CVE-2017-10140

NameCVE-2017-10140
DescriptionPostfix before 2.11.10, 3.0.x before 3.0.10, 3.1.x before 3.1.6, and 3.2.x before 3.2.2 might allow local users to gain privileges by leveraging undocumented functionality in Berkeley DB 2.x and later, related to reading settings from DB_CONFIG in the current directory.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
ReferencesDLA-1135-1, DLA-1136-1, DLA-1137-1
NVD severitymedium
Debian Bugs872436

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
db5.3 (PTS)stretch5.3.28-12+deb9u1fixed
buster5.3.28+dfsg1-0.5fixed
bullseye, sid5.3.28+dfsg1-0.6fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
dbsource(unstable)(unfixed)
dbsourcejessie5.1.29-9+deb8u1
dbsourcewheezy5.1.29-5+deb7u1DLA-1135-1
db4.0source(unstable)(unfixed)
db4.1source(unstable)(unfixed)
db4.2source(unstable)(unfixed)
db4.3source(unstable)(unfixed)
db4.4source(unstable)(unfixed)
db4.5source(unstable)(unfixed)
db4.6source(unstable)(unfixed)
db4.7source(unstable)(unfixed)
db4.7sourcewheezy4.7.25-21+deb7u1DLA-1137-1
db4.8source(unstable)(unfixed)
db4.8sourcewheezy4.8.30-12+deb7u1DLA-1136-1
db5.1source(unstable)(unfixed)
db5.2source(unstable)(unfixed)
db5.3source(unstable)5.3.28-13.1872436
db5.3sourcejessie5.3.28-9+deb8u1
db5.3sourcestretch5.3.28-12+deb9u1

Notes

http://www.openwall.com/lists/oss-security/2017/08/12/1
Patch as used in Fedora: https://src.fedoraproject.org/rpms/libdb/raw/8047fa8580659fcae740c25e91b490539b8453eb/f/db-5.3.28-cwd-db_config.patch
and is acknowledged by libdb upstream, cf. https://bugzilla.redhat.com/show_bug.cgi?id=1464032#c9

Search for package or bug name: Reporting problems