RHSA-2019:1245 - Security Advisory

Topic

An update is now available for Red Hat Quay 3.

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

Red Hat Quay is a secure, private container registry that builds, analyzes
and distributes container images. It provides a high level of automation
and customization.

Description

Security Fix(es):

• A flaw was found in the way the DES/3DES cipher was used as part of the

TLS/SSL protocol. A man-in-the-middle attacker could use this flaw to recover some plaintext data by capturing large amounts of encrypted traffic between TLS/SSL server and client if the communication used a DES/3DES based ciphersuite. (CVE-2016-2183)

Bug Fix(es):

• Running Quay in config mode now works in a disconnected option which doesn't require pulling resources from the Internet.
• Quay's security scan endpoint is now enabled at startup for viewing results of Clair container image scans.

Solution

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

Affected Products

• Red Hat Quay Enterprise 3 x86_64

Fixes

• BZ - 1369383 - CVE-2016-2183 SSL/TLS: Birthday attack against 64-bit block ciphers (SWEET32)
• BZ - 1709477 - Quay 3.0.2 errata

CVEs

• CVE-2016-2183

References

• https://access.redhat.com/security/updates/classification/#moderate