Update to containerd 1.5.9

Bug #1955413 reported by Marcus Furlong
This bug affects 4 people
Affects | Status | Importance | Assigned to | Milestone
containerd (Ubuntu) | Fix Released | Undecided | Lucas Kanashiro |
Bionic | Fix Released | Undecided | Lucas Kanashiro |
Focal | Fix Released | Undecided | Lucas Kanashiro |
Impish | Fix Released | Undecided | Lucas Kanashiro |

Bug Description

Could containerd be updated to 1.5.9?

It addresses a number of CVEs compared to the current version (1.5.5 in Bionic, Focal, Hirsute, Impish, and Jammy)

description: updated
information type: Private Security → Public Security
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in containerd (Ubuntu):
status: New → Confirmed
Seth Arnold (seth-arnold) wrote :

Hello, CVE-2021-41103 was fixed in https://ubuntu.com/security/notices/USN-5100-1

While we intend to address CVE-2021-41190 with an update, in the meantime a workaround is to only use registries that you trust to give you valid data.

Thanks

summary: - containerd 1.5.8 in bionic/focal
+ containerd 1.5.9 in bionic/focal
description: updated
Salvatore LaMendola (slamendola2) wrote (last edit ): Re: containerd 1.5.9 in bionic/focal

Updated the summary and title of this bug, since we would like to see this package upgraded to version 1.5.9 now. Upgrading to 1.5.9 would not only address the most recent CVE (CVE-2021-43816), but it would also address CVE-2021-41190 and bring in several bugfixes, such as this one for Buildpacks: https://github.com/containerd/containerd/issues/6123

tags: added: bionic
tags: added: focal
tags: added: hirsute impish jammy
summary: - containerd 1.5.9 in bionic/focal
+ Update to containerd 1.5.9
description: updated
description: updated
Utkarsh Gupta (utkarsh) wrote :

Hello,

I think that's a fair ask. We likely have a plan to upgrade the whole container stack (containerd, runc, and docker.io) for the 22.04 cycle, so that should happen soon. And once that happens, we'd backport the same as we've been doing.

Subscribing this bug to Lucas Kanashiro, who generally takes care of the whole stack. Also adding the server-todo tag. TIA! \o/

Changed in containerd (Ubuntu):
status: Confirmed → Triaged
tags: added: server-todo
Marcus Furlong (furlongm) wrote :

Would it be possible to get to the latest released 1.5.x before the whole container stack gets upgraded?

Lucas Kanashiro (lucaskanashiro) wrote :

@furlongm we try to always ship the latest version to our users, so yes, this is our plan.

Changed in containerd (Ubuntu):
status: Triaged → In Progress
assignee: nobody → Lucas Kanashiro (lucaskanashiro)
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package containerd - 1.5.9-0ubuntu1

---------------
containerd (1.5.9-0ubuntu1) jammy; urgency=medium

  * New upstream release (LP: #1946851, #1955413).
  * Remove patches applied by upstream.

 -- Lucas Kanashiro <email address hidden> Mon, 10 Jan 2022 16:27:26 -0300

Changed in containerd (Ubuntu):
status: In Progress → Fix Released
Salvatore LaMendola (slamendola2) wrote :

Thank you for adding this to Jammy!

Is it possible to bring the new version in for Bionic and Focal as well?

Thank you in advance.

Phil Manning (pc-mann) wrote :

Great work! I second for the new version in Focal, thanks!

Lucas Kanashiro (lucaskanashiro) wrote :

The backport to LTS releases is in my todo list. I added tasks for those series so you can track it in this bug.

Changed in containerd (Ubuntu Bionic):
assignee: nobody → Lucas Kanashiro (lucaskanashiro)
Changed in containerd (Ubuntu Focal):
assignee: nobody → Lucas Kanashiro (lucaskanashiro)
Changed in containerd (Ubuntu Impish):
assignee: nobody → Lucas Kanashiro (lucaskanashiro)
Changed in containerd (Ubuntu Bionic):
status: New → Triaged
Changed in containerd (Ubuntu Focal):
status: New → Triaged
Changed in containerd (Ubuntu Impish):
status: New → Triaged
Lucas Kanashiro (lucaskanashiro) wrote :

I am tracking the backport of the entire container stack (docker.io, containerd and runc) in this bug:

https://bugs.launchpad.net/ubuntu/+source/runc/+bug/1960449

Please refer to that when checking the status of the backport.

tags: removed: server-todo
Changed in containerd (Ubuntu Focal):
status: Triaged → In Progress
Changed in containerd (Ubuntu Impish):
status: Triaged → In Progress
Chris Halse Rogers (raof) wrote : Please test proposed package

Hello Marcus, or anyone else affected,

Accepted containerd into focal-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/containerd/1.5.9-0ubuntu1~20.04.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-focal to verification-done-focal. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-focal. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in containerd (Ubuntu Focal):
status: In Progress → Fix Committed
tags: added: verification-needed verification-needed-focal
Chris Halse Rogers (raof) wrote :

Hello Marcus, or anyone else affected,

Accepted containerd into impish-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/containerd/1.5.9-0ubuntu1~21.10.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-impish to verification-done-impish. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-impish. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in containerd (Ubuntu Impish):
status: In Progress → Fix Committed
tags: added: verification-needed-impish
Chris Halse Rogers (raof) wrote :

Verifying this as per bug #1960449. This should probably have been a duplicate of that bug.

tags: added: verification-done verification-done-focal verification-done-impish
removed: verification-needed verification-needed-focal verification-needed-impish
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package containerd - 1.5.9-0ubuntu1~20.04.1

---------------
containerd (1.5.9-0ubuntu1~20.04.1) focal; urgency=medium

  * Backport version 1.5.9-0ubuntu1 from Jammy (LP: #1955413, #1960449).
    - d/rules: set GO111MODULE to off.

 -- Lucas Kanashiro <email address hidden> Wed, 09 Feb 2022 17:23:51 -0300

Changed in containerd (Ubuntu Focal):
status: Fix Committed → Fix Released
Chris Halse Rogers (raof) wrote : Update Released

The verification of the Stable Release Update for containerd has completed successfully and the package is now being released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package containerd - 1.5.9-0ubuntu1~21.10.1

---------------
containerd (1.5.9-0ubuntu1~21.10.1) impish; urgency=medium

  * Backport version 1.5.9-0ubuntu1 from Jammy (LP: #1955413, #1960449).

 -- Lucas Kanashiro <email address hidden> Wed, 09 Feb 2022 17:15:51 -0300

Changed in containerd (Ubuntu Impish):
status: Fix Committed → Fix Released
Timo Aaltonen (tjaalton) wrote : Please test proposed package

Hello Marcus, or anyone else affected,

Accepted containerd into bionic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/containerd/1.5.9-0ubuntu1~18.04.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-bionic to verification-done-bionic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-bionic. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in containerd (Ubuntu Bionic):
status: Triaged → Fix Committed
tags: added: verification-needed verification-needed-bionic
removed: verification-done
Lucas Kanashiro (lucaskanashiro) wrote :

containerd DEP-8 tests are still passing (the version in bionic-proposed):

autopkgtest [12:13:16]: @@@@@@@@@@@@@@@@@@@@ summary
basic-smoke PASS

tags: added: verification-done verification-done-bionic
removed: verification-needed verification-needed-bionic
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package containerd - 1.5.9-0ubuntu1~18.04.1

---------------
containerd (1.5.9-0ubuntu1~18.04.1) bionic; urgency=medium

  * Backport version 1.5.9-0ubuntu1 from Jammy (LP: #1955413, #1960449).
    - d/control: do not b-d on libbtrfs-dev, it is not available in Bionic.
    - d/control: b-d on golang-1.13-go instead of golang-go.
    - d/rules: set GO111MODULE to off, to avoid Internet connection during the
      build.

 -- Lucas Kanashiro <email address hidden> Wed, 09 Feb 2022 17:38:58 -0300

Changed in containerd (Ubuntu Bionic):
status: Fix Committed → Fix Released
This report contains Public Security information  
Everyone can see this security related information.