ELA-720-1 bluez security update

denial of service or information leak

2022-10-30
Package: bluez
Version: 5.43-2+deb9u2~deb8u5 (jessie), 5.43-2+deb9u6 (stretch)
Related CVEs: CVE-2022-0204, CVE-2022-39176, CVE-2022-39177


Several vulnerabilities have been found in BlueZ, the Linux Bluetooth protocol stack.

CVE-2022-0204

A heap overflow vulnerability was found in BlueZ. An attacker with local network access could pass specially crafted files, causing an application to halt or crash and leading to a denial of service.

CVE-2022-39176

BlueZ allows physically proximate attackers to obtain sensitive information because profiles/audio/avrcp.c does not validate params_len.

CVE-2022-39177

BlueZ allows physically proximate attackers to cause a denial of service because malformed and invalid capabilities can be processed in profiles/audio/avdtp.c.
For Debian 8 jessie, these problems have been fixed in version 5.43-2+deb9u2~deb8u5.

For Debian 9 stretch, these problems have been fixed in version 5.43-2+deb9u6.

We recommend that you upgrade your bluez packages.

Further information about Extended LTS security advisories can be found in the dedicated section of our website.