All errata/sisyphus_e2k/ALT-PU-2021-4542-1
ALT-PU-2021-4542-1

Package update bluez in branch sisyphus_e2k

Version5.62-alt2
Task#0
Published2021-12-09
Max severityHIGH
Severity:

Closed issues (6)

BDU:2022-05703
MEDIUM6.5

Уязвимость стека технологии Bluetooth для Linux BlueZ, связанная с неправильной авторизацией, позволяющая нарушителю получить доступ к конфиденциальным данным

Published: 2022-09-14Modified: 2022-10-13
CVSS 3.xMEDIUM 6.5
CVSS:3.x/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CVSS 2.0MEDIUM 6.1
CVSS:2.0/AV:A/AC:L/Au:N/C:C/I:N/A:N
References
BDU:2022-06043
MEDIUM6.5

Уязвимость функции sdp_cstate_alloc_buf стека технологии Bluetooth для Linux BlueZ, позволяющая нарушителю вызвать отказ в обслуживании

Published: 2022-10-03Modified: 2025-10-29
CVSS 3.xMEDIUM 6.5
CVSS:3.x/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVSS 2.0MEDIUM 6.1
CVSS:2.0/AV:A/AC:L/Au:N/C:N/I:N/A:C
References
CVE-2021-3658
MEDIUM6.5

bluetoothd from bluez incorrectly saves adapters' Discoverable status when a device is powered down, and restores it when powered up. If a device is powered down while discoverable, it will be discoverable when powered on again. This could lead to inadvertent exposure of the bluetooth stack to physically nearby attackers.

Published: 2022-03-02Modified: 2026-04-15
CVSS 2.0LOW 3.3
CVSS:2.0/AV:A/AC:L/Au:N/C:P/I:N/A:N
CVSS 3.xMEDIUM 6.5
CVSS:3.x/CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
References
CVE-2021-41229
MEDIUM6.5

BlueZ is a Bluetooth protocol stack for Linux. In affected versions a vulnerability exists in sdp_cstate_alloc_buf which allocates memory which will always be hung in the singly linked list of cstates and will not be freed. This will cause a memory leak over time. The data can be a very large object, which can be caused by an attacker continuously sending sdp packets and this may cause the service of the target device to crash.

Published: 2021-11-12Modified: 2025-11-04
CVSS 2.0LOW 3.3
CVSS:2.0/AV:A/AC:L/Au:N/C:N/I:N/A:P
CVSS 3.xMEDIUM 6.5
CVSS:3.x/CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
References
CVE-2022-39176
HIGH8.8

BlueZ before 5.59 allows physically proximate attackers to obtain sensitive information because profiles/audio/avrcp.c does not validate params_len.

Published: 2022-09-02Modified: 2026-04-15
CVSS 3.xHIGH 8.8
CVSS:3.x/CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
References
CVE-2022-39177
HIGH8.8

BlueZ before 5.59 allows physically proximate attackers to cause a denial of service because malformed and invalid capabilities can be processed in profiles/audio/avdtp.c.

Published: 2022-09-02Modified: 2026-04-15
CVSS 3.xHIGH 8.8
CVSS:3.x/CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
References

Closed bugs (1)