-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Format: 1.8 Date: Mon, 23 Aug 2021 11:59:12 +0200 Source: tor Binary: tor tor-dbgsym Architecture: arm64 Version: 0.3.5.16-1 Distribution: buster-security Urgency: medium Maintainer: arm Build Daemon (arm-ubc-02) Changed-By: Peter Palfrader Description: tor - anonymizing overlay network for TCP Changes: tor (0.3.5.16-1) buster-security; urgency=medium . * New upstream version. For a full list see the upstream changelog. It includes: - Resolve an assertion failure caused by a behavior mismatch between our batch-signature verification code and our single-signature verification code. This assertion failure could be triggered remotely, leading to a denial of service attack. We fix this issue by disabling batch verification. Fixes bug 40078; bugfix on 0.2.6.1-alpha. This issue is also tracked as TROVE-2021-007 and CVE-2021-38385. Found by Henry de Valence. Checksums-Sha1: 4809ead975ed87cb73de6511e5568c87276f3bb0 4485196 tor-dbgsym_0.3.5.16-1_arm64.deb bb5ce0dc163575040eddf613a2884bb74c2d3820 6900 tor_0.3.5.16-1_arm64-buildd.buildinfo dd710c17d8af14f25daf6b8d63a51d32becf6518 1736004 tor_0.3.5.16-1_arm64.deb Checksums-Sha256: 1a09d1cb98d5abffbf1700be0286a944bf2bd239838e38c762b64e5f1d5434c0 4485196 tor-dbgsym_0.3.5.16-1_arm64.deb a4c48c248691c82d79aafab25471557ab54f2fb47bf85c7dee258f5a7b70e7e9 6900 tor_0.3.5.16-1_arm64-buildd.buildinfo 4704e55324296f1da3799372c2911e92eb8891d3ceac099484c9e5ae283bd790 1736004 tor_0.3.5.16-1_arm64.deb Files: 21c521ea75c7949ee40c71c1a8c367a4 4485196 debug optional tor-dbgsym_0.3.5.16-1_arm64.deb 2f56bd43e9fd4d3851401674e4907a95 6900 net optional tor_0.3.5.16-1_arm64-buildd.buildinfo af1810c86aee9108777e71664c12175e 1736004 net optional tor_0.3.5.16-1_arm64.deb -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEEacaZJEoOkCBqMc0ik7/kqR9yTgQFAmEjfT0ACgkQk7/kqR9y TgT1oQ/9FAYxYADHZACtUKCusytQLQYIJtdfB5PIPNrsU7Gotvp6BInUbICqdV30 wWxqR6STpN9y9fRlPFw5AKYzifDH9R7bgsOF1PHN240BDIOnWnRLpBQaDm+lhmuB xdn/k/LbR5/9Xe1hxVQ6IDWhWMFu2ZHuuCJdx3ootc02WtrikqNkJmEiCct4HX9a OjEhrIz7Ar0Zt9Dc1xFwDVekVCaTnQ8Riupdvz9ejK/Ye1QREcYHiwQp2noKJI7/ 9+oCg0+d6f0VOZUDyRAFCfQYYIuUJobuG7JWxjvhYzdbjRnLAHGmWZYG4SXfJg3C 65AbJrEcXCKjThRm0X35eYA56XcbeC3dyFcHV6b4X/ar3NrvxFTQKhufiy1HQwEt 0MhbdohJKi2RdDXT6e3YkLVakCiL09Wx1b4WJyFHwbC/Row1Zyvch9w0H6WGlI5U vpgMquz+ghYRxB2F6BlePaN6KB2CSWFTFVBGBwgjp3xXXGneuL875FJx+Qiv+zBh cXfoymWw4+ORS9UKPYxdcJUsBbxL3ri2DfGeNUuLs37QdGKXaqv9G1ixWRgZK0aE ENa8CGiOsvm5QlX48WSwbo1WoyyuGJnqrfJNERi4sZKvldpcaDHB6Q0GNciqvaj/ ZHSWhf6QFWzXs3fBpDZmUbCLOI3AQFZcyNsVqZSnD7A3XHqR1iY= =CFuE -----END PGP SIGNATURE-----