CVE-2023-45866

Name: CVE-2023-45866
Description: Bluetooth HID Hosts in BlueZ may permit an unauthenticated Peripheral ...
Source: CVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
References: DLA-3689-1, DSA-5584-1
Debian Bugs: 1057914

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package | Release             | Version          | Status
bluez (PTS)    | bullseye            | 5.55-3.1+deb11u1 | fixed
bluez (PTS)    | bullseye (security) | 5.55-3.1+deb11u2 | fixed
bluez (PTS)    | bookworm            | 5.66-1+deb12u2   | fixed
bluez (PTS)    | bookworm (security) | 5.66-1+deb12u1   | fixed
bluez (PTS)    | trixie              | 5.82-1.1         | fixed
bluez (PTS)    | forky, sid          | 5.85-4           | fixed

The information below is based on the following data on fixed versions.

Package | Type   | Release      | Fixed Version    | Urgency | Origin     | Debian Bugs
bluez   | source | experimental | 5.70-1.1~exp0    |         |            |
bluez   | source | buster       | 5.50-1.2~deb10u4 |         | DLA-3689-1 |
bluez   | source | bullseye     | 5.55-3.1+deb11u1 |         | DSA-5584-1 |
bluez   | source | bookworm     | 5.66-1+deb12u1   |         | DSA-5584-1 |
bluez   | source | (unstable)   | 5.70-1.1         |         |            | 1057914

Notes

https://git.kernel.org/pub/scm/bluetooth/bluez.git/commit/?id=25a471a83e02e1effb15d5a488b3f0085eaeb675
The fix for CVE-2020-0556 added the "ClassicBondedOnly" configuration option, which can be set manually, but it defaulted to false.
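Because "ClassicBondedOnly" defaulted to false, an administrator who wants to limit the input profile to bonded devices has to set it explicitly in bluetoothd's input.conf, and explicitly enabling it does not depend on which default the installed package ships. The script below is an added example, not code from the Debian tracker or the BlueZ project: it parses a BlueZ-style input.conf and reports whether the option is actually enabled (a commented-out "#ClassicBondedOnly=true" is only documentation of the default and does not enable it). The file path /etc/bluetooth/input.conf and the [General] section name follow the stock BlueZ configuration file; the sample files it writes are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the Debian tracker or BlueZ): check whether the
# BlueZ input profile only accepts HID connections from bonded devices.
# Assumes the stock BlueZ layout: /etc/bluetooth/input.conf with a [General]
# section holding the ClassicBondedOnly key.

# Return 0 if the [General] section of the given input.conf contains an
# uncommented "ClassicBondedOnly=true", 1 otherwise. Lines starting with '#'
# never match, so the commented default in the stock file does not count.
classic_bonded_only_enabled() {
    awk '
        /^[[:space:]]*\[/ {
            in_general = ($0 ~ /^[[:space:]]*\[General\][[:space:]]*$/)
            next
        }
        in_general && /^[[:space:]]*ClassicBondedOnly[[:space:]]*=/ {
            val = $0
            sub(/^[^=]*=[[:space:]]*/, "", val)
            sub(/[[:space:]]*$/, "", val)
            if (tolower(val) == "true") found = 1
        }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# Print a one-line verdict for a config file (path given as $1).
report() {
    if classic_bonded_only_enabled "$1"; then
        echo "$1: ClassicBondedOnly=true (HID connections limited to bonded devices)"
    else
        echo "$1: ClassicBondedOnly not enabled (default false applies; unbonded HID devices may connect)"
    fi
}

# Constructed sample 1: the stock file leaves the option commented out,
# so the default (false) is in effect.
WEAK_CONF=$(mktemp)
cat > "$WEAK_CONF" <<'EOF'
# constructed sample: option documented but not enabled
[General]
#ClassicBondedOnly=true
EOF

# Constructed sample 2: hardened configuration with the option switched on.
HARD_CONF=$(mktemp)
cat > "$HARD_CONF" <<'EOF'
# constructed sample: hardened input.conf
[General]
ClassicBondedOnly=true
EOF

# Constructed sample 3: key present but explicitly false, which is still weak.
FALSE_CONF=$(mktemp)
cat > "$FALSE_CONF" <<'EOF'
[General]
ClassicBondedOnly=false
EOF

report "$WEAK_CONF"
report "$HARD_CONF"
report "$FALSE_CONF"

# On a real host, run the same check against the live file:
#   report /etc/bluetooth/input.conf
```

On a Debian system, pair this with the fixed-version table above: `dpkg-query -W -f='${Version}\n' bluez` gives the installed version, and `dpkg --compare-versions "$installed" ge "$fixed"` tells you whether it is at or above the fixed version for your release. Restart bluetoothd after editing input.conf so the new setting takes effect.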
