It was reported that the BlueZ's HID profile implementation is not inline with the HID specification which mandates the use of Security Mode 4. The HID profile configuration option ClassicBondedOnly now defaults to "true" to make sure that input connections only come from bonded device connections.
https://security-tracker.debian.org/tracker/DSA-5584-1
Continue reading...
https://security-tracker.debian.org/tracker/DSA-5584-1
Continue reading...