deps(deps): update github artifact actions (major)

[renovate]

This PR contains the following updates:

Package	Type	Update	Change
actions/download-artifact	action	major	v4 -> v6
actions/upload-artifact	action	major	v4 -> v5

---

Release Notes

actions/download-artifact (actions/download-artifact)

v6

Compare Source

v5

Compare Source

actions/upload-artifact (actions/upload-artifact)

v5

Compare Source

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[github-actions]

Outdated

🔍 Vulnerabilities of wayofdev/php-dev:latest

📦 Image Reference wayofdev/php-dev:latest

digest	sha256:72b7dfa62ae0d07a69ff1d58aa983104f0c33897033d38c17ff051c98b8f9512
vulnerabilities
platform	linux/amd64
size	109 MB
packages	247

📦 Base Image php:8.1-alpine

also known as	8.1-alpine3.21 8.1-cli-alpine 8.1-cli-alpine3.21 8.1.33-alpine 8.1.33-alpine3.21 8.1.33-cli-alpine 8.1.33-cli-alpine3.21 84499e7665570bbef8ca20d15c642d8d9485a887d6be7a8b335ca33b5d3126f0
digest	sha256:6ed5103426b2c742dcc4721afa9864e7faaedcbb84c92410762d0c5162a8bdb2
vulnerabilities

golang.org/x/crypto 0.17.0 (golang) pkg:golang/golang.org/x/[email protected] Improper Authorization Affected range <0.31.0 Fixed version 0.31.0 CVSS Score 9.1 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N EPSS Score 38.497% EPSS Percentile 97th percentile Description Applications and libraries which misuse the ServerConfig.PublicKeyCallback callback may be susceptible to an authorization bypass. The documentation for ServerConfig.PublicKeyCallback says that "A call to this function does not guarantee that the key offered is in fact used to authenticate." Specifically, the SSH protocol allows clients to inquire about whether a public key is acceptable before proving control of the corresponding private key. PublicKeyCallback may be called with multiple keys, and the order in which the keys were provided cannot be used to infer which key the client successfully authenticated with, if any. Some applications, which store the key(s) passed to PublicKeyCallback (or derived information) and make security relevant determinations based on it once the connection is established, may make incorrect assumptions. For example, an attacker may send public keys A and B, and then authenticate with A. PublicKeyCallback would be called only twice, first with A and then with B. A vulnerable application may then make authorization decisions based on key B for which the attacker does not actually control the private key. Since this API is widely misused, as a partial mitigation golang.org/x/[email protected] enforces the property that, when successfully authenticating via public key, the last key passed to ServerConfig.PublicKeyCallback will be the key used to authenticate the connection. PublicKeyCallback will now be called multiple times with the same key, if necessary. Note that the client may still not control the last key passed to PublicKeyCallback if the connection is then authenticated with a different method, such as PasswordCallback, KeyboardInteractiveCallback, or NoClientAuth. Users should be using the Extensions field of the Permissions return value from the various authentication callbacks to record data associated with the authentication attempt instead of referencing external state. Once the connection is established the state corresponding to the successful authentication attempt can be retrieved via the ServerConn.Permissions field. Note that some third-party libraries misuse the Permissions type by sharing it across authentication attempts; users of third-party libraries should refer to the relevant projects for guidance. Affected range <0.35.0 Fixed version 0.35.0 EPSS Score 0.127% EPSS Percentile 33rd percentile Description SSH servers which implement file transfer protocols are vulnerable to a denial of service attack from clients which complete the key exchange slowly, or not at all, causing pending content to be read into memory, but never transmitted.

[github-actions]

Outdated

🔍 Vulnerabilities of wayofdev/php-dev:latest

📦 Image Reference wayofdev/php-dev:latest

digest	sha256:b763079158741fef7590119484b50f9f5611eb6dc585b41240fd880f9a08f5f9
vulnerabilities
platform	linux/amd64
size	108 MB
packages	250

📦 Base Image php:2bc2a355c610a5ce2f4854d785c740aafe346f652caa7a4960796338a17a0ffe

also known as	8.3-fpm-alpine 8.3-fpm-alpine3.22 8.3.24-fpm-alpine 8.3.24-fpm-alpine3.22
digest	sha256:994a36314a28fed17d2d9d66ff694817dcf51343c7d42e1890ec75b3406a3caf
vulnerabilities

golang.org/x/crypto 0.17.0 (golang) pkg:golang/golang.org/x/[email protected] Improper Authorization Affected range <0.31.0 Fixed version 0.31.0 CVSS Score 9.1 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N EPSS Score 38.497% EPSS Percentile 97th percentile Description Applications and libraries which misuse the ServerConfig.PublicKeyCallback callback may be susceptible to an authorization bypass. The documentation for ServerConfig.PublicKeyCallback says that "A call to this function does not guarantee that the key offered is in fact used to authenticate." Specifically, the SSH protocol allows clients to inquire about whether a public key is acceptable before proving control of the corresponding private key. PublicKeyCallback may be called with multiple keys, and the order in which the keys were provided cannot be used to infer which key the client successfully authenticated with, if any. Some applications, which store the key(s) passed to PublicKeyCallback (or derived information) and make security relevant determinations based on it once the connection is established, may make incorrect assumptions. For example, an attacker may send public keys A and B, and then authenticate with A. PublicKeyCallback would be called only twice, first with A and then with B. A vulnerable application may then make authorization decisions based on key B for which the attacker does not actually control the private key. Since this API is widely misused, as a partial mitigation golang.org/x/[email protected] enforces the property that, when successfully authenticating via public key, the last key passed to ServerConfig.PublicKeyCallback will be the key used to authenticate the connection. PublicKeyCallback will now be called multiple times with the same key, if necessary. Note that the client may still not control the last key passed to PublicKeyCallback if the connection is then authenticated with a different method, such as PasswordCallback, KeyboardInteractiveCallback, or NoClientAuth. Users should be using the Extensions field of the Permissions return value from the various authentication callbacks to record data associated with the authentication attempt instead of referencing external state. Once the connection is established the state corresponding to the successful authentication attempt can be retrieved via the ServerConn.Permissions field. Note that some third-party libraries misuse the Permissions type by sharing it across authentication attempts; users of third-party libraries should refer to the relevant projects for guidance. Affected range <0.35.0 Fixed version 0.35.0 EPSS Score 0.127% EPSS Percentile 33rd percentile Description SSH servers which implement file transfer protocols are vulnerable to a denial of service attack from clients which complete the key exchange slowly, or not at all, causing pending content to be read into memory, but never transmitted.

stdlib 1.24.3 (golang) pkg:golang/[email protected] Affected range >=1.24.0-0 <1.24.4 Fixed version 1.24.4 EPSS Score 0.012% EPSS Percentile 1st percentile Description Calling Verify with a VerifyOptions.KeyUsages that contains ExtKeyUsageAny unintentionally disabledpolicy validation. This only affected certificate chains which contain policy graphs, which are rather uncommon.

[github-actions]

Outdated

🔍 Vulnerabilities of wayofdev/php-dev:latest

📦 Image Reference wayofdev/php-dev:latest

digest	sha256:4cdedf1109da796ce7d8d2b1e9bbb1a22d91e5841e2d7eba836c2824552776b4
vulnerabilities
platform	linux/amd64
size	131 MB
packages	284

📦 Base Image php:8.2-alpine

also known as	8.2-alpine3.22 8.2-cli-alpine 8.2-cli-alpine3.22 8.2.29-alpine 8.2.29-alpine3.22 8.2.29-cli-alpine 8.2.29-cli-alpine3.22 d8f4974194fb8fae35528e5ff3f03ca3566ee2e502f953b7817e0cbefebf8a0d
digest	sha256:cdee2ae021443a0806843448eb174a188d6e6d85377a2e5a9bcd44161001fb8d
vulnerabilities

golang.org/x/crypto 0.17.0 (golang) pkg:golang/golang.org/x/[email protected] Improper Authorization Affected range <0.31.0 Fixed version 0.31.0 CVSS Score 9.1 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N EPSS Score 38.497% EPSS Percentile 97th percentile Description Applications and libraries which misuse the ServerConfig.PublicKeyCallback callback may be susceptible to an authorization bypass. The documentation for ServerConfig.PublicKeyCallback says that "A call to this function does not guarantee that the key offered is in fact used to authenticate." Specifically, the SSH protocol allows clients to inquire about whether a public key is acceptable before proving control of the corresponding private key. PublicKeyCallback may be called with multiple keys, and the order in which the keys were provided cannot be used to infer which key the client successfully authenticated with, if any. Some applications, which store the key(s) passed to PublicKeyCallback (or derived information) and make security relevant determinations based on it once the connection is established, may make incorrect assumptions. For example, an attacker may send public keys A and B, and then authenticate with A. PublicKeyCallback would be called only twice, first with A and then with B. A vulnerable application may then make authorization decisions based on key B for which the attacker does not actually control the private key. Since this API is widely misused, as a partial mitigation golang.org/x/[email protected] enforces the property that, when successfully authenticating via public key, the last key passed to ServerConfig.PublicKeyCallback will be the key used to authenticate the connection. PublicKeyCallback will now be called multiple times with the same key, if necessary. Note that the client may still not control the last key passed to PublicKeyCallback if the connection is then authenticated with a different method, such as PasswordCallback, KeyboardInteractiveCallback, or NoClientAuth. Users should be using the Extensions field of the Permissions return value from the various authentication callbacks to record data associated with the authentication attempt instead of referencing external state. Once the connection is established the state corresponding to the successful authentication attempt can be retrieved via the ServerConn.Permissions field. Note that some third-party libraries misuse the Permissions type by sharing it across authentication attempts; users of third-party libraries should refer to the relevant projects for guidance. Affected range <0.35.0 Fixed version 0.35.0 EPSS Score 0.127% EPSS Percentile 33rd percentile Description SSH servers which implement file transfer protocols are vulnerable to a denial of service attack from clients which complete the key exchange slowly, or not at all, causing pending content to be read into memory, but never transmitted.

stdlib 1.24.3 (golang) pkg:golang/[email protected] Affected range >=1.24.0-0 <1.24.4 Fixed version 1.24.4 EPSS Score 0.012% EPSS Percentile 1st percentile Description Calling Verify with a VerifyOptions.KeyUsages that contains ExtKeyUsageAny unintentionally disabledpolicy validation. This only affected certificate chains which contain policy graphs, which are rather uncommon.

[github-actions]

Outdated

Recommended fixes for image wayofdev/php-dev:latest

Base image is php:8.1-alpine

Name	8.1.33-alpine3.21
Digest	sha256:6ed5103426b2c742dcc4721afa9864e7faaedcbb84c92410762d0c5162a8bdb2
Vulnerabilities
Pushed	5 days ago
Size	36 MB
Packages	59
Flavor	alpine
OS	3.21
Runtime	8.1.33

The base image is also available under the supported tag(s): 8.1-alpine3.21, 8.1-cli-alpine, 8.1-cli-alpine3.21, 8.1.33-alpine, 8.1.33-alpine3.21, 8.1.33-cli-alpine, 8.1.33-cli-alpine3.21

Refresh base image

Rebuild the image using a newer base image version. Updating this may result in breaking changes.

✅ This image version is up to date.

Change base image

Tag	Details	Pushed	Vulnerabilities
8.1-alpine3.22 Patch runtime version update Also known as: 8.1.33-cli-alpine3.22 8.1-cli-alpine3.22 8.1.33-alpine3.22	Benefits: Patch runtime version update Same OS detected Image has similar size Image has same number of vulnerabilities Image contains similar number of packages Image details: Size: 36 MB Flavor: alpine OS: 3.22 Runtime: 8.1.33	5 days ago
8.4-alpine Minor runtime version update Also known as: 8.4.11-cli-alpine 8.4.11-cli-alpine3.22 8.4-cli-alpine 8.4-cli-alpine3.22 8-cli-alpine 8-cli-alpine3.22 cli-alpine cli-alpine3.22 alpine alpine3.22 8.4.11-alpine 8.4.11-alpine3.22 8.4-alpine3.22 8-alpine 8-alpine3.22	Benefits: Same OS detected Minor runtime version update Tag was pushed more recently Image has similar size Image has same number of vulnerabilities Image contains similar number of packages Image details: Size: 42 MB Flavor: alpine OS: 3.22 Runtime: 8.4.11	5 days ago
8.4-alpine3.21 Minor runtime version update Also known as: 8.4.11-cli-alpine3.21 8.4-cli-alpine3.21 8-cli-alpine3.21 cli-alpine3.21 alpine3.21 8.4.11-alpine3.21 8-alpine3.21	Benefits: Same OS detected Minor runtime version update Tag was pushed more recently Image has similar size Image has same number of vulnerabilities Image contains equal number of packages Image details: Size: 42 MB Flavor: alpine OS: 3.21 Runtime: 8.4.11	5 days ago
8.3-alpine Minor runtime version update Also known as: 8.3.24-cli-alpine 8.3.24-cli-alpine3.22 8.3-cli-alpine 8.3-cli-alpine3.22 8.3.24-alpine 8.3.24-alpine3.22 8.3-alpine3.22	Benefits: Same OS detected Minor runtime version update Tag was pushed more recently Image has similar size Image has same number of vulnerabilities Image contains similar number of packages Image details: Size: 37 MB Flavor: alpine OS: 3.22 Runtime: 8.3.24	5 days ago
8.3-alpine3.21 Minor runtime version update Also known as: 8.3.24-cli-alpine3.21 8.3-cli-alpine3.21 8.3.24-alpine3.21	Benefits: Same OS detected Minor runtime version update Tag was pushed more recently Image has similar size Image has same number of vulnerabilities Image contains equal number of packages Image details: Size: 37 MB Flavor: alpine OS: 3.21 Runtime: 8.3.24	5 days ago
8.2-alpine Minor runtime version update Also known as: 8.2.29-cli-alpine 8.2.29-cli-alpine3.22 8.2-cli-alpine 8.2-cli-alpine3.22 8.2.29-alpine 8.2.29-alpine3.22 8.2-alpine3.22	Benefits: Same OS detected Minor runtime version update Image has similar size Image has same number of vulnerabilities Image contains similar number of packages 8.2-alpine was pulled 1.8K times last month Image details: Size: 37 MB Flavor: alpine OS: 3.22 Runtime: 8.2.29	5 days ago
8.2-alpine3.21 Minor runtime version update Also known as: 8.2.29-cli-alpine3.21 8.2-cli-alpine3.21 8.2.29-alpine3.21	Benefits: Same OS detected Minor runtime version update Image has similar size Image has same number of vulnerabilities Image contains equal number of packages Image details: Size: 36 MB Flavor: alpine OS: 3.21 Runtime: 8.2.29	5 days ago

[github-actions]

Outdated

Recommended fixes for image wayofdev/php-dev:latest

Base image is php:8.3-fpm-alpine

Name	8.3.24-fpm-alpine3.22
Digest	sha256:994a36314a28fed17d2d9d66ff694817dcf51343c7d42e1890ec75b3406a3caf
Vulnerabilities
Pushed	5 days ago
Size	33 MB
Packages	61
Flavor	alpine
OS	3.22
Runtime	8.3.24

The base image is also available under the supported tag(s): 8.3-fpm-alpine3.22, 8.3.24-fpm-alpine, 8.3.24-fpm-alpine3.22

Refresh base image

Rebuild the image using a newer base image version. Updating this may result in breaking changes.

✅ This image version is up to date.

Change base image

Tag	Details	Pushed	Vulnerabilities
8.4-fpm-alpine Image has same number of vulnerabilities Also known as: 8.4.11-fpm-alpine 8.4.11-fpm-alpine3.22 8.4-fpm-alpine3.22 8-fpm-alpine 8-fpm-alpine3.22 fpm-alpine fpm-alpine3.22	Benefits: Same OS detected Tag was pushed more recently Image has similar size Image has same number of vulnerabilities Image contains equal number of packages Image details: Size: 37 MB Flavor: alpine OS: 3.22	5 days ago

[github-actions]

Outdated

Recommended fixes for image wayofdev/php-dev:latest

Base image is php:8.2-alpine

Name	8.2.29-alpine3.22
Digest	sha256:cdee2ae021443a0806843448eb174a188d6e6d85377a2e5a9bcd44161001fb8d
Vulnerabilities
Pushed	5 days ago
Size	37 MB
Packages	60
Flavor	alpine
OS	3.22
Runtime	8.2.29

The base image is also available under the supported tag(s): 8.2-alpine3.22, 8.2-cli-alpine, 8.2-cli-alpine3.22, 8.2.29-alpine, 8.2.29-alpine3.22, 8.2.29-cli-alpine, 8.2.29-cli-alpine3.22

Refresh base image

Rebuild the image using a newer base image version. Updating this may result in breaking changes.

✅ This image version is up to date.

Change base image

Tag	Details	Pushed	Vulnerabilities
8.4-alpine Minor runtime version update Also known as: 8.4.11-cli-alpine 8.4.11-cli-alpine3.22 8.4-cli-alpine 8.4-cli-alpine3.22 8-cli-alpine 8-cli-alpine3.22 cli-alpine cli-alpine3.22 alpine alpine3.22 8.4.11-alpine 8.4.11-alpine3.22 8.4-alpine3.22 8-alpine 8-alpine3.22	Benefits: Same OS detected Minor runtime version update Tag was pushed more recently Image has similar size Image has same number of vulnerabilities Image contains equal number of packages Image details: Size: 42 MB Flavor: alpine OS: 3.22 Runtime: 8.4.11	5 days ago
8.3-alpine Minor runtime version update Also known as: 8.3.24-cli-alpine 8.3.24-cli-alpine3.22 8.3-cli-alpine 8.3-cli-alpine3.22 8.3.24-alpine 8.3.24-alpine3.22 8.3-alpine3.22	Benefits: Same OS detected Minor runtime version update Tag was pushed more recently Image has similar size Image has same number of vulnerabilities Image contains equal number of packages Image details: Size: 37 MB Flavor: alpine OS: 3.22 Runtime: 8.3.24	5 days ago

[github-actions]

Outdated

🔍 Vulnerabilities of wayofdev/php-dev:latest

📦 Image Reference wayofdev/php-dev:latest

digest	sha256:c26356f10d91294f1623e4fc0d9bed1968405bb2b5d6a4847d8cbfbd2de68044
vulnerabilities
platform	linux/amd64
size	104 MB
packages	248

📦 Base Image php:8.1-fpm-alpine

also known as	8.1-fpm-alpine3.21 8.1.33-fpm-alpine 8.1.33-fpm-alpine3.21 da3eabe89d0c6c833838e3480d063d65f38577bc37dc976948b9352f3fb3d2fb
digest	sha256:4268ab6c629f48d1f77ff76b70355c1f384d95028c301d7a9d07a5f1644d4072
vulnerabilities

golang.org/x/crypto 0.17.0 (golang) pkg:golang/golang.org/x/[email protected] Improper Authorization Affected range <0.31.0 Fixed version 0.31.0 CVSS Score 9.1 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N EPSS Score 38.497% EPSS Percentile 97th percentile Description Applications and libraries which misuse the ServerConfig.PublicKeyCallback callback may be susceptible to an authorization bypass. The documentation for ServerConfig.PublicKeyCallback says that "A call to this function does not guarantee that the key offered is in fact used to authenticate." Specifically, the SSH protocol allows clients to inquire about whether a public key is acceptable before proving control of the corresponding private key. PublicKeyCallback may be called with multiple keys, and the order in which the keys were provided cannot be used to infer which key the client successfully authenticated with, if any. Some applications, which store the key(s) passed to PublicKeyCallback (or derived information) and make security relevant determinations based on it once the connection is established, may make incorrect assumptions. For example, an attacker may send public keys A and B, and then authenticate with A. PublicKeyCallback would be called only twice, first with A and then with B. A vulnerable application may then make authorization decisions based on key B for which the attacker does not actually control the private key. Since this API is widely misused, as a partial mitigation golang.org/x/[email protected] enforces the property that, when successfully authenticating via public key, the last key passed to ServerConfig.PublicKeyCallback will be the key used to authenticate the connection. PublicKeyCallback will now be called multiple times with the same key, if necessary. Note that the client may still not control the last key passed to PublicKeyCallback if the connection is then authenticated with a different method, such as PasswordCallback, KeyboardInteractiveCallback, or NoClientAuth. Users should be using the Extensions field of the Permissions return value from the various authentication callbacks to record data associated with the authentication attempt instead of referencing external state. Once the connection is established the state corresponding to the successful authentication attempt can be retrieved via the ServerConn.Permissions field. Note that some third-party libraries misuse the Permissions type by sharing it across authentication attempts; users of third-party libraries should refer to the relevant projects for guidance. Affected range <0.35.0 Fixed version 0.35.0 EPSS Score 0.127% EPSS Percentile 33rd percentile Description SSH servers which implement file transfer protocols are vulnerable to a denial of service attack from clients which complete the key exchange slowly, or not at all, causing pending content to be read into memory, but never transmitted.

[github-actions]

Outdated

🔍 Vulnerabilities of wayofdev/php-dev:latest

📦 Image Reference wayofdev/php-dev:latest

digest	sha256:c4d75c09ad7943481a4ab4c2f67db0a1b521c430ea785803b1c1b3b41d108644
vulnerabilities
platform	linux/amd64
size	132 MB
packages	284

📦 Base Image php:8.3-alpine

also known as	8.3-alpine3.22 8.3-cli-alpine 8.3-cli-alpine3.22 8.3.24-alpine 8.3.24-alpine3.22 8.3.24-cli-alpine 8.3.24-cli-alpine3.22 b026e7d2fc6d7801e1af55dc42c7409b2f38d6b42c32494e9276b6ef40a28ee3
digest	sha256:f43a903b3e7fb97ce6ecdc8ab54c4beeebc913c38697740c6e9dd0d69fc37322
vulnerabilities

golang.org/x/crypto 0.17.0 (golang) pkg:golang/golang.org/x/[email protected] Improper Authorization Affected range <0.31.0 Fixed version 0.31.0 CVSS Score 9.1 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N EPSS Score 38.497% EPSS Percentile 97th percentile Description Applications and libraries which misuse the ServerConfig.PublicKeyCallback callback may be susceptible to an authorization bypass. The documentation for ServerConfig.PublicKeyCallback says that "A call to this function does not guarantee that the key offered is in fact used to authenticate." Specifically, the SSH protocol allows clients to inquire about whether a public key is acceptable before proving control of the corresponding private key. PublicKeyCallback may be called with multiple keys, and the order in which the keys were provided cannot be used to infer which key the client successfully authenticated with, if any. Some applications, which store the key(s) passed to PublicKeyCallback (or derived information) and make security relevant determinations based on it once the connection is established, may make incorrect assumptions. For example, an attacker may send public keys A and B, and then authenticate with A. PublicKeyCallback would be called only twice, first with A and then with B. A vulnerable application may then make authorization decisions based on key B for which the attacker does not actually control the private key. Since this API is widely misused, as a partial mitigation golang.org/x/[email protected] enforces the property that, when successfully authenticating via public key, the last key passed to ServerConfig.PublicKeyCallback will be the key used to authenticate the connection. PublicKeyCallback will now be called multiple times with the same key, if necessary. Note that the client may still not control the last key passed to PublicKeyCallback if the connection is then authenticated with a different method, such as PasswordCallback, KeyboardInteractiveCallback, or NoClientAuth. Users should be using the Extensions field of the Permissions return value from the various authentication callbacks to record data associated with the authentication attempt instead of referencing external state. Once the connection is established the state corresponding to the successful authentication attempt can be retrieved via the ServerConn.Permissions field. Note that some third-party libraries misuse the Permissions type by sharing it across authentication attempts; users of third-party libraries should refer to the relevant projects for guidance. Affected range <0.35.0 Fixed version 0.35.0 EPSS Score 0.127% EPSS Percentile 33rd percentile Description SSH servers which implement file transfer protocols are vulnerable to a denial of service attack from clients which complete the key exchange slowly, or not at all, causing pending content to be read into memory, but never transmitted.

stdlib 1.24.3 (golang) pkg:golang/[email protected] Affected range >=1.24.0-0 <1.24.4 Fixed version 1.24.4 EPSS Score 0.012% EPSS Percentile 1st percentile Description Calling Verify with a VerifyOptions.KeyUsages that contains ExtKeyUsageAny unintentionally disabledpolicy validation. This only affected certificate chains which contain policy graphs, which are rather uncommon.

[github-actions]

Outdated

🔍 Vulnerabilities of wayofdev/php-dev:latest

📦 Image Reference wayofdev/php-dev:latest

digest	sha256:b555d8c6ce34bb55ea5cf7a400277d3592f64ec23ebd0f0bda82a303fede23d5
vulnerabilities
platform	linux/amd64
size	127 MB
packages	265

📦 Base Image php:8.1-alpine

also known as	8.1-alpine3.21 8.1-cli-alpine 8.1-cli-alpine3.21 8.1.33-alpine 8.1.33-alpine3.21 8.1.33-cli-alpine 8.1.33-cli-alpine3.21 84499e7665570bbef8ca20d15c642d8d9485a887d6be7a8b335ca33b5d3126f0
digest	sha256:6ed5103426b2c742dcc4721afa9864e7faaedcbb84c92410762d0c5162a8bdb2
vulnerabilities

golang.org/x/crypto 0.17.0 (golang) pkg:golang/golang.org/x/[email protected] Improper Authorization Affected range <0.31.0 Fixed version 0.31.0 CVSS Score 9.1 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N EPSS Score 38.497% EPSS Percentile 97th percentile Description Applications and libraries which misuse the ServerConfig.PublicKeyCallback callback may be susceptible to an authorization bypass. The documentation for ServerConfig.PublicKeyCallback says that "A call to this function does not guarantee that the key offered is in fact used to authenticate." Specifically, the SSH protocol allows clients to inquire about whether a public key is acceptable before proving control of the corresponding private key. PublicKeyCallback may be called with multiple keys, and the order in which the keys were provided cannot be used to infer which key the client successfully authenticated with, if any. Some applications, which store the key(s) passed to PublicKeyCallback (or derived information) and make security relevant determinations based on it once the connection is established, may make incorrect assumptions. For example, an attacker may send public keys A and B, and then authenticate with A. PublicKeyCallback would be called only twice, first with A and then with B. A vulnerable application may then make authorization decisions based on key B for which the attacker does not actually control the private key. Since this API is widely misused, as a partial mitigation golang.org/x/[email protected] enforces the property that, when successfully authenticating via public key, the last key passed to ServerConfig.PublicKeyCallback will be the key used to authenticate the connection. PublicKeyCallback will now be called multiple times with the same key, if necessary. Note that the client may still not control the last key passed to PublicKeyCallback if the connection is then authenticated with a different method, such as PasswordCallback, KeyboardInteractiveCallback, or NoClientAuth. Users should be using the Extensions field of the Permissions return value from the various authentication callbacks to record data associated with the authentication attempt instead of referencing external state. Once the connection is established the state corresponding to the successful authentication attempt can be retrieved via the ServerConn.Permissions field. Note that some third-party libraries misuse the Permissions type by sharing it across authentication attempts; users of third-party libraries should refer to the relevant projects for guidance. Affected range <0.35.0 Fixed version 0.35.0 EPSS Score 0.127% EPSS Percentile 33rd percentile Description SSH servers which implement file transfer protocols are vulnerable to a denial of service attack from clients which complete the key exchange slowly, or not at all, causing pending content to be read into memory, but never transmitted.

setuptools 70.3.0 (pypi) pkg:pypi/[email protected] Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') Affected range <78.1.1 Fixed version 78.1.1 CVSS Score 7.7 CVSS Vector CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P EPSS Score 0.139% EPSS Percentile 35th percentile Description Summary A path traversal vulnerability in PackageIndex was fixed in setuptools version 78.1.1 Details def _download_url(self, url, tmpdir): # Determine download filename # name, _fragment = egg_info_for_url(url) if name: while '..' in name: name = name.replace('..', '.').replace('\\', '_') else: name = "__downloaded__" # default if URL has no path contents if name.endswith('.[egg.zip](http://egg.zip/)'): name = name[:-4] # strip the extra .zip before download --> filename = os.path.join(tmpdir, name) Here: https://github.com/pypa/setuptools/blob/6ead555c5fb29bc57fe6105b1bffc163f56fd558/setuptools/package_index.py#L810C1-L825C88 os.path.join() discards the first argument tmpdir if the second begins with a slash or drive letter. name is derived from a URL without sufficient sanitization. While there is some attempt to sanitize by replacing instances of '..' with '.', it is insufficient. Risk Assessment As easy_install and package_index are deprecated, the exploitation surface is reduced. However, it seems this could be exploited in a similar fashion like GHSA-r9hx-vwmv-q579, and as described by POC 4 in GHSA-cx63-2mw6-8hw5 report: via malicious URLs present on the pages of a package index. Impact An attacker would be allowed to write files to arbitrary locations on the filesystem with the permissions of the process running the Python code, which could escalate to RCE depending on the context. References https://huntr.com/bounties/d6362117-ad57-4e83-951f-b8141c6e7ca5 pypa/setuptools#4946

[github-actions]

Outdated

🔍 Vulnerabilities of wayofdev/php-dev:latest

📦 Image Reference wayofdev/php-dev:latest

digest	sha256:2598ccec405242b4ed03e6c393d04b7d0d29cdeac5028a2351e16c6131158cec
vulnerabilities
platform	linux/amd64
size	108 MB
packages	250

📦 Base Image php:3effc26a4a8524994f6fd9e3c99f564bfdee610687d2d1d455996608118a910f

also known as	8.2-fpm-alpine 8.2-fpm-alpine3.22 8.2.29-fpm-alpine 8.2.29-fpm-alpine3.22
digest	sha256:a992b4453c7ffe21584867dced3a8b82c896603a10bfe3f7ec734729e26fcda5
vulnerabilities

golang.org/x/crypto 0.17.0 (golang) pkg:golang/golang.org/x/[email protected] Improper Authorization Affected range <0.31.0 Fixed version 0.31.0 CVSS Score 9.1 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N EPSS Score 38.497% EPSS Percentile 97th percentile Description Applications and libraries which misuse the ServerConfig.PublicKeyCallback callback may be susceptible to an authorization bypass. The documentation for ServerConfig.PublicKeyCallback says that "A call to this function does not guarantee that the key offered is in fact used to authenticate." Specifically, the SSH protocol allows clients to inquire about whether a public key is acceptable before proving control of the corresponding private key. PublicKeyCallback may be called with multiple keys, and the order in which the keys were provided cannot be used to infer which key the client successfully authenticated with, if any. Some applications, which store the key(s) passed to PublicKeyCallback (or derived information) and make security relevant determinations based on it once the connection is established, may make incorrect assumptions. For example, an attacker may send public keys A and B, and then authenticate with A. PublicKeyCallback would be called only twice, first with A and then with B. A vulnerable application may then make authorization decisions based on key B for which the attacker does not actually control the private key. Since this API is widely misused, as a partial mitigation golang.org/x/[email protected] enforces the property that, when successfully authenticating via public key, the last key passed to ServerConfig.PublicKeyCallback will be the key used to authenticate the connection. PublicKeyCallback will now be called multiple times with the same key, if necessary. Note that the client may still not control the last key passed to PublicKeyCallback if the connection is then authenticated with a different method, such as PasswordCallback, KeyboardInteractiveCallback, or NoClientAuth. Users should be using the Extensions field of the Permissions return value from the various authentication callbacks to record data associated with the authentication attempt instead of referencing external state. Once the connection is established the state corresponding to the successful authentication attempt can be retrieved via the ServerConn.Permissions field. Note that some third-party libraries misuse the Permissions type by sharing it across authentication attempts; users of third-party libraries should refer to the relevant projects for guidance. Affected range <0.35.0 Fixed version 0.35.0 EPSS Score 0.127% EPSS Percentile 33rd percentile Description SSH servers which implement file transfer protocols are vulnerable to a denial of service attack from clients which complete the key exchange slowly, or not at all, causing pending content to be read into memory, but never transmitted.

stdlib 1.24.3 (golang) pkg:golang/[email protected] Affected range >=1.24.0-0 <1.24.4 Fixed version 1.24.4 EPSS Score 0.012% EPSS Percentile 1st percentile Description Calling Verify with a VerifyOptions.KeyUsages that contains ExtKeyUsageAny unintentionally disabledpolicy validation. This only affected certificate chains which contain policy graphs, which are rather uncommon.

[github-actions]

Outdated

Recommended fixes for image wayofdev/php-dev:latest

Base image is php:8.2-fpm-alpine

Name	8.2.29-fpm-alpine3.22
Digest	sha256:a992b4453c7ffe21584867dced3a8b82c896603a10bfe3f7ec734729e26fcda5
Vulnerabilities
Pushed	5 days ago
Size	32 MB
Packages	61
Flavor	alpine
OS	3.22
Runtime	8.2.29

The base image is also available under the supported tag(s): 8.2-fpm-alpine3.22, 8.2.29-fpm-alpine, 8.2.29-fpm-alpine3.22

Refresh base image

Rebuild the image using a newer base image version. Updating this may result in breaking changes.

✅ This image version is up to date.

Change base image

Tag	Details	Pushed	Vulnerabilities
8.3-fpm-alpine Minor runtime version update Also known as: 8.3.24-fpm-alpine 8.3.24-fpm-alpine3.22 8.3-fpm-alpine3.22	Benefits: Same OS detected Minor runtime version update Tag was pushed more recently Image has similar size Image has same number of vulnerabilities Image contains equal number of packages Image details: Size: 33 MB Flavor: alpine OS: 3.22 Runtime: 8.3.24	5 days ago
8.4-fpm-alpine Image has same number of vulnerabilities Also known as: 8.4.11-fpm-alpine 8.4.11-fpm-alpine3.22 8.4-fpm-alpine3.22 8-fpm-alpine 8-fpm-alpine3.22 fpm-alpine fpm-alpine3.22	Benefits: Same OS detected Tag was pushed more recently Image has similar size Image has same number of vulnerabilities Image contains equal number of packages Image details: Size: 37 MB Flavor: alpine OS: 3.22	5 days ago

[github-actions]

Outdated

Recommended fixes for image wayofdev/php-dev:latest

Base image is php:8.1-fpm-alpine

Name	8.1.33-fpm-alpine3.21
Digest	sha256:4268ab6c629f48d1f77ff76b70355c1f384d95028c301d7a9d07a5f1644d4072
Vulnerabilities
Pushed	5 days ago
Size	32 MB
Packages	60
Flavor	alpine
OS	3.21
Runtime	8.1.33

The base image is also available under the supported tag(s): 8.1-fpm-alpine3.21, 8.1.33-fpm-alpine, 8.1.33-fpm-alpine3.21

Refresh base image

Rebuild the image using a newer base image version. Updating this may result in breaking changes.

✅ This image version is up to date.

Change base image

Tag	Details	Pushed	Vulnerabilities
8.1-fpm-alpine3.22 Patch runtime version update Also known as: 8.1.33-fpm-alpine3.22	Benefits: Patch runtime version update Same OS detected Image has similar size Image has same number of vulnerabilities Image contains similar number of packages Image details: Size: 32 MB Flavor: alpine OS: 3.22 Runtime: 8.1.33	5 days ago
8.3-fpm-alpine Minor runtime version update Also known as: 8.3.24-fpm-alpine 8.3.24-fpm-alpine3.22 8.3-fpm-alpine3.22	Benefits: Same OS detected Minor runtime version update Tag was pushed more recently Image has similar size Image has same number of vulnerabilities Image contains similar number of packages Image details: Size: 33 MB Flavor: alpine OS: 3.22 Runtime: 8.3.24	5 days ago
8.3-fpm-alpine3.21 Minor runtime version update Also known as: 8.3.24-fpm-alpine3.21	Benefits: Same OS detected Minor runtime version update Tag was pushed more recently Image has similar size Image has same number of vulnerabilities Image contains equal number of packages Image details: Size: 33 MB Flavor: alpine OS: 3.21 Runtime: 8.3.24	5 days ago
8.2-fpm-alpine Minor runtime version update Also known as: 8.2.29-fpm-alpine 8.2.29-fpm-alpine3.22 8.2-fpm-alpine3.22	Benefits: Same OS detected Minor runtime version update Image has similar size Image has same number of vulnerabilities Image contains similar number of packages 8.2-fpm-alpine was pulled 4.1K times last month Image details: Size: 32 MB Flavor: alpine OS: 3.22 Runtime: 8.2.29	5 days ago
8.2-fpm-alpine3.21 Minor runtime version update Also known as: 8.2.29-fpm-alpine3.21	Benefits: Same OS detected Minor runtime version update Image has similar size Image has same number of vulnerabilities Image contains equal number of packages Image details: Size: 32 MB Flavor: alpine OS: 3.21 Runtime: 8.2.29	5 days ago
8.4-fpm-alpine Image has same number of vulnerabilities Also known as: 8.4.11-fpm-alpine 8.4.11-fpm-alpine3.22 8.4-fpm-alpine3.22 8-fpm-alpine 8-fpm-alpine3.22 fpm-alpine fpm-alpine3.22	Benefits: Same OS detected Tag was pushed more recently Image has similar size Image has same number of vulnerabilities Image contains similar number of packages Image details: Size: 37 MB Flavor: alpine OS: 3.22	5 days ago
8.4-fpm-alpine3.21 Image has same number of vulnerabilities Also known as: 8.4.11-fpm-alpine3.21 8-fpm-alpine3.21 fpm-alpine3.21	Benefits: Same OS detected Tag was pushed more recently Image has similar size Image has same number of vulnerabilities Image contains equal number of packages Image details: Size: 36 MB Flavor: alpine OS: 3.21	5 days ago

[github-actions]

Outdated

Recommended fixes for image wayofdev/php-dev:latest

Base image is php:8.1-alpine

Name	8.1.33-alpine3.21
Digest	sha256:6ed5103426b2c742dcc4721afa9864e7faaedcbb84c92410762d0c5162a8bdb2
Vulnerabilities
Pushed	5 days ago
Size	36 MB
Packages	59
Flavor	alpine
OS	3.21
Runtime	8.1.33

The base image is also available under the supported tag(s): 8.1-alpine3.21, 8.1-cli-alpine, 8.1-cli-alpine3.21, 8.1.33-alpine, 8.1.33-alpine3.21, 8.1.33-cli-alpine, 8.1.33-cli-alpine3.21

Refresh base image

Rebuild the image using a newer base image version. Updating this may result in breaking changes.

✅ This image version is up to date.

Change base image

Tag	Details	Pushed	Vulnerabilities
8.1-alpine3.22 Patch runtime version update Also known as: 8.1.33-cli-alpine3.22 8.1-cli-alpine3.22 8.1.33-alpine3.22	Benefits: Patch runtime version update Same OS detected Image has similar size Image has same number of vulnerabilities Image contains similar number of packages Image details: Size: 36 MB Flavor: alpine OS: 3.22 Runtime: 8.1.33	5 days ago
8.4-alpine Minor runtime version update Also known as: 8.4.11-cli-alpine 8.4.11-cli-alpine3.22 8.4-cli-alpine 8.4-cli-alpine3.22 8-cli-alpine 8-cli-alpine3.22 cli-alpine cli-alpine3.22 alpine alpine3.22 8.4.11-alpine 8.4.11-alpine3.22 8.4-alpine3.22 8-alpine 8-alpine3.22	Benefits: Same OS detected Minor runtime version update Tag was pushed more recently Image has similar size Image has same number of vulnerabilities Image contains similar number of packages Image details: Size: 42 MB Flavor: alpine OS: 3.22 Runtime: 8.4.11	5 days ago
8.4-alpine3.21 Minor runtime version update Also known as: 8.4.11-cli-alpine3.21 8.4-cli-alpine3.21 8-cli-alpine3.21 cli-alpine3.21 alpine3.21 8.4.11-alpine3.21 8-alpine3.21	Benefits: Same OS detected Minor runtime version update Tag was pushed more recently Image has similar size Image has same number of vulnerabilities Image contains equal number of packages Image details: Size: 42 MB Flavor: alpine OS: 3.21 Runtime: 8.4.11	5 days ago
8.3-alpine Minor runtime version update Also known as: 8.3.24-cli-alpine 8.3.24-cli-alpine3.22 8.3-cli-alpine 8.3-cli-alpine3.22 8.3.24-alpine 8.3.24-alpine3.22 8.3-alpine3.22	Benefits: Same OS detected Minor runtime version update Tag was pushed more recently Image has similar size Image has same number of vulnerabilities Image contains similar number of packages Image details: Size: 37 MB Flavor: alpine OS: 3.22 Runtime: 8.3.24	5 days ago
8.3-alpine3.21 Minor runtime version update Also known as: 8.3.24-cli-alpine3.21 8.3-cli-alpine3.21 8.3.24-alpine3.21	Benefits: Same OS detected Minor runtime version update Tag was pushed more recently Image has similar size Image has same number of vulnerabilities Image contains equal number of packages Image details: Size: 37 MB Flavor: alpine OS: 3.21 Runtime: 8.3.24	5 days ago
8.2-alpine Minor runtime version update Also known as: 8.2.29-cli-alpine 8.2.29-cli-alpine3.22 8.2-cli-alpine 8.2-cli-alpine3.22 8.2.29-alpine 8.2.29-alpine3.22 8.2-alpine3.22	Benefits: Same OS detected Minor runtime version update Image has similar size Image has same number of vulnerabilities Image contains similar number of packages 8.2-alpine was pulled 1.8K times last month Image details: Size: 37 MB Flavor: alpine OS: 3.22 Runtime: 8.2.29	5 days ago
8.2-alpine3.21 Minor runtime version update Also known as: 8.2.29-cli-alpine3.21 8.2-cli-alpine3.21 8.2.29-alpine3.21	Benefits: Same OS detected Minor runtime version update Image has similar size Image has same number of vulnerabilities Image contains equal number of packages Image details: Size: 36 MB Flavor: alpine OS: 3.21 Runtime: 8.2.29	5 days ago

[github-actions]

Outdated

Recommended fixes for image wayofdev/php-dev:latest

Base image is php:8.3-alpine

Name	8.3.24-alpine3.22
Digest	sha256:f43a903b3e7fb97ce6ecdc8ab54c4beeebc913c38697740c6e9dd0d69fc37322
Vulnerabilities
Pushed	5 days ago
Size	37 MB
Packages	60
Flavor	alpine
OS	3.22
Runtime	8.3.24

The base image is also available under the supported tag(s): 8.3-alpine3.22, 8.3-cli-alpine, 8.3-cli-alpine3.22, 8.3.24-alpine, 8.3.24-alpine3.22, 8.3.24-cli-alpine, 8.3.24-cli-alpine3.22

Refresh base image

Rebuild the image using a newer base image version. Updating this may result in breaking changes.

✅ This image version is up to date.

Change base image

Tag	Details	Pushed	Vulnerabilities
8.4-alpine Minor runtime version update Also known as: 8.4.11-cli-alpine 8.4.11-cli-alpine3.22 8.4-cli-alpine 8.4-cli-alpine3.22 8-cli-alpine 8-cli-alpine3.22 cli-alpine cli-alpine3.22 alpine alpine3.22 8.4.11-alpine 8.4.11-alpine3.22 8.4-alpine3.22 8-alpine 8-alpine3.22	Benefits: Same OS detected Minor runtime version update Tag was pushed more recently Image has similar size Image has same number of vulnerabilities Image contains equal number of packages Image details: Size: 42 MB Flavor: alpine OS: 3.22 Runtime: 8.4.11	5 days ago

[github-actions]

Outdated

🔍 Vulnerabilities of wayofdev/php-dev:latest

📦 Image Reference wayofdev/php-dev:latest

digest	sha256:d39c905ebf9ffd8d3bf485d98a4a67d502b5618653aa5c91a0a8b2a9c41d9f37
vulnerabilities
platform	linux/amd64
size	112 MB
packages	250

📦 Base Image php:639b54f0afafe1a50d5dfdf4306b05aa09357ed7292390e3ed242ecfc57cc7e0

also known as	8-fpm-alpine 8-fpm-alpine3.22 8.4-fpm-alpine 8.4-fpm-alpine3.22 8.4.11-fpm-alpine 8.4.11-fpm-alpine3.22 fpm-alpine fpm-alpine3.22
digest	sha256:dd4b38d02d63413f45aea06eaaf1ac2410b7cbe81b017efd3d6feefb142809b2
vulnerabilities

golang.org/x/crypto 0.17.0 (golang) pkg:golang/golang.org/x/[email protected] Improper Authorization Affected range <0.31.0 Fixed version 0.31.0 CVSS Score 9.1 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N EPSS Score 38.497% EPSS Percentile 97th percentile Description Applications and libraries which misuse the ServerConfig.PublicKeyCallback callback may be susceptible to an authorization bypass. The documentation for ServerConfig.PublicKeyCallback says that "A call to this function does not guarantee that the key offered is in fact used to authenticate." Specifically, the SSH protocol allows clients to inquire about whether a public key is acceptable before proving control of the corresponding private key. PublicKeyCallback may be called with multiple keys, and the order in which the keys were provided cannot be used to infer which key the client successfully authenticated with, if any. Some applications, which store the key(s) passed to PublicKeyCallback (or derived information) and make security relevant determinations based on it once the connection is established, may make incorrect assumptions. For example, an attacker may send public keys A and B, and then authenticate with A. PublicKeyCallback would be called only twice, first with A and then with B. A vulnerable application may then make authorization decisions based on key B for which the attacker does not actually control the private key. Since this API is widely misused, as a partial mitigation golang.org/x/[email protected] enforces the property that, when successfully authenticating via public key, the last key passed to ServerConfig.PublicKeyCallback will be the key used to authenticate the connection. PublicKeyCallback will now be called multiple times with the same key, if necessary. Note that the client may still not control the last key passed to PublicKeyCallback if the connection is then authenticated with a different method, such as PasswordCallback, KeyboardInteractiveCallback, or NoClientAuth. Users should be using the Extensions field of the Permissions return value from the various authentication callbacks to record data associated with the authentication attempt instead of referencing external state. Once the connection is established the state corresponding to the successful authentication attempt can be retrieved via the ServerConn.Permissions field. Note that some third-party libraries misuse the Permissions type by sharing it across authentication attempts; users of third-party libraries should refer to the relevant projects for guidance. Affected range <0.35.0 Fixed version 0.35.0 EPSS Score 0.127% EPSS Percentile 33rd percentile Description SSH servers which implement file transfer protocols are vulnerable to a denial of service attack from clients which complete the key exchange slowly, or not at all, causing pending content to be read into memory, but never transmitted.

stdlib 1.24.3 (golang) pkg:golang/[email protected] Affected range >=1.24.0-0 <1.24.4 Fixed version 1.24.4 EPSS Score 0.012% EPSS Percentile 1st percentile Description Calling Verify with a VerifyOptions.KeyUsages that contains ExtKeyUsageAny unintentionally disabledpolicy validation. This only affected certificate chains which contain policy graphs, which are rather uncommon.

[github-actions]

Outdated

Recommended fixes for image wayofdev/php-dev:latest

Base image is php:8-fpm-alpine

Name	fpm-alpine3.22
Digest	sha256:dd4b38d02d63413f45aea06eaaf1ac2410b7cbe81b017efd3d6feefb142809b2
Vulnerabilities
Pushed	5 days ago
Size	37 MB
Packages	61
Flavor	alpine
OS	3.22

The base image is also available under the supported tag(s): 8-fpm-alpine3.22, 8.4-fpm-alpine, 8.4-fpm-alpine3.22, 8.4.11-fpm-alpine, 8.4.11-fpm-alpine3.22, fpm-alpine, fpm-alpine3.22

Refresh base image

Rebuild the image using a newer base image version. Updating this may result in breaking changes.

✅ This image version is up to date.

Change base image

Tag	Details	Pushed	Vulnerabilities
8.3-fpm-alpine Minor runtime version update Also known as: 8.3.24-fpm-alpine 8.3.24-fpm-alpine3.22 8.3-fpm-alpine3.22	Benefits: Same OS detected Minor runtime version update Image is smaller by 3.3 MB Image has same number of vulnerabilities Image contains equal number of packages Image details: Size: 33 MB Flavor: alpine OS: 3.22 Runtime: 8.3.24	5 days ago
8.2-fpm-alpine Minor runtime version update Also known as: 8.2.29-fpm-alpine 8.2.29-fpm-alpine3.22 8.2-fpm-alpine3.22	Benefits: Same OS detected Minor runtime version update Image is smaller by 4.0 MB Image has same number of vulnerabilities Image contains equal number of packages 8.2-fpm-alpine was pulled 4.1K times last month Image details: Size: 32 MB Flavor: alpine OS: 3.22 Runtime: 8.2.29	5 days ago
8.1-fpm-alpine3.22 Minor runtime version update Also known as: 8.1.33-fpm-alpine3.22	Benefits: Same OS detected Minor runtime version update Image is smaller by 4.5 MB Image has same number of vulnerabilities Image contains equal number of packages Image details: Size: 32 MB Flavor: alpine OS: 3.22 Runtime: 8.1.33	5 days ago

[github-actions]

Outdated

🔍 Vulnerabilities of wayofdev/php-dev:latest

📦 Image Reference wayofdev/php-dev:latest

digest	sha256:4673c81118537722678f18a07ded7f184fbb520b527f1295762627e210f7a386
vulnerabilities
platform	linux/amd64
size	112 MB
packages	249

📦 Base Image php:8.2-alpine

also known as	8.2-alpine3.22 8.2-cli-alpine 8.2-cli-alpine3.22 8.2.29-alpine 8.2.29-alpine3.22 8.2.29-cli-alpine 8.2.29-cli-alpine3.22 d8f4974194fb8fae35528e5ff3f03ca3566ee2e502f953b7817e0cbefebf8a0d
digest	sha256:cdee2ae021443a0806843448eb174a188d6e6d85377a2e5a9bcd44161001fb8d
vulnerabilities

golang.org/x/crypto 0.17.0 (golang) pkg:golang/golang.org/x/[email protected] Improper Authorization Affected range <0.31.0 Fixed version 0.31.0 CVSS Score 9.1 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N EPSS Score 38.497% EPSS Percentile 97th percentile Description Applications and libraries which misuse the ServerConfig.PublicKeyCallback callback may be susceptible to an authorization bypass. The documentation for ServerConfig.PublicKeyCallback says that "A call to this function does not guarantee that the key offered is in fact used to authenticate." Specifically, the SSH protocol allows clients to inquire about whether a public key is acceptable before proving control of the corresponding private key. PublicKeyCallback may be called with multiple keys, and the order in which the keys were provided cannot be used to infer which key the client successfully authenticated with, if any. Some applications, which store the key(s) passed to PublicKeyCallback (or derived information) and make security relevant determinations based on it once the connection is established, may make incorrect assumptions. For example, an attacker may send public keys A and B, and then authenticate with A. PublicKeyCallback would be called only twice, first with A and then with B. A vulnerable application may then make authorization decisions based on key B for which the attacker does not actually control the private key. Since this API is widely misused, as a partial mitigation golang.org/x/[email protected] enforces the property that, when successfully authenticating via public key, the last key passed to ServerConfig.PublicKeyCallback will be the key used to authenticate the connection. PublicKeyCallback will now be called multiple times with the same key, if necessary. Note that the client may still not control the last key passed to PublicKeyCallback if the connection is then authenticated with a different method, such as PasswordCallback, KeyboardInteractiveCallback, or NoClientAuth. Users should be using the Extensions field of the Permissions return value from the various authentication callbacks to record data associated with the authentication attempt instead of referencing external state. Once the connection is established the state corresponding to the successful authentication attempt can be retrieved via the ServerConn.Permissions field. Note that some third-party libraries misuse the Permissions type by sharing it across authentication attempts; users of third-party libraries should refer to the relevant projects for guidance. Affected range <0.35.0 Fixed version 0.35.0 EPSS Score 0.127% EPSS Percentile 33rd percentile Description SSH servers which implement file transfer protocols are vulnerable to a denial of service attack from clients which complete the key exchange slowly, or not at all, causing pending content to be read into memory, but never transmitted.

stdlib 1.24.3 (golang) pkg:golang/[email protected] Affected range >=1.24.0-0 <1.24.4 Fixed version 1.24.4 EPSS Score 0.012% EPSS Percentile 1st percentile Description Calling Verify with a VerifyOptions.KeyUsages that contains ExtKeyUsageAny unintentionally disabledpolicy validation. This only affected certificate chains which contain policy graphs, which are rather uncommon.

[github-actions]

Outdated

Recommended fixes for image wayofdev/php-dev:latest

Base image is php:8.2-alpine

Name	8.2.29-alpine3.22
Digest	sha256:cdee2ae021443a0806843448eb174a188d6e6d85377a2e5a9bcd44161001fb8d
Vulnerabilities
Pushed	5 days ago
Size	37 MB
Packages	60
Flavor	alpine
OS	3.22
Runtime	8.2.29

The base image is also available under the supported tag(s): 8.2-alpine3.22, 8.2-cli-alpine, 8.2-cli-alpine3.22, 8.2.29-alpine, 8.2.29-alpine3.22, 8.2.29-cli-alpine, 8.2.29-cli-alpine3.22

Refresh base image

Rebuild the image using a newer base image version. Updating this may result in breaking changes.

✅ This image version is up to date.

Change base image

Tag	Details	Pushed	Vulnerabilities
8.4-alpine Minor runtime version update Also known as: 8.4.11-cli-alpine 8.4.11-cli-alpine3.22 8.4-cli-alpine 8.4-cli-alpine3.22 8-cli-alpine 8-cli-alpine3.22 cli-alpine cli-alpine3.22 alpine alpine3.22 8.4.11-alpine 8.4.11-alpine3.22 8.4-alpine3.22 8-alpine 8-alpine3.22	Benefits: Same OS detected Minor runtime version update Tag was pushed more recently Image has similar size Image has same number of vulnerabilities Image contains equal number of packages Image details: Size: 42 MB Flavor: alpine OS: 3.22 Runtime: 8.4.11	5 days ago
8.3-alpine Minor runtime version update Also known as: 8.3.24-cli-alpine 8.3.24-cli-alpine3.22 8.3-cli-alpine 8.3-cli-alpine3.22 8.3.24-alpine 8.3.24-alpine3.22 8.3-alpine3.22	Benefits: Same OS detected Minor runtime version update Tag was pushed more recently Image has similar size Image has same number of vulnerabilities Image contains equal number of packages Image details: Size: 37 MB Flavor: alpine OS: 3.22 Runtime: 8.3.24	5 days ago

[github-actions]

Outdated

🔍 Vulnerabilities of wayofdev/php-dev:latest

📦 Image Reference wayofdev/php-dev:latest

digest	sha256:65c973126d63a946cbbd43f193ae47598f3228197250b6136f91eae2a5a395a9
vulnerabilities
platform	linux/amd64
size	113 MB
packages	249

📦 Base Image php:8.3-alpine

also known as	8.3-alpine3.22 8.3-cli-alpine 8.3-cli-alpine3.22 8.3.24-alpine 8.3.24-alpine3.22 8.3.24-cli-alpine 8.3.24-cli-alpine3.22 b026e7d2fc6d7801e1af55dc42c7409b2f38d6b42c32494e9276b6ef40a28ee3
digest	sha256:f43a903b3e7fb97ce6ecdc8ab54c4beeebc913c38697740c6e9dd0d69fc37322
vulnerabilities

golang.org/x/crypto 0.17.0 (golang) pkg:golang/golang.org/x/[email protected] Improper Authorization Affected range <0.31.0 Fixed version 0.31.0 CVSS Score 9.1 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N EPSS Score 38.497% EPSS Percentile 97th percentile Description Applications and libraries which misuse the ServerConfig.PublicKeyCallback callback may be susceptible to an authorization bypass. The documentation for ServerConfig.PublicKeyCallback says that "A call to this function does not guarantee that the key offered is in fact used to authenticate." Specifically, the SSH protocol allows clients to inquire about whether a public key is acceptable before proving control of the corresponding private key. PublicKeyCallback may be called with multiple keys, and the order in which the keys were provided cannot be used to infer which key the client successfully authenticated with, if any. Some applications, which store the key(s) passed to PublicKeyCallback (or derived information) and make security relevant determinations based on it once the connection is established, may make incorrect assumptions. For example, an attacker may send public keys A and B, and then authenticate with A. PublicKeyCallback would be called only twice, first with A and then with B. A vulnerable application may then make authorization decisions based on key B for which the attacker does not actually control the private key. Since this API is widely misused, as a partial mitigation golang.org/x/[email protected] enforces the property that, when successfully authenticating via public key, the last key passed to ServerConfig.PublicKeyCallback will be the key used to authenticate the connection. PublicKeyCallback will now be called multiple times with the same key, if necessary. Note that the client may still not control the last key passed to PublicKeyCallback if the connection is then authenticated with a different method, such as PasswordCallback, KeyboardInteractiveCallback, or NoClientAuth. Users should be using the Extensions field of the Permissions return value from the various authentication callbacks to record data associated with the authentication attempt instead of referencing external state. Once the connection is established the state corresponding to the successful authentication attempt can be retrieved via the ServerConn.Permissions field. Note that some third-party libraries misuse the Permissions type by sharing it across authentication attempts; users of third-party libraries should refer to the relevant projects for guidance. Affected range <0.35.0 Fixed version 0.35.0 EPSS Score 0.127% EPSS Percentile 33rd percentile Description SSH servers which implement file transfer protocols are vulnerable to a denial of service attack from clients which complete the key exchange slowly, or not at all, causing pending content to be read into memory, but never transmitted.

stdlib 1.24.3 (golang) pkg:golang/[email protected] Affected range >=1.24.0-0 <1.24.4 Fixed version 1.24.4 EPSS Score 0.012% EPSS Percentile 1st percentile Description Calling Verify with a VerifyOptions.KeyUsages that contains ExtKeyUsageAny unintentionally disabledpolicy validation. This only affected certificate chains which contain policy graphs, which are rather uncommon.

[github-actions]

Outdated

Recommended fixes for image wayofdev/php-dev:latest

Base image is php:8.3-alpine

Name	8.3.24-alpine3.22
Digest	sha256:f43a903b3e7fb97ce6ecdc8ab54c4beeebc913c38697740c6e9dd0d69fc37322
Vulnerabilities
Pushed	5 days ago
Size	37 MB
Packages	60
Flavor	alpine
OS	3.22
Runtime	8.3.24

The base image is also available under the supported tag(s): 8.3-alpine3.22, 8.3-cli-alpine, 8.3-cli-alpine3.22, 8.3.24-alpine, 8.3.24-alpine3.22, 8.3.24-cli-alpine, 8.3.24-cli-alpine3.22

Refresh base image

Rebuild the image using a newer base image version. Updating this may result in breaking changes.

✅ This image version is up to date.

Change base image

Tag	Details	Pushed	Vulnerabilities
8.4-alpine Minor runtime version update Also known as: 8.4.11-cli-alpine 8.4.11-cli-alpine3.22 8.4-cli-alpine 8.4-cli-alpine3.22 8-cli-alpine 8-cli-alpine3.22 cli-alpine cli-alpine3.22 alpine alpine3.22 8.4.11-alpine 8.4.11-alpine3.22 8.4-alpine3.22 8-alpine 8-alpine3.22	Benefits: Same OS detected Minor runtime version update Tag was pushed more recently Image has similar size Image has same number of vulnerabilities Image contains equal number of packages Image details: Size: 42 MB Flavor: alpine OS: 3.22 Runtime: 8.4.11	5 days ago

[github-actions]

Outdated

🔍 Vulnerabilities of wayofdev/php-dev:latest

📦 Image Reference wayofdev/php-dev:latest

digest	sha256:b3ed7334ec4753eb0d80e6f0865fd87cd4aa1dd47223d16de5649670cf3ad937
vulnerabilities
platform	linux/amd64
size	118 MB
packages	249

📦 Base Image php:8-alpine

also known as	8-alpine3.22 8-cli-alpine 8-cli-alpine3.22 8.4-alpine 8.4-alpine3.22 8.4-cli-alpine 8.4-cli-alpine3.22 8.4.11-alpine 8.4.11-alpine3.22 8.4.11-cli-alpine 8.4.11-cli-alpine3.22 alpine alpine3.22 cli-alpine cli-alpine3.22 e4f9bb894d0d59558802c50d63685a084b2b4fb7eb77398e783423beab34d48f
digest	sha256:4ff5194e9fa697591425fa74e939879cde8c0d0da6a53b4b247cc47f43eb7d91
vulnerabilities

golang.org/x/crypto 0.17.0 (golang) pkg:golang/golang.org/x/[email protected] Improper Authorization Affected range <0.31.0 Fixed version 0.31.0 CVSS Score 9.1 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N EPSS Score 38.497% EPSS Percentile 97th percentile Description Applications and libraries which misuse the ServerConfig.PublicKeyCallback callback may be susceptible to an authorization bypass. The documentation for ServerConfig.PublicKeyCallback says that "A call to this function does not guarantee that the key offered is in fact used to authenticate." Specifically, the SSH protocol allows clients to inquire about whether a public key is acceptable before proving control of the corresponding private key. PublicKeyCallback may be called with multiple keys, and the order in which the keys were provided cannot be used to infer which key the client successfully authenticated with, if any. Some applications, which store the key(s) passed to PublicKeyCallback (or derived information) and make security relevant determinations based on it once the connection is established, may make incorrect assumptions. For example, an attacker may send public keys A and B, and then authenticate with A. PublicKeyCallback would be called only twice, first with A and then with B. A vulnerable application may then make authorization decisions based on key B for which the attacker does not actually control the private key. Since this API is widely misused, as a partial mitigation golang.org/x/[email protected] enforces the property that, when successfully authenticating via public key, the last key passed to ServerConfig.PublicKeyCallback will be the key used to authenticate the connection. PublicKeyCallback will now be called multiple times with the same key, if necessary. Note that the client may still not control the last key passed to PublicKeyCallback if the connection is then authenticated with a different method, such as PasswordCallback, KeyboardInteractiveCallback, or NoClientAuth. Users should be using the Extensions field of the Permissions return value from the various authentication callbacks to record data associated with the authentication attempt instead of referencing external state. Once the connection is established the state corresponding to the successful authentication attempt can be retrieved via the ServerConn.Permissions field. Note that some third-party libraries misuse the Permissions type by sharing it across authentication attempts; users of third-party libraries should refer to the relevant projects for guidance. Affected range <0.35.0 Fixed version 0.35.0 EPSS Score 0.127% EPSS Percentile 33rd percentile Description SSH servers which implement file transfer protocols are vulnerable to a denial of service attack from clients which complete the key exchange slowly, or not at all, causing pending content to be read into memory, but never transmitted.

stdlib 1.24.3 (golang) pkg:golang/[email protected] Affected range >=1.24.0-0 <1.24.4 Fixed version 1.24.4 EPSS Score 0.012% EPSS Percentile 1st percentile Description Calling Verify with a VerifyOptions.KeyUsages that contains ExtKeyUsageAny unintentionally disabledpolicy validation. This only affected certificate chains which contain policy graphs, which are rather uncommon.

[github-actions]

Outdated

🔍 Vulnerabilities of wayofdev/php-dev:latest

📦 Image Reference wayofdev/php-dev:latest

digest	sha256:916d7361c0f20ed880e4bcdbb74829544f9cea1db691339ab5c8dd1251e693b1
vulnerabilities
platform	linux/amd64
size	137 MB
packages	284

📦 Base Image php:8-alpine

also known as	8-alpine3.22 8-cli-alpine 8-cli-alpine3.22 8.4-alpine 8.4-alpine3.22 8.4-cli-alpine 8.4-cli-alpine3.22 8.4.11-alpine 8.4.11-alpine3.22 8.4.11-cli-alpine 8.4.11-cli-alpine3.22 alpine alpine3.22 cli-alpine cli-alpine3.22 e4f9bb894d0d59558802c50d63685a084b2b4fb7eb77398e783423beab34d48f
digest	sha256:4ff5194e9fa697591425fa74e939879cde8c0d0da6a53b4b247cc47f43eb7d91
vulnerabilities

golang.org/x/crypto 0.17.0 (golang) pkg:golang/golang.org/x/[email protected] Improper Authorization Affected range <0.31.0 Fixed version 0.31.0 CVSS Score 9.1 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N EPSS Score 38.497% EPSS Percentile 97th percentile Description Applications and libraries which misuse the ServerConfig.PublicKeyCallback callback may be susceptible to an authorization bypass. The documentation for ServerConfig.PublicKeyCallback says that "A call to this function does not guarantee that the key offered is in fact used to authenticate." Specifically, the SSH protocol allows clients to inquire about whether a public key is acceptable before proving control of the corresponding private key. PublicKeyCallback may be called with multiple keys, and the order in which the keys were provided cannot be used to infer which key the client successfully authenticated with, if any. Some applications, which store the key(s) passed to PublicKeyCallback (or derived information) and make security relevant determinations based on it once the connection is established, may make incorrect assumptions. For example, an attacker may send public keys A and B, and then authenticate with A. PublicKeyCallback would be called only twice, first with A and then with B. A vulnerable application may then make authorization decisions based on key B for which the attacker does not actually control the private key. Since this API is widely misused, as a partial mitigation golang.org/x/[email protected] enforces the property that, when successfully authenticating via public key, the last key passed to ServerConfig.PublicKeyCallback will be the key used to authenticate the connection. PublicKeyCallback will now be called multiple times with the same key, if necessary. Note that the client may still not control the last key passed to PublicKeyCallback if the connection is then authenticated with a different method, such as PasswordCallback, KeyboardInteractiveCallback, or NoClientAuth. Users should be using the Extensions field of the Permissions return value from the various authentication callbacks to record data associated with the authentication attempt instead of referencing external state. Once the connection is established the state corresponding to the successful authentication attempt can be retrieved via the ServerConn.Permissions field. Note that some third-party libraries misuse the Permissions type by sharing it across authentication attempts; users of third-party libraries should refer to the relevant projects for guidance. Affected range <0.35.0 Fixed version 0.35.0 EPSS Score 0.127% EPSS Percentile 33rd percentile Description SSH servers which implement file transfer protocols are vulnerable to a denial of service attack from clients which complete the key exchange slowly, or not at all, causing pending content to be read into memory, but never transmitted.

stdlib 1.24.3 (golang) pkg:golang/[email protected] Affected range >=1.24.0-0 <1.24.4 Fixed version 1.24.4 EPSS Score 0.012% EPSS Percentile 1st percentile Description Calling Verify with a VerifyOptions.KeyUsages that contains ExtKeyUsageAny unintentionally disabledpolicy validation. This only affected certificate chains which contain policy graphs, which are rather uncommon.

[github-actions]

Outdated

Recommended fixes for image wayofdev/php-dev:latest

Base image is php:8-alpine

Name	8.4.11-alpine3.22
Digest	sha256:4ff5194e9fa697591425fa74e939879cde8c0d0da6a53b4b247cc47f43eb7d91
Vulnerabilities
Pushed	5 days ago
Size	42 MB
Packages	60
Flavor	alpine
OS	3.22
Runtime	8.4.11

The base image is also available under the supported tag(s): 8-alpine3.22, 8-cli-alpine, 8-cli-alpine3.22, 8.4-alpine, 8.4-alpine3.22, 8.4-cli-alpine, 8.4-cli-alpine3.22, 8.4.11-alpine, 8.4.11-alpine3.22, 8.4.11-cli-alpine, 8.4.11-cli-alpine3.22, alpine, alpine3.22, cli-alpine, cli-alpine3.22

Refresh base image

Rebuild the image using a newer base image version. Updating this may result in breaking changes.

✅ This image version is up to date.

Change base image

✅ There are no tag recommendations at this time.

[github-actions]

Outdated

Recommended fixes for image wayofdev/php-dev:latest

Base image is php:8-alpine

Name	8.4.11-alpine3.22
Digest	sha256:4ff5194e9fa697591425fa74e939879cde8c0d0da6a53b4b247cc47f43eb7d91
Vulnerabilities
Pushed	5 days ago
Size	42 MB
Packages	60
Flavor	alpine
OS	3.22
Runtime	8.4.11

The base image is also available under the supported tag(s): 8-alpine3.22, 8-cli-alpine, 8-cli-alpine3.22, 8.4-alpine, 8.4-alpine3.22, 8.4-cli-alpine, 8.4-cli-alpine3.22, 8.4.11-alpine, 8.4.11-alpine3.22, 8.4.11-cli-alpine, 8.4.11-cli-alpine3.22, alpine, alpine3.22, cli-alpine, cli-alpine3.22

Refresh base image

Rebuild the image using a newer base image version. Updating this may result in breaking changes.

✅ This image version is up to date.

Change base image

✅ There are no tag recommendations at this time.

[github-actions]

Outdated

🔍 Vulnerabilities of wayofdev/php-dev:latest

📦 Image Reference wayofdev/php-dev:latest

digest	sha256:1bd6b57867ff76dd295293dbb25f144b774c6d6991967a0fd5ad6e19d59922f9
vulnerabilities
platform	linux/amd64
size	128 MB
packages	265

📦 Base Image php:8.1-alpine

also known as	8.1-alpine3.21 8.1-cli-alpine 8.1-cli-alpine3.21 8.1.33-alpine 8.1.33-alpine3.21 8.1.33-cli-alpine 8.1.33-cli-alpine3.21 aeda52007687158f88915a60b395065c946a772587552d11e8e49511924585c9
digest	sha256:b2694ec936f57efe2633da0a83e055af8e7ccf4a08274fb299396c8a2fa12285
vulnerabilities

golang.org/x/crypto 0.17.0 (golang) pkg:golang/golang.org/x/[email protected] Improper Authorization Affected range <0.31.0 Fixed version 0.31.0 CVSS Score 9.1 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N EPSS Score 47.048% EPSS Percentile 98th percentile Description Applications and libraries which misuse the ServerConfig.PublicKeyCallback callback may be susceptible to an authorization bypass. The documentation for ServerConfig.PublicKeyCallback says that "A call to this function does not guarantee that the key offered is in fact used to authenticate." Specifically, the SSH protocol allows clients to inquire about whether a public key is acceptable before proving control of the corresponding private key. PublicKeyCallback may be called with multiple keys, and the order in which the keys were provided cannot be used to infer which key the client successfully authenticated with, if any. Some applications, which store the key(s) passed to PublicKeyCallback (or derived information) and make security relevant determinations based on it once the connection is established, may make incorrect assumptions. For example, an attacker may send public keys A and B, and then authenticate with A. PublicKeyCallback would be called only twice, first with A and then with B. A vulnerable application may then make authorization decisions based on key B for which the attacker does not actually control the private key. Since this API is widely misused, as a partial mitigation golang.org/x/[email protected] enforces the property that, when successfully authenticating via public key, the last key passed to ServerConfig.PublicKeyCallback will be the key used to authenticate the connection. PublicKeyCallback will now be called multiple times with the same key, if necessary. Note that the client may still not control the last key passed to PublicKeyCallback if the connection is then authenticated with a different method, such as PasswordCallback, KeyboardInteractiveCallback, or NoClientAuth. Users should be using the Extensions field of the Permissions return value from the various authentication callbacks to record data associated with the authentication attempt instead of referencing external state. Once the connection is established the state corresponding to the successful authentication attempt can be retrieved via the ServerConn.Permissions field. Note that some third-party libraries misuse the Permissions type by sharing it across authentication attempts; users of third-party libraries should refer to the relevant projects for guidance. Affected range <0.35.0 Fixed version 0.35.0 EPSS Score 0.242% EPSS Percentile 47th percentile Description SSH servers which implement file transfer protocols are vulnerable to a denial of service attack from clients which complete the key exchange slowly, or not at all, causing pending content to be read into memory, but never transmitted.

setuptools 70.3.0 (pypi) pkg:pypi/[email protected] Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') Affected range <78.1.1 Fixed version 78.1.1 CVSS Score 7.7 CVSS Vector CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P EPSS Score 0.077% EPSS Percentile 24th percentile Description Summary A path traversal vulnerability in PackageIndex was fixed in setuptools version 78.1.1 Details def _download_url(self, url, tmpdir): # Determine download filename # name, _fragment = egg_info_for_url(url) if name: while '..' in name: name = name.replace('..', '.').replace('\\', '_') else: name = "__downloaded__" # default if URL has no path contents if name.endswith('.[egg.zip](http://egg.zip/)'): name = name[:-4] # strip the extra .zip before download --> filename = os.path.join(tmpdir, name) Here: https://github.com/pypa/setuptools/blob/6ead555c5fb29bc57fe6105b1bffc163f56fd558/setuptools/package_index.py#L810C1-L825C88 os.path.join() discards the first argument tmpdir if the second begins with a slash or drive letter. name is derived from a URL without sufficient sanitization. While there is some attempt to sanitize by replacing instances of '..' with '.', it is insufficient. Risk Assessment As easy_install and package_index are deprecated, the exploitation surface is reduced. However, it seems this could be exploited in a similar fashion like GHSA-r9hx-vwmv-q579, and as described by POC 4 in GHSA-cx63-2mw6-8hw5 report: via malicious URLs present on the pages of a package index. Impact An attacker would be allowed to write files to arbitrary locations on the filesystem with the permissions of the process running the Python code, which could escalate to RCE depending on the context. References https://huntr.com/bounties/d6362117-ad57-4e83-951f-b8141c6e7ca5 pypa/setuptools#4946

[github-actions]

Outdated

Recommended fixes for image wayofdev/php-dev:latest

Base image is php:8.1-alpine

Name	8.1.33-alpine3.21
Digest	sha256:b2694ec936f57efe2633da0a83e055af8e7ccf4a08274fb299396c8a2fa12285
Vulnerabilities
Pushed	2 months ago
Size	36 MB
Packages	59
Flavor	alpine
OS	3.21
Runtime	8.1.33

The base image is also available under the supported tag(s): 8.1-alpine3.21, 8.1-cli-alpine, 8.1-cli-alpine3.21, 8.1.33-alpine, 8.1.33-alpine3.21, 8.1.33-cli-alpine, 8.1.33-cli-alpine3.21

Refresh base image

Rebuild the image using a newer base image version. Updating this may result in breaking changes.

✅ This image version is up to date.

Change base image

Tag	Details	Pushed	Vulnerabilities
8.1-alpine3.22 Patch runtime version update Also known as: 8.1.33-cli-alpine3.22 8.1-cli-alpine3.22 8.1.33-alpine3.22	Benefits: Patch runtime version update Same OS detected Image has similar size Image has same number of vulnerabilities Image contains similar number of packages Image details: Size: 36 MB Flavor: alpine OS: 3.22 Runtime: 8.1.33	2 months ago
8.4-alpine Minor runtime version update Also known as: 8.4.13-cli-alpine 8.4.13-cli-alpine3.22 8.4-cli-alpine 8.4-cli-alpine3.22 8-cli-alpine 8-cli-alpine3.22 cli-alpine cli-alpine3.22 alpine alpine3.22 8.4.13-alpine 8.4.13-alpine3.22 8.4-alpine3.22 8-alpine 8-alpine3.22	Benefits: Same OS detected Minor runtime version update Tag was pushed more recently Image has similar size Image has same number of vulnerabilities Image contains similar number of packages Image details: Size: 41 MB Flavor: alpine OS: 3.22 Runtime: 8.4.13	4 weeks ago
8.4-alpine3.21 Minor runtime version update Also known as: 8.4.13-cli-alpine3.21 8.4-cli-alpine3.21 8-cli-alpine3.21 cli-alpine3.21 alpine3.21 8.4.13-alpine3.21 8-alpine3.21	Benefits: Same OS detected Minor runtime version update Tag was pushed more recently Image has similar size Image has same number of vulnerabilities Image contains equal number of packages Image details: Size: 41 MB Flavor: alpine OS: 3.21 Runtime: 8.4.13	4 weeks ago
8.3-alpine Minor runtime version update Also known as: 8.3.26-cli-alpine 8.3.26-cli-alpine3.22 8.3-cli-alpine 8.3-cli-alpine3.22 8.3.26-alpine 8.3.26-alpine3.22 8.3-alpine3.22	Benefits: Same OS detected Minor runtime version update Tag was pushed more recently Image has similar size Image has same number of vulnerabilities Image contains similar number of packages Image details: Size: 37 MB Flavor: alpine OS: 3.22 Runtime: 8.3.26	4 weeks ago
8.3-alpine3.21 Minor runtime version update Also known as: 8.3.26-cli-alpine3.21 8.3-cli-alpine3.21 8.3.26-alpine3.21	Benefits: Same OS detected Minor runtime version update Tag was pushed more recently Image has similar size Image has same number of vulnerabilities Image contains equal number of packages Image details: Size: 37 MB Flavor: alpine OS: 3.21 Runtime: 8.3.26	4 weeks ago
8.2-alpine Minor runtime version update Also known as: 8.2.29-cli-alpine 8.2.29-cli-alpine3.22 8.2-cli-alpine 8.2-cli-alpine3.22 8.2.29-alpine 8.2.29-alpine3.22 8.2-alpine3.22	Benefits: Same OS detected Minor runtime version update Image has similar size Image has same number of vulnerabilities Image contains similar number of packages 8.2-alpine was pulled 1.8K times last month Image details: Size: 37 MB Flavor: alpine OS: 3.22 Runtime: 8.2.29	2 months ago
8.2-alpine3.21 Minor runtime version update Also known as: 8.2.29-cli-alpine3.21 8.2-cli-alpine3.21 8.2.29-alpine3.21	Benefits: Same OS detected Minor runtime version update Image has similar size Image has same number of vulnerabilities Image contains equal number of packages Image details: Size: 36 MB Flavor: alpine OS: 3.21 Runtime: 8.2.29	2 months ago

[github-actions]

Outdated

🔍 Vulnerabilities of wayofdev/php-dev:latest

📦 Image Reference wayofdev/php-dev:latest

digest	sha256:4103a611fffa9e94eca6a98e7c21223537064653ba031578808b583b668cf48f
vulnerabilities
platform	linux/amd64
size	132 MB
packages	284

📦 Base Image php:8.2-alpine

also known as	8.2-alpine3.22 8.2-cli-alpine 8.2-cli-alpine3.22 8.2.29-alpine 8.2.29-alpine3.22 8.2.29-cli-alpine 8.2.29-cli-alpine3.22 df7d2aca7d453249829e16923877c821823065f32a24e0eb2c66e7a12fd7b54b
digest	sha256:8c201df34c610be6d54a158ac62310c15b7370bfb3777508188c07513787caa0
vulnerabilities

golang.org/x/crypto 0.17.0 (golang) pkg:golang/golang.org/x/[email protected] Improper Authorization Affected range <0.31.0 Fixed version 0.31.0 CVSS Score 9.1 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N EPSS Score 47.048% EPSS Percentile 98th percentile Description Applications and libraries which misuse the ServerConfig.PublicKeyCallback callback may be susceptible to an authorization bypass. The documentation for ServerConfig.PublicKeyCallback says that "A call to this function does not guarantee that the key offered is in fact used to authenticate." Specifically, the SSH protocol allows clients to inquire about whether a public key is acceptable before proving control of the corresponding private key. PublicKeyCallback may be called with multiple keys, and the order in which the keys were provided cannot be used to infer which key the client successfully authenticated with, if any. Some applications, which store the key(s) passed to PublicKeyCallback (or derived information) and make security relevant determinations based on it once the connection is established, may make incorrect assumptions. For example, an attacker may send public keys A and B, and then authenticate with A. PublicKeyCallback would be called only twice, first with A and then with B. A vulnerable application may then make authorization decisions based on key B for which the attacker does not actually control the private key. Since this API is widely misused, as a partial mitigation golang.org/x/[email protected] enforces the property that, when successfully authenticating via public key, the last key passed to ServerConfig.PublicKeyCallback will be the key used to authenticate the connection. PublicKeyCallback will now be called multiple times with the same key, if necessary. Note that the client may still not control the last key passed to PublicKeyCallback if the connection is then authenticated with a different method, such as PasswordCallback, KeyboardInteractiveCallback, or NoClientAuth. Users should be using the Extensions field of the Permissions return value from the various authentication callbacks to record data associated with the authentication attempt instead of referencing external state. Once the connection is established the state corresponding to the successful authentication attempt can be retrieved via the ServerConn.Permissions field. Note that some third-party libraries misuse the Permissions type by sharing it across authentication attempts; users of third-party libraries should refer to the relevant projects for guidance. Affected range <0.35.0 Fixed version 0.35.0 EPSS Score 0.242% EPSS Percentile 47th percentile Description SSH servers which implement file transfer protocols are vulnerable to a denial of service attack from clients which complete the key exchange slowly, or not at all, causing pending content to be read into memory, but never transmitted.

[github-actions]

Outdated

🔍 Vulnerabilities of wayofdev/php-dev:latest

📦 Image Reference wayofdev/php-dev:latest

digest	sha256:a6431dab3dbc9699179a7f7ad5de442b9747238e7b2e33c72a339808913fd74a
vulnerabilities
platform	linux/amd64
size	117 MB
packages	249

📦 Base Image php:8-alpine

also known as	8-alpine3.22 8-cli-alpine 8-cli-alpine3.22 8.4-alpine 8.4-alpine3.22 8.4-cli-alpine 8.4-cli-alpine3.22 8.4.13-alpine 8.4.13-alpine3.22 8.4.13-cli-alpine 8.4.13-cli-alpine3.22 alpine alpine3.22 cli-alpine cli-alpine3.22 fccdb165b72cc548a2b0efc5655b3307e7eea6db96216a117a60e80fae4ed828
digest	sha256:7312bec7f935c80133ef7028fbf6d82d312be50fb833aa7f7fee0d405996352b
vulnerabilities

golang.org/x/crypto 0.17.0 (golang) pkg:golang/golang.org/x/[email protected] Improper Authorization Affected range <0.31.0 Fixed version 0.31.0 CVSS Score 9.1 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N EPSS Score 47.048% EPSS Percentile 98th percentile Description Applications and libraries which misuse the ServerConfig.PublicKeyCallback callback may be susceptible to an authorization bypass. The documentation for ServerConfig.PublicKeyCallback says that "A call to this function does not guarantee that the key offered is in fact used to authenticate." Specifically, the SSH protocol allows clients to inquire about whether a public key is acceptable before proving control of the corresponding private key. PublicKeyCallback may be called with multiple keys, and the order in which the keys were provided cannot be used to infer which key the client successfully authenticated with, if any. Some applications, which store the key(s) passed to PublicKeyCallback (or derived information) and make security relevant determinations based on it once the connection is established, may make incorrect assumptions. For example, an attacker may send public keys A and B, and then authenticate with A. PublicKeyCallback would be called only twice, first with A and then with B. A vulnerable application may then make authorization decisions based on key B for which the attacker does not actually control the private key. Since this API is widely misused, as a partial mitigation golang.org/x/[email protected] enforces the property that, when successfully authenticating via public key, the last key passed to ServerConfig.PublicKeyCallback will be the key used to authenticate the connection. PublicKeyCallback will now be called multiple times with the same key, if necessary. Note that the client may still not control the last key passed to PublicKeyCallback if the connection is then authenticated with a different method, such as PasswordCallback, KeyboardInteractiveCallback, or NoClientAuth. Users should be using the Extensions field of the Permissions return value from the various authentication callbacks to record data associated with the authentication attempt instead of referencing external state. Once the connection is established the state corresponding to the successful authentication attempt can be retrieved via the ServerConn.Permissions field. Note that some third-party libraries misuse the Permissions type by sharing it across authentication attempts; users of third-party libraries should refer to the relevant projects for guidance. Affected range <0.35.0 Fixed version 0.35.0 EPSS Score 0.242% EPSS Percentile 47th percentile Description SSH servers which implement file transfer protocols are vulnerable to a denial of service attack from clients which complete the key exchange slowly, or not at all, causing pending content to be read into memory, but never transmitted.

[github-actions]

Outdated

Recommended fixes for image wayofdev/php-dev:latest

Base image is php:8.2-alpine

Name	8.2.29-alpine3.22
Digest	sha256:8c201df34c610be6d54a158ac62310c15b7370bfb3777508188c07513787caa0
Vulnerabilities
Pushed	2 months ago
Size	37 MB
Packages	60
Flavor	alpine
OS	3.22
Runtime	8.2.29

The base image is also available under the supported tag(s): 8.2-alpine3.22, 8.2-cli-alpine, 8.2-cli-alpine3.22, 8.2.29-alpine, 8.2.29-alpine3.22, 8.2.29-cli-alpine, 8.2.29-cli-alpine3.22

Refresh base image

Rebuild the image using a newer base image version. Updating this may result in breaking changes.

✅ This image version is up to date.

Change base image

Tag	Details	Pushed	Vulnerabilities
8.4-alpine Minor runtime version update Also known as: 8.4.13-cli-alpine 8.4.13-cli-alpine3.22 8.4-cli-alpine 8.4-cli-alpine3.22 8-cli-alpine 8-cli-alpine3.22 cli-alpine cli-alpine3.22 alpine alpine3.22 8.4.13-alpine 8.4.13-alpine3.22 8.4-alpine3.22 8-alpine 8-alpine3.22	Benefits: Same OS detected Minor runtime version update Tag was pushed more recently Image has similar size Image has same number of vulnerabilities Image contains equal number of packages Image details: Size: 41 MB Flavor: alpine OS: 3.22 Runtime: 8.4.13	4 weeks ago
8.3-alpine Minor runtime version update Also known as: 8.3.26-cli-alpine 8.3.26-cli-alpine3.22 8.3-cli-alpine 8.3-cli-alpine3.22 8.3.26-alpine 8.3.26-alpine3.22 8.3-alpine3.22	Benefits: Same OS detected Minor runtime version update Tag was pushed more recently Image has similar size Image has same number of vulnerabilities Image contains equal number of packages Image details: Size: 37 MB Flavor: alpine OS: 3.22 Runtime: 8.3.26	4 weeks ago

[github-actions]

Outdated

Recommended fixes for image wayofdev/php-dev:latest

Base image is php:8-alpine

Name	8.4.13-alpine3.22
Digest	sha256:7312bec7f935c80133ef7028fbf6d82d312be50fb833aa7f7fee0d405996352b
Vulnerabilities
Pushed	4 weeks ago
Size	41 MB
Packages	60
Flavor	alpine
OS	3.22
Runtime	8.4.13

The base image is also available under the supported tag(s): 8-alpine3.22, 8-cli-alpine, 8-cli-alpine3.22, 8.4-alpine, 8.4-alpine3.22, 8.4-cli-alpine, 8.4-cli-alpine3.22, 8.4.13-alpine, 8.4.13-alpine3.22, 8.4.13-cli-alpine, 8.4.13-cli-alpine3.22, alpine, alpine3.22, cli-alpine, cli-alpine3.22

Refresh base image

Rebuild the image using a newer base image version. Updating this may result in breaking changes.

✅ This image version is up to date.

Change base image

✅ There are no tag recommendations at this time.

[github-actions]

Outdated

🔍 Vulnerabilities of wayofdev/php-dev:latest

📦 Image Reference wayofdev/php-dev:latest

digest	sha256:d674b81964539733346146e8400e465cccdfabd2b63229e2e5328ef0ec22e58f
vulnerabilities
platform	linux/amd64
size	108 MB
packages	250

📦 Base Image php:8.2-fpm-alpine

also known as	8.2-fpm-alpine3.22 8.2.29-fpm-alpine 8.2.29-fpm-alpine3.22 b4744cb64815673d45790b5eafa8eaf53ff99079651a94c25b9c42d388ece840
digest	sha256:f3f076fbd8eeaa1c1df6e657068d0a45df9584f4290d3e8442c04bc60bc5c36d
vulnerabilities

golang.org/x/crypto 0.17.0 (golang) pkg:golang/golang.org/x/[email protected] Improper Authorization Affected range <0.31.0 Fixed version 0.31.0 CVSS Score 9.1 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N EPSS Score 47.048% EPSS Percentile 98th percentile Description Applications and libraries which misuse the ServerConfig.PublicKeyCallback callback may be susceptible to an authorization bypass. The documentation for ServerConfig.PublicKeyCallback says that "A call to this function does not guarantee that the key offered is in fact used to authenticate." Specifically, the SSH protocol allows clients to inquire about whether a public key is acceptable before proving control of the corresponding private key. PublicKeyCallback may be called with multiple keys, and the order in which the keys were provided cannot be used to infer which key the client successfully authenticated with, if any. Some applications, which store the key(s) passed to PublicKeyCallback (or derived information) and make security relevant determinations based on it once the connection is established, may make incorrect assumptions. For example, an attacker may send public keys A and B, and then authenticate with A. PublicKeyCallback would be called only twice, first with A and then with B. A vulnerable application may then make authorization decisions based on key B for which the attacker does not actually control the private key. Since this API is widely misused, as a partial mitigation golang.org/x/[email protected] enforces the property that, when successfully authenticating via public key, the last key passed to ServerConfig.PublicKeyCallback will be the key used to authenticate the connection. PublicKeyCallback will now be called multiple times with the same key, if necessary. Note that the client may still not control the last key passed to PublicKeyCallback if the connection is then authenticated with a different method, such as PasswordCallback, KeyboardInteractiveCallback, or NoClientAuth. Users should be using the Extensions field of the Permissions return value from the various authentication callbacks to record data associated with the authentication attempt instead of referencing external state. Once the connection is established the state corresponding to the successful authentication attempt can be retrieved via the ServerConn.Permissions field. Note that some third-party libraries misuse the Permissions type by sharing it across authentication attempts; users of third-party libraries should refer to the relevant projects for guidance. Affected range <0.35.0 Fixed version 0.35.0 EPSS Score 0.242% EPSS Percentile 47th percentile Description SSH servers which implement file transfer protocols are vulnerable to a denial of service attack from clients which complete the key exchange slowly, or not at all, causing pending content to be read into memory, but never transmitted.

[github-actions]

Outdated

🔍 Vulnerabilities of wayofdev/php-dev:latest

📦 Image Reference wayofdev/php-dev:latest

digest	sha256:90c9144780b703a0223a9866162a18222cce461da522f1c42636ef0072a00997
vulnerabilities
platform	linux/amd64
size	132 MB
packages	284

📦 Base Image php:74ac207bc0116b73c198b79097c2361bd6912313efa113924e020d0c351b6e34

also known as	8.3-alpine 8.3-alpine3.22 8.3-cli-alpine 8.3-cli-alpine3.22 8.3.26-alpine 8.3.26-alpine3.22 8.3.26-cli-alpine 8.3.26-cli-alpine3.22
digest	sha256:990340d4a014d0090ec564f95d4fdca42b3cbeeaf8b9f0ac9105c1707cff72aa
vulnerabilities

golang.org/x/crypto 0.17.0 (golang) pkg:golang/golang.org/x/[email protected] Improper Authorization Affected range <0.31.0 Fixed version 0.31.0 CVSS Score 9.1 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N EPSS Score 47.048% EPSS Percentile 98th percentile Description Applications and libraries which misuse the ServerConfig.PublicKeyCallback callback may be susceptible to an authorization bypass. The documentation for ServerConfig.PublicKeyCallback says that "A call to this function does not guarantee that the key offered is in fact used to authenticate." Specifically, the SSH protocol allows clients to inquire about whether a public key is acceptable before proving control of the corresponding private key. PublicKeyCallback may be called with multiple keys, and the order in which the keys were provided cannot be used to infer which key the client successfully authenticated with, if any. Some applications, which store the key(s) passed to PublicKeyCallback (or derived information) and make security relevant determinations based on it once the connection is established, may make incorrect assumptions. For example, an attacker may send public keys A and B, and then authenticate with A. PublicKeyCallback would be called only twice, first with A and then with B. A vulnerable application may then make authorization decisions based on key B for which the attacker does not actually control the private key. Since this API is widely misused, as a partial mitigation golang.org/x/[email protected] enforces the property that, when successfully authenticating via public key, the last key passed to ServerConfig.PublicKeyCallback will be the key used to authenticate the connection. PublicKeyCallback will now be called multiple times with the same key, if necessary. Note that the client may still not control the last key passed to PublicKeyCallback if the connection is then authenticated with a different method, such as PasswordCallback, KeyboardInteractiveCallback, or NoClientAuth. Users should be using the Extensions field of the Permissions return value from the various authentication callbacks to record data associated with the authentication attempt instead of referencing external state. Once the connection is established the state corresponding to the successful authentication attempt can be retrieved via the ServerConn.Permissions field. Note that some third-party libraries misuse the Permissions type by sharing it across authentication attempts; users of third-party libraries should refer to the relevant projects for guidance. Affected range <0.35.0 Fixed version 0.35.0 EPSS Score 0.242% EPSS Percentile 47th percentile Description SSH servers which implement file transfer protocols are vulnerable to a denial of service attack from clients which complete the key exchange slowly, or not at all, causing pending content to be read into memory, but never transmitted.

[github-actions]

Outdated

🔍 Vulnerabilities of wayofdev/php-dev:latest

📦 Image Reference wayofdev/php-dev:latest

digest	sha256:ff30ff82e353e9493b561e9966259e5184fc3af155bed373a2f8c53d5de6bdaf
vulnerabilities
platform	linux/amd64
size	112 MB
packages	249

📦 Base Image php:8.2-alpine

also known as	8.2-alpine3.22 8.2-cli-alpine 8.2-cli-alpine3.22 8.2.29-alpine 8.2.29-alpine3.22 8.2.29-cli-alpine 8.2.29-cli-alpine3.22 df7d2aca7d453249829e16923877c821823065f32a24e0eb2c66e7a12fd7b54b
digest	sha256:8c201df34c610be6d54a158ac62310c15b7370bfb3777508188c07513787caa0
vulnerabilities

golang.org/x/crypto 0.17.0 (golang) pkg:golang/golang.org/x/[email protected] Improper Authorization Affected range <0.31.0 Fixed version 0.31.0 CVSS Score 9.1 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N EPSS Score 47.048% EPSS Percentile 98th percentile Description Applications and libraries which misuse the ServerConfig.PublicKeyCallback callback may be susceptible to an authorization bypass. The documentation for ServerConfig.PublicKeyCallback says that "A call to this function does not guarantee that the key offered is in fact used to authenticate." Specifically, the SSH protocol allows clients to inquire about whether a public key is acceptable before proving control of the corresponding private key. PublicKeyCallback may be called with multiple keys, and the order in which the keys were provided cannot be used to infer which key the client successfully authenticated with, if any. Some applications, which store the key(s) passed to PublicKeyCallback (or derived information) and make security relevant determinations based on it once the connection is established, may make incorrect assumptions. For example, an attacker may send public keys A and B, and then authenticate with A. PublicKeyCallback would be called only twice, first with A and then with B. A vulnerable application may then make authorization decisions based on key B for which the attacker does not actually control the private key. Since this API is widely misused, as a partial mitigation golang.org/x/[email protected] enforces the property that, when successfully authenticating via public key, the last key passed to ServerConfig.PublicKeyCallback will be the key used to authenticate the connection. PublicKeyCallback will now be called multiple times with the same key, if necessary. Note that the client may still not control the last key passed to PublicKeyCallback if the connection is then authenticated with a different method, such as PasswordCallback, KeyboardInteractiveCallback, or NoClientAuth. Users should be using the Extensions field of the Permissions return value from the various authentication callbacks to record data associated with the authentication attempt instead of referencing external state. Once the connection is established the state corresponding to the successful authentication attempt can be retrieved via the ServerConn.Permissions field. Note that some third-party libraries misuse the Permissions type by sharing it across authentication attempts; users of third-party libraries should refer to the relevant projects for guidance. Affected range <0.35.0 Fixed version 0.35.0 EPSS Score 0.242% EPSS Percentile 47th percentile Description SSH servers which implement file transfer protocols are vulnerable to a denial of service attack from clients which complete the key exchange slowly, or not at all, causing pending content to be read into memory, but never transmitted.

[github-actions]

Outdated

Recommended fixes for image wayofdev/php-dev:latest

Base image is php:8.2-alpine

Name	8.2.29-alpine3.22
Digest	sha256:8c201df34c610be6d54a158ac62310c15b7370bfb3777508188c07513787caa0
Vulnerabilities
Pushed	2 months ago
Size	37 MB
Packages	60
Flavor	alpine
OS	3.22
Runtime	8.2.29

The base image is also available under the supported tag(s): 8.2-alpine3.22, 8.2-cli-alpine, 8.2-cli-alpine3.22, 8.2.29-alpine, 8.2.29-alpine3.22, 8.2.29-cli-alpine, 8.2.29-cli-alpine3.22

Refresh base image

Rebuild the image using a newer base image version. Updating this may result in breaking changes.

✅ This image version is up to date.

Change base image

Tag	Details	Pushed	Vulnerabilities
8.4-alpine Minor runtime version update Also known as: 8.4.13-cli-alpine 8.4.13-cli-alpine3.22 8.4-cli-alpine 8.4-cli-alpine3.22 8-cli-alpine 8-cli-alpine3.22 cli-alpine cli-alpine3.22 alpine alpine3.22 8.4.13-alpine 8.4.13-alpine3.22 8.4-alpine3.22 8-alpine 8-alpine3.22	Benefits: Same OS detected Minor runtime version update Tag was pushed more recently Image has similar size Image has same number of vulnerabilities Image contains equal number of packages Image details: Size: 41 MB Flavor: alpine OS: 3.22 Runtime: 8.4.13	4 weeks ago
8.3-alpine Minor runtime version update Also known as: 8.3.26-cli-alpine 8.3.26-cli-alpine3.22 8.3-cli-alpine 8.3-cli-alpine3.22 8.3.26-alpine 8.3.26-alpine3.22 8.3-alpine3.22	Benefits: Same OS detected Minor runtime version update Tag was pushed more recently Image has similar size Image has same number of vulnerabilities Image contains equal number of packages Image details: Size: 37 MB Flavor: alpine OS: 3.22 Runtime: 8.3.26	4 weeks ago

[github-actions]

Outdated

Recommended fixes for image wayofdev/php-dev:latest

Base image is php:8.2-fpm-alpine

Name	8.2.29-fpm-alpine3.22
Digest	sha256:f3f076fbd8eeaa1c1df6e657068d0a45df9584f4290d3e8442c04bc60bc5c36d
Vulnerabilities
Pushed	2 months ago
Size	32 MB
Packages	61
Flavor	alpine
OS	3.22
Runtime	8.2.29

The base image is also available under the supported tag(s): 8.2-fpm-alpine3.22, 8.2.29-fpm-alpine, 8.2.29-fpm-alpine3.22

Refresh base image

Rebuild the image using a newer base image version. Updating this may result in breaking changes.

✅ This image version is up to date.

Change base image

Tag	Details	Pushed	Vulnerabilities
8.3-fpm-alpine Minor runtime version update Also known as: 8.3.26-fpm-alpine 8.3.26-fpm-alpine3.22 8.3-fpm-alpine3.22	Benefits: Same OS detected Minor runtime version update Tag was pushed more recently Image has similar size Image has same number of vulnerabilities Image contains equal number of packages Image details: Size: 33 MB Flavor: alpine OS: 3.22 Runtime: 8.3.26	4 weeks ago
8.4-fpm-alpine Image has same number of vulnerabilities Also known as: 8.4.13-fpm-alpine 8.4.13-fpm-alpine3.22 8.4-fpm-alpine3.22 8-fpm-alpine 8-fpm-alpine3.22 fpm-alpine fpm-alpine3.22	Benefits: Same OS detected Tag was pushed more recently Image has similar size Image has same number of vulnerabilities Image contains equal number of packages Image details: Size: 36 MB Flavor: alpine OS: 3.22	4 weeks ago

[github-actions]

Outdated

Recommended fixes for image wayofdev/php-dev:latest

Base image is php:8.3-alpine

Name	8.3.26-alpine3.22
Digest	sha256:990340d4a014d0090ec564f95d4fdca42b3cbeeaf8b9f0ac9105c1707cff72aa
Vulnerabilities
Pushed	4 weeks ago
Size	37 MB
Packages	60
Flavor	alpine
OS	3.22
Runtime	8.3.26

The base image is also available under the supported tag(s): 8.3-alpine3.22, 8.3-cli-alpine, 8.3-cli-alpine3.22, 8.3.26-alpine, 8.3.26-alpine3.22, 8.3.26-cli-alpine, 8.3.26-cli-alpine3.22

Refresh base image

Rebuild the image using a newer base image version. Updating this may result in breaking changes.

✅ This image version is up to date.

Change base image

Tag	Details	Pushed	Vulnerabilities
8.4-alpine Minor runtime version update Also known as: 8.4.13-cli-alpine 8.4.13-cli-alpine3.22 8.4-cli-alpine 8.4-cli-alpine3.22 8-cli-alpine 8-cli-alpine3.22 cli-alpine cli-alpine3.22 alpine alpine3.22 8.4.13-alpine 8.4.13-alpine3.22 8.4-alpine3.22 8-alpine 8-alpine3.22	Benefits: Same OS detected Minor runtime version update Image has similar size Image has same number of vulnerabilities Image contains equal number of packages Image details: Size: 41 MB Flavor: alpine OS: 3.22 Runtime: 8.4.13	4 weeks ago

[github-actions]

Outdated

🔍 Vulnerabilities of wayofdev/php-dev:latest

📦 Image Reference wayofdev/php-dev:latest

digest	sha256:f31620c1c8ad168ad3d6148969d24d1d354dd01d92a802e95315dc66de9aee8d
vulnerabilities
platform	linux/amd64
size	112 MB
packages	250

📦 Base Image php:8-fpm-alpine

also known as	8-fpm-alpine3.22 8.4-fpm-alpine 8.4-fpm-alpine3.22 8.4.13-fpm-alpine 8.4.13-fpm-alpine3.22 be12027ae933c17a29d9cf56e2480967afd04719fa2f20358ea1ad257a435605 fpm-alpine fpm-alpine3.22
digest	sha256:4efaf7966df90365b41e71d5085b1c49348acb80bc5e0aa709de2b9b5f4dcb35
vulnerabilities

golang.org/x/crypto 0.17.0 (golang) pkg:golang/golang.org/x/[email protected] Improper Authorization Affected range <0.31.0 Fixed version 0.31.0 CVSS Score 9.1 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N EPSS Score 47.048% EPSS Percentile 98th percentile Description Applications and libraries which misuse the ServerConfig.PublicKeyCallback callback may be susceptible to an authorization bypass. The documentation for ServerConfig.PublicKeyCallback says that "A call to this function does not guarantee that the key offered is in fact used to authenticate." Specifically, the SSH protocol allows clients to inquire about whether a public key is acceptable before proving control of the corresponding private key. PublicKeyCallback may be called with multiple keys, and the order in which the keys were provided cannot be used to infer which key the client successfully authenticated with, if any. Some applications, which store the key(s) passed to PublicKeyCallback (or derived information) and make security relevant determinations based on it once the connection is established, may make incorrect assumptions. For example, an attacker may send public keys A and B, and then authenticate with A. PublicKeyCallback would be called only twice, first with A and then with B. A vulnerable application may then make authorization decisions based on key B for which the attacker does not actually control the private key. Since this API is widely misused, as a partial mitigation golang.org/x/[email protected] enforces the property that, when successfully authenticating via public key, the last key passed to ServerConfig.PublicKeyCallback will be the key used to authenticate the connection. PublicKeyCallback will now be called multiple times with the same key, if necessary. Note that the client may still not control the last key passed to PublicKeyCallback if the connection is then authenticated with a different method, such as PasswordCallback, KeyboardInteractiveCallback, or NoClientAuth. Users should be using the Extensions field of the Permissions return value from the various authentication callbacks to record data associated with the authentication attempt instead of referencing external state. Once the connection is established the state corresponding to the successful authentication attempt can be retrieved via the ServerConn.Permissions field. Note that some third-party libraries misuse the Permissions type by sharing it across authentication attempts; users of third-party libraries should refer to the relevant projects for guidance. Affected range <0.35.0 Fixed version 0.35.0 EPSS Score 0.242% EPSS Percentile 47th percentile Description SSH servers which implement file transfer protocols are vulnerable to a denial of service attack from clients which complete the key exchange slowly, or not at all, causing pending content to be read into memory, but never transmitted.

[github-actions]

Outdated

🔍 Vulnerabilities of wayofdev/php-dev:latest

📦 Image Reference wayofdev/php-dev:latest

digest	sha256:05df23153e866aa6ffa2d37f7e814252b0d4b8f5b7791a71857b5ea02520dfa4
vulnerabilities
platform	linux/amd64
size	109 MB
packages	247

📦 Base Image php:8.1-alpine

also known as	8.1-alpine3.21 8.1-cli-alpine 8.1-cli-alpine3.21 8.1.33-alpine 8.1.33-alpine3.21 8.1.33-cli-alpine 8.1.33-cli-alpine3.21 aeda52007687158f88915a60b395065c946a772587552d11e8e49511924585c9
digest	sha256:b2694ec936f57efe2633da0a83e055af8e7ccf4a08274fb299396c8a2fa12285
vulnerabilities

golang.org/x/crypto 0.17.0 (golang) pkg:golang/golang.org/x/[email protected] Improper Authorization Affected range <0.31.0 Fixed version 0.31.0 CVSS Score 9.1 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N EPSS Score 47.048% EPSS Percentile 98th percentile Description Applications and libraries which misuse the ServerConfig.PublicKeyCallback callback may be susceptible to an authorization bypass. The documentation for ServerConfig.PublicKeyCallback says that "A call to this function does not guarantee that the key offered is in fact used to authenticate." Specifically, the SSH protocol allows clients to inquire about whether a public key is acceptable before proving control of the corresponding private key. PublicKeyCallback may be called with multiple keys, and the order in which the keys were provided cannot be used to infer which key the client successfully authenticated with, if any. Some applications, which store the key(s) passed to PublicKeyCallback (or derived information) and make security relevant determinations based on it once the connection is established, may make incorrect assumptions. For example, an attacker may send public keys A and B, and then authenticate with A. PublicKeyCallback would be called only twice, first with A and then with B. A vulnerable application may then make authorization decisions based on key B for which the attacker does not actually control the private key. Since this API is widely misused, as a partial mitigation golang.org/x/[email protected] enforces the property that, when successfully authenticating via public key, the last key passed to ServerConfig.PublicKeyCallback will be the key used to authenticate the connection. PublicKeyCallback will now be called multiple times with the same key, if necessary. Note that the client may still not control the last key passed to PublicKeyCallback if the connection is then authenticated with a different method, such as PasswordCallback, KeyboardInteractiveCallback, or NoClientAuth. Users should be using the Extensions field of the Permissions return value from the various authentication callbacks to record data associated with the authentication attempt instead of referencing external state. Once the connection is established the state corresponding to the successful authentication attempt can be retrieved via the ServerConn.Permissions field. Note that some third-party libraries misuse the Permissions type by sharing it across authentication attempts; users of third-party libraries should refer to the relevant projects for guidance. Affected range <0.35.0 Fixed version 0.35.0 EPSS Score 0.242% EPSS Percentile 47th percentile Description SSH servers which implement file transfer protocols are vulnerable to a denial of service attack from clients which complete the key exchange slowly, or not at all, causing pending content to be read into memory, but never transmitted.

[github-actions]

Outdated

🔍 Vulnerabilities of wayofdev/php-dev:latest

📦 Image Reference wayofdev/php-dev:latest

digest	sha256:5c7aaca0dcf009f689cf92fd06e848628ce0d9cf0c617dcac7790a1b40c2d4fc
vulnerabilities
platform	linux/amd64
size	105 MB
packages	248

📦 Base Image php:8.1-fpm-alpine

also known as	8.1-fpm-alpine3.21 8.1.33-fpm-alpine 8.1.33-fpm-alpine3.21 a5705c7e8a9637ec417dc448b6afb91982a252f2f08a056af3166d3e0b36cc0e
digest	sha256:3f6d33709f6648a334f44757f43bc6c9e4c4390b4ff555199f28377601455de9
vulnerabilities

golang.org/x/crypto 0.17.0 (golang) pkg:golang/golang.org/x/[email protected] Improper Authorization Affected range <0.31.0 Fixed version 0.31.0 CVSS Score 9.1 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N EPSS Score 47.048% EPSS Percentile 98th percentile Description Applications and libraries which misuse the ServerConfig.PublicKeyCallback callback may be susceptible to an authorization bypass. The documentation for ServerConfig.PublicKeyCallback says that "A call to this function does not guarantee that the key offered is in fact used to authenticate." Specifically, the SSH protocol allows clients to inquire about whether a public key is acceptable before proving control of the corresponding private key. PublicKeyCallback may be called with multiple keys, and the order in which the keys were provided cannot be used to infer which key the client successfully authenticated with, if any. Some applications, which store the key(s) passed to PublicKeyCallback (or derived information) and make security relevant determinations based on it once the connection is established, may make incorrect assumptions. For example, an attacker may send public keys A and B, and then authenticate with A. PublicKeyCallback would be called only twice, first with A and then with B. A vulnerable application may then make authorization decisions based on key B for which the attacker does not actually control the private key. Since this API is widely misused, as a partial mitigation golang.org/x/[email protected] enforces the property that, when successfully authenticating via public key, the last key passed to ServerConfig.PublicKeyCallback will be the key used to authenticate the connection. PublicKeyCallback will now be called multiple times with the same key, if necessary. Note that the client may still not control the last key passed to PublicKeyCallback if the connection is then authenticated with a different method, such as PasswordCallback, KeyboardInteractiveCallback, or NoClientAuth. Users should be using the Extensions field of the Permissions return value from the various authentication callbacks to record data associated with the authentication attempt instead of referencing external state. Once the connection is established the state corresponding to the successful authentication attempt can be retrieved via the ServerConn.Permissions field. Note that some third-party libraries misuse the Permissions type by sharing it across authentication attempts; users of third-party libraries should refer to the relevant projects for guidance. Affected range <0.35.0 Fixed version 0.35.0 EPSS Score 0.242% EPSS Percentile 47th percentile Description SSH servers which implement file transfer protocols are vulnerable to a denial of service attack from clients which complete the key exchange slowly, or not at all, causing pending content to be read into memory, but never transmitted.

[github-actions]

Outdated

🔍 Vulnerabilities of wayofdev/php-dev:latest

📦 Image Reference wayofdev/php-dev:latest

digest	sha256:30f9b30846c852d96b7b308244fa7fefd3ebc560ca686927f020a0cf713438b2
vulnerabilities
platform	linux/amd64
size	136 MB
packages	284

📦 Base Image php:8-alpine

also known as	8-alpine3.22 8-cli-alpine 8-cli-alpine3.22 8.4-alpine 8.4-alpine3.22 8.4-cli-alpine 8.4-cli-alpine3.22 8.4.13-alpine 8.4.13-alpine3.22 8.4.13-cli-alpine 8.4.13-cli-alpine3.22 alpine alpine3.22 cli-alpine cli-alpine3.22 fccdb165b72cc548a2b0efc5655b3307e7eea6db96216a117a60e80fae4ed828
digest	sha256:7312bec7f935c80133ef7028fbf6d82d312be50fb833aa7f7fee0d405996352b
vulnerabilities

golang.org/x/crypto 0.17.0 (golang) pkg:golang/golang.org/x/[email protected] Improper Authorization Affected range <0.31.0 Fixed version 0.31.0 CVSS Score 9.1 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N EPSS Score 47.048% EPSS Percentile 98th percentile Description Applications and libraries which misuse the ServerConfig.PublicKeyCallback callback may be susceptible to an authorization bypass. The documentation for ServerConfig.PublicKeyCallback says that "A call to this function does not guarantee that the key offered is in fact used to authenticate." Specifically, the SSH protocol allows clients to inquire about whether a public key is acceptable before proving control of the corresponding private key. PublicKeyCallback may be called with multiple keys, and the order in which the keys were provided cannot be used to infer which key the client successfully authenticated with, if any. Some applications, which store the key(s) passed to PublicKeyCallback (or derived information) and make security relevant determinations based on it once the connection is established, may make incorrect assumptions. For example, an attacker may send public keys A and B, and then authenticate with A. PublicKeyCallback would be called only twice, first with A and then with B. A vulnerable application may then make authorization decisions based on key B for which the attacker does not actually control the private key. Since this API is widely misused, as a partial mitigation golang.org/x/[email protected] enforces the property that, when successfully authenticating via public key, the last key passed to ServerConfig.PublicKeyCallback will be the key used to authenticate the connection. PublicKeyCallback will now be called multiple times with the same key, if necessary. Note that the client may still not control the last key passed to PublicKeyCallback if the connection is then authenticated with a different method, such as PasswordCallback, KeyboardInteractiveCallback, or NoClientAuth. Users should be using the Extensions field of the Permissions return value from the various authentication callbacks to record data associated with the authentication attempt instead of referencing external state. Once the connection is established the state corresponding to the successful authentication attempt can be retrieved via the ServerConn.Permissions field. Note that some third-party libraries misuse the Permissions type by sharing it across authentication attempts; users of third-party libraries should refer to the relevant projects for guidance. Affected range <0.35.0 Fixed version 0.35.0 EPSS Score 0.242% EPSS Percentile 47th percentile Description SSH servers which implement file transfer protocols are vulnerable to a denial of service attack from clients which complete the key exchange slowly, or not at all, causing pending content to be read into memory, but never transmitted.

[github-actions]

Outdated

🔍 Vulnerabilities of wayofdev/php-dev:latest

📦 Image Reference wayofdev/php-dev:latest

digest	sha256:878a71d005b14dd0c4b32159fce5279ba26cc29f1eb69aff35ddc1bc399bf228
vulnerabilities
platform	linux/amd64
size	109 MB
packages	250

📦 Base Image php:7594c2581e3f8fffcf0f16338d2f97a001a068e7c7285197b721ad5d6cb2eced

also known as	8.3-fpm-alpine 8.3-fpm-alpine3.22 8.3.26-fpm-alpine 8.3.26-fpm-alpine3.22
digest	sha256:23bc3071de0155cc91ed48be24ca498a730460a6fa5bd0d517eaba07e753204b
vulnerabilities

golang.org/x/crypto 0.17.0 (golang) pkg:golang/golang.org/x/[email protected] Improper Authorization Affected range <0.31.0 Fixed version 0.31.0 CVSS Score 9.1 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N EPSS Score 47.048% EPSS Percentile 98th percentile Description Applications and libraries which misuse the ServerConfig.PublicKeyCallback callback may be susceptible to an authorization bypass. The documentation for ServerConfig.PublicKeyCallback says that "A call to this function does not guarantee that the key offered is in fact used to authenticate." Specifically, the SSH protocol allows clients to inquire about whether a public key is acceptable before proving control of the corresponding private key. PublicKeyCallback may be called with multiple keys, and the order in which the keys were provided cannot be used to infer which key the client successfully authenticated with, if any. Some applications, which store the key(s) passed to PublicKeyCallback (or derived information) and make security relevant determinations based on it once the connection is established, may make incorrect assumptions. For example, an attacker may send public keys A and B, and then authenticate with A. PublicKeyCallback would be called only twice, first with A and then with B. A vulnerable application may then make authorization decisions based on key B for which the attacker does not actually control the private key. Since this API is widely misused, as a partial mitigation golang.org/x/[email protected] enforces the property that, when successfully authenticating via public key, the last key passed to ServerConfig.PublicKeyCallback will be the key used to authenticate the connection. PublicKeyCallback will now be called multiple times with the same key, if necessary. Note that the client may still not control the last key passed to PublicKeyCallback if the connection is then authenticated with a different method, such as PasswordCallback, KeyboardInteractiveCallback, or NoClientAuth. Users should be using the Extensions field of the Permissions return value from the various authentication callbacks to record data associated with the authentication attempt instead of referencing external state. Once the connection is established the state corresponding to the successful authentication attempt can be retrieved via the ServerConn.Permissions field. Note that some third-party libraries misuse the Permissions type by sharing it across authentication attempts; users of third-party libraries should refer to the relevant projects for guidance. Affected range <0.35.0 Fixed version 0.35.0 EPSS Score 0.242% EPSS Percentile 47th percentile Description SSH servers which implement file transfer protocols are vulnerable to a denial of service attack from clients which complete the key exchange slowly, or not at all, causing pending content to be read into memory, but never transmitted.

[github-actions]

Outdated

Recommended fixes for image wayofdev/php-dev:latest

Base image is php:8.1-fpm-alpine

Name	8.1.33-fpm-alpine3.21
Digest	sha256:3f6d33709f6648a334f44757f43bc6c9e4c4390b4ff555199f28377601455de9
Vulnerabilities
Pushed	2 months ago
Size	32 MB
Packages	60
Flavor	alpine
OS	3.21
Runtime	8.1.33

The base image is also available under the supported tag(s): 8.1-fpm-alpine3.21, 8.1.33-fpm-alpine, 8.1.33-fpm-alpine3.21

Refresh base image

Rebuild the image using a newer base image version. Updating this may result in breaking changes.

✅ This image version is up to date.

Change base image

Tag	Details	Pushed	Vulnerabilities
8.1-fpm-alpine3.22 Patch runtime version update Also known as: 8.1.33-fpm-alpine3.22	Benefits: Patch runtime version update Same OS detected Image has similar size Image has same number of vulnerabilities Image contains similar number of packages Image details: Size: 32 MB Flavor: alpine OS: 3.22 Runtime: 8.1.33	2 months ago
8.3-fpm-alpine Minor runtime version update Also known as: 8.3.26-fpm-alpine 8.3.26-fpm-alpine3.22 8.3-fpm-alpine3.22	Benefits: Same OS detected Minor runtime version update Tag was pushed more recently Image has similar size Image has same number of vulnerabilities Image contains similar number of packages Image details: Size: 33 MB Flavor: alpine OS: 3.22 Runtime: 8.3.26	4 weeks ago
8.3-fpm-alpine3.21 Minor runtime version update Also known as: 8.3.26-fpm-alpine3.21	Benefits: Same OS detected Minor runtime version update Tag was pushed more recently Image has similar size Image has same number of vulnerabilities Image contains equal number of packages Image details: Size: 33 MB Flavor: alpine OS: 3.21 Runtime: 8.3.26	4 weeks ago
8.2-fpm-alpine Minor runtime version update Also known as: 8.2.29-fpm-alpine 8.2.29-fpm-alpine3.22 8.2-fpm-alpine3.22	Benefits: Same OS detected Minor runtime version update Image has similar size Image has same number of vulnerabilities Image contains similar number of packages 8.2-fpm-alpine was pulled 4.1K times last month Image details: Size: 32 MB Flavor: alpine OS: 3.22 Runtime: 8.2.29	2 months ago
8.2-fpm-alpine3.21 Minor runtime version update Also known as: 8.2.29-fpm-alpine3.21	Benefits: Same OS detected Minor runtime version update Image has similar size Image has same number of vulnerabilities Image contains equal number of packages Image details: Size: 32 MB Flavor: alpine OS: 3.21 Runtime: 8.2.29	2 months ago
8.4-fpm-alpine Image has same number of vulnerabilities Also known as: 8.4.13-fpm-alpine 8.4.13-fpm-alpine3.22 8.4-fpm-alpine3.22 8-fpm-alpine 8-fpm-alpine3.22 fpm-alpine fpm-alpine3.22	Benefits: Same OS detected Tag was pushed more recently Image has similar size Image has same number of vulnerabilities Image contains similar number of packages Image details: Size: 36 MB Flavor: alpine OS: 3.22	4 weeks ago
8.4-fpm-alpine3.21 Image has same number of vulnerabilities Also known as: 8.4.13-fpm-alpine3.21 8-fpm-alpine3.21 fpm-alpine3.21	Benefits: Same OS detected Tag was pushed more recently Image has similar size Image has same number of vulnerabilities Image contains equal number of packages Image details: Size: 36 MB Flavor: alpine OS: 3.21	4 weeks ago

[github-actions]

Outdated

Recommended fixes for image wayofdev/php-dev:latest

Base image is php:8-fpm-alpine

Name	fpm-alpine3.22
Digest	sha256:4efaf7966df90365b41e71d5085b1c49348acb80bc5e0aa709de2b9b5f4dcb35
Vulnerabilities
Pushed	4 weeks ago
Size	36 MB
Packages	61
Flavor	alpine
OS	3.22

The base image is also available under the supported tag(s): 8-fpm-alpine3.22, 8.4-fpm-alpine, 8.4-fpm-alpine3.22, 8.4.13-fpm-alpine, 8.4.13-fpm-alpine3.22, fpm-alpine, fpm-alpine3.22

Refresh base image

Rebuild the image using a newer base image version. Updating this may result in breaking changes.

✅ This image version is up to date.

Change base image

Tag	Details	Pushed	Vulnerabilities
8.3-fpm-alpine Minor runtime version update Also known as: 8.3.26-fpm-alpine 8.3.26-fpm-alpine3.22 8.3-fpm-alpine3.22	Benefits: Same OS detected Minor runtime version update Image is smaller by 2.7 MB Tag was pushed more recently Image has same number of vulnerabilities Image contains equal number of packages Image details: Size: 33 MB Flavor: alpine OS: 3.22 Runtime: 8.3.26	4 weeks ago
8.2-fpm-alpine Minor runtime version update Also known as: 8.2.29-fpm-alpine 8.2.29-fpm-alpine3.22 8.2-fpm-alpine3.22	Benefits: Same OS detected Minor runtime version update Image is smaller by 3.3 MB Image has same number of vulnerabilities Image contains equal number of packages 8.2-fpm-alpine was pulled 4.1K times last month Image details: Size: 32 MB Flavor: alpine OS: 3.22 Runtime: 8.2.29	2 months ago
8.1-fpm-alpine3.22 Minor runtime version update Also known as: 8.1.33-fpm-alpine3.22	Benefits: Same OS detected Minor runtime version update Image is smaller by 3.8 MB Image has same number of vulnerabilities Image contains equal number of packages Image details: Size: 32 MB Flavor: alpine OS: 3.22 Runtime: 8.1.33	2 months ago

[github-actions]

Outdated

Recommended fixes for image wayofdev/php-dev:latest

Base image is php:8.3-fpm-alpine

Name	8.3.26-fpm-alpine3.22
Digest	sha256:23bc3071de0155cc91ed48be24ca498a730460a6fa5bd0d517eaba07e753204b
Vulnerabilities
Pushed	4 weeks ago
Size	33 MB
Packages	61
Flavor	alpine
OS	3.22
Runtime	8.3.26

The base image is also available under the supported tag(s): 8.3-fpm-alpine3.22, 8.3.26-fpm-alpine, 8.3.26-fpm-alpine3.22

Refresh base image

Rebuild the image using a newer base image version. Updating this may result in breaking changes.

✅ This image version is up to date.

Change base image

Tag	Details	Pushed	Vulnerabilities
8.4-fpm-alpine Image has same number of vulnerabilities Also known as: 8.4.13-fpm-alpine 8.4.13-fpm-alpine3.22 8.4-fpm-alpine3.22 8-fpm-alpine 8-fpm-alpine3.22 fpm-alpine fpm-alpine3.22	Benefits: Same OS detected Image has similar size Image has same number of vulnerabilities Image contains equal number of packages Image details: Size: 36 MB Flavor: alpine OS: 3.22	4 weeks ago

[github-actions]

Outdated

Recommended fixes for image wayofdev/php-dev:latest

Base image is php:8-alpine

Name	8.4.13-alpine3.22
Digest	sha256:7312bec7f935c80133ef7028fbf6d82d312be50fb833aa7f7fee0d405996352b
Vulnerabilities
Pushed	4 weeks ago
Size	41 MB
Packages	60
Flavor	alpine
OS	3.22
Runtime	8.4.13

The base image is also available under the supported tag(s): 8-alpine3.22, 8-cli-alpine, 8-cli-alpine3.22, 8.4-alpine, 8.4-alpine3.22, 8.4-cli-alpine, 8.4-cli-alpine3.22, 8.4.13-alpine, 8.4.13-alpine3.22, 8.4.13-cli-alpine, 8.4.13-cli-alpine3.22, alpine, alpine3.22, cli-alpine, cli-alpine3.22

Refresh base image

Rebuild the image using a newer base image version. Updating this may result in breaking changes.

✅ This image version is up to date.

Change base image

✅ There are no tag recommendations at this time.

[github-actions]

Outdated

Recommended fixes for image wayofdev/php-dev:latest

Base image is php:8.1-alpine

Name	8.1.33-alpine3.21
Digest	sha256:b2694ec936f57efe2633da0a83e055af8e7ccf4a08274fb299396c8a2fa12285
Vulnerabilities
Pushed	2 months ago
Size	36 MB
Packages	59
Flavor	alpine
OS	3.21
Runtime	8.1.33

The base image is also available under the supported tag(s): 8.1-alpine3.21, 8.1-cli-alpine, 8.1-cli-alpine3.21, 8.1.33-alpine, 8.1.33-alpine3.21, 8.1.33-cli-alpine, 8.1.33-cli-alpine3.21

Refresh base image

Rebuild the image using a newer base image version. Updating this may result in breaking changes.

✅ This image version is up to date.

Change base image

Tag	Details	Pushed	Vulnerabilities
8.1-alpine3.22 Patch runtime version update Also known as: 8.1.33-cli-alpine3.22 8.1-cli-alpine3.22 8.1.33-alpine3.22	Benefits: Patch runtime version update Same OS detected Image has similar size Image has same number of vulnerabilities Image contains similar number of packages Image details: Size: 36 MB Flavor: alpine OS: 3.22 Runtime: 8.1.33	2 months ago
8.4-alpine Minor runtime version update Also known as: 8.4.13-cli-alpine 8.4.13-cli-alpine3.22 8.4-cli-alpine 8.4-cli-alpine3.22 8-cli-alpine 8-cli-alpine3.22 cli-alpine cli-alpine3.22 alpine alpine3.22 8.4.13-alpine 8.4.13-alpine3.22 8.4-alpine3.22 8-alpine 8-alpine3.22	Benefits: Same OS detected Minor runtime version update Tag was pushed more recently Image has similar size Image has same number of vulnerabilities Image contains similar number of packages Image details: Size: 41 MB Flavor: alpine OS: 3.22 Runtime: 8.4.13	4 weeks ago
8.4-alpine3.21 Minor runtime version update Also known as: 8.4.13-cli-alpine3.21 8.4-cli-alpine3.21 8-cli-alpine3.21 cli-alpine3.21 alpine3.21 8.4.13-alpine3.21 8-alpine3.21	Benefits: Same OS detected Minor runtime version update Tag was pushed more recently Image has similar size Image has same number of vulnerabilities Image contains equal number of packages Image details: Size: 41 MB Flavor: alpine OS: 3.21 Runtime: 8.4.13	4 weeks ago
8.3-alpine Minor runtime version update Also known as: 8.3.26-cli-alpine 8.3.26-cli-alpine3.22 8.3-cli-alpine 8.3-cli-alpine3.22 8.3.26-alpine 8.3.26-alpine3.22 8.3-alpine3.22	Benefits: Same OS detected Minor runtime version update Tag was pushed more recently Image has similar size Image has same number of vulnerabilities Image contains similar number of packages Image details: Size: 37 MB Flavor: alpine OS: 3.22 Runtime: 8.3.26	4 weeks ago
8.3-alpine3.21 Minor runtime version update Also known as: 8.3.26-cli-alpine3.21 8.3-cli-alpine3.21 8.3.26-alpine3.21	Benefits: Same OS detected Minor runtime version update Tag was pushed more recently Image has similar size Image has same number of vulnerabilities Image contains equal number of packages Image details: Size: 37 MB Flavor: alpine OS: 3.21 Runtime: 8.3.26	4 weeks ago
8.2-alpine Minor runtime version update Also known as: 8.2.29-cli-alpine 8.2.29-cli-alpine3.22 8.2-cli-alpine 8.2-cli-alpine3.22 8.2.29-alpine 8.2.29-alpine3.22 8.2-alpine3.22	Benefits: Same OS detected Minor runtime version update Image has similar size Image has same number of vulnerabilities Image contains similar number of packages 8.2-alpine was pulled 1.8K times last month Image details: Size: 37 MB Flavor: alpine OS: 3.22 Runtime: 8.2.29	2 months ago
8.2-alpine3.21 Minor runtime version update Also known as: 8.2.29-cli-alpine3.21 8.2-cli-alpine3.21 8.2.29-alpine3.21	Benefits: Same OS detected Minor runtime version update Image has similar size Image has same number of vulnerabilities Image contains equal number of packages Image details: Size: 36 MB Flavor: alpine OS: 3.21 Runtime: 8.2.29	2 months ago

[github-actions]

🔍 Vulnerabilities of wayofdev/php-dev:latest

📦 Image Reference wayofdev/php-dev:latest

digest	sha256:02dca8f081cb69f27eaf624b3513dbe363aa84c37a4fcdf94888ea8f69e06e2e
vulnerabilities
platform	linux/amd64
size	113 MB
packages	249

📦 Base Image php:74ac207bc0116b73c198b79097c2361bd6912313efa113924e020d0c351b6e34

also known as	8.3-alpine 8.3-alpine3.22 8.3-cli-alpine 8.3-cli-alpine3.22 8.3.26-alpine 8.3.26-alpine3.22 8.3.26-cli-alpine 8.3.26-cli-alpine3.22
digest	sha256:990340d4a014d0090ec564f95d4fdca42b3cbeeaf8b9f0ac9105c1707cff72aa
vulnerabilities

golang.org/x/crypto 0.17.0 (golang) pkg:golang/golang.org/x/[email protected] Improper Authorization Affected range <0.31.0 Fixed version 0.31.0 CVSS Score 9.1 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N EPSS Score 47.048% EPSS Percentile 98th percentile Description Applications and libraries which misuse the ServerConfig.PublicKeyCallback callback may be susceptible to an authorization bypass. The documentation for ServerConfig.PublicKeyCallback says that "A call to this function does not guarantee that the key offered is in fact used to authenticate." Specifically, the SSH protocol allows clients to inquire about whether a public key is acceptable before proving control of the corresponding private key. PublicKeyCallback may be called with multiple keys, and the order in which the keys were provided cannot be used to infer which key the client successfully authenticated with, if any. Some applications, which store the key(s) passed to PublicKeyCallback (or derived information) and make security relevant determinations based on it once the connection is established, may make incorrect assumptions. For example, an attacker may send public keys A and B, and then authenticate with A. PublicKeyCallback would be called only twice, first with A and then with B. A vulnerable application may then make authorization decisions based on key B for which the attacker does not actually control the private key. Since this API is widely misused, as a partial mitigation golang.org/x/[email protected] enforces the property that, when successfully authenticating via public key, the last key passed to ServerConfig.PublicKeyCallback will be the key used to authenticate the connection. PublicKeyCallback will now be called multiple times with the same key, if necessary. Note that the client may still not control the last key passed to PublicKeyCallback if the connection is then authenticated with a different method, such as PasswordCallback, KeyboardInteractiveCallback, or NoClientAuth. Users should be using the Extensions field of the Permissions return value from the various authentication callbacks to record data associated with the authentication attempt instead of referencing external state. Once the connection is established the state corresponding to the successful authentication attempt can be retrieved via the ServerConn.Permissions field. Note that some third-party libraries misuse the Permissions type by sharing it across authentication attempts; users of third-party libraries should refer to the relevant projects for guidance. Affected range <0.35.0 Fixed version 0.35.0 EPSS Score 0.242% EPSS Percentile 47th percentile Description SSH servers which implement file transfer protocols are vulnerable to a denial of service attack from clients which complete the key exchange slowly, or not at all, causing pending content to be read into memory, but never transmitted.

[github-actions]

Recommended fixes for image wayofdev/php-dev:latest

Base image is php:8.3-alpine

Name	8.3.26-alpine3.22
Digest	sha256:990340d4a014d0090ec564f95d4fdca42b3cbeeaf8b9f0ac9105c1707cff72aa
Vulnerabilities
Pushed	4 weeks ago
Size	37 MB
Packages	60
Flavor	alpine
OS	3.22
Runtime	8.3.26

The base image is also available under the supported tag(s): 8.3-alpine3.22, 8.3-cli-alpine, 8.3-cli-alpine3.22, 8.3.26-alpine, 8.3.26-alpine3.22, 8.3.26-cli-alpine, 8.3.26-cli-alpine3.22

Refresh base image

Rebuild the image using a newer base image version. Updating this may result in breaking changes.

✅ This image version is up to date.

Change base image

Tag	Details	Pushed	Vulnerabilities
8.4-alpine Minor runtime version update Also known as: 8.4.13-cli-alpine 8.4.13-cli-alpine3.22 8.4-cli-alpine 8.4-cli-alpine3.22 8-cli-alpine 8-cli-alpine3.22 cli-alpine cli-alpine3.22 alpine alpine3.22 8.4.13-alpine 8.4.13-alpine3.22 8.4-alpine3.22 8-alpine 8-alpine3.22	Benefits: Same OS detected Minor runtime version update Image has similar size Image has same number of vulnerabilities Image contains equal number of packages Image details: Size: 41 MB Flavor: alpine OS: 3.22 Runtime: 8.4.13	4 weeks ago