Adrian Bunk pushed to branch master at Debian Security Tracker /
security-tracker
Commits:
a18296f4 by Adrian Bunk at 2024-09-07T16:44:11+03:00
Reserve DLA-3879-1 for bluez
- - - - -
3 changed files:
- data/CVE/list
- data/DLA/list
- data/dla-needed.txt
Changes:
=====================================
data/CVE/list
=====================================
@@ -35441,14 +35441,12 @@ CVE-2023-50231 (NETGEAR ProSAFE Network Management
System saveNodeLabel Cross-Si
CVE-2023-50230 (BlueZ Phone Book Access Profile Heap-based Buffer Overflow
Remote Code ...)
- bluez 5.70-1
[bookworm] - bluez 5.66-1+deb12u2
- [bullseye] - bluez <no-dsa> (Minor issue)
[buster] - bluez <postponed> (Minor issue; can be fixed in next update)
NOTE: https://www.zerodayinitiative.com/advisories/ZDI-23-1812/
NOTE:
https://github.com/bluez/bluez/commit/5ab5352531a9cc7058cce569607f3a6831464443
(5.70)
CVE-2023-50229 (BlueZ Phone Book Access Profile Heap-based Buffer Overflow
Remote Code ...)
- bluez 5.70-1
[bookworm] - bluez 5.66-1+deb12u2
- [bullseye] - bluez <no-dsa> (Minor issue)
[buster] - bluez <postponed> (Minor issue; can be fixed in next update)
NOTE: https://www.zerodayinitiative.com/advisories/ZDI-23-1811/
NOTE:
https://github.com/bluez/bluez/commit/5ab5352531a9cc7058cce569607f3a6831464443
(5.70)
@@ -116798,7 +116796,6 @@ CVE-2023-27349 (BlueZ Audio Profile AVRCP Improper
Validation of Array Index Rem
{DLA-3820-1}
- bluez 5.68-1
[bookworm] - bluez 5.66-1+deb12u2
- [bullseye] - bluez <no-dsa> (Minor issue)
NOTE: https://www.zerodayinitiative.com/advisories/ZDI-23-386/
NOTE:
https://git.kernel.org/pub/scm/bluetooth/bluez.git/commit/?id=f54299a850676d92c3dafd83e9174fcfe420ccc9
(5.67)
CVE-2023-27348 (PDF-XChange Editor TIF File Parsing Use-After-Free Remote Code
Executi ...)
@@ -162194,7 +162191,6 @@ CVE-2022-39178 (Webvendome - webvendome Internal
Server IP Disclosure. Send GET
CVE-2022-39177 (BlueZ before 5.59 allows physically proximate attackers to
cause a den ...)
{DLA-3157-1}
- bluez 5.61-1
- [bullseye] - bluez <no-dsa> (Minor issue)
NOTE:
https://git.kernel.org/pub/scm/bluetooth/bluez.git/commit/?id=e2b0f0d8d63e1223bb714a9efb37e2257818268b
(5.59)
NOTE:
https://git.kernel.org/pub/scm/bluetooth/bluez.git/commit/?id=7a80d2096f1b7125085e21448112aa02f49f5e9a
(5.59)
NOTE:
https://git.kernel.org/pub/scm/bluetooth/bluez.git/commit/?id=0388794dc5fdb73a4ea88bcf148de0a12b4364d4
(5.60)
@@ -162203,7 +162199,6 @@ CVE-2022-39177 (BlueZ before 5.59 allows physically
proximate attackers to cause
CVE-2022-39176 (BlueZ before 5.59 allows physically proximate attackers to
obtain sens ...)
{DLA-3157-1}
- bluez 5.61-1
- [bullseye] - bluez <no-dsa> (Minor issue)
NOTE:
https://git.kernel.org/pub/scm/bluetooth/bluez.git/commit/?id=e2b0f0d8d63e1223bb714a9efb37e2257818268b
(5.59)
NOTE:
https://git.kernel.org/pub/scm/bluetooth/bluez.git/commit/?id=7a80d2096f1b7125085e21448112aa02f49f5e9a
(5.59)
NOTE:
https://git.kernel.org/pub/scm/bluetooth/bluez.git/commit/?id=0388794dc5fdb73a4ea88bcf148de0a12b4364d4
(5.60)
@@ -209910,7 +209905,6 @@ CVE-2022-0205 (The YOP Poll WordPress plugin before
6.3.5 does not sanitise and
CVE-2022-0204 (A heap overflow vulnerability was found in bluez in versions
prior to ...)
{DLA-3157-1}
- bluez 5.64-1 (bug #1003712)
- [bullseye] - bluez <no-dsa> (Minor issue)
[stretch] - bluez <no-dsa> (Minor issue)
NOTE:
https://github.com/bluez/bluez/security/advisories/GHSA-479m-xcq5-9g2q
NOTE: Fixed by:
https://git.kernel.org/pub/scm/bluetooth/bluez.git/commit/?id=591c546c536b42bef696d027f64aa22434f8c3f0
(5.63)
@@ -223507,7 +223501,6 @@ CVE-2021-3929 (A DMA reentrancy issue was found in
the NVM Express Controller (N
CVE-2021-43400 (An issue was discovered in gatt-database.c in BlueZ 5.61. A
use-after- ...)
{DLA-3157-1}
- bluez 5.62-1 (bug #998626)
- [bullseye] - bluez <no-dsa> (Minor issue; can be fixed in point release)
[stretch] - bluez <ignored> (invasive patch, requires post-stretch
revamps)
NOTE: Introduced by:
https://git.kernel.org/pub/scm/bluetooth/bluez.git/commit/?id=93b64d9ca8a2bb663e37904d4b2c702c58a36e4f
(5.40)
NOTE: Fixed by:
https://git.kernel.org/pub/scm/bluetooth/bluez.git/commit/?id=838c0dc7641e1c991c0f3027bf94bee4606012f8
(5.62)
@@ -231403,7 +231396,6 @@ CVE-2021-41230 (Pomerium is an open source
identity-aware access proxy. In affec
CVE-2021-41229 (BlueZ is a Bluetooth protocol stack for Linux. In affected
versions a ...)
{DLA-3157-1 DLA-2827-1}
- bluez 5.62-2 (bug #1000262)
- [bullseye] - bluez <no-dsa> (Minor issue)
NOTE:
https://github.com/bluez/bluez/security/advisories/GHSA-3fqg-r8j5-f5xq
NOTE: Introduced by:
https://git.kernel.org/pub/scm/bluetooth/bluez.git/commit/?id=d939483328489fb835bb425d36f7c7c73d52c388
(4.0)
NOTE: Fixed by:
https://git.kernel.org/pub/scm/bluetooth/bluez.git/commit/?id=e79417ed7185b150a056d4eb3a1ab528b91d2fc0
@@ -241798,7 +241790,6 @@ CVE-2021-3659 (A NULL pointer dereference flaw was
found in the Linux kernel\u20
NOTE:
https://git.kernel.org/linus/1165affd484889d4986cf3b724318935a0b120d8
CVE-2021-3658 (bluetoothd from bluez incorrectly saves adapters' Discoverable
status ...)
- bluez 5.61-1 (bug #991596)
- [bullseye] - bluez <no-dsa> (Minor issue)
[buster] - bluez <not-affected> (Vulnerable code introduced later)
[stretch] - bluez <not-affected> (Vulnerable code introduced later)
NOTE: Introduced by
https://git.kernel.org/pub/scm/bluetooth/bluez.git/commit/?id=d04eb02f9bad8795297210ef80e262be16ea8f07
(5.51)
=====================================
data/DLA/list
=====================================
@@ -1,3 +1,6 @@
+[07 Sep 2024] DLA-3879-1 bluez - security update
+ {CVE-2021-3658 CVE-2021-41229 CVE-2021-43400 CVE-2022-0204
CVE-2022-39176 CVE-2022-39177 CVE-2023-27349 CVE-2023-50229 CVE-2023-50230}
+ [bullseye] - bluez 5.55-3.1+deb11u2
[05 Sep 2024] DLA-3878-1 libxml2 - security update
{CVE-2016-3709 CVE-2022-2309}
[bullseye] - libxml2 2.9.10+dfsg-6.7+deb11u5
=====================================
data/dla-needed.txt
=====================================
@@ -44,12 +44,6 @@ bind9
NOTE: 20240815:
https://lists.debian.org/debian-security/2024/07/msg00009.html
NOTE: 20240815: pu request not in the BTS yet, coordinate with maintainer
(Beuc/front-desk)
--
-bluez (Adrian Bunk)
- NOTE: 20240815: Added by Front-Desk (Beuc)
- NOTE: 20240815: Follow fixes from DLA-3157-1 (5 CVEs)
- NOTE: 20240815: Follow fixes from DLA-3820-1 (1 CVE)
- NOTE: 20240815: Follow fixes from bookworm 12.6 (3 CVEs) (Beuc/front-desk)
---
cacti
NOTE: 20240522: Added by oldstable Security Team (jmm)
NOTE: 20240815: A bookworm DSA is planned (Beuc/front-desk)
View it on GitLab:
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a18296f4e7460910857a6ad323dc146bbe06f4d4
--
View it on GitLab:
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a18296f4e7460910857a6ad323dc146bbe06f4d4
You're receiving this email because of your account on salsa.debian.org.
_______________________________________________
debian-security-tracker-commits mailing list
debian-security-tracker-commits@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
