SUSE 5185 Published by

A gdcm, orthanc, orthanc-gdcm, orthanc-webviewer security update has been released for SUSE Linux Enterprise 15 SP3.



openSUSE-SU-2022:10144-1: important: Security update for gdcm, orthanc, orthanc-gdcm, orthanc-webviewer


openSUSE Security Update: Security update for gdcm, orthanc, orthanc-gdcm, orthanc-webviewer
______________________________________________________________________________

Announcement ID: openSUSE-SU-2022:10144-1
Rating: important
References: #1181400
Cross-References: CVE-2022-2119 CVE-2022-2120
CVSS scores:
CVE-2022-2119 (NVD) : 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVE-2022-2120 (NVD) : 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Affected Products:
openSUSE Backports SLE-15-SP3
______________________________________________________________________________

An update that fixes two vulnerabilities is now available.

Description:

This update for gdcm, orthanc, orthanc-gdcm, orthanc-webviewer fixes the
following issues:

Changes in gdcm:

- Provides/obsoletes moved to lbgdcm-package (Thx DimStar)
- rename of gdcm-libgdcm3_0 to libgdcm3_0 (proposal S. Br??ns)

- version 3.0.18

no changelog

- version 3.0.12

* support for poppler 22.03 added

- version 3.0.11

* Fix for a significant issue with JPEG-LS and RGB color space
* tons of small bug fixes

- version 3.0.10 (no changelog)

Changes in orthanc-gdcm:

- changed dependency gdcm-libgdcm3_0 -> libgdcm3_0

- Version 1.5

* Take the configuration option "RestrictTransferSyntaxes" into account
not only for decoding, but also for transcoding
* Upgrade to GDCM 3.0.10 for static builds-

Changes in orthanc:

- version 1.11.2
* Added support for RGBA64 images in tools/create-dicom and /preview
* New configuration "MaximumStorageMode" to choose between recyling of
old patients (default behavior) and rejection of new incoming data
when the MaximumStorageSize has been reached.
* New sample plugin: "DelayedDeletion" that will delete files from disk
asynchronously to speed up deletion of large studies.
* Lua: new "SetHttpTimeout" function
* Lua: new "OnHeartBeat" callback called at regular interval provided
that you have configured "LuaHeartBeatPeriod" > 0.
* "ExtraMainDicomTags" configuration now accepts Dicom Sequences.
Sequences are stored in a dedicated new metadata
"MainDicomSequences". This should improve DicomWeb QIDO-RS and avoid
warnings like "Accessing Dicom tags from storage when accessing series
: 0040,0275". Main dicom sequences can now be returned in
"MainDicomTags" and in "RequestedTags".
* Fix the "Never" option of the "StorageAccessOnFind" that was sill
accessing files (bug introduced in 1.11.0).
* Fix the Storage Cache for compressed files (bug introduced in 1.11.1).
* Fix the storage cache that was not used by the Plugin SDK. This fixes
the DicomWeb plugin "/rendered" route performance issues.
* DelayedDeletion plugin: Fix leaking of symbols
* SQLite now closes and deletes WAL and SHM files on exit. This should
improve handling of SQLite DB over network drives.
* Fix static compilation of boost 1.69 on Ubuntu 22.04
* Upgraded dependencies for static builds:
- boost 1.80.0
- dcmtk 3.6.7 (fixes CVE-2022-2119 and CVE-2022-2120)
- openssl 3.0.5
* Housekeeper plugin: Fix resume of previous processing
* Added missing MOVEPatientRootQueryRetrieveInformationModel in
DicomControlUserConnection::SetupPresentationContexts()
* Improved HttpClient error logging (add method + url)
* API version upgraded to 18
* /system is now reporting "DatabaseServerIdentifier"
* Added an Asynchronous mode to /modalities/../move.
* "RequestedTags" option can now include DICOM sequences.
* New function in the SDK: "OrthancPluginGetDatabaseServerIdentifier"
* DicomMap::ParseMainDicomTags has been deprecated -> retrieve "full"
tags and use DicomMap::FromDicomAsJson instead

- version 1.11.0

* new API version 1.7
* new configuration parameter
* for detailed changelog see NEWS

- version 1.10.1

* for detailed changelog see NEWS

- Version 1.9.7

* New configuration option "DicomAlwaysAllowMove" to disable verification
of the remote modality in C-MOVE SCP
* API version upgraded to 15
* Added "Level" option to POST /tools/bulk-modify
* Added missing OpenAPI documentation of "KeepSource" in ".../modify" and
".../anonymize"
* Added file CITATION.cff
* Linux Standard Base (LSB) builds of Orthanc can load non-LSB builds of
plugins
* Fix upload of ZIP archives containing a DICOMDIR file
* Fix computation of the estimated time of arrival in jobs
* Support detection of windowing and rescale in Philips multiframe images

Changes in orthanc-webviewer:

- version 2.8
* Fix XSS inside DICOM in Orthanc Web Viewer (as reported by Stuart
Kurutac, NCC Group)
* framework190.diff removed (covered in actual version)

Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Backports SLE-15-SP3:

zypper in -t patch openSUSE-2022-10144=1


Package List:

- openSUSE Backports SLE-15-SP3 (aarch64 ppc64le s390x x86_64):

gdcm-3.0.19-bp153.2.8.1
gdcm-applications-3.0.19-bp153.2.8.1
gdcm-applications-debuginfo-3.0.19-bp153.2.8.1
gdcm-debuginfo-3.0.19-bp153.2.8.1
gdcm-debugsource-3.0.19-bp153.2.8.1
gdcm-devel-3.0.19-bp153.2.8.1
gdcm-examples-3.0.19-bp153.2.8.1
libgdcm3_0-3.0.19-bp153.2.8.1
libgdcm3_0-debuginfo-3.0.19-bp153.2.8.1
libsocketxx1_2-3.0.19-bp153.2.8.1
libsocketxx1_2-debuginfo-3.0.19-bp153.2.8.1
orthanc-gdcm-1.5-bp153.2.6.1
orthanc-gdcm-debuginfo-1.5-bp153.2.6.1
orthanc-gdcm-debugsource-1.5-bp153.2.6.1
orthanc-webviewer-2.8-bp153.2.3.1
orthanc-webviewer-debuginfo-2.8-bp153.2.3.1
orthanc-webviewer-debugsource-2.8-bp153.2.3.1
python3-gdcm-3.0.19-bp153.2.8.1
python3-gdcm-debuginfo-3.0.19-bp153.2.8.1

- openSUSE Backports SLE-15-SP3 (aarch64 ppc64le x86_64):

orthanc-1.11.2-bp153.2.13.1
orthanc-debuginfo-1.11.2-bp153.2.13.1
orthanc-debugsource-1.11.2-bp153.2.13.1
orthanc-devel-1.11.2-bp153.2.13.1
orthanc-source-1.11.2-bp153.2.13.1

- openSUSE Backports SLE-15-SP3 (noarch):

orthanc-doc-1.11.2-bp153.2.13.1

References:

  https://www.suse.com/security/cve/CVE-2022-2119.html
  https://www.suse.com/security/cve/CVE-2022-2120.html
  https://bugzilla.suse.com/1181400