Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

deps(deps): update wagoid/commitlint-github-action action to v6.2.0 #75

Merged
merged 1 commit into from
Dec 16, 2024

Conversation

renovate[bot]
Copy link
Contributor

@renovate renovate bot commented Dec 16, 2024

This PR contains the following updates:

Package Type Update Change
wagoid/commitlint-github-action action minor v6.1.2 -> v6.2.0

Release Notes

wagoid/commitlint-github-action (wagoid/commitlint-github-action)

v6.2.0

Compare Source


Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate bot enabled auto-merge (squash) December 16, 2024 13:27
@renovate renovate bot requested a review from lotyp as a code owner December 16, 2024 13:27
@github-actions github-actions bot added the type: maintenance For maintenance, refactor and testing (perf, chore, style, revert, refactor, test, build, ci) label Dec 16, 2024
Copy link

github-actions bot commented Dec 16, 2024

Outdated

🔍 Vulnerabilities of wayofdev/php-dev:latest

📦 Image Reference wayofdev/php-dev:latest
digestsha256:a8b666b3c86a8ab68c93a29cec53cf2eb28c7049cebcc65653c1dec6038886cb
vulnerabilitiescritical: 1 high: 0 medium: 0 low: 0
platformlinux/amd64
size105 MB
packages232
📦 Base Image php:8.2-fpm-alpine
also known as
  • 8.2-fpm-alpine3.21
  • 8.2.26-fpm-alpine
  • 8.2.26-fpm-alpine3.21
digestsha256:c40255b7011a41c628d0120383a267bc9d7426eab0cc538ae0d58c935000ae20
vulnerabilitiescritical: 0 high: 0 medium: 0 low: 1
critical: 1 high: 0 medium: 0 low: 0 golang.org/x/crypto 0.17.0 (golang)

pkg:golang/golang.org/x/[email protected]

critical 9.1: CVE--2024--45337 Improper Authorization

Affected range<0.31.0
Fixed version0.31.0
CVSS Score9.1
CVSS VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
EPSS Score0.045%
EPSS Percentile18th percentile
Description

Applications and libraries which misuse the ServerConfig.PublicKeyCallback callback may be susceptible to an authorization bypass.

The documentation for ServerConfig.PublicKeyCallback says that "A call to this function does not guarantee that the key offered is in fact used to authenticate." Specifically, the SSH protocol allows clients to inquire about whether a public key is acceptable before proving control of the corresponding private key. PublicKeyCallback may be called with multiple keys, and the order in which the keys were provided cannot be used to infer which key the client successfully authenticated with, if any. Some applications, which store the key(s) passed to PublicKeyCallback (or derived information) and make security relevant determinations based on it once the connection is established, may make incorrect assumptions.

For example, an attacker may send public keys A and B, and then authenticate with A. PublicKeyCallback would be called only twice, first with A and then with B. A vulnerable application may then make authorization decisions based on key B for which the attacker does not actually control the private key.

Since this API is widely misused, as a partial mitigation golang.org/x/[email protected] enforces the property that, when successfully authenticating via public key, the last key passed to ServerConfig.PublicKeyCallback will be the key used to authenticate the connection. PublicKeyCallback will now be called multiple times with the same key, if necessary. Note that the client may still not control the last key passed to PublicKeyCallback if the connection is then authenticated with a different method, such as PasswordCallback, KeyboardInteractiveCallback, or NoClientAuth.

Users should be using the Extensions field of the Permissions return value from the various authentication callbacks to record data associated with the authentication attempt instead of referencing external state. Once the connection is established the state corresponding to the successful authentication attempt can be retrieved via the ServerConn.Permissions field. Note that some third-party libraries misuse the Permissions type by sharing it across authentication attempts; users of third-party libraries should refer to the relevant projects for guidance.

Copy link

github-actions bot commented Dec 16, 2024

Outdated

Recommended fixes for image wayofdev/php-dev:latest

Base image is php:8.2-fpm-alpine

Name8.2.26-fpm-alpine3.21
Digestsha256:c40255b7011a41c628d0120383a267bc9d7426eab0cc538ae0d58c935000ae20
Vulnerabilitiescritical: 0 high: 0 medium: 0 low: 1
Pushed1 week ago
Size32 MB
Packages53
Flavoralpine
OS3.21
Runtime8.2.26
The base image is also available under the supported tag(s): 8.2-fpm-alpine3.21, 8.2.26-fpm-alpine, 8.2.26-fpm-alpine3.21

Refresh base image

Rebuild the image using a newer base image version. Updating this may result in breaking changes.

✅ This image version is up to date.

Change base image

TagDetailsPushedVulnerabilities
8.3-fpm-alpine
Minor runtime version update
Also known as:
  • 8.3.14-fpm-alpine
  • 8.3.14-fpm-alpine3.21
  • 8.3-fpm-alpine3.21
Benefits:
  • Same OS detected
  • Minor runtime version update
  • Image has similar size
  • Image has same number of vulnerabilities
  • Image contains equal number of packages
Image details:
  • Size: 33 MB
  • Flavor: alpine
  • OS: 3.21
  • Runtime: 8.3.14
1 week ago



8.4-fpm-alpine
Image has same number of vulnerabilities
Also known as:
  • 8.4.1-fpm-alpine
  • 8.4.1-fpm-alpine3.21
  • 8.4-fpm-alpine3.21
  • 8-fpm-alpine
  • 8-fpm-alpine3.21
  • fpm-alpine
  • fpm-alpine3.21
Benefits:
  • Same OS detected
  • Image has similar size
  • Image has same number of vulnerabilities
  • Image contains equal number of packages
Image details:
  • Size: 36 MB
  • Flavor: alpine
  • OS: 3.21
1 week ago



Copy link

github-actions bot commented Dec 16, 2024

Outdated

🔍 Vulnerabilities of wayofdev/php-dev:latest

📦 Image Reference wayofdev/php-dev:latest
digestsha256:d00e05ab98b004d0ff64bdf7bafaa6a8e9d092171612bbd645f5ea525cf33c8d
vulnerabilitiescritical: 1 high: 0 medium: 0 low: 0
platformlinux/amd64
size104 MB
packages232
📦 Base Image php:8.1-fpm-alpine
also known as
  • 8.1-fpm-alpine3.21
  • 8.1.31-fpm-alpine
  • 8.1.31-fpm-alpine3.21
digestsha256:fa457eee5e53a8d4aff21bd0d78a3cbcd7f98b8def81218a8f0d98dd8cbd029b
vulnerabilitiescritical: 0 high: 0 medium: 0 low: 1
critical: 1 high: 0 medium: 0 low: 0 golang.org/x/crypto 0.17.0 (golang)

pkg:golang/golang.org/x/[email protected]

critical 9.1: CVE--2024--45337 Improper Authorization

Affected range<0.31.0
Fixed version0.31.0
CVSS Score9.1
CVSS VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
EPSS Score0.045%
EPSS Percentile18th percentile
Description

Applications and libraries which misuse the ServerConfig.PublicKeyCallback callback may be susceptible to an authorization bypass.

The documentation for ServerConfig.PublicKeyCallback says that "A call to this function does not guarantee that the key offered is in fact used to authenticate." Specifically, the SSH protocol allows clients to inquire about whether a public key is acceptable before proving control of the corresponding private key. PublicKeyCallback may be called with multiple keys, and the order in which the keys were provided cannot be used to infer which key the client successfully authenticated with, if any. Some applications, which store the key(s) passed to PublicKeyCallback (or derived information) and make security relevant determinations based on it once the connection is established, may make incorrect assumptions.

For example, an attacker may send public keys A and B, and then authenticate with A. PublicKeyCallback would be called only twice, first with A and then with B. A vulnerable application may then make authorization decisions based on key B for which the attacker does not actually control the private key.

Since this API is widely misused, as a partial mitigation golang.org/x/[email protected] enforces the property that, when successfully authenticating via public key, the last key passed to ServerConfig.PublicKeyCallback will be the key used to authenticate the connection. PublicKeyCallback will now be called multiple times with the same key, if necessary. Note that the client may still not control the last key passed to PublicKeyCallback if the connection is then authenticated with a different method, such as PasswordCallback, KeyboardInteractiveCallback, or NoClientAuth.

Users should be using the Extensions field of the Permissions return value from the various authentication callbacks to record data associated with the authentication attempt instead of referencing external state. Once the connection is established the state corresponding to the successful authentication attempt can be retrieved via the ServerConn.Permissions field. Note that some third-party libraries misuse the Permissions type by sharing it across authentication attempts; users of third-party libraries should refer to the relevant projects for guidance.

Copy link

github-actions bot commented Dec 16, 2024

Outdated

🔍 Vulnerabilities of wayofdev/php-dev:latest

📦 Image Reference wayofdev/php-dev:latest
digestsha256:077c91f9ac018f647e2a52a62b3c388d0699542a3f3ed6b06d1a2ad126b1bc38
vulnerabilitiescritical: 1 high: 0 medium: 0 low: 0
platformlinux/amd64
size109 MB
packages231
📦 Base Image php:8.1-alpine
also known as
  • 8.1-alpine3.21
  • 8.1-cli-alpine
  • 8.1-cli-alpine3.21
  • 8.1.31-alpine
  • 8.1.31-alpine3.21
  • 8.1.31-cli-alpine
  • 8.1.31-cli-alpine3.21
digestsha256:b217029b5db5f0784a5e00c57280685a4c2f009a970e6b32bb415eba6ca5ae7c
vulnerabilitiescritical: 0 high: 0 medium: 0 low: 1
critical: 1 high: 0 medium: 0 low: 0 golang.org/x/crypto 0.17.0 (golang)

pkg:golang/golang.org/x/[email protected]

critical 9.1: CVE--2024--45337 Improper Authorization

Affected range<0.31.0
Fixed version0.31.0
CVSS Score9.1
CVSS VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
EPSS Score0.045%
EPSS Percentile18th percentile
Description

Applications and libraries which misuse the ServerConfig.PublicKeyCallback callback may be susceptible to an authorization bypass.

The documentation for ServerConfig.PublicKeyCallback says that "A call to this function does not guarantee that the key offered is in fact used to authenticate." Specifically, the SSH protocol allows clients to inquire about whether a public key is acceptable before proving control of the corresponding private key. PublicKeyCallback may be called with multiple keys, and the order in which the keys were provided cannot be used to infer which key the client successfully authenticated with, if any. Some applications, which store the key(s) passed to PublicKeyCallback (or derived information) and make security relevant determinations based on it once the connection is established, may make incorrect assumptions.

For example, an attacker may send public keys A and B, and then authenticate with A. PublicKeyCallback would be called only twice, first with A and then with B. A vulnerable application may then make authorization decisions based on key B for which the attacker does not actually control the private key.

Since this API is widely misused, as a partial mitigation golang.org/x/[email protected] enforces the property that, when successfully authenticating via public key, the last key passed to ServerConfig.PublicKeyCallback will be the key used to authenticate the connection. PublicKeyCallback will now be called multiple times with the same key, if necessary. Note that the client may still not control the last key passed to PublicKeyCallback if the connection is then authenticated with a different method, such as PasswordCallback, KeyboardInteractiveCallback, or NoClientAuth.

Users should be using the Extensions field of the Permissions return value from the various authentication callbacks to record data associated with the authentication attempt instead of referencing external state. Once the connection is established the state corresponding to the successful authentication attempt can be retrieved via the ServerConn.Permissions field. Note that some third-party libraries misuse the Permissions type by sharing it across authentication attempts; users of third-party libraries should refer to the relevant projects for guidance.

Copy link

github-actions bot commented Dec 16, 2024

Outdated

🔍 Vulnerabilities of wayofdev/php-dev:latest

📦 Image Reference wayofdev/php-dev:latest
digestsha256:e5b6ec19b4fbde3e4e5d0a991f37e9aeb405d9128e6fc9b77dcedf0ad104a550
vulnerabilitiescritical: 1 high: 0 medium: 0 low: 0
platformlinux/amd64
size128 MB
packages249
📦 Base Image php:8.2-alpine
also known as
  • 8.2-alpine3.21
  • 8.2-cli-alpine
  • 8.2-cli-alpine3.21
  • 8.2.26-alpine
  • 8.2.26-alpine3.21
  • 8.2.26-cli-alpine
  • 8.2.26-cli-alpine3.21
digestsha256:e33a9aa217ea6f2f3891b2c01158e38f860f3ede767870953b6685cd2fa12c9e
vulnerabilitiescritical: 0 high: 0 medium: 0 low: 1
critical: 1 high: 0 medium: 0 low: 0 golang.org/x/crypto 0.17.0 (golang)

pkg:golang/golang.org/x/[email protected]

critical 9.1: CVE--2024--45337 Improper Authorization

Affected range<0.31.0
Fixed version0.31.0
CVSS Score9.1
CVSS VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
EPSS Score0.045%
EPSS Percentile18th percentile
Description

Applications and libraries which misuse the ServerConfig.PublicKeyCallback callback may be susceptible to an authorization bypass.

The documentation for ServerConfig.PublicKeyCallback says that "A call to this function does not guarantee that the key offered is in fact used to authenticate." Specifically, the SSH protocol allows clients to inquire about whether a public key is acceptable before proving control of the corresponding private key. PublicKeyCallback may be called with multiple keys, and the order in which the keys were provided cannot be used to infer which key the client successfully authenticated with, if any. Some applications, which store the key(s) passed to PublicKeyCallback (or derived information) and make security relevant determinations based on it once the connection is established, may make incorrect assumptions.

For example, an attacker may send public keys A and B, and then authenticate with A. PublicKeyCallback would be called only twice, first with A and then with B. A vulnerable application may then make authorization decisions based on key B for which the attacker does not actually control the private key.

Since this API is widely misused, as a partial mitigation golang.org/x/[email protected] enforces the property that, when successfully authenticating via public key, the last key passed to ServerConfig.PublicKeyCallback will be the key used to authenticate the connection. PublicKeyCallback will now be called multiple times with the same key, if necessary. Note that the client may still not control the last key passed to PublicKeyCallback if the connection is then authenticated with a different method, such as PasswordCallback, KeyboardInteractiveCallback, or NoClientAuth.

Users should be using the Extensions field of the Permissions return value from the various authentication callbacks to record data associated with the authentication attempt instead of referencing external state. Once the connection is established the state corresponding to the successful authentication attempt can be retrieved via the ServerConn.Permissions field. Note that some third-party libraries misuse the Permissions type by sharing it across authentication attempts; users of third-party libraries should refer to the relevant projects for guidance.

Copy link

github-actions bot commented Dec 16, 2024

Outdated

Recommended fixes for image wayofdev/php-dev:latest

Base image is php:8.1-alpine

Name8.1.31-alpine3.21
Digestsha256:b217029b5db5f0784a5e00c57280685a4c2f009a970e6b32bb415eba6ca5ae7c
Vulnerabilitiescritical: 0 high: 0 medium: 0 low: 1
Pushed5 days ago
Size36 MB
Packages52
Flavoralpine
OS3.21
Runtime8.1.31
The base image is also available under the supported tag(s): 8.1-alpine3.21, 8.1-cli-alpine, 8.1-cli-alpine3.21, 8.1.31-alpine, 8.1.31-alpine3.21, 8.1.31-cli-alpine, 8.1.31-cli-alpine3.21

Refresh base image

Rebuild the image using a newer base image version. Updating this may result in breaking changes.

✅ This image version is up to date.

Change base image

TagDetailsPushedVulnerabilities
8.4-alpine
Minor runtime version update
Also known as:
  • 8.4.1-cli-alpine
  • 8.4.1-cli-alpine3.21
  • 8.4-cli-alpine
  • 8.4-cli-alpine3.21
  • 8-cli-alpine
  • 8-cli-alpine3.21
  • cli-alpine
  • cli-alpine3.21
  • alpine
  • alpine3.21
  • 8.4.1-alpine
  • 8.4.1-alpine3.21
  • 8.4-alpine3.21
  • 8-alpine
  • 8-alpine3.21
Benefits:
  • Same OS detected
  • Minor runtime version update
  • Image has similar size
  • Image has same number of vulnerabilities
  • Image contains equal number of packages
Image details:
  • Size: 42 MB
  • Flavor: alpine
  • OS: 3.21
  • Runtime: 8.4.1
1 week ago



8.3-alpine
Minor runtime version update
Also known as:
  • 8.3.14-cli-alpine
  • 8.3.14-cli-alpine3.21
  • 8.3-cli-alpine
  • 8.3-cli-alpine3.21
  • 8.3.14-alpine
  • 8.3.14-alpine3.21
  • 8.3-alpine3.21
Benefits:
  • Same OS detected
  • Minor runtime version update
  • Image has similar size
  • Image has same number of vulnerabilities
  • Image contains equal number of packages
Image details:
  • Size: 37 MB
  • Flavor: alpine
  • OS: 3.21
  • Runtime: 8.3.14
1 week ago



8.2-alpine
Minor runtime version update
Also known as:
  • 8.2.26-cli-alpine
  • 8.2.26-cli-alpine3.21
  • 8.2-cli-alpine
  • 8.2-cli-alpine3.21
  • 8.2.26-alpine
  • 8.2.26-alpine3.21
  • 8.2-alpine3.21
Benefits:
  • Same OS detected
  • Minor runtime version update
  • Image has similar size
  • Image has same number of vulnerabilities
  • Image contains equal number of packages
  • 8.2-alpine was pulled 1.8K times last month
Image details:
  • Size: 36 MB
  • Flavor: alpine
  • OS: 3.21
  • Runtime: 8.2.26
1 week ago



Copy link

github-actions bot commented Dec 16, 2024

Outdated

🔍 Vulnerabilities of wayofdev/php-dev:latest

📦 Image Reference wayofdev/php-dev:latest
digestsha256:a947bb6b28d689dd3bd76752d632daf8b0ece2415afdd69b373e8ab46c09a4db
vulnerabilitiescritical: 1 high: 0 medium: 0 low: 0
platformlinux/amd64
size127 MB
packages249
📦 Base Image php:8.1-alpine
also known as
  • 8.1-alpine3.21
  • 8.1-cli-alpine
  • 8.1-cli-alpine3.21
  • 8.1.31-alpine
  • 8.1.31-alpine3.21
  • 8.1.31-cli-alpine
  • 8.1.31-cli-alpine3.21
digestsha256:b217029b5db5f0784a5e00c57280685a4c2f009a970e6b32bb415eba6ca5ae7c
vulnerabilitiescritical: 0 high: 0 medium: 0 low: 1
critical: 1 high: 0 medium: 0 low: 0 golang.org/x/crypto 0.17.0 (golang)

pkg:golang/golang.org/x/[email protected]

critical 9.1: CVE--2024--45337 Improper Authorization

Affected range<0.31.0
Fixed version0.31.0
CVSS Score9.1
CVSS VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
EPSS Score0.045%
EPSS Percentile18th percentile
Description

Applications and libraries which misuse the ServerConfig.PublicKeyCallback callback may be susceptible to an authorization bypass.

The documentation for ServerConfig.PublicKeyCallback says that "A call to this function does not guarantee that the key offered is in fact used to authenticate." Specifically, the SSH protocol allows clients to inquire about whether a public key is acceptable before proving control of the corresponding private key. PublicKeyCallback may be called with multiple keys, and the order in which the keys were provided cannot be used to infer which key the client successfully authenticated with, if any. Some applications, which store the key(s) passed to PublicKeyCallback (or derived information) and make security relevant determinations based on it once the connection is established, may make incorrect assumptions.

For example, an attacker may send public keys A and B, and then authenticate with A. PublicKeyCallback would be called only twice, first with A and then with B. A vulnerable application may then make authorization decisions based on key B for which the attacker does not actually control the private key.

Since this API is widely misused, as a partial mitigation golang.org/x/[email protected] enforces the property that, when successfully authenticating via public key, the last key passed to ServerConfig.PublicKeyCallback will be the key used to authenticate the connection. PublicKeyCallback will now be called multiple times with the same key, if necessary. Note that the client may still not control the last key passed to PublicKeyCallback if the connection is then authenticated with a different method, such as PasswordCallback, KeyboardInteractiveCallback, or NoClientAuth.

Users should be using the Extensions field of the Permissions return value from the various authentication callbacks to record data associated with the authentication attempt instead of referencing external state. Once the connection is established the state corresponding to the successful authentication attempt can be retrieved via the ServerConn.Permissions field. Note that some third-party libraries misuse the Permissions type by sharing it across authentication attempts; users of third-party libraries should refer to the relevant projects for guidance.

Copy link

github-actions bot commented Dec 16, 2024

Outdated

Recommended fixes for image wayofdev/php-dev:latest

Base image is php:8.1-fpm-alpine

Name8.1.31-fpm-alpine3.21
Digestsha256:fa457eee5e53a8d4aff21bd0d78a3cbcd7f98b8def81218a8f0d98dd8cbd029b
Vulnerabilitiescritical: 0 high: 0 medium: 0 low: 1
Pushed5 days ago
Size32 MB
Packages53
Flavoralpine
OS3.21
Runtime8.1.31
The base image is also available under the supported tag(s): 8.1-fpm-alpine3.21, 8.1.31-fpm-alpine, 8.1.31-fpm-alpine3.21

Refresh base image

Rebuild the image using a newer base image version. Updating this may result in breaking changes.

✅ This image version is up to date.

Change base image

TagDetailsPushedVulnerabilities
8.3-fpm-alpine
Minor runtime version update
Also known as:
  • 8.3.14-fpm-alpine
  • 8.3.14-fpm-alpine3.21
  • 8.3-fpm-alpine3.21
Benefits:
  • Same OS detected
  • Minor runtime version update
  • Image has similar size
  • Image has same number of vulnerabilities
  • Image contains equal number of packages
Image details:
  • Size: 33 MB
  • Flavor: alpine
  • OS: 3.21
  • Runtime: 8.3.14
1 week ago



8.2-fpm-alpine
Minor runtime version update
Also known as:
  • 8.2.26-fpm-alpine
  • 8.2.26-fpm-alpine3.21
  • 8.2-fpm-alpine3.21
Benefits:
  • Same OS detected
  • Minor runtime version update
  • Image has similar size
  • Image has same number of vulnerabilities
  • Image contains equal number of packages
  • 8.2-fpm-alpine was pulled 4.1K times last month
Image details:
  • Size: 32 MB
  • Flavor: alpine
  • OS: 3.21
  • Runtime: 8.2.26
1 week ago



8.4-fpm-alpine
Image has same number of vulnerabilities
Also known as:
  • 8.4.1-fpm-alpine
  • 8.4.1-fpm-alpine3.21
  • 8.4-fpm-alpine3.21
  • 8-fpm-alpine
  • 8-fpm-alpine3.21
  • fpm-alpine
  • fpm-alpine3.21
Benefits:
  • Same OS detected
  • Image has similar size
  • Image has same number of vulnerabilities
  • Image contains equal number of packages
Image details:
  • Size: 36 MB
  • Flavor: alpine
  • OS: 3.21
1 week ago



Copy link

github-actions bot commented Dec 16, 2024

Outdated

Recommended fixes for image wayofdev/php-dev:latest

Base image is php:8.1-alpine

Name8.1.31-alpine3.21
Digestsha256:b217029b5db5f0784a5e00c57280685a4c2f009a970e6b32bb415eba6ca5ae7c
Vulnerabilitiescritical: 0 high: 0 medium: 0 low: 1
Pushed5 days ago
Size36 MB
Packages52
Flavoralpine
OS3.21
Runtime8.1.31
The base image is also available under the supported tag(s): 8.1-alpine3.21, 8.1-cli-alpine, 8.1-cli-alpine3.21, 8.1.31-alpine, 8.1.31-alpine3.21, 8.1.31-cli-alpine, 8.1.31-cli-alpine3.21

Refresh base image

Rebuild the image using a newer base image version. Updating this may result in breaking changes.

✅ This image version is up to date.

Change base image

TagDetailsPushedVulnerabilities
8.4-alpine
Minor runtime version update
Also known as:
  • 8.4.1-cli-alpine
  • 8.4.1-cli-alpine3.21
  • 8.4-cli-alpine
  • 8.4-cli-alpine3.21
  • 8-cli-alpine
  • 8-cli-alpine3.21
  • cli-alpine
  • cli-alpine3.21
  • alpine
  • alpine3.21
  • 8.4.1-alpine
  • 8.4.1-alpine3.21
  • 8.4-alpine3.21
  • 8-alpine
  • 8-alpine3.21
Benefits:
  • Same OS detected
  • Minor runtime version update
  • Image has similar size
  • Image has same number of vulnerabilities
  • Image contains equal number of packages
Image details:
  • Size: 42 MB
  • Flavor: alpine
  • OS: 3.21
  • Runtime: 8.4.1
1 week ago



8.3-alpine
Minor runtime version update
Also known as:
  • 8.3.14-cli-alpine
  • 8.3.14-cli-alpine3.21
  • 8.3-cli-alpine
  • 8.3-cli-alpine3.21
  • 8.3.14-alpine
  • 8.3.14-alpine3.21
  • 8.3-alpine3.21
Benefits:
  • Same OS detected
  • Minor runtime version update
  • Image has similar size
  • Image has same number of vulnerabilities
  • Image contains equal number of packages
Image details:
  • Size: 37 MB
  • Flavor: alpine
  • OS: 3.21
  • Runtime: 8.3.14
1 week ago



8.2-alpine
Minor runtime version update
Also known as:
  • 8.2.26-cli-alpine
  • 8.2.26-cli-alpine3.21
  • 8.2-cli-alpine
  • 8.2-cli-alpine3.21
  • 8.2.26-alpine
  • 8.2.26-alpine3.21
  • 8.2-alpine3.21
Benefits:
  • Same OS detected
  • Minor runtime version update
  • Image has similar size
  • Image has same number of vulnerabilities
  • Image contains equal number of packages
  • 8.2-alpine was pulled 1.8K times last month
Image details:
  • Size: 36 MB
  • Flavor: alpine
  • OS: 3.21
  • Runtime: 8.2.26
1 week ago



Copy link

github-actions bot commented Dec 16, 2024

Outdated

Recommended fixes for image wayofdev/php-dev:latest

Base image is php:8.2-alpine

Name8.2.26-alpine3.21
Digestsha256:e33a9aa217ea6f2f3891b2c01158e38f860f3ede767870953b6685cd2fa12c9e
Vulnerabilitiescritical: 0 high: 0 medium: 0 low: 1
Pushed1 week ago
Size36 MB
Packages52
Flavoralpine
OS3.21
Runtime8.2.26
The base image is also available under the supported tag(s): 8.2-alpine3.21, 8.2-cli-alpine, 8.2-cli-alpine3.21, 8.2.26-alpine, 8.2.26-alpine3.21, 8.2.26-cli-alpine, 8.2.26-cli-alpine3.21

Refresh base image

Rebuild the image using a newer base image version. Updating this may result in breaking changes.

✅ This image version is up to date.

Change base image

TagDetailsPushedVulnerabilities
8.4-alpine
Minor runtime version update
Also known as:
  • 8.4.1-cli-alpine
  • 8.4.1-cli-alpine3.21
  • 8.4-cli-alpine
  • 8.4-cli-alpine3.21
  • 8-cli-alpine
  • 8-cli-alpine3.21
  • cli-alpine
  • cli-alpine3.21
  • alpine
  • alpine3.21
  • 8.4.1-alpine
  • 8.4.1-alpine3.21
  • 8.4-alpine3.21
  • 8-alpine
  • 8-alpine3.21
Benefits:
  • Same OS detected
  • Minor runtime version update
  • Image has similar size
  • Image has same number of vulnerabilities
  • Image contains equal number of packages
Image details:
  • Size: 42 MB
  • Flavor: alpine
  • OS: 3.21
  • Runtime: 8.4.1
1 week ago



8.3-alpine
Minor runtime version update
Also known as:
  • 8.3.14-cli-alpine
  • 8.3.14-cli-alpine3.21
  • 8.3-cli-alpine
  • 8.3-cli-alpine3.21
  • 8.3.14-alpine
  • 8.3.14-alpine3.21
  • 8.3-alpine3.21
Benefits:
  • Same OS detected
  • Minor runtime version update
  • Image has similar size
  • Image has same number of vulnerabilities
  • Image contains equal number of packages
Image details:
  • Size: 37 MB
  • Flavor: alpine
  • OS: 3.21
  • Runtime: 8.3.14
1 week ago



Copy link

github-actions bot commented Dec 16, 2024

Outdated

🔍 Vulnerabilities of wayofdev/php-dev:latest

📦 Image Reference wayofdev/php-dev:latest
digestsha256:107e50f94179679d2194bdb0137c2e3f763774767dde842f44a6ae92014a7ed1
vulnerabilitiescritical: 1 high: 0 medium: 0 low: 0
platformlinux/amd64
size110 MB
packages231
📦 Base Image php:8.3-alpine
also known as
  • 8.3-alpine3.21
  • 8.3-cli-alpine
  • 8.3-cli-alpine3.21
  • 8.3.14-alpine
  • 8.3.14-alpine3.21
  • 8.3.14-cli-alpine
  • 8.3.14-cli-alpine3.21
digestsha256:41ab576a7fd2702a4921f50bc69be52460414e1d3a2d6e70676180e9ae8d4b78
vulnerabilitiescritical: 0 high: 0 medium: 0 low: 1
critical: 1 high: 0 medium: 0 low: 0 golang.org/x/crypto 0.17.0 (golang)

pkg:golang/golang.org/x/[email protected]

critical 9.1: CVE--2024--45337 Improper Authorization

Affected range<0.31.0
Fixed version0.31.0
CVSS Score9.1
CVSS VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
EPSS Score0.045%
EPSS Percentile18th percentile
Description

Applications and libraries which misuse the ServerConfig.PublicKeyCallback callback may be susceptible to an authorization bypass.

The documentation for ServerConfig.PublicKeyCallback says that "A call to this function does not guarantee that the key offered is in fact used to authenticate." Specifically, the SSH protocol allows clients to inquire about whether a public key is acceptable before proving control of the corresponding private key. PublicKeyCallback may be called with multiple keys, and the order in which the keys were provided cannot be used to infer which key the client successfully authenticated with, if any. Some applications, which store the key(s) passed to PublicKeyCallback (or derived information) and make security relevant determinations based on it once the connection is established, may make incorrect assumptions.

For example, an attacker may send public keys A and B, and then authenticate with A. PublicKeyCallback would be called only twice, first with A and then with B. A vulnerable application may then make authorization decisions based on key B for which the attacker does not actually control the private key.

Since this API is widely misused, as a partial mitigation golang.org/x/[email protected] enforces the property that, when successfully authenticating via public key, the last key passed to ServerConfig.PublicKeyCallback will be the key used to authenticate the connection. PublicKeyCallback will now be called multiple times with the same key, if necessary. Note that the client may still not control the last key passed to PublicKeyCallback if the connection is then authenticated with a different method, such as PasswordCallback, KeyboardInteractiveCallback, or NoClientAuth.

Users should be using the Extensions field of the Permissions return value from the various authentication callbacks to record data associated with the authentication attempt instead of referencing external state. Once the connection is established the state corresponding to the successful authentication attempt can be retrieved via the ServerConn.Permissions field. Note that some third-party libraries misuse the Permissions type by sharing it across authentication attempts; users of third-party libraries should refer to the relevant projects for guidance.

Copy link

github-actions bot commented Dec 16, 2024

Outdated

🔍 Vulnerabilities of wayofdev/php-dev:latest

📦 Image Reference wayofdev/php-dev:latest
digestsha256:0c2e364e45378d7d3624d6081c71acd974a6f33ee894e3fd1f69b544cfede278
vulnerabilitiescritical: 1 high: 0 medium: 0 low: 0
platformlinux/amd64
size109 MB
packages231
📦 Base Image php:8.2-alpine
also known as
  • 8.2-alpine3.21
  • 8.2-cli-alpine
  • 8.2-cli-alpine3.21
  • 8.2.26-alpine
  • 8.2.26-alpine3.21
  • 8.2.26-cli-alpine
  • 8.2.26-cli-alpine3.21
digestsha256:e33a9aa217ea6f2f3891b2c01158e38f860f3ede767870953b6685cd2fa12c9e
vulnerabilitiescritical: 0 high: 0 medium: 0 low: 1
critical: 1 high: 0 medium: 0 low: 0 golang.org/x/crypto 0.17.0 (golang)

pkg:golang/golang.org/x/[email protected]

critical 9.1: CVE--2024--45337 Improper Authorization

Affected range<0.31.0
Fixed version0.31.0
CVSS Score9.1
CVSS VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
EPSS Score0.045%
EPSS Percentile18th percentile
Description

Applications and libraries which misuse the ServerConfig.PublicKeyCallback callback may be susceptible to an authorization bypass.

The documentation for ServerConfig.PublicKeyCallback says that "A call to this function does not guarantee that the key offered is in fact used to authenticate." Specifically, the SSH protocol allows clients to inquire about whether a public key is acceptable before proving control of the corresponding private key. PublicKeyCallback may be called with multiple keys, and the order in which the keys were provided cannot be used to infer which key the client successfully authenticated with, if any. Some applications, which store the key(s) passed to PublicKeyCallback (or derived information) and make security relevant determinations based on it once the connection is established, may make incorrect assumptions.

For example, an attacker may send public keys A and B, and then authenticate with A. PublicKeyCallback would be called only twice, first with A and then with B. A vulnerable application may then make authorization decisions based on key B for which the attacker does not actually control the private key.

Since this API is widely misused, as a partial mitigation golang.org/x/[email protected] enforces the property that, when successfully authenticating via public key, the last key passed to ServerConfig.PublicKeyCallback will be the key used to authenticate the connection. PublicKeyCallback will now be called multiple times with the same key, if necessary. Note that the client may still not control the last key passed to PublicKeyCallback if the connection is then authenticated with a different method, such as PasswordCallback, KeyboardInteractiveCallback, or NoClientAuth.

Users should be using the Extensions field of the Permissions return value from the various authentication callbacks to record data associated with the authentication attempt instead of referencing external state. Once the connection is established the state corresponding to the successful authentication attempt can be retrieved via the ServerConn.Permissions field. Note that some third-party libraries misuse the Permissions type by sharing it across authentication attempts; users of third-party libraries should refer to the relevant projects for guidance.

Copy link

github-actions bot commented Dec 16, 2024

Outdated

Recommended fixes for image wayofdev/php-dev:latest

Base image is php:8.3-alpine

Name8.3.14-alpine3.21
Digestsha256:41ab576a7fd2702a4921f50bc69be52460414e1d3a2d6e70676180e9ae8d4b78
Vulnerabilitiescritical: 0 high: 0 medium: 0 low: 1
Pushed1 week ago
Size37 MB
Packages52
Flavoralpine
OS3.21
Runtime8.3.14
The base image is also available under the supported tag(s): 8.3-alpine3.21, 8.3-cli-alpine, 8.3-cli-alpine3.21, 8.3.14-alpine, 8.3.14-alpine3.21, 8.3.14-cli-alpine, 8.3.14-cli-alpine3.21

Refresh base image

Rebuild the image using a newer base image version. Updating this may result in breaking changes.

✅ This image version is up to date.

Change base image

TagDetailsPushedVulnerabilities
8.4-alpine
Minor runtime version update
Also known as:
  • 8.4.1-cli-alpine
  • 8.4.1-cli-alpine3.21
  • 8.4-cli-alpine
  • 8.4-cli-alpine3.21
  • 8-cli-alpine
  • 8-cli-alpine3.21
  • cli-alpine
  • cli-alpine3.21
  • alpine
  • alpine3.21
  • 8.4.1-alpine
  • 8.4.1-alpine3.21
  • 8.4-alpine3.21
  • 8-alpine
  • 8-alpine3.21
Benefits:
  • Same OS detected
  • Minor runtime version update
  • Image has similar size
  • Image has same number of vulnerabilities
  • Image contains equal number of packages
Image details:
  • Size: 42 MB
  • Flavor: alpine
  • OS: 3.21
  • Runtime: 8.4.1
1 week ago



Copy link

github-actions bot commented Dec 16, 2024

Outdated

Recommended fixes for image wayofdev/php-dev:latest

Base image is php:8.2-alpine

Name8.2.26-alpine3.21
Digestsha256:e33a9aa217ea6f2f3891b2c01158e38f860f3ede767870953b6685cd2fa12c9e
Vulnerabilitiescritical: 0 high: 0 medium: 0 low: 1
Pushed1 week ago
Size36 MB
Packages52
Flavoralpine
OS3.21
Runtime8.2.26
The base image is also available under the supported tag(s): 8.2-alpine3.21, 8.2-cli-alpine, 8.2-cli-alpine3.21, 8.2.26-alpine, 8.2.26-alpine3.21, 8.2.26-cli-alpine, 8.2.26-cli-alpine3.21

Refresh base image

Rebuild the image using a newer base image version. Updating this may result in breaking changes.

✅ This image version is up to date.

Change base image

TagDetailsPushedVulnerabilities
8.4-alpine
Minor runtime version update
Also known as:
  • 8.4.1-cli-alpine
  • 8.4.1-cli-alpine3.21
  • 8.4-cli-alpine
  • 8.4-cli-alpine3.21
  • 8-cli-alpine
  • 8-cli-alpine3.21
  • cli-alpine
  • cli-alpine3.21
  • alpine
  • alpine3.21
  • 8.4.1-alpine
  • 8.4.1-alpine3.21
  • 8.4-alpine3.21
  • 8-alpine
  • 8-alpine3.21
Benefits:
  • Same OS detected
  • Minor runtime version update
  • Image has similar size
  • Image has same number of vulnerabilities
  • Image contains equal number of packages
Image details:
  • Size: 42 MB
  • Flavor: alpine
  • OS: 3.21
  • Runtime: 8.4.1
1 week ago



8.3-alpine
Minor runtime version update
Also known as:
  • 8.3.14-cli-alpine
  • 8.3.14-cli-alpine3.21
  • 8.3-cli-alpine
  • 8.3-cli-alpine3.21
  • 8.3.14-alpine
  • 8.3.14-alpine3.21
  • 8.3-alpine3.21
Benefits:
  • Same OS detected
  • Minor runtime version update
  • Image has similar size
  • Image has same number of vulnerabilities
  • Image contains equal number of packages
Image details:
  • Size: 37 MB
  • Flavor: alpine
  • OS: 3.21
  • Runtime: 8.3.14
1 week ago



Copy link

github-actions bot commented Dec 16, 2024

Outdated

🔍 Vulnerabilities of wayofdev/php-dev:latest

📦 Image Reference wayofdev/php-dev:latest
digestsha256:b694b94d6c047a1421bb909d0ce85e6bc6f644f9391611c5f9b507c952d90bb4
vulnerabilitiescritical: 1 high: 0 medium: 0 low: 0
platformlinux/amd64
size115 MB
packages231
📦 Base Image php:8-alpine
also known as
  • 8-alpine3.21
  • 8-cli-alpine
  • 8-cli-alpine3.21
  • 8.4-alpine
  • 8.4-alpine3.21
  • 8.4-cli-alpine
  • 8.4-cli-alpine3.21
  • 8.4.1-alpine
  • 8.4.1-alpine3.21
  • 8.4.1-cli-alpine
  • 8.4.1-cli-alpine3.21
  • alpine
  • alpine3.21
  • cli-alpine
  • cli-alpine3.21
digestsha256:6338c0bc70c8a8b1699fafac1cb0cb15d71825b2b8e7b131989d6f239daa8615
vulnerabilitiescritical: 0 high: 0 medium: 0 low: 1
critical: 1 high: 0 medium: 0 low: 0 golang.org/x/crypto 0.17.0 (golang)

pkg:golang/golang.org/x/[email protected]

critical 9.1: CVE--2024--45337 Improper Authorization

Affected range<0.31.0
Fixed version0.31.0
CVSS Score9.1
CVSS VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
EPSS Score0.045%
EPSS Percentile18th percentile
Description

Applications and libraries which misuse the ServerConfig.PublicKeyCallback callback may be susceptible to an authorization bypass.

The documentation for ServerConfig.PublicKeyCallback says that "A call to this function does not guarantee that the key offered is in fact used to authenticate." Specifically, the SSH protocol allows clients to inquire about whether a public key is acceptable before proving control of the corresponding private key. PublicKeyCallback may be called with multiple keys, and the order in which the keys were provided cannot be used to infer which key the client successfully authenticated with, if any. Some applications, which store the key(s) passed to PublicKeyCallback (or derived information) and make security relevant determinations based on it once the connection is established, may make incorrect assumptions.

For example, an attacker may send public keys A and B, and then authenticate with A. PublicKeyCallback would be called only twice, first with A and then with B. A vulnerable application may then make authorization decisions based on key B for which the attacker does not actually control the private key.

Since this API is widely misused, as a partial mitigation golang.org/x/[email protected] enforces the property that, when successfully authenticating via public key, the last key passed to ServerConfig.PublicKeyCallback will be the key used to authenticate the connection. PublicKeyCallback will now be called multiple times with the same key, if necessary. Note that the client may still not control the last key passed to PublicKeyCallback if the connection is then authenticated with a different method, such as PasswordCallback, KeyboardInteractiveCallback, or NoClientAuth.

Users should be using the Extensions field of the Permissions return value from the various authentication callbacks to record data associated with the authentication attempt instead of referencing external state. Once the connection is established the state corresponding to the successful authentication attempt can be retrieved via the ServerConn.Permissions field. Note that some third-party libraries misuse the Permissions type by sharing it across authentication attempts; users of third-party libraries should refer to the relevant projects for guidance.

Copy link

github-actions bot commented Dec 16, 2024

Outdated

🔍 Vulnerabilities of wayofdev/php-dev:latest

📦 Image Reference wayofdev/php-dev:latest
digestsha256:1baa8745c9272d6608ffed7a42ca39007101abf0e3808866d52763e5f1d66657
vulnerabilitiescritical: 1 high: 0 medium: 0 low: 0
platformlinux/amd64
size105 MB
packages232
📦 Base Image php:8.3-fpm-alpine
also known as
  • 8.3-fpm-alpine3.21
  • 8.3.14-fpm-alpine
  • 8.3.14-fpm-alpine3.21
digestsha256:2195efdc39294f113863a8af61fac333817b0382b7421252fc975605260f6668
vulnerabilitiescritical: 0 high: 0 medium: 0 low: 1
critical: 1 high: 0 medium: 0 low: 0 golang.org/x/crypto 0.17.0 (golang)

pkg:golang/golang.org/x/[email protected]

critical 9.1: CVE--2024--45337 Improper Authorization

Affected range<0.31.0
Fixed version0.31.0
CVSS Score9.1
CVSS VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
EPSS Score0.045%
EPSS Percentile18th percentile
Description

Applications and libraries which misuse the ServerConfig.PublicKeyCallback callback may be susceptible to an authorization bypass.

The documentation for ServerConfig.PublicKeyCallback says that "A call to this function does not guarantee that the key offered is in fact used to authenticate." Specifically, the SSH protocol allows clients to inquire about whether a public key is acceptable before proving control of the corresponding private key. PublicKeyCallback may be called with multiple keys, and the order in which the keys were provided cannot be used to infer which key the client successfully authenticated with, if any. Some applications, which store the key(s) passed to PublicKeyCallback (or derived information) and make security relevant determinations based on it once the connection is established, may make incorrect assumptions.

For example, an attacker may send public keys A and B, and then authenticate with A. PublicKeyCallback would be called only twice, first with A and then with B. A vulnerable application may then make authorization decisions based on key B for which the attacker does not actually control the private key.

Since this API is widely misused, as a partial mitigation golang.org/x/[email protected] enforces the property that, when successfully authenticating via public key, the last key passed to ServerConfig.PublicKeyCallback will be the key used to authenticate the connection. PublicKeyCallback will now be called multiple times with the same key, if necessary. Note that the client may still not control the last key passed to PublicKeyCallback if the connection is then authenticated with a different method, such as PasswordCallback, KeyboardInteractiveCallback, or NoClientAuth.

Users should be using the Extensions field of the Permissions return value from the various authentication callbacks to record data associated with the authentication attempt instead of referencing external state. Once the connection is established the state corresponding to the successful authentication attempt can be retrieved via the ServerConn.Permissions field. Note that some third-party libraries misuse the Permissions type by sharing it across authentication attempts; users of third-party libraries should refer to the relevant projects for guidance.

Copy link

github-actions bot commented Dec 16, 2024

Outdated

Recommended fixes for image wayofdev/php-dev:latest

Base image is php:8-alpine

Name8.4.1-alpine3.21
Digestsha256:6338c0bc70c8a8b1699fafac1cb0cb15d71825b2b8e7b131989d6f239daa8615
Vulnerabilitiescritical: 0 high: 0 medium: 0 low: 1
Pushed1 week ago
Size42 MB
Packages52
Flavoralpine
OS3.21
Runtime8.4.1
The base image is also available under the supported tag(s): 8-alpine3.21, 8-cli-alpine, 8-cli-alpine3.21, 8.4-alpine, 8.4-alpine3.21, 8.4-cli-alpine, 8.4-cli-alpine3.21, 8.4.1-alpine, 8.4.1-alpine3.21, 8.4.1-cli-alpine, 8.4.1-cli-alpine3.21, alpine, alpine3.21, cli-alpine, cli-alpine3.21

Refresh base image

Rebuild the image using a newer base image version. Updating this may result in breaking changes.

✅ This image version is up to date.

Change base image

✅ There are no tag recommendations at this time.

Copy link

github-actions bot commented Dec 16, 2024

Outdated

Recommended fixes for image wayofdev/php-dev:latest

Base image is php:8.3-fpm-alpine

Name8.3.14-fpm-alpine3.21
Digestsha256:2195efdc39294f113863a8af61fac333817b0382b7421252fc975605260f6668
Vulnerabilitiescritical: 0 high: 0 medium: 0 low: 1
Pushed1 week ago
Size33 MB
Packages53
Flavoralpine
OS3.21
Runtime8.3.14
The base image is also available under the supported tag(s): 8.3-fpm-alpine3.21, 8.3.14-fpm-alpine, 8.3.14-fpm-alpine3.21

Refresh base image

Rebuild the image using a newer base image version. Updating this may result in breaking changes.

✅ This image version is up to date.

Change base image

TagDetailsPushedVulnerabilities
8.4-fpm-alpine
Image has same number of vulnerabilities
Also known as:
  • 8.4.1-fpm-alpine
  • 8.4.1-fpm-alpine3.21
  • 8.4-fpm-alpine3.21
  • 8-fpm-alpine
  • 8-fpm-alpine3.21
  • fpm-alpine
  • fpm-alpine3.21
Benefits:
  • Same OS detected
  • Image has similar size
  • Image has same number of vulnerabilities
  • Image contains equal number of packages
Image details:
  • Size: 36 MB
  • Flavor: alpine
  • OS: 3.21
1 week ago



Copy link

github-actions bot commented Dec 16, 2024

Outdated

🔍 Vulnerabilities of wayofdev/php-dev:latest

📦 Image Reference wayofdev/php-dev:latest
digestsha256:1d85ac17a0b0195411d6aabfaccb1747c7f3d921e6e04b7e785f174ed1a76323
vulnerabilitiescritical: 1 high: 0 medium: 0 low: 0
platformlinux/amd64
size128 MB
packages249
📦 Base Image php:8.3-alpine
also known as
  • 8.3-alpine3.21
  • 8.3-cli-alpine
  • 8.3-cli-alpine3.21
  • 8.3.14-alpine
  • 8.3.14-alpine3.21
  • 8.3.14-cli-alpine
  • 8.3.14-cli-alpine3.21
digestsha256:41ab576a7fd2702a4921f50bc69be52460414e1d3a2d6e70676180e9ae8d4b78
vulnerabilitiescritical: 0 high: 0 medium: 0 low: 1
critical: 1 high: 0 medium: 0 low: 0 golang.org/x/crypto 0.17.0 (golang)

pkg:golang/golang.org/x/[email protected]

critical 9.1: CVE--2024--45337 Improper Authorization

Affected range<0.31.0
Fixed version0.31.0
CVSS Score9.1
CVSS VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
EPSS Score0.045%
EPSS Percentile18th percentile
Description

Applications and libraries which misuse the ServerConfig.PublicKeyCallback callback may be susceptible to an authorization bypass.

The documentation for ServerConfig.PublicKeyCallback says that "A call to this function does not guarantee that the key offered is in fact used to authenticate." Specifically, the SSH protocol allows clients to inquire about whether a public key is acceptable before proving control of the corresponding private key. PublicKeyCallback may be called with multiple keys, and the order in which the keys were provided cannot be used to infer which key the client successfully authenticated with, if any. Some applications, which store the key(s) passed to PublicKeyCallback (or derived information) and make security relevant determinations based on it once the connection is established, may make incorrect assumptions.

For example, an attacker may send public keys A and B, and then authenticate with A. PublicKeyCallback would be called only twice, first with A and then with B. A vulnerable application may then make authorization decisions based on key B for which the attacker does not actually control the private key.

Since this API is widely misused, as a partial mitigation golang.org/x/[email protected] enforces the property that, when successfully authenticating via public key, the last key passed to ServerConfig.PublicKeyCallback will be the key used to authenticate the connection. PublicKeyCallback will now be called multiple times with the same key, if necessary. Note that the client may still not control the last key passed to PublicKeyCallback if the connection is then authenticated with a different method, such as PasswordCallback, KeyboardInteractiveCallback, or NoClientAuth.

Users should be using the Extensions field of the Permissions return value from the various authentication callbacks to record data associated with the authentication attempt instead of referencing external state. Once the connection is established the state corresponding to the successful authentication attempt can be retrieved via the ServerConn.Permissions field. Note that some third-party libraries misuse the Permissions type by sharing it across authentication attempts; users of third-party libraries should refer to the relevant projects for guidance.

Copy link

github-actions bot commented Dec 16, 2024

Outdated

Recommended fixes for image wayofdev/php-dev:latest

Base image is php:8.3-alpine

Name8.3.14-alpine3.21
Digestsha256:41ab576a7fd2702a4921f50bc69be52460414e1d3a2d6e70676180e9ae8d4b78
Vulnerabilitiescritical: 0 high: 0 medium: 0 low: 1
Pushed1 week ago
Size37 MB
Packages52
Flavoralpine
OS3.21
Runtime8.3.14
The base image is also available under the supported tag(s): 8.3-alpine3.21, 8.3-cli-alpine, 8.3-cli-alpine3.21, 8.3.14-alpine, 8.3.14-alpine3.21, 8.3.14-cli-alpine, 8.3.14-cli-alpine3.21

Refresh base image

Rebuild the image using a newer base image version. Updating this may result in breaking changes.

✅ This image version is up to date.

Change base image

TagDetailsPushedVulnerabilities
8.4-alpine
Minor runtime version update
Also known as:
  • 8.4.1-cli-alpine
  • 8.4.1-cli-alpine3.21
  • 8.4-cli-alpine
  • 8.4-cli-alpine3.21
  • 8-cli-alpine
  • 8-cli-alpine3.21
  • cli-alpine
  • cli-alpine3.21
  • alpine
  • alpine3.21
  • 8.4.1-alpine
  • 8.4.1-alpine3.21
  • 8.4-alpine3.21
  • 8-alpine
  • 8-alpine3.21
Benefits:
  • Same OS detected
  • Minor runtime version update
  • Image has similar size
  • Image has same number of vulnerabilities
  • Image contains equal number of packages
Image details:
  • Size: 42 MB
  • Flavor: alpine
  • OS: 3.21
  • Runtime: 8.4.1
1 week ago



Copy link

github-actions bot commented Dec 16, 2024

Outdated

🔍 Vulnerabilities of wayofdev/php-dev:latest

📦 Image Reference wayofdev/php-dev:latest
digestsha256:73bf6073689a4e94c5fea1bcd9eda23039c95b3ab8434749b98e10ba5a94b71c
vulnerabilitiescritical: 1 high: 0 medium: 0 low: 0
platformlinux/amd64
size134 MB
packages249
📦 Base Image php:8-alpine
also known as
  • 8-alpine3.21
  • 8-cli-alpine
  • 8-cli-alpine3.21
  • 8.4-alpine
  • 8.4-alpine3.21
  • 8.4-cli-alpine
  • 8.4-cli-alpine3.21
  • 8.4.1-alpine
  • 8.4.1-alpine3.21
  • 8.4.1-cli-alpine
  • 8.4.1-cli-alpine3.21
  • alpine
  • alpine3.21
  • cli-alpine
  • cli-alpine3.21
digestsha256:6338c0bc70c8a8b1699fafac1cb0cb15d71825b2b8e7b131989d6f239daa8615
vulnerabilitiescritical: 0 high: 0 medium: 0 low: 1
critical: 1 high: 0 medium: 0 low: 0 golang.org/x/crypto 0.17.0 (golang)

pkg:golang/golang.org/x/[email protected]

critical 9.1: CVE--2024--45337 Improper Authorization

Affected range<0.31.0
Fixed version0.31.0
CVSS Score9.1
CVSS VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
EPSS Score0.045%
EPSS Percentile18th percentile
Description

Applications and libraries which misuse the ServerConfig.PublicKeyCallback callback may be susceptible to an authorization bypass.

The documentation for ServerConfig.PublicKeyCallback says that "A call to this function does not guarantee that the key offered is in fact used to authenticate." Specifically, the SSH protocol allows clients to inquire about whether a public key is acceptable before proving control of the corresponding private key. PublicKeyCallback may be called with multiple keys, and the order in which the keys were provided cannot be used to infer which key the client successfully authenticated with, if any. Some applications, which store the key(s) passed to PublicKeyCallback (or derived information) and make security relevant determinations based on it once the connection is established, may make incorrect assumptions.

For example, an attacker may send public keys A and B, and then authenticate with A. PublicKeyCallback would be called only twice, first with A and then with B. A vulnerable application may then make authorization decisions based on key B for which the attacker does not actually control the private key.

Since this API is widely misused, as a partial mitigation golang.org/x/[email protected] enforces the property that, when successfully authenticating via public key, the last key passed to ServerConfig.PublicKeyCallback will be the key used to authenticate the connection. PublicKeyCallback will now be called multiple times with the same key, if necessary. Note that the client may still not control the last key passed to PublicKeyCallback if the connection is then authenticated with a different method, such as PasswordCallback, KeyboardInteractiveCallback, or NoClientAuth.

Users should be using the Extensions field of the Permissions return value from the various authentication callbacks to record data associated with the authentication attempt instead of referencing external state. Once the connection is established the state corresponding to the successful authentication attempt can be retrieved via the ServerConn.Permissions field. Note that some third-party libraries misuse the Permissions type by sharing it across authentication attempts; users of third-party libraries should refer to the relevant projects for guidance.

Copy link

github-actions bot commented Dec 16, 2024

Outdated

Recommended fixes for image wayofdev/php-dev:latest

Base image is php:8-alpine

Name8.4.1-alpine3.21
Digestsha256:6338c0bc70c8a8b1699fafac1cb0cb15d71825b2b8e7b131989d6f239daa8615
Vulnerabilitiescritical: 0 high: 0 medium: 0 low: 1
Pushed1 week ago
Size42 MB
Packages52
Flavoralpine
OS3.21
Runtime8.4.1
The base image is also available under the supported tag(s): 8-alpine3.21, 8-cli-alpine, 8-cli-alpine3.21, 8.4-alpine, 8.4-alpine3.21, 8.4-cli-alpine, 8.4-cli-alpine3.21, 8.4.1-alpine, 8.4.1-alpine3.21, 8.4.1-cli-alpine, 8.4.1-cli-alpine3.21, alpine, alpine3.21, cli-alpine, cli-alpine3.21

Refresh base image

Rebuild the image using a newer base image version. Updating this may result in breaking changes.

✅ This image version is up to date.

Change base image

✅ There are no tag recommendations at this time.

Copy link

🔍 Vulnerabilities of wayofdev/php-dev:latest

📦 Image Reference wayofdev/php-dev:latest
digestsha256:981f6a20b6bf1401767f9c7258db81ae50629a969e6883235dd3064b0b0b0831
vulnerabilitiescritical: 1 high: 0 medium: 0 low: 0
platformlinux/amd64
size109 MB
packages232
📦 Base Image php:8-fpm-alpine
also known as
  • 8-fpm-alpine3.21
  • 8.4-fpm-alpine
  • 8.4-fpm-alpine3.21
  • 8.4.1-fpm-alpine
  • 8.4.1-fpm-alpine3.21
  • fpm-alpine
  • fpm-alpine3.21
digestsha256:661709ebd2995433800a6f617072d40a0c52a4f3abfae1db4d4a3e280b3ddaea
vulnerabilitiescritical: 0 high: 0 medium: 0 low: 1
critical: 1 high: 0 medium: 0 low: 0 golang.org/x/crypto 0.17.0 (golang)

pkg:golang/golang.org/x/[email protected]

critical 9.1: CVE--2024--45337 Improper Authorization

Affected range<0.31.0
Fixed version0.31.0
CVSS Score9.1
CVSS VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
EPSS Score0.045%
EPSS Percentile18th percentile
Description

Applications and libraries which misuse the ServerConfig.PublicKeyCallback callback may be susceptible to an authorization bypass.

The documentation for ServerConfig.PublicKeyCallback says that "A call to this function does not guarantee that the key offered is in fact used to authenticate." Specifically, the SSH protocol allows clients to inquire about whether a public key is acceptable before proving control of the corresponding private key. PublicKeyCallback may be called with multiple keys, and the order in which the keys were provided cannot be used to infer which key the client successfully authenticated with, if any. Some applications, which store the key(s) passed to PublicKeyCallback (or derived information) and make security relevant determinations based on it once the connection is established, may make incorrect assumptions.

For example, an attacker may send public keys A and B, and then authenticate with A. PublicKeyCallback would be called only twice, first with A and then with B. A vulnerable application may then make authorization decisions based on key B for which the attacker does not actually control the private key.

Since this API is widely misused, as a partial mitigation golang.org/x/[email protected] enforces the property that, when successfully authenticating via public key, the last key passed to ServerConfig.PublicKeyCallback will be the key used to authenticate the connection. PublicKeyCallback will now be called multiple times with the same key, if necessary. Note that the client may still not control the last key passed to PublicKeyCallback if the connection is then authenticated with a different method, such as PasswordCallback, KeyboardInteractiveCallback, or NoClientAuth.

Users should be using the Extensions field of the Permissions return value from the various authentication callbacks to record data associated with the authentication attempt instead of referencing external state. Once the connection is established the state corresponding to the successful authentication attempt can be retrieved via the ServerConn.Permissions field. Note that some third-party libraries misuse the Permissions type by sharing it across authentication attempts; users of third-party libraries should refer to the relevant projects for guidance.

Copy link

Recommended fixes for image wayofdev/php-dev:latest

Base image is php:8-fpm-alpine

Namefpm-alpine3.21
Digestsha256:661709ebd2995433800a6f617072d40a0c52a4f3abfae1db4d4a3e280b3ddaea
Vulnerabilitiescritical: 0 high: 0 medium: 0 low: 1
Pushed1 week ago
Size36 MB
Packages53
Flavoralpine
OS3.21
The base image is also available under the supported tag(s): 8-fpm-alpine3.21, 8.4-fpm-alpine, 8.4-fpm-alpine3.21, 8.4.1-fpm-alpine, 8.4.1-fpm-alpine3.21, fpm-alpine, fpm-alpine3.21

Refresh base image

Rebuild the image using a newer base image version. Updating this may result in breaking changes.

✅ This image version is up to date.

Change base image

TagDetailsPushedVulnerabilities
8.1-fpm-alpine
Minor runtime version update
Also known as:
  • 8.1.31-fpm-alpine
  • 8.1.31-fpm-alpine3.21
  • 8.1-fpm-alpine3.21
Benefits:
  • Same OS detected
  • Minor runtime version update
  • Image is smaller by 4.3 MB
  • Tag was pushed more recently
  • Image has same number of vulnerabilities
  • Image contains equal number of packages
  • 8.1-fpm-alpine is the fourth most popular tag with 18K pulls per month
Image details:
  • Size: 32 MB
  • Flavor: alpine
  • OS: 3.21
  • Runtime: 8.1.31
5 days ago



8.3-fpm-alpine
Minor runtime version update
Also known as:
  • 8.3.14-fpm-alpine
  • 8.3.14-fpm-alpine3.21
  • 8.3-fpm-alpine3.21
Benefits:
  • Same OS detected
  • Minor runtime version update
  • Image is smaller by 3.3 MB
  • Image has same number of vulnerabilities
  • Image contains equal number of packages
Image details:
  • Size: 33 MB
  • Flavor: alpine
  • OS: 3.21
  • Runtime: 8.3.14
1 week ago



8.2-fpm-alpine
Minor runtime version update
Also known as:
  • 8.2.26-fpm-alpine
  • 8.2.26-fpm-alpine3.21
  • 8.2-fpm-alpine3.21
Benefits:
  • Same OS detected
  • Minor runtime version update
  • Image is smaller by 3.9 MB
  • Image has same number of vulnerabilities
  • Image contains equal number of packages
  • 8.2-fpm-alpine was pulled 4.1K times last month
Image details:
  • Size: 32 MB
  • Flavor: alpine
  • OS: 3.21
  • Runtime: 8.2.26
1 week ago



@way-finder-bot way-finder-bot self-requested a review December 16, 2024 13:29
@way-finder-bot way-finder-bot self-assigned this Dec 16, 2024
@renovate renovate bot merged commit 7b8fb50 into master Dec 16, 2024
20 checks passed
@renovate renovate bot deleted the renovate/wagoid-commitlint-github-action-6.x branch December 16, 2024 13:29
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
type: maintenance For maintenance, refactor and testing (perf, chore, style, revert, refactor, test, build, ci)
Projects
None yet
Development

Successfully merging this pull request may close these issues.

1 participant