[release/1.2] Prepare v1.2.12 release #3984

Merged
dmcgowan merged 2 commits into containerd:release/1.2 from thaJeztah:release_1.2.12 on Feb 4, 2020
@thaJeztah
Member

  • Update the runc vendor to v1.0.0-rc10 which includes a mitigation for CVE-2019-19921.

  • Update the opencontainers/selinux which includes a mitigation for CVE-2019-16884.

  • Update Golang runtime to 1.12.15, which includes a fix to the runtime (Go 1.12.14, Go 1.12.15) and the net/http package (Go 1.12.15)

  • A fix to prevent SIGSEGV when starting containerd-shim containerd/containerd#3960

  • Fixes to exec containerd/containerd#3755

    • Prevent docker exec hanging if an earlier docker exec left a zombie process
    • Prevent High system load/CPU utilization with liveness and readiness probes
    • Prevent Docker healthcheck causing high CPU utilization
  • CRI fixes:

    • Update the gopkg.in/yaml.v2 vendor to v2.2.8 with a mitigation for CVE-2019-11253

Comment thread releases/v1.2.12.toml Outdated
Member Author

Not sure if this one should be mentioned; IIUC the CVE was in the runc binary, and the updated dependency has no effect in this code-base (please double check); if so, I'm inclined to remove the mention here and above

Comment thread releases/v1.2.12.toml Outdated
Member Author

This is pending containerd/cri#1388 to be merged, and containerd/cri to be re-vendored

@thaJeztah
Member Author

thaJeztah commented Jan 28, 2020

Generated release notes:

containerd 1.2.12

Welcome to the v1.2.12 release of containerd!

The twelfth patch release for containerd 1.2 includes an updated runc with
a fix for CVE-2019-19921, an updated version of the opencontainers/selinux
dependency, which includes a fix for CVE-2019-16884, an updated version of the
gopkg.in/yaml.v2 dependency to address CVE-2019-11253, and a Golang update.

Notable Updates

  • Update the runc vendor to v1.0.0-rc10 which includes a mitigation for CVE-2019-19921.

  • Update the opencontainers/selinux which includes a mitigation for CVE-2019-16884.

  • Update Golang runtime to 1.12.16, mitigating the CVE-2020-0601 certificate verification bypass on Windows, and CVE-2020-7919, which only affects 32-bit architectures.

  • Update Golang runtime to 1.12.15, which includes a fix to the runtime (Go 1.12.14, Go 1.12.15) and the net/http package (Go 1.12.15)

  • A fix to prevent SIGSEGV when starting containerd-shim containerd/containerd#3960

  • Fixes to exec containerd/containerd#3755

    • Prevent docker exec hanging if an earlier docker exec left a zombie process
    • Prevent High system load/CPU utilization with liveness and readiness probes
    • Prevent Docker healthcheck causing high CPU utilization
  • CRI fixes:

    • Update the gopkg.in/yaml.v2 vendor to v2.2.8 with a mitigation for CVE-2019-11253

API

Please try out the release binaries and report any issues at
https://github.com/containerd/containerd/issues.

Contributors

  • Sebastiaan van Stijn
  • Lantao Liu
  • Phil Estes
  • Davanum Srinivas
  • Derek McGowan
  • Michael Crosby
  • Mike Brown
  • Maksym Pavlenko
  • Akihiro Suda
  • Wei Fu
  • unknown

Changes

  • 35c414af Prepare v1.2.12 release
  • 7018df22 Merge pull request #3996 from thaJeztah/1.2_bump_containerd_cri
  • 9c7bd507 Merge pull request #3997 from thaJeztah/1.2_backport_dockerfile_test_fixes
  • 89c589bf Merge pull request #3995 from thaJeztah/1.2_backport_bump_grpc
  • 8761b1bf Update name for btrfs headers package
  • 5db3987e Fix dependency in BUILDING.md
  • 94561168 [release/1.2] vendor: bump containerd/cri b1052f3b73fb9f0a6805d3c20e884a4cef265a38
  • 520c8cb8 bump google.golang.org/grpc v1.23.1
  • a558638e Merge pull request #3993 from thaJeztah/1.2_update_containerd_cri
  • c12aaf0e vendor: bump gopkg.in/yaml.v2 v2.2.8
  • 9d1954f2 vendor: bump containerd/cri b075cc4e9f394780dbed101601c48dcc3d37c828 (release/1.2 branch)
  • 92b40b62 Merge pull request #3988 from thaJeztah/1.2_bump_golang_1.12.16
  • 1bc2590d vendor: update golang.org/x/crypto 69ecbb4d6d5dab05e49161c6e77ea40a030884e1
  • 44b5bac0 Update Golang 1.12.16 (CVE-2020-0601, CVE-2020-7919)
  • 72769740 Merge pull request #3982 from dims/bump-opencontainers/selinux-for-CVE-2019-16884-release-1.2
  • 4c03d5df Pick up fix for CVE-2019-16884 in opencontainers/selinux
  • 318111bd Merge pull request #3977 from dims/update-to-new-rc10-of-opencontainers/runc-release-1.2
  • 87648d2a Bump to opencontainers/runc new version - v1.0.0-rc10
  • 701a8d0d Merge pull request #3968 from thaJeztah/1.2_bump_golang_1.12.15
  • f106ae4a Update Golang 1.12.15
  • 625b11b6 Merge pull request #3960 from fuweid/cp-3559
  • 4288ba10 runtime: only check killall for init process
  • 28d16271 Merge pull request #3918 from thaJeztah/1.2_bump_golang_1.12.14
  • e7b06baa Update Golang 1.12.14
  • b584375b Merge pull request #3909 from estesp/cp-3898-1.2
  • 34978bf3 Disable criu tests in Travis CI
  • 79f4c650 Merge pull request #3755 from thaJeztah/1.2_backport_avoid_unnecessary_runc_state
  • ec48c950 Merge pull request #3856 from fuweid/cp-1.2-3853
  • de8ed89b Fix cleanup error on content client test
  • 0877136a Use cached state instead of runc state.
  • f71f6d39 Robust pid locking for shim processes
  • 42aba6e0 Add timeout for I/O waitgroups

Changes from containerd/cri

  • b1052f3b Merge pull request #1392 from dims/sync-vendors-with-containerd-in-release/1.2
  • 6adfc229 Merge pull request #1389 from dims/update-opencontainers/selinux-in-release/1.2
  • 6f8dc60e Sync vendors with containerd 1.2.11
  • ae6b4816 pick up fix for CVE-2019-19921 in opencontainers/selinux
  • b075cc4e Merge pull request #1388 from thaJeztah/1.2_bump_yaml
  • b1a3e1e9 [release/1.2] vendor: bump gopkg.in/yaml.v2 v2.2.8
  • 5420c6fb Merge pull request #1354 from Random-Liu/cherrypick-#1351-release-1.2
  • 12b09431 Better handle unknown state.
  • 57022a55 Merge pull request #1321 from Random-Liu/cherrypick-#1319-release-1.2
  • c229ad5c Fix containerd build, use libbtrfs-dev when available.
  • 80959d35 Merge pull request #1313 from Random-Liu/cherrypick-#1312-release-1.2
  • 6a7a8275 Update based on default xenial distro.
  • 69a876d4 Merge pull request #1305 from Random-Liu/sync-vendor-release-1.2
  • b638ad99 Sync vendors with containerd.

Dependency Changes

Previous release can be found at v1.2.11

  • github.com/containerd/cri bab7348fcfcc -> b1052f3b73fb
  • github.com/opencontainers/runc d736ef14f028 -> dc9208a3303f
  • github.com/opencontainers/selinux v1.2.2 -> 5215b1806f52
  • golang.org/x/crypto 49796115aa4b -> 69ecbb4d6d5d
  • google.golang.org/appengine 54a98f90d1c4 new
  • google.golang.org/grpc 6eaf6f47437a -> 39e8a7b072a6
  • gopkg.in/yaml.v2 v2.2.1 -> 53403b58ad1b

@thaJeztah
Member Author

thaJeztah commented Jan 28, 2020

Also need to include #3988 and #3993

And (from slack chat with @dmcgowan);

### API
* Fix API filters to properly handle and return parse errors [containerd/containerd#3950](https://github.com/containerd/containerd/pull/3950)

@thaJeztah
Member Author

thaJeztah commented Jan 30, 2020

Also probably good to vendor before release;

@estesp
Member

estesp commented Jan 31, 2020

@thaJeztah those both appear to be complete and I just compared cri 1.2 branch with our release/1.2 branch and it seems correct; anything else we are waiting on?

@thaJeztah
Member Author

nope; I think we should be done. I'll update this PR to add the missing changes to the changelog

@thaJeztah thaJeztah marked this pull request as ready for review January 31, 2020 16:22
@thaJeztah
Member Author

Updated, and moved out of draft 👍

@codecov-io

codecov-io commented Jan 31, 2020

Codecov Report

Merging #3984 into release/1.2 will not change coverage.
The diff coverage is n/a.

@@             Coverage Diff              @@
##           release/1.2    #3984   +/-   ##
============================================
  Coverage        44.19%   44.19%           
============================================
  Files              100      100           
  Lines            10847    10847           
============================================
  Hits              4794     4794           
  Misses            5313     5313           
  Partials           740      740
Flag Coverage Δ
#linux 47.87% <ø> (ø) ⬆️
#windows 41% <ø> (ø) ⬆️

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 7018df2...79d6576. Read the comment docs.

Member

@fuweid fuweid left a comment

LGTM

@thaJeztah
Member Author

rebased, as some changes went into the branch

Member

@estesp estesp left a comment

LGTM

@thaJeztah
Member Author

@dmcgowan we didn't merge yet; merge whenever you're ready

@dmcgowan
Member

dmcgowan commented Feb 3, 2020

This is ready to go, I'll merge it in a bit when ready to do the release. I want to make sure the 1.3.x is also ready to go. I'll open up that PR shortly

dmcgowan and others added 2 commits February 3, 2020 23:24
Signed-off-by: Derek McGowan <[email protected]>
* Update the runc vendor to v1.0.0-rc10 which includes a mitigation for [CVE-2019-19921](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19921).
* Update the opencontainers/selinux which includes a mitigation for [CVE-2019-16884](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16884).
* Update Golang runtime to 1.12.16, mitigating the [CVE-2020-0601](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0601) certificate verification bypass on Windows, and [CVE-2020-7919](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7919), which only affects 32-bit architectures.
* Update Golang runtime to 1.12.15, which includes a fix to the runtime (Go 1.12.14, Go 1.12.15) and the `net/http` package (Go 1.12.15)
* A fix to prevent `SIGSEGV` when starting containerd-shim [containerd#3960](containerd#3960)
* Fixes to `exec` [containerd#3755](containerd#3755)
    - Prevent `docker exec` hanging if an earlier `docker exec` left a zombie process
    - Prevent High system load/CPU utilization with liveness and readiness probes
    - Prevent Docker healthcheck causing high CPU utilization

* CRI fixes:
    - Update the `gopkg.in/yaml.v2` vendor to v2.2.8 with a mitigation for [CVE-2019-11253](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11253)

* API
    - Fix API filters to properly handle and return parse errors [containerd#3950](containerd#3950)

Signed-off-by: Sebastiaan van Stijn <[email protected]>
@dmcgowan dmcgowan merged commit 35bd7a5 into containerd:release/1.2 Feb 4, 2020
@thaJeztah thaJeztah deleted the release_1.2.12 branch February 4, 2020 08:17