2026.28

Released 2026-05-21

Changes

Mitigation for CVE-2026-46333

This release includes mitigation for CVE-2026-46333, disabling ptrace for non-root users.

Relay proxy improvements

Updates to the relay proxy for essentials and standard stacks. This allows for Wordpress to be installed at /var/www/html.

Fix bad permissions for opensearch

Updates to the nfs-server fix-shared-permissions command to exclude opensearch and redis directories.

PHP logging improvements

Use REQUEST_URI instead of %r%Q%q for URI logging in PHP-FPM container logs. This avoids the problem of all logs containing the path of the front controller (usually /index.php).

Reduced PHP attack surface

Setting cgi.fix_pathinfo = 0 for essentials and standard packages. This disallows old-style PHP paths such as /entry.php/some/path, which are not expected to be used in modern environments.

Component upgrades

Component	Previous	Current
Debian	13.4	13.5
Varnish	6.0.17	6.0.18

Artifacts matrix

Image Type	Family / Variant	OS	Packages	Architectures	URI
Container	php-fpm:8.1-arm64	Debian 13.2	8.1.34, composer-2.9.8	arm64	public.ecr.aws/webscale/php-fpm:8.1-arm64-2026.28
Container	php-fpm:8.2-arm64	Debian 13.5	8.2.31, composer-2.9.8	arm64	public.ecr.aws/webscale/php-fpm:8.2-arm64-2026.28
Container	php-fpm:8.3-arm64	Debian 13.5	8.3.31, composer-2.9.8	arm64	public.ecr.aws/webscale/php-fpm:8.3-arm64-2026.28
Container	php-fpm:8.4-arm64	Debian 13.5	8.4.21, composer-2.9.8	arm64	public.ecr.aws/webscale/php-fpm:8.4-arm64-2026.28
Container	php-fpm:8.5-arm64	Debian 13.5	8.5.6, composer-2.9.8	arm64	public.ecr.aws/webscale/php-fpm:8.5-arm64-2026.28
Container	php-fpm:8.1-deb	Debian 13.2	8.1.34, composer-2.9.8	amd64	public.ecr.aws/webscale/php-fpm:8.1-deb-2026.28
Container	php-fpm:8.2-deb	Debian 13.5	8.2.31, composer-2.9.8	amd64	public.ecr.aws/webscale/php-fpm:8.2-deb-2026.28
Container	php-fpm:8.3-deb	Debian 13.5	8.3.31, composer-2.9.8	amd64	public.ecr.aws/webscale/php-fpm:8.3-deb-2026.28
Container	php-fpm:8.4-deb	Debian 13.5	8.4.21, composer-2.9.8	amd64	public.ecr.aws/webscale/php-fpm:8.4-deb-2026.28
Container	php-fpm:8.1	Alpine 3.21.7	8.1.34, composer-2.9.8	amd64	public.ecr.aws/webscale/php-fpm:8.1-2026.28
Container	php-fpm:8.2	Alpine 3.23.4	8.2.31, composer-2.9.8	amd64	public.ecr.aws/webscale/php-fpm:8.2-2026.28
Container	php-fpm:8.3	Alpine 3.23.4	8.3.31, composer-2.9.8	amd64	public.ecr.aws/webscale/php-fpm:8.3-2026.28
Container	php-fpm:8.4	Alpine 3.23.4	8.4.21, composer-2.9.8	amd64	public.ecr.aws/webscale/php-fpm:8.4-2026.28
Container	rabbitmq	Ubuntu 24.04.4 LTS	4.3.0	arm64	public.ecr.aws/webscale/rabbitmq:2026.28
Container	varnish	Debian 12.14	6.0.18	arm64	public.ecr.aws/webscale/varnish:2026.28

Table of Contents