Skip to content

containerd2: build with default Go toolchain to fix stdlib CVEs#17985

Merged
jslobodzian merged 1 commit into
fasttrack/3.0from
aadagarwal/containerd2-unpin-golang-fasttrack-3.0
Jul 14, 2026
Merged

containerd2: build with default Go toolchain to fix stdlib CVEs#17985
jslobodzian merged 1 commit into
fasttrack/3.0from
aadagarwal/containerd2-unpin-golang-fasttrack-3.0

Conversation

@aadhar-agarwal

@aadhar-agarwal aadhar-agarwal commented Jul 11, 2026

Copy link
Copy Markdown
Merge Checklist
  • The toolchain has been rebuilt successfully
  • The toolchain/worker package manifests are up-to-date
  • Any updated packages successfully build
  • Packages depending on static components modified in this PR (Golang, *-static subpackages, etc.) have had their Release tag incremented.
  • Package tests (%check section) have been verified with RUN_CHECK=y for existing SPEC files, or added to new SPEC files
  • All package sources are available
  • cgmanifest files are up-to-date and sorted
  • LICENSE-MAP files are up-to-date
  • All source files have up-to-date hashes in the *.signatures.json files
  • sudo make go-tidy-all and sudo make go-test-coverage pass
  • Documentation has been updated to match any changes to the build system
  • Ready to merge
Summary

containerd2 is built with BuildRequires: golang < 1.25, so its binaries carry unfixed Go standard-library CVEs. This drops the BuildRequires: golang < 1.25 pin to rebuild with the default Go toolchain (1.26.x), and sets GOEXPERIMENT=ms_nocgo_opensslcrypto so the CGO_ENABLED=0 build works with the new toolchain's OpenSSL backend.

Change Log
Does this affect the toolchain?

NO

Associated issues
  • Microsoft ADO work item 63028495.
Links to CVEs
Test Methodology
  • Validated on an Azure Linux VM that the containerd binaries were built with Go 1.26.x and that govulncheck no longer reports the four targeted stdlib CVEs.

@microsoft-github-policy-service microsoft-github-policy-service Bot added Packaging fasttrack/3.0 PRs Destined for Azure Linux 3.0 labels Jul 11, 2026
Drop 'BuildRequires: golang < 1.25' and set GOEXPERIMENT=ms_nocgo_opensslcrypto
(Microsoft Go 1.25+ defaults to systemcrypto which needs CGO_ENABLED=1;
containerd builds CGO_ENABLED=0). Resolves Go stdlib CVE-2026-25679,
CVE-2026-27139, CVE-2026-33811, CVE-2026-39836 (was built on Go 1.24.13).
@aadhar-agarwal aadhar-agarwal force-pushed the aadagarwal/containerd2-unpin-golang-fasttrack-3.0 branch from c398dee to 485647a Compare July 13, 2026 01:17
@aadhar-agarwal aadhar-agarwal marked this pull request as ready for review July 14, 2026 05:12
@aadhar-agarwal aadhar-agarwal requested a review from a team as a code owner July 14, 2026 05:12
BuildRequires: make
BuildRequires: systemd-rpm-macros

Requires: runc >= 1.2.2

@christopherco christopherco Jul 14, 2026

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

question: Given the new requirement for OpenSSL stack at runtime, is a Requires: openssl-libs needed?

Note: We're likely installing containerd on systems that have OpenSSL present already, so we might be fine without it.

@jslobodzian jslobodzian left a comment

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Reviewed via fasttrack-prs skill: spec review PASS, Fast-track 3.0 PR-check build succeeded.

@jslobodzian jslobodzian merged commit 307991a into fasttrack/3.0 Jul 14, 2026
30 checks passed
@jslobodzian jslobodzian deleted the aadagarwal/containerd2-unpin-golang-fasttrack-3.0 branch July 14, 2026 14:59
@CBL-Mariner-Bot

Copy link
Copy Markdown
Collaborator

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

fasttrack/3.0 PRs Destined for Azure Linux 3.0 Packaging

Projects

None yet

Development

Successfully merging this pull request may close these issues.

4 participants