Your message dated Fri, 8 May 2026 20:52:42 +0200
with message-id <[email protected]>
and subject line Re: Accepted pydicom 3.0.2-1 (source) into unstable
has caused the Debian Bug report #1131492,
regarding pydicom: CVE-2026-32711
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1131492: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1131492
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: pydicom
Version: 2.4.3-3
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Control: found -1 2.4.3-2
Control: found -1 2.3.1-1
Control: found -1 2.0.0-1
Hi,
The following vulnerability was published for pydicom.
CVE-2026-32711[0]:
| pydicom is a pure Python package for working with DICOM files.
| Versions 2.0.0-rc.1 through 3.0.1 are vulnerable to Path Traversal
| through a maliciously crafted DICOMDIR ReferencedFileID when it is
| set to a path outside the File-set root. pydicom resolves the path
| only to confirm that it exists, but does not verify that the
| resolved path remains under the File-set root. Subsequent public
| FileSet operations such as copy(), write(), and
| remove()+write(use_existing=True) use that unchecked path in file
| I/O operations. This allows arbitrary file read/copy and, in some
| flows, move/delete outside the File-set root. This issue has been
| fixed in version 3.0.2.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2026-32711
https://www.cve.org/CVERecord?id=CVE-2026-32711
[1] https://github.com/pydicom/pydicom/security/advisories/GHSA-v856-2rf8-9f28
[2] https://github.com/pydicom/pydicom/commit/6414f01a053dff925578799f5a7208d2ae585e82
Regards,
Salvatore
--- End Message ---
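The advisory quoted above names the missing step precisely: the referenced path was resolved to confirm it exists, but never checked to still lie under the File-set root. As an added illustration (not pydicom's code and not its actual fix), the block below puts that exists-only pattern beside a hardened variant that validates each ReferencedFileID component and checks containment after resolution; the File-set layout and the ReferencedFileID strings are constructed for the example.

```python
from __future__ import annotations
import tempfile
from pathlib import Path

# A DICOMDIR Referenced File ID (0004,1500) is multi-valued; in the encoded file
# its components are backslash-separated path components relative to the root.
SEPARATOR = "\\"

def resolve_exists_only(root: Path, referenced_file_id: str) -> Path | None:
    """Weak pattern the advisory describes: resolve the path and confirm it
    exists, but never check that it is still under the File-set root."""
    candidate = root.joinpath(*referenced_file_id.split(SEPARATOR)).resolve()
    return candidate if candidate.exists() else None

def resolve_contained(root: Path, referenced_file_id: str) -> Path:
    """Hardened variant: reject traversal components up front and verify that the
    fully resolved path (symlinks followed) is still inside the resolved root."""
    root = root.resolve()
    components = referenced_file_id.split(SEPARATOR)
    for comp in components:
        if comp in ("", ".", "..") or "/" in comp:
            raise ValueError(f"illegal ReferencedFileID component: {comp!r}")
    candidate = root.joinpath(*components).resolve()
    # is_relative_to (Python 3.9+) compares path components, not string prefixes,
    # so a sibling directory such as FILESET-evil does not pass for FILESET.
    if not candidate.is_relative_to(root):
        raise ValueError(f"{candidate} escapes File-set root {root}")
    return candidate

def demo() -> dict[str, object]:
    """Build a constructed File-set beside a file outside it and run both checks."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "FILESET"
        (root / "IMAGES").mkdir(parents=True)
        (root / "IMAGES" / "IM000001").write_bytes(b"DICM")  # legitimate entry
        (Path(tmp) / "secret.txt").write_bytes(b"outside the File-set")
        good_id = "IMAGES\\IM000001"
        evil_id = "..\\secret.txt"  # crafted entry pointing outside the root
        results: dict[str, object] = {
            "weak_accepts_traversal": resolve_exists_only(root, evil_id) is not None,
            "good_resolves": resolve_contained(root, good_id).name,
        }
        try:
            resolve_contained(root, evil_id)
            results["hardened_rejects_traversal"] = False
        except ValueError:
            results["hardened_rejects_traversal"] = True
        return results
```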
--- Begin Message ---
Source: pydicom
Source-Version: 3.0.2-1
On Fri, May 08, 2026 at 06:33:46AM +0000, Debian FTP Masters wrote:
> Format: 1.8
> Date: Fri, 08 May 2026 08:08:30 +0200
> Source: pydicom
> Built-For-Profiles: nocheck
> Architecture: source
> Version: 3.0.2-1
> Distribution: unstable
> Urgency: medium
> Maintainer: Debian Med Packaging Team <[email protected]>
> Changed-By: Karsten Schöke <[email protected]>
> Changes:
> pydicom (3.0.2-1) unstable; urgency=medium
> .
> * Team upload.
> * New upstream version
> Fix CVE-2026-32711
> * Standards-Version: 4.7.4 (routine-update)
> * d/copyright: Directory adjusted after upstream change.
> * Modernization docu sphinx-build
> * Tests completely reorganized and deactivation moved to pytest.ini.
> * d/control: insert python-pydicom-doc dependency
> * d/rules: remove file-references-package-build-path in sphinx-doc.
> * d/python-pydicom-doc.doc-base: Add metadata for doc package.
> * Add pydicom manpage.
> * sphinx use local inventory references
> * d/rules: Delete unnecessary files
> * d/control: Drop Priority: optional, default since dpkg 1.22.13.
> * d/python3-pydicom.examples: activate examples
--- End Message ---