Your message dated Mon, 27 Dec 2021 01:33:27 +0000
with message-id <[email protected]>
and subject line Bug#1000262: fixed in bluez 5.62-2
has caused the Debian Bug report #1000262,
regarding bluez: CVE-2021-41229: memory leak in the SDP protocol handling
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1000262: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1000262
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: bluez
Version: 5.61-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for bluez.

CVE-2021-41229[0]:
| BlueZ is a Bluetooth protocol stack for Linux. In affected versions a
| vulnerability exists in sdp_cstate_alloc_buf which allocates memory
| which will always be hung in the singly linked list of cstates and
| will not be freed. This will cause a memory leak over time. The data
| can be a very large object, which can be caused by an attacker
| continuously sending sdp packets and this may cause the service of the
| target device to crash.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2021-41229
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41229
[1] https://github.com/bluez/bluez/security/advisories/GHSA-3fqg-r8j5-f5xq
[2] https://git.kernel.org/pub/scm/bluetooth/bluez.git/commit/?id=e79417ed7185b150a056d4eb3a1ab528b91d2fc0

Regards,
Salvatore

--- End Message ---
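The mechanism the CVE text above describes, as an added illustration that is not BlueZ's own sdpd code: a toy continuation-state cache in C. A server caches any response too large for one PDU in a singly linked list, keyed by an id that stands in for the timestamp BlueZ uses, and hands it out in chunks. With `free_when_done` off it reproduces the leak, since every oversized request leaves its buffer on the list for good; with it on, the entry is unlinked and freed once the last chunk has been served. The function and type names, the 48-byte MTU, the 4 KiB response size and the attacker loop in `simulate()` are all assumptions made for this demonstration.

```c
/* Added example modelling the leak pattern behind CVE-2021-41229.
 * This is illustrative code written for this page, not BlueZ's sdpd;
 * every name and size here is an assumption. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MTU 48  /* assumed per-PDU payload limit, far below a real L2CAP MTU */

typedef struct cstate {
    struct cstate *next;
    uint32_t id;        /* stands in for the timestamp BlueZ keys the cache on */
    uint8_t *data;      /* the full response being handed out in chunks */
    size_t data_size;
    size_t sent;        /* bytes already delivered to the peer */
} cstate_t;

static cstate_t *cstates;    /* singly linked list of cached responses */
static uint32_t next_id = 1; /* 0 means "no continuation" */
static size_t live_bytes;    /* bytes currently held by the cache (for observation) */

static cstate_t *cstate_lookup(uint32_t id)
{
    for (cstate_t *c = cstates; c; c = c->next)
        if (c->id == id)
            return c;
    return NULL;
}

/* Cache a response that does not fit in one PDU; returns its continuation id
 * (0 on allocation failure). The buffer is pushed at the head of the list. */
static uint32_t cstate_alloc_buf(const uint8_t *rsp, size_t len)
{
    cstate_t *c = calloc(1, sizeof(*c));
    uint8_t *data = malloc(len);
    if (!c || !data) {
        free(c);
        free(data);
        return 0;
    }
    memcpy(data, rsp, len);
    c->data = data;
    c->data_size = len;
    c->id = next_id++;
    c->next = cstates;
    cstates = c;
    live_bytes += len;
    return c->id;
}

/* Unlink and free one entry. The leaking variant never calls this. */
static void cstate_free(uint32_t id)
{
    for (cstate_t **pp = &cstates; *pp; pp = &(*pp)->next) {
        if ((*pp)->id == id) {
            cstate_t *c = *pp;
            *pp = c->next;
            live_bytes -= c->data_size;
            free(c->data);
            free(c);
            return;
        }
    }
}

/* Copy the next chunk of a cached response into out. Returns the number of
 * bytes copied (0 once everything has been sent) or -1 for an unknown id.
 * free_when_done == 0 models the vulnerable behaviour: the entry stays on the
 * list forever. free_when_done != 0 releases it after the final chunk. */
static int cstate_serve(uint32_t id, uint8_t *out, int free_when_done)
{
    cstate_t *c = cstate_lookup(id);
    if (!c)
        return -1;
    size_t left = c->data_size - c->sent;
    size_t n = left < MTU ? left : MTU;
    memcpy(out, c->data + c->sent, n);
    c->sent += n;
    if (free_when_done && c->sent == c->data_size)
        cstate_free(id);
    return (int)n;
}

/* Model a peer that opens `requests` continuations, each for a `rsp_size`-byte
 * response, and pulls every chunk of each one. Returns how many bytes the
 * cache grew by: 0 when entries are freed, requests * rsp_size when leaked. */
static size_t simulate(unsigned requests, size_t rsp_size, int hardened)
{
    size_t before = live_bytes;
    uint8_t out[MTU];
    uint8_t *rsp = malloc(rsp_size);
    if (!rsp)
        return 0;
    memset(rsp, 0x41, rsp_size); /* constructed payload, content is irrelevant */
    for (unsigned i = 0; i < requests; i++) {
        uint32_t id = cstate_alloc_buf(rsp, rsp_size);
        if (id == 0)
            break;
        while (cstate_serve(id, out, hardened) > 0)
            ; /* the peer keeps asking for the next chunk */
    }
    free(rsp);
    return live_bytes - before;
}

int main(void)
{
    printf("leaking server grew by %zu bytes\n", simulate(100, 4096, 0));
    printf("hardened server grew by %zu bytes\n", simulate(100, 4096, 1));
    return 0;
}
```

Freeing on completion closes the hole the CVE text names, but a real stack also has to reap entries whose peer stops asking for the next chunk part-way through, otherwise an abandoned continuation still pins its buffer; that expiry logic is outside this toy.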
--- Begin Message ---
Source: bluez
Source-Version: 5.62-2
Done: Nobuhiro Iwamatsu <[email protected]>

We believe that the bug you reported is fixed in the latest version of
bluez, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Nobuhiro Iwamatsu <[email protected]> (supplier of updated bluez package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Mon, 27 Dec 2021 08:29:34 +0900
Source: bluez
Architecture: source
Version: 5.62-2
Distribution: unstable
Urgency: medium
Maintainer: Debian Bluetooth Maintainers <[email protected]>
Changed-By: Nobuhiro Iwamatsu <[email protected]>
Closes: 1000262
Changes:
 bluez (5.62-2) unstable; urgency=medium
 .
   * Add debian/patches/sdpd-Fix-leaking-buffers-stored-in-cstates-cache.patch
     to fix CVE-2021-41229. (Closes: #1000262)
     Thanks for pointing out the mistake, Salvatore.
Checksums-Sha1:
 3bbb374d9916ced5fe530f77cb2f0c5542e6093c 2735 bluez_5.62-2.dsc
 1d3e13790408857b4a3d8eb07a9bd2f0abb58a5f 43104 bluez_5.62-2.debian.tar.xz
 a6180841fd61a98bb550e2984e089ca0876e66a9 13002 bluez_5.62-2_amd64.buildinfo
Checksums-Sha256:
 ad60cbe5437100a7f224f6053630d72c3f778119ac7740e92274195b51467a90 2735 bluez_5.62-2.dsc
 6e31fe6329707312cc5a4ce570456dda286f775a904473dc09e9d83d74b3ca17 43104 bluez_5.62-2.debian.tar.xz
 d8217c4f9e9569c49ef21e0196517937341420458d303b572fd7bffca0a93d73 13002 bluez_5.62-2_amd64.buildinfo
Files:
 ace9ce80440226353f09040cdf634321 2735 admin optional bluez_5.62-2.dsc
 3406e64e130263dc8dfac2dd96dd1713 43104 admin optional bluez_5.62-2.debian.tar.xz
 c93c88bf36cdc938617601c50b06e413 13002 admin optional bluez_5.62-2_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEXmKe5SMhlzV7hM9DMiR/u0CtH6YFAmHJA40ACgkQMiR/u0Ct
H6ZoZRAAg/0WDIPa1BWOt1kyt4BCwzzazuVNQzjmdUWIcsrGY2xgFlY64NIPVX8Y
6a2VOVPcqCgpTjeNxPHnSb3ydYskoIciItcsD9JNkbjsrOUKM22sngxtRl3TOFLL
7SUIybnUgpiU/Xh11O82dD8taFYq5OtYqwSevjtjpKwk9C3lJNAWS7U3cqo8lRcZ
Fux6USlhiLkNwICl+Rqu8SCqFJRRyO/3Sr2uTYxy9AtF3NbgpH78YuI4xFihDE3Y
WMjDPtU+qleRIvfbyzZTo1MB8PgVO2maMlp4ay035xxkCPqPEofykyBYuyAJOr/F
ohJe7AM8PAGHs02m4I7FWMVCIE9/HrsTpTAxGaGYzQcY+vgATg1E9U6EEWXARVDz
XlkAhcv3lpkQz0YL0YJLrtVSRQBqFa3GRWF9d3xgsNg9ZCeaQIG7dHMZHXdLCWZY
uJJBQRgOl1Vm3nulexL+vddhD+cleWHqVh51xFOiK41wJrxNXqWuBx2189LxQSxx
IedSxR6toMuwwZ6Y4TME03TJCQ7cndzTEPC6henjn+9e2FGUKkOXPTVKsV0TLSP8
DkDF1enVMPaEviQ2Fwfd0up2s5okX4wNSkeyrsJkSKC1aRJV2xW4/oTfyksc1yq5
EeFlCrPRp3ymDweZrMzHIEdMMthnZ6Xk87Qm6RoHujbrOb3I82Y=
=sF3c
-----END PGP SIGNATURE-----

--- End Message ---