@sandro Good to know, thank you! I don't do that, so that isn't relevant to me personally, but I can see how it would impact others. I'll add a notice to the readme.
Do you have a better idea? My initial approach was to use overlays or somehow override glibc for PHP specifically, but being glibc, that would trigger massive builds of otherwise cached packages for a mere config change. That's when I was made aware of replaceRuntimeDependencies, which seemed to be a good tradeoff.
@mart_w No, not really. Maybe we could supply Hydra with the configuration without this setting and only apply it when deploying. This should easily be possible.
Summing it up, there's a vulnerability (CVE-2024-2961) in glibc that, apparently, can be used to get RCE on servers running PHP.
It's recommended that you update glibc to a patched version.