Reject oversized messages from the sender#171
Merged
dmcgowan merged 3 commits intocontainerd:mainfrom Sep 26, 2024
Merged
Conversation
Reject oversized messages on the sender side, keeping the receiver side rejection intact. This should provide minimal low-level plumbing for clients to attempt application level corrective actions on the requestor side, if the high-level protocol is designed with this in mind. Co-authored-by: Alessio Cantillo <cantillo.trd@gmail.com> Co-authored-by: Qian Zhang <cosmoer@qq.com> Signed-off-by: Krisztian Litkey <krisztian.litkey@intel.com>
Co-authored-by: Alessio Cantillo <cantillo.trd@gmail.com> Co-authored-by: Qian Zhang <cosmoer@qq.com> Signed-off-by: Krisztian Litkey <krisztian.litkey@intel.com>
e67f276 to
d8c00df
Compare
Member
Author
|
Uhmmkay... my intention was/is not to turn this into a Battle of the PRs (#119, #127 and this). I simply ran into this message length limitation myself. But I did in a context where the higher-level protocol was fairly easy to update to allow sending 'multi-part' requests, which were then transparently recombined on the receiving end into a single one and 'handed that up in the communication stack' for processing. Also I did not have the danger of a response overflowing. But since I still considered hitting the size limit a corner case, I wrote an implementation which tries sending everything in a single request and falls back to splitting it up only if it hits the size limit. But for that I was missing a reliable way to detect an overflow, and do it in a way which does not render the underlying transport unusable for sending further messages (which is the case for #127, unconditionally). Hence I ended up rolling this. Unfortunately I did not check if there are pending PRs trying to do the same. Once I noticed it, I tossed in Co-authored-by's for the other attempt's authors. I believe that this version does not suffer from the subject of the unaddressed review comments in the other PRs... |
2268863 to
317417c
Compare
Member
Author
6ed75d9 to
1a59039
Compare
Use a dedicated, grpc Status-compatible error to wrap the unique grpc status code, the size of the rejected message and the maximum allowed size when a message is rejected due to size limitations by the sending side. Signed-off-by: Krisztian Litkey <krisztian.litkey@intel.com>
1a59039 to
b5cd6e4
Compare
dmcgowan
approved these changes
Sep 10, 2024
Member
mikebrow
approved these changes
Sep 26, 2024
Member
There was a problem hiding this comment.
LGTM on the proviso that the follow up prs will handle oversize initiated by the server, if/where > lengthmax was possible before we tag and roll this behavior change into a public release.. IOW revert if we don't get all of the follow ups merged like 172. 172 currently disabling the server side check by default should be good enough given prior server side impls would continue with no behavior changes, unless configured to change where certain ttrpc impls are fixed to handle the max exceeded error... At least that's how I'm reading the golden path here :)
This was referenced Sep 27, 2024
1 task
renovate-sh-app bot
added a commit
to grafana/alloy
that referenced
this pull request
Feb 24, 2026
…9 [SECURITY] (#5497) > ℹ️ **Note** > > This PR body was truncated due to platform limits. This PR contains the following updates: | Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) | |---|---|---|---| | [github.com/containerd/containerd](https://redirect.github.com/containerd/containerd) | `v1.7.18` → `v1.7.29` |  |  | --- > [!WARNING] > Some dependencies could not be looked up. Check the Dependency Dashboard for more information. ### GitHub Vulnerability Alerts #### [CVE-2024-40635](https://redirect.github.com/containerd/containerd/security/advisories/GHSA-265r-hfxg-fhmg) ### Impact A bug was found in containerd where containers launched with a User set as a `UID:GID` larger than the maximum 32-bit signed integer can cause an overflow condition where the container ultimately runs as root (UID 0). This could cause unexpected behavior for environments that require containers to run as a non-root user. ### Patches This bug has been fixed in the following containerd versions: * 2.0.4 (Fixed in https://github.com/containerd/containerd/commit/1a43cb6a1035441f9aca8f5666a9b3ef9e70ab20) * 1.7.27 (Fixed in https://github.com/containerd/containerd/commit/05044ec0a9a75232cad458027ca83437aae3f4da) * 1.6.38 (Fixed in https://github.com/containerd/containerd/commit/cf158e884cfe4812a6c371b59e4ea9bc4c46e51a) Users should update to these versions to resolve the issue. ### Workarounds Ensure that only trusted images are used and that only trusted users have permissions to import images. ### Credits The containerd project would like to thank [Benjamin Koltermann](https://redirect.github.com/p4ck3t0) and [emxll](https://redirect.github.com/emxll) for responsibly disclosing this issue in accordance with the [containerd security policy](https://redirect.github.com/containerd/project/blob/main/SECURITY.md). ### References * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-40635 ### For more information If you have any questions or comments about this advisory: * Open an issue in [containerd](https://redirect.github.com/containerd/containerd/issues/new/choose) * Email us at [security@containerd.io](mailto:security@containerd.io) To report a security issue in containerd: * [Report a new vulnerability](https://redirect.github.com/containerd/containerd/security/advisories/new) * Email us at [security@containerd.io](mailto:security@containerd.io) #### [CVE-2024-25621](https://redirect.github.com/containerd/containerd/security/advisories/GHSA-pwhc-rpq9-4c8w) ### Impact An overly broad default permission vulnerability was found in containerd. - `/var/lib/containerd` was created with the permission bits 0o711, while it should be created with 0o700 - Allowed local users on the host to potentially access the metadata store and the content store - `/run/containerd/io.containerd.grpc.v1.cri` was created with 0o755, while it should be created with 0o700 - Allowed local users on the host to potentially access the contents of Kubernetes local volumes. The contents of volumes might include setuid binaries, which could allow a local user on the host to elevate privileges on the host. - `/run/containerd/io.containerd.sandbox.controller.v1.shim` was created with 0o711, while it should be created with 0o700 The directory paths may differ depending on the daemon configuration. When the `temp` directory path is specified in the daemon configuration, that directory was also created with 0o711, while it should be created with 0o700. ### Patches This bug has been fixed in the following containerd versions: * 2.2.0 * 2.1.5 * 2.0.7 * 1.7.29 Users should update to these versions to resolve the issue. These updates automatically change the permissions of the existing directories. > [!NOTE] > > `/run/containerd` and `/run/containerd/io.containerd.runtime.v2.task` are still created with 0o711. > This is an expected behavior for supporting userns-remapped containers. ### Workarounds The system administrator on the host can manually chmod the directories to not have group or world accessible permisisons: ``` chmod 700 /var/lib/containerd chmod 700 /run/containerd/io.containerd.grpc.v1.cri chmod 700 /run/containerd/io.containerd.sandbox.controller.v1.shim ``` An alternative mitigation would be to run containerd in [rootless mode](https://redirect.github.com/containerd/containerd/blob/main/docs/rootless.md). ### Credits The containerd project would like to thank David Leadbeater for responsibly disclosing this issue in accordance with the [containerd security policy](https://redirect.github.com/containerd/project/blob/main/SECURITY.md). ### For more information If you have any questions or comments about this advisory: * Open an issue in [containerd](https://redirect.github.com/containerd/containerd/issues/new/choose) * Email us at [security@containerd.io](mailto:security@containerd.io) To report a security issue in containerd: * [Report a new vulnerability](https://redirect.github.com/containerd/containerd/security/advisories/new) #### [CVE-2025-64329](https://redirect.github.com/containerd/containerd/security/advisories/GHSA-m6hq-p25p-ffr2) ### Impact A bug was found in containerd's CRI Attach implementation where a user can exhaust memory on the host due to goroutine leaks. Repetitive calls of CRI Attach (e.g., [`kubectl attach`](https://kubernetes.io/docs/reference/kubectl/generated/kubectl_attach/)) could increase the memory usage of containerd. ### Patches This bug has been fixed in the following containerd versions: * 2.2.0 * 2.1.5 * 2.0.7 * 1.7.29 Users should update to these versions to resolve the issue. ### Workarounds Set up an admission controller to control accesses to `pods/attach` resources. e.g., [Validating Admission Policy](https://kubernetes.io/docs/reference/access-authn-authz/validating-admission-policy/). ### Credits The containerd project would like to thank @​Wheat2018 for responsibly disclosing this issue in accordance with the [containerd security policy](https://redirect.github.com/containerd/project/blob/main/SECURITY.md). ### References https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-64329 ### For more information If you have any questions or comments about this advisory: * Open an issue in [containerd](https://redirect.github.com/containerd/containerd/issues/new/choose) * Email us at [security@containerd.io](mailto:security@containerd.io) To report a security issue in containerd: * [Report a new vulnerability](https://redirect.github.com/containerd/containerd/security/advisories/new) --- ### containerd has an integer overflow in User ID handling [CVE-2024-40635](https://nvd.nist.gov/vuln/detail/CVE-2024-40635) / [GHSA-265r-hfxg-fhmg](https://redirect.github.com/advisories/GHSA-265r-hfxg-fhmg) / [GO-2025-3528](https://pkg.go.dev/vuln/GO-2025-3528) <details> <summary>More information</summary> #### Details ##### Impact A bug was found in containerd where containers launched with a User set as a `UID:GID` larger than the maximum 32-bit signed integer can cause an overflow condition where the container ultimately runs as root (UID 0). This could cause unexpected behavior for environments that require containers to run as a non-root user. ##### Patches This bug has been fixed in the following containerd versions: * 2.0.4 (Fixed in https://github.com/containerd/containerd/commit/1a43cb6a1035441f9aca8f5666a9b3ef9e70ab20) * 1.7.27 (Fixed in https://github.com/containerd/containerd/commit/05044ec0a9a75232cad458027ca83437aae3f4da) * 1.6.38 (Fixed in https://github.com/containerd/containerd/commit/cf158e884cfe4812a6c371b59e4ea9bc4c46e51a) Users should update to these versions to resolve the issue. ##### Workarounds Ensure that only trusted images are used and that only trusted users have permissions to import images. ##### Credits The containerd project would like to thank [Benjamin Koltermann](https://redirect.github.com/p4ck3t0) and [emxll](https://redirect.github.com/emxll) for responsibly disclosing this issue in accordance with the [containerd security policy](https://redirect.github.com/containerd/project/blob/main/SECURITY.md). ##### References * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-40635 ##### For more information If you have any questions or comments about this advisory: * Open an issue in [containerd](https://redirect.github.com/containerd/containerd/issues/new/choose) * Email us at [security@containerd.io](mailto:security@containerd.io) To report a security issue in containerd: * [Report a new vulnerability](https://redirect.github.com/containerd/containerd/security/advisories/new) * Email us at [security@containerd.io](mailto:security@containerd.io) #### Severity - CVSS Score: Unknown - Vector String: `CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N` #### References - [https://github.com/containerd/containerd/security/advisories/GHSA-265r-hfxg-fhmg](https://redirect.github.com/containerd/containerd/security/advisories/GHSA-265r-hfxg-fhmg) - [https://nvd.nist.gov/vuln/detail/CVE-2024-40635](https://nvd.nist.gov/vuln/detail/CVE-2024-40635) - [https://github.com/containerd/containerd/commit/05044ec0a9a75232cad458027ca83437aae3f4da](https://redirect.github.com/containerd/containerd/commit/05044ec0a9a75232cad458027ca83437aae3f4da) - [https://github.com/containerd/containerd/commit/1a43cb6a1035441f9aca8f5666a9b3ef9e70ab20](https://redirect.github.com/containerd/containerd/commit/1a43cb6a1035441f9aca8f5666a9b3ef9e70ab20) - [https://github.com/containerd/containerd/commit/cf158e884cfe4812a6c371b59e4ea9bc4c46e51a](https://redirect.github.com/containerd/containerd/commit/cf158e884cfe4812a6c371b59e4ea9bc4c46e51a) - [https://github.com/containerd/containerd](https://redirect.github.com/containerd/containerd) - [https://lists.debian.org/debian-lts-announce/2025/05/msg00005.html](https://lists.debian.org/debian-lts-announce/2025/05/msg00005.html) This data is provided by [OSV](https://osv.dev/vulnerability/GHSA-265r-hfxg-fhmg) and the [GitHub Advisory Database](https://redirect.github.com/github/advisory-database) ([CC-BY 4.0](https://redirect.github.com/github/advisory-database/blob/main/LICENSE.md)). </details> --- ### containerd has an integer overflow in User ID handling in github.com/containerd/containerd [CVE-2024-40635](https://nvd.nist.gov/vuln/detail/CVE-2024-40635) / [GHSA-265r-hfxg-fhmg](https://redirect.github.com/advisories/GHSA-265r-hfxg-fhmg) / [GO-2025-3528](https://pkg.go.dev/vuln/GO-2025-3528) <details> <summary>More information</summary> #### Details containerd has an integer overflow in User ID handling in github.com/containerd/containerd #### Severity Unknown #### References - [https://github.com/containerd/containerd/security/advisories/GHSA-265r-hfxg-fhmg](https://redirect.github.com/containerd/containerd/security/advisories/GHSA-265r-hfxg-fhmg) - [https://github.com/containerd/containerd/commit/05044ec0a9a75232cad458027ca83437aae3f4da](https://redirect.github.com/containerd/containerd/commit/05044ec0a9a75232cad458027ca83437aae3f4da) - [https://github.com/containerd/containerd/commit/1a43cb6a1035441f9aca8f5666a9b3ef9e70ab20](https://redirect.github.com/containerd/containerd/commit/1a43cb6a1035441f9aca8f5666a9b3ef9e70ab20) - [https://github.com/containerd/containerd/commit/cf158e884cfe4812a6c371b59e4ea9bc4c46e51a](https://redirect.github.com/containerd/containerd/commit/cf158e884cfe4812a6c371b59e4ea9bc4c46e51a) This data is provided by [OSV](https://osv.dev/vulnerability/GO-2025-3528) and the [Go Vulnerability Database](https://redirect.github.com/golang/vulndb) ([CC-BY 4.0](https://redirect.github.com/golang/vulndb#license)). </details> --- ### containerd affected by a local privilege escalation via wide permissions on CRI directory [CVE-2024-25621](https://nvd.nist.gov/vuln/detail/CVE-2024-25621) / [GHSA-pwhc-rpq9-4c8w](https://redirect.github.com/advisories/GHSA-pwhc-rpq9-4c8w) / [GO-2025-4100](https://pkg.go.dev/vuln/GO-2025-4100) <details> <summary>More information</summary> #### Details ##### Impact An overly broad default permission vulnerability was found in containerd. - `/var/lib/containerd` was created with the permission bits 0o711, while it should be created with 0o700 - Allowed local users on the host to potentially access the metadata store and the content store - `/run/containerd/io.containerd.grpc.v1.cri` was created with 0o755, while it should be created with 0o700 - Allowed local users on the host to potentially access the contents of Kubernetes local volumes. The contents of volumes might include setuid binaries, which could allow a local user on the host to elevate privileges on the host. - `/run/containerd/io.containerd.sandbox.controller.v1.shim` was created with 0o711, while it should be created with 0o700 The directory paths may differ depending on the daemon configuration. When the `temp` directory path is specified in the daemon configuration, that directory was also created with 0o711, while it should be created with 0o700. ##### Patches This bug has been fixed in the following containerd versions: * 2.2.0 * 2.1.5 * 2.0.7 * 1.7.29 Users should update to these versions to resolve the issue. These updates automatically change the permissions of the existing directories. > [!NOTE] > > `/run/containerd` and `/run/containerd/io.containerd.runtime.v2.task` are still created with 0o711. > This is an expected behavior for supporting userns-remapped containers. ##### Workarounds The system administrator on the host can manually chmod the directories to not have group or world accessible permisisons: ``` chmod 700 /var/lib/containerd chmod 700 /run/containerd/io.containerd.grpc.v1.cri chmod 700 /run/containerd/io.containerd.sandbox.controller.v1.shim ``` An alternative mitigation would be to run containerd in [rootless mode](https://redirect.github.com/containerd/containerd/blob/main/docs/rootless.md). ##### Credits The containerd project would like to thank David Leadbeater for responsibly disclosing this issue in accordance with the [containerd security policy](https://redirect.github.com/containerd/project/blob/main/SECURITY.md). ##### For more information If you have any questions or comments about this advisory: * Open an issue in [containerd](https://redirect.github.com/containerd/containerd/issues/new/choose) * Email us at [security@containerd.io](mailto:security@containerd.io) To report a security issue in containerd: * [Report a new vulnerability](https://redirect.github.com/containerd/containerd/security/advisories/new) #### Severity - CVSS Score: Unknown - Vector String: `CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H` #### References - [https://github.com/containerd/containerd/security/advisories/GHSA-pwhc-rpq9-4c8w](https://redirect.github.com/containerd/containerd/security/advisories/GHSA-pwhc-rpq9-4c8w) - [https://nvd.nist.gov/vuln/detail/CVE-2024-25621](https://nvd.nist.gov/vuln/detail/CVE-2024-25621) - [https://github.com/containerd/containerd/commit/7c59e8e9e970d38061a77b586b23655c352bfec5](https://redirect.github.com/containerd/containerd/commit/7c59e8e9e970d38061a77b586b23655c352bfec5) - [https://github.com/containerd/containerd](https://redirect.github.com/containerd/containerd) - [https://github.com/containerd/containerd/blob/main/docs/rootless.md](https://redirect.github.com/containerd/containerd/blob/main/docs/rootless.md) This data is provided by [OSV](https://osv.dev/vulnerability/GHSA-pwhc-rpq9-4c8w) and the [GitHub Advisory Database](https://redirect.github.com/github/advisory-database) ([CC-BY 4.0](https://redirect.github.com/github/advisory-database/blob/main/LICENSE.md)). </details> --- ### containerd CRI server: Host memory exhaustion through Attach goroutine leak in github.com/containerd/containerd [CVE-2025-64329](https://nvd.nist.gov/vuln/detail/CVE-2025-64329) / [GHSA-m6hq-p25p-ffr2](https://redirect.github.com/advisories/GHSA-m6hq-p25p-ffr2) / [GO-2025-4108](https://pkg.go.dev/vuln/GO-2025-4108) <details> <summary>More information</summary> #### Details containerd CRI server: Host memory exhaustion through Attach goroutine leak in github.com/containerd/containerd #### Severity Unknown #### References - [https://github.com/containerd/containerd/security/advisories/GHSA-m6hq-p25p-ffr2](https://redirect.github.com/containerd/containerd/security/advisories/GHSA-m6hq-p25p-ffr2) - [https://nvd.nist.gov/vuln/detail/CVE-2025-64329](https://nvd.nist.gov/vuln/detail/CVE-2025-64329) - [https://github.com/containerd/containerd/commit/083b53cd6f19b5de7717b0ce92c11bdf95e612df](https://redirect.github.com/containerd/containerd/commit/083b53cd6f19b5de7717b0ce92c11bdf95e612df) This data is provided by [OSV](https://osv.dev/vulnerability/GO-2025-4108) and the [Go Vulnerability Database](https://redirect.github.com/golang/vulndb) ([CC-BY 4.0](https://redirect.github.com/golang/vulndb#license)). </details> --- ### containerd affected by a local privilege escalation via wide permissions on CRI directory in github.com/containerd/containerd [CVE-2024-25621](https://nvd.nist.gov/vuln/detail/CVE-2024-25621) / [GHSA-pwhc-rpq9-4c8w](https://redirect.github.com/advisories/GHSA-pwhc-rpq9-4c8w) / [GO-2025-4100](https://pkg.go.dev/vuln/GO-2025-4100) <details> <summary>More information</summary> #### Details containerd affected by a local privilege escalation via wide permissions on CRI directory in github.com/containerd/containerd #### Severity Unknown #### References - [https://github.com/containerd/containerd/security/advisories/GHSA-pwhc-rpq9-4c8w](https://redirect.github.com/containerd/containerd/security/advisories/GHSA-pwhc-rpq9-4c8w) - [https://nvd.nist.gov/vuln/detail/CVE-2024-25621](https://nvd.nist.gov/vuln/detail/CVE-2024-25621) - [https://github.com/containerd/containerd/commit/7c59e8e9e970d38061a77b586b23655c352bfec5](https://redirect.github.com/containerd/containerd/commit/7c59e8e9e970d38061a77b586b23655c352bfec5) - [https://github.com/containerd/containerd/blob/main/docs/rootless.md](https://redirect.github.com/containerd/containerd/blob/main/docs/rootless.md) This data is provided by [OSV](https://osv.dev/vulnerability/GO-2025-4100) and the [Go Vulnerability Database](https://redirect.github.com/golang/vulndb) ([CC-BY 4.0](https://redirect.github.com/golang/vulndb#license)). </details> --- ### containerd CRI server: Host memory exhaustion through Attach goroutine leak [CVE-2025-64329](https://nvd.nist.gov/vuln/detail/CVE-2025-64329) / [GHSA-m6hq-p25p-ffr2](https://redirect.github.com/advisories/GHSA-m6hq-p25p-ffr2) / [GO-2025-4108](https://pkg.go.dev/vuln/GO-2025-4108) <details> <summary>More information</summary> #### Details ##### Impact A bug was found in containerd's CRI Attach implementation where a user can exhaust memory on the host due to goroutine leaks. Repetitive calls of CRI Attach (e.g., [`kubectl attach`](https://kubernetes.io/docs/reference/kubectl/generated/kubectl_attach/)) could increase the memory usage of containerd. ##### Patches This bug has been fixed in the following containerd versions: * 2.2.0 * 2.1.5 * 2.0.7 * 1.7.29 Users should update to these versions to resolve the issue. ##### Workarounds Set up an admission controller to control accesses to `pods/attach` resources. e.g., [Validating Admission Policy](https://kubernetes.io/docs/reference/access-authn-authz/validating-admission-policy/). ##### Credits The containerd project would like to thank @​Wheat2018 for responsibly disclosing this issue in accordance with the [containerd security policy](https://redirect.github.com/containerd/project/blob/main/SECURITY.md). ##### References https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-64329 ##### For more information If you have any questions or comments about this advisory: * Open an issue in [containerd](https://redirect.github.com/containerd/containerd/issues/new/choose) * Email us at [security@containerd.io](mailto:security@containerd.io) To report a security issue in containerd: * [Report a new vulnerability](https://redirect.github.com/containerd/containerd/security/advisories/new) #### Severity - CVSS Score: Unknown - Vector String: `CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N` #### References - [https://github.com/containerd/containerd/security/advisories/GHSA-m6hq-p25p-ffr2](https://redirect.github.com/containerd/containerd/security/advisories/GHSA-m6hq-p25p-ffr2) - [https://nvd.nist.gov/vuln/detail/CVE-2025-64329](https://nvd.nist.gov/vuln/detail/CVE-2025-64329) - [https://github.com/containerd/containerd/commit/083b53cd6f19b5de7717b0ce92c11bdf95e612df](https://redirect.github.com/containerd/containerd/commit/083b53cd6f19b5de7717b0ce92c11bdf95e612df) - [https://github.com/containerd/containerd](https://redirect.github.com/containerd/containerd) This data is provided by [OSV](https://osv.dev/vulnerability/GHSA-m6hq-p25p-ffr2) and the [GitHub Advisory Database](https://redirect.github.com/github/advisory-database) ([CC-BY 4.0](https://redirect.github.com/github/advisory-database/blob/main/LICENSE.md)). </details> --- ### Release Notes <details> <summary>containerd/containerd (github.com/containerd/containerd)</summary> ### [`v1.7.29`](https://redirect.github.com/containerd/containerd/releases/tag/v1.7.29): containerd 1.7.29 [Compare Source](https://redirect.github.com/containerd/containerd/compare/v1.7.28...v1.7.29) Welcome to the v1.7.29 release of containerd! The twenty-ninth patch release for containerd 1.7 contains various fixes and updates including security patches. ##### Security Updates - **containerd** - [**GHSA-pwhc-rpq9-4c8w**](https://redirect.github.com/containerd/containerd/security/advisories/GHSA-pwhc-rpq9-4c8w) - [**GHSA-m6hq-p25p-ffr2**](https://redirect.github.com/containerd/containerd/security/advisories/GHSA-m6hq-p25p-ffr2) - **runc** - [**GHSA-qw9x-cqr3-wc7r**](https://redirect.github.com/opencontainers/runc/security/advisories/GHSA-qw9x-cqr3-wc7r) - [**GHSA-cgrx-mc8f-2prm**](https://redirect.github.com/opencontainers/runc/security/advisories/GHSA-cgrx-mc8f-2prm) - [**GHSA-9493-h29p-rfm2**](https://redirect.github.com/opencontainers/runc/security/advisories/GHSA-9493-h29p-rfm2) ##### Highlights ##### Image Distribution - **Update differ to handle zstd media types** ([#​12018](https://redirect.github.com/containerd/containerd/pull/12018)) ##### Runtime - **Update runc binary to v1.3.3** ([#​12480](https://redirect.github.com/containerd/containerd/pull/12480)) - **Fix lost container logs from quickly closing io** ([#​12375](https://redirect.github.com/containerd/containerd/pull/12375)) Please try out the release binaries and report any issues at <https://github.com/containerd/containerd/issues>. ##### Contributors - Derek McGowan - Akihiro Suda - Phil Estes - Austin Vazquez - Sebastiaan van Stijn - ningmingxiao - Maksym Pavlenko - StepSecurity Bot - wheat2018 ##### Changes <details><summary>38 commits</summary> <p> - [`442cb34bd`](https://redirect.github.com/containerd/containerd/commit/442cb34bda9a6a0fed82a2ca7cade05c5c749582) Merge commit from fork - [`0450f046e`](https://redirect.github.com/containerd/containerd/commit/0450f046e6942e513d0ebf1ef5c2aff13daa187f) Fix directory permissions - [`e5cb6ddb7`](https://redirect.github.com/containerd/containerd/commit/e5cb6ddb7a7730c24253a94d7fdb6bbe13dba6f7) Merge commit from fork - [`c575d1b5f`](https://redirect.github.com/containerd/containerd/commit/c575d1b5f4011f33b32f71ace75367a92b08c750) fix goroutine leak of container Attach - Prepare release notes for v1.7.29 ([#​12486](https://redirect.github.com/containerd/containerd/pull/12486)) - [`1fc2daaf3`](https://redirect.github.com/containerd/containerd/commit/1fc2daaf3ed53f4c9e76fbc5786a6f1ae3bb885f) Prepare release notes for v1.7.29 - Update runc binary to v1.3.3 ([#​12480](https://redirect.github.com/containerd/containerd/pull/12480)) - [`3f5f9f872`](https://redirect.github.com/containerd/containerd/commit/3f5f9f872707a743563d316e85e530193a2e30ac) runc: Update runc binary to v1.3.3 - Update GHA images and bump Go 1.24.9; 1.25.3 ([#​12471](https://redirect.github.com/containerd/containerd/pull/12471)) - [`667409fb6`](https://redirect.github.com/containerd/containerd/commit/667409fb63098cb80280940ab06038114e7712da) ci: bump Go 1.24.9, 1.25.3 - [`294f8c027`](https://redirect.github.com/containerd/containerd/commit/294f8c027b607c4450b3e52f44280581a737a73f) Update GHA runners to use latest images for basic binaries build - [`cf66b4141`](https://redirect.github.com/containerd/containerd/commit/cf66b4141defb757dee0fc5653bfd0a7ba1e8fed) Update GHA runners to use latest image for most jobs - [`fa3e6fa18`](https://redirect.github.com/containerd/containerd/commit/fa3e6fa18aa8dc7e699428958e1fb1d38e832e15) pkg/epoch: extract parsing SOURCE\_DATE\_EPOCH to a function - [`ac334bffc`](https://redirect.github.com/containerd/containerd/commit/ac334bffc4e759f188afb58efd74a603ade0855a) pkg/epoch: fix tests on macOS - [`d04b8721f`](https://redirect.github.com/containerd/containerd/commit/d04b8721fc5bff2677beadb4f3d15d7c0ec989ca) pkg/epoch: replace some fmt.Sprintfs with strconv - CI: update Fedora to 43 ([#​12450](https://redirect.github.com/containerd/containerd/pull/12450)) - [`5cfedbf52`](https://redirect.github.com/containerd/containerd/commit/5cfedbf52300d09f77a51f02a0c784c37284302c) CI: update Fedora to 43 - CI: skip ubuntu-24.04-arm on private repos ([#​12429](https://redirect.github.com/containerd/containerd/pull/12429)) - [`cf99a012d`](https://redirect.github.com/containerd/containerd/commit/cf99a012d6f7fcb51afdea641d87474dae95f50d) CI: skip ubuntu-24.04-arm on private repos - runc:Update runc binary to v1.3.1 ([#​12276](https://redirect.github.com/containerd/containerd/pull/12276)) - [`4c77b8d07`](https://redirect.github.com/containerd/containerd/commit/4c77b8d078a65a5e99e40847a9eaa18a944ff68e) runc:Update runc binary to v1.3.1 - Fix lost container logs from quickly closing io ([#​12375](https://redirect.github.com/containerd/containerd/pull/12375)) - [`d30024db2`](https://redirect.github.com/containerd/containerd/commit/d30024db25590e6ec74b639746a5dc792f5c1403) bugfix:fix container logs lost because io close too quickly - ci: bump Go 1.24.8 ([#​12362](https://redirect.github.com/containerd/containerd/pull/12362)) - [`f4b3d96f3`](https://redirect.github.com/containerd/containerd/commit/f4b3d96f3d83a0ac7bde03ae9eec749aa1936a59) ci: bump Go 1.24.8 - [`334fd8e4b`](https://redirect.github.com/containerd/containerd/commit/334fd8e4b974d88ebea43a998d76760aad49773a) update golangci-lint to v1.64.2 - [`8a67abc4c`](https://redirect.github.com/containerd/containerd/commit/8a67abc4cac67bf806da0b2b55ac7159e91f6996) Drop inactivated linter exportloopref - [`e4dbf08f0`](https://redirect.github.com/containerd/containerd/commit/e4dbf08f0ff3dc9f6b2a9a36eab71d73ac707956) build(deps): bump golangci/golangci-lint-action from 6.3.2 to 6.5.0 - [`d7db2ba06`](https://redirect.github.com/containerd/containerd/commit/d7db2ba063385d06132ec80890eb6c1fe4126692) build(deps): bump golangci/golangci-lint-action from 6.2.0 to 6.3.2 - [`d7182888f`](https://redirect.github.com/containerd/containerd/commit/d7182888f0071cce86d40fcf09cd9a247ac15c41) build(deps): bump golangci/golangci-lint-action from 6.1.1 to 6.2.0 - [`4be6c7e3b`](https://redirect.github.com/containerd/containerd/commit/4be6c7e3b5d5da7be8c1c87e1c16450b7ea8dadb) build(deps): bump actions/cache from 4.1.2 to 4.2.0 - [`a2e097e86`](https://redirect.github.com/containerd/containerd/commit/a2e097e865887382c2fc29ee0cea0053e6152a12) build(deps): bump actions/checkout from 4.2.1 to 4.2.2 - [`6de404d11`](https://redirect.github.com/containerd/containerd/commit/6de404d11b8e237a7867c7fbe535579c5736bfde) build(deps): bump actions/cache from 4.1.1 to 4.1.2 - [`038a25584`](https://redirect.github.com/containerd/containerd/commit/038a25584e7f66272114ec0801b071e6149ef841) \[StepSecurity] ci: Harden GitHub Actions - Update differ to handle zstd media types ([#​12018](https://redirect.github.com/containerd/containerd/pull/12018)) - [`eaeb4b6ac`](https://redirect.github.com/containerd/containerd/commit/eaeb4b6ac581c0704bed0ff96ee7e53170345e84) Update differ to handle zstd media types - ci: bump Go 1.23.12, 1.24.6 ([#​12188](https://redirect.github.com/containerd/containerd/pull/12188)) - [`83c535339`](https://redirect.github.com/containerd/containerd/commit/83c535339bbe253ce9e7a616a90f770994b754e5) ci: bump Go 1.23.12, 1.24.6 </p> </details> ##### Dependency Changes This release has no dependency changes Previous release can be found at [v1.7.28](https://redirect.github.com/containerd/containerd/releases/tag/v1.7.28) ### [`v1.7.28`](https://redirect.github.com/containerd/containerd/releases/tag/v1.7.28): containerd 1.7.28 [Compare Source](https://redirect.github.com/containerd/containerd/compare/v1.7.27...v1.7.28) Welcome to the v1.7.28 release of containerd! The twenty-eighth patch release for containerd 1.7 contains various fixes and updates. ##### Highlights ##### Image Distribution - Refresh OAuth tokens when they expire during registry operations ([#​11721](https://redirect.github.com/containerd/containerd/pull/11721)) - Set default differ for the default unpack config of transfer service ([#​11689](https://redirect.github.com/containerd/containerd/pull/11689)) ##### Runtime - Update runc binary to v1.3.0 ([#​11800](https://redirect.github.com/containerd/containerd/pull/11800)) - Remove invalid error log when stopping container after containerd restart ([#​11620](https://redirect.github.com/containerd/containerd/pull/11620)) Please try out the release binaries and report any issues at <https://github.com/containerd/containerd/issues>. ##### Contributors - Akhil Mohan - Akihiro Suda - Austin Vazquez - Maksym Pavlenko - Phil Estes - Derek McGowan - Kirtana Ashok - Henry Wang - Iain Macdonald - Jin Dong - Swagat Bora - Wei Fu - Yang Yang - madraceee ##### Changes <details><summary>57 commits</summary> <p> - Prepare release notes for v1.7.28 ([#​12134](https://redirect.github.com/containerd/containerd/pull/12134)) - [`b01b809f8`](https://redirect.github.com/containerd/containerd/commit/b01b809f89a27e19ff7531e1b88df07d2f40de97) Prepare release notes for v1.7.28 - ci: bump Go 1.23.11, 1.24.5 ([#​12117](https://redirect.github.com/containerd/containerd/pull/12117)) - [`ce2373176`](https://redirect.github.com/containerd/containerd/commit/ce2373176b0db7cdcc3e289f57aeb59927ad0efb) ci: bump Go 1.23.11, 1.24.5 - Backport windows test fixes ([#​12121](https://redirect.github.com/containerd/containerd/pull/12121)) - [`3c06bcc4d`](https://redirect.github.com/containerd/containerd/commit/3c06bcc4d2f5b55c501f9c5333596c5a6d0a980a) Fix intermittent test failures on Windows CIs - [`c6c0c6854`](https://redirect.github.com/containerd/containerd/commit/c6c0c6854ff663deb46363a8884a9015598c9f9b) Remove WS2025 from CIs due to regression - ci: use fedora 39 archive ([#​12123](https://redirect.github.com/containerd/containerd/pull/12123)) - [`6d7e021cf`](https://redirect.github.com/containerd/containerd/commit/6d7e021cf0f0f6ba1d14f0b4f76ecdf7a005feaa) ci: use fedora/39-cloud-base image from archive - update runners to ubuntu 24.04 ([#​11802](https://redirect.github.com/containerd/containerd/pull/11802)) - [`c362e18cc`](https://redirect.github.com/containerd/containerd/commit/c362e18ccd613b5baf04fff87832b871edfdecd5) CI: install OVMF for Vagrant - [`1d99bec21`](https://redirect.github.com/containerd/containerd/commit/1d99bec213063acdad8d7ad96ea4cbb78ab6b560) CI: fix "Unable to find a source package for vagrant" error - [`dafa3c48d`](https://redirect.github.com/containerd/containerd/commit/dafa3c48dffaff915bea2293eecd949fbdd94228) add debian sources for ubuntu-24 - [`b03301d85`](https://redirect.github.com/containerd/containerd/commit/b03301d851a5492808f36e5233a808a39575a1a0) partial: enable ubuntu 24 runners - [`13fbc5f97`](https://redirect.github.com/containerd/containerd/commit/13fbc5f970d1dee5425443a9b346d56ccc98db45) update release runners to ubuntu 24.04 - go.mod: golang.org/x/\* latest ([#​12096](https://redirect.github.com/containerd/containerd/pull/12096)) - [`da5d1a371`](https://redirect.github.com/containerd/containerd/commit/da5d1a3714ac06f6280740f668ebe95c62863c01) go.mod: golang.org/x/\* latest - Remove additional fuzzers from instrumentation repo ([#​12099](https://redirect.github.com/containerd/containerd/pull/12099)) - [`5fef123ba`](https://redirect.github.com/containerd/containerd/commit/5fef123ba77e3d9fd83f78fd34bdb80549034756) Remove additional fuzzers from CI - backport windows runner and golang toolchain updates ([#​11972](https://redirect.github.com/containerd/containerd/pull/11972)) - [`a35978f5a`](https://redirect.github.com/containerd/containerd/commit/a35978f5af147f279280b34082c3781904bfd4cd) ci: bump golang \[1.23.10, 1.24.4] in build and release - [`df035aa3e`](https://redirect.github.com/containerd/containerd/commit/df035aa3ef3d98eb48310d548439eb59c8b6d887) ci: bump golang \[1.23.9, 1.24.3] in build and release - [`2a6d9fc71`](https://redirect.github.com/containerd/containerd/commit/2a6d9fc71e97ff0d742b21d0f62a05a70126aa21) use go1.23.8 as the default go version - [`15d4d6eba`](https://redirect.github.com/containerd/containerd/commit/15d4d6eba30565274e1ade4d545abab2dbbcf1f9) update to go 1.24.2, 1.23.8 - [`1613a3b1a`](https://redirect.github.com/containerd/containerd/commit/1613a3b1addf8fb8a50cef46860a1b7642d81589) Enable CIs to run on WS2022 and WS2025 - test: added runc v1 tests using vagrant ([#​11896](https://redirect.github.com/containerd/containerd/pull/11896)) - [`60e73122c`](https://redirect.github.com/containerd/containerd/commit/60e73122c1f74524178ff1ea819a893d7cdb4372) test: added runc v1 tests using vagrant - Revert "disable portmap test in ubuntu-22 to make CI happy" ([#​11803](https://redirect.github.com/containerd/containerd/pull/11803)) - [`10e1b515e`](https://redirect.github.com/containerd/containerd/commit/10e1b515ec9c497bcfd7b0758bff3f6c840b303a) Revert "Disable port mapping tests in CRI-in-UserNS" - [`7a680e884`](https://redirect.github.com/containerd/containerd/commit/7a680e88494d90896322e09d4070ed86d221e25b) fix unbound SKIP\_TEST variable error - [`e5f8cc995`](https://redirect.github.com/containerd/containerd/commit/e5f8cc9953f28f1abdc2f7975a9f5833cc83ee9c) Revert "disable portmap test in ubuntu-22 to make CI happy" - Update runc binary to v1.3.0 ([#​11800](https://redirect.github.com/containerd/containerd/pull/11800)) - [`b001469c7`](https://redirect.github.com/containerd/containerd/commit/b001469c70a4489c1453cfe856055b15c536645f) Update runc binary to v1.3.0 - Refresh OAuth tokens when they expire during registry operations ([#​11721](https://redirect.github.com/containerd/containerd/pull/11721)) - [`a6421da84`](https://redirect.github.com/containerd/containerd/commit/a6421da84bb59dcf3680eb472b78f2eae8086f9b) remotes/docker/authorizer.go: invalidate auth tokens when they expire. - \[CI] Fix vagrant ([#​11739](https://redirect.github.com/containerd/containerd/pull/11739)) - [`effc49e8b`](https://redirect.github.com/containerd/containerd/commit/effc49e8b096bebfd73effb9257ad4fd80aa4e84) Fix vagrant setup - Fix CI ([#​11722](https://redirect.github.com/containerd/containerd/pull/11722)) - [`d3e7dd716`](https://redirect.github.com/containerd/containerd/commit/d3e7dd716a7988bf49f92972998a5260fd538505) Skip criu on Arms - [`7cf9ebe94`](https://redirect.github.com/containerd/containerd/commit/7cf9ebe94676a443f5df2802f2c784a93dba6b9a) Disable port mapping tests in CRI-in-UserNS - [`42657a4ed`](https://redirect.github.com/containerd/containerd/commit/42657a4ed1bcc2a5162264cb820d97bdd0a56a6b) disable portmap test in ubuntu-22 to make CI happy - [`b300fd37b`](https://redirect.github.com/containerd/containerd/commit/b300fd37b840dcad8c0635e1f8ce848413441445) add option to skip tests in critest - [`6f4ffad27`](https://redirect.github.com/containerd/containerd/commit/6f4ffad27695c7e297c0052091b0d5e7fad7e48a) Address cgroup mountpoint does not exist - [`cef298331`](https://redirect.github.com/containerd/containerd/commit/cef2983317494d0a7b67e89ef81e083f75102066) Update Ubuntu to 24 - [`2dd9be16e`](https://redirect.github.com/containerd/containerd/commit/2dd9be16e71e97b922ae42b05a7ae837c28563ca) ci: update GitHub Actions release runner to ubuntu-24.04 - Set default differ for the default unpack config of transfer service ([#​11689](https://redirect.github.com/containerd/containerd/pull/11689)) - [`e40e59e4e`](https://redirect.github.com/containerd/containerd/commit/e40e59e4ee8e7fb00213065c6fabbec8d4e7fc7f) Set default differ for the default unpack config of transfer service - silence govulncheck false positives ([#​11679](https://redirect.github.com/containerd/containerd/pull/11679)) - [`ff097d5a4`](https://redirect.github.com/containerd/containerd/commit/ff097d5a4c1a427d10fa989895d05f78c0b52893) silence govulncheck false positives - vendor: github.com/go-jose/go-jose/v3 v3.0.4 ([#​11619](https://redirect.github.com/containerd/containerd/pull/11619)) - [`52dd4dc51`](https://redirect.github.com/containerd/containerd/commit/52dd4dc51070fc93f13f048d3a919ccbf2b042aa) vendor: github.com/go-jose/go-jose/v3 v3.0.4 - Remove invalid error log when stopping container after containerd restart ([#​11620](https://redirect.github.com/containerd/containerd/pull/11620)) - [`24f41d2d5`](https://redirect.github.com/containerd/containerd/commit/24f41d2d5c6514e2f0a6f553f80183ff274ec230) use shimCtx for fifo copy - Update runc binary to v1.2.6 ([#​11584](https://redirect.github.com/containerd/containerd/pull/11584)) - [`1e1e78ad7`](https://redirect.github.com/containerd/containerd/commit/1e1e78ad7cab8d6f50be6bcf0ef7178a2ba3e207) Update runc binary to v1.2.6 - Use RWMutex in NSMap and reduce lock area ([#​11556](https://redirect.github.com/containerd/containerd/pull/11556)) - [`9a8d1d44a`](https://redirect.github.com/containerd/containerd/commit/9a8d1d44a1dee8f805ad0b071b686887222a1fe7) Use RWMutex in NSMap and reduce lock area </p> </details> ##### Dependency Changes - **github.com/go-jose/go-jose/v3** v3.0.3 -> v3.0.4 - **golang.org/x/crypto** v0.31.0 -> v0.40.0 - **golang.org/x/mod** v0.17.0 -> v0.26.0 - **golang.org/x/net** v0.33.0 -> v0.42.0 - **golang.org/x/oauth2** v0.11.0 -> v0.30.0 - **golang.org/x/sync** v0.10.0 -> v0.16.0 - **golang.org/x/sys** v0.28.0 -> v0.34.0 - **golang.org/x/term** v0.27.0 -> v0.33.0 - **golang.org/x/text** v0.21.0 -> v0.27.0 - **golang.org/x/time** [`90d013b`](https://redirect.github.com/containerd/containerd/commit/90d013bbcef8) -> v0.12.0 Previous release can be found at [v1.7.27](https://redirect.github.com/containerd/containerd/releases/tag/v1.7.27) ### [`v1.7.27`](https://redirect.github.com/containerd/containerd/releases/tag/v1.7.27): containerd 1.7.27 [Compare Source](https://redirect.github.com/containerd/containerd/compare/v1.7.26...v1.7.27) Welcome to the v1.7.27 release of containerd! The twenty-seventh patch release for containerd 1.7 contains various fixes and updates. ##### Highlights - Fix integer overflow in User ID handling ([GHSA-265r-hfxg-fhmg](https://redirect.github.com/containerd/containerd/security/advisories/GHSA-265r-hfxg-fhmg)) - Update image type checks to avoid unnecessary logs for attestations ([#​11538](https://redirect.github.com/containerd/containerd/pull/11538)) Please try out the release binaries and report any issues at <https://github.com/containerd/containerd/issues>. ##### Contributors - Jin Dong - Akhil Mohan - Derek McGowan - Maksym Pavlenko - Paweł Gronowski - Phil Estes - Akihiro Suda - Craig Ingram - Krisztian Litkey - Samuel Karp ##### Changes <details><summary>20 commits</summary> <p> - [`05044ec0a`](https://redirect.github.com/containerd/containerd/commit/05044ec0a9a75232cad458027ca83437aae3f4da) Merge commit from fork - [`11504c3fc`](https://redirect.github.com/containerd/containerd/commit/11504c3fc5f45634f2d93d57743a998194430b82) validate uid/gid - Prepare release notes for v1.7.27 ([#​11540](https://redirect.github.com/containerd/containerd/pull/11540)) - [`1be04be6c`](https://redirect.github.com/containerd/containerd/commit/1be04be6c307a7f67423574ca1b9744e57377753) Prepare release notes for v1.7.27 - Update image type checks to avoid unnecessary logs for attestations ([#​11538](https://redirect.github.com/containerd/containerd/pull/11538)) - [`82b5c43fe`](https://redirect.github.com/containerd/containerd/commit/82b5c43fed40d1f32e88215a3f0acbaf8cd9af10) core/remotes: Handle attestations in MakeRefKey - [`2c670e79b`](https://redirect.github.com/containerd/containerd/commit/2c670e79bf19bc7716c8b9f1f82c700ad8233af3) core/images: Ignore attestations when traversing children - update build to go1.23.7, test go1.24.1 ([#​11515](https://redirect.github.com/containerd/containerd/pull/11515)) - [`a39863c9f`](https://redirect.github.com/containerd/containerd/commit/a39863c9fd52abb50895a4b6f653cf501a2e3388) update build to go1.23.7, test go1.24.1 - Remove hashicorp/go-multierror dependency and fix CI ([#​11499](https://redirect.github.com/containerd/containerd/pull/11499)) - [`49537b3a7`](https://redirect.github.com/containerd/containerd/commit/49537b3a75bdcd982e7e26855779b346bb363a54) e2e: use the shim bundled with containerd artifact - [`fe490b76f`](https://redirect.github.com/containerd/containerd/commit/fe490b76fd78cc1461f20aab89951be5f88fc454) Bump up github.com/intel/goresctrl to 0.5.0 - [`13fc9d313`](https://redirect.github.com/containerd/containerd/commit/13fc9d3132fc4c77f6533551049d2d865d4e4b45) update containerd/project-checks to 1.2.1 - [`585699c94`](https://redirect.github.com/containerd/containerd/commit/585699c94f68649a89b0af46d675d6e998d67ccd) Remove unnecessary joinError unwrap - [`4b9df59be`](https://redirect.github.com/containerd/containerd/commit/4b9df59be202a011c4f65604bbeab75eeb85ab46) Remove hashicorp/go-multierror - go.{mod,sum}: bump CDI deps to v0.8.1. ([#​11422](https://redirect.github.com/containerd/containerd/pull/11422)) - [`5ba28f8dc`](https://redirect.github.com/containerd/containerd/commit/5ba28f8dc1d007059ed3eb1a7b55025e72abd525) go.{mod,sum}: bump CDI deps to v0.8.1, re-vendor. - CI: arm64-8core-32gb -> ubuntu-24.04-arm ([#​11437](https://redirect.github.com/containerd/containerd/pull/11437)) - [`85f10bd92`](https://redirect.github.com/containerd/containerd/commit/85f10bd9221f35ef1c2b8ec2d67520f461aa51a0) CI: arm64-8core-32gb -> ubuntu-24.04-arm - [`561ed520e`](https://redirect.github.com/containerd/containerd/commit/561ed520eaef2974aa8008b7a18a0944e6f90872) increase xfs base image size to 300Mb </p> </details> ##### Dependency Changes - **github.com/intel/goresctrl** v0.3.0 -> v0.5.0 - **github.com/prometheus/client\_golang** v1.14.0 -> v1.16.0 - **github.com/prometheus/common** v0.37.0 -> v0.42.0 - **github.com/prometheus/procfs** v0.8.0 -> v0.10.1 - **k8s.io/apimachinery** v0.26.2 -> v0.27.4 - **sigs.k8s.io/json** [`f223a00`](https://redirect.github.com/containerd/containerd/commit/f223a00ba0e2) -> [`bc3834c`](https://redirect.github.com/containerd/containerd/commit/bc3834ca7abd) - **tags.cncf.io/container-device-interface** v0.7.2 -> v0.8.1 - **tags.cncf.io/container-device-interface/specs-go** v0.7.0 -> v0.8.0 Previous release can be found at [v1.7.26](https://redirect.github.com/containerd/containerd/releases/tag/v1.7.26) ### [`v1.7.26`](https://redirect.github.com/containerd/containerd/releases/tag/v1.7.26): containerd 1.7.26 [Compare Source](https://redirect.github.com/containerd/containerd/compare/v1.7.25...v1.7.26) Welcome to the v1.7.26 release of containerd! The twenty-sixth patch release for containerd 1.7 contains various fixes and updates. ##### Highlights - Add support for syncfs after unpack ([#​11267](https://redirect.github.com/containerd/containerd/pull/11267)) - Update runc binary to v1.2.5 ([#​11395](https://redirect.github.com/containerd/containerd/pull/11395)) - Fix race between serve and immediate shutdown on the server ([containerd/ttrpc#175](https://redirect.github.com/containerd/ttrpc/pull/175)) - Reject oversized messages from the sender ([containerd/ttrpc#171](https://redirect.github.com/containerd/ttrpc/pull/171)) ##### Container Runtime Interface (CRI) - Fix fatal concurrency error in port forwarding ([#​11306](https://redirect.github.com/containerd/containerd/pull/11306)) ##### Node Resource Interface (NRI) - Fix initial sync race when registering NRI plugins ([#​11326](https://redirect.github.com/containerd/containerd/pull/11326)) - Add API support for reading Pod IPs ([containerd/nri#119](https://redirect.github.com/containerd/nri/pull/119)) - Fix plugin sync to use multiple messages if ttrpc max message limit is hit ([containerd/nri#111](https://redirect.github.com/containerd/nri/pull/111)) - Update API to pass configured timeouts to plugins. ([containerd/nri#109](https://redirect.github.com/containerd/nri/pull/109)) - Fix mount removal in adjustments ([containerd/nri#107](https://redirect.github.com/containerd/nri/pull/107)) - Close plugin if initial synchronization fails ([containerd/nri#103](https://redirect.github.com/containerd/nri/pull/103)) - Add support for adjusting OOM score ([containerd/nri#94](https://redirect.github.com/containerd/nri/pull/94)) - Add API support for NRI-native CDI injection ([containerd/nri#98](https://redirect.github.com/containerd/nri/pull/98)) - Add support for pids cgroup ([containerd/nri#76](https://redirect.github.com/containerd/nri/pull/76)) ##### Runtime - Fix console TTY leak in runc shim ([#​11250](https://redirect.github.com/containerd/containerd/pull/11250)) Please try out the release binaries and report any issues at <https://github.com/containerd/containerd/issues>. ##### Contributors - Krisztian Litkey - Mike Brown - Samuel Karp - Wei Fu - Phil Estes - Derek McGowan - Iceber Gu - Akhil Mohan - Antonio Ojea - Austin Vazquez - Henry Wang - Jin Dong - Xiaojin Zhang - ningmingxiao - AbdelrahmanElawady - Akihiro Suda - Antti Kervinen - Jing Xu - Jitang Lei - Justin Alvarez - Lei Liu - Maksym Pavlenko - Yang Yang - Yuhang Wei - cormick - jingtao.liang ##### Changes <details><summary>24 commits</summary> <p> - Prepare release notes for v1.7.26 ([#​11356](https://redirect.github.com/containerd/containerd/pull/11356)) - [`ceba197f5`](https://redirect.github.com/containerd/containerd/commit/ceba197f5fa0b76b0f181c24f81c67c43d34bff2) Prepare release notes for v1.7.26 - Upgrade x/net to 0.33.0 to fix vulnerability GHSA-w32m-9786-jp63 ([#​11434](https://redirect.github.com/containerd/containerd/pull/11434)) - [`3486bc8dd`](https://redirect.github.com/containerd/containerd/commit/3486bc8dd19acbde278ed6c4c4fa42c7299e1278) Upgrade x/net to 0.33.0 - update build to go1.23.6, test go1.24.0 ([#​11419](https://redirect.github.com/containerd/containerd/pull/11419)) - [`9025d3075`](https://redirect.github.com/containerd/containerd/commit/9025d3075b91b0806ff15f27f28bbce8af4f1a76) update build to go1.23.6, test go1.24.0 - Update install-imgcrypt to allow change install repo ([#​11358](https://redirect.github.com/containerd/containerd/pull/11358)) - [`83eaab482`](https://redirect.github.com/containerd/containerd/commit/83eaab4822188e019efe68c29a6d77f37f099d6e) Update install-imgcrypt to allow change install repo - Add support for syncfs after unpack ([#​11267](https://redirect.github.com/containerd/containerd/pull/11267)) - [`8bc21cba7`](https://redirect.github.com/containerd/containerd/commit/8bc21cba7516727b294d4dd6a3e8859cbdd146a8) support to syncfs after pull by using diff plugin - Update runc binary to v1.2.5 ([#​11395](https://redirect.github.com/containerd/containerd/pull/11395)) - [`27c472acf`](https://redirect.github.com/containerd/containerd/commit/27c472acf59c4d86e2b446ae554691149ac43661) Update runc binary to v1.2.5 - Move `run.skip-dirs` to `issues.exclude-dirs` in golangci-lint config ([#​11400](https://redirect.github.com/containerd/containerd/pull/11400)) - [`8d8034b66`](https://redirect.github.com/containerd/containerd/commit/8d8034b66e2790ef0149207acb7c92a033d7f1f8) move skip-dirs to issues.exclude-dirs - Fix initial sync race when registering NRI plugins ([#​11326](https://redirect.github.com/containerd/containerd/pull/11326)) - [`11af05177`](https://redirect.github.com/containerd/containerd/commit/11af05177545dbb97d87aa861b15d70ab911307c) cri,nri: block NRI plugin sync. during event processing. - [`d4036cd3d`](https://redirect.github.com/containerd/containerd/commit/d4036cd3d1eb174ea379c8e1d139c25cfe9f18d8) go.{mod,sum}: bump NRI to v0.8.0, re-vendor. - Fix console TTY leak in runc shim ([#​11250](https://redirect.github.com/containerd/containerd/pull/11250)) - [`c3e24e024`](https://redirect.github.com/containerd/containerd/commit/c3e24e0248f0ca83d0bfbb0262862c2a06a632e2) Add integ test to check tty leak - [`4e45a463d`](https://redirect.github.com/containerd/containerd/commit/4e45a463d90fd44f6b92978721779d7b09045cee) fix master tty leak due to leaking init container object - Fix fatal concurrency error in port forwarding ([#​11306](https://redirect.github.com/containerd/containerd/pull/11306)) - [`0fe9f0b52`](https://redirect.github.com/containerd/containerd/commit/0fe9f0b52f7b700689df46d13de36e67b62486e1) fix fatal error: concurrent map iteration and map write - update build to go1.22.11, test go1.23.5 ([#​11298](https://redirect.github.com/containerd/containerd/pull/11298)) - [`441b92636`](https://redirect.github.com/containerd/containerd/commit/441b92636a806d71655945137210126de723e4fe) update build to go1.22.11, test go1.23.5 </p> </details> ##### Changes from containerd/nri <details><summary>77 commits</summary> <p> - Add API support for reading Pod IPs ([containerd/nri#119](https://redirect.github.com/containerd/nri/pull/119)) - [`eaf78a9`](https://redirect.github.com/containerd/nri/commit/eaf78a9afe9ebac28a68d1163dd00183525801a3) api: support Pod IPs - generate: do not set OOMScoreAdj if no adjustment ([containerd/nri#116](https://redirect.github.com/containerd/nri/pull/116)) - [`07bfc18`](https://redirect.github.com/containerd/nri/commit/07bfc18129a3cc9c4b44e1aced9972279a50ddb5) wip: generate: add test for oom score adj - [`b5fc359`](https://redirect.github.com/containerd/nri/commit/b5fc359973c0e8c599b12c1d118546c267894b3b) generate: do not set OOMScoreAdj if no adjustment - device-injector: remove unreachable code. ([containerd/nri#115](https://redirect.github.com/containerd/nri/pull/115)) - [`235aa11`](https://redirect.github.com/containerd/nri/commit/235aa114dffc784073ec8b2f88fbd4ecfba06450) chore: remove unreachable code and fmt files - Fix plugin sync to use multiple messages if ttrpc max message limit is hit ([containerd/nri#111](https://redirect.github.com/containerd/nri/pull/111)) - [`159f575`](https://redirect.github.com/containerd/nri/commit/159f5754db397e32ce886cd07985ffd95f1bd823) template: dump pod/container count in sync message. - [`bf267e3`](https://redirect.github.com/containerd/nri/commit/bf267e336f2ec2f5045fd396fb68f9853d2b5db9) stub: collect/handle split sync messages. - [`ed78ae9`](https://redirect.github.com/containerd/nri/commit/ed78ae9231cb603031f66921559ca6f38ef77bb5) adaptation: use multiple sync messages if necessary. - [`6fd59d6`](https://redirect.github.com/containerd/nri/commit/6fd59d6d7701cdadeae4db0058b3fde84c02e94b) api: add support for multiple sync messages. - [`a7fcccc`](https://redirect.github.com/containerd/nri/commit/a7fcccc4ba35f69ea2af790b6cb4b46385c50ce4) mux: split oversized messages. - [`5fe9b06`](https://redirect.github.com/containerd/nri/commit/5fe9b06401fb7fce78c41b95df04e05dffc22e5b) mux: fix maximum allowed message size. - [`693d64e`](https://redirect.github.com/containerd/nri/commit/693d64e2565cc14c00fae2de904ffc030fc2b894) go.{mod,sum}, plugins: update ttrpc and NRI deps. - Update API to pass configured timeouts to plugins. ([containerd/nri#109](https://redirect.github.com/containerd/nri/pull/109)) - [`320e4e7`](https://redirect.github.com/containerd/nri/commit/320e4e7e52a856b119cfa1c06a4a135ab5f88f56) adaptation: tests for runtime version, timeouts. - [`f86d982`](https://redirect.github.com/containerd/nri/commit/f86d98210749556ef562776fde784d2250d1190e) api,adaptation,stub: let plugin know configured timeouts. - [`cfcd2af`](https://redirect.github.com/containerd/nri/commit/cfcd2af3c80db6667f2d1a291225cc616b6049c3) Makefile: fix ginkgo-tests target. - [`8cd9504`](https://redirect.github.com/containerd/nri/commit/8cd9504a48e1b79625ff5fce3d058c6662bc34d6) adaptation: block plugin sync/registration in test suite. - [`966ac92`](https://redirect.github.com/containerd/nri/commit/966ac92b01fca271373e2088695538dcef0edb2b) adaptation: implement plugin synchronization blocks. - ci: verify that code generation works and results match ([containerd/nri#113](https://redirect.github.com/containerd/nri/pull/113)) - [`f74ce31`](https://redirect.github.com/containerd/nri/commit/f74ce31ef9b048d69702b954912122a0597598a8) ci: verify code generation and generated files in repo - deps: bump gingko to v2.19.1, golang to v1.21.x. ([containerd/nri#110](https://redirect.github.com/containerd/nri/pull/110)) - [`e4d5c36`](https://redirect.github.com/containerd/nri/commit/e4d5c36429c495c5d61d0183ba1c1a908ed598f4) ci: stop testing with golang 1.20.x. - [`6578149`](https://redirect.github.com/containerd/nri/commit/65781492cc1b0cf5a6a6166a81ba638e45b7f93f) go.{mod,sum}: bump golang requirement to 1.21. - [`442e812`](https://redirect.github.com/containerd/nri/commit/442e81239436c53689e14d9a641099a4aeec7cbe) go.{mod,sum}: update to ginkgo v2.19.1. - sync sandboxes and containers after starting the pre-installed plugins ([containerd/nri#43](https://redirect.github.com/containerd/nri/pull/43)) - [`eada085`](https://redirect.github.com/containerd/nri/commit/eada085db3965057686def58fd8993c70030dd7f) ignore pre-installed plugins that did not sync successfully - [`b881bc4`](https://redirect.github.com/containerd/nri/commit/b881bc4ba69e3bfe718939d97f327f3c72670fad) sync sandboxes and containers after starting the pre-installed plugins - Fix mount removal in adjustments ([containerd/nri#107](https://redirect.github.com/containerd/nri/pull/107)) - [`3880f1d`](https://redirect.github.com/containerd/nri/commit/3880f1df504f4b3ceedd3a36172162c886a00564) adaptation: add test case for mount removal. - [`0d3b376`](https://redirect.github.com/containerd/nri/commit/0d3b37631b9fb913e95a9a0efd31b27117208e40) adaptation: fix mount removal in adjustments. - codespell: add codespell config, workflow, fix spelling errors. ([containerd/nri#105](https://redirect.github.com/containerd/nri/pull/105)) - [`df84c47`](https://redirect.github.com/containerd/nri/commit/df84c475025e3fc536701aa99f6ca6d14dbea648) .github: add codespell workflow. - [`a03dc93`](https://redirect.github.com/containerd/nri/commit/a03dc9359c2d526924e56a9d167445a69588d3ae) pkg,plugins,.codespellrc: add codespellrc, fix spelling. - Close plugin if initial synchronization fails ([containerd/nri#103](https://redirect.github.com/containerd/nri/pull/103)) - [`4aec208`](https://redirect.github.com/containerd/nri/commit/4aec208281ac3630b02d737005778527aec8abae) adaptation: log plugin as connected and synchronized. - [`4e60cd0`](https://redirect.github.com/containerd/nri/commit/4e60cd0fb845ffefa9590084bb5261a113ad6858) adaptation: close plugin if initial synchronization fails. - Reset source path of api.pb.go to pkg/api/api.proto ([containerd/nri#104](https://redirect.github.com/containerd/nri/pull/104)) - [`1cc026f`](https://redirect.github.com/containerd/nri/commit/1cc026f8a3773b9e0d4ca80f9c3e978ef7d54bef) Reset source path of api.pb.go to pkg/api/api.proto - Add support for adjusting OOM score ([containerd/nri#94](https://redirect.github.com/containerd/nri/pull/94)) - [`efcb2da`](https://redirect.github.com/containerd/nri/commit/efcb2dad664293bd3fbad1557cac2dcfd15a86dc) NRI plugins support adjust oom\_score\_adj - Add API support for NRI-na </details> --- ### Configuration 📅 **Schedule**: Branch creation - "" (UTC), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Enabled. ♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- ## Need help? You can ask for more help in the following Slack channel: #proj-renovate-self-hosted. In that channel you can also find ADR and FAQ docs in the Resources section. <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4zLjYiLCJ1cGRhdGVkSW5WZXIiOiI0My45LjAiLCJ0YXJnZXRCcmFuY2giOiJtYWluIiwibGFiZWxzIjpbImF1dG9tZXJnZS1zZWN1cml0eS11cGRhdGUiLCJzZXZlcml0eTpVTktOT1dOIl19--> Signed-off-by: renovate-sh-app[bot] <219655108+renovate-sh-app[bot]@users.noreply.github.com> Co-authored-by: renovate-sh-app[bot] <219655108+renovate-sh-app[bot]@users.noreply.github.com>
jharvey10
pushed a commit
to grafana/alloy
that referenced
this pull request
Feb 25, 2026
…9 [SECURITY] (#5497) > ℹ️ **Note** > > This PR body was truncated due to platform limits. This PR contains the following updates: | Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) | |---|---|---|---| | [github.com/containerd/containerd](https://redirect.github.com/containerd/containerd) | `v1.7.18` → `v1.7.29` |  |  | --- > [!WARNING] > Some dependencies could not be looked up. Check the Dependency Dashboard for more information. ### GitHub Vulnerability Alerts #### [CVE-2024-40635](https://redirect.github.com/containerd/containerd/security/advisories/GHSA-265r-hfxg-fhmg) ### Impact A bug was found in containerd where containers launched with a User set as a `UID:GID` larger than the maximum 32-bit signed integer can cause an overflow condition where the container ultimately runs as root (UID 0). This could cause unexpected behavior for environments that require containers to run as a non-root user. ### Patches This bug has been fixed in the following containerd versions: * 2.0.4 (Fixed in https://github.com/containerd/containerd/commit/1a43cb6a1035441f9aca8f5666a9b3ef9e70ab20) * 1.7.27 (Fixed in https://github.com/containerd/containerd/commit/05044ec0a9a75232cad458027ca83437aae3f4da) * 1.6.38 (Fixed in https://github.com/containerd/containerd/commit/cf158e884cfe4812a6c371b59e4ea9bc4c46e51a) Users should update to these versions to resolve the issue. ### Workarounds Ensure that only trusted images are used and that only trusted users have permissions to import images. ### Credits The containerd project would like to thank [Benjamin Koltermann](https://redirect.github.com/p4ck3t0) and [emxll](https://redirect.github.com/emxll) for responsibly disclosing this issue in accordance with the [containerd security policy](https://redirect.github.com/containerd/project/blob/main/SECURITY.md). ### References * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-40635 ### For more information If you have any questions or comments about this advisory: * Open an issue in [containerd](https://redirect.github.com/containerd/containerd/issues/new/choose) * Email us at [security@containerd.io](mailto:security@containerd.io) To report a security issue in containerd: * [Report a new vulnerability](https://redirect.github.com/containerd/containerd/security/advisories/new) * Email us at [security@containerd.io](mailto:security@containerd.io) #### [CVE-2024-25621](https://redirect.github.com/containerd/containerd/security/advisories/GHSA-pwhc-rpq9-4c8w) ### Impact An overly broad default permission vulnerability was found in containerd. - `/var/lib/containerd` was created with the permission bits 0o711, while it should be created with 0o700 - Allowed local users on the host to potentially access the metadata store and the content store - `/run/containerd/io.containerd.grpc.v1.cri` was created with 0o755, while it should be created with 0o700 - Allowed local users on the host to potentially access the contents of Kubernetes local volumes. The contents of volumes might include setuid binaries, which could allow a local user on the host to elevate privileges on the host. - `/run/containerd/io.containerd.sandbox.controller.v1.shim` was created with 0o711, while it should be created with 0o700 The directory paths may differ depending on the daemon configuration. When the `temp` directory path is specified in the daemon configuration, that directory was also created with 0o711, while it should be created with 0o700. ### Patches This bug has been fixed in the following containerd versions: * 2.2.0 * 2.1.5 * 2.0.7 * 1.7.29 Users should update to these versions to resolve the issue. These updates automatically change the permissions of the existing directories. > [!NOTE] > > `/run/containerd` and `/run/containerd/io.containerd.runtime.v2.task` are still created with 0o711. > This is an expected behavior for supporting userns-remapped containers. ### Workarounds The system administrator on the host can manually chmod the directories to not have group or world accessible permisisons: ``` chmod 700 /var/lib/containerd chmod 700 /run/containerd/io.containerd.grpc.v1.cri chmod 700 /run/containerd/io.containerd.sandbox.controller.v1.shim ``` An alternative mitigation would be to run containerd in [rootless mode](https://redirect.github.com/containerd/containerd/blob/main/docs/rootless.md). ### Credits The containerd project would like to thank David Leadbeater for responsibly disclosing this issue in accordance with the [containerd security policy](https://redirect.github.com/containerd/project/blob/main/SECURITY.md). ### For more information If you have any questions or comments about this advisory: * Open an issue in [containerd](https://redirect.github.com/containerd/containerd/issues/new/choose) * Email us at [security@containerd.io](mailto:security@containerd.io) To report a security issue in containerd: * [Report a new vulnerability](https://redirect.github.com/containerd/containerd/security/advisories/new) #### [CVE-2025-64329](https://redirect.github.com/containerd/containerd/security/advisories/GHSA-m6hq-p25p-ffr2) ### Impact A bug was found in containerd's CRI Attach implementation where a user can exhaust memory on the host due to goroutine leaks. Repetitive calls of CRI Attach (e.g., [`kubectl attach`](https://kubernetes.io/docs/reference/kubectl/generated/kubectl_attach/)) could increase the memory usage of containerd. ### Patches This bug has been fixed in the following containerd versions: * 2.2.0 * 2.1.5 * 2.0.7 * 1.7.29 Users should update to these versions to resolve the issue. ### Workarounds Set up an admission controller to control accesses to `pods/attach` resources. e.g., [Validating Admission Policy](https://kubernetes.io/docs/reference/access-authn-authz/validating-admission-policy/). ### Credits The containerd project would like to thank @​Wheat2018 for responsibly disclosing this issue in accordance with the [containerd security policy](https://redirect.github.com/containerd/project/blob/main/SECURITY.md). ### References https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-64329 ### For more information If you have any questions or comments about this advisory: * Open an issue in [containerd](https://redirect.github.com/containerd/containerd/issues/new/choose) * Email us at [security@containerd.io](mailto:security@containerd.io) To report a security issue in containerd: * [Report a new vulnerability](https://redirect.github.com/containerd/containerd/security/advisories/new) --- ### containerd has an integer overflow in User ID handling [CVE-2024-40635](https://nvd.nist.gov/vuln/detail/CVE-2024-40635) / [GHSA-265r-hfxg-fhmg](https://redirect.github.com/advisories/GHSA-265r-hfxg-fhmg) / [GO-2025-3528](https://pkg.go.dev/vuln/GO-2025-3528) <details> <summary>More information</summary> #### Details ##### Impact A bug was found in containerd where containers launched with a User set as a `UID:GID` larger than the maximum 32-bit signed integer can cause an overflow condition where the container ultimately runs as root (UID 0). This could cause unexpected behavior for environments that require containers to run as a non-root user. ##### Patches This bug has been fixed in the following containerd versions: * 2.0.4 (Fixed in https://github.com/containerd/containerd/commit/1a43cb6a1035441f9aca8f5666a9b3ef9e70ab20) * 1.7.27 (Fixed in https://github.com/containerd/containerd/commit/05044ec0a9a75232cad458027ca83437aae3f4da) * 1.6.38 (Fixed in https://github.com/containerd/containerd/commit/cf158e884cfe4812a6c371b59e4ea9bc4c46e51a) Users should update to these versions to resolve the issue. ##### Workarounds Ensure that only trusted images are used and that only trusted users have permissions to import images. ##### Credits The containerd project would like to thank [Benjamin Koltermann](https://redirect.github.com/p4ck3t0) and [emxll](https://redirect.github.com/emxll) for responsibly disclosing this issue in accordance with the [containerd security policy](https://redirect.github.com/containerd/project/blob/main/SECURITY.md). ##### References * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-40635 ##### For more information If you have any questions or comments about this advisory: * Open an issue in [containerd](https://redirect.github.com/containerd/containerd/issues/new/choose) * Email us at [security@containerd.io](mailto:security@containerd.io) To report a security issue in containerd: * [Report a new vulnerability](https://redirect.github.com/containerd/containerd/security/advisories/new) * Email us at [security@containerd.io](mailto:security@containerd.io) #### Severity - CVSS Score: Unknown - Vector String: `CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N` #### References - [https://github.com/containerd/containerd/security/advisories/GHSA-265r-hfxg-fhmg](https://redirect.github.com/containerd/containerd/security/advisories/GHSA-265r-hfxg-fhmg) - [https://nvd.nist.gov/vuln/detail/CVE-2024-40635](https://nvd.nist.gov/vuln/detail/CVE-2024-40635) - [https://github.com/containerd/containerd/commit/05044ec0a9a75232cad458027ca83437aae3f4da](https://redirect.github.com/containerd/containerd/commit/05044ec0a9a75232cad458027ca83437aae3f4da) - [https://github.com/containerd/containerd/commit/1a43cb6a1035441f9aca8f5666a9b3ef9e70ab20](https://redirect.github.com/containerd/containerd/commit/1a43cb6a1035441f9aca8f5666a9b3ef9e70ab20) - [https://github.com/containerd/containerd/commit/cf158e884cfe4812a6c371b59e4ea9bc4c46e51a](https://redirect.github.com/containerd/containerd/commit/cf158e884cfe4812a6c371b59e4ea9bc4c46e51a) - [https://github.com/containerd/containerd](https://redirect.github.com/containerd/containerd) - [https://lists.debian.org/debian-lts-announce/2025/05/msg00005.html](https://lists.debian.org/debian-lts-announce/2025/05/msg00005.html) This data is provided by [OSV](https://osv.dev/vulnerability/GHSA-265r-hfxg-fhmg) and the [GitHub Advisory Database](https://redirect.github.com/github/advisory-database) ([CC-BY 4.0](https://redirect.github.com/github/advisory-database/blob/main/LICENSE.md)). </details> --- ### containerd has an integer overflow in User ID handling in github.com/containerd/containerd [CVE-2024-40635](https://nvd.nist.gov/vuln/detail/CVE-2024-40635) / [GHSA-265r-hfxg-fhmg](https://redirect.github.com/advisories/GHSA-265r-hfxg-fhmg) / [GO-2025-3528](https://pkg.go.dev/vuln/GO-2025-3528) <details> <summary>More information</summary> #### Details containerd has an integer overflow in User ID handling in github.com/containerd/containerd #### Severity Unknown #### References - [https://github.com/containerd/containerd/security/advisories/GHSA-265r-hfxg-fhmg](https://redirect.github.com/containerd/containerd/security/advisories/GHSA-265r-hfxg-fhmg) - [https://github.com/containerd/containerd/commit/05044ec0a9a75232cad458027ca83437aae3f4da](https://redirect.github.com/containerd/containerd/commit/05044ec0a9a75232cad458027ca83437aae3f4da) - [https://github.com/containerd/containerd/commit/1a43cb6a1035441f9aca8f5666a9b3ef9e70ab20](https://redirect.github.com/containerd/containerd/commit/1a43cb6a1035441f9aca8f5666a9b3ef9e70ab20) - [https://github.com/containerd/containerd/commit/cf158e884cfe4812a6c371b59e4ea9bc4c46e51a](https://redirect.github.com/containerd/containerd/commit/cf158e884cfe4812a6c371b59e4ea9bc4c46e51a) This data is provided by [OSV](https://osv.dev/vulnerability/GO-2025-3528) and the [Go Vulnerability Database](https://redirect.github.com/golang/vulndb) ([CC-BY 4.0](https://redirect.github.com/golang/vulndb#license)). </details> --- ### containerd affected by a local privilege escalation via wide permissions on CRI directory [CVE-2024-25621](https://nvd.nist.gov/vuln/detail/CVE-2024-25621) / [GHSA-pwhc-rpq9-4c8w](https://redirect.github.com/advisories/GHSA-pwhc-rpq9-4c8w) / [GO-2025-4100](https://pkg.go.dev/vuln/GO-2025-4100) <details> <summary>More information</summary> #### Details ##### Impact An overly broad default permission vulnerability was found in containerd. - `/var/lib/containerd` was created with the permission bits 0o711, while it should be created with 0o700 - Allowed local users on the host to potentially access the metadata store and the content store - `/run/containerd/io.containerd.grpc.v1.cri` was created with 0o755, while it should be created with 0o700 - Allowed local users on the host to potentially access the contents of Kubernetes local volumes. The contents of volumes might include setuid binaries, which could allow a local user on the host to elevate privileges on the host. - `/run/containerd/io.containerd.sandbox.controller.v1.shim` was created with 0o711, while it should be created with 0o700 The directory paths may differ depending on the daemon configuration. When the `temp` directory path is specified in the daemon configuration, that directory was also created with 0o711, while it should be created with 0o700. ##### Patches This bug has been fixed in the following containerd versions: * 2.2.0 * 2.1.5 * 2.0.7 * 1.7.29 Users should update to these versions to resolve the issue. These updates automatically change the permissions of the existing directories. > [!NOTE] > > `/run/containerd` and `/run/containerd/io.containerd.runtime.v2.task` are still created with 0o711. > This is an expected behavior for supporting userns-remapped containers. ##### Workarounds The system administrator on the host can manually chmod the directories to not have group or world accessible permisisons: ``` chmod 700 /var/lib/containerd chmod 700 /run/containerd/io.containerd.grpc.v1.cri chmod 700 /run/containerd/io.containerd.sandbox.controller.v1.shim ``` An alternative mitigation would be to run containerd in [rootless mode](https://redirect.github.com/containerd/containerd/blob/main/docs/rootless.md). ##### Credits The containerd project would like to thank David Leadbeater for responsibly disclosing this issue in accordance with the [containerd security policy](https://redirect.github.com/containerd/project/blob/main/SECURITY.md). ##### For more information If you have any questions or comments about this advisory: * Open an issue in [containerd](https://redirect.github.com/containerd/containerd/issues/new/choose) * Email us at [security@containerd.io](mailto:security@containerd.io) To report a security issue in containerd: * [Report a new vulnerability](https://redirect.github.com/containerd/containerd/security/advisories/new) #### Severity - CVSS Score: Unknown - Vector String: `CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H` #### References - [https://github.com/containerd/containerd/security/advisories/GHSA-pwhc-rpq9-4c8w](https://redirect.github.com/containerd/containerd/security/advisories/GHSA-pwhc-rpq9-4c8w) - [https://nvd.nist.gov/vuln/detail/CVE-2024-25621](https://nvd.nist.gov/vuln/detail/CVE-2024-25621) - [https://github.com/containerd/containerd/commit/7c59e8e9e970d38061a77b586b23655c352bfec5](https://redirect.github.com/containerd/containerd/commit/7c59e8e9e970d38061a77b586b23655c352bfec5) - [https://github.com/containerd/containerd](https://redirect.github.com/containerd/containerd) - [https://github.com/containerd/containerd/blob/main/docs/rootless.md](https://redirect.github.com/containerd/containerd/blob/main/docs/rootless.md) This data is provided by [OSV](https://osv.dev/vulnerability/GHSA-pwhc-rpq9-4c8w) and the [GitHub Advisory Database](https://redirect.github.com/github/advisory-database) ([CC-BY 4.0](https://redirect.github.com/github/advisory-database/blob/main/LICENSE.md)). </details> --- ### containerd CRI server: Host memory exhaustion through Attach goroutine leak in github.com/containerd/containerd [CVE-2025-64329](https://nvd.nist.gov/vuln/detail/CVE-2025-64329) / [GHSA-m6hq-p25p-ffr2](https://redirect.github.com/advisories/GHSA-m6hq-p25p-ffr2) / [GO-2025-4108](https://pkg.go.dev/vuln/GO-2025-4108) <details> <summary>More information</summary> #### Details containerd CRI server: Host memory exhaustion through Attach goroutine leak in github.com/containerd/containerd #### Severity Unknown #### References - [https://github.com/containerd/containerd/security/advisories/GHSA-m6hq-p25p-ffr2](https://redirect.github.com/containerd/containerd/security/advisories/GHSA-m6hq-p25p-ffr2) - [https://nvd.nist.gov/vuln/detail/CVE-2025-64329](https://nvd.nist.gov/vuln/detail/CVE-2025-64329) - [https://github.com/containerd/containerd/commit/083b53cd6f19b5de7717b0ce92c11bdf95e612df](https://redirect.github.com/containerd/containerd/commit/083b53cd6f19b5de7717b0ce92c11bdf95e612df) This data is provided by [OSV](https://osv.dev/vulnerability/GO-2025-4108) and the [Go Vulnerability Database](https://redirect.github.com/golang/vulndb) ([CC-BY 4.0](https://redirect.github.com/golang/vulndb#license)). </details> --- ### containerd affected by a local privilege escalation via wide permissions on CRI directory in github.com/containerd/containerd [CVE-2024-25621](https://nvd.nist.gov/vuln/detail/CVE-2024-25621) / [GHSA-pwhc-rpq9-4c8w](https://redirect.github.com/advisories/GHSA-pwhc-rpq9-4c8w) / [GO-2025-4100](https://pkg.go.dev/vuln/GO-2025-4100) <details> <summary>More information</summary> #### Details containerd affected by a local privilege escalation via wide permissions on CRI directory in github.com/containerd/containerd #### Severity Unknown #### References - [https://github.com/containerd/containerd/security/advisories/GHSA-pwhc-rpq9-4c8w](https://redirect.github.com/containerd/containerd/security/advisories/GHSA-pwhc-rpq9-4c8w) - [https://nvd.nist.gov/vuln/detail/CVE-2024-25621](https://nvd.nist.gov/vuln/detail/CVE-2024-25621) - [https://github.com/containerd/containerd/commit/7c59e8e9e970d38061a77b586b23655c352bfec5](https://redirect.github.com/containerd/containerd/commit/7c59e8e9e970d38061a77b586b23655c352bfec5) - [https://github.com/containerd/containerd/blob/main/docs/rootless.md](https://redirect.github.com/containerd/containerd/blob/main/docs/rootless.md) This data is provided by [OSV](https://osv.dev/vulnerability/GO-2025-4100) and the [Go Vulnerability Database](https://redirect.github.com/golang/vulndb) ([CC-BY 4.0](https://redirect.github.com/golang/vulndb#license)). </details> --- ### containerd CRI server: Host memory exhaustion through Attach goroutine leak [CVE-2025-64329](https://nvd.nist.gov/vuln/detail/CVE-2025-64329) / [GHSA-m6hq-p25p-ffr2](https://redirect.github.com/advisories/GHSA-m6hq-p25p-ffr2) / [GO-2025-4108](https://pkg.go.dev/vuln/GO-2025-4108) <details> <summary>More information</summary> #### Details ##### Impact A bug was found in containerd's CRI Attach implementation where a user can exhaust memory on the host due to goroutine leaks. Repetitive calls of CRI Attach (e.g., [`kubectl attach`](https://kubernetes.io/docs/reference/kubectl/generated/kubectl_attach/)) could increase the memory usage of containerd. ##### Patches This bug has been fixed in the following containerd versions: * 2.2.0 * 2.1.5 * 2.0.7 * 1.7.29 Users should update to these versions to resolve the issue. ##### Workarounds Set up an admission controller to control accesses to `pods/attach` resources. e.g., [Validating Admission Policy](https://kubernetes.io/docs/reference/access-authn-authz/validating-admission-policy/). ##### Credits The containerd project would like to thank @​Wheat2018 for responsibly disclosing this issue in accordance with the [containerd security policy](https://redirect.github.com/containerd/project/blob/main/SECURITY.md). ##### References https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-64329 ##### For more information If you have any questions or comments about this advisory: * Open an issue in [containerd](https://redirect.github.com/containerd/containerd/issues/new/choose) * Email us at [security@containerd.io](mailto:security@containerd.io) To report a security issue in containerd: * [Report a new vulnerability](https://redirect.github.com/containerd/containerd/security/advisories/new) #### Severity - CVSS Score: Unknown - Vector String: `CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N` #### References - [https://github.com/containerd/containerd/security/advisories/GHSA-m6hq-p25p-ffr2](https://redirect.github.com/containerd/containerd/security/advisories/GHSA-m6hq-p25p-ffr2) - [https://nvd.nist.gov/vuln/detail/CVE-2025-64329](https://nvd.nist.gov/vuln/detail/CVE-2025-64329) - [https://github.com/containerd/containerd/commit/083b53cd6f19b5de7717b0ce92c11bdf95e612df](https://redirect.github.com/containerd/containerd/commit/083b53cd6f19b5de7717b0ce92c11bdf95e612df) - [https://github.com/containerd/containerd](https://redirect.github.com/containerd/containerd) This data is provided by [OSV](https://osv.dev/vulnerability/GHSA-m6hq-p25p-ffr2) and the [GitHub Advisory Database](https://redirect.github.com/github/advisory-database) ([CC-BY 4.0](https://redirect.github.com/github/advisory-database/blob/main/LICENSE.md)). </details> --- ### Release Notes <details> <summary>containerd/containerd (github.com/containerd/containerd)</summary> ### [`v1.7.29`](https://redirect.github.com/containerd/containerd/releases/tag/v1.7.29): containerd 1.7.29 [Compare Source](https://redirect.github.com/containerd/containerd/compare/v1.7.28...v1.7.29) Welcome to the v1.7.29 release of containerd! The twenty-ninth patch release for containerd 1.7 contains various fixes and updates including security patches. ##### Security Updates - **containerd** - [**GHSA-pwhc-rpq9-4c8w**](https://redirect.github.com/containerd/containerd/security/advisories/GHSA-pwhc-rpq9-4c8w) - [**GHSA-m6hq-p25p-ffr2**](https://redirect.github.com/containerd/containerd/security/advisories/GHSA-m6hq-p25p-ffr2) - **runc** - [**GHSA-qw9x-cqr3-wc7r**](https://redirect.github.com/opencontainers/runc/security/advisories/GHSA-qw9x-cqr3-wc7r) - [**GHSA-cgrx-mc8f-2prm**](https://redirect.github.com/opencontainers/runc/security/advisories/GHSA-cgrx-mc8f-2prm) - [**GHSA-9493-h29p-rfm2**](https://redirect.github.com/opencontainers/runc/security/advisories/GHSA-9493-h29p-rfm2) ##### Highlights ##### Image Distribution - **Update differ to handle zstd media types** ([#​12018](https://redirect.github.com/containerd/containerd/pull/12018)) ##### Runtime - **Update runc binary to v1.3.3** ([#​12480](https://redirect.github.com/containerd/containerd/pull/12480)) - **Fix lost container logs from quickly closing io** ([#​12375](https://redirect.github.com/containerd/containerd/pull/12375)) Please try out the release binaries and report any issues at <https://github.com/containerd/containerd/issues>. ##### Contributors - Derek McGowan - Akihiro Suda - Phil Estes - Austin Vazquez - Sebastiaan van Stijn - ningmingxiao - Maksym Pavlenko - StepSecurity Bot - wheat2018 ##### Changes <details><summary>38 commits</summary> <p> - [`442cb34bd`](https://redirect.github.com/containerd/containerd/commit/442cb34bda9a6a0fed82a2ca7cade05c5c749582) Merge commit from fork - [`0450f046e`](https://redirect.github.com/containerd/containerd/commit/0450f046e6942e513d0ebf1ef5c2aff13daa187f) Fix directory permissions - [`e5cb6ddb7`](https://redirect.github.com/containerd/containerd/commit/e5cb6ddb7a7730c24253a94d7fdb6bbe13dba6f7) Merge commit from fork - [`c575d1b5f`](https://redirect.github.com/containerd/containerd/commit/c575d1b5f4011f33b32f71ace75367a92b08c750) fix goroutine leak of container Attach - Prepare release notes for v1.7.29 ([#​12486](https://redirect.github.com/containerd/containerd/pull/12486)) - [`1fc2daaf3`](https://redirect.github.com/containerd/containerd/commit/1fc2daaf3ed53f4c9e76fbc5786a6f1ae3bb885f) Prepare release notes for v1.7.29 - Update runc binary to v1.3.3 ([#​12480](https://redirect.github.com/containerd/containerd/pull/12480)) - [`3f5f9f872`](https://redirect.github.com/containerd/containerd/commit/3f5f9f872707a743563d316e85e530193a2e30ac) runc: Update runc binary to v1.3.3 - Update GHA images and bump Go 1.24.9; 1.25.3 ([#​12471](https://redirect.github.com/containerd/containerd/pull/12471)) - [`667409fb6`](https://redirect.github.com/containerd/containerd/commit/667409fb63098cb80280940ab06038114e7712da) ci: bump Go 1.24.9, 1.25.3 - [`294f8c027`](https://redirect.github.com/containerd/containerd/commit/294f8c027b607c4450b3e52f44280581a737a73f) Update GHA runners to use latest images for basic binaries build - [`cf66b4141`](https://redirect.github.com/containerd/containerd/commit/cf66b4141defb757dee0fc5653bfd0a7ba1e8fed) Update GHA runners to use latest image for most jobs - [`fa3e6fa18`](https://redirect.github.com/containerd/containerd/commit/fa3e6fa18aa8dc7e699428958e1fb1d38e832e15) pkg/epoch: extract parsing SOURCE\_DATE\_EPOCH to a function - [`ac334bffc`](https://redirect.github.com/containerd/containerd/commit/ac334bffc4e759f188afb58efd74a603ade0855a) pkg/epoch: fix tests on macOS - [`d04b8721f`](https://redirect.github.com/containerd/containerd/commit/d04b8721fc5bff2677beadb4f3d15d7c0ec989ca) pkg/epoch: replace some fmt.Sprintfs with strconv - CI: update Fedora to 43 ([#​12450](https://redirect.github.com/containerd/containerd/pull/12450)) - [`5cfedbf52`](https://redirect.github.com/containerd/containerd/commit/5cfedbf52300d09f77a51f02a0c784c37284302c) CI: update Fedora to 43 - CI: skip ubuntu-24.04-arm on private repos ([#​12429](https://redirect.github.com/containerd/containerd/pull/12429)) - [`cf99a012d`](https://redirect.github.com/containerd/containerd/commit/cf99a012d6f7fcb51afdea641d87474dae95f50d) CI: skip ubuntu-24.04-arm on private repos - runc:Update runc binary to v1.3.1 ([#​12276](https://redirect.github.com/containerd/containerd/pull/12276)) - [`4c77b8d07`](https://redirect.github.com/containerd/containerd/commit/4c77b8d078a65a5e99e40847a9eaa18a944ff68e) runc:Update runc binary to v1.3.1 - Fix lost container logs from quickly closing io ([#​12375](https://redirect.github.com/containerd/containerd/pull/12375)) - [`d30024db2`](https://redirect.github.com/containerd/containerd/commit/d30024db25590e6ec74b639746a5dc792f5c1403) bugfix:fix container logs lost because io close too quickly - ci: bump Go 1.24.8 ([#​12362](https://redirect.github.com/containerd/containerd/pull/12362)) - [`f4b3d96f3`](https://redirect.github.com/containerd/containerd/commit/f4b3d96f3d83a0ac7bde03ae9eec749aa1936a59) ci: bump Go 1.24.8 - [`334fd8e4b`](https://redirect.github.com/containerd/containerd/commit/334fd8e4b974d88ebea43a998d76760aad49773a) update golangci-lint to v1.64.2 - [`8a67abc4c`](https://redirect.github.com/containerd/containerd/commit/8a67abc4cac67bf806da0b2b55ac7159e91f6996) Drop inactivated linter exportloopref - [`e4dbf08f0`](https://redirect.github.com/containerd/containerd/commit/e4dbf08f0ff3dc9f6b2a9a36eab71d73ac707956) build(deps): bump golangci/golangci-lint-action from 6.3.2 to 6.5.0 - [`d7db2ba06`](https://redirect.github.com/containerd/containerd/commit/d7db2ba063385d06132ec80890eb6c1fe4126692) build(deps): bump golangci/golangci-lint-action from 6.2.0 to 6.3.2 - [`d7182888f`](https://redirect.github.com/containerd/containerd/commit/d7182888f0071cce86d40fcf09cd9a247ac15c41) build(deps): bump golangci/golangci-lint-action from 6.1.1 to 6.2.0 - [`4be6c7e3b`](https://redirect.github.com/containerd/containerd/commit/4be6c7e3b5d5da7be8c1c87e1c16450b7ea8dadb) build(deps): bump actions/cache from 4.1.2 to 4.2.0 - [`a2e097e86`](https://redirect.github.com/containerd/containerd/commit/a2e097e865887382c2fc29ee0cea0053e6152a12) build(deps): bump actions/checkout from 4.2.1 to 4.2.2 - [`6de404d11`](https://redirect.github.com/containerd/containerd/commit/6de404d11b8e237a7867c7fbe535579c5736bfde) build(deps): bump actions/cache from 4.1.1 to 4.1.2 - [`038a25584`](https://redirect.github.com/containerd/containerd/commit/038a25584e7f66272114ec0801b071e6149ef841) \[StepSecurity] ci: Harden GitHub Actions - Update differ to handle zstd media types ([#​12018](https://redirect.github.com/containerd/containerd/pull/12018)) - [`eaeb4b6ac`](https://redirect.github.com/containerd/containerd/commit/eaeb4b6ac581c0704bed0ff96ee7e53170345e84) Update differ to handle zstd media types - ci: bump Go 1.23.12, 1.24.6 ([#​12188](https://redirect.github.com/containerd/containerd/pull/12188)) - [`83c535339`](https://redirect.github.com/containerd/containerd/commit/83c535339bbe253ce9e7a616a90f770994b754e5) ci: bump Go 1.23.12, 1.24.6 </p> </details> ##### Dependency Changes This release has no dependency changes Previous release can be found at [v1.7.28](https://redirect.github.com/containerd/containerd/releases/tag/v1.7.28) ### [`v1.7.28`](https://redirect.github.com/containerd/containerd/releases/tag/v1.7.28): containerd 1.7.28 [Compare Source](https://redirect.github.com/containerd/containerd/compare/v1.7.27...v1.7.28) Welcome to the v1.7.28 release of containerd! The twenty-eighth patch release for containerd 1.7 contains various fixes and updates. ##### Highlights ##### Image Distribution - Refresh OAuth tokens when they expire during registry operations ([#​11721](https://redirect.github.com/containerd/containerd/pull/11721)) - Set default differ for the default unpack config of transfer service ([#​11689](https://redirect.github.com/containerd/containerd/pull/11689)) ##### Runtime - Update runc binary to v1.3.0 ([#​11800](https://redirect.github.com/containerd/containerd/pull/11800)) - Remove invalid error log when stopping container after containerd restart ([#​11620](https://redirect.github.com/containerd/containerd/pull/11620)) Please try out the release binaries and report any issues at <https://github.com/containerd/containerd/issues>. ##### Contributors - Akhil Mohan - Akihiro Suda - Austin Vazquez - Maksym Pavlenko - Phil Estes - Derek McGowan - Kirtana Ashok - Henry Wang - Iain Macdonald - Jin Dong - Swagat Bora - Wei Fu - Yang Yang - madraceee ##### Changes <details><summary>57 commits</summary> <p> - Prepare release notes for v1.7.28 ([#​12134](https://redirect.github.com/containerd/containerd/pull/12134)) - [`b01b809f8`](https://redirect.github.com/containerd/containerd/commit/b01b809f89a27e19ff7531e1b88df07d2f40de97) Prepare release notes for v1.7.28 - ci: bump Go 1.23.11, 1.24.5 ([#​12117](https://redirect.github.com/containerd/containerd/pull/12117)) - [`ce2373176`](https://redirect.github.com/containerd/containerd/commit/ce2373176b0db7cdcc3e289f57aeb59927ad0efb) ci: bump Go 1.23.11, 1.24.5 - Backport windows test fixes ([#​12121](https://redirect.github.com/containerd/containerd/pull/12121)) - [`3c06bcc4d`](https://redirect.github.com/containerd/containerd/commit/3c06bcc4d2f5b55c501f9c5333596c5a6d0a980a) Fix intermittent test failures on Windows CIs - [`c6c0c6854`](https://redirect.github.com/containerd/containerd/commit/c6c0c6854ff663deb46363a8884a9015598c9f9b) Remove WS2025 from CIs due to regression - ci: use fedora 39 archive ([#​12123](https://redirect.github.com/containerd/containerd/pull/12123)) - [`6d7e021cf`](https://redirect.github.com/containerd/containerd/commit/6d7e021cf0f0f6ba1d14f0b4f76ecdf7a005feaa) ci: use fedora/39-cloud-base image from archive - update runners to ubuntu 24.04 ([#​11802](https://redirect.github.com/containerd/containerd/pull/11802)) - [`c362e18cc`](https://redirect.github.com/containerd/containerd/commit/c362e18ccd613b5baf04fff87832b871edfdecd5) CI: install OVMF for Vagrant - [`1d99bec21`](https://redirect.github.com/containerd/containerd/commit/1d99bec213063acdad8d7ad96ea4cbb78ab6b560) CI: fix "Unable to find a source package for vagrant" error - [`dafa3c48d`](https://redirect.github.com/containerd/containerd/commit/dafa3c48dffaff915bea2293eecd949fbdd94228) add debian sources for ubuntu-24 - [`b03301d85`](https://redirect.github.com/containerd/containerd/commit/b03301d851a5492808f36e5233a808a39575a1a0) partial: enable ubuntu 24 runners - [`13fbc5f97`](https://redirect.github.com/containerd/containerd/commit/13fbc5f970d1dee5425443a9b346d56ccc98db45) update release runners to ubuntu 24.04 - go.mod: golang.org/x/\* latest ([#​12096](https://redirect.github.com/containerd/containerd/pull/12096)) - [`da5d1a371`](https://redirect.github.com/containerd/containerd/commit/da5d1a3714ac06f6280740f668ebe95c62863c01) go.mod: golang.org/x/\* latest - Remove additional fuzzers from instrumentation repo ([#​12099](https://redirect.github.com/containerd/containerd/pull/12099)) - [`5fef123ba`](https://redirect.github.com/containerd/containerd/commit/5fef123ba77e3d9fd83f78fd34bdb80549034756) Remove additional fuzzers from CI - backport windows runner and golang toolchain updates ([#​11972](https://redirect.github.com/containerd/containerd/pull/11972)) - [`a35978f5a`](https://redirect.github.com/containerd/containerd/commit/a35978f5af147f279280b34082c3781904bfd4cd) ci: bump golang \[1.23.10, 1.24.4] in build and release - [`df035aa3e`](https://redirect.github.com/containerd/containerd/commit/df035aa3ef3d98eb48310d548439eb59c8b6d887) ci: bump golang \[1.23.9, 1.24.3] in build and release - [`2a6d9fc71`](https://redirect.github.com/containerd/containerd/commit/2a6d9fc71e97ff0d742b21d0f62a05a70126aa21) use go1.23.8 as the default go version - [`15d4d6eba`](https://redirect.github.com/containerd/containerd/commit/15d4d6eba30565274e1ade4d545abab2dbbcf1f9) update to go 1.24.2, 1.23.8 - [`1613a3b1a`](https://redirect.github.com/containerd/containerd/commit/1613a3b1addf8fb8a50cef46860a1b7642d81589) Enable CIs to run on WS2022 and WS2025 - test: added runc v1 tests using vagrant ([#​11896](https://redirect.github.com/containerd/containerd/pull/11896)) - [`60e73122c`](https://redirect.github.com/containerd/containerd/commit/60e73122c1f74524178ff1ea819a893d7cdb4372) test: added runc v1 tests using vagrant - Revert "disable portmap test in ubuntu-22 to make CI happy" ([#​11803](https://redirect.github.com/containerd/containerd/pull/11803)) - [`10e1b515e`](https://redirect.github.com/containerd/containerd/commit/10e1b515ec9c497bcfd7b0758bff3f6c840b303a) Revert "Disable port mapping tests in CRI-in-UserNS" - [`7a680e884`](https://redirect.github.com/containerd/containerd/commit/7a680e88494d90896322e09d4070ed86d221e25b) fix unbound SKIP\_TEST variable error - [`e5f8cc995`](https://redirect.github.com/containerd/containerd/commit/e5f8cc9953f28f1abdc2f7975a9f5833cc83ee9c) Revert "disable portmap test in ubuntu-22 to make CI happy" - Update runc binary to v1.3.0 ([#​11800](https://redirect.github.com/containerd/containerd/pull/11800)) - [`b001469c7`](https://redirect.github.com/containerd/containerd/commit/b001469c70a4489c1453cfe856055b15c536645f) Update runc binary to v1.3.0 - Refresh OAuth tokens when they expire during registry operations ([#​11721](https://redirect.github.com/containerd/containerd/pull/11721)) - [`a6421da84`](https://redirect.github.com/containerd/containerd/commit/a6421da84bb59dcf3680eb472b78f2eae8086f9b) remotes/docker/authorizer.go: invalidate auth tokens when they expire. - \[CI] Fix vagrant ([#​11739](https://redirect.github.com/containerd/containerd/pull/11739)) - [`effc49e8b`](https://redirect.github.com/containerd/containerd/commit/effc49e8b096bebfd73effb9257ad4fd80aa4e84) Fix vagrant setup - Fix CI ([#​11722](https://redirect.github.com/containerd/containerd/pull/11722)) - [`d3e7dd716`](https://redirect.github.com/containerd/containerd/commit/d3e7dd716a7988bf49f92972998a5260fd538505) Skip criu on Arms - [`7cf9ebe94`](https://redirect.github.com/containerd/containerd/commit/7cf9ebe94676a443f5df2802f2c784a93dba6b9a) Disable port mapping tests in CRI-in-UserNS - [`42657a4ed`](https://redirect.github.com/containerd/containerd/commit/42657a4ed1bcc2a5162264cb820d97bdd0a56a6b) disable portmap test in ubuntu-22 to make CI happy - [`b300fd37b`](https://redirect.github.com/containerd/containerd/commit/b300fd37b840dcad8c0635e1f8ce848413441445) add option to skip tests in critest - [`6f4ffad27`](https://redirect.github.com/containerd/containerd/commit/6f4ffad27695c7e297c0052091b0d5e7fad7e48a) Address cgroup mountpoint does not exist - [`cef298331`](https://redirect.github.com/containerd/containerd/commit/cef2983317494d0a7b67e89ef81e083f75102066) Update Ubuntu to 24 - [`2dd9be16e`](https://redirect.github.com/containerd/containerd/commit/2dd9be16e71e97b922ae42b05a7ae837c28563ca) ci: update GitHub Actions release runner to ubuntu-24.04 - Set default differ for the default unpack config of transfer service ([#​11689](https://redirect.github.com/containerd/containerd/pull/11689)) - [`e40e59e4e`](https://redirect.github.com/containerd/containerd/commit/e40e59e4ee8e7fb00213065c6fabbec8d4e7fc7f) Set default differ for the default unpack config of transfer service - silence govulncheck false positives ([#​11679](https://redirect.github.com/containerd/containerd/pull/11679)) - [`ff097d5a4`](https://redirect.github.com/containerd/containerd/commit/ff097d5a4c1a427d10fa989895d05f78c0b52893) silence govulncheck false positives - vendor: github.com/go-jose/go-jose/v3 v3.0.4 ([#​11619](https://redirect.github.com/containerd/containerd/pull/11619)) - [`52dd4dc51`](https://redirect.github.com/containerd/containerd/commit/52dd4dc51070fc93f13f048d3a919ccbf2b042aa) vendor: github.com/go-jose/go-jose/v3 v3.0.4 - Remove invalid error log when stopping container after containerd restart ([#​11620](https://redirect.github.com/containerd/containerd/pull/11620)) - [`24f41d2d5`](https://redirect.github.com/containerd/containerd/commit/24f41d2d5c6514e2f0a6f553f80183ff274ec230) use shimCtx for fifo copy - Update runc binary to v1.2.6 ([#​11584](https://redirect.github.com/containerd/containerd/pull/11584)) - [`1e1e78ad7`](https://redirect.github.com/containerd/containerd/commit/1e1e78ad7cab8d6f50be6bcf0ef7178a2ba3e207) Update runc binary to v1.2.6 - Use RWMutex in NSMap and reduce lock area ([#​11556](https://redirect.github.com/containerd/containerd/pull/11556)) - [`9a8d1d44a`](https://redirect.github.com/containerd/containerd/commit/9a8d1d44a1dee8f805ad0b071b686887222a1fe7) Use RWMutex in NSMap and reduce lock area </p> </details> ##### Dependency Changes - **github.com/go-jose/go-jose/v3** v3.0.3 -> v3.0.4 - **golang.org/x/crypto** v0.31.0 -> v0.40.0 - **golang.org/x/mod** v0.17.0 -> v0.26.0 - **golang.org/x/net** v0.33.0 -> v0.42.0 - **golang.org/x/oauth2** v0.11.0 -> v0.30.0 - **golang.org/x/sync** v0.10.0 -> v0.16.0 - **golang.org/x/sys** v0.28.0 -> v0.34.0 - **golang.org/x/term** v0.27.0 -> v0.33.0 - **golang.org/x/text** v0.21.0 -> v0.27.0 - **golang.org/x/time** [`90d013b`](https://redirect.github.com/containerd/containerd/commit/90d013bbcef8) -> v0.12.0 Previous release can be found at [v1.7.27](https://redirect.github.com/containerd/containerd/releases/tag/v1.7.27) ### [`v1.7.27`](https://redirect.github.com/containerd/containerd/releases/tag/v1.7.27): containerd 1.7.27 [Compare Source](https://redirect.github.com/containerd/containerd/compare/v1.7.26...v1.7.27) Welcome to the v1.7.27 release of containerd! The twenty-seventh patch release for containerd 1.7 contains various fixes and updates. ##### Highlights - Fix integer overflow in User ID handling ([GHSA-265r-hfxg-fhmg](https://redirect.github.com/containerd/containerd/security/advisories/GHSA-265r-hfxg-fhmg)) - Update image type checks to avoid unnecessary logs for attestations ([#​11538](https://redirect.github.com/containerd/containerd/pull/11538)) Please try out the release binaries and report any issues at <https://github.com/containerd/containerd/issues>. ##### Contributors - Jin Dong - Akhil Mohan - Derek McGowan - Maksym Pavlenko - Paweł Gronowski - Phil Estes - Akihiro Suda - Craig Ingram - Krisztian Litkey - Samuel Karp ##### Changes <details><summary>20 commits</summary> <p> - [`05044ec0a`](https://redirect.github.com/containerd/containerd/commit/05044ec0a9a75232cad458027ca83437aae3f4da) Merge commit from fork - [`11504c3fc`](https://redirect.github.com/containerd/containerd/commit/11504c3fc5f45634f2d93d57743a998194430b82) validate uid/gid - Prepare release notes for v1.7.27 ([#​11540](https://redirect.github.com/containerd/containerd/pull/11540)) - [`1be04be6c`](https://redirect.github.com/containerd/containerd/commit/1be04be6c307a7f67423574ca1b9744e57377753) Prepare release notes for v1.7.27 - Update image type checks to avoid unnecessary logs for attestations ([#​11538](https://redirect.github.com/containerd/containerd/pull/11538)) - [`82b5c43fe`](https://redirect.github.com/containerd/containerd/commit/82b5c43fed40d1f32e88215a3f0acbaf8cd9af10) core/remotes: Handle attestations in MakeRefKey - [`2c670e79b`](https://redirect.github.com/containerd/containerd/commit/2c670e79bf19bc7716c8b9f1f82c700ad8233af3) core/images: Ignore attestations when traversing children - update build to go1.23.7, test go1.24.1 ([#​11515](https://redirect.github.com/containerd/containerd/pull/11515)) - [`a39863c9f`](https://redirect.github.com/containerd/containerd/commit/a39863c9fd52abb50895a4b6f653cf501a2e3388) update build to go1.23.7, test go1.24.1 - Remove hashicorp/go-multierror dependency and fix CI ([#​11499](https://redirect.github.com/containerd/containerd/pull/11499)) - [`49537b3a7`](https://redirect.github.com/containerd/containerd/commit/49537b3a75bdcd982e7e26855779b346bb363a54) e2e: use the shim bundled with containerd artifact - [`fe490b76f`](https://redirect.github.com/containerd/containerd/commit/fe490b76fd78cc1461f20aab89951be5f88fc454) Bump up github.com/intel/goresctrl to 0.5.0 - [`13fc9d313`](https://redirect.github.com/containerd/containerd/commit/13fc9d3132fc4c77f6533551049d2d865d4e4b45) update containerd/project-checks to 1.2.1 - [`585699c94`](https://redirect.github.com/containerd/containerd/commit/585699c94f68649a89b0af46d675d6e998d67ccd) Remove unnecessary joinError unwrap - [`4b9df59be`](https://redirect.github.com/containerd/containerd/commit/4b9df59be202a011c4f65604bbeab75eeb85ab46) Remove hashicorp/go-multierror - go.{mod,sum}: bump CDI deps to v0.8.1. ([#​11422](https://redirect.github.com/containerd/containerd/pull/11422)) - [`5ba28f8dc`](https://redirect.github.com/containerd/containerd/commit/5ba28f8dc1d007059ed3eb1a7b55025e72abd525) go.{mod,sum}: bump CDI deps to v0.8.1, re-vendor. - CI: arm64-8core-32gb -> ubuntu-24.04-arm ([#​11437](https://redirect.github.com/containerd/containerd/pull/11437)) - [`85f10bd92`](https://redirect.github.com/containerd/containerd/commit/85f10bd9221f35ef1c2b8ec2d67520f461aa51a0) CI: arm64-8core-32gb -> ubuntu-24.04-arm - [`561ed520e`](https://redirect.github.com/containerd/containerd/commit/561ed520eaef2974aa8008b7a18a0944e6f90872) increase xfs base image size to 300Mb </p> </details> ##### Dependency Changes - **github.com/intel/goresctrl** v0.3.0 -> v0.5.0 - **github.com/prometheus/client\_golang** v1.14.0 -> v1.16.0 - **github.com/prometheus/common** v0.37.0 -> v0.42.0 - **github.com/prometheus/procfs** v0.8.0 -> v0.10.1 - **k8s.io/apimachinery** v0.26.2 -> v0.27.4 - **sigs.k8s.io/json** [`f223a00`](https://redirect.github.com/containerd/containerd/commit/f223a00ba0e2) -> [`bc3834c`](https://redirect.github.com/containerd/containerd/commit/bc3834ca7abd) - **tags.cncf.io/container-device-interface** v0.7.2 -> v0.8.1 - **tags.cncf.io/container-device-interface/specs-go** v0.7.0 -> v0.8.0 Previous release can be found at [v1.7.26](https://redirect.github.com/containerd/containerd/releases/tag/v1.7.26) ### [`v1.7.26`](https://redirect.github.com/containerd/containerd/releases/tag/v1.7.26): containerd 1.7.26 [Compare Source](https://redirect.github.com/containerd/containerd/compare/v1.7.25...v1.7.26) Welcome to the v1.7.26 release of containerd! The twenty-sixth patch release for containerd 1.7 contains various fixes and updates. ##### Highlights - Add support for syncfs after unpack ([#​11267](https://redirect.github.com/containerd/containerd/pull/11267)) - Update runc binary to v1.2.5 ([#​11395](https://redirect.github.com/containerd/containerd/pull/11395)) - Fix race between serve and immediate shutdown on the server ([containerd/ttrpc#175](https://redirect.github.com/containerd/ttrpc/pull/175)) - Reject oversized messages from the sender ([containerd/ttrpc#171](https://redirect.github.com/containerd/ttrpc/pull/171)) ##### Container Runtime Interface (CRI) - Fix fatal concurrency error in port forwarding ([#​11306](https://redirect.github.com/containerd/containerd/pull/11306)) ##### Node Resource Interface (NRI) - Fix initial sync race when registering NRI plugins ([#​11326](https://redirect.github.com/containerd/containerd/pull/11326)) - Add API support for reading Pod IPs ([containerd/nri#119](https://redirect.github.com/containerd/nri/pull/119)) - Fix plugin sync to use multiple messages if ttrpc max message limit is hit ([containerd/nri#111](https://redirect.github.com/containerd/nri/pull/111)) - Update API to pass configured timeouts to plugins. ([containerd/nri#109](https://redirect.github.com/containerd/nri/pull/109)) - Fix mount removal in adjustments ([containerd/nri#107](https://redirect.github.com/containerd/nri/pull/107)) - Close plugin if initial synchronization fails ([containerd/nri#103](https://redirect.github.com/containerd/nri/pull/103)) - Add support for adjusting OOM score ([containerd/nri#94](https://redirect.github.com/containerd/nri/pull/94)) - Add API support for NRI-native CDI injection ([containerd/nri#98](https://redirect.github.com/containerd/nri/pull/98)) - Add support for pids cgroup ([containerd/nri#76](https://redirect.github.com/containerd/nri/pull/76)) ##### Runtime - Fix console TTY leak in runc shim ([#​11250](https://redirect.github.com/containerd/containerd/pull/11250)) Please try out the release binaries and report any issues at <https://github.com/containerd/containerd/issues>. ##### Contributors - Krisztian Litkey - Mike Brown - Samuel Karp - Wei Fu - Phil Estes - Derek McGowan - Iceber Gu - Akhil Mohan - Antonio Ojea - Austin Vazquez - Henry Wang - Jin Dong - Xiaojin Zhang - ningmingxiao - AbdelrahmanElawady - Akihiro Suda - Antti Kervinen - Jing Xu - Jitang Lei - Justin Alvarez - Lei Liu - Maksym Pavlenko - Yang Yang - Yuhang Wei - cormick - jingtao.liang ##### Changes <details><summary>24 commits</summary> <p> - Prepare release notes for v1.7.26 ([#​11356](https://redirect.github.com/containerd/containerd/pull/11356)) - [`ceba197f5`](https://redirect.github.com/containerd/containerd/commit/ceba197f5fa0b76b0f181c24f81c67c43d34bff2) Prepare release notes for v1.7.26 - Upgrade x/net to 0.33.0 to fix vulnerability GHSA-w32m-9786-jp63 ([#​11434](https://redirect.github.com/containerd/containerd/pull/11434)) - [`3486bc8dd`](https://redirect.github.com/containerd/containerd/commit/3486bc8dd19acbde278ed6c4c4fa42c7299e1278) Upgrade x/net to 0.33.0 - update build to go1.23.6, test go1.24.0 ([#​11419](https://redirect.github.com/containerd/containerd/pull/11419)) - [`9025d3075`](https://redirect.github.com/containerd/containerd/commit/9025d3075b91b0806ff15f27f28bbce8af4f1a76) update build to go1.23.6, test go1.24.0 - Update install-imgcrypt to allow change install repo ([#​11358](https://redirect.github.com/containerd/containerd/pull/11358)) - [`83eaab482`](https://redirect.github.com/containerd/containerd/commit/83eaab4822188e019efe68c29a6d77f37f099d6e) Update install-imgcrypt to allow change install repo - Add support for syncfs after unpack ([#​11267](https://redirect.github.com/containerd/containerd/pull/11267)) - [`8bc21cba7`](https://redirect.github.com/containerd/containerd/commit/8bc21cba7516727b294d4dd6a3e8859cbdd146a8) support to syncfs after pull by using diff plugin - Update runc binary to v1.2.5 ([#​11395](https://redirect.github.com/containerd/containerd/pull/11395)) - [`27c472acf`](https://redirect.github.com/containerd/containerd/commit/27c472acf59c4d86e2b446ae554691149ac43661) Update runc binary to v1.2.5 - Move `run.skip-dirs` to `issues.exclude-dirs` in golangci-lint config ([#​11400](https://redirect.github.com/containerd/containerd/pull/11400)) - [`8d8034b66`](https://redirect.github.com/containerd/containerd/commit/8d8034b66e2790ef0149207acb7c92a033d7f1f8) move skip-dirs to issues.exclude-dirs - Fix initial sync race when registering NRI plugins ([#​11326](https://redirect.github.com/containerd/containerd/pull/11326)) - [`11af05177`](https://redirect.github.com/containerd/containerd/commit/11af05177545dbb97d87aa861b15d70ab911307c) cri,nri: block NRI plugin sync. during event processing. - [`d4036cd3d`](https://redirect.github.com/containerd/containerd/commit/d4036cd3d1eb174ea379c8e1d139c25cfe9f18d8) go.{mod,sum}: bump NRI to v0.8.0, re-vendor. - Fix console TTY leak in runc shim ([#​11250](https://redirect.github.com/containerd/containerd/pull/11250)) - [`c3e24e024`](https://redirect.github.com/containerd/containerd/commit/c3e24e0248f0ca83d0bfbb0262862c2a06a632e2) Add integ test to check tty leak - [`4e45a463d`](https://redirect.github.com/containerd/containerd/commit/4e45a463d90fd44f6b92978721779d7b09045cee) fix master tty leak due to leaking init container object - Fix fatal concurrency error in port forwarding ([#​11306](https://redirect.github.com/containerd/containerd/pull/11306)) - [`0fe9f0b52`](https://redirect.github.com/containerd/containerd/commit/0fe9f0b52f7b700689df46d13de36e67b62486e1) fix fatal error: concurrent map iteration and map write - update build to go1.22.11, test go1.23.5 ([#​11298](https://redirect.github.com/containerd/containerd/pull/11298)) - [`441b92636`](https://redirect.github.com/containerd/containerd/commit/441b92636a806d71655945137210126de723e4fe) update build to go1.22.11, test go1.23.5 </p> </details> ##### Changes from containerd/nri <details><summary>77 commits</summary> <p> - Add API support for reading Pod IPs ([containerd/nri#119](https://redirect.github.com/containerd/nri/pull/119)) - [`eaf78a9`](https://redirect.github.com/containerd/nri/commit/eaf78a9afe9ebac28a68d1163dd00183525801a3) api: support Pod IPs - generate: do not set OOMScoreAdj if no adjustment ([containerd/nri#116](https://redirect.github.com/containerd/nri/pull/116)) - [`07bfc18`](https://redirect.github.com/containerd/nri/commit/07bfc18129a3cc9c4b44e1aced9972279a50ddb5) wip: generate: add test for oom score adj - [`b5fc359`](https://redirect.github.com/containerd/nri/commit/b5fc359973c0e8c599b12c1d118546c267894b3b) generate: do not set OOMScoreAdj if no adjustment - device-injector: remove unreachable code. ([containerd/nri#115](https://redirect.github.com/containerd/nri/pull/115)) - [`235aa11`](https://redirect.github.com/containerd/nri/commit/235aa114dffc784073ec8b2f88fbd4ecfba06450) chore: remove unreachable code and fmt files - Fix plugin sync to use multiple messages if ttrpc max message limit is hit ([containerd/nri#111](https://redirect.github.com/containerd/nri/pull/111)) - [`159f575`](https://redirect.github.com/containerd/nri/commit/159f5754db397e32ce886cd07985ffd95f1bd823) template: dump pod/container count in sync message. - [`bf267e3`](https://redirect.github.com/containerd/nri/commit/bf267e336f2ec2f5045fd396fb68f9853d2b5db9) stub: collect/handle split sync messages. - [`ed78ae9`](https://redirect.github.com/containerd/nri/commit/ed78ae9231cb603031f66921559ca6f38ef77bb5) adaptation: use multiple sync messages if necessary. - [`6fd59d6`](https://redirect.github.com/containerd/nri/commit/6fd59d6d7701cdadeae4db0058b3fde84c02e94b) api: add support for multiple sync messages. - [`a7fcccc`](https://redirect.github.com/containerd/nri/commit/a7fcccc4ba35f69ea2af790b6cb4b46385c50ce4) mux: split oversized messages. - [`5fe9b06`](https://redirect.github.com/containerd/nri/commit/5fe9b06401fb7fce78c41b95df04e05dffc22e5b) mux: fix maximum allowed message size. - [`693d64e`](https://redirect.github.com/containerd/nri/commit/693d64e2565cc14c00fae2de904ffc030fc2b894) go.{mod,sum}, plugins: update ttrpc and NRI deps. - Update API to pass configured timeouts to plugins. ([containerd/nri#109](https://redirect.github.com/containerd/nri/pull/109)) - [`320e4e7`](https://redirect.github.com/containerd/nri/commit/320e4e7e52a856b119cfa1c06a4a135ab5f88f56) adaptation: tests for runtime version, timeouts. - [`f86d982`](https://redirect.github.com/containerd/nri/commit/f86d98210749556ef562776fde784d2250d1190e) api,adaptation,stub: let plugin know configured timeouts. - [`cfcd2af`](https://redirect.github.com/containerd/nri/commit/cfcd2af3c80db6667f2d1a291225cc616b6049c3) Makefile: fix ginkgo-tests target. - [`8cd9504`](https://redirect.github.com/containerd/nri/commit/8cd9504a48e1b79625ff5fce3d058c6662bc34d6) adaptation: block plugin sync/registration in test suite. - [`966ac92`](https://redirect.github.com/containerd/nri/commit/966ac92b01fca271373e2088695538dcef0edb2b) adaptation: implement plugin synchronization blocks. - ci: verify that code generation works and results match ([containerd/nri#113](https://redirect.github.com/containerd/nri/pull/113)) - [`f74ce31`](https://redirect.github.com/containerd/nri/commit/f74ce31ef9b048d69702b954912122a0597598a8) ci: verify code generation and generated files in repo - deps: bump gingko to v2.19.1, golang to v1.21.x. ([containerd/nri#110](https://redirect.github.com/containerd/nri/pull/110)) - [`e4d5c36`](https://redirect.github.com/containerd/nri/commit/e4d5c36429c495c5d61d0183ba1c1a908ed598f4) ci: stop testing with golang 1.20.x. - [`6578149`](https://redirect.github.com/containerd/nri/commit/65781492cc1b0cf5a6a6166a81ba638e45b7f93f) go.{mod,sum}: bump golang requirement to 1.21. - [`442e812`](https://redirect.github.com/containerd/nri/commit/442e81239436c53689e14d9a641099a4aeec7cbe) go.{mod,sum}: update to ginkgo v2.19.1. - sync sandboxes and containers after starting the pre-installed plugins ([containerd/nri#43](https://redirect.github.com/containerd/nri/pull/43)) - [`eada085`](https://redirect.github.com/containerd/nri/commit/eada085db3965057686def58fd8993c70030dd7f) ignore pre-installed plugins that did not sync successfully - [`b881bc4`](https://redirect.github.com/containerd/nri/commit/b881bc4ba69e3bfe718939d97f327f3c72670fad) sync sandboxes and containers after starting the pre-installed plugins - Fix mount removal in adjustments ([containerd/nri#107](https://redirect.github.com/containerd/nri/pull/107)) - [`3880f1d`](https://redirect.github.com/containerd/nri/commit/3880f1df504f4b3ceedd3a36172162c886a00564) adaptation: add test case for mount removal. - [`0d3b376`](https://redirect.github.com/containerd/nri/commit/0d3b37631b9fb913e95a9a0efd31b27117208e40) adaptation: fix mount removal in adjustments. - codespell: add codespell config, workflow, fix spelling errors. ([containerd/nri#105](https://redirect.github.com/containerd/nri/pull/105)) - [`df84c47`](https://redirect.github.com/containerd/nri/commit/df84c475025e3fc536701aa99f6ca6d14dbea648) .github: add codespell workflow. - [`a03dc93`](https://redirect.github.com/containerd/nri/commit/a03dc9359c2d526924e56a9d167445a69588d3ae) pkg,plugins,.codespellrc: add codespellrc, fix spelling. - Close plugin if initial synchronization fails ([containerd/nri#103](https://redirect.github.com/containerd/nri/pull/103)) - [`4aec208`](https://redirect.github.com/containerd/nri/commit/4aec208281ac3630b02d737005778527aec8abae) adaptation: log plugin as connected and synchronized. - [`4e60cd0`](https://redirect.github.com/containerd/nri/commit/4e60cd0fb845ffefa9590084bb5261a113ad6858) adaptation: close plugin if initial synchronization fails. - Reset source path of api.pb.go to pkg/api/api.proto ([containerd/nri#104](https://redirect.github.com/containerd/nri/pull/104)) - [`1cc026f`](https://redirect.github.com/containerd/nri/commit/1cc026f8a3773b9e0d4ca80f9c3e978ef7d54bef) Reset source path of api.pb.go to pkg/api/api.proto - Add support for adjusting OOM score ([containerd/nri#94](https://redirect.github.com/containerd/nri/pull/94)) - [`efcb2da`](https://redirect.github.com/containerd/nri/commit/efcb2dad664293bd3fbad1557cac2dcfd15a86dc) NRI plugins support adjust oom\_score\_adj - Add API support for NRI-na </details> --- ### Configuration 📅 **Schedule**: Branch creation - "" (UTC), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Enabled. ♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- ## Need help? You can ask for more help in the following Slack channel: #proj-renovate-self-hosted. In that channel you can also find ADR and FAQ docs in the Resources section. <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4zLjYiLCJ1cGRhdGVkSW5WZXIiOiI0My45LjAiLCJ0YXJnZXRCcmFuY2giOiJtYWluIiwibGFiZWxzIjpbImF1dG9tZXJnZS1zZWN1cml0eS11cGRhdGUiLCJzZXZlcml0eTpVTktOT1dOIl19--> Signed-off-by: renovate-sh-app[bot] <219655108+renovate-sh-app[bot]@users.noreply.github.com> Co-authored-by: renovate-sh-app[bot] <219655108+renovate-sh-app[bot]@users.noreply.github.com>
jharvey10
pushed a commit
to grafana/alloy
that referenced
this pull request
Feb 26, 2026
…9 [SECURITY] (#5497) > ℹ️ **Note** > > This PR body was truncated due to platform limits. This PR contains the following updates: | Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) | |---|---|---|---| | [github.com/containerd/containerd](https://redirect.github.com/containerd/containerd) | `v1.7.18` → `v1.7.29` |  |  | --- > [!WARNING] > Some dependencies could not be looked up. Check the Dependency Dashboard for more information. ### GitHub Vulnerability Alerts #### [CVE-2024-40635](https://redirect.github.com/containerd/containerd/security/advisories/GHSA-265r-hfxg-fhmg) ### Impact A bug was found in containerd where containers launched with a User set as a `UID:GID` larger than the maximum 32-bit signed integer can cause an overflow condition where the container ultimately runs as root (UID 0). This could cause unexpected behavior for environments that require containers to run as a non-root user. ### Patches This bug has been fixed in the following containerd versions: * 2.0.4 (Fixed in https://github.com/containerd/containerd/commit/1a43cb6a1035441f9aca8f5666a9b3ef9e70ab20) * 1.7.27 (Fixed in https://github.com/containerd/containerd/commit/05044ec0a9a75232cad458027ca83437aae3f4da) * 1.6.38 (Fixed in https://github.com/containerd/containerd/commit/cf158e884cfe4812a6c371b59e4ea9bc4c46e51a) Users should update to these versions to resolve the issue. ### Workarounds Ensure that only trusted images are used and that only trusted users have permissions to import images. ### Credits The containerd project would like to thank [Benjamin Koltermann](https://redirect.github.com/p4ck3t0) and [emxll](https://redirect.github.com/emxll) for responsibly disclosing this issue in accordance with the [containerd security policy](https://redirect.github.com/containerd/project/blob/main/SECURITY.md). ### References * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-40635 ### For more information If you have any questions or comments about this advisory: * Open an issue in [containerd](https://redirect.github.com/containerd/containerd/issues/new/choose) * Email us at [security@containerd.io](mailto:security@containerd.io) To report a security issue in containerd: * [Report a new vulnerability](https://redirect.github.com/containerd/containerd/security/advisories/new) * Email us at [security@containerd.io](mailto:security@containerd.io) #### [CVE-2024-25621](https://redirect.github.com/containerd/containerd/security/advisories/GHSA-pwhc-rpq9-4c8w) ### Impact An overly broad default permission vulnerability was found in containerd. - `/var/lib/containerd` was created with the permission bits 0o711, while it should be created with 0o700 - Allowed local users on the host to potentially access the metadata store and the content store - `/run/containerd/io.containerd.grpc.v1.cri` was created with 0o755, while it should be created with 0o700 - Allowed local users on the host to potentially access the contents of Kubernetes local volumes. The contents of volumes might include setuid binaries, which could allow a local user on the host to elevate privileges on the host. - `/run/containerd/io.containerd.sandbox.controller.v1.shim` was created with 0o711, while it should be created with 0o700 The directory paths may differ depending on the daemon configuration. When the `temp` directory path is specified in the daemon configuration, that directory was also created with 0o711, while it should be created with 0o700. ### Patches This bug has been fixed in the following containerd versions: * 2.2.0 * 2.1.5 * 2.0.7 * 1.7.29 Users should update to these versions to resolve the issue. These updates automatically change the permissions of the existing directories. > [!NOTE] > > `/run/containerd` and `/run/containerd/io.containerd.runtime.v2.task` are still created with 0o711. > This is an expected behavior for supporting userns-remapped containers. ### Workarounds The system administrator on the host can manually chmod the directories to not have group or world accessible permisisons: ``` chmod 700 /var/lib/containerd chmod 700 /run/containerd/io.containerd.grpc.v1.cri chmod 700 /run/containerd/io.containerd.sandbox.controller.v1.shim ``` An alternative mitigation would be to run containerd in [rootless mode](https://redirect.github.com/containerd/containerd/blob/main/docs/rootless.md). ### Credits The containerd project would like to thank David Leadbeater for responsibly disclosing this issue in accordance with the [containerd security policy](https://redirect.github.com/containerd/project/blob/main/SECURITY.md). ### For more information If you have any questions or comments about this advisory: * Open an issue in [containerd](https://redirect.github.com/containerd/containerd/issues/new/choose) * Email us at [security@containerd.io](mailto:security@containerd.io) To report a security issue in containerd: * [Report a new vulnerability](https://redirect.github.com/containerd/containerd/security/advisories/new) #### [CVE-2025-64329](https://redirect.github.com/containerd/containerd/security/advisories/GHSA-m6hq-p25p-ffr2) ### Impact A bug was found in containerd's CRI Attach implementation where a user can exhaust memory on the host due to goroutine leaks. Repetitive calls of CRI Attach (e.g., [`kubectl attach`](https://kubernetes.io/docs/reference/kubectl/generated/kubectl_attach/)) could increase the memory usage of containerd. ### Patches This bug has been fixed in the following containerd versions: * 2.2.0 * 2.1.5 * 2.0.7 * 1.7.29 Users should update to these versions to resolve the issue. ### Workarounds Set up an admission controller to control accesses to `pods/attach` resources. e.g., [Validating Admission Policy](https://kubernetes.io/docs/reference/access-authn-authz/validating-admission-policy/). ### Credits The containerd project would like to thank @​Wheat2018 for responsibly disclosing this issue in accordance with the [containerd security policy](https://redirect.github.com/containerd/project/blob/main/SECURITY.md). ### References https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-64329 ### For more information If you have any questions or comments about this advisory: * Open an issue in [containerd](https://redirect.github.com/containerd/containerd/issues/new/choose) * Email us at [security@containerd.io](mailto:security@containerd.io) To report a security issue in containerd: * [Report a new vulnerability](https://redirect.github.com/containerd/containerd/security/advisories/new) --- ### containerd has an integer overflow in User ID handling [CVE-2024-40635](https://nvd.nist.gov/vuln/detail/CVE-2024-40635) / [GHSA-265r-hfxg-fhmg](https://redirect.github.com/advisories/GHSA-265r-hfxg-fhmg) / [GO-2025-3528](https://pkg.go.dev/vuln/GO-2025-3528) <details> <summary>More information</summary> #### Details ##### Impact A bug was found in containerd where containers launched with a User set as a `UID:GID` larger than the maximum 32-bit signed integer can cause an overflow condition where the container ultimately runs as root (UID 0). This could cause unexpected behavior for environments that require containers to run as a non-root user. ##### Patches This bug has been fixed in the following containerd versions: * 2.0.4 (Fixed in https://github.com/containerd/containerd/commit/1a43cb6a1035441f9aca8f5666a9b3ef9e70ab20) * 1.7.27 (Fixed in https://github.com/containerd/containerd/commit/05044ec0a9a75232cad458027ca83437aae3f4da) * 1.6.38 (Fixed in https://github.com/containerd/containerd/commit/cf158e884cfe4812a6c371b59e4ea9bc4c46e51a) Users should update to these versions to resolve the issue. ##### Workarounds Ensure that only trusted images are used and that only trusted users have permissions to import images. ##### Credits The containerd project would like to thank [Benjamin Koltermann](https://redirect.github.com/p4ck3t0) and [emxll](https://redirect.github.com/emxll) for responsibly disclosing this issue in accordance with the [containerd security policy](https://redirect.github.com/containerd/project/blob/main/SECURITY.md). ##### References * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-40635 ##### For more information If you have any questions or comments about this advisory: * Open an issue in [containerd](https://redirect.github.com/containerd/containerd/issues/new/choose) * Email us at [security@containerd.io](mailto:security@containerd.io) To report a security issue in containerd: * [Report a new vulnerability](https://redirect.github.com/containerd/containerd/security/advisories/new) * Email us at [security@containerd.io](mailto:security@containerd.io) #### Severity - CVSS Score: Unknown - Vector String: `CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N` #### References - [https://github.com/containerd/containerd/security/advisories/GHSA-265r-hfxg-fhmg](https://redirect.github.com/containerd/containerd/security/advisories/GHSA-265r-hfxg-fhmg) - [https://nvd.nist.gov/vuln/detail/CVE-2024-40635](https://nvd.nist.gov/vuln/detail/CVE-2024-40635) - [https://github.com/containerd/containerd/commit/05044ec0a9a75232cad458027ca83437aae3f4da](https://redirect.github.com/containerd/containerd/commit/05044ec0a9a75232cad458027ca83437aae3f4da) - [https://github.com/containerd/containerd/commit/1a43cb6a1035441f9aca8f5666a9b3ef9e70ab20](https://redirect.github.com/containerd/containerd/commit/1a43cb6a1035441f9aca8f5666a9b3ef9e70ab20) - [https://github.com/containerd/containerd/commit/cf158e884cfe4812a6c371b59e4ea9bc4c46e51a](https://redirect.github.com/containerd/containerd/commit/cf158e884cfe4812a6c371b59e4ea9bc4c46e51a) - [https://github.com/containerd/containerd](https://redirect.github.com/containerd/containerd) - [https://lists.debian.org/debian-lts-announce/2025/05/msg00005.html](https://lists.debian.org/debian-lts-announce/2025/05/msg00005.html) This data is provided by [OSV](https://osv.dev/vulnerability/GHSA-265r-hfxg-fhmg) and the [GitHub Advisory Database](https://redirect.github.com/github/advisory-database) ([CC-BY 4.0](https://redirect.github.com/github/advisory-database/blob/main/LICENSE.md)). </details> --- ### containerd has an integer overflow in User ID handling in github.com/containerd/containerd [CVE-2024-40635](https://nvd.nist.gov/vuln/detail/CVE-2024-40635) / [GHSA-265r-hfxg-fhmg](https://redirect.github.com/advisories/GHSA-265r-hfxg-fhmg) / [GO-2025-3528](https://pkg.go.dev/vuln/GO-2025-3528) <details> <summary>More information</summary> #### Details containerd has an integer overflow in User ID handling in github.com/containerd/containerd #### Severity Unknown #### References - [https://github.com/containerd/containerd/security/advisories/GHSA-265r-hfxg-fhmg](https://redirect.github.com/containerd/containerd/security/advisories/GHSA-265r-hfxg-fhmg) - [https://github.com/containerd/containerd/commit/05044ec0a9a75232cad458027ca83437aae3f4da](https://redirect.github.com/containerd/containerd/commit/05044ec0a9a75232cad458027ca83437aae3f4da) - [https://github.com/containerd/containerd/commit/1a43cb6a1035441f9aca8f5666a9b3ef9e70ab20](https://redirect.github.com/containerd/containerd/commit/1a43cb6a1035441f9aca8f5666a9b3ef9e70ab20) - [https://github.com/containerd/containerd/commit/cf158e884cfe4812a6c371b59e4ea9bc4c46e51a](https://redirect.github.com/containerd/containerd/commit/cf158e884cfe4812a6c371b59e4ea9bc4c46e51a) This data is provided by [OSV](https://osv.dev/vulnerability/GO-2025-3528) and the [Go Vulnerability Database](https://redirect.github.com/golang/vulndb) ([CC-BY 4.0](https://redirect.github.com/golang/vulndb#license)). </details> --- ### containerd affected by a local privilege escalation via wide permissions on CRI directory [CVE-2024-25621](https://nvd.nist.gov/vuln/detail/CVE-2024-25621) / [GHSA-pwhc-rpq9-4c8w](https://redirect.github.com/advisories/GHSA-pwhc-rpq9-4c8w) / [GO-2025-4100](https://pkg.go.dev/vuln/GO-2025-4100) <details> <summary>More information</summary> #### Details ##### Impact An overly broad default permission vulnerability was found in containerd. - `/var/lib/containerd` was created with the permission bits 0o711, while it should be created with 0o700 - Allowed local users on the host to potentially access the metadata store and the content store - `/run/containerd/io.containerd.grpc.v1.cri` was created with 0o755, while it should be created with 0o700 - Allowed local users on the host to potentially access the contents of Kubernetes local volumes. The contents of volumes might include setuid binaries, which could allow a local user on the host to elevate privileges on the host. - `/run/containerd/io.containerd.sandbox.controller.v1.shim` was created with 0o711, while it should be created with 0o700 The directory paths may differ depending on the daemon configuration. When the `temp` directory path is specified in the daemon configuration, that directory was also created with 0o711, while it should be created with 0o700. ##### Patches This bug has been fixed in the following containerd versions: * 2.2.0 * 2.1.5 * 2.0.7 * 1.7.29 Users should update to these versions to resolve the issue. These updates automatically change the permissions of the existing directories. > [!NOTE] > > `/run/containerd` and `/run/containerd/io.containerd.runtime.v2.task` are still created with 0o711. > This is an expected behavior for supporting userns-remapped containers. ##### Workarounds The system administrator on the host can manually chmod the directories to not have group or world accessible permisisons: ``` chmod 700 /var/lib/containerd chmod 700 /run/containerd/io.containerd.grpc.v1.cri chmod 700 /run/containerd/io.containerd.sandbox.controller.v1.shim ``` An alternative mitigation would be to run containerd in [rootless mode](https://redirect.github.com/containerd/containerd/blob/main/docs/rootless.md). ##### Credits The containerd project would like to thank David Leadbeater for responsibly disclosing this issue in accordance with the [containerd security policy](https://redirect.github.com/containerd/project/blob/main/SECURITY.md). ##### For more information If you have any questions or comments about this advisory: * Open an issue in [containerd](https://redirect.github.com/containerd/containerd/issues/new/choose) * Email us at [security@containerd.io](mailto:security@containerd.io) To report a security issue in containerd: * [Report a new vulnerability](https://redirect.github.com/containerd/containerd/security/advisories/new) #### Severity - CVSS Score: Unknown - Vector String: `CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H` #### References - [https://github.com/containerd/containerd/security/advisories/GHSA-pwhc-rpq9-4c8w](https://redirect.github.com/containerd/containerd/security/advisories/GHSA-pwhc-rpq9-4c8w) - [https://nvd.nist.gov/vuln/detail/CVE-2024-25621](https://nvd.nist.gov/vuln/detail/CVE-2024-25621) - [https://github.com/containerd/containerd/commit/7c59e8e9e970d38061a77b586b23655c352bfec5](https://redirect.github.com/containerd/containerd/commit/7c59e8e9e970d38061a77b586b23655c352bfec5) - [https://github.com/containerd/containerd](https://redirect.github.com/containerd/containerd) - [https://github.com/containerd/containerd/blob/main/docs/rootless.md](https://redirect.github.com/containerd/containerd/blob/main/docs/rootless.md) This data is provided by [OSV](https://osv.dev/vulnerability/GHSA-pwhc-rpq9-4c8w) and the [GitHub Advisory Database](https://redirect.github.com/github/advisory-database) ([CC-BY 4.0](https://redirect.github.com/github/advisory-database/blob/main/LICENSE.md)). </details> --- ### containerd CRI server: Host memory exhaustion through Attach goroutine leak in github.com/containerd/containerd [CVE-2025-64329](https://nvd.nist.gov/vuln/detail/CVE-2025-64329) / [GHSA-m6hq-p25p-ffr2](https://redirect.github.com/advisories/GHSA-m6hq-p25p-ffr2) / [GO-2025-4108](https://pkg.go.dev/vuln/GO-2025-4108) <details> <summary>More information</summary> #### Details containerd CRI server: Host memory exhaustion through Attach goroutine leak in github.com/containerd/containerd #### Severity Unknown #### References - [https://github.com/containerd/containerd/security/advisories/GHSA-m6hq-p25p-ffr2](https://redirect.github.com/containerd/containerd/security/advisories/GHSA-m6hq-p25p-ffr2) - [https://nvd.nist.gov/vuln/detail/CVE-2025-64329](https://nvd.nist.gov/vuln/detail/CVE-2025-64329) - [https://github.com/containerd/containerd/commit/083b53cd6f19b5de7717b0ce92c11bdf95e612df](https://redirect.github.com/containerd/containerd/commit/083b53cd6f19b5de7717b0ce92c11bdf95e612df) This data is provided by [OSV](https://osv.dev/vulnerability/GO-2025-4108) and the [Go Vulnerability Database](https://redirect.github.com/golang/vulndb) ([CC-BY 4.0](https://redirect.github.com/golang/vulndb#license)). </details> --- ### containerd affected by a local privilege escalation via wide permissions on CRI directory in github.com/containerd/containerd [CVE-2024-25621](https://nvd.nist.gov/vuln/detail/CVE-2024-25621) / [GHSA-pwhc-rpq9-4c8w](https://redirect.github.com/advisories/GHSA-pwhc-rpq9-4c8w) / [GO-2025-4100](https://pkg.go.dev/vuln/GO-2025-4100) <details> <summary>More information</summary> #### Details containerd affected by a local privilege escalation via wide permissions on CRI directory in github.com/containerd/containerd #### Severity Unknown #### References - [https://github.com/containerd/containerd/security/advisories/GHSA-pwhc-rpq9-4c8w](https://redirect.github.com/containerd/containerd/security/advisories/GHSA-pwhc-rpq9-4c8w) - [https://nvd.nist.gov/vuln/detail/CVE-2024-25621](https://nvd.nist.gov/vuln/detail/CVE-2024-25621) - [https://github.com/containerd/containerd/commit/7c59e8e9e970d38061a77b586b23655c352bfec5](https://redirect.github.com/containerd/containerd/commit/7c59e8e9e970d38061a77b586b23655c352bfec5) - [https://github.com/containerd/containerd/blob/main/docs/rootless.md](https://redirect.github.com/containerd/containerd/blob/main/docs/rootless.md) This data is provided by [OSV](https://osv.dev/vulnerability/GO-2025-4100) and the [Go Vulnerability Database](https://redirect.github.com/golang/vulndb) ([CC-BY 4.0](https://redirect.github.com/golang/vulndb#license)). </details> --- ### containerd CRI server: Host memory exhaustion through Attach goroutine leak [CVE-2025-64329](https://nvd.nist.gov/vuln/detail/CVE-2025-64329) / [GHSA-m6hq-p25p-ffr2](https://redirect.github.com/advisories/GHSA-m6hq-p25p-ffr2) / [GO-2025-4108](https://pkg.go.dev/vuln/GO-2025-4108) <details> <summary>More information</summary> #### Details ##### Impact A bug was found in containerd's CRI Attach implementation where a user can exhaust memory on the host due to goroutine leaks. Repetitive calls of CRI Attach (e.g., [`kubectl attach`](https://kubernetes.io/docs/reference/kubectl/generated/kubectl_attach/)) could increase the memory usage of containerd. ##### Patches This bug has been fixed in the following containerd versions: * 2.2.0 * 2.1.5 * 2.0.7 * 1.7.29 Users should update to these versions to resolve the issue. ##### Workarounds Set up an admission controller to control accesses to `pods/attach` resources. e.g., [Validating Admission Policy](https://kubernetes.io/docs/reference/access-authn-authz/validating-admission-policy/). ##### Credits The containerd project would like to thank @​Wheat2018 for responsibly disclosing this issue in accordance with the [containerd security policy](https://redirect.github.com/containerd/project/blob/main/SECURITY.md). ##### References https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-64329 ##### For more information If you have any questions or comments about this advisory: * Open an issue in [containerd](https://redirect.github.com/containerd/containerd/issues/new/choose) * Email us at [security@containerd.io](mailto:security@containerd.io) To report a security issue in containerd: * [Report a new vulnerability](https://redirect.github.com/containerd/containerd/security/advisories/new) #### Severity - CVSS Score: Unknown - Vector String: `CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N` #### References - [https://github.com/containerd/containerd/security/advisories/GHSA-m6hq-p25p-ffr2](https://redirect.github.com/containerd/containerd/security/advisories/GHSA-m6hq-p25p-ffr2) - [https://nvd.nist.gov/vuln/detail/CVE-2025-64329](https://nvd.nist.gov/vuln/detail/CVE-2025-64329) - [https://github.com/containerd/containerd/commit/083b53cd6f19b5de7717b0ce92c11bdf95e612df](https://redirect.github.com/containerd/containerd/commit/083b53cd6f19b5de7717b0ce92c11bdf95e612df) - [https://github.com/containerd/containerd](https://redirect.github.com/containerd/containerd) This data is provided by [OSV](https://osv.dev/vulnerability/GHSA-m6hq-p25p-ffr2) and the [GitHub Advisory Database](https://redirect.github.com/github/advisory-database) ([CC-BY 4.0](https://redirect.github.com/github/advisory-database/blob/main/LICENSE.md)). </details> --- ### Release Notes <details> <summary>containerd/containerd (github.com/containerd/containerd)</summary> ### [`v1.7.29`](https://redirect.github.com/containerd/containerd/releases/tag/v1.7.29): containerd 1.7.29 [Compare Source](https://redirect.github.com/containerd/containerd/compare/v1.7.28...v1.7.29) Welcome to the v1.7.29 release of containerd! The twenty-ninth patch release for containerd 1.7 contains various fixes and updates including security patches. ##### Security Updates - **containerd** - [**GHSA-pwhc-rpq9-4c8w**](https://redirect.github.com/containerd/containerd/security/advisories/GHSA-pwhc-rpq9-4c8w) - [**GHSA-m6hq-p25p-ffr2**](https://redirect.github.com/containerd/containerd/security/advisories/GHSA-m6hq-p25p-ffr2) - **runc** - [**GHSA-qw9x-cqr3-wc7r**](https://redirect.github.com/opencontainers/runc/security/advisories/GHSA-qw9x-cqr3-wc7r) - [**GHSA-cgrx-mc8f-2prm**](https://redirect.github.com/opencontainers/runc/security/advisories/GHSA-cgrx-mc8f-2prm) - [**GHSA-9493-h29p-rfm2**](https://redirect.github.com/opencontainers/runc/security/advisories/GHSA-9493-h29p-rfm2) ##### Highlights ##### Image Distribution - **Update differ to handle zstd media types** ([#​12018](https://redirect.github.com/containerd/containerd/pull/12018)) ##### Runtime - **Update runc binary to v1.3.3** ([#​12480](https://redirect.github.com/containerd/containerd/pull/12480)) - **Fix lost container logs from quickly closing io** ([#​12375](https://redirect.github.com/containerd/containerd/pull/12375)) Please try out the release binaries and report any issues at <https://github.com/containerd/containerd/issues>. ##### Contributors - Derek McGowan - Akihiro Suda - Phil Estes - Austin Vazquez - Sebastiaan van Stijn - ningmingxiao - Maksym Pavlenko - StepSecurity Bot - wheat2018 ##### Changes <details><summary>38 commits</summary> <p> - [`442cb34bd`](https://redirect.github.com/containerd/containerd/commit/442cb34bda9a6a0fed82a2ca7cade05c5c749582) Merge commit from fork - [`0450f046e`](https://redirect.github.com/containerd/containerd/commit/0450f046e6942e513d0ebf1ef5c2aff13daa187f) Fix directory permissions - [`e5cb6ddb7`](https://redirect.github.com/containerd/containerd/commit/e5cb6ddb7a7730c24253a94d7fdb6bbe13dba6f7) Merge commit from fork - [`c575d1b5f`](https://redirect.github.com/containerd/containerd/commit/c575d1b5f4011f33b32f71ace75367a92b08c750) fix goroutine leak of container Attach - Prepare release notes for v1.7.29 ([#​12486](https://redirect.github.com/containerd/containerd/pull/12486)) - [`1fc2daaf3`](https://redirect.github.com/containerd/containerd/commit/1fc2daaf3ed53f4c9e76fbc5786a6f1ae3bb885f) Prepare release notes for v1.7.29 - Update runc binary to v1.3.3 ([#​12480](https://redirect.github.com/containerd/containerd/pull/12480)) - [`3f5f9f872`](https://redirect.github.com/containerd/containerd/commit/3f5f9f872707a743563d316e85e530193a2e30ac) runc: Update runc binary to v1.3.3 - Update GHA images and bump Go 1.24.9; 1.25.3 ([#​12471](https://redirect.github.com/containerd/containerd/pull/12471)) - [`667409fb6`](https://redirect.github.com/containerd/containerd/commit/667409fb63098cb80280940ab06038114e7712da) ci: bump Go 1.24.9, 1.25.3 - [`294f8c027`](https://redirect.github.com/containerd/containerd/commit/294f8c027b607c4450b3e52f44280581a737a73f) Update GHA runners to use latest images for basic binaries build - [`cf66b4141`](https://redirect.github.com/containerd/containerd/commit/cf66b4141defb757dee0fc5653bfd0a7ba1e8fed) Update GHA runners to use latest image for most jobs - [`fa3e6fa18`](https://redirect.github.com/containerd/containerd/commit/fa3e6fa18aa8dc7e699428958e1fb1d38e832e15) pkg/epoch: extract parsing SOURCE\_DATE\_EPOCH to a function - [`ac334bffc`](https://redirect.github.com/containerd/containerd/commit/ac334bffc4e759f188afb58efd74a603ade0855a) pkg/epoch: fix tests on macOS - [`d04b8721f`](https://redirect.github.com/containerd/containerd/commit/d04b8721fc5bff2677beadb4f3d15d7c0ec989ca) pkg/epoch: replace some fmt.Sprintfs with strconv - CI: update Fedora to 43 ([#​12450](https://redirect.github.com/containerd/containerd/pull/12450)) - [`5cfedbf52`](https://redirect.github.com/containerd/containerd/commit/5cfedbf52300d09f77a51f02a0c784c37284302c) CI: update Fedora to 43 - CI: skip ubuntu-24.04-arm on private repos ([#​12429](https://redirect.github.com/containerd/containerd/pull/12429)) - [`cf99a012d`](https://redirect.github.com/containerd/containerd/commit/cf99a012d6f7fcb51afdea641d87474dae95f50d) CI: skip ubuntu-24.04-arm on private repos - runc:Update runc binary to v1.3.1 ([#​12276](https://redirect.github.com/containerd/containerd/pull/12276)) - [`4c77b8d07`](https://redirect.github.com/containerd/containerd/commit/4c77b8d078a65a5e99e40847a9eaa18a944ff68e) runc:Update runc binary to v1.3.1 - Fix lost container logs from quickly closing io ([#​12375](https://redirect.github.com/containerd/containerd/pull/12375)) - [`d30024db2`](https://redirect.github.com/containerd/containerd/commit/d30024db25590e6ec74b639746a5dc792f5c1403) bugfix:fix container logs lost because io close too quickly - ci: bump Go 1.24.8 ([#​12362](https://redirect.github.com/containerd/containerd/pull/12362)) - [`f4b3d96f3`](https://redirect.github.com/containerd/containerd/commit/f4b3d96f3d83a0ac7bde03ae9eec749aa1936a59) ci: bump Go 1.24.8 - [`334fd8e4b`](https://redirect.github.com/containerd/containerd/commit/334fd8e4b974d88ebea43a998d76760aad49773a) update golangci-lint to v1.64.2 - [`8a67abc4c`](https://redirect.github.com/containerd/containerd/commit/8a67abc4cac67bf806da0b2b55ac7159e91f6996) Drop inactivated linter exportloopref - [`e4dbf08f0`](https://redirect.github.com/containerd/containerd/commit/e4dbf08f0ff3dc9f6b2a9a36eab71d73ac707956) build(deps): bump golangci/golangci-lint-action from 6.3.2 to 6.5.0 - [`d7db2ba06`](https://redirect.github.com/containerd/containerd/commit/d7db2ba063385d06132ec80890eb6c1fe4126692) build(deps): bump golangci/golangci-lint-action from 6.2.0 to 6.3.2 - [`d7182888f`](https://redirect.github.com/containerd/containerd/commit/d7182888f0071cce86d40fcf09cd9a247ac15c41) build(deps): bump golangci/golangci-lint-action from 6.1.1 to 6.2.0 - [`4be6c7e3b`](https://redirect.github.com/containerd/containerd/commit/4be6c7e3b5d5da7be8c1c87e1c16450b7ea8dadb) build(deps): bump actions/cache from 4.1.2 to 4.2.0 - [`a2e097e86`](https://redirect.github.com/containerd/containerd/commit/a2e097e865887382c2fc29ee0cea0053e6152a12) build(deps): bump actions/checkout from 4.2.1 to 4.2.2 - [`6de404d11`](https://redirect.github.com/containerd/containerd/commit/6de404d11b8e237a7867c7fbe535579c5736bfde) build(deps): bump actions/cache from 4.1.1 to 4.1.2 - [`038a25584`](https://redirect.github.com/containerd/containerd/commit/038a25584e7f66272114ec0801b071e6149ef841) \[StepSecurity] ci: Harden GitHub Actions - Update differ to handle zstd media types ([#​12018](https://redirect.github.com/containerd/containerd/pull/12018)) - [`eaeb4b6ac`](https://redirect.github.com/containerd/containerd/commit/eaeb4b6ac581c0704bed0ff96ee7e53170345e84) Update differ to handle zstd media types - ci: bump Go 1.23.12, 1.24.6 ([#​12188](https://redirect.github.com/containerd/containerd/pull/12188)) - [`83c535339`](https://redirect.github.com/containerd/containerd/commit/83c535339bbe253ce9e7a616a90f770994b754e5) ci: bump Go 1.23.12, 1.24.6 </p> </details> ##### Dependency Changes This release has no dependency changes Previous release can be found at [v1.7.28](https://redirect.github.com/containerd/containerd/releases/tag/v1.7.28) ### [`v1.7.28`](https://redirect.github.com/containerd/containerd/releases/tag/v1.7.28): containerd 1.7.28 [Compare Source](https://redirect.github.com/containerd/containerd/compare/v1.7.27...v1.7.28) Welcome to the v1.7.28 release of containerd! The twenty-eighth patch release for containerd 1.7 contains various fixes and updates. ##### Highlights ##### Image Distribution - Refresh OAuth tokens when they expire during registry operations ([#​11721](https://redirect.github.com/containerd/containerd/pull/11721)) - Set default differ for the default unpack config of transfer service ([#​11689](https://redirect.github.com/containerd/containerd/pull/11689)) ##### Runtime - Update runc binary to v1.3.0 ([#​11800](https://redirect.github.com/containerd/containerd/pull/11800)) - Remove invalid error log when stopping container after containerd restart ([#​11620](https://redirect.github.com/containerd/containerd/pull/11620)) Please try out the release binaries and report any issues at <https://github.com/containerd/containerd/issues>. ##### Contributors - Akhil Mohan - Akihiro Suda - Austin Vazquez - Maksym Pavlenko - Phil Estes - Derek McGowan - Kirtana Ashok - Henry Wang - Iain Macdonald - Jin Dong - Swagat Bora - Wei Fu - Yang Yang - madraceee ##### Changes <details><summary>57 commits</summary> <p> - Prepare release notes for v1.7.28 ([#​12134](https://redirect.github.com/containerd/containerd/pull/12134)) - [`b01b809f8`](https://redirect.github.com/containerd/containerd/commit/b01b809f89a27e19ff7531e1b88df07d2f40de97) Prepare release notes for v1.7.28 - ci: bump Go 1.23.11, 1.24.5 ([#​12117](https://redirect.github.com/containerd/containerd/pull/12117)) - [`ce2373176`](https://redirect.github.com/containerd/containerd/commit/ce2373176b0db7cdcc3e289f57aeb59927ad0efb) ci: bump Go 1.23.11, 1.24.5 - Backport windows test fixes ([#​12121](https://redirect.github.com/containerd/containerd/pull/12121)) - [`3c06bcc4d`](https://redirect.github.com/containerd/containerd/commit/3c06bcc4d2f5b55c501f9c5333596c5a6d0a980a) Fix intermittent test failures on Windows CIs - [`c6c0c6854`](https://redirect.github.com/containerd/containerd/commit/c6c0c6854ff663deb46363a8884a9015598c9f9b) Remove WS2025 from CIs due to regression - ci: use fedora 39 archive ([#​12123](https://redirect.github.com/containerd/containerd/pull/12123)) - [`6d7e021cf`](https://redirect.github.com/containerd/containerd/commit/6d7e021cf0f0f6ba1d14f0b4f76ecdf7a005feaa) ci: use fedora/39-cloud-base image from archive - update runners to ubuntu 24.04 ([#​11802](https://redirect.github.com/containerd/containerd/pull/11802)) - [`c362e18cc`](https://redirect.github.com/containerd/containerd/commit/c362e18ccd613b5baf04fff87832b871edfdecd5) CI: install OVMF for Vagrant - [`1d99bec21`](https://redirect.github.com/containerd/containerd/commit/1d99bec213063acdad8d7ad96ea4cbb78ab6b560) CI: fix "Unable to find a source package for vagrant" error - [`dafa3c48d`](https://redirect.github.com/containerd/containerd/commit/dafa3c48dffaff915bea2293eecd949fbdd94228) add debian sources for ubuntu-24 - [`b03301d85`](https://redirect.github.com/containerd/containerd/commit/b03301d851a5492808f36e5233a808a39575a1a0) partial: enable ubuntu 24 runners - [`13fbc5f97`](https://redirect.github.com/containerd/containerd/commit/13fbc5f970d1dee5425443a9b346d56ccc98db45) update release runners to ubuntu 24.04 - go.mod: golang.org/x/\* latest ([#​12096](https://redirect.github.com/containerd/containerd/pull/12096)) - [`da5d1a371`](https://redirect.github.com/containerd/containerd/commit/da5d1a3714ac06f6280740f668ebe95c62863c01) go.mod: golang.org/x/\* latest - Remove additional fuzzers from instrumentation repo ([#​12099](https://redirect.github.com/containerd/containerd/pull/12099)) - [`5fef123ba`](https://redirect.github.com/containerd/containerd/commit/5fef123ba77e3d9fd83f78fd34bdb80549034756) Remove additional fuzzers from CI - backport windows runner and golang toolchain updates ([#​11972](https://redirect.github.com/containerd/containerd/pull/11972)) - [`a35978f5a`](https://redirect.github.com/containerd/containerd/commit/a35978f5af147f279280b34082c3781904bfd4cd) ci: bump golang \[1.23.10, 1.24.4] in build and release - [`df035aa3e`](https://redirect.github.com/containerd/containerd/commit/df035aa3ef3d98eb48310d548439eb59c8b6d887) ci: bump golang \[1.23.9, 1.24.3] in build and release - [`2a6d9fc71`](https://redirect.github.com/containerd/containerd/commit/2a6d9fc71e97ff0d742b21d0f62a05a70126aa21) use go1.23.8 as the default go version - [`15d4d6eba`](https://redirect.github.com/containerd/containerd/commit/15d4d6eba30565274e1ade4d545abab2dbbcf1f9) update to go 1.24.2, 1.23.8 - [`1613a3b1a`](https://redirect.github.com/containerd/containerd/commit/1613a3b1addf8fb8a50cef46860a1b7642d81589) Enable CIs to run on WS2022 and WS2025 - test: added runc v1 tests using vagrant ([#​11896](https://redirect.github.com/containerd/containerd/pull/11896)) - [`60e73122c`](https://redirect.github.com/containerd/containerd/commit/60e73122c1f74524178ff1ea819a893d7cdb4372) test: added runc v1 tests using vagrant - Revert "disable portmap test in ubuntu-22 to make CI happy" ([#​11803](https://redirect.github.com/containerd/containerd/pull/11803)) - [`10e1b515e`](https://redirect.github.com/containerd/containerd/commit/10e1b515ec9c497bcfd7b0758bff3f6c840b303a) Revert "Disable port mapping tests in CRI-in-UserNS" - [`7a680e884`](https://redirect.github.com/containerd/containerd/commit/7a680e88494d90896322e09d4070ed86d221e25b) fix unbound SKIP\_TEST variable error - [`e5f8cc995`](https://redirect.github.com/containerd/containerd/commit/e5f8cc9953f28f1abdc2f7975a9f5833cc83ee9c) Revert "disable portmap test in ubuntu-22 to make CI happy" - Update runc binary to v1.3.0 ([#​11800](https://redirect.github.com/containerd/containerd/pull/11800)) - [`b001469c7`](https://redirect.github.com/containerd/containerd/commit/b001469c70a4489c1453cfe856055b15c536645f) Update runc binary to v1.3.0 - Refresh OAuth tokens when they expire during registry operations ([#​11721](https://redirect.github.com/containerd/containerd/pull/11721)) - [`a6421da84`](https://redirect.github.com/containerd/containerd/commit/a6421da84bb59dcf3680eb472b78f2eae8086f9b) remotes/docker/authorizer.go: invalidate auth tokens when they expire. - \[CI] Fix vagrant ([#​11739](https://redirect.github.com/containerd/containerd/pull/11739)) - [`effc49e8b`](https://redirect.github.com/containerd/containerd/commit/effc49e8b096bebfd73effb9257ad4fd80aa4e84) Fix vagrant setup - Fix CI ([#​11722](https://redirect.github.com/containerd/containerd/pull/11722)) - [`d3e7dd716`](https://redirect.github.com/containerd/containerd/commit/d3e7dd716a7988bf49f92972998a5260fd538505) Skip criu on Arms - [`7cf9ebe94`](https://redirect.github.com/containerd/containerd/commit/7cf9ebe94676a443f5df2802f2c784a93dba6b9a) Disable port mapping tests in CRI-in-UserNS - [`42657a4ed`](https://redirect.github.com/containerd/containerd/commit/42657a4ed1bcc2a5162264cb820d97bdd0a56a6b) disable portmap test in ubuntu-22 to make CI happy - [`b300fd37b`](https://redirect.github.com/containerd/containerd/commit/b300fd37b840dcad8c0635e1f8ce848413441445) add option to skip tests in critest - [`6f4ffad27`](https://redirect.github.com/containerd/containerd/commit/6f4ffad27695c7e297c0052091b0d5e7fad7e48a) Address cgroup mountpoint does not exist - [`cef298331`](https://redirect.github.com/containerd/containerd/commit/cef2983317494d0a7b67e89ef81e083f75102066) Update Ubuntu to 24 - [`2dd9be16e`](https://redirect.github.com/containerd/containerd/commit/2dd9be16e71e97b922ae42b05a7ae837c28563ca) ci: update GitHub Actions release runner to ubuntu-24.04 - Set default differ for the default unpack config of transfer service ([#​11689](https://redirect.github.com/containerd/containerd/pull/11689)) - [`e40e59e4e`](https://redirect.github.com/containerd/containerd/commit/e40e59e4ee8e7fb00213065c6fabbec8d4e7fc7f) Set default differ for the default unpack config of transfer service - silence govulncheck false positives ([#​11679](https://redirect.github.com/containerd/containerd/pull/11679)) - [`ff097d5a4`](https://redirect.github.com/containerd/containerd/commit/ff097d5a4c1a427d10fa989895d05f78c0b52893) silence govulncheck false positives - vendor: github.com/go-jose/go-jose/v3 v3.0.4 ([#​11619](https://redirect.github.com/containerd/containerd/pull/11619)) - [`52dd4dc51`](https://redirect.github.com/containerd/containerd/commit/52dd4dc51070fc93f13f048d3a919ccbf2b042aa) vendor: github.com/go-jose/go-jose/v3 v3.0.4 - Remove invalid error log when stopping container after containerd restart ([#​11620](https://redirect.github.com/containerd/containerd/pull/11620)) - [`24f41d2d5`](https://redirect.github.com/containerd/containerd/commit/24f41d2d5c6514e2f0a6f553f80183ff274ec230) use shimCtx for fifo copy - Update runc binary to v1.2.6 ([#​11584](https://redirect.github.com/containerd/containerd/pull/11584)) - [`1e1e78ad7`](https://redirect.github.com/containerd/containerd/commit/1e1e78ad7cab8d6f50be6bcf0ef7178a2ba3e207) Update runc binary to v1.2.6 - Use RWMutex in NSMap and reduce lock area ([#​11556](https://redirect.github.com/containerd/containerd/pull/11556)) - [`9a8d1d44a`](https://redirect.github.com/containerd/containerd/commit/9a8d1d44a1dee8f805ad0b071b686887222a1fe7) Use RWMutex in NSMap and reduce lock area </p> </details> ##### Dependency Changes - **github.com/go-jose/go-jose/v3** v3.0.3 -> v3.0.4 - **golang.org/x/crypto** v0.31.0 -> v0.40.0 - **golang.org/x/mod** v0.17.0 -> v0.26.0 - **golang.org/x/net** v0.33.0 -> v0.42.0 - **golang.org/x/oauth2** v0.11.0 -> v0.30.0 - **golang.org/x/sync** v0.10.0 -> v0.16.0 - **golang.org/x/sys** v0.28.0 -> v0.34.0 - **golang.org/x/term** v0.27.0 -> v0.33.0 - **golang.org/x/text** v0.21.0 -> v0.27.0 - **golang.org/x/time** [`90d013b`](https://redirect.github.com/containerd/containerd/commit/90d013bbcef8) -> v0.12.0 Previous release can be found at [v1.7.27](https://redirect.github.com/containerd/containerd/releases/tag/v1.7.27) ### [`v1.7.27`](https://redirect.github.com/containerd/containerd/releases/tag/v1.7.27): containerd 1.7.27 [Compare Source](https://redirect.github.com/containerd/containerd/compare/v1.7.26...v1.7.27) Welcome to the v1.7.27 release of containerd! The twenty-seventh patch release for containerd 1.7 contains various fixes and updates. ##### Highlights - Fix integer overflow in User ID handling ([GHSA-265r-hfxg-fhmg](https://redirect.github.com/containerd/containerd/security/advisories/GHSA-265r-hfxg-fhmg)) - Update image type checks to avoid unnecessary logs for attestations ([#​11538](https://redirect.github.com/containerd/containerd/pull/11538)) Please try out the release binaries and report any issues at <https://github.com/containerd/containerd/issues>. ##### Contributors - Jin Dong - Akhil Mohan - Derek McGowan - Maksym Pavlenko - Paweł Gronowski - Phil Estes - Akihiro Suda - Craig Ingram - Krisztian Litkey - Samuel Karp ##### Changes <details><summary>20 commits</summary> <p> - [`05044ec0a`](https://redirect.github.com/containerd/containerd/commit/05044ec0a9a75232cad458027ca83437aae3f4da) Merge commit from fork - [`11504c3fc`](https://redirect.github.com/containerd/containerd/commit/11504c3fc5f45634f2d93d57743a998194430b82) validate uid/gid - Prepare release notes for v1.7.27 ([#​11540](https://redirect.github.com/containerd/containerd/pull/11540)) - [`1be04be6c`](https://redirect.github.com/containerd/containerd/commit/1be04be6c307a7f67423574ca1b9744e57377753) Prepare release notes for v1.7.27 - Update image type checks to avoid unnecessary logs for attestations ([#​11538](https://redirect.github.com/containerd/containerd/pull/11538)) - [`82b5c43fe`](https://redirect.github.com/containerd/containerd/commit/82b5c43fed40d1f32e88215a3f0acbaf8cd9af10) core/remotes: Handle attestations in MakeRefKey - [`2c670e79b`](https://redirect.github.com/containerd/containerd/commit/2c670e79bf19bc7716c8b9f1f82c700ad8233af3) core/images: Ignore attestations when traversing children - update build to go1.23.7, test go1.24.1 ([#​11515](https://redirect.github.com/containerd/containerd/pull/11515)) - [`a39863c9f`](https://redirect.github.com/containerd/containerd/commit/a39863c9fd52abb50895a4b6f653cf501a2e3388) update build to go1.23.7, test go1.24.1 - Remove hashicorp/go-multierror dependency and fix CI ([#​11499](https://redirect.github.com/containerd/containerd/pull/11499)) - [`49537b3a7`](https://redirect.github.com/containerd/containerd/commit/49537b3a75bdcd982e7e26855779b346bb363a54) e2e: use the shim bundled with containerd artifact - [`fe490b76f`](https://redirect.github.com/containerd/containerd/commit/fe490b76fd78cc1461f20aab89951be5f88fc454) Bump up github.com/intel/goresctrl to 0.5.0 - [`13fc9d313`](https://redirect.github.com/containerd/containerd/commit/13fc9d3132fc4c77f6533551049d2d865d4e4b45) update containerd/project-checks to 1.2.1 - [`585699c94`](https://redirect.github.com/containerd/containerd/commit/585699c94f68649a89b0af46d675d6e998d67ccd) Remove unnecessary joinError unwrap - [`4b9df59be`](https://redirect.github.com/containerd/containerd/commit/4b9df59be202a011c4f65604bbeab75eeb85ab46) Remove hashicorp/go-multierror - go.{mod,sum}: bump CDI deps to v0.8.1. ([#​11422](https://redirect.github.com/containerd/containerd/pull/11422)) - [`5ba28f8dc`](https://redirect.github.com/containerd/containerd/commit/5ba28f8dc1d007059ed3eb1a7b55025e72abd525) go.{mod,sum}: bump CDI deps to v0.8.1, re-vendor. - CI: arm64-8core-32gb -> ubuntu-24.04-arm ([#​11437](https://redirect.github.com/containerd/containerd/pull/11437)) - [`85f10bd92`](https://redirect.github.com/containerd/containerd/commit/85f10bd9221f35ef1c2b8ec2d67520f461aa51a0) CI: arm64-8core-32gb -> ubuntu-24.04-arm - [`561ed520e`](https://redirect.github.com/containerd/containerd/commit/561ed520eaef2974aa8008b7a18a0944e6f90872) increase xfs base image size to 300Mb </p> </details> ##### Dependency Changes - **github.com/intel/goresctrl** v0.3.0 -> v0.5.0 - **github.com/prometheus/client\_golang** v1.14.0 -> v1.16.0 - **github.com/prometheus/common** v0.37.0 -> v0.42.0 - **github.com/prometheus/procfs** v0.8.0 -> v0.10.1 - **k8s.io/apimachinery** v0.26.2 -> v0.27.4 - **sigs.k8s.io/json** [`f223a00`](https://redirect.github.com/containerd/containerd/commit/f223a00ba0e2) -> [`bc3834c`](https://redirect.github.com/containerd/containerd/commit/bc3834ca7abd) - **tags.cncf.io/container-device-interface** v0.7.2 -> v0.8.1 - **tags.cncf.io/container-device-interface/specs-go** v0.7.0 -> v0.8.0 Previous release can be found at [v1.7.26](https://redirect.github.com/containerd/containerd/releases/tag/v1.7.26) ### [`v1.7.26`](https://redirect.github.com/containerd/containerd/releases/tag/v1.7.26): containerd 1.7.26 [Compare Source](https://redirect.github.com/containerd/containerd/compare/v1.7.25...v1.7.26) Welcome to the v1.7.26 release of containerd! The twenty-sixth patch release for containerd 1.7 contains various fixes and updates. ##### Highlights - Add support for syncfs after unpack ([#​11267](https://redirect.github.com/containerd/containerd/pull/11267)) - Update runc binary to v1.2.5 ([#​11395](https://redirect.github.com/containerd/containerd/pull/11395)) - Fix race between serve and immediate shutdown on the server ([containerd/ttrpc#175](https://redirect.github.com/containerd/ttrpc/pull/175)) - Reject oversized messages from the sender ([containerd/ttrpc#171](https://redirect.github.com/containerd/ttrpc/pull/171)) ##### Container Runtime Interface (CRI) - Fix fatal concurrency error in port forwarding ([#​11306](https://redirect.github.com/containerd/containerd/pull/11306)) ##### Node Resource Interface (NRI) - Fix initial sync race when registering NRI plugins ([#​11326](https://redirect.github.com/containerd/containerd/pull/11326)) - Add API support for reading Pod IPs ([containerd/nri#119](https://redirect.github.com/containerd/nri/pull/119)) - Fix plugin sync to use multiple messages if ttrpc max message limit is hit ([containerd/nri#111](https://redirect.github.com/containerd/nri/pull/111)) - Update API to pass configured timeouts to plugins. ([containerd/nri#109](https://redirect.github.com/containerd/nri/pull/109)) - Fix mount removal in adjustments ([containerd/nri#107](https://redirect.github.com/containerd/nri/pull/107)) - Close plugin if initial synchronization fails ([containerd/nri#103](https://redirect.github.com/containerd/nri/pull/103)) - Add support for adjusting OOM score ([containerd/nri#94](https://redirect.github.com/containerd/nri/pull/94)) - Add API support for NRI-native CDI injection ([containerd/nri#98](https://redirect.github.com/containerd/nri/pull/98)) - Add support for pids cgroup ([containerd/nri#76](https://redirect.github.com/containerd/nri/pull/76)) ##### Runtime - Fix console TTY leak in runc shim ([#​11250](https://redirect.github.com/containerd/containerd/pull/11250)) Please try out the release binaries and report any issues at <https://github.com/containerd/containerd/issues>. ##### Contributors - Krisztian Litkey - Mike Brown - Samuel Karp - Wei Fu - Phil Estes - Derek McGowan - Iceber Gu - Akhil Mohan - Antonio Ojea - Austin Vazquez - Henry Wang - Jin Dong - Xiaojin Zhang - ningmingxiao - AbdelrahmanElawady - Akihiro Suda - Antti Kervinen - Jing Xu - Jitang Lei - Justin Alvarez - Lei Liu - Maksym Pavlenko - Yang Yang - Yuhang Wei - cormick - jingtao.liang ##### Changes <details><summary>24 commits</summary> <p> - Prepare release notes for v1.7.26 ([#​11356](https://redirect.github.com/containerd/containerd/pull/11356)) - [`ceba197f5`](https://redirect.github.com/containerd/containerd/commit/ceba197f5fa0b76b0f181c24f81c67c43d34bff2) Prepare release notes for v1.7.26 - Upgrade x/net to 0.33.0 to fix vulnerability GHSA-w32m-9786-jp63 ([#​11434](https://redirect.github.com/containerd/containerd/pull/11434)) - [`3486bc8dd`](https://redirect.github.com/containerd/containerd/commit/3486bc8dd19acbde278ed6c4c4fa42c7299e1278) Upgrade x/net to 0.33.0 - update build to go1.23.6, test go1.24.0 ([#​11419](https://redirect.github.com/containerd/containerd/pull/11419)) - [`9025d3075`](https://redirect.github.com/containerd/containerd/commit/9025d3075b91b0806ff15f27f28bbce8af4f1a76) update build to go1.23.6, test go1.24.0 - Update install-imgcrypt to allow change install repo ([#​11358](https://redirect.github.com/containerd/containerd/pull/11358)) - [`83eaab482`](https://redirect.github.com/containerd/containerd/commit/83eaab4822188e019efe68c29a6d77f37f099d6e) Update install-imgcrypt to allow change install repo - Add support for syncfs after unpack ([#​11267](https://redirect.github.com/containerd/containerd/pull/11267)) - [`8bc21cba7`](https://redirect.github.com/containerd/containerd/commit/8bc21cba7516727b294d4dd6a3e8859cbdd146a8) support to syncfs after pull by using diff plugin - Update runc binary to v1.2.5 ([#​11395](https://redirect.github.com/containerd/containerd/pull/11395)) - [`27c472acf`](https://redirect.github.com/containerd/containerd/commit/27c472acf59c4d86e2b446ae554691149ac43661) Update runc binary to v1.2.5 - Move `run.skip-dirs` to `issues.exclude-dirs` in golangci-lint config ([#​11400](https://redirect.github.com/containerd/containerd/pull/11400)) - [`8d8034b66`](https://redirect.github.com/containerd/containerd/commit/8d8034b66e2790ef0149207acb7c92a033d7f1f8) move skip-dirs to issues.exclude-dirs - Fix initial sync race when registering NRI plugins ([#​11326](https://redirect.github.com/containerd/containerd/pull/11326)) - [`11af05177`](https://redirect.github.com/containerd/containerd/commit/11af05177545dbb97d87aa861b15d70ab911307c) cri,nri: block NRI plugin sync. during event processing. - [`d4036cd3d`](https://redirect.github.com/containerd/containerd/commit/d4036cd3d1eb174ea379c8e1d139c25cfe9f18d8) go.{mod,sum}: bump NRI to v0.8.0, re-vendor. - Fix console TTY leak in runc shim ([#​11250](https://redirect.github.com/containerd/containerd/pull/11250)) - [`c3e24e024`](https://redirect.github.com/containerd/containerd/commit/c3e24e0248f0ca83d0bfbb0262862c2a06a632e2) Add integ test to check tty leak - [`4e45a463d`](https://redirect.github.com/containerd/containerd/commit/4e45a463d90fd44f6b92978721779d7b09045cee) fix master tty leak due to leaking init container object - Fix fatal concurrency error in port forwarding ([#​11306](https://redirect.github.com/containerd/containerd/pull/11306)) - [`0fe9f0b52`](https://redirect.github.com/containerd/containerd/commit/0fe9f0b52f7b700689df46d13de36e67b62486e1) fix fatal error: concurrent map iteration and map write - update build to go1.22.11, test go1.23.5 ([#​11298](https://redirect.github.com/containerd/containerd/pull/11298)) - [`441b92636`](https://redirect.github.com/containerd/containerd/commit/441b92636a806d71655945137210126de723e4fe) update build to go1.22.11, test go1.23.5 </p> </details> ##### Changes from containerd/nri <details><summary>77 commits</summary> <p> - Add API support for reading Pod IPs ([containerd/nri#119](https://redirect.github.com/containerd/nri/pull/119)) - [`eaf78a9`](https://redirect.github.com/containerd/nri/commit/eaf78a9afe9ebac28a68d1163dd00183525801a3) api: support Pod IPs - generate: do not set OOMScoreAdj if no adjustment ([containerd/nri#116](https://redirect.github.com/containerd/nri/pull/116)) - [`07bfc18`](https://redirect.github.com/containerd/nri/commit/07bfc18129a3cc9c4b44e1aced9972279a50ddb5) wip: generate: add test for oom score adj - [`b5fc359`](https://redirect.github.com/containerd/nri/commit/b5fc359973c0e8c599b12c1d118546c267894b3b) generate: do not set OOMScoreAdj if no adjustment - device-injector: remove unreachable code. ([containerd/nri#115](https://redirect.github.com/containerd/nri/pull/115)) - [`235aa11`](https://redirect.github.com/containerd/nri/commit/235aa114dffc784073ec8b2f88fbd4ecfba06450) chore: remove unreachable code and fmt files - Fix plugin sync to use multiple messages if ttrpc max message limit is hit ([containerd/nri#111](https://redirect.github.com/containerd/nri/pull/111)) - [`159f575`](https://redirect.github.com/containerd/nri/commit/159f5754db397e32ce886cd07985ffd95f1bd823) template: dump pod/container count in sync message. - [`bf267e3`](https://redirect.github.com/containerd/nri/commit/bf267e336f2ec2f5045fd396fb68f9853d2b5db9) stub: collect/handle split sync messages. - [`ed78ae9`](https://redirect.github.com/containerd/nri/commit/ed78ae9231cb603031f66921559ca6f38ef77bb5) adaptation: use multiple sync messages if necessary. - [`6fd59d6`](https://redirect.github.com/containerd/nri/commit/6fd59d6d7701cdadeae4db0058b3fde84c02e94b) api: add support for multiple sync messages. - [`a7fcccc`](https://redirect.github.com/containerd/nri/commit/a7fcccc4ba35f69ea2af790b6cb4b46385c50ce4) mux: split oversized messages. - [`5fe9b06`](https://redirect.github.com/containerd/nri/commit/5fe9b06401fb7fce78c41b95df04e05dffc22e5b) mux: fix maximum allowed message size. - [`693d64e`](https://redirect.github.com/containerd/nri/commit/693d64e2565cc14c00fae2de904ffc030fc2b894) go.{mod,sum}, plugins: update ttrpc and NRI deps. - Update API to pass configured timeouts to plugins. ([containerd/nri#109](https://redirect.github.com/containerd/nri/pull/109)) - [`320e4e7`](https://redirect.github.com/containerd/nri/commit/320e4e7e52a856b119cfa1c06a4a135ab5f88f56) adaptation: tests for runtime version, timeouts. - [`f86d982`](https://redirect.github.com/containerd/nri/commit/f86d98210749556ef562776fde784d2250d1190e) api,adaptation,stub: let plugin know configured timeouts. - [`cfcd2af`](https://redirect.github.com/containerd/nri/commit/cfcd2af3c80db6667f2d1a291225cc616b6049c3) Makefile: fix ginkgo-tests target. - [`8cd9504`](https://redirect.github.com/containerd/nri/commit/8cd9504a48e1b79625ff5fce3d058c6662bc34d6) adaptation: block plugin sync/registration in test suite. - [`966ac92`](https://redirect.github.com/containerd/nri/commit/966ac92b01fca271373e2088695538dcef0edb2b) adaptation: implement plugin synchronization blocks. - ci: verify that code generation works and results match ([containerd/nri#113](https://redirect.github.com/containerd/nri/pull/113)) - [`f74ce31`](https://redirect.github.com/containerd/nri/commit/f74ce31ef9b048d69702b954912122a0597598a8) ci: verify code generation and generated files in repo - deps: bump gingko to v2.19.1, golang to v1.21.x. ([containerd/nri#110](https://redirect.github.com/containerd/nri/pull/110)) - [`e4d5c36`](https://redirect.github.com/containerd/nri/commit/e4d5c36429c495c5d61d0183ba1c1a908ed598f4) ci: stop testing with golang 1.20.x. - [`6578149`](https://redirect.github.com/containerd/nri/commit/65781492cc1b0cf5a6a6166a81ba638e45b7f93f) go.{mod,sum}: bump golang requirement to 1.21. - [`442e812`](https://redirect.github.com/containerd/nri/commit/442e81239436c53689e14d9a641099a4aeec7cbe) go.{mod,sum}: update to ginkgo v2.19.1. - sync sandboxes and containers after starting the pre-installed plugins ([containerd/nri#43](https://redirect.github.com/containerd/nri/pull/43)) - [`eada085`](https://redirect.github.com/containerd/nri/commit/eada085db3965057686def58fd8993c70030dd7f) ignore pre-installed plugins that did not sync successfully - [`b881bc4`](https://redirect.github.com/containerd/nri/commit/b881bc4ba69e3bfe718939d97f327f3c72670fad) sync sandboxes and containers after starting the pre-installed plugins - Fix mount removal in adjustments ([containerd/nri#107](https://redirect.github.com/containerd/nri/pull/107)) - [`3880f1d`](https://redirect.github.com/containerd/nri/commit/3880f1df504f4b3ceedd3a36172162c886a00564) adaptation: add test case for mount removal. - [`0d3b376`](https://redirect.github.com/containerd/nri/commit/0d3b37631b9fb913e95a9a0efd31b27117208e40) adaptation: fix mount removal in adjustments. - codespell: add codespell config, workflow, fix spelling errors. ([containerd/nri#105](https://redirect.github.com/containerd/nri/pull/105)) - [`df84c47`](https://redirect.github.com/containerd/nri/commit/df84c475025e3fc536701aa99f6ca6d14dbea648) .github: add codespell workflow. - [`a03dc93`](https://redirect.github.com/containerd/nri/commit/a03dc9359c2d526924e56a9d167445a69588d3ae) pkg,plugins,.codespellrc: add codespellrc, fix spelling. - Close plugin if initial synchronization fails ([containerd/nri#103](https://redirect.github.com/containerd/nri/pull/103)) - [`4aec208`](https://redirect.github.com/containerd/nri/commit/4aec208281ac3630b02d737005778527aec8abae) adaptation: log plugin as connected and synchronized. - [`4e60cd0`](https://redirect.github.com/containerd/nri/commit/4e60cd0fb845ffefa9590084bb5261a113ad6858) adaptation: close plugin if initial synchronization fails. - Reset source path of api.pb.go to pkg/api/api.proto ([containerd/nri#104](https://redirect.github.com/containerd/nri/pull/104)) - [`1cc026f`](https://redirect.github.com/containerd/nri/commit/1cc026f8a3773b9e0d4ca80f9c3e978ef7d54bef) Reset source path of api.pb.go to pkg/api/api.proto - Add support for adjusting OOM score ([containerd/nri#94](https://redirect.github.com/containerd/nri/pull/94)) - [`efcb2da`](https://redirect.github.com/containerd/nri/commit/efcb2dad664293bd3fbad1557cac2dcfd15a86dc) NRI plugins support adjust oom\_score\_adj - Add API support for NRI-na </details> --- ### Configuration 📅 **Schedule**: Branch creation - "" (UTC), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Enabled. ♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- ## Need help? You can ask for more help in the following Slack channel: #proj-renovate-self-hosted. In that channel you can also find ADR and FAQ docs in the Resources section. <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4zLjYiLCJ1cGRhdGVkSW5WZXIiOiI0My45LjAiLCJ0YXJnZXRCcmFuY2giOiJtYWluIiwibGFiZWxzIjpbImF1dG9tZXJnZS1zZWN1cml0eS11cGRhdGUiLCJzZXZlcml0eTpVTktOT1dOIl19--> Signed-off-by: renovate-sh-app[bot] <219655108+renovate-sh-app[bot]@users.noreply.github.com> Co-authored-by: renovate-sh-app[bot] <219655108+renovate-sh-app[bot]@users.noreply.github.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Reject oversized messages on the sender side (keeping the receiver side rejection code intact). Do not forcibly close in
channel.send()the underlying connection when an oversized message is rejected.This should provide minimal low-level means for ttrpc-based applications to detect oversized requests in
client.Call()and attempt an application level recovery/corrective actions, if the high-level protocol is designed with this in mind.