Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package containerd for openSUSE:Factory checked in at 2026-06-23 17:36:08
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/containerd (Old)
 and      /work/SRC/openSUSE:Factory/.containerd.new.1956 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "containerd"

Tue Jun 23 17:36:08 2026 rev:76 rq:1361077 version:1.7.33

Changes:
--------
--- /work/SRC/openSUSE:Factory/containerd/containerd.changes	2025-11-11 19:18:50.929215315 +0100
+++ /work/SRC/openSUSE:Factory/.containerd.new.1956/containerd.changes	2026-06-23 17:36:50.997878679 +0200
@@ -1,0 +2,31 @@ +Mon Jun 22 10:50:52 UTC 2026 - Dirk Müller <[email protected]> + +- update to 1.7.33 (bsc#1262266, CVE-2026-35469, + bsc#1268355, CVE-2026-46680, + bsc#1268430, CVE-2026-53488, + bsc#1268441, CVE-2026-47262): + * https://github.com/containerd/containerd/releases/tag/v1.7.33 + * https://github.com/containerd/containerd/releases/tag/v1.7.32 + * https://github.com/containerd/containerd/releases/tag/v1.7.31 + * https://github.com/containerd/containerd/releases/tag/v1.7.30 +- drop 0003-CVE-2026-34986-Bump-go-jose-to-v3.0.5.patch (upstream) + +------------------------------------------------------------------- +Thu Jun 18 01:05:00 UTC 2026 - Madhankumar Chellamuthu <[email protected]> + +- Add patch for CVE-2026-34986 (bsc#1262948) + * 0003-CVE-2026-34986-Bump-go-jose-to-v3.0.5.patch + +- Add patch for CVE-2026-39821 (bsc#1266640) + * 0004-CVE-2026-39821-idna-update-from-x-text-fix-ToUnicode.patch + +- Add patch for CVE-2026-33814 (bsc#1265794) + * 0005-CVE-2026-33814-http2-prevent-hanging-Transport-due-t.patch + +------------------------------------------------------------------- +Thu Apr 30 08:48:29 UTC 2026 - Madhankumar Chellamuthu <[email protected]> + +- Add patch for CVE-2026-33186 (bsc#1260296): + * 0002-CVE-2026-33186-containerd-google.golang.org-grpc-aut.patch + +------------------------------------------------------------------- Old: ---- containerd-1.7.29_442cb34b.tar.xz New: ---- 0002-CVE-2026-33186-containerd-google.golang.org-grpc-aut.patch 0004-CVE-2026-39821-idna-update-from-x-text-fix-ToUnicode.patch 0005-CVE-2026-33814-http2-prevent-hanging-Transport-due-t.patch containerd-1.7.33_e8b1a9bc2.tar.xz ----------(New B)---------- New:- Add patch for CVE-2026-33186 (bsc#1260296): * 0002-CVE-2026-33186-containerd-google.golang.org-grpc-aut.patch New:- Add patch for CVE-2026-39821 (bsc#1266640) * 0004-CVE-2026-39821-idna-update-from-x-text-fix-ToUnicode.patch New:- Add patch for CVE-2026-33814 (bsc#1265794) * 
0005-CVE-2026-33814-http2-prevent-hanging-Transport-due-t.patch ----------(New E)---------- ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ containerd.spec ++++++ --- /var/tmp/diff_new_pack.rZkXDC/_old 2026-06-23 17:36:52.037914918 +0200 +++ /var/tmp/diff_new_pack.rZkXDC/_new 2026-06-23 17:36:52.037914918 +0200 @@ -1,7 +1,7 @@ # # spec file for package containerd # -# Copyright (c) 2025 SUSE LLC and contributors +# Copyright (c) 2026 SUSE LLC and contributors # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -23,14 +23,14 @@ %endif # MANUAL: Update the git_version. -%define git_version 442cb34bda9a6a0fed82a2ca7cade05c5c749582 -%define git_short 442cb34b +%define git_version e8b1a9bc270f9952197c470b8bad573b03a3a608 +%define git_short e8b1a9bc2 %global provider_prefix github.com/containerd/containerd %global import_path %{provider_prefix} Name: containerd -Version: 1.7.29 +Version: 1.7.33 Release: 0 Summary: Standalone OCI Container Daemon License: Apache-2.0 @@ -41,6 +41,9 @@ Source2: %{name}.service # UPSTREAM: Revert <https://github.com/containerd/containerd/pull/7933> to fix build on SLE-12. Patch1: 0001-BUILD-SLE12-revert-btrfs-depend-on-kernel-UAPI-inste.patch +Patch2: 0002-CVE-2026-33186-containerd-google.golang.org-grpc-aut.patch +Patch4: 0004-CVE-2026-39821-idna-update-from-x-text-fix-ToUnicode.patch +Patch5: 0005-CVE-2026-33814-http2-prevent-hanging-Transport-due-t.patch BuildRequires: fdupes BuildRequires: glibc-devel-static BuildRequires: go >= 1.22 @@ -103,6 +106,9 @@ %if 0%{?sle_version} == 120000 %patch -P 1 -p1 %endif +%patch -P 2 -p1 +%patch -P 4 -p1 +%patch -P 5 -p1 %build %goprep %{import_path} ++++++ 0002-CVE-2026-33186-containerd-google.golang.org-grpc-aut.patch ++++++ >From 6e4e6fdab32c4a993263cea2cfbcbdb48f9fc17c Mon Sep 17 00:00:00 2001 
From: rcmadhankumar <[email protected]>
Date: Wed, 25 Mar 2026 14:45:45 +0530
Subject: [PATCH] CVE-2026-33186: containerd: google.golang.org/grpc: authorization bypass due to improper validation of the HTTP/2 :path pseudo-header

It is an Authorization Bypass (CWE-285) resulting from Improper Input Validation (CWE-20) of the HTTP/2 :path pseudo-header. The gRPC-Go server was too lenient in its routing logic, accepting requests where the :path omitted the mandatory leading slash (e.g., Service/Method instead of /Service/Method). While the server successfully routed these requests to the correct handler, authorization interceptors (including the official grpc/authz package) evaluated the raw, non-canonical path string. Consequently, "deny" rules defined using canonical paths (starting with /) failed to match the incoming request, allowing it to bypass the policy if a fallback "allow" rule was present.

This affects gRPC-Go servers that meet both of the following criteria:
- They use path-based authorization interceptors, such as the official RBAC implementation in google.golang.org/grpc/authz or custom interceptors relying on info.FullMethod or grpc.Method(ctx).
- Their security policy contains specific "deny" rules for canonical paths but allows other requests by default (a fallback "allow" rule).

The vulnerability is exploitable by an attacker who can send raw HTTP/2 frames with malformed :path headers directly to the gRPC server.

Fix:
- Added "outermost" interceptors that validate the path before any other authorization logic runs (pathValidationInterceptor and pathValidationStreamInterceptor)

Reference: https://github.com/grpc/grpc-go/security/advisories/GHSA-p77j-4mvh-x3m3

Bugs: bsc#1260296
Fixes: CVE-2026-33186

Signed-off-by: rcmadhankumar <[email protected]>
---
 services/server/server.go | 34 ++++++++++++++++++++++++++++++++--
 1 file changed, 32 insertions(+), 2 deletions(-)
diff --git a/services/server/server.go b/services/server/server.go index 5b772ac94..0ab92b118 100644 --- a/services/server/server.go +++ b/services/server/server.go @@ -64,6 +64,8 @@ import ( "github.com/containerd/containerd/sys" "github.com/containerd/log" "github.com/containerd/platforms" + "google.golang.org/grpc/codes" + "google.golang.org/grpc/status" ) // CreateTopLevelDirectories creates the top-level root and state directories. 
@@ -204,9 +206,37 @@ func New(ctx context.Context, config *srvconfig.Config) (*Server, error) { RegisterTTRPC(*ttrpc.Server) error } + // pathValidationInterceptor handles Unary RPCs (simple Request/Response) + pathValidationInterceptor := func(ctx context.Context, req any, info *grpc.UnaryServerInfo, handler grpc.UnaryHandler) (any, error) { + // If the path is empty or doesn't start with '/', it's a bypass attempt. + if info.FullMethod == "" || info.FullMethod[0] != '/' { + return nil, status.Errorf(codes.Unimplemented, "malformed method name") + } + return handler(ctx, req) + } + + // pathValidationStreamInterceptor handles Streaming RPCs (Logs, Events, etc.) + pathValidationStreamInterceptor := func(srv any, ss grpc.ServerStream, info *grpc.StreamServerInfo, handler grpc.StreamHandler) error { + // Same logic as Unary, but using StreamServerInfo + if info.FullMethod == "" || info.FullMethod[0] != '/' { + return status.Errorf(codes.Unimplemented, "malformed method name") + } + return handler(srv, ss) + } + + // 1. Prepare the security shield options + securityShield := []grpc.ServerOption{ + grpc.ChainUnaryInterceptor(pathValidationInterceptor), + grpc.ChainStreamInterceptor(pathValidationStreamInterceptor), + } + var ( - grpcServer = grpc.NewServer(serverOpts...) - tcpServer = grpc.NewServer(tcpServerOpts...) + // 2. Initialize the gRPC Server + // We append the shield to your existing options and use '...' to unpack them + grpcServer = grpc.NewServer(append(serverOpts, securityShield...)...) + + // 3. Initialize the TCP Server + tcpServer = grpc.NewServer(append(tcpServerOpts, securityShield...)...) grpcServices []grpcService tcpServices []tcpService -- 2.53.0 ++++++ 0004-CVE-2026-39821-idna-update-from-x-text-fix-ToUnicode.patch ++++++ ++++ 30077 lines (skipped) ++++++ 0005-CVE-2026-33814-http2-prevent-hanging-Transport-due-t.patch ++++++ >From 589c5f1ddd7749cc1ce3db71bfbd8f33896b6e96 Mon Sep 17 00:00:00 2001 
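Review bot: `grpc.NewServer(append(serverOpts, securityShield...)...)` in the second hunk of 0002 does not give the "outermost" placement the commit message claims. grpc.ChainUnaryInterceptor and grpc.ChainStreamInterceptor run interceptors in the order they were added, first one outermost, so appending securityShield after containerd's existing options puts the path check behind every interceptor already in serverOpts and tcpServerOpts, and those see the unvalidated info.FullMethod before the request is rejected. Prepend instead, e.g. `grpcServer = grpc.NewServer(append(securityShield, serverOpts...)...)` and likewise for tcpServer, so the check really is the first thing that runs. The rejection itself (codes.Unimplemented, "malformed method name") matches the upstream grpc-go behaviour and is fine; the step comments ("Prepare the security shield options", "We append the shield to your existing options") read like pasted instructions rather than code comments and should be reduced to a one-line reference to GHSA-p77j-4mvh-x3m3. Since the same submission rebases to 1.7.33 and drops 0003 as merged upstream, also confirm that the grpc-go vendored in 1.7.33 still lacks the GHSA fix; if it already carries it, this interceptor is redundant and the patch should be dropped for the same reason.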
From: rcmadhankumar <[email protected]> Date: Tue, 2 Jun 2026 13:56:58 +0530 Subject: [PATCH 3/3] CVE-2026-33814: http2: prevent hanging Transport due to bad SETTINGS frame -- CVE-2026-33814 When processing HTTP/2 SETTINGS frames, transport will enter an infinite loop of writing CONTINUATION frames if it receives a SETTINGS_MAX_FRAME_SIZE with a value of 0. Fix: http2: prevent hanging Transport due to bad SETTINGS frame This CL backports https://go.dev/cl/761581 to x/net. Change-Id: Ied435a51fdd8664d41dae14d082c39c76a6a6964 Reviewed-on: https://go-review.googlesource.com/c/net/+/761640 LUCI-TryBot-Result: Go LUCI <[email protected]> Reviewed-by: Nicholas Husin <[email protected]> Reviewed-by: Damien Neil <[email protected]> Fixes bsc#1265794 Fixes golang/go#78476 Fixes CVE-2026-33814 Backport of <https://github.com/golang/net/commit/1e71bd86e4a302b4e731bc06da6eb51679c7bd49> --- vendor/golang.org/x/net/http2/transport.go | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/vendor/golang.org/x/net/http2/transport.go b/vendor/golang.org/x/net/http2/transport.go index f26356b9c..a401b27bd 100644 --- a/vendor/golang.org/x/net/http2/transport.go +++ b/vendor/golang.org/x/net/http2/transport.go @@ -2858,6 +2858,9 @@ func (rl *clientConnReadLoop) processSettingsNoWrite(f *SettingsFrame) error { var seenMaxConcurrentStreams bool err := f.ForeachSetting(func(s Setting) error { + if err := s.Valid(); err != nil { + return err + } switch s.ID { case SettingMaxFrameSize: cc.maxFrameSize = s.Val 
@@ -2889,9 +2892,6 @@ func (rl *clientConnReadLoop) processSettingsNoWrite(f *SettingsFrame) error { cc.henc.SetMaxDynamicTableSize(s.Val) cc.peerMaxHeaderTableSize = s.Val case SettingEnableConnectProtocol: - if err := s.Valid(); err != nil { - return err - } // If the peer wants to send us SETTINGS_ENABLE_CONNECT_PROTOCOL, // we require that it do so in the first SETTINGS frame. // -- 2.54.0 ++++++ _service ++++++ --- /var/tmp/diff_new_pack.rZkXDC/_old 2026-06-23 17:36:52.149918821 +0200 +++ /var/tmp/diff_new_pack.rZkXDC/_new 2026-06-23 17:36:52.153918960 +0200 @@ -3,8 +3,8 @@ <param name="url">https://github.com/containerd/containerd.git</param> <param name="scm">git</param> <param name="filename">containerd</param> - <param name="versionformat">1.7.29_%h</param> - <param name="revision">v1.7.29</param> + <param name="versionformat">1.7.33_%h</param> + <param name="revision">v1.7.33</param> <param name="exclude">.git</param> </service> <service name="recompress" mode="manual"> ++++++ containerd-1.7.29_442cb34b.tar.xz -> containerd-1.7.33_e8b1a9bc2.tar.xz ++++++ ++++ 23663 lines of diff (skipped)
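Review bot: 0005 patches vendor/golang.org/x/net/http2/transport.go in place (the diffstat shows that single file) without touching go.mod or vendor/modules.txt, so the next `go mod vendor` refresh will silently revert it; record in the patch header which tagged x/net release contains the fix (the Backport-of line names only the commit) so the patch can be retired when the vendor tree is bumped. The code change itself is correct: hoisting `if err := s.Valid(); err != nil { return err }` ahead of the switch in the first hunk means SettingMaxFrameSize is validated before `cc.maxFrameSize = s.Val` is reached, which is exactly the SETTINGS_MAX_FRAME_SIZE=0 case the message describes, and the second hunk removes the now-duplicate check that previously ran only for SettingEnableConnectProtocol. Nit: the Subject reads "[PATCH 3/3]" while the spec adds the file as Patch5 and the series in this submission has no 0003; regenerate the header with git format-patch so the numbering matches what is shipped.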
