Source: bluez Version: 5.55-3 Severity: grave Tags: security upstream X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
Hi, The following vulnerabilities were published for bluez. CVE-2021-0129[0], and CVE-2020-26558[1]: | Bluetooth LE and BR/EDR secure pairing in Bluetooth Core Specification | 2.1 through 5.2 may permit a nearby man-in-the-middle attacker to | identify the Passkey used during pairing (in the Passkey | authentication procedure) by reflection of the public key and the | authentication evidence of the initiating device, potentially | permitting this attacker to complete authenticated pairing with the | responding device using the correct Passkey for the pairing session. | The attack methodology determines the Passkey value one bit at a time. If you fix the vulnerabilities please also make sure to include the CVE (Common Vulnerabilities & Exposures) ids in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2021-0129 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-0129 [1] https://security-tracker.debian.org/tracker/CVE-2020-26558 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26558 [2] https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00517.html [3] https://git.kernel.org/pub/scm/bluetooth/bluez.git/commit/?id=00da0fb4972cf59e1c075f313da81ea549cb8738 Please adjust the affected versions in the BTS as needed. Regards, Salvatore