Your message dated Tue, 07 Jul 2026 18:04:20 +0000
with message-id <[email protected]>
and subject line Bug#1141411: fixed in dcmtk 3.7.0+really3.7.0-7
has caused the Debian Bug report #1141411,
regarding dcmtk: CVE-2026-50003 CVE-2026-50254 CVE-2026-35505 CVE-2026-52868 
CVE-2026-44628
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1141411: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1141411
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: dcmtk
Version: 3.7.0+really3.7.0-6
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerabilities were published for dcmtk.

I still filled this as RC level, but I'm unsure if they really would
warrant a security advisory, in particular the critical rated one
needs to connect to a malicious DICOM server.

CVE-2026-50003[0]:
| A malicious or compromised server can make a DCMTK client using bit-
| preserving C-GET storage mode write files outside the chosen output
| directory, using both relative (../) paths and absolute paths.


CVE-2026-50254[1]:
| An unauthenticated remote attacker can repeatedly send a single
| crafted connection request to leak memory. Against storescp in its
| default single-process mode, memory grows quickly and the service is
| eventually killed, after which it stops accepting connections until
| an operator restarts it.


CVE-2026-35505[2]:
| An unauthenticated remote attacker can repeatedly send crafted
| connection requests to leak memory. In single-process deployments
| the memory grows until the service is killed and the port stops
| responding until restart.


CVE-2026-52868[3]:
| An unauthenticated attacker can read worklist records from a
| directory outside the intended per-AE worklist storage area. In a
| multi-area deployment, this can cross departmental or clinic data
| separation.


CVE-2026-44628[4]:
| An unauthenticated attacker can crash the worklist server with a
| single crafted query when the server has a valid Called AE Title /
| storage directory, the expected lockfile, and at least one matching
| worklist record.


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-50003
    https://www.cve.org/CVERecord?id=CVE-2026-50003
[1] https://security-tracker.debian.org/tracker/CVE-2026-50254
    https://www.cve.org/CVERecord?id=CVE-2026-50254
[2] https://security-tracker.debian.org/tracker/CVE-2026-35505
    https://www.cve.org/CVERecord?id=CVE-2026-35505
[3] https://security-tracker.debian.org/tracker/CVE-2026-52868
    https://www.cve.org/CVERecord?id=CVE-2026-52868
[4] https://security-tracker.debian.org/tracker/CVE-2026-44628
    https://www.cve.org/CVERecord?id=CVE-2026-44628
[5] https://www.openwall.com/lists/oss-security/2026/07/01/1

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: dcmtk
Source-Version: 3.7.0+really3.7.0-7
Done: Étienne Mollier <[email protected]>

We believe that the bug you reported is fixed in the latest version of
dcmtk, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Étienne Mollier <[email protected]> (supplier of updated dcmtk package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Mon, 06 Jul 2026 22:39:03 +0200
Source: dcmtk
Architecture: source
Version: 3.7.0+really3.7.0-7
Distribution: unstable
Urgency: medium
Maintainer: Debian Med Packaging Team 
<[email protected]>
Changed-By: Étienne Mollier <[email protected]>
Closes: 1141411
Changes:
 dcmtk (3.7.0+really3.7.0-7) unstable; urgency=medium
 .
   * d/patches/CVE-2026-*.patch: new security patches.
     This change includes a patch queue addressing CVE-2026-50003,
     CVE-2026-50254, CVE-2026-35505, CVE-2026-52868 and CVE-2026-44628.
     The latter CVE-2026-44628 is divided into two patches to match
     upstream's commits.  These changes fix a range of issues, including
     risks of path traversals, denial of services and information leaks.
     (Closes: #1141411)
Checksums-Sha1:
 1108823ab77648a1c446c4cf058d1b48dc56707d 2709 dcmtk_3.7.0+really3.7.0-7.dsc
 b8a38f363993c2f5f29aa01a3865cdea4c236497 51128 
dcmtk_3.7.0+really3.7.0-7.debian.tar.xz
Checksums-Sha256:
 b722bb3eb7f5a2dd3e701763c36e2a565dc0b67afc907c461a1a62a151d1241b 2709 
dcmtk_3.7.0+really3.7.0-7.dsc
 2544bcd5292b280e96fa8494b60077158016f5253d850a9540dbb8298b6c6a45 51128 
dcmtk_3.7.0+really3.7.0-7.debian.tar.xz
Files:
 ba7d24c891b1df26cec26e4c0b8bc1ee 2709 science optional 
dcmtk_3.7.0+really3.7.0-7.dsc
 d8b97f92c74e39bc07e645f6535403ec 51128 science optional 
dcmtk_3.7.0+really3.7.0-7.debian.tar.xz

-----BEGIN PGP SIGNATURE-----

iQJIBAEBCgAyFiEEj5GyJ8fW8rGUjII2eTz2fo8NEdoFAmpNO8QUHGVtb2xsaWVy
QGRlYmlhbi5vcmcACgkQeTz2fo8NEdrJVxAAgi2N4NKZSEdBU3jl7V9MIOWHPySY
JBYc9G3xtffZEPVbP0yGgh9R6askth3Gj/KJMHuL89EJPm8zWCLcTQVvGL/OdNny
6/Qz4V7MuCl5SL4EBZ15/Hp1uzmK6bq0Oo+MLImkWcaQXi17mHYyruqU9vRhLwWa
2DY15B82DAl+c5swQDnYyj0jflXJedJpcJCw63mvQNE76jcFj4wt8qgvmXXlQT6r
Xnx0tkt5EFmizQdC263NiW0+GONsKY9+FqSv2yTpKPfPzcPMDtSX/IziyUgDDz5r
sQOctdLZFbbrScz8s5HMMUN/MbrFZq9/sU8uIP4pJKEcZCU+l2XQ0E4xKwEgWXB+
oQVXGM8k/2XXMSA85PJ9w0W6tOh2OWFEfVP71seJfQvAHY/I+3tgG2kjU2v6pXGa
vW7BtuEzZdVOuAGEtV1keemGI4MqHM54QEgm1vBxfwGs5ypM1ieEBl7vLPc1P7Z4
TzCfbSRehbZFgHP6wRDZbzeNGGnCXbSdUT0Sa1YorFkv8etWD8sOXhoJ165Kg2UC
pAVoMVd4UrmiySa3jXvrOs469EYjXNyL2Ei9PCfjuZMnUzu4OPWC/aV5mQTC8BJq
GqtAvEoCdVFl2JQFvXzfcgoc9D470wM0k7BiY7GYyd/zPPF0hLviwhgfxUsAo+Pr
QTs7AWyyl7uFQuY=
=f0F7
-----END PGP SIGNATURE-----

Attachment: pgp6MBT4ZWlsl.pgp
Description: PGP signature


--- End Message ---

Reply via email to