RHSA-2026:22465 - Security Advisory

Topic

Red Hat Quay 3.17.2 is now available with bug fixes.

Description

Quay 3.17.2

Solution

Before applying this update, make sure all previously released errata relevant
to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

Affected Products

• Red Hat Quay

Fixes

• PROJQUAY-10510 - Quay new UI Verify User can't sign in with OIDC provider
• PROJQUAY-10575 - Cancel Repository Mirroring log: null Not applicable Not applicable
• PROJQUAY-10873 - Mirror pods will be terminated and cannot be restarted after the securityContext is overwritten
• PROJQUAY-10931 - "None" option in repository permissions dropdown menu can't be selected in Create robot account pop-up window
• PROJQUAY-11162 - Clair's indexer needs O_TMPFILE for cleanup
• PROJQUAY-11175 - Cancel a organization mirror process will trigger an endless stream of log "Organization mirror sync failed - Sync cancelled:" [3.17]
• PROJQUAY-11205 - Quay's is_jwt() rejects RFC 9068 access tokens with typ: at+jwt
• PROJQUAY-11236 - The string entered in the repository filter will automatically be displayed in unreasonable places
• PROJQUAY-11297 - [redhat-3.17] Quay new UI Login page branding logo is invisible
• PROJQUAY-11330 - Quay 3.17 New UI change_tag_immutability action missing from usage logs chart
• PROJQUAY-11332 - config-tool: malformed struct tag on DistributedStorageArgs.Signature breaks storage config serialization
• PROJQUAY-11333 - Ensure that we don't send artifacts for scanning
• PROJQUAY-11374 - "None" option in repository permissions dropdown menu can't be selected in Create robot account pop-up window
• PROJQUAY-11392 - Deleting org mirror config leaves repositories stuck in ORG_MIRROR state
• PROJQUAY-11414 - Org mirror "Cancel Sync" clean the "Next Sync Date" value
• PROJQUAY-11442 - Quay new UI: manifest track vertical line appears on pages where no tags share the same digest
• PROJQUAY-11485 - UI disallows creation of proxy configuration even if organization mirroring is turned off
• PROJQUAY-11502 - Searching for a non-existent repository will permanently display a circular loading spinner on the page
• PROJQUAY-11504 - Cancel Repository Mirroring log: null Not applicable Not applicable
• PROJQUAY-11523 - Repo Mirror tag pattern change requires re-entering credentials for private repos
• PROJQUAY-11532 - nginx returns a 404 http code instead of 502 due to missing 502.html page
• PROJQUAY-11543 - Quay new UI Verify User can't sign in with OIDC provider
• PROJQUAY-11559 - Quay 3.17.2 New UI superuser Change Log page missing v3.17.2 release notes
• PROJQUAY-7340 - Passwords exposed in skopeo commands

CVEs

• CVE-2025-62718
• CVE-2026-27459
• CVE-2026-29063
• CVE-2026-29074
• CVE-2026-32280
• CVE-2026-32281
• CVE-2026-32282
• CVE-2026-32286
• CVE-2026-32589
• CVE-2026-32590
• CVE-2026-33186
• CVE-2026-33747
• CVE-2026-33894
• CVE-2026-34986
• CVE-2026-39892
• CVE-2026-40192
• CVE-2026-40895
• CVE-2026-42033
• CVE-2026-42035
• CVE-2026-42039
• CVE-2026-42041
• CVE-2026-42043
• CVE-2026-42044
• CVE-2026-4427

References

• https://access.redhat.com/security/updates/classification/