I’m not sure who performs the builds for the published Docker images, but my security dept has identified the following issues with the Run distribution.
CVE-2021-3517
CVE-2021-3518
CVE-2021-30139
CVE-2017-18640
CVE-2021-3537
CVE-2020-8284
I created an issue in GitHub, but it does not appear that those issues are attended to. Shall we take it on ourselves to create our own container build with updated packages?
Hi @DGilmour22
We do keep an eye on these reports, so feel free to keep an eye on the ticket for updates.
In general we don’t guarantee that our CE docker images are ideal for production use, so if you want to ensure that this will always work to the standards you’re interested in, you can create a pull request for the changes or you can create and host your own images.
So it appears that even Alpine 3.13 doesn’t have the upgraded package for libXML2. I found that if I modified the entries in the /etc/apk/repositories file to 3.14, then the fixed version was able to be installed. (But there isn’t yet a docker image for Alpine at version 3.14.) Not sure if we just wait for that one.
On the “create and host your own images”, what do you recommend about testing the Camunda engine itself to ensure that OS changes don’t break it?
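The repository bump described in the post above, as an added shell example that is not code from this thread or from the Camunda project: it rewrites a constructed copy of /etc/apk/repositories from the v3.13 branch to v3.14, renders a Dockerfile that does the same inside a Camunda image before upgrading libxml2, and defines a REST smoke test that can be run against the rebuilt container to answer the "does the engine still start" question. The base image tag, the `camunda` user name inside the image, and the `/engine-rest/engine` endpoint are assumptions.

```shell
#!/bin/sh
# Added example for this thread; not code from the Camunda project.
set -eu

# Rewrite an Alpine repositories file from one branch to another
# (e.g. v3.13 -> v3.14) and print how many lines now point at the new branch.
bump_alpine_repos() {
  file=$1; from=$2; to=$3
  sed "s#/${from}/#/${to}/#g" "$file" > "${file}.tmp" && mv "${file}.tmp" "$file"
  grep -c "/${to}/" "$file" || true
}

# Render a Dockerfile that applies the same bump inside a Camunda image and
# upgrades libxml2 from the newer branch. BASE is the caller's image tag;
# the 'camunda' user name is an assumption about the official image.
render_dockerfile() {
  base=$1; from=$2; to=$3
  cat <<EOF
FROM ${base}
USER root
RUN sed -i 's#/${from}/#/${to}/#g' /etc/apk/repositories \\
 && apk upgrade --no-cache libxml2 \\
 && apk list --installed libxml2
USER camunda
EOF
}

# Smoke-test a rebuilt container once it is running: the engine REST API
# should list at least one engine. The path is an assumption; adjust to taste.
smoke_test_engine() {
  url=${1:-http://localhost:8080/engine-rest}
  curl -fsS "${url}/engine" | grep -q '"name"'
}

# Constructed sample of an Alpine 3.13 repositories file (not a real image's).
demo=$(mktemp)
printf '%s\n' \
  'https://dl-cdn.alpinelinux.org/alpine/v3.13/main' \
  'https://dl-cdn.alpinelinux.org/alpine/v3.13/community' > "$demo"
bump_alpine_repos "$demo" v3.13 v3.14
cat "$demo"
render_dockerfile camunda/camunda-bpm-platform:run-7.15.0 v3.13 v3.14
rm -f "$demo"
```

Pulling a single package from a newer branch can drag in a newer musl and other shared libraries, so after building, run the container, call `smoke_test_engine` against it, exercise a deployment through the REST API, and re-scan the image; when a 3.14-based image exists, rebuilding on that base is the cleaner fix than a cross-branch upgrade.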