From 935bd589a356f51e5c97d111877bd2052f0c9da5 Mon Sep 17 00:00:00 2001 From: Christian Stewart Date: Sun, 23 Jan 2022 23:14:53 -0800 Subject: [PATCH] package/containerd: security bump to version 1.5.9 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit CVE-2021-43816: "Unprivileged pod using `hostPath` can side-step active LSM when it is SELinux" Containers launched through containerd’s CRI implementation on Linux systems which use the SELinux security module and containerd versions since v1.5.0 can cause arbitrary files and directories on the host to be relabeled to match the container process label through the use of specially-configured bind mounts in a hostPath volume. This relabeling elevates permissions for the container, granting full read/write access over the affected files and directories. Kubernetes and crictl can both be configured to use containerd’s CRI implementation. https://github.com/advisories/GHSA-mvff-h3cj-wj9c https://github.com/containerd/containerd/releases/tag/v1.5.9 Signed-off-by: Christian Stewart Signed-off-by: Thomas Petazzoni --- package/containerd/containerd.hash | 2 +- package/containerd/containerd.mk | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/package/containerd/containerd.hash b/package/containerd/containerd.hash index f1a6709554..d5aafe2e70 100644 --- a/package/containerd/containerd.hash +++ b/package/containerd/containerd.hash @@ -1,3 +1,3 @@ # Computed locally -sha256 a41ab8d39393c9456941b477c33bb1b221a29b635f1c9a99523aab2f5e74f790 containerd-1.5.8.tar.gz +sha256 40c9767af3e87f2c36adf2f563f0a8374e80b30bd2b7aa80058c85912406cef4 containerd-1.5.9.tar.gz sha256 4bbe3b885e8cd1907ab4cf9a41e862e74e24b5422297a4f2fe524e6a30ada2b4 LICENSE diff --git a/package/containerd/containerd.mk b/package/containerd/containerd.mk index cd975db274..8976e12f1a 100644 --- a/package/containerd/containerd.mk +++ b/package/containerd/containerd.mk 
@@ -4,7 +4,7 @@ # ################################################################################ -CONTAINERD_VERSION = 1.5.8 +CONTAINERD_VERSION = 1.5.9 CONTAINERD_SITE = $(call github,containerd,containerd,v$(CONTAINERD_VERSION)) CONTAINERD_LICENSE = Apache-2.0 CONTAINERD_LICENSE_FILES = LICENSE
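Review bot: In package/containerd/containerd.hash, the new sha256 for containerd-1.5.9.tar.gz sits under the "# Computed locally" comment, so the patch gives no upstream-published digest to check it against. For a security bump, a second person should fetch the v1.5.9 tarball independently and confirm the same sha256 before this is applied. The LICENSE hash line is unchanged, which is consistent with the license file being identical between 1.5.8 and 1.5.9.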
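Review bot: In package/containerd/containerd.mk, the one-line change of CONTAINERD_VERSION from 1.5.8 to 1.5.9 is the entire fix, and the commit message states that CVE-2021-43816 affects containerd versions since v1.5.0, so the 1.5.8 being replaced here was affected. Any maintained branch that still carries a 1.5.x version below 1.5.9 needs the same bump. Consider stating the intended backport targets in the commit message so the fix is not left on the development branch only.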