RHSA-2019:2966 - Security Advisory
Security Advisory: Important
Updated Quay packages that fix several bugs and add various enhancements are now available.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Quay 3.1.1 errata release, including:
- HTTP/2: large amount of data requests leads to denial of service (CVE-2019-9511)
- HTTP/2: flood using PING frames results in unbounded memory growth (CVE-2019-9512)
- HTTP/2: flood using PRIORITY frames resulting in excessive resource consumption (CVE-2019-9513)
- HTTP/2: flood using HEADERS frames results in unbounded memory growth (CVE-2019-9514)
- HTTP/2: 0-length headers lead to denial of service (CVE-2019-9516)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
- Fixed repository mirror credentials properly escaped to allow special characters
- Fixed repository mirror UI cancel button enabled
- Fixed repository mirror UI change next sync date
Please download the release images via:
- Red Hat Quay Enterprise 3 x86_64
- BZ - 1735645 - CVE-2019-9512 HTTP/2: flood using PING frames results in unbounded memory growth
- BZ - 1735741 - CVE-2019-9513 HTTP/2: flood using PRIORITY frames results in excessive resource consumption
- BZ - 1735744 - CVE-2019-9514 HTTP/2: flood using HEADERS frames results in unbounded memory growth
- BZ - 1741860 - CVE-2019-9511 HTTP/2: large amount of data requests leads to denial of service
- BZ - 1741864 - CVE-2019-9516 HTTP/2: 0-length headers lead to denial of service
- BZ - 1750473 - Quay 3.1.1 errata
Red Hat Quay Enterprise 3