The USN-3712-1 and USN-3712-2 libpng vulnerabilities are fixed automatically and installed on SecureDrop production instances. I received the following OSSEC alert.
OSSEC HIDS Notification. 2018 Jul 12 04:34:26 Received From: (app) A.B.C.D->/var/log/dpkg.log Rule: 2902 fired (level 7) -> "New dpkg (Debian Package) installed." Portion of the log(s): 2018-07-12 04:34:25 status installed libpng12-0:amd64 1.2.50-1ubuntu2.14.04.3 --END OF NOTIFICATION