Background:

Tags in the official-images are only built through an update to the Dockerfile and build context (like a version bump) or as a result of its base image being updated (ie, an image FROM debian:trixie would be rebuilt when an updated debian:trixie is built).

Official Images FAQ:

Though not every CVE is removed from the images, we take CVEs seriously and try to ensure that images contain the most up-to-date packages available within a reasonable time frame

- https://github.com/docker-library/faq/tree/e5475a9b3d7c34b8a1e3902df0f4959c5b33e593#why-does-my-security-scanner-show-that-an-image-has-cves

To ensure that we don't push contentless image changes, we rely on periodic base image updates.

We strive to publish updated images at least monthly for Debian. We also rebuild earlier if there is a critical security need. Many Official Images are maintained by the community or their respective upstream projects, like Ubuntu, Alpine, and Oracle Linux, and are subject to their own maintenance schedule.

- from the same FAQ link

A rebuild of all Alpine images happened just yesterday (caused by docker-library/official-images#20046), so it is unfortunate that it just missed these package updates from last night/this morning. We have no current plans to try to trigger any extra rebuilds since it is a very manual process to do so. If users need updated packages, then we recommend a short Dockerfile FROM postgres:... that upgrades the packages that they need.

Alpine 3.22 build log: https://build.alpinelinux.org/buildlogs/build-3-22-x86_64/main/libxml2/libxml2-2.13.9-r0.log
- started Wed, 08 Oct 2025 23:05:19 +0000
Alpine 3.21 build log: https://build.alpinelinux.org/buildlogs/build-3-21-x86_64/main/libxml2/libxml2-2.13.9-r0.log
- started Thu, 09 Oct 2025 09:07:17 +0000

Critical and High CVE- vulnerabilities #1368

Description

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions