-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Format: 1.8 Date: Mon, 23 Aug 2021 11:29:16 +0200 Source: tor Binary: tor tor-dbgsym Architecture: ppc64el Version: 0.4.5.10-1~deb11u1 Distribution: bullseye-security Urgency: medium Maintainer: ppc64el Build Daemon (ppc64el-osuosl-01) Changed-By: Peter Palfrader Description: tor - anonymizing overlay network for TCP Changes: tor (0.4.5.10-1~deb11u1) bullseye-security; urgency=medium . * Upload fix for TROVE-2021-007/CVE-2021-38385 to bullseye: - Resolve an assertion failure caused by a behavior mismatch between our batch-signature verification code and our single-signature verification code. This assertion failure could be triggered remotely, leading to a denial of service attack. We fix this issue by disabling batch verification. Fixes bug 40078; bugfix on 0.2.6.1-alpha. This issue is also tracked as TROVE-2021-007 and CVE-2021-38385. Found by Henry de Valence. Checksums-Sha1: 8bd3170e372441519b9e07bff87edcaffd4af4f2 5365248 tor-dbgsym_0.4.5.10-1~deb11u1_ppc64el.deb 1673dd877ebe10d5e91a7c798282b62c2a40658d 7275 tor_0.4.5.10-1~deb11u1_ppc64el-buildd.buildinfo b828944c242200159139e653de9aa3489ef7d153 2080576 tor_0.4.5.10-1~deb11u1_ppc64el.deb Checksums-Sha256: 0347e98202bd773a828f48b870671f4b1830c08705c883ea871f9454bc721aeb 5365248 tor-dbgsym_0.4.5.10-1~deb11u1_ppc64el.deb 758fd8514f0c6b38e2dfad002f08673dea57d23d214a88fe79865ef8378b6760 7275 tor_0.4.5.10-1~deb11u1_ppc64el-buildd.buildinfo 3c4493d3a15691bfb86006f334272d4a15c1a71ab205be186b5b08ff332eeaef 2080576 tor_0.4.5.10-1~deb11u1_ppc64el.deb Files: fec34e0083c053a3bda2cd45a7835e6f 5365248 debug optional tor-dbgsym_0.4.5.10-1~deb11u1_ppc64el.deb 3f8942a6cf22d7e78caff66e5614dc63 7275 net optional tor_0.4.5.10-1~deb11u1_ppc64el-buildd.buildinfo 516840eee2902ec97fcad05a9ac96fcf 2080576 net optional tor_0.4.5.10-1~deb11u1_ppc64el.deb -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEEzxcBZLbWYROS8SGLQ0vh8H8HxvwFAmEjd3sACgkQQ0vh8H8H xvy8fw//YB1vGUucJLjhcXrCruRRWR7zrNxDpWVL9/h5DLIOAkCP5uUaCjwPQVX9 N/sLzG1dgiLtQg3nmL7tFu8G6xgfUImEPZs8PbjbibvoFG6o99UyDnKo8VP6H6da 2uuo4UWxgH356L9ZynYCzBf4huIUwRMlUljrg0xsFscgsKlRj/7+U9wrR6DiMAwQ E0NUMDItQ7r8s+dk/y6A9Iu38nXXkhRTJ4kYeTsUBEtkcDq5GFRZdzsBmfVTcPfD zbMsD/uw+7gYEfL3Z08xsg5KhDqozMXqcH9iC71q8IDrBsH/UEcYOOHN7Wxt5sk2 i7m8QTR1+uuev/5pgdUGKjaPeB5nr/bh7xmPmSeP8Luf1H4OHamBJ/HsvxfP8VFk kbaC7iqYh+NPN/r9TLulCo9Ys2La5dm74P0D330tg4d1gQ7uKd30eWbbJTCWOVf4 CnxY/F5oBfdM9VF9AI/hDsVSvgVdjHDbj6x9dVTZPrjFpBgPP2vFrqL8ANtCWJ5x uBWyhiKoHehJLrX0ruBV8/zxW672jFIoLys0wnO8nNItVZhKac83jxiClbLxgbK/ VyuIkHKVoWPgWW7YIV/fa80tBT4jJYI/DvdLPGhYgt+TTfnbW+aPbJspIURGEyWi 17lBWT3DC5ibNJstYkTYa9NLjTa7PgohHoaJFWVfQHOSjGm8nbI= =u0p1 -----END PGP SIGNATURE-----