FreeBSD Security Advisory FreeBSD-SA-19:07.mds [REVISED]

2019-05-15 Thread FreeBSD Security Advisories
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

=============================================================================
FreeBSD-SA-19:07.mds                                        Security Advisory
                                                          The FreeBSD Project

Topic:          Microarchitectural Data Sampling (MDS)

Category:       core
Module:         kernel
Announced:      2019-05-14
Credits:        Refer to Intel's security advisory at the URL below for
                detailed acknowledgements.
Affects:        All supported versions of FreeBSD.
Corrected:      2019-05-14 17:04:00 UTC (stable/12, 12.0-STABLE)
                2019-05-14 23:19:08 UTC (releng/12.0, 12.0-RELEASE-p4)
                2019-05-14 17:05:02 UTC (stable/11, 11.3-PRERELEASE)
                2019-05-14 23:20:16 UTC (releng/11.2, 11.2-RELEASE-p10)
CVE Name:       CVE-2018-12126, CVE-2018-12127, CVE-2018-12130,
                CVE-2019-11091

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:https://security.FreeBSD.org/>.

0.   Revision history

v1.0   2019-05-14  Initial release.
v1.1   2019-05-15  Fixed date on microcode update package.
v1.2   2019-05-15  Userland startup microcode update details added.
                   Add language specifying which manufacturers are affected.

I.   Background

Modern processors make use of speculative execution, an optimization
technique which performs some action in advance of knowing whether the
result will actually be used.

II.  Problem Description

On some Intel processors utilizing speculative execution a local process may
be able to infer stale information from microarchitectural buffers to obtain
a memory disclosure.

III. Impact

An attacker may be able to read secret data from the kernel or from a
process when executing untrusted code (for example, in a web browser).

IV.  Workaround

No workaround is available.

Only Intel x86 based processors are affected.  x86 processors from other
manufacturers (e.g., AMD) are not believed to be vulnerable.

Systems with users or processors in different trust domains should disable
Hyper-Threading by setting the machdep.hyperthreading_allowed tunable to 0:

# echo 'machdep.hyperthreading_allowed=0' >> /boot/loader.conf
# shutdown -r +10min "Security update"

V.   Solution

Perform one of the following:

Update CPU microcode, upgrade your vulnerable system to a supported FreeBSD
stable or release / security branch (releng) dated after the correction date,
evaluate mitigation and Hyper Threading controls, and reboot the system.

New CPU microcode may be available in a BIOS update from your system vendor,
or by installing the devcpu-data package or sysutils/devcpu-data port.
Ensure that the BIOS update or devcpu-data package is dated after 2019-05-14.

If using the package or port the Intel microcode update can be applied at
boot time (only on FreeBSD 12 and later) by adding the following lines to the
system's /boot/loader.conf:

cpu_microcode_load="YES"
cpu_microcode_name="/boot/firmware/intel-ucode.bin"

To automatically load microcode during userland startup (supported on all
FreeBSD versions), add the following to /etc/rc.conf:

microcode_update_enable="YES"

1) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

Follow additional details under "Mitigation Configuration" below.

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 12.0-STABLE]
# fetch https://security.FreeBSD.org/patches/SA-19:07/mds.12-stable.patch
# fetch https://security.FreeBSD.org/patches/SA-19:07/mds.12-stable.patch.asc
# gpg --verify mds.12-stable.patch.asc

[FreeBSD 12.0-RELEASE]
# fetch https://security.FreeBSD.org/patches/SA-19:07/mds.12.0.patch
# fetch https://security.FreeBSD.org/patches/SA-19:07/mds.12.0.patch.asc
# gpg --verify mds.12.0.patch.asc

[FreeBSD 11.3-PRERELEASE]
# fetch https://security.FreeBSD.org/patches/SA-19:07/mds.11-stable.patch
# fetch https://security.FreeBSD.org/patches/SA-19:07/mds.11-stable.patch.asc
# gpg --verify mds.11-stable.patch.asc

[FreeBSD 11.2-RELEASE]
# fetch https://security.FreeBSD.org/patches/SA-19:07/mds.11.2.patch
# fetch https://security.FreeBSD.org/patches/SA-19:07/mds.11.2.patch.asc
# gpg --verify mds.11.2.patch.asc

b) Apply the patch.  Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
<URL:https://www.FreeBSD.org/handbook/kernelconfig.html>.

Mitigation Configuration

Systems with users, processes, or virtual machines in 

FreeBSD Security Advisory FreeBSD-SA-19:07.mds

2019-05-15 Thread FreeBSD Security Advisories
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

=============================================================================
FreeBSD-SA-19:07.mds                                        Security Advisory
                                                          The FreeBSD Project

Topic:          Microarchitectural Data Sampling (MDS)

Category:       core
Module:         kernel
Announced:      2019-05-14
Credits:        Refer to Intel's security advisory at the URL below for
                detailed acknowledgements.
Affects:        All supported versions of FreeBSD.
Corrected:      2019-05-14 17:04:00 UTC (stable/12, 12.0-STABLE)
                2019-05-15 13:44:27 UTC (releng/12.0, 12.0-RELEASE-p5)
                2019-05-14 17:05:02 UTC (stable/11, 11.3-PRERELEASE)
                2019-05-14 23:20:16 UTC (releng/11.2, 11.2-RELEASE-p10)
CVE Name:       CVE-2018-12126, CVE-2018-12127, CVE-2018-12130,
                CVE-2019-11091

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:https://security.FreeBSD.org/>.

0.   Revision history

v1.0   2019-05-14  Initial release.
v1.1   2019-05-15  Fixed date on microcode update package.
v1.2   2019-05-15  Userland startup microcode update details added.
                   Add language specifying which manufacturers are affected.
v1.3   2019-05-15  Minor quoting nit for the HT disable loader config.
v2.0   2019-05-15  Rerelease 12.0-RELEASE patch as -p5 due to i386 panic bug.

I.   Background

Modern processors make use of speculative execution, an optimization
technique which performs some action in advance of knowing whether the
result will actually be used.

II.  Problem Description

On some Intel processors utilizing speculative execution a local process may
be able to infer stale information from microarchitectural buffers to obtain
a memory disclosure.

III. Impact

An attacker may be able to read secret data from the kernel or from a
process when executing untrusted code (for example, in a web browser).

IV.  Workaround

No workaround is available.

Only Intel x86 based processors are affected.  x86 processors from other
manufacturers (e.g., AMD) are not believed to be vulnerable.

Systems with users or processors in different trust domains should disable
Hyper-Threading by setting the machdep.hyperthreading_allowed tunable to 0:

# echo 'machdep.hyperthreading_allowed=0' >> /boot/loader.conf
# shutdown -r +10min "Security update"

V.   Solution

Perform one of the following:

Update CPU microcode, upgrade your vulnerable system to a supported FreeBSD
stable or release / security branch (releng) dated after the correction date,
evaluate mitigation and Hyper Threading controls, and reboot the system.

New CPU microcode may be available in a BIOS update from your system vendor,
or by installing the devcpu-data package or sysutils/devcpu-data port.
Ensure that the BIOS update or devcpu-data package is dated after 2019-05-14.

If using the package or port the Intel microcode update can be applied at
boot time (only on FreeBSD 12 and later) by adding the following lines to the
system's /boot/loader.conf:

cpu_microcode_load="YES"
cpu_microcode_name="/boot/firmware/intel-ucode.bin"

To automatically load microcode during userland startup (supported on all
FreeBSD versions), add the following to /etc/rc.conf:

microcode_update_enable="YES"

1) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

Follow additional details under "Mitigation Configuration" below.

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[*** v2.0 NOTE *** Only applies to 12.0-RELEASE ***]
Due to an error in the 12.0-RELEASE affecting the i386 architecture, a new
set of patches is being released.  If your 12.0-RELEASE sources are not yet
patched using the initially published patch, then you need to apply the
mds.12.0.patch. If your sources are already updated, or patched with the
patch from the initial advisory, then you need to apply the incremental
patch, named mds.12.0.p4p5.patch

[FreeBSD 12.0-STABLE]
# fetch https://security.FreeBSD.org/patches/SA-19:07/mds.12-stable.patch
# fetch https://security.FreeBSD.org/patches/SA-19:07/mds.12-stable.patch.asc
# gpg --verify mds.12-stable.patch.asc

[FreeBSD 12.0-RELEASE, not patched with initial SA-19:07.mds patch]
# fetch https://security.FreeBSD.org/patches/SA-19:07/mds.12.0.patch
# fetch https://security.FreeBSD.org/patches/SA-19:07/mds.12.0.patch.asc
# gpg --verify mds.12.0.patch.asc

[FreeBSD 12.0-RELEASE, patched with initial 

SEC Consult SA-20190515-0 :: Authorization Bypass in RSA NetWitness (@sec_consult)

2019-05-15 Thread SEC Consult Vulnerability Lab
SEC Consult Vulnerability Lab Security Advisory < 20190515-0 >
=======================================================================
              title: Authorization Bypass
            product: RSA NetWitness
 vulnerable version: <10.6.6.1, <11.2.1.1
      fixed version: 10.6.6.1, 11.2.1.1
         CVE number: CVE-2019-3724
             impact: Medium
           homepage: https://www.rsa.com
              found: 2018-09-18
                 by: Mantas Juskauskas (Office Vilnius)
                     SEC Consult Vulnerability Lab

                     An integrated part of SEC Consult
                     Europe | Asia | North America

                     https://www.sec-consult.com
=======================================================================

Vendor description:
-------------------
"RSA provides more than 30,000 customers around the world with the essential
security capabilities to protect their most valuable assets from cyber
threats. With RSA's award-winning products, organizations effectively detect,
investigate, and respond to advanced attacks; confirm and manage identities;
and ultimately, reduce IP theft, fraud, and cybercrime."

Source: https://www.rsa.com/en-us/company/about


Business recommendation:
------------------------
By exploiting the vulnerability documented in this advisory an unauthorized
attacker can access an administrative resource that may contain plain text
credentials to a 3rd party system.

The vendor provides a patch which should be installed on affected systems.


Vulnerability overview/description:
-----------------------------------
The authorization mechanism provided by the platform is prone to an
authorization bypass vulnerability, which can be easily exploited by
authenticated (but low privileged) remote attackers for gaining access to
administrative information including plaintext passwords.


Proof of concept:
-----------------
A logged-in low privileged user (e.g. with role Analyst) is able to access
an administrative resource by calling the following URL:

https://[host]/admin/system/whois/properties

After the above URL is accessed, the server returns the following HTTP response
that contains sensitive information to a 3rd party whois service including
plaintext passwords:

HTTP/1.1 200 OK
Server: nginx
Date: [snip]
Content-Type: application/json;charset=UTF-8
Connection: close
X-Frame-Options: SAMEORIGIN
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
X-Content-Type-Options: nosniff
Strict-Transport-Security: max-age=31536000 ; includeSubDomains
X-XSS-Protection: 1; mode=block
X-Frame-Options: SAMEORIGIN
Set-Cookie: [snip]
Content-Length: 795

{"success":true,"data":{"queryUrl":"https://[snip]","authUrl":"https://[snip]","userId":"[snip]","pw":"[snip]","allowedRequests":100,"allowedRequestsInterval":60,"queueMaxSize":10,"cacheMaxSize":5,"refreshInterval":30,"waitForHttpRequests":true,"settings":{"query-url":"https://[snip]","queue-max-size":10,"password":"[snip]","allowed-requests":100,"auth-url":"https://[snip]","user-id":"[snip]","refresh-interval-seconds":{"seconds":2592000,"milliSeconds":259200},"cache-max-size":5,"wait-for-http-request":true,"allowed-requests-interval-seconds":{"seconds":60,"milliSeconds":6
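The failure the proof of concept exercises is an authentication check standing in for an authorization check: any logged-in session, whatever its role, is allowed to read an /admin/ resource that carries a stored credential. The following is an added illustration, not RSA NetWitness code; it models the broken handler next to a hardened one. The endpoint path and the "pw"/"password" field names come from the advisory above, while the session model, role names, the "hunter2" credential and the rest of the configuration data are constructed stand-ins.

```python
"""Added example: a minimal role-based authorization gate for an
administrative JSON endpoint, in its broken form (authentication only)
and a hardened form (authentication + role check + secret redaction).
Illustrative code, not RSA NetWitness code; the path
/admin/system/whois/properties and the field names "pw"/"password" come
from the advisory, everything else is a constructed stand-in."""
import json
from dataclasses import dataclass
from http import HTTPStatus

# Constructed stand-in for the administrative configuration the endpoint
# returns; the real response layout is only partially quoted in the advisory.
WHOIS_PROPERTIES = {
    "queryUrl": "https://whois.example.invalid/query",
    "authUrl": "https://whois.example.invalid/auth",
    "userId": "svc-whois",
    "pw": "hunter2",
    "allowedRequests": 100,
    "settings": {"query-url": "https://whois.example.invalid/query",
                 "password": "hunter2", "user-id": "svc-whois"},
}

SECRET_KEYS = {"pw", "password"}
ADMIN_ROLES = {"Administrator"}


@dataclass(frozen=True)
class Session:
    user: str
    role: str          # e.g. "Analyst" or "Administrator"


def redact(obj):
    """Recursively replace secret-bearing fields so an admin UI can show
    the configuration without echoing the stored credential."""
    if isinstance(obj, dict):
        return {k: ("[redacted]" if k in SECRET_KEYS else redact(v))
                for k, v in obj.items()}
    if isinstance(obj, list):
        return [redact(v) for v in obj]
    return obj


def vulnerable_whois_properties(session):
    """Broken handler: the only check is whether a session exists."""
    if session is None:
        return HTTPStatus.UNAUTHORIZED, None
    # Authenticated is treated as authorized. This is the bypass: an Analyst
    # reaches the administrative resource and receives the plaintext "pw".
    return HTTPStatus.OK, json.dumps({"success": True, "data": WHOIS_PROPERTIES})


def hardened_whois_properties(session):
    """Hardened handler: authorization is a separate decision from authentication."""
    if session is None:
        return HTTPStatus.UNAUTHORIZED, None
    # The resource lives under /admin/, so require an administrative role.
    if session.role not in ADMIN_ROLES:
        return HTTPStatus.FORBIDDEN, None
    # Defence in depth: even an administrator does not need the stored
    # password echoed back on a read, so redact it in the response.
    return HTTPStatus.OK, json.dumps({"success": True, "data": redact(WHOIS_PROPERTIES)})


def route(handler, session, path="/admin/system/whois/properties"):
    """Tiny dispatcher standing in for the web framework.
    Returns (status_code, parsed_json_body_or_None)."""
    if path != "/admin/system/whois/properties":
        return HTTPStatus.NOT_FOUND, None
    status, body = handler(session)
    return int(status), (json.loads(body) if body else None)


if __name__ == "__main__":
    analyst = Session("alice", "Analyst")
    print(route(vulnerable_whois_properties, analyst))  # 200, "pw" in the clear
    print(route(hardened_whois_properties, analyst))    # 403, no body
```

The two changes that matter are the role check (which turns the Analyst's 200 into a 403) and redacting the credential on the read path, so that a future authorization slip in the same handler no longer leaks the third-party password.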



Vulnerable / tested versions:
-----------------------------
The identified vulnerability has been verified to exist in the
RSA NetWitness platform, version 11.1.0.1.

According to the vendor, platform version 10 is also affected.

The following versions are vulnerable:
* <10.6.6.1
* <11.2.1.1


Vendor contact timeline:
------------------------
2018-10-01: Contacting vendor through PGP via sec...@dell.com
2018-10-02: Vendor acknowledges the information was received, forwards
the info to the relevant department
2018-10-11: Vendor confirms the impact of the authorization issue,
starts to work on the remediation timeline
2018-10-15: Vendor provides additional information
2018-10-22: Contacting vendor to provide the remediation timeline
2018-10-23: Further email exchange related to the remediation timeline
2019-01-18: Vendor provides an update on the fix timeline
2019-03-05: Asking for a status update
2019-03-06: Vendor provides a status update on the release, patch for
platform version 11 will be released in March, version 10
Mid-April
2019-04-01: Asking for a specific release date & further status update
2019-04-01: Vendor: release is scheduled for 23rd April 2019, but may change,
they will inform us
2019-05

FreeBSD Security Advisory FreeBSD-SA-19:07.mds

2019-05-15 Thread FreeBSD Security Advisories
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

=============================================================================
FreeBSD-SA-19:07.mds                                        Security Advisory
                                                          The FreeBSD Project

Topic:          Microarchitectural Data Sampling (MDS)

Category:       core
Module:         kernel
Announced:      2019-05-14
Credits:        Refer to Intel's security advisory at the URL below for
                detailed acknowledgements.
Affects:        All supported versions of FreeBSD.
Corrected:      2019-05-14 17:04:00 UTC (stable/12, 12.0-STABLE)
                2019-05-14 23:19:08 UTC (releng/12.0, 12.0-RELEASE-p4)
                2019-05-14 17:05:02 UTC (stable/11, 11.3-PRERELEASE)
                2019-05-14 23:20:16 UTC (releng/11.2, 11.2-RELEASE-p10)
CVE Name:       CVE-2018-12126, CVE-2018-12127, CVE-2018-12130,
                CVE-2019-11091

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:https://security.FreeBSD.org/>.

I.   Background

Modern processors make use of speculative execution, an optimization
technique which performs some action in advance of knowing whether the
result will actually be used.

II.  Problem Description

On some Intel processors utilizing speculative execution a local process may
be able to infer stale information from microarchitectural buffers to obtain
a memory disclosure.

III. Impact

An attacker may be able to read secret data from the kernel or from a
process when executing untrusted code (for example, in a web browser).

IV.  Workaround

No workaround is available.

Systems with users or processors in different trust domains should disable
Hyper-Threading by setting the machdep.hyperthreading_allowed tunable to 0:

# echo 'machdep.hyperthreading_allowed=0' >> /boot/loader.conf
# shutdown

V.   Solution

Perform one of the following:

Update CPU microcode, upgrade your vulnerable system to a supported FreeBSD
stable or release / security branch (releng) dated after the correction date,
evaluate mitigation and Hyper Threading controls, and reboot the system.

New CPU microcode may be available in a BIOS update from your system vendor,
or by installing the devcpu-data package or sysutils/devcpu-data port.
Ensure that the BIOS update or devcpu-data package is dated after 2019-05-14.

If using the package or port the microcode update can be applied at boot time
by adding the following lines to the system's /boot/loader.conf:

cpu_microcode_load="YES"
cpu_microcode_name="/boot/firmware/intel-ucode.bin"

Microcode updates can also be applied while the system is running.  See
cpucontrol(8) for details.

1) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

Follow additional details under "Mitigation Configuration" below.

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 12.0-STABLE]
# fetch https://security.FreeBSD.org/patches/SA-19:07/mds.12-stable.patch
# fetch https://security.FreeBSD.org/patches/SA-19:07/mds.12-stable.patch.asc
# gpg --verify mds.12-stable.patch.asc

[FreeBSD 12.0-RELEASE]
# fetch https://security.FreeBSD.org/patches/SA-19:07/mds.12.0.patch
# fetch https://security.FreeBSD.org/patches/SA-19:07/mds.12.0.patch.asc
# gpg --verify mds.12.0.patch.asc

[FreeBSD 11.3-PRERELEASE]
# fetch https://security.FreeBSD.org/patches/SA-19:07/mds.11-stable.patch
# fetch https://security.FreeBSD.org/patches/SA-19:07/mds.11-stable.patch.asc
# gpg --verify mds.11-stable.patch.asc

[FreeBSD 11.2-RELEASE]
# fetch https://security.FreeBSD.org/patches/SA-19:07/mds.11.2.patch
# fetch https://security.FreeBSD.org/patches/SA-19:07/mds.11.2.patch.asc
# gpg --verify mds.11.2.patch.asc

b) Apply the patch.  Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
<URL:https://www.FreeBSD.org/handbook/kernelconfig.html>.

Mitigation Configuration

Systems with users, processes, or virtual machines in different trust
domains should disable Hyper-Threading by setting the
machdep.hyperthreading_allowed tunable to 0:

# echo machdep.hyperthreading_allowed=0 >> /boot/loader.conf

To activate the MDS mitigation set the hw.mds_disable sysctl.  The settings
are:

0 - mitigation disabled
1 - VERW instruction (microcode) mitigation enabled
2 - Software sequence mitigation enabled (not recommended)
3 - Automatic VERW or Software selection

Automatic mode uses the VERW instruction if supported by the CPU / microcode,
or 
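Once the kernel update, microcode and loader tunables are in place, the question an operator has is whether the host is actually mitigated. The following is an added check and not part of the FreeBSD advisory: it parses `sysctl`-style output and evaluates the hw.mds_disable and machdep.hyperthreading_allowed settings described above together with hw.model and the hw.mds_disable_state string that patched kernels report (that sysctl, and the meaning given here to its "inactive" value, are this example's assumptions, not text from the advisory). The sample sysctl output is constructed.

```python
"""Added example: MDS mitigation posture check over sysctl(8) values.
Not FreeBSD code. Assumes a patched kernel exposes hw.mds_disable (int,
0-3 as listed in the advisory) and hw.mds_disable_state (string, e.g.
"inactive" or "VERW"); the sample output below is constructed."""
import re


def parse_sysctl(text):
    """Turn `sysctl -a`-style 'name: value' lines into a dict."""
    out = {}
    for line in text.splitlines():
        m = re.match(r"^\s*([\w.]+):\s*(.*?)\s*$", line)
        if m:
            out[m.group(1)] = m.group(2)
    return out


def mds_posture(sysctls, multi_tenant):
    """Return (ok, findings) for one host.

    multi_tenant: users, processes or VMs from different trust domains
    share the CPU, which is the case where the advisory tells you to
    disable Hyper-Threading as well."""
    findings = []
    model = sysctls.get("hw.model", "")
    if "Intel" not in model:
        # The advisory scopes MDS to Intel x86 processors.
        return True, ["non-Intel CPU (%s): not affected by MDS" % (model or "unknown")]

    try:
        disable = int(sysctls.get("hw.mds_disable", "0"))
    except ValueError:
        disable = 0
    state = sysctls.get("hw.mds_disable_state", "")

    if disable == 0:
        findings.append("hw.mds_disable=0: MDS mitigation is off")
    elif disable == 2:
        findings.append("hw.mds_disable=2: software sequence selected; "
                        "the advisory does not recommend it")
    if disable in (1, 3) and state == "inactive":
        # Assumption: 'inactive' means no mitigation handler engaged, which
        # on an affected part points at microcode without the VERW support.
        findings.append("mitigation requested but hw.mds_disable_state is "
                        "'inactive': install microcode dated after 2019-05-14 "
                        "(devcpu-data or BIOS) and reboot")

    ht_allowed = sysctls.get("machdep.hyperthreading_allowed", "1") != "0"
    if multi_tenant and ht_allowed:
        # VERW clears the buffers at privilege transitions; it does not
        # protect against a sibling hyper-thread in another trust domain.
        findings.append("machdep.hyperthreading_allowed!=0 on a multi-tenant "
                        "host: set it to 0 in /boot/loader.conf and reboot")

    return not findings, findings


# Constructed sample: mitigation set to automatic, but the state shows no
# handler engaged and SMT is still enabled.
SAMPLE = """
hw.model: Intel(R) Xeon(R) CPU E5-2680 v4 @ 2.40GHz
hw.ncpu: 56
hw.mds_disable: 3
hw.mds_disable_state: inactive
machdep.hyperthreading_allowed: 1
"""

if __name__ == "__main__":
    ok, findings = mds_posture(parse_sysctl(SAMPLE), multi_tenant=True)
    print("ok:", ok)
    for f in findings:
        print(" -", f)
```

On a real host, feed it `sysctl hw.model hw.mds_disable hw.mds_disable_state machdep.hyperthreading_allowed`; the point of checking the state string rather than only hw.mds_disable is that setting the tunable is not the same as the mitigation being active.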

FreeBSD Security Advisory FreeBSD-SA-19:05.pf

2019-05-15 Thread FreeBSD Security Advisories
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

=============================================================================
FreeBSD-SA-19:05.pf                                         Security Advisory
                                                          The FreeBSD Project

Topic:          IPv6 fragment reassembly panic in pf(4)

Category:       contrib
Module:         pf
Announced:      2019-05-14
Credits:        Synacktiv
Affects:        All supported versions of FreeBSD
Corrected:      2019-03-01 18:12:05 UTC (stable/12, 12.0-STABLE)
                2019-05-14 23:10:21 UTC (releng/12.0, 12.0-RELEASE-p4)
                2019-03-01 18:12:07 UTC (stable/11, 11.3-PRERELEASE)
                2019-05-14 23:10:21 UTC (releng/11.2, 11.2-RELEASE-p10)
CVE Name:       CVE-2019-5597

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:https://security.FreeBSD.org/>.

I.   Background

pf(4) is an Internet Protocol packet filter originally written for OpenBSD.
In addition to filtering packets, it also has packet normalization
capabilities.

II.  Problem Description

A bug in the pf(4) IPv6 fragment reassembly logic incorrectly uses the last
extension header offset from the last received packet instead of from the
first packet.

III. Impact

Malicious IPv6 packets with different IPv6 extensions could cause a kernel
panic or potentially a filtering rule bypass.

IV.  Workaround

Only systems using the pf(4) firewall that include packet scrubbing (the
recommended 'scrub all in' or a similar rule) are affected.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.
Afterwards, reboot the system.

2) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

Afterwards, reboot the system.

3) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch https://security.FreeBSD.org/patches/SA-19:05/pf.patch
# fetch https://security.FreeBSD.org/patches/SA-19:05/pf.patch.asc
# gpg --verify pf.patch.asc

b) Apply the patch.  Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
system.

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                      Revision
- -------------------------------------------------------------------------
stable/12/                                                        r344706
releng/12.0/                                                      r347591
stable/11/                                                        r344707
releng/11.2/                                                      r347591
- -------------------------------------------------------------------------

To see which files were modified by a particular revision, run the
following command, replacing NN with the revision number, on a
machine with Subversion installed:

# svn diff -cNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NN with the revision number:

<URL:https://svnweb.freebsd.org/base?view=revision&revision=NN>

VII. References

<URL:https://www.synacktiv.com/ressources/Synacktiv_OpenBSD_PacketFilter_CVE-2019-5597_ipv6_frag.pdf>

<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5597>

The latest revision of this advisory is available at
<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-19:05.pf.asc>
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----


[SECURITY] [DSA 4447-1] intel-microcode security update

2019-05-15 Thread Moritz Muehlenhoff
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4447-1                   secur...@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
May 15, 2019                          https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : intel-microcode
CVE ID         : CVE-2018-12126 CVE-2018-12127 CVE-2018-12130
                 CVE-2019-11091

This update ships updated CPU microcode for most types of Intel CPUs. It
provides mitigations for the MSBDS, MFBDS, MLPDS and MDSUM hardware
vulnerabilities.

To fully resolve these vulnerabilities it is also necessary to update
the Linux kernel packages as released in DSA .

For the stable distribution (stretch), these problems have been fixed in
version 3.20190514.1~deb9u1.

We recommend that you upgrade your intel-microcode packages.

For the detailed security status of intel-microcode please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/intel-microcode

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----



FreeBSD Security Advisory FreeBSD-SA-19:06.pf

2019-05-15 Thread FreeBSD Security Advisories
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

=============================================================================
FreeBSD-SA-19:06.pf                                         Security Advisory
                                                          The FreeBSD Project

Topic:          ICMP/ICMP6 packet filter bypass in pf

Category:       contrib
Module:         pf
Announced:      2019-05-14
Credits:        Synacktiv
Affects:        All supported versions of FreeBSD
Corrected:      2019-03-21 14:17:10 UTC (stable/12, 12.0-STABLE)
                2019-05-14 23:12:22 UTC (releng/12.0, 12.0-RELEASE-p4)
                2019-03-21 14:17:12 UTC (stable/11, 11.3-PRERELEASE)
                2019-05-14 23:12:22 UTC (releng/11.2, 11.2-RELEASE-p10)
CVE Name:       CVE-2019-5598

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:https://security.FreeBSD.org/>.

I.   Background

pf(4) is an Internet Protocol packet filter originally written for OpenBSD.
In addition to filtering packets, it also has packet normalization
capabilities.

II.  Problem Description

States in pf(4) let ICMP and ICMP6 packets pass if they have a packet in
their payload matching an existing condition.  pf(4) does not check if the
outer ICMP or ICMP6 packet has the same destination IP as the source IP of
the inner protocol packet.

III. Impact

A maliciously crafted ICMP/ICMP6 packet could bypass the packet filter rules
and be passed to a host that would otherwise be unavailable.
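The missing check is easiest to see on a concrete packet. The following is an added model of the state-matching step for ICMP errors, not FreeBSD or pf code: it builds a constructed ICMP "destination unreachable" message that quotes a real UDP flow, then runs it through a pre-fix matcher (quoted flow matches a state, so pass) and a post-fix matcher (additionally require that the outer packet is addressed to the host that sent the quoted packet). The helper names and the 10.0.0.0/24, 198.51.100.0/24 and 203.0.113.0/24 addresses are made up for the illustration; IPv4 is shown, and the advisory's ICMP6 case is the same logic over IPv6 headers.

```python
"""Added example: state matching for ICMP error messages, before and after
the check the advisory describes. Illustrative Python, not pf(4) code; the
packet below is constructed with struct and the addresses are invented."""
import struct
from ipaddress import IPv4Address

ICMP, UDP = 1, 17


def ipv4_header(src, dst, proto, payload_len, ttl=64):
    """Minimal 20-byte IPv4 header (checksum left zero; pf's check is not about it)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
                       IPv4Address(src).packed, IPv4Address(dst).packed)


def udp_header(sport, dport, payload_len):
    return struct.pack("!HHHH", sport, dport, 8 + payload_len, 0)


def icmp_unreachable(outer_src, outer_dst, quoted_src, quoted_dst, sport, dport):
    """ICMP type 3 code 1 (host unreachable) quoting the IPv4+UDP header of the
    datagram that could not be delivered, as a router would generate it."""
    quoted = ipv4_header(quoted_src, quoted_dst, UDP, 8) + udp_header(sport, dport, 0)
    icmp = struct.pack("!BBHI", 3, 1, 0, 0) + quoted
    return ipv4_header(outer_src, outer_dst, ICMP, len(icmp)) + icmp


def parse_ipv4(pkt):
    """Return (proto, src, dst, payload) of an IPv4 packet."""
    ihl = (pkt[0] & 0x0F) * 4
    return pkt[9], str(IPv4Address(pkt[12:16])), str(IPv4Address(pkt[16:20])), pkt[ihl:]


def inner_flow(icmp_payload):
    """The (proto, src, sport, dst, dport) of the packet quoted inside an ICMP
    error, i.e. the flow the error claims to be about."""
    proto, src, dst, l4 = parse_ipv4(icmp_payload[8:])   # skip the 8-byte ICMP header
    sport, dport = struct.unpack("!HH", l4[:4])
    return proto, src, sport, dst, dport


def vulnerable_pass_icmp(pkt, states):
    """Pre-fix: pass the ICMP error if the quoted packet matches an existing
    state, without looking at where the outer packet is going."""
    proto, _outer_src, _outer_dst, payload = parse_ipv4(pkt)
    if proto != ICMP:
        return False
    return inner_flow(payload) in states


def fixed_pass_icmp(pkt, states):
    """Post-fix: the error must also be addressed to the host that sent the
    quoted packet (outer destination == inner source)."""
    proto, _outer_src, outer_dst, payload = parse_ipv4(pkt)
    if proto != ICMP:
        return False
    flow = inner_flow(payload)
    inner_src = flow[1]
    return flow in states and outer_dst == inner_src


# Constructed state table: one internal host has an outbound DNS flow.
STATES = {(UDP, "10.0.0.5", 40000, "203.0.113.7", 53)}

# Legitimate error: a router tells 10.0.0.5 that 203.0.113.7 is unreachable.
LEGIT = icmp_unreachable("198.51.100.1", "10.0.0.5", "10.0.0.5", "203.0.113.7", 40000, 53)

# Crafted error: the same quoted flow, but the outer packet targets 10.0.0.9,
# a host with no state that should not be reachable from outside.
CRAFTED = icmp_unreachable("198.51.100.1", "10.0.0.9", "10.0.0.5", "203.0.113.7", 40000, 53)

if __name__ == "__main__":
    print("crafted, pre-fix :", vulnerable_pass_icmp(CRAFTED, STATES))   # True  (bypass)
    print("crafted, post-fix:", fixed_pass_icmp(CRAFTED, STATES))        # False (dropped)
```

The quoted header is attacker-controlled bytes; an existing state proves only that the inner flow exists, not that the outer packet belongs to it. Tying the outer destination to the inner source is what removes the ability to reach an arbitrary host behind the filter.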

IV.  Workaround

No workaround is available.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.
Afterwards, reboot the system.

2) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

Afterwards, reboot the system.

3) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch https://security.FreeBSD.org/patches/SA-19:06/pf.patch
# fetch https://security.FreeBSD.org/patches/SA-19:06/pf.patch.asc
# gpg --verify pf.patch.asc

b) Apply the patch.  Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
system.

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                      Revision
- -------------------------------------------------------------------------
stable/12/                                                        r345377
releng/12.0/                                                      r347593
stable/11/                                                        r345378
releng/11.2/                                                      r347593
- -------------------------------------------------------------------------

To see which files were modified by a particular revision, run the
following command, replacing NN with the revision number, on a
machine with Subversion installed:

# svn diff -cNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NN with the revision number:

<URL:https://svnweb.freebsd.org/base?view=revision&revision=NN>

VII. References

<URL:https://www.synacktiv.com/posts/systems/icmp-reachable.html>

<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5598>

The latest revision of this advisory is available at
<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-19:06.pf.asc>
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----


FreeBSD Security Advisory FreeBSD-SA-19:03.wpa

2019-05-15 Thread FreeBSD Security Advisories
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

=============================================================================
FreeBSD-SA-19:03.wpa                                        Security Advisory
                                                          The FreeBSD Project

Topic:          Multiple vulnerabilities in hostapd and wpa_supplicant

Category:       contrib
Module:         wpa
Announced:      2019-05-14
Affects:        All supported versions of FreeBSD.
Corrected:      2019-05-01 01:42:38 UTC (stable/12, 12.0-STABLE)
                2019-05-14 22:57:29 UTC (releng/12.0, 12.0-RELEASE-p4)
                2019-05-01 01:43:17 UTC (stable/11, 11.2-STABLE)
                2019-05-14 22:59:32 UTC (releng/11.2, 11.2-RELEASE-p10)
CVE Name:       CVE-2019-9494, CVE-2019-9495, CVE-2019-9496, CVE-2019-9497,
                CVE-2019-9498, CVE-2019-9499, CVE-2019-11555

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:https://security.FreeBSD.org/>.

I.   Background

Wi-Fi Protected Access II (WPA2) is a security protocol developed by the
Wi-Fi Alliance to secure wireless computer networks.

hostapd(8) and wpa_supplicant(8) are user-space daemons for access points and
wireless clients, respectively, that implement the WPA2 protocol.

II.  Problem Description

Multiple vulnerabilities exist in the hostapd(8) and wpa_supplicant(8)
implementations.  For more details, please see the reference URLs in the
References section below.

III. Impact

Security of the wireless network may be compromised.  For more details,
please see the reference URLS in the References section below.

IV.  Workaround

No workaround is available, but systems not using hostapd(8) or
wpa_supplicant(8) are not affected.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.

Afterwards, restart hostapd(8) or wpa_supplicant(8).

2) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

Afterwards, restart hostapd(8) or wpa_supplicant(8).

3) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 12.0]
# fetch https://security.FreeBSD.org/patches/SA-19:03/wpa-12.patch
# fetch https://security.FreeBSD.org/patches/SA-19:03/wpa-12.patch.asc
# gpg --verify wpa-12.patch.asc

[FreeBSD 11.2]
# fetch https://security.FreeBSD.org/patches/SA-19:03/wpa-11.patch
# fetch https://security.FreeBSD.org/patches/SA-19:03/wpa-11.patch.asc
# gpg --verify wpa-11.patch.asc

b) Apply the patch.  Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile the operating system using buildworld and installworld as
described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.

Restart the applicable daemons, or reboot the system.

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                      Revision
- -------------------------------------------------------------------------
stable/12/                                                        r346980
releng/12.0/                                                      r347587
stable/11/                                                        r346981
releng/11.2/                                                      r347588
- -------------------------------------------------------------------------

To see which files were modified by a particular revision, run the
following command, replacing NN with the revision number, on a
machine with Subversion installed:

# svn diff -cNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NN with the revision number:

<URL:https://svnweb.freebsd.org/base?view=revision&revision=NN>

VII. References

<URL:https://w1.fi/security/2019-1>
<URL:https://w1.fi/security/2019-2>
<URL:https://w1.fi/security/2019-3>
<URL:https://w1.fi/security/2019-4>
<URL:https://w1.fi/security/2019-5>

<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9494>
<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9495>
<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9496>
<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9497>
<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9498>
<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9499>
<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11555>

The latest revision of this advisory is available at

FreeBSD Security Advisory FreeBSD-SA-19:04.ntp

2019-05-15 Thread FreeBSD Security Advisories
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

=============================================================================
FreeBSD-SA-19:04.ntp                                        Security Advisory
                                                          The FreeBSD Project

Topic:          Authenticated denial of service in ntpd

Category:       contrib
Module:         ntp
Announced:      2019-05-14
Credits:        Magnus Stubman
Affects:        All supported versions of FreeBSD
Corrected:      2019-03-07 13:45:36 UTC (stable/12, 12.0-STABLE)
                2019-05-14 23:02:56 UTC (releng/12.0, 12.0-RELEASE-p4)
                2019-03-07 13:45:36 UTC (stable/11, 11.3-PRERELEASE)
                2019-05-14 23:06:26 UTC (releng/11.2, 11.2-RELEASE-p10)
CVE Name:       CVE-2019-8936

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:https://security.FreeBSD.org/>.

I.   Background

The ntpd(8) daemon is an implementation of the Network Time Protocol
(NTP) used to synchronize the time of a computer system to a reference
time source.  The ntpd(8) daemon uses a protocol called mode 6 to both get
status information from the running ntpd(8) daemon and configure it on the
fly.  This protocol is typically used by the ntpq(8) program, among others.

II.  Problem Description

A crafted malicious authenticated mode 6 packet from a permitted network
address can trigger a NULL pointer dereference.

Note for this attack to work, the sending system must be on an address from
which the target ntpd(8) accepts mode 6 packets, and must use a private key
that is specifically listed as being used for mode 6 authorization.

III. Impact

The ntpd daemon can crash due to the NULL pointer dereference, causing a
denial of service.

IV.  Workaround

Use 'restrict noquery' in the ntpd configuration to limit addresses that
can send mode 6 queries.
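An added check for the workaround above, not part of the advisory: it lists every `restrict` entry in an ntp.conf that still lacks `noquery`, so an administrator can see which address ranges may still send mode 6 queries. The sample configurations written by `write_samples` are constructed here for offline use; the check covers only the address side of the precondition, not which keys are trusted for mode 6.

```shell
#!/bin/sh
# Added example (not from the FreeBSD advisory): report 'restrict' entries in an
# ntp.conf that permit mode 6 queries, i.e. those without the 'noquery' flag.
# Usage: ntp_query_exposed /etc/ntp.conf
# Prints one offending entry per line; returns 0 if at least one was found,
# 1 if every restrict line carries noquery.
ntp_query_exposed() {
    awk '
        # strip comments and skip blank lines
        { sub(/#.*/, ""); if ($0 ~ /^[[:space:]]*$/) next }
        $1 == "restrict" {
            exposed = 1
            for (i = 2; i <= NF; i++) if ($i == "noquery") exposed = 0
            if (exposed) { print; found = 1 }
        }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# Constructed samples: the first config leaves mode 6 reachable from any
# address; the second applies the "restrict ... noquery" workaround.
write_samples() {
    cat > "$1" <<'EOF'
server 0.pool.ntp.org iburst
restrict default kod nomodify notrap nopeer   # no noquery: mode 6 open
restrict 127.0.0.1
restrict ::1
EOF
    cat > "$2" <<'EOF'
server 0.pool.ntp.org iburst
restrict default kod nomodify notrap nopeer noquery
restrict 127.0.0.1 noquery
restrict ::1 noquery
EOF
}

if [ "${1:-}" = "--demo" ]; then
    write_samples /tmp/ntp-open.conf /tmp/ntp-hardened.conf
    ntp_query_exposed /tmp/ntp-open.conf && echo "open config exposes mode 6"
    ntp_query_exposed /tmp/ntp-hardened.conf || echo "hardened config: every restrict line carries noquery"
fi
```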

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.

2) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

Afterwards, restart the ntpd service:

# service ntpd restart

3) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 12.0]
# fetch https://security.FreeBSD.org/patches/SA-19:04/ntp.patch
# fetch https://security.FreeBSD.org/patches/SA-19:04/ntp.patch.asc
# gpg --verify ntp.patch.asc

[FreeBSD 11.2-RELEASE/11.3-PRERELEASE]
# fetch https://security.FreeBSD.org/patches/SA-19:04/ntp-11.2.patch
# fetch https://security.FreeBSD.org/patches/SA-19:04/ntp-11.2.patch.asc
# gpg --verify ntp-11.2.patch.asc

b) Apply the patch.  Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile the operating system using buildworld and installworld as
described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.

Restart the ntpd service, or reboot the system.

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                      Revision
- -------------------------------------------------------------------------
stable/12/                                                        r344884
releng/12.0/                                                      r347589
stable/11/                                                        r344884
releng/11.2/                                                      r347590
- -------------------------------------------------------------------------

To see which files were modified by a particular revision, run the
following command, replacing NN with the revision number, on a
machine with Subversion installed:

# svn diff -cNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NN with the revision number:

<URL:https://svnweb.freebsd.org/base?view=revision&revision=NN>

VII. References

http://support.ntp.org/bin/view/Main/SecurityNotice#March_2019_ntp_4_2_8p13_NTP_Rele>

<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8936>

The latest revision of this advisory is available at
<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-19:04.ntp.asc>

[SECURITY] [DSA 4446-1] lemonldap-ng security update

2019-05-15 Thread Moritz Muehlenhoff
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4446-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
May 14, 2019                          https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package: lemonldap-ng
CVE ID : CVE-2019-12046

It was discovered that the Lemonldap::NG web SSO system performed
insufficient validation of session tokens if the "tokenUseGlobalStorage"
option is enabled, which could grant users with access to the main
session database access to an anonymous session.

For the stable distribution (stretch), this problem has been fixed in
version 1.9.7-3+deb9u1.

We recommend that you upgrade your lemonldap-ng packages.

For the detailed security status of lemonldap-ng please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/lemonldap-ng

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org



[SECURITY] [DSA 4444-1] linux security update

2019-05-15 Thread Salvatore Bonaccorso
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4444-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
May 14, 2019                          https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package: linux
CVE ID : CVE-2018-12126 CVE-2018-12127 CVE-2018-12130 CVE-2019-11091
Debian Bug : 928125

Multiple researchers have discovered vulnerabilities in the way the
Intel processor designs have implemented speculative forwarding of data
filled into temporary microarchitectural structures (buffers). This
flaw could allow an attacker controlling an unprivileged process to
read sensitive information, including from the kernel and all other
processes running on the system or cross guest/host boundaries to read
host memory.

See https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/mds.html
for more details.

To fully resolve these vulnerabilities it is also necessary to install
updated CPU microcode. An updated intel-microcode package (only
available in Debian non-free) will be provided via a separate DSA. The
updated CPU microcode may also be available as part of a system firmware
("BIOS") update.
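An added helper, not part of the Debian advisory, for checking whether a Linux host has both halves of the MDS fix the paragraph above describes (kernel update plus microcode): it classifies the status string the kernel exposes in /sys/devices/system/cpu/vulnerabilities/mds, whose wording is taken from the kernel admin-guide page linked above. The demo strings are constructed, not captured from a real machine.

```shell
#!/bin/sh
# Added example (not from the Debian advisory): interpret the Linux MDS status
# string. Prints one of: not-affected, mitigated, needs-microcode, smt-exposed,
# smt-unknown, vulnerable, unknown. Returns 0 only for not-affected/mitigated.
mds_classify() {
    case "$1" in
        "Not affected")                                   echo not-affected;    return 0 ;;
        # kernel has the fix but the CPU lacks MD_CLEAR: install microcode
        "Vulnerable: Clear CPU buffers attempted, no microcode"*)
                                                          echo needs-microcode; return 1 ;;
        # buffers are cleared, but a sibling hyperthread can still observe them
        "Mitigation: Clear CPU buffers"*"SMT vulnerable"*) echo smt-exposed;    return 1 ;;
        # guest cannot tell whether the host has SMT enabled
        "Mitigation: Clear CPU buffers"*"SMT Host state unknown"*)
                                                          echo smt-unknown;     return 1 ;;
        "Mitigation: Clear CPU buffers"*)                 echo mitigated;       return 0 ;;
        Vulnerable*)                                      echo vulnerable;      return 1 ;;
        *)                                                echo unknown;         return 1 ;;
    esac
}

# Read the live status on a Linux host; the sysfs file is absent elsewhere.
mds_status_file=/sys/devices/system/cpu/vulnerabilities/mds
mds_check_host() {
    if [ -r "$mds_status_file" ]; then
        mds_classify "$(cat "$mds_status_file")"
    else
        echo unknown
        return 1
    fi
}

# Constructed sample strings in the shapes the kernel documentation describes.
if [ "${1:-}" = "--demo" ]; then
    for s in "Not affected" \
             "Vulnerable: Clear CPU buffers attempted, no microcode; SMT vulnerable" \
             "Mitigation: Clear CPU buffers; SMT vulnerable" \
             "Mitigation: Clear CPU buffers; SMT disabled"; do
        printf '%-72s -> %s\n' "$s" "$(mds_classify "$s")"
    done
fi
```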

In addition, this update includes a fix for a regression causing
deadlocks inside the loopback driver, which was introduced by the update
to 4.9.168 in the last Stretch point release.

For the stable distribution (stretch), these problems have been fixed in
version 4.9.168-1+deb9u2.

We recommend that you upgrade your linux packages.

For the detailed security status of linux please refer to its security
tracker page at:
https://security-tracker.debian.org/tracker/linux

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org



[SECURITY] [DSA 4445-1] drupal7 security update

2019-05-15 Thread Moritz Muehlenhoff
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4445-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
May 14, 2019                          https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package: drupal7
CVE ID : CVE-2019-11831

It was discovered that incomplete validation in a Phar processing
library embedded in Drupal, a fully-featured content management
framework, could result in information disclosure.

For additional information, please refer to the upstream advisory
at https://www.drupal.org/sa-core-2019-007.

For the stable distribution (stretch), this problem has been fixed in
version 7.52-2+deb9u9.

We recommend that you upgrade your drupal7 packages.

For the detailed security status of drupal7 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/drupal7

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org