[SECURITY] [DLA 1720-1] liblivemedia security update

2019-03-18 Thread Hugo Lefeuvre

Package: liblivemedia
Version: 2014.01.13-1+deb8u3
CVE ID : CVE-2019-9215
Debian Bug : 924655

It was discovered that liblivemedia, the LIVE555 RTSP server library,
is vulnerable to an invalid memory access when processing the
Authorization header field. Remote attackers could leverage this
vulnerability to possibly trigger code execution or denial of service
(OOB access and application crash) via a crafted HTTP header.

For Debian 8 "Jessie", this problem has been fixed in version
2014.01.13-1+deb8u3.

We recommend that you upgrade your liblivemedia packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



Accepted libjpeg-turbo 1:1.3.1-12+deb8u2 (source all amd64) into oldstable

2019-03-18 Thread Chris Lamb

Format: 1.8
Date: Mon, 18 Mar 2019 14:45:00 -0400
Source: libjpeg-turbo
Binary: libjpeg-dev libjpeg62-turbo-dev libjpeg62-turbo libjpeg62-turbo-dbg libturbojpeg1 libturbojpeg1-dbg libturbojpeg1-dev libjpeg-turbo-progs libjpeg-turbo-progs-dbg
Architecture: source all amd64
Version: 1:1.3.1-12+deb8u2
Distribution: jessie-security
Urgency: high
Maintainer: Ondřej Surý
Changed-By: Chris Lamb
Description:
 libjpeg-dev - Development files for the JPEG library [dummy package]
 libjpeg-turbo-progs - Programs for manipulating JPEG files
 libjpeg-turbo-progs-dbg - Programs for manipulating JPEG files (debugging symbols)
 libjpeg62-turbo - libjpeg-turbo JPEG runtime library
 libjpeg62-turbo-dbg - Debugging symbols for the libjpeg-turbo JPEG library
 libjpeg62-turbo-dev - Development files for the libjpeg-turbo JPEG library
 libturbojpeg1 - TurboJPEG runtime library - SIMD optimized
 libturbojpeg1-dbg - TurboJPEG runtime library - SIMD optimized (debugging symbols)
 libturbojpeg1-dev - Development files for the TurboJPEG library
Closes: 924678
Changes:
 libjpeg-turbo (1:1.3.1-12+deb8u2) jessie-security; urgency=high
 .
   * CVE-2018-14498: Fix a denial of service vulnerability via a heap-based
     buffer overread that could be triggered by a specially-crafted bitmap
     file. (Closes: #924678)
 

[SECURITY] [DLA 1719-1] libjpeg-turbo security update

2019-03-18 Thread Chris Lamb

Package: libjpeg-turbo
Version: 1:1.3.1-12+deb8u2
CVE ID : CVE-2018-14498
Debian Bug : #924678

It was discovered that there was a denial of service vulnerability in
the libjpeg-turbo CPU-optimised JPEG image library. A heap-based
buffer over-read could be triggered by a specially-crafted bitmap
(BMP) file.

For Debian 8 "Jessie", this issue has been fixed in libjpeg-turbo
version 1:1.3.1-12+deb8u2.

We recommend that you upgrade your libjpeg-turbo packages.


Regards,

-- 
  ,''`.
 : :'  : Chris Lamb
 `. `'`  la...@debian.org / chris-lamb.co.uk
   `-




Accepted liblivemedia 2014.01.13-1+deb8u3 (source amd64) into oldstable

2019-03-18 Thread Hugo Lefeuvre

Format: 1.8
Date: Mon, 18 Mar 2019 09:18:27 +0100
Source: liblivemedia
Binary: liblivemedia-dev libbasicusageenvironment0 libgroupsock1 liblivemedia23 libusageenvironment1 livemedia-utils
Architecture: source amd64
Version: 2014.01.13-1+deb8u3
Distribution: jessie-security
Urgency: high
Maintainer: Debian Multimedia Maintainers
Changed-By: Hugo Lefeuvre
Description:
 libbasicusageenvironment0 - multimedia RTSP streaming library (BasicUsageEnvironment class)
 libgroupsock1 - multimedia RTSP streaming library (network interfaces and sockets
 liblivemedia-dev - multimedia RTSP streaming library (development files)
 liblivemedia23 - multimedia RTSP streaming library
 libusageenvironment1 - multimedia RTSP streaming library (UsageEnvironment classes)
 livemedia-utils - multimedia RTSP streaming tools
Changes:
 liblivemedia (2014.01.13-1+deb8u3) jessie-security; urgency=high
 .
   * Non-maintainer upload by the LTS Team.
   * CVE-2019-9215: malformed headers lead to invalid memory access
     in the parseAuthorizationHeader function.




Re: DLAs in the website: some updates and issues

2019-03-18 Thread Sylvain Beucler
Hi,

On Thu, Mar 07, 2019 at 08:02:18PM +0100, Laura Arjona Reina wrote:
> On 5/3/19 at 16:07, Markus Koschany wrote:
> > thank you for your work on our website. Ideally we would like to make
> > the whole process fully automatic without the need for any manual
> > interaction. 
> 
> This is being discussed in #859123: automate import of DLAs and DSAs in
> www.debian.org
> 
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=859123
> 
> In particular, I think this message from Lev Lamberov is relevant:
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=859123#20
> 
> > Can you tell us more about the current work flow of our DSA
> > announcements on the front page? 
> 
> DSAs are manually imported by a web team member or a security team
> member, using the parse_advisory.pl script.
> 
> > Does someone from the webteam review
> > the generation by hand? 
> 
> Usually yes, but also, as it is noted in Lev's message, I think the
> format of DSA is more standard.

I had a look at parse-dla.pl / parse-advisory.pl, and let's face it:
it's a bunch of ad-hoc regexps that happen to work. Most of the time.

I couldn't find a satisfying way to fix the trailing 
recurring bug.


> > I'm sure we can improve the current parse-dla.pl
> > script and fix those markup bugs. We also thought about downloading the
> > announcements from  https://lists.debian.org/debian-lts-announce/ and
> > then create the DLA on the web page automatically. Is this a viable plan?
> > 
> 
> I don't know.
> 
> I guess that if the security team does not do that already it's probably
> because of a reason (or maybe because nobody in the web team could find
> the time+skills+motivation needed to make it possible...).

So the core issue is taking a text mail and automagically generating an
HTML equivalent.

Lev suggested 4 months ago that LTS and DebSec work on a common
mark-up format.  We could attempt to switch to MarkDown, but from
experience it breaks easily, especially wrt newlines.

Alternatively, a simple answer would be to keep the headers parsing
(Package/Version/CVE ID/Debian Bug) but import the free-form
description text verbatim as a monospace block (such as ).
i.e. stop coping with ul/li, just auto-link https://... bits.

I don't suggest merely linking the list archives, since AFAIU there is
demand for advisories translations (if there isn't, though, a link
would be enough IMHO).

What do you think?

Cheers!
Sylvain



[SECURITY] [DLA 1718-1] sqlalchemy security update

2019-03-18 Thread Sylvain Beucler

Package: sqlalchemy
Version: 0.9.8+dfsg-0.1+deb8u1
CVE ID : CVE-2019-7164 CVE-2019-7548
Debian Bug : 922669


Two vulnerabilities were discovered in SQLAlchemy, a Python SQL
Toolkit and Object Relational Mapper.

CVE-2019-7164

SQLAlchemy allows SQL Injection via the order_by parameter.

CVE-2019-7548

SQLAlchemy has SQL Injection when the group_by parameter can be controlled.

The SQLAlchemy project warns that these security fixes break the
seldom-used text coercion feature.

For Debian 8 "Jessie", these problems have been fixed in version
0.9.8+dfsg-0.1+deb8u1.

We recommend that you upgrade your sqlalchemy packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
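An added example, not part of the advisory or of SQLAlchemy: a small static audit that finds order_by() and group_by() calls receiving string arguments, which are both the calls that relied on the text coercion feature the fix breaks and the places where request data could reach SQL text. The sample source and the finding labels are constructed for illustration.

```python
import ast

# The two methods named in the advisory (CVE-2019-7164, CVE-2019-7548).
AUDITED_METHODS = {"order_by", "group_by"}


def _is_stringy(node):
    """True if the expression is visibly built from string literals."""
    if isinstance(node, ast.Constant):
        return isinstance(node.value, str)
    if isinstance(node, ast.JoinedStr):            # f"..."
        return True
    if isinstance(node, ast.BinOp):                # "a" + b, "%s" % b
        return _is_stringy(node.left) or _is_stringy(node.right)
    return False


def _classify(arg):
    """Label one call argument, or return None when it is not a string expression."""
    if isinstance(arg, ast.Constant) and isinstance(arg.value, str):
        # Fixed text: relies on string-to-SQL coercion, so it may stop working
        # after the upgrade even though no attacker input is involved.
        return "literal-string"
    if isinstance(arg, ast.JoinedStr):
        return "dynamic-string"
    if (isinstance(arg, ast.BinOp) and isinstance(arg.op, (ast.Add, ast.Mod))
            and _is_stringy(arg)):
        return "dynamic-string"
    if (isinstance(arg, ast.Call) and isinstance(arg.func, ast.Attribute)
            and arg.func.attr == "format" and _is_stringy(arg.func.value)):
        return "dynamic-string"
    # Plain variables cannot be typed statically and need manual review.
    return None


def audit_source(source, filename="<string>"):
    """Return sorted (line, method, kind) tuples for suspicious call arguments."""
    findings = []
    for node in ast.walk(ast.parse(source, filename=filename)):
        if not (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)):
            continue
        if node.func.attr not in AUDITED_METHODS:
            continue
        for arg in node.args:
            kind = _classify(arg)
            if kind:
                findings.append((arg.lineno, node.func.attr, kind))
    return sorted(findings)


# Constructed application code, used only as input to the audit.
SAMPLE = '''
def list_users(session, User, sort, direction):
    q = session.query(User)
    q = q.order_by(User.name)
    q = q.order_by("name desc")
    q = q.order_by(f"{sort} {direction}")
    q = q.group_by("users." + sort)
    q = q.order_by("%s asc" % sort)
    q = q.group_by("{}".format(sort))
    return q
'''

if __name__ == "__main__":
    for line, method, kind in audit_source(SAMPLE):
        print("line %d: %s() receives a %s" % (line, method, kind))
```

Calls flagged as dynamic-string are the ones to rewrite so that the sort or grouping key is looked up in a fixed mapping of column objects.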



Re: DLAs in the website: some updates and issues

2019-03-18 Thread Sylvain Beucler
Hi,

On 18/03/2019 09:55, Brian May wrote:
> Laura Arjona Reina  writes:
>
>> Other option is, instead of looking at the html code, doing
>>
>> make dla-123-1.en.html
>>
>> and open the resulting html file with a web browser.
> This command did not work for me, I had to use "make -C 2019
> dla-1716.en.html" instead.
>
> Which leads me to a 2nd point, after reading the wiki page
> 
> I was expecting a filename like:
>
> 2019/dla-1716-1.*
>
> but parse-dla.pl gave me instead:
>
> 2019/dla-1716.*
>
> I notice this seems to match the existing convention, so maybe this is
> an error in the wiki?
I confirm.

These instructions are pretty new. I made fixes a few weeks ago but I
overlooked this "-1".

Fixed the wiki page when testing for my work today :)

Cheers!
Sylvain



Accepted sqlalchemy 0.9.8+dfsg-0.1+deb8u1 (source all amd64) into oldstable

2019-03-18 Thread Sylvain Beucler

Format: 1.8
Date: Mon, 18 Mar 2019 13:37:16 +0100
Source: sqlalchemy
Binary: python-sqlalchemy python-sqlalchemy-ext python-sqlalchemy-doc python3-sqlalchemy python3-sqlalchemy-ext
Architecture: source all amd64
Version: 0.9.8+dfsg-0.1+deb8u1
Distribution: jessie-security
Urgency: high
Maintainer: Piotr Ożarowski
Changed-By: Sylvain Beucler
Description:
 python-sqlalchemy - SQL toolkit and Object Relational Mapper for Python
 python-sqlalchemy-doc - documentation for the SQLAlchemy Python library
 python-sqlalchemy-ext - SQL toolkit and Object Relational Mapper for Python - C extension
 python3-sqlalchemy - SQL toolkit and Object Relational Mapper for Python 3
 python3-sqlalchemy-ext - SQL toolkit and Object Relational Mapper for Python3 - C extensio
Changes:
 sqlalchemy (0.9.8+dfsg-0.1+deb8u1) jessie-security; urgency=high
 .
   * Non-maintainer upload by the Debian LTS Team.
   * Fix CVE-2019-7164 and CVE-2019-7548: SQL injection in order_by()
     and group_by().  Upstream warns that this breaks the seldom-used
     text coercion feature.




Re: DLAs in the website: some updates and issues

2019-03-18 Thread Brian May
Laura Arjona Reina  writes:

> Other option is, instead of looking at the html code, doing
>
> make dla-123-1.en.html
>
> and open the resulting html file with a web browser.

This command did not work for me, I had to use "make -C 2019
dla-1716.en.html" instead.

Which leads me to a 2nd point, after reading the wiki page

I was expecting a filename like:

2019/dla-1716-1.*

but parse-dla.pl gave me instead:

2019/dla-1716.*

I notice this seems to match the existing convention, so maybe this is
an error in the wiki?

Regards
-- 
Brian May 



[SECURITY] [DLA 1717-1] rdflib security update

2019-03-18 Thread Brian May

Package: rdflib
Version: 4.1.2-3+deb8u1
CVE ID : CVE-2019-7653
Debian Bug : #921751


The CLI tools in python-rdflib-tools can load python modules
found in the current directory. This happens because "python -m"
appends the current directory in the python path.

For Debian 8 "Jessie", this problem has been fixed in version
4.1.2-3+deb8u1.

We recommend that you upgrade your rdflib packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
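An added example, not part of the advisory or of the rdflib packaging: it launches a constructed probe module once with "python -m" and once as an installed script, from the same working directory, and reports whether that directory ends up on sys.path. The names probe_tool, cwd_is_importable and shadowing_candidates are hypothetical; the second helper lists files in a directory that would be imported in place of the modules a tool expects.

```python
import json
import os
import subprocess
import sys
import tempfile

# Constructed stand-in for a CLI tool: it only reports its import search path.
PROBE_SOURCE = "import json, sys\nprint(json.dumps(sys.path))\n"


def child_sys_path(argv, cwd, extra_env=None):
    """Run a child interpreter in `cwd` and return its normalised sys.path."""
    # Drop PYTHON* variables (PYTHONPATH, PYTHONSAFEPATH, ...) so that only the
    # launch style under test shapes sys.path.
    env = {k: v for k, v in os.environ.items() if not k.startswith("PYTHON")}
    env.update(extra_env or {})
    result = subprocess.run([sys.executable] + argv, cwd=cwd, env=env,
                            check=True, capture_output=True, text=True)
    # An empty entry means "current directory"; map it to cwd explicitly.
    return [os.path.realpath(entry or cwd) for entry in json.loads(result.stdout)]


def cwd_is_importable(tool_dir, work_dir):
    """Report, per launch style, whether work_dir is on the child's sys.path."""
    tool_dir = os.path.realpath(tool_dir)
    work_dir = os.path.realpath(work_dir)
    script = os.path.join(tool_dir, "probe_tool.py")
    with open(script, "w") as handle:
        handle.write(PROBE_SOURCE)
    # Wrapper style described in the advisory: python -m <module>.
    as_module = child_sys_path(["-m", "probe_tool"], work_dir,
                               {"PYTHONPATH": tool_dir})
    # Installed-script style: sys.path[0] is the script's own directory.
    as_script = child_sys_path([script], work_dir)
    return {"python -m": work_dir in as_module,
            "installed script": work_dir in as_script}


def shadowing_candidates(directory, imported_names):
    """List entries in `directory` that would shadow the given module names."""
    hits = []
    for name in imported_names:
        if os.path.isfile(os.path.join(directory, name + ".py")):
            hits.append(name + ".py")
        if os.path.isdir(os.path.join(directory, name)):
            hits.append(name)
    return sorted(hits)


def demo():
    with tempfile.TemporaryDirectory() as tool_dir, \
            tempfile.TemporaryDirectory() as work_dir:
        return cwd_is_importable(tool_dir, work_dir)


if __name__ == "__main__":
    for style, exposed in demo().items():
        print("%-17s working directory on sys.path: %s" % (style, exposed))
```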



Accepted rdflib 4.1.2-3+deb8u1 (source amd64 all) into oldstable

2019-03-18 Thread Brian May

Format: 1.8
Date: Fri, 08 Mar 2019 07:38:55 +1100
Source: rdflib
Binary: python-rdflib python3-rdflib python-rdflib-doc python-rdflib-tools
Architecture: source amd64 all
Version: 4.1.2-3+deb8u1
Distribution: jessie-security
Urgency: high
Maintainer: Christian M. Amsüss 
Changed-By: Brian May 
Description:
 python-rdflib - Python library containing an RDF triple store and RDF parsers/ser
 python-rdflib-doc - Python library containing an RDF triple store and RDF parsers/ser
 python-rdflib-tools - Python library containing an RDF triple store and RDF parsers/ser
 python3-rdflib - Python 3 library containing an RDF triple store and RDF parsers/s
Changes:
 rdflib (4.1.2-3+deb8u1) jessie-security; urgency=high
 .
   * Non-maintainer upload by the LTS Team.
   * CVE-2019-7653:  The Debian package had a custom wrapper that can load
     Python modules from the current working directory, allowing code injection.
     This is because "python -m" looks in this directory. This version uses the
     easy_install provided scripts instead of our custom scripts.
   * Remove html5lib and SPARQLWrapper from upstream install_requires, because
     this information was not checked with previous wrapper,
     these are only included for Python 2.7, and
     they are not listed in the depends header.




[SECURITY] [DLA 1716-1] ikiwiki security update

2019-03-18 Thread Brian May

Package: ikiwiki
Version: 3.20141016.4+deb8u1
CVE ID : CVE-2019-9187

The ikiwiki maintainers discovered that the aggregate plugin did not use
LWPx::ParanoidAgent. On sites where the aggregate plugin is enabled, authorized
wiki editors could tell ikiwiki to fetch potentially undesired URIs even if
LWPx::ParanoidAgent was installed:

* local files via file: URIs
* other URI schemes that might be misused by attackers, such as gopher:
* hosts that resolve to loopback IP addresses (127.x.x.x)
* hosts that resolve to RFC 1918 IP addresses (192.168.x.x etc.)

This could be used by an attacker to publish information that should not have
been accessible, cause denial of service by requesting "tarpit" URIs that are
slow to respond, or cause undesired side-effects if local web servers implement
"unsafe" GET requests. (CVE-2019-9187)

Additionally, if liblwpx-paranoidagent-perl is not installed, the
blogspam, openid and pinger plugins would fall back to LWP, which is
susceptible to similar attacks. This is unlikely to be a practical problem for
the blogspam plugin because the URL it requests is under the control of the
wiki administrator, but the openid plugin can request URLs controlled by
unauthenticated remote users, and the pinger plugin can request URLs controlled
by authorized wiki editors.

This is addressed in ikiwiki 3.20190228 as follows, with the same fixes
backported to Debian 9 in version 3.20170111.1:

* URI schemes other than http: and https: are not accepted, preventing access
  to file:, gopher:, etc.

* If a proxy is configured in the ikiwiki setup file, it is used for all
  outgoing http: and https: requests. In this case the proxy is responsible for
  blocking any requests that are undesired, including loopback or RFC 1918
  addresses.

* If a proxy is not configured, and liblwpx-paranoidagent-perl is installed, it
  will be used. This prevents loopback and RFC 1918 IP addresses, and sets a
  timeout to avoid denial of service via "tarpit" URIs.

* Otherwise, the ordinary LWP user-agent will be used. This allows requests to
  loopback and RFC 1918 IP addresses, and has less robust timeout behaviour.
  We are not treating this as a vulnerability: if this behaviour is not
  acceptable for your site, please make sure to install LWPx::ParanoidAgent or
  disable the affected plugins.

For Debian 8 "Jessie", this problem has been fixed in version
3.20141016.4+deb8u1.

We recommend that you upgrade your ikiwiki packages. In addition it is also
recommended that you have liblwpx-paranoidagent-perl installed, which is listed in
the recommends field of ikiwiki.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
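An added example, not part of the advisory and not ikiwiki's or LWPx::ParanoidAgent's Perl code: a Python model of the decision order the advisory lists (scheme allowlist, then proxy, then address filtering, then the unfiltered fallback). The function and constant names, the timeout value, the ::1 and IPv4-mapped handling, and the DNS table are assumptions made for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}

# Ranges the advisory names: loopback (127.x.x.x) and RFC 1918.
# ::1 is an addition here, as the IPv6 counterpart of loopback.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "::1/128")]

FETCH_TIMEOUT_SECONDS = 15   # assumed value; bounds time spent on "tarpit" URIs


def plan_fetch(url, resolve, proxy=None, filtering_agent=True):
    """Return (action, reason) for an outgoing request, in the advisory's order."""
    try:
        parts = urlsplit(url)
        host = parts.hostname
    except ValueError:
        return ("reject", "malformed URL")
    # 1. Only http: and https: are accepted (no file:, gopher:, ...).
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return ("reject", "scheme %r not allowed" % parts.scheme)
    if not host:
        return ("reject", "no host in URL")
    # 2. A configured proxy takes every request and owns the filtering.
    if proxy:
        return ("proxy", "filtering delegated to %s" % proxy)
    # 3. Without a filtering agent the request goes out unchecked.
    if not filtering_agent:
        return ("fetch-unfiltered", "loopback and RFC 1918 targets reachable")
    # 4. Filtering agent: every resolved address must be outside blocked ranges.
    addresses = resolve(host)
    if not addresses:
        return ("reject", "%s does not resolve" % host)
    for text in addresses:
        ip = ipaddress.ip_address(text)
        if ip.version == 6 and ip.ipv4_mapped is not None:
            ip = ip.ipv4_mapped          # treat ::ffff:a.b.c.d as a.b.c.d
        for net in BLOCKED_NETWORKS:
            if ip in net:
                return ("reject", "%s resolves to %s in %s" % (host, ip, net))
    # The connection must use the addresses checked here; a second DNS lookup
    # at connect time could return a different answer.
    return ("fetch", "timeout %ds" % FETCH_TIMEOUT_SECONDS)


# Constructed DNS answers (documentation and private ranges), used offline.
SAMPLE_DNS = {
    "feeds.example.org": ["203.0.113.10"],
    "intranet.example.org": ["192.168.1.20"],
    "mixed.example.org": ["203.0.113.10", "127.0.0.1"],
}


def sample_resolve(host):
    """Resolver stub: IP literals resolve to themselves, names via SAMPLE_DNS."""
    try:
        return [str(ipaddress.ip_address(host))]
    except ValueError:
        return SAMPLE_DNS.get(host, [])


if __name__ == "__main__":
    for url in ("file:///srv/wiki/private.txt", "gopher://feeds.example.org/",
                "http://127.0.0.1:8080/", "https://intranet.example.org/feed",
                "https://mixed.example.org/feed", "https://feeds.example.org/rss"):
        print("%-36s %s" % (url, plan_fetch(url, sample_resolve)))
```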



Accepted ikiwiki 3.20141016.4+deb8u1 (source all) into oldstable

2019-03-18 Thread Brian May

Format: 1.8
Date: Thu, 07 Mar 2019 17:35:55 +1100
Source: ikiwiki
Binary: ikiwiki
Architecture: source all
Version: 3.20141016.4+deb8u1
Distribution: jessie-security
Urgency: high
Maintainer: Simon McVittie 
Changed-By: Brian May 
Description:
 ikiwiki - a wiki compiler
Changes:
 ikiwiki (3.20141016.4+deb8u1) jessie-security; urgency=high
 .
   * Non-maintainer upload by the LTS Team.
   * CVE-2019-9187: Fix server-side request forgery via aggregate plugin.
