RedHat: RHSA-2021-3917:01 Important: Red Hat Quay v3.6.0 security,
Summary
Quay 3.6.0 release
Security Fix(es):
* nodejs-url-parse: incorrect hostname in url parsing (CVE-2018-3774)
* python-pillow: insufficient fix for CVE-2020-35654 due to incorrect error
checking in TiffDecode.c (CVE-2021-25289)
* nodejs-urijs: mishandling certain uses of backslash may lead to
confidentiality compromise (CVE-2021-27516)
* nodejs-debug: Regular expression Denial of Service (CVE-2017-16137)
* nodejs-mime: Regular expression Denial of Service (CVE-2017-16138)
* nodejs-is-my-json-valid: ReDoS when validating JSON fields with email
format (CVE-2018-1107)
* nodejs-extend: Prototype pollution can allow attackers to modify object
properties (CVE-2018-16492)
* nodejs-stringstream: out-of-bounds read leading to uninitialized memory
exposure (CVE-2018-21270)
* nodejs-handlebars: lookup helper fails to properly validate templates
allowing for arbitrary JavaScript execution (CVE-2019-20920)
* nodejs-handlebars: an endless loop while processing specially-crafted
templates leads to DoS (CVE-2019-20922)
* nodejs-lodash: prototype pollution in zipObjectDeep function
(CVE-2020-8203)
* nodejs-ajv: prototype pollution via crafted JSON schema in ajv.validate
function (CVE-2020-15366)
* nodejs-highlight-js: prototype pollution via a crafted HTML code block
(CVE-2020-26237)
* urijs: Hostname spoofing via backslashes in URL (CVE-2020-26291)
* python-pillow: decoding crafted YCbCr files could result in heap-based
buffer overflow (CVE-2020-35654)
* browserslist: parsing of invalid queries could result in Regular
Expression Denial of Service (ReDoS) (CVE-2021-23364)
* nodejs-postcss: Regular expression denial of service during source map
parsing (CVE-2021-23368)
* nodejs-postcss: ReDoS via getAnnotationURL() and loadAnnotation() in
lib/previous-map.js (CVE-2021-23382)
* python-pillow: negative-offset memcpy with an invalid size in
TiffDecode.c (CVE-2021-25290)
* python-pillow: out-of-bounds read in TiffReadRGBATile in TiffDecode.c
(CVE-2021-25291)
* python-pillow: backtracking regex in PDF parser could be used as a DoS
attack (CVE-2021-25292)
* python-pillow: out-of-bounds read in SGIRleDecode.c (CVE-2021-25293)
* nodejs-url-parse: mishandling certain uses of backslash may lead to
confidentiality compromise (CVE-2021-27515)
* python-pillow: reported size of a contained image is not properly checked
for a BLP container (CVE-2021-27921)
* python-pillow: reported size of a contained image is not properly checked
for an ICNS container (CVE-2021-27922)
* python-pillow: reported size of a contained image is not properly checked
for an ICO container (CVE-2021-27923)
* python-pillow: buffer overflow in Convert.c because it allows an attacker
to pass controlled parameters directly into a convert function
(CVE-2021-34552)
* nodejs-braces: Regular Expression Denial of Service (ReDoS) in
lib/parsers.js (CVE-2018-1109)
* lodash: Prototype pollution in utilities function (CVE-2018-3721)
* hoek: Prototype pollution in utilities function (CVE-2018-3728)
* lodash: uncontrolled resource consumption in Data handler causing denial
of service (CVE-2019-1010266)
* nodejs-yargs-parser: prototype pollution vulnerability (CVE-2020-7608)
* python-pillow: decoding a crafted PCX file could result in buffer
over-read (CVE-2020-35653)
For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.
Solution
For details on how to apply this update, which includes the changes
described in this advisory, refer to:
https://access.redhat.com/articles/11258
References
https://access.redhat.com/security/cve/CVE-2017-16137
https://access.redhat.com/security/cve/CVE-2017-16138
https://access.redhat.com/security/cve/CVE-2018-1107
https://access.redhat.com/security/cve/CVE-2018-1109
https://access.redhat.com/security/cve/CVE-2018-3721
https://access.redhat.com/security/cve/CVE-2018-3728
https://access.redhat.com/security/cve/CVE-2018-3774
https://access.redhat.com/security/cve/CVE-2018-16492
https://access.redhat.com/security/cve/CVE-2018-21270
https://access.redhat.com/security/cve/CVE-2019-20920
https://access.redhat.com/security/cve/CVE-2019-20922
https://access.redhat.com/security/cve/CVE-2019-1010266
https://access.redhat.com/security/cve/CVE-2020-7608
https://access.redhat.com/security/cve/CVE-2020-8203
https://access.redhat.com/security/cve/CVE-2020-15366
https://access.redhat.com/security/cve/CVE-2020-25648
https://access.redhat.com/security/cve/CVE-2020-26237
https://access.redhat.com/security/cve/CVE-2020-26291
https://access.redhat.com/security/cve/CVE-2020-35653
https://access.redhat.com/security/cve/CVE-2020-35654
https://access.redhat.com/security/cve/CVE-2021-22922
https://access.redhat.com/security/cve/CVE-2021-22923
https://access.redhat.com/security/cve/CVE-2021-22924
https://access.redhat.com/security/cve/CVE-2021-23364
https://access.redhat.com/security/cve/CVE-2021-23368
https://access.redhat.com/security/cve/CVE-2021-23382
https://access.redhat.com/security/cve/CVE-2021-25289
https://access.redhat.com/security/cve/CVE-2021-25290
https://access.redhat.com/security/cve/CVE-2021-25291
https://access.redhat.com/security/cve/CVE-2021-25292
https://access.redhat.com/security/cve/CVE-2021-25293
https://access.redhat.com/security/cve/CVE-2021-27515
https://access.redhat.com/security/cve/CVE-2021-27516
https://access.redhat.com/security/cve/CVE-2021-27921
https://access.redhat.com/security/cve/CVE-2021-27922
https://access.redhat.com/security/cve/CVE-2021-27923
https://access.redhat.com/security/cve/CVE-2021-34552
https://access.redhat.com/security/cve/CVE-2021-36222
https://access.redhat.com/security/cve/CVE-2021-37750
https://access.redhat.com/security/updates/classification/#important
Topic
An update is now available for Red Hat Quay 3. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Bugs Fixed
1500700 - CVE-2017-16138 nodejs-mime: Regular expression Denial of Service
1500705 - CVE-2017-16137 nodejs-debug: Regular expression Denial of Service
1545884 - CVE-2018-3721 lodash: Prototype pollution in utilities function
1545893 - CVE-2018-3728 hoek: Prototype pollution in utilities function
1546357 - CVE-2018-1107 nodejs-is-my-json-valid: ReDoS when validating JSON fields with email format
1547272 - CVE-2018-1109 nodejs-braces: Regular Expression Denial of Service (ReDoS) in lib/parsers.js
1608140 - CVE-2018-16492 nodejs-extend: Prototype pollution can allow attackers to modify object properties
1743096 - CVE-2019-1010266 lodash: uncontrolled resource consumption in Data handler causing denial of service
1840004 - CVE-2020-7608 nodejs-yargs-parser: prototype pollution vulnerability
1857412 - CVE-2020-8203 nodejs-lodash: prototype pollution in zipObjectDeep function
1857977 - CVE-2020-15366 nodejs-ajv: prototype pollution via crafted JSON schema in ajv.validate function
1882256 - CVE-2019-20922 nodejs-handlebars: an endless loop while processing specially-crafted templates leads to DoS
1882260 - CVE-2019-20920 nodejs-handlebars: lookup helper fails to properly validate templates allowing for arbitrary JavaScript execution
1901662 - CVE-2020-26237 nodejs-highlight-js: prototype pollution via a crafted HTML code block
1915257 - CVE-2020-26291 urijs: Hostname spoofing via backslashes in URL
1915420 - CVE-2020-35653 python-pillow: decoding a crafted PCX file could result in buffer over-read
1915424 - CVE-2020-35654 python-pillow: decoding crafted YCbCr files could result in heap-based buffer overflow
1927293 - CVE-2018-21270 nodejs-stringstream: out-of-bounds read leading to uninitialized memory exposure
1934470 - CVE-2021-27516 nodejs-urijs: mishandling certain uses of backslash may lead to confidentiality compromise
1934474 - CVE-2021-27515 nodejs-url-parse: mishandling certain uses of backslash may lead to confidentiality compromise
1934680 - CVE-2021-25289 python-pillow: insufficient fix for CVE-2020-35654 due to incorrect error checking in TiffDecode.c
1934685 - CVE-2021-25290 python-pillow: negative-offset memcpy with an invalid size in TiffDecode.c
1934692 - CVE-2021-25291 python-pillow: out-of-bounds read in TiffReadRGBATile in TiffDecode.c
1934699 - CVE-2021-25292 python-pillow: backtracking regex in PDF parser could be used as a DoS attack
1934705 - CVE-2021-25293 python-pillow: out-of-bounds read in SGIRleDecode.c
1935384 - CVE-2021-27921 python-pillow: reported size of a contained image is not properly checked for a BLP container
1935396 - CVE-2021-27922 python-pillow: reported size of a contained image is not properly checked for an ICNS container
1935401 - CVE-2021-27923 python-pillow: reported size of a contained image is not properly checked for an ICO container
1940759 - CVE-2018-3774 nodejs-url-parse: incorrect hostname in url parsing
1948763 - CVE-2021-23368 nodejs-postcss: Regular expression denial of service during source map parsing
1954150 - CVE-2021-23382 nodejs-postcss: ReDoS via getAnnotationURL() and loadAnnotation() in lib/previous-map.js
1955619 - CVE-2021-23364 browserslist: parsing of invalid queries could result in Regular Expression Denial of Service (ReDoS)
1982378 - CVE-2021-34552 python-pillow: buffer overflow in Convert.c because it allows an attacker to pass controlled parameters directly into a convert function
JIRA issues fixed (https://issues.redhat.com/):
PROJQUAY-1417 - zstd compressed layers
PROJQUAY-1449 - As a Quay admin I want to rely on the Operator to auto-scale all stateless parts of Quay
PROJQUAY-1535 - As a user I can create and use nested repository name structures
PROJQUAY-1583 - add "disconnected" annotation to operators
PROJQUAY-1609 - Operator communicates status per managed component
PROJQUAY-1610 - Operator does not make Quay deployment wait on Clair deployment
PROJQUAY-1791 - v1beta CRD EOL
PROJQUAY-1883 - Support OCP Re-encrypt routes
PROJQUAY-1887 - allow either sha or tag in related images
PROJQUAY-1926 - As an admin, I want an API to create first user, so I can automate deployment.
PROJQUAY-1998 - note database deprecations in 3.6 Config Tool
PROJQUAY-2050 - Support OCP Edge-Termination
PROJQUAY-2100 - A customer can update the Operator from 3.3 to 3.6 directly
PROJQUAY-2102 - add clair-4.2 enrichment data to quay UI
PROJQUAY-672 - MutatingAdmissionWebhook Created Automatically for QBO During Install