CVE-2017-10140

Name:         CVE-2017-10140
Description:  Berkeley DB reads DB_CONFIG from cwd
Source:       CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SuSE, Mageia, GitHub code/issues, web search, more)
Debian Bugs:  872436

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package   Release       Version     Status
db (PTS)         wheezy        5.1.29-5    vulnerable
db (PTS)         jessie        5.1.29-9    vulnerable
db4.7 (PTS)      wheezy        4.7.25-21   vulnerable
db4.8 (PTS)      wheezy        4.8.30-12   vulnerable
db5.3 (PTS)      jessie        5.3.28-9    vulnerable
db5.3 (PTS)      stretch       5.3.28-12   vulnerable
db5.3 (PTS)      buster, sid   5.3.28-13   vulnerable

The information below is based on the following data on fixed versions.

Package   Type     Release      Fixed Version   Urgency   Origin   Debian Bugs
db        source   (unstable)   (unfixed)
db4.0     source   (unstable)   (unfixed)
db4.1     source   (unstable)   (unfixed)
db4.2     source   (unstable)   (unfixed)
db4.3     source   (unstable)   (unfixed)
db4.4     source   (unstable)   (unfixed)
db4.5     source   (unstable)   (unfixed)
db4.6     source   (unstable)   (unfixed)
db4.7     source   (unstable)   (unfixed)
db4.8     source   (unstable)   (unfixed)
db5.1     source   (unstable)   (unfixed)
db5.2     source   (unstable)   (unfixed)
db5.3     source   (unstable)   (unfixed)                          872436

Notes

http://www.openwall.com/lists/oss-security/2017/08/12/1
Patch as used in Fedora: https://src.fedoraproject.org/rpms/libdb/raw/8047fa8580659fcae740c25e91b490539b8453eb/f/db-5.3.28-cwd-db_config.patch
The issue is acknowledged by libdb upstream, cf. https://bugzilla.redhat.com/show_bug.cgi?id=1464032#c9
