serversideup/php is a downstream distributor. We package PHP, NGINX, Apache, Composer, the base operating system, and related tooling into production-ready Docker images. We do not maintain those upstream projects ourselves — this policy explains what belongs here and what belongs upstream.
For anything in scope below, please use GitHub's private vulnerability reporting to open a confidential report. Please include:
- The affected image tag and digest (e.g.
serversideup/php:8.4-fpm-nginx@sha256:…) - Steps to reproduce and the impact
- Any suggested mitigation, if you have one
Do not disclose details publicly (issues, discussions, social media) before a fix is released.
Vulnerabilities in what we author and ship:
- Entrypoint scripts, healthchecks, helper scripts, and S6 service definitions in
src/ - Default configs we ship for PHP-FPM, NGINX, Apache, and FrankenPHP
- Insecure defaults: ports, file permissions, the
www-datauser model, SSL defaults - Build pipeline integrity (GitHub Actions workflows, tag assembly, image publishing)
- Documentation that materially misleads users about a security-relevant setting
Vulnerabilities in software we package but do not maintain belong with the upstream project, not here:
| Component | Where to report |
|---|---|
| PHP itself | The PHP project (security mailing list: security@php.net) |
| NGINX | NGINX security advisories |
| Apache HTTP Server | Apache HTTPD security |
| Composer | composer/composer on GitHub |
| Debian / Alpine base packages | The respective distribution security teams |
If an upstream CVE is already publicly disclosed, you don't need to file with us — we pick up upstream patches on our weekly rebuilds (Tuesday 08:00 UTC) for floating tags. See How our releases work for the full cadence and which tags receive rebuilds.
Our images bundle third-party software, each with its own support window. Before reporting an issue (or pinning to a particular version), confirm the component is still receiving security fixes from its maintainers:
| Component | Lifecycle reference |
|---|---|
| PHP | endoflife.date/php |
| Debian | endoflife.date/debian |
| Alpine Linux | endoflife.date/alpine-linux |
| NGINX | endoflife.date/nginx |
| Apache HTTP Server | endoflife.date/apache |
| Composer | endoflife.date/composer |
We continue to publish images for end-of-life PHP versions and operating system bases so legacy applications have a path into containers — but those bases will not receive new upstream security fixes. Use them as a stepping stone, not a destination. See Choosing an image — Operating Systems for the trade-off.
For the full release model, how floating vs. version-pinned tags behave, and how to apply your own patches to a pinned image, see the Upgrade Guide.
For the EOL trade-off when picking an operating system base, see Choosing an image — Operating Systems.