
deps(deps): update ansible/ansible-lint action to v24.12.2 #73

Merged
merged 1 commit into from
Dec 12, 2024

Conversation

renovate[bot]

@renovate renovate bot commented Dec 12, 2024

This PR contains the following updates:

Package: ansible/ansible-lint
Type: action
Update: patch
Change: v24.12.1 -> v24.12.2

Release Notes

ansible/ansible-lint (ansible/ansible-lint)

v24.12.2

Compare Source

Enhancements

Bugfixes

Note that this changelog entry contains changes also included in the two yanked releases before it.


Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.



This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate bot requested a review from lotyp as a code owner December 12, 2024 14:52
@renovate renovate bot enabled auto-merge (squash) December 12, 2024 14:52
@github-actions github-actions bot added the type: maintenance For maintenance, refactor and testing (perf, chore, style, revert, refactor, test, build, ci) label Dec 12, 2024

github-actions bot commented Dec 12, 2024


🔍 Vulnerabilities of wayofdev/php-dev:latest

📦 Image Reference: wayofdev/php-dev:latest
digest: sha256:c0d6d4730cfca59d049895e624c510682e76bc79939b644e3ce6eab182b0184d
vulnerabilities: critical: 0 high: 1 medium: 0 low: 0
size: 105 MB
packages: 232
📦 Base Image: php:8.2-fpm-alpine
also known as:
  • 8.2-fpm-alpine3.21
  • 8.2.26-fpm-alpine
  • 8.2.26-fpm-alpine3.21
digest: sha256:c40255b7011a41c628d0120383a267bc9d7426eab0cc538ae0d58c935000ae20
vulnerabilities: critical: 1 high: 0 medium: 0 low: 0
golang.org/x/crypto 0.17.0 (golang): critical: 0 high: 1 medium: 0 low: 0

pkg:golang/golang.org/x/crypto@v0.17.0

high : CVE-2024-45337 Improper Authorization

Affected range: <0.31.0
Fixed version: 0.31.0
Description

Applications and libraries which misuse the ServerConfig.PublicKeyCallback callback may be susceptible to an authorization bypass.

The documentation for ServerConfig.PublicKeyCallback says that "A call to this function does not guarantee that the key offered is in fact used to authenticate." Specifically, the SSH protocol allows clients to inquire about whether a public key is acceptable before proving control of the corresponding private key. PublicKeyCallback may be called with multiple keys, and the order in which the keys were provided cannot be used to infer which key the client successfully authenticated with, if any. Some applications, which store the key(s) passed to PublicKeyCallback (or derived information) and make security relevant determinations based on it once the connection is established, may make incorrect assumptions.

For example, an attacker may send public keys A and B, and then authenticate with A. PublicKeyCallback would be called only twice, first with A and then with B. A vulnerable application may then make authorization decisions based on key B for which the attacker does not actually control the private key.

Since this API is widely misused, as a partial mitigation golang.org/x/crypto@v0.31.0 enforces the property that, when successfully authenticating via public key, the last key passed to ServerConfig.PublicKeyCallback will be the key used to authenticate the connection. PublicKeyCallback will now be called multiple times with the same key, if necessary. Note that the client may still not control the last key passed to PublicKeyCallback if the connection is then authenticated with a different method, such as PasswordCallback, KeyboardInteractiveCallback, or NoClientAuth.

Users should be using the Extensions field of the Permissions return value from the various authentication callbacks to record data associated with the authentication attempt instead of referencing external state. Once the connection is established the state corresponding to the successful authentication attempt can be retrieved via the ServerConn.Permissions field. Note that some third-party libraries misuse the Permissions type by sharing it across authentication attempts; users of third-party libraries should refer to the relevant projects for guidance.


github-actions bot commented Dec 12, 2024


🔍 Vulnerabilities of wayofdev/php-dev:latest

📦 Image Reference: wayofdev/php-dev:latest
digest: sha256:b980610ff08021c99c29712deb98cf3a35f042f69bd03791de036425496095ba
vulnerabilities: critical: 0 high: 1 medium: 0 low: 0
size: 110 MB
packages: 231
📦 Base Image: php:8.3-alpine
also known as:
  • 8.3-alpine3.21
  • 8.3-cli-alpine
  • 8.3-cli-alpine3.21
  • 8.3.14-alpine
  • 8.3.14-alpine3.21
  • 8.3.14-cli-alpine
  • 8.3.14-cli-alpine3.21
digest: sha256:41ab576a7fd2702a4921f50bc69be52460414e1d3a2d6e70676180e9ae8d4b78
vulnerabilities: critical: 1 high: 0 medium: 0 low: 0
golang.org/x/crypto 0.17.0 (golang): critical: 0 high: 1 medium: 0 low: 0

pkg:golang/golang.org/x/crypto@v0.17.0

high : CVE-2024-45337 Improper Authorization

Affected range: <0.31.0
Fixed version: 0.31.0


github-actions bot commented Dec 12, 2024


Recommended fixes for image wayofdev/php-dev:latest

Base image is php:8.2-fpm-alpine

Name: 8.2.26-fpm-alpine3.21
Digest: sha256:c40255b7011a41c628d0120383a267bc9d7426eab0cc538ae0d58c935000ae20
Vulnerabilities: critical: 1 high: 0 medium: 0 low: 0
Pushed: 5 days ago
Size: 32 MB
Packages: 53
Flavor: alpine
OS: 3.21
Runtime: 8.2.26
The base image is also available under the supported tag(s): 8.2-fpm-alpine3.21, 8.2.26-fpm-alpine, 8.2.26-fpm-alpine3.21

Refresh base image

Rebuild the image using a newer base image version. Updating this may result in breaking changes.

✅ This image version is up to date.

Change base image

Tag | Details | Pushed | Vulnerabilities
Tag: 8.3-fpm-alpine
Details: Minor runtime version update
Also known as:
  • 8.3.14-fpm-alpine
  • 8.3.14-fpm-alpine3.21
  • 8.3-fpm-alpine3.21
Benefits:
  • Same OS detected
  • Minor runtime version update
  • Image has similar size
  • Image has same number of vulnerabilities
  • Image contains equal number of packages
Image details:
  • Size: 33 MB
  • Flavor: alpine
  • OS: 3.21
  • Runtime: 8.3.14
Pushed: 5 days ago



Tag: 8.4-fpm-alpine
Details: Image has same number of vulnerabilities
Also known as:
  • 8.4.1-fpm-alpine
  • 8.4.1-fpm-alpine3.21
  • 8.4-fpm-alpine3.21
  • 8-fpm-alpine
  • 8-fpm-alpine3.21
  • fpm-alpine
  • fpm-alpine3.21
Benefits:
  • Same OS detected
  • Image has similar size
  • Image has same number of vulnerabilities
  • Image contains equal number of packages
Image details:
  • Size: 36 MB
  • Flavor: alpine
  • OS: 3.21
Pushed: 5 days ago




github-actions bot commented Dec 12, 2024


Recommended fixes for image wayofdev/php-dev:latest

Base image is php:8.3-alpine

Name: 8.3.14-alpine3.21
Digest: sha256:41ab576a7fd2702a4921f50bc69be52460414e1d3a2d6e70676180e9ae8d4b78
Vulnerabilities: critical: 1 high: 0 medium: 0 low: 0
Pushed: 5 days ago
Size: 37 MB
Packages: 52
Flavor: alpine
OS: 3.21
Runtime: 8.3.14
The base image is also available under the supported tag(s): 8.3-alpine3.21, 8.3-cli-alpine, 8.3-cli-alpine3.21, 8.3.14-alpine, 8.3.14-alpine3.21, 8.3.14-cli-alpine, 8.3.14-cli-alpine3.21

Refresh base image

Rebuild the image using a newer base image version. Updating this may result in breaking changes.

✅ This image version is up to date.

Change base image

Tag | Details | Pushed | Vulnerabilities
Tag: 8.4-alpine
Details: Minor runtime version update
Also known as:
  • 8.4.1-cli-alpine
  • 8.4.1-cli-alpine3.21
  • 8.4-cli-alpine
  • 8.4-cli-alpine3.21
  • 8-cli-alpine
  • 8-cli-alpine3.21
  • cli-alpine
  • cli-alpine3.21
  • alpine
  • alpine3.21
  • 8.4.1-alpine
  • 8.4.1-alpine3.21
  • 8.4-alpine3.21
  • 8-alpine
  • 8-alpine3.21
Benefits:
  • Same OS detected
  • Minor runtime version update
  • Image has similar size
  • Image has same number of vulnerabilities
  • Image contains equal number of packages
Image details:
  • Size: 42 MB
  • Flavor: alpine
  • OS: 3.21
  • Runtime: 8.4.1
Pushed: 5 days ago




github-actions bot commented Dec 12, 2024


🔍 Vulnerabilities of wayofdev/php-dev:latest

📦 Image Reference: wayofdev/php-dev:latest
digest: sha256:191cfc65137a9903b3180d08cc18d2e799ee63db2804784b929d9556185bc695
vulnerabilities: critical: 0 high: 1 medium: 0 low: 0
size: 109 MB
packages: 232
📦 Base Image: php:8-fpm-alpine
also known as:
  • 8-fpm-alpine3.21
  • 8.4-fpm-alpine
  • 8.4-fpm-alpine3.21
  • 8.4.1-fpm-alpine
  • 8.4.1-fpm-alpine3.21
  • fpm-alpine
  • fpm-alpine3.21
digest: sha256:661709ebd2995433800a6f617072d40a0c52a4f3abfae1db4d4a3e280b3ddaea
vulnerabilities: critical: 1 high: 0 medium: 0 low: 0
golang.org/x/crypto 0.17.0 (golang): critical: 0 high: 1 medium: 0 low: 0

pkg:golang/golang.org/x/crypto@v0.17.0

high : CVE-2024-45337 Improper Authorization

Affected range: <0.31.0
Fixed version: 0.31.0


github-actions bot commented Dec 12, 2024


🔍 Vulnerabilities of wayofdev/php-dev:latest

📦 Image Reference: wayofdev/php-dev:latest
digest: sha256:7ca2d49f9001b021f79e9d175423b0f9b6b0c3d2da8285dce5d6d4b37f5b414b
vulnerabilities: critical: 0 high: 1 medium: 0 low: 0
size: 134 MB
packages: 249
📦 Base Image: php:8-alpine
also known as:
  • 8-alpine3.21
  • 8-cli-alpine
  • 8-cli-alpine3.21
  • 8.4-alpine
  • 8.4-alpine3.21
  • 8.4-cli-alpine
  • 8.4-cli-alpine3.21
  • 8.4.1-alpine
  • 8.4.1-alpine3.21
  • 8.4.1-cli-alpine
  • 8.4.1-cli-alpine3.21
  • alpine
  • alpine3.21
  • cli-alpine
  • cli-alpine3.21
digest: sha256:6338c0bc70c8a8b1699fafac1cb0cb15d71825b2b8e7b131989d6f239daa8615
vulnerabilities: critical: 1 high: 0 medium: 0 low: 0
golang.org/x/crypto 0.17.0 (golang): critical: 0 high: 1 medium: 0 low: 0

pkg:golang/golang.org/x/crypto@v0.17.0

high : CVE-2024-45337 Improper Authorization

Affected range: <0.31.0
Fixed version: 0.31.0


github-actions bot commented Dec 12, 2024


🔍 Vulnerabilities of wayofdev/php-dev:latest

📦 Image Reference: wayofdev/php-dev:latest
digest: sha256:e5d671df39d24fd409fe5c383f157b54f36acaee8d44bd4baf5142a3639273a2
vulnerabilities: critical: 0 high: 1 medium: 0 low: 0
size: 115 MB
packages: 231
📦 Base Image: php:8-alpine
also known as:
  • 8-alpine3.21
  • 8-cli-alpine
  • 8-cli-alpine3.21
  • 8.4-alpine
  • 8.4-alpine3.21
  • 8.4-cli-alpine
  • 8.4-cli-alpine3.21
  • 8.4.1-alpine
  • 8.4.1-alpine3.21
  • 8.4.1-cli-alpine
  • 8.4.1-cli-alpine3.21
  • alpine
  • alpine3.21
  • cli-alpine
  • cli-alpine3.21
digest: sha256:6338c0bc70c8a8b1699fafac1cb0cb15d71825b2b8e7b131989d6f239daa8615
vulnerabilities: critical: 1 high: 0 medium: 0 low: 0
golang.org/x/crypto 0.17.0 (golang): critical: 0 high: 1 medium: 0 low: 0

pkg:golang/golang.org/x/crypto@v0.17.0

high : CVE-2024-45337 Improper Authorization

Affected range: <0.31.0
Fixed version: 0.31.0


github-actions bot commented Dec 12, 2024


🔍 Vulnerabilities of wayofdev/php-dev:latest

📦 Image Reference: wayofdev/php-dev:latest
digest: sha256:08b2c9b77556e546161ea00065442037b4e45ffab2adcaee51b06350479f269f
vulnerabilities: critical: 0 high: 1 medium: 0 low: 0
size: 109 MB
packages: 231
📦 Base Image: php:8.2-alpine
also known as:
  • 8.2-alpine3.21
  • 8.2-cli-alpine
  • 8.2-cli-alpine3.21
  • 8.2.26-alpine
  • 8.2.26-alpine3.21
  • 8.2.26-cli-alpine
  • 8.2.26-cli-alpine3.21
digest: sha256:e33a9aa217ea6f2f3891b2c01158e38f860f3ede767870953b6685cd2fa12c9e
vulnerabilities: critical: 1 high: 0 medium: 0 low: 0
golang.org/x/crypto 0.17.0 (golang): critical: 0 high: 1 medium: 0 low: 0

pkg:golang/golang.org/x/crypto@v0.17.0

high : CVE-2024-45337 Improper Authorization

Affected range: <0.31.0
Fixed version: 0.31.0


github-actions bot commented Dec 12, 2024


🔍 Vulnerabilities of wayofdev/php-dev:latest

📦 Image Reference: wayofdev/php-dev:latest
digest: sha256:66dce80eca8726632027290677fa5722cf51b73a993ac71a43bc79d22e0e9a6a
vulnerabilities: critical: 0 high: 1 medium: 0 low: 0
size: 128 MB
packages: 249
📦 Base Image: php:8.3-alpine
also known as:
  • 8.3-alpine3.21
  • 8.3-cli-alpine
  • 8.3-cli-alpine3.21
  • 8.3.14-alpine
  • 8.3.14-alpine3.21
  • 8.3.14-cli-alpine
  • 8.3.14-cli-alpine3.21
digest: sha256:41ab576a7fd2702a4921f50bc69be52460414e1d3a2d6e70676180e9ae8d4b78
vulnerabilities: critical: 1 high: 0 medium: 0 low: 0
golang.org/x/crypto 0.17.0 (golang): critical: 0 high: 1 medium: 0 low: 0

pkg:golang/golang.org/x/crypto@v0.17.0

high : CVE-2024-45337 Improper Authorization

Affected range: <0.31.0
Fixed version: 0.31.0


github-actions bot commented Dec 12, 2024


Recommended fixes for image wayofdev/php-dev:latest

Base image is php:8.2-alpine

Name: 8.2.26-alpine3.21
Digest: sha256:e33a9aa217ea6f2f3891b2c01158e38f860f3ede767870953b6685cd2fa12c9e
Vulnerabilities: critical: 1 high: 0 medium: 0 low: 0
Pushed: 5 days ago
Size: 36 MB
Packages: 52
Flavor: alpine
OS: 3.21
Runtime: 8.2.26
The base image is also available under the supported tag(s): 8.2-alpine3.21, 8.2-cli-alpine, 8.2-cli-alpine3.21, 8.2.26-alpine, 8.2.26-alpine3.21, 8.2.26-cli-alpine, 8.2.26-cli-alpine3.21

Refresh base image

Rebuild the image using a newer base image version. Updating this may result in breaking changes.

✅ This image version is up to date.

Change base image

Tag | Details | Pushed | Vulnerabilities
Tag: 8.4-alpine
Details: Minor runtime version update
Also known as:
  • 8.4.1-cli-alpine
  • 8.4.1-cli-alpine3.21
  • 8.4-cli-alpine
  • 8.4-cli-alpine3.21
  • 8-cli-alpine
  • 8-cli-alpine3.21
  • cli-alpine
  • cli-alpine3.21
  • alpine
  • alpine3.21
  • 8.4.1-alpine
  • 8.4.1-alpine3.21
  • 8.4-alpine3.21
  • 8-alpine
  • 8-alpine3.21
Benefits:
  • Same OS detected
  • Minor runtime version update
  • Image has similar size
  • Image has same number of vulnerabilities
  • Image contains equal number of packages
Image details:
  • Size: 42 MB
  • Flavor: alpine
  • OS: 3.21
  • Runtime: 8.4.1
Pushed: 5 days ago



Tag: 8.3-alpine
Details: Minor runtime version update
Also known as:
  • 8.3.14-cli-alpine
  • 8.3.14-cli-alpine3.21
  • 8.3-cli-alpine
  • 8.3-cli-alpine3.21
  • 8.3.14-alpine
  • 8.3.14-alpine3.21
  • 8.3-alpine3.21
Benefits:
  • Same OS detected
  • Minor runtime version update
  • Image has similar size
  • Image has same number of vulnerabilities
  • Image contains equal number of packages
Image details:
  • Size: 37 MB
  • Flavor: alpine
  • OS: 3.21
  • Runtime: 8.3.14
Pushed: 5 days ago




github-actions bot commented Dec 12, 2024


Recommended fixes for image wayofdev/php-dev:latest

Base image is php:8-fpm-alpine

Name: fpm-alpine3.21
Digest: sha256:661709ebd2995433800a6f617072d40a0c52a4f3abfae1db4d4a3e280b3ddaea
Vulnerabilities: critical: 1 high: 0 medium: 0 low: 0
Pushed: 5 days ago
Size: 36 MB
Packages: 53
Flavor: alpine
OS: 3.21
The base image is also available under the supported tag(s): 8-fpm-alpine3.21, 8.4-fpm-alpine, 8.4-fpm-alpine3.21, 8.4.1-fpm-alpine, 8.4.1-fpm-alpine3.21, fpm-alpine, fpm-alpine3.21

Refresh base image

Rebuild the image using a newer base image version. Updating this may result in breaking changes.

✅ This image version is up to date.

Change base image

Tag | Details | Pushed | Vulnerabilities
Tag: 8.1-fpm-alpine
Details: Minor runtime version update
Also known as:
  • 8.1.31-fpm-alpine
  • 8.1.31-fpm-alpine3.21
  • 8.1-fpm-alpine3.21
Benefits:
  • Same OS detected
  • Minor runtime version update
  • Image is smaller by 4.3 MB
  • Tag was pushed more recently
  • Image has same number of vulnerabilities
  • Image contains equal number of packages
  • 8.1-fpm-alpine is the fourth most popular tag with 18K pulls per month
Image details:
  • Size: 32 MB
  • Flavor: alpine
  • OS: 3.21
  • Runtime: 8.1.31
Pushed: 1 day ago



Tag: 8.3-fpm-alpine
Details: Minor runtime version update
Also known as:
  • 8.3.14-fpm-alpine
  • 8.3.14-fpm-alpine3.21
  • 8.3-fpm-alpine3.21
Benefits:
  • Same OS detected
  • Minor runtime version update
  • Image is smaller by 3.3 MB
  • Image has same number of vulnerabilities
  • Image contains equal number of packages
Image details:
  • Size: 33 MB
  • Flavor: alpine
  • OS: 3.21
  • Runtime: 8.3.14
Pushed: 5 days ago



Tag: 8.2-fpm-alpine
Details: Minor runtime version update
Also known as:
  • 8.2.26-fpm-alpine
  • 8.2.26-fpm-alpine3.21
  • 8.2-fpm-alpine3.21
Benefits:
  • Same OS detected
  • Minor runtime version update
  • Image is smaller by 3.9 MB
  • Image has same number of vulnerabilities
  • Image contains equal number of packages
  • 8.2-fpm-alpine was pulled 4.1K times last month
Image details:
  • Size: 32 MB
  • Flavor: alpine
  • OS: 3.21
  • Runtime: 8.2.26
Pushed: 5 days ago




github-actions bot commented Dec 12, 2024


Recommended fixes for image wayofdev/php-dev:latest

Base image is php:8-alpine

Name: 8.4.1-alpine3.21
Digest: sha256:6338c0bc70c8a8b1699fafac1cb0cb15d71825b2b8e7b131989d6f239daa8615
Vulnerabilities: critical: 1 high: 0 medium: 0 low: 0
Pushed: 5 days ago
Size: 42 MB
Packages: 52
Flavor: alpine
OS: 3.21
Runtime: 8.4.1
The base image is also available under the supported tag(s): 8-alpine3.21, 8-cli-alpine, 8-cli-alpine3.21, 8.4-alpine, 8.4-alpine3.21, 8.4-cli-alpine, 8.4-cli-alpine3.21, 8.4.1-alpine, 8.4.1-alpine3.21, 8.4.1-cli-alpine, 8.4.1-cli-alpine3.21, alpine, alpine3.21, cli-alpine, cli-alpine3.21

Refresh base image

Rebuild the image using a newer base image version. Updating this may result in breaking changes.

✅ This image version is up to date.

Change base image

✅ There are no tag recommendations at this time.


github-actions bot commented Dec 12, 2024

Recommended fixes for image wayofdev/php-dev:latest

Base image is php:8.3-alpine

Name: 8.3.14-alpine3.21
Digest: sha256:41ab576a7fd2702a4921f50bc69be52460414e1d3a2d6e70676180e9ae8d4b78
Vulnerabilities: critical: 1 high: 0 medium: 0 low: 0
Pushed: 5 days ago
Size: 37 MB
Packages: 52
Flavor: alpine
OS: 3.21
Runtime: 8.3.14
The base image is also available under the supported tag(s): 8.3-alpine3.21, 8.3-cli-alpine, 8.3-cli-alpine3.21, 8.3.14-alpine, 8.3.14-alpine3.21, 8.3.14-cli-alpine, 8.3.14-cli-alpine3.21

Refresh base image

Rebuild the image using a newer base image version. Updating this may result in breaking changes.

✅ This image version is up to date.

Change base image

Tag / Details / Pushed / Vulnerabilities
8.4-alpine
Minor runtime version update
Also known as:
  • 8.4.1-cli-alpine
  • 8.4.1-cli-alpine3.21
  • 8.4-cli-alpine
  • 8.4-cli-alpine3.21
  • 8-cli-alpine
  • 8-cli-alpine3.21
  • cli-alpine
  • cli-alpine3.21
  • alpine
  • alpine3.21
  • 8.4.1-alpine
  • 8.4.1-alpine3.21
  • 8.4-alpine3.21
  • 8-alpine
  • 8-alpine3.21
Benefits:
  • Same OS detected
  • Minor runtime version update
  • Image has similar size
  • Image has same number of vulnerabilities
  • Image contains equal number of packages
Image details:
  • Size: 42 MB
  • Flavor: alpine
  • OS: 3.21
  • Runtime: 8.4.1
5 days ago



github-actions bot commented Dec 12, 2024

🔍 Vulnerabilities of wayofdev/php-dev:latest

📦 Image Reference wayofdev/php-dev:latest
digest: sha256:f0a092b6d98865efc81081256ea92722758900a7d687ee518d43a6eb62871306
vulnerabilities: critical: 0 high: 1 medium: 0 low: 0
size: 127 MB
packages: 249
📦 Base Image php:8.1-alpine
also known as
  • 8.1-alpine3.21
  • 8.1-cli-alpine
  • 8.1-cli-alpine3.21
  • 8.1.31-alpine
  • 8.1.31-alpine3.21
  • 8.1.31-cli-alpine
  • 8.1.31-cli-alpine3.21
digest: sha256:b217029b5db5f0784a5e00c57280685a4c2f009a970e6b32bb415eba6ca5ae7c
vulnerabilities: critical: 1 high: 0 medium: 0 low: 0

critical: 0 high: 1 medium: 0 low: 0 golang.org/x/crypto 0.17.0 (golang)

pkg:golang/golang.org/x/[email protected]

high : CVE-2024-45337 Improper Authorization

Affected range: <0.31.0
Fixed version: 0.31.0
Description

Applications and libraries which misuse the ServerConfig.PublicKeyCallback callback may be susceptible to an authorization bypass.

The documentation for ServerConfig.PublicKeyCallback says that "A call to this function does not guarantee that the key offered is in fact used to authenticate." Specifically, the SSH protocol allows clients to inquire about whether a public key is acceptable before proving control of the corresponding private key. PublicKeyCallback may be called with multiple keys, and the order in which the keys were provided cannot be used to infer which key the client successfully authenticated with, if any. Some applications, which store the key(s) passed to PublicKeyCallback (or derived information) and make security relevant determinations based on it once the connection is established, may make incorrect assumptions.

For example, an attacker may send public keys A and B, and then authenticate with A. PublicKeyCallback would be called only twice, first with A and then with B. A vulnerable application may then make authorization decisions based on key B for which the attacker does not actually control the private key.

Since this API is widely misused, as a partial mitigation golang.org/x/[email protected] enforces the property that, when successfully authenticating via public key, the last key passed to ServerConfig.PublicKeyCallback will be the key used to authenticate the connection. PublicKeyCallback will now be called multiple times with the same key, if necessary. Note that the client may still not control the last key passed to PublicKeyCallback if the connection is then authenticated with a different method, such as PasswordCallback, KeyboardInteractiveCallback, or NoClientAuth.

Users should be using the Extensions field of the Permissions return value from the various authentication callbacks to record data associated with the authentication attempt instead of referencing external state. Once the connection is established the state corresponding to the successful authentication attempt can be retrieved via the ServerConn.Permissions field. Note that some third-party libraries misuse the Permissions type by sharing it across authentication attempts; users of third-party libraries should refer to the relevant projects for guidance.

github-actions bot commented Dec 12, 2024

🔍 Vulnerabilities of wayofdev/php-dev:latest

📦 Image Reference wayofdev/php-dev:latest
digest: sha256:9db2530b094f02e1f536b51e5c1692afd2ff398df2fd19a91789ff3393b0b647
vulnerabilities: critical: 0 high: 1 medium: 0 low: 0
size: 109 MB
packages: 231
📦 Base Image php:8.1-alpine
also known as
  • 8.1-alpine3.21
  • 8.1-cli-alpine
  • 8.1-cli-alpine3.21
  • 8.1.31-alpine
  • 8.1.31-alpine3.21
  • 8.1.31-cli-alpine
  • 8.1.31-cli-alpine3.21
digest: sha256:b217029b5db5f0784a5e00c57280685a4c2f009a970e6b32bb415eba6ca5ae7c
vulnerabilities: critical: 1 high: 0 medium: 0 low: 0

critical: 0 high: 1 medium: 0 low: 0 golang.org/x/crypto 0.17.0 (golang)

pkg:golang/golang.org/x/[email protected]

high : CVE-2024-45337 Improper Authorization

Affected range: <0.31.0
Fixed version: 0.31.0

github-actions bot commented Dec 12, 2024

Recommended fixes for image wayofdev/php-dev:latest

Base image is php:8.1-alpine

Name: 8.1.31-alpine3.21
Digest: sha256:b217029b5db5f0784a5e00c57280685a4c2f009a970e6b32bb415eba6ca5ae7c
Vulnerabilities: critical: 1 high: 0 medium: 0 low: 0
Pushed: 1 day ago
Size: 36 MB
Packages: 52
Flavor: alpine
OS: 3.21
Runtime: 8.1.31
The base image is also available under the supported tag(s): 8.1-alpine3.21, 8.1-cli-alpine, 8.1-cli-alpine3.21, 8.1.31-alpine, 8.1.31-alpine3.21, 8.1.31-cli-alpine, 8.1.31-cli-alpine3.21

Refresh base image

Rebuild the image using a newer base image version. Updating this may result in breaking changes.

✅ This image version is up to date.

Change base image

Tag / Details / Pushed / Vulnerabilities
8.4-alpine
Minor runtime version update
Also known as:
  • 8.4.1-cli-alpine
  • 8.4.1-cli-alpine3.21
  • 8.4-cli-alpine
  • 8.4-cli-alpine3.21
  • 8-cli-alpine
  • 8-cli-alpine3.21
  • cli-alpine
  • cli-alpine3.21
  • alpine
  • alpine3.21
  • 8.4.1-alpine
  • 8.4.1-alpine3.21
  • 8.4-alpine3.21
  • 8-alpine
  • 8-alpine3.21
Benefits:
  • Same OS detected
  • Minor runtime version update
  • Image has similar size
  • Image has same number of vulnerabilities
  • Image contains equal number of packages
Image details:
  • Size: 42 MB
  • Flavor: alpine
  • OS: 3.21
  • Runtime: 8.4.1
5 days ago



8.3-alpine
Minor runtime version update
Also known as:
  • 8.3.14-cli-alpine
  • 8.3.14-cli-alpine3.21
  • 8.3-cli-alpine
  • 8.3-cli-alpine3.21
  • 8.3.14-alpine
  • 8.3.14-alpine3.21
  • 8.3-alpine3.21
Benefits:
  • Same OS detected
  • Minor runtime version update
  • Image has similar size
  • Image has same number of vulnerabilities
  • Image contains equal number of packages
Image details:
  • Size: 37 MB
  • Flavor: alpine
  • OS: 3.21
  • Runtime: 8.3.14
5 days ago



8.2-alpine
Minor runtime version update
Also known as:
  • 8.2.26-cli-alpine
  • 8.2.26-cli-alpine3.21
  • 8.2-cli-alpine
  • 8.2-cli-alpine3.21
  • 8.2.26-alpine
  • 8.2.26-alpine3.21
  • 8.2-alpine3.21
Benefits:
  • Same OS detected
  • Minor runtime version update
  • Image has similar size
  • Image has same number of vulnerabilities
  • Image contains equal number of packages
  • 8.2-alpine was pulled 1.8K times last month
Image details:
  • Size: 36 MB
  • Flavor: alpine
  • OS: 3.21
  • Runtime: 8.2.26
5 days ago






github-actions bot commented Dec 12, 2024

🔍 Vulnerabilities of wayofdev/php-dev:latest

📦 Image Reference wayofdev/php-dev:latest
digest: sha256:77d70ff0e2b71b91916b99a5ef417f428681820dbf5317ae5731727db43c1006
vulnerabilities: critical: 0 high: 1 medium: 0 low: 0
size: 105 MB
packages: 232
📦 Base Image php:8.3-fpm-alpine
also known as
  • 8.3-fpm-alpine3.21
  • 8.3.14-fpm-alpine
  • 8.3.14-fpm-alpine3.21
digest: sha256:2195efdc39294f113863a8af61fac333817b0382b7421252fc975605260f6668
vulnerabilities: critical: 1 high: 0 medium: 0 low: 0

critical: 0 high: 1 medium: 0 low: 0 golang.org/x/crypto 0.17.0 (golang)

pkg:golang/golang.org/x/[email protected]

high : CVE-2024-45337 Improper Authorization

Affected range: <0.31.0
Fixed version: 0.31.0

🔍 Vulnerabilities of wayofdev/php-dev:latest

📦 Image Reference wayofdev/php-dev:latest
digest: sha256:7df257c2c0b592ac258fbe4dc2ebe6c48f43222bfd398f905637b4bb4c659947
vulnerabilities: critical: 0 high: 1 medium: 0 low: 0
size: 128 MB
packages: 249
📦 Base Image php:8.2-alpine
also known as
  • 8.2-alpine3.21
  • 8.2-cli-alpine
  • 8.2-cli-alpine3.21
  • 8.2.26-alpine
  • 8.2.26-alpine3.21
  • 8.2.26-cli-alpine
  • 8.2.26-cli-alpine3.21
digest: sha256:e33a9aa217ea6f2f3891b2c01158e38f860f3ede767870953b6685cd2fa12c9e
vulnerabilities: critical: 1 high: 0 medium: 0 low: 0

critical: 0 high: 1 medium: 0 low: 0 golang.org/x/crypto 0.17.0 (golang)

pkg:golang/golang.org/x/[email protected]

high : CVE-2024-45337 Improper Authorization

Affected range: <0.31.0
Fixed version: 0.31.0

🔍 Vulnerabilities of wayofdev/php-dev:latest

📦 Image Reference wayofdev/php-dev:latest
digest: sha256:b5f6b82296a570dc724272dbfcccc309d0c0d81bfd60150479e8474934e505c8
vulnerabilities: critical: 0 high: 1 medium: 0 low: 0
size: 104 MB
packages: 232
📦 Base Image php:8.1-fpm-alpine
also known as
  • 8.1-fpm-alpine3.21
  • 8.1.31-fpm-alpine
  • 8.1.31-fpm-alpine3.21
digest: sha256:fa457eee5e53a8d4aff21bd0d78a3cbcd7f98b8def81218a8f0d98dd8cbd029b
vulnerabilities: critical: 1 high: 0 medium: 0 low: 0

critical: 0 high: 1 medium: 0 low: 0 golang.org/x/crypto 0.17.0 (golang)

pkg:golang/golang.org/x/[email protected]

high : CVE-2024-45337 Improper Authorization

Affected range: <0.31.0
Fixed version: 0.31.0

github-actions bot commented Dec 12, 2024

Recommended fixes for image wayofdev/php-dev:latest

Base image is php:8.3-fpm-alpine

Name: 8.3.14-fpm-alpine3.21
Digest: sha256:2195efdc39294f113863a8af61fac333817b0382b7421252fc975605260f6668
Vulnerabilities: critical: 1 high: 0 medium: 0 low: 0
Pushed: 5 days ago
Size: 33 MB
Packages: 53
Flavor: alpine
OS: 3.21
Runtime: 8.3.14
The base image is also available under the supported tag(s): 8.3-fpm-alpine3.21, 8.3.14-fpm-alpine, 8.3.14-fpm-alpine3.21

Refresh base image

Rebuild the image using a newer base image version. Updating this may result in breaking changes.

✅ This image version is up to date.

Change base image

Tag / Details / Pushed / Vulnerabilities
8.4-fpm-alpine
Image has same number of vulnerabilities
Also known as:
  • 8.4.1-fpm-alpine
  • 8.4.1-fpm-alpine3.21
  • 8.4-fpm-alpine3.21
  • 8-fpm-alpine
  • 8-fpm-alpine3.21
  • fpm-alpine
  • fpm-alpine3.21
Benefits:
  • Same OS detected
  • Image has similar size
  • Image has same number of vulnerabilities
  • Image contains equal number of packages
Image details:
  • Size: 36 MB
  • Flavor: alpine
  • OS: 3.21
5 days ago



Recommended fixes for image wayofdev/php-dev:latest

Base image is php:8.1-fpm-alpine

Name: 8.1.31-fpm-alpine3.21
Digest: sha256:fa457eee5e53a8d4aff21bd0d78a3cbcd7f98b8def81218a8f0d98dd8cbd029b
Vulnerabilities: critical: 1 high: 0 medium: 0 low: 0
Pushed: 1 day ago
Size: 32 MB
Packages: 53
Flavor: alpine
OS: 3.21
Runtime: 8.1.31
The base image is also available under the supported tag(s): 8.1-fpm-alpine3.21, 8.1.31-fpm-alpine, 8.1.31-fpm-alpine3.21

Refresh base image

Rebuild the image using a newer base image version. Updating this may result in breaking changes.

✅ This image version is up to date.

Change base image

Tag / Details / Pushed / Vulnerabilities
8.3-fpm-alpine
Minor runtime version update
Also known as:
  • 8.3.14-fpm-alpine
  • 8.3.14-fpm-alpine3.21
  • 8.3-fpm-alpine3.21
Benefits:
  • Same OS detected
  • Minor runtime version update
  • Image has similar size
  • Image has same number of vulnerabilities
  • Image contains equal number of packages
Image details:
  • Size: 33 MB
  • Flavor: alpine
  • OS: 3.21
  • Runtime: 8.3.14
5 days ago



8.2-fpm-alpine
Minor runtime version update
Also known as:
  • 8.2.26-fpm-alpine
  • 8.2.26-fpm-alpine3.21
  • 8.2-fpm-alpine3.21
Benefits:
  • Same OS detected
  • Minor runtime version update
  • Image has similar size
  • Image has same number of vulnerabilities
  • Image contains equal number of packages
  • 8.2-fpm-alpine was pulled 4.1K times last month
Image details:
  • Size: 32 MB
  • Flavor: alpine
  • OS: 3.21
  • Runtime: 8.2.26
5 days ago



8.4-fpm-alpine
Image has same number of vulnerabilities
Also known as:
  • 8.4.1-fpm-alpine
  • 8.4.1-fpm-alpine3.21
  • 8.4-fpm-alpine3.21
  • 8-fpm-alpine
  • 8-fpm-alpine3.21
  • fpm-alpine
  • fpm-alpine3.21
Benefits:
  • Same OS detected
  • Image has similar size
  • Image has same number of vulnerabilities
  • Image contains equal number of packages
Image details:
  • Size: 36 MB
  • Flavor: alpine
  • OS: 3.21
5 days ago



Recommended fixes for image wayofdev/php-dev:latest

Base image is php:8.2-alpine

Name: 8.2.26-alpine3.21
Digest: sha256:e33a9aa217ea6f2f3891b2c01158e38f860f3ede767870953b6685cd2fa12c9e
Vulnerabilities: critical: 1 high: 0 medium: 0 low: 0
Pushed: 5 days ago
Size: 36 MB
Packages: 52
Flavor: alpine
OS: 3.21
Runtime: 8.2.26
The base image is also available under the supported tag(s): 8.2-alpine3.21, 8.2-cli-alpine, 8.2-cli-alpine3.21, 8.2.26-alpine, 8.2.26-alpine3.21, 8.2.26-cli-alpine, 8.2.26-cli-alpine3.21

Refresh base image

Rebuild the image using a newer base image version. Updating this may result in breaking changes.

✅ This image version is up to date.

Change base image

Tag / Details / Pushed / Vulnerabilities
8.4-alpine
Minor runtime version update
Also known as:
  • 8.4.1-cli-alpine
  • 8.4.1-cli-alpine3.21
  • 8.4-cli-alpine
  • 8.4-cli-alpine3.21
  • 8-cli-alpine
  • 8-cli-alpine3.21
  • cli-alpine
  • cli-alpine3.21
  • alpine
  • alpine3.21
  • 8.4.1-alpine
  • 8.4.1-alpine3.21
  • 8.4-alpine3.21
  • 8-alpine
  • 8-alpine3.21
Benefits:
  • Same OS detected
  • Minor runtime version update
  • Image has similar size
  • Image has same number of vulnerabilities
  • Image contains equal number of packages
Image details:
  • Size: 42 MB
  • Flavor: alpine
  • OS: 3.21
  • Runtime: 8.4.1
5 days ago



8.3-alpine
Minor runtime version update
Also known as:
  • 8.3.14-cli-alpine
  • 8.3.14-cli-alpine3.21
  • 8.3-cli-alpine
  • 8.3-cli-alpine3.21
  • 8.3.14-alpine
  • 8.3.14-alpine3.21
  • 8.3-alpine3.21
Benefits:
  • Same OS detected
  • Minor runtime version update
  • Image has similar size
  • Image has same number of vulnerabilities
  • Image contains equal number of packages
Image details:
  • Size: 37 MB
  • Flavor: alpine
  • OS: 3.21
  • Runtime: 8.3.14
5 days ago



@way-finder-bot way-finder-bot self-requested a review December 12, 2024 14:55
@way-finder-bot way-finder-bot self-assigned this Dec 12, 2024
@renovate renovate bot merged commit cc300d0 into master Dec 12, 2024
20 checks passed
@renovate renovate bot deleted the renovate/ansible-ansible-lint-24.x branch December 12, 2024 14:55
Labels
type: maintenance For maintenance, refactor and testing (perf, chore, style, revert, refactor, test, build, ci)
1 participant