Debian Package Tracker

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
To: <>
Subject: Accepted rsync 3.4.1+ds1-5+deb13u3 (source) into stable-security
Date: Wed, 20 May 2026 13:13:57 +0000
Signed by: Salvatore Bonaccorso <carnil@debian.org>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Mon, 18 May 2026 20:33:38 +0200
Source: rsync
Architecture: source
Version: 3.4.1+ds1-5+deb13u3
Distribution: trixie-security
Urgency: high
Maintainer: Samuel Henrique <samueloph@debian.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Changes:
 rsync (3.4.1+ds1-5+deb13u3) trixie-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Address several vulnerabilities
     - CVE-2026-29518: Symlink-race TOCTOU in daemon (use chroot = no)
     - CVE-2026-43617: Authorization bypass via hostname resolution (daemon
       chroot mode)
     - CVE-2026-43618: Integer overflow in compressed-token decoder (info
       disclosure)
     - CVE-2026-43619: Symlink-race conditions in path-based syscalls
     - CVE-2026-43620: Out-of-bounds array read in receiver recv_files()
   * d/t/upstream-tests: Build t_chmod_secure and t_secure_relpath
Checksums-Sha1:
 fed005bb705f99431c388556911bf6885fbe6a0f 2379 rsync_3.4.1+ds1-5+deb13u3.dsc
 0afa2bd51aad7d236910c4144aa01963cdb4eb3a 646840 rsync_3.4.1+ds1.orig.tar.xz
 b1b63be19fd2f84886489e7d3fb9ccdba57ea9d5 88284 rsync_3.4.1+ds1-5+deb13u3.debian.tar.xz
 f5de26e4442e94981e0aa4a1726cd7bd01653f1c 6825 rsync_3.4.1+ds1-5+deb13u3_source.buildinfo
Checksums-Sha256:
 34ff65b88f32742174616e5b5e4b4ca8d0e0a90aa20b7ab446344062baab0b12 2379 rsync_3.4.1+ds1-5+deb13u3.dsc
 bb9e2dda7e79d9639bc04bdafff6bb0b06a606ed915358b574696384215c9e5c 646840 rsync_3.4.1+ds1.orig.tar.xz
 8af184808b59d8b6b866393b80c2b02525dd418ebe2fe574191be02b30464018 88284 rsync_3.4.1+ds1-5+deb13u3.debian.tar.xz
 1fbc30379773f97b808ad5d53965290641065bbb7e71f85afb0aee3dba84ce1c 6825 rsync_3.4.1+ds1-5+deb13u3_source.buildinfo
Files:
 299a1222d76a16823dcdcb2e90d18f98 2379 net optional rsync_3.4.1+ds1-5+deb13u3.dsc
 6ed869a0c4012385c8da8cc272cab3b8 646840 net optional rsync_3.4.1+ds1.orig.tar.xz
 5a0010314d22a8ed68b39ae3fb2e4073 88284 net optional rsync_3.4.1+ds1-5+deb13u3.debian.tar.xz
 206bf69529a6938d7c7913a96cf45bd8 6825 net optional rsync_3.4.1+ds1-5+deb13u3_source.buildinfo

-----BEGIN PGP SIGNATURE-----

iQKmBAEBCgCQFiEERkRAmAjBceBVMd3uBUy48xNDz0QFAmoM03dfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2
NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQSHGNhcm5pbEBk
ZWJpYW4ub3JnAAoJEAVMuPMTQ89Eoz8QAJu0PJRJ75ZApJLual4ANyAN004ck6F6
tNn9bJWmtiMpH2X8otBck6dwSpLsURK4gXxv47axOqwkwpgtDmym7W6DRVTRRlIN
4LNFTnCURmBxaaM72MxQdpjHzlugE3PzRQvOBT7fr3+QL/O0a2pGOxuKbgL0t7pt
bQxh9zpU5e2j6mMHP6c9V5/O2yQY3kSv3e+KOuYhMPUlK4EaAxzGErDAE9ERVwDO
K8lGFsRiQWnnN5ZMzwelQvU3JmH++ACR6HL7gSlvdCN/FrpShGiWY3k0B8TWlwqb
pgDzIx+ByQmsIOxxCr4IpJJtt0KPe7rjlRCiVHJuw8ZvnS9YkBVta+LUV1Z2fFAJ
njPGied4WniRO6yoe3h1MRyQ9e6xYTJkfwidEAzZL5TFJxmNzE3rN6lZdOecYASS
lmEZ6ENgdx8QDnO1F8Yrf2F6LorbQHs7nFkyUPOOj6NSBjTz0tqpsPROTXfuAEUt
LibqSaFGONuMn9MzY7QIlt6G/21IsIs9txzse5o1fBys57N1FF9GCo3R0/O+D1gQ
qje2SVEexlRVGZ2JCnYlJ+FCpE5NUVuwYGJWRU2cJHlrbfn8CKDZ7Cd9DflifiKP
hJyOyfXac9gY7g6lMH6qbs88NZ1PIgjMDqbm5+AdckYMDQiBiPqoInRgZl98vrXZ
alj5DooO9H7a
=Ks/k
-----END PGP SIGNATURE-----
News for package rsync
