Issued: 2021-02-04
Updated: 2021-02-04

RHSA-2021:0420 - Moderate: Red Hat Quay v3.4.0 security update


Synopsis

Moderate: Red Hat Quay v3.4.0 security update

Type/Severity

Type: Security Advisory
Severity: Moderate

Topic

Red Hat Quay 3.4.0 is now available with bug fixes and various enhancements.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

Quay 3.4.0 release

Security Fix(es):

  • waitress: HTTP request smuggling through LF vs CRLF handling (CVE-2019-16785)

  • waitress: HTTP request smuggling through invalid Transfer-Encoding (CVE-2019-16786)

  • waitress: HTTP Request Smuggling through Invalid whitespace characters in headers (CVE-2019-16789)

  • python-pillow: Integer overflow leading to buffer overflow in ImagingLibTiffDecode (CVE-2020-5310)

  • python-pillow: out-of-bounds write in expandrow in libImaging/SgiRleDecode.c (CVE-2020-5311)

  • python-pillow: improperly restricted operations on memory buffer in libImaging/PcxDecode.c (CVE-2020-5312)

  • python-pillow: two buffer overflows in libImaging/TiffDecode.c due to small buffers allocated in ImagingLibTiffDecode() (CVE-2020-10379)

  • python-pillow: out-of-bounds reads/writes in the parsing of SGI image files in expandrow/expandrow2 (CVE-2020-11538)

  • openstack-mistral: information disclosure in mistral log (CVE-2019-3866)

  • python-pillow: uncontrolled resource consumption in FpxImagePlugin.py (CVE-2019-19911)

  • PyYAML: command execution through python/object/apply constructor in FullLoader (CVE-2019-20477)

  • python-pillow: out-of-bounds read in ImagingFliDecode when loading FLI images (CVE-2020-5313)

  • yarn: Arbitrary filesystem write via tar expansion (CVE-2020-8131)

  • golang.org/x/text: possibility to trigger an infinite loop in encoding/unicode could lead to crash (CVE-2020-14040)

  • python-pillow: multiple out-of-bounds reads in libImaging/FliDecode.c (CVE-2020-10177)

  • python-pillow: an out-of-bounds read in libImaging/PcxDecode.c can occur when reading PCX files (CVE-2020-10378)

  • python-pillow: multiple out-of-bounds reads via a crafted JP2 file (CVE-2020-10994)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution

Before applying this update, make sure all previously released errata relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

Affected Products

Product                     Version   Arch
Red Hat Quay Enterprise     3         x86_64

Fixes

CVEs

References


Additional information