
Re: BerkeleyDB CVEs



Hi,

On 26/09/2025 17:18, Carlos Henrique Lima Melara wrote:
> On Fri, Sep 26, 2025 at 12:43:43PM +0000, Tomáš Macák wrote:
> > One of our customers is performing a thorough security audit test. Amongst others they are checking the SBOM file of the OS and reviewing it with BlackDuck.
> >
> > They came up with a list of high criticality CVEs from the Oracle Berkeley DB libdb5.3 package, which on your tracker list are marked as “NOT-FOR-US: Oracle”. They argue that package libdb5.3/5.3.28 is installed, which is affected according to Oracle (https://www.oracle.com/security-alerts/cpuapr2017.html#AppendixTOOL), thus we’re vulnerable.
> >
> > Can you please let us know if these CVEs
> >
> >    1.  Really affect Debian, but since the code is external/Oracle you cannot fix it – marked NFU
> >    2.  Portions of code in the CVEs are not present/used in the Debian libdb package
> >
> > I strongly believe it’s b) but I have very few arguments I can play with ☹
>
> If they paid for the security assessment, isn't part of the job triaging
> the report to make sure the CVEs reported aren't false positives
> output by some automated tool? That's what I would ask your customer.
>
> > I understand for now I cannot simply remove libdb, as the PAM module depends on it.
> >
> > The list of CVEs:
> > CVE-2016-0682, CVE-2016-0689, CVE-2016-0692, CVE-2016-0694, CVE-2016-3418, CVE-2017-3604, CVE-2017-3605, CVE-2017-3606, CVE-2017-3607, CVE-2017-3608, CVE-2017-3609, CVE-2017-3610, CVE-2017-3611, CVE-2017-3612, CVE-2017-3613, CVE-2017-3614, CVE-2017-3615, CVE-2017-3616, CVE-2017-3617, CVE-2020-2981, CVE-2015-2583, CVE-2015-2626, CVE-2015-2640, CVE-2015-2654, CVE-2015-4754, CVE-2015-2624, CVE-2015-4784, CVE-2015-2656, CVE-2015-4787, CVE-2015-4789, CVE-2015-4785, CVE-2015-4786, CVE-2015-4783, CVE-2015-4764, CVE-2015-4780, CVE-2015-4790, CVE-2015-4776, CVE-2015-4775, CVE-2015-4778, CVE-2015-4777, CVE-2015-4782, CVE-2015-4781, CVE-2015-4774
>
> I did look at the first 2 CVEs in the security tracker and they read
> [1][2]:
>
> NOT-FOR-US: Oracle Berkeley DB (later closed source releases)
>
> So I'd guess this is true for all the others, but again I feel this is part
> of the job of the third party doing the security assessment to verify,
> not yours and not secteam's.
>
> Additionally, NFU is described at:
> https://security-team.debian.org/security_tracker.html#issues-not-for-us-nfu
> and should mean Debian doesn't ship affected software _at all_.

Note: later BDB releases are not closed source but dual-licensed AGPL; there appears to be a typo here, or maybe that changed since the 2016 triage.

In any case Debian shouldn't be affected, but as Jeremy noted there's little information:
https://www.cve.org/CVERecord?id=CVE-2016-0682
"Unspecified vulnerability ... via unknown vectors ..."

Contact Oracle, or BlackDuck since they appear to have information we don't :)

Cheers!
Sylvain

