23.0.3

| Release date | Name | Upstream release |
|---|---|---|
| 2023-04-04 | MCR 23.0.3 | Moby 23.0.3 and 23.0.2, Docker CLI 23.0.3 and 23.0.2 |
Changelog
MCR 23.0.3 combines the Moby 23.0.2 and Moby 23.0.3 upstream releases.
Changes specific to MCR

MCR contains the following component versions:

- Fipster (Go runtime): go1.19.7m3
  - Fixes for Go CVEs: CVE-2022-41724, CVE-2022-41723, CVE-2022-41725, CVE-2022-41722, and CVE-2023-24532.
  - Fixes for FIPS module CVEs: CVE-2023-0286, CVE-2023-0215, and CVE-2022-4304.
  - Early backport of Go CL 478660 to solve a regression related to `RLIMIT_NOFILE`.
- containerd: v1.6.19
- buildx: v0.10.4
- cri-dockerd: v0.3.1
Changes from upstream
The upstream pull requests detailed in the sections that follow are those that pertain to the MCR product. For the complete list of changes and pull requests upstream, refer to the GitHub milestones.
What is new
The MCR 23.0.3 patch release focuses on the delivery of CVE and bug fixes.
Security

- moby/moby#45110 Credentials are now redacted from Git URLs when generating BuildKit buildinfo. Fixes CVE-2023-26054.
- Fixed a number of issues that can cause Swarm encrypted overlay networks to fail to uphold their guarantees, addressing CVE-2023-28841, CVE-2023-28840, and CVE-2023-28842.
  - A lack of kernel support for encrypted overlay networks now reports as an error.
  - Encrypted overlay networks are eagerly set up, rather than waiting for multiple nodes to attach.
  - Encrypted overlay networks are now usable on Red Hat Enterprise Linux 9 through the use of the `xt_bpf` kernel module.

  Users of Swarm overlay networks should review GHSA-vwm3-crmr-xfxw to ensure that unintentional exposure has not occurred. In addition, you can consult Mirantis KB000009856 for temporary mitigation instructions.
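The advisory review above asks Swarm operators to confirm that the overlay networks they rely on are actually marked encrypted, and the RHEL 9 fix depends on the `xt_bpf` kernel module being loadable. As an added example (not part of these release notes and not MCR code), the script below reads the JSON that `docker network inspect` prints, lists overlay networks created without the `encrypted` option, and checks whether `xt_bpf` can be loaded; the inspect output is a constructed sample, and the assumption that `--opt encrypted` appears as an `encrypted` key in the network's `Options` map is mine.

```python
import json
import subprocess
import sys

# Constructed sample of `docker network inspect` output from a Swarm manager,
# trimmed to the fields this check uses.
SAMPLE_INSPECT = json.dumps([
    {"Name": "ingress", "Driver": "overlay", "Scope": "swarm", "Options": {}},
    {"Name": "backend", "Driver": "overlay", "Scope": "swarm",
     "Options": {"encrypted": ""}},  # created with --opt encrypted
    {"Name": "frontend", "Driver": "overlay", "Scope": "swarm",
     "Options": {"com.docker.network.driver.overlay.vxlanid_list": "4098"}},
    {"Name": "bridge", "Driver": "bridge", "Scope": "local", "Options": {}},
])


def is_encrypted(options: dict) -> bool:
    """Assumption: the overlay driver stores `--opt encrypted` as an
    `encrypted` key whose value is empty or a true-ish string."""
    if "encrypted" not in options:
        return False
    return options["encrypted"].strip().lower() not in ("false", "0", "no")


def unencrypted_overlays(inspect_json: str) -> list[str]:
    """Names of overlay networks whose traffic is not marked encrypted."""
    nets = json.loads(inspect_json)
    return sorted(n["Name"] for n in nets
                  if n.get("Driver") == "overlay"
                  and not is_encrypted(n.get("Options") or {}))


def xt_bpf_loadable() -> bool:
    """True if `modprobe -n xt_bpf` (dry run) finds the module on this kernel."""
    try:
        res = subprocess.run(["modprobe", "-n", "xt_bpf"], capture_output=True)
        return res.returncode == 0
    except FileNotFoundError:  # no modprobe binary (e.g. inside a container)
        return False


if __name__ == "__main__":
    if "--live" in sys.argv:  # query the local daemon instead of the sample
        ids = subprocess.check_output(
            ["docker", "network", "ls", "-q", "--filter", "driver=overlay"],
            text=True).split()
        data = subprocess.check_output(
            ["docker", "network", "inspect", *ids], text=True) if ids else "[]"
    else:
        data = SAMPLE_INSPECT
    print("overlay networks without encryption:", unencrypted_overlays(data) or "none")
    print("xt_bpf loadable on this kernel:", xt_bpf_loadable())
```

Run with `--live` on a manager node to audit the real daemon; without it the constructed sample is used.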
Bug fixes

- containerd/containerd#8087, moby/moby#45043 Resolved a failure to start containers on detection of an AppArmor-enabled kernel, due to missing checks for `apparmor_parser`.
- moby/moby#45159 Fixed an issue wherein anonymous volumes created by a `VOLUME` line in a Dockerfile were being excluded from volume prune.
- moby/moby#45155 Fixed an issue wherein errors were not properly propagated during removal of volumes on a Swarm node.
- moby/moby#45112 Initiated a temporary fix in BuildKit `COPY --link` by disabling mergeop/diffop optimization.
- moby/swarmkit#3112, moby/moby#45107 Fixed an issue wherein child tasks were not properly cleaned up following the removal of a parent Swarm job.
- moby/swarmkit#3082, moby/moby#45107 Fixed an issue with Swarm service creation logic that prevented a GenericResource and a non-default network from being used together.
- moby/swarmkit#3116, moby/moby#45107 Fixed an issue wherein Swarm CSI support required that the CSI plugin offer staging endpoints in order to publish a volume.
- containerd/fifo#47, moby/moby#45051 Fixed an issue wherein a panic occurred due to log buffering in a small number of configurations.
- moby/moby#45016 Errors that originate in the REST-to-Swarm-gRPC-API translation layer are now logged at the debug level, to reduce redundancy and noise.
- moby/moby#45000 Fixed an issue wherein a DNS resolution problem affected containers created with --dns-opt or --dns-search when systemd-resolved was used outside the container.
- moby/moby#44980 Fixed a panic that occurred whenever an attempt was made to log a malformed/incorrect DNS query that originated from a container.
- docker/cli#4107 Improved the speed of docker ps by allowing users to opt out of size calculations using --size=false.
- docker/cli#4092 Extended support for Bash completion to all plugins.
- docker/cli#4083 Fixed an issue wherein docker stack deploy failed on Windows when special environment variables set by `cmd.exe` were present.
- docker/cli#4065 Added forward compatibility for future API versions by considering empty image tags to be the same as `<none>`.
- docker/cli#4063 Context files are now written atomically to reduce the probability of corruption, with improvements made to the correlating error message.
GitHub milestones

The GitHub milestones offer full detail on the pull requests and changes as they correlate to the upstream Moby 23.0.2 release:

In addition, as a security-only release, Moby 23.0.3 is tracked by a GitHub security advisory rather than a milestone:
Major component versions

Version detail for the major components that comprise MCR 23.0.3 is presented in the table below:

| Component | Version |
|---|---|
| Fipster (Go runtime) | |
| 0.10.7-0.20230208155512-4f0ee09c40e2 | |