update go to go1.20.3, go1.19.8
    • 9b3f950d6 Go 1.20.2
    • 17d03ac68 Go 1.20.1
    • 861f65447 go.mod: go 1.19
    • 81fa93784 Stop using math/rand.Read and rand.Seed (deprecated in Go 1.20)
    • 70dc11a6c lint: remove //nolint:dupword that are no longer needed
    • fec784a06 lint: silence "SA1019: tar.TypeRegA has been deprecated... (staticheck)"
    • 6648df1ad lint: silence "type HostFileConfig is unused (unused)"
    • e6b268bc7 golangci-lint v1.51.1
    • c552ccf67 go.mod: golang.org/x/sync v0.1.0
  • [releases/1.6] *: fix leaked shim caused by high IO pressure (#​9004)
    • d00af5c3e integration: issue7496 case should work for runc.v2 only
    • 583696e4e Vagrantfile: add strace tool
    • ab21d60d2 pkg/cri/server: add criService as argument when handle exit event
    • a229883cb pkg/cri/server: fix leaked shim issue
    • d8f824200 integration: add case to reproduce #​7496
  • [release/1.6] Cherry-pick: [overlay] add configurable mount options to overlay snapshotter (#​8961)
    • 8cd40e1d0 Add configurable mount options to overlay
    • 453fa397a feat: make overlay sync removal configurable
  • [release/1.6 backport] update runc binary to v1.1.9 (#​8966)

Dependency Changes
  • golang.org/x/sync 036812b -> v0.1.0

Previous release can be found at v1.6.23

v1.6.23: containerd 1.6.23

Compare Source

Welcome to the v1.6.23 release of containerd!

The twenty-third patch release for containerd 1.6 contains various fixes and updates.

Notable Updates
  • Add stable ABI support in windows platform matcher + update hcsshim tag (#8854)
  • cri: Don't use rel path for image volumes (#8927)
  • Upgrade GitHub actions packages in release workflow (#8908)
  • update to go1.19.12 (#8905)
  • backport: ro option for userxattr mount check + cherry-pick: Fix ro mount option being passed (#8888)

See the changelog for complete list of changes

Please try out the release binaries and report any issues at
https://github.com/containerd/containerd/issues.

Contributors
  • Kirtana Ashok
  • Maksym Pavlenko
  • Austin Vazquez
  • Ben Foster
  • Derek McGowan
  • Mike Brown
  • Phil Estes
  • Rodrigo Campos
  • Sebastiaan van Stijn
  • Wei Fu
Changes
13 commits

  • [release/1.6] Add release notes for v1.6.23 (#​8939)
  • [release/1.6] Add stable ABI support in windows platform matcher + update hcsshim tag (#​8854)
    • f51bf1960 Add support for stable ABI windows versions
    • 43a02c0b2 Update hcsshim tag to v0.9.10
  • [release/1.6] cri: Don't use rel path for image volumes (#​8927)
    • cc5b0a21b cri: Don't use rel path for image volumes
  • [release/1.6 backport] Upgrade GitHub actions packages in release workflow (#​8908)
    • 4238cff1c Upgrade GitHub actions packages in release workflow
  • [release/1.6] update to go1.19.12 (#​8905)
  • [release/1.6] backport: ro option for userxattr mount check + cherry-pick: Fix ro mount option being passed (#​8888)

Dependency Changes
  • github.com/Microsoft/hcsshim v0.9.8 -> v0.9.10

Previous release can be found at v1.6.22

v1.6.22: containerd 1.6.22

Compare Source

Welcome to the v1.6.22 release of containerd!

The twenty-second patch release for containerd 1.6 contains various fixes and updates.

Notable Updates
  • RunC: Update runc binary to v1.1.8 (#​8842)
  • CRI: Fix additionalGids: it should fallback to imageConfig.User when securityContext.RunAsUser,RunAsUsername are empty (#​8823)
  • CRI: Write generated CNI config atomically (#​8826)
  • Fix concurrent writes for UpdateContainerStats (#​8819)
  • Make checkContainerTimestamps less strict on Windows (#​8827)
  • Port-Forward: Correctly handle known errors (#​8805)
  • Resolve docker.NewResolver race condition (#​8800)
  • SecComp: Always allow name_to_handle_at (#​8754)
  • Adding support to run hcsshim from local clone (#​8713)
  • Pinned image support ([#​8720](https://redirect.github.com/containerd/containe

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.
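
The GHSA-5j5w-g665-5m35 advisory quoted in the comment above says patched containerd rejects manifests that contain a "manifests" field and indices that contain a "layers" field. The Go program below is an added example, not containerd's code and not part of this PR: `CheckDocument`, the error names and the sample documents are constructed for illustration, and the `mediaType` comparison is an extra check beyond what the advisory states.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// OCI media types a registry sends in the Content-Type header.
const (
	mediaTypeManifest = "application/vnd.oci.image.manifest.v1+json"
	mediaTypeIndex    = "application/vnd.oci.image.index.v1+json"
)

// Hypothetical error values for this example.
var (
	ErrAmbiguous = errors.New("ambiguous manifest/index document")
	ErrMismatch  = errors.New("embedded mediaType disagrees with Content-Type")
)

// Constructed sample: one byte string (hence one digest) that could be
// deserialized as either a manifest or an index.
const ambiguousDoc = `{"schemaVersion": 2, "layers": [], "manifests": []}`

// Constructed sample: an unambiguous image manifest.
const cleanManifest = `{"schemaVersion": 2,
  "mediaType": "application/vnd.oci.image.manifest.v1+json", "layers": []}`

// hasKey reports whether the top-level JSON object has the given key.
// The comparison is case-insensitive because encoding/json also matches
// struct fields case-insensitively, so "Manifests" would be decoded too.
func hasKey(doc map[string]json.RawMessage, key string) bool {
	for k := range doc {
		if strings.EqualFold(k, key) {
			return true
		}
	}
	return false
}

// CheckDocument applies the rejection rule from the advisory to a document
// fetched with the given Content-Type, before it is deserialized as that type.
func CheckDocument(contentType string, body []byte) error {
	var doc map[string]json.RawMessage
	if err := json.Unmarshal(body, &doc); err != nil {
		return fmt.Errorf("not a JSON object: %w", err)
	}
	if doc == nil { // the literal "null" decodes without error
		return errors.New("not a JSON object: null")
	}

	switch contentType {
	case mediaTypeManifest:
		if hasKey(doc, "manifests") {
			return fmt.Errorf("%w: manifest contains \"manifests\"", ErrAmbiguous)
		}
	case mediaTypeIndex:
		if hasKey(doc, "layers") {
			return fmt.Errorf("%w: index contains \"layers\"", ErrAmbiguous)
		}
	default:
		return fmt.Errorf("unsupported Content-Type %q", contentType)
	}

	// Extra check (not stated in the advisory): when the document names its
	// own mediaType, it must agree with the header it was served with.
	if raw, ok := doc["mediaType"]; ok {
		var mt string
		if err := json.Unmarshal(raw, &mt); err != nil {
			return fmt.Errorf("mediaType is not a string: %w", err)
		}
		if mt != contentType {
			return fmt.Errorf("%w: %q served as %q", ErrMismatch, mt, contentType)
		}
	}
	return nil
}

func main() {
	for _, ct := range []string{mediaTypeManifest, mediaTypeIndex} {
		fmt.Printf("ambiguous doc as %s: %v\n", ct, CheckDocument(ct, []byte(ambiguousDoc)))
	}
	fmt.Printf("clean manifest: %v\n", CheckDocument(mediaTypeManifest, []byte(cleanManifest)))
}
```
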


renovate Bot commented Jan 24, 2025

ℹ Artifact update notice

File name: app/platform/fabric/e2e-test/specs/go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

  • 76 additional dependencies were updated

Details:

Package Change
cloud.google.com/go v0.38.0 -> v0.110.4
github.com/Azure/go-autorest/autorest v0.9.0 -> v0.11.18
github.com/Azure/go-autorest/autorest/adal v0.5.0 -> v0.9.13
github.com/Azure/go-autorest/autorest/date v0.1.0 -> v0.3.0
github.com/Azure/go-autorest/autorest/mocks v0.2.0 -> v0.4.1
github.com/Azure/go-autorest/logger v0.1.0 -> v0.2.1
github.com/Azure/go-autorest/tracing v0.5.0 -> v0.6.0
github.com/Microsoft/go-winio v0.4.15-0.20190919025122-fc70bd9a86b5 -> v0.5.2
github.com/Microsoft/hcsshim v0.8.7-0.20191101173118-65519b62243c -> v0.9.10
github.com/PuerkitoBio/purell v1.0.0 -> v1.1.1
github.com/PuerkitoBio/urlesc v0.0.0-20160726150825-5bd2802263f2 -> v0.0.0-20170810143723-de5bf2ad4578
github.com/blang/semver v3.1.0+incompatible -> v3.5.1+incompatible
github.com/containerd/cgroups v0.0.0-20190919134610-bf292b21730f -> v1.0.4
github.com/containerd/continuity v0.0.0-20190426062206-aaeac12a7ffc -> v0.3.0
github.com/containerd/fifo v0.0.0-20190226154929-a9fb20d87448 -> v1.0.0
github.com/containerd/go-runc v0.0.0-20180907222934-5a6d9f37cfa3 -> v1.0.0
github.com/containerd/ttrpc v0.0.0-20190828154514-0e0f228740de -> v1.1.2
github.com/containerd/typeurl v0.0.0-20180627222232-a93fcdb778cd -> v1.0.2
github.com/coreos/go-semver v0.2.0 -> v0.3.0
github.com/elazarl/goproxy v0.0.0-20170405201442-c4fc26588b6e -> v0.0.0-20180725130230-947c36da3153
github.com/emicklei/go-restful v0.0.0-20170410110728-ff4f55a20633 -> v2.16.0+incompatible
github.com/evanphx/json-patch v4.9.0+incompatible -> v4.11.0+incompatible
github.com/ghodss/yaml v0.0.0-20150909031657-73d445a93680 -> v1.0.0
github.com/go-openapi/jsonpointer v0.0.0-20160704185906-46af16f9f7b1 -> v0.19.3
github.com/go-openapi/jsonreference v0.0.0-20160704190145-13c6e3589ad9 -> v0.19.3
github.com/go-openapi/spec v0.0.0-20160808142527-6aced65f8501 -> v0.19.3
github.com/go-openapi/swag v0.0.0-20160704191624-1d0bd113de87 -> v0.19.5
github.com/gogo/protobuf v1.2.2-0.20190723190241-65acae22fc9d -> v1.3.2
github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b -> v1.1.0
github.com/golang/groupcache v0.0.0-20160516000752-02826c3e7903 -> v0.0.0-20210331224755-41bb18bfe9da
github.com/golang/mock v1.2.0 -> v1.6.0
github.com/google/btree v1.0.0 -> v1.0.1
github.com/google/gofuzz v1.0.0 -> v1.2.0
github.com/google/uuid v1.1.1 -> v1.3.0
github.com/googleapis/gax-go/v2 v2.0.4 -> v2.11.0
github.com/googleapis/gnostic v0.0.0-20170729233727-0c5108395e2d -> v0.5.5
github.com/hashicorp/errwrap v0.0.0-20141028054710-7554cd9344ce -> v1.1.0
github.com/hashicorp/go-multierror v0.0.0-20161216184304-ed905158d874 -> v1.1.1
github.com/imdario/mergo v0.3.5 -> v0.3.12
github.com/json-iterator/go v1.1.8 -> v1.1.12
github.com/jstemmer/go-junit-report v0.0.0-20190106144839-af01ea7f8024 -> v0.9.1
github.com/kisielk/errcheck v1.2.0 -> v1.5.0
github.com/konsorten/go-windows-terminal-sequences v1.0.2 -> v1.0.3
github.com/kr/pty v1.1.1 -> v1.1.5
github.com/kr/text v0.1.0 -> v0.2.0
github.com/modern-go/reflect2 v1.0.1 -> v1.0.2
github.com/morikuni/aec v0.0.0-20170113033406-39771216ff4c -> v1.0.0
github.com/munnerz/goautoneg v0.0.0-20120707110453-a547fc61f48d -> v0.0.0-20191010083416-a7dc8b61c822
github.com/opencontainers/go-digest v1.0.0-rc1 -> v1.0.0
github.com/opencontainers/image-spec v1.0.2 -> v1.1.0-rc2.0.20221005185240-3a7f492d3f1b
github.com/pelletier/go-toml v1.2.0 -> v1.9.5
github.com/prometheus/procfs v0.0.5 -> v0.7.3
github.com/russross/blackfriday v1.5.2 -> v1.6.0
github.com/sirupsen/logrus v1.8.1 -> v1.9.3
github.com/spf13/cobra v0.0.5 -> v1.0.0
github.com/spf13/viper v1.3.2 -> v1.4.0
github.com/urfave/cli v1.22.1 -> v1.22.2
github.com/xeipuuv/gojsonschema v0.0.0-20180618132009-1d523034197f -> v1.2.0
go.opencensus.io v0.22.0 -> v0.24.0
golang.org/x/lint v0.0.0-20190313153728-d0100b6bd8b3 -> v0.0.0-20200302205851-738671d3881b
golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45 -> v0.10.0
golang.org/x/time v0.0.0-20190308202827-9d24e82272b4 -> v0.0.0-20210723032227-1f47c861a9ac
golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1 -> v0.0.0-20220907171357-04be3eba64a2
google.golang.org/api v0.4.0 -> v0.126.0
google.golang.org/appengine v1.5.0 -> v1.6.7
google.golang.org/genproto v0.0.0-20190425155659-357c62f0e4bb -> v0.0.0-20230711160842-782d3b101e98
google.golang.org/grpc v1.22.0 -> v1.58.3
gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127 -> v1.0.0-20200227125254-8fa46927fb4f
honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc -> v0.0.1-2020.1.3
k8s.io/api v0.17.16 -> v0.22.5
k8s.io/apimachinery v0.17.16 -> v0.22.5
k8s.io/client-go v0.17.16 -> v0.22.5
k8s.io/gengo v0.0.0-20190128074634-0689ccc1d7d6 -> v0.0.0-20201113003025-83324d819ded
k8s.io/kube-openapi v0.0.0-20200410145947-bcb3869e6f29 -> v0.0.0-20211109043538-20434351676c
k8s.io/utils v0.0.0-20191114184206-e782cd3c129f -> v0.0.0-20210930125809-cb0fa318a74b
sigs.k8s.io/yaml v1.1.0 -> v1.2.0

@sourcery-ai

sourcery-ai Bot commented Jan 24, 2025

Reviewer's Guide by Sourcery

This PR updates the github.com/containerd/containerd module from v1.3.0 to v1.5.16, which includes several security fixes.

No diagrams generated as the changes look simple and do not need a visual representation.

File-Level Changes

Change Details Files
Updated the containerd module to address multiple security vulnerabilities. app/platform/fabric/e2e-test/specs/go.mod
app/platform/fabric/e2e-test/specs/go.sum


@sourcery-ai sourcery-ai Bot left a comment


We have skipped reviewing this pull request. It seems to have been created by a bot (hey, renovate[bot]!). We assume it knows what it's doing!

@renovate renovate Bot force-pushed the renovate/go-github.com-containerd-containerd-vulnerability branch from 1be46f0 to c736fc4 Compare January 24, 2025 13:59
@renovate renovate Bot changed the title chore(deps): update module github.com/containerd/containerd to v1.5.16 [security] chore(deps): update module github.com/containerd/containerd to v1.5.18 [security] Jan 24, 2025
@renovate renovate Bot force-pushed the renovate/go-github.com-containerd-containerd-vulnerability branch 2 times, most recently from cbf978d to d441465 Compare January 24, 2025 18:52
roderik pushed a commit that referenced this pull request Jan 24, 2025
This PR contains the following updates:

| Package | Type | Update | Change | OpenSSF |
|---|---|---|---|---|
| [npm-run-all2](https://redirect.github.com/bcomnes/npm-run-all2) |
dependencies | major | [`5.0.0` ->
`7.0.2`](https://renovatebot.com/diffs/npm/npm-run-all2/5.0.0/7.0.2) |
[![OpenSSF
Scorecard](https://api.securityscorecards.dev/projects/github.com/bcomnes/npm-run-all2/badge)](https://securityscorecards.dev/viewer/?uri=github.com/bcomnes/npm-run-all2)
|

---

### Release Notes

<details>
<summary>bcomnes/npm-run-all2 (npm-run-all2)</summary>

###
[`v7.0.2`](https://redirect.github.com/bcomnes/npm-run-all2/blob/HEAD/CHANGELOG.md#v702)

[Compare
Source](https://redirect.github.com/bcomnes/npm-run-all2/compare/v7.0.1...v7.0.2)

##### Merged

- Upgrade: Bump neostandard from 0.11.9 to 0.12.0
[`#164`](https://redirect.github.com/bcomnes/npm-run-all2/pull/164)
- Upgrade: Bump codecov/codecov-action from 4 to 5
[`#161`](https://redirect.github.com/bcomnes/npm-run-all2/pull/161)

##### Commits

- Raise cross-spawn version floor to ^7.0.6
[`45a9e19`](https://redirect.github.com/bcomnes/npm-run-all2/commit/45a9e191b75e0b76433409808b6219d1f4dffe83)
- Merge pull request
[#&#8203;163](https://redirect.github.com/bcomnes/npm-run-all2/issues/163)
from bcomnes/dependabot/npm_and_yarn/mocha-11.0.1
[`285967a`](https://redirect.github.com/bcomnes/npm-run-all2/commit/285967a3fc5076d8c22ecb14823eb6fc274dd835)
- Upgrade: Bump mocha from 10.8.2 to 11.0.1
[`5d1aea5`](https://redirect.github.com/bcomnes/npm-run-all2/commit/5d1aea58f17abd201515f737c06bbe8044d05d21)

###
[`v7.0.1`](https://redirect.github.com/bcomnes/npm-run-all2/blob/HEAD/CHANGELOG.md#v701)

[Compare
Source](https://redirect.github.com/bcomnes/npm-run-all2/compare/v7.0.0...v7.0.1)

##### Commits

- Revert engine range bump back to Node 18
[`b2e849b`](https://redirect.github.com/bcomnes/npm-run-all2/commit/b2e849bf8d31135751dd7458724344dd1bca120e)

###
[`v7.0.0`](https://redirect.github.com/bcomnes/npm-run-all2/blob/HEAD/CHANGELOG.md#v700---2024-10-21)

[Compare
Source](https://redirect.github.com/bcomnes/npm-run-all2/compare/v6.2.6...v7.0.0)

##### Merged

- Prevent a throw when looking up undefined results
[`#158`](https://redirect.github.com/bcomnes/npm-run-all2/pull/158)

##### Commits

- **Breaking change:** Bump node engines ^18.17.0 || >=20.5.0
[`49b95f0`](https://redirect.github.com/bcomnes/npm-run-all2/commit/49b95f0c4905504a94d1a7ce87fbb7e77ab60df5)
- Merge pull request
[#&#8203;156](https://redirect.github.com/bcomnes/npm-run-all2/issues/156)
from bcomnes/rm-rf-rimraf
[`c661ffc`](https://redirect.github.com/bcomnes/npm-run-all2/commit/c661ffc942e09a68b1a553190d3a550dc0f6a39c)
- Remove rimraf
[`c77e085`](https://redirect.github.com/bcomnes/npm-run-all2/commit/c77e0856c65115b32788c3e9a1e441ba69fbd430)

###
[`v6.2.6`](https://redirect.github.com/bcomnes/npm-run-all2/blob/HEAD/CHANGELOG.md#v626---2024-10-21)

[Compare
Source](https://redirect.github.com/bcomnes/npm-run-all2/compare/ee3bf122e700102b9ab27b1d172d98856765f4a4...v6.2.6)

##### Commits

- Prevent a throw when looking up undefined results
[`d928f9a`](https://redirect.github.com/bcomnes/npm-run-all2/commit/d928f9ad59c00a20797c90d35b62ef0aecf0c364)

###
[`v6.2.5`](https://redirect.github.com/bcomnes/npm-run-all2/compare/v6.2.4...ee3bf122e700102b9ab27b1d172d98856765f4a4)

[Compare
Source](https://redirect.github.com/bcomnes/npm-run-all2/compare/v6.2.4...ee3bf122e700102b9ab27b1d172d98856765f4a4)

###
[`v6.2.4`](https://redirect.github.com/bcomnes/npm-run-all2/blob/HEAD/CHANGELOG.md#v624)

[Compare
Source](https://redirect.github.com/bcomnes/npm-run-all2/compare/v6.2.3...v6.2.4)

##### Merged

- Switch to JS-based `which` command
[`#154`](https://redirect.github.com/bcomnes/npm-run-all2/pull/154)

##### Fixed

- Switch to JS-based `which` command
[`#153`](https://redirect.github.com/bcomnes/npm-run-all2/issues/153)

###
[`v6.2.3`](https://redirect.github.com/bcomnes/npm-run-all2/blob/HEAD/CHANGELOG.md#v623)

[Compare
Source](https://redirect.github.com/bcomnes/npm-run-all2/compare/v6.2.2...v6.2.3)

##### Commits

- Merge pull request
[#&#8203;151](https://redirect.github.com/bcomnes/npm-run-all2/issues/151)
from bcomnes/fix-pnpm-agian
[`c43fa2b`](https://redirect.github.com/bcomnes/npm-run-all2/commit/c43fa2b677442c710a29654a333b15c8de4f00ab)
- Avoid passing config fields as flags for pnpm
[`dc2d7da`](https://redirect.github.com/bcomnes/npm-run-all2/commit/dc2d7da61cf0898d0bc2b25747e588325e06b9a9)

###
[`v6.2.2`](https://redirect.github.com/bcomnes/npm-run-all2/blob/HEAD/CHANGELOG.md#v622)

[Compare
Source](https://redirect.github.com/bcomnes/npm-run-all2/compare/v6.2.1...v6.2.2)

##### Commits

- Revert "Compatibility: npm, yarn and pnpm run scripts"
[`fc35f0d`](https://redirect.github.com/bcomnes/npm-run-all2/commit/fc35f0dc4f78afc1c631fa94b6ac85ba0fb0e7b1)

###
[`v6.2.1`](https://redirect.github.com/bcomnes/npm-run-all2/blob/HEAD/CHANGELOG.md#v621)

[Compare
Source](https://redirect.github.com/bcomnes/npm-run-all2/compare/v6.2.0...v6.2.1)

##### Merged

- Compatibility: npm, yarn and pnpm run scripts
[`#143`](https://redirect.github.com/bcomnes/npm-run-all2/pull/143)
- Use neostandard + add more static code analysis
[`#142`](https://redirect.github.com/bcomnes/npm-run-all2/pull/142)
- Upgrade: Bump c8 from 9.1.0 to 10.0.0
[`#141`](https://redirect.github.com/bcomnes/npm-run-all2/pull/141)
- Upgrade: Bump p-queue from 7.4.1 to 8.0.1
[`#138`](https://redirect.github.com/bcomnes/npm-run-all2/pull/138)

###
[`v6.2.0`](https://redirect.github.com/bcomnes/npm-run-all2/blob/HEAD/CHANGELOG.md#v620)

[Compare
Source](https://redirect.github.com/bcomnes/npm-run-all2/compare/v6.1.2...v6.2.0)

##### Merged

- Placeholder that unfolds into multiple tasks
[`#134`](https://redirect.github.com/bcomnes/npm-run-all2/pull/134)
- 📝 add compatibility note for pnpm.
[`#136`](https://redirect.github.com/bcomnes/npm-run-all2/pull/136)
- Upgrade: Bump codecov/codecov-action from 3 to 4
[`#131`](https://redirect.github.com/bcomnes/npm-run-all2/pull/131)

###
[`v6.1.2`](https://redirect.github.com/bcomnes/npm-run-all2/blob/HEAD/CHANGELOG.md#v612)

[Compare
Source](https://redirect.github.com/bcomnes/npm-run-all2/compare/v6.1.1...v6.1.2)

##### Merged

- feat: move to read-package-json-fast
[`#130`](https://redirect.github.com/bcomnes/npm-run-all2/pull/130)
- Upgrade: Bump c8 from 8.0.1 to 9.0.0
[`#127`](https://redirect.github.com/bcomnes/npm-run-all2/pull/127)
- Upgrade: Bump github/codeql-action from 2 to 3
[`#126`](https://redirect.github.com/bcomnes/npm-run-all2/pull/126)
- Upgrade: Bump actions/setup-node from 3 to 4
[`#123`](https://redirect.github.com/bcomnes/npm-run-all2/pull/123)

##### Commits

- Publish the whole project
[`3dde20c`](https://redirect.github.com/bcomnes/npm-run-all2/commit/3dde20c1c8fa973045773e03f4fc121360fdbed4)
- Utilize CJS require for 'read-package-json-fast'
[`605ca15`](https://redirect.github.com/bcomnes/npm-run-all2/commit/605ca15d9adee3ce14da6fcaa98cb14d9c03795c)
- Update FUNDING.yml
[`c838ee9`](https://redirect.github.com/bcomnes/npm-run-all2/commit/c838ee9eea06e545d1a7f25592f7beb8468f1afd)

###
[`v6.1.1`](https://redirect.github.com/bcomnes/npm-run-all2/blob/HEAD/CHANGELOG.md#v611)

[Compare
Source](https://redirect.github.com/bcomnes/npm-run-all2/compare/v6.1.0...v6.1.1)

##### Commits

- Add an npm-run-all2 bin alias
[`e6dc017`](https://redirect.github.com/bcomnes/npm-run-all2/commit/e6dc0175006a9a703c1256949f8424922043a33a)
- Fix npx on node 16
[`cfbd974`](https://redirect.github.com/bcomnes/npm-run-all2/commit/cfbd974a5990e8d549ae8bf7bfb632424ff4990b)

###
[`v6.1.0`](https://redirect.github.com/bcomnes/npm-run-all2/blob/HEAD/CHANGELOG.md#v610---2023-10-04)

[Compare
Source](https://redirect.github.com/bcomnes/npm-run-all2/compare/v6.0.6...v6.1.0)

##### Merged

- Upgrade: Bump actions/checkout from 3 to 4
[`#119`](https://redirect.github.com/bcomnes/npm-run-all2/pull/119)

##### Commits

- Lets avoid spawn.sync
[`a3ee6cd`](https://redirect.github.com/bcomnes/npm-run-all2/commit/a3ee6cd9e051471bfd7b1b4d153aa260fc9b6634)
- Add support for pnpm
([#&#8203;117](https://redirect.github.com/bcomnes/npm-run-all2/issues/117))
[`3df3708`](https://redirect.github.com/bcomnes/npm-run-all2/commit/3df37084ab1ae55f873fcbb449ad0d7df8bc328f)

###
[`v6.0.6`](https://redirect.github.com/bcomnes/npm-run-all2/blob/HEAD/CHANGELOG.md#v606---2023-07-04)

[Compare
Source](https://redirect.github.com/bcomnes/npm-run-all2/compare/v6.0.5...v6.0.6)

##### Merged

- Update all esm only packages
[`#114`](https://redirect.github.com/bcomnes/npm-run-all2/pull/114)
- Upgrade: Bump c8 from 7.14.0 to 8.0.0
[`#111`](https://redirect.github.com/bcomnes/npm-run-all2/pull/111)
- Delete .nycrc
[`#109`](https://redirect.github.com/bcomnes/npm-run-all2/pull/109)
- Update CodeQL workflow
[`#110`](https://redirect.github.com/bcomnes/npm-run-all2/pull/110)

##### Commits

- Lint fix and a few hand fixes
[`2c81236`](https://redirect.github.com/bcomnes/npm-run-all2/commit/2c8123694b73084f37b68eb6719632024331d2e9)
- Fix tests
[`79e2c97`](https://redirect.github.com/bcomnes/npm-run-all2/commit/79e2c97c5b32c46d5cf64ce37b3b78cf4035498e)
- Update p-queue and ansi-styles
[`10b075c`](https://redirect.github.com/bcomnes/npm-run-all2/commit/10b075c849153822e9abc1447222d186a1cd6136)

###
[`v6.0.5`](https://redirect.github.com/bcomnes/npm-run-all2/blob/HEAD/CHANGELOG.md#v605---2023-04-03)

[Compare
Source](https://redirect.github.com/bcomnes/npm-run-all2/compare/v6.0.4...v6.0.5)

##### Merged

- Upgrade: Bump bcomnes/npm-bump from 2.1.0 to 2.2.1
[`#104`](https://redirect.github.com/bcomnes/npm-run-all2/pull/104)
- Upgrade: Bump minimatch from 6.2.0 to 7.0.0
[`#103`](https://redirect.github.com/bcomnes/npm-run-all2/pull/103)
- Upgrade: Bump minimatch from 5.1.4 to 6.0.4
[`#102`](https://redirect.github.com/bcomnes/npm-run-all2/pull/102)
- Upgrade: Bump fs-extra from 10.1.0 to 11.1.0
[`#98`](https://redirect.github.com/bcomnes/npm-run-all2/pull/98)

##### Commits

- Merge pull request
[#&#8203;105](https://redirect.github.com/bcomnes/npm-run-all2/issues/105)
from bcomnes/dependabot/npm_and_yarn/minimatch-8.0.2
[`cbf78c8`](https://redirect.github.com/bcomnes/npm-run-all2/commit/cbf78c8155365db9ec06cb8054bc821e057d06e2)
- Upgrade: Bump minimatch from 7.4.4 to 8.0.2
[`c90d02b`](https://redirect.github.com/bcomnes/npm-run-all2/commit/c90d02b02df6dd33cbab01caac44b9729e012bb9)
- Merge pull request
[#&#8203;101](https://redirect.github.com/bcomnes/npm-run-all2/issues/101)
from bcomnes/dependabot/npm_and_yarn/rimraf-4.0.4
[`d0d46a2`](https://redirect.github.com/bcomnes/npm-run-all2/commit/d0d46a2b0aa87a3c0c79b78a013415e7902c8324)

###
[`v6.0.4`](https://redirect.github.com/bcomnes/npm-run-all2/blob/HEAD/CHANGELOG.md#v604---2022-11-09)

[Compare
Source](https://redirect.github.com/bcomnes/npm-run-all2/compare/v6.0.3...v6.0.4)

##### Merged

- When running through npx, use the npm that should be next to it.
[`#96`](https://redirect.github.com/bcomnes/npm-run-all2/pull/96)

###
[`v6.0.3`](https://redirect.github.com/bcomnes/npm-run-all2/blob/HEAD/CHANGELOG.md#v603---2022-11-09)

[Compare
Source](https://redirect.github.com/bcomnes/npm-run-all2/compare/v6.0.2...v6.0.3)

##### Merged

- Upgrade: Bump jsdoc from 3.6.11 to 4.0.0
[`#95`](https://redirect.github.com/bcomnes/npm-run-all2/pull/95)
- Upgrade: Bump bcomnes/npm-bump from 2.0.2 to 2.1.0
[`#92`](https://redirect.github.com/bcomnes/npm-run-all2/pull/92)
- docs: update minimum supported Node version
[`#90`](https://redirect.github.com/bcomnes/npm-run-all2/pull/90)

##### Commits

- Merge pull request
[#&#8203;94](https://redirect.github.com/bcomnes/npm-run-all2/issues/94)
from MarmadileManteater/runjs-being-called-instead-of-npm-run
[`da913f9`](https://redirect.github.com/bcomnes/npm-run-all2/commit/da913f9481543907457bd2298ad17192a4420874)
- Use NPM_CLI_JS over npm_execpath
[`0224167`](https://redirect.github.com/bcomnes/npm-run-all2/commit/022416740f0d9cf8eae2f2e4ca4de8d09a6b67d8)
- Add a proper check for yarn
[`bb41ef6`](https://redirect.github.com/bcomnes/npm-run-all2/commit/bb41ef6fd85a803a4a22e8382f67ea9e3e235b7d)

###
[`v6.0.2`](https://redirect.github.com/bcomnes/npm-run-all2/blob/HEAD/CHANGELOG.md#v602---2022-08-16)

[Compare
Source](https://redirect.github.com/bcomnes/npm-run-all2/compare/v6.0.1...v6.0.2)

##### Merged

- Update package shell quote
[`#89`](https://redirect.github.com/bcomnes/npm-run-all2/pull/89)

###
[`v6.0.1`](https://redirect.github.com/bcomnes/npm-run-all2/blob/HEAD/CHANGELOG.md#v601---2022-06-14)

[Compare
Source](https://redirect.github.com/bcomnes/npm-run-all2/compare/v6.0.0...v6.0.1)

##### Commits

- Lower bound node engine to ^14.18.0 || >=16.0.0
[`fc2957f`](https://redirect.github.com/bcomnes/npm-run-all2/commit/fc2957f4814848b55bc29b0a0a1def8bfadda18b)

###
[`v6.0.0`](https://redirect.github.com/bcomnes/npm-run-all2/blob/HEAD/CHANGELOG.md#v600---2022-06-11)

[Compare
Source](https://redirect.github.com/bcomnes/npm-run-all2/compare/v5.0.2...v6.0.0)

##### Merged

- Move support to node 16 and npm 8
[`#85`](https://redirect.github.com/bcomnes/npm-run-all2/pull/85)
- Upgrade: Bump pidtree from 0.5.0 to 0.6.0
[`#84`](https://redirect.github.com/bcomnes/npm-run-all2/pull/84)
- Upgrade: Bump mocha from 9.2.2 to 10.0.0
[`#83`](https://redirect.github.com/bcomnes/npm-run-all2/pull/83)
- Upgrade: Bump github/codeql-action from 1 to 2
[`#82`](https://redirect.github.com/bcomnes/npm-run-all2/pull/82)
- Upgrade: Bump fastify/github-action-merge-dependabot from 3.0.2 to 3.1
[`#78`](https://redirect.github.com/bcomnes/npm-run-all2/pull/78)
- Upgrade: Bump codecov/codecov-action from 2 to 3
[`#77`](https://redirect.github.com/bcomnes/npm-run-all2/pull/77)
- Upgrade: Bump actions/setup-node from 2 to 3
[`#75`](https://redirect.github.com/bcomnes/npm-run-all2/pull/75)
- Upgrade: Bump actions/checkout from 2 to 3
[`#76`](https://redirect.github.com/bcomnes/npm-run-all2/pull/76)
- Upgrade: Bump minimatch from 4.2.1 to 5.0.0
[`#74`](https://redirect.github.com/bcomnes/npm-run-all2/pull/74)
- Upgrade: Bump minimatch from 3.1.1 to 4.1.1
[`#73`](https://redirect.github.com/bcomnes/npm-run-all2/pull/73)
- Upgrade: Bump fastify/github-action-merge-dependabot from 2.7.1 to
3.0.2 [`#72`](https://redirect.github.com/bcomnes/npm-run-all2/pull/72)
- Upgrade: Bump fastify/github-action-merge-dependabot from 2.7.0 to
2.7.1 [`#71`](https://redirect.github.com/bcomnes/npm-run-all2/pull/71)
- Upgrade: Bump fastify/github-action-merge-dependabot from 2.6.0 to
2.7.0 [`#70`](https://redirect.github.com/bcomnes/npm-run-all2/pull/70)
- Upgrade: Bump fastify/github-action-merge-dependabot from 2.5.0 to
2.6.0 [`#69`](https://redirect.github.com/bcomnes/npm-run-all2/pull/69)
- Simplify npm scripts
[`#64`](https://redirect.github.com/bcomnes/npm-run-all2/pull/64)
- Update CI config
[`#62`](https://redirect.github.com/bcomnes/npm-run-all2/pull/62)
- Add CodeQL workflow
[`#65`](https://redirect.github.com/bcomnes/npm-run-all2/pull/65)
- Switch to c8 for coverage
[`#66`](https://redirect.github.com/bcomnes/npm-run-all2/pull/66)
- tests: switch to assert's strict mode
[`#67`](https://redirect.github.com/bcomnes/npm-run-all2/pull/67)
- Enforce LF in the repo.
[`#61`](https://redirect.github.com/bcomnes/npm-run-all2/pull/61)
- Upgrade: Bump actions/setup-node from 2.4.0 to 2.4.1
[`#59`](https://redirect.github.com/bcomnes/npm-run-all2/pull/59)
- Upgrade: Bump fastify/github-action-merge-dependabot from 2.4.0 to
2.5.0 [`#58`](https://redirect.github.com/bcomnes/npm-run-all2/pull/58)
- Upgrade: Bump codecov/codecov-action from 2.0.2 to 2.1.0
[`#57`](https://redirect.github.com/bcomnes/npm-run-all2/pull/57)
- Upgrade: Bump fastify/github-action-merge-dependabot from 2.2.0 to
2.4.0 [`#54`](https://redirect.github.com/bcomnes/npm-run-all2/pull/54)
- Upgrade: Bump actions/setup-node from 2.3.2 to 2.4.0
[`#53`](https://redirect.github.com/bcomnes/npm-run-all2/pull/53)
- Upgrade: Bump actions/setup-node from 2.3.1 to 2.3.2
[`#52`](https://redirect.github.com/bcomnes/npm-run-all2/pull/52)
- Upgrade: Bump actions/setup-node from 2.3.0 to 2.3.1
[`#51`](https://redirect.github.com/bcomnes/npm-run-all2/pull/51)
- Upgrade: Bump codecov/codecov-action from 2.0.1 to 2.0.2
[`#50`](https://redirect.github.com/bcomnes/npm-run-all2/pull/50)
- Upgrade: Bump actions/setup-node from 2.2.0 to 2.3.0
[`#49`](https://redirect.github.com/bcomnes/npm-run-all2/pull/49)
- Upgrade: Bump codecov/codecov-action from 1.5.2 to 2.0.1
[`#48`](https://redirect.github.com/bcomnes/npm-run-all2/pull/48)
- Upgrade: Bump fastify/github-action-merge-dependabot from 2.1.1 to
2.2.0 [`#47`](https://redirect.github.com/bcomnes/npm-run-all2/pull/47)
- Upgrade: Bump actions/setup-node from 2.1.5 to 2.2.0
[`#46`](https://redirect.github.com/bcomnes/npm-run-all2/pull/46)
- Upgrade: Bump codecov/codecov-action from 1.5.0 to 1.5.2
[`#44`](https://redirect.github.com/bcomnes/npm-run-all2/pull/44)
- Upgrade: Bump mocha from 8.4.0 to 9.0.0
[`#43`](https://redirect.github.com/bcomnes/npm-run-all2/pull/43)
- Upgrade: Bump fastify/github-action-merge-dependabot from 2.1.0 to
2.1.1 [`#42`](https://redirect.github.com/bcomnes/npm-run-all2/pull/42)
- Upgrade: Bump fastify/github-action-merge-dependabot from 2.0.0 to
2.1.0 [`#41`](https://redirect.github.com/bcomnes/npm-run-all2/pull/41)
- Upgrade: Bump gh-release from 5.0.2 to 6.0.0
[`#40`](https://redirect.github.com/bcomnes/npm-run-all2/pull/40)
- Upgrade: Bump codecov/codecov-action from 1 to 1.5.0
[`#39`](https://redirect.github.com/bcomnes/npm-run-all2/pull/39)
- Upgrade: Bump fs-extra from 9.1.0 to 10.0.0
[`#38`](https://redirect.github.com/bcomnes/npm-run-all2/pull/38)
- Upgrade: Bump fastify/github-action-merge-dependabot from v1.2.1 to
v2.0.0 [`#33`](https://redirect.github.com/bcomnes/npm-run-all2/pull/33)
- Upgrade: Bump fastify/github-action-merge-dependabot
[`#32`](https://redirect.github.com/bcomnes/npm-run-all2/pull/32)
- Upgrade: Bump fastify/github-action-merge-dependabot from v1.1.1 to
v1.2.0 [`#31`](https://redirect.github.com/bcomnes/npm-run-all2/pull/31)
- Upgrade: Bump actions/setup-node from v2.1.4 to v2.1.5
[`#30`](https://redirect.github.com/bcomnes/npm-run-all2/pull/30)
- Upgrade: Bump gh-release from 4.0.4 to 5.0.0
[`#29`](https://redirect.github.com/bcomnes/npm-run-all2/pull/29)
- Upgrade: Bump actions/setup-node from v2.1.3 to v2.1.4
[`#28`](https://redirect.github.com/bcomnes/npm-run-all2/pull/28)
- Upgrade: Bump actions/setup-node from v2.1.2 to v2.1.3
[`#27`](https://redirect.github.com/bcomnes/npm-run-all2/pull/27)

##### Fixed

- Disable override tests on > npm 7
[`#79`](https://redirect.github.com/bcomnes/npm-run-all2/issues/79)

##### Commits

- **Breaking change:** Bump engines to node 16 and npm 8
[`7d19dd4`](https://redirect.github.com/bcomnes/npm-run-all2/commit/7d19dd47ee70286878f380934d18823310355471)
- Add auto merge
[`e598066`](https://redirect.github.com/bcomnes/npm-run-all2/commit/e598066fea7478e0fce14b4f09d64fdf37b0420f)
- Update test.yml
[`96260d6`](https://redirect.github.com/bcomnes/npm-run-all2/commit/96260d6c088ce0aa2bd367ff0736d653f5b0b1f1)

###
[`v5.0.2`](https://redirect.github.com/bcomnes/npm-run-all2/blob/HEAD/CHANGELOG.md#v502---2020-12-08)

[Compare
Source](https://redirect.github.com/bcomnes/npm-run-all2/compare/v5.0.1...v5.0.2)

##### Merged

- Upgrade: Bump ansi-styles from 4.3.0 to 5.0.0
[`#26`](https://redirect.github.com/bcomnes/npm-run-all2/pull/26)
- Upgrade: Bump actions/checkout from v2.3.3 to v2.3.4
[`#25`](https://redirect.github.com/bcomnes/npm-run-all2/pull/25)

###
[`v5.0.1`](https://redirect.github.com/bcomnes/npm-run-all2/blob/HEAD/CHANGELOG.md#v501---2020-10-24)

[Compare
Source](https://redirect.github.com/bcomnes/npm-run-all2/compare/v5.0.0...v5.0.1)

##### Commits

- Fix repo field to a valid format
[`00b88f8`](https://redirect.github.com/bcomnes/npm-run-all2/commit/00b88f8a399d45cb104a33357cf56015ab92a1c0)
- Remove duplicate repo field
[`a2d11ff`](https://redirect.github.com/bcomnes/npm-run-all2/commit/a2d11ff3f234812ba660be32f3a9a0aa45a510f6)
- Update FUNDING.yml
[`648a541`](https://redirect.github.com/bcomnes/npm-run-all2/commit/648a5418725b4330571e08e9e1300756c98edd76)

</details>

---

### Configuration

📅 **Schedule**: Branch creation - At any time (no schedule defined),
Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR was generated by [Mend Renovate](https://mend.io/renovate/).
View the [repository job
log](https://developer.mend.io/github/settlemint/hyperledger-explorer).


Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
@renovate renovate Bot force-pushed the renovate/go-github.com-containerd-containerd-vulnerability branch from d441465 to 3d3fbd8 Compare January 24, 2025 19:03
@renovate renovate Bot changed the title chore(deps): update module github.com/containerd/containerd to v1.5.18 [security] chore(deps): update module github.com/containerd/containerd to v1.6.26 [security] Jan 24, 2025
…6 [security]

Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
@renovate renovate Bot force-pushed the renovate/go-github.com-containerd-containerd-vulnerability branch from 3d3fbd8 to 0c874cc Compare January 24, 2025 19:13
@renovate renovate Bot merged commit 7dba78c into main Jan 24, 2025
@renovate renovate Bot deleted the renovate/go-github.com-containerd-containerd-vulnerability branch January 24, 2025 22:18