Apply available focal security updates at build time

Add DEBIAN_FRONTEND=noninteractive apt-get upgrade -y between the PGDG
source removal and the r-base install so the image picks up whatever
patches are still flowing into focal-updates and focal-security. Tidy
the layer with apt-get clean and rm -rf /var/lib/apt/lists/*.

ESM-only CVEs are not covered (no Pro token inside the build). The
longer-term fix is to rebase catmaid/catmaid-standalone on jammy or
noble; see the Trivy scan report for what we're inheriting from
focal in the meantime.

Author: Robbie1977

Dockerfile

@@ -37,9 +37,18 @@ RUN chmod +x /opt/VFB/*.sh
 # Ubuntu 20.04 hit standard EOL — its Release file is gone, so apt-get
 # update aborts. Postgres is already installed in the base image, so we
 # just disable the PGDG source before running update.
+#
+# focal is past standard support; we apply what patches still flow into
+# focal-updates/focal-security with apt-get upgrade. ESM-only CVEs (e.g.
+# many libssl, openssh, glibc fixes after April 2025) require an Ubuntu
+# Pro token which we don't ship; the longer-term fix is to rebase
+# catmaid-standalone on jammy or noble.
 RUN rm -f /etc/apt/sources.list.d/pgdg.list /etc/apt/sources.list.d/postgresql.list \
     && apt-get update \
-    && apt-get install -y r-base
+    && DEBIAN_FRONTEND=noninteractive apt-get upgrade -y \
+    && apt-get install -y r-base \
+    && apt-get clean \
+    && rm -rf /var/lib/apt/lists/*
 
 ENV INSTANCE_MEMORY=65000