RedHat: RHSA-2019-1245:01 Moderate: Red Hat Quay 3.0.2 security and bug fix
Summary
Security Fix(es):
* A flaw was found in the way the DES/3DES cipher was used as part of the
TLS/SSL protocol. A man-in-the-middle attacker could use this flaw to
recover some plaintext data by capturing large amounts of encrypted traffic
between TLS/SSL server and client if the communication used a DES/3DES
based ciphersuite. (CVE-2016-2183)
Bug Fix(es):
* Running Quay in config mode now works in a disconnected option which
doesn't require pulling resources from the Internet.
* Quay's security scan endpoint is now enabled at startup for viewing
results of Clair container image scans.
Summary
Solution
Before applying this update, make sure all previously released errata
relevant to your system have been applied.
For details on how to apply this update, refer to:
https://access.redhat.com/articles/11258
References
https://access.redhat.com/security/cve/CVE-2016-2183 https://access.redhat.com/security/updates/classification/#moderate
Package List
Topic
An update is now available for Red Hat Quay 3.Red Hat Product Security has rated this update as having a security impactof Moderate. A Common Vulnerability Scoring System (CVSS) base score, whichgives a detailed severity rating, is available for each vulnerability fromthe CVE link(s) in the References section.Red Hat Quay is a secure, private container registry that builds, analyzesand distributes container images. It provides a high level of automationand customization.
Topic
Relevant Releases Architectures
Bugs Fixed
1369383 - CVE-2016-2183 SSL/TLS: Birthday attack against 64-bit block ciphers (SWEET32)
1709477 - Quay 3.0.2 errata