For details on how to apply this update, which includes the changes
described in this advisory, refer to:
https://access.redhat.com/articles/11258
Quay 3.6.0 release
Security Fix(es):
* nodejs-url-parse: incorrect hostname in url parsing (CVE-2018-3774)
* python-pillow: insufficient fix for CVE-2020-35654 due to incorrect error
checking in TiffDecode.c (CVE-2021-25289)
* nodejs-urijs: mishandling certain uses of backslash may lead to
confidentiality compromise (CVE-2021-27516)
* nodejs-debug: Regular expression Denial of Service (CVE-2017-16137)
* nodejs-mime: Regular expression Denial of Service (CVE-2017-16138)
* nodejs-is-my-json-valid: ReDoS when validating JSON fields with email
format (CVE-2018-1107)
* nodejs-extend: Prototype pollution can allow attackers to modify object
properties (CVE-2018-16492)
* nodejs-stringstream: out-of-bounds read leading to uninitialized memory
exposure (CVE-2018-21270)
* nodejs-handlebars: lookup helper fails to properly validate templates
allowing for arbitrary JavaScript execution (CVE-2019-20920)
* nodejs-handlebars: an endless loop while processing specially-crafted
templates leads to DoS (CVE-2019-20922)
* nodejs-lodash: prototype pollution in zipObjectDeep function
(CVE-2020-8203)
* nodejs-ajv: prototype pollution via crafted JSON schema in ajv.validate
function (CVE-2020-15366)
* nodejs-highlight-js: prototype pollution via a crafted HTML code block
(CVE-2020-26237)
* urijs: Hostname spoofing via backslashes in URL (CVE-2020-26291)
* python-pillow: decoding crafted YCbCr files could result in heap-based
buffer overflow (CVE-2020-35654)
* browserslist: parsing of invalid queries could result in Regular
Expression Denial of Service (ReDoS) (CVE-2021-23364)
* nodejs-postcss: Regular expression denial of service during source map
parsing (CVE-2021-23368)
* nodejs-postcss: ReDoS via getAnnotationURL() and loadAnnotation() in
lib/previous-map.js (CVE-2021-23382)
* python-pillow: negative-offset memcpy with an invalid size in
TiffDecode.c (CVE-2021-25290)
* python-pillow: out-of-bounds read in TiffReadRGBATile in TiffDecode.c
(CVE-2021-25291)
* python-pillow: backtracking regex in PDF parser could be used as a DoS
attack (CVE-2021-25292)
* python-pillow: out-of-bounds read in SGIRleDecode.c (CVE-2021-25293)
* nodejs-url-parse: mishandling certain uses of backslash may lead to
confidentiality compromise (CVE-2021-27515)
* python-pillow: reported size of a contained image is not properly checked
for a BLP container (CVE-2021-27921)
* python-pillow: reported size of a contained image is not properly checked
for an ICNS container (CVE-2021-27922)
* python-pillow: reported size of a contained image is not properly checked
for an ICO container (CVE-2021-27923)
* python-pillow: buffer overflow in Convert.c because it allows an attacker
to pass controlled parameters directly into a convert function
(CVE-2021-34552)
* nodejs-braces: Regular Expression Denial of Service (ReDoS) in
lib/parsers.js (CVE-2018-1109)
* lodash: Prototype pollution in utilities function (CVE-2018-3721)
* hoek: Prototype pollution in utilities function (CVE-2018-3728)
* lodash: uncontrolled resource consumption in Data handler causing denial
of service (CVE-2019-1010266)
* nodejs-yargs-parser: prototype pollution vulnerability (CVE-2020-7608)
* python-pillow: decoding a crafted PCX file could result in buffer
over-read (CVE-2020-35653)
For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.
https://access.redhat.com/security/cve/CVE-2017-16137
https://access.redhat.com/security/cve/CVE-2017-16138
https://access.redhat.com/security/cve/CVE-2018-1107
https://access.redhat.com/security/cve/CVE-2018-1109
https://access.redhat.com/security/cve/CVE-2018-3721
https://access.redhat.com/security/cve/CVE-2018-3728
https://access.redhat.com/security/cve/CVE-2018-3774
https://access.redhat.com/security/cve/CVE-2018-16492
https://access.redhat.com/security/cve/CVE-2018-21270
https://access.redhat.com/security/cve/CVE-2019-20920
https://access.redhat.com/security/cve/CVE-2019-20922
https://access.redhat.com/security/cve/CVE-2019-1010266
https://access.redhat.com/security/cve/CVE-2020-7608
https://access.redhat.com/security/cve/CVE-2020-8203
https://access.redhat.com/security/cve/CVE-2020-15366
https://access.redhat.com/security/cve/CVE-2020-25648
https://access.redhat.com/security/cve/CVE-2020-26237
https://access.redhat.com/security/cve/CVE-2020-26291
https://access.redhat.com/security/cve/CVE-2020-35653
https://access.redhat.com/security/cve/CVE-2020-35654
https://access.redhat.com/security/cve/CVE-2021-22922
https://access.redhat.com/security/cve/CVE-2021-22923
https://access.redhat.com/security/cve/CVE-2021-22924
An update is now available for Red Hat Quay 3. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
1500700 - CVE-2017-16138 nodejs-mime: Regular expression Denial of Service
1500705 - CVE-2017-16137 nodejs-debug: Regular expression Denial of Service
1545884 - CVE-2018-3721 lodash: Prototype pollution in utilities function
1545893 - CVE-2018-3728 hoek: Prototype pollution in utilities function
1546357 - CVE-2018-1107 nodejs-is-my-json-valid: ReDoS when validating JSON fields with email format
1547272 - CVE-2018-1109 nodejs-braces: Regular Expression Denial of Service (ReDoS) in lib/parsers.js
1608140 - CVE-2018-16492 nodejs-extend: Prototype pollution can allow attackers to modify object properties
1743096 - CVE-2019-1010266 lodash: uncontrolled resource consumption in Data handler causing denial of service
1840004 - CVE-2020-7608 nodejs-yargs-parser: prototype pollution vulnerability
1857412 - CVE-2020-8203 nodejs-lodash: prototype pollution in zipObjectDeep function
1857977 - CVE-2020-15366 nodejs-ajv: prototype pollution via crafted JSON schema in ajv.validate function
1882256 - CVE-2019-20922 nodejs-handlebars: an endless loop while processing specially-crafted templates leads to DoS
1882260 - CVE-2019-20920 nodejs-handlebars: lookup helper fails to properly validate templates allowing for arbitrary JavaScript execution
1901662 - CVE-2020-26237 nodejs-highlight-js: prototype pollution via a crafted HTML code block