[From nobody Sat May 23 11:19:05 2026
Received: (at submit) by bugs.debian.org; 20 Dec 2025 19:55:53 +0000
X-Spam-Checker-Version: SpamAssassin 4.0.1-bugs.debian.org_2005_01_02
 (2024-03-25) on buxtehude.debian.org
X-Spam-Level: 
X-Spam-Status: No, score=-20.0 required=4.0 tests=BAYES_00,
 BODY_INCLUDES_PACKAGE,DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,
 DKIM_VALID_EF,FOURLA,HAS_PACKAGE,PGPSIGNATURE,RCVD_IN_DNSWL_MED,
 RCVD_IN_MSPIKE_H2,RCVD_IN_VALIDITY_CERTIFIED_BLOCKED,
 RCVD_IN_VALIDITY_RPBL_BLOCKED,RCVD_IN_VALIDITY_SAFE_BLOCKED,
 SPF_HELO_PASS,SPF_PASS autolearn=ham autolearn_force=no
 version=4.0.1-bugs.debian.org_2005_01_02
X-Spam-Bayes: score:0.0000 Tokens: new, 25; hammy, 150; neutral, 450; spammy,
 0. spammytokens: hammytokens:0.000-+--XDebbugsCc,
 0.000-+--X-Debbugs-Cc, 0.000-+--trixie, 0.000-+--python3,
 0.000-+--H*ct:application
Return-path: <jscott@posteo.net>
Received: from mout01.posteo.de ([185.67.36.65]:43217)
 by buxtehude.debian.org with esmtps
 (TLS1.3:ECDHE_X25519__RSA_PSS_RSAE_SHA256__AES_256_GCM:256)
 (Exim 4.96) (envelope-from <jscott@posteo.net>) id 1vX2ei-007w2g-1l
 for submit@bugs.debian.org; Sat, 20 Dec 2025 19:30:22 +0000
Received: from submission (posteo.de [185.67.36.169]) 
 by mout01.posteo.de (Postfix) with ESMTPS id 889A6240027
 for <submit@bugs.debian.org>; Sat, 20 Dec 2025 20:30:14 +0100 (CET)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=posteo.net; s=2017;
 t=1766259014; bh=u7WBzlzFnEJA4jCv5+FUlUYmAM27Je10GSYJG95/i5M=;
 h=Message-ID:Subject:From:To:Content-Type:Date:MIME-Version:
 Autocrypt:OpenPGP:From;
 b=ZBQr19BsNPeKl81LiHMtW2jbaRdApmB6OF9CbbS/SyTfVSPaXOyI5Amh89GwzQQNG
 pCXGCTBpkmYOQ+emVxIy0d4JtfSYCA63JYd2GnbnZyCPt9OOISPOPLXTdxpeEYxkHS
 xR4ey9xjFK0EPtZJwr638Yq1orswp4+XNHyQpxpn20au73vM683Po4m8VODZmnugAv
 kt9pa/HQBu7o8eFMt80w48ZPGToYsdNXWVzpPXovtLieDHpWEuXIGRTwCyV2myTmIf
 bko/Xtp3ERfHNepBhKSCeqtN0/1fVG1xa7vWh3OUCG2yT6khVqTdt/c7jeHCOI1ah9
 wkwSCaZUqOTMw==
Received: from customer (localhost [127.0.0.1])
 by submission (posteo.de) with ESMTPSA id 4dYZHT1Sj6z9rxG
 for <submit@bugs.debian.org>; Sat, 20 Dec 2025 20:30:12 +0100 (CET)
Message-ID: <49a1f61cd75749e44897060081f614fed7ef89de.camel@posteo.net>
Subject: TLS certificates for CalDAV servers are always trusted and not
 checked for validity
From: John Scott <jscott@posteo.net>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Jabber-ID: me@johnscott.me
Content-Type: multipart/signed; micalg="pgp-sha512";
 protocol="application/pgp-signature"; boundary="=-/rNoasVydNwaFb5HhUiT"
Date: Sat, 20 Dec 2025 19:30:13 +0000
MIME-Version: 1.0
Autocrypt: addr=jscott@posteo.net;
 keydata=xsFNBFzE2VsBEADAj1mv5RNr31Hy597sG0eAiTJkfOigNmVhV/53DGVJ6qll7FVHxTCT9SfzUAZ0
 J9CQ9cRpOfhiD6RyFsj2n/IaIwYUuL5m5RffE6h28aefCwC6a5yP7b+jhCEVTJcvRQwgHxgOPlGM
 1Iu+c8UtYQOUxZpJ2qIr6/FTYn/XZwdrUqWKESrCZw/WZoyOldz2gj1Et+hKn0KhVtSyWwGk9WzT
 C0TQmxv5qAtgzbQAO0YwR8T1woaBwioy2GneNzlyhXCFEK640yVHDAR3dqdPUI1Vnu+Zw2AZIruU
 umoSjwGnLktlvNTdMVt2KT2D9PNU3Kh87BJ4+nLAKVPHU0xpdkakk8DsXZw9oyBCdVXdtOL3HLDM
 xkLHyHtkinwxZ05OA3blp9Q3ZPyzqPsxhSGSiwH97W3LjKcbNOHZe+gBq7QJGD9TxFm6Do2sHX+I
 DZXd4QDkifmKu9vw+NzPbC9zDjqJ1pj789fCGCabadqmIVDuyBYOyzWtqzGpabKDWZyQgIUFnw+4
 w8DyGbFd2L1UYGqftQVmK0xw5vWVvAl7oscLqKOSt7aUZdulkpBo5THzlUjTNoKojOJRNq491RZ+
 fMWcrafT8w/PkJdSiMW9KzD6m+lihP6nUKRdSobw5benbhdq0MuJWELOGnEZlvSIJ1Zv5z1lvIXw
 pbzlACg2GW/iaQARAQABzRFqc2NvdHRAcG9zdGVvLm5ldMLBuAQTAQoAYgIbAwIeBwUJFmyCoAML
 CQcCIgIDFQoIAhYCFiEE1iI4kOfEYlssFGjRqxgf20HdQcQFAmfqMhQqGGh0dHBzOi8vcG9zdGVv
 Lm5ldC9rZXlzL2pzY290dEBwb3N0ZW8ubmV0AAoJEKsYH9tB3UHEzdsQAJjCIRobjPgRl9szJkO1
 /4N+0BFxJsgeHZ+6DcloyzPNGLM4le962849kyFobVHjNmGrFW49KcOB1HhSb/3VbbQ8Wj6SgEq4
 UvdIxeNlgwkpGFFqQ5lvV2o+A62Ajnw7ZGY5dvpRbFMgpuxorsfPDmSnZbcmcnWWkXJRbpPyV68q
 LDL7ih4+MdAgDfzzTBP9b8JFNeH8TPkLyRyErzSn0CyRwziTYpQvbi7HrNUFix0vLgELki6Nfldu
 O4+4bBRH9KMmqc3DO0VlBHo+2tRXSKMeX+F3LmDx6ewCZspw39sOkfi+Hqbz/shXLwf8c0NCZy6P
 m7+podOJ+xoBABSVXghX4qmAqmynlOMsghqIKhf21jp4kgJnMVZ9Lb4IeA9m0TreDjatUN2zXQtP
 GP4usFtgYkTnw5x/QEzzdGs4pTl5w6KRR50NKAt6rp4oF3osVnqlZlRrz24nnX1u5LAQKzZU5nWU
 9sRiGad+SKZxJSsIkvwAm2QFZ5/sPmTXuNT3GNGcfUpz7ZbwMn0LsHDwsb1qSpjh9f5Q5wDN4tv/
 53ATlj/rh+9+UJF0b8cIfieYmRWKkSnA3J49ddPf9hqJt4I2Ylu/pC84QBe5tJQunyOkydC8sEUr
 Gu3Ex8XNMpqyZpCVaHb1IQiSmNsMihKBQlKngxu2Kp+lKzxrwA0y8f+tzjMEZNc9SBYJKwYBBAHa
 Rw8BAQdAlgU9Oaebk2h9KX8Fg9N208QL3NMDHiRvDlQ+rkhDSQnCwfMEGAEKACYWIQTWIjiQ58Ri
 WywUaNGrGB/bQd1BxAUCZNc9SAIbIgUJA8JnAACBCRCrGB/bQd1BxHYgBBkWCgAdFiEEkmxnJ0so
 6P/XYoMBT0EhCOqwiFAFAmTXPUgACgkQT0EhCOqwiFCmyQD+KBmLQSJpeo4u2Bc+hdCnnXZl2AUn
 qacL4iI77hqQSYEBAJ+/8VGx8mulznXGud1ITZ1dGdaBI2VRqlWwoLT8AJcOVqsP/AslgKNJONjQ
 2PDoQZ8oTWz62Z7TmkvHw1ejg+3GYzmWG4P5COsxmJtCOilIAQmJBzFlSJnCz07YJZbtyVSdOOOv
 0Iqau+3KXp3X26Tr2PmVVdE3+m6e74hQEPYhLaFU8WSOuhU4T9IGvyk32PDy1I64KIeOjgUMgIKP
 4HDvOTDLR8Ud7vX7p2yjfjhJIBO+/Qng3wWKB63cTaLJ1vx20wv7lvh3eQyriFTSXqVAlxWOyb1s
 PzqhJkufOQCwYO/JZriAsREDiMuq6WpozsEVeIT1qqboMZWEZM+LiRu1Br/btS4wKV7QLYr+kQnw
 hudISTzfks+irBTyoqg2TmtKDcZVnXK6s9T3P7IUhsu39DJWKmYEqSQJeMDbc3HFwullrS2m1z8x
 9KAqyv2sjI8gSVxVZH83F7EJ8F08//mT/SbUIwS87ApfxFTSprj7DS2UM36f/1Cp2kSBR1aktith
 AFW7SgQDEgZ4ri6P5/9SrQO3k9aihNtnGevkc77+4LC1d3JbuEJ0Dcb2ROdrvJJDRSCtw4y1mjNV
 yQW/H6jj8LaUblmTTgfdLuRxEbWncoo7QRQv4HFT9YubBgjt4C9ODpQUfUxLlUPi1yUk7SxgbaYq
 Pn0mXgXUmPMcRYB9bzm8GH7hvH78ZtXs+KuqcWrmjkYfhk2gyfKTOQjLpztLd1F0zjMEYodyUxYJ
 KwYBBAHaRw8BAQdAawGd6svo+wrWPrtBk8wcTNnactBF5W/9wXvZnzk9vnbCwXwEGAEKACYCGyAW
 IQTWIjiQ58RiWywUaNGrGB/bQd1BxAUCZ+onawUJDOeDFwAKCRCrGB/bQd1BxMrdD/0b4p9cgsym
 W6NI3YM3+i4wq3p+Tje15O5d8LamoMHSnQtlJHAD7vCrapUwgLworz5O2KwEqhxyfIA/AxFI5CzY
 3M1KNAqF3cPvh9MwKIvV/5PSlcmvJKJoSQ7CFc11IzMbZ9A8j6tDiPt7/a1H2KnjjLSM++qnhYaT
 Upl1BXZZ3sbNUGjYZ+vP7FBKAL+PWmM8TMJxFyV5EUlUk3d9Cgx49lcgVXcM4pFxaWEIpameC+um
 8JJh84JeclBKOBjZmOY+ejkqrdGCT2ZIkZxNaijRUSA8xG3sX58d+RWe1WMVOiD9bcbyPIyboaBM
 rOfsdE30j/Fh/LraGlHFqCK668xOVM50hFOGGC0SoAj/1PhyrC1dBYOljP/aIquuhxX8xyQEVkzJ
 hpE9lEiNwcLF4uAsL4q5qSXcZveDtu02Bt6Xkbdk0AAdsb1W+m5iAkn07BVGHSzqaHyCTuTXbtxT
 2+npdozsS7XGfX7d/1jY0FGluVZNtbBe0lsbWM2EyhMHXwideq9KUFU+uOMp/+YrFQ44VpSqLOP2
 uu1fBLBFp/7bT/2F72jVAnVPXNt78GxuCcyGJKeNgqWZaOPEEmLv4rj3qmhOAWcysNiScOks5S6C
 si6VoNyIieY58YkfMC7wr5BoHH7Z+TCq5I5pNgqrNEwZcBcpkFIRENY5YA23s8Bpcs44BGKHcjAS
 CisGAQQBl1UBBQEBB0CL1OMvuthLeJJqCz/+bzylqz4kDgKBZi48Ake5iFzNTwMBCAfCwXwEGAEK
 ACYCGwwWIQTWIjiQ58RiWywUaNGrGB/bQd1BxAUCZ+onawUJDOeDOgAKCRCrGB/bQd1BxDDaEACC
 Uh7H3MBsoHcBfQF57qHB5TBn1+1tSb3xRPGiU1GJYaQHK3rka/krAElP0fkXxYcMgevBNVcLfQpI
 0TffDlOCJ75IQ48vTTr2uZD/4VsVtk9YuNiPF7Zylq0xi+bPFYc8OdP3WVY204mbjlOaQXC6y33F
 bZc7MyJoHYYEpbV3CLXzwCiFTFSVeNOv2o+m3lbnNsNj825sY1tGcixKQJMgEueoEdCge0mcATiQ
 HrjGo19i78HIfaeWPsQjRkEpqRVfh95UFFcpkI3kacM1G03cbEwpT09wlIrCBTavy3UXjOXUatYF
 tjh6QMhrsBxnFikDVbBO2Mq5sEFa4PHpIknbnJ6TReZxOn2xYNBnI0iZ40InNSYyEjrzAdmd/jeu
 EwcTQ+xwBl2FT7Pm/g2k97vehKZEiWMldh63QT0+lrlavNBtXuL6bZHq0kZ8ZIy9Hgfe6uykR5eL
 gcqFzClc/z47U81T1UFcfagp8QOU6gDPs0iMrd8jyp0gZnhyTOSJ4UKiiGp5aJyHA1cjiOATyVst
 ny5wSOrDaxBN6vpVe3OCwbBoepYI20DrPdzwrmL317yRKG0MU/UNni61GIML6OmFJJW4S5+jGW/o
 9COU82u08/GJe1zVWM883tjWfeSCJ0CJmkMDr3rEDkEUMT5Fg3Fz4sggfDpPcVLH3Yf23SMe4s4z
 BGKHcg0WCSsGAQQB2kcPAQEHQCBmiVNsO/rBddN1Z2vwTwXOtcLZ2h11wHf6s8MyYArLwsHzBBgB
 CgAmAhsCFiEE1iI4kOfEYlssFGjRqxgf20HdQcQFAmfqJ2oFCQzng10AgXYgBBkWCgAdFiEEoj88
 pb052esYrH81s/TdKGH0zboFAmKHcg0ACgkQs/TdKGH0zbp62gD/Ri3CY0Al9J9ucOTqVO8mqT+s
 kiFNNaRnVhoJ/qJqR7gA/0C/XwFaIP69ZLG9IuoNrxGjIY0jVgLXRhFvNcrKLH0ACRCrGB/bQd1B
 xMNHEACmxser7p/cRHuAQP5Dyedqgx+fP8Ah+RouhP4+q+SQdRbnEf1FJYdTwmRZZ/PzdAruypzm
 +0tEKWLnEarXmr6H/NMrrNxRTrAa4Dt38e9tSRppFQH5LOAYPPLs1VD59V+gzt4nmTp/6TdcN/cH
 6e9pkqPzU2xzwEWgm7cRddFsE/wLfXtnfuIglaimNCncMqrGUsH1xrX0MjvOxnspzEknnRATobaL
 bGA8Fi9Yn7Nkr0eJtwhzxZsMUKqgIsc5Bup1Wnp8IIwZUWvQiFEzyt8CjLumQDJKIdbUSjZy4VaA
 5D/sYr7W46HsuLiOkIGakIyv/vJ7+Flw7MtK1nZ9SWVi14sdHyTQd9bERj4MsPuAqrVKNewsxEWl
 QhPdrWCoTDaZvMHZlY7XH7H7S5ELkM4mV/3CsUhJraOzCe0bpWNJXo9tstMROOOyp2vl4UP881E/
 BRVS7A++k72CO826zPhsn57NIL0rt3Va9wcaeGsA2OCY0EclGh9XgelSTiyyir26cccSir9ChOGe
 kECEYfkffM1ZhwEpO2fgYu8WRmdDbGoccQx3hRgEeGmRcN9BPZNorowQ70ynrphPmqs9wqSPd4oT
 +pQ8+B5ggbjvBsVVV8Dme1YOyAPQhVocQzLvQW2DgC8rOU3eGlh8WxkKr9DA5w1E9qGElhPJ+avM
 2Bms0A==
OpenPGP: url=https://posteo.de/keys/jscott@posteo.net.asc
Delivered-To: submit@bugs.debian.org


--=-/rNoasVydNwaFb5HhUiT
Content-Type: multipart/mixed; boundary="=-YYLntEAKHHvjLP9mEfhS"

--=-YYLntEAKHHvjLP9mEfhS
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

Package: errands
Version: 46.2.8-1
Severity: important
Tags: security upstream
Forwarded: https://github.com/mrvladus/Errands/issues/401
X-Debbugs-Cc: Debian Security Team <team@security.debian.org>

Having solicited informal opinions from the Debian security mailing list (a=
ttached), I'm filing this report to keep an eye on the issue. To summarize,=
 Errands is able to synchronize a user's task and to-do list data using the=
 CalDAV protocol, a superset of HTTP. Credentials may be retrieved from GNO=
ME Online Accounts where setting up CalDAV is already possible, or informat=
ion can be entered directly in Errands. This consists of a URL (usually HTT=
PS) and username/password authentication credentials. It is typical for maj=
or providers to use HTTP Basic authentication which sends credentials in pl=
ain form and relying on TLS to authenticate the server's identity and encry=
pt data in transit. In its source code, Errands explicitly specifies 'ssl_v=
erify_cert=3DFalse' unconditionally when using a Python CalDAV library. It =
appears this allows it to accept any certificate whatsoever, even from a ma=
licious man-in-the-middle, without notice to the user.
The author doesn't remember why this was needed, but enabling certificate c=
hecking works fine for me with a server and my suspicion is the author had =
a particular service that wasn't doing things properly. Disabling this secu=
rity check for all users unconditionally and without notice is not an appro=
priate fix for a compatibility issue. Any genuine client-side bug that woul=
d cause certificate verification to unduly fail is most likely in a depende=
ncy and is a concern to be separated from Errands.

The author rewrote Errands in C and development focus has shifted there. Fo=
r Trixie at least, this needs to be handled. I've articulated the risks on =
the upstream issue to encourage the author to investigate but patching this=
 downstream is trivial. To assess if breakage is likely, a detective might =
wish to check bug reports for the libraries that Errands depends on (namely=
 the CalDAV one) to see if there are known shortcomings in TLS being handle=
d correctly.

For whatever it's worth, the GNOME ecosystem has decided that disabling TLS=
 certificate verification should never be done in legitimate usage and so (=
if I recall correctly) GLib/GIO and/or libsoup have been removing any param=
eters in their API that would allow this to be turned off or making then no=
-ops. As Errands is part of the GNOME Circle ecosystem and can integrate wi=
th GNOME Online Accounts, there is precedent for even a very firm stance on=
 certificate verification.

-- System Information:
Debian Release: 13.2
=C2=A0 APT prefers stable-updates
=C2=A0 APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500,=
 'proposed-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 6.12.57+deb13-amd64 (SMP w/2 CPU threads; PREEMPT)
Kernel taint flags: TAINT_USER
Locale: LANG=3Den_US.UTF-8, LC_CTYPE=3Den_US.UTF-8 (charmap=3DUTF-8), LANGU=
AGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages errands depends on:
ii=C2=A0 dconf-gsettings-backend [gsettings-backend]=C2=A0 0.40.0-5
ii=C2=A0 gir1.2-adw-1=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=
=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 1.7.6-1~deb=
13u1
ii=C2=A0 gir1.2-goa-1.0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=
=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 3.54.5-1~deb13u1
ii=C2=A0 gir1.2-gtk-4.0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=
=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 4.18.6+ds-2
ii=C2=A0 gir1.2-gtksource-5=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=
=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 5.16.0-1
ii=C2=A0 gir1.2-secret-1=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=
=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 0.21.7-1
ii=C2=A0 gir1.2-xdp-1.0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=
=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 0.9.1-1
ii=C2=A0 python3=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=
=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=
=A0=C2=A0=C2=A0 3.13.5-1
ii=C2=A0 python3-caldav=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=
=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 1.3.9-1
ii=C2=A0 python3-gi=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=
=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
 3.50.0-4+b1
ii=C2=A0 python3-pycryptodome=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=
=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0=C2=A0=C2=A0 3.20.0+dfsg-3

errands recommends no packages.

errands suggests no packages.

-- no debconf information

--=-YYLntEAKHHvjLP9mEfhS
Content-Type: message/rfc822; name="Debian Security list email for advice.eml"
Content-Description: 
Content-Disposition: inline; filename="Debian Security list email for advice.eml"

Message-ID: <3e999822ca44723959d49c896c2c8861af1f10f9.camel@posteo.net>
Subject: Errands task manager upstream unconditionally disables TLS
 certificate verification for CalDAV; does this need to be addressed?
From: John Scott <jscott@posteo.net>
To: debian-security@lists.debian.org
Cc: errands@packages.debian.org
Jabber-ID: me@johnscott.me
Content-Type: multipart/signed; micalg="sha-256"; protocol="application/pkcs7-signature";
	boundary="=-gFu1ThpIej7h595+8IS/"
Date: Wed, 10 Dec 2025 04:41:30 +0000
MIME-Version: 1.0
Autocrypt: addr=jscott@posteo.net;
 keydata=xsFNBFzE2VsBEADAj1mv5RNr31Hy597sG0eAiTJkfOigNmVhV/53DGVJ6qll7FVHxTCT9SfzUAZ0
  J9CQ9cRpOfhiD6RyFsj2n/IaIwYUuL5m5RffE6h28aefCwC6a5yP7b+jhCEVTJcvRQwgHxgOPlGM
  1Iu+c8UtYQOUxZpJ2qIr6/FTYn/XZwdrUqWKESrCZw/WZoyOldz2gj1Et+hKn0KhVtSyWwGk9WzT
  C0TQmxv5qAtgzbQAO0YwR8T1woaBwioy2GneNzlyhXCFEK640yVHDAR3dqdPUI1Vnu+Zw2AZIruU
  umoSjwGnLktlvNTdMVt2KT2D9PNU3Kh87BJ4+nLAKVPHU0xpdkakk8DsXZw9oyBCdVXdtOL3HLDM
  xkLHyHtkinwxZ05OA3blp9Q3ZPyzqPsxhSGSiwH97W3LjKcbNOHZe+gBq7QJGD9TxFm6Do2sHX+I
  DZXd4QDkifmKu9vw+NzPbC9zDjqJ1pj789fCGCabadqmIVDuyBYOyzWtqzGpabKDWZyQgIUFnw+4
  w8DyGbFd2L1UYGqftQVmK0xw5vWVvAl7oscLqKOSt7aUZdulkpBo5THzlUjTNoKojOJRNq491RZ+
  fMWcrafT8w/PkJdSiMW9KzD6m+lihP6nUKRdSobw5benbhdq0MuJWELOGnEZlvSIJ1Zv5z1lvIXw
  pbzlACg2GW/iaQARAQABzRFqc2NvdHRAcG9zdGVvLm5ldMLBuAQTAQoAYgIbAwIeBwUJFmyCoAML
  CQcCIgIDFQoIAhYCFiEE1iI4kOfEYlssFGjRqxgf20HdQcQFAmfqMhQqGGh0dHBzOi8vcG9zdGVv
  Lm5ldC9rZXlzL2pzY290dEBwb3N0ZW8ubmV0AAoJEKsYH9tB3UHEzdsQAJjCIRobjPgRl9szJkO1
  /4N+0BFxJsgeHZ+6DcloyzPNGLM4le962849kyFobVHjNmGrFW49KcOB1HhSb/3VbbQ8Wj6SgEq4
  UvdIxeNlgwkpGFFqQ5lvV2o+A62Ajnw7ZGY5dvpRbFMgpuxorsfPDmSnZbcmcnWWkXJRbpPyV68q
  LDL7ih4+MdAgDfzzTBP9b8JFNeH8TPkLyRyErzSn0CyRwziTYpQvbi7HrNUFix0vLgELki6Nfldu
  O4+4bBRH9KMmqc3DO0VlBHo+2tRXSKMeX+F3LmDx6ewCZspw39sOkfi+Hqbz/shXLwf8c0NCZy6P
  m7+podOJ+xoBABSVXghX4qmAqmynlOMsghqIKhf21jp4kgJnMVZ9Lb4IeA9m0TreDjatUN2zXQtP
  GP4usFtgYkTnw5x/QEzzdGs4pTl5w6KRR50NKAt6rp4oF3osVnqlZlRrz24nnX1u5LAQKzZU5nWU
  9sRiGad+SKZxJSsIkvwAm2QFZ5/sPmTXuNT3GNGcfUpz7ZbwMn0LsHDwsb1qSpjh9f5Q5wDN4tv/
  53ATlj/rh+9+UJF0b8cIfieYmRWKkSnA3J49ddPf9hqJt4I2Ylu/pC84QBe5tJQunyOkydC8sEUr
  Gu3Ex8XNMpqyZpCVaHb1IQiSmNsMihKBQlKngxu2Kp+lKzxrwA0y8f+tzjMEZNc9SBYJKwYBBAHa
  Rw8BAQdAlgU9Oaebk2h9KX8Fg9N208QL3NMDHiRvDlQ+rkhDSQnCwfMEGAEKACYWIQTWIjiQ58Ri
  WywUaNGrGB/bQd1BxAUCZNc9SAIbIgUJA8JnAACBCRCrGB/bQd1BxHYgBBkWCgAdFiEEkmxnJ0so
  6P/XYoMBT0EhCOqwiFAFAmTXPUgACgkQT0EhCOqwiFCmyQD+KBmLQSJpeo4u2Bc+hdCnnXZl2AUn
  qacL4iI77hqQSYEBAJ+/8VGx8mulznXGud1ITZ1dGdaBI2VRqlWwoLT8AJcOVqsP/AslgKNJONjQ
  2PDoQZ8oTWz62Z7TmkvHw1ejg+3GYzmWG4P5COsxmJtCOilIAQmJBzFlSJnCz07YJZbtyVSdOOOv
  0Iqau+3KXp3X26Tr2PmVVdE3+m6e74hQEPYhLaFU8WSOuhU4T9IGvyk32PDy1I64KIeOjgUMgIKP
  4HDvOTDLR8Ud7vX7p2yjfjhJIBO+/Qng3wWKB63cTaLJ1vx20wv7lvh3eQyriFTSXqVAlxWOyb1s
  PzqhJkufOQCwYO/JZriAsREDiMuq6WpozsEVeIT1qqboMZWEZM+LiRu1Br/btS4wKV7QLYr+kQnw
  hudISTzfks+irBTyoqg2TmtKDcZVnXK6s9T3P7IUhsu39DJWKmYEqSQJeMDbc3HFwullrS2m1z8x
  9KAqyv2sjI8gSVxVZH83F7EJ8F08//mT/SbUIwS87ApfxFTSprj7DS2UM36f/1Cp2kSBR1aktith
  AFW7SgQDEgZ4ri6P5/9SrQO3k9aihNtnGevkc77+4LC1d3JbuEJ0Dcb2ROdrvJJDRSCtw4y1mjNV
  yQW/H6jj8LaUblmTTgfdLuRxEbWncoo7QRQv4HFT9YubBgjt4C9ODpQUfUxLlUPi1yUk7SxgbaYq
  Pn0mXgXUmPMcRYB9bzm8GH7hvH78ZtXs+KuqcWrmjkYfhk2gyfKTOQjLpztLd1F0zjMEYodyUxYJ
  KwYBBAHaRw8BAQdAawGd6svo+wrWPrtBk8wcTNnactBF5W/9wXvZnzk9vnbCwXwEGAEKACYCGyAW
  IQTWIjiQ58RiWywUaNGrGB/bQd1BxAUCZ+onawUJDOeDFwAKCRCrGB/bQd1BxMrdD/0b4p9cgsym
  W6NI3YM3+i4wq3p+Tje15O5d8LamoMHSnQtlJHAD7vCrapUwgLworz5O2KwEqhxyfIA/AxFI5CzY
  3M1KNAqF3cPvh9MwKIvV/5PSlcmvJKJoSQ7CFc11IzMbZ9A8j6tDiPt7/a1H2KnjjLSM++qnhYaT
  Upl1BXZZ3sbNUGjYZ+vP7FBKAL+PWmM8TMJxFyV5EUlUk3d9Cgx49lcgVXcM4pFxaWEIpameC+um
  8JJh84JeclBKOBjZmOY+ejkqrdGCT2ZIkZxNaijRUSA8xG3sX58d+RWe1WMVOiD9bcbyPIyboaBM
  rOfsdE30j/Fh/LraGlHFqCK668xOVM50hFOGGC0SoAj/1PhyrC1dBYOljP/aIquuhxX8xyQEVkzJ
  hpE9lEiNwcLF4uAsL4q5qSXcZveDtu02Bt6Xkbdk0AAdsb1W+m5iAkn07BVGHSzqaHyCTuTXbtxT
  2+npdozsS7XGfX7d/1jY0FGluVZNtbBe0lsbWM2EyhMHXwideq9KUFU+uOMp/+YrFQ44VpSqLOP2
  uu1fBLBFp/7bT/2F72jVAnVPXNt78GxuCcyGJKeNgqWZaOPEEmLv4rj3qmhOAWcysNiScOks5S6C
  si6VoNyIieY58YkfMC7wr5BoHH7Z+TCq5I5pNgqrNEwZcBcpkFIRENY5YA23s8Bpcs44BGKHcjAS
  CisGAQQBl1UBBQEBB0CL1OMvuthLeJJqCz/+bzylqz4kDgKBZi48Ake5iFzNTwMBCAfCwXwEGAEK
  ACYCGwwWIQTWIjiQ58RiWywUaNGrGB/bQd1BxAUCZ+onawUJDOeDOgAKCRCrGB/bQd1BxDDaEACC
  Uh7H3MBsoHcBfQF57qHB5TBn1+1tSb3xRPGiU1GJYaQHK3rka/krAElP0fkXxYcMgevBNVcLfQpI
  0TffDlOCJ75IQ48vTTr2uZD/4VsVtk9YuNiPF7Zylq0xi+bPFYc8OdP3WVY204mbjlOaQXC6y33F
  bZc7MyJoHYYEpbV3CLXzwCiFTFSVeNOv2o+m3lbnNsNj825sY1tGcixKQJMgEueoEdCge0mcATiQ
  HrjGo19i78HIfaeWPsQjRkEpqRVfh95UFFcpkI3kacM1G03cbEwpT09wlIrCBTavy3UXjOXUatYF
  tjh6QMhrsBxnFikDVbBO2Mq5sEFa4PHpIknbnJ6TReZxOn2xYNBnI0iZ40InNSYyEjrzAdmd/jeu
  EwcTQ+xwBl2FT7Pm/g2k97vehKZEiWMldh63QT0+lrlavNBtXuL6bZHq0kZ8ZIy9Hgfe6uykR5eL
  gcqFzClc/z47U81T1UFcfagp8QOU6gDPs0iMrd8jyp0gZnhyTOSJ4UKiiGp5aJyHA1cjiOATyVst
  ny5wSOrDaxBN6vpVe3OCwbBoepYI20DrPdzwrmL317yRKG0MU/UNni61GIML6OmFJJW4S5+jGW/o
  9COU82u08/GJe1zVWM883tjWfeSCJ0CJmkMDr3rEDkEUMT5Fg3Fz4sggfDpPcVLH3Yf23SMe4s4z
  BGKHcg0WCSsGAQQB2kcPAQEHQCBmiVNsO/rBddN1Z2vwTwXOtcLZ2h11wHf6s8MyYArLwsHzBBgB
  CgAmAhsCFiEE1iI4kOfEYlssFGjRqxgf20HdQcQFAmfqJ2oFCQzng10AgXYgBBkWCgAdFiEEoj88
  pb052esYrH81s/TdKGH0zboFAmKHcg0ACgkQs/TdKGH0zbp62gD/Ri3CY0Al9J9ucOTqVO8mqT+s
  kiFNNaRnVhoJ/qJqR7gA/0C/XwFaIP69ZLG9IuoNrxGjIY0jVgLXRhFvNcrKLH0ACRCrGB/bQd1B
  xMNHEACmxser7p/cRHuAQP5Dyedqgx+fP8Ah+RouhP4+q+SQdRbnEf1FJYdTwmRZZ/PzdAruypzm
  +0tEKWLnEarXmr6H/NMrrNxRTrAa4Dt38e9tSRppFQH5LOAYPPLs1VD59V+gzt4nmTp/6TdcN/cH
  6e9pkqPzU2xzwEWgm7cRddFsE/wLfXtnfuIglaimNCncMqrGUsH1xrX0MjvOxnspzEknnRATobaL
  bGA8Fi9Yn7Nkr0eJtwhzxZsMUKqgIsc5Bup1Wnp8IIwZUWvQiFEzyt8CjLumQDJKIdbUSjZy4VaA
  5D/sYr7W46HsuLiOkIGakIyv/vJ7+Flw7MtK1nZ9SWVi14sdHyTQd9bERj4MsPuAqrVKNewsxEWl
  QhPdrWCoTDaZvMHZlY7XH7H7S5ELkM4mV/3CsUhJraOzCe0bpWNJXo9tstMROOOyp2vl4UP881E/
  BRVS7A++k72CO826zPhsn57NIL0rt3Va9wcaeGsA2OCY0EclGh9XgelSTiyyir26cccSir9ChOGe
  kECEYfkffM1ZhwEpO2fgYu8WRmdDbGoccQx3hRgEeGmRcN9BPZNorowQ70ynrphPmqs9wqSPd4oT
  +pQ8+B5ggbjvBsVVV8Dme1YOyAPQhVocQzLvQW2DgC8rOU3eGlh8WxkKr9DA5w1E9qGElhPJ+avM
  2Bms0A==
OpenPGP: url=https://posteo.de/keys/jscott@posteo.net.asc
X-Rc-Virus: 2007-09-13_01
X-Rc-Spam: 2008-11-04_01
Resent-Message-ID: <yG2oo4SqpuH.A.RBN.OoPOpB@bendel>
Resent-From: debian-security@lists.debian.org
X-Mailing-List: <debian-security@lists.debian.org> archive/latest/29698
X-Loop: debian-security@lists.debian.org
List-Id: <debian-security.lists.debian.org>
List-URL: <https://lists.debian.org/debian-security/>
List-Post: <mailto:debian-security@lists.debian.org>
List-Help: <mailto:debian-security-request@lists.debian.org?subject=help>
List-Subscribe: <mailto:debian-security-request@lists.debian.org?subject=subscribe>
List-Unsubscribe: <mailto:debian-security-request@lists.debian.org?subject=unsubscribe>
Precedence: list
Resent-Sender: debian-security-request@lists.debian.org
List-Archive: https://lists.debian.org/msgid-search/3e999822ca44723959d49c896c2c8861af1f10f9.camel@posteo.net
Resent-Date: Wed, 10 Dec 2025 04:41:50 +0000 (UTC)


--=-gFu1ThpIej7h595+8IS/
Content-Type: multipart/signed; micalg="pgp-sha512";
	protocol="application/pgp-signature"; boundary="=-NsKfaz/X78dUHFxh4UQx"


--=-NsKfaz/X78dUHFxh4UQx
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

Hello,
Errands is a graphical planning and task organizer application that support=
s using CalDAV to synchronize tasks from a provider. CalDAV is a set of con=
ventions for using HTTP to access and manage calendar and task data; it's s=
imilar to what IMAP is for email. Errands is independently developed but pa=
rt of the broad GNOME Circle ecosystem.

I was browsing upstream issue reports for an unrelated reason and saw https=
://github.com/mrvladus/Errands/issues/401 which I'll crudely transcribe the=
 dialogue of below:
[2025-08-15] powerjungle (reporter): "Is there a reason TLS certificate ver=
ification is disabled by default?"

Code snippet:
> Errands/errands/lib/sync/providers/caldav.py, Line 89
> 	ssl_verify_cert=3DFalse,

Description:
> Doesn't seem like a safe approach. Why isn't there a checkbox at least fo=
r the user to choose?
> I am aware of the rewrite [then-work-in-progress rewrite of Errands in C =
instead of Python], but until then people would still be using the the curr=
ent python package in their distros.

Effectively, Errands hard-codes in its source to never attempt verification=
 of the certificate. I'm not just referring to validation here like checkin=
g a CRL or OCSP, but even name validation, so there is no authentication at=
 all and the user is not notified even when they explicitly give an https:/=
/ URL for the server. The author of Errands had this reply:
[2025-08-15] mrvladus (maintainer):
> I can't remember exactly, but I think it was breaking something so I had =
to disable that.

I find this even more concerning than the average case of a client acceptin=
g any TLS certificate whatsoever, for these reasons:
 =E2=80=A2 Errands uses HTTP Basic or Digest authentication which is common=
 for DAV clients, but it means TLS usage is absolutely essential with the p=
assword otherwise being sent in the clear.
 =E2=80=A2 The calendar and task data is quite revealing on its own; it may=
 have information about one's residence, workplace, attachments, and obliga=
tions. Unlike much groupware, a to-do list application like this is often u=
sed to record one's own thoughts or priorities with no intention of them be=
ing visible to others.

Am I overreacting? If this is an issue worthy of being fixed in Trixie, I w=
ould appreciate if someone who is better with their words and making the ri=
sks understandable why this needs to be made a priority. Above all, I'm sen=
ding this mail here to gather opinions about etiquette and to learn where t=
he bar is before making a "big deal" about something.

I'm merely an Errands user; I don't maintain the package or have a stake in=
 it otherwise.
Thanks, Debian hive mind =F0=9F=98=89

--=-NsKfaz/X78dUHFxh4UQx
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: This is a digitally signed message part

-----BEGIN PGP SIGNATURE-----

iIgEABYKADAWIQSiPzylvTnZ6xisfzWz9N0oYfTNugUCaTj58xIcanNjb3R0QHBv
c3Rlby5uZXQACgkQs/TdKGH0zbpm5gD/R4kdl+Jz+m+TARqL+VoGED0MUG4FWVfM
MNj9rqm3sggBAKIurMxp2A7FKbmvsyG809dXv0uH3hN1/P5Tv5SQtsUI
=8XSh
-----END PGP SIGNATURE-----

--=-NsKfaz/X78dUHFxh4UQx--

--=-gFu1ThpIej7h595+8IS/
Content-Type: application/pkcs7-signature; name="smime.p7s"
Content-Disposition: attachment; filename="smime.p7s"
Content-Transfer-Encoding: base64

MIAGCSqGSIb3DQEHAqCAMIACAQExDzANBglghkgBZQMEAgEFADCABgkqhkiG9w0BBwEAAKCCFFow
ggayMIIEmqADAgECAhAM4TInqCzmo9DzV8Nsth6GMA0GCSqGSIb3DQEBDQUAMHoxCzAJBgNVBAYT
AlBMMSEwHwYDVQQKExhBc3NlY28gRGF0YSBTeXN0ZW1zIFMuQS4xJzAlBgNVBAsTHkNlcnR1bSBD
ZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTEfMB0GA1UEAxMWQ2VydHVtIFRydXN0ZWQgUm9vdCBDQTAe
Fw0yMzA4MDEwODA5NDlaFw0zODA3MjMwODA5NDlaME4xCzAJBgNVBAYTAlBMMSEwHwYDVQQKDBhB
c3NlY28gRGF0YSBTeXN0ZW1zIFMuQS4xHDAaBgNVBAMME0NlcnR1bSBTTUlNRSBSU0EgQ0EwggIi
MA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQDTudxfTHvqEIhVwDB4ZDDJq+fDBq1a+nCBCTGd
nj326RGkCS2E1Q63oHTwlD9tkJt6a8UDwIIZ6eG8/OIkM/A+K2lzMrBcP9dEBdGZqCXwbqq4O4Z/
Pl8om7O7G5bwnaacpFpLGTXotg6PT/R9UWXMW+S1I5KiorBXROeFX0N+CbryUfCQj0vB5F85YXqy
HkaZdgO8YdL+j+pfUROJGLdnGff6b3+O58bBZ6f4IUVOARhyaaLQy1ofnwkV0AM2Wl/AIjA8Krwt
ROh0z5/F3k8SUyNyvIQaG0vPyctHRWLsXGbkwHo3wOpXS4KkAQR1zR+ULDGCMFhRSX/j/skJxYmA
tqbU+v56wYeLEM9LmfTCsOSrY8yNRip0PQS4FrZyi888WC49iBLzMktO+JEsmDIiAYDk9kjD9WAh
ubh8iN/5RducVz9lukfCa0+jYH7sRhpc12H3bM2ufvTbRIE5W1CRaALiGzlEWzhA3UWIBba+Y4Br
httxrrwKG9fORAubnFe0yDCnXcHC4N90YIwJ44sP0BgC9LjGR+PZNTzvSAj+qCmZ6xJOPUlssl6H
ycEPU6KsW9KnlZmETscqcC+V3ozBk8xM0VZ/AHZ34pXJcemfWG4e4rxeH0FSdwUEzj3kTA84OqRx
bb/C21XsiS1XyT3KUIGlDiIEQFgnD9Tk/PGpEwIDAQABo4IBXjCCAVowDwYDVR0TAQH/BAUwAwEB
/zAdBgNVHQ4EFgQUZvvDD770v+CcyatN3kcZvcDKpmgwHwYDVR0jBBgwFoAUjPscdbwC059OLkjZ
+WBUqsSzT/owDgYDVR0PAQH/BAQDAgEGMB0GA1UdJQQWMBQGCCsGAQUFBwMEBggrBgEFBQcDAjAv
BgNVHR8EKDAmMCSgIqAghh5odHRwOi8vY3JsLmNlcnR1bS5wbC9jdHJjYS5jcmwwawYIKwYBBQUH
AQEEXzBdMCgGCCsGAQUFBzABhhxodHRwOi8vc3ViY2Eub2NzcC1jZXJ0dW0uY29tMDEGCCsGAQUF
BzAChiVodHRwOi8vcmVwb3NpdG9yeS5jZXJ0dW0ucGwvY3RyY2EuY2VyMDoGA1UdIAQzMDEwLwYE
VR0gADAnMCUGCCsGAQUFBwIBFhlodHRwczovL3d3dy5jZXJ0dW0ucGwvQ1BTMA0GCSqGSIb3DQEB
DQUAA4ICAQACdWiFTrEXejbCNhvlQGjnGr4GwCBRRcs1+uQumSciktKucsj1mCb3tmB09bDya0be
SUDVed/h+fbPKFlON2miwRYZwdGXSFNrynzGC1oYQG3SPS6qwXS2iZe4kQ4d0pTRntGPeHRe13o5
nd3tJw/+XanUoTRy7/N2NxQ8Br16v+Ma6N2XqqLj+zXGMn8h5c0LpmqnkaMxk2hiLxXEOLFoGXXO
il3wHCkgtlZgfbgyeK/AGjqEj9XNfDCe2V4fTLsYqlb+AaVAMpXFtezeGLrsIAef+MYjXNoGKYGe
HM8AiNHeIxavk45O9Etvad/lKvPcH0hgMr9wTReCRnmjpodHgxcKG0LLI6rLR4RbEfRf3rV8xyR6
KkfjIy7W8pN/Cx/i8D/rAM46YcS281duz43X0Oaw6UjiqFwiae8DeKvTINLBR+yfJdQ/lLssNAG3
QNxXRHozNJUp/UeqUnf1WQC4NabQXKp54hWTCSBec+n550+REg/P+tDi+UsoFqiE9Mpz/I/KpA3F
GyhpDxYbLiw/e0nYLqt1HqX8F4L4sLfW346rEHtBWVNPmsQmLjI6mfhm8c4FX3jfnQowPDLvqNGJ
sO/ec397eyb8nN+8MSM1KXPVsMh4LvRZvjVL0DVEfOGBf29HWEXYuJ5llhY9/N31ay4Gsv61VgFE
7v9hQjM4ZDCCBs4wggS2oAMCAQICECVSDRtr8FpV2nzxlWEVFsgwDQYJKoZIhvcNAQELBQAwTjEL
MAkGA1UEBhMCUEwxITAfBgNVBAoMGEFzc2VjbyBEYXRhIFN5c3RlbXMgUy5BLjEcMBoGA1UEAwwT
Q2VydHVtIFNNSU1FIFJTQSBDQTAeFw0yNTA0MDUwMzQwMjZaFw0yNjA0MDUwMzQwMjVaMD4xGjAY
BgNVBAMMEWpzY290dEBwb3N0ZW8ubmV0MSAwHgYJKoZIhvcNAQkBFhFqc2NvdHRAcG9zdGVvLm5l
dDCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAMGCQxB2MnqxQXP08/dE2d5v78+3ucS2
UiFvb9FN0b0j/BifMZvN/9bumJzpmpVwd0d5JR9+9M/svSRf4hIBf+hLGtYJrbtte5jYEPPAlXYS
oHyNybf7ko1uJ/rHldKdvga5G6fNfThyMVb7ODDuikIDj8DFnJAi7GDuu/LD6evazvNMIwk0ii6E
1qgzf61kHw3nVp3hGs3SSm4AXj+I9ySiap7f9+h8mjqM/z2WdXfWAp07IRa5TfDhmfMjIKlIHGoO
2zf9D4i7ml12ojv/yycmjRJJnFs0Q5ic4yP5puVkC/yCjH6OMg20PaXTcPyFXhDQsmMeuAQgcD9t
V8O3IzGU4Io9gujZPJxda1yZ7BpZH7jV9xuIKbL4WoQGZSZ0dwXvzpDW9NPVeEXH2us+Xfqc6VbE
znMPPhtCqRgeqt603w87gnf7puzKBPLEoQo9VCLRx5cJPlip05TtRP4PH6uOCwK5BYs3LFSnJkg7
iJ8sTrEfbO+gEeboiO2TGplMGC/6zEcVh4yM5mPjfVkFijCZw+AavzIOlE6NHCEqKET/D7wZzAZ/
/122lLaAZ3lNS1fO9FikACxEJ9EbKZJmzphU3TGCpmobcXiDB/esYIi65In7dKy+B0XE7zDy5KZb
oKYz9o/N4u6lfUJb9Gf6kEmBJDTcyYUZZ2pJPyjwMRUvAgMBAAGjggG2MIIBsjAMBgNVHRMBAf8E
AjAAMEEGA1UdHwQ6MDgwNqA0oDKGMGh0dHA6Ly9jc21pbWVyc2FjYS5jcmwuY2VydHVtLnBsL2Nz
bWltZXJzYWNhLmNybDCBgwYIKwYBBQUHAQEEdzB1MC4GCCsGAQUFBzABhiJodHRwOi8vY3NtaW1l
cnNhY2Eub2NzcC1jZXJ0dW0uY29tMEMGCCsGAQUFBzAChjdodHRwOi8vY3NtaW1lcnNhY2EucmVw
b3NpdG9yeS5jZXJ0dW0ucGwvY3NtaW1lcnNhY2EuY2VyMB8GA1UdIwQYMBaAFGb7ww++9L/gnMmr
Td5HGb3AyqZoMB0GA1UdDgQWBBQej7nlaxX39WVBUY+aBFMp+c99RzBMBgNVHSAERTBDMAkGB2eB
DAEFAQIwNgYLKoRoAYb2dwJkAgEwJzAlBggrBgEFBQcCARYZaHR0cHM6Ly93d3cuY2VydHVtLnBs
L0NQUzAdBgNVHSUEFjAUBggrBgEFBQcDBAYIKwYBBQUHAwIwDgYDVR0PAQH/BAQDAgTwMBwGA1Ud
EQQVMBOBEWpzY290dEBwb3N0ZW8ubmV0MA0GCSqGSIb3DQEBCwUAA4ICAQB+Oua8ErSAIhxfeM+I
KN89z4gk+OJRLVxhvJ81We2s/NH5DWwxH3kKL+C8a88xuO0LY/kLSiog7zgWl3olyNbnOM6vnfNz
YWRZqC6TZEh+b02vn6h9/UIsNbB5npZS6H5P9bwF7RQzpxhDmstXsw1knfKtqIliG5EU06D3Npuy
TkDFTsBvGaMiMOLMA9IzELyg8VDjJNbQ+PlVh+ZALKlbBhAjR869mwsqRYK1YHGArNndyUvgGF2J
2JlOhUvhfkiFS0IKCa1fYCJU+xQVKxSO4j2fob1wuLFRqP2luNh2G7LsD1mOw3qKcLSf/l8608On
JVZYtJDdSBgldpeugvC72bar0DvC0E9YFCkQLylwuuk4ISuexe+ieT0cXAbM3m7jJ2iYWXAc8WZZ
SuIUXEPKccQlu6ElHIwTQuUpIuUgKp6dkZY8EnYqdGM2Jn9DSh6kUFr4ePIxi6LZUdFfzjVS6w2i
TObtpE4FSUe000wciTADR0VvmLb8qrAp+uhOm/Oi6X0QHND7p2OpRCs+MqUdT5GT5oR58pKG+cMG
EZchJ3B45vmp2fDD7tVz/lFuZjcm9JM8a/xRkMy+luwqFb3y20bY8pAMi1Ov7Fut6LokemaL28r4
d0bPAeBfmj9i12tRygZpN5SZy/kZ+PfbbTrDBfBxWA0kMdhsvChinxZAGzCCBs4wggS2oAMCAQIC
ECVSDRtr8FpV2nzxlWEVFsgwDQYJKoZIhvcNAQELBQAwTjELMAkGA1UEBhMCUEwxITAfBgNVBAoM
GEFzc2VjbyBEYXRhIFN5c3RlbXMgUy5BLjEcMBoGA1UEAwwTQ2VydHVtIFNNSU1FIFJTQSBDQTAe
Fw0yNTA0MDUwMzQwMjZaFw0yNjA0MDUwMzQwMjVaMD4xGjAYBgNVBAMMEWpzY290dEBwb3N0ZW8u
bmV0MSAwHgYJKoZIhvcNAQkBFhFqc2NvdHRAcG9zdGVvLm5ldDCCAiIwDQYJKoZIhvcNAQEBBQAD
ggIPADCCAgoCggIBAMGCQxB2MnqxQXP08/dE2d5v78+3ucS2UiFvb9FN0b0j/BifMZvN/9bumJzp
mpVwd0d5JR9+9M/svSRf4hIBf+hLGtYJrbtte5jYEPPAlXYSoHyNybf7ko1uJ/rHldKdvga5G6fN
fThyMVb7ODDuikIDj8DFnJAi7GDuu/LD6evazvNMIwk0ii6E1qgzf61kHw3nVp3hGs3SSm4AXj+I
9ySiap7f9+h8mjqM/z2WdXfWAp07IRa5TfDhmfMjIKlIHGoO2zf9D4i7ml12ojv/yycmjRJJnFs0
Q5ic4yP5puVkC/yCjH6OMg20PaXTcPyFXhDQsmMeuAQgcD9tV8O3IzGU4Io9gujZPJxda1yZ7BpZ
H7jV9xuIKbL4WoQGZSZ0dwXvzpDW9NPVeEXH2us+Xfqc6VbEznMPPhtCqRgeqt603w87gnf7puzK
BPLEoQo9VCLRx5cJPlip05TtRP4PH6uOCwK5BYs3LFSnJkg7iJ8sTrEfbO+gEeboiO2TGplMGC/6
zEcVh4yM5mPjfVkFijCZw+AavzIOlE6NHCEqKET/D7wZzAZ//122lLaAZ3lNS1fO9FikACxEJ9Eb
KZJmzphU3TGCpmobcXiDB/esYIi65In7dKy+B0XE7zDy5KZboKYz9o/N4u6lfUJb9Gf6kEmBJDTc
yYUZZ2pJPyjwMRUvAgMBAAGjggG2MIIBsjAMBgNVHRMBAf8EAjAAMEEGA1UdHwQ6MDgwNqA0oDKG
MGh0dHA6Ly9jc21pbWVyc2FjYS5jcmwuY2VydHVtLnBsL2NzbWltZXJzYWNhLmNybDCBgwYIKwYB
BQUHAQEEdzB1MC4GCCsGAQUFBzABhiJodHRwOi8vY3NtaW1lcnNhY2Eub2NzcC1jZXJ0dW0uY29t
MEMGCCsGAQUFBzAChjdodHRwOi8vY3NtaW1lcnNhY2EucmVwb3NpdG9yeS5jZXJ0dW0ucGwvY3Nt
aW1lcnNhY2EuY2VyMB8GA1UdIwQYMBaAFGb7ww++9L/gnMmrTd5HGb3AyqZoMB0GA1UdDgQWBBQe
j7nlaxX39WVBUY+aBFMp+c99RzBMBgNVHSAERTBDMAkGB2eBDAEFAQIwNgYLKoRoAYb2dwJkAgEw
JzAlBggrBgEFBQcCARYZaHR0cHM6Ly93d3cuY2VydHVtLnBsL0NQUzAdBgNVHSUEFjAUBggrBgEF
BQcDBAYIKwYBBQUHAwIwDgYDVR0PAQH/BAQDAgTwMBwGA1UdEQQVMBOBEWpzY290dEBwb3N0ZW8u
bmV0MA0GCSqGSIb3DQEBCwUAA4ICAQB+Oua8ErSAIhxfeM+IKN89z4gk+OJRLVxhvJ81We2s/NH5
DWwxH3kKL+C8a88xuO0LY/kLSiog7zgWl3olyNbnOM6vnfNzYWRZqC6TZEh+b02vn6h9/UIsNbB5
npZS6H5P9bwF7RQzpxhDmstXsw1knfKtqIliG5EU06D3NpuyTkDFTsBvGaMiMOLMA9IzELyg8VDj
JNbQ+PlVh+ZALKlbBhAjR869mwsqRYK1YHGArNndyUvgGF2J2JlOhUvhfkiFS0IKCa1fYCJU+xQV
KxSO4j2fob1wuLFRqP2luNh2G7LsD1mOw3qKcLSf/l8608OnJVZYtJDdSBgldpeugvC72bar0DvC
0E9YFCkQLylwuuk4ISuexe+ieT0cXAbM3m7jJ2iYWXAc8WZZSuIUXEPKccQlu6ElHIwTQuUpIuUg
Kp6dkZY8EnYqdGM2Jn9DSh6kUFr4ePIxi6LZUdFfzjVS6w2iTObtpE4FSUe000wciTADR0VvmLb8
qrAp+uhOm/Oi6X0QHND7p2OpRCs+MqUdT5GT5oR58pKG+cMGEZchJ3B45vmp2fDD7tVz/lFuZjcm
9JM8a/xRkMy+luwqFb3y20bY8pAMi1Ov7Fut6LokemaL28r4d0bPAeBfmj9i12tRygZpN5SZy/kZ
+PfbbTrDBfBxWA0kMdhsvChinxZAGzGCA+IwggPeAgEBMGIwTjELMAkGA1UEBhMCUEwxITAfBgNV
BAoMGEFzc2VjbyBEYXRhIFN5c3RlbXMgUy5BLjEcMBoGA1UEAwwTQ2VydHVtIFNNSU1FIFJTQSBD
QQIQJVING2vwWlXafPGVYRUWyDANBglghkgBZQMEAgEFAKCCAVEwGAYJKoZIhvcNAQkDMQsGCSqG
SIb3DQEHATAcBgkqhkiG9w0BCQUxDxcNMjUxMjEwMDQ0MTI3WjAvBgkqhkiG9w0BCQQxIgQgOfU6
Aj2WQrEYWay+/Mia3m+Ye6g85WARLkjcqannRBEwcQYJKwYBBAGCNxAEMWQwYjBOMQswCQYDVQQG
EwJQTDEhMB8GA1UECgwYQXNzZWNvIERhdGEgU3lzdGVtcyBTLkEuMRwwGgYDVQQDDBNDZXJ0dW0g
U01JTUUgUlNBIENBAhAlUg0ba/BaVdp88ZVhFRbIMHMGCyqGSIb3DQEJEAILMWSgYjBOMQswCQYD
VQQGEwJQTDEhMB8GA1UECgwYQXNzZWNvIERhdGEgU3lzdGVtcyBTLkEuMRwwGgYDVQQDDBNDZXJ0
dW0gU01JTUUgUlNBIENBAhAlUg0ba/BaVdp88ZVhFRbIMA0GCSqGSIb3DQEBAQUABIICAJPyUlHS
ILFHoOWtYWKW5T3erACzPvcV2yl4Mmj5mZHBPZxXsTUs+kx5BeCNQ5uJD2Go1sWfyTcvp10Da5WP
LN0oEu+GXZnfIW9NfpV8TK3qbCmM3tP9UvJq7U+56Kwbho+f82vY503QXMV7QymlF2TwkKd+zdQV
3OvCdiaC3YN3p6LXhWi1iv0TXN7uJnVm9cLg1VGTamxv95T4VX/egdO1AWeRM9s8kUjnytbStZgx
4mq3laIOUKINnXV+c1KFBBpScfWNId3ilESf7Dw5+z7i9sbgXeFqdz1s2ap/y7Cflb08Q6eiFCWQ
H4PtJYqALd8mevFouVhJKTWK75h5phLFEk8lydZEV7U5A7hH8+Sde6ktXZw5LLiNujp/Bpp3iYQE
hNvdz06bpOp+w1uza8XGQSTrMxTQRODm/vD6U+jnyg6WUPtFC4/t/MzvcwCsmeQteLgKfZ5A9UTp
mf8U3mexhQMzeeiGD3DTxRZQtP/yAAjGMbKtyq2voKMaVNqsNQgsr/mruJxEi2nirJZbHsQSBkdj
vfh269VCteDEXZvsgRpVxH7ECuPOwAZxSrcKofOI/v7oy05gaV10VxCptaFPvfWrJcSGJwplGfpe
YjHcuZdCKBeBJS0BEnzyxDF6HhGlQTa5ubgvVMSoCi5vJB5NUcLftl7lOtzOobyMtlyLAAAAAAAA



--=-gFu1ThpIej7h595+8IS/--


--=-YYLntEAKHHvjLP9mEfhS--

--=-/rNoasVydNwaFb5HhUiT
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: This is a digitally signed message part

-----BEGIN PGP SIGNATURE-----

iPsEABYKAKMWIQSiPzylvTnZ6xisfzWz9N0oYfTNugUCaUb5PHIYaHR0cHM6Ly9q
b2huc2NvdHQubWUvLndlbGwta25vd24vbmkvc2hhLTI1Ni9zWUF3OTN6QUVrRkIy
RDREM1hOemRSeHEyMFBjNnByZGdtbEVWeXo0QUZRP2N0PWFwcGxpY2F0aW9uJTJG
cGdwLWtleXMSHGpzY290dEBwb3N0ZW8ubmV0AAoJELP03Shh9M26QXkA/0pqYJ/l
TVqKgpTc/6/O/Wo9xRA/4JUIT/ZwZOCaRUUPAP9zLhPersJfPG812wcB5vs9xErb
dt8X8cReI/gMXb5NDw==
=TGh4
-----END PGP SIGNATURE-----

--=-/rNoasVydNwaFb5HhUiT--
]