Accepted bluez 5.43-2+deb9u5 (source) into oldoldstable
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Fri, 26 Nov 2021 19:05:30 +0100
Source: bluez
Binary: libbluetooth3 libbluetooth3-dbg libbluetooth-dev bluetooth bluez bluez-dbg bluez-cups bluez-obexd bluez-hcidump bluez-test-tools bluez-test-scripts
Architecture: source
Version: 5.43-2+deb9u5
Distribution: stretch-security
Urgency: high
Maintainer: Debian Bluetooth Maintainers <pkg-bluetooth-maintainers@lists.alioth.debian.org>
Changed-By: Sylvain Beucler <beuc@debian.org>
Description:
bluetooth - Bluetooth support
bluez - Bluetooth tools and daemons
bluez-cups - Bluetooth printer driver for CUPS
bluez-dbg - Bluetooth tools and daemons (with debugging symbols)
bluez-hcidump - Analyses Bluetooth HCI packets
bluez-obexd - bluez obex daemon
bluez-test-scripts - test scripts of bluez
bluez-test-tools - test tools of bluez
libbluetooth-dev - Development files for using the BlueZ Linux Bluetooth library
libbluetooth3 - Library to use the BlueZ Linux Bluetooth stack
libbluetooth3-dbg - Library to use the BlueZ Linux Bluetooth stack with debugging symbols
Changes:
bluez (5.43-2+deb9u5) stretch-security; urgency=high
.
  * Non-maintainer upload by the LTS Security Team.
  * CVE-2017-1000250: replace RedHat's early patch with upstream's, so as
    to minimize conflicts with new CVE fixes.
  * CVE-2019-8921: SDP infoleak. The vulnerability lies in the handling of
    an SVC_ATTR_REQ by the SDP implementation of BlueZ. By crafting a
    malicious CSTATE, it is possible to trick the server into returning
    more bytes than the buffer actually holds, resulting in leaking
    arbitrary heap data.
  * CVE-2019-8922: SDP heap overflow. This vulnerability lies in the SDP
    protocol handling of attribute requests as well. By requesting a huge
    number of attributes at the same time, an attacker can overflow the
    static buffer provided to hold the response.
  * CVE-2021-41229: sdp_cstate_alloc_buf allocates memory which will
    always be hung in the singly linked list of cstates and will not be
    freed. This will cause a memory leak over time. The data can be a very
    large object, which can be caused by an attacker continuously sending
    SDP packets, and this may cause the service of the target device to
    crash.
Checksums-Sha1:
Checksums-Sha256:
Files: