Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

chore(master): release 2.8.0 #109

Merged
merged 1 commit into from
Nov 22, 2024
Merged

chore(master): release 2.8.0 #109

merged 1 commit into from
Nov 22, 2024

Conversation

lotyp
Copy link
Member

@lotyp lotyp commented Nov 22, 2024

🤖 I have created a release beep boop

2.8.0 (2024-11-22)

Features

This PR was generated with Release Please. See documentation.

@github-actions GitHub Actions
Copy link

github-actions bot commented Nov 22, 2024
edited
Loading

Outdated

🔍 Vulnerabilities of moby/buildkit:buildx-stable-1

📦 Image Reference moby/buildkit:buildx-stable-1
digestsha256:fe9e882c6ca03172babd2d89a69a225771ffe56ee1c28a7fbd58c57bf4a59034
vulnerabilitiescritical: 0 high: 4 medium: 0 low: 0
size102 MB
packages247
📦 Base Image alpine:05a56cc5acbd9c9c5b7ba5ec88d866a0ddc76b586828f8288d29c57ccaa15a10
also known as
  • 3
  • 3.20
  • 3.20.3
  • latest
digestsha256:029a752048e32e843bd6defe3841186fb8d19a28dae8ec287f433bb9d6d1ad85
vulnerabilitiescritical: 0 high: 0 medium: 1 low: 0
critical: 0 high: 4 medium: 0 low: 0 stdlib 1.22.4 (golang)

pkg:golang/[email protected]

high : CVE--2024--34158

Affected range<1.22.7
Fixed version1.22.7
EPSS Score0.04%
EPSS Percentile17th percentile
Description

Calling Parse on a "// +build" build tag line with deeply nested expressions can cause a panic due to stack exhaustion.

high : CVE--2024--34156

Affected range<1.22.7
Fixed version1.22.7
EPSS Score0.04%
EPSS Percentile17th percentile
Description

Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion. This is a follow-up to CVE-2022-30635.

high : CVE--2024--24791

Affected range>=1.22.0-0
<1.22.5
Fixed version1.22.5
EPSS Score0.04%
EPSS Percentile17th percentile
Description

The net/http HTTP/1.1 client mishandled the case where a server responds to a request with an "Expect: 100-continue" header with a non-informational (200 or higher) status. This mishandling could leave a client connection in an invalid state, where the next request sent on the connection will fail.

An attacker sending a request to a net/http/httputil.ReverseProxy proxy can exploit this mishandling to cause a denial of service by sending "Expect: 100-continue" requests which elicit a non-informational response from the backend. Each such request leaves the proxy with an invalid connection, and causes one subsequent request using that connection to fail.

high : CVE--2022--30635

Affected range<1.22.7
Fixed version1.22.7
EPSS Score0.19%
EPSS Percentile57th percentile
Description

Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion. This is a follow-up to CVE-2022-30635.

@github-actions GitHub Actions
Copy link

github-actions bot commented Nov 22, 2024
edited
Loading

Outdated

Recommended fixes for image moby/buildkit:buildx-stable-1

Base image is alpine:3

Name3.20.3
Digestsha256:029a752048e32e843bd6defe3841186fb8d19a28dae8ec287f433bb9d6d1ad85
Vulnerabilitiescritical: 0 high: 0 medium: 1 low: 0
Pushed2 months ago
Size3.6 MB
Packages17
OS3.20.3
The base image is also available under the supported tag(s): 3.20, 3.20.3, latest

Refresh base image

Rebuild the image using a newer base image version. Updating this may result in breaking changes.

✅ This image version is up to date.

Change base image

✅ There are no tag recommendations at this time.

@github-actions GitHub Actions
Copy link

github-actions bot commented Nov 22, 2024
edited
Loading

Outdated

🔍 Vulnerabilities of moby/buildkit:buildx-stable-1

📦 Image Reference moby/buildkit:buildx-stable-1
digestsha256:fe9e882c6ca03172babd2d89a69a225771ffe56ee1c28a7fbd58c57bf4a59034
vulnerabilitiescritical: 0 high: 4 medium: 0 low: 0
size102 MB
packages247
📦 Base Image alpine:05a56cc5acbd9c9c5b7ba5ec88d866a0ddc76b586828f8288d29c57ccaa15a10
also known as
  • 3
  • 3.20
  • 3.20.3
  • latest
digestsha256:029a752048e32e843bd6defe3841186fb8d19a28dae8ec287f433bb9d6d1ad85
vulnerabilitiescritical: 0 high: 0 medium: 1 low: 0
critical: 0 high: 4 medium: 0 low: 0 stdlib 1.22.4 (golang)

pkg:golang/[email protected]

high : CVE--2024--34158

Affected range<1.22.7
Fixed version1.22.7
EPSS Score0.04%
EPSS Percentile17th percentile
Description

Calling Parse on a "// +build" build tag line with deeply nested expressions can cause a panic due to stack exhaustion.

high : CVE--2024--34156

Affected range<1.22.7
Fixed version1.22.7
EPSS Score0.04%
EPSS Percentile17th percentile
Description

Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion. This is a follow-up to CVE-2022-30635.

high : CVE--2024--24791

Affected range>=1.22.0-0
<1.22.5
Fixed version1.22.5
EPSS Score0.04%
EPSS Percentile17th percentile
Description

The net/http HTTP/1.1 client mishandled the case where a server responds to a request with an "Expect: 100-continue" header with a non-informational (200 or higher) status. This mishandling could leave a client connection in an invalid state, where the next request sent on the connection will fail.

An attacker sending a request to a net/http/httputil.ReverseProxy proxy can exploit this mishandling to cause a denial of service by sending "Expect: 100-continue" requests which elicit a non-informational response from the backend. Each such request leaves the proxy with an invalid connection, and causes one subsequent request using that connection to fail.

high : CVE--2022--30635

Affected range<1.22.7
Fixed version1.22.7
EPSS Score0.19%
EPSS Percentile57th percentile
Description

Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion. This is a follow-up to CVE-2022-30635.

1 similar comment
@github-actions GitHub Actions
Copy link

github-actions bot commented Nov 22, 2024
edited
Loading

Outdated

🔍 Vulnerabilities of moby/buildkit:buildx-stable-1

📦 Image Reference moby/buildkit:buildx-stable-1
digestsha256:fe9e882c6ca03172babd2d89a69a225771ffe56ee1c28a7fbd58c57bf4a59034
vulnerabilitiescritical: 0 high: 4 medium: 0 low: 0
size102 MB
packages247
📦 Base Image alpine:05a56cc5acbd9c9c5b7ba5ec88d866a0ddc76b586828f8288d29c57ccaa15a10
also known as
  • 3
  • 3.20
  • 3.20.3
  • latest
digestsha256:029a752048e32e843bd6defe3841186fb8d19a28dae8ec287f433bb9d6d1ad85
vulnerabilitiescritical: 0 high: 0 medium: 1 low: 0
critical: 0 high: 4 medium: 0 low: 0 stdlib 1.22.4 (golang)

pkg:golang/[email protected]

high : CVE--2024--34158

Affected range<1.22.7
Fixed version1.22.7
EPSS Score0.04%
EPSS Percentile17th percentile
Description

Calling Parse on a "// +build" build tag line with deeply nested expressions can cause a panic due to stack exhaustion.

high : CVE--2024--34156

Affected range<1.22.7
Fixed version1.22.7
EPSS Score0.04%
EPSS Percentile17th percentile
Description

Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion. This is a follow-up to CVE-2022-30635.

high : CVE--2024--24791

Affected range>=1.22.0-0
<1.22.5
Fixed version1.22.5
EPSS Score0.04%
EPSS Percentile17th percentile
Description

The net/http HTTP/1.1 client mishandled the case where a server responds to a request with an "Expect: 100-continue" header with a non-informational (200 or higher) status. This mishandling could leave a client connection in an invalid state, where the next request sent on the connection will fail.

An attacker sending a request to a net/http/httputil.ReverseProxy proxy can exploit this mishandling to cause a denial of service by sending "Expect: 100-continue" requests which elicit a non-informational response from the backend. Each such request leaves the proxy with an invalid connection, and causes one subsequent request using that connection to fail.

high : CVE--2022--30635

Affected range<1.22.7
Fixed version1.22.7
EPSS Score0.19%
EPSS Percentile57th percentile
Description

Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion. This is a follow-up to CVE-2022-30635.

@github-actions GitHub Actions
Copy link

github-actions bot commented Nov 22, 2024
edited
Loading

Outdated

Recommended fixes for image moby/buildkit:buildx-stable-1

Base image is alpine:3

Name3.20.3
Digestsha256:029a752048e32e843bd6defe3841186fb8d19a28dae8ec287f433bb9d6d1ad85
Vulnerabilitiescritical: 0 high: 0 medium: 1 low: 0
Pushed2 months ago
Size3.6 MB
Packages17
OS3.20.3
The base image is also available under the supported tag(s): 3.20, 3.20.3, latest

Refresh base image

Rebuild the image using a newer base image version. Updating this may result in breaking changes.

✅ This image version is up to date.

Change base image

✅ There are no tag recommendations at this time.

1 similar comment
@github-actions GitHub Actions
Copy link

github-actions bot commented Nov 22, 2024
edited
Loading

Outdated

Recommended fixes for image moby/buildkit:buildx-stable-1

Base image is alpine:3

Name3.20.3
Digestsha256:029a752048e32e843bd6defe3841186fb8d19a28dae8ec287f433bb9d6d1ad85
Vulnerabilitiescritical: 0 high: 0 medium: 1 low: 0
Pushed2 months ago
Size3.6 MB
Packages17
OS3.20.3
The base image is also available under the supported tag(s): 3.20, 3.20.3, latest

Refresh base image

Rebuild the image using a newer base image version. Updating this may result in breaking changes.

✅ This image version is up to date.

Change base image

✅ There are no tag recommendations at this time.

@github-actions GitHub Actions
Copy link

github-actions bot commented Nov 22, 2024
edited
Loading

Outdated

🔍 Vulnerabilities of moby/buildkit:buildx-stable-1

📦 Image Reference moby/buildkit:buildx-stable-1
digestsha256:fe9e882c6ca03172babd2d89a69a225771ffe56ee1c28a7fbd58c57bf4a59034
vulnerabilitiescritical: 0 high: 4 medium: 0 low: 0
size102 MB
packages247
📦 Base Image alpine:05a56cc5acbd9c9c5b7ba5ec88d866a0ddc76b586828f8288d29c57ccaa15a10
also known as
  • 3
  • 3.20
  • 3.20.3
  • latest
digestsha256:029a752048e32e843bd6defe3841186fb8d19a28dae8ec287f433bb9d6d1ad85
vulnerabilitiescritical: 0 high: 0 medium: 1 low: 0
critical: 0 high: 4 medium: 0 low: 0 stdlib 1.22.4 (golang)

pkg:golang/[email protected]

high : CVE--2024--34158

Affected range<1.22.7
Fixed version1.22.7
EPSS Score0.04%
EPSS Percentile17th percentile
Description

Calling Parse on a "// +build" build tag line with deeply nested expressions can cause a panic due to stack exhaustion.

high : CVE--2024--34156

Affected range<1.22.7
Fixed version1.22.7
EPSS Score0.04%
EPSS Percentile17th percentile
Description

Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion. This is a follow-up to CVE-2022-30635.

high : CVE--2024--24791

Affected range>=1.22.0-0
<1.22.5
Fixed version1.22.5
EPSS Score0.04%
EPSS Percentile17th percentile
Description

The net/http HTTP/1.1 client mishandled the case where a server responds to a request with an "Expect: 100-continue" header with a non-informational (200 or higher) status. This mishandling could leave a client connection in an invalid state, where the next request sent on the connection will fail.

An attacker sending a request to a net/http/httputil.ReverseProxy proxy can exploit this mishandling to cause a denial of service by sending "Expect: 100-continue" requests which elicit a non-informational response from the backend. Each such request leaves the proxy with an invalid connection, and causes one subsequent request using that connection to fail.

high : CVE--2022--30635

Affected range<1.22.7
Fixed version1.22.7
EPSS Score0.19%
EPSS Percentile57th percentile
Description

Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion. This is a follow-up to CVE-2022-30635.

1 similar comment
@github-actions GitHub Actions
Copy link

github-actions bot commented Nov 22, 2024
edited
Loading

Outdated

🔍 Vulnerabilities of moby/buildkit:buildx-stable-1

📦 Image Reference moby/buildkit:buildx-stable-1
digestsha256:fe9e882c6ca03172babd2d89a69a225771ffe56ee1c28a7fbd58c57bf4a59034
vulnerabilitiescritical: 0 high: 4 medium: 0 low: 0
size102 MB
packages247
📦 Base Image alpine:05a56cc5acbd9c9c5b7ba5ec88d866a0ddc76b586828f8288d29c57ccaa15a10
also known as
  • 3
  • 3.20
  • 3.20.3
  • latest
digestsha256:029a752048e32e843bd6defe3841186fb8d19a28dae8ec287f433bb9d6d1ad85
vulnerabilitiescritical: 0 high: 0 medium: 1 low: 0
critical: 0 high: 4 medium: 0 low: 0 stdlib 1.22.4 (golang)

pkg:golang/[email protected]

high : CVE--2024--34158

Affected range<1.22.7
Fixed version1.22.7
EPSS Score0.04%
EPSS Percentile17th percentile
Description

Calling Parse on a "// +build" build tag line with deeply nested expressions can cause a panic due to stack exhaustion.

high : CVE--2024--34156

Affected range<1.22.7
Fixed version1.22.7
EPSS Score0.04%
EPSS Percentile17th percentile
Description

Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion. This is a follow-up to CVE-2022-30635.

high : CVE--2024--24791

Affected range>=1.22.0-0
<1.22.5
Fixed version1.22.5
EPSS Score0.04%
EPSS Percentile17th percentile
Description

The net/http HTTP/1.1 client mishandled the case where a server responds to a request with an "Expect: 100-continue" header with a non-informational (200 or higher) status. This mishandling could leave a client connection in an invalid state, where the next request sent on the connection will fail.

An attacker sending a request to a net/http/httputil.ReverseProxy proxy can exploit this mishandling to cause a denial of service by sending "Expect: 100-continue" requests which elicit a non-informational response from the backend. Each such request leaves the proxy with an invalid connection, and causes one subsequent request using that connection to fail.

high : CVE--2022--30635

Affected range<1.22.7
Fixed version1.22.7
EPSS Score0.19%
EPSS Percentile57th percentile
Description

Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion. This is a follow-up to CVE-2022-30635.

@github-actions GitHub Actions
Copy link

github-actions bot commented Nov 22, 2024
edited
Loading

Outdated

Recommended fixes for image moby/buildkit:buildx-stable-1

Base image is alpine:3

Name3.20.3
Digestsha256:029a752048e32e843bd6defe3841186fb8d19a28dae8ec287f433bb9d6d1ad85
Vulnerabilitiescritical: 0 high: 0 medium: 1 low: 0
Pushed2 months ago
Size3.6 MB
Packages17
OS3.20.3
The base image is also available under the supported tag(s): 3.20, 3.20.3, latest

Refresh base image

Rebuild the image using a newer base image version. Updating this may result in breaking changes.

✅ This image version is up to date.

Change base image

✅ There are no tag recommendations at this time.

1 similar comment
@github-actions GitHub Actions
Copy link

github-actions bot commented Nov 22, 2024
edited
Loading

Outdated

Recommended fixes for image moby/buildkit:buildx-stable-1

Base image is alpine:3

Name3.20.3
Digestsha256:029a752048e32e843bd6defe3841186fb8d19a28dae8ec287f433bb9d6d1ad85
Vulnerabilitiescritical: 0 high: 0 medium: 1 low: 0
Pushed2 months ago
Size3.6 MB
Packages17
OS3.20.3
The base image is also available under the supported tag(s): 3.20, 3.20.3, latest

Refresh base image

Rebuild the image using a newer base image version. Updating this may result in breaking changes.

✅ This image version is up to date.

Change base image

✅ There are no tag recommendations at this time.

@github-actions GitHub Actions
Copy link

github-actions bot commented Nov 22, 2024
edited
Loading

Outdated

🔍 Vulnerabilities of moby/buildkit:buildx-stable-1

📦 Image Reference moby/buildkit:buildx-stable-1
digestsha256:fe9e882c6ca03172babd2d89a69a225771ffe56ee1c28a7fbd58c57bf4a59034
vulnerabilitiescritical: 0 high: 4 medium: 0 low: 0
size102 MB
packages247
📦 Base Image alpine:05a56cc5acbd9c9c5b7ba5ec88d866a0ddc76b586828f8288d29c57ccaa15a10
also known as
  • 3
  • 3.20
  • 3.20.3
  • latest
digestsha256:029a752048e32e843bd6defe3841186fb8d19a28dae8ec287f433bb9d6d1ad85
vulnerabilitiescritical: 0 high: 0 medium: 1 low: 0
critical: 0 high: 4 medium: 0 low: 0 stdlib 1.22.4 (golang)

pkg:golang/[email protected]

high : CVE--2024--34158

Affected range<1.22.7
Fixed version1.22.7
EPSS Score0.04%
EPSS Percentile17th percentile
Description

Calling Parse on a "// +build" build tag line with deeply nested expressions can cause a panic due to stack exhaustion.

high : CVE--2024--34156

Affected range<1.22.7
Fixed version1.22.7
EPSS Score0.04%
EPSS Percentile17th percentile
Description

Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion. This is a follow-up to CVE-2022-30635.

high : CVE--2024--24791

Affected range>=1.22.0-0
<1.22.5
Fixed version1.22.5
EPSS Score0.04%
EPSS Percentile17th percentile
Description

The net/http HTTP/1.1 client mishandled the case where a server responds to a request with an "Expect: 100-continue" header with a non-informational (200 or higher) status. This mishandling could leave a client connection in an invalid state, where the next request sent on the connection will fail.

An attacker sending a request to a net/http/httputil.ReverseProxy proxy can exploit this mishandling to cause a denial of service by sending "Expect: 100-continue" requests which elicit a non-informational response from the backend. Each such request leaves the proxy with an invalid connection, and causes one subsequent request using that connection to fail.

high : CVE--2022--30635

Affected range<1.22.7
Fixed version1.22.7
EPSS Score0.19%
EPSS Percentile57th percentile
Description

Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion. This is a follow-up to CVE-2022-30635.

@github-actions GitHub Actions
Copy link

github-actions bot commented Nov 22, 2024
edited
Loading

Outdated

Recommended fixes for image moby/buildkit:buildx-stable-1

Base image is alpine:3

Name3.20.3
Digestsha256:029a752048e32e843bd6defe3841186fb8d19a28dae8ec287f433bb9d6d1ad85
Vulnerabilitiescritical: 0 high: 0 medium: 1 low: 0
Pushed2 months ago
Size3.6 MB
Packages17
OS3.20.3
The base image is also available under the supported tag(s): 3.20, 3.20.3, latest

Refresh base image

Rebuild the image using a newer base image version. Updating this may result in breaking changes.

✅ This image version is up to date.

Change base image

✅ There are no tag recommendations at this time.

@github-actions GitHub Actions
Copy link

github-actions bot commented Nov 22, 2024
edited
Loading

Outdated

🔍 Vulnerabilities of moby/buildkit:buildx-stable-1

📦 Image Reference moby/buildkit:buildx-stable-1
digestsha256:fe9e882c6ca03172babd2d89a69a225771ffe56ee1c28a7fbd58c57bf4a59034
vulnerabilitiescritical: 0 high: 4 medium: 0 low: 0
size102 MB
packages247
📦 Base Image alpine:05a56cc5acbd9c9c5b7ba5ec88d866a0ddc76b586828f8288d29c57ccaa15a10
also known as
  • 3
  • 3.20
  • 3.20.3
  • latest
digestsha256:029a752048e32e843bd6defe3841186fb8d19a28dae8ec287f433bb9d6d1ad85
vulnerabilitiescritical: 0 high: 0 medium: 1 low: 0
critical: 0 high: 4 medium: 0 low: 0 stdlib 1.22.4 (golang)

pkg:golang/[email protected]

high : CVE--2024--34158

Affected range<1.22.7
Fixed version1.22.7
EPSS Score0.04%
EPSS Percentile17th percentile
Description

Calling Parse on a "// +build" build tag line with deeply nested expressions can cause a panic due to stack exhaustion.

high : CVE--2024--34156

Affected range<1.22.7
Fixed version1.22.7
EPSS Score0.04%
EPSS Percentile17th percentile
Description

Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion. This is a follow-up to CVE-2022-30635.

high : CVE--2024--24791

Affected range>=1.22.0-0
<1.22.5
Fixed version1.22.5
EPSS Score0.04%
EPSS Percentile17th percentile
Description

The net/http HTTP/1.1 client mishandled the case where a server responds to a request with an "Expect: 100-continue" header with a non-informational (200 or higher) status. This mishandling could leave a client connection in an invalid state, where the next request sent on the connection will fail.

An attacker sending a request to a net/http/httputil.ReverseProxy proxy can exploit this mishandling to cause a denial of service by sending "Expect: 100-continue" requests which elicit a non-informational response from the backend. Each such request leaves the proxy with an invalid connection, and causes one subsequent request using that connection to fail.

high : CVE--2022--30635

Affected range<1.22.7
Fixed version1.22.7
EPSS Score0.19%
EPSS Percentile57th percentile
Description

Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion. This is a follow-up to CVE-2022-30635.

@github-actions GitHub Actions
Copy link

github-actions bot commented Nov 22, 2024
edited
Loading

Outdated

Recommended fixes for image moby/buildkit:buildx-stable-1

Base image is alpine:3

Name3.20.3
Digestsha256:029a752048e32e843bd6defe3841186fb8d19a28dae8ec287f433bb9d6d1ad85
Vulnerabilitiescritical: 0 high: 0 medium: 1 low: 0
Pushed2 months ago
Size3.6 MB
Packages17
OS3.20.3
The base image is also available under the supported tag(s): 3.20, 3.20.3, latest

Refresh base image

Rebuild the image using a newer base image version. Updating this may result in breaking changes.

✅ This image version is up to date.

Change base image

✅ There are no tag recommendations at this time.

@lotyp lotyp enabled auto-merge November 22, 2024 21:24
@github-actions GitHub Actions
Copy link

github-actions bot commented Nov 22, 2024
edited
Loading

Outdated

🔍 Vulnerabilities of moby/buildkit:buildx-stable-1

📦 Image Reference moby/buildkit:buildx-stable-1
digestsha256:fe9e882c6ca03172babd2d89a69a225771ffe56ee1c28a7fbd58c57bf4a59034
vulnerabilitiescritical: 0 high: 4 medium: 0 low: 0
size102 MB
packages247
📦 Base Image alpine:05a56cc5acbd9c9c5b7ba5ec88d866a0ddc76b586828f8288d29c57ccaa15a10
also known as
  • 3
  • 3.20
  • 3.20.3
  • latest
digestsha256:029a752048e32e843bd6defe3841186fb8d19a28dae8ec287f433bb9d6d1ad85
vulnerabilitiescritical: 0 high: 0 medium: 1 low: 0
critical: 0 high: 4 medium: 0 low: 0 stdlib 1.22.4 (golang)

pkg:golang/[email protected]

high : CVE--2024--34158

Affected range<1.22.7
Fixed version1.22.7
EPSS Score0.04%
EPSS Percentile17th percentile
Description

Calling Parse on a "// +build" build tag line with deeply nested expressions can cause a panic due to stack exhaustion.

high : CVE--2024--34156

Affected range<1.22.7
Fixed version1.22.7
EPSS Score0.04%
EPSS Percentile17th percentile
Description

Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion. This is a follow-up to CVE-2022-30635.

high : CVE--2024--24791

Affected range>=1.22.0-0
<1.22.5
Fixed version1.22.5
EPSS Score0.04%
EPSS Percentile17th percentile
Description

The net/http HTTP/1.1 client mishandled the case where a server responds to a request with an "Expect: 100-continue" header with a non-informational (200 or higher) status. This mishandling could leave a client connection in an invalid state, where the next request sent on the connection will fail.

An attacker sending a request to a net/http/httputil.ReverseProxy proxy can exploit this mishandling to cause a denial of service by sending "Expect: 100-continue" requests which elicit a non-informational response from the backend. Each such request leaves the proxy with an invalid connection, and causes one subsequent request using that connection to fail.

high : CVE--2022--30635

Affected range<1.22.7
Fixed version1.22.7
EPSS Score0.19%
EPSS Percentile57th percentile
Description

Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion. This is a follow-up to CVE-2022-30635.

@github-actions GitHub Actions
Copy link

github-actions bot commented Nov 22, 2024
edited
Loading

Outdated

Recommended fixes for image moby/buildkit:buildx-stable-1

Base image is alpine:3

Name3.20.3
Digestsha256:029a752048e32e843bd6defe3841186fb8d19a28dae8ec287f433bb9d6d1ad85
Vulnerabilitiescritical: 0 high: 0 medium: 1 low: 0
Pushed2 months ago
Size3.6 MB
Packages17
OS3.20.3
The base image is also available under the supported tag(s): 3.20, 3.20.3, latest

Refresh base image

Rebuild the image using a newer base image version. Updating this may result in breaking changes.

✅ This image version is up to date.

Change base image

✅ There are no tag recommendations at this time.

@github-actions GitHub Actions
Copy link

github-actions bot commented Nov 22, 2024
edited
Loading

Outdated

🔍 Vulnerabilities of moby/buildkit:buildx-stable-1

📦 Image Reference moby/buildkit:buildx-stable-1
digestsha256:fe9e882c6ca03172babd2d89a69a225771ffe56ee1c28a7fbd58c57bf4a59034
vulnerabilitiescritical: 0 high: 4 medium: 0 low: 0
size102 MB
packages247
📦 Base Image alpine:05a56cc5acbd9c9c5b7ba5ec88d866a0ddc76b586828f8288d29c57ccaa15a10
also known as
  • 3
  • 3.20
  • 3.20.3
  • latest
digestsha256:029a752048e32e843bd6defe3841186fb8d19a28dae8ec287f433bb9d6d1ad85
vulnerabilitiescritical: 0 high: 0 medium: 1 low: 0
critical: 0 high: 4 medium: 0 low: 0 stdlib 1.22.4 (golang)

pkg:golang/[email protected]

high : CVE--2024--34158

Affected range<1.22.7
Fixed version1.22.7
EPSS Score0.04%
EPSS Percentile17th percentile
Description

Calling Parse on a "// +build" build tag line with deeply nested expressions can cause a panic due to stack exhaustion.

high : CVE--2024--34156

Affected range<1.22.7
Fixed version1.22.7
EPSS Score0.04%
EPSS Percentile17th percentile
Description

Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion. This is a follow-up to CVE-2022-30635.

high : CVE--2024--24791

Affected range>=1.22.0-0
<1.22.5
Fixed version1.22.5
EPSS Score0.04%
EPSS Percentile17th percentile
Description

The net/http HTTP/1.1 client mishandled the case where a server responds to a request with an "Expect: 100-continue" header with a non-informational (200 or higher) status. This mishandling could leave a client connection in an invalid state, where the next request sent on the connection will fail.

An attacker sending a request to a net/http/httputil.ReverseProxy proxy can exploit this mishandling to cause a denial of service by sending "Expect: 100-continue" requests which elicit a non-informational response from the backend. Each such request leaves the proxy with an invalid connection, and causes one subsequent request using that connection to fail.

high : CVE--2022--30635

Affected range<1.22.7
Fixed version1.22.7
EPSS Score0.19%
EPSS Percentile57th percentile
Description

Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion. This is a follow-up to CVE-2022-30635.

@github-actions GitHub Actions
Copy link

github-actions bot commented Nov 22, 2024
edited
Loading

Outdated

Recommended fixes for image moby/buildkit:buildx-stable-1

Base image is alpine:3

Name3.20.3
Digestsha256:029a752048e32e843bd6defe3841186fb8d19a28dae8ec287f433bb9d6d1ad85
Vulnerabilitiescritical: 0 high: 0 medium: 1 low: 0
Pushed2 months ago
Size3.6 MB
Packages17
OS3.20.3
The base image is also available under the supported tag(s): 3.20, 3.20.3, latest

Refresh base image

Rebuild the image using a newer base image version. Updating this may result in breaking changes.

✅ This image version is up to date.

Change base image

✅ There are no tag recommendations at this time.

@github-actions GitHub Actions
Copy link

github-actions bot commented Nov 22, 2024
edited
Loading

Outdated

🔍 Vulnerabilities of wayofdev/php-base:latest

📦 Image Reference wayofdev/php-base:latest
digestsha256:dacd47874a894c2d1c8b28d6b1da70a997ae9c43a7625e6366678569b59782e5
vulnerabilitiescritical: 0 high: 0 medium: 0 low: 0
size81 MB
packages99
📦 Base Image php:8-alpine
also known as
  • 8-alpine3.20
  • 8-cli-alpine
  • 8-cli-alpine3.20
  • 8.4-alpine
  • 8.4-alpine3.20
  • 8.4-cli-alpine
  • 8.4-cli-alpine3.20
  • 8.4.1-alpine
  • 8.4.1-alpine3.20
  • 8.4.1-cli-alpine
  • 8.4.1-cli-alpine3.20
  • alpine
  • alpine3.20
  • cli-alpine
  • cli-alpine3.20
  • db33346c0570ac13b47213e8a043fece5c6adf3ee623fd9510c2240e2dcd6e41
digestsha256:5a28a9586b767a3babf285b1bfe3dd7eda5b3ff64a5f79ce3fa93d076c022f60
vulnerabilitiescritical: 0 high: 0 medium: 0 low: 0

@github-actions GitHub Actions
Copy link

github-actions bot commented Nov 22, 2024
edited
Loading

Outdated

Recommended fixes for image wayofdev/php-base:latest

Base image is php:8-alpine

Name8.4.1-alpine3.20
Digestsha256:5a28a9586b767a3babf285b1bfe3dd7eda5b3ff64a5f79ce3fa93d076c022f60
Vulnerabilitiescritical: 0 high: 0 medium: 0 low: 0
Pushed1 day ago
Size44 MB
Packages50
Flavoralpine
OS3.20
Runtime8.4.1
The base image is also available under the supported tag(s): 8-alpine3.20, 8-cli-alpine, 8-cli-alpine3.20, 8.4-alpine, 8.4-alpine3.20, 8.4-cli-alpine, 8.4-cli-alpine3.20, 8.4.1-alpine, 8.4.1-alpine3.20, 8.4.1-cli-alpine, 8.4.1-cli-alpine3.20, alpine, alpine3.20, cli-alpine, cli-alpine3.20

Refresh base image

Rebuild the image using a newer base image version. Updating this may result in breaking changes.

✅ This image version is up to date.

Change base image

✅ There are no tag recommendations at this time.

@github-actions GitHub Actions
Copy link

github-actions bot commented Nov 22, 2024
edited
Loading

Outdated

🔍 Vulnerabilities of wayofdev/php-base:latest

📦 Image Reference wayofdev/php-base:latest
digestsha256:7f6d1049d1601655257eebf3de11b1368b7d4fddae66158b10d074ec50d438e4
vulnerabilitiescritical: 0 high: 0 medium: 0 low: 0
size99 MB
packages120
📦 Base Image php:8-alpine
also known as
  • 8-alpine3.20
  • 8-cli-alpine
  • 8-cli-alpine3.20
  • 8.4-alpine
  • 8.4-alpine3.20
  • 8.4-cli-alpine
  • 8.4-cli-alpine3.20
  • 8.4.1-alpine
  • 8.4.1-alpine3.20
  • 8.4.1-cli-alpine
  • 8.4.1-cli-alpine3.20
  • alpine
  • alpine3.20
  • cli-alpine
  • cli-alpine3.20
  • db33346c0570ac13b47213e8a043fece5c6adf3ee623fd9510c2240e2dcd6e41
digestsha256:5a28a9586b767a3babf285b1bfe3dd7eda5b3ff64a5f79ce3fa93d076c022f60
vulnerabilitiescritical: 0 high: 0 medium: 0 low: 0

@github-actions GitHub Actions
Copy link

github-actions bot commented Nov 22, 2024
edited
Loading

Outdated

Recommended fixes for image wayofdev/php-base:latest

Base image is php:8-alpine

Name8.4.1-alpine3.20
Digestsha256:5a28a9586b767a3babf285b1bfe3dd7eda5b3ff64a5f79ce3fa93d076c022f60
Vulnerabilitiescritical: 0 high: 0 medium: 0 low: 0
Pushed1 day ago
Size44 MB
Packages50
Flavoralpine
OS3.20
Runtime8.4.1
The base image is also available under the supported tag(s): 8-alpine3.20, 8-cli-alpine, 8-cli-alpine3.20, 8.4-alpine, 8.4-alpine3.20, 8.4-cli-alpine, 8.4-cli-alpine3.20, 8.4.1-alpine, 8.4.1-alpine3.20, 8.4.1-cli-alpine, 8.4.1-cli-alpine3.20, alpine, alpine3.20, cli-alpine, cli-alpine3.20

Refresh base image

Rebuild the image using a newer base image version. Updating this may result in breaking changes.

✅ This image version is up to date.

Change base image

✅ There are no tag recommendations at this time.

@github-actions GitHub Actions
Copy link

🔍 Vulnerabilities of wayofdev/php-base:latest

📦 Image Reference wayofdev/php-base:latest
digestsha256:e1f35ca7d5d2db186c9b560d64d7feeeca91f7a9e45f6896faaa52e27975bf28
vulnerabilitiescritical: 0 high: 0 medium: 0 low: 0
size75 MB
packages100
📦 Base Image php:8-fpm-alpine
also known as
  • 8-fpm-alpine3.20
  • 8.4-fpm-alpine
  • 8.4-fpm-alpine3.20
  • 8.4.1-fpm-alpine
  • 8.4.1-fpm-alpine3.20
  • fpm-alpine
  • fpm-alpine3.20
digestsha256:fcc2fccfa511b898a78e97e8a978fa41d54242dd54b729f9f9b76ef1398a75ed
vulnerabilitiescritical: 0 high: 0 medium: 0 low: 0

@github-actions GitHub Actions
Copy link

Recommended fixes for image wayofdev/php-base:latest

Base image is php:8-fpm-alpine

Namefpm-alpine3.20
Digestsha256:fcc2fccfa511b898a78e97e8a978fa41d54242dd54b729f9f9b76ef1398a75ed
Vulnerabilitiescritical: 0 high: 0 medium: 0 low: 0
Pushed1 day ago
Size38 MB
Packages51
Flavoralpine
OS3.20
The base image is also available under the supported tag(s): 8-fpm-alpine3.20, 8.4-fpm-alpine, 8.4-fpm-alpine3.20, 8.4.1-fpm-alpine, 8.4.1-fpm-alpine3.20, fpm-alpine, fpm-alpine3.20

Refresh base image

Rebuild the image using a newer base image version. Updating this may result in breaking changes.

✅ This image version is up to date.

Change base image

TagDetailsPushedVulnerabilities
8.3-fpm-alpine
Minor runtime version update
Also known as:
  • 8.3.14-fpm-alpine
  • 8.3.14-fpm-alpine3.20
  • 8.3-fpm-alpine3.20
 Benefits:
  • Same OS detected
  • Minor runtime version update
  • Image is smaller by 3.3 MB
  • Image has same number of vulnerabilities
  • Image contains equal number of packages
Image details:
  • Size: 35 MB
  • Flavor: alpine
  • OS: 3.20
  • Runtime: 8.3.14
 1 day ago



8.2-fpm-alpine
Minor runtime version update
Also known as:
  • 8.2.26-fpm-alpine
  • 8.2.26-fpm-alpine3.20
  • 8.2-fpm-alpine3.20
 Benefits:
  • Same OS detected
  • Minor runtime version update
  • Image is smaller by 3.9 MB
  • Image has same number of vulnerabilities
  • Image contains equal number of packages
  • 8.2-fpm-alpine was pulled 4.1K times last month
Image details:
  • Size: 34 MB
  • Flavor: alpine
  • OS: 3.20
  • Runtime: 8.2.26
 1 day ago



8.1-fpm-alpine
Minor runtime version update
Also known as:
  • 8.1.31-fpm-alpine
  • 8.1.31-fpm-alpine3.20
  • 8.1-fpm-alpine3.20
 Benefits:
  • Same OS detected
  • Minor runtime version update
  • Image is smaller by 4.3 MB
  • Image has same number of vulnerabilities
  • Image contains equal number of packages
  • 8.1-fpm-alpine is the fourth most popular tag with 18K pulls per month
Image details:
  • Size: 34 MB
  • Flavor: alpine
  • OS: 3.20
  • Runtime: 8.1.31
 1 day ago



@way-finder-bot way-finder-bot self-requested a review November 22, 2024 21:42
@way-finder-bot way-finder-bot self-assigned this Nov 22, 2024
@lotyp lotyp merged commit 7c1435c into master Nov 22, 2024
20 checks passed
@lotyp lotyp deleted the release-please--branches--master--components--docker-php-base branch November 22, 2024 21:42
@lotyp
Copy link
Member Author

lotyp commented Nov 22, 2024

🤖 Created releases:

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@way-finder-bot way-finder-bot way-finder-bot approved these changes

Assignees

@way-finder-bot way-finder-bot

Labels
autorelease: tagged
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@lotyp @way-finder-bot