UbuntuUpdates.org

Package "bluez"

Name: bluez

Description:

Bluetooth tools and daemons
Latest version: 5.53-0ubuntu3.9
Release: focal (20.04)
Level: security
Repository: main
Homepage: http://www.bluez.org

Links

All versions of this package
Bug fixes

List of files in package
Repository home page

Download "bluez"

32-bit deb package
64-bit deb package
APT INSTALL

Other versions of "bluez" in Focal

Repository Area Version
base main 5.53-0ubuntu3
base universe 5.53-0ubuntu3
security universe 5.53-0ubuntu3.9
updates main 5.53-0ubuntu3.9
updates universe 5.53-0ubuntu3.9

Packages in group

Deleted packages are displayed in grey.


Changelog

Version: 5.53-0ubuntu3.9 2025-01-22 17:06:59 UTC

  bluez (5.53-0ubuntu3.9) focal-security; urgency=medium

  * SECURITY UPDATE: code exec via Phone Book Access Profile
    - debian/patches/CVE-2023-502xx.patch: fix not checking counter length
      in obexd/client/pbap.c.
    - CVE-2023-50229
    - CVE-2023-50230

 -- Marc Deslauriers <email address hidden> Tue, 21 Jan 2025 08:14:36 -0500
Source diff to previous version
CVE-2023-50229 BlueZ Phone Book Access Profile Heap-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows network-adjacent attackers
CVE-2023-50230 BlueZ Phone Book Access Profile Heap-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows network-adjacent attackers

Version: 5.53-0ubuntu3.8 2024-06-05 21:07:10 UTC

  bluez (5.53-0ubuntu3.8) focal-security; urgency=medium

  * SECURITY UPDATE: out-of-bounds write
    - debian/patches/CVE-2023-27349.patch: Fix crash while handling
      unsupported events in avrcp.c.
    - CVE-2023-27349

 -- Fabian Toepfer <email address hidden> Wed, 05 Jun 2024 12:10:45 +0200
Source diff to previous version
CVE-2023-27349 BlueZ Audio Profile AVRCP Improper Validation of Array Index Remote Code Execution Vulnerability. This vulnerability allows network-adjacent attacker

Version: 5.53-0ubuntu3.7 2023-12-07 04:06:53 UTC

  bluez (5.53-0ubuntu3.7) focal-security; urgency=medium

  * SECURITY UPDATE: make conf compliant to HID specification
    - debian/patches/CVE-2023-45866.patch: input.conf: Change default of
      ClassicBondedOnly
    - CVE-2023-45866

 -- Nishit Majithia <email address hidden> Wed, 29 Nov 2023 14:41:45 +0530
Source diff to previous version

Version: 5.53-0ubuntu3.6 2022-06-15 18:06:23 UTC

  bluez (5.53-0ubuntu3.6) focal-security; urgency=medium

  * SECURITY UPDATE: various security improvements (LP: #1977968)
    - debian/patches/avdtp-security.patch: check if capabilities are valid
      before attempting to copy them in profiles/audio/avdtp.c.
    - debian/patches/avdtp-security-2.patch: fix size comparison and
      variable misassignment in profiles/audio/avdtp.c.
    - debian/patches/avrcp-security.patch: make sure the number of bytes in
      the params_len matches the remaining bytes received so the code don't
      end up accessing invalid memory in profiles/audio/avrcp.c.
    - No CVE numbers

 -- Marc Deslauriers <email address hidden> Wed, 08 Jun 2022 07:09:00 -0400
Source diff to previous version
1977968 Security update tracking bug

Version: 5.53-0ubuntu3.5 2022-02-08 05:06:28 UTC

  bluez (5.53-0ubuntu3.5) focal-security; urgency=medium

  * SECURITY UPDATE: Integer overflow in gatt server protocol could lead to
    a heap overflow, resulting in denial of service or potential code
    execution.
    - debian/patches/CVE-2022-0204.patch: add length and offset validation in
      write_cb function in src/shared/gatt-server.c.
    - CVE-2022-0204

 -- Ray Veldkamp <email address hidden> Thu, 03 Feb 2022 22:27:07 +1100
CVE-2022-0204 Heap overflow vulnerability in the implementation of the gatt protocol


About   -   Send Feedback to @ubuntu_updates