• Bug#1093047: Bug#1093043: [Debian-med-packaging] Bug#1093043: dcmtk: CV

    From Salvatore Bonaccorso@21:1/5 to All on Sun Jan 26 18:20:01 2025
    Hi Étienne
    On Sat, Jan 18, 2025 at 04:28:55PM +0100, Étienne Mollier wrote:
    > Control: found 1093043 3.6.7-9~deb12u1
    > Control: found 1093043 3.6.5-1
    > Control: found 1093047 3.6.7-9~deb12u1
    > Control: found 1093047 3.6.5-1
    >
    > Hi Salvatore,
    >
    > Thanks for the reports, patches apply without much fuzz to dcmtk
    > versions provided in sid, stable and oldstable. I would assume
    > they are all affected by CVE-2024-47796 and CVE-2024-52333, in
    > doubt.

    Apologies for the late reply. Thanks for fixing the issues in unstable.

    For bookworm: Can you fix those and ideally as well the other no-dsa
    CVEs in the upcoming point release?

    Regards,
    Salvatore

  • From Étienne Mollier@21:1/5 to All on Mon Jan 27 20:10:03 2025
    Hi Salvatore,

    Salvatore Bonaccorso, on 2025-01-26:
    > On Sat, Jan 18, 2025 at 04:28:55PM +0100, Étienne Mollier wrote:
    > > Thanks for the reports, patches apply without much fuzz to dcmtk
    > > versions provided in sid, stable and oldstable. I would assume
    > > they are all affected by CVE-2024-47796 and CVE-2024-52333, in
    > > doubt.
    >
    > Apologies for the late reply. Thanks for fixing the issues in unstable.

    You don't need to apologize, thank you for having sent the
    status on your end. :)

    I must admit I feel a bit at fault myself as I pondered whether
    to liaise with appropriate teams to follow up on stable without
    having actually acted, and moved on other activities in the
    meantime (added to that I got caught afk as life happens).
    Hopefully the present week will be simpler.

    > For bookworm: Can you fix those and ideally as well the other no-dsa
    > CVEs in the upcoming point release?

    So that I don't miss any, if I follow correctly the security
    tracker[1], that means the two CVE published lately:

    * CVE-2024-47796
    * CVE-2024-52333

    plus these ones from an earlier time:

    * CVE-2024-27628
    * CVE-2024-28130
    * CVE-2024-34508
    * CVE-2024-34509

    [1]: https://security-tracker.debian.org/tracker/source-package/dcmtk

    The two first shouldn't be too difficult. I haven't looked at
    the four others yet. If all goes well, I should be able to work
    with the Stable release managers upon upcoming weekend, if not
    earlier.

    Have a nice day, :)
    --
    .''`. Étienne Mollier <emollier@debian.org>
    : :' : pgp: 8f91 b227 c7d6 f2b1 948c 8236 793c f67e 8f0d 11da
    `. `' sent from /dev/pts/4, please excuse my verbosity
    `- on air: A.C.T - Wailings From a Building
