chore(master): release 2.8.7

[lotyp]

🤖 I have created a release beep boop

2.8.7 (2025-01-19)

Dependencies

• deps: update davidanson/markdownlint-cli2-action action to v19.1.0 (#82) (855e24c)

---

This PR was generated with Release Please. See documentation.

[github-actions]

Outdated

🔍 Vulnerabilities of wayofdev/php-dev:latest

📦 Image Reference wayofdev/php-dev:latest

digest	sha256:ca774ce872eaf8e37e956c5b873439993571dab9cfc49984cd3597fbc2645830
vulnerabilities
platform	linux/amd64
size	104 MB
packages	232

📦 Base Image php:54b5ff554357a1100058bcce13b21851a693ca1636d4d8dae493079075d47ba0

also known as	8.1-fpm-alpine 8.1-fpm-alpine3.21 8.1.31-fpm-alpine 8.1.31-fpm-alpine3.21
digest	sha256:845dccbc2cf56631ba4f1d800eeb7d6a797efdae00a5e1c78b898cd67db26f48
vulnerabilities

golang.org/x/crypto 0.17.0 (golang) pkg:golang/golang.org/x/[email protected] Improper Authorization Affected range <0.31.0 Fixed version 0.31.0 CVSS Score 9.1 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N EPSS Score 0.045% EPSS Percentile 18th percentile Description Applications and libraries which misuse the ServerConfig.PublicKeyCallback callback may be susceptible to an authorization bypass. The documentation for ServerConfig.PublicKeyCallback says that "A call to this function does not guarantee that the key offered is in fact used to authenticate." Specifically, the SSH protocol allows clients to inquire about whether a public key is acceptable before proving control of the corresponding private key. PublicKeyCallback may be called with multiple keys, and the order in which the keys were provided cannot be used to infer which key the client successfully authenticated with, if any. Some applications, which store the key(s) passed to PublicKeyCallback (or derived information) and make security relevant determinations based on it once the connection is established, may make incorrect assumptions. For example, an attacker may send public keys A and B, and then authenticate with A. PublicKeyCallback would be called only twice, first with A and then with B. A vulnerable application may then make authorization decisions based on key B for which the attacker does not actually control the private key. Since this API is widely misused, as a partial mitigation golang.org/x/[email protected] enforces the property that, when successfully authenticating via public key, the last key passed to ServerConfig.PublicKeyCallback will be the key used to authenticate the connection. PublicKeyCallback will now be called multiple times with the same key, if necessary. Note that the client may still not control the last key passed to PublicKeyCallback if the connection is then authenticated with a different method, such as PasswordCallback, KeyboardInteractiveCallback, or NoClientAuth. Users should be using the Extensions field of the Permissions return value from the various authentication callbacks to record data associated with the authentication attempt instead of referencing external state. Once the connection is established the state corresponding to the successful authentication attempt can be retrieved via the ServerConn.Permissions field. Note that some third-party libraries misuse the Permissions type by sharing it across authentication attempts; users of third-party libraries should refer to the relevant projects for guidance.

golang.org/x/net 0.18.0 (golang) pkg:golang/golang.org/x/[email protected] Allocation of Resources Without Limits or Throttling Affected range <0.33.0 Fixed version 0.33.0 CVSS Score 8.7 CVSS Vector CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N EPSS Score 0.045% EPSS Percentile 18th percentile Description An attacker can craft an input to the Parse functions that would be processed non-linearly with respect to its length, resulting in extremely slow parsing. This could cause a denial of service.

[github-actions]

Outdated

🔍 Vulnerabilities of wayofdev/php-dev:latest

📦 Image Reference wayofdev/php-dev:latest

digest	sha256:6fed6af84777566c52560c1219d78cf993ec985f224e3447274c814a96aac5bd
vulnerabilities
platform	linux/amd64
size	108 MB
packages	231

📦 Base Image php:2b53de2fdc87e38f450a4c42f995704c4bc3bc789f010d1a69a860538f12fe60

also known as	8.1-alpine 8.1-alpine3.21 8.1-cli-alpine 8.1-cli-alpine3.21 8.1.31-alpine 8.1.31-alpine3.21 8.1.31-cli-alpine 8.1.31-cli-alpine3.21
digest	sha256:8ed48e85630b00d7dde300f7c205e502495d8a117a254924bf07f4dcac3df52f
vulnerabilities

golang.org/x/crypto 0.17.0 (golang) pkg:golang/golang.org/x/[email protected] Improper Authorization Affected range <0.31.0 Fixed version 0.31.0 CVSS Score 9.1 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N EPSS Score 0.045% EPSS Percentile 18th percentile Description Applications and libraries which misuse the ServerConfig.PublicKeyCallback callback may be susceptible to an authorization bypass. The documentation for ServerConfig.PublicKeyCallback says that "A call to this function does not guarantee that the key offered is in fact used to authenticate." Specifically, the SSH protocol allows clients to inquire about whether a public key is acceptable before proving control of the corresponding private key. PublicKeyCallback may be called with multiple keys, and the order in which the keys were provided cannot be used to infer which key the client successfully authenticated with, if any. Some applications, which store the key(s) passed to PublicKeyCallback (or derived information) and make security relevant determinations based on it once the connection is established, may make incorrect assumptions. For example, an attacker may send public keys A and B, and then authenticate with A. PublicKeyCallback would be called only twice, first with A and then with B. A vulnerable application may then make authorization decisions based on key B for which the attacker does not actually control the private key. Since this API is widely misused, as a partial mitigation golang.org/x/[email protected] enforces the property that, when successfully authenticating via public key, the last key passed to ServerConfig.PublicKeyCallback will be the key used to authenticate the connection. PublicKeyCallback will now be called multiple times with the same key, if necessary. Note that the client may still not control the last key passed to PublicKeyCallback if the connection is then authenticated with a different method, such as PasswordCallback, KeyboardInteractiveCallback, or NoClientAuth. Users should be using the Extensions field of the Permissions return value from the various authentication callbacks to record data associated with the authentication attempt instead of referencing external state. Once the connection is established the state corresponding to the successful authentication attempt can be retrieved via the ServerConn.Permissions field. Note that some third-party libraries misuse the Permissions type by sharing it across authentication attempts; users of third-party libraries should refer to the relevant projects for guidance.

golang.org/x/net 0.18.0 (golang) pkg:golang/golang.org/x/[email protected] Allocation of Resources Without Limits or Throttling Affected range <0.33.0 Fixed version 0.33.0 CVSS Score 8.7 CVSS Vector CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N EPSS Score 0.045% EPSS Percentile 18th percentile Description An attacker can craft an input to the Parse functions that would be processed non-linearly with respect to its length, resulting in extremely slow parsing. This could cause a denial of service.

[github-actions]

Outdated

Recommended fixes for image wayofdev/php-dev:latest

Base image is php:8.1-fpm-alpine

Name	8.1.31-fpm-alpine3.21
Digest	sha256:845dccbc2cf56631ba4f1d800eeb7d6a797efdae00a5e1c78b898cd67db26f48
Vulnerabilities
Pushed	1 month ago
Size	32 MB
Packages	53
Flavor	alpine
OS	3.21
Runtime	8.1.31

The base image is also available under the supported tag(s): 8.1-fpm-alpine3.21, 8.1.31-fpm-alpine, 8.1.31-fpm-alpine3.21

Refresh base image

Rebuild the image using a newer base image version. Updating this may result in breaking changes.

✅ This image version is up to date.

Change base image

Tag	Details	Pushed	Vulnerabilities
8.3-fpm-alpine Minor runtime version update Also known as: 8.3.16-fpm-alpine 8.3.16-fpm-alpine3.21 8.3-fpm-alpine3.21	Benefits: Same OS detected Minor runtime version update Tag was pushed more recently Image has similar size Image has same number of vulnerabilities Image contains equal number of packages Image details: Size: 33 MB Flavor: alpine OS: 3.21 Runtime: 8.3.16	2 days ago
8.2-fpm-alpine Minor runtime version update Also known as: 8.2.27-fpm-alpine 8.2.27-fpm-alpine3.21 8.2-fpm-alpine3.21	Benefits: Same OS detected Minor runtime version update Tag was pushed more recently Image has similar size Image has same number of vulnerabilities Image contains equal number of packages 8.2-fpm-alpine was pulled 4.1K times last month Image details: Size: 32 MB Flavor: alpine OS: 3.21 Runtime: 8.2.27	1 month ago
8.4-fpm-alpine Image has same number of vulnerabilities Also known as: 8.4.3-fpm-alpine 8.4.3-fpm-alpine3.21 8.4-fpm-alpine3.21 8-fpm-alpine 8-fpm-alpine3.21 fpm-alpine fpm-alpine3.21	Benefits: Same OS detected Tag was pushed more recently Image has similar size Image has same number of vulnerabilities Image contains equal number of packages Image details: Size: 36 MB Flavor: alpine OS: 3.21	2 days ago

[github-actions]

Outdated

🔍 Vulnerabilities of wayofdev/php-dev:latest

📦 Image Reference wayofdev/php-dev:latest

digest	sha256:411b3c009c746495a3e4aa6437f86b5b2419ec822ae93f2053263e858d69d976
vulnerabilities
platform	linux/amd64
size	104 MB
packages	232

📦 Base Image php:8.2-fpm-alpine

also known as	8.2-fpm-alpine3.21 8.2.27-fpm-alpine 8.2.27-fpm-alpine3.21 c109802edd0ed0eeccdfdd58c646e375847bbccbef7110a2cb4638e74af20c59
digest	sha256:76f65a70210d2d9ff8f8e61305049bf0973d00a91a96f9440c8b5b47ee2e93f5
vulnerabilities

golang.org/x/crypto 0.17.0 (golang) pkg:golang/golang.org/x/[email protected] Improper Authorization Affected range <0.31.0 Fixed version 0.31.0 CVSS Score 9.1 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N EPSS Score 0.045% EPSS Percentile 18th percentile Description Applications and libraries which misuse the ServerConfig.PublicKeyCallback callback may be susceptible to an authorization bypass. The documentation for ServerConfig.PublicKeyCallback says that "A call to this function does not guarantee that the key offered is in fact used to authenticate." Specifically, the SSH protocol allows clients to inquire about whether a public key is acceptable before proving control of the corresponding private key. PublicKeyCallback may be called with multiple keys, and the order in which the keys were provided cannot be used to infer which key the client successfully authenticated with, if any. Some applications, which store the key(s) passed to PublicKeyCallback (or derived information) and make security relevant determinations based on it once the connection is established, may make incorrect assumptions. For example, an attacker may send public keys A and B, and then authenticate with A. PublicKeyCallback would be called only twice, first with A and then with B. A vulnerable application may then make authorization decisions based on key B for which the attacker does not actually control the private key. Since this API is widely misused, as a partial mitigation golang.org/x/[email protected] enforces the property that, when successfully authenticating via public key, the last key passed to ServerConfig.PublicKeyCallback will be the key used to authenticate the connection. PublicKeyCallback will now be called multiple times with the same key, if necessary. Note that the client may still not control the last key passed to PublicKeyCallback if the connection is then authenticated with a different method, such as PasswordCallback, KeyboardInteractiveCallback, or NoClientAuth. Users should be using the Extensions field of the Permissions return value from the various authentication callbacks to record data associated with the authentication attempt instead of referencing external state. Once the connection is established the state corresponding to the successful authentication attempt can be retrieved via the ServerConn.Permissions field. Note that some third-party libraries misuse the Permissions type by sharing it across authentication attempts; users of third-party libraries should refer to the relevant projects for guidance.

golang.org/x/net 0.18.0 (golang) pkg:golang/golang.org/x/[email protected] Allocation of Resources Without Limits or Throttling Affected range <0.33.0 Fixed version 0.33.0 CVSS Score 8.7 CVSS Vector CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N EPSS Score 0.045% EPSS Percentile 18th percentile Description An attacker can craft an input to the Parse functions that would be processed non-linearly with respect to its length, resulting in extremely slow parsing. This could cause a denial of service.

[github-actions]

Outdated

Recommended fixes for image wayofdev/php-dev:latest

Base image is php:8.1-alpine

Name	8.1.31-alpine3.21
Digest	sha256:8ed48e85630b00d7dde300f7c205e502495d8a117a254924bf07f4dcac3df52f
Vulnerabilities
Pushed	1 month ago
Size	36 MB
Packages	52
Flavor	alpine
OS	3.21
Runtime	8.1.31

The base image is also available under the supported tag(s): 8.1-alpine3.21, 8.1-cli-alpine, 8.1-cli-alpine3.21, 8.1.31-alpine, 8.1.31-alpine3.21, 8.1.31-cli-alpine, 8.1.31-cli-alpine3.21

Refresh base image

Rebuild the image using a newer base image version. Updating this may result in breaking changes.

✅ This image version is up to date.

Change base image

Tag	Details	Pushed	Vulnerabilities
8.4-alpine Minor runtime version update Also known as: 8.4.3-cli-alpine 8.4.3-cli-alpine3.21 8.4-cli-alpine 8.4-cli-alpine3.21 8-cli-alpine 8-cli-alpine3.21 cli-alpine cli-alpine3.21 alpine alpine3.21 8.4.3-alpine 8.4.3-alpine3.21 8.4-alpine3.21 8-alpine 8-alpine3.21	Benefits: Same OS detected Minor runtime version update Tag was pushed more recently Image has similar size Image has same number of vulnerabilities Image contains equal number of packages Image details: Size: 42 MB Flavor: alpine OS: 3.21 Runtime: 8.4.3	2 days ago
8.3-alpine Minor runtime version update Also known as: 8.3.16-cli-alpine 8.3.16-cli-alpine3.21 8.3-cli-alpine 8.3-cli-alpine3.21 8.3.16-alpine 8.3.16-alpine3.21 8.3-alpine3.21	Benefits: Same OS detected Minor runtime version update Tag was pushed more recently Image has similar size Image has same number of vulnerabilities Image contains equal number of packages Image details: Size: 37 MB Flavor: alpine OS: 3.21 Runtime: 8.3.16	2 days ago
8.2-alpine Minor runtime version update Also known as: 8.2.27-cli-alpine 8.2.27-cli-alpine3.21 8.2-cli-alpine 8.2-cli-alpine3.21 8.2.27-alpine 8.2.27-alpine3.21 8.2-alpine3.21	Benefits: Same OS detected Minor runtime version update Tag was pushed more recently Image has similar size Image has same number of vulnerabilities Image contains equal number of packages 8.2-alpine was pulled 1.8K times last month Image details: Size: 36 MB Flavor: alpine OS: 3.21 Runtime: 8.2.27	1 month ago

[github-actions]

Outdated

Recommended fixes for image wayofdev/php-dev:latest

Base image is php:8.2-fpm-alpine

Name	8.2.27-fpm-alpine3.21
Digest	sha256:76f65a70210d2d9ff8f8e61305049bf0973d00a91a96f9440c8b5b47ee2e93f5
Vulnerabilities
Pushed	1 month ago
Size	32 MB
Packages	53
Flavor	alpine
OS	3.21
Runtime	8.2.27

The base image is also available under the supported tag(s): 8.2-fpm-alpine3.21, 8.2.27-fpm-alpine, 8.2.27-fpm-alpine3.21

Refresh base image

Rebuild the image using a newer base image version. Updating this may result in breaking changes.

✅ This image version is up to date.

Change base image

Tag	Details	Pushed	Vulnerabilities
8.3-fpm-alpine Minor runtime version update Also known as: 8.3.16-fpm-alpine 8.3.16-fpm-alpine3.21 8.3-fpm-alpine3.21	Benefits: Same OS detected Minor runtime version update Tag was pushed more recently Image has similar size Image has same number of vulnerabilities Image contains equal number of packages Image details: Size: 33 MB Flavor: alpine OS: 3.21 Runtime: 8.3.16	2 days ago
8.4-fpm-alpine Image has same number of vulnerabilities Also known as: 8.4.3-fpm-alpine 8.4.3-fpm-alpine3.21 8.4-fpm-alpine3.21 8-fpm-alpine 8-fpm-alpine3.21 fpm-alpine fpm-alpine3.21	Benefits: Same OS detected Tag was pushed more recently Image has similar size Image has same number of vulnerabilities Image contains equal number of packages Image details: Size: 36 MB Flavor: alpine OS: 3.21	2 days ago

[github-actions]

Outdated

🔍 Vulnerabilities of wayofdev/php-dev:latest

📦 Image Reference wayofdev/php-dev:latest

digest	sha256:d3c58e6453643f69def51ff9081e7330a490077ccf0566c46b636928371fc3a0
vulnerabilities
platform	linux/amd64
size	110 MB
packages	231

📦 Base Image php:8.3-alpine

also known as	8.3-alpine3.21 8.3-cli-alpine 8.3-cli-alpine3.21 8.3.16-alpine 8.3.16-alpine3.21 8.3.16-cli-alpine 8.3.16-cli-alpine3.21
digest	sha256:1fe9d473ff87ce87bccb628ec41849a8131ee042b5634555dde842a93d13e41c
vulnerabilities

golang.org/x/crypto 0.17.0 (golang) pkg:golang/golang.org/x/[email protected] Improper Authorization Affected range <0.31.0 Fixed version 0.31.0 CVSS Score 9.1 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N EPSS Score 0.045% EPSS Percentile 18th percentile Description Applications and libraries which misuse the ServerConfig.PublicKeyCallback callback may be susceptible to an authorization bypass. The documentation for ServerConfig.PublicKeyCallback says that "A call to this function does not guarantee that the key offered is in fact used to authenticate." Specifically, the SSH protocol allows clients to inquire about whether a public key is acceptable before proving control of the corresponding private key. PublicKeyCallback may be called with multiple keys, and the order in which the keys were provided cannot be used to infer which key the client successfully authenticated with, if any. Some applications, which store the key(s) passed to PublicKeyCallback (or derived information) and make security relevant determinations based on it once the connection is established, may make incorrect assumptions. For example, an attacker may send public keys A and B, and then authenticate with A. PublicKeyCallback would be called only twice, first with A and then with B. A vulnerable application may then make authorization decisions based on key B for which the attacker does not actually control the private key. Since this API is widely misused, as a partial mitigation golang.org/x/[email protected] enforces the property that, when successfully authenticating via public key, the last key passed to ServerConfig.PublicKeyCallback will be the key used to authenticate the connection. PublicKeyCallback will now be called multiple times with the same key, if necessary. Note that the client may still not control the last key passed to PublicKeyCallback if the connection is then authenticated with a different method, such as PasswordCallback, KeyboardInteractiveCallback, or NoClientAuth. Users should be using the Extensions field of the Permissions return value from the various authentication callbacks to record data associated with the authentication attempt instead of referencing external state. Once the connection is established the state corresponding to the successful authentication attempt can be retrieved via the ServerConn.Permissions field. Note that some third-party libraries misuse the Permissions type by sharing it across authentication attempts; users of third-party libraries should refer to the relevant projects for guidance.

golang.org/x/net 0.18.0 (golang) pkg:golang/golang.org/x/[email protected] Allocation of Resources Without Limits or Throttling Affected range <0.33.0 Fixed version 0.33.0 CVSS Score 8.7 CVSS Vector CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N EPSS Score 0.045% EPSS Percentile 18th percentile Description An attacker can craft an input to the Parse functions that would be processed non-linearly with respect to its length, resulting in extremely slow parsing. This could cause a denial of service.

[github-actions]

Outdated

Recommended fixes for image wayofdev/php-dev:latest

Base image is php:8.3-alpine

Name	8.3.16-alpine3.21
Digest	sha256:1fe9d473ff87ce87bccb628ec41849a8131ee042b5634555dde842a93d13e41c
Vulnerabilities
Pushed	2 days ago
Size	37 MB
Packages	52
Flavor	alpine
OS	3.21
Runtime	8.3.16

The base image is also available under the supported tag(s): 8.3-alpine3.21, 8.3-cli-alpine, 8.3-cli-alpine3.21, 8.3.16-alpine, 8.3.16-alpine3.21, 8.3.16-cli-alpine, 8.3.16-cli-alpine3.21

Refresh base image

Rebuild the image using a newer base image version. Updating this may result in breaking changes.

✅ This image version is up to date.

Change base image

Tag	Details	Pushed	Vulnerabilities
8.4-alpine Minor runtime version update Also known as: 8.4.3-cli-alpine 8.4.3-cli-alpine3.21 8.4-cli-alpine 8.4-cli-alpine3.21 8-cli-alpine 8-cli-alpine3.21 cli-alpine cli-alpine3.21 alpine alpine3.21 8.4.3-alpine 8.4.3-alpine3.21 8.4-alpine3.21 8-alpine 8-alpine3.21	Benefits: Same OS detected Minor runtime version update Tag was pushed more recently Image has similar size Image has same number of vulnerabilities Image contains equal number of packages Image details: Size: 42 MB Flavor: alpine OS: 3.21 Runtime: 8.4.3	2 days ago

[github-actions]

Outdated

🔍 Vulnerabilities of wayofdev/php-dev:latest

📦 Image Reference wayofdev/php-dev:latest

digest	sha256:7e6946a3a588f0b197009d3be8c54982813c2c053d7664cf66fd6e976857f62e
vulnerabilities
platform	linux/amd64
size	126 MB
packages	249

📦 Base Image php:2b53de2fdc87e38f450a4c42f995704c4bc3bc789f010d1a69a860538f12fe60

also known as	8.1-alpine 8.1-alpine3.21 8.1-cli-alpine 8.1-cli-alpine3.21 8.1.31-alpine 8.1.31-alpine3.21 8.1.31-cli-alpine 8.1.31-cli-alpine3.21
digest	sha256:8ed48e85630b00d7dde300f7c205e502495d8a117a254924bf07f4dcac3df52f
vulnerabilities

golang.org/x/crypto 0.17.0 (golang) pkg:golang/golang.org/x/[email protected] Improper Authorization Affected range <0.31.0 Fixed version 0.31.0 CVSS Score 9.1 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N EPSS Score 0.045% EPSS Percentile 18th percentile Description Applications and libraries which misuse the ServerConfig.PublicKeyCallback callback may be susceptible to an authorization bypass. The documentation for ServerConfig.PublicKeyCallback says that "A call to this function does not guarantee that the key offered is in fact used to authenticate." Specifically, the SSH protocol allows clients to inquire about whether a public key is acceptable before proving control of the corresponding private key. PublicKeyCallback may be called with multiple keys, and the order in which the keys were provided cannot be used to infer which key the client successfully authenticated with, if any. Some applications, which store the key(s) passed to PublicKeyCallback (or derived information) and make security relevant determinations based on it once the connection is established, may make incorrect assumptions. For example, an attacker may send public keys A and B, and then authenticate with A. PublicKeyCallback would be called only twice, first with A and then with B. A vulnerable application may then make authorization decisions based on key B for which the attacker does not actually control the private key. Since this API is widely misused, as a partial mitigation golang.org/x/[email protected] enforces the property that, when successfully authenticating via public key, the last key passed to ServerConfig.PublicKeyCallback will be the key used to authenticate the connection. PublicKeyCallback will now be called multiple times with the same key, if necessary. Note that the client may still not control the last key passed to PublicKeyCallback if the connection is then authenticated with a different method, such as PasswordCallback, KeyboardInteractiveCallback, or NoClientAuth. Users should be using the Extensions field of the Permissions return value from the various authentication callbacks to record data associated with the authentication attempt instead of referencing external state. Once the connection is established the state corresponding to the successful authentication attempt can be retrieved via the ServerConn.Permissions field. Note that some third-party libraries misuse the Permissions type by sharing it across authentication attempts; users of third-party libraries should refer to the relevant projects for guidance.

golang.org/x/net 0.18.0 (golang) pkg:golang/golang.org/x/[email protected] Allocation of Resources Without Limits or Throttling Affected range <0.33.0 Fixed version 0.33.0 CVSS Score 8.7 CVSS Vector CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N EPSS Score 0.045% EPSS Percentile 18th percentile Description An attacker can craft an input to the Parse functions that would be processed non-linearly with respect to its length, resulting in extremely slow parsing. This could cause a denial of service.

[github-actions]

Outdated

🔍 Vulnerabilities of wayofdev/php-dev:latest

📦 Image Reference wayofdev/php-dev:latest

digest	sha256:1e6699c0fcc522d15b456cdeaf287580d4846366fd70c383245c8b9482721d2b
vulnerabilities
platform	linux/amd64
size	115 MB
packages	231

📦 Base Image php:8-alpine

also known as	8-alpine3.21 8-cli-alpine 8-cli-alpine3.21 8.4-alpine 8.4-alpine3.21 8.4-cli-alpine 8.4-cli-alpine3.21 8.4.3-alpine 8.4.3-alpine3.21 8.4.3-cli-alpine 8.4.3-cli-alpine3.21 81e0beb4d1c873f343c6e1e7d6b85b43904695c5ac664030171c1769358c63f8 alpine alpine3.21 cli-alpine cli-alpine3.21
digest	sha256:170320e6538870c70b6e2c59e0e166e2dbd0c4dda143bdb87a9b145f7c0e57cd
vulnerabilities

golang.org/x/crypto 0.17.0 (golang) pkg:golang/golang.org/x/[email protected] Improper Authorization Affected range <0.31.0 Fixed version 0.31.0 CVSS Score 9.1 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N EPSS Score 0.045% EPSS Percentile 18th percentile Description Applications and libraries which misuse the ServerConfig.PublicKeyCallback callback may be susceptible to an authorization bypass. The documentation for ServerConfig.PublicKeyCallback says that "A call to this function does not guarantee that the key offered is in fact used to authenticate." Specifically, the SSH protocol allows clients to inquire about whether a public key is acceptable before proving control of the corresponding private key. PublicKeyCallback may be called with multiple keys, and the order in which the keys were provided cannot be used to infer which key the client successfully authenticated with, if any. Some applications, which store the key(s) passed to PublicKeyCallback (or derived information) and make security relevant determinations based on it once the connection is established, may make incorrect assumptions. For example, an attacker may send public keys A and B, and then authenticate with A. PublicKeyCallback would be called only twice, first with A and then with B. A vulnerable application may then make authorization decisions based on key B for which the attacker does not actually control the private key. Since this API is widely misused, as a partial mitigation golang.org/x/[email protected] enforces the property that, when successfully authenticating via public key, the last key passed to ServerConfig.PublicKeyCallback will be the key used to authenticate the connection. PublicKeyCallback will now be called multiple times with the same key, if necessary. Note that the client may still not control the last key passed to PublicKeyCallback if the connection is then authenticated with a different method, such as PasswordCallback, KeyboardInteractiveCallback, or NoClientAuth. Users should be using the Extensions field of the Permissions return value from the various authentication callbacks to record data associated with the authentication attempt instead of referencing external state. Once the connection is established the state corresponding to the successful authentication attempt can be retrieved via the ServerConn.Permissions field. Note that some third-party libraries misuse the Permissions type by sharing it across authentication attempts; users of third-party libraries should refer to the relevant projects for guidance.

golang.org/x/net 0.18.0 (golang) pkg:golang/golang.org/x/[email protected] Allocation of Resources Without Limits or Throttling Affected range <0.33.0 Fixed version 0.33.0 CVSS Score 8.7 CVSS Vector CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N EPSS Score 0.045% EPSS Percentile 18th percentile Description An attacker can craft an input to the Parse functions that would be processed non-linearly with respect to its length, resulting in extremely slow parsing. This could cause a denial of service.

[github-actions]

Outdated

🔍 Vulnerabilities of wayofdev/php-dev:latest

📦 Image Reference wayofdev/php-dev:latest

digest	sha256:845e2f0a3dbf1c2a8774d02d829bd78fadf9ec026f9a6148863d6381e555ceeb
vulnerabilities
platform	linux/amd64
size	127 MB
packages	249

📦 Base Image php:0f3e69aa84dedd26dfa550ca4d5dad530b2dd71fe8529ba45d7ce8585587f42e

also known as	8.2-alpine 8.2-alpine3.21 8.2-cli-alpine 8.2-cli-alpine3.21 8.2.27-alpine 8.2.27-alpine3.21 8.2.27-cli-alpine 8.2.27-cli-alpine3.21
digest	sha256:39bf59caddad3b212fdd32aff3462885ccdc18e754a9e392e543b4a35effec7c
vulnerabilities

golang.org/x/crypto 0.17.0 (golang) pkg:golang/golang.org/x/[email protected] Improper Authorization Affected range <0.31.0 Fixed version 0.31.0 CVSS Score 9.1 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N EPSS Score 0.045% EPSS Percentile 18th percentile Description Applications and libraries which misuse the ServerConfig.PublicKeyCallback callback may be susceptible to an authorization bypass. The documentation for ServerConfig.PublicKeyCallback says that "A call to this function does not guarantee that the key offered is in fact used to authenticate." Specifically, the SSH protocol allows clients to inquire about whether a public key is acceptable before proving control of the corresponding private key. PublicKeyCallback may be called with multiple keys, and the order in which the keys were provided cannot be used to infer which key the client successfully authenticated with, if any. Some applications, which store the key(s) passed to PublicKeyCallback (or derived information) and make security relevant determinations based on it once the connection is established, may make incorrect assumptions. For example, an attacker may send public keys A and B, and then authenticate with A. PublicKeyCallback would be called only twice, first with A and then with B. A vulnerable application may then make authorization decisions based on key B for which the attacker does not actually control the private key. Since this API is widely misused, as a partial mitigation golang.org/x/[email protected] enforces the property that, when successfully authenticating via public key, the last key passed to ServerConfig.PublicKeyCallback will be the key used to authenticate the connection. PublicKeyCallback will now be called multiple times with the same key, if necessary. Note that the client may still not control the last key passed to PublicKeyCallback if the connection is then authenticated with a different method, such as PasswordCallback, KeyboardInteractiveCallback, or NoClientAuth. Users should be using the Extensions field of the Permissions return value from the various authentication callbacks to record data associated with the authentication attempt instead of referencing external state. Once the connection is established the state corresponding to the successful authentication attempt can be retrieved via the ServerConn.Permissions field. Note that some third-party libraries misuse the Permissions type by sharing it across authentication attempts; users of third-party libraries should refer to the relevant projects for guidance.

golang.org/x/net 0.18.0 (golang) pkg:golang/golang.org/x/[email protected] Allocation of Resources Without Limits or Throttling Affected range <0.33.0 Fixed version 0.33.0 CVSS Score 8.7 CVSS Vector CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N EPSS Score 0.045% EPSS Percentile 18th percentile Description An attacker can craft an input to the Parse functions that would be processed non-linearly with respect to its length, resulting in extremely slow parsing. This could cause a denial of service.

[github-actions]

Outdated

Recommended fixes for image wayofdev/php-dev:latest

Base image is php:8-alpine

Name	8.4.3-alpine3.21
Digest	sha256:170320e6538870c70b6e2c59e0e166e2dbd0c4dda143bdb87a9b145f7c0e57cd
Vulnerabilities
Pushed	2 days ago
Size	42 MB
Packages	52
Flavor	alpine
OS	3.21
Runtime	8.4.3

The base image is also available under the supported tag(s): 8-alpine3.21, 8-cli-alpine, 8-cli-alpine3.21, 8.4-alpine, 8.4-alpine3.21, 8.4-cli-alpine, 8.4-cli-alpine3.21, 8.4.3-alpine, 8.4.3-alpine3.21, 8.4.3-cli-alpine, 8.4.3-cli-alpine3.21, alpine, alpine3.21, cli-alpine, cli-alpine3.21

Refresh base image

Rebuild the image using a newer base image version. Updating this may result in breaking changes.

✅ This image version is up to date.

Change base image

✅ There are no tag recommendations at this time.

[github-actions]

Outdated

Recommended fixes for image wayofdev/php-dev:latest

Base image is php:8.1-alpine

Name	8.1.31-alpine3.21
Digest	sha256:8ed48e85630b00d7dde300f7c205e502495d8a117a254924bf07f4dcac3df52f
Vulnerabilities
Pushed	1 month ago
Size	36 MB
Packages	52
Flavor	alpine
OS	3.21
Runtime	8.1.31

The base image is also available under the supported tag(s): 8.1-alpine3.21, 8.1-cli-alpine, 8.1-cli-alpine3.21, 8.1.31-alpine, 8.1.31-alpine3.21, 8.1.31-cli-alpine, 8.1.31-cli-alpine3.21

Refresh base image

Rebuild the image using a newer base image version. Updating this may result in breaking changes.

✅ This image version is up to date.

Change base image

Tag	Details	Pushed	Vulnerabilities
8.4-alpine Minor runtime version update Also known as: 8.4.3-cli-alpine 8.4.3-cli-alpine3.21 8.4-cli-alpine 8.4-cli-alpine3.21 8-cli-alpine 8-cli-alpine3.21 cli-alpine cli-alpine3.21 alpine alpine3.21 8.4.3-alpine 8.4.3-alpine3.21 8.4-alpine3.21 8-alpine 8-alpine3.21	Benefits: Same OS detected Minor runtime version update Tag was pushed more recently Image has similar size Image has same number of vulnerabilities Image contains equal number of packages Image details: Size: 42 MB Flavor: alpine OS: 3.21 Runtime: 8.4.3	2 days ago
8.3-alpine Minor runtime version update Also known as: 8.3.16-cli-alpine 8.3.16-cli-alpine3.21 8.3-cli-alpine 8.3-cli-alpine3.21 8.3.16-alpine 8.3.16-alpine3.21 8.3-alpine3.21	Benefits: Same OS detected Minor runtime version update Tag was pushed more recently Image has similar size Image has same number of vulnerabilities Image contains equal number of packages Image details: Size: 37 MB Flavor: alpine OS: 3.21 Runtime: 8.3.16	2 days ago
8.2-alpine Minor runtime version update Also known as: 8.2.27-cli-alpine 8.2.27-cli-alpine3.21 8.2-cli-alpine 8.2-cli-alpine3.21 8.2.27-alpine 8.2.27-alpine3.21 8.2-alpine3.21	Benefits: Same OS detected Minor runtime version update Tag was pushed more recently Image has similar size Image has same number of vulnerabilities Image contains equal number of packages 8.2-alpine was pulled 1.8K times last month Image details: Size: 36 MB Flavor: alpine OS: 3.21 Runtime: 8.2.27	1 month ago

[github-actions]

Outdated

🔍 Vulnerabilities of wayofdev/php-dev:latest

📦 Image Reference wayofdev/php-dev:latest

digest	sha256:f759ef0520844c128d0fe7cc494f4ada77dd004e07a546aefc29f31e89256641
vulnerabilities
platform	linux/amd64
size	106 MB
packages	232

📦 Base Image php:8.3-fpm-alpine

also known as	8.3-fpm-alpine3.21 8.3.16-fpm-alpine 8.3.16-fpm-alpine3.21
digest	sha256:0b84bd208921ecbda2ce7d2dbd577915963534d10625dd009a715423ea636004
vulnerabilities

golang.org/x/crypto 0.17.0 (golang) pkg:golang/golang.org/x/[email protected] Improper Authorization Affected range <0.31.0 Fixed version 0.31.0 CVSS Score 9.1 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N EPSS Score 0.045% EPSS Percentile 18th percentile Description Applications and libraries which misuse the ServerConfig.PublicKeyCallback callback may be susceptible to an authorization bypass. The documentation for ServerConfig.PublicKeyCallback says that "A call to this function does not guarantee that the key offered is in fact used to authenticate." Specifically, the SSH protocol allows clients to inquire about whether a public key is acceptable before proving control of the corresponding private key. PublicKeyCallback may be called with multiple keys, and the order in which the keys were provided cannot be used to infer which key the client successfully authenticated with, if any. Some applications, which store the key(s) passed to PublicKeyCallback (or derived information) and make security relevant determinations based on it once the connection is established, may make incorrect assumptions. For example, an attacker may send public keys A and B, and then authenticate with A. PublicKeyCallback would be called only twice, first with A and then with B. A vulnerable application may then make authorization decisions based on key B for which the attacker does not actually control the private key. Since this API is widely misused, as a partial mitigation golang.org/x/[email protected] enforces the property that, when successfully authenticating via public key, the last key passed to ServerConfig.PublicKeyCallback will be the key used to authenticate the connection. PublicKeyCallback will now be called multiple times with the same key, if necessary. Note that the client may still not control the last key passed to PublicKeyCallback if the connection is then authenticated with a different method, such as PasswordCallback, KeyboardInteractiveCallback, or NoClientAuth. Users should be using the Extensions field of the Permissions return value from the various authentication callbacks to record data associated with the authentication attempt instead of referencing external state. Once the connection is established the state corresponding to the successful authentication attempt can be retrieved via the ServerConn.Permissions field. Note that some third-party libraries misuse the Permissions type by sharing it across authentication attempts; users of third-party libraries should refer to the relevant projects for guidance.

golang.org/x/net 0.18.0 (golang) pkg:golang/golang.org/x/[email protected] Allocation of Resources Without Limits or Throttling Affected range <0.33.0 Fixed version 0.33.0 CVSS Score 8.7 CVSS Vector CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N EPSS Score 0.045% EPSS Percentile 18th percentile Description An attacker can craft an input to the Parse functions that would be processed non-linearly with respect to its length, resulting in extremely slow parsing. This could cause a denial of service.

[github-actions]

Outdated

Recommended fixes for image wayofdev/php-dev:latest

Base image is php:8.2-alpine

Name	8.2.27-alpine3.21
Digest	sha256:39bf59caddad3b212fdd32aff3462885ccdc18e754a9e392e543b4a35effec7c
Vulnerabilities
Pushed	1 month ago
Size	36 MB
Packages	52
Flavor	alpine
OS	3.21
Runtime	8.2.27

The base image is also available under the supported tag(s): 8.2-alpine3.21, 8.2-cli-alpine, 8.2-cli-alpine3.21, 8.2.27-alpine, 8.2.27-alpine3.21, 8.2.27-cli-alpine, 8.2.27-cli-alpine3.21

Refresh base image

Rebuild the image using a newer base image version. Updating this may result in breaking changes.

✅ This image version is up to date.

Change base image

Tag	Details	Pushed	Vulnerabilities
8.4-alpine Minor runtime version update Also known as: 8.4.3-cli-alpine 8.4.3-cli-alpine3.21 8.4-cli-alpine 8.4-cli-alpine3.21 8-cli-alpine 8-cli-alpine3.21 cli-alpine cli-alpine3.21 alpine alpine3.21 8.4.3-alpine 8.4.3-alpine3.21 8.4-alpine3.21 8-alpine 8-alpine3.21	Benefits: Same OS detected Minor runtime version update Tag was pushed more recently Image has similar size Image has same number of vulnerabilities Image contains equal number of packages Image details: Size: 42 MB Flavor: alpine OS: 3.21 Runtime: 8.4.3	2 days ago
8.3-alpine Minor runtime version update Also known as: 8.3.16-cli-alpine 8.3.16-cli-alpine3.21 8.3-cli-alpine 8.3-cli-alpine3.21 8.3.16-alpine 8.3.16-alpine3.21 8.3-alpine3.21	Benefits: Same OS detected Minor runtime version update Tag was pushed more recently Image has similar size Image has same number of vulnerabilities Image contains equal number of packages Image details: Size: 37 MB Flavor: alpine OS: 3.21 Runtime: 8.3.16	2 days ago

[github-actions]

Outdated

🔍 Vulnerabilities of wayofdev/php-dev:latest

📦 Image Reference wayofdev/php-dev:latest

digest	sha256:eea4c2af978b766f7e6dc87f73bc70f5237003d74385c65dee59c38fe9cf2234
vulnerabilities
platform	linux/amd64
size	109 MB
packages	231

📦 Base Image php:0f3e69aa84dedd26dfa550ca4d5dad530b2dd71fe8529ba45d7ce8585587f42e

also known as	8.2-alpine 8.2-alpine3.21 8.2-cli-alpine 8.2-cli-alpine3.21 8.2.27-alpine 8.2.27-alpine3.21 8.2.27-cli-alpine 8.2.27-cli-alpine3.21
digest	sha256:39bf59caddad3b212fdd32aff3462885ccdc18e754a9e392e543b4a35effec7c
vulnerabilities

golang.org/x/crypto 0.17.0 (golang) pkg:golang/golang.org/x/[email protected] Improper Authorization Affected range <0.31.0 Fixed version 0.31.0 CVSS Score 9.1 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N EPSS Score 0.045% EPSS Percentile 18th percentile Description Applications and libraries which misuse the ServerConfig.PublicKeyCallback callback may be susceptible to an authorization bypass. The documentation for ServerConfig.PublicKeyCallback says that "A call to this function does not guarantee that the key offered is in fact used to authenticate." Specifically, the SSH protocol allows clients to inquire about whether a public key is acceptable before proving control of the corresponding private key. PublicKeyCallback may be called with multiple keys, and the order in which the keys were provided cannot be used to infer which key the client successfully authenticated with, if any. Some applications, which store the key(s) passed to PublicKeyCallback (or derived information) and make security relevant determinations based on it once the connection is established, may make incorrect assumptions. For example, an attacker may send public keys A and B, and then authenticate with A. PublicKeyCallback would be called only twice, first with A and then with B. A vulnerable application may then make authorization decisions based on key B for which the attacker does not actually control the private key. Since this API is widely misused, as a partial mitigation golang.org/x/[email protected] enforces the property that, when successfully authenticating via public key, the last key passed to ServerConfig.PublicKeyCallback will be the key used to authenticate the connection. PublicKeyCallback will now be called multiple times with the same key, if necessary. Note that the client may still not control the last key passed to PublicKeyCallback if the connection is then authenticated with a different method, such as PasswordCallback, KeyboardInteractiveCallback, or NoClientAuth. Users should be using the Extensions field of the Permissions return value from the various authentication callbacks to record data associated with the authentication attempt instead of referencing external state. Once the connection is established the state corresponding to the successful authentication attempt can be retrieved via the ServerConn.Permissions field. Note that some third-party libraries misuse the Permissions type by sharing it across authentication attempts; users of third-party libraries should refer to the relevant projects for guidance.

golang.org/x/net 0.18.0 (golang) pkg:golang/golang.org/x/[email protected] Allocation of Resources Without Limits or Throttling Affected range <0.33.0 Fixed version 0.33.0 CVSS Score 8.7 CVSS Vector CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N EPSS Score 0.045% EPSS Percentile 18th percentile Description An attacker can craft an input to the Parse functions that would be processed non-linearly with respect to its length, resulting in extremely slow parsing. This could cause a denial of service.

[github-actions]

Outdated

Recommended fixes for image wayofdev/php-dev:latest

Base image is php:8.3-fpm-alpine

Name	8.3.16-fpm-alpine3.21
Digest	sha256:0b84bd208921ecbda2ce7d2dbd577915963534d10625dd009a715423ea636004
Vulnerabilities
Pushed	2 days ago
Size	33 MB
Packages	53
Flavor	alpine
OS	3.21
Runtime	8.3.16

The base image is also available under the supported tag(s): 8.3-fpm-alpine3.21, 8.3.16-fpm-alpine, 8.3.16-fpm-alpine3.21

Refresh base image

Rebuild the image using a newer base image version. Updating this may result in breaking changes.

✅ This image version is up to date.

Change base image

Tag	Details	Pushed	Vulnerabilities
8.4-fpm-alpine Image has same number of vulnerabilities Also known as: 8.4.3-fpm-alpine 8.4.3-fpm-alpine3.21 8.4-fpm-alpine3.21 8-fpm-alpine 8-fpm-alpine3.21 fpm-alpine fpm-alpine3.21	Benefits: Same OS detected Tag was pushed more recently Image has similar size Image has same number of vulnerabilities Image contains equal number of packages Image details: Size: 36 MB Flavor: alpine OS: 3.21	2 days ago

[github-actions]

Outdated

Recommended fixes for image wayofdev/php-dev:latest

Base image is php:8.2-alpine

Name	8.2.27-alpine3.21
Digest	sha256:39bf59caddad3b212fdd32aff3462885ccdc18e754a9e392e543b4a35effec7c
Vulnerabilities
Pushed	1 month ago
Size	36 MB
Packages	52
Flavor	alpine
OS	3.21
Runtime	8.2.27

The base image is also available under the supported tag(s): 8.2-alpine3.21, 8.2-cli-alpine, 8.2-cli-alpine3.21, 8.2.27-alpine, 8.2.27-alpine3.21, 8.2.27-cli-alpine, 8.2.27-cli-alpine3.21

Refresh base image

Rebuild the image using a newer base image version. Updating this may result in breaking changes.

✅ This image version is up to date.

Change base image

Tag	Details	Pushed	Vulnerabilities
8.4-alpine Minor runtime version update Also known as: 8.4.3-cli-alpine 8.4.3-cli-alpine3.21 8.4-cli-alpine 8.4-cli-alpine3.21 8-cli-alpine 8-cli-alpine3.21 cli-alpine cli-alpine3.21 alpine alpine3.21 8.4.3-alpine 8.4.3-alpine3.21 8.4-alpine3.21 8-alpine 8-alpine3.21	Benefits: Same OS detected Minor runtime version update Tag was pushed more recently Image has similar size Image has same number of vulnerabilities Image contains equal number of packages Image details: Size: 42 MB Flavor: alpine OS: 3.21 Runtime: 8.4.3	2 days ago
8.3-alpine Minor runtime version update Also known as: 8.3.16-cli-alpine 8.3.16-cli-alpine3.21 8.3-cli-alpine 8.3-cli-alpine3.21 8.3.16-alpine 8.3.16-alpine3.21 8.3-alpine3.21	Benefits: Same OS detected Minor runtime version update Tag was pushed more recently Image has similar size Image has same number of vulnerabilities Image contains equal number of packages Image details: Size: 37 MB Flavor: alpine OS: 3.21 Runtime: 8.3.16	2 days ago

[github-actions]

Outdated

🔍 Vulnerabilities of wayofdev/php-dev:latest

📦 Image Reference wayofdev/php-dev:latest

digest	sha256:9227fba606c5d9c6435bf174ac4031b2632ea1e06c6ea7b47fa2a5d28c52c8f2
vulnerabilities
platform	linux/amd64
size	109 MB
packages	232

📦 Base Image php:8-fpm-alpine

also known as	8-fpm-alpine3.21 8.4-fpm-alpine 8.4-fpm-alpine3.21 8.4.3-fpm-alpine 8.4.3-fpm-alpine3.21 fpm-alpine fpm-alpine3.21
digest	sha256:233e88a1d9d93ba47555a69ee03b989e5e07d5046a9936008df523aa982bd4b8
vulnerabilities

golang.org/x/crypto 0.17.0 (golang) pkg:golang/golang.org/x/[email protected] Improper Authorization Affected range <0.31.0 Fixed version 0.31.0 CVSS Score 9.1 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N EPSS Score 0.045% EPSS Percentile 18th percentile Description Applications and libraries which misuse the ServerConfig.PublicKeyCallback callback may be susceptible to an authorization bypass. The documentation for ServerConfig.PublicKeyCallback says that "A call to this function does not guarantee that the key offered is in fact used to authenticate." Specifically, the SSH protocol allows clients to inquire about whether a public key is acceptable before proving control of the corresponding private key. PublicKeyCallback may be called with multiple keys, and the order in which the keys were provided cannot be used to infer which key the client successfully authenticated with, if any. Some applications, which store the key(s) passed to PublicKeyCallback (or derived information) and make security relevant determinations based on it once the connection is established, may make incorrect assumptions. For example, an attacker may send public keys A and B, and then authenticate with A. PublicKeyCallback would be called only twice, first with A and then with B. A vulnerable application may then make authorization decisions based on key B for which the attacker does not actually control the private key. Since this API is widely misused, as a partial mitigation golang.org/x/[email protected] enforces the property that, when successfully authenticating via public key, the last key passed to ServerConfig.PublicKeyCallback will be the key used to authenticate the connection. PublicKeyCallback will now be called multiple times with the same key, if necessary. Note that the client may still not control the last key passed to PublicKeyCallback if the connection is then authenticated with a different method, such as PasswordCallback, KeyboardInteractiveCallback, or NoClientAuth. Users should be using the Extensions field of the Permissions return value from the various authentication callbacks to record data associated with the authentication attempt instead of referencing external state. Once the connection is established the state corresponding to the successful authentication attempt can be retrieved via the ServerConn.Permissions field. Note that some third-party libraries misuse the Permissions type by sharing it across authentication attempts; users of third-party libraries should refer to the relevant projects for guidance.

golang.org/x/net 0.18.0 (golang) pkg:golang/golang.org/x/[email protected] Allocation of Resources Without Limits or Throttling Affected range <0.33.0 Fixed version 0.33.0 CVSS Score 8.7 CVSS Vector CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N EPSS Score 0.045% EPSS Percentile 18th percentile Description An attacker can craft an input to the Parse functions that would be processed non-linearly with respect to its length, resulting in extremely slow parsing. This could cause a denial of service.

[github-actions]

Outdated

Recommended fixes for image wayofdev/php-dev:latest

Base image is php:8-fpm-alpine

Name	fpm-alpine3.21
Digest	sha256:233e88a1d9d93ba47555a69ee03b989e5e07d5046a9936008df523aa982bd4b8
Vulnerabilities
Pushed	2 days ago
Size	36 MB
Packages	53
Flavor	alpine
OS	3.21

The base image is also available under the supported tag(s): 8-fpm-alpine3.21, 8.4-fpm-alpine, 8.4-fpm-alpine3.21, 8.4.3-fpm-alpine, 8.4.3-fpm-alpine3.21, fpm-alpine, fpm-alpine3.21

Refresh base image

Rebuild the image using a newer base image version. Updating this may result in breaking changes.

✅ This image version is up to date.

Change base image

Tag	Details	Pushed	Vulnerabilities
8.3-fpm-alpine Minor runtime version update Also known as: 8.3.16-fpm-alpine 8.3.16-fpm-alpine3.21 8.3-fpm-alpine3.21	Benefits: Same OS detected Minor runtime version update Image is smaller by 3.3 MB Image has same number of vulnerabilities Image contains equal number of packages Image details: Size: 33 MB Flavor: alpine OS: 3.21 Runtime: 8.3.16	2 days ago
8.2-fpm-alpine Minor runtime version update Also known as: 8.2.27-fpm-alpine 8.2.27-fpm-alpine3.21 8.2-fpm-alpine3.21	Benefits: Same OS detected Minor runtime version update Image is smaller by 3.9 MB Image has same number of vulnerabilities Image contains equal number of packages 8.2-fpm-alpine was pulled 4.1K times last month Image details: Size: 32 MB Flavor: alpine OS: 3.21 Runtime: 8.2.27	1 month ago
8.1-fpm-alpine Minor runtime version update Also known as: 8.1.31-fpm-alpine 8.1.31-fpm-alpine3.21 8.1-fpm-alpine3.21	Benefits: Same OS detected Minor runtime version update Image is smaller by 4.4 MB Image has same number of vulnerabilities Image contains equal number of packages 8.1-fpm-alpine is the fourth most popular tag with 18K pulls per month Image details: Size: 32 MB Flavor: alpine OS: 3.21 Runtime: 8.1.31	1 month ago

[github-actions]

Outdated

🔍 Vulnerabilities of wayofdev/php-dev:latest

📦 Image Reference wayofdev/php-dev:latest

digest	sha256:1cad42fef3cca526d625fb3552912341cc95b73b59c0f4c5e95f81f42a98fc0e
vulnerabilities
platform	linux/amd64
size	128 MB
packages	249

📦 Base Image php:8.3-alpine

also known as	8.3-alpine3.21 8.3-cli-alpine 8.3-cli-alpine3.21 8.3.16-alpine 8.3.16-alpine3.21 8.3.16-cli-alpine 8.3.16-cli-alpine3.21
digest	sha256:1fe9d473ff87ce87bccb628ec41849a8131ee042b5634555dde842a93d13e41c
vulnerabilities

golang.org/x/crypto 0.17.0 (golang) pkg:golang/golang.org/x/[email protected] Improper Authorization Affected range <0.31.0 Fixed version 0.31.0 CVSS Score 9.1 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N EPSS Score 0.045% EPSS Percentile 18th percentile Description Applications and libraries which misuse the ServerConfig.PublicKeyCallback callback may be susceptible to an authorization bypass. The documentation for ServerConfig.PublicKeyCallback says that "A call to this function does not guarantee that the key offered is in fact used to authenticate." Specifically, the SSH protocol allows clients to inquire about whether a public key is acceptable before proving control of the corresponding private key. PublicKeyCallback may be called with multiple keys, and the order in which the keys were provided cannot be used to infer which key the client successfully authenticated with, if any. Some applications, which store the key(s) passed to PublicKeyCallback (or derived information) and make security relevant determinations based on it once the connection is established, may make incorrect assumptions. For example, an attacker may send public keys A and B, and then authenticate with A. PublicKeyCallback would be called only twice, first with A and then with B. A vulnerable application may then make authorization decisions based on key B for which the attacker does not actually control the private key. Since this API is widely misused, as a partial mitigation golang.org/x/[email protected] enforces the property that, when successfully authenticating via public key, the last key passed to ServerConfig.PublicKeyCallback will be the key used to authenticate the connection. PublicKeyCallback will now be called multiple times with the same key, if necessary. Note that the client may still not control the last key passed to PublicKeyCallback if the connection is then authenticated with a different method, such as PasswordCallback, KeyboardInteractiveCallback, or NoClientAuth. Users should be using the Extensions field of the Permissions return value from the various authentication callbacks to record data associated with the authentication attempt instead of referencing external state. Once the connection is established the state corresponding to the successful authentication attempt can be retrieved via the ServerConn.Permissions field. Note that some third-party libraries misuse the Permissions type by sharing it across authentication attempts; users of third-party libraries should refer to the relevant projects for guidance.

golang.org/x/net 0.18.0 (golang) pkg:golang/golang.org/x/[email protected] Allocation of Resources Without Limits or Throttling Affected range <0.33.0 Fixed version 0.33.0 CVSS Score 8.7 CVSS Vector CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N EPSS Score 0.045% EPSS Percentile 18th percentile Description An attacker can craft an input to the Parse functions that would be processed non-linearly with respect to its length, resulting in extremely slow parsing. This could cause a denial of service.

[github-actions]

🔍 Vulnerabilities of wayofdev/php-dev:latest

📦 Image Reference wayofdev/php-dev:latest

digest	sha256:26dfb8dd88f9b94366c8603ce067a0b80848ef8c47a6159234021155bcff4576
vulnerabilities
platform	linux/amd64
size	134 MB
packages	249

📦 Base Image php:8-alpine

also known as	8-alpine3.21 8-cli-alpine 8-cli-alpine3.21 8.4-alpine 8.4-alpine3.21 8.4-cli-alpine 8.4-cli-alpine3.21 8.4.3-alpine 8.4.3-alpine3.21 8.4.3-cli-alpine 8.4.3-cli-alpine3.21 81e0beb4d1c873f343c6e1e7d6b85b43904695c5ac664030171c1769358c63f8 alpine alpine3.21 cli-alpine cli-alpine3.21
digest	sha256:170320e6538870c70b6e2c59e0e166e2dbd0c4dda143bdb87a9b145f7c0e57cd
vulnerabilities

golang.org/x/crypto 0.17.0 (golang) pkg:golang/golang.org/x/[email protected] Improper Authorization Affected range <0.31.0 Fixed version 0.31.0 CVSS Score 9.1 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N EPSS Score 0.045% EPSS Percentile 18th percentile Description Applications and libraries which misuse the ServerConfig.PublicKeyCallback callback may be susceptible to an authorization bypass. The documentation for ServerConfig.PublicKeyCallback says that "A call to this function does not guarantee that the key offered is in fact used to authenticate." Specifically, the SSH protocol allows clients to inquire about whether a public key is acceptable before proving control of the corresponding private key. PublicKeyCallback may be called with multiple keys, and the order in which the keys were provided cannot be used to infer which key the client successfully authenticated with, if any. Some applications, which store the key(s) passed to PublicKeyCallback (or derived information) and make security relevant determinations based on it once the connection is established, may make incorrect assumptions. For example, an attacker may send public keys A and B, and then authenticate with A. PublicKeyCallback would be called only twice, first with A and then with B. A vulnerable application may then make authorization decisions based on key B for which the attacker does not actually control the private key. Since this API is widely misused, as a partial mitigation golang.org/x/[email protected] enforces the property that, when successfully authenticating via public key, the last key passed to ServerConfig.PublicKeyCallback will be the key used to authenticate the connection. PublicKeyCallback will now be called multiple times with the same key, if necessary. Note that the client may still not control the last key passed to PublicKeyCallback if the connection is then authenticated with a different method, such as PasswordCallback, KeyboardInteractiveCallback, or NoClientAuth. Users should be using the Extensions field of the Permissions return value from the various authentication callbacks to record data associated with the authentication attempt instead of referencing external state. Once the connection is established the state corresponding to the successful authentication attempt can be retrieved via the ServerConn.Permissions field. Note that some third-party libraries misuse the Permissions type by sharing it across authentication attempts; users of third-party libraries should refer to the relevant projects for guidance.

golang.org/x/net 0.18.0 (golang) pkg:golang/golang.org/x/[email protected] Allocation of Resources Without Limits or Throttling Affected range <0.33.0 Fixed version 0.33.0 CVSS Score 8.7 CVSS Vector CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N EPSS Score 0.045% EPSS Percentile 18th percentile Description An attacker can craft an input to the Parse functions that would be processed non-linearly with respect to its length, resulting in extremely slow parsing. This could cause a denial of service.

[github-actions]

Outdated

Recommended fixes for image wayofdev/php-dev:latest

Base image is php:8.3-alpine

Name	8.3.16-alpine3.21
Digest	sha256:1fe9d473ff87ce87bccb628ec41849a8131ee042b5634555dde842a93d13e41c
Vulnerabilities
Pushed	2 days ago
Size	37 MB
Packages	52
Flavor	alpine
OS	3.21
Runtime	8.3.16

The base image is also available under the supported tag(s): 8.3-alpine3.21, 8.3-cli-alpine, 8.3-cli-alpine3.21, 8.3.16-alpine, 8.3.16-alpine3.21, 8.3.16-cli-alpine, 8.3.16-cli-alpine3.21

Refresh base image

Rebuild the image using a newer base image version. Updating this may result in breaking changes.

✅ This image version is up to date.

Change base image

Tag	Details	Pushed	Vulnerabilities
8.4-alpine Minor runtime version update Also known as: 8.4.3-cli-alpine 8.4.3-cli-alpine3.21 8.4-cli-alpine 8.4-cli-alpine3.21 8-cli-alpine 8-cli-alpine3.21 cli-alpine cli-alpine3.21 alpine alpine3.21 8.4.3-alpine 8.4.3-alpine3.21 8.4-alpine3.21 8-alpine 8-alpine3.21	Benefits: Same OS detected Minor runtime version update Tag was pushed more recently Image has similar size Image has same number of vulnerabilities Image contains equal number of packages Image details: Size: 42 MB Flavor: alpine OS: 3.21 Runtime: 8.4.3	2 days ago

[github-actions]

Recommended fixes for image wayofdev/php-dev:latest

Base image is php:8-alpine

Name	8.4.3-alpine3.21
Digest	sha256:170320e6538870c70b6e2c59e0e166e2dbd0c4dda143bdb87a9b145f7c0e57cd
Vulnerabilities
Pushed	2 days ago
Size	42 MB
Packages	52
Flavor	alpine
OS	3.21
Runtime	8.4.3

The base image is also available under the supported tag(s): 8-alpine3.21, 8-cli-alpine, 8-cli-alpine3.21, 8.4-alpine, 8.4-alpine3.21, 8.4-cli-alpine, 8.4-cli-alpine3.21, 8.4.3-alpine, 8.4.3-alpine3.21, 8.4.3-cli-alpine, 8.4.3-cli-alpine3.21, alpine, alpine3.21, cli-alpine, cli-alpine3.21

Refresh base image

Rebuild the image using a newer base image version. Updating this may result in breaking changes.

✅ This image version is up to date.

Change base image

✅ There are no tag recommendations at this time.

[lotyp]

🤖 Created releases:

• v2.8.7
  🌻