chore(master): release 2.8.4

[lotyp]

🤖 I have created a release beep boop

2.8.4 (2024-12-16)

Dependencies

• deps: update wagoid/commitlint-github-action action to v6.2.0 (#75) (7b8fb50)

---

This PR was generated with Release Please. See documentation.

[github-actions]

Outdated

🔍 Vulnerabilities of wayofdev/php-dev:latest

📦 Image Reference wayofdev/php-dev:latest

digest	sha256:da96ba24ceee3df3449311ed9c6fa06f2f1038fd4bde633c105b7c5046b65086
vulnerabilities
platform	linux/amd64
size	109 MB
packages	231

📦 Base Image php:8.2-alpine

also known as	8.2-alpine3.21 8.2-cli-alpine 8.2-cli-alpine3.21 8.2.26-alpine 8.2.26-alpine3.21 8.2.26-cli-alpine 8.2.26-cli-alpine3.21
digest	sha256:e33a9aa217ea6f2f3891b2c01158e38f860f3ede767870953b6685cd2fa12c9e
vulnerabilities

golang.org/x/crypto 0.17.0 (golang) pkg:golang/golang.org/x/[email protected] Improper Authorization Affected range <0.31.0 Fixed version 0.31.0 CVSS Score 9.1 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N EPSS Score 0.045% EPSS Percentile 18th percentile Description Applications and libraries which misuse the ServerConfig.PublicKeyCallback callback may be susceptible to an authorization bypass. The documentation for ServerConfig.PublicKeyCallback says that "A call to this function does not guarantee that the key offered is in fact used to authenticate." Specifically, the SSH protocol allows clients to inquire about whether a public key is acceptable before proving control of the corresponding private key. PublicKeyCallback may be called with multiple keys, and the order in which the keys were provided cannot be used to infer which key the client successfully authenticated with, if any. Some applications, which store the key(s) passed to PublicKeyCallback (or derived information) and make security relevant determinations based on it once the connection is established, may make incorrect assumptions. For example, an attacker may send public keys A and B, and then authenticate with A. PublicKeyCallback would be called only twice, first with A and then with B. A vulnerable application may then make authorization decisions based on key B for which the attacker does not actually control the private key. Since this API is widely misused, as a partial mitigation golang.org/x/[email protected] enforces the property that, when successfully authenticating via public key, the last key passed to ServerConfig.PublicKeyCallback will be the key used to authenticate the connection. PublicKeyCallback will now be called multiple times with the same key, if necessary. Note that the client may still not control the last key passed to PublicKeyCallback if the connection is then authenticated with a different method, such as PasswordCallback, KeyboardInteractiveCallback, or NoClientAuth. Users should be using the Extensions field of the Permissions return value from the various authentication callbacks to record data associated with the authentication attempt instead of referencing external state. Once the connection is established the state corresponding to the successful authentication attempt can be retrieved via the ServerConn.Permissions field. Note that some third-party libraries misuse the Permissions type by sharing it across authentication attempts; users of third-party libraries should refer to the relevant projects for guidance.

[github-actions]

Outdated

Recommended fixes for image wayofdev/php-dev:latest

Base image is php:8.2-alpine

Name	8.2.26-alpine3.21
Digest	sha256:e33a9aa217ea6f2f3891b2c01158e38f860f3ede767870953b6685cd2fa12c9e
Vulnerabilities
Pushed	1 week ago
Size	36 MB
Packages	52
Flavor	alpine
OS	3.21
Runtime	8.2.26

The base image is also available under the supported tag(s): 8.2-alpine3.21, 8.2-cli-alpine, 8.2-cli-alpine3.21, 8.2.26-alpine, 8.2.26-alpine3.21, 8.2.26-cli-alpine, 8.2.26-cli-alpine3.21

Refresh base image

Rebuild the image using a newer base image version. Updating this may result in breaking changes.

✅ This image version is up to date.

Change base image

Tag	Details	Pushed	Vulnerabilities
8.4-alpine Minor runtime version update Also known as: 8.4.1-cli-alpine 8.4.1-cli-alpine3.21 8.4-cli-alpine 8.4-cli-alpine3.21 8-cli-alpine 8-cli-alpine3.21 cli-alpine cli-alpine3.21 alpine alpine3.21 8.4.1-alpine 8.4.1-alpine3.21 8.4-alpine3.21 8-alpine 8-alpine3.21	Benefits: Same OS detected Minor runtime version update Image has similar size Image has same number of vulnerabilities Image contains equal number of packages Image details: Size: 42 MB Flavor: alpine OS: 3.21 Runtime: 8.4.1	1 week ago
8.3-alpine Minor runtime version update Also known as: 8.3.14-cli-alpine 8.3.14-cli-alpine3.21 8.3-cli-alpine 8.3-cli-alpine3.21 8.3.14-alpine 8.3.14-alpine3.21 8.3-alpine3.21	Benefits: Same OS detected Minor runtime version update Image has similar size Image has same number of vulnerabilities Image contains equal number of packages Image details: Size: 37 MB Flavor: alpine OS: 3.21 Runtime: 8.3.14	1 week ago

[github-actions]

Outdated

🔍 Vulnerabilities of wayofdev/php-dev:latest

📦 Image Reference wayofdev/php-dev:latest

digest	sha256:714689277f376c2edb51938eac253df3db7f1997d6a6445dd542983381d6d59e
vulnerabilities
platform	linux/amd64
size	128 MB
packages	249

📦 Base Image php:8.2-alpine

also known as	8.2-alpine3.21 8.2-cli-alpine 8.2-cli-alpine3.21 8.2.26-alpine 8.2.26-alpine3.21 8.2.26-cli-alpine 8.2.26-cli-alpine3.21
digest	sha256:e33a9aa217ea6f2f3891b2c01158e38f860f3ede767870953b6685cd2fa12c9e
vulnerabilities

golang.org/x/crypto 0.17.0 (golang) pkg:golang/golang.org/x/[email protected] Improper Authorization Affected range <0.31.0 Fixed version 0.31.0 CVSS Score 9.1 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N EPSS Score 0.045% EPSS Percentile 18th percentile Description Applications and libraries which misuse the ServerConfig.PublicKeyCallback callback may be susceptible to an authorization bypass. The documentation for ServerConfig.PublicKeyCallback says that "A call to this function does not guarantee that the key offered is in fact used to authenticate." Specifically, the SSH protocol allows clients to inquire about whether a public key is acceptable before proving control of the corresponding private key. PublicKeyCallback may be called with multiple keys, and the order in which the keys were provided cannot be used to infer which key the client successfully authenticated with, if any. Some applications, which store the key(s) passed to PublicKeyCallback (or derived information) and make security relevant determinations based on it once the connection is established, may make incorrect assumptions. For example, an attacker may send public keys A and B, and then authenticate with A. PublicKeyCallback would be called only twice, first with A and then with B. A vulnerable application may then make authorization decisions based on key B for which the attacker does not actually control the private key. Since this API is widely misused, as a partial mitigation golang.org/x/[email protected] enforces the property that, when successfully authenticating via public key, the last key passed to ServerConfig.PublicKeyCallback will be the key used to authenticate the connection. PublicKeyCallback will now be called multiple times with the same key, if necessary. Note that the client may still not control the last key passed to PublicKeyCallback if the connection is then authenticated with a different method, such as PasswordCallback, KeyboardInteractiveCallback, or NoClientAuth. Users should be using the Extensions field of the Permissions return value from the various authentication callbacks to record data associated with the authentication attempt instead of referencing external state. Once the connection is established the state corresponding to the successful authentication attempt can be retrieved via the ServerConn.Permissions field. Note that some third-party libraries misuse the Permissions type by sharing it across authentication attempts; users of third-party libraries should refer to the relevant projects for guidance.

[github-actions]

Outdated

🔍 Vulnerabilities of wayofdev/php-dev:latest

📦 Image Reference wayofdev/php-dev:latest

digest	sha256:f53e0f6a2733abf4152d003d15b1f0435c162885be1ec57acdadbddeb538eccd
vulnerabilities
platform	linux/amd64
size	115 MB
packages	231

📦 Base Image php:8-alpine

also known as	8-alpine3.21 8-cli-alpine 8-cli-alpine3.21 8.4-alpine 8.4-alpine3.21 8.4-cli-alpine 8.4-cli-alpine3.21 8.4.1-alpine 8.4.1-alpine3.21 8.4.1-cli-alpine 8.4.1-cli-alpine3.21 alpine alpine3.21 cli-alpine cli-alpine3.21
digest	sha256:6338c0bc70c8a8b1699fafac1cb0cb15d71825b2b8e7b131989d6f239daa8615
vulnerabilities

golang.org/x/crypto 0.17.0 (golang) pkg:golang/golang.org/x/[email protected] Improper Authorization Affected range <0.31.0 Fixed version 0.31.0 CVSS Score 9.1 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N EPSS Score 0.045% EPSS Percentile 18th percentile Description Applications and libraries which misuse the ServerConfig.PublicKeyCallback callback may be susceptible to an authorization bypass. The documentation for ServerConfig.PublicKeyCallback says that "A call to this function does not guarantee that the key offered is in fact used to authenticate." Specifically, the SSH protocol allows clients to inquire about whether a public key is acceptable before proving control of the corresponding private key. PublicKeyCallback may be called with multiple keys, and the order in which the keys were provided cannot be used to infer which key the client successfully authenticated with, if any. Some applications, which store the key(s) passed to PublicKeyCallback (or derived information) and make security relevant determinations based on it once the connection is established, may make incorrect assumptions. For example, an attacker may send public keys A and B, and then authenticate with A. PublicKeyCallback would be called only twice, first with A and then with B. A vulnerable application may then make authorization decisions based on key B for which the attacker does not actually control the private key. Since this API is widely misused, as a partial mitigation golang.org/x/[email protected] enforces the property that, when successfully authenticating via public key, the last key passed to ServerConfig.PublicKeyCallback will be the key used to authenticate the connection. PublicKeyCallback will now be called multiple times with the same key, if necessary. Note that the client may still not control the last key passed to PublicKeyCallback if the connection is then authenticated with a different method, such as PasswordCallback, KeyboardInteractiveCallback, or NoClientAuth. Users should be using the Extensions field of the Permissions return value from the various authentication callbacks to record data associated with the authentication attempt instead of referencing external state. Once the connection is established the state corresponding to the successful authentication attempt can be retrieved via the ServerConn.Permissions field. Note that some third-party libraries misuse the Permissions type by sharing it across authentication attempts; users of third-party libraries should refer to the relevant projects for guidance.

[github-actions]

Outdated

🔍 Vulnerabilities of wayofdev/php-dev:latest

📦 Image Reference wayofdev/php-dev:latest

digest	sha256:227faa6354dbf7196f5539e7e01b32d151f3e105610a7628599486d28e8c0645
vulnerabilities
platform	linux/amd64
size	110 MB
packages	231

📦 Base Image php:8.3-alpine

also known as	8.3-alpine3.21 8.3-cli-alpine 8.3-cli-alpine3.21 8.3.14-alpine 8.3.14-alpine3.21 8.3.14-cli-alpine 8.3.14-cli-alpine3.21
digest	sha256:41ab576a7fd2702a4921f50bc69be52460414e1d3a2d6e70676180e9ae8d4b78
vulnerabilities

golang.org/x/crypto 0.17.0 (golang) pkg:golang/golang.org/x/[email protected] Improper Authorization Affected range <0.31.0 Fixed version 0.31.0 CVSS Score 9.1 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N EPSS Score 0.045% EPSS Percentile 18th percentile Description Applications and libraries which misuse the ServerConfig.PublicKeyCallback callback may be susceptible to an authorization bypass. The documentation for ServerConfig.PublicKeyCallback says that "A call to this function does not guarantee that the key offered is in fact used to authenticate." Specifically, the SSH protocol allows clients to inquire about whether a public key is acceptable before proving control of the corresponding private key. PublicKeyCallback may be called with multiple keys, and the order in which the keys were provided cannot be used to infer which key the client successfully authenticated with, if any. Some applications, which store the key(s) passed to PublicKeyCallback (or derived information) and make security relevant determinations based on it once the connection is established, may make incorrect assumptions. For example, an attacker may send public keys A and B, and then authenticate with A. PublicKeyCallback would be called only twice, first with A and then with B. A vulnerable application may then make authorization decisions based on key B for which the attacker does not actually control the private key. Since this API is widely misused, as a partial mitigation golang.org/x/[email protected] enforces the property that, when successfully authenticating via public key, the last key passed to ServerConfig.PublicKeyCallback will be the key used to authenticate the connection. PublicKeyCallback will now be called multiple times with the same key, if necessary. Note that the client may still not control the last key passed to PublicKeyCallback if the connection is then authenticated with a different method, such as PasswordCallback, KeyboardInteractiveCallback, or NoClientAuth. Users should be using the Extensions field of the Permissions return value from the various authentication callbacks to record data associated with the authentication attempt instead of referencing external state. Once the connection is established the state corresponding to the successful authentication attempt can be retrieved via the ServerConn.Permissions field. Note that some third-party libraries misuse the Permissions type by sharing it across authentication attempts; users of third-party libraries should refer to the relevant projects for guidance.

[github-actions]

Outdated

Recommended fixes for image wayofdev/php-dev:latest

Base image is php:8-alpine

Name	8.4.1-alpine3.21
Digest	sha256:6338c0bc70c8a8b1699fafac1cb0cb15d71825b2b8e7b131989d6f239daa8615
Vulnerabilities
Pushed	1 week ago
Size	42 MB
Packages	52
Flavor	alpine
OS	3.21
Runtime	8.4.1

The base image is also available under the supported tag(s): 8-alpine3.21, 8-cli-alpine, 8-cli-alpine3.21, 8.4-alpine, 8.4-alpine3.21, 8.4-cli-alpine, 8.4-cli-alpine3.21, 8.4.1-alpine, 8.4.1-alpine3.21, 8.4.1-cli-alpine, 8.4.1-cli-alpine3.21, alpine, alpine3.21, cli-alpine, cli-alpine3.21

Refresh base image

Rebuild the image using a newer base image version. Updating this may result in breaking changes.

✅ This image version is up to date.

Change base image

✅ There are no tag recommendations at this time.

[github-actions]

Outdated

Recommended fixes for image wayofdev/php-dev:latest

Base image is php:8.2-alpine

Name	8.2.26-alpine3.21
Digest	sha256:e33a9aa217ea6f2f3891b2c01158e38f860f3ede767870953b6685cd2fa12c9e
Vulnerabilities
Pushed	1 week ago
Size	36 MB
Packages	52
Flavor	alpine
OS	3.21
Runtime	8.2.26

The base image is also available under the supported tag(s): 8.2-alpine3.21, 8.2-cli-alpine, 8.2-cli-alpine3.21, 8.2.26-alpine, 8.2.26-alpine3.21, 8.2.26-cli-alpine, 8.2.26-cli-alpine3.21

Refresh base image

Rebuild the image using a newer base image version. Updating this may result in breaking changes.

✅ This image version is up to date.

Change base image

Tag	Details	Pushed	Vulnerabilities
8.4-alpine Minor runtime version update Also known as: 8.4.1-cli-alpine 8.4.1-cli-alpine3.21 8.4-cli-alpine 8.4-cli-alpine3.21 8-cli-alpine 8-cli-alpine3.21 cli-alpine cli-alpine3.21 alpine alpine3.21 8.4.1-alpine 8.4.1-alpine3.21 8.4-alpine3.21 8-alpine 8-alpine3.21	Benefits: Same OS detected Minor runtime version update Image has similar size Image has same number of vulnerabilities Image contains equal number of packages Image details: Size: 42 MB Flavor: alpine OS: 3.21 Runtime: 8.4.1	1 week ago
8.3-alpine Minor runtime version update Also known as: 8.3.14-cli-alpine 8.3.14-cli-alpine3.21 8.3-cli-alpine 8.3-cli-alpine3.21 8.3.14-alpine 8.3.14-alpine3.21 8.3-alpine3.21	Benefits: Same OS detected Minor runtime version update Image has similar size Image has same number of vulnerabilities Image contains equal number of packages Image details: Size: 37 MB Flavor: alpine OS: 3.21 Runtime: 8.3.14	1 week ago

[github-actions]

Outdated

Recommended fixes for image wayofdev/php-dev:latest

Base image is php:8.3-alpine

Name	8.3.14-alpine3.21
Digest	sha256:41ab576a7fd2702a4921f50bc69be52460414e1d3a2d6e70676180e9ae8d4b78
Vulnerabilities
Pushed	1 week ago
Size	37 MB
Packages	52
Flavor	alpine
OS	3.21
Runtime	8.3.14

The base image is also available under the supported tag(s): 8.3-alpine3.21, 8.3-cli-alpine, 8.3-cli-alpine3.21, 8.3.14-alpine, 8.3.14-alpine3.21, 8.3.14-cli-alpine, 8.3.14-cli-alpine3.21

Refresh base image

Rebuild the image using a newer base image version. Updating this may result in breaking changes.

✅ This image version is up to date.

Change base image

Tag	Details	Pushed	Vulnerabilities
8.4-alpine Minor runtime version update Also known as: 8.4.1-cli-alpine 8.4.1-cli-alpine3.21 8.4-cli-alpine 8.4-cli-alpine3.21 8-cli-alpine 8-cli-alpine3.21 cli-alpine cli-alpine3.21 alpine alpine3.21 8.4.1-alpine 8.4.1-alpine3.21 8.4-alpine3.21 8-alpine 8-alpine3.21	Benefits: Same OS detected Minor runtime version update Image has similar size Image has same number of vulnerabilities Image contains equal number of packages Image details: Size: 42 MB Flavor: alpine OS: 3.21 Runtime: 8.4.1	1 week ago

[github-actions]

Outdated

🔍 Vulnerabilities of wayofdev/php-dev:latest

📦 Image Reference wayofdev/php-dev:latest

digest	sha256:bbc32f90c91aea5b1ed00b4a080501d81b041af2851ba63d9f4df9f3da0cf6da
vulnerabilities
platform	linux/amd64
size	128 MB
packages	249

📦 Base Image php:8.3-alpine

also known as	8.3-alpine3.21 8.3-cli-alpine 8.3-cli-alpine3.21 8.3.14-alpine 8.3.14-alpine3.21 8.3.14-cli-alpine 8.3.14-cli-alpine3.21
digest	sha256:41ab576a7fd2702a4921f50bc69be52460414e1d3a2d6e70676180e9ae8d4b78
vulnerabilities

golang.org/x/crypto 0.17.0 (golang) pkg:golang/golang.org/x/[email protected] Improper Authorization Affected range <0.31.0 Fixed version 0.31.0 CVSS Score 9.1 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N EPSS Score 0.045% EPSS Percentile 18th percentile Description Applications and libraries which misuse the ServerConfig.PublicKeyCallback callback may be susceptible to an authorization bypass. The documentation for ServerConfig.PublicKeyCallback says that "A call to this function does not guarantee that the key offered is in fact used to authenticate." Specifically, the SSH protocol allows clients to inquire about whether a public key is acceptable before proving control of the corresponding private key. PublicKeyCallback may be called with multiple keys, and the order in which the keys were provided cannot be used to infer which key the client successfully authenticated with, if any. Some applications, which store the key(s) passed to PublicKeyCallback (or derived information) and make security relevant determinations based on it once the connection is established, may make incorrect assumptions. For example, an attacker may send public keys A and B, and then authenticate with A. PublicKeyCallback would be called only twice, first with A and then with B. A vulnerable application may then make authorization decisions based on key B for which the attacker does not actually control the private key. Since this API is widely misused, as a partial mitigation golang.org/x/[email protected] enforces the property that, when successfully authenticating via public key, the last key passed to ServerConfig.PublicKeyCallback will be the key used to authenticate the connection. PublicKeyCallback will now be called multiple times with the same key, if necessary. Note that the client may still not control the last key passed to PublicKeyCallback if the connection is then authenticated with a different method, such as PasswordCallback, KeyboardInteractiveCallback, or NoClientAuth. Users should be using the Extensions field of the Permissions return value from the various authentication callbacks to record data associated with the authentication attempt instead of referencing external state. Once the connection is established the state corresponding to the successful authentication attempt can be retrieved via the ServerConn.Permissions field. Note that some third-party libraries misuse the Permissions type by sharing it across authentication attempts; users of third-party libraries should refer to the relevant projects for guidance.

[github-actions]

Outdated

🔍 Vulnerabilities of wayofdev/php-dev:latest

📦 Image Reference wayofdev/php-dev:latest

digest	sha256:7a7cdd61f20ead3b440912ee5d7d1b5d6eb985833cbc67733590107a383fd5e8
vulnerabilities
platform	linux/amd64
size	109 MB
packages	231

📦 Base Image php:8.1-alpine

also known as	8.1-alpine3.21 8.1-cli-alpine 8.1-cli-alpine3.21 8.1.31-alpine 8.1.31-alpine3.21 8.1.31-cli-alpine 8.1.31-cli-alpine3.21
digest	sha256:b217029b5db5f0784a5e00c57280685a4c2f009a970e6b32bb415eba6ca5ae7c
vulnerabilities

golang.org/x/crypto 0.17.0 (golang) pkg:golang/golang.org/x/[email protected] Improper Authorization Affected range <0.31.0 Fixed version 0.31.0 CVSS Score 9.1 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N EPSS Score 0.045% EPSS Percentile 18th percentile Description Applications and libraries which misuse the ServerConfig.PublicKeyCallback callback may be susceptible to an authorization bypass. The documentation for ServerConfig.PublicKeyCallback says that "A call to this function does not guarantee that the key offered is in fact used to authenticate." Specifically, the SSH protocol allows clients to inquire about whether a public key is acceptable before proving control of the corresponding private key. PublicKeyCallback may be called with multiple keys, and the order in which the keys were provided cannot be used to infer which key the client successfully authenticated with, if any. Some applications, which store the key(s) passed to PublicKeyCallback (or derived information) and make security relevant determinations based on it once the connection is established, may make incorrect assumptions. For example, an attacker may send public keys A and B, and then authenticate with A. PublicKeyCallback would be called only twice, first with A and then with B. A vulnerable application may then make authorization decisions based on key B for which the attacker does not actually control the private key. Since this API is widely misused, as a partial mitigation golang.org/x/[email protected] enforces the property that, when successfully authenticating via public key, the last key passed to ServerConfig.PublicKeyCallback will be the key used to authenticate the connection. PublicKeyCallback will now be called multiple times with the same key, if necessary. Note that the client may still not control the last key passed to PublicKeyCallback if the connection is then authenticated with a different method, such as PasswordCallback, KeyboardInteractiveCallback, or NoClientAuth. Users should be using the Extensions field of the Permissions return value from the various authentication callbacks to record data associated with the authentication attempt instead of referencing external state. Once the connection is established the state corresponding to the successful authentication attempt can be retrieved via the ServerConn.Permissions field. Note that some third-party libraries misuse the Permissions type by sharing it across authentication attempts; users of third-party libraries should refer to the relevant projects for guidance.

[github-actions]

Outdated

Recommended fixes for image wayofdev/php-dev:latest

Base image is php:8.3-alpine

Name	8.3.14-alpine3.21
Digest	sha256:41ab576a7fd2702a4921f50bc69be52460414e1d3a2d6e70676180e9ae8d4b78
Vulnerabilities
Pushed	1 week ago
Size	37 MB
Packages	52
Flavor	alpine
OS	3.21
Runtime	8.3.14

The base image is also available under the supported tag(s): 8.3-alpine3.21, 8.3-cli-alpine, 8.3-cli-alpine3.21, 8.3.14-alpine, 8.3.14-alpine3.21, 8.3.14-cli-alpine, 8.3.14-cli-alpine3.21

Refresh base image

Rebuild the image using a newer base image version. Updating this may result in breaking changes.

✅ This image version is up to date.

Change base image

Tag	Details	Pushed	Vulnerabilities
8.4-alpine Minor runtime version update Also known as: 8.4.1-cli-alpine 8.4.1-cli-alpine3.21 8.4-cli-alpine 8.4-cli-alpine3.21 8-cli-alpine 8-cli-alpine3.21 cli-alpine cli-alpine3.21 alpine alpine3.21 8.4.1-alpine 8.4.1-alpine3.21 8.4-alpine3.21 8-alpine 8-alpine3.21	Benefits: Same OS detected Minor runtime version update Image has similar size Image has same number of vulnerabilities Image contains equal number of packages Image details: Size: 42 MB Flavor: alpine OS: 3.21 Runtime: 8.4.1	1 week ago

[github-actions]

Outdated

Recommended fixes for image wayofdev/php-dev:latest

Base image is php:8.1-alpine

Name	8.1.31-alpine3.21
Digest	sha256:b217029b5db5f0784a5e00c57280685a4c2f009a970e6b32bb415eba6ca5ae7c
Vulnerabilities
Pushed	5 days ago
Size	36 MB
Packages	52
Flavor	alpine
OS	3.21
Runtime	8.1.31

The base image is also available under the supported tag(s): 8.1-alpine3.21, 8.1-cli-alpine, 8.1-cli-alpine3.21, 8.1.31-alpine, 8.1.31-alpine3.21, 8.1.31-cli-alpine, 8.1.31-cli-alpine3.21

Refresh base image

Rebuild the image using a newer base image version. Updating this may result in breaking changes.

✅ This image version is up to date.

Change base image

Tag	Details	Pushed	Vulnerabilities
8.4-alpine Minor runtime version update Also known as: 8.4.1-cli-alpine 8.4.1-cli-alpine3.21 8.4-cli-alpine 8.4-cli-alpine3.21 8-cli-alpine 8-cli-alpine3.21 cli-alpine cli-alpine3.21 alpine alpine3.21 8.4.1-alpine 8.4.1-alpine3.21 8.4-alpine3.21 8-alpine 8-alpine3.21	Benefits: Same OS detected Minor runtime version update Image has similar size Image has same number of vulnerabilities Image contains equal number of packages Image details: Size: 42 MB Flavor: alpine OS: 3.21 Runtime: 8.4.1	1 week ago
8.3-alpine Minor runtime version update Also known as: 8.3.14-cli-alpine 8.3.14-cli-alpine3.21 8.3-cli-alpine 8.3-cli-alpine3.21 8.3.14-alpine 8.3.14-alpine3.21 8.3-alpine3.21	Benefits: Same OS detected Minor runtime version update Image has similar size Image has same number of vulnerabilities Image contains equal number of packages Image details: Size: 37 MB Flavor: alpine OS: 3.21 Runtime: 8.3.14	1 week ago
8.2-alpine Minor runtime version update Also known as: 8.2.26-cli-alpine 8.2.26-cli-alpine3.21 8.2-cli-alpine 8.2-cli-alpine3.21 8.2.26-alpine 8.2.26-alpine3.21 8.2-alpine3.21	Benefits: Same OS detected Minor runtime version update Image has similar size Image has same number of vulnerabilities Image contains equal number of packages 8.2-alpine was pulled 1.8K times last month Image details: Size: 36 MB Flavor: alpine OS: 3.21 Runtime: 8.2.26	1 week ago

[github-actions]

Outdated

🔍 Vulnerabilities of wayofdev/php-dev:latest

📦 Image Reference wayofdev/php-dev:latest

digest	sha256:a950761a33a99f212360927e5fe38439a82b6b7aff28dd1eba3e0f2b73324770
vulnerabilities
platform	linux/amd64
size	104 MB
packages	232

📦 Base Image php:8.1-fpm-alpine

also known as	8.1-fpm-alpine3.21 8.1.31-fpm-alpine 8.1.31-fpm-alpine3.21
digest	sha256:fa457eee5e53a8d4aff21bd0d78a3cbcd7f98b8def81218a8f0d98dd8cbd029b
vulnerabilities

golang.org/x/crypto 0.17.0 (golang) pkg:golang/golang.org/x/[email protected] Improper Authorization Affected range <0.31.0 Fixed version 0.31.0 CVSS Score 9.1 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N EPSS Score 0.045% EPSS Percentile 18th percentile Description Applications and libraries which misuse the ServerConfig.PublicKeyCallback callback may be susceptible to an authorization bypass. The documentation for ServerConfig.PublicKeyCallback says that "A call to this function does not guarantee that the key offered is in fact used to authenticate." Specifically, the SSH protocol allows clients to inquire about whether a public key is acceptable before proving control of the corresponding private key. PublicKeyCallback may be called with multiple keys, and the order in which the keys were provided cannot be used to infer which key the client successfully authenticated with, if any. Some applications, which store the key(s) passed to PublicKeyCallback (or derived information) and make security relevant determinations based on it once the connection is established, may make incorrect assumptions. For example, an attacker may send public keys A and B, and then authenticate with A. PublicKeyCallback would be called only twice, first with A and then with B. A vulnerable application may then make authorization decisions based on key B for which the attacker does not actually control the private key. Since this API is widely misused, as a partial mitigation golang.org/x/[email protected] enforces the property that, when successfully authenticating via public key, the last key passed to ServerConfig.PublicKeyCallback will be the key used to authenticate the connection. PublicKeyCallback will now be called multiple times with the same key, if necessary. Note that the client may still not control the last key passed to PublicKeyCallback if the connection is then authenticated with a different method, such as PasswordCallback, KeyboardInteractiveCallback, or NoClientAuth. Users should be using the Extensions field of the Permissions return value from the various authentication callbacks to record data associated with the authentication attempt instead of referencing external state. Once the connection is established the state corresponding to the successful authentication attempt can be retrieved via the ServerConn.Permissions field. Note that some third-party libraries misuse the Permissions type by sharing it across authentication attempts; users of third-party libraries should refer to the relevant projects for guidance.

[github-actions]

Outdated

🔍 Vulnerabilities of wayofdev/php-dev:latest

📦 Image Reference wayofdev/php-dev:latest

digest	sha256:9d23f80dacfa94c29f51fdee9fcfd1b2519f825e202c3371a0dd4073897b198e
vulnerabilities
platform	linux/amd64
size	127 MB
packages	249

📦 Base Image php:8.1-alpine

also known as	8.1-alpine3.21 8.1-cli-alpine 8.1-cli-alpine3.21 8.1.31-alpine 8.1.31-alpine3.21 8.1.31-cli-alpine 8.1.31-cli-alpine3.21
digest	sha256:b217029b5db5f0784a5e00c57280685a4c2f009a970e6b32bb415eba6ca5ae7c
vulnerabilities

golang.org/x/crypto 0.17.0 (golang) pkg:golang/golang.org/x/[email protected] Improper Authorization Affected range <0.31.0 Fixed version 0.31.0 CVSS Score 9.1 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N EPSS Score 0.045% EPSS Percentile 18th percentile Description Applications and libraries which misuse the ServerConfig.PublicKeyCallback callback may be susceptible to an authorization bypass. The documentation for ServerConfig.PublicKeyCallback says that "A call to this function does not guarantee that the key offered is in fact used to authenticate." Specifically, the SSH protocol allows clients to inquire about whether a public key is acceptable before proving control of the corresponding private key. PublicKeyCallback may be called with multiple keys, and the order in which the keys were provided cannot be used to infer which key the client successfully authenticated with, if any. Some applications, which store the key(s) passed to PublicKeyCallback (or derived information) and make security relevant determinations based on it once the connection is established, may make incorrect assumptions. For example, an attacker may send public keys A and B, and then authenticate with A. PublicKeyCallback would be called only twice, first with A and then with B. A vulnerable application may then make authorization decisions based on key B for which the attacker does not actually control the private key. Since this API is widely misused, as a partial mitigation golang.org/x/[email protected] enforces the property that, when successfully authenticating via public key, the last key passed to ServerConfig.PublicKeyCallback will be the key used to authenticate the connection. PublicKeyCallback will now be called multiple times with the same key, if necessary. Note that the client may still not control the last key passed to PublicKeyCallback if the connection is then authenticated with a different method, such as PasswordCallback, KeyboardInteractiveCallback, or NoClientAuth. Users should be using the Extensions field of the Permissions return value from the various authentication callbacks to record data associated with the authentication attempt instead of referencing external state. Once the connection is established the state corresponding to the successful authentication attempt can be retrieved via the ServerConn.Permissions field. Note that some third-party libraries misuse the Permissions type by sharing it across authentication attempts; users of third-party libraries should refer to the relevant projects for guidance.

[github-actions]

Outdated

🔍 Vulnerabilities of wayofdev/php-dev:latest

📦 Image Reference wayofdev/php-dev:latest

digest	sha256:9b7ce0551a44f0f04625886e812b9142ddc4ef23278481ce9c2ca6d62ea101da
vulnerabilities
platform	linux/amd64
size	105 MB
packages	232

📦 Base Image php:8.3-fpm-alpine

also known as	8.3-fpm-alpine3.21 8.3.14-fpm-alpine 8.3.14-fpm-alpine3.21
digest	sha256:2195efdc39294f113863a8af61fac333817b0382b7421252fc975605260f6668
vulnerabilities

golang.org/x/crypto 0.17.0 (golang) pkg:golang/golang.org/x/[email protected] Improper Authorization Affected range <0.31.0 Fixed version 0.31.0 CVSS Score 9.1 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N EPSS Score 0.045% EPSS Percentile 18th percentile Description Applications and libraries which misuse the ServerConfig.PublicKeyCallback callback may be susceptible to an authorization bypass. The documentation for ServerConfig.PublicKeyCallback says that "A call to this function does not guarantee that the key offered is in fact used to authenticate." Specifically, the SSH protocol allows clients to inquire about whether a public key is acceptable before proving control of the corresponding private key. PublicKeyCallback may be called with multiple keys, and the order in which the keys were provided cannot be used to infer which key the client successfully authenticated with, if any. Some applications, which store the key(s) passed to PublicKeyCallback (or derived information) and make security relevant determinations based on it once the connection is established, may make incorrect assumptions. For example, an attacker may send public keys A and B, and then authenticate with A. PublicKeyCallback would be called only twice, first with A and then with B. A vulnerable application may then make authorization decisions based on key B for which the attacker does not actually control the private key. Since this API is widely misused, as a partial mitigation golang.org/x/[email protected] enforces the property that, when successfully authenticating via public key, the last key passed to ServerConfig.PublicKeyCallback will be the key used to authenticate the connection. PublicKeyCallback will now be called multiple times with the same key, if necessary. Note that the client may still not control the last key passed to PublicKeyCallback if the connection is then authenticated with a different method, such as PasswordCallback, KeyboardInteractiveCallback, or NoClientAuth. Users should be using the Extensions field of the Permissions return value from the various authentication callbacks to record data associated with the authentication attempt instead of referencing external state. Once the connection is established the state corresponding to the successful authentication attempt can be retrieved via the ServerConn.Permissions field. Note that some third-party libraries misuse the Permissions type by sharing it across authentication attempts; users of third-party libraries should refer to the relevant projects for guidance.

[github-actions]

Outdated

🔍 Vulnerabilities of wayofdev/php-dev:latest

📦 Image Reference wayofdev/php-dev:latest

digest	sha256:62779c3efddf7e28546bbde0835bcacf4547657236d558e8a203d51d3fe488a5
vulnerabilities
platform	linux/amd64
size	134 MB
packages	249

📦 Base Image php:8-alpine

also known as	8-alpine3.21 8-cli-alpine 8-cli-alpine3.21 8.4-alpine 8.4-alpine3.21 8.4-cli-alpine 8.4-cli-alpine3.21 8.4.1-alpine 8.4.1-alpine3.21 8.4.1-cli-alpine 8.4.1-cli-alpine3.21 alpine alpine3.21 cli-alpine cli-alpine3.21
digest	sha256:6338c0bc70c8a8b1699fafac1cb0cb15d71825b2b8e7b131989d6f239daa8615
vulnerabilities

golang.org/x/crypto 0.17.0 (golang) pkg:golang/golang.org/x/[email protected] Improper Authorization Affected range <0.31.0 Fixed version 0.31.0 CVSS Score 9.1 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N EPSS Score 0.045% EPSS Percentile 18th percentile Description Applications and libraries which misuse the ServerConfig.PublicKeyCallback callback may be susceptible to an authorization bypass. The documentation for ServerConfig.PublicKeyCallback says that "A call to this function does not guarantee that the key offered is in fact used to authenticate." Specifically, the SSH protocol allows clients to inquire about whether a public key is acceptable before proving control of the corresponding private key. PublicKeyCallback may be called with multiple keys, and the order in which the keys were provided cannot be used to infer which key the client successfully authenticated with, if any. Some applications, which store the key(s) passed to PublicKeyCallback (or derived information) and make security relevant determinations based on it once the connection is established, may make incorrect assumptions. For example, an attacker may send public keys A and B, and then authenticate with A. PublicKeyCallback would be called only twice, first with A and then with B. A vulnerable application may then make authorization decisions based on key B for which the attacker does not actually control the private key. Since this API is widely misused, as a partial mitigation golang.org/x/[email protected] enforces the property that, when successfully authenticating via public key, the last key passed to ServerConfig.PublicKeyCallback will be the key used to authenticate the connection. PublicKeyCallback will now be called multiple times with the same key, if necessary. Note that the client may still not control the last key passed to PublicKeyCallback if the connection is then authenticated with a different method, such as PasswordCallback, KeyboardInteractiveCallback, or NoClientAuth. Users should be using the Extensions field of the Permissions return value from the various authentication callbacks to record data associated with the authentication attempt instead of referencing external state. Once the connection is established the state corresponding to the successful authentication attempt can be retrieved via the ServerConn.Permissions field. Note that some third-party libraries misuse the Permissions type by sharing it across authentication attempts; users of third-party libraries should refer to the relevant projects for guidance.

[github-actions]

Outdated

Recommended fixes for image wayofdev/php-dev:latest

Base image is php:8.1-alpine

Name	8.1.31-alpine3.21
Digest	sha256:b217029b5db5f0784a5e00c57280685a4c2f009a970e6b32bb415eba6ca5ae7c
Vulnerabilities
Pushed	5 days ago
Size	36 MB
Packages	52
Flavor	alpine
OS	3.21
Runtime	8.1.31

The base image is also available under the supported tag(s): 8.1-alpine3.21, 8.1-cli-alpine, 8.1-cli-alpine3.21, 8.1.31-alpine, 8.1.31-alpine3.21, 8.1.31-cli-alpine, 8.1.31-cli-alpine3.21

Refresh base image

Rebuild the image using a newer base image version. Updating this may result in breaking changes.

✅ This image version is up to date.

Change base image

Tag	Details	Pushed	Vulnerabilities
8.4-alpine Minor runtime version update Also known as: 8.4.1-cli-alpine 8.4.1-cli-alpine3.21 8.4-cli-alpine 8.4-cli-alpine3.21 8-cli-alpine 8-cli-alpine3.21 cli-alpine cli-alpine3.21 alpine alpine3.21 8.4.1-alpine 8.4.1-alpine3.21 8.4-alpine3.21 8-alpine 8-alpine3.21	Benefits: Same OS detected Minor runtime version update Image has similar size Image has same number of vulnerabilities Image contains equal number of packages Image details: Size: 42 MB Flavor: alpine OS: 3.21 Runtime: 8.4.1	1 week ago
8.3-alpine Minor runtime version update Also known as: 8.3.14-cli-alpine 8.3.14-cli-alpine3.21 8.3-cli-alpine 8.3-cli-alpine3.21 8.3.14-alpine 8.3.14-alpine3.21 8.3-alpine3.21	Benefits: Same OS detected Minor runtime version update Image has similar size Image has same number of vulnerabilities Image contains equal number of packages Image details: Size: 37 MB Flavor: alpine OS: 3.21 Runtime: 8.3.14	1 week ago
8.2-alpine Minor runtime version update Also known as: 8.2.26-cli-alpine 8.2.26-cli-alpine3.21 8.2-cli-alpine 8.2-cli-alpine3.21 8.2.26-alpine 8.2.26-alpine3.21 8.2-alpine3.21	Benefits: Same OS detected Minor runtime version update Image has similar size Image has same number of vulnerabilities Image contains equal number of packages 8.2-alpine was pulled 1.8K times last month Image details: Size: 36 MB Flavor: alpine OS: 3.21 Runtime: 8.2.26	1 week ago

[github-actions]

Outdated

Recommended fixes for image wayofdev/php-dev:latest

Base image is php:8.3-fpm-alpine

Name	8.3.14-fpm-alpine3.21
Digest	sha256:2195efdc39294f113863a8af61fac333817b0382b7421252fc975605260f6668
Vulnerabilities
Pushed	1 week ago
Size	33 MB
Packages	53
Flavor	alpine
OS	3.21
Runtime	8.3.14

The base image is also available under the supported tag(s): 8.3-fpm-alpine3.21, 8.3.14-fpm-alpine, 8.3.14-fpm-alpine3.21

Refresh base image

Rebuild the image using a newer base image version. Updating this may result in breaking changes.

✅ This image version is up to date.

Change base image

Tag	Details	Pushed	Vulnerabilities
8.4-fpm-alpine Image has same number of vulnerabilities Also known as: 8.4.1-fpm-alpine 8.4.1-fpm-alpine3.21 8.4-fpm-alpine3.21 8-fpm-alpine 8-fpm-alpine3.21 fpm-alpine fpm-alpine3.21	Benefits: Same OS detected Image has similar size Image has same number of vulnerabilities Image contains equal number of packages Image details: Size: 36 MB Flavor: alpine OS: 3.21	1 week ago

[github-actions]

Outdated

Recommended fixes for image wayofdev/php-dev:latest

Base image is php:8.1-fpm-alpine

Name	8.1.31-fpm-alpine3.21
Digest	sha256:fa457eee5e53a8d4aff21bd0d78a3cbcd7f98b8def81218a8f0d98dd8cbd029b
Vulnerabilities
Pushed	5 days ago
Size	32 MB
Packages	53
Flavor	alpine
OS	3.21
Runtime	8.1.31

The base image is also available under the supported tag(s): 8.1-fpm-alpine3.21, 8.1.31-fpm-alpine, 8.1.31-fpm-alpine3.21

Refresh base image

Rebuild the image using a newer base image version. Updating this may result in breaking changes.

✅ This image version is up to date.

Change base image

Tag	Details	Pushed	Vulnerabilities
8.3-fpm-alpine Minor runtime version update Also known as: 8.3.14-fpm-alpine 8.3.14-fpm-alpine3.21 8.3-fpm-alpine3.21	Benefits: Same OS detected Minor runtime version update Image has similar size Image has same number of vulnerabilities Image contains equal number of packages Image details: Size: 33 MB Flavor: alpine OS: 3.21 Runtime: 8.3.14	1 week ago
8.2-fpm-alpine Minor runtime version update Also known as: 8.2.26-fpm-alpine 8.2.26-fpm-alpine3.21 8.2-fpm-alpine3.21	Benefits: Same OS detected Minor runtime version update Image has similar size Image has same number of vulnerabilities Image contains equal number of packages 8.2-fpm-alpine was pulled 4.1K times last month Image details: Size: 32 MB Flavor: alpine OS: 3.21 Runtime: 8.2.26	1 week ago
8.4-fpm-alpine Image has same number of vulnerabilities Also known as: 8.4.1-fpm-alpine 8.4.1-fpm-alpine3.21 8.4-fpm-alpine3.21 8-fpm-alpine 8-fpm-alpine3.21 fpm-alpine fpm-alpine3.21	Benefits: Same OS detected Image has similar size Image has same number of vulnerabilities Image contains equal number of packages Image details: Size: 36 MB Flavor: alpine OS: 3.21	1 week ago

[github-actions]

Outdated

🔍 Vulnerabilities of wayofdev/php-dev:latest

📦 Image Reference wayofdev/php-dev:latest

digest	sha256:51586a2b23cde4551ffa341ff10c269c22bdae29c7a1ba90e0c64dd0ef68731a
vulnerabilities
platform	linux/amd64
size	109 MB
packages	232

📦 Base Image php:8-fpm-alpine

also known as	8-fpm-alpine3.21 8.4-fpm-alpine 8.4-fpm-alpine3.21 8.4.1-fpm-alpine 8.4.1-fpm-alpine3.21 fpm-alpine fpm-alpine3.21
digest	sha256:661709ebd2995433800a6f617072d40a0c52a4f3abfae1db4d4a3e280b3ddaea
vulnerabilities

golang.org/x/crypto 0.17.0 (golang) pkg:golang/golang.org/x/[email protected] Improper Authorization Affected range <0.31.0 Fixed version 0.31.0 CVSS Score 9.1 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N EPSS Score 0.045% EPSS Percentile 18th percentile Description Applications and libraries which misuse the ServerConfig.PublicKeyCallback callback may be susceptible to an authorization bypass. The documentation for ServerConfig.PublicKeyCallback says that "A call to this function does not guarantee that the key offered is in fact used to authenticate." Specifically, the SSH protocol allows clients to inquire about whether a public key is acceptable before proving control of the corresponding private key. PublicKeyCallback may be called with multiple keys, and the order in which the keys were provided cannot be used to infer which key the client successfully authenticated with, if any. Some applications, which store the key(s) passed to PublicKeyCallback (or derived information) and make security relevant determinations based on it once the connection is established, may make incorrect assumptions. For example, an attacker may send public keys A and B, and then authenticate with A. PublicKeyCallback would be called only twice, first with A and then with B. A vulnerable application may then make authorization decisions based on key B for which the attacker does not actually control the private key. Since this API is widely misused, as a partial mitigation golang.org/x/[email protected] enforces the property that, when successfully authenticating via public key, the last key passed to ServerConfig.PublicKeyCallback will be the key used to authenticate the connection. PublicKeyCallback will now be called multiple times with the same key, if necessary. Note that the client may still not control the last key passed to PublicKeyCallback if the connection is then authenticated with a different method, such as PasswordCallback, KeyboardInteractiveCallback, or NoClientAuth. Users should be using the Extensions field of the Permissions return value from the various authentication callbacks to record data associated with the authentication attempt instead of referencing external state. Once the connection is established the state corresponding to the successful authentication attempt can be retrieved via the ServerConn.Permissions field. Note that some third-party libraries misuse the Permissions type by sharing it across authentication attempts; users of third-party libraries should refer to the relevant projects for guidance.

[github-actions]

Outdated

Recommended fixes for image wayofdev/php-dev:latest

Base image is php:8-alpine

Name	8.4.1-alpine3.21
Digest	sha256:6338c0bc70c8a8b1699fafac1cb0cb15d71825b2b8e7b131989d6f239daa8615
Vulnerabilities
Pushed	1 week ago
Size	42 MB
Packages	52
Flavor	alpine
OS	3.21
Runtime	8.4.1

The base image is also available under the supported tag(s): 8-alpine3.21, 8-cli-alpine, 8-cli-alpine3.21, 8.4-alpine, 8.4-alpine3.21, 8.4-cli-alpine, 8.4-cli-alpine3.21, 8.4.1-alpine, 8.4.1-alpine3.21, 8.4.1-cli-alpine, 8.4.1-cli-alpine3.21, alpine, alpine3.21, cli-alpine, cli-alpine3.21

Refresh base image

Rebuild the image using a newer base image version. Updating this may result in breaking changes.

✅ This image version is up to date.

Change base image

✅ There are no tag recommendations at this time.

[github-actions]

Outdated

Recommended fixes for image wayofdev/php-dev:latest

Base image is php:8-fpm-alpine

Name	fpm-alpine3.21
Digest	sha256:661709ebd2995433800a6f617072d40a0c52a4f3abfae1db4d4a3e280b3ddaea
Vulnerabilities
Pushed	1 week ago
Size	36 MB
Packages	53
Flavor	alpine
OS	3.21

The base image is also available under the supported tag(s): 8-fpm-alpine3.21, 8.4-fpm-alpine, 8.4-fpm-alpine3.21, 8.4.1-fpm-alpine, 8.4.1-fpm-alpine3.21, fpm-alpine, fpm-alpine3.21

Refresh base image

Rebuild the image using a newer base image version. Updating this may result in breaking changes.

✅ This image version is up to date.

Change base image

Tag	Details	Pushed	Vulnerabilities
8.1-fpm-alpine Minor runtime version update Also known as: 8.1.31-fpm-alpine 8.1.31-fpm-alpine3.21 8.1-fpm-alpine3.21	Benefits: Same OS detected Minor runtime version update Image is smaller by 4.3 MB Tag was pushed more recently Image has same number of vulnerabilities Image contains equal number of packages 8.1-fpm-alpine is the fourth most popular tag with 18K pulls per month Image details: Size: 32 MB Flavor: alpine OS: 3.21 Runtime: 8.1.31	5 days ago
8.3-fpm-alpine Minor runtime version update Also known as: 8.3.14-fpm-alpine 8.3.14-fpm-alpine3.21 8.3-fpm-alpine3.21	Benefits: Same OS detected Minor runtime version update Image is smaller by 3.3 MB Image has same number of vulnerabilities Image contains equal number of packages Image details: Size: 33 MB Flavor: alpine OS: 3.21 Runtime: 8.3.14	1 week ago
8.2-fpm-alpine Minor runtime version update Also known as: 8.2.26-fpm-alpine 8.2.26-fpm-alpine3.21 8.2-fpm-alpine3.21	Benefits: Same OS detected Minor runtime version update Image is smaller by 3.9 MB Image has same number of vulnerabilities Image contains equal number of packages 8.2-fpm-alpine was pulled 4.1K times last month Image details: Size: 32 MB Flavor: alpine OS: 3.21 Runtime: 8.2.26	1 week ago

[github-actions]

🔍 Vulnerabilities of wayofdev/php-dev:latest

📦 Image Reference wayofdev/php-dev:latest

digest	sha256:4ecceb6f6de632c46665087cf4afb69a8688badcf78d7a967e55daba1c1279c2
vulnerabilities
platform	linux/amd64
size	105 MB
packages	232

📦 Base Image php:8.2-fpm-alpine

also known as	8.2-fpm-alpine3.21 8.2.26-fpm-alpine 8.2.26-fpm-alpine3.21
digest	sha256:c40255b7011a41c628d0120383a267bc9d7426eab0cc538ae0d58c935000ae20
vulnerabilities

golang.org/x/crypto 0.17.0 (golang) pkg:golang/golang.org/x/[email protected] Improper Authorization Affected range <0.31.0 Fixed version 0.31.0 CVSS Score 9.1 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N EPSS Score 0.045% EPSS Percentile 18th percentile Description Applications and libraries which misuse the ServerConfig.PublicKeyCallback callback may be susceptible to an authorization bypass. The documentation for ServerConfig.PublicKeyCallback says that "A call to this function does not guarantee that the key offered is in fact used to authenticate." Specifically, the SSH protocol allows clients to inquire about whether a public key is acceptable before proving control of the corresponding private key. PublicKeyCallback may be called with multiple keys, and the order in which the keys were provided cannot be used to infer which key the client successfully authenticated with, if any. Some applications, which store the key(s) passed to PublicKeyCallback (or derived information) and make security relevant determinations based on it once the connection is established, may make incorrect assumptions. For example, an attacker may send public keys A and B, and then authenticate with A. PublicKeyCallback would be called only twice, first with A and then with B. A vulnerable application may then make authorization decisions based on key B for which the attacker does not actually control the private key. Since this API is widely misused, as a partial mitigation golang.org/x/[email protected] enforces the property that, when successfully authenticating via public key, the last key passed to ServerConfig.PublicKeyCallback will be the key used to authenticate the connection. PublicKeyCallback will now be called multiple times with the same key, if necessary. Note that the client may still not control the last key passed to PublicKeyCallback if the connection is then authenticated with a different method, such as PasswordCallback, KeyboardInteractiveCallback, or NoClientAuth. Users should be using the Extensions field of the Permissions return value from the various authentication callbacks to record data associated with the authentication attempt instead of referencing external state. Once the connection is established the state corresponding to the successful authentication attempt can be retrieved via the ServerConn.Permissions field. Note that some third-party libraries misuse the Permissions type by sharing it across authentication attempts; users of third-party libraries should refer to the relevant projects for guidance.

[github-actions]

Recommended fixes for image wayofdev/php-dev:latest

Base image is php:8.2-fpm-alpine

Name	8.2.26-fpm-alpine3.21
Digest	sha256:c40255b7011a41c628d0120383a267bc9d7426eab0cc538ae0d58c935000ae20
Vulnerabilities
Pushed	1 week ago
Size	32 MB
Packages	53
Flavor	alpine
OS	3.21
Runtime	8.2.26

The base image is also available under the supported tag(s): 8.2-fpm-alpine3.21, 8.2.26-fpm-alpine, 8.2.26-fpm-alpine3.21

Refresh base image

Rebuild the image using a newer base image version. Updating this may result in breaking changes.

✅ This image version is up to date.

Change base image

Tag	Details	Pushed	Vulnerabilities
8.3-fpm-alpine Minor runtime version update Also known as: 8.3.14-fpm-alpine 8.3.14-fpm-alpine3.21 8.3-fpm-alpine3.21	Benefits: Same OS detected Minor runtime version update Image has similar size Image has same number of vulnerabilities Image contains equal number of packages Image details: Size: 33 MB Flavor: alpine OS: 3.21 Runtime: 8.3.14	1 week ago
8.4-fpm-alpine Image has same number of vulnerabilities Also known as: 8.4.1-fpm-alpine 8.4.1-fpm-alpine3.21 8.4-fpm-alpine3.21 8-fpm-alpine 8-fpm-alpine3.21 fpm-alpine fpm-alpine3.21	Benefits: Same OS detected Image has similar size Image has same number of vulnerabilities Image contains equal number of packages Image details: Size: 36 MB Flavor: alpine OS: 3.21	1 week ago

[lotyp]

🤖 Created releases:

• v2.8.4
  🌻