Hi,

We use Debian (currently bookworm) for hosting our application. One of our 
customers is performing a thorough security audit. Among other things, they are 
checking the SBOM file of the OS and reviewing it with BlackDuck.

They came up with a list of high-criticality CVEs from the Oracle Berkeley DB 
libdb5.3 package, which on your tracker list are marked as “NOT-FOR-US: 
Oracle”. They argue that the package libdb5.3/5.3.28 is installed and is affected 
according to Oracle 
(https://www.oracle.com/security-alerts/cpuapr2017.html#AppendixTOOL), thus 
we’re vulnerable.

Can you please let us know whether these CVEs:

  a)  Really affect Debian, but since the code is external/Oracle you cannot 
fix it – hence marked NFU
  b)  Concern portions of code that are not present/used in the Debian libdb package

I strongly believe it’s b), but I have very few arguments I can play with ☹

I understand that for now I cannot simply remove libdb, as the PAM module depends 
on it.

The list of CVEs:
CVE-2016-0682, CVE-2016-0689, CVE-2016-0692, CVE-2016-0694, CVE-2016-3418, 
CVE-2017-3604, CVE-2017-3605, CVE-2017-3606, CVE-2017-3607, CVE-2017-3608, 
CVE-2017-3609, CVE-2017-3610, CVE-2017-3611, CVE-2017-3612, CVE-2017-3613, 
CVE-2017-3614, CVE-2017-3615, CVE-2017-3616, CVE-2017-3617, CVE-2020-2981, 
CVE-2015-2583, CVE-2015-2626, CVE-2015-2640, CVE-2015-2654, CVE-2015-4754, 
CVE-2015-2624, CVE-2015-4784, CVE-2015-2656, CVE-2015-4787, CVE-2015-4789, 
CVE-2015-4785, CVE-2015-4786, CVE-2015-4783, CVE-2015-4764, CVE-2015-4780, 
CVE-2015-4790, CVE-2015-4776, CVE-2015-4775, CVE-2015-4778, CVE-2015-4777, 
CVE-2015-4782, CVE-2015-4781, CVE-2015-4774

Thanks. Tomas
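A worked triage script, added here as an example and not part of the original mail or of any Debian tooling. It takes a scanner's CVE list for a component (the list above, parsed out of the mail text) and cross-references it against data in the shape of the Debian security tracker's JSON export (https://security-tracker.debian.org/tracker/data/json). Two points the mail turns on are built in: the tracker is keyed by *source* package (libdb5.3 is built from source package db5.3), so the binary name from the SBOM must be mapped first; and, as an assumption, CVEs the tracker marks NOT-FOR-US are not attached to any package and therefore do not appear in the export at all. The tracker excerpt, the binary-to-source mapping and the CVE id CVE-2099-0001 are constructed placeholders; the script only sorts CVEs into "needs a human answer from the tracker's NFU notes" versus "tracked, with this status", it does not decide whether the NFU reasoning is right.

```python
"""Cross-reference scanner-reported CVEs against Debian security tracker data.

Added example, not from the original mail. All inputs are constructed; the
tracker excerpt imitates the shape of the tracker's JSON export (source
package -> CVE -> per-release status). Assumption: NOT-FOR-US CVEs are not
attached to a source package and so are absent from that export.
"""
import json
import re
from collections import Counter

CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")

# Constructed: the CVE list as it appears in the mail body.
MAIL_CVE_TEXT = """
CVE-2016-0682, CVE-2016-0689, CVE-2016-0692, CVE-2016-0694, CVE-2016-3418,
CVE-2017-3604, CVE-2017-3605, CVE-2017-3606, CVE-2017-3607, CVE-2017-3608,
CVE-2017-3609, CVE-2017-3610, CVE-2017-3611, CVE-2017-3612, CVE-2017-3613,
CVE-2017-3614, CVE-2017-3615, CVE-2017-3616, CVE-2017-3617, CVE-2020-2981,
CVE-2015-2583, CVE-2015-2626, CVE-2015-2640, CVE-2015-2654, CVE-2015-4754,
CVE-2015-2624, CVE-2015-4784, CVE-2015-2656, CVE-2015-4787, CVE-2015-4789,
CVE-2015-4785, CVE-2015-4786, CVE-2015-4783, CVE-2015-4764, CVE-2015-4780,
CVE-2015-4790, CVE-2015-4776, CVE-2015-4775, CVE-2015-4778, CVE-2015-4777,
CVE-2015-4782, CVE-2015-4781, CVE-2015-4774
"""

# Constructed binary -> source package mapping. In practice this comes from
# `apt-cache showsrc <binary>` or the SBOM's source/purl field.
BINARY_TO_SOURCE = {"libdb5.3": "db5.3"}

# Constructed tracker excerpt. CVE-2099-0001 is a placeholder id, not a real CVE.
TRACKER_JSON = json.dumps({
    "db5.3": {
        "CVE-2099-0001": {
            "description": "constructed placeholder entry",
            "releases": {
                "bookworm": {"status": "resolved",
                             "fixed_version": "0.0-placeholder",
                             "urgency": "low"},
            },
        },
    },
})


def extract_cves(text):
    """Pull CVE ids out of free text, de-duplicated, in order of appearance."""
    seen = []
    for cve in CVE_RE.findall(text):
        if cve not in seen:
            seen.append(cve)
    return seen


def triage(binary_pkg, cves, tracker, binary_to_source, release="bookworm"):
    """Classify each CVE for one binary package against tracker data.

    Returns {cve: label}. Labels:
      tracked-<status>        the tracker attaches the CVE to the source
                              package and gives a status for `release`
      tracked-no-release-info attached, but no entry for `release`
      not-attached-to-source  absent from the export for this source package;
                              under the assumption above this is where
                              NOT-FOR-US CVEs land, so these need the
                              tracker's per-CVE notes, not the JSON.
    """
    source = binary_to_source.get(binary_pkg)
    if source is None:
        raise ValueError(f"no source package mapping for {binary_pkg}")
    attached = tracker.get(source, {})
    result = {}
    for cve in cves:
        if not CVE_RE.fullmatch(cve):
            raise ValueError(f"not a CVE id: {cve!r}")
        entry = attached.get(cve)
        if entry is None:
            result[cve] = "not-attached-to-source"
            continue
        rel = entry.get("releases", {}).get(release)
        result[cve] = f"tracked-{rel['status']}" if rel else "tracked-no-release-info"
    return result


def summarize(result):
    """Count CVEs per label, e.g. {'not-attached-to-source': 43}."""
    return dict(Counter(result.values()))


if __name__ == "__main__":
    tracker = json.loads(TRACKER_JSON)
    cves = extract_cves(MAIL_CVE_TEXT)
    res = triage("libdb5.3", cves, tracker, BINARY_TO_SOURCE)
    for cve, label in res.items():
        print(f"{cve:16} {label}")
    print(summarize(res))
```

Run against the constructed data, every CVE from the mail ends up in the `not-attached-to-source` bucket, which is exactly the set to take to the tracker's per-CVE pages (where the NOT-FOR-US reasoning is recorded) rather than to the JSON export; only the placeholder CVE exercises the `tracked-resolved` path. With live data, replace `TRACKER_JSON` with the downloaded export and `BINARY_TO_SOURCE` with the real `apt-cache showsrc` output.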
