[med-svn] [Git][med-team/orthanc][debian/bullseye] 4 commits: Salsa CI: switch to the lts-team pipeline for Bullseye

Paride Legovini (@paride) gitlab at salsa.debian.org
Sun Feb 22 15:24:46 GMT 2026



Paride Legovini pushed to branch debian/bullseye at Debian Med / orthanc


Commits:
7b276cc7 by Paride Legovini at 2026-02-22T16:24:01+01:00
Salsa CI: switch to the lts-team pipeline for Bullseye

- - - - -
183f70ba by Paride Legovini at 2026-02-22T16:24:01+01:00
Disallow colons in HTTP basic usernames (CVE-2025-15581)

- - - - -
e27fa3b4 by Paride Legovini at 2026-02-22T16:24:01+01:00
d/gbp.conf: set debian-branch to debian/bullseye

- - - - -
be28e97c by Paride Legovini at 2026-02-22T16:24:01+01:00
Update changelog for 1.9.2+really1.9.1+dfsg-1+deb11u2 release

- - - - -


5 changed files:

- debian/changelog
- + debian/gbp.conf
- + debian/patches/cve-2025-15581.patch
- debian/patches/series
- debian/salsa-ci.yml


Changes:

=====================================
debian/changelog
=====================================
@@ -1,3 +1,12 @@
+orthanc (1.9.2+really1.9.1+dfsg-1+deb11u2) bullseye-security; urgency=high
+
+  * Non-maintainer upload by the LTS Security Team.
+  * Disallow colons in HTTP basic usernames (CVE-2025-15581)
+  * Salsa CI: switch to the lts-team pipeline for Bullseye
+  * d/gbp.conf: set debian-branch to debian/bullseye
+
+ -- Paride Legovini <paride at debian.org>  Sun, 22 Feb 2026 15:44:49 +0100
+
 orthanc (1.9.2+really1.9.1+dfsg-1+deb11u1) bullseye-security; urgency=high
 
   * Team upload.


=====================================
debian/gbp.conf
=====================================
@@ -0,0 +1,2 @@
+[DEFAULT]
+debian-branch = debian/bullseye


=====================================
debian/patches/cve-2025-15581.patch
=====================================
@@ -0,0 +1,33 @@
+Description: Disallow colons in HTTP basic usernames
+Author: Sebastien Jodogne <s.jodogne at gmail.com>
+Origin: upstream, https://orthanc.uclouvain.be/hg/orthanc/rev/9e5bb00c0525
+Bug: https://orthanc.uclouvain.be/bugs/show_bug.cgi?id=252
+Last-Update: 2026-02-22
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+--- a/OrthancFramework/Sources/HttpServer/HttpServer.cpp
++++ b/OrthancFramework/Sources/HttpServer/HttpServer.cpp
+@@ -1794,9 +1794,22 @@
+   void HttpServer::RegisterUser(const char* username,
+                                 const char* password)
+   {
++    const std::string s(username);
++    if (s.find(':') != std::string::npos)
++    {
++      /**
++       * "A user-id containing a colon character is invalid, as the
++       * first colon in a user-pass string separates user-id and
++       * password from one another" (cf. issue 252)
++       * https://datatracker.ietf.org/doc/html/rfc7617
++       **/
++      throw OrthancException(ErrorCode_ParameterOutOfRange, "Usernames for HTTP Basic Authentication "
++                             "cannot contain \":\", but found: \"" + s + "\"");
++    }
++
+     Stop();
+ 
+-    std::string tag = std::string(username) + ":" + std::string(password);
++    std::string tag = s + ":" + std::string(password);
+     std::string encoded;
+     Toolbox::EncodeBase64(encoded, tag);
+     registeredUsers_.insert(encoded);
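
Review bot: The new throw at the top of RegisterUser turns a username containing ':' that was accepted before into a hard ErrorCode_ParameterOutOfRange failure, and the changelog line "Disallow colons in HTTP basic usernames" does not say that existing registrations with such names will now be rejected. For a bullseye-security upload, I would spell that out in the changelog entry or a NEWS file so administrators know to rename affected users before upgrading. Placing the check before Stop() is good, because a rejected registration leaves the running server untouched. Separately, `const std::string s(username);` still assumes a non-null pointer, just as the old `std::string(username)` did. A null check next to the colon check would be cheap.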


=====================================
debian/patches/series
=====================================
@@ -1 +1,2 @@
 cve-2023-33466.patch
+cve-2025-15581.patch


=====================================
debian/salsa-ci.yml
=====================================
@@ -1,4 +1,6 @@
 ---
 include:
-  - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/salsa-ci.yml
-  - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/pipeline-jobs.yml
+  - https://salsa.debian.org/lts-team/pipeline/raw/master/recipes/bullseye.yml
+
+variables:
+  SALSA_CI_DISABLE_BLHC: 1
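
Review bot: `SALSA_CI_DISABLE_BLHC: 1` in the new variables block switches off the build-log hardening check without giving a reason, either here or in the commit subject. Since this branch carries security uploads, please add a one-line YAML comment above the variable explaining why the job is disabled for Bullseye (for example, a known false positive), so it can be re-enabled once the cause is gone.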



View it on GitLab: https://salsa.debian.org/med-team/orthanc/-/compare/cf2e3601b5f11defe6cd80bfbc6297a1d5d949a1...be28e97c0037b9c0b9eba6fe61297f747b345a18
