Paride Legovini pushed to branch debian/bullseye at Debian Med / orthanc
Commits: 7b276cc7 by Paride Legovini at 2026-02-22T16:24:01+01:00 Salsa CI: switch to the lts-team pipeline for Bullseye - - - - - 183f70ba by Paride Legovini at 2026-02-22T16:24:01+01:00 Disallow colons in HTTP basic usernames (CVE-2025-15581) - - - - - e27fa3b4 by Paride Legovini at 2026-02-22T16:24:01+01:00 d/gbp.conf: set debian-branch to debian/bullseye - - - - - be28e97c by Paride Legovini at 2026-02-22T16:24:01+01:00 Update changelog for 1.9.2+really1.9.1+dfsg-1+deb11u2 release - - - - - 5 changed files: - debian/changelog - + debian/gbp.conf - + debian/patches/cve-2025-15581.patch - debian/patches/series - debian/salsa-ci.yml Changes: ===================================== debian/changelog ===================================== @@ -1,3 +1,12 @@ +orthanc (1.9.2+really1.9.1+dfsg-1+deb11u2) bullseye-security; urgency=high + + * Non-maintainer upload by the LTS Security Team. + * Disallow colons in HTTP basic usernames (CVE-2025-15581) + * Salsa CI: switch to the lts-team pipeline for Bullseye + * d/gbp.conf: set debian-branch to debian/bullseye + + -- Paride Legovini <[email protected]> Sun, 22 Feb 2026 15:44:49 +0100 + orthanc (1.9.2+really1.9.1+dfsg-1+deb11u1) bullseye-security; urgency=high * Team upload. ===================================== debian/gbp.conf ===================================== @@ -0,0 +1,2 @@ +[DEFAULT] +debian-branch = debian/bullseye ===================================== debian/patches/cve-2025-15581.patch ===================================== 
@@ -0,0 +1,33 @@ +Description: Disallow colons in HTTP basic usernames +Author: Sebastien Jodogne <[email protected]> +Origin: upstream, https://orthanc.uclouvain.be/hg/orthanc/rev/9e5bb00c0525 +Bug: https://orthanc.uclouvain.be/bugs/show_bug.cgi?id=252 +Last-Update: 2026-02-22 +--- +This patch header follows DEP-3: http://dep.debian.net/deps/dep3/ +--- a/OrthancFramework/Sources/HttpServer/HttpServer.cpp ++++ b/OrthancFramework/Sources/HttpServer/HttpServer.cpp +@@ -1794,9 +1794,22 @@ + void HttpServer::RegisterUser(const char* username, + const char* password) + { ++ const std::string s(username); ++ if (s.find(':') != std::string::npos) ++ { ++ /** ++ * "A user-id containing a colon character is invalid, as the ++ * first colon in a user-pass string separates user-id and ++ * password from one another" (cf. issue 252) ++ * https://datatracker.ietf.org/doc/html/rfc7617 ++ **/ ++ throw OrthancException(ErrorCode_ParameterOutOfRange, "Usernames for HTTP Basic Authentication " ++ "cannot contain \":\", but found: \"" + s + "\""); ++ } ++ + Stop(); + +- std::string tag = std::string(username) + ":" + std::string(password); ++ std::string tag = s + ":" + std::string(password); + std::string encoded; + Toolbox::EncodeBase64(encoded, tag); + registeredUsers_.insert(encoded); ===================================== debian/patches/series ===================================== @@ -1 +1,2 @@ cve-2023-33466.patch +cve-2025-15581.patch ===================================== debian/salsa-ci.yml ===================================== 
@@ -1,4 +1,6 @@ --- include: - - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/salsa-ci.yml - - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/pipeline-jobs.yml + - https://salsa.debian.org/lts-team/pipeline/raw/master/recipes/bullseye.yml + +variables: + SALSA_CI_DISABLE_BLHC: 1 View it on GitLab: https://salsa.debian.org/med-team/orthanc/-/compare/cf2e3601b5f11defe6cd80bfbc6297a1d5d949a1...be28e97c0037b9c0b9eba6fe61297f747b345a18
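Review bot: The debian/changelog entry "Disallow colons in HTTP basic usernames (CVE-2025-15581)" does not mention that the patch makes HttpServer::RegisterUser throw for any username containing ':', so a username that was accepted before this upload is now refused. For an urgency=high security upload, say so in the entry (or in a NEWS item) so administrators know such users must be renamed.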
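Review bot: In the HttpServer::RegisterUser hunk of debian/patches/cve-2025-15581.patch, the new check rejects only ':' in the username, while RFC 7617, which the added comment cites, also forbids control characters in both user-id and password. Those still flow into the `s + ":" + std::string(password)` tag, and the username is echoed verbatim in the exception message. If the intent is to stay identical to upstream rev 9e5bb00c0525, keep the code as is and note in the patch Description that only the colon case is covered.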
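Review bot: In debian/salsa-ci.yml, `SALSA_CI_DISABLE_BLHC: 1` switches off the build-log hardening check without any reason given in the file, and the changelog entry "Salsa CI: switch to the lts-team pipeline for Bullseye" does not mention it either. Add a YAML comment above the variable stating why blhc is disabled for this branch, so the job is not left off by accident in later uploads.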
