Debian alert DLA-2692-1 (bluez)
From: Thorsten Alteholz <debian@alteholz.de>
To: debian-lts-announce@lists.debian.org
Subject: [SECURITY] [DLA 2692-1] bluez security update
Date: Sat, 26 Jun 2021 23:26:46 +0000
Message-ID: <alpine.DEB.2.21.2106262324460.20191@postfach.intern.alteholz.me>

-------------------------------------------------------------------------
Debian LTS Advisory DLA-2692-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                    Thorsten Alteholz
June 27, 2021                                 https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package        : bluez
Version        : 5.43-2+deb9u4
CVE ID         : CVE-2020-26558 CVE-2021-0129

Two issues have been found in bluez, a package with Bluetooth tools and
daemons.
One issue is about a man-in-the-middle attack during secure pairing, the
other is about information disclosure due to improper access control.

In order to completely fix both issues, you need an updated kernel as
well! For Debian 9 Stretch, this was uploaded some days ago.

For Debian 9 stretch, these problems have been fixed in version
5.43-2+deb9u4.

We recommend that you upgrade your bluez packages.

For the detailed security status of bluez please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/bluez

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
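
A fleet check against the fixed version named above, as an added example that is not part of the advisory: it reimplements dpkg's version ordering so it runs without dpkg, and the host names and inventory lines are constructed. It covers only the bluez package; the kernel update the advisory also requires has no version stated here and is not checked.

```python
import re
from itertools import zip_longest

FIXED = "5.43-2+deb9u4"  # fixed bluez version for Debian 9, from the advisory

def _order(ch):
    # dpkg ordering: '~' sorts before everything, letters before other symbols
    if ch == "~":
        return -1
    return ord(ch) if ch.isalpha() else ord(ch) + 256

def _cmp_part(a, b):
    # Compare alternating non-digit / digit runs, digits numerically
    split = lambda s: re.findall(r"([^0-9]*)([0-9]*)", s)
    for (ta, na), (tb, nb) in zip_longest(split(a), split(b), fillvalue=("", "")):
        for ca, cb in zip_longest(ta, tb, fillvalue=""):
            oa, ob = (_order(ca) if ca else 0), (_order(cb) if cb else 0)
            if oa != ob:
                return -1 if oa < ob else 1
        ia, ib = int(na or 0), int(nb or 0)
        if ia != ib:
            return -1 if ia < ib else 1
    return 0

def _parse(v):
    # [epoch:]upstream[-revision]; a missing revision is treated as "0"
    epoch, rest = v.split(":", 1) if ":" in v else ("0", v)
    upstream, revision = rest.rsplit("-", 1) if "-" in rest else (rest, "0")
    return int(epoch), upstream, revision

def deb_cmp(a, b):
    """Return -1, 0 or 1 as Debian version a is older, equal or newer than b."""
    ea, ua, ra = _parse(a)
    eb, ub, rb = _parse(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return _cmp_part(ua, ub) or _cmp_part(ra, rb)

# Constructed inventory, "<host> <package> <version>" per line, e.g. gathered
# with: dpkg-query -W -f='${Package} ${Version}\n' bluez
SAMPLE = """web01 bluez 5.43-2+deb9u3
kiosk02 bluez 5.43-2+deb9u4
lab03 bluez 5.43-2
lab04 bluez 5.43-2+deb9u10
lab05 libc6 2.24-11+deb9u4
"""

def unpatched(inventory, fixed=FIXED):
    """Hosts whose bluez is older than the fixed version."""
    rows = (line.split() for line in inventory.splitlines() if line.strip())
    return [h for h, pkg, ver in rows if pkg == "bluez" and deb_cmp(ver, fixed) < 0]

if __name__ == "__main__":
    print(unpatched(SAMPLE))
```

The constructed `deb9u10` row is there because a plain string comparison would sort it below `deb9u4` and report a patched host as vulnerable.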
