
Update containerd2 to 2.1.6 #16652

Open
acortelyou wants to merge 1 commit into microsoft:3.0 from acortelyou:containerd2-update-2.1.6

@acortelyou (Member) commented Apr 13, 2026

Merge Checklist

All boxes should be checked before merging the PR (just tick any boxes which don't apply to this PR)

  • The toolchain has been rebuilt successfully (or no changes were made to it)
  • The toolchain/worker package manifests are up-to-date
  • Any updated packages successfully build (or no packages were changed)
  • Packages depending on static components modified in this PR (Golang, *-static subpackages, etc.) have had their Release tag incremented.
  • Package tests (%check section) have been verified with RUN_CHECK=y for existing SPEC files, or added to new SPEC files
  • All package sources are available
  • cgmanifest files are up-to-date and sorted (./cgmanifest.json, ./toolkit/scripts/toolchain/cgmanifest.json, .github/workflows/cgmanifest.json)
  • LICENSE-MAP files are up-to-date (./LICENSES-AND-NOTICES/SPECS/data/licenses.json, ./LICENSES-AND-NOTICES/SPECS/LICENSES-MAP.md, ./LICENSES-AND-NOTICES/SPECS/LICENSE-EXCEPTIONS.PHOTON)
  • All source files have up-to-date hashes in the *.signatures.json files
  • sudo make go-tidy-all and sudo make go-test-coverage pass
  • Documentation has been updated to match any changes to the build system
  • Ready to merge

Summary

Update containerd2 to 2.1.
Containerd 2.0 is EOL and causing problems in AKS 1.35 due to missing feature support.

Change Log

  • Bump version from 2.0.0 to 2.1.6
  • Remove CVE patches integrated upstream:
      • CVE-2024-45338 (x/net/html DoS, fixed in x/net v0.33.0)
      • CVE-2025-27144 (go-jose DoS, fixed in go-jose v4.0.5)
      • CVE-2024-40635 (UID/GID overflow, fixed in containerd 2.0.4)
      • CVE-2025-22872 (x/net/html XSS, fixed in x/net v0.38.0)
      • CVE-2025-47291 (cgroup hierarchy, fixed in containerd 2.0.5)
      • CVE-2024-25621 (directory permissions, fixed in containerd 2.1.5)
      • CVE-2025-64329 (x/net/html stack DoS, fixed in x/net v0.33.0+)
      • CVE-2025-47911 (x/net/html infinite loop, fixed in x/net v0.45.0)
      • CVE-2025-58190 (goroutine leak in Attach, fixed in containerd 2.1.5)
  • Remove fix-credential-leak-in-cri-errors patch (merged upstream PR Upgrade: opendnssec version to 2.1.14-1 #12547)
  • Retain multi-snapshotters-support and tardev-support feature patches
  • Update signatures.json and cgmanifest.json

Does this affect the toolchain?

YES/NO

Associated issues

  • #xxxx

Links to CVEs

Test Methodology

  • Pipeline build id: xxxx

@acortelyou acortelyou requested a review from a team as a code owner April 13, 2026 21:51
@acortelyou (Member, Author) commented

Hi team, could someone please upload the source tarballs for these version bumps to the source server per CONTRIBUTING?

containerd 2.1.6

containerd 2.2.2

The SRPM build is currently failing with a 404 because the 2.1.6 tarball isn't available on the source server yet. Requesting 2.2.2 as well in anticipation of a follow-up bump. Thanks!

- Bump version from 2.0.0 to 2.1.6
- Remove CVE patches integrated upstream:
  CVE-2024-45338 (x/net/html DoS, fixed in x/net v0.33.0)
  CVE-2025-27144 (go-jose DoS, fixed in go-jose v4.0.5)
  CVE-2024-40635 (UID/GID overflow, fixed in containerd 2.0.4)
  CVE-2025-22872 (x/net/html XSS, fixed in x/net v0.38.0)
  CVE-2025-47291 (cgroup hierarchy, fixed in containerd 2.0.5)
  CVE-2024-25621 (directory permissions, fixed in containerd 2.1.5)
  CVE-2025-64329 (x/net/html stack DoS, fixed in x/net v0.33.0+)
  CVE-2025-47911 (x/net/html infinite loop, fixed in x/net v0.45.0)
  CVE-2025-58190 (goroutine leak in Attach, fixed in containerd 2.1.5)
- Remove fix-credential-leak-in-cri-errors patch (merged upstream PR microsoft#12547)
- Retain multi-snapshotters-support and tardev-support feature patches
- Update signatures.json and cgmanifest.json

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

@acortelyou acortelyou force-pushed the containerd2-update-2.1.6 branch from ddad222 to 5a3a247 Compare April 14, 2026 18:50
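
When CVE patches are dropped because the fix is "integrated upstream", a reviewer can check the vendored-module entries of the change log against the go.mod in the new source tarball. The following is an added example, not code from this PR or from the azurelinux tooling; the Go module paths, the function names and the go.mod fragment are assumptions constructed for illustration, and the versions in the fragment are not those of containerd 2.1.6. The entries fixed in containerd itself (2.0.4, 2.0.5, 2.1.5) compare directly against the package version and are left out.

```python
import re

# CVE -> (assumed Go module path, first fixed version from the PR change log)
DROPPED_PATCHES = {
    "CVE-2024-45338": ("golang.org/x/net", "v0.33.0"),
    "CVE-2025-27144": ("github.com/go-jose/go-jose/v4", "v4.0.5"),
    "CVE-2025-22872": ("golang.org/x/net", "v0.38.0"),
    "CVE-2025-64329": ("golang.org/x/net", "v0.33.0"),
    "CVE-2025-47911": ("golang.org/x/net", "v0.45.0"),
}

# Constructed go.mod fragment; NOT the real go.mod of containerd 2.1.6.
SAMPLE_GO_MOD = """module example.invalid/constructed
require (
    github.com/go-jose/go-jose/v4 v4.0.5
    golang.org/x/net v0.38.0 // indirect
)
replace golang.org/x/net => golang.org/x/net v0.40.0
"""

VER = r"(v\d+\.\d+\.\d+\S*)"
REQUIRE = re.compile(r"^\s*(?:require\s+)?(\S+)\s+" + VER)
REPLACE = re.compile(r"^\s*(?:replace\s+)?(\S+)(?:\s+v\S+)?\s+=>\s+\S+\s+" + VER)

def effective_versions(go_mod):
    """Return {module: version}; a replace directive overrides require."""
    required, replaced = {}, {}
    for line in go_mod.splitlines():
        line = line.split("//", 1)[0]  # drop trailing comments
        if m := REPLACE.match(line):
            replaced[m.group(1)] = m.group(2)
        elif m := REQUIRE.match(line):
            required[m.group(1)] = m.group(2)
    return {**required, **replaced}

def vkey(version):
    """Sort key; a pre-release (vX.Y.Z-...) ranks below the release itself."""
    m = re.match(r"v(\d+)\.(\d+)\.(\d+)(-)?", version)
    return (int(m[1]), int(m[2]), int(m[3]), 0 if m[4] else 1)

def uncovered(go_mod, patches=DROPPED_PATCHES):
    """Map each CVE whose fix the go.mod does not prove present to a reason."""
    have, gaps = effective_versions(go_mod), {}
    for cve, (module, fixed) in patches.items():
        if (got := have.get(module)) is None:
            gaps[cve] = f"{module} not in go.mod"
        elif vkey(got) < vkey(fixed):
            gaps[cve] = f"{module} {got} < {fixed}"
    return gaps
```

A non-empty result from `uncovered()` means the corresponding patch should stay in the spec until the vendored module reaches the fixed version; replace directives that point at a local path carry no version and need a manual look.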

Labels

3.0 PRs Destined for 3.0 Packaging
