-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2021.0411
                    Red Hat Quay v3.4.0 security update
                              5 February 2021

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Red Hat Quay
Publisher:         Red Hat
Operating System:  Red Hat
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                   Denial of Service               -- Remote/Unauthenticated
                   Reduced Security                -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-14040 CVE-2020-11538 CVE-2020-10994
                   CVE-2020-10379 CVE-2020-10378 CVE-2020-10177
                   CVE-2020-8131 CVE-2020-5313 CVE-2020-5312
                   CVE-2020-5311 CVE-2020-5310 CVE-2019-20477
                   CVE-2019-19911 CVE-2019-16789 CVE-2019-16786
                   CVE-2019-16785 CVE-2019-3866 

Reference:         ESB-2021.0206.2

Original Bulletin: 
   https://access.redhat.com/errata/RHSA-2021:0420

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: Red Hat Quay v3.4.0 security update
Advisory ID:       RHSA-2021:0420-01
Product:           Red Hat Quay
Advisory URL:      https://access.redhat.com/errata/RHSA-2021:0420
Issue date:        2021-02-04
CVE Names:         CVE-2019-3866 CVE-2019-16785 CVE-2019-16786 
                   CVE-2019-16789 CVE-2019-19911 CVE-2019-20477 
                   CVE-2020-5310 CVE-2020-5311 CVE-2020-5312 
                   CVE-2020-5313 CVE-2020-8131 CVE-2020-10177 
                   CVE-2020-10378 CVE-2020-10379 CVE-2020-10994 
                   CVE-2020-11538 CVE-2020-14040 
=====================================================================

1. Summary:

Red Hat Quay 3.4.0 is now available with bug fixes and various
enhancements.

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Description:

Quay 3.4.0 release

Security Fix(es):

* waitress: HTTP request smuggling through LF vs CRLF handling
(CVE-2019-16785)

* waitress: HTTP request smuggling through invalid Transfer-Encoding
(CVE-2019-16786)

* waitress: HTTP Request Smuggling through Invalid whitespace characters in
headers (CVE-2019-16789)

* python-pillow: Integer overflow leading to buffer overflow in
ImagingLibTiffDecode (CVE-2020-5310)

* python-pillow: out-of-bounds write in expandrow in
libImaging/SgiRleDecode.c (CVE-2020-5311)

* python-pillow: improperly restricted operations on memory buffer in
libImaging/PcxDecode.c (CVE-2020-5312)

* python-pillow: two buffer overflows in libImaging/TiffDecode.c due to
small buffers allocated in ImagingLibTiffDecode() (CVE-2020-10379)

* python-pillow: out-of-bounds reads/writes in the parsing of SGI image
files in expandrow/expandrow2 (CVE-2020-11538)

* openstack-mistral: information disclosure in mistral log (CVE-2019-3866)

* python-pillow: uncontrolled resource consumption in FpxImagePlugin.py
(CVE-2019-19911)

* PyYAML: command execution through python/object/apply constructor in
FullLoader (CVE-2019-20477)

* python-pillow: out-of-bounds read in ImagingFliDecode when loading FLI
images (CVE-2020-5313)

* yarn: Arbitrary filesystem write via tar expansion (CVE-2020-8131)

* golang.org/x/text: possibility to trigger an infinite loop in
encoding/unicode could lead to crash (CVE-2020-14040)

* python-pillow: multiple out-of-bounds reads in libImaging/FliDecode.c
(CVE-2020-10177)

* python-pillow: an out-of-bounds read in libImaging/PcxDecode.c can occur
when reading PCX files (CVE-2020-10378)

* python-pillow: multiple out-of-bounds reads via a crafted JP2 file
(CVE-2020-10994)
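
The three waitress issues above (CVE-2019-16785, CVE-2019-16786, CVE-2019-16789) are one class of bug: a lenient request-head parser accepting input that a front-end proxy reads differently, so the two disagree about where one request ends and the next begins. The following is an added illustration of the strict checks that close that class, written for this bulletin and not taken from waitress, Quay or Red Hat; the request samples are constructed and the quay.example host name is a placeholder.

```python
"""Strict HTTP/1.1 request-head validation of the kind that closes the
waitress request-smuggling issues (CVE-2019-16785/16786/16789).

Added illustration, not waitress or Quay code. All requests below are
constructed samples; quay.example is a placeholder host name.
"""
import re

# RFC 7230 "token" characters: the only characters allowed in a header
# field name. Whitespace before the colon is not a token character.
TOKEN_RE = re.compile(rb"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")

# Transfer codings this parser will accept. Anything else is rejected
# rather than silently ignored, so a proxy and this server can never
# disagree about how the body is framed.
KNOWN_CODINGS = {b"chunked", b"identity"}


class MalformedRequest(ValueError):
    """Raised for any head that must be refused rather than interpreted."""


def split_head(raw: bytes):
    """Split a request into request line, header lines and body, requiring CRLF."""
    end = raw.find(b"\r\n\r\n")
    if end == -1:
        raise MalformedRequest("no CRLF CRLF terminator")
    head = raw[:end]
    # A bare LF in the head is a line break to some parsers and data to
    # others (CVE-2019-16785 class), so refuse it outright.
    if b"\n" in head.replace(b"\r\n", b""):
        raise MalformedRequest("bare LF in request head")
    lines = head.split(b"\r\n")
    return lines[0], lines[1:], raw[end + 4:]


def parse_headers(lines):
    """Parse header lines into {lower-case name: [values]}, rejecting bad names."""
    headers = {}
    for line in lines:
        name, sep, value = line.partition(b":")
        if not sep:
            raise MalformedRequest("header line without colon")
        # "Transfer-Encoding : chunked" has a space inside the field name;
        # a lenient parser strips it and honours the header, a strict proxy
        # treats it as an unknown header (CVE-2019-16789 class).
        if not TOKEN_RE.match(name):
            raise MalformedRequest("invalid characters in header name: %r" % name)
        headers.setdefault(name.lower(), []).append(value.strip(b" \t"))
    return headers


def body_framing(headers):
    """Decide how the body is framed, refusing every ambiguous combination."""
    te = headers.get(b"transfer-encoding")
    cl = headers.get(b"content-length")
    if te and cl:
        raise MalformedRequest("both Transfer-Encoding and Content-Length")
    if te:
        codings = [c.strip().lower() for v in te for c in v.split(b",")]
        unknown = [c for c in codings if c not in KNOWN_CODINGS]
        if unknown:
            # "Transfer-Encoding: chunked-foo": a lenient server falls back
            # to Content-Length or read-to-close while the proxy may treat
            # the request differently (CVE-2019-16786 class).
            raise MalformedRequest("unsupported transfer coding: %r" % unknown)
        if codings[-1] != b"chunked":
            raise MalformedRequest("chunked must be the final transfer coding")
        return ("chunked", None)
    if cl:
        if len(set(cl)) != 1 or not cl[0].isdigit():
            raise MalformedRequest("conflicting or non-numeric Content-Length")
        return ("content-length", int(cl[0]))
    return ("none", 0)


def check_request(raw: bytes):
    """Return ("ok", framing, length) for a valid head or ("reject", reason)."""
    try:
        _, header_lines, _ = split_head(raw)
        return ("ok",) + body_framing(parse_headers(header_lines))
    except MalformedRequest as exc:
        return ("reject", str(exc))


# Constructed samples: one clean chunked request, one clean Content-Length
# request, and one request per smuggling primitive that must be refused.
GOOD = b"POST / HTTP/1.1\r\nHost: quay.example\r\nTransfer-Encoding: chunked\r\n\r\n0\r\n\r\n"
PLAIN = b"POST / HTTP/1.1\r\nHost: quay.example\r\nContent-Length: 5\r\n\r\nhello"
BARE_LF = b"POST / HTTP/1.1\r\nHost: quay.example\nContent-Length: 5\r\n\r\nhello"
BAD_TE = b"POST / HTTP/1.1\r\nHost: quay.example\r\nTransfer-Encoding: chunked-foo\r\n\r\n0\r\n\r\n"
WS_NAME = b"POST / HTTP/1.1\r\nHost: quay.example\r\nTransfer-Encoding : chunked\r\n\r\n0\r\n\r\n"
TE_AND_CL = b"POST / HTTP/1.1\r\nHost: quay.example\r\nTransfer-Encoding: chunked\r\nContent-Length: 4\r\n\r\n"

if __name__ == "__main__":
    for sample in (GOOD, PLAIN, BARE_LF, BAD_TE, WS_NAME, TE_AND_CL):
        print(sample.split(b"\r\n\r\n")[0].splitlines()[-1], "->", check_request(sample))
```

The point of the example is the shape of the fix: every ambiguity is a hard rejection, never a best-effort interpretation. Rejecting rather than normalising matters because the server cannot know which interpretation the proxy in front of it chose.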

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.
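
The yarn issue above (CVE-2020-8131) belongs to the tar-expansion class: an archive member whose name or link target resolves outside the extraction directory, so unpacking it writes to an arbitrary path. The following added example, written for this bulletin and not taken from yarn, Quay or Red Hat, audits a tar archive before extraction using Python's tarfile module; the archive contents and the /srv/quay/extract destination are constructed for the illustration.

```python
"""Pre-extraction audit of a tar archive for members that would write
outside the destination directory (the CVE-2020-8131 class).

Added illustration, not yarn or Quay code. The archive is built in
memory from constructed members; the destination path is a placeholder.
"""
import io
import os
import posixpath
import tarfile


def _inside(dest: str, rel: str) -> bool:
    """Lexical check: does dest/rel normalise to a path under dest?"""
    target = os.path.normpath(os.path.join(dest, rel))
    return os.path.commonpath([dest, target]) == dest


def unsafe_members(tar: tarfile.TarFile, dest: str):
    """Return [(member name, reason)] for every member that must not be extracted."""
    dest = os.path.abspath(dest)
    bad = []
    for m in tar.getmembers():
        if m.name.startswith("/") or os.path.isabs(m.name):
            bad.append((m.name, "absolute path"))
            continue
        if not _inside(dest, m.name):
            # "../../home/victim/.bashrc": the classic traversal member.
            bad.append((m.name, "path escapes destination"))
            continue
        if m.issym() or m.islnk():
            # A symlink target is relative to the link's own directory; a
            # hard link target is relative to the archive root. Either may
            # point outside dest, after which later members written
            # "through" the link land outside too.
            base = posixpath.dirname(m.name) if m.issym() else ""
            if os.path.isabs(m.linkname) or not _inside(dest, posixpath.join(base, m.linkname)):
                bad.append((m.name, "link target escapes destination"))
                continue
        if not (m.isfile() or m.isdir() or m.issym() or m.islnk()):
            # Device nodes and FIFOs have no business in a package archive.
            bad.append((m.name, "special file"))
    return bad


def audit_archive(data: bytes, dest: str):
    """Open an in-memory archive and return its unsafe members."""
    with tarfile.open(fileobj=io.BytesIO(data), mode="r") as tar:
        return unsafe_members(tar, dest)


def build_sample_archive() -> bytes:
    """Constructed sample: one benign file plus three hostile members."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        def add_file(name, data):
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))

        add_file("package/package.json", b"{}")              # benign
        add_file("../../home/victim/.bashrc", b"# payload")  # traversal
        add_file("/etc/cron.d/job", b"# payload")            # absolute path
        link = tarfile.TarInfo("package/node_modules")       # symlink escape
        link.type = tarfile.SYMTYPE
        link.linkname = "../../../.ssh"
        tar.addfile(link)
    return buf.getvalue()


if __name__ == "__main__":
    for name, reason in audit_archive(build_sample_archive(), "/srv/quay/extract"):
        print("REFUSE %-32s %s" % (name, reason))
```

An archive with any flagged member should be refused whole rather than extracted with the bad members skipped, since a skipped symlink can still be a prerequisite for a later member's path. Python 3.12 and later ship equivalent checks as the `data` extraction filter (`tar.extractall(path, filter="data")`); on older interpreters an audit like this has to run before `extractall`, and the extractor must separately refuse to follow symlinks that already exist on disk, which a lexical check cannot see.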

3. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

4. Bugs fixed (https://bugzilla.redhat.com/):

1768731 - CVE-2019-3866 openstack-mistral: information disclosure in mistral log
1789532 - CVE-2020-5313 python-pillow: out-of-bounds read in ImagingFliDecode when loading FLI images
1789533 - CVE-2020-5312 python-pillow: improperly restricted operations on memory buffer in libImaging/PcxDecode.c
1789535 - CVE-2020-5311 python-pillow: out-of-bounds write in expandrow in libImaging/SgiRleDecode.c
1789538 - CVE-2020-5310 python-pillow: Integer overflow leading to buffer overflow in ImagingLibTiffDecode
1789540 - CVE-2019-19911 python-pillow: uncontrolled resource consumption in FpxImagePlugin.py
1789807 - CVE-2019-16789 waitress: HTTP Request Smuggling through Invalid whitespace characters in headers
1791415 - CVE-2019-16786 waitress: HTTP request smuggling through invalid Transfer-Encoding
1791420 - CVE-2019-16785 waitress: HTTP request smuggling through LF vs CRLF handling
1806005 - CVE-2019-20477 PyYAML: command execution through python/object/apply constructor in FullLoader
1816261 - CVE-2020-8131 yarn: Arbitrary filesystem write via tar expansion
1852814 - CVE-2020-11538 python-pillow: out-of-bounds reads/writes in the parsing of SGI image files in expandrow/expandrow2
1852820 - CVE-2020-10994 python-pillow: multiple out-of-bounds reads via a crafted JP2 file
1852824 - CVE-2020-10177 python-pillow: multiple out-of-bounds reads in libImaging/FliDecode.c
1852832 - CVE-2020-10378 python-pillow: an out-of-bounds read in libImaging/PcxDecode.c can occur when reading PCX files
1852836 - CVE-2020-10379 python-pillow: two buffer overflows in libImaging/TiffDecode.c due to small buffers allocated in ImagingLibTiffDecode()
1853652 - CVE-2020-14040 golang.org/x/text: possibility to trigger an infinite loop in encoding/unicode could lead to crash

5. References:

https://access.redhat.com/security/cve/CVE-2019-3866
https://access.redhat.com/security/cve/CVE-2019-16785
https://access.redhat.com/security/cve/CVE-2019-16786
https://access.redhat.com/security/cve/CVE-2019-16789
https://access.redhat.com/security/cve/CVE-2019-19911
https://access.redhat.com/security/cve/CVE-2019-20477
https://access.redhat.com/security/cve/CVE-2020-5310
https://access.redhat.com/security/cve/CVE-2020-5311
https://access.redhat.com/security/cve/CVE-2020-5312
https://access.redhat.com/security/cve/CVE-2020-5313
https://access.redhat.com/security/cve/CVE-2020-8131
https://access.redhat.com/security/cve/CVE-2020-10177
https://access.redhat.com/security/cve/CVE-2020-10378
https://access.redhat.com/security/cve/CVE-2020-10379
https://access.redhat.com/security/cve/CVE-2020-10994
https://access.redhat.com/security/cve/CVE-2020-11538
https://access.redhat.com/security/cve/CVE-2020-14040
https://access.redhat.com/security/updates/classification/#moderate

6. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2021 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----