-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Wed, 20 May 2026 08:10:17 +0200
Source: rsync
Binary: rsync rsync-dbgsym
Architecture: armhf
Version: 3.2.7-1+deb12u5
Distribution: bookworm-security
Urgency: high
Maintainer: armhf Build Daemon (arm-ubc-06) <buildd_arm64-arm-ubc-06@buildd.debian.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Description:
 rsync      - fast, versatile, remote (and local) file-copying tool
Changes:
 rsync (3.2.7-1+deb12u5) bookworm-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Address several vulnerabilities
     - CVE-2026-29518: Symlink-race TOCTOU in daemon (use chroot = no)
     - CVE-2026-43617: Authorization bypass via hostname resolution (daemon
       chroot mode)
     - CVE-2026-43618: Integer overflow in compressed-token decoder (info
       disclosure)
     - CVE-2026-43619: Symlink-race conditions in path-based syscalls
     - CVE-2026-43620: Out-of-bounds array read in receiver recv_files()
   * d/t/upstream-tests: Build t_chmod_secure and t_secure_relpath
   * Fix relative paths in aclocal.m4 copy upstream for
     m4/{have_type,header_major_fixed,socklen_t}.m4
Checksums-Sha1:
 d5715d9b5af9edd4854d76f7783f140e8ab8fd78 533956 rsync-dbgsym_3.2.7-1+deb12u5_armhf.deb
 adb5fa180639ec0a5bd0214d4db807018860b18f 6945 rsync_3.2.7-1+deb12u5_armhf-buildd.buildinfo
 ad8934f60786e0d82fdde10be58e008040f8dc7c 400940 rsync_3.2.7-1+deb12u5_armhf.deb
Checksums-Sha256:
 8871b397b7f2ebfc7a660cefc986986911ecda058be2dc277402f9b4cfa3dc6b 533956 rsync-dbgsym_3.2.7-1+deb12u5_armhf.deb
 d0945bc971316d359ec726494f77f5fa2c92fdf6a419322da86c01e86609df75 6945 rsync_3.2.7-1+deb12u5_armhf-buildd.buildinfo
 238e154a94ca24db4ca39516c65d565d0d5b0461bd7331835b78189a3145e486 400940 rsync_3.2.7-1+deb12u5_armhf.deb
Files:
 e01a6b0c909fc7bf691533eda9943957 533956 debug optional rsync-dbgsym_3.2.7-1+deb12u5_armhf.deb
 e80a2b72fa5e313ad8180569010b7d6e 6945 net optional rsync_3.2.7-1+deb12u5_armhf-buildd.buildinfo
 49286a608b97c338cb3e442791bb1ed1 400940 net optional rsync_3.2.7-1+deb12u5_armhf.deb

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEBOUsBrtd5lcy6oRfutMAkCxKbL0FAmoNYtIACgkQutMAkCxK
bL156A//cbphgk0QRmEeFAbsq2BQFzXZWNZFgaAhVBJWgXU6AYyJ+z1Sk2pXA877
IXFnDoxx4CAnaYdz/9AKYjd2nz4XCCevyDWEiNoYFaM42ucy6xvoOVFmW1ecx4E3
Lexw9FL7TeMpItvGkNB+4haPVjTFw2fSUx21IJnfjlk8KIpmg6gCPSDKbKflAFS4
LDrj5sXijR97H1BvgTGcI8hcveP8IQYVqd+COcRozqfCrYJRC+CUD8Su7haFQzdN
heBkKAXC7wZ2w3UALk6IxjwLZd/VjOITsMhHb02mgnTAxlY/aBap5U8pqjBJItH1
EYBm2c14plV11kMYypPb/+mxvtyDX+SfZRGmpoQhRhfhzstFG9uirwdxqLfFHsxq
p/N9nZpaxUymrnBYJt/jzJHduFp4+Rumwc+rc4RC8zuguHTR51rf1aW9cxs67bl7
yNUPmhoHRSKhlTbcYYgffbJwoXjwTqU5+fDV2tG8YTVLYNII3StHejTr6FSfJnru
Yvlyb8eyxH/qI0GhY4LulzOb+mXCSpMkDmngkppUVTDgRPMOPHo6gopIRObudi7e
p1vNGI+vDgTfl2NalZyxu1cQzLyEQ/SwkIpisqnbOZ5mJ7fIncl1/jUYQABkljgW
5hqPOWZU50xIeZfi4ziTY1HaXE2VkfKm3ADTfHoone30zh3l0q4=
=ISa3
-----END PGP SIGNATURE-----