deps(deps): update e1himself/goss-installation-action action to v1.3.0

[renovate]

This PR contains the following updates:

Package	Type	Update	Change
e1himself/goss-installation-action	action	minor	v1.2.1 -> v1.3.0

---

Release Notes

e1himself/goss-installation-action (e1himself/goss-installation-action)

v1.3.0

Compare Source

What's Changed

• Add support for Github Runner platforms and architectures other than linux-x64 by @​mlipscombe in #​27

New Contributors

• @​mlipscombe made their first contribution in #​27

Full Changelog: e1himself/goss-installation-action@v1...v1.3.0

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[github-actions]

Outdated

🔍 Vulnerabilities of wayofdev/php-dev:latest

📦 Image Reference wayofdev/php-dev:latest

digest	sha256:4c13dcfba6291d2953f78f2a02cdd9fc0f4927e9988d29ce4d693adce9e44c8c
vulnerabilities
platform	linux/amd64
size	105 MB
packages	248

📦 Base Image php:8.1-fpm-alpine

also known as	8.1-fpm-alpine3.21 8.1.33-fpm-alpine 8.1.33-fpm-alpine3.21 a5705c7e8a9637ec417dc448b6afb91982a252f2f08a056af3166d3e0b36cc0e
digest	sha256:3f6d33709f6648a334f44757f43bc6c9e4c4390b4ff555199f28377601455de9
vulnerabilities

golang.org/x/crypto 0.17.0 (golang) pkg:golang/golang.org/x/crypto@0.17.0 Improper Authorization Affected range <0.31.0 Fixed version 0.31.0 CVSS Score 9.1 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N EPSS Score 47.048% EPSS Percentile 98th percentile Description Applications and libraries which misuse the ServerConfig.PublicKeyCallback callback may be susceptible to an authorization bypass. The documentation for ServerConfig.PublicKeyCallback says that "A call to this function does not guarantee that the key offered is in fact used to authenticate." Specifically, the SSH protocol allows clients to inquire about whether a public key is acceptable before proving control of the corresponding private key. PublicKeyCallback may be called with multiple keys, and the order in which the keys were provided cannot be used to infer which key the client successfully authenticated with, if any. Some applications, which store the key(s) passed to PublicKeyCallback (or derived information) and make security relevant determinations based on it once the connection is established, may make incorrect assumptions. For example, an attacker may send public keys A and B, and then authenticate with A. PublicKeyCallback would be called only twice, first with A and then with B. A vulnerable application may then make authorization decisions based on key B for which the attacker does not actually control the private key. Since this API is widely misused, as a partial mitigation golang.org/x/crypto@v0.31.0 enforces the property that, when successfully authenticating via public key, the last key passed to ServerConfig.PublicKeyCallback will be the key used to authenticate the connection. PublicKeyCallback will now be called multiple times with the same key, if necessary. Note that the client may still not control the last key passed to PublicKeyCallback if the connection is then authenticated with a different method, such as PasswordCallback, KeyboardInteractiveCallback, or NoClientAuth. Users should be using the Extensions field of the Permissions return value from the various authentication callbacks to record data associated with the authentication attempt instead of referencing external state. Once the connection is established the state corresponding to the successful authentication attempt can be retrieved via the ServerConn.Permissions field. Note that some third-party libraries misuse the Permissions type by sharing it across authentication attempts; users of third-party libraries should refer to the relevant projects for guidance. Affected range <0.35.0 Fixed version 0.35.0 EPSS Score 0.242% EPSS Percentile 47th percentile Description SSH servers which implement file transfer protocols are vulnerable to a denial of service attack from clients which complete the key exchange slowly, or not at all, causing pending content to be read into memory, but never transmitted.

[github-actions]

Outdated

🔍 Vulnerabilities of wayofdev/php-dev:latest

📦 Image Reference wayofdev/php-dev:latest

digest	sha256:7cebb550311908105e915a3a76897497ea38c204e28996a819bd4c42bfc8e4bd
vulnerabilities
platform	linux/amd64
size	109 MB
packages	250

📦 Base Image php:7594c2581e3f8fffcf0f16338d2f97a001a068e7c7285197b721ad5d6cb2eced

also known as	8.3-fpm-alpine 8.3-fpm-alpine3.22 8.3.26-fpm-alpine 8.3.26-fpm-alpine3.22
digest	sha256:23bc3071de0155cc91ed48be24ca498a730460a6fa5bd0d517eaba07e753204b
vulnerabilities

golang.org/x/crypto 0.17.0 (golang) pkg:golang/golang.org/x/crypto@0.17.0 Improper Authorization Affected range <0.31.0 Fixed version 0.31.0 CVSS Score 9.1 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N EPSS Score 47.048% EPSS Percentile 98th percentile Description Applications and libraries which misuse the ServerConfig.PublicKeyCallback callback may be susceptible to an authorization bypass. The documentation for ServerConfig.PublicKeyCallback says that "A call to this function does not guarantee that the key offered is in fact used to authenticate." Specifically, the SSH protocol allows clients to inquire about whether a public key is acceptable before proving control of the corresponding private key. PublicKeyCallback may be called with multiple keys, and the order in which the keys were provided cannot be used to infer which key the client successfully authenticated with, if any. Some applications, which store the key(s) passed to PublicKeyCallback (or derived information) and make security relevant determinations based on it once the connection is established, may make incorrect assumptions. For example, an attacker may send public keys A and B, and then authenticate with A. PublicKeyCallback would be called only twice, first with A and then with B. A vulnerable application may then make authorization decisions based on key B for which the attacker does not actually control the private key. Since this API is widely misused, as a partial mitigation golang.org/x/crypto@v0.31.0 enforces the property that, when successfully authenticating via public key, the last key passed to ServerConfig.PublicKeyCallback will be the key used to authenticate the connection. PublicKeyCallback will now be called multiple times with the same key, if necessary. Note that the client may still not control the last key passed to PublicKeyCallback if the connection is then authenticated with a different method, such as PasswordCallback, KeyboardInteractiveCallback, or NoClientAuth. Users should be using the Extensions field of the Permissions return value from the various authentication callbacks to record data associated with the authentication attempt instead of referencing external state. Once the connection is established the state corresponding to the successful authentication attempt can be retrieved via the ServerConn.Permissions field. Note that some third-party libraries misuse the Permissions type by sharing it across authentication attempts; users of third-party libraries should refer to the relevant projects for guidance. Affected range <0.35.0 Fixed version 0.35.0 EPSS Score 0.242% EPSS Percentile 47th percentile Description SSH servers which implement file transfer protocols are vulnerable to a denial of service attack from clients which complete the key exchange slowly, or not at all, causing pending content to be read into memory, but never transmitted.

[github-actions]

Outdated

Recommended fixes for image wayofdev/php-dev:latest

Base image is php:8.1-fpm-alpine

Name	8.1.33-fpm-alpine3.21
Digest	sha256:3f6d33709f6648a334f44757f43bc6c9e4c4390b4ff555199f28377601455de9
Vulnerabilities
Pushed	2 months ago
Size	32 MB
Packages	60
Flavor	alpine
OS	3.21
Runtime	8.1.33

The base image is also available under the supported tag(s): 8.1-fpm-alpine3.21, 8.1.33-fpm-alpine, 8.1.33-fpm-alpine3.21

Refresh base image

Rebuild the image using a newer base image version. Updating this may result in breaking changes.

✅ This image version is up to date.

Change base image

Tag	Details	Pushed	Vulnerabilities
8.1-fpm-alpine3.22 Patch runtime version update Also known as: 8.1.33-fpm-alpine3.22	Benefits: Patch runtime version update Same OS detected Image has similar size Image has same number of vulnerabilities Image contains similar number of packages Image details: Size: 32 MB Flavor: alpine OS: 3.22 Runtime: 8.1.33	2 months ago
8.3-fpm-alpine Minor runtime version update Also known as: 8.3.27-fpm-alpine 8.3.27-fpm-alpine3.22 8.3-fpm-alpine3.22	Benefits: Same OS detected Minor runtime version update Tag was pushed more recently Image has similar size Image introduces no new vulnerability but removes 5 Image contains similar number of packages Image details: Size: 33 MB Flavor: alpine OS: 3.22 Runtime: 8.3.27	1 day ago
8.3-fpm-alpine3.21 Minor runtime version update Also known as: 8.3.27-fpm-alpine3.21	Benefits: Same OS detected Minor runtime version update Tag was pushed more recently Image has similar size Image introduces no new vulnerability but removes 5 Image contains equal number of packages Image details: Size: 33 MB Flavor: alpine OS: 3.21 Runtime: 8.3.27	1 day ago
8.2-fpm-alpine Minor runtime version update Also known as: 8.2.29-fpm-alpine 8.2.29-fpm-alpine3.22 8.2-fpm-alpine3.22	Benefits: Same OS detected Minor runtime version update Image has similar size Image has same number of vulnerabilities Image contains similar number of packages 8.2-fpm-alpine was pulled 4.1K times last month Image details: Size: 32 MB Flavor: alpine OS: 3.22 Runtime: 8.2.29	2 months ago
8.2-fpm-alpine3.21 Minor runtime version update Also known as: 8.2.29-fpm-alpine3.21	Benefits: Same OS detected Minor runtime version update Image has similar size Image has same number of vulnerabilities Image contains equal number of packages Image details: Size: 32 MB Flavor: alpine OS: 3.21 Runtime: 8.2.29	2 months ago
8.4-fpm-alpine Image introduces no new vulnerability but removes 5 Also known as: 8.4.14-fpm-alpine 8.4.14-fpm-alpine3.22 8.4-fpm-alpine3.22 8-fpm-alpine 8-fpm-alpine3.22 fpm-alpine fpm-alpine3.22	Benefits: Same OS detected Tag was pushed more recently Image has similar size Image introduces no new vulnerability but removes 5 Image contains similar number of packages Image details: Size: 36 MB Flavor: alpine OS: 3.22	1 day ago
8.4-fpm-alpine3.21 Image introduces no new vulnerability but removes 5 Also known as: 8.4.14-fpm-alpine3.21 8-fpm-alpine3.21 fpm-alpine3.21	Benefits: Same OS detected Tag was pushed more recently Image has similar size Image introduces no new vulnerability but removes 5 Image contains equal number of packages Image details: Size: 36 MB Flavor: alpine OS: 3.21	1 day ago

[github-actions]

Outdated

🔍 Vulnerabilities of wayofdev/php-dev:latest

📦 Image Reference wayofdev/php-dev:latest

digest	sha256:13fd8e909c90f6844e3ec67eb8a959069dc6d16cd3ac2d4c65537647e57cb37c
vulnerabilities
platform	linux/amd64
size	112 MB
packages	249

📦 Base Image php:8.2-alpine

also known as	8.2-alpine3.22 8.2-cli-alpine 8.2-cli-alpine3.22 8.2.29-alpine 8.2.29-alpine3.22 8.2.29-cli-alpine 8.2.29-cli-alpine3.22 df7d2aca7d453249829e16923877c821823065f32a24e0eb2c66e7a12fd7b54b
digest	sha256:8c201df34c610be6d54a158ac62310c15b7370bfb3777508188c07513787caa0
vulnerabilities

golang.org/x/crypto 0.17.0 (golang) pkg:golang/golang.org/x/crypto@0.17.0 Improper Authorization Affected range <0.31.0 Fixed version 0.31.0 CVSS Score 9.1 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N EPSS Score 47.048% EPSS Percentile 98th percentile Description Applications and libraries which misuse the ServerConfig.PublicKeyCallback callback may be susceptible to an authorization bypass. The documentation for ServerConfig.PublicKeyCallback says that "A call to this function does not guarantee that the key offered is in fact used to authenticate." Specifically, the SSH protocol allows clients to inquire about whether a public key is acceptable before proving control of the corresponding private key. PublicKeyCallback may be called with multiple keys, and the order in which the keys were provided cannot be used to infer which key the client successfully authenticated with, if any. Some applications, which store the key(s) passed to PublicKeyCallback (or derived information) and make security relevant determinations based on it once the connection is established, may make incorrect assumptions. For example, an attacker may send public keys A and B, and then authenticate with A. PublicKeyCallback would be called only twice, first with A and then with B. A vulnerable application may then make authorization decisions based on key B for which the attacker does not actually control the private key. Since this API is widely misused, as a partial mitigation golang.org/x/crypto@v0.31.0 enforces the property that, when successfully authenticating via public key, the last key passed to ServerConfig.PublicKeyCallback will be the key used to authenticate the connection. PublicKeyCallback will now be called multiple times with the same key, if necessary. Note that the client may still not control the last key passed to PublicKeyCallback if the connection is then authenticated with a different method, such as PasswordCallback, KeyboardInteractiveCallback, or NoClientAuth. Users should be using the Extensions field of the Permissions return value from the various authentication callbacks to record data associated with the authentication attempt instead of referencing external state. Once the connection is established the state corresponding to the successful authentication attempt can be retrieved via the ServerConn.Permissions field. Note that some third-party libraries misuse the Permissions type by sharing it across authentication attempts; users of third-party libraries should refer to the relevant projects for guidance. Affected range <0.35.0 Fixed version 0.35.0 EPSS Score 0.242% EPSS Percentile 47th percentile Description SSH servers which implement file transfer protocols are vulnerable to a denial of service attack from clients which complete the key exchange slowly, or not at all, causing pending content to be read into memory, but never transmitted.

[github-actions]

Outdated

🔍 Vulnerabilities of wayofdev/php-dev:latest

📦 Image Reference wayofdev/php-dev:latest

digest	sha256:40d29ae9a215d58b07e3f44c1dab978b14260a38962444d46300896a1c36a723
vulnerabilities
platform	linux/amd64
size	112 MB
packages	250

📦 Base Image php:8-fpm-alpine

also known as	8-fpm-alpine3.22 8.4-fpm-alpine 8.4-fpm-alpine3.22 8.4.13-fpm-alpine 8.4.13-fpm-alpine3.22 be12027ae933c17a29d9cf56e2480967afd04719fa2f20358ea1ad257a435605 fpm-alpine fpm-alpine3.22
digest	sha256:4efaf7966df90365b41e71d5085b1c49348acb80bc5e0aa709de2b9b5f4dcb35
vulnerabilities

golang.org/x/crypto 0.17.0 (golang) pkg:golang/golang.org/x/crypto@0.17.0 Improper Authorization Affected range <0.31.0 Fixed version 0.31.0 CVSS Score 9.1 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N EPSS Score 47.048% EPSS Percentile 98th percentile Description Applications and libraries which misuse the ServerConfig.PublicKeyCallback callback may be susceptible to an authorization bypass. The documentation for ServerConfig.PublicKeyCallback says that "A call to this function does not guarantee that the key offered is in fact used to authenticate." Specifically, the SSH protocol allows clients to inquire about whether a public key is acceptable before proving control of the corresponding private key. PublicKeyCallback may be called with multiple keys, and the order in which the keys were provided cannot be used to infer which key the client successfully authenticated with, if any. Some applications, which store the key(s) passed to PublicKeyCallback (or derived information) and make security relevant determinations based on it once the connection is established, may make incorrect assumptions. For example, an attacker may send public keys A and B, and then authenticate with A. PublicKeyCallback would be called only twice, first with A and then with B. A vulnerable application may then make authorization decisions based on key B for which the attacker does not actually control the private key. Since this API is widely misused, as a partial mitigation golang.org/x/crypto@v0.31.0 enforces the property that, when successfully authenticating via public key, the last key passed to ServerConfig.PublicKeyCallback will be the key used to authenticate the connection. PublicKeyCallback will now be called multiple times with the same key, if necessary. Note that the client may still not control the last key passed to PublicKeyCallback if the connection is then authenticated with a different method, such as PasswordCallback, KeyboardInteractiveCallback, or NoClientAuth. Users should be using the Extensions field of the Permissions return value from the various authentication callbacks to record data associated with the authentication attempt instead of referencing external state. Once the connection is established the state corresponding to the successful authentication attempt can be retrieved via the ServerConn.Permissions field. Note that some third-party libraries misuse the Permissions type by sharing it across authentication attempts; users of third-party libraries should refer to the relevant projects for guidance. Affected range <0.35.0 Fixed version 0.35.0 EPSS Score 0.242% EPSS Percentile 47th percentile Description SSH servers which implement file transfer protocols are vulnerable to a denial of service attack from clients which complete the key exchange slowly, or not at all, causing pending content to be read into memory, but never transmitted.

[github-actions]

Outdated

🔍 Vulnerabilities of wayofdev/php-dev:latest

📦 Image Reference wayofdev/php-dev:latest

digest	sha256:0b862d763887c25d2dff39f8b5dc6ea4916990afa53d18c494e5264757057051
vulnerabilities
platform	linux/amd64
size	117 MB
packages	249

📦 Base Image php:8-alpine

also known as	8-alpine3.22 8-cli-alpine 8-cli-alpine3.22 8.4-alpine 8.4-alpine3.22 8.4-cli-alpine 8.4-cli-alpine3.22 8.4.13-alpine 8.4.13-alpine3.22 8.4.13-cli-alpine 8.4.13-cli-alpine3.22 alpine alpine3.22 cli-alpine cli-alpine3.22 fccdb165b72cc548a2b0efc5655b3307e7eea6db96216a117a60e80fae4ed828
digest	sha256:7312bec7f935c80133ef7028fbf6d82d312be50fb833aa7f7fee0d405996352b
vulnerabilities

golang.org/x/crypto 0.17.0 (golang) pkg:golang/golang.org/x/crypto@0.17.0 Improper Authorization Affected range <0.31.0 Fixed version 0.31.0 CVSS Score 9.1 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N EPSS Score 47.048% EPSS Percentile 98th percentile Description Applications and libraries which misuse the ServerConfig.PublicKeyCallback callback may be susceptible to an authorization bypass. The documentation for ServerConfig.PublicKeyCallback says that "A call to this function does not guarantee that the key offered is in fact used to authenticate." Specifically, the SSH protocol allows clients to inquire about whether a public key is acceptable before proving control of the corresponding private key. PublicKeyCallback may be called with multiple keys, and the order in which the keys were provided cannot be used to infer which key the client successfully authenticated with, if any. Some applications, which store the key(s) passed to PublicKeyCallback (or derived information) and make security relevant determinations based on it once the connection is established, may make incorrect assumptions. For example, an attacker may send public keys A and B, and then authenticate with A. PublicKeyCallback would be called only twice, first with A and then with B. A vulnerable application may then make authorization decisions based on key B for which the attacker does not actually control the private key. Since this API is widely misused, as a partial mitigation golang.org/x/crypto@v0.31.0 enforces the property that, when successfully authenticating via public key, the last key passed to ServerConfig.PublicKeyCallback will be the key used to authenticate the connection. PublicKeyCallback will now be called multiple times with the same key, if necessary. Note that the client may still not control the last key passed to PublicKeyCallback if the connection is then authenticated with a different method, such as PasswordCallback, KeyboardInteractiveCallback, or NoClientAuth. Users should be using the Extensions field of the Permissions return value from the various authentication callbacks to record data associated with the authentication attempt instead of referencing external state. Once the connection is established the state corresponding to the successful authentication attempt can be retrieved via the ServerConn.Permissions field. Note that some third-party libraries misuse the Permissions type by sharing it across authentication attempts; users of third-party libraries should refer to the relevant projects for guidance. Affected range <0.35.0 Fixed version 0.35.0 EPSS Score 0.242% EPSS Percentile 47th percentile Description SSH servers which implement file transfer protocols are vulnerable to a denial of service attack from clients which complete the key exchange slowly, or not at all, causing pending content to be read into memory, but never transmitted.

[github-actions]

Outdated

Recommended fixes for image wayofdev/php-dev:latest

Base image is php:8.3-fpm-alpine

Name	8.3.26-fpm-alpine3.22
Digest	sha256:23bc3071de0155cc91ed48be24ca498a730460a6fa5bd0d517eaba07e753204b
Vulnerabilities
Pushed	4 weeks ago
Size	33 MB
Packages	61
Flavor	alpine
OS	3.22
Runtime	8.3.26

The base image is also available under the supported tag(s): 8.3-fpm-alpine3.22

Refresh base image

Rebuild the image using a newer base image version. Updating this may result in breaking changes.

Tag	Details	Pushed	Vulnerabilities
8.3-fpm-alpine Newer image for same tag Also known as: 8.3.27-fpm-alpine 8.3.27-fpm-alpine3.22 8.3-fpm-alpine3.22	Benefits: Patch runtime version update Same OS detected Newer image for same tag Tag was pushed more recently Image has similar size Image introduces no new vulnerability but removes 5 Image contains equal number of packages Image details: Size: 33 MB Flavor: alpine OS: 3.22 Runtime: 8.3.27	1 day ago

Change base image

Tag	Details	Pushed	Vulnerabilities
8.4-fpm-alpine Image introduces no new vulnerability but removes 5 Also known as: 8.4.14-fpm-alpine 8.4.14-fpm-alpine3.22 8.4-fpm-alpine3.22 8-fpm-alpine 8-fpm-alpine3.22 fpm-alpine fpm-alpine3.22	Benefits: Same OS detected Tag was pushed more recently Image has similar size Image introduces no new vulnerability but removes 5 Image contains equal number of packages Image details: Size: 36 MB Flavor: alpine OS: 3.22	1 day ago

[github-actions]

Outdated

Recommended fixes for image wayofdev/php-dev:latest

Base image is php:8-fpm-alpine

Name	fpm-alpine3.22
Digest	sha256:4efaf7966df90365b41e71d5085b1c49348acb80bc5e0aa709de2b9b5f4dcb35
Vulnerabilities
Pushed	4 weeks ago
Size	36 MB
Packages	61
Flavor	alpine
OS	3.22

The base image is also available under the supported tag(s): 8-fpm-alpine3.22, 8.4-fpm-alpine, 8.4-fpm-alpine3.22, fpm-alpine, fpm-alpine3.22

Refresh base image

Rebuild the image using a newer base image version. Updating this may result in breaking changes.

Tag	Details	Pushed	Vulnerabilities
8-fpm-alpine Newer image for same tag Also known as: 8.4.14-fpm-alpine 8.4.14-fpm-alpine3.22 8.4-fpm-alpine 8.4-fpm-alpine3.22 8-fpm-alpine3.22 fpm-alpine fpm-alpine3.22	Benefits: Same OS detected Newer image for same tag Tag was pushed more recently Image has similar size Image introduces no new vulnerability but removes 5 Image contains equal number of packages 8-fpm-alpine was pulled 4.8K times last month Image details: Size: 36 MB Flavor: alpine OS: 3.22	1 day ago

Change base image

Tag	Details	Pushed	Vulnerabilities
8.3-fpm-alpine Minor runtime version update Also known as: 8.3.27-fpm-alpine 8.3.27-fpm-alpine3.22 8.3-fpm-alpine3.22	Benefits: Same OS detected Minor runtime version update Image is smaller by 2.7 MB Tag was pushed more recently Image introduces no new vulnerability but removes 5 Image contains equal number of packages Image details: Size: 33 MB Flavor: alpine OS: 3.22 Runtime: 8.3.27	1 day ago
8.2-fpm-alpine Minor runtime version update Also known as: 8.2.29-fpm-alpine 8.2.29-fpm-alpine3.22 8.2-fpm-alpine3.22	Benefits: Same OS detected Minor runtime version update Image is smaller by 3.3 MB Image has same number of vulnerabilities Image contains equal number of packages 8.2-fpm-alpine was pulled 4.1K times last month Image details: Size: 32 MB Flavor: alpine OS: 3.22 Runtime: 8.2.29	2 months ago
8.1-fpm-alpine3.22 Minor runtime version update Also known as: 8.1.33-fpm-alpine3.22	Benefits: Same OS detected Minor runtime version update Image is smaller by 3.8 MB Image has same number of vulnerabilities Image contains equal number of packages Image details: Size: 32 MB Flavor: alpine OS: 3.22 Runtime: 8.1.33	2 months ago

[github-actions]

Outdated

Recommended fixes for image wayofdev/php-dev:latest

Base image is php:8.2-alpine

Name	8.2.29-alpine3.22
Digest	sha256:8c201df34c610be6d54a158ac62310c15b7370bfb3777508188c07513787caa0
Vulnerabilities
Pushed	2 months ago
Size	37 MB
Packages	60
Flavor	alpine
OS	3.22
Runtime	8.2.29

The base image is also available under the supported tag(s): 8.2-alpine3.22, 8.2-cli-alpine, 8.2-cli-alpine3.22, 8.2.29-alpine, 8.2.29-alpine3.22, 8.2.29-cli-alpine, 8.2.29-cli-alpine3.22

Refresh base image

Rebuild the image using a newer base image version. Updating this may result in breaking changes.

✅ This image version is up to date.

Change base image

Tag	Details	Pushed	Vulnerabilities
8.4.14-alpine Minor runtime version update Also known as: 8.4.14-cli-alpine 8.4.14-cli-alpine3.22 8.4-cli-alpine 8.4-cli-alpine3.22 8-cli-alpine 8-cli-alpine3.22 cli-alpine alpine alpine3.22 8.4.14-alpine3.22 8-alpine 8-alpine3.22	Benefits: Same OS detected Minor runtime version update Tag was pushed more recently Image has similar size Image introduces no new vulnerability but removes 5 Image contains equal number of packages Image details: Size: 41 MB Flavor: alpine OS: 3.22 Runtime: 8.4.14	1 day ago
8.4-alpine Minor runtime version update Also known as: cli-alpine3.22 8.4-alpine3.22	Benefits: Same OS detected Minor runtime version update Tag was pushed more recently Image has similar size Image has same number of vulnerabilities Image contains equal number of packages Image details: Size: 41 MB Flavor: alpine OS: 3.22 Runtime: 8.4	4 weeks ago
8.3-alpine Minor runtime version update Also known as: 8.3.27-cli-alpine 8.3.27-cli-alpine3.22 8.3-cli-alpine 8.3-cli-alpine3.22 8.3.27-alpine 8.3.27-alpine3.22 8.3-alpine3.22	Benefits: Same OS detected Minor runtime version update Tag was pushed more recently Image has similar size Image introduces no new vulnerability but removes 5 Image contains equal number of packages Image details: Size: 37 MB Flavor: alpine OS: 3.22 Runtime: 8.3.27	1 day ago

[github-actions]

Outdated

Recommended fixes for image wayofdev/php-dev:latest

Base image is php:8-alpine

Name	8.4.13-alpine3.22
Digest	sha256:7312bec7f935c80133ef7028fbf6d82d312be50fb833aa7f7fee0d405996352b
Vulnerabilities
Pushed	4 weeks ago
Size	41 MB
Packages	60
Flavor	alpine
OS	3.22
Runtime	8.4.13

The base image is also available under the supported tag(s): 8-alpine3.22, 8-cli-alpine, 8-cli-alpine3.22, 8.4-alpine, 8.4-alpine3.22, 8.4-cli-alpine, 8.4-cli-alpine3.22, alpine, alpine3.22, cli-alpine, cli-alpine3.22

Refresh base image

Rebuild the image using a newer base image version. Updating this may result in breaking changes.

Tag	Details	Pushed	Vulnerabilities
8-alpine Newer image for same tag Also known as: 8.4.14-cli-alpine 8.4.14-cli-alpine3.22 8.4-cli-alpine 8.4-cli-alpine3.22 8-cli-alpine 8-cli-alpine3.22 cli-alpine alpine alpine3.22 8.4.14-alpine 8.4.14-alpine3.22 8-alpine3.22	Benefits: Same OS detected Minor runtime version update Newer image for same tag Tag was pushed more recently Image has similar size Image introduces no new vulnerability but removes 5 Image contains equal number of packages 8-alpine was pulled 1.6K times last month Image details: Size: 41 MB Flavor: alpine OS: 3.22 Runtime: 8.4.14	1 day ago

Change base image

✅ There are no tag recommendations at this time.

[github-actions]

Outdated

🔍 Vulnerabilities of wayofdev/php-dev:latest

📦 Image Reference wayofdev/php-dev:latest

digest	sha256:f3854f995b4b14c24d053408b76c43abbdfe29a2e88fdb0771fbc24842ff2062
vulnerabilities
platform	linux/amd64
size	113 MB
packages	249

📦 Base Image php:74ac207bc0116b73c198b79097c2361bd6912313efa113924e020d0c351b6e34

also known as	8.3-alpine 8.3-alpine3.22 8.3-cli-alpine 8.3-cli-alpine3.22 8.3.26-alpine 8.3.26-alpine3.22 8.3.26-cli-alpine 8.3.26-cli-alpine3.22
digest	sha256:990340d4a014d0090ec564f95d4fdca42b3cbeeaf8b9f0ac9105c1707cff72aa
vulnerabilities

golang.org/x/crypto 0.17.0 (golang) pkg:golang/golang.org/x/crypto@0.17.0 Improper Authorization Affected range <0.31.0 Fixed version 0.31.0 CVSS Score 9.1 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N EPSS Score 47.048% EPSS Percentile 98th percentile Description Applications and libraries which misuse the ServerConfig.PublicKeyCallback callback may be susceptible to an authorization bypass. The documentation for ServerConfig.PublicKeyCallback says that "A call to this function does not guarantee that the key offered is in fact used to authenticate." Specifically, the SSH protocol allows clients to inquire about whether a public key is acceptable before proving control of the corresponding private key. PublicKeyCallback may be called with multiple keys, and the order in which the keys were provided cannot be used to infer which key the client successfully authenticated with, if any. Some applications, which store the key(s) passed to PublicKeyCallback (or derived information) and make security relevant determinations based on it once the connection is established, may make incorrect assumptions. For example, an attacker may send public keys A and B, and then authenticate with A. PublicKeyCallback would be called only twice, first with A and then with B. A vulnerable application may then make authorization decisions based on key B for which the attacker does not actually control the private key. Since this API is widely misused, as a partial mitigation golang.org/x/crypto@v0.31.0 enforces the property that, when successfully authenticating via public key, the last key passed to ServerConfig.PublicKeyCallback will be the key used to authenticate the connection. PublicKeyCallback will now be called multiple times with the same key, if necessary. Note that the client may still not control the last key passed to PublicKeyCallback if the connection is then authenticated with a different method, such as PasswordCallback, KeyboardInteractiveCallback, or NoClientAuth. Users should be using the Extensions field of the Permissions return value from the various authentication callbacks to record data associated with the authentication attempt instead of referencing external state. Once the connection is established the state corresponding to the successful authentication attempt can be retrieved via the ServerConn.Permissions field. Note that some third-party libraries misuse the Permissions type by sharing it across authentication attempts; users of third-party libraries should refer to the relevant projects for guidance. Affected range <0.35.0 Fixed version 0.35.0 EPSS Score 0.242% EPSS Percentile 47th percentile Description SSH servers which implement file transfer protocols are vulnerable to a denial of service attack from clients which complete the key exchange slowly, or not at all, causing pending content to be read into memory, but never transmitted.

[github-actions]

Outdated

🔍 Vulnerabilities of wayofdev/php-dev:latest

📦 Image Reference wayofdev/php-dev:latest

digest	sha256:5ee06ea16a66ccb3dbddca56e2c147498758754017e1229437faf274795c03aa
vulnerabilities
platform	linux/amd64
size	132 MB
packages	284

📦 Base Image php:8.2-alpine

also known as	8.2-alpine3.22 8.2-cli-alpine 8.2-cli-alpine3.22 8.2.29-alpine 8.2.29-alpine3.22 8.2.29-cli-alpine 8.2.29-cli-alpine3.22 df7d2aca7d453249829e16923877c821823065f32a24e0eb2c66e7a12fd7b54b
digest	sha256:8c201df34c610be6d54a158ac62310c15b7370bfb3777508188c07513787caa0
vulnerabilities

golang.org/x/crypto 0.17.0 (golang) pkg:golang/golang.org/x/crypto@0.17.0 Improper Authorization Affected range <0.31.0 Fixed version 0.31.0 CVSS Score 9.1 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N EPSS Score 47.048% EPSS Percentile 98th percentile Description Applications and libraries which misuse the ServerConfig.PublicKeyCallback callback may be susceptible to an authorization bypass. The documentation for ServerConfig.PublicKeyCallback says that "A call to this function does not guarantee that the key offered is in fact used to authenticate." Specifically, the SSH protocol allows clients to inquire about whether a public key is acceptable before proving control of the corresponding private key. PublicKeyCallback may be called with multiple keys, and the order in which the keys were provided cannot be used to infer which key the client successfully authenticated with, if any. Some applications, which store the key(s) passed to PublicKeyCallback (or derived information) and make security relevant determinations based on it once the connection is established, may make incorrect assumptions. For example, an attacker may send public keys A and B, and then authenticate with A. PublicKeyCallback would be called only twice, first with A and then with B. A vulnerable application may then make authorization decisions based on key B for which the attacker does not actually control the private key. Since this API is widely misused, as a partial mitigation golang.org/x/crypto@v0.31.0 enforces the property that, when successfully authenticating via public key, the last key passed to ServerConfig.PublicKeyCallback will be the key used to authenticate the connection. PublicKeyCallback will now be called multiple times with the same key, if necessary. Note that the client may still not control the last key passed to PublicKeyCallback if the connection is then authenticated with a different method, such as PasswordCallback, KeyboardInteractiveCallback, or NoClientAuth. Users should be using the Extensions field of the Permissions return value from the various authentication callbacks to record data associated with the authentication attempt instead of referencing external state. Once the connection is established the state corresponding to the successful authentication attempt can be retrieved via the ServerConn.Permissions field. Note that some third-party libraries misuse the Permissions type by sharing it across authentication attempts; users of third-party libraries should refer to the relevant projects for guidance. Affected range <0.35.0 Fixed version 0.35.0 EPSS Score 0.242% EPSS Percentile 47th percentile Description SSH servers which implement file transfer protocols are vulnerable to a denial of service attack from clients which complete the key exchange slowly, or not at all, causing pending content to be read into memory, but never transmitted.

[github-actions]

Outdated

Recommended fixes for image wayofdev/php-dev:latest

Base image is php:8.2-alpine

Name	8.2.29-alpine3.22
Digest	sha256:8c201df34c610be6d54a158ac62310c15b7370bfb3777508188c07513787caa0
Vulnerabilities
Pushed	2 months ago
Size	37 MB
Packages	60
Flavor	alpine
OS	3.22
Runtime	8.2.29

The base image is also available under the supported tag(s): 8.2-alpine3.22, 8.2-cli-alpine, 8.2-cli-alpine3.22, 8.2.29-alpine, 8.2.29-alpine3.22, 8.2.29-cli-alpine, 8.2.29-cli-alpine3.22

Refresh base image

Rebuild the image using a newer base image version. Updating this may result in breaking changes.

✅ This image version is up to date.

Change base image

Tag	Details	Pushed	Vulnerabilities
8.4.14-alpine Minor runtime version update Also known as: 8.4.14-cli-alpine 8.4.14-cli-alpine3.22 8.4-cli-alpine 8.4-cli-alpine3.22 8-cli-alpine 8-cli-alpine3.22 cli-alpine alpine alpine3.22 8.4.14-alpine3.22 8-alpine 8-alpine3.22	Benefits: Same OS detected Minor runtime version update Tag was pushed more recently Image has similar size Image introduces no new vulnerability but removes 5 Image contains equal number of packages Image details: Size: 41 MB Flavor: alpine OS: 3.22 Runtime: 8.4.14	1 day ago
8.4-alpine Minor runtime version update Also known as: cli-alpine3.22 8.4-alpine3.22	Benefits: Same OS detected Minor runtime version update Tag was pushed more recently Image has similar size Image has same number of vulnerabilities Image contains equal number of packages Image details: Size: 41 MB Flavor: alpine OS: 3.22 Runtime: 8.4	4 weeks ago
8.3-alpine Minor runtime version update Also known as: 8.3.27-cli-alpine 8.3.27-cli-alpine3.22 8.3-cli-alpine 8.3-cli-alpine3.22 8.3.27-alpine 8.3.27-alpine3.22 8.3-alpine3.22	Benefits: Same OS detected Minor runtime version update Tag was pushed more recently Image has similar size Image introduces no new vulnerability but removes 5 Image contains equal number of packages Image details: Size: 37 MB Flavor: alpine OS: 3.22 Runtime: 8.3.27	1 day ago

[github-actions]

Outdated

Recommended fixes for image wayofdev/php-dev:latest

Base image is php:8.3-alpine

Name	8.3.26-alpine3.22
Digest	sha256:990340d4a014d0090ec564f95d4fdca42b3cbeeaf8b9f0ac9105c1707cff72aa
Vulnerabilities
Pushed	4 weeks ago
Size	37 MB
Packages	60
Flavor	alpine
OS	3.22
Runtime	8.3.26

The base image is also available under the supported tag(s): 8.3-alpine3.22, 8.3-cli-alpine, 8.3-cli-alpine3.22

Refresh base image

Rebuild the image using a newer base image version. Updating this may result in breaking changes.

Tag	Details	Pushed	Vulnerabilities
8.3-alpine Newer image for same tag Also known as: 8.3.27-cli-alpine 8.3.27-cli-alpine3.22 8.3-cli-alpine 8.3-cli-alpine3.22 8.3.27-alpine 8.3.27-alpine3.22 8.3-alpine3.22	Benefits: Patch runtime version update Same OS detected Newer image for same tag Tag was pushed more recently Image has similar size Image introduces no new vulnerability but removes 5 Image contains equal number of packages Image details: Size: 37 MB Flavor: alpine OS: 3.22 Runtime: 8.3.27	1 day ago

Change base image

Tag	Details	Pushed	Vulnerabilities
8.4.14-alpine Minor runtime version update Also known as: 8.4.14-cli-alpine 8.4.14-cli-alpine3.22 8.4-cli-alpine 8.4-cli-alpine3.22 8-cli-alpine 8-cli-alpine3.22 cli-alpine alpine alpine3.22 8.4.14-alpine3.22 8-alpine 8-alpine3.22	Benefits: Same OS detected Minor runtime version update Tag was pushed more recently Image has similar size Image introduces no new vulnerability but removes 5 Image contains equal number of packages Image details: Size: 41 MB Flavor: alpine OS: 3.22 Runtime: 8.4.14	1 day ago
8.4-alpine Minor runtime version update Also known as: cli-alpine3.22 8.4-alpine3.22	Benefits: Same OS detected Minor runtime version update Image has similar size Image has same number of vulnerabilities Image contains equal number of packages Image details: Size: 41 MB Flavor: alpine OS: 3.22 Runtime: 8.4	4 weeks ago

[github-actions]

Outdated

🔍 Vulnerabilities of wayofdev/php-dev:latest

📦 Image Reference wayofdev/php-dev:latest

digest	sha256:4489ab33f4f931cf978067cf635261cdc57a2f5fbe83964818dcf4239e6edcd4
vulnerabilities
platform	linux/amd64
size	136 MB
packages	284

📦 Base Image php:8-alpine

also known as	8-alpine3.22 8-cli-alpine 8-cli-alpine3.22 8.4-alpine 8.4-alpine3.22 8.4-cli-alpine 8.4-cli-alpine3.22 8.4.13-alpine 8.4.13-alpine3.22 8.4.13-cli-alpine 8.4.13-cli-alpine3.22 alpine alpine3.22 cli-alpine cli-alpine3.22 fccdb165b72cc548a2b0efc5655b3307e7eea6db96216a117a60e80fae4ed828
digest	sha256:7312bec7f935c80133ef7028fbf6d82d312be50fb833aa7f7fee0d405996352b
vulnerabilities

golang.org/x/crypto 0.17.0 (golang) pkg:golang/golang.org/x/crypto@0.17.0 Improper Authorization Affected range <0.31.0 Fixed version 0.31.0 CVSS Score 9.1 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N EPSS Score 47.048% EPSS Percentile 98th percentile Description Applications and libraries which misuse the ServerConfig.PublicKeyCallback callback may be susceptible to an authorization bypass. The documentation for ServerConfig.PublicKeyCallback says that "A call to this function does not guarantee that the key offered is in fact used to authenticate." Specifically, the SSH protocol allows clients to inquire about whether a public key is acceptable before proving control of the corresponding private key. PublicKeyCallback may be called with multiple keys, and the order in which the keys were provided cannot be used to infer which key the client successfully authenticated with, if any. Some applications, which store the key(s) passed to PublicKeyCallback (or derived information) and make security relevant determinations based on it once the connection is established, may make incorrect assumptions. For example, an attacker may send public keys A and B, and then authenticate with A. PublicKeyCallback would be called only twice, first with A and then with B. A vulnerable application may then make authorization decisions based on key B for which the attacker does not actually control the private key. Since this API is widely misused, as a partial mitigation golang.org/x/crypto@v0.31.0 enforces the property that, when successfully authenticating via public key, the last key passed to ServerConfig.PublicKeyCallback will be the key used to authenticate the connection. PublicKeyCallback will now be called multiple times with the same key, if necessary. Note that the client may still not control the last key passed to PublicKeyCallback if the connection is then authenticated with a different method, such as PasswordCallback, KeyboardInteractiveCallback, or NoClientAuth. Users should be using the Extensions field of the Permissions return value from the various authentication callbacks to record data associated with the authentication attempt instead of referencing external state. Once the connection is established the state corresponding to the successful authentication attempt can be retrieved via the ServerConn.Permissions field. Note that some third-party libraries misuse the Permissions type by sharing it across authentication attempts; users of third-party libraries should refer to the relevant projects for guidance. Affected range <0.35.0 Fixed version 0.35.0 EPSS Score 0.242% EPSS Percentile 47th percentile Description SSH servers which implement file transfer protocols are vulnerable to a denial of service attack from clients which complete the key exchange slowly, or not at all, causing pending content to be read into memory, but never transmitted.

[github-actions]

Outdated

Recommended fixes for image wayofdev/php-dev:latest

Base image is php:8-alpine

Name	8.4.13-alpine3.22
Digest	sha256:7312bec7f935c80133ef7028fbf6d82d312be50fb833aa7f7fee0d405996352b
Vulnerabilities
Pushed	4 weeks ago
Size	41 MB
Packages	60
Flavor	alpine
OS	3.22
Runtime	8.4.13

The base image is also available under the supported tag(s): 8-alpine3.22, 8-cli-alpine, 8-cli-alpine3.22, 8.4-alpine, 8.4-alpine3.22, 8.4-cli-alpine, 8.4-cli-alpine3.22, alpine, alpine3.22, cli-alpine, cli-alpine3.22

Refresh base image

Rebuild the image using a newer base image version. Updating this may result in breaking changes.

Tag	Details	Pushed	Vulnerabilities
8-alpine Newer image for same tag Also known as: 8.4.14-cli-alpine 8.4.14-cli-alpine3.22 8.4-cli-alpine 8.4-cli-alpine3.22 8-cli-alpine 8-cli-alpine3.22 cli-alpine alpine alpine3.22 8.4.14-alpine 8.4.14-alpine3.22 8-alpine3.22	Benefits: Same OS detected Minor runtime version update Newer image for same tag Tag was pushed more recently Image has similar size Image introduces no new vulnerability but removes 5 Image contains equal number of packages 8-alpine was pulled 1.6K times last month Image details: Size: 41 MB Flavor: alpine OS: 3.22 Runtime: 8.4.14	1 day ago

Change base image

✅ There are no tag recommendations at this time.

[github-actions]

Outdated

🔍 Vulnerabilities of wayofdev/php-dev:latest

📦 Image Reference wayofdev/php-dev:latest

digest	sha256:a2e83709f7a622f5a4f6612ddeb9b5256867289e361bd6027ada161a11686ca9
vulnerabilities
platform	linux/amd64
size	109 MB
packages	247

📦 Base Image php:8.1-alpine

also known as	8.1-alpine3.21 8.1-cli-alpine 8.1-cli-alpine3.21 8.1.33-alpine 8.1.33-alpine3.21 8.1.33-cli-alpine 8.1.33-cli-alpine3.21 aeda52007687158f88915a60b395065c946a772587552d11e8e49511924585c9
digest	sha256:b2694ec936f57efe2633da0a83e055af8e7ccf4a08274fb299396c8a2fa12285
vulnerabilities

golang.org/x/crypto 0.17.0 (golang) pkg:golang/golang.org/x/crypto@0.17.0 Improper Authorization Affected range <0.31.0 Fixed version 0.31.0 CVSS Score 9.1 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N EPSS Score 47.048% EPSS Percentile 98th percentile Description Applications and libraries which misuse the ServerConfig.PublicKeyCallback callback may be susceptible to an authorization bypass. The documentation for ServerConfig.PublicKeyCallback says that "A call to this function does not guarantee that the key offered is in fact used to authenticate." Specifically, the SSH protocol allows clients to inquire about whether a public key is acceptable before proving control of the corresponding private key. PublicKeyCallback may be called with multiple keys, and the order in which the keys were provided cannot be used to infer which key the client successfully authenticated with, if any. Some applications, which store the key(s) passed to PublicKeyCallback (or derived information) and make security relevant determinations based on it once the connection is established, may make incorrect assumptions. For example, an attacker may send public keys A and B, and then authenticate with A. PublicKeyCallback would be called only twice, first with A and then with B. A vulnerable application may then make authorization decisions based on key B for which the attacker does not actually control the private key. Since this API is widely misused, as a partial mitigation golang.org/x/crypto@v0.31.0 enforces the property that, when successfully authenticating via public key, the last key passed to ServerConfig.PublicKeyCallback will be the key used to authenticate the connection. PublicKeyCallback will now be called multiple times with the same key, if necessary. Note that the client may still not control the last key passed to PublicKeyCallback if the connection is then authenticated with a different method, such as PasswordCallback, KeyboardInteractiveCallback, or NoClientAuth. Users should be using the Extensions field of the Permissions return value from the various authentication callbacks to record data associated with the authentication attempt instead of referencing external state. Once the connection is established the state corresponding to the successful authentication attempt can be retrieved via the ServerConn.Permissions field. Note that some third-party libraries misuse the Permissions type by sharing it across authentication attempts; users of third-party libraries should refer to the relevant projects for guidance. Affected range <0.35.0 Fixed version 0.35.0 EPSS Score 0.242% EPSS Percentile 47th percentile Description SSH servers which implement file transfer protocols are vulnerable to a denial of service attack from clients which complete the key exchange slowly, or not at all, causing pending content to be read into memory, but never transmitted.

[github-actions]

Outdated

🔍 Vulnerabilities of wayofdev/php-dev:latest

📦 Image Reference wayofdev/php-dev:latest

digest	sha256:4554a2ce7e7f270b4575e22b1ef1d897a4fed961e66405f766f7063f4cba47ad
vulnerabilities
platform	linux/amd64
size	132 MB
packages	284

📦 Base Image php:74ac207bc0116b73c198b79097c2361bd6912313efa113924e020d0c351b6e34

also known as	8.3-alpine 8.3-alpine3.22 8.3-cli-alpine 8.3-cli-alpine3.22 8.3.26-alpine 8.3.26-alpine3.22 8.3.26-cli-alpine 8.3.26-cli-alpine3.22
digest	sha256:990340d4a014d0090ec564f95d4fdca42b3cbeeaf8b9f0ac9105c1707cff72aa
vulnerabilities

golang.org/x/crypto 0.17.0 (golang) pkg:golang/golang.org/x/crypto@0.17.0 Improper Authorization Affected range <0.31.0 Fixed version 0.31.0 CVSS Score 9.1 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N EPSS Score 47.048% EPSS Percentile 98th percentile Description Applications and libraries which misuse the ServerConfig.PublicKeyCallback callback may be susceptible to an authorization bypass. The documentation for ServerConfig.PublicKeyCallback says that "A call to this function does not guarantee that the key offered is in fact used to authenticate." Specifically, the SSH protocol allows clients to inquire about whether a public key is acceptable before proving control of the corresponding private key. PublicKeyCallback may be called with multiple keys, and the order in which the keys were provided cannot be used to infer which key the client successfully authenticated with, if any. Some applications, which store the key(s) passed to PublicKeyCallback (or derived information) and make security relevant determinations based on it once the connection is established, may make incorrect assumptions. For example, an attacker may send public keys A and B, and then authenticate with A. PublicKeyCallback would be called only twice, first with A and then with B. A vulnerable application may then make authorization decisions based on key B for which the attacker does not actually control the private key. Since this API is widely misused, as a partial mitigation golang.org/x/crypto@v0.31.0 enforces the property that, when successfully authenticating via public key, the last key passed to ServerConfig.PublicKeyCallback will be the key used to authenticate the connection. PublicKeyCallback will now be called multiple times with the same key, if necessary. Note that the client may still not control the last key passed to PublicKeyCallback if the connection is then authenticated with a different method, such as PasswordCallback, KeyboardInteractiveCallback, or NoClientAuth. Users should be using the Extensions field of the Permissions return value from the various authentication callbacks to record data associated with the authentication attempt instead of referencing external state. Once the connection is established the state corresponding to the successful authentication attempt can be retrieved via the ServerConn.Permissions field. Note that some third-party libraries misuse the Permissions type by sharing it across authentication attempts; users of third-party libraries should refer to the relevant projects for guidance. Affected range <0.35.0 Fixed version 0.35.0 EPSS Score 0.242% EPSS Percentile 47th percentile Description SSH servers which implement file transfer protocols are vulnerable to a denial of service attack from clients which complete the key exchange slowly, or not at all, causing pending content to be read into memory, but never transmitted.

[github-actions]

Outdated

Recommended fixes for image wayofdev/php-dev:latest

Base image is php:8.1-alpine

Name	8.1.33-alpine3.21
Digest	sha256:b2694ec936f57efe2633da0a83e055af8e7ccf4a08274fb299396c8a2fa12285
Vulnerabilities
Pushed	2 months ago
Size	36 MB
Packages	59
Flavor	alpine
OS	3.21
Runtime	8.1.33

The base image is also available under the supported tag(s): 8.1-alpine3.21, 8.1-cli-alpine, 8.1-cli-alpine3.21, 8.1.33-alpine, 8.1.33-alpine3.21, 8.1.33-cli-alpine, 8.1.33-cli-alpine3.21

Refresh base image

Rebuild the image using a newer base image version. Updating this may result in breaking changes.

✅ This image version is up to date.

Change base image

Tag	Details	Pushed	Vulnerabilities
8.1-alpine3.22 Patch runtime version update Also known as: 8.1.33-cli-alpine3.22 8.1-cli-alpine3.22 8.1.33-alpine3.22	Benefits: Patch runtime version update Same OS detected Image has similar size Image has same number of vulnerabilities Image contains similar number of packages Image details: Size: 36 MB Flavor: alpine OS: 3.22 Runtime: 8.1.33	2 months ago
8.4.14-alpine Minor runtime version update Also known as: 8.4.14-cli-alpine 8.4.14-cli-alpine3.22 8.4-cli-alpine 8.4-cli-alpine3.22 8-cli-alpine 8-cli-alpine3.22 cli-alpine alpine alpine3.22 8.4.14-alpine3.22 8-alpine 8-alpine3.22	Benefits: Same OS detected Minor runtime version update Tag was pushed more recently Image has similar size Image introduces no new vulnerability but removes 5 Image contains similar number of packages Image details: Size: 41 MB Flavor: alpine OS: 3.22 Runtime: 8.4.14	1 day ago
8.4.14-alpine3.21 Minor runtime version update Also known as: 8.4.14-cli-alpine3.21 8.4-cli-alpine3.21 8-cli-alpine3.21 alpine3.21 8-alpine3.21	Benefits: Same OS detected Minor runtime version update Tag was pushed more recently Image has similar size Image introduces no new vulnerability but removes 5 Image contains equal number of packages Image details: Size: 41 MB Flavor: alpine OS: 3.21 Runtime: 8.4.14	1 day ago
8.4-alpine Minor runtime version update Also known as: cli-alpine3.22 8.4-alpine3.22	Benefits: Same OS detected Minor runtime version update Tag was pushed more recently Image has similar size Image has same number of vulnerabilities Image contains similar number of packages Image details: Size: 41 MB Flavor: alpine OS: 3.22 Runtime: 8.4	4 weeks ago
8.4-alpine3.21 Minor runtime version update Also known as: cli-alpine3.21	Benefits: Same OS detected Minor runtime version update Tag was pushed more recently Image has similar size Image has same number of vulnerabilities Image contains equal number of packages Image details: Size: 41 MB Flavor: alpine OS: 3.21 Runtime: 8.4	4 weeks ago
8.3-alpine Minor runtime version update Also known as: 8.3.27-cli-alpine 8.3.27-cli-alpine3.22 8.3-cli-alpine 8.3-cli-alpine3.22 8.3.27-alpine 8.3.27-alpine3.22 8.3-alpine3.22	Benefits: Same OS detected Minor runtime version update Tag was pushed more recently Image has similar size Image introduces no new vulnerability but removes 5 Image contains similar number of packages Image details: Size: 37 MB Flavor: alpine OS: 3.22 Runtime: 8.3.27	1 day ago
8.3-alpine3.21 Minor runtime version update Also known as: 8.3.27-cli-alpine3.21 8.3-cli-alpine3.21 8.3.27-alpine3.21	Benefits: Same OS detected Minor runtime version update Tag was pushed more recently Image has similar size Image introduces no new vulnerability but removes 5 Image contains equal number of packages Image details: Size: 37 MB Flavor: alpine OS: 3.21 Runtime: 8.3.27	1 day ago
8.2-alpine Minor runtime version update Also known as: 8.2.29-cli-alpine 8.2.29-cli-alpine3.22 8.2-cli-alpine 8.2-cli-alpine3.22 8.2.29-alpine 8.2.29-alpine3.22 8.2-alpine3.22	Benefits: Same OS detected Minor runtime version update Image has similar size Image has same number of vulnerabilities Image contains similar number of packages 8.2-alpine was pulled 1.8K times last month Image details: Size: 37 MB Flavor: alpine OS: 3.22 Runtime: 8.2.29	2 months ago
8.2-alpine3.21 Minor runtime version update Also known as: 8.2.29-cli-alpine3.21 8.2-cli-alpine3.21 8.2.29-alpine3.21	Benefits: Same OS detected Minor runtime version update Image has similar size Image has same number of vulnerabilities Image contains equal number of packages Image details: Size: 36 MB Flavor: alpine OS: 3.21 Runtime: 8.2.29	2 months ago

[github-actions]

Outdated

Recommended fixes for image wayofdev/php-dev:latest

Base image is php:8.3-alpine

Name	8.3.26-alpine3.22
Digest	sha256:990340d4a014d0090ec564f95d4fdca42b3cbeeaf8b9f0ac9105c1707cff72aa
Vulnerabilities
Pushed	4 weeks ago
Size	37 MB
Packages	60
Flavor	alpine
OS	3.22
Runtime	8.3.26

The base image is also available under the supported tag(s): 8.3-alpine3.22, 8.3-cli-alpine, 8.3-cli-alpine3.22

Refresh base image

Rebuild the image using a newer base image version. Updating this may result in breaking changes.

Tag	Details	Pushed	Vulnerabilities
8.3-alpine Newer image for same tag Also known as: 8.3.27-cli-alpine 8.3.27-cli-alpine3.22 8.3-cli-alpine 8.3-cli-alpine3.22 8.3.27-alpine 8.3.27-alpine3.22 8.3-alpine3.22	Benefits: Patch runtime version update Same OS detected Newer image for same tag Tag was pushed more recently Image has similar size Image introduces no new vulnerability but removes 5 Image contains equal number of packages Image details: Size: 37 MB Flavor: alpine OS: 3.22 Runtime: 8.3.27	1 day ago

Change base image

Tag	Details	Pushed	Vulnerabilities
8.4.14-alpine Minor runtime version update Also known as: 8.4.14-cli-alpine 8.4.14-cli-alpine3.22 8.4-cli-alpine 8.4-cli-alpine3.22 8-cli-alpine 8-cli-alpine3.22 cli-alpine alpine alpine3.22 8.4.14-alpine3.22 8-alpine 8-alpine3.22	Benefits: Same OS detected Minor runtime version update Tag was pushed more recently Image has similar size Image introduces no new vulnerability but removes 5 Image contains equal number of packages Image details: Size: 41 MB Flavor: alpine OS: 3.22 Runtime: 8.4.14	1 day ago
8.4-alpine Minor runtime version update Also known as: cli-alpine3.22 8.4-alpine3.22	Benefits: Same OS detected Minor runtime version update Image has similar size Image has same number of vulnerabilities Image contains equal number of packages Image details: Size: 41 MB Flavor: alpine OS: 3.22 Runtime: 8.4	4 weeks ago

[github-actions]

Outdated

🔍 Vulnerabilities of wayofdev/php-dev:latest

📦 Image Reference wayofdev/php-dev:latest

digest	sha256:0d83d840a0d1432d29742f3453bd1c554d68dccd2a487a154245f17929e18269
vulnerabilities
platform	linux/amd64
size	128 MB
packages	265

📦 Base Image php:8.1-alpine

also known as	8.1-alpine3.21 8.1-cli-alpine 8.1-cli-alpine3.21 8.1.33-alpine 8.1.33-alpine3.21 8.1.33-cli-alpine 8.1.33-cli-alpine3.21 aeda52007687158f88915a60b395065c946a772587552d11e8e49511924585c9
digest	sha256:b2694ec936f57efe2633da0a83e055af8e7ccf4a08274fb299396c8a2fa12285
vulnerabilities

golang.org/x/crypto 0.17.0 (golang) pkg:golang/golang.org/x/crypto@0.17.0 Improper Authorization Affected range <0.31.0 Fixed version 0.31.0 CVSS Score 9.1 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N EPSS Score 47.048% EPSS Percentile 98th percentile Description Applications and libraries which misuse the ServerConfig.PublicKeyCallback callback may be susceptible to an authorization bypass. The documentation for ServerConfig.PublicKeyCallback says that "A call to this function does not guarantee that the key offered is in fact used to authenticate." Specifically, the SSH protocol allows clients to inquire about whether a public key is acceptable before proving control of the corresponding private key. PublicKeyCallback may be called with multiple keys, and the order in which the keys were provided cannot be used to infer which key the client successfully authenticated with, if any. Some applications, which store the key(s) passed to PublicKeyCallback (or derived information) and make security relevant determinations based on it once the connection is established, may make incorrect assumptions. For example, an attacker may send public keys A and B, and then authenticate with A. PublicKeyCallback would be called only twice, first with A and then with B. A vulnerable application may then make authorization decisions based on key B for which the attacker does not actually control the private key. Since this API is widely misused, as a partial mitigation golang.org/x/crypto@v0.31.0 enforces the property that, when successfully authenticating via public key, the last key passed to ServerConfig.PublicKeyCallback will be the key used to authenticate the connection. PublicKeyCallback will now be called multiple times with the same key, if necessary. Note that the client may still not control the last key passed to PublicKeyCallback if the connection is then authenticated with a different method, such as PasswordCallback, KeyboardInteractiveCallback, or NoClientAuth. Users should be using the Extensions field of the Permissions return value from the various authentication callbacks to record data associated with the authentication attempt instead of referencing external state. Once the connection is established the state corresponding to the successful authentication attempt can be retrieved via the ServerConn.Permissions field. Note that some third-party libraries misuse the Permissions type by sharing it across authentication attempts; users of third-party libraries should refer to the relevant projects for guidance. Affected range <0.35.0 Fixed version 0.35.0 EPSS Score 0.242% EPSS Percentile 47th percentile Description SSH servers which implement file transfer protocols are vulnerable to a denial of service attack from clients which complete the key exchange slowly, or not at all, causing pending content to be read into memory, but never transmitted.

setuptools 70.3.0 (pypi) pkg:pypi/setuptools@70.3.0 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') Affected range <78.1.1 Fixed version 78.1.1 CVSS Score 7.7 CVSS Vector CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P EPSS Score 0.077% EPSS Percentile 24th percentile Description Summary A path traversal vulnerability in PackageIndex was fixed in setuptools version 78.1.1 Details def _download_url(self, url, tmpdir): # Determine download filename # name, _fragment = egg_info_for_url(url) if name: while '..' in name: name = name.replace('..', '.').replace('\\', '_') else: name = "__downloaded__" # default if URL has no path contents if name.endswith('.[egg.zip](http://egg.zip/)'): name = name[:-4] # strip the extra .zip before download --> filename = os.path.join(tmpdir, name) Here: https://github.com/pypa/setuptools/blob/6ead555c5fb29bc57fe6105b1bffc163f56fd558/setuptools/package_index.py#L810C1-L825C88 os.path.join() discards the first argument tmpdir if the second begins with a slash or drive letter. name is derived from a URL without sufficient sanitization. While there is some attempt to sanitize by replacing instances of '..' with '.', it is insufficient. Risk Assessment As easy_install and package_index are deprecated, the exploitation surface is reduced. However, it seems this could be exploited in a similar fashion like GHSA-r9hx-vwmv-q579, and as described by POC 4 in GHSA-cx63-2mw6-8hw5 report: via malicious URLs present on the pages of a package index. Impact An attacker would be allowed to write files to arbitrary locations on the filesystem with the permissions of the process running the Python code, which could escalate to RCE depending on the context. References https://huntr.com/bounties/d6362117-ad57-4e83-951f-b8141c6e7ca5 pypa/setuptools#4946

[github-actions]

🔍 Vulnerabilities of wayofdev/php-dev:latest

📦 Image Reference wayofdev/php-dev:latest

digest	sha256:dd5d4d8f826098912c505670a70fd0f4294603103d2eb7b2979791ea383518e2
vulnerabilities
platform	linux/amd64
size	108 MB
packages	250

📦 Base Image php:8.2-fpm-alpine

also known as	8.2-fpm-alpine3.22 8.2.29-fpm-alpine 8.2.29-fpm-alpine3.22 b4744cb64815673d45790b5eafa8eaf53ff99079651a94c25b9c42d388ece840
digest	sha256:f3f076fbd8eeaa1c1df6e657068d0a45df9584f4290d3e8442c04bc60bc5c36d
vulnerabilities

golang.org/x/crypto 0.17.0 (golang) pkg:golang/golang.org/x/crypto@0.17.0 Improper Authorization Affected range <0.31.0 Fixed version 0.31.0 CVSS Score 9.1 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N EPSS Score 47.048% EPSS Percentile 98th percentile Description Applications and libraries which misuse the ServerConfig.PublicKeyCallback callback may be susceptible to an authorization bypass. The documentation for ServerConfig.PublicKeyCallback says that "A call to this function does not guarantee that the key offered is in fact used to authenticate." Specifically, the SSH protocol allows clients to inquire about whether a public key is acceptable before proving control of the corresponding private key. PublicKeyCallback may be called with multiple keys, and the order in which the keys were provided cannot be used to infer which key the client successfully authenticated with, if any. Some applications, which store the key(s) passed to PublicKeyCallback (or derived information) and make security relevant determinations based on it once the connection is established, may make incorrect assumptions. For example, an attacker may send public keys A and B, and then authenticate with A. PublicKeyCallback would be called only twice, first with A and then with B. A vulnerable application may then make authorization decisions based on key B for which the attacker does not actually control the private key. Since this API is widely misused, as a partial mitigation golang.org/x/crypto@v0.31.0 enforces the property that, when successfully authenticating via public key, the last key passed to ServerConfig.PublicKeyCallback will be the key used to authenticate the connection. PublicKeyCallback will now be called multiple times with the same key, if necessary. Note that the client may still not control the last key passed to PublicKeyCallback if the connection is then authenticated with a different method, such as PasswordCallback, KeyboardInteractiveCallback, or NoClientAuth. Users should be using the Extensions field of the Permissions return value from the various authentication callbacks to record data associated with the authentication attempt instead of referencing external state. Once the connection is established the state corresponding to the successful authentication attempt can be retrieved via the ServerConn.Permissions field. Note that some third-party libraries misuse the Permissions type by sharing it across authentication attempts; users of third-party libraries should refer to the relevant projects for guidance. Affected range <0.35.0 Fixed version 0.35.0 EPSS Score 0.242% EPSS Percentile 47th percentile Description SSH servers which implement file transfer protocols are vulnerable to a denial of service attack from clients which complete the key exchange slowly, or not at all, causing pending content to be read into memory, but never transmitted.

[github-actions]

Outdated

Recommended fixes for image wayofdev/php-dev:latest

Base image is php:8.1-alpine

Name	8.1.33-alpine3.21
Digest	sha256:b2694ec936f57efe2633da0a83e055af8e7ccf4a08274fb299396c8a2fa12285
Vulnerabilities
Pushed	2 months ago
Size	36 MB
Packages	59
Flavor	alpine
OS	3.21
Runtime	8.1.33

The base image is also available under the supported tag(s): 8.1-alpine3.21, 8.1-cli-alpine, 8.1-cli-alpine3.21, 8.1.33-alpine, 8.1.33-alpine3.21, 8.1.33-cli-alpine, 8.1.33-cli-alpine3.21

Refresh base image

Rebuild the image using a newer base image version. Updating this may result in breaking changes.

✅ This image version is up to date.

Change base image

Tag	Details	Pushed	Vulnerabilities
8.1-alpine3.22 Patch runtime version update Also known as: 8.1.33-cli-alpine3.22 8.1-cli-alpine3.22 8.1.33-alpine3.22	Benefits: Patch runtime version update Same OS detected Image has similar size Image has same number of vulnerabilities Image contains similar number of packages Image details: Size: 36 MB Flavor: alpine OS: 3.22 Runtime: 8.1.33	2 months ago
8.4.14-alpine Minor runtime version update Also known as: 8.4.14-cli-alpine 8.4.14-cli-alpine3.22 8.4-cli-alpine 8.4-cli-alpine3.22 8-cli-alpine 8-cli-alpine3.22 cli-alpine alpine alpine3.22 8.4.14-alpine3.22 8-alpine 8-alpine3.22	Benefits: Same OS detected Minor runtime version update Tag was pushed more recently Image has similar size Image introduces no new vulnerability but removes 5 Image contains similar number of packages Image details: Size: 41 MB Flavor: alpine OS: 3.22 Runtime: 8.4.14	1 day ago
8.4.14-alpine3.21 Minor runtime version update Also known as: 8.4.14-cli-alpine3.21 8.4-cli-alpine3.21 8-cli-alpine3.21 alpine3.21 8-alpine3.21	Benefits: Same OS detected Minor runtime version update Tag was pushed more recently Image has similar size Image introduces no new vulnerability but removes 5 Image contains equal number of packages Image details: Size: 41 MB Flavor: alpine OS: 3.21 Runtime: 8.4.14	1 day ago
8.4-alpine Minor runtime version update Also known as: cli-alpine3.22 8.4-alpine3.22	Benefits: Same OS detected Minor runtime version update Tag was pushed more recently Image has similar size Image has same number of vulnerabilities Image contains similar number of packages Image details: Size: 41 MB Flavor: alpine OS: 3.22 Runtime: 8.4	4 weeks ago
8.4-alpine3.21 Minor runtime version update Also known as: cli-alpine3.21	Benefits: Same OS detected Minor runtime version update Tag was pushed more recently Image has similar size Image has same number of vulnerabilities Image contains equal number of packages Image details: Size: 41 MB Flavor: alpine OS: 3.21 Runtime: 8.4	4 weeks ago
8.3-alpine Minor runtime version update Also known as: 8.3.27-cli-alpine 8.3.27-cli-alpine3.22 8.3-cli-alpine 8.3-cli-alpine3.22 8.3.27-alpine 8.3.27-alpine3.22 8.3-alpine3.22	Benefits: Same OS detected Minor runtime version update Tag was pushed more recently Image has similar size Image introduces no new vulnerability but removes 5 Image contains similar number of packages Image details: Size: 37 MB Flavor: alpine OS: 3.22 Runtime: 8.3.27	1 day ago
8.3-alpine3.21 Minor runtime version update Also known as: 8.3.27-cli-alpine3.21 8.3-cli-alpine3.21 8.3.27-alpine3.21	Benefits: Same OS detected Minor runtime version update Tag was pushed more recently Image has similar size Image introduces no new vulnerability but removes 5 Image contains equal number of packages Image details: Size: 37 MB Flavor: alpine OS: 3.21 Runtime: 8.3.27	1 day ago
8.2-alpine Minor runtime version update Also known as: 8.2.29-cli-alpine 8.2.29-cli-alpine3.22 8.2-cli-alpine 8.2-cli-alpine3.22 8.2.29-alpine 8.2.29-alpine3.22 8.2-alpine3.22	Benefits: Same OS detected Minor runtime version update Image has similar size Image has same number of vulnerabilities Image contains similar number of packages 8.2-alpine was pulled 1.8K times last month Image details: Size: 37 MB Flavor: alpine OS: 3.22 Runtime: 8.2.29	2 months ago
8.2-alpine3.21 Minor runtime version update Also known as: 8.2.29-cli-alpine3.21 8.2-cli-alpine3.21 8.2.29-alpine3.21	Benefits: Same OS detected Minor runtime version update Image has similar size Image has same number of vulnerabilities Image contains equal number of packages Image details: Size: 36 MB Flavor: alpine OS: 3.21 Runtime: 8.2.29	2 months ago

[github-actions]

Recommended fixes for image wayofdev/php-dev:latest

Base image is php:8.2-fpm-alpine

Name	8.2.29-fpm-alpine3.22
Digest	sha256:f3f076fbd8eeaa1c1df6e657068d0a45df9584f4290d3e8442c04bc60bc5c36d
Vulnerabilities
Pushed	2 months ago
Size	32 MB
Packages	61
Flavor	alpine
OS	3.22
Runtime	8.2.29

The base image is also available under the supported tag(s): 8.2-fpm-alpine3.22, 8.2.29-fpm-alpine, 8.2.29-fpm-alpine3.22

Refresh base image

Rebuild the image using a newer base image version. Updating this may result in breaking changes.

✅ This image version is up to date.

Change base image

Tag	Details	Pushed	Vulnerabilities
8.3-fpm-alpine Minor runtime version update Also known as: 8.3.27-fpm-alpine 8.3.27-fpm-alpine3.22 8.3-fpm-alpine3.22	Benefits: Same OS detected Minor runtime version update Tag was pushed more recently Image has similar size Image introduces no new vulnerability but removes 5 Image contains equal number of packages Image details: Size: 33 MB Flavor: alpine OS: 3.22 Runtime: 8.3.27	1 day ago
8.4-fpm-alpine Image introduces no new vulnerability but removes 5 Also known as: 8.4.14-fpm-alpine 8.4.14-fpm-alpine3.22 8.4-fpm-alpine3.22 8-fpm-alpine 8-fpm-alpine3.22 fpm-alpine fpm-alpine3.22	Benefits: Same OS detected Tag was pushed more recently Image has similar size Image introduces no new vulnerability but removes 5 Image contains equal number of packages Image details: Size: 36 MB Flavor: alpine OS: 3.22	1 day ago