openSUSE Security Update: Security update for gdcm, orthanc, orthanc-gdcm, orthanc-webviewer
______________________________________________________________________________

Announcement ID:    openSUSE-SU-2022:10145-1
Rating:             important
References:
Cross-References:   CVE-2022-2119 CVE-2022-2120
CVSS scores:
                    CVE-2022-2119 (NVD) : 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
                    CVE-2022-2120 (NVD) : 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Affected Products:
                    openSUSE Backports SLE-15-SP4
______________________________________________________________________________

   An update that fixes two vulnerabilities is now available.

Description:

   This update for gdcm, orthanc, orthanc-gdcm, orthanc-webviewer fixes the
   following issues:

   Changes in gdcm:

   - rename of gdcm-libgdcm3_0 to libgdcm3_0 (proposal S. Brüns)
   - version 3.0.18
     no changelog
   - version 3.0.12
     * support for poppler 22.03 added

   Changes in orthanc-gdcm:

   - changed dependency gdcm-libgdcm3_0 -> libgdcm3_0

   Changes in orthanc:

   - version 1.11.2
     * Added support for RGBA64 images in tools/create-dicom and /preview
     * New configuration "MaximumStorageMode" to choose between recycling of
       old patients (default behavior) and rejection of new incoming data when
       the MaximumStorageSize has been reached.
     * New sample plugin: "DelayedDeletion" that will delete files from disk
       asynchronously to speed up deletion of large studies.
     * Lua: new "SetHttpTimeout" function
     * Lua: new "OnHeartBeat" callback called at a regular interval provided
       that you have configured "LuaHeartBeatPeriod" > 0.
     * "ExtraMainDicomTags" configuration now accepts Dicom Sequences.
       Sequences are stored in a dedicated new metadata "MainDicomSequences".
       This should improve DicomWeb QIDO-RS and avoid warnings like "Accessing
       Dicom tags from storage when accessing series : 0040,0275". Main dicom
       sequences can now be returned in "MainDicomTags" and in
       "RequestedTags".
     * Fix the "Never" option of the "StorageAccessOnFind" that was still
       accessing files (bug introduced in 1.11.0).
     * Fix the Storage Cache for compressed files (bug introduced in 1.11.1).
     * Fix the storage cache that was not used by the Plugin SDK. This fixes
       the DicomWeb plugin "/rendered" route performance issues.
     * DelayedDeletion plugin: Fix leaking of symbols
     * SQLite now closes and deletes WAL and SHM files on exit. This should
       improve handling of SQLite DB over network drives.
     * Fix static compilation of boost 1.69 on Ubuntu 22.04
     * Upgraded dependencies for static builds:
       - boost 1.80.0
       - dcmtk 3.6.7 (fixes CVE-2022-2119 and CVE-2022-2120)
       - openssl 3.0.5
     * Housekeeper plugin: Fix resume of previous processing
     * Added missing MOVEPatientRootQueryRetrieveInformationModel in
       DicomControlUserConnection::SetupPresentationContexts()
     * Improved HttpClient error logging (add method + url)
     * API version upgraded to 18
     * /system is now reporting "DatabaseServerIdentifier"
     * Added an Asynchronous mode to /modalities/../move.
     * "RequestedTags" option can now include DICOM sequences.
     * New function in the SDK: "OrthancPluginGetDatabaseServerIdentifier"
     * DicomMap::ParseMainDicomTags has been deprecated -> retrieve "full"
       tags and use DicomMap::FromDicomAsJson instead

   Changes in orthanc-webviewer:

   - version 2.8
     * Fix XSS inside DICOM in Orthanc Web Viewer (as reported by Stuart
       Kurutac, NCC Group)
   - framework190.diff removed (covered in actual version)

Patch Instructions:

   To install this openSUSE Security Update use the SUSE recommended
   installation methods like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - openSUSE Backports SLE-15-SP4:

      zypper in -t patch openSUSE-2022-10145=1

Package List:

   - openSUSE Backports SLE-15-SP4 (aarch64 ppc64le s390x x86_64):

      gdcm-3.0.19-bp154.2.5.1
      gdcm-applications-3.0.19-bp154.2.5.1
      gdcm-applications-debuginfo-3.0.19-bp154.2.5.1
      gdcm-debuginfo-3.0.19-bp154.2.5.1
      gdcm-debugsource-3.0.19-bp154.2.5.1
      gdcm-devel-3.0.19-bp154.2.5.1
      gdcm-examples-3.0.19-bp154.2.5.1
      libgdcm3_0-3.0.19-bp154.2.5.1
      libgdcm3_0-debuginfo-3.0.19-bp154.2.5.1
      libsocketxx1_2-3.0.19-bp154.2.5.1
      libsocketxx1_2-debuginfo-3.0.19-bp154.2.5.1
      orthanc-gdcm-1.5-bp154.2.3.1
      orthanc-gdcm-debuginfo-1.5-bp154.2.3.1
      orthanc-gdcm-debugsource-1.5-bp154.2.3.1
      orthanc-webviewer-2.8-bp154.2.3.1
      orthanc-webviewer-debuginfo-2.8-bp154.2.3.1
      orthanc-webviewer-debugsource-2.8-bp154.2.3.1
      python3-gdcm-3.0.19-bp154.2.5.1
      python3-gdcm-debuginfo-3.0.19-bp154.2.5.1

   - openSUSE Backports SLE-15-SP4 (aarch64 ppc64le x86_64):

      orthanc-1.11.2-bp154.2.3.1
      orthanc-debuginfo-1.11.2-bp154.2.3.1
      orthanc-debugsource-1.11.2-bp154.2.3.1
      orthanc-devel-1.11.2-bp154.2.3.1
      orthanc-source-1.11.2-bp154.2.3.1

   - openSUSE Backports SLE-15-SP4 (noarch):

      orthanc-doc-1.11.2-bp154.2.3.1

References:

   https://www.suse.com/security/cve/CVE-2022-2119.html
   https://www.suse.com/security/cve/CVE-2022-2120.html