
@renovate renovate bot commented Nov 6, 2025

This PR contains the following updates:

Package: github.com/containerd/containerd/v2
Change: v2.1.4 -> v2.1.5

GitHub Vulnerability Alerts

CVE-2024-25621

Impact

An overly broad default permission vulnerability was found in containerd.

  • /var/lib/containerd was created with the permission bits 0o711, while it should be created with 0o700
    • Allowed local users on the host to potentially access the metadata store and the content store
  • /run/containerd/io.containerd.grpc.v1.cri was created with 0o755, while it should be created with 0o700
    • Allowed local users on the host to potentially access the contents of Kubernetes local volumes. The contents of volumes might include setuid binaries, which could allow a local user on the host to elevate privileges on the host.
  • /run/containerd/io.containerd.sandbox.controller.v1.shim was created with 0o711, while it should be created with 0o700

The directory paths may differ depending on the daemon configuration.
When the temp directory path is specified in the daemon configuration, that directory was also created with 0o711, while it should be created with 0o700.

Patches

This bug has been fixed in the following containerd versions:

  • 2.2.0
  • 2.1.5
  • 2.0.7
  • 1.7.29

Users should update to these versions to resolve the issue.
These updates automatically change the permissions of the existing directories.

Note

/run/containerd and /run/containerd/io.containerd.runtime.v2.task are still created with 0o711.
This is an expected behavior for supporting userns-remapped containers.

Workarounds

The system administrator on the host can manually chmod the directories to not
have group- or world-accessible permissions:

chmod 700 /var/lib/containerd
chmod 700 /run/containerd/io.containerd.grpc.v1.cri
chmod 700 /run/containerd/io.containerd.sandbox.controller.v1.shim

An alternative mitigation would be to run containerd in rootless mode.

Credits

The containerd project would like to thank David Leadbeater for responsibly disclosing this issue in accordance with the containerd security policy.

For more information

If you have any questions or comments about this advisory:

To report a security issue in containerd:

CVE-2025-64329

Impact

A bug was found in containerd's CRI Attach implementation where a user can exhaust memory on the host due to goroutine leaks.

Repetitive calls of CRI Attach (e.g., kubectl attach) could increase the memory usage of containerd.

Patches

This bug has been fixed in the following containerd versions:

  • 2.2.0
  • 2.1.5
  • 2.0.7
  • 1.7.29

Users should update to these versions to resolve the issue.

Workarounds

Set up an admission controller to control accesses to pods/attach resources.
e.g., Validating Admission Policy.

Credits

The containerd project would like to thank @Wheat2018 for responsibly disclosing this issue in accordance with the containerd security policy.

References

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-64329

For more information

If you have any questions or comments about this advisory:

To report a security issue in containerd:


Release Notes

containerd/containerd (github.com/containerd/containerd/v2)

v2.1.5: containerd 2.1.5

Compare Source

Welcome to the v2.1.5 release of containerd!

The fifth patch release for containerd 2.1 contains various fixes and updates.

Security Updates
Highlights
Container Runtime Interface (CRI)
  • Disable event subscriber during task cleanup (#​12410)
  • Add SystemdCgroup to default runtime options (#​12253)
  • Fix userns with container image VOLUME mounts that need copy (#​12242)
Image Distribution
  • Ensure errContentRangeIgnored error when range-get request is ignored (#​12312)
Runtime
Deprecations
  • Postpone v2.2 deprecation items to v2.3 (#​12431)

Please try out the release binaries and report any issues at
https://github.com/containerd/containerd/issues.

Contributors
  • Phil Estes
  • Akihiro Suda
  • Derek McGowan
  • Austin Vazquez
  • Rodrigo Campos
  • Maksym Pavlenko
  • Wei Fu
  • ningmingxiao
  • Akhil Mohan
  • Henry Wang
  • Andrew Halaney
  • Divya Rani
  • Jose Fernandez
  • Swagat Bora
  • wheat2018
Changes
58 commits

  • Prepare release notes for v2.1.5 (#​12483)
  • Update runc binary to v1.3.3 (#​12478)
    • 3d713d3d0 runc: Update runc binary to v1.3.3
  • Update GHA runners to use latest images for basic binaries build (#​12470)
    • de4221cb7 Update GHA runners to use latest images for basic binaries build
  • ci: bump Go 1.24.9, 1.25.3 (#​12467)
  • Update GHA runners to use latest image for most jobs (#​12468)
    • 21ec7cc7d Update GHA runners to use latest image for most jobs
  • CI: update Fedora to 43 (#​12449)
  • Postpone v2.2 deprecation items to v2.3 (#​12431)
    • 6374a8f9d Postpone v2.2 deprecation items to v2.3
  • CI: skip ubuntu-24.04-arm on private repos (#​12427)
    • 98e0e73de CI: skip ubuntu-24.04-arm on private repos
  • Disable event subscriber during task cleanup (#​12410)
    • a3770cf83 cri/server/podsandbox: disable event subscriber
  • Fix lost container logs from quickly closing io (#​12377)
    • 7d9f09ba0 bugfix:fix container logs lost because io close too quickly
  • ci: bump Go 1.24.8 (#​12360)
  • Prevent goroutine hangs during ProgressTracker shutdown (#​12336)
    • 9b57a4d35 Prevent goroutine hangs during ProgressTracker shutdown
  • Ensure errContentRangeIgnored error when range-get request is ignored (#​12312)
    • ca3de4fe7 Ensure errContentRangeIgnored error when range-get request is ignored by registry
  • Remove additional fuzzers from instrumentation repo (#​12313)
    • dfffe3d9c Remove additional fuzzers from CI
  • update release builds to 1.24.7 and add 1.25.1 to CI (#​12258)
    • c54585ba7 update release builds to 1.24.7 and add 1.25.1 to CI
  • runc:Update runc binary to v1.3.1 (#​12277)
    • f0a48ce38 runc:Update runc binary to v1.3.1
  • Add SystemdCgroup to default runtime options (#​12253)
    • f13f8c431 add SystemdCgroup to default runtime options
  • install-runhcs-shim: fetch target commit instead of tags (#​12256)
    • 42bb71e1e install-runhcs-shim: fetch target commit instead of tags
  • Fix userns with container image VOLUME mounts that need copy (#​12242)
    • 10944e19f integration: Add test for directives with userns
    • 41d74aee2 cri: Fix userns with Dockerfile VOLUME mounts that need copy
  • Fix overlayfs issues related to user namespace (#​12222)
    • f40bfc46b core/mount: Retry unmounting idmapped directories
    • 1f51d2dea core/mount: Test cleanup of DoPrepareIDMappedOverlay()
    • 8fbf8c503 core/mount: Properly cleanup on doPrepareIDMappedOverlay errors
    • b9d678e15 core/mount: Don't call nil function on errors
    • 583fe2d24 core/mount: Only idmap once per overlayfs, not per layer
  • Add documentation for cgroup_writable field (#​12229)
    • 4832b4d15 Add documentation for cgroup_writable field
  • fix: create bootstrap.json with 0644 permission (#​12183)
    • 3c174cf64 fix: create bootstrap.json with 0644 permission
  • ci: bump Go 1.23.12, 1.24.6 (#​12186)
  • sys: fix pidfd leak in UnshareAfterEnterUserns (#​12179)
    • 5ef6ea747 sys: fix pidfd leak in UnshareAfterEnterUserns

Dependency Changes

This release has no dependency changes

Previous release can be found at v2.1.4

Which file should I download?
  • containerd-<VERSION>-<OS>-<ARCH>.tar.gz: ✅Recommended. Dynamically linked with glibc 2.35 (Ubuntu 22.04).
  • containerd-static-<VERSION>-<OS>-<ARCH>.tar.gz: Statically linked. Expected to be used on Linux distributions that do not use glibc >= 2.35. Not position-independent.

In addition to containerd, typically you will have to install runc
and CNI plugins from their official sites too.

See also the Getting Started documentation.


Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.
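The CVE-2024-25621 advisory quoted above lists three directories that must be 0700 and says the patched releases tighten existing directories in place. The program below is an added example of that audit-and-tighten step, written here for this page; it is not containerd's own code. The directory list is taken from the advisory, the root argument lets it be pointed at a scratch tree or a mounted host filesystem, and any extra path (such as a temp directory set in the daemon configuration) is passed relative to that root.

```go
package main

import (
	"errors"
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
)

// AdvisoryDirs lists the directories the CVE-2024-25621 advisory says must be
// 0700, relative to the host root. The paths differ if containerd's root or
// state directory is overridden in config, so callers can pass extra paths.
var AdvisoryDirs = []string{
	"var/lib/containerd",
	"run/containerd/io.containerd.grpc.v1.cri",
	"run/containerd/io.containerd.sandbox.controller.v1.shim",
}

// GroupOrWorldAccessible reports whether any group or other permission bit is
// set, i.e. whether the mode is looser than 0700.
func GroupOrWorldAccessible(mode fs.FileMode) bool {
	return mode.Perm()&0o077 != 0
}

// EnsurePrivateDir creates dir as 0700 if it is missing and tightens it to
// 0700 if it already exists with group/other bits. It returns true only when
// it changed the mode of an existing directory.
//
// The explicit Chmod matters: os.MkdirAll applies the umask to the mode it is
// given and leaves an existing directory's mode untouched, which is exactly
// why directories created 0711 by an older daemon stay 0711 after an upgrade
// unless something chmods them.
func EnsurePrivateDir(dir string) (bool, error) {
	if err := os.MkdirAll(dir, 0o700); err != nil {
		return false, err
	}
	st, err := os.Lstat(dir)
	if err != nil {
		return false, err
	}
	// Refuse to follow a symlink: chmod through a link planted by a local
	// user would change the mode of whatever the link points at.
	if st.Mode()&fs.ModeSymlink != 0 {
		return false, fmt.Errorf("%s: is a symlink, refusing to chmod through it", dir)
	}
	if !st.IsDir() {
		return false, fmt.Errorf("%s: not a directory", dir)
	}
	if !GroupOrWorldAccessible(st.Mode()) {
		return false, nil
	}
	if err := os.Chmod(dir, 0o700); err != nil {
		return false, err
	}
	return true, nil
}

// AuditAdvisoryDirs returns the advisory directories (plus any extra paths,
// relative to root) that exist and are still group- or world-accessible.
// Missing directories are skipped: containerd only creates them once the
// corresponding plugin has run.
func AuditAdvisoryDirs(root string, extra ...string) ([]string, error) {
	var loose []string
	for _, rel := range append(append([]string{}, AdvisoryDirs...), extra...) {
		dir := filepath.Join(root, rel)
		st, err := os.Lstat(dir)
		if errors.Is(err, fs.ErrNotExist) {
			continue
		}
		if err != nil {
			return nil, err
		}
		if st.IsDir() && GroupOrWorldAccessible(st.Mode()) {
			loose = append(loose, dir)
		}
	}
	return loose, nil
}

func main() {
	// Usage: go run . [root]   (root defaults to "/"; point it at a scratch tree to try it out)
	root := "/"
	if len(os.Args) > 1 {
		root = os.Args[1]
	}
	loose, err := AuditAdvisoryDirs(root)
	if err != nil {
		fmt.Fprintln(os.Stderr, "audit:", err)
		os.Exit(2)
	}
	for _, d := range loose {
		changed, err := EnsurePrivateDir(d)
		switch {
		case err != nil:
			fmt.Fprintf(os.Stderr, "%s: %v\n", d, err)
		case changed:
			fmt.Printf("%s: tightened to 0700\n", d)
		}
	}
	if len(loose) == 0 {
		fmt.Println("all advisory directories are 0700 (or absent)")
	}
}
```

Run it as root against "/" on a host that has not yet been upgraded to a fixed release and it performs the same chmod the Workarounds section lists, with the symlink check the bare chmod lacks. It deliberately leaves /run/containerd and /run/containerd/io.containerd.runtime.v2.task alone, since the advisory's Note says those stay 0711 for userns-remapped containers.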
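The CVE-2025-64329 advisory above suggests an admission controller on pods/attach as a workaround. Below is that idea written out as a ValidatingAdmissionPolicy plus its binding; it is an added example for this page, not a policy shipped by containerd or Kubernetes. It assumes a cluster where admissionregistration.k8s.io/v1 ValidatingAdmissionPolicy is available (Kubernetes 1.30 and later), and the group name platform-oncall is a placeholder to replace with whatever group is actually allowed to attach. An attach request reaches the API server as a CONNECT on the pods/attach subresource, which is what the resourceRules match.

```yaml
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingAdmissionPolicy
metadata:
  name: restrict-pod-attach
spec:
  failurePolicy: Fail
  matchConstraints:
    resourceRules:
      - apiGroups: [""]
        apiVersions: ["v1"]
        operations: ["CONNECT"]
        resources: ["pods/attach"]
  validations:
    # Only members of the placeholder group may attach; everyone else is denied
    # with the message below so repeated kubectl attach calls cannot be used to
    # grow containerd's memory on the node.
    - expression: "request.userInfo.groups.exists(g, g == 'platform-oncall')"
      message: "pods/attach is restricted to the platform-oncall group until nodes run a fixed containerd release"
---
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingAdmissionPolicyBinding
metadata:
  name: restrict-pod-attach
spec:
  policyName: restrict-pod-attach
  # Deny the request and also record the decision in the audit log.
  validationActions: [Deny, Audit]
```

This only narrows who can trigger the goroutine leak; it does not remove it. Treat it as a stopgap while nodes are rolled to one of the fixed releases (2.2.0, 2.1.5, 2.0.7, 1.7.29), and remember that users who are still allowed to attach can still exhaust memory on a node running an unpatched containerd.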

@renovate renovate bot added the dependencies label Nov 6, 2025

codecov bot commented Nov 6, 2025

Codecov Report

✅ All modified and coverable lines are covered by tests.

@@            Coverage Diff             @@
##             main      #58      +/-   ##
==========================================
- Coverage   20.40%   20.31%   -0.10%     
==========================================
  Files           8        8              
  Lines        1083      886     -197     
==========================================
- Hits          221      180      -41     
+ Misses        840      684     -156     
  Partials       22       22              
Flag Coverage Δ
unittests 20.31% <ø> (-0.10%) ⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.
see 7 files with indirect coverage changes

