Re: BerkeleyDB CVEs

Sylvain Beucler Fri, 26 Sep 2025 08:57:39 -0700

Hi,

On 26/09/2025 17:18, Carlos Henrique Lima Melara wrote:

On Fri, Sep 26, 2025 at 12:43:43PM +0000, Tomáš Macák wrote:

One of our customers is performing thorough security audit test. Amongst others 
they are checking SBOM file of OS and reviewing it with BlackDuck


They came up with list of high criticality CVEs from Oracle Berkeley DB 
libdb5.3 package, which on your tracker list are marked as “NOT-FOR-US: 
Oracle”. They argue that package libdb5.3/5.3.28 is installed which is affected 
accrding to Oracle 
(https://www.oracle.com/security-alerts/cpuapr2017.html#AppendixTOOL) thus 
we’re vulnerable

Can you please let us know, if these CVEs

   1.  Really affect Debian, but since the code is external/Oracle you cannot 
fix it – marked NFU
   2.  Portions of code in CVEs is not present/used in Debian libdb package

I strongly believe it’s b) but I have very few arguments I can play with ☹


If they paid for the security assessment, isn't part of the job triaging
the report to make sure the CVEs reported aren't false positives
outputed by some automated tool? That's what I would ask your customer.

I understand for now I cannot simple remove libdb for now as PAM module depends 
on it

The list of CVEs:
CVE-2016-0682, CVE-2016-0689, CVE-2016-0692, CVE-2016-0694, CVE-2016-3418, 
CVE-2017-3604, CVE-2017-3605, CVE-2017-3606, CVE-2017-3607, CVE-2017-3608, 
CVE-2017-3609, CVE-2017-3610, CVE-2017-3611, CVE-2017-3612, CVE-2017-3613, 
CVE-2017-3614, CVE-2017-3615, CVE-2017-3616, CVE-2017-3617, CVE-2020-2981, 
CVE-2015-2583, CVE-2015-2626, CVE-2015-2640, CVE-2015-2654, CVE-2015-4754, 
CVE-2015-2624, CVE-2015-4784, CVE-2015-2656, CVE-2015-4787, CVE-2015-4789, 
CVE-2015-4785, CVE-2015-4786, CVE-2015-4783, CVE-2015-4764, CVE-2015-4780, 
CVE-2015-4790, CVE-2015-4776, CVE-2015-4775, CVE-2015-4778, CVE-2015-4777, 
CVE-2015-4782, CVE-2015-4781, CVE-2015-4774


I did look at the first 2 CVEs in the security tracker and they read
[1][2]:

NOT-FOR-US: Oracle Berkeley DB (later closed source releases)

So I'd guess this is true to all others, but again I feel this is part
of the job of the third party doing the security assessment to verify,
not yours and not secteam's.


Additionally, NFU is described at:
https://security-team.debian.org/security_tracker.html#issues-not-for-us-nfu
and should mean Debian doesn't ship affected software _at all_.

Note: later BDB are not closed source but dual-licensed AGPL, thereappears to be a typo here, or maybe that changed since the 2016 triage.

In any case Debian shouldn't be affected, but as Jeremy noted there'slittle information:

https://www.cve.org/CVERecord?id=CVE-2016-0682
"Unspecified vulnerability ... via unknown vectors ..."

Contact Oracle, or BlackDuck since they appear to have information wedon't :)


Cheers!
Sylvain

Re: BerkeleyDB CVEs

Reply via email to