Format: 1.8
Date: Mon, 23 Aug 2021 11:44:12 CEST
Source: tor
Architecture: source
Version: 0.4.5.10-1~deb11u1
Distribution: bullseye-security
Urgency: medium
Maintainer: Peter Palfrader
Changed-By: Peter Palfrader
Changes:
 tor (0.4.5.10-1~deb11u1) bullseye-security; urgency=medium
 .
   * Upload fix for TROVE-2021-007/CVE-2021-38385 to bullseye:
     - Resolve an assertion failure caused by a behavior mismatch between
       our batch-signature verification code and our single-signature
       verification code. This assertion failure could be triggered
       remotely, leading to a denial of service attack. We fix this issue
       by disabling batch verification. Fixes bug 40078; bugfix on
       0.2.6.1-alpha. This issue is also tracked as TROVE-2021-007 and
       CVE-2021-38385. Found by Henry de Valence.
Checksums-Sha256:
 95231d175beecfd897a973c984ce544849c12e062df2a81c9ae341478f21c473 2000 tor_0.4.5.10-1~deb11u1.dsc
 1c3cb7deb4bc6b0dda7d839b5de086b68551e9ead81e7a13ce68849d75f7a9f1 53294 tor_0.4.5.10-1~deb11u1.diff.gz
 8fe32222f8f2b4e65c6f50ac32eb4dfca59b8af71d0d16781f7ee5bec4c00743 7870323 tor_0.4.5.10.orig.tar.gz
Checksums-Sha1:
 16dc1d2ec416c97acdda643f32eed4bc3b479b16 2000 tor_0.4.5.10-1~deb11u1.dsc
 f6d7ffe2fb8c35a1ffc9be6d1dbf1acbdee3d3db 53294 tor_0.4.5.10-1~deb11u1.diff.gz
 289f4d35b742d376fb7e6a3b3d5ab0e265da0771 7870323 tor_0.4.5.10.orig.tar.gz
Files:
 ef8ec29d1fcbc14512bf714e8a9ff90a 2000 net optional tor_0.4.5.10-1~deb11u1.dsc
 95b680fc63c62454a8598f17fb622ecb 53294 net optional tor_0.4.5.10-1~deb11u1.diff.gz
 8b64b79f12f5debe3dc7efb5d75f8673 7870323 net optional tor_0.4.5.10.orig.tar.gz