-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Tue, 19 May 2026 09:03:02 +0200
Source: rsync
Binary: rsync rsync-dbgsym
Architecture: source amd64
Version: 3.2.3-4+deb11u4
Distribution: bullseye-security
Urgency: high
Maintainer: Paul Slootman <paul@debian.org>
Changed-By: Thorsten Alteholz <debian@alteholz.de>
Description:
rsync - fast, versatile, remote (and local) file-copying tool
Changes:
rsync (3.2.3-4+deb11u4) bullseye-security; urgency=high
.
* Non-maintainer upload by the LTS Team.
* Address several vulnerabilities
- CVE-2026-29518: Symlink-race TOCTOU in daemon (use chroot = no)
- CVE-2026-43617: Authorization bypass via hostname resolution (daemon
chroot mode)
- CVE-2026-43618: Integer overflow in compressed-token decoder (info
disclosure)
- CVE-2026-43619: Symlink-race conditions in path-based syscalls
- CVE-2026-43620: Out-of-bounds array read in receiver recv_files()
* d/t/upstream-tests: Build t_chmod_secure and t_secure_relpath
Checksums-Sha1:
f713506e5158d0ebaf9384a15e3b856ed6214f9f 2422 rsync_3.2.3-4+deb11u4.dsc
00823f43901e7da39f3f0daf20ec9efae47e959e 1069784 rsync_3.2.3.orig.tar.gz
770d59f01d28374a3ff3603fefe524589a4f3237 195 rsync_3.2.3.orig.tar.gz.asc
9900e3e96945c36cc93fc8ac7b20da4305bb1b4d 96172 rsync_3.2.3-4+deb11u4.debian.tar.xz
0f4be91466593dd49da1f809a4b4aa38fb753e4f 517788 rsync-dbgsym_3.2.3-4+deb11u4_amd64.deb
59092e99b224e488d436d6f39c668cd566346034 6778 rsync_3.2.3-4+deb11u4_amd64.buildinfo
8473d933446d64e9611975223425ef74143b3e56 402576 rsync_3.2.3-4+deb11u4_amd64.deb
Checksums-Sha256:
8b711e0fd02465db26ac6d7727534817251f97e2e2a374dd938980c3fb8f8b36 2422 rsync_3.2.3-4+deb11u4.dsc
becc3c504ceea499f4167a260040ccf4d9f2ef9499ad5683c179a697146ce50e 1069784 rsync_3.2.3.orig.tar.gz
2e363382a60e7faa6762f560756cc0f3b8116c313eea7fe5fbfc5fed5b2f4f74 195 rsync_3.2.3.orig.tar.gz.asc
f3298fca8f6ea018af3575233ce13e39fc29eae8ccab2b3eb81235cabb44ac7f 96172 rsync_3.2.3-4+deb11u4.debian.tar.xz
08edadaf09cb91430c67353f4ae8f01de7d0a80f6600dd3107518a5d7dc43008 517788 rsync-dbgsym_3.2.3-4+deb11u4_amd64.deb
cf6a7ec61a8ffa03dbd22082f3c48fba68bcb597030c266bf7289ad547caa604 6778 rsync_3.2.3-4+deb11u4_amd64.buildinfo
14dd145f06eb35a61858a5743cb35a96d69519ddc35144449df1f362db75a005 402576 rsync_3.2.3-4+deb11u4_amd64.deb
Files:
27ceff8c774dab51c8da0fb00582ccaa 2422 net optional rsync_3.2.3-4+deb11u4.dsc
209f8326f5137d8817a6276d9577a2f1 1069784 net optional rsync_3.2.3.orig.tar.gz
64bb0b6f7331b8535f44e1383156a515 195 net optional rsync_3.2.3.orig.tar.gz.asc
a1b2502fd818f2cd83bd1ff68da9f2ac 96172 net optional rsync_3.2.3-4+deb11u4.debian.tar.xz
b3f11eae4977e9ee944dd978d03996fb 517788 debug optional rsync-dbgsym_3.2.3-4+deb11u4_amd64.deb
cf836d03fc6ce5aa1e7dd8e1f21f30c7 6778 net optional rsync_3.2.3-4+deb11u4_amd64.buildinfo
3ed768be4706121ac47d2b7392e31421 402576 net optional rsync_3.2.3-4+deb11u4_amd64.deb
-----BEGIN PGP SIGNATURE-----
iQKnBAEBCgCRFiEEYgH7/9u94Hgi6ruWlvysDTh7WEcFAmoNtI1fFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDYy
MDFGQkZGREJCREUwNzgyMkVBQkI5Njk2RkNBQzBEMzg3QjU4NDcTHGRlYmlhbkBh
bHRlaG9sei5kZQAKCRCW/KwNOHtYR983D/43qY245Hmh/inAOuJ43lCKSgSyBRyn
QJXYSco/STn+boNkt/AyBmsp2eBA2DA0MVnxVpLJxmxJdLPmlav3mhv2ZfgLRn+l
i8HAS3EgWr87bUdKp+6VRT6qun8hy7Mqvyu/AYGkIZGXEH94FSVG0W0oKGXrXQ9f
s0D4PoSSlhO4uLISeO9i44PTWmpOMBLKjJF4bMQWPbIqXY+VtuE8vqy3am0f0nr1
66hDp+mdktoASgd8El4ZWYgHONLxuLdcVP30D22fO7IsZFgDa8z3wd8VZ9LBDMJR
DmXNDJAIukzBBVYjaX0YPvYT33yE99HdyTbVBUn1E6lc5op2+LSir9Mz3Iq8pE9h
yZAuaDU/QDc+zp5gV7Oj1F0ws3y2qtnhaBqBqR8AsIQcskRDoz6tgBwpMojLJhcg
nVoi7S0bTOHAwNZOlU+HquvmSjvUlmflqLE4XHVrjfDDHw6q9pNQl9hIhYZ8k1jd
PIaeRpwcTqbV2bwNKvdJluiTn5BLnTneyJXl7aOEifcc+WztrIkWB7s74LnGquL3
V1Mp/js+4BjBcNKeCkD/gOYx2eDuaOzQwz/T5A0R84CtY8S6zbHVJMJ4Aq/D1nTo
E6YTgSO65EyEHEwOTlfFnebLaWoal8YVQ25nA8ctUFFkusGw4CkSyICMVEUsEwVn
6dOsMKISqq7f2Q==
=EmjZ
-----END PGP SIGNATURE-----
