From f8cfa7947cd0a2750bd0b4ebf616044a98a07a24 Mon Sep 17 00:00:00 2001
From: Sebastiaan van Stijn
Date: Tue, 4 Feb 2020 10:16:14 +0100
Subject: [PATCH] [19.03] Update containerd binary to v1.2.12

full diff: https://github.com/containerd/containerd/compare/v1.2.11...v1.2.12

Welcome to the v1.2.12 release of containerd!

The twelfth patch release for containerd 1.2 includes an updated runc with
a fix for CVE-2019-19921, an updated version of the opencontainers/selinux
dependency, which includes a fix for CVE-2019-16884, an updated version of the
gopkg.in/yaml.v2 dependency to address CVE-2019-11253, and a Golang update.

Notable Updates

- Update the runc vendor to v1.0.0-rc10 which includes a mitigation for CVE-2019-19921.
- Update the opencontainers/selinux which includes a mitigation for CVE-2019-16884.
- Update Golang runtime to 1.12.16, mitigating the CVE-2020-0601 certificate
  verification bypass on Windows, and CVE-2020-7919, which only affects 32-bit
  architectures.
- Update Golang runtime to 1.12.15, which includes a fix to the runtime
  (Go 1.12.14, Go 1.12.15) and the net/http package (Go 1.12.15)
- A fix to prevent SIGSEGV when starting containerd-shim containerd/containerd#3960
- Fixes to exec containerd/containerd#3755
  - Prevent docker exec hanging if an earlier docker exec left a zombie process
  - Prevent High system load/CPU utilization with liveness and readiness probes
  - Prevent Docker healthcheck causing high CPU utilization

CRI fixes:

- Update the gopkg.in/yaml.v2 vendor to v2.2.8 with a mitigation for CVE-2019-11253

API

- Fix API filters to properly handle and return parse errors containerd/containerd#3950

Signed-off-by: Sebastiaan van Stijn
---
 hack/dockerfile/install/containerd.installer | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/hack/dockerfile/install/containerd.installer b/hack/dockerfile/install/containerd.installer index 9e812086772ad..c6e9a62d6dc25 100755 --- a/hack/dockerfile/install/containerd.installer
+++ b/hack/dockerfile/install/containerd.installer @@ -4,7 +4,7 @@ # containerd is also pinned in vendor.conf. When updating the binary # version you may also need to update the vendor version to pick up bug # fixes or new APIs. -CONTAINERD_COMMIT=f772c10a585ced6be8f86e8c58c2b998412dd963 # v1.2.11 +CONTAINERD_COMMIT=35bd7a5f69c13e1563af8a93431411cd9ecf5021 # v1.2.12 install_containerd() { echo "Install containerd version $CONTAINERD_COMMIT"
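
Review bot: the CONTAINERD_COMMIT line bumps only the binary pin, while the context comment directly above it says containerd is also pinned in vendor.conf and that the vendor version may need updating along with the binary. The diffstat shows one file changed, so please either bump vendor.conf in the same change or say in the commit message that the vendored version is intentionally left where it is. Separately, the tag in the trailing comment (# v1.2.12) is informational only and nothing in the installer lines shown checks it against the hash, so it is worth confirming that 35bd7a5f69c13e1563af8a93431411cd9ecf5021 is the commit the v1.2.12 tag points to before merging, given that this bump is being taken for the CVE fixes listed in the commit message.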