A bluez security update has been released for Debian GNU/Linux 8 Extended LTS to address man-in-the-middle attack and information disclosure vulnerabilities.
ELA-445-1 bluez security update
Package bluez
ELA-445-1 bluez security update
Version 5.43-2+deb9u2~deb8u3
Related CVEs CVE-2020-26558 CVE-2021-0129
Two issues have been found in bluez, a package with Bluetooth tools and daemons. One issue is about a man-in-the-middle attack during secure pairing, the other is about information disclosure due to improper access control.
In order to completely fix both issues, you need an updated kernel as well!
For Debian 8 jessie, these problems have been fixed in version 5.43-2+deb9u2~deb8u3.
We recommend that you upgrade your bluez packages.
Further information about Extended LTS security advisories can be found at: https://deb.freexian.com/extended-lts/
