An open index of dependabot pull requests across open source projects.

chore(deps): bump github.com/containerd/containerd from 1.7.27 to 1.7.29

Number: #17677
Type: Pull Request
State: Closed
Author: dependabot[bot]
Association: Unknown
Comments: 5
Created: November 06, 2025 at 03:22 PM UTC
Updated: December 05, 2025 at 09:26 AM UTC
Closed: November 06, 2025 at 06:29 PM UTC
Time to Close: about 3 hours
Labels:
dependencies ci-all-qa-tests auto-merge auto-retest backport release-4.7 backport release-4.8 backport release-4.9
Description:

Bumps github.com/containerd/containerd from 1.7.27 to 1.7.29.

Release notes

Sourced from github.com/containerd/containerd's releases.

containerd 1.7.29

Welcome to the v1.7.29 release of containerd!

The twenty-ninth patch release for containerd 1.7 contains various fixes and updates including security patches.

Security Updates

Highlights

Image Distribution

  • Update differ to handle zstd media types (#12018)

Runtime

  • Update runc binary to v1.3.3 (#12480)
  • Fix lost container logs from quickly closing io (#12375)

Please try out the release binaries and report any issues at https://github.com/containerd/containerd/issues.

Contributors

  • Derek McGowan
  • Akihiro Suda
  • Phil Estes
  • Austin Vazquez
  • Sebastiaan van Stijn
  • ningmingxiao
  • Maksym Pavlenko
  • StepSecurity Bot
  • wheat2018

Changes

... (truncated)

Commits
  • 442cb34 Merge commit from fork
  • e5cb6dd Merge commit from fork
  • 9772966 Merge pull request #12486 from dmcgowan/prepare-v1.7.29
  • 1fc2daa Prepare release notes for v1.7.29
  • 93f710a Merge pull request #12480 from k8s-infra-cherrypick-robot/cherry-pick-12475-t...
  • 68d04be Merge pull request #12471 from austinvazquez/1_7_update_ci_go_and_images
  • 3f5f9f8 runc: Update runc binary to v1.3.3
  • 667409f ci: bump Go 1.24.9, 1.25.3
  • 294f8c0 Update GHA runners to use latest images for basic binaries build
  • cf66b41 Update GHA runners to use latest image for most jobs
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot will merge this PR once CI passes on it, as requested by @rhacs-bot.


Package Dependencies
Ecosystem: go
Version Change: 1.7.27 → 1.7.29
Update Type: Patch
Security Advisories
  • containerd CRI server: Host memory exhaustion through Attach goroutine leak
    GHSA-m6hq-p25p-ffr2, CVE-2025-64329, MODERATE
    Impact: A bug was found in containerd's CRI Attach implementation where a user can exhaust memory on the host due to goroutine leaks. Repetitive calls of CRI Attach (e.g., [`kubectl attach`](...
  • containerd affected by a local privilege escalation via wide permissions on CRI directory
    GHSA-pwhc-rpq9-4c8w, CVE-2024-25621, HIGH
    Impact: An overly broad default permission vulnerability was found in containerd. - `/var/lib/containerd` was created with the permission bits 0o711, while it should be created with 0o700 - ...
  • runc container escape and denial of service due to arbitrary write gadgets and procfs write redirects
    GHSA-cgrx-mc8f-2prm, CVE-2025-52881, HIGH
    Impact: This attack is primarily a more sophisticated version of CVE-2019-19921, which was a flaw which allowed an attacker to trick runc into writing the LSM process labels for a container...
  • runc container escape with malicious config due to /dev/console mount and related races
    GHSA-qw9x-cqr3-wc7r, CVE-2025-52565, HIGH
    Impact: This attack is very similar in concept and application to CVE-2025-31133, except that it attacks a similar vulnerability in a different target (namely, the bind-mount of `/dev/pts/$n...
  • runc container escape via "masked path" abuse due to mount race conditions
    GHSA-9493-h29p-rfm2, CVE-2025-31133, HIGH
    Impact: The OCI runtime specification has a `maskedPaths` feature that allows for files or directories to be "masked" by placing a mount on top of them to conceal their contents. This is p...
Technical Details
ID: 11765961
UUID: 3596297393
Node ID: PR_kwDOGd6UEM6x7Oti
Host: GitHub
Repository: stackrox/stackrox