orthanc (1.9.2+really1.9.1+dfsg-1+deb11u1) bullseye-security; urgency=high

  * Team upload.
  * cve-2023-33466.patch: disable file system writes.
    This patch backports the option RestApiWriteToFileSystemEnabled to
    Orthanc in Debian bullseye. This allows delivering Orthanc without
    being vulnerable to arbitrary writes to the file system by
    authenticated users, referenced as CVE-2023-33466. The legacy and
    vulnerable behaviour can be restored by setting the variable
    RestApiWriteToFileSystemEnabled to true in /etc/orthanc/orthanc.json.
    (Closes: #1040597)

 -- Étienne Mollier <email address hidden>  Wed, 19 Jul 2023 16:48:56 +0200
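
An added example, not part of the Debian changelog or of Orthanc itself: a Python check that reports whether a configuration file restores the legacy behaviour by setting RestApiWriteToFileSystemEnabled to true. It assumes the configuration is JSON that may carry C-style comments; the function names and the sample configurations are constructed for illustration.

```python
import json

OPTION = "RestApiWriteToFileSystemEnabled"  # option name from the changelog entry


def strip_json_comments(text):
    """Remove // and /* */ comments, leaving string literals untouched."""
    out, i, n, in_string = [], 0, len(text), False
    while i < n:
        ch = text[i]
        if in_string:
            out.append(ch)
            if ch == "\\" and i + 1 < n:   # keep the escaped character as-is
                out.append(text[i + 1])
                i += 1
            elif ch == '"':
                in_string = False
        elif ch == '"':
            in_string = True
            out.append(ch)
        elif text.startswith("//", i):     # line comment: skip to end of line
            while i < n and text[i] != "\n":
                i += 1
            continue
        elif text.startswith("/*", i):     # block comment: skip to closing */
            end = text.find("*/", i + 2)
            i = n if end == -1 else end + 2
            continue
        else:
            out.append(ch)
        i += 1
    return "".join(out)


def audit_write_option(config_text):
    """Classify one configuration file as 'vulnerable', 'hardened' or 'default'."""
    config = json.loads(strip_json_comments(config_text))
    if OPTION not in config:
        return "default"   # option absent: on the patched package, writes stay disabled
    return "vulnerable" if config[OPTION] is True else "hardened"


# Constructed sample configurations (not taken from a real system).
LEGACY = '{ "Name": "site-a", // re-enabled for export\n "RestApiWriteToFileSystemEnabled": true }'
COMMENTED = '{ "Name": "site-b" /* "RestApiWriteToFileSystemEnabled": true */ }'

if __name__ == "__main__":
    for label, text in (("legacy", LEGACY), ("commented-out", COMMENTED)):
        print(label, "->", audit_write_option(text))
```

A "default" result is only safe on a package that carries the backported option; on an unpatched build the option does not exist and the setting has no effect.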