20.10.14

(2022-11-17)

Components

Component                    Version
Mirantis Container Runtime   20.10.14
containerd                   1.6.9
runc                         1.1.4
cri-dockerd                  0.2.3
buildx                       0.9.1
Golang runtime               1.18.7
registry-cli plugin          0.1.0-rc2 (deprecated)
buildkit                     0.8.3-31.gc0149372
rootlesskit                  0.14.4
docker app plugin            0.9.1-beta3 (deprecated)

Deprecation

  • Deprecated support for the registry-cli plugin.

  • Deprecated support for the docker app plugin.

Important

Mirantis will remove deprecated components in a future MCR release.

Daemon

  • Fixed a bug wherein the use of docker volume prune removed volumes that were still in use if the daemon was running with “live restore” and was restarted (moby/moby#44238).

  • Updated handling of image:tag@digest references. When pulling an image using image:tag@digest (“pull by digest”), image resolution occurs through the content-addressable digest, and the image name and tag are not used. While this is the expected behavior, it can be confusing, and it can also potentially be exploited through social engineering to run an image that is already present in the local image store. MCR now checks whether the digest matches the repository name that is used to pull the image.

  • Fixed a security vulnerability related to supplementary group permissions that can allow a container process to bypass primary group restrictions within the container (CVE-2022-36109, GHSA-rc4r-wh2q-q6c4).

  • Added support to seccomp for Landlock syscalls in the default policy (moby/moby#43991).

  • Updated the default seccomp policy to support new syscalls that were introduced in kernels 5.12 through 5.16 (moby/moby#43991).

  • Fixed an issue wherein cache lookup for image manifests failed, which resulted in a redundant roundtrip to the image registry (moby/moby#44109).

  • Fixed an issue wherein exec processes and healthchecks were not terminated once they timed out (moby/moby#44018).
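The pull-by-digest item above describes a check in the daemon; the following is an added example (not MCR or moby code) that reproduces that check as a pre-pull policy a CI job could run: it parses name[:tag][@digest] with a simplified reference grammar and refuses a reference whose digest is already known locally under a different repository. The local store is a constructed stand-in for what docker image inspect reports as RepoDigests, and the digests are placeholders.

```python
import re
from typing import NamedTuple, Optional

DIGEST_RE = re.compile(r"^sha256:[0-9a-f]{64}$")

class ImageRef(NamedTuple):
    name: str              # fully qualified repository, e.g. docker.io/library/alpine
    tag: Optional[str]
    digest: Optional[str]

def parse_reference(reference: str) -> ImageRef:
    """Split name[:tag][@digest] (simplified Docker reference grammar)."""
    name, digest = reference, None
    if "@" in reference:
        name, digest = reference.split("@", 1)
        if not DIGEST_RE.match(digest):
            raise ValueError(f"malformed digest in {reference!r}")
    # A ':' after the last '/' is a tag; before it, it is a registry port.
    path_start = name.rfind("/") + 1
    tag = None
    if ":" in name[path_start:]:
        name, tag = name.rsplit(":", 1)
    # Normalise short names the way the Docker CLI does.
    first = name.split("/", 1)[0]
    if "/" not in name:
        name = "docker.io/library/" + name
    elif "." not in first and ":" not in first and first != "localhost":
        name = "docker.io/" + name
    return ImageRef(name, tag, digest)

# Constructed stand-in for the daemon's local image store, keyed the way
# `docker image inspect` reports RepoDigests (placeholder digests, not real).
ALPINE_DIGEST = "sha256:" + "a" * 64
BUSYBOX_DIGEST = "sha256:" + "b" * 64
LOCAL_REPO_DIGESTS = {
    ALPINE_DIGEST: {"docker.io/library/alpine"},
    BUSYBOX_DIGEST: {"docker.io/library/busybox"},
}

def check_pull_by_digest(reference: str, local_repo_digests: dict) -> tuple:
    """Refuse a tag@digest pull whose digest is a locally known image of a
    different repository; mirrors the repository check added in this release."""
    ref = parse_reference(reference)
    if ref.digest is None:
        return True, "tag pull, resolved by the registry"
    repos = local_repo_digests.get(ref.digest)
    if not repos:
        return True, "digest not in local store, registry pull will verify it"
    if ref.name in repos:
        return True, "digest belongs to " + ref.name
    return False, f"{ref.digest[:19]}... is {sorted(repos)[0]}, not {ref.name}"
```

With the constructed store, alpine:3.16@<busybox digest> is refused even though the tag looks right, which is exactly the case the release note describes.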

Client

  • Added mitigation for CVE-2022-39253 when using the classic Builder with a Git URL as the build context.

Builder

  • Updated handling of image:tag@digest references. Refer to the Daemon section of these release notes for details.

  • Added mitigation to the classic Builder and updated BuildKit to v0.8.3-31-gc0149372, for CVE-2022-39253.

  • Fixed an issue that can result in a panic during docker builder prune or docker system prune (moby/moby#44122).

  • Fixed an issue where file capabilities were not preserved during build (moby/moby#43876).

  • Fixed an issue that can result in a panic caused by a concurrent map read and map write (moby/moby#44067).

Packaging