[Debian-med-packaging] Wheezy update of dcmtk?

Sébastien Jodogne s.jodogne at gmail.com
Mon Dec 19 08:10:39 UTC 2016


Dear all,

On Sun, Dec 18, 2016 at 10:47:05PM +0100, Markus Koschany wrote:
> > Hello dear maintainer(s),
> >
> > the Debian LTS team would like to fix the security issues which are
> > currently open in the Wheezy version of dcmtk:
> > https://security-tracker.debian.org/tracker/CVE-2015-8979
> >
> > Would you like to take care of this yourself?
>
> I personally do not feel capable of doing so and Mathieu left the team - so I
> would be astonished (but definitely happy!) if he would step in for this
> task.  If you do not receive a positive response from Gert I doubt that
> anybody else from the team would take over.


I personally consider this issue as severe, as any DCMTK 3.6.0-based DICOM
SCP (server) is affected (including the well-known Horos/OsiriX viewer).

Orthanc was also affected by this problem. Orthanc 1.2.0 was released last
week in order to fix this vulnerability in its static builds (notably for
Windows and OS X). The patch we applied can be found at the following
location:
https://bitbucket.org/sjodogne/orthanc/src/eb363ec95d863989abf5a59174ff3164c2831f2e/Resources/Patches/dcmtk-3.6.0-dulparse-vulnerability.patch?at=default&fileviewer=file-view-default

As this patch is very simple (six lines of code), it should be easy to
backport it to the DCMTK Debian package.

Unfortunately, I do not know how to fix such issues in Wheezy, and I am
currently under heavy pressure wrt. the Orthanc upstream project... maybe
someone could do this backporting job?

HTH,
Sébastien-


-- 
Sébastien Jodogne
Mail: s.jodogne at gmail.com
Web: http://www.sjodogne.be/
Twitter: https://twitter.com/sjodogne