moby/moby
### [`v20.10.9`](https://togithub.com/moby/moby/releases/v20.10.9)
[Compare Source](https://togithub.com/moby/moby/compare/v20.10.8...v20.10.9)
This release is a security release with security fixes in the CLI, runtime, as
well as updated versions of the containerd.io package and the Go runtime.
#### Client
- [CVE-2021-41092](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41092)
Ensure default auth config has address field set, to prevent credentials being
sent to the default registry.
#### Runtime
- [CVE-2021-41089](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41089)
Create parent directories inside a chroot during `docker cp` to prevent a specially
crafted container from changing permissions of existing files in the host’s filesystem.
- [CVE-2021-41091](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41091)
Lock down file permissions to prevent unprivileged users from discovering and
executing programs in `/var/lib/docker`.
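The CVE-2021-41091 fix tightens permissions on the data root so that unprivileged local users can no longer traverse it. The following is an added post-upgrade check, not moby's own code: it flags any "other" permission bit on the data root (the execute bit is the one that allows traversal), lists offending paths, and runs its demo on a constructed scratch tree. It assumes a `stat` that accepts `-c '%a'` (GNU coreutils or busybox) and the default data root path; adjust the path if `daemon.json` sets `data-root`.

```shell
#!/bin/sh
# Added example, not moby's own code: a post-upgrade check for the condition
# behind CVE-2021-41091, a Docker data root that grants permissions to "other"
# and so lets unprivileged local users traverse it and reach programs inside.
# Assumes GNU/busybox stat (-c '%a'); /var/lib/docker is the default data root.

# check_not_world_accessible DIR
# Returns 0 when DIR gives "other" no read, write or execute bit, 1 otherwise.
# The execute (search) bit is the one that allows traversal, so it counts too.
check_not_world_accessible() {
    dir=$1
    [ -d "$dir" ] || { echo "missing: $dir" >&2; return 2; }
    mode=$(stat -c '%a' "$dir")       # octal mode, e.g. 710 or 1777
    other=${mode#"${mode%?}"}         # last octal digit is the "other" class
    [ "$other" = 0 ]
}

# list_world_accessible DIR
# Prints every path under DIR with any "other" bit set (octal 004, 002, 001).
# Errors from unreadable subtrees are dropped; run as root for a complete list.
list_world_accessible() {
    find "$1" -perm -004 -o -perm -002 -o -perm -001 2>/dev/null
}

# Demo on a constructed scratch tree: one directory with a safe mode (0710)
# and one that unprivileged users could traverse (0711).
demo=$(mktemp -d)
mkdir "$demo/safe" "$demo/leaky"
chmod 0710 "$demo/safe"
chmod 0711 "$demo/leaky"
for d in "$demo/safe" "$demo/leaky"; do
    if check_not_world_accessible "$d"; then
        echo "$d: ok"
    else
        echo "$d: world-accessible entries:"
        list_world_accessible "$d"
    fi
done
rm -rf "$demo"

# On a real host, check the data root itself (no output if it is absent).
if [ -d /var/lib/docker ]; then
    check_not_world_accessible /var/lib/docker && echo "/var/lib/docker: ok"
fi
```

Run it as root on the upgraded host to cover the whole tree; as an unprivileged user the directory-level check still works, which is exactly the vantage point the CVE describes.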
#### Packaging
- Update Golang runtime to Go 1.16.8, which contains fixes for [CVE-2021-36221](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-36221)
and [CVE-2021-39293](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39293)
- Update static binaries and containerd.io rpm and deb packages to containerd
v1.4.11 and runc v1.0.2 to address [CVE-2021-41103](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41103).
- Update the bundled buildx version to v0.6.3 for rpm and deb packages.
### [`v20.10.8`](https://togithub.com/moby/moby/releases/v20.10.8)
[Compare Source](https://togithub.com/moby/moby/compare/v20.10.7...v20.10.8)
#### 20.10.8
> **IMPORTANT**
>
> Due to [net/http changes](https://togithub.com/golang/go/issues/40909) in [Go 1.16](https://golang.org/doc/go1.16#net/http), HTTP proxies configured through the `$HTTP_PROXY` environment variable are no longer used for TLS (`https://`) connections. Make sure you also set an `$HTTPS_PROXY` environment variable for handling requests to `https://` URLs. Refer to the [HTTP/HTTPS proxy section in the documentation](https://docs.docker.com/config/daemon/systemd/#httphttps-proxy) to learn how to configure the Docker Daemon to use a proxy server.
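Because dockerd, not the client, performs registry pulls, the proxy variables have to reach the daemon's environment. The documented way on systemd hosts is a drop-in under `docker.service.d` that sets `HTTP_PROXY`, `HTTPS_PROXY` and `NO_PROXY`. The script below is an added example, not part of the release notes or the Docker documentation: it writes such a drop-in and checks that `HTTPS_PROXY` is present alongside `HTTP_PROXY`. The proxy host, the `NO_PROXY` list and the scratch directory used for the demo are assumptions; on a real host the directory is `/etc/systemd/system/docker.service.d`.

```shell
#!/bin/sh
# Added example (not from moby or the Docker docs): write the systemd drop-in
# that gives dockerd both HTTP_PROXY and HTTPS_PROXY, since with Go 1.16
# HTTP_PROXY alone no longer covers https:// registry connections.
# Proxy URL, NO_PROXY list and the demo directory are assumptions.

# write_docker_proxy_dropin DROPIN_DIR PROXY_URL NO_PROXY
# Writes DROPIN_DIR/http-proxy.conf. On a real host DROPIN_DIR is
# /etc/systemd/system/docker.service.d (write as root), followed by
#   systemctl daemon-reload && systemctl restart docker
write_docker_proxy_dropin() {
    dropin_dir=$1
    proxy_url=$2
    no_proxy=$3
    mkdir -p "$dropin_dir"
    cat >"$dropin_dir/http-proxy.conf" <<EOF
[Service]
Environment="HTTP_PROXY=$proxy_url"
Environment="HTTPS_PROXY=$proxy_url"
Environment="NO_PROXY=$no_proxy"
EOF
}

# proxy_env_complete DROPIN_DIR
# Returns 0 only when the drop-in sets HTTPS_PROXY as well as HTTP_PROXY,
# i.e. the configuration that still works after the Go 1.16 change.
proxy_env_complete() {
    f=$1/http-proxy.conf
    [ -f "$f" ] || return 1
    grep -q '^Environment="HTTP_PROXY=' "$f" &&
        grep -q '^Environment="HTTPS_PROXY=' "$f"
}

# Demo into a scratch directory so the example runs without root.
demo_dir=$(mktemp -d)
write_docker_proxy_dropin "$demo_dir" \
    "http://proxy.example.com:3128" \
    "localhost,127.0.0.1,registry.example.internal"
cat "$demo_dir/http-proxy.conf"
proxy_env_complete "$demo_dir" &&
    echo "HTTPS_PROXY is set: https:// registry traffic will use the proxy"
rm -rf "$demo_dir"
```

After restarting the daemon, `systemctl show --property=Environment docker` shows whether both variables were picked up. Keep the private registries you want reached directly in `NO_PROXY`, otherwise their traffic is also sent through the proxy.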
##### Deprecation
- Deprecate support for encrypted TLS private keys. Legacy PEM encryption as
specified in RFC 1423 is insecure by design. Because it does not authenticate
the ciphertext, it is vulnerable to padding oracle attacks that can let an
attacker recover the plaintext. Support for encrypted TLS private keys is now
marked as deprecated, and will be removed in an upcoming release. [docker/cli#3219](https://togithub.com/docker/cli/pull/3219)
- Deprecate Kubernetes stack support. Following the deprecation of [Compose on Kubernetes](https://togithub.com/docker/compose-on-kubernetes),
support for Kubernetes in the `stack` and `context` commands in the Docker CLI
is now marked as deprecated, and will be removed in an upcoming release [docker/cli#3174](https://togithub.com/docker/cli/pull/3174).
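An RFC 1423 encrypted PEM key is recognisable without decrypting it: the block carries `Proc-Type: 4,ENCRYPTED` and a `DEK-Info: <cipher>,<iv>` header after the `BEGIN` line. The following added example, not docker/cli's code, scans a directory such as `~/.docker` for TLS keys in that format so they can be converted before the CLI drops support. The sample key files it creates are constructed headers only, not real keys.

```shell
#!/bin/sh
# Added example (not docker/cli's code): find TLS client keys that use the
# deprecated RFC 1423 PEM encryption. Such keys carry "Proc-Type: 4,ENCRYPTED"
# and "DEK-Info: <cipher>,<iv>" headers. Sample files below are constructed.

# pem_key_is_legacy_encrypted FILE
# Returns 0 when FILE is an RFC 1423 encrypted PEM block, 1 otherwise.
pem_key_is_legacy_encrypted() {
    grep -q '^Proc-Type: 4,ENCRYPTED' "$1" && grep -q '^DEK-Info:' "$1"
}

# pem_dek_cipher FILE
# Prints the cipher named in the DEK-Info header, e.g. AES-256-CBC.
pem_dek_cipher() {
    sed -n 's/^DEK-Info: *\([^,]*\),.*/\1/p' "$1"
}

# scan_docker_keys DIR
# Reports every *.pem file under DIR (e.g. ~/.docker) that still uses legacy
# encryption. Returns 1 if at least one was found, 0 otherwise.
scan_docker_keys() {
    found=0
    for f in "$1"/*.pem; do
        [ -f "$f" ] || continue
        if pem_key_is_legacy_encrypted "$f"; then
            echo "$f: legacy encrypted key ($(pem_dek_cipher "$f"))"
            found=1
        fi
    done
    return $found
}

# Demo on constructed files: one legacy-encrypted header, one unencrypted
# PKCS#8 header. Bodies are placeholders, not key material.
demo=$(mktemp -d)
printf '%s\n' \
    '-----BEGIN RSA PRIVATE KEY-----' \
    'Proc-Type: 4,ENCRYPTED' \
    'DEK-Info: AES-256-CBC,0123456789ABCDEF0123456789ABCDEF' \
    '' \
    '(constructed sample, body omitted)' \
    '-----END RSA PRIVATE KEY-----' >"$demo/key.pem"
printf '%s\n' \
    '-----BEGIN PRIVATE KEY-----' \
    '(constructed sample, body omitted)' \
    '-----END PRIVATE KEY-----' >"$demo/plain.pem"

# A flagged key can be rewritten without the legacy wrapper using
#   openssl pkey -in key.pem -out key.pem   (prompts for the passphrase)
# and should then be kept at mode 0600, since the file is the only protection.
scan_docker_keys "$demo" ||
    echo "convert flagged keys with: openssl pkey -in KEY.pem -out KEY.pem; chmod 600 KEY.pem"
rm -rf "$demo"
```

Point `scan_docker_keys` at `~/.docker` and at any directory named by `DOCKER_CERT_PATH`; a key the scan reports will still work in 20.10.8 but will stop being accepted once the deprecation is completed.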
##### Client
- Fix `Invalid standard handle identifier` errors on Windows [docker/cli#3132](https://togithub.com/docker/cli/pull/3132).
##### Rootless
- Avoid `can't open lock file /run/xtables.lock: Permission denied` error on
SELinux hosts [moby/moby#42462](https://togithub.com/moby/moby/pull/42462).
- Disable overlay2 when running with SELinux to prevent permission denied errors [moby/moby#42462](https://togithub.com/moby/moby/pull/42462).
- Fix `x509: certificate signed by unknown authority` error on openSUSE Tumbleweed [moby/moby#42462](https://togithub.com/moby/moby/pull/42462).
##### Runtime
- Print a warning when using the `--platform` option to pull a single-arch image
that does not match the specified architecture [moby/moby#42633](https://togithub.com/moby/moby/pull/42633).
- Fix incorrect `Your kernel does not support swap memory limit` warning when
running with cgroups v2 [moby/moby#42479](https://togithub.com/moby/moby/pull/42479).
- Windows: Fix a situation where containers were not stopped if `HcsShutdownComputeSystem`
returned an `ERROR_PROC_NOT_FOUND` error [moby/moby#42613](https://togithub.com/moby/moby/pull/42613)
##### Swarm
- Fix a possibility where overlapping IP addresses could exist as a result of the
node failing to clean up its old load balancer IPs [moby/moby#42538](https://togithub.com/moby/moby/pull/42538)
- Fix a deadlock in log broker ("dispatcher is stopped") [moby/moby#42537](https://togithub.com/moby/moby/pull/42537)
##### Packaging
> **Known issue**
>
> The `ctr` binary shipping with the static packages of this release is not
> statically linked, and will not run in Docker images using alpine as a base
> image. Users can install the `libc6-compat` package, or download a previous
> version of the `ctr` binary as a workaround. Refer to the containerd ticket
> related to this issue for more details: [containerd/containerd#5824](https://togithub.com/containerd/containerd/issues/5824).
- Remove packaging for Ubuntu 16.04 "Xenial" and Fedora 32, as they reached EOL [docker/docker-ce-packaging#560](https://togithub.com/docker/docker-ce-packaging/pull/560)
- Update Golang runtime to Go 1.16.6
- Update the bundled buildx version to v0.6.1 for rpm and deb packages [docker/docker-ce-packaging#562](https://togithub.com/docker/docker-ce-packaging/pull/562)
- Update static binaries and containerd.io rpm and deb packages to containerd v1.4.9 and runc v1.0.1: [docker/containerd-packaging#241](https://togithub.com/docker/containerd-packaging/pull/241), [docker/containerd-packaging#245](https://togithub.com/docker/containerd-packaging/pull/245), [docker/containerd-packaging#247](https://togithub.com/docker/containerd-packaging/pull/247).
Configuration
📅 Schedule: At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
- [ ] If you want to rebase/retry this PR, click this checkbox.
This PR contains the following updates: `v20.10.7+incompatible` -> `v20.10.9`.
This PR has been generated by WhiteSource Renovate.