Source: bluez Version: 5.70-1 Severity: grave Tags: security upstream X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
Hi, The following vulnerability was published for bluez. CVE-2023-45866[0]: | Bluetooth HID Hosts in BlueZ may permit an unauthenticated | Peripheral role HID Device to initiate and establish an encrypted | connection, and accept HID keyboard reports, potentially permitting | injection of HID messages when no user interaction has occurred in | the Central role to authorize such access. An example affected | package is bluez 5.64-0ubuntu1 in Ubuntu 22.04LTS. NOTE: in some | cases, a CVE-2020-0556 mitigation would have already addressed this | Bluetooth HID Hosts issue. If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2023-45866 https://www.cve.org/CVERecord?id=CVE-2023-45866 [1] https://git.kernel.org/pub/scm/bluetooth/bluez.git/commit/?id=25a471a83e02e1effb15d5a488b3f0085eaeb675 Please adjust the affected versions in the BTS as needed. Regards, Salvatore