Welcome to the v1.2.12 release of containerd!

The twelfth patch release for containerd 1.2 includes an updated runc with
a fix for CVE-2019-19921, an updated version of the opencontainers/selinux
dependency, which includes a fix for CVE-2019-16884, an updated version of the
gopkg.in/yaml.v2 dependency to address CVE-2019-11253, and a Golang update.

Notable Updates

• Update the runc vendor to v1.0.0-rc10 which includes a mitigation for CVE-2019-19921.

• Update the opencontainers/selinux which includes a mitigation for CVE-2019-16884.

• Update Golang runtime to 1.12.16, mitigating the CVE-2020-0601 certificate verification bypass on Windows, and CVE-2020-7919, which only affects 32-bit architectures.

• Update Golang runtime to 1.12.15, which includes a fix to the runtime (Go 1.12.14, Go 1.12.15) and and the net/http package (Go 1.12.15)

• A fix to prevent SIGSEGV when starting containerd-shim containerd/containerd#3960

• Fixes to exec containerd/containerd#3755

  • Prevent docker exec hanging if an earlier docker exec left a zombie process
  • Prevent High system load/CPU utilization with liveness and readiness probes
  • Prevent Docker healthcheck causing high CPU utilization

• CRI fixes:

  • Update the gopkg.in/yaml.v2 vendor to v2.2.8 with a mitigation for CVE-2019-11253

API

• Fix API filters to properly handle and return parse errors containerd/containerd#3950

Please try out the release binaries and report any issues at
https://github.com/containerd/containerd/issues.

Contributors

• Sebastiaan van Stijn
• Lantao Liu
• Phil Estes
• Derek McGowan
• Davanum Srinivas
• Michael Crosby
• Mike Brown
• Maksym Pavlenko
• Akihiro Suda
• Reid Li
• Wei Fu

Changes

• 35bd7a5f69 Merge pull request #3984 from thaJeztah/release_1.2.12
• 79d65767e4 Prepare v1.2.12 release
• 9be62a7ee9 Update mailmap
• 7018df2284 Merge pull request #3996 from thaJeztah/1.2_bump_containerd_cri
• 9c7bd5072d Merge pull request #3997 from thaJeztah/1.2_backport_dockerfile_test_fixes
• 89c589bf03 Merge pull request #3995 from thaJeztah/1.2_backport_bump_grpc
• 8761b1bf86 Update name for btrfs headers package
• 5db3987ebf Fix dependency in BUILDING.md
• 945611681c [release/1.2] vendor: bump containerd/cri b1052f3b73fb9f0a6805d3c20e884a4cef265a38
• 520c8cb846 bump google.golang.org/grpc v1.23.1
• a558638ee7 Merge pull request #3993 from thaJeztah/1.2_update_containerd_cri
• c12aaf0e59 vendor: bump gopkg.in/yaml.v2 v2.2.8
• 9d1954f2ec vendor: bump containerd/cri b075cc4e9f394780dbed101601c48dcc3d37c828 (release/1.2 branch)
• 92b40b6254 Merge pull request #3988 from thaJeztah/1.2_bump_golang_1.12.16
• 1bc2590d98 vendor: update golang.org/x/crypto 69ecbb4d6d5dab05e49161c6e77ea40a030884e1
• 44b5bac0c0 Update Golang 1.12.16 (CVE-2020-0601, CVE-2020-7919)
• 7276974071 Merge pull request #3982 from dims/bump-opencontainers/selinux-for-CVE-2019-16884-release-1.2
• 4c03d5dfb8 Pick up fix for CVE-2019-16884 in opencontainers/selinux
• 318111bdfe Merge pull request #3977 from dims/update-to-new-rc10-of-opencontainers/runc-release-1.2
• 87648d2a7b Bump to opencontainers/runc new version - v1.0.0-rc10
• 701a8d0db8 Merge pull request #3968 from thaJeztah/1.2_bump_golang_1.12.15
• f106ae4ab5 Update Golang 1.12.15
• 625b11b6e1 Merge pull request #3960 from fuweid/cp-3559
• 4288ba10fd runtime: only check killall for init process
• 28d162717f Merge pull request #3918 from thaJeztah/1.2_bump_golang_1.12.14
• e7b06baa68 Update Golang 1.12.14
• b584375bdf Merge pull request #3909 from estesp/cp-3898-1.2
• 34978bf3bd Disable criu tests in Travis CI
• 79f4c650d5 Merge pull request #3755 from thaJeztah/1.2_backport_avoid_unnecessary_runc_state
• ec48c95015 Merge pull request #3856 from fuweid/cp-1.2-3853
• de8ed89b12 Fix cleanup error on content client test
• 0877136a97 Use cached state instead of runc state.
• f71f6d39b6 Robust pid locking for shim processes
• 42aba6e0fe Add timeout for I/O waitgroups

Changes from containerd/cri

• b1052f3b Merge pull request #1392 from dims/sync-vendors-with-containerd-in-release/1.2
• 6adfc229 Merge pull request #1389 from dims/update-opencontainers/selinux-in-release/1.2
• 6f8dc60e Sync vendors with containerd 1.2.11
• ae6b4816 pick up fix for CVE-2019-19921 in opencontainers/selinux
• b075cc4e Merge pull request #1388 from thaJeztah/1.2_bump_yaml
• b1a3e1e9 [release/1.2] vendor: bump gopkg.in/yaml.v2 v2.2.8
• 5420c6fb Merge pull request #1354 from Random-Liu/cherrypick-#1351-release-1.2
• 12b09431 Better handle unknown state.
• 57022a55 Merge pull request #1321 from Random-Liu/cherrypick-#1319-release-1.2
• c229ad5c Fix containerd build, use libbtrfs-dev when available.
• 80959d35 Merge pull request #1313 from Random-Liu/cherrypick-#1312-release-1.2
• 6a7a8275 Update based on default xenial distro.
• 69a876d4 Merge pull request #1305 from Random-Liu/sync-vendor-release-1.2
• b638ad99 Sync vendors with containerd.

Dependency Changes

Previous release can be found at v1.2.11

• github.com/containerd/cri bab7348fcfcc795e0dda2cc02e8cac6316c85edc -> b1052f3b73fb9f0a6805d3c20e884a4cef265a38
• github.com/opencontainers/runc d736ef14f0288d6993a1845745d6756cfc9ddd5a -> dc9208a3303feef5b3839f4323d9beb36df0a9dd
• github.com/opencontainers/selinux v1.2.2 -> 5215b1806f52b1fcc2070a8826c542c9d33cd3cf
• golang.org/x/crypto 49796115aa4b964c318aad4f3084fdb41e9aa067 -> 69ecbb4d6d5dab05e49161c6e77ea40a030884e1
• google.golang.org/appengine 54a98f90d1c46b7731eb8fb305d2a321c30ef610 new
• google.golang.org/grpc 6eaf6f47437a6b4e2153a190160ef39a92c7eceb -> 39e8a7b072a67ca2a75f57fa2e0d50995f5b22f6
• gopkg.in/yaml.v2 v2.2.1 -> 53403b58ad1b561927d19068c655246f2db79d48