July 2012 - Security-news - lists.drupal.org

SA-CONTRIB-2012-118 - Secure Login - Open Redirect
by security-news＠drupal.org 25 Jul '12

25 Jul '12

View online: http://drupal.org/node/1700594 * Advisory ID: DRUPAL-SA-CONTRIB-2012-118 * Project: Secure Login [1] (third-party module) * Version: 7.x * Date: 2012-July-25 * Security risk: Less critical [2] * Exploitable from: Remote * Vulnerability: Open Redirect -------- DESCRIPTION --------------------------------------------------------- Secure Login module enables the user login and other forms to be submitted securely via HTTPS, thus preventing passwords and other private user data from being transmitted in clear text. In addition, Secure Login module by default redirects non-HTTPS GET requests for pages containing forms that it secures to the HTTPS site. The module does not sufficiently validate that a requested path is internal to the site, allowing an attacker to disguise a malicious destination address as a GET query parameter passed to a non-HTTPS site URL. This vulnerability is mitigated by the fact that the target site must render a form secured by Secure Login module on its 404 page, such as in a block. A default installation of Drupal 7 renders the user login block on the 404 page, and is thus vulnerable to the open redirect. CVE: Requested -------- VERSIONS AFFECTED --------------------------------------------------- * Secure Login 7.x-1.x versions prior to 7.x-1.3. Drupal core is not affected. If you do not use the contributed Secure Login [3] module, there is nothing you need to do. -------- SOLUTION ------------------------------------------------------------ Install the latest version: * If you use the Secure Login module for Drupal 7.x, upgrade to Secure Login 7.x-1.3 [4]. Also see the Secure Login [5] project page. -------- REPORTED BY --------------------------------------------------------- * Albert Martin [6] -------- FIXED BY ------------------------------------------------------------ * Mark Burdett [7], the module maintainer -------- COORDINATED BY ------------------------------------------------------ * Heine Deelstra [8] of the Drupal Security Team * Greg Knaddison [9] of the Drupal Security Team -------- CONTACT AND MORE INFORMATION ---------------------------------------- The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact [10]. Learn more about the Drupal Security team and their policies [11], writing secure code for Drupal [12], and securing your site [13]. [1] http://drupal.org/project/securelogin [2] http://drupal.org/security-team/risk-levels [3] http://drupal.org/project/securelogin [4] https://drupal.org/node/1698988 [5] http://drupal.org/project/securelogin [6] https://drupal.org/user/1888132 [7] https://drupal.org/user/12302 [8] http://drupal.org/user/17943 [9] http://drupal.org/user/36762 [10] http://drupal.org/contact [11] http://drupal.org/security-team [12] http://drupal.org/writing-secure-code [13] http://drupal.org/security/secure-configuration

1 0

SA-CONTRIB-2012-117 - Location - Access Bypass
by security-news＠drupal.org 25 Jul '12

25 Jul '12

View online: http://drupal.org/node/1700588 * Advisory ID: DRUPAL-SA-CONTRIB-2012-117 * Project: Location [1] (third-party module) * Version: 6.x, 7.x * Date: 2012-July-25 * Security risk: Moderately critical [2] * Exploitable from: Remote * Vulnerability: Access bypass -------- DESCRIPTION --------------------------------------------------------- The Location module allows real-world geographic locations to be associated with Drupal nodes, including people, places, and other content. The Location Search sub-module adds a search page for searching for locations. The Location Search module fails to enforce content and user access permissions and node access restrictions, meaning any user can see any node or user results on the location search page. From now on users must have the "access content" permission and any relevant node access rights to see node based location results and the "view user profiles" and "view all user locations" permissions to see user based location results. CVE: Requested -------- VERSIONS AFFECTED --------------------------------------------------- * Location Search (Location sub-module) 6.x versions prior to 6.x-3.2. * Location Search (Location sub-module) 7.x versions prior to 7.x-3.0-alpha1. Drupal core is not affected. If you do not use the contributed Location [3] module, there is nothing you need to do. -------- SOLUTION ------------------------------------------------------------ Install the latest version: * If you use the Location Search (Location sub-module) module for Drupal 6.x, upgrade to Location 6.x-3.2 [4] * If you use the Location Search (Location sub-module) module for Drupal 7.x, upgrade to Location 7.x-3.0-alpha1 [5] Also see the Location [6] project page. -------- REPORTED BY --------------------------------------------------------- * Jon Daley [7] -------- FIXED BY ------------------------------------------------------------ * Reuben Turk [8] the module maintainer * Ankur Rishi [9] the module maintainer -------- COORDINATED BY ------------------------------------------------------ * Greg Knaddison [10] of the Drupal Security Team * Ben Jeavons [11] of the Drupal Security Team -------- CONTACT AND MORE INFORMATION ---------------------------------------- The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact [12]. Learn more about the Drupal Security team and their policies [13], writing secure code for Drupal [14], and securing your site [15]. [1] http://drupal.org/project/location [2] http://drupal.org/security-team/risk-levels [3] http://drupal.org/project/location [4] http://drupal.org/node/1699962 [5] http://drupal.org/node/1699984 [6] http://drupal.org/project/location [7] http://drupal.org/user/586142 [8] http://drupal.org/user/350381 [9] http://drupal.org/user/11703 [10] http://drupal.org/user/36762 [11] http://drupal.org/user/91990 [12] http://drupal.org/contact [13] http://drupal.org/security-team [14] http://drupal.org/writing-secure-code [15] http://drupal.org/security/secure-configuration

1 0

SA-CONTRIB-2012-116 - Subuser Cross Site Request Forgery (CSRF) and Access Bypass
by security-news＠drupal.org 25 Jul '12

25 Jul '12

View online: http://drupal.org/node/1700584 * Advisory ID: DRUPAL-SA-CONTRIB-2012-116 * Project: Subuser [1] (third-party module) * Version: 6.x * Date: 2012-July-25 * Security risk: Less critical [2] * Exploitable from: Remote * Vulnerability: Access bypass, Cross Site Request Forgery -------- DESCRIPTION --------------------------------------------------------- The Subuser module allows users to be given the permission to create subusers. The subusers may then be automatically assigned a role or roles. The parent user then has the ability to manage the subusers they have created. A parent user is allowed to assume the role of a subuser they created (switch users) without having the "switch subuser" permission. However, users are prevented from switching to subusers that were not created by them. Additionally users can be switched to a subuser without intending to do so via a Cross Site Request Forgery attack (CSRF). CVE: Requested -------- VERSIONS AFFECTED --------------------------------------------------- * subuser 6.x-1.x versions prior to 6.x-1.8. Drupal core is not affected. If you do not use the contributed Subuser [3] module, there is nothing you need to do. -------- SOLUTION ------------------------------------------------------------ Install the latest version: * If you use the Subuser module for Drupal 6.x, upgrade to Subuser 6.x-1.8 [4] Also see the Subuser [5] project page. -------- REPORTED BY --------------------------------------------------------- * Stella Power [6] of the Drupal Security Team -------- FIXED BY ------------------------------------------------------------ * Jimmy Berry [7] the module maintainer * Lee Rowlands [8] -------- COORDINATED BY ------------------------------------------------------ * Stella Power [9] of the Drupal Security Team * Greg Knaddison [10] of the Drupal Security Team * Michael hess [11] of the Drupal Security Team -------- CONTACT AND MORE INFORMATION ---------------------------------------- The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact [12]. Learn more about the Drupal Security team and their policies [13], writing secure code for Drupal [14], and securing your site [15]. [1] http://drupal.org/project/subuser [2] http://drupal.org/security-team/risk-levels [3] http://drupal.org/project/subuser [4] http://drupal.org/node/1700550 [5] http://drupal.org/project/subuser [6] http://drupal.org/user/66894 [7] http://drupal.org/user/214218 [8] http://drupal.org/user/395439 [9] http://drupal.org/user/66894 [10] http://drupal.org/user/36762 [11] http://drupal.org/user/102818 [12] http://drupal.org/contact [13] http://drupal.org/security-team [14] http://drupal.org/writing-secure-code [15] http://drupal.org/security/secure-configuration

1 0

SA-CONTRIB-2012-115 - Gallery formatter - Cross Site Scripting (XSS)
by security-news＠drupal.org 25 Jul '12

25 Jul '12

View online: http://drupal.org/node/1700578 * Advisory ID: DRUPAL-SA-CONTRIB-2012-115 * Project: Gallery formatter [1] (third-party module) * Version: 7.x * Date: 2012-July-25 * Security risk: Moderately critical [2] * Exploitable from: Remote * Vulnerability: Cross Site Scripting -------- DESCRIPTION --------------------------------------------------------- Gallery formatter provides a field formatter for images that turns the fields into jQuery galleries. The module did not properly escape input from the user before printing it to the browser, allowing malicious users to inject script code into the page. This vulnerability is mitigated by the fact that an attacker must have a role with the permission to create the nodes / entities and the fields that use the formatter. CVE: Requested -------- VERSIONS AFFECTED --------------------------------------------------- * Gallery formatter 7.x-1.x versions prior to 7.x-1.2. Drupal core is not affected. If you do not use the contributed Gallery formatter [3] module, there is nothing you need to do. -------- SOLUTION ------------------------------------------------------------ Install the latest version: * If you use the Gallery formatter module for Drupal 7.x, upgrade to Gallery formatter 7.x-1.2 [4] Also see the Gallery formatter [5] project page. -------- REPORTED BY --------------------------------------------------------- * Sudipta Bandyopadhyay [6] -------- FIXED BY ------------------------------------------------------------ * Manuel Garcia [7] the module maintainer -------- COORDINATED BY ------------------------------------------------------ * Greg Knaddison [8] of the Drupal Security Team -------- CONTACT AND MORE INFORMATION ---------------------------------------- The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact [9]. Learn more about the Drupal Security team and their policies [10], writing secure code for Drupal [11], and securing your site [12]. [1] http://drupal.org/project/galleryformatter [2] http://drupal.org/security-team/risk-levels [3] http://drupal.org/project/galleryformatter [4] http://drupal.org/node/1699744 [5] http://drupal.org/project/galleryformatter [6] http://drupal.org/user/140596 [7] http://drupal.org/user/213194 [8] http://drupal.org/user/36762 [9] http://drupal.org/contact [10] http://drupal.org/security-team [11] http://drupal.org/writing-secure-code [12] http://drupal.org/security/secure-configuration

1 0

SA-CONTRIB-2012-114 - Campaign Monitor - Cross Site Scripting (XSS)
by security-news＠drupal.org 19 Jul '12

19 Jul '12

View online: http://drupal.org/node/1691446 * Advisory ID: SA-CONTRIB-2012-114 * Project: Campaign Monitor [1] (third-party module) * Version: 6.x * Date: 2012-July-18 * Security risk: Moderately critical [2] * Exploitable from: Remote * Vulnerability: Cross Site Scripting -------- DESCRIPTION --------------------------------------------------------- This module enables you to integrate Campaign Monitor into Drupal so you can give users the ability to subscribe and unsubscribe for your Campaign Monitor lists. The module doesn't sufficiently validate strings entered in the administration interface. This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer campaignmonitor". CVE: Requested -------- VERSIONS AFFECTED --------------------------------------------------- * Campaign Monitor 6.x-2.x versions prior to 6.x-2.5 Drupal core is not affected. If you do not use the contributed Campaign Monitor [3] module, there is nothing you need to do. -------- SOLUTION ------------------------------------------------------------ Install the latest version: * If you use the Campaign Monitor module for Drupal 6.x, upgrade to Campaign Monitor 6.x-2.5 [4] Also see the Campaign Monitor [5] project page. -------- REPORTED BY --------------------------------------------------------- * Andrey Tretyakov [6] -------- FIXED BY ------------------------------------------------------------ * Jesper Kristensen [7] the module maintainer -------- COORDINATED BY ------------------------------------------------------ * Greg Knaddison [8] of the Drupal Security Team -------- CONTACT AND MORE INFORMATION ---------------------------------------- The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact [9]. Learn more about the Drupal Security team and their policies [10], writing secure code for Drupal [11], and securing your site [12]. [1] http://drupal.org/project/campaignmonitor [2] http://drupal.org/security-team/risk-levels [3] http://drupal.org/project/campaignmonitor [4] http://drupal.org/node/1689790 [5] http://drupal.org/project/campaignmonitor [6] http://drupal.org/user/169459 [7] http://drupal.org/user/697210 [8] http://drupal.org/user/36762 [9] http://drupal.org/contact [10] http://drupal.org/security-team [11] http://drupal.org/writing-secure-code [12] http://drupal.org/security/secure-configuration

1 0

SA-CONTRIB-2012-113 - Drupal Commons - Access Bypass
by security-news＠drupal.org 11 Jul '12

11 Jul '12

View online: http://drupal.org/node/1679888 * Advisory ID: SA-CONTRIB-2012-113 * Project: Drupal Commons [1] (third-party module) * Version: 6.x * Date: 2012-July-11 * Security risk: Moderately critical [2] * Exploitable from: Remote * Vulnerability: Access bypass -------- DESCRIPTION --------------------------------------------------------- Drupal Commons is a ready-to-use solution for building either internal or external communities. The Drupal Commons feature (a central module in the distribution) includes a listing of recent comments on discussions. This listing of comments is powered by a view that doesn't fully enforce node access restrictions, which can expose comments for nodes that the user might not have access to view. CVE: Requested -------- VERSIONS AFFECTED --------------------------------------------------- * Drupal Commons 6.x-2.x versions prior to 6.x-2.8. Drupal core is not affected. If you do not use the contributed Drupal Commons [3] module, there is nothing you need to do. -------- SOLUTION ------------------------------------------------------------ Install the latest version: * If you use Drupal Commons module for Drupal 6.x, upgrade to Drupal Commons 6.x-2.8 [4] Also see the Drupal Commons [5] project page. -------- REPORTED BY --------------------------------------------------------- * Trevor English [6] * Ezra Gildesgame [7] -------- FIXED BY ------------------------------------------------------------ * Ezra Gildesgame [8] the distribution maintainer -------- CONTACT AND MORE INFORMATION ---------------------------------------- The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact [9]. Learn more about the Drupal Security team and their policies [10], writing secure code for Drupal [11], and securing your site [12]. [1] http://drupal.org/project/commons [2] http://drupal.org/security-team/risk-levels [3] http://drupal.org/project/commons [4] http://network.acquia.com/downloads/drupal-commons [5] http://drupal.org/project/commons [6] http://drupal.org/user/193352 [7] http://drupal.org/user/69959 [8] http://drupal.org/user/69959 [9] http://drupal.org/contact [10] http://drupal.org/security-team [11] http://drupal.org/writing-secure-code [12] http://drupal.org/security/secure-configuration

1 0

SA-CONTRIB-2012-112 - Ubercart SecureTrading - Failure to follow guideline/specification
by security-news＠drupal.org 11 Jul '12

11 Jul '12

View online: http://drupal.org/node/1679820 * Advisory ID: SA-CONTRIB-2012-112 * Project: Ubercart SecureTrading Payment Method [1] (third-party module) * Version: 6.x * Date: 2012-July-11 * Security risk: Highly critical [2] * Exploitable from: Remote * Vulnerability: Failure to follow guideline/specification - integrity check value -------- DESCRIPTION --------------------------------------------------------- The Ubercart SecureTrading Payment Method module provides an Ubercart payment method for the SecureTrading.com gateway. The module's payment method did not properly verify the validity of payment notification information. A malicious user could trick a site into thinking that an item has been paid for when in fact it hasn't. If you do not use the Ubercart SecureTrading Payment Method payment method then your site is not at risk to this vulnerability. CVE: Requested -------- VERSIONS AFFECTED --------------------------------------------------- * All versions of the Ubercart SecureTrading Payment Method module. Drupal core is not affected. If you do not use the contributed Ubercart SecureTrading Payment Method [3] module, there is nothing you need to do. -------- SOLUTION ------------------------------------------------------------ There is not currently a fixed version of the module. You should disable the module immediately. You can: * Change to a new gateway. * Work with the module maintainer and/or other users to patch the module. Also see the Ubercart SecureTrading Payment Method [4] project page. -------- REPORTED BY --------------------------------------------------------- * Dylan Tack [5] of the Drupal Security Team -------- FIXED BY ------------------------------------------------------------ No fix provided. -------- COORDINATED BY ------------------------------------------------------ * Dylan Tack [6] of the Drupal Security Team * Damien Tournoud [7] of the Drupal Security Team * Greg Knaddison [8] of the Drupal Security Team -------- CONTACT AND MORE INFORMATION ---------------------------------------- The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact [9]. Learn more about the Drupal Security team and their policies [10], writing secure code for Drupal [11], and securing your site [12]. [1] http://drupal.org/project/uc_securetrading [2] http://drupal.org/security-team/risk-levels [3] http://drupal.org/project/uc_securetrading [4] http://drupal.org/project/uc_securetrading [5] http://drupal.org/user/96647 [6] http://drupal.org/user/96647 [7] http://drupal.org/user/22211 [8] http://drupal.org/user/36762 [9] http://drupal.org/contact [10] http://drupal.org/security-team [11] http://drupal.org/writing-secure-code [12] http://drupal.org/security/secure-configuration

1 0

SA-CONTRIB-2012-111 - Security Questions - Access Bypass
by security-news＠drupal.org 11 Jul '12

11 Jul '12

View online: http://drupal.org/node/1679532 * Advisory ID: SA-CONTRIB-2012-111 * Project: Security Questions [1] (third-party module) * Version: 6.x, 7.x * Date: 2012-July-11 * Security risk: Highly critical [2] * Exploitable from: Remote * Vulnerability: Access bypass -------- DESCRIPTION --------------------------------------------------------- This module provides administrator configurable challenge questions for use during the log in and password reset processes. The module doesn't perform a proper access check, allowing a users' questions and answers to be edited by other users including anonymous users. CVE: Requested -------- VERSIONS AFFECTED --------------------------------------------------- * Security Questions 6.x-1.x versions prior to 6.x-1.1. * Security Questions 7.x-1.x versions prior to 7.x-1.1. Drupal core is not affected. If you do not use the contributed Security Questions [3] module, there is nothing you need to do. -------- SOLUTION ------------------------------------------------------------ Install the latest version: * If you use the Security Questions module for Drupal 6.x, upgrade to Security Questions 6.x-1.1 [4] * If you use the Security Questions module for Drupal 7.x, upgrade to Security Questions 7.x-1.1 [5] Also see the Security Questions [6] project page. -------- REPORTED BY --------------------------------------------------------- * Chris Hertzog [7] -------- FIXED BY ------------------------------------------------------------ * Chris Hertzog [8] the module maintainer -------- COORDINATED BY ------------------------------------------------------ * Greg Knaddison [9] of the Drupal Security Team * David Rothstein [10] of the Drupal Security Team * Chris Hales [11] of the Drupal Security Team -------- CONTACT AND MORE INFORMATION ---------------------------------------- The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact [12]. Learn more about the Drupal Security team and their policies [13], writing secure code for Drupal [14], and securing your site [15]. [1] http://drupal.org/project/security_questions [2] http://drupal.org/security-team/risk-levels [3] http://drupal.org/project/security_questions [4] http://drupal.org/node/1648200 [5] http://drupal.org/node/1648204 [6] http://drupal.org/project/security_questions [7] http://drupal.org/user/806366 [8] http://drupal.org/user/806366 [9] http://drupal.org/user/36762 [10] http://drupal.org/user/124982 [11] http://drupal.org/user/347249 [12] http://drupal.org/contact [13] http://drupal.org/security-team [14] http://drupal.org/writing-secure-code [15] http://drupal.org/security/secure-configuration

1 0

SA-CONTRIB-2012-110 - Colorbox Node - Cross Site Scripting (XSS)
by security-news＠drupal.org 11 Jul '12

11 Jul '12

View online: http://drupal.org/node/1679486 * Advisory ID: SA-CONTRIB-2012-110 * Project: Colorbox Node [1] (third-party module) * Version: 7.x * Date: 2012-July-11 * Security risk: Moderately critical [2] * Exploitable from: Remote * Vulnerability: Cross Site Scripting -------- DESCRIPTION --------------------------------------------------------- Colorbox Node gives the user the ability to display ANY page inside a colorbox modal without the header and footer. The module accepts some settings from URL parameters and didn't sufficiently validate them before printing them to the browser, allowing malicious users to inject script code into the page. CVE: Requested -------- VERSIONS AFFECTED --------------------------------------------------- * Colorbox Node 7.x-2.x versions prior to 7.x-2.2. Drupal core is not affected. If you do not use the contributed Colorbox Node [3] module, there is nothing you need to do. -------- SOLUTION ------------------------------------------------------------ Install the latest version: * Upgrade to Colorbox Node 7.x-2.2 [4] Also see the Colorbox Node [5] project page. -------- REPORTED BY --------------------------------------------------------- * Gerhard Killesreiter [6] of the Drupal Security Team -------- FIXED BY ------------------------------------------------------------ * Dennis Blake [7] the module maintainer -------- COORDINATED BY ------------------------------------------------------ * Gerhard Killesreiter [8] of the Drupal Security Team -------- CONTACT AND MORE INFORMATION ---------------------------------------- The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact [9]. Learn more about the Drupal Security team and their policies [10], writing secure code for Drupal [11], and securing your site [12]. [1] http://drupal.org/project/colorbox_node [2] http://drupal.org/security-team/risk-levels [3] http://drupal.org/project/colorbox_node [4] http://drupal.org/node/1679410 [5] http://drupal.org/project/colorbox_node [6] http://drupal.org/user/83 [7] http://drupal.org/user/384543 [8] http://drupal.org/user/227 [9] http://drupal.org/contact [10] http://drupal.org/security-team [11] http://drupal.org/writing-secure-code [12] http://drupal.org/security/secure-configuration

1 0

SA-CONTRIB-2012-109 - Restrict node page view - Access bypass
by security-news＠drupal.org 11 Jul '12

11 Jul '12

View online: http://drupal.org/node/1679466 * Advisory ID: SA-CONTRIB-2012-109 * Project: Restrict node page view [1] (third-party module) * Version: 7.x * Date: 2012-July-11 * Security risk: Moderately critical [2] * Exploitable from: Remote * Vulnerability: Access bypass -------- DESCRIPTION --------------------------------------------------------- This module enables you to disable direct access to node pages (node/XXX) based on nodetypes and permissions. The module issues a NODE_ACCESS_ALLOW if it's permissions are met, but does not respect the "administer nodes" or "access own unpublished content" permissions. The consequence is that this module grants access to unpublished content to any role that has the "view any node page" or "view any node {type} page" permissions. CVE: Requested -------- VERSIONS AFFECTED --------------------------------------------------- * Restrict node page view 7.x-1.x versions prior to 7.x-1.2. Drupal core is not affected. If you do not use the contributed Restrict node page view [3] module, there is nothing you need to do. -------- SOLUTION ------------------------------------------------------------ Install the latest version: * If you use the Restrict node page view module for Drupal 7.x, upgrade to Restrict node page view 7.x-1.2 [4] Also see the Restrict node page view [5] project page. -------- REPORTED BY --------------------------------------------------------- * Jake Bell [6] -------- FIXED BY ------------------------------------------------------------ * Jake Bell [7] -------- COORDINATED BY ------------------------------------------------------ * Greg Knaddison [8] of the Drupal Security Team * Chris Hales [9] of the Drupal Security Team -------- CONTACT AND MORE INFORMATION ---------------------------------------- The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact [10]. Learn more about the Drupal Security team and their policies [11], writing secure code for Drupal [12], and securing your site [13]. [1] http://drupal.org/project/restrict_node_page_view [2] http://drupal.org/security-team/risk-levels [3] http://drupal.org/project/restrict_node_page_view [4] http://drupal.org/node/1662724 [5] http://drupal.org/project/restrict_node_page_view [6] http://drupal.org/user/11219 [7] http://drupal.org/user/11219 [8] http://drupal.org/user/36762 [9] http://drupal.org/user/347249 [10] http://drupal.org/contact [11] http://drupal.org/security-team [12] http://drupal.org/writing-secure-code [13] http://drupal.org/security/secure-configuration

1 0