-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Wed, 20 May 2026 08:10:17 +0200
Source: rsync
Architecture: source
Version: 3.2.7-1+deb12u5
Distribution: bookworm-security
Urgency: high
Maintainer: Paul Slootman <paul@debian.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Changes:
 rsync (3.2.7-1+deb12u5) bookworm-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Address several vulnerabilities
     - CVE-2026-29518: Symlink-race TOCTOU in daemon (use chroot = no)
     - CVE-2026-43617: Authorization bypass via hostname resolution (daemon
       chroot mode)
     - CVE-2026-43618: Integer overflow in compressed-token decoder (info
       disclosure)
     - CVE-2026-43619: Symlink-race conditions in path-based syscalls
     - CVE-2026-43620: Out-of-bounds array read in receiver recv_files()
   * d/t/upstream-tests: Build t_chmod_secure and t_secure_relpath
   * Fix relative paths in aclocal.m4 copy upstream for
     m4/{have_type,header_major_fixed,socklen_t}.m4
Checksums-Sha1:
fea3c00dfe788afa98baa333aaf046f7145dfd96 2556 rsync_3.2.7-1+deb12u5.dsc
3cb7d490300764b5b666a009c671ddfe588ceda7 99476 rsync_3.2.7-1+deb12u5.debian.tar.xz
398089896ee158b5dec3cade63be4446a4b0c930 6809 rsync_3.2.7-1+deb12u5_source.buildinfo
Checksums-Sha256:
c41380342e40579738251f538868a5d0c09134010f176d2d11b05e353f95b950 2556 rsync_3.2.7-1+deb12u5.dsc
cc31f8e90ff3e9f4553b501c3e2dec4b6b9017f189bbafdc2366d71fc783d5b3 99476 rsync_3.2.7-1+deb12u5.debian.tar.xz
e5a7757608f6a9dc1b7f7b48ee01897dd4517c5589433ee61b9b9d99ad36c2c3 6809 rsync_3.2.7-1+deb12u5_source.buildinfo
Files:
4e9a474d80f22b279bc23711377618ec 2556 net optional rsync_3.2.7-1+deb12u5.dsc
8b84b28b53e12325e56dba1e8fc15c2f 99476 net optional rsync_3.2.7-1+deb12u5.debian.tar.xz
45f3f73e1024aeb16d4f1f3f07faf4c0 6809 net optional rsync_3.2.7-1+deb12u5_source.buildinfo
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----