Hi,

The fix is basically the backport from bullseye, where the call is being
dropped if the configuration does not explicitly allow it.

If you call export, it returns 403. If this is not the case, please share
details.

Regards

Anton


On Tue, 12 Sept 2023 at 13:30, Abhishek Dutt <
duttabhish...@gmail.com> wrote:

> Hi,
> Please look into the vulnerability test that is not supposed to work
> today. Moreover, look into the case where the API is not calling the option
> and is not included in most options. I am not worried about the case where
> option 2 is not working and this has to be done in the case. Therefore I
> would request you to check the details:
>
> 1. DICOM HTTP status 200 OK.
>
> On Tue, Sep 12, 2023 at 1:50 PM Anton Gladky <gl...@debian.org> wrote:
>
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA512
>>
>> - -------------------------------------------------------------------------
>> Debian LTS Advisory DLA-3562-1                debian-lts@lists.debian.org
>> https://www.debian.org/lts/security/                         Anton Gladky
>> September 12, 2023                            https://wiki.debian.org/LTS
>> - -------------------------------------------------------------------------
>>
>> Package        : orthanc
>> Version        : 1.5.6+dfsg-1+deb10u1
>> CVE ID         : CVE-2023-33466
>> Debian Bug     : 1040597
>>
>> A security vulnerability was identified in Orthanc, a DICOM server used for
>> medical imaging, whereby authenticated API users had the capability to
>> overwrite arbitrary files and, in certain configurations, execute
>> unauthorized code.
>>
>> This update addresses the issue by backporting a safeguard mechanism: the
>> RestApiWriteToFileSystemEnabled option is now included, and it is set to
>> "true" by default in the /etc/orthanc/orthanc.json configuration file.
>> Should users wish to revert to the previous behavior, they can manually
>> set this option to "true" themselves.
>>
>> For Debian 10 buster, this problem has been fixed in version
>> 1.5.6+dfsg-1+deb10u1.
>>
>> We recommend that you upgrade your orthanc packages.
>>
>> For the detailed security status of orthanc please refer to
>> its security tracker page at:
>> https://security-tracker.debian.org/tracker/orthanc
>>
>> Further information about Debian LTS security advisories, how to apply
>> these updates to your system and frequently asked questions can be
>> found at: https://wiki.debian.org/LTS
>> -----BEGIN PGP SIGNATURE-----
>>
>> iQIzBAEBCgAdFiEEu71F6oGKuG/2fnKF0+Fzg8+n/wYFAmUAHycACgkQ0+Fzg8+n
>> /wbzLw/+OwxSnkOEATh2LGqRA4RwOFzCdCZxQvjRL+gzb6dvM2eG9P0aSs5/Ek2e
>> kd9uSTRUvgkBoH00ku5QXVytXfiSbzEKZFqowRgCOaCTPfEHJDY6xxzXd8uPdfRY
>> ZmaRUuwJDi4Wu0k8HBBZ+47vv8jXCXKLb2Z16aAjKaegCfMINujgMH5N/Ld6RlfX
>> i4Gr+f1YTfwIHssEKj7IWGYd5+uoY/RoRbgWcIRWDjWUQ3a+/evTx8k6OV3E978G
>> x9PC6loQGDZZLCypdhB6paIyKVpwD66h2AnIG5xAK+awv2SW0lb+SywcnJAqyaHa
>> Hu3UvRI3YCSOMVkkuOyQ/GN3PhUOJ0+hhFGsaM9UFWWlZheARpqLSNYHdRRTw5rf
>> XNPDiKkieUL4HC0bQQxuSGf3h71OpHIavfPX7OeysgKz3NfjYBl0l4RbmwQi1kNs
>> 6zfOSPx+5hJbPGoQssMn1j7TWnWnZTOPPrgWVy/PX1JF6y47465gJeoxIQ8tFqbs
>> 8Mx+LeH0HyjteYtVCCMPg1OPATTMSDBzfiY0JUKcowoOanLvL/+0MRH1A2iBcSAw
>> HW3xRLA/6AB14iJGDwN7DyFXIkkNk/pLMM/siSMiBDP2NU68+ortlN6Lec+n7QFF
>> YJAFJqeaLqTLf2fnJ9oUs9fyD3uBioec3uCqcm3rjTt7rsabpT4=
>> =uDem
>> -----END PGP SIGNATURE-----
>>
>>
>
> --
> Regards,
> Abhishek Dutt
>
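As an added example (not code from Debian, the Orthanc project or anyone in this thread), here is a small audit script for the behaviour Anton describes: with the backported fix, REST API writes to the filesystem are only permitted when the RestApiWriteToFileSystemEnabled option explicitly allows them, and an export call is otherwise answered with 403. The option name and the /etc/orthanc/orthanc.json path come from the advisory; the assumption that the configuration file is JSON carrying `//` and `/* */` comments, and all three sample configurations, are constructed for this example.

```python
"""Audit an Orthanc configuration for RestApiWriteToFileSystemEnabled.

Added example, not Debian's or Orthanc's own code. Assumption: the
configuration file is JSON that may contain // and /* */ comments, so a
plain json.loads() would fail on it and comments must be stripped first
without touching "//" sequences that live inside string literals.
"""
import json

OPTION = "RestApiWriteToFileSystemEnabled"  # option name from DLA-3562-1


def strip_json_comments(text: str) -> str:
    """Remove // and /* */ comments that are outside string literals."""
    out = []
    i, n = 0, len(text)
    in_string = False
    while i < n:
        c = text[i]
        if in_string:
            out.append(c)
            if c == "\\" and i + 1 < n:      # keep escaped char verbatim
                out.append(text[i + 1])
                i += 2
                continue
            if c == '"':
                in_string = False
            i += 1
        elif c == '"':
            in_string = True
            out.append(c)
            i += 1
        elif text.startswith("//", i):       # line comment: drop to EOL
            j = text.find("\n", i)
            i = n if j == -1 else j
        elif text.startswith("/*", i):       # block comment: drop to */
            j = text.find("*/", i + 2)
            i = n if j == -1 else j + 2
        else:
            out.append(c)
            i += 1
    return "".join(out)


def load_orthanc_config(text: str) -> dict:
    """Parse an Orthanc-style commented JSON configuration."""
    return json.loads(strip_json_comments(text))


def rest_api_writes_allowed(config: dict) -> bool:
    """Writes are allowed only when the option is explicitly true.

    Per the thread, the patched server drops the call unless the
    configuration explicitly allows it, so an absent or false option
    counts as blocked.
    """
    return config.get(OPTION) is True


def audit(text: str) -> dict:
    """Summarise one configuration file's posture for this option."""
    config = load_orthanc_config(text)
    allowed = rest_api_writes_allowed(config)
    return {
        "option_present": OPTION in config,
        "writes_allowed": allowed,
        # Anton: a blocked export call is answered with 403. The status
        # for the allowed case is not stated in the thread, hence None.
        "expected_export_status": None if allowed else 403,
    }


# Constructed sample configurations (not real deployments).
HARDENED_CONFIG = """
{
  // filesystem writes through the REST API stay blocked
  "Name" : "MyOrthanc",
  "Description" : "see https://example.invalid/docs",
  "RestApiWriteToFileSystemEnabled" : false
}
"""

LEGACY_CONFIG = """
{
  /* operator deliberately restored the pre-fix behaviour */
  "Name" : "MyOrthanc",
  "RestApiWriteToFileSystemEnabled" : true
}
"""

UNSET_CONFIG = """
{
  // "RestApiWriteToFileSystemEnabled" : true   <- commented out, so unset
  "Name" : "MyOrthanc"
}
"""

if __name__ == "__main__":
    # In a real audit, read /etc/orthanc/orthanc.json instead of a sample.
    for label, text in (("hardened", HARDENED_CONFIG),
                        ("legacy", LEGACY_CONFIG),
                        ("unset", UNSET_CONFIG)):
        print(f"{label:9s} {audit(text)}")
```

The comment stripper matters for the `unset` case: a naive substring search for the option name would find it inside the commented-out line and report the option as present, whereas parsing the file the way the server does shows it is not set, so writes stay blocked.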
