Security update for gdcm, orthanc, orthanc-gdcm, orthanc-webviewer
SUSE Patch
security@suse.de
SUSE Security Team
openSUSE-SU-2022:10144-1
Final
1
1
2022-10-12T15:35:18Z
current
2022-10-12T15:35:18Z
2022-10-12T15:35:18Z
cve-database/bin/generate-cvrf.pl
2017-02-24T01:00:00Z
Security update for gdcm, orthanc, orthanc-gdcm, orthanc-webviewer
This update for gdcm, orthanc, orthanc-gdcm, orthanc-webviewer fixes the following issues:
Changes in gdcm:
- Provides/obsoletes moved to lbgdcm-package (Thx DimStar)
- rename of gdcm-libgdcm3_0 to libgdcm3_0 (proposal S. BrĂ¼ns)
- version 3.0.18
no changelog
- version 3.0.12
* support for poppler 22.03 added
- version 3.0.11
* Fix for a significant issue with JPEG-LS and RGB color space
* tons of small bug fixes
- version 3.0.10 (no changelog)
Changes in orthanc-gdcm:
- changed dependency gdcm-libgdcm3_0 -> libgdcm3_0
- Version 1.5
* Take the configuration option 'RestrictTransferSyntaxes' into
account not only for decoding, but also for transcoding
* Upgrade to GDCM 3.0.10 for static builds-
Changes in orthanc:
- version 1.11.2
* Added support for RGBA64 images in tools/create-dicom and /preview
* New configuration 'MaximumStorageMode' to choose between recyling of
old patients (default behavior) and rejection of new incoming data when
the MaximumStorageSize has been reached.
* New sample plugin: 'DelayedDeletion' that will delete files from disk
asynchronously to speed up deletion of large studies.
* Lua: new 'SetHttpTimeout' function
* Lua: new 'OnHeartBeat' callback called at regular interval provided that
you have configured 'LuaHeartBeatPeriod' > 0.
* 'ExtraMainDicomTags' configuration now accepts Dicom Sequences. Sequences are
stored in a dedicated new metadata 'MainDicomSequences'. This should improve
DicomWeb QIDO-RS and avoid warnings like 'Accessing Dicom tags from storage when
accessing series : 0040,0275'.
Main dicom sequences can now be returned in 'MainDicomTags' and in 'RequestedTags'.
* Fix the 'Never' option of the 'StorageAccessOnFind' that was sill accessing
files (bug introduced in 1.11.0).
* Fix the Storage Cache for compressed files (bug introduced in 1.11.1).
* Fix the storage cache that was not used by the Plugin SDK. This fixes the
DicomWeb plugin '/rendered' route performance issues.
* DelayedDeletion plugin: Fix leaking of symbols
* SQLite now closes and deletes WAL and SHM files on exit. This should improve
handling of SQLite DB over network drives.
* Fix static compilation of boost 1.69 on Ubuntu 22.04
* Upgraded dependencies for static builds:
- boost 1.80.0
- dcmtk 3.6.7 (fixes CVE-2022-2119 and CVE-2022-2120)
- openssl 3.0.5
* Housekeeper plugin: Fix resume of previous processing
* Added missing MOVEPatientRootQueryRetrieveInformationModel in
DicomControlUserConnection::SetupPresentationContexts()
* Improved HttpClient error logging (add method + url)
* API version upgraded to 18
* /system is now reporting 'DatabaseServerIdentifier'
* Added an Asynchronous mode to /modalities/../move.
* 'RequestedTags' option can now include DICOM sequences.
* New function in the SDK: 'OrthancPluginGetDatabaseServerIdentifier'
* DicomMap::ParseMainDicomTags has been deprecated -> retrieve 'full' tags
and use DicomMap::FromDicomAsJson instead
- version 1.11.0
* new API version 1.7
* new configuration parameter
* for detailed changelog see NEWS
- version 1.10.1
* for detailed changelog see NEWS
- Version 1.9.7
* New configuration option 'DicomAlwaysAllowMove' to disable verification of
the remote modality in C-MOVE SCP
* API version upgraded to 15
* Added 'Level' option to POST /tools/bulk-modify
* Added missing OpenAPI documentation of 'KeepSource' in '.../modify' and '.../anonymize'
* Added file CITATION.cff
* Linux Standard Base (LSB) builds of Orthanc can load non-LSB builds of plugins
* Fix upload of ZIP archives containing a DICOMDIR file
* Fix computation of the estimated time of arrival in jobs
* Support detection of windowing and rescale in Philips multiframe images
Changes in orthanc-webviewer:
- version 2.8
* Fix XSS inside DICOM in Orthanc Web Viewer (as reported by Stuart
Kurutac, NCC Group)
* framework190.diff removed (covered in actual version)
The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
openSUSE-2022-10144
Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0)
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/K67WDY4JVASQKGAJHGMCE45SJSPPFKPM/
E-Mail link for openSUSE-SU-2022:10144-1
https://www.suse.com/support/security/rating/
SUSE Security Ratings
https://bugzilla.suse.com/1181400
SUSE Bug 1181400
https://www.suse.com/security/cve/CVE-2022-2119/
SUSE CVE CVE-2022-2119 page
https://www.suse.com/security/cve/CVE-2022-2120/
SUSE CVE CVE-2022-2120 page
SUSE Package Hub 15 SP3
openSUSE Leap 15.3
gdcm-3.0.19-bp153.2.8.1
gdcm-applications-3.0.19-bp153.2.8.1
gdcm-devel-3.0.19-bp153.2.8.1
gdcm-examples-3.0.19-bp153.2.8.1
libgdcm3_0-3.0.19-bp153.2.8.1
libsocketxx1_2-3.0.19-bp153.2.8.1
orthanc-1.11.2-bp153.2.13.1
orthanc-devel-1.11.2-bp153.2.13.1
orthanc-doc-1.11.2-bp153.2.13.1
orthanc-gdcm-1.5-bp153.2.6.1
orthanc-source-1.11.2-bp153.2.13.1
orthanc-webviewer-2.8-bp153.2.3.1
python3-gdcm-3.0.19-bp153.2.8.1
gdcm-3.0.19-bp153.2.8.1 as a component of SUSE Package Hub 15 SP3
gdcm-applications-3.0.19-bp153.2.8.1 as a component of SUSE Package Hub 15 SP3
gdcm-devel-3.0.19-bp153.2.8.1 as a component of SUSE Package Hub 15 SP3
gdcm-examples-3.0.19-bp153.2.8.1 as a component of SUSE Package Hub 15 SP3
libgdcm3_0-3.0.19-bp153.2.8.1 as a component of SUSE Package Hub 15 SP3
libsocketxx1_2-3.0.19-bp153.2.8.1 as a component of SUSE Package Hub 15 SP3
orthanc-1.11.2-bp153.2.13.1 as a component of SUSE Package Hub 15 SP3
orthanc-devel-1.11.2-bp153.2.13.1 as a component of SUSE Package Hub 15 SP3
orthanc-doc-1.11.2-bp153.2.13.1 as a component of SUSE Package Hub 15 SP3
orthanc-gdcm-1.5-bp153.2.6.1 as a component of SUSE Package Hub 15 SP3
orthanc-source-1.11.2-bp153.2.13.1 as a component of SUSE Package Hub 15 SP3
orthanc-webviewer-2.8-bp153.2.3.1 as a component of SUSE Package Hub 15 SP3
python3-gdcm-3.0.19-bp153.2.8.1 as a component of SUSE Package Hub 15 SP3
gdcm-3.0.19-bp153.2.8.1 as a component of openSUSE Leap 15.3
gdcm-applications-3.0.19-bp153.2.8.1 as a component of openSUSE Leap 15.3
gdcm-devel-3.0.19-bp153.2.8.1 as a component of openSUSE Leap 15.3
gdcm-examples-3.0.19-bp153.2.8.1 as a component of openSUSE Leap 15.3
libgdcm3_0-3.0.19-bp153.2.8.1 as a component of openSUSE Leap 15.3
libsocketxx1_2-3.0.19-bp153.2.8.1 as a component of openSUSE Leap 15.3
orthanc-1.11.2-bp153.2.13.1 as a component of openSUSE Leap 15.3
orthanc-devel-1.11.2-bp153.2.13.1 as a component of openSUSE Leap 15.3
orthanc-doc-1.11.2-bp153.2.13.1 as a component of openSUSE Leap 15.3
orthanc-gdcm-1.5-bp153.2.6.1 as a component of openSUSE Leap 15.3
orthanc-source-1.11.2-bp153.2.13.1 as a component of openSUSE Leap 15.3
orthanc-webviewer-2.8-bp153.2.3.1 as a component of openSUSE Leap 15.3
python3-gdcm-3.0.19-bp153.2.8.1 as a component of openSUSE Leap 15.3
OFFIS DCMTK's (All versions prior to 3.6.7) service class provider (SCP) is vulnerable to path traversal, allowing an attacker to write DICOM files into arbitrary directories under controlled names. This could allow remote code execution.
CVE-2022-2119
SUSE Package Hub 15 SP3:gdcm-3.0.19-bp153.2.8.1
SUSE Package Hub 15 SP3:gdcm-applications-3.0.19-bp153.2.8.1
SUSE Package Hub 15 SP3:gdcm-devel-3.0.19-bp153.2.8.1
SUSE Package Hub 15 SP3:gdcm-examples-3.0.19-bp153.2.8.1
SUSE Package Hub 15 SP3:libgdcm3_0-3.0.19-bp153.2.8.1
SUSE Package Hub 15 SP3:libsocketxx1_2-3.0.19-bp153.2.8.1
SUSE Package Hub 15 SP3:orthanc-1.11.2-bp153.2.13.1
SUSE Package Hub 15 SP3:orthanc-devel-1.11.2-bp153.2.13.1
SUSE Package Hub 15 SP3:orthanc-doc-1.11.2-bp153.2.13.1
SUSE Package Hub 15 SP3:orthanc-gdcm-1.5-bp153.2.6.1
SUSE Package Hub 15 SP3:orthanc-source-1.11.2-bp153.2.13.1
SUSE Package Hub 15 SP3:orthanc-webviewer-2.8-bp153.2.3.1
SUSE Package Hub 15 SP3:python3-gdcm-3.0.19-bp153.2.8.1
openSUSE Leap 15.3:gdcm-3.0.19-bp153.2.8.1
openSUSE Leap 15.3:gdcm-applications-3.0.19-bp153.2.8.1
openSUSE Leap 15.3:gdcm-devel-3.0.19-bp153.2.8.1
openSUSE Leap 15.3:gdcm-examples-3.0.19-bp153.2.8.1
openSUSE Leap 15.3:libgdcm3_0-3.0.19-bp153.2.8.1
openSUSE Leap 15.3:libsocketxx1_2-3.0.19-bp153.2.8.1
openSUSE Leap 15.3:orthanc-1.11.2-bp153.2.13.1
openSUSE Leap 15.3:orthanc-devel-1.11.2-bp153.2.13.1
openSUSE Leap 15.3:orthanc-doc-1.11.2-bp153.2.13.1
openSUSE Leap 15.3:orthanc-gdcm-1.5-bp153.2.6.1
openSUSE Leap 15.3:orthanc-source-1.11.2-bp153.2.13.1
openSUSE Leap 15.3:orthanc-webviewer-2.8-bp153.2.3.1
openSUSE Leap 15.3:python3-gdcm-3.0.19-bp153.2.8.1
important
To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/K67WDY4JVASQKGAJHGMCE45SJSPPFKPM/
https://www.suse.com/security/cve/CVE-2022-2119.html
CVE-2022-2119
https://bugzilla.suse.com/1208637
SUSE Bug 1208637
OFFIS DCMTK's (All versions prior to 3.6.7) service class user (SCU) is vulnerable to relative path traversal, allowing an attacker to write DICOM files into arbitrary directories under controlled names. This could allow remote code execution.
CVE-2022-2120
SUSE Package Hub 15 SP3:gdcm-3.0.19-bp153.2.8.1
SUSE Package Hub 15 SP3:gdcm-applications-3.0.19-bp153.2.8.1
SUSE Package Hub 15 SP3:gdcm-devel-3.0.19-bp153.2.8.1
SUSE Package Hub 15 SP3:gdcm-examples-3.0.19-bp153.2.8.1
SUSE Package Hub 15 SP3:libgdcm3_0-3.0.19-bp153.2.8.1
SUSE Package Hub 15 SP3:libsocketxx1_2-3.0.19-bp153.2.8.1
SUSE Package Hub 15 SP3:orthanc-1.11.2-bp153.2.13.1
SUSE Package Hub 15 SP3:orthanc-devel-1.11.2-bp153.2.13.1
SUSE Package Hub 15 SP3:orthanc-doc-1.11.2-bp153.2.13.1
SUSE Package Hub 15 SP3:orthanc-gdcm-1.5-bp153.2.6.1
SUSE Package Hub 15 SP3:orthanc-source-1.11.2-bp153.2.13.1
SUSE Package Hub 15 SP3:orthanc-webviewer-2.8-bp153.2.3.1
SUSE Package Hub 15 SP3:python3-gdcm-3.0.19-bp153.2.8.1
openSUSE Leap 15.3:gdcm-3.0.19-bp153.2.8.1
openSUSE Leap 15.3:gdcm-applications-3.0.19-bp153.2.8.1
openSUSE Leap 15.3:gdcm-devel-3.0.19-bp153.2.8.1
openSUSE Leap 15.3:gdcm-examples-3.0.19-bp153.2.8.1
openSUSE Leap 15.3:libgdcm3_0-3.0.19-bp153.2.8.1
openSUSE Leap 15.3:libsocketxx1_2-3.0.19-bp153.2.8.1
openSUSE Leap 15.3:orthanc-1.11.2-bp153.2.13.1
openSUSE Leap 15.3:orthanc-devel-1.11.2-bp153.2.13.1
openSUSE Leap 15.3:orthanc-doc-1.11.2-bp153.2.13.1
openSUSE Leap 15.3:orthanc-gdcm-1.5-bp153.2.6.1
openSUSE Leap 15.3:orthanc-source-1.11.2-bp153.2.13.1
openSUSE Leap 15.3:orthanc-webviewer-2.8-bp153.2.3.1
openSUSE Leap 15.3:python3-gdcm-3.0.19-bp153.2.8.1
important
To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/K67WDY4JVASQKGAJHGMCE45SJSPPFKPM/
https://www.suse.com/security/cve/CVE-2022-2120.html
CVE-2022-2120
https://bugzilla.suse.com/1208638
SUSE Bug 1208638