public inbox for buildroot@busybox.net
 help / color / mirror / Atom feed
From: Thomas Perale via buildroot <buildroot@buildroot.org>
To: Thomas Perale <thomas.perale@mind.be>
Cc: buildroot@buildroot.org
Subject: Re: [Buildroot] [PATCH 1/1] package/containerd: security bump to v2.0.7
Date: Fri,  6 Mar 2026 20:53:02 +0100	[thread overview]
Message-ID: <20260306195302.7339-1-thomas.perale@mind.be> (raw)
In-Reply-To: <20260225094824.270893-1-thomas.perale@mind.be>

In reply of:
> For more information on the version bump, see:
>   - https://github.com/containerd/containerd/releases/tag/v2.0.7
>   - https://github.com/containerd/containerd/releases/tag/v2.0.6
>   - https://github.com/containerd/containerd/releases/tag/v2.0.5
>   - https://github.com/containerd/containerd/releases/tag/v2.0.4
>   - https://github.com/containerd/containerd/releases/tag/v2.0.3
> 
> Fixes the following vulnerabilities:
> 
> - CVE-2024-25621:
>     Versions 2.0.0-beta.0 through 2.0.6 have an overly broad default
>     permission vulnerability. Directory paths `/var/lib/containerd`,
>     `/run/containerd/io.containerd.grpc.v1.cri` and
>     `/run/containerd/io.containerd.sandbox.controller.v1.shim` were all
>     created with incorrect permissions.
> 
>     https://www.cve.org/CVERecord?id=CVE-2024-25621
> 
> - CVE-2024-40635:
>     A bug was found in containerd prior to versions 2.0.4 where
>     containers launched with a User set as a `UID:GID` larger than the
>     maximum 32-bit signed integer can cause an overflow condition where
>     the container ultimately runs as root (UID 0). This could cause
>     unexpected behavior for environments that require containers to run
>     as a non-root user.
> 
>     https://www.cve.org/CVERecord?id=CVE-2024-40635
> 
> - CVE-2025-47291:
>     A bug was found in the containerd's CRI implementation where
>     containerd, starting in version 2.0.1 and prior to version 2.0.5,
>     doesn't put usernamespaced containers under the Kubernetes' cgroup
>     hierarchy, therefore some Kubernetes limits are not honored. This
>     may cause a denial of service of the Kubernetes node.
> 
>     https://www.cve.org/CVERecord?id=CVE-2025-47291
> 
> - CVE-2025-64329:
>     Versions 2.0.0-beta.0 through 2.0.6 contain a bug in the CRI Attach
>     implementation where a user can exhaust memory on the host due to
>     goroutine leaks.
> 
>     https://www.cve.org/CVERecord?id=CVE-2025-64329
> 
> Signed-off-by: Thomas Perale <thomas.perale@mind.be>

Applied to 2025.02.x & 2025.11.x. Thanks

> ---
>  package/containerd/containerd.hash | 2 +-
>  package/containerd/containerd.mk   | 2 +-
>  2 files changed, 2 insertions(+), 2 deletions(-)
> 
> diff --git a/package/containerd/containerd.hash b/package/containerd/containerd.hash
> index 4ec78897d9..0916c603bb 100644
> --- a/package/containerd/containerd.hash
> +++ b/package/containerd/containerd.hash
> @@ -1,3 +1,3 @@
>  # Computed locally
> -sha256  472747a7a6b360a0864bab0ee00a8a6f51da5795171e6a60ab17aa80cbd850a2  containerd-2.0.2-go2.tar.gz
> +sha256  2bbf9fedcf4ab31736fcb3ce224ef22610a87da9d53bbd8f6d205710fd849831  containerd-2.0.7-go2.tar.gz
>  sha256  4bbe3b885e8cd1907ab4cf9a41e862e74e24b5422297a4f2fe524e6a30ada2b4  LICENSE
> diff --git a/package/containerd/containerd.mk b/package/containerd/containerd.mk
> index 2ef70ab5d7..a334f0fdac 100644
> --- a/package/containerd/containerd.mk
> +++ b/package/containerd/containerd.mk
> @@ -4,7 +4,7 @@
>  #
>  ################################################################################
>  
> -CONTAINERD_VERSION = 2.0.2
> +CONTAINERD_VERSION = 2.0.7
>  CONTAINERD_SITE = $(call github,containerd,containerd,v$(CONTAINERD_VERSION))
>  CONTAINERD_LICENSE = Apache-2.0
>  CONTAINERD_LICENSE_FILES = LICENSE
> -- 
> 2.53.0
> 
> _______________________________________________
> buildroot mailing list
> buildroot@buildroot.org
> https://lists.buildroot.org/mailman/listinfo/buildroot
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

      parent reply	other threads:[~2026-03-06 19:53 UTC|newest]

Thread overview: 5+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-02-25  9:48 [Buildroot] [PATCH 1/1] package/containerd: security bump to v2.0.7 Thomas Perale via buildroot
2026-02-25  9:48 ` [Buildroot] [PATCH] package/wireshark: security bump to v4.4.13 Thomas Perale via buildroot
2026-02-25  9:57   ` Thomas Perale via buildroot
2026-02-25 21:10 ` [Buildroot] [PATCH 1/1] package/containerd: security bump to v2.0.7 Julien Olivain via buildroot
2026-03-06 19:53 ` Thomas Perale via buildroot [this message]

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20260306195302.7339-1-thomas.perale@mind.be \
    --to=buildroot@buildroot.org \
    --cc=thomas.perale@mind.be \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox