Critical vulnerability in Apache 2.4.66

[SebastianLeitz]

The image variants with Apache included seem to rely on

Server version: Apache/2.4.66 (Debian)
Server built: 2026-03-01T13:26:45

The Apache project has announced several rather critical vulnerabilities. They also show up on DockerHub:

I'm not sure how the process works (on-demand, periodical?), but could please somebody trigger a new build of the PHP images with Apache in them?

[kossmac]

Since Debian stable and oldstable ship with Apache 2.4.67 (https://packages.debian.org/trixie/apache2, https://packages.debian.org/bookworm/apache2), a new build should be enough to fix this, @yosifkit

[tianon]

Debian rebuilds will happen from the base when docker-library/official-images#21391 merges (likely also later today), if they don't go out with the security fixes.

• Update 8.3 to 8.3.31 (security release, 2026-05-05) #1659 (comment)