23.0.3

Release date	Name	Upstream release
2023-04-04	MCR 23.0.3	Moby 23.0.3 and 23.0.2, Docker CLI 23.0.3 and 23.0.2

Changelog

MCR 23.0.3 combines the Moby 23.0.2 and Moby 23.0.3 upstream releases.

Changes specific to MCR

• MCR contains the following component versions:

  • Fipster (Go runtime) go1.19.7m3

    • Fixes for Go CVEs: CVE-2022-41724, CVE-2022-41723, CVE-2022-41725, CVE-2022-41722, and CVE-2023-24532.

    • Fixes for FIPS module CVEs: CVE-2023-0286, CVE-2023-0215, and CVE-2022-4304.

    • Early backport of Go CL 478660 to solve a regression related to RLIMIT_NOFILE.

  • containerd v1.6.19

  • buildx v0.10.4

  • cri-dockerd v0.3.1

Changes from upstream

The upstream pull requests detailed in the sections that follow are those that pertain to the MCR product. For the complete list of changes and pull requests upstream, refer to the GitHub milestones.

What is new

The MCR 23.0.3 patch release focuses on the delivery of CVE and bug fixes.

Security

• moby/moby#45110 Credentials are now redacted from Git URLs when generating BuildKit buildinfo. Fixes CVE-2023-26054.

• Fixed a number of issues that can cause Swarm encrypted overlay networks to fail to uphold their guarantees, addressing CVE-2023-28841, CVE-2023-28840, and CVE-2023-28842.

  • A lack of kernel support for encrypted overlay networks now reports as an error.

  • Encrypted overlay networks are eagerly set up, rather than waiting for multiple nodes to attach.

  • Encrypted overlay networks are now usable on Red Hat Enterprise Linux 9 through the use of the xt_bpf kernel module.

  Users of Swarm overlay networks should review GHSA-vwm3-crmr-xfxw to ensure that unintentional exposure has not occurred. In addition, you can consult Mirantis KB000009856 for temporary mitigation instructions.

Bug fixes

• containerd/containerd#8087, moby/moby#45043 Resolved a failure to start containers on detection of an AppArmor-enabled kernel, due to missing checks for apparmor_parser.

• moby/moby#45159 Fixed an issued wherein anonymous volumes created by a VOLUME line in a Dockerfile were being excluded from volume prune.

• moby/moby#45155 Fixed an issue wherein errors were not properly propagated during removal of volumes on a Swarm node.

• moby/moby#45112 Initiated a temporary fix in BuildKit COPY --link by disabling mergeop/diffop optimization.

• moby/swarmkit#3112, moby/moby#45107 Fixed an issue wherein child tasks were not properly cleaned up following the removal of a parent Swarm job.

• moby/swarmkit#3082, moby/moby#45107 Fixed an issue with Swarm service creation logic that prevented a GenericResource and a non-default network from being used together.

• moby/swarmkit#3116, moby/moby#45107 Fixed an issue wherein Swarm CSI support required that the CSI plugin offer staging endpoints in order to publish a volume.

• containerd/fifo#47, moby/moby#45051 Fixed an issue wherein a panic occurred due to log buffering in a small number of configurations.

• moby/moby#45016 Errors that originate in the REST-to-Swarm-gRPC-API translation layer are now logged at the debug level, to reduce redundancy and noise.

• moby/moby#45000 Fixed an issue wherein a DNS resolution problem affected containers created with --dns-opt or --dns-search when systemd-resolved was used outside the container.

• moby/moby#44980 Fixed a panic that occurred whenever an attempt was made to log a malformed/incorrect DNS query that originated from a container.

• docker/cli#4107 Improved the speed of docker ps by allowing users to opt out of size calculations using --size=false.

• docker/cli#4092 Extended support for Bash completion to all plugins.

• docker/cli#4083 Fixed an issue wherein docker stack deploy failed on Windows when special environment variables set by cmd.exe are present.

• docker/cli#4065 Added forward compatibility for future API versions by considering empty image tags to be the same as <none>.

• docker/cli#4063 Context files are now written atomically to reduce the probability of corruption, with improvements made to the correlating error message.

GitHub milestones

The Github milestones offer full detail on the pull requests and changes as they correlate to the upstream Moby 23.0.2 release:

• docker/cli, 23.0.2 milestone

• moby/moby, 23.0.2 milestone

In addition, as a security-only release, Moby 23.0.3 is tracked by a GitHub security advisory rather than a milestone:

• moby/moby, GHSA-232p-vwff-86mp advisory

Major component versions

Version detail for the major components that comprise MCR 23.0.3 is presented in the table below:

Component	Version
Moby	23.0.3
Docker CLI	23.0.3
containerd	1.6.19
runc	1.1.4
cri-dockerd	0.3.1
buildx	0.10.4
Fipster (Go runtime)	go1.19.7m3
buildkit	0.10.7-0.20230208155512-4f0ee09c40e2
rootlesskit	1.1.0