Remediating base image vulnerabilities

I’m trying to build a base image that pulls from php:7.3-fpm, which is built on debian:buster-slim. The php:7.3-fpm base image has vulnerabilities out of the box, like https://security-tracker.debian.org/tracker/CVE-2019-3844 and https://security-tracker.debian.org/tracker/CVE-2019-19603. From the look of it, there are no fixes for them other than changing the base OS. Is my understanding correct? I assumed that any high severity vulnerabilities would have fixes available on buster but that doesn’t seem to be the case. How do I go about fixing these things? I thought adding an apt-get upgrade to the Dockerfile may do the trick, but no upgrades are performed. Maybe there’s a repository out there I can add to /etc/apt/sources.list? Any insight would be greatly appreciated!
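An added example, not part of the original post: one way to sort scanner findings by whether the image's Debian release has a fixed package at all, which is what decides whether an apt-get upgrade in the Dockerfile can change anything. The JSON is constructed in the shape of the Debian security tracker's JSON export (package, CVE, releases, status, fixed_version); the package names, CVE IDs and versions are placeholders, and `triage` and its bucket names are hypothetical.

```python
import json

# Constructed sample shaped like the Debian security tracker JSON export.
# Package names, CVE IDs and versions are placeholders, not real tracker data.
TRACKER = json.loads("""
{
  "pkg-a": {
    "CVE-0000-0001": {"releases": {
      "buster":   {"status": "open", "urgency": "low"},
      "bullseye": {"status": "resolved", "fixed_version": "2.0-1"}}},
    "CVE-0000-0002": {"releases": {
      "buster":   {"status": "resolved", "fixed_version": "1.0-1+deb10u2"}}}
  },
  "pkg-b": {
    "CVE-0000-0003": {"releases": {
      "buster":   {"status": "open", "urgency": "low"},
      "bullseye": {"status": "open", "urgency": "low"}}}
  }
}
""")


def triage(findings, release, tracker):
    """Map each (package, cve) scanner finding to a remediation bucket."""
    result = {}
    for package, cve in findings:
        releases = tracker.get(package, {}).get(cve, {}).get("releases")
        if not releases:
            result[cve] = ("unknown", None)  # not tracked: check by hand
            continue
        here = releases.get(release, {})
        if here.get("status") == "resolved":
            # A fixed package exists in this release, so apt-get upgrade
            # can install it if the security repository is enabled.
            result[cve] = ("upgrade-in-place", here.get("fixed_version"))
            continue
        fixed_elsewhere = sorted(
            name for name, info in releases.items()
            if name != release and info.get("status") == "resolved")
        if fixed_elsewhere:
            # Only a newer release carries the fix: change the base image.
            result[cve] = ("rebase-image", fixed_elsewhere)
        else:
            # No release has a fix: upgrading or rebasing will not clear it.
            result[cve] = ("no-fix-published", here.get("urgency"))
    return result


if __name__ == "__main__":
    sample = [("pkg-a", "CVE-0000-0001"), ("pkg-b", "CVE-0000-0003")]
    print(triage(sample, "buster", TRACKER))
```

Findings in the "no-fix-published" bucket are the ones for which apt-get upgrade reports nothing to do; those in "rebase-image" need a base image built on the listed release.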