-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: Red Hat Quay v3.3.3 bug fix and security update
Advisory ID:       RHSA-2021:0050-01
Product:           Red Hat Quay
Advisory URL:      https://access.redhat.com/errata/RHSA-2021:0050
Issue date:        2021-01-11
CVE Names:         CVE-2018-20843 CVE-2019-5018 CVE-2019-8625 
                   CVE-2019-8710 CVE-2019-8720 CVE-2019-8743 
                   CVE-2019-8764 CVE-2019-8766 CVE-2019-8769 
                   CVE-2019-8771 CVE-2019-8782 CVE-2019-8783 
                   CVE-2019-8808 CVE-2019-8811 CVE-2019-8812 
                   CVE-2019-8813 CVE-2019-8814 CVE-2019-8815 
                   CVE-2019-8816 CVE-2019-8819 CVE-2019-8820 
                   CVE-2019-8823 CVE-2019-8835 CVE-2019-8844 
                   CVE-2019-8846 CVE-2019-13050 CVE-2019-13627 
                   CVE-2019-14889 CVE-2019-15165 CVE-2019-15903 
                   CVE-2019-16168 CVE-2019-16935 CVE-2019-19221 
                   CVE-2019-19906 CVE-2019-19956 CVE-2019-20218 
                   CVE-2019-20387 CVE-2019-20388 CVE-2019-20454 
                   CVE-2019-20807 CVE-2019-20907 CVE-2019-20916 
                   CVE-2020-1730 CVE-2020-1751 CVE-2020-1752 
                   CVE-2020-1971 CVE-2020-3862 CVE-2020-3864 
                   CVE-2020-3865 CVE-2020-3867 CVE-2020-3868 
                   CVE-2020-3885 CVE-2020-3894 CVE-2020-3895 
                   CVE-2020-3897 CVE-2020-3899 CVE-2020-3900 
                   CVE-2020-3901 CVE-2020-3902 CVE-2020-6405 
                   CVE-2020-7595 CVE-2020-8492 CVE-2020-9327 
                   CVE-2020-9802 CVE-2020-9803 CVE-2020-9805 
                   CVE-2020-9806 CVE-2020-9807 CVE-2020-9843 
                   CVE-2020-9850 CVE-2020-9862 CVE-2020-9893 
                   CVE-2020-9894 CVE-2020-9895 CVE-2020-9915 
                   CVE-2020-9925 CVE-2020-10018 CVE-2020-10029 
                   CVE-2020-11793 CVE-2020-13630 CVE-2020-13631 
                   CVE-2020-13632 CVE-2020-14382 CVE-2020-14391 
                   CVE-2020-14422 CVE-2020-15503 CVE-2020-24659 
                   CVE-2020-27831 CVE-2020-27832 
=====================================================================

1. Summary:

Red Hat Quay v3.3.3 is now available with bug fixes and security updates.

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE
link(s) in the References section.

Note: Red Hat Quay v3.3.2 was not released publicly.

2. Description:

This release of Red Hat Quay v3.3.3 includes:

Security Update(s):

* quay: persistent XSS in repository notification display (CVE-2020-27832)

* quay: email notifications authorization bypass (CVE-2020-27831)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

Bug Fix(es):
* NVD feed fixed in Clair-v2 (clair-jwt image)

3. Solution:

Download the release images via:

quay.io/redhat/quay:v3.3.3
quay.io/redhat/clair-jwt:v3.3.3
quay.io/redhat/quay-builder:v3.3.3
quay.io/redhat/clair:v3.3.3

4. Bugs fixed (https://bugzilla.redhat.com/):

1905758 - CVE-2020-27831 quay: email notifications authorization bypass
1905784 - CVE-2020-27832 quay: persistent XSS in repository notification display

5. JIRA issues fixed (https://issues.jboss.org/):

PROJQUAY-1124 - NVD feed is broken for latest Clair v2 version

6. References:

https://access.redhat.com/security/cve/CVE-2018-20843
https://access.redhat.com/security/cve/CVE-2019-5018
https://access.redhat.com/security/cve/CVE-2019-8625
https://access.redhat.com/security/cve/CVE-2019-8710
https://access.redhat.com/security/cve/CVE-2019-8720
https://access.redhat.com/security/cve/CVE-2019-8743
https://access.redhat.com/security/cve/CVE-2019-8764
https://access.redhat.com/security/cve/CVE-2019-8766
https://access.redhat.com/security/cve/CVE-2019-8769
https://access.redhat.com/security/cve/CVE-2019-8771
https://access.redhat.com/security/cve/CVE-2019-8782
https://access.redhat.com/security/cve/CVE-2019-8783
https://access.redhat.com/security/cve/CVE-2019-8808
https://access.redhat.com/security/cve/CVE-2019-8811
https://access.redhat.com/security/cve/CVE-2019-8812
https://access.redhat.com/security/cve/CVE-2019-8813
https://access.redhat.com/security/cve/CVE-2019-8814
https://access.redhat.com/security/cve/CVE-2019-8815
https://access.redhat.com/security/cve/CVE-2019-8816
https://access.redhat.com/security/cve/CVE-2019-8819
https://access.redhat.com/security/cve/CVE-2019-8820
https://access.redhat.com/security/cve/CVE-2019-8823
https://access.redhat.com/security/cve/CVE-2019-8835
https://access.redhat.com/security/cve/CVE-2019-8844
https://access.redhat.com/security/cve/CVE-2019-8846
https://access.redhat.com/security/cve/CVE-2019-13050
https://access.redhat.com/security/cve/CVE-2019-13627
https://access.redhat.com/security/cve/CVE-2019-14889
https://access.redhat.com/security/cve/CVE-2019-15165
https://access.redhat.com/security/cve/CVE-2019-15903
https://access.redhat.com/security/cve/CVE-2019-16168
https://access.redhat.com/security/cve/CVE-2019-16935
https://access.redhat.com/security/cve/CVE-2019-19221
https://access.redhat.com/security/cve/CVE-2019-19906
https://access.redhat.com/security/cve/CVE-2019-19956
https://access.redhat.com/security/cve/CVE-2019-20218
https://access.redhat.com/security/cve/CVE-2019-20387
https://access.redhat.com/security/cve/CVE-2019-20388
https://access.redhat.com/security/cve/CVE-2019-20454
https://access.redhat.com/security/cve/CVE-2019-20807
https://access.redhat.com/security/cve/CVE-2019-20907
https://access.redhat.com/security/cve/CVE-2019-20916
https://access.redhat.com/security/cve/CVE-2020-1730
https://access.redhat.com/security/cve/CVE-2020-1751
https://access.redhat.com/security/cve/CVE-2020-1752
https://access.redhat.com/security/cve/CVE-2020-1971
https://access.redhat.com/security/cve/CVE-2020-3862
https://access.redhat.com/security/cve/CVE-2020-3864
https://access.redhat.com/security/cve/CVE-2020-3865
https://access.redhat.com/security/cve/CVE-2020-3867
https://access.redhat.com/security/cve/CVE-2020-3868
https://access.redhat.com/security/cve/CVE-2020-3885
https://access.redhat.com/security/cve/CVE-2020-3894
https://access.redhat.com/security/cve/CVE-2020-3895
https://access.redhat.com/security/cve/CVE-2020-3897
https://access.redhat.com/security/cve/CVE-2020-3899
https://access.redhat.com/security/cve/CVE-2020-3900
https://access.redhat.com/security/cve/CVE-2020-3901
https://access.redhat.com/security/cve/CVE-2020-3902
https://access.redhat.com/security/cve/CVE-2020-6405
https://access.redhat.com/security/cve/CVE-2020-7595
https://access.redhat.com/security/cve/CVE-2020-8492
https://access.redhat.com/security/cve/CVE-2020-9327
https://access.redhat.com/security/cve/CVE-2020-9802
https://access.redhat.com/security/cve/CVE-2020-9803
https://access.redhat.com/security/cve/CVE-2020-9805
https://access.redhat.com/security/cve/CVE-2020-9806
https://access.redhat.com/security/cve/CVE-2020-9807
https://access.redhat.com/security/cve/CVE-2020-9843
https://access.redhat.com/security/cve/CVE-2020-9850
https://access.redhat.com/security/cve/CVE-2020-9862
https://access.redhat.com/security/cve/CVE-2020-9893
https://access.redhat.com/security/cve/CVE-2020-9894
https://access.redhat.com/security/cve/CVE-2020-9895
https://access.redhat.com/security/cve/CVE-2020-9915
https://access.redhat.com/security/cve/CVE-2020-9925
https://access.redhat.com/security/cve/CVE-2020-10018
https://access.redhat.com/security/cve/CVE-2020-10029
https://access.redhat.com/security/cve/CVE-2020-11793
https://access.redhat.com/security/cve/CVE-2020-13630
https://access.redhat.com/security/cve/CVE-2020-13631
https://access.redhat.com/security/cve/CVE-2020-13632
https://access.redhat.com/security/cve/CVE-2020-14382
https://access.redhat.com/security/cve/CVE-2020-14391
https://access.redhat.com/security/cve/CVE-2020-14422
https://access.redhat.com/security/cve/CVE-2020-15503
https://access.redhat.com/security/cve/CVE-2020-24659
https://access.redhat.com/security/cve/CVE-2020-27831
https://access.redhat.com/security/cve/CVE-2020-27832
https://access.redhat.com/security/updates/classification/#moderate

7. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2021 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBX/v/8tzjgjWX9erEAQjpBA//cBROsr6OlFT9Ug7n2kXtMABJl3pOA2Tb
b18R3acHG6GWpZw/+rrJlmkP/M39CaaZLIJuoI5R2vAx1OvjLFBrgER2tELKP9WW
c1c9Zyp1JOtaOaQIvGbO9D5PnyT8V/VD7SFj8/vCl4zjR+wxAFxfmaWlM3kiXb5w
rKQb1kBakB+OwGCDwi28J8ogS4jCCWROPndLdyRCfgtKFg0GWJ58ZmkC2v2tu/S2
8fejJZ7QcELjZiYcAjI/7ISWdqBZ9+sjHAQMe8GqtEwBs0jAEOAS43yrkmrOXZZ8
kv2jjdjFomzsHe3HnHOGRjLvAhtLIhZOGLH7HdC2EIClYlCr4ET+rlSfcDJmhefY
h+Cz6WOqURcM7vNBwz1cVl+dFjsyC/mV1+yDNDYr6giw7apOcu03CZzjVZEyT1wW
zw9Lnjafis4puyZjMTN5hi3guAP7hinpdBvnsCceGYbO37wbZnIzmbPQ27epAcUM
HamtyjBSsiowZbcvpAlDH733UjRFXEbbg6KcryDImR2fZIICHBbzYNmrC1vTCyCR
MXGTraJQ4YrHaFn9WQqd4gSjvTld7GEWLQ3l8xbUrqKa2HOy3Twpu5zFB1BfiJh0
/mpnu+K+QiIIJHHq299y8Syq3G33iFtDSfqPWG8rAPpqFmhl4hdTpPpVDnWPVM9z
qTma8bI94e4=
=rKFh
-----END PGP SIGNATURE-----

--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce