-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Mon, 23 Aug 2021 11:59:12 +0200
Source: tor
Binary: tor tor-dbgsym
Architecture: amd64
Version: 0.3.5.16-1
Distribution: buster-security
Urgency: medium
Maintainer: amd64 / i386 Build Daemon (x86-csail-01)
Changed-By: Peter Palfrader
Description:
 tor - anonymizing overlay network for TCP
Changes:
 tor (0.3.5.16-1) buster-security; urgency=medium
 .
   * New upstream version. For a full list see the upstream changelog.
     It includes:
     - Resolve an assertion failure caused by a behavior mismatch between
       our batch-signature verification code and our single-signature
       verification code. This assertion failure could be triggered
       remotely, leading to a denial of service attack. We fix this issue
       by disabling batch verification. Fixes bug 40078; bugfix on
       0.2.6.1-alpha. This issue is also tracked as TROVE-2021-007 and
       CVE-2021-38385. Found by Henry de Valence.
Checksums-Sha1:
 a4f38b31618a04e43b5d7636a8e8ccf742791e1b 4877596 tor-dbgsym_0.3.5.16-1_amd64.deb
 55bc03652a8067bb238e862011b13c9031b11223 6977 tor_0.3.5.16-1_amd64-buildd.buildinfo
 3d9ef242b41ec749dbce82ca5eb2c781d46386b4 1807900 tor_0.3.5.16-1_amd64.deb
Checksums-Sha256:
 1f466d06424b460d88868dff286d3d94f8cecbbcf746c98cf7c303377b2a2b91 4877596 tor-dbgsym_0.3.5.16-1_amd64.deb
 60a76af6296433b4bfd49b356796f4492b8cda75e45a15f8ab4dcb2596ae6680 6977 tor_0.3.5.16-1_amd64-buildd.buildinfo
 468733b54b952e9f9edda29f5313940a29585dfb65fe3d0499e6d062b439d4e6 1807900 tor_0.3.5.16-1_amd64.deb
Files:
 63dfd231edfa3d40e088fa5030b74b66 4877596 debug optional tor-dbgsym_0.3.5.16-1_amd64.deb
 9f0f43199f132f43f2293564ef1ceb62 6977 net optional tor_0.3.5.16-1_amd64-buildd.buildinfo
 d390b3c96fd6dbb40452e865405b7025 1807900 net optional tor_0.3.5.16-1_amd64.deb

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----