
Re: BerkeleyDB CVEs



On 2025-09-26 12:43:43 +0000 (+0000), Tomáš Macák wrote:
[...]
They came up with a list of high criticality CVEs from the Oracle Berkeley DB libdb5.3 package, which on your tracker list are marked as “NOT-FOR-US: Oracle”. They argue that package libdb5.3/5.3.28 is installed, which is affected according to Oracle (https://www.oracle.com/security-alerts/cpuapr2017.html#AppendixTOOL), thus we’re vulnerable
[...]

Spot checking a bunch of the ones you listed in Debian's security tracker, it looks like they're either flagged as specific to Oracle's closed source Berkeley DB product:

https://security-tracker.debian.org/tracker/CVE-2016-0689

...or Oracle did not supply sufficient public information for anyone to be able to identify what the fix was so that it could be confirmed as affecting Debian much less backported:

https://security-tracker.debian.org/tracker/CVE-2015-2624

My perspective as both an upstream free/libre open source software project vulnerability manager as well as a sysadmin responsible for securing a vast number of Internet-connected systems is that BlackDuck's scanner isn't all that useful due to woefully insufficient report context, its inability to identify backported fixes in distributions, and the *terrible* misconception that the existence of a CVE necessarily implies an actual security risk (I've given up disputing the endless flood of useless CVEs I see reported any more).

And Oracle's not helping matters; they have been notorious for decades for being intentionally tight-lipped about any security issues they fix in their products.

The other thing to pay attention to is that db5.3 is orphaned and newer versions aren't suitably licensed for main, so BDB has no real future in Debian:

https://bugs.debian.org/1055356

In short, I don't think you're going to get any satisfactory answer to your question because the situation itself is unsatisfactory.
--
Jeremy Stanley
