#1006406 BlueMirror mesh attacks - CVE-2020-26556, CVE-2020-26557, CVE-2020-26559, CVE-2020-26560

Package: src:bluez
Source: bluez
Submitter: Ben Hutchings
Date: 2022-02-25 02:33:02 UTC
Severity: important
Tags:
#1006406#5
Date:
2022-02-25 02:25:56 UTC
From:
To:
Several of the BlueMirror attacks described at
<https://kb.cert.org/vuls/id/799380> involve mesh provisioning, which
seems to be implemented entirely in BlueZ user-space.

CVE-2020-26556 was already fixed in 5.50-1.1, but I don't see any
mention of the other issues in either the Debian changelog or upstream
commit messages.

I've intentionally not specified a package version because I don't
know whether the current version has been fixed or not.

Ben.

#1006406#10
Date:
2022-02-25 02:31:58 UTC
From:
To:
Control: retitle -1 BlueMirror mesh attacks - CVE-2020-26556, CVE-2020-26557, CVE-2020-26559, CVE-2020-26560

Oops, that was CVE-2020-0556.  So the status of all the mesh
provisioning issues is still unclear.

Ben.