Skip to content

containerd2: build with default Go toolchain to fix stdlib CVEs#17985

Draft
aadhar-agarwal wants to merge 1 commit into
fasttrack/3.0from
aadagarwal/containerd2-unpin-golang-fasttrack-3.0
Draft

containerd2: build with default Go toolchain to fix stdlib CVEs#17985
aadhar-agarwal wants to merge 1 commit into
fasttrack/3.0from
aadagarwal/containerd2-unpin-golang-fasttrack-3.0

Conversation

@aadhar-agarwal

@aadhar-agarwal aadhar-agarwal commented Jul 11, 2026

Copy link
Copy Markdown
Merge Checklist
  • The toolchain has been rebuilt successfully (or no changes were made to it) — no toolchain changes
  • The toolchain/worker package manifests are up-to-date — N/A
  • Any updated packages successfully build (or no packages were changed) — buddy build 1156440 passed (amd64 + arm64)
  • Packages depending on static components modified in this PR (Golang, *-static subpackages, etc.) have had their Release tag incremented.
  • Package tests (%check section) have been verified with RUN_CHECK=y for existing SPEC files, or added to new SPEC files
  • All package sources are available — no source change (same v2.2.4 tarball)
  • cgmanifest files are up-to-date and sorted — no dependency/source changes
  • LICENSE-MAP files are up-to-date — no license changes
  • All source files have up-to-date hashes in the *.signatures.json files — no source changes
  • sudo make go-tidy-all and sudo make go-test-coverage pass — N/A (no toolkit changes)
  • Documentation has been updated to match any changes to the build system — N/A
  • Ready to merge
Summary

containerd2 is built with the pinned EOL Go 1.24.13, so its binaries carry unfixed Go standard-library CVEs. This drops the BuildRequires: golang < 1.25 pin to rebuild with the default Go toolchain (1.26.x), and sets GOEXPERIMENT=ms_nocgo_opensslcrypto so the CGO_ENABLED=0 build works with the new toolchain's OpenSSL backend.

Change Log
Does this affect the toolchain?

NO

Associated issues
  • Microsoft ADO work item 63028495.
Links to CVEs
Test Methodology

Drop 'BuildRequires: golang < 1.25' and set GOEXPERIMENT=ms_nocgo_opensslcrypto
(Microsoft Go 1.25+ defaults to systemcrypto which needs CGO_ENABLED=1;
containerd builds CGO_ENABLED=0). Resolves Go stdlib CVE-2026-25679,
CVE-2026-27139, CVE-2026-33811, CVE-2026-39836 (was built on Go 1.24.13).
@microsoft-github-policy-service microsoft-github-policy-service Bot added Packaging fasttrack/3.0 PRs Destined for Azure Linux 3.0 labels Jul 11, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

fasttrack/3.0 PRs Destined for Azure Linux 3.0 Packaging

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant