Latest upstream release: 3.6.7
Current version/release in rawhide: 3.6.6-11.fc37
URL: https://github.com

Please consult the package updates policy before you issue an update to a stable branch: https://docs.fedoraproject.org/en-US/fesco/Updates_Policy/

More information about the service that created this bug can be found at: https://fedoraproject.org/wiki/Upstream_release_monitoring

Please keep in mind that with any upstream change, there may also be packaging changes that need to be made. Specifically, please remember that it is your responsibility to review the new version to ensure that the licensing is still correct and that no non-free or legally problematic items have been added upstream.

Based on the information from Anitya: https://release-monitoring.org/project/18627/
Created attachment 1876185 [details] Update to 3.6.7 (#2080613)
the-new-hotness/release-monitoring.org's scratch build of dcmtk-3.6.7-1.fc34.src.rpm for rawhide failed http://koji.fedoraproject.org/koji/taskinfo?taskID=86450970
Created attachment 1896461 [details] Fixed patch for 3.6.7 release
Looks like the automated update for 3.6.7 didn't work; I've attached a proposed patch for 3.6.7, which builds on my own (x86_64) system at least. Happy to help to get the 3.6.7 update built and tested. Note that a number of security issues have been reported against 3.6.6, and Tenable security scans on our network are complaining about our Fedora boxes with this package: https://www.tenable.com/plugins/nessus/162601
Thanks Ben,

Upstream notes that odd number releases indicate development snapshots, and only even number releases are to be considered official releases:
https://github.com/DCMTK/dcmtk/blob/master/CMake/dcmtkPrepare.cmake#L32

So we tend to limit our updates to even number releases only.

(Since the soname changes each release, we'll also need to re-build all dependent packages)

Does the tool that reports the security issues note that 3.6.7 includes the necessary fixes, by any chance?

Cheers,
The following packages will need to be rebuilt for the soname bump:
- ctk
- OpenImageIO
> Upstream notes that odd number releases indicate development snapshots

Hopefully in that case upstream can also be persuaded to make a 3.6.8 release soon which includes these security fixes.

> Since the soname changes each release, we'll also need to re-build all dependent packages

Yes, I had to rebuild OpenImageIO on my machine in order to work with the 3.6.7 update (but it was a simple rebuild, no source code changes required).

> Does the tool that reports the security issues note that 3.6.7 includes the necessary fixes, by any chance?

Yes, the three CVEs linked from the URL I included all claim "All versions prior to 3.6.7" are affected.
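The exchange above turns on a distinction that version-based scanners miss: a CVE fix can reach an installed package either because the upstream version is 3.6.7 or later, or because the distro backported the fixing commits into a 3.6.6-N build. The Tenable plugin's "all versions prior to 3.6.7" test only sees the first, so a backported build keeps getting flagged. The following is an added example (not code from the bug report, from Fedora tooling or from dcmtk) that implements a simplified rpm-style version comparison and classifies a package build by version and by CVE IDs named in its changelog. The CVE IDs and changelog text are constructed placeholders, since the thread does not list the actual IDs; the comparison ignores tilde and caret markers, which rpm handles specially.

```python
import re

# Added example, not part of the bug report or of dcmtk.
# Upstream version that the scanner and the thread agree carries the fixes.
FIXED_UPSTREAM = "3.6.7"

# Hypothetical CVE IDs standing in for the three the thread refers to.
CVE_IDS = ["CVE-0000-0001", "CVE-0000-0002", "CVE-0000-0003"]


def _segments(version):
    """rpm compares alternating numeric and alphabetic runs; separators are ignored."""
    return re.findall(r"\d+|[A-Za-z]+", version)


def rpmvercmp(a, b):
    """Simplified rpmvercmp: returns -1, 0 or 1 like strcmp.

    Assumption (simplification): tilde and caret markers are not handled.
    """
    sa, sb = _segments(a), _segments(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            if int(x) != int(y):
                return -1 if int(x) < int(y) else 1
        elif x.isdigit() or y.isdigit():
            # a numeric segment is always newer than an alphabetic one
            return 1 if x.isdigit() else -1
        elif x != y:
            return -1 if x < y else 1
    if len(sa) == len(sb):
        return 0
    # whichever version still has segments left over wins
    return -1 if len(sa) < len(sb) else 1


def split_nvr(nvr):
    """Split 'name-version-release' (no epoch) into (name, version, release)."""
    name, version, release = nvr.rsplit("-", 2)
    return name, version, release


def scanner_flags(nvr, fixed_upstream=FIXED_UPSTREAM):
    """What a version-only check ('prior to 3.6.7 is affected') reports."""
    _, version, _ = split_nvr(nvr)
    return rpmvercmp(version, fixed_upstream) < 0


def fix_status(nvr, changelog, cve_ids=CVE_IDS, fixed_upstream=FIXED_UPSTREAM):
    """Classify a build as fixed-upstream, backported, partially-backported or affected.

    The changelog check is the part a version-only scanner never does.
    """
    _, version, _ = split_nvr(nvr)
    if rpmvercmp(version, fixed_upstream) >= 0:
        return "fixed-upstream"
    mentioned = {c for c in cve_ids
                 if re.search(r"\b" + re.escape(c) + r"\b", changelog)}
    if mentioned == set(cve_ids):
        return "backported"
    if mentioned:
        return "partially-backported"
    return "affected"


# Constructed sample builds (not real Fedora changelogs).
SAMPLES = {
    "dcmtk-3.6.6-11.fc37": "- Rebuilt for Fedora 37 mass rebuild",
    "dcmtk-3.6.6-12.fc37": "- Backport upstream fixes for CVE-0000-0001, CVE-0000-0002 and CVE-0000-0003",
    "dcmtk-3.6.6-13.fc37": "- Backport upstream fix for CVE-0000-0001",
    "dcmtk-3.6.7-1.fc37": "- Update to 3.6.7",
}


def report(samples=SAMPLES):
    """Return {nvr: (scanner_flagged, actual_status)} for every sample build."""
    return {nvr: (scanner_flags(nvr), fix_status(nvr, log))
            for nvr, log in samples.items()}


if __name__ == "__main__":
    for nvr, (flagged, status) in report().items():
        print(f"{nvr:24} scanner_flags={flagged!s:5} status={status}")
```

The 3.6.6-12 row is the false positive a maintainer has to argue with: the scanner still flags it while the changelog shows all three fixes backported. Whether to trust the changelog is a policy question; the point of the example is that the two checks answer different questions.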
This package has changed maintainer in Fedora. Reassigning to the new maintainer of this component.
These two commits address the CVEs, so we'll try to backport them first:
- https://github.com/DCMTK/dcmtk/commit/3e996a2749a9355c9b680fa464ecfd9ab9ff567f
- https://github.com/DCMTK/dcmtk/commit/f06a867513524664a1b03dfcf812d8b60fdd02cc

Cheers,
I was working on backporting the patches, and noticed that there are other CVEs reported on bugzilla that are also fixed in 3.6.7
- https://github.com/DCMTK/dcmtk/commit/5c14bf53fb42ceca12bbcc0016e8704b1580920d
- https://github.com/DCMTK/dcmtk/commit/a9697dfeb672b0b9412c00c7d36d801e27ec85cb

So I think I'll just bite the bullet and update to 3.6.7 and rebuild the two packages for all Fedoras. I'll go open a ticket with FESCo now for an exception.
FEDORA-2022-73bf8ee661 has been submitted as an update to Fedora 37. https://bodhi.fedoraproject.org/updates/FEDORA-2022-73bf8ee661
FEDORA-2022-73bf8ee661 has been pushed to the Fedora 37 stable repository. If problem still persists, please make note of it in this bug report.