Latest Docker image still contains serious security vulnerability

[joonas-fi]

Docker-based distribution is endorsed as a first-class citizen in README.

Docker images haven't been updated in a year. Therefore, all Gun's Docker users have this critical vulnerability: GHSA-886v-mm6p-4m66

This vulnerability is serious and could easily lead to compromise of user's server and/or any related API keys like AWS credentials. The vulnerability allows malicious users to read any files from the filesystem.

What makes this worse is that I'm seeing "docker build: automated", "master" and "latest" terms tossed around in README / DockerHub which could trick some users into thinking the user gets up-to-date software (which is clearly not the case).

Docker-using users have been vulnerable 150+ days since this vulnerability was disclosed to the project maintainer.

Please take your users' security seriously and either update the "latest", "master" DockerHub tags or delete them to protect the users.

[amark]

@joonas-fi thanks.

I don't know how to do any Docker stuff :/ gonna try tagging some people in the community:

@hillct

@mhelander (do you know how? sorry to burden you with so much)

@rm-rf-etc you mentioned docker the other day right?

@joonas-fi what timeline do you suggest it get fixed within, or else I'll need to delete it from the README by?

[amark]

yay @rm-rf-etc taking this! You're my hero!!! 🎉 🎉

[amark]

@hillct do you have the login for Docker Hub?

[amark]

Ok, Docker Hub now says it was updated 3 hours ago, confirmed one of the latest, thanks @hillct @rm-rf-etc ! So this is fixed now. Thanks again @joonas-fi . :)