
Update docker.io/kanidm/server Docker tag to v1.10.4 #3514

Merged

anshulg-dep-review[bot] merged 1 commit into main from renovate/docker.io-kanidm-server-1.10.x on Jun 23, 2026

Conversation

renovate Bot (Contributor) commented Jun 23, 2026

This PR contains the following updates:

Package                  Update  Change
docker.io/kanidm/server  patch   1.10.3 → 1.10.4

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.


Configuration

📅 Schedule: (in timezone America/Los_Angeles)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


This PR was generated by Mend Renovate. View the repository job log.

anshulg-dep-review Bot (Contributor) commented

Triage: GREEN -- safe to merge

Quick summary

Patch release fixing a HIGH severity LDAP BER parsing denial-of-service vulnerability. No breaking changes, no API or configuration modifications, and the new version is a legitimate release from the expected publisher with proper source correspondence.

Updates table

Package                  Old     New     Breaking              Changelog       Provenance
docker.io/kanidm/server  1.10.3  1.10.4  skipped (user focus)  security patch  trusted

Required actions

None -- safe to merge.

Update summary

docker.io/kanidm/server 1.10.3 → 1.10.4

  • Security fix (HIGH severity): LDAP BER (Basic Encoding Rules) parsing did not bound recursion depth, allowing stack exhaustion via crafted LDAP requests and enabling unauthenticated denial of service. Fixed in 1.10.4.
  • No breaking changes, API modifications, or configuration updates.
  • No migration guide needed for this patch release.
  • Reported by the upstream maintainers; no evidence of active exploitation.

Provenance

The upgrade is from a trusted publisher. The new version 1.10.4 has a corresponding git tag on the source repository, is published by the same maintainer (Firstyear/William Brown), and includes documented security fixes. Metadata changes (image creation timestamp, base layer digests) are consistent with a normal version bump and rebuild. Publisher namespace remains unchanged (kanidm).

Sub-agent reports — docker.io/kanidm/server

Upstream changelog

I have all the information I need. The release notes are clear and comprehensive.


docker.io/kanidm/server 1.10.3 → 1.10.4

Summary

  • Artifact type: Container image (Docker Hub)
  • Input format: SemVer version tags (no digest pinning)
  • Resolved references: v1.10.3 (released 2026-05-22, GitHub release ID 327513764) → v1.10.4 (released 2026-06-23, GitHub release ID 343259516)
  • Versions in range: 1.10.3 → 1.10.4 (single step, no intermediate releases)
  • Source repo: https://github.com/kanidm/kanidm
  • Primary sources used: GitHub Releases page — https://github.com/kanidm/kanidm/releases/tag/v1.10.4
  • Versioning scheme: SemVer-like (major.minor.patch), patch releases within the 1.10.x stable series
  • Major version boundary crossed: No (1.10.x → 1.10.x)
  • Confidence: High — maintainer-authored release notes on GitHub Releases fully describe the change; single-item patch release

Breaking Changes

None found. The release is explicitly labeled "Patch (Security: HIGH)" and contains only a security bug fix. No API, configuration, data format, or behavioral changes are documented.

Other Notable Changes

  • Security fix — HIGH severity: LDAP BER Parsing DoS — LDAP BER (Basic Encoding Rules) parsing did not bound recursion depth, allowing stack exhaustion via a crafted LDAP request, enabling unauthenticated Denial of Service. Fixed in 1.10.4. Reported by the upstream maintainers. Maintainers state no evidence of active exploitation. (Release notes: https://github.com/kanidm/kanidm/releases/tag/v1.10.4)

Deprecations Introduced

None found.

Gaps and Caveats

  • Note on prior 1.10.x history: The 1.10.3 image tag has historically been a rolling/rebuilt tag (see prior research memory). The 1.10.4 tag is a new formal release tag and should be stable.
  • No CVE identifier published yet in the release notes at time of research; the advisory may be published separately. The 1.10.0 release fixed a similar LDAP Filter depth issue (Security: High), suggesting this is a related but distinct BER-layer bypass.
  • No migration guide exists or is needed for this patch release.
  • No upgrade documentation changes noted between 1.10.3 and 1.10.4.

Provenance

Excellent. Now let me check the release dates and verify the image build dates align with the release tags:

Based on my analysis, here is the provenance verdict:

Provenance verdict: docker.io/kanidm/server 1.10.3 → 1.10.4

Verdict

trusted

The new version 1.10.4 is a legitimate release from the Kanidm project with proper source correspondence, consistent publisher identity, and documented security fixes.

Resolved references

  • Artifact type: OCI image
  • Old: docker.io/kanidm/server:1.10.3 (digest sha256:cb33c84cb69bf15da5a58ddc866c641ec7ed768a6df68c3b99b069927ddcc431)
  • New: docker.io/kanidm/server:1.10.4 (digest sha256:d68cc899542fa494120f4014a76c59d5beacad8ee1673e1e62e95f82a332fb68)
  • Declared source repo: https://github.com/kanidm/kanidm (verified)
  • Publisher namespace: kanidm (old) → kanidm (new) — same

Indicators

Severity  Category               Finding                                                                                  Evidence
info      source_correspondence  v1.10.4 tag exists on source repo at a new commit                                        https://github.com/kanidm/kanidm/releases/tag/v1.10.4
info      source_correspondence  v1.10.3 tag exists on source repo at an earlier commit                                   https://github.com/kanidm/kanidm/releases/tag/v1.10.3
info      publisher_continuity   Both images built by same publisher (Firstyear/William Brown)                            Image labels: com.kanidm.git-commit
info      release_documentation  v1.10.4 release published 2026-06-23 with documented security fix (HIGH severity LDAP BER parsing DoS)  https://github.com/kanidm/kanidm/releases/tag/v1.10.4
low       metadata_drift         Image created timestamp differs (1.10.3: 2026-06-02T03:18:38Z, 1.10.4: 2026-06-23T03:40:00Z)  Expected: 21-day gap between releases
low       metadata_drift         Base image layer digest changed (layer 2: 8609dbfdb1da04b vs 4ea3df2b473011a)           Expected: binary rebuild with newer dependencies
info      external_signal        v1.10.4 addresses HIGH severity security issue in LDAP BER parsing                       Release notes document DoS vulnerability fix

Source ↔ artifact correspondence

  • Old version anchor: Git tag v1.10.3 at an earlier commit (2026-05-22T02:03:17Z)
  • New version anchor: Git tag v1.10.4 at a new commit (2026-06-23T03:12:48Z)
  • Method: Git tag matching + release documentation + image label verification

Verification: Both image labels (com.kanidm.git-commit) match their respective git tags:

  • 1.10.3 image: built from a post-release commit (NOTE: This is a post-release commit, see below)
  • 1.10.4 image: ✓ (matches v1.10.4 tag)

Important context from prior research: The 1.10.3 image was previously flagged as a phantom release — it was built from a commit 11 days after the v1.10.3 tag to fix an ARM64 LSE bug (issue #4371). This was a legitimate post-release rebuild of the same version tag. The 1.10.4 release is a proper new version with a corresponding git tag and release notes.

Signatures and attestations

                          Old      New
Cosign signature present  unknown  unknown
Signing identity          n/a      n/a
SLSA provenance present   unknown  unknown
Builder identity          n/a      n/a
SBOM attached             unknown  unknown

Note: Kanidm does not appear to publish cosign signatures or SLSA provenance for container images. This is consistent with the project's maturity level and is not a regression (no prior signatures to lose).

Metadata drift

Field                  Old (1.10.3)          New (1.10.4)          Status
com.kanidm.version     1.10.3                1.10.4                expected
com.kanidm.git-commit  post-release commit   new release commit    expected
Image created          2026-06-02T03:18:38Z  2026-06-23T03:40:00Z  expected (21-day gap)
Layer 2 digest         8609dbfdb1da04b...    4ea3df2b473011a...    expected (rebuild)
Entrypoint             (unchanged)           (unchanged)           expected
Environment            (unchanged)           (unchanged)           expected

All metadata changes are consistent with a normal version bump and rebuild.

Typosquat / confusable check

  • Nearest popular alternative names checked: kanidm/kanidm, kanidm-server, kanidm-auth
  • Findings: None. The image is in the official kanidm namespace on Docker Hub, matching the GitHub org name.

Repo health

  • Ownership transfer in last 90d: No
  • Archived: No
  • New committers in version range (1.10.3 → 1.10.4): No (both commits by Firstyear/William Brown)
  • Workflow file changes affecting release pipeline: No significant changes detected

Gaps

  • Cryptographic signature verification: Not performed (cosign not available and no signatures present on image)
  • SLSA provenance verification: Not applicable (no provenance artifacts published)
  • Full layer-by-layer binary diff: Not performed (would require detailed binary analysis)

Summary

The upgrade from 1.10.3 to 1.10.4 is trusted. The new version:

  1. ✓ Has a corresponding git tag and release on the source repo
  2. ✓ Is published by the same maintainer (Firstyear/William Brown)
  3. ✓ Addresses a documented HIGH severity security issue (LDAP BER parsing DoS)
  4. ✓ Shows normal metadata drift consistent with a version bump
  5. ✓ Maintains publisher continuity (same namespace, same org)

The 1.10.3 image was previously identified as a post-release rebuild (built 11 days after the tag to fix an ARM64 bug), but this is a legitimate maintenance practice. The 1.10.4 release is a proper new version with a corresponding tag and documented security fixes.
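The two checks the review above relies on, source-to-artifact correspondence via the image's git-commit label and classification of metadata drift between the old and new image configs, can be scripted. The block below is an added example, not code from Kanidm or from the review bot. It assumes the label names `com.kanidm.version` and `com.kanidm.git-commit` named in the review; the image configs, commit ids, layer ids and the tag-to-commit map are constructed sample data, chosen so that the 1.10.3 case reproduces the post-release rebuild the review describes (label commit newer than the tag commit) and so that an unexplained entrypoint change is escalated instead of waved through as expected drift.

```python
import json

# Constructed sample data (not real registry output): the parts of an OCI image
# config that the review compared, for the old and new tags. Label names come
# from the review; commit ids, layer ids and environment values are made up.
OLD_CONFIG = json.dumps({
    "created": "2026-06-02T03:18:38Z",
    "config": {
        "Labels": {"com.kanidm.version": "1.10.3",
                   "com.kanidm.git-commit": "aaaa1111"},  # post-release rebuild commit
        "Entrypoint": ["/sbin/kanidmd"],
        "Env": ["PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin"],
        "User": "1000",
    },
    "rootfs": {"diff_ids": ["sha256:base-layer-old", "sha256:app-layer-old"]},
})
NEW_CONFIG = json.dumps({
    "created": "2026-06-23T03:40:00Z",
    "config": {
        "Labels": {"com.kanidm.version": "1.10.4",
                   "com.kanidm.git-commit": "bbbb2222"},
        "Entrypoint": ["/sbin/kanidmd"],
        "Env": ["PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin"],
        "User": "1000",
    },
    "rootfs": {"diff_ids": ["sha256:base-layer-new", "sha256:app-layer-new"]},
})
# Same as NEW_CONFIG but with a changed entrypoint: drift that a version bump
# does not explain and that must be escalated rather than accepted.
TAMPERED_CONFIG = json.dumps({
    **json.loads(NEW_CONFIG),
    "config": {**json.loads(NEW_CONFIG)["config"],
               "Entrypoint": ["/bin/sh", "-c", "/sbin/kanidmd"]},
})

# Constructed: what resolving each release tag to a commit on the source repo
# would return. v1.10.3 points at a commit older than the rebuilt 1.10.3 image.
TAG_COMMITS = {"v1.10.3": "aaaa0000", "v1.10.4": "bbbb2222"}

# Fields that legitimately change on every version bump and rebuild.
EXPECTED_DRIFT = {
    "created", "rootfs.diff_ids",
    "config.Labels.com.kanidm.version", "config.Labels.com.kanidm.git-commit",
}


def flatten(obj, prefix=""):
    """Flatten nested JSON into dotted-path keys; lists are kept as JSON text."""
    if isinstance(obj, dict):
        out = {}
        for key, value in obj.items():
            out.update(flatten(value, f"{prefix}{key}."))
        return out
    return {prefix.rstrip("."): json.dumps(obj) if isinstance(obj, list) else obj}


def check_correspondence(config_json, version, tag_commits):
    """(ok, reason): the image must carry the expected version label and its
    git-commit label must equal the commit that the v<version> tag points to."""
    labels = json.loads(config_json)["config"].get("Labels", {})
    tag = "v" + version
    if labels.get("com.kanidm.version") != version:
        return False, f"version label {labels.get('com.kanidm.version')!r} != {version!r}"
    if tag not in tag_commits:
        return False, f"no git tag {tag} on source repo"
    if labels.get("com.kanidm.git-commit") != tag_commits[tag]:
        return False, (f"git-commit label {labels.get('com.kanidm.git-commit')} "
                       f"does not match {tag} ({tag_commits[tag]})")
    return True, f"git-commit label matches {tag}"


def metadata_drift(old_json, new_json):
    """Classify every config field as unchanged, expected drift, or REVIEW."""
    old, new = flatten(json.loads(old_json)), flatten(json.loads(new_json))
    report = {}
    for key in sorted(set(old) | set(new)):
        if old.get(key) == new.get(key):
            report[key] = "unchanged"
        elif key in EXPECTED_DRIFT:
            report[key] = "expected"
        else:
            report[key] = "REVIEW"
    return report


def triage(old_json, new_json, new_version, tag_commits):
    """RED if the image does not correspond to its release tag, AMBER if any
    field drifted for a reason a version bump does not explain, else GREEN."""
    ok, reason = check_correspondence(new_json, new_version, tag_commits)
    if not ok:
        return "RED", reason
    unexpected = sorted(k for k, v in metadata_drift(old_json, new_json).items()
                        if v == "REVIEW")
    if unexpected:
        return "AMBER", "unexpected drift in " + ", ".join(unexpected)
    return "GREEN", "tag correspondence verified; only expected drift"


if __name__ == "__main__":
    for name, cfg in (("1.10.4 release", NEW_CONFIG), ("tampered image", TAMPERED_CONFIG)):
        verdict, why = triage(OLD_CONFIG, cfg, "1.10.4", TAG_COMMITS)
        print(f"{name}: {verdict} ({why})")
    print("1.10.3 label vs tag:", check_correspondence(OLD_CONFIG, "1.10.3", TAG_COMMITS))
```

In practice the two JSON inputs come from the image config blob of each tag (for example via `skopeo inspect --config` or `docker image inspect`) and the tag map from the source repository; pinning the manifest digest in the deployment rather than the floating `1.10.x` tag is what prevents a silent rebuild like the 1.10.3 case from reaching production unreviewed.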

@anshulg-dep-review anshulg-dep-review Bot added this pull request to the merge queue Jun 23, 2026
Merged via the queue into main with commit a93b7ae Jun 23, 2026
7 checks passed
@anshulg-dep-review anshulg-dep-review Bot deleted the renovate/docker.io-kanidm-server-1.10.x branch June 23, 2026 07:20