From: Eitan Adler <lists@eitanadler.com>
Date: Sat, 2 Jun 2012 01:58:30 -0400
To: ruby@freebsd.org
Cc: ports-security@freebsd.org
Subject: Fwd: [oss-security] Unsafe Query Generation Risk in Ruby on Rails (CVE-2012-2660)
In-Reply-To: <20120531191529.GB79783@higgins.local>
List-Id: FreeBSD-specific Ruby discussions

A vulnerability has been found in a port you maintain. Please commit an
update and write up a VuXML report. If you need help, feel free to email
ports-security@freebsd.org.

---------- Forwarded message ----------
From: Aaron Patterson
Date: 31 May 2012 15:15
Subject: [oss-security] Unsafe Query Generation Risk in Ruby on Rails (CVE-2012-2660)
To: oss-security@lists.openwall.com

Unsafe Query Generation Risk in Ruby on Rails

There is a vulnerability when Active Record is used in conjunction with
parameter parsing from Rack via Action Pack. This vulnerability has been
assigned the CVE identifier CVE-2012-2660.

Versions Affected:  ALL versions
Not affected:       NONE
Fixed Versions:     3.2.4, 3.1.5, 3.0.13

Impact
------

Due to the way Active Record interprets parameters in combination with
the way that Rack parses query parameters, it is possible for an
attacker to issue unexpected database queries with "IS NULL" where
clauses. This issue does *not* let an attacker insert arbitrary values
into an SQL query, however they can cause the query to check for NULL
where most users wouldn't expect it.

For example, a system has password reset with token functionality:

    unless params[:token].nil?
      user = User.find_by_token(params[:token])
      user.reset_password!
    end

An attacker can craft a request such that `params[:token]` will return
`[nil]`. The `[nil]` value will bypass the test for nil, but will still
add an "IS NULL" clause to the SQL query.

All users running an affected release should either upgrade or use one
of the workarounds immediately.

Releases
--------

The FIXED releases are available at the normal locations.

Workarounds
-----------

This problem can be mitigated by testing for `[nil]`. For example:

    unless params[:token].nil? || params[:token] == [nil]
      user = User.find_by_token(params[:token])
      user.reset_password!
    end

Another possible workaround is to cast to a known type and test against
that type. For example:

    unless params[:token].to_s.empty?
      user = User.find_by_token(params[:token])
      user.reset_password!
    end

Patches
-------

To aid users who aren't able to upgrade immediately we have provided
patches for the two supported release series. They are in git-am format
and consist of a single changeset.

* 3-0-null_param.patch - Patch for 3.0 series
* 3-1-null_param.patch - Patch for 3.1 series
* 3-2-null_param.patch - Patch for 3.2 series

Please note that only the 3.1.x and 3.2.x series are supported at
present. Users of earlier unsupported releases are advised to upgrade
as soon as possible as we cannot guarantee the continued availability
of security fixes for unsupported releases.

Credits
-------

Thanks to Ben Murphy for reporting the vulnerability to us, and to Chad
Pyne of thoughtbot for helping us verify the fix.
-- 
Aaron Patterson
http://tenderlovemaking.com/

-- 
Eitan Adler

[Attachment: 3-0-null_param.patch (text/plain)]

From c202638225519b5e1a03ebe523b109c948fb0e52 Mon Sep 17 00:00:00 2001
From: Aaron Patterson <aaron.patterson@gmail.com>
Date: Wed, 30 May 2012 15:13:03 -0700
Subject: [PATCH] Strip [nil] from parameters hash. Thanks to Ben Murphy for
 reporting this!

CVE-2012-2660

Conflicts:

	actionpack/lib/action_dispatch/http/request.rb
---
 actionpack/lib/action_dispatch/http/request.rb     |   22 ++++++++++++++++++++
 .../dispatch/request/query_string_parsing_test.rb  |    7 +++++-
 2 files changed, 28 insertions(+), 1 deletions(-)

diff --git a/actionpack/lib/action_dispatch/http/request.rb b/actionpack/lib/action_dispatch/http/request.rb
index 7c8557b..985b730 100644
--- a/actionpack/lib/action_dispatch/http/request.rb
+++ b/actionpack/lib/action_dispatch/http/request.rb
@@ -257,5 +257,27 @@ module ActionDispatch
     def local?
       LOCALHOST.any? { |local_ip| local_ip === remote_addr && local_ip === remote_ip }
     end
+
+    protected
+
+    # Remove nils from the params hash
+    def deep_munge(hash)
+      hash.each_value do |v|
+        case v
+        when Array
+          v.grep(Hash) { |x| deep_munge(x) }
+        when Hash
+          deep_munge(v)
+        end
+      end
+
+      keys = hash.keys.find_all { |k| hash[k] == [nil] }
+      keys.each { |k| hash[k] = nil }
+      hash
+    end
+
+    def parse_query(qs)
+      deep_munge(super)
+    end
   end
 end
diff --git a/actionpack/test/dispatch/request/query_string_parsing_test.rb b/actionpack/test/dispatch/request/query_string_parsing_test.rb
index 071d80c..c7ab700 100644
--- a/actionpack/test/dispatch/request/query_string_parsing_test.rb
+++ b/actionpack/test/dispatch/request/query_string_parsing_test.rb
@@ -81,7 +81,12 @@ class QueryStringParsingTest < ActionController::IntegrationTest
   end
 
   test "query string without equal" do
-    assert_parses({ "action" => nil }, "action")
+    assert_parses({"action" => nil}, "action")
+    assert_parses({"action" => {"foo" => nil}}, "action[foo]")
+    assert_parses({"action" => {"foo" => { "bar" => nil }}}, "action[foo][bar]")
+    assert_parses({"action" => {"foo" => { "bar" => nil }}}, "action[foo][bar][]")
+    assert_parses({"action" => {"foo" => nil}}, "action[foo][]")
+    assert_parses({"action"=>{"foo"=>[{"bar"=>nil}]}}, "action[foo][][bar]")
   end
 
   test "query string with empty key" do
-- 
1.7.5.4


[Attachment: 3-1-null_param.patch (text/plain)]

From 5b83bbfab7d5770ed56366d739ff62ac70425008 Mon Sep 17 00:00:00 2001
From: Aaron Patterson <aaron.patterson@gmail.com>
Date: Wed, 30 May 2012 15:13:03 -0700
Subject: [PATCH] Strip [nil] from parameters hash. Thanks to Ben Murphy for
 reporting this!

CVE-2012-2660
---
 actionpack/lib/action_dispatch/http/request.rb     |   22 ++++++++++++++++++++
 .../dispatch/request/query_string_parsing_test.rb  |    7 +++++-
 2 files changed, 28 insertions(+), 1 deletions(-)

diff --git a/actionpack/lib/action_dispatch/http/request.rb b/actionpack/lib/action_dispatch/http/request.rb
index c49cc56..9e1dc4b 100644
--- a/actionpack/lib/action_dispatch/http/request.rb
+++ b/actionpack/lib/action_dispatch/http/request.rb
@@ -267,6 +267,28 @@ module ActionDispatch
       LOCALHOST.any? { |local_ip| local_ip === remote_addr && local_ip === remote_ip }
     end
 
+    protected
+
+    # Remove nils from the params hash
+    def deep_munge(hash)
+      hash.each_value do |v|
+        case v
+        when Array
+          v.grep(Hash) { |x| deep_munge(x) }
+        when Hash
+          deep_munge(v)
+        end
+      end
+
+      keys = hash.keys.find_all { |k| hash[k] == [nil] }
+      keys.each { |k| hash[k] = nil }
+      hash
+    end
+
+    def parse_query(qs)
+      deep_munge(super)
+    end
+
     private
 
     def check_method(name)
diff --git a/actionpack/test/dispatch/request/query_string_parsing_test.rb b/actionpack/test/dispatch/request/query_string_parsing_test.rb
index f6a1475..181f51a 100644
--- a/actionpack/test/dispatch/request/query_string_parsing_test.rb
+++ b/actionpack/test/dispatch/request/query_string_parsing_test.rb
@@ -81,7 +81,12 @@ class QueryStringParsingTest < ActionDispatch::IntegrationTest
   end
 
   test "query string without equal" do
-    assert_parses({ "action" => nil }, "action")
+    assert_parses({"action" => nil}, "action")
+    assert_parses({"action" => {"foo" => nil}}, "action[foo]")
+    assert_parses({"action" => {"foo" => { "bar" => nil }}}, "action[foo][bar]")
+    assert_parses({"action" => {"foo" => { "bar" => nil }}}, "action[foo][bar][]")
+    assert_parses({"action" => {"foo" => nil}}, "action[foo][]")
+    assert_parses({"action"=>{"foo"=>[{"bar"=>nil}]}}, "action[foo][][bar]")
   end
 
   test "query string with empty key" do
-- 
1.7.5.4


[Attachment: 3-2-null_param.patch (text/plain)]

From dff6db18840e2fd1dd3f3e4ef0ae7a9a3986d01d Mon Sep 17 00:00:00 2001
From: Aaron Patterson <aaron.patterson@gmail.com>
Date: Wed, 30 May 2012 15:13:03 -0700
Subject: [PATCH] Strip [nil] from parameters hash. Thanks to Ben Murphy for
 reporting this!

CVE-2012-2660
---
 actionpack/lib/action_dispatch/http/request.rb     |   22 ++++++++++++++++++++
 .../dispatch/request/query_string_parsing_test.rb  |    7 +++++-
 2 files changed, 28 insertions(+), 1 deletions(-)

diff --git a/actionpack/lib/action_dispatch/http/request.rb b/actionpack/lib/action_dispatch/http/request.rb
index 8209212..adbb5d1 100644
--- a/actionpack/lib/action_dispatch/http/request.rb
+++ b/actionpack/lib/action_dispatch/http/request.rb
@@ -247,6 +247,28 @@ module ActionDispatch
       LOCALHOST.any? { |local_ip| local_ip === remote_addr && local_ip === remote_ip }
     end
 
+    protected
+
+    # Remove nils from the params hash
+    def deep_munge(hash)
+      hash.each_value do |v|
+        case v
+        when Array
+          v.grep(Hash) { |x| deep_munge(x) }
+        when Hash
+          deep_munge(v)
+        end
+      end
+
+      keys = hash.keys.find_all { |k| hash[k] == [nil] }
+      keys.each { |k| hash[k] = nil }
+      hash
+    end
+
+    def parse_query(qs)
+      deep_munge(super)
+    end
+
     private
 
     def check_method(name)
diff --git a/actionpack/test/dispatch/request/query_string_parsing_test.rb b/actionpack/test/dispatch/request/query_string_parsing_test.rb
index f6a1475..181f51a 100644
--- a/actionpack/test/dispatch/request/query_string_parsing_test.rb
+++ b/actionpack/test/dispatch/request/query_string_parsing_test.rb
@@ -81,7 +81,12 @@ class QueryStringParsingTest < ActionDispatch::IntegrationTest
   end
 
   test "query string without equal" do
-    assert_parses({ "action" => nil }, "action")
+    assert_parses({"action" => nil}, "action")
+    assert_parses({"action" => {"foo" => nil}}, "action[foo]")
+    assert_parses({"action" => {"foo" => { "bar" => nil }}}, "action[foo][bar]")
+    assert_parses({"action" => {"foo" => { "bar" => nil }}}, "action[foo][bar][]")
+    assert_parses({"action" => {"foo" => nil}}, "action[foo][]")
+    assert_parses({"action"=>{"foo"=>[{"bar"=>nil}]}}, "action[foo][][bar]")
   end
 
   test "query string with empty key" do
-- 
1.7.5.4


[Attachment: application/pgp-signature]

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (Darwin)

iQEcBAEBAgAGBQJPx8NRAAoJEJUxcLy0/6/G2V0IAJQ9gc/Sv91mhdGm4c0JiEUo
8mwsO8SX6s3KPwxuIcjtJ0OyBVpx1MiO82yeaedGvFxzJwVBTG0vwn2gAF++I821
CKZqmeuFXTR2Xwpe6z5mDq9lXaqX4sp6a8nDFRskSNJFw7yPELPzU3V6qnRybzGt
29P4t1iOmtUAs0m5j8loiczHxWzLrdVWL2MInrObZ4kE0fn70EgV0Uh3UFN6A8KQ
8FTG2+9tYa/lckZAUh4mHCMyS1pYcWVUV7z9sJsnbra/J+GEY68/skwjftvbf3YU
+di9maFXHHlwOQn1uBqgDVunXAWbje0fIvOHeGdjHX+63lDJ6kuY57PtnBdpJkQ=
=/D8g
-----END PGP SIGNATURE-----
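Review bot: in the request.rb hunk, deep_munge normalises only a value that is exactly `[nil]` (`keys = hash.keys.find_all { |k| hash[k] == [nil] }`), and its Array branch recurses only into Hash elements (`v.grep(Hash) { |x| deep_munge(x) }`), so arrays such as `[nil, nil]`, `["x", nil]` or arrays nested inside arrays are passed through unchanged. If that narrow scope is intentional, the comment `# Remove nils from the params hash` promises more than the method does and should say "replace a bare [nil] with nil"; otherwise consider treating any array with no non-nil element as nil. The observation applies equally to the 3.1 and 3.2 patches, whose request.rb hunk is the same code placed ahead of the existing `private` section.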
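Review bot: the query_string_parsing_test.rb hunk only asserts on bracket keys that carry no value at all, so it cannot distinguish "replace a bare [nil]" from "strip every nil"; add a case with a real value beside the nil (for example `action[foo][]=x&action[foo][]`, expected `{"foo" => ["x", nil]}` under the code as written) to pin down the intended behaviour, and since the override is on `parse_query` rather than on query-string handling alone, a form-body case would confirm the same path is exercised there. The first changed line, `-    assert_parses({ "action" => nil }, "action")` to `+    assert_parses({"action" => nil}, "action")`, is whitespace-only churn that is best dropped from a security backport so the diff shows only the behavioural change.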
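The following is an added example and is not part of this email, the advisory, or the Rails patches. It reproduces, in runnable Ruby, the chain the advisory describes: a bare `token[]` key parsed into `[nil]`, the original `nil?` guard letting it through, the predicate it would produce, and the two documented workarounds beside the `deep_munge` normalisation from the attached patch. The query parser and the predicate builder are deliberately simplified stand-ins (assumptions of this example, not Rack's or Active Record's code); `deep_munge` is copied from the patch so the file runs on its own.

```ruby
require 'cgi'

# Simplified stand-in for Rack's nested query parser (an assumption of this
# example, not Rack's own code). It supports key=value, a bare key with no
# "=", key[] and key[sub]. A bare "token[]" yields {"token" => [nil]}, the
# shape the advisory describes.
def parse_nested_query(qs)
  params = {}
  qs.to_s.split('&').each do |pair|
    next if pair.empty?
    k, v = pair.split('=', 2).map { |s| CGI.unescape(s) }
    normalize_params(params, k, v)
  end
  params
end

def normalize_params(params, name, v)
  base = name[/\A[^\[]+/] || name
  rest = name[base.length..-1]
  if rest.empty?
    params[base] = v            # plain key: value is nil when "=" was absent
  elsif rest == '[]'
    (params[base] ||= []) << v  # "key[]" with no value appends nil -> [nil]
  elsif rest =~ /\A\[([^\]]+)\](.*)\z/
    key, tail = $1, $2
    child = (params[base] ||= {})
    normalize_params(child, key + tail, v)
  end
  params
end

# Normalisation added by the attached patch to ActionDispatch::Request
# (same logic, reproduced here): a value that is exactly [nil] becomes nil,
# recursing into nested hashes.
def deep_munge(hash)
  hash.each_value do |v|
    case v
    when Array then v.grep(Hash) { |x| deep_munge(x) }
    when Hash  then deep_munge(v)
    end
  end
  keys = hash.keys.find_all { |k| hash[k] == [nil] }
  keys.each { |k| hash[k] = nil }
  hash
end

# Simplified model of how a finder turns a value into a WHERE predicate
# (assumption: mirrors the advisory's description, not Active Record's code).
def where_predicate(column, value)
  case value
  when nil   then "#{column} IS NULL"
  when Array then value.compact.empty? ? "#{column} IS NULL" : "#{column} IN (?)"
  else            "#{column} = ?"
  end
end

# The advisory's original guard: nil? does not catch [nil].
def vulnerable_guard_passes?(params)
  !params['token'].nil?
end

# Workaround 1 from the advisory: test for [nil] explicitly.
def equality_guard_passes?(params)
  !(params['token'].nil? || params['token'] == [nil])
end

# Workaround 2 from the advisory: cast to a known type (String) and use the
# cast value; a String can never turn into an IS NULL predicate.
def token_string(params)
  s = params['token'].to_s
  s.empty? ? nil : s
end

# Patched pipeline: munge after parsing, after which the original nil? guard
# is sufficient.
def fixed_guard_passes?(qs)
  !deep_munge(parse_nested_query(qs))['token'].nil?
end

if __FILE__ == $0
  # Constructed sample query strings.
  %w[token=abc token[] token[foo] token[foo][]].each do |qs|
    p = parse_nested_query(qs)
    puts "#{qs.ljust(13)} -> #{p.inspect}  nil? guard passes: #{vulnerable_guard_passes?(p)}  " \
         "predicate: #{where_predicate('token', p['token'])}"
  end
end
```

Running the file prints one line per constructed query string; the `token[]` line is the case from the advisory, where the `nil?` guard passes and the predicate comes out as `token IS NULL`, while `fixed_guard_passes?('token[]')` is false because the munged params carry a plain `nil`.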