CVE-2018-10910

NameCVE-2018-10910
DescriptionA bug in Bluez may allow for the Bluetooth Discoverable state being set to on when no Bluetooth agent is registered with the system. This situation could lead to the unauthorized pairing of certain Bluetooth devices without any form of authentication. Versions before bluez 5.51 are vulnerable.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
NVD severitylow
Debian Bugs925369

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
bluez (PTS)stretch5.43-2+deb9u2vulnerable
stretch (security)5.43-2+deb9u4vulnerable
buster, buster (security)5.50-1.2~deb10u1vulnerable
bullseye, sid5.55-3.1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
bluezsource(unstable)5.54-1low925369

Notes

[buster] - bluez <ignored> (Minor issue)
[stretch] - bluez <ignored> (Minor issue, does not affected Gnome Bluetooth in stretch)
[jessie] - bluez <no-dsa> (Minor issue because in gnome-bluetooth <= 3.26 the D-Bus calls were synchronous and thus the issue in bluez will have no actual affect)
https://bugzilla.redhat.com/show_bug.cgi?id=1606203
https://bugzilla.redhat.com/show_bug.cgi?id=1602985
Bug in src:bluez itself and would need fixing there, but it is workaroundable in
gnome-bluetooth: https://gitlab.gnome.org/GNOME/gnome-bluetooth/commit/6b5086d42ea64d46277f3c93b43984f331d12f89
workaround in gnome-bluetooth landed in 3.28.2, BlueZ fixed in 5.51

Search for package or bug name: Reporting problems