Source: bluez Version: 5.61-1 Severity: important Tags: security upstream X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
Hi, The following vulnerability was published for bluez. CVE-2021-41229[0]: | BlueZ is a Bluetooth protocol stack for Linux. In affected versions a | vulnerability exists in sdp_cstate_alloc_buf which allocates memory | which will always be hung in the singly linked list of cstates and | will not be freed. This will cause a memory leak over time. The data | can be a very large object, which can be caused by an attacker | continuously sending sdp packets and this may cause the service of the | target device to crash. If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2021-41229 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41229 [1] https://github.com/bluez/bluez/security/advisories/GHSA-3fqg-r8j5-f5xq [2] https://git.kernel.org/pub/scm/bluetooth/bluez.git/commit/?id=e79417ed7185b150a056d4eb3a1ab528b91d2fc0 Regards, Salvatore
