
chore(deps): update dependency containerd/containerd to v1.7.17 #4794

Merged: 1 commit merged into main from renovate/containerd-containerd-1.7.x on May 17, 2024

Conversation

uniget-bot

This PR contains the following updates:

Package               | Update | Change
containerd/containerd | patch  | 1.7.16 -> 1.7.17

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.


Release Notes

containerd/containerd (containerd/containerd)

v1.7.17: containerd 1.7.17

Compare Source

Welcome to the v1.7.17 release of containerd!

The seventeenth patch release for containerd 1.7 contains various fixes and updates.

Highlights
  • Use LOOP_CONFIGURE when creating loop devices (#10209)
  • Update unpacker to fetch all provided content (#10233)
  • Preserve CL_UNPRIVILEGED locked flags during remount of bind mounts (#10210)
  • Update metadata snapshotter to lease on already exists (#10198)
  • Handle unsupported config versions (#10165)
  • Fix deadlock when writing to pipe blocks (containerd/ttrpc#168)

Please try out the release binaries and report any issues at
https://github.com/containerd/containerd/issues.

Contributors
  • Stefan Berger
  • Derek McGowan
  • Austin Vazquez
  • Alexandru Matei
  • Maksym Pavlenko
  • Akihiro Suda
  • Bryant Biggs
  • Kevin Parsons
  • Kirtana Ashok
  • Phil Estes
  • Kazuyoshi Kato
  • Kohei Tokunaga
  • Swagat Bora
Changes
43 commits

  • Prepare release notes for v1.7.17 (#10235)
    • 114b07b97 Prepare release notes for v1.7.17
  • Use LOOP_CONFIGURE when creating loop devices (#10209)
    • 803aaa680 Remove internal LoopConfig struct
    • 7bd3be948 Swap internal ioctl implementation with golang.org/x/sys
    • a0739dc0e Use LOOP_CONFIGURE when creating loop devices
  • Update unpacker to fetch all provided content (#10233)
    • 1573ea598 Update ctr image pull all platforms
    • 32b594f1b Update unpacker to always fetch all
  • Update hcsshim tag to v0.11.5 (#10232)
  • Update ttrpc tag to 1.2.4 (#10221)
  • Preserve CL_UNPRIVILEGED locked flags during remount of bind mounts (#10210)
    • ad85652fa Preserve CL_UNPRIVILEGED locked flags during remount of bind mounts
  • Update instrumentation fuzzer with new flag (#10229)
    • 582f3f43d Update instrumentation fuzzer with new flag
  • vendor: github.com/containerd/imgcrypt@v1.1.8 (#10215)
    • a5d13689b vendor: github.com/containerd/imgcrypt@v1.1.8
  • vendor: golang.org/x/net@v0.23.0 (#10211)
  • Update tooling to Go 1.21.10, 1.22.3 for net/http bug fixes (#10207)
    • c53b635f9 Update toolchain to Go 1.21.10 and 1.22.3
  • vendor: golang.org/x/crypto@v0.18.0 (#10204)
    • 4b52104f0 vendor: golang.org/x/crypto@v0.18.0
    • 2f65c83b0 vendor: golang.org/x/term@v0.16.0
    • 8a76171f7 vendor: golang.org/x/sys@v0.16.0
    • d45778523 vendor: golang.org/x/term@v0.15.0, golang.org/x/text@v0.14.0
    • 24038de8c vendor: golang.org/x/sys@v0.15.0
  • Update metadata snapshotter to lease on already exists (#10198)
    • eb930375c Add lease test for metadata snapshotter
    • 9f6c61ab9 Update metadata snapshotter to lease on exists
  • Update grpc and image-spec dependencies (#10180)
    • 24dd403ab Update image-spec to v1.1.0
    • 189b69e24 go.mod: github.com/opencontainers/image-spec v1.1.0-rc3
    • 388fb336b Update grpc to v1.59.0
  • Handle unsupported config versions (#10165)
    • 00347b7fa Add check for unsupported config versions

Changes from containerd/imgcrypt
53 commits

  • CHANGES: Updated CHANGES document for 1.1.8 release (containerd/imgcrypt#122)
    • 956b4d3 CHANGES: Updated CHANGES document for 1.1.8 release
  • Synchronize enc-ctr with upstream ctr from containerd v1.6.23 and use containerd v1.6.23 in dependency (containerd/imgcrypt#120)
    • 9e8e1c1 ctr: Sync code with containerd v1.6.23 ctr
    • 7d2cca5 build(deps): bump containerd from 1.6.20 to 1.6.23
  • Synchronize enc-ctr with upstream ctr from containerd v1.6.20 (containerd/imgcrypt#119)
    • 0f2559e ctr: Sync code with containerd v1.6.20 ctr
    • c48dd78 cmd: Copy IntToInt32Array into img package and use it
  • Update to ocicrypt 1.1.8 and minimum go 1.20 (containerd/imgcrypt#118)
    • 6d48a4e build(deps): bump ocicrypt from 1.1.7 to 1.1.8
    • 1bc94a2 github: Use golangci-lint v1.54.1 and adjust config file
    • 9065f1d github: Test with go 1.21 and go 1.20
    • 74986f3 go.mod: Require go 1.20
  • build(deps): bump google.golang.org/grpc from 1.47.0 to 1.53.0 (containerd/imgcrypt#117)
    • a2a8273 build(deps): bump google.golang.org/grpc from 1.47.0 to 1.53.0
  • test: Test creating and running of container with key file missing (containerd/imgcrypt#116)
    • 286470a test: Test creating and running of container with key file missing
  • Fix some issues in the test script (containerd/imgcrypt#115)
    • aa517cc test: Fix order of parameters and remove unnecessary key parameter
    • ec72311 test: Add comments to test case
    • 2959ec0 test: To be able to run testLocalKeys alone add missing env variable
  • build(deps): upgrade github.com/containerd/containerd from 1.6.18 to … (containerd/imgcrypt#112)
    • a7f2760 build(deps): upgrade github.com/containerd/containerd from 1.6.18 to 1.6.20
  • ci: Update golangci-lint to v1.52.2 (containerd/imgcrypt#113)
    • 002abac images: Change 'any' to 'anything' to avoid clash with built-in type 'any'
    • 5780ecc images: Replace unused function parameters with '_'
    • 7dc8592 ci: Update golangci-lint to v1.52.2
  • build(deps): bump github.com/opencontainers/runc from 1.1.2 to 1.1.5 (containerd/imgcrypt#109)
    • 90e4f77 build(deps): bump github.com/opencontainers/runc from 1.1.2 to 1.1.5
  • Abandon go 1.18 (end-of-life) and use 1.19 and 1.20 in tests (containerd/imgcrypt#110)
    • 8fc037f tests: Upgrade toml written by test case to version 2
    • 0b31beb ci: Run tests with go 1.19 and 1.20 (abandon 1.18)
    • 523674c build(deps): Update to minimum required go v1.19
  • Update to golang.org/x/net@v0.7.0 and github.com/containers/ocicrypt@v1.1.7 (containerd/imgcrypt#107)
    • 96a2314 build(deps): Upgrade to github.com/containers/ocicrypt@v1.1.7
    • 1c50555 build(deps): Update to golang.org/x/net@v0.7.0
    • 9645d39 build(deps): Update to minimum required go v1.18
  • build(deps): bump github.com/containerd/containerd from 1.6.12 to 1.6.18 (containerd/imgcrypt#106)
    • 8daaa45 build(deps): bump github.com/containerd/containerd from 1.6.12 to 1.6.18
  • README: Fix a typo (containerd/imgcrypt#105)
  • build(deps): bump github.com/containerd/containerd from 1.6.8 to 1.6.12 (containerd/imgcrypt#103)
    • 4e5a73e build(deps): bump github.com/containerd/containerd from 1.6.8 to 1.6.12
  • Update golangci-lint to v1.50.1 (containerd/imgcrypt#101)
    • 16a071b Update golangci-lint to v1.50.1
  • Remove references to package io/ioutil (containerd/imgcrypt#100)
    • 981a3fd Remove references to package io/ioutil
  • Update GitHub actions CI workflow (containerd/imgcrypt#99)
    • 06827a1 Update containerd project checks package in CI
    • f6a39e1 Update GitHub actions packages in CI workflow
    • 6383351 Update GitHub actions CI workflow OS runner images
  • CI/CD: Run CodeQL on PRs and once a month (containerd/imgcrypt#98)
    • b6e16db CI/CD: Run CodeQL on PRs and once a month

Changes from containerd/ttrpc
10 commits

Dependency Changes
  • github.com/Microsoft/go-winio v0.6.1 -> v0.6.2
  • github.com/Microsoft/hcsshim v0.11.4 -> v0.11.5
  • github.com/containerd/imgcrypt v1.1.7 -> v1.1.8
  • github.com/containerd/ttrpc v1.2.3 -> v1.2.4
  • github.com/containers/ocicrypt v1.1.6 -> v1.1.10
  • github.com/go-jose/go-jose/v3 v3.0.3 new
  • github.com/google/uuid v1.3.0 -> v1.3.1
  • github.com/opencontainers/image-spec 3a7f492 -> v1.1.0
  • github.com/stefanberger/go-pkcs11uri 78d3cae -> 7828495
  • golang.org/x/crypto v0.14.0 -> v0.21.0
  • golang.org/x/mod v0.11.0 -> v0.12.0
  • golang.org/x/net v0.17.0 -> v0.23.0
  • golang.org/x/oauth2 v0.10.0 -> v0.11.0
  • golang.org/x/sys v0.13.0 -> v0.18.0
  • golang.org/x/term v0.13.0 -> v0.18.0
  • golang.org/x/text v0.13.0 -> v0.14.0
  • google.golang.org/genproto 782d3b1 -> b8732ec
  • google.golang.org/genproto/googleapis/api 782d3b1 -> b8732ec
  • google.golang.org/genproto/googleapis/rpc cbb8c96 -> b8732ec
  • google.golang.org/grpc v1.58.3 -> v1.59.0

Previous release can be found at v1.7.16


Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.



This PR has been generated by Renovate Bot.


@nicholasdille-bot nicholasdille-bot left a comment


Auto-approved because label type/renovate is present.


🔍 Vulnerabilities of ghcr.io/uniget-org/tools/containerd:1.7.17

📦 Image Reference ghcr.io/uniget-org/tools/containerd:1.7.17
digest: sha256:d8ac7f90756b09640958dab44eafbe2b7aaf2594508140e452889693ac6884c8
vulnerabilities: critical: 0 high: 1 medium: 1 low: 0
platform: linux/amd64
size: 49 MB
packages: 127

go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc 0.45.0 (golang): critical: 0 high: 1 medium: 0 low: 0

pkg:golang/go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc@0.45.0

high 7.5: CVE-2023-47108 Allocation of Resources Without Limits or Throttling

Affected range: <0.46.0
Fixed version: 0.46.0
CVSS Score: 7.5
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Description

Summary

The grpc Unary Server Interceptor opentelemetry-go-contrib/instrumentation/google.golang.org/grpc/otelgrpc/interceptor.go

// UnaryServerInterceptor returns a grpc.UnaryServerInterceptor suitable
// for use in a grpc.NewServer call.
func UnaryServerInterceptor(opts ...Option) grpc.UnaryServerInterceptor {

out of the box adds the labels

  • net.peer.sock.addr
  • net.peer.sock.port

which have unbounded cardinality. This leads to potential memory exhaustion on the server when many malicious requests are sent.

Details

An attacker can easily flood the peer address and port for requests.

PoC

Apply the attached patch to the example and run the client multiple times. Observe how each request will create a unique histogram and how the memory consumption increases during it.

Impact

To be affected, the program has to configure a metrics pipeline, use UnaryServerInterceptor, and not filter client IP addresses and ports via middleware, proxies, etc.

Others

It is similar to already reported vulnerabilities.

Workaround for affected versions

As a workaround to stop being affected, a view removing the attributes can be used.

The other possibility is to disable grpc metrics instrumentation by passing otelgrpc.WithMeterProvider option with noop.NewMeterProvider.

Solution provided by upgrading

In PR #4322, to be released with v0.46.0, the attributes were removed.

k8s.io/apiserver 0.26.2 (golang): critical: 0 high: 0 medium: 1 low: 0

pkg:golang/k8s.io/apiserver@0.26.2

medium 4.3: CVE-2020-8552 OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities

Affected range: <1.15.10
Fixed version: 1.15.10, 1.16.7, 1.17.3
CVSS Score: 4.3
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
Description

The Kubernetes API server component has been found to be vulnerable to a denial of service attack via successful API requests.
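To make the CVE-2023-47108 cardinality problem and the "view removing the attributes" workaround concrete, here is an added Go example (not code from otelgrpc, the OpenTelemetry SDK or this repository). It models how a metrics SDK keeps one series per distinct attribute set and shows that dropping net.peer.sock.addr and net.peer.sock.port before aggregation bounds the series count; Histogram, Attrs and RecordPeers are constructed stand-ins, and the real SDK equivalent is an attribute filter on a metric view.

```go
package main

import "fmt"

// Attrs is one data point's attribute set; the keys mirror the otelgrpc
// server labels named in the advisory (constructed example, not SDK code).
type Attrs map[string]string

// Histogram models rpc.server.duration: an SDK keeps one aggregation (series)
// per distinct attribute set and never evicts it. deny holds the attribute
// keys a metric view drops before aggregation (the advisory's workaround).
type Histogram struct {
	series map[string]int
	deny   map[string]bool
}

func NewHistogram(denyKeys ...string) *Histogram {
	h := &Histogram{series: map[string]int{}, deny: map[string]bool{}}
	for _, k := range denyKeys {
		h.deny[k] = true
	}
	return h
}

// Record drops denied keys, then counts the point in the series for the
// remaining attribute set. fmt prints maps with sorted keys, so the string
// form is a stable series identity.
func (h *Histogram) Record(a Attrs) {
	kept := Attrs{}
	for k, v := range a {
		if !h.deny[k] {
			kept[k] = v
		}
	}
	h.series[fmt.Sprint(kept)]++
}

// RecordPeers records n calls to one RPC, each from a distinct client socket
// (constructed addresses), and returns how many series the histogram then
// holds: the number that tracks memory use, since series only ever grow.
func RecordPeers(h *Histogram, n int) int {
	for i := 0; i < n; i++ {
		h.Record(Attrs{
			"rpc.method":         "SayHello",
			"net.peer.sock.addr": fmt.Sprintf("203.0.113.%d", i%256),
			"net.peer.sock.port": fmt.Sprintf("%d", 40000+i),
		})
	}
	return len(h.series)
}
```

With no deny keys the series count equals the number of distinct client sockets seen; denying both socket keys collapses every call to the same series, which is why the view workaround stops the growth.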


Attempting automerge. See https://github.com/uniget-org/tools/actions/runs/9121602843.


PR is clean and can be merged. See https://github.com/uniget-org/tools/actions/runs/9121602843.

@github-actions github-actions bot merged commit e2d02f2 into main May 17, 2024
9 checks passed
@github-actions github-actions bot deleted the renovate/containerd-containerd-1.7.x branch May 17, 2024 01:37