Re: CVEs in DCMTK

2022-06-29 Thread Nilesh Patra

On 6/29/22 3:27 PM, Mathieu Malaterre wrote:
> On Wed, Jun 29, 2022 at 11:51 AM Nilesh Patra wrote:
> > On 6/29/22 12:18 PM, Mathieu Malaterre wrote:
> > > Hi there,
> > >
> > > It turns out there are three CVEs associated with DCMTK version older
> > > than 3.6.7.
> > >
> > > * https://www.hipaajournal.com/warning-issued-about-3-high-severity-vulnerabilities-in-offis-dicom-software/
> > >
> > > Should we get in touch with debian-security to have them properly
> > > reported?
> >
> > Yes.
> > Not to have them reported, but to coordinate uploads to security queue.
> >
> > > I am not clear about the process.
> >
> > Ah.
> > You might wish to read this paragraph[1,2] from dev-ref, explains it clearly.
> >
> > [1]: https://www.debian.org/doc/manuals/developers-reference/pkgs.en.html#security-uploads
> > [2]: https://www.debian.org/doc/manuals/developers-reference/pkgs.en.html#bug-security
>
> Still not clear about the vocabulary. What does "NOT-FOR-US" mean?
>
> Eg:
> https://security-tracker.debian.org/tracker/CVE-2022-2119
>
> It seems this contradicts paragraph:
>
> * https://security-team.debian.org/security_tracker.html#about
>
> comments?

Seems so, since old version dcmtk is packaged and being vendored. In any case,
I'd suggest following this up with security team.

--
Best,
Nilesh



Re: CVEs in DCMTK

2022-06-29 Thread Mathieu Malaterre
On Wed, Jun 29, 2022 at 11:51 AM Nilesh Patra wrote:
>
> On 6/29/22 12:18 PM, Mathieu Malaterre wrote:
> > Hi there,
> >
> > It turns out there are three CVEs associated with DCMTK version older
> > than 3.6.7.
> >
> > * https://www.hipaajournal.com/warning-issued-about-3-high-severity-vulnerabilities-in-offis-dicom-software/
> >
> > Should we get in touch with debian-security to have them properly
> > reported?
>
> Yes.
> Not to have them reported, but to coordinate uploads to security queue.
>
> > I am not clear about the process.
>
> Ah.
> You might wish to read this paragraph[1,2] from dev-ref, explains it clearly.
>
> [1]: https://www.debian.org/doc/manuals/developers-reference/pkgs.en.html#security-uploads
> [2]: https://www.debian.org/doc/manuals/developers-reference/pkgs.en.html#bug-security

Still not clear about the vocabulary. What does "NOT-FOR-US" mean?

Eg:
https://security-tracker.debian.org/tracker/CVE-2022-2119

It seems this contradicts paragraph:

* https://security-team.debian.org/security_tracker.html#about

comments?



Re: CVEs in DCMTK

2022-06-29 Thread Nilesh Patra

On 6/29/22 12:18 PM, Mathieu Malaterre wrote:
> Hi there,
>
> It turns out there are three CVEs associated with DCMTK version older
> than 3.6.7.
>
> * https://www.hipaajournal.com/warning-issued-about-3-high-severity-vulnerabilities-in-offis-dicom-software/
>
> Should we get in touch with debian-security to have them properly
> reported?

Yes.
Not to have them reported, but to coordinate uploads to security queue.

> I am not clear about the process.

Ah.
You might wish to read this paragraph[1,2] from dev-ref, explains it clearly.

[1]: https://www.debian.org/doc/manuals/developers-reference/pkgs.en.html#security-uploads
[2]: https://www.debian.org/doc/manuals/developers-reference/pkgs.en.html#bug-security

--
Best,
Nilesh





Re: CVEs in DCMTK

2022-06-29 Thread Andreas Tille
Hi Mathieu,

On Wed, Jun 29, 2022 at 08:48:12AM +0200, Mathieu Malaterre wrote:
> It turns out there are three CVEs associated with DCMTK version older
> than 3.6.7.
> 
> * https://www.hipaajournal.com/warning-issued-about-3-high-severity-vulnerabilities-in-offis-dicom-software/

Thanks for pointing this out.
 
> Should we get in touch with debian-security to have them properly
> reported? I am not clear about the process.

I think the first step is to file an according bug report - maybe with
debian-security right in CC asking for further advice.

Kind regards

   Andreas. 

-- 
http://fam-tille.de