Your message dated Sat, 08 Jul 2023 13:21:45 +0000
with message-id <[email protected]>
and subject line Bug#1040597: fixed in orthanc 1.12.1+dfsg-1
has caused the Debian Bug report #1040597,
regarding orthanc: CVE-2023-33466
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1040597: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1040597
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: orthanc
X-Debbugs-CC: [email protected]
Severity: important
Tags: security

Hi,

The following vulnerability was published for orthanc.

CVE-2023-33466[0]:
| Orthanc before 1.12.0 allows authenticated users with access to the
| Orthanc API to overwrite arbitrary files on the file system, and in
| specific deployment scenarios allows the attacker to overwrite the
| configuration, which can be exploited to trigger Remote Code
| Execution (RCE).

https://discourse.orthanc-server.org/t/security-advisory-for-orthanc-deployments-running-versions-before-1-12-0/3568

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-33466
    https://www.cve.org/CVERecord?id=CVE-2023-33466

Please adjust the affected versions in the BTS as needed.

--- End Message ---
--- Begin Message ---
Source: orthanc
Source-Version: 1.12.1+dfsg-1
Done: Étienne Mollier <[email protected]>

We believe that the bug you reported is fixed in the latest version of
orthanc, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Étienne Mollier <[email protected]> (supplier of updated orthanc package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


Format: 1.8
Date: Sat, 08 Jul 2023 14:43:05 +0200
Source: orthanc
Architecture: source
Version: 1.12.1+dfsg-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Med Packaging Team <[email protected]>
Changed-By: Étienne Mollier <[email protected]>
Closes: 1040597
Changes:
 orthanc (1.12.1+dfsg-1) unstable; urgency=medium
 .
   * Team upload.
 .
   [ Jodogne ]
   * Added dependency on "libssl-dev", as civetweb requires the symbolic link
     "/usr/lib/x86_64-linux-gnu/libcrypto.so" to be present to start HTTPS
 .
   [ Andreas Tille ]
   * New upstream version 1.11.2+dfsg
   * Standards-Version: 4.6.2 (routine-update)
   * Drop unneeded Breaks+Replaces
 .
   [ Étienne Mollier ]
   * New upstream version 1.12.1+dfsg:
     - fix CVE-2023-33466.  (Closes: #1040597)
   * d/control: build depends on protobuf-compiler and libprotobuf-dev.
   * d/{orthanc.install,rules}: deploy new plugins: DelayedDeletion, Housekeeper
     and MultitenantDicom.
   * d/{control,orthanc.init}: remove dependency on obsolete package lsb-base.
     It used to provide /lib/lsb/init-functions, which moved to sysvinit-utils
     which is essential, so guaranteed to be available.

--- End Message ---