-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2021.0099
              Red Hat Quay v3.3.3 bug fix and security update
                              12 January 2021

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Red Hat Quay v3.3.3
Publisher:         Red Hat
Operating System:  Red Hat
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated      
                   Access Privileged Data          -- Existing Account            
                   Denial of Service               -- Remote/Unauthenticated      
                   Cross-site Scripting            -- Remote with User Interaction
                   Access Confidential Data        -- Remote/Unauthenticated      
                   Reduced Security                -- Remote/Unauthenticated      
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-27832 CVE-2020-27831 CVE-2020-24659
                   CVE-2020-15503 CVE-2020-14422 CVE-2020-14391
                   CVE-2020-14382 CVE-2020-13632 CVE-2020-13631
                   CVE-2020-13630 CVE-2020-11793 CVE-2020-10029
                   CVE-2020-10018 CVE-2020-9925 CVE-2020-9915
                   CVE-2020-9895 CVE-2020-9894 CVE-2020-9893
                   CVE-2020-9862 CVE-2020-9850 CVE-2020-9843
                   CVE-2020-9807 CVE-2020-9806 CVE-2020-9805
                   CVE-2020-9803 CVE-2020-9802 CVE-2020-9327
                   CVE-2020-8492 CVE-2020-7595 CVE-2020-6405
                   CVE-2020-3902 CVE-2020-3901 CVE-2020-3900
                   CVE-2020-3899 CVE-2020-3897 CVE-2020-3895
                   CVE-2020-3894 CVE-2020-3885 CVE-2020-3868
                   CVE-2020-3867 CVE-2020-3865 CVE-2020-3864
                   CVE-2020-3862 CVE-2020-1971 CVE-2020-1752
                   CVE-2020-1751 CVE-2020-1730 CVE-2019-20916
                   CVE-2019-20907 CVE-2019-20807 CVE-2019-20454
                   CVE-2019-20388 CVE-2019-20387 CVE-2019-20218
                   CVE-2019-19956 CVE-2019-19906 CVE-2019-19221
                   CVE-2019-16935 CVE-2019-16168 CVE-2019-15903
                   CVE-2019-15165 CVE-2019-14889 CVE-2019-13627
                   CVE-2019-13050 CVE-2019-8846 CVE-2019-8844
                   CVE-2019-8835 CVE-2019-8823 CVE-2019-8820
                   CVE-2019-8819 CVE-2019-8816 CVE-2019-8815
                   CVE-2019-8814 CVE-2019-8813 CVE-2019-8812
                   CVE-2019-8811 CVE-2019-8808 CVE-2019-8783
                   CVE-2019-8782 CVE-2019-8771 CVE-2019-8769
                   CVE-2019-8766 CVE-2019-8764 CVE-2019-8743
                   CVE-2019-8720 CVE-2019-8710 CVE-2019-8625
                   CVE-2019-5018 CVE-2018-20843 

Reference:         ASB-2020.0226
                   ASB-2019.0307
                   ESB-2021.0089
                   ESB-2020.4514

Original Bulletin: 
   https://access.redhat.com/errata/RHSA-2021:0050

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: Red Hat Quay v3.3.3 bug fix and security update
Advisory ID:       RHSA-2021:0050-01
Product:           Red Hat Quay
Advisory URL:      https://access.redhat.com/errata/RHSA-2021:0050
Issue date:        2021-01-11
CVE Names:         CVE-2018-20843 CVE-2019-5018 CVE-2019-8625 
                   CVE-2019-8710 CVE-2019-8720 CVE-2019-8743 
                   CVE-2019-8764 CVE-2019-8766 CVE-2019-8769 
                   CVE-2019-8771 CVE-2019-8782 CVE-2019-8783 
                   CVE-2019-8808 CVE-2019-8811 CVE-2019-8812 
                   CVE-2019-8813 CVE-2019-8814 CVE-2019-8815 
                   CVE-2019-8816 CVE-2019-8819 CVE-2019-8820 
                   CVE-2019-8823 CVE-2019-8835 CVE-2019-8844 
                   CVE-2019-8846 CVE-2019-13050 CVE-2019-13627 
                   CVE-2019-14889 CVE-2019-15165 CVE-2019-15903 
                   CVE-2019-16168 CVE-2019-16935 CVE-2019-19221 
                   CVE-2019-19906 CVE-2019-19956 CVE-2019-20218 
                   CVE-2019-20387 CVE-2019-20388 CVE-2019-20454 
                   CVE-2019-20807 CVE-2019-20907 CVE-2019-20916 
                   CVE-2020-1730 CVE-2020-1751 CVE-2020-1752 
                   CVE-2020-1971 CVE-2020-3862 CVE-2020-3864 
                   CVE-2020-3865 CVE-2020-3867 CVE-2020-3868 
                   CVE-2020-3885 CVE-2020-3894 CVE-2020-3895 
                   CVE-2020-3897 CVE-2020-3899 CVE-2020-3900 
                   CVE-2020-3901 CVE-2020-3902 CVE-2020-6405 
                   CVE-2020-7595 CVE-2020-8492 CVE-2020-9327 
                   CVE-2020-9802 CVE-2020-9803 CVE-2020-9805 
                   CVE-2020-9806 CVE-2020-9807 CVE-2020-9843 
                   CVE-2020-9850 CVE-2020-9862 CVE-2020-9893 
                   CVE-2020-9894 CVE-2020-9895 CVE-2020-9915 
                   CVE-2020-9925 CVE-2020-10018 CVE-2020-10029 
                   CVE-2020-11793 CVE-2020-13630 CVE-2020-13631 
                   CVE-2020-13632 CVE-2020-14382 CVE-2020-14391 
                   CVE-2020-14422 CVE-2020-15503 CVE-2020-24659 
                   CVE-2020-27831 CVE-2020-27832 
=====================================================================

1. Summary:

Red Hat Quay v3.3.3 is now available with bug fixes and security updates.

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

Note: Red Hat Quay v3.3.2 was not released publicly.

2. Description:

This release of Red Hat Quay v3.3.3 includes:

Security Update(s):

* quay: persistent XSS in repository notification display (CVE-2020-27832)

* quay: email notifications authorization bypass (CVE-2020-27831)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

Bug Fix(es):

* NVD feed fixed in Clair-v2 (clair-jwt image)

3. Solution:

Download the release images via:

quay.io/redhat/quay:v3.3.3
quay.io/redhat/clair-jwt:v3.3.3
quay.io/redhat/quay-builder:v3.3.3
quay.io/redhat/clair:v3.3.3
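The four image references above are the whole remediation, so the practical
check is whether every Quay-related image a deployment actually runs is at
or above the v3.3.3 tag. The script below is an added example written for
this bulletin, not tooling from Red Hat or AusCERT. It parses container
image references (registry/path:tag@digest), decides per image whether it is
covered by this advisory, and flags tags such as "latest" or digest-only
references as undecidable from the tag alone. The inventory list is
constructed for illustration; the comparison treats any 3.3.x tag below
v3.3.3 as needing the update (Red Hat notes v3.3.2 was never published, so
in practice that means v3.3.1 and earlier) and reports other release streams
separately, since this advisory says nothing about them.

```python
"""Check running Quay image references against the fixed tag in
RHSA-2021:0050 (v3.3.3). Added example; not Red Hat's tooling."""
import re
from typing import Dict, Optional, Tuple

# Images shipped by the advisory, all tagged v3.3.3 under quay.io/redhat/.
FIXED_VERSION = (3, 3, 3)
ADVISORY_REPOS = {"quay", "clair-jwt", "quay-builder", "clair"}

# registry/path[:tag][@sha256:digest]; the registry may carry a port.
_REF_RE = re.compile(
    r"^(?P<registry>[^/]+)/(?P<path>[^:@]+)"
    r"(?::(?P<tag>[^@]+))?(?:@(?P<digest>sha256:[0-9a-f]{64}))?$"
)


def parse_ref(ref: str) -> Dict[str, Optional[str]]:
    """Split an image reference into registry, path, tag and digest."""
    m = _REF_RE.match(ref)
    if not m:
        raise ValueError(f"unparseable image reference: {ref}")
    return m.groupdict()


def parse_version(tag: Optional[str]) -> Optional[Tuple[int, int, int]]:
    """'v3.3.1' -> (3, 3, 1); None for 'latest', missing or non-semver tags."""
    if tag is None:
        return None
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)", tag)
    if not m:
        return None
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def assess(ref: str) -> str:
    """Classify one reference against this advisory.

    Returns one of:
      'fixed'        - an advisory image at v3.3.3 or a later 3.3.x tag
      'needs-update' - an advisory image on a 3.3.x tag below v3.3.3
      'other-stream' - an advisory image on a different release stream;
                       consult that stream's own errata
      'unknown'      - tag missing, mutable ('latest') or not a version;
                       resolve the digest (e.g. `skopeo inspect`) instead
      'not-covered'  - not one of the four images this advisory ships
    """
    parts = parse_ref(ref)
    path = parts["path"] or ""
    if parts["registry"] != "quay.io" or not path.startswith("redhat/"):
        return "not-covered"
    repo = path.split("/", 1)[1]
    if repo not in ADVISORY_REPOS:
        return "not-covered"
    ver = parse_version(parts["tag"])
    if ver is None:
        return "unknown"
    if ver[:2] != FIXED_VERSION[:2]:
        return "other-stream"
    return "fixed" if ver >= FIXED_VERSION else "needs-update"


# Constructed inventory for illustration, e.g. what you would collect from
# `kubectl get pods -o jsonpath='{..image}'` on a Quay namespace.
INVENTORY = [
    "quay.io/redhat/quay:v3.3.1",
    "quay.io/redhat/clair-jwt:v3.3.3",
    "quay.io/redhat/quay-builder:latest",
    "quay.io/redhat/clair:v3.3.3@sha256:" + "0" * 64,
    "quay.io/redhat/quay:v3.2.0",
    "docker.io/library/redis:5",
]


def report(inventory) -> Dict[str, str]:
    """Map each reference to its advisory status."""
    return {ref: assess(ref) for ref in inventory}


if __name__ == "__main__":
    for image, status in report(INVENTORY).items():
        print(f"{status:13} {image}")
```

A reference classified as "unknown" is not safe to ignore: a deployment
pinned to "latest" may or may not have been re-pulled since the release, so
resolve its digest and compare against the digest of the freshly pulled
v3.3.3 image before closing the finding.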

4. Bugs fixed (https://bugzilla.redhat.com/):

1905758 - CVE-2020-27831 quay: email notifications authorization bypass
1905784 - CVE-2020-27832 quay: persistent XSS in repository notification display

5. JIRA issues fixed (https://issues.jboss.org/):

PROJQUAY-1124 - NVD feed is broken for latest Clair v2 version

6. References:

https://access.redhat.com/security/cve/CVE-2018-20843
https://access.redhat.com/security/cve/CVE-2019-5018
https://access.redhat.com/security/cve/CVE-2019-8625
https://access.redhat.com/security/cve/CVE-2019-8710
https://access.redhat.com/security/cve/CVE-2019-8720
https://access.redhat.com/security/cve/CVE-2019-8743
https://access.redhat.com/security/cve/CVE-2019-8764
https://access.redhat.com/security/cve/CVE-2019-8766
https://access.redhat.com/security/cve/CVE-2019-8769
https://access.redhat.com/security/cve/CVE-2019-8771
https://access.redhat.com/security/cve/CVE-2019-8782
https://access.redhat.com/security/cve/CVE-2019-8783
https://access.redhat.com/security/cve/CVE-2019-8808
https://access.redhat.com/security/cve/CVE-2019-8811
https://access.redhat.com/security/cve/CVE-2019-8812
https://access.redhat.com/security/cve/CVE-2019-8813
https://access.redhat.com/security/cve/CVE-2019-8814
https://access.redhat.com/security/cve/CVE-2019-8815
https://access.redhat.com/security/cve/CVE-2019-8816
https://access.redhat.com/security/cve/CVE-2019-8819
https://access.redhat.com/security/cve/CVE-2019-8820
https://access.redhat.com/security/cve/CVE-2019-8823
https://access.redhat.com/security/cve/CVE-2019-8835
https://access.redhat.com/security/cve/CVE-2019-8844
https://access.redhat.com/security/cve/CVE-2019-8846
https://access.redhat.com/security/cve/CVE-2019-13050
https://access.redhat.com/security/cve/CVE-2019-13627
https://access.redhat.com/security/cve/CVE-2019-14889
https://access.redhat.com/security/cve/CVE-2019-15165
https://access.redhat.com/security/cve/CVE-2019-15903
https://access.redhat.com/security/cve/CVE-2019-16168
https://access.redhat.com/security/cve/CVE-2019-16935
https://access.redhat.com/security/cve/CVE-2019-19221
https://access.redhat.com/security/cve/CVE-2019-19906
https://access.redhat.com/security/cve/CVE-2019-19956
https://access.redhat.com/security/cve/CVE-2019-20218
https://access.redhat.com/security/cve/CVE-2019-20387
https://access.redhat.com/security/cve/CVE-2019-20388
https://access.redhat.com/security/cve/CVE-2019-20454
https://access.redhat.com/security/cve/CVE-2019-20807
https://access.redhat.com/security/cve/CVE-2019-20907
https://access.redhat.com/security/cve/CVE-2019-20916
https://access.redhat.com/security/cve/CVE-2020-1730
https://access.redhat.com/security/cve/CVE-2020-1751
https://access.redhat.com/security/cve/CVE-2020-1752
https://access.redhat.com/security/cve/CVE-2020-1971
https://access.redhat.com/security/cve/CVE-2020-3862
https://access.redhat.com/security/cve/CVE-2020-3864
https://access.redhat.com/security/cve/CVE-2020-3865
https://access.redhat.com/security/cve/CVE-2020-3867
https://access.redhat.com/security/cve/CVE-2020-3868
https://access.redhat.com/security/cve/CVE-2020-3885
https://access.redhat.com/security/cve/CVE-2020-3894
https://access.redhat.com/security/cve/CVE-2020-3895
https://access.redhat.com/security/cve/CVE-2020-3897
https://access.redhat.com/security/cve/CVE-2020-3899
https://access.redhat.com/security/cve/CVE-2020-3900
https://access.redhat.com/security/cve/CVE-2020-3901
https://access.redhat.com/security/cve/CVE-2020-3902
https://access.redhat.com/security/cve/CVE-2020-6405
https://access.redhat.com/security/cve/CVE-2020-7595
https://access.redhat.com/security/cve/CVE-2020-8492
https://access.redhat.com/security/cve/CVE-2020-9327
https://access.redhat.com/security/cve/CVE-2020-9802
https://access.redhat.com/security/cve/CVE-2020-9803
https://access.redhat.com/security/cve/CVE-2020-9805
https://access.redhat.com/security/cve/CVE-2020-9806
https://access.redhat.com/security/cve/CVE-2020-9807
https://access.redhat.com/security/cve/CVE-2020-9843
https://access.redhat.com/security/cve/CVE-2020-9850
https://access.redhat.com/security/cve/CVE-2020-9862
https://access.redhat.com/security/cve/CVE-2020-9893
https://access.redhat.com/security/cve/CVE-2020-9894
https://access.redhat.com/security/cve/CVE-2020-9895
https://access.redhat.com/security/cve/CVE-2020-9915
https://access.redhat.com/security/cve/CVE-2020-9925
https://access.redhat.com/security/cve/CVE-2020-10018
https://access.redhat.com/security/cve/CVE-2020-10029
https://access.redhat.com/security/cve/CVE-2020-11793
https://access.redhat.com/security/cve/CVE-2020-13630
https://access.redhat.com/security/cve/CVE-2020-13631
https://access.redhat.com/security/cve/CVE-2020-13632
https://access.redhat.com/security/cve/CVE-2020-14382
https://access.redhat.com/security/cve/CVE-2020-14391
https://access.redhat.com/security/cve/CVE-2020-14422
https://access.redhat.com/security/cve/CVE-2020-15503
https://access.redhat.com/security/cve/CVE-2020-24659
https://access.redhat.com/security/cve/CVE-2020-27831
https://access.redhat.com/security/cve/CVE-2020-27832
https://access.redhat.com/security/updates/classification/#moderate

7. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2021 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBX/0RHuNLKJtyKPYoAQgdhhAAnSA1zR/uzK/k1zdVkyX747PKqcdYX2QO
FZQxZoRzFLX6pfHQA8eALUtUTn5WcooaqNgRtJNj4DN/d7nrx0P/ZMC5TyIkcaCz
kTdAjJ22q8ufY7ePB0z4EDuZZ3zc0h6dQLLxcp9+3CH/90YpglQUi+YejRWLshFZ
4eavmXbegqAIkTKJGAt1+/oriodyfsFTUXZzlzTybaZ5QI67TpwY0+3EFgcd3Huj
76naeNw4XgfCsZqbk3elL6jxuWdDejB/OKpy9j17WB5stFcMJqMZmr5yDoqCeDJl
ONYD8rtRkIxswX/NbKgmQL+xSELA6b1ynMr3Lasng0Yny9T78731kOeScoStbFuk
/AxpPGqzju2x1ZSV/jxh3hv6CHUMPx7h5xN/ZXxZTtUXpdQvcOfCUf54ENTsMsVA
lTLcC/PrBluifs0hPFU2J5OHZvUiHcdI+esyoIW0vPtkn8jF42F6jXHnE++DZ2BM
E3Vil5TSBp/bsDTX0KLlZlHJeTEomBKWK0LeNQZgGjRJI6lpc0ow3c6f/7pUGr8j
S01bN6tu3SLgNd4UGlVD+uHG9Qm4Uom841DcoX8kMpzDiT6mFWB0lXjXx8IW+HFh
aZgZhG1LkTTTSGPi0VRXaVFBH4PCvRdsRbp1q1eokn01Ry8hy/dBjGe2qDG13Uo5
7X0z/+9/uMY=
=uiyz
-----END PGP SIGNATURE-----