-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Mon, 18 May 2026 20:33:38 +0200
Source: rsync
Binary: rsync rsync-dbgsym
Architecture: s390x
Version: 3.4.1+ds1-5+deb13u3
Distribution: trixie-security
Urgency: high
Maintainer: s390x Build Daemon (ziehrer) <buildd_s390x-ziehrer@buildd.debian.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Description:
 rsync      - fast, versatile, remote (and local) file-copying tool
Changes:
 rsync (3.4.1+ds1-5+deb13u3) trixie-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Address several vulnerabilities
     - CVE-2026-29518: Symlink-race TOCTOU in daemon (use chroot = no)
     - CVE-2026-43617: Authorization bypass via hostname resolution (daemon
       chroot mode)
     - CVE-2026-43618: Integer overflow in compressed-token decoder (info
       disclosure)
     - CVE-2026-43619: Symlink-race conditions in path-based syscalls
     - CVE-2026-43620: Out-of-bounds array read in receiver recv_files()
   * d/t/upstream-tests: Build t_chmod_secure and t_secure_relpath
Checksums-Sha1:
 814d0b14b71216a9e379961135c76e06982563bc 548096 rsync-dbgsym_3.4.1+ds1-5+deb13u3_s390x.deb
 55c260e8551d1639b21df06c2455ffbe6b2a32ed 6616 rsync_3.4.1+ds1-5+deb13u3_s390x-buildd.buildinfo
 56fcae0fd870e7719095bdc2fc486259a51d6965 429104 rsync_3.4.1+ds1-5+deb13u3_s390x.deb
Checksums-Sha256:
 5a20e942446dd37a749863d129bd8ff5b2f4564733df33dfee4e5d9842b0058e 548096 rsync-dbgsym_3.4.1+ds1-5+deb13u3_s390x.deb
 e72bae403202164c6068965ae0660f29cacfc03f1a9f532819d7bc29ca7e7a30 6616 rsync_3.4.1+ds1-5+deb13u3_s390x-buildd.buildinfo
 3fcb53fc7ad16212afcf16a154f94dc36e0875ed00758494e772b4c60014c0f3 429104 rsync_3.4.1+ds1-5+deb13u3_s390x.deb
Files:
 19152a807d5e4d2fc4cc041eb64939e8 548096 debug optional rsync-dbgsym_3.4.1+ds1-5+deb13u3_s390x.deb
 cc12783a91a9c7a8906c378fd4699b7a 6616 net optional rsync_3.4.1+ds1-5+deb13u3_s390x-buildd.buildinfo
 536c2b37afb8dfe624718f8168cbd0b5 429104 net optional rsync_3.4.1+ds1-5+deb13u3_s390x.deb

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEl0BM/nR+Oj597wRWMWUFebkHnoQFAmoM2m0ACgkQMWUFebkH
noR7TA//UfPEsEwcTuln7hNMYus18uQ2nnoCF4k6x+jP7tE3HZ4F4EXQuaKVEpYP
FPauNxrXcQZqa6yULJWzlNld8kTa0cIQAG602/zf9i3xNDpJIO45SvDsFxFjwvXC
x4gAIdtd+coq7P/dgR5y8IM3WxoNqllnaJz6hy8rq3b/Am6zo9e6Th0AyLwWOAZc
HTiZ5v2wsrnh5a8ln1qDGzGAAK4JKSjNn0I4AjasyQw0Ix1D68KTVxgi8mP6Grl3
vvRfWyaYap/7XdNbyYFIRD2nbZ42Evhw80cvavPGyAEeUIAFzz/HoQkHx473BRY0
3J48QDAywnoyz09mFzWN5TMQNFKK9nIAST/xlwwtU7iNGGqLAjGwNP0W0WMcNU+e
0MM0BTbnFZhfGgQUeH0k2dyt0ui/awxMAJ5f3sTldMG11AVLxIKyxt6ZgT5WMQYK
q/9cqegguXlJBDgQt1SLy+7Lw7lY2vzo7R8c22vpot4Fp1nVDJA2stgpkRviSIzM
zbvAt4lXTwHRSlhDTA162CRa4u36cq38NUR7XJ6w+XoLHDSBFTVj7JJ0JFL+/mnu
3pw2ln2pBtyOemqrL4bPx0mUH4iBrK7s/5sL29EFA+HF8WqZx8V5fzGzZlKuovx5
Rzcsg+WgWofigmBEZ6Kc30B7DGNQyccagPPR3WbFQ0/qUQcgi2o=
=mLcF
-----END PGP SIGNATURE-----