Merge pull request #40 from vigh-m/3p-updates

Bump containerd to latest upstream
bottlerocket-os · Jul 23, 2024 · c7832b4 · c7832b4
2 parents 733f865 + eb429bb
commit c7832b4
Show file tree

Hide file tree

Showing 7 changed files with 81 additions and 53 deletions.
diff --git a/advisories/staging/BRSA-zqgip7w0.toml b/advisories/staging/BRSA-zqgip7w0.toml
@@ -0,0 +1,16 @@
+[advisory]
+id = "BRSA-zqgip7w0"
+title = "containerd CVE-2023-47108"
+cve = "CVE-2023-47108"
+severity = "high"
+description = "The grpc Unary Server Interceptor in containerd's OpenTelemetry-Go dependency adds labels `net.peer.sock.addr` and `net.peer.sock.port` that have unbound cardinality. This flaw could lead to server memory exhaustion." 
+
+[[advisory.products]]
+package-name = "containerd"
+patched-version = "1.17.20"
+
+[updateinfo]
+author = "vighmah"
+issue-date = 2024-07-22T20:29:07Z
+arches = ["x86_64", "aarch64"]
+version = "staging"
diff --git a/packages/containerd/Cargo.toml b/packages/containerd/Cargo.toml
@@ -12,8 +12,8 @@ path = "../packages.rs"
 releases-url = "https://github.com/containerd/containerd/releases"
 
 [[package.metadata.build-package.external-files]]
-url = "https://github.com/containerd/containerd/archive/v1.7.17/containerd-1.7.17.tar.gz"
-sha512 = "78ed36ee43def3b83a1e0e8cc7da1e96517dd08c3fb19d2cdaf0e739d5a4188d313cd1f4f2a02701eb79cdcbfea5deba14030b438a0b07b08ec30510f4bb7660"
+url = "https://github.com/containerd/containerd/archive/v1.7.20/containerd-1.7.20.tar.gz"
+sha512 = "b8be3a073c1716d66cd97162b0f40cab68094df9f8a9eaf81fa617c552d51f536d41d2823838e01e4e3936fe0ae8af0352531b1682623c25dc2318cd9af32985"
 
 # RPM BuildRequires
 [build-dependencies]

diff --git a/packages/containerd/containerd.spec b/packages/containerd/containerd.spec
@@ -2,9 +2,9 @@
 %global gorepo containerd
 %global goimport %{goproject}/%{gorepo}
 
-%global gover 1.7.17
+%global gover 1.7.20
 %global rpmver %{gover}
-%global gitrev 3a4de459a68952ffb703bbe7f2290861a75b6b67
+%global gitrev 8fc6bcff51318944179630522a095cc9dbf9f353
 
 %global _dwz_low_mem_die_limit 0
 

diff --git a/packages/runc/Cargo.toml b/packages/runc/Cargo.toml
@@ -12,9 +12,9 @@ path = "../packages.rs"
 releases-url = "https://github.com/opencontainers/runc/releases/"
 
 [[package.metadata.build-package.external-files]]
-url = "https://github.com/opencontainers/runc/releases/download/v1.1.12/runc.tar.xz"
-path = "runc-v1.1.12.tar.xz"
-sha512 = "61afae94dc78253c2f6b305b48ddf76c71813f5735e69fde7f3ae6f51539f10131a37a0917cbcb23b303490c62ac78dafd79eb2a6f2849ec17638f3bd5833136"
+url = "https://github.com/opencontainers/runc/releases/download/v1.1.13/runc.tar.xz"
+path = "runc-v1.1.13.tar.xz"
+sha512 = "cd8efd87f62a73d6bbfa83e950ef41106de0080169956c4a106a9f291953051488f3c13348a8e6b5a83d18ba666e6878cf1e07b6217ca641bdb282aa257e6976"
 
 [build-dependencies]
 glibc = { path = "../glibc" }

diff --git a/packages/runc/runc.spec b/packages/runc/runc.spec
@@ -1,8 +1,8 @@
 %global goproject github.com/opencontainers
 %global gorepo runc
 %global goimport %{goproject}/%{gorepo}
-%global commit 51d5e94601ceffbbd85688df1c928ecccbfa4685
-%global gover 1.1.12
+%global commit 58aa9203c123022138b22cf96540c284876a7910
+%global gover 1.1.13
 
 %global _dwz_low_mem_die_limit 0
 

diff --git a/sources/host-ctr/go.mod b/sources/host-ctr/go.mod
@@ -5,9 +5,9 @@ go 1.22.0
 toolchain go1.22.2
 
 require (
-	github.com/aws/aws-sdk-go v1.53.13
+	github.com/aws/aws-sdk-go v1.54.20
 	github.com/awslabs/amazon-ecr-containerd-resolver v0.0.0-20240521172427-b580afd02343
-	github.com/containerd/containerd v1.7.17
+	github.com/containerd/containerd v1.7.20
 	github.com/opencontainers/runtime-spec v1.2.0
 	github.com/pelletier/go-toml v1.9.5
 	github.com/pkg/errors v0.9.1
@@ -27,20 +27,23 @@ require (
 	github.com/AdamKorcz/go-118-fuzz-build v0.0.0-20230306123547-8075edf89bb0 // indirect
 	github.com/Masterminds/semver/v3 v3.2.1 // indirect
 	github.com/Microsoft/go-winio v0.6.2 // indirect
-	github.com/Microsoft/hcsshim v0.11.5 // indirect
+	github.com/Microsoft/hcsshim v0.11.7 // indirect
 	github.com/beorn7/perks v1.0.1 // indirect
 	github.com/blang/semver/v4 v4.0.0 // indirect
 	github.com/cespare/xxhash/v2 v2.3.0 // indirect
 	github.com/cilium/ebpf v0.15.0 // indirect
 	github.com/containerd/cgroups v1.1.0 // indirect
 	github.com/containerd/cgroups/v3 v3.0.2 // indirect
+	github.com/containerd/containerd/api v1.7.19 // indirect
 	github.com/containerd/continuity v0.4.3 // indirect
+	github.com/containerd/errdefs v0.1.0 // indirect
 	github.com/containerd/fifo v1.1.0 // indirect
 	github.com/containerd/go-cni v1.1.9 // indirect
 	github.com/containerd/imgcrypt v1.1.11 // indirect
 	github.com/containerd/log v0.1.0 // indirect
 	github.com/containerd/nri v0.6.1 // indirect
-	github.com/containerd/ttrpc v1.2.4 // indirect
+	github.com/containerd/platforms v0.2.1 // indirect
+	github.com/containerd/ttrpc v1.2.5 // indirect
 	github.com/containerd/typeurl v1.0.2 // indirect
 	github.com/containerd/typeurl/v2 v2.1.1 // indirect
 	github.com/containernetworking/cni v1.2.0 // indirect
@@ -49,6 +52,7 @@ require (
 	github.com/coreos/go-systemd/v22 v22.5.0 // indirect
 	github.com/cpuguy83/go-md2man/v2 v2.0.4 // indirect
 	github.com/davecgh/go-spew v1.1.1 // indirect
+	github.com/distribution/reference v0.6.0 // indirect
 	github.com/docker/go-events v0.0.0-20190806004212-e31b211e4f1c // indirect
 	github.com/docker/go-metrics v0.0.1 // indirect
 	github.com/docker/go-units v0.5.0 // indirect
@@ -104,22 +108,22 @@ require (
 	go.mozilla.org/pkcs7 v0.0.0-20210826202110-33d05740a352 // indirect
 	go.opencensus.io v0.24.0 // indirect
 	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.45.0 // indirect
-	go.opentelemetry.io/otel v1.19.0 // indirect
-	go.opentelemetry.io/otel/metric v1.19.0 // indirect
-	go.opentelemetry.io/otel/trace v1.19.0 // indirect
-	golang.org/x/crypto v0.23.0 // indirect
+	go.opentelemetry.io/otel v1.21.0 // indirect
+	go.opentelemetry.io/otel/metric v1.21.0 // indirect
+	go.opentelemetry.io/otel/trace v1.21.0 // indirect
+	golang.org/x/crypto v0.24.0 // indirect
 	golang.org/x/exp v0.0.0-20240530194437-404ba88c7ed0 // indirect
 	golang.org/x/mod v0.17.0 // indirect
-	golang.org/x/net v0.25.0 // indirect
+	golang.org/x/net v0.26.0 // indirect
 	golang.org/x/oauth2 v0.20.0 // indirect
 	golang.org/x/sync v0.7.0 // indirect
-	golang.org/x/sys v0.20.0 // indirect
-	golang.org/x/term v0.20.0 // indirect
-	golang.org/x/text v0.15.0 // indirect
+	golang.org/x/sys v0.21.0 // indirect
+	golang.org/x/term v0.21.0 // indirect
+	golang.org/x/text v0.16.0 // indirect
 	golang.org/x/time v0.5.0 // indirect
-	google.golang.org/genproto v0.0.0-20230822172742-b8732ec3820d // indirect
+	google.golang.org/genproto v0.0.0-20231211222908-989df2bf70f3 // indirect
 	google.golang.org/genproto/googleapis/rpc v0.0.0-20240528184218-531527333157 // indirect
-	google.golang.org/grpc v1.64.0 // indirect
+	google.golang.org/grpc v1.64.1 // indirect
 	google.golang.org/protobuf v1.34.1 // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect
 	gopkg.in/yaml.v2 v2.4.0 // indirect