Update submodules from pool/orthanc#1 , pool/gdcm#1 , pool/orthanc-authorization#1 , pool/orthanc-dicomweb#1 , pool/orthanc-gdcm#1 , pool/orthanc-indexer#1 , pool/orthanc-mysql#1 , pool/orthanc-neuro#1 , pool/orthanc-postgresql#1 , pool/orthanc-python#1 , pool/orthanc-stl#1 , pool/orthanc-tcia#1 and create patchinfo.20260209155027397167.93181000773252/_patchinfo

2026-02-09 16:51:36 +01:00
13 changed files with 214 additions and 12 deletions
--- a/2
+++ b/2
--- a/2
+++ b/2
--- a/2
+++ b/2
--- a/2
+++ b/2
--- a/2
+++ b/2
--- a/2
+++ b/2
--- a/2
+++ b/2
--- a/2
+++ b/2
--- a/2
+++ b/2
--- a/2
+++ b/2
--- a/2
+++ b/2
--- a/2
+++ b/2
--- a/patchinfo.20260209155027397167.93181000773252/_patchinfo
+++ b/patchinfo.20260209155027397167.93181000773252/_patchinfo
@@ -0,0 +1,202 @@
+<patchinfo>
+  <issue tracker="cve" id="2024-22391">VUL-0: CVE-2024-22391: gdcm: heap-based buffer overflow in the LookupTable:SetLUT functionality</issue>
+  <issue tracker="cve" id="2024-25569">VUL-0: CVE-2024-25569: gdcm: out-of-bounds read in the RAWCodec:DecodeBytes functionality</issue>
+  <issue tracker="cve" id="2024-22373">VUL-0: CVE-2024-22373: gdcm: out-of-bounds write in the JPEG2000Codec:DecodeByStreamsCommon functionality</issue>
+  <packager>DocB</packager>
+  <rating>important</rating>
+  <category>security</category>
+  <summary>Security update for orthanc, gdcm, orthanc-authorization, orthanc-dicomweb, orthanc-gdcm, orthanc-indexer, orthanc-mysql, orthanc-neuro, orthanc-postgresql, orthanc-python, orthanc-stl, orthanc-tcia</summary>
+  <description>This update for orthanc, gdcm, orthanc-authorization, orthanc-dicomweb, orthanc-gdcm, orthanc-indexer, orthanc-mysql, orthanc-neuro, orthanc-postgresql, orthanc-python, orthanc-stl, orthanc-tcia fixes the following issues:
+
+Changes in orthanc:
+
+- dcmtk 370 breaks TW build
+
+- switch to lua 5.4
+
+- remove out boost component system from framework
+
+- version 1.12.10
+  ' long changelog - see NEWS for details
+
+- Stop trying to pull libboost_system-devel in all orthanc packages.
+
+- remove libboost_system-devel for TW (removed in boost 1.89)
+
+- version 1.12.9
+  * long changelog - see NEWS for details
+
+Changes in gdcm:
+
+- apply fix for poppler 25.10 build error
+
+Changes in orthanc-authorization:
+
+- version 0.10.3
+  * New default permissions for worklists
+  * New default permissions for tools/metrics-prometheus
+  * New default permissions for tools/generate-uid
+
+- version 0.10.2
+  * New default permissions to add/delete modalities through the Rest API
+    https://discourse.orthanc-server.org/t/managing-modalities-using-the-rest-api-and-keycloak/6137
+  * New standard configuration "stl"
+
+- remove libboost_system-devel for TW (removed in boost 1.89)-
+
+- version 0.10.1
+  * Fix audit-logs export in CSV format.
+  * New configuration "ExtraPermissions" to ADD new permissions to
+    the default "Permissions" entries.
+  * Improved handling of "Anonymous" user profiles (when no auth-tokens
+    are provided):  The plugin will now request the auth-service to
+    get an anonymous user profile even if there are no auth-tokens in the
+    HTTP request.
+  * The User profile can now contain a "groups" field if the auth-service
+    provides it.
+  * The User profile can now contain an "id" field if the auth-service
+    provides it.
+  * New experimental feature: audit-logs
+    - Enabled by the "EnableAuditLogs" configuration.
+    - Audit-logs are currently handled by the PostgreSQL plugin and can be
+      browsed through the route /auth/audit-logs.
+    - New default permission "audit-logs" to grant access to the
+      "/auth/audit-logs" route.
+  * Fix: The "server-id" field is now included in all requests sent to the
+    auth-service.
+
+Changes in orthanc-dicomweb:
+
+- version 1.22
+  * framework2.diff added for compatibilty with Orthanc framework &lt;= 1.12.10
+  * Fixed a possible deadlock when using "WadoRsLoaderThreadsCount" &gt; 1 when the HTTP
+    client disconnects while downloading the response.
+  * Fixed "Success: Success" errors when trying to send resources synchronously to a remote DICOMweb
+    server while the Orthanc job engine was busy with other tasks.
+
+- remove libboost_system-devel for TW (removed in boost 1.89)
+
+- version 1.21
+  * New configuration "WadoRsLoaderThreadsCount" to configure how many threads are loading
+    files from the storage when answering to a WADO-RS query.  A value &gt; 1 is meaningful
+    only if the storage is a distributed network storage (e.g object storage plugin).
+    A value of 0 means reading and writing are performed in sequence (default behaviour).
+  * New configuration "EnablePerformanceLogs" to display performance logs.  Currently
+    only showing the time required to execute a WADO-RS query.  For example:
+    WADO-RS: elapsed: 26106623 us, rate: 14.86 instances/s, 155.23Mbps
+  * Fix false errors logs generated e.g when OHIF requests the /dicom-web/studies/../metadata route:
+    "dicom-web:/Configuration.cpp:643] Unsupported return MIME type: application/dicom+json, multipart/related; type=application/octet-stream; transfer-syntax=*, will return DICOM+JSON"
+
+Changes in orthanc-gdcm:
+
+- version 1.8
+  * Prevent transcoding of DICOM images with empty
+    SharedFunctionalGroupsSequence (5200,9229), as this might crash GDCM.
+  * The built-in Orthanc transcoder being usually more stable, the default
+    value of the "RestrictTransferSyntaxes" configuration has been updated
+    to configure the GDCM plugin for J2K transfer syntaxes only since these
+    transfer syntaxes are currently not supported by the built-in Orthanc
+    transcoder.
+    - If "RestrictTransferSyntaxes" is not specified in your configuration,
+      it is now equivalent to
+        "RestrictTransferSyntaxes" : [
+          "1.2.840.10008.1.2.4.90",   // JPEG 2000 Image Compression (Lossless Only)
+          "1.2.840.10008.1.2.4.91",   // JPEG 2000 Image Compression
+          "1.2.840.10008.1.2.4.92",   // JPEG 2000 Part 2 Multicomponent Image Compression (Lossless Only)
+          "1.2.840.10008.1.2.4.93"    // JPEG 2000 Part 2 Multicomponent Image Compression
+        ]
+      which was the recommended configuration.
+    - If "RestrictTransferSyntaxes" is defined but empty, the GDCM plugin will
+      now be used to transcode ALL transfer syntaxes (this was the default
+      behaviour up to version 1.7)
+
+- remove libboost_system-devel for TW (removed in boost 1.89)
+
+- version 1.7
+  * Upgrade to GDCM 3.0.24 for static builds. Fixes:
+    - CVE-2024-22373: https://nvd.nist.gov/vuln/detail/CVE-2024-22373
+    - CVE-2024-22391: https://nvd.nist.gov/vuln/detail/CVE-2024-22391
+    - CVE-2024-25569: https://nvd.nist.gov/vuln/detail/CVE-2024-25569
+
+Changes in orthanc-indexer:
+
+- remove libboost_system-devel for TW (removed in boost 1.89)
+
+Changes in orthanc-mysql:
+
+- remove libboost_system-devel for TW (removed in boost 1.89)
+
+Changes in orthanc-neuro:
+
+- remove libboost_system-devel for TW (removed in boost 1.89)
+
+Changes in orthanc-postgresql:
+
+- version 10.0
+  * update mainly providing new Reserve and Acknowledge primitives
+    for Queues in plugins
+
+- remove libboost_system-devel for TW (removed in boost 1.89)
+
+- version 9.0
+  * DB-scheme rev. 6 - check Orthanc book
+
+- version 8.0
+  * no changelog provided
+  * New DB scheme
+
+Changes in orthanc-python:
+
+- version 7.0
+  * The "orthanc.pyi" stub is now excluded from the "install" step during the build
+  * Wrapped new SCP callbacks:
+    - RegisterFindCallback2()
+    - RegisterMoveCallback3()
+    - RegisterWorklistCallback2()
+    - RegisterStorageCommitmentScpCallback2()
+  * Wrapped new Queues methods:
+    - ReserveQueueValue()
+    - AcknowledgeQueueValue()
+
+- remove libboost_system-devel for TW (removed in boost 1.89)
+
+- remove /usr/orthanc.pyi - unneeded
+
+- version 6.0
+  * The auto-generation of the Python wrapper is now part of the build,
+    to exploit the ORTHANC_PLUGIN_SINCE_SDK macro. This provides backward
+    compatibility with the SDK that is actually installed on the system
+  * Added Windows builder for Python 3.13
+  * Added Docker-based builder scripts for Debian 13 (trixie)
+
+Changes in orthanc-stl:
+
+- patch out libboost-system to fix build error
+
+- remove libboost_system-devel for TW (removed in boost 1.89)
+
+Changes in orthanc-tcia:
+
+- version 1.3
+  * Replaced default base URL of TCIA REST API from
+    "https://services.cancerimagingarchive.net/services/v4/TCIA/query" to
+    "https://nbia.cancerimagingarchive.net/nbia-api/services/v4"
+  * Added configuration option "BaseUrl" to manually configure the base URL
+  * Fix for newer versions of the NBIA cart file format
+  * Upgrade to Orthanc framework 1.12.3
+
+- remove libboost_system-devel for TW (removed in boost 1.89)
+</description>
+  <package>orthanc</package>
+  <package>gdcm</package>
+  <package>orthanc-authorization</package>
+  <package>orthanc-dicomweb</package>
+  <package>orthanc-gdcm</package>
+  <package>orthanc-indexer</package>
+  <package>orthanc-mysql</package>
+  <package>orthanc-neuro</package>
+  <package>orthanc-postgresql</package>
+  <package>orthanc-python</package>
+  <package>orthanc-stl</package>
+  <package>orthanc-tcia</package>
+</patchinfo>