At several places in the code, a wrong length in ACSE data structures received over the network can cause overflows or underflows when those data structures are processed. Related checks have been added at various places in order to prevent such (possible) attacks. The bug affects all DCMTK-based server applications that accept incoming DICOM network connections.

According to the reports, only versions <= 3.6.0 are affected.

References:
http://seclists.org/oss-sec/2016/q4/700
http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5384.php

Upstream patch:
https://github.com/commontk/DCMTK/commit/1b6bb76
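
The kind of length check described above, as an added example in C (not DCMTK's code and not the upstream patch): it walks items in the DICOM Upper Layer layout of a 1-byte type, 1-byte reserved field and 2-byte big-endian length, validating each declared length against the bytes actually received. The function name, error codes and sample bytes are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical error codes for this example. */
#define ITEMS_TRUNCATED  (-1L)  /* fewer than 4 header bytes left */
#define ITEMS_BAD_LENGTH (-2L)  /* declared length exceeds remaining data */

/* Constructed sample inputs (not captured traffic). */
const uint8_t sample_ok[]    = {0x10, 0x00, 0x00, 0x02, 'A', 'B', 0x20, 0x00, 0x00, 0x00};
const uint8_t sample_long[]  = {0x10, 0x00, 0xFF, 0xFF, 'A'};  /* claims 65535 bytes, has 1 */
const uint8_t sample_short[] = {0x10, 0x00, 0x00};             /* header cut off */

/* Read a 16-bit big-endian value. */
static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/*
 * Walk items laid out as: type (1), reserved (1), length (2, big-endian), value.
 * Returns the number of items, or a negative error code. No value byte is
 * touched until its declared length has been checked against the buffer.
 */
long walk_items(const uint8_t *buf, size_t len)
{
    size_t off = 0;
    long count = 0;

    while (off < len) {
        size_t remaining = len - off;   /* cannot underflow: off < len */
        if (remaining < 4)
            return ITEMS_TRUNCATED;
        size_t item_len = be16(buf + off + 2);
        /* Compare against what is left, not off + item_len, to avoid wraparound. */
        if (item_len > remaining - 4)
            return ITEMS_BAD_LENGTH;
        off += 4 + item_len;            /* value is now known to be in bounds */
        count++;
    }
    return count;
}

int main(void)
{
    printf("ok=%ld long=%ld short=%ld\n",
           walk_items(sample_ok, sizeof sample_ok),
           walk_items(sample_long, sizeof sample_long),
           walk_items(sample_short, sizeof sample_short));
    return 0;
}
```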