[Debian-med-packaging] Bug#1122926: dcmtk: CVE-2025-14607 and CVE-2025-14841

[Markus Koschany]

Hi Étienne,

Am Dienstag, dem 10.02.2026 um 23:27 +0100 schrieb Étienne Mollier:
> Hi Markus,
> 
> > I have prepared security updates for bookworm and trixie and could also fix
> > unstable via targeted patches. I would rather not package a new upstream
> > release though. I believe the release team would be in favor of addressing
> > these issues in unstable and testing first before I am going to fix
> > bookworm
> > and trixie. What do you think? 
> 
> I rediscovered work in progress staging in a directory on my
> machine to proceed to a dcmtk upstream upgrade in unstable.
> I've never finished, probably due to running into other duties
> AFK.  I'm not sure how much work is left to have the package
> into an uploadable state.  I'm okay with rebasing my work on top
> of your NMU/Team upload with targeted changes, so that getting
> the newer upstream release does not go in the way of shipping
> the necessary security patches.

If you have already started to work on a new upstream release, then I suggest
to continue this path because I assume users prefer that anyway in unstable or
testing. Version 3.7.0 includes the fixes for these two CVE. If you won't have
the time to upload a new upstream version in February then I can prepare a NMU
with two targeted patches based on the current version in unstable. We don't
need to rebase your work though because, like I said, the new upstream version
will fix the problem anyway.

> 
> Thanks for your help with fixing the security issues of dcmtk in
> stable release!
> 
> Have a nice day,  :)

Cheers,

Markus

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 963 bytes
Desc: This is a digitally signed message part
URL: <http://alioth-lists.debian.net/pipermail/debian-med-packaging/attachments/20260210/8b7aed93/attachment-0001.sig>