Operating System:

[Juniper]

Published:

09 October 2014


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2014.1800
            Multiple vulnerabilities in products running Junos
                              9 October 2014

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Junos
Publisher:         Juniper Networks
Operating System:  Juniper
Impact/Access:     Denial of Service   -- Remote/Unauthenticated
                   Unauthorised Access -- Remote/Unauthenticated
                   Reduced Security    -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2014-6380 CVE-2014-6379 CVE-2014-6378
                   CVE-2014-5139 CVE-2014-3818 CVE-2014-3512
                   CVE-2014-3511 CVE-2014-3509 

Reference:         ASB-2014.0096
                   ESB-2014.1796
                   ESB-2014.1646
                   ESB-2014.1550
                   ESB-2014.1335
                   ESB-2014.1334
                   ESB-2014.1467.2

Original Bulletin: 
   http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10649
   http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10652
   http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10653
   http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10654
   http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10655

Comment: This bulletin contains five (5) Juniper Networks security 
         advisories.

- --------------------------BEGIN INCLUDED TEXT--------------------

2014-10 Security Bulletin: Junos: Multiple vulnerabilities in OpenSSL (OpenSSL
Security Advisory 20140806)

Categories:

Junos

Router Products

Security Products

Switch Products

SIRT Advisory

Security Advisories ID: JSA10649

Last Updated: 08 Oct 2014

Version: 1.0

PRODUCT AFFECTED:

This issue can affect any product or platform running Junos OS 13.3R1 or 
later.

PROBLEM:

The OpenSSL project released a security advisory on 2014-08-06 that contained
nine security issues. The following four issues affect Junos:

CVE-2014-5139: Crash with SRP ciphersuite in Server Hello message

CVE-2014-3509: Race condition in ssl_parse_serverhello_tlsext

CVE-2014-3511: OpenSSL TLS protocol downgrade attack

CVE-2014-3512: SRP buffer overrun

More information about each of these vulnerabilities may be found in the 
OpenSSL Security Advisory 20140806 under Related Links below.

SOLUTION:

The following software releases have been updated to resolve this specific 
issue: Junos OS 13.3R3-S2, 13.3R4, 14.1R2-S2, 14.2R1, and all subsequent 
releases.

While only Junos OS 13.3R1 and higher versions are vulnerable to the issues 
announced by OpenSSL on 2014-08-06, Juniper also upgraded OpenSSL to 0.9.8zb 
in Junos OS 13.2 and earlier releases. Updated releases specifically include:
Junos OS 11.4R12-S4, 12.1X44-D45, 12.1X46-D30, 12.1X47-D15, 12.2R9, 
12.2X50-D70, 12.3R8, 12.3R9, 13.1R4-S3, 13.1X49-D55, 13.1X50-D30, 13.2R5-S1, 
13.2X50-D20, 13.2X51-D30, and 13.2X52-D20.

This issue is being tracked as PR 1016458 and is visible on the Customer 
Support website.

KB16765 - "In which releases are vulnerabilities fixed?" describes which 
release vulnerabilities are fixed as per our End of Engineering and End of 
Life support policies.

WORKAROUND:

Since SSL is used for remote network configuration and management applications
such as J-Web and SSL Service for JUNOScript (XNM-SSL), viable workarounds for
this issue in Junos may include:

Disabling J-Web

Disabling SSL service for JUNOScript and using only Netconf, which makes use 
of SSH, to make configuration changes

Limiting access to J-Web and XNM-SSL to trusted networks only

IMPLEMENTATION:

How to obtain fixed software:

Security vulnerabilities in Junos are fixed in the next available Maintenance
Release of each supported Junos version. In some cases, a Maintenance Release
is not planned to be available in an appropriate time-frame. For these cases,
Service Releases are made available in order to be more timely. Security 
Advisory and Security Notices will indicate which Maintenance and Service 
Releases contain fixes for the issues described. Upon request to JTAC, 
customers will be provided download instructions for a Service Release. 
Although Juniper does not provide formal Release Note documentation for a 
Service Release, a list of "PRs fixed" can be provided on request.

RELATED LINKS:

KB16613: Overview of the Juniper Networks SIRT Monthly Security Bulletin 
Publication Process

KB16765: In which releases are vulnerabilities fixed?

KB16446: Common Vulnerability Scoring System (CVSS) and Juniper's Security 
Advisories

Report a Vulnerability - How to Contact the Juniper Networks Security Incident
Response Team

OpenSSL Security Advisory 20140806

CVSS SCORE:

5.1 (AV:N/AC:H/Au:N/C:P/I:P/A:P)

RISK LEVEL:

Medium

RISK ASSESSMENT:

Information for how Juniper Networks uses CVSS can be found at KB 16446 
"Common Vulnerability Scoring System (CVSS) and Juniper's Security 
Advisories."

ACKNOWLEDGEMENTS:

- ----------------------------------------------------------------------------

2014-10 Security Bulletin: Junos: Receipt of malformed RSVP packet may lead to
denial of service (CVE-2014-6378)

Categories:

Junos

Router Products

Security Products

Switch Products

SIRT Advisory

Security Advisories ID: JSA10652

Last Updated: 08 Oct 2014

Version: 1.0

PRODUCT AFFECTED:

This issue can affect any product or platform running Junos OS with RSVP 
enabled.

PROBLEM:

Receipt of a crafted or malformed RSVP packet may cause the rpd (routing 
protocol daemon) to hang or crash. When rpd is unavailable, routing updates 
cannot be processed which can lead to an extended network outage.

This issue only occurs during processing of RSVP PATH messages. If RSVP is not
enabled on an interface, then the issue cannot be triggered via that 
interface.

This issue was found during internal product security testing.

Juniper SIRT is not aware of any malicious exploitation of this vulnerability.

No other Juniper Networks products or platforms are affected by this issue.

This issue has been assigned CVE-2014-6378.

SOLUTION:

The following software releases have been updated to resolve this specific 
issue: Junos OS 11.4R12-S4, 12.1X44-D35, 12.1X45-D30, 12.1X46-D25, 
12.1X47-D10, 12.2R9, 12.2X50-D70, 12.3R7, 13.1R4-S3, 13.1X49-D55, 13.1X50-D30,
13.2R5, 13.2X50-D20, 13.2X51-D26, 13.2X51-D30, 13.2X52-D15, 13.3R3, 14.1R1, 
and all subsequent releases.

This issue is being tracked via PRs 954509 and 954508 which are visible on the
Customer Support website.

KB16765 - "In which releases are vulnerabilities fixed?" describes which 
release vulnerabilities are fixed as per our End of Engineering and End of 
Life support policies.

WORKAROUND:

Only enable RSVP on specific trusted interfaces as required for MPLS.

Use access lists or firewall filters to limit access to the router via MPLS TE
RSVP only from trusted nodes.

IMPLEMENTATION:

How to obtain fixed software:

Security vulnerabilities in Junos are fixed in the next available Maintenance
Release of each supported Junos version. In some cases, a Maintenance Release
is not planned to be available in an appropriate time-frame. For these cases,
Service Releases are made available in order to be more timely. Security 
Advisory and Security Notices will indicate which Maintenance and Service 
Releases contain fixes for the issues described. Upon request to JTAC, 
customers will be provided download instructions for a Service Release. 
Although Juniper does not provide formal Release Note documentation for a 
Service Release, a list of "PRs fixed" can be provided on request.

RELATED LINKS:

KB16613: Overview of the Juniper Networks SIRT Monthly Security Bulletin 
Publication Process

KB16765: In which releases are vulnerabilities fixed?

KB16446: Common Vulnerability Scoring System (CVSS) and Juniper's Security 
Advisories

Report a Vulnerability - How to Contact the Juniper Networks Security Incident
Response Team

CVE-2014-6378: Receipt of malformed RSVP packet may lead to denial of service

CVSS SCORE:

7.8 (AV:N/AC:L/Au:N/C:N/I:N/A:C)

RISK LEVEL:

High

RISK ASSESSMENT:

Information for how Juniper Networks uses CVSS can be found at KB 16446 
"Common Vulnerability Scoring System (CVSS) and Juniper's Security 
Advisories."

ACKNOWLEDGEMENTS:

- --------------------------------------------------------------------------

2014-10 Security Bulletin: Junos: BGP UPDATE with crafted transitive 
attributes causes memory corruption and leads to RPD core (CVE-2014-3818)

Categories:

Junos

Router Products

Security Products

Switch Products

SIRT Advisory

Security Advisories ID: JSA10653

Last Updated: 08 Oct 2014

Version: 1.0

PRODUCT AFFECTED:

This issue can affect any product or platform running Junos OS 9.1 and later 
releases with BGP configured and enabled.

PROBLEM:

A BGP UPDATE containing a specifically crafted set of transitive attributes 
can cause corruption of memory ultimately leading to an RPD routing process 
crash and restart. The crash was only achieved through in-house routing 
protocol fuzz testing. This issue only affects routers supporting 4-byte AS 
numbers, introduced starting with Junos OS 9.1. Additionally, the router is 
only vulnerable if the BGP peer does not support 4-byte AS numbers.

This issue was found during internal product security testing.

Juniper SIRT is not aware of any malicious exploitation of this vulnerability.

No other Juniper Networks products or platforms are affected by this issue.

This issue has been assigned CVE-2014-3818.

SOLUTION:

The following software releases have been updated to resolve this specific 
issue: Junos OS 11.4R11, 12.1R10, 12.1X44-D40, 12.1X46-D30, 12.1X47-D11, 
12.1X47-D15, 12.1X48-D41, 12.1X48-D62, 12.2R8, 12.2X50-D70, 12.3R6, 13.1R4-S2,
13.1X49-D49, 13.1X50-D30, 13.2R4, 13.2X50-D20, 13.2X51-D25, 13.2X52-D15, 
13.3R2, 14.1R1, and all subsequent releases.

This issue is being tracked as PR 953037 and is visible on the Customer 
Support website.

KB16765 - "In which releases are vulnerabilities fixed?" describes which 
release vulnerabilities are fixed as per our End of Engineering and End of 
Life support policies.

WORKAROUND:

No known workaround exists for this issue.

IMPLEMENTATION:

How to obtain fixed software:

Security vulnerabilities in Junos are fixed in the next available Maintenance
Release of each supported Junos version. In some cases, a Maintenance Release
is not planned to be available in an appropriate time-frame. For these cases,
Service Releases are made available in order to be more timely. Security 
Advisory and Security Notices will indicate which Maintenance and Service 
Releases contain fixes for the issues described. Upon request to JTAC, 
customers will be provided download instructions for a Service Release. 
Although Juniper does not provide formal Release Note documentation for a 
Service Release, a list of "PRs fixed" can be provided on request.

RELATED LINKS:

KB16613: Overview of the Juniper Networks SIRT Monthly Security Bulletin 
Publication Process

KB16765: In which releases are vulnerabilities fixed?

KB16446: Common Vulnerability Scoring System (CVSS) and Juniper's Security 
Advisories

Report a Vulnerability - How to Contact the Juniper Networks Security Incident
Response Team

CVE-2014-3818: BGP UPDATE with crafted transitive attributes causes memory 
corruption and leads to RPD core

CVSS SCORE:

7.8 (AV:N/AC:L/Au:N/C:N/I:N/A:C)

RISK LEVEL:

High

RISK ASSESSMENT:

Information for how Juniper Networks uses CVSS can be found at KB 16446 
"Common Vulnerability Scoring System (CVSS) and Juniper's Security 
Advisories."

ACKNOWLEDGEMENTS:

- --------------------------------------------------------------------------

2014-10 Security Bulletin: Junos: RADIUS accounting servers create additional
entries in pam_radius.conf (CVE-2014-6379)

Categories:

Junos

Router Products

Security Products

Switch Products

RADIUS

SIRT Advisory

Security Advisories ID: JSA10654

Last Updated: 08 Oct 2014

Version: 1.0

PRODUCT AFFECTED:

This issue can affect any product or platform running Junos OS configured for
RADIUS authentication and accounting.

PROBLEM:

In Junos, when a RADIUS authentication server is configured under [system 
radius-server], an entry is created in /var/etc/pam_radius.conf. An issue was
discovered where RADIUS accounting servers configured under [system accounting
destination radius] are also propagated to pam_radius.conf. This can cause 
authentication requests to be sent to the RADIUS accounting server which may 
allow for unintended successful authentication. If the same RADIUS server is 
used for both authentication and accounting (a common configuration), the 
issue is less severe since RADIUS authentication is sent to the intended server 
despite the duplicate entries. However, if the RADIUS authentication server is
later removed from the configuration, the duplicate entry created by 
configuration of the RADIUS accounting server will remain in pam_radius.conf,
also leading to possible unintended authentication success.
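
One way to check a device for the condition described above, as an added 
example that is not Juniper's or AusCERT's code: compare the servers in 
pam_radius.conf with those under [system radius-server]. It assumes 
"display set" style configuration lines and a pam_radius.conf whose lines start
with server[:port] (IPv4 or hostname); all addresses and secrets are constructed.

```python
import re

def configured_servers(set_lines):
    """Split 'display set' lines into (authentication, accounting) server sets."""
    auth, acct = set(), set()
    for line in set_lines.splitlines():
        m = re.match(r"\s*set system radius-server (\S+)", line)
        if m:
            auth.add(m.group(1))
        m = re.match(r"\s*set system accounting destination radius server (\S+)", line)
        if m:
            acct.add(m.group(1))
    return auth, acct

def pam_servers(pam_conf):
    """Server addresses in pam_radius.conf (assumed layout: server[:port] secret ...)."""
    servers = []
    for line in pam_conf.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blank lines
        if line:
            servers.append(line.split()[0].split(":")[0])
    return servers

def unintended_entries(set_lines, pam_conf):
    """Entries PAM may authenticate against that are not authentication servers."""
    auth, acct = configured_servers(set_lines)
    report = {}
    for server in pam_servers(pam_conf):
        if server not in auth:
            report[server] = "accounting server" if server in acct else "not in configuration"
    return report

# Constructed sample: one authentication server, one accounting-only server.
SET_LINES = '''
set system radius-server 192.0.2.10 secret "constructed"
set system accounting destination radius server 192.0.2.20 secret "constructed"
'''
PAM_CONF = '''
192.0.2.10:1812 constructed-secret 3
192.0.2.20:1812 constructed-secret 3
198.51.100.5:1812 constructed-secret 3
'''

if __name__ == "__main__":
    for server, reason in unintended_entries(SET_LINES, PAM_CONF).items():
        print(f"{server}: in pam_radius.conf but {reason}")
```

Any server reported here can receive authentication requests although it was 
never configured as an authentication server.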

This issue was found during internal product security testing.

Juniper SIRT is not aware of any malicious exploitation of this vulnerability.

No other Juniper Networks products or platforms are affected by this issue.

This issue has been assigned CVE-2014-6379.

SOLUTION:

The following software releases have been updated to resolve this specific 
issue: Junos OS 11.4R12, 12.1R10, 12.1X44-D35, 12.1X45-D25, 12.1X46-D20, 
12.1X47-D10, 12.2R8, 12.2X50-D70, 12.3R6, 13.1R4-S3, 13.1X49-D55, 13.1X50-D30,
13.2R4, 13.2X50-D20, 13.2X51-D26, 13.2X51-D30, 13.2X52-D15, 13.3R2, 14.1R1, 
and all subsequent releases.

This issue is being tracked as PR 947307 and is visible on the Customer 
Support website.

KB16765 - "In which releases are vulnerabilities fixed?" describes which 
release vulnerabilities are fixed as per our End of Engineering and End of 
Life support policies.

WORKAROUND:

No viable workaround exists for this issue. Manual edits to pam_radius.conf 
will be overwritten when the configuration is committed. Duplicate entries 
will, however, be cleaned up after upgrading to a fixed release.

IMPLEMENTATION:

How to obtain fixed software:

Security vulnerabilities in Junos are fixed in the next available Maintenance
Release of each supported Junos version. In some cases, a Maintenance Release
is not planned to be available in an appropriate time-frame. For these cases,
Service Releases are made available in order to be more timely. Security 
Advisory and Security Notices will indicate which Maintenance and Service 
Releases contain fixes for the issues described. Upon request to JTAC, 
customers will be provided download instructions for a Service Release. 
Although Juniper does not provide formal Release Note documentation for a 
Service Release, a list of "PRs fixed" can be provided on request.

RELATED LINKS:

KB16613: Overview of the Juniper Networks SIRT Monthly Security Bulletin 
Publication Process

KB16765: In which releases are vulnerabilities fixed?

KB16446: Common Vulnerability Scoring System (CVSS) and Juniper's Security 
Advisories

Report a Vulnerability - How to Contact the Juniper Networks Security Incident
Response Team

CVE-2014-6379: RADIUS accounting servers create additional entries in 
pam_radius.conf

CVSS SCORE:

5.5 (AV:N/AC:L/Au:S/C:P/I:P/A:N)

RISK LEVEL:

Medium

RISK ASSESSMENT:

Information for how Juniper Networks uses CVSS can be found at KB 16446 
"Common Vulnerability Scoring System (CVSS) and Juniper's Security 
Advisories."

- ---------------------------------------------------------------------------

2014-10 Security Bulletin: Junos: Crafted fragmented packets can lead to FPCs
resetting or going offline (CVE-2014-6380)

Categories:

Junos

Router Products

Security Products

Switch Products

SIRT Advisory

Security Advisories ID: JSA10655

Last Updated: 08 Oct 2014

Version: 1.0

PRODUCT AFFECTED:

This issue can affect any product or platform utilizing an em interface for 
communications, including M, T, MX, high-end SRX, EX, QFX and PTX Series.

PROBLEM:

Traffic between the RE and transit interfaces is carried over an internal 
network between the PFEs and REs. Some REs use em interfaces (usually, em0 and
em1) to connect to this network. Receipt of a carefully crafted set of 
fragmented packets, destined to the router, can cause the em driver to become
permanently blocked when trying to formulate a reply. This will cause the RE 
to be unable to communicate over the private network that connects the FPCs 
and REs eventually causing all FPCs to go offline and stay offline. Systems 
with redundant REs will failover, but would then be subject to the same issue.
For systems without modular FPCs (for example, MX80), the FPC will reboot and
clear the em0 interface output queue. However, additional crafted fragments 
will cause the issue to reoccur.

This issue is applicable to IPv4, IPv6, and CLNP fragmentation and reassembly
scenarios. Transit traffic does not trigger this issue. Additionally, CLNP is
only vulnerable if clns-routing or ESIS is explicitly configured.

This issue is specific to em interfaces. J Series and SRX Branch models do not
have an em0 interface, and are therefore not affected by this issue. In 
addition, some REs (e.g. K2RE based systems) may use an em driver for their 
"fxp0" interface. On such REs, reply traffic sent out the fxp0 interface may 
trigger the same condition on that interface. Refer to the "Supported Routing
Engines by Router" link below for more information about internal Ethernet 
interface types for specific platforms. Customers can confirm the presence of
em interfaces by typing:

% pciconf -l | grep em

em0@pci3:0:0: class="0x020000" card=0x00901059 chip=0x10d38086 rev=0x00 hdr=0x00
em1@pci4:0:0: class="0x020000" card=0x00901059 chip=0x10d38086 rev=0x00 hdr=0x00
em2@pci5:0:0: class="0x020000" card=0x00901059 chip=0x10d38086 rev=0x00 hdr=0x00

This issue was found during internal product security testing.

Juniper SIRT is not aware of any malicious exploitation of this vulnerability.

No other Juniper Networks products or platforms are affected by this issue.

This issue has been assigned CVE-2014-6380.

SOLUTION:

The following software releases have been updated to resolve this specific 
issue: Junos OS 11.4R11, 12.1R9, 12.1X44-D30, 12.1X45-D20, 12.1X46-D15, 
12.1X47-D10, 12.2R8, 12.2X50-D70, 12.3R6, 13.1R4, 13.1X49-D55, 13.1X50-D30, 
13.2R4, 13.2X50-D20, 13.2X51-D15, 13.2X52-D15, 13.3R1, and all subsequent 
releases.

This issue is being tracked as PR 942437 and is visible on the Customer 
Support website.

KB16765 - "In which releases are vulnerabilities fixed?" describes which 
release vulnerabilities are fixed as per our End of Engineering and End of 
Life support policies.
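
The fixed-release lists in the SOLUTION sections of JSA10652 to JSA10655 can be
applied to an inventory mechanically. The following is an added example, not 
Juniper's or AusCERT's code; it assumes a release is fixed when it is at or 
after the earliest listed fix in its own train or belongs to a train newer than
every listed one, and reports anything else as "unlisted" for checking against 
KB16765. Hostnames and inventory releases are constructed.

```python
import re

# Fixed releases copied from the SOLUTION sections of JSA10652-JSA10655.
FIXED = {
    "CVE-2014-6378": "11.4R12-S4 12.1X44-D35 12.1X45-D30 12.1X46-D25 12.1X47-D10 "
                     "12.2R9 12.2X50-D70 12.3R7 13.1R4-S3 13.1X49-D55 13.1X50-D30 "
                     "13.2R5 13.2X50-D20 13.2X51-D26 13.2X51-D30 13.2X52-D15 "
                     "13.3R3 14.1R1",
    "CVE-2014-3818": "11.4R11 12.1R10 12.1X44-D40 12.1X46-D30 12.1X47-D11 "
                     "12.1X47-D15 12.1X48-D41 12.1X48-D62 12.2R8 12.2X50-D70 "
                     "12.3R6 13.1R4-S2 13.1X49-D49 13.1X50-D30 13.2R4 13.2X50-D20 "
                     "13.2X51-D25 13.2X52-D15 13.3R2 14.1R1",
    "CVE-2014-6379": "11.4R12 12.1R10 12.1X44-D35 12.1X45-D25 12.1X46-D20 "
                     "12.1X47-D10 12.2R8 12.2X50-D70 12.3R6 13.1R4-S3 13.1X49-D55 "
                     "13.1X50-D30 13.2R4 13.2X50-D20 13.2X51-D26 13.2X51-D30 "
                     "13.2X52-D15 13.3R2 14.1R1",
    "CVE-2014-6380": "11.4R11 12.1R9 12.1X44-D30 12.1X45-D20 12.1X46-D15 "
                     "12.1X47-D10 12.2R8 12.2X50-D70 12.3R6 13.1R4 13.1X49-D55 "
                     "13.1X50-D30 13.2R4 13.2X50-D20 13.2X51-D15 13.2X52-D15 13.3R1",
}

# Assumption: a trailing build number such as the ".6" in "12.3R6.6" is ignored.
VERSION_RE = re.compile(r"^(\d+)\.(\d+)([RX])(\d+)(?:-([SD])(\d+))?(?:\.\d+)?$")

def parse(version):
    """Return (train, level) for a Junos release string, or raise ValueError."""
    m = VERSION_RE.match(version.strip())
    if not m or m.group(5) not in (None, "S" if m.group(3) == "R" else "D"):
        raise ValueError(f"unrecognised Junos version: {version!r}")
    major, minor, kind, num, _, sub = m.groups()
    major, minor, num, sub = int(major), int(minor), int(num), int(sub or 0)
    if kind == "R":
        return (major, minor, "R"), (num, sub)      # 13.1R4-S3 -> level (4, 3)
    return (major, minor, f"X{num}"), (sub,)        # 12.1X44-D35 -> level (35,)

def status(version, cve):
    """'fixed', 'affected' (older than the fix in its train) or 'unlisted'."""
    train, level = parse(version)
    fixes = [parse(v) for v in FIXED[cve].split()]
    same_train = [lvl for t, lvl in fixes if t == train]
    if same_train:
        return "fixed" if level >= min(same_train) else "affected"
    newest = max(t[:2] for t, _ in fixes)
    return "fixed" if train[:2] > newest else "unlisted"

def audit(inventory):
    """Map each host to the CVEs its release is not confirmed fixed for."""
    return {host: [c for c in sorted(FIXED) if status(ver, c) != "fixed"]
            for host, ver in inventory.items()}

# Constructed inventory for illustration.
INVENTORY = {"edge-1": "12.3R6.6", "core-1": "13.3R3",
             "lab-1": "14.2R1", "old-1": "12.1X45-D30"}

if __name__ == "__main__":
    for host, cves in audit(INVENTORY).items():
        print(host, INVENTORY[host], cves or "all four fixed")
```

The result covers the software release only; whether a device is exposed also 
depends on the conditions under PRODUCT AFFECTED in each advisory, such as RSVP
or BGP being enabled.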

WORKAROUND:

Today's network infrastructure typically will not have fragmented packets 
destined for the router's control or management plane. In most cases, it is 
safe to apply packet filters which will prevent fragmented packets from 
arriving on the router. Usually, fragmented packets received by a router 
indicate a problem with the network or a DoS attack against the router. In 
either case, fragmented packets should be dropped to protect the router's 
control and management plane.

Below is a sample firewall filter to demonstrate this recommendation for IPv4
traffic:

[edit firewall family inet filter fragment]
user@junos# show
term first-frag {
    from {
        first-fragment;
    }
    then {
        discard;
    }
}
term next-frag {
    from {
        is-fragment;
    }
    then {
        discard;
    }
}

And for IPv6:

[edit firewall family inet6 filter fragment6]
user@junos# show
term fragment-headers {
    from {
        next-header [ hop-by-hop dstopts routing fragment ah esp ];
    }
    then {
        discard;
    }
}

Caution: Some routing protocols, such as BGP and OSPF, may rely upon 
fragmented traffic being received by the RE. In addition, proper operation of
IPv6 multicast may require that the router accept some traffic with hop-by-hop
headers. As with any control plane firewall filter, perform careful testing in
your environment to ensure that dropping all fragmented traffic will not have
a negative impact. If necessary, add explicit exceptions for fragmented BGP 
and/or OSPF traffic to the sample IPv4 firewall filter above, or add limited 
exceptions to the IPv6 firewall filter above to allow hop-by-hop headers for 
multicast control traffic (such as MLD).

Note that some platforms, most notably the EX Series, do not support the 
'first-fragment' filter criterion. In these cases, simply discarding all 
fragments via 'is-fragment' will be sufficient. Additionally, the EX-8200 does
not support either criterion, in which case the only option is to upgrade.

For CLNP, disabling CLNS routing and ESIS, which are disabled by default, will
mitigate this issue.

IMPLEMENTATION:

How to obtain fixed software:

Security vulnerabilities in Junos are fixed in the next available Maintenance
Release of each supported Junos version. In some cases, a Maintenance Release
is not planned to be available in an appropriate time-frame. For these cases,
Service Releases are made available in order to be more timely. Security 
Advisory and Security Notices will indicate which Maintenance and Service 
Releases contain fixes for the issues described. Upon request to JTAC, 
customers will be provided download instructions for a Service Release. 
Although Juniper does not provide formal Release Note documentation for a 
Service Release, a list of "PRs fixed" can be provided on request.

RELATED LINKS:

KB16613: Overview of the Juniper Networks SIRT Monthly Security Bulletin 
Publication Process

KB16765: In which releases are vulnerabilities fixed?

KB16446: Common Vulnerability Scoring System (CVSS) and Juniper's Security 
Advisories

Report a Vulnerability - How to Contact the Juniper Networks Security Incident
Response Team

RFC6192: Protecting the Router Control Plane

Junos Reference: Supported Routing Engines by Router

CVE-2014-6380: Crafted fragmented packets can lead to FPCs resetting or going
offline

CVSS SCORE:

7.8 (AV:N/AC:L/Au:N/C:N/I:N/A:C)

RISK LEVEL:

High

RISK ASSESSMENT:

Information for how Juniper Networks uses CVSS can be found at KB 16446 
"Common Vulnerability Scoring System (CVSS) and Juniper's Security 
Advisories."

ACKNOWLEDGEMENTS:

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================