wpa_supplicant-gui-2.10-150600.7.3.1<>,i4fp9|%{Si}TRʼb#0 TDJE3bvxbKpނ,t*@âۚrE|=qZf) rQk{VOJ[M/fOr"]/Z_Pr)ZC3Mj: #Xܩ~ZV1 C ޔ 馵Z5ʅA|0+rh욢La5GΉQ` `1x+oܫF>d\8cWKvgõj"B*O>>(?d ' J , BNkqx     &0\d(8$*9*: ,*F@GTH\IdXhYp\]^bczdef l u v(wPxXy`zCwpa_supplicant-gui2.10150600.7.3.1WPA supplicant graphical front-endThis package contains a graphical front-end to wpa_supplicant, an implementation of the WPA Supplicant component.fh01-ch2c ~SUSE Linux Enterprise 15SUSE LLC BSD-3-Clause AND GPL-2.0-or-laterhttps://www.suse.com/Unspecifiedhttps://w1.fi/wpa_supplicantlinuxx86_64 큤ff2926792857c00f118ec332f570c5a1cd05c3ed648aecce50546c93583b1fae8ed57783ead2cca37539bf8b5c4a81b8105c2970de177652fe1a027433593467aarootrootrootrootwpa_supplicant-2.10-150600.7.3.1.src.rpmwpa_supplicant-guiwpa_supplicant-gui(x86-64)@@@@@@@@@@@@@@@@@@@@@@    libQt5Core.so.5()(64bit)libQt5Core.so.5(Qt_5)(64bit)libQt5Core.so.5(Qt_5.15)(64bit)libQt5Gui.so.5()(64bit)libQt5Gui.so.5(Qt_5)(64bit)libQt5Widgets.so.5()(64bit)libQt5Widgets.so.5(Qt_5)(64bit)libc.so.6()(64bit)libc.so.6(GLIBC_2.14)(64bit)libc.so.6(GLIBC_2.15)(64bit)libc.so.6(GLIBC_2.17)(64bit)libc.so.6(GLIBC_2.2.5)(64bit)libc.so.6(GLIBC_2.3.4)(64bit)libc.so.6(GLIBC_2.34)(64bit)libc.so.6(GLIBC_2.38)(64bit)libc.so.6(GLIBC_2.4)(64bit)libgcc_s.so.1()(64bit)libgcc_s.so.1(GCC_3.0)(64bit)libstdc++.so.6()(64bit)libstdc++.so.6(CXXABI_1.3)(64bit)libstdc++.so.6(CXXABI_1.3.9)(64bit)libstdc++.so.6(GLIBCXX_3.4)(64bit)rpmlib(CompressedFileNames)rpmlib(FileDigests)rpmlib(PayloadFilesHavePrefix)rpmlib(PayloadIsXz)wpa_supplicant3.0.4-14.6.0-14.0-15.2-14.14.3e}@c@b@b@`lM@`?z@`:4@`_|\@_i@_i@^@^@^|@^|@^Y]]>[<@[[ā@[[;@[@[QY@X@X]W@VU@VŲ@V`V=@UKSUCjU8U'@U/@TBV@cfamullaconrad@suse.comcfamullaconrad@suse.comcfamullaconrad@suse.comcfamullaconrad@suse.comcfamullaconrad@suse.comcfamullaconrad@suse.comcfamullaconrad@suse.comcfamullaconrad@suse.comsp1ritCS@protonmail.comcfamullaconrad@suse.comsongchuan.kang@suse.comcfamullaconrad@suse.combwiedemann@suse.comcfamullaconrad@suse.comilya@ilya.pp.uatchvatal@suse.comtchvatal@suse.comilya@ilya.pp.uailya@ilya.pp.uakbabioch@suse.comro@suse.dekbabioch@suse.comkbabioch@suse.comkbabioch@suse.comro@suse.demeissner@suse.comobs@botter.ccdwaas@suse.commeissner@suse.comtchvatal@suse.comlnussel@suse.decrrodriguez@opensuse.orgcrrodriguez@opensuse.orgcrrodriguez@opensuse.orglnussel@suse.demichael@stroeder.comro@suse.dezaitor@opensuse.orgcrrodriguez@opensuse.orgstefan.bruens@rwth-aachen.destefan.bruens@rwth-aachen.destefan.bruens@rwth-aachen.de- Add CVE-2023-52160.patch - Bypassing WiFi Authentication (bsc#1219975) - Change ctrl_interface from /var/run to %_rundir (/run)- update to 2.10.0: jsc#PED-2904 * SAE changes - improved protection against side channel attacks [https://w1.fi/security/2022-1/] - added support for the hash-to-element mechanism (sae_pwe=1 or sae_pwe=2); this is currently disabled by default, but will likely get enabled by default in the future - fixed PMKSA caching with OKC - added support for SAE-PK * EAP-pwd changes - improved protection against side channel attacks [https://w1.fi/security/2022-1/] * fixed P2P provision discovery processing of a specially constructed invalid frame [https://w1.fi/security/2021-1/] * fixed P2P group information processing of a specially constructed invalid frame [https://w1.fi/security/2020-2/] * fixed PMF disconnection protection bypass in AP mode [https://w1.fi/security/2019-7/] * added support for using OpenSSL 3.0 * increased the maximum number of EAP message exchanges (mainly to support cases with very large certificates) * fixed various issues in experimental support for EAP-TEAP peer * added support for DPP release 2 (Wi-Fi Device Provisioning Protocol) * a number of MKA/MACsec fixes and extensions * added support for SAE (WPA3-Personal) AP mode configuration * added P2P support for EDMG (IEEE 802.11ay) channels * fixed EAP-FAST peer with TLS GCM/CCM ciphers * improved throughput estimation and BSS selection * dropped support for libnl 1.1 * added support for nl80211 control port for EAPOL frame TX/RX * fixed OWE key derivation with groups 20 and 21; this breaks backwards compatibility for these groups while the default group 19 remains backwards compatible * added support for Beacon protection * added support for Extended Key ID for pairwise keys * removed WEP support from the default build (CONFIG_WEP=y can be used to enable it, if really needed) * added a build option to remove TKIP support (CONFIG_NO_TKIP=y) * added support for Transition Disable mechanism to allow the AP to automatically disable transition mode to improve security * extended D-Bus interface * added support for PASN * added a file-based backend for external password storage to allow secret information to be moved away from the main configuration file without requiring external tools * added EAP-TLS peer support for TLS 1.3 (disabled by default for now) * added support for SCS, MSCS, DSCP policy * changed driver interface selection to default to automatic fallback to other compiled in options * a large number of other fixes, cleanup, and extensions - drop wpa_supplicant-p2p_iname_size.diff, CVE-2021-30004.patch, CVE-2021-27803.patch, CVE-2021-0326.patch, CVE-2019-16275.patch, CVE-2022-23303_0001.patch, CVE-2022-23303_0002.patch, CVE-2022-23303_0003.patch, CVE-2022-23303_0004.patch: upstream - drop restore-old-dbus-interface.patch, wicked has been switching to the new dbus interface in version 0.6.66 - config: * re-enable CONFIG_WEP * enable QCA vendor extensions to nl80211 * enable support for Automatic Channel Selection * enable OCV, security feature that prevents MITM multi-channel attacks * enable QCA vendor extensions to nl80211 * enable EAP-EKE * Support HT overrides * TLS v1.1 and TLS v1.2 * Fast Session Transfer (FST) * Automatic Channel Selection * Multi Band Operation * Fast Initial Link Setup * Mesh Networking (IEEE 802.11s) - Add dbus-Fix-property-DebugShowKeys-and-DebugTimestamp.patch (bsc#1201219) - Move the dbus-1 system.d file to /usr (bsc#1200342) - Added hardening to systemd service(s) (bsc#1181400). Modified: * wpa_supplicant.service - drop wpa_supplicant-getrandom.patch : glibc has been updated so the getrandom() wrapper is now there - Sync wpa_supplicant.spec with Factory- Enable WPA3-Enterprise (SuiteB-192) support.- Add CVE-2022-23303_0001.patch, CVE-2022-23303_0002.patch, CVE-2022-23303_0003.patch, CVE-2022-23303_0004.patch SAE/EAP-pwd side-channel attack update 2 (CVE-2022-23303, CVE-2022-23304, bsc#1194732, bsc#1194733)- Add CVE-2021-30004.patch -- forging attacks may occur because AlgorithmIdentifier parameters are mishandled in tls/pkcs1.c and tls/x509v3.c (bsc#1184348)- Fix systemd device ready dependencies in wpa_supplicant@.service file. (see: https://forums.opensuse.org/showthread.php/547186-wpa_supplicant-service-fails-on-boot-succeeds-on-restart?p=2982844#post2982844)- Add CVE-2021-27803.patch -- P2P provision discovery processing vulnerability (bsc#1182805)- Add CVE-2021-0326.patch -- P2P group information processing vulnerability (bsc#1181777)- Add wpa_supplicant-p2p_iname_size.diff -- Limit P2P_DEVICE name to appropriate ifname size (https://patchwork.ozlabs.org/project/hostap/patch/20200825062902.124600-1-benjamin@sipsolutions.net/)- Fix spec file for SLE12, use make %{?_smp_mflags} instead of %make_build- Enable SAE support(jsc#SLE-14992).- Add CVE-2019-16275.patch -- AP mode PMF disconnection protection bypass (bsc#1150934)- Add restore-old-dbus-interface.patch to fix wicked wlan (boo#1156920) - Restore fi.epitest.hostap.WPASupplicant.service (bsc#1167331)- With v2.9 fi.epitest.hostap.WPASupplicant.service is obsolete (bsc#1167331)- Change wpa_supplicant.service to ensure wpa_supplicant gets started before network. Fix WLAN config on boot with wicked. (boo#1166933)- Adjust the service to start after network.target wrt bsc#1165266- Update to 2.9 release: * SAE changes - disable use of groups using Brainpool curves - improved protection against side channel attacks [https://w1.fi/security/2019-6/] * EAP-pwd changes - disable use of groups using Brainpool curves - allow the set of groups to be configured (eap_pwd_groups) - improved protection against side channel attacks [https://w1.fi/security/2019-6/] * fixed FT-EAP initial mobility domain association using PMKSA caching (disabled by default for backwards compatibility; can be enabled with ft_eap_pmksa_caching=1) * fixed a regression in OpenSSL 1.1+ engine loading * added validation of RSNE in (Re)Association Response frames * fixed DPP bootstrapping URI parser of channel list * extended EAP-SIM/AKA fast re-authentication to allow use with FILS * extended ca_cert_blob to support PEM format * improved robustness of P2P Action frame scheduling * added support for EAP-SIM/AKA using anonymous@realm identity * fixed Hotspot 2.0 credential selection based on roaming consortium to ignore credentials without a specific EAP method * added experimental support for EAP-TEAP peer (RFC 7170) * added experimental support for EAP-TLS peer with TLS v1.3 * fixed a regression in WMM parameter configuration for a TDLS peer * fixed a regression in operation with drivers that offload 802.1X 4-way handshake * fixed an ECDH operation corner case with OpenSSL * SAE changes - added support for SAE Password Identifier - changed default configuration to enable only groups 19, 20, 21 (i.e., disable groups 25 and 26) and disable all unsuitable groups completely based on REVmd changes - do not regenerate PWE unnecessarily when the AP uses the anti-clogging token mechanisms - fixed some association cases where both SAE and FT-SAE were enabled on both the station and the selected AP - started to prefer FT-SAE over SAE AKM if both are enabled - started to prefer FT-SAE over FT-PSK if both are enabled - fixed FT-SAE when SAE PMKSA caching is used - reject use of unsuitable groups based on new implementation guidance in REVmd (allow only FFC groups with prime >= 3072 bits and ECC groups with prime >= 256) - minimize timing and memory use differences in PWE derivation [https://w1.fi/security/2019-1/] (CVE-2019-9494, bsc#1131868) * EAP-pwd changes - minimize timing and memory use differences in PWE derivation [https://w1.fi/security/2019-2/] (CVE-2019-9495, bsc#1131870) - verify server scalar/element [https://w1.fi/security/2019-4/] (CVE-2019-9497, CVE-2019-9498, CVE-2019-9499, bsc#1131874, bsc#1131872, bsc#1131871, bsc#1131644) - fix message reassembly issue with unexpected fragment [https://w1.fi/security/2019-5/] (CVE-2019-11555, bsc#1133640) - enforce rand,mask generation rules more strictly - fix a memory leak in PWE derivation - disallow ECC groups with a prime under 256 bits (groups 25, 26, and 27) - SAE/EAP-pwd side-channel attack update [https://w1.fi/security/2019-6/] (CVE-2019-13377, bsc#1144443) * fixed CONFIG_IEEE80211R=y (FT) build without CONFIG_FILS=y * Hotspot 2.0 changes - do not indicate release number that is higher than the one AP supports - added support for release number 3 - enable PMF automatically for network profiles created from credentials * fixed OWE network profile saving * fixed DPP network profile saving * added support for RSN operating channel validation (CONFIG_OCV=y and network profile parameter ocv=1) * added Multi-AP backhaul STA support * fixed build with LibreSSL * number of MKA/MACsec fixes and extensions * extended domain_match and domain_suffix_match to allow list of values * fixed dNSName matching in domain_match and domain_suffix_match when using wolfSSL * started to prefer FT-EAP-SHA384 over WPA-EAP-SUITE-B-192 AKM if both are enabled * extended nl80211 Connect and external authentication to support SAE, FT-SAE, FT-EAP-SHA384 * fixed KEK2 derivation for FILS+FT * extended client_cert file to allow loading of a chain of PEM encoded certificates * extended beacon reporting functionality * extended D-Bus interface with number of new properties * fixed a regression in FT-over-DS with mac80211-based drivers * OpenSSL: allow systemwide policies to be overridden * extended driver flags indication for separate 802.1X and PSK 4-way handshake offload capability * added support for random P2P Device/Interface Address use * extended PEAP to derive EMSK to enable use with ERP/FILS * extended WPS to allow SAE configuration to be added automatically for PSK (wps_cred_add_sae=1) * removed support for the old D-Bus interface (CONFIG_CTRL_IFACE_DBUS) * extended domain_match and domain_suffix_match to allow list of values * added a RSN workaround for misbehaving PMF APs that advertise IGTK/BIP KeyID using incorrect byte order * fixed PTK rekeying with FILS and FT * fixed WPA packet number reuse with replayed messages and key reinstallation [https://w1.fi/security/2017-1/] (CVE-2017-13077, CVE-2017-13078, CVE-2017-13079, CVE-2017-13080, CVE-2017-13081, CVE-2017-13082, CVE-2017-13086, CVE-2017-13087, CVE-2017-13088) * fixed unauthenticated EAPOL-Key decryption in wpa_supplicant [https://w1.fi/security/2018-1/] (CVE-2018-14526) * added support for FILS (IEEE 802.11ai) shared key authentication * added support for OWE (Opportunistic Wireless Encryption, RFC 8110; and transition mode defined by WFA) * added support for DPP (Wi-Fi Device Provisioning Protocol) * added support for RSA 3k key case with Suite B 192-bit level * fixed Suite B PMKSA caching not to update PMKID during each 4-way handshake * fixed EAP-pwd pre-processing with PasswordHashHash * added EAP-pwd client support for salted passwords * fixed a regression in TDLS prohibited bit validation * started to use estimated throughput to avoid undesired signal strength based roaming decision * MACsec/MKA: - new macsec_linux driver interface support for the Linux kernel macsec module - number of fixes and extensions * added support for external persistent storage of PMKSA cache (PMKSA_GET/PMKSA_ADD control interface commands; and MESH_PMKSA_GET/MESH_PMKSA_SET for the mesh case) * fixed mesh channel configuration pri/sec switch case * added support for beacon report * large number of other fixes, cleanup, and extensions * added support for randomizing local address for GAS queries (gas_rand_mac_addr parameter) * fixed EAP-SIM/AKA/AKA' ext auth cases within TLS tunnel * added option for using random WPS UUID (auto_uuid=1) * added SHA256-hash support for OCSP certificate matching * fixed EAP-AKA' to add AT_KDF into Synchronization-Failure * fixed a regression in RSN pre-authentication candidate selection * added option to configure allowed group management cipher suites (group_mgmt network profile parameter) * removed all PeerKey functionality * fixed nl80211 AP and mesh mode configuration regression with Linux 4.15 and newer * added ap_isolate configuration option for AP mode * added support for nl80211 to offload 4-way handshake into the driver * added support for using wolfSSL cryptographic library * SAE - added support for configuring SAE password separately of the WPA2 PSK/passphrase - fixed PTK and EAPOL-Key integrity and key-wrap algorithm selection for SAE; note: this is not backwards compatible, i.e., both the AP and station side implementations will need to be update at the same time to maintain interoperability - added support for Password Identifier - fixed FT-SAE PMKID matching * Hotspot 2.0 - added support for fetching of Operator Icon Metadata ANQP-element - added support for Roaming Consortium Selection element - added support for Terms and Conditions - added support for OSEN connection in a shared RSN BSS - added support for fetching Venue URL information * added support for using OpenSSL 1.1.1 * FT - disabled PMKSA caching with FT since it is not fully functional - added support for SHA384 based AKM - added support for BIP ciphers BIP-CMAC-256, BIP-GMAC-128, BIP-GMAC-256 in addition to previously supported BIP-CMAC-128 - fixed additional IE inclusion in Reassociation Request frame when using FT protocol - Drop merged patches: * rebased-v2.6-0001-hostapd-Avoid-key-reinstallation-in-FT-handshake.patch * rebased-v2.6-0002-Prevent-reinstallation-of-an-already-in-use-group-ke.patch * rebased-v2.6-0003-Extend-protection-of-GTK-IGTK-reinstallation-of-WNM-.patch * rebased-v2.6-0004-Prevent-installation-of-an-all-zero-TK.patch * rebased-v2.6-0005-Fix-PTK-rekeying-to-generate-a-new-ANonce.patch * rebased-v2.6-0006-TDLS-Reject-TPK-TK-reconfiguration.patch * rebased-v2.6-0007-WNM-Ignore-WNM-Sleep-Mode-Response-without-pending-r.patch * rebased-v2.6-0008-FT-Do-not-allow-multiple-Reassociation-Response-fram.patch * rebased-v2.6-0009-WPA-Ignore-unauthenticated-encrypted-EAPOL-Key-data.patch * wpa_supplicant-bnc-1099835-fix-private-key-password.patch * wpa_supplicant-bnc-1099835-clear-default_passwd_cb.patch * wpa_supplicant-log-file-permission.patch * wpa_supplicant-log-file-cloexec.patch * wpa_supplicant-git-fa67debf4c6ddbc881a212b175faa6d5d0d90c8c.patch * wpa_supplicant-git-f5b74b966c942feb95a8ddbb7d130540b15b796d.patch - Rebase patches: * wpa_supplicant-getrandom.patch- Refresh spec-file via spec-cleaner and manual optimizations. * Change URL and Source0 to actual project homepage. * Remove macro %{?systemd_requires} and rm (not needed). * Add %autopatch macro. * Add %make_build macro. - Chenged patch wpa_supplicant-flush-debug-output.patch (to -p1). - Changed service-files for start after network (systemd-networkd).- Refresh spec-file: add %license tag.- Renamed patches: - wpa-supplicant-log-file-permission.patch -> wpa_supplicant-log-file-permission.patch - wpa-supplicant-log-file-cloexec.patch -> wpa_supplicant-log-file-cloexec.patch - wpa_supplicant-log-file-permission.patch: Using O_WRONLY flag - Enabled timestamps in log files (bsc#1080798)- compile eapol_test binary to allow testing via radius proxy and server (note: this does not match CONFIG_EAPOL_TEST which sets -Werror and activates an assert call inside the code of wpa_supplicant) (bsc#1111873), (fate#326725) - add patch to fix wrong operator precedence in ieee802_11.c wpa_supplicant-git-fa67debf4c6ddbc881a212b175faa6d5d0d90c8c.patch - add patch to avoid redefinition of __bitwise macro wpa_supplicant-git-f5b74b966c942feb95a8ddbb7d130540b15b796d.patch- Added wpa-supplicant-log-file-permission.patch: Fixes the default file permissions of the debug log file to more sane values, i.e. it is no longer world-readable (bsc#1098854). - Added wpa-supplicant-log-file-cloexec.patch: Open the debug log file with O_CLOEXEC, which will prevent file descriptor leaking to child processes (bsc#1098854).- Added rebased-v2.6-0009-WPA-Ignore-unauthenticated-encrypted-EAPOL-Key-data.patch: Ignore unauthenticated encrypted EAPOL-Key data (CVE-2018-14526, bsc#1104205).- Enabled PWD as EAP method. This allows for password-based authentication, which is easier to setup than most of the other methods, and is used by the Eduroam network (bsc#1109209).- add two patches from upstream to fix reading private key passwords from the configuration file (bsc#1099835) - add patch for git 89971d8b1e328a2f79699c953625d1671fd40384 wpa_supplicant-bnc-1099835-clear-default_passwd_cb.patch - add patch for git f665c93e1d28fbab3d9127a8c3985cc32940824f wpa_supplicant-bnc-1099835-fix-private-key-password.patch- Fix KRACK attacks (bsc#1056061, CVE-2017-13078, CVE-2017-13079, CVE-2017-13080, CVE-2017-13081, CVE-2017-13087, CVE-2017-13088): - rebased-v2.6-0001-hostapd-Avoid-key-reinstallation-in-FT-handshake.patch - rebased-v2.6-0002-Prevent-reinstallation-of-an-already-in-use-group-ke.patch - rebased-v2.6-0003-Extend-protection-of-GTK-IGTK-reinstallation-of-WNM-.patch - rebased-v2.6-0004-Prevent-installation-of-an-all-zero-TK.patch - rebased-v2.6-0005-Fix-PTK-rekeying-to-generate-a-new-ANonce.patch - rebased-v2.6-0006-TDLS-Reject-TPK-TK-reconfiguration.patch - rebased-v2.6-0007-WNM-Ignore-WNM-Sleep-Mode-Response-without-pending-r.patch - rebased-v2.6-0008-FT-Do-not-allow-multiple-Reassociation-Response-fram.patch- fix wpa_supplicant-sigusr1-changes-debuglevel.patch to match eloop_signal_handler type (needed to build eapol_test via config)- Added .service files that accept interfaces as %i arguments so it's possible to call the daemon with: "systemctl start wpa_supplicant@$INTERFACE_NAME.service" (like openvpn for example)- updated to 2.6 / 2016-10-02 * fixed WNM Sleep Mode processing when PMF is not enabled [http://w1.fi/security/2015-6/] (CVE-2015-5310 bsc#952254) * fixed EAP-pwd last fragment validation [http://w1.fi/security/2015-7/] (CVE-2015-5315 bsc#953115) * fixed EAP-pwd unexpected Confirm message processing [http://w1.fi/security/2015-8/] (CVE-2015-5316 bsc#953115) * fixed WPS configuration update vulnerability with malformed passphrase [http://w1.fi/security/2016-1/] (CVE-2016-4476 bsc#978172) * fixed configuration update vulnerability with malformed parameters set over the local control interface [http://w1.fi/security/2016-1/] (CVE-2016-4477 bsc#978175) * fixed TK configuration to the driver in EAPOL-Key 3/4 retry case * extended channel switch support for P2P GO * started to throttle control interface event message bursts to avoid issues with monitor sockets running out of buffer space * mesh mode fixes/improvements - generate proper AID for peer - enable WMM by default - add VHT support - fix PMKID derivation - improve robustness on various exchanges - fix peer link counting in reconnect case - improve mesh joining behavior - allow DTIM period to be configured - allow HT to be disabled (disable_ht=1) - add MESH_PEER_ADD and MESH_PEER_REMOVE commands - add support for PMKSA caching - add minimal support for SAE group negotiation - allow pairwise/group cipher to be configured in the network profile - use ieee80211w profile parameter to enable/disable PMF and derive a separate TX IGTK if PMF is enabled instead of using MGTK incorrectly - fix AEK and MTK derivation - remove GTKdata and IGTKdata from Mesh Peering Confirm/Close - note: these changes are not fully backwards compatible for secure (RSN) mesh network * fixed PMKID derivation with SAE * added support for requesting and fetching arbitrary ANQP-elements without internal support in wpa_supplicant for the specific element (anqp[265]= in "BSS " command output) * P2P - filter control characters in group client device names to be consistent with other P2P peer cases - support VHT 80+80 MHz and 160 MHz - indicate group completion in P2P Client role after data association instead of already after the WPS provisioning step - improve group-join operation to use SSID, if known, to filter BSS entries - added optional ssid= argument to P2P_CONNECT for join case - added P2P_GROUP_MEMBER command to fetch client interface address * P2PS - fix follow-on PD Response behavior - fix PD Response generation for unknown peer - fix persistent group reporting - add channel policy to PD Request - add group SSID to the P2PS-PROV-DONE event - allow "P2P_CONNECT p2ps" to be used without specifying the default PIN * BoringSSL - support for OCSP stapling - support building of h20-osu-client * D-Bus - add ExpectDisconnect() - add global config parameters as properties - add SaveConfig() - add VendorElemAdd(), VendorElemGet(), VendorElemRem() * fixed Suite B 192-bit AKM to use proper PMK length (note: this makes old releases incompatible with the fixed behavior) * improved PMF behavior for cases where the AP and STA has different configuration by not trying to connect in some corner cases where the connection cannot succeed * added option to reopen debug log (e.g., to rotate the file) upon receipt of SIGHUP signal * EAP-pwd: added support for Brainpool Elliptic Curves (with OpenSSL 1.0.2 and newer) * fixed EAPOL reauthentication after FT protocol run * fixed FTIE generation for 4-way handshake after FT protocol run * extended INTERFACE_ADD command to allow certain type (sta/ap) interface to be created * fixed and improved various FST operations * added 80+80 MHz and 160 MHz VHT support for IBSS/mesh * fixed SIGNAL_POLL in IBSS and mesh cases * added an option to abort an ongoing scan (used to speed up connection and can also be done with the new ABORT_SCAN command) * TLS client - do not verify CA certificates when ca_cert is not specified - support validating server certificate hash - support SHA384 and SHA512 hashes - add signature_algorithms extension into ClientHello - support TLS v1.2 signature algorithm with SHA384 and SHA512 - support server certificate probing - allow specific TLS versions to be disabled with phase2 parameter - support extKeyUsage - support PKCS #5 v2.0 PBES2 - support PKCS #5 with PKCS #12 style key decryption - minimal support for PKCS #12 - support OCSP stapling (including ocsp_multi) * OpenSSL - support OpenSSL 1.1 API changes - drop support for OpenSSL 0.9.8 - drop support for OpenSSL 1.0.0 * added support for multiple schedule scan plans (sched_scan_plans) * added support for external server certificate chain validation (tls_ext_cert_check=1 in the network profile phase1 parameter) * made phase2 parser more strict about correct use of auth= and autheap= values * improved GAS offchannel operations with comeback request * added SIGNAL_MONITOR command to request signal strength monitoring events * added command for retrieving HS 2.0 icons with in-memory storage (REQ_HS20_ICON, GET_HS20_ICON, DEL_HS20_ICON commands and RX-HS20-ICON event) * enabled ACS support for AP mode operations with wpa_supplicant * EAP-PEAP: fixed interoperability issue with Windows 2012r2 server ("Invalid Compound_MAC in cryptobinding TLV") * EAP-TTLS: fixed success after fragmented final Phase 2 message * VHT: added interoperability workaround for 80+80 and 160 MHz channels * WNM: workaround for broken AP operating class behavior * added kqueue(2) support for eloop (CONFIG_ELOOP_KQUEUE) * nl80211: - add support for full station state operations - do not add NL80211_ATTR_SMPS_MODE attribute if HT is disabled - add NL80211_ATTR_PREV_BSSID with Connect command - fix IEEE 802.1X/WEP EAP reauthentication and rekeying to use unencrypted EAPOL frames * added initial MBO support; number of extensions to WNM BSS Transition Management * added support for PBSS/PCP and P2P on 60 GHz * Interworking: add credential realm to EAP-TLS identity * fixed EAPOL-Key Request Secure bit to be 1 if PTK is set * HS 2.0: add support for configuring frame filters * added POLL_STA command to check connectivity in AP mode * added initial functionality for location related operations * started to ignore pmf=1/2 parameter for non-RSN networks * added wps_disabled=1 network profile parameter to allow AP mode to be started without enabling WPS * wpa_cli: added action script support for AP-ENABLED and AP-DISABLED events * improved Public Action frame addressing - add gas_address3 configuration parameter to control Address 3 behavior * number of small fixes - wpa_supplicant-dump-certificate-as-PEM-in-debug-mode.diff: dump x509 certificates from remote radius server in debug mode in WPA-EAP.- Remove support for <12.3 as we are unresolvable there anyway - Use qt5 on 13.2 if someone pulls this package in - Convert to pkgconfig dependencies over the devel pkgs - Use the %qmake5 macro to build the qt5 gui- add After=dbus.service to prevent too early shutdown (bnc#963652)- Revert CONFIG_ELOOP_EPOLL=y, it is broken in combination with CONFIG_DBUS=yes.- spec: Compile the GUI against QT5 in 13.2 and later.- Previous update did not include version 2.5 tarball or changed the version number in spec, only the changelog and removed patches. - config: set CONFIG_NO_RANDOM_POOL=y, we have a reliable· random number generator by using /dev/urandom, no need to keep an internal random number pool which draws entropy from /dev/random. - config: prefer using epoll(7) instead of select(2) by setting CONFIG_ELOOP_EPOLL=y - wpa_supplicant-getrandom.patch: Prefer to use the getrandom(2) system call to collect entropy. if it is not present disable buffering when reading /dev/urandom, otherwise each os_get_random() call will request BUFSIZ of entropy instead of the few needed bytes.- add aliases for both provided dbus names to avoid systemd stopping the service when switching runlevels (boo#966535)- removed obsolete security patches: * 0001-P2P-Validate-SSID-element-length-before-copying-it-C.patch * 0001-WPS-Fix-HTTP-chunked-transfer-encoding-parser.patch * 0001-AP-WMM-Fix-integer-underflow-in-WMM-Action-frame-par.patch * 0001-EAP-pwd-peer-Fix-payload-length-validation-for-Commi.patch * wpa_s-D-Bus-Fix-operations-when-P2P-management-interface-is-used.patch * 0002-EAP-pwd-server-Fix-payload-length-validation-for-Com.patch * 0003-EAP-pwd-peer-Fix-Total-Length-parsing-for-fragment-r.patch * 0004-EAP-pwd-server-Fix-Total-Length-parsing-for-fragment.patch * 0005-EAP-pwd-peer-Fix-asymmetric-fragmentation-behavior.patch - Update to upstream release 2.5 * fixed P2P validation of SSID element length before copying it [http://w1.fi/security/2015-1/] (CVE-2015-1863) * fixed WPS UPnP vulnerability with HTTP chunked transfer encoding [http://w1.fi/security/2015-2/] (CVE-2015-4141) * fixed WMM Action frame parser (AP mode) [http://w1.fi/security/2015-3/] (CVE-2015-4142) * fixed EAP-pwd peer missing payload length validation [http://w1.fi/security/2015-4/] (CVE-2015-4143, CVE-2015-4144, CVE-2015-4145, CVE-2015-4146) * fixed validation of WPS and P2P NFC NDEF record payload length [http://w1.fi/security/2015-5/] (CVE-2015-8041) * nl80211: - added VHT configuration for IBSS - fixed vendor command handling to check OUI properly - allow driver-based roaming to change ESS * added AVG_BEACON_RSSI to SIGNAL_POLL output * wpa_cli: added tab completion for number of commands * removed unmaintained and not yet completed SChannel/CryptoAPI support * modified Extended Capabilities element use in Probe Request frames to include all cases if any of the values are non-zero * added support for dynamically creating/removing a virtual interface with interface_add/interface_remove * added support for hashed password (NtHash) in EAP-pwd peer * added support for memory-only PSK/passphrase (mem_only_psk=1 and CTRL-REQ/RSP-PSK_PASSPHRASE) * P2P - optimize scan frequencies list when re-joining a persistent group - fixed number of sequences with nl80211 P2P Device interface - added operating class 125 for P2P use cases (this allows 5 GHz channels 161 and 169 to be used if they are enabled in the current regulatory domain) - number of fixes to P2PS functionality - do not allow 40 MHz co-ex PRI/SEC switch to force MCC - extended support for preferred channel listing * D-Bus: - fixed WPS property of fi.w1.wpa_supplicant1.BSS interface - fixed PresenceRequest to use group interface - added new signals: FindStopped, WPS pbc-overlap, GroupFormationFailure, WPS timeout, InvitationReceived - added new methods: WPS Cancel, P2P Cancel, Reconnect, RemoveClient - added manufacturer info * added EAP-EKE peer support for deriving Session-Id * added wps_priority configuration parameter to set the default priority for all network profiles added by WPS * added support to request a scan with specific SSIDs with the SCAN command (optional "ssid " arguments) * removed support for WEP40/WEP104 as a group cipher with WPA/WPA2 * fixed SAE group selection in an error case * modified SAE routines to be more robust and PWE generation to be stronger against timing attacks * added support for Brainpool Elliptic Curves with SAE * added support for CCMP-256 and GCMP-256 as group ciphers with FT * fixed BSS selection based on estimated throughput * added option to disable TLSv1.0 with OpenSSL (phase1="tls_disable_tlsv1_0=1") * added Fast Session Transfer (FST) module * fixed OpenSSL PKCS#12 extra certificate handling * fixed key derivation for Suite B 192-bit AKM (this breaks compatibility with the earlier version) * added RSN IE to Mesh Peering Open/Confirm frames * number of small fixes- added patch for bnc#930077 CVE-2015-4141 0001-AP-WMM-Fix-integer-underflow-in-WMM-Action-frame-par.patch - added patch for bnc#930078 CVE-2015-4142 0001-WPS-Fix-HTTP-chunked-transfer-encoding-parser.patch - added patches for bnc#930079 CVE-2015-4143 0001-EAP-pwd-peer-Fix-payload-length-validation-for-Commi.patch 0002-EAP-pwd-server-Fix-payload-length-validation-for-Com.patch 0003-EAP-pwd-peer-Fix-Total-Length-parsing-for-fragment-r.patch 0004-EAP-pwd-server-Fix-Total-Length-parsing-for-fragment.patch 0005-EAP-pwd-peer-Fix-asymmetric-fragmentation-behavior.patch- Add wpa_s-D-Bus-Fix-operations-when-P2P-management-interface-is-used.patch Fix Segmentation fault in wpa_supplicant. Patch taken from upstream master git (arch#44740).- 0001-P2P-Validate-SSID-element-length-before-copying-it-C.patch Fix CVE-2015-1863, memcpy overflow. - wpa_supplicant-alloc_size.patch: annotate two wrappers with attribute alloc_size, which may help warning us of bugs such as the above.- Delete wpa_priv and eapol_test man pages, these are disabled in config - Move wpa_gui man page to gui package- Update to 2.4 * allow OpenSSL cipher configuration to be set for internal EAP server (openssl_ciphers parameter) * fixed number of small issues based on hwsim test case failures and static analyzer reports * P2P: - add new=<0/1> flag to P2P-DEVICE-FOUND events - add passive channels in invitation response from P2P Client - enable nl80211 P2P_DEVICE support by default - fix regresssion in disallow_freq preventing search on social channels - fix regressions in P2P SD query processing - try to re-invite with social operating channel if no common channels in invitation - allow cross connection on parent interface (this fixes number of use cases with nl80211) - add support for P2P services (P2PS) - add p2p_go_ctwindow configuration parameter to allow GO CTWindow to be configured * increase postponing of EAPOL-Start by one second with AP/GO that supports WPS 2.0 (this makes it less likely to trigger extra roundtrip of identity frames) * add support for PMKSA caching with SAE * add support for control mesh BSS (IEEE 802.11s) operations * fixed number of issues with D-Bus P2P commands * fixed regression in ap_scan=2 special case for WPS * fixed macsec_validate configuration * add a workaround for incorrectly behaving APs that try to use EAPOL-Key descriptor version 3 when the station supports PMF even if PMF is not enabled on the AP * allow TLS v1.1 and v1.2 to be negotiated by default; previous behavior of disabling these can be configured to work around issues with broken servers with phase1="tls_disable_tlsv1_1=1 tls_disable_tlsv1_2=1" * add support for Suite B (128-bit and 192-bit level) key management and cipher suites * add WMM-AC support (WMM_AC_ADDTS/WMM_AC_DELTS) * improved BSS Transition Management processing * add support for neighbor report * add support for link measurement * fixed expiration of BSS entry with all-zeros BSSID * add optional LAST_ID=x argument to LIST_NETWORK to allow all configured networks to be listed even with huge number of network profiles * add support for EAP Re-Authentication Protocol (ERP) * fixed EAP-IKEv2 fragmentation reassembly * improved PKCS#11 configuration for OpenSSL * set stdout to be line-buffered * add TDLS channel switch configuration * add support for MAC address randomization in scans with nl80211 * enable HT for IBSS if supported by the driver * add BSSID black and white lists (bssid_blacklist, bssid_whitelist) * add support for domain_suffix_match with GnuTLS * add OCSP stapling client support with GnuTLS * include peer certificate in EAP events even without a separate probe operation; old behavior can be restored with cert_in_cb=0 * add peer ceritficate alt subject name to EAP events (CTRL-EVENT-EAP-PEER-ALT) * add domain_match network profile parameter (similar to domain_suffix_match, but full match is required) * enable AP/GO mode HT Tx STBC automatically based on driver support * add ANQP-QUERY-DONE event to provide information on ANQP parsing status * allow passive scanning to be forced with passive_scan=1 * add a workaround for Linux packet socket behavior when interface is in bridge * increase 5 GHz band preference in BSS selection (estimate SNR, if info not available from driver; estimate maximum throughput based on common HT/VHT/specific TX rate support) * add INTERWORKING_ADD_NETWORK ctrl_iface command; this can be used to implement Interworking network selection behavior in upper layers software components * add optional reassoc_same_bss_optim=1 (disabled by default) optimization to avoid unnecessary Authentication frame exchange * extend TDLS frame padding workaround to cover all packets * allow wpa_supplicant to recover nl80211 functionality if the cfg80211 module gets removed and reloaded without restarting wpa_supplicant * allow hostapd DFS implementation to be used in wpa_supplicant AP mode- Update to 2.3 * fixed number of minor issues identified in static analyzer warnings * fixed wfd_dev_info to be more careful and not read beyond the buffer when parsing invalid information for P2P-DEVICE-FOUND * extended P2P and GAS query operations to support drivers that have maximum remain-on-channel time below 1000 ms (500 ms is the current minimum supported value) * added p2p_search_delay parameter to make the default p2p_find delay configurable * improved P2P operating channel selection for various multi-channel concurrency cases * fixed some TDLS failure cases to clean up driver state * fixed dynamic interface addition cases with nl80211 to avoid adding ifindex values to incorrect interface to skip foreign interface events properly * added TDLS workaround for some APs that may add extra data to the end of a short frame * fixed EAP-AKA' message parser with multiple AT_KDF attributes * added configuration option (p2p_passphrase_len) to allow longer passphrases to be generated for P2P groups * fixed IBSS channel configuration in some corner cases * improved HT/VHT/QoS parameter setup for TDLS * modified D-Bus interface for P2P peers/groups * started to use constant time comparison for various password and hash values to reduce possibility of any externally measurable timing differences * extended explicit clearing of freed memory and expired keys to avoid keeping private data in memory longer than necessary * added optional scan_id parameter to the SCAN command to allow manual scan requests for active scans for specific configured SSIDs * fixed CTRL-EVENT-REGDOM-CHANGE event init parameter value * added option to set Hotspot 2.0 Rel 2 update_identifier in network configuration to support external configuration * modified Android PNO functionality to send Probe Request frames only for hidden SSIDs (based on scan_ssid=1) * added generic mechanism for adding vendor elements into frames at runtime (VENDOR_ELEM_ADD, VENDOR_ELEM_GET, VENDOR_ELEM_REMOVE) * added fields to show unrecognized vendor elements in P2P_PEER * removed EAP-TTLS/MSCHAPv2 interoperability workaround so that MS-CHAP2-Success is required to be present regardless of eap_workaround configuration * modified EAP fast session resumption to allow results to be used only with the same network block that generated them * extended freq_list configuration to apply for sched_scan as well as normal scan * modified WPS to merge mixed-WPA/WPA2 credentials from a single session * fixed nl80211/RTM_DELLINK processing when a P2P GO interface is removed from a bridge * fixed number of small P2P issues to make negotiations more robust in corner cases * added experimental support for using temporary, random local MAC address (mac_addr and preassoc_mac_addr parameters); this is disabled by default (i.e., previous behavior of using permanent address is maintained if configuration is not changed) * added D-Bus interface for setting/clearing WFD IEs * fixed TDLS AID configuration for VHT * modified -m configuration file to be used only for the P2P non-netdev management device and do not load this for the default station interface or load the station interface configuration for the P2P management interface * fixed external MAC address changes while wpa_supplicant is running * started to enable HT (if supported by the driver) for IBSS * fixed wpa_cli action script execution to use more robust mechanism (CVE-2014-3686)h01-ch2c 17267463302.10-150600.7.3.12.10-150600.7.3.1wpa_guiwpa_gui.8.gz/usr/sbin//usr/share/man/man8/-fmessage-length=0 -grecord-gcc-switches -O2 -Wall -D_FORTIFY_SOURCE=2 -fstack-protector-strong -funwind-tables -fasynchronous-unwind-tables -fstack-clash-protection -gobs://build.suse.de/SUSE:Maintenance:35766/SUSE_SLE-15-SP6_Update/1481ab215a0b1830ea80ceb6538f4766-wpa_supplicant.SUSE_SLE-15-SP6_Updatedrpmxz5x86_64-suse-linuxELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=4923937a402e628dcf7411070b99214f84f65bd3, for GNU/Linux 3.2.0, strippedtroff or preprocessor input, ASCII text (gzip compressed data, max compression, from Unix)RRRRRRRRR RR RR RR R RRRRRRUV&3fy0utf-8039f7d22b77945be6000d3f37931410e5004a8bf1664ecad2030f8b83f18b8ae? 7zXZ !t/G.]"k%{m{#rD~d tGJf͚F`=6鷎-ܖr"M!G(E`TS tkavEܺk=0xªߞ!ol|sӻ-|COFoյ20\Z,R bzYÛSĮZ#C*xx[XfiI;X)'@-jh [Ko n<K\u=\%h&Mn E1&D*z8Sv'Dr(AWZ*AkRVcD1"D$tw}̙6m^t`Qȃ Ӟ"#Nzz$ S>b~,WE[pQѹNO<;GzM4:zv4x%Z/p𐩵 ه$W@(9de~ kjv@DBd'r "SqD|I…ʐ_&NaJ52< y2^ӟA 9h7Gu+ Z-I(7W`Co}{|T4d8oqm]S_!>T_`<FZPPanU 4TE g9-gFodIùosƻ_M1$}Gl~uq$D|fG\^02R7xHu&{wot g`0;e#5EKG" "ccis7BҲQ{!_ZxbZ8 m$܊WGAPǠVZk#]s ~ ?\)5v_WjL@驮4_ؤǭH/B=FxkB-rN+A?" xb_ى8U)5͸==k Bn rۯ2|f ?)8bί)6z$R<-"D WdOUhh@W8a 3TVqdQ%N-KBΡ|wf] qAQNOʢ_\da\\3ݝ*Zkb2V_O"TZtA$뱹FKL-Ob8{ޗrUд+#6mH(F,'*7&3O5A#@Lէټ}IgZF:( =@\%*j7M1MaO ћ_{dJjBId[#f0@j6cg#3r*,53<0! iP8`o~[ٳ"SE :i,4NMiI(ƤE!u#z xr GStrOp1. ,[i~yqIyGMaFIH'xTKH27Gs:iJ~H)Zyl6|P] |2>@)B;FW,/liג`FEoyg71q悏k+ 3 2D.fQhG77$zC<"|ܿxRya'%Bl> !Y]sc+ ?ニdZ-vTyܻ=s]Xz:)!9faĆ&|6"&ƐZO[KMf!F(@߮ԜŠRwh,⇒ PfW١$݃3C .Cai+է JPiz|,xOCe-4 -Ҹ5cqOWuTp8r #k<ȩo<GƜ_ ԩUH5ˇdeM]^mĐ2$F0BgFM׆x͠pZZh_Z%4 p$l}2.^#4Ӆ ȶ>5.F6޹YX6yM=RVe|C|_]ޡ#cXó]{^0Xհa ,;U9NQwtwWJ%5: )>{dN|Ks٪KE21b02A=PY> /šXN  yؗOEvp3͊%7%FHGud=Ļp?Yg0}"ͺ$һC3EwvCW4PG9tsƁDV멒3),J}74?I4. am^5)#өM ']ɩ}st;+ViLʟL%*(>!sAvVʯɰ{;A%ӬJB( !NDT), B^y;$#R]û 3})bKUr36?B7oA0Y>($̧KׄTI/O5KA~ <;!u+0H!sjK&vi#tg/'4w38ȍ_]0B{,-膍sr6L6sR8h)m*Ų]l!6&2>JhԱMD=CI!N2j4Ew"۹PƢl%x47Jtz1I˖czvI4s/q<&# 83yʗ|ePoѤPGB$St0xӖ:8|؊W`r דZ\xG>]/_An=yp8 ytcHYJeXsmΘ)svnl"A"d%\X^I|a^]Jͦ*e&깲D}.^!y6/b}=w*Z5zj8x %5*A+H/%e a;sAٲcRsu>渧Ua6$;}rneow㶴TɃO|{Q̭gIBm@;F[C `~9\T8bP j)jQ^!C},A^|y%Gz-bKa6iA_* b;T%YCcqtiroD09HC1xdw1*/ؙ,(J6wzu9Uuwf*>]WtSb<8*.d~fY]WoL-mv<י@,TȔ˃3/ϋS7o! |7 uȭ k_,'C[A^or% c'e.:#́{ {ܛ{ l` ףW6㛛fm -zJ(G%"s3& ~zޱ,tW<1$rgVe{ gJ?AoK4w-lZ~׹U3.H8D#z+ 0Q__t0XUqs聿: 8f;`Ԉsv~Nbp?,"c&K@se29{Ir6ѳF%,6݂8.q̨ '~1y_jOA$m MYy>|ʑ5HcJJ\ /HGX. # "*i-4d|g .[}k,/^?R 2n/6(KE=)қ"GJAAVV)tDt%2r>zW>*Fl^sнi꨽$jҠ\"bUd3ﴘSYoбd=06~\ 0^gTCXs"x΂9cI+go}% og7Ъ@;PdI@+<~=qlL簿Eq+Eg t.e!c+mʼ73Q[ϺL-4+j}[7`Yg"1 MBp@h`MP^G& f֠:ըQ|Ӹ.?,? s3#"p7s m]i?R&ܮAzidг^EtJZMQΜ\@p\*ih;l !tUkzkE ԗy`&&K\% >sD /([#kϼ&)#3L8H-jo:H'|;8D,L55զJ9Nrd^q6_~mҟw] jl"G#h.!#R'$/65U}S@^X[G>!:(|^# ~tѧM A}g<LlzP7sMV@"N*iIO, d.wDh2Kh/w XVK3ОzL 4gRyb}dKEDjYl=v&lV0[=hzR.׸ȨtM9HF)j>RV_Uo3bgB}Wtnl?3ڒS IJ9VONBgX!8u+BϒHEVNQUs qK0Ԛ>d؞)dXk\V k&`oTa#Qn+#+ /%+ feӏE5b>b< hpبwL6uXz=\GuguaIWc{A::i6Pc=k3<)É N)@1lxd ||kCrτ讍d6 F^~^۽Mӥ7XM2tl3@lЅ`?usR5 >DDy2l#X/VYToTn-< i! _R~r:p7'WL_h) ؟p7͖0؍qpr2'Z#Sd0-vKNcyq3 !~ $ӠHpADB,JQo aL ߝ@/p>vsS~G(|EY5qΣp׍pߙ;Dotjvn{r!*0=sR=`ʣ(>S-}}"" qGLܬrxfI}H %v,u[lsߡc[m6KL;?EC$@РHm3g0ld+3yH0 .K#U `@&cc{kf.C)`?.#ӢP><ymgrIW{V*2ϒv|[my \X:>l'X\/{܉RRJZ\^^v;RVpCpOƕ5C%z'gSvO*Z0VE/DU/+REuO 5)FDDqRP_We1 GGɄTh}9cS:j\ ?Ug'ϴiG.iL&FA3+1 !]3<@!DZu2a!|X*#;g.ޟnyuH@jIL|őUy8\zAŖ<\l:AGէx{BKE횣,1FNƵ p%x ,7B쌀:z4Ll U Ň+> {W<|ZQ2BU0L)sTˡnn >O6{^V[y(eX^W*EyW)oڲ $O&sbݒ_{h88ri|;46G>yV~/_iЎIj˃6?wt52ό98$Fe5\z&s]3l \w>/]dHaD,:;-kNq5XT7˚c_p8g-0 Q2#Ep"[+߮\i {0PWѣțgc !aȑCH1IbNAW=eK|F^cWd5ER7vrvAY0cy:3&x R77a1, <55PԻEI> δ0uU~GfN` k[A.᜔;q9$G- j \rT"xw @㙝д.߶Ee|aj$|PrX%sXm#$%ņ[G/O[pbt\gQ `e&|~dƱ" Uv۝7G8I?rQJؗ1p(-L4@?BWT:$5Qd^<0Eef2QJ[.mwѹPRp[&j57e ʽD:a*6ZFgk^phE9%]Fsv|/]X 6dJګ" )- W^ Sj X(z)ųl]o 3ⴋ`ͯ ԘR /$Aƾ{vTO|)uع#!fѠa8-V?` >\ w}7!rNʲ&T31Խ{W:s)P_IsK<6kc@2!o^N͏eOXԲEXdND26l~яW4X';oј=gߐXFZb7BkMK{{)$Q4џ%S߇s PJ]f`ٿ6q]Ùyg!r#ʦٸW36g;ܞ!Z ܟUrj,c'Hm3QA/GMzND9|2,wšs">*i< vMt0EfrNi{['ʡ (O$o4TX#jC<* a38Wb 5-P=gPaK(Q@@-wm'e遟+ @XK dr1K)&R'azPA(kۑX> ;01a xy9o~j'HYl޿DK=` oPcvf]Jk e.mDܜnT;52Oט9ybR]XUYm }sb?<#]&ll]06TEKw/7؅U2I@;,>DJ F§g#b@%yid Yżk7P%wҜS02WY#" <~O ,UrgT\HHC Ҝ=22thiYLW봚}S6 l%a5Z6^\,XRSPxЏ&j}Hg$ohxK\:@4SzUWiDKqe=ϗ%ˊ@wi$ps I xX>EϪ_xcŞ)\ط*k Q3~upq~ݛֳ[l}E3s'aP 8h]4=R[2¹ֱϞ =)Aa L;h8'7R#&*sBQ"E[vJlA\0a+6B=Ӿtdo^{<{BNgطIk pJIJ0*Qۇ wq!Wĥe|8vW{*Z:n$nԝ(^Q}RtN?V5C6Uf e! E}&Z{zA,OhIbV 7< 4/Iy@+1)ҎgxI΅q( {x_Ѵ Zn.|N7ԹOOkTgK9A: NԏY+bc(f9),2@mȌ~o~WU2-_[9 }32j}v") R/sGwGR\VZBcOd-gq_GAvu\{B6joc(۱k snƚL; %}*Zm[mmr- aޢ4W^'`\En-qn#&g;tPҠJcW)z\)`d$ߟ9+TenWdU)"YVL ID.>W49f!W2C~>A[X+{+Ȅ,Ƒ`K~{L9֊mW>ι`7dF_/z9>T[? jոYb' 9A GZG>䊻P!5t50 /$Ϻ#p\ B B=\yB|TyU(/_X&>`5xp;=M(b8!g'ao|_dpp:Nu DDr\mbFhve„RXW^s{|PDK' ԃ$[0dl8ٝ NqZ;Ɩ(YEbG@c~(4Kn };}&AL#tHɶSGtfJv弸7`NcR:p?GYxµ~CI3r їMf$H4|7Y53.,O^ /B$<#XG˾m{Y AN {X+ZHM1sx(qLnB\GFj3#6j$T`q(tGB75 0>Br7RQ .l/ѭRvEDC r ̮kRL5%,(dž$Kqx}DQ sc'" =勀Af.:oǴ(_8i^F |6'kٯuv[#6;iy4}L O ݷ-6Q\Flkt>c/?dzorԩ}qhNM-%W0v:0F4\?8LtDs"P|C4&m2U:I0m5DB9T@\T2%vQH3`U-_p>P5gf@ wҡ‚8Y$~črqQ Rq&Rr'4Y2G3Y]YRnd~tJfԣQWQ,WϾQm@Z ɳ8B?4E3|[pK}t<~{xׁ<%k4 ^(p_V |ouBdSi Ǭtms w`uD>_`C~8b ^f*9\-(Iyx*9ZwqL9p̙dgIZPy5nl^S37;^ƨbpWNs&oO_c@ Ϯ7Pd$BW')ɩy UTݵӴYB_^3%f^Ek=su)o}ldkkxz1;R)S0v>?M*e(*_F0V.DDzNlR0Lz ';jv֬LܖԹϛfI 1ײ-_tE-YVh,sf@c ?]pT1]DF }WPˈ-g!.eFy5m(֦өtk4N..eXHoL9b'FqYm6ׁpioE<'z| Nزg7Ľ) 츜|f׵we) Ex+=};۳PҩKah錒ktj;{@qX_b(Ð~QO|z;~ܺ['=5n~& JIgXȠïU(crH^) ! xA(6%Imio %˨L!_.y\۽gi _pTGe3P[~â{H9iDk2nGh馄5^*lpx:N%iH%o8(Zї5){lT$^~Hw:RtVa 07ɬ By0naV`%C-" 4q2l/{$1l:}2 T'R=}&o\#9Oh|n-:ֈ{z^39~m̿w[XAV,W$aYvojh`m6цd8#P UQ \"`2 >;ME) %Y-s !nj\GTP굗<8W^5h8O\տĄ0,*=dV +ri+Q.8,z> J̀gIr4\bet"߸.L;▶R~#I73^fVzjbuϭ|tJ; :g~hMܬ22Fj 1!Wq¤]Bٻ|9tFӲrk- 6Shhik& l/ڝGBVߒ-Q?Cbo%x)$1nSBv >jBX *YXfi`S?`RϬ{P)4a%&J + :($Ҷ)`nt]‡3vT)lʹa2Ahއg&5Nd̍>eJW{먛o뻺JgY?̿Ҫ0ܜ#6詋Dj΂ 3.nANn _KV(IԆ[f,rD) (Pt]D q>pﻯ L,!u:U7Q:LuJ8Ulxl:ƹ~i$y25?7ŞPږS[[|5h~``\paW:C*QX7x62EZI3ubeP7d Qt%'3׆`q;P:yнlg<ՄbFf6cyɿ=xt|dOVS(aZeΛ&g0+&ïZWsYw#2\~m>HDO>шqr{ۦA<|xFE:KF 5!b;g qdeQ&3k|Yz S=7/p-*RαNXN !)kQ}vшov@N@)q4]VL#=LƤ;6UAj,\~# Yf[UKE4icۿNr\x`E.f^bmyNl4s``)q^{ bÐKsV]gyGx&|KZSsgc+Eo>W*m ;u𲺃ЬYpzS>T!=kz *3oO(F$˧ŋFgVW\-T3kX!Xl4?at`"wZV-Yi ֫ľͬ8y#hx>|koYHϋͩDtޘO+ Gf/|skDBuh,]^pbl< $yIS;Q&4iVu["; ;X3&UW="JU;--ID n3m CCci,^|C6.L`<4{xLwAK/,0zKʴQڔ~GGJGa[ӟG r /oZk+T]Nᑂ\w=p9 dga%C3073}1AhI O[`(~ȂضBքW'Ji3QP0Z~vGQD0q4JKK.UV' %ҭ^_h#L]؃ă:1'P'%by+]LUwr+Ѣ) ] %y,<$yɫyQ2+ON搷sP4jV۟>0c2׾%IkKlzg%?4YfY{!ǔoJ 4^x-GQ (,ß9qTZH~ROkLե.Sij8Sy+An".E\E H↨q:L+m Bqڄ $K¿A?%Z\;C;|x;<NihB8i_#ͭZJn'w \ 'FBN>sȸ(@sq hZF"9%º<`u mt#ۨ誆P@9y!$q捰vdͥD3XqT>3#^@DLQ?M12ؿ&fFdbt %Lk٨N J Qe0˳0FdՆ3o0,8}/"av ÎGr&fiǛVw {;>^~@: T5-|$,|j+,WZ o'dY"a_n>ho#_O}A-ɦHA}Vg} XNbf >A&+~8}Af>%8'TI"&H D=6)Wl PR槙+4$:ɻښ7c;۟,3)0ёE R@q]M@LvqħE3x;=y3uI:^|4ech01oL(bC) F^kNYE,7^;TLR5[yәKDZ&\#O5dJvzY".LCH?n"3c<9(3Xbz hv99k.Xxc<@Ү \o)Ns?ohc ۣ@tۆ:t-d![ectV=ACɣxeQT:uD3u5u@yGy!$Oh|FFA8=}yJ3:7kBDPr7[yA@لGs҃d|}<3jmIc9&ArDAt!ȑ=^ߛ#yƇ 8Ѐ0?QӨ4XΘz|.h]wYNĕF!'!Ma}Os##_%L㛡qT]z|..]Pp :~š(.7)! z&bCAG:ԫ:lqHze1ZN4Os" O/Xfj}ˢ0cU5%[h+:7 x ff8E$ݚGuԴp{GD|Ry~ӧwN W _xel>W˺;\X 4rrqxMG&`t}|E)襥Q0 ?dqI=rh" Σ>Q tKTi/\m+03%__8Y@A\ңO~c^2.d' F+ b=-_S>$a)Hյ eٵ?Yg.ig{sI4\}%o?)y84?KxLPծZ 0y CG2;oiWX^܃C=mω<4'5w^k 4vzre7<]LaHvTF[-EAhrFz`KXO O-Qhm8d|"sY'YU2HhJ^z )rƐP=$LwMYtojLJQ\l>;ǍNx$ E蚠l}jm#B`כ_0EہQOwMԖ*y5٬A\ 1xwKEgwT3QR' b-ϓ0 4MDcXas3¸ gF 1bSȱ1~/ɌV+\5j0⠃yMN=u Ko]ԸXqQ`TQ ; }AW A>xZEe[7)-Ƙ8t c/[/rGϖu$w xjlij*0ILWzg9#ME~BA8}`ķ]'8')C,̕ dCWrA"* ;Fe^=&$? U;-0!/mݺSke*ͻ서*[i֞5BHݞ4sRm:K3;gеۜ!2Z jZ< 6Ea_JlQJ<P;fhU!mTo>U[7;yma׸yڼAq_F06V'ƁJ3ECKe}/Aq¢ٞVaV)=އ!S0jU et) )3JNWm;t܎_ly1H3dDF#gw#.j4 'nó-Oڔtz)m*Z KKKgIXw$k"5-1WKijqXB‡#k7a]:=$W/ qQ''jg\ bM(rC*NiWrFD%2JZ?W@.AgX2&u~: "!ZW2S'ԣO ]l5h71]2QU%@11ElS:noer^A?F-]XAda^ER.Ф% d_T}> V;8͞hKxM"񭘖St{ o⣕Rȑ{F}5øPb$N:܆%rpu@^MLsAy%h1PbΠ`>RXM~Q%}@gmmtI@R^Qf:w^[-pӶ݃E`\W* #-tvUY28:O~)_y ;v tQ)L* ◎$Lᄧ-nFV-."6jRz7K@$[hKõwąI1 &[V^ͳs>B1%` k޾0dk8e ݤ1@9D(L0=K\ϘYA HSG䉗q}KqΘ (6C#RN" u&mYfn?c?R*{jo?e9D}-$ۭ/ LLC,Pa/~cj: ԞTޭ\5IQY ?!'`\ʁ :F{kVy2G>b|R\`EQ3a<%?hjq T}:jIR;Kd.0Uj2 K~ `P LW0" p#mzccJsx_-7$!1 46/C)s5h74%B&/ T& ۗ1Z2xܣ; wk8I1 o!€]4<;,r>aH5`a_ioO|ߧ%suޟL)] {,`*H\ >ʈ!7?ŬyO)m.:CTHSnS.:՟{^MIېmI *y/٬2I*j65qXBvֿyjTGqB%d|Jcw[Y8a?9y;t?BrX2!`;-O R$!] (WBa?FYg |IlO'F B?~}R%5P㙎I_S9zvp+-hv^5;{yKI*LRH)u"!yrJ8ww 94X$ْDpi!ɕw:]*SBXvqax<9R "d:֩F]'Z#AI<@yq`[Vjn^D*{ J!gdJ5~⛭o!M:Mȏf2.1Hb/j~w*" 9 pJEbet%?2V/~'v فФL$HWn >,*6O v`^z9eۤzbxuF1S)Zȇ*(ry1C^&QVޏ1+hbF3|.9(&=ºV~_(F?bA> &\t /0RlݿVtZXV9}ݶ,wYt[K6º%E^oiY)mާE&e=,t:!&*^dzz%}H痽&əs!Jn\cBr!ڢg+2z--*$Z,iE޼=$`C:/;њ7 c;}:`ޭ6I:S<NjȫxX}38}d-VmGEԤY߰"-dێaDQV%B-̶֨;5!tPDY}]m`Ly䛔 |yⷞQƎ'|Q;4ӂ^HLdgXR} u=PfU_Jc:J^>`Tfn(Ni.A ?-SQN>NߚGJk_^{q-S28@4^k_ŝP14J\Bz-qR _41DGTcG_4gd`KQr% 5n"înak۸||ɪ( nu8zE5Zvt% P8ŕZ;T.|2%UK^]$ڲ֦d5 Sb8/!rpWܰW#RujXi3~V}5lW-Io/P @x-| }ѤM#]W5De+Y6dwE%F0}OHۻÉ FQ(kY"? եmB 1o|i )+|fCgշ# {!vWXpA:/AC8tun v0|,q0 ,v#ޞ ]^B Bu"qsW x)j/vJY^dRcd_NʳHpԔW};v9Q@aPuay6dsP(`u˃i=@;@M{&w1:?' PTaDrgrb;-%'3XlU x|ɦ3eTZ%GbFwy%OCɧS96KY\J#ZsP꘩N*(X&ge?hM ͩn@'`# 3oOMf)GϜ4Y}Q,32u3@HwY}XEa(u,9q:^lD2S 9! V R(9LDR{&qz~>cH`&Zε-P*20e_ ٗNظ+~D_ǭ8NsܘlNd*Z +3sK]Kk3Ix'wc9t\5,E r; 7[N1>8ؤ*޴9\ gW`R`Y $߉zFE'n  <=T*9ȶG!.( )%5RMA2Ovj/%{RLԯJ'zTm = 1{c@3  gb 1v x vû$`v֦.`JϢkggVezfΗس-uSzTM2T Q?Ub~L񆄕=-hwǮ)gr[I#5&rA9Rl5,zج7URI_kOL_++?Na:u5s< .|ŎCbpr^Bq ߻>+5fgPO󋹬~uf#MXrkIP(A~ʜyp/p4OW'է8]sk, [NhyO&Uwep|=/=Ft t"Qd_6uX=4=&BtUYuSgՍ+/s5ƹ*W!:FyϩFޅ jEQnL%ȯcqI\zݴ 9iN:j8Fi5nT; s) a.qa6Ԝ*aKNQ7hS6Nr0(iGV'Rcm+:؎۲'n$Łnb0tR~Z/Ţ1⯔+*)&c`>?/oMI/mQx^@OaJg'Kp %%w4%_A.zsimҎX9yuTg7T;~["՗*) ns  QNP#=o8d3ɣ:r_PSSܭ#m#џYPJ}iln/ټlFz .m4u0d.^nmW? }P^Қ?zy-,mKVKgr c.=> jv&ݣD7oVW5Eƛ~єIf2HjI#NXTx`^eRY^]ړZ\Ocۍ)wdlB2GREZJܛ]F9ϣ}#΍t\ֺzrvNo~cG0y4e)[Rƒfn^\;'67 -Y$\ũtҰSo6*ⓨV#^c02\mg{]0vK#6!YWj_ZPVy:X]ެblɫ̅ᔏ`# " $ix#_ab$^΋cj KؑnD|`qփ˃$%Fе\# qk^2SQ@S_)E{X:΢q/a(/_nMb.N (uB>'&DIFq/]|bOݶH׋0k tm>4)[jbOn@J^kv,2+5?l`rQ!nVpFĹWe[EY/:oNjYU Z#'<*p@Â.y|vU5H DD˃!!,#2O`Ί جѣƟnpٔ/ Ee`#Z{6Y t!CdJ#waNsJt(Z`v .r81ڕbkߘOOR?_)?ufBݸb 5'½ ?a`Dڈۥ4 {BP0!dG>wJ1e<>evkum{7oŴ36Drk8^){OYȌK`(>PGhT<)ppV3;qͽ-JI6cɕ<UG0e$NUΫw;h* .VtI2Aq$ Ed L 58YxCrMqt;}^כ󰱌PnvI &q>5ՉmXOUfI8ZTo* x"BnF/}=[1ʬ5#ʗmu9ÃJl Ck^ T =40oeW6}lO'=q6do~9 va.,tBB"QZe<*vcn}1\@t.n NB$j=$XU [)P2*KW$1Rx%Ak0,uUhegEA,`#9L*]a8i)ˎ +őK]+b増r!XjUj=t*;S1]az\$hp`_ Acd=-;q-dqac4N.m8]o6S^<`6$}_ q&Z"YV gD|r:Eeg5qЂʋJ!"W=˰>( Ȏi0 D!:>\e XQ<׹GW~yVH5ݺw?aj(gj:3Pو<3 \kY| 1z-5UT&Ω2>KDeZ'Kk~uٜ;o/徯6 _`_WFH|<ӮfnXM\t3 iRot50K[aVk}Y(˺' m\ f O;gB#Y Aj*N}ƎI҄"L̬kφ:(AcXR$ DnK݃EtB֭+.09VȩocӤn]f4S#!7Juf^(}gJbK,un -V-5b7CEʫ:bob vˮ4eW΃M.y,j&C?׮F1jv|g% X5ġ 5K:2X^4ڑ6kHyXRil Ƒ߷0%B +(dFӡ9;BKtm=i0"4jJo>CA"Aը}CZHڦp ?PQS4Lpٜr4\AU?*$D4d/kЙDxҐq5q{f\^ʨh-gf2f䶈zѧmE?MLʺ}Y\Z ouKDl`֚bg&8|lȪ fq Q9A^OF 르 R vxzRD,D`(" >;X1 Wn5*|mO?YޕPsK'q] fn.=1crHքI9o%ꀠFqbiM0ߡkV8Gɹkyמfm kxn4W2 LL4^q'XY1ዉrќJ<\-vFLf uiCɎQǣ`%L{oze W 'כb&E 6W'cm9(=!O"e" {+.u,h|1u5 mBzm?eDIU;7yX)5@Gbb|?x[JSl2;"YB- OXnC{YVǜOܶGYϟ#!J^_M-]\(U.!C,pr0Zze2pwwErsH^hIm-8kB-J nyDK/ΛǭͫNY9BеH,偖WhI-+ęOL4`(UF.²LŽ9 |l73:Ք142,XapP]bظw2^ES>NX;|tF-0xV?ȂQ]Q %?c&.*2'IzuAGm3QF@j,;W|w"srpp}%T׿qLn|Yƚ;-޹ȁ`%m^A"$ڄӓJZ-iU3)6FhRrRL " uz|#qRN(S/h S)[,`a":7{OS]A+Zrp4"A*@ qO@5 ;КCν314*Z=%rOP9QѼ)j4_?~g2=Po(SA5hTm0`fY@7Mp}see3 ;K8RY70T2т:50w?Dw\"]e%eZq/cޅ%L/e9 d}l:{S`2Q0`0F$?Tzʖdkڜ_GƋ.uiiPf^r<mB_:k gX^,]X+x0Uߥ < {T5_ rDKtvBdx*f3N{~e!OSu«d=ϰ)#5}B3|EQ7 Mi,/mv;neD  ^ɢ*Qo8t 鎤Oli5 .1vM:L2^s: q^+D?sj9 Z* ЙwN(X)Ҡ{nS*¿ew̆'+"3Y+g8>+%e=/9́5tsۜAΩ4L.OV]HeEG,Q-fV\C*ұg4"ҫ2DMuH@!/:z[>džC|oU p )+y_#F1u߱?uZ-ĩT~ZI1Uvx/:.9̅lpRm+.s9ű/;JÔsDJ<7݂ ]9 BER Æ"s#"f3*c]=Qܐ9 tAw=\L/5{eD֧VzynP]'K$l2v-WEJ6@[(GA}p~jٚEQͱ bE:Mz E[`clL|0|TLzTi6zlAVnKLzwzohhf,I) A]ܭd7/q [\`$o &S ;nb@e-7Ut8N7#rGÇD1C&8C%$hWk(dar;zafZS ,l^Oۥ e^A^&%8r.xQAjg8B ft#s.  rUb݄FKv"nFwv}1&O 83$xoPþTTxK T |t!0W8nڌCPX- Q?w+^#W(`Gm{/鯽aKAF4װnTlyE#-GAMTéaڸ>*ZAseˠxr0)8y4fL6zEi!>B^x,]ʹn`VVT?1H!&/{(r&T y4C) 82 jI\V]}Zȗ3ĉbWȪ@#wF|~aZ& JUNL]-``⺧;!9қ)`ϸ 1Bڕ育EVwn{zSٶRh/O?ZsJH[Yڏy%],|*O!Gكs! 3.dy3?KNzc*')Dw`aCpo%DŽnOz7\tXs;$}+KEʠk3H"Ԙ1! ܁u [9@;l{w|5x+UP*,gAwLFVepKacs捊L{xyxNB,k},{2Dz ki7a󅒓zfU #=-<45f lկ9 `Iin|l_c;.8*Kx̙6T%l?q S]R;{hQ_>ESVRwB1:m^ sՓ8?si7jL.RޱVEw;ۼ.~.:m>Ž<3ҲnKmj(Ji6"|B-S!Mv/|nv=5N?W8V'$ZM_\Ee)m_i@>K@Uh9h%1c%}.h b?-(D(< Ƀ?.{fGF*%i 㱕o7V~tb547rfe)s%~;/s4`P5r%Ei%.5$iA;ϳ!bxpJfd=ͶQcq" ѩaq1 D۽uQ5kEo]fF)?,hQDPX/֎U46#Mد>ʫ%Qԡs5 =ӥu#_զ &r:pAUiN}vQUe+prř ݼg/ ۣ G cK88iq+mPk5HqqO 3)LMEԽ/|ZN<{~B.ٜbSAj|-Cd>6EJzXF7`0&3Z ko=ZH: ;.D&tyW컥.d869 t*;ѽw ;$gy hT^=[ Ul*lH%R#:BþJbD f!$3S!h K bIs% INvT6X٫/pK x5Plf0zۦ;ZXZXt z%*t aͲp0:KlQA &/'F,KN !ꭝ3'Hu?4$*4+BU:jB4(s.jl`'&7WA Mljw(ġƔs}0"ǧͷfDQ\Tv +0v{EbLG'r.sg3DjrִЯFhީl l)}ԙbB|vS$Nv:̻F7\ĚN@Xfw3*a[OCĐ3=޹DzL%g8/ ܲ}Hɇb q Sܫ}lEu4%@VtvnFaE(VKBsʳ Zuф"m\YjIke:"Ӥ^$cR%3F{#cY9 x~r˟2:JG],~Vbo<"]j)N~m @'/I@g b =TgM3MM9>1Ix2 2B&:ٌ# Qɸ`?ܮvðmHn#6y*{[Rd.ZK=jݎ$GA)jij j LzX2QWiY`=!UHW {)$i06 eG~ ଡ଼d\_j"zP Ȗ @VwZ$irެAD?o ՛16ÃHLd| Kq<BkAREaab?lyǐ6YZmCZPs4CJÇl+"6MX~z/ |`SGSk T^-Šfoފ/?{>ȚH =SMwz ~rn>MgYؚqk7(u/2 :d}c=:}/'~bHjqC)y 0ץ^W'G_HnYmK?X:n窙U_f79}Q{͈]QPtrY|xyUQx@r}m#8mGyƅ}5_S- (j=Γs L'ܨn8T _q}ca̭aL}l~$wFw"bnƧZ*[r= h)5kOVɩ:qd^?ho`9\/o3xՓ͌yt4揿2Xd^>FMN5 Gq/\lr)닉"?b8"Q0Fz;oʠ`mmG\60dc ~lU``óW!s 0WP]E𙡊9Fr;(_HsMM3]L )hz0~T6Y faMIknhh%8]aJ쇸ȏ3 x?'O=*KZl]%N1*(ܙ{7i)R8ӏM [73lƗts72k Ra~\U-)Wf]I@C6"DT G~eʗ:"F>y焀ťn-B+߿iejOt8e[K&v ⰎIAt>o[*TZ h[ed/ l e,#V8O0*a8Ҵ﨤1Lr9!G ǓANL+ZrL(>&1Z11˺:d.ev=?NbR}9\C4;0Zj397ߗixEZy\.s0䆘hmiٵ bQ+j؊m\jofp7QՁ.X8rc z}4R+7r/yRw:_*z.sA;|Cos<l ;—4O%A+,Z߀ ʊͰ=:Jj=^6^mc lV6 SMBƸMGp)myDd jrLLc-kJGl/q S$Z$?u!$i~쫧2 vW%`IԤ'{52]39RHwm16dV=PO2A[+Y4v'*7vD}8'Xh'w74Z@+  `Xڅs'5؏QD gYp^"\۞Z'q M؆Z* [ ߔw#8BFi[ ۠b8M1Zvx_W+6O;&)؎xj8o Tô90% P-2'>o kAҊ']5Rz)[(DQ/w̢YxF14I :堁?7.r$X zC_vr]+6oa,ok -h(׆D$"Ԃ˲K^]i *ty-u.E峞!4rchIH 8O&}3Mdഈ-7 ]I^ 3¦{ ,E;˘I ;X`U;',6+eyFymwk ԐC iZO;UG{'ɬ\{E> DsQ}i|*wݵ?;ՀW'M"uzJ`+h?_ibu+ZruVʚ5X>piV6ϛBz +/KVOlG!lBhKjcZVu ~|nj$OIļ66;- J͘1coȆ_y)6᥋Q4XLn"3!Ky(:e=cźP?\rTN"[Zqw| }X:*!=bX6jDGĜх6uWΥ>Vq5#t?Gkg_ƓBYÚ,1Y'8ti[qGޤ9G4}.]Ǒ:;O|=oI,aZnb{v9@T ^OҭjAyՙ-JOkϙknwr2:=b]'P68?'X<=5 Ehܬ:+ T =hmn6#n8ZG7y5ńu ݐߚk(0F; YC3>Eރ{-<ƺ+t8veָ?$2bCd/T2 \H%h6 yXmQV63XywN)u HQ}FܪPQ" ;V_9DZ..fT1DNR*‡623T$D< hP{s HvZc;'| ,#VJ]vdp};U$ 5##_J{bتx:]1;ٍk)F4P>7xXܽkQ~ʹK5 S=VZ[u ׌E(Zo_.O(Xugנjv sA:Q!DD$IcMX''P=\T%"![Ah" I6"ʻY}z4UEꚳBpjq̎Jb1~՜4Ų59Z+ Q<#rKŚ ;.>2H:۩Elmi]rnܠGh,ZԨE3Ou+,JA5bw {V%./8YsքmIX&J1Cc7hF2N(ViKoV3En {iZhZ4;_`8HP4\`?s9 z:F١.6A`Jw:F=w&9fٴu5?}-R/獢T}&}ܑa0GJϫIH_XkD'Ȓ޾F{òˌp[CE2I{#R:I M)*dY!7&DkoYnU{.l-^/> Ϛ D;rPUW Bd͘\IsgH_^eB_Xij^[l9ASUOl-^+-;^4Ȝ;[hL#j>Yb3>mѮU+nahzZuVԯAZCk'"č q XR%)ZQhv+Z䧟]60Nưv~D0C쮵ydu\$‴PKKBᵃc#Ҵ8>qY8Io&)1[V)c8=+핡RUd_+f})#V۸;QMzdL{;<jpX' {XRr s.qA&Bw=qr{>]QO@65!R05Y!%ޞL5"Lc翁XHA&96sw؜ w8O' 窟&r1Av8vfGizP\ qT5Gk\c|ܭ{~)U?5$AM=5sNY8].]k\@yPhrlܢ8m?pk).xiLi +[Ek?nZj.aP-!eM>  dYQ^RhNWu-Bh+(g{Ճ8%L UV$ʮY#|WJXIXbF=߮ʸ[ϐR}QS[ %2>E sI8PXgvUH=a̧b9(CpGP;5 ZW ]  ̓ˁg+N;Ô7f{Id-*lRAkK~;CC*;זKCo OB}!JGof[LGc MPU<}qM:E(*"%1p|pY1ԡ.=2Jt?EZ H%`ǿ{Jdcg]-yf Y5* `nY_OLjV97` ;#D-Qț+rpgY;l >'` r?}9[ *`>K]5]R_T+#,*&GV,؃\wUq(F~pā< \R>< kVSfDNSc FWBS>;#i-n-t,D(Q@3c3s'>es'!޸$HYI:o0duϥ'co^ABQc1zx7~f!UѲbK}X ؗ1kLAڰp,9\4 f$& >_0K7"ҸN Ӗq3WrEHsb` CGs߽'B}S f+=ˤ]7y%YB,_ lْJnH: " HLOJ l Z2L݄2;jICd/W^»I~[<`(Q6`!̟} [ bhdlrcZfCh^1m^GI A}%a*!j*QCuDx|[|^mU~#96Ŋs89 @1؊2gl-3~ (mцZo[>C)'Rw[SRWxJuP UBp4V)QRd/E {|:ƑH fuu"Bo/\`k<"Vď9E[ J{ZIE9b\UOeCf+r˧Tp95tc4_cT_J,m&Zv X La@1ZmBNjODڒk.קˈ!IqdlT@(Brs gfMIҘ `3C0CsmA%h,u@ނ\xMumYх'4 㧎0u~&[*=I# mTHCrZ9fy/HxzG@ ikM66&8qV"fe{PLj,pzS$*hH[ݗ漉qAJXԯ@kiA`bA;+kw0e#+~i[}yFaeO_&LCQJ?!ފϽ&" *LˇAVh%Ye : FQ=lNl9rܪV9uP4%~~?M[YPϙU!#k"4ϱH$^[L u~rr'sM$^Ed-\rKkMQ r8F_ %q%%VڍIGhrT,S4u0闣:Jg3Z ;}mӅ^)f-pZdRot ?4~TS"BX9a^'Bv8m\5a ,-ϫ=2&FGo?{M톔$cRJ m>87Sc'2W-+k"%:wqjA<2^)̎^x1O9^_+8?uW{#ߠ%](QCc8w#|?e49Ƶ׻{WSPnbxf:?xaՄIls42 c6gb|AxF QG?ۈbe4SܶNi8Fb"ёHy* wv*>IdѿG|;gUٮ1I4XfwrV,<[yHb@KDO!\KEch${jQej=}1lZ$SD)eU_}t5ULFBXhXTv3هH}iߎ?ddBCRsZiDa4Gce({ B+AR/e;)&cc%YbwHjY &JF'l7`/< y!PK1uLv++fPjJ9&__ۊϯľ`69YGoN1kԀ~:P. Kg_uq[p z&/E{9k+6.%=|f'7HȭkYV+E56:rн=D:A~ %[¾g8-ť@ls|=4ptDBsL@$'5?18^i/:֐b2sp7eLA2v,!WB.Xss+̞T3fq >5f1~^kH>0SGbpysʅMpV:K2 Xc=j`4~G9 E_+ڜL:<!Z|\by0ɨHyч =~ ]4NEA#uvA$[,3Ta)[M^"➧ {em, Tvc/yeH[䁯붶psK,\Ew/;YU5Bk#5:)c&|P Œ@~-Қ5t51;4M˟D71K:N*+ %#\1@/ɩ8N5'P~ҠekG,JH`V,& A#H0ՓPryhݟ"-)=轁ލ#sy`G0犡D^CVXZ3<|[ 7RUʉ[sA1 cx7-j@T3Zp۹aGb^kKLH16SdiQTumdaJ)*m]S&G`ђߴɯe[S&S@7-Pb-!uoc{\ć?&S@;师쯙YA]5}LX$Y>EF4Ц sM0(ز:x$|dr[]/}եTp_N Ǎ!n~*# K?ofB|ĺ6\yXMP[_8b9'x1ocwx~Y%Մ Y}pV)<)V 4蜟$^5i~rVU5I1hR?BTF J!ˆ|+:G~YE7K41ScN&WOK*Q+_aΡN<߳K*YOvgqFv䘡Š)Jf,~+yeۯ~=L2_h<44"LܣNUh@ Վg&[L}IGl*/+Lz886jYL.jMr' a>֭cCT qI:c矕a߶#16˲HJyqYddF11 [w*G T3QXة钟bY4DIuC*4dTbkJ1L+7?&=頮/3$O eW7+uAP-+NPJ@r3鑿zҬWsHos8n ym\-| М ݗf`k &J8QSBNƙ @B#E [lVSnçCT@pB7JREuNu.Y+{UOSuω . !JПQZ#@=i5֪Ҷ YZ