I'm not a Debian maintainer but it's worth noting that Debian regularly backports security patches to their "stable" packages. This sometimes means your package "version" might report A, even if it has seen backported security patches from version B. But if a scanning tool is only checking software "versions", it may flag your software as vulnerable when it isn't.
Perhaps someone with more knowledge of this specific package and the CVEs will respond, but in the interim you may want to read the specifics of the CVEs and if Debian indicates it's not applicable or has been patched, I would believe that over the scanning tool because your scanner may just be checking the package version. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Marcus Dean Adams Signal: gerowen.81 Mastodon: https://mastodon.social/@gerowen Website: https://marcusadams.me "Civilization is the limitless multiplication of unnecessary necessities." -- Mark Twain Sent from Proton Mail Android -------- Original Message -------- On 9/26/25 09:17, Tomáš Macák - tomas.macak at flowbox.com wrote: > Hi, > > We use Debian (currently bookworm) for hosting our application. One of our > customers is performing thorough security audit test. Amongst others they are > checking SBOM file of OS and reviewing it with BlackDuck > > They came up with list of high criticality CVEs from Oracle Berkeley DB > libdb5.3 package, which on your tracker list are marked as “NOT-FOR-US: > Oracle”. They argue that package libdb5.3/5.3.28 is installed which is > affected accrding to Oracle > (https://www.oracle.com/security-alerts/cpuapr2017.html#AppendixTOOL) thus > we’re vulnerable > > Can you please let us know, if these CVEs > > - Really affect Debian, but since the code is external/Oracle you cannot fix > it – marked NFU > > - Portions of code in CVEs is not present/used in Debian libdb package > > I strongly believe it’s b) but I have very few arguments I can play with ☹ > > I understand for now I cannot simple remove libdb for now as PAM module > depends on it > > The list of CVEs: > > CVE-2016-0682, CVE-2016-0689, CVE-2016-0692, CVE-2016-0694, CVE-2016-3418, > CVE-2017-3604, CVE-2017-3605, CVE-2017-3606, CVE-2017-3607, CVE-2017-3608, > CVE-2017-3609, CVE-2017-3610, CVE-2017-3611, CVE-2017-3612, CVE-2017-3613, > CVE-2017-3614, CVE-2017-3615, CVE-2017-3616, CVE-2017-3617, CVE-2020-2981, > CVE-2015-2583, CVE-2015-2626, CVE-2015-2640, CVE-2015-2654, CVE-2015-4754, > CVE-2015-2624, CVE-2015-4784, CVE-2015-2656, CVE-2015-4787, CVE-2015-4789, > CVE-2015-4785, CVE-2015-4786, CVE-2015-4783, CVE-2015-4764, CVE-2015-4780, > CVE-2015-4790, CVE-2015-4776, CVE-2015-4775, CVE-2015-4778, CVE-2015-4777, > CVE-2015-4782, CVE-2015-4781, CVE-2015-4774 > > Thanks. Tomas
