fix(deps): update module github.com/containerd/containerd to v1.7.27 [security]

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
github.com/containerd/containerd	v1.7.25 -> v1.7.27

GitHub Vulnerability Alerts

CVE-2024-40635

Impact

A bug was found in containerd where containers launched with a User set as a UID:GID larger than the maximum 32-bit signed integer can cause an overflow condition where the container ultimately runs as root (UID 0). This could cause unexpected behavior for environments that require containers to run as a non-root user.

Patches

This bug has been fixed in the following containerd versions:

• 2.0.4 (Fixed in containerd/containerd@1a43cb6)
• 1.7.27 (Fixed in containerd/containerd@05044ec)
• 1.6.38 (Fixed in containerd/containerd@cf158e8)

Users should update to these versions to resolve the issue.

Workarounds

Ensure that only trusted images are used and that only trusted users have permissions to import images.

Credits

The containerd project would like to thank Benjamin Koltermann and emxll for responsibly disclosing this issue in accordance with the containerd security policy.

References

• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-40635

For more information

If you have any questions or comments about this advisory:

• Open an issue in containerd
• Email us at security@containerd.io

To report a security issue in containerd:

• Report a new vulnerability
• Email us at security@containerd.io

---

Release Notes

containerd/containerd (github.com/containerd/containerd)

v1.7.27

Compare Source

v1.7.26: containerd 1.7.26

Compare Source

Welcome to the v1.7.26 release of containerd!

The twenty-sixth patch release for containerd 1.7 contains various fixes
and updates.

Highlights

• Add support for syncfs after unpack (#​11267)
• Update runc binary to v1.2.5 (#​11395)
• Fix race between serve and immediate shutdown on the server (containerd/ttrpc#175)
• Reject oversized messages from the sender (containerd/ttrpc#171)

Container Runtime Interface (CRI)

• Fix fatal concurrency error in port forwarding (#​11306)

Node Resource Interface (NRI)

• Fix initial sync race when registering NRI plugins (#​11326)
• Add API support for reading Pod IPs (containerd/nri#119)
• Fix plugin sync to use multiple messages if ttrpc max message limit is hit (containerd/nri#111)
• Update API to pass configured timeouts to plugins. (containerd/nri#109)
• Fix mount removal in adjustments (containerd/nri#107)
• Close plugin if initial synchronization fails (containerd/nri#103)
• Add support for adjusting OOM score (containerd/nri#94)
• Add API support for NRI-native CDI injection (containerd/nri#98)
• Add support for pids cgroup (containerd/nri#76)

Runtime

• Fix console TTY leak in runc shim (#​11250)

Please try out the release binaries and report any issues at
https://github.com/containerd/containerd/issues.

Contributors

• Krisztian Litkey
• Mike Brown
• Samuel Karp
• Wei Fu
• Phil Estes
• Derek McGowan
• Iceber Gu
• Akhil Mohan
• Antonio Ojea
• Austin Vazquez
• Henry Wang
• Jin Dong
• Xiaojin Zhang
• ningmingxiao
• AbdelrahmanElawady
• Akihiro Suda
• Antti Kervinen
• Jing Xu
• Jitang Lei
• Justin Alvarez
• Lei Liu
• Maksym Pavlenko
• Yang Yang
• Yuhang Wei
• cormick
• jingtao.liang

Changes

24 commits

• Prepare release notes for v1.7.26 (#​11356)
  • ceba197f5 Prepare release notes for v1.7.26
• Upgrade x/net to 0.33.0 to fix vulnerability GHSA-w32m-9786-jp63 (#​11434)
  • 3486bc8dd Upgrade x/net to 0.33.0
• update build to go1.23.6, test go1.24.0 (#​11419)
  • 9025d3075 update build to go1.23.6, test go1.24.0
• Update install-imgcrypt to allow change install repo (#​11358)
  • 83eaab482 Update install-imgcrypt to allow change install repo
• Add support for syncfs after unpack (#​11267)
  • 8bc21cba7 support to syncfs after pull by using diff plugin
• Update runc binary to v1.2.5 (#​11395)
  • 27c472acf Update runc binary to v1.2.5
• Move run.skip-dirs to issues.exclude-dirs in golangci-lint config (#​11400)
  • 8d8034b66 move skip-dirs to issues.exclude-dirs
• Fix initial sync race when registering NRI plugins (#​11326)
  • 11af05177 cri,nri: block NRI plugin sync. during event processing.
  • d4036cd3d go.{mod,sum}: bump NRI to v0.8.0, re-vendor.
• Fix console TTY leak in runc shim (#​11250)
  • c3e24e024 Add integ test to check tty leak
  • 4e45a463d fix master tty leak due to leaking init container object
• Fix fatal concurrency error in port forwarding (#​11306)
  • 0fe9f0b52 fix fatal error: concurrent map iteration and map write
• update build to go1.22.11, test go1.23.5 (#​11298)
  • 441b92636 update build to go1.22.11, test go1.23.5

Changes from containerd/nri

77 commits

• Add API support for reading Pod IPs (containerd/nri#119)
  • eaf78a9 api: support Pod IPs
• generate: do not set OOMScoreAdj if no adjustment (containerd/nri#116)
• 07bfc18 wip: generate: add test for oom score adj
• b5fc359 generate: do not set OOMScoreAdj if no adjustment
• device-injector: remove unreachable code. (containerd/nri#115)
  • 235aa11 chore: remove unreachable code and fmt files
• Fix plugin sync to use multiple messages if ttrpc max message limit is hit (containerd/nri#111)
  • 159f575 template: dump pod/container count in sync message.
  • bf267e3 stub: collect/handle split sync messages.
  • ed78ae9 adaptation: use multiple sync messages if necessary.
  • 6fd59d6 api: add support for multiple sync messages.
  • a7fcccc mux: split oversized messages.
  • 5fe9b06 mux: fix maximum allowed message size.
  • 693d64e go.{mod,sum}, plugins: update ttrpc and NRI deps.
• Update API to pass configured timeouts to plugins. (containerd/nri#109)
  • 320e4e7 adaptation: tests for runtime version, timeouts.
  • f86d982 api,adaptation,stub: let plugin know configured timeouts.
  • cfcd2af Makefile: fix ginkgo-tests target.
  • 8cd9504 adaptation: block plugin sync/registration in test suite.
  • 966ac92 adaptation: implement plugin synchronization blocks.
• ci: verify that code generation works and results match (containerd/nri#113)
  • f74ce31 ci: verify code generation and generated files in repo
• deps: bump gingko to v2.19.1, golang to v1.21.x. (containerd/nri#110)
  • e4d5c36 ci: stop testing with golang 1.20.x.
  • 6578149 go.{mod,sum}: bump golang requirement to 1.21.
  • 442e812 go.{mod,sum}: update to ginkgo v2.19.1.
• sync sandboxes and containers after starting the pre-installed plugins (containerd/nri#43)
  • eada085 ignore pre-installed plugins that did not sync successfully
  • b881bc4 sync sandboxes and containers after starting the pre-installed plugins
• Fix mount removal in adjustments (containerd/nri#107)
  • 3880f1d adaptation: add test case for mount removal.
  • 0d3b376 adaptation: fix mount removal in adjustments.
• codespell: add codespell config, workflow, fix spelling errors. (containerd/nri#105)
  • df84c47 .github: add codespell workflow.
  • a03dc93 pkg,plugins,.codespellrc: add codespellrc, fix spelling.
• Close plugin if initial synchronization fails (containerd/nri#103)
  • 4aec208 adaptation: log plugin as connected and synchronized.
  • 4e60cd0 adaptation: close plugin if initial synchronization fails.
• Reset source path of api.pb.go to pkg/api/api.proto (containerd/nri#104)
  • 1cc026f Reset source path of api.pb.go to pkg/api/api.proto
• Add support for adjusting OOM score (containerd/nri#94)
  • efcb2da NRI plugins support adjust oom_score_adj
• Add API support for NRI-native CDI injection (containerd/nri#98)
  • 8783973 device-injector: clarify precedence of annotations.
  • 4eb7075 pkg/adaptation: fix grammatical mistakes in comments.
  • 4bd8da8 device-injector: add support for CDI injection.
  • 44773bd runtime-tools/generate: add support CDI injection.
  • 65282fe adaptation: add CDI device injection unit test.
  • 01f3b7a adaptation: add support for native CDI injection.
  • f1aa58f api: add support for native CDI device injection.
• types: Fix a typo (containerd/nri#101)
  • 8434439 types: Fix a typo
• Add support for pids cgroup (containerd/nri#76)
  • 1719502 support pids cgroup
• stub: support restart after stub stopped (containerd/nri#91)
  • 242661f stub: support re-start after stub stopped
• stop closed plugins that will be removed (containerd/nri#89)
  • ba398fa stop closed plugins that will be removed
• plugins/device-injector: fix a small typo in README.md. (containerd/nri#97)
  • f96a550 device-injector: small grammar fix in README.md.
• plugins/template: fix a typo in a comment. (containerd/nri#96)
  • 5680921 plugins/template: fix typo in a comment.
• go.{mod,sum}, .github: bump minimum golang version to 1.20. (containerd/nri#88)
  • 2c3608d .golangci.yml: silence dot-import errors for tests.
  • 8f56974 pkg/{adaptation,api,net,stub}: fix linter errors.
  • e863892 .github: bump golangci-lint to v1.58.0.
  • 674cb41 .github: bump setup-go to v5.
  • 9106283 .github: test with golang 1.20.x, 1.21.x, 1.22.3 in CI.
  • a9778ad plugins: bump golang version to 1.20.
  • 8e86065 go.{mod.sum}: bump golang version to 1.20.
• network device injector plugin (containerd/nri#82)
  • ff774e6 network device injector plugin
• Modify hook-injector plugin to monitor directories to match cri-o (containerd/nri#84)
  • 06841c2 Modify hook-injector plugin to monitor directories to match cri-o
• docs: fix broken link to sample plugins in README.md (containerd/nri#81)
  • 2791e93 docs: fix broken link to sample plugins in README.md

Changes from containerd/ttrpc

11 commits

• Add MD.Clone function (containerd/ttrpc#177)
  • 430f734 Add MD.Clone
• Fix race between serve and immediate shutdown on the server (containerd/ttrpc#175)
  • c4d96d5 server: fix Serve() vs. immediate Shutdown() race.
  • ed6c3ba server_test: add Serve()/Shutdown() race test.
• Reject oversized messages from the sender (containerd/ttrpc#171)
  • b5cd6e4 channel: allow discovery of overflown message size.
  • d8c00df channel_test: update oversize message test.
  • de273bf channel: reject oversized messages on the sender side.
• server_test: fix error message in TestOversizeCall. (containerd/ttrpc#170)
  • 84e1784 server_test: fix error message in TestOversizeCall.

Dependency Changes

• github.com/containerd/nri v0.6.1 -> v0.8.0
• github.com/containerd/ttrpc v1.2.5 -> v1.2.7
• github.com/go-logr/logr v1.3.0 -> v1.4.2
• golang.org/x/net v0.25.0 -> v0.33.0

Previous release can be found at v1.7.25

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[renovate]

ℹ Artifact update notice

File name: go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

• 1 additional dependency was updated

Details:

Package	Change
github.com/containerd/ttrpc	v1.2.5 -> v1.2.7

[coveralls]

coverage: 69.587% (+0.6%) from 68.992%
when pulling defaf57 on renovate/go-github.com-containerd-containerd-vulnerability
into 930193a on master.