23.0.9
Release date | Name | Upstream release |
---|---|---|
2024-JAN-31 | MCR 23.0.9 | Moby 23.0.9 and Docker CLI 23.0.9 |
Changelog
MCR 23.0.9 comprises the Moby 23.0.9 upstream release.
Changes specific to MCR
Fixed an issue that pertains to the enabling of FIPS for Swarm. Users need to be aware that with this fix in place, FIPS-disabled nodes can no longer join a FIPS-enabled cluster.
Fixed an issue that prevented docker exec from working in FIPS mode.
MCR contains the following component updates:
containerd 1.6.28-rc.1
cri-dockerd 0.3.9
buildx 0.12.0m (4932eecc)
Fipster (Go runtime) 1.20.12m1
Changes from upstream
The upstream pull requests detailed in the sections that follow are those that pertain to the MCR product. For the complete list of changes and pull requests upstream, refer to the GitHub milestones.
What is new
The MCR 23.0.9 patch release focuses on the delivery of CVE and bug fixes.
Security
The upgrade to cri-dockerd 0.3.9 resolves the following CVEs:
The upgrade to runc/ctr 1.1.11-rc1 resolves the following CVEs:
The upgrade to containerd 1.6.28-rc.1 resolves the following CVEs:
The upgrade to buildx 0.12.0m resolves the following CVE:
Bug fixes
moby/moby#46621 client.ContainerWait previously returned the wrong error when context is cancelled.
containerd/containerd#9613 Update of shim pidfile permissions to 0644.
containerd/containerd#9441 Fixed windows default path overwrite issue.
containerd/containerd#9453 Update of push to inherit distribution sources from parent.
containerd/containerd/GHSA-7ww5-4wqc-m92c Mask /sys/devices/virtual/powercap path in runtime spec and deny in default apparmor profile.
containerd/containerd#9111 Check whether content actually needed to be pushed to remote registry, and also whether the cross-repo was mounted or already existed.
containerd/containerd#9105 Soft deprecate log package.
containerd/containerd/#9189 Always try to establish the TLS connection when TLS is configured.
containerd/containerd/#9169 CRI: stop recommending disable_cgroup.
containerd/containerd/#9150 Allow images with artifacts layers to pull.
containerd/containerd/#9166 Require plugins to succeed after registering readiness.
containerd/containerd/#9210 Circumvent potential deadlock in create handler in containerd-shim-runc-v2.
containerd/containerd/#9236 Added handling for missing basic auth credentials.
containerd/containerd/#9267 Addition of a new image label if it is docker schema 1.
containerd/containerd/#9300 Fixed ambiguous TLS fallback.
containerd/containerd/#9329 Expose usage of deprecated features.
containerd/containerd/#9345 Fixed shimv1 leak issue.
containerd/containerd/#9382 CRI: fix using the pinned label to pin image.
GitHub milestones
The GitHub milestones offer full detail on the pull requests and changes as they correlate to the upstream Moby 23.0.9 release:
Major component versions
Version detail for the major components that comprise MCR 23.0.9 is presented in the table below:
Component | Version |
---|---|
Fipster (Go runtime) |
|
0.10.7 |
|