- -------------------------------------------------------------------------
Debian Security Advisory DSA-4647-1
https://www.debian.org/security/
Salvatore Bonaccorso
March 26, 2020
https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : bluez
CVE ID : CVE-2020-0556
Debian Bug : 953770

It was reported that BlueZ's HID and HOGP profile implementations do not specifically require bonding between the device and the host. Malicious devices can take advantage of this flaw to connect to a target host and impersonate an existing HID device without security, or to cause an SDP or GATT service discovery to take place, which would allow HID reports to be injected into the input subsystem from a non-bonded source.

For the HID profile a new configuration option (ClassicBondedOnly) is introduced to make sure that input connections only come from bonded device connections. The option defaults to 'false' to maximize device compatibility.

For the oldstable distribution (stretch), this problem has been fixed in version 5.43-2+deb9u2.

For the stable distribution (buster), this problem has been fixed in version 5.50-1.2~deb10u1.

We recommend that you upgrade your bluez packages.
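As an added check (not part of the Debian advisory or of the BlueZ project's own code), the following Python script does two things a Debian administrator would want after reading the text above: it compares an installed bluez version against the fixed versions named in the advisory using dpkg's version-ordering rules (epoch, upstream, revision, with '~' sorting before everything), and it reads the BlueZ input profile configuration to report whether ClassicBondedOnly has actually been switched on, since the fixed packages leave it at 'false'. The configuration file location (/etc/bluetooth/input.conf) and the [General] section name are assumptions; both sample configurations are constructed.

```python
"""Added example: is the installed bluez fixed per DSA-4647-1, and is the
ClassicBondedOnly hardening option enabled? (Not Debian's or BlueZ's code.)
"""
import configparser

# Fixed versions named in the advisory, keyed by Debian release.
FIXED_VERSIONS = {
    "stretch": "5.43-2+deb9u2",
    "buster": "5.50-1.2~deb10u1",
}

# Constructed samples of the input profile configuration. The file is
# assumed to be /etc/bluetooth/input.conf with a [General] section.
SAMPLE_DEFAULT_CONF = """\
# Option left commented out, i.e. at its default of false.
[General]
#ClassicBondedOnly=true
"""
SAMPLE_HARDENED_CONF = """\
# Only bonded devices may open HID input connections.
[General]
ClassicBondedOnly=true
"""


def _at(s, k):
    """Character k of s, or '' past the end (stands in for C's NUL)."""
    return s[k] if k < len(s) else ""


def _order(c):
    """Weight of one character in a non-digit run, as dpkg defines it."""
    if c == "" or c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    if c == "~":
        return -1          # '~' sorts before the end of the string
    return ord(c) + 256    # other punctuation sorts after letters


def _verrevcmp(a, b):
    """dpkg's comparison of an upstream version or a Debian revision."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        # Compare the non-digit runs character by character.
        while (_at(a, i) and not _at(a, i).isdigit()) or (
            _at(b, j) and not _at(b, j).isdigit()
        ):
            ac, bc = _order(_at(a, i)), _order(_at(b, j))
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        # Then the numeric runs: strip leading zeros, longer run wins,
        # otherwise the first differing digit decides.
        while _at(a, i) == "0":
            i += 1
        while _at(b, j) == "0":
            j += 1
        while _at(a, i).isdigit() and _at(b, j).isdigit():
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if _at(a, i).isdigit():
            return 1
        if _at(b, j).isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def _split(version):
    """Split '[epoch:]upstream[-revision]' into its three parts."""
    epoch, sep, rest = version.partition(":")
    if not sep:
        epoch, rest = "0", version
    upstream, sep, revision = rest.rpartition("-")
    if not sep:
        upstream, revision = rest, ""
    return int(epoch), upstream, revision


def compare_versions(a, b):
    """Return -1, 0 or 1 like 'dpkg --compare-versions' ordering."""
    ea, ua, ra = _split(a)
    eb, ub, rb = _split(b)
    if ea != eb:
        return (ea > eb) - (ea < eb)
    r = _verrevcmp(ua, ub) or _verrevcmp(ra, rb)
    return (r > 0) - (r < 0)


def is_fixed(release, installed):
    """True if the installed version is at or above the advisory's fix."""
    return compare_versions(installed, FIXED_VERSIONS[release]) >= 0


def classic_bonded_only(conf_text):
    """True only when ClassicBondedOnly=true is set under [General]."""
    cp = configparser.ConfigParser()
    cp.read_string(conf_text)
    return cp.getboolean("General", "ClassicBondedOnly", fallback=False)


if __name__ == "__main__":
    for release, installed in (("stretch", "5.43-2+deb9u1"),
                               ("buster", "5.50-1.2~deb10u1")):
        state = "fixed" if is_fixed(release, installed) else "VULNERABLE, upgrade"
        print(f"{release}: bluez {installed} -> {state}")
    print("ClassicBondedOnly (default conf):", classic_bonded_only(SAMPLE_DEFAULT_CONF))
    print("ClassicBondedOnly (hardened conf):", classic_bonded_only(SAMPLE_HARDENED_CONF))
```

On a real host, feed `dpkg-query -W -f='${Version}' bluez` into is_fixed and the contents of the assumed input.conf into classic_bonded_only; a "fixed" result with the option still false means the package is patched but HID connections from unbonded devices are still accepted by default, exactly the trade-off the advisory describes.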
For the detailed security status of bluez please refer to its security tracker page at:
https://security-tracker.debian.org/tracker/source-package/bluez

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

The latest BlueZ security patch DSA-4648-1 addresses concerns regarding possible threats associated with device spoofing vulnerabilities.

Severity: Important. LinuxSecurity.com Team, Mar 26, 2020. Distribution: Debian.