-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Mon, 18 May 2026 20:33:38 +0200
Source: rsync
Binary: rsync rsync-dbgsym
Architecture: arm64
Version: 3.4.1+ds1-5+deb13u3
Distribution: trixie-security
Urgency: high
Maintainer: arm64 Build Daemon (arm-conova-04) <buildd_arm64-arm-conova-04@buildd.debian.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Description:
 rsync      - fast, versatile, remote (and local) file-copying tool
Changes:
 rsync (3.4.1+ds1-5+deb13u3) trixie-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Address several vulnerabilities
     - CVE-2026-29518: Symlink-race TOCTOU in daemon (use chroot = no)
     - CVE-2026-43617: Authorization bypass via hostname resolution (daemon
       chroot mode)
     - CVE-2026-43618: Integer overflow in compressed-token decoder (info
       disclosure)
     - CVE-2026-43619: Symlink-race conditions in path-based syscalls
     - CVE-2026-43620: Out-of-bounds array read in receiver recv_files()
   * d/t/upstream-tests: Build t_chmod_secure and t_secure_relpath
Checksums-Sha1:
 f782fb6d130209d0d11dfd650e8b1070fa99f3e6 547776 rsync-dbgsym_3.4.1+ds1-5+deb13u3_arm64.deb
 6752e30d7d4b07677baf4802274833c5a4dd919e 6738 rsync_3.4.1+ds1-5+deb13u3_arm64-buildd.buildinfo
 71dfae506ceab835060660fa56eeff819f008a57 414060 rsync_3.4.1+ds1-5+deb13u3_arm64.deb
Checksums-Sha256:
 0945acc6eb7049f765b1210be5a55b7d5d86bdf4232d9bc81a813fbebd006d15 547776 rsync-dbgsym_3.4.1+ds1-5+deb13u3_arm64.deb
 120df6ecc9b9125724cf6772555d9385bd320d04033f961673c2e7b2f34b7846 6738 rsync_3.4.1+ds1-5+deb13u3_arm64-buildd.buildinfo
 172d2fdf663842132654c866ce7863277c79486cd81766fa855ff9581c85f806 414060 rsync_3.4.1+ds1-5+deb13u3_arm64.deb
Files:
 f0da6f31727069b12fb2ba71e7f7b571 547776 debug optional rsync-dbgsym_3.4.1+ds1-5+deb13u3_arm64.deb
 f2db97849d3d0b2ccb2b782c49c7be5d 6738 net optional rsync_3.4.1+ds1-5+deb13u3_arm64-buildd.buildinfo
 9614695e969174eba14a76dc0ad99605 414060 net optional rsync_3.4.1+ds1-5+deb13u3_arm64.deb

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEYxmcRLDHP0tCCM0oScpU3dYulLgFAmoM2qQACgkQScpU3dYu
lLhKGg//frL3jnDr3t/Uew3xGBGw+5CyWjT61ab9Db3IxzPGhKLp9NIH123M83y3
DB0qGpntrLqdYx0ve8oe+mBtgr/0B5rRwEty5zkF9v51E3SJtU9jfmP/uaT0zyIv
36Ffw6KNkWNCV0biSpj1P+QPVL31BEhzS5h7KsHLTOu9QrEr97Ri8AsSZSVRB3Vd
ZSmOUwNAGbS2YR6i7rQT3c92/monxrrgnbgUDLps1JRLRwQfYegqqvLaGxz2CsHN
5bBruMPxyKXp8klHH2JlSF659EkObMCBGohuDPrD5ULLQ943YDfKn0L093nCsf8F
0vj40SbnhadwA3JJ7h62tuWjR1HLmitf6DLPPccX8lGdlgFRbMtR8o/l6oaW944D
OWVq96BAOe6lsfeY/B34ZbGUmGClstwBMnpd2l19O9qQ5O8a5vHaOBHt1rCgVZ7Q
K9k+mN2eBKC551P9xY4YSpUA0nHHh+jHJchaihn5gGtaEIdDbsur43l8gziuZEh1
0nxi1tX5KOePxjOSM9TRp6DuQnKichc6BPWBGceJikaFKDELqeaMIQtko+gXGFLy
Lp1Mx+sPKS19DSAzPa8h1jbuda4EeokY86pmBiTxG7Hr4yy/Z4lZ3EDBkTR5Slgf
fdu84GIkXEv14B8A/N7MTrjfpuQ/uzIx2QGCL6eoaRsXtgsCHls=
=4HD2
-----END PGP SIGNATURE-----