
Re: BerkeleyDB CVEs



I'm not a Debian maintainer but it's worth noting that Debian regularly backports security patches to their "stable" packages. This sometimes means your package "version" might report A, even if it has seen backported security patches from version B. But if a scanning tool is only checking software "versions", it may flag your software as vulnerable when it isn't.

Perhaps someone with more knowledge of this specific package and the CVEs will respond, but in the interim you may want to read the specifics of the CVEs and if Debian indicates it's not applicable or has been patched, I would believe that over the scanning tool because your scanner may just be checking the package version.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Marcus Dean Adams

Signal: gerowen.81

Mastodon: https://mastodon.social/@gerowen

Website: https://marcusadams.me

"Civilization is the limitless multiplication
of unnecessary necessities."

-- Mark Twain

Sent from Proton Mail Android



-------- Original Message --------
On 9/26/25 09:17, Tomáš Macák - tomas.macak at flowbox.com wrote:

Hi,

 

We use Debian (currently bookworm) for hosting our application. One of our customers is performing a thorough security audit test. Among other things, they are checking the SBOM file of the OS and reviewing it with BlackDuck.

They came up with a list of high criticality CVEs from the Oracle Berkeley DB libdb5.3 package, which on your tracker list are marked as “NOT-FOR-US: Oracle”. They argue that package libdb5.3/5.3.28 is installed, which is affected according to Oracle (https://www.oracle.com/security-alerts/cpuapr2017.html#AppendixTOOL), thus we’re vulnerable.

Can you please let us know if these CVEs

  1. Really affect Debian, but since the code is external/Oracle you cannot fix it – marked NFU
  2. Portions of code in the CVEs are not present/used in the Debian libdb package

I strongly believe it’s b) but I have very few arguments I can play with.

I understand I cannot simply remove libdb for now, as the PAM module depends on it.

The list of CVEs:

CVE-2016-0682, CVE-2016-0689, CVE-2016-0692, CVE-2016-0694, CVE-2016-3418, CVE-2017-3604, CVE-2017-3605, CVE-2017-3606, CVE-2017-3607, CVE-2017-3608, CVE-2017-3609, CVE-2017-3610, CVE-2017-3611, CVE-2017-3612, CVE-2017-3613, CVE-2017-3614, CVE-2017-3615, CVE-2017-3616, CVE-2017-3617, CVE-2020-2981, CVE-2015-2583, CVE-2015-2626, CVE-2015-2640, CVE-2015-2654, CVE-2015-4754, CVE-2015-2624, CVE-2015-4784, CVE-2015-2656, CVE-2015-4787, CVE-2015-4789, CVE-2015-4785, CVE-2015-4786, CVE-2015-4783, CVE-2015-4764, CVE-2015-4780, CVE-2015-4790, CVE-2015-4776, CVE-2015-4775, CVE-2015-4778, CVE-2015-4777, CVE-2015-4782, CVE-2015-4781, CVE-2015-4774

 

Thanks. Tomas

