SUSE 5055 Published by

A gdcm, orthanc, orthanc-gdcm, orthanc-webviewer security update has been released for SUSE Linux Enterprise 15 SP4.



openSUSE-SU-2022:10145-1: important: Security update for gdcm, orthanc, orthanc-gdcm, orthanc-webviewer


openSUSE Security Update: Security update for gdcm, orthanc, orthanc-gdcm, orthanc-webviewer
______________________________________________________________________________

Announcement ID: openSUSE-SU-2022:10145-1
Rating: important
References:
Cross-References: CVE-2022-2119 CVE-2022-2120
CVSS scores:
CVE-2022-2119 (NVD) : 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVE-2022-2120 (NVD) : 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Affected Products:
openSUSE Backports SLE-15-SP4
______________________________________________________________________________

An update that fixes two vulnerabilities is now available.

Description:

This update for gdcm, orthanc, orthanc-gdcm, orthanc-webviewer fixes the
following issues:

Changes in gdcm:

- rename of gdcm-libgdcm3_0 to libgdcm3_0 (proposal S. Br??ns)

- version 3.0.18

no changelog

- version 3.0.12

* support for poppler 22.03 added

Changes in orthanc-gdcm:

- changed dependency gdcm-libgdcm3_0 -> libgdcm3_0

Changes in orthanc:

- version 1.11.2
* Added support for RGBA64 images in tools/create-dicom and /preview
* New configuration "MaximumStorageMode" to choose between recyling of
old patients (default behavior) and rejection of new incoming data
when the MaximumStorageSize has been reached.
* New sample plugin: "DelayedDeletion" that will delete files from disk
asynchronously to speed up deletion of large studies.
* Lua: new "SetHttpTimeout" function
* Lua: new "OnHeartBeat" callback called at regular interval provided
that you have configured "LuaHeartBeatPeriod" > 0.
* "ExtraMainDicomTags" configuration now accepts Dicom Sequences.
Sequences are stored in a dedicated new metadata
"MainDicomSequences". This should improve DicomWeb QIDO-RS and avoid
warnings like "Accessing Dicom tags from storage when accessing series
: 0040,0275". Main dicom sequences can now be returned in
"MainDicomTags" and in "RequestedTags".
* Fix the "Never" option of the "StorageAccessOnFind" that was sill
accessing files (bug introduced in 1.11.0).
* Fix the Storage Cache for compressed files (bug introduced in 1.11.1).
* Fix the storage cache that was not used by the Plugin SDK. This fixes
the DicomWeb plugin "/rendered" route performance issues.
* DelayedDeletion plugin: Fix leaking of symbols
* SQLite now closes and deletes WAL and SHM files on exit. This should
improve handling of SQLite DB over network drives.
* Fix static compilation of boost 1.69 on Ubuntu 22.04
* Upgraded dependencies for static builds:
- boost 1.80.0
- dcmtk 3.6.7 (fixes CVE-2022-2119 and CVE-2022-2120)
- openssl 3.0.5
* Housekeeper plugin: Fix resume of previous processing
* Added missing MOVEPatientRootQueryRetrieveInformationModel in
DicomControlUserConnection::SetupPresentationContexts()
* Improved HttpClient error logging (add method + url)
* API version upgraded to 18
* /system is now reporting "DatabaseServerIdentifier"
* Added an Asynchronous mode to /modalities/../move.
* "RequestedTags" option can now include DICOM sequences.
* New function in the SDK: "OrthancPluginGetDatabaseServerIdentifier"
* DicomMap::ParseMainDicomTags has been deprecated -> retrieve "full"
tags and use DicomMap::FromDicomAsJson instead

Changes in orthanc-webviewer:

- version 2.8

* Fix XSS inside DICOM in Orthanc Web Viewer (as reported by Stuart
Kurutac, NCC Group)
* framework190.diff removed (covered in actual version)

Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Backports SLE-15-SP4:

zypper in -t patch openSUSE-2022-10145=1


Package List:

- openSUSE Backports SLE-15-SP4 (aarch64 ppc64le s390x x86_64):

gdcm-3.0.19-bp154.2.5.1
gdcm-applications-3.0.19-bp154.2.5.1
gdcm-applications-debuginfo-3.0.19-bp154.2.5.1
gdcm-debuginfo-3.0.19-bp154.2.5.1
gdcm-debugsource-3.0.19-bp154.2.5.1
gdcm-devel-3.0.19-bp154.2.5.1
gdcm-examples-3.0.19-bp154.2.5.1
libgdcm3_0-3.0.19-bp154.2.5.1
libgdcm3_0-debuginfo-3.0.19-bp154.2.5.1
libsocketxx1_2-3.0.19-bp154.2.5.1
libsocketxx1_2-debuginfo-3.0.19-bp154.2.5.1
orthanc-gdcm-1.5-bp154.2.3.1
orthanc-gdcm-debuginfo-1.5-bp154.2.3.1
orthanc-gdcm-debugsource-1.5-bp154.2.3.1
orthanc-webviewer-2.8-bp154.2.3.1
orthanc-webviewer-debuginfo-2.8-bp154.2.3.1
orthanc-webviewer-debugsource-2.8-bp154.2.3.1
python3-gdcm-3.0.19-bp154.2.5.1
python3-gdcm-debuginfo-3.0.19-bp154.2.5.1

- openSUSE Backports SLE-15-SP4 (aarch64 ppc64le x86_64):

orthanc-1.11.2-bp154.2.3.1
orthanc-debuginfo-1.11.2-bp154.2.3.1
orthanc-debugsource-1.11.2-bp154.2.3.1
orthanc-devel-1.11.2-bp154.2.3.1
orthanc-source-1.11.2-bp154.2.3.1

- openSUSE Backports SLE-15-SP4 (noarch):

orthanc-doc-1.11.2-bp154.2.3.1

References:

  https://www.suse.com/security/cve/CVE-2022-2119.html
  https://www.suse.com/security/cve/CVE-2022-2120.html