chore(deps): update module github.com/containerd/containerd to v1.6.38 [security]

[renovate]

This PR contains the following updates:

Package	Type	Update	Change	OpenSSF
github.com/containerd/containerd	indirect	patch	v1.6.26 -> v1.6.38

GitHub Vulnerability Alerts

CVE-2024-40635

Impact

A bug was found in containerd where containers launched with a User set as a UID:GID larger than the maximum 32-bit signed integer can cause an overflow condition where the container ultimately runs as root (UID 0). This could cause unexpected behavior for environments that require containers to run as a non-root user.

Patches

This bug has been fixed in the following containerd versions:

• 2.0.4 (Fixed in containerd/containerd@1a43cb6)
• 1.7.27 (Fixed in containerd/containerd@05044ec)
• 1.6.38 (Fixed in containerd/containerd@cf158e8)

Users should update to these versions to resolve the issue.

Workarounds

Ensure that only trusted images are used and that only trusted users have permissions to import images.

Credits

The containerd project would like to thank Benjamin Koltermann and emxll for responsibly disclosing this issue in accordance with the containerd security policy.

References

• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-40635

For more information

If you have any questions or comments about this advisory:

• Open an issue in containerd
• Email us at security@containerd.io

To report a security issue in containerd:

• Report a new vulnerability
• Email us at security@containerd.io

---

Release Notes

containerd/containerd (github.com/containerd/containerd)

v1.6.38: containerd 1.6.38

Compare Source

Welcome to the v1.6.38 release of containerd!

The thirty-eighth patch release for containerd 1.6 contains various fixes
and updates.

Highlights

• Fix integer overflow in User ID handling (GHSA-265r-hfxg-fhmg)

Container Runtime Interface (CRI)

• Fix fatal map concurrency error in httpstream (#​11319)

Please try out the release binaries and report any issues at
https://github.com/containerd/containerd/issues.

Contributors

• Jin Dong
• Akhil Mohan
• Derek McGowan
• Phil Estes
• Akihiro Suda
• Craig Ingram
• Kohei Tokunaga
• Maksym Pavlenko
• Samuel Karp
• ningmingxiao

Changes

19 commits

• cf158e884 Merge commit from fork
• 9639b9625 validate uid/gid
• Prepare release notes for v1.6.38 (#​11539)
  • eee34bac2 Prepare release notes for v1.6.38
• update build to go1.23.7, test go1.24.1 (#​11421)
  • b67a35baf move exclude-dirs to issues.exclude-dirs
  • 2104a41ef update golangci-lint to 1.60.1
  • 820e81adc update build to go1.23.7, test go1.24.1
• Remove hashicorp/go-multierror dependency and fix CI (#​11500)
  • 7cc3b3dce e2e: use the shim bundled with containerd artifact
  • 0733895f3 Remove unnecessary joinError unwrap
  • 054c4cc79 Remove hashicorp/go-multierror
  • ff21be0ee Update go to 1.20 to use its multi error support
  • f63b5fd3f update containerd/project-checks to 1.2.1
• Fix fatal map concurrency error in httpstream (#​11319)
  • abd1692cf fix fatal error: concurrent map iteration and map write
• CI: arm64-8core-32gb -> ubuntu-24.04-arm (#​11438)
  • f5ab73c0a CI: arm64-8core-32gb -> ubuntu-24.04-arm
  • 2cc6b5b0a increase xfs base image size to 300Mb

Dependency Changes

This release has no dependency changes

Previous release can be found at v1.6.37

v1.6.37: containerd 1.6.37

Compare Source

Welcome to the v1.6.37 release of containerd!

The thirty-seventh patch release for containerd 1.6 contains various fixes
and updates.

Highlights

• Update runc binary to v1.2.5 (#​11396)
• Fix the race condition during GC of snapshots when client retries (#​10764)

Container Runtime Interface (CRI)

• Update the container exit log to info level (#​11008)
• Handle teardown failure to avoid blocking cleanup (#​10778)
• Add check for CNI plugins before tearing down pod network (#​10766)

Runtime

• Fix console TTY leak in runc shim (#​11359)
• Fix panic due to nil dereference cgroups v2 (#​11100)

Please try out the release binaries and report any issues at
https://github.com/containerd/containerd/issues.

Contributors

• Phil Estes
• Akihiro Suda
• Maksym Pavlenko
• Akhil Mohan
• Austin Vazquez
• Derek McGowan
• Samuel Karp
• Henry Wang
• Jin Dong
• Jing Xu
• Sebastiaan van Stijn
• Wei Fu
• Benjamin Peterson
• Kazuyoshi Kato
• Saket Jajoo
• Sameer
• Zou Nengren
• bo.jiang
• jinda.ljd
• ningmingxiao

Changes

59 commits

• Prepare release notes for v1.6.37 (#​11429)
  • 16ba72ad9 Prepare release notes for v1.6.37
• Fix console TTY leak in runc shim (#​11359)
  • 3e6f219d7 Add integ test to check tty leak
  • bc20f7457 fix master tty leak due to leaking init container object
• Update install-imgcrypt to allow change install repo (#​11418)
  • cbd44298c Update install-imgcrypt to allow change install repo
• Update runc binary to v1.2.5 (#​11396)
  • 9918dc4e3 Update runc binary to v1.2.5
• Update vagrant host OS to fix Vagrant CI runs (#​11348)
  • d92457c71 Remove vagrant scp from the install list
• update runc binary to v1.2.4 (#​11237)
  • 315a23dd9 update runc binary to v1.2.4
• update runc binary to v1.2.3 (#​11144)
  • 79f6df6f4 update runc binary to v1.2.3
• update build to go1.22.10, test go1.23.4 (#​11112)
  • bf89950f5 update build to go1.22.10, test go1.23.4
• Fix panic due to nil dereference cgroups v2 (#​11100)
  • db096794f fix panic due to nil dereference cgroups v2
• Add almalinux/9 in CI (#​11055)
  • 3a0f138b0 add almalinux/9 in CI
• Update the container exit log to info level (#​11008)
  • aca1ca440 add info of exited event
• update runc binary to 1.2.2 (#​11028)
  • 4eaef56a2 update runc binary to 1.2.2
• Revert "Disable vagrant strict dependency checking" (#​11010)
  • f42035a21 Revert "Disable vagrant strict dependency checking"
• update build to go1.22.9, test go1.23.3 (#​10975)
  • 20958cbb0 update build to go1.22.9, test go1.23.3
• backport: Disable vagrant strict dependency checking (#​10966)
  • edb3df5ab Disable vagrant strict dependency checking
• Update critools-version to 1.29 (#​10929)
  • 9eca374a4 Update critools-version to 1.29 in release 1.6
• update runc binary to 1.2.1 (#​10941)
  • 6134f736d update runc binary to 1.2.1
• services/snapshots: include name of snapshotter in debug logs (#​10932)
  • 4e54972f0 services/snapshots: include name of snapshotter in debug logs
• Make TestContainerPids more resilient (#​10937)
  • d7c7a12f3 Make TestContainerPids more resilient
• Add After=dbus.service to containerd.service (#​10860)
  • e6d8e5e9c Add After=dbus.service to containerd.service
• Handle teardown failure to avoid blocking cleanup (#​10778)
  • b1f8b03e7 Handle teardown failure to avoid blocking cleanup
• Switch from actuated.dev to GH Action runners for arm64 (#​10823)
  • ba411483a Switch from actuated.dev to GH Action runners for arm64
  • 8c58f78c2 Update github actions ci to run on forks
• bump golangci/golangci-lint-action from 4 to 6 (#​10819)
  • e4211a530 bump golangci/golangci-lint-action from 4 to 6
• update to go1.23.2,go1.22.8 (#​10809)
  • 1ca261fe4 update to go1.23.2,go1.22.8
• Update runner images to macOS13 (#​10784)
  • 1c96f2391 Update runner images to macOS13
• Bump crun to 1.16.1 (#​10775)
  • 1ba7381cf Bump crun to 1.16
  • afc84d092 CI: bump up crun to 1.15
• Fix the race condition during GC of snapshots when client retries (#​10764)
  • 74951d6cf Fix the race condition during GC of snapshots when client retries
• Add check for CNI plugins before tearing down pod network (#​10766)
  • ca6516ee8 [release/1.6] Add check for CNI plugins before tearing down pod network

Dependency Changes

This release has no dependency changes

Previous release can be found at v1.6.36

v1.6.36: containerd 1.6.36

Compare Source

Welcome to the v1.6.36 release of containerd!

The thirty-sixth patch release for containerd 1.6 contains various fixes
and updates.

Highlights

• Ensure the CRIAPIV1Alpha2 warning's lastOccurrence is accurate (#​10582)

Build and Release Toolchain

• Update to go1.22.7, go1.23.1 (#​10680)

Container Runtime Interface (CRI)

• Cumulative stats can't decrease (#​10671)
• Fix memory leak with kubectl exec >= 1.30.0 (#​10574)

Runtime

• Fix bug where init exits were being dropped (#​10676)
• Update runc binary to 1.1.14 (#​10667)

Deprecations

• Ensure the CRIAPIV1Alpha2 warning's lastOccurrence is accurate (#​10582)

Please try out the release binaries and report any issues at
https://github.com/containerd/containerd/issues.

Contributors

• Samuel Karp
• Davanum Srinivas
• Akhil Mohan
• Akihiro Suda
• Laura Brehm
• Sebastiaan van Stijn
• Chris Henzie
• Cory Snider
• Derek McGowan
• James Sturtevant
• Maksym Pavlenko
• Mike Brown
• Phil Estes
• Shengjing Zhu

Changes

32 commits

• Prepare release notes for v1.6.36 (#​10685)
  • 7fee84514 Prepare release notes for v1.6.36
• integration: regression test for issue 10589 (#​10683)
  • ab9fedde2 integration: regression test for issue 10589
  • d0989e952 fifosync: cross-process synchronization
• Fix bug where init exits were being dropped (#​10676)
  • c9617c321 runc-shim: handle pending execs as running
  • 15ad6ac67 runc-shim: refuse to start execs after init exits
  • 7e6a18c24 runc-shim: remove misleading comment
• Update to go1.22.7, go1.23.1 (#​10680)
  • 951af274c update to go1.22.7, go1.23.1
• Cumulative stats can't decrease (#​10671)
  • c8e5b1eb6 Cumulative stats can't decrease
• move builds to go1.22 and testing to go1.23 (#​10595)
  • 0bbc90aee use git clone to install gogo/protobuf
  • 383b2dcd1 move builds to go1.22 and testing to go1.23
• Update runc binary to 1.1.14 (#​10667)
  • fd70da38b update runc binary to 1.1.14
• Fix TestNewBinaryIOCleanup on Go 1.23 and Linux 5.4 (#​10591)
  • 4fd7d4eef Fix TestNewBinaryIOCleanup on Go 1.23 and Linux 5.4
• Fix memory leak with kubectl exec >= 1.30.0 (#​10574)
  • 6f9efd3a9 hide wsstream under internal/ to prevent external use
  • 4694b84e8 golangci-lint should only look for problems in new code
  • 05c2b1413 Run go mod tidy
  • a7b0c015d Add copyright headers
  • 78f079926 switch over references to the new package
  • 64430d636 Fix up some constant references
  • a37b08102 Copy over wsstream from k8s v1.31.0-rc.1 release
• Ensure the CRIAPIV1Alpha2 warning's lastOccurrence is accurate (#​10582)
  • d727961d2 Update CRIAPIV1Alpha2 warning lastOccurrence every call
• update to go1.21.13 / go1.22.6 (#​10577)
  • be0f0db07 update to go1.21.13 / go1.22.6

Dependency Changes

This release has no dependency changes

Previous release can be found at v1.6.35

v1.6.35: containerd 1.6.35

Compare Source

Welcome to the v1.6.35 release of containerd!

The thirty-fifth patch release for containerd 1.6 contains various fixes
and updates.

Highlights

• Regenerate UUID if state is empty in introspection service (#​10511)
• Set stderr to empty string when using terminal on Windows (#​10500)

Container Runtime Interface (CRI)

• Revert HPC working directory fix in pkg/cri/server code (#​10549)
• Make StopPodSandbox RPC idempotent (#​10531)

Runtime

• Fix packaged runc reporting incorrect version (#​10558)
• Ensure /run/containerd gets created with correct perms (#​10535)

Deprecations

• Update warnings for deprecated CRI config fields (#​10525)

Please try out the release binaries and report any issues at
https://github.com/containerd/containerd/issues.

Contributors

• Phil Estes
• Samuel Karp
• Kazuyoshi Kato
• Kirtana Ashok
• Sascha Grunert
• Akihiro Suda
• Derek McGowan
• Erikson Tung
• Iceber Gu
• Maksym Pavlenko
• Mauri de Souza Meneguzzo
• Sebastiaan van Stijn
• TinaMor
• Wei Fu
• rongfu.leng

Changes

24 commits

• Prepare release notes for v1.6.35 (#​10565)
  • 849650ab7 Prepare release notes for v1.6.35
• Fix TestNewBinaryIOCleanup failing with gotip (#​10555)
  • 4ec5cd6bd Fix TestNewBinaryIOCleanup failing with gotip
• Fix packaged runc reporting incorrect version (#​10558)
  • 9539b9b7b script/setup/install-runc: fix runc using incorrect version
• Revert HPC working directory fix in pkg/cri/server code (#​10549)
  • c3c2b4eec Revert "[release/1.7]: HPC working directory fix in pkg/cri/server code"
• update auths code comment (#​10537)
  • 65cf37bcb update auths code comment
• Ensure /run/containerd gets created with correct perms (#​10535)
  • b1ef73e76 Ensure /run/containerd is created with correct perms
• Make StopContainer RPC idempotent (#​10530)
  • 7134b03ba Make StopContainer RPC idempotent
• Make StopPodSandbox RPC idempotent (#​10531)
  • 18ea8f288 Make StopPodSandbox RPC idempotent
• Update warnings for deprecated CRI config fields (#​10525)
  • ed87e4787 deprecation: update warnings for CRI config fields
• client: fix tasks with PID 0 cannot be forced to delete (#​10524)
  • 5c8818782 client: fix tasks with PID 0 cannot be forced to delete
• Regenerate UUID if state is empty in introspection service (#​10511)
  • a4846fc0d introspection: regenerate UUID if state is empty
• Set stderr to empty string when using terminal on Windows (#​10500)
  • 484705c62 Set stderr to empty string when using terminal on Windows.

Dependency Changes

This release has no dependency changes

Previous release can be found at v1.6.34

v1.6.34: containerd 1.6.34

Compare Source

Welcome to the v1.6.34 release of containerd!

The thirty-fourth patch release for containerd 1.6 contains various fixes
and updates.

Highlights

• Remove overlayfs volatile option on temp mounts (#​10333)
• Update runc binary to v1.1.13 (#​10335)

Container Runtime Interface (CRI)

• Handle empty DNSConfig differently than unspecified (#​10463)
• Fix HPC working directory in pkg/cri/server code (#​10361)

Runtime

• Prepare release notes for v1.6.34 (#​10480)
• Support for dropping inheritable capabilities (#​10470)

Please try out the release binaries and report any issues at
https://github.com/containerd/containerd/issues.

Contributors

• Derek McGowan
• Akihiro Suda
• Sebastiaan van Stijn
• Wei Fu
• Akhil Mohan
• Maksim An
• Maksym Pavlenko
• Mike Brown
• Phil Estes
• Samuel Karp
• Tim Hockin
• Yuanyuan Lei
• krglosse

Changes

26 commits

• Prepare release notes for v1.6.34 (#​10480)
  • b2863e9e7 Prepare release notes for v1.6.34
• Handle empty DNSConfig differently than unspecified (#​10463)
  • b7d06a619 CRI: An empty DNSConfig != unspecified
• Support for dropping inheritable capabilities (#​10470)
  • 8d2739857 Support for dropping inheritable capabilities
• errdefs: denote deprecation as a godoc comment (#​10425)
  • ce685376f errdefs: denote deprecation as a godoc comment
• update to go1.21.12 / go1.22.5 (#​10427)
  • 634ae543d update to go1.21.12 / go1.22.5
• Updating hcsshim vendoring to 0.9.12 to include an important backported fix (#​10398)
  • a0adb2933 Updating hcsshim to 0.9.12
• golangci-lint: enable depguard for packages that moved (#​10368)
  • 3ea0c4983 golangci-lint: enable depguard for packages that moved
• Fix HPC working directory in pkg/cri/server code (#​10361)
  • 086e1f56e [release/1.7]: HPC working directory fix in pkg/cri/server code
• Remove overlayfs volatile option on temp mounts (#​10333)
  • 166283a34 integration: backport upgrade testsuite's utils
  • 990a05d0a *: export RemoveVolatileOption for CRI image volumes
  • a894b5f81 strip-volatile-option-tmp-mounts
• Update runc binary to v1.1.13 (#​10335)
  • f6ef0071b update runc binary to v1.1.13
• Update Fedora and EL linux version in vagrant (#​10339)
  • 89bb437f8 Remove rocklinux 9
  • 01fa3d0d7 Backport version from box string in Vagrantfile
  • 0be3788f5 Update Fedora and EL linux version

Dependency Changes

• github.com/Microsoft/hcsshim v0.9.11 -> v0.9.12

Previous release can be found at v1.6.33

v1.6.33: containerd 1.6.33

Compare Source

Welcome to the v1.6.33 release of containerd!

The thirty-third patch release for containerd 1.6 contains various updates along
with an updated version of Go. Go 1.22.4 and 1.21.11 include a fix for a symlink
time of check to time of use race condition during directory removal.

Highlights

• Update Go version to 1.21.11 (#​10299)
• Migrate log imports to github.com/containerd/log (#​10271)
• Migrate errdefs package to github.com/containerd/errdefs (#​10267)
• Fix usage of "unknown" platform (#​10268)

Please try out the release binaries and report any issues at
https://github.com/containerd/containerd/issues.

Contributors

• Derek McGowan
• Phil Estes
• Sebastiaan van Stijn
• Akhil Mohan
• Austin Vazquez
• Samuel Karp

Changes

14 commits

• Prepare release notes for v1.6.33 (#​10300)
  • 97e059626 Prepare release notes for v1.6.33
• Update Go version to 1.21.11 (#​10299)
  • da9a04e54 Includes fix for a symlink race on remove
• Migrate log imports to github.com/containerd/log (#​10271)
  • a389bb305 migrate logs imports to github.com/containerd/log module
• Migrate errdefs package to github.com/containerd/errdefs (#​10267)
  • 615fb03e4 replace uses of github.com/containerd/containerd/errdefs
  • c83be1b9e migrate errdefs package to github.com/containerd/errdefs module
• Fix usage of "unknown" platform (#​10268)
  • d4d489496 core/image: fix usage of "unknown" platform
• Explicitly set release latest to false (#​10263)
  • 5eaf5f881 Explicitly set release latest to false
  • b51f7445d build(deps): bump softprops/action-gh-release from 1 to 2

Changes from containerd/errdefs

6 commits

• Add common files (containerd/errdefs#1)
  • 78f3494 Add Github actions configuration
  • 46f1770 Add go.mod configuration
  • 959121a Add README.md
• Add LICENSE (containerd/errdefs#2)
  • 33a2275 Add LICENSE

Dependency Changes

• github.com/containerd/errdefs v0.1.0 new

Previous release can be found at v1.6.32

v1.6.32: containerd 1.6.32

Compare Source

Welcome to the v1.6.32 release of containerd!

The thirty-second patch release for containerd 1.6 contains various fixes and updates.

Highlights

• Handle unsupported config versions (#​10234)
• Preserve CL_UNPRIVILEGED locked flags during remount of bind mounts (#​10212)
• Update metadata snapshotter to lease on already exists (#​10199)
• Update apparmor template to allow confined runc to kill containers (#​10130)
• Prevent GC from schedule itself with 0 period. (#​10103)
• Configure otel from env instead of config.toml (#​9993)

Container Runtime Interface (CRI)

• Fix snapshotter root path when not under containerd root (#​10127)
• Fix CreatedAt time set to 269 years ago if create network failed (#​10119)
• Fix unexpected order of mounts (#​10045)

Image Distribution

• Update HTTP fallback to better account for TLS timeout and previous attempts (#​10113)
• Fix use of invalid token on retry fetching layer (#​10064)

Deprecations

• Configure otel from env instead of config.toml (#​9993)

Please try out the release binaries and report any issues at
https://github.com/containerd/containerd/issues.

Contributors

• Stefan Berger
• Derek McGowan
• Austin Vazquez
• Kazuyoshi Kato
• Phil Estes
• Brian Goff
• Akihiro Suda
• Maksym Pavlenko
• Danny Canter
• Samuel Karp
• Alexandru Matei
• Bin Tang
• Brandon Lum
• Bryant Biggs
• Jimmy Hsiao
• Kirill A. Korinsky
• Paweł Gronowski
• Sebastiaan van Stijn
• Swagat Bora
• Tomáš Virtus
• Tony Fang
• 张钰
• 沈陵

Changes

53 commits

• Prepare release notes for v1.6.32 (#​10255)
  • 085dc4c0d Prepare release notes for v1.6.32
• Bump hcsshim and go-winio for go1.22 compat (#​10245)
  • 06724baad Bump go-winio to fix struct alignment on go1.22
  • b2fdf63b7 Update hcsshim for go1.22 fixes
• Handle unsupported config versions (#​10234)
  • 38607b59c Add check for unsupported config versions
• Preserve CL_UNPRIVILEGED locked flags during remount of bind mounts (#​10212)
  • c65da6997 Preserve CL_UNPRIVILEGED locked flags during remount of bind mounts
• vendor: github.com/containerd/imgcrypt@v1.1.8 (#​10216)
  • 6951203b1 vendor: github.com/containerd/imgcrypt@v1.1.8
• vendor: golang.org/x/net@v0.23.0 (#​10214)
  • a14e5ec8b vendor: golang.org/x/net@v0.23.0
  • fd21d7818 vendor: golang.org/x/net@v0.21.0
  • d276debb0 vendor: golang.org/x/net@v0.20.0
  • f82033dcf vendor: golang.org/x/net@v0.19.0
  • 411c5e5e5 vendor: golang.org/x/term@v0.17.0
  • 6f053bd1f vendor: golang.org/x/sys@v0.18.0
  • cfd8443cb vendor: golang.org/x/sys@v0.17.0
• Update tooling to Go 1.21.10, 1.22.3 for net/http bug fixes (#​10208)
  • 5b4facbd6 Update toolchain to Go 1.21.10 and 1.22.3
• Update metadata snapshotter to lease on already exists (#​10199)
  • 57860c1b6 Add lease test for metadata snapshotter
  • b095401df Update metadata snapshotter to lease on exists
• Update image-spec (#​10185)
  • fd8d35752 Update image-spec to v1.1.0
  • 89b975d81 go.mod: github.com/opencontainers/image-spec v1.1.0-rc3
• Fix snapshotter root path when not under containerd root (#​10127)
  • f3e8b2ca1 CRI: "Fix" imageFSPath behavior
  • 68db74d19 Snapshotters: Export the root path
  • cd9b74640 Add exports to proxy plugin config
  • 83cf026b2 Add platform config to proxy plugins
• Update apparmor template to allow confined runc to kill containers (#​10130)
  • 63c41d003 apparmor: Allow confined runc to kill containers
• Update HTTP fallback to better account for TLS timeout and previous attempts (#​10113)
  • b12c3b0c8 Add deprecated HTTPFallback for package compatibility
  • 239955890 Update HTTPFallback to handle tls handshake timeout
  • b2a0ac0b4 Remove empty default tls configuration in ctr
• update to go1.21.9, go1.22.2 (#​10117)
  • ea9a8c608 update to go1.21.9, go1.22.2
• Fix CreatedAt time set to 269 years ago if create network failed (#​10119)
  • c809fa268 pod: CreatedAt time will be 269 years ago while creating cri network failed.
• Prevent GC from schedule itself with 0 period. (#​10103)
  • 6ddec44bd Prevent GC from schedule itself with 0 period.
• Configure otel from env instead of config.toml (#​9993)
  • 86a1a3a82 vendor: revendor OTEL
  • e15d4a8b8 Changes to configuring otel from env only
  • 2fda262a9 Deprecate otel configs
  • c80347ec5 Adding unit tests to opentelemetry tracing
• Fix use of invalid token on retry fetching layer (#​10064)
  • f1a14a12a fix bug that using invalid token to retry fetching layer
• Fix unexpected order of mounts (#​10045)
  • 9701cf998 fix(cri): fix unexpected order of mounts since go 1.19

Changes from containerd/imgcrypt

89 commits

• CHANGES: Updated CHANGES document for 1.1.8 release (containerd/imgcrypt#122)
  • 956b4d3 CHANGES: Updated CHANGES document for 1.1.8 release
• Synchronize enc-ctr with upstream ctr from containerd v1.6.23 and use containerd v1.6.23 in dependency (containerd/imgcrypt#120)
  • 9e8e1c1 ctr: Sync code with containerd v1.6.23 ctr
  • 7d2cca5 build(deps): bump containerd from 1.6.20 to 1.6.23
• Synchronize enc-ctr with upstream ctr from containerd v1.6.20 (containerd/imgcrypt#119)
  • 0f2559e ctr: Sync code with containerd v1.6.20 ctr
  • c48dd78 cmd: Copy IntToInt32Array into img package and use it
• Update to ocicrypt 1.1.8 and minimum go 1.20 (containerd/imgcrypt#118)
  • 6d48a4e build(deps): bump ocicrypt from 1.1.7 to 1.1.8
  • 1bc94a2 github: Use golangci-lint v1.54.1 and adjust config file
  • 9065f1d github: Test with go 1.21 and go 1.20
  • 74986f3 go.mod: Require go 1.20
• build(deps): bump google.golang.org/grpc from 1.47.0 to 1.53.0 (containerd/imgcrypt#117)
  • a2a8273 build(deps): bump google.golang.org/grpc from 1.47.0 to 1.53.0
• test: Test creating and running of container with key file missing (containerd/imgcrypt#116)
  • 286470a test: Test creating and running of container with key file missing
• Fix some issues in the test script (containerd/imgcrypt#115)
  • aa517cc test: Fix order of parameters and remove unnecessary key parameter
  • ec72311 test: Add comments to test case
  • 2959ec0 test: To be able to run testLocalKeys alone add missing env variable
• build(deps): upgrade github.com/containerd/containerd from 1.6.18 to … (containerd/imgcrypt#112)
  • a7f2760 build(deps): upgrade github.com/containerd/containerd from 1.6.18 to 1.6.20
• ci: Update golangci-lint to v1.52.2 (containerd/imgcrypt#113)
  • 002abac images: Change 'any' to 'anything' to avoid clash with built-in type 'any'
  • 5780ecc images: Replace unused function parameters with '_'
  • 7dc8592 ci: Update golangci-lint to v1.52.2
• build(deps): bump github.com/opencontainers/runc from 1.1.2 to 1.1.5 (containerd/imgcrypt#109)
  • 90e4f77 build(deps): bump github.com/opencontainers/runc from 1.1.2 to 1.1.5
• Abandon go 1.18 (end-of-life) and use 1.19 and 1.20 in tests (containerd/imgcrypt#110)
  • 8fc037f tests: Upgrade toml written by test case to version 2
  • 0b31beb ci: Run tests with go 1.19 and 1.20 (abandon 1.18)
  • 523674c build(deps): Update to minimum required go v1.19
• Update to golang.org/x/net@v0.7.0 and github.com/containers/ocicrypt@v1.1.7 (containerd/imgcrypt#107)
  • 96a2314 build(deps): Upgrade to github.com/containers/ocicrypt@v1.1.7
  • 1c50555 bulid(deps): Update to golang.org/x/net@v0.7.0
  • 9645d39 build(deps): Update to minimum required go v1.18
• build(deps): bump github.com/containerd/containerd from 1.6.12 to 1.6.18 (containerd/imgcrypt#106)
  • 8daaa45 build(deps): bump github.com/containerd/containerd from 1.6.12 to 1.6.18
• README: Fix a typo (containerd/imgcrypt#105)
  • 12e84f5 README: Fix a typo
• build(deps): bump github.com/containerd/containerd from 1.6.8 to 1.6.12 (containerd/imgcrypt#103)
  • 4e5a73e build(deps): bump github.com/containerd/containerd from 1.6.8 to 1.6.12
• Update golangci-lint to v1.50.1 (containerd/imgcrypt#101)
  • 16a071b Update golangci-lint to v1.50.1
• Remove references to package io/ioutil (containerd/imgcrypt#100)
  • 981a3fd Remove references to package io/ioutil
• Update GitHub actions CI workflow (containerd/imgcrypt#99)
  • 06827a1 Update containerd project checks package in CI
  • f6a39e1 Update GitHub actions packages in CI workflow
  • 6383351 Update GitHub actions CI workflow OS runner images
• CI/CD: Run CodeQL on PRs and once a month (containerd/imgcrypt#98)
  • b6e16db CI/CD: Run CodeQL on PRs and once a month
• CHANGES: Updated CHANGES document for 1.1.7 release (containerd/imgcrypt#97)
  • 17e5e7f CHANGES

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[renovate]

ℹ Artifact update notice

File name: app/platform/fabric/e2e-test/specs/go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

• 7 additional dependencies were updated

Details:

Package	Change
cloud.google.com/go	v0.110.4 -> v0.110.7
github.com/Microsoft/hcsshim	v0.9.10 -> v0.9.12
github.com/google/uuid	v1.3.0 -> v1.3.1
github.com/opencontainers/image-spec	v1.1.0-rc2.0.20221005185240-3a7f492d3f1b -> v1.1.0
golang.org/x/oauth2	v0.10.0 -> v0.11.0
google.golang.org/genproto	v0.0.0-20230711160842-782d3b101e98 -> v0.0.0-20230822172742-b8732ec3820d
google.golang.org/grpc	v1.58.3 -> v1.59.0

[sourcery-ai]

Reviewer's Guide by Sourcery

This PR updates the containerd dependency to v1.6.38 to address CVE-2024-40635, a security vulnerability that could allow containers to run as root. It also updates other dependencies for compatibility and bug fixes.

No diagrams generated as the changes look simple and do not need a visual representation.

File-Level Changes

Change	Details	Files
Updated the containerd dependency to address a security vulnerability where containers could run as root due to an integer overflow.	Updated github.com/containerd/containerd from v1.6.26 to v1.6.38.	app/platform/fabric/e2e-test/specs/go.mod app/platform/fabric/e2e-test/specs/go.sum
Updated dependencies to address compatibility issues and incorporate bug fixes.	Updated github.com/Microsoft/hcsshim from v0.9.10 to v0.9.12. Updated github.com/google/uuid from v1.3.0 to v1.3.1. Updated github.com/opencontainers/image-spec from v1.1.0-rc2.0.20221005185240-3a7f492d3f1b to v1.1.0. Updated golang.org/x/oauth2 from v0.10.0 to v0.11.0. Updated google.golang.org/genproto from v0.0.0-20230711160842-782d3b101e98 to v0.0.0-20230822172742-b8732ec3820d. Updated google.golang.org/grpc from v1.58.3 to v1.59.0.	app/platform/fabric/e2e-test/specs/go.mod app/platform/fabric/e2e-test/specs/go.sum

---

Tips and commands

Interacting with Sourcery

• Trigger a new review: Comment @sourcery-ai review on the pull request.
• Continue discussions: Reply directly to Sourcery's review comments.
• Generate a GitHub issue from a review comment: Ask Sourcery to create an
  issue from a review comment by replying to it. You can also reply to a
  review comment with @sourcery-ai issue to create an issue from it.
• Generate a pull request title: Write @sourcery-ai anywhere in the pull
  request title to generate a title at any time. You can also comment
  @sourcery-ai title on the pull request to (re-)generate the title at any time.
• Generate a pull request summary: Write @sourcery-ai summary anywhere in
  the pull request body to generate a PR summary at any time exactly where you
  want it. You can also comment @sourcery-ai summary on the pull request to
  (re-)generate the summary at any time.
• Generate reviewer's guide: Comment @sourcery-ai guide on the pull
  request to (re-)generate the reviewer's guide at any time.
• Resolve all Sourcery comments: Comment @sourcery-ai resolve on the
  pull request to resolve all Sourcery comments. Useful if you've already
  addressed all the comments and don't want to see them anymore.
• Dismiss all Sourcery reviews: Comment @sourcery-ai dismiss on the pull
  request to dismiss all existing Sourcery reviews. Especially useful if you
  want to start fresh with a new review - don't forget to comment
  @sourcery-ai review to trigger a new review!
• Generate a plan of action for an issue: Comment @sourcery-ai plan on
  an issue to generate a plan of action for it.

Customizing Your Experience

Access your dashboard to:

• Enable or disable review features such as the Sourcery-generated pull request
  summary, the reviewer's guide, and others.
• Change the review language.
• Add, remove or edit custom review instructions.
• Adjust other review settings.

Getting Help

• Contact our support team for questions or feedback.
• Visit our documentation for detailed guides and information.
• Keep in touch with the Sourcery team by following us on X/Twitter, LinkedIn or GitHub.

[sourcery-ai]

We have skipped reviewing this pull request. It seems to have been created by a bot (hey, renovate[bot]!). We assume it knows what it's doing!