A CVE has been requested for a security issue fixed upstream in blueman:
http://openwall.com/lists/oss-security/2015/12/18/6

The upstream commit to fix the issue is linked in the message above. Given the timestamp, it wouldn't have been included in the 2.0.2 release.

Mageia 5 is also likely affected.
Whiteboard: (none) => MGA5TOO
blueman-2.0.3-1.mga6 is submitted and should hit mirrors soon for Cauldron. Will update blueman (which is still old git) for Mga5 to 2.0.3 stable version.
Thanks Atilla.
Version: Cauldron => 5
Whiteboard: MGA5TOO => (none)
I have uploaded an updated blueman package for Mageia 5.

Suggested advisory:
========================

Updated blueman-2.0.3-1.mga5 package fixes a privilege escalation vulnerability which affects blueman in mga5 (mga#17361).

This update also provides a stable release of blueman instead of an old git snapshot.

References:
http://openwall.com/lists/oss-security/2015/12/18/6
https://github.com/blueman-project/blueman/issues/416
https://bugs.mageia.org/show_bug.cgi?id=17361
========================

Updated packages in core/updates_testing:
========================
blueman-2.0.3-1.mga5

Source RPMs:
blueman-2.0.3-1.mga5.src.rpm
Assignee: tarakbumba => qa-bugs
CVE-2015-8612:
http://openwall.com/lists/oss-security/2015/12/19/1

Suggested advisory:
========================

Updated blueman package fixes security vulnerability:

Privilege escalation vulnerability in blueman before 2.0.3 in the dbus API (CVE-2015-8612).

References:
http://openwall.com/lists/oss-security/2015/12/19/1
https://github.com/blueman-project/blueman/issues/416
Summary: blueman new privilege escalation security issue => blueman new privilege escalation security issue CVE-2015-8612
Debian has issued an advisory for this on December 18: https://www.debian.org/security/2015/dsa-3427
URL: (none) => http://lwn.net/Vulnerabilities/668770/
mga5 x86_64

Probably no PoC for this.

Before the update both blueman and bluedevil were installed. I had never had much luck with blueman so have moved to bluedevil which was much more reliable. To test the update I uninstalled bluedevil and removed the blueman applet. Installed the update and ran the blueman-manager which placed the applet on the panel and allowed bluetooth to be enabled. Added an audio device and connected to it immediately. Switched off and tried again. An immediate connection, so this is good for 64-bits.

Thanks for that Attila.
CC: (none) => tarazed25
Whiteboard: (none) => MGA5-64-OK
mga5 i586 vbox
KDE, Mate, LXDE, GNOME Classic

Neither blueman nor bluedevil were able to see the hardware adapter in virtualbox. Is bluetooth supported in vbox? virtualbox-guest-additions is installed.
(In reply to Len Lawrence from comment #7)
> Is bluetooth supported in vbox?

I would be shocked if it was.
I had been wondering if it had anything to do with the USB adapter but it appears not, so I shall take your word for it. Have to leave the i586 test to somebody else unless I can resurrect my only piece of 32bit hardware which has been about to drop into the bin.
mga5 i586 Mate

Managed to get the old laptop running and up-to-date. Could not get Bluetooth running before the update but it connected fine to my Bose SLIII speaker after the update. So it is fine for both architectures. Validating this.
Whiteboard: MGA5-64-OK => MGA5-64-OK MGA5-32-OK
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Whiteboard: MGA5-64-OK MGA5-32-OK => MGA5-64-OK MGA5-32-OK advisory
An update for this issue has been pushed to Mageia Updates repository.
http://advisories.mageia.org/MGASA-2015-0491.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED