Skip to content

fix(security): update vulnerability-updates [security] #724

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
sahidvelji merged 1 commit into from
Jul 12, 2025
Merged

fix(security): update vulnerability-updates [security] #724

sahidvelji merged 1 commit into from
Jul 12, 2025

Conversation

@renovate
Copy link
Contributor

@renovate renovate bot commented Jul 10, 2025
edited
Loading

This PR contains the following updates:

Package Change Age Confidence
github.com/containerd/containerd v1.7.18 -> v1.7.27 age confidence
github.com/docker/docker v27.0.3+incompatible -> v27.1.1+incompatible age confidence
github.com/getkin/kin-openapi v0.124.0 -> v0.131.0 age confidence
golang.org/x/net v0.26.0 -> v0.38.0 age confidence
golang.org/x/net v0.25.0 -> v0.38.0 age confidence
golang.org/x/net v0.33.0 -> v0.38.0 age confidence

GitHub Vulnerability Alerts

CVE-2024-40635

Impact

A bug was found in containerd where containers launched with a User set as a UID:GID larger than the maximum 32-bit signed integer can cause an overflow condition where the container ultimately runs as root (UID 0). This could cause unexpected behavior for environments that require containers to run as a non-root user.

Patches

This bug has been fixed in the following containerd versions:

Users should update to these versions to resolve the issue.

Workarounds

Ensure that only trusted images are used and that only trusted users have permissions to import images.

Credits

The containerd project would like to thank Benjamin Koltermann and emxll for responsibly disclosing this issue in accordance with the containerd security policy.

References

For more information

If you have any questions or comments about this advisory:

To report a security issue in containerd:

CVE-2024-41110

A security vulnerability has been detected in certain versions of Docker Engine, which could allow an attacker to bypass authorization plugins (AuthZ) under specific circumstances. The base likelihood of this being exploited is low. This advisory outlines the issue, identifies the affected versions, and provides remediation steps for impacted users.

Impact

Using a specially-crafted API request, an Engine API client could make the daemon forward the request or response to an authorization plugin without the body. In certain circumstances, the authorization plugin may allow a request which it would have otherwise denied if the body had been forwarded to it.

A security issue was discovered In 2018, where an attacker could bypass AuthZ plugins using a specially crafted API request. This could lead to unauthorized actions, including privilege escalation. Although this issue was fixed in Docker Engine v18.09.1 in January 2019, the fix was not carried forward to later major versions, resulting in a regression. Anyone who depends on authorization plugins that introspect the request and/or response body to make access control decisions is potentially impacted.

Docker EE v19.03.x and all versions of Mirantis Container Runtime are not vulnerable.

Vulnerability details

  • AuthZ bypass and privilege escalation: An attacker could exploit a bypass using an API request with Content-Length set to 0, causing the Docker daemon to forward the request without the body to the AuthZ plugin, which might approve the request incorrectly.
  • Initial fix: The issue was fixed in Docker Engine v18.09.1 January 2019..
  • Regression: The fix was not included in Docker Engine v19.03 or newer versions. This was identified in April 2024 and patches were released for the affected versions on July 23, 2024. The issue was assigned CVE-2024-41110.

Patches

  • docker-ce v27.1.1 containes patches to fix the vulnerability.
  • Patches have also been merged into the master, 19.0, 20.0, 23.0, 24.0, 25.0, 26.0, and 26.1 release branches.

Remediation steps

  • If you are running an affected version, update to the most recent patched version.
  • Mitigation if unable to update immediately:
    • Avoid using AuthZ plugins.
    • Restrict access to the Docker API to trusted parties, following the principle of least privilege.

References

CVE-2025-30153

Summary

When validating a request with a multipart/form-data schema, if the OpenAPI schema allows it, an attacker can upload a crafted ZIP file (e.g., a ZIP bomb), causing the server to consume all available system memory.

Details

The root cause comes from the ZipFileBodyDecoder, which is registered automatically by the module (contrary to what the documentation says.

PoC

To reproduce the vulnerability, you can use the following OpenAPI schema:

openapi: 3.0.0
info:
  title: 'Validator'
  version: 0.0.1
paths:
  /:
    post:
      requestBody:
        required: true
        content:
          multipart/form-data:
            schema:
              type: object
              required:
                - file
              properties:
                file:
                  type: string
                  format: binary
      responses:
        '200':
          description: Created

And this code to validate the request (nothing fancy, it basically only calls the openapi3filter.ValidateRequest function`):

package main

import (
	"fmt"
	"log"
	"net/http"

	"github.com/getkin/kin-openapi/openapi3filter"
	legacyrouter "github.com/getkin/kin-openapi/routers/legacy"

	"github.com/getkin/kin-openapi/openapi3"
)

func handler(w http.ResponseWriter, r *http.Request) {
	loader := openapi3.NewLoader()

	doc, err := loader.LoadFromFile("schema.yaml")
	if err != nil {
		http.Error(w, "Failed to load OpenAPI document", http.StatusInternalServerError)
		return
	}

	if err := doc.Validate(r.Context()); err != nil {
		http.Error(w, "Invalid OpenAPI document", http.StatusBadRequest)
		return
	}

	router, err := legacyrouter.NewRouter(doc)
	if err != nil {
		http.Error(w, "Failed to create router", http.StatusInternalServerError)
		return
	}

	route, pathParams, err := router.FindRoute(r)
	if err != nil {
		http.Error(w, "Failed to find route", http.StatusNotFound)
		return
	}

	input := &openapi3filter.RequestValidationInput{
		Request:     r,
		QueryParams: r.URL.Query(),
		Route:       route,
		PathParams:  pathParams,
	}

	if err := openapi3filter.ValidateRequest(r.Context(), input); err != nil {
		http.Error(w, fmt.Sprintf("Request validation failed: %v", err), http.StatusBadRequest)
		return
	}

	w.Write([]byte("request ok !"))
}

func main() {
	http.HandleFunc("/", handler)
	log.Fatal(http.ListenAndServe(":8080", nil))

}

We also need to create a zip bomb. This command will create a 4.7GB file and compress it to to 4.7MB zip archive:

perl -e 'print "0" x 5000000000' > /tmp/bigfile.txt; zip -9 /tmp/bomb.zip /tmp/bigfile.txt

Run the PoC provided, and upload the zip bomb with curl localhost:8080/ -F file="@​/tmp/bomb.zip;type=application/zip" -v.

Observe the memory consumption of the test server during and after the upload (it jumped to a bit over 22GB in my testing, with only a 4.7MB input file, you can reduce the size of the generated file to not kill your test machine when reproducing.)

Impact

An attacker can trigger an out-of-memory (OOM) condition, leading to server crashes or degraded performance.
It seems to only be exploitable if the OpenAPI schema allows for multipart upload.

Remediation

I see at least 2 potential fixes/improvements:

  • Do not register by default the zip file decoder (I honestly was a bit surprised to see it was enabled by default, it seems to be quite a niche use-case ?)
  • Update ZipFileBodyDecoder to enforce a maximum size of the decompressed archive and bailout as soon as it's reached (probably with a small default value and allow the users to configure it through the input options ?)

CVE-2025-22870

Matching of hosts against proxy patterns can improperly treat an IPv6 zone ID as a hostname component. For example, when the NO_PROXY environment variable is set to "*.example.com", a request to "[::1%25.example.com]:80` will incorrectly match and not be proxied.

CVE-2025-22872

The tokenizer incorrectly interprets tags with unquoted attribute values that end with a solidus character (/) as self-closing. When directly using Tokenizer, this can result in such tags incorrectly being marked as self-closing, and when using the Parse functions, this can result in content following such tags as being placed in the wrong scope during DOM construction, but only when tags are in foreign content (e.g. , , etc contexts).

Release Notes

containerd/containerd (github.com/containerd/containerd)

v1.7.27: containerd 1.7.27

Compare Source

Welcome to the v1.7.27 release of containerd!

The twenty-seventh patch release for containerd 1.7 contains various fixes
and updates.

Highlights
  • Fix integer overflow in User ID handling (GHSA-265r-hfxg-fhmg)
  • Update image type checks to avoid unnecessary logs for attestations (#​11538)

Please try out the release binaries and report any issues at
https://github.com/containerd/containerd/issues.

Contributors
  • Jin Dong
  • Akhil Mohan
  • Derek McGowan
  • Maksym Pavlenko
  • Paweł Gronowski
  • Phil Estes
  • Akihiro Suda
  • Craig Ingram
  • Krisztian Litkey
  • Samuel Karp
Changes
20 commits

  • 05044ec0a Merge commit from fork
  • 11504c3fc validate uid/gid
  • Prepare release notes for v1.7.27 (#​11540)
    • 1be04be6c Prepare release notes for v1.7.27
  • Update image type checks to avoid unnecessary logs for attestations (#​11538)
    • 82b5c43fe core/remotes: Handle attestations in MakeRefKey
    • 2c670e79b core/images: Ignore attestations when traversing children
  • update build to go1.23.7, test go1.24.1 (#​11515)
    • a39863c9f update build to go1.23.7, test go1.24.1
  • Remove hashicorp/go-multierror dependency and fix CI (#​11499)
    • 49537b3a7 e2e: use the shim bundled with containerd artifact
    • fe490b76f Bump up github.com/intel/goresctrl to 0.5.0
    • 13fc9d313 update containerd/project-checks to 1.2.1
    • 585699c94 Remove unnecessary joinError unwrap
    • 4b9df59be Remove hashicorp/go-multierror
  • go.{mod,sum}: bump CDI deps to v0.8.1. (#​11422)
    • 5ba28f8dc go.{mod,sum}: bump CDI deps to v0.8.1, re-vendor.
  • CI: arm64-8core-32gb -> ubuntu-24.04-arm (#​11437)
    • 85f10bd92 CI: arm64-8core-32gb -> ubuntu-24.04-arm
    • 561ed520e increase xfs base image size to 300Mb

Dependency Changes
  • github.com/intel/goresctrl v0.3.0 -> v0.5.0
  • github.com/prometheus/client_golang v1.14.0 -> v1.16.0
  • github.com/prometheus/common v0.37.0 -> v0.42.0
  • github.com/prometheus/procfs v0.8.0 -> v0.10.1
  • k8s.io/apimachinery v0.26.2 -> v0.27.4
  • sigs.k8s.io/json f223a00 -> bc3834c
  • tags.cncf.io/container-device-interface v0.7.2 -> v0.8.1
  • tags.cncf.io/container-device-interface/specs-go v0.7.0 -> v0.8.0

Previous release can be found at v1.7.26

v1.7.26: containerd 1.7.26

Compare Source

Welcome to the v1.7.26 release of containerd!

The twenty-sixth patch release for containerd 1.7 contains various fixes
and updates.

Highlights
Container Runtime Interface (CRI)
  • Fix fatal concurrency error in port forwarding (#​11306)
Node Resource Interface (NRI)
Runtime
  • Fix console TTY leak in runc shim (#​11250)

Please try out the release binaries and report any issues at
https://github.com/containerd/containerd/issues.

Contributors
  • Krisztian Litkey
  • Mike Brown
  • Samuel Karp
  • Wei Fu
  • Phil Estes
  • Derek McGowan
  • Iceber Gu
  • Akhil Mohan
  • Antonio Ojea
  • Austin Vazquez
  • Henry Wang
  • Jin Dong
  • Xiaojin Zhang
  • ningmingxiao
  • AbdelrahmanElawady
  • Akihiro Suda
  • Antti Kervinen
  • Jing Xu
  • Jitang Lei
  • Justin Alvarez
  • Lei Liu
  • Maksym Pavlenko
  • Yang Yang
  • Yuhang Wei
  • cormick
  • jingtao.liang
Changes
24 commits

  • Prepare release notes for v1.7.26 (#​11356)
    • ceba197f5 Prepare release notes for v1.7.26
  • Upgrade x/net to 0.33.0 to fix vulnerability GHSA-w32m-9786-jp63 (#​11434)
  • update build to go1.23.6, test go1.24.0 (#​11419)
    • 9025d3075 update build to go1.23.6, test go1.24.0
  • Update install-imgcrypt to allow change install repo (#​11358)
    • 83eaab482 Update install-imgcrypt to allow change install repo
  • Add support for syncfs after unpack (#​11267)
    • 8bc21cba7 support to syncfs after pull by using diff plugin
  • Update runc binary to v1.2.5 (#​11395)
  • Move run.skip-dirs to issues.exclude-dirs in golangci-lint config (#​11400)
    • 8d8034b66 move skip-dirs to issues.exclude-dirs
  • Fix initial sync race when registering NRI plugins (#​11326)
    • 11af05177 cri,nri: block NRI plugin sync. during event processing.
    • d4036cd3d go.{mod,sum}: bump NRI to v0.8.0, re-vendor.
  • Fix console TTY leak in runc shim (#​11250)
    • c3e24e024 Add integ test to check tty leak
    • 4e45a463d fix master tty leak due to leaking init container object
  • Fix fatal concurrency error in port forwarding (#​11306)
    • 0fe9f0b52 fix fatal error: concurrent map iteration and map write
  • update build to go1.22.11, test go1.23.5 (#​11298)
    • 441b92636 update build to go1.22.11, test go1.23.5

Changes from containerd/nri
77 commits

  • Add API support for reading Pod IPs (containerd/nri#119)
  • generate: do not set OOMScoreAdj if no adjustment (containerd/nri#116)
  • 07bfc18 wip: generate: add test for oom score adj
  • b5fc359 generate: do not set OOMScoreAdj if no adjustment
  • device-injector: remove unreachable code. (containerd/nri#115)
    • 235aa11 chore: remove unreachable code and fmt files
  • Fix plugin sync to use multiple messages if ttrpc max message limit is hit (containerd/nri#111)
    • 159f575 template: dump pod/container count in sync message.
    • bf267e3 stub: collect/handle split sync messages.
    • ed78ae9 adaptation: use multiple sync messages if necessary.
    • 6fd59d6 api: add support for multiple sync messages.
    • a7fcccc mux: split oversized messages.
    • 5fe9b06 mux: fix maximum allowed message size.
    • 693d64e go.{mod,sum}, plugins: update ttrpc and NRI deps.
  • Update API to pass configured timeouts to plugins. (containerd/nri#109)
    • 320e4e7 adaptation: tests for runtime version, timeouts.
    • f86d982 api,adaptation,stub: let plugin know configured timeouts.
    • cfcd2af Makefile: fix ginkgo-tests target.
    • 8cd9504 adaptation: block plugin sync/registration in test suite.
    • 966ac92 adaptation: implement plugin synchronization blocks.
  • ci: verify that code generation works and results match (containerd/nri#113)
    • f74ce31 ci: verify code generation and generated files in repo
  • deps: bump gingko to v2.19.1, golang to v1.21.x. (containerd/nri#110)
    • e4d5c36 ci: stop testing with golang 1.20.x.
    • 6578149 go.{mod,sum}: bump golang requirement to 1.21.
    • 442e812 go.{mod,sum}: update to ginkgo v2.19.1.
  • sync sandboxes and containers after starting the pre-installed plugins (containerd/nri#43)
    • eada085 ignore pre-installed plugins that did not sync successfully
    • b881bc4 sync sandboxes and containers after starting the pre-installed plugins
  • Fix mount removal in adjustments (containerd/nri#107)
    • 3880f1d adaptation: add test case for mount removal.
    • 0d3b376 adaptation: fix mount removal in adjustments.
  • codespell: add codespell config, workflow, fix spelling errors. (containerd/nri#105)
    • df84c47 .github: add codespell workflow.
    • a03dc93 pkg,plugins,.codespellrc: add codespellrc, fix spelling.
  • Close plugin if initial synchronization fails (containerd/nri#103)
    • 4aec208 adaptation: log plugin as connected and synchronized.
    • 4e60cd0 adaptation: close plugin if initial synchronization fails.
  • Reset source path of api.pb.go to pkg/api/api.proto (containerd/nri#104)
    • 1cc026f Reset source path of api.pb.go to pkg/api/api.proto
  • Add support for adjusting OOM score (containerd/nri#94)
    • efcb2da NRI plugins support adjust oom_score_adj
  • Add API support for NRI-native CDI injection (containerd/nri#98)
    • 8783973 device-injector: clarify precedence of annotations.
    • 4eb7075 pkg/adaptation: fix grammatical mistakes in comments.
    • 4bd8da8 device-injector: add support for CDI injection.
    • 44773bd runtime-tools/generate: add support CDI injection.
    • 65282fe adaptation: add CDI device injection unit test.
    • 01f3b7a adaptation: add support for native CDI injection.
    • f1aa58f api: add support for native CDI device injection.
  • types: Fix a typo (containerd/nri#101)
  • Add support for pids cgroup (containerd/nri#76)
  • stub: support restart after stub stopped (containerd/nri#91)
    • 242661f stub: support re-start after stub stopped
  • stop closed plugins that will be removed (containerd/nri#89)
    • ba398fa stop closed plugins that will be removed
  • plugins/device-injector: fix a small typo in README.md. (containerd/nri#97)
    • f96a550 device-injector: small grammar fix in README.md.
  • plugins/template: fix a typo in a comment. (containerd/nri#96)
    • 5680921 plugins/template: fix typo in a comment.
  • go.{mod,sum}, .github: bump minimum golang version to 1.20. (containerd/nri#88)
    • 2c3608d .golangci.yml: silence dot-import errors for tests.
    • 8f56974 pkg/{adaptation,api,net,stub}: fix linter errors.
    • e863892 .github: bump golangci-lint to v1.58.0.
    • 674cb41 .github: bump setup-go to v5.
    • 9106283 .github: test with golang 1.20.x, 1.21.x, 1.22.3 in CI.
    • a9778ad plugins: bump golang version to 1.20.
    • 8e86065 go.{mod.sum}: bump golang version to 1.20.
  • network device injector plugin (containerd/nri#82)
    • ff774e6 network device injector plugin
  • Modify hook-injector plugin to monitor directories to match cri-o (containerd/nri#84)
    • 06841c2 Modify hook-injector plugin to monitor directories to match cri-o
  • docs: fix broken link to sample plugins in README.md (containerd/nri#81)
    • 2791e93 docs: fix broken link to sample plugins in README.md

Changes from containerd/ttrpc
11 commits

Dependency Changes
  • github.com/containerd/nri v0.6.1 -> v0.8.0
  • github.com/containerd/ttrpc v1.2.5 -> v1.2.7
  • github.com/go-logr/logr v1.3.0 -> v1.4.2
  • golang.org/x/net v0.25.0 -> v0.33.0

Previous release can be found at v1.7.25

v1.7.25: containerd 1.7.25

Compare Source

Welcome to the v1.7.25 release of containerd!

The twenty-fifth patch release for containerd 1.7 contains various fixes
and updates.

Highlights
  • Update runc binary to v1.2.4 (#​11238)
  • Fix proto conflicts and update to 1.8 API (#​11184)
Container Runtime Interface (CRI)
  • Fix ip_pref configuration option (#​11223)
Runtime
  • Fix panic due to nil dereference cgroups v2 (#​11099)

Please try out the release binaries and report any issues at
https://github.com/containerd/containerd/issues.

Contributors
  • Akihiro Suda
  • Derek McGowan
  • Sebastiaan van Stijn
  • Wei Fu
  • Maksym Pavlenko
  • Akhil Mohan
  • Henry Wang
  • Jin Dong
  • Phil Estes
  • Sam Edwards
  • Samuel Karp
  • Brian Goff
  • David Son
  • Kohei Tokunaga
  • Pierre Gimalac
  • Yang Yang
  • bo.jiang
Changes
32 commits

  • Prepare release notes for v1.7.25 (#​11243)
    • bda53fc60 Prepare release notes for v1.7.25
  • Update runc binary to v1.2.4 (#​11238)
  • Reduce shim plugin log level (#​11224)
    • 99c973791 runtime/v2: reduce shim plugin log
  • Fix ip_pref configuration option (#​11223)
    • 0cfc1edf3 Fix "even if IPv4 comes first" test to have IPv4 first
    • 53d1fd0d9 Don't use To16() != nil to detect IPv6 addresses
  • Add a build tag to disable std plugin import (#​11202) (#​11203)
    • 2b12ef2f4 chore: add a build tag to disable containerd plugin import
  • bump github.com/containerd/continuity from 0.4.2 to 0.4.4 (#​11216)
    • b99091838 build(deps): bump github.com/containerd/continuity from 0.4.3 to 0.4.4
    • 9f48f7af0 build(deps): bump google.golang.org/protobuf from 1.33.0 to 1.35.2
    • 79172ba16 go.mod: github.com/containerd/continuity v0.4.3
  • deps: update golang.org/x/ (#​11178)
    • 2dfbe2c7c vendor: update golang.org/x/crypto dependencies
  • Fix proto conflicts and update to 1.8 API (#​11184)
  • update runc binary to v1.2.3 (#​11143)
  • update build to go1.22.10, test go1.23.4 (#​11111)
    • 4c0db6ad6 update build to go1.22.10, test go1.23.4
  • Fix panic due to nil dereference cgroups v2 (#​11099)
    • a40aa60a5 fix panic due to nil dereference cgroups v2
  • Move rockylinux 9.4 to almalinux/9 in CI (#​11054)
    • b1ef1dda7 move rocky 9.4 to almalinux/9 in CI

Changes from containerd/continuity
40 commits

Dependency Changes
  • github.com/containerd/containerd/api v1.7.19 -> v1.8.0
  • github.com/containerd/continuity v0.4.2 -> v0.4.4
  • golang.org/x/crypto v0.21.0 -> v0.31.0
  • golang.org/x/mod v0.12.0 -> v0.17.0
  • golang.org/x/net v0.23.0 -> v0.25.0
  • golang.org/x/sync v0.5.0 -> v0.10.0
  • golang.org/x/sys v0.18.0 -> v0.28.0
  • golang.org/x/term v0.18.0 -> v0.27.0
  • golang.org/x/text v0.14.0 -> v0.21.0
  • google.golang.org/genproto/googleapis/rpc 995d672 -> c3f9821
  • google.golang.org/protobuf v1.33.0 -> v1.35.2

Previous release can be found at v1.7.24

v1.7.24: containerd 1.7.24

Compare Source

Welcome to the v1.7.24 release of containerd!

The twenty-fourth patch release for containerd 1.7 contains various fixes
and updates.

Highlights
  • Update runc binary to 1.2.2 (#​11027)
  • Fix "invalid metric type" error message for cgroup v1 (#​10814)
Container Runtime Interface (CRI)
  • Update the container exit log to info level (#​11007)
Image Distribution
  • Fix retry logic and concurrency issue with http fallback (#​11032)

Please try out the release binaries and report any issues at
https://github.com/containerd/containerd/issues.

Contributors
  • Derek McGowan
  • Phil Estes
  • Akhil Mohan
  • Akihiro Suda
  • Maksym Pavlenko
  • Austin Vazquez
  • Samuel Karp
  • Benjamin Peterson
  • Davanum Srinivas
  • Iceber Gu
  • Mike Brown
  • Sebastiaan van Stijn
  • Tõnis Tiigi
  • ningmingxiao
Changes
36 commits

  • Prepare release notes for v1.7.24 (#​11036)
    • 936f8e2de Prepare release notes for v1.7.24
  • Update the container exit log to info level (#​11007)
  • Fix retry logic and concurrency issue with http fallback (#​11032)
    • 10af0d60f Adds a mutex to protect fallback host
    • e426ec51b Use unix and windows specific connection error checks
    • 49c9f303b Allow fallback across default ports
  • local: avoid writing to content root on readonly store (#​10913)
    • ddf2b03ed local: avoid writing to content root on readonly store
  • Update runc binary to 1.2.2 (#​11027)
  • Revert "Disable vagrant strict dependency checking" (#​11011)
    • 23a31ce63 Revert "Disable vagrant strict dependency checking"
  • testutil: avoid conflict with continuity/testutil (#​10956)
    • 4bd411f8c testutil: avoid conflict with continuity/testutil
  • update cri-tools to v1.29.0 (#​10969)
  • update build to go1.22.9, test go1.23.3 (#​10974)
    • 56a7d31cb update build to go1.22.9, test go1.23.3
  • ci: disable marking 1.7 releases as latest (#​10962)
    • 205940716 ci: disable marking 1.7 releases as latest
  • Avoid arch info in the sed/replace when building cri-cni-containerd.tar.gz (#​10976)
    • b7bb8d515 Avoid arch info in the sed/replace when building cri-cni-containerd.tar.gz
  • backport: Disable vagrant strict dependency checking (#​10965)
    • 860a51384 Disable vagrant strict dependency checking
  • Update runc binary to 1.2.1 (#​10940)
  • services/snapshots: include name of snapshotter in debug logs (#​10931)
    • 5bd0834ce services/snapshots: include name of snapshotter in debug logs
  • Make TestContainerPids more resilient (#​10936)
    • 455787bf8 Make TestContainerPids more resilient
  • Add After=dbus.service to containerd.service (#​10859)
    • cb82e52a4 Add After=dbus.service to containerd.service
  • Fix "invalid metric type" error message for cgroup v1 (#​10814)
    • d6f577843 metrics: Use UnmarshalTo instead of UnmarshalAny

Dependency Changes

This release has no dependency changes

Previous release can be found at v1.7.23

v1.7.23: containerd 1.7.23

Compare Source

Welcome to the v1.7.23 release of containerd!

The twenty-third patch release for containerd 1.7 contains various fixes
and updates.

Highlights
Container Runtime Interface (CRI)
  • Add check for CNI plugins before tearing down pod network (#​10767)
Image Distribution
  • Fix the race condition during GC of snapshots when client retries (#​10763)

Please try out the release binaries and report any issues at
https://github.com/containerd/containerd/issues.

Contributors
  • Derek McGowan
  • Austin Vazquez
  • Phil Estes
  • Akihiro Suda
  • Samuel Karp
  • Maksym Pavlenko
  • Kern Walster
  • Kir Kolyshkin
  • Saket Jajoo
  • Sameer
  • Wei Fu
  • Zou Nengren
  • bo.jiang
Changes
37 commits

  • Prepare release notes for v1.7.23 (#​10802)
    • 921f554af Prepare release notes for v1.7.23
  • Revert "update runc binary to 1.1.15" (#​10826)
    • 8f16d6588 Revert "update runc binary to 1.1.15"
  • Switch from actuated.dev to GH Action runners for arm64 ([#&#

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate bot added the renovate label Jul 10, 2025
@renovate
Copy link
Contributor Author

renovate bot commented Jul 10, 2025

ℹ Artifact update notice

File name: providers/flagd/go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

  • 3 additional dependencies were updated

Details:

Package Change
github.com/Microsoft/hcsshim v0.11.5 -> v0.11.7
github.com/containerd/errdefs v0.1.0 -> v0.3.0
github.com/moby/sys/user v0.1.0 -> v0.3.0
File name: providers/flipt/go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

  • 1 additional dependency was updated

Details:

Package Change
golang.org/x/sys v0.28.0 -> v0.31.0
File name: providers/harness/go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

  • 2 additional dependencies were updated

Details:

Package Change
github.com/go-openapi/jsonpointer v0.20.2 -> v0.21.0
github.com/go-openapi/swag v0.22.8 -> v0.23.0

@renovate renovate bot requested review from a team as code owners July 10, 2025 01:22
@renovate renovate bot added the renovate label Jul 10, 2025
@renovate renovate bot force-pushed the renovate/vulnerability-updates branch from d049c1a to 62102ac Compare July 10, 2025 01:26
@renovate renovate bot force-pushed the renovate/vulnerability-updates branch from 62102ac to 6396eda Compare July 10, 2025 15:24
@sahidvelji sahidvelji merged commit 629a535 into main Jul 12, 2025
5 checks passed
@renovate renovate bot deleted the renovate/vulnerability-updates branch July 12, 2025 22:12
This was referenced Jul 10, 2025
Merged
Merged
Merged
Merged
gioddiggi pushed a commit to gioddiggi/go-sdk-contrib that referenced this pull request Jul 19, 2025
@renovate @gioddiggi
fix(security): update vulnerability-updates [security] (open-feature#724
09e6e2f 
)

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Signed-off-by: Giovanni De Giorgio <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@renovate-approve renovate-approve[bot] renovate-approve[bot] approved these changes

@sahidvelji sahidvelji sahidvelji approved these changes

@renovate-approve-2 renovate-approve-2[bot] renovate-approve-2[bot] approved these changes

Assignees

@markphelps markphelps

@davejohnston davejohnston

@bacherfl bacherfl

@Kavindu-Dodan Kavindu-Dodan

@matthewelwell matthewelwell

@gagantrivedi gagantrivedi

@toddbaert toddbaert

@liran2000 liran2000

Labels

renovate

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

10 participants

@sahidvelji @markphelps @davejohnston @bacherfl @Kavindu-Dodan @matthewelwell @gagantrivedi @toddbaert @liran2000