20.10.9 (2021-12-21)

Components

  Component                    Version
  Mirantis Container Runtime   20.10.9
  containerd                   1.5.8
  runc                         1.0.2

Swarm

  • Fixed an issue wherein updating a service did not roll back on failure (moby/moby#42875).

Runtime

  • Created parent directories inside a chroot during docker cp to prevent a specially-crafted container from changing permissions of existing files in the host filesystem. This fix resolves CVE-2021-41089.

  • Locked down file permissions to prevent unprivileged users from discovering and executing programs in /var/lib/docker, to resolve CVE-2021-41091.

  • Added support for the clone3 syscall in the default seccomp policy, to support running containers based on recent versions of Ubuntu (moby/moby#42836).

  • Windows: Updated the hcsshim library to fix a bug in sparse file handling of container layers, which was exposed by recent changes in Windows (moby/moby#42944).

  • Fixed a number of situations wherein docker stop could hang and never resolve (moby/moby#42956).

  • Fixed a FIPS mode memory leak issue that arose in MCR 20.10.8 (FIELD-4523, ENGINE-539, ENGINE-543).

Client

  • Ensured the default auth config has the address field set, to prevent credentials from being sent to the default registry, to resolve CVE-2021-41092.

Builder

  • Fixed platform-matching logic so that docker build finds images in the local image cache on Arm machines when using BuildKit (moby/moby#42954).

Windows

  • Fixed an issue wherein the panic.log file only had the read-only attribute set (moby/moby#42987).

Packaging

  • Updated containerd to version 1.5.8 to resolve CVE-2021-41190.

  • Updated the Golang runtime to Go version 1.16.10.
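A practical follow-up to these notes is confirming that a host actually carries the fixed components before treating the CVEs above as addressed. The script below is an added example, not part of the Mirantis release notes or the MCR packaging: it compares the installed engine, containerd and runc versions against the minimums from the Components table. The minimum versions are taken from that table; the version-parsing of `docker version --format '{{.Server.Version}}'`, `containerd --version` and `runc --version` output is an assumption about those tools' output format, and the fallback values used when the tools are absent are constructed so the script runs offline.

```shell
#!/bin/sh
# Added example (not from the release notes): audit a host against the
# component versions listed for MCR 20.10.9. Minimums come from the table.
MIN_MCR="20.10.9"
MIN_CONTAINERD="1.5.8"
MIN_RUNC="1.0.2"

# version_ge A B: succeed when dotted version A is at or above B.
# Suffixes such as "-rc1", "~ubuntu1" or "+build" are stripped for the
# numeric comparison; a pre-release of the minimum itself (e.g. 1.0.2-rc1)
# is still treated as older than the minimum.
version_ge() {
    a_base=$(printf '%s' "$1" | sed 's/[-~+].*$//')
    b_base=$(printf '%s' "$2" | sed 's/[-~+].*$//')
    if [ "$a_base" = "$b_base" ]; then
        case "$1" in *-rc*|*-beta*|*-alpha*) return 1 ;; esac
        return 0
    fi
    # Numeric per-field sort (portable; avoids GNU-only sort -V).
    lowest=$(printf '%s\n%s\n' "$a_base" "$b_base" \
        | sort -t. -k1,1n -k2,2n -k3,3n | head -n1)
    [ "$lowest" = "$b_base" ]
}

# check_component NAME INSTALLED MINIMUM: print a verdict; return 0 if OK.
check_component() {
    if version_ge "$2" "$3"; then
        printf '%-28s %-12s OK (>= %s)\n' "$1" "$2" "$3"
    else
        printf '%-28s %-12s BELOW minimum %s\n' "$1" "$2" "$3"
        return 1
    fi
}

# first_version: pull the first x.y.z token out of a tool's version banner
# (assumed output formats: "containerd containerd.io 1.5.8 ...",
# "runc version 1.0.2").
first_version() {
    grep -oE '[0-9]+\.[0-9]+\.[0-9]+' | head -n1
}

# audit_host: query the host, falling back to constructed sample values when
# the tools are not installed, and return non-zero if any component is old.
audit_host() {
    mcr=$(docker version --format '{{.Server.Version}}' 2>/dev/null)
    [ -n "$mcr" ] || mcr="20.10.8"   # constructed: demonstrates a failing check
    ctr=$(containerd --version 2>/dev/null | first_version)
    [ -n "$ctr" ] || ctr="1.5.8"      # constructed fallback
    rnc=$(runc --version 2>/dev/null | first_version)
    [ -n "$rnc" ] || rnc="1.0.2"      # constructed fallback

    rc=0
    check_component "Mirantis Container Runtime" "$mcr" "$MIN_MCR" || rc=1
    check_component "containerd" "$ctr" "$MIN_CONTAINERD" || rc=1
    check_component "runc" "$rnc" "$MIN_RUNC" || rc=1
    return $rc
}

audit_host
```

On a host without Docker the constructed fallbacks make the engine line report BELOW minimum, which is the shape of output an operator would act on; on a real host the printed versions are whatever the tools report, so a patched MCR 20.10.9 installation should print OK on all three lines.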