
chore(deps): update dependency containerd/containerd to v1.7.19 #5632

Merged: 1 commit merged into main from renovate/containerd-containerd-1.7.x on Jul 3, 2024

Conversation

uniget-bot

This PR contains the following updates:

Package: containerd/containerd
Update type: patch
Change: 1.7.18 -> 1.7.19

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.


Release Notes

containerd/containerd (containerd/containerd)

v1.7.19: containerd 1.7.19


Welcome to the v1.7.19 release of containerd!

The nineteenth patch release for containerd 1.7 contains various updates and
splits the main module from the api module in preparation for the same change
in containerd 2.0. Splitting the modules will allow 1.7 and 2.x to both exist
as transitive dependencies without running into API registration errors.
Projects should use this version as the minimum 1.7 version in preparing to
use containerd 2.0 or to be imported alongside it.

Highlights
  • Fix support for OTLP config (#​10360)
  • Add API go module (#​10189)
  • Remove overlayfs volatile option on temp mounts (#​10332)
  • Update runc binary to v1.1.13 (#​10336)
  • Migrate platforms package to github.com/containerd/platforms (#​10292)
  • Migrate reference/docker package to github.com/distribution/reference (#​10316)
Container Runtime Interface (CRI)
  • Fix panic in NRI from nil CRI reference (#​10406)
  • Fix Windows HPC working directory (#​10306)

Please try out the release binaries and report any issues at
https://github.com/containerd/containerd/issues.

Contributors
  • Derek McGowan
  • Sebastiaan van Stijn
  • Wei Fu
  • Phil Estes
  • Akhil Mohan
  • Akihiro Suda
  • Brian Goff
  • Kirtana Ashok
  • Maksym Pavlenko
  • Samuel Karp
  • Austin Vazquez
  • Danny Canter
  • Kazuyoshi Kato
  • Maksim An
  • Yuanyuan Lei
  • krglosse
Changes
70 commits

  • Prepare release notes for v1.7.19 (#​10391)
    • 74a3d2901 Prepare release notes for v1.7.19
  • Fix panic in NRI from nil CRI reference (#​10406)
    • 7f5d3c5f4 cri: ensure NRI API never has nil CRI
  • Windows: Supply windows shim version via file (#​10403)
    • 6efc5bb89 update runhcs binary to v0.11.7
    • 945ae09fd Windows: Supply windows shim version via file
  • reference: deprecate SplitObject (#​10397)
    • dba53578c pkg/reference: deprecate SplitObject
  • Updating hcsshim vendoring to 0.11.7 to include an important backported fix (#​10396)
  • reference: reduce allocations and improve GoDoc (#​10395)
    • 5ad1d2e75 pkg/reference: Spec.Digest(): inline SplitObject code
    • 57ce09b42 pkg/reference: SplitObject: add proper GoDoc
    • 78ac93fed pkg/reference: SplitObject: zero allocations
    • b074e3a7c pkg/reference: Spec.String(): use string-concatenation instead of sprintf
  • Update api version to v1.7.19 (#​10387)
  • Prepare release notes for api v1.7.19 (#​10386)
  • api: update github.com/containerd/ttrpc v1.2.5 to align with containerd 1.7 module (#​10364)
    • 2a6aa6ddf [release/1.7] api: update github.com/containerd/ttrpc v1.2.5
  • vendor: github.com/containerd/ttrpc v1.2.5 (#​10373)
    • 37926b10d vendor: github.com/containerd/ttrpc v1.2.5
  • golangci-lint fix typo in depguard message (#​10371)
    • a522e267e golangci-lint fix typo in depguard message
  • Fix support for OTLP config (#​10360)
    • 1ce1c8f3e 1.7: Add back support for OTLP config from toml
  • remove imports of errdefs package, and add depguard linter (#​10367)
    • 136e1b72d golangci-lint: enable depguard for packages that moved
    • f5ce2f204 remove imports of errdefs package
  • Add API go module (#​10189)
    • 3be919f3c Add support for 1.8 interfaces
    • 5b87eb502 Add go mod replace when proto changes happen
    • a3a7431bc Add api go submodule
    • 61b3e2261 Alias protobuf plugin to new api types package
    • 4b82470f6 refactor: move plugin/fieldpath to api/types/
  • Remove overlayfs volatile option on temp mounts (#​10332)
    • 24ce9e431 integration: backport upgrade testsuite's utils
    • 79500d5cb *: export RemoveVolatileOption for CRI image volumes
    • bb80bd768 strip-volatile-option-tmp-mounts
  • Update runc binary to v1.1.13 (#​10336)
  • Fail integration test early when a plugin load fails (#​10311)
    • 884094be8 devmapper plugin: skip plugin when not configured
    • 40012b644 Fail integration test early when a plugin load fails
  • Migrate platforms package to github.com/containerd/platforms (#​10292)
    • 869b78677 vendor: github.com/containerd/platforms v0.2.1
    • 6ccdf6977 platforms: mark aliases as deprecated
    • 19a056163 adjust default platform for backward-compatibility
    • 6ff3e09d2 migrate platforms package to github.com/containerd/platforms
  • go.mod: github.com/klauspost/compress v1.16.7 (#​10326)
    • 327a3ac61 go.mod: github.com/klauspost/compress v1.16.7
    • d0d1264a6 vendor: github.com/klauspost/compress v1.16.5
  • Use Github Actions to run Vagrant CI (#​10325)
    • 02b8dd5ff Remove cirrus configuration
    • 31d951bf5 Run vagrant integration tests as github actions
  • Migrate reference/docker package to github.com/distribution/reference (#​10316)
    • 97abbe9cb build(deps): bump github.com/distribution/reference from 0.5.0 to 0.6.0
    • a00a2d20a reference/docker: remove deprecated SplitHostname
    • b38c0f2ef replace reference/docker for github.com/distribution/reference v0.5.0
  • build(deps): bump go.etcd.io/bbolt from 1.3.9 to 1.3.10 (#​10315)
    • fef432bfe build(deps): bump go.etcd.io/bbolt from 1.3.9 to 1.3.10
    • 487c61bfb vendor: go.etcd.io/bbolt v1.3.9
    • 7211f87c4 build(deps): bump golang.org/x/sync from 0.4.0 to 0.5.0
    • e908c3e6f vendor: golang.org/x/sync v0.4.0
    • d814be5ce build(deps): bump go.etcd.io/bbolt from 1.3.7 to 1.3.8
  • Fix Windows HPC working directory (#​10306)
    • 33b62936e [release/1.7]: HPC working directory fix in pkg/cri/server code

Changes from containerd/platforms
21 commits

Changes from containerd/ttrpc
4 commits

Dependency Changes
  • github.com/Microsoft/hcsshim v0.11.5 -> v0.11.7
  • github.com/containerd/containerd/api v1.7.19 new
  • github.com/containerd/platforms v0.2.1 new
  • github.com/containerd/ttrpc v1.2.4 -> v1.2.5
  • github.com/distribution/reference v0.6.0 new
  • github.com/klauspost/compress v1.16.0 -> v1.16.7
  • go.etcd.io/bbolt v1.3.7 -> v1.3.10
  • golang.org/x/sync v0.3.0 -> v0.5.0

Previous release can be found at v1.7.18


Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.



This PR has been generated by Renovate Bot.

@nicholasdille-bot left a comment

Auto-approved because label type/renovate is present.

github-actions bot commented Jul 3, 2024

🔍 Vulnerabilities of ghcr.io/uniget-org/tools/containerd:1.7.19

📦 Image Reference: ghcr.io/uniget-org/tools/containerd:1.7.19
Digest: sha256:4f2aa6e4dfa478808b190bbaf0b917eece88a360f43ae07b2c133a36f45af8bd
Vulnerabilities: critical: 0 high: 1 medium: 1 low: 0 unspecified: 1
Platform: linux/amd64
Size: 49 MB
Packages: 131

critical: 0 high: 1 medium: 0 low: 0 go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc 0.45.0 (golang)

pkg:golang/go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc@0.45.0

high 7.5: CVE-2023-47108 Allocation of Resources Without Limits or Throttling

Affected range: <0.46.0
Fixed version: 0.46.0
CVSS Score: 7.5
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Description

Summary

The grpc Unary Server Interceptor opentelemetry-go-contrib/instrumentation/google.golang.org/grpc/otelgrpc/interceptor.go

// UnaryServerInterceptor returns a grpc.UnaryServerInterceptor suitable
// for use in a grpc.NewServer call.
func UnaryServerInterceptor(opts ...Option) grpc.UnaryServerInterceptor {

out of the box adds labels

  • net.peer.sock.addr
  • net.peer.sock.port

that have unbound cardinality. It leads to the server's potential memory exhaustion when many malicious requests are sent.

Details

An attacker can easily flood the peer address and port for requests.

PoC

Apply the attached patch to the example and run the client multiple times. Observe how each request will create a unique histogram and how the memory consumption increases during it.

Impact

In order to be affected, the program has to configure a metrics pipeline, use UnaryServerInterceptor, and not filter client IP addresses and ports via middleware or proxies, etc.

Others

It is similar to already reported vulnerabilities.

Workaround for affected versions

As a workaround to stop being affected, a view removing the attributes can be used.

The other possibility is to disable grpc metrics instrumentation by passing otelgrpc.WithMeterProvider option with noop.NewMeterProvider.

Solution provided by upgrading

In PR #4322, to be released with v0.46.0, the attributes were removed.

critical: 0 high: 0 medium: 1 low: 0 k8s.io/apiserver 0.26.2 (golang)

pkg:golang/k8s.io/apiserver@0.26.2

medium 4.3: CVE-2020-8552 OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities

Affected range: <1.15.10
Fixed version: 1.15.10, 1.16.7, 1.17.3
CVSS Score: 4.3
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
Description

The Kubernetes API server component has been found to be vulnerable to a denial of service attack via successful API requests.

critical: 0 high: 0 medium: 0 low: 0 unspecified: 1 stdlib 1.21.11 (golang)

pkg:golang/stdlib@1.21.11

unspecified: CVE-2024-24791

Affected range: <1.21.12
Fixed version: 1.21.12
Description

The net/http HTTP/1.1 client mishandled the case where a server responds to a request with an "Expect: 100-continue" header with a non-informational (200 or higher) status. This mishandling could leave a client connection in an invalid state, where the next request sent on the connection will fail.

An attacker sending a request to a net/http/httputil.ReverseProxy proxy can exploit this mishandling to cause a denial of service by sending "Expect: 100-continue" requests which elicit a non-informational response from the backend. Each such request leaves the proxy with an invalid connection, and causes one subsequent request using that connection to fail.
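To make the cardinality problem in the otelgrpc finding above concrete, here is an added model, not code from containerd, uniget-org or opentelemetry-go-contrib: a small stand-in for a metrics pipeline that retains one aggregation per distinct attribute set, a flood of unary RPCs from a single client whose source port changes on every connection, and the advisory's workaround of a view that drops net.peer.sock.addr and net.peer.sock.port before aggregation. The Registry, Attribute and simulateFlood names, the containerd service name used as a label, and the 203.0.113.7 client are constructed for the illustration.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Attribute is one metric label, in the key/value shape OpenTelemetry uses.
type Attribute struct {
	Key   string
	Value string
}

// Registry is a deliberately small model of a metrics pipeline (not the
// OpenTelemetry SDK): it keeps one aggregation per distinct attribute set,
// here a plain counter standing in for the per-RPC latency histogram.
// Every distinct set is retained for the life of the process, so memory
// grows with the number of distinct sets the server has ever seen.
type Registry struct {
	series map[string]int  // serialized attribute set -> observation count
	drop   map[string]bool // attribute keys stripped before aggregation (a "view")
}

// NewRegistry returns a pipeline that strips the given attribute keys
// before aggregating. With no keys it behaves like the unfiltered
// interceptor described in the advisory.
func NewRegistry(dropKeys ...string) *Registry {
	r := &Registry{series: map[string]int{}, drop: map[string]bool{}}
	for _, k := range dropKeys {
		r.drop[k] = true
	}
	return r
}

// Record aggregates one observation under the attribute set, minus any
// keys the view drops. Keys are sorted so label order alone cannot create
// spurious series.
func (r *Registry) Record(attrs []Attribute) {
	kept := make([]string, 0, len(attrs))
	for _, a := range attrs {
		if r.drop[a.Key] {
			continue
		}
		kept = append(kept, a.Key+"="+a.Value)
	}
	sort.Strings(kept)
	r.series[strings.Join(kept, ",")]++
}

// Series reports how many distinct attribute sets are currently retained.
func (r *Registry) Series() int { return len(r.series) }

// simulateFlood plays n unary RPCs from one client address whose source
// port changes on every connection, which is what any TCP client does
// without the attacker having to try. It returns the number of series the
// pipeline holds afterwards.
func simulateFlood(r *Registry, n int) int {
	for i := 0; i < n; i++ {
		r.Record([]Attribute{
			{Key: "rpc.system", Value: "grpc"},
			{Key: "rpc.service", Value: "containerd.services.images.v1.Images"}, // constructed label
			{Key: "rpc.method", Value: "Get"},
			{Key: "net.peer.sock.addr", Value: "203.0.113.7"}, // constructed sample client
			{Key: "net.peer.sock.port", Value: fmt.Sprint(32768 + i)},
		})
	}
	return r.Series()
}

func main() {
	unfiltered := NewRegistry()
	fmt.Println("series without a view:", simulateFlood(unfiltered, 10000))

	filtered := NewRegistry("net.peer.sock.addr", "net.peer.sock.port")
	fmt.Println("series with peer attributes dropped:", simulateFlood(filtered, 10000))
}
```

Dropping only the address is not enough, since the port still varies per connection; both keys have to go. Against the real SDK the equivalent of the `drop` set is a metric view whose attribute filter denies those keys, or, as the advisory notes, passing `otelgrpc.WithMeterProvider` a no-op provider so the instrumentation records nothing at all; upgrading to 0.46.0 removes the attributes at the source.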

github-actions bot commented Jul 3, 2024

Attempting automerge. See https://github.com/uniget-org/tools/actions/runs/9773313273.

github-actions bot commented Jul 3, 2024

PR is clean and can be merged. See https://github.com/uniget-org/tools/actions/runs/9773313273.

@github-actions github-actions bot merged commit 2e9f7f8 into main Jul 3, 2024
9 checks passed
@github-actions github-actions bot deleted the renovate/containerd-containerd-1.7.x branch July 3, 2024 07:02