Your message dated Fri, 27 Aug 2021 11:17:50 +0000
with message-id <e1mjzrq-000enn...@fasolo.debian.org>
and subject line Bug#989614: fixed in bluez 5.50-1.2~deb10u2
has caused the Debian Bug report #989614,
regarding bluez: CVE-2021-0129 CVE-2020-26558
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
989614: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=989614
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: bluez
Version: 5.55-3
Severity: grave
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
Hi,
The following vulnerabilities were published for bluez.
CVE-2021-0129[0], and
CVE-2020-26558[1]:
| Bluetooth LE and BR/EDR secure pairing in Bluetooth Core Specification
| 2.1 through 5.2 may permit a nearby man-in-the-middle attacker to
| identify the Passkey used during pairing (in the Passkey
| authentication procedure) by reflection of the public key and the
| authentication evidence of the initiating device, potentially
| permitting this attacker to complete authenticated pairing with the
| responding device using the correct Passkey for the pairing session.
| The attack methodology determines the Passkey value one bit at a time.
If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2021-0129
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-0129
[1] https://security-tracker.debian.org/tracker/CVE-2020-26558
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26558
[2]
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00517.html
[3]
https://git.kernel.org/pub/scm/bluetooth/bluez.git/commit/?id=00da0fb4972cf59e1c075f313da81ea549cb8738
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
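The CVE text above describes a reflection: the attacker sends the initiating device's own public key and authentication evidence back to it. The check that the Bluetooth SIG's notice recommended for this, and that SMP implementations adopted, is for a device to abort pairing as soon as the peer's public key equals its own. The following is an added example, not BlueZ's code; the SMP opcodes and reason code are from the Security Manager Protocol in the Core Specification, and the local key is a constructed placeholder.

```python
import hmac

# SMP opcodes and reason code from the Security Manager Protocol
# (Bluetooth Core Specification, Vol 3, Part H).
SMP_PAIRING_FAILED = 0x05
SMP_PAIRING_PUBLIC_KEY = 0x0C
SMP_REASON_UNSPECIFIED = 0x08
COORD_LEN = 32  # P-256 X and Y coordinates, 32 bytes each, little-endian

# Constructed stand-in for this device's own P-256 public key (not a real key).
LOCAL_PUBLIC_KEY = (bytes(range(1, 33)), bytes(range(33, 65)))


def parse_public_key_pdu(pdu: bytes):
    """Split an SMP Pairing Public Key PDU into (X, Y); None if malformed."""
    if len(pdu) != 1 + 2 * COORD_LEN or pdu[0] != SMP_PAIRING_PUBLIC_KEY:
        return None
    return pdu[1:1 + COORD_LEN], pdu[1 + COORD_LEN:]


def build_public_key_pdu(x: bytes, y: bytes) -> bytes:
    """Encode a Pairing Public Key PDU (used here to construct test input)."""
    return bytes([SMP_PAIRING_PUBLIC_KEY]) + x + y


def pairing_failed(reason: int) -> bytes:
    """Encode a Pairing Failed PDU with the given reason code."""
    return bytes([SMP_PAIRING_FAILED, reason])


def check_peer_public_key(local_key, pdu: bytes):
    """Validate the peer's public key before continuing the pairing.

    Returns (accept, response): on rejection, response is the Pairing Failed
    PDU to send. A peer key identical to our own means our key was reflected
    back at us, the precondition of the passkey attack in the CVE text.
    """
    parsed = parse_public_key_pdu(pdu)
    if parsed is None:
        return False, pairing_failed(SMP_REASON_UNSPECIFIED)
    peer_x, peer_y = parsed
    # Compare both coordinates in constant time, without short-circuiting,
    # so timing does not reveal how much of the key matched.
    same_x = hmac.compare_digest(peer_x, local_key[0])
    same_y = hmac.compare_digest(peer_y, local_key[1])
    if same_x & same_y:
        return False, pairing_failed(SMP_REASON_UNSPECIFIED)
    return True, None
```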
--- Begin Message ---
Source: bluez
Source-Version: 5.50-1.2~deb10u2
Done: Salvatore Bonaccorso <car...@debian.org>
We believe that the bug you reported is fixed in the latest version of
bluez, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 989...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Salvatore Bonaccorso <car...@debian.org> (supplier of updated bluez package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
Format: 1.8
Date: Wed, 04 Aug 2021 21:18:19 +0200
Source: bluez
Architecture: source
Version: 5.50-1.2~deb10u2
Distribution: buster-security
Urgency: high
Maintainer: Debian Bluetooth Maintainers <team+pkg-blueto...@tracker.debian.org>
Changed-By: Salvatore Bonaccorso <car...@debian.org>
Closes: 989614
Changes:
bluez (5.50-1.2~deb10u2) buster-security; urgency=high
.
* Non-maintainer upload by the Security Team.
* shared/att: Fix possible crash on disconnect (CVE-2020-27153)
* shared/gatt-server: Fix not properly checking for secure flags
(CVE-2020-26558, CVE-2021-0129) (Closes: #989614)
--- End Message ---