Quay 3.6.0 release
Security Fix(es):
nodejs-url-parse: incorrect hostname in url parsing (CVE-2018-3774)
python-pillow: insufficient fix for CVE-2020-35654 due to incorrect error checking in TiffDecode.c (CVE-2021-25289)
nodejs-urijs: mishandling certain uses of backslash may lead to confidentiality compromise (CVE-2021-27516)
nodejs-debug: Regular expression Denial of Service (CVE-2017-16137)
nodejs-mime: Regular expression Denial of Service (CVE-2017-16138)
nodejs-is-my-json-valid: ReDoS when validating JSON fields with email format (CVE-2018-1107)
nodejs-extend: Prototype pollution can allow attackers to modify object properties (CVE-2018-16492)
nodejs-stringstream: out-of-bounds read leading to uninitialized memory exposure (CVE-2018-21270)
nodejs-handlebars: lookup helper fails to properly validate templates allowing for arbitrary JavaScript execution (CVE-2019-20920)
nodejs-handlebars: an endless loop while processing specially-crafted templates leads to DoS (CVE-2019-20922)
nodejs-lodash: prototype pollution in zipObjectDeep function (CVE-2020-8203)
nodejs-ajv: prototype pollution via crafted JSON schema in ajv.validate function (CVE-2020-15366)
nodejs-highlight-js: prototype pollution via a crafted HTML code block (CVE-2020-26237)
urijs: Hostname spoofing via backslashes in URL (CVE-2020-26291)
python-pillow: decoding crafted YCbCr files could result in heap-based buffer overflow (CVE-2020-35654)
browserslist: parsing of invalid queries could result in Regular Expression Denial of Service (ReDoS) (CVE-2021-23364)
nodejs-postcss: Regular expression denial of service during source map parsing (CVE-2021-23368)
nodejs-postcss: ReDoS via getAnnotationURL() and loadAnnotation() in lib/previous-map.js (CVE-2021-23382)
python-pillow: negative-offset memcpy with an invalid size in TiffDecode.c (CVE-2021-25290)
python-pillow: out-of-bounds read in TiffReadRGBATile in TiffDecode.c (CVE-2021-25291)
python-pillow: backtracking regex in PDF parser could be used as a DoS attack (CVE-2021-25292)
python-pillow: out-of-bounds read in SGIRleDecode.c (CVE-2021-25293)
nodejs-url-parse: mishandling certain uses of backslash may lead to confidentiality compromise (CVE-2021-27515)
python-pillow: reported size of a contained image is not properly checked for a BLP container (CVE-2021-27921)
python-pillow: reported size of a contained image is not properly checked for an ICNS container (CVE-2021-27922)
python-pillow: reported size of a contained image is not properly checked for an ICO container (CVE-2021-27923)
python-pillow: buffer overflow in Convert.c because it allows an attacker to pass controlled parameters directly into a convert function (CVE-2021-34552)
nodejs-braces: Regular Expression Denial of Service (ReDoS) in lib/parsers.js (CVE-2018-1109)
lodash: Prototype pollution in utilities function (CVE-2018-3721)
hoek: Prototype pollution in utilities function (CVE-2018-3728)
lodash: uncontrolled resource consumption in Data handler causing denial of service (CVE-2019-1010266)
nodejs-yargs-parser: prototype pollution vulnerability (CVE-2020-7608)
python-pillow: decoding a crafted PCX file could result in buffer over-read (CVE-2020-35653)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.