Update Request | Renovate Bot
This PR contains the following updates: v1.6.15 -> v1.6.18
GitHub Vulnerability Alerts
CVE-2023-25173
Impact
A bug was found in containerd where supplementary groups are not set up properly inside a container. If an attacker has direct access to a container and manipulates their supplementary group access, they may be able to use supplementary group access to bypass primary group restrictions in some cases, potentially gaining access to sensitive information or gaining the ability to execute code in that container.
Downstream applications that use the containerd client library may be affected as well.
Patches
This bug has been fixed in containerd v1.6.18 and v1.5.18. Users should update to these versions and recreate containers to resolve this issue. Users who rely on a downstream application that uses containerd's client library should check that application for a separate advisory and instructions.
Workarounds
Ensure that the "USER $USERNAME" Dockerfile instruction is not used. Instead, set the container entrypoint to a value similar to ENTRYPOINT ["su", "-", "user"] to allow su to properly set up supplementary groups.
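To make concrete what "setting up supplementary groups" means, here is an added Go example (not containerd's code) that resolves a user's UID, primary GID and supplementary GIDs from constructed /etc/passwd and /etc/group data, then reports which groups a running process is missing; the file contents, user names and GIDs are made up for the example.

```go
package main

import (
	"fmt"
	"sort"
	"strconv"
	"strings"
)

// Constructed /etc/passwd and /etc/group contents standing in for an image's rootfs.
const samplePasswd = `root:x:0:0:root:/root:/bin/sh
app:x:1000:1000:app:/home/app:/bin/sh
`

const sampleGroup = `root:x:0:
app:x:1000:
secrets:x:2000:app
audio:x:29:app,other
other:x:1001:
`

// ResolveUser looks up name in passwd and group data and returns its UID, primary
// GID and the sorted supplementary GIDs (every group listing the user as a member,
// other than the primary one). This is the lookup a runtime has to perform before
// exec so the process's groups match the image's /etc/group; a USER instruction
// alone does not guarantee it, which is the gap the advisory describes.
func ResolveUser(passwd, group, name string) (uid, gid int, extra []int, err error) {
	uid, gid = -1, -1
	for _, line := range strings.Split(passwd, "\n") {
		f := strings.Split(line, ":")
		if len(f) < 4 || f[0] != name {
			continue
		}
		if uid, err = strconv.Atoi(f[2]); err != nil {
			return -1, -1, nil, fmt.Errorf("passwd: bad uid for %s: %w", name, err)
		}
		if gid, err = strconv.Atoi(f[3]); err != nil {
			return -1, -1, nil, fmt.Errorf("passwd: bad gid for %s: %w", name, err)
		}
		break
	}
	if uid < 0 {
		return -1, -1, nil, fmt.Errorf("user %q not found in passwd", name)
	}
	for _, line := range strings.Split(group, "\n") {
		f := strings.Split(line, ":")
		if len(f) < 4 {
			continue
		}
		g, err := strconv.Atoi(f[2])
		if err != nil {
			return -1, -1, nil, fmt.Errorf("group: bad gid in %q: %w", line, err)
		}
		for _, member := range strings.Split(f[3], ",") {
			if member == name && g != gid {
				extra = append(extra, g)
			}
		}
	}
	sort.Ints(extra)
	return uid, gid, extra, nil
}

// MissingGroups returns the GIDs in want that are absent from have. Feeding it the
// resolved list and the process's real groups (os.Getgroups on a live system) is one
// way to check whether a container's supplementary groups were set up.
func MissingGroups(want, have []int) []int {
	seen := make(map[int]bool, len(have))
	for _, g := range have {
		seen[g] = true
	}
	var missing []int
	for _, g := range want {
		if !seen[g] {
			missing = append(missing, g)
		}
	}
	return missing
}

func main() {
	uid, gid, extra, err := ResolveUser(samplePasswd, sampleGroup, "app")
	if err != nil {
		panic(err)
	}
	fmt.Printf("uid=%d gid=%d supplementary=%v\n", uid, gid, extra)
	// A process left with only its primary GID is missing every supplementary group.
	fmt.Println("missing:", MissingGroups(extra, []int{gid}))
}
```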
CVE-2023-25153
Impact
When importing an OCI image, there was no limit on the number of bytes read for certain files. A maliciously crafted image with a large file where a limit was not applied could cause a denial of service.
Patches
This bug has been fixed in containerd 1.6.18 and 1.5.18. Users should update to these versions to resolve the issue.
Workarounds
Ensure that only trusted images are used and that only trusted users have permissions to import images.
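An added Go example (not the containerd importer) of the bounded-read pattern the fix applies: metadata entries in an OCI image tarball are read through a size cap, so a crafted oversized file fails fast instead of growing memory with the entry. The 1 MiB cap, the in-memory tarball and the file contents are this example's own assumptions.

```go
package main

import (
	"archive/tar"
	"bytes"
	"fmt"
	"io"
)

// maxMetaSize is the assumed per-file cap for small metadata files in an OCI
// layout tarball (oci-layout, manifest.json); the value is this example's choice.
const maxMetaSize = 1 << 20 // 1 MiB

// readBounded reads at most limit bytes from r and fails if more are available,
// so the archive's declared entry size never dictates how much memory is used.
func readBounded(r io.Reader, limit int64) ([]byte, error) {
	buf, err := io.ReadAll(io.LimitReader(r, limit+1))
	if err != nil {
		return nil, err
	}
	if int64(len(buf)) > limit {
		return nil, fmt.Errorf("entry exceeds %d bytes", limit)
	}
	return buf, nil
}

// importMetadata walks an image tarball and returns the contents of oci-layout and
// manifest.json, each read through readBounded. Other entries (layer blobs) are
// skipped here; a real importer would stream them to content storage instead.
func importMetadata(tarball io.Reader) (map[string][]byte, error) {
	out := map[string][]byte{}
	tr := tar.NewReader(tarball)
	for {
		hdr, err := tr.Next()
		if err == io.EOF {
			return out, nil
		}
		if err != nil {
			return nil, err
		}
		switch hdr.Name {
		case "oci-layout", "manifest.json":
			data, err := readBounded(tr, maxMetaSize)
			if err != nil {
				return nil, fmt.Errorf("%s: %w", hdr.Name, err)
			}
			out[hdr.Name] = data
		}
	}
}

// buildImage constructs an in-memory tarball from the given files (constructed input).
func buildImage(files map[string][]byte) []byte {
	var b bytes.Buffer
	tw := tar.NewWriter(&b)
	for name, data := range files {
		hdr := &tar.Header{Name: name, Mode: 0o644, Size: int64(len(data))}
		if err := tw.WriteHeader(hdr); err != nil {
			panic(err)
		}
		if _, err := tw.Write(data); err != nil {
			panic(err)
		}
	}
	if err := tw.Close(); err != nil {
		panic(err)
	}
	return b.Bytes()
}

func main() {
	good := buildImage(map[string][]byte{
		"oci-layout":    []byte(`{"imageLayoutVersion":"1.0.0"}`),
		"manifest.json": []byte(`[{"Config":"blobs/sha256/cfg","Layers":[]}]`),
	})
	if m, err := importMetadata(bytes.NewReader(good)); err == nil {
		fmt.Printf("ok: %d metadata files\n", len(m))
	}
	// A crafted image whose manifest.json is larger than the cap is rejected.
	bad := buildImage(map[string][]byte{"manifest.json": bytes.Repeat([]byte("A"), maxMetaSize+1)})
	_, err := importMetadata(bytes.NewReader(bad))
	fmt.Println("oversized manifest:", err)
}
```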
Credits
The containerd project would like to thank David Korczynski and Adam Korczynski of ADA Logics for responsibly disclosing this issue in accordance with the containerd security policy during a security fuzzing audit sponsored by CNCF.
For more information
If you have any questions or comments about this advisory:
Release Notes
containerd/containerd
### [`v1.6.18`](https://togithub.com/containerd/containerd/releases/tag/v1.6.18): containerd 1.6.18
[Compare Source](https://togithub.com/containerd/containerd/compare/v1.6.17...v1.6.18)
Welcome to the v1.6.18 release of containerd!
The eighteenth patch release for containerd 1.6 includes fixes for CVE-2023-25153 and CVE-2023-25173
along with a security update for Go.
##### Notable Updates
- **Fix OCI image importer memory exhaustion** ([GHSA-259w-8hf6-59c2](https://togithub.com/containerd/containerd/security/advisories/GHSA-259w-8hf6-59c2))
- **Fix supplementary groups not being set up properly** ([GHSA-hmfx-3pcx-653p](https://togithub.com/containerd/containerd/security/advisories/GHSA-hmfx-3pcx-653p))
- **Revert removal of `/sbin/apparmor_parser` check** ([#8087](https://togithub.com/containerd/containerd/pull/8087))
- **Update Go to 1.19.6** ([#8111](https://togithub.com/containerd/containerd/pull/8111))
See the changelog for the complete list of changes.
Please try out the release binaries and report any issues at
https://github.com/containerd/containerd/issues.
##### Contributors
- Akihiro Suda
- Derek McGowan
- Ye Sijun
- Samuel Karp
- Bjorn Neergaard
- Wei Fu
- Brian Goff
- Iceber Gu
- Kazuyoshi Kato
- Phil Estes
- Swagat Bora
##### Changes
24 commits
- \[release/1.6] Prepare release notes for v1.6.18 ([#8118](https://togithub.com/containerd/containerd/pull/8118))
- [`44e61d764`](https://togithub.com/containerd/containerd/commit/44e61d7641f71f44353263306a4967276933173b) Add release notes for v1.6.18
- Github Security Advisory [GHSA-hmfx-3pcx-653p](https://togithub.com/containerd/containerd/security/advisories/GHSA-hmfx-3pcx-653p)
- [`286a01f35`](https://togithub.com/containerd/containerd/commit/286a01f350a2298b4fdd7e2a0b31c04db3937ea8) oci: fix additional GIDs
- [`301823453`](https://togithub.com/containerd/containerd/commit/301823453d788ce409e222e88a27d7faf2c2093d) oci: fix loop iterator aliasing
- [`0070ab70f`](https://togithub.com/containerd/containerd/commit/0070ab70fa58045d25fc6ebab27edcae328e38f1) oci: skip checking gid for WithAppendAdditionalGroups
- [`16d52de64`](https://togithub.com/containerd/containerd/commit/16d52de64d9b0b0e4bf7e11226199281561a3d96) refactor: reduce duplicate code
- [`b45e30292`](https://togithub.com/containerd/containerd/commit/b45e30292ce9b214158fa403a6165aabbf5b23f0) add WithAdditionalGIDs test
- [`0a06c284a`](https://togithub.com/containerd/containerd/commit/0a06c284aec5860a58a803b5da83def3462dc3a0) add WithAppendAdditionalGroups helper
- Github Security Advisory [GHSA-259w-8hf6-59c2](https://togithub.com/containerd/containerd/security/advisories/GHSA-259w-8hf6-59c2)
- [`84936fd1f`](https://togithub.com/containerd/containerd/commit/84936fd1f6a0670ab8c7665cb87fae6b87b0b908) importer: stream oci-layout and manifest.json
- \[1.6] Add fallback for windows platforms without osversion ([#8106](https://togithub.com/containerd/containerd/pull/8106))
- [`b327af6a4`](https://togithub.com/containerd/containerd/commit/b327af6a4f635611d8b59beec94db0beace48063) Add fallback for windows platforms without osversion
- \[release/1.6] Go 1.19.6 ([#8111](https://togithub.com/containerd/containerd/pull/8111))
- [`54ead5b7b`](https://togithub.com/containerd/containerd/commit/54ead5b7b71a0f458566e42eac28eb274286af47) Go 1.19.6
- \[release/1.6] ctr/run: flags --detach and --rm cannot be specified together ([#8094](https://togithub.com/containerd/containerd/pull/8094))
- [`2b4b35ab4`](https://togithub.com/containerd/containerd/commit/2b4b35ab49b0cea79f76c4f52923c74cfc26ccfb) ctr/run: flags --detach and --rm cannot be specified together
- \[release/1.6] Fix retry logic within devmapper device deactivation ([#8088](https://togithub.com/containerd/containerd/pull/8088))
- [`d5284157b`](https://togithub.com/containerd/containerd/commit/d5284157b8af78a2d85e78bd3106695a4e4c995b) Fix retry logic within devmapper device deactivation
- \[release/1.6 backport] Revert `apparmor_parser` regression ([#8087](https://togithub.com/containerd/containerd/pull/8087))
- [`624ff636b`](https://togithub.com/containerd/containerd/commit/624ff636b8b463fc48e6ba3c861f98a0c00dbb71) pkg/apparmor: clarify Godoc
- [`3a0a35b36`](https://togithub.com/containerd/containerd/commit/3a0a35b36297685d1a38bfa823005a2cb77a40dd) Revert "Don't check for apparmor_parser to be present"
- \[release/1.6] CI: skip some jobs when `repo != containerd/containerd` ([#8083](https://togithub.com/containerd/containerd/pull/8083))
- [`664a938a3`](https://togithub.com/containerd/containerd/commit/664a938a33ccbbc0ab70ca5f9455e452b910e767) CI: skip some jobs when `repo != containerd/containerd`
##### Dependency Changes
This release has no dependency changes
Previous release can be found at [v1.6.17](https://togithub.com/containerd/containerd/releases/tag/v1.6.17)
### [`v1.6.17`](https://togithub.com/containerd/containerd/releases/tag/v1.6.17): containerd 1.6.17
[Compare Source](https://togithub.com/containerd/containerd/compare/v1.6.16...v1.6.17)
Welcome to the v1.6.17 release of containerd!
The seventeenth patch release for containerd 1.6 includes various updates.
##### Notable Updates
- **Add network plugin metrics** ([#8018](https://togithub.com/containerd/containerd/pull/8018))
- **Update mkdir permission on /etc/cni to 0755 instead of 0700** ([#8030](https://togithub.com/containerd/containerd/pull/8030))
- **Export remote snapshotter label handler** ([#8054](https://togithub.com/containerd/containerd/pull/8054))
- **Add support for default hosts.toml configuration** ([#8065](https://togithub.com/containerd/containerd/pull/8065))
See the changelog for the complete list of changes.
Please try out the release binaries and report any issues at
https://github.com/containerd/containerd/issues.
##### Contributors
- Derek McGowan
- Akihiro Suda
- Jess
- Antonio Ojea
- Kohei Tokunaga
- Phil Estes
- Wei Fu
##### Changes
11 commits
- \[release/1.6] Prepare release notes for v1.6.17 ([#8080](https://togithub.com/containerd/containerd/pull/8080))
- [`a1aa9b900`](https://togithub.com/containerd/containerd/commit/a1aa9b900ce9e276a210a48aa5dc8b8832a44c2e) Prepare release notes for v1.6.17
- \[1.6] Backport default registry hosts config ([#8065](https://togithub.com/containerd/containerd/pull/8065))
- [`1436641b8`](https://togithub.com/containerd/containerd/commit/1436641b8dc77f24f4ec57d238344bc6bb857081) Support default hosts.toml configuration
- [`87acecd04`](https://togithub.com/containerd/containerd/commit/87acecd0409103c266c5eda932e809e6717e7859) Update hosts doc
- \[release/1.6 backport] Export remote snapshotter label handler ([#8054](https://togithub.com/containerd/containerd/pull/8054))
- [`a6544ed7d`](https://togithub.com/containerd/containerd/commit/a6544ed7dc114b7542041eea91abbc7fe9a466a0) Export remote snapshotter label handler
- \[release/1.6] cri: mkdir /etc/cni with 0755, not 0700 ([#8030](https://togithub.com/containerd/containerd/pull/8030))
- [`ae02a24a3`](https://togithub.com/containerd/containerd/commit/ae02a24a39ddd6764eb7f98de677f11d8bdd1919) cri: mkdir /etc/cni with 0755, not 0700
- \[release/1.6] add network plugin metrics ([#8018](https://togithub.com/containerd/containerd/pull/8018))
- [`6c6cc5ec1`](https://togithub.com/containerd/containerd/commit/6c6cc5ec107f10ccf4d4acbfe89d572a52d58a92) add network plugin metrics
##### Dependency Changes
This release has no dependency changes
Previous release can be found at [v1.6.16](https://togithub.com/containerd/containerd/releases/tag/v1.6.16)
### [`v1.6.16`](https://togithub.com/containerd/containerd/releases/tag/v1.6.16): containerd 1.6.16
[Compare Source](https://togithub.com/containerd/containerd/compare/v1.6.15...v1.6.16)
Welcome to the v1.6.16 release of containerd!
The sixteenth patch release for containerd 1.6 includes various bug fixes and updates.
##### Notable Updates
- **Fix push error propagation** ([#7990](https://togithub.com/containerd/containerd/pull/7990))
- **Fix slice append error with HugepageLimits for Linux** ([#7995](https://togithub.com/containerd/containerd/pull/7995))
- **Update default seccomp profile for PKU and CAP_SYS_NICE** ([#8001](https://togithub.com/containerd/containerd/pull/8001))
- **Fix overlayfs error when upperdirlabel option is set** ([#8002](https://togithub.com/containerd/containerd/pull/8002))
See the changelog for the complete list of changes.
Please try out the release binaries and report any issues at
https://github.com/containerd/containerd/issues.
##### Contributors
- Akihiro Suda
- Derek McGowan
- Samuel Karp
- Sebastiaan van Stijn
- Phil Estes
- Craig Ingram
- Justin Chadwell
- Qasim Sarfraz
- Wei Fu
- bin liu
- cardy.tang
- rongfu.leng
##### Changes
30 commits
- \[release/1.6] Prepare v1.6.16 ([#8016](https://togithub.com/containerd/containerd/pull/8016))
- [`d3c595aa3`](https://togithub.com/containerd/containerd/commit/d3c595aa387e2d7ad3cd08313579ec86c876f738) Prepare release notes for v1.6.16
- \[release/1.6 backport] Fix tx closed error when upperdirlabel specified ([#8002](https://togithub.com/containerd/containerd/pull/8002))
- [`8c704036a`](https://togithub.com/containerd/containerd/commit/8c704036a81b13b25ab7073e2715075b6ec39e94) Fix tx closed error when upperdirlabel specified
- \[release/1.6 backport] assorted test-fixes ([#8000](https://togithub.com/containerd/containerd/pull/8000))
- [`91a68edd7`](https://togithub.com/containerd/containerd/commit/91a68edd775bba554a9eac7e04898b22069db5aa) cri: Fix TestUpdateOCILinuxResource for host w/o swap controller
- [`5594f706e`](https://togithub.com/containerd/containerd/commit/5594f706e67462c4a29f68e6958341ba35d06826) Fix TestUpdateContainerResources_Memory\* on cgroup v2 hosts
- \[release/1.6 backport] seccomp updates ([#8001](https://togithub.com/containerd/containerd/pull/8001))
- [`7037f5313`](https://togithub.com/containerd/containerd/commit/7037f531304821b7b1943f2c7821d94035b54d76) seccomp: add get_mempolicy, mbind, set_mempolicy, with CAP_SYS_NICE
- [`d22919a1c`](https://togithub.com/containerd/containerd/commit/d22919a1cb8180885a6f38fa7851a487aebd2440) seccomp: seccomp: add syscalls related to PKU in default policy
- \[release/1.6 backport] Harden GITHUB_TOKEN permissions ([#7999](https://togithub.com/containerd/containerd/pull/7999))
- [`8b8a21fe4`](https://togithub.com/containerd/containerd/commit/8b8a21fe4dbc7b940a802cb8d099a4084dae6ee9) Harden GITHUB_TOKEN permissions
- \[release/1.6 backport] assorted updates to Vagrantfile ([#7996](https://togithub.com/containerd/containerd/pull/7996))
- [`8009948bb`](https://togithub.com/containerd/containerd/commit/8009948bb2dee8eb2c021d8a467572927ed0657d) Vagrantfile: fix comments about SELinux
- [`550424f92`](https://togithub.com/containerd/containerd/commit/550424f929d7f9ae8fd59bd520719d0d8f00f2b3) Vagrantfile: install-rootless-podman: remove `setenforce 0`
- [`2c32f8559`](https://togithub.com/containerd/containerd/commit/2c32f85599ec121702329ffddd50f99dbe491370) CI: update Fedora to 37
- [`556bb0cc8`](https://togithub.com/containerd/containerd/commit/556bb0cc8a01ece740d28749bcc6d76360117167) Vagrantfile: explicitly specify rsync as the shared folder driver
- [`edfac1834`](https://togithub.com/containerd/containerd/commit/edfac183479d3a98147d1652b4ee198f522330a5) fix install cni script
- [`91d5e53fb`](https://togithub.com/containerd/containerd/commit/91d5e53fbc3d5acfdd8ca4328cec1a20359b22f8) Vagrantfile: dump containerd log after critest
- \[release/1.6 backport] Fix slice append error ([#7995](https://togithub.com/containerd/containerd/pull/7995))
- [`ab193eb20`](https://togithub.com/containerd/containerd/commit/ab193eb20bade0c7fff74a33a3b91f2517af05c6) pkg/cri: optimize slice initialization
- [`e6cf5ec58`](https://togithub.com/containerd/containerd/commit/e6cf5ec58d395332985f15084527676d70b21f1c) Fix slice append error
- \[release/1.6] update to go1.18.10 ([#7992](https://togithub.com/containerd/containerd/pull/7992))
- [`6a8a6531f`](https://togithub.com/containerd/containerd/commit/6a8a6531fd4f778089376749386c934b436484f7) \[release/1.6] update to go1.18.10
- \[release/1.6 backport] release/Dockerfile: set DEBIAN_FRONTEND=noninteractive ([#7991](https://togithub.com/containerd/containerd/pull/7991))
- [`d0dc7988a`](https://togithub.com/containerd/containerd/commit/d0dc7988ab9b30be8a05fae1fc064164418e653d) release/Dockerfile: set DEBIAN_FRONTEND=noninteractive
- \[release/1.6 backport] pushWriter: correctly propagate errors ([#7990](https://togithub.com/containerd/containerd/pull/7990))
- [`1584c2581`](https://togithub.com/containerd/containerd/commit/1584c2581017414e673e4df05f63bc6b67edd424) pushWriter: correctly propagate errors
- \[release/1.6] mod: update github.com/pelletier/go-toml@v1.9.5 ([#7942](https://togithub.com/containerd/containerd/pull/7942))
- [`545f22091`](https://togithub.com/containerd/containerd/commit/545f220910082c4236a8751854c640e7f7dc3e69) mod: update github.com/pelletier/go-toml@v1.9.5
##### Dependency Changes
- **github.com/pelletier/go-toml** v1.9.3 -> v1.9.5
Previous release can be found at [v1.6.15](https://togithub.com/containerd/containerd/releases/tag/v1.6.15)
Configuration
Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
Automerge: Disabled by config. Please merge this manually once you are satisfied.
Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Mend Renovate. View repository job log here.