23.0.9

Release date	Name	Upstream release
2024-JAN-31	MCR 23.0.9	Moby 23.0.9 and Docker CLI 23.0.9

Changelog

MCR 23.0.9 comprises the Moby 23.0.9 upstream release.

Changes specific to MCR

Fixed an issue that pertains to the enabling of FIPS for Swarm. Users need to be aware that with this fix in place, FIPS-disabled nodes can no longer join a FIPS-enabled cluster.

Fixed an issue that prevented docker exec from working in FIPS mode.

• MCR contains the following component updates:

  • containerd 1.6.28-rc.1

  • cri-dockerd 0.3.9

  • buildx 0.12.0m (4932eecc)

  • Fipster (Go runtime) 1.20.12m1

Changes from upstream

The upstream pull requests detailed in the sections that follow are those that pertain to the MCR product. For the complete list of changes and pull requests upstream, refer to the GitHub milestones.

What is new

The MCR 23.0.9 patch release focuses on the delivery of CVE and bug fixes.

Security

• The upgrade to cri-dockerd 0.3.9 resolves the following CVEs:

  • CVE-2023-3676

  • CVE-2023-3955

  • CVE-2023-5528

  • CVE-2023-47108

  • CVE-2023-45142

  • CVE-2023-2431

  • CVE-2020-8561

  • CVE-2020-8554

  • CVE-2023-2728

  • CVE-2023-2727

  • CVE-2019-11255

• The upgrade to runc/ctr 1.1.11-rc1 resolves the following CVEs:

  • CVE-2023-39325

  • CVE-2023-44487

• The upgrade to containerd 1.6.28-rc.1 resolves the following CVEs:

  • CVE-2023-47108

  • CVE-2023-44487

  • GHSA-7ww5-4wgc-m92c

• The upgrade to buildx 0.12.0m resolves the following CVE:

  • CVE-2023-44487

Bug fixes

• moby/moby#46621 client.ContainerWait previously returned the wrong error when context is cancelled.

• containerd/containerd#9613 Update of shim pidfile permissions to 0644.

• containerd/containerd#9441 Fixed windows default path overwrite issue.

• containerd/containerd#9453 Update of push to inherit distribution sources from parent.

• containerd/containerd/GHSA-7ww5-4wqc-m92c Mask /sys/devices/virtual/powercap path in runtime spec and deny in default apparmor profile.

• containerd/containerd#9111 Check whether content actually needed to be pushed to remote registry, and also whether the cross-repo was mounted or already existed.

• containerd/containerd#9105 Soft deprecate log package.

• containerd/containerd/#9189 Always try to establish the TLS connection when TLS is configured.

• containerd/containerd/#9169 CRI: stop recommending disable_cgroup.

• containerd/containerd/#9150 Allow images with artifacts layers to pull.

• containerd/containerd/#9166 Require plugins to succeed after registering readiness.

• containerd/containerd/#9210 Circumvent potential deadlock in create handler in containerd-shim-runc-v2.

• containerd/containerd/#9236 Added handling for missing basic auth credentials.

• containerd/containerd/#9267 Addition of a new image label if it is docker schema 1.

• containerd/containerd/#9300 Fixed ambiguous TLS fallback.

• containerd/containerd/#9329 Expose usage of deprecated features

• containerd/containerd/#9345 Fixed shimv1 leak issue.

• containerd/containerd/#9382 CRI: fix using the pinned label to pin image.

GitHub milestones

The Github milestones offer full detail on the pull requests and changes as they correlate to the upstream Moby 23.0.9 release:

• docker/cli, 23.0.9 milestone

• moby/moby, 23.0.9 milestone

Major component versions

Version detail for the major components that comprise MCR 23.0.9 is presented in the table below:

Component	Version
Moby	23.0.9
containerd	1.6.28-rc.1
runc	1.1.11-rc1
cri-dockerd	0.3.9
buildx	0.12.0m (4932eecc)
Fipster (Go runtime)	go1.20.12m1
buildkit	0.10.7
rootlesskit	1.1.0