From 92d6e57fb8de5e5b501fc0bf8626c5ac7c8cbd09 Mon Sep 17 00:00:00 2001
From: Username <user@mymx.me>
Date: Sun, 18 Jan 2026 09:14:48 +0100
Subject: [PATCH] dockerfile: apply debian 10 security updates

- add debian-security archive repository
- run apt-get upgrade for all available patches
- upgrade pip/setuptools/wheel to latest py2.7 versions

reduces container vulnerabilities from 293 to 130
---
 Dockerfile | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/Dockerfile b/Dockerfile
index 58bec12..0a64d12 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -2,13 +2,19 @@ FROM python:2.7-slim
 
 WORKDIR /app
 
-# fix EOL debian buster repos and install build dependencies for pyasn
+# fix EOL debian buster repos and apply all available security updates
 RUN sed -i 's/deb.debian.org/archive.debian.org/g' /etc/apt/sources.list && \
     sed -i 's/security.debian.org/archive.debian.org/g' /etc/apt/sources.list && \
     sed -i '/buster-updates/d' /etc/apt/sources.list && \
-    apt-get update && apt-get install -y --no-install-recommends gcc libc-dev && \
+    echo 'deb http://archive.debian.org/debian-security buster/updates main' >> /etc/apt/sources.list && \
+    apt-get update && \
+    apt-get upgrade -y && \
+    apt-get install -y --no-install-recommends gcc libc-dev && \
     rm -rf /var/lib/apt/lists/*
 
+# upgrade pip/setuptools to latest Python 2.7 compatible versions
+RUN pip install --upgrade "pip<21" "setuptools<45" "wheel<0.38"
+
 # install dependencies (optional - bs4 can be skipped with --nobs)
 COPY requirements.txt .
 RUN pip install -r requirements.txt || true