Bluez security alert from Arch
13 September 2017, 01:36:31

I think bluez affects many users and I don't know how many subscribe to arch alerts, but here it is:

Arch Linux Security Advisory ASA-201709-3
=========================================

Severity: High
Date    : 2017-09-12
CVE-ID  : CVE-2017-1000250
Package : bluez
Type    : information disclosure
Remote  : Yes
Link    : https://security.archlinux.org/AVG-396

Summary
=======

The package bluez before version 5.46-2 is vulnerable to information
disclosure.

Resolution
==========

Upgrade to 5.46-2.

# pacman -Syu "bluez>=5.46-2"

The problem has been fixed upstream but no release is available yet.

Workaround
==========

None.

Description
===========

An information-disclosure flaw was found in the bluetoothd
implementation of the Service Discovery Protocol (SDP). A specially
crafted Bluetooth device could, without prior pairing or user
interaction, retrieve portions of the bluetoothd process memory,
including potentially sensitive information such as Bluetooth
encryption keys.

Impact
======

A remote attacker is able to use a specially crafted Bluetooth device
to obtain sensitive information such as Bluetooth encryption keys.

References
==========

https://bugs.archlinux.org/task/55603
https://www.armis.com/blueborne/
http://pkgs.fedoraproject.org/cgit/rpms/bluez.git/plain/0010-Out-of-bounds-heap-read-in-service_search_attr_req-f.patch
https://security.archlinux.org/CVE-2017-1000250

1 Likes

Re: Bluez security alert from Arch
Reply #1 – 13 September 2017, 10:15:41

I updated the package and it will be available in the [world-testing] repo shortly. To upgrade, follow the steps below:

1. Uncomment or add the [world-testing] repo to your /etc/pacman.conf configuration file
2. Run sudo pacman -Syu bluez
3. Comment back the [world-testing] repo

Regards.

1 Likes

Re: Bluez security alert from Arch
Reply #2 – 13 September 2017, 14:17:16

Thanks for the patch! It worked well.
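
A way to confirm the upgrade described in the advisory and in Reply #1 actually took effect, added here as an example and not part of the thread or the advisory: it compares the installed bluez version with the fixed 5.46-2 and also flags a bluetoothd that was started before the upgrade, since a running daemon keeps executing the old binary until it is restarted. The function names are hypothetical, and `sort -V` is assumed to be an adequate substitute for pacman's `vercmp` on plain `pkgver-pkgrel` strings.

```shell
#!/bin/sh
# Added example: triage one host against ASA-201709-3 (bluez before 5.46-2).
FIXED="5.46-2"   # fixed version, taken from the advisory

# version_ge A B: true when A >= B. GNU `sort -V` stands in for pacman's
# vercmp (assumption: plain pkgver-pkgrel strings, no epoch).
version_ge() {
    [ "$1" = "$2" ] && return 0
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | tail -n 1)" = "$1" ]
}

# bluez_status VERSION [EXE_LINK]
# prints: vulnerable | patched-restart-needed | patched
# EXE_LINK is the target of /proc/<pid>/exe for bluetoothd. Linux appends
# " (deleted)" once the binary on disk was replaced under a running process.
bluez_status() {
    if ! version_ge "$1" "$FIXED"; then
        echo vulnerable
        return 0
    fi
    case "$2" in
        *" (deleted)") echo patched-restart-needed ;;
        *)             echo patched ;;
    esac
}

# Live check, only where pacman exists (Arch-based systems). Run as root so
# that /proc/<pid>/exe of the daemon is readable.
if command -v pacman >/dev/null 2>&1; then
    ver=$(pacman -Q bluez 2>/dev/null | awk '{print $2}')
    if [ -z "$ver" ]; then
        echo "bluez: not installed"
    else
        pid=$(pidof bluetoothd 2>/dev/null | awk '{print $1}')
        exe=""
        if [ -n "$pid" ]; then
            exe=$(readlink "/proc/$pid/exe" 2>/dev/null || true)
        fi
        echo "bluez $ver: $(bluez_status "$ver" "$exe")"
    fi
fi
```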