sozotech
You are correct; this would have needed to be done on all nodes in the cluster.
The web server containers are built from vendor images; we don't distribute them. This was a very new vulnerability and new images had not been released by the vendors - this was an interim workaround.
As for the PHP containers, Enhance will always pull the latest version of system packages for the underlying o/s every time the appcd package is updated. This happens via Ubuntu's package manager.
If you have a lot of servers and you don't use automation (puppet/ansible/etc), then you could set up Ubuntu "unattended upgrades" to update the kernel + Enhance packages.