Security: MariaDB/mariadb-docker

SECURITY.md

Security Policy

FAQ

Why does my security scanner show that an image has CVEs?

See the Docker Official Images FAQ.

Supported Versions

Maintained versions are those listed in the Maintenance Policy. They correspond to the major-version-number directories in this repository.

Reporting a Vulnerability

The Docker Official Image of MariaDB Server includes binaries from a number of sources:

  • gosu from https://github.com/tianon/gosu;
  • the base container, i.e. Ubuntu;
  • docker-entrypoint.sh/build and healthcheck.sh scripts; and
  • MariaDB upstream packages.

gosu, following the upstream security vulnerability reporting guidance, should be validated using govulncheck to determine whether any CVE in its dependent libraries is actually reachable from the gosu executable. This container can pick up a new gosu version after there is an upstream release.

The MariaDB Server image is built on other Docker Official Images, which are periodically updated. When the base Docker Official Image is updated, the MariaDB Server image is rebuilt as well. Should a freshly pulled current MariaDB Server image be affected by a vulnerability in its base image, please file a vulnerability report with Docker Official Images according to their security policy.

docker-entrypoint.sh/build and healthcheck.sh scripts: Report a Vulnerability.

MariaDB Server upstream packages will process vulnerabilities according to the security policy. When a new MariaDB Server release is published, the Docker Official Image of MariaDB Server is updated at the same time. Delays in the Docker Official Image may be explained by the FAQ entry "I see a change merged here that hasn't shown up on Docker Hub yet?".

Vulnerability reports on the content of this repository are encouraged. You can generally expect a reply (acceptance or rejection) within the next business day. An accepted vulnerability should have a fix published to the Docker Hub repositories within a week.

There aren’t any published security advisories