CVE-2014-8602: denial of service with endless delegations

Related Vulnerabilities: CVE-2014-8602  

Debian Bug report logs - #772622

Reported by: Yves-Alexis Perez <corsac@debian.org>

Date: Tue, 9 Dec 2014 09:00:02 UTC

Severity: grave

Tags: security

Found in versions unbound/1.4.17-3+deb7u1, unbound/1.4.22-2

Fixed in versions unbound/1.4.22-3, unbound/1.4.17-3+deb7u2, unbound/1.4.6-1+squeeze4

Done: Thorsten Alteholz <debian@alteholz.de>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, team@security.debian.org, Robert Edmonds <edmonds@debian.org>:
Bug#772622; Package src:unbound. (Tue, 09 Dec 2014 09:00:06 GMT) (full text, mbox, link).


Acknowledgement sent to Yves-Alexis Perez <corsac@debian.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, team@security.debian.org, Robert Edmonds <edmonds@debian.org>. (Tue, 09 Dec 2014 09:00:07 GMT) (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Yves-Alexis Perez <corsac@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: CVE-2014-8602: denial of service with endless delegations
Date: Tue, 09 Dec 2014 09:57:42 +0100
Source: unbound
Severity: grave
Tags: security
Justification: user security hole

Hi,

as you may already know, a vulnerability in several recursive DNS
implementations (bind, pdns-recursor and unbound, maybe others) has been
found by a researcher.

For unbound, it has been assigned CVE-2014-8602 and more information can
be found on the mailing list post at
https://unbound.net/pipermail/unbound-users/2014-December/003662.html

It's not crystal clear which versions are currently vulnerable so at
first sight I'd say all. Can you prepare updated packages for Wheezy,
Jessie/Sid including only the patch linked in the above mail?

For Wheezy you need to build with -sa (since it's the first security
upload) and target wheezy-security distribution. Then you send us the
debdiff so we can have a quick check, and after our ACK you can upload
to security-master and we release the DSA.

For Jessie, you'll have to make a minimal upload to sid, and ask an
unblock to the release team.

Don't forget to put the CVE number in the changelog.

If you need any help with the above, don't hesitate to contact us.

Regards,
-- 
Yves-Alexis Perez
Debian security team

-- System Information:
Debian Release: 8.0
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing'), (500, 'stable'), (450, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.16.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=fr_FR.utf8, LC_CTYPE=fr_FR.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)



Marked as found in versions unbound/1.4.22-2. Request was from Robert Edmonds <edmonds@debian.org> to control@bugs.debian.org. (Tue, 09 Dec 2014 16:09:07 GMT) (full text, mbox, link).


Marked as found in versions unbound/1.4.17-3+deb7u1. Request was from Robert Edmonds <edmonds@debian.org> to control@bugs.debian.org. (Tue, 09 Dec 2014 16:09:15 GMT) (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#772622; Package src:unbound. (Tue, 09 Dec 2014 16:45:19 GMT) (full text, mbox, link).


Acknowledgement sent to Robert Edmonds <edmonds@debian.org>:
Extra info received and forwarded to list. (Tue, 09 Dec 2014 16:45:19 GMT) (full text, mbox, link).


Message #14 received at 772622@bugs.debian.org (full text, mbox, reply):

From: Robert Edmonds <edmonds@debian.org>
To: Yves-Alexis Perez <corsac@debian.org>, 772622@bugs.debian.org
Subject: Re: Bug#772622: CVE-2014-8602: denial of service with endless delegations
Date: Tue, 9 Dec 2014 11:31:49 -0500
Yves-Alexis Perez wrote:
> Hi,
> 
> as you may already know, a vulnerability in several recursive DNS
> implementations (bind, pdns-recursor and unbound, maybe others) has been
> found by a researcher.
> 
> For unbound, it has been assigned CVE-2014-8602 and more information can
> be found on the mailing list post at
> https://unbound.net/pipermail/unbound-users/2014-December/003662.html
> 
> It's not crystal clear which versions are currently vulnerable so at
> first sight I'd say all. Can you prepare updated packages for Wheezy,
> Jessie/Sid including only the patch linked in the above mail?
>
> For Wheezy you need to build with -sa (since it's the first security
> upload) and target wheezy-security distribution. Then you send us the
> debdiff so we can have a quick check, and after our ACK you can upload
> to security-master and we release the DSA.
> 
> For Jessie, you'll have to make a minimal upload to sid, and ask an
> unblock to the release team.
> 
> Don't forget to put the CVE number in the changelog.
> 
> If you need any help with the above, don't hesitate to contact us.

AFAIK, all versions prior to 1.5.1 are affected.

I'll work on backporting the fix to the versions in wheezy and
jessie/sid.

Thanks!

-- 
Robert Edmonds
edmonds@debian.org



Reply sent to Robert Edmonds <edmonds@debian.org>:
You have taken responsibility. (Tue, 09 Dec 2014 23:27:06 GMT) (full text, mbox, link).


Notification sent to Yves-Alexis Perez <corsac@debian.org>:
Bug acknowledged by developer. (Tue, 09 Dec 2014 23:27:06 GMT) (full text, mbox, link).


Message #19 received at 772622-close@bugs.debian.org (full text, mbox, reply):

From: Robert Edmonds <edmonds@debian.org>
To: 772622-close@bugs.debian.org
Subject: Bug#772622: fixed in unbound 1.4.22-3
Date: Tue, 09 Dec 2014 23:24:39 +0000
Source: unbound
Source-Version: 1.4.22-3

We believe that the bug you reported is fixed in the latest version of
unbound, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 772622@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Robert Edmonds <edmonds@debian.org> (supplier of updated unbound package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Tue, 09 Dec 2014 17:52:08 -0500
Source: unbound
Binary: unbound unbound-anchor unbound-host libunbound2 libunbound-dev python-unbound
Architecture: amd64 source
Version: 1.4.22-3
Distribution: unstable
Urgency: medium
Maintainer: Robert S. Edmonds <edmonds@debian.org>
Changed-By: Robert Edmonds <edmonds@debian.org>
Closes: 772622
Description: 
 libunbound-dev - static library, header files, and docs for libunbound
 libunbound2 - library implementing DNS resolution and validation
 python-unbound - library implementing DNS resolution and validation (Python bindin
 unbound    - validating, recursive, caching DNS resolver
 unbound-anchor - utility to securely fetch the root DNS trust anchor
 unbound-host - reimplementation of the 'host' command
Changes:
 unbound (1.4.22-3) unstable; urgency=medium
 .
   * Fix CVE-2014-8602: denial of service by making resolver chase endless
     series of delegations; closes: #772622.




Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#772622; Package src:unbound. (Tue, 09 Dec 2014 23:51:05 GMT) (full text, mbox, link).


Acknowledgement sent to Robert Edmonds <edmonds@debian.org>:
Extra info received and forwarded to list. (Tue, 09 Dec 2014 23:51:05 GMT) (full text, mbox, link).


Message #24 received at 772622@bugs.debian.org (full text, mbox, reply):

From: Robert Edmonds <edmonds@debian.org>
To: Yves-Alexis Perez <corsac@debian.org>, 772622@bugs.debian.org
Subject: Re: Bug#772622: CVE-2014-8602: denial of service with endless delegations
Date: Tue, 9 Dec 2014 18:46:55 -0500
[Message part 1 (text/plain, inline)]
Yves-Alexis Perez wrote:
> For Wheezy you need to build with -sa (since it's the first security
> upload) and target wheezy-security distribution. Then you send us the
> debdiff so we can have a quick check, and after our ACK you can upload
> to security-master and we release the DSA.

OK, see attached debdiff for unbound 1.4.17-3+deb7u2.

> For Jessie, you'll have to make a minimal upload to sid, and ask an
> unblock to the release team.

unbound 1.4.22-3 uploaded, unblock request in #772684.

-- 
Robert Edmonds
edmonds@debian.org
[unbound_1.4.17-3+deb7u2.debdiff (text/plain, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Robert Edmonds <edmonds@debian.org>:
Bug#772622; Package src:unbound. (Wed, 10 Dec 2014 08:30:12 GMT) (full text, mbox, link).


Acknowledgement sent to Yves-Alexis Perez <corsac@debian.org>:
Extra info received and forwarded to list. Copy sent to Robert Edmonds <edmonds@debian.org>. (Wed, 10 Dec 2014 08:30:12 GMT) (full text, mbox, link).


Message #29 received at 772622@bugs.debian.org (full text, mbox, reply):

From: Yves-Alexis Perez <corsac@debian.org>
To: Robert Edmonds <edmonds@debian.org>
Cc: 772622@bugs.debian.org
Subject: Re: Bug#772622: CVE-2014-8602: denial of service with endless delegations
Date: Wed, 10 Dec 2014 09:27:24 +0100
[Message part 1 (text/plain, inline)]
On mar., 2014-12-09 at 18:46 -0500, Robert Edmonds wrote:
> Yves-Alexis Perez wrote:
> > For Wheezy you need to build with -sa (since it's the first security
> > upload) and target wheezy-security distribution. Then you send us the
> > debdiff so we can have a quick check, and after our ACK you can upload
> > to security-master and we release the DSA.
> 
> OK, see attached debdiff for unbound 1.4.17-3+deb7u2.

Thanks. I think we usually prefer having a separate patch in
debian/patches, but it looks ok. Please upload to security-master.
> 
> > For Jessie, you'll have to make a minimal upload to sid, and ask an
> > unblock to the release team.
> 
> unbound 1.4.22-3 uploaded, unblock request in #772684.
> 
And I see it was unblocked already. Perfect :)
-- 
Yves-Alexis
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#772622; Package src:unbound. (Wed, 10 Dec 2014 15:45:05 GMT) (full text, mbox, link).


Acknowledgement sent to Robert Edmonds <edmonds@debian.org>:
Extra info received and forwarded to list. (Wed, 10 Dec 2014 15:45:05 GMT) (full text, mbox, link).


Message #34 received at 772622@bugs.debian.org (full text, mbox, reply):

From: Robert Edmonds <edmonds@debian.org>
To: Yves-Alexis Perez <corsac@debian.org>, 772622@bugs.debian.org
Subject: Re: Bug#772622: CVE-2014-8602: denial of service with endless delegations
Date: Wed, 10 Dec 2014 10:40:29 -0500
Yves-Alexis Perez wrote:
> On mar., 2014-12-09 at 18:46 -0500, Robert Edmonds wrote:
> > Yves-Alexis Perez wrote:
> > > For Wheezy you need to build with -sa (since it's the first security
> > > upload) and target wheezy-security distribution. Then you send us the
> > > debdiff so we can have a quick check, and after our ACK you can upload
> > > to security-master and we release the DSA.
> > 
> > OK, see attached debdiff for unbound 1.4.17-3+deb7u2.
> 
> Thanks. I think we usually prefer having a separate patch in
> debian/patches, but it looks ok. Please upload to security-master.

OK, uploaded.

-- 
Robert Edmonds
edmonds@debian.org



Information forwarded to debian-bugs-dist@lists.debian.org, Robert Edmonds <edmonds@debian.org>:
Bug#772622; Package src:unbound. (Wed, 10 Dec 2014 21:39:09 GMT) (full text, mbox, link).


Acknowledgement sent to Yves-Alexis Perez <corsac@debian.org>:
Extra info received and forwarded to list. Copy sent to Robert Edmonds <edmonds@debian.org>. (Wed, 10 Dec 2014 21:39:09 GMT) (full text, mbox, link).


Message #39 received at 772622@bugs.debian.org (full text, mbox, reply):

From: Yves-Alexis Perez <corsac@debian.org>
To: Robert Edmonds <edmonds@debian.org>
Cc: 772622@bugs.debian.org, team@security.debian.org
Subject: Re: Bug#772622: CVE-2014-8602: denial of service with endless delegations
Date: Wed, 10 Dec 2014 22:34:37 +0100
[Message part 1 (text/plain, inline)]
On mer., 2014-12-10 at 10:40 -0500, Robert Edmonds wrote:
> Yves-Alexis Perez wrote:
> > On mar., 2014-12-09 at 18:46 -0500, Robert Edmonds wrote:
> > > Yves-Alexis Perez wrote:
> > > > For Wheezy you need to build with -sa (since it's the first security
> > > > upload) and target wheezy-security distribution. Then you send us the
> > > > debdiff so we can have a quick check, and after our ACK you can upload
> > > > to security-master and we release the DSA.
> > > 
> > > OK, see attached debdiff for unbound 1.4.17-3+deb7u2.
> > 
> > Thanks. I think we usually prefer having a separate patch in
> > debian/patches, but it looks ok. Please upload to security-master.
> 
> OK, uploaded.
> 
Thanks. Although it seems your _multi.changes might have an issue. How
exactly did you make it? It apparently references twice the debian
changes:

b05bf69385554dddaa22629327ac647c384c1585 15413 unbound_1.4.17-3+deb7u2.debian.tar.gz
d4addd58c211ff20d707e52d961befce855cd401 13864 unbound_1.4.17-3+deb7u2.debian.tar.xz

the latter being non-existent.

Regards,
-- 
Yves-Alexis
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#772622; Package src:unbound. (Wed, 10 Dec 2014 21:51:05 GMT) (full text, mbox, link).


Acknowledgement sent to Robert Edmonds <edmonds@debian.org>:
Extra info received and forwarded to list. (Wed, 10 Dec 2014 21:51:05 GMT) (full text, mbox, link).


Message #44 received at 772622@bugs.debian.org (full text, mbox, reply):

From: Robert Edmonds <edmonds@debian.org>
To: Yves-Alexis Perez <corsac@debian.org>, 772622@bugs.debian.org
Cc: team@security.debian.org
Subject: Re: Bug#772622: CVE-2014-8602: denial of service with endless delegations
Date: Wed, 10 Dec 2014 16:46:54 -0500
Yves-Alexis Perez wrote:
> Thanks. Although it seems your _multi.changes might have an issue. How
> exactly did you make it? It apparently references twice the debian
> changes:
> 
> b05bf69385554dddaa22629327ac647c384c1585 15413 unbound_1.4.17-3+deb7u2.debian.tar.gz
> d4addd58c211ff20d707e52d961befce855cd401 13864 unbound_1.4.17-3+deb7u2.debian.tar.xz
> 
> the latter being non-existent.

Oh, hrm.  I built a source package with git-buildpackage from my sid
environment, generating a _source.changes:

Checksums-Sha1: 
 db46cc396cd2e8827971278f7bbe647f67e1fb79 1480 unbound_1.4.17-3+deb7u2.dsc
 fea4d812c03af4737ef671ac30b7b7400d346516 3585122 unbound_1.4.17.orig.tar.gz
 d4addd58c211ff20d707e52d961befce855cd401 13864 unbound_1.4.17-3+deb7u2.debian.tar.xz

Then I built the source package with a wheezy pbuilder, generating an
_amd64.changes:

Checksums-Sha1: 
 22ac970c5f8cbc50a71bfd9227e643ea12e0a780 1430 unbound_1.4.17-3+deb7u2.dsc
 b05bf69385554dddaa22629327ac647c384c1585 15413 unbound_1.4.17-3+deb7u2.debian.tar.gz
 bca4248d66065d4c906e94cbc73c0ce03c18a2a3 676630 unbound_1.4.17-3+deb7u2_amd64.deb
 d31419811533519ec5e01f16f04b111e3cfd4316 92722 unbound-anchor_1.4.17-3+deb7u2_amd64.deb
 d86e2f4c9d0e3ac7a5941894c51042c5c4e58bba 81086 unbound-host_1.4.17-3+deb7u2_amd64.deb
 5e1f6af75500821edc0aba547a52a3acdb70c08a 309792 libunbound2_1.4.17-3+deb7u2_amd64.deb
 31967459a5d928c7aa660dbbe67176f1bdf0f8fe 3482478 libunbound-dev_1.4.17-3+deb7u2_amd64.deb
 08e60f3154dc1e5985dd202fabf07ebe20136b89 113752 python-unbound_1.4.17-3+deb7u2_amd64.deb

Then I ran mergechanges -f on the two .changes files.

Do you want me to re-build the source package in a pure wheezy
environment?  (And if so, should I re-use the +deb7u2 version number or
bump it to +deb7u3?)

-- 
Robert Edmonds
edmonds@debian.org



Information forwarded to debian-bugs-dist@lists.debian.org, Robert Edmonds <edmonds@debian.org>:
Bug#772622; Package src:unbound. (Wed, 10 Dec 2014 22:03:04 GMT) (full text, mbox, link).


Acknowledgement sent to Yves-Alexis Perez <corsac@debian.org>:
Extra info received and forwarded to list. Copy sent to Robert Edmonds <edmonds@debian.org>. (Wed, 10 Dec 2014 22:03:04 GMT) (full text, mbox, link).


Message #49 received at 772622@bugs.debian.org (full text, mbox, reply):

From: Yves-Alexis Perez <corsac@debian.org>
To: Robert Edmonds <edmonds@debian.org>, wb-team@buildd.debian.org
Cc: 772622@bugs.debian.org, team@security.debian.org
Subject: Re: Bug#772622: CVE-2014-8602: denial of service with endless delegations
Date: Wed, 10 Dec 2014 22:59:20 +0100
[Message part 1 (text/plain, inline)]
[WB-team: we have an issue with the unbound amd64 build for DSA 3097-1,
so I'm adding you to the loop, see below]

On mer., 2014-12-10 at 16:46 -0500, Robert Edmonds wrote:
> Yves-Alexis Perez wrote:
> > Thanks. Although it seems your _multi.changes might have an issue. How
> > exactly did you make it? It apparently references twice the debian
> > changes:
> > 
> > b05bf69385554dddaa22629327ac647c384c1585 15413 unbound_1.4.17-3+deb7u2.debian.tar.gz
> > d4addd58c211ff20d707e52d961befce855cd401 13864 unbound_1.4.17-3+deb7u2.debian.tar.xz
> > 
> > the latter being non-existent.
> 
> Oh, hrm.  I built a source package with git-buildpackage from my sid
> environment, generating a _source.changes:
> 
> Checksums-Sha1: 
>  db46cc396cd2e8827971278f7bbe647f67e1fb79 1480 unbound_1.4.17-3+deb7u2.dsc
>  fea4d812c03af4737ef671ac30b7b7400d346516 3585122 unbound_1.4.17.orig.tar.gz
>  d4addd58c211ff20d707e52d961befce855cd401 13864 unbound_1.4.17-3+deb7u2.debian.tar.xz
> 
> Then I built the source package with a wheezy pbuilder, generating an
> _amd64.changes:
> 
> Checksums-Sha1: 
>  22ac970c5f8cbc50a71bfd9227e643ea12e0a780 1430 unbound_1.4.17-3+deb7u2.dsc
>  b05bf69385554dddaa22629327ac647c384c1585 15413 unbound_1.4.17-3+deb7u2.debian.tar.gz
>  bca4248d66065d4c906e94cbc73c0ce03c18a2a3 676630 unbound_1.4.17-3+deb7u2_amd64.deb
>  d31419811533519ec5e01f16f04b111e3cfd4316 92722 unbound-anchor_1.4.17-3+deb7u2_amd64.deb
>  d86e2f4c9d0e3ac7a5941894c51042c5c4e58bba 81086 unbound-host_1.4.17-3+deb7u2_amd64.deb
>  5e1f6af75500821edc0aba547a52a3acdb70c08a 309792 libunbound2_1.4.17-3+deb7u2_amd64.deb
>  31967459a5d928c7aa660dbbe67176f1bdf0f8fe 3482478 libunbound-dev_1.4.17-3+deb7u2_amd64.deb
>  08e60f3154dc1e5985dd202fabf07ebe20136b89 113752 python-unbound_1.4.17-3+deb7u2_amd64.deb
> 
> Then I ran mergechanges -f on the two .changes files.
> 
> Do you want me to re-build the source package in a pure wheezy
> environment?  (And if so, should I re-use the +deb7u2 version number or
> bump it to +deb7u3?)
> 
I think we should be able to schedule a rebuild directly from the
archive, but I'm unsure how.

I'm adding wb-team to the loop so they can have a look (especially the
amd64 people). Also, since the amd64 build is actually there, I'm not
sure a rebuild will be accepted.

Regards,
-- 
Yves-Alexis
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Robert Edmonds <edmonds@debian.org>:
Bug#772622; Package src:unbound. (Wed, 10 Dec 2014 22:24:05 GMT) (full text, mbox, link).


Acknowledgement sent to Kurt Roeckx <kurt@roeckx.be>:
Extra info received and forwarded to list. Copy sent to Robert Edmonds <edmonds@debian.org>. (Wed, 10 Dec 2014 22:24:05 GMT) (full text, mbox, link).


Message #54 received at 772622@bugs.debian.org (full text, mbox, reply):

From: Kurt Roeckx <kurt@roeckx.be>
To: Yves-Alexis Perez <corsac@debian.org>
Cc: Robert Edmonds <edmonds@debian.org>, wb-team@buildd.debian.org, 772622@bugs.debian.org, team@security.debian.org
Subject: Re: Bug#772622: CVE-2014-8602: denial of service with endless delegations
Date: Wed, 10 Dec 2014 23:20:36 +0100
On Wed, Dec 10, 2014 at 10:59:20PM +0100, Yves-Alexis Perez wrote:
> 
> [WB-team: we have an issue with the unbound amd64 build for DSA 3097-1,
> so I'm adding you to the loop, see below]
> 
> On mer., 2014-12-10 at 16:46 -0500, Robert Edmonds wrote:
> > Yves-Alexis Perez wrote:
> > > Thanks. Although it seems your _multi.changes might have an issue. How
> > > exactly did you make it? It apparently references twice the debian
> > > changes:
> > > 
> > > b05bf69385554dddaa22629327ac647c384c1585 15413 unbound_1.4.17-3+deb7u2.debian.tar.gz
> > > d4addd58c211ff20d707e52d961befce855cd401 13864 unbound_1.4.17-3+deb7u2.debian.tar.xz
> > > 
> > > the latter being non-existent.
> > 
> > Oh, hrm.  I built a source package with git-buildpackage from my sid
> > environment, generating a _source.changes:
> > 
> > Checksums-Sha1: 
> >  db46cc396cd2e8827971278f7bbe647f67e1fb79 1480 unbound_1.4.17-3+deb7u2.dsc
> >  fea4d812c03af4737ef671ac30b7b7400d346516 3585122 unbound_1.4.17.orig.tar.gz
> >  d4addd58c211ff20d707e52d961befce855cd401 13864 unbound_1.4.17-3+deb7u2.debian.tar.xz
> > 
> > Then I built the source package with a wheezy pbuilder, generating an
> > _amd64.changes:
> > 
> > Checksums-Sha1: 
> >  22ac970c5f8cbc50a71bfd9227e643ea12e0a780 1430 unbound_1.4.17-3+deb7u2.dsc
> >  b05bf69385554dddaa22629327ac647c384c1585 15413 unbound_1.4.17-3+deb7u2.debian.tar.gz
> >  bca4248d66065d4c906e94cbc73c0ce03c18a2a3 676630 unbound_1.4.17-3+deb7u2_amd64.deb
> >  d31419811533519ec5e01f16f04b111e3cfd4316 92722 unbound-anchor_1.4.17-3+deb7u2_amd64.deb
> >  d86e2f4c9d0e3ac7a5941894c51042c5c4e58bba 81086 unbound-host_1.4.17-3+deb7u2_amd64.deb
> >  5e1f6af75500821edc0aba547a52a3acdb70c08a 309792 libunbound2_1.4.17-3+deb7u2_amd64.deb
> >  31967459a5d928c7aa660dbbe67176f1bdf0f8fe 3482478 libunbound-dev_1.4.17-3+deb7u2_amd64.deb
> >  08e60f3154dc1e5985dd202fabf07ebe20136b89 113752 python-unbound_1.4.17-3+deb7u2_amd64.deb
> > 
> > Then I ran mergechanges -f on the two .changes files.
> > 
> > Do you want me to re-build the source package in a pure wheezy
> > environment?  (And if so, should I re-use the +deb7u2 version number or
> > bump it to +deb7u3?)
> > 
> I think we should be able to schedule a rebuild directly from the
> archive, but I'm unsure how.
> 
> I'm adding wb-team to the loop so they can have a look (especially the
> amd64 people). Also, since the amd64 build is actually there, I'm not
> sure a rebuild will be accepted.

It's in installed state.  Is there something you want me to do?
Do a binNMU?


Kurt




Information forwarded to debian-bugs-dist@lists.debian.org, Robert Edmonds <edmonds@debian.org>:
Bug#772622; Package src:unbound. (Wed, 10 Dec 2014 22:33:05 GMT) (full text, mbox, link).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Robert Edmonds <edmonds@debian.org>. (Wed, 10 Dec 2014 22:33:05 GMT) (full text, mbox, link).


Message #59 received at 772622@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>
To: Kurt Roeckx <kurt@roeckx.be>
Cc: Yves-Alexis Perez <corsac@debian.org>, Robert Edmonds <edmonds@debian.org>, wb-team@buildd.debian.org, 772622@bugs.debian.org, team@security.debian.org, ansgar@debian.org
Subject: Re: Bug#772622: CVE-2014-8602: denial of service with endless delegations
Date: Wed, 10 Dec 2014 23:31:30 +0100
Hi,

On Wed, Dec 10, 2014 at 11:20:36PM +0100, Kurt Roeckx wrote:
> On Wed, Dec 10, 2014 at 10:59:20PM +0100, Yves-Alexis Perez wrote:
> > 
> > [WB-team: we have an issue with the unbound amd64 build for DSA 3097-1,
> > so I'm adding you to the loop, see below]
> > 
> > On mer., 2014-12-10 at 16:46 -0500, Robert Edmonds wrote:
> > > Yves-Alexis Perez wrote:
> > > > Thanks. Although it seems your _multi.changes might have an issue. How
> > > > exactly did you make it? It apparently references twice the debian
> > > > changes:
> > > > 
> > > > b05bf69385554dddaa22629327ac647c384c1585 15413 unbound_1.4.17-3+deb7u2.debian.tar.gz
> > > > d4addd58c211ff20d707e52d961befce855cd401 13864 unbound_1.4.17-3+deb7u2.debian.tar.xz
> > > > 
> > > > the latter being non-existent.
> > > 
> > > Oh, hrm.  I built a source package with git-buildpackage from my sid
> > > environment, generating a _source.changes:
> > > 
> > > Checksums-Sha1: 
> > >  db46cc396cd2e8827971278f7bbe647f67e1fb79 1480 unbound_1.4.17-3+deb7u2.dsc
> > >  fea4d812c03af4737ef671ac30b7b7400d346516 3585122 unbound_1.4.17.orig.tar.gz
> > >  d4addd58c211ff20d707e52d961befce855cd401 13864 unbound_1.4.17-3+deb7u2.debian.tar.xz
> > > 
> > > Then I built the source package with a wheezy pbuilder, generating an
> > > _amd64.changes:
> > > 
> > > Checksums-Sha1: 
> > >  22ac970c5f8cbc50a71bfd9227e643ea12e0a780 1430 unbound_1.4.17-3+deb7u2.dsc
> > >  b05bf69385554dddaa22629327ac647c384c1585 15413 unbound_1.4.17-3+deb7u2.debian.tar.gz
> > >  bca4248d66065d4c906e94cbc73c0ce03c18a2a3 676630 unbound_1.4.17-3+deb7u2_amd64.deb
> > >  d31419811533519ec5e01f16f04b111e3cfd4316 92722 unbound-anchor_1.4.17-3+deb7u2_amd64.deb
> > >  d86e2f4c9d0e3ac7a5941894c51042c5c4e58bba 81086 unbound-host_1.4.17-3+deb7u2_amd64.deb
> > >  5e1f6af75500821edc0aba547a52a3acdb70c08a 309792 libunbound2_1.4.17-3+deb7u2_amd64.deb
> > >  31967459a5d928c7aa660dbbe67176f1bdf0f8fe 3482478 libunbound-dev_1.4.17-3+deb7u2_amd64.deb
> > >  08e60f3154dc1e5985dd202fabf07ebe20136b89 113752 python-unbound_1.4.17-3+deb7u2_amd64.deb
> > > 
> > > Then I ran mergechanges -f on the two .changes files.
> > > 
> > > Do you want me to re-build the source package in a pure wheezy
> > > environment?  (And if so, should I re-use the +deb7u2 version number or
> > > bump it to +deb7u3?)
> > > 
> > I think we should be able to schedule a rebuild directly from the
> > archive, but I'm unsure how.
> > 
> > I'm adding wb-team to the loop so they can have a look (especially the
> > amd64 people). Also, since the amd64 build is actually there, I'm not
> > sure a rebuild will be accepted.
> 
> It's in installed state.  Is there something you want me to do?
> Do a binNMU?

Actually nothing to do on wb-side, there was/is a problem when
uploading from security-master -> ftp.master

@Robert, from IRC conversation with Ansgar:

[23:23] < ansgar> Corsac: Oh, an interesting bug.  As far as I understand the problem is that the security-master -> ftp-master sync does not work?  
[23:25] < carnil> ansgar: yes  
[23:25] < carnil> ansgar: the issue as I understand: the original _multi.changes contained debian.tar.gz and debian.tar.xz  
[23:25] < carnil> it was accepted into the embargoed queue  
[23:26] < carnil> (the pool though contains only the one referenced in the dsc file, so debian.tar.gz)  
[23:26] < carnil> on the security-master -> ftp-master  
[23:26] < carnil> upload now, the _multi.changes is referencing a non existing file  
[23:26] < ansgar> As the .dsc looks right (it only has one), the uploader can just fix the .changes and upload to ftp-master. Or give me the missing .debian.tar.*. 

Can you do one of the two approaches?

Regards,
Salvatore



Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#772622; Package src:unbound. (Wed, 10 Dec 2014 22:42:08 GMT) (full text, mbox, link).


Acknowledgement sent to Robert Edmonds <edmonds@debian.org>:
Extra info received and forwarded to list. (Wed, 10 Dec 2014 22:42:08 GMT) (full text, mbox, link).


Message #64 received at 772622@bugs.debian.org (full text, mbox, reply):

From: Robert Edmonds <edmonds@debian.org>
To: Salvatore Bonaccorso <carnil@debian.org>, 772622@bugs.debian.org
Cc: Kurt Roeckx <kurt@roeckx.be>, Yves-Alexis Perez <corsac@debian.org>, wb-team@buildd.debian.org, team@security.debian.org, ansgar@debian.org
Subject: Re: Bug#772622: CVE-2014-8602: denial of service with endless delegations
Date: Wed, 10 Dec 2014 17:38:39 -0500
Salvatore Bonaccorso wrote:
> [23:26] < ansgar> As the .dsc looks right (it only has one), the uploader can just fix the .changes and upload to ftp-master. Or give me the missing .debian.tar.*. 
> 
> Can you do one of the two approaches?

Hi,

The .debian.tar.* files are available here:

    https://people.debian.org/~edmonds/build/unbound/1.4.17-3+deb7u2/

(Along with all the other original artifacts from the build.)

-- 
Robert Edmonds
edmonds@debian.org



Information forwarded to debian-bugs-dist@lists.debian.org, Robert Edmonds <edmonds@debian.org>:
Bug#772622; Package src:unbound. (Thu, 11 Dec 2014 08:09:10 GMT) (full text, mbox, link).


Acknowledgement sent to Yves-Alexis Perez <corsac@debian.org>:
Extra info received and forwarded to list. Copy sent to Robert Edmonds <edmonds@debian.org>. (Thu, 11 Dec 2014 08:09:10 GMT) (full text, mbox, link).


Message #69 received at 772622@bugs.debian.org (full text, mbox, reply):

From: Yves-Alexis Perez <corsac@debian.org>
To: Robert Edmonds <edmonds@debian.org>, ansgar@debian.org
Cc: Salvatore Bonaccorso <carnil@debian.org>, 772622@bugs.debian.org, Kurt Roeckx <kurt@roeckx.be>, team@security.debian.org
Subject: Re: Bug#772622: CVE-2014-8602: denial of service with endless delegations
Date: Thu, 11 Dec 2014 09:06:43 +0100
[Message part 1 (text/plain, inline)]
On mer., 2014-12-10 at 17:38 -0500, Robert Edmonds wrote:
> Salvatore Bonaccorso wrote:
> > [23:26] < ansgar> As the .dsc looks right (it only has one), the uploader can just fix the .changes and upload to ftp-master. Or give me the missing .debian.tar.*. 
> > 
> > Can you do one of the two approaches?
> 
> Hi,
> 
> The .debian.tar.* files are available here:
> 
>     https://people.debian.org/~edmonds/build/unbound/1.4.17-3+deb7u2/
> 
> (Along with all the other original artifacts from the build.)
> 
I guess Ansgar put the debian.tar.xz at the right place, the processing
was successful in the end.

Ansgar: will it not be an issue to have both debian.tar.{gz,xz} in the
archive?

Regards
-- 
Yves-Alexis

Information forwarded to debian-bugs-dist@lists.debian.org, Robert Edmonds <edmonds@debian.org>:
Bug#772622; Package src:unbound. (Thu, 11 Dec 2014 08:39:05 GMT)


Acknowledgement sent to Ansgar Burchardt <ansgar@debian.org>:
Extra info received and forwarded to list. Copy sent to Robert Edmonds <edmonds@debian.org>. (Thu, 11 Dec 2014 08:39:05 GMT)


Message #74 received at 772622@bugs.debian.org:

From: Ansgar Burchardt <ansgar@debian.org>
To: Yves-Alexis Perez <corsac@debian.org>
Cc: Robert Edmonds <edmonds@debian.org>, 772622@bugs.debian.org, Kurt Roeckx <kurt@roeckx.be>, team@security.debian.org
Subject: Re: Bug#772622: CVE-2014-8602: denial of service with endless delegations
Date: Thu, 11 Dec 2014 09:35:44 +0100
Hi,

Yves-Alexis Perez <corsac@debian.org> writes:
> I guess Ansgar put the debian.tar.xz at the right place, the processing
> was successful in the end.
>
> Ansgar: will it not be an issue to have both debian.tar.{gz,xz} in the
> archive?

No, the second .debian.tar.* is not kept: it's referenced by the
.changes so dak verifies that it's included in the upload, but then gets
thrown away as it's not referenced by the .dsc. (The throw-away part
then broke syncing it to ftp-master as a file referenced by the .changes
was suddenly gone.)

Ansgar
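
Added example (not part of the original thread, and not dak's code): the mismatch described above, a source file listed in the .changes but not referenced by the .dsc, can be caught before upload by comparing the Files: fields of the two control files. The package name, checksums and the choice of which tarball the .dsc references are constructed for illustration; `files_field` and `unreferenced_sources` are hypothetical helper names.

```python
"""Pre-upload check: every source file in a .changes should be referenced by the .dsc."""

# Constructed sample control files: hypothetical package, dummy checksums.
CHANGES = """\
Format: 1.8
Source: example
Version: 1.0-1+deb7u2
Files:
 00000000000000000000000000000001 2299 net optional example_1.0-1+deb7u2.dsc
 00000000000000000000000000000002 15413 net optional example_1.0-1+deb7u2.debian.tar.gz
 00000000000000000000000000000003 676630 net optional example_1.0-1+deb7u2_amd64.deb
 00000000000000000000000000000004 3585122 net optional example_1.0.orig.tar.gz
 00000000000000000000000000000005 13864 net optional example_1.0-1+deb7u2.debian.tar.xz
"""

DSC = """\
Format: 3.0 (quilt)
Source: example
Version: 1.0-1+deb7u2
Files:
 00000000000000000000000000000004 3585122 example_1.0.orig.tar.gz
 00000000000000000000000000000005 13864 example_1.0-1+deb7u2.debian.tar.xz
"""

BINARY_SUFFIXES = (".deb", ".udeb", ".buildinfo")


def files_field(control_text):
    """Return the filenames listed in the Files: field of a .changes or .dsc."""
    names, in_field = [], False
    for line in control_text.splitlines():
        if line.startswith("Files:"):
            in_field = True
        elif in_field and line.startswith(" ") and line.strip():
            names.append(line.split()[-1])  # filename is the last column in both formats
        elif in_field:
            break  # next field, blank line or PGP armor ends the list
    return names


def unreferenced_sources(changes_text, dsc_text):
    """Source files the .changes lists but the .dsc does not reference."""
    referenced = set(files_field(dsc_text))
    return [name for name in files_field(changes_text)
            if not name.endswith(BINARY_SUFFIXES + (".dsc",))
            and name not in referenced]


if __name__ == "__main__":
    for name in unreferenced_sources(CHANGES, DSC):
        print("listed in .changes but not in .dsc:", name)
```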



Information forwarded to debian-bugs-dist@lists.debian.org, Robert Edmonds <edmonds@debian.org>:
Bug#772622; Package src:unbound. (Thu, 11 Dec 2014 09:03:07 GMT)


Acknowledgement sent to Yves-Alexis Perez <corsac@debian.org>:
Extra info received and forwarded to list. Copy sent to Robert Edmonds <edmonds@debian.org>. (Thu, 11 Dec 2014 09:03:07 GMT)


Message #79 received at 772622@bugs.debian.org:

From: Yves-Alexis Perez <corsac@debian.org>
To: Ansgar Burchardt <ansgar@debian.org>
Cc: Robert Edmonds <edmonds@debian.org>, 772622@bugs.debian.org, Kurt Roeckx <kurt@roeckx.be>, team@security.debian.org
Subject: Re: Bug#772622: CVE-2014-8602: denial of service with endless delegations
Date: Thu, 11 Dec 2014 10:00:03 +0100
On Thu, 2014-12-11 at 09:35 +0100, Ansgar Burchardt wrote:
> >
> > Ansgar: will it not be an issue to have both debian.tar.{gz,xz} in the
> > archive?
> 
> No, the second .debian.tar.* is not kept: it's referenced by the
> .changes so dak verifies that it's included in the upload, but then gets
> thrown away as it's not referenced by the .dsc. (The throw-away part
> then broke syncing it to ftp-master as a file referenced by the .changes
> was suddenly gone.)

Thanks for the clarification!
-- 
Yves-Alexis

Reply sent to Robert Edmonds <edmonds@debian.org>:
You have taken responsibility. (Fri, 12 Dec 2014 09:39:11 GMT)


Notification sent to Yves-Alexis Perez <corsac@debian.org>:
Bug acknowledged by developer. (Fri, 12 Dec 2014 09:39:11 GMT)


Message #84 received at 772622-close@bugs.debian.org:

From: Robert Edmonds <edmonds@debian.org>
To: 772622-close@bugs.debian.org
Subject: Bug#772622: fixed in unbound 1.4.17-3+deb7u2
Date: Fri, 12 Dec 2014 09:37:30 +0000
Source: unbound
Source-Version: 1.4.17-3+deb7u2

We believe that the bug you reported is fixed in the latest version of
unbound, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 772622@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Robert Edmonds <edmonds@debian.org> (supplier of updated unbound package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Tue, 09 Dec 2014 18:34:57 -0500
Source: unbound
Binary: unbound unbound-anchor unbound-host libunbound2 libunbound-dev python-unbound
Architecture: amd64 source
Version: 1.4.17-3+deb7u2
Distribution: wheezy-security
Urgency: medium
Maintainer: Robert S. Edmonds <edmonds@debian.org>
Changed-By: Robert Edmonds <edmonds@debian.org>
Closes: 772622
Description: 
 libunbound-dev - static library, header files, and docs for libunbound
 libunbound2 - library implementing DNS resolution and validation
 python-unbound - library implementing DNS resolution and validation (Python bindin
 unbound    - validating, recursive, caching DNS resolver
 unbound-anchor - utility to securely fetch the root DNS trust anchor
 unbound-host - reimplementation of the 'host' command
Changes: 
 unbound (1.4.17-3+deb7u2) wheezy-security; urgency=medium
 .
    * Fix CVE-2014-8602: denial of service by making resolver chase endless
      series of delegations; closes: #772622.





Reply sent to Thorsten Alteholz <debian@alteholz.de>:
You have taken responsibility. (Fri, 12 Dec 2014 19:09:05 GMT)


Notification sent to Yves-Alexis Perez <corsac@debian.org>:
Bug acknowledged by developer. (Fri, 12 Dec 2014 19:09:05 GMT)


Message #89 received at 772622-close@bugs.debian.org:

From: Thorsten Alteholz <debian@alteholz.de>
To: 772622-close@bugs.debian.org
Subject: Bug#772622: fixed in unbound 1.4.6-1+squeeze4
Date: Fri, 12 Dec 2014 19:04:13 +0000
Source: unbound
Source-Version: 1.4.6-1+squeeze4

We believe that the bug you reported is fixed in the latest version of
unbound, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 772622@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thorsten Alteholz <debian@alteholz.de> (supplier of updated unbound package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 12 Dec 2014 18:34:57 +0100
Source: unbound
Binary: unbound unbound-host libunbound2 libunbound-dev
Architecture: source i386
Version: 1.4.6-1+squeeze4
Distribution: squeeze-lts
Urgency: high
Maintainer: Robert S. Edmonds <edmonds@debian.org>
Changed-By: Thorsten Alteholz <debian@alteholz.de>
Description: 
 libunbound-dev - static library, header files, and docs for libunbound
 libunbound2 - library implementing DNS resolution and validation
 unbound    - validating, recursive, caching DNS resolver
 unbound-host - reimplementation of the 'host' command
Closes: 772622
Changes: 
 unbound (1.4.6-1+squeeze4) squeeze-lts; urgency=high
 .
    * Fix CVE-2014-8602: denial of service by making resolver chase endless
      series of delegations; closes: #772622.





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 12 Jan 2015 07:26:42 GMT)


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 16:38:54 2019; Machine Name: beach