Closed tschuette22 closed 6 months ago
We do that when new versions come out:
edd@rob:~$ docker run --rm -ti rocker/r-base:latest Rscript --version
Rscript (R) version 4.4.0 (2024-04-24)
edd@rob:~$
However some containers are on purpose 'frozen' to a version, and that too is on purpose. Also, with all due respect, this CVE is a non-issue, wrong and should be withdrawn (but nobody has the energy to pursue this).
The R Foundation issued a blog post but somehow I cannot access it right now via https://blog.r-project.org/. I notified my colleagues and I hope the post reappears.
Thank you for the quick response. I was notified by my organisation to verify we're using at least 4.4.0 on all systems because of the issue and was surprised that the Dockerfile of 'latest' as linked on Dockerhub didn't point at 4.4.0. I missed that it is being set as an ENV variable when pulling. So sorry for the confusion, this can be closed. I will look into the blog post once it's back up.
Hi,
First, thank you for this awesome project. I believe it would be a good idea to bump the 'latest' version to 4.4.0 to avoid the security vulnerability in RDS data serialization. See: https://www.cve.org/CVERecord?id=CVE-2024-27322