-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Format: 1.8 Date: Mon, 18 May 2026 20:33:38 +0200 Source: rsync Binary: rsync rsync-dbgsym Architecture: armel Version: 3.4.1+ds1-5+deb13u3 Distribution: trixie-security Urgency: high Maintainer: armel Build Daemon (arm-conova-02) Changed-By: Salvatore Bonaccorso Description: rsync - fast, versatile, remote (and local) file-copying tool Changes: rsync (3.4.1+ds1-5+deb13u3) trixie-security; urgency=high . * Non-maintainer upload by the Security Team. * Address several vulnerabilities - CVE-2026-29518: Symlink-race TOCTOU in daemon (use chroot = no) - CVE-2026-43617: Authorization bypass via hostname resolution (daemon chroot mode) - CVE-2026-43618: Integer overflow in compressed-token decoder (info disclosure) - CVE-2026-43619: Symlink-race conditions in path-based syscalls - CVE-2026-43620: Out-of-bounds array read in receiver recv_files() * d/t/upstream-tests: Build t_chmod_secure and t_secure_relpath Checksums-Sha1: bf3a831f1f4d5e6885e9022fc88693fb34ab532a 539664 rsync-dbgsym_3.4.1+ds1-5+deb13u3_armel.deb 5af0fb72cbc83af622e8eb25ab854f2e7a45acae 6606 rsync_3.4.1+ds1-5+deb13u3_armel-buildd.buildinfo 699eaa76a559c5734b6a2c200185b47d22b9f93a 407504 rsync_3.4.1+ds1-5+deb13u3_armel.deb Checksums-Sha256: 9c1fb9b927d5d233c3143df3a0c99ab3e66a1d487ba83ee6db7745c358219eb9 539664 rsync-dbgsym_3.4.1+ds1-5+deb13u3_armel.deb 561486a89ab3d03fa77285b38dbcf8860ddb5e8cd108cf8fab1364cc84d56519 6606 rsync_3.4.1+ds1-5+deb13u3_armel-buildd.buildinfo 1ca98afc417562ce41bedd19ae36865f17fe68364fee1bb1001009444dca3f9d 407504 rsync_3.4.1+ds1-5+deb13u3_armel.deb Files: 7ad355e58566fbf25694d50d0f3ea66f 539664 debug optional rsync-dbgsym_3.4.1+ds1-5+deb13u3_armel.deb 1e573824d05ae53697351a823b3b176f 6606 net optional rsync_3.4.1+ds1-5+deb13u3_armel-buildd.buildinfo 38576a6e670bcb5d5e2a8fecdab3ee44 407504 net optional rsync_3.4.1+ds1-5+deb13u3_armel.deb -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEEWHj9K9pO9l4btbD1OQKMdMnEH5MFAmoM2rkACgkQOQKMdMnE H5P9Jg/7Bay09YKHsaqNHB2jyeY1RUi66u0JKJBTlfMwP+pWZO+oHjtgpZiQTFcC DHbb8z/9L+AYbxPLUjg6xko6uqscOGesOBL7oJNVExcfTa99yRO/jyCVlYNjPO5i LxNEnPwOjVX+p0U84pCR6fvO07ZOYYNBT3PQQXlqu+HNcGkz1TK5mFeGACC0AaPT WzX7+Iu1FOoXWDPekh5CfGmzOrTvkSIE4Tv28Yfkt1tMCjv8SzCoN+wxMUE06qrv XTepRDQ5KwiAypfdJ5KqdpzYZ+642olRizyb5+5T4a0vIkCdUsGzg+HlqVEHtUsD lkxzR6oOEqIhhd88ed/saEh9apgs13tozYYL6ZQOSG2/dPyaT6gSva5dUVY4sLoX QLDSKQt0EjwqrHHF8uPSRGDE12irC93NpFlMbtTchnCzRYazkD0mS66ic31zZvNU R+1EetamNAw+rDFj1ltYDhG/JFIRuRgks6tZFrxCA7Zo6DXhfMsfRB4XFlIT7n3E tITxlnM5WAlwDQAvq8djHN+XVLg8j01NanB0YByW8/R+R/e3NizK4ZwAzGkF+sMY 5KhBu3PjYsF/axIwM/TmqA/32puzUMI9eTfGh2UWZY9XSaGCd38eIDnqFKkJVlkg lQbeXjpxYHhZV0FlM/euex7r32J/BrJp0X4vDvbPUw5aLRSjmxM= =EKBm -----END PGP SIGNATURE-----