Gentoo 2478 Published by

10 security update has been released for Gentoo Linux:

[ GLSA 201507-10 ] t1utils: Arbitrary code execution
[ GLSA 201507-11 ] Perl: Denial of Service
[ GLSA 201507-12 ] libCapsiNetwork: Denial of Service
[ GLSA 201507-13 ] Adobe Flash Player: Multiple vulnerabilities
[ GLSA 201507-14 ] Oracle JRE/JDK: Multiple vulnerabilities
[ GLSA 201507-15 ] OpenSSL: Alternate chains certificate forgery
[ GLSA 201507-16 ] Portage: Man-in-the-middle attack
[ GLSA 201507-17 ] SNMP: Denial of Service
[ GLSA 201507-18 ] Chromium: Multiple vulnerabilities
[ GLSA 201507-19 ] MySQL: Multiple vulnerabilities



[ GLSA 201507-10 ] t1utils: Arbitrary code execution

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201507-10
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: Normal
Title: t1utils: Arbitrary code execution
Date: July 10, 2015
Bugs: #548638
ID: 201507-10

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

A buffer overflow in t1utils could result in execution of arbitrary
code or Denial of Service.

Background
==========

t1utils is a collection of simple Type 1 font manipulation programs.

Affected packages
=================

-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 app-text/t1utils < 1.39 >= 1.39

Description
===========

t1utils has a buffer overflow in the set_cs_start function in
t1disasm.c.

Impact
======

A remote attacker could cause a denial of service and possibly execute
arbitrary code via a crafted font file.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All t1utils users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=app-text/t1utils-1.39"

References
==========

[ 1 ] CVE-2015-3905
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3905

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

https://security.gentoo.org/glsa/201507-10

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2015 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5




[ GLSA 201507-11 ] Perl: Denial of Service

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201507-11
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: Normal
Title: Perl: Denial of Service
Date: July 10, 2015
Bugs: #216671
ID: 201507-11

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

A vulnerability in Perl allows a remote attacker to cause Denial of
Service.

Background
==========

Perl is a highly capable, feature-rich programming language.

Affected packages
=================

-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 dev-lang/perl < 5.20.1-r4 >= 5.20.1-r4

Description
===========

S_regmatch() function lacks proper checks before passing arguments to
atoi()

Impact
======

A remote attacker could send a specially crafted input, possibly
resulting in a Denial of Service condition.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All Perl users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-lang/perl-5.20.1-r4"

References
==========

[ 1 ] CVE-2013-7422
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-7422

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

https://security.gentoo.org/glsa/201507-11

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2015 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5




[ GLSA 201507-12 ] libCapsiNetwork: Denial of Service

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201507-12
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: Normal
Title: libCapsiNetwork: Denial of Service
Date: July 10, 2015
Bugs: #544324
ID: 201507-12

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

A buffer overflow in libcapsinetwork might allow remote attackers to
cause a Denial of Service condition.

Background
==========

libCapsiNetwork is a C++ network library to allow fast development of
server daemon processes.

Affected packages
=================

-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 net-libs/libcapsinetwork-0.3.0-r2
= 1.8.0.31
< 1.7.0.76 >= 1.7.0.76
2 dev-java/oracle-jdk-bin < 1.8.0.31 >= 1.8.0.31
< 1.7.0.76 >= 1.7.0.76
-------------------------------------------------------------------
2 affected packages

Description
===========

Multiple vulnerabilities have been discovered in Oracle JRE/JDK. Please
review the CVE identifiers referenced below for details.

Impact
======

An context-dependent attacker may be able to influence the
confidentiality, integrity, and availability of Java
applications/runtime.

Workaround
==========

There is no workaround at this time.

Resolution
==========

All Oracle JRE 8 users should upgrade to the latest stable version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-java/oracle-jre-bin-1.8.0.31

All Oracle JDK 8 users should upgrade to the latest stable version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-java/oracle-jdk-bin-1.8.0.31

All Oracle JRE 7 users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-java/oracle-jre-bin-1.7.0.76

All Oracle JDK 7 users should upgrade to the latest stable version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-java/oracle-jdk-bin-1.7.0.76

References
==========

[ 1 ] CVE-2014-3566
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-3566
[ 2 ] CVE-2014-6549
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-6549
[ 3 ] CVE-2014-6585
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-6585
[ 4 ] CVE-2014-6587
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-6587
[ 5 ] CVE-2014-6591
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-6591
[ 6 ] CVE-2014-6593
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-6593
[ 7 ] CVE-2014-6601
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-6601
[ 8 ] CVE-2015-0383
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0383
[ 9 ] CVE-2015-0395
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0395
[ 10 ] CVE-2015-0400
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0400
[ 11 ] CVE-2015-0403
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0403
[ 12 ] CVE-2015-0406
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0406
[ 13 ] CVE-2015-0407
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0407
[ 14 ] CVE-2015-0408
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0408
[ 15 ] CVE-2015-0410
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0410
[ 16 ] CVE-2015-0412
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0412
[ 17 ] CVE-2015-0413
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0413
[ 18 ] CVE-2015-0421
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0421

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

https://security.gentoo.org/glsa/201507-14

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2015 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5




[ GLSA 201507-15 ] OpenSSL: Alternate chains certificate forgery

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201507-15
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: Normal
Title: OpenSSL: Alternate chains certificate forgery
Date: July 10, 2015
Bugs: #554172
ID: 201507-15

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Certain checks on untrusted certificates can be bypassed.

Background
==========

OpenSSL is an Open Source toolkit implementing the Secure Sockets Layer
(SSL v2/v3) and Transport Layer Security (TLS v1) as well as a general
purpose cryptography library.

Affected packages
=================

-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 dev-libs/openssl < 1.0.1p >= 1.0.1p

Description
===========

During certificate verification, OpenSSL attempts to find an
alternative certificate chain if the first attempt to build such a
chain fails.

Impact
======

A remote attacker could cause certain checks on untrusted
certificates to be bypassed, such as the CA flag, enabling them to use
a valid leaf certificate to act as a CA and "issue" an invalid
certificate.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All OpenSSL users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-libs/openssl-1.0.1p"

References
==========

[ 1 ] CVE-2015-1793
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-1793

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

https://security.gentoo.org/glsa/201507-15

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2015 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5



[ GLSA 201507-16 ] Portage: Man-in-the-middle attack

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201507-16
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: Normal
Title: Portage: Man-in-the-middle attack
Date: July 10, 2015
Bugs: #469888
ID: 201507-16

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

A vulnerability in Portage's urlopen function could allow a remote
attacker to conduct a man-in-the-middle attack.

Background
==========

Portage is the package management and distribution system for Gentoo.

Affected packages
=================

-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 sys-apps/portage < 2.1.12.2 >= 2.1.12.2

Description
===========

Portage does not verify X.509 SSL certificate properly if HTTPS is
used.

Impact
======

A remote attacker can spoof servers and modify binary package lists via
specially crafted certificate.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All Portage users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=sys-apps/portage-2.1.12.2"

References
==========

[ 1 ] CVE-2013-2100
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2100

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

https://security.gentoo.org/glsa/201507-16

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2015 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5




[ GLSA 201507-17 ] SNMP: Denial of Service

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201507-17
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: Normal
Title: SNMP: Denial of Service
Date: July 10, 2015
Bugs: #522062
ID: 201507-17

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

A vulnerability in SNMP could lead to Denial of Service condition.

Background
==========

SNMP is a widely used protocol for monitoring the health and welfare of
network equipment.

Affected packages
=================

-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 net-analyzer/net-snmp < 5.7.3_pre5-r1 >= 5.7.3_pre5-r1

Description
===========

A specially crafted trap message trigger a conversion to erronuous
variable type in SNMP's snmplib/mib.c when the -OQ option is used.

Impact
======

A remote attacker could possibly cause a Denial of Service condition.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All SNMP users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot -v ">=net-analyzer/net-snmp-5.7.3_pre5-r1"

References
==========

[ 1 ] CVE-2014-3565
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-3565

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

https://security.gentoo.org/glsa/201507-17

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2015 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5




[ GLSA 201507-18 ] Chromium: Multiple vulnerabilities

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201507-18
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: Normal
Title: Chromium: Multiple vulnerabilities
Date: July 10, 2015
Bugs: #552904
ID: 201507-18

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been found in Chromium allowing remote
attackers to bypass security restrictions.

Background
==========

Chromium is an open-source web browser project.

Affected packages
=================

-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 www-client/chromium < 43.0.2357.130 >= 43.0.2357.130

Description
===========

Multiple vulnerabilities have been discovered in Chromium. Please
review the CVE identifiers referenced below for details.

Impact
======

A remote attacker could bypass security restrictions.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All Chromium users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot -v ">=www-client/chromium-43.0.2357.130"

References
==========

[ 1 ] CVE-2015-1266
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-1266
[ 2 ] CVE-2015-1267
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-1267
[ 3 ] CVE-2015-1268
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-1268
[ 4 ] CVE-2015-1269
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-1269

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

https://security.gentoo.org/glsa/201507-18

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2015 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5




[ GLSA 201507-19 ] MySQL: Multiple vulnerabilities

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201507-19
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: Normal
Title: MySQL: Multiple vulnerabilities
Date: July 10, 2015
Bugs: #546722
ID: 201507-19

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been found in MySQL, allowing attackers
to execute arbitrary code or cause Denial of Service.

Background
==========

MySQL is a fast, multi-threaded, multi-user SQL database server.

Affected packages
=================

-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 dev-db/mysql < 5.6.24 *>= 5.5.43
>= 5.6.24

Description
===========

Multiple vulnerabilities have been discovered in MySQL. Please review
the CVE identifiers referenced below for details.

Impact
======

A remote attacker could send a specially crafted request, possibly
resulting in execution of arbitrary code with the privileges of the
application or a Denial of Service condition.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All MySQL 5.5.x users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-db/mysql-5.5.43"

All MySQL 5.6.x users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-db/mysql-5.6.24"

References
==========

[ 1 ] CVE-2015-0405
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0405
[ 2 ] CVE-2015-0423
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0423
[ 3 ] CVE-2015-0433
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0433
[ 4 ] CVE-2015-0438
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0438
[ 5 ] CVE-2015-0439
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0439
[ 6 ] CVE-2015-0441
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0441
[ 7 ] CVE-2015-0498
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0498
[ 8 ] CVE-2015-0499
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0499
[ 9 ] CVE-2015-0500
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0500
[ 10 ] CVE-2015-0501
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0501
[ 11 ] CVE-2015-0503
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0503
[ 12 ] CVE-2015-0505
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0505
[ 13 ] CVE-2015-0506
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0506
[ 14 ] CVE-2015-0507
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0507
[ 15 ] CVE-2015-0508
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0508
[ 16 ] CVE-2015-0511
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0511
[ 17 ] CVE-2015-2566
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-2566
[ 18 ] CVE-2015-2567
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-2567
[ 19 ] CVE-2015-2568
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-2568
[ 20 ] CVE-2015-2571
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-2571
[ 21 ] CVE-2015-2573
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-2573

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

https://security.gentoo.org/glsa/201507-19

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2015 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5