diff -Nru bluez-5.53/debian/changelog bluez-5.53/debian/changelog
--- bluez-5.53/debian/changelog	2022-06-08 11:09:00.000000000 +0000
+++ bluez-5.53/debian/changelog	2023-11-29 09:11:45.000000000 +0000
@@ -1,3 +1,12 @@
+bluez (5.53-0ubuntu3.7) focal-security; urgency=medium
+
+  * SECURITY UPDATE: make conf compliant to HID specification
+    - debian/patches/CVE-2023-45866.patch: input.conf: Change default of
+      ClassicBondedOnly
+    - CVE-2023-45866
+
+ -- Nishit Majithia <nishit.majithia@canonical.com>  Wed, 29 Nov 2023 14:41:45 +0530
+
 bluez (5.53-0ubuntu3.6) focal-security; urgency=medium
 
   * SECURITY UPDATE: various security improvements (LP: #1977968)
diff -Nru bluez-5.53/debian/patches/CVE-2023-45866.patch bluez-5.53/debian/patches/CVE-2023-45866.patch
--- bluez-5.53/debian/patches/CVE-2023-45866.patch	1970-01-01 00:00:00.000000000 +0000
+++ bluez-5.53/debian/patches/CVE-2023-45866.patch	2023-11-29 08:58:15.000000000 +0000
@@ -0,0 +1,45 @@
+From 25a471a83e02e1effb15d5a488b3f0085eaeb675 Mon Sep 17 00:00:00 2001
+From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Date: Tue, 10 Oct 2023 13:03:12 -0700
+Subject: input.conf: Change default of ClassicBondedOnly
+
+This changes the default of ClassicBondedOnly since defaulting to false
+is not inline with HID specification which mandates the of Security Mode
+4:
+
+BLUETOOTH SPECIFICATION Page 84 of 123
+Human Interface Device (HID) Profile:
+
+  5.4.3.4.2 Security Modes
+  Bluetooth HID Hosts shall use Security Mode 4 when interoperating with
+  Bluetooth HID devices that are compliant to the Bluetooth Core
+  Specification v2.1+EDR[6].
+---
+ profiles/input/device.c   | 2 +-
+ profiles/input/input.conf | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+(limited to 'profiles/input')
+
+--- bluez-5.53.orig/profiles/input/device.c
++++ bluez-5.53/profiles/input/device.c
+@@ -92,7 +92,7 @@ struct input_device {
+ 
+ static int idle_timeout = 0;
+ static bool uhid_enabled = false;
+-static bool classic_bonded_only = false;
++static bool classic_bonded_only = true;
+ 
+ void input_set_idle_timeout(int timeout)
+ {
+--- bluez-5.53.orig/profiles/input/input.conf
++++ bluez-5.53/profiles/input/input.conf
+@@ -17,7 +17,7 @@
+ # platforms may want to make sure that input connections only come from bonded
+ # device connections. Several older mice have been known for not supporting
+ # pairing/encryption.
+-# Defaults to false to maximize device compatibility.
++# Defaults to true for security.
+ #ClassicBondedOnly=true
+ 
+ # LE upgrade security
diff -Nru bluez-5.53/debian/patches/series bluez-5.53/debian/patches/series
--- bluez-5.53/debian/patches/series	2022-06-08 11:09:00.000000000 +0000
+++ bluez-5.53/debian/patches/series	2023-11-29 08:57:59.000000000 +0000
@@ -32,3 +32,4 @@
 avdtp-security.patch
 avdtp-security-2.patch
 avrcp-security.patch
+CVE-2023-45866.patch