This is an advisory to users of DCMTK 3.6.0 and earlier: A vulnerability has been discovered in the association negotiation code that can be abused to cause a buffer overflow. This may cause the application to crash or to possibly execute malicious code provided by the caller). The issue, which is located in dcmnet/libsrc/dulparse.cc, has been fixed by commit 1b6bb76
on Dec 14, 2015. User who want to fix this vulnerability while continuing to use DCMTK 3.6.0 are advised to back-port this commit to their DCMTK 3.6.0 source tree, which is straightforward.