Your message dated Sun, 19 Dec 2021 00:48:39 +0000
with message-id <[email protected]>
and subject line Bug#1000262: fixed in bluez 5.62-1
has caused the Debian Bug report #1000262,
regarding bluez: CVE-2021-41229: memory leak in the SDP protocol handling
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1000262: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1000262
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: bluez
Version: 5.61-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,
The following vulnerability was published for bluez.
CVE-2021-41229[0]:
| BlueZ is a Bluetooth protocol stack for Linux. In affected versions a
| vulnerability exists in sdp_cstate_alloc_buf which allocates memory
| which will always be hung in the singly linked list of cstates and
| will not be freed. This will cause a memory leak over time. The data
| can be a very large object, which can be caused by an attacker
| continuously sending sdp packets and this may cause the service of the
| target device to crash.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2021-41229
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41229
[1] https://github.com/bluez/bluez/security/advisories/GHSA-3fqg-r8j5-f5xq
[2] https://git.kernel.org/pub/scm/bluetooth/bluez.git/commit/?id=e79417ed7185b150a056d4eb3a1ab528b91d2fc0
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: bluez
Source-Version: 5.62-1
Done: Nobuhiro Iwamatsu <[email protected]>
We believe that the bug you reported is fixed in the latest version of
bluez, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Nobuhiro Iwamatsu <[email protected]> (supplier of updated bluez package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Tue, 14 Dec 2021 09:23:03 +0900
Source: bluez
Architecture: source
Version: 5.62-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Bluetooth Maintainers <[email protected]>
Changed-By: Nobuhiro Iwamatsu <[email protected]>
Closes: 980896 998626 1000262
Changes:
bluez (5.62-1) unstable; urgency=medium
.
* Update to 5.62. (Closes: #1000262, #998626)
Fixed CVE-2021-43400 and CVE-2021-41229.
* Reduce Build-Depends: (Closes: #980896)
+ Annotate check with <!nocheck>.
+ libcap-ng-dev is no longer used. We no longer pass --enable-capng.
+ Thanks to Helmut Grohne <[email protected]>.
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---