[SECURITY] [DLA 3564-1] e2guardian security update
Debian LTS Advisory DLA-3564-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/                          Chris Lamb
September 12, 2023                            https://wiki.debian.org/LTS

Package        : e2guardian
Version        : 5.3.1-1+deb10u1
CVE ID         : CVE-2021-44273
Debian Bug     : 1003125

It was discovered that there was a potential Man In the Middle (MITM)
vulnerability in e2guardian, a web content filtering engine. Validation of
SSL certificates was missing in e2guardian's own MITM prevention engine. In
standalone mode (i.e. acting as a proxy or a transparent proxy) with SSL
MITM enabled, e2guardian did not validate hostnames in certificates of the
web servers that it connected to, and thus was itself vulnerable to MITM
attacks.

For Debian 10 buster, this problem has been fixed in version
5.3.1-1+deb10u1.

We recommend that you upgrade your e2guardian packages.

For the detailed security status of e2guardian please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/e2guardian

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
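The failure mode this advisory describes is a TLS client that verifies the certificate chain but never checks that the certificate was issued for the host it meant to reach. As an added illustration, not e2guardian's code or the advisory's, the following Python shows the client context that checks both chain and hostname beside the weak one that checks only the chain, plus a subjectAltName-based hostname matcher run over a constructed `getpeercert()`-style dict (`SAMPLE_CERT` and all function names are assumptions).

```python
import ssl

def strict_client_context(cafile=None):
    # Correct client posture: the chain must verify AND the leaf must be
    # issued for the name we meant to reach. Both are needed to stop MITM.
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx

def weak_client_context():
    # Shape of the CVE-2021-44273 defect: the chain is still verified, but a
    # valid certificate for an unrelated host is accepted for this
    # connection, which is exactly the exposure the advisory describes.
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx

def dns_names_from_peercert(cert):
    # 'cert' uses the dict shape SSLSocket.getpeercert() returns; only
    # subjectAltName dNSName entries count, the CN is deliberately ignored.
    return [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]

def hostname_matches(san_dns_names, hostname):
    # Label-wise comparison: a wildcard may only be the whole leftmost label,
    # never spans a dot, and needs at least two fixed labels after it.
    host = hostname.lower().rstrip(".").split(".")
    for name in san_dns_names:
        pat = name.lower().rstrip(".").split(".")
        if len(pat) != len(host):
            continue
        if pat[0] == "*":
            if len(pat) >= 3 and pat[1:] == host[1:]:
                return True
        elif pat == host:
            return True
    return False

# Constructed sample in the getpeercert() dict shape; not a real certificate.
SAMPLE_CERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "subjectAltName": (("DNS", "www.example.com"), ("DNS", "*.cdn.example.com")),
}

if __name__ == "__main__":
    names = dns_names_from_peercert(SAMPLE_CERT)
    for h in ("www.example.com", "img.cdn.example.com", "cdn.example.com"):
        print(h, hostname_matches(names, h))
```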
Accepted e2guardian 5.3.1-1+deb10u1 (source amd64) into oldoldstable
Format: 1.8
Date: Tue, 12 Sep 2023 10:37:46 -0700
Source: e2guardian
Binary: e2guardian e2guardian-dbgsym
Architecture: source amd64
Version: 5.3.1-1+deb10u1
Distribution: buster-security
Urgency: high
Maintainer: Debian Edu Packaging Team
Changed-By: Chris Lamb
Description:
 e2guardian - Web content filtering (Dansguardian fork)
Closes: 1003125
Changes:
 e2guardian (5.3.1-1+deb10u1) buster-security; urgency=high
 .
   * Non-maintainer upload by the Debian LTS team.
   * CVE-2021-44273: Validation of SSL certificates was missing in
     e2guardian's MITM prevention engine. In standalone mode (i.e. acting as
     a proxy or a transparent proxy) with SSL MITM enabled, e2guardian did
     not validate hostnames in certificates of the web servers that it
     connected to, and thus was itself vulnerable to MITM attacks.
     (Closes: #1003125)
Re: [SECURITY] [DLA 3562-1] orthanc security update
Hi,

The fix is basically the backport from bullseye, where the call is dropped
if the configuration does not explicitly allow it. If you call export, it
returns 403. If this is not the case, please share details.

Regards

Anton

On Tue, 12 Sep 2023 at 13:30, Abhishek Dutt <duttabhish...@gmail.com> wrote:

> Hi,
> Please look into the vulnerability test that is not supposed to work
> today. Moreover, look into the case where the API is not calling the option
> and is not included in most options. I am not worried about the case where
> option 2 is not working and this has to be done in the case. Therefore I
> would request you to check the details:
>
> 1. DICOM HTTP status 200 OK.
>
> On Tue, Sep 12, 2023 at 1:50 PM Anton Gladky wrote:
>
>> Debian LTS Advisory DLA-3562-1                debian-lts@lists.debian.org
>> https://www.debian.org/lts/security/                        Anton Gladky
>> September 12, 2023                            https://wiki.debian.org/LTS
>>
>> Package        : orthanc
>> Version        : 1.5.6+dfsg-1+deb10u1
>> CVE ID         : CVE-2023-33466
>> Debian Bug     : 1040597
>>
>> A security vulnerability was identified in Orthanc, a DICOM server used for
>> medical imaging, whereby authenticated API users had the capability to
>> overwrite arbitrary files and, in certain configurations, execute
>> unauthorized code.
>>
>> This update addresses the issue by backporting a safeguard mechanism: the
>> RestApiWriteToFileSystemEnabled option is now included, and it is set to
>> "true" by default in the /etc/orthanc/orthanc.json configuration file.
>> Should users wish to revert to the previous behavior, they can manually
>> set this option to "true" themselves.
>>
>> For Debian 10 buster, this problem has been fixed in version
>> 1.5.6+dfsg-1+deb10u1.
>>
>> We recommend that you upgrade your orthanc packages.
>>
>> For the detailed security status of orthanc please refer to
>> its security tracker page at:
>> https://security-tracker.debian.org/tracker/orthanc
>>
>> Further information about Debian LTS security advisories, how to apply
>> these updates to your system and frequently asked questions can be
>> found at: https://wiki.debian.org/LTS
>
> --
> Regards,
> Abhishek Dutt
Re: [SECURITY] [DLA 3562-1] orthanc security update
Hi,
Please look into the vulnerability test that is not supposed to work
today. Moreover, look into the case where the API is not calling the option
and is not included in most options. I am not worried about the case where
option 2 is not working and this has to be done in the case. Therefore I
would request you to check the details:

1. DICOM HTTP status 200 OK.

On Tue, Sep 12, 2023 at 1:50 PM Anton Gladky wrote:

> Debian LTS Advisory DLA-3562-1                debian-lts@lists.debian.org
> https://www.debian.org/lts/security/                        Anton Gladky
> September 12, 2023                            https://wiki.debian.org/LTS
>
> Package        : orthanc
> Version        : 1.5.6+dfsg-1+deb10u1
> CVE ID         : CVE-2023-33466
> Debian Bug     : 1040597
>
> A security vulnerability was identified in Orthanc, a DICOM server used for
> medical imaging, whereby authenticated API users had the capability to
> overwrite arbitrary files and, in certain configurations, execute
> unauthorized code.
>
> This update addresses the issue by backporting a safeguard mechanism: the
> RestApiWriteToFileSystemEnabled option is now included, and it is set to
> "true" by default in the /etc/orthanc/orthanc.json configuration file.
> Should users wish to revert to the previous behavior, they can manually
> set this option to "true" themselves.
>
> For Debian 10 buster, this problem has been fixed in version
> 1.5.6+dfsg-1+deb10u1.
>
> We recommend that you upgrade your orthanc packages.
>
> For the detailed security status of orthanc please refer to
> its security tracker page at:
> https://security-tracker.debian.org/tracker/orthanc
>
> Further information about Debian LTS security advisories, how to apply
> these updates to your system and frequently asked questions can be
> found at: https://wiki.debian.org/LTS

--
Regards,
Abhishek Dutt
[SECURITY] [DLA 3562-1] orthanc security update
Debian LTS Advisory DLA-3562-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/                        Anton Gladky
September 12, 2023                            https://wiki.debian.org/LTS

Package        : orthanc
Version        : 1.5.6+dfsg-1+deb10u1
CVE ID         : CVE-2023-33466
Debian Bug     : 1040597

A security vulnerability was identified in Orthanc, a DICOM server used for
medical imaging, whereby authenticated API users had the capability to
overwrite arbitrary files and, in certain configurations, execute
unauthorized code.

This update addresses the issue by backporting a safeguard mechanism: the
RestApiWriteToFileSystemEnabled option is now included, and it is set to
"true" by default in the /etc/orthanc/orthanc.json configuration file.
Should users wish to revert to the previous behavior, they can manually
set this option to "true" themselves.

For Debian 10 buster, this problem has been fixed in version
1.5.6+dfsg-1+deb10u1.

We recommend that you upgrade your orthanc packages.

For the detailed security status of orthanc please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/orthanc

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS