Fedora has issued an advisory on November 13: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/RLZUCXXSKY5T73XN3MMNBCFSJ7XJ44VH/ It doesn't explicitly highlight the security issue(s) fixed, but it sounds like any security issues fixed may actually be in libell and/or iwd, which Fedora has separate packages (and advisories) for. Perhaps those are bundled components in our build, however.
> security issues fixed may actually be in libell and/or iwd

I cannot find anything like these either in bluez dependencies or our SRPMs. Admit to being lost when it comes to relating libraries to SRPMs. Assigning globally, CC DavidG as recent committer.
Assignee: bugsquad => pkg-bugs
CC: (none) => geiger.david68210, lewyssmith
Apparently there are more security fixes upstream, post-5.53:
https://www.openwall.com/lists/oss-security/2020/03/12/4
https://www.openwall.com/lists/oss-security/2020/03/13/2
Whiteboard: (none) => MGA7TOO
Summary: bluez possible new security issue(s) fixed upstream in 5.52 => bluez possible new security issue(s) fixed upstream in 5.52 and later
(In reply to David Walser from comment #2)
> Apparently there are more security fixes upstream, post-5.53:
> https://www.openwall.com/lists/oss-security/2020/03/12/4
> https://www.openwall.com/lists/oss-security/2020/03/13/2

This got CVE-2020-0556 and fixed upstream in 5.54. Debian and Ubuntu have issued advisories for this on March 26 and 30:
https://www.debian.org/security/2020/dsa-4647
https://usn.ubuntu.com/4311-1/
They both added the same 4 patches to 5.50 (which we have). We can either add those patches and ignore Comment 0 or upgrade to 5.54.
Source RPM: bluez-5.50-6.mga8.src.rpm => bluez-5.50-5.mga7.src.rpm
Version: Cauldron => 7
Summary: bluez possible new security issue(s) fixed upstream in 5.52 and later => bluez possible new security issue(s) fixed upstream in 5.52 and later (including CVE-2020-0556)
Status comment: (none) => Fixed upstream in 5.54
Whiteboard: MGA7TOO => (none)
RedHat has issued an advisory on March 31:
https://access.redhat.com/errata/RHSA-2020:1101
This issue was fixed upstream in 5.51.
Summary: bluez possible new security issue(s) fixed upstream in 5.52 and later (including CVE-2020-0556) => bluez possible new security issue(s) fixed upstream (including CVE-2018-10910 and CVE-2020-0556)
Suggested advisory:
========================

The updated packages fix security vulnerabilities:

A bug in Bluez may allow for the Bluetooth Discoverable state being set to on when no Bluetooth agent is registered with the system. This situation could lead to the unauthorized pairing of certain Bluetooth devices without any form of authentication. Versions before bluez 5.51 are vulnerable. (CVE-2018-10910)

Improper access control in subsystem for BlueZ before version 5.54 may allow an unauthenticated user to potentially enable escalation of privilege and denial of service via adjacent access. (CVE-2020-0556)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10910
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0556
https://www.openwall.com/lists/oss-security/2020/03/12/4
https://www.openwall.com/lists/oss-security/2020/03/13/2
https://www.debian.org/security/2020/dsa-4647
https://usn.ubuntu.com/4311-1/
https://access.redhat.com/errata/RHSA-2020:1101
========================

Updated packages in core/updates_testing:
========================
bluez-5.54-1.mga7
bluez-cups-5.54-1.mga7
bluez-hid2hci-5.54-1.mga7
lib(64)bluez3-5.54-1.mga7
lib(64)bluez-devel-5.54-1.mga7

from SRPMS:
bluez-5.54-1.mga7.src.rpm
CC: (none) => nicolas.salguero
Assignee: pkg-bugs => qa-bugs
Status: NEW => ASSIGNED
Status comment: Fixed upstream in 5.54 => (none)
MGA7-64 Plasma on Lenovo B50

No installation issues.

Switched bluetooth on on my smartphone, used Plasma systemsettings to set up bluetooth here and the connection process worked. The laptop is also visible in the smartphone.

Turned to dolphin - Network - Bluetooth and there I see the smartphone. Opening it gives an icon "Send file", but clicking on that throws an error. This seems to be a known issue, see https://bugs.kde.org/show_bug.cgi?id=409179

Tried to do the same thing via the Bluetooth applet on the panel; the "Send file" gives no feedback, but I do not see anything appearing in the smartphone "Received files".

At least the connection seems to be there, that's as far as I go.
Whiteboard: (none) => MGA7-64-OK
CC: (none) => herman.viaene
CC: lewyssmith => (none)
Validating. Advisory in Comment 5.
CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update
CC: (none) => tmb
Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2020-0152.html
Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED