chore(master): release 2.0.11

[lotyp]

🤖 I have created a release beep boop

2.0.11 (2024-12-12)

Dependencies

• deps: update ansible/ansible-lint action to v24.12.2 (#59) (19be1f1)

---

This PR was generated with Release Please. See documentation.

[github-actions]

Outdated

🔍 Vulnerabilities of moby/buildkit:buildx-stable-1

📦 Image Reference moby/buildkit:buildx-stable-1

digest	sha256:160b1df1c7a7cc91192c28e715fa038e6f914d00e87af71c5806014eb4f6e434
vulnerabilities
size	104 MB
packages	239

📦 Base Image alpine:05a56cc5acbd9c9c5b7ba5ec88d866a0ddc76b586828f8288d29c57ccaa15a10

also known as	3 3.20 3.20.3 latest
digest	sha256:029a752048e32e843bd6defe3841186fb8d19a28dae8ec287f433bb9d6d1ad85
vulnerabilities

curl 8.11.0-r2 (apk) pkg:apk/alpine/[email protected]?os_name=alpine&os_version=3.20 Affected range <8.11.1-r0 Fixed version 8.11.1-r0 Description

stdlib 1.22.4 (golang) pkg:golang/[email protected] Affected range <1.22.7 Fixed version 1.22.7 EPSS Score 0.04% EPSS Percentile 18th percentile Description Calling Parse on a "// +build" build tag line with deeply nested expressions can cause a panic due to stack exhaustion. Affected range <1.22.7 Fixed version 1.22.7 EPSS Score 0.04% EPSS Percentile 18th percentile Description Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion. This is a follow-up to CVE-2022-30635. Affected range >=1.22.0-0 <1.22.5 Fixed version 1.22.5 EPSS Score 0.04% EPSS Percentile 18th percentile Description The net/http HTTP/1.1 client mishandled the case where a server responds to a request with an "Expect: 100-continue" header with a non-informational (200 or higher) status. This mishandling could leave a client connection in an invalid state, where the next request sent on the connection will fail. An attacker sending a request to a net/http/httputil.ReverseProxy proxy can exploit this mishandling to cause a denial of service by sending "Expect: 100-continue" requests which elicit a non-informational response from the backend. Each such request leaves the proxy with an invalid connection, and causes one subsequent request using that connection to fail. Affected range <1.22.7 Fixed version 1.22.7 EPSS Score 0.19% EPSS Percentile 57th percentile Description Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion. This is a follow-up to CVE-2022-30635.

golang.org/x/crypto 0.27.0 (golang) pkg:golang/golang.org/x/[email protected] Improper Authorization Affected range <0.31.0 Fixed version 0.31.0 Description Applications and libraries which misuse the ServerConfig.PublicKeyCallback callback may be susceptible to an authorization bypass. The documentation for ServerConfig.PublicKeyCallback says that "A call to this function does not guarantee that the key offered is in fact used to authenticate." Specifically, the SSH protocol allows clients to inquire about whether a public key is acceptable before proving control of the corresponding private key. PublicKeyCallback may be called with multiple keys, and the order in which the keys were provided cannot be used to infer which key the client successfully authenticated with, if any. Some applications, which store the key(s) passed to PublicKeyCallback (or derived information) and make security relevant determinations based on it once the connection is established, may make incorrect assumptions. For example, an attacker may send public keys A and B, and then authenticate with A. PublicKeyCallback would be called only twice, first with A and then with B. A vulnerable application may then make authorization decisions based on key B for which the attacker does not actually control the private key. Since this API is widely misused, as a partial mitigation golang.org/x/[email protected] enforces the property that, when successfully authenticating via public key, the last key passed to ServerConfig.PublicKeyCallback will be the key used to authenticate the connection. PublicKeyCallback will now be called multiple times with the same key, if necessary. Note that the client may still not control the last key passed to PublicKeyCallback if the connection is then authenticated with a different method, such as PasswordCallback, KeyboardInteractiveCallback, or NoClientAuth. Users should be using the Extensions field of the Permissions return value from the various authentication callbacks to record data associated with the authentication attempt instead of referencing external state. Once the connection is established the state corresponding to the successful authentication attempt can be retrieved via the ServerConn.Permissions field. Note that some third-party libraries misuse the Permissions type by sharing it across authentication attempts; users of third-party libraries should refer to the relevant projects for guidance.

[github-actions]

Outdated

Recommended fixes for image moby/buildkit:buildx-stable-1

Base image is alpine:3

Name	3.20.3
Digest	sha256:029a752048e32e843bd6defe3841186fb8d19a28dae8ec287f433bb9d6d1ad85
Vulnerabilities
Pushed	3 months ago
Size	3.6 MB
Packages	17
OS	3.20.3

The base image is also available under the supported tag(s): 3.20, 3.20.3, latest

Refresh base image

Rebuild the image using a newer base image version. Updating this may result in breaking changes.

Tag	Details	Pushed	Vulnerabilities
3 Newer image for same tag Also known as: 3.21.0 3.21 latest	Benefits: Newer image for same tag Minor OS version update Tag is preferred tag Tag was pushed more recently Image has similar size Tag is latest Image introduces no new vulnerability but removes 1 3 was pulled 251K times last month Image details: Size: 3.6 MB OS: 3.21.0	1 week ago

Change base image

✅ There are no tag recommendations at this time.

[github-actions]

🔍 Vulnerabilities of moby/buildkit:buildx-stable-1

📦 Image Reference moby/buildkit:buildx-stable-1

digest	sha256:160b1df1c7a7cc91192c28e715fa038e6f914d00e87af71c5806014eb4f6e434
vulnerabilities
size	104 MB
packages	239

📦 Base Image alpine:05a56cc5acbd9c9c5b7ba5ec88d866a0ddc76b586828f8288d29c57ccaa15a10

also known as	3 3.20 3.20.3 latest
digest	sha256:029a752048e32e843bd6defe3841186fb8d19a28dae8ec287f433bb9d6d1ad85
vulnerabilities

curl 8.11.0-r2 (apk) pkg:apk/alpine/[email protected]?os_name=alpine&os_version=3.20 Affected range <8.11.1-r0 Fixed version 8.11.1-r0 Description

stdlib 1.22.4 (golang) pkg:golang/[email protected] Affected range <1.22.7 Fixed version 1.22.7 EPSS Score 0.04% EPSS Percentile 18th percentile Description Calling Parse on a "// +build" build tag line with deeply nested expressions can cause a panic due to stack exhaustion. Affected range <1.22.7 Fixed version 1.22.7 EPSS Score 0.04% EPSS Percentile 18th percentile Description Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion. This is a follow-up to CVE-2022-30635. Affected range >=1.22.0-0 <1.22.5 Fixed version 1.22.5 EPSS Score 0.04% EPSS Percentile 18th percentile Description The net/http HTTP/1.1 client mishandled the case where a server responds to a request with an "Expect: 100-continue" header with a non-informational (200 or higher) status. This mishandling could leave a client connection in an invalid state, where the next request sent on the connection will fail. An attacker sending a request to a net/http/httputil.ReverseProxy proxy can exploit this mishandling to cause a denial of service by sending "Expect: 100-continue" requests which elicit a non-informational response from the backend. Each such request leaves the proxy with an invalid connection, and causes one subsequent request using that connection to fail. Affected range <1.22.7 Fixed version 1.22.7 EPSS Score 0.19% EPSS Percentile 57th percentile Description Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion. This is a follow-up to CVE-2022-30635.

golang.org/x/crypto 0.27.0 (golang) pkg:golang/golang.org/x/[email protected] Improper Authorization Affected range <0.31.0 Fixed version 0.31.0 Description Applications and libraries which misuse the ServerConfig.PublicKeyCallback callback may be susceptible to an authorization bypass. The documentation for ServerConfig.PublicKeyCallback says that "A call to this function does not guarantee that the key offered is in fact used to authenticate." Specifically, the SSH protocol allows clients to inquire about whether a public key is acceptable before proving control of the corresponding private key. PublicKeyCallback may be called with multiple keys, and the order in which the keys were provided cannot be used to infer which key the client successfully authenticated with, if any. Some applications, which store the key(s) passed to PublicKeyCallback (or derived information) and make security relevant determinations based on it once the connection is established, may make incorrect assumptions. For example, an attacker may send public keys A and B, and then authenticate with A. PublicKeyCallback would be called only twice, first with A and then with B. A vulnerable application may then make authorization decisions based on key B for which the attacker does not actually control the private key. Since this API is widely misused, as a partial mitigation golang.org/x/[email protected] enforces the property that, when successfully authenticating via public key, the last key passed to ServerConfig.PublicKeyCallback will be the key used to authenticate the connection. PublicKeyCallback will now be called multiple times with the same key, if necessary. Note that the client may still not control the last key passed to PublicKeyCallback if the connection is then authenticated with a different method, such as PasswordCallback, KeyboardInteractiveCallback, or NoClientAuth. Users should be using the Extensions field of the Permissions return value from the various authentication callbacks to record data associated with the authentication attempt instead of referencing external state. Once the connection is established the state corresponding to the successful authentication attempt can be retrieved via the ServerConn.Permissions field. Note that some third-party libraries misuse the Permissions type by sharing it across authentication attempts; users of third-party libraries should refer to the relevant projects for guidance.

[github-actions]

Recommended fixes for image moby/buildkit:buildx-stable-1

Base image is alpine:3

Name	3.20.3
Digest	sha256:029a752048e32e843bd6defe3841186fb8d19a28dae8ec287f433bb9d6d1ad85
Vulnerabilities
Pushed	3 months ago
Size	3.6 MB
Packages	17
OS	3.20.3

The base image is also available under the supported tag(s): 3.20, 3.20.3, latest

Refresh base image

Rebuild the image using a newer base image version. Updating this may result in breaking changes.

Tag	Details	Pushed	Vulnerabilities
3 Newer image for same tag Also known as: 3.21.0 3.21 latest	Benefits: Newer image for same tag Minor OS version update Tag is preferred tag Tag was pushed more recently Image has similar size Tag is latest Image introduces no new vulnerability but removes 1 3 was pulled 251K times last month Image details: Size: 3.6 MB OS: 3.21.0	1 week ago

Change base image

✅ There are no tag recommendations at this time.

[lotyp]

🤖 Created releases:

• v2.0.11
  🌻