Version in base suite: 1.4.12~ds1-1~deb11u1 Base version: containerd_1.4.12~ds1-1~deb11u1 Target version: containerd_1.4.13~ds1-1~deb11u1 Base file: /srv/ftp-master.debian.org/ftp/pool/main/c/containerd/containerd_1.4.12~ds1-1~deb11u1.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/c/containerd/containerd_1.4.13~ds1-1~deb11u1.dsc .github/workflows/ci.yml | 12 ++--- .github/workflows/nightly.yml | 4 - .github/workflows/release.yml | 2 .travis.yml | 2 .zuul/playbooks/containerd-build/run.yaml | 2 Vagrantfile | 2 contrib/Dockerfile.test | 2 contrib/gce/cloud-init/master.yaml | 3 - contrib/gce/cloud-init/node.yaml | 3 - debian/changelog | 7 +++ debian/gitlab-ci.yml | 6 ++ releases/v1.4.13.toml | 21 ++++++++++ script/setup/install-critools | 3 - script/setup/install-dev-tools | 10 +--- script/setup/runc-version | 2 vendor.conf | 4 - vendor/github.com/containerd/cri/README.md | 2 vendor/github.com/containerd/cri/pkg/containerd/opts/container.go | 6 +- version/version.go | 2 19 files changed, 66 insertions(+), 29 deletions(-) diff -Nru containerd-1.4.12~ds1/.github/workflows/ci.yml containerd-1.4.13~ds1/.github/workflows/ci.yml --- containerd-1.4.12~ds1/.github/workflows/ci.yml 2021-11-17 19:52:12.000000000 +0000 +++ containerd-1.4.13~ds1/.github/workflows/ci.yml 2022-03-02 18:03:17.000000000 +0000 @@ -26,7 +26,7 @@ - name: Install Go uses: actions/setup-go@v2 with: - go-version: '1.16.10' + go-version: '1.16.14' - name: Set env shell: bash @@ -82,7 +82,7 @@ steps: - uses: actions/setup-go@v2 with: - go-version: '1.16.10' + go-version: '1.16.14' - name: Set env shell: bash @@ -128,7 +128,7 @@ steps: - uses: actions/setup-go@v2 with: - go-version: '1.16.10' + go-version: '1.16.14' - name: Set env shell: bash @@ -166,7 +166,7 @@ steps: - uses: actions/setup-go@v2 with: - go-version: '1.16.10' + go-version: '1.16.14' - name: Set env shell: bash 
@@ -199,7 +199,7 @@ steps: - uses: actions/setup-go@v2 with: - go-version: '1.16.10' + go-version: '1.16.14' - name: Set env shell: bash @@ -285,7 +285,7 @@ steps: - uses: actions/setup-go@v2 with: - go-version: '1.16.10' + go-version: '1.16.14' - name: Set env shell: bash diff -Nru containerd-1.4.12~ds1/.github/workflows/nightly.yml containerd-1.4.13~ds1/.github/workflows/nightly.yml --- containerd-1.4.12~ds1/.github/workflows/nightly.yml 2021-11-17 19:52:12.000000000 +0000 +++ containerd-1.4.13~ds1/.github/workflows/nightly.yml 2022-03-02 18:03:17.000000000 +0000 @@ -14,7 +14,7 @@ steps: - uses: actions/setup-go@v2 with: - go-version: '1.16.10' + go-version: '1.16.14' - name: Checkout uses: actions/checkout@v1 @@ -138,7 +138,7 @@ steps: - uses: actions/setup-go@v2 with: - go-version: '1.16.10' + go-version: '1.16.14' - name: Checkout uses: actions/checkout@v1 diff -Nru containerd-1.4.12~ds1/.github/workflows/release.yml containerd-1.4.13~ds1/.github/workflows/release.yml --- containerd-1.4.12~ds1/.github/workflows/release.yml 2021-11-17 19:52:12.000000000 +0000 +++ containerd-1.4.13~ds1/.github/workflows/release.yml 2022-03-02 18:03:17.000000000 +0000 @@ -62,7 +62,7 @@ - name: Install Go uses: actions/setup-go@v2 with: - go-version: '1.16.10' + go-version: '1.16.14' - name: Set env shell: bash diff -Nru containerd-1.4.12~ds1/.travis.yml containerd-1.4.13~ds1/.travis.yml --- containerd-1.4.12~ds1/.travis.yml 2021-11-17 19:52:12.000000000 +0000 +++ containerd-1.4.13~ds1/.travis.yml 2022-03-02 18:03:17.000000000 +0000 
@@ -15,7 +15,7 @@ - linux go: - - "1.16.10" + - "1.16.14" env: - TRAVIS_GOOS=linux TEST_RUNTIME=io.containerd.runc.v1 TRAVIS_CGO_ENABLED=1 TRAVIS_DISTRO=bionic GOPROXY=direct diff -Nru containerd-1.4.12~ds1/.zuul/playbooks/containerd-build/run.yaml containerd-1.4.13~ds1/.zuul/playbooks/containerd-build/run.yaml --- containerd-1.4.12~ds1/.zuul/playbooks/containerd-build/run.yaml 2021-11-17 19:52:12.000000000 +0000 +++ containerd-1.4.13~ds1/.zuul/playbooks/containerd-build/run.yaml 2022-03-02 18:03:17.000000000 +0000 @@ -2,7 +2,7 @@ become: yes roles: - role: config-golang - go_version: '1.16.10' + go_version: '1.16.14' arch: arm64 tasks: - name: Build containerd diff -Nru containerd-1.4.12~ds1/Vagrantfile containerd-1.4.13~ds1/Vagrantfile --- containerd-1.4.12~ds1/Vagrantfile 2021-11-17 19:52:12.000000000 +0000 +++ containerd-1.4.13~ds1/Vagrantfile 2022-03-02 18:03:17.000000000 +0000 @@ -77,7 +77,7 @@ config.vm.provision "install-golang", type: "shell", run: "once" do |sh| sh.upload_path = "/tmp/vagrant-install-golang" sh.env = { - 'GO_VERSION': ENV['GO_VERSION'] || "1.16.10", + 'GO_VERSION': ENV['GO_VERSION'] || "1.16.14", } sh.inline = <<~SHELL #!/usr/bin/env bash diff -Nru containerd-1.4.12~ds1/contrib/Dockerfile.test containerd-1.4.13~ds1/contrib/Dockerfile.test --- containerd-1.4.12~ds1/contrib/Dockerfile.test 2021-11-17 19:52:12.000000000 +0000 +++ containerd-1.4.13~ds1/contrib/Dockerfile.test 2022-03-02 18:03:17.000000000 +0000 
@@ -10,7 +10,7 @@ # # docker build -t containerd-test --build-arg RUNC_VERSION=v1.0.0-rc93 -f Dockerfile.test ../ -ARG GOLANG_VERSION=1.16.10 +ARG GOLANG_VERSION=1.16.14 FROM golang:${GOLANG_VERSION} AS golang-base RUN mkdir -p /go/src/github.com/containerd/containerd diff -Nru containerd-1.4.12~ds1/contrib/gce/cloud-init/master.yaml containerd-1.4.13~ds1/contrib/gce/cloud-init/master.yaml --- containerd-1.4.12~ds1/contrib/gce/cloud-init/master.yaml 2021-11-17 19:52:12.000000000 +0000 +++ containerd-1.4.13~ds1/contrib/gce/cloud-init/master.yaml 2022-03-02 18:03:17.000000000 +0000 @@ -75,7 +75,8 @@ content: | [Unit] Description=Download and install k8s binaries and configurations - After=network-online.target + After=network-online.target containerd.target + Wants=network-online.target containerd.target [Service] Type=oneshot diff -Nru containerd-1.4.12~ds1/contrib/gce/cloud-init/node.yaml containerd-1.4.13~ds1/contrib/gce/cloud-init/node.yaml --- containerd-1.4.12~ds1/contrib/gce/cloud-init/node.yaml 2021-11-17 19:52:12.000000000 +0000 +++ containerd-1.4.13~ds1/contrib/gce/cloud-init/node.yaml 2022-03-02 18:03:17.000000000 +0000 @@ -69,7 +69,8 @@ content: | [Unit] Description=Download and install k8s binaries and configurations - After=network-online.target + After=network-online.target containerd.target + Wants=network-online.target containerd.target [Service] Type=oneshot diff -Nru containerd-1.4.12~ds1/debian/changelog containerd-1.4.13~ds1/debian/changelog --- containerd-1.4.12~ds1/debian/changelog 2021-11-23 10:42:16.000000000 +0000 +++ containerd-1.4.13~ds1/debian/changelog 2022-03-02 18:21:10.000000000 +0000 
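Review bot: `Wants=network-online.target containerd.target` in master.yaml is only a soft dependency, so systemd still starts this install unit when `containerd.target` fails to come up; `After=` only orders the two. If the k8s install step cannot work without a running containerd, `Requires=containerd.target` (keeping the `After=` line) would make the unit fail instead of running against a missing runtime. If the soft form is intended, a short comment in the unit should say so. The node.yaml hunk that follows adds the same two lines and has the same issue. `containerd.target` is defined outside the visible lines, so I am assuming both files provide it.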
@@ -1,3 +1,10 @@ +containerd (1.4.13~ds1-1~deb11u1) bullseye; urgency=high + + * New upstream version 1.4.13~ds1 + CVE-2022-23648: CRI plugin: insecure handling of image volumes. + + -- Shengjing Zhu Thu, 03 Mar 2022 02:21:10 +0800 + containerd (1.4.12~ds1-1~deb11u1) bullseye; urgency=medium * New upstream version 1.4.12~ds1 diff -Nru containerd-1.4.12~ds1/debian/gitlab-ci.yml containerd-1.4.13~ds1/debian/gitlab-ci.yml --- containerd-1.4.12~ds1/debian/gitlab-ci.yml 1970-01-01 00:00:00.000000000 +0000 +++ containerd-1.4.13~ds1/debian/gitlab-ci.yml 2022-03-02 18:21:10.000000000 +0000 @@ -0,0 +1,6 @@ +# auto-generated, DO NOT MODIFY. +# The authoritative copy of this file lives at: +# https://salsa.debian.org/go-team/infra/pkg-go-tools/blob/master/config/gitlabciyml.go +--- +include: + - https://salsa.debian.org/go-team/infra/pkg-go-tools/-/raw/master/pipeline/test-archive.yml diff -Nru containerd-1.4.12~ds1/releases/v1.4.13.toml containerd-1.4.13~ds1/releases/v1.4.13.toml --- containerd-1.4.12~ds1/releases/v1.4.13.toml 1970-01-01 00:00:00.000000000 +0000 +++ containerd-1.4.13~ds1/releases/v1.4.13.toml 2022-03-02 18:03:17.000000000 +0000 
@@ -0,0 +1,21 @@ +# commit to be tagged for new release +commit = "HEAD" + +project_name = "containerd" +github_repo = "containerd/containerd" +match_deps = "^github.com/(containerd/[a-zA-Z0-9-]+)$" + +# previous release +previous = "v1.4.12" + +pre_release = false + +preface = """\ +The thirteenth patch release for containerd 1.4 is a security release to address +[CVE-2022-23648](https://github.com/containerd/containerd/security/advisories/GHSA-crp2-qrr5-8pq7). + +### Notable Updates + +* **Use fs.RootPath when mounting volumes** ([GHSA-crp2-qrr5-8pq7](https://github.com/containerd/containerd/security/advisories/GHSA-crp2-qrr5-8pq7)) + +See the changelog for complete list of changes""" diff -Nru containerd-1.4.12~ds1/script/setup/install-critools containerd-1.4.13~ds1/script/setup/install-critools --- containerd-1.4.12~ds1/script/setup/install-critools 2021-11-17 19:52:12.000000000 +0000 +++ containerd-1.4.13~ds1/script/setup/install-critools 2022-03-02 18:03:17.000000000 +0000 @@ -20,7 +20,8 @@ # set -eu -o pipefail -go get -u github.com/onsi/ginkgo/ginkgo +GO111MODULE=on go install github.com/onsi/ginkgo/ginkgo@v1.16.5 + CRITEST_COMMIT=53ad8bb7f97e1b1d1c0c0634e43a3c2b8b07b718 git clone https://github.com/kubernetes-sigs/cri-tools.git "$GOPATH"/src/github.com/kubernetes-sigs/cri-tools cd "$GOPATH"/src/github.com/kubernetes-sigs/cri-tools diff -Nru containerd-1.4.12~ds1/script/setup/install-dev-tools containerd-1.4.13~ds1/script/setup/install-dev-tools --- containerd-1.4.12~ds1/script/setup/install-dev-tools 2021-11-17 19:52:12.000000000 +0000 +++ containerd-1.4.13~ds1/script/setup/install-dev-tools 2022-03-02 18:03:17.000000000 +0000 
@@ -20,15 +20,13 @@ # set -eu -o pipefail -# install the `protobuild` binary in $GOPATH/bin; requires module-aware install -# to pin dependencies -GO111MODULE=on go get github.com/stevvooe/protobuild +# install `protobuild` and other commands +GO111MODULE=on go install github.com/stevvooe/protobuild@v0.1.0 +GO111MODULE=on go install github.com/cpuguy83/go-md2man/v2@v2.0.0 +GO111MODULE=on go install github.com/golangci/golangci-lint/cmd/golangci-lint@v1.23.8 # the following packages need to exist in $GOPATH so we can't use # go modules-aware mode of `go get` for these includes used during # proto building GO111MODULE=off go get -d github.com/gogo/googleapis || true GO111MODULE=off go get -d github.com/gogo/protobuf || true - -GO111MODULE=on go get github.com/cpuguy83/go-md2man/v2@v2.0.0 -GO111MODULE=on go get github.com/golangci/golangci-lint/cmd/golangci-lint@v1.23.8 diff -Nru containerd-1.4.12~ds1/script/setup/runc-version containerd-1.4.13~ds1/script/setup/runc-version --- containerd-1.4.12~ds1/script/setup/runc-version 2021-11-17 19:52:12.000000000 +0000 +++ containerd-1.4.13~ds1/script/setup/runc-version 2022-03-02 18:03:17.000000000 +0000 @@ -1 +1 @@ -v1.0.2 +v1.0.3 diff -Nru containerd-1.4.12~ds1/vendor/github.com/containerd/cri/README.md containerd-1.4.13~ds1/vendor/github.com/containerd/cri/README.md --- containerd-1.4.12~ds1/vendor/github.com/containerd/cri/README.md 2021-11-17 19:52:12.000000000 +0000 +++ containerd-1.4.13~ds1/vendor/github.com/containerd/cri/README.md 2022-03-02 18:03:17.000000000 +0000 
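Review bot: The version pinning stops short of the two GOPATH-mode fetches kept at the end of this install-dev-tools hunk. `GO111MODULE=off go get -d github.com/gogo/googleapis || true` and the matching `gogo/protobuf` line still take whatever the default branch holds, and `|| true` hides a failed fetch. These trees supply the includes used during proto building, so checking out a fixed revision after the fetch would match the three `go install ...@version` lines, e.g. `git -C "$GOPATH"/src/github.com/gogo/protobuf checkout <PINNED_COMMIT>` (placeholder; the page gives no revision). If `|| true` is deliberate, a one-line comment naming the failure it tolerates would help.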
@@ -88,7 +88,7 @@ backport version of `libseccomp-dev` is required. See [travis.yml](.travis.yml) for an example on trusty. * **btrfs development library.** Required by containerd btrfs support. `btrfs-tools`(Ubuntu, Debian) / `btrfs-progs-devel`(Fedora, CentOS, RHEL) 2. Install **`pkg-config`** (required for linking with `libseccomp`). -3. Install and setup a Go 1.15.5 development environment. +3. Install and setup a Go 1.15.14 development environment. 4. Make a local clone of this repository. 5. Install binary dependencies by running the following command from your cloned `cri/` project directory: ```bash diff -Nru containerd-1.4.12~ds1/vendor/github.com/containerd/cri/pkg/containerd/opts/container.go containerd-1.4.13~ds1/vendor/github.com/containerd/cri/pkg/containerd/opts/container.go --- containerd-1.4.12~ds1/vendor/github.com/containerd/cri/pkg/containerd/opts/container.go 2021-11-17 19:52:12.000000000 +0000 +++ containerd-1.4.13~ds1/vendor/github.com/containerd/cri/pkg/containerd/opts/container.go 2022-03-02 18:03:17.000000000 +0000 @@ -20,7 +20,6 @@ "context" "io/ioutil" "os" - "path/filepath" "github.com/containerd/containerd" "github.com/containerd/containerd/containers" @@ -88,7 +87,10 @@ }() for host, volume := range volumeMounts { - src := filepath.Join(root, volume) + src, err := fs.RootPath(root, volume) + if err != nil { + return errors.Wrapf(err, "rootpath on root %s, volume %s", root, volume) + } if _, err := os.Stat(src); err != nil { if os.IsNotExist(err) { // Skip copying directory if it does not exist. diff -Nru containerd-1.4.12~ds1/vendor.conf containerd-1.4.13~ds1/vendor.conf --- containerd-1.4.12~ds1/vendor.conf 2021-11-17 19:52:12.000000000 +0000 +++ containerd-1.4.13~ds1/vendor.conf 2022-03-02 18:03:17.000000000 +0000 
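Review bot: The new `fs.RootPath(root, volume)` call in container.go carries no comment explaining why it replaces `filepath.Join`, which is the entire security content of this change, so a later cleanup could revert it. I would add above it `// volume comes from the image; resolve it inside root so symlinks or ".." cannot point the copy outside the mounted rootfs (CVE-2022-23648)`. The wrapped error formats both values with `%s`; `volume` is presumably image-supplied, so `%q` keeps odd characters visible in logs: `return errors.Wrapf(err, "rootpath on root %q, volume %q", root, volume)`. The import hunk only drops `path/filepath`, so `fs` is assumed to be imported already, outside the visible lines. The enclosing function starts and ends outside the hunk.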
@@ -30,7 +30,7 @@ github.com/Microsoft/go-winio v0.4.19 github.com/Microsoft/hcsshim v0.8.21 github.com/opencontainers/go-digest v1.0.0 -github.com/opencontainers/image-spec v1.0.1 +github.com/opencontainers/image-spec v1.0.2 github.com/opencontainers/runc v1.0.0-rc94 github.com/opencontainers/runtime-spec 4d89ac9fbff6c455f46a5bb59c6b1bb7184a5e43 # v1.0.3-0.20200728170252-4d89ac9fbff6 github.com/pkg/errors v0.9.1 @@ -57,7 +57,7 @@ github.com/cilium/ebpf 1c8d4c9ef7759622653a1d319284a44652333b28 # cri dependencies -github.com/containerd/cri 3b02bec1603179debe2cde54509b2bfc45fc27d3 # release/1.4 +github.com/containerd/cri 8f1a8a1fb9ebd821a1afe3b3ff3adec7bd33cfdf # release/1.4 github.com/davecgh/go-spew v1.1.1 github.com/docker/docker 4634ce647cf2ce2c6031129ccd109e557244986f github.com/docker/spdystream 449fdfce4d962303d702fec724ef0ad181c92528 diff -Nru containerd-1.4.12~ds1/version/version.go containerd-1.4.13~ds1/version/version.go --- containerd-1.4.12~ds1/version/version.go 2021-11-17 19:52:12.000000000 +0000 +++ containerd-1.4.13~ds1/version/version.go 2022-03-02 18:03:17.000000000 +0000 @@ -23,7 +23,7 @@ Package = "github.com/containerd/containerd" // Version holds the complete version number. Filled in at linking time. - Version = "1.4.12+unknown" + Version = "1.4.13+unknown" // Revision is filled with the VCS (e.g. git) revision being used to build // the program at linking time.