CVE-2017-1000250 — bluez - security update

Description

All versions of the SDP server in BlueZ 5.46 and earlier are vulnerable to an information disclosure vulnerability which allows remote attackers to obtain sensitive information from the bluetoothd process memory. This vulnerability lies in the processing of SDP search attribute requests.

How to fix CVE-2017-1000250

To remediate CVE-2017-1000250, upgrade the affected package to a fixed version below.

—upgrade to 5.36-r1 or later
—upgrade to 5.46-1 or later
—upgrade to 4.99-2+deb7u1 or later
—upgrade to 5.23-2+deb8u1 or later

Is CVE-2017-1000250 being exploited?

Moderate — EPSS is 34.9%. Track this CVE but it's not at the top of the prioritisation list.

Affected packages (4)

from 0, < 5.36-r1
from 0, < 5.46-1
from 0, < 4.99-2+deb7u1
from 0, < 5.23-2+deb8u1

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM6.5	CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

References (2)

ADVISORYsecurity.alpinelinux.org/vuln/CVE-2017-1000250
ADVISORYsecurity-tracker.debian.org/tracker/CVE-2017-1000250