Re: Re: BerkeleyDB CVEs

To: "debian-security@lists.debian.org" <debian-security@lists.debian.org>
Subject: Re: Re: BerkeleyDB CVEs
From: Jeffrey Walton <noloader@gmail.com>
Date: Wed, 15 Oct 2025 09:42:19 -0400
Message-id: <[🔎] CAH8yC8nhvwXZrRyGmaNYKgX3ACAZ=QNt4cz655vL1s1TBwzH3Q@mail.gmail.com>
Reply-to: noloader@gmail.com
In-reply-to: <[🔎] AS8PR01MB8796060A86A93DDBAD51C94E93E8A@AS8PR01MB8796.eurprd01.prod.exchangelabs.com>
References: <[🔎] AS8PR01MB8796060A86A93DDBAD51C94E93E8A@AS8PR01MB8796.eurprd01.prod.exchangelabs.com>

On Wed, Oct 15, 2025 at 9:14 AM Juraj Longauer
<juraj.longauer@flowbox.com> wrote:
>
> A follow up questions if I may...
>
> May I assume that when the CRITICAL CVE is identified on Berkeley DB (libdb5.3) and enough information is shared the package maintainer will fix it?
> I talked to maintainer and he mentioned that library is now orphaned which suggests that the fix will not be developed?
> Bastian Germann: "...The request was placed better at the Security Team. I have orphaned the pkg."
> https://packages.debian.org/bookworm/libdb5.3

I seem to recall BerkleyDB changed its licensing way back when, and it
caused projects like Debian and Fedora to freeze the version at the
old, downlevel version.  I doubt the package will be updated, even
with a maintainer (until the license changes to something more
amenable to FOSS).

Or, I could be mis-remembering things because I am getting old...

Jeff

Reply to:

References:
- Re: Re: BerkeleyDB CVEs
  - From: Juraj Longauer <juraj.longauer@flowbox.com>

Prev by Date: Re: Re: BerkeleyDB CVEs
Next by Date: Re: Status of Intel CET in Debian
Previous by thread: Re: Re: BerkeleyDB CVEs
Next by thread: Upcoming stable point release (13.2)
Index(es):
- Date
- Thread