RHSA-2021:3917 - Security Advisory

Topic

An update is now available for Red Hat Quay 3.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

Quay 3.6.0 release

Security Fix(es):

• nodejs-url-parse: incorrect hostname in url parsing (CVE-2018-3774)
• python-pillow: insufficent fix for CVE-2020-35654 due to incorrect error checking in TiffDecode.c (CVE-2021-25289)
• nodejs-urijs: mishandling certain uses of backslash may lead to confidentiality compromise (CVE-2021-27516)
• nodejs-debug: Regular expression Denial of Service (CVE-2017-16137)
• nodejs-mime: Regular expression Denial of Service (CVE-2017-16138)
• nodejs-is-my-json-valid: ReDoS when validating JSON fields with email format (CVE-2018-1107)
• nodejs-extend: Prototype pollution can allow attackers to modify object properties (CVE-2018-16492)
• nodejs-stringstream: out-of-bounds read leading to uninitialized memory exposure (CVE-2018-21270)
• nodejs-handlebars: lookup helper fails to properly validate templates allowing for arbitrary JavaScript execution (CVE-2019-20920)
• nodejs-handlebars: an endless loop while processing specially-crafted templates leads to DoS (CVE-2019-20922)
• nodejs-lodash: prototype pollution in zipObjectDeep function (CVE-2020-8203)
• nodejs-ajv: prototype pollution via crafted JSON schema in ajv.validate function (CVE-2020-15366)
• nodejs-highlight-js: prototype pollution via a crafted HTML code block (CVE-2020-26237)
• urijs: Hostname spoofing via backslashes in URL (CVE-2020-26291)
• python-pillow: decoding crafted YCbCr files could result in heap-based buffer overflow (CVE-2020-35654)
• browserslist: parsing of invalid queries could result in Regular Expression Denial of Service (ReDoS) (CVE-2021-23364)
• nodejs-postcss: Regular expression denial of service during source map parsing (CVE-2021-23368)
• nodejs-postcss: ReDoS via getAnnotationURL() and loadAnnotation() in lib/previous-map.js (CVE-2021-23382)
• python-pillow: negative-offset memcpy with an invalid size in TiffDecode.c (CVE-2021-25290)
• python-pillow: out-of-bounds read in TiffReadRGBATile in TiffDecode.c (CVE-2021-25291)
• python-pillow: backtracking regex in PDF parser could be used as a DOS attack (CVE-2021-25292)
• python-pillow: out-of-bounds read in SGIRleDecode.c (CVE-2021-25293)
• nodejs-url-parse: mishandling certain uses of backslash may lead to confidentiality compromise (CVE-2021-27515)
• python-pillow: reported size of a contained image is not properly checked for a BLP container (CVE-2021-27921)
• python-pillow: reported size of a contained image is not properly checked for an ICNS container (CVE-2021-27922)
• python-pillow: reported size of a contained image is not properly checked for an ICO container (CVE-2021-27923)
• python-pillow: buffer overflow in Convert.c because it allow an attacker to pass controlled parameters directly into a convert function (CVE-2021-34552)
• nodejs-braces: Regular Expression Denial of Service (ReDoS) in lib/parsers.js (CVE-2018-1109)
• lodash: Prototype pollution in utilities function (CVE-2018-3721)
• hoek: Prototype pollution in utilities function (CVE-2018-3728)
• lodash: uncontrolled resource consumption in Data handler causing denial of service (CVE-2019-1010266)
• nodejs-yargs-parser: prototype pollution vulnerability (CVE-2020-7608)
• python-pillow: decoding a crafted PCX file could result in buffer over-read (CVE-2020-35653)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

Affected Products

• Red Hat Quay Enterprise 3 x86_64

Fixes

• BZ - 1500700 - CVE-2017-16138 nodejs-mime: Regular expression Denial of Service
• BZ - 1500705 - CVE-2017-16137 nodejs-debug: Regular expression Denial of Service
• BZ - 1545884 - CVE-2018-3721 lodash: Prototype pollution in utilities function
• BZ - 1545893 - CVE-2018-3728 hoek: Prototype pollution in utilities function
• BZ - 1546357 - CVE-2018-1107 nodejs-is-my-json-valid: ReDoS when validating JSON fields with email format
• BZ - 1547272 - CVE-2018-1109 nodejs-braces: Regular Expression Denial of Service (ReDoS) in lib/parsers.js
• BZ - 1608140 - CVE-2018-16492 nodejs-extend: Prototype pollution can allow attackers to modify object properties
• BZ - 1743096 - CVE-2019-1010266 lodash: uncontrolled resource consumption in Data handler causing denial of service
• BZ - 1840004 - CVE-2020-7608 nodejs-yargs-parser: prototype pollution vulnerability
• BZ - 1857412 - CVE-2020-8203 nodejs-lodash: prototype pollution in zipObjectDeep function
• BZ - 1857977 - CVE-2020-15366 nodejs-ajv: prototype pollution via crafted JSON schema in ajv.validate function
• BZ - 1882256 - CVE-2019-20922 nodejs-handlebars: an endless loop while processing specially-crafted templates leads to DoS
• BZ - 1882260 - CVE-2019-20920 nodejs-handlebars: lookup helper fails to properly validate templates allowing for arbitrary JavaScript execution
• BZ - 1901662 - CVE-2020-26237 nodejs-highlight-js: prototype pollution via a crafted HTML code block
• BZ - 1915257 - CVE-2020-26291 urijs: Hostname spoofing via backslashes in URL
• BZ - 1915420 - CVE-2020-35653 python-pillow: decoding a crafted PCX file could result in buffer over-read
• BZ - 1915424 - CVE-2020-35654 python-pillow: decoding crafted YCbCr files could result in heap-based buffer overflow
• BZ - 1927293 - CVE-2018-21270 nodejs-stringstream: out-of-bounds read leading to uninitialized memory exposure
• BZ - 1934470 - CVE-2021-27516 nodejs-urijs: mishandling certain uses of backslash may lead to confidentiality compromise
• BZ - 1934474 - CVE-2021-27515 nodejs-url-parse: mishandling certain uses of backslash may lead to confidentiality compromise
• BZ - 1934680 - CVE-2021-25289 python-pillow: insufficent fix for CVE-2020-35654 due to incorrect error checking in TiffDecode.c
• BZ - 1934685 - CVE-2021-25290 python-pillow: negative-offset memcpy with an invalid size in TiffDecode.c
• BZ - 1934692 - CVE-2021-25291 python-pillow: out-of-bounds read in TiffReadRGBATile in TiffDecode.c
• BZ - 1934699 - CVE-2021-25292 python-pillow: backtracking regex in PDF parser could be used as a DOS attack
• BZ - 1934705 - CVE-2021-25293 python-pillow: out-of-bounds read in SGIRleDecode.c
• BZ - 1935384 - CVE-2021-27921 python-pillow: reported size of a contained image is not properly checked for a BLP container
• BZ - 1935396 - CVE-2021-27922 python-pillow: reported size of a contained image is not properly checked for an ICNS container
• BZ - 1935401 - CVE-2021-27923 python-pillow: reported size of a contained image is not properly checked for an ICO container
• BZ - 1940759 - CVE-2018-3774 nodejs-url-parse: incorrect hostname in url parsing
• BZ - 1948763 - CVE-2021-23368 nodejs-postcss: Regular expression denial of service during source map parsing
• BZ - 1954150 - CVE-2021-23382 nodejs-postcss: ReDoS via getAnnotationURL() and loadAnnotation() in lib/previous-map.js
• BZ - 1955619 - CVE-2021-23364 browserslist: parsing of invalid queries could result in Regular Expression Denial of Service (ReDoS)
• BZ - 1982378 - CVE-2021-34552 python-pillow: buffer overflow in Convert.c because it allow an attacker to pass controlled parameters directly into a convert function
• PROJQUAY-1417 - zstd compressed layers
• PROJQUAY-1449 - As a Quay admin I want to rely on the Operator to auto-scale all stateless parts of Quay
• PROJQUAY-1535 - As a user I can create and use nested repository name structures
• PROJQUAY-1583 - add "disconnected" annotation to operators
• PROJQUAY-1609 - Operator communicates status per managed component
• PROJQUAY-1610 - Operator does not make Quay deployment wait on Clair deployment
• PROJQUAY-1791 - v1beta CRD EOL
• PROJQUAY-1883 - Support OCP Re-encrypt routes
• PROJQUAY-1887 - allow either sha or tag in related images
• PROJQUAY-1926 - As an admin, I want an API to create first user, so I can automate deployment.
• PROJQUAY-1998 - note database deprecations in 3.6 Config Tool
• PROJQUAY-2050 - Support OCP Edge-Termination
• PROJQUAY-2100 - A customer can update the Operator from 3.3 to 3.6 directly
• PROJQUAY-2102 - add clair-4.2 enrichment data to quay UI
• PROJQUAY-672 - MutatingAdmissionWebhook Created Automatically for QBO During Install

CVEs

• CVE-2017-16137
• CVE-2017-16138
• CVE-2018-1107
• CVE-2018-1109
• CVE-2018-3721
• CVE-2018-3728
• CVE-2018-3774
• CVE-2018-16492
• CVE-2018-21270
• CVE-2019-20920
• CVE-2019-20922
• CVE-2019-1010266
• CVE-2020-7608
• CVE-2020-8203
• CVE-2020-15366
• CVE-2020-25648
• CVE-2020-26237
• CVE-2020-26291
• CVE-2020-35653
• CVE-2020-35654
• CVE-2021-22922
• CVE-2021-22923
• CVE-2021-22924
• CVE-2021-23364
• CVE-2021-23368
• CVE-2021-23382
• CVE-2021-25289
• CVE-2021-25290
• CVE-2021-25291
• CVE-2021-25292
• CVE-2021-25293
• CVE-2021-27515
• CVE-2021-27516
• CVE-2021-27921
• CVE-2021-27922
• CVE-2021-27923
• CVE-2021-34552
• CVE-2021-36222
• CVE-2021-37750

References

• https://access.redhat.com/security/updates/classification/#important