RHSA-2023:7341 - Security Advisory

Topic

An update is now available for Red Hat Quay 3.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

An update is now available for Red Hat Quay 3.

Security Fix(es):

• python-werkzeug: high resource usage when parsing multipart form data with many fields (CVE-2023-25577)
• flask: Possible disclosure of permanent session cookie due to missing Vary: Cookie header (CVE-2023-30861)
• python-cryptography: memory corruption via immutable objects (CVE-2023-23931)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

Affected Products

• Red Hat Quay for IBM Power, little endian 3 ppc64le
• Red Hat Quay for IBM Z and LinuxONE 3 s390x
• Red Hat Quay 3 x86_64

Fixes

• BZ - 2170242 - CVE-2023-25577 python-werkzeug: high resource usage when parsing multipart form data with many fields
• BZ - 2171817 - CVE-2023-23931 python-cryptography: memory corruption via immutable objects
• BZ - 2196643 - CVE-2023-30861 flask: Possible disclosure of permanent session cookie due to missing Vary: Cookie header
• PROJQUAY-2462 - Consider changing the type of the removed_tag_expiration_s from integer to bigint
• PROJQUAY-2803 - Quay should notify Clair when manifests are garbage collected
• PROJQUAY-3906 - Quay can see the push image on Console after push image get error "Quota has been exceeded on namespace"
• PROJQUAY-4126 - Clair database growing
• PROJQUAY-5021 - Remove the config editor
• PROJQUAY-5212 - Quay 3.8.1 can't mirror OCI images from Docker Hub
• PROJQUAY-5489 - Pushing an artifact to Quay with oras binary results in a 502
• PROJQUAY-5506 - Auto-Pruning Policies for Organizations
• PROJQUAY-5598 - Log auditing tries to write to the database in read-only mode
• PROJQUAY-5957 - Core UI Functionality: Teams & Membership
• PROJQUAY-5958 - Core UI Functionality: Tag History, Labels, & Expiration
• PROJQUAY-5959 - Core UI Functionality: Settings & Permissions
• PROJQUAY-5960 - Core UI Functionality: Robot Accounts
• PROJQUAY-5963 - Core UI Functionality: Default Permissions
• PROJQUAY-6010 - Registry quota total worker fails to start due to import
• PROJQUAY-6048 - Poor UI performance with quotas enabled
• PROJQUAY-6184 - ui: Add missing props for Create robot account modal

CVEs

• CVE-2023-23931
• CVE-2023-25577
• CVE-2023-30861

References

• https://access.redhat.com/security/updates/classification/#important