Format: 1.8
Date: Mon, 23 Aug 2021 11:59:12 +0200
Source: tor
Binary: tor tor-dbgsym
Architecture: i386
Version: 0.3.5.16-1
Distribution: buster-security
Urgency: medium
Maintainer: i386 Build Daemon (x86-grnet-01)
Changed-By: Peter Palfrader
Description:
 tor - anonymizing overlay network for TCP
Changes:
 tor (0.3.5.16-1) buster-security; urgency=medium
 .
   * New upstream version. For a full list see the upstream changelog. It
     includes:
     - Resolve an assertion failure caused by a behavior mismatch between
       our batch-signature verification code and our single-signature
       verification code. This assertion failure could be triggered
       remotely, leading to a denial of service attack. We fix this issue
       by disabling batch verification. Fixes bug 40078; bugfix on
       0.2.6.1-alpha. This issue is also tracked as TROVE-2021-007 and
       CVE-2021-38385. Found by Henry de Valence.
Checksums-Sha1:
 4342aca6e8d09c79a93c00699467be93ab785fbc 4077184 tor-dbgsym_0.3.5.16-1_i386.deb
 49afa7e360b6126366f9236409ad4041b41c5fe9 6937 tor_0.3.5.16-1_i386-buildd.buildinfo
 cf80651101f9f51c3b8b46977b9b43f00071cd16 1877172 tor_0.3.5.16-1_i386.deb
Checksums-Sha256:
 4adb7331de54847bb034a6345a3ac325bb84e1ebbe9013d3a6eeba4cbf224d37 4077184 tor-dbgsym_0.3.5.16-1_i386.deb
 b604f12ba2b858790d8b45a0ffde232edf54ffac33443ceab4f291c2b84730bf 6937 tor_0.3.5.16-1_i386-buildd.buildinfo
 068b2207a78293c401ed194d9a46c3f92b60f7be6ca9f7fb0b85a01005e89235 1877172 tor_0.3.5.16-1_i386.deb
Files:
 590e6c5fa3d839e005c3521fd23d7a3f 4077184 debug optional tor-dbgsym_0.3.5.16-1_i386.deb
 95005b7bfe44bf45252de19a4ea64758 6937 net optional tor_0.3.5.16-1_i386-buildd.buildinfo
 e6db7f0a02f324cc7f3f7bd2f7a66865 1877172 net optional tor_0.3.5.16-1_i386.deb