A Red Hat Quay v3.6.0 security, bug fix and enhancement update has been released.
RHSA-2021:3917-01: Important: Red Hat Quay v3.6.0 security, bug fix and enhancement update
=====================================================================
Red Hat Security Advisory
Synopsis: Important: Red Hat Quay v3.6.0 security, bug fix and enhancement update
Advisory ID: RHSA-2021:3917-01
Product: Red Hat Quay
Advisory URL: https://access.redhat.com/errata/RHSA-2021:3917
Issue date: 2021-10-19
CVE Names: CVE-2017-16137 CVE-2017-16138 CVE-2018-1107
CVE-2018-1109 CVE-2018-3721 CVE-2018-3728
CVE-2018-3774 CVE-2018-16492 CVE-2018-21270
CVE-2019-20920 CVE-2019-20922 CVE-2019-1010266
CVE-2020-7608 CVE-2020-8203 CVE-2020-15366
CVE-2020-25648 CVE-2020-26237 CVE-2020-26291
CVE-2020-35653 CVE-2020-35654 CVE-2021-22922
CVE-2021-22923 CVE-2021-22924 CVE-2021-23364
CVE-2021-23368 CVE-2021-23382 CVE-2021-25289
CVE-2021-25290 CVE-2021-25291 CVE-2021-25292
CVE-2021-25293 CVE-2021-27515 CVE-2021-27516
CVE-2021-27921 CVE-2021-27922 CVE-2021-27923
CVE-2021-34552 CVE-2021-36222 CVE-2021-37750
=====================================================================
1. Summary:
An update is now available for Red Hat Quay 3.
Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.
2. Description:
Quay 3.6.0 release
Security Fix(es):
* nodejs-url-parse: incorrect hostname in url parsing (CVE-2018-3774)
* python-pillow: insufficient fix for CVE-2020-35654 due to incorrect error
checking in TiffDecode.c (CVE-2021-25289)
* nodejs-urijs: mishandling certain uses of backslash may lead to
confidentiality compromise (CVE-2021-27516)
* nodejs-debug: Regular expression Denial of Service (CVE-2017-16137)
* nodejs-mime: Regular expression Denial of Service (CVE-2017-16138)
* nodejs-is-my-json-valid: ReDoS when validating JSON fields with email
format (CVE-2018-1107)
* nodejs-extend: Prototype pollution can allow attackers to modify object
properties (CVE-2018-16492)
* nodejs-stringstream: out-of-bounds read leading to uninitialized memory
exposure (CVE-2018-21270)
* nodejs-handlebars: lookup helper fails to properly validate templates
allowing for arbitrary JavaScript execution (CVE-2019-20920)
* nodejs-handlebars: an endless loop while processing specially-crafted
templates leads to DoS (CVE-2019-20922)
* nodejs-lodash: prototype pollution in zipObjectDeep function
(CVE-2020-8203)
* nodejs-ajv: prototype pollution via crafted JSON schema in ajv.validate
function (CVE-2020-15366)
* nodejs-highlight-js: prototype pollution via a crafted HTML code block
(CVE-2020-26237)
* urijs: Hostname spoofing via backslashes in URL (CVE-2020-26291)
* python-pillow: decoding crafted YCbCr files could result in heap-based
buffer overflow (CVE-2020-35654)
* browserslist: parsing of invalid queries could result in Regular
Expression Denial of Service (ReDoS) (CVE-2021-23364)
* nodejs-postcss: Regular expression denial of service during source map
parsing (CVE-2021-23368)
* nodejs-postcss: ReDoS via getAnnotationURL() and loadAnnotation() in
lib/previous-map.js (CVE-2021-23382)
* python-pillow: negative-offset memcpy with an invalid size in
TiffDecode.c (CVE-2021-25290)
* python-pillow: out-of-bounds read in TiffReadRGBATile in TiffDecode.c
(CVE-2021-25291)
* python-pillow: backtracking regex in PDF parser could be used as a DoS
attack (CVE-2021-25292)
* python-pillow: out-of-bounds read in SGIRleDecode.c (CVE-2021-25293)
* nodejs-url-parse: mishandling certain uses of backslash may lead to
confidentiality compromise (CVE-2021-27515)
* python-pillow: reported size of a contained image is not properly checked
for a BLP container (CVE-2021-27921)
* python-pillow: reported size of a contained image is not properly checked
for an ICNS container (CVE-2021-27922)
* python-pillow: reported size of a contained image is not properly checked
for an ICO container (CVE-2021-27923)
* python-pillow: buffer overflow in Convert.c because it allows an attacker
to pass controlled parameters directly into a convert function
(CVE-2021-34552)
* nodejs-braces: Regular Expression Denial of Service (ReDoS) in
lib/parsers.js (CVE-2018-1109)
* lodash: Prototype pollution in utilities function (CVE-2018-3721)
* hoek: Prototype pollution in utilities function (CVE-2018-3728)
* lodash: uncontrolled resource consumption in Data handler causing denial
of service (CVE-2019-1010266)
* nodejs-yargs-parser: prototype pollution vulnerability (CVE-2020-7608)
* python-pillow: decoding a crafted PCX file could result in buffer
over-read (CVE-2020-35653)
For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.
3. Solution:
For details on how to apply this update, which includes the changes
described in this advisory, refer to:
https://access.redhat.com/articles/11258
4. Bugs fixed ( https://bugzilla.redhat.com/):
1500700 - CVE-2017-16138 nodejs-mime: Regular expression Denial of Service
1500705 - CVE-2017-16137 nodejs-debug: Regular expression Denial of Service
1545884 - CVE-2018-3721 lodash: Prototype pollution in utilities function
1545893 - CVE-2018-3728 hoek: Prototype pollution in utilities function
1546357 - CVE-2018-1107 nodejs-is-my-json-valid: ReDoS when validating JSON fields with email format
1547272 - CVE-2018-1109 nodejs-braces: Regular Expression Denial of Service (ReDoS) in lib/parsers.js
1608140 - CVE-2018-16492 nodejs-extend: Prototype pollution can allow attackers to modify object properties
1743096 - CVE-2019-1010266 lodash: uncontrolled resource consumption in Data handler causing denial of service
1840004 - CVE-2020-7608 nodejs-yargs-parser: prototype pollution vulnerability
1857412 - CVE-2020-8203 nodejs-lodash: prototype pollution in zipObjectDeep function
1857977 - CVE-2020-15366 nodejs-ajv: prototype pollution via crafted JSON schema in ajv.validate function
1882256 - CVE-2019-20922 nodejs-handlebars: an endless loop while processing specially-crafted templates leads to DoS
1882260 - CVE-2019-20920 nodejs-handlebars: lookup helper fails to properly validate templates allowing for arbitrary JavaScript execution
1901662 - CVE-2020-26237 nodejs-highlight-js: prototype pollution via a crafted HTML code block
1915257 - CVE-2020-26291 urijs: Hostname spoofing via backslashes in URL
1915420 - CVE-2020-35653 python-pillow: decoding a crafted PCX file could result in buffer over-read
1915424 - CVE-2020-35654 python-pillow: decoding crafted YCbCr files could result in heap-based buffer overflow
1927293 - CVE-2018-21270 nodejs-stringstream: out-of-bounds read leading to uninitialized memory exposure
1934470 - CVE-2021-27516 nodejs-urijs: mishandling certain uses of backslash may lead to confidentiality compromise
1934474 - CVE-2021-27515 nodejs-url-parse: mishandling certain uses of backslash may lead to confidentiality compromise
1934680 - CVE-2021-25289 python-pillow: insufficient fix for CVE-2020-35654 due to incorrect error checking in TiffDecode.c
1934685 - CVE-2021-25290 python-pillow: negative-offset memcpy with an invalid size in TiffDecode.c
1934692 - CVE-2021-25291 python-pillow: out-of-bounds read in TiffReadRGBATile in TiffDecode.c
1934699 - CVE-2021-25292 python-pillow: backtracking regex in PDF parser could be used as a DoS attack
1934705 - CVE-2021-25293 python-pillow: out-of-bounds read in SGIRleDecode.c
1935384 - CVE-2021-27921 python-pillow: reported size of a contained image is not properly checked for a BLP container
1935396 - CVE-2021-27922 python-pillow: reported size of a contained image is not properly checked for an ICNS container
1935401 - CVE-2021-27923 python-pillow: reported size of a contained image is not properly checked for an ICO container
1940759 - CVE-2018-3774 nodejs-url-parse: incorrect hostname in url parsing
1948763 - CVE-2021-23368 nodejs-postcss: Regular expression denial of service during source map parsing
1954150 - CVE-2021-23382 nodejs-postcss: ReDoS via getAnnotationURL() and loadAnnotation() in lib/previous-map.js
1955619 - CVE-2021-23364 browserslist: parsing of invalid queries could result in Regular Expression Denial of Service (ReDoS)
1982378 - CVE-2021-34552 python-pillow: buffer overflow in Convert.c because it allows an attacker to pass controlled parameters directly into a convert function
5. JIRA issues fixed ( https://issues.jboss.org/):
PROJQUAY-1417 - zstd compressed layers
PROJQUAY-1449 - As a Quay admin I want to rely on the Operator to auto-scale all stateless parts of Quay
PROJQUAY-1535 - As a user I can create and use nested repository name structures
PROJQUAY-1583 - add "disconnected" annotation to operators
PROJQUAY-1609 - Operator communicates status per managed component
PROJQUAY-1610 - Operator does not make Quay deployment wait on Clair deployment
PROJQUAY-1791 - v1beta CRD EOL
PROJQUAY-1883 - Support OCP Re-encrypt routes
PROJQUAY-1887 - allow either sha or tag in related images
PROJQUAY-1926 - As an admin, I want an API to create first user, so I can automate deployment.
PROJQUAY-1998 - note database deprecations in 3.6 Config Tool
PROJQUAY-2050 - Support OCP Edge-Termination
PROJQUAY-2100 - A customer can update the Operator from 3.3 to 3.6 directly
PROJQUAY-2102 - add clair-4.2 enrichment data to quay UI
PROJQUAY-672 - MutatingAdmissionWebhook Created Automatically for QBO During Install
6. References:
https://access.redhat.com/security/cve/CVE-2017-16137
https://access.redhat.com/security/cve/CVE-2017-16138
https://access.redhat.com/security/cve/CVE-2018-1107
https://access.redhat.com/security/cve/CVE-2018-1109
https://access.redhat.com/security/cve/CVE-2018-3721
https://access.redhat.com/security/cve/CVE-2018-3728
https://access.redhat.com/security/cve/CVE-2018-3774
https://access.redhat.com/security/cve/CVE-2018-16492
https://access.redhat.com/security/cve/CVE-2018-21270
https://access.redhat.com/security/cve/CVE-2019-20920
https://access.redhat.com/security/cve/CVE-2019-20922
https://access.redhat.com/security/cve/CVE-2019-1010266
https://access.redhat.com/security/cve/CVE-2020-7608
https://access.redhat.com/security/cve/CVE-2020-8203
https://access.redhat.com/security/cve/CVE-2020-15366
https://access.redhat.com/security/cve/CVE-2020-25648
https://access.redhat.com/security/cve/CVE-2020-26237
https://access.redhat.com/security/cve/CVE-2020-26291
https://access.redhat.com/security/cve/CVE-2020-35653
https://access.redhat.com/security/cve/CVE-2020-35654
https://access.redhat.com/security/cve/CVE-2021-22922
https://access.redhat.com/security/cve/CVE-2021-22923
https://access.redhat.com/security/cve/CVE-2021-22924
https://access.redhat.com/security/cve/CVE-2021-23364
https://access.redhat.com/security/cve/CVE-2021-23368
https://access.redhat.com/security/cve/CVE-2021-23382
https://access.redhat.com/security/cve/CVE-2021-25289
https://access.redhat.com/security/cve/CVE-2021-25290
https://access.redhat.com/security/cve/CVE-2021-25291
https://access.redhat.com/security/cve/CVE-2021-25292
https://access.redhat.com/security/cve/CVE-2021-25293
https://access.redhat.com/security/cve/CVE-2021-27515
https://access.redhat.com/security/cve/CVE-2021-27516
https://access.redhat.com/security/cve/CVE-2021-27921
https://access.redhat.com/security/cve/CVE-2021-27922
https://access.redhat.com/security/cve/CVE-2021-27923
https://access.redhat.com/security/cve/CVE-2021-34552
https://access.redhat.com/security/cve/CVE-2021-36222
https://access.redhat.com/security/cve/CVE-2021-37750
https://access.redhat.com/security/updates/classification/#important
7. Contact:
The Red Hat security contact is . More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2021 Red Hat, Inc.