containerd2: Backport fix for credential leak in CRI error logs (#15579)

Backports a fix for a credential leak vulnerability in containerd2's CRI error handling. When image pulls fail from private registries using URL-based authentication (e.g., Azure Blob Storage with SAS tokens), sensitive query parameters were being exposed in both containerd logs and Kubernetes pod events (visible via kubectl describe pod).

Author: aadhar-agarwal

SPECS/containerd2/containerd2.spec

@@ -5,7 +5,7 @@
 Summary: Industry-standard container runtime
 Name: %{upstream_name}2
 Version: 2.0.0
-Release: 16%{?dist}
+Release: 17%{?dist}
 License: ASL 2.0
 Group: Tools/Container
 URL: https://www.containerd.io
@@ -25,6 +25,7 @@ Patch5:	multi-snapshotters-support.patch
 Patch6:	tardev-support.patch
 Patch7: CVE-2024-25621.patch
 Patch8: CVE-2025-64329.patch
+Patch9: fix-credential-leak-in-cri-errors.patch
 %{?systemd_requires}
 
 BuildRequires: golang < 1.25
@@ -100,6 +101,9 @@ fi
 %dir /opt/containerd/lib
 
 %changelog
+* Tue Jan 21 2026 Aadhar Agarwal <aadagarwal@microsoft.com> - 2.0.0-17
+- Backport fix for credential leak in CRI error logs
+
 * Mon Nov 24 2025 Azure Linux Security Servicing Account <azurelinux-security@microsoft.com> - 2.0.0-16
 - Patch for CVE-2025-64329