Your message dated Sat, 23 Sep 2017 10:02:20 +0000
with message-id <[email protected]>
and subject line Bug#875633: fixed in bluez 5.43-2+deb9u1
has caused the Debian Bug report #875633,
regarding bluez: CVE-2017-1000250: information disclosure vulnerability in service_search_attr_req
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
875633: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=875633
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: bluez
Version: 5.23-2
Severity: grave
Tags: patch upstream security

Hi,

the following vulnerability was published for bluez.

CVE-2017-1000250[0]:
| All versions of the SDP server in BlueZ 5.46 and earlier are
| vulnerable to an information disclosure vulnerability which allows
| remote attackers to obtain sensitive information from the bluetoothd
| process memory. This vulnerability lies in the processing of SDP
| search attribute requests.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-1000250
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000250
[1] https://bugzilla.novell.com/show_bug.cgi?id=1057342
[2] https://bugzilla.redhat.com/show_bug.cgi?id=1489446

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: bluez
Source-Version: 5.43-2+deb9u1

We believe that the bug you reported is fixed in the latest version of
bluez, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <[email protected]> (supplier of updated bluez package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Wed, 13 Sep 2017 09:16:27 +0200
Source: bluez
Binary: libbluetooth3 libbluetooth3-dbg libbluetooth-dev bluetooth bluez bluez-dbg bluez-cups bluez-obexd bluez-hcidump bluez-test-tools bluez-test-scripts
Architecture: source
Version: 5.43-2+deb9u1
Distribution: stretch-security
Urgency: high
Maintainer: Debian Bluetooth Maintainers <[email protected]>
Changed-By: Salvatore Bonaccorso <[email protected]>
Closes: 875633
Description: 
 bluetooth  - Bluetooth support
 bluez      - Bluetooth tools and daemons
 bluez-cups - Bluetooth printer driver for CUPS
 bluez-dbg  - Bluetooth tools and daemons (with debugging symbols)
 bluez-hcidump - Analyses Bluetooth HCI packets
 bluez-obexd - bluez obex daemon
 bluez-test-scripts - test scripts of bluez
 bluez-test-tools - test tools of bluez
 libbluetooth-dev - Development files for using the BlueZ Linux Bluetooth library
 libbluetooth3 - Library to use the BlueZ Linux Bluetooth stack
 libbluetooth3-dbg - Library to use the BlueZ Linux Bluetooth stack with debugging sym
Changes:
 bluez (5.43-2+deb9u1) stretch-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * CVE-2017-1000250: information disclosure vulnerability in
     service_search_attr_req (Closes: #875633)

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---
