Format: 1.8
Date: Mon, 23 Aug 2021 11:29:16 +0200
Source: tor
Binary: tor tor-dbgsym
Architecture: amd64
Version: 0.4.5.10-1~deb11u1
Distribution: bullseye-security
Urgency: medium
Maintainer: amd64 Build Daemon (x86-grnet-01)
Changed-By: Peter Palfrader
Description:
 tor - anonymizing overlay network for TCP
Changes:
 tor (0.4.5.10-1~deb11u1) bullseye-security; urgency=medium
 .
   * Upload fix for TROVE-2021-007/CVE-2021-38385 to bullseye:
     - Resolve an assertion failure caused by a behavior mismatch between
       our batch-signature verification code and our single-signature
       verification code. This assertion failure could be triggered
       remotely, leading to a denial of service attack. We fix this issue
       by disabling batch verification. Fixes bug 40078; bugfix on
       0.2.6.1-alpha. This issue is also tracked as TROVE-2021-007 and
       CVE-2021-38385. Found by Henry de Valence.