The bluez packages contain the following utilities for use in Bluetooth applications: hcitool, hciattach, hciconfig, bluetoothd, l2ping, start scripts (AlmaLinux), and pcmcia configuration files.
Security Fix(es):
- bluez: unauthorized HID device connections allow keystroke injection and arbitrary command execution (CVE-2023-45866)
- BlueZ: Audio Profile AVRCP Improper Validation of Array Index Remote Code Execution Vulnerability (CVE-2023-27349)
- bluez: phone book access profile heap-based buffer overflow remote code execution vulnerability (CVE-2023-51596)
- bluez: OBEX library out-of-bounds read information disclosure vulnerability (CVE-2023-51594)
- bluez: audio profile avrcp parse_media_folder out-of-bounds read information disclosure vulnerability (CVE-2023-51592)
- bluez: audio profile avrcp parse_media_element out-of-bounds read information disclosure vulnerability (CVE-2023-51589)
- bluez: avrcp_parse_attribute_list out-of-bounds read information disclosure vulnerability (CVE-2023-51580)
- bluez: AVRCP stack-based buffer overflow remote code execution vulnerability (CVE-2023-44431)
- bluez: phone book access profile heap-based buffer overflow remote code execution vulnerability (CVE-2023-50230)
- bluez: phone book access profile heap-based buffer overflow remote code execution vulnerability (CVE-2023-50229)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Additional Changes:
For detailed information on changes in this release, see the AlmaLinux Release Notes linked from the References section.