Arch Linux Security Advisory ASA-202012-12
==========================================

Severity: High
Date    : 2020-12-09
CVE-ID  : CVE-2020-15238
Package : blueman
Type    : privilege escalation
Remote  : No
Link    : https://security.archlinux.org/AVG-1259

Summary
=======

The package blueman before version 2.1.4-1 is vulnerable to privilege escalation.

Resolution
==========

Upgrade to 2.1.4-1.

# pacman -Syu "blueman>=2.1.4-1"

The problem has been fixed upstream in version 2.1.4.

Workaround
==========

As Polkit-1 support is enabled in Arch, it is possible to limit privileges for the `org.blueman.dhcp.client` action to users that are able to run arbitrary commands as root anyway in /usr/share/polkit-1/rules.d/blueman.rules.

Description
===========

In Blueman before 2.1.4, the DhcpClient method of the D-Bus interface to blueman-mechanism is prone to an argument injection vulnerability. The impact highly depends on the system configuration. If Polkit-1 is disabled and for versions lower than 2.0.6, any local user can possibly exploit this. If Polkit-1 is enabled for version 2.0.6 and later, a possible attacker needs to be allowed to use the `org.blueman.dhcp.client` action. That is limited to users in the wheel group in the shipped rules file that do have the privileges anyway.

On systems with ISC DHCP client (dhclient), attackers can pass arguments to `ip link` with the interface name that can e.g. be used to bring down an interface or add an arbitrary XDP/BPF program. On systems with dhcpcd and without ISC DHCP client, attackers can even run arbitrary scripts by passing `-c/path/to/script` as an interface name.

Patches are included in 2.1.4 and master that change the DhcpClient D-Bus method(s) to accept BlueZ network object paths instead of network interface names. A backport to 2.0(.8) is also available.
As a workaround, make sure that Polkit-1 support is enabled and limit privileges for the `org.blueman.dhcp.client` action to users that are able to run arbitrary commands as root anyway in /usr/share/polkit-1/rules.d/blueman.rules.

Impact
======

A local attacker might be able to escalate privileges.

References
==========

https://bugs.archlinux.org/task/68563
https://github.com/blueman-project/blueman/security/advisories/GHSA-jpc9-mgw6-2xwx
https://bugs.launchpad.net/ubuntu/+source/blueman/+bug/1897287
https://security.archlinux.org/CVE-2020-15238
openSUSE Security Update: Security update for blueman
______________________________________________________________________________

Announcement ID:    openSUSE-SU-2020:2024-1
Rating:             moderate
References:         #1178196
Cross-References:   CVE-2020-15238
Affected Products:
                    openSUSE Backports SLE-15-SP2
______________________________________________________________________________

An update that fixes one vulnerability is now available.

Description:

This update for blueman fixes the following issues:

- Update to version 2.1.4
  * CVE-2020-15238: Fixed a local denial-of-service in the D-Bus interface (boo#1178196)

This update was imported from the openSUSE:Leap:15.2:Update update project.

Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Backports SLE-15-SP2:

  zypper in -t patch openSUSE-2020-2024=1

Package List:

- openSUSE Backports SLE-15-SP2 (aarch64 ppc64le s390x x86_64):

  blueman-2.1.4-bp152.2.6.1

- openSUSE Backports SLE-15-SP2 (noarch):

  blueman-lang-2.1.4-bp152.2.6.1
  thunar-sendto-blueman-2.1.4-bp152.2.6.1

References:

https://www.suse.com/security/cve/CVE-2020-15238.html
https://bugzilla.suse.com/1178196

_______________________________________________
openSUSE Security Announce mailing list
openSUSE Security Update: Security update for blueman
______________________________________________________________________________

Announcement ID:    openSUSE-SU-2020:1997-1
Rating:             moderate
References:         #1178196
Cross-References:   CVE-2020-15238
Affected Products:
                    openSUSE Leap 15.2
                    openSUSE Backports SLE-15-SP2
______________________________________________________________________________

An update that fixes one vulnerability is now available.

Description:

This update for blueman fixes the following issues:

- Update to version 2.1.4
  * CVE-2020-15238: Fixed a local denial-of-service in the D-Bus interface (boo#1178196)

Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Leap 15.2:

  zypper in -t patch openSUSE-2020-1997=1

- openSUSE Backports SLE-15-SP2:

  zypper in -t patch openSUSE-2020-1997=1

Package List:

- openSUSE Leap 15.2 (noarch):

  blueman-lang-2.1.4-lp152.2.3.1
  thunar-sendto-blueman-2.1.4-lp152.2.3.1

- openSUSE Leap 15.2 (x86_64):

  blueman-2.1.4-lp152.2.3.1
  blueman-debuginfo-2.1.4-lp152.2.3.1
  blueman-debugsource-2.1.4-lp152.2.3.1

- openSUSE Backports SLE-15-SP2 (aarch64 ppc64le s390x x86_64):

  blueman-2.1.4-bp152.2.3.1

- openSUSE Backports SLE-15-SP2 (noarch):

  blueman-lang-2.1.4-bp152.2.3.1
  thunar-sendto-blueman-2.1.4-bp152.2.3.1

References:

https://www.suse.com/security/cve/CVE-2020-15238.html
https://bugzilla.suse.com/1178196
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory                           GLSA 202011-11
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                           https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: High
   Title: Blueman: Local privilege escalation
    Date: November 11, 2020
    Bugs: #751556
      ID: 202011-11

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

A privilege escalation vulnerability has been discovered in Blueman.

Background
==========

Blueman is a simple and intuitive GTK+ Bluetooth Manager.

Affected packages
=================

    -------------------------------------------------------------------
     Package              /     Vulnerable     /            Unaffected
    -------------------------------------------------------------------
  1  net-wireless/blueman         < 2.1.4                    >= 2.1.4

Description
===========

Where Polkit is not used and the default permissions have been changed on a specific rule file, control of a local DHCP daemon may be possible.

Impact
======

A local attacker may be able to achieve root privilege escalation.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All Blueman users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=net-wireless/blueman-2.1.4"

References
==========

[ 1 ] CVE-2020-15238
      https://nvd.nist.gov/vuln/detail/CVE-2020-15238

Availability
============

This GLSA and any updates to it are available for viewing at the Gentoo Security Website:

 https://security.gentoo.org/glsa/202011-11

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to
MGASA-2020-0402 - Updated blueman packages fixes a security vulnerability

Publication date: 08 Nov 2020
URL: https://advisories.mageia.org/MGASA-2020-0402.html
Type: security
Affected Mageia releases: 7
CVE: CVE-2020-15238

Vaisha Bernard discovered that blueman did not properly sanitize input on the D-Bus interface to blueman-mechanism. A local attacker could possibly use this issue to escalate privileges and run arbitrary code or cause a denial of service (CVE-2020-15238).

References:
- https://bugs.mageia.org/show_bug.cgi?id=27485
- https://ubuntu.com/security/notices/USN-4605-1
- https://www.cve.org/CVERecord?id=CVE-2020-15238

SRPMS:
- 7/core/blueman-2.1.4-1.mga7
--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2020-e083225fa1
2020-11-07 00:22:38.030907
--------------------------------------------------------------------------------

Name        : blueman
Product     : Fedora 31
Version     : 2.1.4
Release     : 1.fc31
URL         : https://github.com/blueman-project/blueman
Summary     : GTK+ Bluetooth Manager
Description : Blueman is a tool to use Bluetooth devices. It is designed to provide simple, yet effective means for controlling BlueZ API and simplifying bluetooth tasks such as:
- Connecting to 3G/EDGE/GPRS via dial-up
- Connecting to/Creating bluetooth networks
- Connecting to input devices
- Connecting to audio devices
- Sending/Receiving files via OBEX
- Pairing
--------------------------------------------------------------------------------
Update Information:

Update to v2.1.4. Contains security fix for CVE-2020-15238.
--------------------------------------------------------------------------------
ChangeLog:

* Wed Oct 28 2020 Artur Frenszek-Iwicki - 1:2.1.4-1
- Update to v2.1.4
- Update list of dependencies
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #1892436 - CVE-2020-15238 blueman: local privilege escalation in org.blueman.Mechanism D-Bus interface
        https://bugzilla.redhat.com/show_bug.cgi?id=1892436
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2020-e083225fa1'
at the command line. For more information, refer to the dnf documentation available at https://dnf.readthedocs.io/en/latest/command_ref.html

All packages are signed with the Fedora Project GPG key. More details on the GPG keys used by the Fedora Project can be found at https://fedoraproject.org/security/
--------------------------------------------------------------------------------
_______________________________________________
package-announce mailing list
--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2020-ebabb6bf76
2020-11-06 01:21:08.226065
--------------------------------------------------------------------------------

Name        : blueman
Product     : Fedora 32
Version     : 2.1.4
Release     : 1.fc32
URL         : https://github.com/blueman-project/blueman
Summary     : GTK+ Bluetooth Manager
Description : Blueman is a tool to use Bluetooth devices. It is designed to provide simple, yet effective means for controlling BlueZ API and simplifying bluetooth tasks such as:
- Connecting to 3G/EDGE/GPRS via dial-up
- Connecting to/Creating bluetooth networks
- Connecting to input devices
- Connecting to audio devices
- Sending/Receiving files via OBEX
- Pairing
--------------------------------------------------------------------------------
Update Information:

Update to v2.1.4. Contains security fix for CVE-2020-15238.
--------------------------------------------------------------------------------
ChangeLog:

* Wed Oct 28 2020 Artur Frenszek-Iwicki - 1:2.1.4-1
- Update to v2.1.4
- Update list of dependencies
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #1892436 - CVE-2020-15238 blueman: local privilege escalation in org.blueman.Mechanism D-Bus interface
        https://bugzilla.redhat.com/show_bug.cgi?id=1892436
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2020-ebabb6bf76'
at the command line. For more information, refer to the dnf documentation available at https://dnf.readthedocs.io/en/latest/command_ref.html

All packages are signed with the Fedora Project GPG key. More details on the GPG keys used by the Fedora Project can be found at https://fedoraproject.org/security/
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2020-7c22b25a07
2020-11-06 01:11:28.092603
--------------------------------------------------------------------------------

Name        : blueman
Product     : Fedora 33
Version     : 2.1.4
Release     : 1.fc33
URL         : https://github.com/blueman-project/blueman
Summary     : GTK+ Bluetooth Manager
Description : Blueman is a tool to use Bluetooth devices. It is designed to provide simple, yet effective means for controlling BlueZ API and simplifying bluetooth tasks such as:
- Connecting to 3G/EDGE/GPRS via dial-up
- Connecting to/Creating bluetooth networks
- Connecting to input devices
- Connecting to audio devices
- Sending/Receiving files via OBEX
- Pairing
--------------------------------------------------------------------------------
Update Information:

Update to v2.1.4. Contains security fix for CVE-2020-15238.
--------------------------------------------------------------------------------
ChangeLog:

* Wed Oct 28 2020 Artur Frenszek-Iwicki - 1:2.1.4-1
- Update to v2.1.4
- Update list of dependencies
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #1892436 - CVE-2020-15238 blueman: local privilege escalation in org.blueman.Mechanism D-Bus interface
        https://bugzilla.redhat.com/show_bug.cgi?id=1892436
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2020-7c22b25a07'
at the command line. For more information, refer to the dnf documentation available at https://dnf.readthedocs.io/en/latest/command_ref.html

All packages are signed with the Fedora Project GPG key. More details on the GPG keys used by the Fedora Project can be found at https://fedoraproject.org/security/
--------------------------------------------------------------------------------