Comments (4)
We get these reports quite often, and they usually involve a large amount of digging which ends up in very little which is actionable. See docker-library/official-images#2740 for a fairly recent example where I dove into a lot of these reports and found most of them to be either false positives or out of our hands (because Debian upstream hasn't patched the vulnerabilities either, for whatever reason, although usually because they looked into it and deemed it to be a minor issue).
If there are actionable items we can resolve, we're happy to do so (and do so actively). In fact, we just updated Debian with docker-library/official-images#2888 so any packages from apt that have CVE fixes will naturally get updated as we rebuild all images descending from Debian over the next day or so.
Thanks!
from drupal.
Thanks @yosifkit I completely understand the complexity here.
This was originally investigated as there was a minor delay between the release of a critical application vulnerability fixed in the latest release 8.3.1
.
It was also mentioned on another thread that this official image should be used more for demo purposes rather than for production applications, would you agree with this?
from drupal.
I don't see any reason why this image should only be used for demo purposes. We try to keep it as up to date as possible and if there are ways the image could be improved for production and non-production use we are definitely open to it.
from drupal.
Thanks @yosifkit looks more of an upstream issue so will close this one off.
from drupal.
Related Issues (20)
- When using fpm, it is not clear how to make image styles work HOT 1
- Add PHP 8.1 to Drupal ^9.3
- When can we expect 9.3.14? HOT 2
- Add Drupal 9.4 (and remove 9.2) HOT 1
- D9 images don't allow for easy silent composer requires HOT 2
- How can I manage composer files? HOT 1
- docker: drupal site doesnt survive a restart HOT 1
- Drupal fails after updating docker image to >=9.4.6 because of composer HOT 2
- add example for how to install modules HOT 3
- drupal:9.4-php8.1-apache-buster comes with apache version Apache/2.4.38 (Debian) which has Security issue. HOT 5
- Add Drupal 9.5 (and remove 9.3)
- Add Drupal 10.0.0 HOT 1
- Remove opcache.fast_shutdown from PHP settings section HOT 2
- "Failed to get available update data" in Drupal 7.94 HOT 3
- Inquiry for apache compile option HOT 1
- Docker compose volumes not working. HOT 3
- Set the default php.ini (prod or dev) HOT 6
- New docker latest:php8.2-fpm-* images not functional HOT 1
- Add php8.3 [Postponed]
- 10.2.0 released
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from drupal.