-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2022.6033
                   Jenkins Security Advisory 2022-11-15
                             18 November 2022

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Jenkins Plugins
Publisher:         Jenkins
Operating System:  Windows
                   UNIX variants (UNIX, Linux, OSX)
Resolution:        Patch/Upgrade
CVE Names:         CVE-2022-45401 CVE-2022-45400 CVE-2022-45399
                   CVE-2022-45398 CVE-2022-45397 CVE-2022-45396
                   CVE-2022-45395 CVE-2022-45394 CVE-2022-45393
                   CVE-2022-45392 CVE-2022-45391 CVE-2022-45390
                   CVE-2022-45389 CVE-2022-45388 CVE-2022-45387
                   CVE-2022-45386 CVE-2022-45385 CVE-2022-45384
                   CVE-2022-45383 CVE-2022-45382 CVE-2022-45381
                   CVE-2022-45380 CVE-2022-45379 CVE-2022-38666
                   CVE-2022-33980  

Original Bulletin: 
   https://www.jenkins.io/security/advisory/2022-11-15/

Comment: CVSS (Max):  9.8* CVE-2022-33980 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
         CVSS Source: [NVD], Red Hat
         Calculator:  https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
         * Not all CVSS available when published

- --------------------------BEGIN INCLUDED TEXT--------------------

Jenkins Security Advisory 2022-11-15  

This advisory announces vulnerabilities in the following Jenkins deliverables:

  o Associated Files Plugin
  o BART Plugin
  o CCCC Plugin
  o CloudBees Docker Hub/Registry Notification Plugin
  o Cluster Statistics Plugin
  o Config Rotator Plugin
  o Delete log Plugin
  o JAPEX Plugin
  o JUnit Plugin
  o loader.io Plugin
  o Naginator Plugin
  o NS-ND Integration Performance Publisher Plugin
  o NS-ND Integration Performance Publisher Plugin
  o OSF Builder Suite : : XML Linter Plugin
  o Pipeline Utility Steps Plugin
  o Pipeline Utility Steps Plugin
  o Reverse Proxy Auth Plugin
  o Script Security Plugin
  o SourceMonitor Plugin
  o Support Core Plugin
  o Violations Plugin
  o XP-Dev Plugin

Descriptions  

Whole-script approval in Script Security Plugin vulnerable to SHA-1 collisions 
 

SECURITY-2564 / CVE-2022-45379
Severity (CVSS): High
Affected plugin: script-security
Description:

Script Security Plugin 1189.vb_a_b_7c8fd5fde and earlier stores whole-script
approvals as the SHA-1 hash of the approved script. SHA-1 no longer meets the
security standards for producing a cryptographically secure message digest.

Script Security Plugin 1190.v65867a_a_47126 uses SHA-512 for new whole-script
approvals. Previously approved scripts will have their SHA-1 based whole-script
approval replaced with a corresponding SHA-512 whole-script approval when the
script is next used.

 Whole-script approval only stores the SHA-1 or SHA-512 hash, so it is not
 possible to migrate all previously approved scripts automatically on startup.

Administrators concerned about SHA-1 collision attacks on the whole-script
approval feature are able to revoke all previous (SHA-1) script approvals on
the In-Process Script Approval page.

Stored XSS vulnerability in JUnit Plugin  

SECURITY-2888 / CVE-2022-45380
Severity (CVSS): High
Affected plugin: junit
Description:

JUnit Plugin 1159.v0b_396e1e07dd and earlier converts HTTP(S) URLs in test
report output to clickable links.

This is done in an unsafe manner, resulting in a stored cross-site scripting
(XSS) vulnerability exploitable by attackers with Item/Configure permission.

JUnit Plugin 1160.vf1f01a_a_ea_b_7f no longer converts URLs to clickable links.

Remote code execution vulnerability in Pipeline Utility Steps Plugin  

SECURITY-2948 / CVE-2022-33980
Severity (CVSS): High
Affected plugin: pipeline-utility-steps
Description:

Pipeline Utility Steps Plugin implements a readProperties Pipeline step that
supports interpolation of variables using the Apache Commons Configuration
library.

Pipeline Utility Steps Plugin 2.13.0 and earlier does not restrict the set of
enabled prefix interpolators and bundles versions of this library with the
vulnerability CVE-2022-33980.

This vulnerability allows attackers able to configure Pipelines to execute
arbitrary code in the context of the Jenkins controller JVM.

Pipeline Utility Steps Plugin 2.13.1 bundles version 2.8.0 of the Apache
Commons Configuration library, which disables the problematic prefix
interpolators by default.

Arbitrary file read vulnerability in Pipeline Utility Steps Plugin  

SECURITY-2949 / CVE-2022-45381
Severity (CVSS): High
Affected plugin: pipeline-utility-steps
Description:

Pipeline Utility Steps Plugin implements a readProperties Pipeline step that
supports interpolation of variables using the Apache Commons Configuration
library.

Pipeline Utility Steps Plugin 2.13.1 and earlier does not restrict the set of
enabled prefix interpolators and bundles versions of this library that enable
the file: prefix interpolator by default.

This allows attackers able to configure Pipelines to read arbitrary files from
the Jenkins controller file system.

Pipeline Utility Steps Plugin 2.13.2 restricts the set of prefix interpolators
enabled by default to base64Decoder:, base64Encoder:, date:, urlDecoder:, and
urlEncoder:.

Administrators can set the Java system property
org.jenkinsci.plugins.pipeline.utility.steps.conf.ReadPropertiesStepExecution.CUSTOM_PREFIX_INTERPOLATOR_LOOKUPS
to customize which prefix interpolators are enabled.

Stored XSS vulnerability in Naginator Plugin  

SECURITY-2946 / CVE-2022-45382
Severity (CVSS): High
Affected plugin: naginator
Description:

Naginator Plugin 1.18.1 and earlier does not escape display names of source
builds in builds that were triggered via Retry action.

This results in a stored cross-site scripting (XSS) vulnerability exploitable
by attackers able to edit build display names.

Naginator Plugin 1.18.2 escapes display names of source builds.

Incorrect permission checks in Support Core Plugin  

SECURITY-2804 / CVE-2022-45383
Severity (CVSS): Medium
Affected plugin: support-core
Description:

Support Core Plugin defines the permission Support/DownloadBundle that allows
users without Overall/Administer permission to create and download support
bundles containing a limited set of diagnostic information.

Support Core Plugin 1206.v14049fa_b_d860 and earlier does not correctly perform
permission checks in several HTTP endpoints.

This allows attackers with Support/DownloadBundle permission to download a
previously created support bundle containing information limited to users with
Overall/Administer permission.

Support Core Plugin 1206.1208.v9b_7a_1d48db_0f deprecates the Support/
DownloadBundle permission. The Overall/Administer permission is now required to
download support bundles.

Password stored in plain text by Reverse Proxy Auth Plugin  

SECURITY-2094 / CVE-2022-45384
Severity (CVSS): Low
Affected plugin: reverse-proxy-auth-plugin
Description:

Reverse Proxy Auth Plugin 1.7.3 and earlier stores the LDAP manager password
unencrypted in the global config.xml file on the Jenkins controller as part of
its configuration.

This password can be viewed by attackers with access to the Jenkins controller
file system.

Reverse Proxy Auth Plugin 1.7.4 stores the LDAP manager password encrypted once
its configuration is saved again.

Lack of authentication mechanism for webhook in CloudBees Docker Hub/Registry
Notification Plugin  

SECURITY-2843 / CVE-2022-45385
Severity (CVSS): Medium
Affected plugin: dockerhub-notification
Description:

CloudBees Docker Hub/Registry Notification Plugin provides several webhook
endpoints that can be used to trigger builds when Docker images used by a job
have been rebuilt.

In CloudBees Docker Hub/Registry Notification Plugin 2.6.2 and earlier, these
endpoints can be accessed without authentication.

This allows unauthenticated attackers to trigger builds of jobs corresponding
to the attacker-specified repository.

CloudBees Docker Hub/Registry Notification Plugin 2.6.2.1 requires a token as a
part of webhook URLs, which will act as authentication for the webhook
endpoint. As a result, all webhook URLs in the plugin will be different after
updating the plugin.

Administrators can set the Java system property
org.jenkinsci.plugins.registry.notification.webhook.JSONWebHook.DO_NOT_REQUIRE_API_TOKEN
to true to disable this fix.

Passwords stored in plain text by NS-ND Integration Performance Publisher
Plugin  

SECURITY-2912 / CVE-2022-45392
Severity (CVSS): Medium
Affected plugin: cavisson-ns-nd-integration
Description:

NS-ND Integration Performance Publisher Plugin 4.8.0.143 and earlier stores
passwords unencrypted in job config.xml files on the Jenkins controller as part
of its configuration.

These passwords can be viewed by attackers with Item/Extended Read permission
or access to the Jenkins controller file system.

NS-ND Integration Performance Publisher Plugin 4.8.0.146 stores passwords
encrypted once job configurations are saved again.

SSL/TLS certificate validation globally and unconditionally disabled by NS-ND
Integration Performance Publisher Plugin  

SECURITY-2910 (1) / CVE-2022-45391
Severity (CVSS): Medium
Affected plugin: cavisson-ns-nd-integration
Description:

NS-ND Integration Performance Publisher Plugin 4.8.0.143 and earlier globally
and unconditionally disables SSL/TLS certificate and hostname validation for
the entire Jenkins controller JVM.

NS-ND Integration Performance Publisher Plugin 4.8.0.146 no longer disables SSL
/TLS certificate and hostname validation globally.

SSL/TLS certificate validation unconditionally disabled by NS-ND Integration
Performance Publisher Plugin  

SECURITY-2910 (2) / CVE-2022-38666
Severity (CVSS): Medium
Affected plugin: cavisson-ns-nd-integration
Description:

NS-ND Integration Performance Publisher Plugin 4.8.0.146 and earlier
unconditionally disables SSL/TLS certificate and hostname validation for
several features.

As of publication of this advisory, there is no fix. Learn why we announce
this.

XXE vulnerability on agents in Violations Plugin  

SECURITY-766 / CVE-2022-45386
Severity (CVSS): Medium
Affected plugin: violations
Description:

Violations Plugin 0.7.11 and earlier does not configure its XML parser to
prevent XML external entity (XXE) attacks.

This allows attackers to to control XML input files for the 'Report Violations'
post-build step to have agent processes parse a crafted file that uses external
entities for extraction of secrets from the Jenkins agent or server-side
request forgery.

 Because Jenkins agent processes usually execute build tools whose input
 (source code, build scripts, etc.) is controlled externally, this
 vulnerability only has a real impact in very narrow circumstances: when
 attackers can control XML files, but are unable to change build steps,
 Jenkinsfiles, test code that gets executed on the agents, or similar.

As of publication of this advisory, there is no fix. Learn why we announce
this.

Stored XSS vulnerability in BART Plugin  

SECURITY-2802 / CVE-2022-45387
Severity (CVSS): High
Affected plugin: bart
Description:

BART Plugin 1.0.3 and earlier does not escape the parsed content of build logs
before rendering it on the Jenkins UI.

This results in a stored cross-site scripting (XSS) vulnerability exploitable
by attackers with Item/Configure permission.

As of publication of this advisory, there is no fix. Learn why we announce
this.

Arbitrary file read vulnerability in Config Rotator Plugin  

SECURITY-2842 / CVE-2022-45388
Severity (CVSS): High
Affected plugin: config-rotator
Description:

Config Rotator Plugin 2.0.1 and earlier does not restrict a file name query
parameter in an HTTP endpoint.

This allows unauthenticated attackers to read arbitrary files with .xml
extension on the Jenkins controller file system.

As of publication of this advisory, there is no fix. Learn why we announce
this.

Lack of authentication mechanism for webhook in XP-Dev Plugin  

SECURITY-2853 / CVE-2022-45389
Severity (CVSS): Medium
Affected plugin: xpdev
Description:

XP-Dev Plugin provides a webhook endpoint at /xpdev-webhook that can be used to
trigger builds configured to use a specified repository.

In XP-Dev Plugin 1.0 and earlier, this endpoint can be accessed without
authentication.

This allows unauthenticated attackers to trigger builds of jobs corresponding
to an attacker-specified repository.

As of publication of this advisory, there is no fix. Learn why we announce
this.

Missing permission check in loader.io Plugin allows enumerating credentials IDs
 

SECURITY-2857 / CVE-2022-45390
Severity (CVSS): Medium
Affected plugin: loaderio-jenkins-plugin
Description:

loader.io Plugin 1.0.1 and earlier does not perform a permission check in an
HTTP endpoint.

This allows attackers with Overall/Read permission to enumerate credentials IDs
of credentials stored in Jenkins. Those can be used as part of an attack to
capture the credentials using another vulnerability.

As of publication of this advisory, there is no fix. Learn why we announce
this.

CSRF vulnerability and missing permission check in Delete log Plugin  

SECURITY-2920 / CVE-2022-45393 (CSRF), CVE-2022-45394 (missing permission
check)
Severity (CVSS): Medium
Affected plugin: delete-log-plugin
Description:

Delete log Plugin 1.0 and earlier does not perform a permission check in an
HTTP endpoint.

This allows attackers with Item/Read permission to delete build logs.

Additionally, this HTTP endpoint does not require POST requests, resulting in a
cross-site request forgery (CSRF) vulnerability.

As of publication of this advisory, there is no fix. Learn why we announce
this.

XXE vulnerability on agents in CCCC Plugin  

SECURITY-2921 / CVE-2022-45395
Severity (CVSS): Medium
Affected plugin: cccc
Description:

CCCC Plugin 0.6 and earlier does not configure its XML parser to prevent XML
external entity (XXE) attacks.

This allows attackers able to control the contents of the report file for the
'Publish CCCC Report' post-build step to have agent processes parse a crafted
file that uses external entities for extraction of secrets from the Jenkins
agent or server-side request forgery.

 Because Jenkins agent processes usually execute build tools whose input
 (source code, build scripts, etc.) is controlled externally, this
 vulnerability only has a real impact in very narrow circumstances: when
 attackers can control XML files, but are unable to change build steps,
 Jenkinsfiles, test code that gets executed on the agents, or similar.

As of publication of this advisory, there is no fix. Learn why we announce
this.

XXE vulnerability on agents in SourceMonitor Plugin  

SECURITY-2927 / CVE-2022-45396
Severity (CVSS): Medium
Affected plugin: sourcemonitor
Description:

SourceMonitor Plugin 0.2 and earlier does not configure its XML parser to
prevent XML external entity (XXE) attacks.

This allows attackers able to control XML input files for the 'Publish
SourceMonitor results' post-build step to have agent processes parse a crafted
file that uses external entities for extraction of secrets from the Jenkins
agent or server-side request forgery.

 Because Jenkins agent processes usually execute build tools whose input
 (source code, build scripts, etc.) is controlled externally, this
 vulnerability only has a real impact in very narrow circumstances: when
 attackers can control XML files, but are unable to change build steps,
 Jenkinsfiles, test code that gets executed on the agents, or similar.

As of publication of this advisory, there is no fix. Learn why we announce
this.

XXE vulnerability on agents in OSF Builder Suite : : XML Linter Plugin  

SECURITY-2937 / CVE-2022-45397
Severity (CVSS): Medium
Affected plugin: osf-builder-suite-xml-linter
Description:

OSF Builder Suite : : XML Linter 1.0.2 and earlier does not configure its XML
parser to prevent XML external entity (XXE) attacks.

This allows attackers able to control XML files that get processed by the 'OSF
Builder Suite : : XML Linter' build step to have agent processes parse a
crafted file that uses external entities for extraction of secrets from the
Jenkins agent or server-side request forgery.

 Because Jenkins agent processes usually execute build tools whose input
 (source code, build scripts, etc.) is controlled externally, this
 vulnerability only has a real impact in very narrow circumstances: when
 attackers can control XML files, but are unable to change build steps,
 Jenkinsfiles, test code that gets executed on the agents, or similar.

As of publication of this advisory, there is no fix. Learn why we announce
this.

CSRF vulnerability and missing permission check in Cluster Statistics Plugin  

SECURITY-2938 / CVE-2022-45398 (CSRF), CVE-2022-45399 (missing permission
check)
Severity (CVSS): Medium
Affected plugin: cluster-stats
Description:

Cluster Statistics Plugin 0.4.6 and earlier does not perform a permission check
in an HTTP endpoint.

This allows attackers with Overall/Read permission to delete recorded Jenkins
Cluster Statistics.

Additionally, this HTTP endpoint does not require POST requests, resulting in a
cross-site request forgery (CSRF) vulnerability.

As of publication of this advisory, there is no fix. Learn why we announce
this.

XXE vulnerability in JAPEX Plugin  

SECURITY-2941 / CVE-2022-45400
Severity (CVSS): High
Affected plugin: japex
Description:

JAPEX Plugin 1.7 and earlier does not configure its XML parser to prevent XML
external entity (XXE) attacks.

This allows attackers able to control XML input files for the 'Record Japex
test report' post-build step to have Jenkins parse a crafted file that uses
external entities for extraction of secrets from the Jenkins controller or
server-side request forgery.

As of publication of this advisory, there is no fix. Learn why we announce
this.

Stored XSS vulnerability in Associated Files Plugin  

SECURITY-2947 / CVE-2022-45401
Severity (CVSS): High
Affected plugin: associated-files
Description:

Associated Files Plugin 0.2.1 and earlier does not escape names of associated
files.

This results in a stored cross-site scripting (XSS) vulnerability exploitable
by attackers with Item/Configure permission.

As of publication of this advisory, there is no fix. Learn why we announce
this.

Severity  

  o SECURITY-766: Medium
  o SECURITY-2094: Low
  o SECURITY-2564: High
  o SECURITY-2802: High
  o SECURITY-2804: Medium
  o SECURITY-2842: High
  o SECURITY-2843: Medium
  o SECURITY-2853: Medium
  o SECURITY-2857: Medium
  o SECURITY-2888: High
  o SECURITY-2910 (1): Medium
  o SECURITY-2910 (2): Medium
  o SECURITY-2912: Medium
  o SECURITY-2920: Medium
  o SECURITY-2921: Medium
  o SECURITY-2927: Medium
  o SECURITY-2937: Medium
  o SECURITY-2938: Medium
  o SECURITY-2941: High
  o SECURITY-2946: High
  o SECURITY-2947: High
  o SECURITY-2948: High
  o SECURITY-2949: High

Affected Versions  

  o Associated Files Plugin up to and including 0.2.1
  o BART Plugin up to and including 1.0.3
  o CCCC Plugin up to and including 0.6
  o CloudBees Docker Hub/Registry Notification Plugin up to and including 2.6.2
  o Cluster Statistics Plugin up to and including 0.4.6
  o Config Rotator Plugin up to and including 2.0.1
  o Delete log Plugin up to and including 1.0
  o JAPEX Plugin up to and including 1.7
  o JUnit Plugin up to and including 1159.v0b_396e1e07dd
  o loader.io Plugin up to and including 1.0.1
  o Naginator Plugin up to and including 1.18.1
  o NS-ND Integration Performance Publisher Plugin up to and including
    4.8.0.143
  o NS-ND Integration Performance Publisher Plugin up to and including
    4.8.0.146
  o OSF Builder Suite : : XML Linter Plugin up to and including 1.0.2
  o Pipeline Utility Steps Plugin up to and including 2.13.0
  o Pipeline Utility Steps Plugin up to and including 2.13.1
  o Reverse Proxy Auth Plugin up to and including 1.7.3
  o Script Security Plugin up to and including 1189.vb_a_b_7c8fd5fde
  o SourceMonitor Plugin up to and including 0.2
  o Support Core Plugin up to and including 1206.v14049fa_b_d860
  o Violations Plugin up to and including 0.7.11
  o XP-Dev Plugin up to and including 1.0

Fix  

  o CloudBees Docker Hub/Registry Notification Plugin should be updated to
    version 2.6.2.1
  o JUnit Plugin should be updated to version 1160.vf1f01a_a_ea_b_7f
  o Naginator Plugin should be updated to version 1.18.2
  o NS-ND Integration Performance Publisher Plugin should be updated to version
    4.8.0.146
  o Pipeline Utility Steps Plugin should be updated to version 2.13.1
  o Pipeline Utility Steps Plugin should be updated to version 2.13.2
  o Reverse Proxy Auth Plugin should be updated to version 1.7.4
  o Script Security Plugin should be updated to version 1190.v65867a_a_47126
  o Support Core Plugin should be updated to version 1206.1208.v9b_7a_1d48db_0f

These versions include fixes to the vulnerabilities described above. All prior
versions are considered to be affected by these vulnerabilities unless
otherwise indicated.

As of publication of this advisory, no fixes are available for the following
plugins:

  o Associated Files Plugin
  o BART Plugin
  o CCCC Plugin
  o Cluster Statistics Plugin
  o Config Rotator Plugin
  o Delete log Plugin
  o JAPEX Plugin
  o loader.io Plugin
  o NS-ND Integration Performance Publisher Plugin
  o OSF Builder Suite : : XML Linter Plugin
  o SourceMonitor Plugin
  o Violations Plugin
  o XP-Dev Plugin

Learn why we announce these issues.

Credit  

The Jenkins project would like to thank the reporters for discovering and
reporting these vulnerabilities:

  o Adrien Lecharpentier, CloudBees, Inc. for SECURITY-2804
  o CC Bomber, Kitri BoB for SECURITY-2920, SECURITY-2921, SECURITY-2927,
    SECURITY-2937, SECURITY-2938, SECURITY-2941, SECURITY-2946, SECURITY-2947
  o Daniel Beck, CloudBees, Inc. for SECURITY-766, SECURITY-2564, SECURITY-2910
    (1), SECURITY-2910 (2), SECURITY-2912
  o James Nord, CloudBees, Inc. for SECURITY-2949
  o Jesse Glick, CloudBees, Inc. for SECURITY-2094
  o Kevin Guerroudj, CloudBees, Inc. for SECURITY-2842, SECURITY-2843,
    SECURITY-2853
  o Valdes Che Zogou, CloudBees, Inc. for SECURITY-2802, SECURITY-2857
  o Wadeck Follonier, CloudBees, Inc. for SECURITY-2888

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: https://auscert.org.au/gpg-key/

iQIVAwUBY3coaskNZI30y1K9AQjQbhAAnNisNQoIe2fG8WM2EUyOrKe7iYzbWIzT
YQFJSVGME3T2G40uAVhrrxyn4n2ePm+tcDWGjSjNmiftjwx7arcC8DEpc4XCH9To
5UaAyo818H3o0jPHy988vKyiYDWZaPyuZixw6f+M0t48rMmBL7oWJaKfmpo+8Wt6
K7xbe6ephE4E7CqTKzZEg9rcf4BF75cL2dWvBzYzBtFYTJA+lPzFor/yX7v72gOg
tGE5ijwiA/sDdJFopn/SKPksGxQkW9BmoihVGYvSeljqeCV5Wr+nKVlMqwP1lFRi
r1eVYF/wsoPzFc2zorEbKCXhouTw04cAN20AKfCWO3LclUNsX2w/K4JgPePtP1m5
nbmQ4qZoOngj4djO8TggiMgUfkEs30lbGn/4I91LRLTp7j0xP7Yeq7IuoZjIRX/V
rRkuX53yyB6lYA+ReKHnPHBz1tyPoj/LSXrqrtxX3mCbUzoWQfL0KwVKtomWa9yE
QGG9q0Hx7Q1q1jsYy390pi2lpHMKU7ThhYvKO/0TpDiKlEEApxZu7QlghxtLkRND
ccRmYP2dwndxbEQvpansDNwgenNYAFNQBcpVAYwWAn3iM4I2kvbIbHfyHSLmhNRs
+FQXARd9geA4ImJ6TErPBn7miglBooTeQ4QEKTv7Giuv+b+riHtQkqH5R0b6HLlG
2iQ8XSMQeGw=
=pkQ8
-----END PGP SIGNATURE-----