-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Mon, 18 May 2026 20:33:38 +0200
Source: rsync
Binary: rsync rsync-dbgsym
Architecture: i386
Version: 3.4.1+ds1-5+deb13u3
Distribution: trixie-security
Urgency: high
Maintainer: amd64 / i386 Build Daemon (x86-ubc-01) <buildd_amd64-x86-ubc-01@buildd.debian.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Description:
 rsync      - fast, versatile, remote (and local) file-copying tool
Changes:
 rsync (3.4.1+ds1-5+deb13u3) trixie-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Address several vulnerabilities
     - CVE-2026-29518: Symlink-race TOCTOU in daemon (use chroot = no)
     - CVE-2026-43617: Authorization bypass via hostname resolution (daemon
       chroot mode)
     - CVE-2026-43618: Integer overflow in compressed-token decoder (info
       disclosure)
     - CVE-2026-43619: Symlink-race conditions in path-based syscalls
     - CVE-2026-43620: Out-of-bounds array read in receiver recv_files()
   * d/t/upstream-tests: Build t_chmod_secure and t_secure_relpath
Checksums-Sha1:
 30059be565ad5c4620ebda08eb94db160ca6f51f 485716 rsync-dbgsym_3.4.1+ds1-5+deb13u3_i386.deb
 10f36f5499bafe37de0c81e6e84d89c6d168b0aa 6655 rsync_3.4.1+ds1-5+deb13u3_i386-buildd.buildinfo
 6b5b82ba323872fca7d8629ae81c7efefefaca87 442200 rsync_3.4.1+ds1-5+deb13u3_i386.deb
Checksums-Sha256:
 c2b26393069cebe32c189c8a2846742dd064030eb00755698eeba42bfe35c267 485716 rsync-dbgsym_3.4.1+ds1-5+deb13u3_i386.deb
 ecf3e9f0d10a2c62507d3d5f5b6b43fb932270784674b12ab74a2d95d4d0a720 6655 rsync_3.4.1+ds1-5+deb13u3_i386-buildd.buildinfo
 01aef32ce60d27c578432c49058412e0f94da824553330adb247550fc945a53a 442200 rsync_3.4.1+ds1-5+deb13u3_i386.deb
Files:
 075bd334eeb78785b2f9beb279253137 485716 debug optional rsync-dbgsym_3.4.1+ds1-5+deb13u3_i386.deb
 714365bc42bdef5843228eae14ba27f1 6655 net optional rsync_3.4.1+ds1-5+deb13u3_i386-buildd.buildinfo
 8120fa9e742cc4bb676ba7161e4f5da4 442200 net optional rsync_3.4.1+ds1-5+deb13u3_i386.deb

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEmtr4KUMaso2EQ6NrTwt/65ON6zcFAmoM2s4ACgkQTwt/65ON
6zcq9g/+LadrWIi0P0WCyIdkydZchAr/90WMk4HZYMtcS97b2hk/zdLyymJcl1Dl
54yVaocABK2bITlmqUXQLuE8L3DhyHJyVCVDsPzyINJABXDkxzJ/dkl9EXi8YYTD
dA3nWZJIrNL7qYgrylmFXInMLQYCzp5Vn0lt0QLNba3a6pSCx8BOEcMMByXscs56
tyTkBAU2e3tawbPVssNnrMyUijjrcH0+wwa4CKMuhi2DYN0x0xNGg0bPDKRVBe2G
Gv3RPrnaiwepHpKecjV6CuKfZEABYqL15oyvoIrJsjIXjf8I31ek4R4pb+Bc9591
6xGsgg4GSIiCGO82ptmQgL8ue0TwRq26sJot6AiP4l6BwwUoWPj98k6AxbVR9YMZ
0OvGeKus5bCw7DOJ63MCOnIZKIKBPimLFlrY93NKz4fM9zPTt8fcl5yzJNZPLsn3
Xfccl9rNH08vNjURkKFAqAglN4GKhG4RztCqO4wUAHd++b1jLbd/Zo4RBBAhPI1W
sH9bZ91ocx4Ljzhy2Yof+3r5S8pOIHJKOlFNVdg2OYPEf6dfqgQAFyoLk8nFxDQu
Af7b0dymc8RUpfOwMDOoMT672gpOlMDLZn10fP2ScwpLerxiJxLRnSPMJMS37rlc
8yp9qrmcKYaUyTMnZquKlh4Jb01fADvyeu55wybv1xRpOZE10c0=
=UXie
-----END PGP SIGNATURE-----