-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Mon, 18 May 2026 20:33:38 +0200
Source: rsync
Binary: rsync rsync-dbgsym
Architecture: amd64
Version: 3.4.1+ds1-5+deb13u3
Distribution: trixie-security
Urgency: high
Maintainer: all / amd64 / i386 Build Daemon (x86-grnet-03) <buildd_amd64-x86-grnet-03@buildd.debian.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Description:
 rsync      - fast, versatile, remote (and local) file-copying tool
Changes:
 rsync (3.4.1+ds1-5+deb13u3) trixie-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Address several vulnerabilities
     - CVE-2026-29518: Symlink-race TOCTOU in daemon (use chroot = no)
     - CVE-2026-43617: Authorization bypass via hostname resolution (daemon
       chroot mode)
     - CVE-2026-43618: Integer overflow in compressed-token decoder (info
       disclosure)
     - CVE-2026-43619: Symlink-race conditions in path-based syscalls
     - CVE-2026-43620: Out-of-bounds array read in receiver recv_files()
   * d/t/upstream-tests: Build t_chmod_secure and t_secure_relpath
Checksums-Sha1:
 a7c58991c89731a04f0c7832fa04b4b99f0c0dcd 553364 rsync-dbgsym_3.4.1+ds1-5+deb13u3_amd64.deb
 2f2b8aaf059c943f59866a7637ba961aca2f8b5e 6754 rsync_3.4.1+ds1-5+deb13u3_amd64-buildd.buildinfo
 7cb1fc9b7fed9a2b1ac949a8a3a0789f1ba7f595 432964 rsync_3.4.1+ds1-5+deb13u3_amd64.deb
Checksums-Sha256:
 54393ab37fbe28010aff181cc32b6d4a9a5c811a99bcd4c45afee7695aae0297 553364 rsync-dbgsym_3.4.1+ds1-5+deb13u3_amd64.deb
 07c3e2df1aa27060085ccfdf7378ae4c3467cf20d2c8a8063c6cb426d86a5ae7 6754 rsync_3.4.1+ds1-5+deb13u3_amd64-buildd.buildinfo
 fee3fa3b5924cc7e0964603945e0edfd63b7f29fc3cd4cf7613ad970e05a55be 432964 rsync_3.4.1+ds1-5+deb13u3_amd64.deb
Files:
 1f326daa8f6f20ff23afd7dadaf19581 553364 debug optional rsync-dbgsym_3.4.1+ds1-5+deb13u3_amd64.deb
 6f57e89cccd37fd2823ad751a9f1ba0c 6754 net optional rsync_3.4.1+ds1-5+deb13u3_amd64-buildd.buildinfo
 ae38ddc1d451d5b6fc746bfad0f2cc12 432964 net optional rsync_3.4.1+ds1-5+deb13u3_amd64.deb

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEE5ZI1lXv5WjhHIVjsN8Ugyu9dQiQFAmoM2roACgkQN8Ugyu9d
QiQ86w//cE49p+LZCzCHAUJWtODJ/2gB56W7BAjoKb+KiUKQpXCLqgG8kYb8dGEz
TwJR4hPELVz9hFtiU3xLXz2mDsPcuzw7OVHdh8Gfl2w3210oNBhQJgQ1rfWRjBLK
zJqoqmhLsR45TORtih6IUiagzKHvoS+k8HwsCdiRzJBHZKMhiPvJCZLJ7a8ob0wa
SwXnZdHjYGD5XKWeLljfTg0qF4zKXGQOfGrsvQyxvnXAunsplhkHjK0qVx6Q3IUo
qZWXsOQ3oEALdYJtB3J3c7p/zGf8JTI26nPoKy0jvvEGkIE7bSz5vXY4zL7zV2ia
pE+rw8boGctvila6EA2UxbTo6GULoxRgdovxuKI59d2B/Y7V6a3wrRfM4nsy7iRb
/s/LCa+wNjuOJlyaEIMFG+TaQVMQN8FCYbOB6Re6N/Rc+G3eK2+G9AI3/fAg/aa1
N61i0BJuoE2IFDc9NcIxubofSUwSD8VZOAjsc454NNMVW7VOO4Vxt8hwItEDHdCc
CcGY9wYD7EZBgadeyg8tG7ILTUfa36AIoqEpK57mxMg9M/KlgZg40i9883l20ucr
wO330SiQVoXiKmTH+AkcqfJC1jEsFGDA6N75tPiswpYNe8lf1W3fKiSSYOav3+mz
DQV0bGjdRKCM3V7GND2k7h8ZyHUnYt6919b/yYtJQlGFZOHDGDA=
=0OpQ
-----END PGP SIGNATURE-----