openSUSE-SU-2022:10144-1
October 12, 2022
Source: lists.opensuse.org

Security update for gdcm, orthanc, orthanc-gdcm, orthanc-webviewer (important)
CVSS3: 9.8 High
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  Attack Vector: NETWORK
  Attack Complexity: LOW
  Privileges Required: NONE
  User Interaction: NONE
  Scope: UNCHANGED
  Confidentiality Impact: HIGH
  Integrity Impact: HIGH
  Availability Impact: HIGH

CVSS2: 7.5 High
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
  Access Vector: NETWORK
  Access Complexity: LOW
  Authentication: NONE
  Confidentiality Impact: PARTIAL
  Integrity Impact: PARTIAL
  Availability Impact: PARTIAL

An update that fixes two vulnerabilities is now available.

Description:

This update for gdcm, orthanc, orthanc-gdcm, orthanc-webviewer fixes the
following issues:

Changes in gdcm:

  • Provides/obsoletes moved to lbgdcm-package (Thx DimStar)
  • rename of gdcm-libgdcm3_0 to libgdcm3_0 (proposal S. Brüns)
  • version 3.0.18
    • no changelog
  • version 3.0.12
    • support for poppler 22.03 added
  • version 3.0.11
    • Fix for a significant issue with JPEG-LS and RGB color space
    • tons of small bug fixes
  • version 3.0.10 (no changelog)

Changes in orthanc-gdcm:

  • changed dependency gdcm-libgdcm3_0 -> libgdcm3_0
  • Version 1.5
    • Take the configuration option “RestrictTransferSyntaxes” into account
      not only for decoding, but also for transcoding
    • Upgrade to GDCM 3.0.10 for static builds

Changes in orthanc:

  • version 1.11.2

    • Added support for RGBA64 images in tools/create-dicom and /preview
    • New configuration “MaximumStorageMode” to choose between recycling of
      old patients (default behavior) and rejection of new incoming data
      when the MaximumStorageSize has been reached.
    • New sample plugin: “DelayedDeletion” that will delete files from disk
      asynchronously to speed up deletion of large studies.
    • Lua: new “SetHttpTimeout” function
    • Lua: new “OnHeartBeat” callback called at regular interval provided
      that you have configured “LuaHeartBeatPeriod” > 0.
    • “ExtraMainDicomTags” configuration now accepts Dicom Sequences.
      Sequences are stored in a dedicated new metadata
      “MainDicomSequences”. This should improve DicomWeb QIDO-RS and avoid
      warnings like “Accessing Dicom tags from storage when accessing series
      : 0040,0275”. Main dicom sequences can now be returned in
      “MainDicomTags” and in “RequestedTags”.
    • Fix the “Never” option of the “StorageAccessOnFind” that was still
      accessing files (bug introduced in 1.11.0).
    • Fix the Storage Cache for compressed files (bug introduced in 1.11.1).
    • Fix the storage cache that was not used by the Plugin SDK. This fixes
      the DicomWeb plugin “/rendered” route performance issues.
    • DelayedDeletion plugin: Fix leaking of symbols
    • SQLite now closes and deletes WAL and SHM files on exit. This should
      improve handling of SQLite DB over network drives.
    • Fix static compilation of boost 1.69 on Ubuntu 22.04
    • Upgraded dependencies for static builds:
      • boost 1.80.0
      • dcmtk 3.6.7 (fixes CVE-2022-2119 and CVE-2022-2120)
      • openssl 3.0.5
    • Housekeeper plugin: Fix resume of previous processing
    • Added missing MOVEPatientRootQueryRetrieveInformationModel in
      DicomControlUserConnection::SetupPresentationContexts()
    • Improved HttpClient error logging (add method + url)
    • API version upgraded to 18
    • /system is now reporting “DatabaseServerIdentifier”
    • Added an Asynchronous mode to /modalities/…/move.
    • “RequestedTags” option can now include DICOM sequences.
    • New function in the SDK: “OrthancPluginGetDatabaseServerIdentifier”
    • DicomMap::ParseMainDicomTags has been deprecated -> retrieve “full”
      tags and use DicomMap::FromDicomAsJson instead
  • version 1.11.0
    • new API version 1.7
    • new configuration parameter
    • for detailed changelog see NEWS
  • version 1.10.1
    • for detailed changelog see NEWS
  • Version 1.9.7
    • New configuration option “DicomAlwaysAllowMove” to disable verification
      of the remote modality in C-MOVE SCP
    • API version upgraded to 15
    • Added “Level” option to POST /tools/bulk-modify
    • Added missing OpenAPI documentation of “KeepSource” in “…/modify” and
      “…/anonymize”
    • Added file CITATION.cff
    • Linux Standard Base (LSB) builds of Orthanc can load non-LSB builds of
      plugins
    • Fix upload of ZIP archives containing a DICOMDIR file
    • Fix computation of the estimated time of arrival in jobs
    • Support detection of windowing and rescale in Philips multiframe images

Changes in orthanc-webviewer:

  • version 2.8
    • Fix XSS inside DICOM in Orthanc Web Viewer (as reported by Stuart
      Kurutac, NCC Group)
    • framework190.diff removed (covered in actual version)

Patch Instructions:

To install this openSUSE Security Update, use the SUSE-recommended installation methods
such as YaST online_update or “zypper patch”.

Alternatively you can run the command listed for your product:

  • openSUSE Backports SLE-15-SP3:

    zypper in -t patch openSUSE-2022-10144=1
