Bug 2080613

Summary: dcmtk-3.6.7 is available
Product: [Fedora] Fedora Reporter: Upstream Release Monitoring <upstream-release-monitoring>
Component: dcmtkAssignee: Ankur Sinha (FranciscoD) <sanjay.ankur>
Status: CLOSED ERRATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: rawhideCC: benmwebb, igor.raits, neuro-sig, sanjay.ankur, troels
Target Milestone: ---Keywords: FutureFeature, Triaged
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: dcmtk-3.6.7-1.fc37 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2022-08-04 18:59:41 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
Update to 3.6.7 (#2080613)
none
Fixed patch for 3.6.7 release none

Description Upstream Release Monitoring 2022-04-30 14:02:45 UTC 
Latest upstream release: 3.6.7
Current version/release in rawhide: 3.6.6-11.fc37
URL: https://github.com

Please consult the package updates policy before you issue an update to a stable branch: https://docs.fedoraproject.org/en-US/fesco/Updates_Policy/


More information about the service that created this bug can be found at: https://fedoraproject.org/wiki/Upstream_release_monitoring


Please keep in mind that with any upstream change, there may also be packaging changes that need to be made. Specifically, please remember that it is your responsibility to review the new version to ensure that the licensing is still correct and that no non-free or legally problematic items have been added upstream.


Based on the information from Anitya: https://release-monitoring.org/project/18627/
Comment 1 Upstream Release Monitoring 2022-04-30 14:02:52 UTC 
Created attachment 1876185 [details]
Update to 3.6.7 (#2080613)
Comment 2 Upstream Release Monitoring 2022-04-30 14:06:55 UTC 
the-new-hotness/release-monitoring.org's scratch build of dcmtk-3.6.7-1.fc34.src.rpm for rawhide failed http://koji.fedoraproject.org/koji/taskinfo?taskID=86450970
Comment 3 Ben Webb 2022-07-12 18:34:21 UTC 
Created attachment 1896461 [details]
Fixed patch for 3.6.7 release
Comment 4 Ben Webb 2022-07-12 18:38:19 UTC 
Looks like the automated update for 3.6.7 didn't work; I've attached a proposed patch for 3.6.7, which builds on my own (x86_64) system at least. Happy to help to get the 3.6.7 update built and tested.

Note that a number of security issues have been reported against 3.6.6, and Tenable security scans on our network are complaining about our Fedora boxes with this package: https://www.tenable.com/plugins/nessus/162601
Comment 5 Ankur Sinha (FranciscoD) 2022-07-13 09:28:56 UTC 
Thanks Ben,

Upstream notes that odd number releases indicate development snapshots, and only even number releases are to be considered official releases:
https://github.com/DCMTK/dcmtk/blob/master/CMake/dcmtkPrepare.cmake#L32

So we tend to limit our updates to even number releases only. (Since the soname changes each release, we'll also need to re-build all dependent packages)

Does the tool that reports the security issues note that 3.6.7 includes the necessary fixes, by any chance?

Cheers,
Comment 6 Ankur Sinha (FranciscoD) 2022-07-13 13:02:53 UTC 
The following packages will need to be rebuilt for the soname bump:

ctk
OpenImageIO
Comment 7 Ben Webb 2022-07-13 17:49:08 UTC 
> Upstream notes that odd number releases indicate development snapshots

Hopefully in that case upstream can also be persuaded to make a 3.6.8 release soon which includes these security fixes.

> Since the soname changes each release, we'll also need to re-build all dependent packages

Yes, I had to rebuild OpenImageIO on my machine in order to work with the 3.6.7 update (but it was a simple rebuild, no source code changes required).

> Does the tool that reports the security issues note that 3.6.7 includes the necessary fixes, by any chance?

Yes, the three CVEs linked from the URL I included all claim "All versions prior to 3.6.7" are affected.
Comment 8 Fedora Admin user for bugzilla script actions 2022-07-22 00:10:16 UTC 
This package has changed maintainer in Fedora. Reassigning to the new maintainer of this component.
Comment 9 Ankur Sinha (FranciscoD) 2022-08-01 14:16:55 UTC 
These two commits address the CVEs, so we'll try to backport them first:

- https://github.com/DCMTK/dcmtk/commit/3e996a2749a9355c9b680fa464ecfd9ab9ff567f
- https://github.com/DCMTK/dcmtk/commit/f06a867513524664a1b03dfcf812d8b60fdd02cc

Cheers,
Comment 10 Ankur Sinha (FranciscoD) 2022-08-02 19:08:52 UTC 
I was working on backporting the patches, and noticed that there are other CVEs reported on bugzilla that are also fixed in 3.6.7

- https://github.com/DCMTK/dcmtk/commit/5c14bf53fb42ceca12bbcc0016e8704b1580920d
- https://github.com/DCMTK/dcmtk/commit/a9697dfeb672b0b9412c00c7d36d801e27ec85cb

So I think I'll just bite the bullet and update to 3.6.7 and rebuild the two packages for all Fedoras.

I'll go open a ticket with FESCo now for an exception.
Comment 11 Fedora Update System 2022-08-04 18:55:25 UTC 
FEDORA-2022-73bf8ee661 has been submitted as an update to Fedora 37. https://bodhi.fedoraproject.org/updates/FEDORA-2022-73bf8ee661
Comment 12 Fedora Update System 2022-08-04 18:59:41 UTC 
FEDORA-2022-73bf8ee661 has been pushed to the Fedora 37 stable repository.
If problem still persists, please make note of it in this bug report.