Re: BerkeleyDB CVEs
Hi Tomas,
First disclaimer is that I'm not from Debian's security team.
On Fri, Sep 26, 2025 at 12:43:43PM +0000, Tomáš Macák wrote:
> We use Debian (currently bookworm) for hosting our application.
That's awesome! You might want to add yourselves in
https://www.debian.org/users/, check the "Submissions" section in the
end of the page.
> One of our customers is performing a thorough security audit test. Amongst others, they are checking the SBOM file of the OS and reviewing it with BlackDuck
>
> They came up with a list of high criticality CVEs from the Oracle Berkeley DB libdb5.3 package, which on your tracker list are marked as “NOT-FOR-US: Oracle”. They argue that package libdb5.3/5.3.28 is installed, which is affected according to Oracle (https://www.oracle.com/security-alerts/cpuapr2017.html#AppendixTOOL), thus we’re vulnerable
>
> Can you please let us know, if these CVEs
>
> 1. Really affect Debian, but since the code is external/Oracle you cannot fix it – marked NFU
> 2. Portions of code in CVEs is not present/used in Debian libdb package
>
> I strongly believe it’s b) but I have very few arguments I can play with ☹
If they paid for the security assessment, isn't part of the job triaging
the report to make sure the CVEs reported aren't false positives
output by some automated tool? That's what I would ask your customer.
> I understand for now I cannot simply remove libdb, as the PAM module depends on it
>
> The list of CVEs:
> CVE-2016-0682, CVE-2016-0689, CVE-2016-0692, CVE-2016-0694, CVE-2016-3418, CVE-2017-3604, CVE-2017-3605, CVE-2017-3606, CVE-2017-3607, CVE-2017-3608, CVE-2017-3609, CVE-2017-3610, CVE-2017-3611, CVE-2017-3612, CVE-2017-3613, CVE-2017-3614, CVE-2017-3615, CVE-2017-3616, CVE-2017-3617, CVE-2020-2981, CVE-2015-2583, CVE-2015-2626, CVE-2015-2640, CVE-2015-2654, CVE-2015-4754, CVE-2015-2624, CVE-2015-4784, CVE-2015-2656, CVE-2015-4787, CVE-2015-4789, CVE-2015-4785, CVE-2015-4786, CVE-2015-4783, CVE-2015-4764, CVE-2015-4780, CVE-2015-4790, CVE-2015-4776, CVE-2015-4775, CVE-2015-4778, CVE-2015-4777, CVE-2015-4782, CVE-2015-4781, CVE-2015-4774
I did look at the first 2 CVEs in the security tracker and they read
[1][2]:
NOT-FOR-US: Oracle Berkeley DB (later closed source releases)
So I'd guess this is true to all others, but again I feel this is part
of the job of the third party doing the security assessment to verify,
not yours and not secteam's.
Hopefully I was able to help somewhat on what to answer your customer.
Cheers,
Charles
[1] https://security-tracker.debian.org/tracker/CVE-2016-0682
[2] https://security-tracker.debian.org/tracker/CVE-2016-0689
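A worked triage helper for the situation above, added here and not part of either message: it pulls the CVE ids out of a scanner report and classifies each one against a local copy of the Debian security tracker's JSON export, so the entries the tracker has no Debian package record for (the NOT-FOR-US kind) are separated from real open or fixed issues. The export's layout (source package, then CVE id, then per-release status) and the sample data are assumptions constructed for the example; verify the layout against a real download of https://security-tracker.debian.org/tracker/data/json before relying on it.

```python
import json
import re

# Constructed excerpt in the assumed shape of the Debian security tracker's
# JSON export: source package -> CVE id -> {"releases": {codename: status}}.
# CVE-9999-0001 is a placeholder id, not a real CVE.
TRACKER_JSON = json.dumps({
    "db5.3": {
        "CVE-9999-0001": {
            "scope": "local",
            "releases": {
                "bookworm": {"status": "resolved", "fixed_version": "5.3.28+dfsg2-1"},
            },
        },
    },
})

CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")


def extract_cves(text):
    """Return every CVE id found in free text (a scanner report, an e-mail), in order, de-duplicated."""
    found = []
    for cve in CVE_RE.findall(text):
        if cve not in found:
            found.append(cve)
    return found


def load_index(tracker_json):
    """Invert the export into CVE id -> {source package: per-release status map}."""
    index = {}
    for package, cves in json.loads(tracker_json).items():
        for cve, data in cves.items():
            index.setdefault(cve, {})[package] = data.get("releases", {})
    return index


def triage(cves, index, release="bookworm"):
    """Classify each CVE for one release: 'open', 'fixed', or 'untracked'.

    'untracked' means the export carries no Debian package record for the id;
    that is where tracker notes such as NOT-FOR-US live, so the CVE's own
    tracker page (not the scanner) decides whether the system is affected.
    """
    result = {}
    for cve in cves:
        statuses = {rel.get(release, {}).get("status") for rel in index.get(cve, {}).values()}
        if "open" in statuses:
            result[cve] = "open"
        elif "resolved" in statuses:
            result[cve] = "fixed"
        else:
            result[cve] = "untracked"
    return result
```

Anything that lands in the 'untracked' bucket is what to hand back to the assessor with the tracker URL, as was done for [1] and [2] above.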