Issued:

2021-10-19

Updated:

2021-10-19

RHSA-2021:3917 - Important: Red Hat Quay v3.6.0 security, bug fix and enhancement update

Synopsis

Important: Red Hat Quay v3.6.0 security, bug fix and enhancement update

Type/Severity

Security Advisory Important

Topic

An update is now available for Red Hat Quay 3.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

Quay 3.6.0 release

Security Fix(es):

• nodejs-url-parse: incorrect hostname in url parsing (CVE-2018-3774)

• python-pillow: insufficent fix for CVE-2020-35654 due to incorrect error checking in TiffDecode.c (CVE-2021-25289)

• nodejs-urijs: mishandling certain uses of backslash may lead to confidentiality compromise (CVE-2021-27516)

• nodejs-debug: Regular expression Denial of Service (CVE-2017-16137)

• nodejs-mime: Regular expression Denial of Service (CVE-2017-16138)

• nodejs-is-my-json-valid: ReDoS when validating JSON fields with email format (CVE-2018-1107)

• nodejs-extend: Prototype pollution can allow attackers to modify object properties (CVE-2018-16492)

• nodejs-stringstream: out-of-bounds read leading to uninitialized memory exposure (CVE-2018-21270)

• nodejs-handlebars: lookup helper fails to properly validate templates allowing for arbitrary JavaScript execution (CVE-2019-20920)

• nodejs-handlebars: an endless loop while processing specially-crafted templates leads to DoS (CVE-2019-20922)

• nodejs-lodash: prototype pollution in zipObjectDeep function (CVE-2020-8203)

• nodejs-ajv: prototype pollution via crafted JSON schema in ajv.validate function (CVE-2020-15366)

• nodejs-highlight-js: prototype pollution via a crafted HTML code block (CVE-2020-26237)

• urijs: Hostname spoofing via backslashes in URL (CVE-2020-26291)

• python-pillow: decoding crafted YCbCr files could result in heap-based buffer overflow (CVE-2020-35654)

• browserslist: parsing of invalid queries could result in Regular Expression Denial of Service (ReDoS) (CVE-2021-23364)

• nodejs-postcss: Regular expression denial of service during source map parsing (CVE-2021-23368)

• nodejs-postcss: ReDoS via getAnnotationURL() and loadAnnotation() in lib/previous-map.js (CVE-2021-23382)

• python-pillow: negative-offset memcpy with an invalid size in TiffDecode.c (CVE-2021-25290)

• python-pillow: out-of-bounds read in TiffReadRGBATile in TiffDecode.c (CVE-2021-25291)

• python-pillow: backtracking regex in PDF parser could be used as a DOS attack (CVE-2021-25292)

• python-pillow: out-of-bounds read in SGIRleDecode.c (CVE-2021-25293)

• nodejs-url-parse: mishandling certain uses of backslash may lead to confidentiality compromise (CVE-2021-27515)

• python-pillow: reported size of a contained image is not properly checked for a BLP container (CVE-2021-27921)

• python-pillow: reported size of a contained image is not properly checked for an ICNS container (CVE-2021-27922)

• python-pillow: reported size of a contained image is not properly checked for an ICO container (CVE-2021-27923)

• python-pillow: buffer overflow in Convert.c because it allow an attacker to pass controlled parameters directly into a convert function (CVE-2021-34552)

• nodejs-braces: Regular Expression Denial of Service (ReDoS) in lib/parsers.js (CVE-2018-1109)

• lodash: Prototype pollution in utilities function (CVE-2018-3721)

• hoek: Prototype pollution in utilities function (CVE-2018-3728)

• lodash: uncontrolled resource consumption in Data handler causing denial of service (CVE-2019-1010266)

• nodejs-yargs-parser: prototype pollution vulnerability (CVE-2020-7608)

• python-pillow: decoding a crafted PCX file could result in buffer over-read (CVE-2020-35653)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

Affected Products

Fixes

• This content is not included.BZ - 1500700
• This content is not included.BZ - 1500705
• This content is not included.BZ - 1545884
• This content is not included.BZ - 1545893
• This content is not included.BZ - 1546357
• This content is not included.BZ - 1547272
• This content is not included.BZ - 1608140
• This content is not included.BZ - 1743096
• This content is not included.BZ - 1840004
• This content is not included.BZ - 1857412
• This content is not included.BZ - 1857977
• This content is not included.BZ - 1882256
• This content is not included.BZ - 1882260
• This content is not included.BZ - 1901662
• This content is not included.BZ - 1915257
• This content is not included.BZ - 1915420
• This content is not included.BZ - 1915424
• This content is not included.BZ - 1927293
• This content is not included.BZ - 1934470
• This content is not included.BZ - 1934474
• This content is not included.BZ - 1934680
• This content is not included.BZ - 1934685
• This content is not included.BZ - 1934692
• This content is not included.BZ - 1934699
• This content is not included.BZ - 1934705
• This content is not included.BZ - 1935384
• This content is not included.BZ - 1935396
• This content is not included.BZ - 1935401
• This content is not included.BZ - 1940759
• This content is not included.BZ - 1948763
• This content is not included.BZ - 1954150
• This content is not included.BZ - 1955619
• This content is not included.BZ - 1982378
• This content is not included.PROJQUAY-1417
• This content is not included.PROJQUAY-1449
• This content is not included.PROJQUAY-1535
• This content is not included.PROJQUAY-1583
• This content is not included.PROJQUAY-1609
• This content is not included.PROJQUAY-1610
• This content is not included.PROJQUAY-1791
• This content is not included.PROJQUAY-1883
• This content is not included.PROJQUAY-1887
• This content is not included.PROJQUAY-1926
• This content is not included.PROJQUAY-1998
• This content is not included.PROJQUAY-2050
• This content is not included.PROJQUAY-2100
• This content is not included.PROJQUAY-2102
• This content is not included.PROJQUAY-672

CVEs

• CVE-2017-16137
• CVE-2017-16138
• CVE-2018-1107
• CVE-2018-1109
• CVE-2018-3721
• CVE-2018-3728
• CVE-2018-3774
• CVE-2018-16492
• CVE-2018-21270
• CVE-2019-20920
• CVE-2019-20922
• CVE-2019-1010266
• CVE-2020-7608
• CVE-2020-8203
• CVE-2020-15366
• CVE-2020-25648
• CVE-2020-26237
• CVE-2020-26291
• CVE-2020-35653
• CVE-2020-35654
• CVE-2021-22922
• CVE-2021-22923
• CVE-2021-22924
• CVE-2021-23364
• CVE-2021-23368
• CVE-2021-23382
• CVE-2021-25289
• CVE-2021-25290
• CVE-2021-25291
• CVE-2021-25292
• CVE-2021-25293
• CVE-2021-27515
• CVE-2021-27516
• CVE-2021-27921
• CVE-2021-27922
• CVE-2021-27923
• CVE-2021-34552
• CVE-2021-36222
• CVE-2021-37750

References

• https://access.redhat.com/security/updates/classification/#important

Additional information

• The Red Hat security contact is This content is not included.secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.
• Offline Security Data data is available for integration with other systems. See Offline Security Data API to get started.