20.10.9
(2021-12-21)
Components

| Component | Version |
|---|---|
| Mirantis Container Runtime | 20.10.9 |
| containerd | 1.5.8 |
| runc | 1.0.2 |

Swarm
Fixed an issue wherein updating a service did not roll back on failure (moby/moby#42875).
Runtime
Created parent directories inside a chroot during `docker cp` to prevent a specially-crafted container from changing permissions of existing files in the host filesystem. This fix resolves CVE-2021-41089.
Locked down file permissions to prevent unprivileged users from discovering and executing programs in `/var/lib/docker`, to resolve CVE-2021-41091.
Added support for the `clone3` syscall in the default seccomp policy, to support running containers based on recent versions of Ubuntu (moby/moby#42836).
Windows: Updated hcsshim library to fix a bug in sparse file handling of container layers, which was exposed by recent changes in Windows (moby/moby#42944).
Fixed a number of situations wherein `docker stop` could hang and never resolve (moby/moby#42956).
Fixed a FIPS mode memory leak issue that arose in MCR 20.10.8 (FIELD-4523, ENGINE-539, ENGINE-543).
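
A post-upgrade check for the CVE-2021-41091 item above, as an added example that is not Mirantis or Moby code. The function name `audit_data_root` is hypothetical, and it assumes "locked down" means that the data root and its immediate subdirectories carry no permission bits for "other" users:

```shell
#!/bin/sh
# Added example: flag directories at or directly under the Docker data root
# that unprivileged ("other") users can read, write or traverse.
# Assumption: a locked-down data root has no "other" permission bits set.
# Usage (as root, so the data root is readable): audit_data_root /var/lib/docker

audit_data_root() {
    root=${1:-/var/lib/docker}
    if [ ! -d "$root" ]; then
        echo "audit_data_root: $root is not a directory" >&2
        return 2
    fi
    # -perm -NNN is true when all listed bits are set; test o+r, o+w, o+x in turn.
    exposed=$(find "$root" -maxdepth 1 -type d \
        \( -perm -004 -o -perm -002 -o -perm -001 \) -print 2>/dev/null)
    if [ -z "$exposed" ]; then
        echo "OK: no directory at or directly under $root is accessible to other users"
        return 0
    fi
    echo "EXPOSED: directories with permission bits set for other users:"
    # Show mode and ownership for each finding so it can be reviewed.
    printf '%s\n' "$exposed" | while IFS= read -r dir; do
        ls -ld "$dir"
    done
    return 1
}
```

The function returns 0 when nothing is exposed, 1 when at least one directory is listed, and 2 when the path is not a directory.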
Client
Ensured default auth config has address field set, to prevent credentials from being sent to the default registry, to resolve CVE-2021-41092.
Builder
Fixed platform-matching logic to repair `docker build` not finding images in the local image cache on Arm machines when using BuildKit (moby/moby#42954).
Windows
Fixed an issue wherein the `panic.log` file only had the read-only attribute set (moby/moby#42987).
Packaging
Updated containerd to version 1.5.8 to resolve CVE-2021-41190.
Updated the Golang runtime to Go version 1.16.10.