
====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: Red Hat Quay v3.6.0 security, bug fix and enhancement update
Advisory ID:       RHSA-2021:3917-01
Product:           Red Hat Quay
Advisory URL:      https://access.redhat.com/errata/RHSA-2021:3917
Issue date:        2021-10-19
CVE Names:         CVE-2017-16137 CVE-2017-16138 CVE-2018-1107 
                   CVE-2018-1109 CVE-2018-3721 CVE-2018-3728 
                   CVE-2018-3774 CVE-2018-16492 CVE-2018-21270 
                   CVE-2019-20920 CVE-2019-20922 CVE-2019-1010266 
                   CVE-2020-7608 CVE-2020-8203 CVE-2020-15366 
                   CVE-2020-25648 CVE-2020-26237 CVE-2020-26291 
                   CVE-2020-35653 CVE-2020-35654 CVE-2021-22922 
                   CVE-2021-22923 CVE-2021-22924 CVE-2021-23364 
                   CVE-2021-23368 CVE-2021-23382 CVE-2021-25289 
                   CVE-2021-25290 CVE-2021-25291 CVE-2021-25292 
                   CVE-2021-25293 CVE-2021-27515 CVE-2021-27516 
                   CVE-2021-27921 CVE-2021-27922 CVE-2021-27923 
                   CVE-2021-34552 CVE-2021-36222 CVE-2021-37750 
====================================================================
1. Summary:

An update is now available for Red Hat Quay 3.

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.

2. Description:

Quay 3.6.0 release

Security Fix(es):

* nodejs-url-parse: incorrect hostname in URL parsing (CVE-2018-3774)

* python-pillow: insufficient fix for CVE-2020-35654 due to incorrect error
checking in TiffDecode.c (CVE-2021-25289)

* nodejs-urijs: mishandling certain uses of backslash may lead to
confidentiality compromise (CVE-2021-27516)

* nodejs-debug: Regular expression Denial of Service (CVE-2017-16137)

* nodejs-mime: Regular expression Denial of Service (CVE-2017-16138)

* nodejs-is-my-json-valid: ReDoS when validating JSON fields with email
format (CVE-2018-1107)

* nodejs-extend: Prototype pollution can allow attackers to modify object
properties (CVE-2018-16492)

* nodejs-stringstream: out-of-bounds read leading to uninitialized memory
exposure (CVE-2018-21270)

* nodejs-handlebars: lookup helper fails to properly validate templates
allowing for arbitrary JavaScript execution (CVE-2019-20920)

* nodejs-handlebars: an endless loop while processing specially-crafted
templates leads to DoS (CVE-2019-20922)

* nodejs-lodash: prototype pollution in zipObjectDeep function
(CVE-2020-8203)

* nodejs-ajv: prototype pollution via crafted JSON schema in ajv.validate
function (CVE-2020-15366)

* nodejs-highlight-js: prototype pollution via a crafted HTML code block
(CVE-2020-26237)

* urijs: Hostname spoofing via backslashes in URL (CVE-2020-26291)

* python-pillow: decoding crafted YCbCr files could result in heap-based
buffer overflow (CVE-2020-35654)

* browserslist: parsing of invalid queries could result in Regular
Expression Denial of Service (ReDoS) (CVE-2021-23364)

* nodejs-postcss: Regular expression denial of service during source map
parsing (CVE-2021-23368)

* nodejs-postcss: ReDoS via getAnnotationURL() and loadAnnotation() in
lib/previous-map.js (CVE-2021-23382)

* python-pillow: negative-offset memcpy with an invalid size in
TiffDecode.c (CVE-2021-25290)

* python-pillow: out-of-bounds read in TiffReadRGBATile in TiffDecode.c
(CVE-2021-25291)

* python-pillow: backtracking regex in PDF parser could be used as a DoS
attack (CVE-2021-25292)

* python-pillow: out-of-bounds read in SGIRleDecode.c (CVE-2021-25293)

* nodejs-url-parse: mishandling certain uses of backslash may lead to
confidentiality compromise (CVE-2021-27515)

* python-pillow: reported size of a contained image is not properly checked
for a BLP container (CVE-2021-27921)

* python-pillow: reported size of a contained image is not properly checked
for an ICNS container (CVE-2021-27922)

* python-pillow: reported size of a contained image is not properly checked
for an ICO container (CVE-2021-27923)

* python-pillow: buffer overflow in Convert.c because it allows an attacker
to pass controlled parameters directly into a convert function
(CVE-2021-34552)

* nodejs-braces: Regular Expression Denial of Service (ReDoS) in
lib/parsers.js (CVE-2018-1109)

* lodash: Prototype pollution in utilities function (CVE-2018-3721)

* hoek: Prototype pollution in utilities function (CVE-2018-3728)

* lodash: uncontrolled resource consumption in Data handler causing denial
of service (CVE-2019-1010266)

* nodejs-yargs-parser: prototype pollution vulnerability (CVE-2020-7608)

* python-pillow: decoding a crafted PCX file could result in buffer
over-read (CVE-2020-35653)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

3. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

4. Bugs fixed (https://bugzilla.redhat.com/):

1500700 - CVE-2017-16138 nodejs-mime: Regular expression Denial of Service
1500705 - CVE-2017-16137 nodejs-debug: Regular expression Denial of Service
1545884 - CVE-2018-3721 lodash: Prototype pollution in utilities function
1545893 - CVE-2018-3728 hoek: Prototype pollution in utilities function
1546357 - CVE-2018-1107 nodejs-is-my-json-valid: ReDoS when validating JSON fields with email format
1547272 - CVE-2018-1109 nodejs-braces: Regular Expression Denial of Service (ReDoS) in lib/parsers.js
1608140 - CVE-2018-16492 nodejs-extend: Prototype pollution can allow attackers to modify object properties
1743096 - CVE-2019-1010266 lodash: uncontrolled resource consumption in Data handler causing denial of service
1840004 - CVE-2020-7608 nodejs-yargs-parser: prototype pollution vulnerability
1857412 - CVE-2020-8203 nodejs-lodash: prototype pollution in zipObjectDeep function
1857977 - CVE-2020-15366 nodejs-ajv: prototype pollution via crafted JSON schema in ajv.validate function
1882256 - CVE-2019-20922 nodejs-handlebars: an endless loop while processing specially-crafted templates leads to DoS
1882260 - CVE-2019-20920 nodejs-handlebars: lookup helper fails to properly validate templates allowing for arbitrary JavaScript execution
1901662 - CVE-2020-26237 nodejs-highlight-js: prototype pollution via a crafted HTML code block
1915257 - CVE-2020-26291 urijs: Hostname spoofing via backslashes in URL
1915420 - CVE-2020-35653 python-pillow: decoding a crafted PCX file could result in buffer over-read
1915424 - CVE-2020-35654 python-pillow: decoding crafted YCbCr files could result in heap-based buffer overflow
1927293 - CVE-2018-21270 nodejs-stringstream: out-of-bounds read leading to uninitialized memory exposure
1934470 - CVE-2021-27516 nodejs-urijs: mishandling certain uses of backslash may lead to confidentiality compromise
1934474 - CVE-2021-27515 nodejs-url-parse: mishandling certain uses of backslash may lead to confidentiality compromise
1934680 - CVE-2021-25289 python-pillow: insufficient fix for CVE-2020-35654 due to incorrect error checking in TiffDecode.c
1934685 - CVE-2021-25290 python-pillow: negative-offset memcpy with an invalid size in TiffDecode.c
1934692 - CVE-2021-25291 python-pillow: out-of-bounds read in TiffReadRGBATile in TiffDecode.c
1934699 - CVE-2021-25292 python-pillow: backtracking regex in PDF parser could be used as a DoS attack
1934705 - CVE-2021-25293 python-pillow: out-of-bounds read in SGIRleDecode.c
1935384 - CVE-2021-27921 python-pillow: reported size of a contained image is not properly checked for a BLP container
1935396 - CVE-2021-27922 python-pillow: reported size of a contained image is not properly checked for an ICNS container
1935401 - CVE-2021-27923 python-pillow: reported size of a contained image is not properly checked for an ICO container
1940759 - CVE-2018-3774 nodejs-url-parse: incorrect hostname in URL parsing
1948763 - CVE-2021-23368 nodejs-postcss: Regular expression denial of service during source map parsing
1954150 - CVE-2021-23382 nodejs-postcss: ReDoS via getAnnotationURL() and loadAnnotation() in lib/previous-map.js
1955619 - CVE-2021-23364 browserslist: parsing of invalid queries could result in Regular Expression Denial of Service (ReDoS)
1982378 - CVE-2021-34552 python-pillow: buffer overflow in Convert.c because it allows an attacker to pass controlled parameters directly into a convert function

5. JIRA issues fixed (https://issues.redhat.com/):

PROJQUAY-1417 - zstd compressed layers
PROJQUAY-1449 - As a Quay admin I want to rely on the Operator to auto-scale all stateless parts of Quay
PROJQUAY-1535 - As a user I can create and use nested repository name structures
PROJQUAY-1583 - add "disconnected" annotation to operators
PROJQUAY-1609 - Operator communicates status per managed component
PROJQUAY-1610 - Operator does not make Quay deployment wait on Clair deployment
PROJQUAY-1791 - v1beta CRD EOL
PROJQUAY-1883 - Support OCP Re-encrypt routes
PROJQUAY-1887 - allow either sha or tag in related images
PROJQUAY-1926 - As an admin, I want an API to create first user, so I can automate deployment.
PROJQUAY-1998 - note database deprecations in 3.6 Config Tool
PROJQUAY-2050 - Support OCP Edge-Termination
PROJQUAY-2100 - A customer can update the Operator from 3.3 to 3.6 directly
PROJQUAY-2102 - add clair-4.2 enrichment data to quay UI
PROJQUAY-672 - MutatingAdmissionWebhook Created Automatically for QBO During Install

6. References:

https://access.redhat.com/security/cve/CVE-2017-16137
https://access.redhat.com/security/cve/CVE-2017-16138
https://access.redhat.com/security/cve/CVE-2018-1107
https://access.redhat.com/security/cve/CVE-2018-1109
https://access.redhat.com/security/cve/CVE-2018-3721
https://access.redhat.com/security/cve/CVE-2018-3728
https://access.redhat.com/security/cve/CVE-2018-3774
https://access.redhat.com/security/cve/CVE-2018-16492
https://access.redhat.com/security/cve/CVE-2018-21270
https://access.redhat.com/security/cve/CVE-2019-20920
https://access.redhat.com/security/cve/CVE-2019-20922
https://access.redhat.com/security/cve/CVE-2019-1010266
https://access.redhat.com/security/cve/CVE-2020-7608
https://access.redhat.com/security/cve/CVE-2020-8203
https://access.redhat.com/security/cve/CVE-2020-15366
https://access.redhat.com/security/cve/CVE-2020-25648
https://access.redhat.com/security/cve/CVE-2020-26237
https://access.redhat.com/security/cve/CVE-2020-26291
https://access.redhat.com/security/cve/CVE-2020-35653
https://access.redhat.com/security/cve/CVE-2020-35654
https://access.redhat.com/security/cve/CVE-2021-22922
https://access.redhat.com/security/cve/CVE-2021-22923
https://access.redhat.com/security/cve/CVE-2021-22924
https://access.redhat.com/security/cve/CVE-2021-23364
https://access.redhat.com/security/cve/CVE-2021-23368
https://access.redhat.com/security/cve/CVE-2021-23382
https://access.redhat.com/security/cve/CVE-2021-25289
https://access.redhat.com/security/cve/CVE-2021-25290
https://access.redhat.com/security/cve/CVE-2021-25291
https://access.redhat.com/security/cve/CVE-2021-25292
https://access.redhat.com/security/cve/CVE-2021-25293
https://access.redhat.com/security/cve/CVE-2021-27515
https://access.redhat.com/security/cve/CVE-2021-27516
https://access.redhat.com/security/cve/CVE-2021-27921
https://access.redhat.com/security/cve/CVE-2021-27922
https://access.redhat.com/security/cve/CVE-2021-27923
https://access.redhat.com/security/cve/CVE-2021-34552
https://access.redhat.com/security/cve/CVE-2021-36222
https://access.redhat.com/security/cve/CVE-2021-37750
https://access.redhat.com/security/updates/classification/#important

7. Contact:

The Red Hat security contact is . More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2021 Red Hat, Inc.

--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://listman.redhat.com/mailman/listinfo/rhsa-announce
