Fedora has issued an advisory today (August 30):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/2Z7WVDK43MKWOS23BIN4VCQRQRXHGSDB/
It's not clear what the issues are, and the upstream changes for 3.6.7 are here:
https://dicom.offis.de/download/dcmtk/dcmtk367/ANNOUNCE
Mageia 8 is also affected.
Whiteboard: (none) => MGA8TOO
It sounds like there is a soname bump in 3.6.7, and they had to rebuild openimageio as a result: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/WF2FCZOYXVZ4ETCHO62JWUP4D55UWJCV/
No particular packager evident for this, so another to assign globally.
Assignee: bugsquad => pkg-bugs
Ubuntu has issued an advisory for this February 22:
https://ubuntu.com/security/notices/USN-5882-1
It looks like all of the issues are fixed upstream in 3.6.7 except for CVE-2022-43272 which needs an additional patch.
Severity: normal => major
Status comment: (none) => Patches available from Ubuntu
Summary: dcmtk new security issue(s) fixed upstream in 3.6.7 => dcmtk new security issues fixed upstream in 3.6.7 (CVE-2021-4168[7-9], CVE-2021-41690, CVE-2022-2119, CVE-2022-212[01]) plus CVE-2022-43272
Done for both Cauldron and mga8!
CC: (none) => geiger.david68210
Assigning to QA!
Version: Cauldron => 8
Assignee: pkg-bugs => qa-bugs
Packages in 8/Core/Updates_testing:
======================
libdcmtk15-3.6.5-3.1.mga8
lib64dcmtk15-3.6.5-3.1.mga8
libdcmtk-devel-3.6.5-3.1.mga8
lib64dcmtk-devel-3.6.5-3.1.mga8
dcmtk-3.6.5-3.1.mga8

From SRPMS:
dcmtk-3.6.5-3.1.mga8.src.rpm
Whiteboard: MGA8TOO => (none)
Status comment: Patches available from Ubuntu => (none)
MGA8-64 MATE on Acer Aspire 5253
No installation issues
No wiki, no previous updates. Info on dcmtk reads "This is a collection of libraries ....." so tried to find something dependent on it.
# urpmq --whatrequires dcmtk
dcmtk
lib64dcmtk-devel
lib64dcmtk-devel
# urpmq --whatrequires-recursive dcmtk
dcmtk
lib64dcmtk-devel
lib64dcmtk-devel
lib64openimageio-devel
lib64openshadinglanguage1.10-devel
So gave up and decided on OK on clean install.
Whiteboard: (none) => MGA8-64-OK
CC: (none) => herman.viaene
I got a little farther than you, Herman, but not really enough to say so. I've learned recently that sometimes a recursive search on one of the "lib64" packages is more fruitful, so I tried "urpmq --whatrequires-recursive lib64dcmtk15" and came up with two possibilities: Blender and openimageio. The description tells me that dcmtk is used for manipulating DICOM files, used mostly with 3D medical images. I found some samples on the web, and tried to view them, first with Blender, then with iv, an image viewer that's part of openimageio. I failed with both, both before and after the update. Blender is a complex program, and learning how to use it effectively would be a career-building exercise, something I'm not ready to pursue. Also, there is an open bug about it crashing when attempting to export images, and I don't know if that would affect importing these images as well, so I can't trust it. Openimageio is a simpler command line interface, but still, being unfamiliar with working with 3D images, I strongly believe my failures with even that were due to user error. So I'm going to go with our clean installs, and validate. If this needs further testing, I'll need extensive hand-holding if I am to do it.
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => advisory
CC: (none) => davidwhodgins
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2023-0083.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED