1.14.1 LTS Release Update (October 2019)

This is an LTS maintenance release with fixes, as well as Bluetooth qualification listings for the Bluetooth protocol stack included in Zephyr.

Security Vulnerability Related

The following security vulnerability (CVE) was addressed in this release:

  • Fixes CVE-2019-9506: The Bluetooth BR/EDR specification up to and including version 5.1 permits sufficiently low encryption key length and does not prevent an attacker from influencing the key length negotiation. This allows practical brute-force attacks (aka “KNOB”) that can decrypt traffic and inject arbitrary ciphertext without the victim noticing.

Bluetooth

  • Qualification:
    • 1.14.x Host subsystem qualified with QDID 139258
    • 1.14.x Mesh subsystem qualified with QDID 139259
    • 1.14.x Controller component qualified on Nordic nRF52 with QDID 135679

See the Zephyr v1.14.1 release notes for details.