Author: markphip
Date: Tue Apr 12 10:52:35 2022
New Revision: 1899773
URL: http://svn.apache.org/viewvc?rev=1899773&view=rev
Log:
Prepare for 1.10.8 and 1.14.2 releases
Added:
subversion/site/staging/security/CVE-2021-28544-advisory.txt
subversion/site/staging/security/CVE-2021-28544-advisory.txt.asc
subversion/site/staging/security/CVE-2022-24070-advisory.txt
subversion/site/staging/security/CVE-2022-24070-advisory.txt.asc
Modified:
subversion/site/staging/index.html
subversion/site/staging/news.html
Modified: subversion/site/staging/index.html
URL:
http://svn.apache.org/viewvc/subversion/site/staging/index.html?rev=1899773&r1=1899772&r2=1899773&view=diff
==============================================================================
--- subversion/site/staging/index.html (original)
+++ subversion/site/staging/index.html Tue Apr 12 10:52:35 2022
@@ -70,6 +70,27 @@
<!-- In general, we'll keep only the most recent 3 or 4 news items here. -->
+<div class="h3" id="news-20220412">
+<h3>2022-04-12 — Apache Subversion Security Advisory
+<a class="sectionlink" href="#news-20220412"
+ title="Link to this section">¶</a>
+</h3>
+
+<p>The recent releases of Apache Subversion 1.14.2 and 1.10.8 contain
+ fixes for two security issues:
+ <a href="/security/CVE-2021-28544-advisory.txt">CVE-2021-28544</a> and
+ <a href="/security/CVE-2022-24070-advisory.txt">CVE-2022-24070</a>.
+ These issues affect Subversion 'mod_dav_svn' and 'svnserve' servers
+ only. Subversion clients are not affected. We encourage server
+ operators to upgrade to the latest appropriate version as soon as
+ reasonable. Please see the <a
href="https://lists.apache.org/[email protected]:2022-04";
+ >release announcements</a> for more information about the releases.</p>
+
+<p>To get the latest release from the nearest mirror, please visit our
+ <a href="/download.cgi">download page</a>.</p>
+
+</div> <!-- #news-20220412 -->
+
<div class="h3" id="news-20220412-1.14.2">
<h3>2022-04-12 — Apache Subversion 1.14.2 Released
<a class="sectionlink" href="#news-20220412-1.14.2"
Modified: subversion/site/staging/news.html
URL:
http://svn.apache.org/viewvc/subversion/site/staging/news.html?rev=1899773&r1=1899772&r2=1899773&view=diff
==============================================================================
--- subversion/site/staging/news.html (original)
+++ subversion/site/staging/news.html Tue Apr 12 10:52:35 2022
@@ -26,6 +26,27 @@
<!-- Maybe we could insert H2's to split up the news items by -->
<!-- calendar year if we felt the need to do so. -->
+<div class="h3" id="news-20220412">
+<h3>2022-04-12 — Apache Subversion Security Advisory
+<a class="sectionlink" href="#news-20220412"
+ title="Link to this section">¶</a>
+</h3>
+
+<p>The recent releases of Apache Subversion 1.14.2 and 1.10.8 contain
+ fixes for two security issues:
+ <a href="/security/CVE-2021-28544-advisory.txt">CVE-2021-28544</a> and
+ <a href="/security/CVE-2022-24070-advisory.txt">CVE-2022-24070</a>.
+ These issues affect Subversion 'mod_dav_svn' and 'svnserve' servers
+ only. Subversion clients are not affected. We encourage server
+ operators to upgrade to the latest appropriate version as soon as
+ reasonable. Please see the <a
href="https://lists.apache.org/[email protected]:2022-04";
+ >release announcements</a> for more information about the releases.</p>
+
+<p>To get the latest release from the nearest mirror, please visit our
+ <a href="/download.cgi">download page</a>.</p>
+
+</div> <!-- #news-20220412 -->
+
<div class="h3" id="news-20220412-1.14.2">
<h3>2022-04-12 — Apache Subversion 1.14.2 Released
<a class="sectionlink" href="#news-20220412-1.14.2"
Added: subversion/site/staging/security/CVE-2021-28544-advisory.txt
URL:
http://svn.apache.org/viewvc/subversion/site/staging/security/CVE-2021-28544-advisory.txt?rev=1899773&view=auto
==============================================================================
--- subversion/site/staging/security/CVE-2021-28544-advisory.txt (added)
+++ subversion/site/staging/security/CVE-2021-28544-advisory.txt Tue Apr 12
10:52:35 2022
@@ -0,0 +1,377 @@
+
+ SVN authz protected copyfrom paths regression
+
+Summary:
+========
+
+ Subversion servers reveal 'copyfrom' paths that should be hidden according
+ to configured path-based authorization (authz) rules. When a node has been
+ copied from a protected location, users with access to the copy can see the
+ 'copyfrom' path of the original. This also reveals the fact that the node
+ was copied. Only the 'copyfrom' path is revealed; not its contents. Both
+ httpd and svnserve servers are vulnerable.
+
+Known vulnerable:
+=================
+
+ Subversion httpd servers 1.10.0 through 1.14.1 (inclusive).
+ Subversion svnserve servers 1.10.0 through 1.14.1 (inclusive).
+
+ Repositories that do not use path-based authorization are not affected.
+
+Known fixed:
+============
+
+ Subversion httpd and svnserve servers 1.14.2.
+ Subversion httpd and svnserve servers 1.10.8.
+
+Details:
+========
+
+ When retrieving log messages, the helper function detect_changed() finds
+ and reports on applicable changes, such as when a node has been added by
+ copying. When authz is used, detect_changed() should omit information on
+ nodes that are unreadable per authz rules. In particular, if a node in a
+ readable location has been copied from an unreadable location, the readable
+ node should be reported but its copyfrom path (the path to the unreadable
+ location) should be omitted.
+
+ Due to an implementation error, the above-mentioned copyfrom paths are
+ reported even if they should be omitted. Note that only the path itself is
+ reported, not the contents of the file or directory at that path. Attempts
+ to access the contents are met with an authorization error as expected.
+
+ Example:
+
+ Suppose a file is copied:
+
+ svn cp $REPO/private/file.txt $REPO/public -m "Copy file.txt"
+
+ and the following authz config applies:
+
+ [repo:/]
+ *=rw
+ [repo:/private]
+ *=
+
+ With a vulnerable server, 'svn log' reveals the existence of the original
+ and its path:
+
+ svn log $REPO/public --verbose --limit 1
+
+ ...
+ Changed paths:
+ A /public/file.txt (from /private/file.txt:1)
+ ...
+
+ Non-vulnerable servers do not report this information:
+
+ ...
+ Changed paths:
+ A /public/file.txt
+ ...
+
+ Note that only the path to /private/file.txt is revealed; not its
+ contents. Users who cannot access /private/file.txt according to authz
+ rules will not be able to access its contents.
+
+Severity:
+=========
+
+ CVSSv3.1 Base Score: 4.3
+ CVSSv3.1 Base Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
+
+Recommendations:
+================
+
+ We recommend all users to upgrade to a known fixed release of the
+ Subversion server.
+
+ Users who are unable to upgrade may apply the included patches.
+
+References:
+===========
+
+ CVE-2021-28544 (Subversion)
+
+Reported by:
+============
+
+ Evgeny Kotkov, visualsvn.com
+
+Patches:
+========
+
+ Patch against Subversion 1.14.1:
+[[[
+Index: subversion/libsvn_repos/log.c
+===================================================================
+--- subversion/libsvn_repos/log.c (revision 1890531)
++++ subversion/libsvn_repos/log.c (working copy)
+@@ -337,43 +337,37 @@ detect_changed(svn_repos_revision_access_level_t *
+ if ( (change->change_kind == svn_fs_path_change_add)
+ || (change->change_kind == svn_fs_path_change_replace))
+ {
+- const char *copyfrom_path = change->copyfrom_path;
+- svn_revnum_t copyfrom_rev = change->copyfrom_rev;
+-
+ /* the following is a potentially expensive operation since on FSFS
+ we will follow the DAG from ROOT to PATH and that requires
+ actually reading the directories along the way. */
+ if (!change->copyfrom_known)
+ {
+- SVN_ERR(svn_fs_copied_from(©from_rev, ©from_path,
++ SVN_ERR(svn_fs_copied_from(&change->copyfrom_rev,
&change->copyfrom_path,
+ root, path, iterpool));
+ change->copyfrom_known = TRUE;
+ }
+
+- if (copyfrom_path && SVN_IS_VALID_REVNUM(copyfrom_rev))
++ if (change->copyfrom_path &&
SVN_IS_VALID_REVNUM(change->copyfrom_rev))
+ {
+- svn_boolean_t readable = TRUE;
+-
+ if (callbacks->authz_read_func)
+ {
+ svn_fs_root_t *copyfrom_root;
++ svn_boolean_t readable;
+
+ SVN_ERR(svn_fs_revision_root(©from_root, fs,
+- copyfrom_rev, iterpool));
++ change->copyfrom_rev,
iterpool));
+ SVN_ERR(callbacks->authz_read_func(&readable,
+ copyfrom_root,
+- copyfrom_path,
++ change->copyfrom_path,
+
callbacks->authz_read_baton,
+ iterpool));
+ if (! readable)
+- found_unreadable = TRUE;
++ {
++ found_unreadable = TRUE;
++ change->copyfrom_path = NULL;
++ change->copyfrom_rev = SVN_INVALID_REVNUM;
++ }
+ }
+-
+- if (readable)
+- {
+- change->copyfrom_path = copyfrom_path;
+- change->copyfrom_rev = copyfrom_rev;
+- }
+ }
+ }
+
+Index: subversion/tests/cmdline/authz_tests.py
+===================================================================
+--- subversion/tests/cmdline/authz_tests.py (revision 1890531)
++++ subversion/tests/cmdline/authz_tests.py (working copy)
+@@ -1731,7 +1731,62 @@ def empty_group(sbox):
+ '--username', svntest.main.wc_author,
+ sbox.repo_url)
+
++# test for the bug also known as CVE-2021-28544
++@Skip(svntest.main.is_ra_type_file)
++def log_inaccessible_copyfrom(sbox):
++ "log doesn't leak inaccessible copyfrom paths"
+
++ sbox.build(empty=True)
++ sbox.simple_add_text('secret', 'private')
++ sbox.simple_commit(message='log message for r1')
++ sbox.simple_copy('private', 'public')
++ sbox.simple_commit(message='log message for r2')
++
++ svntest.actions.enable_revprop_changes(sbox.repo_dir)
++ # Remove svn:date and svn:author for predictable output.
++ svntest.actions.run_and_verify_svn(None, [], 'propdel', '--revprop',
++ '-r2', 'svn:date', sbox.repo_url)
++ svntest.actions.run_and_verify_svn(None, [], 'propdel', '--revprop',
++ '-r2', 'svn:author', sbox.repo_url)
++
++ write_restrictive_svnserve_conf(sbox.repo_dir)
++
++ # First test with blanket access.
++ write_authz_file(sbox,
++ {"/" : "* = rw"})
++ expected_output = svntest.verify.ExpectedOutput([
++
"------------------------------------------------------------------------\n",
++ "r2 | (no author) | (no date) | 1 line\n",
++ "Changed paths:\n",
++ " A /public (from /private:1)\n",
++ "\n",
++ "log message for r2\n",
++
"------------------------------------------------------------------------\n",
++ ])
++ svntest.actions.run_and_verify_svn(expected_output, [],
++ 'log', '-r2', '-v',
++ sbox.repo_url)
++
++ # Now test with an inaccessible copy source (/private).
++ write_authz_file(sbox,
++ {"/" : "* = rw"},
++ {"/private" : "* ="})
++ expected_output = svntest.verify.ExpectedOutput([
++
"------------------------------------------------------------------------\n",
++ "r2 | (no author) | (no date) | 1 line\n",
++ "Changed paths:\n",
++ # The copy is shown as a plain add with no copyfrom info.
++ " A /public\n",
++ "\n",
++ # No log message, as the revision is only partially visible.
++ "\n",
++
"------------------------------------------------------------------------\n",
++ ])
++ svntest.actions.run_and_verify_svn(expected_output, [],
++ 'log', '-r2', '-v',
++ sbox.repo_url)
++
++
+ ########################################################################
+ # Run the tests
+
+@@ -1771,6 +1826,7 @@ test_list = [ None,
+ inverted_group_membership,
+ group_member_empty_string,
+ empty_group,
++ log_inaccessible_copyfrom,
+ ]
+ serial_only = True
+
+]]]
+
+ Patch against Subversion 1.10.7:
+[[[
+Index: subversion/libsvn_repos/log.c
+===================================================================
+--- subversion/libsvn_repos/log.c (revision 1890531)
++++ subversion/libsvn_repos/log.c (working copy)
+@@ -337,43 +337,37 @@ detect_changed(svn_repos_revision_access_level_t *
+ if ( (change->change_kind == svn_fs_path_change_add)
+ || (change->change_kind == svn_fs_path_change_replace))
+ {
+- const char *copyfrom_path = change->copyfrom_path;
+- svn_revnum_t copyfrom_rev = change->copyfrom_rev;
+-
+ /* the following is a potentially expensive operation since on FSFS
+ we will follow the DAG from ROOT to PATH and that requires
+ actually reading the directories along the way. */
+ if (!change->copyfrom_known)
+ {
+- SVN_ERR(svn_fs_copied_from(©from_rev, ©from_path,
++ SVN_ERR(svn_fs_copied_from(&change->copyfrom_rev,
&change->copyfrom_path,
+ root, path, iterpool));
+ change->copyfrom_known = TRUE;
+ }
+
+- if (copyfrom_path && SVN_IS_VALID_REVNUM(copyfrom_rev))
++ if (change->copyfrom_path &&
SVN_IS_VALID_REVNUM(change->copyfrom_rev))
+ {
+- svn_boolean_t readable = TRUE;
+-
+ if (callbacks->authz_read_func)
+ {
+ svn_fs_root_t *copyfrom_root;
++ svn_boolean_t readable;
+
+ SVN_ERR(svn_fs_revision_root(©from_root, fs,
+- copyfrom_rev, iterpool));
++ change->copyfrom_rev,
iterpool));
+ SVN_ERR(callbacks->authz_read_func(&readable,
+ copyfrom_root,
+- copyfrom_path,
++ change->copyfrom_path,
+
callbacks->authz_read_baton,
+ iterpool));
+ if (! readable)
+- found_unreadable = TRUE;
++ {
++ found_unreadable = TRUE;
++ change->copyfrom_path = NULL;
++ change->copyfrom_rev = SVN_INVALID_REVNUM;
++ }
+ }
+-
+- if (readable)
+- {
+- change->copyfrom_path = copyfrom_path;
+- change->copyfrom_rev = copyfrom_rev;
+- }
+ }
+ }
+
+Index: subversion/tests/cmdline/authz_tests.py
+===================================================================
+--- subversion/tests/cmdline/authz_tests.py (revision 1890531)
++++ subversion/tests/cmdline/authz_tests.py (working copy)
+@@ -1710,7 +1710,62 @@ def group_member_empty_string(sbox):
+ '--username', svntest.main.wc_author,
+ sbox.repo_url)
+
++# test for the bug also known as CVE-2021-28544
++@Skip(svntest.main.is_ra_type_file)
++def log_inaccessible_copyfrom(sbox):
++ "log doesn't leak inaccessible copyfrom paths"
+
++ sbox.build(empty=True)
++ sbox.simple_add_text('secret', 'private')
++ sbox.simple_commit(message='log message for r1')
++ sbox.simple_copy('private', 'public')
++ sbox.simple_commit(message='log message for r2')
++
++ svntest.actions.enable_revprop_changes(sbox.repo_dir)
++ # Remove svn:date and svn:author for predictable output.
++ svntest.actions.run_and_verify_svn(None, [], 'propdel', '--revprop',
++ '-r2', 'svn:date', sbox.repo_url)
++ svntest.actions.run_and_verify_svn(None, [], 'propdel', '--revprop',
++ '-r2', 'svn:author', sbox.repo_url)
++
++ write_restrictive_svnserve_conf(sbox.repo_dir)
++
++ # First test with blanket access.
++ write_authz_file(sbox,
++ {"/" : "* = rw"})
++ expected_output = svntest.verify.ExpectedOutput([
++
"------------------------------------------------------------------------\n",
++ "r2 | (no author) | (no date) | 1 line\n",
++ "Changed paths:\n",
++ " A /public (from /private:1)\n",
++ "\n",
++ "log message for r2\n",
++
"------------------------------------------------------------------------\n",
++ ])
++ svntest.actions.run_and_verify_svn(expected_output, [],
++ 'log', '-r2', '-v',
++ sbox.repo_url)
++
++ # Now test with an inaccessible copy source (/private).
++ write_authz_file(sbox,
++ {"/" : "* = rw"},
++ {"/private" : "* ="})
++ expected_output = svntest.verify.ExpectedOutput([
++
"------------------------------------------------------------------------\n",
++ "r2 | (no author) | (no date) | 1 line\n",
++ "Changed paths:\n",
++ # The copy is shown as a plain add with no copyfrom info.
++ " A /public\n",
++ "\n",
++ # No log message, as the revision is only partially visible.
++ "\n",
++
"------------------------------------------------------------------------\n",
++ ])
++ svntest.actions.run_and_verify_svn(expected_output, [],
++ 'log', '-r2', '-v',
++ sbox.repo_url)
++
++
+ ########################################################################
+ # Run the tests
+
+@@ -1749,6 +1804,7 @@ test_list = [ None,
+ remove_access_after_commit,
+ inverted_group_membership,
+ group_member_empty_string,
++ log_inaccessible_copyfrom,
+ ]
+ serial_only = True
+
+]]]
Added: subversion/site/staging/security/CVE-2021-28544-advisory.txt.asc
URL:
http://svn.apache.org/viewvc/subversion/site/staging/security/CVE-2021-28544-advisory.txt.asc?rev=1899773&view=auto
==============================================================================
--- subversion/site/staging/security/CVE-2021-28544-advisory.txt.asc (added)
+++ subversion/site/staging/security/CVE-2021-28544-advisory.txt.asc Tue Apr 12
10:52:35 2022
@@ -0,0 +1,7 @@
+-----BEGIN PGP SIGNATURE-----
+
+iHUEABYKAB0WIQTsJfzBBWGNBK20NCnEQWFnNJo7ywUCYlVXeQAKCRDEQWFnNJo7
+yxb3APoDon1c8sSGW3C3UYnTfn1SazYGAHyGaSHQUr+YhBBEagEAuEJS+aKZk63x
+tcynsH5wxQRrI2EPbCVwulerIkxvvQ4=
+=vaku
+-----END PGP SIGNATURE-----
Added: subversion/site/staging/security/CVE-2022-24070-advisory.txt
URL:
http://svn.apache.org/viewvc/subversion/site/staging/security/CVE-2022-24070-advisory.txt?rev=1899773&view=auto
==============================================================================
--- subversion/site/staging/security/CVE-2022-24070-advisory.txt (added)
+++ subversion/site/staging/security/CVE-2022-24070-advisory.txt Tue Apr 12
10:52:35 2022
@@ -0,0 +1,148 @@
+
+ Subversion's mod_dav_svn is vulnerable to memory corruption
+
+Summary:
+========
+
+ While looking up path-based authorization rules, mod_dav_svn servers
+ may attempt to use memory which has already been freed.
+
+Known vulnerable:
+=================
+
+ Subversion mod_dav_svn servers 1.10.0 through 1.14.1 (inclusive).
+
+ Servers that do not use mod_dav_svn are not affected.
+
+Known fixed:
+============
+
+ Subversion httpd servers 1.14.2.
+ Subversion httpd servers 1.10.8.
+
+Details:
+========
+
+ Server modules for Apache HTTP server (httpd), such as mod_dav_svn,
+ implement several hooks that httpd calls at various times.
+
+ One of these, post_config, may be called more than once during module
+ initialization. The number of calls and the purpose of each call
+ depend on whether the module is loaded at httpd startup or during a
+ later reload of httpd's configuration.
+
+ When httpd loads a module at startup, it performs a configuration
+ check at which time it calls the module's post_config hook for
+ validation purposes. Later, httpd calls the hook again; this is the
+ "real" initialization call.
+
+ In contrast, when httpd loads a module at a later stage, due to
+ reloading its own configuration, it calls the post_config hook only
+ once.
+
+ In vulnerable versions of Subversion, the post_config hook
+ implementation does not take these semantics into account. As a
+ result, it always treats the first call as the "real" call and
+ performs initialization, including caching of pointers which are used
+ later. When the call is in fact for validation only, those pointers
+ subsequently become invalid when the memory allocation pools into
+ which they point are cleared.
+
+ Subsequent operations on the freed (and possibly reused) memory may
+ lead to a segfault crash.
+
+ The affected pointers are used by Subversion when serving requests
+ which require a lookup of path-based authorization (authz) rules.
+ However, even servers which do not make use of authz should be upgraded.
+ The invalid pointers are always present in the running program and could
+ be abused via other unknown attack vectors.
+
+Severity:
+=========
+
+ CVSSv3.1 Base Score: 7.5 (High)
+
+ CVSSv3.1 Base Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
+
+ Exploitation results in denial of service by crashing the HTTPD worker
+ handling the request. The impact of this differs depending on how the
+ Apache HTTPD server is configured, including the choice of MPM (Multi-
+ Processing-Module). If the worker shares its memory address space with
+ the main thread, as is the case with e.g. the Event MPM, the entire
+ HTTPD server process will terminate. If the pre-fork MPM is used, the
+ worker will terminate but the HTTPD server will stay up, and service
+ availability will depend on how frequently the attacker is able to
+ send malicious requests which target the vulnerability.
+
+Recommendations:
+================
+
+ We recommend all users to upgrade to a known fixed release of the
+ Subversion server.
+
+ Users who are unable to upgrade may apply the patch included below.
+
+References:
+===========
+
+ CVE-2022-24070 (Subversion)
+
+ Bug 4480 (Subversion): https://issues.apache.org/jira/browse/SVN-4880
+ Bug 65861 (httpd): https://bz.apache.org/bugzilla/show_bug.cgi?id=65861
+
+ https://cwiki.apache.org/confluence/display/HTTPD/ModuleLife
+
+Reported by:
+============
+
+ Thomas WeiÃschuh, cis-solutions.eu
+
+Patch:
+========
+
+ Patch against Subversion 1.14.1 and 1.10.7:
+[[[
+Index: subversion/libsvn_repos/authz.c
+===================================================================
+--- subversion/libsvn_repos/authz.c (revision 1894733)
++++ subversion/libsvn_repos/authz.c (revision 1894734)
+@@ -130,6 +130,30 @@
+ static svn_object_pool__t *filtered_pool = NULL;
+ static svn_atomic_t authz_pool_initialized = FALSE;
+
++/*
++ * Ensure that we will initialize authz again if the pool which
++ * our authz caches depend on is cleared.
++ *
++ * HTTPD may run pre/post config hooks multiple times and clear
++ * its global configuration pool which our authz pools depend on.
++ * This happens in a non-threaded context during HTTPD's intialization
++ * and HTTPD's main loop, so it is safe to reset static variables here.
++ * (And any applications which cleared this pool while SVN threads
++ * were running would crash no matter what.)
++ *
++ * See issue #4880, "Use-after-free of object-pools in
++ * subversion/libsvn_repos/authz.c when used as httpd module"
++ */
++static apr_status_t
++deinit_authz(void *data)
++{
++ /* The two object pools run their own cleanup handlers. */
++ authz_pool = NULL;
++ filtered_pool = NULL;
++ authz_pool_initialized = FALSE;
++ return APR_SUCCESS;
++}
++
+ /* Implements svn_atomic__err_init_func_t. */
+ static svn_error_t *
+ synchronized_authz_initialize(void *baton, apr_pool_t *pool)
+@@ -143,6 +167,7 @@
+ SVN_ERR(svn_object_pool__create(&authz_pool, multi_threaded, pool));
+ SVN_ERR(svn_object_pool__create(&filtered_pool, multi_threaded, pool));
+
++ apr_pool_cleanup_register(pool, NULL, deinit_authz, apr_pool_cleanup_null);
+ return SVN_NO_ERROR;
+ }
+
+]]]
Added: subversion/site/staging/security/CVE-2022-24070-advisory.txt.asc
URL:
http://svn.apache.org/viewvc/subversion/site/staging/security/CVE-2022-24070-advisory.txt.asc?rev=1899773&view=auto
==============================================================================
--- subversion/site/staging/security/CVE-2022-24070-advisory.txt.asc (added)
+++ subversion/site/staging/security/CVE-2022-24070-advisory.txt.asc Tue Apr 12
10:52:35 2022
@@ -0,0 +1,7 @@
+-----BEGIN PGP SIGNATURE-----
+
+iHUEABYKAB0WIQTsJfzBBWGNBK20NCnEQWFnNJo7ywUCYlVXjQAKCRDEQWFnNJo7
+y1TaAP4+/K/PVOZ9gHnHELfDgZGQPKdG7b2MvQeaGgo4bWIJEgD/Wlx6mjnXtdst
+y02CcXwI7wlmsQ1s94cxHSkKXESqDgs=
+=cv51
+-----END PGP SIGNATURE-----
