chore(deps): module github.com/containerd/containerd to v1.6.26 [security] #9
Chore Dependencies Request
This PR contains the following updates:
github.com/containerd/containerd: v1.6.15 -> v1.6.26
GitHub Vulnerability Alerts
CVE-2023-25173
Impact
A bug was found in containerd where supplementary groups are not set up properly inside a container. If an attacker has direct access to a container and manipulates their supplementary group access, they may be able to use supplementary group access to bypass primary group restrictions in some cases, potentially gaining access to sensitive information or gaining the ability to execute code in that container.
Downstream applications that use the containerd client library may be affected as well.
Patches
This bug has been fixed in containerd v1.6.18 and v1.5.18. Users should update to these versions and recreate containers to resolve this issue. Users who rely on a downstream application that uses containerd's client library should check that application for a separate advisory and instructions.
Workarounds
Ensure that the "USER $USERNAME" Dockerfile instruction is not used. Instead, set the container entrypoint to a value similar to ENTRYPOINT ["su", "-", "user"] to allow su to properly set up supplementary groups.
References
Note that CVE IDs apply to a particular implementation, even if an issue is common.
CVE-2023-25153
Impact
When importing an OCI image, there was no limit on the number of bytes read for certain files. A maliciously crafted image with a large file where a limit was not applied could cause a denial of service.
Patches
This bug has been fixed in containerd 1.6.18 and 1.5.18. Users should update to these versions to resolve the issue.
Workarounds
Ensure that only trusted images are used and that only trusted users have permissions to import images.
Credits
The containerd project would like to thank David Korczynski and Adam Korczynski of ADA Logics for responsibly disclosing this issue in accordance with the containerd security policy during a security fuzzing audit sponsored by CNCF.
GHSA-7ww5-4wqc-m92c
/sys/devices/virtual/powercap accessible by default to containers
Intel's RAPL (Running Average Power Limit) feature, introduced by the Sandy Bridge microarchitecture, provides software insights into hardware energy consumption. To facilitate this, Intel introduced the powercap framework in Linux kernel 3.13, which reads values via the relevant MSRs (model specific registers) and provides unprivileged userspace access via sysfs. As RAPL is an interface to a hardware feature, it is only available when running on bare metal with the module compiled into the kernel.

By 2019, it was realized that in some cases unprivileged access to RAPL readings could be exploited as a power-based side channel against security features including AES-NI (potentially inside an SGX enclave) and KASLR (kernel address space layout randomization). This attack, known as PLATYPUS, was assigned CVE-2020-8694 and CVE-2020-8695 by Intel and CVE-2020-12912 by AMD.

Several mitigations were applied: Intel reduced the sampling resolution via a microcode update, and the Linux kernel has prevented access by non-root users since 5.10. However, this kernel-based mitigation does not apply to many container-based scenarios: sysfs is mounted inside containers read-only, but only read access is needed to carry out this attack on an unpatched CPU.

While this is not a direct vulnerability in container runtimes, defense in depth and safe defaults are valuable and preferred, especially as this poses a risk to multi-tenant container environments. This is provided by masking /sys/devices/virtual/powercap in the default mount configuration and adding an additional set of rules to deny it in the default AppArmor profile. While sysfs is not the only way to read from the RAPL subsystem, other ways of accessing it require additional capabilities such as CAP_SYS_RAWIO, which is not available to containers by default, or a perf paranoia level less than 1, which is a non-default kernel tunable.
References
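As an added example (not code from the Renovate PR or from containerd itself), the following Python audits an OCI runtime spec (config.json) for both advisories above: it checks that /sys/devices/virtual/powercap is listed in linux.maskedPaths, adding it when missing as the v1.6.26 default spec does, and, on the assumption that a container user's supplementary groups should equal that uid's membership in the image's /etc/group (the same data su consults in the CVE-2023-25173 workaround), compares process.user.additionalGids against that membership. The spec, passwd and group content are constructed samples.

```python
"""Audit an OCI runtime spec (config.json) for the two advisories in this PR.
Added example, not containerd's code; spec, passwd and group data are constructed."""
import json

POWERCAP = "/sys/devices/virtual/powercap"  # path masked by the GHSA-7ww5-4wqc-m92c fix

# Constructed sample input: a container run as uid 1000 whose image /etc/group
# puts that user in "staff", but whose spec carries no additionalGids.
SAMPLE_PASSWD = "root:x:0:0::/root:/bin/sh\napp:x:1000:1000::/home/app:/bin/sh\n"
SAMPLE_GROUP = "root:x:0:\nwheel:x:10:root\nstaff:x:50:app\napp:x:1000:\n"
SAMPLE_SPEC = {"process": {"user": {"uid": 1000, "gid": 1000}},
               "linux": {"maskedPaths": ["/proc/kcore"]}}


def expected_supplementary_gids(uid, passwd_text, group_text):
    """GIDs of every /etc/group entry listing a name that /etc/passwd maps to uid
    (assumption: this is the membership su/initgroups would apply)."""
    names = set()
    for line in passwd_text.splitlines():
        f = line.split(":")
        if len(f) >= 4 and f[2].isdigit() and int(f[2]) == uid:
            names.add(f[0])
    gids = set()
    for line in group_text.splitlines():
        f = line.split(":")
        if len(f) >= 4 and f[2].isdigit() and names & set(f[3].split(",")):
            gids.add(int(f[2]))
    return sorted(gids)


def audit_spec(spec, passwd_text, group_text):
    """Return (findings, hardened_spec); the input spec is not modified."""
    findings = []
    hardened = json.loads(json.dumps(spec))
    masked = hardened.setdefault("linux", {}).setdefault("maskedPaths", [])
    if POWERCAP not in masked:  # RAPL readings would be readable from the container
        findings.append(f"{POWERCAP} is not in linux.maskedPaths (GHSA-7ww5-4wqc-m92c)")
        masked.append(POWERCAP)
    user = hardened.setdefault("process", {}).setdefault("user", {})
    want = expected_supplementary_gids(int(user.get("uid", 0)), passwd_text, group_text)
    have = sorted(user.get("additionalGids", []))
    if want != have:  # supplementary groups not set up from the image's /etc/group
        findings.append(f"additionalGids {have} differ from /etc/group membership {want} (CVE-2023-25173)")
        user["additionalGids"] = want
    return findings, hardened


if __name__ == "__main__":
    found, fixed = audit_spec(SAMPLE_SPEC, SAMPLE_PASSWD, SAMPLE_GROUP)
    for line in found:
        print("finding:", line)
    print(json.dumps(fixed, indent=2))
```

Run it against a real bundle by loading its config.json and the image's /etc/passwd and /etc/group in place of the sample values; a spec produced by a patched containerd should yield no findings.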
Release Notes
containerd/containerd (github.com/containerd/containerd)
v1.6.26: containerd 1.6.26 (Compare Source)
Welcome to the v1.6.26 release of containerd!
The twenty-sixth patch release for containerd 1.6 contains various fixes and updates.
Notable Updates
Mask /sys/devices/virtual/powercap path in runtime spec and deny in default apparmor profile (GHSA-7ww5-4wqc-m92c)
Deprecation Warnings
See the changelog for complete list of changes
Please try out the release binaries and report any issues at
https://github.com/containerd/containerd/issues.
Contributors
Changes
30 commits
ac5c5d3e0 Prepare release notes for v1.6.26
02f07fe19 contrib/apparmor: deny /sys/devices/virtual/powercap
c94577e78 oci/spec: deny /sys/devices/virtual/powercap
7cbdfc92e update to go1.20.12, test go1.21.5
024b1cce6 update to go1.20.11, test go1.21.4
64e56bfde Add cri-api v1alpha2 usage warning to all api calls
efefd3bf3 tasks: emit warning for runc v1 runtime
7825689b4 tasks: emit warning for v1 runtime
7cfe7052f snapshots: emit deprecation warning for aufs
a1ae572a2 Fix linter error with updated linter
b638791d6 ci: bump up golangci-lint to v1.55.0
2370a2842 Fix linter issues for golangci-lint 1.54.2
8a65e2e31 Bump up golangci-lint to v1.54.2
969f8feb2 Bump up golangci-lint to v1.52.2
66959fdf5 push: inherit distribution sources from parent
b4dcffcfb content: add InfoProvider interface
bef4145c1 Change PushContent to require only Provider
a5fc21060 vendor: google.golang.org/grpc v1.58.3
4fa05b3d8 Upgrade github.com/klauspost/compress from v1.11.13 to v1.15.9
ede0ad5e1 Fix windows default path overwrite issue
Dependency Changes
2bc19b1 -> v0.10.0
Previous release can be found at v1.6.25
v1.6.25: containerd 1.6.25 (Compare Source)
Welcome to the v1.6.25 release of containerd!
The twenty-fifth patch release for containerd 1.6 contains various fixes and updates.
Notable Updates
See the changelog for complete list of changes
Please try out the release binaries and report any issues at
https://github.com/containerd/containerd/issues.
Contributors
Changes
82 commits
723d26ab2 Prepare release notes for v1.6.25
1f865eba1 update mailmap
b49815300 cri: fix update of pinned label for images
751b0c186 cri: fix using the pinned label to pin image
fb5568608 vendor: golang.org/x/net v0.17.0
61ad86f6f vendor: golang.org/x/text v0.13.0
4b431c844 vendor: golang.org/x/sys v0.13.0
62d402275 Remove CVE-2022-1996 from containerd binary upgrading go-restful to 2.16.0
3e68bf65a Enhance container image unpack client logs
0dd65c826 [release/1.6] update github.com/containerd/nri v0.1.1
c73be2446 update runc binary to v1.1.10
746bcf2eb Expose usage of cri-api v1alpha2
8b51a95fb fix: shimv1 leak issue
6741f819b [release/1.6] update to go1.20.10, test go1.21.3
49615a0e9 [release/1.6] update to go1.20.9, test go1.21.2
b68204e53 cri: add deprecation warning for configs
ae8c58319 cri: add deprecation warning for auths
455edcad2 cri: add deprecation warning for mirrors
878823f4d cri: add ability to emit deprecation warnings
477b7d6a1 ctr: new deprecations command
24068b813 dynamic: record deprecation for dynamic plugins
218c7a1df server: add ability to record config deprecations
dfb9e1deb pull: record deprecation warning for schema 1
90b42da6f introspection: add support for deprecations
0b6766b37 api/introspection: deprecation warnings in server
de3cb4c18 warning: new service for deprecations
da1b4419b deprecation: new package for deprecations
bca8a3f65 integration: deflake TestIssue9103
0985f7a43 ci: Use Vagrant on ubuntu-latest-4-cores
5dd64301c Check scheme and host of request on push redirect
51df21d09 Avoid TLS fallback when protocol is not ambiguous
8108f0d03 Add a new image label if it is docker schema 1
5376afb3d fix protobuf aarch64
e529741d3 remotes: add handling for missing basic auth credentials
ca45b92f4 Add ErrUnexpectedStatus to resolver
77c0175b4 Improve ErrUnexpectedStatus default string
275fc594d Bump x/net to 0.13
5223bf39a Require plugins to succeed after registering readiness
8f5eba314 cri: call RegisterReadiness after NewCRIService
7b61862e7 *: add runc-fp as runc wrapper to inject failpoint
5238a6470 containerd-shim-runc-v2: avoid potential deadlock in create handler
65e908ee1 containerd-shim-runc-v2: remove unnecessary s.getContainer()
1dd9acecb Uncopypaste parsing of OCI Bundle spec file
71c89ddf2 [release/1.6]: Vagrantfile: install failpoint binaries
7a0c8b6b7 cri: stop recommending disable_cgroup
8066dd81c Allow for images with artifacts to pull
2fffc344a remotes/docker: Fix MountedFrom prefixed with target repository
6b5912220 remotes: always try to establish tls connection when tls configured
37c758de1 Build binaries with 1.21.1
f1591cc9b alias log package to github.com/containerd/log v0.1.0
f68d2d93b vendor: golang.org/x/sys v0.7.0
f305fb233 vendor: github.com/stretchr/testify v1.8.4
4e24a30af vendor: github.com/sirupsen/logrus v1.9.3
b66c818ba remotes/docker: Add MountedFrom and Exists push status
Changes from containerd/log
9 commits
89c9a54 Update golangci to 1.49
cf26711 Update description in README
f9f250c Add project details
fb7fe3d Add github CI flow
7e13034 Add go module
16a3c76 Rename log import from logtest
698c398 Add README
87c83c4 Add license file
Changes from containerd/nri
3 commits
4275101 Task: fix typo in godoc
f6acbf1 remove containerd as dependency
Dependency Changes
3147a52 -> v0.14.0
Previous release can be found at v1.6.24
v1.6.24: containerd 1.6.24 (Compare Source)
Welcome to the v1.6.24 release of containerd!
The twenty-fourth patch release for containerd 1.6 contains various fixes and updates.
Notable Updates
See the changelog for complete list of changes
Please try out the release binaries and report any issues at
https://github.com/containerd/containerd/issues.
Contributors
Changes
45 commits
cdd59290d Prepare release notes for v1.6.24
33c2d88e7 Revert "log: define G() as a function instead of a variable"
0a7f2975e log: swap logrus functions with their equivalent on default logger
9d175a19b log: add package documentation and summary of package's purpose
96fb65529 log: make Fields type a generic map[string]any
bace17e2e log: add log.Entry type
dd127885f log: define OutputFormat type
5b4cf2329 log: define G() as a function instead of a variable
ee1b4a1e2 log: add all log-levels that are accepted
d563a411f log: group "enum" consts and touch-up docs
6e8f4555b log: WithLogger: remove redundant intermediate var
c19325559 log: SetFormat: include returns in switch
c3c22f8cb log: remove gotest.tools dependency
a2c294800 [release/1.6] update to go1.20.8
0da8dcaa7 make repositories of install dependencies configurable
8e6a9de5b update to go1.20.7, go1.19.12
8b2eb371f Update Go to 1.20.6,1.19.11
cff669c7a update go to go1.20.5, go1.19.10
f34a22de9 update go to go1.20.4, go1.19.9
e8e73065e update go to go1.20.3, go1.19.8
9b3f950d6 Go 1.20.2
17d03ac68 Go 1.20.1
861f65447 go.mod: go 1.19
81fa93784 Stop using math/rand.Read and rand.Seed (deprecated in Go 1.20)
70dc11a6c lint: remove //nolint:dupword that are no longer needed
fec784a06 lint: silence "SA1019: tar.TypeRegA has been deprecated... (staticheck)"
6648df1ad lint: silence "type HostFileConfig is unused (unused)"
e6b268bc7 golangci-lint v1.51.1
c552ccf67 go.mod: golang.org/x/sync v0.1.0
d00af5c3e integration: issue7496 case should work for runc.v2 only
583696e4e Vagrantfile: add strace tool
ab21d60d2 pkg/cri/server: add criService as argument when handle exit event
a229883cb pkg/cri/server: fix leaked shim issue
d8f824200 integration: add case to reproduce #7496
8cd40e1d0 Add configurable mount options to overlay
453fa397a feat: make overlay sync removal configurable
4cb7764df update runc binary to v1.1.9
Dependency Changes
036812b -> v0.1.0
Previous release can be found at v1.6.23
v1.6.23: containerd 1.6.23 (Compare Source)
Welcome to the v1.6.23 release of containerd!
The twenty-third patch release for containerd 1.6 contains various fixes and updates.
Notable Updates
See the changelog for complete list of changes
Please try out the release binaries and report any issues at
https://github.com/containerd/containerd/issues.
Contributors
Changes
13 commits
e297a668f Add release notes for v1.6.23
f51bf1960 Add support for stable ABI windows versions
43a02c0b2 Update hcsshim tag to v0.9.10
cc5b0a21b cri: Don't use rel path for image volumes
4238cff1c Upgrade GitHub actions packages in release workflow
00d1092b7 update to go1.19.12
47d73b2de Fix ro mount option being passed
Dependency Changes
Previous release can be found at v1.6.22
v1.6.22: containerd 1.6.22 (Compare Source)
Welcome to the v1.6.22 release of containerd!
The twenty-second patch release for containerd 1.6 contains various fixes and updates.
Notable Updates
UpdateContainerStats (#8819)
name_to_handle_at (#8754)
close() io before cancel() (#8659)
See the changelog for complete list of changes
Please try out the release binaries and report any issues at
https://github.com/containerd/containerd/issues.
Contributors
Changes
95 commits
0770a4601 [release/1.6] Add release notes for v1.6.22
512a672af migrate to community owned bucket
b585ff155 cri: memory.memsw.limit_in_bytes: no such file or directory
a322077bf go.mod: github.com/emicklei/go-restful/v3 v3.10.1
b3ac068eb update runc binary to v1.1.8
6e2bcb6dd ci: remove libseccomp-dev installation for nightly
cd06f23af capture desc variable in range variable just in case that it run in parallel mode
30f5c6a1f Use t.TempDir instead of os.MkdirTemp
59d8363ef fix userstr for dditionalGids on Linux
d75bf78c2 ctr: update WritePidFile to use atomicfile
5f70b23c1 shim: WritePidFile & WriteAddress use atomicfile
505d444b0 cri: write generated CNI config atomically on Unix
b2d2d3829 atomicfile: new package for atomic file writes
9f650143f Fix concurrent writes for UpdateContainerStats
568ce91ca Make checkContainerTimestamps less strict on Windows
d2f47192a dependency: bump go.etcd.io/bbolt to v1.3.7
fb56dc245 [release/1.6] vendor: github.com/stretchr/testify v1.8.1
7fbd5dc89 Move logrus setup code to log package
59a143670 release: Add "cri-containerd.DEPRECATED.txt" in the deprecated cri-containerd-* bundles
5b51b79e2 [release/1.6] fix remaining "v1 config" plugin IDs
b7cf26d8d docs: Fix sample config.toml syntax
fcdaf0966 docs: migrate config v1 to v2
728d5c5f0 Use version 2 config and mention containerd config command
81aa14718 [release/1.6] update go to go1.19.11
17cd86629 [release/1.6] update go to go1.19.10
fdb65f214 bugfix(port-forward): Correctly handle known errors
b5784af66 Change http.Header copy to builtin Clone
31c466f82 Resolve docker.NewResolver race condition
be6406ca6 vendor: github.com/containerd/zfs v1.1.0
9f1260074 [release/1.6] vendor gotest.tools/v3 v3.5.0
526e9e0ce Bump grpc to v1.50.1
0e7d2d121 go.mod: github.com/sirupsen/logrus v1.9.0
5b153c621 go.mod: github.com/moby/sys/mountinfo v0.6.2
9dee60960 go.mod: github.com/moby/sys/mountinfo v0.6.0
07ea7b9e7 seccomp: always allow name_to_handle_at
1dae51fed Update ginkgo to match cri-tools' version
TestShimOOMScore (#8749)
bd76ab978 integration/client: add timeout to TestShimOOMScore
8e14eccb2
Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.