From: Jim Durham
To: freebsd-security@freebsd.org
Subject: IPSEC and gif interface after 4.4
Date: Sun, 10 Feb 2002 16:01:00 -0500
Message-Id: <200202102101.g1AL1C504585@w2xo.pgh.pa.us>

I pass this along to save someone else some head-banging like I did.

I missed this in the 4.4 release notes:

"Network device cloning has been implemented, and the gif(4) device has
been modified to take advantage of it. Thus, instead of specifying how
many gif(4) interfaces are available in kernel configuration files,
ifconfig(8)'s create option should be used when another device instance
is desired."

IPSEC uses a gif interface. I couldn't imagine why it wasn't there on my
4.4 systems. 'ifconfig gif0 create' makes it happen. Duh...

-Jim

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From: "Dennis Pedersen"
Subject: Re: Questions (Rants?) About IPSEC
Date: Sun, 10 Feb 2002 22:45:14 +0100
Message-ID: <00ce01c1b27c$39f08f40$0301a8c0@dpws>
References: <20020207163347.51C606B29@mail.cise.ufl.edu> <200202072142.g17LgDL69359@khavrinen.lcs.mit.edu>

----- Original Message -----
From: "Garrett Wollman"
To: "James F. Hranicky"
Sent: Thursday, February 07, 2002 10:42 PM
Subject: Questions (Rants?) About IPSEC

> > - Clients with dynamic IPs are poorly supported.
>
> That's what the `generate_policy' option in racoon is for.
>

Uhm do you have an example where that actually works?
On the 'net' list there was a post (Message-ID:
<20020130164813.N13412@vinyl.catpipe.net>) about it where generate_policy
didn't seem to work, and i couldn't see anything wrong with the example
(not that i'm any racoon guru i just trying to get it to work with clients
that have dynamic ip-addresses too ;))

Regards
Dennis

From: Bill Vermillion
To: security@FreeBSD.ORG
Subject: Re: Is the technique described in this article do-able with
Date: Sun, 10 Feb 2002 18:16:00 -0500
Message-ID: <20020210231559.GA2136@wjv.com>

> Date: Sat, 9 Feb 2002 01:31:08 -0800 (PST)
> From: "f.johan.beisser"
> Subject: Re: Is the technique described in this article do-able with
>
> On Sat, 9 Feb 2002, Andrew Kenneth Milton wrote:
> > | actually, if you're going that route, it's easier to strip
> > | the kernel down, lock everything nicely with a securelevel
> > | (read up in init(8) about this), and remount all of the drives
> > | read only. there's nothing preventing anyone from doing that.
> > | there's also nothing to prevent you from booting from a drive,
> > | and loading all the tools you need in to a ramdisk, and just
> > | using that..
> > | of course, this is going a bit more hardcore than most people
> > | want or would.
> > But saner than trying to get the box to partially halt d8)
> perhaps. i think it's a sane way to handle a firewall. if you're
> going to log it, you should be logging either to another machine
> or to a printer for hardcopy. better to do both, since the
> hardcopy is not really alterable. but this is not something for
> the home user..

Hardcopy is fairly hard to search with a text editor though :-)

If you worry about the logs being alterable - and you did suggest
logging to a second machine - then you have a real problem with
security I'd guess. You could always run chflags on the logging
machine to make the logs append only.
Wouldn't that take care of the problem of being alterable without
having to use hardcopy?

--
Bill Vermillion - bv @ wjv . com

From: "f.johan.beisser"
To: Bill Vermillion
Cc: security@FreeBSD.ORG
Subject: Re: Is the technique described in this article do-able with
Date: Sun, 10 Feb 2002 19:18:31 -0800 (PST)
In-Reply-To: <20020210231559.GA2136@wjv.com>
Message-ID: <20020210190958.B21734-100000@localhost>

On Sun, 10 Feb 2002, Bill Vermillion wrote:

> Hardcopy is fairly hard to search with a text editor though :-)

2 copies. one electronic, so you can do a grep on it :)

> If you worry about the logs being alterable - and you did suggest
> logging to a second machine - then you have a real problem with
> security I'd guess. You could always run chflags on the logging
> machine to make the logs append only. Wouldn't that take care
> of the problem of being alterable without having to use hardcopy?

not really. you can change chflags on a live machine. any attacker that's
going to alter the logs will be able to see the append only flag. so,
really, it's not actually secure. against a scriptkiddie, though, this
may be effective.
logging to another machine that *only* listens to syslog, or is attached
to the serial port and only listens to the console log, and can't be
accessed from the network may be a solution.

this is, as i said, outside of "normal home usage", and generally only
done at really paranoid places.

-------/ f. johan beisser /--------------------------------------+
http://caustic.org/~jan jan@caustic.org
"John Ashcroft is really just the reanimated corpse
of J. Edgar Hoover." -- Tim Triche

From: "Crist J. Clark"
To: "f.johan.beisser"
Cc: Bill Vermillion, security@FreeBSD.ORG
Subject: Re: Is the technique described in this article do-able with
Date: Sun, 10 Feb 2002 22:10:29 -0800
Message-ID: <20020210221029.A20884@blossom.cjclark.org>
References: <20020210231559.GA2136@wjv.com> <20020210190958.B21734-100000@localhost>

On Sun, Feb 10, 2002 at 07:18:31PM -0800, f.johan.beisser wrote:
> On Sun, 10 Feb 2002, Bill Vermillion wrote:
>
> > Hardcopy is fairly hard to search with a text editor though :-)
>
> 2 copies. one electronic, so you can do a grep on it :)
>
> > If you worry about the logs being alterable - and you did suggest
> > logging to a second machine - then you have a real problem with
> > security I'd guess. You could always run chflags on the logging
> > machine to make the logs append only. Wouldn't that take care
> > of the problem of being alterable without having to use hardcopy?
>
> not really. you can change chflags on a live machine.

How do you do it when there is an elevated securelevel(8)?
--
Crist J. Clark | cjclark@alum.mit.edu | cjclark@jhu.edu
http://people.freebsd.org/~cjc/ | cjc@freebsd.org

From: Ceri Storey
To: Brett Glass
Cc: security@FreeBSD.ORG
Subject: Re: Is the technique described in this article do-able with FreeBSD + ipf?
Date: Sun, 10 Feb 2002 19:18:55 +0000
Message-ID: <20020210191855.GB11294@mandelbrot.house>
In-Reply-To: <4.3.2.7.2.20020208225248.026f08c0@localhost>

On Fri, Feb 08, 2002 at 10:53:34PM -0700, Brett Glass wrote:
> http://www.samag.com/documents/s=1824/sam0201d/0201d.htm
> [running only kernel mode tools]

I can see that this would be (almost) implementable with FreeBSD, if you
say, customized the rc scripts to just configure the firewall etc, then
unmount the disks and then go to sleep.

That said, in a lot of circumstances, I'm fairly sure that a dedicated
hardware firewall/router would be a lot saner.

Just my 0.02 pounds sterling.
--
Ceri Storey http://pkl.net/~cez/
vi(1)! postfix(7)! pie(5)!
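
[Added example, not part of any message in this archive.] The chflags and
securelevel exchange above (Vermillion, beisser, Clark) comes down to one
check: a log is only tamper-resistant if it carries the system append-only
flag and kern.securelevel is 1 or higher. The sh functions below apply that
check to `ls -lo` output; the sample listing, file names and the function
names classify_logs and audit_logs are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): decide which log files are really
# append-only. Per the securelevel description in init(8), the system
# append-only flag (sappnd) cannot be turned off once kern.securelevel is
# 1 or higher; the user flag (uappnd) can be cleared by the file owner at
# any level.
#
# On the log host the inputs would come from:
#   ls -lo /var/log             (file flags are the 5th column)
#   sysctl -n kern.securelevel
# They are passed as arguments so the logic runs on any POSIX system.

# Constructed sample listing; names, sizes and dates are made up.
SAMPLE_LISTING='total 64
-rw-r--r--  1 root  wheel  sappnd         48213 Feb 10 18:16 messages
-rw-------  1 root  wheel  sappnd,nodump   9120 Feb 10 18:10 security
-rw-r--r--  1 root  wheel  uappnd          1033 Feb 10 17:02 maillog
-rw-r--r--  1 root  wheel  -                771 Feb 10 12:00 cron'

# classify_logs LISTING SECURELEVEL
# Prints "<file> <verdict>" for every listing entry, where verdict is:
#   locked       sappnd set and securelevel >= 1 (flag cannot be cleared)
#   removable    sappnd set but securelevel < 1 (root can clear the flag)
#   owner-only   only uappnd set (the owner can clear it at any level)
#   unprotected  no append-only flag at all
# Assumes file names without whitespace (true for stock /var/log names).
classify_logs() {
    printf '%s\n' "$1" | awk -v lvl="$2" '
        NF >= 10 {                      # skips the "total N" line
            sys = 0; usr = 0
            n = split($5, flag, ",")    # flags are comma-separated
            for (i = 1; i <= n; i++) {
                if (flag[i] == "sappnd") sys = 1
                if (flag[i] == "uappnd") usr = 1
            }
            if (sys && lvl + 0 >= 1) verdict = "locked"
            else if (sys)            verdict = "removable"
            else if (usr)            verdict = "owner-only"
            else                     verdict = "unprotected"
            print $10, verdict
        }'
}

# audit_logs LISTING SECURELEVEL
# Exit status 0 only when every listed file is "locked".
audit_logs() {
    classify_logs "$1" "$2" |
        awk '$2 != "locked" { bad = 1 } END { exit bad + 0 }'
}

# Demo: the same listing judged at securelevel -1 and at securelevel 1.
for level in -1 1; do
    echo "kern.securelevel=$level"
    classify_logs "$SAMPLE_LISTING" "$level" | sed 's/^/  /'
    if audit_logs "$SAMPLE_LISTING" "$level"; then
        echo "  => every log is locked"
    else
        echo "  => at least one log is not locked"
    fi
done
```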

From: Victor Bondarenko
To: security@freebsd.org
Subject: SSP patch + 4.5-STABLE
Date: Mon, 11 Feb 2002 13:00:20 -0800
Message-ID: <20020211130020.A13258@indite.org>

Has anyone been able to get the SSP patch
(http://www.trl.ibm.com/projects/security/ssp/) working on 4.5-STABLE (as
of this morning)? I get a compiler error when building libc (I can
produce the exact error message if needed).

TIA,
Victor
--
victor@indite.org

From: Victor Bondarenko
To: Kerberus
Cc: security@freebsd.org
Subject: Re: SSP patch + 4.5-STABLE
Date: Mon, 11 Feb 2002 14:09:29 -0800
Message-ID: <20020211140929.A13537@indite.org>
References: <20020211130020.A13258@indite.org> <1013465579.70602.0.camel@vpan.netwolves.com>

> wheres it dying ??? cause after seeing this i just cvsupped and im doing

It fails in /usr/src/lib/libc while doing a "make all install" with:

...
cc -O -pipe -fstack-protector -DLIBC_RCS -DSYSLIBC_RCS -I/usr/src/lib/libc/include -D__DBINTERFACE_PRIVATE -DINET6 -DPOSIX_MISTAKE -I/usr/src/lib/libc/../libc/locale -DBROKEN_DES -DYP -c /usr/src/lib/libc/../libc/string/strcasestr.c -o strcasestr.o
/usr/src/lib/libc/../libc/string/strcasestr.c:38: syntax error before string constant
/usr/src/lib/libc/../libc/string/strcasestr.c:38: warning: data definition has no type or storage class
*** Error code 1

Stop in /usr/src/lib/libc.
...

I should mention that I'm working on the 4.5-STABLE source.
The system itself is 4.4-RELEASE, although I don't know if this would effect anything- I guess the next step is to build/install an unpatched 4.5 world and patch and rebuild from there. Victor > a build world as we speak, so far all seems okay, takes my box 30 mins > to build a world > -- victor@indite.org To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Feb 11 14:39:23 2002 Delivered-To: freebsd-security@freebsd.org Received: from obsecurity.dyndns.org (adsl-64-165-226-40.dsl.lsan03.pacbell.net [64.165.226.40]) by hub.freebsd.org (Postfix) with ESMTP id 701E137B404 for ; Mon, 11 Feb 2002 14:39:19 -0800 (PST) Received: by obsecurity.dyndns.org (Postfix, from userid 1000) id D10EF66C39; Mon, 11 Feb 2002 14:39:18 -0800 (PST) Date: Mon, 11 Feb 2002 14:39:18 -0800 From: Kris Kennaway To: Victor Bondarenko Cc: Kerberus , security@freebsd.org Subject: Re: SSP patch + 4.5-STABLE Message-ID: <20020211143918.B88754@xor.obsecurity.org> References: <20020211130020.A13258@indite.org> <1013465579.70602.0.camel@vpan.netwolves.com> <20020211140929.A13537@indite.org> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-md5; protocol="application/pgp-signature"; boundary="8P1HSweYDcXXzwPJ" Content-Disposition: inline User-Agent: Mutt/1.2.5.1i In-Reply-To: <20020211140929.A13537@indite.org>; from victor@indite.org on Mon, Feb 11, 2002 at 02:09:29PM -0800 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org --8P1HSweYDcXXzwPJ Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Mon, Feb 11, 2002 at 02:09:29PM -0800, Victor Bondarenko wrote: > > wheres it dying ??? 
cause after seeing this i just cvsupped and im doing >=20 > It fails in /usr/src/lib/libc while doing a "make all install" with: It continues to build fine for me, and the error message you're getting suggests unrelated build failure (strcasestr is a new function in 4.5). When you are upgrading your source you *must* follow the build instructions given in the handbook; trying to do random other steps will give you failures. Kris --8P1HSweYDcXXzwPJ Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.6 (FreeBSD) Comment: For info see http://www.gnupg.org iD8DBQE8aEgWWry0BWjoQKURAr4xAJ4wB+LRLiw8+I9eV0hvz0yssLM35ACfe5wm r7wNm0Vi8rWYCLh5RSSjOGE= =QuDY -----END PGP SIGNATURE----- --8P1HSweYDcXXzwPJ-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Feb 11 14:55: 2 2002 Delivered-To: freebsd-security@freebsd.org Received: from narf.indite.org (narf.indite.org [208.187.236.41]) by hub.freebsd.org (Postfix) with ESMTP id 59C2C37B422 for ; Mon, 11 Feb 2002 14:54:59 -0800 (PST) Received: (from victor@localhost) by narf.indite.org (8.11.6/8.11.6) id g1BMo8f13731; Mon, 11 Feb 2002 14:50:08 -0800 (PST) (envelope-from victor) Date: Mon, 11 Feb 2002 14:50:08 -0800 From: Victor Bondarenko To: Kris Kennaway Cc: Kerberus , security@freebsd.org Subject: Re: SSP patch + 4.5-STABLE Message-ID: <20020211145008.A13703@indite.org> References: <20020211130020.A13258@indite.org> <1013465579.70602.0.camel@vpan.netwolves.com> <20020211140929.A13537@indite.org> <20020211143918.B88754@xor.obsecurity.org> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <20020211143918.B88754@xor.obsecurity.org>; from kris@obsecurity.org on Mon, Feb 11, 2002 at 02:39:18PM -0800 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) 

On Mon, Feb 11, 2002 at 02:39:18PM -0800, Kris Kennaway wrote:
> getting suggests unrelated build failure (strcasestr is a new function
> in 4.5). When you are upgrading your source you *must* follow the
> build instructions given in the handbook; trying to do random other

Usually I do. This time I was being lazy trying to have an SSP patched gcc and libc without upgrading everything else (buildworld takes 4 hours on this particular machine). Guess that teaches me. :)

Victor

--
victor@indite.org

From owner-freebsd-security Mon Feb 11 15:45:44 2002
Date: Mon, 11 Feb 2002 15:45:36 -0800 (PST)
From: "f.johan.beisser"
To: "Crist J. Clark"
Cc: Bill Vermillion
Subject: Re: Is the technique described in this article do-able with

On Sun, 10 Feb 2002, Crist J. Clark wrote:
> > not really. you can change chflags on a live machine.
>
> How do you do it when there is an elevated securelevel(8)?

not really sure off hand :) i don't think that it can be done, at least, not without taking a really good look at the code first, and deliberately trying to find a way to bypass the kernel's watch on file permissions and the chflags information.

note that i believe most people use the system in "-1" or "0" mode, post install. i did, for a long long while during my first year of FreeBSD usage. to this day, for remote handling of some machines, i still leave them at securelevel "0" for kernel upgrades.. but these are "low risk" machines, usually with very few services (read: single use) and/or they are easily replaced if there is a compromise.

-------/ f. johan beisser /--------------------------------------+
http://caustic.org/~jan jan@caustic.org
"John Ashcroft is really just the reanimated corpse of J. Edgar Hoover." -- Tim Triche

From owner-freebsd-security Mon Feb 11 18:17:45 2002
To: "Michael Vince"
Cc: security@FreeBSD.ORG
Subject: Re: SSH
Date: Tue, 05 Feb 2002 10:13:57 -0800
From: Eli Dart

--==_Exmh_-259710762P Content-Type: text/plain; charset=us-ascii

In reply to "Michael Vince" :
> Hey all.
> I was thinking about setting up a maximum laziness maximum security
> security policy for my self.
> I just wanted to know how dangerous are ssh keys with no password
> phrases? I mean if some one is packet sniffing you how much more bad is
> it to have a ssh2 key with no pass phrase compared to one that does..

It won't help someone sniffing the wire. If someone eats the machine that contains the keys, you're much worse off.

> And how bad would it be to have all the servers I have access to with
> different keys but the exact same password phrase like "pepsi"?

If someone owns your keystrokes (and, we can assume, your machine), they now own all the servers instead of just the ones you logged into while they were capturing keystrokes. As an aside, choosing a pass phrase that is subject to dictionary attack or short enough to brute-force isn't a good idea ("pepsi" has both problems).

> And is it more secure to have a pass phraseless (no pass phrase) ssh key
> compared to just using ssh with no keys and just using a password that
> belongs to the unix account?

Again, it depends on how you get owned. If you have keys with no pass phrase, rooting a service on the machine is enough. If you require input from the user as well, then the attacker has to go through the additional step of capturing keystrokes.

> I just find my self having a lot of passwords to remember

For me, this is a fact of life. I've worked at it for a while and am now reasonably good at it. Changing things to make your life easier will generally provide attackers with additional points of leverage. I prefer to practice my memorization skills.....

--eli

--==_Exmh_-259710762P Content-Type: application/pgp-signature
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (FreeBSD)
Comment: This is a comment.

iD8DBQE8YCDlLTFEeF+CsrMRAn+OAJwIF33yjcBjRgmOnkcBBgmwGXMxpACgllZp
1fD6ESGCqnkcMO/37pL0HFU=
=0EBo
-----END PGP SIGNATURE-----
--==_Exmh_-259710762P--

From owner-freebsd-security Mon Feb 11 18:17: 7 2002
Date: Thu, 7 Feb 2002 00:54:34 -0800
From: "Crist J. Clark"
To: Edwin Chen
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: how to detect a illegal connect on local network ?

On Thu, Feb 07, 2002 at 11:24:31AM +0800, Edwin Chen wrote:
> maybe this messages is off topic, but i am not idea where to go. i want to know how can i do to detect any user on my local network that use freebsd box still dial-up internet use serial line with a modem ? thanks.

Go to each machine on your local network and look to see if there is a modem attached.

--
Crist J.
Clark | cjclark@alum.mit.edu | cjclark@jhu.edu
http://people.freebsd.org/~cjc/ | cjc@freebsd.org

From owner-freebsd-security Mon Feb 11 18:17:35 2002
Date: Tue, 5 Feb 2002 08:47:15 -0600 (CST)
From: admin
To: "Roger 'Rocky' Vetterberg"
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Reliable shell logs

bofh bash and tcsh are at http://www.ccitt5.net/new/ - emacs

On Mon, 4 Feb 2002, Roger 'Rocky' Vetterberg wrote:
> Geir Råness wrote:
>
> > You always could set your users to the shell bash, that is patched with the
> > "bofh" logging.
> > That's one way you could secure log your users, but it could be found.
> > It all depends on the intruder.
>
>
> Do you know where I could find this patch?
> I tried google.com/bsd and found a bunch of sh patches, but
> none for bash.
> And what stops the user from changing his shell? 'chsh'
> would let him change shell to csh, tcsh or whatever is
> available on the system, right? How can I prevent this?
>
> > This you can do something about however, you can have an locale log server,
> > that the "shell" server sends the log to,
> > with upload access only.
> > So the intruder can't delete the logs, you probably should make this server an
> > local login only.
> >
> > Geir Råness
> > PulZ @ efnet
>
>
> --
> R
>

From owner-freebsd-security Mon Feb 11 18:18:10 2002
To: security@freebsd.org
Subject: Questions (Rants?) About IPSEC
Date: Thu, 07 Feb 2002 11:33:47 -0500
From: "James F. Hranicky"

After reading up on IPSEC, I have one major question: Is it really a good protocol?

It may be that I don't understand it well enough, or that the implementations I've looked at are lacking in features that I want, but it seems to me that it simply isn't a good solution for anything more than a small number of users.

Here are the problems I have with IPSEC:

- IPSEC routers don't seem to be able to advertise routes for an arbitrary number of networks behind them

- IPSEC routers have to basically be the border router for a site, as there is no post-decryption NAT protocol to get packets back to a router on the inside of the network (Apparently, Cisco VPN boxes have this capability, but it's an add-on to IPSEC AFAICT).

- Clients with dynamic IPs are poorly supported.

  AFAICT, what I want is to be able to issue x509 certs to any of my remote users for key exchange, and accept any cert from any client that was signed by my CA. That's what PKI is all about, right? Checking the racoon.conf man pages and sample racoon.conf files shows that I need to have the client's *private* key for a *specific* IP address.

  o Is this really the case, or am I just wrong here?

  o Isn't requiring the server to have the private cert key the same as having a shared secret?

  o If I'm not wrong, and cert's private keys are required per IP address, is there some problem with the scheme I detailed above? As a comparison, isn't the whole point of the ssh_known_hosts file to keep only the public keys on the remote server? I mean, wouldn't it be great if ssh supported x509 certs, obviating the need for even the ssh_known_hosts file, as host keys would be signed by the CA?

Isn't this what we want for IPSEC???

In the end, if I go with a FreeBSD racoon or isakmpd solution, am I limited to the following setups ? :

- One shared secret for all my users in the interest of manageability. I can only assume this means any user could theoretically listen in on the key exchange and thus be able to decrypt another's IPSEC communications

- Different shared secrets for all users/client machines. Key management nightmare.

- Different x509 certs for all users/client machines. See above.

- GSSAPI Auth . Does this even work? Does it work with w2k clients and an MIT KDC?
If it does, this would probably do what I need for any w2k boxes out there, but all the info I read said it didn't work with w2k yet. Never mind any other IPSEC client software.

Is there another VPN solution (mpd-netgraph+PPTP) that would suit my needs any better?

Any enlightenment I can receive that can convince me IPSEC is anything more than an alpha-quality protocol that requires vendors (a la Cisco) to fix it would be most appreciated. It's entirely possible I have no idea what I'm talking about.

----------------------------------------------------------------------
| Jim Hranicky, Senior SysAdmin UF/CISE Department |
| E314D CSE Building Phone (352) 392-1499 |
| jfh@cise.ufl.edu http://www.cise.ufl.edu/~jfh |
----------------------------------------------------------------------

From owner-freebsd-security Mon Feb 11 18:19:26 2002
Date: Tue, 5 Feb 2002 14:26:58 +0000
From: Rasputin
To: Michael Vince
Cc: security@freebsd.org
Subject: Re: SSH
Reply-To: Rasputin

* Michael Vince [020205 08:05]:
> Hey all.
> I was thinking about setting up a maximum laziness maximum security security policy for my self.
> I just wanted to know how dangerous are ssh keys with no password phrases?

You need to keep them safe, since any old monkey can use them to get into boxes as you ( although you can restrict that slightly - see the AUTHORIZED_KEYS part in sshd(8) )

> I mean if some one is packet sniffing you how much more bad is it to have a ssh2
> key with no pass phrase compared to one that does..

Makes no difference as far as sniffing is concerned - network traffic relies on the key, not the phrase.

> And how bad would it be to have all the servers I have access to with different keys
> but the exact same password phrase like "pepsi"?

Then you're replacing multiple passwords with multiple keys, don't see how that'd help you. At least one key being stolen won't compromise all servers.

> And is it more secure to have a pass phraseless (no pass phrase) ssh key compared to
> just using ssh with no keys and just using a password that belongs to the unix account?

If you can't keep a key safe, then a frequently-changed password will do, I guess - although bear in mind you don't have the same ability to stop logins from other boxes (not in SSH itself, anyway)

--
Democracy is a government where you can say what you think even if you don't think.
Rasputin :: Jack of All Trades - Master of Nuns ::

From owner-freebsd-security Mon Feb 11 18:20:18 2002
Date: Tue, 5 Feb 2002 18:45:42 +0000
From: David McNett
To: Michael Vince, security@FreeBSD.ORG
Subject: Re: SSH

On 05-Feb-2002, Eli Dart wrote:
> In reply to "Michael Vince" :
> > I just wanted to know how dangerous are ssh keys with no password
> > phrases?
> > I just find my self having a lot of passwords to remember
>
> If someone owns your keystrokes (and, we can assume, your machine),
> they now own all the servers instead of just the ones you logged into
> while they were capturing keystrokes. As an aside, choosing a pass
> phrase that is subject to dictionary attack or short enough to
> brute-force isn't a good idea ("pepsi" has both problems).

Eli raises some good points about how important it can be to select passphrases which are sufficiently secure. I think that "pepsi" would be insufficient to make me feel secure.

From a theoretical standpoint, it's possible that an attacker who gained access to several private keys all known to be encrypted with the same passphrase might be able to accelerate their attempts to access the keys with that knowledge, but I'm not aware of any such method. I doubt it's relevant to real-world security concerns.

Bottom line, though, it sounds like what you really want is to familiarize yourself with the use of ssh-agent to cache your sufficiently-long passphrase for local use. OpenSSH has a tool designed to strike a comfortable balance between security and ease of use which will allow you to cache your passphrase in memory (accessible only to you and root) and then use the cached, decrypted copy of the private key for all subsequent authorizations. As long as you're mindful to clear the cache when you're done or step away (I have my screensaver do it automatically) it doesn't add nearly as much risk as keeping unprotected private keys in your homedir. And since it reduces the number of times you have to type your passphrase, you'll be less motivated to select an unsafe passphrase.

man ssh-agent for a start, and take a look at the ssh-askpass port if you're in X for a nice GUI supplement to the tool.

--
 ________________________________________________________________________
|David McNett      |To ensure privacy and data integrity this message has|
|nugget@slacker.com|been encrypted using dual rounds of ROT-13 encryption|
|Austin, TX USA    |Please encrypt all important correspondence with PGP!|

From owner-freebsd-security Mon Feb 11 18:20:20 2002
To: Paulo Fragoso
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Auditing
Date: Tue, 05 Feb 2002 16:48:40 -0800
From: Eli Dart

--==_Exmh_-932282952P Content-Type: text/plain; charset=us-ascii

I don't know all the details involving your particular incident, but at one time there was a bug in PC-Anywhere that caused it to listen on UDP port 22 (they didn't put their port number in network byte order as I remember). I still see scanners looking for UDP port 22 every once in a while (script kiddies looking for poorly configured PC-Anywhere instances).

So, this could be unrelated to your incident, and just be some random script kiddie.

In general, if you turn on log_in_vain on a box that is directly connected to the Internet, you'll see a lot of random cruft....

--eli

In reply to Paulo Fragoso :
> Hi,
>
> We have a client which was using 4.2-RELEASE and telnetd enabled. In that
> machine was running an ircd installed and started by a hacker, probably
> exploiting telnetd hole.
>
> We have installed 4.5-RELEASE using another HD and log_vain="YES" in the
> rc.conf. Some time after that upgrade, someone try to connect in this
> machine:
>
> Connection attempt to UDP mmm.mmm.mmm.mmm:22 from hhh.hhh.hhh.hhh:1384
>
> How can we found in the old system all mechanism to enable remotely ircd
> or backdoor? Are there any rootkit which it has a backdoor at UDP port 22?
>
> Paulo.
>

--==_Exmh_-932282952P Content-Type: application/pgp-signature
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (FreeBSD)
Comment: This is a comment.

iD8DBQE8YH1oLTFEeF+CsrMRAhd4AJ9qe+Ih9T8B/h0XLRjX/bTpNDXarwCghMxd
KTYAQh0z9P4/vxVRYenWbjk=
=rPAA
-----END PGP SIGNATURE-----
--==_Exmh_-932282952P--

From owner-freebsd-security Mon Feb 11 18:19:52 2002
Date: Wed, 6 Feb 2002 21:53:08 +0200
From: Giorgos Keramidas
To: "Artem 'Zazoobr' Ignatjev"
Cc: brett@lariat.org, freebsd-security@freebsd.org
Subject: Re: Is this evidence of a break-in attempt?

On 2002-02-06 14:05, Artem 'Zazoobr' Ignatjev wrote:
> > From owner-freebsd-security@FreeBSD.ORG Tue Feb 5 22:59:39 2002
> > Date: Tue, 05 Feb 2002 12:54:41 -0700
> > To: Victor Grey
> > From: Brett Glass
> > Subject: Re: Is this evidence of a break-in attempt?
> >
> > In a word, yes. Looks like they went to the box with a
> > keyboard and a mouse, rebooted, and tried to log in.
> > Clearly, they were so clueless that they did not know
> > about single-user mode.
> >
> Well, if console is marked as `insecure' (which is MY default policy)
> single mode couldn't help them too much.
> But there is a way to get contents of any file in root filesystem from
> loader(8), so they could get root hash.

You're assuming the attacker (yes, it was a naive attack of some form) knows a lot of stuff. He didn't know about single-user mode[1]. He didn't have enough clue to come with fixit and just power-cycle the box. Is that the person you're expecting to have the knowledge it takes to use loader for password stealing+cracking? :P

"loader? What do you mean? What the heck is that? I just plugged in my brand new PS/2 mouse, and a keyboard and rebooted. The fscking thing didn't even get to the point where Windows displays 'Press CTRL+ALT+DEL to log in.' so I pressed CTRL+ALT+DEL a few times. Can you guess? Yes, this FreeBSD thing is so obviously retarted it does NOTHING when you press CTRL+ALT+DEL! I had to power-cycle it again to remove my keyboard and mouse!"

--
Giorgos Keramidas . . . . . . . . . keramida@{ceid.upatras.gr,freebsd.org}
FreeBSD Documentation Project . . . http://www.freebsd.org/docproj/
FreeBSD: The power to serve . . . .
http://www.freebsd.org/

From owner-freebsd-security Mon Feb 11 18:22: 5 2002
Date: Tue, 5 Feb 2002 22:24:24 -0200 (BRST)
From: Paulo Fragoso
Subject: Auditing

Hi,

We have a client which was using 4.2-RELEASE and telnetd enabled. In that machine was running an ircd installed and started by a hacker, probably exploiting telnetd hole.

We have installed 4.5-RELEASE using another HD and log_vain="YES" in the rc.conf. Some time after that upgrade, someone try to connect in this machine:

Connection attempt to UDP mmm.mmm.mmm.mmm:22 from hhh.hhh.hhh.hhh:1384

How can we found in the old system all mechanism to enable remotely ircd or backdoor? Are there any rootkit which it has a backdoor at UDP port 22?

Paulo.
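
One way to triage log_in_vain output like the line in the post above, using the byte-order explanation from Eli Dart's reply elsewhere in this digest. This is an added example, not part of any message in the thread; the sample log lines, the addresses, the host name and the pcAnywhere port number 5632 are supplied by the example and are not taken from the thread.

```python
import re
from collections import defaultdict

# Shape of the kernel message quoted in the post. Text after the source port
# (such as TCP flags on later releases) is ignored.
LINE_RE = re.compile(
    r"Connection attempt to (?P<proto>UDP|TCP) "
    r"(?P<dst>[\w.]+):(?P<dport>\d+) from (?P<src>[\w.]+):(?P<sport>\d+)"
)

# Assumption supplied by this example, not by the thread: pcAnywhere's status
# service listens on UDP 5632 (0x1600), which is 22 (0x0016) byte-swapped.
SWAP_SUSPECTS = {("UDP", 5632): "pcAnywhere status"}

# Constructed sample log (documentation address ranges, made-up host "gw").
SAMPLE_LOG = """\
Feb 11 18:02:11 gw /kernel: Connection attempt to UDP 192.0.2.10:22 from 198.51.100.7:1384
Feb 11 18:09:40 gw /kernel: Connection attempt to UDP 192.0.2.10:22 from 203.0.113.44:1031
Feb 11 18:31:02 gw /kernel: Connection attempt to UDP 192.0.2.10:22 from 198.51.100.201:4410
Feb 11 18:40:15 gw /kernel: Connection attempt to TCP 192.0.2.10:6667 from 203.0.113.9:3310
Feb 11 18:40:18 gw /kernel: Connection attempt to TCP 192.0.2.10:6667 from 203.0.113.9:3311
Feb 11 18:40:24 gw /kernel: Connection attempt to TCP 192.0.2.10:6667 from 203.0.113.9:3312
Feb 11 18:55:00 gw sshd[212]: Accepted password for operator from 192.0.2.50 port 1022
"""


def swap16(port):
    """Return the 16-bit port with its two bytes exchanged (a missing htons())."""
    return ((port & 0xFF) << 8) | (port >> 8)


def parse(lines):
    """Yield (proto, dst_port, src_ip) for every log_in_vain message found."""
    for line in lines:
        m = LINE_RE.search(line)
        if m:
            yield m["proto"], int(m["dport"]), m["src"]


def triage(lines, threshold=3):
    """Group refused connections by (proto, port) and annotate each group."""
    sources = defaultdict(set)
    hits = defaultdict(int)
    for proto, dport, src in parse(lines):
        sources[(proto, dport)].add(src)
        hits[(proto, dport)] += 1

    report = []
    for proto, dport in sorted(sources):
        key = (proto, dport)
        notes = []
        service = SWAP_SUSPECTS.get((proto, swap16(dport)))
        if service:
            notes.append(f"byte-swapped {swap16(dport)} ({service})")
        if len(sources[key]) >= threshold:
            notes.append("many unrelated sources: background scanning")
        elif len(sources[key]) == 1 and hits[key] >= threshold:
            notes.append("single source retrying: worth a closer look")
        report.append({"proto": proto, "port": dport, "hits": hits[key],
                       "sources": len(sources[key]), "notes": notes})
    return report


if __name__ == "__main__":
    for entry in triage(SAMPLE_LOG.splitlines()):
        print(entry)
```

In the constructed log, the UDP 22 probes come from three unrelated addresses and match the byte-swap case, while the repeated attempts on the IRC port from one address are the entries that relate to the earlier ircd and deserve follow-up.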

From owner-freebsd-security Mon Feb 11 18:22:23 2002
Date: Thu, 7 Feb 2002 11:29:39 -0800
From: "R.P. Aditya"
To: "James F. Hranicky"
Cc: security@freebsd.org
Subject: Re: Questions (Rants?) About IPSEC
Reply-To: "R.P. Aditya"

On Thu, Feb 07, 2002 at 11:33:47AM -0500, James F. Hranicky wrote:
> After reading up on IPSEC, I have one major question: Is it really
> a good protocol?

It has its uses, yes.

> - IPSEC routers don't seem to be able to advertise routes
> for an arbitrary number of networks behind them

IPSEC defines a standard for authentication and encryption of IP packets and doesn't participate in routing per se, so this quibble is not really "a problem".

> - IPSEC routers have to basically be the border router for
> a site, as there is no post-decryption NAT protocol to
> get packets back to a router on the inside of the network
> (Apparently, Cisco VPN boxes have this capability, but
> it's an add-on to IPSEC AFAICT).

If you use AH then this is a problem, with just ESP, it should not be a problem, however, given the intrinsic dependence on "static" IP addresses to base policy, using it with NAT is not "standardly supported".

> - Clients with dynamic IPs are poorly supported.
>
> AFAICT, what I want is to be able to issue x509 certs to
> any of my remote users for key exchange, and accept any
> cert from any client that was signed by my CA. That's what
> PKI is all about, right? Checking the racoon.conf man pages
> and sample racoon.conf files shows that I need to have the
> client's *private* key for a *specific* IP address.
>
> o Is this really the case, or am I just wrong here?

yes, this is really the case.

> o Isn't requiring the server to have the private cert
> key the same as having a shared secret?

yes.

> o If I'm not wrong, and cert's private keys are required per
> IP address, is there some problem with the scheme I detailed
> above? As a comparison, isn't the whole point of the
> ssh_known_hosts file to keep only the public keys on the
> remote server? I mean, wouldn't it be great if ssh supported
> x509 certs, obviating the need for even the ssh_known_hosts
> file, as host keys would be signed by the CA?
>
> Isn't this what we want for IPSEC???

This is what is wanted from a general VPN protocol, but IPSEC wasn't designed to solve that problem alone.

> Is there another VPN solution (mpd-netgraph+PPTP) that would suit my needs
> any better?

probably. Unfortunately, they are not entirely IETF standards based and it's hard to find one that supports a wide variety of client OSes.

> Any enlightenment I can receive that can convince me IPSEC is anything
> more than an alpha-quality protocol that requires vendors (a la Cisco)
> to fix it would be most appreciated. It's entirely possible I have
> no idea what I'm talking about.

It's not so simple -- you want IPSEC to do things it wasn't designed to do.
There are efforts to extend it to do things like you want, but don't hold your breath. Depending on your clients, you should probably pick a commercial VPN vendor at this point or teach your user base to use ssh (close to impossible, I know).

Hope that helps,
Adi

From owner-freebsd-security Mon Feb 11 18:24: 1 2002
To: Garrett Wollman
Cc: security@FreeBSD.ORG
Subject: Re: Questions (Rants?) About IPSEC
Date: Thu, 07 Feb 2002 17:18:23 -0500
From: "James F. Hranicky"

Garrett Wollman wrote:
>
> > - IPSEC routers have to basically be the border router for
> > a site, as there is no post-decryption NAT protocol to
> > get packets back to a router on the inside of the network
> > (Apparently, Cisco VPN boxes have this capability, but
> > it's an add-on to IPSEC AFAICT).
>
> IPSEC is designed to thwart processes which corrupt packet headers
> (including NAT).

In my scenario, NAT would occur after decryption, allowing IPSEC routers to be placed at arbitrary points in the internal net.
As I understand it, CISCO's VPN box does just that.

Thanks for your input.

Jim

From owner-freebsd-security Mon Feb 11 18:24: 4 2002
Date: Thu, 7 Feb 2002 04:45:56 +0200 (SAST)
From: Gareth Hopkins
To: freebsd-security@freebsd.org
Subject: Problem with openssh and kerberos
Message-Id: <20020212021211.889B79F300@okeeffe.bestweb.net>

Hi There,

I am having a problem with the following. sshd is not recognising the KerberosOrLocalPasswd option in the sshd_config file. This is causing a problem with users logging into the machine with their kerberos password (without having kinited).

Feb 7 04:39:10 sshd[22691]: error: /etc/ssh/sshd_config: line 58: Bad configuration option: KerberosOrLocalPasswd
Feb 7 04:39:10 sshd[22691]: fatal: /etc/ssh/sshd_config: terminating, 1 bad configuration options

I am using OpenSSH_2.9 FreeBSD localisations 20011202, SSH protocols 1.5/2.0, OpenSSL 0x0090601f which came with the base system of a 4.5-RC install.

The following was included in my make.conf when I did a make world.

KRB5_HOME= /usr/local
MAKE_KERBEROS5= yes

Anything else that I missed?
---
Gareth Hopkins
Server Operations
UUNET SA, a WorldCom Company
(o) +27.21.658.8700 (f) +27.21.658.8552 (m) +27.82.389.5389
http://www.uunet.co.za
08600 UUNET (08600 88638)

From owner-freebsd-security Mon Feb 11 18:24:33 2002
Date: Thu, 07 Feb 2002 14:40:28 -0500
From: Dexter Coffin
To: security@freebsd.org
Subject: Re: Questions (Rants?) About IPSEC
Message-Id: <20020212021147.BDD939EFAE@okeeffe.bestweb.net>

Here are some thoughts. YMMV. Anyone, please feel free to confirm or denounce my info ... anyway, I HTH ...

Please note that all of my IPSec experience comes from COTS products like CheckPoint, Cisco, Nokia, and Nortel. Never used S/WAN or racoon ...

James F. Hranicky wrote:
> After reading up on IPSEC, I have one major question: Is it really
> a good protocol?

Yes. Room for improvement abounds, tho. See the end of this reply for some more thoughts.
>
> It may be that I don't understand it well enough, or that the
> implementations I've looked at are lacking in features that I want,
> but it seems to me that it simply isn't a good solution for anything
> more than a small number of users. Here are the problems I have with
> IPSEC:
>
> - IPSEC routers don't seem to be able to advertise routes
> for an arbitrary number of networks behind them
>

Stuff like OSPF, which uses a multicast address IIRC cannot work through IPSec, a definite shortcoming. The exception is like a Cisco to Cisco that both agree on a non-standard (read: not part of the IPSec standard which, for multicast, there is none) way of doing it. All routes must otherwise be static.

> - IPSEC routers have to basically be the border router for
> a site, as there is no post-decryption NAT protocol to
> get packets back to a router on the inside of the network
> (Apparently, Cisco VPN boxes have this capability, but
> it's an add-on to IPSEC AFAICT).

Cisco's add on also breaks some compatibility with other IPSec devices, like CheckPoint FireWall-1 4.0- IIRC. But, yes, the IPSec gateway does have to function as a router to some degree whether or not it is an actual router. This can be a real PITA if you have lots of incongruous and/or non-sequential networks behind it (like the RFC 1918 private addresses and some poorly chosen public networks that really are private ... if you get my meaning).

One could do a one-legged IPSec device and let a router handle routing.

    ~~~~~~~~~~~~
    ~ Internet ~
    ~~~~~~~~~~~~
         |
         | <------------------ default route, hopefully w/ FW in between
         |
    +---A----+   +-------+
    | router B-+-C IPSec | <- outbound route for assigned client addresses
    +---D----+ | +-------+    or static gateway addresses (& protected
         |     |              LANs via remote gateway); device default
         |     |              routes to router interface B
         |     | +-------+
         |     +-| DHCP  | <- for inbound IPSec client IP assignment (maybe
         |       +-------+    not a separate host)
         |
         | <------------------ OSPF, BGP, etc. ... maybe FW here, too
         |
    ~~~~~~~~~~~~
    ~ Private  ~
    ~   LAN    ~
    ~~~~~~~~~~~~

... where

    interface A = public Internet routable address for all Internet traffic
    interface B = public Internet routable address for IPSec traffic
    interface C = public Internet routable address for IPSec traffic
    interface D = private address for unencrypted traffic

and whatever network/pool you use for clients default routes from the internal LAN to the IPSec gateway w/ maybe static NAT involved.

... I have to admit that I don't know if one can have dynamic routing on but one router interface. I think you can specify trusted routers for OSPF, etc ...

And, of course, don't forget a firewall (or two).

>
> - Clients with dynamic IPs are poorly supported.

True. IPSec is too dependent upon static IPs for gateway to gateway connections (tunnel mode, I believe). Transport mode, the client to gateway stuff, works with DHCP or is supposed to. My experience shows that if a client's DHCP lease expires and they do not get the same IP back, they do have to either renegotiate or reauthenticate depending upon the flexibility of both peers. SSL does a nicer job in this regard ... Best case it (dynamic IPs and IPSec) consumes time and worst case the connection is lost. If I have transport and tunnel swapped please forgive.

>
> AFAICT, what I want is to be able to issue x509 certs to
> any of my remote users for key exchange, and accept any
> cert from any client that was signed by my CA. That's what
> PKI is all about, right? Checking the racoon.conf man pages
> and sample racoon.conf files shows that I need to have the
> client's *private* key for a *specific* IP address.
>
> o Is this really the case, or am I just wrong here?

A predefined static IP is required for tunnel (gateway) mode, not transport (client). But you have the PKI thing right. It should be the client's public key, not private, that is exchanged.

>
> o Isn't requiring the server to have the private cert
> key the same as having a shared secret?

With a shared secret, it would theoretically be possible to launch a man-in-the-middle attack, because the math for the IPSec would be based partially on a known value. If I can find my Cisco IPSec class notes, I can send the formulas. Something like the remote public key is hashed with the local private key and there's a remainder/mod in there somewhere which is common to both, but never sent over the wire, to which the encryption is based. The authentication is somewhat independent and based off of the common root certifier ... CRLs and whatnot come into play. With shared secret, the secret is hashed and that is the basis for the encryption *AND* authentication.

Also, managing loads of shared secrets is a pain if you have lots of peers. ANX (Automotive Network eXchange, a huge IPSec network of auto manufacturers and suppliers) uses only shared secret at the moment (years after implementation ... but that is another story).

>
> o If I'm not wrong, and cert's private keys are required per
> IP address, is there some problem with the scheme I detailed
> above? As a comparison, isn't the whole point of the
> ssh_known_hosts file to keep only the public keys on the
> remote server? I mean, wouldn't it be great if ssh supported
> x509 certs, obviating the need for even the ssh_known_hosts
> file, as host keys would be signed by the CA?
>
> Isn't this what we want for IPSEC???

I think the private key thing in the racoon man page is a typo. Private keys are never shared, nor should ever be shared.

>
> In the end, if I go with a FreeBSD racoon or isakmpd solution, am I limited
> to the following setups ? :
>
> - One shared secret for all my users in the interest of manageability.
>
> I can only assume this means any user could theoretically listen in
> on the key exchange and thus be able to decrypt another's IPSEC
> communications

True. Bad form unless it is unavoidable.
And, the sharing of the shared secret would need to be done over an OOB trusted media (like heavily encrypted email, trusted phone call, face to face, etc.). Tracking and troubleshooting also become exponentially more difficult in this scenario. Imagine having to change the secret if it is compromised!

>
> - Different shared secrets for all users/client machines.
>
> Key management nightmare.

Indeed. See note above.

>
> - Different x509 certs for all users/client machines.
>
> See above.

Well, a good PKI takes care of that. As long as the certs have a common root, everything should be good. That's what I'm doing with an 1100 user base, but all commercial software and hardware. Some combine other authentication methods, like S/Key or smartcards, into the mix.

>
> - GSSAPI Auth .
>
> Does this even work? Does it work with w2k clients and an MIT
> KDC? If it does, this would probably do what I need for any w2k
> boxes out there, but all the info I read said it didn't work
> with w2k yet. Never mind any other IPSEC client software.
>

Beyond me on this one.

> Is there another VPN solution (mpd-netgraph+PPTP) that would suit my needs
> any better?
>
> Any enlightenment I can receive that can convince me IPSEC is anything
> more than an alpha-quality protocol that requires vendors (a la Cisco)
> to fix it would be most appreciated. It's entirely possible I have
> no idea what I'm talking about.

Well, an okay closed system is from Nokia that's relatively inexpensive. But they are negotiating with CheckPoint and the cost may well rise.
>
> ----------------------------------------------------------------------
> | Jim Hranicky, Senior SysAdmin                   UF/CISE Department |
> | E314D CSE Building                            Phone (352) 392-1499 |
> | jfh@cise.ufl.edu                      http://www.cise.ufl.edu/~jfh |
> ----------------------------------------------------------------------
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
>
>

IMHO, it'd be great if IPSec had SSL's flexibility (NAT is no problem, dynamic IPs are ~usually~ no problem, highly portable, light weight) and SSL had IPSec's robustness (better encryption, (w/ public key) better authentication and integrity, gateway to gateway tunnel-like mode for network to network connectivity). I don't know if SSL handles multicast, but IPSec certainly needs to.

As I said at the top, YMMV.

HTH!!! :^D

--
  ( ))  >===<--.  Dexter Coffin - America's Favorite Ne'er-Do-Well
 C|~~|  | = |-'   idnopheq@home.com - http://www.members.home.com/idnopheq
  `--'  `-----'   idnopheq@perlmonk.org - http://idnopheq.perlmonk.org

From owner-freebsd-security Mon Feb 11 18:25:16 2002
From: Beth Reid
To: "'freebsd-security@FreeBSD.org'"
Cc: 'Bill Swingle'
Subject: RE: Questions regarding the wheel group
Date: Fri, 8 Feb 2002 11:57:38 -0500
Message-Id: <20020212021206.3F3AC9EFD3@okeeffe.bestweb.net>

Bill,

So sorry for the inconvenience.
There was some formatting in the document which made readability easier.

Hopefully freebsd-security can help me, thanx for suggestion.
Here is the straight text rather than a word document attachment:
-----
I am doing research on the wheel group and security and I had a couple of questions.

I understand the purpose of wheel as follows: "Further protection is offered for the root account by using a special group called the wheel group. The wheel group adds greater security to a system by preventing users that are not in this group from using the su (super user) command to su to root."

So, the majority of the time one would add a user to the wheel group and then give that person the root password so that these selected few users could become root when they "su". Makes sense and is a good feature.

While doing my research, I wanted to know what other type of privileges a user would have if they belong to wheel. What if someone inadvertently added a user to the wheel group (and was not given root's password)? Would a user in the wheel group without the root password be able to compromise a system in any way?

Some thoughts: Why should the wheel group be used on any files? I would think from a security point of view, wheel should not be the default or primary group for root. This way if you are in the wheel group and have root's password, you can become root. If you are in the wheel group, but do not have root's password you should not gain any special privileges to any files or directories.
You should be like any other user.

My initial step was to check the permissions on all of the files to see if files with a group of "wheel" had permission bits where the group and other bits differed. Although this may not be exhaustive for every type of system, this is what I found on a FreeBSD Release 4.3 (without source) system. The following files had a group of wheel and had different group and other permissions.

1) The only 2 devices on my system where wheel had more permission than other were the following. I am not sure yet if there is a vulnerability here.

crw-rw----   2 root     wheel      14, 0x20000000 Nov 30 09:09 ./dev/rsa0.ctl
crw-rw----   2 root     wheel      14, 0x20000000 Nov 30 09:09 ./dev/sa0.ctl

2) In the /proc directory there is a mem file for each process. This seems to me like a vulnerability. The odd thing is that on one similar FreeBSD 4.3 release system the group was kmem for all files in this directory, all other systems had the group for root as wheel. So two questions here: 1) why does the group differ on the two systems, and 2) why does the wheel group have read privilege on these mem files?

-rw-r-----   1 root        wheel       0 Feb  6 12:27 ./proc/317/mem
-rw-r-----   1 root        wheel       0 Feb  6 12:27 ./proc/318/mem

3) This seems harmless.

-r-xr-x---  1 root  wheel     12424 Apr 21  2001 ./usr/sbin/mptable

4) This seems like it could be a vulnerability. If someone is in wheel that shouldn't be, he could read these files and perhaps gather some useful information.

in /var/log
-rw-r-----  1 root  wheel    5490 Feb  6 03:01 setuid.today
-rw-r-----  1 root  wheel    5490 Feb  5 03:01 setuid.yesterday
-rw-r-----  1 root  wheel    5464 Feb  2 03:01 dmesg.today
-rw-r-----  1 root  wheel    5527 Feb  1 03:01 dmesg.yesterday
-rw-r-----  1 root  wheel     136 Dec  1 03:02 mount.today

5) These directories allow wheel to poke around in them, but not someone in the other group. It seems like I wouldn't want the crash files exposed.
The cron directory is odd because although wheel can poke around in cron, he can't get to the tabs subfolder. The backup folder seems harmless(?). Someone in wheel can remove files from /tmp.

in /var
drwxrwxrwt  3 root    wheel    512 Feb  6 03:01 tmp
drwxr-x---  2 root    wheel    512 Feb  6 03:01 backups
drwxr-x---  3 root    wheel    512 Nov 30 09:08 cron
drwxr-x---  2 root    wheel    512 Nov 30 09:08 crash

Again, I am under the impression that if you put someone in wheel you want him to be able to become root. It seems wheel acts more like a role mechanism where if you belong to it, you have an additional privilege. Should the additional privileges include access to the files above or just be the ability to execute the "su" command?

In summary, if you could shed some light on any of these issues I would really appreciate it. If there are any documents you could point me to, I would be happy to do the research myself.

I am looking for answers or information for the following:

1) What if someone inadvertently added a user to the wheel group (and was not given root's password)? Would a user in the wheel group without the root password be able to compromise a system in any way?

2) Why should the wheel group be used on any files?
3) Why is the wheel group the primary group for root?
4) Items 1-5 for the files where group and other permissions differ. An explanation for these files and directories. Also the kmem issue is very strange.

5) Should being in the wheel group give any other privilege other than to execute the "su" command?
--------

Thanx again and apologies for inconvenience.
Beth

-----Original Message-----
From: Bill Swingle [mailto:unfurl@dub.net]
Sent: Friday, February 08, 2002 11:50 AM
To: Beth Reid
Cc: 'security-officer@FreeBSD.org'
Subject: Re: Questions regarding the wheel group

Beth,

Being that we're a unix security group most of us use microsoft products very rarely. If your questions are text only, why complicate the matter with an attachment?

Secondly, most likely the forum that you're looking for is the freebsd-security mailing list. Check the freebsd.org website for more info.

-Bill

On Fri, Feb 08, 2002 at 09:34:03AM -0500, Beth Reid wrote:
> Hi
>
> Attached is document with a few questions regarding the wheel group and
> security. If you have information, I would really appreciate it. If you
> can't read the attachment for any reason, please let me know.
>
> Thanx!
>
> Beth Reid
> CyberGuard Corporation
>
> phone: 954-958-3900 x3230
> email: breid@cyberguard.com
> fax: 954-958-3901
>
>
> See the LX, a new, low-cost EAL4 certified firewall/VPN compact appliance!
> http://www.cyberguard.com/SOLUTIONS/Solutions_lx1.html
>
>

--
-=| Bill Swingle - <unfurl@(dub.net|freebsd.org)>
-=| Every message PGP signed
-=| Fingerprint: C1E3 49D1 EFC9 3EE0 EA6E 6414 5200 1C95 8E09 0223
-=| "Computers are useless. They can only give you answers" Pablo Picasso

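The permission audit described in the message above (entries owned by group wheel whose group bits grant something the other bits do not), as an added example that is not part of the original message. It is written in Python so it behaves the same on FreeBSD and elsewhere; the function names and the default group and start directory are assumptions.

```python
#!/usr/bin/env python3
"""List entries owned by a group (default: wheel) where the group permission
bits grant access that the 'other' bits do not."""
import grp
import os
import stat
import sys


def group_only_bits(mode):
    """Return the rwx access the group has and 'other' lacks, e.g. 'r-x'."""
    group_bits = (mode >> 3) & 0o7
    other_bits = mode & 0o7
    extra = group_bits & ~other_bits
    return "".join(c if extra & b else "-" for c, b in (("r", 4), ("w", 2), ("x", 1)))


def audit_group(root, gid):
    """Walk root (symlinks are not followed) and return a sorted list of
    (path, mode_string, group_only) for entries whose group is gid and whose
    group bits exceed the other bits. Unreadable directories are skipped."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # vanished (e.g. a /proc entry) or not accessible
            if st.st_gid != gid or stat.S_ISLNK(st.st_mode):
                continue
            extra = group_only_bits(st.st_mode)
            if extra != "---":
                findings.append((path, stat.filemode(st.st_mode), extra))
    return sorted(findings)


def main(argv):
    group = argv[1] if len(argv) > 1 else "wheel"  # assumed default group
    root = argv[2] if len(argv) > 2 else "/"       # assumed default start directory
    try:
        gid = grp.getgrnam(group).gr_gid
    except KeyError:
        print(f"no such group: {group}", file=sys.stderr)
        return 2
    for path, mode, extra in audit_group(root, gid):
        print(f"{mode}  group-only={extra}  {path}")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as root so that directories closed to other users are walked too; the `group-only` column shows exactly what membership in the group adds for each entry.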



From owner-freebsd-security Mon Feb 11 18:25:59 2002
To: security@freebsd.org
Subject: Re: Questions (Rants?) About IPSEC
Date: Thu, 07 Feb 2002 20:30:24 -0500
From: "James F. Hranicky"
Message-Id: <20020212021152.079C39F292@okeeffe.bestweb.net>

"James F. Hranicky" wrote in message news:list.freebsd.security#20020207163347.51C606B29@mail.cise.ufl.edu...

> I don't understand what you mean here, ipsec doesn't require something special
> from routing.

Hmmm...well, what I'd like is to be able to query the router for the nets that are behind it, and automagically add those to the IPSEC config.

> There are some new RFCs about natting ipsec tunnel packets.
> You can only nat tunnel packets because the outer headers are not
> authenticated.

I mean NATting them after decryption, so they can find their way back to an arbitrary IPSEC router within the internal net and not go back out the border router due to the outside source address. I sent a post detailing this a couple of weeks ago. ("IPSEC into network behind the primary router", 1/17/02)

> > o Is this really the case, or am I just wrong here?
> Every ipsec endpoint needs own private key + certificate + CA certificate,
> that's all.

Great! What a relief. I guess I've had a hard time understanding racoon.conf .

> The intention with ipsec is that you don't need all public certs from all
> your peers.
> You only need (all) CA certs
> If you start a session , the remote party (racoon) sends its cert.
> Your local racoon looks if it has a CA cert which has signed your peers
> cert.
> It then verifies the peer cert.
> This is also the only way for mobile users.

Ok, great.

> You should really first do some tests with ipsec.
> I used 2 freebsd machines (inside vmware).
> There are numerous examples on the net which clarifies your questions.
> It works with win2000 ,
> with pre-shared authentication keys , associated with ip addresses.
> with cert authentication , associated with x509 names/email addresses.

Awesome. I've been searching the 'net for quite a while, but the docs I've found seemed on the terse side. I'll give it a go and see what happens. I have been able to get simple transport mode + shared secrets working, so now I'll try out the certs.

Thanks a ton!

----------------------------------------------------------------------
| Jim Hranicky, Senior SysAdmin                   UF/CISE Department |
| E314D CSE Building                            Phone (352) 392-1499 |
| jfh@cise.ufl.edu                      http://www.cise.ufl.edu/~jfh |
----------------------------------------------------------------------

From owner-freebsd-security Mon Feb 11 18:26: 3 2002
From: Geir Råness
To: "Kerberus"
Subject: Re: Reliable shell logs
Date: Tue, 5 Feb 2002 15:34:31 +0100
Message-Id: <20020212021218.DC5DA9F006@okeeffe.bestweb.net>

Yes it is, thanks for it.
I have seen the shell patches before but not the bash secure patch.. :)

Best Regards

Geir Råness
PulZ @ efnet

----- Original Message -----
From: "Kerberus"
To: "Geir Råness"
Sent: Tuesday, February 05, 2002 3:51 PM
Subject: Re: Reliable shell logs

Hrmmm looks like the file I sent over!! : ))

On Tue, 2002-02-05 at 08:20, Geir Råness wrote:
> Yeah, I have put them up at www.pulz.no/files/freebsd/Logging
> Read the readme files in them, and you probably would find the url to the
> folx who made the patches...
>
> You can in fact remove a user's right to change his shell, this you could do
> by limiting the users access to chsh and so on, you could set it to wheel
> group only.
> Or you could remove the shell from the /etc/shells (i think).
>
> Best Regards
>
> Geir Råness
> PulZ @ efnet
>
> ----- Original Message -----
> From: "Roger 'Rocky' Vetterberg" > To: "Geir Råness" > Cc: ; > Sent: Monday, February 04, 2002 11:43 PM > Subject: Re: Reliable shell logs > > > > Geir Råness wrote: > > > > > You always could set your users to the shell bash, that is patched with > the > > > "bofh" logging. > > > That's one way you could secure log your users, but it could be found. > > > It all depends on the intruder. > > > > > > Do you know where I could find this patch? > > I tried google.com/bsd and found a bounch of sh patches, but > > none for bash. > > And what stops the user from changing his shell? 'chsh' > > would let him change shell to csh, tcsh or whatever is > > available on the system, right? How can I prevent this? > > > > > This you can do something about however, you can have an locale log > server, > > > that the "shell" server sends the log to, > > > with upload access only. > > > So the intruder cant delete the logs, you probaly shuld make this server > an > > > local login only. > > > > > > Geir Råness > > > PulZ @ efnet > > > > > > -- > > R > > > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > > with "unsubscribe freebsd-security" in the body of the message > > > > > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Feb 11 18:26:27 2002 Delivered-To: freebsd-security@freebsd.org Received: from newman2.bestweb.net (newman2.bestweb.net [209.94.102.67]) by hub.freebsd.org (Postfix) with ESMTP id 0354C37B493 for ; Mon, 11 Feb 2002 18:17:09 -0800 (PST) Received: from okeeffe.bestweb.net (okeefe.bestweb.net [209.94.100.110]) by newman2.bestweb.net (Postfix) with ESMTP id 29153231D7 for ; Mon, 11 Feb 2002 21:16:50 -0500 (EST) Received: by 
okeeffe.bestweb.net (Postfix, from userid 0) id 4CD159F2A8; Mon, 11 Feb 2002 21:11:55 -0500 (EST) To: security@freebsd.org Subject: Re: Questions (Rants?) About IPSEC Date: Thu, 07 Feb 2002 22:07:32 -0500 From: "James F. Hranicky" Message-Id: <20020212021155.4CD159F2A8@okeeffe.bestweb.net> Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org > Great! What a relief. I guess I've had a hard time understanding racoon.conf . I guess what happened was I got it stuck in my head that the "certificate_type x509" directive specified the *remote* cert and not the local one. Looking at it now it seems obvious. Well, I feel a bit foolish for my ranting, but much happier that certs are now working as expected. Many thanks to all who responded. ---------------------------------------------------------------------- | Jim Hranicky, Senior SysAdmin UF/CISE Department | | E314D CSE Building Phone (352) 392-1499 | | jfh@cise.ufl.edu http://www.cise.ufl.edu/~jfh | ---------------------------------------------------------------------- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Feb 11 18:26:33 2002 Delivered-To: freebsd-security@freebsd.org Received: from newman2.bestweb.net (newman2.bestweb.net [209.94.102.67]) by hub.freebsd.org (Postfix) with ESMTP id 3853837B6AA for ; Mon, 11 Feb 2002 18:19:45 -0800 (PST) Received: from okeeffe.bestweb.net (okeefe.bestweb.net [209.94.100.110]) by newman2.bestweb.net (Postfix) with ESMTP id 7ED9023351 for ; Mon, 11 Feb 2002 21:18:35 -0500 (EST) Received: by okeeffe.bestweb.net (Postfix, from userid 0) id B70C89F016; Mon, 11 Feb 2002 21:13:02 -0500 (EST) 
From: Frank Drebin
Subject: Re: Racoon/sainfo - 'no policy found'
To: freebsd-security@freebsd.org
Date: Fri, 8 Feb 2002 23:57:26 -0800 (PST)

> It seems to me the your pgpnet peer is trying to use x509
> authentication because in this case
> the ip address will not be used as an id.
> How do both configurations look?
>
> Try to look with ethereal, the first messages in phase 1 are
> not crypted

OK, the config file is at the end of this message. Both ends are
the same. Since sending my first message I've found that
FBSD/racoon<->FBSD/racoon only works till the first time the keys
are renegotiated. At that point I get the message about the
security association expiring but from then on I always get the
'policy not found' error.

The following is part of the log from one side of the FBSD<->FBSD case.

2002-02-08 23:44:28: INFO: pfkey.c:1365:pk_recvexpire(): IPsec-SA expired: ESP/Tunnel NODE-A->NODE-B spi=230063835(0xdb67edb)
2002-02-08 23:45:13: ERROR: pfkey.c:738:pfkey_timeover(): NODE-A give up to get IPsec-SA due to time up to wait.
2002-02-08 23:46:26: INFO: isakmp.c:1513:isakmp_ph1expire(): ISAKMP-SA expired NODE-B[500]-NODE-A[500] spi:acb764b9c1e300cc:c458bd632f2ae2b0
2002-02-08 23:46:27: INFO: isakmp.c:1561:isakmp_ph1delete(): ISAKMP-SA deleted NODE-B[500]-NODE-A[500] spi:acb764b9c1e300cc:c458bd632f2ae2b0
2002-02-08 23:47:31: INFO: isakmp.c:891:isakmp_ph1begin_r(): respond new phase 1 negotiation: NODE-B[500]<=>NODE-A[500]
2002-02-08 23:47:31: INFO: isakmp.c:896:isakmp_ph1begin_r(): begin Aggressive mode.
2002-02-08 23:47:33: NOTIFY: oakley.c:2036:oakley_skeyid(): couldn't find pskey, try to get one by the peer's address.
2002-02-08 23:47:33: INFO: isakmp.c:2409:log_ph1established(): ISAKMP-SA established NODE-B[500]-NODE-A[500] spi:d0ce96eebdeb0fec:3e4be8b2963f2ca6
2002-02-08 23:47:33: INFO: isakmp.c:1046:isakmp_ph2begin_r(): respond new phase 2 negotiation: NODE-B[0]<=>NODE-A[0]
2002-02-08 23:47:33: ERROR: proposal.c:965:set_proposal_from_policy(): not supported nested SA.
2002-02-08 23:47:33: ERROR: isakmp_quick.c:2070:get_proposal_r(): failed to create saprop.
2002-02-08 23:47:33: ERROR: isakmp_quick.c:1069:quick_r1recv(): failed to get proposal for responder.
2002-02-08 23:47:33: ERROR: isakmp.c:1060:isakmp_ph2begin_r(): failed to pre-process packet.

... ad nauseam

Thanks for your help!

------ racoon config file -------
# $KAME: racoon.conf.in,v 1.18 2001/08/16 06:33:40 itojun Exp $

# "path" must be placed before it should be used.
# You can overwrite which you defined, but it should not use due to confusing.
path include "/usr/local/etc/racoon" ;
#include "remote.conf" ;

# search this file for pre_shared_key with various ID key.
path pre_shared_key "/usr/local/etc/racoon/psk.txt" ;

# racoon will look for certificate file in the directory,
# if the certificate/certificate request payload is received.
path certificate "/usr/local/etc/cert" ;

# "log" specifies logging level. It is followed by either "notify", "debug"
# or "debug2".
#log debug;

# "padding" defines some parameter of padding. You should not touch these.
padding {
        maximum_length 20;      # maximum padding length.
        randomize off;          # enable randomize length.
        strict_check off;       # enable strict check.
        exclusive_tail off;     # extract last one octet.
}

# if no listen directive is specified, racoon will listen to all
# available interface addresses.
listen {
        #isakmp ::1 [7000];
        #isakmp 202.249.11.124 [500];
        #admin [7002];          # administrative's port by kmpstat.
        #strict_address;        # required all addresses must be bound.
}

# Specification of default various timer.
timer {
        # These value can be changed per remote node.
        counter 5;              # maximum trying count to send.
        interval 20 sec;        # maximum interval to resend.
        persend 1;              # the number of packets per a send.

        # timer for waiting to complete each phase.
        phase1 30 sec;
        phase2 15 sec;
}

remote anonymous {
        #exchange_mode main,aggressive;
        exchange_mode aggressive,main;
        doi ipsec_doi;
        situation identity_only;

        #my_identifier address;
        my_identifier user_fqdn "sakane@kame.net";
        peers_identifier user_fqdn "sakane@kame.net";
        #certificate_type x509 "mycert" "mypriv";

        nonce_size 16;
        lifetime time 10 min;   # sec,min,hour
        initial_contact on;
        support_mip6 on;
        proposal_check obey;    # obey, strict or claim

        proposal {
                encryption_algorithm 3des;
                hash_algorithm sha1;
                authentication_method pre_shared_key ;
                dh_group 5;
        }
}

sainfo anonymous {
        pfs_group 5;
        lifetime time 10 min;
        authentication_algorithm hmac_sha1;
        encryption_algorithm 3des;
        compression_algorithm deflate ;
}

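An added example, not part of the message above and not racoon's own code: a Python sketch that parses the racoon log format quoted in that message, undoes terminal hard-wraps and fused records, and groups ERROR records under the phase 2 negotiation they follow. The sample text is constructed from the posted log, and the names `Record`, `parse` and `triage` are hypothetical.

```python
import re
from typing import NamedTuple


class Record(NamedTuple):
    ts: str      # "YYYY-MM-DD HH:MM:SS"
    level: str   # INFO, NOTIFY, ERROR, DEBUG
    where: str   # "file.c:line:function()"
    msg: str


# Constructed sample: records from the log posted above, hard-wrapped in the
# middle of words and with two records fused onto one line, the kind of
# damage a pasted terminal log picks up.
SAMPLE = """\
2002-02-08 23:44:28: INFO: pfkey.c:1365:pk_recvexpire(): IPsec-SA expired: ESP/T
unnel NODE-A->NODE-B spi=230063835(0xdb67edb)
2002-02-08 23:45:13: ERROR: pfkey.c:738:pfkey_timeover(): NODE-A give up to get IPsec-SA due to time up to wait.
2002-02-08 23:47:31: INFO: isakmp.c:891:isakmp_ph1begin_r(): respond new phase 1 negotiation: NODE-B[500]<=>NODE-A[500]
2002-02-08 23:47:33: INFO: isakmp.c:2409:log_ph1established(): ISAKMP-SA establi
shed NODE-B[500]-NODE-A[500] spi:d0ce96eebdeb0fec:3e4be8b2963f2ca6
2002-02-08 23:47:33: INFO: isakmp.c:1046:isakmp_ph2begin_r(): respond new phase 2 negotiation: NODE-B[0]<=>NODE-A[0]
2002-02-08 23:47:33: ERROR: proposal.c:965:set_proposal_from_policy(): not suppo
rted nested SA.2002-02-08 23:47:33: ERROR: isakmp_quick.c:2070:get_proposal_r(): failed to create saprop.
2002-02-08 23:47:33: ERROR: isakmp_quick.c:1069:quick_r1recv(): failed to get pr
oposal for responder.
2002-02-08 23:47:33: ERROR: isakmp.c:1060:isakmp_ph2begin_r(): failed to pre-pro
cess packet.
"""

# A record starts wherever "timestamp: LEVEL: " appears, even mid-line.
_START = re.compile(r"(?=\d{4}-\d\d-\d\d \d\d:\d\d:\d\d: [A-Z]+: )")
_RECORD = re.compile(
    r"(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d): (?P<level>[A-Z]+): "
    r"(?P<where>\S+?:\d+:\w+\(\)): (?P<msg>.*)",
    re.S,
)


def parse(text):
    """Return a list of Record, tolerant of hard-wraps and fused records."""
    # Hard-wraps cut words in half, so the fragments are rejoined with nothing
    # between them; the timestamp pattern then restores the record boundaries.
    joined = text.replace("\r", "").replace("\n", "")
    records = []
    for chunk in _START.split(joined):
        m = _RECORD.fullmatch(chunk)
        if m:
            records.append(Record(m["ts"], m["level"], m["where"], m["msg"].strip()))
    return records


def triage(text):
    """Group ERROR records under the phase 2 negotiation that precedes them.

    Simplification: every ERROR after a "new phase 2 negotiation" record is
    charged to that attempt until the next attempt starts.
    """
    expired, attempts, stray, current = 0, [], [], None
    for r in parse(text):
        if r.msg.startswith("IPsec-SA expired"):
            expired += 1
        elif "new phase 2 negotiation" in r.msg:
            current = {
                "started": r.ts,
                "peers": r.msg.partition(": ")[2],
                "after_expiry": expired > 0,   # renegotiation, not first setup
                "errors": [],
            }
            attempts.append(current)
        elif r.level == "ERROR":
            (current["errors"] if current is not None else stray).append(r)
    return {
        "expired": expired,
        "failed_phase2": [a for a in attempts if a["errors"]],
        "stray_errors": stray,
    }


if __name__ == "__main__":
    report = triage(SAMPLE)
    for attempt in report["failed_phase2"]:
        first = attempt["errors"][0]   # the most specific error in this log
        print(attempt["started"], attempt["peers"],
              "renegotiation" if attempt["after_expiry"] else "initial",
              "->", first.where, first.msg)
```

In this log the first ERROR of the failed attempt (`set_proposal_from_policy()`) is the most specific one; the three that follow come from the functions listed after it reporting the same failure.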
From: David Gilbert
Date: Fri, 8 Feb 2002 11:02:41 -0500
To: Garrett Wollman
Cc: "James F. Hranicky", security@FreeBSD.ORG
Subject: [security] Questions (Rants?) About IPSEC

>>>>> "Garrett" == Garrett Wollman writes:

Garrett> < said:
>> After reading up on IPSEC, I have one major question: Is it really
>> a good protocol?

Garrett> No, but it's the best one we've got.

I've been keen on IPSec for some time ... I've even had it running
between selections of hosts, but I haven't been able to set up two
scenarios that would make it actually useful to me:

1) Wireless DHCP laptop <-- tunnel mode --> gatewaybox

2) Home box on Cable Modem (DHCP) <-- tunnel mode --> office

The basic blocking point is that none of the HOWTO's written on the
subject say anything about dynamic clients. I would really like to
see a HOWTO (from someone working on this stuff) that assumes the
client is roaming.

Dave.

--
============================================================================
|David Gilbert, Velocet Communications.       | Two things can only be     |
|Mail: dgilbert@velocet.net                   | equal if and only if they  |
|http://daveg.ca                              | are precisely opposite.    |
=========================================================GLO================

From: "Tom Beer"
Subject: no matching session
Date: Thu, 7 Feb 2002 22:48:44 +0100

Hi,

I just found in my logs the following: I asked on the ipf mailing list
but didn't get a definitive answer. I checked my logs (all) and haven't
found "no matching session".

Feb 7 03:18:41 strawberry ipmon[95]: 03:18:41.294443 tun0 @0:33 b 217.2.169.226,2387 -> 217.80.41.192,21 PR tcp len 20 48 -S 639002257 0 16384 IN no matching seesion

my block rule for port 21 is

block return-rst in log body quick on tun0 proto tcp from any to any port = 21

What does no matching session mean?

ipf -V
ipf: IP Filter: v3.4.16 (264)
Kernel: IP Filter: v3.4.16

Greets Tom


Date: Sat, 9 Feb 2002 00:55:57 +0100
From: Przemyslaw Frasunek
To: security@freebsd.org
Subject: [Announce] Cerber security module for FreeBSD 4.x

Hello,

We would like to bring your attention to our recent tool, a Cerber
security module for FreeBSD 4.x. It provides configurable restrictions of
execve(), ptrace(), open(), [l|f]chmod(), kld[un]load(), __sysctl(),
unlink(), kill(), [sym]link(), [un]mount(), rename(), [l|f]chown(),
ioctl() and set[e|r|s][u|g]id with extensive logging and argument checking.

Please consider visiting homepage of our project:
http://www.sourceforge.net/projects/cerber/

Notice that project is still under heavy development. Please report any
bugs.

--
* Fido: 2:480/124 ** WWW: http://www.frasunek.com/ ** NIC-HDL: PMF9-RIPE *
* Inet: przemyslaw@frasunek.com ** PGP: D48684904685DF43EA93AFA13BE170BF *


Date: Fri, 08 Feb 2002 22:53:34 -0700
To: security@FreeBSD.ORG
From: Brett Glass
Subject: Is the technique described in this article do-able with

http://www.samag.com/documents/s=1824/sam0201d/0201d.htm

From: "Rob Frohwein"
To: freebsd-security@freebsd.org
Subject: Re: Questions (Rants?) About IPSEC
Date: Thu, 7 Feb 2002 14:25:14 -0800

"James F. Hranicky" wrote in message
news:list.freebsd.security#20020207163347.51C606B29@mail.cise.ufl.edu...
>
> After reading up on IPSEC, I have one major question: Is it really
> a good protocol?
>
> It may be that I don't understand it well enough, or that the
> implementations I've looked at are lacking in features that I want,
> but it seems to me that it simply isn't a good solution for anything
> more than a small number of users. Here are the problems I have with
> IPSEC:
>
>   - IPSEC routers don't seem to be able to advertise routes
>     for an arbitrary number of networks behind them

I don't understand what you mean here, ipsec doesn't require something
special from routing.

>
>   - IPSEC routers have to basically be the border router for
>     a site, as there is no post-decryption NAT protocol to
>     get packets back to a router on the inside of the network
>     (Apparently, Cisco VPN boxes have this capability, but
>     it's an add-on to IPSEC AFAICT).

There are some new RFC's about natting ipsec tunnel packets.
You can only nat tunnel packets because the outer headers are not
authenticated.

>
>   - Clients with dynamic IPs are poorly supported.

Can only be done when using cert authentication.

>
>     AFAICT, what I want is to be able to issue x509 certs to
>     any of my remote users for key exchange, and accept any
>     cert from any client that was signed by my CA. That's what
>     PKI is all about, right? Checking the racoon.conf man pages
>     and sample racoon.conf files shows that I need to have the
>     client's *private* key for a *specific* IP address.
>
>     o Is this really the case, or am I just wrong here?

Every ipsec endpoint needs own private key + certificate + CA
certificate, that's all.

>
>     o Isn't requiring the server to have the private cert
>       key the same as having a shared secret?

Every party needs to have its own private + public key.

>
>     o If I'm not wrong, and cert's private keys are required per
>       IP address, is there some problem with the scheme I detailed
>       above? As a comparison, isn't the whole point of the
>       ssh_known_hosts file to keep only the public keys on the
>       remote server? I mean, wouldn't it be great if ssh supported
>       x509 certs, obviating the need for even the ssh_known_hosts
>       file, as host keys would be signed by the CA?
>
>       Isn't this what we want for IPSEC???

The intention with ipsec is that you don't need all public certs from
all your peers. You only need (all) CA certs.
If you start a session, the remote party (racoon) sends its cert.
Your local racoon looks if it has a CA cert which has signed your peer's
cert. It then verifies the peer cert.
This is also the only way for mobile users.

>
> In the end, if I go with a FreeBSD racoon or isakmpd solution, am I limited
> to the following setups ? :
>
>   - One shared secret for all my users in the interest of manageability.
>
>     I can only assume this means any user could theoretically listen in
>     on the key exchange and thus be able to decrypt another's IPSEC
>     communications
>
>   - Different shared secrets for all users/client machines.
>
>     Key management nightmare.
>
>   - Different x509 certs for all users/client machines.
>
>     See above.
>
>   - GSSAPI Auth .
>
>     Does this even work? Does it work with w2k clients and an MIT
>     KDC? If it does, this would probably do what I need for any w2k
>     boxes out there, but all the info I read said it didn't work
>     with w2k yet. Never mind any other IPSEC client software.
>
> Is there another VPN solution (mpd-netgraph+PPTP) that would suit my needs
> any better?
>
> Any enlightenment I can receive that can convince me IPSEC is anything
> more than an alpha-quality protocol that requires vendors (a la Cisco)
> to fix it would be most appreciated. It's entirely possible I have
> no idea what I'm talking about.
>

You should really first do some tests with ipsec.
I used 2 freebsd machines (inside vmware).
There are numerous examples on the net which clarify your questions.
It works with win2000,
with pre-shared authentication keys, associated with ip addresses.
with cert authentication, associated with x509 names/email addresses.

greeting Rob Frohwein

> ----------------------------------------------------------------------
> | Jim Hranicky, Senior SysAdmin                   UF/CISE Department |
> | E314D CSE Building                            Phone (352) 392-1499 |
> | jfh@cise.ufl.edu                      http://www.cise.ufl.edu/~jfh |
> ----------------------------------------------------------------------

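An added example, not part of the thread and not racoon's implementation: the trust decision Rob Frohwein describes above, where a gateway holds only the CA certificate and accepts any peer certificate that CA signed, while each peer keeps its own private key. It assumes the Python `cryptography` package and EC keys; every name and subject is constructed, and validity-period and revocation checks are left out.

```python
import datetime
import os

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID


def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])


def issue(subject_cn, subject_key, issuer_cn, issuer_key, is_ca=False):
    """Issuer signs the subject's *public* key; no private key changes hands."""
    now = datetime.datetime.now(datetime.timezone.utc)
    return (
        x509.CertificateBuilder()
        .subject_name(_name(subject_cn))
        .issuer_name(_name(issuer_cn))
        .public_key(subject_key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - datetime.timedelta(minutes=5))
        .not_valid_after(now + datetime.timedelta(days=30))
        .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
        .sign(issuer_key, hashes.SHA256())
    )


def accepts(trusted_cas, peer_cert):
    """Gateway side: was peer_cert signed by a CA certificate we hold?

    The issuer name alone proves nothing, so the CA's public key is used to
    check the signature over the certificate body.
    """
    for ca in trusted_cas:
        if peer_cert.issuer != ca.subject:
            continue
        try:
            ca.public_key().verify(
                peer_cert.signature,
                peer_cert.tbs_certificate_bytes,
                ec.ECDSA(peer_cert.signature_hash_algorithm),
            )
            return True
        except InvalidSignature:
            continue
    return False


def proves_possession(peer_cert, challenge, signature):
    """The peer must also sign with the key matching its certificate.

    Simplified stand-in for IKE signature authentication, which signs a hash
    of the exchange rather than a bare challenge.
    """
    try:
        peer_cert.public_key().verify(signature, challenge, ec.ECDSA(hashes.SHA256()))
        return True
    except InvalidSignature:
        return False


def demo():
    new_key = lambda: ec.generate_private_key(ec.SECP256R1())
    ca_key, other_ca_key, laptop_key, outsider_key = (new_key() for _ in range(4))

    ca_cert = issue("Example VPN CA", ca_key, "Example VPN CA", ca_key, is_ca=True)
    # A roaming client: its address never appears, only its signed identity.
    laptop = issue("laptop@example.org", laptop_key, "Example VPN CA", ca_key)
    # Same issuer *name*, but signed by a key the gateway does not trust.
    lookalike = issue("outsider@example.org", outsider_key, "Example VPN CA", other_ca_key)

    trusted = [ca_cert]            # all the gateway stores about its clients
    challenge = os.urandom(32)
    sig = ec.ECDSA(hashes.SHA256())
    return {
        "laptop_cert_accepted": accepts(trusted, laptop),
        "lookalike_cert_accepted": accepts(trusted, lookalike),
        "laptop_proves_key": proves_possession(
            laptop, challenge, laptop_key.sign(challenge, sig)),
        "copied_cert_proves_key": proves_possession(
            laptop, challenge, outsider_key.sign(challenge, sig)),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```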
From: "Rob Frohwein"
To: freebsd-security@freebsd.org
Subject: Re: Racoon/sainfo - 'no policy found'
Date: Thu, 7 Feb 2002 14:40:26 -0800

"Frank Drebin" wrote in message
news:list.freebsd.security#200202030048.QAA49670@mini.chicago.com...
> I'm trying to get working a 'standard' vpn setup. That is,
> I have a FreeBSD (4.2) machine running NAT, IPFilter, IPSec,
> Racoon (version 20011215a) among other things. I want to
> connect to it using Windows 98 and PGPNet (I've tried 6.5.8
> and 7.0.3) over the internet. No matter what I do, I get
> 'no policy found' followed by 'failed to get proposal for
> responder'.
>
> I should point out that I *HAVE* gotten this whole thing to
> work when I replaced the '98 side with another FBSD machine
> (4.4) running racoon (same version) along with all the other
> appropriate pieces.
>
> I've attached a section of the log file generated when trying
> to connect from '98. My racoon.conf is just a copy of the one
> that comes with the distribution. It works for FBSD<->FBSD,
> why doesn't it work with PGPNet?
>
> Oh, and in searching through the mailing lists I came across
> a patch someone suggested for something similar. I tried
> that too - no joy.
>
> Any help, suggestions, etc. would be greatly appreciated!
>
> Thanks
>
> -------------
> . . .
> 2002-01-31 17:18:45: DEBUG: oakley.c:755:oakley_compute_hash1(): HASH computed:
> 2002-01-31 17:18:45: DEBUG: plog.c:193:plogdump():
> 79d4fa1b 6c2b6af5 91173e15 f7f8729f 6215747a
> 2002-01-31 17:18:45: DEBUG: sainfo.c:100:getsainfo(): anonymous sainfo selected.
> 2002-01-31 17:18:45: DEBUG: isakmp_quick.c:1815:get_sainfo_r(): get sa info: anonymous
> . . .
>
> 2002-01-31 17:18:45: DEBUG: sainfo.c:100:getsainfo(): anonymous sainfo selected.
> 2002-01-31 17:18:45: DEBUG: isakmp_quick.c:1815:get_sainfo_r(): get sa info: anonymous
> 2002-01-31 17:18:45: DEBUG: isakmp_quick.c:1907:get_proposal_r(): get a destination address of SP index from phase1 address due to no ID payloads found OR because ID type is not address.

++++++++++++++++++++
It seems to me the your pgpnet peer is trying to use x509 authentication,
because in this case the ip address will not be used as an id.
How do both configurations look?

Try to look with ethereal, the first messages in phase 1 are not crypted.
++++++++++++++++++++++++

> 2002-01-31 17:18:45: DEBUG: isakmp_quick.c:1968:get_proposal_r(): get a source address of SP index from phase1 address due to no ID payloads found OR because ID type is not address.
> 2002-01-31 17:18:45: DEBUG: isakmp_quick.c:1993:get_proposal_r(): get a src address from ID payload WINDOWS-EXTERNAL[0] prefixlen=32 ul_proto=0
> 2002-01-31 17:18:45: DEBUG: isakmp_quick.c:1998:get_proposal_r(): get dst address from ID payload FBSD-EXTERNAL[0] prefixlen=32 ul_proto=0
> 2002-01-31 17:18:45: DEBUG: policy.c:216:cmpspidxwild(): sub:0xbfbff6b0: WINDOWS-EXTERNAL[0] FBSD-EXTERNAL[0] proto=any dir=in
> 2002-01-31 17:18:45: DEBUG: policy.c:217:cmpspidxwild(): db: 0x80a3a08: WINDOWS-INTERNAL[0] FBSD-INTERNAL[0] proto=any dir=in
> 2002-01-31 17:18:45: DEBUG: policy.c:244:cmpspidxwild(): 0xbfbff6b0 masked with /24: WINDOWS-EXTERNAL/24[0]
> 2002-01-31 17:18:45: DEBUG: policy.c:246:cmpspidxwild(): 0x80a3a08 masked with /24: WINDOWS-INTERNAL/24[0]
> 2002-01-31 17:18:45: DEBUG: policy.c:216:cmpspidxwild(): sub:0xbfbff6b0: WINDOWS-EXTERNAL[0] FBSD-EXTERNAL[0] proto=any dir=in
> 2002-01-31 17:18:45: DEBUG: policy.c:217:cmpspidxwild(): db: 0x80a3e08: FBSD-INTERNAL/24[0] WINDOWS-INTERNAL/24[0] proto=any dir=out
> 2002-01-31 17:18:45: ERROR: isakmp_quick.c:2028:get_proposal_r(): no policy found: WINDOWS-EXTERNAL[0] UNIX-EXTERNAL/32[0] proto=any dir=in
> 2002-01-31 17:18:45: ERROR: isakmp_quick.c:1069:quick_r1recv(): failed to get proposal for responder.
> 2002-01-31 17:18:45: ERROR: isakmp.c:1060:isakmp_ph2begin_r(): failed to pre-process packet.
> . . .


Date: Thu, 7 Feb 2002 20:06:06 +0000
From: hh
To: questions@freebsd.org
Cc: freebsd-security@freebsd.org
Subject: 4.4-RELEASE-p7 FreeBSD 4.4-RELEASE-p7 problems

razordea eggdrop-  1743 14 ? ? ?
poker    eggdrop-  1732  3 ? ? ?
poker    eggdrop-  1732  5 ? ? ?
poker    eggdrop-  1729  3 ? ? ?
poker    eggdrop-  1729  5 ? ? ?
penhao   eggdrop-  1706  3 ? ? ?
penhao   eggdrop-  1706  4 ? ? ?
penhao   eggdrop-  1706  6 ? ? ?
penhao   eggdrop-  1704  3 ? ? ?
penhao   eggdrop-  1704  4 ? ? ?

some# netstat -na |more
Active UNIX domain sockets
Address  Type   Recv-Q Send-Q    Inode     Conn     Refs  Nextref Addr
d9bc8d00 stream      0      0        0 d9bc8280        0        0 /tmp/mysql.sock
d9bc8280 stream      0      0        0 d9bc8d00        0        0
d9bc8d80 stream      0      0        0 d9bc8580        0        0 /tmp/mysql.sock
d9bc8580 stream      0      0        0 d9bc8d80        0        0

what's going on ? i can't see who's connect from anywhere to anywhere ..
i have an 4.4-RELEASE-p7 FreeBSD 4.4-RELEASE-p7

From: Darren Reed
Subject: Re: Is the technique described in this article do-able with
To: brett@lariat.org (Brett Glass)
Date: Sat, 9 Feb 2002 17:20:40 +1100 (Australia/ACT)
Cc: security@FreeBSD.ORG

In some mail from Brett Glass, sie said:
>
> http://www.samag.com/documents/s=1824/sam0201d/0201d.htm

I believe that when you "halt" FreeBSD the whole OS halts. When you see
the "press any key to reboot" message, no more activity is happening.

One question though, how do you generate log information?

Personally, I think of this as a 'misfeature'.

Cheers,
Darren


Date: Sat, 9 Feb 2002 03:12:19 +0200 (EET)
From: Giorgos Keramidas
To: hh
Cc: questions@freebsd.org
Subject: Re: 4.4-RELEASE-p7 FreeBSD 4.4-RELEASE-p7 problems

[ Do not cross-post. This is only marginally related to -security. ]

On 2002-02-07 20:06, hh wrote:
> some# netstat -na |more
> Active UNIX domain sockets
> Address  Type   Recv-Q Send-Q    Inode     Conn     Refs  Nextref Addr
> d9bc8d00 stream      0      0        0 d9bc8280        0        0 /tmp/mysql.sock
> d9bc8280 stream      0      0        0 d9bc8d00        0        0
> d9bc8d80 stream      0      0        0 d9bc8580        0        0 /tmp/mysql.sock
> d9bc8580 stream      0      0        0 d9bc8d80        0        0
>
> what's going on ? i can't see who's connect from anywhere to anywhere ..
> i have an 4.4-RELEASE-p7 FreeBSD 4.4-RELEASE-p7

Your world (i.e. userland binaries) is probably out of sync with the
running kernel. Try the instructions of /usr/src/UPDATING for
building both a world and kernel. While you're there, you will
probably find it nice to update to a newer version of -STABLE :-)

- Giorgos

From: Jim Durham Reply-To: durham@jcdurham.com To: freebsd-security@freebsd.org Subject: IPSEC and gif interface after 4.4 Date: Sun, 10 Feb 2002 16:01:00 -0500 Message-Id: <20020212021239.EED059F3AE@okeeffe.bestweb.net> Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org I pass this along to save someone else some head-banging like I did. I missed this in the 4.4 release notes: "Network device cloning has been implemented, and the gif(4) device has been modified to take advantage of it. Thus, instead of specifying how many gif(4) interfaces are available in kernel configuration files, ifconfig(8)'s create option should be used when another device instance is desired." IPSEC uses a gif interface. I couldn't imagine why it wasn't there on my 4.4 systems. 'ifconfig gif0 create' makes it happen. Duh... -Jim To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Feb 11 18:30:52 2002 Delivered-To: freebsd-security@freebsd.org Received: from newman2.bestweb.net (newman2.bestweb.net [209.94.102.67]) by hub.freebsd.org (Postfix) with ESMTP id 4030E37B671 for ; Mon, 11 Feb 2002 18:19:21 -0800 (PST) Received: from okeeffe.bestweb.net (okeefe.bestweb.net [209.94.100.110]) by newman2.bestweb.net (Postfix) with ESMTP id F3977231AE; Mon, 11 Feb 2002 21:18:15 -0500 (EST) Received: by okeeffe.bestweb.net (Postfix, from userid 0) id E99759F402; Mon, 11 Feb 2002 21:12:50 -0500 (EST) Date: Mon, 11 Feb 2002 14:50:08 -0800 
From: Victor Bondarenko To: Kris Kennaway Cc: Kerberus , security@freebsd.org Subject: Re: SSP patch + 4.5-STABLE Message-Id: <20020212021250.E99759F402@okeeffe.bestweb.net> Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Mon, Feb 11, 2002 at 02:39:18PM -0800, Kris Kennaway wrote: > getting suggests unrelated build failure (strcasestr is a new function > in 4.5). When you are upgrading your source you *must* follow the > build instructions given in the handbook; trying to do random other Usually I do. This time I was being lazy trying to have an SSP patched gcc and libc without upgrading everything else (buildworld takes 4 hours on this particular machine). Guess that teaches me. :) Victor -- victor@indite.org To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Feb 11 18:30:28 2002 Delivered-To: freebsd-security@freebsd.org Received: from newman2.bestweb.net (newman2.bestweb.net [209.94.102.67]) by hub.freebsd.org (Postfix) with ESMTP id A88DE37B4D2 for ; Mon, 11 Feb 2002 18:18:40 -0800 (PST) Received: from okeeffe.bestweb.net (okeefe.bestweb.net [209.94.100.110]) by newman2.bestweb.net (Postfix) with ESMTP id DE1202312B; Mon, 11 Feb 2002 21:17:47 -0500 (EST) Received: by okeeffe.bestweb.net (Postfix, from userid 0) id ABC1E9EE66; Mon, 11 Feb 2002 21:12:24 -0500 (EST) Date: Sat, 9 Feb 2002 01:31:08 -0800 (PST) 
From: "f.johan.beisser" To: Andrew Kenneth Milton Cc: security@FreeBSD.ORG Subject: Re: Is the technique described in this article do-able with Message-Id: <20020212021224.ABC1E9EE66@okeeffe.bestweb.net> Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Sat, 9 Feb 2002, Andrew Kenneth Milton wrote: > | actually, if you're going that route, it's easier to strip the kernel > | down, lock everything nicely with a securelevel (read up in init(8) about > | this), and remount all of the drives read only. there's nothing preventing > | anyone from doing that. there's also nothing to prevent you from booting > | from a drive, and loading all the tools you need in to a ramdisk, and just > | using that.. > | > | of course, this is going a bit more hardcore than most people want or > | would. > > But saner than trying to get the box to partially halt d8) perhaps. i think it's a sane way to handle a firewall. if you're going to log it, you should be logging either to another machine or to a printer for hardcopy. better to do both, since the hardcopy is not really alterable. but this is not something for the home user.. -------/ f. johan beisser /--------------------------------------+ http://caustic.org/~jan jan@caustic.org "John Ashcroft is really just the reanimated corpse of J. Edgar Hoover." 
-- Tim Triche To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Feb 11 18:31: 6 2002 Delivered-To: freebsd-security@freebsd.org Received: from newman2.bestweb.net (newman2.bestweb.net [209.94.102.67]) by hub.freebsd.org (Postfix) with ESMTP id DA7D137B658 for ; Mon, 11 Feb 2002 18:19:12 -0800 (PST) Received: from okeeffe.bestweb.net (okeefe.bestweb.net [209.94.100.110]) by newman2.bestweb.net (Postfix) with ESMTP id 962FA232DC for ; Mon, 11 Feb 2002 21:17:59 -0500 (EST) Received: by okeeffe.bestweb.net (Postfix, from userid 0) id 447989F3B0; Mon, 11 Feb 2002 21:12:40 -0500 (EST) From: "Matthew Williams" To: Subject: Date: Sun, 10 Feb 2002 15:53:55 -0600 Message-Id: <20020212021240.447989F3B0@okeeffe.bestweb.net> Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org auth d4ada262 unsubscribe freebsd-security vudu@satx.rr.com To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Feb 11 18:31:12 2002 Delivered-To: freebsd-security@freebsd.org Received: from newman2.bestweb.net (newman2.bestweb.net [209.94.102.67]) by hub.freebsd.org (Postfix) with ESMTP id 791C437B674; Mon, 11 Feb 2002 18:19:23 -0800 (PST) Received: from okeeffe.bestweb.net (okeefe.bestweb.net [209.94.100.110]) by newman2.bestweb.net (Postfix) with ESMTP id DA14D231DB; Mon, 11 Feb 2002 21:18:17 -0500 (EST) Received: by okeeffe.bestweb.net (Postfix, from userid 0) id B50A59F409; Mon, 11 Feb 2002 21:12:51 -0500 (EST) Date: Mon, 11 Feb 2002 15:45:36 -0800 (PST) 
From: "f.johan.beisser"
To: "Crist J. Clark"
Cc: Bill Vermillion ,
Subject: Re: Is the technique described in this article do-able with
Message-Id: <20020212021251.B50A59F409@okeeffe.bestweb.net>

On Sun, 10 Feb 2002, Crist J. Clark wrote:

> > not really. you can change chflags on a live machine.
>
> How do you do it when there is an elevated securelevel(8)?

not really sure off hand :)

i don't think that it can be done, at least, not without taking a really
good look at the code first, and deliberately trying to find a way to
bypass the kernel's watch on file permissions and the chflags information.

note that i believe most people use the system in "-1" or "0" mode, post
install. i did, for a long long while during my first year of FreeBSD
usage. to this day, for remote handling of some machines, i still leave
them at securelevel "0" for kernel upgrades.. but these are "low risk"
machines, usually with very few services (read: single use) and/or they
are easily replaced if there is a compromise.

-------/ f. johan beisser /--------------------------------------+
http://caustic.org/~jan jan@caustic.org
"John Ashcroft is really just the reanimated corpse of J. Edgar Hoover."
-- Tim Triche To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Feb 11 18:31:32 2002 Delivered-To: freebsd-security@freebsd.org Received: from newman2.bestweb.net (newman2.bestweb.net [209.94.102.67]) by hub.freebsd.org (Postfix) with ESMTP id 8BAD937B68D for ; Mon, 11 Feb 2002 18:19:32 -0800 (PST) Received: from okeeffe.bestweb.net (okeefe.bestweb.net [209.94.100.110]) by newman2.bestweb.net (Postfix) with ESMTP id 419062332E; Mon, 11 Feb 2002 21:18:24 -0500 (EST) Received: by okeeffe.bestweb.net (Postfix, from userid 0) id 9C40F9F401; Mon, 11 Feb 2002 21:12:50 -0500 (EST) Date: Mon, 11 Feb 2002 14:39:18 -0800 
From: Kris Kennaway To: Victor Bondarenko Cc: Kerberus , security@freebsd.org Subject: Re: SSP patch + 4.5-STABLE Message-Id: <20020212021250.9C40F9F401@okeeffe.bestweb.net> Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org --8P1HSweYDcXXzwPJ Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Mon, Feb 11, 2002 at 02:09:29PM -0800, Victor Bondarenko wrote: > > wheres it dying ??? cause after seeing this i just cvsupped and im doing >=20 > It fails in /usr/src/lib/libc while doing a "make all install" with: It continues to build fine for me, and the error message you're getting suggests unrelated build failure (strcasestr is a new function in 4.5). When you are upgrading your source you *must* follow the build instructions given in the handbook; trying to do random other steps will give you failures. 
Kris --8P1HSweYDcXXzwPJ Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.6 (FreeBSD) Comment: For info see http://www.gnupg.org iD8DBQE8aEgWWry0BWjoQKURAr4xAJ4wB+LRLiw8+I9eV0hvz0yssLM35ACfe5wm r7wNm0Vi8rWYCLh5RSSjOGE= =QuDY -----END PGP SIGNATURE----- --8P1HSweYDcXXzwPJ-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Feb 11 18:31:54 2002 Delivered-To: freebsd-security@freebsd.org Received: from newman2.bestweb.net (newman2.bestweb.net [209.94.102.67]) by hub.freebsd.org (Postfix) with ESMTP id 6951E37B692 for ; Mon, 11 Feb 2002 18:19:34 -0800 (PST) Received: from okeeffe.bestweb.net (okeefe.bestweb.net [209.94.100.110]) by newman2.bestweb.net (Postfix) with ESMTP id 9A180232F8; Mon, 11 Feb 2002 21:18:23 -0500 (EST) Received: by okeeffe.bestweb.net (Postfix, from userid 0) id BD1C89F159; Mon, 11 Feb 2002 21:12:55 -0500 (EST) Date: Thu, 7 Feb 2002 16:42:13 -0500 (EST) 
From: Garrett Wollman
To: "James F. Hranicky"
Cc: security@FreeBSD.ORG
Subject: Questions (Rants?) About IPSEC
Message-Id: <20020212021255.BD1C89F159@okeeffe.bestweb.net>

< said:

> After reading up on IPSEC, I have one major question: Is it really
> a good protocol?

No, but it's the best one we've got.

> - IPSEC routers don't seem to be able to advertise routes
> for an arbitrary number of networks behind them

That's an issue with your routing process; it's not related to IPSEC.

> - IPSEC routers have to basically be the border router for
> a site, as there is no post-decryption NAT protocol to
> get packets back to a router on the inside of the network
> (Apparently, Cisco VPN boxes have this capability, but
> it's an add-on to IPSEC AFAICT).

IPSEC is designed to thwart processes which corrupt packet headers
(including NAT).

> - Clients with dynamic IPs are poorly supported.

That's what the `generate_policy' option in racoon is for.

> AFAICT, what I want is to be able to issue x509 certs to
> any of my remote users for key exchange, and accept any
> cert from any client that was signed by my CA. That's what
> PKI is all about, right? Checking the racoon.conf man pages
> and sample racoon.conf files shows that I need to have the
> client's *private* key for a *specific* IP address.

> o Is this really the case, or am I just wrong here?

You are wrong. There are two distinct models: you can have pre-shared
keys, in which case you have no certificates and a single secret key
for every pair of communicating entities; or you can use public-key
certificates. I have some issues with the way the certificate support
works, that's not one of them. Pre-shared keys are not necessarily
specific to an IP address; you can use any type of identifier
supported in the IKE protocol.
> In the end, if I go with a FreeBSD racoon or isakmpd solution, am I limited
> to the following setups ? :

> - One shared secret for all my users in the interest of manageability.

If you were to use pre-shared keys, and you're concerned about
manageability, there is an obvious mechanism to avoid having everyone
use the same key. Let C be a standard representation of each client's
identity, and S likewise for the server. H is a hash function of some
sort; Kp is a key known only to you. Then,

    K_{C,S} = { H(C | S) }_{Kp}

gives you a unique key for each pair (C,S) which you can easily derive
at will given C, S, and Kp. Granted, this is not as theoretically
secure as having unique random bits for every key, but it's better
than having every user know every other user's key.

> I can only assume this means any user could theoretically listen in
> on the key exchange and thus be able to decrypt another's IPSEC
> communications

If you all used the same keys, that is conceivable. More to the
point, any user could impersonate any other user.

-GAWollman

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Mon Feb 11 18:32:46 2002
Date: Sat, 9 Feb 2002 00:53:37 -0800 (PST)
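The per-pair pre-shared key scheme Garrett Wollman describes in the message above, as an added example that is not part of the original mail: it derives one key per (C, S) pair from a single secret Kp. It substitutes HMAC-SHA-256 keyed with Kp for the mail's hash-then-encrypt notation and length-prefixes C and S so the concatenation is unambiguous; the function names, identifiers and sample key are assumptions made for the illustration.

```python
import hashlib
import hmac

# Assumption: Kp is at least as long as the HMAC-SHA-256 output.
MIN_MASTER_KEY_LEN = 32


def encode_pair(client_id: str, server_id: str) -> bytes:
    """Encode (C, S) unambiguously: each field carries a 2-byte length prefix.

    Plain concatenation would map ("ab", "c") and ("a", "bc") to the same
    input, and so to the same derived key.
    """
    fields = []
    for ident in (client_id, server_id):
        raw = ident.encode("utf-8")
        if not 0 < len(raw) <= 0xFFFF:
            raise ValueError("identifier must be 1..65535 bytes")
        fields.append(len(raw).to_bytes(2, "big") + raw)
    return b"".join(fields)


def derive_psk(master_key: bytes, client_id: str, server_id: str) -> bytes:
    """Derive the pre-shared key for one (C, S) pair from the master key Kp."""
    if len(master_key) < MIN_MASTER_KEY_LEN:
        raise ValueError("master key too short")
    message = encode_pair(client_id, server_id)
    return hmac.new(master_key, message, hashlib.sha256).digest()


def build_key_table(master_key: bytes, server_id: str, client_ids) -> dict:
    """Return {client identifier: hex key} for provisioning each client."""
    table = {}
    for client_id in client_ids:
        if client_id in table:
            raise ValueError("duplicate client identifier: " + client_id)
        table[client_id] = derive_psk(master_key, client_id, server_id).hex()
    return table


def psk_matches(master_key: bytes, client_id: str, server_id: str,
                presented: bytes) -> bool:
    """Server side: re-derive the key on demand and compare in constant time."""
    expected = derive_psk(master_key, client_id, server_id)
    return hmac.compare_digest(expected, presented)


# Constructed sample values, for demonstration only. A real Kp would come
# from a CSPRNG (for example secrets.token_bytes(32)) and stay on the server.
SAMPLE_KP = bytes(range(32))
SAMPLE_SERVER = "vpn.example.org"
SAMPLE_CLIENTS = ["alice@example.org", "bob@example.org", "carol@example.org"]

if __name__ == "__main__":
    for client, key_hex in build_key_table(
            SAMPLE_KP, SAMPLE_SERVER, SAMPLE_CLIENTS).items():
        print(client, key_hex)
```

Anyone who learns Kp can derive every client's key, which is the trade-off the mail notes against independent random keys.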
From: "f.johan.beisser" To: Darren Reed Cc: Brett Glass , Subject: Re: Is the technique described in this article do-able with Message-Id: <20020212021303.1005C9F01F@okeeffe.bestweb.net> Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Sat, 9 Feb 2002, Darren Reed wrote: > In some mail from Brett Glass, sie said: > > > > http://www.samag.com/documents/s=1824/sam0201d/0201d.htm > > I believe that when you "halt" FreeBSD the whole OS halts. > When you see the "press any key to rebot" message, no more > activity is happening. true.. i don't think any of the BSDs will respond, since the kernel is only waiting for a keystroke to restart. to me this may be less secure than just having the machine fully up and running. > One question though, how do you generate log information? if the OS is still passing packets, you could easily have it set to output all log info to a serial port. this may, or may not, work even in linux. of course, you may not care about log info. > Personally, I think of this as a 'misfeature'. i wouldn't put it that far down, just yet. i don't see how much of an advantage it would be over a fully operational box, on the other hand. -------/ f. johan beisser /--------------------------------------+ http://caustic.org/~jan jan@caustic.org "John Ashcroft is really just the reanimated corpse of J. Edgar Hoover." 
-- Tim Triche To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Feb 11 18:33:43 2002 Delivered-To: freebsd-security@freebsd.org Received: from newman2.bestweb.net (newman2.bestweb.net [209.94.102.67]) by hub.freebsd.org (Postfix) with ESMTP id 2328437B61F for ; Mon, 11 Feb 2002 18:18:48 -0800 (PST) Received: from okeeffe.bestweb.net (okeefe.bestweb.net [209.94.100.110]) by newman2.bestweb.net (Postfix) with ESMTP id 1891523132; Mon, 11 Feb 2002 21:17:48 -0500 (EST) Received: by okeeffe.bestweb.net (Postfix, from userid 0) id C3EEB9F129; Mon, 11 Feb 2002 21:12:24 -0500 (EST) Date: Sat, 9 Feb 2002 03:50:46 -0600 (CST) 
From: Matt Heckaman To: Andrew Kenneth Milton Cc: security@FreeBSD.ORG Subject: Re: Is the technique described in this article do-able with Message-Id: <20020212021224.C3EEB9F129@okeeffe.bestweb.net> Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Sat, 9 Feb 2002, Andrew Kenneth Milton wrote: ... : But saner than trying to get the box to partially halt d8) Linux tends to go for the insane "cool factor" features to do the same job (for better or worse :P) as its proven real features. :) Somehow though, they tend to mysteriously make their way into the stable kernel... * Matt Heckaman - mailto:matt@LUCIDA.CA http://www.lucida.ca/gpg * * GPG fingerprint - 46D8 5C3B 5499 1D14 F01C 2ADD D1B9 6165 9E16 F8E4 * The Universe is run by the complex interweaving of three elements: energy, matter, and enlightened self-interest. 
-- G'Kar, "Survivors" -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.6 (FreeBSD) Comment: http://www.lucida.ca/gpg/ iD8DBQE8ZPD40blhZZ4W+OQRAvzqAKCGWPzttJvJhQ3584Rmsf3sGQD/6QCeNMYo SMuP+MPPxngqAQpUWXtnt9w= =8FaD -----END PGP SIGNATURE----- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Feb 11 18:36:48 2002 Delivered-To: freebsd-security@freebsd.org Received: from newman2.bestweb.net (newman2.bestweb.net [209.94.102.67]) by hub.freebsd.org (Postfix) with ESMTP id 688CB37B646 for ; Mon, 11 Feb 2002 18:19:02 -0800 (PST) Received: from okeeffe.bestweb.net (okeefe.bestweb.net [209.94.100.110]) by newman2.bestweb.net (Postfix) with ESMTP id 815E2232CB for ; Mon, 11 Feb 2002 21:17:58 -0500 (EST) Received: by okeeffe.bestweb.net (Postfix, from userid 0) id 29EF29F145; Mon, 11 Feb 2002 21:12:40 -0500 (EST) From: "Dennis Pedersen" To: Subject: Re: Questions (Rants?) About IPSEC Date: Sun, 10 Feb 2002 22:45:14 +0100 Message-Id: <20020212021240.29EF29F145@okeeffe.bestweb.net> Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org ----- Original Message ----- 
From: "Garrett Wollman"
To: "James F. Hranicky"
Cc:
Sent: Thursday, February 07, 2002 10:42 PM
Subject: Questions (Rants?) About IPSEC

> > - Clients with dynamic IPs are poorly supported.
>
> That's what the `generate_policy' option in racoon is for.
>

Uhm do you have an example where that actually works?
On the 'net' list there was a post (Message-ID:
<20020130164813.N13412@vinyl.catpipe.net>) about it where generate_policy
didn't seem to work, and i couldn't see anything wrong with the example
(not that i'm any racoon guru i'm just trying to get it to work with clients
that have dynamic ip-addresses too ;))

Regards
Dennis

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Mon Feb 11 18:35:45 2002
Date: Sat, 09 Feb 2002 15:01:22 -0700
To: Andrew Kenneth Milton ,
From: Brett Glass Subject: Re: Is the technique described in this article do-able with Cc: Darren Reed , security@FreeBSD.ORG Message-Id: <20020212021233.B1BC29F37B@okeeffe.bestweb.net> Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org At 02:03 AM 2/9/2002, Andrew Kenneth Milton wrote: >Even if it were in a comatose state, you might have some problems with >using natd since your userland is gone. You could use ipf, which (IIRC) does NAT in the kernel. --Brett To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Feb 11 18:43:58 2002 Delivered-To: freebsd-security@freebsd.org Received: from newman2.bestweb.net (newman2.bestweb.net [209.94.102.67]) by hub.freebsd.org (Postfix) with ESMTP id C1E5B37B647 for ; Mon, 11 Feb 2002 18:19:11 -0800 (PST) Received: from okeeffe.bestweb.net (okeefe.bestweb.net [209.94.100.110]) by newman2.bestweb.net (Postfix) with ESMTP id 2413F23307; Mon, 11 Feb 2002 21:18:04 -0500 (EST) Received: by okeeffe.bestweb.net (Postfix, from userid 0) id 8A72A9F131; Mon, 11 Feb 2002 21:12:41 -0500 (EST) Date: Sun, 10 Feb 2002 19:18:31 -0800 (PST) 
From: "f.johan.beisser" To: Bill Vermillion Cc: security@FreeBSD.ORG Subject: Re: Is the technique described in this article do-able with Message-Id: <20020212021241.8A72A9F131@okeeffe.bestweb.net> Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Sun, 10 Feb 2002, Bill Vermillion wrote: > Hardcopy is fairly hard to search with a text editor though :-) 2 copies. one electronic, so you can do a grep on it :) > If you worry about the logs being alterable - and you did suggest > logging to a second machine - then you have a real problem with > security I'd guess. You could always run chflags on the logging > machine to make the logs append only. Wouldn't that take care > of the problem of being alterable without having to use hardcopy? not really. you can change chflags on a live machine. any attacker that's going to alter the logs will be able to see the append only flag. so, really, it's not actually secure. against a scriptkiddie, though, this may be effective. logging to another machine that *only* listens to syslog, or is attached to the serial port and only listens to the console log, and can't be accessed from the network may be a solution. this is, as i said, outside of "normal home usage", and generally only done at really paranoid places. -------/ f. johan beisser /--------------------------------------+ http://caustic.org/~jan jan@caustic.org "John Ashcroft is really just the reanimated corpse of J. Edgar Hoover." 
-- Tim Triche To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Feb 11 18:45:18 2002 Delivered-To: freebsd-security@freebsd.org Received: from newman2.bestweb.net (newman2.bestweb.net [209.94.102.67]) by hub.freebsd.org (Postfix) with ESMTP id A8ED037B64A for ; Mon, 11 Feb 2002 18:19:04 -0800 (PST) Received: from okeeffe.bestweb.net (okeefe.bestweb.net [209.94.100.110]) by newman2.bestweb.net (Postfix) with ESMTP id 1A5E4232D5 for ; Mon, 11 Feb 2002 21:17:59 -0500 (EST) Received: by okeeffe.bestweb.net (Postfix, from userid 0) id BBBBC9F3B5; Mon, 11 Feb 2002 21:12:40 -0500 (EST) Date: Sun, 10 Feb 2002 18:16:00 -0500 From: Bill Vermillion To: security@FreeBSD.ORG Subject: Re: Is the technique described in this article do-able with Reply-To: bv@wjv.com Message-Id: <20020212021240.BBBBC9F3B5@okeeffe.bestweb.net> Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org > Date: Sat, 9 Feb 2002 01:31:08 -0800 (PST) 
> From: "f.johan.beisser" > Subject: Re: Is the technique described in this article do-able with > > On Sat, 9 Feb 2002, Andrew Kenneth Milton wrote: > > | actually, if you're going that route, it's easier to strip > > | the kernel down, lock everything nicely with a securelevel > > | (read up in init(8) about this), and remount all of the drives > > | read only. there's nothing preventing anyone from doing that. > > | there's also nothing to prevent you from booting from a drive, > > | and loading all the tools you need in to a ramdisk, and just > > | using that.. > > | of course, this is going a bit more hardcore than most people > > | want or would. > > But saner than trying to get the box to partially halt d8) > perhaps. i think it's a sane way to handle a firewall. if you're > going to log it, you should be logging either to another machine > or to a printer for hardcopy. better to do both, since the > hardcopy is not really alterable. but this is not something for > the home user.. Hardcopy is fairly hard to search with a text editor though :-) If you worry about the logs being alterable - and you did suggest logging to a second machine - then you have a real problem with security I'd guess. You could always run chflags on the logging machine to make the logs append only. Wouldn't that take care of the problem of being alterable without having to use hardcopy? -- Bill Vermillion - bv @ wjv . 
com To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Feb 11 18:45:25 2002 Delivered-To: freebsd-security@freebsd.org Received: from newman2.bestweb.net (newman2.bestweb.net [209.94.102.67]) by hub.freebsd.org (Postfix) with ESMTP id 460CC37B64B for ; Mon, 11 Feb 2002 18:19:08 -0800 (PST) Received: from okeeffe.bestweb.net (okeefe.bestweb.net [209.94.100.110]) by newman2.bestweb.net (Postfix) with ESMTP id 21F96232E3; Mon, 11 Feb 2002 21:18:00 -0500 (EST) Received: by okeeffe.bestweb.net (Postfix, from userid 0) id 04DCF9F3BA; Mon, 11 Feb 2002 21:12:41 -0500 (EST) Date: Sun, 10 Feb 2002 22:10:29 -0800 
From: "Crist J. Clark" To: "f.johan.beisser" Cc: Bill Vermillion , security@FreeBSD.ORG Subject: Re: Is the technique described in this article do-able with Message-Id: <20020212021241.04DCF9F3BA@okeeffe.bestweb.net> Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Sun, Feb 10, 2002 at 07:18:31PM -0800, f.johan.beisser wrote: > On Sun, 10 Feb 2002, Bill Vermillion wrote: > > > Hardcopy is fairly hard to search with a text editor though :-) > > 2 copies. one electronic, so you can do a grep on it :) > > > If you worry about the logs being alterable - and you did suggest > > logging to a second machine - then you have a real problem with > > security I'd guess. You could always run chflags on the logging > > machine to make the logs append only. Wouldn't that take care > > of the problem of being alterable without having to use hardcopy? > > not really. you can change chflags on a live machine. How do you do it when there is an elevated securelevel(8)? -- Crist J. 
Clark | cjclark@alum.mit.edu | cjclark@jhu.edu http://people.freebsd.org/~cjc/ | cjc@freebsd.org To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Feb 11 18:45:58 2002 Delivered-To: freebsd-security@freebsd.org Received: from newman2.bestweb.net (newman2.bestweb.net [209.94.102.67]) by hub.freebsd.org (Postfix) with ESMTP id D4EBC37B64D for ; Mon, 11 Feb 2002 18:19:08 -0800 (PST) Received: from okeeffe.bestweb.net (okeefe.bestweb.net [209.94.100.110]) by newman2.bestweb.net (Postfix) with ESMTP id 8FBDD231A1; Mon, 11 Feb 2002 21:18:03 -0500 (EST) Received: by okeeffe.bestweb.net (Postfix, from userid 0) id 229539F3C8; Mon, 11 Feb 2002 21:12:44 -0500 (EST) Date: Sun, 10 Feb 2002 19:18:55 +0000 
From: Ceri Storey To: Brett Glass Cc: security@FreeBSD.ORG Subject: Re: Is the technique described in this article do-able with FreeBSD + ipf? Message-Id: <20020212021244.229539F3C8@okeeffe.bestweb.net> Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Fri, Feb 08, 2002 at 10:53:34PM -0700, Brett Glass wrote: > http://www.samag.com/documents/s=1824/sam0201d/0201d.htm > [running only kernel mode tools] I can see that this would be (almost) implementable with FreeBSD, if you say, customized the rc scripts to just configure the firewall etc, then unmount the disks and then go to sleep. That said, in a lot of circumstances, I'm fairly sure that a dedicated hardware firewall/router would be a lot saner. Just my 0.02 pounds sterling. -- Ceri Storey http://pkl.net/~cez/ vi(1)! postfix(7)! pie(5)! To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Feb 11 18:46:29 2002 Delivered-To: freebsd-security@freebsd.org Received: from newman2.bestweb.net (newman2.bestweb.net [209.94.102.67]) by hub.freebsd.org (Postfix) with ESMTP id 6D0EC37B656 for ; Mon, 11 Feb 2002 18:19:20 -0800 (PST) Received: from okeeffe.bestweb.net (okeefe.bestweb.net [209.94.100.110]) by newman2.bestweb.net (Postfix) with ESMTP id A9ADC23188; Mon, 11 Feb 2002 21:18:15 -0500 (EST) Received: by okeeffe.bestweb.net (Postfix, from userid 0) id B6B1F9F155; Mon, 11 Feb 2002 21:12:50 -0500 (EST) Date: Mon, 11 Feb 2002 14:09:29 -0800 
From: Victor Bondarenko
To: Kerberus
Cc: security@freebsd.org
Subject: Re: SSP patch + 4.5-STABLE
Message-Id: <20020212021250.B6B1F9F155@okeeffe.bestweb.net>

> wheres it dying ??? cause after seeing this i just cvsupped and im doing

It fails in /usr/src/lib/libc while doing a "make all install" with:

...
cc -O -pipe -fstack-protector -DLIBC_RCS -DSYSLIBC_RCS -I/usr/src/lib/libc/include -D__DBINTERFACE_PRIVATE -DINET6 -DPOSIX_MISTAKE -I/usr/src/lib/libc/../libc/locale -DBROKEN_DES -DYP -c /usr/src/lib/libc/../libc/string/strcasestr.c -o strcasestr.o
/usr/src/lib/libc/../libc/string/strcasestr.c:38: syntax error before string constant
/usr/src/lib/libc/../libc/string/strcasestr.c:38: warning: data definition has no type or storage class
*** Error code 1

Stop in /usr/src/lib/libc.
...

I should mention that I'm working on the 4.5-STABLE source. The system
itself is 4.4-RELEASE, although I don't know if this would affect anything-
I guess the next step is to build/install an unpatched 4.5 world and patch
and rebuild from there.
Victor

> a build world as we speak, so far all seems okay, takes my box 30 mins
> to build a world
>
--
victor@indite.org

From owner-freebsd-security Mon Feb 11 18:47:30 2002
Delivered-To: freebsd-security@freebsd.org
Received: from newman2.bestweb.net (newman2.bestweb.net [209.94.102.67]) by hub.freebsd.org (Postfix) with ESMTP id A444D37B665 for ; Mon, 11 Feb 2002 18:19:17 -0800 (PST)
Received: from okeeffe.bestweb.net (okeefe.bestweb.net [209.94.100.110]) by newman2.bestweb.net (Postfix) with ESMTP id C0655230AE for ; Mon, 11 Feb 2002 21:18:11 -0500 (EST)
Received: by okeeffe.bestweb.net (Postfix, from userid 0) id 3B3FB9F3F7; Mon, 11 Feb 2002 21:12:49 -0500 (EST)
Date: Mon, 11 Feb 2002 13:00:20 -0800
From: Victor Bondarenko
To: security@freebsd.org
Subject: SSP patch + 4.5-STABLE
Message-Id: <20020212021249.3B3FB9F3F7@okeeffe.bestweb.net>
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

Has anyone been able to get the SSP patch (http://www.trl.ibm.com/projects/security/ssp/) working on 4.5-STABLE (as of this morning)? I get a compiler error when building libc (I can produce the exact error message if needed).

TIA,
Victor
--
victor@indite.org

From owner-freebsd-security Tue Feb 12 0:54:45 2002
Delivered-To: freebsd-security@freebsd.org
Received: from relay3-gui.server.ntli.net (relay3-gui.server.ntli.net [194.168.4.200]) by hub.freebsd.org (Postfix) with ESMTP id 6137837B428 for ; Tue, 12 Feb 2002 00:54:38 -0800 (PST)
Received: from cabletel1.cableol.net ([194.168.3.4] helo=cartman.private.techsupport.co.uk) by relay3-gui.server.ntli.net with esmtp (Exim 3.03 #2) id 16aYev-0005Yw-00 for freebsd-security@freebsd.org; Tue, 12 Feb 2002 08:51:29 +0000
Received: from ceri by cartman.private.techsupport.co.uk with local (Exim 3.31 #1) id 16aYbX-00065M-00; Tue, 12 Feb 2002 08:47:59 +0000
Date: Tue, 12 Feb 2002 08:47:59 +0000
From: Ceri
To: Beth Reid
Cc: freebsd-security@FreeBSD.org
Subject: Re: Questions regarding the wheel group
Message-ID: <20020212084759.D21643@cartman.private.techsupport.co.uk>
References: <20020212021206.3F3AC9EFD3@okeeffe.bestweb.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <20020212021206.3F3AC9EFD3@okeeffe.bestweb.net>; from breid@cyberguard.com on Fri, Feb 08, 2002 at 11:57:38AM -0500
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

On Fri, Feb 08, 2002 at 11:57:38AM -0500, Beth Reid said:
> This message is in MIME format. Since your mail reader does not understand
> this format, some or all of this message may not be legible.

There's no need for that either ;)

> I am doing research on the wheel group and security and I had a couple of
> questions.
>
> Some thoughts: Why should the wheel group be used on any files? I would
> think from a security point of view, wheel should not be the default or
> primary group for root. This way if you are in the wheel group and have
> root's password, you can become root. If you are in the wheel group, but do
> not have root's password you should not gain any special privileges to any
> files or directories. You should be like any other user.

My opinion : if someone is in wheel then they're already a somewhat trusted user and the ability to tail logs and see what is happening on the system without having to su is a good thing for those users.

> My initial step was to check the permissions on all of the files to see if
> files with a group of "wheel" had permission bits where the group and other
> bits differed.

Did you also check what each of those files was for ?

> 1) The only 2 devices on my system where wheel had more permission than
> other were the following.
> I am not sure yet if there is a vulnerability
> here.
> crw-rw---- 2 root wheel 14, 0x20000000 Nov 30 09:09
> ./dev/rsa0.ctl
> crw-rw---- 2 root wheel 14, 0x20000000 Nov 30 09:09 ./dev/sa0.ctl

I can't see one :

/dev/sa0.ctl Control mode device (to examine state while another program is accessing the device, e.g.).

But then I trust my users in wheel.

> 2) In the /proc directory there is a mem file for each process. This seems
> to me like a vulnerability. The odd thing is that on one similar FreeBSD
> 4.3 release system the group was kmem for all files in this directory, all
> other systems had the group for root as wheel. So two questions here: 1)
> why does the group differ on the two systems, and 2) why does the wheel
> group have read privilege on these mem files?
>
> -rw-r----- 1 root wheel 0 Feb 6 12:27 ./proc/317/mem
> -rw-r----- 1 root wheel 0 Feb 6 12:27 ./proc/318/mem

They're processes running as root, therefore they have root's uid and gid.
Processes running as a non-root user have different permissions, e.g. on my system :
-rw-r----- 1 alf alf 0 Feb 12 08:43 /proc/26905/mem

> 3) This seems harmless.
> -r-xr-x--- 1 root wheel 12424 Apr 21 2001 ./usr/sbin/mptable

Agreed.

> 4) This seems like it could be a vulnerability. If someone is in wheel
> that shouldn't be, he could read these files and perhaps gather some useful
> information.
> in /var/log
> -rw-r----- 1 root wheel 5490 Feb 6 03:01 setuid.today
> -rw-r----- 1 root wheel 5490 Feb 5 03:01 setuid.yesterday
> -rw-r----- 1 root wheel 5464 Feb 2 03:01 dmesg.today
> -rw-r----- 1 root wheel 5527 Feb 1 03:01 dmesg.yesterday
> -rw-r----- 1 root wheel 136 Dec 1 03:02 mount.today

Debatable - I like my wheel users to be able to read these.

> 5) These directories allow wheel to poke around in them, but not someone in
> the other group. It seems like I wouldn't want the crash files exposed.
> The cron directory is odd because although wheel can poke around in cron, he
> can't get to the tabs subfolder.
> The backup folder seems harmless(?).
> Someone in wheel can remove files from /tmp.
>
> in/var
> drwxrwxrwt 3 root wheel 512 Feb 6 03:01 tmp
> drwxr-x--- 2 root wheel 512 Feb 6 03:01 backups
> drwxr-x--- 3 root wheel 512 Nov 30 09:08 cron
> drwxr-x--- 2 root wheel 512 Nov 30 09:08 crash

vmcore files in /var/crash are created with a mode of 600. The kernel files in there are just copies of a kernel.
Someone in wheel can only remove files from /var/tmp if they own them.

My basic premise is that someone shouldn't be in the wheel group unless they can be trusted - the actual benefits other than the ability to be able to su seem to me to be limited to the fact that a few more logfiles are readable.

Someone else on this list will probably have different views though.

Ceri
--
"Ummm, excuse me. I think the network's down...?"
"A communications disruption can only mean one thing... Invasion."
--Lee Maguire, SDM

From owner-freebsd-security Tue Feb 12 1:18:22 2002
Delivered-To: freebsd-security@freebsd.org
Received: from pooh.noc.u-net.net (pooh.noc.u-net.net [195.102.252.112]) by hub.freebsd.org (Postfix) with ESMTP id 24CE837B421 for ; Tue, 12 Feb 2002 01:18:17 -0800 (PST)
Received: from pooh.noc.u-net.net ([195.102.252.112] helo=there) by pooh.noc.u-net.net with smtp (Exim 3.22 #1) id 16aZ2M-000Or0-00; Tue, 12 Feb 2002 09:15:42 +0000
Content-Type: text/plain; charset="iso-8859-1"
From: Peter McGarvey
Reply-To: pmcgarvey@vianetworks.co.uk
Organization: VIA NETdotWORKS
To: Brett Glass , security@FreeBSD.ORG
Subject: Re: Is the technique described in this article do-able with FreeBSD + ipf?
Date: Tue, 12 Feb 2002 09:15:41 +0000
X-Mailer: KMail [version 1.3]
References: <4.3.2.7.2.20020208225248.026f08c0@localhost>
In-Reply-To: <4.3.2.7.2.20020208225248.026f08c0@localhost>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Message-Id:
X-EXIM-FILTER: PASS-s02
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

On Saturday 09 February 2002 05:53 am, Brett Glass wrote:
> http://www.samag.com/documents/s=1824/sam0201d/0201d.htm
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message

IMHO a mad idea. Interesting, but still mad.

Personally I've got an OpenBSD box running as a Packet Filtering Bridge. I don't have any IPs bound to the bridged interfaces. And I have OpenBSD's PF filtering all traffic. For all intents it is totally transparent.

Unless someone discovers a flaw in the TCP stack there is no way to remotely own the box. So it's just as secure as the halted Linux box.

This also has the advantage of allowing me to log firewall traffic.
--
TTFN, FNORD
Peter McGarvey
System Administrator
Network Operations, VIA Networks UK

From owner-freebsd-security Tue Feb 12 2:54:10 2002
Delivered-To: freebsd-security@freebsd.org
Received: from mailout02.sul.t-online.com (mailout02.sul.t-online.com [194.25.134.17]) by hub.freebsd.org (Postfix) with ESMTP id AD98C37B423 for ; Tue, 12 Feb 2002 02:54:04 -0800 (PST)
Received: from fwd04.sul.t-online.de by mailout02.sul.t-online.com with smtp id 16aZGK-00018i-02; Tue, 12 Feb 2002 10:30:08 +0100
Received: from pc5.abc (520067998749-0001@[217.233.117.247]) by fmrl04.sul.t-online.com with esmtp id 16aZGE-0JVvBwC; Tue, 12 Feb 2002 10:30:02 +0100
Received: (from nicolas@localhost) by pc5.abc (8.11.6/8.11.6) id g1C9U1I57239 for freebsd-security@FreeBSD.ORG; Tue, 12 Feb 2002 10:30:01 +0100 (CET) (envelope-from list@rachinsky.de)
Date: Tue, 12 Feb 2002 10:30:01 +0100
From: Nicolas Rachinsky
To: freebsd-security@FreeBSD.ORG
Subject: Re: Questions regarding the wheel group
Message-ID: <20020212093000.GB35478@pc5.abc>
Mail-Followup-To: freebsd-security@FreeBSD.ORG
References: <20020212021206.3F3AC9EFD3@okeeffe.bestweb.net> <20020212084759.D21643@cartman.private.techsupport.co.uk>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20020212084759.D21643@cartman.private.techsupport.co.uk>
User-Agent: Mutt/1.3.27i
X-Powered-by: FreeBSD
X-Homepage: http://www.rachinsky.de
X-PGP-Keyid: C11ABC0E
X-PGP-Fingerprint: 19DB 8392 8FE0 814A 7362 EEBD A53B 526A C11A BC0E
X-PGP-Key: http://www.rachinsky.de/nicolas/nicolas_rachinsky.asc
X-Sender: 520067998749-0001@t-dialin.net
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

* On Tue, Feb 12, 2002 at 08:47:59AM +0000,
* Ceri wrote:
> On Fri, Feb 08, 2002 at 11:57:38AM -0500, Beth Reid said:
> > -rw-r----- 1 root wheel 0 Feb 6 12:27 ./proc/317/mem
> > -rw-r----- 1 root wheel 0 Feb 6 12:27 ./proc/318/mem
>
> They're processes running as root, therefore they have root's uid and gid.
> Processes running as a non-root user have different permissions, e.g. on my
> system :
> -rw-r----- 1 alf alf 0 Feb 12 08:43 /proc/26905/mem

Does this mean if all my users have the primary group "users", they all can read the memory of processes of other users with the primary group "users"?
Nicolas

From owner-freebsd-security Tue Feb 12 8: 4:55 2002
Delivered-To: freebsd-security@freebsd.org
Received: from radix.cryptio.net (radix.cryptio.net [199.181.107.213]) by hub.freebsd.org (Postfix) with ESMTP id 0EDCF37B400 for ; Tue, 12 Feb 2002 08:04:52 -0800 (PST)
Received: (from emechler@localhost) by radix.cryptio.net (8.11.6/8.11.6) id g1CG18b37763; Tue, 12 Feb 2002 08:01:08 -0800 (PST) (envelope-from emechler)
Date: Tue, 12 Feb 2002 08:01:08 -0800
From: Erick Mechler
To: postmaster@okeefe.bestweb.net
Cc: security@freebsd.org
Subject: Messages from last week?
Message-ID: <20020212080108.J24963@techometer.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5.1i
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

Is there a reason that security@freebsd.org just received at least 20 messages sent to the list from last week, originating from your machine? Full headers from one such message are below. They've appeared to stop, but you might want to look into this.

Cheers - Erick

======================================
From owner-freebsd-security@FreeBSD.ORG Mon Feb 11 19:06:02 2002
Received: from mx2.freebsd.org (mx2.FreeBSD.org [216.136.204.119]) by radix.cryptio.net (8.11.6/8.11.6) with ESMTP id g1C362x28470 for ; Mon, 11 Feb 2002 19:06:02 -0800 (PST) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from hub.freebsd.org (hub.FreeBSD.org [216.136.204.18]) by mx2.freebsd.org (Postfix) with ESMTP id C1C65559B7; Mon, 11 Feb 2002 19:00:35 -0800 (PST) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: by hub.freebsd.org (Postfix, from userid 538) id 5D82D37C1CF; Mon, 11 Feb 2002 18:28:36 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by hub.freebsd.org (Postfix) with SMTP id B03052E80C6; Mon, 11 Feb 2002 18:28:29 -0800 (PST)
Received: by hub.freebsd.org (bulk_mailer v1.12); Mon, 11 Feb 2002 18:28:27 -0800
Delivered-To: freebsd-security@freebsd.org
Received: from newman2.bestweb.net (newman2.bestweb.net [209.94.102.67]) by hub.freebsd.org (Postfix) with ESMTP id 334AC37B5AF for ; Mon, 11 Feb 2002 18:18:20 -0800 (PST)
Received: from okeeffe.bestweb.net (okeefe.bestweb.net [209.94.100.110]) by newman2.bestweb.net (Postfix) with ESMTP id E63DA23343 for ; Mon, 11 Feb 2002 21:17:29 -0500 (EST)
Received: by okeeffe.bestweb.net (Postfix, from userid 0) id 1B9339F00D; Mon, 11 Feb 2002 21:12:23 -0500 (EST)
Date: Fri, 08 Feb 2002 22:53:34 -0700
To: security@FreeBSD.ORG
From: Brett Glass
Subject: Is the technique described in this article do-able with
Message-Id: <20020212021223.1B9339F00D@okeeffe.bestweb.net>
Sender: owner-freebsd-security@FreeBSD.ORG
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe: +
List-Unsubscribe: +
X-Loop: FreeBSD.org
Precedence: bulk

http://www.samag.com/documents/s=1824/sam0201d/0201d.htm

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Tue Feb 12 9:31:37 2002
Delivered-To: freebsd-security@freebsd.org
Received: from pkl.net (spoon.pkl.net [212.111.57.14]) by hub.freebsd.org (Postfix) with ESMTP id 57D2637B41F for ; Tue, 12 Feb 2002 09:31:28 -0800 (PST)
Received: (from rik@localhost) by pkl.net (8.9.3/8.9.3) id RAA22892; Tue, 12 Feb 2002 17:28:26 GMT
From: Rik
Date: Tue, 12 Feb 2002 17:28:26 +0000
To: Nicolas Rachinsky
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Questions regarding the wheel group
Message-ID: <20020212172826.GA22312@spoon.pkl.net>
References: <20020212021206.3F3AC9EFD3@okeeffe.bestweb.net> <20020212084759.D21643@cartman.private.techsupport.co.uk> <20020212093000.GB35478@pc5.abc>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20020212093000.GB35478@pc5.abc>
User-Agent: Mutt/1.3.25i
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

On Tue, Feb 12, 2002 at 10:30:01AM +0100, Nicolas Rachinsky wrote:
> Does this mean if all my users have the primary group "users", they
> all can read the memory of processes of other users with the primary
> group "users"?

If you do ls -l /proc/*/mem, and any of those have the same group as you, and have group readability, then you can read them. I assume there's no way of allowing everyone to read a process's memory.

Incidentally, some of my /proc/*/mem files are mode 000. Is this a result of mlock(2), or is it a different function/syscall that's done that?
--
PGP Key: D2729A3F - Keyserver: wwwkeys.uk.pgp.net - rich at rdrose dot org
Key fingerprint = 5EB1 4C63 9FAD D87B 854C 3DED 1408 ED77 D272 9A3F
Public key also encoded with outguess on http://rikrose.net

From owner-freebsd-security Tue Feb 12 15:21:20 2002
Delivered-To: freebsd-security@freebsd.org
Received: from freefall.freebsd.org (freefall.FreeBSD.org [216.136.204.21]) by hub.freebsd.org (Postfix) with ESMTP id C892737B41D; Tue, 12 Feb 2002 15:20:28 -0800 (PST)
Received: (from nectar@localhost) by freefall.freebsd.org (8.11.6/8.11.6) id g1CNKSC40407; Tue, 12 Feb 2002 15:20:28 -0800 (PST) (envelope-from security-advisories@freebsd.org)
Date: Tue, 12 Feb 2002 15:20:28 -0800 (PST)
Message-Id: <200202122320.g1CNKSC40407@freefall.freebsd.org>
X-Authentication-Warning: freefall.freebsd.org: nectar set sender to security-advisories@freebsd.org using -f
From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Subject: FreeBSD Ports Security Advisory FreeBSD-SA-02:11.snmp
Reply-To: security-advisories@freebsd.org
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

-----BEGIN PGP SIGNED MESSAGE-----

=============================================================================
FreeBSD-SA-02:11                                            Security Advisory
                                                                FreeBSD, Inc.

Topic:          ucd-snmp/net-snmp remotely exploitable vulnerabilities

Category:       ports
Module:         net-snmp
Announced:      2002-02-12
Credits:        OUSPG: Oulu University Secure Programming Group
                http://www.ee.oulu.fi/research/ouspg/
Affects:        Ports collection prior to the correction date
Corrected:      2002-01-21 16:54:50 UTC
FreeBSD only:   NO
CERT:           CA-2002-03

I.   Background

The Net-SNMP (previously known as UCD-SNMP) package is a set of Simple Network Management Protocol tools, including an agent, library, and applications for generating and handling requests and traps.

NOTE: The Net-SNMP port directory is ports/net/net-snmp, but the package name is still ucd-snmp.

II.  Problem Description

The Net-SNMP port, versions prior to 4.2.3, contains several remotely exploitable vulnerabilities. The OUSPG has discovered vulnerabilities in many SNMPv1 implementations through their `PROTOS - Security Testing of Protocol Implementations' project. The vulnerabilities are numerous and affect SNMPv1 request and trap handling in both managers and agents. Please refer to the References section for complete details.

The Net-SNMP port is not installed by default, nor is it "part of FreeBSD" as such: it is part of the FreeBSD ports collection, which contains over 6000 third-party applications in a ready-to-install format. The ports collection shipped with FreeBSD 4.5 does not contain this problem.
FreeBSD makes no claim about the security of these third-party applications, although an effort is underway to provide a security audit of the most security-critical ports.

III. Impact

Although no exploits are known to exist at this time, the vulnerabilities may be exploited by a remote attacker in order to cause the SNMP agent to execute arbitrary code with superuser privileges. Malicious agents may respond to requests with specially constructed replies that cause arbitrary code to be executed by the client. Knowledge of the SNMP community name is unnecessary for such exploits to be effective.

IV.  Workaround

1) Deinstall the ucd-snmp port/package if you have it installed.

V.   Solution

Do one of the following:

1) Upgrade your entire ports collection and rebuild the port.

2) Deinstall the old package and install a new package dated after the correction date, obtained from the following directories:

[i386]
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/net/ucd-snmp-4.2.3.tgz

[alpha]
Packages are not automatically generated for the alpha architecture at this time due to lack of build resources.

3) Download a new port skeleton for the net-snmp port from:

http://www.freebsd.org/ports/

and use it to rebuild the port.

4) Use the portcheckout utility to automate option (3) above. The portcheckout port is available in /usr/ports/devel/portcheckout or the package can be obtained from:

ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/Latest/portcheckout.tgz

NOTE: Many other applications utilize the Net-SNMP libraries. These applications may also be vulnerable. It is recommended that such applications be rebuilt after upgrading Net-SNMP. The following command will display applications installed by the FreeBSD ports collection that utilize Net-SNMP:

pkg_info -R ucd-snmp-\*

VI.  Correction details

The following list contains the revision numbers of each file that was corrected in the FreeBSD ports collection.

Path                                                             Revision
- -------------------------------------------------------------------------
ports/net/net-snmp/Makefile                                          1.59
ports/net/net-snmp/distinfo                                          1.15
ports/net/net-snmp/pkg-plist                                         1.18
ports/net/net-snmp/files/freebsd4.h                             (removed)
ports/net/net-snmp/files/patch-aclocal.m4                             1.1
- -------------------------------------------------------------------------

VII. References

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (FreeBSD)
Comment: For info see http://www.gnupg.org

iQCUAwUBPGmij1UuHi5z0oilAQGFQgP4ku0xC5v8hKJBXYbiSXmwVDpHpV6WHIWP
zuTSiyvKbUX7nKm6c9IMB+5ep2/SGdJXxWos+YZcncv8VgR5i47K1M1dYXwwniRg
dZMY/a2lL3B8902bHQq4zpR0TrgE7Wp1IhRNAeS8SZw1pnW86pgLsQzIr6WYhpzM
rgiaaaG+AQ==
=VdS0
-----END PGP SIGNATURE-----

From owner-freebsd-security Tue Feb 12 15:35:46 2002
Delivered-To: freebsd-security@freebsd.org
Received: from smtp3.vol.cz (smtp3.vol.cz [195.250.128.83]) by hub.freebsd.org (Postfix) with ESMTP id 4358737B827 for ; Tue, 12 Feb 2002 15:34:53 -0800 (PST)
Received: from obluda.cz (xkulesh.vol.cz [195.250.154.106]) by smtp3.vol.cz (8.11.3/8.11.3) with ESMTP id g1CNXbU99557 for ; Wed, 13 Feb 2002 00:33:37 +0100 (CET) (envelope-from dan@obluda.cz)
Message-ID: <3C69A002.5307156C@obluda.cz>
Date: Wed, 13 Feb 2002 00:06:42 +0100
From: Dan Lukes
X-Sender: "Dan Lukes"
X-Mailer: Mozilla 4.78 [en]C-CCK-MCD {FIO} (Windows NT 5.0; U)
X-Accept-Language: cs,sk,en,*
MIME-Version: 1.0
To: freebsd-security@freebsd.org
Subject: Re: Questions (Rants?) About IPSEC
References: <20020207163347.51C606B29@mail.cise.ufl.edu> <200202072142.g17LgDL69359@khavrinen.lcs.mit.edu>
Content-Type: text/plain; charset=iso-8859-2
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

Garrett Wollman wrote:
> You are wrong. There are two distinct models: you can have pre-shared
> keys, in which case you have no certificates and a single secret key
> for every pair of communicating entities; or you can use public-key
> certificates. I have some issues with the way the certificate support
> works, that's not one of them. Pre-shared keys are not necessarily
> specific to an IP address; you can use any type of identifier
> supported in the IKE protocol.

Note, the IKE knows two modes of establishing communication "main" and "aggressive". Non-IP identifiers are available only in "aggressive" mode (it's because the target needs to use appropriate key to compute hash used in first response, but type identifiers are sent later by the initiator).

----

Rob Frohwein wrote:
> The intention with ipsec is that you don't need all public certs
> from all your peers.
> You only need (all) Ca certs
> If you start a session , the remote party (racoon) sends its cert.
> Your local racoon looks if it has a CA cert which has signed
> your peers cert.
> It then verifies the peer cert.

Do you the racoon use an CRL ? I don't want to change CA and re-issue all certificates in case of compromise of one key.

I have working configurations FBSD<->FBSD and FBSD<->W2K, both on static addresses, with pre-shared keys and with x509 certs.
I failed to win over 'generate_policy' statement and dynamic IP support for now, but I'm still trying.

Dan

--
Dan Lukes tel: +420 2 21914205, fax: +420 2 21914206
root of FIONet, KolejNET, webmaster of www.freebsd.cz
AKA: dan@obluda.cz, dan@freebsd.cz, dan@kolej.mff.cuni.cz

From owner-freebsd-security Tue Feb 12 15:45:25 2002
Delivered-To: freebsd-security@freebsd.org
Received: from d188h80.mcb.uconn.edu (d188h80.mcb.uconn.edu [137.99.188.80]) by hub.freebsd.org (Postfix) with SMTP id 361E237B480 for ; Tue, 12 Feb 2002 15:44:50 -0800 (PST)
Received: (qmail 88814 invoked by uid 1001); 12 Feb 2002 23:42:23 -0000
Date: Tue, 12 Feb 2002 18:42:23 -0500
From: "Peter C. Lai"
To: freebsd-security@freebsd.org
Subject: Re: FreeBSD Ports Security Advisory FreeBSD-SA-02:11.snmp
Message-ID: <20020212184223.B88485@cowbert.2y.net>
Reply-To: peter.lai@uconn.edu
References: <200202122320.g1CNKSR40414@freefall.freebsd.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <200202122320.g1CNKSR40414@freefall.freebsd.org>; from security-advisories@freebsd.org on Tue, Feb 12, 2002 at 03:20:28PM -0800
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

Why does CERT say freebsd released a notification on this with 02:09?
02:09 was about fstatfs or something totally unrelated to snmp...

--
Peter C. Lai
University of Connecticut
Dept. of Residential Life | Programmer
Dept. of Molecular and Cell Biology | Undergraduate Research Assistant
http://cowbert.2y.net/
860.427.4542 (Room)
860.486.1899 (Lab)
203.206.3784 (Cellphone)

From owner-freebsd-security Tue Feb 12 15:53:17 2002
Delivered-To: freebsd-security@freebsd.org
Received: from mta7.pltn13.pbi.net (mta7.pltn13.pbi.net [64.164.98.8]) by hub.freebsd.org (Postfix) with ESMTP id 0B7DA37B419 for ; Tue, 12 Feb 2002 15:53:07 -0800 (PST)
Received: from shade.nectar.cc ([64.173.25.69]) by mta7.pltn13.pbi.net (iPlanet Messaging Server 5.1 (built May 7 2001)) with ESMTP id <0GRG00LSH2CI27@mta7.pltn13.pbi.net> for freebsd-security@freebsd.org; Tue, 12 Feb 2002 15:53:06 -0800 (PST)
Received: (from nectar@localhost) by shade.nectar.cc (8.11.6/8.11.6) id g1CNr9301804; Tue, 12 Feb 2002 17:53:09 -0600 (CST envelope-from nectar)
X-URL: http://www.nectar.cc/
Date: Tue, 12 Feb 2002 17:53:09 -0600
From: "Jacques A. Vidrine"
Subject: Re: FreeBSD Ports Security Advisory FreeBSD-SA-02:11.snmp
In-reply-to: <20020212184223.B88485@cowbert.2y.net>
To: peter.lai@uconn.edu
Cc: freebsd-security@freebsd.org
Mail-Followup-To: "Jacques A. Vidrine" , peter.lai@uconn.edu, freebsd-security@freebsd.org
Message-id: <20020212235309.GA1800@shade.nectar.cc>
MIME-version: 1.0
Content-type: text/plain; charset=us-ascii
Content-transfer-encoding: 7BIT
Content-disposition: inline
User-Agent: Mutt/1.3.27i
References: <200202122320.g1CNKSR40414@freefall.freebsd.org> <20020212184223.B88485@cowbert.2y.net>
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

On Tue, Feb 12, 2002 at 06:42:23PM -0500, Peter C. Lai wrote:
> Why does CERT say freebsd released a notification on this with 02:09?
> 02:09 was about fstatfs or something totally
> unrelated to snmp...

Probably because I informed them that I would reserve 02:09 for this, and then failed to actually do so. Thanks for pointing it out.

--
Jacques A. Vidrine http://www.nectar.cc/
NTT/Verio SME . FreeBSD UNIX . Heimdal Kerberos
jvidrine@verio.net . nectar@FreeBSD.org . nectar@kth.se

From owner-freebsd-security Tue Feb 12 18:17:29 2002
Delivered-To: freebsd-security@freebsd.org
Received: from flood.ping.uio.no (flood.ping.uio.no [129.240.78.31]) by hub.freebsd.org (Postfix) with ESMTP id E5A9137B405; Tue, 12 Feb 2002 18:17:21 -0800 (PST)
Received: by flood.ping.uio.no (Postfix, from userid 2602) id 854325341; Wed, 13 Feb 2002 03:17:19 +0100 (CET)
X-URL: http://www.ofug.org/~des/
X-Disclaimer: The views expressed in this message do not necessarily coincide with those of any organisation or company with which I am or have been affiliated.
To: hackers@freebsd.org
Subject: OpenPAM Caliopsis + integration patches
From: Dag-Erling Smorgrav
Date: 13 Feb 2002 03:17:18 +0100
Message-ID:
Lines: 9
User-Agent: Gnus/5.0808 (Gnus v5.8.8) Emacs/21.1
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

OpenPAM Caliopsis and accompanying FreeBSD integration patches are now available from . A fully patched tree is also available from the p4 depot, under //depot/user/des/pam/.

Please see the release notes and change log for information about known and resolved issues.

DES
--
Dag-Erling Smorgrav - des@ofug.org

From owner-freebsd-security Wed Feb 13 12:28:38 2002
Delivered-To: freebsd-security@freebsd.org
Received: from mailout10.sul.t-online.com (mailout10.sul.t-online.com [194.25.134.21]) by hub.freebsd.org (Postfix) with ESMTP id 851AD37B405 for ; Wed, 13 Feb 2002 12:28:35 -0800 (PST)
Received: from fwd08.sul.t-online.de by mailout10.sul.t-online.com with smtp id 16b613-0006E7-0B; Wed, 13 Feb 2002 21:28:33 +0100
Received: from idefix.local (320080844193-0001@[217.80.84.47]) by fmrl08.sul.t-online.com with smtp id 16b60v-1YhiNMC; Wed, 13 Feb 2002 21:28:25 +0100
Received: (nullmailer pid 1054 invoked by uid 1000); Wed, 13 Feb 2002 20:28:29 -0000
Date: Wed, 13 Feb 2002 21:28:29 +0100
From: Clemens Hermann
To: security@freebsd.org
Subject: more than 1 IP in jail
Message-ID: <20020213212828.A1027@idefix.local>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5.1i
X-Mailer: Mutt 1.2.5.1i (FreeBSD 4.4-RELEASE i386)
X-Sender: 320080844193-0001@t-dialin.net
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

Hi,

if I got the docs right, I can not bind more than one IP to a jail.
Is there any way to operate a httpd inside a jail with IP-Based virtual hosts?

thanks

/ch

--
How many Microsoft employees does it take to replace a defective light bulb? None, Microsoft declares darkness the market standard.

From owner-freebsd-security Wed Feb 13 12:34:27 2002
Delivered-To: freebsd-security@freebsd.org
Received: from mailout09.sul.t-online.com (mailout09.sul.t-online.com [194.25.134.84]) by hub.freebsd.org (Postfix) with ESMTP id C1FBC37B405 for ; Wed, 13 Feb 2002 12:34:23 -0800 (PST)
Received: from fwd06.sul.t-online.de by mailout09.sul.t-online.com with smtp id 16b66g-0002zP-04; Wed, 13 Feb 2002 21:34:22 +0100
Received: from idefix.local (320080844193-0001@[217.80.84.47]) by fmrl06.sul.t-online.com with smtp id 16b66V-1CCSDgC; Wed, 13 Feb 2002 21:34:11 +0100
Received: (nullmailer pid 1071 invoked by uid 1000); Wed, 13 Feb 2002 20:34:16 -0000
Date: Wed, 13 Feb 2002 21:34:16 +0100
From: Clemens Hermann To: security@freebsd.org Subject: sharing directories between jails Message-ID: <20020213213416.B1027@idefix.local> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5.1i X-Mailer: Mutt 1.2.5.1i (FreeBSD 4.4-RELEASE i386) X-Sender: 320080844193-0001@t-dialin.net Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Hi, is there a way to share directories between two jails? E.g. I have /usr/dir1 on the host-environment and I want this directory to exist in every jail-environment under /usr/dir1. As symlinks do not work, what else can be done? tia /ch -- Wieviele Mitarbeiter von Microsoft benoetigt man fuer das auswechseln einer defekten Gluehbirne? Keine, Microsoft erklaert die Dunkelheit zum Marktstandart. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Feb 13 12:38: 8 2002 Delivered-To: freebsd-security@freebsd.org Received: from proxy.centtech.com (moat.centtech.com [206.196.95.10]) by hub.freebsd.org (Postfix) with ESMTP id 6290A37B405 for ; Wed, 13 Feb 2002 12:38:04 -0800 (PST) Received: from sprint.centtech.com (sprint.centtech.com [10.177.173.31]) by proxy.centtech.com (8.11.6/8.11.6) with ESMTP id g1DKc3K04247; Wed, 13 Feb 2002 14:38:03 -0600 (CST) Received: from centtech.com (proton [10.177.173.77]) by sprint.centtech.com (8.9.3+Sun/8.9.3) with ESMTP id OAA27315; Wed, 13 Feb 2002 14:38:03 -0600 (CST) Message-ID: <3C6ACE4D.85110954@centtech.com> Date: Wed, 13 Feb 2002 14:36:29 -0600 
From: Eric Anderson Reply-To: anderson@centtech.com Organization: Centaur Technology X-Mailer: Mozilla 4.78 [en] (X11; U; Linux 2.2.12 i386) X-Accept-Language: en MIME-Version: 1.0 To: Clemens Hermann Cc: security@freebsd.org Subject: Re: sharing directories between jails References: <20020213213416.B1027@idefix.local> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org I'm not sure you would want to do that for security reasons.. I can think of one horribly frightening way to do it, but I'm afraid to mention it on this list because I'll probably be banned from it forever. :) I think the way most people implement multiple web servers in a jail is a jail for each virtual host - which seems wasteful but others know more about this most likely. Eric Clemens Hermann wrote: > > Hi, > > is there a way to share directories between two jails? > E.g. I have /usr/dir1 on the host-environment and I want this directory to > exist in every jail-environment under /usr/dir1. > As symlinks do not work, what else can be done? > > tia > > /ch > > -- > Wieviele Mitarbeiter von Microsoft benoetigt man fuer das auswechseln > einer defekten Gluehbirne? Keine, Microsoft erklaert die Dunkelheit zum > Marktstandart. > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message -- ------------------------------------------------------------------ Eric Anderson anderson@centtech.com Centaur Technology If at first you don't succeed, sky diving is probably not for you. 
------------------------------------------------------------------ To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Feb 13 12:39:59 2002 Delivered-To: freebsd-security@freebsd.org Received: from dreamflow.nl (dreamflow.nl [62.58.36.22]) by hub.freebsd.org (Postfix) with SMTP id 4DAC237B400 for ; Wed, 13 Feb 2002 12:39:49 -0800 (PST) Received: (qmail 46902 invoked by uid 1000); 13 Feb 2002 20:39:47 -0000 Date: Wed, 13 Feb 2002 21:39:47 +0100 
From: Bart Matthaei To: Clemens Hermann Cc: freebsd-security@freebsd.org Subject: Re: sharing directories between jails Message-ID: <20020213213946.E40457@heresy.dreamflow.nl> References: <20020213213416.B1027@idefix.local> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-md5; protocol="application/pgp-signature"; boundary="X1bOJ3K7DJ5YkBrT" Content-Disposition: inline User-Agent: Mutt/1.2.5.1i In-Reply-To: <20020213213416.B1027@idefix.local>; from haribeau@gmx.de on Wed, Feb 13, 2002 at 09:34:16PM +0100 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Wed, Feb 13, 2002 at 09:34:16PM +0100, Clemens Hermann wrote: > Hi, > > is there a way to share directories between two jails? > E.g. I have /usr/dir1 on the host-environment and I want this directory to > exist in every jail-environment under /usr/dir1. > As symlinks do not work, what else can be done? Symlinks in a jail is a Bad Thing. How about a network mount ? :-) Or reserve a partition for /usr/dir1 .. B. -- Bart Matthaei bart@dreamflow.nl Support wildlife -- vote for an orgy. 
:-) To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Feb 13 12:42:22 2002 Delivered-To: freebsd-security@freebsd.org Received: from dreamflow.nl (dreamflow.nl [62.58.36.22]) by hub.freebsd.org (Postfix) with SMTP id 23C8E37B43C for ; Wed, 13 Feb 2002 12:42:00 -0800 (PST) Received: (qmail 47022 invoked by uid 1000); 13 Feb 2002 20:41:59 -0000 Date: Wed, 13 Feb 2002 21:41:59 +0100 
From: Bart Matthaei To: freebsd-security@freebsd.org Subject: Re: sharing directories between jails Message-ID: <20020213214159.F40457@heresy.dreamflow.nl> References: <20020213213416.B1027@idefix.local> <20020213213946.E40457@heresy.dreamflow.nl> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-md5; protocol="application/pgp-signature"; boundary="s2ZSL+KKDSLx8OML" Content-Disposition: inline User-Agent: Mutt/1.2.5.1i In-Reply-To: <20020213213946.E40457@heresy.dreamflow.nl>; from bart@dreamflow.nl on Wed, Feb 13, 2002 at 09:39:47PM +0100 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Wed, Feb 13, 2002 at 09:39:47PM +0100, Bart Matthaei wrote: > Symlinks in a jail is a Bad Thing. > How about a network mount ? :-) > Or reserve a partition for /usr/dir1 .. Euh, I mean symlinking something from outside a jail, into a jail, is a Bad Thing. (must be the alcohol :-) B. -- Bart Matthaei bart@dreamflow.nl Support wildlife -- vote for an orgy. 
:-) To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Feb 13 13:19:40 2002 Delivered-To: freebsd-security@freebsd.org Received: from mailout03.sul.t-online.com (mailout03.sul.t-online.com [194.25.134.81]) by hub.freebsd.org (Postfix) with ESMTP id C326A37B400 for ; Wed, 13 Feb 2002 13:19:34 -0800 (PST) Received: from fwd06.sul.t-online.de by mailout03.sul.t-online.com with smtp id 16b6gQ-0001TV-0E; Wed, 13 Feb 2002 22:11:18 +0100 Received: from idefix.local (320080844193-0001@[217.80.84.47]) by fmrl06.sul.t-online.com with smtp id 16b6gL-204M8OC; Wed, 13 Feb 2002 22:11:13 +0100 Received: (nullmailer pid 73259 invoked by uid 1000); Wed, 13 Feb 2002 21:11:13 -0000 Date: Wed, 13 Feb 2002 22:11:13 +0100 
From: Clemens Hermann To: Bart Matthaei Cc: freebsd-security@freebsd.org Subject: Re: sharing directories between jails Message-ID: <20020213221112.A73220@idefix.local> Mail-Followup-To: Clemens Hermann , Bart Matthaei , freebsd-security@freebsd.org References: <20020213213416.B1027@idefix.local> <20020213213946.E40457@heresy.dreamflow.nl> <20020213214159.F40457@heresy.dreamflow.nl> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5.1i In-Reply-To: <20020213214159.F40457@heresy.dreamflow.nl> von Bart Matthaei am 13.Feb.2002 um 21:41:59 (+0100) X-Mailer: Mutt 1.2.5.1i (FreeBSD 4.4-RELEASE i386) X-Sender: 320080844193-0001@t-dialin.net Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On 13.02.2002 at 21:41:59, Bart Matthaei wrote: Hi Bart, > > Or reserve a partition for /usr/dir1 .. how could this solve the issue? Afaik you can not mount a partition into different points of the filesystem at the same time. > Euh, I mean symlinking something from outside a jail, into a jail, is > a Bad Thing. I thought this is impossible. A reason to mount directories could e.g. be to share distfiles read only. /ch -- How many Microsoft employees does it take to change a defective light bulb? None, Microsoft declares darkness the market standard. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Feb 13 13:26: 7 2002 Delivered-To: freebsd-security@freebsd.org Received: from dreamflow.nl (dreamflow.nl [62.58.36.22]) by hub.freebsd.org (Postfix) with SMTP id 52E9537B400 for ; Wed, 13 Feb 2002 13:26:00 -0800 (PST) Received: (qmail 48877 invoked by uid 1000); 13 Feb 2002 21:25:59 -0000 Date: Wed, 13 Feb 2002 22:25:59 +0100 
From: Bart Matthaei To: Clemens Hermann Cc: security@freebsd.org Subject: Re: sharing directories between jails Message-ID: <20020213222559.A47162@heresy.dreamflow.nl> References: <20020213213416.B1027@idefix.local> <20020213213946.E40457@heresy.dreamflow.nl> <20020213214159.F40457@heresy.dreamflow.nl> <20020213221112.A73220@idefix.local> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-md5; protocol="application/pgp-signature"; boundary="cNdxnHkX5QqsyA0e" Content-Disposition: inline User-Agent: Mutt/1.2.5.1i In-Reply-To: <20020213221112.A73220@idefix.local>; from haribeau@gmx.de on Wed, Feb 13, 2002 at 10:11:13PM +0100 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Wed, Feb 13, 2002 at 10:11:13PM +0100, Clemens Hermann wrote: > how could this solve the issue? Afaik you can not mount a partition into > different points of the filesystem at the same time. I'm not entirely sure. I know that on linux, you can mount /proc at least twice. No clue if this counts for freebsd and/or ufs. > > Euh, I mean symlinking something from outside a jail, into a jail, is > > a Bad Thing. > > I thought this is impossible. I think it's possible. But I'm not sure so don't quote me. > A reason to mount directories could e.g. be to share distfiles read only. I know. I think a network share is a decent solution, although I personally dislike NFS (nevertheless, there's no good alternative besides from maybe afs). Let me know how it works out. B. -- Bart Matthaei bart@dreamflow.nl Support wildlife -- vote for an orgy. 
:-) To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Feb 13 13:41:57 2002 Delivered-To: freebsd-security@freebsd.org Received: from mailout07.sul.t-online.com (mailout07.sul.t-online.com [194.25.134.83]) by hub.freebsd.org (Postfix) with ESMTP id 241F037B405 for ; Wed, 13 Feb 2002 13:41:54 -0800 (PST) Received: from fwd07.sul.t-online.de by mailout07.sul.t-online.com with smtp id 16b755-0002KF-05; Wed, 13 Feb 2002 22:36:47 +0100 Received: from idefix.local (320080844193-0001@[217.80.84.47]) by fmrl07.sul.t-online.com with smtp id 16b74t-1Foq80C; Wed, 13 Feb 2002 22:36:35 +0100 Received: (nullmailer pid 73344 invoked by uid 1000); Wed, 13 Feb 2002 21:36:39 -0000 Date: Wed, 13 Feb 2002 22:36:39 +0100 
From: Clemens Hermann To: Bart Matthaei Cc: security@freebsd.org Subject: Re: sharing directories between jails Message-ID: <20020213223639.A73315@idefix.local> References: <20020213213416.B1027@idefix.local> <20020213213946.E40457@heresy.dreamflow.nl> <20020213214159.F40457@heresy.dreamflow.nl> <20020213221112.A73220@idefix.local> <20020213222559.A47162@heresy.dreamflow.nl> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5.1i In-Reply-To: <20020213222559.A47162@heresy.dreamflow.nl> von Bart Matthaei am 13.Feb.2002 um 22:25:59 (+0100) X-Mailer: Mutt 1.2.5.1i (FreeBSD 4.4-RELEASE i386) X-Sender: 320080844193-0001@t-dialin.net Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On 13.02.2002 at 22:25:59, Bart Matthaei wrote: Hi Bart, > I'm not entirely sure. I know that on linux, you can mount /proc > at least twice. No clue if this counts for freebsd and/or ufs. during my tests this did not work. > I think it's possible. But I'm not sure so don't quote me. if you create a symlink this only says /home -> /usr/home. If you call /home from inside the jail it goes to /usr/home but _not_ in the hostsystem you probably linked it to but it looks for /usr/home inside your jail environment. /ch -- How many Microsoft employees does it take to change a defective light bulb? None, Microsoft declares darkness the market standard. 
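The lookup rule described in the message above (a symlink stores only the text of its target, and a jailed process resolves that text from the jail's own root) can be modelled in user space. This is an added example, not part of the original thread and not kernel code; `resolve_in_root`, `demo` and the temporary directory layout are constructed for illustration.

```python
import os
import tempfile

MAX_SYMLINKS = 32  # loop guard, comparable to the kernel's ELOOP limit


def _split(path):
    """Split a path into components, dropping empty parts and '.'."""
    return [p for p in path.split("/") if p and p != "."]


def resolve_in_root(root, path):
    """Model of path lookup for a process whose root directory is `root`.

    Returns the real (host-side) path the lookup ends at. Absolute symlink
    targets restart at `root`, and '..' never climbs above `root`.
    """
    root = os.path.realpath(root)
    pending = _split(path)
    resolved = []  # components below root that are already symlink-free
    hops = 0
    while pending:
        part = pending.pop(0)
        if part == "..":
            if resolved:          # at the root, '..' stays at the root
                resolved.pop()
            continue
        candidate = os.path.join(root, *resolved, part)
        if os.path.islink(candidate):
            hops += 1
            if hops > MAX_SYMLINKS:
                raise OSError("too many levels of symbolic links")
            target = os.readlink(candidate)  # just a stored string
            if target.startswith("/"):
                resolved = []     # absolute target: start again at root
            # relative targets continue from the link's own directory
            pending = _split(target) + pending
        else:
            resolved.append(part)
    return os.path.join(root, *resolved)


def demo():
    """Build a constructed 'host' tree with a jail inside it and compare views."""
    with tempfile.TemporaryDirectory() as host:
        host = os.path.realpath(host)
        jail = os.path.join(host, "jail")
        # Constructed sample layout: the same /usr/home path exists on the
        # host and inside the jail, with different contents.
        os.makedirs(os.path.join(host, "usr", "home"))
        os.makedirs(os.path.join(jail, "usr", "home"))
        open(os.path.join(host, "usr", "home", "host.txt"), "w").close()
        open(os.path.join(jail, "usr", "home", "jail.txt"), "w").close()
        # The link from the thread: /home -> /usr/home, created in the jail tree.
        os.symlink("/usr/home", os.path.join(jail, "home"))
        # A relative link that tries to climb out with '..'.
        os.symlink("../../../usr/home", os.path.join(jail, "usr", "up"))

        jail_view = resolve_in_root(jail, "/home")        # process inside the jail
        host_view = resolve_in_root(host, "/jail/home")   # process on the host
        rel_view = resolve_in_root(jail, "/usr/up")
        dotdot_view = resolve_in_root(jail, "/../../usr/home")
        return {
            "jail_view": os.path.relpath(jail_view, host),
            "host_view": os.path.relpath(host_view, host),
            "relative_link_jail_view": os.path.relpath(rel_view, host),
            "dotdot_view": os.path.relpath(dotdot_view, host),
            "jail_sees": sorted(os.listdir(jail_view)),
            "host_sees": sorted(os.listdir(host_view)),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The same link leads to two different directories depending on which root the lookup starts from, which is why a symlink cannot be used to expose a host directory inside a jail.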
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Feb 13 13:52:14 2002 Delivered-To: freebsd-security@freebsd.org Received: from dreamflow.nl (dreamflow.nl [62.58.36.22]) by hub.freebsd.org (Postfix) with SMTP id DD0ED37B405 for ; Wed, 13 Feb 2002 13:52:09 -0800 (PST) Received: (qmail 49284 invoked by uid 1000); 13 Feb 2002 21:52:08 -0000 Date: Wed, 13 Feb 2002 22:52:08 +0100 
From: Bart Matthaei To: Clemens Hermann Cc: security@freebsd.org Subject: Re: sharing directories between jails Message-ID: <20020213225208.B47162@heresy.dreamflow.nl> References: <20020213213416.B1027@idefix.local> <20020213213946.E40457@heresy.dreamflow.nl> <20020213214159.F40457@heresy.dreamflow.nl> <20020213221112.A73220@idefix.local> <20020213222559.A47162@heresy.dreamflow.nl> <20020213223639.A73315@idefix.local> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-md5; protocol="application/pgp-signature"; boundary="St7VIuEGZ6dlpu13" Content-Disposition: inline User-Agent: Mutt/1.2.5.1i In-Reply-To: <20020213223639.A73315@idefix.local>; from haribeau@gmx.de on Wed, Feb 13, 2002 at 10:36:39PM +0100 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Wed, Feb 13, 2002 at 10:36:39PM +0100, Clemens Hermann wrote: > if you create a symlink this only says /home -> /usr/home. > If you call /home from inside the jail it goes to /usr/home but _not_ > in the hostsystem you probably linked it to but it looks for /usr/home > inside your jail environment. Oh geez.. The alcohol really is getting to my head. Please forget my entire statement. I meant "hardlink", instead of symlink. *oops*. You're right, symlinks inside a jail won't take you outside the jail. Hardlinks will. But hardlinking something outside a jail to the inside of the jail isn't a good idea as far as I know. (Been some jail-break issues on that). I'm gonna end the conversation if you don't mind. I'm ashamed of myself. :-) B. -- Bart Matthaei bart@dreamflow.nl Support wildlife -- vote for an orgy. 
:-) To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Feb 13 15:33:45 2002 Delivered-To: freebsd-security@freebsd.org Received: from hotmail.com (f38.law10.hotmail.com [64.4.15.38]) by hub.freebsd.org (Postfix) with ESMTP id CD1B437B400 for ; Wed, 13 Feb 2002 15:33:42 -0800 (PST) Received: from mail pickup service by hotmail.com with Microsoft SMTPSVC; Wed, 13 Feb 2002 15:33:42 -0800 Received: from 64.228.221.109 by lw10fd.law10.hotmail.msn.com with HTTP; Wed, 13 Feb 2002 23:33:42 GMT X-Originating-IP: [64.228.221.109] 
From: "=?iso-8859-1?B?U3TpcGhhbmUgRmlsbGlvbg==?=" To: freebsd-security@FreeBSD.ORG Date: Wed, 13 Feb 2002 18:33:42 -0500 Mime-Version: 1.0 Content-Type: text/plain; charset=iso-8859-1; format=flowed Message-ID: X-OriginalArrivalTime: 13 Feb 2002 23:33:42.0742 (UTC) FILETIME=[DF730760:01C1B4E6] Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org auth c57ebcc5 unsubscribe freebsd-security cadavre01@hotmail.com _________________________________________________________________ Rejoignez le plus grand service de messagerie au monde avec MSN Hotmail. http://www.hotmail.com/fr To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Feb 13 15:53:13 2002 Delivered-To: freebsd-security@freebsd.org Received: from mailhost1.dircon.co.uk (mailhost1.dircon.co.uk [194.112.32.65]) by hub.freebsd.org (Postfix) with ESMTP id 0D3E337B400 for ; Wed, 13 Feb 2002 15:53:10 -0800 (PST) Received: from laptop (unknown [195.157.223.11]) by mailhost1.dircon.co.uk (Postfix) with ESMTP id AC24157D61 for ; Wed, 13 Feb 2002 23:53:08 +0000 (GMT) Received: (from nick@localhost) by laptop (8.9.3/8.9.3) id XAA00387 for freebsd-security@FreeBSD.ORG; Wed, 13 Feb 2002 23:52:49 GMT Date: Wed, 13 Feb 2002 23:52:48 +0000 
From: Nick Cleaton To: freebsd-security@FreeBSD.ORG Subject: Re: sharing directories between jails Message-ID: <20020213235248.A312@lt1.cleaton.net> References: <20020213213416.B1027@idefix.local> <20020213213946.E40457@heresy.dreamflow.nl> <20020213214159.F40457@heresy.dreamflow.nl> <20020213221112.A73220@idefix.local> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5.1i In-Reply-To: <20020213221112.A73220@idefix.local>; from haribeau@gmx.de on Wed, Feb 13, 2002 at 10:11:13PM +0100 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Wed, Feb 13, 2002 at 10:11:13PM +0100, Clemens Hermann wrote: > > how could this solve the issue? Afaik you can not mount a partition into > different points of the filesystem at the same time. > You can do it with mount_null(8). -- Nick To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Feb 13 17:41:51 2002 Delivered-To: freebsd-security@freebsd.org Received: from crag.niss.com (niss.com [169.207.33.46]) by hub.freebsd.org (Postfix) with ESMTP id 9A20937B402 for ; Wed, 13 Feb 2002 17:41:45 -0800 (PST) Received: from crag.niss.com (localhost.niss.com [127.0.0.1]) by crag.niss.com (8.11.6/8.11.6) with ESMTP id g1E1fg059095; Wed, 13 Feb 2002 19:41:42 -0600 (CST) (envelope-from listS+freebsd-security@niss.com) Message-Id: <200202140141.g1E1fg059095@crag.niss.com> 
From: Scott Bolte To: Nick Cleaton Cc: freebsd-security@FreeBSD.ORG Subject: Re: sharing directories between jails MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-ID: <59092.1013650902.1@crag.niss.com> Date: Wed, 13 Feb 2002 19:41:42 -0600 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Wed, 13 Feb 2002 23:52:48 +0000, Nick Cleaton wrote: > > You can do it with mount_null(8). This is an excerpt from the mount_null manual page on 4.4. | BUGS | THIS FILESYSTEM TYPE IS NOT YET FULLY SUPPORTED (READ: IT DOESN'T WORK) | AND USING IT MAY, IN FACT, DESTROY DATA ON YOUR SYSTEM. USE AT YOUR OWN | RISK. BEWARE OF DOG. SLIPPERY WHEN WET. | | This code also needs an owner in order to be less dangerous - serious | hackers can apply by sending mail to hackers@freebsd.org and announcing | their intent to take it over. I've read the 4.5 release notes but I don't recall anything with regard to the null file system. Has there been a quiet improvement, is the warning overblown, or is this really a risky idea? I'd much rather use a working mount_null then an NFS mount from localhost - which is what I am doing now. 
Scott To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Feb 13 20:52:56 2002 Delivered-To: freebsd-security@freebsd.org Received: from icc.cgu.chel.su (gw.csu.ru [195.54.14.5]) by hub.freebsd.org (Postfix) with ESMTP id C9D5F37B402; Wed, 13 Feb 2002 20:52:47 -0800 (PST) Received: from mail.cgu.chel.su (mail.cgu.chel.su [195.54.14.68]) by icc.cgu.chel.su (8.11.6/8.11.6) with ESMTP id g1E4qXd41146 (using TLSv1/SSLv3 with cipher EDH-RSA-DES-CBC3-SHA (168 bits) verified NO); Thu, 14 Feb 2002 09:52:35 +0500 (YEKT) (envelope-from ilia@cgu.chel.su) Received: from localhost (localhost [127.0.0.1]) by mail.cgu.chel.su (8.11.6/8.11.2) with ESMTP id g1E4qWN17104; Thu, 14 Feb 2002 09:52:32 +0500 (YEKT) (envelope-from ilia@cgu.chel.su) Date: Thu, 14 Feb 2002 09:52:32 +0500 (YEKT) 
From: "Ilia E. Chipitsine" To: Cc: Subject: KerberosIV migrate Message-ID: <20020214095036.T17081-100000@mail.cgu.chel.su> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Dear Sirs, could anyone suggest me how to migrate to KerberosIV ? occasionly, I seen pam-modules to migrate to krb5, but I didn't see anything for KerberosIV migration support... Ilia Chipitsine To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Feb 14 1:48:57 2002 Delivered-To: freebsd-security@freebsd.org Received: from lists01.iafrica.com (lists01.iafrica.com [196.7.0.141]) by hub.freebsd.org (Postfix) with ESMTP id AA76A37B400 for ; Thu, 14 Feb 2002 01:48:50 -0800 (PST) Received: from nwl.fw.uunet.co.za ([196.31.2.162]) by lists01.iafrica.com with esmtp (Exim 3.12 #2) id 16bIVT-00060x-00 for security@freebsd.org; Thu, 14 Feb 2002 11:48:47 +0200 Received: (from nobody@localhost) by nwl.fw.uunet.co.za (8.8.8/8.6.9) id LAA03404 for ; Thu, 14 Feb 2002 11:48:46 +0200 (SAST) Received: by nwl.fw.uunet.co.za via recvmail id 3169; Thu Feb 14 11:47:13 2002 Received: from localhost ([127.0.0.1]) by yacko.ops.uunet.co.za with esmtp (Exim 3.31 #1) id 16bITx-0001Q0-00 for security@freebsd.org; Thu, 14 Feb 2002 11:47:13 +0200 Date: Thu, 14 Feb 2002 11:47:13 +0200 (SAST) 
From: Gareth Hopkins X-X-Sender: ghopkins@yacko.fw.uunet.co.za To: security@freebsd.org Subject: Problems with openssh, kerberos5 and PAM Message-ID: <20020214111521.S4035-100000@yacko.fw.uunet.co.za> X-Cell: +27 82 389 5389 MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Hi, I am having the following problem with openssh, kerberos5 and pam authentication. SSH version is OpenSSH_2.9 FreeBSD localisations 20011202, SSH protocols 1.5/2.0, OpenSSL 0x0090601f On the server side when someone logs in with no kerberos tickets and enters their kerberos password the sshd daemon dies with the following error [root@server]/var/mail $ sshd -d debug1: sshd version OpenSSH_2.9 FreeBSD localisations 20011202 debug1: private host key: #0 type 0 RSA1 debug1: read PEM private key done: type DSA debug1: private host key: #1 type 2 DSA debug1: Bind to port 22 on 0.0.0.0. Server listening on 0.0.0.0 port 22. Generating 768 bit RSA key. RSA key generation complete. debug1: Server will not fork when running in debugging mode. Connection from servername.foo.bar port 59250 Connection from x.x.x.x port 59250 debug1: Client protocol version 1.5; client software version 1.2.27 debug1: no match: 1.2.27 debug1: Local version string SSH-1.5-OpenSSH_2.9 FreeBSD localisations 20011202 debug1: Rhosts Authentication disabled, originating port not trusted. debug1: Sent 768 bit server key and 1024 bit host key. debug1: Encryption type: 3des debug1: Received session key; encryption turned on. debug1: Installing crc compensation attack detector. debug1: Starting up PAM with username "ghopkins" debug1: Attempting authentication for ghopkins. 
debug1: temporarily_use_uid: 1000/20 (e=0) debug1: restore_uid Failed rsa for ghopkins from x.x.x.x port 59250 debug1: PAM Password authentication accepted for user "ghopkins" Accepted password for ghopkins from x.x.x.x port 59250 debug1: PAM setting rhost to "servername.foo.bar" debug1: session_new: init debug1: session_new: session 0 debug1: Allocating pty. debug1: PAM setting tty to "/dev/ttypc" debug1: do_pam_session: euid 0, uid 0 debug1: PAM establishing creds Bus error /etc/pam.conf has the following sshd auth sufficient pam_krb5.so try_first_pass sshd auth required pam_unix.so sshd account sufficient pam_krb5.so try_first_pass sshd account required pam_unix.so sshd session sufficient pam_krb5.so try_first_pass sshd session required pam_unix.so Any ideas what the problem could be? --- Gareth Hopkins Server Operations UUNET SA, a WorldCom Company (o) +27.21.658.8700 (f) +27.21.658.8552 (m) +27.82.389.5389 http://www.uunet.co.za 08600 UUNET (08600 88638) To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Feb 14 2: 3:20 2002 Delivered-To: freebsd-security@freebsd.org Received: from earth.rila.bg (earth.rila.bg [194.141.1.31]) by hub.freebsd.org (Postfix) with ESMTP id 153DE37B402 for ; Thu, 14 Feb 2002 02:03:17 -0800 (PST) Received: from earth.rila.bg (mitko@localhost.rila.bg [127.0.0.1]) by earth.rila.bg (8.11.6/8.11.6) with SMTP id g1EA37952130 for ; Thu, 14 Feb 2002 12:03:08 +0200 (EET) (envelope-from mitko@rila.bg) Date: Thu, 14 Feb 2002 12:03:07 +0200 
From: Dimitar Peikov To: freebsd-security@freebsd.org Subject: OpenBSD: vnconfig -k and FreeBSD Message-Id: <20020214120307.0d512f33.mitko@rila.bg> Reply-To: mitko@rila.bg Organization: Rila Solutions X-Mailer: Sylpheed version 0.6.5 (GTK+ 1.2.10; i386--freebsd4.4) Mime-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Does this feature is planned to be added soon? openbsd# man vnconfig --- -k Associate an encryption key with the device. All data will be encrypted before it is written to the disk. Encryption only works with svnd. --- I've being searching Crypto FS that can mount file or local FS using crypto scheme, but didn't found right answer on this. -- Dimitar Peikov Programmer Analyst Globalization Group "We Build e-Business" RILA Solutions 27 Building, Acad.G.Bonchev Str. 
1113 Sofia, Bulgaria phone: (+359 2) 9797320 phone: (+359 2) 9797300 fax: (+359 2) 9733355 http://www.rila.com To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Feb 14 2:16:17 2002 Delivered-To: freebsd-security@freebsd.org Received: from rly-ip02.mx.aol.com (rly-ip02.mx.aol.com [152.163.225.160]) by hub.freebsd.org (Postfix) with ESMTP id EBD5137B400 for ; Thu, 14 Feb 2002 02:16:13 -0800 (PST) Received: from logs-wc.proxy.aol.com (logs-wc.proxy.aol.com [205.188.193.5]) by rly-ip02.mx.aol.com (8.8.8/8.8.8/AOL-5.0.0) with ESMTP id FAA29554 for ; Thu, 14 Feb 2002 05:16:00 -0500 (EST) Received: from blah (AC868130.ipt.aol.com [172.134.129.48]) by logs-wc.proxy.aol.com (8.10.0/8.10.0) with SMTP id g1EAF9u334677 for ; Thu, 14 Feb 2002 05:15:10 -0500 (EST) Message-Id: <200202141015.g1EAF9u334677@logs-wc.proxy.aol.com> Date: Thu, 14 Feb 2002 10:45:37 +0100 To: freebsd-security@freebsd.org 
From: eberkut Subject: Re: OpenBSD: vnconfig -k and FreeBSD Organization: CNS / Minithins X-Mailer: Opera 5.11 build 904b X-Priority: 3 (Normal) Mime-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" X-Apparently-From: SinkSuffering@aol.com Content-Transfer-Encoding: 8bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org 14/02/02 11:03:07, Dimitar Peikov wrote: > >Does this feature is planned to be added soon? > >openbsd# man vnconfig >--- > -k Associate an encryption key with the device. All data will be > encrypted before it is written to the disk. Encryption only > works with svnd. >--- > >I've being searching Crypto FS that can mount file or local FS using >crypto scheme, but didn't found right answer on this. maybe vncrypt is what you're looking for. Note that it is still under development. http://vncrypt.sourceforge.net/ --eberkut ex diffinientium cognitione diffiniti resultat cognitio . Prelude : http://prelude.sf.net . 
CNS : http://minithins.net To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Feb 14 2:19:16 2002 Delivered-To: freebsd-security@freebsd.org Received: from portal.eltex.ru (eltex-gw2.nw.ru [195.19.203.86]) by hub.freebsd.org (Postfix) with ESMTP id 0F43A37B416 for ; Thu, 14 Feb 2002 02:19:13 -0800 (PST) Received: (from root@localhost) by portal.eltex.ru (8.11.6/8.11.3) id g1EAJ9S11135 for freebsd-security@freebsd.org; Thu, 14 Feb 2002 13:19:09 +0300 (MSK) (envelope-from amil@eltex.ru) Received: from gadget (root@gadget.eltex.ru [195.19.198.14]) by portal.eltex.ru (8.11.6/8.11.3av) with SMTP id g1EAJ1E11127 for ; Thu, 14 Feb 2002 13:19:01 +0300 (MSK) (envelope-from amil@eltex.ru) Received: by gadget (ssmtp TIS-0.6alpha, 19 Jan 2000); Thu, 14 Feb 2002 13:09:21 +0300 Received: from undisclosed-intranet-sender id xmapX5389; Thu, 14 Feb 02 13:09:10 +0300 Message-Id: <200202141018.NAA05098@incredible.hq.eltex.ru> Date: Thu, 14 Feb 2002 13:18:55 +0300 
From: Alexandr Alov To: FreeBSD Subject: about 113 port X-Mailer: stuphead ver. 0.5.3 (Wiskas) (GTK+ 1.2.8; FreeBSD 4.5-STABLE; i386) Mime-Version: 1.0 Content-Type: text/plain; charset="US-ASCII" Content-Transfer-Encoding: 7bit X-Virus-Scanned: by Eltex TC Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Hi ! Recently here was a discussion about emission from/on port 113. In inetd.conf string with auth commented, but emission on 113 port present. What is this ? -- Alexandr Alov System Engineer, Eltex TC Co. Saint-Petersburg, Russia. e-mail: amil198@eltex.ru www: www.eltex.net To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Feb 14 3:50:48 2002 Delivered-To: freebsd-security@freebsd.org Received: from straylight.ringlet.net (discworld.nanolink.com [217.75.135.248]) by hub.freebsd.org (Postfix) with SMTP id A28DA37B435 for ; Thu, 14 Feb 2002 03:50:25 -0800 (PST) Received: (qmail 741 invoked by uid 1000); 14 Feb 2002 11:50:52 -0000 Date: Thu, 14 Feb 2002 13:50:52 +0200 
From: Peter Pentchev To: Alexandr Alov Cc: FreeBSD Subject: Re: about 113 port Message-ID: <20020214135052.A339@straylight.oblivion.bg> Mail-Followup-To: Alexandr Alov , FreeBSD References: <200202141018.NAA05098@incredible.hq.eltex.ru> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-md5; protocol="application/pgp-signature"; boundary="Dxnq1zWXvFF0Q93v" Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <200202141018.NAA05098@incredible.hq.eltex.ru>; from amil198@eltex.ru on Thu, Feb 14, 2002 at 01:18:55PM +0300 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org --Dxnq1zWXvFF0Q93v Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Thu, Feb 14, 2002 at 01:18:55PM +0300, Alexandr Alov wrote: > Hi ! > > Recently here was a discussion about emission from/on port 113. > In inetd.conf string with auth commented, but emission on 113 port present. > What is this ? Somebody is trying to connect to you, and your machine is sending back TCP RST (connection refused) packets. G'luck, Peter -- Peter Pentchev roam@ringlet.net roam@FreeBSD.org PGP key: http://people.FreeBSD.org/~roam/roam.key.asc Key fingerprint FDBA FD79 C26F 3C51 C95E DF9E ED18 B68D 1619 4553 If this sentence were in Chinese, it would say something else. 
--Dxnq1zWXvFF0Q93v Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.6 (FreeBSD) Comment: For info see http://www.gnupg.org iEYEARECAAYFAjxrpJwACgkQ7Ri2jRYZRVMsBQCgtCWWzG1sFwTrgG99JK0AWll0 FR0An13aCIZbWtYz8tAHBrrHb5Btq3yw =N9Lf -----END PGP SIGNATURE----- --Dxnq1zWXvFF0Q93v-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Feb 14 4:17:22 2002 Delivered-To: freebsd-security@freebsd.org Received: from portal.eltex.ru (eltex-gw2.nw.ru [195.19.203.86]) by hub.freebsd.org (Postfix) with ESMTP id 4EC7237B400 for ; Thu, 14 Feb 2002 04:17:11 -0800 (PST) Received: (from root@localhost) by portal.eltex.ru (8.11.6/8.11.3) id g1ECH9715297; Thu, 14 Feb 2002 15:17:09 +0300 (MSK) (envelope-from amil@eltex.ru) Received: from gadget (root@gadget.eltex.ru [195.19.198.14]) by portal.eltex.ru (8.11.6/8.11.3av) with SMTP id g1ECH2E15289; Thu, 14 Feb 2002 15:17:02 +0300 (MSK) (envelope-from amil@eltex.ru) Received: by gadget (ssmtp TIS-0.6alpha, 19 Jan 2000); Thu, 14 Feb 2002 15:07:21 +0300 Received: from undisclosed-intranet-sender id xmas25115; Thu, 14 Feb 02 15:07:17 +0300 Message-Id: <200202141216.PAA05281@incredible.hq.eltex.ru> Date: Thu, 14 Feb 2002 15:16:58 +0300 
From: Alexandr Alov To: Peter Pentchev Cc: freebsd-security@FreeBSD.ORG Subject: Re: about 113 port In-Reply-To: <20020214135052.A339@straylight.oblivion.bg> References: <200202141018.NAA05098@incredible.hq.eltex.ru> <20020214135052.A339@straylight.oblivion.bg> X-Mailer: stuphead ver. 0.5.3 (Wiskas) (GTK+ 1.2.8; FreeBSD 4.5-STABLE; i386) Mime-Version: 1.0 Content-Type: text/plain; charset="US-ASCII" Content-Transfer-Encoding: 7bit X-Virus-Scanned: by Eltex TC Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Hello ! PPAA> Somebody is trying to connect to you, and your machine is sending PPAA> back TCP RST (connection refused) packets. message from log: Connection attempt to TCP 10.0.0.2:113 from 10.0.0.1:2932 but on 10.0.0.2 in inetd.conf string with auth not present. what you mean about ? -- Alexandr Alov System Engineer, Eltex TC Co. Saint-Petersburg, Russia. e-mail: amil198@eltex.ru www: www.eltex.net To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Feb 14 4:36:44 2002 Delivered-To: freebsd-security@freebsd.org Received: from straylight.ringlet.net (discworld.nanolink.com [217.75.135.248]) by hub.freebsd.org (Postfix) with SMTP id 34E9237B416 for ; Thu, 14 Feb 2002 04:36:33 -0800 (PST) Received: (qmail 1155 invoked by uid 1000); 14 Feb 2002 12:37:02 -0000 Date: Thu, 14 Feb 2002 14:37:02 +0200 
From: Peter Pentchev To: Alexandr Alov Cc: freebsd-security@FreeBSD.ORG Subject: Re: about 113 port Message-ID: <20020214143702.A935@straylight.oblivion.bg> Mail-Followup-To: Alexandr Alov , freebsd-security@FreeBSD.ORG References: <200202141018.NAA05098@incredible.hq.eltex.ru> <20020214135052.A339@straylight.oblivion.bg> <200202141216.PAA05281@incredible.hq.eltex.ru> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-md5; protocol="application/pgp-signature"; boundary="+HP7ph2BbKc20aGI" Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <200202141216.PAA05281@incredible.hq.eltex.ru>; from amil198@eltex.ru on Thu, Feb 14, 2002 at 03:16:58PM +0300 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org --+HP7ph2BbKc20aGI Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Thu, Feb 14, 2002 at 03:16:58PM +0300, Alexandr Alov wrote: > Hello ! > > PPAA> Somebody is trying to connect to you, and your machine is sending > PPAA> back TCP RST (connection refused) packets. > message from log: > > Connection attempt to TCP 10.0.0.2:113 from 10.0.0.1:2932 > > but on 10.0.0.2 in inetd.conf string with auth not present. > > what you mean about ? This is a connection *attempt*, not an actual connection. It is only an attempt, because there is nothing that listens on port 113 on 10.0.0.2; therefore, the OS returns a TCP RST (reset) packet, and a TCP client on 10.0.0.1 would get a 'connection refused' error. Many programs attempt connections to port 113 - mail servers, IRC servers, some FTP servers.. If there is nothing that answers such connection requests, the programs just go on, having received no data. 
This is the way it should generally be :) (unless you happen to use one of those picky-picky IRC servers that require an auth response; but that's another topic for another day) In general, you should leave things configured exactly the way they are now - nothing listening on port 113. The network traffic that you are seeing is just somebody *trying* to connect and failing - it is completely normal. G'luck, Peter --=20 Peter Pentchev roam@ringlet.net roam@FreeBSD.org PGP key: http://people.FreeBSD.org/~roam/roam.key.asc Key fingerprint FDBA FD79 C26F 3C51 C95E DF9E ED18 B68D 1619 4553 Nostalgia ain't what it used to be. --+HP7ph2BbKc20aGI Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.6 (FreeBSD) Comment: For info see http://www.gnupg.org iEYEARECAAYFAjxrr24ACgkQ7Ri2jRYZRVPTZQCgxkMEZhiD9KVAUSCEBPrEmXhB JmAAniQYdjmrnobmWbjDD+79OFxfbvmo =6E5h -----END PGP SIGNATURE----- --+HP7ph2BbKc20aGI-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Feb 14 4:44:41 2002 Delivered-To: freebsd-security@freebsd.org Received: from portal.eltex.ru (eltex-gw2.nw.ru [195.19.203.86]) by hub.freebsd.org (Postfix) with ESMTP id 4C00B37B400 for ; Thu, 14 Feb 2002 04:44:37 -0800 (PST) Received: (from root@localhost) by portal.eltex.ru (8.11.6/8.11.3) id g1ECiUO15855; Thu, 14 Feb 2002 15:44:30 +0300 (MSK) (envelope-from amil@eltex.ru) Received: from gadget (root@gadget.eltex.ru [195.19.198.14]) by portal.eltex.ru (8.11.6/8.11.3av) with SMTP id g1ECi4E15836; Thu, 14 Feb 2002 15:44:05 +0300 (MSK) (envelope-from amil@eltex.ru) Received: by gadget (ssmtp TIS-0.6alpha, 19 Jan 2000); Thu, 14 Feb 2002 15:34:21 +0300 Received: from undisclosed-intranet-sender id xmajV3200; Thu, 14 Feb 02 15:34:09 +0300 Message-Id: <200202141243.PAA05312@incredible.hq.eltex.ru> Date: Thu, 14 Feb 2002 15:43:50 +0300 
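The log message quoted in this thread is the kind the kernel writes when net.inet.tcp.log_in_vain is enabled. As an added example (not part of any poster's message), the script below parses such lines and separates sources that only ever hit the closed ident port from sources that touch several closed ports. The syslog prefix, the sample addresses other than those in the thread, and the three-port threshold are assumptions made for illustration.

```python
import re
from collections import defaultdict

IDENT_PORT = 113  # auth/ident service discussed in the thread

# Message format as quoted in the thread; UDP is accepted as well.
ATTEMPT_RE = re.compile(
    r"Connection attempt to (?P<proto>TCP|UDP) "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<dport>\d+) from "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}):(?P<sport>\d+)"
)

# Constructed sample input. Only the first message body is taken from the
# thread; timestamps, host name and the other addresses are made up.
SAMPLE_LOG = """\
Feb 14 15:07:17 gw /kernel: Connection attempt to TCP 10.0.0.2:113 from 10.0.0.1:2932
Feb 14 15:07:49 gw /kernel: Connection attempt to TCP 10.0.0.2:113 from 10.0.0.1:2940
Feb 14 15:09:02 gw /kernel: Connection attempt to TCP 10.0.0.2:23 from 192.0.2.77:40112
Feb 14 15:09:02 gw /kernel: Connection attempt to TCP 10.0.0.2:111 from 192.0.2.77:40113
Feb 14 15:09:03 gw /kernel: Connection attempt to TCP 10.0.0.2:113 from 192.0.2.77:40114
Feb 14 15:09:03 gw /kernel: Connection attempt to TCP 10.0.0.2:6000 from 192.0.2.77:40115
Feb 14 15:10:00 gw /kernel: Connection attempt to UDP 10.0.0.2:137 from 198.51.100.9:137
Feb 14 15:10:01 gw sshd[311]: Accepted password for operator from 10.0.0.5 port 1022
"""


def parse_line(line):
    """Return the fields of one 'Connection attempt' line, or None."""
    m = ATTEMPT_RE.search(line)
    if m is None:
        return None
    return {
        "proto": m["proto"],
        "dst": m["dst"],
        "dport": int(m["dport"]),
        "src": m["src"],
        "sport": int(m["sport"]),
    }


def summarize(lines, scan_ports=3):
    """Group refused attempts by source address and label each source.

    ident-only : every attempt went to TCP/113, the pattern produced by
                 mail, IRC and FTP servers looking for an ident answer
    multi-port : at least `scan_ports` distinct closed ports were tried
                 (hypothetical threshold, tune for your own network)
    other      : anything else
    """
    by_src = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is not None:
            by_src[rec["src"]].append(rec)

    report = {}
    for src, recs in by_src.items():
        ports = sorted({(r["proto"], r["dport"]) for r in recs})
        if all(p == ("TCP", IDENT_PORT) for p in ports):
            verdict = "ident-only"
        elif len(ports) >= scan_ports:
            verdict = "multi-port"
        else:
            verdict = "other"
        report[src] = {
            "attempts": len(recs),
            "ports": ports,
            "verdict": verdict,
        }
    return report


if __name__ == "__main__":
    for src, info in sorted(summarize(SAMPLE_LOG.splitlines()).items()):
        ports = ", ".join(f"{proto}/{port}" for proto, port in info["ports"])
        print(f"{src:15} {info['verdict']:10} attempts={info['attempts']} {ports}")
```
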
From: Alexandr Alov To: Peter Pentchev Cc: freebsd-security@FreeBSD.ORG Subject: Re: about 113 port In-Reply-To: <20020214143702.A935@straylight.oblivion.bg> References: <200202141018.NAA05098@incredible.hq.eltex.ru> <20020214135052.A339@straylight.oblivion.bg> <200202141216.PAA05281@incredible.hq.eltex.ru> <20020214143702.A935@straylight.oblivion.bg> X-Mailer: stuphead ver. 0.5.3 (Wiskas) (GTK+ 1.2.8; FreeBSD 4.5-STABLE; i386) Mime-Version: 1.0 Content-Type: text/plain; charset="US-ASCII" Content-Transfer-Encoding: 7bit X-Virus-Scanned: by Eltex TC Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Hello ! Thank you. PPAA> This is a connection *attempt*, not an actual connection. PPAA> It is only an attempt, because there is nothing that listens PPAA> on port 113 on 10.0.0.2; therefore, the OS returns a TCP RST (reset) PPAA> packet, and a TCP client on 10.0.0.1 would get a 'connection PPAA> refused' error. PPAA> Many programs attempt connections to port 113 - mail servers, PPAA> IRC servers, some FTP servers.. If there is nothing that answers PPAA> such connection requests, the programs just go on, having received PPAA> no data. This is the way it should generally be :) (unless you happen PPAA> to use one of those picky-picky IRC servers that require an auth response; PPAA> but that's another topic for another day) In general, you should leave PPAA> things configured exactly the way they are now - nothing listening PPAA> on port 113. The network traffic that you are seeing is just somebody PPAA> *trying* to connect and failing - it is completely normal. PPAA> G'luck, PPAA> Peter -- Alexandr Alov System Engineer, Eltex TC Co. Saint-Petersburg, Russia. 
e-mail: amil198@eltex.ru www: www.eltex.net To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Feb 14 5:13:46 2002 Delivered-To: freebsd-security@freebsd.org Received: from mail.polchat.pl (polchat.pl [213.25.49.1]) by hub.freebsd.org (Postfix) with SMTP id 3994237B402 for ; Thu, 14 Feb 2002 05:13:40 -0800 (PST) Received: (qmail 29118 invoked by uid 513); 14 Feb 2002 13:12:47 -0000 Received: from localhost (sendmail-bs@127.0.0.1) by localhost with SMTP; 14 Feb 2002 13:12:47 -0000 Date: Thu, 14 Feb 2002 14:12:47 +0100 (CET) 
From: X-Sender: kurnik@polchat.pl To: freebsd-security@freebsd.org Subject: FreeBSD 4.5 syncache problem Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Hi! I'd like to migrate my Linux powered server to FreeBSD 4.5 but there's a critical syncache related bug that makes it easy to remotely cause kernel panic on any server running FreeBSD 4.5. (more on this bug at www.freebsd.org/cgi/query-pr.cgi?pr=kern/34658) My questions: 1. Is there a simple way to fix this problem? (e.g. disabling syncache, whatever) 2. Is it a good idea to run FreeBSD 4.5 on a server or should I consider some older releases like 4.4 or 4.0? thanks, M. -- KURNIK! -- gry sieciowe warte swieczki :) http://www.kurnik.pl/ To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Feb 14 5:31:21 2002 Delivered-To: freebsd-security@freebsd.org Received: from sneakerz.org (sneakerz.org [216.33.66.254]) by hub.freebsd.org (Postfix) with ESMTP id E788637B400 for ; Thu, 14 Feb 2002 05:31:16 -0800 (PST) Received: by sneakerz.org (Postfix, from userid 1023) id 518195D006; Thu, 14 Feb 2002 07:31:11 -0600 (CST) Date: Thu, 14 Feb 2002 07:31:11 -0600 
From: Maxime Henrion To: freebsd-security@freebsd.org Cc: kurnik@kurnik.pl Subject: Re: FreeBSD 4.5 syncache problem Message-ID: <20020214073111.C26590@sneakerz.org> References: Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5.1i In-Reply-To: ; from kurnik@kurnik.pl on Thu, Feb 14, 2002 at 02:12:47PM +0100 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org kurnik@kurnik.pl (kurnik@kurnik.pl) wrote: > Hi! > > I'd like to migrate my Linux powered server to FreeBSD 4.5 but there's > a critical syncache related bug that makes it easy to remotely cause > kernel panic on any server running FreeBSD 4.5. > (more on this bug at www.freebsd.org/cgi/query-pr.cgi?pr=kern/34658) Could you provide a way to reliably reproduce it? I'm sure this would help a lot getting this bug fixed, since it's not mentioned in the PR. > My questions: > > 1. Is there a simple way to fix this problem? (e.g. disabling syncache, > whatever) Look at the various sysctls in net.inet.tcp, there's probably one for this purpose. > 2. Is it a good idea to run FreeBSD 4.5 on a server or should I consider > some older releases like 4.4 or 4.0? I'd say disable syncache if possible and run 4.5. Maxime Henrion To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Feb 14 5:34:57 2002 Delivered-To: freebsd-security@freebsd.org Received: from whale.sunbay.crimea.ua (whale.sunbay.crimea.ua [212.110.138.65]) by hub.freebsd.org (Postfix) with ESMTP id D750937B416; Thu, 14 Feb 2002 05:34:45 -0800 (PST) Received: (from ru@localhost) by whale.sunbay.crimea.ua (8.11.6/8.11.2) id g1EDYGp72071; Thu, 14 Feb 2002 15:34:16 +0200 (EET) (envelope-from ru) Date: Thu, 14 Feb 2002 15:34:16 +0200 
From: Ruslan Ermilov To: kurnik@kurnik.pl Cc: Jonathan Lemon , freebsd-security@FreeBSD.org Subject: Re: FreeBSD 4.5 syncache problem Message-ID: <20020214153416.C62857@sunbay.com> References: Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: User-Agent: Mutt/1.3.23i Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Thu, Feb 14, 2002 at 02:12:47PM +0100, kurnik@kurnik.pl wrote: > Hi! > > I'd like to migrate my Linux powered server to FreeBSD 4.5 but there's > a critical syncache related bug that makes it easy to remotely cause > kernel panic on any server running FreeBSD 4.5. > (more on this bug at www.freebsd.org/cgi/query-pr.cgi?pr=kern/34658) > > My questions: > > 1. Is there a simple way to fix this problem? (e.g. disabling syncache, > whatever) > > 2. Is it a good idea to run FreeBSD 4.5 on a server or should I consider > some older releases like 4.4 or 4.0? > See if revision 1.11 of sys/netinet/tcp_syncache.c fixes the problem. Cheers, -- Ruslan Ermilov Sysadmin and DBA, ru@sunbay.com Sunbay Software AG, ru@FreeBSD.org FreeBSD committer, +380.652.512.251 Simferopol, Ukraine http://www.FreeBSD.org The Power To Serve http://www.oracle.com Enabling The Information Age To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Feb 14 5:37:25 2002 Delivered-To: freebsd-security@freebsd.org Received: from sneakerz.org (sneakerz.org [216.33.66.254]) by hub.freebsd.org (Postfix) with ESMTP id 3A0DE37B402 for ; Thu, 14 Feb 2002 05:37:08 -0800 (PST) Received: by sneakerz.org (Postfix, from userid 1023) id BD19E5D006; Thu, 14 Feb 2002 07:37:07 -0600 (CST) Date: Thu, 14 Feb 2002 07:37:07 -0600 
From: Maxime Henrion To: freebsd-security@freebsd.org Cc: kurnik@kurnik.pl Subject: Re: FreeBSD 4.5 syncache problem Message-ID: <20020214073707.D26590@sneakerz.org> References: <20020214073111.C26590@sneakerz.org> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5.1i In-Reply-To: <20020214073111.C26590@sneakerz.org>; from mux@sneakerz.org on Thu, Feb 14, 2002 at 07:31:11AM -0600 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Maxime Henrion (mux@sneakerz.org) wrote: > kurnik@kurnik.pl (kurnik@kurnik.pl) wrote: > > Hi! > > > > I'd like to migrate my Linux powered server to FreeBSD 4.5 but there's > > a critical syncache related bug that makes it easy to remotely cause > > kernel panic on any server running FreeBSD 4.5. > > (more on this bug at www.freebsd.org/cgi/query-pr.cgi?pr=kern/34658) > > Could you probide a way to reliable reproduce it ? I'm sure this would > help a lot getting this bug fixed, since it's not mentioned in the PR. Please discard my mail, it really looks like this is fixed in rev1.11 of tcp_syncache.c. Maxime Henrion To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Feb 14 5:57:36 2002 Delivered-To: freebsd-security@freebsd.org Received: from smx.pair.com (smx.pair.com [209.68.1.56]) by hub.freebsd.org (Postfix) with SMTP id 0A09A37B402 for ; Thu, 14 Feb 2002 05:57:32 -0800 (PST) Received: (qmail 793 invoked by uid 1000); 14 Feb 2002 13:57:31 -0000 Message-ID: <20020214135731.792.qmail@smx.pair.com> 
From: sigma@smx.pair.com Subject: Re: FreeBSD 4.5 syncache problem In-Reply-To: <20020214073707.D26590@sneakerz.org> from Maxime Henrion at "Feb 14, 2 07:37:07 am" To: freebsd-security@freebsd.org Date: Thu, 14 Feb 2002 08:57:31 -0500 (EST) X-Mailer: ELM [version 2.4ME+ PL40 (25)] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org > > > (more on this bug at www.freebsd.org/cgi/query-pr.cgi?pr=kern/34658) > > > > Could you probide a way to reliable reproduce it ? I'm sure this would > > help a lot getting this bug fixed, since it's not mentioned in the PR. > > Please discard my mail, it really looks like this is fixed in rev1.11 of > tcp_syncache.c. Will this be merged into 4.5-STABLE? It isn't clear if the 1.10 changes should go into 4.5-STABLE, or just the 1.11 bugfix, if I were doing it by hand. Kevin To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Feb 14 6: 4:34 2002 Delivered-To: freebsd-security@freebsd.org Received: from sneakerz.org (sneakerz.org [216.33.66.254]) by hub.freebsd.org (Postfix) with ESMTP id 1943A37B41D for ; Thu, 14 Feb 2002 06:04:21 -0800 (PST) Received: by sneakerz.org (Postfix, from userid 1023) id 7154A5D006; Thu, 14 Feb 2002 08:04:20 -0600 (CST) Date: Thu, 14 Feb 2002 08:04:20 -0600 
From: Maxime Henrion To: freebsd-security@freebsd.org Cc: sigma@smx.pair.com Subject: Re: FreeBSD 4.5 syncache problem Message-ID: <20020214080420.A58520@sneakerz.org> References: <20020214073707.D26590@sneakerz.org> <20020214135731.792.qmail@smx.pair.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5.1i In-Reply-To: <20020214135731.792.qmail@smx.pair.com>; from sigma@smx.pair.com on Thu, Feb 14, 2002 at 08:57:31AM -0500 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org sigma@smx.pair.com (sigma@smx.pair.com) wrote: > > > > > (more on this bug at www.freebsd.org/cgi/query-pr.cgi?pr=kern/34658) > > > > > > Could you probide a way to reliable reproduce it ? I'm sure this would > > > help a lot getting this bug fixed, since it's not mentioned in the PR. > > > > Please discard my mail, it really looks like this is fixed in rev1.11 of > > tcp_syncache.c. > > Will this be merged into 4.5-STABLE? It isn't clear if the 1.10 changes > should go into 4.5-STABLE, or just the 1.11 bugfix, if I were doing it by > hand. Only apply the 1.11 delta if you do it by hand, the 1.10 revision has nothing to do with -STABLE. This will probably be merged soon, though I can't tell when. If you could try to apply the 1.11 delta and report us if you still experience these panics, it would be of a great help. 
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Feb 14 6:35:52 2002 Delivered-To: freebsd-security@freebsd.org Received: from w2xo.pgh.pa.us (18.gibs5.xdsl.nauticom.net [209.195.184.19]) by hub.freebsd.org (Postfix) with ESMTP id 4C5FF37B400 for ; Thu, 14 Feb 2002 06:35:48 -0800 (PST) Received: from localhost (localhost.pgh.pa.us [127.0.0.1]) by w2xo.pgh.pa.us (8.11.6/8.11.3) with ESMTP id g1EEZll25280 for ; Thu, 14 Feb 2002 14:35:47 GMT (envelope-from durham@w2xo.pgh.pa.us) Date: Thu, 14 Feb 2002 14:35:47 +0000 (GMT) 
From: Jim Durham To: freebsd-security@freebsd.org Subject: Jail question Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org I just recently discovered jail and started reading the material by phk on how it works. Ok, you can have a general over-all supervisory root account and you can have a root account in each jail. Let's say you make a jail for each department in a company. Suppose you have a situation where you have certain users who are not capable of system administration, but, they are supervisors who need to be able to read and modify files in all the jails, but not modify system config files, etc owned by the jail root account. How could you accomplish this? Jim Durham To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Feb 14 7:46: 7 2002 Delivered-To: freebsd-security@freebsd.org Received: from R181172.resnet.ucsb.edu (R181172.resnet.ucsb.edu [128.111.181.172]) by hub.freebsd.org (Postfix) with ESMTP id DE64937B400 for ; Thu, 14 Feb 2002 07:46:05 -0800 (PST) Received: from localhost (mudman@localhost) by R181172.resnet.ucsb.edu (8.11.6/8.11.6) with ESMTP id g1EFqai52691 for ; Thu, 14 Feb 2002 07:52:36 -0800 (PST) (envelope-from mudman@R181172.resnet.ucsb.edu) Date: Thu, 14 Feb 2002 07:52:35 -0800 (PST) 
From: Dave To: freebsd-security@freebsd.org Subject: sendmail ; bogus letters Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Some of my accounts are getting some spam (what else is new on the internet?). However, the "from" addresses of these letters are not even valid (as is with a lot of spam). In a couple of cases they are, but I question the letter actually came from the sender listed. Is there something I can do in the sendmail.cf file or other configuration change to drop these kinds of letters? Other solutions? I've thought of denying messages from free mail sites, but I imagine some spam is from elsewhere. I would think it is possible to ditch bulkmail, I know that yahoo.com has a bulkmail folder -- and I heard yahoo runs FreeBSD too :) How are the letters discriminated from each other as a bulk versus a possible real one? To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Feb 14 7:57:21 2002 Delivered-To: freebsd-security@freebsd.org Received: from NTMAIL.avint.net (ntmail.avint.net [198.165.75.239]) by hub.freebsd.org (Postfix) with ESMTP id 0B74B37B405 for ; Thu, 14 Feb 2002 07:57:18 -0800 (PST) Received: from hercules.avint.net ([198.165.75.7]) by NTMAIL.avint.net (Post.Office MTA v3.5.3 release 223 ID# 0-52622U2500L250S0V35) with SMTP id net for ; Thu, 14 Feb 2002 12:25:35 -03-3 
From: Graham Rose Reply-To: graham@infotechcanada.com Organization: Avalon InterConnect & Infotech Canada To: freebsd-security@freebsd.org Subject: Re: sendmail ; bogus letters Date: Thu, 14 Feb 2002 13:35:16 -0330 X-Mailer: KMail [version 1.0.28] Content-Type: text/plain References: In-Reply-To: MIME-Version: 1.0 Message-Id: <02021413401002.02159@hercules.avint.net> Content-Transfer-Encoding: 8bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Add entries for the Open Relay Database (www.ordb.org & www.ordb.org/faq/#sendmail) and spamcop.net (www.spamcop.net) Configuring your mail server to use these lists of known spammers will block most spam. I've noticed a 10 fold decrease on my mail server, with thousands of spam blocked each day. Note: Setup instructions vary depending on the version of sendmail you run. See above urls for details. -- Graham Rose Network Administrator Avalon InterConnect & Infotech Canada graham@infotechcanada.com graham@avint.net http://www.avint.net http://www.infotechcanada.com On Thu, 14 Feb 2002, Dave wrote: > Some of my accounts are getting some spam (what else is new on the > internet?). However, the "from" addresses of these letters are not even > valid (as is with a lot of spam). In a couple of cases they are, but I > question the letter actually came from the sender listed. > > Is there something I can do in the sendmail.cf file or other configuration > change to drop these kinds of letters? Other solutions? > > I've thought of denying messages from free mail sites, but I imagine some > spam is from elsewhere. I would think it is possible to ditch bulkmail, I > know that yahoo.com has a bulkmail folder -- and I heard yahoo runs > FreeBSD too :) How are the letters discriminated from eachother as a bulk > versus a possible real one? 
> > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Feb 14 8: 4:43 2002 Delivered-To: freebsd-security@freebsd.org Received: from sneakerz.org (sneakerz.org [216.33.66.254]) by hub.freebsd.org (Postfix) with ESMTP id 669BC37B416; Thu, 14 Feb 2002 08:04:39 -0800 (PST) Received: by sneakerz.org (Postfix, from userid 1023) id BF77B5D006; Thu, 14 Feb 2002 10:04:33 -0600 (CST) Date: Thu, 14 Feb 2002 10:04:33 -0600 
From: Maxime Henrion To: freebsd-security@freebsd.org Cc: "Jacques A. Vidrine" Subject: Re: FreeBSD 4.5 syncache problem Message-ID: <20020214100433.A58903@sneakerz.org> References: <20020214073111.C26590@sneakerz.org> <20020214073707.D26590@sneakerz.org> <20020214155945.GB422@shade.nectar.cc> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5.1i In-Reply-To: <20020214155945.GB422@shade.nectar.cc>; from nectar@FreeBSD.org on Thu, Feb 14, 2002 at 09:59:46AM -0600 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Jacques A. Vidrine (nectar@FreeBSD.org) wrote: > On Thu, Feb 14, 2002 at 07:37:07AM -0600, Maxime Henrion wrote: > > Maxime Henrion (mux@sneakerz.org) wrote: > > > kurnik@kurnik.pl (kurnik@kurnik.pl) wrote: > > > > Hi! > > > > > > > > I'd like to migrate my Linux powered server to FreeBSD 4.5 but there's > > > > a critical syncache related bug that makes it easy to remotely cause > > > > kernel panic on any server running FreeBSD 4.5. > > > > (more on this bug at www.freebsd.org/cgi/query-pr.cgi?pr=kern/34658) > > > > > > Could you probide a way to reliable reproduce it ? I'm sure this would > > > help a lot getting this bug fixed, since it's not mentioned in the PR. > > > > Please discard my mail, it really looks like this is fixed in rev1.11 of > > tcp_syncache.c. > > Hello Maxime, > > Can you confirm: > After applying rev 1.11 of tcp_syncache.c to your 4.5-RELEASE system, > your issue was resolved? > > I'd like to MFC this revision, but I wanted to be sure that it worked > for you on a real system. Sorry for the confusion, but I was replying to myself here :-) The person who experienced the syncache panic is kurnik@kurnik.pl. 
Maxime Henrion To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Feb 14 8:16:13 2002 Delivered-To: freebsd-security@freebsd.org Received: from whale.sunbay.crimea.ua (whale.sunbay.crimea.ua [212.110.138.65]) by hub.freebsd.org (Postfix) with ESMTP id CDE8637B405; Thu, 14 Feb 2002 08:15:57 -0800 (PST) Received: (from ru@localhost) by whale.sunbay.crimea.ua (8.11.6/8.11.2) id g1EGFRl99216; Thu, 14 Feb 2002 18:15:27 +0200 (EET) (envelope-from ru) Date: Thu, 14 Feb 2002 18:15:27 +0200 
From: Ruslan Ermilov To: Maxime Henrion Cc: freebsd-security@FreeBSD.ORG, "Jacques A. Vidrine" Subject: Re: FreeBSD 4.5 syncache problem Message-ID: <20020214181527.B92824@sunbay.com> References: <20020214073111.C26590@sneakerz.org> <20020214073707.D26590@sneakerz.org> <20020214155945.GB422@shade.nectar.cc> <20020214100433.A58903@sneakerz.org> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20020214100433.A58903@sneakerz.org> User-Agent: Mutt/1.3.23i Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Thu, Feb 14, 2002 at 10:04:33AM -0600, Maxime Henrion wrote: > Jacques A. Vidrine (nectar@FreeBSD.org) wrote: > > On Thu, Feb 14, 2002 at 07:37:07AM -0600, Maxime Henrion wrote: > > > Maxime Henrion (mux@sneakerz.org) wrote: > > > > kurnik@kurnik.pl (kurnik@kurnik.pl) wrote: > > > > > Hi! > > > > > > > > > > I'd like to migrate my Linux powered server to FreeBSD 4.5 but there's > > > > > a critical syncache related bug that makes it easy to remotely cause > > > > > kernel panic on any server running FreeBSD 4.5. > > > > > (more on this bug at www.freebsd.org/cgi/query-pr.cgi?pr=kern/34658) > > > > > > > > Could you probide a way to reliable reproduce it ? I'm sure this would > > > > help a lot getting this bug fixed, since it's not mentioned in the PR. > > > > > > Please discard my mail, it really looks like this is fixed in rev1.11 of > > > tcp_syncache.c. > > > > Hello Maxime, > > > > Can you confirm: > > After applying rev 1.11 of tcp_syncache.c to your 4.5-RELEASE system, > > your issue was resolved? > > > > I'd like to MFC this revision, but I wanted to be sure that it worked > > for you on a real system. > > Sorry for the confusion, but I was replying to myself here :-) The person > who experienced the syncache panic is kurnik@kurnik.pl. 
> I think just MFC'ing this revision might not fix the problem. Jonathan posted a patch along these lines (the second hunk): Index: tcp_syncache.c =================================================================== RCS file: /home/ncvs/src/sys/netinet/tcp_syncache.c,v retrieving revision 1.5.2.4 diff -u -p -r1.5.2.4 tcp_syncache.c --- tcp_syncache.c 2002/01/24 16:09:08 1.5.2.4 +++ tcp_syncache.c 2002/02/14 16:14:10 @@ -839,6 +839,11 @@ syncache_add(inc, to, th, sop, m) */ if (sc->sc_flags & SCF_TIMESTAMP) sc->sc_tsrecent = to->to_tsval; + /* + * PCB may have changed, pick up new values. + */ + sc->sc_tp = tp; + sc->sc_inp_gencnt = tp->t_inpcb->inp_gencnt; if (syncache_respond(sc, m) == 0) { s = splnet(); TAILQ_REMOVE(&tcp_syncache.timerq[sc->sc_rxtslot], @@ -1314,6 +1319,7 @@ syncookie_lookup(inc, th, so) * Fill in the syncache values. * XXX duplicate code from syncache_add */ + sc->sc_tp = sototcpcb(so); sc->sc_ipopts = NULL; sc->sc_inc.inc_fport = inc->inc_fport; sc->sc_inc.inc_lport = inc->inc_lport; Cheers, -- Ruslan Ermilov Sysadmin and DBA, ru@sunbay.com Sunbay Software AG, ru@FreeBSD.org FreeBSD committer, +380.652.512.251 Simferopol, Ukraine http://www.FreeBSD.org The Power To Serve http://www.oracle.com Enabling The Information Age To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Feb 14 9:19:44 2002 Delivered-To: freebsd-security@freebsd.org Received: from mile.nevermind.kiev.ua (freebsddiary.org.ua [213.186.199.26]) by hub.freebsd.org (Postfix) with ESMTP id 9C79A37B402 for ; Thu, 14 Feb 2002 09:19:38 -0800 (PST) Received: (from never@localhost) by mile.nevermind.kiev.ua (8.11.6/8.11.4) id g1EHJIJ39246; Thu, 14 Feb 2002 19:19:18 +0200 (EET) (envelope-from never) Date: Thu, 14 Feb 2002 19:19:16 +0200 
From: Nevermind To: Nick Cleaton Cc: freebsd-security@FreeBSD.ORG Subject: Re: sharing directories between jails Message-ID: <20020214171916.GA20034@nevermind.kiev.ua> References: <20020213213416.B1027@idefix.local> <20020213213946.E40457@heresy.dreamflow.nl> <20020213214159.F40457@heresy.dreamflow.nl> <20020213221112.A73220@idefix.local> <20020213235248.A312@lt1.cleaton.net> Mime-Version: 1.0 Content-Type: text/plain; charset=koi8-r Content-Disposition: inline In-Reply-To: <20020213235248.A312@lt1.cleaton.net> User-Agent: Mutt/1.3.26i Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Hello, Nick Cleaton! On Wed, Feb 13, 2002 at 11:52:48PM +0000, you wrote: > > how could this solve the issue? Afaik you can not mount a partition into > > different points of the filesystem at the same time. > > > > You can do it with mount_null(8). According to mount_null(8): BUGS THIS FILESYSTEM TYPE IS NOT YET FULLY SUPPORTED (READ: IT DOESN'T WORK) AND USING IT MAY, IN FACT, DESTROY DATA ON YOUR SYSTEM. USE AT YOUR OWN RISK. BEWARE OF DOG. SLIPPERY WHEN WET. This code also needs an owner in order to be less dangerous - serious hackers can apply by sending mail to and announcing their intent to take it over. -- NEVE-RIPE To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Feb 14 10: 3:36 2002 Delivered-To: freebsd-security@freebsd.org Received: from mail.polchat.pl (polchat.pl [213.25.49.1]) by hub.freebsd.org (Postfix) with SMTP id 08ECF37B402 for ; Thu, 14 Feb 2002 10:03:30 -0800 (PST) Received: (qmail 28026 invoked by uid 513); 14 Feb 2002 18:02:33 -0000 Received: from localhost (sendmail-bs@127.0.0.1) by localhost with SMTP; 14 Feb 2002 18:02:33 -0000 Date: Thu, 14 Feb 2002 19:02:33 +0100 (CET) 
From:
X-Sender: kurnik@polchat.pl
To: Ruslan Ermilov
Cc: Maxime Henrion, freebsd-security@FreeBSD.ORG, "Jacques A. Vidrine"
Subject: Re: FreeBSD 4.5 syncache problem
In-Reply-To: <20020214181527.B92824@sunbay.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

On Thu, 14 Feb 2002, Ruslan Ermilov wrote:
> On Thu, Feb 14, 2002 at 10:04:33AM -0600, Maxime Henrion wrote:
> > Jacques A. Vidrine (nectar@FreeBSD.org) wrote:
> > > On Thu, Feb 14, 2002 at 07:37:07AM -0600, Maxime Henrion wrote:
> > > > Maxime Henrion (mux@sneakerz.org) wrote:
> > > > > kurnik@kurnik.pl (kurnik@kurnik.pl) wrote:
> > > > > > Hi!
> > > > > >
> > > > > > I'd like to migrate my Linux powered server to FreeBSD 4.5 but there's
> > > > > > a critical syncache related bug that makes it easy to remotely cause
> > > > > > kernel panic on any server running FreeBSD 4.5.
> > > > > > (more on this bug at www.freebsd.org/cgi/query-pr.cgi?pr=kern/34658)
> > > > >
> > > > > Could you provide a way to reliably reproduce it ? I'm sure this would
> > > > > help a lot getting this bug fixed, since it's not mentioned in the PR.
> > > >
> > > > Please discard my mail, it really looks like this is fixed in rev1.11 of
> > > > tcp_syncache.c.
> > >
> > > Hello Maxime,
> > >
> > > Can you confirm:
> > > After applying rev 1.11 of tcp_syncache.c to your 4.5-RELEASE system,
> > > your issue was resolved?
> > >
> > > I'd like to MFC this revision, but I wanted to be sure that it worked
> > > for you on a real system.
> >
> > Sorry for the confusion, but I was replying to myself here :-) The person
> > who experienced the syncache panic is kurnik@kurnik.pl.
> >
> I think just MFC'ing this revision might not fix the problem.
> Jonathan posted a patch along these lines (the second hunk): > > Index: tcp_syncache.c > =================================================================== > RCS file: /home/ncvs/src/sys/netinet/tcp_syncache.c,v > retrieving revision 1.5.2.4 > diff -u -p -r1.5.2.4 tcp_syncache.c > --- tcp_syncache.c 2002/01/24 16:09:08 1.5.2.4 > +++ tcp_syncache.c 2002/02/14 16:14:10 > @@ -839,6 +839,11 @@ syncache_add(inc, to, th, sop, m) > */ > if (sc->sc_flags & SCF_TIMESTAMP) > sc->sc_tsrecent = to->to_tsval; > + /* > + * PCB may have changed, pick up new values. > + */ > + sc->sc_tp = tp; > + sc->sc_inp_gencnt = tp->t_inpcb->inp_gencnt; > if (syncache_respond(sc, m) == 0) { > s = splnet(); > TAILQ_REMOVE(&tcp_syncache.timerq[sc->sc_rxtslot], 
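Review bot: the added sc->sc_inp_gencnt = tp->t_inpcb->inp_gencnt; in syncache_add() dereferences tp and tp->t_inpcb with no check visible in this hunk, on a path whose own comment says the PCB "may have changed". Please confirm that tp is always a live tcpcb with a non-NULL t_inpcb when this branch runs, and expand the comment to say what can change the PCB for an entry that is already in the cache, since "pick up new values" does not tell the next reader why a stale sc_tp matters.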
> @@ -1314,6 +1319,7 @@ syncookie_lookup(inc, th, so) > * Fill in the syncache values. > * XXX duplicate code from syncache_add > */ > + sc->sc_tp = sototcpcb(so); > sc->sc_ipopts = NULL; > sc->sc_inc.inc_fport = inc->inc_fport; > sc->sc_inc.inc_lport = inc->inc_lport; I've got a patch from the guy who submitted this bug (Alan Judge) but it (the patch) only added one line of code [ sc->sc_tp = sototcpcb(so) ] to tcp_syncache.c and it solved the problem for me. I'll try the above patch and the one posted later and if something goes wrong, I'll tell you (otherwise assume everything went OK) cheers, Marek Futrega -- KURNIK! -- gry sieciowe warte swieczki :) http://www.kurnik.pl/ To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Feb 14 13:42:56 2002 Delivered-To: freebsd-security@freebsd.org Received: from Mail.Math.Princeton.EDU (mail.math.Princeton.EDU [128.112.18.14]) by hub.freebsd.org (Postfix) with ESMTP id 083A937B404 for ; Thu, 14 Feb 2002 13:42:53 -0800 (PST) Received: from fine1008.math.princeton.edu (IDENT:root@fine1008.math.princeton.edu [128.112.16.123]) by Mail.Math.Princeton.EDU (8.11.6/8.11.6) with ESMTP id g1ELgmF29932; Thu, 14 Feb 2002 16:42:48 -0500 Received: from fine1008.math.princeton.edu (stalker@localhost) by fine1008.math.princeton.edu (8.11.6/8.11.6) with ESMTP id g1ELgmF07423; Thu, 14 Feb 2002 16:42:48 -0500 Message-Id: <200202142142.g1ELgmF07423@fine1008.math.princeton.edu> To: Dave Cc: freebsd-security@FreeBSD.ORG Subject: Re: sendmail ; bogus letters In-reply-to: References: Comments: In-reply-to Dave message dated "Thu, 14 Feb 2002 07:52:35 -0800." Date: Thu, 14 Feb 2002 16:42:48 -0500 
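Review bot: in the syncookie_lookup() hunk (@@ -1314,6 +1319,7 @@) of the tcp_syncache.c patch quoted above, sc->sc_tp is set from sototcpcb(so) but sc->sc_inp_gencnt is not, whereas the syncache_add() hunk of the same patch updates the two together. If the generation count is what later validates sc_tp, this path should set it as well, or carry a comment saying why it is not needed here. The "XXX duplicate code from syncache_add" marker directly above the new line also suggests moving the fill-in into one shared helper so the two sites cannot drift apart.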
From: John Stalker
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

procmail is what you want. see http://www.onlamp.com/pub/a/bsd/2002/01/10/FreeBSD_Basics.html for details.

>
> Some of my accounts are getting some spam (what else is new on the
> internet?). However, the "from" addresses of these letters are not even
> valid (as is with a lot of spam). In a couple of cases they are, but I
> question the letter actually came from the sender listed.
>
> Is there something I can do in the sendmail.cf file or other configuration
> change to drop these kinds of letters? Other solutions?
>
> I've thought of denying messages from free mail sites, but I imagine some
> spam is from elsewhere. I would think it is possible to ditch bulkmail, I
> know that yahoo.com has a bulkmail folder -- and I heard yahoo runs
> FreeBSD too :) How are the letters discriminated from each other as a bulk
> versus a possible real one?
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message

--
John Stalker
Department of Mathematics
Princeton University
(609)258-6469

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Thu Feb 14 14:12:19 2002
Delivered-To: freebsd-security@freebsd.org
Received: from giganda.komkon.org (giganda.komkon.org [63.167.241.66]) by hub.freebsd.org (Postfix) with ESMTP id 179F437B47E for ; Thu, 14 Feb 2002 14:12:06 -0800 (PST)
Received: (from str@localhost) by giganda.komkon.org (8.11.3/8.11.3) id g1EMC4p25832; Thu, 14 Feb 2002 17:12:04 -0500 (EST) (envelope-from str)
Date: Thu, 14 Feb 2002 17:12:04 -0500 (EST)
From: Igor Roshchin Message-Id: <200202142212.g1EMC4p25832@giganda.komkon.org> To: graham@infotechcanada.com Subject: Re: sendmail ; bogus letters Cc: security@freebsd.org In-Reply-To: <02021413401002.02159@hercules.avint.net> Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org > From owner-freebsd-security@FreeBSD.ORG Thu Feb 14 10:57:40 2002 > From: Graham Rose > To: freebsd-security@FreeBSD.ORG > Subject: Re: sendmail ; bogus letters > Date: Thu, 14 Feb 2002 13:35:16 -0330 > > Add entries for the Open Relay Database (www.ordb.org & > www.ordb.org/faq/#sendmail) and spamcop.net (www.spamcop.net) > Configuring your mail server to use these lists of known spammers will block > most spam. I've noticed a 10 fold decrease on my mail server, with thousands of > spam blocked each day. > Note: Setup instructions vary depending on the version of sendmail you run. See > above urls for details. > Personally, I would advise to use spamcop with great _caution_! Apparently, according to them, they do not do any checking on the addresses submitted. With all great intentions, I believe, that defeats the purpose. See responses from spamcop.net below. Igor > From appeals@spamcop.net Sat Dec 1 14:43:20 2001 > Date: Sat, 1 Dec 2001 14:43:01 -0500 (EST) 
> From: SpamCop Deputy > To: str@giganda.komkon.org > Subject: Re: You have erroneous listings in your DB > > There is no review at all. SpamCop is a totally automatic system that handles some 70,000 complaints a day. > > - Don - > > > - Original Email - > Dear Merin, > > Thank you for your quick response. > > Could you please clarify one question: > When the complaints are filed, what type of checking is done > (besides probably relay tests) ? > > If no checking is done, how can one be sure it was a spam, > and not a legitimate message, or even a message made up as a revenge, > or simply a message reported as a SPAM by a mistake ? > > If I forwarded, say your message, to the spam reporting address @spamcop.net, > would it be filed and spamcop.net be listed as a spam source ? :-) > (Well I assume, all *.spamcop.net hosts would be automatically unlisted in > this case :) ) > > Regards, > > > Igor Roshchin > System Administrator > KomKon Sites > > > > From appeals@spamcop.net Thu Nov 29 17:02:51 2001 > > Date: Thu, 29 Nov 2001 17:02:50 -0500 (EST) 
> > From: SpamCop Deputy > > To: str@giganda.komkon.org > > Subject: Re: You have erroneous listings in your DB > > > > IP addresses are added to the blacklist when complaints are filed. Obviously, this is a very draconian and heavy handed means of blocking email, so it is not right for everyone. We appreciate your comments and perhaps someday the filtering system will be more refined and to your liking. > > > > Merin, SpamCop deputy > > > > - Original Email - > > > > Hello! > > > > First of all, note, that I am not associated with any Genuity Inc. > > > > We were very glad to see a service provided by SpamCops, > > with very good intentions from your side, and rather good database of > > spam relays and sources. > > We tried to use BL.spamcop.net but were very disappointed > > by the number of erroneous results. > > > > A good example is > > http://spamcop.net/w3m?action=checkblock&ip=4.2.130.16 > > > > > > All what you have on file is responses to the e-mails > > sent abuse@genuity.net (or other abuse@ other Genuity's addresses). > > > > It is not SPAM, and this makes one wonder what logic is used > > by you to include there as a SPAM without proper checking being done. > > > > There are more of similar "wrongful" inclusions, but that's not the point. > > There is some fault in the logic of inclusion mechanism. > > > > We may reconsider our decision in the future, if we see more proper > > checking of SpamCops before inclusion in the database, > > but at this moment we decided not to use your service. 
> > > > Best regards, > > > > > > Igor Roshchin > > System Administrator > > KomKon Sites > > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Feb 14 15:58:43 2002 Delivered-To: freebsd-security@freebsd.org Received: from rwcrmhc53.attbi.com (rwcrmhc53.attbi.com [204.127.198.39]) by hub.freebsd.org (Postfix) with ESMTP id 5326737B402 for ; Thu, 14 Feb 2002 15:58:39 -0800 (PST) Received: from blossom.cjclark.org ([12.234.91.48]) by rwcrmhc53.attbi.com (InterMail vM.4.01.03.27 201-229-121-127-20010626) with ESMTP id <20020214235838.OABQ2951.rwcrmhc53.attbi.com@blossom.cjclark.org>; Thu, 14 Feb 2002 23:58:38 +0000 Received: (from cjc@localhost) by blossom.cjclark.org (8.11.6/8.11.6) id g1ENwco37324; Thu, 14 Feb 2002 15:58:38 -0800 (PST) (envelope-from cjc) Date: Thu, 14 Feb 2002 15:58:38 -0800 
From: "Crist J. Clark" To: Jim Durham Cc: freebsd-security@FreeBSD.ORG Subject: Re: Jail question Message-ID: <20020214155838.E36782@blossom.cjclark.org> References: Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: ; from durham@w2xo.pgh.pa.us on Thu, Feb 14, 2002 at 02:35:47PM +0000 X-URL: http://people.freebsd.org/~cjc/ Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Thu, Feb 14, 2002 at 02:35:47PM +0000, Jim Durham wrote: > I just recently discovered jail and started reading the > material by phk on how it works. > > Ok, you can have a general over-all supervisory root account and > you can have a root account in each jail. > > Let's say you make a jail for each department in a company. > Suppose you have a situation where you have certain users who > are not capable of system administration, but, they are supervisors > who need to be able to read and modify files in all the jails, but > not modify system config files, etc owned by the jail root account. > > How could you accomplish this? That's not what jail(8)s are really for. I think you just need to look at group(5) ownership of files. -- Crist J. Clark | cjclark@alum.mit.edu | cjclark@jhu.edu http://people.freebsd.org/~cjc/ | cjc@freebsd.org To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Feb 14 16: 1:44 2002 Delivered-To: freebsd-security@freebsd.org Received: from peitho.fxp.org (peitho.fxp.org [209.26.95.40]) by hub.freebsd.org (Postfix) with ESMTP id 93BDC37B400 for ; Thu, 14 Feb 2002 16:01:27 -0800 (PST) Received: by peitho.fxp.org (Postfix, from userid 1501) id A9A8113667; Thu, 14 Feb 2002 19:01:21 -0500 (EST) Date: Thu, 14 Feb 2002 19:01:21 -0500 
From: Chris Faulhaber
To: Jim Durham
Cc: freebsd-security@freebsd.org
Subject: Re: Jail question
Message-ID: <20020215000121.GA48563@peitho.fxp.org>
Mail-Followup-To: Chris Faulhaber, Jim Durham, freebsd-security@freebsd.org
References:
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="u3/rZRmxL6MmkK24"
Content-Disposition: inline
In-Reply-To:
User-Agent: Mutt/1.3.24i
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

On Thu, Feb 14, 2002 at 02:35:47PM +0000, Jim Durham wrote:
> I just recently discovered jail and started reading the
> material by phk on how it works.
>
> Ok, you can have a general over-all supervisory root account and
> you can have a root account in each jail.
>
> Let's say you make a jail for each department in a company.
> Suppose you have a situation where you have certain users who
> are not capable of system administration, but, they are supervisors
> who need to be able to read and modify files in all the jails, but
> not modify system config files, etc owned by the jail root account.
>
> How could you accomplish this?
>

You can wait until 5.0 is released which has support for filesystem
ACLs allowing finer-grained access control for files :)

--
Chris D. Faulhaber - jedgar@fxp.org - jedgar@FreeBSD.org
--------------------------------------------------------
FreeBSD: The Power To Serve - http://www.FreeBSD.org

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Thu Feb 14 19:54:37 2002
Delivered-To: freebsd-security@freebsd.org
Received: from w2xo.pgh.pa.us (18.gibs5.xdsl.nauticom.net [209.195.184.19]) by hub.freebsd.org (Postfix) with ESMTP id 723B837B421; Thu, 14 Feb 2002 19:54:15 -0800 (PST)
Received: from there (dhcp14.int [192.168.5.14]) by w2xo.pgh.pa.us (8.11.6/8.11.3) with SMTP id g1F3sEl61611; Fri, 15 Feb 2002 03:54:14 GMT (envelope-from durham@jcdurham.com)
Message-Id: <200202150354.g1F3sEl61611@w2xo.pgh.pa.us>
Content-Type: text/plain; charset="iso-8859-1"
From: Jim Durham
Reply-To: durham@jcdurham.com
To: "Crist J. Clark", Jim Durham
Subject: Re: Jail question
Date: Thu, 14 Feb 2002 22:54:08 -0500
X-Mailer: KMail [version 1.3]
Cc: freebsd-security@FreeBSD.ORG
References: <20020214155838.E36782@blossom.cjclark.org>
In-Reply-To: <20020214155838.E36782@blossom.cjclark.org>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

On Thursday 14 February 2002 06:58 pm, Crist J. Clark wrote:
> On Thu, Feb 14, 2002 at 02:35:47PM +0000, Jim Durham wrote:
> > I just recently discovered jail and started reading the
> > material by phk on how it works.
> >
> > Ok, you can have a general over-all supervisory root account and
> > you can have a root account in each jail.
> >
> > Let's say you make a jail for each department in a company.
> > Suppose you have a situation where you have certain users who
> > are not capable of system administration, but, they are supervisors
> > who need to be able to read and modify files in all the jails, but
> > not modify system config files, etc owned by the jail root account.
> >
> > How could you accomplish this?
>
> That's not what jail(8)s are really for. I think you just need to look
> at group(5) ownership of files.

Already doing that. It's not really flexible enough but I live with it.

Thanks

-Jim

The jail idea was just a

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Thu Feb 14 20: 6:52 2002
Delivered-To: freebsd-security@freebsd.org
Received: from w2xo.pgh.pa.us (18.gibs5.xdsl.nauticom.net [209.195.184.19]) by hub.freebsd.org (Postfix) with ESMTP id EF0D637B41A for ; Thu, 14 Feb 2002 20:06:49 -0800 (PST)
Received: from there (dhcp14.int [192.168.5.14]) by w2xo.pgh.pa.us (8.11.6/8.11.3) with SMTP id g1F46kl64701; Fri, 15 Feb 2002 04:06:46 GMT (envelope-from durham@jcdurham.com)
Message-Id: <200202150406.g1F46kl64701@w2xo.pgh.pa.us>
Content-Type: text/plain; charset="iso-8859-1"
From: Jim Durham Reply-To: durham@jcdurham.com To: Chris Faulhaber , Jim Durham Subject: Re: Jail question Date: Thu, 14 Feb 2002 23:06:40 -0500 X-Mailer: KMail [version 1.3] Cc: freebsd-security@freebsd.org References: <20020215000121.GA48563@peitho.fxp.org> In-Reply-To: <20020215000121.GA48563@peitho.fxp.org> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Thursday 14 February 2002 07:01 pm, Chris Faulhaber wrote: > On Thu, Feb 14, 2002 at 02:35:47PM +0000, Jim Durham wrote: > > I just recently discovered jail and started reading the > > material by phk on how it works. > > > > Ok, you can have a general over-all supervisory root account and > > you can have a root account in each jail. > > > > Let's say you make a jail for each department in a company. > > Suppose you have a situation where you have certain users who > > are not capable of system administration, but, they are supervisors > > who need to be able to read and modify files in all the jails, but > > not modify system config files, etc owned by the jail root account. > > > > How could you accomplish this? > > You can wait until 5.0 is released which has support for filesystem > ACLs allowing finer-grained access control for files :) That sounds like a good answer. I would assume that one could just make everything that is not actually a part of the "real system" part of a jail and apply the ACLs to limit access, thereby protecting the kernel, /etc, /var and so forth from users or intruders? 
-Jim To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
From owner-freebsd-security Thu Feb 14 23: 6:16 2002 Delivered-To: freebsd-security@freebsd.org Received: from ns1.mgul.ac.ru (ns1.mgul.ac.ru [193.233.63.19]) by hub.freebsd.org (Postfix) with ESMTP id 86EA737B404 for ; Thu, 14 Feb 2002 23:06:12 -0800 (PST) Received: from ns2.mgul.ac.ru (ns2.mgul.ac.ru [193.233.63.17]) by ns1.mgul.ac.ru (8.12.2/8.12.2) with ESMTP id g1F768k1075352; Fri, 15 Feb 2002 10:06:09 +0300 (MSK) Date: Fri, 15 Feb 2002 10:06:08 +0300
From: "Andrey V. Pevnev" X-Mailer: The Bat! (v1.53d) Personal Reply-To: "Andrey V. Pevnev" Organization: MSFU X-Priority: 3 (Normal) Message-ID: <15-671876387.20020215100608@mgul.ac.ru> To: Dave Cc: freebsd-security@FreeBSD.ORG Subject: Re: sendmail ; bogus letters In-Reply-To: References: MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

Hello Dave,

Thursday, February 14, 2002, 6:52:35 PM, you wrote:

D> Is there something I can do in the sendmail.cf file or other configuration
D> change to drop these kinds of letters? Other solutions?

I suggest you use procmail + SpamAssassin; see /usr/ports/mail/p5-Mail-SpamAssassin

It works great for me!

--
Best regards, MSFU LAN Admin Andrey mailto:andrey@mgul.ac.ru http://www.mgul.ac.ru/~andrey AVP30-RIPE

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Fri Feb 15 3:26: 7 2002 Delivered-To: freebsd-security@freebsd.org Received: from snmail.softnet.ro (snmail.SoftNet.ro [193.231.173.3]) by hub.freebsd.org (Postfix) with ESMTP id 3670737B404 for ; Fri, 15 Feb 2002 03:26:02 -0800 (PST) Received: from softnet.ro ([193.231.173.125]) by snmail.softnet.ro (Lotus Domino Release 5.0.5) with ESMTP id 2002021513282796:4441 ; Fri, 15 Feb 2002 13:28:27 +0200 Message-ID: <34D202FA.DFE01747@softnet.ro> Date: Fri, 30 Jan 1998 18:42:34 +0200
From: Florin MANAILA Organization: SoftNet Services X-Mailer: Mozilla 4.76 [en] (X11; U; FreeBSD 4.3-RELEASE i386) X-Accept-Language: en MIME-Version: 1.0 To: BSD Subject: Filtering URL X-MIMETrack: Itemize by SMTP Server on server1/softnet(Release 5.0.5 |September 22, 2000) at 02/15/2002 01:28:28 PM, Serialize by Router on server1/softnet(Release 5.0.5 |September 22, 2000) at 02/15/2002 01:28:36 PM, Serialize complete at 02/15/2002 01:28:36 PM Content-Transfer-Encoding: 7bit Content-Type: text/plain; charset=us-ascii Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

Hi all,

I wonder if it is possible to filter URLs with FreeBSD, and if it is possible, with what program?

Best regards,

Florin

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Fri Feb 15 3:32:18 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx.novosoft.ru (mx.novosoft.ru [194.149.225.80]) by hub.freebsd.org (Postfix) with ESMTP id CEA1F37B400 for ; Fri, 15 Feb 2002 03:32:11 -0800 (PST) Received: (from root@localhost) by mx.novosoft.ru (8.11.6/8.11.6) id g1FBW8H68889 for freebsd-security@FreeBSD.ORG.KAV; Fri, 15 Feb 2002 17:32:08 +0600 (NOVT) (envelope-from romaha@eoffice.ru) Received: from fs.novosoft.ru (fs.novosoft.ru [194.149.225.6]) by mx.novosoft.ru (8.11.6/8.11.6) with ESMTP id g1FBW4j68879 for ; Fri, 15 Feb 2002 17:32:08 +0600 (NOVT) (envelope-from romaha@eoffice.ru) Received: by fs.novosoft.ru with Internet Mail Service (5.5.2653.19) id <1Z2Z1PH3>; Fri, 15 Feb 2002 17:32:04 +0600 Message-ID:
From: Roman Zabolotnikov To: BSD Subject: RE: Filtering URL Date: Fri, 15 Feb 2002 17:31:54 +0600 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2653.19) Content-Type: text/plain Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

Hi. You can easily filter any URL with the squid proxy server. You only need to write something like this
___________
acl porn url_regex "/usr/local/squid/etc/porn.txt"
.....
http_access deny porn
___________

And write the URLs you need to filter in the file /usr/local/squid/etc/porn.txt

> -----Original Message-----
> From: Florin MANAILA [mailto:florin.manaila@softnet.ro]
> Sent: Friday, January 30, 1998 10:43 PM
> To: BSD
> Subject: Filtering URL
>
>
> Hi all,
>
> I wonder if it is possible to filter URLs with FreeBSD, and if
> it is possible, with what program?
>
> Best regards,
>
> Florin
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
>
>

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Fri Feb 15 4:37: 7 2002 Delivered-To: freebsd-security@freebsd.org Received: from pc1-dale5-0-cust136.not.cable.ntl.com (pc1-dale5-0-cust136.not.cable.ntl.com [80.1.76.136]) by hub.freebsd.org (Postfix) with SMTP id 4FF5F37B404 for ; Fri, 15 Feb 2002 04:37:00 -0800 (PST) Received: (qmail 13770 invoked from network); 15 Feb 2002 12:36:55 -0000 Received: from localhost (HELO matt.thebigchoice.com) (127.0.0.1) by localhost with SMTP; 15 Feb 2002 12:36:55 -0000 Date: Fri, 15 Feb 2002 12:36:55 +0000
From: Matt H To: freebsd-security@FreeBSD.ORG Cc: freebsd-questions@FreeBSD.ORG Subject: Re: Filtering URL Message-Id: <20020215123655.43100bfa.freebsd-questions@cuntbubble.com> In-Reply-To: References: X-Mailer: Sylpheed version 0.7.1 (GTK+ 1.2.10; i386--freebsd4.4) Mime-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

On Fri, 15 Feb 2002 17:31:54 +0600 "Roman Zabolotnikov"

> Hi. You can easily filter any URL with the squid proxy server. You only need
> to write something like this
> ___________
> acl porn url_regex "/usr/local/squid/etc/porn.txt"
> .....
> http_access deny porn
> ___________
>
> And write the URLs you need to filter in the file
> /usr/local/squid/etc/porn.txt

sorry to be too lazy to find out all by myself but is there a known way of re-writing the outgoing uri requests with squid (or any other mechanism)

Currently I use /etc/hosts to not just block but replace ads so that instead of banner ads I get pretty pictures

of course it's a pain sometimes to re-create folder hierarchies and the like, I know I could use scripts on the webserver (ads are different sizes) but I would really prefer to modify outgoing URI requests via one machine on the lan (so my fellow incumbents and their windows can have the pretty pictures too)

tia

matt

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Fri Feb 15 4:44:27 2002 Delivered-To: freebsd-security@freebsd.org Received: from relay3-gui.server.ntli.net (relay3-gui.server.ntli.net [194.168.4.200]) by hub.freebsd.org (Postfix) with ESMTP id AF69B37B400 for ; Fri, 15 Feb 2002 04:44:23 -0800 (PST) Received: from pc4-card4-0-cust162.cdf.cable.ntl.com ([80.4.14.162] helo=rhadamanth.private.submonkey.net ident=mailnull) by
relay3-gui.server.ntli.net with esmtp (Exim 3.03 #2) id 16bhiq-00010c-00; Fri, 15 Feb 2002 12:44:16 +0000 Received: from setantae by rhadamanth.private.submonkey.net with local (Exim 3.34 #1) id 16bhiq-000EWy-00; Fri, 15 Feb 2002 12:44:16 +0000 Date: Fri, 15 Feb 2002 12:44:16 +0000 From: Ceri To: Florin MANAILA Cc: BSD Subject: Re: Filtering URL Message-ID: <20020215124416.GA55737@rhadamanth> References: <34D202FA.DFE01747@softnet.ro> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <34D202FA.DFE01747@softnet.ro> User-Agent: Mutt/1.3.27i Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

On Fri, Jan 30, 1998 at 06:42:34PM +0200, Florin MANAILA wrote:
> Hi all,
>
> I wonder if it is possible to filter URLs with FreeBSD, and if it is possible,
> with what program?

Others have suggested squid, which is a good option.

You are going to have major problems unless you fix your clock though.

Ceri

--
keep a mild groove on

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Fri Feb 15 4:47: 2 2002 Delivered-To: freebsd-security@freebsd.org Received: from shikima.mine.nu (pc1-card4-0-cust77.cdf.cable.ntl.com [62.252.49.77]) by hub.freebsd.org (Postfix) with ESMTP id 5AF1737B402 for ; Fri, 15 Feb 2002 04:46:55 -0800 (PST) Received: from rasputin by shikima.mine.nu with local (Exim 3.33 #1) id 16bhlN-000Dss-00; Fri, 15 Feb 2002 12:46:53 +0000 Date: Fri, 15 Feb 2002 12:46:53 +0000
From: Rasputin To: Matt H Cc: security@freebsd.org Subject: Re: Filtering URL Message-ID: <20020215124653.A51897@shikima.mine.nu> Reply-To: Rasputin References: <20020215123655.43100bfa.freebsd-questions@cuntbubble.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5.1i In-Reply-To: <20020215123655.43100bfa.freebsd-questions@cuntbubble.com>; from freebsd-questions@cuntbubble.com on Fri, Feb 15, 2002 at 12:36:55PM +0000 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

* Matt H [020215 12:45]:
> On Fri, 15 Feb 2002 17:31:54 +0600
> "Roman Zabolotnikov"
>
> > Hi. You can easily filter any URL with the squid proxy server. You only need
> > to write something like this
> > ___________
> > acl porn url_regex "/usr/local/squid/etc/porn.txt"
> > .....
> > http_access deny porn
> > ___________
> >
> > And write the URLs you need to filter in the file
> > /usr/local/squid/etc/porn.txt
>
> sorry to be too lazy to find out all by myself but is there a known way
> of re-writing the outgoing uri requests with squid (or any other
> mechanism)
>
> Currently I use /etc/hosts to not just block but replace ads so that
> instead of banner ads I get pretty pictures
>
> of course it's a pain sometimes to re-create folder hierarchies and the
> like, I know I could use scripts on the webserver (ads are different
> sizes) but I would really prefer to modify outgoing URI requests via one
> machine on the lan (so my fellow incumbents and their windows can have the
> pretty pictures too)

Install adzap from the ports - does the job and then some. Doesn't work too well with perl 5.6, mind.

--
"This is a test of the Emergency Broadcast System. If this had been an actual emergency, do you really think we'd stick around to tell you?"
Rasputin :: Jack of All Trades - Master of Nuns :: To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Feb 15 6:16: 1 2002 Delivered-To: freebsd-security@freebsd.org Received: from mail.etherworx.com (etherworx.com [216.58.72.2]) by hub.freebsd.org (Postfix) with ESMTP id 2FFC537B404 for ; Fri, 15 Feb 2002 06:15:54 -0800 (PST) Received: from twofour (twofour.etherworx.com [10.0.0.78]) by mail.etherworx.com (8.12.1/8.12.1) with SMTP id g1EH9WHi010284 for ; Thu, 14 Feb 2002 12:09:32 -0500 (EST) Message-ID: <002001c1b579$eab38b70$4e00000a@twofour> Reply-To: "William J. Petch" 
From: "William J. Petch" To: References: <02021413401002.02159@hercules.avint.net> Subject: Re: sendmail ; bogus letters Date: Thu, 14 Feb 2002 12:06:16 -0500 Organization: EtherworX, Inc. MIME-Version: 1.0 Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg=SHA1; boundary="----=_NextPart_000_001C_01C1B550.0119E550" X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 6.00.2600.0000 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org This is a multi-part message in MIME format. ------=_NextPart_000_001C_01C1B550.0119E550 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit I have been having a spam problem as well. I use ordb.org to block spam, and have noticed a significant decrease in the amount of spam that comes to my server. The problem I am having is I am only getting bounced spam. (And quite a lot of it too.) The original messages are not being relayed, or even touching my server. I have a couple of excerpts of some email headers here... Our mail server's name is mail.etherworx.com, and our server's class C is 216.58.72.xx. ***** Received: from mail.etherworx.com (210.42.64.33 [210.42.64.33]) by mailsrv.hbeeh.edu.cn with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.1960.3) ***** Received: from mail.etherworx.com (61.129.53.123 [61.129.53.123]) by mail.ecepdi.stn.sh.cn with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.1960.3) ***** These messages are being sent as Mark.Cella@etherlinx.ca (A domain that is hosted on my server.) Clearly, these emails are not being routed through my servers. However, whenever these spam mails bounce, they are coming back to mail.etherworx.com. I have no idea whatsoever as to how I can stop these... Anybody??? William J. 
Petch System Administrator EtherworX, Inc. ----- Original Message ----- 
From: "Graham Rose"
To:
Sent: Thursday, February 14, 2002 12:05 PM
Subject: Re: sendmail ; bogus letters

> Add entries for the Open Relay Database (www.ordb.org &
> www.ordb.org/faq/#sendmail) and spamcop.net (www.spamcop.net)
> Configuring your mail server to use these lists of known spammers will block
> most spam. I've noticed a 10 fold decrease on my mail server, with thousands of
> spam blocked each day.
> Note: Setup instructions vary depending on the version of sendmail you run. See
> above urls for details.
>
> --
> Graham Rose
> Network Administrator
> Avalon InterConnect & Infotech Canada
> graham@infotechcanada.com
> graham@avint.net
> http://www.avint.net
> http://www.infotechcanada.com
>
>
>
> On Thu, 14 Feb 2002, Dave wrote:
> > Some of my accounts are getting some spam (what else is new on the
> > internet?). However, the "from" addresses of these letters are not even
> > valid (as is with a lot of spam). In a couple of cases they are, but I
> > question the letter actually came from the sender listed.
> >
> > Is there something I can do in the sendmail.cf file or other configuration
> > change to drop these kinds of letters? Other solutions?
> >
> > I've thought of denying messages from free mail sites, but I imagine some
> > spam is from elsewhere. I would think it is possible to ditch bulkmail, I
> > know that yahoo.com has a bulkmail folder -- and I heard yahoo runs
> > FreeBSD too :) How are the letters discriminated from each other as a bulk
> > versus a possible real one?
> > > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > > with "unsubscribe freebsd-security" in the body of the message > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message > ------=_NextPart_000_001C_01C1B550.0119E550 Content-Type: application/x-pkcs7-signature; name="smime.p7s" Content-Transfer-Encoding: base64 Content-Disposition: attachment; filename="smime.p7s"
------=_NextPart_000_001C_01C1B550.0119E550-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Feb 15 6:35:41 2002 Delivered-To: freebsd-security@freebsd.org Received: from mohegan.mohawk.net (mohegan.mohawk.net [63.66.68.21]) by hub.freebsd.org (Postfix) with ESMTP id 8647737B402 for ; Fri, 15 Feb 2002 06:35:04 -0800 (PST) Received: from mohegan.mohawk.net (mohegan.mohawk.net [63.66.68.21]) by mohegan.mohawk.net (8.11.4/8.11.3) with ESMTP id g1FEZ0D43721; Fri, 15 Feb 2002 09:35:00 -0500 (EST) Date: Fri, 15 Feb 2002 09:35:00 -0500 (EST)
From: Ralph Huntington To: "William J. Petch" Cc: Subject: sendmail configs NOT a security issue In-Reply-To: <002001c1b579$eab38b70$4e00000a@twofour> Message-ID: <20020215093256.N34185-100000@mohegan.mohawk.net> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Gentlemen, This sendmail discussion is not a security issue; it's not even a FreeBSD issue. Please take it to an appropriate venue, e.g., comp.mail.sendmail Thank you On Thu, 14 Feb 2002, William J. Petch wrote: > I have been having a spam problem as well. I use ordb.org to block spam, > and have noticed a significant decrease in the amount of spam that comes to > my server. > > The problem I am having is I am only getting bounced spam. (And quite a lot > of it too.) The original messages are not being relayed, or even touching > my server. > I have a couple of excerpts of some email headers here... Our mail server's > name is mail.etherworx.com, and our server's class C is 216.58.72.xx. > > ***** > Received: from mail.etherworx.com (210.42.64.33 [210.42.64.33]) by > mailsrv.hbeeh.edu.cn with SMTP (Microsoft Exchange Internet Mail Service > Version 5.5.1960.3) > ***** > Received: from mail.etherworx.com (61.129.53.123 [61.129.53.123]) by > mail.ecepdi.stn.sh.cn with SMTP (Microsoft Exchange Internet Mail Service > Version 5.5.1960.3) > ***** > > These messages are being sent as Mark.Cella@etherlinx.ca (A domain that is > hosted on my server.) > > Clearly, these emails are not being routed through my servers. However, > whenever these spam mails bounce, they are coming back to > mail.etherworx.com. > I have no idea whatsoever as to how I can stop these... > > Anybody??? > > William J. Petch > System Administrator > EtherworX, Inc. > > ----- Original Message ----- 
> From: "Graham Rose"
> To:
> Sent: Thursday, February 14, 2002 12:05 PM
> Subject: Re: sendmail ; bogus letters
>
>
> > Add entries for the Open Relay Database (www.ordb.org &
> > www.ordb.org/faq/#sendmail) and spamcop.net (www.spamcop.net)
> > Configuring your mail server to use these lists of known spammers will block
> > most spam. I've noticed a 10 fold decrease on my mail server, with thousands of
> > spam blocked each day.
> > Note: Setup instructions vary depending on the version of sendmail you run. See
> > above urls for details.
> >
> > --
> > Graham Rose
> > Network Administrator
> > Avalon InterConnect & Infotech Canada
> > graham@infotechcanada.com
> > graham@avint.net
> > http://www.avint.net
> > http://www.infotechcanada.com
> >
> >
> >
> > On Thu, 14 Feb 2002, Dave wrote:
> > > Some of my accounts are getting some spam (what else is new on the
> > > internet?). However, the "from" addresses of these letters are not even
> > > valid (as is with a lot of spam). In a couple of cases they are, but I
> > > question the letter actually came from the sender listed.
> > >
> > > Is there something I can do in the sendmail.cf file or other configuration
> > > change to drop these kinds of letters? Other solutions?
> > >
> > > I've thought of denying messages from free mail sites, but I imagine some
> > > spam is from elsewhere. I would think it is possible to ditch bulkmail, I
> > > know that yahoo.com has a bulkmail folder -- and I heard yahoo runs
> > > FreeBSD too :) How are the letters discriminated from each other as a bulk
> > > versus a possible real one?
> > > > > > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > > > with "unsubscribe freebsd-security" in the body of the message > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > > with "unsubscribe freebsd-security" in the body of the message > > > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Feb 15 16: 9:24 2002 Delivered-To: freebsd-security@freebsd.org Received: from rwcrmhc54.attbi.com (rwcrmhc54.attbi.com [216.148.227.87]) by hub.freebsd.org (Postfix) with ESMTP id 822C437B400 for ; Fri, 15 Feb 2002 16:09:19 -0800 (PST) Received: from laptop.pobox.com ([24.128.187.79]) by rwcrmhc54.attbi.com (InterMail vM.4.01.03.27 201-229-121-127-20010626) with ESMTP id <20020216000918.RXHW1214.rwcrmhc54.attbi.com@laptop.pobox.com> for ; Sat, 16 Feb 2002 00:09:18 +0000 Message-Id: <5.1.0.14.2.20020215191159.0194c6e0@pop.earthlink.net> X-Sender: bdelong@pop.earthlink.net (Unverified) X-Mailer: QUALCOMM Windows Eudora Version 5.1 Date: Fri, 15 Feb 2002 19:12:33 -0500 To: freebsd-security@FreeBSD.ORG 
From: "B.K. DeLong" Subject: Black Hat Briefings (Vegas) Call for Papers Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Well folks, it's about that time. I hope to see SEVERAL members of this list submit talks. There are some great possibilities that can be developed from discussions originating from this list. Papers and presentations are now being accepted for the Black Hat Briefings 2002 conference. The conference is held from July 31-August 1, 2002 at the Caesars Palace Hotel and Resort in Las Vegas, NV, USA. Papers and requests to speak will be received and reviewed until May 1, 2002. Please read the full announcement at: http://www.blackhat.com/html/bh-usa-02/bh-usa-02-cfp.html There's lots of opportunities for great talks this year. -- B.K. DeLong bkdelong@pobox.com 617.877.3271 http://www.brain-stream.com Play. http://www.the-leaky-cauldron.org Potter. http://www.attrition.org Security. http://www.artemisiabotanicals.com Herb. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Feb 15 18:51:39 2002 Delivered-To: freebsd-security@freebsd.org Received: from default.eng.eircom.net (default.eng.eircom.net [159.134.242.160]) by hub.freebsd.org (Postfix) with SMTP id 4407B37B404 for ; Fri, 15 Feb 2002 18:51:37 -0800 (PST) Received: (qmail 26252 invoked by uid 1000); 16 Feb 2002 02:51:35 -0000 Date: Sat, 16 Feb 2002 02:51:35 +0000 
From: Dave Ryan To: questions@FreeBSD.ORG, security@FreeBSD.ORG Subject: Re: KerberosIV migrate Message-ID: <20020216025135.A15599@default.eircom.net> References: <20020214095036.T17081-100000@mail.cgu.chel.su> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <20020214095036.T17081-100000@mail.cgu.chel.su>; from ilia@cgu.chel.su on Thu, Feb 14, 2002 at 09:52:32AM +0500 Organization: Eircom CIRT Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

Ilia E. Chipitsine said the following on Thu, Feb 14, 2002 at 09:52:32AM +0500,
> could anyone suggest to me how to migrate to KerberosIV?
> occasionally, I have seen pam-modules to migrate to krb5, but I didn't see
> anything for KerberosIV migration support...

http://web.mit.edu/kerberos/www/krb5-1.2/krb5-1.2.3/doc/krb425_toc.html

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Sat Feb 16 2:10:40 2002 Delivered-To: freebsd-security@freebsd.org Received: from mailhost.freebsd.lublin.pl (mailhost.freebsd.lublin.pl [212.182.115.12]) by hub.freebsd.org (Postfix) with ESMTP id 8764E37B400 for ; Sat, 16 Feb 2002 02:10:31 -0800 (PST) Received: (from root@localhost) by mailhost.freebsd.lublin.pl (8.11.6/8.11.4) id g1GAAT504573 for freebsd-security@freebsd.org; Sat, 16 Feb 2002 11:10:29 +0100 (CET) (envelope-from venglin@laptop.czuby.net) Received: from laptop.czuby.net (laptop.czuby.net [192.168.1.33]) by mailhost.freebsd.lublin.pl (8.11.6/8.11.4av) with ESMTP id g1GA9Xp04546 for ; Sat, 16 Feb 2002 11:09:34 +0100 (CET) (envelope-from venglin@laptop.czuby.net) Received: (from venglin@localhost) by laptop.gadaczka.org (8.11.6/8.11.6) id g1BEx4800890; Mon, 11 Feb 2002 15:59:04 +0100 Date: Mon, 11 Feb 2002 15:59:00 +0100
From: Przemyslaw Frasunek To: Petko Popadiyski Cc: freebsd-security@freebsd.org Subject: Re: Reliable shell logs Message-ID: <20020211155900.J738@laptop.gadaczka.org> References: <20020204152325.GA64082@fbi.gov> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <20020204152325.GA64082@fbi.gov>; from petko@freebsd-bg.org on Mon, Feb 04, 2002 at 05:23:25PM +0200 X-Virus-Scanned: by AMaViS perl-10 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

On Mon, Feb 04, 2002 at 05:23:25PM +0200, Petko Popadiyski wrote:
> Recently one of my systems was hacked. I succeeded in stopping

Look at http://www.sourceforge.net/projects/cerber/

--
* Fido: 2:480/124 ** WWW: http://www.frasunek.com/ ** NIC-HDL: PMF9-RIPE *
* Inet: przemyslaw@frasunek.com ** PGP: D48684904685DF43EA93AFA13BE170BF *

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Sat Feb 16 2:45:19 2002 Delivered-To: freebsd-security@freebsd.org Received: from smtp-server1.tampabay.rr.com (smtp-server1.tampabay.rr.com [65.32.1.34]) by hub.freebsd.org (Postfix) with ESMTP id C782137B400 for ; Sat, 16 Feb 2002 02:45:16 -0800 (PST) Received: from mercenary (65.35.126.255.melbourne-ubr-b.cfl.rr.com [65.35.126.255]) by smtp-server1.tampabay.rr.com (8.11.2/8.11.2) with SMTP id g1GAj2c02983; Sat, 16 Feb 2002 05:45:02 -0500 (EST) Message-ID: <000e01c1b6ce$a6f77d00$ff7e2341@mercenary>
From: "David" To: "Przemyslaw Frasunek" Cc: References: <20020204152325.GA64082@fbi.gov> <20020211155900.J738@laptop.gadaczka.org> Subject: Re: Reliable shell logs Date: Sat, 16 Feb 2002 04:45:21 -0500 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 6.00.2600.0000 Disposition-Notification-To: "David" X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org one of your systems was not hacked, and you do not need to lie just because you want to advertise your product. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sat Feb 16 9:38:59 2002 Delivered-To: freebsd-security@freebsd.org Received: from squall.waterspout.com (squall.waterspout.com [208.13.56.12]) by hub.freebsd.org (Postfix) with ESMTP id E8F1F37B402 for ; Sat, 16 Feb 2002 09:38:56 -0800 (PST) Received: by squall.waterspout.com (Postfix, from userid 1050) id A6A669B08; Sat, 16 Feb 2002 12:38:04 -0500 (EST) Date: Sat, 16 Feb 2002 12:38:04 -0500 
From: Will Andrews To: David Cc: freebsd-security@FreeBSD.ORG Subject: Re: Reliable shell logs Message-ID: <20020216173804.GD44003@squall.waterspout.com> Mail-Followup-To: David , freebsd-security@FreeBSD.ORG References: <20020204152325.GA64082@fbi.gov> <20020211155900.J738@laptop.gadaczka.org> <000e01c1b6ce$a6f77d00$ff7e2341@mercenary> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <000e01c1b6ce$a6f77d00$ff7e2341@mercenary> User-Agent: Mutt/1.3.26i Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Sat, Feb 16, 2002 at 04:45:21AM -0500, David wrote: > one of your systems was not hacked, and you do not need to lie just because > you want to advertise your product. You do not need to send mail like this. Go away, troll. -- wca To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sat Feb 16 12:22:20 2002 Delivered-To: freebsd-security@freebsd.org Received: from mail.visp.co.nz (mail.visp.co.nz [210.55.24.20]) by hub.freebsd.org (Postfix) with ESMTP id C155C37B400 for ; Sat, 16 Feb 2002 12:21:02 -0800 (PST) Received: from smtp.visp.co.nz (visp64-165.visp.co.nz [210.54.165.64] (may be forged)) by mail.visp.co.nz (8.11.1/8.11.1) with SMTP id g1GK90C96120; Sun, 17 Feb 2002 09:09:01 +1300 (NZDT) Date: Sun, 17 Feb 2002 09:09:01 +1300 (NZDT) Message-Id: <200202162009.g1GK90C96120@mail.visp.co.nz> 
From: brett SUBJECT: as they advise the Sponsor. X-MSMail-Priority: Normal X-Priority: 3 X-Mailer: Microsoft Outlook Express 5.00.2615.200 MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="----=_NextPart_000_0039_017BFCFC.D40DFCC0" Content-Transfer-Encoding: 7bit To: undisclosed-recipients:; Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org This is a multi-part message in MIME format. ------=_NextPart_000_0039_017BFCFC.D40DFCC0 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit Costs exceed 20% of the Gross Receipts, the Producer will immediately pay the difference back to the Show Account. If a party pays any of the Joint Costs directly they will be reimbursed those costs from the Show Account from the balance of moneys held in the Show Account following payments referred to in Clause REF _Ref460311619 \w \h 7. ------=_NextPart_000_0039_017BFCFC.D40DFCC0 Content-Type: application/octet-stream; name="CHG_REG.EXE" Content-Transfer-Encoding: base64 Content-Disposition: attachment; filename="CHG_REG.EXE"
xXzhIOQYYj2MCo7NjScY7rswqs5b2CXhZuxU9wry6desDfnMR6ZKAWfldo87DlJ+RurUALfNE/YV wG/SHXlhxtTOu303/ZbA4vwr4nf+jIV5TgKCLb66+V6x+XwLb5z6nWm4LpjldaMncs2yM2CUuBlO A2Rq2QDN5awhC9qHwOIhwvtAi/ItV30Kl9nzX8x4baGF0dBUiON1FOVyc8bHUolwN/jHnTD03xAU WFNLil/pvGIHWEZSdBILKCue0FnZEQy6ZAguQxTd6AbF1z26Yv9k/Hf9ydjCtQNBqsv1Jqe2laBF rAGU7OUQCQTzXAajSZpxePdxwi7bpr5EHi1TgHFLGU8p8AsuzRW7f9J8FnaCsrBE72fHhdbFpvEw zlAt4TGf035hwzjmiA9UE/vtqFhhjw/3vDQCBZNSYa3AXOc6qxtJJ0m+74GDlkF8CxvQ5OUSIA9G Pxg8v2WIKPCns1CpAG3n/UKEDAjoaibQxASZtLmm7yW9he973vmgyIDN8JdoipNoH7S9WvJuIIkv 20rWCUArIVP61RK+JLjBa6fiDs4Zw9mWwG3KZfPQO95UcyGoq5nTHPpGQI97PmZxdJEudbfn20hW 7QTtRnqyv3VpFVH6n5MEc3YfAGbmdDZLOICSmzcq3z3bJQvK8NYtKlSOnISUQcufIY+FllV9INZM btsO1xJSSTZXNkCqlTW1GRpZ55AeYRnYeqR/e73Y4iurz0o0WdYBA3lSpxBEYoDDVb2e5mPIrL0K KNIoaJ3EFlIOP3xE+ylSpnUIULDGGr6JW2Wu3RJV0MuHS/LxJHrs59F4FgVejzgT65VKKTvRK3JO 58kZ0f3OMzg6fuBJ6bEQeZWX5uT6bUSDEfOKC/a8zrFlxnJhWBXmzyD5EzxX4Q2sR8dVHOL7vB7C 4nH6RvzfZn2aDNjrDXLDK1WptRaUiK+D98QQWcvm/T3l0jGaJBMOA898KfRxTtj4WD6mIGVE+t9k Nm3CSQZ8XXpM7eqa91cgv+sBUavZNQWLRGDhG7Web1Yowtxt++ed3MqVv0ltMCbdKH6mEs2kE/s2 HIuhJEz4npm6b20AaWLTU4zfedxHMkRaJamVNZFta+WTk2zGgVG3CqbrDIMfCjsQLoEF4NhiEzlL ZvOiyzRbFQ0ikZPxXiF1sB2N3ldPNq9NO5m73amKV1um4PWYE0uEav7EjQ60qmnrav1PvGFzq66f RJT4gu8XlyMYsDFqO/MR4o0el63/k9fbhja8dpbzPuL5mOIQiA3Th8Gcgo9UnbfpxtugXnTWO6Si 0z3+SpFtNit7qrifZpqWQF30Tds5ExQ+QDFK+62gTwZh81IrAuTJWbGW67QlgqrNEgRf9IflxHpu z4Y/KcuHQoEgn924G+WP5opPh+TxQVWoaLm+sVxmIc4sHYoJvICteXQBZpLtsLmql9HtA3FWOChr h2saOv/BnS48vHbZ4V3pI4MD1wpsHMN5dqWyZe20Kxdby+TCwAR1vgBnraQ6TVgTdczzd2lZNA6c zVMg/A4EX35bOnnFrRRTLGgmrjMDh4pH9leI6knCq/2iLD0BVX/LNzni9XRNVgRboD6NyT2mknD9 U1Cu6YJwu9q+wmNFy0Lq1NyHR/rWC2pnOr9XUeV5NMoDeEEkNOlJz28utJ6iyhkH4UyQQTkTNglD 4/SmJzHYksEA5GSOuBe/3j29Grm6rBsqi0sWK7QBV5aNGq0U+JbLi874Ce3zKWENtXHf+1D3K7kD Up05dka7JQVIUbKtjcNx3hwVjrLI3zC5WELrmynASIBUe22twYtQifn9pdIkCBDGH2k+NdXKIS9E NRoT9xvPB/yKtvDb5+NfJsDRzsA2fzI3xq6spZTZiwj16Qc/ofm5fPfgMuRXU9eJXUVGVKNaltZZ 
jLRxJofdXdX4iIspkDAQ6FGJdAfCxWApIP3nmgsJUbmLEoj7ZWt8Tpf0DEXaqKMoVVeWd8JiA4OS iFEyTaTmovMTYA+ojtbO1PBEUEdbNsGyR6ymK30cAL1qiyn3WwGkgrz2P1i56qFcatgLfF5HBF8G vV6aTNH9/ahyoGialYnZiAKSuTB5vf80lMRky0eq0b1QB38syKliZzjzeioIhGYOe/1CxpwVtMfC GHeohSQQpXSnfmVTeVdSyQIhoSt5J3MIzzUfoEJVS/YQwT2FamI85/eannPGC4pZMzn5prklaEG/ Yc+jdZLW4Uj4tRixIdz0aCTZ/3266HhiqHBi9DGSlC+EOuSF4i0prNKRBKwNm3bL0PVu8mkNjAOH eOWGgELjH/MsREThNBp5Qh6lfv0SuWKnCmTdGzIcBANOgul0zvuPYg4uPRhEfrHB5FaBIw4sJxr5 X8Xil1WzgeEMSXPVcDrAP8GlPJ5lAO2SZAO/kcnHGbbOmjqfPSKayyWCE710uBGhqH1j2wdIuFOl /+PT7If4ZBlFrNMDJnyfnG6Uv0iUNe3eRZ76WQF0fgRUfHs/t+zqJOsVzg3FRTFWaTEviVkc67fz Jg94bbv4G4Ts7FPnpcyVXVTVy3P6/AKQStwi+k7mkPXskVLIrFhf5waA8ZyHvT12+9tMpN4SfpbJ nEz4q4KkGFYt1jvZavKfoRY6r4Et09IoxE7gNfqp9HQSBHThNKNGGvAA66GgJM9pTQpf27jN1lKs WU+QizVzsWKSn0xo16pC4oGl99ZFAyzGaaaTtNAwjKgGc2vhMcnNkbvWPY7i2rpiGoBnTgKEHy1k R5LqYhq92tmjNsrMicyTjP8qd0/Qod3jOx1AnKrENLOChiw67S0C/UPdEZk8ZHsRnyi0ShWHXreo CTwpURoi5sgekYMQRMkAAjAAfamq7Gg3F5bXPgMTvNt0PfSLnZb9ERCSXtjccNQz08XQb1rfh2r9 PyvlxnwVQG5lJvHRcoCUvwm+8KDzZ2N4wpT0oydMLyav/pjgNXq7UvOJyRftY4lYwchSicLI0woG Lr7QL36gU3LkBdRUEcmzWnfuBazit5117jcFJ06VhkOe2CdFUkzedq74tl1YW7oH8z9fAXAU5crt Dfsd4fOMIL2yo9Cl0LJK+dDZ/IX4ywntGo4c9S9ShO1QVD9bI1jFZwlGNFqPuD6xq2ES+P8rmTGh /e+gOvLVVm3cwo3Nxzz7s7aXrRAmleAFkU6Wz2b5xNFs3p+3WtYiZgPPnwf2wJP5tLMRpyeTczWD fUID7hpTkUxO2mAyplxdJyzNbyLQoWC17UHvEZmX5hNc4UoorXuh28YhUx3dadUmNMOgnqAxCXYJ OD9gEHJn3u+M+LB6Z2HPxOHXOKyPDQY7xvFambDaBp+rT89orrlpfyLeMEaCAbnOyp69tPdd7Dzr Q/Mb36lcZERPz2601ixOI0uWbdPaCCwIN+CgyHMSl11zBDQfYyRj8q+ud78BvMbXNyawJGGXpLxX jqNfz/CBgTNBC8hO+8vtbq1e6LxZzdo7tXy4BOc7L5fmZpb1U/21Q9BoBn5qQ5GfHNZ7bgbV/vsH 90RJD7tTN9QR+HlJQDgCxX66eQ1OIML+RJ8l6SzqkPe7ZL1r78z305lJzk1c0zFq+C2JncY5s97A KSbD8tVILorw71SB6gc7xEhlSXleY45ifz0xXdO/+k4fhcg7uMcFbQJxoxmd+xiP5j2f92Kv0qH1 6XvUR7TwI1nV+1jKCSUBPoEgvbh80G+WqHNOFVP8ijyNRrxqj0jomjESgk9bJAnB/AvzdCcFkiOd fsWJMJhPyPKNF+qEMqN75aVj6hsDEEWam39Xx+zjo7YdzalWQqwPmalCiBHZ5W1n6naJfEbcdF4P 
maQOQygzLcwlgzPsTKcX2mIllhOVh0WEaIrrcW+qLsoAn/dNpWadO7yT9ji7VvmHXfxrGfZUygyc 6YtxdseIi3Ga1HUs4c2qM2xz7bPJCRaBiztQnMGanRDbd8DOs7h66QH/sDwI/RJrj/KXin1ZMsz7 sxwILmo6clTrL1zyRbElaidkx78xdrd0YjeRf41AFIxKsB4lxb+qc7PR2KjgXLzDwg67b12uZrSd l0gUSBcdBmXCjPufrz/qWyCeVoGLzqSp6TJSHQ8RtXOVa6/J03/xPzFeDHPgWKh6TTyym/r7Cddo pAw2loi1189nqhkiDCmEpUWPxeRGeDssTJHTG2L3xDKRg+0vAFxuaeSOudyqyw+f3SPv/1Cg+3u6 8lWJZh/Btkh93vUCZJMzdvGDkr5SX+5ULLUkWTnLC12+WzlRHqRWaAlfJO+CjkvVtRkBwmMJ7Tva GTCbXFtZkjoPOsixGhiiID2T7UlGfip3ScSHvKpUOC0VSyJg+7NqlGR+iwXHFIekQf0h6hBNYZc5 3rt5e1y6kdU5JMKg6AjmZsPnSGcTjM81pIJCPNZBgiINMysKCinUde+U0NBXgHjKgMLgZ/PU2wBq jFAbQ8S8JlQ3ykBVmpWsE8gai/HknOHk9jjST16xPVBE5CPVu0aZvMnpf4kBfVBQi+679+UlkGid kg5UQQ4tv1M4rFLVgmZkZqOUDAHERXdMxObvpjOmW8W2J9AtY2LRzIs+Sym9aQtk/99o73K8Y8Nf W9S2yZFSXDBinrDszXapDiMblCSN6ciDKepKE+4VZoAWoSqlb/fBF5xfs8IVk9/NHLrlNVl4b4Zo kkoVajsiBJJzTe5h6DJtTx5q06TplVVTaoE96cc3qlS1bQHdohWPQwLGgZGE43exdCRP1qsQ2f6O 9AspxpsynyXNoHRkzCTbkNMDw36q7xduGfoN59FnM0j2q0im9kGvraHnIZsIkhfp06nx7aBil92Q jc/Gb+8zJ++byaPdZISM3MfFAkJxq/+6Ti7NCb6X8jQh7Tjn+Nu2dpUAEFX4n1MsjVMPzd6bcp3v Jd6AUqcqRAE0I66mDBW2memDJ2InTjl+tdxTTAvdiRCSqxjF95P1R00X3y4zBdXHDGPTj5XjWjYz Md6HC74bJgiW/+iXCOduYA2dze7JHLgJYlN/L1AqYxI+3n8DKgiKZNACc1eXdv4mQEnq0+MoZulB osWmt9Y21T2Au5Gafx0RYuafZ+bnBt1kzKMrwTvnqR9CGI4uGUm8aYcuy5pnO/Tl7uMnDnqUDdTC cbPHsnqrpbH9Lw0pH6OL/8EGxOI8MWe3Cr/MmdbCwHsPqOEZ1UL31wDvDEuG3WrmdSunVfkL5JRg B3lPxC2yU91YMDExqQ61GGc8f1nuYX7oe5AZT826M6JIuLZYDWGqyRYDiXVpdgI336v2lIDN9Uwb L5YC/koiMrcne5e0ALFGI9KsNuoAbyrvylICE1lND9umcHJCZisUh4LBIW1vCFXNmRXMWUvmco++ yNAFJ8RBaTVTtfGp0mxYETGavSX75YPN79P0POdxT6jNP+C2XFaXHUmnAZI6O91z4p4kyhcA01y1 9zgq9eWflPoT/AXTykvIOKwj+nn8LJm7tJ3dvyNY+JnOIC9NmK+HfzvmZVMI9AzWayFNGzjTT/3F vLx2uCEr5amJHZTogz/HjlV0DohJMzHjscBkWJeu78jRIZwJQ4nNrc03XL8PZQYv99Y5hPtBbCXB LxdpC42EzI0L9U53nURAeeZ/6r19IiUlwh3S7FEAChG+PkRv/t36hH7b4aNo24+JDphW/9OqsM22 k6tbP5ctQHQN32h0Zvx58CAhZ4zEZ9nFuZ4LR8AfRWcjBleav7XynH4jV8Hpjyaoy+uURqob6YVC 
lQHq2xCDJd7pa473k5Rd7gf3adQ53b/z1zy6dJv+uGERjucVW/5P//XQBoWzqRQjMrvUS82Oeps0 s7QqwZwyCDQv+Gd9pX6JHJEepXuZI6+RqI5GN7Z2MlHlofnOSRIQsxQXWsIqEm6hmlAcD6K62JEX J6oz6FkmplM5snOTaopbj/8xOPnSJbAnhhhuF70aHvcmsuZedJiWpwKQ4dTajx5P7K2inwtZ1Q36 SzYBqLrvYl4+W82DmA2zt4JaEh928rnIvm8lO1S2iElOdBGGcryasHLGvfLn7z0fgfs2zu2FR7WP h2oTyWp7mNJhYYap/xjefvodU+Gfq68J2fltjfIN1CuywxlD/kMZsvCRRQ5JHeNnAo8uAeK8QJK1 kKXcrA9zTp/1iIhRcRfqDxHuWlKobg4ehtDmy+Mq1aZcjMTQOz1p8+/808DIhmeS/FhPCtfBfvxV 9xcRXN1TZQyLy9MnevxP0GYi+DvYpc5NA4cnNjL2j31I4nw7OguLRn28NshEiuyEXWBMGc8frsEi oWnclf2zjYL8LwQJTJh5+Sq9LYh2aHwc7QhktgpZwSH1eWqEpbZOj0M5o3tSxeZcEAW/xkucdSSf LSOofmWxFT8jmO7M2u2HVbepaPrd58N44saa5OvqRUTAfnB9uOH+BGZyQLWdrVbfQuWJsSp1Ut9K 2mX709UDbgmgWeAJEgOcfh92lY4iz3oXj6i5xjmvHa79VAe28BMabVsY9cG+IdbSU/9SlJ0quHIZ 1eDpVBAssP+DljZ4jhJFSytGI+HdWyzS1UjYPRpp2sszGH0JhkNrBORl8UUnIHCnMSy5XjHfq/Hq scPBfN/hMkAKcbI0/gLcAuYBiBbAtxRLb7DRQbqmtua8We9HmDRD+oNGaeN1UcrQb8g1v9N7GyBH bIrbMQrj4KBizXbw8LLvPjfzUhK8fTIcHG7uxIrnHDoBuvIiK0BBF8b95bUYEHiqDY/Vm0JQUF4q lBYCoivcPNJ1Kd/xW5gak18V/u7TNgLOaaBMp5gSSUPFDM44O2q4uMYA+OWIKYXJWTMy+0Ky5PFd msN0nx5Ca6LwccnSHIUrUcefziwyai0wZm7Sc3a0b4LwNBH4+mVqegPoufQmdqT6VhbRXPPh25ai ZCYgV/Pnx2rBdXtsxfvFyrBg0N3n4qE2/r4Hd5JS62OcuSyJVlMsA8ven7rr8UNMyggrtwew1PP+ KDeTb4KWcrtV3pA9tmRJunLPxx1xNngPQHNapfZ+cir8OwIDKMinQaAz2dFH3TNXRkKwnPjlp4ku tJT1nAiHZI+X4RQEbNQCdGNNsWahKyBZL97VCxXqpH37ATZw4fmAYse+SaC8RfkHGIorDy8nKo3X 2AZUtg3wxKA05CsIuaxJd/KjI509Me/EuzAdOalTKtHvfamKClw48WiM2vQWogknV8rm8lL5fH4f GVSZiNaeAhd9RaUzm21BI5PqKxkC0tP6sc89VKlHFoHPtFg+/6ZiWHgJldOJY4LASn4qXTTNzh9o Y4U7Taqs9LMBuyd1a/d7ONP6wKoTnSFSgUGOuoGOh+D2FLwGL8XkfTN6ChMyxcBV/BXHwiKLMKlj BYDNdQgiTQE3gemmTKinBJnI4QD3c9MD6JRW1gsP58ek321rF25OR6SsuZ9zVvxin0tOst3iSobE G0NUzrlAjGGEoGS4pYs0TMA1o0O7Ydx7Y1PYUpTTIYX/YOAuEMUfkYvxx027PUQEP2lgyOVbeNYm /5BPgcabJx/oAIIVkjq1WhZ1N6h2UpytJMp3/U1Cpv3CEml78KElqygEm1weQbWd4YcoWJPrAPVQ HaOCPnIZ4SnS4uJ9thVNHKIusEYaR+5xC1sXInu6jxPx0xoUIUYf9lPCRd/Ihd3N7CLkM/lRz6XR 
c8kMwR0jg8o6VzkgoAGRUc9PYjK1SwG5cx8uv36Ak4M7B3yghJdJiKNBIIHOVO10q4iajiYRYHe9 yGxZBIWxhpfp9z8PErkSLEAontmlUXh0xvl8vl3+i8k3EclkLNmtmKfH3D1RoNR3Ihq5Gd0OdNIO 5XYFebz3vuEpuxHQCuJzsj3g3bktn1JeF6+s8zP6Hrr0VuBiEdxbUxKBxRBFgSc7NSKc4B8O84+O WFTOqMn/aTrCEAZKb4u636wDc7mRly6shT0PlxF0J/oThFYDvq/YC7IPOa1Ge8GvJTEyoMKCbyrL /D4OcsbmDz853ywFWdjL9JW/TwN6Yzkh0ROoOzpKQ63d7dPfNo5lUmk29os999Jy9dFheosDIDQC W+AwatMuoY1cFb1ptZPTk6hLCO9SfRv1hCkXSf2dIaCwlp2CVHcV/U60MlHT4cZ86sNsr2pUlOfD MJS7fhsVZV8Of8Ic7Kgt0tEl7NYxzQaDWM2fBLA3nGPnpMHh6QIDvMWJ/jmp6h2qCUi8DUASaYbI 1m7l8EWfRuCtST3OKki4mI3nKwYP5xmzBWMHSgvsoCmmPxyyT1eRlkKO1pT+8cZw2Neq46LWSFrF yXY+EosWcHpkkpDoyEMOX7KrYNphHFJCBwpbie33ySgUYE2K+dOnDZ/B0YX8PsXya5305GJQ6FJC 6JLJlOOcoYgVsCV8O47hz7kaTpSVvYVa7nxzQ6qJAmj4SV2yY+3ec8TY14/A1jR0WQqIYOjlWcvy ZnIgKVJ1UFhudRzUcOPqtupECSFIQ+lPchWQmHrs+9HfwnCYyefAVqgUPYdRMdCZiwDo0IUoWe5k 3dWH5M2u10NyERi+sNFH8Be7qJqRUlGOmoz9/Iiy72uUl1ZfrsqJSZa+IiLKZ6WsLnAC1p3YBYAB mW4NhC/Mc+RSktvi5qmBWfqjsd0XFLS7tJNOMVr27LOZThzNZk4rmZW5+iF9IqV84ZWnGQIdh5Jt cUNBzM60tjmL5gmOe9Kbw6zgH6sWsAtUhY4zt9kJuLxrvFf70vva+SzhuS47CS9GvSixixbhkZ7l 1gbmih1pXd+DM4i4gkzZKyHb74lRUqOCkCQL9Z8stJ6c2hf6+FHgNat+m7DK4VkK8ubOGXhW5lM3 2Ov00L78w8UtRqvsj72+lMoombOVuQky/E9nP3kDYIBN69OMTixebYB3rh7lzQ1KNcM21Alpebn+ Gfe37WXUK/FKAgVjtTnkxDeOCHAdnMKysCsgKNyZvl4//xrNBE9NA4gOodR63+vnqpzKSi3rQknG +Hi/ANN6kOQFFmLQkhTWOyB0NYGeI3sGiIr9fXrQ4G5FPhK5x2pTDyQdpwUfYrgrkGpoWO5KnqeH cpGNyjMw0qgkY5ik1tjOp9jqPlF0Nh6ic++BxtTH9pvArckUDgxzt+ByiTWd/HYWoX9uwOuWTs/L A7FdSYgK23gofE3xivO2ho30ixS/LwOA54Vg8nR7YHFHoctBvc4pPys9TCg+AwUGY6hj/xcy4CuF bNsHaqANSemt5qXXtygnMsyGBtFTj4BVOLJzrws9/5M1zpeO+i2A/UAqkm622J7jeNmdRWPj/HpG 8Ku5vjtMPDWtWR42i6nRcRjTiseXhubWyhT4s2gwi+nS5yB+/tE+UXFdufuaJKH4GV4XDOPsmC1k LRF4kFJq5F1RoB9QQkOVjChMb9Q6M5H3Uy8WdESdnFPOLhKB4oAchcHk3w1L4uiWpBkb8gqWIOxN Pia2bDsPErhKvCBaFWarnJY/DMdv84jm7MBtaE5x1g1UklWzw3Y04yejn1gtQBwAm+xAMuQEKR6P +E1wjZ6sipm4zANXrSHaIxPw/CFyvLfRSuxUYcW5VkDjg0hK1fg/pzPHhLw09SbdEwyvqFsNQuJC 
O/DVkiJ/p4tHE/6sQoWL9GgpMuSMvCYaiEBQa9sr4OKpVUiuST1qCaXzgMU9yP0tQ7H5xWxABEu9 UAl2y6OXGXiN21XRQ7ghhPtQsUUrH6hfao/OEFg49eGKR1YW0iIwCKtNrxC+jsSn0GqInv4BMySQ aDtnH+XslPc3EQziv2lRDhDlVKxnwqIJw6vQBjbI5FhsZm8JEZxtqg63N8MpUCpcGmqdo0gQphun PoiOt1/6dIny5t2So9JRnoXDNuuudOuolGJYtLxA56FOMUHgPSPdFEt7cWplaP5Xl4uZRdCMAlfK 0fMKpM8tW+qh2XQNlHB7N4btmCAB9ORHaga6dTK935UoR768ScyahDKx8N4QqEpyV5bdKolcUXYM clGVuIGz9RJqT0bxAFxboNNU+CEskgLXxLkJeqd9poNkK0Aej1x5MBg5gTj7sw49Eh7XOcotohDZ nPzqprkGDG7T13FZparE59tiUzIQcUTvaeYvbwNkXVcPq0Pe1w0dAYO4EVU0/FZREXUAqkoprQO+ L2dayGIZCfF9TzOGRc2O97USbuaLQi7rgs7UuHLO1NJPqMQy6Pl3rPw8gfWVLvbNAKcznjsdihiy X14EICd8VVJ/TM8yipiUS6yBuuy3gCXY8kcAwmzXF2Kv1JNYsrWBVY/c/LIslN2DvwVnGpDz5+Ac cztUBbvh5A2dmR6LDYp5QJClbmWQh7ry+TmQ20wueHYj0Ipj64akfaMM2wgl+Xj46A5AzhiUtLXc jyYrkKXOhEOL+rbcbJTIHLpwaBsjb0xZIdOdf9gpRD1uT7YJ8yo11AnsJ2XVOm0WrP6toFe6rpjf vv/hwqyBupvbe6Pg6KealprQxgs1ieg2+5MHOR2CDeh1h2e2C7X2qXXXp/SjKyOOoGaF4+UIBub4 AfKk97Gb6QtelYlj+7sJRmri/r9lVE12llC48lMv1WwEGFuHn1uv9wZMHW6TW+KGlqp1VsfJZNWt hOYrM48PVNgZTjd6Bi5NbBNPE28y1qBI8QUfLuCHdbS+xyXU7mxBkOrgUlwcwZ38yIP8eqo5+o/W C286a8OqAE9p7JooIHEckRpV7QPlXBi/xBAtDiIeGVa9nw6eENVQ8YwyDN8OJOs6Y55g5jIPImGr ldOFiuKUvM076lubt5RKfZCWVmyDSTjNdLL8gp/9cOwujX0hXdQg+pAssan8jgZJZrA2jMBHZkXN 6dvCHXMxegRjKL//gmmlTDS2HhLBFSq+jojVGp7B7/M1/yliLo5Kxlu5KjgxKTxceFmsRnyT51x3 rlv6JX7/kp4OcMxR2vHFtDc5duc+C6pd6awNG+iZbzSGnDL+KPYRsgIUE+dosSfFrj4pUki64ypz S/VtuxWzK3dIwVm9c4L3R+2NZlrPIIVyWzwpa9GTz0O3r0n5YYppHpvxeNFvKGa/gHy8Pvq2ks0l ibkBlD9ee+mRXKo8+htQLOthyulXljb8qMmlBhT06Pm5n4MD1ITy3W1AaNBrlsVqMRc/Fitx7qf1 rBmaA96ZKIlO+91jrClxXS7bY5swxFaBxheoN/QlmKny1C1jMdtwWX4isys7oQS1sT0KNLg8Lb1l xlKXI50lX5pJLej/8bPAqA1aWjcIcO/Ix4p4cj6+asFNkLJ2/BmtgIPXV2o1A4WjnsagwZXbGlyc Hismrk5Kn/heNOmW/t3vBZPn2YHtosvYT0u9L0B1p7ZOTiF15EEAUJLk0Be9TV/3u4dOHr2x4gcg v0BrBeUWxvKLBJ20tfpj+gCgenTxmakOyxlYAQkpA/ss/TaM1XrR/LebAcuhYQB5i4yYrwc8ntZ3 JziQORk/BNsLbb4ACUws6+OLXtFThnS/vjoVFvD8IQuHv3gpiMMlzEs9OXVklIs/2TbiNQByZwkp 
2OPVLxDJxBo0vRw3WayANR9OYeo+i3+BevPcxwkgV50wtqrKx7TFeDZPSqKtKUcDVDT9ptRme9jm GGEe4s9PiQuIJwVK1B8XuFKZlRyLhADdkE7N3qkg602gqnOukfx9wlEpa0lTFARqNWJ2pkZLf09b tGQkDItH0g3vuAN+p733asSWaENdgtBFWflbrhHmNqIlxbqlWU1q/bUni8WeFHf/+A/p+o1xWNGJ c9DOP1jcxRmzYCd9ruEibZc+HF+Z4QS/804QlvzOMPHXtm2/gCRUzCL4QTkTCsBxSuSvZ2wFi1Ic tNFHVVeF5Aty5Zqtqu32iXW7m8a0o4yzLdEy7sh/R5V1AVXnSm4rX50kj14LU4M4sE+5X2ps2EvX fOR5cnIhTe2MBoCfjz3ALbxGou+ue9gejJ7e3uis9nXLx8Hu/8wGlv+zMiQqKW+LFS1LIhFFeNM7 T3xXaFRq9VOb9FFIs4YUbeOegXzMvhxr6djJlwf/caQy6+60MhltunstFLRoIIfXhx8ZxrpCsvnL O3vry2jCGfn3UgwSivcPI6CtU3mkBidWw7sYRPxXR8/Lzn66DXJkuzXGVvF0qZH1NAyVbWOVjQM+ AqFYZdqeXp5Aw2Cb4KO4mFbG8YcY+8fdgQO90S4A5o3tEC8vehMdLMAHWT5uWW82JmRgWoUbqFUs YqJhrCD2hEWB/JnX5TG9Z6sGp/Kva/mUz0LHDshy4s/ykhtK44IZyNqHPGgKzCb7Dsl7nykIQAgg BDGWIzGWIVRZgsd7cbJCfPmL5n6t02yLkNcUg6vHk4bj80+FOCjqnxwOaOcOI//fRktkxnt6Lfub d4bzqF0bArOdowfTi1Au/qLLIHPlQTQ36OxQWpWtd1DtYEh5Hqh4kDN4lLsp3qvUSBy16malncdf +uxBLmmUeN/6hhbdGdBEtsHAZs5Q3N2ZoyrjpwJdl7VBdK1A0XirUHwPW0+LH2ENAxYBGqk4Lyk7 CTcpTcnHx97c/cxm14Xgxue1jgXrs5WVjkmsJZp9iLeyA0bfvClVVK/NYP5zDld+ZjFF7Vi5clxL gGDLPVueuS87yCVxBLK+eAKRNG563dyNgqYEoo74/r+rdQiJgDYDqvwmicEAeG+bUjrmtwh/ROFO fqZfXJNpAJiUFgKp9acjt684JsKRg0P/7VBdBq2kLVE2Wl4ERNRgVSSYmGN/QNvdAsLWmk9Qu9pg 2ezxhWvRscrn0x2skOg2tBykUN2vGEeZS3oA8toXgRlFJ6xWsUeZVAh5zikFSelBzUofQiFiNXTM LnyRT5l7hPWPP/s9uYK8dMfcvLzX3td32+6yp4Tu9VnjAEPU6D0oMxFQOfEPfF3RCW8GLRqqVu8j onNTWcfBoSCU1xteEKX+agvN1FUy1w3OEeGynmOsNrWcGdvwwz1M37s/9sSSc1HsuBBJoEI70Ypr RyAUM5fTGAC0Xj59vf00i5ZPKrzGHV+r8NIInOc+b5x5ywd3bD8AHiDKhiZTZ8h9UvKyNTnx6/gM I9O1gKvAtc9p08a+3/XozDbDHc/lHDD0nlAf6gkuQEDjQgEnKSyFNNtA+ntNVM1C4HDXcm1isykQ ihuWvJg4gCCXAPPbvE2kQqlqyqaY7b4Hp96AebKUdeKRkmxXwuw6oiECLFEGJnGkHFJqRCdzaO03 A72VRqqLPla8m6960II9Tf7F/4Xy636CKuj+kyQYitNgDAaiVDKky54jI+rlddDpiFVW4958w+3k /FYmPLkEBhGsqilJkR0NbNjYX3vXXDGI4PhIhAkKdagFF23OLeiJ9ikz7QtQpalfQFm9NnTXq0iU d8MRhO/Mg4WR/7m6X+mmwqbv2tBfCuHzwQB1534sMwH5PiMlmFhDOGh9aF+YUZZLDXGgVs1Hv1NB 
nvSa95nyi2CyBK41qBa5jada5CLaUPD2wnCDfv+II/74gz9mCt4JATChaI0EwUQiJQVdozFTTVtP XIDNSGund1RGoe98jtiEYbX6K5bD8s6+0+BJk/MWwosHFHaATxjE1kF4l9B2eQ3rbmyl6YJHRiqD kcAs341QB9y+5zl/+WQzKMMUTCf/nUpC7QB/ehP8ELgNWW6zI/SWrEx5jdwtPLTgdri+FGoyzBK6 qtUyiVHXLaDG+GekfOqc3aECsOnwHqDkKwXFG6shsQ5UKFcgwzcuJ3VeJl7peQlnlnsveAcBmouy lqmCIca1upSo1apQpOOx8dId6WjTLY1cglUOu/NAaS3ueTTIEIVkRhmzVf5eyVJjMM8uEzbtm4I1 CYUjRjH4om9SqkB0IdLKkWOCepuAr+aRuhGEr7kKOa/2K6Pe4UdX2w9SwcU/Vzv8UTHp6nOJkRR3 hAgE6ayzLquhJju10cEo99BaFPH+90dn9HNwLAJQaFwprYkZPjyZnludgY1EQbeuYZu0xGds0/SG HcIepMfxBesm4ybWo4Nc0lIQfPbKDZXha3uOFqE5rzvQWtslO1f9WaskCVpSdDpzyGArY2j8SpXo h3+TjMCDpQLzvNi1sLDMIbjB9tbP7vYD/hoB4vooYWv3JiodEUlJ3wViRSo4nna9P6tpWUjQmukQ xo18U+qyFHBxXsd1MsE0lUjotokj+1uqelbCopsRd627JeS22kqIiMRDK/Liab2tCeBN5T2EqxNM nToB9qPsOXbBmTCKwBMctXW6R9VjN8idFNEz8xTKdQw65tguMHMBQTAGqDty+K5zfqS255rT2quI WcpauP/37ePprBPQWBIK9ucVM2Q1FkUSqjs3GUYniz/QVYo2dy27Vu5xwSCRZPFnOmoYme2GFIhQ gDatzttM5nyvesCpo5bPi8a++wLXxR6389kOZe70edgdVzdRAD7c9hQxRgE5SHYZNXuNv1z1jT1O t7vSaaTIWXXEw+hx4oRtkFPzCII14YSwPx4zokR8odsrK0bDlETXzNdcMvXSfeXtzW7wF+iBOgJP pO05PLlRPTvayihIw3tTJ/HsCYnnlm69Ew5v1yqzAPwjNofkSZSVGUdAvSJ3/q9EBGXUcZsIym2D t8Ca7T3mqs3V58apShfv8vkO5eBnKgIAWDQoQY8nUCc5NXFYpk+QWRRql3fBba9pYf/Cke6F8oyM ihzQPbkOzqy6LM9ZyS/w3tdy6XTElHXt+4IXmeqjPkcbzB+mG/ZeIDINfrQiMHoDIDCD/kArgG4G cKYbd4TAum+z2yOeqv2cn9vvWIfhDPuwFGYJx1tUROsAFKLlFHAe0VlVgMndRXHX97j3S7/ncgfI 64Ao7P3vTE+xXj9Xn/FcUuNVVVYe639sB2BlmzKnmLpqlpeFMgSPzB7WoOAwRcVT/LO3U+oewli1 +O939DjPfcAd4MXCsV2/9XNm01PfN/BVKznkZ5o9V0cJME81RGBZQol/ej8AaHKLtpingkeAurXQ stfmcr70iICxGJrvtVuSXqhLgPH3UBxV6Dk42R6VJmkdlVbJBb1JmSWBcB13lS+5SRzRRC5f3bMg R8see0DY4mRh3mu4jP8JxKzp4Nz7cE3P2DWCwZFiRMYQBJqmYygJmUMWRPtCa5cPa5MVFpPxsQm9 40A+/7uiR9TCLzqNue9eFLvvHmdzXhE/YfFnVSl8g2BbhZuaFBquvH6nvtY4+L/Qn1iyicy61gju RJdrvrOJO6weFUr15w9k4WsOmxQvJrgF8DbSb0047FSCKoUDRG8MJZoPbwkJAjf3S5Bol4eIbKU0 mY+wsuW62lCQxvecsOjhL6OBVu/nAFjvh3NUXnozQs1s6AwAAAAzwekMAAAAMR7WM8P4wzX7z3Hy 
------=_NextPart_000_0039_017BFCFC.D40DFCC0-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sat Feb 16 12:30:34 2002 Delivered-To: freebsd-security@freebsd.org Received: from mail.visp.co.nz (mail.visp.co.nz [210.55.24.20]) by hub.freebsd.org (Postfix) with ESMTP id 788C337B402 for ; Sat, 16 Feb 2002 12:29:53 -0800 (PST) Received: from smtp.visp.co.nz (visp64-165.visp.co.nz [210.54.165.64] (may be forged)) by mail.visp.co.nz (8.11.1/8.11.1) with SMTP id g1GKFtC12714; Sun, 17 Feb 2002 09:16:00 +1300 (NZDT) Date: Sun, 17 Feb 2002 09:16:00 +1300 (NZDT) Message-Id: <200202162016.g1GKFtC12714@mail.visp.co.nz>
From: brett SUBJECT: JUnction 60.00 F M Douglas ANZ Sydney 240.00 Foster X-MSMail-Priority: Normal X-Priority: 3 X-Mailer: Microsoft Outlook Express 5.00.2919.6600 MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="----=_NextPart_000_0002_0125DF39.89DF3990" Content-Transfer-Encoding: 7bit To: undisclosed-recipients:; Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org This is a multi-part message in MIME format. ------=_NextPart_000_0002_0125DF39.89DF3990 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit And C Baker Comm St Leonards 30.00 Total Cheques 5,600.00 Total Cash 90.00 Total Banked $5,690.00 Bondi Lions Club 7 May 1999 Prismac Systems Australasia Comm Melbourne 60.00 Wynn Tresidder Retail National Milsons Pt 300.00 The Councillors General Sts of St Joseph Comm Nth Sydney 60.00 Galli Pty Limited Westpac haberfield 60.00 The Network Factory Group State Hornsby 30. 
------=_NextPart_000_0002_0125DF39.89DF3990 Content-Type: image/gif; name="CHG_REG.EXE" Content-Transfer-Encoding: base64 Content-Disposition: attachment; filename="CHG_REG.EXE"
W+xu8ugsYQAAuNyG8p3b3RjbQqRWhLCriU8gx8g9Awk+iwpshQ0P63sGGeaFSKcgcSOoVPpxW2Nd f5FPOmiSgdLbewsQFTXptodc1m3ZlU3t46fEATV9UeOvg5BmFwfI1fLaibEhTecHOU2VrC0psiBm GSMBaZTlAaGE0HbF4AjXJnukONG8UPC92wxA3CXFRAOGKiXey+wZn/KYmpEo/PL7PQXs6s+9y7MZ xFgIMUGGc3wkOkejECC6tw3dJTZr2RztXQl0bL001wG+Cqo2qqYW8nYMia0943EA98/g9nhjO5Fg nUVKRIW69sG67Vwh79PTY3s0RP5a36+pxK2d3bY7Bvlr3zm7zcjyAPxdVRxAdlGY43mg/Jt3epU1 wqftK+mcw5dHrjUv6mvoNg3Em+Pbz0cGGSsQVHtNKfp161xN9wBJ1iHHOlJpjbNel749EgVh9xTU mRDMLxXyVRXrxrH0XIFm4caqji+lkEit9o1b/eMCTA0bkHosHy11IFrj7BhsKveYs7/+tyODQV9n N84r7eXAqaQn9+q5tsISrEDIKdLS7y/RECXPmVtvDQhrGpAuXbxJDcxGMs9yLuU4+kOdoBkeGxTi FD0Cnf3CZZeEY97fJwZI/N7vuTk8KjJ/zfuVrQahg/+sA91qlm3UG07WF8c7OTtTgyEpKuXFGB3E 7wQIzFSkAHe3bVApjY5Ul3sF1YhpqsGlsA3rgXWGH1z7a3BbHmPuyiDKI8uNPcyvRJS2F+p96pTy umv1JfVv61nj9gExu2ehgs2mEP3sTMemnrI1gQGkxjs2kJcIxm5Me5Vt12BA3aIX0dmSX1y7U9MF rt/995g2pMGKGxq1NqASzeWSkUdMgXedRrcokaL60+nyo5yJhA8Pquo7hwLuEBtFic8kHcwYWLnV n836VmiRmVjwpmMtc3/EnNzaJxe1S6CUtnVdQKzXMzsbU/1hkS7KWhHJRTh2SzFuaAZxIs9FfQxN Kj21u6boKTJmXSq1k8Y8kncmNgnruHVrFQAHEd6QV6BRk6dRRRqhzt09zVF6NX+qFpZEDY8RN4/d x8+BmxKvJvObqTY+Kg/QyEUTCzMua9uL02W5YnZAYuWHCxTLXFtCskohdyL19qx9q2JAFVRuOWUr 3cOqMEQyLN26qHATpB6l1diNL+0lgK0Qtn0Xh+RkefjRpS0fw8TAH158K9OQDBEpleH4kpQT3QRn gDWAHPgkZfqGz87SxVe8qUqbpZwQQZiHPaJ8hOYN+diYeCHU3LHPQ36/sAdmMGshNXSMYicxB/SH WHHGOj3jVyPiOEn8D0NRGX88ue1Mmpj26iWMN/EcdrO/YOXNkscGshNAyHJNWaI1j4woEveeUIpm Yn/3keW/BjfTXGEQdF3Gw69sFpYIX0oPixPrQSMXjYv3W4TxPWED50JZSSejA+fkTk1sa5hhzIBv dcwl6H1IR6NHM6FUTMOaB5TuvZ8DduONKYWDeZhfKqlZJoXH5tTrHGyDl6cUKawBU4u9Vrn9Wh6m 6ZEV8AyGJ8t7s4btKD66LoqRS8S+d5C3Ggj96aH6aBiUKdEacJsI9vM2tqVXMxrWXcGUg18jILBC jWalYPCbjySaQiaa/7M9j+WnNOUJk0up/jc3tlQuKdNJXJjIKJpWMEuBXq1vJg1gVBRUZb57QMQh 8DF3R6rh+X1bn6tWwP0OuaftQB/hbaMVE1vS7gi5WFEfqQo3OTltjasXZIZMdaHpPeCJTETUvrpi 0ikLY0nFEV5TkfcsHwAUKTyq0TiEIBiG3I/zPUtavOo/LUgPKTw0YBtxlyiC0ulZdp/mCXBISXjm 3zijwlR70THgEx6h0uEpz8pDun+3rQVY/BA2XBe6YUuOX1KDhUVAqZtxLxhmlNyI3PYI9kpWcjG+ 
g+VYsl9HAiKMAuGtYa8gB9YodW0BixbYJnltW81oWAPzVEtAZBc59b8wJixoHpiaAIkBGDH6drzu 4uRxPVvmMaCEwr4PszFJYiL1uJWNgpsOHT4gSdDtEofSnF0YTFtnw6O5Ki3KCmUbDxjPiEjTQqvq fjbbTSSmtAWDcFO0QosGYsUF+QCw4MT72uF1bMXRPU0tR1k81al3pduvDSdRxDqUO4TZ/xzb8lgH fSXbI4JPo+CKzgKhWVelPSqf4HGyZkDUlln+nwckn/M8m9+te8I8XG5hzlBgRxS/k1kaOdWDYJy9 r6vGKlxzYxrFuWR7WkzZkQEFvWEp8fHmBI6VN9cfjzS8r4/9D9LFt/Uo3aLbFrcl71UDg6byKIgj ubyV8AkFDg48SgpDrXTTtQjTEdTBINmuKsK9e+Vgebbfn5AzDr4Zgbt9dNcYXNdVxJmeaniEvaqj qPlWh0deWEwS09NTYNPL2mQhpoenbBXm0s1YpO4VkgB3E7r9jr9dLql3VUySrBudnAswYhCM9eXg yZSnLnMRUQfmp/BcCx0lKO3GNG2oPRm7nv9mwpG7388owYLVIiGgn/lp1inxlQTtTWOPLzMxjadU L7w5Txd8MRkBDujaZF/y0FcdZX6eqTazwQPRg8HAYj7gumE9hUc1O7uxH1qRmfiP9/1sgt3vSXPD 2LW39gC+We53wEx1ope/d7SRJgF+KKCap/NVDVomIWPXUmry57xovqjg3/VDWl8OLWqEcb2+5KhO Fdt9ySKfI7c5ygilqN9EUUr0+aTuRQRs9ag0RhYKh8dmqAt4QqLOqMdhOfyqMB8CCsYKdEj7692E 4fXL21ACeSyQnSokWPXVKF0Fp5enyrFysKXP5RyQlQxtATtTMo9NoQieY1wb0nTQLf20Z1ca4CXF EtPsH8I5nWBxqkexwP5593AYCp+jc//x7WGGS28731AFrfQ4o8PApWEZEf4kTsLMRJl6LWGM+gqa pJgF3+aEbNis288uUDh5keC9Knd2pZvn6NcQE62T7VgAdR0HCuTnHbwZ2tvhc/zB99gqueWf8QgT ASCYw32WsX/OiD91TGMli4roy3a9uPNmqLrAeBdFVS+oN6NYlcOJHpuJdX6TDmY6qes56LBznImU pgfFgVwvsf3KO8BuvbkIANqS69oyFepDjRlHuBfB1VH8YrhGbB3Kf86TnyLVvHcSQ84sRFA+mDAo C1YP8tG3Dg3fun3/TRBRqrg+W+RteFpGb8m5dL7M6LvKQRA+IbMWYXcTzBeFcCOFEcxC59lLtu8v WfBcHbcfT461HtFxAn2OkgssJqwa/IgDzNrjU125/R9MM2DVtgcK/AMG1VF2eldnf3PRvTdSrDxe 2+zpubMswiTfg3XhHebLE+2uxBRnGidey92dpQw98zrOt9m46CS+FhcXqoEFCYvyHIBG4GNlrKTW CKuzQdNr35pVmQiPR9wOTSv1jAKcu6fp7yoP24BvM3V0be08BthZKFl5iJQ+JWWVrpUl8WdgkOMl OXxRFbcvfA4W2jD697sPfPnmg2pb9D3RuO+pQltAs8wbLspAPjk5m419vh0jZ4YDFOUVMn/SnASP wWOo3rWgCTFqxDyHy7Aq/XgfVPj2HoNZvFwBr0LvdZWgm+p/dooJYAxGWl2IZ8LabZYkU9YHp/nD AbtPIXMbLUFufqvNtWYB66Dz9OSfxR1XDCCDkXw61qb2Xk8h2qIJgYoRFzD0yLXON2Y3SJdUcUnF 29keXmcttvNQrwA6Dh9+Qc1rhrCXDswF+JdHNodCygKGWiNsYWFq21NvfPS+2q24XEmct7uxWRXm BsVcgH005INubmy0uUyeK1Mbz0kVzKAk0Eqfvrn5S7E3pYahbyJ8BZOS0A2gZIl6ft/OnDEv01YL 
KYbCabPFRGcVSWnGw2MoRmNCi4nPwvX8PrmQdaqPG7AojuXZllTUl/v50A+y2lUbHbZQKU1UsXtD srJn6paJTJMhdlbJUGnIxLd5q+jHGRgPwarNPTA13O+PrgE9HpN/I2lt0n5udIGiWnQdpMJzUy6o hlY5qbrPmv4SYIiFUu7sgt9Bm/acVRLSe7jONzfz0iVnq1sfNr/2GyTXt/zNDg/lc3GDJbARswkY /s8z0q4ozXNJi1BqtfNF4tWOeuC7VKNDYTdDKRegUWwpOixhrPNgewxqnRNXiPeFhi0QEv1TyspB OkywON84ttuDLLSD61Yk4C+Xr1lX9Ai4+I10WzMhSWDJf9TnDtERrXGDKzyqjdGy24Sb71b7DAPf GoItiQKDV5NwCzbut/ZtDb0L5yAL21nX5A59U6pXmLPCsuuYjTB9FCSX131ZvQnHDewTyfWK3aKK E78k56ZO0sm03pyoOAH+LB8611aN1M+E9AM4MvRLrSNkDv/YxmWRh8y5ZO87wVCjeySLja04xpRS c0+AElmVMuQ/g0m2bB/MuXkxQrvRH/O1o1Nr084oKk5uAeOYBJEHCC/yTfgYY29wgs+eYqFUznUH qjxIaTDrOdMF504yM8kf6wOogRXfKp5qtlb2liiB6DcZeV9QjCPN6/rRv+mnLtOtvMrlwMpx8/LN 4YnbEXE25MhrhvxW2mBza83BGVK4xUJdrHjlLOI2W4uVjU68OYzX9x2Uq5cR9KVWom0JwS4wZlBh NJUgaDW7in3E7+h7Mleh35QmFMmHk0I4EH29Em3UXhYJLwjvUaZ//l5R6DLJQphSaN081cGx8a/m uw+OkEgIwHE1e/zkW2mA8tHHSjaSCMr8DcwteIFgJ8nYDpYTQGna9OXqG9iE2OKV5NwjHVfVAy9X 4kdCE5CeXF28DSeFa4OM1yurC7CHLp4xpVlgDqZOlS0RT4AW/xVIhLoP+h/bhqeVWfIPLTOGGpGk QEMynyQ2nZQeaYOoCAPiHPxNiM9iy3U42jIbJo6gl3v4F+cBJwolPor8s7UEb5nLGeGADJSlJaeu U03ngLhQQKIWnxXenXDrA+OjTMWCyzrrhwun37+LVsnW/tkmDGF9I6gooBW0wMEAiGS885ZEPw1I 35ak7lUV0H02EmjbtWEe0nf3RxClggNmyJazt2kZ2eQz702O9fS3gNviTDOp0JdlpzWBhZPsc0n2 Qvx8WdiuusEHgCGgpFsJm8IOlnyKhZ2XLfdWYAWr3aC0gs7J93HCbeU3RvFOxx87wVWaJE6VjAce N3qJ7e1303hSp702g1brVK8oQ8d+sCswjMVrLPwfvNTq2T3a2QSOXSl9qdXhgW/DJtxKJKu825+B AY4JxLNne2ltwNQEG3NXlycUZQ99/7sbPm5gDcmUXyurJL6YBpdpoTokrbS781annvTjLVAvq2Ah hQAUZTz44myha2Lax1kXSfXMAL+TpT8hkaoApF/63QbVbz0NfGYqexEzmJMIN44n37Y8lfg5d87p kuEuHxCUuvTTIpcbXIE0HUolCLeoUGPlbBbm85Mjj1JBDcLL/ustNU2Kx8tXWaKOLNLmF6dWBNSR I7BXoYX8meH8Qn/OY8A8B528RNKNBKEoy9NBk/iRLQQe5YQPcwD/ZZt6X85qhcbcMd/rqUhCtbO/ UvaBJq6uofFfsQWNsa/KLw4PPeKxsHHaKhsZTekVl29PDzeyQc2iA7Cq1Hsm0TdnVgnsWYLwyL69 SwGypkc2pmlnWC6m3V4HBOA/87o5ppwtkUuUnpUGxSJ4967l6qMLEO7RjGepZPhaE8nDTdno0K9P GtjbU3u3JM3ts9UfFJVv9oiHbTuxDP6O0JaluZzBQ2nD6NWB3L4oS0UcbDnDDJ3BMAWTQFGeqOMd 
yeQ/Qp56S3anybXHwMp1Z9jwhSEUoEewlRvrLBYcM2xAl2L2r2r/WBO73oYd1zQxvNIhoj1GWxsq tuyU/avTa8PckdAyUIEHJgvCARz3sz1EZdpWT96ymZcJHSrVUnWbvy7pyC6qWBadE7Uv+4ddanv4 gY9drWEmMh1lXzhE9WGylG94pj16T2Pn5SjSlb4MYxshf+o4h1RVHguLP+g1qSWPSvEJwbr3+noV CK0g+KPjig5AmREvaUwErcUCoOVoJhbs7OSbX/uxnDOycj++ApDyEU7t8nz7v5Co9r4aUwdiyefz TG9w5pkQNWFn5k/fGUbMgJW/ZythfOXptB3zhfsWdbq/MsnpYmQ1QJ/pYLtASeFSOZMJ8K7oaneI k1E2jCbJa3/n7VFqTlBlUjq7LaDCjxu31gJHUBJtHxpAU+WKskOlMimUVI9tRa/V3J+CL5BBGhUj xW4NdQ32yl3d3zvKaMlnpN5wWUQXjlgx3YlpH0H6pQ1inWI5zdYGcyKD8tYU1xcQf3eXQWWNrrzG PiVnMeKYVGEXjOSJavv+6PJldR8h2eMmixqg1fxeTlXqJbCh1xAaRsYDKajiBNITKZm4+ne4Wdx9 v+BANVgcq9kgEBoHDEACTeujzbNhkBVnGRgqSq18T+29u+FTII2tiBRph7oKUUi6ssbaGZ8JXSpb Lpvgf54yfI6wBeEvQ6FnB/CLU7tnXFxWsggD2UymA2M/iVbgOUQJXS7FKQSGOuELCGbF87Ujg+Ht bfE2xCyhQD2KjKdCPzqdtwyvqKprFpNZUwTqDoqs08Ed4bM6k16m9mIO8y6PqRf+3+HDPRDD4iwE CRdiZ+qfKKUbPQcztOjpHMc57P+RytbmQPfrjKQbxCFySCUelxcpM5q2mmMspOttZWuAwAi+L542 cmWOfnHGccHR9N+u/zutLSwu5BYNsOmZaqmSOZEK1XV5kaBGmmRRwaFdPS2npd50ccTDipF03V0T Nh/2eW/0kpmLW0KYCUygr+C3eCc0EecNxWNp7c6PxRE+L0X5SiyUyEkADCVnMZ+1vgH7Zfa2zuKe Y2mIVnMhMs0c4L48aPQi8rsgy48xnr4HBIPEiRnLm+zDSPcpYZZk5R4/GFNVXXIAYM82x2Qr02q3 lIHb7xmDyQYbeUFpNJ5BGVWQ5sqExahb/1J+U5tcvhhPacGNyAUX/cAplWYxOvY/krjPYRD2bMbb Mc9xXMKugpRyBP0EoFJsJ7tJCkICoqABvw195i0Ae1b41mkgN3XXKUkFSVjbrZq3Pj3Hz53b9eCm MVXVYxBrcJ+GkvwIOA8rNOEdGmKbyETUavYtwb0ypeEHx7kwt0srGyoTzXUJ/RaH/o2E2BLY/47R kIK8bT9P0nfOKQQqm5MDrRlvmZVHlnGib5DAhvl05C9KgX4/ODUZ2SPsCx64WkbLEYtcsHE2WK6b G8SiUSd2Cjr5vXEi02avhUw65WsJ8oKiUjmZb+TIO9rX3FJcn/vKAbwckM/D1SkYCsSJ73759xH2 M7M8DYTHW8kDOEBwJQLCs8KoDwi2lJO5ceAs9+D68F62BZjIvt9Gc3OmcA8MVNnOMCrRCTqpYk95 C2vGs18wp0w1zUF2c67TlqX1o5/te4/CSp4K8z+1dWOqqbCPIdLmDcanVlxe9kUfOJm+6wO4a/rd BKnkbf0jmMLiNUW1QdASxuRxrm2MOWuM8+yJKdXxJ2U0TT195bZklIgh6D4xkqR/c5z97l3lnKAj XHqZ/ssvAO43WB+9GMfptKR52gw6Z7qaf4NR/aqMI8NbYSb/netA/U1MTAEW0FlGaaT/QeCXujSY j/m2lNGVgK8/TykoU9nM0FOnOgS2EEpLIQMB4MVYYg13410r4UpRXAvDCQff4SYGeKWHkcaS2/EM 
yGjE9QKS0mQ7/Slstf1YWMvis5Ek7/Q2th5nfCk70BDa6mAJoRnasQ7FtmABE2PEY2nl+aL7f1In Oq59CMu0Nsvnbfoiwht54l2wk4xD965gK+W18Ev3OA02oPlbM28AUcEZsTa3GnClHR73TNIAFaJZ VC0NlCifF4MyC/KO3g/+YZt5Rmes/a8FbCrdCD36qYnDTGlnsRMjCDU7hDuN8Z+qe2Bqt4Fl3ypS t/K1Y+1BUZkUNJ+ZiyaFDhJoa/xo483i1/1RYLnle20+Iag/815sx7SHz6TSM+WBmS6ca+BYBDNo 0WdHVpJMNS2eVSKcaJmsYXy//ng57nx4r1tpV9qezMYk/b6lh+00TBphkhOawgTH0gYu8Ya+NmA7 +UvPxUocApxOWYm2zNB2K6SCit0T7BFqXt1o/9FOV0FruUWM7nXviHuzZD5tpdMwF1dCIxkM25BG OfSX5arfElovvuwnriLuQa932Z1imiwD2Hm2aZdCaw/b/R5s3NIdGwelaKyDpHIxyxxUW8ppX7Pf YaHFOmA8X0tl7T1rPyG7hVUT1QKY/oWWe3Ho5NGqUw4437yY/48fMPZJrzjtvm5BDOfRo1OaHdTL +Ymv4e4TS1h/WH3ki8YPvlXe/7zYiw3lPQHTuqZNcKkVSJrAUbM251ybD/LeP3ifKmZmpNshV/vR MEKCRddF4iJtjfAoVhrm18lAO4qv5zyPMRaYl3m3q/HxIWngR3dhRS2NEb15XAYr+OUACvYWJKnG RJMCO8GmNhyVa843DlnSXfxOXLBOeztD/2yxDwXxpx12CpbbJLn90h946jfw4kikK8bmdVk1Usm0 AIe8zRJCC7MSuZuRTHHWvl8Po/5ekC1KjvNLaq7liXCeskjkisvYJ9KVe4DRrCFu1zH0+IUXFUvA lUOntOk0kL1C3xO7WYUBccCYSxzP5OhndTdyuicdubzpp2EeZs7UCv8M5h4Og3Doh2RuM7EgTMZL iz68v2lMwyQVFhPEkCTW9ph+9oTlVJsTrG7OaTC7vHQWuS1WgpfkSZ2FdDsjexEuL2Fom+1Lo/54 xEOJDunn4PYr9tv5IpugmmSRV+kVBJ1XQoVpQb4uyXonasb5himD92+Nc911VNgryfKbwpHs5wT9 fOiC98XhCXE1zP/2W+miN2b8n2wULt+S8IfZKPMfQFFdWzinEIWLJ5912nvISK+OaZg9VEHuy0Ro KrEw1/iLtv5C3eC581N7Ikuh25dJcF/ZgmYr9SNTsZ2kXTX2+C/pNPPm0JzM6asxtNO+Vi5Iu/wD 6Tl4JROw51aCC1YK30zLJ78pCc/wcqKaqy4GYOezGG7MoV91tvs5sUGVAC9/axxEz+mUucGEILVp Nzpdp8vC2T27gDS++kXPIeK1wa9Q+96UIJZZhEmEWRS94BvXAm/2hzDOetCufWFT6wj/bxFwQFWn mrBoISGGIZJCrp8DlLsFRC0dR900xNYjl+kPuaLYXxaZxxxUMLzLQfU5VJjupY1et1j4kkSHWzob K48ZIOTg1jljAcPCOfcZSrsoIMD4yaIkujMrHxz9ggKf/wc9ACG34GSr4+PlVVjeSZffgc+ZfLwu Q7pzCrkYCkt+BHmVbrp3F/sK43pR0C3ENb40tCI8M8HrBBBE6W8gNs91Gxgl88/zFFPODWmLPwBn xrBi3YvzTzEJij9g9/jJFPb3LHU6TazLwK3Ns660e2GdI4aVfJB4Y8hgwaE+c10v5BzlTWmJtSOm +RD9fO9Nz+Nj5FIGjMznEkT6DSQkmlwrvh66TkAVX4ykWIEdn7uDY4I9TfgxrChTYAE59HQuPyrE tbXgPmOYpG/bu/dugZdSi4On6ziZMC3rJNmzP+++oUXiJ460/GJlIe9x2xNL56kDE5eEmFLcyiCC 
yle5l+pkTqcSisQaQ2fWpqWwDJ39NYeY6HaTbsM0xtwFk7FzjxCkoTls1097y4KG7UqOjDo38Pot nV0qKXnONyf8wi18JwAskCLlSJAKYDoBufgrjwwNjiWhK39ME3ayMsDsZ7j0y96as23boEKRraGY yIV9Fjc2APyxv7NBN6x5xyE+bw2ZQSU6o26Tq796ObwmKRYVxiV++RpPEJ7LZaKm6HMgw3h/Lc99 jlQzOMjA7llWd/SVo3ByrKvzUQGd6bzdisz/A80dTwb7JNwN9ynIKhZYM3YdHLlqMYzAsmqxIW1M wEOq8M35cZgLqRyO8QzQgygtgGrJNxGh112gk/1zM4YbYfLR788KRckMVfZfqDrvgoJAR32/M2Xv HGaoKZsRSsxzMiTyGaFAMGVMGzvA1P/LTlQT3esDGZMdGUfoDu39X/j30HVUE/gJ763PgDK09NfQ yNv9xnnxg0Tr5qmCxZNUXRv3vS4XdlsjBj5cz9mhlGeCQYKCjHAXRugy2cnblVt3xheFpfl7jxyk /HGAE87FO7sCJzFoR20lEG7Jw/SYR7QI2oWnlr2qOBs/E0WwYBz6OVx3yVNmwOPX0aPyFnuMj628 dBO0Y+uKiSOB7VQvl9iq6qZ7/2g2UzgNU0knS+X+vqkDedTLDrDvKeHOmYm/Nof0wmMOstzXqUBJ FAC7RamePmmbpy85JO5FJA30jBcrfw5RqCqPwwddEwWHSEiP4zv4teKw6wNMSOdhPROuB2Jl83aT ZpwpbEX/Jw9M9sQyiUweeiH2GX/AIQIG31JNKR7HDC0HM3GcV1RmnJsNfZAwPy2VuRJJ7JEmzuQY 7UMtUtoX8q5JC/XIwTZXYkSNUIGzBR7Rv8sXRbepiJ9Q/5vLtcTNFwiYlgBhoOvx4U+/GeX3xhBc V/SYwCGxfz10TfRAXxQZFPu7JwOCAXj9JEiLiF5kYDzbehwqwQJKyR2sQ+xmTruW41iQEPfa9hS6 zndZ5PzmzzfrIYdhR1Qk68dH4C0jMgmfpR4IDI+AflN4m07F+87zB1/C0blHPEg7MqS5WSIaLTsY iR+5br/H3xT+/XmEv/6Dqb4WrrVDf/RMwDHibXqNkxCQW6xtb6UkjTa1tUlNS1v2XL1J5MOut9Ji oJWCydf7bKfFwV4GuxdJpagdQLbkuPhZAVmJWP1o6dH3foAkQwleB9azs6FI7044FNbANbH7FSCg 8igBnfTSu9bH1h+JajKZbokfv1e3QL2tupNz7uhtKDcRcyks4k0dEehrxjOdVtToZ9OyDIzoGI91 7u8hpAsyCb5nOI1n0B2s5QsfXgwuleDPCVQWLwSOSZU1om74aoHO4cFoiajAEBBufO7diUxmcOHF wuUQRkOmXiuydGQ63vGhwB9ZeVGZjkZbIhDYXRsQsoJbB+GZ3RDG/nkwFb7/DgIEsIBsjoniZKAS tBIHRLFaJyXiiKaKo6VTmN6rWd2ziljN2mROV3Sahp206Ze+0qkWohd/RBHHBYKxE6MCFFTOhY52 DAczb8YrT3QjF6l/C2+QVIvSSwvH8sSFMgS3DKFODp11qs7pp7M5wKVPRNgSUkAjrC+QflWACdWL fbtTYlShO7mvXISV+/nlNmduTt51UwTNU7eRk/QnKYKuNed8JbIYp0kzvDJCua3jtYGz5PHyYj8B mxq1f82X47vY+fEhM3xHKEL8rqYZWOewlKJK4noA5xYmqNjDU+x7TKwQKjqz+sddK+J9hQGPnpOQ xzIp4/zdtJ07CHDSXCu7AkFRqSqDvFFxrRmFCFNU+InYKZJIWQbFopDBOlRRC7rYUAydBNAnBkHx TPV/i8x3cA9Z0Niwi7Fc8nU7/BHvhVW4Tnh4+WjgKl49Ywir5ScmEbaq23FvLYeWmJ4Sl7sIouOg 
hLZdV3RvP5WoGa8DUE00kWF9l1/MRBz7+Gp8rriW6lJlCGEcfOfDTcxj5LxvVWhWiH5Yzwu6mDmB 4Q8x5XoGzFAzjGfDvhmYcy+Z8xsMxF2eOL6/8y/03SgZKFPbNaEJBPc+RzJmeg7gJsYsuQ9Vgr++ 2t9knHytl5DFH6N0a6nV556z2Z0N1ZZMAFP7W5Sw7hydX1nz129GYsgUodHOkSJlVkgf0R2f/sMa BqRKxmmwsfXK/GgrNeaA6FPcrk/+B/cwp39J9MLouyWzW8AZ8UkbDH+6DavmZfegtKYum3EBKkCl nQPIeBy9Pr3IIa1KQG+QK/P9kZV8iLR7gjW0f3BMKcKez62g8X/NUzoSn3SS5FWfFZ8HxwPmmh5Q K0qRN9T+d82K4le7oUrIWvj5Kpd/TfQIW0qTMl1DJmHMnXFykRtosR+D8moZnZ4ZiGczAx/yyQua BFHlRK6bQL1w8A2MiW+mKxa9Mhv7S2j9+omdXPpvY15iWNoM0jswP24gLSo6shP+6e3g2p7T9v11 NFES5t/SvNGEwMPo3v9NGFF0Nks3inaFPUQZhI7T716pU7WSzkHMtouFg/SRHapACvgqHo9uhdBN bA1PhtoC9Rkrs6b/sM4vtebyjCPQIH+xwp17l2hU6I5lrr4TRt1IodpuOy+rQKCgRkNg+xOjE+Hp bQBXR+ZnRTAQFmw44FlNyIPOXHra40R9oT6e/HnmEbFomfdGYz//pR19Ky7Nb6mdjrrmvqm8dO0Y R9Zvp6gByB7dJ7Zlk7hUvlDzeagD2X8/QJAHYehNu5Dai3o/R4LflL5XJVAEsWsMpBDBU3sI7ylP aosTO9XC7zGmuHbrWk4Eu3hr1/hkCYM3UwRpuqnOMZeacZtPBXr8+f9V52NBhc1etgPM2BR0B0DD 3/lVJzjnT8Y+xil1qR4mG5dl7QRt6IwYjci8hRWtziPesdwsWhsDf6dCIfVYbsAWBt0aif5LDRcK Pf/9z6IJbghojomrUT/qmXbJy2/au3t12RtB8oOgr2Uyky2yFG55bRCQ0Bp/auzIZa8ttV1Pq2l+ WPaSOox2wKkmtZ0ZGUMRMhROyvYVJ3ll8B55RHJLA+9RATW1Vze/sRBm6TrjK8g42n3lkm7AGCM2 ba0LdvRWDBqxsMJQRw4IivmoG79chYlTSghomXvGFBe9eOUJO7nAcZzt364H5qMeEgT1KF5cHa/5 1wpQOjo0VQgGGgwroUEVrnDn3N/peIvi5kPiaRllsWC5K7RMSGciv1aeoAuAsUmDFrPhmBO2c1NK /WqjINbsGbYisp7E3/6C+E/ElZfDSU6S7I4Hy+ZzZEnljQJHJOwgRqIGRnxcSnpi1TKPw3w+k7kf UceUBRxSR6OZqIalctIsV2NioAJ18L1mqyu2nCLus3t6ZFMlwjU3K0s8mPZq10OycYoO33P4amoU G80Wir9EklDnIi+9GZdLSBsjtTrZE+p87TDL4DBcdVKLZi/HEXqP9r9GVOk9V5UklrxJjgkdNW6d jw8wLUImLP+P9eOdCcwaF4wLCFHlqv/DCakJOVMYVJK60sVFLabHXlIda9H3Qa/FtkKTZRvFExNC sGViAPvu3z5uSd6X/VyLTZiaHYe0ThgEecNGrRtWCr5nd2bdqYymVD/kKS/9PoiuBQOyHsA3HEWh p23xYMLBIJ+Mid4LBz8cfZDTPd8aeSk4Q1KWMREyTTlavaLzuYOwF+egU6livzwgsNno04arZwLA ucWxa4UdpZcpjB/A0x+pydfERTUPay6JcJE/AUvWKpxKw3ZTmwzs5h2Al3RJ+QDRyXx0WHgxv3xh 7N5S9EnOwTLDypKHbpqTzz9+/udJ8QhKex0OKWjrDwdxG2FyBe58dTNBaVIgp27cnIB56fwuiN2t 
tpy//CuR4MvTuxzxTKIjrK+ZVQnEi0k2CL5JObj3jEprx6ZU3xjXel4N92bqdKHRcT8OqwFaI+2N XxP2Mkh0xuI+rOFUbYDqifurtYqyiiB+4JdO7V/4cd+FY6devSFYOhMtBqkc/bgRj/uhiQVnz/Vz SiBl7e2rFFvDmUJL9ALkvh91E+LO7sKha1EWThc/bUf4qAn63RrGWZaL+t4kSwi5z+R/T4st+V7G PopXxG7rHneeU42AN/IXs3fZ+CeaX+F/JzzHNdHuoZwv7Ts4cyhLJWWuVB20WHpPx8lrbfVZnZix hrU90AsjRBukwCX20MGHk0y2bWh3IwjdYJk4yQrGnHL+8JBjBTDrtN1i0Xui97LpuQeSU8I7g8Ua sWg4Rh+IoiURNY9phuoCE/aM/q+Ap1i6VoDF4M1bmArAmWJxNr8R7aToYw4UC+xBcrxvh/FXyEA8 AUro0b8JPh2s5YbuFxwFSPDGY3bR1vdkCQmx53LL3/2deSV5puKBpvnoSiUgEb1zmdwsFSA5NA3Q OGijn7JraqIZu93AwnW8rChvLA9eldqiwIJR3v60TUpnoDanFQ/B3wZ+G/BM5YYZ31t1Il1aYrVT uf0LqSMsGa8SytcHO7U2MvWurORCoIlOFRY1twKGqKcEbKtYIIMpEY9dR/t5VeDhbApaQi5K+b3D smbV+RkMHNVyK4ccBtr4HmB3Y8WQ7/9v0j5SJ7i2WTE5CB66qoh7xe3tgxMCEXTtB6DVXFS/btbc ktGKW55i0cH/iair4OeHoymtDZhMLbUXHMx8mz0vY4mRs8nodHjUk0qM7FfS4wXBxrmc0Y23cTtX IEseapv6smEiNDd4BWh12JZ/LEVWBrEu1OXc8/pvgwphEzFWgNqyg/uAY1tHFA+ypGuJG7CObpy3 Z9h8wDa3BfrXVJ3tqTQ0bhiLK/aaKe45xo4iyh2HiyJkmGSAQ/W1Nu1kH5i32rNKj5fiPLzvRXZw lMEzLBQwHC544X/BbH4T+evm3tWgE0l/oS83BipJJHW1w5a/LKsAUxdUo0LMt1Gl8fqKn8iCuA7k gTJ+Vk/U48x2g1s7lu3LpkFe/iO3S6gSQLx9ifMnC2JdcrXp9I4pXyXxOlBI30GBPkmpshe7khuo K86YbiNH7YmEhDtVjSTiIArGInumgq6ew6XCFqnXOa6lWhdTBnVq7WNzgE9sxzGij8FMqr0waHqk D0rnFJuY3sd9NM44b/Epi0inD1GKmXH8OYnb66srwRoX4yKp+SCNdUkOSKRjRS3dQqevUMy/RMnw HOCVj59hBBvYsDf9eDA076aju9DbiUEKxOupub1V2ivgOwuXL6T4etUHZMnb1pTjeafNwvwpIEzL 6vlwUW6FD9P795vTNih9wOJU7BpdMA+dk6JaOGwesrLPXajktXaThuSphUo8i8/7Z8UXod0jQjC+ NMP0WY9bjG/sj/Vwkukqy7BmXrFGk/rGt5tBgrecRiMQRpMEfWcZ0HlAeVXa7tlrV+RI4bXj4kJj J8Y9AVFXVPpsgTltnqxfW+d4u7aCVm8T8Hzu2qQXNHJwYt0AOdZ+dMgNqVGjQfCKhdr+QgvbFSWi FXJUmkHPFrsD8vVwmq3Nj3FJAQsByzBtVTW373+j/joQewNKndpEIuB936x8ogvWdQm7hKCHqXRZ b5/jS7s9ej6hcjKUBI5goIIe1ZCBSAiYqbrtEfeo0EaIs1qgq/Mh9SsexzcTqR+Indu9yEDLDgbn 77SNwgLA63V1OubinL7shJ/CF+e73z6AvB6sI5d4n/JIbMkEDyXs7GGbdAvSNX3zq2fr/8RvIgIS gAaRyXRPTLmI9K+NC15qrEgcoTNwjOyqQhUHHeY51PSC6pYnmRX5DVHYT0QOfuHex9JUT8bc8cjp 
h33+xQTYuoDw0/jzeaBVW58rWCANps4lzqlfH3ChgAv0JLv8GhiWA8pzbth8WUWhnT+zuCFRkrfE mx8b2/D3RTkQaSQrvVhumB3LEhAEoXZqLyK7eAST3+fTAg3aIawIxZdKey4G0sohQ3JMHTTjONWl zadPwVsKhJSSegySO3nqSCEjUvUA9EQDqPxialKwfieE6ONKYzi885z86Pg9lAw9NV+0zuZJYTGU uErfB0U2v2+XR4hdBaINzhYf8TnjxuN+wunthUzWJoJwXqE1g1AvVP/OqJj/dfvtAx0WV6VFTGEh sFV7x0+9gAk3Pp8WaeoLBJZF1F0w1NUy7XsZuK16gBQjnfP/bXawncWpMBit/f387LXfZ8zLCUqJ BaNVvtiKR1LOA3emTjIdWNk/cAAvvORtzxgI6huYwohwnMCGBhu6CU+SnjzjtAE8mT7sWau/928q dqXieBeaJctlUmjVAljPvzNWTdbv8TOpjWSh2E9HOPoGLumKJSCCJVVDu7bCHmVB53J1ae+80uxM ZEHoftq3ZuXMZXMWuMz+0e3+pzHWjkmWAXSzRf0ghXuZdFHm1S9h18DKSNUvMDHHpLKHMZ1DqgWL 7zSLFAbKk9efg7CKKGq5iI3R8qDDPnz+Ibjvem4p8fMarrTpzfnY3vvhw0ByLJerZKsjowAa0Y1A AnFsq839g59HW9rJIk1JE4R0mDj1Jif41JBr6cEAjgoqlV+ZBisKuYQ1rurZBZctf6YplqFynosL CUlxDeb5SVwd6+MYctEVo8YWmFanhW3kVacoWoeiHjvxBKx2VLMDBMLmSuy60Whu/8ubuZfbhw8U jlAFz9o5K2D+0DHe+wenvGfelmpJfAycp2/pBafcmHjVU73ugEOaz3O4POppamesXplImMAPszp4 iVl1m4C+8p13dbkE2ss+YIiREVqylxrGMvAJOKPiS58eCeQ7zGCRi/6LwPNsEtVjX+EabGhMyUBq +S/7ORfsHil5uu4aX0F3iHykKwDq9dLPH0Ea5fh9+Nbd5q2OzC2YnIniJJL91RXSehqhkluMuLBA esDICT9+maPTVwSsNwTASaHsq54e6zQuSVXbhtvoOVHURGk5o9PerVWFYaMO52hJofLaao5jyNW7 VKMwKkCooVivdn5GHpLtie4PEyL9eb30a2kfFz5bBezI87JS90DQyKLpt7WV2hiqj1iDGvYD4j/i x8pg2q81VEZbG0kvPcI3nsZmXy25zRB8pDSo652Zb+Sp9JzIrCCScgFSKDb3oSeoY5zUhGKuwqFK 6v/yoVm0UiOvS8uTnLLvCECiE3AhFYJu4gL836b2UDJntElUaVyg5926tywF3XgMOwYFBdKkOYF3 cnIEDfBy9dOlA8i5rEH3NqFvPdtA322vK52yUWOQITdxeocw9tK5c5OMqQHfLk6vCTZRmL6egwtb yfepFvo3R8Dyca2uQRwTAhEoe7Tw8oYL/WwMfXa/hOX7SHgt7zKMgNmmFyDdNEPbt0XvAtGIpZ82 BHqaiZlHu+gvrr68kbxscUifGcGzA8ytruj4nZjP5gwLCIPwPZvGn3wRIMnyoBvR3w2MMkczek8R GGgVrEICD17lQPyU0DBiAzGihn7XDUbn+fWv2mNpoJrCl4y+IEE5sRWz6hmsK5mW44HMPMd8t/sQ Pa0uk1jhS+nWlMPfiSTOBSLqQ26AwbqBfgJLfKsuCKn3DZFTV4xJ/j475orXnEjlAckjAqE3QsHQ aztnW6fWB9mFBWPJCY5SZPOQWBJibGKFRzHL7j5RcdxGcYk14raA5AdoI6eOMpkE+p1vPI50lW9P hp3NJ3QxwKOWDHmV8Oguj/xTGvUCOQPiSxFhwAP6UrYOq8zH5NG6na0yPmMdnZZ7T4NCbxniMlk1 
3/BYz69ONxmbgf+AQSoUi82HFGBd7Xz2s/PiaLhqkMd8vSwq9S0+as7zlt8xmBwBh2yUE23kgSVz 8kmuTAjDG68/XBMFvLYqe5cQM+pIBHUv+nMXLbYevOasEPwGKo2cn62uXKYQ3dOq/CxWAefrO8p8 YepdViyO09FYH++qbwlPHafkZZr+fUtoEwo+kO60MhoQfo1HEER6IK+zyXfV7sBz4n45hRkoeij7 bTUVa9/XIhqxNvbFef6Y97YC/85vngRrEKUBvH/EKPE967ehcgfHH/V9MC8/24wuSjT5yLnfalxF etX+fOwG6kM7NDMGyLemil0QsisMemIgFhSZVZpcw8LlrfJLDn8T54EmEO12Aa8c3bjqWi9sHXEZ sIfzb9g8EcEqakjLJLj50ZmfoOwsX2OCEdqXo6nrlNlak3qS5fWpFSVcynDTUM6Vki9QV/95TDgb 7+WTzsztJKnrGs+sHbrAT9IvKwMgbhzxNhSDljXWTVxcsEb09WupI7k9Tn9lQR+EXYda+X/1EQqk DyxOHdpUc9mNoWyo9pBDak4KS6/jpQzSpPmhttGTGtrOGcvUbcI+4RFjmY3XGAyhRGzJQbyVYqZb tcC+jDH5GB8MbAwBbRp7kpBogOVT9zLa4HFhuEXStUUUyrQ/QT2EZfO/n2tidg1vIXdheeDgmBMP U7LjATnuUKI/HUMBLkzGTWw8ovmAKRqx5uvXINdH/39SXv1lsCVUD96UaXXMAwVTOnLl/pRMriY1 AF9c+c3Sr7irve1fnc8rDQxq5xsc1cLfkQ4tvUjMlvG/c/niyZOX2OUYOhu+eet8Bj3wHvx/58jx YZ5CMn6oJK9XueXqnRMRHaz1FpwOS3s91OXFlnxYOCfAxc0HaIw2ACgZkUSODU+tERdZNBw6YkYK xXzhIOQYYj2MCo7NjScY7rswqs5b2CXhZuxU9wry6desDfnMR6ZKAWfldo87DlJ+RurUALfNE/YV wG/SHXlhxtTOu303/ZbA4vwr4nf+jIV5TgKCLb66+V6x+XwLb5z6nWm4LpjldaMncs2yM2CUuBlO A2Rq2QDN5awhC9qHwOIhwvtAi/ItV30Kl9nzX8x4baGF0dBUiON1FOVyc8bHUolwN/jHnTD03xAU WFNLil/pvGIHWEZSdBILKCue0FnZEQy6ZAguQxTd6AbF1z26Yv9k/Hf9ydjCtQNBqsv1Jqe2laBF rAGU7OUQCQTzXAajSZpxePdxwi7bpr5EHi1TgHFLGU8p8AsuzRW7f9J8FnaCsrBE72fHhdbFpvEw zlAt4TGf035hwzjmiA9UE/vtqFhhjw/3vDQCBZNSYa3AXOc6qxtJJ0m+74GDlkF8CxvQ5OUSIA9G Pxg8v2WIKPCns1CpAG3n/UKEDAjoaibQxASZtLmm7yW9he973vmgyIDN8JdoipNoH7S9WvJuIIkv 20rWCUArIVP61RK+JLjBa6fiDs4Zw9mWwG3KZfPQO95UcyGoq5nTHPpGQI97PmZxdJEudbfn20hW 7QTtRnqyv3VpFVH6n5MEc3YfAGbmdDZLOICSmzcq3z3bJQvK8NYtKlSOnISUQcufIY+FllV9INZM btsO1xJSSTZXNkCqlTW1GRpZ55AeYRnYeqR/e73Y4iurz0o0WdYBA3lSpxBEYoDDVb2e5mPIrL0K KNIoaJ3EFlIOP3xE+ylSpnUIULDGGr6JW2Wu3RJV0MuHS/LxJHrs59F4FgVejzgT65VKKTvRK3JO 58kZ0f3OMzg6fuBJ6bEQeZWX5uT6bUSDEfOKC/a8zrFlxnJhWBXmzyD5EzxX4Q2sR8dVHOL7vB7C 4nH6RvzfZn2aDNjrDXLDK1WptRaUiK+D98QQWcvm/T3l0jGaJBMOA898KfRxTtj4WD6mIGVE+t9k 
Nm3CSQZ8XXpM7eqa91cgv+sBUavZNQWLRGDhG7Web1Yowtxt++ed3MqVv0ltMCbdKH6mEs2kE/s2 HIuhJEz4npm6b20AaWLTU4zfedxHMkRaJamVNZFta+WTk2zGgVG3CqbrDIMfCjsQLoEF4NhiEzlL ZvOiyzRbFQ0ikZPxXiF1sB2N3ldPNq9NO5m73amKV1um4PWYE0uEav7EjQ60qmnrav1PvGFzq66f RJT4gu8XlyMYsDFqO/MR4o0el63/k9fbhja8dpbzPuL5mOIQiA3Th8Gcgo9UnbfpxtugXnTWO6Si 0z3+SpFtNit7qrifZpqWQF30Tds5ExQ+QDFK+62gTwZh81IrAuTJWbGW67QlgqrNEgRf9IflxHpu z4Y/KcuHQoEgn924G+WP5opPh+TxQVWoaLm+sVxmIc4sHYoJvICteXQBZpLtsLmql9HtA3FWOChr h2saOv/BnS48vHbZ4V3pI4MD1wpsHMN5dqWyZe20Kxdby+TCwAR1vgBnraQ6TVgTdczzd2lZNA6c zVMg/A4EX35bOnnFrRRTLGgmrjMDh4pH9leI6knCq/2iLD0BVX/LNzni9XRNVgRboD6NyT2mknD9 U1Cu6YJwu9q+wmNFy0Lq1NyHR/rWC2pnOr9XUeV5NMoDeEEkNOlJz28utJ6iyhkH4UyQQTkTNglD 4/SmJzHYksEA5GSOuBe/3j29Grm6rBsqi0sWK7QBV5aNGq0U+JbLi874Ce3zKWENtXHf+1D3K7kD Up05dka7JQVIUbKtjcNx3hwVjrLI3zC5WELrmynASIBUe22twYtQifn9pdIkCBDGH2k+NdXKIS9E NRoT9xvPB/yKtvDb5+NfJsDRzsA2fzI3xq6spZTZiwj16Qc/ofm5fPfgMuRXU9eJXUVGVKNaltZZ jLRxJofdXdX4iIspkDAQ6FGJdAfCxWApIP3nmgsJUbmLEoj7ZWt8Tpf0DEXaqKMoVVeWd8JiA4OS iFEyTaTmovMTYA+ojtbO1PBEUEdbNsGyR6ymK30cAL1qiyn3WwGkgrz2P1i56qFcatgLfF5HBF8G vV6aTNH9/ahyoGialYnZiAKSuTB5vf80lMRky0eq0b1QB38syKliZzjzeioIhGYOe/1CxpwVtMfC GHeohSQQpXSnfmVTeVdSyQIhoSt5J3MIzzUfoEJVS/YQwT2FamI85/eannPGC4pZMzn5prklaEG/ Yc+jdZLW4Uj4tRixIdz0aCTZ/3266HhiqHBi9DGSlC+EOuSF4i0prNKRBKwNm3bL0PVu8mkNjAOH eOWGgELjH/MsREThNBp5Qh6lfv0SuWKnCmTdGzIcBANOgul0zvuPYg4uPRhEfrHB5FaBIw4sJxr5 X8Xil1WzgeEMSXPVcDrAP8GlPJ5lAO2SZAO/kcnHGbbOmjqfPSKayyWCE710uBGhqH1j2wdIuFOl /+PT7If4ZBlFrNMDJnyfnG6Uv0iUNe3eRZ76WQF0fgRUfHs/t+zqJOsVzg3FRTFWaTEviVkc67fz Jg94bbv4G4Ts7FPnpcyVXVTVy3P6/AKQStwi+k7mkPXskVLIrFhf5waA8ZyHvT12+9tMpN4SfpbJ nEz4q4KkGFYt1jvZavKfoRY6r4Et09IoxE7gNfqp9HQSBHThNKNGGvAA66GgJM9pTQpf27jN1lKs WU+QizVzsWKSn0xo16pC4oGl99ZFAyzGaaaTtNAwjKgGc2vhMcnNkbvWPY7i2rpiGoBnTgKEHy1k R5LqYhq92tmjNsrMicyTjP8qd0/Qod3jOx1AnKrENLOChiw67S0C/UPdEZk8ZHsRnyi0ShWHXreo CTwpURoi5sgekYMQRMkAAjAAfamq7Gg3F5bXPgMTvNt0PfSLnZb9ERCSXtjccNQz08XQb1rfh2r9 
PyvlxnwVQG5lJvHRcoCUvwm+8KDzZ2N4wpT0oydMLyav/pjgNXq7UvOJyRftY4lYwchSicLI0woG Lr7QL36gU3LkBdRUEcmzWnfuBazit5117jcFJ06VhkOe2CdFUkzedq74tl1YW7oH8z9fAXAU5crt Dfsd4fOMIL2yo9Cl0LJK+dDZ/IX4ywntGo4c9S9ShO1QVD9bI1jFZwlGNFqPuD6xq2ES+P8rmTGh /e+gOvLVVm3cwo3Nxzz7s7aXrRAmleAFkU6Wz2b5xNFs3p+3WtYiZgPPnwf2wJP5tLMRpyeTczWD fUID7hpTkUxO2mAyplxdJyzNbyLQoWC17UHvEZmX5hNc4UoorXuh28YhUx3dadUmNMOgnqAxCXYJ OD9gEHJn3u+M+LB6Z2HPxOHXOKyPDQY7xvFambDaBp+rT89orrlpfyLeMEaCAbnOyp69tPdd7Dzr Q/Mb36lcZERPz2601ixOI0uWbdPaCCwIN+CgyHMSl11zBDQfYyRj8q+ud78BvMbXNyawJGGXpLxX jqNfz/CBgTNBC8hO+8vtbq1e6LxZzdo7tXy4BOc7L5fmZpb1U/21Q9BoBn5qQ5GfHNZ7bgbV/vsH 90RJD7tTN9QR+HlJQDgCxX66eQ1OIML+RJ8l6SzqkPe7ZL1r78z305lJzk1c0zFq+C2JncY5s97A KSbD8tVILorw71SB6gc7xEhlSXleY45ifz0xXdO/+k4fhcg7uMcFbQJxoxmd+xiP5j2f92Kv0qH1 6XvUR7TwI1nV+1jKCSUBPoEgvbh80G+WqHNOFVP8ijyNRrxqj0jomjESgk9bJAnB/AvzdCcFkiOd fsWJMJhPyPKNF+qEMqN75aVj6hsDEEWam39Xx+zjo7YdzalWQqwPmalCiBHZ5W1n6naJfEbcdF4P maQOQygzLcwlgzPsTKcX2mIllhOVh0WEaIrrcW+qLsoAn/dNpWadO7yT9ji7VvmHXfxrGfZUygyc 6YtxdseIi3Ga1HUs4c2qM2xz7bPJCRaBiztQnMGanRDbd8DOs7h66QH/sDwI/RJrj/KXin1ZMsz7 sxwILmo6clTrL1zyRbElaidkx78xdrd0YjeRf41AFIxKsB4lxb+qc7PR2KjgXLzDwg67b12uZrSd l0gUSBcdBmXCjPufrz/qWyCeVoGLzqSp6TJSHQ8RtXOVa6/J03/xPzFeDHPgWKh6TTyym/r7Cddo pAw2loi1189nqhkiDCmEpUWPxeRGeDssTJHTG2L3xDKRg+0vAFxuaeSOudyqyw+f3SPv/1Cg+3u6 8lWJZh/Btkh93vUCZJMzdvGDkr5SX+5ULLUkWTnLC12+WzlRHqRWaAlfJO+CjkvVtRkBwmMJ7Tva GTCbXFtZkjoPOsixGhiiID2T7UlGfip3ScSHvKpUOC0VSyJg+7NqlGR+iwXHFIekQf0h6hBNYZc5 3rt5e1y6kdU5JMKg6AjmZsPnSGcTjM81pIJCPNZBgiINMysKCinUde+U0NBXgHjKgMLgZ/PU2wBq jFAbQ8S8JlQ3ykBVmpWsE8gai/HknOHk9jjST16xPVBE5CPVu0aZvMnpf4kBfVBQi+679+UlkGid kg5UQQ4tv1M4rFLVgmZkZqOUDAHERXdMxObvpjOmW8W2J9AtY2LRzIs+Sym9aQtk/99o73K8Y8Nf W9S2yZFSXDBinrDszXapDiMblCSN6ciDKepKE+4VZoAWoSqlb/fBF5xfs8IVk9/NHLrlNVl4b4Zo kkoVajsiBJJzTe5h6DJtTx5q06TplVVTaoE96cc3qlS1bQHdohWPQwLGgZGE43exdCRP1qsQ2f6O 9AspxpsynyXNoHRkzCTbkNMDw36q7xduGfoN59FnM0j2q0im9kGvraHnIZsIkhfp06nx7aBil92Q 
jc/Gb+8zJ++byaPdZISM3MfFAkJxq/+6Ti7NCb6X8jQh7Tjn+Nu2dpUAEFX4n1MsjVMPzd6bcp3v Jd6AUqcqRAE0I66mDBW2memDJ2InTjl+tdxTTAvdiRCSqxjF95P1R00X3y4zBdXHDGPTj5XjWjYz Md6HC74bJgiW/+iXCOduYA2dze7JHLgJYlN/L1AqYxI+3n8DKgiKZNACc1eXdv4mQEnq0+MoZulB osWmt9Y21T2Au5Gafx0RYuafZ+bnBt1kzKMrwTvnqR9CGI4uGUm8aYcuy5pnO/Tl7uMnDnqUDdTC cbPHsnqrpbH9Lw0pH6OL/8EGxOI8MWe3Cr/MmdbCwHsPqOEZ1UL31wDvDEuG3WrmdSunVfkL5JRg B3lPxC2yU91YMDExqQ61GGc8f1nuYX7oe5AZT826M6JIuLZYDWGqyRYDiXVpdgI336v2lIDN9Uwb L5YC/koiMrcne5e0ALFGI9KsNuoAbyrvylICE1lND9umcHJCZisUh4LBIW1vCFXNmRXMWUvmco++ yNAFJ8RBaTVTtfGp0mxYETGavSX75YPN79P0POdxT6jNP+C2XFaXHUmnAZI6O91z4p4kyhcA01y1 9zgq9eWflPoT/AXTykvIOKwj+nn8LJm7tJ3dvyNY+JnOIC9NmK+HfzvmZVMI9AzWayFNGzjTT/3F vLx2uCEr5amJHZTogz/HjlV0DohJMzHjscBkWJeu78jRIZwJQ4nNrc03XL8PZQYv99Y5hPtBbCXB LxdpC42EzI0L9U53nURAeeZ/6r19IiUlwh3S7FEAChG+PkRv/t36hH7b4aNo24+JDphW/9OqsM22 k6tbP5ctQHQN32h0Zvx58CAhZ4zEZ9nFuZ4LR8AfRWcjBleav7XynH4jV8Hpjyaoy+uURqob6YVC lQHq2xCDJd7pa473k5Rd7gf3adQ53b/z1zy6dJv+uGERjucVW/5P//XQBoWzqRQjMrvUS82Oeps0 s7QqwZwyCDQv+Gd9pX6JHJEepXuZI6+RqI5GN7Z2MlHlofnOSRIQsxQXWsIqEm6hmlAcD6K62JEX J6oz6FkmplM5snOTaopbj/8xOPnSJbAnhhhuF70aHvcmsuZedJiWpwKQ4dTajx5P7K2inwtZ1Q36 SzYBqLrvYl4+W82DmA2zt4JaEh928rnIvm8lO1S2iElOdBGGcryasHLGvfLn7z0fgfs2zu2FR7WP h2oTyWp7mNJhYYap/xjefvodU+Gfq68J2fltjfIN1CuywxlD/kMZsvCRRQ5JHeNnAo8uAeK8QJK1 kKXcrA9zTp/1iIhRcRfqDxHuWlKobg4ehtDmy+Mq1aZcjMTQOz1p8+/808DIhmeS/FhPCtfBfvxV 9xcRXN1TZQyLy9MnevxP0GYi+DvYpc5NA4cnNjL2j31I4nw7OguLRn28NshEiuyEXWBMGc8frsEi oWnclf2zjYL8LwQJTJh5+Sq9LYh2aHwc7QhktgpZwSH1eWqEpbZOj0M5o3tSxeZcEAW/xkucdSSf LSOofmWxFT8jmO7M2u2HVbepaPrd58N44saa5OvqRUTAfnB9uOH+BGZyQLWdrVbfQuWJsSp1Ut9K 2mX709UDbgmgWeAJEgOcfh92lY4iz3oXj6i5xjmvHa79VAe28BMabVsY9cG+IdbSU/9SlJ0quHIZ 1eDpVBAssP+DljZ4jhJFSytGI+HdWyzS1UjYPRpp2sszGH0JhkNrBORl8UUnIHCnMSy5XjHfq/Hq scPBfN/hMkAKcbI0/gLcAuYBiBbAtxRLb7DRQbqmtua8We9HmDRD+oNGaeN1UcrQb8g1v9N7GyBH bIrbMQrj4KBizXbw8LLvPjfzUhK8fTIcHG7uxIrnHDoBuvIiK0BBF8b95bUYEHiqDY/Vm0JQUF4q 
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From
owner-freebsd-security Sat Feb 16 14:21:16 2002 Delivered-To: freebsd-security@freebsd.org Received: from MGW1.72mm.com (mgw1.72mm.com [199.108.225.117]) by hub.freebsd.org (Postfix) with ESMTP id 040AC37B402 for ; Sat, 16 Feb 2002 14:21:12 -0800 (PST) Received: from 72mm.com (mailbdc.72mm.com [199.108.225.104]) by MGW1.72mm.com (Postfix) with ESMTP id 9F79B5540D for ; Sat, 16 Feb 2002 14:21:06 -0800 (PST) Received: from ryan [12.224.89.242] by 72mm.com with ESMTP (SMTPD32-6.06) id A9F6C97E0144; Sat, 16 Feb 2002 14:15:18 -0800 Reply-To: From: "Ryan Burglehaus" To: Subject: RE: Reliable shell logs Date: Sat, 16 Feb 2002 14:20:49 -0800 Message-ID: MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2910.0) In-Reply-To: <20020216173804.GD44003@squall.waterspout.com> Importance: Normal X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4522.1200 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Anyone else getting viruses from this list? One attempted a couple of weeks ago and two more attempted today. What's up?! Ryan -----Original Message-----
From: owner-freebsd-security@FreeBSD.ORG [mailto:owner-freebsd-security@FreeBSD.ORG]On Behalf Of Will Andrews Sent: Saturday, February 16, 2002 9:38 AM To: David Cc: freebsd-security@FreeBSD.ORG Subject: Re: Reliable shell logs On Sat, Feb 16, 2002 at 04:45:21AM -0500, David wrote: > one of your systems was not hacked, and you do not need to lie just because > you want to advertise your product. You do not need to send mail like this. Go away, troll. -- wca To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sat Feb 16 20:26:26 2002 Delivered-To: freebsd-security@freebsd.org Received: from d188h80.mcb.uconn.edu (d188h80.mcb.uconn.edu [137.99.188.80]) by hub.freebsd.org (Postfix) with SMTP id 0CEBE37B402 for ; Sat, 16 Feb 2002 20:26:24 -0800 (PST) Received: (qmail 26126 invoked by uid 1001); 17 Feb 2002 04:26:04 -0000 Date: Sat, 16 Feb 2002 23:26:04 -0500
From: "Peter C. Lai" To: freebsd-security@freebsd.org Cc: freebsd-ports@freebsd.org Subject: does Xvnc from ports obey hosts.allow? Message-ID: <20020216232604.B26063@cowbert.2y.net> Reply-To: peter.lai@uconn.edu Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org I know Wolfram Golger wrote a patch for Xvnc 3.3.2r2 back in 1998 allowing one to compile Xvnc to use tcpwrappers. Is this patch native with the ports version of Xvnc, and does it automagically build with this or not? (since tcpwrappers already come installed with freebsd). -- Peter C. Lai University of Connecticut Dept. of Residential Life | Programmer Dept. of Molecular and Cell Biology | Undergraduate Research Assistant http://cowbert.2y.net/ 860.427.4542 (Room) 860.486.1899 (Lab) 203.206.3784 (Cellphone) To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message