20.10.9¶

(2021-12-21)

Components¶

Fixed an issue wherein updating a service did not roll back on failure (moby/moby#42875).

Created parent directories inside a chroot during docker cp to prevent a specially-crafted container from changing permissions of existing files in the host filesystem. This fix resolves CVE-2021-41089.
Locked down file permissions to prevent unprivileged users from discovering and executing programs in /var/lib/docker, to resolve CVE-2021-41091.
Added support for clone3 syscall in the default seccomp policy, to support running containers based on recent versions of Ubuntu (moby/moby/#42836.
Windows: Updated hcsshim library to fix a bug in sparse file handling of container layers, which was exposed by recent changes in Windows (moby/moby#42944.
Fixed a number of situations wherein docker stop could hang and never resolve (moby/moby#42956).
Fixed a FIPS mode memory leak issue that arose in MCR 20.10.8 (FIELD-4523, ENGINE-539, ENGINE-543).

Ensured default auth config has address field set, to prevent credentials from being sent to the default registry, to resolve CVE-2021-41092.

Fixed platform-matching logic to repair docker build not finding images in the local image cache on Arm machines when using BuildKit (moby/moby#42954).

Fixed an issue wherein the panic.log file only had the read-only attribute set (moby/moby#42987).