Skip to content

[v0.35.0m-base] vendor: github.com/containerd/containerd/v2 v2.2.5 to fix CVEs#12

Merged
smerkviladze merged 2 commits into
Mirantis:v0.35.0m-basefrom
smerkviladze:v0.35.0m-base-bump-containerd
Jul 13, 2026
Merged

[v0.35.0m-base] vendor: github.com/containerd/containerd/v2 v2.2.5 to fix CVEs#12
smerkviladze merged 2 commits into
Mirantis:v0.35.0m-basefrom
smerkviladze:v0.35.0m-base-bump-containerd

Conversation

@smerkviladze

@smerkviladze smerkviladze commented Jul 13, 2026

Copy link
Copy Markdown
Collaborator

Base: v0.35.0m1 tag

Cherry-picks:

Updates golang.org/x/* dependencies and github.com/containerd/containerd/v2 to v2.2.5.

For ENGINE-1793

tonistiigi and others added 2 commits July 13, 2026 17:31
vendor: update golang.org/x/* dependencies
(cherry picked from commit 1d805d2)
Signed-off-by: Sopho Merkviladze <smerkviladze@mirantis.com>
- full diff: containerd/containerd@v2.2.4...v2.2.5
- release notes: https://github.com/containerd/containerd/releases/tag/v2.2.5

The fifth patch release for containerd 2.2 contains various fixes
and updates including security patches.

-  CVE-2026-50195 / [GHSA-cvxm-645q-p574] CRI: checkpoint import allows local image tag poisoning
-  CVE-2026-53488 / [GHSA-xhf5-7wjv-pqxp] CRI: image-config LABEL flows to host-root command execution from an image pull
-  CVE-2026-53492 / [GHSA-33vj-92qq-66hc] CRI: CDI annotation smuggling during CRI checkpoint restore
-  CVE-2026-53489 / [GHSA-rgh6-rfwx-v388] CRI: Arbitrary host file read via symlink following in CRI checkpoint restore
-  CVE-2026-47262 / [GHSA-jpcc-p29g-p8mq] containerd image-triggered runtime DoS via unbounded group parsing

[GHSA-cvxm-645q-p574]: GHSA-cvxm-645q-p574
[GHSA-xhf5-7wjv-pqxp]: GHSA-xhf5-7wjv-pqxp
[GHSA-33vj-92qq-66hc]: GHSA-33vj-92qq-66hc
[GHSA-rgh6-rfwx-v388]: GHSA-rgh6-rfwx-v388
[GHSA-jpcc-p29g-p8mq]: GHSA-jpcc-p29g-p8mq

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit e1e5963)
Signed-off-by: Sopho Merkviladze <smerkviladze@mirantis.com>
@smerkviladze smerkviladze marked this pull request as ready for review July 13, 2026 15:56
@smerkviladze smerkviladze requested review from corhere and dperny July 13, 2026 15:56
@smerkviladze smerkviladze merged commit 73d1f5c into Mirantis:v0.35.0m-base Jul 13, 2026
167 of 282 checks passed
@smerkviladze smerkviladze deleted the v0.35.0m-base-bump-containerd branch July 13, 2026 16:31
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

4 participants