orthanc - Debian Package Tracker

general

source: orthanc (main)
version: 1.12.11+dfsg-7
maintainer: Debian Med Packaging Team (archive) (DMD) (LowNMU)
uploaders: Andreas Tille [DMD] – Sebastien Jodogne [DMD] [DM]
arch: all any
std-ver: 4.7.4
VCS: Git (Browse, QA)

versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]

[pool directory]

o-o-stable: 1.9.2+really1.9.1+dfsg-1+deb11u1
o-o-sec: 1.9.2+really1.9.1+dfsg-1+deb11u2
oldstable: 1.10.1+dfsg-2+deb12u1
old-sec: 1.10.1+dfsg-2+deb12u1
stable: 1.12.7+dfsg-4
testing: 1.12.11+dfsg-7
unstable: 1.12.11+dfsg-7

versioned links

1.9.2+really1.9.1+dfsg-1+deb11u1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
1.9.2+really1.9.1+dfsg-1+deb11u2: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
1.10.1+dfsg-2+deb12u1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
1.12.7+dfsg-4: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
1.12.11+dfsg-7: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]

binaries

liborthancframework-dev
liborthancframework1
liborthancframework1.12.11
orthanc (1 bugs: 0, 0, 1, 0)
orthanc-dev
orthanc-doc

action needed

1 security issue in sid high

There is 1 open security issue in sid.

1 important issue:

CVE-2026-10528: A security flaw has been discovered in Orthanc DICOM Server up to 1.12.11. This issue affects the function DcmItem::read of the file OrthancFramework/Sources/DicomParsing/FromDcmtkBridge.cpp of the component DCMTK Parser. Performing a manipulation results in stack-based buffer overflow. Attacking locally is a requirement. The exploit has been released to the public and may be used for attacks. The patch is named bae99026ca97. To fix this issue, it is recommended to deploy a patch.

Created: 2026-06-02 Last update: 2026-06-02 20:00

1 security issue in forky high

There is 1 open security issue in forky.

1 important issue:

CVE-2026-10528: A security flaw has been discovered in Orthanc DICOM Server up to 1.12.11. This issue affects the function DcmItem::read of the file OrthancFramework/Sources/DicomParsing/FromDcmtkBridge.cpp of the component DCMTK Parser. Performing a manipulation results in stack-based buffer overflow. Attacking locally is a requirement. The exploit has been released to the public and may be used for attacks. The patch is named bae99026ca97. To fix this issue, it is recommended to deploy a patch.

Created: 2026-06-02 Last update: 2026-06-02 20:00

11 security issues in bullseye high

There are 11 open security issues in bullseye.

10 important issues:

CVE-2026-5437: An out-of-bounds read vulnerability exists in `DicomStreamReader` during DICOM meta-header parsing. When processing malformed metadata structures, the parser may read beyond the bounds of the allocated metadata buffer. Although this issue does not typically crash the server or expose data directly to the attacker, it reflects insufficient input validation in the parsing logic.
CVE-2026-5438: A gzip decompression bomb vulnerability exists when Orthanc processes HTTP request with `Content-Encoding: gzip`. The server does not enforce limits on decompressed size and allocates memory based on attacker-controlled compression metadata. A specially crafted gzip payload can trigger excessive memory allocation and exhaust system memory.
CVE-2026-5439: A memory exhaustion vulnerability exists in ZIP archive processing. Orthanc automatically extracts ZIP archives uploaded to certain endpoints and trusts metadata fields describing the uncompressed size of archived files. An attacker can craft a small ZIP archive containing a forged size value, causing the server to allocate extremely large buffers during extraction.
CVE-2026-5440: A memory exhaustion vulnerability exists in the HTTP server due to unbounded use of the `Content-Length` header. The server allocates memory directly based on the attacker supplied header value without enforcing an upper limit. A crafted HTTP request containing an extremely large `Content-Length` value can trigger excessive memory allocation and server termination, even without sending a request body.
CVE-2026-5441: An out-of-bounds read vulnerability exists in the `DecodePsmctRle1` function of `DicomImageDecoder.cpp`. The `PMSCT_RLE1` decompression routine, which decodes the proprietary Philips Compression format, does not properly validate escape markers placed near the end of the compressed data stream. A crafted sequence at the end of the buffer can cause the decoder to read beyond the allocated memory region and leak heap data into the rendered image output.
CVE-2026-5442: A heap buffer overflow vulnerability exists in the DICOM image decoder. Dimension fields are encoded using Value Representation (VR) Unsigned Long (UL), instead of the expected VR Unsigned Short (US), which allows extremely large dimensions to be processed. This causes an integer overflow during frame size calculation and results in out-of-bounds memory access during image decoding.
CVE-2026-5443: A heap buffer overflow vulnerability exists during the decoding of `PALETTE COLOR` DICOM images. Pixel length validation uses 32-bit multiplication for width and height calculations. If these values overflow, the validation check incorrectly succeeds, allowing the decoder to read and write to memory beyond allocated buffers.
CVE-2026-5444: A heap buffer overflow vulnerability exists in the PAM image parsing logic. When Orthanc processes a crafted PAM image embedded in a DICOM file, image dimensions are multiplied using 32-bit unsigned arithmetic. Specially chosen values can cause an integer overflow during buffer size calculation, resulting in the allocation of a small buffer followed by a much larger write operation during pixel processing.
CVE-2026-5445: An out-of-bounds read vulnerability exists in the `DecodeLookupTable` function within `DicomImageDecoder.cpp`. The lookup-table decoding logic used for `PALETTE COLOR` images does not validate pixel indices against the lookup table size. Crafted images containing indices larger than the palette size cause the decoder to read beyond allocated lookup table memory and expose heap contents in the output image.
CVE-2026-10528: A security flaw has been discovered in Orthanc DICOM Server up to 1.12.11. This issue affects the function DcmItem::read of the file OrthancFramework/Sources/DicomParsing/FromDcmtkBridge.cpp of the component DCMTK Parser. Performing a manipulation results in stack-based buffer overflow. Attacking locally is a requirement. The exploit has been released to the public and may be used for attacks. The patch is named bae99026ca97. To fix this issue, it is recommended to deploy a patch.

1 issue postponed or untriaged:

CVE-2024-22725: (needs triaging) Orthanc versions before 1.12.2 are affected by a reflected cross-site scripting (XSS) vulnerability. The vulnerability was present in the server's error reporting.

Created: 2026-04-09 Last update: 2026-06-02 20:00

4 new commits since last upload, is it time to release? normal

vcswatch reports that this package seems to have new commits in its VCS but has not yet updated debian/changelog. You should consider updating the Debian changelog and uploading this new version into the archive.

Here are the relevant commit logs:

commit 753c2721d08327872c0fb1bba2de942336196a0e
Merge: 8da6d10 da73c0a
Author: Andreas Tille <tille@debian.org>
Date:   Tue May 26 10:28:32 2026 +0200

    Merge branch 'sysusers' into 'master'
    
    Install and use sysusers.d/tmpfiles.d config files
    
    See merge request med-team/orthanc!2

commit 8da6d10431ef1e0e219d5f547b3583dbe0261df0
Author: Andreas Tille <tille@debian.org>
Date:   Tue May 26 07:20:02 2026 +0200

    Permit failure of blhc in Salsa CI

commit da73c0ae0494a6ef9a38ca196258e346132dc28e
Author: Luca Boccassi <luca.boccassi@gmail.com>
Date:   Mon May 25 22:35:06 2026 +0100

    Install and use sysusers.d/tmpfiles.d config files
    
    sysusers.d/tmpfiles.d config files allow a package to use declarative
    configuration instead of manually written maintainer scripts. This also
    allows image-based systems to be created with /usr/ only, and also
    allows for factory resetting a system and recreating /etc/ on boot.
    
    https://www.freedesktop.org/software/systemd/man/latest/sysusers.d.html
    https://www.freedesktop.org/software/systemd/man/latest/tmpfiles.d.html

commit 0dee5e235d4dd52045cf1ecf5c26a9eef017379a
Author: Luca Boccassi <luca.boccassi@gmail.com>
Date:   Mon May 25 22:19:42 2026 +0100

    Stop deleting system user on remove/purge
    
    This is widely considered bad practice, as the kernel recycles
    UIDs/GIDs. So any potential leftover file/directory can then become
    owned by the next user/group that gets added, with unpredictable
    consequences.

Created: 2026-05-26 Last update: 2026-06-03 01:01

Multiarch hinter reports 2 issue(s) low

There are issues with the multiarch metadata for this package.

orthanc-doc could be marked Multi-Arch: foreign
orthanc-dev could be converted to Architecture: all and marked Multi-Arch: foreign

Created: 2016-09-14 Last update: 2026-06-05 20:02

11 low-priority security issues in trixie low

There are 11 open security issues in trixie.

11 issues left for the package maintainer to handle:

CVE-2026-5437: (needs triaging) An out-of-bounds read vulnerability exists in `DicomStreamReader` during DICOM meta-header parsing. When processing malformed metadata structures, the parser may read beyond the bounds of the allocated metadata buffer. Although this issue does not typically crash the server or expose data directly to the attacker, it reflects insufficient input validation in the parsing logic.
CVE-2026-5438: (needs triaging) A gzip decompression bomb vulnerability exists when Orthanc processes HTTP request with `Content-Encoding: gzip`. The server does not enforce limits on decompressed size and allocates memory based on attacker-controlled compression metadata. A specially crafted gzip payload can trigger excessive memory allocation and exhaust system memory.
CVE-2026-5439: (needs triaging) A memory exhaustion vulnerability exists in ZIP archive processing. Orthanc automatically extracts ZIP archives uploaded to certain endpoints and trusts metadata fields describing the uncompressed size of archived files. An attacker can craft a small ZIP archive containing a forged size value, causing the server to allocate extremely large buffers during extraction.
CVE-2026-5440: (needs triaging) A memory exhaustion vulnerability exists in the HTTP server due to unbounded use of the `Content-Length` header. The server allocates memory directly based on the attacker supplied header value without enforcing an upper limit. A crafted HTTP request containing an extremely large `Content-Length` value can trigger excessive memory allocation and server termination, even without sending a request body.
CVE-2026-5441: (needs triaging) An out-of-bounds read vulnerability exists in the `DecodePsmctRle1` function of `DicomImageDecoder.cpp`. The `PMSCT_RLE1` decompression routine, which decodes the proprietary Philips Compression format, does not properly validate escape markers placed near the end of the compressed data stream. A crafted sequence at the end of the buffer can cause the decoder to read beyond the allocated memory region and leak heap data into the rendered image output.
CVE-2026-5442: (needs triaging) A heap buffer overflow vulnerability exists in the DICOM image decoder. Dimension fields are encoded using Value Representation (VR) Unsigned Long (UL), instead of the expected VR Unsigned Short (US), which allows extremely large dimensions to be processed. This causes an integer overflow during frame size calculation and results in out-of-bounds memory access during image decoding.
CVE-2026-5443: (needs triaging) A heap buffer overflow vulnerability exists during the decoding of `PALETTE COLOR` DICOM images. Pixel length validation uses 32-bit multiplication for width and height calculations. If these values overflow, the validation check incorrectly succeeds, allowing the decoder to read and write to memory beyond allocated buffers.
CVE-2026-5444: (needs triaging) A heap buffer overflow vulnerability exists in the PAM image parsing logic. When Orthanc processes a crafted PAM image embedded in a DICOM file, image dimensions are multiplied using 32-bit unsigned arithmetic. Specially chosen values can cause an integer overflow during buffer size calculation, resulting in the allocation of a small buffer followed by a much larger write operation during pixel processing.
CVE-2026-5445: (needs triaging) An out-of-bounds read vulnerability exists in the `DecodeLookupTable` function within `DicomImageDecoder.cpp`. The lookup-table decoding logic used for `PALETTE COLOR` images does not validate pixel indices against the lookup table size. Crafted images containing indices larger than the palette size cause the decoder to read beyond allocated lookup table memory and expose heap contents in the output image.
CVE-2025-15581: (needs triaging) Orthanc versions before 1.12.10 are affected by an authorisation logic flaw in the application's HTTP Basic Authentication implementation. Successful exploitation could result in Privilege Escalation, potentially allowing full administrative access.
CVE-2026-10528: (needs triaging) A security flaw has been discovered in Orthanc DICOM Server up to 1.12.11. This issue affects the function DcmItem::read of the file OrthancFramework/Sources/DicomParsing/FromDcmtkBridge.cpp of the component DCMTK Parser. Performing a manipulation results in stack-based buffer overflow. Attacking locally is a requirement. The exploit has been released to the public and may be used for attacks. The patch is named bae99026ca97. To fix this issue, it is recommended to deploy a patch.

You can find information about how to handle these issues in the security team's documentation.

Created: 2026-02-19 Last update: 2026-06-02 20:00

12 low-priority security issues in bookworm low

There are 12 open security issues in bookworm.

12 issues left for the package maintainer to handle:

CVE-2026-5437: (needs triaging) An out-of-bounds read vulnerability exists in `DicomStreamReader` during DICOM meta-header parsing. When processing malformed metadata structures, the parser may read beyond the bounds of the allocated metadata buffer. Although this issue does not typically crash the server or expose data directly to the attacker, it reflects insufficient input validation in the parsing logic.
CVE-2026-5438: (needs triaging) A gzip decompression bomb vulnerability exists when Orthanc processes HTTP request with `Content-Encoding: gzip`. The server does not enforce limits on decompressed size and allocates memory based on attacker-controlled compression metadata. A specially crafted gzip payload can trigger excessive memory allocation and exhaust system memory.
CVE-2026-5439: (needs triaging) A memory exhaustion vulnerability exists in ZIP archive processing. Orthanc automatically extracts ZIP archives uploaded to certain endpoints and trusts metadata fields describing the uncompressed size of archived files. An attacker can craft a small ZIP archive containing a forged size value, causing the server to allocate extremely large buffers during extraction.
CVE-2026-5440: (needs triaging) A memory exhaustion vulnerability exists in the HTTP server due to unbounded use of the `Content-Length` header. The server allocates memory directly based on the attacker supplied header value without enforcing an upper limit. A crafted HTTP request containing an extremely large `Content-Length` value can trigger excessive memory allocation and server termination, even without sending a request body.
CVE-2026-5441: (needs triaging) An out-of-bounds read vulnerability exists in the `DecodePsmctRle1` function of `DicomImageDecoder.cpp`. The `PMSCT_RLE1` decompression routine, which decodes the proprietary Philips Compression format, does not properly validate escape markers placed near the end of the compressed data stream. A crafted sequence at the end of the buffer can cause the decoder to read beyond the allocated memory region and leak heap data into the rendered image output.
CVE-2026-5442: (needs triaging) A heap buffer overflow vulnerability exists in the DICOM image decoder. Dimension fields are encoded using Value Representation (VR) Unsigned Long (UL), instead of the expected VR Unsigned Short (US), which allows extremely large dimensions to be processed. This causes an integer overflow during frame size calculation and results in out-of-bounds memory access during image decoding.
CVE-2026-5443: (needs triaging) A heap buffer overflow vulnerability exists during the decoding of `PALETTE COLOR` DICOM images. Pixel length validation uses 32-bit multiplication for width and height calculations. If these values overflow, the validation check incorrectly succeeds, allowing the decoder to read and write to memory beyond allocated buffers.
CVE-2026-5444: (needs triaging) A heap buffer overflow vulnerability exists in the PAM image parsing logic. When Orthanc processes a crafted PAM image embedded in a DICOM file, image dimensions are multiplied using 32-bit unsigned arithmetic. Specially chosen values can cause an integer overflow during buffer size calculation, resulting in the allocation of a small buffer followed by a much larger write operation during pixel processing.
CVE-2026-5445: (needs triaging) An out-of-bounds read vulnerability exists in the `DecodeLookupTable` function within `DicomImageDecoder.cpp`. The lookup-table decoding logic used for `PALETTE COLOR` images does not validate pixel indices against the lookup table size. Crafted images containing indices larger than the palette size cause the decoder to read beyond allocated lookup table memory and expose heap contents in the output image.
CVE-2024-22725: (needs triaging) Orthanc versions before 1.12.2 are affected by a reflected cross-site scripting (XSS) vulnerability. The vulnerability was present in the server's error reporting.
CVE-2025-15581: (needs triaging) Orthanc versions before 1.12.10 are affected by an authorisation logic flaw in the application's HTTP Basic Authentication implementation. Successful exploitation could result in Privilege Escalation, potentially allowing full administrative access.
CVE-2026-10528: (needs triaging) A security flaw has been discovered in Orthanc DICOM Server up to 1.12.11. This issue affects the function DcmItem::read of the file OrthancFramework/Sources/DicomParsing/FromDcmtkBridge.cpp of the component DCMTK Parser. Performing a manipulation results in stack-based buffer overflow. Attacking locally is a requirement. The exploit has been released to the public and may be used for attacks. The patch is named bae99026ca97. To fix this issue, it is recommended to deploy a patch.

You can find information about how to handle these issues in the security team's documentation.

Created: 2024-01-24 Last update: 2026-06-02 20:00

testing migrations

This package will soon be part of the auto-protobuf transition. You might want to ensure that your package is ready for it. You can probably find supplementary information in the debian-release archives or in the corresponding release.debian.org bug.
This package will soon be part of the auto-openssl transition. You might want to ensure that your package is ready for it. You can probably find supplementary information in the debian-release archives or in the corresponding release.debian.org bug.

news

[rss feed]

[2026-05-18] orthanc 1.12.11+dfsg-7 MIGRATED to testing (Debian testing watch)
[2026-05-04] Accepted orthanc 1.12.11+dfsg-7 (source) into unstable (Sebastien Jodogne)
[2026-05-02] orthanc 1.12.11+dfsg-6 MIGRATED to testing (Debian testing watch)
[2026-04-28] Accepted orthanc 1.12.11+dfsg-6 (source) into unstable (Sebastien Jodogne)
[2026-04-27] orthanc 1.12.11+dfsg-4 MIGRATED to testing (Debian testing watch)
[2026-04-27] Accepted orthanc 1.12.11+dfsg-5 (source amd64 all) into unstable (Debian FTP Masters) (signed by: Andreas Tille)
[2026-04-24] Accepted orthanc 1.12.11+dfsg-4 (source) into unstable (Sebastien Jodogne)
[2026-04-17] Accepted orthanc 1.12.11+dfsg-3 (source) into unstable (Sebastien Jodogne)
[2026-04-14] Accepted orthanc 1.12.11+dfsg-2 (source) into unstable (Sebastien Jodogne)
[2026-04-14] Accepted orthanc 1.12.11+dfsg-1 (source) into unstable (Sebastien Jodogne)
[2026-04-13] Accepted orthanc 1.12.10+dfsg-5 (source) into unstable (Sebastien Jodogne)
[2026-04-11] Accepted orthanc 1.12.10+dfsg-4 (source) into unstable (Sebastien Jodogne)
[2026-04-11] Accepted orthanc 1.12.10+dfsg-3 (source) into unstable (Étienne Mollier)
[2026-03-19] orthanc 1.12.10+dfsg-2 MIGRATED to testing (Debian testing watch)
[2026-03-16] Accepted orthanc 1.12.10+dfsg-2 (source) into unstable (Sebastien Jodogne)
[2026-02-28] Accepted orthanc 1.9.2+really1.9.1+dfsg-1+deb11u2 (source) into oldoldstable-security (Paride Legovini)
[2025-11-29] orthanc 1.12.10+dfsg-1 MIGRATED to testing (Debian testing watch)
[2025-11-26] Accepted orthanc 1.12.10+dfsg-1 (source) into unstable (Sebastien Jodogne)
[2025-09-23] orthanc 1.12.9+dfsg-2 MIGRATED to testing (Debian testing watch)
[2025-09-21] Accepted orthanc 1.12.9+dfsg-2 (source) into unstable (Sebastien Jodogne)
[2025-08-19] Accepted orthanc 1.12.9+dfsg-1 (source) into unstable (Sebastien Jodogne)
[2025-05-06] orthanc 1.12.7+dfsg-4 MIGRATED to testing (Debian testing watch)
[2025-04-23] Accepted orthanc 1.12.7+dfsg-4 (source) into unstable (Étienne Mollier)
[2025-04-22] Accepted orthanc 1.12.7+dfsg-3 (source) into unstable (Sebastien Jodogne)
[2025-04-22] Accepted orthanc 1.12.7+dfsg-2 (source) into unstable (Sebastien Jodogne)
[2025-04-07] Accepted orthanc 1.12.7+dfsg-1 (source) into unstable (Sebastien Jodogne)
[2025-02-26] orthanc 1.12.6+dfsg-1 MIGRATED to testing (Debian testing watch)
[2025-02-24] Accepted orthanc 1.12.6+dfsg-1 (source) into unstable (Sebastien Jodogne)
[2025-02-18] orthanc 1.12.5+dfsg-2 MIGRATED to testing (Debian testing watch)
[2025-02-15] Accepted orthanc 1.12.5+dfsg-2 (source) into unstable (Sebastien Jodogne)

bugs [bug history graph]

all: 2
RC: 0
I&N: 1
M&W: 1
F&P: 0
patch: 0

links

homepage
lintian
buildd: logs, reproducibility, cross
popcon
browse source code
other distros
security tracker
screenshots
debian patches
debci

ubuntu

[Information about Ubuntu for Debian Developers]

version: 1.12.10+dfsg-2
2 bugs