CVE-2017-10140

Name: CVE-2017-10140
Description: Berkeley DB reads DB_CONFIG from cwd
Source: CVE
References: DLA-1135-1, DLA-1136-1, DLA-1137-1
Debian Bugs: 872436

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package | Release           | Version            | Status
-------------- | ----------------- | ------------------ | ----------
db (PTS)       | wheezy            | 5.1.29-5           | vulnerable
db (PTS)       | wheezy (security) | 5.1.29-5+deb7u1    | fixed
db (PTS)       | jessie            | 5.1.29-9+deb8u1    | fixed
db4.7 (PTS)    | wheezy            | 4.7.25-21          | vulnerable
db4.7 (PTS)    | wheezy (security) | 4.7.25-21+deb7u1   | fixed
db4.8 (PTS)    | wheezy            | 4.8.30-12          | vulnerable
db4.8 (PTS)    | wheezy (security) | 4.8.30-12+deb7u1   | fixed
db5.3 (PTS)    | jessie            | 5.3.28-9+deb8u1    | fixed
db5.3 (PTS)    | stretch           | 5.3.28-12+deb9u1   | fixed
db5.3 (PTS)    | buster, sid       | 5.3.28-13.1        | fixed

The information below is based on the following data on fixed versions.

Package | Type   | Release    | Fixed Version     | Urgency | Origin     | Debian Bugs
------- | ------ | ---------- | ----------------- | ------- | ---------- | -----------
db      | source | (unstable) | (unfixed)         |         |            |
db      | source | jessie     | 5.1.29-9+deb8u1   |         |            |
db      | source | wheezy     | 5.1.29-5+deb7u1   |         | DLA-1135-1 |
db4.0   | source | (unstable) | (unfixed)         |         |            |
db4.1   | source | (unstable) | (unfixed)         |         |            |
db4.2   | source | (unstable) | (unfixed)         |         |            |
db4.3   | source | (unstable) | (unfixed)         |         |            |
db4.4   | source | (unstable) | (unfixed)         |         |            |
db4.5   | source | (unstable) | (unfixed)         |         |            |
db4.6   | source | (unstable) | (unfixed)         |         |            |
db4.7   | source | (unstable) | (unfixed)         |         |            |
db4.7   | source | wheezy     | 4.7.25-21+deb7u1  |         | DLA-1137-1 |
db4.8   | source | (unstable) | (unfixed)         |         |            |
db4.8   | source | wheezy     | 4.8.30-12+deb7u1  |         | DLA-1136-1 |
db5.1   | source | (unstable) | (unfixed)         |         |            |
db5.2   | source | (unstable) | (unfixed)         |         |            |
db5.3   | source | (unstable) | 5.3.28-13.1       |         |            | 872436
db5.3   | source | jessie     | 5.3.28-9+deb8u1   |         |            |
db5.3   | source | stretch    | 5.3.28-12+deb9u1  |         |            |

Notes

http://www.openwall.com/lists/oss-security/2017/08/12/1
Patch as used in Fedora: https://src.fedoraproject.org/rpms/libdb/raw/8047fa8580659fcae740c25e91b490539b8453eb/f/db-5.3.28-cwd-db_config.patch
The issue is acknowledged by libdb upstream, cf. https://bugzilla.redhat.com/show_bug.cgi?id=1464032#c9
