| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <2024121709-CVE-2024-53144-ee57@gregkh>
Date: Tue, 17 Dec 2024 16:55:10 +0100
From: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
To: linux-cve-announce@...r.kernel.org
Cc: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
Subject: CVE-2024-53144: Bluetooth: hci_event: Align BR/EDR JUST_WORKS paring with LE
Description
===========
In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: hci_event: Align BR/EDR JUST_WORKS paring with LE
This aligned BR/EDR JUST_WORKS method with LE which since 92516cd97fd4
("Bluetooth: Always request for user confirmation for Just Works")
always request user confirmation with confirm_hint set since the
likes of bluetoothd have dedicated policy around JUST_WORKS method
(e.g. main.conf:JustWorksRepairing).
CVE: CVE-2024-8805
The Linux kernel CVE team has assigned CVE-2024-53144 to this issue.
Affected and fixed versions
===========================
Issue introduced in 3.16 with commit ba15a58b179e and fixed in 6.1.113 with commit d17c631ba04e
Issue introduced in 3.16 with commit ba15a58b179e and fixed in 6.6.55 with commit 830c03e58beb
Issue introduced in 3.16 with commit ba15a58b179e and fixed in 6.10.14 with commit ad7adfb95f64
Issue introduced in 3.16 with commit ba15a58b179e and fixed in 6.11.3 with commit 5291ff856d2c
Issue introduced in 3.16 with commit ba15a58b179e and fixed in 6.12 with commit b25e11f978b6
Issue introduced in 3.2.61 with commit 373d1dfcffc6
Issue introduced in 3.4.98 with commit bc96ff59b2f1
Issue introduced in 3.10.48 with commit 6ab84785311d
Issue introduced in 3.12.25 with commit 778763287ded
Issue introduced in 3.14.12 with commit 9a5fcacabde0
Issue introduced in 3.15.5 with commit 039da39a6161
Please see https://www.kernel.org for a full list of currently supported
kernel versions by the kernel community.
Unaffected versions might change over time as fixes are backported to
older supported kernel versions. The official CVE entry at
https://cve.org/CVERecord/?id=CVE-2024-53144
will be updated if fixes are backported, please check that for the most
up to date information about this issue.
Affected files
==============
The file(s) affected by this issue are:
net/bluetooth/hci_event.c
Mitigation
==========
The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this, and many other bugfixes. Individual
changes are never tested alone, but rather are part of a larger kernel
release. Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all. If however, updating to
the latest release is impossible, the individual changes to resolve this
issue can be found at these commits:
https://git.kernel.org/stable/c/d17c631ba04e960eb6f8728b10d585de20ac4f71
https://git.kernel.org/stable/c/830c03e58beb70b99349760f822e505ecb4eeb7e
https://git.kernel.org/stable/c/ad7adfb95f64a761e4784381e47bee1a362eb30d
https://git.kernel.org/stable/c/5291ff856d2c5177b4fe9c18828312be30213193
https://git.kernel.org/stable/c/b25e11f978b63cb7857890edb3a698599cddb10e
Powered by blists - more mailing lists