openSUSE Security Update: Security update for gdcm, orthanc, orthanc-gdcm, orthanc-webviewer ______________________________________________________________________________ Announcement ID: openSUSE-SU-2022:10144-1 Rating: important References: #1181400 Cross-References: CVE-2022-2119 CVE-2022-2120 CVSS scores: CVE-2022-2119 (NVD) : 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2022-2120 (NVD) : 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Affected Products: openSUSE Backports SLE-15-SP3 ______________________________________________________________________________ An update that fixes two vulnerabilities is now available. Description: This update for gdcm, orthanc, orthanc-gdcm, orthanc-webviewer fixes the following issues: Changes in gdcm: - Provides/obsoletes moved to lbgdcm-package (Thx DimStar) - rename of gdcm-libgdcm3_0 to libgdcm3_0 (proposal S. Br��ns) - version 3.0.18 no changelog - version 3.0.12 * support for poppler 22.03 added - version 3.0.11 * Fix for a significant issue with JPEG-LS and RGB color space * tons of small bug fixes - version 3.0.10 (no changelog) Changes in orthanc-gdcm: - changed dependency gdcm-libgdcm3_0 -> libgdcm3_0 - Version 1.5 * Take the configuration option "RestrictTransferSyntaxes" into account not only for decoding, but also for transcoding * Upgrade to GDCM 3.0.10 for static builds- Changes in orthanc: - version 1.11.2 * Added support for RGBA64 images in tools/create-dicom and /preview * New configuration "MaximumStorageMode" to choose between recyling of old patients (default behavior) and rejection of new incoming data when the MaximumStorageSize has been reached. * New sample plugin: "DelayedDeletion" that will delete files from disk asynchronously to speed up deletion of large studies. * Lua: new "SetHttpTimeout" function * Lua: new "OnHeartBeat" callback called at regular interval provided that you have configured "LuaHeartBeatPeriod" > 0. * "ExtraMainDicomTags" configuration now accepts Dicom Sequences. Sequences are stored in a dedicated new metadata "MainDicomSequences". This should improve DicomWeb QIDO-RS and avoid warnings like "Accessing Dicom tags from storage when accessing series : 0040,0275". Main dicom sequences can now be returned in "MainDicomTags" and in "RequestedTags". * Fix the "Never" option of the "StorageAccessOnFind" that was sill accessing files (bug introduced in 1.11.0). * Fix the Storage Cache for compressed files (bug introduced in 1.11.1). * Fix the storage cache that was not used by the Plugin SDK. This fixes the DicomWeb plugin "/rendered" route performance issues. * DelayedDeletion plugin: Fix leaking of symbols * SQLite now closes and deletes WAL and SHM files on exit. This should improve handling of SQLite DB over network drives. * Fix static compilation of boost 1.69 on Ubuntu 22.04 * Upgraded dependencies for static builds: - boost 1.80.0 - dcmtk 3.6.7 (fixes CVE-2022-2119 and CVE-2022-2120) - openssl 3.0.5 * Housekeeper plugin: Fix resume of previous processing * Added missing MOVEPatientRootQueryRetrieveInformationModel in DicomControlUserConnection::SetupPresentationContexts() * Improved HttpClient error logging (add method + url) * API version upgraded to 18 * /system is now reporting "DatabaseServerIdentifier" * Added an Asynchronous mode to /modalities/../move. * "RequestedTags" option can now include DICOM sequences. * New function in the SDK: "OrthancPluginGetDatabaseServerIdentifier" * DicomMap::ParseMainDicomTags has been deprecated -> retrieve "full" tags and use DicomMap::FromDicomAsJson instead - version 1.11.0 * new API version 1.7 * new configuration parameter * for detailed changelog see NEWS - version 1.10.1 * for detailed changelog see NEWS - Version 1.9.7 * New configuration option "DicomAlwaysAllowMove" to disable verification of the remote modality in C-MOVE SCP * API version upgraded to 15 * Added "Level" option to POST /tools/bulk-modify * Added missing OpenAPI documentation of "KeepSource" in ".../modify" and ".../anonymize" * Added file CITATION.cff * Linux Standard Base (LSB) builds of Orthanc can load non-LSB builds of plugins * Fix upload of ZIP archives containing a DICOMDIR file * Fix computation of the estimated time of arrival in jobs * Support detection of windowing and rescale in Philips multiframe images Changes in orthanc-webviewer: - version 2.8 * Fix XSS inside DICOM in Orthanc Web Viewer (as reported by Stuart Kurutac, NCC Group) * framework190.diff removed (covered in actual version) Patch Instructions: To install this openSUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - openSUSE Backports SLE-15-SP3: zypper in -t patch openSUSE-2022-10144=1 Package List: - openSUSE Backports SLE-15-SP3 (aarch64 ppc64le s390x x86_64): gdcm-3.0.19-bp153.2.8.1 gdcm-applications-3.0.19-bp153.2.8.1 gdcm-applications-debuginfo-3.0.19-bp153.2.8.1 gdcm-debuginfo-3.0.19-bp153.2.8.1 gdcm-debugsource-3.0.19-bp153.2.8.1 gdcm-devel-3.0.19-bp153.2.8.1 gdcm-examples-3.0.19-bp153.2.8.1 libgdcm3_0-3.0.19-bp153.2.8.1 libgdcm3_0-debuginfo-3.0.19-bp153.2.8.1 libsocketxx1_2-3.0.19-bp153.2.8.1 libsocketxx1_2-debuginfo-3.0.19-bp153.2.8.1 orthanc-gdcm-1.5-bp153.2.6.1 orthanc-gdcm-debuginfo-1.5-bp153.2.6.1 orthanc-gdcm-debugsource-1.5-bp153.2.6.1 orthanc-webviewer-2.8-bp153.2.3.1 orthanc-webviewer-debuginfo-2.8-bp153.2.3.1 orthanc-webviewer-debugsource-2.8-bp153.2.3.1 python3-gdcm-3.0.19-bp153.2.8.1 python3-gdcm-debuginfo-3.0.19-bp153.2.8.1 - openSUSE Backports SLE-15-SP3 (aarch64 ppc64le x86_64): orthanc-1.11.2-bp153.2.13.1 orthanc-debuginfo-1.11.2-bp153.2.13.1 orthanc-debugsource-1.11.2-bp153.2.13.1 orthanc-devel-1.11.2-bp153.2.13.1 orthanc-source-1.11.2-bp153.2.13.1 - openSUSE Backports SLE-15-SP3 (noarch): orthanc-doc-1.11.2-bp153.2.13.1 References: https://www.suse.com/security/cve/CVE-2022-2119.html https://www.suse.com/security/cve/CVE-2022-2120.html https://bugzilla.suse.com/1181400