ID

VAR-200502-0104


CVE

CVE-2005-0175


TITLE

Multiple devices process HTTP requests inconsistently

Trust: 0.8

sources: CERT/CC: VU#768702

DESCRIPTION

Squid 2.5 up to 2.5.STABLE7 allows remote attackers to poison the cache via an HTTP response splitting attack.

Multiple interconnected devices process valid HTTP request headers inconsistently and in this manner may allow a remote attacker to poison a cache, conduct cross-site scripting attacks, and hijack user sessions. Some HTTP handling devices are vulnerable to a flaw which may allow a specially crafted request to elicit multiple responses, some of which may be controlled by the attacker. These attacks may result in cache poisoning, information leakage, cross-site scripting, and other outcomes.

Multiple HTTP servers contain (1) a vulnerability in which headers in server responses can be split because line feed codes (CR/LF) in HTTP requests are handled improperly, and (2) a vulnerability in which, under certain conditions, the second half of the split header included in the first request is recognized as the response to the second request. An arbitrary script may be executed on the user's browser.

This issue results from insufficient sanitization of user-supplied data. Squid versions 2.5 and earlier are reported prone to this issue.

A paper (Divide and Conquer - HTTP Response Splitting, Web Cache Poisoning Attacks, and Related Topics) was released to describe various attacks that target web users through web application, browser, web/application server and proxy implementations. Exploitation would occur by injecting variations of CR/LF sequences into parts of HTTP response headers that the attacker may control or influence. The general consequences of exploitation are that an attacker may misrepresent web content to the client, potentially enticing the user to trust the content and take actions based on this false trust.
While the various implementations listed in the paper contribute to these attacks, this issue will most likely be exposed through web applications that do not properly account for CR/LF sequences when accepting user-supplied input that may be returned in server responses. This vulnerability could also aid in exploitation of cross-site scripting vulnerabilities.

This issue is due to a failure of the affected proxy to handle CR/LF characters in HTTP requests. This may facilitate man-in-the-middle attacks as well as others.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
Debian Security Advisory DSA 667-1                     security@debian.org
http://www.debian.org/security/                             Martin Schulze
February 4th, 2005                      http://www.debian.org/security/faq
- --------------------------------------------------------------------------

Package        : squid
Vulnerability  : several
Problem-Type   : remote
Debian-specific: no
CVE IDs        : CAN-2005-0173 CAN-2005-0175 CAN-2005-0194 CAN-2005-0211

Several vulnerabilities have been discovered in Squid, the internet object cache, the popular WWW proxy cache. The Common Vulnerabilities and Exposures project identifies the following vulnerabilities:

CAN-2005-0173

    LDAP is very forgiving about spaces in search filters and this could be abused to log in using several variants of the login name, possibly bypassing explicit access controls or confusing accounting.

CAN-2005-0211

    The length argument of the WCCP recvfrom() call is larger than it should be. An attacker may send a larger than normal WCCP packet that could overflow a buffer.

For the stable distribution (woody) these problems have been fixed in version 2.4.6-2woody6.

For the unstable distribution (sid) these problems have been fixed in version 2.5.7-7.

We recommend that you upgrade your squid package.

Upgrade Instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

Debian GNU/Linux 3.0 alias woody
- --------------------------------

  These files will probably be moved into the stable distribution on its next update.

- ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (GNU/Linux)

iD8DBQFCA6RvW5ql+IAeqTIRArERAJ9RzG0Oko2BOd4TdCmy066szqDWygCfdWjV
R0Sv6Ly/9lV7nT/fQbPRyv8=
=LwDu
-----END PGP SIGNATURE-----

---------------------------------------------------------------------
               Fedora Legacy Update Advisory

Synopsis:          Updated squid package fixes security issues
Advisory ID:       FLSA:152809
Issue date:        2006-02-18
Product:           Red Hat Linux, Fedora Core
Keywords:          Bugfix
CVE Names:         CVE-2004-0541 CVE-2004-0832 CVE-2004-0918
                   CVE-2005-0094 CVE-2005-0095 CVE-2005-0096
                   CVE-2005-0097 CVE-2005-0173 CVE-2005-0174
                   CVE-2005-0175 CVE-2005-0194 CVE-2005-0211
                   CVE-2005-0241 CVE-2005-0446 CVE-2005-0626
                   CVE-2005-0718 CVE-2005-1345 CVE-1999-0710
                   CVE-2005-1519 CVE-2004-2479 CVE-2005-2794
                   CVE-2005-2796 CVE-2005-2917
---------------------------------------------------------------------

1. Topic:

An updated Squid package that fixes several security issues is now available.

2. Relevant releases/architectures:

Red Hat Linux 7.3 - i386
Red Hat Linux 9 - i386
Fedora Core 1 - i386
Fedora Core 2 - i386

3. Problem description:

A buffer overflow was found within the NTLM authentication helper routine. If Squid is configured to use the NTLM authentication helper, a remote attacker could potentially execute arbitrary code by sending a lengthy password. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2004-0541 to this issue.

An out of bounds memory read bug was found within the NTLM authentication helper routine.
If Squid is configured to use the NTLM authentication helper, a remote attacker could send a carefully crafted NTLM authentication packet and cause Squid to crash. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2004-0832 to this issue.

iDEFENSE reported a flaw in the squid SNMP module. This flaw could allow an attacker who has the ability to send arbitrary packets to the SNMP port to restart the server, causing it to drop all open connections. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2004-0918 to this issue.

A buffer overflow flaw was found in the Gopher relay parser. Although Gopher servers are now quite rare, a malicious web page (for example) could redirect or contain a frame pointing to an attacker's malicious gopher server. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2005-0094 to this issue.

An integer overflow flaw was found in the WCCP message parser. It is possible to crash the Squid server if an attacker is able to send a malformed WCCP message with a spoofed source address matching Squid's "home router". The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2005-0095 to this issue.

A memory leak was found in the NTLM fakeauth_auth helper. It is possible that an attacker could place the Squid server under high load, causing the NTLM fakeauth_auth helper to consume a large amount of memory, resulting in a denial of service. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2005-0096 to this issue.

A NULL pointer de-reference bug was found in the NTLM fakeauth_auth helper. It is possible for an attacker to send a malformed NTLM type 3 message, causing the Squid server to crash. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2005-0097 to this issue.

A username validation bug was found in squid_ldap_auth. It is possible for a username to be padded with spaces, which could allow a user to bypass explicit access control rules or confuse accounting. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2005-0173 to this issue.

The way Squid handles HTTP responses was found to need strengthening. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2005-0174 and CVE-2005-0175 to these issues.

When processing the configuration file, Squid parses empty Access Control Lists (ACLs) and proxy_auth ACLs without defined auth schemes in a way that effectively removes arguments, which could allow remote attackers to bypass intended ACLs. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2005-0194 to this issue.

A buffer overflow bug was found in the WCCP message parser. It is possible that an attacker could send a malformed WCCP message which could crash the Squid server or execute arbitrary code. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2005-0211 to this issue.

A bug was found in the way Squid handled oversized HTTP response headers. It is possible that a malicious web server could send a specially crafted HTTP header which could cause the Squid cache to be poisoned, presenting users with incorrect webpages. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2005-0241 to this issue.

A bug was found in the way Squid handles FQDN lookups. It was possible to crash the Squid server by sending a carefully crafted DNS response to an FQDN lookup. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2005-0446 to this issue.

A race condition bug was found in the way Squid handles the now obsolete Set-Cookie header. It is possible that Squid can leak Set-Cookie header information to other clients connecting to Squid. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2005-0626 to this issue.

A bug was found in the way Squid handles PUT and POST requests. It is possible for an authorised remote user to cause a failed PUT or POST request which can cause Squid to crash. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2005-0718 to this issue.

A bug was found in the way Squid processes errors in the access control list. It is possible that an error in the access control list could give users more access than intended. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2005-1345 to this issue.

A bug was found in the way Squid handles access to the cachemgr.cgi script. It is possible for an authorised remote user to bypass access control lists with this flaw. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-1999-0710 to this issue.

A bug was found in the way Squid handles DNS replies. If the port Squid uses for DNS requests is not protected by a firewall it is possible for a remote attacker to spoof DNS replies, possibly redirecting a user to spoofed or malicious content. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2005-1519 to this issue.

A bug was found in the way Squid displays error messages. A remote attacker could submit a request containing an invalid hostname which would result in Squid displaying a previously used error message. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2004-2479 to this issue.

Two denial of service bugs were found in the way Squid handles malformed requests. A remote attacker could submit a specially crafted request to Squid that would cause the server to crash.
The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2005-2794 and CVE-2005-2796 to these issues.

A bug was found in the way Squid handles certain request sequences while performing NTLM authentication. It is possible for an attacker to cause Squid to crash. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2005-2917 to this issue.

Users of Squid should upgrade to this updated package, which contains backported patches, and is not vulnerable to these issues.

4. Solution:

Before applying this update, make sure all previously released errata relevant to your system have been applied.

To update all RPMs for your particular architecture, run:

rpm -Fvh [filenames]

where [filenames] is a list of the RPMs you wish to upgrade. Only those RPMs which are currently installed will be updated. Those RPMs which are not installed but included in the list will not be updated. Note that you can also use wildcards (*.rpm) if your current directory *only* contains the desired RPMs.

Please note that this update is also available via yum and apt. Many people find this an easier way to apply updates. To use yum issue:

yum update

or to use apt:

apt-get update; apt-get upgrade

This will start an interactive process that will result in the appropriate RPMs being upgraded on your system. This assumes that you have yum or apt-get configured for obtaining Fedora Legacy content. Please visit http://www.fedoralegacy.org/docs for directions on how to configure yum and apt-get.

5. Bug IDs fixed:

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=152809

6. RPMs required:

Red Hat Linux 7.3:
SRPM:
http://download.fedoralegacy.org/redhat/7.3/updates/SRPMS/squid-2.4.STABLE7-0.73.3.legacy.src.rpm
i386:
http://download.fedoralegacy.org/redhat/7.3/updates/i386/squid-2.4.STABLE7-0.73.3.legacy.i386.rpm

Red Hat Linux 9:
SRPM:
http://download.fedoralegacy.org/redhat/9/updates/SRPMS/squid-2.5.STABLE1-9.10.legacy.src.rpm
i386:
http://download.fedoralegacy.org/redhat/9/updates/i386/squid-2.5.STABLE1-9.10.legacy.i386.rpm

Fedora Core 1:
SRPM:
http://download.fedoralegacy.org/fedora/1/updates/SRPMS/squid-2.5.STABLE3-2.fc1.6.legacy.src.rpm
i386:
http://download.fedoralegacy.org/fedora/1/updates/i386/squid-2.5.STABLE3-2.fc1.6.legacy.i386.rpm

Fedora Core 2:
SRPM:
http://download.fedoralegacy.org/fedora/2/updates/SRPMS/squid-2.5.STABLE9-1.FC2.4.legacy.src.rpm
i386:
http://download.fedoralegacy.org/fedora/2/updates/i386/squid-2.5.STABLE9-1.FC2.4.legacy.i386.rpm

7. Verification:

These packages are GPG signed by Fedora Legacy for security. Our key is available from http://www.fedoralegacy.org/about/security.php

You can verify each package with the following command:

rpm --checksig -v <filename>

If you only wish to verify that each package has not been corrupted or tampered with, examine only the sha1sum with the following command:

sha1sum <filename>

8. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0541
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0832
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0918
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0094
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0095
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0096
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0097
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0173
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0174
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0175
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0194
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0211
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0241
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0446
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0626
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0718
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1345
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0710
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1519
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-2479
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2794
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2796
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2917

9. Contact:

The Fedora Legacy security contact is <secnotice@fedoralegacy.org>. More project details at http://www.fedoralegacy.org

---------------------------------------------------------------------

Trust: 4.05

sources: NVD: CVE-2005-0175 // CERT/CC: VU#768702 // CERT/CC: VU#625878 // JVNDB: JVNDB-2004-000066 // BID: 12433 // BID: 9804 // BID: 13435 // PACKETSTORM: 36038 // PACKETSTORM: 44000

AFFECTED PRODUCTS

vendor: squid // model: - // scope: - // version: - // Trust: 1.6
vendor: squid // model: squid // scope: eq // version: 2.5_stable3 // Trust: 1.6
vendor: squid // model: squid // scope: eq // version: 2.5_.stable3 // Trust: 1.6
vendor: squid // model: squid // scope: eq // version: 2.5_.stable6 // Trust: 1.6
vendor: squid // model: squid // scope: eq // version: 2.5_.stable4 // Trust: 1.6
vendor: squid // model: squid // scope: eq // version: 2.5_.stable1 // Trust: 1.6
vendor: squid // model: squid // scope: eq // version: 2.5.stable7 // Trust: 1.6
vendor: squid // model: squid // scope: eq // version: 2.5_.stable5 // Trust: 1.6
vendor: squid // model: squid // scope: eq // version: 2.5_stable9 // Trust: 1.6
vendor: squid // model: squid // scope: eq // version: 2.5_stable4 // Trust: 1.6
vendor: squid // model: squid // scope: eq // version: 2.5.stable6 // Trust: 1.6
vendor: squid // model: squid // scope: eq // version: 2.5.stable4 // Trust: 1.0
vendor: squid // model: squid // scope: eq // version: 2.5.stable2 // Trust: 1.0
vendor: squid // model: squid // scope: eq // version: 2.5.stable5 // Trust: 1.0
vendor: squid // model: squid // scope: eq // version: 2.5.6 // Trust: 1.0
vendor: squid // model: squid // scope: eq // version: 2.5.stable1 // Trust: 1.0
vendor: squid // model: squid // scope: eq // version: 2.5.stable3 // Trust: 1.0
vendor: squid // model: web proxy cache .stable7 // scope: eq // version: 2.5 // Trust: 0.9
vendor: squid // model: web proxy cache .stable6 // scope: eq // version: 2.5 // Trust: 0.9
vendor: squid // model: web proxy cache .stable5 // scope: eq // version: 2.5 // Trust: 0.9
vendor: squid // model: web proxy cache .stable4 // scope: eq // version: 2.5 // Trust: 0.9
vendor: squid // model: web proxy cache .stable3 // scope: eq // version: 2.5 // Trust: 0.9
vendor: squid // model: web proxy cache .stable1 // scope: eq // version: 2.5 // Trust: 0.9
vendor: squid // model: web proxy cache .stable7 // scope: eq // version: 2.4 // Trust: 0.9
vendor: squid // model: web proxy cache .stable6 // scope: eq // version: 2.4 // Trust: 0.9
vendor: squid // model: web proxy cache .stable2 // scope: eq // version: 2.4 // Trust: 0.9
vendor: squid // model: web proxy cache // scope: eq // version: 2.4 // Trust: 0.9
vendor: squid // model: web proxy cache .stable5 // scope: eq // version: 2.3 // Trust: 0.9
vendor: squid // model: web proxy cache .stable4 // scope: eq // version: 2.3 // Trust: 0.9
vendor: ibm // model: - // scope: - // version: - // Trust: 0.8
vendor: microsoft // model: - // scope: - // version: - // Trust: 0.8
vendor: apache // model: http server // scope: lte // version: 2.0.48 // Trust: 0.8
vendor: bea // model: weblogic server // scope: lte // version: 8.1 sp2 // Trust: 0.8
vendor: ibm // model: websphere application server // scope: eq // version: 4.0.7 // Trust: 0.8
vendor: ibm // model: websphere application server // scope: lte // version: 5.0.2.6 // Trust: 0.8
vendor: ibm // model: websphere application server // scope: lte // version: 5.1.1 // Trust: 0.8
vendor: squid cache // model: squid // scope: lte // version: 2.5 stable7 // Trust: 0.8
vendor: cybertrust // model: asianux server // scope: eq // version: 2.0 // Trust: 0.8
vendor: cybertrust // model: asianux server // scope: eq // version: 2.1 // Trust: 0.8
vendor: cybertrust // model: asianux server // scope: eq // version: 3.0 // Trust: 0.8
vendor: turbo linux // model: turbolinux server // scope: eq // version: 10 // Trust: 0.8
vendor: turbo linux // model: turbolinux server // scope: eq // version: 7 // Trust: 0.8
vendor: turbo linux // model: turbolinux server // scope: eq // version: 8 // Trust: 0.8
vendor: microsoft // model: iis // scope: eq // version: 5.0 // Trust: 0.8
vendor: microsoft // model: iis // scope: eq // version: 6.0 // Trust: 0.8
vendor: microsoft // model: internet explorer // scope: eq // version: 6 // Trust: 0.8
vendor: microsoft // model: internet security and acceleration server // scope: eq // version: 2000 // Trust: 0.8
vendor: microsoft // model: windows server 2003 // scope: - // version: - // Trust: 0.8
vendor: red hat // model: enterprise linux // scope: eq // version: 2.1 (as) // Trust: 0.8
vendor: red hat // model: enterprise linux // scope: eq // version: 2.1 (es) // Trust: 0.8
vendor: red hat // model: enterprise linux // scope: eq // version: 3 (as) // Trust: 0.8
vendor: red hat // model: enterprise linux // scope: eq // version: 3 (es) // Trust: 0.8
vendor: red hat // model: enterprise linux // scope: eq // version: 3 (ws) // Trust: 0.8
vendor: red hat // model: enterprise linux // scope: eq // version: 4 (as) // Trust: 0.8
vendor: red hat // model: enterprise linux // scope: eq // version: 4 (es) // Trust: 0.8
vendor: red hat // model: enterprise linux // scope: eq // version: 4 (ws) // Trust: 0.8
vendor: red hat // model: linux // scope: eq // version: 9 // Trust: 0.8
vendor: squid // model: web proxy cache patch2 // scope: eq // version: 2.1 // Trust: 0.6
vendor: squid // model: web proxy cache patch2 // scope: eq // version: 2.0 // Trust: 0.6
vendor: suse // model: linux // scope: eq // version: 8.1 // Trust: 0.3
vendor: sgi // model: propack // scope: eq // version: 3.0 // Trust: 0.3
vendor: s u s e // model: linux personal // scope: eq // version: 9.2 // Trust: 0.3
vendor: s u s e // model: linux personal // scope: eq // version: 9.1 // Trust: 0.3
vendor: s u s e // model: linux personal x86 64 // scope: eq // version: 9.0 // Trust: 0.3
vendor: s u s e // model: linux personal // scope: eq // version: 9.0 // Trust: 0.3
vendor: s u s e // model: linux personal // scope: eq // version: 8.2 // Trust: 0.3
vendor: redhat // model: linux i386 // scope: eq // version: 9.0 // Trust: 0.3
vendor: redhat // model: linux i386 // scope: eq // version: 7.3 // Trust: 0.3
vendor: redhat // model: fedora core2 // scope: - // version: - // Trust: 0.3
vendor: redhat // model: fedora core1 // scope: - // version: - // Trust: 0.3
vendor: astaro // model: security linux // scope: eq // version: 4.017 // Trust: 0.3
vendor: astaro // model: security linux // scope: eq // version: 4.016 // Trust: 0.3
vendor: astaro // model: security linux // scope: eq // version: 4.008 // Trust: 0.3
vendor: astaro // model: security linux // scope: eq // version: 3.217 // Trust: 0.3
vendor: astaro // model: security linux // scope: eq // version: 3.216 // Trust: 0.3
vendor: astaro // model: security linux // scope: eq // version: 3.215 // Trust: 0.3
vendor: astaro // model: security linux // scope: eq // version: 3.212 // Trust: 0.3
vendor: astaro // model: security linux // scope: eq // version: 3.211 // Trust: 0.3
vendor: astaro // model: security linux // scope: eq // version: 3.210 // Trust: 0.3
vendor: astaro // model: security linux // scope: eq // version: 3.200 // Trust: 0.3
vendor: astaro // model: security linux // scope: eq // version: 2.030 // Trust: 0.3
vendor: astaro // model: security linux // scope: eq // version: 2.027 // Trust: 0.3
vendor: astaro // model: security linux // scope: eq // version: 2.026 // Trust: 0.3
vendor: astaro // model: security linux // scope: eq // version: 2.025 // Trust: 0.3
vendor: astaro // model: security linux // scope: eq // version: 2.024 // Trust: 0.3
vendor: astaro // model: security linux // scope: eq // version: 2.023 // Trust: 0.3
vendor: astaro // model: security linux // scope: eq // version: 2.016 // Trust: 0.3
vendor: sun // model: java system web server // scope: eq // version: 6.1 // Trust: 0.3
vendor: netapp // model: netcache // scope: eq // version: 5.2 // Trust: 0.3
vendor: national // model: science foundation squid web proxy stable7 // scope: eq // version: 2.4 // Trust: 0.3
vendor: national // model: science foundation squid web proxy stable6 // scope: eq // version: 2.4 // Trust: 0.3
vendor: national // model: science foundation squid web proxy stable4 // scope: eq // version: 2.4 // Trust: 0.3
vendor: national // model: science foundation squid web proxy stable3 // scope: eq // version: 2.4 // Trust: 0.3
vendor: national // model: science foundation squid web proxy stable2-3 // scope: eq // version: 2.4 // Trust: 0.3
vendor: national // model: science foundation squid web proxy stable2-2 // scope: eq // version: 2.4 // Trust: 0.3
vendor: national // model: science foundation squid web proxy stable2 // scope: eq // version: 2.4 // Trust: 0.3
vendor: national // model: science foundation squid web proxy stable1 // scope: eq // version: 2.4 // Trust: 0.3
vendor: national // model: science foundation squid web proxy pre-stable2 // scope: eq // version: 2.4 // Trust: 0.3
vendor: national // model: science foundation squid web proxy pre-stable // scope: eq // version: 2.4 // Trust: 0.3
vendor: national // model: science foundation squid web proxy devel4 // scope: eq // version: 2.4 // Trust: 0.3
vendor: national // model: science foundation squid web proxy devel2 // scope: eq // version: 2.4 // Trust: 0.3
vendor: national // model: science foundation squid web proxy // scope: eq // version: 2.4 // Trust: 0.3
vendor: microsoft // model: isa server sp1 // scope: eq // version: 2000 // Trust: 0.3
vendor: microsoft // model: isa server // scope: eq // version: 2000 // Trust: 0.3
vendor: microsoft // model: internet explorer sp1 // scope: eq // version: 6.0 // Trust: 0.3
vendor: microsoft // model: internet explorer // scope: eq // version: 6.0 // Trust: 0.3
vendor: microsoft // model: asp.net // scope: eq // version: 1.1 // Trust: 0.3
vendor: microsoft // model: asp.net // scope: eq // version: 1.0 // Trust: 0.3
vendor: microsoft // model: asp // scope: eq // version: 3.0 // Trust: 0.3
vendor: macromedia // model: coldfusion server mx // scope: eq // version: 6.1 // Trust: 0.3
vendor: macromedia // model: coldfusion server mx // scope: eq // version: 6.0 // Trust: 0.3
vendor: ibm // model: websphere application server // scope: eq // version: 5.1.1 // Trust: 0.3
vendor: ibm // model: websphere application server // scope: eq // version: 5.1.0.5 // Trust: 0.3
vendor: ibm // model: websphere application server // scope: eq // version: 5.1.0.4 // Trust: 0.3
vendor: ibm // model: websphere application server // scope: eq // version: 5.1.0.3 // Trust: 0.3
vendor: ibm // model: websphere application server // scope: eq // version: 5.1.0.2 // Trust: 0.3
vendor: ibm // model: websphere application server // scope: eq // version: 5.0.2.6 // Trust: 0.3
vendor: ibm // model: websphere application server // scope: eq // version: 5.0.2.5 // Trust: 0.3
vendor: ibm // model: websphere application server // scope: eq // version: 5.0.2.4 // Trust: 0.3
vendor: ibm // model: websphere application server // scope: eq // version: 5.0.2.3 // Trust: 0.3
vendor: bea // model: systems weblogic server for win32 sp // scope: eq // version: 8.11 // Trust: 0.3
vendor: bea // model: systems weblogic server for win32 // scope: eq // version: 8.1 // Trust: 0.3
vendor: bea // model: systems weblogic server sp // scope: eq // version: 8.11 // Trust: 0.3
vendor: bea // model: systems weblogic server // scope: eq // version: 8.1 // Trust: 0.3
vendor: apache // model: tomcat // scope: eq // version: 4.1.24 // Trust: 0.3
vendor: apache // model: apache // scope: eq // version: 2.0.48 // Trust: 0.3
vendor: apache // model: apache // scope: eq // version: 2.0.47 // Trust: 0.3
vendor: apache // model: apache // scope: eq // version: 2.0.46 // Trust: 0.3
vendor: apache // model: apache // scope: eq // version: 2.0.45 // Trust: 0.3
vendor: apache // model: apache // scope: eq // version: 2.0.44 // Trust: 0.3
vendor: apache // model: apache // scope: eq // version: 2.0.43 // Trust: 0.3
vendor: apache // model: apache // scope: eq // version: 2.0.42 // Trust: 0.3
vendor: apache // model: apache // scope: eq // version: 2.0.41 // Trust: 0.3
vendor: apache // model: apache // scope: eq // version: 2.0.40 // Trust: 0.3
vendor: apache // model: apache // scope: eq // version: 2.0.39 // Trust: 0.3
vendor: apache // model: apache // scope: eq // version: 2.0.38 // Trust: 0.3
vendor: apache // model: apache // scope: eq // version: 2.0.37 // Trust: 0.3
vendor: apache // model: apache // scope: eq // version: 2.0.36 // Trust: 0.3
vendor: apache // model: apache // scope: eq // version: 2.0.35 // Trust: 0.3
vendor: apache // model: apache // scope: eq // version: 2.0.32 // Trust: 0.3
vendor: apache // model: apache // scope: eq // version: 2.0.28 // Trust: 0.3
vendor: apache // model: apache // scope: eq // version: 2.0 // Trust: 0.3
vendor: squid // model: web proxy cache .stable9 // scope: ne // version: 2.5 // Trust: 0.3
vendor: squid // model: web proxy cache .stable8 // scope: ne // version: 2.5 // Trust: 0.3

sources: CERT/CC: VU#768702 // CERT/CC: VU#625878 // BID: 12433 // BID: 9804 // BID: 13435 // JVNDB: JVNDB-2004-000066 // CNNVD: CNNVD-200502-008 // NVD: CVE-2005-0175

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2005-0175
value: MEDIUM

Trust: 1.0

CARNEGIE MELLON: VU#768702
value: 10.08

Trust: 0.8

CARNEGIE MELLON: VU#625878
value: 7.50

Trust: 0.8

NVD: CVE-2005-0175
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-200502-008
value: MEDIUM

Trust: 0.6

nvd@nist.gov: CVE-2005-0175
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

sources: CERT/CC: VU#768702 // CERT/CC: VU#625878 // JVNDB: JVNDB-2004-000066 // CNNVD: CNNVD-200502-008 // NVD: CVE-2005-0175

PROBLEMTYPE DATA

problemtype:NVD-CWE-Other

Trust: 1.0

sources: NVD: CVE-2005-0175

THREAT TYPE

network

Trust: 0.9

sources: BID: 12433 // BID: 9804 // BID: 13435

TYPE

Input Validation Error

Trust: 0.9

sources: BID: 12433 // BID: 9804 // BID: 13435

CONFIGURATIONS

sources: JVNDB: JVNDB-2004-000066

PATCH

title: APAR PQ91361, url: http://www-1.ibm.com/support/docview.wss?uid=swg24007466

Trust: 0.8

title: APAR PQ90505, url: http://www-1.ibm.com/support/docview.wss?uid=swg24007467

Trust: 0.8

title: si-040819a, url: https://www-6.ibm.com/jp/services/security/secinfo/si-040819a.html

Trust: 0.8

title: RHSA-2005:061, url: https://rhn.redhat.com/errata/RHSA-2005-061.html

Trust: 0.8

title: RHSA-2005:060, url: https://rhn.redhat.com/errata/RHSA-2005-060.html

Trust: 0.8

title: squid-2.5.STABLE7-response_splitting, url: http://www.squid-cache.org/Versions/v2/2.5/bugs/index.html#squid-2.5.STABLE7-response_splitting

Trust: 0.8

title: SQUID-2005_5, url: http://www.squid-cache.org/Advisories/SQUID-2005_5.txt

Trust: 0.8

title: TLSA-2005-24, url: http://www.turbolinux.com/security/2005/TLSA-2005-24.txt

Trust: 0.8

title: RHSA-2005:060, url: http://www.jp.redhat.com/support/errata/RHSA/RHSA-2005-060J.html

Trust: 0.8

title: RHSA-2005:061, url: http://www.jp.redhat.com/support/errata/RHSA/RHSA-2005-061J.html

Trust: 0.8

title: TLSA-2005-24, url: http://www.turbolinux.co.jp/security/2005/TLSA-2005-24j.txt

Trust: 0.8

sources: JVNDB: JVNDB-2004-000066

EXTERNAL IDS

db: CERT/CC, id: VU#625878

Trust: 3.2

db: NVD, id: CVE-2005-0175

Trust: 2.9

db: BID, id: 12433

Trust: 2.7

db: BID, id: 9804

Trust: 1.1

db: BID, id: 13435

Trust: 1.1

db: CERT/CC, id: VU#768702

Trust: 0.8

db: JVNDB, id: JVNDB-2004-000066

Trust: 0.8

db: SUSE, id: SUSE-SA:2005:006

Trust: 0.6

db: BUGTRAQ, id: 20050207 [USN-77-1] SQUID VULNERABILITIES

Trust: 0.6

db: FEDORA, id: FLSA-2006:152809

Trust: 0.6

db: FEDORA, id: FEDORA-2005-373

Trust: 0.6

db: MANDRAKE, id: MDKSA-2005:034

Trust: 0.6

db: CONECTIVA, id: CLA-2005:931

Trust: 0.6

db: DEBIAN, id: DSA-667

Trust: 0.6

db: REDHAT, id: RHSA-2005:061

Trust: 0.6

db: REDHAT, id: RHSA-2005:060

Trust: 0.6

db: CNNVD, id: CNNVD-200502-008

Trust: 0.6

db: PACKETSTORM, id: 36038

Trust: 0.1

db: PACKETSTORM, id: 44000

Trust: 0.1

sources: CERT/CC: VU#768702 // CERT/CC: VU#625878 // BID: 12433 // BID: 9804 // BID: 13435 // JVNDB: JVNDB-2004-000066 // PACKETSTORM: 36038 // PACKETSTORM: 44000 // CNNVD: CNNVD-200502-008 // NVD: CVE-2005-0175

REFERENCES

url:http://www.securityfocus.com/bid/12433

Trust: 2.4

url:http://www.kb.cert.org/vuls/id/625878

Trust: 2.4

url:http://www.squid-cache.org/versions/v2/2.5/bugs/#squid-2.5.stable7-response_splitting

Trust: 1.9

url:http://www.squid-cache.org/advisories/squid-2005_5.txt

Trust: 1.9

url:http://www.redhat.com/support/errata/rhsa-2005-061.html

Trust: 1.6

url:http://www.redhat.com/support/errata/rhsa-2005-060.html

Trust: 1.6

url:http://www.novell.com/linux/security/advisories/2005_06_squid.html

Trust: 1.6

url:http://www.debian.org/security/2005/dsa-667

Trust: 1.6

url:http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000931

Trust: 1.6

url:http://www.redhat.com/archives/fedora-announce-list/2005-may/msg00025.html

Trust: 1.6

url:http://www.mandriva.com/security/advisories?name=mdksa-2005:034

Trust: 1.6

url:http://fedoranews.org/updates/fedora--.shtml

Trust: 1.6

url:http://marc.info/?l=bugtraq&m=110780531820947&w=2

Trust: 1.0

url:https://oval.cisecurity.org/repository/search/definition/oval%3aorg.mitre.oval%3adef%3a11605

Trust: 1.0

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2005-0175

Trust: 0.9

url:https://www.watchfire.com/securearea/whitepapers.aspx?id=8

Trust: 0.8

url:http://www.watchfire.com/resources/http-request-smuggling.pdf

Trust: 0.8

url:http://www.squid-cache.org/advisories/squid-2005_4.txt

Trust: 0.8

url:http://www.microsoft.com/technet/security/bulletin/ms05-034.mspx

Trust: 0.8

url:http://docs.info.apple.com/article.html?artnum=306172

Trust: 0.8

url:http://jvn.jp/cert/jvnvu%23625878

Trust: 0.8

url:http://nvd.nist.gov/nvd.cfm?cvename=cve-2005-0175

Trust: 0.8

url:http://www.securityfocus.com/bid/13435

Trust: 0.8

url:http://www.securityfocus.com/bid/9804

Trust: 0.8

url:http://www.squid-cache.org/

Trust: 0.6

url:http://marc.theaimsgroup.com/?l=bugtraq&m=110780531820947&w=2

Trust: 0.6

url:http://www.squid-cache.org/versions/v2/2.5/bugs/#squid-2.5.stable7-header_parsing

Trust: 0.3

url:http://rhn.redhat.com/errata/rhsa-2005-061.html

Trust: 0.3

url:http://www.astaro.org/showflat.php?cat=&number=56136&page=0&view=collapsed&sb=5&o=&fpart=1#56136

Trust: 0.3

url:http://www.sanctuminc.com/pdf/whitepaper_httpresponse.pdf

Trust: 0.3

url:http://security.debian.org/pool/updates/main/s/squid/squid_2.4.6-2woody6_i386.deb

Trust: 0.1

url:http://security.debian.org/pool/updates/main/s/squid/squidclient_2.4.6-2woody6_powerpc.deb

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2005-0173

Trust: 0.1

url:http://security.debian.org/pool/updates/main/s/squid/squid-cgi_2.4.6-2woody6_powerpc.deb

Trust: 0.1

url:http://security.debian.org/pool/updates/main/s/squid/squid-cgi_2.4.6-2woody6_mipsel.deb

Trust: 0.1

url:http://www.debian.org/security/faq

Trust: 0.1

url:http://security.debian.org/pool/updates/main/s/squid/squidclient_2.4.6-2woody6_hppa.deb

Trust: 0.1

url:http://security.debian.org/pool/updates/main/s/squid/squidclient_2.4.6-2woody6_sparc.deb

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2005-0211

Trust: 0.1

url:http://security.debian.org/pool/updates/main/s/squid/squid-cgi_2.4.6-2woody6_ia64.deb

Trust: 0.1

url:http://security.debian.org/pool/updates/main/s/squid/squid-cgi_2.4.6-2woody6_i386.deb

Trust: 0.1

url:http://security.debian.org/pool/updates/main/s/squid/squidclient_2.4.6-2woody6_mips.deb

Trust: 0.1

url:http://security.debian.org/pool/updates/main/s/squid/squid-cgi_2.4.6-2woody6_sparc.deb

Trust: 0.1

url:http://security.debian.org/pool/updates/main/s/squid/squidclient_2.4.6-2woody6_mipsel.deb

Trust: 0.1

url:http://security.debian.org/pool/updates/main/s/squid/squid-cgi_2.4.6-2woody6_s390.deb

Trust: 0.1

url:http://security.debian.org/pool/updates/main/s/squid/squidclient_2.4.6-2woody6_alpha.deb

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2005-0194

Trust: 0.1

url:http://security.debian.org/pool/updates/main/s/squid/squid_2.4.6-2woody6.dsc

Trust: 0.1

url:http://security.debian.org/pool/updates/main/s/squid/squid_2.4.6-2woody6_m68k.deb

Trust: 0.1

url:http://security.debian.org/pool/updates/main/s/squid/squid_2.4.6-2woody6_arm.deb

Trust: 0.1

url:http://security.debian.org/pool/updates/main/s/squid/squid_2.4.6-2woody6.diff.gz

Trust: 0.1

url:http://security.debian.org/pool/updates/main/s/squid/squidclient_2.4.6-2woody6_ia64.deb

Trust: 0.1

url:http://security.debian.org/pool/updates/main/s/squid/squid-cgi_2.4.6-2woody6_alpha.deb

Trust: 0.1

url:http://security.debian.org/pool/updates/main/s/squid/squid_2.4.6-2woody6_mips.deb

Trust: 0.1

url:http://security.debian.org/pool/updates/main/s/squid/squidclient_2.4.6-2woody6_m68k.deb

Trust: 0.1

url:http://security.debian.org/pool/updates/main/s/squid/squid-cgi_2.4.6-2woody6_arm.deb

Trust: 0.1

url:http://security.debian.org/pool/updates/main/s/squid/squid-cgi_2.4.6-2woody6_hppa.deb

Trust: 0.1

url:http://security.debian.org/pool/updates/main/s/squid/squid_2.4.6-2woody6_powerpc.deb

Trust: 0.1

url:http://security.debian.org/pool/updates/main/s/squid/squidclient_2.4.6-2woody6_s390.deb

Trust: 0.1

url:http://packages.debian.org/<pkg>

Trust: 0.1

url:http://security.debian.org/pool/updates/main/s/squid/squidclient_2.4.6-2woody6_arm.deb

Trust: 0.1

url:http://security.debian.org/pool/updates/main/s/squid/squidclient_2.4.6-2woody6_i386.deb

Trust: 0.1

url:http://security.debian.org/pool/updates/main/s/squid/squid-cgi_2.4.6-2woody6_m68k.deb

Trust: 0.1

url:http://security.debian.org/pool/updates/main/s/squid/squid_2.4.6-2woody6_mipsel.deb

Trust: 0.1

url:http://security.debian.org/

Trust: 0.1

url:http://security.debian.org/pool/updates/main/s/squid/squid_2.4.6-2woody6_s390.deb

Trust: 0.1

url:http://www.debian.org/security/

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2005-0175

Trust: 0.1

url:http://security.debian.org/pool/updates/main/s/squid/squid_2.4.6.orig.tar.gz

Trust: 0.1

url:http://security.debian.org/pool/updates/main/s/squid/squid_2.4.6-2woody6_alpha.deb

Trust: 0.1

url:http://security.debian.org/pool/updates/main/s/squid/squid_2.4.6-2woody6_ia64.deb

Trust: 0.1

url:http://security.debian.org/pool/updates/main/s/squid/squid_2.4.6-2woody6_sparc.deb

Trust: 0.1

url:http://security.debian.org/pool/updates/main/s/squid/squid_2.4.6-2woody6_hppa.deb

Trust: 0.1

url:http://security.debian.org/pool/updates/main/s/squid/squid-cgi_2.4.6-2woody6_mips.deb

Trust: 0.1

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2004-0541

Trust: 0.1

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2005-0241

Trust: 0.1

url:http://download.fedoralegacy.org/redhat/9/updates/i386/squid-2.5.stable1-9.10.legacy.i386.rpm

Trust: 0.1

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2005-0096

Trust: 0.1

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2005-2917

Trust: 0.1

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2005-1345

Trust: 0.1

url:http://download.fedoralegacy.org/redhat/7.3/updates/srpms/squid-2.4.stable7-0.73.3.legacy.src.rpm

Trust: 0.1

url:http://download.fedoralegacy.org/redhat/7.3/updates/i386/squid-2.4.stable7-0.73.3.legacy.i386.rpm

Trust: 0.1

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2005-0718

Trust: 0.1

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2005-0626

Trust: 0.1

url:http://download.fedoralegacy.org/redhat/9/updates/srpms/squid-2.5.stable1-9.10.legacy.src.rpm

Trust: 0.1

url:https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=152809

Trust: 0.1

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-1999-0710

Trust: 0.1

url:http://download.fedoralegacy.org/fedora/1/updates/srpms/squid-2.5.stable3-2.fc1.6.legacy.src.rpm

Trust: 0.1

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2005-0211

Trust: 0.1

url:http://www.fedoralegacy.org/about/security.php

Trust: 0.1

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2005-0174

Trust: 0.1

url:http://download.fedoralegacy.org/fedora/2/updates/i386/squid-2.5.stable9-1.fc2.4.legacy.i386.rpm

Trust: 0.1

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2005-0094

Trust: 0.1

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2005-1519

Trust: 0.1

url:http://download.fedoralegacy.org/fedora/1/updates/i386/squid-2.5.stable3-2.fc1.6.legacy.i386.rpm

Trust: 0.1

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2005-0173

Trust: 0.1

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2005-0194

Trust: 0.1

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2005-2796

Trust: 0.1

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2005-0095

Trust: 0.1

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2004-2479

Trust: 0.1

url:http://www.fedoralegacy.org

Trust: 0.1

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2004-0918

Trust: 0.1

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2005-0097

Trust: 0.1

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2004-0832

Trust: 0.1

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2005-2794

Trust: 0.1

url:http://www.fedoralegacy.org/docs

Trust: 0.1

url:http://download.fedoralegacy.org/fedora/2/updates/srpms/squid-2.5.stable9-1.fc2.4.legacy.src.rpm

Trust: 0.1

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2005-0446

Trust: 0.1

sources: CERT/CC: VU#768702 // CERT/CC: VU#625878 // BID: 12433 // BID: 9804 // BID: 13435 // JVNDB: JVNDB-2004-000066 // PACKETSTORM: 36038 // PACKETSTORM: 44000 // CNNVD: CNNVD-200502-008 // NVD: CVE-2005-0175

CREDITS

The individual or individuals responsible for the discovery of this issue are currently unknown; the vendor disclosed this issue.

Trust: 0.3

sources: BID: 12433

SOURCES

db: CERT/CC, id: VU#768702
db: CERT/CC, id: VU#625878
db: BID, id: 12433
db: BID, id: 9804
db: BID, id: 13435
db: JVNDB, id: JVNDB-2004-000066
db: PACKETSTORM, id: 36038
db: PACKETSTORM, id: 44000
db: CNNVD, id: CNNVD-200502-008
db: NVD, id: CVE-2005-0175

LAST UPDATE DATE

2024-08-14T12:58:19.604000+00:00


SOURCES UPDATE DATE

db: CERT/CC, id: VU#768702, date: 2007-03-05T00:00:00
db: CERT/CC, id: VU#625878, date: 2007-08-08T00:00:00
db: BID, id: 12433, date: 2007-02-22T02:16:00
db: BID, id: 9804, date: 2004-03-04T00:00:00
db: BID, id: 13435, date: 2005-04-23T00:00:00
db: JVNDB, id: JVNDB-2004-000066, date: 2007-04-01T00:00:00
db: CNNVD, id: CNNVD-200502-008, date: 2005-10-20T00:00:00
db: NVD, id: CVE-2005-0175, date: 2017-10-11T01:29:52.530

SOURCES RELEASE DATE

db: CERT/CC, id: VU#768702, date: 2005-02-04T00:00:00
db: CERT/CC, id: VU#625878, date: 2005-02-04T00:00:00
db: BID, id: 12433, date: 2005-02-02T00:00:00
db: BID, id: 9804, date: 2004-03-04T00:00:00
db: BID, id: 13435, date: 2005-04-23T00:00:00
db: JVNDB, id: JVNDB-2004-000066, date: 2007-04-01T00:00:00
db: PACKETSTORM, id: 36038, date: 2005-02-06T05:17:53
db: PACKETSTORM, id: 44000, date: 2006-02-20T20:39:21
db: CNNVD, id: CNNVD-200502-008, date: 2005-02-07T00:00:00
db: NVD, id: CVE-2005-0175, date: 2005-02-07T05:00:00