The bluez packages contain the following utilities for use in Bluetooth applications: hcitool, hciattach, hciconfig, bluetoothd, l2ping, start scripts (Rocky Enterprise Software Foundation), and pcmcia configuration files.
Security Fix(es):
bluez: unauthorized HID device connections allow keystroke injection and arbitrary command execution (CVE-2023-45866)
BlueZ: Audio Profile AVRCP Improper Validation of Array Index Remote Code Execution Vulnerability (CVE-2023-27349)
bluez: phone book access profile heap-based buffer overflow remote code execution vulnerability (CVE-2023-51596)
bluez: OBEX library out-of-bounds read information disclosure vulnerability (CVE-2023-51594)
bluez: audio profile avrcp parse_media_folder out-of-bounds read information disclosure vulnerability (CVE-2023-51592)
bluez: audio profile avrcp parse_media_element out-of-bounds read information disclosure vulnerability (CVE-2023-51589)
bluez: avrcp_parse_attribute_list out-of-bounds read information disclosure vulnerability (CVE-2023-51580)
bluez: AVRCP stack-based buffer overflow remote code execution vulnerability (CVE-2023-44431)
bluez: phone book access profile heap-based buffer overflow remote code execution vulnerability (CVE-2023-50230)
bluez: phone book access profile heap-based buffer overflow remote code execution vulnerability (CVE-2023-50229)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Additional Changes:
For detailed information on changes in this release, see the Rocky Linux 9.5 Release Notes linked from the References section.