v4.3.4
🔐 Security Update for NGINX users
Note
CVEs below are in nginx/nginx upstream, not in this repo. This PR only bumps the NGINX we install.
Important
If you are running a 7.4-fpm-nginx-alpine or 8.0-fpm-nginx-alpine image, you will still be vulnerable because PHP is no longer providing image updates. See our SECURITY.md for more information on why we still provide old versions.
Upstream CVEs (NGINX 1.28.3)
| CVE | CVSS 3.1 | NVD severity | nginx severity | Issue | F5 advisory |
|---|---|---|---|---|---|
| CVE-2026-27654 | 8.2 | High | Med | ngx_http_dav_module buffer overflow | K000160382 |
| CVE-2026-27784 | 7.8 | High | Med | ngx_http_mp4_module (32-bit; mp4) | K000160364 |
| CVE-2026-32647 | 7.8 | High | Med | ngx_http_mp4_module crafted MP4 | K000160366 |
| CVE-2026-27651 | 7.5 | High | Low | Mail auth CRAM-MD5/APOP, Auth-Wait | K000160383 |
| CVE-2026-28755 | 5.4 | Med | Med | Stream OCSP bypass | K000160368 |
| CVE-2026-28753 | 3.7 | Low | Med | ngx_mail_smtp_module CRLF / DNS | K000160367 |
Fixed in 1.28.3+ stable (1.29.7+ mainline) per nginx.org advisories.
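An added check, not part of this repo or its images, to confirm that a running container's NGINX carries these fixes. It parses the `nginx -v` banner or an Alpine/Debian package version string and applies the branch rule above: 1.28.x needs 1.28.3, 1.29.x needs 1.29.7, and older branches are treated as unfixed (the helper names are hypothetical).

```sh
#!/bin/sh
# Added example (hypothetical helper, not shipped in this repo): decide whether an
# installed NGINX carries the fixes from this advisory. Branch-aware, because a
# plain "version >= 1.28.3" test would wrongly pass 1.29.0-1.29.6 (mainline is
# only fixed from 1.29.7). Anything older than 1.28 is treated as unfixed.

# Extract "X.Y.Z" from an "nginx -v" banner ("nginx version: nginx/1.28.3") or
# from a package version string ("1.28.3-r0" on Alpine, "1.28.3-1~bookworm").
nginx_version() {
    printf '%s\n' "$1" |
        sed -n 's#.*nginx/##; s#^\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*#\1#p'
}

# Return 0 when fixed, 1 when still vulnerable, 2 when the input is unparseable.
nginx_fixed() {
    ver=$(nginx_version "$1")
    [ -n "$ver" ] || return 2
    major=${ver%%.*}; rest=${ver#*.}
    minor=${rest%%.*}; patch=${rest#*.}
    # 2.x or a 1.30+ branch would have been cut after the fix landed in mainline.
    if [ "$major" -gt 1 ] || [ "$minor" -gt 29 ]; then return 0; fi
    case "$minor" in
        29) if [ "$patch" -ge 7 ]; then return 0; else return 1; fi ;;  # mainline
        28) if [ "$patch" -ge 3 ]; then return 0; else return 1; fi ;;  # stable
        *)  return 1 ;;  # 1.27 and older never received these patches
    esac
}

# Inside a container: nginx -v writes its banner to stderr.
if command -v nginx >/dev/null 2>&1; then
    banner=$(nginx -v 2>&1)
    if nginx_fixed "$banner"; then
        echo "OK: $banner includes the 1.28.3/1.29.7 fixes"
    else
        echo "ACTION NEEDED: $banner is not fixed; rebuild from a v4.3.4+ image"
    fi
fi
```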
What's Changed
- (docs) Remove healthcheck from frankenphp configuration by @emaia in #661
- Security: Update NGINX version for Alpine and Debian configurations to 1.28.3 by @jaydrogers in #666
New Contributors
Full Changelog: v4.3.3...v4.3.4