Security update for orthanc, gdcm, orthanc-authorization, orthanc-dicomweb, orthanc-gdcm, orthanc-indexer, orthanc-mysql, orthanc-neuro, orthanc-postgresql, orthanc-python, orthanc-stl, orthanc-tcia, orthanc-wsi, python-pyorthanc SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2026:20193-1 Final 1 1 2026-02-10T22:29:40Z current 2026-02-10T22:29:40Z 2026-02-10T22:29:40Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for orthanc, gdcm, orthanc-authorization, orthanc-dicomweb, orthanc-gdcm, orthanc-indexer, orthanc-mysql, orthanc-neuro, orthanc-postgresql, orthanc-python, orthanc-stl, orthanc-tcia, orthanc-wsi, python-pyorthanc This update for orthanc, gdcm, orthanc-authorization, orthanc-dicomweb, orthanc-gdcm, orthanc-indexer, orthanc-mysql, orthanc-neuro, orthanc-postgresql, orthanc-python, orthanc-stl, orthanc-tcia, orthanc-wsi, python-pyorthanc fixes the following issues: Changes in orthanc: - dcmtk 370 breaks TW build - switch to lua 5.4 - patch out boost component system from framework - version 1.12.10 ' long changelog - see NEWS for details - apply boost patch to source tree - Stop trying to pull libboost_system-devel in all orthanc packages. - remove libboost_system-devel for TW (removed in boost 1.89) - version 1.12.9 * long changelog - see NEWS for details Changes in gdcm: - apply fix for poppler 25.10 build error Changes in orthanc-authorization: - version 0.10.3 * New default permissions for worklists * New default permissions for tools/metrics-prometheus * New default permissions for tools/generate-uid - version 0.10.2 * New default permissions to add/delete modalities through the Rest API https://discourse.orthanc-server.org/t/managing-modalities-using-the-rest-api-and-keycloak/6137 * New standard configuration "stl" - remove libboost_system-devel for TW (removed in boost 1.89)- - version 0.10.1 * Fix audit-logs export in CSV format. * New configuration "ExtraPermissions" to ADD new permissions to the default "Permissions" entries. * Improved handling of "Anonymous" user profiles (when no auth-tokens are provided): The plugin will now request the auth-service to get an anonymous user profile even if there are no auth-tokens in the HTTP request. * The User profile can now contain a "groups" field if the auth-service provides it. * The User profile can now contain an "id" field if the auth-service provides it. * New experimental feature: audit-logs - Enabled by the "EnableAuditLogs" configuration. - Audit-logs are currently handled by the PostgreSQL plugin and can be browsed through the route /auth/audit-logs. - New default permission "audit-logs" to grant access to the "/auth/audit-logs" route. * Fix: The "server-id" field is now included in all requests sent to the auth-service. Changes in orthanc-dicomweb: - version 1.22 * framework2.diff added for compatibilty with Orthanc framework <= 1.12.10 * Fixed a possible deadlock when using "WadoRsLoaderThreadsCount" > 1 when the HTTP client disconnects while downloading the response. * Fixed "Success: Success" errors when trying to send resources synchronously to a remote DICOMweb server while the Orthanc job engine was busy with other tasks. - remove libboost_system-devel for TW (removed in boost 1.89) - version 1.21 * New configuration "WadoRsLoaderThreadsCount" to configure how many threads are loading files from the storage when answering to a WADO-RS query. A value > 1 is meaningful only if the storage is a distributed network storage (e.g object storage plugin). A value of 0 means reading and writing are performed in sequence (default behaviour). * New configuration "EnablePerformanceLogs" to display performance logs. Currently only showing the time required to execute a WADO-RS query. For example: WADO-RS: elapsed: 26106623 us, rate: 14.86 instances/s, 155.23Mbps * Fix false errors logs generated e.g when OHIF requests the /dicom-web/studies/../metadata route: "dicom-web:/Configuration.cpp:643] Unsupported return MIME type: application/dicom+json, multipart/related; type=application/octet-stream; transfer-syntax=*, will return DICOM+JSON" Changes in orthanc-gdcm: - version 1.8 * Prevent transcoding of DICOM images with empty SharedFunctionalGroupsSequence (5200,9229), as this might crash GDCM. * The built-in Orthanc transcoder being usually more stable, the default value of the "RestrictTransferSyntaxes" configuration has been updated to configure the GDCM plugin for J2K transfer syntaxes only since these transfer syntaxes are currently not supported by the built-in Orthanc transcoder. - If "RestrictTransferSyntaxes" is not specified in your configuration, it is now equivalent to "RestrictTransferSyntaxes" : [ "1.2.840.10008.1.2.4.90", // JPEG 2000 Image Compression (Lossless Only) "1.2.840.10008.1.2.4.91", // JPEG 2000 Image Compression "1.2.840.10008.1.2.4.92", // JPEG 2000 Part 2 Multicomponent Image Compression (Lossless Only) "1.2.840.10008.1.2.4.93" // JPEG 2000 Part 2 Multicomponent Image Compression ] which was the recommended configuration. - If "RestrictTransferSyntaxes" is defined but empty, the GDCM plugin will now be used to transcode ALL transfer syntaxes (this was the default behaviour up to version 1.7) - remove libboost_system-devel for TW (removed in boost 1.89) - version 1.7 * Upgrade to GDCM 3.0.24 for static builds. Fixes: - CVE-2024-22373: https://nvd.nist.gov/vuln/detail/CVE-2024-22373 - CVE-2024-22391: https://nvd.nist.gov/vuln/detail/CVE-2024-22391 - CVE-2024-25569: https://nvd.nist.gov/vuln/detail/CVE-2024-25569 Changes in orthanc-indexer: - remove libboost_system-devel for TW (removed in boost 1.89) Changes in orthanc-mysql: - remove libboost_system-devel for TW (removed in boost 1.89) Changes in orthanc-neuro: - remove libboost_system-devel for TW (removed in boost 1.89) Changes in orthanc-postgresql: - version 10.0 * update mainly providing new Reserve and Acknowledge primitives for Queues in plugins - remove libboost_system-devel for TW (removed in boost 1.89) - version 9.0 * DB-scheme rev. 6 - check Orthanc book - version 8.0 * no changelog provided * New DB scheme Changes in orthanc-python: - version 7.0 * The "orthanc.pyi" stub is now excluded from the "install" step during the build * Wrapped new SCP callbacks: - RegisterFindCallback2() - RegisterMoveCallback3() - RegisterWorklistCallback2() - RegisterStorageCommitmentScpCallback2() * Wrapped new Queues methods: - ReserveQueueValue() - AcknowledgeQueueValue() - remove libboost_system-devel for TW (removed in boost 1.89) - remove /usr/orthanc.pyi - unneeded - version 6.0 * The auto-generation of the Python wrapper is now part of the build, to exploit the ORTHANC_PLUGIN_SINCE_SDK macro. This provides backward compatibility with the SDK that is actually installed on the system * Added Windows builder for Python 3.13 * Added Docker-based builder scripts for Debian 13 (trixie) Changes in orthanc-stl: - patch out libboost-system to fix build error - remove libboost_system-devel for TW (removed in boost 1.89) Changes in orthanc-tcia: - version 1.3 * Replaced default base URL of TCIA REST API from "https://services.cancerimagingarchive.net/services/v4/TCIA/query" to "https://nbia.cancerimagingarchive.net/nbia-api/services/v4" * Added configuration option "BaseUrl" to manually configure the base URL * Fix for newer versions of the NBIA cart file format * Upgrade to Orthanc framework 1.12.3 - remove libboost_system-devel for TW (removed in boost 1.89) Changes in orthanc-wsi: - fix build error w framework 1.12.10 - version 3.3 * OrthancWSIDicomizer: - New option "--encoding" to specify the specific character set of DICOM instances - Placeholder tags are now automatically inserted when the "--dataset" option provides incomplete data, ensuring the generated DICOM instances remain valid - The version of the DICOM-izer is available in DICOM tag "SoftwareVersions" - ImagedVolumeWidth and ImagedVolumeHeight are swapped with respect to releases <= 3.2: https://discourse.orthanc-server.org/t/5912 * Viewer plugin: - Added rotation button in the viewer - The viewer displays a label if the "description" GET parameter is provided - Upgraded to OpenLayers 10.6.1 - remove libboost_system-devel for TW (removed in boost 1.89) Changes in python-pyorthanc: - version 1.22.1 * no changelog provided The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-Leap-16.0-packagehub-120 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/security/rating/ SUSE Security Ratings https://www.suse.com/security/cve/CVE-2024-22373/ SUSE CVE CVE-2024-22373 page https://www.suse.com/security/cve/CVE-2024-22391/ SUSE CVE CVE-2024-22391 page https://www.suse.com/security/cve/CVE-2024-25569/ SUSE CVE CVE-2024-25569 page openSUSE Leap 16.0 gdcm-3.0.24-bp160.2.1 gdcm-applications-3.0.24-bp160.2.1 gdcm-devel-3.0.24-bp160.2.1 gdcm-examples-3.0.24-bp160.2.1 libgdcm3_0-3.0.24-bp160.2.1 libsocketxx1_2-3.0.24-bp160.2.1 orthanc-1.12.10-bp160.1.1 orthanc-authorization-0.10.3-bp160.1.1 orthanc-devel-1.12.10-bp160.1.1 orthanc-dicomweb-1.22-bp160.1.1 orthanc-doc-1.12.10-bp160.1.1 orthanc-gdcm-1.8-bp160.1.1 orthanc-indexer-1.0-bp160.2.1 orthanc-mysql-5.2-bp160.2.1 orthanc-neuro-1.1-bp160.2.1 orthanc-postgresql-10.0-bp160.1.1 orthanc-python-7.0-bp160.1.1 orthanc-source-1.12.10-bp160.1.1 orthanc-stl-1.2-bp160.2.1 orthanc-tcia-1.3-bp160.1.1 orthanc-wsi-3.3-bp160.1.1 python3-gdcm-3.0.24-bp160.2.1 python313-pyorthanc-1.22.1-bp160.1.1 gdcm-3.0.24-bp160.2.1 as a component of openSUSE Leap 16.0 gdcm-applications-3.0.24-bp160.2.1 as a component of openSUSE Leap 16.0 gdcm-devel-3.0.24-bp160.2.1 as a component of openSUSE Leap 16.0 gdcm-examples-3.0.24-bp160.2.1 as a component of openSUSE Leap 16.0 libgdcm3_0-3.0.24-bp160.2.1 as a component of openSUSE Leap 16.0 libsocketxx1_2-3.0.24-bp160.2.1 as a component of openSUSE Leap 16.0 orthanc-1.12.10-bp160.1.1 as a component of openSUSE Leap 16.0 orthanc-authorization-0.10.3-bp160.1.1 as a component of openSUSE Leap 16.0 orthanc-devel-1.12.10-bp160.1.1 as a component of openSUSE Leap 16.0 orthanc-dicomweb-1.22-bp160.1.1 as a component of openSUSE Leap 16.0 orthanc-doc-1.12.10-bp160.1.1 as a component of openSUSE Leap 16.0 orthanc-gdcm-1.8-bp160.1.1 as a component of openSUSE Leap 16.0 orthanc-indexer-1.0-bp160.2.1 as a component of openSUSE Leap 16.0 orthanc-mysql-5.2-bp160.2.1 as a component of openSUSE Leap 16.0 orthanc-neuro-1.1-bp160.2.1 as a component of openSUSE Leap 16.0 orthanc-postgresql-10.0-bp160.1.1 as a component of openSUSE Leap 16.0 orthanc-python-7.0-bp160.1.1 as a component of openSUSE Leap 16.0 orthanc-source-1.12.10-bp160.1.1 as a component of openSUSE Leap 16.0 orthanc-stl-1.2-bp160.2.1 as a component of openSUSE Leap 16.0 orthanc-tcia-1.3-bp160.1.1 as a component of openSUSE Leap 16.0 orthanc-wsi-3.3-bp160.1.1 as a component of openSUSE Leap 16.0 python3-gdcm-3.0.24-bp160.2.1 as a component of openSUSE Leap 16.0 python313-pyorthanc-1.22.1-bp160.1.1 as a component of openSUSE Leap 16.0 An out-of-bounds write vulnerability exists in the JPEG2000Codec::DecodeByStreamsCommon functionality of Mathieu Malaterre Grassroot DICOM 3.0.23. A specially crafted DICOM file can lead to a heap buffer overflow. An attacker can provide a malicious file to trigger this vulnerability. CVE-2024-22373 openSUSE Leap 16.0:gdcm-3.0.24-bp160.2.1 openSUSE Leap 16.0:gdcm-applications-3.0.24-bp160.2.1 openSUSE Leap 16.0:gdcm-devel-3.0.24-bp160.2.1 openSUSE Leap 16.0:gdcm-examples-3.0.24-bp160.2.1 openSUSE Leap 16.0:libgdcm3_0-3.0.24-bp160.2.1 openSUSE Leap 16.0:libsocketxx1_2-3.0.24-bp160.2.1 openSUSE Leap 16.0:orthanc-1.12.10-bp160.1.1 openSUSE Leap 16.0:orthanc-authorization-0.10.3-bp160.1.1 openSUSE Leap 16.0:orthanc-devel-1.12.10-bp160.1.1 openSUSE Leap 16.0:orthanc-dicomweb-1.22-bp160.1.1 openSUSE Leap 16.0:orthanc-doc-1.12.10-bp160.1.1 openSUSE Leap 16.0:orthanc-gdcm-1.8-bp160.1.1 openSUSE Leap 16.0:orthanc-indexer-1.0-bp160.2.1 openSUSE Leap 16.0:orthanc-mysql-5.2-bp160.2.1 openSUSE Leap 16.0:orthanc-neuro-1.1-bp160.2.1 openSUSE Leap 16.0:orthanc-postgresql-10.0-bp160.1.1 openSUSE Leap 16.0:orthanc-python-7.0-bp160.1.1 openSUSE Leap 16.0:orthanc-source-1.12.10-bp160.1.1 openSUSE Leap 16.0:orthanc-stl-1.2-bp160.2.1 openSUSE Leap 16.0:orthanc-tcia-1.3-bp160.1.1 openSUSE Leap 16.0:orthanc-wsi-3.3-bp160.1.1 openSUSE Leap 16.0:python3-gdcm-3.0.24-bp160.2.1 openSUSE Leap 16.0:python313-pyorthanc-1.22.1-bp160.1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2024-22373.html CVE-2024-22373 https://bugzilla.suse.com/1223398 SUSE Bug 1223398 A heap-based buffer overflow vulnerability exists in the LookupTable::SetLUT functionality of Mathieu Malaterre Grassroot DICOM 3.0.23. A specially crafted malformed file can lead to memory corruption. An attacker can provide a malicious file to trigger this vulnerability. CVE-2024-22391 openSUSE Leap 16.0:gdcm-3.0.24-bp160.2.1 openSUSE Leap 16.0:gdcm-applications-3.0.24-bp160.2.1 openSUSE Leap 16.0:gdcm-devel-3.0.24-bp160.2.1 openSUSE Leap 16.0:gdcm-examples-3.0.24-bp160.2.1 openSUSE Leap 16.0:libgdcm3_0-3.0.24-bp160.2.1 openSUSE Leap 16.0:libsocketxx1_2-3.0.24-bp160.2.1 openSUSE Leap 16.0:orthanc-1.12.10-bp160.1.1 openSUSE Leap 16.0:orthanc-authorization-0.10.3-bp160.1.1 openSUSE Leap 16.0:orthanc-devel-1.12.10-bp160.1.1 openSUSE Leap 16.0:orthanc-dicomweb-1.22-bp160.1.1 openSUSE Leap 16.0:orthanc-doc-1.12.10-bp160.1.1 openSUSE Leap 16.0:orthanc-gdcm-1.8-bp160.1.1 openSUSE Leap 16.0:orthanc-indexer-1.0-bp160.2.1 openSUSE Leap 16.0:orthanc-mysql-5.2-bp160.2.1 openSUSE Leap 16.0:orthanc-neuro-1.1-bp160.2.1 openSUSE Leap 16.0:orthanc-postgresql-10.0-bp160.1.1 openSUSE Leap 16.0:orthanc-python-7.0-bp160.1.1 openSUSE Leap 16.0:orthanc-source-1.12.10-bp160.1.1 openSUSE Leap 16.0:orthanc-stl-1.2-bp160.2.1 openSUSE Leap 16.0:orthanc-tcia-1.3-bp160.1.1 openSUSE Leap 16.0:orthanc-wsi-3.3-bp160.1.1 openSUSE Leap 16.0:python3-gdcm-3.0.24-bp160.2.1 openSUSE Leap 16.0:python313-pyorthanc-1.22.1-bp160.1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2024-22391.html CVE-2024-22391 https://bugzilla.suse.com/1223400 SUSE Bug 1223400 An out-of-bounds read vulnerability exists in the RAWCodec::DecodeBytes functionality of Mathieu Malaterre Grassroot DICOM 3.0.23. A specially crafted DICOM file can lead to an out-of-bounds read. An attacker can provide a malicious file to trigger this vulnerability. CVE-2024-25569 openSUSE Leap 16.0:gdcm-3.0.24-bp160.2.1 openSUSE Leap 16.0:gdcm-applications-3.0.24-bp160.2.1 openSUSE Leap 16.0:gdcm-devel-3.0.24-bp160.2.1 openSUSE Leap 16.0:gdcm-examples-3.0.24-bp160.2.1 openSUSE Leap 16.0:libgdcm3_0-3.0.24-bp160.2.1 openSUSE Leap 16.0:libsocketxx1_2-3.0.24-bp160.2.1 openSUSE Leap 16.0:orthanc-1.12.10-bp160.1.1 openSUSE Leap 16.0:orthanc-authorization-0.10.3-bp160.1.1 openSUSE Leap 16.0:orthanc-devel-1.12.10-bp160.1.1 openSUSE Leap 16.0:orthanc-dicomweb-1.22-bp160.1.1 openSUSE Leap 16.0:orthanc-doc-1.12.10-bp160.1.1 openSUSE Leap 16.0:orthanc-gdcm-1.8-bp160.1.1 openSUSE Leap 16.0:orthanc-indexer-1.0-bp160.2.1 openSUSE Leap 16.0:orthanc-mysql-5.2-bp160.2.1 openSUSE Leap 16.0:orthanc-neuro-1.1-bp160.2.1 openSUSE Leap 16.0:orthanc-postgresql-10.0-bp160.1.1 openSUSE Leap 16.0:orthanc-python-7.0-bp160.1.1 openSUSE Leap 16.0:orthanc-source-1.12.10-bp160.1.1 openSUSE Leap 16.0:orthanc-stl-1.2-bp160.2.1 openSUSE Leap 16.0:orthanc-tcia-1.3-bp160.1.1 openSUSE Leap 16.0:orthanc-wsi-3.3-bp160.1.1 openSUSE Leap 16.0:python3-gdcm-3.0.24-bp160.2.1 openSUSE Leap 16.0:python313-pyorthanc-1.22.1-bp160.1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2024-25569.html CVE-2024-25569 https://bugzilla.suse.com/1223401 SUSE Bug 1223401