chore(master): release 2.5.1 #39

Merged

@lotyp lotyp (Member) commented Apr 10, 2024

🤖 I have created a release beep boop

2.5.1 (2024-04-10)

Bug Fixes


This PR was generated with Release Please. See documentation.

github-actions bot commented Apr 10, 2024

🔍 Vulnerabilities of wayofdev/php-dev:latest

📦 Image Reference: wayofdev/php-dev:latest
Digest: sha256:fb078e10cb88e49a128b4f02a23c5f1b055fb78f5f1e7bdf58950f08be797912
Vulnerabilities: critical: 0 high: 2 medium: 0 low: 0
Size: 116 MB
Packages: 214
📦 Base Image php:8.1-alpine
also known as
  • 8.1-alpine3.19
  • 8.1-cli-alpine
  • 8.1-cli-alpine3.19
  • 8.1.27-alpine
  • 8.1.27-alpine3.19
  • 8.1.27-cli-alpine
  • 8.1.27-cli-alpine3.19
Digest: sha256:f9a59a4f072f5f357ad46bf9b44c222649d919765e56f6d01691ee11c1e3cb29
Vulnerabilities: critical: 0 high: 0 medium: 1 low: 0 unspecified: 1

critical: 0 high: 1 medium: 0 low: 0 golang.org/x/net 0.8.0 (golang)

pkg:golang/golang.org/x/net@v0.8.0

high 7.5: CVE-2023-39325 Uncontrolled Resource Consumption

Affected range: <0.17.0
Fixed version: 0.17.0
CVSS Score: 7.5
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS Score: 0.00152
EPSS Percentile: 0.50705
Description

A malicious HTTP/2 client which rapidly creates requests and immediately resets them can cause excessive server resource consumption. While the total number of requests is bounded by the http2.Server.MaxConcurrentStreams setting, resetting an in-progress request allows the attacker to create a new request while the existing one is still executing.

With the fix applied, HTTP/2 servers now bound the number of simultaneously executing handler goroutines to the stream concurrency limit (MaxConcurrentStreams). New requests arriving when at the limit (which can only happen after the client has reset an existing, in-flight request) will be queued until a handler exits. If the request queue grows too large, the server will terminate the connection.

This issue is also fixed in golang.org/x/net/http2 for users manually configuring HTTP/2.

The default stream concurrency limit is 250 streams (requests) per HTTP/2 connection. This value may be adjusted using the golang.org/x/net/http2 package; see the Server.MaxConcurrentStreams setting and the ConfigureServer function.

critical: 0 high: 1 medium: 0 low: 0 google.golang.org/grpc 1.54.0 (golang)

pkg:golang/google.golang.org/grpc@v1.54.0

high 7.5: GHSA-m425-mq94-257g

Affected range: <1.56.3
Fixed version: 1.56.3
CVSS Score: 7.5
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Description

Impact

In affected releases of gRPC-Go, it is possible for an attacker to send HTTP/2 requests, cancel them, and send subsequent requests, which is valid by the HTTP/2 protocol, but would cause the gRPC-Go server to launch more concurrent method handlers than the configured maximum stream limit.

Patches

This vulnerability was addressed by #6703 and has been included in patch releases: 1.56.3, 1.57.1, 1.58.3. It is also included in the latest release, 1.59.0.

Along with applying the patch, users should also ensure they are using the grpc.MaxConcurrentStreams server option to apply a limit to the server's resources used for any single connection.

Workarounds

None.

References

#6703

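Both advisories above describe the same HTTP/2 rapid-reset pattern (CVE-2023-39325 in golang.org/x/net, GHSA-m425-mq94-257g in gRPC-Go): the concurrency limit was enforced on open streams, so a client that sends HEADERS and then RST_STREAM at once frees its stream slot while the handler it started is still running. The Go program below is an added example, not code from the wayofdev/php-dev project, from Docker Scout, or from the x/net or gRPC-Go fixes; it is a simplified model of the two accounting strategies the advisories contrast. The type and function names (Event, RapidResetBurst, ReplayVulnerable, ReplayFixed), the assumption that no handler finishes during the burst, and the queue bound of four times the stream limit are assumptions of the model, and the client trace it replays is constructed.

```go
package main

import (
	"errors"
	"fmt"
)

// Event is one client frame of interest on a single HTTP/2 connection.
type Event struct {
	Kind string // "HEADERS" opens a stream, "RST_STREAM" cancels it
	ID   uint32 // client-initiated stream identifiers are odd
}

// RapidResetBurst is a constructed attacker trace: open a stream and reset it
// immediately, n times. Every stream is already closed when the next opens.
func RapidResetBurst(n int) []Event {
	ev := make([]Event, 0, 2*n)
	for i := 0; i < n; i++ {
		id := uint32(2*i + 1)
		ev = append(ev, Event{"HEADERS", id}, Event{"RST_STREAM", id})
	}
	return ev
}

// Result records what the burst cost the server. Handlers are assumed to be
// slow enough that none of them finishes during the burst (the worst case).
type Result struct {
	PeakHandlers int  // handler goroutines executing at the same time
	PeakQueue    int  // requests waiting for a handler slot (fixed server only)
	Terminated   bool // connection closed because the queue grew too large
}

// ReplayVulnerable models the pre-fix accounting: maxStreams bounds the
// number of open streams. RST_STREAM frees the slot immediately, but the
// handler the stream started keeps running, so executing handlers are
// unbounded.
func ReplayVulnerable(events []Event, maxStreams int) Result {
	open := map[uint32]bool{}
	var running int
	var res Result
	for _, e := range events {
		switch e.Kind {
		case "HEADERS":
			if len(open) >= maxStreams {
				continue // refused: over the open-stream limit
			}
			open[e.ID] = true
			running++ // handler goroutine started
			if running > res.PeakHandlers {
				res.PeakHandlers = running
			}
		case "RST_STREAM":
			delete(open, e.ID) // slot freed while the handler still runs
		}
	}
	return res
}

// ReplayFixed models the post-fix accounting: the limit applies to executing
// handlers. A HEADERS frame arriving at the limit (possible only after a
// reset) is queued; in this model a queued entry is dropped only when it is
// dequeued, so resetting it does not shrink the queue. Past maxQueue the
// connection is terminated.
func ReplayFixed(events []Event, maxStreams, maxQueue int) (Result, error) {
	var running, queued int
	var res Result
	for _, e := range events {
		if e.Kind != "HEADERS" {
			continue // RST_STREAM no longer frees a handler slot
		}
		if running < maxStreams {
			running++
			if running > res.PeakHandlers {
				res.PeakHandlers = running
			}
			continue
		}
		queued++
		if queued > res.PeakQueue {
			res.PeakQueue = queued
		}
		if queued > maxQueue {
			res.Terminated = true
			return res, errors.New("too many unstarted handlers: connection terminated")
		}
	}
	return res, nil
}

func main() {
	const limit = 250 // the advisory's default MaxConcurrentStreams
	burst := RapidResetBurst(2000)
	fmt.Printf("vulnerable: %+v\n", ReplayVulnerable(burst, limit))
	res, err := ReplayFixed(burst, limit, 4*limit) // queue bound is an assumption
	fmt.Printf("fixed: %+v err=%v\n", res, err)
}
```

With a burst of 2000 rapid resets the vulnerable accounting reaches 2000 executing handlers against a limit of 250, while the fixed accounting never exceeds 250 and closes the connection once the unstarted-handler queue passes the assumed bound. In a real Go server the limit is the setting both advisories name: http2.ConfigureServer(srv, &http2.Server{MaxConcurrentStreams: 250}) for net/http and grpc.NewServer(grpc.MaxConcurrentStreams(250)) for gRPC-Go; setting it is not sufficient on its own, because only golang.org/x/net 0.17.0 and google.golang.org/grpc 1.56.3 (or later) make that limit apply to executing handlers rather than open streams.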
github-actions bot commented Apr 10, 2024

Recommended fixes for image wayofdev/php-dev:latest

Base image is php:8.1-alpine

Name: 8.1.27-alpine3.19
Digest: sha256:f9a59a4f072f5f357ad46bf9b44c222649d919765e56f6d01691ee11c1e3cb29
Vulnerabilities: critical: 0 high: 0 medium: 1 low: 0 unspecified: 1
Pushed: 3 weeks ago
Size: 35 MB
Packages: 49
Flavor: alpine
OS: 3.19
Runtime: 8.1.27
The base image is also available under the supported tag(s): 8.1-alpine3.19, 8.1-cli-alpine, 8.1-cli-alpine3.19, 8.1.27-alpine, 8.1.27-alpine3.19, 8.1.27-cli-alpine, 8.1.27-cli-alpine3.19

Refresh base image

Rebuild the image using a newer base image version. Updating this may result in breaking changes.

✅ This image version is up to date.

Change base image

Tag / Details / Pushed / Vulnerabilities
8.3-alpine
Minor runtime version update
Also known as:
  • 8.3-cli-alpine
  • 8.3-cli-alpine3.19
  • 8-cli-alpine
  • 8-cli-alpine3.19
  • cli-alpine
  • cli-alpine3.19
  • alpine
  • alpine3.19
  • 8.3-alpine3.19
  • 8-alpine
  • 8-alpine3.19
Benefits:
  • Same OS detected
  • Minor runtime version update
  • Image has similar size
  • Image has same number of vulnerabilities
  • Image contains equal number of packages
Image details:
  • Size: 36 MB
  • Flavor: alpine
  • OS: 3.19
  • Runtime: 8.3
Pushed: 3 weeks ago

8.2-alpine
Minor runtime version update
Also known as:
  • 8.2-cli-alpine
  • 8.2-cli-alpine3.19
  • 8.2-alpine3.19
Benefits:
  • Same OS detected
  • Minor runtime version update
  • Image has similar size
  • Image has same number of vulnerabilities
  • Image contains equal number of packages
  • 8.2-alpine was pulled 1.8K times last month
Image details:
  • Size: 35 MB
  • Flavor: alpine
  • OS: 3.19
  • Runtime: 8.2
Pushed: 3 weeks ago

8.3.2-alpine
Minor runtime version update
Also known as:
  • 8.3.2-cli-alpine
  • 8.3.2-cli-alpine3.19
  • 8.3.2-alpine3.19
Benefits:
  • Same OS detected
  • Minor runtime version update
  • Image has similar size
  • Image contains equal number of packages
Image details:
  • Size: 36 MB
  • Flavor: alpine
  • OS: 3.19
  • Runtime: 8.3.2
Pushed: 2 months ago

8.2.15-alpine
Minor runtime version update
Also known as:
  • 8.2.15-cli-alpine
  • 8.2.15-cli-alpine3.19
  • 8.2.15-alpine3.19
Benefits:
  • Same OS detected
  • Minor runtime version update
  • Image has similar size
  • Image contains equal number of packages
Image details:
  • Size: 35 MB
  • Flavor: alpine
  • OS: 3.19
  • Runtime: 8.2.15
Pushed: 2 months ago

@lotyp lotyp disabled auto-merge April 10, 2024 19:48
@lotyp lotyp merged commit 24d8fcc into master Apr 10, 2024
12 of 13 checks passed
@lotyp lotyp deleted the release-please--branches--master--components--docker-php-dev branch April 10, 2024 19:48