Age | Commit message (Collapse) | Author |
|
Integrating the following commit(s) to linux-yocto/5.10.:
ktypes/standard: disable obsolete crypto options by default
CONFIG_CRYPTO_USER_API_ENABLE_OBSOLETE is on by default, but really
shouldn't be on in our kernels for a safe set of baseline options.
This is almost never used, so we disable it by default. If something
needs it, they can turn it on in a board specific config.
Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit f29be437290a960decdc2d8be8e505e8179c2f58)
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
|
|
Updating linux-yocto/5.4 to the latest korg -stable release that comprises
the following commits:
b5dbcd05792a Linux 5.4.117
0ee3bfc2c31e vfio: Depend on MMU
b246759284d6 perf/core: Fix unconditional security_locked_down() call
a1e6a0d1e6cf ovl: allow upperdir inside lowerdir
8198962021fd scsi: ufs: Unlock on a couple error paths
91aa2644a3ab platform/x86: thinkpad_acpi: Correct thermal sensor allocation
164f74391822 USB: Add reset-resume quirk for WD19's Realtek Hub
5922dfc42ac8 USB: Add LPM quirk for Lenovo ThinkPad USB-C Dock Gen2 Ethernet
314192f055d9 ALSA: usb-audio: Add MIDI quirk for Vox ToneLab EX
6cede11149bf perf ftrace: Fix access to pid in array when setting a pid filter
ad4659935e11 perf data: Fix error return code in perf_data__create_dir()
cbc6b467610c iwlwifi: Fix softirq/hardirq disabling in iwl_pcie_gen2_enqueue_hcmd()
c7166a529e2b avoid __memcat_p link failure
8ba25a9ef9b9 bpf: Fix leakage of uninitialized bpf stack under speculation
53e0db429b37 bpf: Fix masking negation logic upon negative dst register
b0c8fe7ef797 iwlwifi: Fix softirq/hardirq disabling in iwl_pcie_enqueue_hcmd()
43b515c52942 igb: Enable RSS for Intel I211 Ethernet Controller
354520d3ea81 net: usb: ax88179_178a: initialize local variables before use
55714a57f369 ACPI: x86: Call acpi_boot_table_init() after acpi_table_upgrade()
b3041510f0fc ACPI: tables: x86: Reserve memory occupied by ACPI tables
91b08c5319a5 mips: Do not include hi and lo in clobber list for R6
Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 0bb2a057ed02b94e6f12b0508b5d7f4a535b1ca0)
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
|
|
Updating linux-yocto/5.10 to the latest korg -stable release that comprises
the following commits:
f53a3a480862 Linux 5.10.35
94c76056fc3f vfio: Depend on MMU
4348d3b5027b perf/core: Fix unconditional security_locked_down() call
399f9c18473c platform/x86: thinkpad_acpi: Correct thermal sensor allocation
ac2cd82c7609 USB: Add reset-resume quirk for WD19's Realtek Hub
d844aaa49ac8 USB: Add LPM quirk for Lenovo ThinkPad USB-C Dock Gen2 Ethernet
59b3f88386b5 ALSA: usb-audio: Add MIDI quirk for Vox ToneLab EX
27c1936af506 ovl: allow upperdir inside lowerdir
71d58457a8af ovl: fix leaked dentry
2fa0387fa2d0 nvme-pci: set min_align_mask
f8e71c667ee1 swiotlb: respect min_align_mask
85a5a6875ca9 swiotlb: don't modify orig_addr in swiotlb_tbl_sync_single
25ed8827cfbf swiotlb: refactor swiotlb_tbl_map_single
9efd5df078a7 swiotlb: clean up swiotlb_tbl_unmap_single
1f2ef5a0f771 swiotlb: factor out a nr_slots helper
1bbcc985d195 swiotlb: factor out an io_tlb_offset helper
22163a8ec863 swiotlb: add a IO_TLB_SIZE define
2e8b3b0b8e2d driver core: add a min_align_mask field to struct device_dma_parameters
6995512a472f tools/cgroup/slabinfo.py: updated to work on current kernel
a7c37332afa8 perf ftrace: Fix access to pid in array when setting a pid filter
fb4c1c2e9fd1 capabilities: require CAP_SETFCAP to map uid 0
b571a6302a64 perf data: Fix error return code in perf_data__create_dir()
48ec949ac979 net: qrtr: Avoid potential use after free in MHI send
2fa15d61e4cb bpf: Fix leakage of uninitialized bpf stack under speculation
2cfa537674cd bpf: Fix masking negation logic upon negative dst register
a41c193d004e igb: Enable RSS for Intel I211 Ethernet Controller
2e68890993d0 net: usb: ax88179_178a: initialize local variables before use
d3598eb3915c netfilter: conntrack: Make global sysctls readonly in non-init netns
c239bfc2e4ac mips: Do not include hi and lo in clobber list for R6
Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 767e6755740204981e5789b7a3066eac855605e8)
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
|
|
If an existing source date epoch file was found during do_unpack, it was
deleted and a new one would be written in its place. This causes a race
with check-before-use code in get_source_date_epoch_value. Resolve the
problem by making do_unpack write the new source date epoch to a
temporary file, then do an atomic rename to ensure it's always present,
and change the check-before-use code to use a EAFP exception instead of
checking for file existence.
[YOCTO #14384]
Signed-off-by: Joshua Watt <JPEWhacker@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 0b5e3b33187bf78a2d62cc886463e4b27d6bd228)
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
|
|
Several of the valgrind tests (particulaly helgrind) are unreliable and
can fail with a different output.
Particularly, there is a higher chance of failure on QEMU instances with
SMP enabled and on systems with more interrupts such as laptops on powersave.
The tests have been reported upstream as being unreliable dating back
over 5 years, due in part to the ordering of threads during
an "unwinding" process in helgrind.
https://bugs.kde.org/show_bug.cgi?id=345121
https://bugs.kde.org/show_bug.cgi?id=430321
A workaround to improve the reliability of such tests is to force them
to run on a single CPU core using taskset. This greatly reduces the
chance of a failure.
>From my testing, I have found it can help reduce the rate of failures
on both a laptop and QEMU by over 5x. Stress-testing in QEMU for several
hours did not result in a failure while running the test normally did.
The flaky or undeterministic thread-based tests are defined in the
taskset_nondeterministic_tests file. These test cases will be run with
taskset 0x00000001 to run on a single CPU core rather then the regular
test.
The edited run-ptest executes the flaky tests first, then ignores them
to not duplicate the results from the main tests. Everything modified is
restored when testing is complete.
The drawback is that this isn't a foolproof solution. It helps the tests
fail much less frequently, and considering how this issue has been documented
for a long time, a workaround such as this is needed.
Signed-off-by: Tony Tascioglu <tony.tascioglu@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit b318944dd72ca7b0408e955f3599381ab3ac3ba8)
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
|
|
Signed-off-by: Kai Kang <kai.kang@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 0478d9b04d6a6d10e439116b23b641a1e2553e26)
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
|
|
Version 3.9.5 includes a fix for CVE-2021-29921.
Signed-off-by: Trevor Gamblin <trevor.gamblin@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit be23351f97c1a7362c0ddd240a6de0cddfca1b01)
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
|
|
This test is flawed since multiple parts of the system can write to the log
and we obtain different numbers of log messages depending on factors we
can't control.
Drop the log testing component of the test.
[YOCTO #12465]
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
By default RPM uses the number of cores as the number of threads to use,
which can result in quite antisocial memory usage.
As we control the macros for compression anyway, we can pass XZ_THREADS
to limit the number of threads if needed.
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
The git repo for pkg-config was changed, so update the
SRC_URI accordingly with the new link.
Signed-off-by: Changqing Li <changqing.li@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
License-Update: Corrected license information
flex package is under two licenses:
- "BSD-3-Clause" is provided in top-level COPYING file; the license
actually include third obligation (without the actual "3" numbering)
- "LGPL-2.0+" is explained by src/gettext.h
Signed-off-by: Dmitry Kisil <d.kisil@inango-systems.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Upstream database uses both "expat" and "libexpat" to report CVEs
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Backport and modify the patch for CVE-2021-22876 from curl 7.76 to
make it apply cleanly on 7.75.
CVE: CVE-2021-22876
Signed-off-by: Trevor Gamblin <trevor.gamblin@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Backport and modify the patch for CVE-2021-22890 from curl 7.76 to make
it apply cleanly on 7.75.
CVE: CVE-2021-22890
Signed-off-by: Trevor Gamblin <trevor.gamblin@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
CVE's affect ESP (NCR53C90) part of chip STP2000 (Master I/O).
On Sparc32 it is the NCR89C100 part of the chip.
On Macintosh Quadra it is NCR53C96.
Both are not supported by yocto.
Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Signed-off-by: Trevor Gamblin <trevor.gamblin@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
We use the SUSE mirror of xinetd. The CVE fix was added to the main repo
after the latest release but is included in the version from the SUSE repo.
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
The preferred methods for CVE resolution are:
1. Version upgrades where possible
2. Patches where not possible
3. Database updates where version info is incorrect
4. Exclusion from checking where it is determined that the CVE
does not apply to our environment
In some cases none of these methods are possible. For example the
CVE may be decades old with no apparent resolution, and with broken
links that make further research impractical. Some CVEs are vauge
with no specific action the project can take too.
This patch creates a mechanism for users to remove this type of
CVE from the cve-check results via an optional include file.
Based on an initial patch from Steve Sakoman <steve@sakoman.com>
but extended heavily by RP.
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
The CVE only applies to RHEL.
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
We're using a pre-release version of 2.06 so these issues are fixed but
continue to show up in the checks since it is pre-2.06 and the CPE
entries are "before but excluding 2.06".
Adding these will clean up CVE reports until the 2.06 release comes out.
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
A stray space made it into the command for verifying gpg signatures.
This caused verification to fail, at least on my host. Removing the
space makes it work as expected.
Signed-off-by: Daniel McGregor <daniel.mcgregor@vecima.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
What key is used to sign sstate artefacts should not affect the hash of
the object, otherwise everyone would need to use the same signing key.
Signed-off-by: Daniel McGregor <daniel.mcgregor@vecima.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Bintray service has been discontinued causing boost do_fetch to fail:
WARNING: boost-1.76.0-r0 do_fetch: Failed to fetch URL
https://dl.bintray.com/boostorg/release/1.75.0/source/boost_1_75_0.tar.bz2,
attempting MIRRORS if available
RP: Backport to 1.75.0
Signed-off-by: Stefan Ghinea <stefan.ghinea@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
When running:
execute_pre_post_process(d, d.getVar(ROOTFS_POSTPROCESS_COMMAND))
rootfs_update_timestamp is run, which assumes that rootfs/${sysconfdir}
is already created (usually done through the do_rootfs task on linux).
This causes the build to fail if ${sysconfdir} does not exist.
This may be overlooked if debug-tweaks is enabled since some other
commands are added, one of which creates the required path
(see postinst_enable_logging).
See [1] for more info:
[1] https://github.com/aehs29/meta-freertos/issues/4
Signed-off-by: Alejandro Enedino Hernandez Samaniego <alejandro@enedino.org>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
We've seen three hangs in cgroup_xattr and two in proc01 so far. The new
plan is just to disable any tests seen to hang. I've had enough of these
causing problems on our testing infrastructure.
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Upstream commit:
This is related to parameter entities expansion and following
the line of the billion laugh attack. Somehow in that path the
counting of parameters was missed and the normal algorithm based
on entities "density" was useless.
CVE: CVE-2021-3541
Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libxml2/-/commit/8598060bacada41a0eb09d95c97744ff4e428f8e]
Signed-off-by: Tony Tascioglu <tony.tascioglu@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
This patch fixes CVE-2021-3518. The fix for the CVE is the
following 3 lines in 1098c30a:
- (cur->children->type != XML_ENTITY_DECL) &&
- (cur->children->type != XML_XINCLUDE_START) &&
- (cur->children->type != XML_XINCLUDE_END)) {
+ ((cur->type == XML_DOCUMENT_NODE) ||
+ (cur->type == XML_ELEMENT_NODE))) {
This relies on an updated version of xinclude.c from upstream which
also adds several new tests. Those changes are brought in first so
that the CVE patch can be applied cleanly.
The first patch updates xinclude.c and adds the new tests from
upstream, and the second applies the fix for the CVE.
CVE: CVE-2021-3518
Upstream-Status: Backport
[https://gitlab.gnome.org/GNOME/libxml2/-/commit/1098c30a040e72a4654968547f415be4e4c40fe7]
Signed-off-by: Tony Tascioglu <tony.tascioglu@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Parsing specially crafted Mixed Content while parsing XML data may
lead to invalid data structure being created, as errors were not
propagated. This could lead to several NULL Pointer Dereference when
post-validating documents parsed in recovery mode.
CVE: CVE-2021-3537
Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libxml2/-/commit/babe75030c7f64a37826bb3342317134568bef61]
Signed-off-by: Tony Tascioglu <tony.tascioglu@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Fixes use-after-free in xmlEncodeEntitiesInternal() in entities.c
CVE: CVE-2021-3516
Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libxml2/-/commit/1358d157d0bd83be1dfe356a69213df9fac0b539]
Signed-off-by: Tony Tascioglu <tony.tascioglu@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Fixes heap-based buffer overflow in xmlEncodeEntitiesInternal() in entities.c
CVE: CVE-2021-3517
Upstream-status: Backport [https://gitlab.gnome.org/GNOME/libxml2/-/commit/bf22713507fe1fc3a2c4b525cf0a88c2dc87a3a2]
Signed-off-by: Tony Tascioglu <tony.tascioglu@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Before, ccache's configure stage built HTML documentation and man pages
depending on if asciidoc is installed. This patch makes it configurable.
Pass the new cmake option ENABLE_DOCUMENTATION along and add the
asciidoc dependency if necessary.
This fixes an issue when ccache's configure stage found asciidoc/a2x on
the system outside of the sysroot (e.g. installed via 'apt install
asciidoc'). ccache would then decide to build docs and manual pages, but
would fail during compilation: the system's a2x could not find the
system's asciidoc because it did not reside in the set PATH.
By enabling/disabling docs/man page generation explicitly and adding
asciidoc to DEPENDS as necessary, this is no longer an issue.
[ This corresponds to commit b0aedd74 and parts of commit 1eedc5f8,
with the patch replaced by the upstream version. ]
Signed-off-by: Peter Kjellerstedt <peter.kjellerstedt@axis.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Under certain build patterns, warnings about missing manifests can appear. These
are real issues where the manifest was removed and shouldn't have been.
Martin Jansa was able to find a reproducer of:
MACHINE=qemux86 bitbake zlib-native
echo 'PR = "r1"' >> meta/recipes-core/zlib/zlib_1.2.11.bb
MACHINE=qemux86-64 bitbake zlib-native
MACHINE=qemux86 bitbake zlib-native
<the zlib-native manifest is now removed along with the sysroot-components contents>
The code maintains a per machine list of stamps but a per PACAGE_ARCH list of
stamp/manifest/workdir mappings. The latter is only appended to for speed with
the assumption that once stamps are gone, the code wouldn't trigger.
The code only ever appends to the mapping list (for speed/efficency under lock)
meaning that multiple entries can result where the stamp/workdir differs due to
version changes but the manifest remains the same.
By switching MACHINE part way through the build, the older stamp is referenced
and the manifest is incorrectly removed as it matches an now obsolete entry in
the mapping file.
There are two possible fixes, one is to rewrite the mapping file every time
which means adding regexs, iterating and generally complicating that code. The
second option is to only use the last mapping entry in the file for a given
manifest and ignore any earlier ones. This patch implments the latter.
Also drop the stale entries if we are rewriting it.
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
This CVE relates to bad ownership of /var/log/cups, which we don't have.
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
We've noticed that:
MACHINE=qemuarm oe-selftest -r glibc.GlibcSelfTest.test_glibc
ends up with one process growing to about the size of system memory
and triggering the OOM killer. This has been taking out other builds
running on the system on the autobuilders and is one cause of our
intermittent failures.
This was tracked down to:
WORKDIR=XXX/tmp/work/armv7vet2hf-neon-poky-linux-gnueabi/glibc-testsuite/2.33-r0
BUILDDIR=$WORKDIR/build-arm-poky-linux-gnueabi QEMU_SYSROOT=$WORKDIR/recipe-sysroot
QEMU_OPTIONS="$WORKDIR/recipe-sysroot-native/usr/bin/qemu-arm -r 3.2.0" \
$WORKDIR/check-test-wrapper user env GCONV_PATH=$BUILDDIR/iconvdata LOCPATH=$BUILDDIR/localedata LC_ALL=C $BUILDDIR/elf/ld-linux-armhf.so.3 \
--library-path $BUILDDIR:$BUILDDIR/math:$BUILDDIR/elf:$BUILDDIR/dlfcn:$BUILDDIR/nss:$BUILDDIR/nis:$BUILDDIR/rt:$BUILDDIR/resolv:$BUILDDIR/mathvec:$BUILDDIR/support:$BUILDDIR/nptl \
$BUILDDIR/nptl/tst-pthread-timedlock-lockloop
although other glibc tests appear to use 16GB of memory before failing
anyway. By capping the VM size to 8GB, we see the same number of failures
but no OOM situations. There may be some issue in qemu or the test which
could be improved to avoid this entirely but this provides a necessary
and useful safeguard to other builds and doensn't appear to make the
situation worse.
On a loaded system OOM may not occur as the test timeout may be triggered
first. An experiment with a 5GB limit showed an additional 7 failures.
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
This upgrade builds unnative with gcc11 allowing it to work with newer distros
using gcc 11.
Signed-off-by: Michael Halstead <mhalstead@linuxfoundation.org>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Signed-off-by: Robert P. J. Day <rpjday@crashcourse.ca>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Signed-off-by: Robert P. J. Day <rpjday@crashcourse.ca>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Issue only affects Debian and SUSE.
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Issue only affects windows.
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
http://git.savannah.gnu.org/cgit/coreutils.git/commit/?id=v8.27-101-gf5d7c0842
"Given runcon is not really a sandbox command, the advice is to use
`runcon ... setsid ...` to avoid this particular issue.
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Some fix upstream addresses the issue, it isn't clear which change this was. Our
current version doesn't have issues with the test image though so we can exclude.
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
These CVEs are fixed with kernel changes and don't affect the bluez recipe.
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
The CVE is in the jpeg sources included with ghostscript. We use our own
external jpeg library so this doesn't affect us.
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Issue applies to use of cpio in SUSE/OBS, doesn't apply to us.
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
The patch mentioned as the fix for the CVE is applied to the 6.0 source
code. Zip versioning makes CPE entry changes hard.
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
CVE only applies to some distributed RHEL binaries so irrelavent to us.
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
We don't build/use the OPIE PAM module, exclude the CVE from this recipe.
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
These CVEs apply to the way logrotate was installed on Gentoo, Debian
and SUSE, exclude from cve-check as they don't apply to OE.
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|