Skip to content

Security: MariaDB/mariadb-docker

SECURITY.md

Security Policy

FAQ

Why does my security scanner show that an image has CVEs?

See the Docker Official Images FAQ.

Supported Versions

Maintained versions are per the Maintenance Policy. This will correspond to the major version number directories in this repository.

Reporting a Vulnerability

The Docker Official Image of MariaDB Server includes binaries from a number of sources:

  • gosu from https://github.com/tianon/gosu;
  • the base container, i.e. Ubuntu;
  • docker-entrypoint.sh/build and healthcheck.sh scripts; and
  • MariaDB upstream packages.

gosu, based on the upstream security vulnerability reporting, should be validated using govulcheck to see if any CVE within these libraries are actually used by the gosu executable. This container can pick up a new gosu version after there is a upstream release.

The base image of MariaDB Server is based on other Docker Official Images, which are periodically updated. When the base Docker Official Image is updated, the MariaDB Server is also updated. Should a freshly pulled current MariaDB Server image be affected by a vulnerability of its base image, please do a vulnerability report with Docker Official Images according to their security policy.

docker-entrypoint.sh/build and healthcheck.sh scripts - Report a Vulnerability.

MariaDB Server upstream packages will process vulnerabilies according to the security policy. When a new MariaDB Server release is published, the Docker Official Image of MariaDB Server will be updated at the same time. Delays in the Docker Official Image may be explained by the FAQ "I see a change merged here that hasn't shown up on Docker Hub yet?".

Vulnerability reports on the content of this repository are encouraged. You can generally expect a reply (acceptance/rejection) within the next business day. An accepted vulnerability should have a fix published on Docker Hub respositories within a week.

There aren’t any published security advisories