openSUSE Security Update: Security update for gdcm, orthanc, orthanc-gdcm, orthanc-webviewer
______________________________________________________________________________

Announcement ID:    openSUSE-SU-2022:10144-1
Rating:             important
References:         #1181400 
Cross-References:   CVE-2022-2119 CVE-2022-2120
CVSS scores:
                    CVE-2022-2119 (NVD) : 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
                    CVE-2022-2120 (NVD) : 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Affected Products:
                    openSUSE Backports SLE-15-SP3
______________________________________________________________________________

   An update that fixes two vulnerabilities is now available.

Description:

   This update for gdcm, orthanc, orthanc-gdcm, orthanc-webviewer fixes the
   following issues:

   Changes in gdcm:

   - Provides/obsoletes moved to the libgdcm package (Thx DimStar)
   - rename of gdcm-libgdcm3_0 to libgdcm3_0 (proposal by S. Brüns)

   - version 3.0.18

     no changelog

   - version 3.0.12

     * support for poppler 22.03 added

   - version 3.0.11

     * Fix for a significant issue with JPEG-LS and RGB color space
     * tons of small bug fixes

   - version 3.0.10 (no changelog)

   Changes in orthanc-gdcm:

   - changed dependency gdcm-libgdcm3_0 -> libgdcm3_0

   - Version 1.5

     * Take the configuration option "RestrictTransferSyntaxes" into account
       not only for decoding, but also for transcoding
     * Upgrade to GDCM 3.0.10 for static builds

   Changes in orthanc:

   - version 1.11.2
     * Added support for RGBA64 images in tools/create-dicom and /preview
     * New configuration "MaximumStorageMode" to choose between recycling of
       old patients (default behavior) and rejection of new incoming data
       when the MaximumStorageSize has been reached.
     * New sample plugin: "DelayedDeletion" that will delete files from disk
       asynchronously to speed up deletion of large studies.
     * Lua: new "SetHttpTimeout" function
     * Lua: new "OnHeartBeat" callback called at regular interval provided
       that you have configured "LuaHeartBeatPeriod" > 0.
     * "ExtraMainDicomTags" configuration now accepts Dicom Sequences.
       Sequences are stored in a dedicated new metadata
       "MainDicomSequences".  This should improve DicomWeb QIDO-RS and avoid
       warnings like "Accessing Dicom tags from storage when accessing series
       : 0040,0275". Main dicom sequences can now be returned in
       "MainDicomTags" and in "RequestedTags".
     * Fix the "Never" option of the "StorageAccessOnFind" that was still
       accessing files (bug introduced in 1.11.0).
     * Fix the Storage Cache for compressed files (bug introduced in 1.11.1).
     * Fix the storage cache that was not used by the Plugin SDK.  This fixes
       the DicomWeb plugin "/rendered" route performance issues.
     * DelayedDeletion plugin: Fix leaking of symbols
     * SQLite now closes and deletes WAL and SHM files on exit.  This should
       improve handling of SQLite DB over network drives.
     * Fix static compilation of boost 1.69 on Ubuntu 22.04
     * Upgraded dependencies for static builds:
       - boost 1.80.0
       - dcmtk 3.6.7  (fixes CVE-2022-2119 and CVE-2022-2120)
       - openssl 3.0.5
     * Housekeeper plugin: Fix resume of previous processing
     * Added missing MOVEPatientRootQueryRetrieveInformationModel in
       DicomControlUserConnection::SetupPresentationContexts()
     * Improved HttpClient error logging (add method + url)
     * API version upgraded to 18
     * /system is now reporting "DatabaseServerIdentifier"
     * Added an Asynchronous mode to /modalities/../move.
     * "RequestedTags" option can now include DICOM sequences.
     * New function in the SDK: "OrthancPluginGetDatabaseServerIdentifier"
     * DicomMap::ParseMainDicomTags has been deprecated -> retrieve "full"
       tags and use DicomMap::FromDicomAsJson instead

   - version 1.11.0

     * API version upgraded to 17
     * new configuration parameter
     * for the detailed changelog see NEWS

   - version 1.10.1

   * for detailed changelog see NEWS

   - Version 1.9.7

   * New configuration option "DicomAlwaysAllowMove" to disable verification
     of the remote modality in C-MOVE SCP. It defaults to false; when set to
     true, any DICOM peer that can reach the port may issue C-MOVE requests,
     so leave it off unless the peers are restricted at the network level.
   * API version upgraded to 15
   * Added "Level" option to POST /tools/bulk-modify
   * Added missing OpenAPI documentation of "KeepSource" in ".../modify" and
     ".../anonymize"
   * Added file CITATION.cff
   * Linux Standard Base (LSB) builds of Orthanc can load non-LSB builds of
     plugins
   * Fix upload of ZIP archives containing a DICOMDIR file
   * Fix computation of the estimated time of arrival in jobs
   * Support detection of windowing and rescale in Philips multiframe images

   Changes in orthanc-webviewer:

   - version 2.8
     * Fix a cross-site scripting (XSS) vulnerability triggered by crafted
       content inside a DICOM file displayed in Orthanc Web Viewer (as
       reported by Stuart Kurutac, NCC Group)
     * framework190.diff removed (its fix is included in the current version)


Patch Instructions:

   To install this openSUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - openSUSE Backports SLE-15-SP3:

      zypper in -t patch openSUSE-2022-10144=1



Package List:

   - openSUSE Backports SLE-15-SP3 (aarch64 ppc64le s390x x86_64):

      gdcm-3.0.19-bp153.2.8.1
      gdcm-applications-3.0.19-bp153.2.8.1
      gdcm-applications-debuginfo-3.0.19-bp153.2.8.1
      gdcm-debuginfo-3.0.19-bp153.2.8.1
      gdcm-debugsource-3.0.19-bp153.2.8.1
      gdcm-devel-3.0.19-bp153.2.8.1
      gdcm-examples-3.0.19-bp153.2.8.1
      libgdcm3_0-3.0.19-bp153.2.8.1
      libgdcm3_0-debuginfo-3.0.19-bp153.2.8.1
      libsocketxx1_2-3.0.19-bp153.2.8.1
      libsocketxx1_2-debuginfo-3.0.19-bp153.2.8.1
      orthanc-gdcm-1.5-bp153.2.6.1
      orthanc-gdcm-debuginfo-1.5-bp153.2.6.1
      orthanc-gdcm-debugsource-1.5-bp153.2.6.1
      orthanc-webviewer-2.8-bp153.2.3.1
      orthanc-webviewer-debuginfo-2.8-bp153.2.3.1
      orthanc-webviewer-debugsource-2.8-bp153.2.3.1
      python3-gdcm-3.0.19-bp153.2.8.1
      python3-gdcm-debuginfo-3.0.19-bp153.2.8.1

   - openSUSE Backports SLE-15-SP3 (aarch64 ppc64le x86_64):

      orthanc-1.11.2-bp153.2.13.1
      orthanc-debuginfo-1.11.2-bp153.2.13.1
      orthanc-debugsource-1.11.2-bp153.2.13.1
      orthanc-devel-1.11.2-bp153.2.13.1
      orthanc-source-1.11.2-bp153.2.13.1

   - openSUSE Backports SLE-15-SP3 (noarch):

      orthanc-doc-1.11.2-bp153.2.13.1
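   The check a practitioner wants after reading the patch instructions and
   the package list above, as an added example (it is not part of the
   advisory and not SUSE tooling): a Python re-implementation of rpm's
   version ordering that compares an `rpm -qa` inventory against the fixed
   versions listed above and flags packages that are still older, or still
   installed under the pre-rename name gdcm-libgdcm3_0. The sample inventory
   and the release numbers of the not-yet-updated packages are constructed for
   the illustration; the query format for the real inventory is given in the
   docstring.

```python
"""Flag installed RPMs still older than the fixes in openSUSE-SU-2022:10144-1.

Added illustration, not part of the advisory. Feed it the output of
    rpm -qa --qf '%{NAME} %|EPOCH?{%{EPOCH}:}:{}|%{VERSION}-%{RELEASE}\n'
on stdin (argument "-"); without it the constructed sample below is used.
"""
import re
import sys

# Fixed EVRs taken from the advisory's package list (debuginfo/debugsource
# and -devel subpackages share their parent's EVR and are omitted).
FIXED = {
    "gdcm": "3.0.19-bp153.2.8.1",
    "libgdcm3_0": "3.0.19-bp153.2.8.1",
    "python3-gdcm": "3.0.19-bp153.2.8.1",
    "orthanc": "1.11.2-bp153.2.13.1",
    "orthanc-gdcm": "1.5-bp153.2.6.1",
    "orthanc-webviewer": "2.8-bp153.2.3.1",
}

# The update renames gdcm-libgdcm3_0 to libgdcm3_0; a package still installed
# under the old name means the update was not applied, whatever its version.
RENAMED = {"gdcm-libgdcm3_0": "libgdcm3_0"}

_SEG = re.compile(r"\d+|[a-zA-Z]+|~")


def rpmvercmp(a: str, b: str) -> int:
    """Order two version/release strings like rpm's rpmvercmp (-1, 0, 1).

    Separators ('.', '-', '_') are skipped; digit runs compare numerically,
    letter runs lexically, a digit run beats a letter run, and '~' sorts
    before anything including end of string ("1.0~rc1" < "1.0").
    The '^' marker of newer rpm releases is not handled.
    """
    sa, sb = _SEG.findall(a), _SEG.findall(b)
    for i in range(max(len(sa), len(sb))):
        x = sa[i] if i < len(sa) else ""
        y = sb[i] if i < len(sb) else ""
        if x == "~" or y == "~":
            if x != y:
                return -1 if x == "~" else 1
            continue
        if not x:          # a exhausted first: "1.0" < "1.0.1"
            return -1
        if not y:
            return 1
        xd, yd = x.isdigit(), y.isdigit()
        if xd and yd:
            if int(x) != int(y):
                return -1 if int(x) < int(y) else 1
        elif xd != yd:     # numeric segment is newer than an alphabetic one
            return 1 if xd else -1
        elif x != y:
            return -1 if x < y else 1
    return 0


def parse_evr(evr: str):
    """Split '[epoch:]version-release' into (int epoch, version, release)."""
    epoch = 0
    if ":" in evr:
        e, evr = evr.split(":", 1)
        epoch = int(e)
    version, _, release = evr.partition("-")
    return epoch, version, release


def evr_cmp(a: str, b: str) -> int:
    """Compare two EVRs: epoch numerically, then version, then release."""
    ea, va, ra = parse_evr(a)
    eb, vb, rb = parse_evr(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)


def find_unpatched(rpm_qa_output: str, fixed=FIXED) -> dict:
    """Return {installed_name: (installed_evr, fixed_evr)} for packages older
    than the fixed version or still under the pre-update name; packages the
    advisory does not cover are ignored."""
    unpatched = {}
    for line in rpm_qa_output.splitlines():
        if not line.strip():
            continue
        name, evr = line.split(None, 1)
        target = RENAMED.get(name, name)
        if target not in fixed:
            continue
        if name in RENAMED or evr_cmp(evr.strip(), fixed[target]) < 0:
            unpatched[name] = (evr.strip(), fixed[target])
    return unpatched


# Constructed sample inventory of a partially updated host (not real data).
SAMPLE_RPM_QA = """\
orthanc 1.11.0-bp153.2.9.1
orthanc-webviewer 2.8-bp153.2.3.1
libgdcm3_0 3.0.19-bp153.2.8.1
gdcm-libgdcm3_0 3.0.9-bp153.1.2
orthanc-gdcm 1.5-bp153.2.6.1
bash 4.4-19.15.1
"""

if __name__ == "__main__":
    data = sys.stdin.read() if sys.argv[1:] == ["-"] else SAMPLE_RPM_QA
    for name, (have, want) in sorted(find_unpatched(data).items()):
        print(f"UNPATCHED {name}: installed {have}, fixed in {want}")
```

   On a single host, "zypper info -t patch openSUSE-2022-10144" already tells
   you whether the patch is installed; the script is for fleets where rpm
   inventories are collected centrally and hosts still carrying pre-update or
   pre-rename packages have to be found from those files.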


References:

   https://www.suse.com/security/cve/CVE-2022-2119.html
   https://www.suse.com/security/cve/CVE-2022-2120.html
   https://bugzilla.suse.com/1181400

Published:          October 12, 2022