Ubuntu has issued an advisory on November 23:
The issues are fixed upstream in 5.62.
Fixed upstream in 5.62
The updated packages fix security vulnerabilities:
BlueZ is a Bluetooth protocol stack for Linux. In affected versions a vulnerability exists in sdp_cstate_alloc_buf which allocates memory which will always be hung in the singly linked list of cstates and will not be freed. This will cause a memory leak over time. The data can be a very large object, which can be caused by an attacker continuously sending sdp packets and this may cause the service of the target device to crash. (CVE-2021-41229)
An issue was discovered in gatt-database.c in BlueZ 5.61. A use-after-free can occur when a client disconnects during D-Bus processing of a WriteValue call. (CVE-2021-43400)
Updated packages in core/updates_testing:
Fixed upstream in 5.62 =>
BlueZ stack installed - USB BT audio device working. Added an HP Officejet 100 mobile printer and printed A5 and A4 test pages via CUPS.
Updated the six packages using qarepo and MageiaUpdate. rfkill prompt came up immediately - all it needed was the root password. BT audio speaker connected immediately. Printed an ODT document from LibreOffice on the bluetooth printer without any reconfiguration.
Sample of applications requiring lib64bluez3:
blueman was used originally to add the BT widget in the Mate panel and manage bluetooth services. None of the others is installed. Installed ardour without any idea what it was.
Ran a trace on ardour6 and opened an empty project in the vain hope that some bluetooth plugin might register but there was nothing.
However, bluetooth continues to work, with no regressions.
Validating. Advisory in Comment 1.