feat: compare images to latest

[rwaffen]

No description provided.

[github-actions]

🔍 Vulnerabilities of ci/voxbox-7.32.1:1d2d4d4b36f8d7490a56691383398cdd93fd531c

📦 Image Reference ci/voxbox-7.32.1:1d2d4d4b36f8d7490a56691383398cdd93fd531c

digest	sha256:5353554d86c521673dcdbfc6530da52d08df063e11db56eb89aa31f5c11c9acb
vulnerabilities
size	178 MB
packages	326

📦 Base Image ruby:2-alpine

also known as	2-alpine3.16 2.7-alpine 2.7-alpine3.16 2.7.8-alpine 2.7.8-alpine3.16
digest	sha256:45ca5ff1e098ddc85430bad09d433dfab4be9417477a5778568a7877408f1cd0
vulnerabilities

rexml 3.2.3.1 (gem) pkg:gem/[email protected] Misinterpretation of Input Affected range <3.2.5 Fixed version 3.2.5 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N EPSS Score 0.10% EPSS Percentile 43rd percentile Description The REXML gem before 3.2.5 in Ruby before 2.6.7, 2.7.x before 2.7.3, and 3.x before 3.0.1 does not properly address XML round-trip issues. An incorrect document can be produced after parsing and serializing. Uncontrolled Resource Consumption Affected range <3.3.3 Fixed version 3.3.3 CVSS Score 5.3 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L EPSS Score 0.04% EPSS Percentile 16th percentile Description Impact The REXML gem before 3.3.2 has a DoS vulnerability when it parses an XML that has many entity expansions with SAX2 or pull parser API. If you need to parse untrusted XMLs with SAX2 or pull parser API, you may be impacted to this vulnerability. Patches The REXML gem 3.3.3 or later include the patch to fix the vulnerability. Workarounds Don't parse untrusted XMLs with SAX2 or pull parser API. References https://www.ruby-lang.org/en/news/2008/08/23/dos-vulnerability-in-rexml/ : This is a similar vulnerability https://www.ruby-lang.org/en/news/2024/08/01/dos-rexml-cve-2024-41946/: An announce on www.ruby-lang.org Uncontrolled Resource Consumption Affected range <3.3.3 Fixed version 3.3.3 CVSS Score 5.3 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L EPSS Score 0.04% EPSS Percentile 16th percentile Description Impact The REXML gem before 3.3.2 has some DoS vulnerabilities when it parses an XML that has many specific characters such as whitespace character, >] and ]>. If you need to parse untrusted XMLs, you may be impacted to these vulnerabilities. Patches The REXML gem 3.3.3 or later include the patches to fix these vulnerabilities. Workarounds Don't parse untrusted XMLs. References GHSA-vg3r-rm7w-2xgh : This is a similar vulnerability GHSA-4xqq-m2hx-25v8 : This is a similar vulnerability https://www.ruby-lang.org/en/news/2024/08/01/dos-rexml-cve-2024-41123/: An announce on www.ruby-lang.org Uncontrolled Resource Consumption Affected range <3.2.7 Fixed version 3.2.7 CVSS Score 5.3 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L EPSS Score 0.04% EPSS Percentile 16th percentile Description Impact The REXML gem before 3.2.6 has a DoS vulnerability when it parses an XML that has many <s in an attribute value. If you need to parse untrusted XMLs, you may be impacted to this vulnerability. Patches The REXML gem 3.2.7 or later include the patch to fix this vulnerability. Workarounds Don't parse untrusted XMLs. References https://www.ruby-lang.org/en/news/2024/05/16/dos-rexml-cve-2024-35176/ Uncontrolled Resource Consumption Affected range <3.3.2 Fixed version 3.3.2 CVSS Score 4.3 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L EPSS Score 0.04% EPSS Percentile 10th percentile Description Impact The REXML gem before 3.3.1 has some DoS vulnerabilities when it parses an XML that has many specific characters such as <, 0 and %>. If you need to parse untrusted XMLs, you may be impacted to these vulnerabilities. Patches The REXML gem 3.3.2 or later include the patches to fix these vulnerabilities. Workarounds Don't parse untrusted XMLs. References GHSA-vg3r-rm7w-2xgh : This is a similar vulnerability https://www.ruby-lang.org/en/news/2024/07/16/dos-rexml-cve-2024-39908/

bundler 2.1.4 (gem) pkg:gem/[email protected] Affected range >=1.16.0 <2.2.10 Fixed version 2.2.10 CVSS Score 8.8 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H EPSS Score 0.97% EPSS Percentile 84th percentile Description Bundler 1.16.0 through 2.2.9 and 2.2.11 through 2.2.17 sometimes chooses a dependency source based on the highest gem version number, which means that a rogue gem found at a public source may be chosen, even if the intended choice was a private gem that is a dependency of another private gem that is explicitly depended on by the application. Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') Affected range <2.2.33 Fixed version 2.2.33 CVSS Score 6.7 CVSS Vector CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H EPSS Score 0.12% EPSS Percentile 46th percentile Description In bundler versions before 2.2.33, when working with untrusted and apparently harmless Gemfile's, it is not expected that they lead to execution of external code, unless that's explicit in the ruby code inside the Gemfile itself. However, if the Gemfile includes gem entries that use the git option with invalid, but seemingly harmless, values with a leading dash, this can be false. To handle dependencies that come from a Git repository instead of a registry, Bundler uses various commands, such as git clone. These commands are being constructed using user input (e.g. the repository URL). When building the commands, Bundler versions before 2.2.33 correctly avoid Command Injection vulnerabilities by passing an array of arguments instead of a command string. However, there is the possibility that a user input starts with a dash (-) and is therefore treated as an optional argument instead of a positional one. This can lead to Code Execution because some of the commands have options that can be leveraged to run arbitrary executables. Since this value comes from the Gemfile file, it can contain any character, including a leading dash. Exploitation To exploit this vulnerability, an attacker has to craft a directory containing a Gemfile file that declares a dependency that is located in a Git repository. This dependency has to have a Git URL in the form of -u./payload. This URL will be used to construct a Git clone command but will be interpreted as the upload-pack argument. Then this directory needs to be shared with the victim, who then needs to run a command that evaluates the Gemfile, such as bundle lock, inside. Impact This vulnerability can lead to Arbitrary Code Execution, which could potentially lead to the takeover of the system. However, as explained above, the exploitability is very low, because it requires a lot of user interaction. It still could put developers at risk when dealing with untrusted files in a way they think is safe, because the exploit still works when the victim tries to make sure nothing can happen, e.g. by manually reviewing the Gemfile (although they would need the weird URL with a leading dash to not raise any flags). This kind of attack vector has been used in the past to target security researchers by sending them projects to collaborate on. Patches Bundler 2.2.33 has patched this problem by inserting -- as an argument before any positional arguments to those Git commands that were affected by this issue. Workarounds Regardless of whether users can upgrade or not, they should review any untrustred Gemfile's before running any bundler commands that may read them, since they can contain arbitrary ruby code. References https://cwe.mitre.org/data/definitions/88.html

rdoc 6.2.1.1 (gem) pkg:gem/[email protected] OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities Affected range >=3.11 <6.3.1 Fixed version 6.3.1 CVSS Score 7 CVSS Vector CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H EPSS Score 0.06% EPSS Percentile 29th percentile Description In RDoc, as distributed with Ruby, it is possible to execute arbitrary code via | and tags in a filename.

uri 0.10.0.2 (gem) pkg:gem/[email protected] Inefficient Regular Expression Complexity Affected range <0.10.0.3 Fixed version 0.10.3 CVSS Score 5.3 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L EPSS Score 0.15% EPSS Percentile 51st percentile Description A ReDoS issue was discovered in the URI component before 0.12.2 for Ruby. The URI parser mishandles invalid URLs that have specific characters. There is an increase in execution time for parsing strings to URI objects with rfc2396_parser.rb and rfc3986_parser.rb. NOTE: this issue exists becuse of an incomplete fix for CVE-2023-28755. Version 0.10.3 is also a fixed version. The Ruby advisory recommends updating the uri gem to 0.12.2. In order to ensure compatibility with the bundled version in older Ruby series, you may update as follows instead: For Ruby 3.0: Update to uri 0.10.3 For Ruby 3.1 and 3.2: Update to uri 0.12.2. You can use gem update uri to update it. If you are using bundler, please add gem uri, >= 0.12.2 (or other version mentioned above) to your Gemfile.

curl 8.5.0-r0 (apk) pkg:apk/alpine/[email protected]?os_name=alpine&os_version=3.16 Affected range <8.6.0-r0 Fixed version Not Fixed EPSS Score 0.06% EPSS Percentile 25th percentile Description

[github-actions]

Overview

Image reference	ghcr.io/voxpupuli/voxbox:7-main	ci/voxbox-7.32.1:1d2d4d4b36f8d7490a56691383398cdd93fd531c
- digest	a4990ac6fa97	5353554d86c5
- tag	7-main	1d2d4d4b36f8d7490a56691383398cdd93fd531c
- vulnerabilities
- platform	linux/amd64	linux/amd64
- size	158 MB	178 MB (+20 MB)
- packages	326	326
Base Image	ruby:2-alpine	ruby:2-alpine
- vulnerabilities

Packages and Vulnerabilities (1 package changes and 0 vulnerability changes)

• ♾️ 1 packages changed
• 313 packages unchanged

Changes for packages of type gem (1 changes)

	Package	Version ghcr.io/voxpupuli/voxbox:7-main	Version ci/voxbox-7.32.1:1d2d4d4b36f8d7490a56691383398cdd93fd531c
♾️	rexml	3.3.5	3.3.6

[github-actions]

Outdated

🔍 Vulnerabilities of ci/voxbox:7.32.1

📦 Image Reference ci/voxbox:7.32.1

digest	sha256:5727f7f014e7a13cba05e6038b3e3bc826ff0d4b506e8d57fd7288129a298207
vulnerabilities
size	178 MB
packages	326

📦 Base Image ruby:2-alpine

also known as	2-alpine3.16 2.7-alpine 2.7-alpine3.16 2.7.8-alpine 2.7.8-alpine3.16
digest	sha256:45ca5ff1e098ddc85430bad09d433dfab4be9417477a5778568a7877408f1cd0
vulnerabilities

rexml 3.2.3.1 (gem) pkg:gem/[email protected] Misinterpretation of Input Affected range <3.2.5 Fixed version 3.2.5 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N EPSS Score 0.10% EPSS Percentile 43rd percentile Description The REXML gem before 3.2.5 in Ruby before 2.6.7, 2.7.x before 2.7.3, and 3.x before 3.0.1 does not properly address XML round-trip issues. An incorrect document can be produced after parsing and serializing. Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion') Affected range <3.3.6 Fixed version 3.3.6 CVSS Score 5.9 CVSS Vector CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H Description Impact The REXML gem before 3.3.6 has a DoS vulnerability when it parses an XML that has many deep elements that have same local name attributes. If you need to parse untrusted XMLs with tree parser API like REXML::Document.new, you may be impacted to this vulnerability. If you use other parser APIs such as stream parser API and SAX2 parser API, this vulnerability is not affected. Patches The REXML gem 3.3.6 or later include the patch to fix the vulnerability. Workarounds Don't parse untrusted XMLs with tree parser API. Uncontrolled Resource Consumption Affected range <3.3.3 Fixed version 3.3.3 CVSS Score 5.3 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L EPSS Score 0.04% EPSS Percentile 16th percentile Description Impact The REXML gem before 3.3.2 has a DoS vulnerability when it parses an XML that has many entity expansions with SAX2 or pull parser API. If you need to parse untrusted XMLs with SAX2 or pull parser API, you may be impacted to this vulnerability. Patches The REXML gem 3.3.3 or later include the patch to fix the vulnerability. Workarounds Don't parse untrusted XMLs with SAX2 or pull parser API. References https://www.ruby-lang.org/en/news/2008/08/23/dos-vulnerability-in-rexml/ : This is a similar vulnerability https://www.ruby-lang.org/en/news/2024/08/01/dos-rexml-cve-2024-41946/: An announce on www.ruby-lang.org Uncontrolled Resource Consumption Affected range <3.3.3 Fixed version 3.3.3 CVSS Score 5.3 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L EPSS Score 0.04% EPSS Percentile 16th percentile Description Impact The REXML gem before 3.3.2 has some DoS vulnerabilities when it parses an XML that has many specific characters such as whitespace character, >] and ]>. If you need to parse untrusted XMLs, you may be impacted to these vulnerabilities. Patches The REXML gem 3.3.3 or later include the patches to fix these vulnerabilities. Workarounds Don't parse untrusted XMLs. References GHSA-vg3r-rm7w-2xgh : This is a similar vulnerability GHSA-4xqq-m2hx-25v8 : This is a similar vulnerability https://www.ruby-lang.org/en/news/2024/08/01/dos-rexml-cve-2024-41123/: An announce on www.ruby-lang.org Uncontrolled Resource Consumption Affected range <3.2.7 Fixed version 3.2.7 CVSS Score 5.3 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L EPSS Score 0.04% EPSS Percentile 16th percentile Description Impact The REXML gem before 3.2.6 has a DoS vulnerability when it parses an XML that has many <s in an attribute value. If you need to parse untrusted XMLs, you may be impacted to this vulnerability. Patches The REXML gem 3.2.7 or later include the patch to fix this vulnerability. Workarounds Don't parse untrusted XMLs. References https://www.ruby-lang.org/en/news/2024/05/16/dos-rexml-cve-2024-35176/ Uncontrolled Resource Consumption Affected range <3.3.2 Fixed version 3.3.2 CVSS Score 4.3 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L EPSS Score 0.04% EPSS Percentile 10th percentile Description Impact The REXML gem before 3.3.1 has some DoS vulnerabilities when it parses an XML that has many specific characters such as <, 0 and %>. If you need to parse untrusted XMLs, you may be impacted to these vulnerabilities. Patches The REXML gem 3.3.2 or later include the patches to fix these vulnerabilities. Workarounds Don't parse untrusted XMLs. References GHSA-vg3r-rm7w-2xgh : This is a similar vulnerability https://www.ruby-lang.org/en/news/2024/07/16/dos-rexml-cve-2024-39908/

bundler 2.1.4 (gem) pkg:gem/[email protected] Affected range >=1.16.0 <2.2.10 Fixed version 2.2.10 CVSS Score 8.8 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H EPSS Score 0.97% EPSS Percentile 84th percentile Description Bundler 1.16.0 through 2.2.9 and 2.2.11 through 2.2.17 sometimes chooses a dependency source based on the highest gem version number, which means that a rogue gem found at a public source may be chosen, even if the intended choice was a private gem that is a dependency of another private gem that is explicitly depended on by the application. Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') Affected range <2.2.33 Fixed version 2.2.33 CVSS Score 6.7 CVSS Vector CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H EPSS Score 0.12% EPSS Percentile 46th percentile Description In bundler versions before 2.2.33, when working with untrusted and apparently harmless Gemfile's, it is not expected that they lead to execution of external code, unless that's explicit in the ruby code inside the Gemfile itself. However, if the Gemfile includes gem entries that use the git option with invalid, but seemingly harmless, values with a leading dash, this can be false. To handle dependencies that come from a Git repository instead of a registry, Bundler uses various commands, such as git clone. These commands are being constructed using user input (e.g. the repository URL). When building the commands, Bundler versions before 2.2.33 correctly avoid Command Injection vulnerabilities by passing an array of arguments instead of a command string. However, there is the possibility that a user input starts with a dash (-) and is therefore treated as an optional argument instead of a positional one. This can lead to Code Execution because some of the commands have options that can be leveraged to run arbitrary executables. Since this value comes from the Gemfile file, it can contain any character, including a leading dash. Exploitation To exploit this vulnerability, an attacker has to craft a directory containing a Gemfile file that declares a dependency that is located in a Git repository. This dependency has to have a Git URL in the form of -u./payload. This URL will be used to construct a Git clone command but will be interpreted as the upload-pack argument. Then this directory needs to be shared with the victim, who then needs to run a command that evaluates the Gemfile, such as bundle lock, inside. Impact This vulnerability can lead to Arbitrary Code Execution, which could potentially lead to the takeover of the system. However, as explained above, the exploitability is very low, because it requires a lot of user interaction. It still could put developers at risk when dealing with untrusted files in a way they think is safe, because the exploit still works when the victim tries to make sure nothing can happen, e.g. by manually reviewing the Gemfile (although they would need the weird URL with a leading dash to not raise any flags). This kind of attack vector has been used in the past to target security researchers by sending them projects to collaborate on. Patches Bundler 2.2.33 has patched this problem by inserting -- as an argument before any positional arguments to those Git commands that were affected by this issue. Workarounds Regardless of whether users can upgrade or not, they should review any untrustred Gemfile's before running any bundler commands that may read them, since they can contain arbitrary ruby code. References https://cwe.mitre.org/data/definitions/88.html

rdoc 6.2.1.1 (gem) pkg:gem/[email protected] OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities Affected range >=3.11 <6.3.1 Fixed version 6.3.1 CVSS Score 7 CVSS Vector CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H EPSS Score 0.06% EPSS Percentile 29th percentile Description In RDoc, as distributed with Ruby, it is possible to execute arbitrary code via | and tags in a filename.

uri 0.10.0.2 (gem) pkg:gem/[email protected] Inefficient Regular Expression Complexity Affected range <0.10.0.3 Fixed version 0.10.3 CVSS Score 5.3 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L EPSS Score 0.15% EPSS Percentile 51st percentile Description A ReDoS issue was discovered in the URI component before 0.12.2 for Ruby. The URI parser mishandles invalid URLs that have specific characters. There is an increase in execution time for parsing strings to URI objects with rfc2396_parser.rb and rfc3986_parser.rb. NOTE: this issue exists becuse of an incomplete fix for CVE-2023-28755. Version 0.10.3 is also a fixed version. The Ruby advisory recommends updating the uri gem to 0.12.2. In order to ensure compatibility with the bundled version in older Ruby series, you may update as follows instead: For Ruby 3.0: Update to uri 0.10.3 For Ruby 3.1 and 3.2: Update to uri 0.12.2. You can use gem update uri to update it. If you are using bundler, please add gem uri, >= 0.12.2 (or other version mentioned above) to your Gemfile.

curl 8.5.0-r0 (apk) pkg:apk/alpine/[email protected]?os_name=alpine&os_version=3.16 Affected range <8.6.0-r0 Fixed version Not Fixed EPSS Score 0.06% EPSS Percentile 25th percentile Description

[github-actions]

Outdated

🔍 Vulnerabilities of ci/voxbox:8.8.1

📦 Image Reference ci/voxbox:8.8.1

digest	sha256:d396ef192f240130a7c345977414f3b7c72a208d6c573de902cd183602355c58
vulnerabilities
size	207 MB
packages	380

📦 Base Image ruby:3.2-alpine

also known as	3.2-alpine3.20 3.2.5-alpine 3.2.5-alpine3.20
digest	sha256:a83e5ef29b3f6a5d623d5ab4b0c0e5809bd98add34de2158423e914e6371fcc3
vulnerabilities

rexml 3.3.2 (gem) pkg:gem/[email protected] Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion') Affected range <3.3.6 Fixed version 3.3.6 CVSS Score 5.9 CVSS Vector CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H Description Impact The REXML gem before 3.3.6 has a DoS vulnerability when it parses an XML that has many deep elements that have same local name attributes. If you need to parse untrusted XMLs with tree parser API like REXML::Document.new, you may be impacted to this vulnerability. If you use other parser APIs such as stream parser API and SAX2 parser API, this vulnerability is not affected. Patches The REXML gem 3.3.6 or later include the patch to fix the vulnerability. Workarounds Don't parse untrusted XMLs with tree parser API. Uncontrolled Resource Consumption Affected range <3.3.3 Fixed version 3.3.3 CVSS Score 5.3 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L EPSS Score 0.04% EPSS Percentile 16th percentile Description Impact The REXML gem before 3.3.2 has a DoS vulnerability when it parses an XML that has many entity expansions with SAX2 or pull parser API. If you need to parse untrusted XMLs with SAX2 or pull parser API, you may be impacted to this vulnerability. Patches The REXML gem 3.3.3 or later include the patch to fix the vulnerability. Workarounds Don't parse untrusted XMLs with SAX2 or pull parser API. References https://www.ruby-lang.org/en/news/2008/08/23/dos-vulnerability-in-rexml/ : This is a similar vulnerability https://www.ruby-lang.org/en/news/2024/08/01/dos-rexml-cve-2024-41946/: An announce on www.ruby-lang.org Uncontrolled Resource Consumption Affected range <3.3.3 Fixed version 3.3.3 CVSS Score 5.3 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L EPSS Score 0.04% EPSS Percentile 16th percentile Description Impact The REXML gem before 3.3.2 has some DoS vulnerabilities when it parses an XML that has many specific characters such as whitespace character, >] and ]>. If you need to parse untrusted XMLs, you may be impacted to these vulnerabilities. Patches The REXML gem 3.3.3 or later include the patches to fix these vulnerabilities. Workarounds Don't parse untrusted XMLs. References GHSA-vg3r-rm7w-2xgh : This is a similar vulnerability GHSA-4xqq-m2hx-25v8 : This is a similar vulnerability https://www.ruby-lang.org/en/news/2024/08/01/dos-rexml-cve-2024-41123/: An announce on www.ruby-lang.org

[github-actions]

Outdated

Overview

Image reference	ghcr.io/voxpupuli/voxbox:7-main	ci/voxbox:7.32.1
- digest	a4990ac6fa97	5727f7f014e7
- tag	7-main	7.32.1
- vulnerabilities
- platform	linux/amd64	linux/amd64
- size	158 MB	178 MB (+20 MB)
- packages	326	326
Base Image	ruby:2-alpine	ruby:2-alpine
- vulnerabilities

Packages and Vulnerabilities (4 package changes and 0 vulnerability changes)

• ♾️ 4 packages changed
• 310 packages unchanged

Changes for packages of type gem (4 changes)

	Package	Version ghcr.io/voxpupuli/voxbox:7-main	Version ci/voxbox:7.32.1
♾️	activesupport	7.1.3.4	7.1.4
♾️	beaker-hostgenerator	2.14.2	2.15.0
♾️	minitar	0.12	0.12.1
♾️	rexml	3.3.5	3.3.6
		Removed vulnerabilities (1):

[github-actions]

Outdated

Recommended fixes for local ci/voxbox:7.32.1

Base image is ruby:2-alpine

Name	2.7.8-alpine3.16
Digest	sha256:45ca5ff1e098ddc85430bad09d433dfab4be9417477a5778568a7877408f1cd0
Vulnerabilities
Pushed	1 year ago
Size	21 MB
Packages	97
Flavor	alpine
OS	3.16
Runtime	2.7.8

Refresh base image

Rebuild the image using a newer base image version. Updating this may result in breaking changes.

✅ This image version is up to date.

Change base image

Tag	Details	Pushed	Vulnerabilities
3.2-alpine Major runtime version update Also known as: 3.2.5-alpine 3.2.5-alpine3.20 3.2-alpine3.20	Benefits: Same OS detected Major runtime version update Tag was pushed more recently Image introduces no new vulnerability but removes 17 3.2-alpine was pulled 2.4K times last month Image details: Size: 42 MB Flavor: alpine OS: 3.20 Runtime: 3.2.5	3 weeks ago
3.2-alpine3.19 Major runtime version update Also known as: 3.2.5-alpine3.19	Benefits: Same OS detected Major runtime version update Tag was pushed more recently Image introduces no new vulnerability but removes 17 Image details: Size: 42 MB Flavor: alpine OS: 3.19 Runtime: 3.2.5	3 weeks ago
3.1-alpine Major runtime version update Also known as: 3.1.6-alpine 3.1.6-alpine3.20 3.1-alpine3.20	Benefits: Same OS detected Major runtime version update Tag was pushed more recently Image introduces no new vulnerability but removes 15 3.1-alpine was pulled 2.2K times last month Image details: Size: 40 MB Flavor: alpine OS: 3.20 Runtime: 3.1.6	1 month ago
3.1-alpine3.19 Major runtime version update Also known as: 3.1.6-alpine3.19	Benefits: Same OS detected Major runtime version update Tag was pushed more recently Image introduces no new vulnerability but removes 15 Image details: Size: 40 MB Flavor: alpine OS: 3.19 Runtime: 3.1.6	1 month ago
3-alpine Image introduces no new vulnerability but removes 16 Also known as: 3.3.4-alpine 3.3.4-alpine3.20 3.3-alpine 3.3-alpine3.20 3-alpine3.20 alpine alpine3.20	Benefits: Same OS detected Tag was pushed more recently Image introduces no new vulnerability but removes 16 3-alpine was pulled 2.8K times last month Image details: Size: 45 MB Flavor: alpine OS: 3.20	1 month ago
3-alpine3.19 Image introduces no new vulnerability but removes 16 Also known as: 3.3.4-alpine3.19 3.3-alpine3.19 alpine3.19	Benefits: Same OS detected Tag was pushed more recently Image introduces no new vulnerability but removes 16 Image details: Size: 45 MB Flavor: alpine OS: 3.19	1 month ago

[github-actions]

Outdated

Overview

Image reference	ghcr.io/voxpupuli/voxbox:8-main	ci/voxbox:8.8.1
- digest	961df4728f1c	d396ef192f24
- tag	8-main	8.8.1
- vulnerabilities
- platform	linux/amd64	linux/amd64
- size	185 MB	207 MB (+22 MB)
- packages	380	380
Base Image	ruby:3.2-alpine also known as: • 3.2-alpine3.20 • 3.2.5-alpine • 3.2.5-alpine3.20	ruby:3.2-alpine also known as: • 3.2-alpine3.20 • 3.2.5-alpine • 3.2.5-alpine3.20
- vulnerabilities

Packages and Vulnerabilities (9 package changes and 1 vulnerability changes)

• ♾️ 9 packages changed
• 355 packages unchanged

• ✔️ 1 vulnerabilities removed

Changes for packages of type apk (4 changes)

	Package	Version ghcr.io/voxpupuli/voxbox:8-main	Version ci/voxbox:8.8.1
♾️	pyc	3.12.3-r1	3.12.3-r2
♾️	python3	3.12.3-r1	3.12.3-r2
		Removed vulnerabilities (1):
♾️	python3-pyc	3.12.3-r1	3.12.3-r2
♾️	python3-pycache-pyc0	3.12.3-r1	3.12.3-r2

Changes for packages of type gem (5 changes)

	Package	Version ghcr.io/voxpupuli/voxbox:8-main	Version ci/voxbox:8.8.1
♾️	activesupport	7.2.0	7.2.1
♾️	async-http-faraday	0.18.0	0.19.0
♾️	beaker-hostgenerator	2.14.2	2.15.0
♾️	minitar	0.12	0.12.1
♾️	rexml	3.3.5	3.3.6
		Removed vulnerabilities (1):

[github-actions]

Outdated

Recommended fixes for local ci/voxbox:8.8.1

Base image is ruby:3.2-alpine

Name	3.2.5-alpine3.20
Digest	sha256:a83e5ef29b3f6a5d623d5ab4b0c0e5809bd98add34de2158423e914e6371fcc3
Vulnerabilities
Pushed	3 weeks ago
Size	42 MB
Packages	127
Flavor	alpine
OS	3.20
Runtime	3.2.5

The base image is also available under the supported tag(s): 3.2-alpine3.20, 3.2.5-alpine, 3.2.5-alpine3.20

Refresh base image

Rebuild the image using a newer base image version. Updating this may result in breaking changes.

✅ This image version is up to date.

Change base image

Tag	Details	Pushed	Vulnerabilities
3.3-alpine Image introduces 1 medium vulnerability Also known as: 3.3.4-alpine 3.3.4-alpine3.20 3.3-alpine3.20 3-alpine 3-alpine3.20 alpine alpine3.20	Benefits: Same OS detected Image contains 1 fewer package Image has similar size Image details: Size: 45 MB Flavor: alpine OS: 3.20	1 month ago

[github-actions]

Outdated

🔍 Vulnerabilities of ci/voxbox:8.8.1

📦 Image Reference ci/voxbox:8.8.1

digest	sha256:db4c7f40e51660a9eea0804acba4ea0fdccc98beeb9b731689aff076f7aa7eae
vulnerabilities
size	207 MB
packages	380

📦 Base Image ruby:3.2-alpine

also known as	3.2-alpine3.20 3.2.5-alpine 3.2.5-alpine3.20
digest	sha256:a83e5ef29b3f6a5d623d5ab4b0c0e5809bd98add34de2158423e914e6371fcc3
vulnerabilities

rexml 3.3.2 (gem) pkg:gem/[email protected] Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion') Affected range <3.3.6 Fixed version 3.3.6 CVSS Score 5.9 CVSS Vector CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H Description Impact The REXML gem before 3.3.6 has a DoS vulnerability when it parses an XML that has many deep elements that have same local name attributes. If you need to parse untrusted XMLs with tree parser API like REXML::Document.new, you may be impacted to this vulnerability. If you use other parser APIs such as stream parser API and SAX2 parser API, this vulnerability is not affected. Patches The REXML gem 3.3.6 or later include the patch to fix the vulnerability. Workarounds Don't parse untrusted XMLs with tree parser API. Uncontrolled Resource Consumption Affected range <3.3.3 Fixed version 3.3.3 CVSS Score 5.3 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L EPSS Score 0.04% EPSS Percentile 16th percentile Description Impact The REXML gem before 3.3.2 has a DoS vulnerability when it parses an XML that has many entity expansions with SAX2 or pull parser API. If you need to parse untrusted XMLs with SAX2 or pull parser API, you may be impacted to this vulnerability. Patches The REXML gem 3.3.3 or later include the patch to fix the vulnerability. Workarounds Don't parse untrusted XMLs with SAX2 or pull parser API. References https://www.ruby-lang.org/en/news/2008/08/23/dos-vulnerability-in-rexml/ : This is a similar vulnerability https://www.ruby-lang.org/en/news/2024/08/01/dos-rexml-cve-2024-41946/: An announce on www.ruby-lang.org Uncontrolled Resource Consumption Affected range <3.3.3 Fixed version 3.3.3 CVSS Score 5.3 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L EPSS Score 0.04% EPSS Percentile 16th percentile Description Impact The REXML gem before 3.3.2 has some DoS vulnerabilities when it parses an XML that has many specific characters such as whitespace character, >] and ]>. If you need to parse untrusted XMLs, you may be impacted to these vulnerabilities. Patches The REXML gem 3.3.3 or later include the patches to fix these vulnerabilities. Workarounds Don't parse untrusted XMLs. References GHSA-vg3r-rm7w-2xgh : This is a similar vulnerability GHSA-4xqq-m2hx-25v8 : This is a similar vulnerability https://www.ruby-lang.org/en/news/2024/08/01/dos-rexml-cve-2024-41123/: An announce on www.ruby-lang.org

[github-actions]

🔍 Vulnerabilities of ci/voxbox:7.32.1

📦 Image Reference ci/voxbox:7.32.1

digest	sha256:47cb522e2588db6a585a95ad3e7de2683fb1be18a89bdb4b15f32586ca9cbf7b
vulnerabilities
size	178 MB
packages	326

📦 Base Image ruby:2-alpine

also known as	2-alpine3.16 2.7-alpine 2.7-alpine3.16 2.7.8-alpine 2.7.8-alpine3.16
digest	sha256:45ca5ff1e098ddc85430bad09d433dfab4be9417477a5778568a7877408f1cd0
vulnerabilities

rexml 3.2.3.1 (gem) pkg:gem/[email protected] Misinterpretation of Input Affected range <3.2.5 Fixed version 3.2.5 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N EPSS Score 0.10% EPSS Percentile 43rd percentile Description The REXML gem before 3.2.5 in Ruby before 2.6.7, 2.7.x before 2.7.3, and 3.x before 3.0.1 does not properly address XML round-trip issues. An incorrect document can be produced after parsing and serializing. Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion') Affected range <3.3.6 Fixed version 3.3.6 CVSS Score 5.9 CVSS Vector CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H Description Impact The REXML gem before 3.3.6 has a DoS vulnerability when it parses an XML that has many deep elements that have same local name attributes. If you need to parse untrusted XMLs with tree parser API like REXML::Document.new, you may be impacted to this vulnerability. If you use other parser APIs such as stream parser API and SAX2 parser API, this vulnerability is not affected. Patches The REXML gem 3.3.6 or later include the patch to fix the vulnerability. Workarounds Don't parse untrusted XMLs with tree parser API. Uncontrolled Resource Consumption Affected range <3.3.3 Fixed version 3.3.3 CVSS Score 5.3 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L EPSS Score 0.04% EPSS Percentile 16th percentile Description Impact The REXML gem before 3.3.2 has a DoS vulnerability when it parses an XML that has many entity expansions with SAX2 or pull parser API. If you need to parse untrusted XMLs with SAX2 or pull parser API, you may be impacted to this vulnerability. Patches The REXML gem 3.3.3 or later include the patch to fix the vulnerability. Workarounds Don't parse untrusted XMLs with SAX2 or pull parser API. References https://www.ruby-lang.org/en/news/2008/08/23/dos-vulnerability-in-rexml/ : This is a similar vulnerability https://www.ruby-lang.org/en/news/2024/08/01/dos-rexml-cve-2024-41946/: An announce on www.ruby-lang.org Uncontrolled Resource Consumption Affected range <3.3.3 Fixed version 3.3.3 CVSS Score 5.3 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L EPSS Score 0.04% EPSS Percentile 16th percentile Description Impact The REXML gem before 3.3.2 has some DoS vulnerabilities when it parses an XML that has many specific characters such as whitespace character, >] and ]>. If you need to parse untrusted XMLs, you may be impacted to these vulnerabilities. Patches The REXML gem 3.3.3 or later include the patches to fix these vulnerabilities. Workarounds Don't parse untrusted XMLs. References GHSA-vg3r-rm7w-2xgh : This is a similar vulnerability GHSA-4xqq-m2hx-25v8 : This is a similar vulnerability https://www.ruby-lang.org/en/news/2024/08/01/dos-rexml-cve-2024-41123/: An announce on www.ruby-lang.org Uncontrolled Resource Consumption Affected range <3.2.7 Fixed version 3.2.7 CVSS Score 5.3 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L EPSS Score 0.04% EPSS Percentile 16th percentile Description Impact The REXML gem before 3.2.6 has a DoS vulnerability when it parses an XML that has many <s in an attribute value. If you need to parse untrusted XMLs, you may be impacted to this vulnerability. Patches The REXML gem 3.2.7 or later include the patch to fix this vulnerability. Workarounds Don't parse untrusted XMLs. References https://www.ruby-lang.org/en/news/2024/05/16/dos-rexml-cve-2024-35176/ Uncontrolled Resource Consumption Affected range <3.3.2 Fixed version 3.3.2 CVSS Score 4.3 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L EPSS Score 0.04% EPSS Percentile 10th percentile Description Impact The REXML gem before 3.3.1 has some DoS vulnerabilities when it parses an XML that has many specific characters such as <, 0 and %>. If you need to parse untrusted XMLs, you may be impacted to these vulnerabilities. Patches The REXML gem 3.3.2 or later include the patches to fix these vulnerabilities. Workarounds Don't parse untrusted XMLs. References GHSA-vg3r-rm7w-2xgh : This is a similar vulnerability https://www.ruby-lang.org/en/news/2024/07/16/dos-rexml-cve-2024-39908/

bundler 2.1.4 (gem) pkg:gem/[email protected] Affected range >=1.16.0 <2.2.10 Fixed version 2.2.10 CVSS Score 8.8 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H EPSS Score 0.97% EPSS Percentile 84th percentile Description Bundler 1.16.0 through 2.2.9 and 2.2.11 through 2.2.17 sometimes chooses a dependency source based on the highest gem version number, which means that a rogue gem found at a public source may be chosen, even if the intended choice was a private gem that is a dependency of another private gem that is explicitly depended on by the application. Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') Affected range <2.2.33 Fixed version 2.2.33 CVSS Score 6.7 CVSS Vector CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H EPSS Score 0.12% EPSS Percentile 46th percentile Description In bundler versions before 2.2.33, when working with untrusted and apparently harmless Gemfile's, it is not expected that they lead to execution of external code, unless that's explicit in the ruby code inside the Gemfile itself. However, if the Gemfile includes gem entries that use the git option with invalid, but seemingly harmless, values with a leading dash, this can be false. To handle dependencies that come from a Git repository instead of a registry, Bundler uses various commands, such as git clone. These commands are being constructed using user input (e.g. the repository URL). When building the commands, Bundler versions before 2.2.33 correctly avoid Command Injection vulnerabilities by passing an array of arguments instead of a command string. However, there is the possibility that a user input starts with a dash (-) and is therefore treated as an optional argument instead of a positional one. This can lead to Code Execution because some of the commands have options that can be leveraged to run arbitrary executables. Since this value comes from the Gemfile file, it can contain any character, including a leading dash. Exploitation To exploit this vulnerability, an attacker has to craft a directory containing a Gemfile file that declares a dependency that is located in a Git repository. This dependency has to have a Git URL in the form of -u./payload. This URL will be used to construct a Git clone command but will be interpreted as the upload-pack argument. Then this directory needs to be shared with the victim, who then needs to run a command that evaluates the Gemfile, such as bundle lock, inside. Impact This vulnerability can lead to Arbitrary Code Execution, which could potentially lead to the takeover of the system. However, as explained above, the exploitability is very low, because it requires a lot of user interaction. It still could put developers at risk when dealing with untrusted files in a way they think is safe, because the exploit still works when the victim tries to make sure nothing can happen, e.g. by manually reviewing the Gemfile (although they would need the weird URL with a leading dash to not raise any flags). This kind of attack vector has been used in the past to target security researchers by sending them projects to collaborate on. Patches Bundler 2.2.33 has patched this problem by inserting -- as an argument before any positional arguments to those Git commands that were affected by this issue. Workarounds Regardless of whether users can upgrade or not, they should review any untrustred Gemfile's before running any bundler commands that may read them, since they can contain arbitrary ruby code. References https://cwe.mitre.org/data/definitions/88.html

rdoc 6.2.1.1 (gem) pkg:gem/[email protected] OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities Affected range >=3.11 <6.3.1 Fixed version 6.3.1 CVSS Score 7 CVSS Vector CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H EPSS Score 0.06% EPSS Percentile 29th percentile Description In RDoc, as distributed with Ruby, it is possible to execute arbitrary code via | and tags in a filename.

uri 0.10.0.2 (gem) pkg:gem/[email protected] Inefficient Regular Expression Complexity Affected range <0.10.0.3 Fixed version 0.10.3 CVSS Score 5.3 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L EPSS Score 0.15% EPSS Percentile 51st percentile Description A ReDoS issue was discovered in the URI component before 0.12.2 for Ruby. The URI parser mishandles invalid URLs that have specific characters. There is an increase in execution time for parsing strings to URI objects with rfc2396_parser.rb and rfc3986_parser.rb. NOTE: this issue exists becuse of an incomplete fix for CVE-2023-28755. Version 0.10.3 is also a fixed version. The Ruby advisory recommends updating the uri gem to 0.12.2. In order to ensure compatibility with the bundled version in older Ruby series, you may update as follows instead: For Ruby 3.0: Update to uri 0.10.3 For Ruby 3.1 and 3.2: Update to uri 0.12.2. You can use gem update uri to update it. If you are using bundler, please add gem uri, >= 0.12.2 (or other version mentioned above) to your Gemfile.

curl 8.5.0-r0 (apk) pkg:apk/alpine/[email protected]?os_name=alpine&os_version=3.16 Affected range <8.6.0-r0 Fixed version Not Fixed EPSS Score 0.06% EPSS Percentile 25th percentile Description

[github-actions]

Outdated

Overview

Image reference	ghcr.io/voxpupuli/voxbox:8-main	ci/voxbox:8.8.1
- digest	961df4728f1c	db4c7f40e516
- tag	8-main	8.8.1
- vulnerabilities
- platform	linux/amd64	linux/amd64
- size	185 MB	207 MB (+22 MB)
- packages	380	380
Base Image	ruby:3.2-alpine also known as: • 3.2-alpine3.20 • 3.2.5-alpine • 3.2.5-alpine3.20	ruby:3.2-alpine also known as: • 3.2-alpine3.20 • 3.2.5-alpine • 3.2.5-alpine3.20
- vulnerabilities

Packages and Vulnerabilities (9 package changes and 1 vulnerability changes)

• ♾️ 9 packages changed
• 355 packages unchanged

• ✔️ 1 vulnerabilities removed

Changes for packages of type apk (4 changes)

	Package	Version ghcr.io/voxpupuli/voxbox:8-main	Version ci/voxbox:8.8.1
♾️	pyc	3.12.3-r1	3.12.3-r2
♾️	python3	3.12.3-r1	3.12.3-r2
		Removed vulnerabilities (1):
♾️	python3-pyc	3.12.3-r1	3.12.3-r2
♾️	python3-pycache-pyc0	3.12.3-r1	3.12.3-r2

Changes for packages of type gem (5 changes)

	Package	Version ghcr.io/voxpupuli/voxbox:8-main	Version ci/voxbox:8.8.1
♾️	activesupport	7.2.0	7.2.1
♾️	async-http-faraday	0.18.0	0.19.0
♾️	beaker-hostgenerator	2.14.2	2.15.0
♾️	minitar	0.12	0.12.1
♾️	rexml	3.3.5	3.3.6
		Removed vulnerabilities (1):

[github-actions]

Outdated

Recommended fixes for local ci/voxbox:8.8.1

Base image is ruby:3.2-alpine

Name	3.2.5-alpine3.20
Digest	sha256:a83e5ef29b3f6a5d623d5ab4b0c0e5809bd98add34de2158423e914e6371fcc3
Vulnerabilities
Pushed	3 weeks ago
Size	42 MB
Packages	127
Flavor	alpine
OS	3.20
Runtime	3.2.5

The base image is also available under the supported tag(s): 3.2-alpine3.20, 3.2.5-alpine, 3.2.5-alpine3.20

Refresh base image

Rebuild the image using a newer base image version. Updating this may result in breaking changes.

✅ This image version is up to date.

Change base image

Tag	Details	Pushed	Vulnerabilities
3.3-alpine Image introduces 1 medium vulnerability Also known as: 3.3.4-alpine 3.3.4-alpine3.20 3.3-alpine3.20 3-alpine 3-alpine3.20 alpine alpine3.20	Benefits: Same OS detected Image contains 1 fewer package Image has similar size Image details: Size: 45 MB Flavor: alpine OS: 3.20	1 month ago

[github-actions]

Overview

Image reference	ghcr.io/voxpupuli/voxbox:7-main	ci/voxbox:7.32.1
- digest	a4990ac6fa97	47cb522e2588
- tag	7-main	7.32.1
- vulnerabilities
- platform	linux/amd64	linux/amd64
- size	158 MB	178 MB (+20 MB)
- packages	326	326
Base Image	ruby:2-alpine	ruby:2-alpine
- vulnerabilities

Packages and Vulnerabilities (4 package changes and 0 vulnerability changes)

• ♾️ 4 packages changed
• 310 packages unchanged

Changes for packages of type gem (4 changes)

	Package	Version ghcr.io/voxpupuli/voxbox:7-main	Version ci/voxbox:7.32.1
♾️	activesupport	7.1.3.4	7.1.4
♾️	beaker-hostgenerator	2.14.2	2.15.0
♾️	minitar	0.12	0.12.1
♾️	rexml	3.3.5	3.3.6
		Removed vulnerabilities (1):

[github-actions]

Recommended fixes for local ci/voxbox:7.32.1

Base image is ruby:2-alpine

Name	2.7.8-alpine3.16
Digest	sha256:45ca5ff1e098ddc85430bad09d433dfab4be9417477a5778568a7877408f1cd0
Vulnerabilities
Pushed	1 year ago
Size	21 MB
Packages	97
Flavor	alpine
OS	3.16
Runtime	2.7.8

Refresh base image

Rebuild the image using a newer base image version. Updating this may result in breaking changes.

✅ This image version is up to date.

Change base image

Tag	Details	Pushed	Vulnerabilities
3.2-alpine Major runtime version update Also known as: 3.2.5-alpine 3.2.5-alpine3.20 3.2-alpine3.20	Benefits: Same OS detected Major runtime version update Tag was pushed more recently Image introduces no new vulnerability but removes 17 3.2-alpine was pulled 2.4K times last month Image details: Size: 42 MB Flavor: alpine OS: 3.20 Runtime: 3.2.5	3 weeks ago
3.2-alpine3.19 Major runtime version update Also known as: 3.2.5-alpine3.19	Benefits: Same OS detected Major runtime version update Tag was pushed more recently Image introduces no new vulnerability but removes 17 Image details: Size: 42 MB Flavor: alpine OS: 3.19 Runtime: 3.2.5	3 weeks ago
3.1-alpine Major runtime version update Also known as: 3.1.6-alpine 3.1.6-alpine3.20 3.1-alpine3.20	Benefits: Same OS detected Major runtime version update Tag was pushed more recently Image introduces no new vulnerability but removes 15 3.1-alpine was pulled 2.2K times last month Image details: Size: 40 MB Flavor: alpine OS: 3.20 Runtime: 3.1.6	1 month ago
3.1-alpine3.19 Major runtime version update Also known as: 3.1.6-alpine3.19	Benefits: Same OS detected Major runtime version update Tag was pushed more recently Image introduces no new vulnerability but removes 15 Image details: Size: 40 MB Flavor: alpine OS: 3.19 Runtime: 3.1.6	1 month ago
3-alpine Image introduces no new vulnerability but removes 16 Also known as: 3.3.4-alpine 3.3.4-alpine3.20 3.3-alpine 3.3-alpine3.20 3-alpine3.20 alpine alpine3.20	Benefits: Same OS detected Tag was pushed more recently Image introduces no new vulnerability but removes 16 3-alpine was pulled 2.8K times last month Image details: Size: 45 MB Flavor: alpine OS: 3.20	1 month ago
3-alpine3.19 Image introduces no new vulnerability but removes 16 Also known as: 3.3.4-alpine3.19 3.3-alpine3.19 alpine3.19	Benefits: Same OS detected Tag was pushed more recently Image introduces no new vulnerability but removes 16 Image details: Size: 45 MB Flavor: alpine OS: 3.19	1 month ago

[github-actions]

Outdated

Overview

Image reference	ghcr.io/voxpupuli/voxbox:8-main	ci/voxbox:8.8.1
- digest	961df4728f1c	dabc0efc172d
- tag	8-main	8.8.1
- vulnerabilities
- platform	linux/amd64	linux/amd64
- size	185 MB	207 MB (+22 MB)
- packages	380	380
Base Image	ruby:3.2-alpine also known as: • 3.2-alpine3.20 • 3.2.5-alpine • 3.2.5-alpine3.20	ruby:3.2-alpine also known as: • 3.2-alpine3.20 • 3.2.5-alpine • 3.2.5-alpine3.20
- vulnerabilities

Packages and Vulnerabilities (9 package changes and 1 vulnerability changes)

• ♾️ 9 packages changed
• 355 packages unchanged

• ✔️ 1 vulnerabilities removed

Changes for packages of type apk (4 changes)

	Package	Version ghcr.io/voxpupuli/voxbox:8-main	Version ci/voxbox:8.8.1
♾️	pyc	3.12.3-r1	3.12.3-r2
♾️	python3	3.12.3-r1	3.12.3-r2
		Removed vulnerabilities (1):
♾️	python3-pyc	3.12.3-r1	3.12.3-r2
♾️	python3-pycache-pyc0	3.12.3-r1	3.12.3-r2

Changes for packages of type gem (5 changes)

	Package	Version ghcr.io/voxpupuli/voxbox:8-main	Version ci/voxbox:8.8.1
♾️	activesupport	7.2.0	7.2.1
♾️	async-http-faraday	0.18.0	0.19.0
♾️	beaker-hostgenerator	2.14.2	2.15.0
♾️	minitar	0.12	0.12.1
♾️	rexml	3.3.5	3.3.6
		Removed vulnerabilities (1):

[github-actions]

Outdated

Overview

Image reference	ghcr.io/voxpupuli/voxbox:7-main	ci/voxbox:7.32.1
- digest	a4990ac6fa97	df27a8ceedee
- tag	7-main	7.32.1
- vulnerabilities
- platform	linux/amd64	linux/amd64
- size	158 MB	178 MB (+20 MB)
- packages	326	326
Base Image	ruby:2-alpine	ruby:2-alpine
- vulnerabilities

Packages and Vulnerabilities (4 package changes and 0 vulnerability changes)

• ♾️ 4 packages changed
• 310 packages unchanged

Changes for packages of type gem (4 changes)

	Package	Version ghcr.io/voxpupuli/voxbox:7-main	Version ci/voxbox:7.32.1
♾️	activesupport	7.1.3.4	7.1.4
♾️	beaker-hostgenerator	2.14.2	2.15.0
♾️	minitar	0.12	0.12.1
♾️	rexml	3.3.5	3.3.6
		Removed vulnerabilities (1):

[github-actions]

Outdated

Overview

Image reference	ghcr.io/voxpupuli/voxbox:8-main	ci/voxbox:8.8.1
- digest	961df4728f1c	1816495369ef
- tag	8-main	8.8.1
- vulnerabilities
- platform	linux/amd64	linux/amd64
- size	185 MB	207 MB (+22 MB)
- packages	380	380
Base Image	ruby:3.2-alpine also known as: • 3.2-alpine3.20 • 3.2.5-alpine • 3.2.5-alpine3.20	ruby:3.2-alpine also known as: • 3.2-alpine3.20 • 3.2.5-alpine • 3.2.5-alpine3.20
- vulnerabilities

Packages and Vulnerabilities (9 package changes and 1 vulnerability changes)

• ♾️ 9 packages changed
• 355 packages unchanged

• ✔️ 1 vulnerabilities removed

Changes for packages of type apk (4 changes)

	Package	Version ghcr.io/voxpupuli/voxbox:8-main	Version ci/voxbox:8.8.1
♾️	pyc	3.12.3-r1	3.12.3-r2
♾️	python3	3.12.3-r1	3.12.3-r2
		Removed vulnerabilities (1):
♾️	python3-pyc	3.12.3-r1	3.12.3-r2
♾️	python3-pycache-pyc0	3.12.3-r1	3.12.3-r2

Changes for packages of type gem (5 changes)

	Package	Version ghcr.io/voxpupuli/voxbox:8-main	Version ci/voxbox:8.8.1
♾️	activesupport	7.2.0	7.2.1
♾️	async-http-faraday	0.18.0	0.19.0
♾️	beaker-hostgenerator	2.14.2	2.15.0
♾️	minitar	0.12	0.12.1
♾️	rexml	3.3.5	3.3.6
		Removed vulnerabilities (1):

[github-actions]

Overview

Image reference	ghcr.io/voxpupuli/voxbox:7-main	ci/voxbox:7.32.1
- digest	a4990ac6fa97	d8922138e237
- tag	7-main	7.32.1
- vulnerabilities
- platform	linux/amd64	linux/amd64
- size	158 MB	178 MB (+20 MB)
- packages	326	326
Base Image	ruby:2-alpine	ruby:2-alpine
- vulnerabilities

Packages and Vulnerabilities (4 package changes and 0 vulnerability changes)

• ♾️ 4 packages changed
• 310 packages unchanged

Changes for packages of type gem (4 changes)

	Package	Version ghcr.io/voxpupuli/voxbox:7-main	Version ci/voxbox:7.32.1
♾️	activesupport	7.1.3.4	7.1.4
♾️	beaker-hostgenerator	2.14.2	2.15.0
♾️	minitar	0.12	0.12.1
♾️	rexml	3.3.5	3.3.6
		Removed vulnerabilities (1):