20.10.16

(2023-04-04)

Components

Component	Version
Mirantis Container Runtime	20.10.16
containerd	1.6.19
runc	1.1.4
cri-dockerd	0.3.1
buildx	0.10.4
Golang runtime	1.19.7m3
buildkit	0.8.3-31.gc0149372
rootlesskit	0.14.4

Security

• Fixed a number of issues that can cause Swarm encrypted overlay networks to fail to uphold their guarantees, addressing CVE-2023-28841, CVE-2023-28840, and CVE-2023-28842.

  • A lack of kernel support for encrypted overlay networks now reports as an error.

  • Encrypted overlay networks are eagerly set up, rather than waiting for multiple nodes to attach.

  • Encrypted overlay networks are now usable on Red Hat Enterprise Linux 9 through the use of the xt_bpf kernel module.

  Users of Swarm overlay networks should review GHSA-vwm3-crmr-xfxw to ensure that unintentional exposure has not occurred. In addition, you can consult Mirantis KB000009856 for temporary mitigation instructions.

Packaging

• Updated Fipster (Go runtime) to version go1.19.7m3.

  • Fixes for Go CVEs: CVE-2022-41724, CVE-2022-41723, CVE-2022-41725, CVE-2022-41722, and CVE-2023-24532.

  • Fixes for FIPS module CVEs: CVE-2023-0286, CVE-2023-0215, and CVE-2022-4304.

  • Early backport of Go CL 478660 to solve a regression related to RLIMIT_NOFILE.

• Updated containerd to version 1.6.19.

• Updated Docker Buildx to v0.10.4.

• Updated cri-dockerd to 0.3.1.