Debian Bug report logs -
#1006406
BlueMirror mesh attacks - CVE-2020-26556, CVE-2020-26557, CVE-2020-26559, CVE-2020-26560
Reply or subscribe to this bug.
Toggle useless messages
Report forwarded
to debian-bugs-dist@lists.debian.org, team@security.debian.org, Debian Bluetooth Maintainers <team+pkg-bluetooth@tracker.debian.org>:
Bug#1006406; Package src:bluez.
(Fri, 25 Feb 2022 02:30:03 GMT) (full text, mbox, link).
Acknowledgement sent
to Ben Hutchings <ben@decadent.org.uk>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, Debian Bluetooth Maintainers <team+pkg-bluetooth@tracker.debian.org>.
(Fri, 25 Feb 2022 02:30:03 GMT) (full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
Source: bluez
Severity: important
Tags: security upstream
X-Debbugs-Cc: Debian Security Team <team@security.debian.org>
Several of the BlueMirror attacks described at
<https://kb.cert.org/vuls/id/799380> involve mesh provisioning, which
seems to implemented entirely in Bluez user-space.
CVE-2020-26556 was already fixed in 5.50-1.1, but I don't see any
mention of the other issues in either the Debian changelog or upstream
commit messages.
I've intentionally not specified a package version because I don't
know whether the current version has been fixed or not.
Ben.
-- System Information:
Debian Release: bookworm/sid
APT prefers unstable-debug
APT policy: (500, 'unstable-debug'), (500, 'oldstable-updates'), (500, 'unstable'), (500, 'oldstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 5.15.0-3-amd64 (SMP w/2 CPU threads)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Bluetooth Maintainers <team+pkg-bluetooth@tracker.debian.org>:
Bug#1006406; Package src:bluez.
(Fri, 25 Feb 2022 02:33:02 GMT) (full text, mbox, link).
Acknowledgement sent
to Ben Hutchings <ben@decadent.org.uk>:
Extra info received and forwarded to list. Copy sent to Debian Bluetooth Maintainers <team+pkg-bluetooth@tracker.debian.org>.
(Fri, 25 Feb 2022 02:33:02 GMT) (full text, mbox, link).
Message #10 received at 1006406@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
Control: retitle -1 BlueMirror mesh attacks - CVE-2020-26556, CVE-2020-26557, CVE-2020-26559, CVE-2020-26560
On Fri, 2022-02-25 at 03:25 +0100, Ben Hutchings wrote:
> CVE-2020-26556 was already fixed in 5.50-1.1, but I don't see any
> mention of the other issues in either the Debian changelog or upstream
> commit messages.
Oops, that was CVE-2020-0556. So the status of all the mesh
provisioning issues is still unclear.
Ben.
--
Ben Hutchings
Beware of bugs in the above code;
I have only proved it correct, not tried it. - Donald Knuth
[signature.asc (application/pgp-signature, inline)]
Changed Bug title to 'BlueMirror mesh attacks - CVE-2020-26556, CVE-2020-26557, CVE-2020-26559, CVE-2020-26560' from 'BlueMirror mesh attacks - CVE-2020-26557, CVE-2020-26559, CVE-2020-26560'.
Request was from Ben Hutchings <ben@decadent.org.uk>
to 1006406-submit@bugs.debian.org.
(Fri, 25 Feb 2022 02:33:02 GMT) (full text, mbox, link).
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Fri Feb 25 13:06:05 2022;
Machine Name:
buxtehude
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.
Vulmon