Format: 1.8
Date: Mon, 23 Aug 2021 11:29:16 +0200
Source: tor
Binary: tor tor-dbgsym
Architecture: i386
Version: 0.4.5.10-1~deb11u1
Distribution: bullseye-security
Urgency: medium
Maintainer: amd64 / i386 Build Daemon (x86-ubc-02)
Changed-By: Peter Palfrader
Description:
 tor - anonymizing overlay network for TCP
Changes:
 tor (0.4.5.10-1~deb11u1) bullseye-security; urgency=medium
 .
   * Upload fix for TROVE-2021-007/CVE-2021-38385 to bullseye:
     - Resolve an assertion failure caused by a behavior mismatch between our
       batch-signature verification code and our single-signature verification
       code. This assertion failure could be triggered remotely, leading to a
       denial of service attack. We fix this issue by disabling batch
       verification. Fixes bug 40078; bugfix on 0.2.6.1-alpha. This issue is
       also tracked as TROVE-2021-007 and CVE-2021-38385. Found by Henry de
       Valence.
Checksums-Sha1:
 3488b33638cf79099efb5703f50cbd47b14c1404 4492804 tor-dbgsym_0.4.5.10-1~deb11u1_i386.deb
 82b0fdc248cd837fe1aa1650bd807c17616fe854 7225 tor_0.4.5.10-1~deb11u1_i386-buildd.buildinfo
 f8669d155b7411627454d10b75d62a5dde959a80 2092052 tor_0.4.5.10-1~deb11u1_i386.deb
Checksums-Sha256:
 4e7553615c4f30cc1d7d2bf290b7dd87d8d3eeabebc4fd209ad284ed571ed0c8 4492804 tor-dbgsym_0.4.5.10-1~deb11u1_i386.deb
 fd79a25cb8de5df2ebb36e49940341e58a45d051dabffab330d32df7d486ac36 7225 tor_0.4.5.10-1~deb11u1_i386-buildd.buildinfo
 e36fc768539b4b095d6b55566bbea2de4aa46242e06836e5b8bb046323fd9438 2092052 tor_0.4.5.10-1~deb11u1_i386.deb
Files:
 ddbe60149aa60e786e1959352d602af2 4492804 debug optional tor-dbgsym_0.4.5.10-1~deb11u1_i386.deb
 b557472cd3b62e896f41351363c5eb09 7225 net optional tor_0.4.5.10-1~deb11u1_i386-buildd.buildinfo
 e383a108db932629854ae913dcbd62ae 2092052 net optional tor_0.4.5.10-1~deb11u1_i386.deb