Upstream update available: containerd 2.1.4 → 2.3.1 #6

Open
opened 2026-05-21 02:10:24 +03:00 by sbelikov · 0 comments

Upstream update available: containerd 2.1.4 → 2.3.1

Package

  • Package: containerd
  • RPM name: containerd
  • Branch: niceos-5.2
  • Current EVR: 2.1.4-1
  • Update class: minor
  • Compare method: python_rpm
  • Update policy: leaf
  • Risk tags: github-upstream

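Upstream

  • Upstream type: github
  • Upstream project: containerd/containerd
  • Upstream URL: https://github.com/containerd/containerd
  • Detected version: 2.3.1
  • Tag/release: v2.3.1
  • Source: github_release_latest
  • Published: 2026-05-20T20:46:56Z
  • Release URL: https://github.com/containerd/containerd/releases/tag/v2.3.1
  • Source URL: https://api.github.com/repos/containerd/containerd/tarball/v2.3.1
  • Pre-release: False
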
Signals

  • Security-relevant keywords detected: True
  • Policy blocked: False
  • Policy reason: -
  • Labels: ai-summary, bot, needs-build, needs-triage, priority/high, security-release, update/minor, upstream-update, upstream/github

NiceSOFT AI preliminary stability analysis

Risk Assessment & Recommendation for containerd Update (v2.3.1)


1. Key Details

  • Package: containerd
  • Current Version: 2.1.4
  • Latest Update: 2.3.1 (Minor Patch)
  • Risk Tags: github-upstream (security-related)
  • Security Keywords Detected: True (indicating a security-related update)
  • CVE Mentioned: CVE-2026-46680 (linked to the advisory URL)

2. Risk Evaluation

| Criteria | Assessment |
|----------|------------|
| Security Risk | High (CVE-2026-46680 is a known vulnerability, though not explicitly confirmed in the data). |
| ABI/API Changes | Low (minor version update; no major API or ABI changes noted). |
| RPM Packaging Risk | Low (minor update; no recompilation or repackage required). |
| Policy Compliance | Not Blocked (update is allowed per policy). |

3. Recommendations

  1. Apply the Update

    • Action: Update containerd to 2.3.1 (minor patch).
    • Reason: The update includes a security-related fix (CVE-2026-46680), which addresses a potential vulnerability.
  2. Monitor for Further Updates

    • Action: Track future releases for potential major updates (e.g., 2.4.x).
    • Reason: Minor updates may include critical security fixes or ABI changes.
  3. Verify Security Patch

    • Action: Confirm the CVE-2026-46680 is resolved in 2.3.1 (via advisory URL).
    • Reason: Ensure the patch is applied and the system is protected against the identified vulnerability.
  4. Review RPM Dependencies

    • Action: Check if containerd dependencies (e.g., libcontainer, libseccomp) are compatible with 2.3.1.
    • Reason: Minor updates may require recompilation or repackage if dependencies are outdated.

4. Conclusion

  • Risk Level: High (due to the CVE-2026-46680 and minor update).
  • Action Required: Apply the update and monitor for further changes.
  • Best Practice: Ensure all dependencies are compatible and the security patch is verified.

Final Recommendation: Apply the containerd update to 2.3.1 and monitor for future changes.

Sources found by web_search

  1. GitHub release API: containerd/containerd v2.3.1
  2. GitHub tag page: containerd/containerd v2.3.1
  3. GitHub releases page: containerd/containerd
  4. GitHub compare page: containerd/containerd v2.1.4...v2.3.1
  5. containerd/containerd: An open and reliable container runtime - GitHub
  6. containerd - An industry-standard container runtime with an emphasis on ...
  7. containerd – An industry-standard container runtime with an …
  8. containerd - endoflife.date

Upstream release notes / description

Welcome to the v2.3.1 release of containerd!

The first patch release for containerd 2.3 contains various fixes and improvements.

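Security Updates

  • CVE-2026-46680 (https://github.com/containerd/containerd/security/advisories/GHSA-fqw6-gf59-qr4w)
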
Highlights

  • Fix bug where failed gRPC plugins were not tolerated when starting listeners (#13390)

Image Storage

  • Ensure metadata and mount plugin boltdb files are closed on server shutdown (#13379)

Runtime

  • Fix handling of out-of-range USER values in OCI spec to avoid unexpected username/group lookups (#13447)
  • Fix sandbox task API endpoints for non-runc runtimes and deprecate task fields in Runc options (#13422)
  • Apply hardening to default seccomp socket policy by blocking AF_ALG (#13409)

Snapshotters

  • Disable overlayfs "rebase" capability when running in user namespace (#13394)
  • Fix transfer plugin error when EROFS differ is configured but mkfs.erofs is unavailable (#13364)

Please try out the release binaries and report any issues at
github.com — issues.

Contributors

  • Maksym Pavlenko
  • Akihiro Suda
  • Derek McGowan
  • Paweł Gronowski
  • Brian Goff
  • Austin Vazquez
  • LEI WANG
  • Samuel Karp

Changes

24 commits

  • Prepare release notes for v2.3.1 (#13405)
    • 58af96519 Prepare release notes for v2.3.1
    • 8f0b3ca83 Update api to v1.11.1
  • oci: return explicit error for out-of-range USER values (#13447)
    • a05ae7885 oci: return explicit error for out-of-range USER values
  • Prepare release notes for api/v1.11.1 (#13444)
    • da7aef299 Prepare release notes for api/v1.11.1
  • Fix sandbox task API endpoints for non-runc runtimes (#13422)
    • 5282d4e09 Wire task address and version fields
    • e44f5f9ec protos: include task API address to CreateTaskRequest
  • seccomp: Block AF_ALG in default socket policy (#13409)
    • 4d80a31bf seccomp: Block AF_ALG in default socket policy
    • 2ed0d97b6 seccomp: Document socket rule scope and socketcall limitation
  • server: tolerate failed gRPC plugins when starting listeners (#13390)
    • 3a88fdde0 server: tolerate failed gRPC plugins when starting listeners
  • overlay: disable "rebase" capability when running in UserNS (#13394)
    • 2be0710b8 overlay: disable "rebase" capability when running in UserNS
  • Update Go to 1.26.3 (#13374)
    • 3b199c22b Update Go to 1.26.3
  • fix: close boltdb on metadata and mount plugin close (#13379)
    • 1d601271a fix: close boltdb on metadata and mount plugin close
  • Fix optional EROFS differ setup in transfer plugin (#13364)
    • d666d2e42 Refactor transfer unpack configuration setup
    • ccc3bd7b9 Fix optional transfer differ setup

Dependency Changes

  • github.com/containerd/containerd/api v1.11.0 -> v1.11.1

Previous release can be found at v2.3.0

Which file should I download?

  • containerd-<VERSION>-<OS>-<ARCH>.tar.gz: Recommended. Dynamically linked with glibc 2.35 (Ubuntu 22.04).
  • containerd-static-<VERSION>-<OS>-<ARCH>.tar.gz: Statically linked. Expected to be used on Linux distributions that do not use glibc >= 2.35. Not position-independent.

In addition to containerd, typically you will have to install runc
and CNI plugins from their official sites too.

See also the Getting Started documentation.

NiceOS maintainer checklist

  • Confirm that the detected version is a stable upstream release.
  • Check upstream changelog for security fixes, ABI/API changes and build-system changes.
  • Check ABI/API compatibility and reverse dependencies.
  • Download source into NiceOS lookaside storage.
  • Update Version and related fields in SPECS/*.spec only if policy allows it.
  • Regenerate SOURCES/sources.lock.json, manifests, metadata and SBOM.
  • Build SRPM/RPM in a clean NiceOS buildroot.
  • Run package smoke tests.
  • Link PR/build logs and close this issue after update or triage.

Bot metadata

  • Tool: niceos_upstream_monitor.py 2.1.3-local-websearch-github-release-pages
  • Generated at: 2026-06-11T23:12:33Z