Deprecated support for the registry-cli plugin.
Deprecated support for the docker app plugin.
Mirantis will remove deprecated components in a future MCR release.
Fixed a bug wherein the use of docker volume prune removed volumes that were still in use if the daemon was running with “live restore” and was restarted (moby/moby#44238).
Updated handling of image:tag@digest references. When pulling an image using image:tag@digest (“pull by digest”), image resolution occurs through the content-addressable digest and the image and tag are not used. While expected, this can lead to confusing behavior, and can also potentially be exploited through social engineering to run an image that is already present in the local image store. MCR now checks whether the digest matches the repository name that is used to pull the image.
Fixed a security vulnerability related to supplementary group permissions that can allow a container process to bypass primary group restrictions within the container (CVE-2022-36109, GHSA-rc4r-wh2q-q6c4).
Added support to seccomp for Landlock syscalls in the default policy (moby/moby#43991).
Updated the default seccomp policy to support new syscalls that were introduced in kernel 5.12 - 5.16 (moby/moby#43991).
Fixed an issue wherein cache lookup for image manifests failed, which resulted in a redundant roundtrip to the image registry (moby/moby#44109).
Fixed an issue wherein exec processes and healthchecks were not terminated once they timed out (moby/moby#44018).
Added mitigation for CVE-2022-39253 when using the classic Builder with a Git URL as the build context.
Updated handling of image:tag@digest references. Refer to the Daemon section of these release notes for details.
Fixed an issue that can result in a panic during docker builder prune or docker system prune (moby/moby#44122).
Fixed an issue where file capabilities were not preserved during build (moby/moby#43876).
Fixed an issue that can result in a panic caused by a concurrent map read and map write (moby/moby#44067).
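The repository check described above for image:tag@digest references can be modelled as follows; this is an added example, not MCR or Moby code. The store type, splitRef, resolve and the sample digest and repository names are constructed for illustration, and strict=false stands for the digest-only lookup that the note describes.

```go
package main

import (
	"fmt"
	"strings"
)

// store maps a local image digest to the repositories it is recorded under (constructed model).
type store map[string][]string

// splitRef splits "repo[:tag]@digest"; the tag is dropped because pull by digest ignores it.
func splitRef(ref string) (repo, digest string, err error) {
	at := strings.LastIndex(ref, "@")
	if at < 1 || at == len(ref)-1 {
		return "", "", fmt.Errorf("%q is not a digest reference", ref)
	}
	repo, digest = ref[:at], ref[at+1:]
	// A ':' after the last '/' separates the tag; before it, it is a registry port.
	if c := strings.LastIndex(repo, ":"); c > strings.LastIndex(repo, "/") {
		repo = repo[:c]
	}
	return repo, digest, nil
}

// resolve looks ref up by digest; strict also requires the digest to be recorded under ref's repository.
func resolve(s store, ref string, strict bool) (string, error) {
	repo, digest, err := splitRef(ref)
	if err != nil {
		return "", err
	}
	repos, ok := s[digest]
	if !ok {
		return "", fmt.Errorf("digest %s is not in the local store", digest)
	}
	for _, r := range repos {
		if r == repo {
			return digest, nil
		}
	}
	if strict {
		return "", fmt.Errorf("digest %s is not recorded under repository %s", digest, repo)
	}
	return digest, nil
}

func main() {
	s := store{"sha256:aaaa": {"example/untrusted"}} // constructed sample store
	fmt.Println(resolve(s, "example/trusted:1.0@sha256:aaaa", true))
}
```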