Format: 1.8
Date: Mon, 23 Aug 2021 11:29:16 +0200
Source: tor
Binary: tor tor-dbgsym
Architecture: armel
Version: 0.4.5.10-1~deb11u1
Distribution: bullseye-security
Urgency: medium
Maintainer: armel Build Daemon (hasse)
Changed-By: Peter Palfrader
Description:
 tor - anonymizing overlay network for TCP
Changes:
 tor (0.4.5.10-1~deb11u1) bullseye-security; urgency=medium
 .
   * Upload fix for TROVE-2021-007/CVE-2021-38385 to bullseye:
     - Resolve an assertion failure caused by a behavior mismatch between our
       batch-signature verification code and our single-signature
       verification code. This assertion failure could be triggered remotely,
       leading to a denial of service attack. We fix this issue by disabling
       batch verification. Fixes bug 40078; bugfix on 0.2.6.1-alpha. This
       issue is also tracked as TROVE-2021-007 and CVE-2021-38385. Found by
       Henry de Valence.