Mirantis Container Runtime
Fixed an issue wherein updating a service did not roll back on failure (moby/moby#42875).
Created parent directories inside a chroot during docker cp to prevent a specially-crafted container from changing permissions of existing files in the host filesystem. This fix resolves CVE-2021-41089.
Locked down file permissions to prevent unprivileged users from discovering and executing programs in /var/lib/docker, to resolve CVE-2021-41091.
Added support for the clone3 syscall in the default seccomp policy, to support running containers based on recent versions of Ubuntu (moby/moby#42836).
Windows: Updated the hcsshim library to fix a bug in sparse file handling of container layers, which was exposed by recent changes in Windows (moby/moby#42944).
Fixed a number of situations wherein docker stop could hang and never resolve (moby/moby#42956).
Fixed a FIPS mode memory leak issue that arose in MCR 20.10.8 (FIELD-4523, ENGINE-539, ENGINE-543).
Ensured default auth config has address field set, to prevent credentials from being sent to the default registry, to resolve CVE-2021-41092.
Fixed platform-matching logic to repair docker build not finding images in the local image cache on Arm machines when using BuildKit (moby/moby#42954).
Fixed an issue wherein the panic.log file only had the read-only attribute set (moby/moby#42987).
Updated containerd to version 1.5.8 to resolve CVE-2021-41190.
Updated the Golang runtime to Go version 1.16.10.
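After applying this release, an operator may want to confirm that the /var/lib/docker lockdown for CVE-2021-41091 is in effect on each host. The following POSIX shell script is an added example, not part of the Mirantis release notes or the MCR code base; it assumes the data root is /var/lib/docker (pass another path as the first argument to override) and that GNU stat is available. It does not assume a specific mode value; it only reports directories that grant any permission bits to "other", which is the condition the fix is meant to remove.

```shell
#!/bin/sh
# Added example: audit the Docker/MCR data root for world-accessible
# directories. Not from the Mirantis release notes. Assumes GNU coreutils
# stat (-c '%a'); the default data root /var/lib/docker is an assumption.

# check_no_other_access DIR
#   Returns 0 when DIR grants no read/write/execute bits to "other",
#   1 when it does (unprivileged users could traverse or list it),
#   2 when DIR does not exist or its mode cannot be read.
check_no_other_access() {
    dir="$1"
    [ -d "$dir" ] || return 2
    mode=$(stat -c '%a' "$dir" 2>/dev/null) || return 2
    # stat prints the octal mode without a leading zero (e.g. 710, 1777);
    # the last digit is the "other" triplet, so take mode modulo 10.
    other=$(( mode % 10 ))
    [ "$other" -eq 0 ]
}

# audit_data_root [ROOT]
#   Checks ROOT and each of its top-level subdirectories. Prints every
#   directory that is accessible to "other" and returns 1 if any was
#   found, 0 otherwise. Missing or unreadable entries are skipped.
audit_data_root() {
    root="${1:-/var/lib/docker}"   # assumed default data root
    bad=0
    for d in "$root" "$root"/*; do
        [ -d "$d" ] || continue
        if ! check_no_other_access "$d"; then
            echo "world-accessible: $d"
            bad=1
        fi
    done
    return "$bad"
}

# Usage (as root, since the hardened data root is not readable otherwise):
#   audit_data_root /var/lib/docker
```

Run it as root after the upgrade; a non-zero exit with one or more "world-accessible:" lines means the data root still exposes a directory to unprivileged users and warrants a closer look at the host's permissions and umask.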