openSUSE 16 Security Update : orthanc, gdcm, orthanc-authorization, orthanc-dicomweb, orthanc-gdcm, orthanc-indexer, orthanc-mysql, orthanc-neuro, orthanc-postgresql, orthanc-python, orthanc-stl, orthanc-tcia, orthanc-wsi, python-pyorthanc (openSUSE-SU-2026:20193-1)

critical Nessus Plugin ID 298723

Synopsis

The remote openSUSE host is missing one or more security updates.

Description

The remote openSUSE 16 host has packages installed that are affected by multiple vulnerabilities as referenced in the openSUSE-SU-2026:20193-1 advisory.

Changes in orthanc:

- dcmtk 370 breaks TW build

- switch to lua 5.4

- patch out boost component system from framework

- version 1.12.10
* long changelog - see NEWS for details

- apply boost patch to source tree

- Stop trying to pull libboost_system-devel in all orthanc packages.

- remove libboost_system-devel for TW (removed in boost 1.89)

- version 1.12.9
* long changelog - see NEWS for details

Changes in gdcm:

- apply fix for poppler 25.10 build error

Changes in orthanc-authorization:

- version 0.10.3
* New default permissions for worklists
* New default permissions for tools/metrics-prometheus
* New default permissions for tools/generate-uid

- version 0.10.2
* New default permissions to add/delete modalities through the Rest API https://discourse.orthanc-server.org/t/managing-modalities-using-the-rest-api-and-keycloak/6137
* New standard configuration stl

- remove libboost_system-devel for TW (removed in boost 1.89)

- version 0.10.1
* Fix audit-logs export in CSV format.
* New configuration ExtraPermissions to ADD new permissions to the default Permissions entries.
* Improved handling of Anonymous user profiles (when no auth-tokens are provided): The plugin will now request the auth-service to get an anonymous user profile even if there are no auth-tokens in the HTTP request.
* The User profile can now contain a groups field if the auth-service provides it.
* The User profile can now contain an id field if the auth-service provides it.
* New experimental feature: audit-logs
- Enabled by the EnableAuditLogs configuration.
- Audit-logs are currently handled by the PostgreSQL plugin and can be browsed through the route /auth/audit-logs.
- New default permission audit-logs to grant access to the /auth/audit-logs route.
* Fix: The server-id field is now included in all requests sent to the auth-service.

Changes in orthanc-dicomweb:

- version 1.22
* framework2.diff added for compatibility with Orthanc framework <= 1.12.10
* Fixed a possible deadlock when using WadoRsLoaderThreadsCount > 1 when the HTTP client disconnects while downloading the response.
* Fixed "Success: Success" errors when trying to send resources synchronously to a remote DICOMweb server while the Orthanc job engine was busy with other tasks.

- remove libboost_system-devel for TW (removed in boost 1.89)

- version 1.21
* New configuration WadoRsLoaderThreadsCount to configure how many threads are loading files from the storage when answering a WADO-RS query. A value > 1 is meaningful only if the storage is a distributed network storage (e.g. object storage plugin).
A value of 0 means reading and writing are performed in sequence (default behaviour).
* New configuration EnablePerformanceLogs to display performance logs. Currently only showing the time required to execute a WADO-RS query. For example:
WADO-RS: elapsed: 26106623 us, rate: 14.86 instances/s, 155.23Mbps
* Fix false error logs generated e.g. when OHIF requests the /dicom-web/studies/../metadata route:
dicom-web:/Configuration.cpp:643] Unsupported return MIME type: application/dicom+json, multipart/related; type=application/octet-stream; transfer-syntax=*, will return DICOM+JSON

Changes in orthanc-gdcm:

- version 1.8
* Prevent transcoding of DICOM images with empty SharedFunctionalGroupsSequence (5200,9229), as this might crash GDCM.
* The built-in Orthanc transcoder being usually more stable, the default value of the RestrictTransferSyntaxes configuration has been updated to configure the GDCM plugin for J2K transfer syntaxes only since these transfer syntaxes are currently not supported by the built-in Orthanc transcoder.
- If RestrictTransferSyntaxes is not specified in your configuration, it is now equivalent to
  RestrictTransferSyntaxes : [
    1.2.840.10008.1.2.4.90, // JPEG 2000 Image Compression (Lossless Only)
    1.2.840.10008.1.2.4.91, // JPEG 2000 Image Compression
    1.2.840.10008.1.2.4.92, // JPEG 2000 Part 2 Multicomponent Image Compression (Lossless Only)
    1.2.840.10008.1.2.4.93 // JPEG 2000 Part 2 Multicomponent Image Compression
  ]
  which was the recommended configuration.
- If RestrictTransferSyntaxes is defined but empty, the GDCM plugin will now be used to transcode ALL transfer syntaxes (this was the default behaviour up to version 1.7)

- remove libboost_system-devel for TW (removed in boost 1.89)

- version 1.7
* Upgrade to GDCM 3.0.24 for static builds. Fixes:
- CVE-2024-22373: https://nvd.nist.gov/vuln/detail/CVE-2024-22373
- CVE-2024-22391: https://nvd.nist.gov/vuln/detail/CVE-2024-22391
- CVE-2024-25569: https://nvd.nist.gov/vuln/detail/CVE-2024-25569

Changes in orthanc-indexer:

- remove libboost_system-devel for TW (removed in boost 1.89)

Changes in orthanc-mysql:

- remove libboost_system-devel for TW (removed in boost 1.89)

Changes in orthanc-neuro:

- remove libboost_system-devel for TW (removed in boost 1.89)

Changes in orthanc-postgresql:

- version 10.0
* update mainly providing new Reserve and Acknowledge primitives for Queues in plugins

- remove libboost_system-devel for TW (removed in boost 1.89)

- version 9.0
* DB-scheme rev. 6 - check Orthanc book

- version 8.0
* no changelog provided
* New DB scheme

Changes in orthanc-python:

- version 7.0
* The orthanc.pyi stub is now excluded from the install step during the build
* Wrapped new SCP callbacks:
- RegisterFindCallback2()
- RegisterMoveCallback3()
- RegisterWorklistCallback2()
- RegisterStorageCommitmentScpCallback2()
* Wrapped new Queues methods:
- ReserveQueueValue()
- AcknowledgeQueueValue()

- remove libboost_system-devel for TW (removed in boost 1.89)

- remove /usr/orthanc.pyi - unneeded

- version 6.0
* The auto-generation of the Python wrapper is now part of the build, to exploit the ORTHANC_PLUGIN_SINCE_SDK macro. This provides backward compatibility with the SDK that is actually installed on the system
* Added Windows builder for Python 3.13
* Added Docker-based builder scripts for Debian 13 (trixie)

Changes in orthanc-stl:

- patch out libboost-system to fix build error

- remove libboost_system-devel for TW (removed in boost 1.89)

Changes in orthanc-tcia:

- version 1.3
* Replaced default base URL of TCIA REST API from https://services.cancerimagingarchive.net/services/v4/TCIA/query to https://nbia.cancerimagingarchive.net/nbia-api/services/v4
* Added configuration option BaseUrl to manually configure the base URL
* Fix for newer versions of the NBIA cart file format
* Upgrade to Orthanc framework 1.12.3

- remove libboost_system-devel for TW (removed in boost 1.89)

Changes in orthanc-wsi:

- fix build error with framework 1.12.10

- version 3.3
* OrthancWSIDicomizer:
- New option --encoding to specify the specific character set of DICOM instances
- Placeholder tags are now automatically inserted when the --dataset option provides incomplete data, ensuring the generated DICOM instances remain valid
- The version of the DICOM-izer is available in DICOM tag SoftwareVersions
- ImagedVolumeWidth and ImagedVolumeHeight are swapped with respect to releases <= 3.2:
https://discourse.orthanc-server.org/t/5912
* Viewer plugin:
- Added rotation button in the viewer
- The viewer displays a label if the description GET parameter is provided
- Upgraded to OpenLayers 10.6.1

- remove libboost_system-devel for TW (removed in boost 1.89)

Changes in python-pyorthanc:

- version 1.22.1
* no changelog provided

Tenable has extracted the preceding description block directly from the SUSE security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Update the affected packages.

See Also

https://www.suse.com/security/cve/CVE-2024-22373

https://www.suse.com/security/cve/CVE-2024-22391

https://www.suse.com/security/cve/CVE-2024-25569

Plugin Details

Severity: Critical

ID: 298723

File Name: openSUSE-2026-20193-1.nasl

Version: 1.1

Type: local

Agent: unix

Published: 2/12/2026

Updated: 2/12/2026

Supported Sensors: Continuous Assessment, Frictionless Assessment Agent, Frictionless Assessment AWS, Frictionless Assessment Azure, Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 6.7

CVSS v2

Risk Factor: Critical

Base Score: 10

Temporal Score: 7.8

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS Score Source: CVE-2024-22391

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Temporal Score: 8.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

CPE: p-cpe:/a:novell:opensuse:orthanc-devel, p-cpe:/a:novell:opensuse:python3-gdcm, p-cpe:/a:novell:opensuse:orthanc-authorization, p-cpe:/a:novell:opensuse:libgdcm3_0, p-cpe:/a:novell:opensuse:orthanc-source, p-cpe:/a:novell:opensuse:orthanc-gdcm, p-cpe:/a:novell:opensuse:gdcm-examples, p-cpe:/a:novell:opensuse:orthanc-python, p-cpe:/a:novell:opensuse:gdcm, p-cpe:/a:novell:opensuse:python313-pyorthanc, p-cpe:/a:novell:opensuse:orthanc-mysql, p-cpe:/a:novell:opensuse:gdcm-applications, p-cpe:/a:novell:opensuse:gdcm-devel, p-cpe:/a:novell:opensuse:orthanc, p-cpe:/a:novell:opensuse:orthanc-tcia, cpe:/o:novell:opensuse:16.0, p-cpe:/a:novell:opensuse:orthanc-dicomweb, p-cpe:/a:novell:opensuse:orthanc-indexer, p-cpe:/a:novell:opensuse:orthanc-neuro, p-cpe:/a:novell:opensuse:libsocketxx1_2, p-cpe:/a:novell:opensuse:orthanc-postgresql, p-cpe:/a:novell:opensuse:orthanc-stl, p-cpe:/a:novell:opensuse:orthanc-wsi

Required KB Items: Host/local_checks_enabled, Host/cpu, Host/SuSE/release, Host/SuSE/rpm-list

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 2/10/2026

Vulnerability Publication Date: 4/25/2024

Reference Information

CVE: CVE-2024-22373, CVE-2024-22391, CVE-2024-25569