From xen-announce-bounces@lists.xen.org Wed Sep 05 10:07:18 2012
Message-ID: <E1T9C4K-0003Su-2p@mariner.uk.xensource.com>
Content-Type: multipart/mixed;
	boundary="_002_E1T9C4K0003Su2pmarinerukxensourcecom_"
From: Xen.org security team <security@xen.org>
To: "xen-announce@lists.xen.org" <xen-announce@lists.xen.org>,
	"xen-devel@lists.xen.org" <xen-devel@lists.xen.org>,
	"xen-users@lists.xen.org" <xen-users@lists.xen.org>,
	"oss-security@lists.openwall.com" <oss-security@lists.openwall.com>
Date: Wed, 5 Sep 2012 05:38:44 -0400
X-Mailman-Approved-At: Wed, 05 Sep 2012 10:04:49 +0000
Cc: "Xen.org security team" <security@xen.org>
Subject: [Xen-announce] Xen Security Advisory 12 (CVE-2012-3494) - hypercall
 set_debugreg vulnerability

--_002_E1T9C4K0003Su2pmarinerukxensourcecom_
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
--_002_E1T9C4K0003Su2pmarinerukxensourcecom_
Content-Type: application/octet-stream; name="xsa12-all.patch"
Content-Description: xsa12-all.patch
Content-Disposition: attachment; filename="xsa12-all.patch"; size=1075;
	creation-date="Wed, 05 Sep 2012 09:39:05 GMT";
	modification-date="Wed, 05 Sep 2012 09:39:05 GMT"
Content-Transfer-Encoding: base64
--_002_E1T9C4K0003Su2pmarinerukxensourcecom_--


From xen-announce-bounces@lists.xen.org Wed Sep 05 10:18:51 2012
Date: Wed, 5 Sep 2012 11:13:31 +0100
Message-ID: <E1T9Cbz-0003ZK-24@mariner.uk.xensource.com>
Content-Type: multipart/mixed; boundary="=separator"; charset="utf-8"
MIME-Version: 1.0
X-Mailer: MIME-tools 5.428 (Entity 5.428)
To: xen-announce@lists.xen.org, xen-devel@lists.xen.org,
	xen-users@lists.xen.org, oss-security@lists.openwall.com
From: Xen.org security team <security@xen.org>
X-Mailman-Approved-At: Wed, 05 Sep 2012 10:16:32 +0000
Cc: "Xen.org security team" <security@xen.org>
Subject: [Xen-announce] Xen Security Advisory 13 (CVE-2012-3495) - hypercall
 physdev_get_free_pirq vulnerability

--=separator
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 7bit

            Xen Security Advisory CVE-2012-3495 / XSA-13
                             version 3

           hypercall physdev_get_free_pirq vulnerability

UPDATES IN VERSION 3
====================

Public release.  Credit Matthew Daley.

ISSUE DESCRIPTION
=================

PHYSDEVOP_get_free_pirq does not check that its call to get_free_pirq
succeeded, and if it fails will use the error code as an array index.

IMPACT
======

A malicious guest might be able to cause the host to crash, leading to
a DoS, depending on the exact memory layout.  Privilege escalation is
a theoretical possibility which cannot be ruled out, but is considered
unlikely.

VULNERABLE SYSTEMS
==================

All Xen systems.

Xen 4.1 is vulnerable.  Other versions of Xen are not vulnerable.

MITIGATION
==========

This issue can be mitigated by ensuring (inside the guest) that the
kernel is trustworthy and avoiding situations where something might
repeatedly cause the attempted allocation of a physical irq.

RESOLUTION
==========

Applying the appropriate attached patch will resolve the issue.

CREDIT
======

Thanks to Matthew Daley for finding this vulnerability (and that in
XSA-12) and notifying the Xen.org security team.

PATCH INFORMATION
=================

The attached patches resolve this issue:

  Xen 4.1, 4.1.x                           xsa13-xen-4.1.patch

$ sha256sum xsa13-*.patch
ad6e3e40ff56c7c25a94d8d9763d4b49f07802b90b4362ddbe4c86bf285c1239  xsa13-xen-4.1.patch

--=separator
Content-Type: application/octet-stream; name="xsa13-xen-4.1.patch"
Content-Disposition: attachment; filename="xsa13-xen-4.1.patch"
Content-Transfer-Encoding: base64


--=separator--
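
Added illustration, not part of the advisory and not Xen's code: a self-contained C model of the flaw XSA-13 describes (an allocator's negative error code used as an array index) beside a caller that checks the result first. Every `model_*` name, the four-slot table and the choice of -ENOSPC as the failure code are assumptions made for this example; the out-of-range store is intercepted and counted by a helper rather than performed.

```c
#include <errno.h>
#include <stdio.h>

/* Hypothetical model, not Xen source: every name and size here is invented. */
#define MODEL_NR_PIRQS       4
#define MODEL_PIRQ_FREE      0
#define MODEL_PIRQ_ALLOCATED (-1)

struct model_domain {
    int pirq_irq[MODEL_NR_PIRQS]; /* slot state, indexed by pirq number */
    int oob_stores;               /* out-of-range stores the model intercepted */
    int last_bad_index;           /* index used by the most recent such store */
};

/* Allocator: index of a free slot, or a negative errno when the table is
 * full. -ENOSPC is an assumption; the advisory only says "the error code". */
static int model_get_free_pirq(const struct model_domain *d)
{
    for (int i = 0; i < MODEL_NR_PIRQS; i++)
        if (d->pirq_irq[i] == MODEL_PIRQ_FREE)
            return i;
    return -ENOSPC;
}

/* Stands in for the raw statement `pirq_irq[idx] = val`. Plain C would write
 * to whatever lies idx elements away from the table base, which for a
 * negative idx is memory in front of the table; the model records the
 * attempt instead so the example stays well defined. */
static void model_store(struct model_domain *d, int idx, int val)
{
    if (idx < 0 || idx >= MODEL_NR_PIRQS) {
        d->oob_stores++;
        d->last_bad_index = idx;
        return;
    }
    d->pirq_irq[idx] = val;
}

/* Flawed shape: the allocator result is used as an index and handed back to
 * the caller without ever being tested for failure. */
static int model_op_unchecked(struct model_domain *d, int *out_pirq)
{
    *out_pirq = model_get_free_pirq(d);
    model_store(d, *out_pirq, MODEL_PIRQ_ALLOCATED);
    return 0; /* success is reported even when allocation failed */
}

/* Hardened shape: a negative result is propagated as the operation's error,
 * and neither the table nor the output is touched on failure. */
static int model_op_checked(struct model_domain *d, int *out_pirq)
{
    int ret = model_get_free_pirq(d);

    if (ret < 0)
        return ret;
    model_store(d, ret, MODEL_PIRQ_ALLOCATED);
    *out_pirq = ret;
    return 0;
}

int main(void)
{
    struct model_domain d = {0};
    int out = 0, ret;

    /* Drain the table through the checked path. */
    while ((ret = model_op_checked(&d, &out)) == 0)
        printf("checked:   allocated pirq %d\n", out);
    printf("checked:   table full, ret=%d, intercepted stores=%d\n",
           ret, d.oob_stores);

    /* Same exhausted table through the unchecked path. */
    ret = model_op_unchecked(&d, &out);
    printf("unchecked: ret=%d, index used=%d, intercepted stores=%d\n",
           ret, out, d.oob_stores);
    return 0;
}
```

On an exhausted table the checked caller returns the allocator's error, while the unchecked caller reports success and attempts one store at the negative index.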


From xen-announce-bounces@lists.xen.org Wed Sep 05 10:53:54 2012
Date: Wed, 05 Sep 2012 10:38:47 +0000
Message-Id: <E1T9D0R-0004Zb-5d@xenbits.xen.org>
Content-Type: multipart/mixed; boundary="=separator"; charset="utf-8"
Content-Transfer-Encoding: binary
MIME-Version: 1.0
X-Mailer: MIME-tools 5.428 (Entity 5.428)
To: xen-announce@lists.xen.org, xen-devel@lists.xen.org,
	xen-users@lists.xen.org, oss-security@lists.openwall.com
From: Xen.org security team <security@xen.org>
X-Mailman-Approved-At: Wed, 05 Sep 2012 10:52:01 +0000
Cc: "Xen.org security team" <security@xen.org>
Subject: [Xen-announce] Xen Security Advisory 14 (CVE-2012-3496) -
 XENMEM_populate_physmap DoS vulnerability


--=separator
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 7bit

            Xen Security Advisory CVE-2012-3496 / XSA-14
                             version 3

           XENMEM_populate_physmap DoS vulnerability

UPDATES IN VERSION 3
====================

Public release.  Credit Matthew Daley.

ISSUE DESCRIPTION
=================

XENMEM_populate_physmap can be called with invalid flags.  By calling
it with MEMF_populate_on_demand flag set, a BUG can be triggered if a
translating paging mode is not being used.

IMPACT
======

A malicious guest kernel can crash the host.

VULNERABLE SYSTEMS
==================

All Xen systems running PV guests.  Systems running only HVM guests
are not vulnerable.

The vulnerability dates back to at least Xen 4.0.  4.0, 4.1, the 4.2
RCs, and xen-unstable.hg are all vulnerable.

MITIGATION
==========

This issue can be mitigated by ensuring that the guest kernel is
trustworthy or by running only HVM guests.

RESOLUTION
==========

Applying the appropriate attached patch will resolve the issue.

CREDIT
======

Thanks to Matthew Daley for finding this vulnerability (and that in
XSA-12) and notifying the Xen.org security team.

PATCH INFORMATION
=================

The attached patches resolve this issue:

 xen-unstable                                xsa14-unstable.patch
 Xen 4.1, 4.1.x, 4.0, 4.0.x, 3.4 and 3.4.x   xsa14-xen-3.4-and-4.x.patch

$ sha256sum xsa14-*.patch
7a2e119b114708420c3484ecc338c7a198097f40e0d38854756dfa69c4c859a8  xsa14-unstable.patch
41a1ee1da7e990dc93b75fad0d46b66a2bda472e9aa288c91d1dc5d15d2c2012  xsa14-xen-3.4-and-4.x.patch

--=separator
Content-Type: application/octet-stream; name="xsa14-unstable.patch"
Content-Disposition: attachment; filename="xsa14-unstable.patch"
Content-Transfer-Encoding: base64
--=separator
Content-Type: application/octet-stream; name="xsa14-xen-3.4-and-4.x.patch"
Content-Disposition: attachment; filename="xsa14-xen-3.4-and-4.x.patch"
Content-Transfer-Encoding: base64
--=separator--



PATCH INFORMATION
=================

The attached patches resolve this issue

 xen-unstable                                xsa14-unstable.patch
 Xen 4.1, 4.1.x, 4.0, 4.0.x, 3.4 and 3.4.x   xsa14-xen-3.4-and-4.x.patch

$ sha256sum xsa14-*.patch
7a2e119b114708420c3484ecc338c7a198097f40e0d38854756dfa69c4c859a8  xsa14-unstable.patch
41a1ee1da7e990dc93b75fad0d46b66a2bda472e9aa288c91d1dc5d15d2c2012  xsa14-xen-3.4-and-4.x.patch
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

-----END PGP SIGNATURE-----

--=separator
Content-Type: application/octet-stream; name="xsa14-unstable.patch"
Content-Disposition: attachment; filename="xsa14-unstable.patch"
Content-Transfer-Encoding: base64
--=separator
Content-Type: application/octet-stream; name="xsa14-xen-3.4-and-4.x.patch"
Content-Disposition: attachment; filename="xsa14-xen-3.4-and-4.x.patch"
Content-Transfer-Encoding: base64
--=separator
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

_______________________________________________
Xen-announce mailing list
Xen-announce@lists.xen.org
http://lists.xen.org/xen-announce
--=separator--


From xen-announce-bounces@lists.xen.org Wed Sep 05 11:18:59 2012
Return-path: <xen-announce-bounces@lists.xen.org>
Envelope-to: archives@lists.xen.org
Delivery-date: Wed, 05 Sep 2012 11:18:59 +0000
Received: from localhost ([127.0.0.1] helo=lists.xen.org)
	by lists.xen.org with esmtp (Exim 4.72)
	(envelope-from <xen-announce-bounces@lists.xen.org>)
	id 1T9Dbk-0005cM-OB; Wed, 05 Sep 2012 11:17:20 +0000
Received: from mail27.messagelabs.com ([193.109.254.147])
	by lists.xen.org with esmtp (Exim 4.72)
	(envelope-from <iwj@xenbits.xen.org>)
	id 1T9DYi-00053C-Vt; Wed, 05 Sep 2012 11:14:13 +0000
X-Env-Sender: iwj@xenbits.xen.org
X-Msg-Ref: server-5.tower-27.messagelabs.com!1346843573!6253309!1
X-Originating-IP: [50.57.168.107]
X-SpamReason: No, hits=0.5 required=7.0 tests=BODY_RANDOM_LONG
X-StarScan-Received: 
X-StarScan-Version: 6.6.1.3; banners=-,-,-
X-VirusChecked: Checked
Received: (qmail 16021 invoked from network); 5 Sep 2012 11:12:55 -0000
Received: from mail.xen.org (HELO mail.xen.org) (50.57.168.107)
	by server-5.tower-27.messagelabs.com with AES256-SHA encrypted SMTP;
	5 Sep 2012 11:12:55 -0000
Received: from xenbits.xen.org ([50.57.170.242])
	by mail.xen.org with esmtp (Exim 4.72)
	(envelope-from <iwj@xenbits.xen.org>)
	id 1T9DXL-0001Cr-Dg; Wed, 05 Sep 2012 11:12:47 +0000
Received: from iwj by xenbits.xen.org with local (Exim 4.72)
	(envelope-from <iwj@xenbits.xen.org>)
	id 1T9DXL-0005Qu-97; Wed, 05 Sep 2012 11:12:47 +0000
Date: Wed, 05 Sep 2012 11:12:47 +0000
Message-Id: <E1T9DXL-0005Qu-97@xenbits.xen.org>
Content-Type: multipart/mixed; boundary="=separator"; charset="utf-8"
Content-Transfer-Encoding: binary
MIME-Version: 1.0
X-Mailer: MIME-tools 5.428 (Entity 5.428)
To: xen-announce@lists.xen.org, xen-devel@lists.xen.org,
	xen-users@lists.xen.org, oss-security@lists.openwall.com
From: Xen.org security team <security@xen.org>
X-Mailman-Approved-At: Wed, 05 Sep 2012 11:17:18 +0000
Cc: "Xen.org security team" <security@xen.org>
Subject: [Xen-announce] Xen Security Advisory 17 (CVE-2012-3515) - Qemu
 VT100 emulation vulnerability
X-BeenThere: xen-announce@lists.xen.org
X-Mailman-Version: 2.1.13
Precedence: list
List-Id: "Xen announcements \(low volume\)" <xen-announce.lists.xen.org>
List-Unsubscribe: <http://lists.xen.org/cgi-bin/mailman/options/xen-announce>, 
	<mailto:xen-announce-request@lists.xen.org?subject=unsubscribe>
List-Post: <mailto:xen-announce@lists.xen.org>
List-Help: <mailto:xen-announce-request@lists.xen.org?subject=help>
List-Subscribe: <http://lists.xen.org/cgi-bin/mailman/listinfo/xen-announce>, 
	<mailto:xen-announce-request@lists.xen.org?subject=subscribe>
Sender: xen-announce-bounces@lists.xen.org
Errors-To: xen-announce-bounces@lists.xen.org


--=separator
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 7bit

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

            Xen Security Advisory CVE-2012-3515 / XSA-17
                           version 2

               Qemu VT100 emulation vulnerability

UPDATES IN VERSION 2
====================

Public release.

ISSUE DESCRIPTION
=================

The device model used by fully virtualised (HVM) domains, qemu, does
not properly handle VT100 escape sequences when emulating certain
devices with a virtual console backend.

IMPACT
======

An attacker who has sufficient privilege to access a vulnerable device
within a guest can overwrite portions of the device model's address
space. This can allow them to escalate their privileges to that of the
device model process.

VULNERABLE SYSTEMS
==================

All Xen systems running HVM guests are potentially vulnerable to this
depending on the specific guest configuration. The default
configuration is vulnerable.

Guests using either the traditional "qemu-xen" or upstream qemu device
models are vulnerable.

MITIGATION
==========

This issue can be avoided by only running PV guests or by configuring
HVM guests to not use the virtual console ('vc') backend for any device.

For serial devices specify in your guest configuration:
     serial = 'none'

For parallel port devices the syntax is toolstack specific.
For xend specify in your guest configuration:
     parallel = 'none'
For xl specify in your guest configuration:
     xl: device_model_args = ['-parallel', 'none']

In both cases the default is to use the vulnerable 'vc' mode.

You can confirm whether or not you are vulnerable by pressing
Ctrl-Alt-<N> (for digit N) while connected to either the VNC or SDL
console. If you are able to switch to a window displaying "serial" or
"parallel" then you are vulnerable.

The issue can also be mitigated by enabling the stub domain device
model. In this case the attacker can only potentially gain control of
the stub domain and not of the entire system.

To enable stub domains specify in your guest configuration:
    device_model = "stubdom-dm"

RESOLUTION
==========

Applying the appropriate attached patch(es) will resolve the issue.

PATCH INFORMATION
=================

The attached patches resolve this issue

Traditional qemu tree
   Xen 4.0, 4.1 and unstable         xsa17-qemu-xen-traditional-all.patch

Upstream qemu tree (present in unstable only)
   Xen unstable                      xsa17-qemu-xen-unstable.patch

$ sha256sum xsa17-*.patch
60215322d3fbbc2054dfc160a20d9e0811af88487c4edc2f6ea81dcd5cedf039  xsa17-qemu-xen-traditional-all.patch
7b4bb59e7757080e7806a8b8eeb6b78fa0ffdfbfb28a7a379f7edff285bffd88  xsa17-qemu-xen-unstable.patch
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

-----END PGP SIGNATURE-----

--=separator
Content-Type: application/octet-stream;
 name="xsa17-qemu-xen-traditional-all.patch"
Content-Disposition: attachment;
 filename="xsa17-qemu-xen-traditional-all.patch"
Content-Transfer-Encoding: base64
--=separator
Content-Type: application/octet-stream; name="xsa17-qemu-xen-unstable.patch"
Content-Disposition: attachment; filename="xsa17-qemu-xen-unstable.patch"
Content-Transfer-Encoding: base64
--=separator
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

_______________________________________________
Xen-announce mailing list
Xen-announce@lists.xen.org
http://lists.xen.org/xen-announce
--=separator--
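
The XSA-17 mitigation settings above can be checked across guest configuration files. The following is an added example, not part of the advisory or of the Xen tools: it reports which devices of an HVM guest are still on the 'vc' backend. The function names and sample configurations are constructed, and it assumes HVM guests are marked with builder = "hvm" and that the configuration parses as Python-style assignments.

```python
import ast


def parse_guest_config(text):
    """Collect the literal `key = value` assignments of a guest config."""
    settings = {}
    for node in ast.parse(text).body:
        if (isinstance(node, ast.Assign) and len(node.targets) == 1
                and isinstance(node.targets[0], ast.Name)):
            try:
                settings[node.targets[0].id] = ast.literal_eval(node.value)
            except (ValueError, TypeError):
                continue  # value is not a plain literal; ignore it
    return settings


def uses_vc(backend):
    """True if a device backend is the virtual console.

    An unset backend counts as 'vc': the advisory states that the
    default is the vulnerable 'vc' mode.
    """
    if backend is None:
        return True
    return backend == "vc" or str(backend).startswith("vc:")


def parallel_backend(settings, toolstack):
    """Return the configured parallel port backend, or None if unset."""
    if toolstack == "xend":
        return settings.get("parallel")
    # xl: the advisory passes the setting through device_model_args.
    args = settings.get("device_model_args") or []
    if isinstance(args, str):
        args = args.split()
    backend = None
    for i, arg in enumerate(args[:-1]):
        if arg == "-parallel":
            backend = args[i + 1]  # a later occurrence overrides an earlier one
    return backend


def audit(text, toolstack="xl"):
    """Report which devices of a guest still use the 'vc' backend."""
    settings = parse_guest_config(text)
    # Assumption: HVM guests are identified by builder = "hvm".
    hvm = settings.get("builder") == "hvm"
    vc_devices = []
    if hvm:  # PV guests have no qemu device model console to audit
        if uses_vc(settings.get("serial")):
            vc_devices.append("serial")
        if uses_vc(parallel_backend(settings, toolstack)):
            vc_devices.append("parallel")
    return {
        "hvm": hvm,
        "vc_devices": vc_devices,
        # Stub domains limit the impact but do not remove the flaw.
        "stubdom": settings.get("device_model") == "stubdom-dm",
    }


# Constructed sample configurations (not taken from the advisory).
DEFAULT_HVM = 'name = "guest1"\nbuilder = "hvm"\nmemory = 1024\n'
MITIGATED_XL = (
    'builder = "hvm"\n'
    "serial = 'none'\n"
    "device_model_args = ['-parallel', 'none']\n"
)
XEND_PARTIAL = (
    'builder = "hvm"\n'
    "parallel = 'none'\n"
    'device_model = "stubdom-dm"\n'
)
PV_GUEST = 'name = "pv1"\nkernel = "/boot/vmlinuz"\n'

if __name__ == "__main__":
    for label, cfg, stack in [("default", DEFAULT_HVM, "xl"),
                              ("mitigated", MITIGATED_XL, "xl"),
                              ("xend-partial", XEND_PARTIAL, "xend"),
                              ("pv", PV_GUEST, "xl")]:
        print(label, audit(cfg, stack))
```

A guest is fully mitigated by configuration only when vc_devices is empty; a true stubdom value with a non-empty list means the exposure is confined to the stub domain, as the advisory describes.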


From xen-announce-bounces@lists.xen.org Wed Sep 05 11:19:00 2012
Return-path: <xen-announce-bounces@lists.xen.org>
Envelope-to: archives@lists.xen.org
Delivery-date: Wed, 05 Sep 2012 11:19:00 +0000
Received: from localhost ([127.0.0.1] helo=lists.xen.org)
	by lists.xen.org with esmtp (Exim 4.72)
	(envelope-from <xen-announce-bounces@lists.xen.org>)
	id 1T9Dbl-0005dX-Ep; Wed, 05 Sep 2012 11:17:21 +0000
Received: from mail27.messagelabs.com ([193.109.254.147])
	by lists.xen.org with esmtp (Exim 4.72)
	(envelope-from <iwj@xenbits.xen.org>)
	id 1T9DYt-000551-Ug; Wed, 05 Sep 2012 11:14:24 +0000
X-Env-Sender: iwj@xenbits.xen.org
X-Msg-Ref: server-15.tower-27.messagelabs.com!1346843656!2698197!1
X-Originating-IP: [50.57.168.107]
X-SpamReason: No, hits=0.0 required=7.0 tests=
X-StarScan-Received: 
X-StarScan-Version: 6.6.1.3; banners=-,-,-
X-VirusChecked: Checked
Received: (qmail 31598 invoked from network); 5 Sep 2012 11:14:17 -0000
Received: from mail.xen.org (HELO mail.xen.org) (50.57.168.107)
	by server-15.tower-27.messagelabs.com with AES256-SHA encrypted SMTP;
	5 Sep 2012 11:14:17 -0000
Received: from xenbits.xen.org ([50.57.170.242])
	by mail.xen.org with esmtp (Exim 4.72)
	(envelope-from <iwj@xenbits.xen.org>)
	id 1T9DYh-0001EZ-BG; Wed, 05 Sep 2012 11:14:11 +0000
Received: from iwj by xenbits.xen.org with local (Exim 4.72)
	(envelope-from <iwj@xenbits.xen.org>)
	id 1T9DYh-0005Tm-0t; Wed, 05 Sep 2012 11:14:11 +0000
Date: Wed, 05 Sep 2012 11:14:11 +0000
Message-Id: <E1T9DYh-0005Tm-0t@xenbits.xen.org>
Content-Type: multipart/mixed; boundary="=separator"; charset="utf-8"
Content-Transfer-Encoding: binary
MIME-Version: 1.0
X-Mailer: MIME-tools 5.428 (Entity 5.428)
To: xen-announce@lists.xen.org, xen-devel@lists.xen.org,
	xen-users@lists.xen.org, oss-security@lists.openwall.com
From: Xen.org security team <security@xen.org>
X-Mailman-Approved-At: Wed, 05 Sep 2012 11:17:18 +0000
Cc: "Xen.org security team" <security@xen.org>
Subject: [Xen-announce] Xen Security Advisory 18 (CVE-2012-3516) - grant
 table entry swaps have inadequate bounds checking
X-BeenThere: xen-announce@lists.xen.org
X-Mailman-Version: 2.1.13
Precedence: list
List-Id: "Xen announcements \(low volume\)" <xen-announce.lists.xen.org>
List-Unsubscribe: <http://lists.xen.org/cgi-bin/mailman/options/xen-announce>, 
	<mailto:xen-announce-request@lists.xen.org?subject=unsubscribe>
List-Post: <mailto:xen-announce@lists.xen.org>
List-Help: <mailto:xen-announce-request@lists.xen.org?subject=help>
List-Subscribe: <http://lists.xen.org/cgi-bin/mailman/listinfo/xen-announce>, 
	<mailto:xen-announce-request@lists.xen.org?subject=subscribe>
Sender: xen-announce-bounces@lists.xen.org
Errors-To: xen-announce-bounces@lists.xen.org


--=separator
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 7bit

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

            Xen Security Advisory CVE-2012-3516 / XSA-18
                           version 2

       grant table entry swaps have inadequate bounds checking

UPDATES IN VERSION 2
====================

Public release.

ISSUE DESCRIPTION
=================

The grant table hypercall's GNTTABOP_swap_grant_ref sub-operation does
not perform adequate checks on the input grant references.

IMPACT
======

A malicious guest kernel or administrator can crash the host.

It may be possible for an attacker to swap a valid grant reference,
which they control, with an invalid one, allowing them to write
arbitrary values to hypervisor memory. This could potentially lead to a
privilege escalation.

VULNERABLE SYSTEMS
==================

Xen-unstable, including Xen 4.2 release candidates, are vulnerable to
this issue.

Xen 4.1 and earlier do not include this hypercall and are therefore
not vulnerable.

MITIGATION
==========

The only mitigation is not to run guests which have untrusted
administrators.

RESOLUTION
==========

Applying the attached patch will resolve the issue.

PATCH INFORMATION
=================

The attached patch resolves this issue

    Xen unstable                               xsa18-unstable.patch

$ sha256sum xsa18-unstable.patch
ad354a1964fc52b0e48d405514156935cc8dfcb5bdaee307e3e74afcc0ca8914  xsa18-unstable.patch
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

-----END PGP SIGNATURE-----

--=separator
Content-Type: application/octet-stream; name="xsa18-unstable.patch"
Content-Disposition: attachment; filename="xsa18-unstable.patch"
Content-Transfer-Encoding: base64
--=separator
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

_______________________________________________
Xen-announce mailing list
Xen-announce@lists.xen.org
http://lists.xen.org/xen-announce
--=separator--


From xen-announce-bounces@lists.xen.org Wed Sep 05 11:19:00 2012
Return-path: <xen-announce-bounces@lists.xen.org>
Envelope-to: archives@lists.xen.org
Delivery-date: Wed, 05 Sep 2012 11:19:00 +0000
Received: from localhost ([127.0.0.1] helo=lists.xen.org)
	by lists.xen.org with esmtp (Exim 4.72)
	(envelope-from <xen-announce-bounces@lists.xen.org>)
	id 1T9Dbk-0005bv-3R; Wed, 05 Sep 2012 11:17:20 +0000
Received: from mail6.bemta5.messagelabs.com ([195.245.231.135])
	by lists.xen.org with esmtp (Exim 4.72)
	(envelope-from <iwj@xenbits.xen.org>) id 1T9DXP-0004qz-2t
	for xen-announce@lists.xen.org; Wed, 05 Sep 2012 11:12:51 +0000
Received: from [85.158.139.83:19732] by server-6.bemta-5.messagelabs.com id
	B1/42-21336-2B337405; Wed, 05 Sep 2012 11:12:50 +0000
X-Env-Sender: iwj@xenbits.xen.org
X-Msg-Ref: server-11.tower-182.messagelabs.com!1346843568!21461727!1
X-Originating-IP: [50.57.168.107]
X-SpamReason: No, hits=0.0 required=7.0 tests=
X-StarScan-Received: 
X-StarScan-Version: 6.6.1.3; banners=-,-,-
X-VirusChecked: Checked
Received: (qmail 22577 invoked from network); 5 Sep 2012 11:12:49 -0000
Received: from mail.xen.org (HELO mail.xen.org) (50.57.168.107)
	by server-11.tower-182.messagelabs.com with AES256-SHA encrypted SMTP;
	5 Sep 2012 11:12:49 -0000
Received: from xenbits.xen.org ([50.57.170.242])
	by mail.xen.org with esmtp (Exim 4.72)
	(envelope-from <iwj@xenbits.xen.org>)
	id 1T9DXH-0001Cf-UU; Wed, 05 Sep 2012 11:12:43 +0000
Received: from iwj by xenbits.xen.org with local (Exim 4.72)
	(envelope-from <iwj@xenbits.xen.org>)
	id 1T9DXH-0005Qg-SS; Wed, 05 Sep 2012 11:12:43 +0000
Date: Wed, 05 Sep 2012 11:12:43 +0000
Message-Id: <E1T9DXH-0005Qg-SS@xenbits.xen.org>
Content-Type: multipart/mixed; boundary="=separator"; charset="utf-8"
Content-Transfer-Encoding: binary
MIME-Version: 1.0
X-Mailer: MIME-tools 5.428 (Entity 5.428)
To: xen-announce@lists.xen.org, xen-devel@lists.xen.org,
	xen-users@lists.xen.org, oss-security@lists.openwall.com
From: Xen.org security team <security@xen.org>
X-Mailman-Approved-At: Wed, 05 Sep 2012 11:17:18 +0000
Cc: "Xen.org security team" <security@xen.org>
Subject: [Xen-announce] Xen Security Advisory 16 (CVE-2012-3498) -
 PHYSDEVOP_map_pirq index vulnerability
X-BeenThere: xen-announce@lists.xen.org
X-Mailman-Version: 2.1.13
Precedence: list
List-Id: "Xen announcements \(low volume\)" <xen-announce.lists.xen.org>
List-Unsubscribe: <http://lists.xen.org/cgi-bin/mailman/options/xen-announce>, 
	<mailto:xen-announce-request@lists.xen.org?subject=unsubscribe>
List-Post: <mailto:xen-announce@lists.xen.org>
List-Help: <mailto:xen-announce-request@lists.xen.org?subject=help>
List-Subscribe: <http://lists.xen.org/cgi-bin/mailman/listinfo/xen-announce>, 
	<mailto:xen-announce-request@lists.xen.org?subject=subscribe>
Sender: xen-announce-bounces@lists.xen.org
Errors-To: xen-announce-bounces@lists.xen.org


--=separator
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 7bit

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

            Xen Security Advisory CVE-2012-3498 / XSA-16
                             version 3

               PHYSDEVOP_map_pirq index vulnerability

UPDATES IN VERSION 3
====================

Public release.  Credit Matthew Daley.

ISSUE DESCRIPTION
=================

PHYSDEVOP_map_pirq with MAP_PIRQ_TYPE_GSI does not range check
map->index.

IMPACT
======

A malicious HVM guest kernel can crash the host.  It might also be
able to read hypervisor or guest memory.

VULNERABLE SYSTEMS
==================

All Xen systems running HVM guests.  PV guests are not vulnerable.

The vulnerability dates back to Xen 4.1.  Xen 4.0 is not vulnerable.
4.1, the 4.2 RCs, and xen-unstable.hg are vulnerable.

MITIGATION
==========

This issue can be mitigated by ensuring that the guest kernel is
trustworthy, or by running only PV guests.

RESOLUTION
==========

Applying the appropriate attached patch will resolve the issue.

CREDIT
======

Thanks to Matthew Daley for finding this vulnerability (and that in
XSA-12) and notifying the Xen.org security team.

PATCH INFORMATION
=================

The attached patches resolve this issue

  Xen unstable                                  xsa16-unstable.patch
  Xen 4.1, 4.1.x                                xsa16-xen-4.1.patch

$ sha256sum xsa16-*.patch
f8db42898620112c8e77bf116645d650b3671d4ccc49adcad09c7b4591d55cab  xsa16-unstable.patch
4b76d554b23977443209e45d3a2404d63695eb3020ff87a8e16e5e25cbddff31  xsa16-xen-4.1.patch
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

-----END PGP SIGNATURE-----

--=separator
Content-Type: application/octet-stream; name="xsa16-unstable.patch"
Content-Disposition: attachment; filename="xsa16-unstable.patch"
Content-Transfer-Encoding: base64
--=separator
Content-Type: application/octet-stream; name="xsa16-xen-4.1.patch"
Content-Disposition: attachment; filename="xsa16-xen-4.1.patch"
Content-Transfer-Encoding: base64
--=separator
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

_______________________________________________
Xen-announce mailing list
Xen-announce@lists.xen.org
http://lists.xen.org/xen-announce
--=separator--


From xen-announce-bounces@lists.xen.org Wed Sep 05 11:19:00 2012
Return-path: <xen-announce-bounces@lists.xen.org>
Envelope-to: archives@lists.xen.org
Delivery-date: Wed, 05 Sep 2012 11:19:00 +0000
Received: from localhost ([127.0.0.1] helo=lists.xen.org)
	by lists.xen.org with esmtp (Exim 4.72)
	(envelope-from <xen-announce-bounces@lists.xen.org>)
	id 1T9Dbj-0005bN-DO; Wed, 05 Sep 2012 11:17:19 +0000
Received: from mail6.bemta4.messagelabs.com ([85.158.143.247])
	by lists.xen.org with esmtp (Exim 4.72)
	(envelope-from <iwj@xenbits.xen.org>) id 1T9DVb-0004hj-JH
	for xen-announce@lists.xen.org; Wed, 05 Sep 2012 11:10:59 +0000
Received: from [85.158.143.99:60864] by server-1.bemta-4.messagelabs.com id
	10/C3-12504-24337405; Wed, 05 Sep 2012 11:10:58 +0000
X-Env-Sender: iwj@xenbits.xen.org
X-Msg-Ref: server-11.tower-216.messagelabs.com!1346843448!21117190!1
X-Originating-IP: [50.57.168.107]
X-SpamReason: No, hits=0.5 required=7.0 tests=BODY_RANDOM_LONG
X-StarScan-Received: 
X-StarScan-Version: 6.6.1.3; banners=-,-,-
X-VirusChecked: Checked
Received: (qmail 19330 invoked from network); 5 Sep 2012 11:10:50 -0000
Received: from mail.xen.org (HELO mail.xen.org) (50.57.168.107)
	by server-11.tower-216.messagelabs.com with AES256-SHA encrypted SMTP;
	5 Sep 2012 11:10:50 -0000
Received: from xenbits.xen.org ([50.57.170.242])
	by mail.xen.org with esmtp (Exim 4.72)
	(envelope-from <iwj@xenbits.xen.org>)
	id 1T9DVJ-0001Az-MN; Wed, 05 Sep 2012 11:10:41 +0000
Received: from iwj by xenbits.xen.org with local (Exim 4.72)
	(envelope-from <iwj@xenbits.xen.org>)
	id 1T9DVJ-0005Jh-0F; Wed, 05 Sep 2012 11:10:41 +0000
Date: Wed, 05 Sep 2012 11:10:41 +0000
Message-Id: <E1T9DVJ-0005Jh-0F@xenbits.xen.org>
Content-Type: multipart/mixed; boundary="=separator"; charset="utf-8"
Content-Transfer-Encoding: binary
MIME-Version: 1.0
X-Mailer: MIME-tools 5.428 (Entity 5.428)
To: xen-announce@lists.xen.org, xen-devel@lists.xen.org,
	xen-users@lists.xen.org, oss-security@lists.openwall.com
From: Xen.org security team <security@xen.org>
X-Mailman-Approved-At: Wed, 05 Sep 2012 11:17:18 +0000
Cc: "Xen.org security team" <security@xen.org>
Subject: [Xen-announce] Xen Security Advisory 15 (CVE-2012-3497) - multiple
 TMEM hypercall vulnerabilities
X-BeenThere: xen-announce@lists.xen.org
X-Mailman-Version: 2.1.13
Precedence: list
List-Id: "Xen announcements \(low volume\)" <xen-announce.lists.xen.org>
List-Unsubscribe: <http://lists.xen.org/cgi-bin/mailman/options/xen-announce>, 
	<mailto:xen-announce-request@lists.xen.org?subject=unsubscribe>
List-Post: <mailto:xen-announce@lists.xen.org>
List-Help: <mailto:xen-announce-request@lists.xen.org?subject=help>
List-Subscribe: <http://lists.xen.org/cgi-bin/mailman/listinfo/xen-announce>, 
	<mailto:xen-announce-request@lists.xen.org?subject=subscribe>
Sender: xen-announce-bounces@lists.xen.org
Errors-To: xen-announce-bounces@lists.xen.org


--=separator
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 7bit

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

            Xen Security Advisory CVE-2012-3497 / XSA-15
                         version 2

              multiple TMEM hypercall vulnerabilities

UPDATES IN VERSION 2
====================

Public release.  Credit Matthew Daley.

ISSUE DESCRIPTION
=================

Several sub-operations of the Transcendent Memory (TMEM) hypercall
either do not correctly validate their inputs, do not correctly
validate the privilege of the calling guest, or have other
security-relevant bugs.

A full list of the vulnerabilities in the TMEM system is not available
at present.

IMPACT
======

An unprivileged guest can overwrite hypervisor-owned memory with
content of their choosing, allowing them to escalate their privilege
to that of the host.

In addition, an unprivileged guest can crash the hypervisor,
resulting in a Denial of Service.

VULNERABLE SYSTEMS
==================

ONLY installations where "tmem" is specified on the hypervisor command
line are vulnerable.  Most Xen installations do not do so.

All versions of Xen from 4.0 onward which have TMEM enabled and are
running guests with untrusted administrators are vulnerable.

Although we consider it unlikely, we have not been able to rule out
the possibility that a malicious unprivileged user could exploit
these issues via a trusted TMEM-aware kernel.  Therefore all
administrators are advised to disable TMEM even if all guest kernels
are controlled and trusted.

MITIGATION
==========

Only systems which have TMEM enabled at boot time are affected by this
issue.  By default TMEM is disabled unless it is explicitly enabled
via the hypervisor command line option "tmem".

TMEM has been described by its maintainers as a technology preview,
and is therefore not supported by them for use in production systems.

Pending a full security audit of the code, the Xen.org security team
recommends that Xen users do not enable TMEM.

RESOLUTION
==========

Work is ongoing, by the community maintainers for TMEM, to patch the
specific bugs as they are found.  This includes both the multiple
vulnerabilities initially reported to the Xen.org security team, and
multiple further vulnerabilities which have been discovered since then
during our ad-hoc code inspection.

At the time of writing, a complete set of fixes even for known issues
is not available.

PROCESS FOR TMEM VULNERABILITIES
================================

Until TMEM has gained production maturity, the Xen.org security team
intends (subject of course to the permission of anyone disclosing to
us) to handle these and future TMEM vulnerabilities in public, as if
they were normal non-security-related bugs.

We therefore intend that currently-known vulnerabilities will be
publicly disclosed on the xen-devel mailing list, as normal bug
reports, at the expiry of the XSA-15 embargo.  In the meantime the
list below may be helpful.

The Xen.org security team will ensure, on expiry of the embargo, that the
documentation reflects TMEM's technology preview status.

CREDIT
======

Thanks to Matthew Daley for finding these vulnerabilities (and that in
XSA-12) and notifying the Xen.org security team.

LIST OF KNOWN VULNERABILITIES
=============================

**NOTE** that this is unlikely to be a complete list of problems.

**NOTE** that after publication of this advisory, after the embargo
ends, the advisory will no longer be updated to extend this list of
vulnerabilities.  See `Process for TMEM vulnerabilities', above.


Multiple tmem save-related control ops do not check for NULL
clients:

      TMEMC_SAVE_GET_CLIENT_WEIGHT, TMEMC_SAVE_GET_CLIENT_CAP,
      TMEMC_SAVE_GET_CLIENT_FLAGS and TMEMC_SAVE_END do not check
      that the cli_id used to find the client is valid, and can
      hence dereference a NULL client. This allows a malicious
      guest to crash the host (DoS), or, in the case of
      TMEMC_SAVE_END, memory corruption (DoS or worse).

Multiple tmem save-related control ops do not check guest output
buffer pointers:

      The functions tmemc_save_get_next_page,
      tmemc_save_get_next_inv and the TMEMC_SAVE_GET_POOL_UUID
      subop do not check incoming guest output buffer pointers,
      and do not use e.g. copy_to_guest. A malicious guest can
      crash the host or cause memory corruption (DoS / code
      execution).

Multiple tmem ops do not check for negative pool IDs:

      The functions tmemc_save_get_next_page,
      tmemc_restore_put_page and tmemc_restore_flush_page do not
      check for negative pool IDs, allowing (at least) memory
      corruption.

do_tmem_destroy_pool does not check for invalid pool IDs:

      The function do_tmem_destroy_pool does not check for invalid
      pool IDs, allowing a malicious guest to crash the host or
      corrupt host memory (DoS / code execution).

do_tmem_control's privilege check is commented out:

      This allows any guest access to control stack operations
      (many of which themselves do not have adequate argument
      checking).

tmh_copy_from_client and tmh_copy_to_client have an integer
overflow vulnerability:

      This can corrupt host memory.

do_tmem_get()'s bad_copy error path leaves a spinlock held:

      The next operation on the same object will hang the CPU.
      This is a host DoS.

do_tmem_op has at least one error path with broken locking checks:

      This is a host DoS or worse.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

-----END PGP SIGNATURE-----

--=separator
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

_______________________________________________
Xen-announce mailing list
Xen-announce@lists.xen.org
http://lists.xen.org/xen-announce
--=separator--
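
Added example, not part of the advisory or of Xen's code: XSA-15 applies only when "tmem" is on the hypervisor command line, so this checks a captured command line for that option. It assumes the `xen_commandline` field of `xl info` / `xm info` output, Xen's usual boolean option spellings ("tmem", "tmem=<value>", "no-tmem"), and that a later occurrence overrides an earlier one; the sample text and function names are constructed.

```python
# Values assumed to switch a Xen boolean command line option off.
_FALSE = {"0", "no", "off", "false", "disable"}


def xen_cmdline_from_info(info_text):
    """Extract the hypervisor command line from `xl info` / `xm info` output."""
    for line in info_text.splitlines():
        # Split at the first colon only: the command line itself may contain colons.
        key, sep, value = line.partition(":")
        if sep and key.strip() == "xen_commandline":
            return value.strip()
    return None


def tmem_enabled(cmdline):
    """Return True if the command line leaves TMEM switched on.

    TMEM is off unless explicitly enabled (per the advisory). Only the exact
    option name is matched, so other options that merely start with "tmem"
    are not mistaken for it. An unrecognised value is treated as enabled so
    that the host gets reviewed rather than silently passed.
    """
    enabled = False
    for token in cmdline.split():
        name, sep, value = token.partition("=")
        if name == "tmem":
            enabled = not sep or value.lower() not in _FALSE
        elif name == "no-tmem":
            enabled = False
    return enabled


# Constructed sample of `xl info` output (not taken from a real host).
SAMPLE_INFO = """\
xen_major              : 4
xen_minor              : 1
xen_commandline        : dom0_mem=2048M console=com1,vga tmem loglvl=all
"""

if __name__ == "__main__":
    cmdline = xen_cmdline_from_info(SAMPLE_INFO)
    state = "ENABLED, affected by XSA-15" if tmem_enabled(cmdline) else "disabled"
    print("tmem is", state)
```

On a host, feed the function the output of `xl info` (or `xm info`) and also check the boot loader configuration, since the running command line only reflects the last boot.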


From xen-announce-bounces@lists.xen.org Thu Sep 06 16:17:02 2012
Return-path: <xen-announce-bounces@lists.xen.org>
Envelope-to: archives@lists.xen.org
Delivery-date: Thu, 06 Sep 2012 16:17:02 +0000
Received: from localhost ([127.0.0.1] helo=lists.xen.org)
	by lists.xen.org with esmtp (Exim 4.72)
	(envelope-from <xen-announce-bounces@lists.xen.org>)
	id 1T9eiL-0004wX-Ob; Thu, 06 Sep 2012 16:13:57 +0000
Received: from mail6.bemta3.messagelabs.com ([195.245.230.39])
	by lists.xen.org with esmtp (Exim 4.72)
	(envelope-from <iwj@xenbits.xen.org>) id 1T9ei0-0004vi-B1
	for xen-announce@lists.xen.org; Thu, 06 Sep 2012 16:13:36 +0000
Received: from [85.158.138.51:23579] by server-3.bemta-3.messagelabs.com id
	D8/7D-21322-FABC8405; Thu, 06 Sep 2012 16:13:35 +0000
X-Env-Sender: iwj@xenbits.xen.org
X-Msg-Ref: server-2.tower-174.messagelabs.com!1346948013!29115213!1
X-Originating-IP: [50.57.168.107]
X-SpamReason: No, hits=0.5 required=7.0 tests=BODY_RANDOM_LONG
X-StarScan-Received: 
X-StarScan-Version: 6.6.1.3; banners=-,-,-
X-VirusChecked: Checked
Received: (qmail 443 invoked from network); 6 Sep 2012 16:13:34 -0000
Received: from mail.xen.org (HELO mail.xen.org) (50.57.168.107)
	by server-2.tower-174.messagelabs.com with AES256-SHA encrypted SMTP;
	6 Sep 2012 16:13:34 -0000
Received: from xenbits.xen.org ([50.57.170.242])
	by mail.xen.org with esmtp (Exim 4.72)
	(envelope-from <iwj@xenbits.xen.org>)
	id 1T9ehq-0006FF-9D; Thu, 06 Sep 2012 16:13:26 +0000
Received: from iwj by xenbits.xen.org with local (Exim 4.72)
	(envelope-from <iwj@xenbits.xen.org>)
	id 1T9ehq-0006nu-7Q; Thu, 06 Sep 2012 16:13:26 +0000
Date: Thu, 06 Sep 2012 16:13:26 +0000
Message-Id: <E1T9ehq-0006nu-7Q@xenbits.xen.org>
Content-Type: multipart/mixed; boundary="=separator"; charset="utf-8"
Content-Transfer-Encoding: binary
MIME-Version: 1.0
X-Mailer: MIME-tools 5.428 (Entity 5.428)
To: xen-announce@lists.xen.org, xen-devel@lists.xen.org,
	xen-users@lists.xen.org, oss-security@lists.openwall.com
From: Xen.org security team <security@xen.org>
X-Mailman-Approved-At: Thu, 06 Sep 2012 16:13:56 +0000
Cc: "Xen.org security team" <security@xen.org>
Subject: [Xen-announce] Xen Security Advisory 19 - guest administrator can
 access qemu monitor console
X-BeenThere: xen-announce@lists.xen.org
X-Mailman-Version: 2.1.13
Precedence: list
List-Id: "Xen announcements \(low volume\)" <xen-announce.lists.xen.org>
List-Unsubscribe: <http://lists.xen.org/cgi-bin/mailman/options/xen-announce>, 
	<mailto:xen-announce-request@lists.xen.org?subject=unsubscribe>
List-Post: <mailto:xen-announce@lists.xen.org>
List-Help: <mailto:xen-announce-request@lists.xen.org?subject=help>
List-Subscribe: <http://lists.xen.org/cgi-bin/mailman/listinfo/xen-announce>, 
	<mailto:xen-announce-request@lists.xen.org?subject=subscribe>
Sender: xen-announce-bounces@lists.xen.org
Errors-To: xen-announce-bounces@lists.xen.org


--=separator
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 7bit

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

                 Xen Security Advisory XSA-19

         guest administrator can access qemu monitor console


ISSUE DESCRIPTION
=================

A guest administrator who is granted access to the graphical console
of a Xen guest can access the qemu monitor.  The monitor can be used
to access host resources.

IMPACT
======

A malicious guest administrator can access host resources (perhaps
belonging to other guests or the underlying system) and may be able to
escalate their privilege to that of the host.

VULNERABLE SYSTEMS
==================

Installations where guest administrators do not have access to a
domain's graphical console, or containing only PV domains configured
without a graphical console, are not vulnerable.

Installations where all guest administrators are trustworthy are not
vulnerable, even if the guest operating systems themselves are
untrusted.

Systems using xend/xm: At least all versions since Xen 4.0 are
affected.  Systems are vulnerable even if "monitor=no" is specified in
the xm domain configuration file - this configuration option is not
properly honoured in the vulnerable versions.

Systems using libxl/xl: All versions are affected.  The "monitor="
option is not understood, and is therefore ignored, by xl.  However,
systems using the experimental device model version based on upstream
qemu are NOT vulnerable; that is, Xen 4.2 RC systems with
device_model_version="qemu_xen" specified in the xl domain config
file.

Systems using libvirt are vulnerable.  For "xen:" URIs, see xend/xm,
above.  For "libxl:" URIs, all versions are affected.

Systems based on the Xen Cloud Platform are NOT vulnerable.

CONFIRMING VULNERABILITY
========================

Connect to the guest's VNC (or SDL) graphical display and make sure
your focus is in that window.  Hold down CTRL and ALT and press 2.
You will see a black screen showing one of "serial0", "parallel0" or
"QEMU <version> monitor".  Repeat this exercise for other digits 3 to
6.  CTRL+ALT+1 is the domain's normal graphical console.  Not all
numbers will have screens attached, but note that you must release and
re-press CTRL and ALT each time.

If one of the accessible screens shows "QEMU <version> monitor" then
you are vulnerable.  Otherwise you are not.

MITIGATION
==========

With xl in Xen 4.1 and later, supplying the following config
option in the VM configuration file will disable the monitor:
   device_model_args=["-monitor","null"]

With xend the following config option will disable the monitor:
   monitor_path="null"
Note that with a vulnerable version of the software specifying
"monitor=0" will NOT disable the monitor.

We are not currently aware of the availability of mitigation for
systems using libvirt.

NOTE REGARDING EMBARGO
======================

This issue was publicly discussed online by its discoverer.
There is therefore no embargo.

NOTE REGARDING CVE
==================

This issue was previously reported in a different context, not to Xen
upstream, and assigned CVE-2007-0998 and fixed in a different way.  We
have requested a new CVE for XSA-19 but it is not yet available.

RESOLUTION
==========

The attached patch against qemu-xen-traditional
(qemu-xen-4.*-testing.git) resolves this issue.

$ sha256sum xsa19-qemu-all.patch
19fc5ff9334e7e7ad429388850dc6e52e7062c21a677082e7a89c2f2c91365fa  xsa19-qemu-all.patch
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

-----END PGP SIGNATURE-----

--=separator
Content-Type: application/octet-stream; name="xsa19-qemu-all.patch"
Content-Disposition: attachment; filename="xsa19-qemu-all.patch"
Content-Transfer-Encoding: base64
--=separator
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

_______________________________________________
Xen-announce mailing list
Xen-announce@lists.xen.org
http://lists.xen.org/xen-announce
--=separator--


From xen-announce-bounces@lists.xen.org Thu Sep 06 16:17:02 2012
Return-path: <xen-announce-bounces@lists.xen.org>
Envelope-to: archives@lists.xen.org
Delivery-date: Thu, 06 Sep 2012 16:17:02 +0000
Received: from localhost ([127.0.0.1] helo=lists.xen.org)
	by lists.xen.org with esmtp (Exim 4.72)
	(envelope-from <xen-announce-bounces@lists.xen.org>)
	id 1T9eiL-0004wX-Ob; Thu, 06 Sep 2012 16:13:57 +0000
Received: from mail6.bemta3.messagelabs.com ([195.245.230.39])
	by lists.xen.org with esmtp (Exim 4.72)
	(envelope-from <iwj@xenbits.xen.org>) id 1T9ei0-0004vi-B1
	for xen-announce@lists.xen.org; Thu, 06 Sep 2012 16:13:36 +0000
Received: from [85.158.138.51:23579] by server-3.bemta-3.messagelabs.com id
	D8/7D-21322-FABC8405; Thu, 06 Sep 2012 16:13:35 +0000
X-Env-Sender: iwj@xenbits.xen.org
X-Msg-Ref: server-2.tower-174.messagelabs.com!1346948013!29115213!1
X-Originating-IP: [50.57.168.107]
X-SpamReason: No, hits=0.5 required=7.0 tests=BODY_RANDOM_LONG
X-StarScan-Received: 
X-StarScan-Version: 6.6.1.3; banners=-,-,-
X-VirusChecked: Checked
Received: (qmail 443 invoked from network); 6 Sep 2012 16:13:34 -0000
Received: from mail.xen.org (HELO mail.xen.org) (50.57.168.107)
	by server-2.tower-174.messagelabs.com with AES256-SHA encrypted SMTP;
	6 Sep 2012 16:13:34 -0000
Received: from xenbits.xen.org ([50.57.170.242])
	by mail.xen.org with esmtp (Exim 4.72)
	(envelope-from <iwj@xenbits.xen.org>)
	id 1T9ehq-0006FF-9D; Thu, 06 Sep 2012 16:13:26 +0000
Received: from iwj by xenbits.xen.org with local (Exim 4.72)
	(envelope-from <iwj@xenbits.xen.org>)
	id 1T9ehq-0006nu-7Q; Thu, 06 Sep 2012 16:13:26 +0000
Date: Thu, 06 Sep 2012 16:13:26 +0000
Message-Id: <E1T9ehq-0006nu-7Q@xenbits.xen.org>
Content-Type: multipart/mixed; boundary="=separator"; charset="utf-8"
Content-Transfer-Encoding: binary
MIME-Version: 1.0
X-Mailer: MIME-tools 5.428 (Entity 5.428)
To: xen-announce@lists.xen.org, xen-devel@lists.xen.org,
	xen-users@lists.xen.org, oss-security@lists.openwall.com
From: Xen.org security team <security@xen.org>
X-Mailman-Approved-At: Thu, 06 Sep 2012 16:13:56 +0000
Cc: "Xen.org security team" <security@xen.org>
Subject: [Xen-announce] Xen Security Advisory 19 - guest administrator can
 access qemu monitor console
X-BeenThere: xen-announce@lists.xen.org
X-Mailman-Version: 2.1.13
Precedence: list
List-Id: "Xen announcements \(low volume\)" <xen-announce.lists.xen.org>
List-Unsubscribe: <http://lists.xen.org/cgi-bin/mailman/options/xen-announce>, 
	<mailto:xen-announce-request@lists.xen.org?subject=unsubscribe>
List-Post: <mailto:xen-announce@lists.xen.org>
List-Help: <mailto:xen-announce-request@lists.xen.org?subject=help>
List-Subscribe: <http://lists.xen.org/cgi-bin/mailman/listinfo/xen-announce>, 
	<mailto:xen-announce-request@lists.xen.org?subject=subscribe>
Sender: xen-announce-bounces@lists.xen.org
Errors-To: xen-announce-bounces@lists.xen.org


--=separator
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 7bit

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

                 Xen Security Advisory XSA-19

         guest administrator can access qemu monitor console


ISSUE DESCRIPTION
=================

A guest administrator who is granted access to the graphical console
of a Xen guest can access the qemu monitor.  The monitor can be used
to access host resources.

IMPACT
======

A malicious guest administrator can access host resources (perhaps
belonging to other guests or the underlying system) and may be able to
escalate their privilege to that of the host.

VULNERABLE SYSTEMS
==================

Installations where guest administrators do not have access to a
domain's graphical console, or containing only PV domains configured
without a graphical console, are not vulnerable.

Installations where all guest administrators are trustworthy are not
vulnerable, even if the guest operating systems themselves are
untrusted.

Systems using xend/xm: At least all versions since Xen 4.0 are
affected.  Systems are vulnerable even if "monitor=no" is specified in
the xm domain configuration file - this configuration option is not
properly honoured in the vulnerable versions.

Systems using libxl/xl: All versions are affected.  The "monitor="
option is not understood, and is therefore ignored, by xl.  However,
systems using the experimental device model version based on upstream
qemu are NOT vulnerable; that is, Xen 4.2 RC systems with
device_model_version="qemu_xen" specified in the xl domain config
file.

Systems using libvirt are vulnerable.  For "xen:" URIs, see xend/xm,
above.  For "libxl:" URIs, all versions are affected.

Systems based on the Xen Cloud Platform are NOT vulnerable.

CONFIRMING VULNERABILITY
========================

Connect to the guest's VNC (or SDL) graphical display and make sure
your focus is in that window.  Hold down CTRL and ALT and press 2.
You will see a black screen showing one of "serial0", "parallel0" or
"QEMU <version> monitor".  Repeat this exercise for other digits 3 to
6.  CTRL+ALT+1 is the domain's normal graphical console.  Not all
numbers will have screens attached, but note that you must release and
re-press CTRL and ALT each time.

If one of the accessible screens shows "QEMU <version> monitor" then
you are vulnerable.  Otherwise you are not.

MITIGATION
==========

With xl in Xen 4.1 and later, supplying the following config
option in the VM configuration file will disable the monitor:
   device_model_args=["-monitor","null"]

With xend the following config option will disable the monitor:
   monitor_path="null"
Note that with a vulnerable version of the software specifying
"monitor=0" will NOT disable the monitor.

We are not currently aware of the availability of mitigation for
systems using libvirt.

NOTE REGARDING EMBARGO
======================

This issue was publicly discussed online by its discoverer.
There is therefore no embargo.

NOTE REGARDING CVE
==================

This issue was previously reported in a different context, not to Xen
upstream, and assigned CVE-2007-0998 and fixed in a different way.  We
have requested a new CVE for XSA-19 but it is not yet available.

RESOLUTION
==========

The attached patch against qemu-xen-traditional
(qemu-xen-4.*-testing.git) resolves this issue.

$ sha256sum xsa19-qemu-all.patch
19fc5ff9334e7e7ad429388850dc6e52e7062c21a677082e7a89c2f2c91365fa  xsa19-qemu-all.patch
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

-----END PGP SIGNATURE-----

--=separator
Content-Type: application/octet-stream; name="xsa19-qemu-all.patch"
Content-Disposition: attachment; filename="xsa19-qemu-all.patch"
Content-Transfer-Encoding: base64
--=separator
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

_______________________________________________
Xen-announce mailing list
Xen-announce@lists.xen.org
http://lists.xen.org/xen-announce
--=separator--


From xen-announce-bounces@lists.xen.org Fri Sep 07 11:10:36 2012
Return-path: <xen-announce-bounces@lists.xen.org>
Envelope-to: archives@lists.xen.org
Delivery-date: Fri, 07 Sep 2012 11:10:36 +0000
Received: from localhost ([127.0.0.1] helo=lists.xen.org)
	by lists.xen.org with esmtp (Exim 4.72)
	(envelope-from <xen-announce-bounces@lists.xen.org>)
	id 1T9wPQ-0000SB-PX; Fri, 07 Sep 2012 11:07:36 +0000
Received: from mail6.bemta4.messagelabs.com ([85.158.143.247])
	by lists.xen.org with esmtp (Exim 4.72)
	(envelope-from <ianc@xenbits.xen.org>) id 1T9w03-0007wb-4P
	for xen-announce@lists.xen.org; Fri, 07 Sep 2012 10:41:23 +0000
Received: from [85.158.143.99:27931] by server-2.bemta-4.messagelabs.com id
	BF/E0-21239-15FC9405; Fri, 07 Sep 2012 10:41:21 +0000
X-Env-Sender: ianc@xenbits.xen.org
X-Msg-Ref: server-7.tower-216.messagelabs.com!1347014470!25727106!1
X-Originating-IP: [50.57.168.107]
X-SpamReason: No, hits=0.5 required=7.0 tests=BODY_RANDOM_LONG
X-StarScan-Received: 
X-StarScan-Version: 6.6.1.3; banners=-,-,-
X-VirusChecked: Checked
Received: (qmail 15372 invoked from network); 7 Sep 2012 10:41:12 -0000
Received: from mail.xen.org (HELO mail.xen.org) (50.57.168.107)
	by server-7.tower-216.messagelabs.com with AES256-SHA encrypted SMTP;
	7 Sep 2012 10:41:12 -0000
Received: from xenbits.xen.org ([50.57.170.242])
	by mail.xen.org with esmtp (Exim 4.72)
	(envelope-from <ianc@xenbits.xen.org>)
	id 1T9vzi-0003JO-5i; Fri, 07 Sep 2012 10:41:02 +0000
Received: from ianc by xenbits.xen.org with local (Exim 4.72)
	(envelope-from <ianc@xenbits.xen.org>)
	id 1T9vzh-0000k0-IX; Fri, 07 Sep 2012 10:41:01 +0000
Date: Fri, 07 Sep 2012 10:41:01 +0000
Message-Id: <E1T9vzh-0000k0-IX@xenbits.xen.org>
Content-Type: multipart/mixed; boundary="=separator"; charset="utf-8"
Content-Transfer-Encoding: binary
MIME-Version: 1.0
X-Mailer: MIME-tools 5.428 (Entity 5.428)
To: xen-announce@lists.xen.org, xen-devel@lists.xen.org,
	xen-users@lists.xen.org, oss-security@lists.openwall.com
From: Xen.org security team <security@xen.org>
X-Mailman-Approved-At: Fri, 07 Sep 2012 11:07:36 +0000
Cc: "Xen.org security team" <security@xen.org>
Subject: [Xen-announce] Xen Security Advisory 19 (CVE-2012-4411) - guest
 administrator can access qemu monitor console
X-BeenThere: xen-announce@lists.xen.org
X-Mailman-Version: 2.1.13
Precedence: list
List-Id: "Xen announcements \(low volume\)" <xen-announce.lists.xen.org>
List-Unsubscribe: <http://lists.xen.org/cgi-bin/mailman/options/xen-announce>, 
	<mailto:xen-announce-request@lists.xen.org?subject=unsubscribe>
List-Post: <mailto:xen-announce@lists.xen.org>
List-Help: <mailto:xen-announce-request@lists.xen.org?subject=help>
List-Subscribe: <http://lists.xen.org/cgi-bin/mailman/listinfo/xen-announce>, 
	<mailto:xen-announce-request@lists.xen.org?subject=subscribe>
Sender: xen-announce-bounces@lists.xen.org
Errors-To: xen-announce-bounces@lists.xen.org


--=separator
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 7bit

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

                 Xen Security Advisory CVE-2012-4411 / XSA-19
			      version 2

         guest administrator can access qemu monitor console

UPDATES IN VERSION 2
====================

We have now been issued with a CVE number.

ISSUE DESCRIPTION
=================

A guest administrator who is granted access to the graphical console
of a Xen guest can access the qemu monitor.  The monitor can be used
to access host resources.

IMPACT
======

A malicious guest administrator can access host resources (perhaps
belonging to other guests or the underlying system) and may be able to
escalate their privilege to that of the host.

VULNERABLE SYSTEMS
==================

Installations where guest administrators do not have access to a
domain's graphical console, or containing only PV domains configured
without a graphical console, are not vulnerable.

Installations where all guest administrators are trustworthy are not
vulnerable, even if the guest operating systems themselves are
untrusted.

Systems using xend/xm: At least all versions since Xen 4.0 are
affected.  Systems are vulnerable even if "monitor=no" is specified in
the xm domain configuration file - this configuration option is not
properly honoured in the vulnerable versions.

Systems using libxl/xl: All versions are affected.  The "monitor="
option is not understood, and is therefore ignored, by xl.  However,
systems using the experimental device model version based on upstream
qemu are NOT vulnerable; that is, Xen 4.2 RC systems with
device_model_version="qemu_xen" specified in the xl domain config
file.

Systems using libvirt are vulnerable.  For "xen:" URIs, see xend/xm,
above.  For "libxl:" URIs, all versions are affected.

Systems based on the Xen Cloud Platform are NOT vulnerable.

CONFIRMING VULNERABILITY
========================

Connect to the guest's VNC (or SDL) graphical display and make sure
your focus is in that window.  Hold down CTRL and ALT and press 2.
You will see a black screen showing one of "serial0", "parallel0" or
"QEMU <version> monitor".  Repeat this exercise for other digits 3 to
6.  CTRL+ALT+1 is the domain's normal graphical console.  Not all
numbers will have screens attached, but note that you must release and
re-press CTRL and ALT each time.

If one of the accessible screens shows "QEMU <version> monitor" then
you are vulnerable.  Otherwise you are not.

MITIGATION
==========

With xl in Xen 4.1 and later, supplying the following config
option in the VM configuration file will disable the monitor:
   device_model_args=["-monitor","null"]

With xend the following config option will disable the monitor:
   monitor_path="null"
Note that with a vulnerable version of the software specifying
"monitor=0" will NOT disable the monitor.

We are not currently aware of the availability of mitigation for
systems using libvirt.

NOTE REGARDING EMBARGO
======================

This issue was publicly discussed online by its discoverer.
There is therefore no embargo.

RESOLUTION
==========

The attached patch against qemu-xen-traditional
(qemu-xen-4.*-testing.git) resolves this issue.

$ sha256sum xsa19-qemu-all.patch
19fc5ff9334e7e7ad429388850dc6e52e7062c21a677082e7a89c2f2c91365fa  xsa19-qemu-all.patch
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

-----END PGP SIGNATURE-----

--=separator
Content-Type: application/octet-stream; name="xsa19-qemu-all.patch"
Content-Disposition: attachment; filename="xsa19-qemu-all.patch"
Content-Transfer-Encoding: base64
--=separator
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

_______________________________________________
Xen-announce mailing list
Xen-announce@lists.xen.org
http://lists.xen.org/xen-announce
--=separator--
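
The MITIGATION and VULNERABLE SYSTEMS rules of XSA-19 above, applied as a
config audit.  This is an added example, not code from the Xen.org security
team or the Xen tree; the function names and sample configs are constructed.
It assumes domain config files hold only simple key = literal assignments (it
does not execute Python embedded in xm configs) and it does not check whether
a graphical console is actually exposed to the guest administrator.

```python
"""Audit xl/xend domain configs for the XSA-19 monitor mitigation (added example)."""
import ast
import re

ASSIGN = re.compile(r"^([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.+)$")


def strip_comment(line):
    """Drop a trailing # comment, ignoring # inside quoted strings."""
    quote = None
    for i, ch in enumerate(line):
        if quote:
            if ch == quote:
                quote = None
        elif ch in "\"'":
            quote = ch
        elif ch == "#":
            return line[:i]
    return line


def parse_domain_config(text):
    """Return {key: value} for `key = literal` lines; lists may span lines."""
    settings, pending = {}, ""
    for raw in text.splitlines():
        pending = (pending + " " + strip_comment(raw)).strip()
        if not pending or pending.count("[") > pending.count("]"):
            continue  # nothing collected yet, or a list is still open
        match = ASSIGN.match(pending)
        pending = ""
        if not match:
            continue
        key, value = match.groups()
        try:
            settings[key] = ast.literal_eval(value)
        except (ValueError, SyntaxError):
            settings[key] = value  # bare words such as `no` stay as text
    return settings


def has_monitor_null(args):
    """True if "-monitor" is present and every occurrence is followed by "null".

    Requiring *every* occurrence is a conservative choice made for this
    example; the advisory only gives the single-option form.
    """
    if not isinstance(args, (list, tuple)):
        return False
    targets = [args[i + 1] if i + 1 < len(args) else None
               for i, arg in enumerate(args) if arg == "-monitor"]
    return bool(targets) and all(t == "null" for t in targets)


def assess(text, toolstack):
    """Classify one domain config as (status, notes) for 'xl' or 'xend'."""
    if toolstack not in ("xl", "xend"):
        raise ValueError("toolstack must be 'xl' or 'xend'")
    cfg = parse_domain_config(text)
    notes = []
    if "monitor" in cfg:
        # Advisory: ignored by xl, not properly honoured by vulnerable xend.
        notes.append("monitor=%r does NOT disable the monitor" % (cfg["monitor"],))
    if toolstack == "xl":
        if cfg.get("device_model_version") == "qemu_xen":
            return "not-affected", notes      # upstream-qemu device model
        if has_monitor_null(cfg.get("device_model_args")):
            return "mitigated", notes
    elif cfg.get("monitor_path") == "null":
        return "mitigated", notes
    return "unmitigated", notes


# Constructed sample configs (not taken from any real deployment).
XL_UNMITIGATED = 'name = "guest1"\nbuilder = "hvm"\nvnc = 1\nmonitor = 0  # ignored by xl\n'
XL_MITIGATED = 'name = "guest2"\nvnc = 1\ndevice_model_args = [\n    "-monitor", "null",\n]\n'
XL_UPSTREAM = 'name = "guest3"\ndevice_model_version = "qemu_xen"\n'
XEND_MITIGATED = 'name = "guest4"\nmonitor_path = "null"\n'
XEND_FALSE_COMFORT = 'name = "guest5"\nmonitor = no\n'

if __name__ == "__main__":
    samples = [("xl", XL_UNMITIGATED), ("xl", XL_MITIGATED), ("xl", XL_UPSTREAM),
               ("xend", XEND_MITIGATED), ("xend", XEND_FALSE_COMFORT)]
    for toolstack, text in samples:
        status, notes = assess(text, toolstack)
        name = parse_domain_config(text).get("name")
        print("%-5s %-7s %-12s %s" % (toolstack, name, status, "; ".join(notes)))
```

A config reported as "unmitigated" still needs the CONFIRMING VULNERABILITY
check above before concluding that the monitor is reachable.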


From xen-announce-bounces@lists.xen.org Mon Sep 17 11:35:40 2012
Return-path: <xen-announce-bounces@lists.xen.org>
Envelope-to: archives@lists.xen.org
Delivery-date: Mon, 17 Sep 2012 11:35:40 +0000
Received: from localhost ([127.0.0.1] helo=lists.xen.org)
	by lists.xen.org with esmtp (Exim 4.72)
	(envelope-from <xen-announce-bounces@lists.xen.org>)
	id 1TDZZX-000580-KQ; Mon, 17 Sep 2012 11:33:03 +0000
Received: from mail6.bemta4.messagelabs.com ([85.158.143.247])
	by lists.xen.org with esmtp (Exim 4.72)
	(envelope-from <lars.kurth.xen@gmail.com>) id 1TDZYh-00054o-68
	for xen-announce@lists.xen.org; Mon, 17 Sep 2012 11:32:11 +0000
Received: from [85.158.143.35:23491] by server-3.bemta-4.messagelabs.com id
	77/0D-08232-A3A07505; Mon, 17 Sep 2012 11:32:10 +0000
X-Env-Sender: lars.kurth.xen@gmail.com
X-Msg-Ref: server-10.tower-21.messagelabs.com!1347881511!10495837!1
X-Originating-IP: [209.85.214.45]
X-SpamReason: No, hits=0.9 required=7.0 tests=BODY_RANDOM_LONG,
	HTML_30_40, HTML_MESSAGE, ML_RADAR_SPEW_LINKS_16, RCVD_BY_IP,
	spamassassin: 
X-StarScan-Received: 
X-StarScan-Version: 6.6.1.3; banners=-,-,-
X-VirusChecked: Checked
Received: (qmail 22698 invoked from network); 17 Sep 2012 11:31:53 -0000
Received: from mail-bk0-f45.google.com (HELO mail-bk0-f45.google.com)
	(209.85.214.45)
	by server-10.tower-21.messagelabs.com with RC4-SHA encrypted SMTP;
	17 Sep 2012 11:31:53 -0000
Received: by bkcji1 with SMTP id ji1so2152604bkc.32
	for <multiple recipients>; Mon, 17 Sep 2012 04:31:51 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113;
	h=sender:message-id:date:from:reply-to:user-agent:mime-version:to
	:subject:content-type;
	bh=O9f1qgevS4UMn+byKYSSZLXZAdF/aJIKWb5QlG2QyrU=;
	b=A2hyECCMOXB2mvalKzBIBl3QQM8FBp4t4drCSaJ9rPEbi/gEzbmFhI0HsZB7bCWL08
	VCxwm9kSNU1V/cugqwbe+IZH/7oQCKPm+TPRjmMiSsVMUSYak+grmS6gNev5rL60ctwK
	jQo42C1vJ2K/PWr2Mw4y6JW9qay5T/1nJjbiN+Miqx7pvFgfPLd0YRFyyh5QasI0f6o8
	f0AZfliV6bLpYk20Uo9XF2LX0KbWVm1Ow0LSJyquL6dw4voxXnagkVRdV6If6pBXV8nC
	HTB9LaGxKxOJDwVjzSM0vJvX3t1oGhP/APKud7Fb/cUawOkeiAjNhI7f5u+009xRp6xz
	l6ig==
Received: by 10.205.120.16 with SMTP id fw16mr4054797bkc.102.1347881510902;
	Mon, 17 Sep 2012 04:31:50 -0700 (PDT)
Received: from [172.16.26.11] (b0fb5b35.bb.sky.com. [176.251.91.53])
	by mx.google.com with ESMTPS id n5sm5166099bkv.14.2012.09.17.04.31.49
	(version=SSLv3 cipher=OTHER); Mon, 17 Sep 2012 04:31:50 -0700 (PDT)
Message-ID: <50570A24.2000905@xen.org>
Date: Mon, 17 Sep 2012 12:31:48 +0100
From: Lars Kurth <lars.kurth@xen.org>
User-Agent: Mozilla/5.0 (Windows NT 6.1;
	rv:15.0) Gecko/20120907 Thunderbird/15.0.1
MIME-Version: 1.0
To: xen-users@lists.xen.org, xen-announce@lists.xen.org
X-Mailman-Approved-At: Mon, 17 Sep 2012 11:33:01 +0000
Subject: [Xen-announce] Xen 4.2.0 Released!
X-BeenThere: xen-announce@lists.xen.org
X-Mailman-Version: 2.1.13
Precedence: list
Reply-To: lars.kurth@xen.org
List-Id: "Xen announcements \(low volume\)" <xen-announce.lists.xen.org>
List-Unsubscribe: <http://lists.xen.org/cgi-bin/mailman/options/xen-announce>, 
	<mailto:xen-announce-request@lists.xen.org?subject=unsubscribe>
List-Post: <mailto:xen-announce@lists.xen.org>
List-Help: <mailto:xen-announce-request@lists.xen.org?subject=help>
List-Subscribe: <http://lists.xen.org/cgi-bin/mailman/listinfo/xen-announce>, 
	<mailto:xen-announce-request@lists.xen.org?subject=subscribe>
Content-Type: multipart/mixed; boundary="===============5375204161027231707=="
Sender: xen-announce-bounces@lists.xen.org
Errors-To: xen-announce-bounces@lists.xen.org

This is a multi-part message in MIME format.
--===============5375204161027231707==
Content-Type: multipart/alternative;
 boundary="------------010702040202080003090402"

This is a multi-part message in MIME format.
--------------010702040202080003090402
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 8bit

Dear Community Members,

Xen.org is pleased to announce the release of Xen 4.2.0. The release is 
available from the download page:

  * *Xen Hypervisor 4.2.0*: Download
    <http://xen.org/download/index_4.2.0.html> (archives
    <http://xen.org/products/xen_archives.html>), Source
    <http://xenbits.xen.org/hg/xen-4.2-testing.hg> (tag RELEASE-4.2.0)

This release is the culmination of 18 months and almost 2900 commits and 
almost 300K lines of code of development effort, by 124 individuals from 
43 organizations.


    New Features

The release incorporates many new features and improvements to existing 
features. There are improvements across the board including to Security, 
Scalability, Performance and Documentation.

*XL is now the default toolstack*: Significant effort has gone into the 
XL toolstack in this release and it is now feature complete and 
robust enough that we have made it the default. This toolstack can now 
replace xend in the majority of deployments, see XL vs Xend Feature 
Comparison <http://wiki.xen.org/wiki/XL_vs_Xend_Feature_Comparison>. As 
well as improving XL the underlying libxl library has been significantly 
improved and supports the majority of the most common toolstack 
features. In addition the API has been declared stable which should make 
it even easier for external toolstacks such as libvirt and XCP's 
<http://www.xen.org/products/cloudxen.html> xapi to make full use of 
this functionality in the future.

*Large Systems*: Following on from the improvements made in 4.1 Xen now 
supports even larger systems, with up to 4095 host CPUs and up to 512 
guest CPUs. In addition toolstack features like the ability to 
automatically create a CPUPOOL per NUMA node and more intelligent 
placement of guest VCPUs on NUMA nodes have further improved the Xen 
experience on large systems. Other new features, such as multiple PCI 
segment support have also made a positive impact on such systems.

*Improved security*: The XSM/Flask subsystem has seen several 
enhancements, including improved support for disaggregated systems and a 
rewritten example policy which is clearer and simpler to modify to suit 
local requirements.

*Documentation*: The Xen documentation has been much improved, both the 
in-tree documentation <http://xenbits.xen.org/docs/4.2-testing/> and the 
wiki. 
This is in no small part down to the success of the Xen Document Days 
<http://wiki.xen.org/wiki/Xen_Document_Days> so thanks to all who have 
taken part.

You can find more information in the release notes and feature list 
<http://wiki.xen.org/wiki/Xen_4.2_Feature_List> on the wiki.


    Upstreaming

The Xen project continues to work closely with our upstreams.

Of particular note in this release cycle is the upstreaming of the HVM 
device model support into upstream qemu <http://qemu.org>. After the 
Linux dom0 support (merged upstream in 3.0 in the 4.1 release cycle) the 
qemu-derived device model was the largest remaining piece of code which 
required upstreaming. Support for Xen was merged into upstream prior to 
the qemu 0.15 release and is supported as an option using the XL 
toolstack. It will become the default in 4.3. Alongside this support we 
have also gained support for SeaBIOS (a cleaner and more maintainable 
legacy BIOS, used by default when upstream qemu is selected) and 
Tianocore/OVMF (a UEFI BIOS). Support for Xen has been merged into the 
upstreams of both of these projects during the Xen 4.2 development cycle.


    More Information

Links to useful wiki pages and other resources can be found on the Xen 
support page <http://www.xen.org/products/xen_support.html>.


    Thanks

Contributions were made to this release by 124 individuals from 43 
organizations, and that's not counting contributions to external 
projects such as the BSDs, Linux or qemu. Many thanks to everyone who 
contributed to this release, either through code, testing, documentation 
or in any other way.

The diagram below shows organisations which contributed more than 1% in 
lines of code to the Xen 4.2 release. Several items in the diagram 
describe groups of people or organisations: /Individual/ covers 
contributions by individuals whose affiliation is unknown, /Misc/ covers 
contributions by commercial organisations which did not go above 1% 
individually and /University/ covers contributions by Universities which 
did not go above 1% individually.

Xen 4.2 Contribution Stats 
<http://blog.xen.org/wp-content/uploads/2012/09/Contribution-stats2.png>

I did also want to list the top 20 contributors to Xen 4.2 (in terms of 
commits and lines of code). These are:

  * Jan Beulich (338 commits/40357 LOC)
  * Roger Pau Monne (87/36932)
  * Ian Campbell (504/32009)
  * Stefano Stabellini (124/29130)
  * Ian Jackson (174/27900)
  * Daniel De Graaf (79/11103)
  * David Vrabel (45/11075)
  * Tim Deegan (143/8790)
  * Christoph Egger (67/8590)
  * Matt Wilson (9/8508)
  * Andrés Lagar-Cavilla (115/8050)
  * Keir Fraser (143/5593)
  * Wei Wang (34/5577)
  * Anthony Perard (45/5289)
  * Olaf Hering (154/4296)
  * Qing He (20/4179)
  * George Dunlap (75/4088)
  * Dario Faggioli (30/3742)
  * Shriram Rajagopalan (21/3481)
  * Jonathan Davies (3/3230)

For a complete breakdown see the Acknowledgement page 
<http://wiki.xen.org/wiki/Xen_4.2_Acknowledgments>. A big thank you again!

Best Regards
Lars


--------------010702040202080003090402
Content-Type: multipart/related;
 boundary="------------040701070906020708020505"


--------------040701070906020708020505
Content-Type: text/html; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit

<html>
  <head>

    <meta http-equiv="content-type" content="text/html; charset=ISO-8859-1">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    <p>Dear Community Members,</p>
    <p>Xen.org is pleased to announce the release of Xen 4.2.0. The
      release is available from the download page:</p>
    <ul>
      <li><strong>Xen Hypervisor 4.2.0</strong>: <a
          href="http://xen.org/download/index_4.2.0.html">Download</a> (<a
          href="http://xen.org/products/xen_archives.html">archives</a>),
        <a href="http://xenbits.xen.org/hg/xen-4.2-testing.hg">Source</a>
        (tag RELEASE-4.2.0)</li>
    </ul>
    <p>This release is the culmination of 18 months and almost 2900
      commits and almost 300K lines of code of development effort, by
      124 individuals from 43 organizations.<br>
    </p>
    <h2>New Features</h2>
    <p>The release incorporates many new features and improvements to
      existing features. There are improvements across the board
      including to Security, Scalability, Performance and Documentation.</p>
    <p><strong>XL is now the default toolstack</strong>: Significant
      effort has gone in to the XL toolstack in this release and it
      is now feature complete and robust enough that we have made it the
      default. This toolstack can now replace xend in the majority of
      deployments, see <a
        href="http://wiki.xen.org/wiki/XL_vs_Xend_Feature_Comparison">XL
        vs Xend Feature Comparison</a>. As well as improving XL the
      underlying libxl library has been significantly improved and
      supports the majority of the most common toolstack features. In
      addition the API has been declared stable which should make it
      even easier for external toolstacks such as <a
        href="http://libvirt.org/">libvirt</a> and <a
        href="http://www.xen.org/products/cloudxen.html">XCP&#8217;s</a> xapi
      to make full use of this functionality in the future.</p>
    <p><strong>Large Systems</strong>: Following on from the
      improvements made in 4.1 Xen now supports even larger systems,
      with up to 4095 host CPUs and up to 512 guest CPUs. In addition
      toolstack features like the ability to automatically create a
      CPUPOOL per NUMA node and more intelligent placement of guest
      VCPUs on NUMA nodes have further improved the Xen experience on
      large systems. Other new features, such as multiple PCI segment
      support have also made a positive impact on such systems.</p>
    <p><strong>Improved security</strong>: The XSM/Flask subsystem has
      seen several enhancements, including improved support for
      disaggregated systems and a rewritten example policy which is
      clearer and simpler to modify to suit local requirements.</p>
    <p><strong>Documentation</strong>: The Xen documentation has been
      much improved, both the <a
        href="http://xenbits.xen.org/docs/4.2-testing/">in-tree
        documentation</a> and the <a
        href="http://wiki.xen.org/wiki">wiki</a>. This is in no small
      part down to the success of the <a
        href="http://wiki.xen.org/wiki/Xen_Document_Days">Xen Document
        Days</a> so thanks to all who have taken part.</p>
    <p>You can find more information in the <a
        href="http://wiki.xen.org/wiki/Xen_4.2_Release_Notes">release
        notes</a> and <a
        href="http://wiki.xen.org/wiki/Xen_4.2_Feature_List">feature
        list</a> on the wiki.</p>
    <h2>Upstreaming</h2>
    <p>The Xen project continues to work closely with our upstreams.</p>
    <p>Of particular note in this release cycle is the upstreaming of
      the HVM device model support into upstream <a
        href="http://qemu.org">qemu</a>. After the Linux dom0 support
      (merged upstream in 3.0 in the 4.1 release cycle) the qemu-derived
      device model was the largest remaining piece of code which
      required upstreaming. Support for Xen was merged into upstream
      prior to the qemu 0.15 release and is supported as an option using
      the XL toolstack. It will become the default in 4.3. Alongside
      this support we have also gained support for SeaBIOS (a cleaner
      and more maintainable legacy BIOS, used by default when upstream
      qemu is selected) and Tianocore/OVMF (a UEFI BIOS). Support for
      Xen has been merged into the upstreams of both of these projects
      during the Xen 4.2 development cycle.</p>
    <h2>More Information</h2>
    <p>Links to useful wiki pages and other resources can be found on
      the <a href="http://www.xen.org/products/xen_support.html">Xen
        support page</a>.</p>
    <h2>Thanks</h2>
    <p>Contributions were made to this release by 124 individuals from
      43 organizations, and that&#8217;s not counting contributions to
      external projects such as the BSDs, Linux or qemu. Many thanks to
      everyone who contributed to this release, either through code,
      testing, documentation or in any other way. </p>
    <p>The diagram below shows organisations which contributed more than
      1% in lines of code to the Xen 4.2 release. Several items in the
      diagram describe groups of people or organisations: <em>Individual</em>
      covers contributions by individuals whose affiliation is unknown,
      <em>Misc</em> covers contributions by commercial organisations
      which did not go above 1% individually and <em>University</em>
      covers contributions by Universities which did not go above 1%
      individually.</p>
    <p><a
href="http://blog.xen.org/wp-content/uploads/2012/09/Contribution-stats2.png"><img
          src="cid:part13.05080404.02010305@xen.org" alt="Xen 4.2
          Contribution Stats" title="Xen 4.2 Contribution Stats"
          class="aligncenter size-full wp-image-5395" border="0"
          height="453" width="549"></a></p>
    <p>I did also want to list the top 20 contributors to Xen 4.2 (in
      terms of commits and lines of code). These are: <br>
    </p>
    <ul>
      <li>Jan Beulich (338 commits/40357 LOC)</li>
      <li>Roger Pau Monne (87/36932)</li>
      <li>Ian Campbell (504/32009)</li>
      <li>Stefano Stabellini (124/29130)</li>
      <li>Ian Jackson (174/27900)</li>
      <li>Daniel De Graaf (79/11103)</li>
      <li>David Vrabel (45/11075)</li>
      <li>Tim Deegan (143/8790)</li>
      <li>Christoph Egger (67/8590)</li>
      <li>Matt Wilson (9/8508)</li>
      <li>Andr&eacute;s Lagar-Cavilla (115/8050)</li>
      <li>Keir Fraser (143/5593)</li>
      <li>Wei Wang (34/5577)</li>
      <li>Anthony Perard (45/5289)</li>
      <li>Olaf Hering (154/4296)</li>
      <li>Qing He (20/4179)</li>
      <li>George Dunlap (75/4088)</li>
      <li>Dario Faggioli (30/3742)</li>
      <li>Shriram Rajagopalan (21/3481)</li>
      <li>Jonathan Davies (3/3230)</li>
    </ul>
    <p>For a complete breakdown see the <a
        href="http://wiki.xen.org/wiki/Xen_4.2_Acknowledgments">Acknowledgement
        page</a>. A big thank you again!<br>
    </p>
    <p>Best Regards<br>
      Lars<br>
    </p>
  </body>
</html>

--------------040701070906020708020505
Content-Type: image/png;
 name="Contribution-stats2.png"
Content-Transfer-Encoding: base64
Content-ID: <part13.05080404.02010305@xen.org>
Content-Disposition: inline;
 filename="Contribution-stats2.png"
--------------040701070906020708020505--

--------------010702040202080003090402--


--===============5375204161027231707==
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

_______________________________________________
Xen-announce mailing list
Xen-announce@lists.xen.org
http://lists.xen.org/xen-announce
--===============5375204161027231707==--


From xen-announce-bounces@lists.xen.org Mon Sep 17 11:35:40 2012
Return-path: <xen-announce-bounces@lists.xen.org>
Envelope-to: archives@lists.xen.org
Delivery-date: Mon, 17 Sep 2012 11:35:40 +0000
Received: from localhost ([127.0.0.1] helo=lists.xen.org)
	by lists.xen.org with esmtp (Exim 4.72)
	(envelope-from <xen-announce-bounces@lists.xen.org>)
	id 1TDZZX-000580-KQ; Mon, 17 Sep 2012 11:33:03 +0000
Received: from mail6.bemta4.messagelabs.com ([85.158.143.247])
	by lists.xen.org with esmtp (Exim 4.72)
	(envelope-from <lars.kurth.xen@gmail.com>) id 1TDZYh-00054o-68
	for xen-announce@lists.xen.org; Mon, 17 Sep 2012 11:32:11 +0000
Received: from [85.158.143.35:23491] by server-3.bemta-4.messagelabs.com id
	77/0D-08232-A3A07505; Mon, 17 Sep 2012 11:32:10 +0000
X-Env-Sender: lars.kurth.xen@gmail.com
X-Msg-Ref: server-10.tower-21.messagelabs.com!1347881511!10495837!1
X-Originating-IP: [209.85.214.45]
X-SpamReason: No, hits=0.9 required=7.0 tests=BODY_RANDOM_LONG,
	HTML_30_40, HTML_MESSAGE, ML_RADAR_SPEW_LINKS_16, RCVD_BY_IP,
	spamassassin: 
X-StarScan-Received: 
X-StarScan-Version: 6.6.1.3; banners=-,-,-
X-VirusChecked: Checked
Received: (qmail 22698 invoked from network); 17 Sep 2012 11:31:53 -0000
Received: from mail-bk0-f45.google.com (HELO mail-bk0-f45.google.com)
	(209.85.214.45)
	by server-10.tower-21.messagelabs.com with RC4-SHA encrypted SMTP;
	17 Sep 2012 11:31:53 -0000
Received: by bkcji1 with SMTP id ji1so2152604bkc.32
	for <multiple recipients>; Mon, 17 Sep 2012 04:31:51 -0700 (PDT)
Received: by 10.205.120.16 with SMTP id fw16mr4054797bkc.102.1347881510902;
	Mon, 17 Sep 2012 04:31:50 -0700 (PDT)
Received: from [172.16.26.11] (b0fb5b35.bb.sky.com. [176.251.91.53])
	by mx.google.com with ESMTPS id n5sm5166099bkv.14.2012.09.17.04.31.49
	(version=SSLv3 cipher=OTHER); Mon, 17 Sep 2012 04:31:50 -0700 (PDT)
Message-ID: <50570A24.2000905@xen.org>
Date: Mon, 17 Sep 2012 12:31:48 +0100
From: Lars Kurth <lars.kurth@xen.org>
User-Agent: Mozilla/5.0 (Windows NT 6.1;
	rv:15.0) Gecko/20120907 Thunderbird/15.0.1
MIME-Version: 1.0
To: xen-users@lists.xen.org, xen-announce@lists.xen.org
X-Mailman-Approved-At: Mon, 17 Sep 2012 11:33:01 +0000
Subject: [Xen-announce] Xen 4.2.0 Released!
X-BeenThere: xen-announce@lists.xen.org
X-Mailman-Version: 2.1.13
Precedence: list
Reply-To: lars.kurth@xen.org
List-Id: "Xen announcements \(low volume\)" <xen-announce.lists.xen.org>
List-Unsubscribe: <http://lists.xen.org/cgi-bin/mailman/options/xen-announce>, 
	<mailto:xen-announce-request@lists.xen.org?subject=unsubscribe>
List-Post: <mailto:xen-announce@lists.xen.org>
List-Help: <mailto:xen-announce-request@lists.xen.org?subject=help>
List-Subscribe: <http://lists.xen.org/cgi-bin/mailman/listinfo/xen-announce>, 
	<mailto:xen-announce-request@lists.xen.org?subject=subscribe>
Content-Type: multipart/mixed; boundary="===============5375204161027231707=="
Sender: xen-announce-bounces@lists.xen.org
Errors-To: xen-announce-bounces@lists.xen.org

This is a multi-part message in MIME format.
--===============5375204161027231707==
Content-Type: multipart/alternative;
 boundary="------------010702040202080003090402"

This is a multi-part message in MIME format.
--------------010702040202080003090402
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 8bit

Dear Community Members,

Xen.org is pleased to announce the release of Xen 4.2.0. The release is 
available from the download page:

  * *Xen Hypervisor 4.2.0*: Download
    <http://xen.org/download/index_4.2.0.html> (archives
    <http://xen.org/products/xen_archives.html>), Source
    <http://xenbits.xen.org/hg/xen-4.2-testing.hg> (tag RELEASE-4.2.0)

This release is the culmination of 18 months and almost 2900 commits and 
almost 300K lines of code of development effort, by 124 individuals from 
43 organizations.


    New Features

The release incorporates many new features and improvements to existing 
features. There are improvements across the board including to Security, 
Scalability, Performance and Documentation.

*XL is now the default toolstack*: Significant effort has gone in to the 
XL toolstack in this release and it is now feature complete and 
robust enough that we have made it the default. This toolstack can now 
replace xend in the majority of deployments, see XL vs Xend Feature 
Comparison <http://wiki.xen.org/wiki/XL_vs_Xend_Feature_Comparison>. As 
well as improving XL the underlying libxl library has been significantly 
improved and supports the majority of the most common toolstack 
features. In addition the API has been declared stable which should make 
it even easier for external toolstacks such as libvirt and XCP's 
<http://www.xen.org/products/cloudxen.html> xapi to make full use of 
this functionality in the future.

*Large Systems*: Following on from the improvements made in 4.1 Xen now 
supports even larger systems, with up to 4095 host CPUs and up to 512 
guest CPUs. In addition toolstack features like the ability to 
automatically create a CPUPOOL per NUMA node and more intelligent 
placement of guest VCPUs on NUMA nodes have further improved the Xen 
experience on large systems. Other new features, such as multiple PCI 
segment support have also made a positive impact on such systems.

*Improved security*: The XSM/Flask subsystem has seen several 
enhancements, including improved support for disaggregated systems and a 
rewritten example policy which is clearer and simpler to modify to suit 
local requirements.

*Documentation*: The Xen documentation has been much improved, both the 
in-tree documentation <http://xenbits.xen.org/docs/4.2-testing/> and the 
wiki <http://wiki.xen.org/wiki>. 
This is in no small part down to the success of the Xen Document Days 
<http://wiki.xen.org/wiki/Xen_Document_Days> so thanks to all who have 
taken part.

You can find more information in the release notes and feature list 
<http://wiki.xen.org/wiki/Xen_4.2_Feature_List> on the wiki.


    Upstreaming

The Xen project continues to work closely with our upstreams.

Of particular note in this release cycle is the upstreaming of the HVM 
device model support into upstream qemu <http://qemu.org>. After the 
Linux dom0 support (merged upstream in 3.0 in the 4.1 release cycle) the 
qemu-derived device model was the largest remaining piece of code which 
required upstreaming. Support for Xen was merged into upstream prior to 
the qemu 0.15 release and is supported as an option using the XL 
toolstack. It will become the default in 4.3. Alongside this support we 
have also gained support for SeaBIOS (a cleaner and more maintainable 
legacy BIOS, used by default when upstream qemu is selected) and 
Tianocore/OVMF (a UEFI BIOS). Support for Xen has been merged into the 
upstreams of both of these projects during the Xen 4.2 development cycle.


    More Information

Links to useful wiki pages and other resources can be found on the Xen 
support page <http://www.xen.org/products/xen_support.html>.


    Thanks

Contributions were made to this release by 124 individuals from 43 
organizations, and that's not counting contributions to external 
projects such as the BSDs, Linux or qemu. Many thanks to everyone who 
contributed to this release, either through code, testing, documentation 
or in any other way.

The diagram below shows organisations which contributed more than 1% in 
lines of code to the Xen 4.2 release. Several items in the diagram 
describe groups of people or organisations: /Individual/ covers 
contributions by individuals whose affiliation is unknown, /Misc/ covers 
contributions by commercial organisations which did not go above 1% 
individually and /University/ covers contributions by Universities which 
did not go above 1% individually.

Xen 4.2 Contribution Stats 
<http://blog.xen.org/wp-content/uploads/2012/09/Contribution-stats2.png>

I did also want to list the top 20 contributors to Xen 4.2 (in terms of 
commits and lines of code). These are:

  * Jan Beulich (338 commits/40357 LOC)
  * Roger Pau Monne (87/36932)
  * Ian Campbell (504/32009)
  * Stefano Stabellini (124/29130)
  * Ian Jackson (174/27900)
  * Daniel De Graaf (79/11103)
  * David Vrabel (45/11075)
  * Tim Deegan (143/8790)
  * Christoph Egger (67/8590)
  * Matt Wilson (9/8508)
  * Andrés Lagar-Cavilla (115/8050)
  * Keir Fraser (143/5593)
  * Wei Wang (34/5577)
  * Anthony Perard (45/5289)
  * Olaf Hering (154/4296)
  * Qing He (20/4179)
  * George Dunlap (75/4088)
  * Dario Faggioli (30/3742)
  * Shriram Rajagopalan (21/3481)
  * Jonathan Davies (3/3230)

For a complete breakdown see the Acknowledgement page 
<http://wiki.xen.org/wiki/Xen_4.2_Acknowledgments>. A big thank you again!

Best Regards
Lars


--------------010702040202080003090402
Content-Type: multipart/related;
 boundary="------------040701070906020708020505"


--------------040701070906020708020505
Content-Type: text/html; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit

<html>
  <head>

    <meta http-equiv="content-type" content="text/html; charset=ISO-8859-1">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    <p>Dear Community Members,</p>
    <p>Xen.org is pleased to announce the release of Xen 4.2.0. The
      release is available from the download page:</p>
    <ul>
      <li><strong>Xen Hypervisor 4.2.0</strong>: <a
          href="http://xen.org/download/index_4.2.0.html">Download</a> (<a
          href="http://xen.org/products/xen_archives.html">archives</a>),
        <a href="http://xenbits.xen.org/hg/xen-4.2-testing.hg">Source</a>
        (tag RELEASE-4.2.0)</li>
    </ul>
    <p>This release is the culmination of 18 months and almost 2900
      commits and almost 300K lines of code of development effort, by
      124 individuals from 43 organizations.<br>
    </p>
    <h2>New Features</h2>
    <p>The release incorporates many new features and improvements to
      existing features. There are improvements across the board
      including to Security, Scalability, Performance and Documentation.</p>
    <p><strong>XL is now the default toolstack</strong>: Significant
      effort has gone in to the XL toolstack in this release and it
      is now feature complete and robust enough that we have made it the
      default. This toolstack can now replace xend in the majority of
      deployments, see <a
        href="http://wiki.xen.org/wiki/XL_vs_Xend_Feature_Comparison">XL
        vs Xend Feature Comparison</a>. As well as improving XL the
      underlying libxl library has been significantly improved and
      supports the majority of the most common toolstack features. In
      addition the API has been declared stable which should make it
      even easier for external toolstacks such as <a
        href="http://libvirt.org/">libvirt</a> and <a
        href="http://www.xen.org/products/cloudxen.html">XCP&#8217;s</a> xapi
      to make full use of this functionality in the future.</p>
    <p><strong>Large Systems</strong>: Following on from the
      improvements made in 4.1 Xen now supports even larger systems,
      with up to 4095 host CPUs and up to 512 guest CPUs. In addition
      toolstack features like the ability to automatically create a
      CPUPOOL per NUMA node and more intelligent placement of guest
      VCPUs on NUMA nodes have further improved the Xen experience on
      large systems. Other new features, such as multiple PCI segment
      support have also made a positive impact on such systems.</p>
    <p><strong>Improved security</strong>: The XSM/Flask subsystem has
      seen several enhancements, including improved support for
      disaggregated systems and a rewritten example policy which is
      clearer and simpler to modify to suit local requirements.</p>
    <p><strong>Documentation</strong>: The Xen documentation has been
      much improved, both the <a
        href="http://xenbits.xen.org/docs/4.2-testing/">in-tree
        documentation</a> and the <a
        href="http://wiki.xen.org/wiki">wiki</a>. This is in no small
      part down to the success of the <a
        href="http://wiki.xen.org/wiki/Xen_Document_Days">Xen Document
        Days</a> so thanks to all who have taken part.</p>
    <p>You can find more information in the <a
        href="http://wiki.xen.org/wiki/Xen_4.2_Release_Notes">release
        notes</a> and <a
        href="http://wiki.xen.org/wiki/Xen_4.2_Feature_List">feature
        list</a> on the wiki.</p>
    <h2>Upstreaming</h2>
    <p>The Xen project continues to work closely with our upstreams.</p>
    <p>Of particular note in this release cycle is the upstreaming of
      the HVM device model support into upstream <a
        href="http://qemu.org">qemu</a>. After the Linux dom0 support
      (merged upstream in 3.0 in the 4.1 release cycle) the qemu-derived
      device model was the largest remaining piece of code which
      required upstreaming. Support for Xen was merged into upstream
      prior to the qemu 0.15 release and is supported as an option using
      the XL toolstack. It will become the default in 4.3. Alongside
      this support we have also gained support for SeaBIOS (a cleaner
      and more maintainable legacy BIOS, used by default when upstream
      qemu is selected) and Tianocore/OVMF (a UEFI BIOS). Support for
      Xen has been merged into the upstreams of both of these projects
      during the Xen 4.2 development cycle.</p>
    <h2>More Information</h2>
    <p>Links to useful wiki pages and other resources can be found on
      the <a href="http://www.xen.org/products/xen_support.html">Xen
        support page</a>.</p>
    <h2>Thanks</h2>
    <p>Contributions were made to this release by 124 individuals from
      43 organizations, and that&#8217;s not counting contributions to
      external projects such as the BSDs, Linux or qemu. Many thanks to
      everyone who contributed to this release, either through code,
      testing, documentation or in any other way. </p>
    <p>The diagram below shows organisations which contributed more than
      1% in lines of code to the Xen 4.2 release. Several items in the
      diagram describe groups of people or organisations: <em>Individual</em>
      covers contributions by individuals whose affiliation is unknown,
      <em>Misc</em> covers contributions by commercial organisations
      which did not go above 1% individually and <em>University</em>
      covers contributions by Universities which did not go above 1%
      individually.</p>
    <p><a
href="http://blog.xen.org/wp-content/uploads/2012/09/Contribution-stats2.png"><img
          src="cid:part13.05080404.02010305@xen.org" alt="Xen 4.2
          Contribution Stats" title="Xen 4.2 Contribution Stats"
          class="aligncenter size-full wp-image-5395" border="0"
          height="453" width="549"></a></p>
    <p>I did also want to list the top 20 contributors to Xen 4.2 (in
      terms of commits and lines of code). These are: <br>
    </p>
    <ul>
      <li>Jan Beulich (338 commits/40357 LOC)</li>
      <li>Roger Pau Monne (87/36932)</li>
      <li>Ian Campbell (504/32009)</li>
      <li>Stefano Stabellini (124/29130)</li>
      <li>Ian Jackson (174/27900)</li>
      <li>Daniel De Graaf (79/11103)</li>
      <li>David Vrabel (45/11075)</li>
      <li>Tim Deegan (143/8790)</li>
      <li>Christoph Egger (67/8590)</li>
      <li>Matt Wilson (9/8508)</li>
      <li>Andr&eacute;s Lagar-Cavilla (115/8050)</li>
      <li>Keir Fraser (143/5593)</li>
      <li>Wei Wang (34/5577)</li>
      <li>Anthony Perard (45/5289)</li>
      <li>Olaf Hering (154/4296)</li>
      <li>Qing He (20/4179)</li>
      <li>George Dunlap (75/4088)</li>
      <li>Dario Faggioli (30/3742)</li>
      <li>Shriram Rajagopalan (21/3481)</li>
      <li>Jonathan Davies (3/3230)</li>
    </ul>
    <p>For a complete breakdown see the <a
        href="http://wiki.xen.org/wiki/Xen_4.2_Acknowledgments">Acknowledgement
        page</a>. A big thank you again!<br>
    </p>
    <p>Best Regards<br>
      Lars<br>
    </p>
  </body>
</html>

--------------040701070906020708020505
Content-Type: image/png;
 name="Contribution-stats2.png"
Content-Transfer-Encoding: base64
Content-ID: <part13.05080404.02010305@xen.org>
Content-Disposition: inline;
 filename="Contribution-stats2.png"
--------------040701070906020708020505--

--------------010702040202080003090402--


--===============5375204161027231707==
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

_______________________________________________
Xen-announce mailing list
Xen-announce@lists.xen.org
http://lists.xen.org/xen-announce
--===============5375204161027231707==--


