Sourced from github.com/ethereum/go-ethereum's releases.

Moisture Filters (v1.16.8)

This is a security fix release and is recommended for all users. It resolves two p2p vulnerabilities reported through the Ethereum Foundation bug bounty program.

---

As with all our previous releases, you can find the:

• Pre-built binaries for all platforms on our downloads page.
• Docker images published under ethereum/client-go (use "stable" tag).
• Ubuntu packages in our Launchpad PPA repository.
• macOS packages in our Homebrew Tap repository.

Ballistic Drift Stabilizer (v1.16.7)

This is a re-roll of v1.16.6, including an important fix in the KZG cryptography library.

This release enables the Fusaka hardfork on Ethereum mainnet.

The Fusaka fork is scheduled to occur at 2025-12-03 21:49:11 UTC. Please upgrade your node to v1.16.7 in time for the fork.

This release also enables two blob-parameter-only (BPO) upgrades. These upgrades change protocol parameters to increase the available blob capacity.

• BPO1 on2025-12-09
• BPO2 on 2026-01-07

Fusaka

• Set mainnet timestamps for Osaka (#33063)
• Enable Fusaka for geth --dev mode (#32917)

RPC

• Add eth_sendRawTransactionSync which waits until either a timeout or the transaction is mined. This feature is mostly useful on L2s with lower blocktimes. (#32830, #32930, #32929)
• Add support for eth_simulateV1 in ethclient (#32856)
• Fix for an issue that might crash debug_traceCall (#33015)
• Fix for an issuer where local transactions were not persisted to the journal (#32921)

Core

• Fix for a cryptographic vulnerability in c-kzg-4844. This is only exploitable post-Fusaka. (#33093)
• Add geth --genesis flag as an alternative to running geth init genesis.json (#32844)
• Fix for receipt insertion during ERA file import. (#32934)
• Work on getting the trie node history in order to serve historical eth_getProof request with the new path-based archive node. (#32907, #32914, #32937)
• Further work on cmd/keeper, our guest program for zkVMs (#32816)
• Various optimizations (#32971, #32916, #32965, #32946)

... (truncated)

• abeb78c Merge branch 'dos-fixes' into release/1.16
• ce43eb9 version: release go-ethereum v1.16.8 stable
• 638741b crypto/ecies: use aes blocksize
• fdfd123 core/txpool: drop peers on invalid KZG proofs
• 8ecb686 version: begin v1.16.8 release cycle
• b9f3a3d Merge branch 'master' into release/1.16
• 07129d2 version: release go-ethereum v1.16.7 stable
• 653f8d4 go.mod: update to c-kzg v2.1.5 (#33093)
• 5b77af3 version: begin v1.16.7 release cycle
• 386c3de Merge branch 'master' into release/1.16
• Additional commits viewable in compare view

Sourced from github.com/go-viper/mapstructure/v2's releases.

v2.4.0

What's Changed

• refactor: replace interface{} with any by @​sagikazarmark in go-viper/mapstructure#115
• build(deps): bump github/codeql-action from 3.29.0 to 3.29.2 by @​dependabot[bot] in go-viper/mapstructure#114
• Generic tests by @​sagikazarmark in go-viper/mapstructure#118
• Fix godoc reference link in README.md by @​peczenyj in go-viper/mapstructure#107
• feat: add StringToTimeLocationHookFunc to convert strings to *time.Location by @​ErfanMomeniii in go-viper/mapstructure#117
• feat: add back previous StringToSlice as a weak function by @​sagikazarmark in go-viper/mapstructure#119

New Contributors

• @​ErfanMomeniii made their first contribution in go-viper/mapstructure#117

Full Changelog: go-viper/mapstructure@v2.3.0...v2.4.0

v2.3.0

What's Changed

• build(deps): bump actions/checkout from 4.1.7 to 4.2.0 by @​dependabot in go-viper/mapstructure#46
• build(deps): bump golangci/golangci-lint-action from 6.1.0 to 6.1.1 by @​dependabot in go-viper/mapstructure#47
• [enhancement] Add check for reflect.Value in ComposeDecodeHookFunc by @​mahadzaryab1 in go-viper/mapstructure#52
• build(deps): bump actions/setup-go from 5.0.2 to 5.1.0 by @​dependabot in go-viper/mapstructure#51
• build(deps): bump actions/checkout from 4.2.0 to 4.2.2 by @​dependabot in go-viper/mapstructure#50
• build(deps): bump actions/setup-go from 5.1.0 to 5.2.0 by @​dependabot in go-viper/mapstructure#55
• build(deps): bump actions/setup-go from 5.2.0 to 5.3.0 by @​dependabot in go-viper/mapstructure#58
• ci: add Go 1.24 to the test matrix by @​sagikazarmark in go-viper/mapstructure#74
• build(deps): bump golangci/golangci-lint-action from 6.1.1 to 6.5.0 by @​dependabot in go-viper/mapstructure#72
• build(deps): bump golangci/golangci-lint-action from 6.5.0 to 6.5.1 by @​dependabot in go-viper/mapstructure#76
• build(deps): bump actions/setup-go from 5.3.0 to 5.4.0 by @​dependabot in go-viper/mapstructure#78
• feat: add decode hook for netip.Prefix by @​tklauser in go-viper/mapstructure#85
• Updates by @​sagikazarmark in go-viper/mapstructure#86
• build(deps): bump github/codeql-action from 2.13.4 to 3.28.15 by @​dependabot in go-viper/mapstructure#87
• build(deps): bump actions/setup-go from 5.4.0 to 5.5.0 by @​dependabot in go-viper/mapstructure#93
• build(deps): bump github/codeql-action from 3.28.15 to 3.28.17 by @​dependabot in go-viper/mapstructure#92
• build(deps): bump github/codeql-action from 3.28.17 to 3.28.19 by @​dependabot in go-viper/mapstructure#97
• build(deps): bump ossf/scorecard-action from 2.4.1 to 2.4.2 by @​dependabot in go-viper/mapstructure#96
• Update README.md by @​peczenyj in go-viper/mapstructure#90
• Add omitzero tag. by @​Crystalix007 in go-viper/mapstructure#98
• Use error structs instead of duplicated strings by @​m1k1o in go-viper/mapstructure#102
• build(deps): bump github/codeql-action from 3.28.19 to 3.29.0 by @​dependabot in go-viper/mapstructure#101
• feat: add common error interface by @​sagikazarmark in go-viper/mapstructure#105
• update linter by @​sagikazarmark in go-viper/mapstructure#106
• Feature allow unset pointer by @​rostislaved in go-viper/mapstructure#80

New Contributors

• @​tklauser made their first contribution in go-viper/mapstructure#85
• @​peczenyj made their first contribution in go-viper/mapstructure#90
• @​Crystalix007 made their first contribution in go-viper/mapstructure#98
• @​rostislaved made their first contribution in go-viper/mapstructure#80

Full Changelog: go-viper/mapstructure@v2.2.1...v2.3.0

• b9794a5 Merge pull request #119 from go-viper/string-to-weak-slice
• 17cdcb0 feat: add back previous StringToSlice as a weak function
• 3caca36 Merge pull request #117 from ErfanMomeniii/main
• 9a861bc Merge pull request #107 from peczenyj/patch-2
• 86ed5b5 refactor: update
• ace5b4e chore: add interface any linter
• 1a4f1ae Merge pull request #118 from go-viper/generic-tests
• a268909 fix: lint
• 17f1fd4 test: add more comments
• b48c856 test: expand tests
• Additional commits viewable in compare view

• 4e0068c go.mod: update golang.org/x dependencies
• e79546e ssh: curb GSSAPI DoS risk by limiting number of specified OIDs
• f91f7a7 ssh/agent: prevent panic on malformed constraint
• 2df4153 acme/autocert: let automatic renewal work with short lifetime certs
• bcf6a84 acme: pass context to request
• b4f2b62 ssh: fix error message on unsupported cipher
• 79ec3a5 ssh: allow to bind to a hostname in remote forwarding
• 122a78f go.mod: update golang.org/x dependencies
• c0531f9 all: eliminate vet diagnostics
• 0997000 all: fix some comments
• Additional commits viewable in compare view

Sourced from github.com/docker/docker's releases.

v25.0.13

25.0.13

For a full list of pull requests and changes in this release, refer to the relevant GitHub milestone:

• moby/moby, 25.0.13 milestone
• Changes to the Engine API, see API version history.

Bug fixes and enhancements

• Prevent restoration of iptables rules for deleted networks and containers on firewalld reload. moby/moby#50445
• Fix Swarm services becoming unreachable from published ports after a firewalld reload. moby/moby#50445
• Improve the reliability of the Swarm overlay network control plane by fixing longstanding issues with NetworkDB. moby/moby#50511
• Improve the reliability of Swarm overlay container networks by fixing longstanding issues with the overlay network driver. moby/moby#50551

v25.0.12

25.0.12

For a full list of pull requests and changes in this release, refer to the relevant GitHub milestone:

• moby/moby, 25.0.12 milestone
• Changes to the Engine API, see API version history.

Bug fixes and enhancements

• Fix an issue where all new tasks in the Swarm could get stuck in the PENDING state forever after scaling up a service with placement preferences. moby/moby#50203
• Fix an issue which made DNS service discovery for Swarm services unreliable. moby/moby#50230

Packaging updates

• Update Go toolchain to go1.23.9. moby/moby#50053

v25.0.11

25.0.11

For a full list of pull requests and changes in this release, refer to the relevant GitHub milestone:

• moby/moby, 25.0.11 milestone
• Changes to the Engine API, see API version history.

Networking

• [25.0] Backport network fixes by @​dperny in moby/moby#50005

Known Issues

• Some Swarm services are not discoverable over DNS moby/moby#50129

Full Changelog: moby/moby@v25.0.10...v25.0.11

v25.0.10

25.0.10

For a full list of pull requests and changes in this release, refer to the relevant GitHub milestone:

... (truncated)

• 165516e Merge pull request #50551 from corhere/backport-25.0/libn/all-the-overlay-fixes
• f099e91 libnetwork: handle coalesced endpoint events
• bace1b8 libnetwork/d/overlay: handle coalesced peer updates
• f9e5429 libn/d/win/overlay: dedupe NetworkDB definitions
• fc3df55 libn/d/overlay: extract hashable address types
• b22872a libnetwork/driverapi: make EventNotify optional
• c7e17ae libn/networkdb: report prev value in update events
• d60c71a libnetwork/d/overlay: fix logical race conditions
• ad54b8f libn/d/overlay: fix encryption race conditions
• 8075689 libn/d/overlay: inline secMapWalk into only caller
• Additional commits viewable in compare view

Sourced from github.com/hashicorp/go-getter's releases.

v1.7.9

What's Changed

• Speed up XZ decompression by 5x with bufio wrapper by @​vsarunas in hashicorp/go-getter#520
• Fix CI Workflow by @​mohanmanikanta2299 in hashicorp/go-getter#522
• test: Remove use of "mitchellh/go-testing-interface" for stdlib by @​jrasell in hashicorp/go-getter#523
• fix: url redact of multiple sshkey by @​dduzgun-security in hashicorp/go-getter#528
• Publish arm binaries by @​sethvargo in hashicorp/go-getter#525
• fix errcheck lint errors and run it as part of pr checks by @​abhijeetviswa in hashicorp/go-getter#530
• fix additional lint errors and increase linter scope by @​abhijeetviswa in hashicorp/go-getter#531
• IND-3728 enabling dependabot by @​KaushikiAnand in hashicorp/go-getter#529
• fix: go-getter subdir paths by @​dduzgun-security in hashicorp/go-getter#540

New Contributors

• @​vsarunas made their first contribution in hashicorp/go-getter#520
• @​jrasell made their first contribution in hashicorp/go-getter#523
• @​sethvargo made their first contribution in hashicorp/go-getter#525
• @​abhijeetviswa made their first contribution in hashicorp/go-getter#530
• @​KaushikiAnand made their first contribution in hashicorp/go-getter#529

Full Changelog: hashicorp/go-getter@v1.7.8...v1.7.9

• e702211 Merge pull request #532 from hashicorp/dependabot/github_actions/actions-8948...
• df0a14f [chore] : Bump the actions group with 8 updates
• 87541b2 fix: go-getter subdir paths (#540)
• 3713030 [Compliance] - PR Template Changes Required
• af2dd3c Merge pull request #529 from hashicorp/dependabot-intge
• bf52629 updating dependabot.yml
• 1f63e10 changelog added, updated dependabot.yaml
• 45af459 fix additional lint errors and increase linter scope
• c8c6aba fix errcheck lint errors and run it as part of pr checks
• 9b76f98 copywrite header added
• Additional commits viewable in compare view

Sourced from github.com/opencontainers/runc's releases.

runc v1.2.8 -- "鳥籠の中に囚われた屈辱を"

[!NOTE] Some vendors were given a pre-release version of this release. This public release includes two extra patches to fix regressions discovered very late during the embargo period and were thus not included in the pre-release versions. Please update to this version.

This release contains fixes for three high-severity security vulnerabilities in runc (CVE-2025-31133, CVE-2025-52565, and CVE-2025-52881). All three vulnerabilities ultimately allow (through different methods) for full container breakouts by bypassing runc's restrictions for writing to arbitrary /proc files.

Security

• CVE-2025-31133 exploits an issue with how masked paths are implemented in runc. When masking files, runc will bind-mount the container's /dev/null inode on top of the file. However, if an attacker can replace /dev/null with a symlink to some other procfs file, runc will instead bind-mount the symlink target read-write. This issue affected all known runc versions.

• CVE-2025-52565 is very similar in concept and application to CVE-2025-31133, except that it exploits a flaw in /dev/console bind-mounts. When creating the /dev/console bind-mount (to /dev/pts/$n), if an attacker replaces /dev/pts/$n with a symlink then runc will bind-mount the symlink target over /dev/console. This issue affected all versions of runc >= 1.0.0-rc3.

• CVE-2025-52881 is a more sophisticated variant of CVE-2019-19921, which was a flaw that allowed an attacker to trick runc into writing the LSM process labels for a container process into a dummy tmpfs file and thus not apply the correct LSM labels to the container process. The mitigation we applied for CVE-2019-19921 was fairly limited and effectively only caused runc to verify that when we write LSM labels that those labels are actual procfs files. This issue affects all known runc versions.

Static Linking Notices

The runc binary distributed with this release are statically linked with the following GNU LGPL-2.1 licensed libraries, with runc acting as a "work that uses the Library":

• libseccomp

... (truncated)

Sourced from github.com/opencontainers/runc's changelog.

[1.2.8] - 2025-11-05

鳥籠の中に囚われた屈辱を

Security

This release includes fixes for the following high-severity security issues:

• CVE-2025-31133 exploits an issue with how masked paths are implemented in runc. When masking files, runc will bind-mount the container's /dev/null inode on top of the file. However, if an attacker can replace /dev/null with a symlink to some other procfs file, runc will instead bind-mount the symlink target read-write. This issue affected all known runc versions.

• CVE-2025-52565 is very similar in concept and application to CVE-2025-31133, except that it exploits a flaw in /dev/console bind-mounts. When creating the /dev/console bind-mount (to /dev/pts/$n), if an attacker replaces /dev/pts/$n with a symlink then runc will bind-mount the symlink target over /dev/console. This issue affected all versions of runc >= 1.0.0-rc3.

• CVE-2025-52881 is a more sophisticated variant of CVE-2019-19921, which was a flaw that allowed an attacker to trick runc into writing the LSM process labels for a container process into a dummy tmpfs file and thus not apply the correct LSM labels to the container process. The mitigation we applied for CVE-2019-19921 was fairly limited and effectively only caused runc to verify that when we write LSM labels that those labels are actual procfs files. This issue affects all known runc versions.

[1.4.0-rc.2] - 2025-10-10

私の役目は信じるかどうかではない。行うかどうかだ。

libcontainer API

• The deprecated libcontainer/userns package has been removed; use github.com/moby/sys/userns instead. (#4910, #4911)

Added

• Allow setting user.* sysctls for user-namespaced containers, as they are namespaced and thus safe to configure. (#4889, #4892)
• Add support for using clone3(2)'s CLONE_INTO_CGROUP flag when configuring the runc exec process. This also included some internal changes to how we add processes to containers. (#4822, #4812, #4920)
• Add support for configuring the NUMA pmemory policy for a container with set_mempolicy(2)opencontainers/runtime-spec#1282#4726, #4915)

... (truncated)

• eeb7e60 VERSION: release v1.2.8
• cdee962 merge private security patches into ghsa-release-1.2.8
• b4cb2f5 rootfs: re-allow dangling symlinks in mount targets
• ee56b85 openat2: improve resilience on busy systems
• 2462b68 Merge pull request #4943 from lifubang/backport-1.2-4934-4937
• 99e41a5 ci: only run lint-extra job on PRs to main
• f2a1c98 CI: remove deprecated lima-vm/lima-actions/ssh
• 8f90185 selinux: use safe procfs API for labels
• 948d6e9 rootfs: switch to fd-based handling of mountpoint targets
• 7aa42ad libct: align param type for mountCgroupV1/V2 functions
• Additional commits viewable in compare view

• 7184815 Preparation of release v0.5.14
• 88ddf1d Address Security Issue GHSA-jc7w-c686-c4v9
• c8314b8 Add new package xio with WriteCloserStack
• 4f11dce Update README.md and SECURITY.md to address security questions
• f56ebbf TODO.md: fix a typo
• See full diff in compare view

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
  You can disable automated security fix PRs for this repo from the Security Alerts page.