See the Docker Official Images FAQ.
Maintained versions are per the Maintenance Policy. This will correspond to the major version number directories in this repository.
The Docker Official Image of MariaDB Server includes binaries from a number of sources:

- `gosu` from https://github.com/tianon/gosu;
- the Base Image; i.e. Ubuntu or Red Hat's UBI;
- Container Scripts; `docker-entrypoint.sh` and `healthcheck.sh`; and
- MariaDB Server; from upstream packages (not from the base image distribution).
`gosu`, based on the upstream security vulnerability reporting, should be validated using `govulncheck` to see if any CVE within these libraries is actually used by the `gosu` executable. This container can pick up a new `gosu` version after there is an upstream release.

The current `gosu` released version, 1.17, because of the golang runtime at the time of release, reports one finding with `govulncheck`, GO-2023-1840 (also labeled CVE-2023-29403). The end of the `govulncheck` report for GO-2023-1840 states:

"your code doesn't appear to call these vulnerabilities."

The reason that `govulncheck` reports this is that `gosu` isn't setuid or setgid, which is a key aspect of this vulnerability. `docker run --rm mariadb ls -la /usr/local/bin/gosu` can be used to validate the lack of setuid/setgid bits. Furthermore, `gosu` will immediately exit if it is run in this vulnerable mode (per upstream author comment).
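The setuid/setgid check above can be scripted so the result is machine-checked rather than read by eye. The following is an added example and not a script from the MariaDB Docker repository: it parses the mode field of an `ls -la` line and reports failure when the owner or group execute position carries an `s`/`S` bit. The two sample lines are constructed, not real output of the image; against a running image the page's `docker run` command would be fed into `check_ls_line` as shown in the trailing comment.

```shell
#!/bin/sh
# Added example (not part of the MariaDB Docker repository's own scripts).
# Inspects the mode column of an `ls -la` line for setuid/setgid bits.

# Returns 0 (true) if the mode string (e.g. "-rwsr-xr-x") has a setuid
# bit (position 4) or a setgid bit (position 7); 's' means the bit is
# set together with execute, 'S' means set without execute.
has_setuid_or_setgid() {
  mode="$1"
  owner_x=$(printf '%s\n' "$mode" | cut -c4)
  group_x=$(printf '%s\n' "$mode" | cut -c7)
  case "$owner_x$group_x" in
    *[sS]*) return 0 ;;
    *) return 1 ;;
  esac
}

# Takes one full `ls -la` line, extracts its first (mode) field and
# returns 1 with a warning if a setuid/setgid bit is present, 0 otherwise.
check_ls_line() {
  line="$1"
  mode=$(printf '%s\n' "$line" | awk '{print $1}')
  if has_setuid_or_setgid "$mode"; then
    echo "WARNING: setuid/setgid bit present: $line"
    return 1
  fi
  echo "OK: no setuid/setgid bit: $line"
  return 0
}

# Constructed sample lines (not real output of the mariadb image).
SAFE_LINE="-rwxr-xr-x 1 root root 2316288 Jan  1 00:00 /usr/local/bin/gosu"
UNSAFE_LINE="-rwsr-xr-x 1 root root 2316288 Jan  1 00:00 /usr/local/bin/gosu"

# Demo over the constructed lines.
check_ls_line "$SAFE_LINE"
check_ls_line "$UNSAFE_LINE" || true

# Against a running image, the page's own command would be checked with:
#   check_ls_line "$(docker run --rm mariadb ls -la /usr/local/bin/gosu)"
```

Only the 4th and 7th characters of the mode field are inspected, so trailing ACL or SELinux markers (`+`, `.`) that some `ls` builds append do not affect the result.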
The base image of MariaDB Server is based on other Docker Official Images, which are periodically updated. When the base Docker Official Image is updated, the MariaDB Server image is also updated. Should a freshly pulled current MariaDB Server image be affected by a vulnerability of its base image, please file a vulnerability report with Docker Official Images according to their security policy.
`docker-entrypoint.sh`/build and `healthcheck.sh` scripts - Report a Vulnerability.
MariaDB Server upstream packages will process vulnerabilities according to the security policy. When a new MariaDB Server release is published, the Docker Official Image of MariaDB Server will be updated at the same time. Delays in the Docker Official Image may be explained by the FAQ "I see a change merged here that hasn't shown up on Docker Hub yet?".
Vulnerability reports on the content of this repository are encouraged. You can generally expect a reply (acceptance/rejection) within the next business day. An accepted vulnerability should have a fix published on Docker Hub repositories within a week.