First published: Thu Feb 04 2021(Updated: )
Quay 3.4.0 release

Security Fix(es):

- waitress: HTTP request smuggling through LF vs CRLF handling (CVE-2019-16785)
- waitress: HTTP request smuggling through invalid Transfer-Encoding (CVE-2019-16786)
- waitress: HTTP request smuggling through invalid whitespace characters in headers (CVE-2019-16789)
- python-pillow: integer overflow leading to buffer overflow in ImagingLibTiffDecode (CVE-2020-5310)
- python-pillow: out-of-bounds write in expandrow in libImaging/SgiRleDecode.c (CVE-2020-5311)
- python-pillow: improperly restricted operations on memory buffer in libImaging/PcxDecode.c (CVE-2020-5312)
- python-pillow: two buffer overflows in libImaging/TiffDecode.c due to small buffers allocated in ImagingLibTiffDecode() (CVE-2020-10379)
- python-pillow: out-of-bounds reads/writes in the parsing of SGI image files in expandrow/expandrow2 (CVE-2020-11538)
- openstack-mistral: information disclosure in mistral log (CVE-2019-3866)
- python-pillow: uncontrolled resource consumption in FpxImagePlugin.py (CVE-2019-19911)
- PyYAML: command execution through python/object/apply constructor in FullLoader (CVE-2019-20477)
- python-pillow: out-of-bounds read in ImagingFliDecode when loading FLI images (CVE-2020-5313)
- yarn: arbitrary filesystem write via tar expansion (CVE-2020-8131)
- golang.org/x/text: possibility to trigger an infinite loop in encoding/unicode could lead to crash (CVE-2020-14040)
- python-pillow: multiple out-of-bounds reads in libImaging/FliDecode.c (CVE-2020-10177)
- python-pillow: an out-of-bounds read in libImaging/PcxDecode.c can occur when reading PCX files (CVE-2020-10378)
- python-pillow: multiple out-of-bounds reads via a crafted JP2 file (CVE-2020-10994)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
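The three waitress entries above name the parser disagreements that make HTTP request smuggling possible: a front end and a back end that frame the same TCP stream differently can be made to see different request boundaries. The following is an added example written for this page (not waitress, Quay or Red Hat code): a strict HTTP/1.1 request-head validator in Python that refuses each of those three conditions rather than guessing, namely bare LF line endings, unrecognised or non-final transfer codings (including the Transfer-Encoding plus Content-Length combination), and whitespace other than SP/HTAB in header names or values. The sample requests and the host name `quay.example` are constructed for illustration only.

```python
"""Strict HTTP/1.1 request-head validation (added example, not waitress code).

Each rejection maps to one of the waitress smuggling classes named in the
advisory: bare LF as a line terminator (CVE-2019-16785), an invalid
Transfer-Encoding value (CVE-2019-16786) and invalid whitespace in header
fields (CVE-2019-16789).  When two parsers could disagree, reject with 400.
"""
import re

# RFC 7230 "token" characters; a header name containing anything else
# (including SP/HTAB before the colon) is rejected.
_TOKEN = re.compile(rb"^[!#$%&'*+.^_`|~0-9A-Za-z-]+$")
_OWS = b" \t"  # the only optional whitespace allowed around a field value
# Control characters other than HTAB are never valid inside a field value.
_BAD_VALUE_CHARS = re.compile(rb"[\x00-\x08\x0a-\x1f\x7f]")
_KNOWN_CODINGS = {b"chunked", b"compress", b"deflate", b"gzip", b"identity"}


class RequestSmugglingRisk(ValueError):
    """Raised for any request head that two parsers might frame differently."""


def _split_head(raw: bytes) -> list:
    head, sep, _body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise RequestSmugglingRisk("request head not terminated by CRLF CRLF")
    lines = head.split(b"\r\n")
    # CVE-2019-16785 class: a bare LF (or stray CR) must not act as a line end.
    if any(b"\n" in line or b"\r" in line for line in lines):
        raise RequestSmugglingRisk("bare LF/CR inside request head")
    return lines


def _parse_headers(lines: list) -> dict:
    headers = {}
    for line in lines:
        name, sep, value = line.partition(b":")
        if not sep or not _TOKEN.match(name):
            # CVE-2019-16789 class, e.g. "Transfer-Encoding : chunked".
            raise RequestSmugglingRisk(f"invalid header name {name!r}")
        value = value.strip(_OWS)  # not .strip(): that would also eat VT/FF
        if _BAD_VALUE_CHARS.search(value):
            raise RequestSmugglingRisk(f"control character in value of {name!r}")
        key = name.lower()
        if key in headers and key in (b"content-length", b"transfer-encoding"):
            raise RequestSmugglingRisk(f"duplicate {key!r} header")
        headers[key] = headers[key] + b", " + value if key in headers else value
    return headers


def _framing(headers: dict):
    te = headers.get(b"transfer-encoding")
    cl = headers.get(b"content-length")
    if te is not None:
        codings = [c.strip(_OWS).lower() for c in te.split(b",")]
        # CVE-2019-16786 class: an unknown coding is a hard error, never
        # silently ignored with a fall-back to Content-Length.
        if any(c not in _KNOWN_CODINGS for c in codings):
            raise RequestSmugglingRisk(f"unrecognised Transfer-Encoding {te!r}")
        if codings[-1] != b"chunked":
            raise RequestSmugglingRisk("chunked is not the final transfer coding")
        if cl is not None:
            raise RequestSmugglingRisk("Transfer-Encoding and Content-Length both present")
        return ("chunked", None)
    if cl is not None:
        if not cl.isdigit():
            raise RequestSmugglingRisk(f"non-numeric Content-Length {cl!r}")
        return ("content-length", int(cl))
    return ("content-length", 0)


def check_request(raw: bytes):
    """Return ('chunked', None) or ('content-length', n), else raise."""
    lines = _split_head(raw)
    parts = lines[0].split(b" ")
    if len(parts) != 3 or parts[2] not in (b"HTTP/1.0", b"HTTP/1.1"):
        raise RequestSmugglingRisk(f"malformed request line {lines[0]!r}")
    return _framing(_parse_headers(lines[1:]))


def audit(raw: bytes) -> str:
    """One-line verdict, suitable for a triage script or log."""
    try:
        kind, n = check_request(raw)
    except RequestSmugglingRisk as exc:
        return f"rejected: {exc}"
    return f"accepted: {kind}" + (f"={n}" if n is not None else "")


# Constructed sample requests for illustration; not captured traffic.
SAMPLES = {
    "clean": b"POST /api/v1/repository HTTP/1.1\r\nHost: quay.example\r\nContent-Length: 5\r\n\r\nhello",
    "chunked": b"POST / HTTP/1.1\r\nHost: quay.example\r\nTransfer-Encoding: chunked\r\n\r\n0\r\n\r\n",
    "bare_lf": b"POST / HTTP/1.1\r\nHost: quay.example\nContent-Length: 5\r\n\r\nhello",
    "bad_te": b"POST / HTTP/1.1\r\nHost: quay.example\r\nTransfer-Encoding: xchunked\r\nContent-Length: 5\r\n\r\nhello",
    "te_and_cl": b"POST / HTTP/1.1\r\nHost: quay.example\r\nTransfer-Encoding: chunked\r\nContent-Length: 5\r\n\r\n0\r\n\r\n",
    "ws_name": b"POST / HTTP/1.1\r\nHost: quay.example\r\nTransfer-Encoding : chunked\r\n\r\n0\r\n\r\n",
    "vt_value": b"POST / HTTP/1.1\r\nHost: quay.example\r\nTransfer-Encoding:\x0bchunked\r\n\r\n0\r\n\r\n",
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(f"{label:10} {audit(raw)}")
```

The point of the validator is the failure mode, not the happy path: for every malformed head it raises instead of picking one interpretation, which is the behaviour a server should turn into a 400 Bad Request followed by closing the connection, so no later bytes on that connection are parsed as a new request. Note that `value.strip(_OWS)` is deliberate; Python's argument-less `bytes.strip()` also removes vertical tab and form feed, which is exactly the kind of lenient whitespace handling the third waitress CVE concerns.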