23.0.14

Release date	Name	Upstream release
2024-JULY-29	MCR 23.0.14	Moby 23.0.14 and Docker CLI 23.0.10

Changelog

MCR 23.0.14 comprises the Moby 23.0.14 upstream release.

Changes specific to MCR

• MCR contains the following component updates:

  • containerd 1.6.33

  • runc 1.1.13-m1

  • cri-dockerd 0.3.15

  • Fipster (Go runtime) go1.21.12m

Changes from upstream

The upstream pull requests detailed in the sections that follow are those that pertain to the MCR product. For the complete list of changes and pull requests upstream, refer to the github-milestones-23.0.14.

What is new

The MCR 23.0.14 patch release focuses on the delivery of CVE and bug fixes.

Bug fixes

Moby

• moby/moby#47891 Do not depend on containerd platform. Parse to return a typed error.

• moby/moby#47988 builder/mobyexporter: Add missing nil check.

containerd

• containerd/containerd#10271 Migrate log imports to github.com/containerd/log.

• containerd/containerd#10267 Migrate errdefs package to github.com/containerd/errdefs.

• containerd/containerd#10268 Fix usage of “unknown” platform.

• containerd/containerd#10263 Explicitly set release latest to false.

• containerd/errdefs#1 Add common files.

cri-dockerd

• Mirantis/cri-dockerd/#373 Add common files.

runc

• opencontainers/runc#4231 runc list: fix race with runc delete.

• opencontainers/runc#4277 Fix set nofile rlimit error.

• opencontainers/runc#4284 libct/cg/fs: fix setting rt_period vs rt_runtime.

• opencontainers/runc#4315 Fix a debug msg for user ns in nsexec.

• opencontainers/runc#4316 script/*: fix gpg usage wrt keyboxd.

• opencontainers/runc#4244 Silence security false positives from golang/net.

• opencontainers/runc#4257 libcontainer: allow containers to make apps think fips is enabled/disabled for testing.

Security

The runc binaries provided here were built with go1.21.11, which includes a security fix for os.RemoveAll to fix a bug that would allow an attacker to trick runc into deleting a directory on the host. We encourage users to update, and if they build runc themselves, make sure they build their binaries using go1.21.11 or later, or go1.22.4 or later.

GitHub milestones

The GitHub milestones offer full detail on the pull requests and changes as they correlate to the upstream Moby 23.0.14 release:

• moby/moby, 23.0.14 milestone

• docker/cli, 23.0.10 milestone

Major component versions

Version detail for the major components that comprise MCR 23.0.14 is presented in the table below:

Component	Version
Moby	23.0.14
Docker CLI	23.0.10
containerd	1.6.33
runc	v1.1.13-m3
cri-dockerd	0.3.15
buildx	0.12.0m (4932eecc)
Fipster (Go runtime)	go1.21.12m1
buildkit	0.10.7-m1
rootlesskit	1.1.0

Known issues

Known issues that apply to Moby 23.0.14 and thus also to MCR 23.0.14 include:

• moby/moby#47728 The DNS records for containers on a node that has restarted may not be resolvable by containers on other nodes on the same overlay network. This may also occur without a daemon restart, if the underlay network is experiencing packet loss at the time the container is started. Only recently uncovered, this has been an issue since the advent of the NetworkDB moby component.