Format: 1.8
Date: Mon, 18 May 2026 20:33:38 +0200
Source: rsync
Binary: rsync rsync-dbgsym
Architecture: armhf
Version: 3.4.1+ds1-5+deb13u3
Distribution: trixie-security
Urgency: high
Maintainer: armhf Build Daemon (arm-ubc-05)
Changed-By: Salvatore Bonaccorso
Description:
 rsync - fast, versatile, remote (and local) file-copying tool
Changes:
 rsync (3.4.1+ds1-5+deb13u3) trixie-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Address several vulnerabilities
     - CVE-2026-29518: Symlink-race TOCTOU in daemon (use chroot = no)
     - CVE-2026-43617: Authorization bypass via hostname resolution (daemon
       chroot mode)
     - CVE-2026-43618: Integer overflow in compressed-token decoder (info
       disclosure)
     - CVE-2026-43619: Symlink-race conditions in path-based syscalls
     - CVE-2026-43620: Out-of-bounds array read in receiver recv_files()
   * d/t/upstream-tests: Build t_chmod_secure and t_secure_relpath
Checksums-Sha1:
 8ae01cb74c15de1efafc9ec25ed3d3927ebdd66d 550388 rsync-dbgsym_3.4.1+ds1-5+deb13u3_armhf.deb
 5fd6e5705c55f5810b9375bbc60906ada91888ac 6620 rsync_3.4.1+ds1-5+deb13u3_armhf-buildd.buildinfo
 08c5e3cab765ff5a8e5ae9ef17b29887e79620e4 410356 rsync_3.4.1+ds1-5+deb13u3_armhf.deb
Checksums-Sha256:
 7e0e44258b0daa9465c926b8eef4e3f79cf12f442067d663a9e3bf7c2bf1608c 550388 rsync-dbgsym_3.4.1+ds1-5+deb13u3_armhf.deb
 c321eb106b2c6fd494f2a40d6c143f1099f19a9ef5f888aa8d680714559ee251 6620 rsync_3.4.1+ds1-5+deb13u3_armhf-buildd.buildinfo
 6e9459a20a4c4cbc33d56a762f4c48c18fc8a1d39bb4034387ff28bcda4ad3d7 410356 rsync_3.4.1+ds1-5+deb13u3_armhf.deb
Files:
 7ef10a3583c6c542b07de1fa575e8b9c 550388 debug optional rsync-dbgsym_3.4.1+ds1-5+deb13u3_armhf.deb
 4cb7e74e4af864b7d3fb5de5759590a0 6620 net optional rsync_3.4.1+ds1-5+deb13u3_armhf-buildd.buildinfo
 0b91600398830f74da3678c9213d0aa4 410356 net optional rsync_3.4.1+ds1-5+deb13u3_armhf.deb