Your message dated Thu, 04 Jun 2026 04:04:02 +0000
with message-id <[email protected]>
and subject line Bug#1133001: fixed in dcmtk 3.7.0+really3.7.0-3
has caused the Debian Bug report #1133001,
regarding dcmtk: CVE-2026-5663
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1133001: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1133001
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: dcmtk
Version: 3.7.0+really3.6.9-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for dcmtk.

CVE-2026-5663[0]:
| A security flaw has been discovered in OFFIS DCMTK up to 3.7.0. This
| impacts the function executeOnReception/executeOnEndOfStudy of the
| file dcmnet/apps/storescp.cc of the component storescp. Performing a
| manipulation results in os command injection. Remote exploitation of
| the attack is possible. The patch is named
| edbb085e45788dccaf0e64d71534cfca925784b8. Applying a patch is the
| recommended action to fix this issue.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-5663
    https://www.cve.org/CVERecord?id=CVE-2026-5663
[1] https://github.com/DCMTK/dcmtk/commit/edbb085e45788dccaf0e64d71534cfca925784b8

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: dcmtk
Source-Version: 3.7.0+really3.7.0-3
Done: Étienne Mollier <[email protected]>

We believe that the bug you reported is fixed in the latest version of
dcmtk, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Étienne Mollier <[email protected]> (supplier of updated dcmtk package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Wed, 03 Jun 2026 21:54:21 +0200
Source: dcmtk
Architecture: source
Version: 3.7.0+really3.7.0-3
Distribution: unstable
Urgency: medium
Maintainer: Debian Med Packaging Team <[email protected]>
Changed-By: Étienne Mollier <[email protected]>
Closes: 1133001
Changes:
 dcmtk (3.7.0+really3.7.0-3) unstable; urgency=medium
 .
   * Team upload.
 .
   [ Pino Toscano ]
   * d/patches/hurd.patch: new, fix the build on GNU/Hurd.
 .
   [ Étienne Mollier ]
   * CVE-2026-5663.patch: new: fix CVE-2026-5663.
     This change introduces guardrails to prevent risks of shell code
     injection. (Closes: #1133001)
   * CVE-2026-10528-partial.patch: new: fix needed by orthanc.
     This patch introduces the part of the mitigation against CVE-2026-10528
     affecting orthanc that needs to be applied on the side of dcmtk.  See
     also Debian bug #1138713.


--- End Message ---
