-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ==================================================================== Red Hat Security Advisory Synopsis: Important: Red Hat Quay v3.6.0 security, bug fix and enhancement update Advisory ID: RHSA-2021:3917-01 Product: Red Hat Quay Advisory URL: https://access.redhat.com/errata/RHSA-2021:3917 Issue date: 2021-10-19 CVE Names: CVE-2017-16137 CVE-2017-16138 CVE-2018-1107 CVE-2018-1109 CVE-2018-3721 CVE-2018-3728 CVE-2018-3774 CVE-2018-16492 CVE-2018-21270 CVE-2019-20920 CVE-2019-20922 CVE-2019-1010266 CVE-2020-7608 CVE-2020-8203 CVE-2020-15366 CVE-2020-25648 CVE-2020-26237 CVE-2020-26291 CVE-2020-35653 CVE-2020-35654 CVE-2021-22922 CVE-2021-22923 CVE-2021-22924 CVE-2021-23364 CVE-2021-23368 CVE-2021-23382 CVE-2021-25289 CVE-2021-25290 CVE-2021-25291 CVE-2021-25292 CVE-2021-25293 CVE-2021-27515 CVE-2021-27516 CVE-2021-27921 CVE-2021-27922 CVE-2021-27923 CVE-2021-34552 CVE-2021-36222 CVE-2021-37750 ==================================================================== 1. Summary: An update is now available for Red Hat Quay 3. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Description: Quay 3.6.0 release Security Fix(es): * nodejs-url-parse: incorrect hostname in url parsing (CVE-2018-3774) * python-pillow: insufficent fix for CVE-2020-35654 due to incorrect error checking in TiffDecode.c (CVE-2021-25289) * nodejs-urijs: mishandling certain uses of backslash may lead to confidentiality compromise (CVE-2021-27516) * nodejs-debug: Regular expression Denial of Service (CVE-2017-16137) * nodejs-mime: Regular expression Denial of Service (CVE-2017-16138) * nodejs-is-my-json-valid: ReDoS when validating JSON fields with email format (CVE-2018-1107) * nodejs-extend: Prototype pollution can allow attackers to modify object properties (CVE-2018-16492) * nodejs-stringstream: out-of-bounds read leading to uninitialized memory exposure (CVE-2018-21270) * nodejs-handlebars: lookup helper fails to properly validate templates allowing for arbitrary JavaScript execution (CVE-2019-20920) * nodejs-handlebars: an endless loop while processing specially-crafted templates leads to DoS (CVE-2019-20922) * nodejs-lodash: prototype pollution in zipObjectDeep function (CVE-2020-8203) * nodejs-ajv: prototype pollution via crafted JSON schema in ajv.validate function (CVE-2020-15366) * nodejs-highlight-js: prototype pollution via a crafted HTML code block (CVE-2020-26237) * urijs: Hostname spoofing via backslashes in URL (CVE-2020-26291) * python-pillow: decoding crafted YCbCr files could result in heap-based buffer overflow (CVE-2020-35654) * browserslist: parsing of invalid queries could result in Regular Expression Denial of Service (ReDoS) (CVE-2021-23364) * nodejs-postcss: Regular expression denial of service during source map parsing (CVE-2021-23368) * nodejs-postcss: ReDoS via getAnnotationURL() and loadAnnotation() in lib/previous-map.js (CVE-2021-23382) * python-pillow: negative-offset memcpy with an invalid size in TiffDecode.c (CVE-2021-25290) * python-pillow: out-of-bounds read in TiffReadRGBATile in TiffDecode.c (CVE-2021-25291) * python-pillow: backtracking regex in PDF parser could be used as a DOS attack (CVE-2021-25292) * python-pillow: out-of-bounds read in SGIRleDecode.c (CVE-2021-25293) * nodejs-url-parse: mishandling certain uses of backslash may lead to confidentiality compromise (CVE-2021-27515) * python-pillow: reported size of a contained image is not properly checked for a BLP container (CVE-2021-27921) * python-pillow: reported size of a contained image is not properly checked for an ICNS container (CVE-2021-27922) * python-pillow: reported size of a contained image is not properly checked for an ICO container (CVE-2021-27923) * python-pillow: buffer overflow in Convert.c because it allow an attacker to pass controlled parameters directly into a convert function (CVE-2021-34552) * nodejs-braces: Regular Expression Denial of Service (ReDoS) in lib/parsers.js (CVE-2018-1109) * lodash: Prototype pollution in utilities function (CVE-2018-3721) * hoek: Prototype pollution in utilities function (CVE-2018-3728) * lodash: uncontrolled resource consumption in Data handler causing denial of service (CVE-2019-1010266) * nodejs-yargs-parser: prototype pollution vulnerability (CVE-2020-7608) * python-pillow: decoding a crafted PCX file could result in buffer over-read (CVE-2020-35653) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. 3. Solution: For details on how to apply this update, which includes the changes described in this advisory, refer to: https://access.redhat.com/articles/11258 4. Bugs fixed (https://bugzilla.redhat.com/): 1500700 - CVE-2017-16138 nodejs-mime: Regular expression Denial of Service 1500705 - CVE-2017-16137 nodejs-debug: Regular expression Denial of Service 1545884 - CVE-2018-3721 lodash: Prototype pollution in utilities function 1545893 - CVE-2018-3728 hoek: Prototype pollution in utilities function 1546357 - CVE-2018-1107 nodejs-is-my-json-valid: ReDoS when validating JSON fields with email format 1547272 - CVE-2018-1109 nodejs-braces: Regular Expression Denial of Service (ReDoS) in lib/parsers.js 1608140 - CVE-2018-16492 nodejs-extend: Prototype pollution can allow attackers to modify object properties 1743096 - CVE-2019-1010266 lodash: uncontrolled resource consumption in Data handler causing denial of service 1840004 - CVE-2020-7608 nodejs-yargs-parser: prototype pollution vulnerability 1857412 - CVE-2020-8203 nodejs-lodash: prototype pollution in zipObjectDeep function 1857977 - CVE-2020-15366 nodejs-ajv: prototype pollution via crafted JSON schema in ajv.validate function 1882256 - CVE-2019-20922 nodejs-handlebars: an endless loop while processing specially-crafted templates leads to DoS 1882260 - CVE-2019-20920 nodejs-handlebars: lookup helper fails to properly validate templates allowing for arbitrary JavaScript execution 1901662 - CVE-2020-26237 nodejs-highlight-js: prototype pollution via a crafted HTML code block 1915257 - CVE-2020-26291 urijs: Hostname spoofing via backslashes in URL 1915420 - CVE-2020-35653 python-pillow: decoding a crafted PCX file could result in buffer over-read 1915424 - CVE-2020-35654 python-pillow: decoding crafted YCbCr files could result in heap-based buffer overflow 1927293 - CVE-2018-21270 nodejs-stringstream: out-of-bounds read leading to uninitialized memory exposure 1934470 - CVE-2021-27516 nodejs-urijs: mishandling certain uses of backslash may lead to confidentiality compromise 1934474 - CVE-2021-27515 nodejs-url-parse: mishandling certain uses of backslash may lead to confidentiality compromise 1934680 - CVE-2021-25289 python-pillow: insufficent fix for CVE-2020-35654 due to incorrect error checking in TiffDecode.c 1934685 - CVE-2021-25290 python-pillow: negative-offset memcpy with an invalid size in TiffDecode.c 1934692 - CVE-2021-25291 python-pillow: out-of-bounds read in TiffReadRGBATile in TiffDecode.c 1934699 - CVE-2021-25292 python-pillow: backtracking regex in PDF parser could be used as a DOS attack 1934705 - CVE-2021-25293 python-pillow: out-of-bounds read in SGIRleDecode.c 1935384 - CVE-2021-27921 python-pillow: reported size of a contained image is not properly checked for a BLP container 1935396 - CVE-2021-27922 python-pillow: reported size of a contained image is not properly checked for an ICNS container 1935401 - CVE-2021-27923 python-pillow: reported size of a contained image is not properly checked for an ICO container 1940759 - CVE-2018-3774 nodejs-url-parse: incorrect hostname in url parsing 1948763 - CVE-2021-23368 nodejs-postcss: Regular expression denial of service during source map parsing 1954150 - CVE-2021-23382 nodejs-postcss: ReDoS via getAnnotationURL() and loadAnnotation() in lib/previous-map.js 1955619 - CVE-2021-23364 browserslist: parsing of invalid queries could result in Regular Expression Denial of Service (ReDoS) 1982378 - CVE-2021-34552 python-pillow: buffer overflow in Convert.c because it allow an attacker to pass controlled parameters directly into a convert function 5. JIRA issues fixed (https://issues.jboss.org/): PROJQUAY-1417 - zstd compressed layers PROJQUAY-1449 - As a Quay admin I want to rely on the Operator to auto-scale all stateless parts of Quay PROJQUAY-1535 - As a user I can create and use nested repository name structures PROJQUAY-1583 - add "disconnected" annotation to operators PROJQUAY-1609 - Operator communicates status per managed component PROJQUAY-1610 - Operator does not make Quay deployment wait on Clair deployment PROJQUAY-1791 - v1beta CRD EOL PROJQUAY-1883 - Support OCP Re-encrypt routes PROJQUAY-1887 - allow either sha or tag in related images PROJQUAY-1926 - As an admin, I want an API to create first user, so I can automate deployment. PROJQUAY-1998 - note database deprecations in 3.6 Config Tool PROJQUAY-2050 - Support OCP Edge-Termination PROJQUAY-2100 - A customer can update the Operator from 3.3 to 3.6 directly PROJQUAY-2102 - add clair-4.2 enrichment data to quay UI PROJQUAY-672 - MutatingAdmissionWebhook Created Automatically for QBO During Install 6. References: https://access.redhat.com/security/cve/CVE-2017-16137 https://access.redhat.com/security/cve/CVE-2017-16138 https://access.redhat.com/security/cve/CVE-2018-1107 https://access.redhat.com/security/cve/CVE-2018-1109 https://access.redhat.com/security/cve/CVE-2018-3721 https://access.redhat.com/security/cve/CVE-2018-3728 https://access.redhat.com/security/cve/CVE-2018-3774 https://access.redhat.com/security/cve/CVE-2018-16492 https://access.redhat.com/security/cve/CVE-2018-21270 https://access.redhat.com/security/cve/CVE-2019-20920 https://access.redhat.com/security/cve/CVE-2019-20922 https://access.redhat.com/security/cve/CVE-2019-1010266 https://access.redhat.com/security/cve/CVE-2020-7608 https://access.redhat.com/security/cve/CVE-2020-8203 https://access.redhat.com/security/cve/CVE-2020-15366 https://access.redhat.com/security/cve/CVE-2020-25648 https://access.redhat.com/security/cve/CVE-2020-26237 https://access.redhat.com/security/cve/CVE-2020-26291 https://access.redhat.com/security/cve/CVE-2020-35653 https://access.redhat.com/security/cve/CVE-2020-35654 https://access.redhat.com/security/cve/CVE-2021-22922 https://access.redhat.com/security/cve/CVE-2021-22923 https://access.redhat.com/security/cve/CVE-2021-22924 https://access.redhat.com/security/cve/CVE-2021-23364 https://access.redhat.com/security/cve/CVE-2021-23368 https://access.redhat.com/security/cve/CVE-2021-23382 https://access.redhat.com/security/cve/CVE-2021-25289 https://access.redhat.com/security/cve/CVE-2021-25290 https://access.redhat.com/security/cve/CVE-2021-25291 https://access.redhat.com/security/cve/CVE-2021-25292 https://access.redhat.com/security/cve/CVE-2021-25293 https://access.redhat.com/security/cve/CVE-2021-27515 https://access.redhat.com/security/cve/CVE-2021-27516 https://access.redhat.com/security/cve/CVE-2021-27921 https://access.redhat.com/security/cve/CVE-2021-27922 https://access.redhat.com/security/cve/CVE-2021-27923 https://access.redhat.com/security/cve/CVE-2021-34552 https://access.redhat.com/security/cve/CVE-2021-36222 https://access.redhat.com/security/cve/CVE-2021-37750 https://access.redhat.com/security/updates/classification/#important 7. Contact: The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/ Copyright 2021 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIVAwUBYW611tzjgjWX9erEAQj3QxAAkLd259XVhcYRMavTwTQ/qAFPEbosGo/S 5qU+jQyyzx6GotqYcLx354UifFxOu6C0FAeW9Hjc7xGuTUyUsBgBBgnN9btVNKOm o9UBt+QVPKr4J+6c+tVCjGfyiVqeMUSTlKsC+9IGss1yOMF1iXk5+a2cXeT5e9bT 0BTOGT8PEhOlyrhXE8H50A88Pav+16D1P6N1eZW5mzJJijFFxk3j25DZePBHvcjr ooDynB1HrDqxzikC/iZHU8HwnRY5nAA8Kn2ij5+nWTif7Fz7z6Ma+ZZ9k8V4VBdF 6Y8usTbovnG1JxbifKDMl8CrkSMI334lLIQ3ce/kq8/tXhX6e3IhzQHxFD1jhU9U tbNsMRAY5NjiFlBi5iDmmcd7MtT/YUaRW+60oOokGp/UWOKcSpyfg5Wcxiw8l7pi sNbZE1FKYTJ9kogwOTDZGC3VapbSlE1HJvYGGuaVmRH/QMf+UYwWt+1YJRcGkwSs pbPPOeJQHHN/bF+oC96SnOJggge7zIlNyzdBQoM716qK4oFt6I6rbqARScw2iTd8 f35aPX2eNSVEeAjJHDtNIiTIuBCjlfZKeoNz7zfjBN8eaeHe8gD9DvNyQzz/zTF3 31Hc4NBqIfwZn6+0XpZqqD2+2LQ50pPpnkpyViOSCYNqQMk2N95iOQXI1SSmJCT8 TF78u84S/UQ=JKGu -----END PGP SIGNATURE----- -- RHSA-announce mailing list RHSA-announce@redhat.com https://listman.redhat.com/mailman/listinfo/rhsa-announce