
Bug#990077: unblock: apache2/2.4.48-2



Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: security@debian.org

Please unblock package apache2

[ Reason ]
In the past we had some problems following CVE fixes for Apache2. For
Buster, we had to import the whole http2 module from 2.4.46 into 2.4.38
because it was impossible to apply the upstream fix due to module
changes. This isolated import was really risky but we didn't find a
better way.

Now the story restarts with CVE-2021-31618. The upstream fix is simple
but refers to other changes. In particular the whole SSL stack changed.
Even for Bullseye, there are too many differences between 2.4.46 and
2.4.48 to apply this fix.

Apache2 has been RFH for years, but has too many reverse dependencies to be
removed from Bullseye (even if there are some alternatives).

Our current apache2 policy keeps a lot of (maybe unimportant) CVEs
open.

So we decided to follow upstream changes for Bullseye. So this is the
last version which fixes 6 CVEs (one grave).

[ Impact ]
Multiple security issues.

[ Tests ]
Tests passed (autopkgtest)

[ Risks ]
Patch isn't trivial, but it looks like upstream provides a fully
tested version.

[ Checklist ]
  [X] all changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in testing

[ Other info ]
The debdiff contains only debian/* changes. I did not find it interesting to
provide the real debdiff, which is really big.

Cheers,
Yadd

unblock apache2/2.4.48-2
diff --git a/debian/apache2-data.lintian-overrides b/debian/apache2-data.lintian-overrides
index 902735d7..fa617892 100644
--- a/debian/apache2-data.lintian-overrides
+++ b/debian/apache2-data.lintian-overrides
@@ -1 +1,5 @@
 debian-changelog-file-is-a-symlink
+package-contains-documentation-outside-usr-share-doc usr/share/apache2/default-site/index.html
+package-contains-documentation-outside-usr-share-doc usr/share/apache2/error/include/bottom.html
+package-contains-documentation-outside-usr-share-doc usr/share/apache2/error/include/spacer.html
+package-contains-documentation-outside-usr-share-doc usr/share/apache2/error/include/top.html
diff --git a/debian/apache2.logrotate b/debian/apache2.logrotate
index 37c5f22e..9d2356da 100644
--- a/debian/apache2.logrotate
+++ b/debian/apache2.logrotate
@@ -1,20 +1,20 @@
 /var/log/apache2/*.log {
-	daily
-	missingok
-	rotate 14
-	compress
-	delaycompress
-	notifempty
-	create 640 root adm
-	sharedscripts
-	postrotate
-                if invoke-rc.d apache2 status > /dev/null 2>&1; then \
-                    invoke-rc.d apache2 reload > /dev/null 2>&1; \
-                fi;
-	endscript
-	prerotate
-		if [ -d /etc/logrotate.d/httpd-prerotate ]; then \
-			run-parts /etc/logrotate.d/httpd-prerotate; \
-		fi; \
-	endscript
+    daily
+    missingok
+    rotate 14
+    compress
+    delaycompress
+    notifempty
+    create 640 root adm
+    sharedscripts
+    prerotate
+	if [ -d /etc/logrotate.d/httpd-prerotate ]; then
+	    run-parts /etc/logrotate.d/httpd-prerotate
+	fi
+    endscript
+    postrotate
+	if pgrep -f ^/usr/sbin/apache2 > /dev/null; then
+	    invoke-rc.d apache2 reload
+	fi
+    endscript
 }
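
Review bot: in the new postrotate block, `pgrep -f ^/usr/sbin/apache2` matches any process whose command line starts with that path, so the check is no longer tied to the instance that `invoke-rc.d apache2 reload` acts on, unlike the removed `invoke-rc.d apache2 status` test. The reload also loses its `> /dev/null 2>&1`, so its output and any error text now reach whoever receives logrotate's output. If both are intended, say so in the changelog entry for #979813; otherwise keep the redirect and match on the service's own status or PID file. The hunk also swaps the prerotate/postrotate order and reindents every line, which hides the two behavioural changes in whitespace noise.
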
diff --git a/debian/changelog b/debian/changelog
index fa775057..fef71d5b 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,4 +1,40 @@
-apache2 (2.4.46-6) unstable; urgency=medium
+apache2 (2.4.48-2) unstable; urgency=medium
+
+  * Back to unstable: Apache2 will follow upstream changes for Bullseye
+
+  [ Christian Ehrhardt ]
+  * d/t/control, d/t/check-http2: basic test for http2 (Closes: #884068)
+
+ -- Yadd <yadd@debian.org>  Sat, 19 Jun 2021 17:50:29 +0200
+
+apache2 (2.4.48-1) experimental; urgency=medium
+
+  [ Daniel Lewart ]
+  * Update apache2.logrotate (Closes: #979813)
+
+  [ Andreas Hasenack ]
+  * Avoid test suite failure (Closes: #985012)
+
+  [ Yadd ]
+  * Update lintian overrides
+  * Re-export upstream signing key without extra signatures.
+
+  [ Ondřej Surý ]
+  * New upstream version 2.4.48 (Closes: CVE-2019-17567, CVE-2020-13938,
+    CVE-2020-13950, CVE-2020-35452, CVE-2021-26690, CVE-2021-26691,
+    CVE-2021-30641, CVE-2021-31618)
+
+ -- Ondřej Surý <ondrej@debian.org>  Tue, 08 Jun 2021 08:29:35 +0200
+
+apache2 (2.4.47-1) experimental; urgency=medium
+
+  * Update upstream keys file
+  * New upstream version 2.4.47
+  * Refresh patches
+
+ -- Yadd <yadd@debian.org>  Thu, 29 Apr 2021 08:03:33 +0200
+
+apache2 (2.4.48-1) experimental; urgency=medium
 
   * Fix various low security issues (Closes: CVE-2020-13950, CVE-2020-35452,
     CVE-2021-26690, CVE-2021-26691, CVE-2021-30641)
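
Review bot: the last added line, `apache2 (2.4.48-1) experimental; urgency=medium`, now heads the stanza that was `apache2 (2.4.46-6) unstable` before this change, so the changelog ends up with two 2.4.48-1 entries and the "Fix various low security issues" upload loses its real version and distribution. Restore that header as `apache2 (2.4.46-6) unstable; urgency=medium`. Separately, the 2.4.48-1 entry lists eight CVE identifiers while the unblock request speaks of 6 CVEs; the two should agree.
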
@@ -76,7 +112,7 @@ apache2 (2.4.43-1) unstable; urgency=medium
   * Fix logrotate script for multi-instance (Closes: #914606)
 
   [ Xavier Guimard ]
-  * New upstream version 2.4.43
+  * New upstream version 2.4.43 (Closes: CVE-2020-1927, CVE-2020-1934)
   * Refresh patches
 
  -- Xavier Guimard <yadd@debian.org>  Tue, 31 Mar 2020 08:02:12 +0200
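
Review bot: `Closes:` in a Debian changelog is the marker for Debian bug numbers, and this hunk and the three that follow put CVE identifiers into it on entries for uploads made long ago. Listing the CVEs is useful for tracking, but write them as plain text (for example "fixes CVE-2020-1927, CVE-2020-1934") and mention in the 2.4.48-2 entry that historical entries were annotated, so the retroactive edit is itself documented.
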
@@ -119,7 +155,8 @@ apache2 (2.4.41-2) unstable; urgency=medium
 
 apache2 (2.4.41-1) unstable; urgency=medium
 
-  * New upstream version 2.4.41
+  * New upstream version 2.4.41 (Closes: CVE-2019-9517, CVE-2019-10081,
+    CVE-2019-10082, CVE-2019-10092, CVE-2019-10098)
   * Update lintian overrides
   * Remove README in usr/share/apache2
   * Move httxt2dbm manpage in section 8
@@ -139,7 +176,8 @@ apache2 (2.4.39-1) unstable; urgency=medium
   * Do not install /usr/share/apache2/build/config.nice (Closes: #929510)
 
   [ Xavier Guimard ]
-  * New upstream version 2.4.39
+  * New upstream version 2.4.39 (Closes: CVE-2019-0196, CVE-2019-0197,
+    CVE-2019-0211, CVE-2019-0215, CVE-2019-0217, CVE-2019-0220)
   * Refresh patches
   * Remove patches now included in upstream
   * Replace duplicate doc files by links using jdupes
@@ -228,7 +266,8 @@ apache2 (2.4.38-1) unstable; urgency=medium
     LogFormat directives.
 
   [ Xavier Guimard ]
-  * New upstream version 2.4.38 (Closes: #920220, #920302, #920303)
+  * New upstream version 2.4.38 (Closes: #920220, #920302, #920303,
+    CVE-2018-17189, CVE-2018-17199, CVE-2019-0190)
   * Refresh patches
   * Remove setenvifexpr.diff patch now included in upstream
   * Replace libapache2-mod-proxy-uwsgi.{post*,prerm} by a maintscript
diff --git a/debian/control b/debian/control
index 11d92ea8..ac671287 100644
--- a/debian/control
+++ b/debian/control
@@ -3,7 +3,7 @@ Maintainer: Debian Apache Maintainers <debian-apache@lists.debian.org>
 Uploaders: Stefan Fritsch <sf@debian.org>,
            Arno Töll <arno@debian.org>,
            Ondřej Surý <ondrej@debian.org>,
-           Xavier Guimard <yadd@debian.org>
+           Yadd <yadd@debian.org>
 Section: httpd
 Priority: optional
 Build-Depends: debhelper-compat (= 13),
diff --git a/debian/patches/CVE-2020-13950.patch b/debian/patches/CVE-2020-13950.patch
deleted file mode 100644
index cf0ef992..00000000
--- a/debian/patches/CVE-2020-13950.patch
+++ /dev/null
@@ -1,28 +0,0 @@
-Description: The proxy connection may be NULL during prefetch, don't try to dereference it!
- Still origin->keepalive will be set according to p_conn->close by the caller
- (proxy_http_handler).
-Author: Apache authors
-Origin: upstream, https://svn.apache.org/r1678771
-Bug: <url in upstream bugtracker>
-Forwarded: not-needed
-Reviewed-By: Yadd <yadd@debian.org>
-Last-Update: 2021-06-10
-
---- a/modules/proxy/mod_proxy_http.c
-+++ b/modules/proxy/mod_proxy_http.c
-@@ -577,7 +577,6 @@
-     apr_off_t bytes;
-     int force10, rv;
-     apr_read_type_e block;
--    conn_rec *origin = p_conn->connection;
- 
-     if (apr_table_get(r->subprocess_env, "force-proxy-request-1.0")) {
-         if (req->expecting_100) {
-@@ -637,7 +636,6 @@
-                       "chunked body with Content-Length (C-L ignored)",
-                       c->client_ip, c->remote_host ? c->remote_host: "");
-         req->old_cl_val = NULL;
--        origin->keepalive = AP_CONN_CLOSE;
-         p_conn->close = 1;
-     }
- 
diff --git a/debian/patches/CVE-2020-35452.patch b/debian/patches/CVE-2020-35452.patch
deleted file mode 100644
index 52042108..00000000
--- a/debian/patches/CVE-2020-35452.patch
+++ /dev/null
@@ -1,27 +0,0 @@
-Description: <short summary of the patch>
-Author: Apache authors
-Origin: upstream, https://github.com/apache/httpd/commit/3b6431e
-Bug: https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2020-35452
-Forwarded: not-needed
-Reviewed-By: Yadd <yadd@debian.org>
-Last-Update: 2021-06-10
-
---- a/modules/aaa/mod_auth_digest.c
-+++ b/modules/aaa/mod_auth_digest.c
-@@ -1422,9 +1422,14 @@
-     time_rec nonce_time;
-     char tmp, hash[NONCE_HASH_LEN+1];
- 
--    if (strlen(resp->nonce) != NONCE_LEN) {
-+    /* Since the time part of the nonce is a base64 encoding of an
-+     * apr_time_t (8 bytes), it should end with a '=', fail early otherwise.
-+     */
-+    if (strlen(resp->nonce) != NONCE_LEN
-+            || resp->nonce[NONCE_TIME_LEN - 1] != '=') {
-         ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(01775)
--                      "invalid nonce %s received - length is not %d",
-+                      "invalid nonce '%s' received - length is not %d "
-+                      "or time encoding is incorrect",
-                       resp->nonce, NONCE_LEN);
-         note_digest_auth_failure(r, conf, resp, 1);
-         return HTTP_UNAUTHORIZED;
diff --git a/debian/patches/CVE-2021-26690.patch b/debian/patches/CVE-2021-26690.patch
deleted file mode 100644
index 5ceec1fd..00000000
--- a/debian/patches/CVE-2021-26690.patch
+++ /dev/null
@@ -1,20 +0,0 @@
-Description: <short summary of the patch>
-Author: Apache authors
-Origin: upstream, https://github.com/apache/httpd/commit/67bd9bfe
-Bug: https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2021-26690
-Forwarded: not-needed
-Reviewed-By: Yadd <yadd@debian.org>
-Last-Update: 2021-06-10
-
---- a/modules/session/mod_session.c
-+++ b/modules/session/mod_session.c
-@@ -405,8 +405,8 @@
-         char *plast = NULL;
-         const char *psep = "=";
-         char *key = apr_strtok(pair, psep, &plast);
--        char *val = apr_strtok(NULL, psep, &plast);
-         if (key && *key) {
-+	    char *val = apr_strtok(NULL, sep, &plast);
-             if (!val || !*val) {
-                 apr_table_unset(z->entries, key);
-             }
diff --git a/debian/patches/CVE-2021-26691.patch b/debian/patches/CVE-2021-26691.patch
deleted file mode 100644
index 2d786b16..00000000
--- a/debian/patches/CVE-2021-26691.patch
+++ /dev/null
@@ -1,18 +0,0 @@
-Description: mod_session: account for the '&' in identity_concat().
-Author: Apache authors
-Origin: upstream, https://github.com/apache/httpd/commit/7e09dd71
-Forwarded: not-needed
-Reviewed-By: Yadd <yadd@debian.org>
-Last-Update: 2021-06-10
-
---- a/modules/session/mod_session.c
-+++ b/modules/session/mod_session.c
-@@ -318,7 +318,7 @@
- static int identity_count(void *v, const char *key, const char *val)
- {
-     int *count = v;
--    *count += strlen(key) * 3 + strlen(val) * 3 + 1;
-+    *count += strlen(key) * 3 + strlen(val) * 3 + 2;
-     return 1;
- }
- 
diff --git a/debian/patches/CVE-2021-30641.patch b/debian/patches/CVE-2021-30641.patch
deleted file mode 100644
index 7486e1b3..00000000
--- a/debian/patches/CVE-2021-30641.patch
+++ /dev/null
@@ -1,50 +0,0 @@
-Description: legacy default slash-matching behavior w/ 'MergeSlashes OFF'
-Author: Apache authors
-Origin: upstream, https://github.com/apache/httpd/commit/eb986059
-Bug: https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2021-30641
-Forwarded: not-needed
-Reviewed-By: Yadd <yadd@debian.org>
-Last-Update: 2021-06-10
-
---- a/server/request.c
-+++ b/server/request.c
-@@ -1419,7 +1419,20 @@
- 
-     cache = prep_walk_cache(AP_NOTE_LOCATION_WALK, r);
-     cached = (cache->cached != NULL);
--    entry_uri = r->uri;
-+
-+    /*
-+    * When merge_slashes is set to AP_CORE_CONFIG_OFF the slashes in r->uri
-+    * have not been merged. But for Location walks we always go with merged
-+    * slashes no matter what merge_slashes is set to.
-+    */
-+    if (sconf->merge_slashes != AP_CORE_CONFIG_OFF) {
-+        entry_uri = r->uri;
-+    }
-+    else {
-+        char *uri = apr_pstrdup(r->pool, r->uri);
-+        ap_no2slash(uri);
-+        entry_uri = uri;
-+    }
- 
-     /* If we have an cache->cached location that matches r->uri,
-      * and the vhost's list of locations hasn't changed, we can skip
-@@ -1486,7 +1499,7 @@
-                     pmatch = apr_palloc(rxpool, nmatch*sizeof(ap_regmatch_t));
-                 }
- 
--                if (ap_regexec(entry_core->r, entry_uri, nmatch, pmatch, 0)) {
-+                if (ap_regexec(entry_core->r, r->uri, nmatch, pmatch, 0)) {
-                     continue;
-                 }
- 
-@@ -1496,7 +1509,7 @@
-                         apr_table_setn(r->subprocess_env,
-                                        ((const char **)entry_core->refs->elts)[i],
-                                        apr_pstrndup(r->pool,
--                                       entry_uri + pmatch[i].rm_so,
-+                                       r->uri + pmatch[i].rm_so,
-                                        pmatch[i].rm_eo - pmatch[i].rm_so));
-                     }
-                 }
diff --git a/debian/patches/CVE-2021-31618.patch b/debian/patches/CVE-2021-31618.patch
deleted file mode 100644
index 12d59c8b..00000000
--- a/debian/patches/CVE-2021-31618.patch
+++ /dev/null
@@ -1,20 +0,0 @@
-Description: fix NULL pointer dereference on specially crafted HTTP/2 request
-Author: Upstream
-Origin: upstream, http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/modules/http2/h2_stream.c?r1=1889759&r2=1889758&pathrev=1889759
-Bug: https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2021-31618
-Bug-Debian: https://bugs.debian.org/989562
-Forwarded: not-needed
-Reviewed-By: Yadd <yadd@debian.org>
-Last-Update: 2021-06-10
-
---- a/modules/http2/h2_stream.c
-+++ b/modules/http2/h2_stream.c
-@@ -638,7 +638,7 @@
- 
- static void set_error_response(h2_stream *stream, int http_status)
- {
--    if (!h2_stream_is_ready(stream)) {
-+    if (!h2_stream_is_ready(stream) && stream->rtmp) {
-         conn_rec *c = stream->session->c;
-         apr_bucket *b;
-         h2_headers *response;
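
Review bot: this deletion and the five other removed CVE-*.patch files can only be checked against upstream 2.4.48, which this debdiff leaves out (it covers debian/* only). For the reviewer to confirm that, for example, the `stream->rtmp` guard in `set_error_response()` is present in the new source, either attach the upstream diff for the touched files (h2_stream.c, mod_session.c, mod_auth_digest.c, mod_proxy_http.c, server/request.c) or state per patch in the changelog that it is included upstream.
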
diff --git a/debian/patches/build_suexec-custom.patch b/debian/patches/build_suexec-custom.patch
index e03d54be..f3c773a1 100644
--- a/debian/patches/build_suexec-custom.patch
+++ b/debian/patches/build_suexec-custom.patch
@@ -4,7 +4,7 @@ Author: Stefan Fritsch <sf@debian.org>
 Last-Update: 2012-02-25
 --- a/Makefile.in
 +++ b/Makefile.in
-@@ -272,23 +272,26 @@
+@@ -292,23 +292,26 @@
  install-suexec: install-suexec-$(INSTALL_SUEXEC)
  
  install-suexec-binary:
diff --git a/debian/patches/fhs_compliance.patch b/debian/patches/fhs_compliance.patch
index be673f96..056d31a6 100644
--- a/debian/patches/fhs_compliance.patch
+++ b/debian/patches/fhs_compliance.patch
@@ -4,7 +4,7 @@ Author: Adam Conrad <adconrad@0c3.net>
 Last-Update: 2012-02-25
 --- a/configure
 +++ b/configure
-@@ -40130,17 +40130,17 @@
+@@ -40439,17 +40439,17 @@
  
  
  cat >>confdefs.h <<_ACEOF
@@ -27,7 +27,7 @@ Last-Update: 2012-02-25
  
 --- a/configure.in
 +++ b/configure.in
-@@ -873,11 +873,11 @@
+@@ -874,11 +874,11 @@
  echo $MODLIST | $AWK -f $srcdir/build/build-modules-c.awk > modules.c
  
  APR_EXPAND_VAR(ap_prefix, $prefix)
diff --git a/debian/patches/series b/debian/patches/series
index 8596c419..bb7458ed 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -5,15 +5,9 @@ customize_apxs.patch
 build_suexec-custom.patch
 reproducible_builds.diff
 #mod_proxy_ajp-add-secret-parameter.diff
-buffer-http-request-bodies-for-tlsv13.diff
-tlsv13-add-logno.diff
+#buffer-http-request-bodies-for-tlsv13.diff
+#tlsv13-add-logno.diff
 
 # This patch is applied manually
 #suexec-custom.patch
 spelling-errors.diff
-CVE-2021-31618.patch
-CVE-2021-30641.patch
-CVE-2021-26691.patch
-CVE-2021-26690.patch
-CVE-2020-35452.patch
-CVE-2020-13950.patch
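
Review bot: `#buffer-http-request-bodies-for-tlsv13.diff` and `#tlsv13-add-logno.diff` are commented out rather than removed, with no reason given here and none in the changelog entries shown ("Refresh patches" is the closest). If they are now part of upstream, delete the two files and drop the lines, as is done for the six CVE patches in the same hunk; if they are disabled for another reason, add a comment above them saying why, because a silently disabled TLS 1.3 patch is exactly what a later security review will trip over.
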
diff --git a/debian/patches/spelling-errors.diff b/debian/patches/spelling-errors.diff
index 7fe3d085..f7b6e98a 100644
--- a/debian/patches/spelling-errors.diff
+++ b/debian/patches/spelling-errors.diff
@@ -5,7 +5,7 @@ Last-Update: 2020-11-13
 
 --- a/modules/http2/h2_config.c
 +++ b/modules/http2/h2_config.c
-@@ -721,7 +721,7 @@
+@@ -730,7 +730,7 @@
      else if (!strcasecmp("BEFORE", sdependency)) {
          dependency = H2_DEPENDANT_BEFORE;
          if (sweight) {
diff --git a/debian/perl-framework/t/apache/expr_string.t b/debian/perl-framework/t/apache/expr_string.t
index a9115eee..66b09030 100644
--- a/debian/perl-framework/t/apache/expr_string.t
+++ b/debian/perl-framework/t/apache/expr_string.t
@@ -7,6 +7,8 @@ use Apache::TestUtil qw(t_write_file t_start_error_log_watch t_finish_error_log_
 
 use File::Spec;
 
+use Time::HiRes qw(usleep);
+
 # test ap_expr
 
 Apache::TestRequest::user_agent(keep_alive => 1);
@@ -62,6 +64,8 @@ foreach my $t (@test_cases) {
                        'SomeHeader' => 'SomeValue',
                        'User-Agent' => 'SomeAgent',
                        'Referer'    => 'SomeReferer');
+    ### Sleep here, attempt to avoid intermittent failures. (LP: #1890302)
+    usleep(250000);
     my @loglines = t_finish_error_log_watch();
 
     my @evalerrors = grep {/(?:internal evaluation error|flex scanner jammed)/i
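
Review bot: the fixed `usleep(250000)` before `t_finish_error_log_watch()` narrows the race behind LP: #1890302 but does not remove it, and every iteration of the loop now pays 250 ms. A short retry loop that re-reads the error log until the expected lines appear or a timeout expires would make the test deterministic; if the sleep stays, the comment should say what is being waited for (the server flushing its error log) rather than only "attempt to avoid intermittent failures".
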
diff --git a/debian/tests/check-http2 b/debian/tests/check-http2
new file mode 100644
index 00000000..6bc91251
--- /dev/null
+++ b/debian/tests/check-http2
@@ -0,0 +1,41 @@
+#!/bin/sh
+set -uxe
+
+# http2 is rather new, check that it at least generally works
+# Author: Christian Ehrhardt <christian.ehrhardt@canonical.com>
+
+a2enmod http2
+a2enmod ssl
+a2ensite default-ssl
+# Enable globally
+echo "Protocols h2c h2 http/1.1" >> /etc/apache2/apache2.conf
+service apache2 restart
+
+# Use curl here. wget doesn't work on Debian, even with --no-check-certificate
+# wget on Debian gives me:
+#    GnuTLS: A TLS warning alert has been received.
+#    Unable to establish SSL connection.
+# Presumably this is due to the self-signed certificate, but I'm not sure how
+# to skip the warning with wget. curl will do for now.
+echo "Hello, world!" > /var/www/html/hello.txt
+
+testapache () {
+    cmd="${1}"
+    result=$(${cmd})
+
+    if [ "$result" != "Hello, world!" ]; then
+        echo "Unexpected result: ${result}" >&2
+        exit 1
+    else
+        echo OK
+    fi
+}
+
+# https shall not affect http
+testapache "curl -s -k http://localhost/hello.txt";
+# https shall not affect https
+testapache "curl -s -k https://localhost/hello.txt";
+#plain http2
+testapache "nghttp --no-verify-peer https://localhost/hello.txt";
+#http2 upgrade
+testapache "nghttp -u --no-verify-peer http://localhost/hello.txt";
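
Review bot: in `testapache`, `result=$(${cmd})` runs under `set -uxe`, so a non-zero exit from curl or nghttp aborts the script on that line and the "Unexpected result" diagnostic is never printed. Use `result=$(${cmd}) || { echo "Command failed: ${cmd}" >&2; exit 1; }` so the log shows which of the four requests failed. Two smaller points: the comment "https shall not affect https" looks like a copy-paste of the line above it, and the script appends `Protocols h2c h2 http/1.1` to /etc/apache2/apache2.conf without restoring it, which is acceptable only because the test is marked breaks-testbed.
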
diff --git a/debian/tests/control b/debian/tests/control
index be79f603..37ae2ca6 100644
--- a/debian/tests/control
+++ b/debian/tests/control
@@ -23,6 +23,10 @@ Tests: ssl-passphrase
 Restrictions: needs-root allow-stderr breaks-testbed
 Depends: apache2, curl, expect, ssl-cert
 
+Tests: check-http2
+Restrictions: needs-root allow-stderr breaks-testbed
+Depends: apache2, curl, ssl-cert, nghttp2-client
+
 Tests: chroot
 Features: no-build-needed
 Restrictions: needs-root allow-stderr breaks-testbed
diff --git a/debian/upstream/signing-key.asc b/debian/upstream/signing-key.asc
index f7b8c0c7..593ba096 100644
--- a/debian/upstream/signing-key.asc
+++ b/debian/upstream/signing-key.asc
@@ -5201,3 +5201,61 @@ R9i/x4rPeMllVGUhnWedlmJP50XTUVKG9RIjDjkXY8n6fWvqlItM7+sG53c82Q6z
 2Zvzzqpnur6uMCSE2aZ8
 =FKwf
 -----END PGP PUBLIC KEY BLOCK-----
+
+pub   rsa4096 2021-04-21 [SC]
+      C55A B7B9 139E B226 3CD1  AABC 19B0 33D1 760C 227B
+uid          [  ultime ] Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+sub   rsa4096 2021-04-21 [E]
+
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+
+mQINBGCAei8BEADKUPoj6I2OjdZ44486xLrZoApbXP3hOadau8DgXXPO84b0dnCS
+NqvV3aDSXULtSdh+48pVdv0yBtqCeo6pWNBR/aURxxh3vDJNyQVzhDZsdePITwmV
+qkpICUXeuTpyow3ir1+05p0DU6F33TynhZsyHltKmu+GqvxYYrzud+bw9zTN0Z45
+Br/cKF/YE2uVEjq/x440qtSQmFhM7eSQvTv9lo9QgMO+eQXK0Dt4bsfyAZ1q2HAt
+XGup0iwQpoxS1ofdkSxpvCBWklAiNXH0+qHGdVTJlqCp70xpsC2DXhbckCeLi2w7
+GGa3jCNuf6P5uxW+tPlyFm5aFBSDd/3gAsU8G/a3ng3+78peKjatpmTkBJmXpA1E
+cDWFZNKLlS5eE1c2LG+Hgu0yZrvArsJ8dvjbAuYn7uCWLll/Pjy26L9mKwLlJdcl
+TX2rgx7a+yi2nfJwtj0rWWqX95HudUcWRxBVtpCjg6NKzv97dm3wOUOm15xcp0r0
+QAzNtjllOjr3RwTgE4B3j4GFXof92HKS8H+B1/z9ZBbz399fs/wS9o/sDyMVevNP
+88IGihaxPkfTw0UKZz5cR6X1BWlcH3404bVB/LHcq7+c1NUqvRfIlwwwsKGjMCWf
+vv3cDVUvb3mMhvQs0rBEyb71bbKCe3qb10CvOJAmocp1c+YHo5vpQYeMJQARAQAB
+tDJDaHJpc3RvcGhlIEpBSUxMRVQgPGNocmlzdG9waGUuamFpbGxldEB3YW5hZG9v
+LmZyPokCTgQTAQoAOBYhBMVat7kTnrImPNGqvBmwM9F2DCJ7BQJggHovAhsDBQsJ
+CAcDBRUKCQgLBRYCAwEAAh4BAheAAAoJEBmwM9F2DCJ7E4MP/iVC7ZglH2sLi5wv
+YZaXqMib7dau1NmGUocaz57U6lR2WpfhTIiHELtFnmb8eVuJGzzmYaDwaIN/knOw
+vudUGrMI5TjAmgAdj3BswXoJQNGhKhLwtf3yzvabFbp6oPfxq+PgXRMWnDojQ0cC
++VdfavJt4dOq1TrcH20B1GhJUiNxdkwAlVu3hcpdJ4pgIPVxxeozLAU3hLjMXxeo
+j9eVmzTaM/fd0ykbIkMUHfPEdqnmbTPwk2lIMFwcoa7iUdcYIDDWbHvnvVZ+4Uae
+pX6st8QHDva+etW/illgYRGMVsCL6FEtYRe+nTJLdvT81QoovVeoeyKtZNzCdNJb
+WUfqoCoLDQza8ibRpHLleRIQS4zn/TtXpvVwMG5wjZCnEBypmBzriKSt9QrcvVKu
+ROjR9Bizzwj1QUL3fMFoVWLLCt5TkGszZWvfmcjsq4gZhcgCrRp59BpuBa8Khvnf
+l5OgVqttmM6PQcFwJTHKUc5Ltzh0xTXwYl6uSEGSn1DoDlmUSnK3R+x0u61FfiHh
+KvkO/PIdTeA05ihkMRqMtDbPwsghmdXV2wlkcApdr4wXHsuYffvxN1daoUDQXDix
+GgPFRG4eYORYY2hlAo7a4ahUzeCJJQGfrF/E3YojXsIgVIbp+UjlH4kkR9J6F/wl
+NVgU2JF03YSZ9zyq4lSrP6lji2ehuQINBGCAei8BEACvQQIc89CwDOiKAeJCL9WW
+U4O3XX1LwQCzz6W519PrFnQy3194ddT7L0E4gEB9cNBczxSpvMHUiYkynMLZ7i6a
+X4BIVDzOyrN/5S6ZkOddpu9/zGJtupzN68SIpJrIry1zeXVm8Ex3VzfikVFDsxQg
+OkTu4b0YWts4hJbJMa3cTh+pLQQ+vHqKe4z6L3hVfdL2LZ8W9xmDvCBh3Ysz/mZF
+2dI47XdGGgGY/t50MpFJYrPy0JMfyeHdXHwF90pY/MwWr8QeHjlX589P1MMc/5UB
+c1ScFfy40gUryUnRQudN12KEQZDMb4G/8Bz6t4mm8nOspDwwbdHjeZhyrWYZpEd/
+ZV6iywoZ7IBzrdaWzgVs5+DhvJZVudpKlqVip37E9pUYKgMJ2A/asD85HV+yODiF
+uub9t7quSWgKKkP75BfBzKCp0T0y+wRnKWUdnlEg2wK0QJxOjkhKw3uC84tr2dlx
+CHWF0TLKjkUBqnDT3uSY8DMwZxqEyAEQWzBeP7MFsAy2yZChSHrSKN4ZMx57KYxj
+1lsxqFYZo9h9bpar5L77JMkgUtqh+reZYAhMSpk33rgRH5dPpfvn3nkCKgngsxtf
+gD9fPpVQgANTEj6rdvtOIFn1Z1U4B4GonaFTGPr771+6ZolLmpylbJp5kviiAz3f
+CMJ1cVWhIvr/5G88X4jEMQARAQABiQI2BBgBCgAgFiEExVq3uROesiY80aq8GbAz
+0XYMInsFAmCAei8CGwwACgkQGbAz0XYMInsbqA/9HFdq+s1Tk6rluxM3hjnx1HQ8
+R9TStbZqBPrKllOPVNnBpjAShoBKCJ9XbSgzaGVlsDMOXe0wZMjW6TF18igVcA+T
+wMTMcgy8Sq8vL7tv5JRtnhZzpM27Db3floWJMCmQtK7aGBC7MpyiHImRvieuDO9P
+mwhx9mVDx6+VHb8PCnECg9TMQVEtP9Y0E8qgNy1R+axLShwgO1y/g+u3gPJwGr31
+xiR3icaoMuvb+PEFOZk5L1Dh8rIExqbMH5yH9MeJXiGC2w1QX8KH194UbWRtS3zq
+6FrZJ0ZVgoYCvn42icBVt51Nrgl1sqHINBH8ysgK6WvZlw9x22g0tErx3AwGNkrl
+lPZ4ctQOxMQ541nN3IJoywxGfsOst2M4je+wNj6USNmAkg1WaezjqyQScw/oIKYj
+o18dtGUf6Q3MMHe4O550+upz9bJ0eksCYvC0X2jTNuGdfZo9ZDNh3dxBkoNNbHK5
+hc3m7qU68pdYPzqDkmDFIHyXSYXbmB1wTrrZZL1LQ6jE4a3mRT2v61CRglMUuQK7
+yrZTrPOyuBsZSC//PxK93RgH1xfYR8G8dJPlv0pqF6jD1OjBb6nyU8slRsYfataR
+ekJ4VhpVUYgDv8+EzGS9SkgY/DpiyLvPtuhqLXos4ABSwQOEYfG3RhGy7h2B404e
+Ot6BQHeyFl0mtrYT1mI=
+=L7j3
+-----END PGP PUBLIC KEY BLOCK-----
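
Review bot: this hunk adds a new key to the file that gates verification of upstream tarballs, and nothing in the changelog says where it came from; "Re-export upstream signing key without extra signatures" describes a re-export, not an addition. Please record in the changelog that key C55A B7B9 139E B226 3CD1 AABC 19B0 33D1 760C 227B (Christophe JAILLET) was added and which source it was checked against, so the reviewer can compare the fingerprint independently. The human-readable `pub`/`uid` lines above the armor were produced in a localized session (`[  ultime ]`); regenerating them in the C locale keeps the file consistent.
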
