fix(deps): update module github.com/containerd/containerd to v2 [security] (alauda-3.18.6)

[alaudaa-renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
github.com/containerd/containerd	v1.7.31 -> v2.0.0

---

containerd user ID handling bypass allows runAsNonRoot evasion

CVE-2026-46680 / GHSA-fqw6-gf59-qr4w

More information

Details

Impact

A bug was found in containerd where containers launched with a numeric User directive that cannot be parsed as a 32-bit integer are incorrectly treated as a username. If a crafted image provides an /etc/passwd file mapping this large numeric string to root, the container ultimately runs as root (UID 0). This allows the Kubernetes runAsNonRoot restriction to be bypassed, causing unexpected behavior for environments that require containers to run as a non-root user.

Patches

This bug has been fixed in the following containerd versions:

• 2.3.1
• 2.2.4
• 2.0.9
• 1.7.32

Note: The containerd 2.1 release has reached its end of life and a fixed version is not provided.

Users should update to these versions to resolve the issue.

Workarounds

Ensure that only trusted images are used and that only trusted users have permissions to import images. Alternatively, enforcing a specific numeric runAsUser in the Kubernetes Pod securityContext overrides the USER directive in the image and prevents the bypass. Newer versions of Kubernetes, starting with 1.34, also appear to enforce runAsNonRoot properly regardless of this bug.

Credits

The containerd project would like to thank Lei Wang (@​ssst0n3) for responsibly disclosing this issue in accordance with the containerd security policy.

Resources

• GHSA-265r-hfxg-fhmg (CVE-2024-40635)

For more information

If there are any questions or comments about this advisory:

• Open an issue in containerd
• Send an email to security@containerd.io

To report a security issue in containerd:

• Report a new vulnerability
• Send an email to security@containerd.io

Severity

• CVSS Score: Unknown
• Vector String: CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

References

• https://github.com/containerd/containerd/security/advisories/GHSA-fqw6-gf59-qr4w
• https://github.com/containerd/containerd

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

---

Release Notes

containerd/containerd (github.com/containerd/containerd)

v2.0.0: containerd 2.0.0

Compare Source

Welcome to the v2.0.0 release of containerd!

The first major release of containerd 2.x focuses on the continued stability of
containerd's core feature set with an easy upgrade from containerd 1.x. This
release includes the stabilization of new features added in the last 1.x release
as well as the removal of features which were deprecated in 1.x. The goal is to
support the vast community of containerd users well into the future along with
their ever increasing deployment footprints and variety of use cases.

See containerd 2.0 documentation for details on what is new and has changed in this release.

Highlights

• Allow sections of Plugins to be merged, and not overwritten as entire sections. (#​9982)
• Add Update API for sandbox controller (#​9903)
• Configure otel from env instead of config.toml (#​8970)
• Enable NRI by default (#​9744)
• Add PluginInfo to introspection API (#​9442)
• Remove overlayfs volatile option on temp mounts (#​9555)
• Expose usage of deprecated features (#​9258)
• Use Intel ISA-L's igzip if available (#​9200)
• Introduce top level config migration (#​9223)
• Add image delete target (#​8989)
• Remove LimitNOFILE from containerd.service (#​8924)
• Add support for image expiration during garbage collection (#​9022)
• Reduce the contention between ref lock and boltdb lock in content store (#​8792)
• Remove "containerd.io/restart.logpath" label (#​8264)
• Remove aufs snapshotter (#​8263)
• Fix deadlock during NRI plugin registration (containerd/nri#79)
• Support arm64/v9 and minor variants (containerd/platforms#8)
• Fix deadlock when writing to pipe blocks (containerd/ttrpc#168)

Build and Release Toolchain

• Generate attestation for artifacts during release (#​10543)
• Remove cri-containerd-*.tar.gz release bundles (#​9096)

Container Runtime Interface (CRI)

• Use 'UserSpecifiedImage' from CRI to set the image-name annotation (#​10747)
• Fine-grained SupplementalGroups control (#​9737)
• Add support to set loopback to up (#​10238)
• KEP-3857: Recursive Read-only (RRO) mounts (#​9787)
• Add support for multiple subscribers to CRI container events (#​9661)
• Enable CDI by default (#​9621)
• Remove non-sandboxed CRI implementation (#​9228)
• Add support for userns in stateless and stateful pods with idmap mounts (KEP-127, k8s >= 1.27) (#​8287)
• Use sandboxed CRI by default (#​8994)
• Implement RuntimeConfig CRI call (#​8722)
• Add support for user namespaces (KEP-127) (#​8803)
• Remove CRI v1alpha2 (#​8276)

Go client

• Add api Go module and move all protos under api (#​10151)
• Move packages based on contributing guide (#​9365)
• Generalize plugin library (#​9214)
• Use github.com/containerd/log (#​9086)

Image Distribution

• Support to syncfs after pull by using diff plugin (#​10284)
• Skip "unknown" in image platform listing (#​10257)
• Update unpacker to fetch all provided content (#​10202)
• Enable Transfer service API to support plain HTTP (#​10024)
• Enable Transfer service to use registry configuration directory (#​9908)
• Disable the support for Schema 1 images (#​9765)
• Update Transfer service to add OCI descriptors to Progress structure (#​9630)
• Update import and export to allow references to missing content (#​9554)
• Add option to perform syncfs after pull (#​9401)
• Add image verifier transfer service plugin system based on a binary directory (#​8493)

Runtime

• Implement RuntimeStatus.features.supplemental_groups_policy from KEP-3619 (#​10410)
• Add pprof to runc-shim (#​10242)
• Provide runtime options in plugin info (#​10251)
• Store bootstrap parameters in sandbox metadata (#​9736)
• Update apparmor to allow confined runc to kill containers (#​10123)
• Support vsock connection to task api (#​9738)
• Update RuntimeDefault seccomp profile to disallow io_uring related syscalls (#​9320)
• Switch runc shim to task service v3 and fix restore (#​9233)
• Add sandboxer configuration and move sandbox controllers to plugins (#​8268)
• Add annotations to CreateSandbox request (#​8960)
• Add SandboxMetrics (#​8680)
• Publish sandbox events (#​8602)
• Remove the CriuPath field from runc's options (#​8279)
• Remove io.containerd.runtime.v1.linux and io.containerd.runc.v1 (#​8262)

Security Advisories

• [medium] RAPL accessible to a container GHSA-7ww5-4wqc-m92c

Breaking

• Remove disable_cgroup from CRI config (#​10594)
• Disable the support for Schema 1 images (#​9765)
• Update RuntimeDefault seccomp profile to disallow io_uring related syscalls (#​9320)
• Move client to subpackage (#​9316)
• Remove LimitNOFILE from containerd.service (#​8924)
• Remove CRI v1alpha2 (#​8276)
• Remove io.containerd.runtime.v1.linux and io.containerd.runc.v1 (#​8262)
• Remove "containerd.io/restart.logpath" label (#​8264)
• Remove aufs snapshotter (#​8263)

Deprecations

• Update warnings for deprecated CRI config fields (#​10509)
• Add type alias for event Envelope (#​10279)
• Postpone removal of deprecated CRI config properties (#​9966)
• Deprecate go-plugin configuration option (#​9238)
• CNI conf_template in CRI is no longer deprecated (#​8637)

Please try out the release binaries and report any issues at
https://github.com/containerd/containerd/issues.

Contributors

• Derek McGowan
• Akihiro Suda
• Maksym Pavlenko
• Wei Fu
• Phil Estes
• Sebastiaan van Stijn
• Samuel Karp
• Krisztian Litkey
• Kazuyoshi Kato
• Austin Vazquez
• Rodrigo Campos
• Danny Canter
• Abel Feng
• Mike Brown
• Kirtana Ashok
• Akhil Mohan
• Iceber Gu
• Gabriel Adrian Samfira
• Jin Dong
• Kohei Tokunaga
• Bjorn Neergaard
• Brian Goff
• Justin Chadwell
• rongfu.leng
• James Sturtevant
• Davanum Srinivas
• Paul "TBBle" Hampson
• Henry Wang
• Enrico Weigelt
• Laura Brehm
• Marat Radchenko
• Paweł Gronowski
• Shingo Omura
• Hsing-Yu (David) Chen
• Ilya Hanov
• Cardy.Tang
• Swagat Bora
• Aditi Sharma
• Amit Barve
• Bryant Biggs
• Evan Lezar
• James Jenkins
• Jordan Liggitt
• Kay Yan
• Markus Lehtonen
• Nashwan Azhari
• Shuaiyi Zhang
• Vinayak Goyal
• helen
• Alexandru Matei
• Anthony Nandaa
• Avi Deitcher
• Charity Kathure
• Cory Snider
• Ed Bartosh
• Etienne Champetier
• Kevin Parsons
• Michael Zappa
• Milas Bowman
• lengrongfu
• ningmingxiao
• yanggang
• zounengren
• Aditya Ramani
• Adrian Reber
• Amir M. Ghazanfari
• Antonio Ojea
• Artem Khramov
• Brad Davidson
• Chen Yiyang
• Chongyi Zheng
• Christian Muehlhaeuser
• Djordje Lukic
• Edgar Lee
• Eric Lin
• Ethan Lowman
• Jiang Liu
• June Rhodes
• Kern Walster
• Lei Jitang
• Lucas Rattz
• Mahamed Ali
• Maksim An
• Michael Crosby
• Peteris Rudzusiks
• Ray Burgemeestre
• Sam Edwards
• Samruddhi Khandale
• Sascha Grunert
• Steve Griffith
• Tony Fang
• Tõnis Tiigi
• VERNOU Cédric
• Vishal Reddy Gurrala
• Xiaojin Zhang
• Yang Yang
• hang.jiang
• harshitasao
• jerryzhuang
• roman-kiselenko
• zhanluxianshen
• Aaron Lehmann
• AbdelrahmanElawady
• Adrien Delorme
• Alex Couture-Beil
• Alex Ellis
• Alex Rodriguez
• Angelos Kolaitis
• Antonio Huete Jimenez
• Antti Kervinen
• Arash Haghighat
• Arkin Modi
• Ben Foster
• Benjamin Peterson
• Bin Tang
• Bin Xin
• BinBin He
• Brennan Kinney
• Changqing Li
• ChengenH
• ChengyuZhu6
• Christian Stewart
• Colin O'Dell
• Craig Ingram
• Daisy Rong
• David Porter
• David Son
• Derek Nola
• Eng Zer Jun
• Erikson Tung
• Fabiano Fidêncio
• Fahed Dorgaa
• Gabriela Cervantes
• Gary McDonald
• Iain Macdonald
• James Lakin
• Jan Dubois
• Jaroslav Jindrak
• Javier Maestro
• Jian Wang
• Jiongchi Yu
• Julien Balestra
• Kir Kolyshkin
• Kirill A. Korinsky
• Konstantin Khlebnikov
• Lei Liu
• Matteo Pulcini
• Mauri de Souza Meneguzzo
• Mike Baynton
• Niklas Gehlen
• Pan Yibo
• Paul Meyer
• Qasim Sarfraz
• Qiutong Song
• Reinhard Tartler
• Robbie Buxton
• Robert-André Mauchin
• Ruihua Wen
• Saket Jajoo
• Sameer
• Shengjing Zhu
• Shiming Zhang
• Shukui Yang
• StepSecurity Bot
• Talon
• Tariq Ibrahim
• Tianon Gravi
• Tim Hockin
• TinaMor
• Tobias Klauser
• Tomáš Virtus
• Wang Xinwen
• William Chen
• Xinyang Ge
• Yibo Zhuang
• Yuhang Wei
• Yury Gargay
• Zechun Chen
• Zhang Tianyang
• Zoe
• baijia
• bo.jiang
• bzsuni
• charles-chenzz
• chschumacher1994
• cormick
• guangli.bao
• guangwu
• jinda.ljd
• jingtao.liang
• krglosse
• pigletfly
• rokkiter
• wangxiang
• zhangpeng
• zhaojizhuang
• 吴小白
• 张钰
• 沈陵
• 谭九鼎

Dependency Changes

• dario.cat/mergo v1.0.1 new
• github.com/AdaLogics/go-fuzz-headers 1f10f66 -> e8a1dd7
• github.com/AdamKorcz/go-118-fuzz-build 5330a85 -> 2b5cbb2
• github.com/Microsoft/go-winio v0.6.0 -> v0.6.2
• github.com/Microsoft/hcsshim v0.10.0-rc.7 -> v0.12.9
• github.com/cenkalti/backoff/v4 v4.2.0 -> v4.3.0
• github.com/cespare/xxhash/v2 v2.2.0 -> v2.3.0
• github.com/checkpoint-restore/checkpointctl v1.3.0 new
• github.com/checkpoint-restore/go-criu/v7 v7.2.0 new
• github.com/cilium/ebpf v0.9.1 -> v0.11.0
• github.com/containerd/cgroups/v3 v3.0.1 -> v3.0.3
• github.com/containerd/console v1.0.3 -> v1.0.4
• github.com/containerd/containerd/api v1.8.0 new
• github.com/containerd/continuity v0.3.0 -> v0.4.4
• github.com/containerd/errdefs v1.0.0 new
• github.com/containerd/errdefs/pkg v0.3.0 new
• github.com/containerd/go-cni v1.1.9 -> v1.1.10
• github.com/containerd/go-runc v1.0.0 -> v1.1.0
• github.com/containerd/imgcrypt/v2 v2.0.0-rc.1 new
• github.com/containerd/log v0.1.0 new
• github.com/containerd/nri v0.3.0 -> v0.8.0
• github.com/containerd/otelttrpc ea5083f new
• github.com/containerd/platforms v1.0.0-rc.0 new
• github.com/containerd/plugin v1.0.0 new
• github.com/containerd/ttrpc v1.2.1 -> v1.2.6
• github.com/containerd/typeurl/v2 v2.1.0 -> v2.2.2
• github.com/containerd/zfs/v2 v2.0.0-rc.0 new
• github.com/containernetworking/cni v1.1.2 -> v1.2.3
• github.com/containernetworking/plugins v1.2.0 -> v1.5.1
• github.com/containers/ocicrypt v1.1.6 -> v1.2.0
• github.com/cpuguy83/go-md2man/v2 v2.0.2 -> v2.0.5
• github.com/davecgh/go-spew v1.1.1 -> d8f796a
• github.com/distribution/reference v0.6.0 new
• github.com/emicklei/go-restful/v3 v3.10.1 -> v3.11.0
• github.com/felixge/httpsnoop v1.0.4 new
• github.com/fsnotify/fsnotify v1.6.0 -> v1.7.0
• github.com/fxamacker/cbor/v2 v2.7.0 new
• github.com/go-jose/go-jose/v4 v4.0.4 new
• github.com/go-logr/logr v1.2.3 -> v1.4.2
• github.com/golang/protobuf v1.5.2 -> v1.5.4
• github.com/google/go-cmp v0.5.9 -> v0.6.0
• github.com/google/uuid v1.3.0 -> v1.6.0
• github.com/gorilla/websocket v1.5.0 new
• github.com/grpc-ecosystem/go-grpc-middleware/providers/prometheus v1.0.1 new
• github.com/grpc-ecosystem/go-grpc-middleware/v2 v2.1.0 new
• github.com/grpc-ecosystem/grpc-gateway/v2 v2.7.0 -> v2.22.0
• github.com/intel/goresctrl v0.3.0 -> v0.8.0
• github.com/klauspost/compress v1.16.0 -> v1.17.11
• github.com/mdlayher/socket v0.4.1 new
• github.com/mdlayher/vsock v1.2.1 new
• github.com/mistifyio/go-zfs/v3 v3.0.1 new
• github.com/moby/spdystream v0.2.0 -> v0.4.0
• github.com/moby/sys/mountinfo v0.6.2 -> v0.7.2
• github.com/moby/sys/sequential v0.5.0 -> v0.6.0
• github.com/moby/sys/signal v0.7.0 -> v0.7.1
• github.com/moby/sys/symlink v0.2.0 -> v0.3.0
• github.com/moby/sys/user v0.3.0 new
• github.com/moby/sys/userns v0.1.0 new
• github.com/munnerz/goautoneg a7dc8b6 new
• github.com/mxk/go-flowrate cca7078 new
• github.com/opencontainers/image-spec 3a7f492 -> v1.1.0
• github.com/opencontainers/runtime-spec v1.1.0-rc.1 -> v1.2.0
• github.com/opencontainers/runtime-tools 946c877 -> 2e043c6
• github.com/opencontainers/selinux v1.11.0 -> v1.11.1
• github.com/pelletier/go-toml/v2 v2.2.3 new
• github.com/pmezard/go-difflib v1.0.0 -> 5d4384e
• github.com/prometheus/client_golang v1.14.0 -> v1.20.5
• github.com/prometheus/client_model v0.3.0 -> v0.6.1
• github.com/prometheus/common v0.37.0 -> v0.55.0
• github.com/prometheus/procfs v0.8.0 -> v0.15.1
• github.com/sirupsen/logrus v1.9.0 -> v1.9.3
• github.com/stefanberger/go-pkcs11uri 78d3cae -> 7828495
• github.com/stretchr/testify v1.8.2 -> v1.9.0
• github.com/urfave/cli/v2 v2.27.5 new
• github.com/vishvananda/netlink v1.2.1-beta.2 -> v1.3.0
• github.com/vishvananda/netns 2eb08e3 -> v0.0.4
• github.com/x448/float16 v0.8.4 new
• github.com/xrash/smetrics 686a1a2 new
• go.etcd.io/bbolt v1.3.7 -> v1.3.11
• go.mozilla.org/pkcs7 432b235 -> v0.9.0
• go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.40.0 -> v0.56.0
• go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.56.0 new
• go.opentelemetry.io/otel v1.14.0 -> v1.31.0
• go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.14.0 -> v1.31.0
• go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.14.0 -> v1.31.0
• go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.14.0 -> v1.31.0
• go.opentelemetry.io/otel/metric v0.37.0 -> v1.31.0
• go.opentelemetry.io/otel/sdk v1.14.0 -> v1.31.0
• go.opentelemetry.io/otel/trace v1.14.0 -> v1.31.0
• go.opentelemetry.io/proto/otlp v0.19.0 -> v1.3.1
• golang.org/x/crypto v0.1.0 -> v0.28.0
• golang.org/x/exp aacd6d4 new
• golang.org/x/mod v0.7.0 -> v0.21.0
• golang.org/x/net v0.7.0 -> v0.30.0
• golang.org/x/oauth2 v0.4.0 -> v0.22.0
• golang.org/x/sync v0.1.0 -> v0.8.0
• golang.org/x/sys v0.6.0 -> v0.26.0
• golang.org/x/term v0.5.0 -> v0.25.0
• golang.org/x/text v0.7.0 -> v0.19.0
• golang.org/x/time 90d013b -> v0.3.0
• google.golang.org/genproto/googleapis/api 5fefd90 new
• google.golang.org/genproto/googleapis/rpc 324edc3 new
• google.golang.org/grpc v1.53.0 -> v1.67.1
• google.golang.org/protobuf v1.28.1 -> v1.35.1
• k8s.io/api v0.26.2 -> v0.31.2
• k8s.io/apimachinery v0.26.2 -> v0.31.2
• k8s.io/apiserver v0.26.2 -> v0.31.2
• k8s.io/client-go v0.26.2 -> v0.31.2
• k8s.io/component-base v0.26.2 -> v0.31.2
• k8s.io/cri-api v0.26.2 -> v0.31.2
• k8s.io/klog/v2 v2.90.1 -> v2.130.1
• k8s.io/kubelet v0.31.2 new
• k8s.io/utils a5ecb01 -> 18e509b
• sigs.k8s.io/json f223a00 -> bc3834c
• sigs.k8s.io/structured-merge-diff/v4 v4.2.3 -> v4.4.1
• sigs.k8s.io/yaml v1.3.0 -> v1.4.0
• tags.cncf.io/container-device-interface v0.8.0 new
• tags.cncf.io/container-device-interface/specs-go v0.8.0 new

Previous release can be found at v1.7.0

Which file should I download?

• containerd-<VERSION>-<OS>-<ARCH>.tar.gz: ✅Recommended. Dynamically linked with glibc 2.31 (Ubuntu 20.04).
• containerd-static-<VERSION>-<OS>-<ARCH>.tar.gz: Statically linked. Expected to be used on non-glibc Linux distributions. Not position-independent.

In addition to containerd, typically you will have to install runc
and CNI plugins from their official sites too.

See also the Getting Started documentation.

---

Configuration

📅 Schedule: Branch creation - "" in timezone Asia/Shanghai, Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Renovate Bot.

[nanjingfm]

Closing this stale Renovate PR. It attempts a major-version move to github.com/containerd/containerd/v2 v2.0.0 and fails build because the code still imports github.com/containerd/containerd/remotes. The security fix for alauda-3.18.6 has been applied via #91 by updating the 1.7.x line to github.com/containerd/containerd v1.7.32.