23.0.10

Release date	Name	Upstream release
2024-MAR-20	MCR 23.0.10	Moby 23.0.10 and Docker CLI 23.0.10

Important

Following the initial MCR 23.0.10 patch release, as testing and internal usage continued, it was discovered that Mirantis customers on Linux could be impacted by an upstream race condition issue in the 1.6.30-rc.1 version of containerd. To remedy the matter, Mirantis quickly replaced that version of containerd with a new version, containerd 1.6.30~rc.2.

Mirantis recommends that you check the containerd version on your MCR 23.0.10 deployment. If you have containerd 1.6.30-rc.1, download and install containerd 1.6.30-rc.2.

To learn more about the upstream race container issue, refer to Mirantis patches containerd to address race condition on the Mirantis blog.

Changelog

MCR 23.0.10 comprises the Moby 23.0.10 upstream release.

Changes specific to MCR

• MCR contains the following component updates:

  • containerd 1.6.30~rc.2

  • runc 1.1.12-rc1.m1

  • cri-dockerd 0.3.11

  • Fipster (Go runtime) go1.21.8m1

What is new

The MCR 23.0.10 patch release focuses on the delivery of CVE and bug fixes.

Security

• The upgrade to cri-dockerd 0.3.11 resolves the following CVEs:

  • CVE-2020-8694

  • CVE-2020-8695

  • CVE-2020-12912

  • CVE-2024-24786

  • CVE-2023-48795

  • CVE-2024-21626

• The upgrade to runc/ctr 1.1.12-m1 resolves the following CVEs:

  • CVE-2024-24786

• The upgrade to containerd 1.6.30~rc.2 resolves the following CVEs:

  • CVE-2024-24786

  • CVE-2023-48795

• The upgrade to buildkit 0.10.7-m1 resolves the following CVE:

  • CVE-2024-23651

  • CVE-2024-23652

  • CVE-2024-23653

• Resolves the following CVEs in rootlesskit:

  • CVE-2022-41721

  • CVE-2023-39325

  • CVE-2023-44487

  • CVE-2022-41723

  • CVE-2023-3978

  • CVE-2022-41717

Changes from upstream

The upstream pull requests detailed in the sections that follow are those that pertain to the MCR product. For the complete list of changes and pull requests upstream, refer to the GitHub milestones.

Security

• Resolves the following CVE in moby/dockerd:

  • CVE-2024-24557

• Resolves the following CVE in Golang:

  • CVE-2024-24783

  • CVE-2023-45290

  • CVE-2023-45288

  • CVE-2023-45289

Bug fixes

• moby/moby#47307 Docker build cache broken after v24.0.7 when building “ltsc2019/1809” Windows container images on Windows 11.

• moby/moby#47325 Plugins: Fix panic when fetching by digest.

• containerd/containerd#9726 CRI pause image is not pinned when it’s pulled by ctr.

• containerd/containerd#7802 Containerd v1.6.12 slow memory leak when pod readiness probe gets stuck forever.

• containerd/containerd#9745 Glob pattern matching not applied to relative paths.

• containerd/containerd#9719 TaskExit event can be sent for an exec process after TaskExit is sent for the init process.

GitHub milestones

The Github milestones offer full detail on the pull requests and changes as they correlate to the upstream Moby 23.0.10 release:

• docker/cli, 23.0.10 milestone

• moby/moby, 23.0.10 milestone

Major component versions

Version detail for the major components that comprise MCR 23.0.10 is presented in the table below:

Component	Version
Moby	23.0.10
containerd	1.6.30~rc.2
runc	v1.1.12-rc1.m1
cri-dockerd	0.3.11
buildx	0.12.0m (4932eecc)
Fipster (Go runtime)	go1.21.8m1
buildkit	0.10.7-m1
rootlesskit	1.1.0