Ankur Sinha wrote on 2019/09/13 23:07:
Hello,

A CVE[1] in dcmtk was fixed in 3.6.4 which is in F31+. F29 and F30 are still at 3.6.2 however, and need updating. This includes a soname bump ([2] vs [3]), though, so dependent packages will also need to be rebuilt and pushed as updates all at once.

sudo dnf repoquery --source --whatrequires 'libdcm*(64bit)'
[sudo] password for asinha:
Last metadata expiration check: 0:53:07 ago on Fri 13 Sep 2019 14:07:55 BST.
OpenImageIO-2.0.7-1.fc30.src.rpm
OpenImageIO-2.0.9-1.fc30.src.rpm
aeskulap-0.2.2-0.37.beta2.fc30.src.rpm
ctk-0.1-0.10.20171224git71799c2.fc29.src.rpm
dcmtk-3.6.2-4.fc29.src.rpm
gtatool-2.2.0-11.fc28.src.rpm
gtatool-2.2.3-1.fc30.src.rpm
orthanc-1.5.4-1.fc30.src.rpm

They all build correctly in F31 with the new version, so I do not expect any build failures.

Could I please solicit the help of a proven-packager to rebuild them all in F29/F30 and push combined updates please?

If you maintain any of these packages and have any concerns, please let us know.

[1] https://bugzilla.redhat.com/show_bug.cgi?id=1732222
[2] https://koji.fedoraproject.org/koji/rpminfo?rpmID=14644638
[3] https://koji.fedoraproject.org/koji/rpminfo?rpmID=18968192

Well, actually, some Google search results indicate that the actual fix seems to be
https://github.com/commontk/DCMTK/commit/40917614e
and the tracker is
https://support.dcmtk.org/redmine/issues/858

ref: https://nvd.nist.gov/vuln/detail/CVE-2019-1010228

So it seems that if the above patch alone can be applied, no rebuild is needed.

Regards,
Mamoru