-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: Red Hat Quay v3.6.0 security, bug fix and enhancement update
Advisory ID:       RHSA-2021:3917-01
Product:           Red Hat Quay
Advisory URL:      https://access.redhat.com/errata/RHSA-2021:3917
Issue date:        2021-10-19
CVE Names:         CVE-2017-16137 CVE-2017-16138 CVE-2018-1107 
                   CVE-2018-1109 CVE-2018-3721 CVE-2018-3728 
                   CVE-2018-3774 CVE-2018-16492 CVE-2018-21270 
                   CVE-2019-20920 CVE-2019-20922 CVE-2019-1010266 
                   CVE-2020-7608 CVE-2020-8203 CVE-2020-15366 
                   CVE-2020-25648 CVE-2020-26237 CVE-2020-26291 
                   CVE-2020-35653 CVE-2020-35654 CVE-2021-22922 
                   CVE-2021-22923 CVE-2021-22924 CVE-2021-23364 
                   CVE-2021-23368 CVE-2021-23382 CVE-2021-25289 
                   CVE-2021-25290 CVE-2021-25291 CVE-2021-25292 
                   CVE-2021-25293 CVE-2021-27515 CVE-2021-27516 
                   CVE-2021-27921 CVE-2021-27922 CVE-2021-27923 
                   CVE-2021-34552 CVE-2021-36222 CVE-2021-37750 
=====================================================================

1. Summary:

An update is now available for Red Hat Quay 3.

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.

2. Description:

Quay 3.6.0 release

Security Fix(es):

* nodejs-url-parse: incorrect hostname in url parsing (CVE-2018-3774)

* python-pillow: insufficent fix for CVE-2020-35654 due to incorrect error
checking in TiffDecode.c (CVE-2021-25289)

* nodejs-urijs: mishandling certain uses of backslash may lead to
confidentiality compromise (CVE-2021-27516)

* nodejs-debug: Regular expression Denial of Service (CVE-2017-16137)

* nodejs-mime: Regular expression Denial of Service (CVE-2017-16138)

* nodejs-is-my-json-valid: ReDoS when validating JSON fields with email
format (CVE-2018-1107)

* nodejs-extend: Prototype pollution can allow attackers to modify object
properties (CVE-2018-16492)

* nodejs-stringstream: out-of-bounds read leading to uninitialized memory
exposure (CVE-2018-21270)

* nodejs-handlebars: lookup helper fails to properly validate templates
allowing for arbitrary JavaScript execution (CVE-2019-20920)

* nodejs-handlebars: an endless loop while processing specially-crafted
templates leads to DoS (CVE-2019-20922)

* nodejs-lodash: prototype pollution in zipObjectDeep function
(CVE-2020-8203)

* nodejs-ajv: prototype pollution via crafted JSON schema in ajv.validate
function (CVE-2020-15366)

* nodejs-highlight-js: prototype pollution via a crafted HTML code block
(CVE-2020-26237)

* urijs: Hostname spoofing via backslashes in URL (CVE-2020-26291)

* python-pillow: decoding crafted YCbCr files could result in heap-based
buffer overflow (CVE-2020-35654)

* browserslist: parsing of invalid queries could result in Regular
Expression Denial of Service (ReDoS) (CVE-2021-23364)

* nodejs-postcss: Regular expression denial of service during source map
parsing (CVE-2021-23368)

* nodejs-postcss: ReDoS via getAnnotationURL() and loadAnnotation() in
lib/previous-map.js (CVE-2021-23382)

* python-pillow: negative-offset memcpy with an invalid size in
TiffDecode.c (CVE-2021-25290)

* python-pillow: out-of-bounds read in TiffReadRGBATile in TiffDecode.c
(CVE-2021-25291)

* python-pillow: backtracking regex in PDF parser could be used as a DOS
attack (CVE-2021-25292)

* python-pillow: out-of-bounds read in SGIRleDecode.c (CVE-2021-25293)

* nodejs-url-parse: mishandling certain uses of backslash may lead to
confidentiality compromise (CVE-2021-27515)

* python-pillow: reported size of a contained image is not properly checked
for a BLP container (CVE-2021-27921)

* python-pillow: reported size of a contained image is not properly checked
for an ICNS container (CVE-2021-27922)

* python-pillow: reported size of a contained image is not properly checked
for an ICO container (CVE-2021-27923)

* python-pillow: buffer overflow in Convert.c because it allow an attacker
to pass controlled parameters directly into a convert function
(CVE-2021-34552)

* nodejs-braces: Regular Expression Denial of Service (ReDoS) in
lib/parsers.js (CVE-2018-1109)

* lodash: Prototype pollution in utilities function (CVE-2018-3721)

* hoek: Prototype pollution in utilities function (CVE-2018-3728)

* lodash: uncontrolled resource consumption in Data handler causing denial
of service (CVE-2019-1010266)

* nodejs-yargs-parser: prototype pollution vulnerability (CVE-2020-7608)

* python-pillow: decoding a crafted PCX file could result in buffer
over-read (CVE-2020-35653)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

3. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

4. Bugs fixed (https://bugzilla.redhat.com/):

1500700 - CVE-2017-16138 nodejs-mime: Regular expression Denial of Service
1500705 - CVE-2017-16137 nodejs-debug: Regular expression Denial of Service
1545884 - CVE-2018-3721 lodash: Prototype pollution in utilities function
1545893 - CVE-2018-3728 hoek: Prototype pollution in utilities function
1546357 - CVE-2018-1107 nodejs-is-my-json-valid: ReDoS when validating JSON fields with email format
1547272 - CVE-2018-1109 nodejs-braces: Regular Expression Denial of Service (ReDoS) in lib/parsers.js
1608140 - CVE-2018-16492 nodejs-extend: Prototype pollution can allow attackers to modify object properties
1743096 - CVE-2019-1010266 lodash: uncontrolled resource consumption in Data handler causing denial of service
1840004 - CVE-2020-7608 nodejs-yargs-parser: prototype pollution vulnerability
1857412 - CVE-2020-8203 nodejs-lodash: prototype pollution in zipObjectDeep function
1857977 - CVE-2020-15366 nodejs-ajv: prototype pollution via crafted JSON schema in ajv.validate function
1882256 - CVE-2019-20922 nodejs-handlebars: an endless loop while processing specially-crafted templates leads to DoS
1882260 - CVE-2019-20920 nodejs-handlebars: lookup helper fails to properly validate templates allowing for arbitrary JavaScript execution
1901662 - CVE-2020-26237 nodejs-highlight-js: prototype pollution via a crafted HTML code block
1915257 - CVE-2020-26291 urijs: Hostname spoofing via backslashes in URL
1915420 - CVE-2020-35653 python-pillow: decoding a crafted PCX file could result in buffer over-read
1915424 - CVE-2020-35654 python-pillow: decoding crafted YCbCr files could result in heap-based buffer overflow
1927293 - CVE-2018-21270 nodejs-stringstream: out-of-bounds read leading to uninitialized memory exposure
1934470 - CVE-2021-27516 nodejs-urijs: mishandling certain uses of backslash may lead to confidentiality compromise
1934474 - CVE-2021-27515 nodejs-url-parse: mishandling certain uses of backslash may lead to confidentiality compromise
1934680 - CVE-2021-25289 python-pillow: insufficent fix for CVE-2020-35654 due to incorrect error checking in TiffDecode.c
1934685 - CVE-2021-25290 python-pillow: negative-offset memcpy with an invalid size in TiffDecode.c
1934692 - CVE-2021-25291 python-pillow: out-of-bounds read in TiffReadRGBATile in TiffDecode.c
1934699 - CVE-2021-25292 python-pillow: backtracking regex in PDF parser could be used as a DOS attack
1934705 - CVE-2021-25293 python-pillow: out-of-bounds read in SGIRleDecode.c
1935384 - CVE-2021-27921 python-pillow: reported size of a contained image is not properly checked for a BLP container
1935396 - CVE-2021-27922 python-pillow: reported size of a contained image is not properly checked for an ICNS container
1935401 - CVE-2021-27923 python-pillow: reported size of a contained image is not properly checked for an ICO container
1940759 - CVE-2018-3774 nodejs-url-parse: incorrect hostname in url parsing
1948763 - CVE-2021-23368 nodejs-postcss: Regular expression denial of service during source map parsing
1954150 - CVE-2021-23382 nodejs-postcss: ReDoS via getAnnotationURL() and loadAnnotation() in lib/previous-map.js
1955619 - CVE-2021-23364 browserslist: parsing of invalid queries could result in Regular Expression Denial of Service (ReDoS)
1982378 - CVE-2021-34552 python-pillow: buffer overflow in Convert.c because it allow an attacker to pass controlled parameters directly into a convert function

5. JIRA issues fixed (https://issues.jboss.org/):

PROJQUAY-1417 - zstd compressed layers
PROJQUAY-1449 - As a Quay admin I want to rely on the Operator to auto-scale all stateless parts of Quay
PROJQUAY-1535 -  As a user I can create and use nested repository name structures 
PROJQUAY-1583 - add "disconnected" annotation to operators
PROJQUAY-1609 - Operator communicates status per managed component
PROJQUAY-1610 - Operator does not make Quay deployment wait on Clair deployment
PROJQUAY-1791 - v1beta CRD EOL
PROJQUAY-1883 - Support OCP Re-encrypt routes
PROJQUAY-1887 - allow either sha or tag in related images
PROJQUAY-1926 - As an admin, I want an API to create first user, so I can automate deployment.
PROJQUAY-1998 - note database deprecations in 3.6 Config Tool
PROJQUAY-2050 - Support OCP Edge-Termination
PROJQUAY-2100 - A customer can update the Operator from 3.3 to 3.6 directly
PROJQUAY-2102 - add clair-4.2 enrichment data to quay UI
PROJQUAY-672 - MutatingAdmissionWebhook Created Automatically for QBO During Install

6. References:

https://access.redhat.com/security/cve/CVE-2017-16137
https://access.redhat.com/security/cve/CVE-2017-16138
https://access.redhat.com/security/cve/CVE-2018-1107
https://access.redhat.com/security/cve/CVE-2018-1109
https://access.redhat.com/security/cve/CVE-2018-3721
https://access.redhat.com/security/cve/CVE-2018-3728
https://access.redhat.com/security/cve/CVE-2018-3774
https://access.redhat.com/security/cve/CVE-2018-16492
https://access.redhat.com/security/cve/CVE-2018-21270
https://access.redhat.com/security/cve/CVE-2019-20920
https://access.redhat.com/security/cve/CVE-2019-20922
https://access.redhat.com/security/cve/CVE-2019-1010266
https://access.redhat.com/security/cve/CVE-2020-7608
https://access.redhat.com/security/cve/CVE-2020-8203
https://access.redhat.com/security/cve/CVE-2020-15366
https://access.redhat.com/security/cve/CVE-2020-25648
https://access.redhat.com/security/cve/CVE-2020-26237
https://access.redhat.com/security/cve/CVE-2020-26291
https://access.redhat.com/security/cve/CVE-2020-35653
https://access.redhat.com/security/cve/CVE-2020-35654
https://access.redhat.com/security/cve/CVE-2021-22922
https://access.redhat.com/security/cve/CVE-2021-22923
https://access.redhat.com/security/cve/CVE-2021-22924
https://access.redhat.com/security/cve/CVE-2021-23364
https://access.redhat.com/security/cve/CVE-2021-23368
https://access.redhat.com/security/cve/CVE-2021-23382
https://access.redhat.com/security/cve/CVE-2021-25289
https://access.redhat.com/security/cve/CVE-2021-25290
https://access.redhat.com/security/cve/CVE-2021-25291
https://access.redhat.com/security/cve/CVE-2021-25292
https://access.redhat.com/security/cve/CVE-2021-25293
https://access.redhat.com/security/cve/CVE-2021-27515
https://access.redhat.com/security/cve/CVE-2021-27516
https://access.redhat.com/security/cve/CVE-2021-27921
https://access.redhat.com/security/cve/CVE-2021-27922
https://access.redhat.com/security/cve/CVE-2021-27923
https://access.redhat.com/security/cve/CVE-2021-34552
https://access.redhat.com/security/cve/CVE-2021-36222
https://access.redhat.com/security/cve/CVE-2021-37750
https://access.redhat.com/security/updates/classification/#important

7. Contact:

The Red Hat security contact is . More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2021 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBYW611tzjgjWX9erEAQj3QxAAkLd259XVhcYRMavTwTQ/qAFPEbosGo/S
5qU+jQyyzx6GotqYcLx354UifFxOu6C0FAeW9Hjc7xGuTUyUsBgBBgnN9btVNKOm
o9UBt+QVPKr4J+6c+tVCjGfyiVqeMUSTlKsC+9IGss1yOMF1iXk5+a2cXeT5e9bT
0BTOGT8PEhOlyrhXE8H50A88Pav+16D1P6N1eZW5mzJJijFFxk3j25DZePBHvcjr
ooDynB1HrDqxzikC/iZHU8HwnRY5nAA8Kn2ij5+nWTif7Fz7z6Ma+ZZ9k8V4VBdF
6Y8usTbovnG1JxbifKDMl8CrkSMI334lLIQ3ce/kq8/tXhX6e3IhzQHxFD1jhU9U
tbNsMRAY5NjiFlBi5iDmmcd7MtT/YUaRW+60oOokGp/UWOKcSpyfg5Wcxiw8l7pi
sNbZE1FKYTJ9kogwOTDZGC3VapbSlE1HJvYGGuaVmRH/QMf+UYwWt+1YJRcGkwSs
pbPPOeJQHHN/bF+oC96SnOJggge7zIlNyzdBQoM716qK4oFt6I6rbqARScw2iTd8
f35aPX2eNSVEeAjJHDtNIiTIuBCjlfZKeoNz7zfjBN8eaeHe8gD9DvNyQzz/zTF3
31Hc4NBqIfwZn6+0XpZqqD2+2LQ50pPpnkpyViOSCYNqQMk2N95iOQXI1SSmJCT8
TF78u84S/UQ=
=JKGu
-----END PGP SIGNATURE-----

--
RHSA-announce mailing list
[email protected]
https://listman.redhat.com/mailman/listinfo/rhsa-announce