Ubuntu Security Notice USN-3413-1

September 12, 2017



bluez vulnerability

A security issue affects these releases of Ubuntu and its derivatives:



- Ubuntu 17.04
- Ubuntu 16.04 LTS
- Ubuntu 14.04 LTS



Summary:



BlueZ could be made to expose sensitive information over Bluetooth.



Software Description:

- bluez: Bluetooth tools and daemons



Details:



It was discovered that an information disclosure vulnerability existed
in the Service Discovery Protocol (SDP) implementation in BlueZ. A
physically proximate unauthenticated attacker could use this to
disclose sensitive information. (CVE-2017-1000250)



Update instructions:



The problem can be corrected by updating your system to the following
package versions:



Ubuntu 17.04:
bluez 5.43-0ubuntu1.1
libbluetooth3 5.43-0ubuntu1.1



Ubuntu 16.04 LTS:
bluez 5.37-0ubuntu5.1
libbluetooth3 5.37-0ubuntu5.1



Ubuntu 14.04 LTS:
bluez 4.101-0ubuntu13.3
libbluetooth3 4.101-0ubuntu13.3



In general, a standard system update will make all the necessary changes.
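
To confirm that hosts actually carry the fixed versions listed above, the following added example (not part of the original notice) audits package inventory text against them using Debian version ordering. The function names and the sample inventory are assumptions made for illustration; the input format is that of `dpkg-query -W -f='${Package} ${Version}\n'`.

```python
import re

# Fixed versions from USN-3413-1, keyed by Ubuntu release.
FIXED = {"17.04": "5.43-0ubuntu1.1", "16.04": "5.37-0ubuntu5.1",
         "14.04": "4.101-0ubuntu13.3"}
PACKAGES = ("bluez", "libbluetooth3")
# Constructed sample of `dpkg-query -W -f='${Package} ${Version}\n'` on a 16.04 host.
SAMPLE_1604 = "bluez 5.37-0ubuntu5\nlibbluetooth3 5.37-0ubuntu5.1\nopenssl 1.0.2g-1ubuntu4.8\n"

def _sign(x, y):
    return (x > y) - (x < y)

def _rank(ch):
    # Debian ordering: '~' sorts before end-of-string (""), letters before symbols.
    if ch in ("", "~"):
        return -1 if ch else 0
    return ord(ch) if ch.isalpha() else ord(ch) + 256

def _cmp_string(a, b):
    """Compare upstream or revision strings: alternate non-digit and digit runs."""
    while a or b:
        na, nb = re.match(r"\D*", a).group(), re.match(r"\D*", b).group()
        a, b = a[len(na):], b[len(nb):]
        for i in range(max(len(na), len(nb))):
            if _rank(na[i:i + 1]) != _rank(nb[i:i + 1]):
                return _sign(_rank(na[i:i + 1]), _rank(nb[i:i + 1]))
        da, db = re.match(r"\d*", a).group(), re.match(r"\d*", b).group()
        a, b = a[len(da):], b[len(db):]
        if int(da or 0) != int(db or 0):
            return _sign(int(da or 0), int(db or 0))
    return 0

def _split(version):
    epoch, rest = version.split(":", 1) if ":" in version else ("0", version)
    upstream, _, revision = rest.rpartition("-") if "-" in rest else (rest, "", "")
    return int(epoch), upstream, revision

def compare(a, b):
    """Return -1, 0 or 1 as Debian version a is older than, equal to or newer than b."""
    (ea, ua, ra), (eb, ub, rb) = _split(a), _split(b)
    return _sign(ea, eb) or _cmp_string(ua, ub) or _cmp_string(ra, rb)

def audit(release, dpkg_lines):
    """Return {package: installed_version} for packages older than the USN fix."""
    stale = {}
    for line in dpkg_lines.splitlines():
        name, _, version = line.strip().partition(" ")
        if name in PACKAGES and version and compare(version, FIXED[release]) < 0:
            stale[name] = version
    return stale
```

Calling `audit("16.04", SAMPLE_1604)` reports only `bluez`, because the sample's `libbluetooth3` is already at the fixed version. An empty result means no listed package is older than the fix.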



References:

https://www.ubuntu.com/usn/usn-3413-1

CVE-2017-1000250



Package Information:

https://launchpad.net/ubuntu/+source/bluez/5.43-0ubuntu1.1
https://launchpad.net/ubuntu/+source/bluez/5.37-0ubuntu5.1
https://launchpad.net/ubuntu/+source/bluez/4.101-0ubuntu13.3





