Comparing changes

base repository: moby/moby
base: v23.0.5
head repository: moby/moby
compare: v23.0.6
  • 17 commits
  • 56 files changed
  • 6 contributors

Commits on May 3, 2023

  1. [23.0] update go to go1.19.9

    go1.19.9 (released 2023-05-02) includes three security fixes to the html/template
    package, as well as bug fixes to the compiler, the runtime, and the crypto/tls
    and syscall packages. See the Go 1.19.9 milestone on our issue tracker for details.
    
    https://github.com/golang/go/issues?q=milestone%3AGo1.19.9+label%3ACherryPickApproved
    
    release notes: https://go.dev/doc/devel/release#go1.19.9
    full diff: golang/go@go1.19.8...go1.19.9
    
    from the announcement:
    
    > These minor releases include 3 security fixes following the security policy:
    >
    > - html/template: improper sanitization of CSS values
    >
    >   Angle brackets (`<>`) were not considered dangerous characters when inserted
    >   into CSS contexts. Templates containing multiple actions separated by a '/'
    >   character could result in unexpectedly closing the CSS context and allowing
    >   for injection of unexpected HTML, if executed with untrusted input.
    >
    >   Thanks to Juho Nurminen of Mattermost for reporting this issue.
    >
    >   This is CVE-2023-24539 and Go issue https://go.dev/issue/59720.
    >
    > - html/template: improper handling of JavaScript whitespace
    >
    >   Not all valid JavaScript whitespace characters were considered to be
    >   whitespace. Templates containing whitespace characters outside of the character
    >   set "\t\n\f\r\u0020\u2028\u2029" in JavaScript contexts that also contain
    >   actions may not be properly sanitized during execution.
    >
    >   Thanks to Juho Nurminen of Mattermost for reporting this issue.
    >
    >   This is CVE-2023-24540 and Go issue https://go.dev/issue/59721.
    >
    > - html/template: improper handling of empty HTML attributes
    >
    >   Templates containing actions in unquoted HTML attributes (e.g. "attr={{.}}")
    >   executed with empty input could result in output that would have unexpected
    >   results when parsed due to HTML normalization rules. This may allow injection
    >   of arbitrary attributes into tags.
    >
    >   Thanks to Juho Nurminen of Mattermost for reporting this issue.
    >
    >   This is CVE-2023-29400 and Go issue https://go.dev/issue/59722.
    
    Signed-off-by: Sebastiaan van Stijn <[email protected]>
    thaJeztah committed May 3, 2023
    commit 70dbd2c

Commits on May 4, 2023

  1. Merge pull request #45455 from thaJeztah/23.0_update_go1.19.9

    [23.0] update go to go1.19.9
    thaJeztah authored May 4, 2023
    commit c5197fe
  2. d/graphdriver/copy: support src fs w/o xattr support

    Treat copying extended attributes from a source filesystem which does
    not support extended attributes as a no-op, same as if the file did not
    possess the extended attribute. Only fail copying extended attributes if
    the source file has the attribute and the destination filesystem does
    not support xattrs.
    
    Signed-off-by: Cory Snider <[email protected]>
    (cherry picked from commit 2b6761f)
    Signed-off-by: Cory Snider <[email protected]>
    corhere committed May 4, 2023
    commit 94fcd2d
  3. Merge pull request #45465 from corhere/backport-23.0/copy-xattr-notsupp

    [23.0 backport] d/graphdriver/copy: support src fs w/o xattr support
    thaJeztah authored May 4, 2023
    commit 24fd7c5

Commits on May 5, 2023

  1. Update github.com/containerd/containerd to the HEAD of `release/1.6` and vendor
    
    Signed-off-by: Laura Brehm <[email protected]>
    (cherry picked from commit e85c69e)
    Signed-off-by: Sebastiaan van Stijn <[email protected]>
    laurazard authored and thaJeztah committed May 5, 2023
    commit e0843f2
  2. vendor: github.com/containerd/ttrpc v1.1.1

    - server: Fix connection leak when receiving ECONNRESET
    
    full diff: containerd/ttrpc@v1.1.0...v1.1.1
    
    Signed-off-by: Sebastiaan van Stijn <[email protected]>
    (cherry picked from commit c733cf2)
    Signed-off-by: Sebastiaan van Stijn <[email protected]>
    thaJeztah committed May 5, 2023
    commit 382e9eb
  3. vendor: opencontainers/image-spec v1.1.0-rc2.0.20221005185240-3a7f492d3f1b
    
    full diff: opencontainers/image-spec@02efb9a...3a7f492
    
    Signed-off-by: Sebastiaan van Stijn <[email protected]>
    (cherry picked from commit 0233029)
    Signed-off-by: Sebastiaan van Stijn <[email protected]>
    thaJeztah committed May 5, 2023
    commit cf7742e
  4. vendor: re-vendor to add missing file

    When running hack/vendor.sh, I noticed this file was added to vendor.
    I suspect this should've been part of 0233029,
    but the vendor check doesn't appear to be catching this.
    
    Signed-off-by: Sebastiaan van Stijn <[email protected]>
    (cherry picked from commit 3f09316)
    Signed-off-by: Sebastiaan van Stijn <[email protected]>
    thaJeztah committed May 5, 2023
    commit d06cf03
  5. vendor: github.com/containerd/containerd v1.6.20

    full diff: containerd/containerd@de33abf...v1.6.20
    
    Signed-off-by: Sebastiaan van Stijn <[email protected]>
    (cherry picked from commit 61a0e79)
    Signed-off-by: Sebastiaan van Stijn <[email protected]>
    thaJeztah committed May 5, 2023
    commit bd4620f
  6. Vendor containerd 1.6.x with the readonly mount fix

    Uses containerd from release/1.6 commit containerd/containerd@c0efc63
    
    Signed-off-by: Djordje Lukic <[email protected]>
    (cherry picked from commit be4abf9)
    Signed-off-by: Sebastiaan van Stijn <[email protected]>
    rumpl authored and thaJeztah committed May 5, 2023
    commit e00f6ef
  7. vendor: github.com/containerd/containerd v1.6.21

    release notes: https://github.com/containerd/containerd/releases/tag/v1.6.21
    
    Notable Updates
    
    - update runc binary to v1.1.7
    - Remove entry for container from container store on error
    - oci: partially restore comment on read-only mounts for uid/gid uses
    - windows: Add ArgsEscaped support for CRI
    - oci: Use WithReadonlyTempMount when adding users/groups
    - archive: consistently respect value of WithSkipDockerManifest
    
    full diff: containerd/containerd@c0efc63...v1.6.21
    
    Signed-off-by: Sebastiaan van Stijn <[email protected]>
    (cherry picked from commit a873134)
    Signed-off-by: Sebastiaan van Stijn <[email protected]>
    thaJeztah committed May 5, 2023
    commit 14661fc
  8. update containerd binary to v1.6.21

    release notes: https://github.com/containerd/containerd/releases/tag/v1.6.21
    
    Notable Updates
    
    - update runc binary to v1.1.7
    - Remove entry for container from container store on error
    - oci: partially restore comment on read-only mounts for uid/gid uses
    - windows: Add ArgsEscaped support for CRI
    - oci: Use WithReadonlyTempMount when adding users/groups
    - archive: consistently respect value of WithSkipDockerManifest
    
    full diff: containerd/containerd@c0efc63...v1.6.21
    
    Signed-off-by: Sebastiaan van Stijn <[email protected]>
    thaJeztah committed May 5, 2023
    commit edadebe
  9. update runc binary to v1.1.6

    release notes: https://github.com/opencontainers/runc/releases/tag/v1.1.6
    full diff: opencontainers/runc@v1.1.5...v1.1.6
    
    This is the sixth patch release in the 1.1.z series of runc, which fixes
    a series of cgroup-related issues.
    
    Note that this release can no longer be built from sources using Go
    1.16. Using a latest maintained Go 1.20.x or Go 1.19.x release is
    recommended. Go 1.17 can still be used.
    
    - systemd cgroup v1 and v2 drivers were deliberately ignoring UnitExist error
      from systemd while trying to create a systemd unit, which in some scenarios
      may result in a container not being added to the proper systemd unit and
      cgroup.
    - systemd cgroup v2 driver was incorrectly translating cpuset range from spec's
      resources.cpu.cpus to systemd unit property (AllowedCPUs) in case of more
      than 8 CPUs, resulting in the wrong AllowedCPUs setting.
    - systemd cgroup v1 driver was prefixing container's cgroup path with the path
      of PID 1 cgroup, resulting in inability to place PID 1 in a non-root cgroup.
    - runc run/start may return "permission denied" error when starting a rootless
      container when the file to be executed does not have executable bit set for
      the user, not taking the CAP_DAC_OVERRIDE capability into account. This is
      a regression in runc 1.1.4, as well as in Go 1.20 and 1.20.1.
    - cgroup v1 drivers are now aware of misc controller.
    
    Signed-off-by: Sebastiaan van Stijn <[email protected]>
    (cherry picked from commit d0efca8)
    Signed-off-by: Sebastiaan van Stijn <[email protected]>
    thaJeztah committed May 5, 2023
    commit 3f0402c
  10. update runc binary to v1.1.7

    release notes: https://github.com/opencontainers/runc/releases/tag/v1.1.7
    full diff: opencontainers/runc@v1.1.6...v1.1.7
    
    This is the seventh patch release in the 1.1.z release of runc, and is
    the last planned release of the 1.1.z series. It contains a fix for
    cgroup device rules with systemd when handling device rules for devices
    that don't exist (though for devices whose drivers don't correctly
    register themselves in the kernel -- such as the NVIDIA devices -- the
    full fix only works with systemd v240+).
    
    - When used with systemd v240+, systemd cgroup drivers no longer skip
      DeviceAllow rules if the device does not exist (a regression introduced
      in runc 1.1.3). This fix also reverts the workaround added in runc 1.1.5,
      removing an extra warning emitted by runc run/start.
    - The source code now has a new file, runc.keyring, which contains the keys
      used to sign runc releases.
    
    Signed-off-by: Sebastiaan van Stijn <[email protected]>
    (cherry picked from commit 2d0e899)
    Signed-off-by: Sebastiaan van Stijn <[email protected]>
    thaJeztah committed May 5, 2023
    commit e73310d
  11. Merge pull request #45477 from thaJeztah/23.0_backport_vendor_containerd_1.6.21
    
    [23.0 backport] vendor: github.com/containerd/containerd v1.6.21
    tianon authored May 5, 2023
    commit e1c0536
  12. Merge pull request #45478 from thaJeztah/23.0_containerd_binary_1.6.21

    [23.0] update containerd binary to v1.6.21
    tianon authored May 5, 2023
    commit 6030355
  13. Merge pull request #45371 from thaJeztah/23.0_backport_runc_binary_1.1.6

    [23.0 backport] update runc binary to v1.1.7
    tianon authored May 5, 2023
    commit 9dbdbd4