[ubuntu/xenial-security] bluez 5.37-0ubuntu5.3 (Accepted)

Marc Deslauriers marc.deslauriers at canonical.com
Mon Mar 30 17:44:47 UTC 2020

bluez (5.37-0ubuntu5.3) xenial-security; urgency=medium

  * SECURITY UPDATE: buffer overflow in parse_line function
    - debian/patches/CVE-2016-7837.patch: make sure we don't write past the
      end of the array in tools/csr.c.
    - CVE-2016-7837
  * SECURITY UPDATE: privilege escalation via improper access control
    - debian/patches/CVE-2020-0556-pre1.patch: use .accept and .disconnect
      instead of attio in profiles/input/hog.c, src/device.c, src/device.h.
    - debian/patches/CVE-2020-0556-1.patch: HOGP must only accept data from
      bonded devices in profiles/input/hog.c.
    - debian/patches/CVE-2020-0556-2.patch: HID accepts bonded device
      connections only in profiles/input/device.c, profiles/input/device.h,
      profiles/input/input.conf, profiles/input/manager.c.
    - debian/patches/CVE-2020-0556-3.patch: attempt to set security level
      if not bonded in profiles/input/hog.c.
    - debian/patches/CVE-2020-0556-4.patch: add LEAutoSecurity setting to
      input.conf in profiles/input/device.h, profiles/input/hog.c,
      profiles/input/input.conf, profiles/input/manager.c.
    - CVE-2020-0556

Date: 2020-03-30 17:10:51.010196+00:00
Changed-By: Marc Deslauriers <marc.deslauriers at canonical.com>
-------------- next part --------------
Sorry, changesfile not available.

More information about the Xenial-changes mailing list