deps(deps): update ansible/ansible-lint action to v25.1.2

[renovate]

This PR contains the following updates:

Package	Type	Update	Change
ansible/ansible-lint	action	patch	v25.1.1 -> v25.1.2

---

Release Notes

ansible/ansible-lint (ansible/ansible-lint)

v25.1.2

Compare Source

Bugfixes

• Require ansible-compat>=25.1.2 (#​4512) @​ssbarnea
• Improve output with broken multiline playbooks (#​4506) @​ssbarnea
• Avoid broken referencing dependency (#​4505) @​ssbarnea
• Clarify partial-become rule description (#​4500) @​alisonlhart
• Allow linter to capture and display initialization warnings (#​4504) @​ssbarnea
• Update ansible-compat to v25.1.1 (#​4499) @​audgirka

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[github-actions]

Outdated

🔍 Vulnerabilities of wayofdev/php-dev:latest

📦 Image Reference wayofdev/php-dev:latest

digest	sha256:1d0c64a0f8c3f1efddc4e6efe13485072c31f262fd0b1f7a69dd172fe94ba427
vulnerabilities
platform	linux/amd64
size	115 MB
packages	231

📦 Base Image php:8-alpine

also known as	8-alpine3.21 8-cli-alpine 8-cli-alpine3.21 8.4-alpine 8.4-alpine3.21 8.4-cli-alpine 8.4-cli-alpine3.21 8.4.3-alpine 8.4.3-alpine3.21 8.4.3-cli-alpine 8.4.3-cli-alpine3.21 81e0beb4d1c873f343c6e1e7d6b85b43904695c5ac664030171c1769358c63f8 alpine alpine3.21 cli-alpine cli-alpine3.21
digest	sha256:170320e6538870c70b6e2c59e0e166e2dbd0c4dda143bdb87a9b145f7c0e57cd
vulnerabilities

golang.org/x/crypto 0.17.0 (golang) pkg:golang/golang.org/x/[email protected] Improper Authorization Affected range <0.31.0 Fixed version 0.31.0 CVSS Score 9.1 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N EPSS Score 0.045% EPSS Percentile 18th percentile Description Applications and libraries which misuse the ServerConfig.PublicKeyCallback callback may be susceptible to an authorization bypass. The documentation for ServerConfig.PublicKeyCallback says that "A call to this function does not guarantee that the key offered is in fact used to authenticate." Specifically, the SSH protocol allows clients to inquire about whether a public key is acceptable before proving control of the corresponding private key. PublicKeyCallback may be called with multiple keys, and the order in which the keys were provided cannot be used to infer which key the client successfully authenticated with, if any. Some applications, which store the key(s) passed to PublicKeyCallback (or derived information) and make security relevant determinations based on it once the connection is established, may make incorrect assumptions. For example, an attacker may send public keys A and B, and then authenticate with A. PublicKeyCallback would be called only twice, first with A and then with B. A vulnerable application may then make authorization decisions based on key B for which the attacker does not actually control the private key. Since this API is widely misused, as a partial mitigation golang.org/x/[email protected] enforces the property that, when successfully authenticating via public key, the last key passed to ServerConfig.PublicKeyCallback will be the key used to authenticate the connection. PublicKeyCallback will now be called multiple times with the same key, if necessary. Note that the client may still not control the last key passed to PublicKeyCallback if the connection is then authenticated with a different method, such as PasswordCallback, KeyboardInteractiveCallback, or NoClientAuth. Users should be using the Extensions field of the Permissions return value from the various authentication callbacks to record data associated with the authentication attempt instead of referencing external state. Once the connection is established the state corresponding to the successful authentication attempt can be retrieved via the ServerConn.Permissions field. Note that some third-party libraries misuse the Permissions type by sharing it across authentication attempts; users of third-party libraries should refer to the relevant projects for guidance.

golang.org/x/net 0.18.0 (golang) pkg:golang/golang.org/x/[email protected] Allocation of Resources Without Limits or Throttling Affected range <0.33.0 Fixed version 0.33.0 CVSS Score 8.7 CVSS Vector CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N EPSS Score 0.045% EPSS Percentile 18th percentile Description An attacker can craft an input to the Parse functions that would be processed non-linearly with respect to its length, resulting in extremely slow parsing. This could cause a denial of service.

[github-actions]

Outdated

🔍 Vulnerabilities of wayofdev/php-dev:latest

📦 Image Reference wayofdev/php-dev:latest

digest	sha256:e42770503c2e9475d778dbd6d6cc145a59159e961af273f5ca85e37d2cf9050f
vulnerabilities
platform	linux/amd64
size	108 MB
packages	231

📦 Base Image php:2b53de2fdc87e38f450a4c42f995704c4bc3bc789f010d1a69a860538f12fe60

also known as	8.1-alpine 8.1-alpine3.21 8.1-cli-alpine 8.1-cli-alpine3.21 8.1.31-alpine 8.1.31-alpine3.21 8.1.31-cli-alpine 8.1.31-cli-alpine3.21
digest	sha256:8ed48e85630b00d7dde300f7c205e502495d8a117a254924bf07f4dcac3df52f
vulnerabilities

golang.org/x/crypto 0.17.0 (golang) pkg:golang/golang.org/x/[email protected] Improper Authorization Affected range <0.31.0 Fixed version 0.31.0 CVSS Score 9.1 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N EPSS Score 0.045% EPSS Percentile 18th percentile Description Applications and libraries which misuse the ServerConfig.PublicKeyCallback callback may be susceptible to an authorization bypass. The documentation for ServerConfig.PublicKeyCallback says that "A call to this function does not guarantee that the key offered is in fact used to authenticate." Specifically, the SSH protocol allows clients to inquire about whether a public key is acceptable before proving control of the corresponding private key. PublicKeyCallback may be called with multiple keys, and the order in which the keys were provided cannot be used to infer which key the client successfully authenticated with, if any. Some applications, which store the key(s) passed to PublicKeyCallback (or derived information) and make security relevant determinations based on it once the connection is established, may make incorrect assumptions. For example, an attacker may send public keys A and B, and then authenticate with A. PublicKeyCallback would be called only twice, first with A and then with B. A vulnerable application may then make authorization decisions based on key B for which the attacker does not actually control the private key. Since this API is widely misused, as a partial mitigation golang.org/x/[email protected] enforces the property that, when successfully authenticating via public key, the last key passed to ServerConfig.PublicKeyCallback will be the key used to authenticate the connection. PublicKeyCallback will now be called multiple times with the same key, if necessary. Note that the client may still not control the last key passed to PublicKeyCallback if the connection is then authenticated with a different method, such as PasswordCallback, KeyboardInteractiveCallback, or NoClientAuth. Users should be using the Extensions field of the Permissions return value from the various authentication callbacks to record data associated with the authentication attempt instead of referencing external state. Once the connection is established the state corresponding to the successful authentication attempt can be retrieved via the ServerConn.Permissions field. Note that some third-party libraries misuse the Permissions type by sharing it across authentication attempts; users of third-party libraries should refer to the relevant projects for guidance.

golang.org/x/net 0.18.0 (golang) pkg:golang/golang.org/x/[email protected] Allocation of Resources Without Limits or Throttling Affected range <0.33.0 Fixed version 0.33.0 CVSS Score 8.7 CVSS Vector CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N EPSS Score 0.045% EPSS Percentile 18th percentile Description An attacker can craft an input to the Parse functions that would be processed non-linearly with respect to its length, resulting in extremely slow parsing. This could cause a denial of service.

[github-actions]

Outdated

🔍 Vulnerabilities of wayofdev/php-dev:latest

📦 Image Reference wayofdev/php-dev:latest

digest	sha256:5e61215696cf7186ce4217001e4b0bdd237885c70f451f8fffe891cca9a10c9b
vulnerabilities
platform	linux/amd64
size	106 MB
packages	232

📦 Base Image php:8.3-fpm-alpine

also known as	8.3-fpm-alpine3.21 8.3.16-fpm-alpine 8.3.16-fpm-alpine3.21
digest	sha256:0b84bd208921ecbda2ce7d2dbd577915963534d10625dd009a715423ea636004
vulnerabilities

golang.org/x/crypto 0.17.0 (golang) pkg:golang/golang.org/x/[email protected] Improper Authorization Affected range <0.31.0 Fixed version 0.31.0 CVSS Score 9.1 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N EPSS Score 0.045% EPSS Percentile 18th percentile Description Applications and libraries which misuse the ServerConfig.PublicKeyCallback callback may be susceptible to an authorization bypass. The documentation for ServerConfig.PublicKeyCallback says that "A call to this function does not guarantee that the key offered is in fact used to authenticate." Specifically, the SSH protocol allows clients to inquire about whether a public key is acceptable before proving control of the corresponding private key. PublicKeyCallback may be called with multiple keys, and the order in which the keys were provided cannot be used to infer which key the client successfully authenticated with, if any. Some applications, which store the key(s) passed to PublicKeyCallback (or derived information) and make security relevant determinations based on it once the connection is established, may make incorrect assumptions. For example, an attacker may send public keys A and B, and then authenticate with A. PublicKeyCallback would be called only twice, first with A and then with B. A vulnerable application may then make authorization decisions based on key B for which the attacker does not actually control the private key. Since this API is widely misused, as a partial mitigation golang.org/x/[email protected] enforces the property that, when successfully authenticating via public key, the last key passed to ServerConfig.PublicKeyCallback will be the key used to authenticate the connection. PublicKeyCallback will now be called multiple times with the same key, if necessary. Note that the client may still not control the last key passed to PublicKeyCallback if the connection is then authenticated with a different method, such as PasswordCallback, KeyboardInteractiveCallback, or NoClientAuth. Users should be using the Extensions field of the Permissions return value from the various authentication callbacks to record data associated with the authentication attempt instead of referencing external state. Once the connection is established the state corresponding to the successful authentication attempt can be retrieved via the ServerConn.Permissions field. Note that some third-party libraries misuse the Permissions type by sharing it across authentication attempts; users of third-party libraries should refer to the relevant projects for guidance.

golang.org/x/net 0.18.0 (golang) pkg:golang/golang.org/x/[email protected] Allocation of Resources Without Limits or Throttling Affected range <0.33.0 Fixed version 0.33.0 CVSS Score 8.7 CVSS Vector CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N EPSS Score 0.045% EPSS Percentile 18th percentile Description An attacker can craft an input to the Parse functions that would be processed non-linearly with respect to its length, resulting in extremely slow parsing. This could cause a denial of service.

[github-actions]

Outdated

🔍 Vulnerabilities of wayofdev/php-dev:latest

📦 Image Reference wayofdev/php-dev:latest

digest	sha256:a6d756f779336c59008abba2ea7719ef647fbd462f9fcb0cd107b6b791d18d0e
vulnerabilities
platform	linux/amd64
size	104 MB
packages	232

📦 Base Image php:8.2-fpm-alpine

also known as	8.2-fpm-alpine3.21 8.2.27-fpm-alpine 8.2.27-fpm-alpine3.21 c109802edd0ed0eeccdfdd58c646e375847bbccbef7110a2cb4638e74af20c59
digest	sha256:76f65a70210d2d9ff8f8e61305049bf0973d00a91a96f9440c8b5b47ee2e93f5
vulnerabilities

golang.org/x/crypto 0.17.0 (golang) pkg:golang/golang.org/x/[email protected] Improper Authorization Affected range <0.31.0 Fixed version 0.31.0 CVSS Score 9.1 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N EPSS Score 0.045% EPSS Percentile 18th percentile Description Applications and libraries which misuse the ServerConfig.PublicKeyCallback callback may be susceptible to an authorization bypass. The documentation for ServerConfig.PublicKeyCallback says that "A call to this function does not guarantee that the key offered is in fact used to authenticate." Specifically, the SSH protocol allows clients to inquire about whether a public key is acceptable before proving control of the corresponding private key. PublicKeyCallback may be called with multiple keys, and the order in which the keys were provided cannot be used to infer which key the client successfully authenticated with, if any. Some applications, which store the key(s) passed to PublicKeyCallback (or derived information) and make security relevant determinations based on it once the connection is established, may make incorrect assumptions. For example, an attacker may send public keys A and B, and then authenticate with A. PublicKeyCallback would be called only twice, first with A and then with B. A vulnerable application may then make authorization decisions based on key B for which the attacker does not actually control the private key. Since this API is widely misused, as a partial mitigation golang.org/x/[email protected] enforces the property that, when successfully authenticating via public key, the last key passed to ServerConfig.PublicKeyCallback will be the key used to authenticate the connection. PublicKeyCallback will now be called multiple times with the same key, if necessary. Note that the client may still not control the last key passed to PublicKeyCallback if the connection is then authenticated with a different method, such as PasswordCallback, KeyboardInteractiveCallback, or NoClientAuth. Users should be using the Extensions field of the Permissions return value from the various authentication callbacks to record data associated with the authentication attempt instead of referencing external state. Once the connection is established the state corresponding to the successful authentication attempt can be retrieved via the ServerConn.Permissions field. Note that some third-party libraries misuse the Permissions type by sharing it across authentication attempts; users of third-party libraries should refer to the relevant projects for guidance.

golang.org/x/net 0.18.0 (golang) pkg:golang/golang.org/x/[email protected] Allocation of Resources Without Limits or Throttling Affected range <0.33.0 Fixed version 0.33.0 CVSS Score 8.7 CVSS Vector CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N EPSS Score 0.045% EPSS Percentile 18th percentile Description An attacker can craft an input to the Parse functions that would be processed non-linearly with respect to its length, resulting in extremely slow parsing. This could cause a denial of service.

[github-actions]

Outdated

Recommended fixes for image wayofdev/php-dev:latest

Base image is php:8-alpine

Name	8.4.3-alpine3.21
Digest	sha256:170320e6538870c70b6e2c59e0e166e2dbd0c4dda143bdb87a9b145f7c0e57cd
Vulnerabilities
Pushed	2 weeks ago
Size	42 MB
Packages	52
Flavor	alpine
OS	3.21
Runtime	8.4.3

The base image is also available under the supported tag(s): 8-alpine3.21, 8-cli-alpine, 8-cli-alpine3.21, 8.4-alpine, 8.4-alpine3.21, 8.4-cli-alpine, 8.4-cli-alpine3.21, 8.4.3-alpine, 8.4.3-alpine3.21, 8.4.3-cli-alpine, 8.4.3-cli-alpine3.21, alpine, alpine3.21, cli-alpine, cli-alpine3.21

Refresh base image

Rebuild the image using a newer base image version. Updating this may result in breaking changes.

✅ This image version is up to date.

Change base image

✅ There are no tag recommendations at this time.

[github-actions]

Outdated

Recommended fixes for image wayofdev/php-dev:latest

Base image is php:8.2-fpm-alpine

Name	8.2.27-fpm-alpine3.21
Digest	sha256:76f65a70210d2d9ff8f8e61305049bf0973d00a91a96f9440c8b5b47ee2e93f5
Vulnerabilities
Pushed	1 month ago
Size	32 MB
Packages	53
Flavor	alpine
OS	3.21
Runtime	8.2.27

The base image is also available under the supported tag(s): 8.2-fpm-alpine3.21, 8.2.27-fpm-alpine, 8.2.27-fpm-alpine3.21

Refresh base image

Rebuild the image using a newer base image version. Updating this may result in breaking changes.

✅ This image version is up to date.

Change base image

Tag	Details	Pushed	Vulnerabilities
8.3-fpm-alpine Minor runtime version update Also known as: 8.3.16-fpm-alpine 8.3.16-fpm-alpine3.21 8.3-fpm-alpine3.21	Benefits: Same OS detected Minor runtime version update Tag was pushed more recently Image has similar size Image has same number of vulnerabilities Image contains equal number of packages Image details: Size: 33 MB Flavor: alpine OS: 3.21 Runtime: 8.3.16	2 weeks ago
8.4-fpm-alpine Image has same number of vulnerabilities Also known as: 8.4.3-fpm-alpine 8.4.3-fpm-alpine3.21 8.4-fpm-alpine3.21 8-fpm-alpine 8-fpm-alpine3.21 fpm-alpine fpm-alpine3.21	Benefits: Same OS detected Tag was pushed more recently Image has similar size Image has same number of vulnerabilities Image contains equal number of packages Image details: Size: 36 MB Flavor: alpine OS: 3.21	2 weeks ago

[github-actions]

Outdated

Recommended fixes for image wayofdev/php-dev:latest

Base image is php:8.1-alpine

Name	8.1.31-alpine3.21
Digest	sha256:8ed48e85630b00d7dde300f7c205e502495d8a117a254924bf07f4dcac3df52f
Vulnerabilities
Pushed	1 month ago
Size	36 MB
Packages	52
Flavor	alpine
OS	3.21
Runtime	8.1.31

The base image is also available under the supported tag(s): 8.1-alpine3.21, 8.1-cli-alpine, 8.1-cli-alpine3.21, 8.1.31-alpine, 8.1.31-alpine3.21, 8.1.31-cli-alpine, 8.1.31-cli-alpine3.21

Refresh base image

Rebuild the image using a newer base image version. Updating this may result in breaking changes.

✅ This image version is up to date.

Change base image

Tag	Details	Pushed	Vulnerabilities
8.4-alpine Minor runtime version update Also known as: 8.4.3-cli-alpine 8.4.3-cli-alpine3.21 8.4-cli-alpine 8.4-cli-alpine3.21 8-cli-alpine 8-cli-alpine3.21 cli-alpine cli-alpine3.21 alpine alpine3.21 8.4.3-alpine 8.4.3-alpine3.21 8.4-alpine3.21 8-alpine 8-alpine3.21	Benefits: Same OS detected Minor runtime version update Tag was pushed more recently Image has similar size Image has same number of vulnerabilities Image contains equal number of packages Image details: Size: 42 MB Flavor: alpine OS: 3.21 Runtime: 8.4.3	2 weeks ago
8.3-alpine Minor runtime version update Also known as: 8.3.16-cli-alpine 8.3.16-cli-alpine3.21 8.3-cli-alpine 8.3-cli-alpine3.21 8.3.16-alpine 8.3.16-alpine3.21 8.3-alpine3.21	Benefits: Same OS detected Minor runtime version update Tag was pushed more recently Image has similar size Image has same number of vulnerabilities Image contains equal number of packages Image details: Size: 37 MB Flavor: alpine OS: 3.21 Runtime: 8.3.16	2 weeks ago
8.2-alpine Minor runtime version update Also known as: 8.2.27-cli-alpine 8.2.27-cli-alpine3.21 8.2-cli-alpine 8.2-cli-alpine3.21 8.2.27-alpine 8.2.27-alpine3.21 8.2-alpine3.21	Benefits: Same OS detected Minor runtime version update Tag was pushed more recently Image has similar size Image has same number of vulnerabilities Image contains equal number of packages 8.2-alpine was pulled 1.8K times last month Image details: Size: 36 MB Flavor: alpine OS: 3.21 Runtime: 8.2.27	1 month ago

[github-actions]

Outdated

Recommended fixes for image wayofdev/php-dev:latest

Base image is php:8.3-fpm-alpine

Name	8.3.16-fpm-alpine3.21
Digest	sha256:0b84bd208921ecbda2ce7d2dbd577915963534d10625dd009a715423ea636004
Vulnerabilities
Pushed	2 weeks ago
Size	33 MB
Packages	53
Flavor	alpine
OS	3.21
Runtime	8.3.16

The base image is also available under the supported tag(s): 8.3-fpm-alpine3.21, 8.3.16-fpm-alpine, 8.3.16-fpm-alpine3.21

Refresh base image

Rebuild the image using a newer base image version. Updating this may result in breaking changes.

✅ This image version is up to date.

Change base image

Tag	Details	Pushed	Vulnerabilities
8.4-fpm-alpine Image has same number of vulnerabilities Also known as: 8.4.3-fpm-alpine 8.4.3-fpm-alpine3.21 8.4-fpm-alpine3.21 8-fpm-alpine 8-fpm-alpine3.21 fpm-alpine fpm-alpine3.21	Benefits: Same OS detected Tag was pushed more recently Image has similar size Image has same number of vulnerabilities Image contains equal number of packages Image details: Size: 36 MB Flavor: alpine OS: 3.21	2 weeks ago

[github-actions]

Outdated

🔍 Vulnerabilities of wayofdev/php-dev:latest

📦 Image Reference wayofdev/php-dev:latest

digest	sha256:56417e7191042a15243d20ac7f6658edb4ea634d1e49775901b40933efee09fc
vulnerabilities
platform	linux/amd64
size	109 MB
packages	231

📦 Base Image php:0f3e69aa84dedd26dfa550ca4d5dad530b2dd71fe8529ba45d7ce8585587f42e

also known as	8.2-alpine 8.2-alpine3.21 8.2-cli-alpine 8.2-cli-alpine3.21 8.2.27-alpine 8.2.27-alpine3.21 8.2.27-cli-alpine 8.2.27-cli-alpine3.21
digest	sha256:39bf59caddad3b212fdd32aff3462885ccdc18e754a9e392e543b4a35effec7c
vulnerabilities

golang.org/x/crypto 0.17.0 (golang) pkg:golang/golang.org/x/[email protected] Improper Authorization Affected range <0.31.0 Fixed version 0.31.0 CVSS Score 9.1 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N EPSS Score 0.045% EPSS Percentile 18th percentile Description Applications and libraries which misuse the ServerConfig.PublicKeyCallback callback may be susceptible to an authorization bypass. The documentation for ServerConfig.PublicKeyCallback says that "A call to this function does not guarantee that the key offered is in fact used to authenticate." Specifically, the SSH protocol allows clients to inquire about whether a public key is acceptable before proving control of the corresponding private key. PublicKeyCallback may be called with multiple keys, and the order in which the keys were provided cannot be used to infer which key the client successfully authenticated with, if any. Some applications, which store the key(s) passed to PublicKeyCallback (or derived information) and make security relevant determinations based on it once the connection is established, may make incorrect assumptions. For example, an attacker may send public keys A and B, and then authenticate with A. PublicKeyCallback would be called only twice, first with A and then with B. A vulnerable application may then make authorization decisions based on key B for which the attacker does not actually control the private key. Since this API is widely misused, as a partial mitigation golang.org/x/[email protected] enforces the property that, when successfully authenticating via public key, the last key passed to ServerConfig.PublicKeyCallback will be the key used to authenticate the connection. PublicKeyCallback will now be called multiple times with the same key, if necessary. Note that the client may still not control the last key passed to PublicKeyCallback if the connection is then authenticated with a different method, such as PasswordCallback, KeyboardInteractiveCallback, or NoClientAuth. Users should be using the Extensions field of the Permissions return value from the various authentication callbacks to record data associated with the authentication attempt instead of referencing external state. Once the connection is established the state corresponding to the successful authentication attempt can be retrieved via the ServerConn.Permissions field. Note that some third-party libraries misuse the Permissions type by sharing it across authentication attempts; users of third-party libraries should refer to the relevant projects for guidance.

golang.org/x/net 0.18.0 (golang) pkg:golang/golang.org/x/[email protected] Allocation of Resources Without Limits or Throttling Affected range <0.33.0 Fixed version 0.33.0 CVSS Score 8.7 CVSS Vector CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N EPSS Score 0.045% EPSS Percentile 18th percentile Description An attacker can craft an input to the Parse functions that would be processed non-linearly with respect to its length, resulting in extremely slow parsing. This could cause a denial of service.

[github-actions]

Outdated

🔍 Vulnerabilities of wayofdev/php-dev:latest

📦 Image Reference wayofdev/php-dev:latest

digest	sha256:ead76830cb286f06382a5968cec64dfe54f24772edd6b1b2744ed44860bfd10b
vulnerabilities
platform	linux/amd64
size	128 MB
packages	249

📦 Base Image php:8.3-alpine

also known as	8.3-alpine3.21 8.3-cli-alpine 8.3-cli-alpine3.21 8.3.16-alpine 8.3.16-alpine3.21 8.3.16-cli-alpine 8.3.16-cli-alpine3.21
digest	sha256:1fe9d473ff87ce87bccb628ec41849a8131ee042b5634555dde842a93d13e41c
vulnerabilities

golang.org/x/crypto 0.17.0 (golang) pkg:golang/golang.org/x/[email protected] Improper Authorization Affected range <0.31.0 Fixed version 0.31.0 CVSS Score 9.1 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N EPSS Score 0.045% EPSS Percentile 18th percentile Description Applications and libraries which misuse the ServerConfig.PublicKeyCallback callback may be susceptible to an authorization bypass. The documentation for ServerConfig.PublicKeyCallback says that "A call to this function does not guarantee that the key offered is in fact used to authenticate." Specifically, the SSH protocol allows clients to inquire about whether a public key is acceptable before proving control of the corresponding private key. PublicKeyCallback may be called with multiple keys, and the order in which the keys were provided cannot be used to infer which key the client successfully authenticated with, if any. Some applications, which store the key(s) passed to PublicKeyCallback (or derived information) and make security relevant determinations based on it once the connection is established, may make incorrect assumptions. For example, an attacker may send public keys A and B, and then authenticate with A. PublicKeyCallback would be called only twice, first with A and then with B. A vulnerable application may then make authorization decisions based on key B for which the attacker does not actually control the private key. Since this API is widely misused, as a partial mitigation golang.org/x/[email protected] enforces the property that, when successfully authenticating via public key, the last key passed to ServerConfig.PublicKeyCallback will be the key used to authenticate the connection. PublicKeyCallback will now be called multiple times with the same key, if necessary. Note that the client may still not control the last key passed to PublicKeyCallback if the connection is then authenticated with a different method, such as PasswordCallback, KeyboardInteractiveCallback, or NoClientAuth. Users should be using the Extensions field of the Permissions return value from the various authentication callbacks to record data associated with the authentication attempt instead of referencing external state. Once the connection is established the state corresponding to the successful authentication attempt can be retrieved via the ServerConn.Permissions field. Note that some third-party libraries misuse the Permissions type by sharing it across authentication attempts; users of third-party libraries should refer to the relevant projects for guidance.

golang.org/x/net 0.18.0 (golang) pkg:golang/golang.org/x/[email protected] Allocation of Resources Without Limits or Throttling Affected range <0.33.0 Fixed version 0.33.0 CVSS Score 8.7 CVSS Vector CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N EPSS Score 0.045% EPSS Percentile 18th percentile Description An attacker can craft an input to the Parse functions that would be processed non-linearly with respect to its length, resulting in extremely slow parsing. This could cause a denial of service.

[github-actions]

Outdated

🔍 Vulnerabilities of wayofdev/php-dev:latest

📦 Image Reference wayofdev/php-dev:latest

digest	sha256:ab32419eb151b998cf8c10bc23a2a30647a00683bb64926d12c5b2b0981f425d
vulnerabilities
platform	linux/amd64
size	109 MB
packages	232

📦 Base Image php:8-fpm-alpine

also known as	8-fpm-alpine3.21 8.4-fpm-alpine 8.4-fpm-alpine3.21 8.4.3-fpm-alpine 8.4.3-fpm-alpine3.21 fpm-alpine fpm-alpine3.21
digest	sha256:233e88a1d9d93ba47555a69ee03b989e5e07d5046a9936008df523aa982bd4b8
vulnerabilities

golang.org/x/crypto 0.17.0 (golang) pkg:golang/golang.org/x/[email protected] Improper Authorization Affected range <0.31.0 Fixed version 0.31.0 CVSS Score 9.1 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N EPSS Score 0.045% EPSS Percentile 18th percentile Description Applications and libraries which misuse the ServerConfig.PublicKeyCallback callback may be susceptible to an authorization bypass. The documentation for ServerConfig.PublicKeyCallback says that "A call to this function does not guarantee that the key offered is in fact used to authenticate." Specifically, the SSH protocol allows clients to inquire about whether a public key is acceptable before proving control of the corresponding private key. PublicKeyCallback may be called with multiple keys, and the order in which the keys were provided cannot be used to infer which key the client successfully authenticated with, if any. Some applications, which store the key(s) passed to PublicKeyCallback (or derived information) and make security relevant determinations based on it once the connection is established, may make incorrect assumptions. For example, an attacker may send public keys A and B, and then authenticate with A. PublicKeyCallback would be called only twice, first with A and then with B. A vulnerable application may then make authorization decisions based on key B for which the attacker does not actually control the private key. Since this API is widely misused, as a partial mitigation golang.org/x/[email protected] enforces the property that, when successfully authenticating via public key, the last key passed to ServerConfig.PublicKeyCallback will be the key used to authenticate the connection. PublicKeyCallback will now be called multiple times with the same key, if necessary. Note that the client may still not control the last key passed to PublicKeyCallback if the connection is then authenticated with a different method, such as PasswordCallback, KeyboardInteractiveCallback, or NoClientAuth. Users should be using the Extensions field of the Permissions return value from the various authentication callbacks to record data associated with the authentication attempt instead of referencing external state. Once the connection is established the state corresponding to the successful authentication attempt can be retrieved via the ServerConn.Permissions field. Note that some third-party libraries misuse the Permissions type by sharing it across authentication attempts; users of third-party libraries should refer to the relevant projects for guidance.

golang.org/x/net 0.18.0 (golang) pkg:golang/golang.org/x/[email protected] Allocation of Resources Without Limits or Throttling Affected range <0.33.0 Fixed version 0.33.0 CVSS Score 8.7 CVSS Vector CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N EPSS Score 0.045% EPSS Percentile 18th percentile Description An attacker can craft an input to the Parse functions that would be processed non-linearly with respect to its length, resulting in extremely slow parsing. This could cause a denial of service.

[github-actions]

Outdated

🔍 Vulnerabilities of wayofdev/php-dev:latest

📦 Image Reference wayofdev/php-dev:latest

digest	sha256:e8ff511cd9ac47aa16e9c30c4f023445a6acf6f99bd83f5d937a61a9b54e05b8
vulnerabilities
platform	linux/amd64
size	127 MB
packages	249

📦 Base Image php:0f3e69aa84dedd26dfa550ca4d5dad530b2dd71fe8529ba45d7ce8585587f42e

also known as	8.2-alpine 8.2-alpine3.21 8.2-cli-alpine 8.2-cli-alpine3.21 8.2.27-alpine 8.2.27-alpine3.21 8.2.27-cli-alpine 8.2.27-cli-alpine3.21
digest	sha256:39bf59caddad3b212fdd32aff3462885ccdc18e754a9e392e543b4a35effec7c
vulnerabilities

golang.org/x/crypto 0.17.0 (golang) pkg:golang/golang.org/x/[email protected] Improper Authorization Affected range <0.31.0 Fixed version 0.31.0 CVSS Score 9.1 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N EPSS Score 0.045% EPSS Percentile 18th percentile Description Applications and libraries which misuse the ServerConfig.PublicKeyCallback callback may be susceptible to an authorization bypass. The documentation for ServerConfig.PublicKeyCallback says that "A call to this function does not guarantee that the key offered is in fact used to authenticate." Specifically, the SSH protocol allows clients to inquire about whether a public key is acceptable before proving control of the corresponding private key. PublicKeyCallback may be called with multiple keys, and the order in which the keys were provided cannot be used to infer which key the client successfully authenticated with, if any. Some applications, which store the key(s) passed to PublicKeyCallback (or derived information) and make security relevant determinations based on it once the connection is established, may make incorrect assumptions. For example, an attacker may send public keys A and B, and then authenticate with A. PublicKeyCallback would be called only twice, first with A and then with B. A vulnerable application may then make authorization decisions based on key B for which the attacker does not actually control the private key. Since this API is widely misused, as a partial mitigation golang.org/x/[email protected] enforces the property that, when successfully authenticating via public key, the last key passed to ServerConfig.PublicKeyCallback will be the key used to authenticate the connection. PublicKeyCallback will now be called multiple times with the same key, if necessary. Note that the client may still not control the last key passed to PublicKeyCallback if the connection is then authenticated with a different method, such as PasswordCallback, KeyboardInteractiveCallback, or NoClientAuth. Users should be using the Extensions field of the Permissions return value from the various authentication callbacks to record data associated with the authentication attempt instead of referencing external state. Once the connection is established the state corresponding to the successful authentication attempt can be retrieved via the ServerConn.Permissions field. Note that some third-party libraries misuse the Permissions type by sharing it across authentication attempts; users of third-party libraries should refer to the relevant projects for guidance.

golang.org/x/net 0.18.0 (golang) pkg:golang/golang.org/x/[email protected] Allocation of Resources Without Limits or Throttling Affected range <0.33.0 Fixed version 0.33.0 CVSS Score 8.7 CVSS Vector CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N EPSS Score 0.045% EPSS Percentile 18th percentile Description An attacker can craft an input to the Parse functions that would be processed non-linearly with respect to its length, resulting in extremely slow parsing. This could cause a denial of service.

[github-actions]

Outdated

Recommended fixes for image wayofdev/php-dev:latest

Base image is php:8.2-alpine

Name	8.2.27-alpine3.21
Digest	sha256:39bf59caddad3b212fdd32aff3462885ccdc18e754a9e392e543b4a35effec7c
Vulnerabilities
Pushed	1 month ago
Size	36 MB
Packages	52
Flavor	alpine
OS	3.21
Runtime	8.2.27

The base image is also available under the supported tag(s): 8.2-alpine3.21, 8.2-cli-alpine, 8.2-cli-alpine3.21, 8.2.27-alpine, 8.2.27-alpine3.21, 8.2.27-cli-alpine, 8.2.27-cli-alpine3.21

Refresh base image

Rebuild the image using a newer base image version. Updating this may result in breaking changes.

✅ This image version is up to date.

Change base image

Tag	Details	Pushed	Vulnerabilities
8.4-alpine Minor runtime version update Also known as: 8.4.3-cli-alpine 8.4.3-cli-alpine3.21 8.4-cli-alpine 8.4-cli-alpine3.21 8-cli-alpine 8-cli-alpine3.21 cli-alpine cli-alpine3.21 alpine alpine3.21 8.4.3-alpine 8.4.3-alpine3.21 8.4-alpine3.21 8-alpine 8-alpine3.21	Benefits: Same OS detected Minor runtime version update Tag was pushed more recently Image has similar size Image has same number of vulnerabilities Image contains equal number of packages Image details: Size: 42 MB Flavor: alpine OS: 3.21 Runtime: 8.4.3	2 weeks ago
8.3-alpine Minor runtime version update Also known as: 8.3.16-cli-alpine 8.3.16-cli-alpine3.21 8.3-cli-alpine 8.3-cli-alpine3.21 8.3.16-alpine 8.3.16-alpine3.21 8.3-alpine3.21	Benefits: Same OS detected Minor runtime version update Tag was pushed more recently Image has similar size Image has same number of vulnerabilities Image contains equal number of packages Image details: Size: 37 MB Flavor: alpine OS: 3.21 Runtime: 8.3.16	2 weeks ago

[github-actions]

Outdated

Recommended fixes for image wayofdev/php-dev:latest

Base image is php:8.3-alpine

Name	8.3.16-alpine3.21
Digest	sha256:1fe9d473ff87ce87bccb628ec41849a8131ee042b5634555dde842a93d13e41c
Vulnerabilities
Pushed	2 weeks ago
Size	37 MB
Packages	52
Flavor	alpine
OS	3.21
Runtime	8.3.16

The base image is also available under the supported tag(s): 8.3-alpine3.21, 8.3-cli-alpine, 8.3-cli-alpine3.21, 8.3.16-alpine, 8.3.16-alpine3.21, 8.3.16-cli-alpine, 8.3.16-cli-alpine3.21

Refresh base image

Rebuild the image using a newer base image version. Updating this may result in breaking changes.

✅ This image version is up to date.

Change base image

Tag	Details	Pushed	Vulnerabilities
8.4-alpine Minor runtime version update Also known as: 8.4.3-cli-alpine 8.4.3-cli-alpine3.21 8.4-cli-alpine 8.4-cli-alpine3.21 8-cli-alpine 8-cli-alpine3.21 cli-alpine cli-alpine3.21 alpine alpine3.21 8.4.3-alpine 8.4.3-alpine3.21 8.4-alpine3.21 8-alpine 8-alpine3.21	Benefits: Same OS detected Minor runtime version update Tag was pushed more recently Image has similar size Image has same number of vulnerabilities Image contains equal number of packages Image details: Size: 42 MB Flavor: alpine OS: 3.21 Runtime: 8.4.3	2 weeks ago

[github-actions]

Outdated

Recommended fixes for image wayofdev/php-dev:latest

Base image is php:8-fpm-alpine

Name	fpm-alpine3.21
Digest	sha256:233e88a1d9d93ba47555a69ee03b989e5e07d5046a9936008df523aa982bd4b8
Vulnerabilities
Pushed	2 weeks ago
Size	36 MB
Packages	53
Flavor	alpine
OS	3.21

The base image is also available under the supported tag(s): 8-fpm-alpine3.21, 8.4-fpm-alpine, 8.4-fpm-alpine3.21, 8.4.3-fpm-alpine, 8.4.3-fpm-alpine3.21, fpm-alpine, fpm-alpine3.21

Refresh base image

Rebuild the image using a newer base image version. Updating this may result in breaking changes.

✅ This image version is up to date.

Change base image

Tag	Details	Pushed	Vulnerabilities
8.3-fpm-alpine Minor runtime version update Also known as: 8.3.16-fpm-alpine 8.3.16-fpm-alpine3.21 8.3-fpm-alpine3.21	Benefits: Same OS detected Minor runtime version update Image is smaller by 3.3 MB Image has same number of vulnerabilities Image contains equal number of packages Image details: Size: 33 MB Flavor: alpine OS: 3.21 Runtime: 8.3.16	2 weeks ago
8.2-fpm-alpine Minor runtime version update Also known as: 8.2.27-fpm-alpine 8.2.27-fpm-alpine3.21 8.2-fpm-alpine3.21	Benefits: Same OS detected Minor runtime version update Image is smaller by 3.9 MB Image has same number of vulnerabilities Image contains equal number of packages 8.2-fpm-alpine was pulled 4.1K times last month Image details: Size: 32 MB Flavor: alpine OS: 3.21 Runtime: 8.2.27	1 month ago
8.1-fpm-alpine Minor runtime version update Also known as: 8.1.31-fpm-alpine 8.1.31-fpm-alpine3.21 8.1-fpm-alpine3.21	Benefits: Same OS detected Minor runtime version update Image is smaller by 4.4 MB Image has same number of vulnerabilities Image contains equal number of packages 8.1-fpm-alpine is the fourth most popular tag with 18K pulls per month Image details: Size: 32 MB Flavor: alpine OS: 3.21 Runtime: 8.1.31	1 month ago

[github-actions]

Outdated

Recommended fixes for image wayofdev/php-dev:latest

Base image is php:8.2-alpine

Name	8.2.27-alpine3.21
Digest	sha256:39bf59caddad3b212fdd32aff3462885ccdc18e754a9e392e543b4a35effec7c
Vulnerabilities
Pushed	1 month ago
Size	36 MB
Packages	52
Flavor	alpine
OS	3.21
Runtime	8.2.27

The base image is also available under the supported tag(s): 8.2-alpine3.21, 8.2-cli-alpine, 8.2-cli-alpine3.21, 8.2.27-alpine, 8.2.27-alpine3.21, 8.2.27-cli-alpine, 8.2.27-cli-alpine3.21

Refresh base image

Rebuild the image using a newer base image version. Updating this may result in breaking changes.

✅ This image version is up to date.

Change base image

Tag	Details	Pushed	Vulnerabilities
8.4-alpine Minor runtime version update Also known as: 8.4.3-cli-alpine 8.4.3-cli-alpine3.21 8.4-cli-alpine 8.4-cli-alpine3.21 8-cli-alpine 8-cli-alpine3.21 cli-alpine cli-alpine3.21 alpine alpine3.21 8.4.3-alpine 8.4.3-alpine3.21 8.4-alpine3.21 8-alpine 8-alpine3.21	Benefits: Same OS detected Minor runtime version update Tag was pushed more recently Image has similar size Image has same number of vulnerabilities Image contains equal number of packages Image details: Size: 42 MB Flavor: alpine OS: 3.21 Runtime: 8.4.3	2 weeks ago
8.3-alpine Minor runtime version update Also known as: 8.3.16-cli-alpine 8.3.16-cli-alpine3.21 8.3-cli-alpine 8.3-cli-alpine3.21 8.3.16-alpine 8.3.16-alpine3.21 8.3-alpine3.21	Benefits: Same OS detected Minor runtime version update Tag was pushed more recently Image has similar size Image has same number of vulnerabilities Image contains equal number of packages Image details: Size: 37 MB Flavor: alpine OS: 3.21 Runtime: 8.3.16	2 weeks ago

[github-actions]

Outdated

🔍 Vulnerabilities of wayofdev/php-dev:latest

📦 Image Reference wayofdev/php-dev:latest

digest	sha256:1e72c8f790eb44314c988776ef524326153356681e7a24c7964539e4115c5711
vulnerabilities
platform	linux/amd64
size	110 MB
packages	231

📦 Base Image php:8.3-alpine

also known as	8.3-alpine3.21 8.3-cli-alpine 8.3-cli-alpine3.21 8.3.16-alpine 8.3.16-alpine3.21 8.3.16-cli-alpine 8.3.16-cli-alpine3.21
digest	sha256:1fe9d473ff87ce87bccb628ec41849a8131ee042b5634555dde842a93d13e41c
vulnerabilities

golang.org/x/crypto 0.17.0 (golang) pkg:golang/golang.org/x/[email protected] Improper Authorization Affected range <0.31.0 Fixed version 0.31.0 CVSS Score 9.1 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N EPSS Score 0.045% EPSS Percentile 18th percentile Description Applications and libraries which misuse the ServerConfig.PublicKeyCallback callback may be susceptible to an authorization bypass. The documentation for ServerConfig.PublicKeyCallback says that "A call to this function does not guarantee that the key offered is in fact used to authenticate." Specifically, the SSH protocol allows clients to inquire about whether a public key is acceptable before proving control of the corresponding private key. PublicKeyCallback may be called with multiple keys, and the order in which the keys were provided cannot be used to infer which key the client successfully authenticated with, if any. Some applications, which store the key(s) passed to PublicKeyCallback (or derived information) and make security relevant determinations based on it once the connection is established, may make incorrect assumptions. For example, an attacker may send public keys A and B, and then authenticate with A. PublicKeyCallback would be called only twice, first with A and then with B. A vulnerable application may then make authorization decisions based on key B for which the attacker does not actually control the private key. Since this API is widely misused, as a partial mitigation golang.org/x/[email protected] enforces the property that, when successfully authenticating via public key, the last key passed to ServerConfig.PublicKeyCallback will be the key used to authenticate the connection. PublicKeyCallback will now be called multiple times with the same key, if necessary. Note that the client may still not control the last key passed to PublicKeyCallback if the connection is then authenticated with a different method, such as PasswordCallback, KeyboardInteractiveCallback, or NoClientAuth. Users should be using the Extensions field of the Permissions return value from the various authentication callbacks to record data associated with the authentication attempt instead of referencing external state. Once the connection is established the state corresponding to the successful authentication attempt can be retrieved via the ServerConn.Permissions field. Note that some third-party libraries misuse the Permissions type by sharing it across authentication attempts; users of third-party libraries should refer to the relevant projects for guidance.

golang.org/x/net 0.18.0 (golang) pkg:golang/golang.org/x/[email protected] Allocation of Resources Without Limits or Throttling Affected range <0.33.0 Fixed version 0.33.0 CVSS Score 8.7 CVSS Vector CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N EPSS Score 0.045% EPSS Percentile 18th percentile Description An attacker can craft an input to the Parse functions that would be processed non-linearly with respect to its length, resulting in extremely slow parsing. This could cause a denial of service.

[github-actions]

Outdated

🔍 Vulnerabilities of wayofdev/php-dev:latest

📦 Image Reference wayofdev/php-dev:latest

digest	sha256:85164a481b2dd73015380cef8b3f870d0ceae957a61c3c8e48ec763d0102b034
vulnerabilities
platform	linux/amd64
size	104 MB
packages	232

📦 Base Image php:54b5ff554357a1100058bcce13b21851a693ca1636d4d8dae493079075d47ba0

also known as	8.1-fpm-alpine 8.1-fpm-alpine3.21 8.1.31-fpm-alpine 8.1.31-fpm-alpine3.21
digest	sha256:845dccbc2cf56631ba4f1d800eeb7d6a797efdae00a5e1c78b898cd67db26f48
vulnerabilities

golang.org/x/crypto 0.17.0 (golang) pkg:golang/golang.org/x/[email protected] Improper Authorization Affected range <0.31.0 Fixed version 0.31.0 CVSS Score 9.1 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N EPSS Score 0.045% EPSS Percentile 18th percentile Description Applications and libraries which misuse the ServerConfig.PublicKeyCallback callback may be susceptible to an authorization bypass. The documentation for ServerConfig.PublicKeyCallback says that "A call to this function does not guarantee that the key offered is in fact used to authenticate." Specifically, the SSH protocol allows clients to inquire about whether a public key is acceptable before proving control of the corresponding private key. PublicKeyCallback may be called with multiple keys, and the order in which the keys were provided cannot be used to infer which key the client successfully authenticated with, if any. Some applications, which store the key(s) passed to PublicKeyCallback (or derived information) and make security relevant determinations based on it once the connection is established, may make incorrect assumptions. For example, an attacker may send public keys A and B, and then authenticate with A. PublicKeyCallback would be called only twice, first with A and then with B. A vulnerable application may then make authorization decisions based on key B for which the attacker does not actually control the private key. Since this API is widely misused, as a partial mitigation golang.org/x/[email protected] enforces the property that, when successfully authenticating via public key, the last key passed to ServerConfig.PublicKeyCallback will be the key used to authenticate the connection. PublicKeyCallback will now be called multiple times with the same key, if necessary. Note that the client may still not control the last key passed to PublicKeyCallback if the connection is then authenticated with a different method, such as PasswordCallback, KeyboardInteractiveCallback, or NoClientAuth. Users should be using the Extensions field of the Permissions return value from the various authentication callbacks to record data associated with the authentication attempt instead of referencing external state. Once the connection is established the state corresponding to the successful authentication attempt can be retrieved via the ServerConn.Permissions field. Note that some third-party libraries misuse the Permissions type by sharing it across authentication attempts; users of third-party libraries should refer to the relevant projects for guidance.

golang.org/x/net 0.18.0 (golang) pkg:golang/golang.org/x/[email protected] Allocation of Resources Without Limits or Throttling Affected range <0.33.0 Fixed version 0.33.0 CVSS Score 8.7 CVSS Vector CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N EPSS Score 0.045% EPSS Percentile 18th percentile Description An attacker can craft an input to the Parse functions that would be processed non-linearly with respect to its length, resulting in extremely slow parsing. This could cause a denial of service.

[github-actions]

Outdated

Recommended fixes for image wayofdev/php-dev:latest

Base image is php:8.3-alpine

Name	8.3.16-alpine3.21
Digest	sha256:1fe9d473ff87ce87bccb628ec41849a8131ee042b5634555dde842a93d13e41c
Vulnerabilities
Pushed	2 weeks ago
Size	37 MB
Packages	52
Flavor	alpine
OS	3.21
Runtime	8.3.16

The base image is also available under the supported tag(s): 8.3-alpine3.21, 8.3-cli-alpine, 8.3-cli-alpine3.21, 8.3.16-alpine, 8.3.16-alpine3.21, 8.3.16-cli-alpine, 8.3.16-cli-alpine3.21

Refresh base image

Rebuild the image using a newer base image version. Updating this may result in breaking changes.

✅ This image version is up to date.

Change base image

Tag	Details	Pushed	Vulnerabilities
8.4-alpine Minor runtime version update Also known as: 8.4.3-cli-alpine 8.4.3-cli-alpine3.21 8.4-cli-alpine 8.4-cli-alpine3.21 8-cli-alpine 8-cli-alpine3.21 cli-alpine cli-alpine3.21 alpine alpine3.21 8.4.3-alpine 8.4.3-alpine3.21 8.4-alpine3.21 8-alpine 8-alpine3.21	Benefits: Same OS detected Minor runtime version update Tag was pushed more recently Image has similar size Image has same number of vulnerabilities Image contains equal number of packages Image details: Size: 42 MB Flavor: alpine OS: 3.21 Runtime: 8.4.3	2 weeks ago

[github-actions]

Outdated

Recommended fixes for image wayofdev/php-dev:latest

Base image is php:8.1-fpm-alpine

Name	8.1.31-fpm-alpine3.21
Digest	sha256:845dccbc2cf56631ba4f1d800eeb7d6a797efdae00a5e1c78b898cd67db26f48
Vulnerabilities
Pushed	1 month ago
Size	32 MB
Packages	53
Flavor	alpine
OS	3.21
Runtime	8.1.31

The base image is also available under the supported tag(s): 8.1-fpm-alpine3.21, 8.1.31-fpm-alpine, 8.1.31-fpm-alpine3.21

Refresh base image

Rebuild the image using a newer base image version. Updating this may result in breaking changes.

✅ This image version is up to date.

Change base image

Tag	Details	Pushed	Vulnerabilities
8.3-fpm-alpine Minor runtime version update Also known as: 8.3.16-fpm-alpine 8.3.16-fpm-alpine3.21 8.3-fpm-alpine3.21	Benefits: Same OS detected Minor runtime version update Tag was pushed more recently Image has similar size Image has same number of vulnerabilities Image contains equal number of packages Image details: Size: 33 MB Flavor: alpine OS: 3.21 Runtime: 8.3.16	2 weeks ago
8.2-fpm-alpine Minor runtime version update Also known as: 8.2.27-fpm-alpine 8.2.27-fpm-alpine3.21 8.2-fpm-alpine3.21	Benefits: Same OS detected Minor runtime version update Tag was pushed more recently Image has similar size Image has same number of vulnerabilities Image contains equal number of packages 8.2-fpm-alpine was pulled 4.1K times last month Image details: Size: 32 MB Flavor: alpine OS: 3.21 Runtime: 8.2.27	1 month ago
8.4-fpm-alpine Image has same number of vulnerabilities Also known as: 8.4.3-fpm-alpine 8.4.3-fpm-alpine3.21 8.4-fpm-alpine3.21 8-fpm-alpine 8-fpm-alpine3.21 fpm-alpine fpm-alpine3.21	Benefits: Same OS detected Tag was pushed more recently Image has similar size Image has same number of vulnerabilities Image contains equal number of packages Image details: Size: 36 MB Flavor: alpine OS: 3.21	2 weeks ago

[github-actions]

🔍 Vulnerabilities of wayofdev/php-dev:latest

📦 Image Reference wayofdev/php-dev:latest

digest	sha256:ab61d60af2e5cba41d0f8ad3a76f695cd8fe3f4730bbdcc1dd62bef4c7deedf4
vulnerabilities
platform	linux/amd64
size	126 MB
packages	249

📦 Base Image php:2b53de2fdc87e38f450a4c42f995704c4bc3bc789f010d1a69a860538f12fe60

also known as	8.1-alpine 8.1-alpine3.21 8.1-cli-alpine 8.1-cli-alpine3.21 8.1.31-alpine 8.1.31-alpine3.21 8.1.31-cli-alpine 8.1.31-cli-alpine3.21
digest	sha256:8ed48e85630b00d7dde300f7c205e502495d8a117a254924bf07f4dcac3df52f
vulnerabilities

golang.org/x/crypto 0.17.0 (golang) pkg:golang/golang.org/x/[email protected] Improper Authorization Affected range <0.31.0 Fixed version 0.31.0 CVSS Score 9.1 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N EPSS Score 0.045% EPSS Percentile 18th percentile Description Applications and libraries which misuse the ServerConfig.PublicKeyCallback callback may be susceptible to an authorization bypass. The documentation for ServerConfig.PublicKeyCallback says that "A call to this function does not guarantee that the key offered is in fact used to authenticate." Specifically, the SSH protocol allows clients to inquire about whether a public key is acceptable before proving control of the corresponding private key. PublicKeyCallback may be called with multiple keys, and the order in which the keys were provided cannot be used to infer which key the client successfully authenticated with, if any. Some applications, which store the key(s) passed to PublicKeyCallback (or derived information) and make security relevant determinations based on it once the connection is established, may make incorrect assumptions. For example, an attacker may send public keys A and B, and then authenticate with A. PublicKeyCallback would be called only twice, first with A and then with B. A vulnerable application may then make authorization decisions based on key B for which the attacker does not actually control the private key. Since this API is widely misused, as a partial mitigation golang.org/x/[email protected] enforces the property that, when successfully authenticating via public key, the last key passed to ServerConfig.PublicKeyCallback will be the key used to authenticate the connection. PublicKeyCallback will now be called multiple times with the same key, if necessary. Note that the client may still not control the last key passed to PublicKeyCallback if the connection is then authenticated with a different method, such as PasswordCallback, KeyboardInteractiveCallback, or NoClientAuth. Users should be using the Extensions field of the Permissions return value from the various authentication callbacks to record data associated with the authentication attempt instead of referencing external state. Once the connection is established the state corresponding to the successful authentication attempt can be retrieved via the ServerConn.Permissions field. Note that some third-party libraries misuse the Permissions type by sharing it across authentication attempts; users of third-party libraries should refer to the relevant projects for guidance.

golang.org/x/net 0.18.0 (golang) pkg:golang/golang.org/x/[email protected] Allocation of Resources Without Limits or Throttling Affected range <0.33.0 Fixed version 0.33.0 CVSS Score 8.7 CVSS Vector CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N EPSS Score 0.045% EPSS Percentile 18th percentile Description An attacker can craft an input to the Parse functions that would be processed non-linearly with respect to its length, resulting in extremely slow parsing. This could cause a denial of service.

[github-actions]

🔍 Vulnerabilities of wayofdev/php-dev:latest

📦 Image Reference wayofdev/php-dev:latest

digest	sha256:4ae54fba0d8ec96c48ee570df63b64f22c6f694fa7f08f3dc6d6707a14f29968
vulnerabilities
platform	linux/amd64
size	134 MB
packages	249

📦 Base Image php:8-alpine

also known as	8-alpine3.21 8-cli-alpine 8-cli-alpine3.21 8.4-alpine 8.4-alpine3.21 8.4-cli-alpine 8.4-cli-alpine3.21 8.4.3-alpine 8.4.3-alpine3.21 8.4.3-cli-alpine 8.4.3-cli-alpine3.21 81e0beb4d1c873f343c6e1e7d6b85b43904695c5ac664030171c1769358c63f8 alpine alpine3.21 cli-alpine cli-alpine3.21
digest	sha256:170320e6538870c70b6e2c59e0e166e2dbd0c4dda143bdb87a9b145f7c0e57cd
vulnerabilities

golang.org/x/crypto 0.17.0 (golang) pkg:golang/golang.org/x/[email protected] Improper Authorization Affected range <0.31.0 Fixed version 0.31.0 CVSS Score 9.1 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N EPSS Score 0.045% EPSS Percentile 18th percentile Description Applications and libraries which misuse the ServerConfig.PublicKeyCallback callback may be susceptible to an authorization bypass. The documentation for ServerConfig.PublicKeyCallback says that "A call to this function does not guarantee that the key offered is in fact used to authenticate." Specifically, the SSH protocol allows clients to inquire about whether a public key is acceptable before proving control of the corresponding private key. PublicKeyCallback may be called with multiple keys, and the order in which the keys were provided cannot be used to infer which key the client successfully authenticated with, if any. Some applications, which store the key(s) passed to PublicKeyCallback (or derived information) and make security relevant determinations based on it once the connection is established, may make incorrect assumptions. For example, an attacker may send public keys A and B, and then authenticate with A. PublicKeyCallback would be called only twice, first with A and then with B. A vulnerable application may then make authorization decisions based on key B for which the attacker does not actually control the private key. Since this API is widely misused, as a partial mitigation golang.org/x/[email protected] enforces the property that, when successfully authenticating via public key, the last key passed to ServerConfig.PublicKeyCallback will be the key used to authenticate the connection. PublicKeyCallback will now be called multiple times with the same key, if necessary. Note that the client may still not control the last key passed to PublicKeyCallback if the connection is then authenticated with a different method, such as PasswordCallback, KeyboardInteractiveCallback, or NoClientAuth. Users should be using the Extensions field of the Permissions return value from the various authentication callbacks to record data associated with the authentication attempt instead of referencing external state. Once the connection is established the state corresponding to the successful authentication attempt can be retrieved via the ServerConn.Permissions field. Note that some third-party libraries misuse the Permissions type by sharing it across authentication attempts; users of third-party libraries should refer to the relevant projects for guidance.

golang.org/x/net 0.18.0 (golang) pkg:golang/golang.org/x/[email protected] Allocation of Resources Without Limits or Throttling Affected range <0.33.0 Fixed version 0.33.0 CVSS Score 8.7 CVSS Vector CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N EPSS Score 0.045% EPSS Percentile 18th percentile Description An attacker can craft an input to the Parse functions that would be processed non-linearly with respect to its length, resulting in extremely slow parsing. This could cause a denial of service.

[github-actions]

Recommended fixes for image wayofdev/php-dev:latest

Base image is php:8-alpine

Name	8.4.3-alpine3.21
Digest	sha256:170320e6538870c70b6e2c59e0e166e2dbd0c4dda143bdb87a9b145f7c0e57cd
Vulnerabilities
Pushed	2 weeks ago
Size	42 MB
Packages	52
Flavor	alpine
OS	3.21
Runtime	8.4.3

The base image is also available under the supported tag(s): 8-alpine3.21, 8-cli-alpine, 8-cli-alpine3.21, 8.4-alpine, 8.4-alpine3.21, 8.4-cli-alpine, 8.4-cli-alpine3.21, 8.4.3-alpine, 8.4.3-alpine3.21, 8.4.3-cli-alpine, 8.4.3-cli-alpine3.21, alpine, alpine3.21, cli-alpine, cli-alpine3.21

Refresh base image

Rebuild the image using a newer base image version. Updating this may result in breaking changes.

✅ This image version is up to date.

Change base image

✅ There are no tag recommendations at this time.

[github-actions]

Recommended fixes for image wayofdev/php-dev:latest

Base image is php:8.1-alpine

Name	8.1.31-alpine3.21
Digest	sha256:8ed48e85630b00d7dde300f7c205e502495d8a117a254924bf07f4dcac3df52f
Vulnerabilities
Pushed	1 month ago
Size	36 MB
Packages	52
Flavor	alpine
OS	3.21
Runtime	8.1.31

The base image is also available under the supported tag(s): 8.1-alpine3.21, 8.1-cli-alpine, 8.1-cli-alpine3.21, 8.1.31-alpine, 8.1.31-alpine3.21, 8.1.31-cli-alpine, 8.1.31-cli-alpine3.21

Refresh base image

Rebuild the image using a newer base image version. Updating this may result in breaking changes.

✅ This image version is up to date.

Change base image

Tag	Details	Pushed	Vulnerabilities
8.4-alpine Minor runtime version update Also known as: 8.4.3-cli-alpine 8.4.3-cli-alpine3.21 8.4-cli-alpine 8.4-cli-alpine3.21 8-cli-alpine 8-cli-alpine3.21 cli-alpine cli-alpine3.21 alpine alpine3.21 8.4.3-alpine 8.4.3-alpine3.21 8.4-alpine3.21 8-alpine 8-alpine3.21	Benefits: Same OS detected Minor runtime version update Tag was pushed more recently Image has similar size Image has same number of vulnerabilities Image contains equal number of packages Image details: Size: 42 MB Flavor: alpine OS: 3.21 Runtime: 8.4.3	2 weeks ago
8.3-alpine Minor runtime version update Also known as: 8.3.16-cli-alpine 8.3.16-cli-alpine3.21 8.3-cli-alpine 8.3-cli-alpine3.21 8.3.16-alpine 8.3.16-alpine3.21 8.3-alpine3.21	Benefits: Same OS detected Minor runtime version update Tag was pushed more recently Image has similar size Image has same number of vulnerabilities Image contains equal number of packages Image details: Size: 37 MB Flavor: alpine OS: 3.21 Runtime: 8.3.16	2 weeks ago
8.2-alpine Minor runtime version update Also known as: 8.2.27-cli-alpine 8.2.27-cli-alpine3.21 8.2-cli-alpine 8.2-cli-alpine3.21 8.2.27-alpine 8.2.27-alpine3.21 8.2-alpine3.21	Benefits: Same OS detected Minor runtime version update Tag was pushed more recently Image has similar size Image has same number of vulnerabilities Image contains equal number of packages 8.2-alpine was pulled 1.8K times last month Image details: Size: 36 MB Flavor: alpine OS: 3.21 Runtime: 8.2.27	1 month ago