[Pkg-bluetooth-maintainers] Bug#875633: bluez: CVE-2017-1000250: information disclosure vulnerability in service_search_attr_req

Salvatore Bonaccorso carnil at debian.org
Tue Sep 12 20:22:18 UTC 2017


Source: bluez
Version: 5.23-2
Severity: grave
Tags: patch upstream security

Hi,

the following vulnerability was published for bluez.

CVE-2017-1000250[0]:
| All versions of the SDP server in BlueZ 5.46 and earlier are
| vulnerable to an information disclosure vulnerability which allows
| remote attackers to obtain sensitive information from the bluetoothd
| process memory. This vulnerability lies in the processing of SDP
| search attribute requests.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-1000250
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000250
[1] https://bugzilla.novell.com/show_bug.cgi?id=1057342
[2] https://bugzilla.redhat.com/show_bug.cgi?id=1489446

Regards,
Salvatore


