Re: CVEs in DCMTK

To: Mathieu Malaterre <malat@debian.org>, Debian Med Project List <debian-med@lists.debian.org>
Subject: Re: CVEs in DCMTK
From: Nilesh Patra <nilesh@nileshpatra.info>
Date: Wed, 29 Jun 2022 15:52:23 +0530
Message-id: <[🔎] 00d4e4e7-ab8c-d114-ff8d-822e7cad26ed@nileshpatra.info>
In-reply-to: <[🔎] CA+7wUsy9as8OfJH1StaMJtUudhz3cAU-Ng2d-oHKafW8ynBLMw@mail.gmail.com>
References: <[🔎] CA+7wUswzxHHMDxNksUkt03ro98Sydv4qUHqRy0Gme7H7qvVAhQ@mail.gmail.com> <[🔎] 8343a9d0-fd56-a12b-4e15-3cf9cc241785@nileshpatra.info> <[🔎] CA+7wUsy9as8OfJH1StaMJtUudhz3cAU-Ng2d-oHKafW8ynBLMw@mail.gmail.com>

On 6/29/22 3:27 PM, Mathieu Malaterre wrote:

On Wed, Jun 29, 2022 at 11:51 AM Nilesh Patra <nilesh@nileshpatra.info> wrote:


On 6/29/22 12:18 PM, Mathieu Malaterre wrote:

Hi there,

It turns out there are three CVEs associated with DCMTK version older
than 3.6.7.

* https://www.hipaajournal.com/warning-issued-about-3-high-severity-vulnerabilities-in-offis-dicom-software/

Should we get in touch with debian-security to have them properly
reported ?


Yes.
Not to have them reported, but to coordinate uploads to security queue.

I am not clear about the process.


Ah.
You might wish to read this paragraph[1,2] from dev-ref, explains it clearly.

[1]: https://www.debian.org/doc/manuals/developers-reference/pkgs.en.html#security-uploads
[2]: https://www.debian.org/doc/manuals/developers-reference/pkgs.en.html#bug-security


Still not clear about the vocabulary. What does "NOT-FOR-US" mean?

Eg:
https://security-tracker.debian.org/tracker/CVE-2022-2119

It seems this contradict paragraph:

* https://security-team.debian.org/security_tracker.html#about

comments?


Seems so, since old version dcmtk is packaged and being vendored. In any case,
I'd suggest following this up with security team.

--
Best,
Nilesh

Reply to:

References:
- CVEs in DCMTK
  - From: Mathieu Malaterre <malat@debian.org>
- Re: CVEs in DCMTK
  - From: Nilesh Patra <nilesh@nileshpatra.info>
- Re: CVEs in DCMTK
  - From: Mathieu Malaterre <malat@debian.org>

Prev by Date: Re: CVEs in DCMTK
Next by Date: We should do an update of all qiime2 modules as soon as possible (Was: Bug#1014100: qiime: autopkgtest needs update for new version of python-decorator)
Previous by thread: Re: CVEs in DCMTK
Next by thread: We should do an update of all qiime2 modules as soon as possible (Was: Bug#1014100: qiime: autopkgtest needs update for new version of python-decorator)
Index(es):
- Date
- Thread