Accepted bluez 5.50-1.2~deb10u3 (source) into oldstable
- To: debian-lts-changes@lists.debian.org, dispatch@tracker.debian.org
- Subject: Accepted bluez 5.50-1.2~deb10u3 (source) into oldstable
- From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
- Date: Mon, 24 Oct 2022 08:10:22 +0000
- Debian: DAK
- Debian-architecture: source
- Debian-archive-action: accept
- Debian-changes: bluez_5.50-1.2~deb10u3_source.changes
- Debian-source: bluez
- Debian-suite: oldstable
- Debian-version: 5.50-1.2~deb10u3
- Mail-followup-to: debian-lts@lists.debian.org
- Message-id: <E1omsXO-002ApZ-Ma@seger.debian.org>
- Reply-to: debian-lts@lists.debian.org
Format: 1.8
Date: Sat, 22 Oct 2022 18:39:32 +0200
Source: bluez
Architecture: source
Version: 5.50-1.2~deb10u3
Distribution: buster-security
Urgency: high
Maintainer: Debian Bluetooth Maintainers <team+pkg-bluetooth@tracker.debian.org>
Changed-By: Sylvain Beucler <beuc@debian.org>
Closes: 998626 1000262 1003712
Changes:
bluez (5.50-1.2~deb10u3) buster-security; urgency=high
.
  * Non-maintainer upload by the LTS Security Team.
  * CVE-2019-8921: SDP infoleak. The vulnerability lies in the handling of
    an SVC_ATTR_REQ by the SDP implementation of BlueZ. By crafting a
    malicious CSTATE, it is possible to trick the server into returning
    more bytes than the buffer actually holds, resulting in leaking
    arbitrary heap data.
  * CVE-2019-8922: SDP heap overflow. This vulnerability lies in the SDP
    protocol handling of attribute requests as well. By requesting a huge
    number of attributes at the same time, an attacker can overflow the
    static buffer provided to hold the response.
  * CVE-2021-41229: sdp_cstate_alloc_buf allocates memory which will
    always be hung in the singly linked list of cstates and will not be
    freed. This will cause a memory leak over time. The data can be a very
    large object, which can be caused by an attacker continuously sending
    SDP packets, and this may cause the service of the target device to
    crash. (Closes: #1000262)
  * CVE-2021-43400: a use-after-free in gatt-database.c can occur when a
    client disconnects during D-Bus processing of a WriteValue
    call. (Closes: #998626)
  * CVE-2022-0204: a heap overflow vulnerability was found in bluez. An
    attacker with local network access could pass specially crafted files
    causing an application to halt or crash, leading to a denial of
    service. (Closes: #1003712)
  * CVE-2022-39176: BlueZ allows physically proximate attackers to obtain
    sensitive information because profiles/audio/avrcp.c does not validate
    params_len.
  * CVE-2022-39177: BlueZ allows physically proximate attackers to cause a
    denial of service because malformed and invalid capabilities can be
    processed in profiles/audio/avdtp.c.
Checksums-Sha1:
60bf752e20f5eba8322cd241a4e9fcb525f26ee4 2588 bluez_5.50-1.2~deb10u3.dsc
ed1732599d8d86010c6763ffb042bd4528679620 45776 bluez_5.50-1.2~deb10u3.debian.tar.xz
81124665b07e3d1e352b3d298d6cb3f44801118b 11614 bluez_5.50-1.2~deb10u3_amd64.buildinfo
Checksums-Sha256:
3b14cf06b04eb41eb5a2cb9f762250499f552d37e93adbb1a0ff7071a67302b7 2588 bluez_5.50-1.2~deb10u3.dsc
d0b5c330e59fa1b61d0aee21727a6afb36b2f4d4ffa25e9c730f588e33b7d174 45776 bluez_5.50-1.2~deb10u3.debian.tar.xz
35b8998471570eadd5e3f8d5b3d49a7b3b021f4103e5910e98fb5597245549ad 11614 bluez_5.50-1.2~deb10u3_amd64.buildinfo
Files:
050737ce8cf5e8e023b774947d5cf35c 2588 admin optional bluez_5.50-1.2~deb10u3.dsc
4b66ce7f37cdf5555be10a9db984f992 45776 admin optional bluez_5.50-1.2~deb10u3.debian.tar.xz
4d8367d17c0014579a60282fcf89cab7 11614 admin optional bluez_5.50-1.2~deb10u3_amd64.buildinfo