CVE handling in published images

[lirshindalman]

Hi

First of all, thank you for maintaining and publishing these great images they’re super helpful!

I’d like to use a few of the Alpine cdxgen images, but I noticed that some of them currently include vulnerabilities (CVEs) for which recent fixes have been released.
I came across a few critical severity CVEs that were published in the past few days, as well as several high severity CVEs for which fixes have already been available for some time.

What is your usual policy or timeline regarding patching images that contain medium, high or critical severity CVEs?

[malice00]

We rebuild & redeploy the last 2 released images every weekend, so it should pick up most fixes automatically -- except maybe for our pinned packages, but those are very few.
Or you could use our nightly images, those are build at least once a day, sometimes even more often.

Would you like to share which image(s) and CVEs you mean, so we can double-check if those are no longer in our images?

[lirshindalman]

Thank you for the informative response.
I was mainly referring to several Alpine-based images that appear to include critical and high-severity vulnerabilities.

Based on the latest check I ran a few days ago the most critical issues are CVE-2025-58050 and CVE-2025-55315.
CVE-2025-58050 affects: alpine-java21, alpine-php84, alpine-ruby34, alpine-ruby345, alpine-ruby344, and the cdxgen-alpine-ruby* and cdxgen-alpine-php84 images.
CVE-2025-55315 affects: alpine-dotnet9.

In addition, several of these images also include High-severity vulnerabilities - CVE-2025-32988, CVE-2025-5245, CVE-2025-5244, CVE-2025-24294, CVE-2025-59343 - which further increase their overall risk level.

Thanks!

[malice00]

In already released images, we do not update the version of the base-container. If this is something you need, you should better switch to the nightlies (tag master), these are updated within 3 days of the release of the new base-image.

As for CVEs in software packages (those installed with apk), these are not pinned and get updated during mentioned rebuilds, so these are normally available within 1 day.

Updates to our Node dependencies obviously need testing (and a cool-down time -- see events of the last couple of weeks), so these are merged & released manually, as new versions.