Hi,

We use Debian (currently bookworm) for hosting our application. One of our customers is performing a thorough security audit test. Amongst others, they are checking the SBOM file of the OS and reviewing it with BlackDuck. They came up with a list of high-criticality CVEs from the Oracle Berkeley DB libdb5.3 package, which on your tracker list are marked as “NOT-FOR-US: Oracle”. They argue that package libdb5.3/5.3.28 is installed, which is affected according to Oracle (https://www.oracle.com/security-alerts/cpuapr2017.html#AppendixTOOL), thus we’re vulnerable.

Can you please let us know, if these CVEs

I strongly believe it’s b) but I have very few arguments I can play with ☹

I understand that for now I cannot simply remove libdb, as the PAM module depends on it.

The list of CVEs: CVE-2016-0682, CVE-2016-0689, CVE-2016-0692, CVE-2016-0694, CVE-2016-3418, CVE-2017-3604, CVE-2017-3605, CVE-2017-3606, CVE-2017-3607, CVE-2017-3608, CVE-2017-3609, CVE-2017-3610, CVE-2017-3611, CVE-2017-3612, CVE-2017-3613, CVE-2017-3614, CVE-2017-3615, CVE-2017-3616, CVE-2017-3617, CVE-2020-2981, CVE-2015-2583, CVE-2015-2626, CVE-2015-2640, CVE-2015-2654, CVE-2015-4754, CVE-2015-2624, CVE-2015-4784, CVE-2015-2656, CVE-2015-4787, CVE-2015-4789, CVE-2015-4785, CVE-2015-4786, CVE-2015-4783, CVE-2015-4764, CVE-2015-4780, CVE-2015-4790, CVE-2015-4776, CVE-2015-4775, CVE-2015-4778, CVE-2015-4777, CVE-2015-4782, CVE-2015-4781, CVE-2015-4774

Thanks.
Tomas