Security update for bluez SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2021:2291-1 Final 1 1 2021-07-12T15:20:47Z current 2021-07-12T15:20:47Z 2021-07-12T15:20:47Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for bluez This update for bluez fixes the following issues: - CVE-2021-0129,CVE-2020-26558: Check bluetooth security flags (bsc#1186463). The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-SLE-15.3-2021-2291 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/FGEHNTYN7DOZBN7IPNNCVSIU2JNPC226/ E-Mail link for openSUSE-SU-2021:2291-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1186463 SUSE Bug 1186463 https://www.suse.com/security/cve/CVE-2020-26558/ SUSE CVE CVE-2020-26558 page https://www.suse.com/security/cve/CVE-2021-0129/ SUSE CVE CVE-2021-0129 page openSUSE Leap 15.3 bluez-5.55-3.3.1 bluez-auto-enable-devices-5.55-3.3.1 bluez-cups-5.55-3.3.1 bluez-deprecated-5.55-3.3.1 bluez-devel-5.55-3.3.1 bluez-devel-32bit-5.55-3.3.1 bluez-test-5.55-3.3.1 libbluetooth3-5.55-3.3.1 libbluetooth3-32bit-5.55-3.3.1 bluez-5.55-3.3.1 as a component of openSUSE Leap 15.3 bluez-auto-enable-devices-5.55-3.3.1 as a component of openSUSE Leap 15.3 bluez-cups-5.55-3.3.1 as a component of openSUSE Leap 15.3 bluez-deprecated-5.55-3.3.1 as a component of openSUSE Leap 15.3 bluez-devel-5.55-3.3.1 as a component of openSUSE Leap 15.3 bluez-devel-32bit-5.55-3.3.1 as a component of openSUSE Leap 15.3 bluez-test-5.55-3.3.1 as a component of openSUSE Leap 15.3 libbluetooth3-5.55-3.3.1 as a component of openSUSE Leap 15.3 libbluetooth3-32bit-5.55-3.3.1 as a component of openSUSE Leap 15.3 Bluetooth LE and BR/EDR secure pairing in Bluetooth Core Specification 2.1 through 5.2 may permit a nearby man-in-the-middle attacker to identify the Passkey used during pairing (in the Passkey authentication procedure) by reflection of the public key and the authentication evidence of the initiating device, potentially permitting this attacker to complete authenticated pairing with the responding device using the correct Passkey for the pairing session. The attack methodology determines the Passkey value one bit at a time. CVE-2020-26558 openSUSE Leap 15.3:bluez-5.55-3.3.1 openSUSE Leap 15.3:bluez-auto-enable-devices-5.55-3.3.1 openSUSE Leap 15.3:bluez-cups-5.55-3.3.1 openSUSE Leap 15.3:bluez-deprecated-5.55-3.3.1 openSUSE Leap 15.3:bluez-devel-32bit-5.55-3.3.1 openSUSE Leap 15.3:bluez-devel-5.55-3.3.1 openSUSE Leap 15.3:bluez-test-5.55-3.3.1 openSUSE Leap 15.3:libbluetooth3-32bit-5.55-3.3.1 openSUSE Leap 15.3:libbluetooth3-5.55-3.3.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/FGEHNTYN7DOZBN7IPNNCVSIU2JNPC226/ https://www.suse.com/security/cve/CVE-2020-26558.html CVE-2020-26558 https://bugzilla.suse.com/1179610 SUSE Bug 1179610 https://bugzilla.suse.com/1186463 SUSE Bug 1186463 Improper access control in BlueZ may allow an authenticated user to potentially enable information disclosure via adjacent access. CVE-2021-0129 openSUSE Leap 15.3:bluez-5.55-3.3.1 openSUSE Leap 15.3:bluez-auto-enable-devices-5.55-3.3.1 openSUSE Leap 15.3:bluez-cups-5.55-3.3.1 openSUSE Leap 15.3:bluez-deprecated-5.55-3.3.1 openSUSE Leap 15.3:bluez-devel-32bit-5.55-3.3.1 openSUSE Leap 15.3:bluez-devel-5.55-3.3.1 openSUSE Leap 15.3:bluez-test-5.55-3.3.1 openSUSE Leap 15.3:libbluetooth3-32bit-5.55-3.3.1 openSUSE Leap 15.3:libbluetooth3-5.55-3.3.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/FGEHNTYN7DOZBN7IPNNCVSIU2JNPC226/ https://www.suse.com/security/cve/CVE-2021-0129.html CVE-2021-0129 https://bugzilla.suse.com/1186463 SUSE Bug 1186463