From 380b97655a12c1ec22d59819b70fa937482ab9bc Mon Sep 17 00:00:00 2001 From: Jingkang Jiang Date: Wed, 24 Jun 2026 11:23:34 +0800 Subject: [PATCH] fix(deps): bump containerd to v1.7.33 to address CVE-2026-53488 and CVE-2026-47262 Bumps github.com/containerd/containerd from v1.7.32 to v1.7.33. - CVE-2026-53488 (HIGH, GHSA-xhf5-7wjv-pqxp): CRI plugin propagated image config labels to containers without validation, potentially allowing arbitrary command execution on the host. - CVE-2026-47262 (MEDIUM, GHSA-jpcc-p29g-p8mq): a maliciously crafted image could trigger memory exhaustion and OOM-kill the containerd process (DoS). Both are fixed in containerd 1.7.33. This is a semver patch upgrade (API-compatible); only go.mod/go.sum change. Co-Authored-By: Claude Opus 4.8 Signed-off-by: Jingkang Jiang
---
 go.mod | 2 +-
 go.sum | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/go.mod b/go.mod
index 818bc2d..b538457 100644
--- a/go.mod
+++ b/go.mod
@@ -3,7 +3,7 @@ module github.com/cloudpilot-ai/hermes
 go 1.25.0
 require (
- github.com/containerd/containerd v1.7.32
+ github.com/containerd/containerd v1.7.33
 github.com/containerd/containerd/api v1.8.0
 github.com/containerd/continuity v0.5.0
 github.com/containerd/errdefs v1.0.0
diff --git a/go.sum b/go.sum
index 7a3fdf1..0738e56 100644
--- a/go.sum
+++ b/go.sum
@@ -23,8 +23,8 @@ github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDk
 github.com/cncf/udpa/go v0.0.0-20191209042840-269d4d468f6f/go.mod h1:M8M6+tZqaGXZJjfX53e64911xZQV5JYwmTeXPW+k8Sc=
 github.com/containerd/cgroups v1.1.0 h1:v8rEWFl6EoqHB+swVNjVoCJE8o3jX7e8nqBGPLaDFBM=
 github.com/containerd/cgroups v1.1.0/go.mod h1:6ppBcbh/NOOUU+dMKrykgaBnK9lCIBxHqJDGwsa1mIw=
-github.com/containerd/containerd v1.7.32 h1:S54xuVcPxeLaYgaRABtpJ2VyVUVsy0IGf7qHBs+sbY8=
-github.com/containerd/containerd v1.7.32/go.mod h1:jdwD6s/BhV4XVJGrvtziNPVA+83n66TwptVaPKprq4E=
+github.com/containerd/containerd v1.7.33 h1:iAkYGC/ifR/V+0eR4iXWHNGYUF0DF2PmGV5iz4Irj5M=
+github.com/containerd/containerd v1.7.33/go.mod h1:gSbSCVjPCdkfJCjyrzz7aRC+xFlqVbatNpfHfVCYGUM=
 github.com/containerd/containerd/api v1.8.0 h1:hVTNJKR8fMc/2Tiw60ZRijntNMd1U+JVMyTRdsD2bS0=
 github.com/containerd/containerd/api v1.8.0/go.mod h1:dFv4lt6S20wTu/hMcP4350RL87qPWLVa/OHOwmmdnYc=
 github.com/containerd/continuity v0.5.0 h1:7a85HZpCSs+1Zps0Ee3DPSuAWY+0SJM1JNM51nlEVDg=