Fix vulnerabilities about drupal HOT 4 CLOSED

We get these reports quite often, and they usually involve a large amount of digging which ends up in very little which is actionable. See docker-library/official-images#2740 for a fairly recent example where I dove into a lot of these reports and found most of them to be either false positives or out of our hands (because Debian upstream hasn't patched the vulnerabilities either, for whatever reason, although usually because they looked into it and deemed it to be a minor issue).

If there are actionable items we can resolve, we're happy to do so (and do so actively). In fact, we just updated Debian with docker-library/official-images#2888 so any packages from apt that have CVE fixes will naturally get updated as we rebuild all images descending from Debian over the next day or so.

Thanks!

from drupal.

Thanks @yosifkit I completely understand the complexity here.

This was originally investigated as there was a minor delay between the release of a critical application vulnerability fixed in the latest release 8.3.1.

It was also mentioned on another thread that this official image should be used more for demo purposes rather than for production applications, would you agree with this?

from drupal.

I don't see any reason why this image should only be used for demo purposes. We try to keep it as up to date as possible and if there are ways the image could be improved for production and non-production use we are definitely open to it.

from drupal.

Thanks @yosifkit looks more of an upstream issue so will close this one off.

from drupal.