diff --git a/SPECS/containerd2/CVE-2024-40635.patch b/SPECS/containerd2/CVE-2024-40635.patch
deleted file mode 100644
index a7604073e8a..00000000000
--- a/SPECS/containerd2/CVE-2024-40635.patch
+++ /dev/null
@@ -1,174 +0,0 @@ -From 07a0b5419c408e70ed90179ea3e5825d986f80af Mon Sep 17 00:00:00 2001 -From: Craig Ingram -Date: Tue, 11 Mar 2025 14:52:44 +0000 -Subject: [PATCH] (cherry picked from commit - de1341c201ffb0effebbf51d00376181968c8779) - ---- - pkg/oci/spec_opts.go | 24 +++++++-- - pkg/oci/spec_opts_linux_test.go | 92 +++++++++++++++++++++++++++++++++ - 2 files changed, 112 insertions(+), 4 deletions(-) - -diff --git a/pkg/oci/spec_opts.go b/pkg/oci/spec_opts.go -index 3b85d764ae10..f7b298122957 100644 ---- a/pkg/oci/spec_opts.go -+++ b/pkg/oci/spec_opts.go -@@ -22,6 +22,7 @@ import ( - "encoding/json" - "errors" - "fmt" -+ "math" - "os" - "path/filepath" - "runtime" -@@ -593,6 +594,20 @@ func WithUser(userstr string) SpecOpts { - defer ensureAdditionalGids(s) - setProcess(s) - s.Process.User.AdditionalGids = nil -+ // While the Linux kernel allows the max UID to be MaxUint32 - 2, -+ // and the OCI Runtime Spec has no definition about the max UID, -+ // the runc implementation is known to require the UID to be <= MaxInt32. -+ // -+ // containerd follows runc's limitation here. -+ // -+ // In future we may relax this limitation to allow MaxUint32 - 2, -+ // or, amend the OCI Runtime Spec to codify the implementation limitation. 
-+ const ( -+ minUserID = 0 -+ maxUserID = math.MaxInt32 -+ minGroupID = 0 -+ maxGroupID = math.MaxInt32 -+ ) - - // For LCOW it's a bit harder to confirm that the user actually exists on the host as a rootfs isn't - // mounted on the host and shared into the guest, but rather the rootfs is constructed entirely in the -@@ -611,8 +626,8 @@ func WithUser(userstr string) SpecOpts { - switch len(parts) { - case 1: - v, err := strconv.Atoi(parts[0]) -- if err != nil { -- // if we cannot parse as a uint they try to see if it is a username -+ if err != nil || v < minUserID || v > maxUserID { -+ // if we cannot parse as an int32 then try to see if it is a username - return WithUsername(userstr)(ctx, client, c, s) - } - return WithUserID(uint32(v))(ctx, client, c, s) -@@ -623,12 +638,13 @@ func WithUser(userstr string) SpecOpts { - ) - var uid, gid uint32 - v, err := strconv.Atoi(parts[0]) -- if err != nil { -+ if err != nil || v < minUserID || v > maxUserID { - username = parts[0] - } else { - uid = uint32(v) - } -- if v, err = strconv.Atoi(parts[1]); err != nil { -+ v, err = strconv.Atoi(parts[1]) -+ if err != nil || v < minGroupID || v > maxGroupID { - groupname = parts[1] - } else { - gid = uint32(v) -diff --git a/pkg/oci/spec_opts_linux_test.go b/pkg/oci/spec_opts_linux_test.go -index 9299fa1807b6..d34af356b103 100644 ---- a/pkg/oci/spec_opts_linux_test.go -+++ b/pkg/oci/spec_opts_linux_test.go -@@ -33,6 +33,98 @@ import ( - "golang.org/x/sys/unix" - ) - -+//nolint:gosec -+func TestWithUser(t *testing.T) { -+ t.Parallel() -+ -+ expectedPasswd := `root:x:0:0:root:/root:/bin/ash -+guest:x:405:100:guest:/dev/null:/sbin/nologin -+` -+ expectedGroup := `root:x:0:root -+bin:x:1:root,bin,daemon -+daemon:x:2:root,bin,daemon -+sys:x:3:root,bin,adm -+guest:x:100:guest -+` -+ td := t.TempDir() -+ apply := fstest.Apply( -+ fstest.CreateDir("/etc", 0777), -+ fstest.CreateFile("/etc/passwd", []byte(expectedPasswd), 0777), -+ fstest.CreateFile("/etc/group", []byte(expectedGroup), 
0777), -+ ) -+ if err := apply.Apply(td); err != nil { -+ t.Fatalf("failed to apply: %v", err) -+ } -+ c := containers.Container{ID: t.Name()} -+ testCases := []struct { -+ user string -+ expectedUID uint32 -+ expectedGID uint32 -+ err string -+ }{ -+ { -+ user: "0", -+ expectedUID: 0, -+ expectedGID: 0, -+ }, -+ { -+ user: "root:root", -+ expectedUID: 0, -+ expectedGID: 0, -+ }, -+ { -+ user: "guest", -+ expectedUID: 405, -+ expectedGID: 100, -+ }, -+ { -+ user: "guest:guest", -+ expectedUID: 405, -+ expectedGID: 100, -+ }, -+ { -+ user: "guest:nobody", -+ err: "no groups found", -+ }, -+ { -+ user: "405:100", -+ expectedUID: 405, -+ expectedGID: 100, -+ }, -+ { -+ user: "405:2147483648", -+ err: "no groups found", -+ }, -+ { -+ user: "-1000", -+ err: "no users found", -+ }, -+ { -+ user: "2147483648", -+ err: "no users found", -+ }, -+ } -+ for _, testCase := range testCases { -+ testCase := testCase -+ t.Run(testCase.user, func(t *testing.T) { -+ t.Parallel() -+ s := Spec{ -+ Version: specs.Version, -+ Root: &specs.Root{ -+ Path: td, -+ }, -+ Linux: &specs.Linux{}, -+ } -+ err := WithUser(testCase.user)(context.Background(), nil, &c, &s) -+ if err != nil { -+ assert.EqualError(t, err, testCase.err) -+ } -+ assert.Equal(t, testCase.expectedUID, s.Process.User.UID) -+ assert.Equal(t, testCase.expectedGID, s.Process.User.GID) -+ }) -+ } -+} -+ - //nolint:gosec - func TestWithUserID(t *testing.T) { - t.Parallel() diff --git a/SPECS/containerd2/CVE-2024-45338.patch b/SPECS/containerd2/CVE-2024-45338.patch deleted file mode 100644 index c2fb46031c5..00000000000 --- a/SPECS/containerd2/CVE-2024-45338.patch +++ /dev/null 
@@ -1,80 +0,0 @@ -From 8e66b04771e35c4e4125e8c60334b34e2423effb Mon Sep 17 00:00:00 2001 -From: Roland Shoemaker -Date: Wed, 04 Dec 2024 09:35:55 -0800 -Subject: [PATCH] html: use strings.EqualFold instead of lowering ourselves - -Instead of using strings.ToLower and == to check case insensitive -equality, just use strings.EqualFold, even when the strings are only -ASCII. This prevents us unnecessarily lowering extremely long strings, -which can be a somewhat expensive operation, even if we're only -attempting to compare equality with five characters. - -Thanks to Guido Vranken for reporting this issue. - -Fixes golang/go#70906 -Fixes CVE-2024-45338 - -Change-Id: I323b919f912d60dab6a87cadfdcac3e6b54cd128 -Reviewed-on: https://go-review.googlesource.com/c/net/+/637536 -LUCI-TryBot-Result: Go LUCI -Auto-Submit: Gopher Robot -Reviewed-by: Roland Shoemaker -Reviewed-by: Tatiana Bradley ---- - vendor/golang.org/x/net/html/doctype.go | 2 +- - vendor/golang.org/x/net/html/foreign.go | 3 +-- - vendor/golang.org/x/net/html/parse.go | 4 ++-- - 3 files changed, 4 insertions(+), 5 deletions(-) - -diff --git a/vendor/golang.org/x/net/html/doctype.go b/vendor/golang.org/x/net/html/doctype.go -index c484e5a..bca3ae9 100644 ---- a/vendor/golang.org/x/net/html/doctype.go -+++ b/vendor/golang.org/x/net/html/doctype.go -@@ -87,7 +87,7 @@ func parseDoctype(s string) (n *Node, quirks bool) { - } - } - if lastAttr := n.Attr[len(n.Attr)-1]; lastAttr.Key == "system" && -- strings.ToLower(lastAttr.Val) == "http://www.ibm.com/data/dtd/v11/ibmxhtml1-transitional.dtd" { -+ strings.EqualFold(lastAttr.Val, "http://www.ibm.com/data/dtd/v11/ibmxhtml1-transitional.dtd") { - quirks = true - } - } -diff --git a/vendor/golang.org/x/net/html/foreign.go b/vendor/golang.org/x/net/html/foreign.go -index 9da9e9d..e8515d8 100644 ---- a/vendor/golang.org/x/net/html/foreign.go -+++ b/vendor/golang.org/x/net/html/foreign.go -@@ -40,8 +40,7 @@ func htmlIntegrationPoint(n *Node) bool { - if n.Data == 
"annotation-xml" { - for _, a := range n.Attr { - if a.Key == "encoding" { -- val := strings.ToLower(a.Val) -- if val == "text/html" || val == "application/xhtml+xml" { -+ if strings.EqualFold(a.Val, "text/html") || strings.EqualFold(a.Val, "application/xhtml+xml") { - return true - } - } -diff --git a/vendor/golang.org/x/net/html/parse.go b/vendor/golang.org/x/net/html/parse.go -index 038941d..cb012d8 100644 ---- a/vendor/golang.org/x/net/html/parse.go -+++ b/vendor/golang.org/x/net/html/parse.go -@@ -1031,7 +1031,7 @@ func inBodyIM(p *parser) bool { - if p.tok.DataAtom == a.Input { - for _, t := range p.tok.Attr { - if t.Key == "type" { -- if strings.ToLower(t.Val) == "hidden" { -+ if strings.EqualFold(t.Val, "hidden") { - // Skip setting framesetOK = false - return true - } -@@ -1459,7 +1459,7 @@ func inTableIM(p *parser) bool { - return inHeadIM(p) - case a.Input: - for _, t := range p.tok.Attr { -- if t.Key == "type" && strings.ToLower(t.Val) == "hidden" { -+ if t.Key == "type" && strings.EqualFold(t.Val, "hidden") { - p.addElement() - p.oe.pop() - return true --- -2.25.1 - diff --git a/SPECS/containerd2/CVE-2025-22872.patch b/SPECS/containerd2/CVE-2025-22872.patch deleted file mode 100644 index c4c75f054fd..00000000000 --- a/SPECS/containerd2/CVE-2025-22872.patch +++ /dev/null 
@@ -1,42 +0,0 @@ -From 072aace3657090fc2cd827741839d229aafd693e Mon Sep 17 00:00:00 2001 -From: Aninda -Date: Thu, 22 May 2025 10:01:10 -0400 -Subject: [PATCH] Address CVE-2025-22872 -Upstream Patch Reference: https://github.com/golang/net/commit/e1fcd82abba34df74614020343be8eb1fe85f0d9 - ---- - vendor/golang.org/x/net/html/token.go | 18 ++++++++++++++++-- - 1 file changed, 16 insertions(+), 2 deletions(-) - -diff --git a/vendor/golang.org/x/net/html/token.go b/vendor/golang.org/x/net/html/token.go -index 3c57880..6598c1f 100644 ---- a/vendor/golang.org/x/net/html/token.go -+++ b/vendor/golang.org/x/net/html/token.go -@@ -839,8 +839,22 @@ func (z *Tokenizer) readStartTag() TokenType { - if raw { - z.rawTag = strings.ToLower(string(z.buf[z.data.start:z.data.end])) - } -- // Look for a self-closing token like "
". -- if z.err == nil && z.buf[z.raw.end-2] == '/' { -+ // Look for a self-closing token (e.g.
). -+ // -+ // Originally, we did this by just checking that the last character of the -+ // tag (ignoring the closing bracket) was a solidus (/) character, but this -+ // is not always accurate. -+ // -+ // We need to be careful that we don't misinterpret a non-self-closing tag -+ // as self-closing, as can happen if the tag contains unquoted attribute -+ // values (i.e.

). -+ // -+ // To avoid this, we check that the last non-bracket character of the tag -+ // (z.raw.end-2) isn't the same character as the last non-quote character of -+ // the last attribute of the tag (z.pendingAttr[1].end-1), if the tag has -+ // attributes. -+ nAttrs := len(z.attr) -+ if z.err == nil && z.buf[z.raw.end-2] == '/' && (nAttrs == 0 || z.raw.end-2 != z.attr[nAttrs-1][1].end-1) { - return SelfClosingTagToken - } - return StartTagToken --- -2.34.1 - diff --git a/SPECS/containerd2/CVE-2025-27144.patch b/SPECS/containerd2/CVE-2025-27144.patch deleted file mode 100644 index 734158a6a89..00000000000 --- a/SPECS/containerd2/CVE-2025-27144.patch +++ /dev/null 
@@ -1,49 +0,0 @@ -From fa324fa38481f9d2da9109cb5983326f62ff7507 Mon Sep 17 00:00:00 2001 -From: Kanishk-Bansal -Date: Fri, 28 Feb 2025 07:45:53 +0000 -Subject: [PATCH] CVE-2025-27144 -Upstream Ref: https://github.com/go-jose/go-jose/commit/c9ed84d8f0cfadcfad817150158caca6fcbc518b - ---- - vendor/github.com/go-jose/go-jose/v4/jwe.go | 5 +++-- - vendor/github.com/go-jose/go-jose/v4/jws.go | 5 +++-- - 2 files changed, 6 insertions(+), 4 deletions(-) - -diff --git a/vendor/github.com/go-jose/go-jose/v4/jwe.go b/vendor/github.com/go-jose/go-jose/v4/jwe.go -index 89f03ee..9f1322d 100644 ---- a/vendor/github.com/go-jose/go-jose/v4/jwe.go -+++ b/vendor/github.com/go-jose/go-jose/v4/jwe.go -@@ -288,10 +288,11 @@ func ParseEncryptedCompact( - keyAlgorithms []KeyAlgorithm, - contentEncryption []ContentEncryption, - ) (*JSONWebEncryption, error) { -- parts := strings.Split(input, ".") -- if len(parts) != 5 { -+ // Five parts is four separators -+ if strings.Count(input, ".") != 4 { - return nil, fmt.Errorf("go-jose/go-jose: compact JWE format must have five parts") - } -+ parts := strings.SplitN(input, ".", 5) - - rawProtected, err := base64.RawURLEncoding.DecodeString(parts[0]) - if err != nil { -diff --git a/vendor/github.com/go-jose/go-jose/v4/jws.go b/vendor/github.com/go-jose/go-jose/v4/jws.go -index 3a91230..d09d8ba 100644 ---- a/vendor/github.com/go-jose/go-jose/v4/jws.go -+++ b/vendor/github.com/go-jose/go-jose/v4/jws.go -@@ -327,10 +327,11 @@ func parseSignedCompact( - payload []byte, - signatureAlgorithms []SignatureAlgorithm, - ) (*JSONWebSignature, error) { -- parts := strings.Split(input, ".") -- if len(parts) != 3 { -+ // Three parts is two separators -+ if strings.Count(input, ".") != 2 { - return nil, fmt.Errorf("go-jose/go-jose: compact JWS format must have three parts") - } -+ parts := strings.SplitN(input, ".", 3) - - if parts[1] != "" && payload != nil { - return nil, fmt.Errorf("go-jose/go-jose: payload is not detached") --- -2.34.1 
diff --git a/SPECS/containerd2/CVE-2025-47291.patch b/SPECS/containerd2/CVE-2025-47291.patch
deleted file mode 100644
index 5393e181fb1..00000000000
--- a/SPECS/containerd2/CVE-2025-47291.patch
+++ /dev/null
@@ -1,220 +0,0 @@ -From 0bb95c53ec07aad729470844c8f0e5ab2838a8db Mon Sep 17 00:00:00 2001 -From: dj_palli -Date: Mon, 2 Jun 2025 14:45:30 +0000 -Subject: [PATCH] Address CVE-2025-47291 - -Upstream patch URL : https://github.com/containerd/containerd/commit/ec3567d6b369cde39739b41db8763a19d6f35c39 - ---- - client/container.go | 3 ++- - client/task.go | 27 ++++++++++++++++++++++ - client/task_opts.go | 27 ++++++++-------------- - client/task_opts_unix.go | 48 +++++++++++++--------------------------- - 4 files changed, 53 insertions(+), 52 deletions(-) - -diff --git a/client/container.go b/client/container.go -index b9cf25e..5763ae6 100644 ---- a/client/container.go -+++ b/client/container.go -@@ -279,7 +279,8 @@ func (c *container) NewTask(ctx context.Context, ioCreate cio.Creator, opts ...N - } - } - info := TaskInfo{ -- runtime: r.Runtime.Name, -+ runtime: r.Runtime.Name, -+ runtimeOptions: r.Runtime.Options, - } - for _, o := range opts { - if err := o(ctx, c.client, &info); err != nil { -diff --git a/client/task.go b/client/task.go -index 20312a9..152babe 100644 ---- a/client/task.go -+++ b/client/task.go -@@ -146,6 +146,10 @@ type TaskInfo struct { - - // runtime is the runtime name for the container, and cannot be changed. - runtime string -+ // runtimeOptions is the runtime options for the container, and when task options are set, -+ // they will be based on the runtimeOptions. -+ // https://github.com/containerd/containerd/issues/11568 -+ runtimeOptions typeurl.Any - } - - // Runtime name for the container -@@ -153,6 +157,29 @@ func (i *TaskInfo) Runtime() string { - return i.runtime - } - -+// getRuncOptions returns a reference to the runtime options for use by the task. 
-+// If the set of options is not set by the opts passed into the NewTask creation -+// this function first attempts to initialize the runtime options with a copy of the runtimeOptions, -+// otherwise an empty set of options is assigned and returned -+func (i *TaskInfo) getRuncOptions() (*options.Options, error) { -+ if i.Options != nil { -+ opts, ok := i.Options.(*options.Options) -+ if !ok { -+ return nil, errors.New("invalid runtime v2 options format") -+ } -+ return opts, nil -+ } -+ -+ opts := &options.Options{} -+ if i.runtimeOptions != nil && i.runtimeOptions.GetValue() != nil { -+ if err := typeurl.UnmarshalTo(i.runtimeOptions, opts); err != nil { -+ return nil, fmt.Errorf("failed to get runtime v2 options: %w", err) -+ } -+ } -+ i.Options = opts -+ return opts, nil -+} -+ - // Task is the executable object within containerd - type Task interface { - Process -diff --git a/client/task_opts.go b/client/task_opts.go -index 8e94d4c..27bde35 100644 ---- a/client/task_opts.go -+++ b/client/task_opts.go -@@ -54,12 +54,9 @@ func WithRuntimePath(absRuntimePath string) NewTaskOpts { - // usually it is served inside a sandbox, and we can get it from sandbox status. 
- func WithTaskAPIEndpoint(address string, version uint32) NewTaskOpts { - return func(ctx context.Context, client *Client, info *TaskInfo) error { -- if info.Options == nil { -- info.Options = &options.Options{} -- } -- opts, ok := info.Options.(*options.Options) -- if !ok { -- return errors.New("invalid runtime v2 options format") -+ opts, err := info.getRuncOptions() -+ if err != nil { -+ return err - } - opts.TaskApiAddress = address - opts.TaskApiVersion = version -@@ -119,12 +116,9 @@ func WithCheckpointImagePath(path string) CheckpointTaskOpts { - // WithRestoreImagePath sets image path for create option - func WithRestoreImagePath(path string) NewTaskOpts { - return func(ctx context.Context, c *Client, ti *TaskInfo) error { -- if ti.Options == nil { -- ti.Options = &options.Options{} -- } -- opts, ok := ti.Options.(*options.Options) -- if !ok { -- return errors.New("invalid runtime v2 options format") -+ opts, err := ti.getRuncOptions() -+ if err != nil { -+ return err - } - opts.CriuImagePath = path - return nil -@@ -134,12 +128,9 @@ func WithRestoreImagePath(path string) NewTaskOpts { - // WithRestoreWorkPath sets criu work path for create option - func WithRestoreWorkPath(path string) NewTaskOpts { - return func(ctx context.Context, c *Client, ti *TaskInfo) error { -- if ti.Options == nil { -- ti.Options = &options.Options{} -- } -- opts, ok := ti.Options.(*options.Options) -- if !ok { -- return errors.New("invalid runtime v2 options format") -+ opts, err := ti.getRuncOptions() -+ if err != nil { -+ return err - } - opts.CriuWorkPath = path - return nil -diff --git a/client/task_opts_unix.go b/client/task_opts_unix.go -index d33e302..26b5c17 100644 ---- a/client/task_opts_unix.go -+++ b/client/task_opts_unix.go -@@ -20,20 +20,14 @@ package client - - import ( - "context" -- "errors" -- -- "github.com/containerd/containerd/api/types/runc/options" - ) - - // WithNoNewKeyring causes tasks not to be created with a new keyring for secret storage. 
- // There is an upper limit on the number of keyrings in a linux system - func WithNoNewKeyring(ctx context.Context, c *Client, ti *TaskInfo) error { -- if ti.Options == nil { -- ti.Options = &options.Options{} -- } -- opts, ok := ti.Options.(*options.Options) -- if !ok { -- return errors.New("invalid v2 shim create options format") -+ opts, err := ti.getRuncOptions() -+ if err != nil { -+ return err - } - opts.NoNewKeyring = true - return nil -@@ -41,12 +35,9 @@ func WithNoNewKeyring(ctx context.Context, c *Client, ti *TaskInfo) error { - - // WithNoPivotRoot instructs the runtime not to you pivot_root - func WithNoPivotRoot(_ context.Context, _ *Client, ti *TaskInfo) error { -- if ti.Options == nil { -- ti.Options = &options.Options{} -- } -- opts, ok := ti.Options.(*options.Options) -- if !ok { -- return errors.New("invalid v2 shim create options format") -+ opts, err := ti.getRuncOptions() -+ if err != nil { -+ return err - } - opts.NoPivotRoot = true - return nil -@@ -55,12 +46,9 @@ func WithNoPivotRoot(_ context.Context, _ *Client, ti *TaskInfo) error { - // WithShimCgroup sets the existing cgroup for the shim - func WithShimCgroup(path string) NewTaskOpts { - return func(ctx context.Context, c *Client, ti *TaskInfo) error { -- if ti.Options == nil { -- ti.Options = &options.Options{} -- } -- opts, ok := ti.Options.(*options.Options) -- if !ok { -- return errors.New("invalid v2 shim create options format") -+ opts, err := ti.getRuncOptions() -+ if err != nil { -+ return err - } - opts.ShimCgroup = path - return nil -@@ -70,12 +58,9 @@ func WithShimCgroup(path string) NewTaskOpts { - // WithUIDOwner allows console I/O to work with the remapped UID in user namespace - func WithUIDOwner(uid uint32) NewTaskOpts { - return func(ctx context.Context, c *Client, ti *TaskInfo) error { -- if ti.Options == nil { -- ti.Options = &options.Options{} -- } -- opts, ok := ti.Options.(*options.Options) -- if !ok { -- return errors.New("invalid v2 shim create options format") 
-+ opts, err := ti.getRuncOptions() -+ if err != nil { -+ return err - } - opts.IoUid = uid - return nil -@@ -85,12 +70,9 @@ func WithUIDOwner(uid uint32) NewTaskOpts { - // WithGIDOwner allows console I/O to work with the remapped GID in user namespace - func WithGIDOwner(gid uint32) NewTaskOpts { - return func(ctx context.Context, c *Client, ti *TaskInfo) error { -- if ti.Options == nil { -- ti.Options = &options.Options{} -- } -- opts, ok := ti.Options.(*options.Options) -- if !ok { -- return errors.New("invalid v2 shim create options format") -+ opts, err := ti.getRuncOptions() -+ if err != nil { -+ return err - } - opts.IoGid = gid - return nil --- -2.45.2 - diff --git a/SPECS/containerd2/containerd2.signatures.json b/SPECS/containerd2/containerd2.signatures.json index d49f7f913eb..2d5fd73d4a9 100644 --- a/SPECS/containerd2/containerd2.signatures.json +++ b/SPECS/containerd2/containerd2.signatures.json @@ -1,7 +1,7 @@ { - "Signatures": { - "containerd.service": "a07bfcf412669b06673190b0779f48e652c9adcf1758289e849a00802804eec8", - "containerd.toml": "5b3821236f09b4c858e0e098bbe1400f4dbbb47d360e39d21c61858b088c2896", - "containerd-2.0.0.tar.gz": "346d644e1b96e1f4a39bfe9d1eb0eb01ca676f806c12d95e5dbe35325bbc1780" - } -} \ No newline at end of file + "Signatures": { + "containerd.service": "a07bfcf412669b06673190b0779f48e652c9adcf1758289e849a00802804eec8", + "containerd.toml": "5b3821236f09b4c858e0e098bbe1400f4dbbb47d360e39d21c61858b088c2896", + "containerd-2.0.6.tar.gz": "6f13034d9871b755469150b47e0d51ac45b46a4b40c850848bfd80a5b698063a" + } +} diff --git a/SPECS/containerd2/containerd2.spec b/SPECS/containerd2/containerd2.spec index 8bc7b48f0bf..e04092c1770 100644 --- a/SPECS/containerd2/containerd2.spec +++ b/SPECS/containerd2/containerd2.spec 
@@ -4,8 +4,8 @@ Summary: Industry-standard container runtime Name: %{upstream_name}2 -Version: 2.0.0 -Release: 14%{?dist} +Version: 2.0.6 +Release: 1%{?dist} License: ASL 2.0 Group: Tools/Container URL: https://www.containerd.io @@ -16,11 +16,6 @@ Source0: https://github.com/containerd/containerd/archive/v%{version}.tar.gz#/%{ Source1: containerd.service Source2: containerd.toml -Patch0: CVE-2024-45338.patch -Patch1: CVE-2025-27144.patch -Patch2: CVE-2024-40635.patch -Patch3: CVE-2025-22872.patch -Patch4: CVE-2025-47291.patch Patch5: multi-snapshotters-support.patch Patch6: tardev-support.patch %{?systemd_requires} @@ -98,6 +93,9 @@ fi %dir /opt/containerd/lib %changelog +* Thu Oct 23 2025 CBL-Mariner Servicing Account - 2.0.6-1 +- Auto-upgrade to 2.0.6 - none + * Sun Aug 31 2025 Andrew Phelps - 2.0.0-14 - Set BR for golang to < 1.25 diff --git a/SPECS/runc/runc.signatures.json b/SPECS/runc/runc.signatures.json index 18a8b03544d..b42d28af450 100644 --- a/SPECS/runc/runc.signatures.json +++ b/SPECS/runc/runc.signatures.json @@ -1,5 +1,5 @@ { - "Signatures": { - "runc-1.2.2.tar.gz": "0eabc936d481d123be92c429588f9d1de7cafd36b37a8a5085b1412e758796a1" - } + "Signatures": { + "runc-1.3.0.tar.gz": "3262492ce42bea0919ee1a2d000b6f303fd14877295bc38d094876b55fdd448b" + } } diff --git a/SPECS/runc/runc.spec b/SPECS/runc/runc.spec index 8523a32c790..c4aff5846ae 100644 --- a/SPECS/runc/runc.spec +++ b/SPECS/runc/runc.spec @@ -2,7 +2,7 @@ Summary: CLI tool for spawning and running containers per OCI spec. Name: runc # update "commit_hash" above when upgrading version -Version: 1.2.2 +Version: 1.3.0 Release: 1%{?dist} License: ASL 2.0 Vendor: Microsoft Corporation @@ -43,6 +43,9 @@ make install-man DESTDIR=%{buildroot} PREFIX=%{_prefix} %{_mandir}/* %changelog +* Thu Oct 23 2025 CBL-Mariner Servicing Account - 1.3.0-1 +- Auto-upgrade to 1.3.0 - none + * Mon Nov 25 2024 Nan Liu - 1.2.2-1 - Bump version to 1.2.2 - Remove the golang version constraint 
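Review bot: The new changelog entry `- Auto-upgrade to 2.0.6 - none` in SPECS/containerd2/containerd2.spec does not record that the `@@ -16,11 +16,6 @@` hunk drops Patch0 through Patch4 (CVE-2024-45338, CVE-2025-27144, CVE-2024-40635, CVE-2025-22872, CVE-2025-47291), so the package history no longer shows where those fixes come from. Two of the deleted patches change containerd's own code (`pkg/oci/spec_opts.go`, `client/task*.go`) and three change vendored modules (`golang.org/x/net/html`, `go-jose/v4`). Presumably 2.0.6 carries all five, but the vendored ones should be confirmed against the vendor tree of the 2.0.6 tarball rather than assumed from the version number. I would add a changelog line such as `- Remove patches for CVE-2024-45338, CVE-2025-27144, CVE-2024-40635, CVE-2025-22872 and CVE-2025-47291, fixed in upstream 2.0.6`.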
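Review bot: The context line `# update "commit_hash" above when upgrading version` in the `@@ -2,7 +2,7 @@` hunk of SPECS/runc/runc.spec asks for a step this commit does not show. `Version` moves from 1.2.2 to 1.3.0, but the only runc.spec hunks start at lines 2 and 43, so whatever sits above on line 1 is unchanged. If that value is passed into the build (its use is outside the visible hunks), the 1.3.0 binary would report the commit of 1.2.2, which misleads anyone matching a running runc against an upstream revision during vulnerability triage. The definition should be updated to the commit of the upstream v1.3.0 tag in this same change.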
diff --git a/cgmanifest.json b/cgmanifest.json
index b73a37e4482..40a441e9012 100644
--- a/cgmanifest.json
+++ b/cgmanifest.json
@@ -2057,8 +2057,8 @@
 "type": "other",
 "other": {
 "name": "containerd2",
- "version": "2.0.0",
- "downloadUrl": "https://github.com/containerd/containerd/archive/v2.0.0.tar.gz"
+ "version": "2.0.6",
+ "downloadUrl": "https://github.com/containerd/containerd/archive/v2.0.6.tar.gz"
 }
 }
 },
@@ -27454,8 +27454,8 @@
 "type": "other",
 "other": {
 "name": "runc",
- "version": "1.2.2",
- "downloadUrl": "https://github.com/opencontainers/runc/archive/v1.2.2.tar.gz"
+ "version": "1.3.0",
+ "downloadUrl": "https://github.com/opencontainers/runc/archive/v1.3.0.tar.gz"
 }
 }
 },