slapd: CVE-2014-9713: dangerous access rule in default config

Related Vulnerabilities: CVE-2014-9713   CVE-2013-4449   CVE-2015-1545   CVE-2012-1164  

Debian Bug report logs - #761406
slapd: CVE-2014-9713: dangerous access rule in default config


Reported by: Dietrich Clauss <dietrich@clauss-it.com>

Date: Sat, 13 Sep 2014 16:15:01 UTC

Severity: important

Tags: confirmed, security

Found in versions openldap/2.4.31-1+nmu2, openldap/2.4.23-3

Fixed in versions openldap/2.4.40-2, openldap/2.4.31-2, openldap/2.4.23-7.3+deb6u1

Done: Ryan Tandy <ryan@nardis.ca>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Debian OpenLDAP Maintainers <pkg-openldap-devel@lists.alioth.debian.org>:
Bug#761406; Package slapd. (Sat, 13 Sep 2014 16:15:06 GMT)


Acknowledgement sent to Dietrich Clauss <dietrich@clauss-it.com>:
New Bug report received and forwarded. Copy sent to Debian OpenLDAP Maintainers <pkg-openldap-devel@lists.alioth.debian.org>. (Sat, 13 Sep 2014 16:15:06 GMT)


Message #5 received at submit@bugs.debian.org:

From: Dietrich Clauss <dietrich@clauss-it.com>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: slapd: dangerous access rule in default config
Date: Sat, 13 Sep 2014 17:41:09 +0200
Package: slapd
Version: 2.4.31-1+nmu2
Severity: normal

The configure script sets the following access rules for the LDAP
database:

| olcAccess: to attrs=userPassword,shadowLastChange
|   by self write
|   by anonymous auth
|   by dn="cn=admin,@SUFFIX@" write
|   by * none
| olcAccess: to dn.base="" by * read
| olcAccess: to *
|   by self write
|   by dn="cn=admin,@SUFFIX@" write
|   by * read

When the LDAP is used to authenticate users (e.g. in conjunction with
libnss-ldapd and libpam-ldapd), the rule "olcAccess: to * by self write" allows
the user to change her uidNumber and impersonate another user.

IMO the default config should allow self-write access to userPassword
and shadowLastChange only.  If this is not possible, write access should
at least be limited to attributes which are commonly expected to be
user-writeable, e.g.:

| olcAccess: to attrs=userPassword,shadowLastChange
|   by self write
|   by anonymous auth
|   by dn="cn=admin,@SUFFIX@" write
|   by * none
| olcAccess: to attrs=loginShell,gecos
|   by self write
|   by dn="cn=admin,@SUFFIX@" write
|   by * read
| olcAccess: to dn.base="" by * read
| olcAccess: to *
|   by dn="cn=admin,@SUFFIX@" write
|   by * read

-- System Information:
Debian Release: 7.6
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-4-amd64 (SMP w/1 CPU core)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages slapd depends on:
ii  adduser                     3.113+nmu3
ii  coreutils                   8.13-3.5
ii  debconf [debconf-2.0]       1.5.49
ii  libc6                       2.13-38+deb7u4
ii  libdb5.1                    5.1.29-5
ii  libgcrypt11                 1.5.0-5+deb7u1
ii  libgnutls26                 2.12.20-8+deb7u2
ii  libldap-2.4-2               2.4.31-1+nmu2
ii  libltdl7                    2.4.2-1.1
ii  libodbc1                    2.2.14p2-5
ii  libperl5.14                 5.14.2-21+deb7u1
ii  libsasl2-2                  2.1.25.dfsg1-6+deb7u1
ii  libslp1                     1.2.1-9
ii  libwrap0                    7.6.q-24
ii  lsb-base                    4.1+Debian8+deb7u1
ii  multiarch-support           2.13-38+deb7u4
ii  perl [libmime-base64-perl]  5.14.2-21+deb7u1
ii  psmisc                      22.19-1+deb7u1

Versions of packages slapd recommends:
ii  libsasl2-modules  2.1.25.dfsg1-6+deb7u1

Versions of packages slapd suggests:
ii  ldap-utils  2.4.31-1+nmu2

-- Configuration Files:
/etc/default/slapd changed [not included]

-- debconf information excluded



Added tag(s) confirmed. Request was from Ryan Tandy <ryan@nardis.ca> to control@bugs.debian.org. (Sat, 13 Sep 2014 17:21:05 GMT)


Marked as found in versions openldap/2.4.23-3. Request was from Ryan Tandy <ryan@nardis.ca> to control@bugs.debian.org. (Sat, 13 Sep 2014 17:21:05 GMT)


Severity set to 'important' from 'normal'. Request was from Ryan Tandy <ryan@nardis.ca> to control@bugs.debian.org. (Sat, 13 Sep 2014 17:21:06 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Debian OpenLDAP Maintainers <pkg-openldap-devel@lists.alioth.debian.org>:
Bug#761406; Package slapd. (Sat, 13 Sep 2014 19:09:19 GMT)


Acknowledgement sent to Ryan Tandy <ryan@nardis.ca>:
Extra info received and forwarded to list. Copy sent to Debian OpenLDAP Maintainers <pkg-openldap-devel@lists.alioth.debian.org>. (Sat, 13 Sep 2014 19:09:19 GMT)


Message #16 received at 761406@bugs.debian.org:

From: Ryan Tandy <ryan@nardis.ca>
To: Dietrich Clauss <dietrich@clauss-it.com>, 761406@bugs.debian.org
Subject: Re: [Pkg-openldap-devel] Bug#761406: slapd: dangerous access rule in default config
Date: Sat, 13 Sep 2014 12:05:25 -0700
Control: tags -1 + pending

On 13/09/14 08:41 AM, Dietrich Clauss wrote:
> When the LDAP is used to authenticate users (e.g. in conjunction with
> libnss-ldapd and libpam-ldapd), the rule "olcAccess: to * by self write" allows
> the user to change her uidNumber and impersonate another user.
>
> IMO the default config should allow self-write access to userPassword
> and shadowLastChange only.

Thanks for the report. I've removed the offending 'by self write' in 
git. I'm not sure why that was added in the first place. The default 
slapd.conf didn't have it and I didn't find any comments about it.

I don't think I'm comfortable doing an automated ACL change to existing 
installs. A NEWS.Debian entry suggesting the change (and mentioning how 
to do it) might be appropriate, though.

thanks,
Ryan



Added tag(s) pending. Request was from Ryan Tandy <ryan@nardis.ca> to 761406-submit@bugs.debian.org. (Sat, 13 Sep 2014 19:09:19 GMT)


Added tag(s) security. Request was from Henri Salo <henri@nerv.fi> to control@bugs.debian.org. (Tue, 16 Sep 2014 14:57:20 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Debian OpenLDAP Maintainers <pkg-openldap-devel@lists.alioth.debian.org>:
Bug#761406; Package slapd. (Thu, 18 Sep 2014 04:45:05 GMT)


Acknowledgement sent to Ryan Tandy <ryan@nardis.ca>:
Extra info received and forwarded to list. Copy sent to Debian OpenLDAP Maintainers <pkg-openldap-devel@lists.alioth.debian.org>. (Thu, 18 Sep 2014 04:45:05 GMT)


Message #25 received at 761406@bugs.debian.org:

From: Ryan Tandy <ryan@nardis.ca>
To: 761406@bugs.debian.org
Subject: debconf notice or NEWS.Debian entry?
Date: Wed, 17 Sep 2014 21:43:02 -0700
Hi pkg-openldap-devel readers,

On 13/09/14 12:05 PM, Ryan Tandy wrote:
> On 13/09/14 08:41 AM, Dietrich Clauss wrote:
>> When the LDAP is used to authenticate users (e.g. in conjunction with
>> libnss-ldapd and libpam-ldapd), the rule "olcAccess: to * by self
>> write" allows
>> the user to change her uidNumber and impersonate another user.
>>
>> IMO the default config should allow self-write access to userPassword
>> and shadowLastChange only.
>
> Thanks for the report. I've removed the offending 'by self write' in
> git. I'm not sure why that was added in the first place. The default
> slapd.conf didn't have it and I didn't find any comments about it.
>
> I don't think I'm comfortable doing an automated ACL change to existing
> installs. A NEWS.Debian entry suggesting the change (and mentioning how
> to do it) might be appropriate, though.

What do you think: an entry in NEWS.Debian, or a debconf notice 
(conditional on detecting a possibly-vulnerable acl)? It occurs to me 
that the users most likely to be affected by this (default settings, 
haven't reviewed acls) are also the least likely to read apt-listchanges...



Information forwarded to debian-bugs-dist@lists.debian.org, Debian OpenLDAP Maintainers <pkg-openldap-devel@lists.alioth.debian.org>:
Bug#761406; Package slapd. (Thu, 18 Sep 2014 05:21:15 GMT)


Acknowledgement sent to Lesley Longhurst <Lesley.Longhurst@opus.co.nz>:
Extra info received and forwarded to list. Copy sent to Debian OpenLDAP Maintainers <pkg-openldap-devel@lists.alioth.debian.org>. (Thu, 18 Sep 2014 05:21:15 GMT)


Message #30 received at 761406@bugs.debian.org:

From: Lesley Longhurst <Lesley.Longhurst@opus.co.nz>
To: Ryan Tandy <ryan@nardis.ca>, "761406@bugs.debian.org" <761406@bugs.debian.org>
Subject: RE: Bug#761406: debconf notice or NEWS.Debian entry?
Date: Thu, 18 Sep 2014 05:20:25 +0000
How about a brief debconf notice with a pointer to "further info" which would be an expanded version in NEWS.Debian?

Those same users are also way less likely to understand the issue, so a "words of one syllable approach" would seem sensible to me.



Information forwarded to debian-bugs-dist@lists.debian.org, Debian OpenLDAP Maintainers <pkg-openldap-devel@lists.alioth.debian.org>:
Bug#761406; Package slapd. (Sat, 04 Oct 2014 22:03:05 GMT)


Acknowledgement sent to Ryan Tandy <ryan@nardis.ca>:
Extra info received and forwarded to list. Copy sent to Debian OpenLDAP Maintainers <pkg-openldap-devel@lists.alioth.debian.org>. (Sat, 04 Oct 2014 22:03:05 GMT)


Message #35 received at 761406@bugs.debian.org:

From: Ryan Tandy <ryan@nardis.ca>
To: debian-l10n-english@lists.debian.org
Cc: 761406@bugs.debian.org
Subject: Please review text for security warning
Date: Sat, 04 Oct 2014 14:59:05 -0700
Dear debian-l10n-english,

Bug #761406 reported a rule included in Debian's default slapd
configuration that granted users more permissions than one might assume,
with possible security consequences. I removed that rule for new
installations, but I don't want to try automatically changing existing
configurations. Instead, I want to show a brief debconf note with a
summary of the problem and a pointer to README.Debian, where there would
be a longer explanation and an example of how to resolve it. I'm writing
to ask for help composing both of those texts.

Summary of the bug:

* Versions 2.4.23-3 through 2.4.39-1.1 are affected. Only new
installations are affected, not those upgraded from earlier versions.
Configurations generated by dpkg-reconfigure are also affected.

* In OpenLDAP, after a user binds to the server under a particular name,
the access rule "to * by self write" says that they may edit any
attributes of the database entry with that name that were not mentioned
in an earlier access rule.

* User entries commonly include Unix user and group numbers. Of course,
allowing someone to change their own uid or gid number is a severe
security violation. (Whether or not privileges can be escalated to root
by setting uid to 0 depends on the client implementation, but it's
certainly possible.)

* The problem extends to other applications as well. Depending on how
the data are used, a user could impersonate others by editing their own
Kerberos principal name, Samba SID, or various other
application-specific attributes.

My current draft for the debconf note (to be shown on upgrade, if an
access rule beginning with "to * by self write" exists) reads:

Description: Please review access control rules
 One or more of your databases contains an access rule that allows users
 to edit most of their own attributes. This may be unsafe, depending on
 how the database is used.
 .
 Please review your access control rules. Refer to
 /usr/share/doc/slapd/README.Debian.gz for more details.

My draft for README.Debian reads:

Dangerous default access control rule

  Previous versions of slapd configured the default database with an
  access control rule of the form:

  to *
    by self write
    by dn="cn=admin,dc=example,dc=com" write
    by * read

  Depending on how the database and client applications are
  configured, users might be able to impersonate others by editing
  attributes such as their Unix user and group numbers, their Kerberos
  principal name, their Samba security identifier, or other
  application-specific attributes.

  New slapd installations no longer include "by self write", but
  existing configurations will not be automatically modified.

  To list your current access control rules, use the command:

    ldapsearch -Y EXTERNAL -H ldapi:/// -b 'cn=config' '(olcAccess=*)' olcAccess

  Next, create a text file containing the desired modifications, for
  example:

  dn: olcDatabase={1}hdb,cn=config
  delete: olcAccess
  olcAccess: {2}
  -
  add: olcAccess
  olcAccess: {2}to * by dn="cn=admin,dc=example,dc=com" write by * read

  Adjust the database DN, the administrative DN, and the rule numbers
  according to your configuration.

  Finally, apply the configuration changes from the file:

    ldapmodify -Y EXTERNAL -H ldapi:/// -f mods.ldif

  For more information about access control rules, consult the
  slapd.access(5) man page.

<EOF>

BTW, the next upload of openldap will include these changes:

http://anonscm.debian.org/cgit/pkg-openldap/openldap.git/diff/debian/slapd.templates?id=master&id2=2.4.39-1
http://anonscm.debian.org/cgit/pkg-openldap/openldap.git/diff/debian/slapd.README.Debian?id=master&id2=2.4.39-1

in addition to those from this mail. I assume the upload will trigger a
regular review, but early feedback is always welcome.

Thanks in advance for your help!

Ryan
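
The following is an added example, not code from the bug report or from the Debian openldap package: a small Python audit that reads the ldapsearch output described above, flags olcAccess rules that give a user bound as their own entry write access to every attribute not claimed by an earlier rule (the "to * by self write" rule from the original report, and the condition the debconf note is shown on), and emits the ldapmodify LDIF in the shape of the README.Debian draft. It goes a little beyond the literal string match by honouring clause order (slapd stops at the first matching "by" clause) and by treating dn-scoped rules without an attrs= restriction the same as "to *". The sample LDIF is constructed; the database DN olcDatabase={1}hdb,cn=config and the admin DN cn=admin,dc=example,dc=com are the example values from the draft.

```python
"""Audit slapd cn=config access rules for the CVE-2014-9713 pattern: a rule that
covers all attributes and gives a user bound as the entry itself write access.
Input is the LDIF from:
  ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config '(olcAccess=*)' olcAccess
"""
import re
from typing import Dict, List, Tuple

# slapd.access(5) access levels, weakest to strongest.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]
# One token: a run of non-blank characters; double-quoted parts (dn="...") may hold blanks.
TOKEN = re.compile(r'(?:[^\s"]+|"[^"]*")+')

# Constructed sample: the Debian default ACL from the report with suffix dc=example,dc=com,
# as ldapsearch prints it (long values are folded; continuation lines start with a space).
SAMPLE_LDIF = """\
dn: olcDatabase={1}hdb,cn=config
olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by anonymou
 s auth by dn="cn=admin,dc=example,dc=com" write by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by self write by dn="cn=admin,dc=exam
 ple,dc=com" write by * read
"""

def unfold_ldif(text: str) -> List[Tuple[str, str]]:
    """Join folded LDIF lines and return (attribute, value) pairs in file order."""
    logical: List[str] = []
    for line in text.splitlines():
        if line.startswith(" ") and logical:
            logical[-1] += line[1:]              # continuation: drop the one fold space
        elif line and not line.startswith("#"):
            logical.append(line)
    # Base64 ("attr:: ...") values are not handled; olcAccess values are plain text.
    return [(a.strip(), v.strip()) for a, _, v in (l.partition(":") for l in logical)]

def parse_rule(rule: str) -> Dict:
    """Split '{N}to <what> by <who> <access> ...' into index, what-tokens and by-clauses."""
    m = re.match(r"\{(\d+)\}\s*(.*)", rule, re.S)
    tokens = TOKEN.findall(m.group(2) if m else rule)
    if not tokens or tokens[0] != "to":
        raise ValueError("not an access rule: %r" % rule)
    by_at = [i for i, t in enumerate(tokens) if t == "by"] + [len(tokens)]
    clauses = []
    for start, end in zip(by_at, by_at[1:]):
        seg = tokens[start + 1:end]              # <who> <access> [<control>]
        clauses.append((seg[0], seg[1] if len(seg) > 1 else "none"))
    return {"index": int(m.group(1)) if m else None, "what": tokens[1:by_at[0]], "by": clauses}

def grants_write(access: str) -> bool:
    """True if an <access> spec allows modification (write or manage)."""
    if access in LEVELS:
        return LEVELS.index(access) >= LEVELS.index("write")
    # privilege form (=wx, +w, ...): w=write, a=add, z=delete, m=manage
    return access[:1] in ("=", "+") and any(c in access[1:] for c in "wazm")

def self_access(clauses: List[Tuple[str, str]]) -> str:
    """Access a user bound as the entry itself receives. slapd stops at the first
    matching <who>, so 'by * read by self write' yields read, not write. Clauses
    such as dn= or group= may or may not match a given user; they are skipped."""
    for who, access in clauses:
        if who in ("self", "*", "users") or who.startswith("self"):
            return access
    return "none"                                # slapd's implicit trailing 'by * none'

def audit(ldif_text: str) -> List[Dict]:
    """Rules giving 'self' write access to every attribute not claimed by an earlier
    rule: 'to *' and dn-scoped rules that carry no attrs=/filter= restriction."""
    findings, db = [], None
    for attr, value in unfold_ldif(ldif_text):
        if attr.lower() == "dn":
            db = value
        elif attr.lower() == "olcaccess":
            rule = parse_rule(value)
            restricted = any(t.startswith(("attrs=", "filter=")) for t in rule["what"])
            if not restricted and grants_write(self_access(rule["by"])):
                findings.append({"db": db, "index": rule["index"], "rule": value})
    return findings

def fix_ldif(finding: Dict) -> str:
    """ldapmodify input that replaces the flagged rule with a copy minus its
    'by self <write>' clauses, in the shape of the README.Debian example."""
    rule = parse_rule(finding["rule"])
    kept = [c for c in rule["by"] if not (c[0] == "self" and grants_write(c[1]))]
    new_rule = "to " + " ".join(rule["what"]) + "".join(" by %s %s" % c for c in kept)
    # With cn=config ordering, 'olcAccess: {N}' deletes the value at index N.
    prefix = "{%d}" % rule["index"] if rule["index"] is not None else ""
    return ("dn: %s\nchangetype: modify\ndelete: olcAccess\nolcAccess: %s\n-\n"
            "add: olcAccess\nolcAccess: %s%s\n"
            % (finding["db"], prefix or finding["rule"], prefix, new_rule))

if __name__ == "__main__":
    for f in audit(SAMPLE_LDIF):
        print("%s: rule {%s} grants self write to all attributes" % (f["db"], f["index"]))
        print(fix_ldif(f))
```

Feed it real output by replacing SAMPLE_LDIF with the result of the ldapsearch command, then review the generated LDIF before passing it to ldapmodify as the draft describes.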



Information forwarded to debian-bugs-dist@lists.debian.org, Debian OpenLDAP Maintainers <pkg-openldap-devel@lists.alioth.debian.org>:
Bug#761406; Package slapd. (Sat, 04 Oct 2014 23:30:05 GMT)


Acknowledgement sent to Justin B Rye <justin.byam.rye@gmail.com>:
Extra info received and forwarded to list. Copy sent to Debian OpenLDAP Maintainers <pkg-openldap-devel@lists.alioth.debian.org>. (Sat, 04 Oct 2014 23:30:05 GMT)


Message #40 received at 761406@bugs.debian.org:

From: Justin B Rye <justin.byam.rye@gmail.com>
To: debian-l10n-english@lists.debian.org
Cc: 761406@bugs.debian.org
Subject: Re: Please review text for security warning
Date: Sun, 5 Oct 2014 00:26:50 +0100
Ryan Tandy wrote:
[...] 
> My current draft for the debconf note (to be shown on upgrade, if an
> access rule beginning with "to * by self write" exists) reads:
> 
> Description: Please review access control rules

You also have a "please review" later on.  Maybe this could say
something like

  Description: OpenLDAP access control rule issue

>  One or more of your databases contains an access rule that allows users
>  to edit most of their own attributes. This may be unsafe, depending on
>  how the database is used.
>  .
>  Please review your access control rules. Refer to
>  /usr/share/doc/slapd/README.Debian.gz for more details.

Do you really mean to talk about databases *containing* access rules?
Maybe it should say something like:

   One or more of the databases configured in /etc/openldap/slapd.conf
   has an access rule that allows users to edit most of their own
   attributes. This may be unsafe, depending on how the database is used.

> My draft for README.Debian reads:
> 
> Dangerous default access control rule
> 
>   Previous versions of slapd configured the default database with an
>   access control rule of the form:

If this is being incorporated into an existing README.Debian rather
than a NEWS.Debian it needs some sort of datestamp or version number
or other indicator of what "previous" is relative to:

    Versions of slapd before X.Y-Z configured the default database with
    an access control rule of the form:

> 
>   to *
>     by self write
>     by dn="cn=admin,dc=example,dc=com" write
>     by * read
> 
>   Depending on the how the database and client applications are
                 XXX
Surplus article.

>   configured, users might be able to impersonate others by editing
>   attributes such as their Unix user and group numbers, their Kerberos
>   principal name, their Samba security identifier, or other
>   application-specific attributes.
> 
>   New slapd installations no longer include "by self write", but
>   existing configurations will not be automatically modified.
> 
>   To list your current access control rules, use the command:
> 
>     ldapsearch -Y EXTERNAL -H ldapi:/// -b 'cn=config' '(olcAccess=*)' olcAccess
> 
>   Next, create a text file containing the desired modifications, for
>   example:

Maybe call it "an ldif file" here?
 
>   dn: olcDatabase={1}hdb,cn=config
>   delete: olcAccess
>   olcAccess: {2}
>   -
>   add: olcAccess
>   olcAccess: {2}to * by dn="cn=admin,dc=example,dc=com" write by * read
> 
>   Adjust the database DN, the administrative DN, and the rule numbers
>   according to your configuration.
> 
>   Finally, apply the configuration changes from the file:
> 
>     ldapmodify -Y EXTERNAL -H ldapi:/// -f mods.ldif
> 
>   For more information about access control rules, consult the
>   slapd.access(5) man page.
> 
> <EOF>

That's an alarmingly fragile-looking procedure... is it really
impossible to fix this just by loading a corrected slapd.conf?  Well,
at any rate I can see why you might not want to cram that into a
debconf dialogue!
-- 
JBR	with qualifications in linguistics, experience as a Debian
	sysadmin, and probably no clue about this particular package



Information forwarded to debian-bugs-dist@lists.debian.org, Debian OpenLDAP Maintainers <pkg-openldap-devel@lists.alioth.debian.org>:
Bug#761406; Package slapd. (Mon, 06 Oct 2014 04:54:05 GMT)


Acknowledgement sent to Christian PERRIER <bubulle@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian OpenLDAP Maintainers <pkg-openldap-devel@lists.alioth.debian.org>. (Mon, 06 Oct 2014 04:54:05 GMT)


Message #45 received at 761406@bugs.debian.org:

From: Christian PERRIER <bubulle@debian.org>
To: Ryan Tandy <ryan@nardis.ca>
Cc: debian-l10n-english@lists.debian.org, 761406@bugs.debian.org
Subject: Re: Please review text for security warning
Date: Mon, 6 Oct 2014 06:50:41 +0200
Quoting Ryan Tandy (ryan@nardis.ca):

> My current draft for the debconf note (to be shown on upgrade, if an
> access rule beginning with "to * by self write" exists) reads:
> 
> Description: Please review access control rules

You certainly want to use "_Description:" to make the template translatable.


Please also send a call for translations, preferably *before*
uploading the package with the new template and leaving about 10 days
for translators to send translations.

"podebconf-report-po" is your friend for this....



Reply sent to Ryan Tandy <ryan@nardis.ca>:
You have taken responsibility. (Sun, 19 Oct 2014 22:22:42 GMT)


Notification sent to Dietrich Clauss <dietrich@clauss-it.com>:
Bug acknowledged by developer. (Sun, 19 Oct 2014 22:22:42 GMT)


Message #50 received at 761406-close@bugs.debian.org:

From: Ryan Tandy <ryan@nardis.ca>
To: 761406-close@bugs.debian.org
Subject: Bug#761406: fixed in openldap 2.4.40-1
Date: Sun, 19 Oct 2014 22:19:56 +0000
Source: openldap
Source-Version: 2.4.40-1

We believe that the bug you reported is fixed in the latest version of
openldap, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 761406@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Ryan Tandy <ryan@nardis.ca> (supplier of updated openldap package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Fri, 17 Oct 2014 08:19:28 -0700
Source: openldap
Binary: slapd slapd-smbk5pwd ldap-utils libldap-2.4-2 libldap-2.4-2-dbg libldap2-dev slapd-dbg
Architecture: source amd64
Version: 2.4.40-1
Distribution: unstable
Urgency: low
Maintainer: Debian OpenLDAP Maintainers <pkg-openldap-devel@lists.alioth.debian.org>
Changed-By: Ryan Tandy <ryan@nardis.ca>
Description:
 ldap-utils - OpenLDAP utilities
 libldap-2.4-2 - OpenLDAP libraries
 libldap-2.4-2-dbg - Debugging information for OpenLDAP libraries
 libldap2-dev - OpenLDAP development libraries
 slapd      - OpenLDAP server (slapd)
 slapd-dbg  - Debugging information for the OpenLDAP server (slapd)
 slapd-smbk5pwd - Keeps Samba and Kerberos passwords in sync within slapd.
Closes: 465024 594711 599235 637996 640384 661641 666515 706123 723957 741248 742841 742862 745231 745356 750022 759596 760559 761406 761407 762111 762424
Changes:
 openldap (2.4.40-1) unstable; urgency=low
 .
   [ Ryan Tandy ]
   * New upstream release.
     - fixed ldap_get_dn(3) ldap_ava definition (ITS#7860) (Closes: #465024)
     - fixed slapcat with external schema (ITS#7895) (Closes: #599235)
     - fixed double free with invalid ciphersuite (ITS#7500) (Closes: #640384)
     - fixed modrdn crash on naming attr with no matching rule (ITS#7850)
       (Closes: #666515)
     - fixed slapacl causing unclean database (ITS#7827) (Closes: #741248)
   * slapd.scripts-common:
     - Anchor grep patterns to avoid matching commented lines in ldif files
       under cn=config. (Closes: #723957)
     - Don't silently ignore nonexistent directories that should be dumped.
     - Invoke find, chmod, and chown with -H in case /var/lib/ldap is a
       symlink. (Closes: #742862)
     - When upgrading a database, ignore extra nested directories as they might
       contain other databases. Patch from Kenny Millington. (LP: #1003854)
     - Fix dumping and reloading when multiple databases hold the same suffix,
       thanks Peder Stray. (Closes: #759596, LP: #1362481)
     - Remove trailing dot from slapd/domain. (Closes: #637996)
   * debian/rules:
     - Enable parallel building.
     - Copy libldap-2.4-2.shlibs into place manually, as a workaround for
       #676168. (Closes: #742841)
   * debian/slapd.README.Debian: Add a note about database format upgrades and
     the consequences of missing one. (Closes: #594711)
   * Build with GnuTLS 3 (Closes: #745231, #760559).
   * Drop debian/patches/fix-ftbfs-binutils-gold, no longer needed.
   * Drop debconf-utils from Build-Depends, no longer used (replaced by
     po-debconf). Thanks Johannes Schauer.
   * Acknowledge NMU fixing #729367, thanks to Michael Gilbert.
   * Offer the MDB backend as a choice during initial configuration. (Closes:
     #750022)
   * debian/slapd.init.ldif:
     - Disallow modifying one's own entry by default, except specific
       attributes. (Closes: #761406)
     - Index some more common search attributes by default. (Closes: #762111)
   * Introduce a symbols file for libldap-2.4-2.
   * debian/schema/pmi.schema: Add a copyright clarification. There does not
     appear to be any copyrighted text in this file, only ASN.1 assignments and
     LDAP schema definitions. Fixes a Lintian error on the original.
   * debian/schema/duaconf.schema: Strip Internet-Draft text from
     duaconf.schema.
   * Drop debian/patches/CVE-2013-4449.patch, applied upstream.
   * Update debian/patches/no-AM_INIT_AUTOMAKE with upstream changes.
   * debian/schema/ppolicy.schema: Update with ordering rules added in
     draft-behera-ldap-password-policy-11.
   * Suggest GSSAPI SASL modules. (Closes: #762424)
   * debian/patches/ITS6035-olcauthzregex-needs-restart.patch: Document in
     slapd-config.5 the fact that changes to olcAuthzRegexp only take effect
     after the server is restarted. (Closes: #761407)
   * Add myself to Uploaders.
 .
   [ Jelmer Vernooij ]
   * Depend on heimdal-multidev rather than heimdal-dev. (Closes: #745356,
     #706123)
 .
   [ Updated debconf translations ]
   * Turkish, thanks to Atila KOÇ <akoc@artielektronik.com.tr>.
     (Closes: #661641)




Information forwarded to debian-bugs-dist@lists.debian.org, Debian OpenLDAP Maintainers <pkg-openldap-devel@lists.alioth.debian.org>:
Bug#761406; Package slapd. (Mon, 20 Oct 2014 01:03:09 GMT)


Acknowledgement sent to Ryan Tandy <ryan@nardis.ca>:
Extra info received and forwarded to list. Copy sent to Debian OpenLDAP Maintainers <pkg-openldap-devel@lists.alioth.debian.org>. (Mon, 20 Oct 2014 01:03:09 GMT)


Message #55 received at 761406@bugs.debian.org:

From: Ryan Tandy <ryan@nardis.ca>
To: 761406@bugs.debian.org
Subject: Re: Bug#761406: marked as done (slapd: dangerous access rule in default config)
Date: Sun, 19 Oct 2014 17:58:06 -0700
Control: reopen -1

On 19/10/14 03:22 PM, Debian Bug Tracking System wrote:
> This means that you claim that the problem has been dealt with.

Only halfway. Still need to deal with fixing existing installs on
upgrade. Almost there...


Bug reopened. Request was from Ryan Tandy <ryan@nardis.ca> to 761406-submit@bugs.debian.org. (Mon, 20 Oct 2014 01:03:10 GMT)


No longer marked as fixed in versions openldap/2.4.40-1. Request was from Ryan Tandy <ryan@nardis.ca> to 761406-submit@bugs.debian.org. (Mon, 20 Oct 2014 01:03:11 GMT)


Reply sent to Ryan Tandy <ryan@nardis.ca>:
You have taken responsibility. (Tue, 21 Oct 2014 21:45:42 GMT)


Notification sent to Dietrich Clauss <dietrich@clauss-it.com>:
Bug acknowledged by developer. (Tue, 21 Oct 2014 21:45:42 GMT)


Message #64 received at 761406-close@bugs.debian.org:

From: Ryan Tandy <ryan@nardis.ca>
To: 761406-close@bugs.debian.org
Subject: Bug#761406: fixed in openldap 2.4.40-2
Date: Tue, 21 Oct 2014 21:43:23 +0000
Source: openldap
Source-Version: 2.4.40-2

We believe that the bug you reported is fixed in the latest version of
openldap, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 761406@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Ryan Tandy <ryan@nardis.ca> (supplier of updated openldap package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Mon, 20 Oct 2014 22:19:24 -0700
Source: openldap
Binary: slapd slapd-smbk5pwd ldap-utils libldap-2.4-2 libldap-2.4-2-dbg libldap2-dev slapd-dbg
Architecture: source
Version: 2.4.40-2
Distribution: unstable
Urgency: medium
Maintainer: Debian OpenLDAP Maintainers <pkg-openldap-devel@lists.alioth.debian.org>
Changed-By: Ryan Tandy <ryan@nardis.ca>
Description:
 ldap-utils - OpenLDAP utilities
 libldap-2.4-2 - OpenLDAP libraries
 libldap-2.4-2-dbg - Debugging information for OpenLDAP libraries
 libldap2-dev - OpenLDAP development libraries
 slapd      - OpenLDAP server (slapd)
 slapd-dbg  - Debugging information for the OpenLDAP server (slapd)
 slapd-smbk5pwd - Keeps Samba and Kerberos passwords in sync within slapd.
Closes: 701111 746727 761406
Changes:
 openldap (2.4.40-2) unstable; urgency=medium
 .
   * Fix typo (chmod/chgrp) in previous changelog, spotted by Ferenc Wagner.
   * debian/patches/contrib-modules-use-dpkg-buildflags: Also use CPPFLAGS from
     dpkg-buildflags. Spotted by Lintian.
   * debian/slapd.init.ldif: Don't bother explicitly granting rights to the
     rootdn, since it already has unlimited privileges. Thanks Ferenc Wagner.
   * Recommend MDB for new installations, per upstream's recommendation.
   * Don't re-create the default DB_CONFIG if there wasn't one in the backup,
     for example if the active backend doesn't use it. Thanks Ferenc Wagner.
   * On upgrade, if an access rule begins with "to * by self write", show a
     debconf note warning that it should be changed. (Closes: #761406)
   * Build and install the lastbind contrib module. (Closes: #701111)
   * Build and install the passwd/sha2 contrib module. (Closes: #746727)
Checksums-Sha1:
 f255aedfeb1ffd74a7cc4ab2819ee8de9ad0965e 2756 openldap_2.4.40-2.dsc
 4a9e02ebcea4854949bd5ef5b6fbb0f21be8aa0c 172175 openldap_2.4.40-2.diff.gz
Checksums-Sha256:
 6d75cf7234c5b999a513e46aafc5a846cd452c3759115a2a77ae3887c0d5ced5 2756 openldap_2.4.40-2.dsc
 c92a2bd3cb60293b841be7e63e702dee4b2a06d528232bf2fa96181c08149b14 172175 openldap_2.4.40-2.diff.gz
Files:
 c81d0e81391ffc689e4e63b78c32d466 2756 net optional openldap_2.4.40-2.dsc
 306c37b6614c77555d213b6caff5a3d0 172175 net optional openldap_2.4.40-2.diff.gz




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 01 Feb 2015 07:25:19 GMT).


Bug unarchived. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sun, 29 Mar 2015 11:21:04 GMT).


Changed Bug title to 'slapd: CVE-2014-9713: dangerous access rule in default config' from 'slapd: dangerous access rule in default config'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sun, 29 Mar 2015 11:21:05 GMT).


Reply sent to Luca Bruno <lucab@debian.org>:
You have taken responsibility. (Fri, 03 Apr 2015 18:21:05 GMT).


Notification sent to Dietrich Clauss <dietrich@clauss-it.com>:
Bug acknowledged by developer. (Fri, 03 Apr 2015 18:21:05 GMT).


Message #75 received at 761406-close@bugs.debian.org:

From: Luca Bruno <lucab@debian.org>
To: 761406-close@bugs.debian.org
Subject: Bug#761406: fixed in openldap 2.4.31-2
Date: Fri, 03 Apr 2015 18:17:11 +0000
Source: openldap
Source-Version: 2.4.31-2

We believe that the bug you reported is fixed in the latest version of
openldap, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 761406@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Luca Bruno <lucab@debian.org> (supplier of updated openldap package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Mon, 30 Mar 2015 10:03:58 +0200
Source: openldap
Binary: slapd slapd-smbk5pwd ldap-utils libldap-2.4-2 libldap-2.4-2-dbg libldap2-dev slapd-dbg
Architecture: source amd64
Version: 2.4.31-2
Distribution: wheezy-security
Urgency: high
Maintainer: Debian OpenLDAP Maintainers <pkg-openldap-devel@lists.alioth.debian.org>
Changed-By: Luca Bruno <lucab@debian.org>
Description: 
 ldap-utils - OpenLDAP utilities
 libldap-2.4-2 - OpenLDAP libraries
 libldap-2.4-2-dbg - Debugging information for OpenLDAP libraries
 libldap2-dev - OpenLDAP development libraries
 slapd      - OpenLDAP server (slapd)
 slapd-dbg  - Debugging information for the OpenLDAP server (slapd)
 slapd-smbk5pwd - Keeps Samba and Kerberos passwords in sync within slapd.
Closes: 729367 761406 776988
Changes: 
 openldap (2.4.31-2) wheezy-security; urgency=high
 .
   * Team upload.
 .
   [ Ryan Tandy ]
   * debian/slapd.init.ldif: Disallow modifying one's own entry by default,
     except specific attributes. (CVE-2014-9713) (Closes: #761406)
   * debian/slapd.{config,templates}: On upgrade, if an access rule begins with
     "to * by self write", show a debconf note warning that it should be
     changed.
   * debian/slapd.README.debian: Add information about how to remove "to * by
     self write" from existing ACLs.
   * debian/po/*: Add translations of debconf warning.
   * debian/patches/ITS8027-deref-reject-empty-attr-list.patch: Import upstream
     patch to fix a crash when a search includes the Deref control with an
     empty attribute list. (ITS#8027) (CVE-2015-1545) (Closes: #776988)
   * debian/patches/ITS7723-fix-reference-counting.patch: Import upstream patch
     to fix a crash in the rwm overlay when a search is immediately followed by
     an unbind. (ITS#7723) (CVE-2013-4449) (Closes: #729367)
Checksums-Sha1: 
 9902f63ca472c59f2d555e9bb0585a5ce8ee5029 2708 openldap_2.4.31-2.dsc
 864e7b6ba54cc00ef5b834fd5b5739a7900dd6e3 4720612 openldap_2.4.31.orig.tar.gz
 1ac7bc70a573680a9adfbbe01fdb5afdaf52f8fc 168099 openldap_2.4.31-2.diff.gz
 d3047baad3b8bf1f793f80e389bd8645fa772e17 1769812 slapd_2.4.31-2_amd64.deb
 f4be89ee37704de647c8e301d838ef6ac636e253 78818 slapd-smbk5pwd_2.4.31-2_amd64.deb
 d8a5fc72d98b8776cac2171b1289ebc199f37aec 340800 ldap-utils_2.4.31-2_amd64.deb
 47eb041c111803ee66f56500cb4ff1eb7b69b985 242712 libldap-2.4-2_2.4.31-2_amd64.deb
 a4eaa6e7c3ede4532a9f6b361de24cc415978af4 474562 libldap-2.4-2-dbg_2.4.31-2_amd64.deb
 e57cc5d19ff9ee73f439af6598575737a5e8f65f 563556 libldap2-dev_2.4.31-2_amd64.deb
 522d7d30d522090d2eedbfc45a975c8dd30fba0d 5522190 slapd-dbg_2.4.31-2_amd64.deb
Checksums-Sha256: 
 0690c59995d8dc3c105ce4baa7f57e0140a86f5fab899c1b7c0b8d934d4a8c85 2708 openldap_2.4.31-2.dsc
 dff60c1044021217ab97a7bdda5a7016015f042db0fbfd566d52abb266d19239 4720612 openldap_2.4.31.orig.tar.gz
 8c373d066e8eedd2190b0cca883b29e27883a41b2d9da9cdde1970a53b283a5e 168099 openldap_2.4.31-2.diff.gz
 c3d1b5f737e92e8189176a93234a5f54c3e2b3726a91c2abfeaa6e2d5f5a9627 1769812 slapd_2.4.31-2_amd64.deb
 e24189be83741f7c4f00ac1e1580cbc40754df6e0ff9f12b4bbe4f1e54f13a3a 78818 slapd-smbk5pwd_2.4.31-2_amd64.deb
 93fe6de7a0e584d46f02c61e544a70d4b41c2e2845d89ef523e16468779854c8 340800 ldap-utils_2.4.31-2_amd64.deb
 2371d5f91defe83589f018d58b251785598f55eb9ca7049ffcd49b16a3425b73 242712 libldap-2.4-2_2.4.31-2_amd64.deb
 6685d3339470379904402f61c2a8af06b776809dc51e5cb952857d38c175aa70 474562 libldap-2.4-2-dbg_2.4.31-2_amd64.deb
 8763c1c86b9cd0599581970d7b38e0a49262c7063392da30c02827aec27bd7fe 563556 libldap2-dev_2.4.31-2_amd64.deb
 0be8e27341d8453580203a2d4a5553a9972c68bbcf9baf86bbde88e7307dc67d 5522190 slapd-dbg_2.4.31-2_amd64.deb
Files: 
 feb6c408246cb66012d98560b9f751ad 2708 net optional openldap_2.4.31-2.dsc
 a8631b2202d8099143edb57e36b33dea 4720612 net optional openldap_2.4.31.orig.tar.gz
 e53283709fbf76177e1e8d8f615a0edc 168099 net optional openldap_2.4.31-2.diff.gz
 b800ab265241a8f6994a8422cf4b665a 1769812 net optional slapd_2.4.31-2_amd64.deb
 3df4d86033eb493ee7d1625f294e202d 78818 net extra slapd-smbk5pwd_2.4.31-2_amd64.deb
 8a1304eabd47b629cbc7aa5ffec68654 340800 net optional ldap-utils_2.4.31-2_amd64.deb
 f0b95baa0dce9563c39271714430faaf 242712 libs standard libldap-2.4-2_2.4.31-2_amd64.deb
 bb91c1a098c1d11bc09ac5a2cb87ff61 474562 debug extra libldap-2.4-2-dbg_2.4.31-2_amd64.deb
 76738a9b54f5e4451909af772b7e3420 563556 libdevel extra libldap2-dev_2.4.31-2_amd64.deb
 ce404a2da186b4ba83897e00ef3bc513 5522190 debug extra slapd-dbg_2.4.31-2_amd64.deb




Information forwarded to debian-bugs-dist@lists.debian.org, Debian OpenLDAP Maintainers <pkg-openldap-devel@lists.alioth.debian.org>:
Bug#761406; Package slapd. (Mon, 13 Apr 2015 10:12:09 GMT).


Acknowledgement sent to Raphael Hertzog <hertzog@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian OpenLDAP Maintainers <pkg-openldap-devel@lists.alioth.debian.org>. (Mon, 13 Apr 2015 10:12:09 GMT).


Message #80 received at 761406@bugs.debian.org:

From: Raphael Hertzog <hertzog@debian.org>
To: Luca Bruno <lucab@debian.org>, Ryan Tandy <ryan@nardis.ca>
Cc: debian-lts@lists.debian.org, 761406@bugs.debian.org
Subject: squeeze update of openldap?
Date: Mon, 13 Apr 2015 12:08:16 +0200
Hello Luca & Ryan,

the Debian LTS team would like to fix the security issue which is
currently open in the Squeeze version of openldap:
https://security-tracker.debian.org/tracker/CVE-2014-9713

Would you like to take care of this yourself? We are still understaffed so
any help is always highly appreciated.

If yes, please follow the workflow we have defined here:
http://wiki.debian.org/LTS/Development

If that workflow is a burden to you, feel free to just prepare an
updated source package and send it to debian-lts@lists.debian.org
(via a debdiff, or with an URL pointing to the source package,
or even with a pointer to your packaging repository), and the members
of the LTS team will take care of the rest. Indicate clearly whether you
have tested the updated package or not.

If you don't want to take care of this update, it's not a problem, we
will do our best with your package. Just let us know whether you would
like to review and/or test the updated package before it gets released.

Thank you very much.

Raphaël Hertzog,
  on behalf of the Debian LTS team.

PS: A member of the LTS team might start working on this update at
any point in time. You can verify whether someone is registered
on this update in this file:
https://anonscm.debian.org/viewvc/secure-testing/data/dla-needed.txt?view=markup
-- 
Raphaël Hertzog ◈ Debian Developer

Support Debian LTS: http://www.freexian.com/services/debian-lts.html
Learn to master Debian: http://debian-handbook.info/get/



Reply sent to Ryan Tandy <ryan@nardis.ca>:
You have taken responsibility. (Sat, 18 Apr 2015 15:21:06 GMT).


Notification sent to Dietrich Clauss <dietrich@clauss-it.com>:
Bug acknowledged by developer. (Sat, 18 Apr 2015 15:21:06 GMT).


Message #85 received at 761406-close@bugs.debian.org:

From: Ryan Tandy <ryan@nardis.ca>
To: 761406-close@bugs.debian.org
Subject: Bug#761406: fixed in openldap 2.4.23-7.3+deb6u1
Date: Sat, 18 Apr 2015 15:19:15 +0000
Source: openldap
Source-Version: 2.4.23-7.3+deb6u1

We believe that the bug you reported is fixed in the latest version of
openldap, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 761406@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Ryan Tandy <ryan@nardis.ca> (supplier of updated openldap package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Fri, 17 Apr 2015 18:39:40 -0700
Source: openldap
Binary: slapd slapd-smbk5pwd ldap-utils libldap-2.4-2 libldap-2.4-2-dbg libldap2-dev slapd-dbg
Architecture: source
Version: 2.4.23-7.3+deb6u1
Distribution: squeeze-lts
Urgency: high
Maintainer: Debian OpenLDAP Maintainers <pkg-openldap-devel@lists.alioth.debian.org>
Changed-By: Ryan Tandy <ryan@nardis.ca>
Description:
 ldap-utils - OpenLDAP utilities
 libldap-2.4-2 - OpenLDAP libraries
 libldap-2.4-2-dbg - Debugging information for OpenLDAP libraries
 libldap2-dev - OpenLDAP development libraries
 slapd      - OpenLDAP server (slapd)
 slapd-dbg  - Debugging information for the OpenLDAP server (slapd)
 slapd-smbk5pwd - Keeps Samba and Kerberos passwords in sync within slapd.
Closes: 663644 729367 761406 776988
Changes:
 openldap (2.4.23-7.3+deb6u1) squeeze-lts; urgency=high
 .
   * debian/slapd.init.ldif: Disallow modifying one's own entry by default,
     except specific attributes. (CVE-2014-9713) (Closes: #761406)
   * debian/slapd.{config,templates}: On upgrade, if an access rule begins with
     "to * by self write", show a debconf note warning that it should be
     changed.
   * debian/slapd.README.debian: Add information about how to remove "to * by
     self write" from existing ACLs.
   * debian/po/*: Add translations of debconf warning.
   * debian/patches/ITS7723-fix-reference-counting.patch: Import upstream patch
     to fix a crash in the rwm overlay when a search is immediately followed by
     an unbind. (ITS#7723) (CVE-2013-4449) (Closes: #729367)
   * debian/patches/ITS8027-deref-reject-empty-attr-list.patch: Import upstream
     patch to fix a crash when a search includes the Deref control with an
     empty attribute list. (ITS#8027) (CVE-2015-1545) (Closes: #776988)
   * debian/patches/ITS7143-fix-attr_dup2-when-attrsOnly.patch: Import upstream
     patch to fix a crash when doing an attrsOnly search of a database
     configured with both the rwm and translucent overlays. (ITS#7143)
     (CVE-2012-1164) (Closes: #663644)
Checksums-Sha1:
 1c6613375b3790e37e03e45ebf31e4bc7264366e 2815 openldap_2.4.23-7.3+deb6u1.dsc
 bfc98011bbd0c141a57475e3834c38bc4f93cffe 158490 openldap_2.4.23-7.3+deb6u1.diff.gz
Checksums-Sha256:
 33675c439af8d610864a245cb5f1e64503d31702db306c711fd5da99e0151739 2815 openldap_2.4.23-7.3+deb6u1.dsc
 bb22b677fea356751bf0db75facd99e27ee33fd365b81694a333d2bfceba2ee2 158490 openldap_2.4.23-7.3+deb6u1.diff.gz
Files:
 162d12730ed2e79a03ad36ba527dfce5 2815 net optional openldap_2.4.23-7.3+deb6u1.dsc
 dd93ab71922f8b61ebf20088cf9b8147 158490 net optional openldap_2.4.23-7.3+deb6u1.diff.gz



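The three changelogs above describe the same remediation: drop the catch-all "to * by self write" rule so that a user can no longer rewrite arbitrary attributes of their own entry, keep self-write only on specific attributes, and warn on upgrade when an ACL still begins with that rule. The script below is an added example, not part of this bug log and not the check or the ACL that the Debian slapd package ships: it parses olcAccess values as stored in cn=config, flags the rule pattern the upgrade check looks for, and generates a hardened rule plus an ldapmodify LDIF. The sample rules are constructed to mirror the defaults quoted in the report, with dc=example,dc=com standing in for the site suffix. The database DN olcDatabase={1}hdb,cn=config and the chosen hardening (removing only the "by self write" clause from the catch-all rule, so the earlier attrs= rule for userPassword and shadowLastChange remains the only path to self-write) are this example's assumptions, not necessarily what slapd.init.ldif does.

```python
"""Flag and rewrite the CVE-2014-9713 'to * by self write' catch-all in
slapd cn=config olcAccess values.  Added example; not Debian's own check."""
import re

# olcAccess values in cn=config carry a {n} ordering prefix.
INDEX_RE = re.compile(r"^\{\d+\}")

# Constructed sample mirroring the pre-fix Debian defaults quoted in the bug
# report; dc=example,dc=com stands in for the real suffix.  Not captured from
# a live server.
SAMPLE_OLCACCESS = [
    '{0}to attrs=userPassword,shadowLastChange by self write by anonymous auth '
    'by dn="cn=admin,dc=example,dc=com" write by * none',
    '{1}to dn.base="" by * read',
    '{2}to * by self write by dn="cn=admin,dc=example,dc=com" write by * read',
]

# Assumed database DN: wheezy defaulted to hdb, newer installs use mdb.
DATABASE_DN = "olcDatabase={1}hdb,cn=config"


def parse_rule(value):
    """Split 'to <what> by <who> <access> [by ...]' into (what, [(who, access), ...]).

    Each clause is reduced to its first two tokens, which covers the Debian
    defaults; a DN that itself contains ' by ' would be mis-split.
    """
    body = INDEX_RE.sub("", value).strip()
    parts = re.split(r"\s+by\s+", body)
    head = parts[0].split(None, 1)
    if len(head) != 2 or head[0] != "to":
        raise ValueError("not an access rule: %r" % value)
    clauses = []
    for part in parts[1:]:
        fields = part.split()
        if len(fields) < 2:
            raise ValueError("incomplete by-clause in: %r" % value)
        clauses.append((fields[0], fields[1]))
    return head[1].strip(), clauses


def is_self_write_catch_all(value):
    """True for the rule the upgrade note warns about: 'to *' whose first
    clause is 'by self write', i.e. a bound user may modify every attribute
    of their own entry that no earlier rule covers (uidNumber, gidNumber, ...)."""
    what, clauses = parse_rule(value)
    return what == "*" and bool(clauses) and clauses[0] == ("self", "write")


def find_dangerous(values):
    """Return the olcAccess values that match the dangerous pattern."""
    return [v for v in values if is_self_write_catch_all(v)]


def harden(value):
    """Remove 'by self write' from a catch-all rule, keeping its {n} prefix.

    Self-write on userPassword/shadowLastChange still comes from the earlier
    attrs= rule; everything else now falls through to 'by * read'.  This is
    the example's chosen rewrite, not necessarily the one slapd.init.ldif uses.
    """
    what, clauses = parse_rule(value)
    kept = [c for c in clauses if c != ("self", "write")]
    match = INDEX_RE.match(value)
    prefix = match.group(0) if match else ""
    return prefix + "to " + what + "".join(" by %s %s" % c for c in kept)


def harden_all(values):
    """Harden only the flagged rules; leave the rest untouched and in order."""
    return [harden(v) if is_self_write_catch_all(v) else v for v in values]


def replace_ldif(database_dn, values):
    """LDIF for ldapmodify that replaces the whole olcAccess list, so what
    ends up in cn=config is exactly the reviewed list (no delete/add by index)."""
    lines = ["dn: " + database_dn, "changetype: modify", "replace: olcAccess"]
    lines += ["olcAccess: " + v for v in values]
    lines.append("-")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    for rule in find_dangerous(SAMPLE_OLCACCESS):
        print("dangerous:", rule)
    print(replace_ldif(DATABASE_DN, harden_all(SAMPLE_OLCACCESS)))
```

To use it against a real server, feed it the olcAccess values read from the database entry under cn=config, review the full replacement list it prints, and apply it with ldapmodify -Y EXTERNAL -H ldapi:/// -f file.ldif. The textual match is deliberately the same narrow one the upgrade note uses (a "to *" rule whose first clause is "by self write"); a catch-all that grants self write further down its clause list, or a "to dn.subtree=..." rule with the same effect, is not flagged and needs a manual read of the ACL.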

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 17 May 2015 07:25:45 GMT).


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 13:52:37 2019; Machine Name: buxtehude