Bugzilla – Bug 1013712
VUL-0: CVE-2016-9798: bluez,bluez-hcidump: use-after-free in conf_opt()
Last modified: 2020-09-16 11:02:27 UTC
In BlueZ 5.42, a use-after-free was identified in "conf_opt" function in "tools/parser/l2cap.c" source file. This issue can be triggered by processing a corrupted dump file and will result in hcidump crash. References: https://bugzilla.redhat.com/show_bug.cgi?id=1401522 http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-9798 http://www.cvedetails.com/cve/CVE-2016-9798/
Created attachment 704866 [details] dump file to reproduce the issue
Only SLE-12* codestreams are affected. The code in question is not yet contained in SLE-11 versions. QA reproducer: I've been able to reproduce the issue using the attached dump file and the following command: valgrind /usr/sbin/hcidump -a -r cve-2016-9798 The program will not crash but valgrind will print errors about invalid read accesses.
bugbot adjusting priority
(In reply to Matthias Gerstner from comment #2) > Only SLE-12* codestreams are affected. The code in question is not yet > contained in SLE-11 versions. Would you please let me know which version in SLE-11 ? is it bluez-4.99 or bluez-4.22? > > QA reproducer: > > I've been able to reproduce the issue using the attached dump file and the > following command: > > valgrind /usr/sbin/hcidump -a -r cve-2016-9798 > > The program will not crash but valgrind will print errors about invalid read > accesses.
> Would you please let me know which version in SLE-11 ? is it bluez-4.99 or > bluez-4.22? We currently have three codestreams for SLE-11 with following versions for bluez: SUSE:SLE-11-SP1:Update/bluez/bluez.spec:Version: 4.51 SUSE:SLE-11-SP3:Update/bluez/bluez.spec:Version: 4.99 SUSE:SLE-11-SP4:Update/bluez/bluez.spec:Version: 4.99 Most of the current bugs regarding bluez affect the 'hcidump' tool which is not contained in these versions of bluez. Instead there is a separate package bluez-hcidump that exists only for one codestream: ./SUSE:SLE-11-SP1:Update/bluez-hcidump/bluez-hcidump.spec:Version: 1.42
SUSE-SU-2019:1339-1: An update that fixes 5 vulnerabilities is now available. Category: security (moderate) Bug References: 1013708,1013712,1013893,1015171,1015173 CVE References: CVE-2016-9797,CVE-2016-9798,CVE-2016-9802,CVE-2016-9917,CVE-2016-9918 Sources used: SUSE Linux Enterprise Workstation Extension 12-SP4 (src): bluez-5.13-5.12.1 SUSE Linux Enterprise Workstation Extension 12-SP3 (src): bluez-5.13-5.12.1 SUSE Linux Enterprise Software Development Kit 12-SP4 (src): bluez-5.13-5.12.1 SUSE Linux Enterprise Software Development Kit 12-SP3 (src): bluez-5.13-5.12.1 SUSE Linux Enterprise Server 12-SP4 (src): bluez-5.13-5.12.1 SUSE Linux Enterprise Server 12-SP3 (src): bluez-5.13-5.12.1 SUSE Linux Enterprise Desktop 12-SP4 (src): bluez-5.13-5.12.1 SUSE Linux Enterprise Desktop 12-SP3 (src): bluez-5.13-5.12.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2019:1353-1: An update that fixes four vulnerabilities is now available. Category: security (moderate) Bug References: 1013708,1013712,1013893,1015171 CVE References: CVE-2016-9797,CVE-2016-9798,CVE-2016-9802,CVE-2016-9917 Sources used: SUSE Linux Enterprise Workstation Extension 15 (src): bluez-5.48-5.16.1 SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 (src): bluez-5.48-5.16.1 SUSE Linux Enterprise Module for Desktop Applications 15 (src): bluez-5.48-5.16.1 SUSE Linux Enterprise Module for Basesystem 15 (src): bluez-5.48-5.16.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
openSUSE-SU-2019:1476-1: An update that fixes four vulnerabilities is now available. Category: security (moderate) Bug References: 1013708,1013712,1013893,1015171 CVE References: CVE-2016-9797,CVE-2016-9798,CVE-2016-9802,CVE-2016-9917 Sources used: openSUSE Leap 15.1 (src): bluez-5.48-lp151.8.3.1 openSUSE Leap 15.0 (src): bluez-5.48-lp150.4.13.1
The bug was not fixed after applying the update: Before: ------- sles15:/work/bluez # valgrind hcidump -a -r cve-2016-9798 > cve-2016-9798.txt ==29674== Memcheck, a memory error detector ==29674== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al. ==29674== Using Valgrind-3.13.0 and LibVEX; rerun with -h for copyright info ==29674== Command: hcidump -a -r cve-2016-9798 ==29674== ==29674== Conditional jump or move depends on uninitialised value(s) ==29674== at 0x11DE54: ??? (in /usr/bin/hcidump) ==29674== by 0x11EA63: ??? (in /usr/bin/hcidump) ==29674== by 0x11D5F4: ??? (in /usr/bin/hcidump) ==29674== by 0x10F1AA: ??? (in /usr/bin/hcidump) ==29674== by 0x4E5AF89: (below main) (in /lib64/libc-2.26.so) ==29674== ==29674== Conditional jump or move depends on uninitialised value(s) ==29674== at 0x11DE6D: ??? (in /usr/bin/hcidump) ==29674== by 0x11EA63: ??? (in /usr/bin/hcidump) ==29674== by 0x11D5F4: ??? (in /usr/bin/hcidump) ==29674== by 0x10F1AA: ??? (in /usr/bin/hcidump) ==29674== by 0x4E5AF89: (below main) (in /lib64/libc-2.26.so) ==29674== ==29674== Use of uninitialised value of size 8 ==29674== at 0x11DE7D: ??? (in /usr/bin/hcidump) ==29674== by 0x11EA63: ??? (in /usr/bin/hcidump) ==29674== by 0x11D5F4: ??? (in /usr/bin/hcidump) ==29674== by 0x10F1AA: ??? (in /usr/bin/hcidump) ==29674== by 0x4E5AF89: (below main) (in /lib64/libc-2.26.so) ==29674== ==29674== Use of uninitialised value of size 8 ==29674== at 0x4E85B21: _itoa_word (in /lib64/libc-2.26.so) ==29674== by 0x4E89460: vfprintf (in /lib64/libc-2.26.so) ==29674== by 0x4F4172B: __printf_chk (in /lib64/libc-2.26.so) ==29674== by 0x11E1BA: ??? (in /usr/bin/hcidump) ==29674== by 0x11EA63: ??? (in /usr/bin/hcidump) ==29674== by 0x11D5F4: ??? (in /usr/bin/hcidump) ==29674== by 0x10F1AA: ??? (in /usr/bin/hcidump) ==29674== by 0x4E5AF89: (below main) (in /lib64/libc-2.26.so) ==29674== ==29674== Conditional jump or move depends on uninitialised value(s) ==29674== at 0x4E85B28: _itoa_word (in /lib64/libc-2.26.so) ==29674== by 0x4E89460: vfprintf (in /lib64/libc-2.26.so) ==29674== by 0x4F4172B: __printf_chk (in /lib64/libc-2.26.so) ==29674== by 0x11E1BA: ??? (in /usr/bin/hcidump) ==29674== by 0x11EA63: ??? (in /usr/bin/hcidump) ==29674== by 0x11D5F4: ??? (in /usr/bin/hcidump) ==29674== by 0x10F1AA: ??? (in /usr/bin/hcidump) ==29674== by 0x4E5AF89: (below main) (in /lib64/libc-2.26.so) ==29674== ==29674== Conditional jump or move depends on uninitialised value(s) ==29674== at 0x4E89EF0: vfprintf (in /lib64/libc-2.26.so) ==29674== by 0x4F4172B: __printf_chk (in /lib64/libc-2.26.so) ==29674== by 0x11E1BA: ??? (in /usr/bin/hcidump) ==29674== by 0x11EA63: ??? (in /usr/bin/hcidump) ==29674== by 0x11D5F4: ??? (in /usr/bin/hcidump) ==29674== by 0x10F1AA: ??? (in /usr/bin/hcidump) ==29674== by 0x4E5AF89: (below main) (in /lib64/libc-2.26.so) ==29674== ==29674== Conditional jump or move depends on uninitialised value(s) ==29674== at 0x4E89F6C: vfprintf (in /lib64/libc-2.26.so) ==29674== by 0x4F4172B: __printf_chk (in /lib64/libc-2.26.so) ==29674== by 0x11E1BA: ??? (in /usr/bin/hcidump) ==29674== by 0x11EA63: ??? (in /usr/bin/hcidump) ==29674== by 0x11D5F4: ??? (in /usr/bin/hcidump) ==29674== by 0x10F1AA: ??? (in /usr/bin/hcidump) ==29674== by 0x4E5AF89: (below main) (in /lib64/libc-2.26.so) ==29674== ==29674== Conditional jump or move depends on uninitialised value(s) ==29674== at 0x4E89D72: vfprintf (in /lib64/libc-2.26.so) ==29674== by 0x4F4172B: __printf_chk (in /lib64/libc-2.26.so) ==29674== by 0x11E1BA: ??? (in /usr/bin/hcidump) ==29674== by 0x11EA63: ??? (in /usr/bin/hcidump) ==29674== by 0x11D5F4: ??? (in /usr/bin/hcidump) ==29674== by 0x10F1AA: ??? (in /usr/bin/hcidump) ==29674== by 0x4E5AF89: (below main) (in /lib64/libc-2.26.so) ==29674== ==29674== Use of uninitialised value of size 8 ==29674== at 0x4E85B7B: _itoa_word (in /lib64/libc-2.26.so) ==29674== by 0x4E89460: vfprintf (in /lib64/libc-2.26.so) ==29674== by 0x4F4172B: __printf_chk (in /lib64/libc-2.26.so) ==29674== by 0x11E1BA: ??? (in /usr/bin/hcidump) ==29674== by 0x11EA63: ??? (in /usr/bin/hcidump) ==29674== by 0x11D5F4: ??? (in /usr/bin/hcidump) ==29674== by 0x10F1AA: ??? (in /usr/bin/hcidump) ==29674== by 0x4E5AF89: (below main) (in /lib64/libc-2.26.so) ==29674== ==29674== Conditional jump or move depends on uninitialised value(s) ==29674== at 0x4E85B85: _itoa_word (in /lib64/libc-2.26.so) ==29674== by 0x4E89460: vfprintf (in /lib64/libc-2.26.so) ==29674== by 0x4F4172B: __printf_chk (in /lib64/libc-2.26.so) ==29674== by 0x11E1BA: ??? (in /usr/bin/hcidump) ==29674== by 0x11EA63: ??? (in /usr/bin/hcidump) ==29674== by 0x11D5F4: ??? (in /usr/bin/hcidump) ==29674== by 0x10F1AA: ??? (in /usr/bin/hcidump) ==29674== by 0x4E5AF89: (below main) (in /lib64/libc-2.26.so) ==29674== ==29674== Conditional jump or move depends on uninitialised value(s) ==29674== at 0x4E89518: vfprintf (in /lib64/libc-2.26.so) ==29674== by 0x4F4172B: __printf_chk (in /lib64/libc-2.26.so) ==29674== by 0x11E1BA: ??? (in /usr/bin/hcidump) ==29674== by 0x11EA63: ??? (in /usr/bin/hcidump) ==29674== by 0x11D5F4: ??? (in /usr/bin/hcidump) ==29674== by 0x10F1AA: ??? (in /usr/bin/hcidump) ==29674== by 0x4E5AF89: (below main) (in /lib64/libc-2.26.so) ==29674== ==29674== Conditional jump or move depends on uninitialised value(s) ==29674== at 0x11DEF4: ??? (in /usr/bin/hcidump) ==29674== by 0x11EA63: ??? (in /usr/bin/hcidump) ==29674== by 0x11D5F4: ??? (in /usr/bin/hcidump) ==29674== by 0x10F1AA: ??? (in /usr/bin/hcidump) ==29674== by 0x4E5AF89: (below main) (in /lib64/libc-2.26.so) ==29674== ==29674== Conditional jump or move depends on uninitialised value(s) ==29674== at 0x11DF0D: ??? (in /usr/bin/hcidump) ==29674== by 0x11EA63: ??? (in /usr/bin/hcidump) ==29674== by 0x11D5F4: ??? (in /usr/bin/hcidump) ==29674== by 0x10F1AA: ??? (in /usr/bin/hcidump) ==29674== by 0x4E5AF89: (below main) (in /lib64/libc-2.26.so) ==29674== ==29674== Use of uninitialised value of size 8 ==29674== at 0x11DE40: ??? (in /usr/bin/hcidump) ==29674== by 0x11EA63: ??? (in /usr/bin/hcidump) ==29674== by 0x11D5F4: ??? (in /usr/bin/hcidump) ==29674== by 0x10F1AA: ??? (in /usr/bin/hcidump) ==29674== by 0x4E5AF89: (below main) (in /lib64/libc-2.26.so) ==29674== ==29674== Use of uninitialised value of size 8 ==29674== at 0x11DE63: ??? (in /usr/bin/hcidump) ==29674== by 0x11EA63: ??? (in /usr/bin/hcidump) ==29674== by 0x11D5F4: ??? (in /usr/bin/hcidump) ==29674== by 0x10F1AA: ??? (in /usr/bin/hcidump) ==29674== by 0x4E5AF89: (below main) (in /lib64/libc-2.26.so) ==29674== ==29674== Use of uninitialised value of size 8 ==29674== at 0x11E1A0: ??? (in /usr/bin/hcidump) ==29674== by 0x11EA63: ??? (in /usr/bin/hcidump) ==29674== by 0x11D5F4: ??? (in /usr/bin/hcidump) ==29674== by 0x10F1AA: ??? (in /usr/bin/hcidump) ==29674== by 0x4E5AF89: (below main) (in /lib64/libc-2.26.so) ==29674== ==29674== Use of uninitialised value of size 8 ==29674== at 0x11DEF0: ??? (in /usr/bin/hcidump) ==29674== by 0x11EA63: ??? (in /usr/bin/hcidump) ==29674== by 0x11D5F4: ??? (in /usr/bin/hcidump) ==29674== by 0x10F1AA: ??? (in /usr/bin/hcidump) ==29674== by 0x4E5AF89: (below main) (in /lib64/libc-2.26.so) ==29674== ==29674== Invalid read of size 1 ==29674== at 0x11DE40: ??? (in /usr/bin/hcidump) ==29674== by 0x11EA63: ??? (in /usr/bin/hcidump) ==29674== by 0x120F10: ??? (in /usr/bin/hcidump) ==29674== by 0x11D5F4: ??? (in /usr/bin/hcidump) ==29674== by 0x10F1AA: ??? (in /usr/bin/hcidump) ==29674== by 0x4E5AF89: (below main) (in /lib64/libc-2.26.so) ==29674== Address 0x51f57e4 is 12 bytes before an unallocated block of size 4,188,144 in arena "client" ==29674== ==29674== Invalid read of size 1 ==29674== at 0x11DE50: ??? (in /usr/bin/hcidump) ==29674== by 0x11EA63: ??? (in /usr/bin/hcidump) ==29674== by 0x120F10: ??? (in /usr/bin/hcidump) ==29674== by 0x11D5F4: ??? (in /usr/bin/hcidump) ==29674== by 0x10F1AA: ??? (in /usr/bin/hcidump) ==29674== by 0x4E5AF89: (below main) (in /lib64/libc-2.26.so) ==29674== Address 0x51f57e3 is 13 bytes before an unallocated block of size 4,188,144 in arena "client" ==29674== ==29674== Invalid read of size 1 ==29674== at 0x11DE63: ??? (in /usr/bin/hcidump) ==29674== by 0x11EA63: ??? (in /usr/bin/hcidump) ==29674== by 0x120F10: ??? (in /usr/bin/hcidump) ==29674== by 0x11D5F4: ??? (in /usr/bin/hcidump) ==29674== by 0x10F1AA: ??? (in /usr/bin/hcidump) ==29674== by 0x4E5AF89: (below main) (in /lib64/libc-2.26.so) ==29674== Address 0x51f57e3 is 13 bytes before an unallocated block of size 4,188,144 in arena "client" ==29674== ==29674== Invalid read of size 1 ==29674== at 0x11E1A0: ??? (in /usr/bin/hcidump) ==29674== by 0x11EA63: ??? (in /usr/bin/hcidump) ==29674== by 0x120F10: ??? (in /usr/bin/hcidump) ==29674== by 0x11D5F4: ??? (in /usr/bin/hcidump) ==29674== by 0x10F1AA: ??? (in /usr/bin/hcidump) ==29674== by 0x4E5AF89: (below main) (in /lib64/libc-2.26.so) ==29674== Address 0x51f57e4 is 12 bytes before an unallocated block of size 4,188,144 in arena "client" ==29674== ==29674== Invalid read of size 1 ==29674== at 0x11DEF0: ??? (in /usr/bin/hcidump) ==29674== by 0x11EA63: ??? (in /usr/bin/hcidump) ==29674== by 0x120F10: ??? (in /usr/bin/hcidump) ==29674== by 0x11D5F4: ??? (in /usr/bin/hcidump) ==29674== by 0x10F1AA: ??? (in /usr/bin/hcidump) ==29674== by 0x4E5AF89: (below main) (in /lib64/libc-2.26.so) ==29674== Address 0x51f57e3 is 13 bytes before an unallocated block of size 4,188,144 in arena "client" ==29674== ==29674== Syscall param read(buf) points to unaddressable byte(s) ==29674== at 0x4F23C61: read (in /lib64/libc-2.26.so) ==29674== by 0x10F5AD: ??? (in /usr/bin/hcidump) ==29674== by 0x10F32D: ??? (in /usr/bin/hcidump) ==29674== by 0x4E5AF89: (below main) (in /lib64/libc-2.26.so) ==29674== Address 0x51f56ac is 0 bytes after a block of size 1,500 alloc'd ==29674== at 0x4C2E01F: malloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so) ==29674== by 0x10F0B8: ??? (in /usr/bin/hcidump) ==29674== by 0x4E5AF89: (below main) (in /lib64/libc-2.26.so) ==29674== ==29674== ==29674== HEAP SUMMARY: ==29674== in use at exit: 14 bytes in 1 blocks ==29674== total heap usage: 5 allocs, 4 frees, 5,714 bytes allocated ==29674== ==29674== LEAK SUMMARY: ==29674== definitely lost: 0 bytes in 0 blocks ==29674== indirectly lost: 0 bytes in 0 blocks ==29674== possibly lost: 0 bytes in 0 blocks ==29674== still reachable: 14 bytes in 1 blocks ==29674== suppressed: 0 bytes in 0 blocks ==29674== Rerun with --leak-check=full to see details of leaked memory ==29674== ==29674== For counts of detected and suppressed errors, rerun with: -v ==29674== Use --track-origins=yes to see where uninitialised values come from ==29674== ERROR SUMMARY: 82206 errors from 23 contexts (suppressed: 0 from 0) After: ------ ==27845== Syscall param read(buf) points to unaddressable byte(s) ==27845== at 0x4F23C61: read (in /lib64/libc-2.26.so) ==27845== by 0x10F84D: ??? (in /usr/bin/hcidump) ==27845== by 0x10F33D: ??? (in /usr/bin/hcidump) ==27845== by 0x4E5AF89: (below main) (in /lib64/libc-2.26.so) ==27845== Address 0x51f4aac is 0 bytes after a block of size 1,500 alloc'd ==27845== at 0x4C2E01F: malloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so) ==27845== by 0x10F0C8: ??? (in /usr/bin/hcidump) ==27845== by 0x4E5AF89: (below main) (in /lib64/libc-2.26.so) ==27845== ==27845== ==27845== HEAP SUMMARY: ==27845== in use at exit: 14 bytes in 1 blocks ==27845== total heap usage: 5 allocs, 4 frees, 2,642 bytes allocated ==27845== ==27845== LEAK SUMMARY: ==27845== definitely lost: 0 bytes in 0 blocks ==27845== indirectly lost: 0 bytes in 0 blocks ==27845== possibly lost: 0 bytes in 0 blocks ==27845== still reachable: 14 bytes in 1 blocks ==27845== suppressed: 0 bytes in 0 blocks ==27845== Rerun with --leak-check=full to see details of leaked memory ==27845== ==27845== For counts of detected and suppressed errors, rerun with: -v ==27845== Use --track-origins=yes to see where uninitialised values come from ==27845== ERROR SUMMARY: 82206 errors from 23 contexts (suppressed: 0 from 0)
Created attachment 821491 [details] CVE-2016-9798-hcidump-Fixed-malformed-segment-frame-length.patch (In reply to Alexandre Makoto Tanno from comment #21) [..snip] Yes, thanks for your information, this issue should be fixed but I use that wrong PoC file (the same with CVE-2016-9797) to debug, so that didn't fixed by lastest patch I post. And this issue is caused by Segment L2CAP packet into the payload of many HCI data packets. L2CAP SDUs whose length field does not match the actual frame length.
SUSE-SU-2019:1353-2: An update that fixes four vulnerabilities is now available. Category: security (moderate) Bug References: 1013708,1013712,1013893,1015171 CVE References: CVE-2016-9797,CVE-2016-9798,CVE-2016-9802,CVE-2016-9917 Sources used: SUSE Linux Enterprise Workstation Extension 15-SP1 (src): bluez-5.48-5.16.1 SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (src): bluez-5.48-5.16.1 SUSE Linux Enterprise Module for Desktop Applications 15-SP1 (src): bluez-5.48-5.16.1 SUSE Linux Enterprise Module for Basesystem 15-SP1 (src): bluez-5.48-5.16.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2019:2915-1: An update that fixes one vulnerability is now available. Category: security (moderate) Bug References: 1013712 CVE References: CVE-2016-9798 Sources used: SUSE Linux Enterprise Workstation Extension 12-SP5 (src): bluez-5.13-5.15.3 SUSE Linux Enterprise Workstation Extension 12-SP4 (src): bluez-5.13-5.15.3 SUSE Linux Enterprise Software Development Kit 12-SP5 (src): bluez-5.13-5.15.3 SUSE Linux Enterprise Software Development Kit 12-SP4 (src): bluez-5.13-5.15.3 SUSE Linux Enterprise Server 12-SP5 (src): bluez-5.13-5.15.3 SUSE Linux Enterprise Server 12-SP4 (src): bluez-5.13-5.15.3 SUSE Linux Enterprise Desktop 12-SP4 (src): bluez-5.13-5.15.3 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2019:3046-1: An update that fixes one vulnerability is now available. Category: security (moderate) Bug References: 1013712 CVE References: CVE-2016-9798 Sources used: SUSE Linux Enterprise Workstation Extension 15-SP1 (src): bluez-5.48-5.19.1 SUSE Linux Enterprise Workstation Extension 15 (src): bluez-5.48-5.19.1 SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (src): bluez-5.48-5.19.1 SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 (src): bluez-5.48-5.19.1 SUSE Linux Enterprise Module for Desktop Applications 15-SP1 (src): bluez-5.48-5.19.1 SUSE Linux Enterprise Module for Desktop Applications 15 (src): bluez-5.48-5.19.1 SUSE Linux Enterprise Module for Basesystem 15-SP1 (src): bluez-5.48-5.19.1 SUSE Linux Enterprise Module for Basesystem 15 (src): bluez-5.48-5.19.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
openSUSE-SU-2019:2585-1: An update that fixes one vulnerability is now available. Category: security (moderate) Bug References: 1013712 CVE References: CVE-2016-9798 Sources used: openSUSE Leap 15.0 (src): bluez-5.48-lp150.4.16.1
openSUSE-SU-2019:2588-1: An update that fixes one vulnerability is now available. Category: security (moderate) Bug References: 1013712 CVE References: CVE-2016-9798 Sources used: openSUSE Leap 15.1 (src): bluez-5.48-lp151.8.6.1
Done