23.0.11

Release date	Name	Upstream release
2024-MAY-06	MCR 23.0.11	Moby 23.0.11 and Docker CLI 23.0.10

Changelog

MCR 23.0.11 comprises the Moby 23.0.11 upstream release.

Changes specific to MCR

• MCR contains the following component updates:

  • containerd 1.6.31-rc.1

  • runc 1.1.12-m3

  • cri-dockerd 0.3.13

  • Fipster (Go runtime) go1.21.9m3

What is new

The MCR 23.0.11 patch release focuses on the delivery of CVE and bug fixes.

Security

• The upgrade to cri-dockerd 0.3.13 resolves the following CVE:

  • CVE-2023-45288

• The upgrade to runc/ctr 1.1.12-m3 resolves the following CVEs:

  • CVE-2024-24786

  • CVE-2023-45288

• The upgrade to buildx dependencies resolves the following CVE:

  • CVE-2023-45288

  • CVE-2023-48795

• The upgrade to Fipster resolves the following CVE:

  • CVE-2024-1394

Functional

• The configured Runtime Enforcement mode for Docker Content Trust is reported in docker info under the Server label com.docker.content-trust.mode.

• The Docker Official Images root keys embedded in MCR have been updated to include the key used to sign images in the library/eqmx repository.

Changes from upstream

The upstream pull requests detailed in the sections that follow are those that pertain to the MCR product. For the complete list of changes and pull requests upstream, refer to the GitHub milestones.

Security

• Resolves the following CVE in moby/moby:

  • CVE-2023-45288

  • CVE-2024-29018

Bug fixes

• moby/moby#47515 daemon: overlay2: remove world writable permission from the lower file

• moby/moby#47529 builder-next: fix missing lock in ensurelayer.

• moby/moby#47535 volume: Don’t decrement refcount below 0.

• moby/moby#47699 Fix cases where we are wrapping a nil error.

• containerd/containerd#10038 Fix runc shim to only defer init process exits.

GitHub milestones

The Github milestones offer full detail on the pull requests and changes as they correlate to the upstream Moby 23.0.11 release:

• moby/moby, 23.0.11 milestone

• docker/cli, 23.0.10 milestone

Major component versions

Version detail for the major components that comprise MCR 23.0.11 is presented in the table below:

Component	Version
Moby	23.0.11
Docker CLI	23.0.10
containerd	1.6.31-rc.1
runc	v1.1.12-m3
cri-dockerd	0.3.13
buildx	0.12.0m (4932eecc)
Fipster (Go runtime)	go1.21.9m3
buildkit	0.10.7-m1
rootlesskit	1.1.0

Known issues

Known issues that apply to Moby 23.0.11 and thus also to MCR 23.0.11 include:

• moby/moby#47728 The DNS records for containers on a node that has restarted may not be resolvable by containers on other nodes on the same overlay network. This may also occur without a daemon restart, if the underlay network is experiencing packet loss at the time the container is started. Only recently uncovered, this has been an issue since the advent of the NetworkDB moby component.

• ENGINE-855 Promoting a worker node to the manager role shortly after demoting a different manager node down to a worker role can cause the newly promoted node to fail. The node fails before it becomes a manager and is never joined to the Raft quorum.

  Workaround:

  Wait 30 seconds between demoting a manager node to a worker role and promoting a different worker node to a manager role. If a node promotion fails:

  1. Run the docker node rm command from a different manager node to remove the failed worker node from the cluster.

  2. Run the docker swarm leave command from the failed worker node to have that node exit the cluster. The worker node can now rejoin the cluster as a fresh manager.