RHSA-2021:0420: Moderate: Red Hat Quay v3.4.0 security update
First published: Thu Feb 04 2021(Updated: )
Quay 3.4.0 release<br>Security Fix(es):<br><li> waitress: HTTP request smuggling through LF vs CRLF handling (CVE-2019-16785)</li> <li> waitress: HTTP request smuggling through invalid Transfer-Encoding (CVE-2019-16786)</li> <li> waitress: HTTP Request Smuggling through Invalid whitespace characters in headers (CVE-2019-16789)</li> <li> python-pillow: Integer overflow leading to buffer overflow in ImagingLibTiffDecode (CVE-2020-5310)</li> <li> python-pillow: out-of-bounds write in expandrow in libImaging/SgiRleDecode.c (CVE-2020-5311)</li> <li> python-pillow: improperly restricted operations on memory buffer in libImaging/PcxDecode.c (CVE-2020-5312)</li> <li> python-pillow: two buffer overflows in libImaging/TiffDecode.c due to small buffers allocated in ImagingLibTiffDecode() (CVE-2020-10379)</li> <li> python-pillow: out-of-bounds reads/writes in the parsing of SGI image files in expandrow/expandrow2 (CVE-2020-11538)</li> <li> openstack-mistral: information disclosure in mistral log (CVE-2019-3866)</li> <li> python-pillow: uncontrolled resource consumption in FpxImagePlugin.py (CVE-2019-19911)</li> <li> PyYAML: command execution through python/object/apply constructor in FullLoader (CVE-2019-20477)</li> <li> python-pillow: out-of-bounds read in ImagingFliDecode when loading FLI images (CVE-2020-5313)</li> <li> yarn: Arbitrary filesystem write via tar expansion (CVE-2020-8131)</li> <li> golang.org/x/text: possibility to trigger an infinite loop in encoding/unicode could lead to crash (CVE-2020-14040)</li> <li> python-pillow: multiple out-of-bounds reads in libImaging/FliDecode.c (CVE-2020-10177)</li> <li> python-pillow: an out-of-bounds read in libImaging/PcxDecode.c can occur when reading PCX files (CVE-2020-10378)</li> <li> python-pillow: multiple out-of-bounds reads via a crafted JP2 file (CVE-2020-10994)</li> For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Red Hat Quay for IBM Z and LinuxONE |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the severity of RHSA-2021:0420?
The severity of RHSA-2021:0420 is classified as important due to the potential for HTTP request smuggling vulnerabilities.
How do I fix RHSA-2021:0420?
To fix RHSA-2021:0420, you should update your Quay installation to the latest patched version as indicated in the advisory.
What vulnerabilities are addressed in RHSA-2021:0420?
RHSA-2021:0420 addresses critical vulnerabilities related to HTTP request smuggling through LF vs CRLF handling and invalid Transfer-Encoding.
What versions of Quay are affected by RHSA-2021:0420?
RHSA-2021:0420 affects Quay version 3.4.0 and potentially earlier versions that are not patched.
Is it safe to continue using Quay with RHSA-2021:0420 vulnerabilities?
It is not safe to continue using Quay with the vulnerabilities addressed in RHSA-2021:0420; immediate remediation is recommended.
- agent/severity
- agent/weakness
- agent/type
- agent/first-publish-date
- agent/last-modified-date
- agent/remedy
- agent/description
- collector/redhat-errata
- source/Red Hat
- anchor-id/RHSA-2021:0420
- agent/title
- agent/references
- agent/event
- agent/source
- agent/softwarecombine
- agent/tags
- agent/guess-ai
- agent/software-canonical-lookup
- agent/software-canonical-lookup-request
- vendor/red hat
- canonical/red hat quay for ibm z and linuxone