Sourced from github.com/quic-go/quic-go's releases.

v0.49.0

In this release, we added support for HTTP client traces. We also fixed a large number of bugs that could lead to connection stalls, deadlocks and memory leaks. See the "Major Fixes" section for more details.

New Features

• http3: add support for client traces net/http/httptrace.ClientTrace: #4749. Thanks to @​lRoccoon for the contribution!

Major Fixes

• fix accounting for lost RESET_STREAM frames in the stream, leading to potential connection stalls / deadlocks: #4804. Thanks to @​Wondertan for reporting and testing the fix!
• fix memory leak when the connection ID is rotated when the CONNECTION_CLOSE packet is sent: #4852. Thanks to @​MarcoPolo for debugging this issue and contributing a fix!
• http3: fix QUIC connection re-dialing logic: #4854, #4875, #4879
• trigger sending of a new packet when a MAX_DATA frame (connection-level flow control update) is queued: #4844
• Transport.Close was reworked: calls to Transport.Dial are now canceled, and return the newly introduced ErrTransportClosed, as do calls to Transport.Listen: #4883

Enhancements

• trace dropping of packets by the Transport when no server is set: #4789
• trace dropping of packets that the Transport doesn't send a stateless for: #4826
• drain received packets when the connection is closed: #4773
• add Prometheus metrics for sent and received packets: #4910
• reduce calls to time.Now all over the code base: #4731, #4885, #4886, #4906
• packetize DATA_BLOCKED frames in the same QUIC packet that caused us to block on connection-level flow control: #4845
• packetize STREAM_DATA_BLOCKED frames in the same QUIC packed that caused us to block on stream-level flow control: #4801
• we now don't enforce that only one Transport listens on any given net.PacketConn: #4851

Other Fixes

• drain the server's connection accept queue before returning ErrClosed from Accept: #4846. Thanks to @​sukunrt for discovering this bug and providing very helpful reviews!
• preserve the error returned from SendStream.Write if it is closed after is canceled: #4882
• fix race condition on concurrent calls to Transport.Dial and Transport.Close: #4904
• qlog: fix logging of packet_in_flight on the metrics_updated event: #4895
• fix errors.Is error comparisons: #4824, #4825, #4877
• http3: fix race condition on concurrent calls to http.Response.Body.Close: #4798. Thanks to @​RPRX for the contribution!
• flowcontrol: reset the connection send window on 0-RTT rejection: #4764
• wait for connection to shut down when the Dial context is cancelled: #4872
• http3: the http.Request.Body is now properly closed on all code paths that return a non-nil error: #4874
• NEW_CONNECTION_ID frames are now rejected when zero-length connection IDs are used, as required by the RFC: #4878
• the stream ID of STREAM_DATA_BLOCKED frames is now validated, as required by the RFC: #4836
• fix ECN markings of packets sent in GSO batches when the marking changes: #4835
• the AEAD used to calculate the Retry Integrity Tag is now created lazily, avoiding a panic on initialization when using Go 1.24 FIPS-only mode: #4916
• use a 24h maximum token age as default value for Transport.MaxTokenAge: #4763

Behind the Scenes

In the v0.48.0 release, we started migrating our test suite away from Ginkgo (tracking issue: #3652). This is an absolutely massive endeavor. Before we started, the number of LOC of Ginkgo tests was more than 41,000.

In this release, we're bringing this number down to less than 8,500 LOC: #4736, #4746, #4775, #4783, #4788, #4790, #4795, #4796, #4797, #4799, #4814, #4816, #4817, #4823, #4837, #4842, #4847, #4848, #4849, #4853, #4857, #4860, #4861, #4862, #4863, #4864, #4865, #4869, #4876, #4881, #4907.

There's still a lot of work ahead, but we'll hopefully be able to finish this item in the next couple of months.

... (truncated)

• 275c172 drop initial packets when the handshake is confirmed
• c385cd1 handshake: lazily create the AEAD used for Retry (#4916)
• fb9d8e3 metrics: add Prometheus metrics for sent and received packets (#4910)
• e12f91c clean up MTU probe packet sending logic (#4914)
• a4c9b04 simply PTO probe packet sending logic (#4913)
• d41f974 fix memory leak on connection ID rotation when closing connection (#4852)
• 3023083 migrate the MTU discoverer tests away from Ginkgo (#4907)
• bea70c6 fix flaky TestALPN integration test (#4909)
• eb70424 fix race condition on concurrent use of Transport.Dial and Close (#4904)
• 5d4835e preserve error from SendStream during cancellation and closing (#4882)
• Additional commits viewable in compare view

• 681b4d8 jws: split token into fixed number of parts
• 3f78298 all: upgrade go directive to at least 1.23.0 [generated]
• 109dabf endpoints: add links/provider for Discord
• ac571fa oauth2: fix docs for Config.DeviceAuth
• 314ee5b endpoints: add patreon endpoint
• b9c813b google: add warning about externally-provided credentials
• 49a531d all: make method and struct comments match the names
• See full diff in compare view

Sourced from github.com/containerd/containerd's releases.

containerd 1.7.27

Welcome to the v1.7.27 release of containerd!

The twenty-seventh patch release for containerd 1.7 contains various fixes and updates.

Highlights

• Fix integer overflow in User ID handling (GHSA-265r-hfxg-fhmg)
• Update image type checks to avoid unnecessary logs for attestations (#11538)

Please try out the release binaries and report any issues at https://github.com/containerd/containerd/issues.

Contributors

• Jin Dong
• Akhil Mohan
• Derek McGowan
• Maksym Pavlenko
• Paweł Gronowski
• Phil Estes
• Akihiro Suda
• Craig Ingram
• Krisztian Litkey
• Samuel Karp

Changes

• 05044ec0a Merge commit from fork
• 11504c3fc validate uid/gid
• Prepare release notes for v1.7.27 (#11540)
  • 1be04be6c Prepare release notes for v1.7.27
• Update image type checks to avoid unnecessary logs for attestations (#11538)
  • 82b5c43fe core/remotes: Handle attestations in MakeRefKey
  • 2c670e79b core/images: Ignore attestations when traversing children
• update build to go1.23.7, test go1.24.1 (#11515)
  • a39863c9f update build to go1.23.7, test go1.24.1
• Remove hashicorp/go-multierror dependency and fix CI (#11499)
  • 49537b3a7 e2e: use the shim bundled with containerd artifact
  • fe490b76f Bump up github.com/intel/goresctrl to 0.5.0
  • 13fc9d313 update containerd/project-checks to 1.2.1
  • 585699c94 Remove unnecessary joinError unwrap
  • 4b9df59be Remove hashicorp/go-multierror
• go.{mod,sum}: bump CDI deps to v0.8.1. (#11422)
  • 5ba28f8dc go.{mod,sum}: bump CDI deps to v0.8.1, re-vendor.
• CI: arm64-8core-32gb -> ubuntu-24.04-arm (#11437)
  • 85f10bd92 CI: arm64-8core-32gb -> ubuntu-24.04-arm

... (truncated)

• 05044ec Merge commit from fork
• 0b7f2a5 Merge pull request #11540 from dmcgowan/prepare-1.7.27
• 574a304 Merge pull request #11538 from dmcgowan/backport-11327
• 1be04be Prepare release notes for v1.7.27
• 82b5c43 core/remotes: Handle attestations in MakeRefKey
• 2c670e7 core/images: Ignore attestations when traversing children
• 11504c3 validate uid/gid
• 576178b Merge pull request #11515 from akhilerm/1.7-updatego1.24.1
• a39863c update build to go1.23.7, test go1.24.1
• 8946aa0 Merge pull request #11499 from djdongjin/1-7-remove-hashi-multierror
• Additional commits viewable in compare view

Sourced from github.com/docker/docker's releases.

v28.0.0

28.0.0

For a full list of pull requests and changes in this release, refer to the relevant GitHub milestones:

• docker/cli, 28.0.0 milestone
• moby/moby, 28.0.0 milestone
• Deprecated and removed features, see Deprecated Features.
• Changes to the Engine API, see API version history.

New

• Add ability to mount an image inside a container via --mount type=image. moby/moby#48798
  • You can also specify --mount type=image,image-subpath=[subpath],... option to mount a specific path from the image. docker/cli#5755
• docker images --tree now shows metadata badges. docker/cli#5744
• docker load, docker save, and docker history now support a --platform flag allowing you to choose a specific platform for single-platform operations on multi-platform images. docker/cli#5331
• Add OOMScoreAdj to docker service create and docker stack. docker/cli#5145
• docker buildx prune now supports reserved-space, max-used-space, min-free-space and keep-bytes filters. moby/moby#48720
• Windows: Add support for running containerd as a child process of the daemon, instead of using a system-installed containerd. moby/moby#47955

Networking

• The docker-proxy binary has been updated, older versions will not work with the updated dockerd. moby/moby#48132
  • Close a window in which the userland proxy (docker-proxy) could accept TCP connections, that would then fail after iptables NAT rules were set up.
  • The executable rootlesskit-docker-proxy is no longer used, it has been removed from the build and distribution.
• DNS nameservers read from the host's /etc/resolv.conf are now always accessed from the host's network namespace. moby/moby#48290
  • When the host's /etc/resolv.conf contains no nameservers and there are no --dns overrides, Google's DNS servers are no longer used, apart from by the default bridge network and in build containers.
• Container interfaces in bridge and macvlan networks now use randomly generated MAC addresses. moby/moby#48808
  • Gratuitous ARP / Neighbour Advertisement messages will be sent when the interfaces are started so that, when IP addresses are reused, they're associated with the newly generated MAC address.
  • IPv6 addresses in the default bridge network are now IPAM-assigned, rather than being derived from the MAC address.
• The deprecated OCI prestart hook is now only used by build containers. For other containers, network interfaces are added to the network namespace after task creation is complete, before the container task is started. moby/moby#47406
• Add a new gw-priority option to docker run, docker container create, and docker network connect. This option will be used by the Engine to determine which network provides the default gateway for a container. On docker run, this option is only available through the extended --network syntax. docker/cli#5664
• Add a new netlabel com.docker.network.endpoint.ifname to customize the interface name used when connecting a container to a network. It's supported by all built-in network drivers on Linux. moby/moby#49155
  • When a container is created with multiple networks specified, there's no guarantee on the order networks will be connected to the container. So, if a custom interface name uses the same prefix as the auto-generated names, for example eth, the container might fail to start.
  • The recommended practice is to use a different prefix, for example en0, or a numerical suffix high enough to never collide, for example eth100.
  • This label can be specified on docker network connect via the --driver-opt flag, for example docker network connect --driver-opt=com.docker.network.endpoint.ifname=foobar ….
  • Or via the long-form --network flag on docker run, for example docker run --network=name=bridge,driver-opt=com.docker.network.endpoint.ifname=foobar …
• If a custom network driver reports capability GwAllocChecker then, before a network is created, it will get a GwAllocCheckerRequest with the network's options. The custom driver may then reply that no gateway IP address should be allocated. moby/moby#49372

Port publishing in bridge networks

• dockerd now requires ipset support in the Linux kernel. moby/moby#48596
  • The iptables and ip6tables rules used to implement port publishing and network isolation have been extensively modified. This enables some of the following functional changes, and is a first step in refactoring to enable native nftables support in a future release. moby/moby#48815
  • If it becomes necessary to downgrade to an earlier version of the daemon, some manual cleanup of the new rules will be necessary. The simplest and surest approach is to reboot the host, or use iptables -F and ip6tables -F to flush all existing iptables rules from the filter table before starting the older version of the daemon. When that is not possible, run the following commands as root:
    • iptables -D FORWARD -m set --match-set docker-ext-bridges-v4 dst -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT; ip6tables -D FORWARD -m set --match-set docker-ext-bridges-v6 dst -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    • iptables -D FORWARD -m set --match-set docker-ext-bridges-v4 dst -j DOCKER; ip6tables -D FORWARD -m set --match-set docker-ext-bridges-v6 dst -j DOCKER
    • If you were previously running with the iptables filter-FORWARD policy set to ACCEPT and need to restore access to unpublished ports, also delete per-bridge-network rules from the DOCKER chains. For example, iptables -D DOCKER ! -i docker0 -o docker0 -j DROP.
• Fix a security issue that was allowing remote hosts to connect directly to a container on its published ports. moby/moby#49325
• Fix a security issue that was allowing neighbor hosts to connect to ports mapped on a loopback address. moby/moby#49325

... (truncated)

• af898ab Merge pull request #49495 from vvoland/update-buildkit
• d67f035 vendor: github.com/moby/buildkit v0.20.0
• 00ab386 Merge pull request #49491 from vvoland/update-buildkit
• 1fde8c4 builder-next: fix cdi manager
• cde9f07 vendor: github.com/moby/buildkit v0.20.0-rc3
• 89e1429 Merge pull request #49490 from thaJeztah/dockerfile_linting
• b2b5590 Dockerfile: fix linting warnings
• 62bc597 Merge pull request #49480 from thaJeztah/docs_api_1.48
• 670cd81 Merge pull request #49485 from vvoland/c8d-list-panic
• a3628f3 docs/api: add documentation for API v1.48
• Additional commits viewable in compare view

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
  You can disable automated security fix PRs for this repo from the Security Alerts page.