49e180d3d5
For more information on the version bump, see:

- https://github.com/containerd/containerd/releases/tag/v2.0.7
- https://github.com/containerd/containerd/releases/tag/v2.0.6
- https://github.com/containerd/containerd/releases/tag/v2.0.5
- https://github.com/containerd/containerd/releases/tag/v2.0.4
- https://github.com/containerd/containerd/releases/tag/v2.0.3

Fixes the following vulnerabilities:

- CVE-2024-25621: Versions 2.0.0-beta.0 through 2.0.6 have an overly broad default permission vulnerability. Directory paths `/var/lib/containerd`, `/run/containerd/io.containerd.grpc.v1.cri` and `/run/containerd/io.containerd.sandbox.controller.v1.shim` were all created with incorrect permissions.
  https://www.cve.org/CVERecord?id=CVE-2024-25621

- CVE-2024-40635: A bug was found in containerd prior to version 2.0.4 where containers launched with a User set as a `UID:GID` larger than the maximum 32-bit signed integer can cause an overflow condition where the container ultimately runs as root (UID 0). This could cause unexpected behavior for environments that require containers to run as a non-root user.
  https://www.cve.org/CVERecord?id=CVE-2024-40635

- CVE-2025-47291: A bug was found in containerd's CRI implementation where containerd, starting in version 2.0.1 and prior to version 2.0.5, doesn't put user-namespaced containers under the Kubernetes cgroup hierarchy, therefore some Kubernetes limits are not honored. This may cause a denial of service of the Kubernetes node.
  https://www.cve.org/CVERecord?id=CVE-2025-47291

- CVE-2025-64329: Versions 2.0.0-beta.0 through 2.0.6 contain a bug in the CRI Attach implementation where a user can exhaust memory on the host due to goroutine leaks.
  https://www.cve.org/CVERecord?id=CVE-2025-64329

Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Julien Olivain <ju.o@free.fr>
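The CVE-2024-40635 entry above describes a `UID:GID` value that overflows a 32-bit signed integer. As an added illustration that is not part of this commit or of containerd's own code, the Go snippet below parses such a user string and rejects out-of-range components before any narrowing conversion, alongside a helper that shows why an unchecked conversion is dangerous; the function names, the `MaxID` bound and the sample inputs are this example's own assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// MaxID is the largest UID/GID accepted: the maximum 32-bit signed integer,
// the bound CVE-2024-40635 concerns. Constructed example, not containerd code.
const MaxID = 1<<31 - 1
var ErrOutOfRange = errors.New("uid/gid out of range") // does not fit int32

// NarrowUnchecked shows the hazard: an unchecked conversion to int32 wraps
// silently, so 1<<32 becomes 0 (root) and 1<<31 becomes negative.
func NarrowUnchecked(v uint64) int32 { return int32(v) }

// parseID parses one decimal ID and rejects it before any narrowing happens.
func parseID(s string) (uint32, error) {
	v, err := strconv.ParseUint(s, 10, 64)
	if err != nil {
		return 0, fmt.Errorf("invalid id %q: %w", s, err)
	}
	if v > MaxID {
		return 0, fmt.Errorf("%w: %d exceeds %d", ErrOutOfRange, v, MaxID)
	}
	return uint32(v), nil
}

// ParseUserSpec validates a "UID:GID" user string, rejecting any component
// that would overflow a 32-bit signed integer instead of letting it wrap.
func ParseUserSpec(spec string) (uid, gid uint32, err error) {
	u, g, ok := strings.Cut(spec, ":")
	if !ok {
		return 0, 0, fmt.Errorf("user %q is not in UID:GID form", spec)
	}
	if uid, err = parseID(u); err != nil {
		return 0, 0, err
	}
	if gid, err = parseID(g); err != nil {
		return 0, 0, err
	}
	return uid, gid, nil
}

func main() {
	uid, gid, err := ParseUserSpec("4294967296:0") // rejected rather than wrapped
	fmt.Println(uid, gid, err)
}
```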