
Conversation


@anaconda-renovate anaconda-renovate bot commented Nov 7, 2025

This PR contains the following updates:

Package: github.com/containerd/containerd/v2
Change: v2.0.5 -> v2.0.7

containerd affected by a local privilege escalation via wide permissions on CRI directory in github.com/containerd/containerd

CVE-2024-25621 / GHSA-pwhc-rpq9-4c8w / GO-2025-4100

Severity: Unknown (this entry is provided by OSV and the Go Vulnerability Database, CC-BY 4.0; the GitHub Advisory entry for the same CVE below carries the details and CVSS score)


containerd CRI server: Host memory exhaustion through Attach goroutine leak

CVE-2025-64329 / GHSA-m6hq-p25p-ffr2 / GO-2025-4108

Impact

A bug was found in containerd's CRI Attach implementation where a user can exhaust memory on the host due to goroutine leaks.

Repetitive calls of CRI Attach (e.g., kubectl attach) could increase the memory usage of containerd.

Patches

This bug has been fixed in the following containerd versions:

  • 2.2.0
  • 2.1.5
  • 2.0.7
  • 1.7.29

Users should update to these versions to resolve the issue.

Workarounds

Set up an admission controller to control access to pods/attach resources, e.g. a Validating Admission Policy.

Credits

The containerd project would like to thank @​Wheat2018 for responsibly disclosing this issue in accordance with the containerd security policy.

References

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-64329

Severity

  • CVSS Score: 6.9 / 10 (Medium)
  • Vector String: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).


containerd affected by a local privilege escalation via wide permissions on CRI directory

CVE-2024-25621 / GHSA-pwhc-rpq9-4c8w / GO-2025-4100

Impact

An overly broad default permission vulnerability was found in containerd.

  • /var/lib/containerd was created with the permission bits 0o711, while it should be created with 0o700
    • Allowed local users on the host to potentially access the metadata store and the content store
  • /run/containerd/io.containerd.grpc.v1.cri was created with 0o755, while it should be created with 0o700
    • Allowed local users on the host to potentially access the contents of Kubernetes local volumes. The contents of volumes might include setuid binaries, which could allow a local user on the host to elevate privileges on the host.
  • /run/containerd/io.containerd.sandbox.controller.v1.shim was created with 0o711, while it should be created with 0o700

The directory paths may differ depending on the daemon configuration.
When the temp directory path is specified in the daemon configuration, that directory was also created with 0o711, while it should be created with 0o700.

Patches

This bug has been fixed in the following containerd versions:

  • 2.2.0
  • 2.1.5
  • 2.0.7
  • 1.7.29

Users should update to these versions to resolve the issue.
These updates automatically change the permissions of the existing directories.

Note: /run/containerd and /run/containerd/io.containerd.runtime.v2.task are still created with 0o711.
This is expected behavior, to support userns-remapped containers.

Workarounds

The system administrator on the host can manually chmod the directories to not
have group or world accessible permissions:

chmod 700 /var/lib/containerd
chmod 700 /run/containerd/io.containerd.grpc.v1.cri
chmod 700 /run/containerd/io.containerd.sandbox.controller.v1.shim

An alternative mitigation would be to run containerd in rootless mode.

Credits

The containerd project would like to thank David Leadbeater for responsibly disclosing this issue in accordance with the containerd security policy.

Severity

  • CVSS Score: 7.3 / 10 (High)
  • Vector String: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).


containerd CRI server: Host memory exhaustion through Attach goroutine leak in github.com/containerd/containerd

CVE-2025-64329 / GHSA-m6hq-p25p-ffr2 / GO-2025-4108

Severity: Unknown (this entry is provided by OSV and the Go Vulnerability Database, CC-BY 4.0; the GitHub Advisory entry for the same CVE above carries the details and CVSS score)


Release Notes

containerd/containerd (github.com/containerd/containerd/v2)

v2.0.7: containerd 2.0.7

Welcome to the v2.0.7 release of containerd!

The seventh patch release for containerd 2.0 includes various bug fixes and updates.

Security Updates
  • CVE-2024-25621 / GHSA-pwhc-rpq9-4c8w: local privilege escalation via wide permissions on CRI directory
  • CVE-2025-64329 / GHSA-m6hq-p25p-ffr2: host memory exhaustion through Attach goroutine leak
Highlights
Container Runtime Interface (CRI)
  • Disable event subscriber during task cleanup (#​12406)
  • Add SystemdCgroup to default runtime options (#​12254)
  • Fix userns with container image VOLUME mounts that need copy (#​12241)
Image Distribution
  • Add dial timeout field to hosts toml configuration (#​12136)
Runtime
  • Update runc binary to v1.3.3 (#​12479)
  • Fix lost container logs from quickly closing io (#​12376)
  • Create bootstrap.json with 0644 permission (#​12184)
  • Fix pidfd leak in UnshareAfterEnterUserns (#​12178)

Please try out the release binaries and report any issues at
https://github.com/containerd/containerd/issues.

Contributors
  • Austin Vazquez
  • Phil Estes
  • Rodrigo Campos
  • Wei Fu
  • Akihiro Suda
  • Derek McGowan
  • Maksym Pavlenko
  • ningmingxiao
  • Kirtana Ashok
  • Akhil Mohan
  • Andrew Halaney
  • Jin Dong
  • Jose Fernandez
  • Mike Baynton
  • Philip Laine
  • Swagat Bora
  • wheat2018
Changes
56 commits

  • Prepare release notes for v2.0.7 (#​12482)
  • Update runc binary to v1.3.3 (#​12479)
    • b46dc6a67 runc: Update runc binary to v1.3.3
  • ci: bump Go 1.24.9; 1.25.3 (#​12361)
    • 5e9c82178 Update GHA runners to use latest images for basic binaries build
    • 7f59248dc Update GHA runners to use latest image for most jobs
    • e1373e8a8 ci: bump Go 1.24.9, 1.25.3
    • e1a910a6a ci: bump Go 1.24.8; 1.25.2
    • fd04b7f17 move exclude-dirs to issues.exclude-dirs
    • b49377975 update golangci-lint to v1.64.2
    • 6e45022a1 build(deps): bump golangci/golangci-lint-action from 6.3.2 to 6.5.0
    • 09ce0f2a1 build(deps): bump golangci/golangci-lint-action from 6.2.0 to 6.3.2
    • de63a740b build(deps): bump golangci/golangci-lint-action from 6.1.1 to 6.2.0
  • Fix lost container logs from quickly closing io (#​12376)
    • f953ee8a3 bugfix:fix container logs lost because io close too quickly
  • CI: update Fedora to 43 (#​12448)
  • Disable event subscriber during task cleanup (#​12406)
    • 2a2329cbd cri/server/podsandbox: disable event subscriber
  • CI: skip ubuntu-24.04-arm on private repos (#​12428)
    • dfb954743 CI: skip ubuntu-24.04-arm on private repos
  • Remove additional fuzzers from instrumentation repo (#​12420)
    • f6b02f6bb Remove additional fuzzers from CI
  • runc:Update runc binary to v1.3.1 (#​12275)
    • 75c13ee3f runc:Update runc binary to v1.3.1
  • Add SystemdCgroup to default runtime options (#​12254)
    • 427cdd06c add SystemdCgroup to default runtime options
  • install-runhcs-shim: fetch target commit instead of tags (#​12255)
    • 0b35e19fb install-runhcs-shim: fetch target commit instead of tags
  • Fix userns with container image VOLUME mounts that need copy (#​12241)
    • 3212afc2f integration: Add test for directives with userns
    • b855c6e10 cri: Fix userns with Dockerfile VOLUME mounts that need copy
  • Fix overlayfs issues related to user namespace (#​12223)
    • 05c0c99f4 core/mount: Retry unmounting idmapped directories
    • afdede4ce core/mount: Test cleanup of DoPrepareIDMappedOverlay()
    • 47205f814 core/mount: Properly cleanup on doPrepareIDMappedOverlay errors
    • 6f4abd970 core/mount: Don't call nil function on errors
    • a2f0d65d7 core/mount: Only idmap once per overlayfs, not per layer
    • 1c32accd7 Make ovl idmap mounts read-only
  • ci: bump Go 1.23.12, 1.24.6 (#​12187)
  • Create bootstrap.json with 0644 permission (#​12184)
    • 009622e04 fix: create bootstrap.json with 0644 permission
  • Fix pidfd leak in UnshareAfterEnterUserns (#​12178)
    • 5bec0a332 sys: fix pidfd leak in UnshareAfterEnterUserns
  • Fix windows test failures (#​12120)
    • 2a2488131 Fix intermittent test failures on Windows CIs
    • 018470948 Remove WS2025 from CIs due to regression
  • Add dial timeout field to hosts toml configuration (#​12136)
    • b50cbbc98 Add dial timeout field to hosts toml configuration

Dependency Changes

This release has no dependency changes

Previous release can be found at v2.0.6

Which file should I download?
  • containerd-<VERSION>-<OS>-<ARCH>.tar.gz: ✅Recommended. Dynamically linked with glibc 2.31 (Ubuntu 20.04).
  • containerd-static-<VERSION>-<OS>-<ARCH>.tar.gz: Statically linked. Expected to be used on non-glibc Linux distributions. Not position-independent.

In addition to containerd, typically you will have to install runc
and CNI plugins from their official sites too.

See also the Getting Started documentation.

v2.0.6: containerd 2.0.6

Welcome to the v2.0.6 release of containerd!

The sixth patch release for containerd 2.0 includes various bug fixes and updates.

Highlights
  • Update containerd config dump to reflect plugin config migrations (#​11772)
Container Runtime Interface (CRI)
  • Fix containerd panic when sandbox extension is missing (#​12077)
  • Fix the panic caused by the failure of RunPodSandbox (#​12047)
  • Add extension to sandbox metadata store on create sandbox (#​11808)
  • Fix issue where Prometheus metric names changed for CRI (#​11750)
  • Fix issue preventing some v2 shims from shutting down properly (#​11741)
Go client
  • Fix lazy gRPC connection mode waiting for connect on client creation (#​12080)
Image Distribution
  • Fix cross-repo mount fallback after authorization failure (#​11832)
Runtime
  • Fix container io to close after runtime create failure (#​12051)
  • Fix incompatibility with some pre-v3 shims (#​11973)
  • Update runc binary to v1.3.0 (#​11801)

Contributors
  • Derek McGowan
  • Phil Estes
  • Austin Vazquez
  • Wei Fu
  • Akihiro Suda
  • Maksym Pavlenko
  • Samuel Karp
  • Yang Yang
  • Akhil Mohan
  • ningmingxiao
  • Alberto Garcia Hierro
  • Chris Henzie
  • HirazawaUi
  • Jin Dong
  • Kirtana Ashok
  • Paweł Gronowski
  • Vinayak Goyal
Changes
49 commits

  • Prepare release notes for v2.0.6 (#​12145)
  • ci: bump Go 1.23.11, 1.24.5 (#​12116)
  • go.mod: golang.org/x/* latest (#​12097)
  • Fix lazy gRPC connection mode waiting for connect on client creation (#​12080)
    • bed6d1401 client/New: Don't unlazy the gRPC connection implicitly
  • Fix containerd panic when sandbox extension is missing (#​12077)
    • 8094fa21a cri:fix containerd panic when can't find sandbox extension
  • Fix container io to close after runtime create failure (#​12051)
    • 552f717be bugfix:close container io when runtime create failed
  • Fix the panic caused by the failure of RunPodSandbox (#​12047)
    • c4394d05a Fix the panic caused by the failure of RunPodSandbox
  • ci: bump golang [1.23.10, 1.24.4] in build and release (#​11969)
    • 54f923a30 ci: bump golang [1.23.10, 1.24.4] in build and release
    • 2de777dfe ci: bump golang [1.23.9, 1.24.3] in build and release
  • Enable CIs to run on WS2022 and WS2025 (#​11970)
    • 9724cd5ea Enable CIs to run on WS2022 and WS2025
  • Fix incompatibility with some pre-v3 shims (#​11973)
    • 7fc3151fc *: properly shutdown non-groupable shims to prevent resource leaks
    • 4396336a1 core/runtime: should invoke shim binary
    • 10bcc6929 Revert "not set sandbox id when use podsandbox type"
    • f38eb62b6 integration: add testcase to recover ungroupable shim
    • 2358561d5 Update release upgrade tests to test 1.7 and 2.0
    • 8931b1464 Fix upgrade test runtime config
  • Fetch image with default platform only in TestExportAndImportMultiLayer (#​11944)
    • fc9235910 Fetch image with default platform only in TestExportAndImportMultiLayer
  • Add extension to sandbox metadata store on create sandbox (#​11808)
    • f8679737e store extension when create sandbox in store
  • Fix cross-repo mount fallback after authorization failure (#​11832)
    • cbfa66223 fix(docker pusher): if authorizing a cross-repo mount fails, fall back
  • .github: do not mark 2.0 releases as latest (#​11820)
    • 7bf4d0a40 .github: do not mark 2.0 releases as latest
  • Update runc binary to v1.3.0 (#​11801)
  • Revert "disable portmap test in ubuntu-22 to make CI happy" (#​11784)
    • 7cf3c604e fix unbound SKIP_TEST variable error
    • 827be7c9d Revert "disable portmap test in ubuntu-22 to make CI happy"
  • Update containerd config dump to reflect plugin config migrations (#​11772)
    • 626a57dd7 fix: update containerd config dump to reflect plugin config migrations.
  • core/transfer/local: should not mark completed if it's not found (#​11768)
    • 983dd336f core/transfer/local: should not mark complete if it's not found
  • Fix issue where Prometheus metric names changed for CRI (#​11750)
    • d2a30ea0c Revert criserver metrics subsystem back to cri
  • Fix issue preventing some v2 shims from shutting down properly (#​11741)
    • e9804ee0e not set sandbox id when use podsandbox type
  • [CI] Fix vagrant (#​11740)

Dependency Changes
  • golang.org/x/crypto v0.36.0 -> v0.40.0
  • golang.org/x/exp aacd6d4 -> 6ae5c78
  • golang.org/x/mod v0.21.0 -> v0.26.0
  • golang.org/x/net v0.37.0 -> v0.42.0
  • golang.org/x/oauth2 v0.28.0 -> v0.30.0
  • golang.org/x/sync v0.12.0 -> v0.16.0
  • golang.org/x/sys v0.31.0 -> v0.34.0
  • golang.org/x/term v0.30.0 -> v0.33.0
  • golang.org/x/text v0.23.0 -> v0.27.0
  • golang.org/x/time v0.3.0 -> v0.12.0

Previous release can be found at v2.0.5



Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.



This PR has been generated by Renovate Bot.
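The chmod workaround in the CVE-2024-25621 advisory above lists three directories but gives no way to confirm a host's state before or after patching. The script below is an added example written for this page, not the containerd project's code and not part of the advisory: it audits those directories for group/other permission bits, leaves out the two directories the advisory says intentionally stay 0711, and optionally applies the advisory's chmod 700. The script name, the FIX variable and the reliance on GNU `stat -c` are my assumptions; if the daemon configuration moves root, state or the temp directory, the DIRS list must be edited to match.

```shell
#!/bin/sh
# audit-containerd-dirs.sh (added example, not containerd's code): report the
# directories from the CVE-2024-25621 advisory that still grant group/other
# access, and optionally chmod them to 0700 as the advisory's workaround does.
# Reading modes needs no privilege; FIX=1 needs root. Assumes GNU `stat -c`.

# Directories the advisory says must be 0700. Edit this list if the daemon
# config overrides root/state or sets a temp directory (also 0700 per the advisory).
DIRS="/var/lib/containerd
/run/containerd/io.containerd.grpc.v1.cri
/run/containerd/io.containerd.sandbox.controller.v1.shim"
# Deliberately absent: /run/containerd and /run/containerd/io.containerd.runtime.v2.task,
# which the advisory says stay 0711 on purpose (userns-remapped containers).

# dir_is_private DIR: 0 if DIR grants nothing to group or other, 1 if it does,
# 2 if DIR cannot be stat'ed.
dir_is_private() {
    mode=$(stat -c '%a' "$1" 2>/dev/null) || return 2
    mode=${mode#"${mode%???}"}   # keep the last three octal digits; drops a leading setuid/setgid/sticky digit
    case "$mode" in
        ?00) return 0 ;;
        *)   return 1 ;;
    esac
}

# audit_dirs: print one WARN line per offending directory in $DIRS (missing
# directories are skipped) and return how many were found, fixed or not.
audit_dirs() {
    problems=0
    for d in $DIRS; do      # unquoted on purpose: split on the newlines in DIRS
        [ -d "$d" ] || continue
        if ! dir_is_private "$d"; then
            printf 'WARN %s is mode %s, expected 0700\n' "$d" "$(stat -c '%a' "$d")"
            problems=$((problems + 1))
            if [ "${FIX:-0}" = 1 ]; then
                chmod 700 "$d" && printf 'FIXED %s\n' "$d"
            fi
        fi
    done
    return $problems
}

# Run the audit when executed as a script; sourcing the file only defines the functions.
case "${0##*/}" in
    audit-containerd-dirs.sh) audit_dirs ;;
esac
```

Run `sh audit-containerd-dirs.sh` as any user to check, or `FIX=1 sh audit-containerd-dirs.sh` as root to correct; a non-zero exit status is the number of offending directories. The fixed releases (2.2.0, 2.1.5, 2.0.7, 1.7.29) reset these modes themselves, so the script is for hosts that cannot upgrade yet and for confirming the reset actually happened after an upgrade.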

@anaconda-renovate (author) commented:

ℹ Artifact update notice

File name: go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

  • 3 additional dependencies were updated

Details:

Package Change
golang.org/x/exp v0.0.0-20250408133849-7e4ce0ab07d0 -> v0.0.0-20250711185948-6ae5c78190dc
golang.org/x/mod v0.25.0 -> v0.26.0
golang.org/x/tools v0.34.0 -> v0.35.0
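The CVE-2025-64329 workaround above names a Validating Admission Policy as one way to gate pods/attach until containerd is patched, but shows none. Below is an added example, not from the containerd advisory or the Kubernetes project: a shell function that renders a ValidatingAdmissionPolicy and its binding (API group admissionregistration.k8s.io/v1, so Kubernetes 1.30 or later) denying CONNECT on pods/attach unless the caller belongs to an allow-listed group. The policy name `restrict-pods-attach` and the default group name `containerd-attach-allowed` are my assumptions; the group is a parameter.

```shell
#!/bin/sh
# Added example (not from the containerd advisory or the Kubernetes project):
# render a ValidatingAdmissionPolicy plus binding that denies pods/attach unless
# the requesting user is in an allow-listed group. Apply with kubectl (1.30+).

# render_attach_policy GROUP: print the policy and its binding as one YAML stream.
# GROUP defaults to the assumed name containerd-attach-allowed.
render_attach_policy() {
    group=${1:-containerd-attach-allowed}
    cat <<EOF
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingAdmissionPolicy
metadata:
  name: restrict-pods-attach
spec:
  failurePolicy: Fail
  matchConstraints:
    resourceRules:
      - apiGroups: [""]
        apiVersions: ["v1"]
        operations: ["CONNECT"]   # kubectl attach is a CONNECT on the attach subresource
        resources: ["pods/attach"]
  validations:
    - expression: "has(request.userInfo.groups) && '${group}' in request.userInfo.groups"
      message: "pods/attach is restricted while CVE-2025-64329 is unpatched"
---
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingAdmissionPolicyBinding
metadata:
  name: restrict-pods-attach
spec:
  policyName: restrict-pods-attach
  validationActions: ["Deny"]
EOF
}

# Usage: render_attach_policy ops-attach | kubectl apply -f -
```

Two caveats a practitioner will want. The policy only gates attach requests that pass through the API server, so anything that talks to the containerd CRI socket on the node directly (crictl attach, for instance) is unaffected; and if nobody needs attach at all, simply not granting the create verb on pods/attach in RBAC is the simpler control. Either way it is a stopgap; the fix is the upgrade to 2.2.0, 2.1.5, 2.0.7 or 1.7.29 listed in the advisory.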
