Format: 1.8
Date: Mon, 23 Aug 2021 11:29:16 +0200
Source: tor
Binary: tor tor-dbgsym
Architecture: arm64
Version: 0.4.5.10-1~deb11u1
Distribution: bullseye-security
Urgency: medium
Maintainer: arm Build Daemon (arm-ubc-02)
Changed-By: Peter Palfrader
Description:
 tor - anonymizing overlay network for TCP
Changes:
 tor (0.4.5.10-1~deb11u1) bullseye-security; urgency=medium
 .
   * Upload fix for TROVE-2021-007/CVE-2021-38385 to bullseye:
     - Resolve an assertion failure caused by a behavior mismatch between our
       batch-signature verification code and our single-signature verification
       code. This assertion failure could be triggered remotely, leading to a
       denial of service attack. We fix this issue by disabling batch
       verification. Fixes bug 40078; bugfix on 0.2.6.1-alpha. This issue is
       also tracked as TROVE-2021-007 and CVE-2021-38385. Found by Henry de
       Valence.
Checksums-Sha1:
 128ca5eaf950e98e5d776345c15a4f7da07ca558 5196164 tor-dbgsym_0.4.5.10-1~deb11u1_arm64.deb
 cc7ce7d984ed589fac09d49f07987e012db6d0d8 7205 tor_0.4.5.10-1~deb11u1_arm64-buildd.buildinfo
 6bc22c44aa81f7bef069b80f1fef7137528b73a5 1931716 tor_0.4.5.10-1~deb11u1_arm64.deb
Checksums-Sha256:
 2746a2ce7ed3d95fa1cb4bf0d71e57d3f079b32ced79107384d7ad66d3177ced 5196164 tor-dbgsym_0.4.5.10-1~deb11u1_arm64.deb
 f0236b24cf4c7c532da58de8bb727d604df997a2011f3d514d6ff7da5b065915 7205 tor_0.4.5.10-1~deb11u1_arm64-buildd.buildinfo
 c4eee091442dc80c3bf8afabad5a814af11886e4373730f13661d725aca1f5ad 1931716 tor_0.4.5.10-1~deb11u1_arm64.deb
Files:
 4b9f91636d65a702ac769d9debd4d555 5196164 debug optional tor-dbgsym_0.4.5.10-1~deb11u1_arm64.deb
 d23c5cd8d4fda0a1e8f6c3131049c255 7205 net optional tor_0.4.5.10-1~deb11u1_arm64-buildd.buildinfo
 d369051f101dfb5a110ecdb0685e0603 1931716 net optional tor_0.4.5.10-1~deb11u1_arm64.deb