RATATOSKRATATOSK
ログイン

リリース

CNCF graduated・incubatingプロジェクトのリリースノートのAI分析。

プロジェクト: Lima解除 ×

Lima

Kubernetes Core2026年6月19日

Lima v2.1.3 is a security-focused patch release fixing two CVEs: a privilege escalation in QEMU VMs and multiple containerd CVEs bundled via nerdctl v2.3.3. Upgrade promptly.

  • securityPatch QEMU privilege escalation (CVE-2026-53657) immediately

    Any unprivileged user inside a QEMU-backed Lima VM could gain root inside that VM by abusing the guest agent socket. If you share Lima VMs among multiple users or run untrusted workloads, this is high priority. Upgrade to v2.1.3 and restart affected VMs.

  • securitycontainerd CVE batch via nerdctl v2.3.3 — upgrade required

    Five CVEs in containerd are fixed in the bundled nerdctl v2.3.3 (containerd v2.3.2). If your Lima instances run container workloads, the old containerd is exposed. Upgrade Lima and recreate or restart VMs to pick up the new nerdctl binary.

  • breakingcontainerd.user defaults changed for non-Linux guests

    Lima no longer sets containerd.user=true by default on non-Linux guests (macOS, Windows). If you relied on rootless containerd on those platforms without explicitly setting this, validate your VM config after upgrading and set containerd.user=true explicitly if needed.

主な変更 (5)
  • Fixes CVE-2026-53657: arbitrary guest users could escalate to root via the QEMU guest agent socket
  • nerdctl bumped to v2.3.3, which bundles containerd v2.3.2 fixing CVE-2026-50195, CVE-2026-53488, CVE-2026-53492, CVE-2026-53489, CVE-2026-47262
  • Default template image switched from ubuntu-25.10 to ubuntu-26.04
  • containerd.user no longer defaults to true on non-Linux guests (behavior change for macOS/Windows VM workloads)
  • copytool: auto mode now falls back to scp when both source and destination are remote
原文

Lima

Kubernetes Core2026年4月4日

Lima v2.1.1 is a focused patch release adding Windows binary artifacts and fixing a handful of edge-case bugs, with an important bundled nerdctl security update.

  • securityUpdate nerdctl distribution for BuildKit and CNI security fixes

    The bundled nerdctl was bumped from v2.2.1 to v2.2.2, which updates BuildKit to 0.28.1 and CNI plugins to 1.9.1. Both upstream releases include security patches. If you use Lima's nerdctl template for container workloads, upgrade to v2.1.1 promptly and check the BuildKit and CNI plugin release notes to assess CVE impact for your environment.

  • enhancementWindows users can now consume official Lima binaries

    Lima v2.1.1 ships pre-built Windows artifacts for the first time. If your team has Windows developers using Lima (e.g., via WSL2), point them at the official release binaries rather than maintaining custom builds. This simplifies onboarding and keeps everyone on a verified, reproducible build.

  • enhancementFix UID range issues for enterprise/LDAP-managed macOS users

    macOS guests now accept UIDs outside the conventional range. If any users in your org run Lima on corporate-managed Macs with directory-assigned UIDs (common with LDAP or Active Directory integration), this fixes silent failures that were hard to diagnose. No config change needed — just upgrade.

主な変更 (5)
  • Windows binary artifacts now shipped with official releases — no more building from source on Windows
  • macOS guest: unusual UID ranges (outside typical 500–32000) are now accepted, fixing failures for some corporate directory setups
  • Virtualization Framework (vz): `audio.device=none` is now correctly respected instead of being silently ignored
  • nerdctl bumped to v2.2.2, pulling in BuildKit 0.28.1 and CNI plugins 1.9.1 — both carry security fixes
  • AlmaLinux Kitten 10 template gains riscv64 support
原文