[Buildroot] [git commit] package/containerd: security bump to version 1.5.11

Marcus Hoffmann marcus.hoffmann at othermo.de
Mon Apr 11 12:28:51 UTC 2022


Hi Peter,

On 05.04.22 19:28, Peter Korsgaard wrote:
> commit: https://git.buildroot.net/buildroot/commit/?id=2642edb0af08f04fb98f4cb5f88895faded4b325
> branch: https://git.buildroot.net/buildroot/commit/?id=refs/heads/master
> 
> Fixes the following security issues:
> 
> - CVE-2022-23648: containerd CRI plugin: Insecure handling of image volumes
>    https://github.com/containerd/containerd/security/advisories/GHSA-crp2-qrr5-8pq7
> 
> - CVE-2022-24769: Default inheritable capabilities for linux container
>    should be empty
>    https://github.com/containerd/containerd/security/advisories/GHSA-c9cp-9c75-9v8c
> 
> Signed-off-by: Peter Korsgaard <peter at korsgaard.com>
> ---
>   package/containerd/containerd.hash | 2 +-
>   package/containerd/containerd.mk   | 2 +-
>   2 files changed, 2 insertions(+), 2 deletions(-)
> 
> diff --git a/package/containerd/containerd.hash b/package/containerd/containerd.hash
> index d5aafe2e70..23dacded88 100644
> --- a/package/containerd/containerd.hash
> +++ b/package/containerd/containerd.hash
> @@ -1,3 +1,3 @@
>   # Computed locally
> -sha256  40c9767af3e87f2c36adf2f563f0a8374e80b30bd2b7aa80058c85912406cef4  containerd-1.5.9.tar.gz
> +sha256  6a289406c1c0583763e5a9754e31a1eced55cd5f162a7bc2a3a315d5eb05c7a1  containerd-1.5.11.tar.gz
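
Review bot: the replacement sha256 line for containerd-1.5.11.tar.gz sits under an unchanged "# Computed locally" comment, so the hash file gives a reviewer no independent source to check the new value against. The reply in this thread reports that the same file hashes to 02b79d5e2b07b5e64cd28f1fe84395ee11eef95fc49fd923a9ab93022b148be6, both inside Buildroot and when downloaded by hand. Before this line lands, re-download the tarball into a clean download directory, recompute the sha256, and note in the comment which URL the archive was fetched from, so that a later mismatch can be traced to either a changed upstream archive or a bad local computation.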

I get a different hash for this download, both within buildroot as well 
as downloading the file manually from github:

ERROR: containerd-1.5.11.tar.gz has wrong sha256 hash:
ERROR: expected: 6a289406c1c0583763e5a9754e31a1eced55cd5f162a7bc2a3a315d5eb05c7a1
ERROR: got     : 02b79d5e2b07b5e64cd28f1fe84395ee11eef95fc49fd923a9ab93022b148be6
ERROR: Incomplete download, or man-in-the-middle (MITM) attack


Did the file change in the meantime or did something else go wrong here?

Should I send a patch changing the hash to 
02b79d5e2b07b5e64cd28f1fe84395ee11eef95fc49fd923a9ab93022b148be6?

 > [...]

Best,
Marcus


