-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Format: 1.8 Date: Mon, 23 Aug 2021 11:59:12 +0200 Source: tor Binary: tor tor-dbgsym Architecture: armhf Version: 0.3.5.16-1 Distribution: buster-security Urgency: medium Maintainer: arm Build Daemon (arm-ubc-04) Changed-By: Peter Palfrader Description: tor - anonymizing overlay network for TCP Changes: tor (0.3.5.16-1) buster-security; urgency=medium . * New upstream version. For a full list see the upstream changelog. It includes: - Resolve an assertion failure caused by a behavior mismatch between our batch-signature verification code and our single-signature verification code. This assertion failure could be triggered remotely, leading to a denial of service attack. We fix this issue by disabling batch verification. Fixes bug 40078; bugfix on 0.2.6.1-alpha. This issue is also tracked as TROVE-2021-007 and CVE-2021-38385. Found by Henry de Valence. Checksums-Sha1: 8010f5305bf18cd439160156dcd14f2c9946d4b8 4385784 tor-dbgsym_0.3.5.16-1_armhf.deb 21bb401ed179c895d156d3e68a9ca3705b664f61 6834 tor_0.3.5.16-1_armhf-buildd.buildinfo 2559788e35124579b2fc108d781e90cbcb5d7d51 1739360 tor_0.3.5.16-1_armhf.deb Checksums-Sha256: 6b8d526bd492b42a64fc7363d803f02dbf516eee7794c121eee071e782de6e8b 4385784 tor-dbgsym_0.3.5.16-1_armhf.deb 4d9aa983cce189ecaca5eba82d0ad2e8cb22d724106f254ca708f9cb362cb00e 6834 tor_0.3.5.16-1_armhf-buildd.buildinfo fc75997fded815c7c636ff007593c47b2f390ac45993b6b48f7b4d9a7544abec 1739360 tor_0.3.5.16-1_armhf.deb Files: 6ed9aa5bec0524d01435d760faab80f4 4385784 debug optional tor-dbgsym_0.3.5.16-1_armhf.deb 9e05a3d34b0a635e85c8a806abe4d458 6834 net optional tor_0.3.5.16-1_armhf-buildd.buildinfo 41495200855c616269b137108374d344 1739360 net optional tor_0.3.5.16-1_armhf.deb -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEEnkOoRyjJ0+t2tN7OjOf+cynECFcFAmEjfkAACgkQjOf+cynE CFeKXw/+NnihnPCDUMNvTVlimZK/GjjXEbUyixPWuwRK5sGE65to7LnHHpPGkMqK Uvb5j7H6y/iVrv/fDQIZO6XwsqRw48Pv9ELXnMsR3BRzTrZhyxUJlWu256gpjoJk b853G93Xr2YZE3U2Cu+wWMDn6N483LxalJmCBUsqr68Tylr6vl7l75Xrf4veB8kd zZNiwhmOooz8RwnflRTDYDrlKE93Ssv80P7nIij79I86ZS4oDVSuUHRhx4C1zk+i EtvLogUXnWYD2KXuhheZjsXlSZgio+4EB5hjCDR3g+wOu1w4GpG79Idjb5blTzyW nyCL94f/veaigyXMgNM0qhZKPoNZIAXUsNFUubfPI8TbIj75U5Nn0rhqj62Q849S k2az1f/TFCWTTCS0KYbp8g7T0gK5kw1Dc3Cej/SyK2yFITP72sT9WzsMXAAaKpEU AgKoVTcLJMcP0hrSP8WVtT9G0Nqo1FNMR9symNldxI3Ffb74K00Pf6YyZt8WNr2Z Rn8OzD63yG0yYEvUb5s/OOtA3iVBFIGg+ePuykiA6664kUgK0nmk6M7bNrF7Kad5 /L3Pe6a/mG6/rHXNspPTFVVH3jcbQOgCyiNE0Ks5Q4APNB7+h0aOy8Z8QIQesT1O JXwtgdHiOVyeydeRUapFwi0/YJ4JnNkDmsj5J2JRkuvhSSPYIrY= =EhQn -----END PGP SIGNATURE-----