On Wed, Oct 15, 2025 at 9:14 AM Juraj Longauer
<[email protected]> wrote:
>
> A follow-up question, if I may...
>
> May I assume that when the CRITICAL CVE is identified on Berkeley DB 
> (libdb5.3) and enough information is shared the package maintainer will fix 
> it?
> I talked to the maintainer and he mentioned that the library is now orphaned, which
> suggests that the fix will not be developed?
> Bastian Germann: "...The request was placed better at the Security Team. I 
> have orphaned the pkg."
> https://packages.debian.org/bookworm/libdb5.3

I seem to recall Berkeley DB changed its licensing way back when, and it
caused projects like Debian and Fedora to freeze the version at the
old, downlevel version.  I doubt the package will be updated, even
with a maintainer (until the license changes to something more
amenable to FOSS).

Or, I could be mis-remembering things because I am getting old...

Jeff
