I am using Clair to scan my Docker images and I see that there are a lot of High priority bugs flagged for my image python:2.7-stretch, which is based off Debian:stretch. Now most of these are fixed in a newer version of stretch (called stretch security). But I do not see a corresponding debian:stretch-security version released on Docker Hub. Is there a way to fix these bugs or should one wait for Debian to fix them in their base images?
The solution is to do an 'apt upgrade' inside the container, which will pull in the updated packages, and any CVE bugs which have a fix available should get updated. This will then leave my image with only bugs for which no fix has been released.
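
One way to check the result described above, as an added example that is not part of the original post: the shell functions below read the output of `apt-get -s upgrade` (a simulation that changes nothing) and list upgrades still pending from the security archive. The function names and the sample output are constructed for illustration, and the example assumes the security archive appears as `Debian-Security` in that output.

```shell
#!/bin/sh
# Added example, not from the original post.
# Typical use inside the image (assumption: root in a Debian-based image):
#   apt-get update && apt-get -s upgrade | security_gate

# Print "package old -> new" for every upgrade apt would take from the
# security archive. Reads `apt-get -s upgrade` output on stdin.
pending_security_upgrades() {
    awk '
        $1 == "Inst" && /Debian-Security/ {
            old = $3; sub(/^\[/, "", old); sub(/\]$/, "", old)
            new = $4; sub(/^\(/, "", new)
            print $2, old, "->", new
        }'
}

# Return 1 (and report on stderr) if any security upgrade is still pending.
security_gate() {
    pending=$(pending_security_upgrades)
    if [ -n "$pending" ]; then
        printf 'security upgrades not applied:\n%s\n' "$pending" >&2
        return 1
    fi
    return 0
}

# Constructed sample of `apt-get -s upgrade` output (versions are made up).
# "Conf" lines repeat each package and must not be counted a second time.
SAMPLE='Reading package lists...
Building dependency tree...
Inst libssl1.1 [1.1.0f-3+deb9u1] (1.1.0f-3+deb9u2 Debian-Security:9/stable [amd64])
Inst tzdata [2018c-0+deb9u1] (2018e-0+deb9u1 Debian:9.5/stable [all])
Inst openssl [1.1.0f-3+deb9u1] (1.1.0f-3+deb9u2 Debian-Security:9/stable [amd64])
Conf libssl1.1 (1.1.0f-3+deb9u2 Debian-Security:9/stable [amd64])
Conf tzdata (2018e-0+deb9u1 Debian:9.5/stable [all])
Conf openssl (1.1.0f-3+deb9u2 Debian-Security:9/stable [amd64])'

# Demo on the constructed sample: lists libssl1.1 and openssl only.
printf '%s\n' "$SAMPLE" | pending_security_upgrades
```

Run as a build step after the upgrade, the gate fails the build whenever the image still lacks a security fix that has already been released, which is the signal to rebuild.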