Merge pull request #17035 from thaJeztah/23.0.3_release_notes

engine: add 23.0.3 release notes

engine/release-notes/23.0.md

@@ -41,6 +41,37 @@ Changing the version format is a stepping-stone towards Go module compatibility,
 but the repository doesn't yet use Go modules, and still requires using a "+incompatible" version.
 Work continues towards Go module compatibility in a future release.
 
+## 23.0.3
+
+{% include release-date.html date="2023-04-04" %}
+
+> **Note**
+> 
+> Due to an issue with CentOS 9 Stream's package repositories, packages for
+> CentOS 9 are currently unavailable. Packages for CentOS 9 may be added later,
+> or as part of the next (23.0.4) patch release.
+
+### Bug fixes and enhancements
+
+- Fixed a number of issues that can cause Swarm encrypted overlay networks
+  to fail to uphold their guarantees, addressing [CVE-2023-28841](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-28841),
+  [CVE-2023-28840](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-28840), and
+  [CVE-2023-28842](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-28842).
+  - A lack of kernel support for encrypted overlay networks now reports
+    as an error.
+  - Encrypted overlay networks are eagerly set up, rather than waiting for
+    multiple nodes to attach.
+  - Encrypted overlay networks are now usable on Red Hat Enterprise Linux 9
+    through the use of the `xt_bpf` kernel module.
+  - Users of Swarm overlay networks should review [GHSA-vwm3-crmr-xfxw](https://github.com/moby/moby/security/advisories/GHSA-vwm3-crmr-xfxw)
+    to ensure that unintentional exposure has not occurred.
+
+### Packaging Updates
+
+- Upgrade `containerd` to [v1.6.20](https://github.com/containerd/containerd/releases/tag/v1.6.20).
+- Upgrade `runc` to [v1.1.5](https://github.com/opencontainers/runc/releases/tag/v1.1.5).
+
+
 ## 23.0.2
 
 {% include release-date.html date="2023-03-28" %}