Skip to content

fix(deps): update module github.com/containerd/containerd to v1.7.29 [security] (v1.4) #4303

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: v1.4
Choose a base branch
from
Open

fix(deps): update module github.com/containerd/containerd to v1.7.29 [security] (v1.4) #4303

wants to merge 1 commit into from

Conversation

@cilium-renovate
Copy link
Contributor

@cilium-renovate cilium-renovate bot commented Nov 6, 2025
edited
Loading

This PR contains the following updates:

Package Change Age Confidence
github.com/containerd/containerd v1.7.27 -> v1.7.29 age confidence

containerd CRI server: Host memory exhaustion through Attach goroutine leak

CVE-2025-64329 / GHSA-m6hq-p25p-ffr2 / GO-2025-4108

More information

Details

Impact

A bug was found in containerd's CRI Attach implementation where a user can exhaust memory on the host due to goroutine leaks.

Repetitive calls of CRI Attach (e.g., kubectl attach) could increase the memory usage of containerd.

Patches

This bug has been fixed in the following containerd versions:

  • 2.2.0
  • 2.1.5
  • 2.0.7
  • 1.7.29

Users should update to these versions to resolve the issue.

Workarounds

Set up an admission controller to control accesses to pods/attach resources.
e.g., Validating Admission Policy.

Credits

The containerd project would like to thank @​Wheat2018 for responsibly disclosing this issue in accordance with the containerd security policy.

References

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-64329

For more information

If you have any questions or comments about this advisory:

To report a security issue in containerd:

Severity

  • CVSS Score: 6.9 / 10 (Medium)
  • Vector String: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

containerd affected by a local privilege escalation via wide permissions on CRI directory in github.com/containerd/containerd

CVE-2024-25621 / GHSA-pwhc-rpq9-4c8w / GO-2025-4100

More information

Details

containerd affected by a local privilege escalation via wide permissions on CRI directory in github.com/containerd/containerd

Severity

Unknown

References

This data is provided by OSV and the Go Vulnerability Database (CC-BY 4.0).

containerd affected by a local privilege escalation via wide permissions on CRI directory

CVE-2024-25621 / GHSA-pwhc-rpq9-4c8w / GO-2025-4100

More information

Details

Impact

An overly broad default permission vulnerability was found in containerd.

  • /var/lib/containerd was created with the permission bits 0o711, while it should be created with 0o700
    • Allowed local users on the host to potentially access the metadata store and the content store
  • /run/containerd/io.containerd.grpc.v1.cri was created with 0o755, while it should be created with 0o700
    • Allowed local users on the host to potentially access the contents of Kubernetes local volumes. The contents of volumes might include setuid binaries, which could allow a local user on the host to elevate privileges on the host.
  • /run/containerd/io.containerd.sandbox.controller.v1.shim was created with 0o711, while it should be created with 0o700

The directory paths may differ depending on the daemon configuration.
When the temp directory path is specified in the daemon configuration, that directory was also created with 0o711, while it should be created with 0o700.

Patches

This bug has been fixed in the following containerd versions:

  • 2.2.0
  • 2.1.5
  • 2.0.7
  • 1.7.29

Users should update to these versions to resolve the issue.
These updates automatically change the permissions of the existing directories.

[!NOTE]

/run/containerd and /run/containerd/io.containerd.runtime.v2.task are still created with 0o711.
This is an expected behavior for supporting userns-remapped containers.

Workarounds

The system administrator on the host can manually chmod the directories to not
have group or world accessible permisisons:

chmod 700 /var/lib/containerd
chmod 700 /run/containerd/io.containerd.grpc.v1.cri
chmod 700 /run/containerd/io.containerd.sandbox.controller.v1.shim

An alternative mitigation would be to run containerd in rootless mode.

Credits

The containerd project would like to thank David Leadbeater for responsibly disclosing this issue in accordance with the containerd security policy.

For more information

If you have any questions or comments about this advisory:

To report a security issue in containerd:

Severity

  • CVSS Score: 7.3 / 10 (High)
  • Vector String: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

containerd CRI server: Host memory exhaustion through Attach goroutine leak in github.com/containerd/containerd

CVE-2025-64329 / GHSA-m6hq-p25p-ffr2 / GO-2025-4108

More information

Details

containerd CRI server: Host memory exhaustion through Attach goroutine leak in github.com/containerd/containerd

Severity

Unknown

References

This data is provided by OSV and the Go Vulnerability Database (CC-BY 4.0).

Release Notes

containerd/containerd (github.com/containerd/containerd)

v1.7.29: containerd 1.7.29

Compare Source

Welcome to the v1.7.29 release of containerd!

The twenty-ninth patch release for containerd 1.7 contains various fixes
and updates including security patches.

Security Updates
Highlights
Image Distribution
  • Update differ to handle zstd media types (#​12018)
Runtime
  • Update runc binary to v1.3.3 (#​12480)
  • Fix lost container logs from quickly closing io (#​12375)

Please try out the release binaries and report any issues at
https://github.com/containerd/containerd/issues.

Contributors
  • Derek McGowan
  • Akihiro Suda
  • Phil Estes
  • Austin Vazquez
  • Sebastiaan van Stijn
  • ningmingxiao
  • Maksym Pavlenko
  • StepSecurity Bot
  • wheat2018
Changes
38 commits

  • 442cb34bd Merge commit from fork
  • 0450f046e Fix directory permissions
  • e5cb6ddb7 Merge commit from fork
  • c575d1b5f fix goroutine leak of container Attach
  • Prepare release notes for v1.7.29 (#​12486)
    • 1fc2daaf3 Prepare release notes for v1.7.29
  • Update runc binary to v1.3.3 (#​12480)
    • 3f5f9f872 runc: Update runc binary to v1.3.3
  • Update GHA images and bump Go 1.24.9; 1.25.3 (#​12471)
    • 667409fb6 ci: bump Go 1.24.9, 1.25.3
    • 294f8c027 Update GHA runners to use latest images for basic binaries build
    • cf66b4141 Update GHA runners to use latest image for most jobs
    • fa3e6fa18 pkg/epoch: extract parsing SOURCE_DATE_EPOCH to a function
    • ac334bffc pkg/epoch: fix tests on macOS
    • d04b8721f pkg/epoch: replace some fmt.Sprintfs with strconv
  • CI: update Fedora to 43 (#​12450)
  • CI: skip ubuntu-24.04-arm on private repos (#​12429)
    • cf99a012d CI: skip ubuntu-24.04-arm on private repos
  • runc:Update runc binary to v1.3.1 (#​12276)
    • 4c77b8d07 runc:Update runc binary to v1.3.1
  • Fix lost container logs from quickly closing io (#​12375)
    • d30024db2 bugfix:fix container logs lost because io close too quickly
  • ci: bump Go 1.24.8 (#​12362)
    • f4b3d96f3 ci: bump Go 1.24.8
    • 334fd8e4b update golangci-lint to v1.64.2
    • 8a67abc4c Drop inactivated linter exportloopref
    • e4dbf08f0 build(deps): bump golangci/golangci-lint-action from 6.3.2 to 6.5.0
    • d7db2ba06 build(deps): bump golangci/golangci-lint-action from 6.2.0 to 6.3.2
    • d7182888f build(deps): bump golangci/golangci-lint-action from 6.1.1 to 6.2.0
    • 4be6c7e3b build(deps): bump actions/cache from 4.1.2 to 4.2.0
    • a2e097e86 build(deps): bump actions/checkout from 4.2.1 to 4.2.2
    • 6de404d11 build(deps): bump actions/cache from 4.1.1 to 4.1.2
    • 038a25584 [StepSecurity] ci: Harden GitHub Actions
  • Update differ to handle zstd media types (#​12018)
    • eaeb4b6ac Update differ to handle zstd media types
  • ci: bump Go 1.23.12, 1.24.6 (#​12188)

Dependency Changes

This release has no dependency changes

Previous release can be found at v1.7.28

v1.7.28: containerd 1.7.28

Compare Source

Welcome to the v1.7.28 release of containerd!

The twenty-eighth patch release for containerd 1.7 contains various fixes
and updates.

Highlights
Image Distribution
  • Refresh OAuth tokens when they expire during registry operations (#​11721)
  • Set default differ for the default unpack config of transfer service (#​11689)
Runtime
  • Update runc binary to v1.3.0 (#​11800)
  • Remove invalid error log when stopping container after containerd restart (#​11620)

Please try out the release binaries and report any issues at
https://github.com/containerd/containerd/issues.

Contributors
  • Akhil Mohan
  • Akihiro Suda
  • Austin Vazquez
  • Maksym Pavlenko
  • Phil Estes
  • Derek McGowan
  • Kirtana Ashok
  • Henry Wang
  • Iain Macdonald
  • Jin Dong
  • Swagat Bora
  • Wei Fu
  • Yang Yang
  • madraceee
Changes
57 commits

  • Prepare release notes for v1.7.28 (#​12134)
    • b01b809f8 Prepare release notes for v1.7.28
  • ci: bump Go 1.23.11, 1.24.5 (#​12117)
  • Backport windows test fixes (#​12121)
    • 3c06bcc4d Fix intermittent test failures on Windows CIs
    • c6c0c6854 Remove WS2025 from CIs due to regression
  • ci: use fedora 39 archive (#​12123)
    • 6d7e021cf ci: use fedora/39-cloud-base image from archive
  • update runners to ubuntu 24.04 (#​11802)
    • c362e18cc CI: install OVMF for Vagrant
    • 1d99bec21 CI: fix "Unable to find a source package for vagrant" error
    • dafa3c48d add debian sources for ubuntu-24
    • b03301d85 partial: enable ubuntu 24 runners
    • 13fbc5f97 update release runners to ubuntu 24.04
  • go.mod: golang.org/x/* latest (#​12096)
  • Remove additional fuzzers from instrumentation repo (#​12099)
    • 5fef123ba Remove additional fuzzers from CI
  • backport windows runner and golang toolchain updates (#​11972)
    • a35978f5a ci: bump golang [1.23.10, 1.24.4] in build and release
    • df035aa3e ci: bump golang [1.23.9, 1.24.3] in build and release
    • 2a6d9fc71 use go1.23.8 as the default go version
    • 15d4d6eba update to go 1.24.2, 1.23.8
    • 1613a3b1a Enable CIs to run on WS2022 and WS2025
  • test: added runc v1 tests using vagrant (#​11896)
    • 60e73122c test: added runc v1 tests using vagrant
  • Revert "disable portmap test in ubuntu-22 to make CI happy" (#​11803)
    • 10e1b515e Revert "Disable port mapping tests in CRI-in-UserNS"
    • 7a680e884 fix unbound SKIP_TEST variable error
    • e5f8cc995 Revert "disable portmap test in ubuntu-22 to make CI happy"
  • Update runc binary to v1.3.0 (#​11800)
  • Refresh OAuth tokens when they expire during registry operations (#​11721)
    • a6421da84 remotes/docker/authorizer.go: invalidate auth tokens when they expire.
  • [CI] Fix vagrant (#​11739)
  • Fix CI (#​11722)
    • d3e7dd716 Skip criu on Arms
    • 7cf9ebe94 Disable port mapping tests in CRI-in-UserNS
    • 42657a4ed disable portmap test in ubuntu-22 to make CI happy
    • b300fd37b add option to skip tests in critest
    • 6f4ffad27 Address cgroup mountpoint does not exist
    • cef298331 Update Ubuntu to 24
    • 2dd9be16e ci: update GitHub Actions release runner to ubuntu-24.04
  • Set default differ for the default unpack config of transfer service (#​11689)
    • e40e59e4e Set default differ for the default unpack config of transfer service
  • silence govulncheck false positives (#​11679)
    • ff097d5a4 silence govulncheck false positives
  • vendor: github.com/go-jose/go-jose/v3 v3.0.4 (#​11619)
    • 52dd4dc51 vendor: github.com/go-jose/go-jose/v3 v3.0.4
  • Remove invalid error log when stopping container after containerd restart (#​11620)
  • Update runc binary to v1.2.6 (#​11584)
  • Use RWMutex in NSMap and reduce lock area (#​11556)
    • 9a8d1d44a Use RWMutex in NSMap and reduce lock area

Dependency Changes
  • github.com/go-jose/go-jose/v3 v3.0.3 -> v3.0.4
  • golang.org/x/crypto v0.31.0 -> v0.40.0
  • golang.org/x/mod v0.17.0 -> v0.26.0
  • golang.org/x/net v0.33.0 -> v0.42.0
  • golang.org/x/oauth2 v0.11.0 -> v0.30.0
  • golang.org/x/sync v0.10.0 -> v0.16.0
  • golang.org/x/sys v0.28.0 -> v0.34.0
  • golang.org/x/term v0.27.0 -> v0.33.0
  • golang.org/x/text v0.21.0 -> v0.27.0
  • golang.org/x/time 90d013b -> v0.12.0

Previous release can be found at v1.7.27

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR has been generated by Renovate Bot.

@cilium-renovate cilium-renovate bot requested a review from a team as a code owner November 6, 2025 15:47
@cilium-renovate cilium-renovate bot added release-blocker This PR or issue is blocking the next release. release-note/dependency This PR updates one or multiple dependencies labels Nov 6, 2025
@cilium-renovate cilium-renovate bot requested review from tixxdz and removed request for a team November 6, 2025 15:47
@cilium-renovate cilium-renovate bot added the release-blocker This PR or issue is blocking the next release. label Nov 6, 2025
@cilium-renovate
Copy link
Contributor Author

cilium-renovate bot commented Nov 6, 2025

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

  • any of the package files in this branch needs updating, or
  • the branch becomes conflicted, or
  • you click the rebase/retry checkbox if found above, or
  • you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: undefined
Command failed: make protogen
go: downloading google.golang.org/grpc v1.71.1
go: downloading golang.org/x/net v0.38.0
go: downloading google.golang.org/genproto/googleapis/rpc v0.0.0-20250407143221-ac9807e6c755
go: downloading go.opentelemetry.io/otel v1.34.0
go: downloading go.opentelemetry.io/otel/sdk/metric v1.34.0
go: downloading go.opentelemetry.io/otel/sdk v1.34.0
go: downloading go.opentelemetry.io/otel/metric v1.34.0
go: downloading go.opentelemetry.io/otel/trace v1.34.0
go: downloading golang.org/x/text v0.23.0
make: *** [Makefile:30: __check-breaking_local] Error 100
make[1]: *** [Makefile:34: all] Error 2
make: *** [Makefile:384: protogen] Error 2

@cilium-renovate cilium-renovate bot added the release-note/dependency This PR updates one or multiple dependencies label Nov 6, 2025
@cilium-renovate @sayboras
fix(deps): update module github.com/containerd/containerd to v1.7.29 …
afbad01 
…[security]

Signed-off-by: cilium-renovate[bot] <134692979+cilium-renovate[bot]@users.noreply.github.com>
Signed-off-by: Tam Mach <[email protected]>
@sayboras sayboras force-pushed the renovate/v1.4-go-github.com-containerd-containerd-vulnerability branch from 34d7ca7 to afbad01 Compare November 11, 2025 11:41
sayboras added a commit that referenced this pull request Nov 22, 2025
@sayboras
renovate: Update the branch for breaking change check
91f4eea 
This is mainly for renovate post upgrade task. Renovate config is only
available in main branch, and it's hard to pass respective branch for
BUF_BREAKING_AGAINST_BRANCH, unlike in github action with (ref_name
and base_ref).

#4303 (comment)
@sayboras sayboras mentioned this pull request Nov 22, 2025
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@tixxdz tixxdz Awaiting requested review from tixxdz tixxdz was automatically assigned from cilium/tetragon-reviewers

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

release-blocker This PR or issue is blocking the next release. release-note/dependency This PR updates one or multiple dependencies

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant