Release 4.3: Bug Fixes, Security Improvements, and Depdendency Updates

.github/workflows/action_update-dockerhub-readme.yml

@@ -14,7 +14,7 @@ jobs:
     name: Push README to Docker Hub
     steps:
       - name: git checkout
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
         with:
           ref: main
 

.github/workflows/scheduled-task_update-sponsors.yml

@@ -8,7 +8,7 @@ jobs:
     runs-on: ubuntu-24.04
     steps:
       - name: Checkout 🛎️
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
 
       - name: Generate Sponsors 💖
         uses: JamesIves/github-sponsors-readme-action@v1

.github/workflows/service_docker-build-and-publish.yml

@@ -39,7 +39,7 @@ jobs:
       php-version-map-json: ${{ steps.get-php-versions.outputs.php-version-map-json }}
     steps:
     - name: Check out code
-      uses: actions/checkout@v5
+      uses: actions/checkout@v6
       with:
         ref: ${{ inputs.ref }}
 
@@ -67,25 +67,25 @@ jobs:
         echo "${MATRIX_JSON}" | jq '.'
 
     - name: Upload the php-versions.yml file
-      uses: actions/upload-artifact@v4
+      uses: actions/upload-artifact@v6
       with:
         name: php-versions.yml
         path: ${{ inputs.php-versions-file }}
 
   docker-publish:
     needs: setup-matrix
-    runs-on: depot-ubuntu-24.04-4
+    runs-on: depot-ubuntu-24.04-8
     strategy:
       matrix: ${{fromJson(needs.setup-matrix.outputs.php-version-map-json)}}
 
     steps:
       - name: Check out code.
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
         with:
           ref: ${{ inputs.ref }}
 
       - name: Download PHP Versions file
-        uses: actions/download-artifact@v5
+        uses: actions/download-artifact@v7
         with:
           name: php-versions.yml
           path: ./artifacts

scripts/conf/php-versions-base-config.yml

@@ -35,42 +35,43 @@ php_versions:
       - minor: "8.1"
         base_os:
           - name: alpine3.21
+          - name: alpine3.22
           - name: bookworm
           - name: trixie
         patch_versions:
-          # - 8.1.28 # Pull latest from Official PHP source
+          # - 8.1.34 # Pull latest from Official PHP source
       - minor: "8.2"
         base_os:
-          - name: alpine3.21
           - name: alpine3.22
+          - name: alpine3.23
           - name: bookworm
           - name: trixie
         patch_versions:
-        #   - 8.2.18 # Pull latest from Official PHP source
+        #   - 8.2.30 # Pull latest from Official PHP source
       - minor: "8.3"
         base_os:
-          - name: alpine3.21
           - name: alpine3.22
+          - name: alpine3.23
           - name: bookworm
           - name: trixie
         patch_versions:
-          # - 8.3.6 # Pull latest from Official PHP source
+          # - 8.3.29 # Pull latest from Official PHP source
       - minor: "8.4"
         base_os:
-          - name: alpine3.21
           - name: alpine3.22
+          - name: alpine3.23
           - name: bookworm
           - name: trixie
         patch_versions:
-        #   - 8.4.1 # Pull latest from Official PHP source
+        #   - 8.4.16 # Pull latest from Official PHP source
       - minor: "8.5"
         base_os:
-          - name: alpine3.21
           - name: alpine3.22
+          - name: alpine3.23
           - name: bookworm
           - name: trixie
         patch_versions:
-        #   - 8.5.0 # Pull latest from Official PHP source
+        #   - 8.5.1 # Pull latest from Official PHP source
 
 operating_systems:
   - family: alpine
@@ -94,27 +95,31 @@ operating_systems:
       - name: "Alpine 3.20"
         version: alpine3.20
         number: 3.20
-        nginx_version: 1.28.0-r1
+        nginx_version: 1.28.1-r1
       - name: "Alpine 3.21"
         version: alpine3.21
         number: 3.21
-        nginx_version: 1.28.0-r1
+        nginx_version: 1.28.1-r1
       - name: "Alpine 3.22"
         version: alpine3.22
         number: 3.22
-        nginx_version: 1.28.0-r1
+        nginx_version: 1.28.1-r1
+      - name: "Alpine 3.23"
+        version: alpine3.23
+        number: 3.23
+        nginx_version: 1.28.1-r1
   - family: debian
     default: true
     versions:
       - name: "Debian Bullseye"
         version: bullseye
         number: 11
-        nginx_version: 1.28.0-1~bullseye
+        nginx_version: 1.28.1-1~bullseye
       - name: "Debian Bookworm"
         version: bookworm
         number: 12
-        nginx_version: 1.28.0-1~bookworm
+        nginx_version: 1.28.1-1~bookworm
       - name: "Debian Trixie"
         version: trixie
         number: 13
-        nginx_version: 1.28.0-1~trixie
+        nginx_version: 1.28.1-1~trixie

src/common/usr/local/bin/docker-php-serversideup-install-php-ext-installer

@@ -11,7 +11,7 @@ script_name="docker-php-serversideup-install-php-ext-installer"
 ############
 # Environment variables
 ############
-PHP_EXT_INSTALLER_VERSION="2.9.18"
+PHP_EXT_INSTALLER_VERSION="2.9.27"
 
 ############
 # Main

src/variations/fpm-apache/etc/apache2/conf-available/security.conf

@@ -1,98 +1,83 @@
+##
+# Security Configuration
+##
+
+# This configuration follows security best practices from:
 #
-# Disable access to the entire file system except for the directories that
-# are explicitly allowed later.
+#   H5BP Server Configs (Apache)
+#   https://github.com/h5bp/server-configs-apache
 #
-# This currently breaks the configurations that come with some web application
-# Debian packages.
+#   OWASP Secure Headers Project
+#   https://owasp.org/www-project-secure-headers/
 #
-#<Directory />
-#   AllowOverride None
-#   Require all denied
-#</Directory>
-
+#   RFC 8615 - Well-Known URIs
+#   https://www.rfc-editor.org/rfc/rfc8615
+#
+# ##############################################################################
 
-# Changing the following options will not really affect the security of the
-# server, but might make attacks slightly more difficult in some cases.
+# ------------------------------------------------------------------------------
+# | Server Software Information                                                |
+# ------------------------------------------------------------------------------
 
-#
-# ServerTokens
-# This directive configures what you return as the Server HTTP response
-# Header. The default is 'Full' which sends information about the OS-Type
-# and compiled in modules.
-# Set to one of:  Full | OS | Minimal | Minor | Major | Prod
-# where Full conveys the most information, and Prod the least.
-#ServerTokens Minimal
-# ServerTokens OS
-# #ServerTokens Full
+# Minimize information sent about the server
+# https://httpd.apache.org/docs/current/mod/core.html#servertokens
 ServerTokens Prod
 
-#
-# Optionally add a line containing the server version and virtual host
-# name to server-generated pages (internal error documents, FTP directory
-# listings, mod_status and mod_info output etc., but not CGI generated
-# documents or custom error documents).
-# Set to "EMail" to also include a mailto: link to the ServerAdmin.
-# Set to one of:  On | Off | EMail
+# Disable server signature on error pages
+# https://httpd.apache.org/docs/current/mod/core.html#serversignature
 ServerSignature Off
-# ServerSignature On
 
-#
-# Allow TRACE method
-#
-# Set to "extended" to also reflect the request body (only for testing and
-# diagnostic purposes).
-#
-# Set to one of:  On | Off | extended
+# Disable TRACE HTTP method to prevent XST attacks
+# https://owasp.org/www-community/attacks/Cross_Site_Tracing
 TraceEnable Off
-#TraceEnable On
 
-#
-# Forbid access to version control directories
-#
-# If you use version control systems in your document root, you should
-# probably deny access to their directories. For example, for subversion:
-#
-<DirectoryMatch "/\.git">
-   Require all denied
+# ------------------------------------------------------------------------------
+# | Security Headers                                                           |
+# ------------------------------------------------------------------------------
+
+# Prevent clickjacking attacks by disabling iframe embedding
+# https://owasp.org/www-project-secure-headers/#x-frame-options
+Header always set X-Frame-Options "SAMEORIGIN"
+
+# Prevent MIME type sniffing attacks
+# https://owasp.org/www-project-secure-headers/#x-content-type-options
+Header always set X-Content-Type-Options "nosniff"
+
+# Control referrer information sent with requests
+# https://owasp.org/www-project-secure-headers/#referrer-policy
+Header always set Referrer-Policy "strict-origin-when-cross-origin"
+
+# Enable HTTP Strict Transport Security (HSTS)
+# https://owasp.org/www-project-secure-headers/#strict-transport-security
+Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
+
+# ------------------------------------------------------------------------------
+# | File Access Restrictions                                                   |
+# ------------------------------------------------------------------------------
+
+# Block PHP execution in storage directory to prevent uploaded malicious PHP files from running
+# Reference: Livewire arbitrary file upload (GHSA-29cq-5w36-x7w3)
+<LocationMatch "^/storage/.*\.php$">
+    Require all denied
+</LocationMatch>
+
+# Block access to all hidden files and directories (dotfiles)
+# EXCEPT for the "/.well-known/" directory which is required by RFC 8615
+# for ACME challenges, security.txt, and other standardized endpoints.
+# https://www.rfc-editor.org/rfc/rfc8615
+# https://github.com/h5bp/server-configs-apache
+<DirectoryMatch "/\.(?!well-known/)">
+    Require all denied
 </DirectoryMatch>
 
-# Prevent Apache from serving Gitlab files
-<FilesMatch "\.gitlab-ci.yml$">
-   Require all denied
+# Block access to files that may expose sensitive information
+# Based on H5BP server configs: https://github.com/h5bp/server-configs-apache
+<FilesMatch "(^#.*#|\.(bak|conf|config|dist|inc|ini|log|sh|sql|sw[op])|~)$">
+    Require all denied
 </FilesMatch>
 
 # Disable XML-RPC on all wordpress sites
 <Files xmlrpc.php>
    Require all denied
 # allow from xxx.xxx.xxx.xxx
-</Files>
-
-#
-# Setting this header will prevent MSIE from interpreting files as something
-# else than declared by the content type in the HTTP headers.
-# Requires mod_headers to be enabled.
-#
-Header always set X-Content-Type-Options: "nosniff"
-
-#
-# Setting this header will prevent other sites from embedding pages from this
-# site as frames. This defends against clickjacking attacks.
-# Requires mod_headers to be enabled.
-#
-Header always set X-Frame-Options: "sameorigin"
-
-#
-# Referrer policy
-#
-Header always set Referrer-Policy "no-referrer-when-downgrade"
-
-#
-# Content Security Policy
-# UPDATE - September 2020: Commenting this out until we grasp better security requirements
-# 
-#Header always set Content-Security-Policy "default-src 'self' http: https: data: blob: 'unsafe-inline'"
-
-#
-# Strict-Transport-Security Policy (set HSTS)
-#
-Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains"
+</Files>

src/variations/fpm-nginx/etc/nginx/server-opts.d/security.conf

@@ -1,24 +1,51 @@
+##
+# Security Configuration
+##
+
+# This configuration follows security best practices from:
+#
+#   H5BP Server Configs (nginx)
+#   https://github.com/h5bp/server-configs-nginx
 #
-# Security Headers
+#   OWASP Secure Headers Project
+#   https://owasp.org/www-project-secure-headers/
 #
+#   RFC 8615 - Well-Known URIs
+#   https://www.rfc-editor.org/rfc/rfc8615
+#
+# ##############################################################################
 
-# Prevent IFRAME spoofing attacks
+# Prevent clickjacking attacks by disabling iframe embedding
+# https://owasp.org/www-project-secure-headers/#x-frame-options
 add_header X-Frame-Options           "SAMEORIGIN" always;
 
-# Prevent MIME attacks
+# Prevent MIME type sniffing attacks
+# https://owasp.org/www-project-secure-headers/#x-content-type-options
 add_header X-Content-Type-Options    "nosniff" always;
 
-# Prevent Referrer URL from being leaked
-add_header Referrer-Policy           "no-referrer-when-downgrade" always;
-
-# Configure Content Security Policy
-# UPDATE - September 2020: Commenting this out until we grasp better security requirements
-#add_header Content-Security-Policy   "default-src 'self' http: https: data: blob: 'unsafe-inline'" always;
+# Control referrer information sent with requests
+# https://owasp.org/www-project-secure-headers/#referrer-policy
+add_header Referrer-Policy           "strict-origin-when-cross-origin" always;
 
-# Enable HSTS
+# Enable HTTP Strict Transport Security (HSTS)
+# https://owasp.org/www-project-secure-headers/#strict-transport-security
 add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
 
-# Prevent access to . files (the well-known directory)
+# ------------------------------------------------------------------------------
+# | File Access Restrictions                                                   |
+# ------------------------------------------------------------------------------
+
+# Block access to hidden files and directories (dotfiles)
+# EXCEPT for the "/.well-known/" directory which is required by RFC 8615
+# for ACME challenges, security.txt, and other standardized endpoints.
+# https://www.rfc-editor.org/rfc/rfc8615
+# https://github.com/h5bp/server-configs-nginx
 location ~ /\.(?!well-known) {
     deny all;
+}
+
+# Block access to files that may expose sensitive information
+# Based on H5BP server configs: https://github.com/h5bp/server-configs-nginx
+location ~* (?:#.*#|\.(?:bak|conf|config|dist|inc|ini|log|sh|sql|sw[op])|~)$ {
+    deny all;
 }

src/variations/fpm-nginx/etc/nginx/site-opts.d/http.conf.template

@@ -30,6 +30,12 @@ location / {
     try_files $uri $uri/ /index.php?$query_string;
 }
 
+# Block PHP execution in storage directory to prevent uploaded malicious PHP files from running
+# Reference: Livewire arbitrary file upload (GHSA-29cq-5w36-x7w3)
+location ~* ^/storage/.*\.php$ {
+    deny all;
+}
+
 # Pass "*.php" files to PHP-FPM
 location ~ \.php$ {
     fastcgi_pass   127.0.0.1:9000;