-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Format: 1.8 Date: Mon, 23 Aug 2021 11:59:12 +0200 Source: tor Binary: tor tor-dbgsym Architecture: s390x Version: 0.3.5.16-1 Distribution: buster-security Urgency: medium Maintainer: s390x Build Daemon (zani) Changed-By: Peter Palfrader Description: tor - anonymizing overlay network for TCP Changes: tor (0.3.5.16-1) buster-security; urgency=medium . * New upstream version. For a full list see the upstream changelog. It includes: - Resolve an assertion failure caused by a behavior mismatch between our batch-signature verification code and our single-signature verification code. This assertion failure could be triggered remotely, leading to a denial of service attack. We fix this issue by disabling batch verification. Fixes bug 40078; bugfix on 0.2.6.1-alpha. This issue is also tracked as TROVE-2021-007 and CVE-2021-38385. Found by Henry de Valence. Checksums-Sha1: 1a23d422aec520dc6723d1285a7934e167db821a 4698096 tor-dbgsym_0.3.5.16-1_s390x.deb 9286578719564a340f462b6271f0a8458b066c06 6868 tor_0.3.5.16-1_s390x-buildd.buildinfo 2ca525fb4afdb507122f3aaa10f2b2950480e092 1685320 tor_0.3.5.16-1_s390x.deb Checksums-Sha256: 5680500ee4314a2e1104e633d001d3328d94eb75ead10d5655d03423b0256fa4 4698096 tor-dbgsym_0.3.5.16-1_s390x.deb 2ac975176e085fbf524fb8d9f27073dd08b6c55d933f80e1afcc55be46575efd 6868 tor_0.3.5.16-1_s390x-buildd.buildinfo 9c3eb808af0c5e1212bcf66f7f7600e8497580c346fb735399abe38572ae7f72 1685320 tor_0.3.5.16-1_s390x.deb Files: 4e594a5ec6289d37821274890e4b543a 4698096 debug optional tor-dbgsym_0.3.5.16-1_s390x.deb 202b1abf13e6d2ed02c37909238e3c3c 6868 net optional tor_0.3.5.16-1_s390x-buildd.buildinfo cdaea2d39e31b271fcf1a70236b829cd 1685320 net optional tor_0.3.5.16-1_s390x.deb -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEEojOFpcHXAua7nE2yC6cttUtB7SYFAmEjfIAACgkQC6cttUtB 7SZiWxAAheES+YrQXnOMdccpMBEtN0GluJYKepySczFsOUol68SGWtYwn/EXXXkM as0/n4cstCOT3wSmdkgvxa1WYdmGGyBFPNL7coE0IrmYmNpRmYJ/xJzbB4XnIdzU BsoE9AAfAdMpamd5s+H9/p9OkVbCXoxvGVZVSn7WK4gMLFQcRyYL2RkGFhWgE4iI jFVraKmJxRDDG6kzeTcHvd2USEytMcbJNcfWQAEilr1B3RkxCeqTInRwMvhpKef8 x4B8Wt6QBNGnEKNDqVSGaOCOyeAAoJaFw6g7xOIsmDt1EcgNidFnWfVCYwRrO8co Ykd+nTjzjvYMiebvy2IbHa46avpBGscmq4PIye7TAUFr4iEQvWm+RvZc5P39ScO1 5YIjsSKSJGlLzA+iprydaNf9qpSYXtLiBAfG7s/H3cDi2nbTm1H29FpC6yZdioGn Q4XmFbOL1xmrEAyvG7Ws+g86OyOomw9oUmsVEXleUubzn7Q96pttELulElkEkxTT 314AcxvShRc2EcI7IezLa8NMWimNJEWOmvs4OMLfBtudu7D8zWd3Qg36x55muoAf C8q44Yq8gKMiRbIU1gX2CAjQdy9RGLjMPcjrJ2K5S+rq22FwNZoe4NYiQtrQMH/0 wQmna0LgJ7gXMDUZWar3KdsUgcAQW+vSBCyxeztnaFJnT8IAqik= =syV9 -----END PGP SIGNATURE-----