haproxy-2.0.14-11.11.1<>,Uda2p9|x:uA/pNE=Í;'KKIpM}̰&Qo}ţ)D6L=q+d5t />=`k:+\$J`É]NC' Wcn)|NcoIh E9~OKO`#YG*g"w?l͞Vs,s!lx+r"EqBhP; M2y}hە$󩕺W\ca{ƣ0QL>L?xd   O5 Km      3 4X6T8;S;t=p=/>p/B/(C:8CDl9Dl:Ll=i>i?i@iBjFjGj0Hl,In(XnYnZn[o\o]q ^xb{c{d|+e|0f|3l|5u|Hv~Dwpxlyh%z &(,2tChaproxy2.0.1411.11.1The Reliable, High Performance TCP/HTTP Load BalancerHAProxy implements an event-driven, mono-process model which enables support for very high number of simultaneous connections at very high speeds. Multi-process or multi-threaded models can rarely cope with thousands of connections because of memory limits, system scheduler limits, and lock contention everywhere. Event-driven models do not have these problems because implementing all the tasks in user-space allows a finer resource and time management. The down side is that those programs generally don't scale well on multi-processor systems. That's the reason why they must be optimized to get the most work done from every CPU cycle.a2s390zl38T{SUSE Linux Enterprise 15SUSE LLC GPL-3.0+ and LGPL-2.1+https://www.suse.com/Productivity/Networking/Web/Proxyhttp://www.haproxy.org/linuxs390xgetent group haproxy >/dev/null || /usr/sbin/groupadd -r haproxy getent passwd haproxy >/dev/null || \ /usr/sbin/useradd -g haproxy -s /bin/false -r \ -c "user for haproxy" -d /var/lib/haproxy haproxy if [ -x /usr/bin/systemctl ]; then test -n "$FIRST_ARG" || FIRST_ARG="$1" [ -d /var/lib/systemd/migrated ] || mkdir -p /var/lib/systemd/migrated || : for service in haproxy.service ; do sysv_service=${service%.*} if [ ! -e /usr/lib/systemd/system/$service ] && [ ! -e /etc/init.d/$sysv_service ]; then mkdir -p /run/systemd/rpm/needs-preset touch /run/systemd/rpm/needs-preset/$service elif [ -e /etc/init.d/$sysv_service ] && [ ! -e /var/lib/systemd/migrated/$sysv_service ]; then /usr/sbin/systemd-sysv-convert --save $sysv_service || : mkdir -p /run/systemd/rpm/needs-sysv-convert touch /run/systemd/rpm/needs-sysv-convert/$service fi done fi if [ "$YAST_IS_RUNNING" != "instsys" ]; then if /usr/bin/systemctl is-active --quiet apparmor.service; then /sbin/apparmor_parser -r -T -W /etc/apparmor.d/usr.sbin.haproxy &> /dev/null || : fi fi if [ -x /usr/bin/systemctl ]; then test -n "$FIRST_ARG" || FIRST_ARG="$1" [ -d /var/lib/systemd/migrated ] || mkdir -p /var/lib/systemd/migrated || : if [ "$YAST_IS_RUNNING" != "instsys" ]; then /usr/bin/systemctl daemon-reload || : fi for service in haproxy.service ; do sysv_service=${service%.*} if [ -e /run/systemd/rpm/needs-preset/$service ]; then /usr/bin/systemctl preset $service || : rm "/run/systemd/rpm/needs-preset/$service" || : elif [ -e /run/systemd/rpm/needs-sysv-convert/$service ]; then /usr/sbin/systemd-sysv-convert --apply $sysv_service || : rm "/run/systemd/rpm/needs-sysv-convert/$service" || : touch /var/lib/systemd/migrated/$sysv_service || : fi done fi test -n "$FIRST_ARG" || FIRST_ARG="$1" if [ "$FIRST_ARG" -eq 0 -a -x /usr/bin/systemctl ]; then # Package removal, not upgrade /usr/bin/systemctl --no-reload disable haproxy.service || : ( test "$YAST_IS_RUNNING" = instsys && exit 0 test -f /etc/sysconfig/services -a \ -z "$DISABLE_STOP_ON_REMOVAL" && . /etc/sysconfig/services test "$DISABLE_STOP_ON_REMOVAL" = yes -o \ "$DISABLE_STOP_ON_REMOVAL" = 1 && exit 0 /usr/bin/systemctl stop haproxy.service ) || : fi test -n "$FIRST_ARG" || FIRST_ARG="$1" if [ $1 -eq 0 ]; then # Package removal for service in haproxy.service ; do sysv_service="${service%.*}" rm "/var/lib/systemd/migrated/$sysv_service" || : done fi if [ -x /usr/bin/systemctl ]; then /usr/bin/systemctl daemon-reload || : fi if [ "$FIRST_ARG" -ge 1 ]; then # Package upgrade, not uninstall if [ -x /usr/bin/systemctl ]; then ( test "$YAST_IS_RUNNING" = instsys && exit 0 test -f /etc/sysconfig/services -a \ -z "$DISABLE_RESTART_ON_UPDATE" && . /etc/sysconfig/services test "$DISABLE_RESTART_ON_UPDATE" = yes -o \ "$DISABLE_RESTART_ON_UPDATE" = 1 && exit 0 /usr/bin/systemctl try-restart haproxy.service ) || : fi fiFV%xX  -E B q!X%hi;_ % $ e 5%?R - FFC '!L  6y='5qi3{1] #T:yBFSHDGgD Hb@EFeIeqvv10 ".T>}yw9 >A聠A큤A큤A큤A큤A큤A큤A큤A큤A큤A큤Aa2a2a2a2a2a2a2a2a2^^^^^^^^^^^^^^^^^^^^^^^^^^^^^a2a2a2^^^^^^^^^a2^a2^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^a2^a2a2a211f9339571329a5ab34e17dccd6386ca3e39822c947c947a1af61a5e1db657dd5794e09695c029721bdea4a5d35a95c5cecda0b5dbbec6069c9857296ed72ad8cbd7ecd2cc5345c85af175c4497548b3d12999bc42fad268e594ca46b6b1d77af044b159de4752bd81a5eddae3490cf481a0ce11ae01500b829736ac92e90b7130b59181d50189044e77eb018477f961e8c6c1dc837768031bad3843b7a4ae665b83a2085f445ad80179d3ff1ed2cb4cbe15a5e0538e70b32601df43ba802592d4917a80520d52ac07e2081817885231aca6034582f1a1f9b0b74bbead60f5438d5ec4f8af446d5ecb23d306ec6ac82959b07ae5040375ef94557a6c81a066d2647f068a16d842175410d4b41da5c3f57306aacb74217500d4fa8822f550bfd94739782b06489350a37a8d3753d97f4d34021a3ef3b595ee43b74d762d35c3bce5120fc7e8f576ad299158bbde68e8cd56425b1dda1427e43a2292ecb2cc583da1682cb28a8690cb90edeaa61f3d0207e8f282b7a50be46e5aa37606339f9c27037ef4bd293d32fd4fa65a251fe49c588416b6406cbca9ff2f17fd4c2d03edb362c9edd7608ff2b88cda9e0e6803dab5c6042e10e67b4415698ae2dbd5411380c4fce4f65e4df4b3154b05e8e7b99e54c8122438898b831768bca002f00c352eceaf73aa3bb160e535c3b69c9c91696c913a6373d388ddbaaf334888d4f1b489e8ac8a342e7ac6f97f864fde1ccadd0f194443ac722e159be552514d8e4990b97f335ca9b86bde572d76f8f618f7132e63bbbb82ec7836a581118e426afb4913864e08ed7085c7e15033737c94d3f0d840335c8dd3dc58e3c488297291a590ce1c2371e2effd1ceb80d1087f6b36194312860f79c135ded8c129490078beac53daec4e7e15c5a9dd9590395722f38df3faae087f02f388ae1dd4594a0d4a1fb5a2286746a00d5986be9390f3c532811a97f884a8d99e970515e9c7ec2e05824e6307a254873823854929a072c6ea5f18c7b58348eb53a77314d4db606c737461f9dedcd550de481fcf0a25b3dde843e082dc377e21604024710f8cc662b0de60beeab05b3c2918107f640cce6fcdfcc2287974bc840b28d5f20d8f0d79f2c1238ffa2e010c4fb6c2672074a0ee92816189cd71df18d515ca85e08b53e91501378065efcbc5006ad6b13ccb8655a586332d43723469435d1be34ba0caf0d5f40a2f8b1a15ed36f0fdeab5d27c6d77c5e8a5efa5c4473589bae29ab49409abda03d2f9d0338e447654aab22b5ac618036191fcc912c4b271d3be121a3f8cfb068541d854071ef50acf6f6a955d8b31c8c3f72aa00572964ece1cbcdd589cddcf0eb6f9bf7e48e73c9404f5aaa8ac5b2c346c5b5532d6f3affb8ca2c2ac1872c8b126c4180905a63b6db5b242a9b0c66159f10755eecb2b07d4baba5dbfd471d0e4d028ff74221702450647838cef1bc7e5b1bfda273e17c98d2f0aa8c9bf186b70f99bc04c0a6818e513c09cf7e0f59ec748d2b78d3d169e33d52452fa4abe24327087af4a1625bc4da102f9e9d8c07f8372e31caf7420df9755f2b43af7056fa11101dfe12cc7ab96535e642a76d86d66bbc983d82700aafbbb30dd5392d6ccad52646d932f52e68df43417ff910f45aa52157702f4d2a4a5b875545e047f434c9fa69cf584383c71c67cfea0349f9c236b4bffac3da6f9bd7b320d35b59dc05bac1e1a0791101f4e4db2772fcf852353e921a38ede1d0705d1be9983ad4c7bff1a15755124dd229112203f34fffe1ed8951a4a1fe0832af9aaf02f0bd8b0591e59efe86cf5e2d6767ab90bdb1446d49393862fba2f761dd5a23c43373e17336c799602bc1ef35d2208c0519c1288516147a703f16c2837eb8802deb27f83beaa0ac0c626a1ac4d322f40710ace0faa6a234f7225c8f9704de47de79cdd537eca68c228b43fd0815a63c0c25edfdb2973e1e35f80f11e96b54c1ba6ebd99acb147cfd530085d317dcfa3a574346dd436ea7655ee1d7f6a7ffda00c8f82489af9d16d2add72376d97d081e70f90eaa106d8bc3db6d06f8b03f45537630643d37c3edc7cde5d24edae1fcfad953e8fef11c5a28bd9238051b48c45ad1b9058b36c93c4b34ccb9b1971585ba7ef6f21c033ed03c266ac171adf29977e7bbf3004fe7ddb9db7630752f8fdc6898f7c99a99eaeeac5213627ecb093df9c82f56175dc72bffe5e5980187af2a62dd053f390b109be3302d60b9190c3def0b805208283c645afc7c8ec346db063190f2637913788e018e2d2d9ad655e114d7deb94cbbc3315b631e8bd8597b846c53ebd6cb979681b9e77e5e1380b22d4fb367d57ec069bc2dc6f1d39bf4c74fccfd6c106f31720454e8965253cd2c5dda78adf2692dfa3f28821753af9ec235dbbedff69ad9ff24a2c3902377ea1f1c596959b8fb7d912dc5b54429fd37ab30e43b21ff0664c6d44ae47c51a9f47a739cf08dceff350d26fc8fb3d1e2c5c87fc6c7effb84e7f3f675a653b1b9801e232c9ca6ac66afda4395d057cc3cf0b13c5ac788c7643000990331ccb7684a6ec449c32fc9f35dde6e1d407d7f7d220aa0d09e820f069280bc5f8d51ffac6b28fc85e73eb2e859285526d6a176a9d4d631354266f84d7e943a30cfb3d6a5e9e58d7292331ae7a3d767cba8d40707250a7b2c96a9d3666184e5457c91710d04510ec2ff397a49c0f54eb9d16cc9d36e6ea07195e479a7239d286250bf9f17ecd99b62da2466fd505e8881411c52a05da7917038389bede4fe9864209ac47461b5df79f8a1478d2008768592d7047f4507686e97b04bf5b066283789212096f1869a469a5bce224ab0be03aef9969a56a496e6bbd2f27d2ab365fa43020a375a523ae493ced3779dc72819c4ab859b6799fb9abfa6dbd3774c5a724d2004b0c36ddd7620ce70bbecd320bfecd8dd15384410c0af22ff1a43078c84dcb81b2d5f77c2e7f1835e232e7519fc70a9d5ae57995e069afc89379f17a2ee209afeaf58a62fe426d0b09bec61c8ddc3ebad4e250cbcc3e86dc9317e03223b905db8b3fe3704d478c4cb56b9cfc59c5f11634d9f332892179a99552c488c521b6968aba98a2e0a3aa790a167c57ae1a1e0bc7978869b7f7688d13aa941a99901ea5230066029a23a16d5ce32532499c475052250f6b0efc26c451c059749a6966885235bfccbe1d4fecd09bd2250056678bcca805f5f35c85eb9df481317f1fedaa293244d54fc1bc0527ef867316eda08e96d1708307243a4268d575e352e8f15c9f53015f7e66b4f614087fe73c2d61c0b8491f194c4dfd665a46251c54f89c8d904726f6bb790c5c1ec009b85371563d22bb4780732b6192969e137abaab72b67620cd6513b00dabc1659121ddd5fa373c6b0956ebb50eb0af8066dd3628579c61638e42b066be5437788e3769da6372403ef5b062d13520dd34598a6d75db6958c831f6061c6ee57f6088f04434f7979cfca879931da27a2e4bb428c1ad46ef08c7a04586792f367a11d434522de1204b84871e2886848361e2258a2827c46ed9580fb8805a8f08997c58551992bf3076ecd574b8da972232cc571070ee027e8f1b598f9c5a07026373351a67c8c18e38c83f59f5de06e05a8d8008438b8e468383381bcbc57c5fc9cc1904c10f3752f22d451fde8d389d36e194e1edffead5e5ebe7967736f691ea94b343642980a7cb2ba3df1655bda1ccd0686fe5e961f0affc0aab8bd90152f19f7685df07007198989c622f5d41de8d703e7bef3d0e79d62e24332ee739a452af62aa20dcc3994852776b8552b9820c1a562196da33b81b224d4441c9fcdec3ca01476bf9cf3d942c6bd5ae671bb085c16b62b1610a6f4e3c278bbd0624b5127164ae7ea3f2d38da55e9226339e79c7e8dccd9449fd2d46d6f959c898c0157da420649e853756c3bbc50bd78c1e86484ab1e10ad8306b47a02b8022874c5927485055ef30b40bee05aee79617246a9758b90f5cb8937ad211f013b0de4d223a4b63e029e6537399d13acc661b4df591e7c58e23affa336f762e758a3cf56b33d81fdb421fa49f39eebee03d411b1dde856ed3581c8daaca7d77bf8b3ed236ec539695fc771d5d4f4070f3ebb1bedd948ee669648b75f61c602ec1f718582e78783ec418b96e4805efc0cfa7ec523796f745d8f44cc62e814cdbdb9d8b60943f3f54eec0ded52ec03d1e500ca9f0acdb33653875f12e4348540c4d6d69aeefb269a3576850c0a699d2c1249eb119cf96a0b677426656367a6afef0e5b00a6cea6f46d7569c249f9dc0f0705da67e4ceeb4c398fce82f60279ce44075294f0e2cd53b76c85ba36bf1085b90cf2849180003347f3df9e88df2d3abf3837f7d408abaf24cd77e4f3b946be3e5a770bd33c6399fc2e06f3dd456c8085859a6dc20bdfd3e0d0024b6b9f2aff837f31b3eee39315d1195a26adea2269aca42603727845be2630dd24c803f6ca1824328fbc160690f9dcb99a4235531898d73827e6e3a9bd7700648f72f159454c31029bdaad74b68532a76681d217a23e254f43201430108b718bdf7ef1909bf1c0a307c8984ee00d08c86a237f640646f05d0d1bf2825d8ca0dc7bbd079159a6266c33c2ab4f99fc9a94539d8a4020cc070083534fb9c5e6b65b4cbc3e490a43e9d5f9316354830f908ada652a734c489a8f58e36ae13957257628aa1f6e175570127e3e2716b6b5529c780a92198755fff6973ef4ab38465ff89d109a9fc57e71324afebe843e184b695e20140d0571dba7adc7f031148d1d01891ba5d10cd6fbcd162a52776a36514ca09dad6966db41ecb0b627362076e160b7814ec9b1406c78e89e16281331eb69a6f5ac21492414fea1d18b34195cec3ecefa11afc1ecc0b705f82e1365fcdc1f896d3c4978110913366d23c19f36a768a4f245953fc1fefe14bcadbf739cb3ea0c2e22cc93b70ff9c305e031bb4f50eaa35d72cff4e2ee4f74c6eb349a5b717516e2d97fbfa1fcb602777f67643e0717ca51fceaa25ac9e5ccc62e0c727dcf27796057201fb5fded56a25ff6ca288206d49cd3f68b69a7782142062defb6d40ac731cce51db00a2224f7e1f083590818d35142ac0614971f722ec764b2eb507b0b9ad50520a78355f9d7ab8dd71c/sbin/servicerootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootroothaproxyhaproxyrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootroothaproxyhaproxy-2.0.14-11.11.1.src.rpmconfig(haproxy)haproxyhaproxy(s390-64)haproxy-1.5haproxy-doc @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@    /bin/sh/bin/sh/bin/sh/bin/shconfig(haproxy)libc.so.6()(64bit)libc.so.6(GLIBC_2.10)(64bit)libc.so.6(GLIBC_2.11)(64bit)libc.so.6(GLIBC_2.14)(64bit)libc.so.6(GLIBC_2.15)(64bit)libc.so.6(GLIBC_2.16)(64bit)libc.so.6(GLIBC_2.2)(64bit)libc.so.6(GLIBC_2.3)(64bit)libc.so.6(GLIBC_2.3.2)(64bit)libc.so.6(GLIBC_2.3.4)(64bit)libc.so.6(GLIBC_2.4)(64bit)libc.so.6(GLIBC_2.5)(64bit)libc.so.6(GLIBC_2.6)(64bit)libcrypt.so.1()(64bit)libcrypt.so.1(GLIBC_2.2)(64bit)libcrypto.so.1.1()(64bit)libcrypto.so.1.1(OPENSSL_1_1_0)(64bit)libcrypto.so.1.1(OPENSSL_1_1_1)(64bit)liblua5.3.so.5()(64bit)libpcre.so.1()(64bit)libpthread.so.0()(64bit)libpthread.so.0(GLIBC_2.2)(64bit)libpthread.so.0(GLIBC_2.3.2)(64bit)libpthread.so.0(GLIBC_2.3.4)(64bit)librt.so.1()(64bit)librt.so.1(GLIBC_2.2)(64bit)librt.so.1(GLIBC_2.3.3)(64bit)libssl.so.1.1()(64bit)libssl.so.1.1(OPENSSL_1_1_0)(64bit)libssl.so.1.1(OPENSSL_1_1_1)(64bit)libsystemd.so.0()(64bit)libsystemd.so.0(LIBSYSTEMD_209)(64bit)libz.so.1()(64bit)rpmlib(CompressedFileNames)rpmlib(FileDigests)rpmlib(PayloadFilesHavePrefix)rpmlib(PayloadIsXz)systemdsystemdsystemdsystemdvim2.0.14-11.11.13.0.4-14.6.0-14.0-15.2-14.14.1a,@a @_^@^@]@]@]@]@]@](]]^][][][]@1@]$]@]@]@]\-@\ac\73\[[[[[[v[ug@[3|@[3|@[0@[ @Z?ZȲZZ%ZZU@UcUPUG_@UD@U4@U/@UTE@TD@TԬT@T@T@TdTxcTuTuTmT_W@TSyTPTBV@TAvarkoly@suse.comemil.penchev@suse.comvarkoly@suse.compablo.bravo@suse.comdmaiocchi@suse.commrueckert@suse.demrueckert@suse.demrueckert@suse.demrueckert@suse.demrueckert@suse.dekgronlund@suse.comkgronlund@suse.comkukuk@suse.demrueckert@suse.demrueckert@suse.demrueckert@suse.dekgronlund@suse.comkgronlund@suse.comjengelh@inai.demrueckert@suse.demrueckert@suse.dekgronlund@suse.comkgronlund@suse.comkgronlund@suse.comkgronlund@suse.comkgronlund@suse.commrueckert@suse.demrueckert@suse.demrueckert@suse.demrueckert@suse.demrueckert@suse.dekgronlund@suse.comkgronlund@suse.comkgronlund@suse.comkgronlund@suse.comkgronlund@suse.comkgronlund@suse.comkgronlund@suse.commrueckert@suse.dekgronlund@suse.commrueckert@suse.dejengelh@inai.dekgronlund@suse.comkgronlund@suse.comkgronlund@suse.commrueckert@suse.demrueckert@suse.dekgronlund@suse.comkgronlund@suse.commrueckert@suse.demrueckert@suse.demrueckert@suse.dekgronlund@suse.comkgronlund@suse.comkgronlund@suse.comkgronlund@suse.comkgronlund@suse.comkgronlund@suse.comkgronlund@suse.comkgronlund@suse.commrueckert@suse.dekgronlund@suse.comkgronlund@suse.comkgronlund@suse.comkgronlund@suse.commrueckert@suse.demrueckert@suse.demrueckert@suse.demrueckert@suse.dee.istomin@edss.eemrueckert@suse.demrueckert@suse.demrueckert@suse.demrueckert@suse.demrueckert@suse.demrueckert@suse.demrueckert@suse.demrueckert@suse.demrueckert@suse.dedmueller@suse.comkgronlund@suse.comkgronlund@suse.comkgronlund@suse.comkgronlund@suse.comkgronlund@suse.comkgronlund@suse.commrueckert@suse.demrueckert@suse.demrueckert@suse.demrueckert@suse.demrueckert@suse.dekgronlund@suse.commrueckert@suse.deaspiers@suse.commrueckert@suse.demrueckert@suse.demrueckert@suse.demrueckert@suse.demrueckert@suse.demrueckert@suse.deledest@gmail.commrueckert@suse.dekgronlund@suse.comledest@gmail.commrueckert@suse.dekgronlund@suse.commrueckert@suse.dekgronlund@suse.com- CVE-2021-40346: haproxy: request smuggling vulnerability in HTX (>= 2.0) (bsc#1189877) Added patch: 0001-2.0-2.3-BUG-MAJOR-htx-fix-missing-header-name-length-check-i.patch- Fixes HAProxy vulnerabilities on H2 (bsc#1189366) Added patch: haproxy-2.0-h2_enforce_checks_on_the_method_syntax_bef.patch.- bsc#1178277 - L3: SLES15sp2: haproxy does not support TLS1.3, it is still build with openssl version 1.1.0. Branch for SLE15-SP2 to build against openssl-1.1.1d- Removed patch: haproxy-2.0-hpack-tbl.patch as already fixed in 2.0.14 - Update to version 2.0.14: (bsc#1169457) * [RELEASE] Released version 2.0.14 * BUG/MINOR: namespace: avoid closing fd when socket failed in my_socketat * BUG/MEDIUM: muxes: Use the right argument when calling the destroy method. * SCRIPTS: announce-release: use mutt -H instead of -i to include the draft * MINOR: http-htx: Add a function to retrieve the headers size of an HTX message * MINOR: filters: Forward data only if the last filter forwards something * BUG/MINOR: filters: Count HTTP headers as filtered data but don't forward them * BUG/MINOR: http-ana: Matching on monitor-uri should be case-sensitive * BUG/MAJOR: http-ana: Always abort the request when a tarpit is triggered * MINOR: ist: add an iststop() function * BUG/MINOR: http: http-request replace-path duplicates the query string * BUG/MEDIUM: shctx: make sure to keep all blocks aligned * MINOR: compiler: move CPU capabilities definition from config.h and complete them * BUG/MEDIUM: ebtree: don't set attribute packed without unaligned access support * BUILD: fix recent build failure on unaligned archs * CLEANUP: cfgparse: Fix type of second calloc() parameter * BUG/MINOR: sample: fix the json converter's endian-sensitivity * BUG/MEDIUM: ssl: fix several bad pointer aliases in a few sample fetch functions * BUG/MINOR: connection: make sure to correctly tag local PROXY connections * MINOR: compiler: add new alignment macros * BUILD: ebtree: improve architecture-specific alignment * BUG/MINOR: sample: Make sure to return stable IDs in the unique-id fetch * BUG/MINOR: dns: ignore trailing dot * MINOR: contrib/prometheus-exporter: Add heathcheck status/code in server metrics * MINOR: contrib/prometheus-exporter: Add the last heathcheck duration metric * BUG/MEDIUM: random: initialize the random pool a bit better * MINOR: tools: add 64-bit rotate operators * BUG/MEDIUM: random: implement a thread-safe and process-safe PRNG * MINOR: backend: use a single call to ha_random32() for the random LB algo * BUG/MINOR: checks/threads: use ha_random() and not rand() * BUG/MAJOR: list: fix invalid element address calculation * MINOR: debug: report the task handler's pointer relative to main * BUG/MEDIUM: debug: make the debug_handler check for the thread in threads_to_dump * MINOR: haproxy: export main to ease access from debugger * BUG/MINOR: wdt: do not return an error when the watchdog couldn't be enabled * DOC: fix incorrect indentation of http_auth_* * OPTIM: startup: fast unique_id allocation for acl. * BUG/MINOR: pattern: Do not pass len = 0 to calloc() * DOC: configuration.txt: fix various typos * DOC: assorted typo fixes in the documentation and Makefile * BUG/MINOR: init: make the automatic maxconn consider the max of soft/hard limits * BUG/MAJOR: proxy_protocol: Properly validate TLV lengths * REGTEST: make the PROXY TLV validation depend on version 2.2 * MINOR: htx: Add a function to return a block at a specific offset * BUG/MEDIUM: cache/filters: Fix loop on HTX blocks caching the response payload * BUG/MEDIUM: compression/filters: Fix loop on HTX blocks compressing the payload * BUG/MINOR: http-ana: Reset request analysers on a response side error * BUG/MINOR: lua: Ignore the reserve to know if a channel is full or not * BUG/MINOR: http-rules: Preserve FLT_END analyzers on reject action * BUG/MINOR: http-rules: Fix a typo in the reject action function * BUG/MINOR: rules: Preserve FLT_END analyzers on silent-drop action * BUG/MINOR: rules: Increment be_counters if backend is assigned for a silent-drop * DOC: fix typo about no-tls-tickets * DOC: improve description of no-tls-tickets * DOC: ssl: clarify security implications of TLS tickets * BUILD: wdt: only test for SI_TKILL when compiled with thread support * BUG/MEDIUM: random: align the state on 2*64 bits for ARM64 * BUG/MINOR: haproxy: always initialize sleeping_thread_mask * BUG/MINOR: listener/mq: do not dispatch connections to remote threads when stopping * BUG/MINOR: haproxy/threads: try to make all threads leave together * DOC: proxy_protocol: Reserve TLV type 0x05 as PP2_TYPE_UNIQUE_ID * BUILD: on ARM, must be linked to libatomic. * BUILD: makefile: fix regex syntax in ARM platform detection * BUILD: makefile: fix expression again to detect ARM platform * BUG/MEDIUM: peers: resync ended with RESYNC_PARTIAL in wrong cases. * DOC: assorted typo fixes in the documentation * MINOR: wdt: Move the definitions of WDTSIG and DEBUGSIG into types/signal.h. * BUG/MEDIUM: wdt: Don't ignore WDTSIG and DEBUGSIG in __signal_process_queue(). * MINOR: memory: Change the flush_lock to a spinlock, and don't get it in alloc. * BUG/MINOR: connections: Make sure we free the connection on failure. * REGTESTS: use "command -v" instead of "which" * REGTEST: increase timeouts on the seamless-reload test * BUG/MINOR: haproxy/threads: close a possible race in soft-stop detection * BUG/MINOR: peers: init bind_proc to 1 if it wasn't initialized * BUG/MINOR: peers: avoid an infinite loop with peers_fe is NULL * BUG/MINOR: peers: Use after free of "peers" section. * MINOR: listener: add so_name sample fetch * BUILD: ssl: only pass unsigned chars to isspace() * BUG/MINOR: stats: Fix color of draining servers on stats page * DOC: internals: Fix spelling errors in filters.txt * MINOR: http-rules: Add a flag on redirect rules to know the rule direction * BUG/MINOR: http_ana: make sure redirect flags don't have overlapping bits * MINOR: http-rules: Handle the rule direction when a redirect is evaluated * BUG/MINOR: filters: Use filter offset to decude the amount of forwarded data * BUG/MINOR: filters: Forward everything if no data filters are called * BUG/MINOR: http-ana: Reset request analysers on error when waiting for response * BUG/CRITICAL: hpack: never index a header into the headroom after wrapping 2020/02/13 : 2.0.13 * BUG/MINOR: checks: refine which errno values are really errors. * BUG/MEDIUM: checks: Only attempt to do handshakes if the connection is ready. * BUG/MEDIUM: connections: Hold the lock when wanting to kill a connection. * MINOR: config: disable busy polling on old processes * MINOR: ssl: Remove unused variable "need_out". * BUG/MINOR: h1: Report the right error position when a header value is invalid * BUG/MINOR: proxy: Fix input data copy when an error is captured * BUG/MEDIUM: http-ana: Truncate the response when a redirect rule is applied * BUG/MINOR: channel: inject output data at the end of output * BUG/MEDIUM: session: do not report a failure when rejecting a session * BUG/MINOR: stream-int: Don't trigger L7 retry if max retries is already reached * BUG/MINOR: mux-h2: use a safe list_for_each_entry in h2_send() * BUG/MEDIUM: mux-h2: fix missing test on sending_list in previous patch * BUG/MEDIUM: mux-h2: don't stop sending when crossing a buffer boundary * BUG/MINOR: cli/mworker: can't start haproxy with 2 programs * REGTEST: mcli/mcli_start_progs: start 2 programs * BUG/MEDIUM: mworker: remain in mworker mode during reload * BUG/MEDIUM: mux_h1: Don't call h1_send if we subscribed(). * BUG/MAJOR: hashes: fix the signedness of the hash inputs * REGTEST: add sample_fetches/hashes.vtc to validate hashes * BUG/MEDIUM: cli: _getsocks must send the peers sockets * BUG/MINOR: stream: don't mistake match rules for store-request rules * BUG/MEDIUM: connection: add a mux flag to indicate splice usability * BUG/MINOR: pattern: handle errors from fgets when trying to load patterns * BUG/MINOR: cache: Fix leak of cache name in error path * BUG/MINOR: dns: Make dns_query_id_seed unsigned * BUG/MINOR: 51d: Fix bug when HTX is enabled * BUILD: pattern: include errno.h * BUG/MINOR: http-ana/filters: Wait end of the http_end callback for all filters * BUG/MINOR: http-rules: Remove buggy deinit functions for HTTP rules * BUG/MINOR: stick-table: Use MAX_SESS_STKCTR as the max track ID during parsing * BUG/MINOR: tcp-rules: Fix memory releases on error path during action parsing * MINOR: proxy/http-ana: Add support of extra attributes for the cookie directive * BUG/MINOR: http_act: don't check capture id in backend * BUG/MEDIUM: 0rtt: Only consider the SSL handshake. * BUG/MINOR: stktable: report the current proxy name in error messages * BUG/MEDIUM: mux-h2: make sure we don't emit TE headers with anything but "trailers" * BUILD: cfgparse: silence a bogus gcc warning on 32-bit machines * BUG/MINOR: dns: allow srv record weight set to 0 * BUG/MEDIUM: ssl: Don't forget to free ctx->ssl on failure. * BUG/MINOR: tcpchecks: fix the connect() flags regarding delayed ack * BUG/MEDIUM: pipe: fix a use-after-free in case of pipe creation error * BUG/MINOR: connection: fix ip6 dst_port copy in make_proxy_line_v2 * BUG/MEDIUM: connections: Don't forget to unlock when killing a connection. * BUG/MEDIUM: memory_pool: Update the seq number in pool_flush(). * MINOR: memory: Only init the pool spinlock once. * BUG/MEDIUM: memory: Add a rwlock before freeing memory. * BUG/MAJOR: memory: Don't forget to unlock the rwlock if the pool is empty. * BUG/MINOR: ssl: we may only ignore the first 64 errors * CONTRIB: debug: add missing flags SF_HTX and SF_MUX * CONTRIB: debug: add the possibility to decode the value as certain types only * CONTRIB: debug: support reporting multiple values at once * MINOR: acl: Warn when an ACL is named 'or' * CONTRIB: debug: also support reading values from stdin * SCRIPTS: announce-release: place the send command in the mail's header * SCRIPTS: announce-release: allow the user to force to overwrite old files * MINOR: build: add linux-glibc-legacy build TARGET * BUG/MINOR: unix: better catch situations where the unix socket path length is close to the limit * MINOR: http: add a new "replace-path" action * BUG/MINOR: ssl: Possible memleak when allowing the 0RTT data buffer. * BUG/MINOR: dns: allow 63 char in hostname * BUG/MEDIUM: listener: only consider running threads when resuming listeners * BUG/MINOR: listener: enforce all_threads_mask on bind_thread on init * BUG/MINOR: tcp: avoid closing fd when socket failed in tcp_bind_listener * DOC: word converter ignores delimiters at the start or end of input string * BUG/MINOR: tcp: don't try to set defaultmss when value is negative * SCRIPTS: make announce-release executable again 2019/12/21 : 2.0.12 * DOC: Improve documentation of http-re(quest|sponse) replace-(header|value|uri) * DOC: clarify the fact that replace-uri works on a full URI * BUG/MINOR: sample: fix the closing bracket and LF in the debug converter * BUG/MINOR: sample: always check converters' arguments * BUG/MEDIUM: ssl: Don't set the max early data we can receive too early. * MINOR: task: only check TASK_WOKEN_ANY to decide to requeue a task * BUG/MAJOR: task: add a new TASK_SHARED_WQ flag to fix foreing requeuing * BUG/MEDIUM: ssl: Revamp the way early data are handled. * MINOR: fd/threads: make _GET_NEXT()/_GET_PREV() use the volatile attribute * BUG/MEDIUM: fd/threads: fix a concurrency issue between add and rm on the same fd * BUG/MINOR: ssl: openssl-compat: Fix getm_ defines * BUG/MEDIUM: stream: Be sure to never assign a TCP backend to an HTX stream * BUILD: ssl: improve SSL_CTX_set_ecdh_auto compatibility 2019/12/11 : 2.0.11 * BUG/MINOR: stream: init variables when the list is empty * BUG/MINOR: contrib/prometheus-exporter: Use HTX errors and not legacy ones * BUG/MINOR: contrib/prometheus-exporter: decode parameter and value only * BUG/MINOR: http-htx: Don't make http_find_header() fail if the value is empty * DOC: Clarify behavior of server maxconn in HTTP mode * DOC: clarify matching strings on binary fetches * DOC: move the "group" keyword at the right place * BUG/MEDIUM: stream-int: don't subscribed for recv when we're trying to flush data * BUG/MINOR: stream-int: avoid calling rcv_buf() when splicing is still possible * BUG/MEDIUM: listener/thread: fix a race when pausing a listener * BUG/MINOR: ssl: certificate choice can be unexpected with openssl >= 1.1.1 * BUG/MEDIUM: mux-h1: Never reuse H1 connection if a shutw is pending * BUG/MINOR: mux-h1: Don't rely on CO_FL_SOCK_RD_SH to set H1C_F_CS_SHUTDOWN * BUG/MINOR: mux-h1: Fix conditions to know whether or not we may receive data * BUG/MEDIUM: tasks: Make sure we switch wait queues in task_set_affinity(). * BUG/MEDIUM: checks: Make sure we set the task affinity just before connecting. * BUG/MINOR: mux-h1: Be sure to set CS_FL_WANT_ROOM when EOM can't be added * BUG/MINOR: proxy: make soft_stop() also close FDs in LI_PAUSED state * BUG/MINOR: listener/threads: always use atomic ops to clear the FD events * BUG/MINOR: listener: also clear the error flag on a paused listener * BUG/MEDIUM: listener/threads: fix a remaining race in the listener's accept() * DOC: document the listener state transitions * BUG/MAJOR: dns: add minimalist error processing on the Rx path * BUG/MEDIUM: proto_udp/threads: recv() and send() must not be exclusive. * BUG/MEDIUM: kqueue: Make sure we report read events even when no data. * DOC: listeners: add a few missing transitions * BUG/MINOR: tasks: only requeue a task if it was already in the queue * DOC: proxies: HAProxy only supports 3 connection modes * BUILD/MINOR: ssl: shut up a build warning about format truncation * BUILD/MINOR: tools: shut up the format truncation warning in get_gmt_offset() * BUILD: do not disable -Wformat-truncation anymore * DOC: remove references to the outdated architecture.txt * BUG/MINOR: log: fix minor resource leaks on logformat error path * BUG/MINOR: mworker: properly pass SIGTTOU/SIGTTIN to workers * BUG/MINOR: listener: do not immediately resume on transient error * BUG/MINOR: server: make "agent-addr" work on default-server line * BUG/MINOR: listener: fix off-by-one in state name check * BUILD/MINOR: unix sockets: silence an absurd gcc warning about strncpy()- CVE-2020-11100: Fixed an H2/HPAC vulnerability (bsc#1168023) - Added patch: haproxy-2.0-hpack-tbl.patch- Update to version 2.0.10+git0.ac198b92: (bsc#1157712) (bsc#1157714) * [RELEASE] Released version 2.0.10 * SCRIPTS: git-show-backports: add "-s" to proposed cherry-pick commands * SCRIPTS: create-release: show the correct origin name in suggested commands * BUG/MAJOR: mux-h2: don't try to decode a response HEADERS frame in idle state * BUG/MAJOR: h2: make header field name filtering stronger * BUG/MAJOR: h2: reject header values containing invalid chars * MINOR: ist: add ist_find_ctl() * BUG/MINOR: ssl: fix curve setup with LibreSSL * BUG/MINOR: cli: fix out of bounds in -S parser * DOC: Add documentation about the use-service action * DOC: Add missing stats fields in the management manual * BUG/MINOR: mux-h1: Adjust header case when chunked encoding is add to a message * BUG/MINOR: mux-h1: Fix a UAF in cfg_h1_headers_case_adjust_postparser() * MEDIUM: mux-h1: Add the support of headers adjustment for bogus HTTP/1 apps * REGTEST: vtest can now enable mcli with its own flag * MINOR: stats: Report max times in addition of the averages for sessions * BUG/MINOR: stream-int: Fix si_cs_recv() return value * MINOR: contrib/prometheus-exporter: Add a param to ignore servers in maintenance * MINOR: contrib/prometheus-exporter: filter exported metrics by scope * MINOR: contrib/prometheus-exporter: report the number of idle conns per server * BUG/MINOR: contrib/prometheus-exporter: Rename some metrics * MINOR: contrib/prometheus-exporter: Report metrics about max times for sessions * MINOR: counters: Add fields to store the max observed for {q,c,d,t}_time * MINOR: stream: Remove the lock on the proxy to update time stats * MINOR: freq_ctr: Make the sliding window sums thread-safe * BUG/MINOR: http-ana: Properly catch aborts during the payload forwarding * BUG/MINOR: mux-h1: Fix tunnel mode detection on the response path * BUILD: debug: Avoid warnings in dev mode with -02 because of some BUG_ON tests * BUG/MEDIUM: stream-int: Don't loose events on the CS when an EOS is reported * BUILD/MINOR: ssl: fix compiler warning about useless statement * BUG/MINOR: peers: "peer alive" flag not reset when deconnecting. * BUG/MEDIUM: mworker: don't fill the -sf argument with -1 during the reexec- Update to version 2.0.9+git6.26b7b800: * BUG/MINOR: ssl: fix crt-list neg filter for openssl < 1.1.1 * BUG/MINOR: peers: Wrong null "server_name" data field handling. * MINOR: peers: Add debugging information to "show peers". * MINOR: peers: Add TX/RX heartbeat counters. * MINOR: peers: Alway show the table info for disconnected peers.- Update to version 2.0.9+git1.caf02113: * BUG/MINOR: init: fix set-dumpable when using uid/gid- Update to version 2.0.9+git0.efac87ee (bsc#1154980) (CVE-2019-18277): * [RELEASE] Released version 2.0.9 * BUG/MINOR: mux-h1: Don't set CS_FL_EOS on a read0 when receiving data to pipe * BUG/MEDIUM: filters: Don't call TCP callbacks for HTX streams * BUG/MINOR: log: limit the size of the startup-logs * BUILD: contrib/da: remove an "unused" warning * MINOR: memory: also poison the area on freeing * CLEANUP: session: slightly simplify idle connection cleanup logic * BUG/MEDIUM: Make sure we leave the session list in session_free(). * BUG/MEDIUM: listeners: always pause a listener on out-of-resource condition * BUG/MINOR: queue/threads: make the queue unlinking atomic * DOC: management: fix typo on "cache_lookups" stats output * DOC: management: document cache_hits and cache_lookups in the CSV format * DOC: management: document reuse and connect counters in the CSV format * BUG: dns: timeout resolve not applied for valid resolutions * BUG/MINOR: action: do-resolve now use cached response * BUG/MEDIUM: stream: Be sure to release allocated captures for TCP streams * MINOR: doc: http-reuse connection pool fix * BUG/MEDIUM: stream: Be sure to support splicing at the mux level to enable it * BUG/MEDIUM: mux-h1: Disable splicing for chunked messages * BUG/MEDIUM: mux-h2: immediately report connection errors on streams * BUG/MEDIUM: mux-h2: immediately remove a failed connection from the idle list * BUG/MEDIUM: mux-h2: report no available stream on a connection having errors * BUG/MINOR: config: Update cookie domain warn to RFC6265 * BUG/MEDIUM: servers: Only set SF_SRV_REUSED if the connection if fully ready. * BUG/MEDIUM: stream_interface: Only use SI_ST_RDY when the mux is ready. * MINOR: mux: Add a new method to get informations about a mux. * BUG/MINOR: spoe: fix off-by-one length in UUID format string * BUG/MAJOR: stream-int: Don't receive data from mux until SI_ST_EST is reached * BUG/MINOR: mux-h2: Don't pretend mux buffers aren't full anymore if nothing sent * BUG/MINOR: cli: don't call the kw->io_release if kw->parse failed * MINOR: tcp: avoid confusion in time parsing init * BUG/MINOR: mux-h2: do not emit logs on backend connections * MINOR: config: warn on presence of "\n" in header values/replacements- Update to version 2.0.8+git0.60e6020c: * [RELEASE] Released version 2.0.8 * BUG/MEDIUM: pattern: make the pattern LRU cache thread-local and lockless * BUG/MINOR: stick-table: fix an incorrect 32 to 64 bit key conversion * BUG/MINOR: ssl: fix memcpy overlap without consequences. * BUG/MEDIUM: http: unbreak redirects in legacy mode * BUG/MINOR: mux-h2: also make sure blocked legacy connections may expire * BUG/MINOR: sample: Make the `field` converter compatible with `-m found` * BUG/MINOR: cache: alloc shctx after check config * BUG/MINOR: stick-table: Never exceed (MAX_SESS_STKCTR-1) when fetching a stkctr * BUG/MINOR: ssl: Fix fd leak on error path when a TLS ticket keys file is parsed * BUG/MINOR: mworker/cli: reload fail with inherited FD * BUG/MEDIUM: ssl: 'tune.ssl.default-dh-param' value ignored with openssl > 1.1.1 * CLEANUP: bind: handle warning label on bind keywords parsing. * CLEANUP: ssl: make ssl_sock_load_dh_params handle errcode/warn * CLEANUP: ssl: make ssl_sock_put_ckch_into_ctx handle errcode/warn * CLEANUP: ssl: make ssl_sock_load_cert*() return real error codes * REGTEST: mcli/mcli_show_info: launch a 'show info' on the master CLI * BUG/MEDIUM: mux_pt: Only call the wake emthod if nobody subscribed to receive. * BUG/MEDIUM: mux_pt: Don't destroy the connection if we have a stream attached. * Revert e8826ded5fea3593d89da2be5c2d81c522070995. * BUG/MAJOR: idle conns: schedule the cleanup task on the correct threads * BUG/MEDIUM: mux_pt: Make sure we don't have a conn_stream before freeing. * BUG/MINOR: tcp: Don't alter counters returned by tcp info fetchers * BUG/MINOR: mworker/ssl: close openssl FDs unconditionally * BUG/MINOR: http-htx: Properly set htx flags on error files to support keep-alive * MINOR: version: make the version strings variables, not constants * BUG/MINOR: WURFL: fix send_log() function arguments * BUG/MINOR: mux-h1: Capture ignored parsing errors * BUG/MINOR: mux-h1: Mark the output buffer as full when the xfer is interrupted * BUG/MINOR: chunk: Fix tests on the chunk size in functions copying data * BUG/MEDIUM: htx: Catch chunk_memcat() failures when HTX data are formatted to h1 * BUILD: ssl: wrong #ifdef for SSL engines code * BUG/MINOR: ssl: abort on sni_keytypes allocation failure * BUG/MINOR: ssl: free the sni_keytype nodes * BUG/MINOR: ssl: abort on sni allocation failure * BUG/MEDIUM: applet: always check a fast running applet's activity before killing * MINOR: stats: mention in the help message support for "json" and "typed" * DOC: fix typo in Prometheus exporter doc * DOC: clarify some points around http-send-name-header's behavior * BUG/MEDIUM: cache: make sure not to cache requests with absolute-uri * BUG/MINOR: peers: crash on reload without local peer. * BUG/MEDIUM: mux-h2: do not enforce timeout on long connections * BUILD: ebtree: make eb_is_empty() and eb_is_dup() take a const * MINOR: mux-h2: add a per-connection list of blocked streams * BUG/MINOR: action: do-resolve does not yield on requests with body * BUG/MEDIUM: lua: Store stick tables into the sample's `t` field * BUG/MINOR: lua: Properly initialize the buffer's fields for string samples in hlua_lua2(smp|arg) * BUG/MINOR: stats: Add a missing break in a switch statement- Update to version 2.0.7+git0.1909aa1e: * [RELEASE] Released version 2.0.7 * BUG/MEDIUM: namespace: fix fd leak in master-worker mode * DOC: Fix documentation about the cli command to get resolver stats * BUG/MINOR: contrib/prometheus-exporter: Return the time averages in seconds * MINOR: stats: Add the support of float fields in stats * MINOR: spoe: Support the async mode with several threads * MINOR: spoe: Improve generation of the engine-id * BUG/MEDIUM: spoe: Use a different engine-id per process * BUG/MINOR: mux-h1: Do h2 upgrade only on the first request * BUG/MAJOR: mux_h2: Don't consume more payload than received for skipped frames * BUG/MINOR: mux-h2: Use the dummy error when decoding headers for a closed stream * BUG/MEDIUM: mux-h2: don't reject valid frames on closed streams * BUG/MEDIUM: namespace: close open namespaces during soft shutdown * BUG/MINOR: mux-h2: do not wake up blocked streams before the mux is ready * BUG/MEDIUM: checks: make sure the connection is ready before trying to recv * BUG/MEDIUM: stream-int: Process connection/CS errors during synchronous sends * BUG/MINOR: stream-int: Process connection/CS errors first in si_cs_send() * BUG/MEDIUM: check/threads: make external checks run exclusively on thread 1 * BUG/MAJOR: mux-h2: Handle HEADERS frames received after a RST_STREAM frame * BUG/MINOR: mux-h2: Be sure to have a connection to unsubcribe * BUG/MEDIUM: stick-table: Properly handle "show table" with a data type argument- Update to version 2.0.6+git0.58706ab4: * [RELEASE] Released version 2.0.6 * MINOR: sample: Add UUID-fetch * BUG/MINOR: Missing stat_field_names (since f21d17bb) * BUG/MINOR: backend: Fix a possible null pointer dereference * BUG/MINOR: acl: Fix memory leaks when an ACL expression is parsed * BUG/MINOR: filters: Properly set the HTTP status code on analysis error * BUG/MEDIUM: http: also reject messages where "chunked" is missing from transfer-enoding * BUG/MINOR: ssl: always check for ssl connection before getting its XPRT context * BUG/MINOR: listener: Fix a possible null pointer dereference * MINOR: stats: report the number of idle connections for each server * BUG/MEDIUM: connection: don't keep more idle connections than ever needed * BUG/MAJOR: ssl: ssl_sock was not fully initialized. * BUG/MINOR: lb/leastconn: ignore the server weights for empty servers * MINOR: contrib/prometheus-exporter: Report DRAIN/MAINT/NOLB status for servers * BUG/MINOR: checks: do not uselessly poll for reads before the connection is up * BUG/MINOR: checks: make __event_chk_srv_r() report success before closing * BUG/MINOR: checks: start sending the request right after connect() * BUG/MINOR: checks: stop polling for write when we have nothing left to send * BUG/MEDIUM: cache: Don't cache objects if the size of headers is too big * BUG/MEDIUM: cache: Properly copy headers splitted on several shctx blocks * BUG/MINOR: mux-h1: Be sure to update the count before adding EOM after trailers * BUG/MINOR: mux-h1: Don't stop anymore input processing when the max is reached * BUG/MINOR: mux-h1: Fix size evaluation of HTX messages after headers parsing * BUG/MINOR: h1: Properly reset h1m when parsing is restarted * BUG/MINOR: http-ana: Reset response flags when 1xx messages are handled * BUG/MEDIUM: peers: local peer socket not bound. * BUG/MEDIUM: proto-http: Always start the parsing if there is no outgoing data * BUG/MEDIUM: url32 does not take the path part into account in the returned hash. * BUG/MEDIUM: listener/threads: fix an AB/BA locking issue in delete_listener() * BUG/MINOR: mworker: disable SIGPROF on re-exec * DOC: fixed typo in management.txt * BUG/MEDIUM: mux-h1: do not report errors on transfers ending on buffer full * BUG/MEDIUM: mux-h1: do not truncate trailing 0CRLF on buffer boundary * MEDIUM: debug: make the thread dump code show Lua backtraces * MINOR: lua: export applet and task handlers * MINOR: tools: add append_prefixed_str() * MINOR: debug: indicate the applet name when the task is task_run_applet()- Use %license instead of %doc [bsc#1082318] - Recommend apparmor, it's not required to work (make haproxy useable in a container)- enable prometheus exporter- enable verbose make output- Update to version 2.0.5+git0.d905f49a: * [RELEASE] Released version 2.0.5 * BUG/MEDIUM: mux_pt: Don't call unsubscribe if we did not subscribe. * MINOR: fd: make sure to mark the thread as not stuck in fd_update_events() * BUG/MINOR: stats: Wait the body before processing POST requests * BUG/MEDIUM: lua: Fix test on the direction to set the channel exp timeout * BUG/MEDIUM: mux_h1: Don't bother subscribing in recv if we're not connected. * BUG/MINOR: Fix prometheus '# TYPE' and '# HELP' headers * BUG/MINOR: lua: fix setting netfilter mark * BUG/MEDIUM: proxy: Don't use cs_destroy() when freeing the conn_stream. * BUG/MEDIUM: proxy: Don't forget the SF_HTX flag when upgrading TCP=>H1+HTX. * BUG/MINOR: buffers/threads: always clear a buffer's head before releasing it * MINOR: ssl: ssl_fc_has_early should work for BoringSSL * BUG/MINOR: ssl: fix 0-RTT for BoringSSL * BUG/MEDIUM: stick-table: Wrong stick-table backends parsing. * [RELEASE] Released version 2.0.4 * BUG/MEDIUM: checks: make sure to close nicely when we're the last to speak * BUG/MINOR: mux-h2: always reset rcvd_s when switching to a new frame * BUG/MINOR: mux-h2: always send stream window update before connection's * BUG/MEDIUM: mux-h2: do not recheck a frame type after a state transition * BUG/MINOR: mux-h2: do not send REFUSED_STREAM on aborted uploads * BUG/MINOR: mux-h2: use CANCEL, not STREAM_CLOSED in h2c_frt_handle_data() * BUG/MINOR: mux-h2: don't refrain from sending an RST_STREAM after another one * BUG/MEDIUM: fd: Always reset the polled_mask bits in fd_dodelete(). * BUG/MEDIUM: proxy: Make sure to destroy the stream on upgrade from TCP to H2 * BUG/MEDIUM: mux-h2: split the stream's and connection's window sizes * BUG/MEDIUM: mux-h2: unbreak receipt of large DATA frames * BUG/MINOR: stream-int: also update analysers timeouts on activity * BUG/MAJOR: http/sample: use a static buffer for raw -> htx conversion * BUG/MEDIUM: lb-chash: Ensure the tree integrity when server weight is increased * MINOR: wdt: also consider that waiting in the thread dumper is normal * BUG/MINOR: debug: fix a small race in the thread dumping code- Update to version 2.0.3+git14.0ff395c1 (bsc#1142529) (CVE-2019-14241): * BUG/MAJOR: queue/threads: avoid an AB/BA locking issue in process_srv_queue() * BUG/MINOR: htx: Fix free space addresses calculation during a block expansion * BUG/MINOR: hlua: Only execute functions of HTTP class if the txn is HTTP ready * MINOR: hlua: Add a flag on the lua txn to know in which context it can be used * MINOR: hlua: Don't set request analyzers on response channel for lua actions * BUG/MEDIUM: hlua: Check the calling direction in lua functions of the HTTP class * BUG/MINOR: hlua/htx: Reset channels analyzers when txn:done() is called * DOC: improve the wording in CONTRIBUTING about how to document a bug fix * BUG/MINOR: log: make sure writev() is not interrupted on a file output * BUG/MEDIUM: streams: Don't switch the SI to SI_ST_DIS if we have data to send. * BUG/MEDIUM: lb-chash: Fix the realloc() when the number of nodes is increased * BUILD: threads: add the definition of PROTO_LOCK * BUG/MINOR: proxy: always lock stop_proxy() * BUG/MEDIUM: protocols: add a global lock for the init/deinit stuff * [RELEASE] Released version 2.0.3 * BUG/CRITICAL: http_ana: Fix parsing of malformed cookies which start by a delimiter * BUG/MINOR: http_htx: Support empty errorfiles * BUG/MINOR: http_ana: Be sure to have an allocated buffer to generate an error * BUG/MEDIUM: tcp-checks: do not dereference inexisting conn_stream * BUG/MINOR: mux-h1: Close server connection if input data remains in h1_detach() * BUG/MEDIUM: mux-h1: Trim excess server data at the end of a transaction * BUG/MINOR: checks: do not exit tcp-checks from the middle of the loop * BUG/MINOR: session: Send a default HTTP error if accept fails for a H1 socket * BUG/MINOR: session: Emit an HTTP error if accept fails only for H1 connection * BUG/MINOR: debug: Remove flags CO_FL_SOCK_WR_ENA/CO_FL_SOCK_RD_ENA * DOC: htx: Update comments in HTX files * BUG/MINOR: hlua: Make the function txn:done() HTX aware * BUG/MINOR: cache/htx: Make maxage calculation HTX aware * BUG/MINOR: http_htx: Initialize HTX error messages for TCP proxies * BUG/MINOR: http_fetch: Fix http_auth/http_auth_group when called from TCP rules * BUG/MINOR: backend: do not try to install a mux when the connection failed * BUG/MEDIUM: http/htx: unbreak option http_proxy * BUG/MEDIUM: checks: Don't attempt to receive data if we already subscribed. * BUG/MINOR: dns: remove irrelevant dependency on a client connection * [RELEASE] Released version 2.0.2 * BUG/MEDIUM: threads: cpu-map designating a single thread/process are ignored * BUG/MEDIUM: tcp-check: unbreak multiple connect rules again * BUG/MINOR: mux-pt: do not pretend there's more data after a read0 * BUG/MEDIUM: streams: Don't redispatch with L7 retries if redispatch isn't set. * BUG/MEDIUM: streams: Don't give up if we couldn't send the request. * BUG/MINOR: mux-h1: Correctly report Ti timer when HTX and keepalives are used * BUG/MEDIUM: mux-h1: Don't release h1 connection if there is still data to send * BUG/MAJOR: listener: fix thread safety in resume_listener() * MINOR: task: introduce work lists * BUG/MEDIUM: servers: Fix a race condition with idle connections. * DOC: Fix typos and grammer in configuration.txt * BUG/MEDIUM: da: cast the chunk to string. * BUG/MEDIUM: checks: Don't attempt to read if we destroyed the connection. * BUG/MINOR: server: Be really able to keep "pool-max-conn" idle connections * BUG/MEDIUM: fd/threads: fix excessive CPU usage on multi-thread accept- Update to version 2.0.1+git27.5db881ff: * BUG/MINOR: ssl: revert empty handshake detection in OpenSSL <= 1.0.2 * BUG/MEDIUM: servers: Don't forget to set srv_cs to NULL if we can't reuse it. * BUG/MEDIUM: stream-int: Don't rely on CF_WRITE_PARTIAL to unblock opposite si * MINOR: stream-int: Factorize processing done after sending data in si_cs_send() * BUG/MINOR: mux-h1: Don't process input or ouput if an error occurred * BUG/MEDIUM: mux-h1: Handle TUNNEL state when outgoing messages are formatted * BUG/MEDIUM: lb_fas: Don't test the server's lb_tree from outside the lock * BUG/MEDIUM: http/applet: Finish request processing when a service is registered * MINOR: action: Add the return code ACT_RET_DONE for actions * BUG/MINOR: contrib/prometheus-exporter: Don't try to add empty data blocks * MINOR: server: Add "no-tfo" option. * BUG/MEDIUM: sessions: Don't keep an extra idle connection in sessions. * BUG/MEDIUM: servers: Authorize tfo in default-server. * BUG/MEDIUM: connections: Make sure we're unsubscribe before upgrading the mux. * BUG/MINOR: contrib/prometheus-exporter: Respect the reserve when data are sent * BUG/MINOR: hlua/htx: Respect the reserve when HTX data are sent * BUG/MEDIUM: channel/htx: Use the total HTX size in channel_htx_recv_limit() * BUG/MINOR: hlua: Don't use channel_htx_recv_max() * BUG/MINOR: contrib/prometheus-exporter: Don't use channel_htx_recv_max() * BUG/MEDIUM: checks: Make sure the tasklet won't run if the connection is closed. * BUG/MEDIUM: connections: Always call shutdown, with no linger. * BUG/MINOR: mux-h1: Don't return the empty chunk on HEAD responses * BUG/MINOR: mux-h1: Skip trailers for non-chunked outgoing messages * BUG/MEDIUM: checks: unblock signals in external checks * BUG/MEDIUM: mux-h1: Always release H1C if a shutdown for writes was reported * BUG/MEDIUM: ssl: Don't attempt to set alpn if we're not using SSL. * BUG/MINOR: mworker/cli: don't output a \n before the response * BUG/MINOR: mux-h1: Make format errors during output formatting fatal * BUG/MEDIUM: mux-h1: Use buf_room_for_htx_data() to detect too large messages * BUG/MEDIUM: proto_htx: Don't add EOM on 1xx informational messages * BUG/MINOR: log: Detect missing sampling ranges in config * BUG/MINOR: memory: Set objects size for pools in the per-thread cache * BUG/MAJOR: mux-h1: Don't crush trash chunk area when outgoing message is formatted * BUG/MINOR: htx: Save hdrs_bytes when the HTX start-line is replaced * BUG/MEDIUM: ssl: Don't do anything in ssl_subscribe if we have no ctx. * BUG/MEDIUM: connections: Always add the xprt handshake if needed. * BUG/MEDIUM: stream_interface: Don't add SI_FL_ERR the state is < SI_ST_CON. * BUG/MINOR: spoe: Fix memory leak if failing to allocate memory * BUG/MEDIUM: mworker/cli: command pipelining doesn't work anymore * BUG/MEDIUM: mworker: don't call the thread and fdtab deinit * BUG/MINOR: mworker-prog: Fix segmentation fault during cfgparse * BUG/MAJOR: sample: Wrong stick-table name parsing in "if/unless" ACL condition. * BUG/MEDIUM: lb_fwlc: Don't test the server's lb_tree from outside the lock * BUG/MEDIUM: mux-h2: Remove the padding length when a DATA frame size is checked * BUG/MEDIUM: mux-h2: Reset padlen when several frames are demux- Correct version line, which should be 2.0.0+git6.- allow the new master socket path in the apparmor profile- Update to version 2.0.0~git6.41dc8432: * BUG/MEDIUM: htx: Fully update HTX message when the block value is changed * MINOR: htx: Add the function htx_change_blk_value_len() * BUG/MEDIUM: compression: Set Vary: Accept-Encoding for compressed responses * BUG/MINOR: mux-h1: Add the header connection in lower case in outgoing messages * BUG/MINOR: lua/htx: Make txn.req_req_* and txn.res_rep_* HTX aware * BUG/MEDIUM: h2/htx: Update data length of the HTX when the cookie list is built- Update to version 2.0.0~git0.ba23630a: - new internal native HTTP representation called HTX, was already in 1.9 and is now enabled by default in 2.0 ; - end-to-end HTTP/2 support including trailers and continuation frames, as needed for gRPC ; HTTP/2 may also be upgraded from HTTP/1.1 using the H2 preface; - server connection pooling and more advanced reuse, with ALPN protocol negotiation (already in 1.9) ; - layer 7 retries, allowing to use 0-RTT and TCP Fast Open to the servers as well as on the frontend ; - much more scalable multi-threading, which is even enabled by default on platforms where it was successfully tested ; by default, as many threads are started as the number of CPUs haproxy is allowed to run on. This removes a lot of configuration burden in VMs and containers ; - automatic maxconn setting for the process and the frontends, directly based on the number of available FDs (easier configuration in containers and with systemd) ; - logging to stdout for use in containers and systemd (already in 1.9). Logs can now provide micro-second resolution for some events ; - peers now support SSL, declaration of multiple stick-tables directly in the peers section, and synchronization of server names, not just IDs ; - In master-worker mode, the master process now exposes its own CLI and can communicate with all other processes (including the stopping ones), even allowing to connect to their CLI and check their state. It is also possible to start some sidecar programs and monitor them from the master, and the master can automatically kill old processes that survived too many reloads ; - the incoming connections are load-balanced between all threads depending on their load to minimize the processing time and maximize the capacity (already in 1.9) ; - the SPOE connection load-balancing was significantly improved in order to reduce high percentiles of SPOA response time (already in 1.9) ; - the "random" load balancing algorithm and a power-of-two-choices variant were introduced ; - statistics improvements with per-thread counters for certain things, and a prometheus exporter for all our statistics; - lots of debugging help, it's easier to produce a core dump, there are new commands on the CLI to control various things, there is a watchdog to fail cleanly when a thread deadlock or a spinning task are detected, so overall it should provide a better experience in field and less round trips between users and developers (hence less stress during an incident). - all 3 device detection engines are now compatible with multi-threading and can be build-tested without any external dependencies ; - "do-resolve" http-request action to perform a DNS resolution on any, sample, and resolvers now support relying on /etc/resolv.conf to match the local resolver ; - log sampling and balancing : it's now possible to send 1 log every 10 to a server, or to spread the logging load over multiple log servers; - a new SPOA agent (spoa_server) allows to interface haproxy with Python and Lua programs ; - support for Solaris' event ports (equivalent of kqueue or epoll) which will significantly improve the performance there when dealing with numerous connections ; - some warnings are now reported for some deprecated options that will be removed in 2.1. Since 2.0 is long term supported, there's no emergency to convert them, however if you see these warnings, you need to understand that you're among their extremely rare users and just because of this you may be taking risks by keeping them ; - A new SOCKS4 server-side layer was provided ; it allows outgoing connections to be forwarded through a SOCKS4 proxy (such as ssh -D). - priority- and latency- aware server queues : it is possible now to assign priorities to certain requests and/or to give them a time bonus or penalty to refine control of the traffic and be able to engage on SLAs. - internally the architecture was significantly redesigned to allow to further improve performance and make it easier to implement protocols that span over multiple layers (such as QUIC). This work started in 1.9 and will continue with 2.1. - the I/O, applets and tasks now share the same multi-threaded scheduler, giving a much better responsiveness and fairness between all tasks as is visible with the CLI which always responds instantly even under extreme loads (started in 1.9) ; - the internal buffers were redesigned to ease zero-copy operations, so that it is possible to sustain a high bandwidth even when forwarding HTTP/1 to/from HTTP/2 (already in 1.9) ;- Update to version 1.8.20~git0.6fb9fadc: * [RELEASE] Released version 1.8.20 * BUG/MINOR: spoe: Don't systematically wakeup SPOE stream in the applet handler * BUG/MINOR: da: Get the request channel to call CHECK_HTTP_MESSAGE_FIRST() * BUG/MINOR: 51d: Get the request channel to call CHECK_HTTP_MESSAGE_FIRST() * BUG/MEDIUM: thread/http: Add missing locks in set-map and add-acl HTTP rules * BUG/MINOR: acl: properly detect pattern type SMP_T_ADDR * BUG/MEDIUM: maps: only try to parse the default value when it's present * BUG/MAJOR: http_fetch: Get the channel depending on the keyword used * MINOR: skip get_gmtime where tm is unused * BUILD/MINOR: listener: Silent a few signedness warnings. * BUG/MEDIUM: listener: make sure the listener never accepts too many conns * BUG/MEDIUM: listener: use a self-locked list for the dequeue lists * MAJOR: listener: do not hold the listener lock in listener_accept() * BUG/MEDIUM: list: fix incorrect pointer unlocking in LIST_DEL_LOCKED() * BUG/MEDIUM: list: fix again LIST_ADDQ_LOCKED * BUG/MEDIUM: list: correct fix for LIST_POP_LOCKED's removal of last element * MINOR: list: make the delete and pop operations idempotent * BUG/MEDIUM: list: add missing store barriers when updating elements and head * BUG/MEDIUM: list: fix LIST_POP_LOCKED's removal of the last pointer * BUG/MEDIUM: list: fix the rollback on addq in the locked liss * BUG/MEDIUM: lists: Properly handle the case we're removing the first elt. * MINOR: lists: Implement locked variations. * BUG/MINOR: threads: fix the process range of thread masks * BUG/MEDIUM: spoe: Return an error if nothing is encoded for fragmented messages * BUG/MEDIUM: spoe: Queue message only if no SPOE applet is attached to the stream * BUG/MEDIUM: pattern: assign pattern IDs after checking the config validity * BUILD: connection: fix naming of ip_v field * BUILD: use inttypes.h instead of stdint.h * BUG/MEDIUM: peers: fix a case where peer session is not cleanly reset on release. * MINOR: cli: start addresses by a prefix in 'show cli sockets' * BUG/MINOR: cli: correctly handle abns in 'show cli sockets' * BUILD: Makefile: disable shared cache on AIX 5.1 * BUILD: makefile: add _LINUX_SOURCE_COMPAT to build on AIX-51 * BUILD: makefile: fix build of IPv6 header on aix51 * MINOR: tools: make memvprintf() never pass a NULL target to vsnprintf() * BUILD: makefile: work around an old bug in GNU make-3.80 * BUG/MAJOR: checks: segfault during tcpcheck_main * DOC: The option httplog is no longer valid in a backend. * BUG/MEDIUM: ssl: ability to set TLS 1.3 ciphers using ssl-default-server-ciphersuites * BUG/MINOR: http/counters: fix missing increment of fe->srv_aborts * BUG/MAJOR: stats: Fix how huge POST data are read from the channel * BUG/MAJOR: spoe: Fix initialization of thread-dependent fields * BUG/MEDIUM: threads/fd: do not forget to take into account epoll_fd/pipes * MEDIUM: threads: Use __ATOMIC_SEQ_CST when using the newer atomic API. * BUG/MINOR: ssl: fix warning about ssl-min/max-ver support * BUG/MEDIUM: 51d: fix possible segfault on deinit_51degrees() * BUG/MEDIUM: logs: Only attempt to free startup_logs once. * BUG/MINOR: listener: keep accept rate counters accurate under saturation * BUG/MAJOR: listener: Make sure the listener exist before using it.- Update to version 1.8.19~git0.ebf033b4: * [RELEASE] Released version 1.8.19 * BUG/MINOR: config: Reinforce validity check when a process number is parsed * BUG/MAJOR: stream: avoid double free on unique_id * BUG/MAJOR: spoe: Don't try to get agent config during SPOP healthcheck * BUG/MEDIUM: server: initialize the idle conns list after parsing the config * BUG/MEDIUM: spoe: initialization depending on nbthread must be done last * BUG/MINOR: lua: initialize the correct idle conn lists for the SSL sockets * BUG/MINOR: spoe: do not assume agent->rt is valid on exit * DOC: ssl: Stop documenting ciphers example to use * DOC: ssl: Clarify when pre TLSv1.3 cipher can be used * [RELEASE] Released version 1.8.18 * BUG/MINOR: config: make sure to count the error on incorrect track-sc/stick rules * BUG/MAJOR: spoe: verify that backends used by SPOE cover all their callers' processes * BUG/MAJOR: config: verify that targets of track-sc and stick rules are present * BUG/MINOR: config: fix bind line thread mask validation * BUG/MEDIUM: stream: Don't forget to free s->unique_id in stream_free(). * BUG/MEDIUM: mux-h2: do not close the connection on aborted streams * MINOR: connstream: have a new flag CS_FL_KILL_CONN to kill a connection * MINOR: stream-int: add a new flag to mention that we want the connection to be killed * MINOR: stream-int: expand the flags to 32-bit * BUG/MEDIUM: mux-h2: wait for the mux buffer to be empty before closing the connection * BUG/MEDIUM: mux-h2: make sure never to send GOAWAY on too old streams * BUG/MEDIUM: mux-h2: fix two half-closed to closed transitions * BUG/MEDIUM: mux-h2: wake up flow-controlled streams on initial window update * MINOR: xref: Add missing barriers. * BUG/MINOR: stream: don't close the front connection when facing a backend error * SCRIPTS: add the issue tracker URL to the announce script * SCRIPTS: add the slack channel URL to the announce script * BUG/MINOR: deinit: tcp_rep.inspect_rules not deinit, add to deinit * BUG/MINOR: spoe: corrected fragmentation string size * DOC: nbthread is no longer experimental. * BUG/MINOR: hpack: return a compression error on invalid table size updates * BUG/MINOR: mux-h2: make it possible to set the error code on an already closed stream * BUG/MINOR: mux-h2: headers-type frames in HREM are always a connection error * BUG/MINOR: mux-h2: CONTINUATION in closed state must always return GOAWAY * MINOR: h2: declare new sets of frame types * MINOR: h2: add a bit-based frame type representation * DOC: mention the effect of nf_conntrack_tcp_loose on src/dst * BUG/MEDIUM: ssl: Fix handling of TLS 1.3 KeyUpdate messages * BUG/MINOR: check: Wake the check task if the check is finished in wake_srv_chk() * BUG/MINOR: server: don't always trust srv_check_health when loading a server state * BUG/MINOR: stick_table: Prevent conn_cur from underflowing * BUG/MINOR: backend: BE_LB_LKUP_CHTREE is a value, not a bit * BUG/MINOR: backend: balance uri specific options were lost across defaults * BUG/MINOR: backend: don't use url_param_name as a hint for BE_LB_ALGO_PH * BUG/MEDIUM: ssl: missing allocation failure checks loading tls key file * DOC: Be a bit more explicit about allow-0rtt security implications. * BUG/MEDIUM: ssl: Disable anti-replay protection and set max data with 0RTT. * BUG/MAJOR: cache: fix confusion between zero and uninitialized cache key * DOC: http-request cache-use / http-response cache-store expects cache name- Update to version 1.8.17~git0.e89d25b2 (bsc#1121283) (CVE-2018-20615): * BUG/CRITICAL: mux-h2: re-check the frame length when PRIORITY is used * BUG/MEDIUM: lua: dead lock when Lua tasks are trigerred * BUG/MINOR: lua: bad args are returned for Lua actions * BUG/MINOR: lua: Return an error if a legacy HTTP applet doesn't send anything * BUG/MEDIUM: cli: make "show sess" really thread-safe * MINOR: stream/cli: report more info about the HTTP messages on "show sess all" * MINOR: stream/cli: fix the location of the waiting flag in "show sess all" * MINOR: lb: allow redispatch when using consistent hash * BUG/MEDIUM: server: Also copy "check-sni" for server templates. * BUG/MEDIUM: mux-h2: mark that we have too many CS once we have more than the max * MINOR: mux-h2: only increase the connection window with the first update * BUG/MAJOR: stream-int: Update the stream expiration date in stream_int_notify() * BUG/MEDIUM: dns: overflowed dns name start position causing invalid dns error * BUG/MEDIUM: dns: Don't prevent reading the last byte of the payload in dns_validate_response() * BUG/MINOR: logs: leave startup-logs global and not per-thread- Update to version 1.8.15~git0.6b6a350a: (bsc#1119419) (CVE-2018-20103) (VUL-0) (bsc#1119368) (CVE-2018-20102) * DOC: Update configuration doc about the maximum number of stick counters. * BUG: dns: Fix off-by-one write in dns_validate_dns_response() * BUG: dns: Fix out-of-bounds read via signedness error in dns_validate_dns_response() * BUG: dns: Prevent out-of-bounds read in dns_validate_dns_response() * BUG: dns: Prevent out-of-bounds read in dns_read_name() * BUG: dns: Prevent stack-exhaustion via recursion loop in dns_read_name * DOC: refer to check-sni in the documentation of sni * DOC: clarify that check-sni needs an argument. * MINOR: servers: Free [idle|safe|priv]_conns on exit. * MINOR: stats: report the number of active jobs and listeners in "show info" * BUG/MINOR: mux-h2: advertise a larger connection window size * BUG/MINOR: mux-h2: refrain from muxing during the preface * BUG/MINOR: hpack: fix off-by-one in header name encoding length calculation * BUG/MEDIUM: sample: Don't treat SMP_T_METH as SMP_T_STR. * BUG/MINOR: lb-map: fix unprotected update to server's score * BUG/MINOR: cfgparse: Fix the call to post parser of the last sections parsed * BUG/MINOR: cfgparse: Fix transition between 2 sections with the same name * BUG/MINOR: ssl: ssl_sock_parse_clienthello ignores session id * BUG/MEDIUM: hpack: fix encoding of "accept-ranges" field * BUG/MINOR: config: Copy default error messages when parsing of a backend starts * BUG/MEDIUM: Make sure stksess is properly aligned. * BUG/MINOR: config: better detect the presence of the h2 pattern in npn/alpn * BUG/MEDIUM: auth/threads: use of crypt() is not thread-safe * BUG/MAJOR: http: http_txn_get_path() may deference an inexisting buffer * BUG/MINOR: only auto-prefer last server if lb-alg is non-deterministic * BUG/MINOR: only mark connections private if NTLM is detected * DOC: cache: Missing information about "total-max-size" * BUG/MINOR: ssl: Wrong usage of shctx_init(). * BUG/MINOR: cache: Wrong usage of shctx_init(). * BUG/MINOR: cache: Crashes with "total-max-size" > 2047(MB). * BUG/MEDIUM: h2: Close connection if no stream is left an GOAWAY was sent. * BUG/MEDIUM: pools: Fix the usage of mmap()) with DEBUG_UAF. * DOC: fix reference to map files in MAINTAINERS * MINOR: peers: use defines instead of enums to appease clang. * MINOR: cfgparse: Write 130 as 128 as 0x82 and 0x80. * MINOR: server: Use memcpy() instead of strncpy(). * CLEANUP: stick-tables: Remove unneeded double (()) around conditional clause * MINOR: lua: all functions calling lua_yieldk() may return * BUG/MEDIUM: threads: make sure threads_want_sync is marked volatile * BUG/MEDIUM: threads: fix thread_release() at the end of the rendez-vous point * BUG/MEDIUM: stream: don't crash on out-of-memory * BUG/MEDIUM: mworker: segfault receiving SIGUSR1 followed by SIGTERM. * BUG/MINOR: checks: queues null-deref * BUG/MEDIUM: Cur/CumSslConns counters not threadsafe. * MEDIUM: ssl: add support for ciphersuites option for TLSv1.3 * BUG/MEDIUM: buffers: Make sure we don't wrap in buffer_insert_line2/replace2. * BUG/MINOR: backend: check that the mux installed properly * BUG/MINOR: connection: avoid null pointer dereference in send-proxy-v2 * DOC: clarify force-private-cache is an option * MINOR: threads: Make sure threads_sync_pipe is initialized before using it.- also fix the systemd case for the apparmor_reload change- only reload the apparmor profile on newer distros, seems older distros do not have apparmor-rpm-macros yet- only use network namespaces on 12.x and newer, failed to build on sle11- guard all parts referring to systemd to fix build on sle 11- Update to version 1.8.14~git0.52e4d43b: (bsc#1108683) (CVE-2018-14645) * [RELEASE] Released version 1.8.14 * BUG/CRITICAL: hpack: fix improper sign check on the header index value * BUG/MINOR: cli: make sure the "getsock" command is only called on connections * BUG/MINOR: tools: fix set_net_port() / set_host_port() on IPv4 * BUG/MEDIUM: patterns: fix possible double free when reloading a pattern list * DOC: Fix typos in lua documentation * BUG/MINOR: server: Crash when setting FQDN via CLI. * BUG/MAJOR: kqueue: Don't reset the changes number by accident. * BUG/MEDIUM: snapshot: take the proxy's lock while dumping errors * BUG/MINOR: http/threads: atomically increment the error snapshot ID * BUG/MINOR: dns: check and link servers' resolvers right after config parsing * BUG/MEDIUM: h2: fix risk of memory leak on malformated wrapped frames * BUG/MEDIUM: session: fix reporting of handshake processing time in the logs * BUG/MINOR: stream: use atomic increments for the request counter * MINOR: thread: implement HA_ATOMIC_XADD() * BUG/MEDIUM: ECC cert should work with TLS < v1.2 and openssl >= 1.1.1 * BUG/MEDIUM: dns/server: fix incomatibility between SRV resolution and server state file * BUG/MEDIUM: hlua: Don't call RESET_SAFE_LJMP if SET_SAFE_LJMP returns 0. * BUG/MAJOR: thread: lua: Wrong SSL context initialization. * BUG/MEDIUM: hlua: Make sure we drain the output buffer when done. * BUG/MEDIUM: lua: reset lua transaction between http requests * BUG/MEDIUM: mux_pt: dereference the connection with care in mux_pt_wake() * BUG/MINOR: lua: Bad HTTP client request duration. * BUG/MEDIUM: unix: provide a ->drain() function * DOC: Fix spelling error in configuration doc * BUG/MEDIUM: cli/threads: protect some server commands against concurrent operations * BUG/MEDIUM: cli/threads: protect all "proxy" commands against concurrent updates * BUG/MEDIUM: lua: socket timeouts are not applied * DOC: ssl: Use consistent naming for TLS protocols * DOC: dns: explain set server ... fqdn requires resolver * BUG/MINOR: map: fix map_regm with backref * BUG/MEDIUM: ssl: loading dh param from certifile causes unpredictable error. * BUG/MEDIUM: ssl: fix missing error loading a keytype cert from a bundle. * BUG/MINOR: ssl: empty connections reported as errors. * BUG/MEDIUM: cli: make "show fd" thread-safe * MEDIUM: hathreads: implement a more flexible rendez-vous point * BUG/MEDIUM: threads: fix the no-thread case after the change to the sync point * MINOR: threads: add more consistency between certain variables in no-thread case * BUG/MEDIUM: threads: fix the double CAS implementation for ARMv7 * MINOR: threads: Introduce double-width CAS on x86_64 and arm. * BUG/MEDIUM: lua: possible CLOSE-WAIT state with '\n' headers- Require apparmor-abstractions to reduce dependencies (bsc#1100787)- Update to version 1.8.13~git4.c1bfcd00: * MINOR: dns: new DNS options to allow/prevent IP address duplication * MINOR: dns: fix wrong score computation in dns_get_ip_from_response * BUG/MEDIUM: queue: prevent a backup server from draining the proxy's connections * BUG/MEDIUM: servers: check the queues once enabling a server * MEDIUM: proxy_protocol: Convert IPs to v6 when protocols are mixed * BUG/MEDIUM: threads: unbreak "bind" referencing an incorrect thread number * MINOR: threads: move "nbthread" parsing to hathreads.c * BUG/MEDIUM: threads: properly fix nbthreads == MAX_THREADS * BUG/MINOR: threads: Handle nbthread == MAX_THREADS. * BUG/MINOR: config: stick-table is not supported in defaults section * BUG/MEDIUM: h2: prevent orphaned streams from blocking a connection forever * BUG/MEDIUM: threads/sync: use sched_yield when available * BUG/MINOR: servers: Don't make "server" in a frontend fatal. * BUG/MEDIUM: stats: don't ask for more data as long as we're responding * BUG/MEDIUM: stream-int: don't immediately enable reading when the buffer was reportedly full * MINOR: h2: add the error code and the max/last stream IDs to "show fd" * BUG/MEDIUM: threads: Fix the exit condition of the thread barrier * MINOR: debug: Add checks for conn_stream flags * MINOR: debug: Add check for CO_FL_WILL_UPDATE * BUG/MINOR: http: Set brackets for the unlikely macro at the right place * BUG/MEDIUM: h2: make sure the last stream closes the connection after a timeout * BUG/MEDIUM: h2: never leave pending data in the output buffer on close * BUG/MEDIUM: h2: don't accept new streams if conn_streams are still in excess * MINOR: h2: add the mux and demux buffer lengths on "show fd" * MINOR: h2: keep a count of the number of conn_streams attached to the mux * BUG/MINOR: h2: remove accidental debug code introduced with show_fd function * MINOR: h2: implement a basic "show_fd" function * MINOR: mux: add a "show_fd" function to dump debugging information for "show fd" * BUG/MINOR: ssl: properly ref-count the tls_keys entries * MINOR: systemd: consider exit status 143 as successful- Update to version 1.8.12~git0.8a200c71: * MINOR: stick-tables: make stktable_release() do nothing on NULL * BUG/MAJOR: stick_table: Complete incomplete SEGV fix- Update to version 1.8.11~git0.1d6ef58d: * BUG/BUILD: threads: unbreak build without threads * BUG/MAJOR: Stick-tables crash with segfault when the key is not in the stick-table- Update to version 1.8.10~git0.ec17d7a9: * MINOR: threads: Be sure to remove threads from all_threads_mask on exit * BUG/MEDIUM: threads: Use the sync point to check active jobs and exit * BUG/MEDIUM: fd: Don't modify the update_mask in fd_dodelete(). * BUG/MAJOR: ssl: OpenSSL context is stored in non-reserved memory slot * BUG/MAJOR: ssl: Random crash with cipherlist capture * BUG/MINOR: lua: Segfaults with wrong usage of types. * BUG/MAJOR: map: fix a segfault when using http-request set-map * MINOR: lua: Increase debug information * BUG/MINOR: signals: ha_sigmask macro for multithreading * BUG/MINOR: don't ignore SIG{BUS,FPE,ILL,SEGV} during signal processing * BUG/MEDIUM: threads: handle signal queue only in thread 0 * BUG/MINOR: unix: Make sure we can transfer abns sockets on seamless reload. * BUG/MINOR: contrib/modsecurity: update pointer on the end of the frame * BUG/MINOR: contrib/mod_defender: update pointer on the end of the frame * BUG/MINOR: contrib/modsecurity: Don't reset the status code during disconnect * BUG/MINOR: contrib/mod_defender: Don't reset the status code during disconnect * BUG/MINOR: contrib/spoa_example: Don't reset the status code during disconnect * MAJOR: spoe: upgrade the SPOP version to 2.0 and remove the support for 1.0 * BUG/MEDIUM: lua/socket: Buffer error, may segfault * BUG/MEDIUM: lua/socket: Sheduling error on write: may dead-lock * BUG/MEDIUM: lua/socket: Notification error * BUG/MAJOR: lua: Dead lock with sockets * BUG/MEDIUM: lua/socket: wrong scheduling for sockets * MINOR: task/notification: Is notifications registered ? * BUG/MEDIUM: spoe: Return an error when the wrong ACK is received in sync mode * BUG/MEDIUM: stick-tables: Decrement ref_cnt in table_* converters * BUG/MEDIUM: lua/socket: Length required read doesn't work * BUG/MEDIUM: servers: Add srv_addr default placeholder to the state file * BUG/MEDIUM: fd: Only check update_mask against all_threads_mask.- Update to version 1.8.9~git9.6d82e611: * BUG/MEDIUM: cache: don't cache when an Authorization header is present (VUL-1) (bsc#1094846) (CVE-2018-11469) * BUG/MEDIUM: dns: Delay the attempt to run a DNS resolution on check failure. * BUG/MINOR: ssl/lua: prevent lua from affecting automatic maxconn computation * BUG/MEDIUM: contrib/modsecurity: Use network order to encode/decode flags * BUG/MEDIUM: contrib/mod_defender: Use network order to encode/decode flags * BUG/MEDIUM: spoe: Flags are not encoded in network order * BUG/MINOR: lua: Socket.send threw runtime error: 'close' needs 1 arguments. * BUG/MINOR: spoe: Mistake in error message about SPOE configuration * BUG/MEDIUM: ssl: properly protect SSL cert generation * BUG/MEDIUM: pollers: Use a global list for fd shared between threads. * BUG/MEDIUM: http: don't always abort transfers on CF_SHUTR * BUG/MINOR: lua: ensure large proxy IDs can be represented * BUG/MINOR: lua: schedule socket task upon lua connect() * BUG/MEDIUM: task: Don't free a task that is about to be run. * BUG/MINOR: map: correctly track reference to the last ref_elt being dumped * DOC/MINOR: clean up LUA documentation re: servers & array/table. * BUG/MINOR: lua: Put tasks to sleep when waiting for data * BUG/MEDIUM: threads: Fix the sync point for more than 32 threads * BUG/MINOR: checks: Fix check->health computation for flapping servers * BUG/MINOR: config: disable http-reuse on TCP proxies * BUG/MINOR: lua/threads: Make lua's tasks sticky to the current thread * BUG/MEDIUM: h2: implement missing support for chunked encoded uploads * MINOR: h2: detect presence of CONNECT and/or content-length * BUG/MEDIUM: lua: Fix segmentation fault if a Lua task exits * BUG/MINOR: log: t_idle (%Ti) is not set for some requests * BUG/MAJOR: channel: Fix crash when trying to read from a closed socket * BUG/MINOR: pattern: Add a missing HA_SPIN_INIT() in pat_ref_newid()- Update to version 1.8.8: * BUG/CRITICAL: h2: fix incorrect frame length check (VUL-0) (bsc#1089837) * MINOR: cli: Ensure the CLI always outputs an error when it should * BUG/MINOR: cli: Guard against NULL messages when using CLI_ST_PRINT_FREE * BUG/MEDIUM: kqueue: When adding new events, provide an output to get errors. * BUG/MINOR: http: Return an error in proxy mode when url2sa fails * BUG/MEDIUM: connection: Make sure we have a mux before calling detach(). * BUG/MEDIUM: threads: Fix the max/min calculation because of name clashes- Update to version 1.8.7: * [RELEASE] Released version 1.8.7 * MINOR: servers: Support alphanumeric characters for the server templates names * BUG/MAJOR: cache: always initialize newly created objects * [RELEASE] Released version 1.8.6 * BUG/MINOR: spoe: Don't release the context buffer in .check_timeouts callbaclk * BUG/MINOR: spoe: Initialize variables used during conf parsing before any check * BUG/MAJOR: cache: fix random crashes caused by incorrect delete() on non-first blocks * BUG/MINOR: fd: Don't clear the update_mask in fd_insert. * BUG/MINOR: cache: fix "show cache" output * BUG/MINOR: email-alert: Set the mailer port during alert initialization * BUG/MINOR: checks: check the conn_stream's readiness and not the connection * BUG/MEDIUM: h2: always add a stream to the send or fctl list when blocked * BUILD/MINOR: threads: always export thread_sync_io_handler() * BUG/MEDIUM: h2: don't consider pending data on detach if connection is in error * BUG/MEDIUM: h2/threads: never release the task outside of the task handler * MINOR: h2: fuse h2s_detach() and h2s_free() into h2s_destroy() * MINOR: h2: always call h2s_detach() in h2_detach() * BUG/MAJOR: h2: remove orphaned streams from the send list before closing * MINOR: h2: provide and use h2s_detach() and h2s_free() * CLEANUP: h2: rename misleading h2c_stream_close() to h2s_close() * BUG/MINOR: hpack: fix harmless use of uninitialized value in hpack_dht_insert * BUILD/MINOR: cli: fix a build warning introduced by last commit * MINOR: cli: make "show fd" report the mux and mux_ctx pointers when available * MINOR: cli/threads: make "show fd" report thread_sync_io_handler instead of "unknown" * BUILD/MINOR: fix build when USE_THREAD is not defined * BUG/MINOR: lua funtion hlua_socket_settimeout don't check negative values * BUG/MINOR: lua: the function returns anything- Update to version 1.8.5: * BUG/MINOR: listener: Don't decrease actconn twice when a new session is rejected * BUG/MINOR: h2: ensure we can never send an RST_STREAM in response to an RST_STREAM * BUG/MEDIUM: h2: properly account for DATA padding in flow control * DOC: don't suggest using http-server-close * DOC: log: more than 2 log servers are allowed * BUILD/BUG: enable -fno-strict-overflow by default * MINOR: log: stop emitting alerts when it's not possible to write on the socket * BUG/MEDIUM: threads/queue: wake up other threads upon dequeue * BUG/MINOR: tcp-check: use the server's service port as a fallback * BUG/MEDIUM: tcp-check: single connect rule can't detect DOWN servers * BUG/MINOR: lua: return bad error messages * BUG/MINOR: spoa-example: unexpected behavior for more than 127 args * BUG/MINOR: cli: Fix a crash when sending a command with too many arguments * BUG/MINOR: seemless reload: Fix crash when an interface is specified. * BUG/MINOR: dns: don't downgrade DNS accepted payload size automatically * BUG/MAJOR: threads/queue: Fix thread-safety issues on the queues management * BUG/MEDIUM: threads/unix: Fix a deadlock when a listener is temporarily disabled * BUG/MEDIUM: spoe: Remove idle applets from idle list when HAProxy is stopping * BUG/MINOR: force-persist and ignore-persist only apply to backends * BUG/MEDIUM: fix a 100% cpu usage with cpu-map and nbthread/nbproc * BUG/MINOR: cli: Fix a typo in the 'set rate-limit' usage * BUG/MINOR: cli: Fix a crash when passing a negative or too large value to "show fd" * BUG/MEDIUM: h2: also arm the h2 timeout when sending * BUG/MINOR: unix: Don't mess up when removing the socket from the xfer_sock_list. * BUG/MINOR: session: Fix tcp-request session failure if handshake. * MINOR: systemd: Add SystemD's SystemCallFilter option to the unit file * MINOR: systemd: Add SystemD's Protect*= options to the unit file * MINOR: systemd: Add section for SystemD sandboxing to unit file * BUG/MEDIUM: buffer: Fix the wrapping case in bi_putblk * BUG/MEDIUM: buffer: Fix the wrapping case in bo_putblk * BUG/MEDIUM: h2: always consume any trailing data after end of output buffers * MINOR: stats: display the number of threads in the statistics. * BUG/MINOR: h2: Set the target of dbuf_wait to h2c * MINOR: debug/pools: make DEBUG_UAF also detect underflows * BUG/MINOR: debug/pools: properly handle out-of-memory when building with DEBUG_UAF * DOC: cfgparse: Warn on option (tcp|http)log in backend * DOC: lua: new prototype for function "register_action()" * BUG/MEDIUM: ssl/sample: ssl_bc_* fetch keywords are broken. * BUG/MEDIUM: http: Switch the HTTP response in tunnel mode as earlier as possible * BUG/MINOR: ssl/threads: Make management of the TLS ticket keys files thread-safe * BUG/MINOR: init: Add missing brackets in the code parsing -sf/-st * BUG/MEDIUM: ssl: Shutdown the connection for reading on SSL_ERROR_SYSCALL * BUG/MEDIUM: ssl: Don't always treat SSL_ERROR_SYSCALL as unrecovarable. * BUG/MINOR: threads: fix missing thread lock labels for 1.8- if we lock down the permissions the home directory has to be owned by haproxy (bsc#1077716)- Avoid %__-type macro indirections. Remove redundant %clean section. Do not ignore errors from useradd.- Ensure haproxy home directory is not world readable (bsc#1077716)- Update to version 1.8.4 (bsc#1080069): * BUG/MINOR: config: don't emit a warning when global stats is incompletely configured * DOC: Mention -Ws in the list of available options * DOC: Describe routing impact of using interface keyword on bind lines * MINOR: init: emit warning when -sf/-sd cannot parse argument * BUG/MEDIUM: standard: Fix memory leak in str2ip2() * BUG/MINOR: time/threads: ensure the adjusted time is always correct * BUG/MEDIUM: spoe: Allow producer to read and to forward shutdown on request side * BUG/MEDIUM: spoe: Always try to receive or send the frame to detect shutdowns * BUG/MINOR: epoll/threads: only call epoll_ctl(DEL) on polled FDs * BUG/MINOR: threads: Update labels array because of changes in lock_label enum * BUG/MINOR: cli: use global.maxsock and not maxfd to list all FDs * CLEANUP: Fix typo in ARGT_MSK6 comment * BUG/MINOR: sample: Fix output type of c_ipv62ip * CLEANUP: sample: Fix outdated comment about sample casts functions * CLEANUP: sample: Fix comment encoding of sample.c * BUILD: kqueue/threads: Add test on MAX_THREADS to avoid warnings when complied without threads * BUILD: epoll/threads: Add test on MAX_THREADS to avoid warnings when complied without threads * MINOR: threads: Use __decl_hathreads instead of #ifdef/#endif * BUG/MINOR: kqueue/threads: Don't forget to close kqueue_fd[tid] on each thread * BUG/MEDIUM: checks: Don't try to release undefined conn_stream when a check is freed * BUG/MEDIUM: threads/server: Fix deadlock in srv_set_stopping/srv_set_admin_flag * BUG/MINOR: threads: always set an owner to the thread_sync pipe * MINOR: threads: Fix build when we're not compiling with threads. * BUG/MINOR: mworker: only write to pidfile if it exists * BUG/MEDIUM: threads/mworker: fix a race on startup * BUG/MEDIUM: kqueue/threads: use one kqueue_fd per thread * BUG/MEDIUM: epoll/threads: use one epoll_fd per thread * MINOR: fd: add a bitmask to indicate that an FD is known by the poller * BUG/MEDIUM: fd: maintain a per-thread update mask * BUG/MEDIUM: threads/polling: Use fd_cache_mask instead of fd_cache_num * MINOR: threads/fd: Use a bitfield to know if there are FDs for a thread in the FD cache * MINOR: global: add some global activity counters to help debugging * MINOR: threads: add a MAX_THREADS define instead of LONGBITS * MINOR: global/threads: move cpu_map at the end of the global struct * MINOR: servers: Don't report duplicate dyncookies for disabled servers. * BUG/MEDIUM: peers: fix expire date wasn't updated if entry is modified remotely. * BUG/MINOR: poll: too large size allocation for FD events * CONTRIB: debug: fix a few flags definitions * DOC: clarify the scope of ssl_fc_is_resumed * BUG/MEDIUM: stream: properly handle client aborts during redispatch * BUILD/MINOR: ancient gcc versions atomic fix * BUG/MEDIUM: mworker: execvp failure depending on argv[0] * MINOR: dns: Handle SRV record weight correctly. * BUG/MINOR: lua: Fix return value of Socket.settimeout * BUG/MEDIUM: lua: Fix IPv6 with separate port support for Socket.connect * DOC: lua: Fix typos in comments of hlua_socket_receive * BUG/MINOR: lua: Fix default value for pattern in Socket.receive * BUG/MEDIUM: ssl: cache doesn't release shctx blocks * BUG/MEDIUM: h2: properly handle the END_STREAM flag on empty DATA frames- Add dependency on apparmor-profiles (bsc#1079985)- Update to version 1.8.3: * [RELEASE] Released version 1.8.3 * MEDIUM: h2: prepare a graceful shutdown when the frontend is stopped * BUG/MAJOR: hpack: don't return direct references to the dynamic headers table * BUG/MEDIUM: http: don't automatically forward request close * MINOR: don't close stdio anymore * BUG/MEDIUM: mworker: don't close stdio several time * BUG/MEDIUM: h2: ensure we always know the stream before sending a reset * DOC/MINOR: configuration: typo, formatting fixes * BUG/MEDIUM: h2: improve handling of frames received on closed streams * BUG/MEDIUM: h2: properly handle and report some stream errors- Update to version 1.8.2: * [RELEASE] Released version 1.8.2 * BUG/MEDIUM: checks: properly set servers to stopping state on 404 * BUG/MAJOR: connection: refine the situations where we don't send shutw() * BUG/MEDIUM: cache: don't cache the response on no-cache="set-cookie" * BUG/MEDIUM: cache: respect the request cache-control header * BUG/MEDIUM: cache: replace old object on store * BUG/MEDIUM: cache: do not try to retrieve host-less requests from the cache * MINOR: http: add a function to check request's cache-control header field * BUG/MINOR: cache: do not force the TX_CACHEABLE flag before checking cacheability * BUG/MINOR: http: properly detect max-age=0 and s-maxage=0 in responses * BUG/MINOR: http: do not ignore cache-control: public * MINOR: http: start to compute the transaction's cacheability from the request * MINOR: http: update the list of cacheable status codes as per RFC7231 * MINOR: http: adjust the list of supposedly cacheable methods * BUG/MEDIUM: lua: fix crash when using bogus mode in register_service() * BUG/MEDIUM: checks: a server passed in maint state was not forced down. * MEDIUM: netscaler: add support for standard NetScaler CIP protocol * MEDIUM: netscaler: do not analyze original IP packet size * MINOR: netscaler: check in one-shot if buffer is large enough for IP and TCP header * BUG/MEDIUM: stream: don't consider abortonclose on muxes which close cleanly * MINOR: stream-int: set flag SI_FL_CLEAN_ABRT when mux supports clean aborts * MINOR: mux: add flags to describe a mux's capabilities * BUG/MINOR: h2: properly report a stream error on RST_STREAM * CONTRIB: halog: Fix compiler warnings in halog.c * CONTRIB: iprange: Fix compiler warning in iprange.c * BUG/MAJOR: netscaler: address truncated CIP header detection * BUG/MEDIUM: netscaler: use the appropriate IPv6 header size * MINOR: netscaler: rename cip_len to clarify its uage * MINOR: netscaler: remove the use of cip_magic only used once * MINOR: netscaler: respect syntax * DOC/MINOR: intro: typo, wording, formatting fixes * BUG/MEDIUM: mworker: Set FD_CLOEXEC flag on log fd * BUILD/MINOR: Makefile : enabling USE_CPU_AFFINITY * BUG: MINOR: http: don't check http-request capture id when len is provided * BUG: MAJOR: lb_map: server map calculation broken * BUG/MINOR: stream-int: don't try to receive again after receiving an EOS * BUG/MEDIUM: h2: fix stream limit enforcement * BUG/MEDIUM: http: don't disable lingering on requests with tunnelled responses * BUG/MEDIUM: h2: don't close after the first DATA frame on tunnelled responses * BUG/MEDIUM: h2: don't switch the state to HREM before end of DATA frame * MINOR: h2: don't demand that a DATA frame is complete before processing it * BUG/MEDIUM: h2: support uploading partial DATA frames * MINOR: h2: store the demux padding length in the h2c struct * BUG/MEDIUM: h2: debug incoming traffic in h2_wake() * BUG/MEDIUM: h2: work around a connection API limitation * BUG/MEDIUM: h2: enable recv polling whenever demuxing is possible * BUG/MEDIUM: h2: automatically set CS_FL_RCV_MORE when the output buffer is full * BUG/MEDIUM: stream-int: always set SI_FL_WAIT_ROOM on CS_FL_RCV_MORE * MINOR: conn_stream: add new flag CS_FL_RCV_MORE to indicate pending data * BUG/MEDIUM: lua/notification: memory leak * DOC: notifications: add precisions about thread usage * MINOR: systemd: remove comment about HAPROXY_STATS_SOCKET * BUG/MEDIUM: threads/vars: Fix deadlock in register_name * BUG/MEDIUM: email-alert: don't set server check status from a email-alert task * CONTRIB: halog: Add help text for -s switch in halog program * MINOR: mworker: Improve wording in `void mworker_wait()` * MINOR: mworker: Update messages referencing exit-on-failure * BUG/MEDIUM: h2: fix handling of end of stream again * BUG/MEDIUM: peers: set NOLINGER on the outgoing stream interface * BUG/MEDIUM: checks: a down server going to maint remains definitely stucked on down state. * BUG/MEDIUM: ssl engines: Fix async engines fds were not considered to fix fd limit automatically. * BUG/MEDIUM: mworker: also close peers sockets in the master * BUG/MINOR: ssl: support tune.ssl.cachesize 0 again * BUG/MAJOR: hpack: don't pretend large headers fit in empty table * BUG/MINOR: action: Don't check http capture rules when no id is defined- Update to version 1.8.1 (bsc#1069954): * BUG/MAJOR: h2: correctly check the request length when building an H1 request * BUG/MAJOR: thread: Be sure to request a sync between threads only once at a time * BUG/MAJOR: thread/peers: fix deadlock on peers sync. * BUG/MEDIUM: h2: do not accept upper case letters in request header names * BUG/MEDIUM: h2: remove connection-specific headers from request * BUG/MEDIUM: h2: enforce the per-connection stream limit * BUG/MEDIUM: checks: Be sure we have a mux if we created a cs. * BUG/MEDIUM: peers: fix some track counter rules dont register entries for sync. * BUG/MEDIUM: h2: don't report an error after parsing a 100-continue response * BUG/MEDIUM: threads/peers: decrement, not increment jobs on quitting * BUG/MEDIUM: stream: fix session leak on applet-initiated connections * BUG/MEDIUM: cache: bad computation of the remaining size * BUG/MEDIUM: ssl: don't allocate shctx several time * BUG/MEDIUM: tcp-check: Don't lock the server in tcpcheck_main * BUG/MEDIUM: kqueue: Don't bother closing the kqueue after fork. * BUG/MINOR: h2: use the H2_F_DATA_* macros for DATA frames * BUG/MINOR: h2: reject response pseudo-headers from requests * BUG/MINOR: h2: properly check PRIORITY frames * BUG/MINOR: h2: reject incorrect stream dependencies on HEADERS frame * BUG/MINOR: h2: do not accept SETTINGS_ENABLE_PUSH other than 0 or 1 * BUG/MINOR: h2: the TE header if present may only contain trailers * BUG/MINOR: h2: fix a typo causing PING/ACK to be responded to * BUG/MINOR: h2: ":path" must not be empty * BUG/MINOR: h2: try to abort closed streams as soon as possible * BUG/MINOR: h2: immediately close if receiving GOAWAY after the last stream * BUG/MINOR: hpack: dynamic table size updates are only allowed before headers * BUG/MINOR: hpack: reject invalid header index * BUG/MINOR: hpack: must reject huffman literals padded with more than 7 bits * BUG/MINOR: hpack: fix debugging output of pseudo header names * BUG/MINOR: mworker: detach from tty when in daemon mode * BUG/MINOR: mworker: fix validity check for the pipe FDs * BUG/MINOR: ssl: CO_FL_EARLY_DATA removal is managed by stream- License is now GPL-3.0+ and LGPL-2.1+- [apparmor]: allow haproxy to restart itself. needed for seamless restart. also reload the apparmor profile on update.- enable network namespaces on 42.3 - Enabled systemd notify mode: new BR: pkgconfig(libsystemd) This fixes problems with starting 1.8 on 42.3. - apply build option changes as adviced by upstream- Update to version 1.8.0 (bsc#1069954): https://www.mail-archive.com/haproxy@formilux.org/msg28004.html- Update to version 1.7.9: * BUG/MINOR: peers: peer synchronization issue (with several peers sections). * BUG/MINOR: lua: In error case, the safe mode is not removed * BUG/MINOR: lua: executes the function destroying the Lua session in safe mode * BUG/MAJOR: lua/socket: resources not detroyed when the socket is aborted * BUG/MEDIUM: lua: bad memory access * DOC: update the list of OpenSSL versions in the README * DOC: Updated 51Degrees git URL to point to a stable version. * BUG/MINOR: http: Set the response error state in http_sync_res_state * MINOR: http: Reorder/rewrite checks in http_resync_states * MINOR: http: Switch requests/responses in TUNNEL mode only by checking txn flags * BUG/MEDIUM: http: Switch HTTP responses in TUNNEL mode when body length is undefined * BUG/MAJOR: http: Fix possible infinity loop in http_sync_(req|res)_state * BUG/MINOR: lua: Fix Server.get_addr() port values * BUG/MINOR: lua: Correctly use INET6_ADDRSTRLEN in Server.get_addr() * BUG/MINOR: lua: always detach the tcp/http tasks before freeing them * BUG/MINOR: lua: Fix bitwise logic for hlua_server_check_* functions.- Update to version 1.7.8: * BUG/MINOR: stream: flag TASK_WOKEN_RES not set if task in runqueue * BUG/MAJOR: cli: fix custom io_release was crushed by NULL. * BUG/MAJOR: map: fix segfault during 'show map/acl' on cli. * BUG/MAJOR: compression: Be sure to release the compression state in all cases * DOC: fix references to the section about time format. * BUG/MEDIUM: map/acl: fix unwanted flags inheritance. * BUG/MINOR: stream: Don't forget to remove CF_WAKE_ONCE flag on response channel * BUG/MINOR: http: Don't reset the transaction if there are still data to send * BUG/MEDIUM: filters: Be sure to call flt_end_analyze for both channels * BUG/MINOR: http: properly handle all 1xx informational responses- Update to version 1.7.7: * BUG/MINOR: Wrong peer task expiration handling during synchronization processing. * BUG/MEDIUM: http: Drop the connection establishment when a redirect is performed * BUG/MEDIUM: cfgparse: Check if tune.http.maxhdr is in the range 1..32767 * DOC: fix references to the section about the unix socket * BUG/MINOR: log: pin the front connection when front ip/ports are logged- Update to version 1.7.6: * DOC: changed "block"(deprecated) examples to http-request deny * DOC: add few comments to examples. * DOC: update sample code for PROXY protocol * DOC: mention lighttpd 1.4.46 implements PROXY * DOC: stick-table is available in frontend sections * BUG/MINOR: dns: Wrong address family used when creating IPv6 sockets. * BUG/MINOR: config: missing goto out after parsing an incorrect ACL character * BUG/MINOR: arg: don't try to add an argument on failed memory allocation * BUG/MEDIUM: arg: ensure that we properly unlink unresolved arguments on error * BUG/MEDIUM: acl: don't free unresolved args in prune_acl_expr() * MINOR: lua: ensure the memory allocator is used all the time * CLEANUP: logs: typo: simgle => single * BUG/MEDIUM: acl: proprely release unused args in prune_acl_expr() * BUG/MAJOR: Use -fwrapv. * BUG/MINOR: server: don't use "proxy" when px is really meant. * BUG/MINOR: server: missing default server 'resolvers' setting duplication. * DOC: add layer 4 links/cross reference to "block" keyword. * DOC: errloc/errorloc302/errorloc303 missing status codes. * BUG/MEDIUM: lua: memory leak * MEDIUM: config: don't check config validity when there are fatal errors * BUG/MINOR: hash-balance-factor isn't effective in certain circumstances * MINOR/DOC: lua: just precise one thing * BUG/MINOR: http: Fix conditions to clean up a txn and to handle the next request * DOC: update RFC references * BUG/MINOR: checks: don't send proxy protocol with agent checks * BUG/MEDIUM: lua: segfault if a converter or a sample doesn't return anything * BUG/MAJOR: http: call manage_client_side_cookies() before erasing the buffer * BUG/MINOR: buffers: Fix bi/bo_contig_space to handle full buffers * BUG/MINOR: acls: Set the right refflag when patterns are loaded from a map * BUG/MINOR: http/filters: Be sure to wait if a filter loops in HTTP_MSG_ENDING * BUG/MEDIUM: peers: Peers CLOSE_WAIT issue. * BUG/MAJOR: server: Segfault after parsing server state file. * BUG/MEDIUM: unix: never unlink a unix socket from the file system- Update to version 1.7.5: * BUG/MEDIUM: peers: fix buffer overflow control in intdecode. * BUG/MEDIUM: buffers: Fix how input/output data are injected into buffers * BUG/MEDIUM: http: Fix blocked HTTP/1.0 responses when compression is enabled * BUG/MINOR: filters: Don't force the stream's wakeup when we wait in flt_end_analyze * MINOR: config parsing: add warning when log-format/tcplog/httplog is overriden in "defaults" sections- Update to version 1.7.4: * MINOR: config: warn when some HTTP rules are used in a TCP proxy * BUG/MINOR: spoe: Fix soft stop handler using a specific id for spoe filters * BUG/MINOR: spoe: Fix parsing of arguments in spoe-message section * BUG/MEDIUM: ssl: Clear OpenSSL error stack after trying to parse OCSP file * BUG/MEDIUM: cli: Prevent double free in CLI ACL lookup * BUG/MINOR: Fix "get map " CLI command * BUG/MAJOR: connection: update CO_FL_CONNECTED before calling the data layer * BUG/MEDIUM: ssl: switchctx should not return SSL_TLSEXT_ERR_ALERT_WARNING * BUG/MINOR: checks: attempt clean shutw for SSL check * BUG/MEDIUM: listener: do not try to rebind another process' socket * BUG/MEDIUM: filters: Fix channels synchronization in flt_end_analyze * BUG/MAJOR: stream-int: do not depend on connection flags to detect connection * BUG/MEDIUM: connection: ensure to always report the end of handshakes * BUG: payload: fix payload not retrieving arbitrary lengths * BUG/MAJOR: http: fix typo in http_apply_redirect_rule * BUG/MEDIUM: stream: fix client-fin/server-fin handling * MINOR: fd: add a new flag HAP_POLL_F_RDHUP to struct poller * BUG/MINOR: raw_sock: always perfom the last recv if RDHUP is not available * DOC/MINOR: Fix typos in proxy protocol doc * DOC: Protocol doc: add checksum, TLV type ranges * DOC: Protocol doc: add SSL TLVs, rename CHECKSUM * DOC: Protocol doc: add noop TLV * MEDIUM: global: add a 'hard-stop-after' option to cap the soft-stop time * BUG/MINOR: cfgparse: loop in tracked servers lists not detected by check_config_validity(). * MINOR: server: irrelevant error message with 'default-server' config file keyword. * MINOR: doc: fix use-server example (imap vs mail) * BUG/MEDIUM: tcp: don't require privileges to bind to device- Update to version 1.7.3: * BUG/MINOR: stream: Fix how backend-specific analyzers are set on a stream * BUG/MEDIUM: tcp: don't poll for write when connect() succeeds * BUG/MINOR: unix: fix connect's polling in case no data are scheduled * BUG/MINOR: lua: Map.end are not reliable because "end" is a reserved keyword * MINOR: dns: give ability to dns_init_resolvers() to close a socket when requested * BUG/MAJOR: dns: restart sockets after fork() * MINOR: chunks: implement a simple dynamic allocator for trash buffers * BUG/MEDIUM: http: prevent redirect from overwriting a buffer * BUG/MEDIUM: filters: Do not truncate HTTP response when body length is undefined * BUG/MEDIUM: http: Prevent replace-header from overwriting a buffer * BUG/MINOR: http: Return an error when a replace-header rule failed on the response * BUG/MINOR: sendmail: The return of vsnprintf is not cleanly tested * BUG/MAJOR: lua segmentation fault when the request is like 'GET ?arg=val HTTP/1.1' * BUG/MEDIUM: config: reject anything but "if" or "unless" after a use-backend rule * MINOR: http: don't close when redirect location doesn't start with "/"- Update to version 1.7.2 (bsc#1023141): * BUG/MEDIUM: lua: In some case, the return of sample-fetches is ignored (2) * BUG/MINOR: stream-int: automatically release SI_FL_WAIT_DATA on SHUTW_NOW * DOC: lua: documentation about time parser functions * DOC: lua: section declared twice * BUG/MINOR: lua/cli: bad error message * DOC: fix small typo in fe_id (backend instead of frontend) * BUG/MINOR: Fix the sending function in Lua's cosocket * BUG/MINOR: lua: memory leak executing tasks * BUG/MINOR: lua: bad return code * BUG/MEDIUM: ssl: properly reset the reused_sess during a forced handshake * BUG/MEDIUM: ssl: avoid double free when releasing bind_confs * BUG/MINOR: stats: fix be/sessions/current out in typed stats * BUG/MINOR: backend: nbsrv() should return 0 if backend is disabled * BUG/MEDIUM: ssl: for a handshake when server-side SNI changes * BUG/MINOR: systemd: potential zombie processes * DOC: Add timings events schemas * BUG/MINOR: option prefer-last-server must be ignored in some case * MINOR: stats: Support "select all" for backend actions * BUG/MINOR: sample-fetches/stick-tables: bad type for the sample fetches sc*_get_gpt0 * BUG/MAJOR: channel: Fix the definition order of channel analyzers * BUG/MINOR: http: report real parser state in error captures * BUG/MAJOR: http: fix risk of getting invalid reports of bad requests * MINOR: http: custom status reason. * MINOR: connection: add sample fetch "fc_rcvd_proxy" * BUG/MINOR: config: emit a warning if http-reuse is enabled with incompatible options * BUG/MINOR: tools: fix off-by-one in port size check * BUG/MEDIUM: server: consider AF_UNSPEC as a valid address family * MEDIUM: server: split the address and the port into two different fields * MINOR: tools: make str2sa_range() return the port in a separate argument * MINOR: server: take the destination port from the port field, not the addr * MEDIUM: server: disable protocol validations when the server doesn't resolve * BUG/MEDIUM: tools: do not force an unresolved address to AF_INET:0.0.0.0 * BUG/MINOR: ssl: EVP_PKEY must be freed after X509_get_pubkey usage * MINOR: proto_http.c 502 error txt typo. * DOC: add deprecation notice to "block" * BUG/MINOR: Reset errno variable before calling strtol(3)- Update to version 1.7.1: * BUG/MAJOR: stream: fix session abort on resource shortage * BUG/MINOR: cli: allow the backslash to be escaped on the CLI * BUG/MEDIUM: cli: fix "show stat resolvers" and "show tls-keys" * DOC: Fix map table's format * DOC: Added 51Degrees conv and fetch functions to documentation. * BUG/MINOR: http: don't send an extra CRLF after a Set-Cookie in a redirect * DOC: mention that req_tot is for both frontends and backends * BUG/MEDIUM: variables: some variable name can hide another ones * BUG/MINOR: stats: fix be/sessions/max output in html stats * MINOR: proxy: Add fe_name/be_name fetchers next to existing fe_id/be_id * DOC: lua: Documentation about some entry missing * MINOR: Do not forward the header "Expect: 100-continue" when the option http-buffer-request is set * DOC: Add undocumented argument of the trace filter * DOC: Fix some typo in SPOE documentation * BUG/MINOR: cli: be sure to always warn the cli applet when input buffer is full * MINOR: applet: Count number of (active) applets * MINOR: task: Rename run_queue and run_queue_cur counters * BUG/MEDIUM: stream: Save unprocessed events for a stream * BUG/MAJOR: Fix how the list of entities waiting for a buffer is handled * BUILD/MEDIUM: Fixing the build using LibreSSL * [RELEASE] Released version 1.7.1- Update to version 1.7.0: * BUG/MEDIUM: proxy: return "none" and "unknown" for unknown LB algos * BUG/MINOR: stats: make field_str() return an empty string on NULL * BUG/MEDIUM: http: Fix tunnel mode when the CONNECT method is used * BUG/MINOR: http: Keep the same behavior between 1.6 and 1.7 for tunneled txn * BUG/MINOR: filters: Protect args in macros HAS_DATA_FILTERS and IS_DATA_FILTER * BUG/MINOR: filters: Invert evaluation order of HTTP_XFER_BODY and XFER_DATA analyzers * BUG/MINOR: http: Call XFER_DATA analyzer when HTTP txn is switched in tunnel mode- Update to version 1.6.10: * BUG/MEDIUM: systemd-wrapper: return correct exit codes * BUG/MEDIUM: srv-state: properly restore the DRAIN state * BUG/MINOR: srv-state: allow to have both CMAINT and FDRAIN flags * BUG/MEDIUM: servers: properly propagate the maintenance states during startup * BUG: vars: Fix 'set-var' converter because of a typo * BUG/MEDIUM: channel: bad unlikely macro * CLEANUP: lua: move comment * CLEANUP: lua: control executed twice * CLEANUP: ssl: Fix bind keywords name in comments * DOC: ssl: Use correct wording for ca-sign-pass * BUG/MINOR: stick-table: handle out-of-memory condition gracefully * BUG/MEDIUM: connection: check the control layer before stopping polling * BUG/MEDIUM: stick-table: fix regression caused by recent fix for out-of-memory * CONTRIB: initiate a debugging suite to make debugging easier * BUG/MINOR: cli: properly decrement ref count on tables during failed dumps * BUG/MEDIUM: lua: In some case, the return of sample-fetche is ignored- Update to version 1.6.9+git.1477940904.ab45181 (fate#321723) * BUILD: poll: remove unused hap_fd_isset() which causes a warning with clang * MINOR: cfgparse: few memory leaks fixes. * MINOR: build: Allow linking to device-atlas library file * DOC: Fix typo in description of `-st` parameter in man page * BUG/MEDIUM: peers: on shutdown, wake up the appctx, not the stream * BUG/MEDIUM: peers: fix use after free in peer_session_create() * BUG/MEDIUM: systemd: let the wrapper know that haproxy has completed or failed * MINOR: systemd: report it when execve() fails * BUG/MINOR: systemd: check return value of calloc() * BUG/MINOR: systemd: always restore signals before execve() * BUG/MINOR: systemd: make the wrapper return a non-null status code on error * BUG/MINOR: ssl: prevent multiple entries for the same certificate * BUG/MINOR: ssl: Check malloc return code * BUG/MINOR: vars: smp_fetch_var() doesn't depend on HTTP but on the session * BUG/MINOR: vars: make smp_fetch_var() more robust against misuses * BUG/MINOR: vars: use sess and not s->sess in action_store() * MEDIUM: make SO_REUSEPORT configurable * MINOR: Add fe_req_rate sample fetch * MINOR: show Running on zlib version * MINOR: show Built with PCRE version * BUG/MINOR: displayed PCRE version is running release- Update to 1.6.9 (bsc#1003264) - MINOR: cli: allow the semi-colon to be escaped on the CLI - BUG/MINOR: payload: fix SSLv2 version parser - BUG/MAJOR: stream: properly mark the server address as unset on connect retry - DOC: Updated 51Degrees readme. - BUG/MAJOR: stick-counters: possible crash when using sc_trackers with wrong table - BUG/MINOR: peers: empty chunks after a resync. - BUG/MINOR: peers: some updates are pushed twice after a resync. - MINOR: sample: use smp_make_rw() in upper/lower converters - BUG/MEDIUM: stick-table: properly convert binary samples to keys - BUG/MEDIUM: stick-tables: do not fail on string keys with no allocated size - BUG/MAJOR: server: the "sni" directive could randomly cause trouble - MINOR: sample: provide smp_is_rw() and smp_make_rw() - MINOR: sample: implement smp_is_safe() and smp_make_safe() - BUG/MEDIUM: samples: make smp_dup() always duplicate the sample - BUG/MAJOR: compression: initialize avail_in/next_in even during flush - BUILD: make proto_tcp.c compatible with musl library - DOC: minor typo fixes to improve HTML parsing by haproxy-dconv - BUG/MEDIUM: stream-int: completely detach connection on connect error - BUG/MEDIUM: lua: somme HTTP manipulation functions are called without valid requests - DOC: lua: remove old functions - BUG/MINOR: peers: Fix peers data decoding issue - BUG/MEDIUM: lua: the function txn_done() from action wrapper can crash - BUG/MEDIUM: lua: the function txn_done() from sample fetches can crash- update to 1.6.7 - MINOR: new function my_realloc2 = realloc + free upon failure - CLEANUP: fixed some usages of realloc leading to memory leak - Revert "BUG/MINOR: ssl: fix potential memory leak in ssl_sock_load_dh_params()" - BUG/MEDIUM: dns: fix alignment issues in the DNS response parser - BUG/MINOR: Fix endiness issue in DNS header creation code - changes from 1.6.6 - BUG/MAJOR: fix listening IP address storage for frontends - BUG/MINOR: fix listening IP address storage for frontends (cont) - DOC: Fix typo so fetch is properly parsed by Cyril's converter - BUG/MAJOR: http: fix breakage of "reqdeny" causing random crashes - BUG/MEDIUM: stick-tables: fix breakage in table converters - BUG/MEDIUM: dns: unbreak DNS resolver after header fix - BUILD: fix build on Solaris 11 - CLEANUP: connection: fix double negation on memcmp() - BUG/MEDIUM: stats: show servers state may show an servers from another backend - BUG/MEDIUM: fix risk of segfault with "show tls-keys" - BUG/MEDIUM: sticktables: segfault in some configuration error cases - BUG/MEDIUM: lua: converters doesn't work - BUG/MINOR: http: add-header: header name copied twice - BUG/MEDIUM: http: add-header: buffer overwritten - BUG/MINOR: ssl: fix potential memory leak in ssl_sock_load_dh_params() - BUG/MINOR: http: url32+src should use the big endian version of url32 - BUG/MINOR: http: url32+src should check cli_conn before using it - DOC: http: add documentation for url32 and url32+src - BUG/MINOR: fix http-response set-log-level parsing error - MINOR: systemd: Use variable for config and pidfile paths - MINOR: systemd: Perform sanity check on config before reload (cherry picked from commit 68535bddf305fdd22f1449a039939b57245212e7) - BUG/MINOR: init: always ensure that global.rlimit_nofile matches actual limits - BUG/MINOR: init: ensure that FD limit is raised to the max allowed - BUG/MEDIUM: external-checks: close all FDs right after the fork() - BUG/MAJOR: external-checks: use asynchronous signal delivery - BUG/MINOR: external-checks: do not unblock undesired signals - BUILD/MEDIUM: rebuild everything when an include file is changed - BUILD/MEDIUM: force a full rebuild if some build options change - BUG/MINOR: srv-state: fix incorrect output of state file - BUG/MINOR: ssl: close ssl key file on error - BUG/MINOR: http: fix misleading error message for response captures - BUG/BUILD: don't automatically run "make" on "make install" - DOC: add missing doc for http-request deny [deny_status ] - drop patches which were pulled from git before 0001-BUG-MAJOR-fix-listening-IP-address-storage-for-front.patch 0002-BUG-MINOR-fix-listening-IP-address-storage-for-front.patch 0003-DOC-Fix-typo-so-fetch-is-properly-parsed-by-Cyril-s-.patch 0004-BUG-MAJOR-http-fix-breakage-of-reqdeny-causing-rando.patch 0005-BUG-MEDIUM-stick-tables-fix-breakage-in-table-conver.patch 0006-BUG-MEDIUM-dns-unbreak-DNS-resolver-after-header-fix.patch 0007-BUILD-fix-build-on-Solaris-11.patch 0008-CLEANUP-connection-fix-double-negation-on-memcmp.patch 0009-BUG-MEDIUM-stats-show-servers-state-may-show-an-serv.patch 0010-BUG-MEDIUM-fix-risk-of-segfault-with-show-tls-keys.patch 0011-BUG-MEDIUM-sticktables-segfault-in-some-configuratio.patch 0012-BUG-MEDIUM-lua-converters-doesn-t-work.patch 0013-BUG-MINOR-http-add-header-header-name-copied-twice.patch 0014-BUG-MEDIUM-http-add-header-buffer-overwritten.patch- pull patches from git to fix some important issues (bsc#983972) (bsc#983974): 0001-BUG-MAJOR-fix-listening-IP-address-storage-for-front.patch 0002-BUG-MINOR-fix-listening-IP-address-storage-for-front.patch 0003-DOC-Fix-typo-so-fetch-is-properly-parsed-by-Cyril-s-.patch 0004-BUG-MAJOR-http-fix-breakage-of-reqdeny-causing-rando.patch 0005-BUG-MEDIUM-stick-tables-fix-breakage-in-table-conver.patch 0006-BUG-MEDIUM-dns-unbreak-DNS-resolver-after-header-fix.patch 0007-BUILD-fix-build-on-Solaris-11.patch 0008-CLEANUP-connection-fix-double-negation-on-memcmp.patch 0009-BUG-MEDIUM-stats-show-servers-state-may-show-an-serv.patch 0010-BUG-MEDIUM-fix-risk-of-segfault-with-show-tls-keys.patch 0011-BUG-MEDIUM-sticktables-segfault-in-some-configuratio.patch 0012-BUG-MEDIUM-lua-converters-doesn-t-work.patch 0013-BUG-MINOR-http-add-header-header-name-copied-twice.patch 0014-BUG-MEDIUM-http-add-header-buffer-overwritten.patch- update to 1.6.5 - BUG/MINOR: log: Don't use strftime() which can clobber timezone if chrooted - BUILD: namespaces: fix a potential build warning in namespaces.c - DOC: add encoding to json converter example - BUG/MINOR: conf: "listener id" expects integer, but its not checked - DOC: Clarify tunes.vars.xxx-max-size settings - BUG/MEDIUM: peers: fix incorrect age in frequency counters - BUG/MEDIUM: Fix RFC5077 resumption when more than TLS_TICKETS_NO are present - BUG/MAJOR: Fix crash in http_get_fhdr with exactly MAX_HDR_HISTORY headers - BUG/MINOR: lua: can't load external libraries - DOC: "addr" parameter applies to both health and agent checks - DOC: timeout client: pointers to timeout http-request - DOC: typo on stick-store response - DOC: stick-table: amend paragraph blaming the loss of table upon reload - DOC: typo: ACL subdir match - DOC: typo: maxconn paragraph is wrong due to a wrong buffer size - DOC: regsub: parser limitation about the inability to use closing square brackets - DOC: typo: req.uri is now replaced by capture.req.uri - DOC: name set-gpt0 mismatch with the expected keyword - BUG/MEDIUM: stick-tables: some sample-fetch doesn't work in the connection state. - DOC: fix "needed" typo - BUG/MINOR: dns: inapropriate way out after a resolution timeout - BUG/MINOR: dns: trigger a DNS query type change on resolution timeout - BUG/MINOR : allow to log cookie for tarpit and denied request - OPTIM/MINOR: session: abort if possible before connecting to the backend - BUG/MEDIUM: trace.c: rdtsc() is defined in two files - BUG/MEDIUM: channel: fix miscalculation of available buffer space (2nd try) - BUG/MINOR: cfgparse: couple of small memory leaks. - BUG/MEDIUM: sample: initialize the pointer before parse_binary call. - DOC: fix discrepancy in the example for http-request redirect - DOC: Clarify IPv4 address / mask notation rules - CLEANUP: fix inconsistency between fd->iocb, proto->accept and accept() - BUG/MEDIUM: fix maxaccept computation on per-process listeners - BUG/MINOR: listener: stop unbound listeners on startup - BUG/MINOR: fix maxaccept computation according to the frontend process range - MEDIUM: unblock signals on startup. - BUG/MEDIUM: channel: don't allow to overwrite the reserve until connected - BUG/MEDIUM: channel: incorrect polling condition may delay event delivery - BUG/MEDIUM: channel: fix miscalculation of available buffer space (3rd try) - BUG/MEDIUM: log: fix risk of segfault when logging HTTP fields in TCP mode - BUG/MEDIUM: lua: protects the upper boundary of the argument list for converters/fetches. - BUG/MINOR: log: fix a typo that would cause %HP to log - MINOR: channel: add new function channel_congested() - BUG/MEDIUM: http: fix risk of CPU spikes with pipelined requests from dead client - BUG/MAJOR: channel: fix miscalculation of available buffer space (4th try) - BUG/MEDIUM: stream: ensure the SI_FL_DONT_WAKE flag is properly cleared - BUG/MEDIUM: channel: fix inconsistent handling of 4GB-1 transfers - BUG/MEDIUM: stats: show servers state may show an empty or incomplete result - BUG/MEDIUM: stats: show backend may show an empty or incomplete result - MINOR: stats: fix typo in help messages - MINOR: stats: show stat resolvers missing in the help message - BUG/MINOR: dns: fix DNS header definition - BUG/MEDIUM: dns: fix alignment issue when building DNS queries - CLEANUP/MINOR: stats: fix accidental addition of member "env" in the applet ctx - refreshed patches to apply cleanly again - haproxy-1.6.0-makefile_lib.patch - haproxy-1.6.0-sec-options.patch- update to 1.6.4 (fate#320607) (bsc#937202) - BUG/MINOR: http: fix several off-by-one errors in the url_param parser - BUG/MINOR: http: Be sure to process all the data received from a server - BUG/MINOR: chunk: make chunk_dup() always check and set dst->size - MINOR: chunks: ensure that chunk_strcpy() adds a trailing zero - MINOR: chunks: add chunk_strcat() and chunk_newstr() - MINOR: chunk: make chunk_initstr() take a const string - MINOR: lru: new function to delete least recently used keys - DOC: add Ben Shillito as the maintainer of 51d - BUG/MINOR: 51d: Ensures a unique domain for each configuration - BUG/MINOR: 51d: Aligns Pattern cache implementation with HAProxy best practices. - BUG/MINOR: 51d: Releases workset back to pool. - BUG/MINOR: 51d: Aligned const pointers to changes in 51Degrees. - CLEANUP: 51d: Aligned if statements with HAProxy best practices and removed casts from malloc. - DOC: fix a few spelling mistakes (cherry picked from commit cc123c66c2075add8524a6a9925382927daa6ab0) - DOC: fix "workaround" spelling - BUG/MINOR: examples: Fixing haproxy.spec to remove references to .cfg files - MINOR: fix the return type for dns_response_get_query_id() function - MINOR: server state: missing LF (\n) on error message printed when parsing server state file - BUG/MEDIUM: dns: no DNS resolution happens if no ports provided to the nameserver - BUG/MAJOR: servers state: server port is erased when dns resolution is enabled on a server - BUG/MEDIUM: servers state: server port is used uninitialized - BUG/MEDIUM: config: Adding validation to stick-table expire value. - BUG/MEDIUM: sample: http_date() doesn't provide the right day of the week - BUG/MEDIUM: channel: fix miscalculation of available buffer space. - MEDIUM: pools: add a new flag to avoid rounding pool size up - BUG/MEDIUM: buffers: do not round up buffer size during allocation - BUG/MINOR: stream: don't force retries if the server is DOWN - BUG/MINOR: counters: make the sc-inc-gpc0 and sc-set-gpt0 touch the table - MINOR: unix: don't mention free ports on EAGAIN - BUG/CLEANUP: CLI: report the proper field states in "show sess" - MINOR: stats: send content-length with the redirect to allow keep-alive - BUG: stream_interface: Reuse connection even if the output channel is empty - DOC: remove old tunnel mode assumptions - BUG/MAJOR: http-reuse: fix risk of orphaned connections - BUG/MEDIUM: http-reuse: do not share private connections across backends - BUG/MINOR: ssl: Be sure to use unique serial for regenerated certificates - BUG/MINOR: stats: fix missing comma in stats on agent drain - BUG/MINOR: lua: unsafe initialization - DOC: lua: fix somme errors - DOC: add server name at rate-limit sessions example - BUG/MEDIUM: ssl: fix off-by-one in ALPN list allocation - BUG/MEDIUM: ssl: fix off-by-one in NPN list allocation - DOC: LUA: fix some typos and syntax errors - MINOR: cfgparse: warn for incorrect 'timeout retry' keyword spelling in resolvers - MINOR: mailers: increase default timeout to 10 seconds - MINOR: mailers: use for all line endings - BUG/MAJOR: lua: applets can't sleep. - BUG/MINOR: server: some prototypes are renamed - BUG/MINOR: lua: Useless copy - BUG/MEDIUM: stats: stats bind-process doesn't propagate the process mask correctly - BUG/MINOR: server: fix the format of the warning on address change - BUG/MEDIUM: chunks: always reject negative-length chunks - BUG/MINOR: systemd: ensure we don't miss signals - BUG/MINOR: systemd: report the correct signal in debug message output - BUG/MINOR: systemd: propagate the correct signal to haproxy - MINOR: systemd: ensure a reload doesn't mask a stop - BUG/MEDIUM: cfgparse: wrong argument offset after parsing server "sni" keyword - CLEANUP: stats: Avoid computation with uninitialized bits. - CLEANUP: pattern: Ignore unknown samples in pat_match_ip(). - CLEANUP: map: Avoid memory leak in out-of-memory condition. - BUG/MINOR: tcpcheck: fix incorrect list usage resulting in failure to load certain configs - BUG/MAJOR: samples: check smp->strm before using it - MINOR: sample: add a new helper to initialize the owner of a sample - MINOR: sample: always set a new sample's owner before evaluating it - BUG/MAJOR: vars: always retrieve the stream and session from the sample - CLEANUP: payload: remove useless and confusing nullity checks for channel buffer - BUG/MINOR: ssl: fix usage of the various sample fetch functions - MINOR: cfgparse: warn when uid parameter is not a number - MINOR: cfgparse: warn when gid parameter is not a number - BUG/MINOR: standard: Avoid free of non-allocated pointer - BUG/MINOR: pattern: Avoid memory leak on out-of-memory condition - CLEANUP: http: fix a build warning introduced by a recent fix - BUG/MINOR: log: GMT offset not updated when entering/leaving DST- update to 1.6.3 (fate#320607) - BUG/MEDIUM: lua: clean output buffer - BUG/MEDIUM: http: switch the request channel to no-delay once done. - BUG/MEDIUM: http: don't enable auto-close on the response side - BUG/MEDIUM: stream: fix half-closed timeout handling - BUG/MEDIUM: cli: changing compression rate-limiting must require admin level - BUG/MEDIUM: sample: urlp can't match an empty value - BUG/MEDIUM: da: stop DeviceAtlas processing in the convertor if there is no input. - BUG/MEDIUM: checks: email-alert not working when declared in defaults - BUG/MEDIUM: http: fix http-reuse when frontend and backend differ - BUG/MEDIUM: config: properly adjust maxconn with nbproc when memmax is forced - BUG/MEDIUM: peers: table entries learned from a remote are pushed to others after a random delay. - BUG/MEDIUM: peers: old stick table updates could be repushed - BUG/MEDIUM: lua: Lua applets must not fetch samples using http_txn - BUG/MEDIUM: lua: Forbid HTTP applets from being called from tcp rulesets - BUG/MAJOR: lua: Do not force the HTTP analysers in use-services for all the details see /usr/share/doc/packages/haproxy/CHANGELOG or http://www.haproxy.org/download/1.6/src/CHANGELOG- on sle11 we still need to own /etc/apparmor.d/local- instead of owning the apparmor directories, BR apparmor-profiles.- fix link to tarball- update to 1.6.2 - BUILD: ssl: fix build error introduced in commit 7969a3 with OpenSSL < 1.0.0 - DOC: fix a typo for a "deviceatlas" keyword - FIX: small typo in an example using the "Referer" header - BUG/MEDIUM: config: count memory limits on 64 bits, not 32 - BUG/MAJOR: dns: first DNS response packet not matching queried hostname may lead to a loop - BUG/MINOR: dns: unable to parse CNAMEs response - BUG/MINOR: examples/haproxy.init: missing brace in quiet_check() - DOC: deviceatlas: more example use cases. - BUG/BUILD: replace haproxy-systemd-wrapper with $(EXTRA) in install-bin. - BUG/MAJOR: http: don't requeue an idle connection that is already queued - DOC: typo on capture.res.hdr and capture.req.hdr - BUG/MINOR: dns: check for duplicate nameserver id in a resolvers section was missing - CLEANUP: use direction names in place of numeric values - BUG/MEDIUM: lua: sample fetches based on response doesn't work - drop haproxy-1.6.0-ssl-098.patch: included upstream- update to 1.6.1 - DOC: specify that stats socket doc (section 9.2) is in management - BUILD: install only relevant and existing documentation - CLEANUP: don't ignore debian/ directory if present - BUG/MINOR: dns: parsing error of some DNS response - BUG/MEDIUM: namespaces: don't fail if no namespace is used - BUG/MAJOR: ssl: free the generated SSL_CTX if the LRU cache is disabled - MEDIUM: dns: Don't use the ANY query type - drop haproxy-1.6.0-ssl.crash.patch included in update- add haproxy-1.6.0-ssl-098.patch: fix building on openssl 0.9.8- added haproxy-1.6.0-ssl.crash.patch: fix SNI related crash- only use network namespace support on distros newer than 13.2- update to 1.6.0 The most user-visible changes, we can cite the simpler handling of multiple configuration files, the support for quotes and environment variables in the configuration, a significant reduction of the memory usage thanks to a new dynamic buffer allocator, notifications over e-mail, server state keeping across reloads, dynamic DNS-based server address resolution, new scripting capabilities thanks to the embedded Lua interpreter, use of variables in the configuration to manipulate samples, request body buffering and analysis, support for two third-party device identification products (DeviceAtlas and 51Degrees), a lot of new sample converters including arithmetic operators and table lookups, TLS ticket secret sharing between nodes, TLS SNI to the server, full tables replication between peers, ability to instruct the kernel to quickly kill dead connections, support for Linux namespaces, and a number of other less visible goodies. The performance has also been improved a lot with support for server connection multiplexing, much faster and cheaper HTTP compression via libslz, and the addition of a pattern cache to speed up certain expensive ACLs. The great flexibility offered by this version will allow many users to significantly simplify their configurations. Some users will notice a huge performance boost after they enable the features designed for them. for all the details see /usr/share/doc/packages/haproxy/CHANGELOG - drop patches we pulled from upstream git: 0001-BUG-MINOR-log-missing-some-ARGC_-entries-in-fmt_dire.patch 0002-DOC-usesrc-root-privileges-requirements.patch 0003-BUILD-ssl-Allow-building-against-libssl-without-SSLv.patch 0004-DOC-MINOR-fix-OpenBSD-versions-where-haproxy-works.patch 0005-BUG-MINOR-http-sample-gmtime-localtime-can-fail.patch 0006-DOC-typo-in-redirect-302-code-meaning.patch 0007-DOC-mention-that-ms-is-left-padded-with-zeroes.patch 0008-CLEANUP-.gitignore-ignore-more-test-files.patch 0009-CLEANUP-.gitignore-finally-ignore-everything-but-wha.patch 0010-MEDIUM-config-emit-a-warning-on-a-frontend-without-l.patch 0011-BUG-MEDIUM-counters-ensure-that-src_-inc-clr-_gpc0-c.patch 0012-DOC-ssl-missing-LF.patch 0013-DOC-fix-example-of-http-request-using-ssl_fc_session.patch 0014-BUG-MINOR-http-remove-stupid-HTTP_METH_NONE-entry.patch 0015-BUG-MAJOR-http-don-t-call-http_send_name_header-afte.patch - refresh/redo patches to apply cleanly again: old: haproxy-1.2.16_config_haproxy_user.patch new: haproxy-1.6.0_config_haproxy_user.patch old: haproxy-makefile_lib.patch new: haproxy-1.6.0-makefile_lib.patch old: sec-options.patch new: haproxy-1.6.0-sec-options.patch - added new haproxy.cfg to have a minimal config we can actually launch! - drop patch haproxy-1.5.8-fix-bashisms.patch: patched files no longer exist - drop haproxy.vim: we will use the copy which ships with the upstream tarball now.- fix haproxy status checks (bsc#947204)- Backport patches from upstream: - BUG/MINOR: http: remove stupid HTTP_METH_NONE entry - BUG/MAJOR: http: don't call http_send_name_header() after an error - Add 0014-BUG-MINOR-http-remove-stupid-HTTP_METH_NONE-entry.patch - Add 0015-BUG-MAJOR-http-don-t-call-http_send_name_header-afte.patch- Backport patches from upstream: - BUG/MINOR: log: missing some ARGC_* entries in fmt_directives() - DOC: usesrc root privileges requirements - BUILD: ssl: Allow building against libssl without SSLv3. - DOC/MINOR: fix OpenBSD versions where haproxy works - BUG/MINOR: http/sample: gmtime/localtime can fail - DOC: typo in 'redirect', 302 code meaning - DOC: mention that %ms is left-padded with zeroes. - CLEANUP: .gitignore: ignore more test files - CLEANUP: .gitignore: finally ignore everything but what is known. - MEDIUM: config: emit a warning on a frontend without listener - BUG/MEDIUM: counters: ensure that src_{inc,clr}_gpc0 creates a missing entry - DOC: ssl: missing LF - DOC: fix example of http-request using ssl_fc_session_id - Add 0001-BUG-MINOR-log-missing-some-ARGC_-entries-in-fmt_dire.patch - Add 0002-DOC-usesrc-root-privileges-requirements.patch - Add 0003-BUILD-ssl-Allow-building-against-libssl-without-SSLv.patch - Add 0004-DOC-MINOR-fix-OpenBSD-versions-where-haproxy-works.patch - Add 0005-BUG-MINOR-http-sample-gmtime-localtime-can-fail.patch - Add 0006-DOC-typo-in-redirect-302-code-meaning.patch - Add 0007-DOC-mention-that-ms-is-left-padded-with-zeroes.patch - Add 0008-CLEANUP-.gitignore-ignore-more-test-files.patch - Add 0009-CLEANUP-.gitignore-finally-ignore-everything-but-wha.patch - Add 0010-MEDIUM-config-emit-a-warning-on-a-frontend-without-l.patch - Add 0011-BUG-MEDIUM-counters-ensure-that-src_-inc-clr-_gpc0-c.patch - Add 0012-DOC-ssl-missing-LF.patch - Add 0013-DOC-fix-example-of-http-request-using-ssl_fc_session.patch- Update to 1.5.14 (CVE-2015-3281) (bsc#937042) + BUILD/MINOR: tools: rename popcount to my_popcountl + BUG/MAJOR: buffers: make the buffer_slow_realign() function respect output data- Update to 1.5.13 - Dropped all patches backported from git, no further changes than those patches provided. - Removed patches: + Remove 0001-BUG-MEDIUM-stats-properly-initialize-the-scope-befor.patch + Remove 0002-BUG-MEDIUM-http-don-t-forward-client-shutdown-withou.patch + Remove 0003-BUG-MINOR-check-fix-tcpcheck-error-message.patch + Remove 0004-CLEANUP-checks-fix-double-usage-of-cur-current_step-.patch + Remove 0005-BUG-MEDIUM-checks-do-not-dereference-head-of-a-tcp-c.patch + Remove 0006-CLEANUP-checks-simplify-the-loop-processing-of-tcp-c.patch + Remove 0007-BUG-MAJOR-checks-always-check-for-end-of-list-before.patch + Remove 0008-BUG-MEDIUM-checks-do-not-dereference-a-list-as-a-tcp.patch + Remove 0009-BUG-MEDIUM-peers-apply-a-random-reconnection-timeout.patch + Remove 0010-DOC-Update-doc-about-weight-act-and-bck-fields-in-th.patch + Remove 0011-MINOR-ssl-add-a-destructor-to-free-allocated-SSL-res.patch + Remove 0012-BUG-MEDIUM-ssl-fix-tune.ssl.default-dh-param-value-b.patch + Remove 0013-BUG-MINOR-cfgparse-fix-typo-in-option-httplog-error-.patch + Remove 0014-BUG-MEDIUM-cfgparse-segfault-when-userlist-is-misuse.patch + Remove 0015-MEDIUM-ssl-replace-standards-DH-groups-with-custom-o.patch + Remove 0016-BUG-MINOR-debug-display-null-in-place-of-meth.patch + Remove 0017-CLEANUP-deinit-remove-codes-for-cleaning-p-block_rul.patch + Remove 0018-BUG-MINOR-ssl-fix-smp_fetch_ssl_fc_session_id.patch + Remove 0019-MEDIUM-init-don-t-stop-proxies-in-parent-process-whe.patch + Remove 0020-MINOR-peers-store-the-pointer-to-the-signal-handler.patch + Remove 0021-MEDIUM-peers-unregister-peers-that-were-never-starte.patch + Remove 0022-MEDIUM-config-propagate-the-table-s-process-list-to-.patch + Remove 0023-MEDIUM-init-stop-any-peers-section-not-bound-to-the-.patch + Remove 0024-MEDIUM-config-validate-that-peers-sections-are-bound.patch + Remove 0025-MAJOR-peers-allow-peers-section-to-be-used-with-nbpr.patch + Remove 0026-DOC-relax-the-peers-restriction-to-single-process.patch + Remove 0027-CLEANUP-config-fix-misleading-information-in-error-m.patch + Remove 0028-MINOR-config-report-the-number-of-processes-using-a-.patch + Remove 0029-BUG-MEDIUM-config-properly-compute-the-default-numbe.patch- Backport upstream patches: + DOC: Update doc about weight, act and bck fields in the statistics + MINOR: ssl: add a destructor to free allocated SSL ressources + BUG/MEDIUM: ssl: fix tune.ssl.default-dh-param value being overwritten + BUG/MINOR: cfgparse: fix typo in 'option httplog' error message + BUG/MEDIUM: cfgparse: segfault when userlist is misused + MEDIUM: ssl: replace standards DH groups with custom ones + BUG/MINOR: debug: display (null) in place of "meth" + CLEANUP: deinit: remove codes for cleaning p->block_rules + BUG/MINOR: ssl: fix smp_fetch_ssl_fc_session_id + MEDIUM: init: don't stop proxies in parent process when exiting + MINOR: peers: store the pointer to the signal handler + MEDIUM: peers: unregister peers that were never started + MEDIUM: config: propagate the table's process list to the peers sections + MEDIUM: init: stop any peers section not bound to the correct process + MEDIUM: config: validate that peers sections are bound to exactly one process + MAJOR: peers: allow peers section to be used with nbproc > 1 + DOC: relax the peers restriction to single-process + CLEANUP: config: fix misleading information in error message. + MINOR: config: report the number of processes using a peers section in the error case + BUG/MEDIUM: config: properly compute the default number of processes for a proxy - Added patches: + Add 0010-DOC-Update-doc-about-weight-act-and-bck-fields-in-th.patch + Add 0011-MINOR-ssl-add-a-destructor-to-free-allocated-SSL-res.patch + Add 0012-BUG-MEDIUM-ssl-fix-tune.ssl.default-dh-param-value-b.patch + Add 0013-BUG-MINOR-cfgparse-fix-typo-in-option-httplog-error-.patch + Add 0014-BUG-MEDIUM-cfgparse-segfault-when-userlist-is-misuse.patch + Add 0015-MEDIUM-ssl-replace-standards-DH-groups-with-custom-o.patch + Add 0016-BUG-MINOR-debug-display-null-in-place-of-meth.patch + Add 0017-CLEANUP-deinit-remove-codes-for-cleaning-p-block_rul.patch + Add 0018-BUG-MINOR-ssl-fix-smp_fetch_ssl_fc_session_id.patch + Add 0019-MEDIUM-init-don-t-stop-proxies-in-parent-process-whe.patch + Add 0020-MINOR-peers-store-the-pointer-to-the-signal-handler.patch + Add 0021-MEDIUM-peers-unregister-peers-that-were-never-starte.patch + Add 0022-MEDIUM-config-propagate-the-table-s-process-list-to-.patch + Add 0023-MEDIUM-init-stop-any-peers-section-not-bound-to-the-.patch + Add 0024-MEDIUM-config-validate-that-peers-sections-are-bound.patch + Add 0025-MAJOR-peers-allow-peers-section-to-be-used-with-nbpr.patch + Add 0026-DOC-relax-the-peers-restriction-to-single-process.patch + Add 0027-CLEANUP-config-fix-misleading-information-in-error-m.patch + Add 0028-MINOR-config-report-the-number-of-processes-using-a-.patch + Add 0029-BUG-MEDIUM-config-properly-compute-the-default-numbe.patch- BUG/MINOR: check: fix tcpcheck error message - CLEANUP: checks: fix double usage of cur / current_step in tcp-checks - BUG/MEDIUM: checks: do not dereference head of a tcp-check at the end - CLEANUP: checks: simplify the loop processing of tcp-checks - BUG/MAJOR: checks: always check for end of list before proceeding - BUG/MEDIUM: checks: do not dereference a list as a tcpcheck struct - BUG/MEDIUM: peers: apply a random reconnection timeout - Add 0003-BUG-MINOR-check-fix-tcpcheck-error-message.patch - Add 0004-CLEANUP-checks-fix-double-usage-of-cur-current_step-.patch - Add 0005-BUG-MEDIUM-checks-do-not-dereference-head-of-a-tcp-c.patch - Add 0006-CLEANUP-checks-simplify-the-loop-processing-of-tcp-c.patch - Add 0007-BUG-MAJOR-checks-always-check-for-end-of-list-before.patch - Add 0008-BUG-MEDIUM-checks-do-not-dereference-a-list-as-a-tcp.patch - Add 0009-BUG-MEDIUM-peers-apply-a-random-reconnection-timeout.patch- added 0002-BUG-MEDIUM-http-don-t-forward-client-shutdown-withou.patch BUG/MEDIUM: http: don't forward client shutdown without NOLINGER except for tunnels- added first patch from the 1.5 branch after the update: 0001-BUG-MEDIUM-stats-properly-initialize-the-scope-befor.patch- update to 1.5.12 - BUG/MINOR: ssl: Display correct filename in error message - DOC: Fix L4TOUT typo in documentation - BUG/MEDIUM: Do not consider an agent check as failed on L7 error - BUG/MINOR: pattern: error message missing - BUG/MEDIUM: pattern: some entries are not deleted with case insensitive match - BUG/MEDIUM: buffer: one byte miss in buffer free space check - BUG/MAJOR: http: don't read past buffer's end in http_replace_value - BUG/MEDIUM: http: the function "(req|res)-replace-value" doesn't respect the HTTP syntax - BUG/MEDIUM: peers: correctly configure the client timeout - BUG/MINOR: compression: consider the expansion factor in init - BUG/MEDIUM: http: hdr_cnt would not count any header when called without name - BUG/MEDIUM: listener: don't report an error when resuming unbound listeners - BUG/MEDIUM: init: don't limit cpu-map to the first 32 processes only - BUG/MEDIUM: stream-int: always reset si->ops when si->end is nullified - BUG/MEDIUM: http: remove content-length from chunked messages - DOC: http: update the comments about the rules for determining transfer-length - BUG/MEDIUM: http: do not restrict parsing of transfer-encoding to HTTP/1.1 - BUG/MEDIUM: http: incorrect transfer-coding in the request is a bad request - BUG/MEDIUM: http: remove content-length form responses with bad transfer-encoding - MEDIUM: http: restrict the HTTP version token to 1 digit as per RFC7230 - MEDIUM: http: add option-ignore-probes to get rid of the floods of 408 - BUG/MINOR: config: clear proxy->table.peers.p for disabled proxies - MINOR: stick-table: don't attach to peers in stopped state - MEDIUM: config: initialize stick-tables after peers, not before - MEDIUM: peers: add the ability to disable a peers section - DOC: document option http-ignore-probes - DOC: fix the comments about the meaning of msg->sol in HTTP - BUG/MEDIUM: http: wait for the exact amount of body bytes in wait_for_request_body - BUG/MAJOR: http: prevent risk of reading past end with balance url_param - DOC: update the doc on the proxy protocol - remove patches that we pulled from the 1.5 tree 0001-BUG-MINOR-pattern-error-message-missing.patch 0002-BUG-MEDIUM-pattern-some-entries-are-not-deleted-with.patch 0003-BUG-MEDIUM-Do-not-consider-an-agent-check-as-failed-.patch 0004-BUG-MEDIUM-peers-correctly-configure-the-client-time.patch 0005-BUG-MEDIUM-buffer-one-byte-miss-in-buffer-free-space.patch 0006-BUG-MAJOR-http-don-t-read-past-buffer-s-end-in-http_.patch 0007-BUG-MEDIUM-http-the-function-req-res-replace-value-d.patch 0008-BUG-MINOR-compression-consider-the-expansion-factor-.patch 0009-BUG-MEDIUM-http-hdr_cnt-would-not-count-any-header-w.patch 0010-BUG-MINOR-ssl-Display-correct-filename-in-error-mess.patch 0011-BUG-MEDIUM-listener-don-t-report-an-error-when-resum.patch 0012-BUG-MEDIUM-init-don-t-limit-cpu-map-to-the-first-32-.patch- pull 3 patches from upstream: 0010-BUG-MINOR-ssl-Display-correct-filename-in-error-mess.patch 0011-BUG-MEDIUM-listener-don-t-report-an-error-when-resum.patch 0012-BUG-MEDIUM-init-don-t-limit-cpu-map-to-the-first-32-.patch- pull 3 patches from upstream: 0007-BUG-MEDIUM-http-the-function-req-res-replace-value-d.patch 0008-BUG-MINOR-compression-consider-the-expansion-factor-.patch 0009-BUG-MEDIUM-http-hdr_cnt-would-not-count-any-header-w.patch- pull 3 patches from upstream: - BUG/MEDIUM: peers: correctly configure the client timeout - BUG/MEDIUM: buffer: one byte miss in buffer free space check - BUG/MAJOR: http: don't read past buffer's end in http_replace_value - Add 0004-BUG-MEDIUM-peers-correctly-configure-the-client-time.patch - Add 0005-BUG-MEDIUM-buffer-one-byte-miss-in-buffer-free-space.patch - Add 0006-BUG-MAJOR-http-don-t-read-past-buffer-s-end-in-http_.patch- added another fix from upstream: 0003-BUG-MEDIUM-Do-not-consider-an-agent-check-as-failed-.patch- haproxy.init: fix reload and force-reload not to start a stopped service- pulled 2 patches from upstream: 0001-BUG-MINOR-pattern-error-message-missing.patch 0002-BUG-MEDIUM-pattern-some-entries-are-not-deleted-with.patch- update to 1.5.11 - BUG/MEDIUM: backend: correctly detect the domain when use_domain_only is used - MINOR: ssl: load certificates in alphabetical order - BUG/MINOR: checks: prevent http keep-alive with http-check expect - BUG/MEDIUM: Do not set agent health to zero if server is disabled in config - MEDIUM/BUG: Only explicitly report "DOWN (agent)" if the agent health is zero - BUG/MINOR: stats:Fix incorrect printf type. - DOC: add missing entry for log-format and clarify the text - BUG/MEDIUM: http: fix header removal when previous header ends with pure LF - BUG/MEDIUM: channel: fix possible integer overflow on reserved size computation - BUG/MINOR: channel: compare to_forward with buf->i, not buf->size - MINOR: channel: add channel_in_transit() - MEDIUM: channel: make buffer_reserved() use channel_in_transit() - MEDIUM: channel: make bi_avail() use channel_in_transit() - BUG/MEDIUM: channel: don't schedule data in transit for leaving until connected - BUG/MAJOR: log: don't try to emit a log if no logger is set - BUG/MINOR: args: add missing entry for ARGT_MAP in arg_type_names - BUG/MEDIUM: http: make http-request set-header compute the string before removal - BUG/MINOR: http: fix incorrect header value offset in replace-hdr/replace-value - BUG/MINOR: http: abort request processing on filter failure - drop patch included in update: 0001-BUG-MEDIUM-backend-correctly-detect-the-domain-when-.patch- pull fix from usptream: 0001-BUG-MEDIUM-backend-correctly-detect-the-domain-when-.patch BUG/MEDIUM: backend: correctly detect the domain when use_domain_only is used- update to 1.5.10 - DOC: fix a few typos - BUG/MINOR: http: fix typo: "401 Unauthorized" => "407 Unauthorized" - BUG/MINOR: parse: refer curproxy instead of proxy - DOC: httplog does not support 'no' - MINOR: map/acl/dumpstats: remove the "Done." message - BUG/MEDIUM: sample: fix random number upper-bound - BUG/MEDIUM: patterns: previous fix was incomplete - BUG/MEDIUM: payload: ensure that a request channel is available - BUG/MINOR: tcp-check: don't condition data polling on check type - BUG/MEDIUM: tcp-check: don't rely on random memory contents - BUG/MEDIUM: tcp-checks: disable quick-ack unless next rule is an expect - BUG/MINOR: config: fix typo in condition when propagating process binding - BUG/MEDIUM: config: do not propagate processes between stopped processes - BUG/MAJOR: stream-int: properly check the memory allocation return - BUG/MEDIUM: memory: fix freeing logic in pool_gc2() - BUG/MEDIUM: compression: correctly report zlib_mem - drop patches that we pulled from git before: 0001-BUG-MEDIUM-patterns-previous-fix-was-incomplete.patch 0002-BUG-MEDIUM-payload-ensure-that-a-request-channel-is-.patch 0003-BUG-MINOR-tcp-check-don-t-condition-data-polling-on-.patch 0004-BUG-MEDIUM-tcp-check-don-t-rely-on-random-memory-con.patch 0005-BUG-MEDIUM-tcp-checks-disable-quick-ack-unless-next-.patch 0006-DOC-fix-a-few-typos.patch 0007-BUG-MEDIUM-sample-fix-random-number-upper-bound.patch 0008-DOC-httplog-does-not-support-no.patch 0009-BUG-MINOR-http-fix-typo-401-Unauthorized-407-Unautho.patch 0010-BUG-MINOR-parse-refer-curproxy-instead-of-proxy.patch 0011-BUG-MINOR-config-fix-typo-in-condition-when-propagat.patch 0012-BUG-MEDIUM-config-do-not-propagate-processes-between.patch- pulled some more fixes from git: 0003-BUG-MINOR-tcp-check-don-t-condition-data-polling-on-.patch 0004-BUG-MEDIUM-tcp-check-don-t-rely-on-random-memory-con.patch 0005-BUG-MEDIUM-tcp-checks-disable-quick-ack-unless-next-.patch 0006-DOC-fix-a-few-typos.patch 0007-BUG-MEDIUM-sample-fix-random-number-upper-bound.patch 0008-DOC-httplog-does-not-support-no.patch 0009-BUG-MINOR-http-fix-typo-401-Unauthorized-407-Unautho.patch 0010-BUG-MINOR-parse-refer-curproxy-instead-of-proxy.patch 0011-BUG-MINOR-config-fix-typo-in-condition-when-propagat.patch 0012-BUG-MEDIUM-config-do-not-propagate-processes-between.patch see patch headers for details.- pulled 2 fixes from git: - 0001-BUG-MEDIUM-patterns-previous-fix-was-incomplete.patch Dmitry Sivachenko reported that commit 315ec42 ("BUG/MEDIUM: pattern: don't load more than once a pattern list.") relies on an uninitialised variable in the stack. While it used to work fine during the tests, if the uninitialized variable is non-null, some patterns may be aggregated if loaded multiple times, resulting in slower processing, which was the original issue it tried to address. - 0002-BUG-MEDIUM-payload-ensure-that-a-request-channel-is-.patch Denys Fedoryshchenko reported a segfault when using certain sample fetch functions in the "tcp-request connection" rulesets despite the warnings. This is because some tests for the existence of the channel were missing.- fix bashisms in example scripts - add patches: * haproxy-1.5.8-fix-bashisms.patch- update to 1.5.9 - BUILD: fix "make install" to support spaces in the install dirs - BUG/MEDIUM: checks: fix conflicts between agent checks and ssl healthchecks - BUG/MEDIUM: ssl: fix bad ssl context init can cause segfault in case of OOM. - BUG/MINOR: samples: fix unnecessary memcopy converting binary to string. - BUG/MEDIUM: connection: sanitize PPv2 header length before parsing address information - BUG/MEDIUM: pattern: don't load more than once a pattern list. - BUG/MEDIUM: ssl: force a full GC in case of memory shortage - BUG/MINOR: config: don't inherit the default balance algorithm in frontends - BUG/MAJOR: frontend: initialize capture pointers earlier - BUG/MINOR: stats: correctly set the request/response analysers - DOC: fix typo in the body parser documentation for msg.sov - BUG/MINOR: peers: the buffer size is global.tune.bufsize, not trash.size - MINOR: sample: add a few basic internal fetches (nbproc, proc, stopping) - BUG/MAJOR: sessions: unlink session from list on out of memory - Drop patches pulled from git - 0001-BUILD-fix-make-install-to-support-spaces-in-the-inst.patch - 0002-BUG-MEDIUM-ssl-fix-bad-ssl-context-init-can-cause-se.patch - 0003-BUG-MEDIUM-ssl-force-a-full-GC-in-case-of-memory-sho.patch - 0004-BUG-MEDIUM-checks-fix-conflicts-between-agent-checks.patch - 0005-BUG-MINOR-config-don-t-inherit-the-default-balance-a.patch - 0006-BUG-MAJOR-frontend-initialize-capture-pointers-earli.patch- BUILD: fix "make install" to support spaces in the install dirs - BUG/MEDIUM: ssl: fix bad ssl context init can cause segfault in case of OOM. - BUG/MEDIUM: ssl: force a full GC in case of memory shortage - BUG/MEDIUM: checks: fix conflicts between agent checks and ssl healthchecks - BUG/MINOR: config: don't inherit the default balance algorithm in frontends - BUG/MAJOR: frontend: initialize capture pointers earlier - Add patches: - 0001-BUILD-fix-make-install-to-support-spaces-in-the-inst.patch - 0002-BUG-MEDIUM-ssl-fix-bad-ssl-context-init-can-cause-se.patch - 0003-BUG-MEDIUM-ssl-force-a-full-GC-in-case-of-memory-sho.patch - 0004-BUG-MEDIUM-checks-fix-conflicts-between-agent-checks.patch - 0005-BUG-MINOR-config-don-t-inherit-the-default-balance-a.patch - 0006-BUG-MAJOR-frontend-initialize-capture-pointers-earli.patch- fix bashisms in pre script- update to 1.5.8 - BUG/MAJOR: buffer: check the space left is enough or not when input data in a buffer is wrapped - BUG/BUILD: revert accidental change in the makefile from latest SSL fix - changes in 1.5.7 - BUG/MEDIUM: regex: fix pcre_study error handling - BUG/MINOR: log: fix request flags when keep-alive is enabled - MINOR: ssl: add fetchs 'ssl_c_der' and 'ssl_f_der' to return DER formatted certs - MINOR: ssl: add statement to force some ssl options in global. - BUG/MINOR: ssl: correctly initialize ssl ctx for invalid certificates - BUG/MEDIUM: http: don't dump debug headers on MSG_ERROR - BUG/MAJOR: cli: explicitly call cli_release_handler() upon error - BUG/MEDIUM: tcp: fix outgoing polling based on proxy protocol - BUG/MEDIUM: tcp: don't use SO_ORIGINAL_DST on non-AF_INET sockets - Dropped patches: - 0001-BUG-MEDIUM-http-don-t-dump-debug-headers-on-MSG_ERRO.patch - 0002-BUG-MAJOR-cli-explicitly-call-cli_release_handler-up.patch - 0003-BUG-MINOR-log-fix-request-flags-when-keep-alive-is-e.patch - 0004-BUG-MEDIUM-tcp-fix-outgoing-polling-based-on-proxy-p.patch- BUG/MEDIUM: http: don't dump debug headers on MSG_ERROR - BUG/MAJOR: cli: explicitly call cli_release_handler() upon error - BUG/MINOR: log: fix request flags when keep-alive is enabled - BUG/MEDIUM: tcp: fix outgoing polling based on proxy protocol - Added patches: - 0001-BUG-MEDIUM-http-don-t-dump-debug-headers-on-MSG_ERRO.patch - 0002-BUG-MAJOR-cli-explicitly-call-cli_release_handler-up.patch - 0003-BUG-MINOR-log-fix-request-flags-when-keep-alive-is-e.patch - 0004-BUG-MEDIUM-tcp-fix-outgoing-polling-based-on-proxy-p.patch- update to 1.5.6 - BUG/MEDIUM: systemd: set KillMode to 'mixed' - MINOR: systemd: Check configuration before start - BUG/MEDIUM: config: avoid skipping disabled proxies - BUG/MINOR: config: do not accept more track-sc than configured - BUG/MEDIUM: backend: fix URI hash when a query string is present - dropped patches that were pulled from upstream 0001-BUG-MEDIUM-config-avoid-skipping-disabled-proxies.patch 0001-BUG-MEDIUM-systemd-set-KillMode-to-mixed.patch 0004-BUG-MINOR-config-do-not-accept-more-track-sc-than-co.patch 0005-BUG-MEDIUM-backend-fix-URI-hash-when-a-query-string-.patch - dropped patch we sent upstream haproxy-1.5_check_config_before_start.patch- BUG/MINOR: config: do not accept more track-sc than configured - BUG/MEDIUM: backend: fix URI hash when a query string is present - Add patch: 0004-BUG-MINOR-config-do-not-accept-more-track-sc-than-co.patch - Add patch: 0005-BUG-MEDIUM-backend-fix-URI-hash-when-a-query-string-.patch/bin/sh/bin/sh/bin/sh/bin/shhaproxy-1.5haproxy-docs390zl38 1630672538  !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~2.0.14-11.11.12.0.14-11.11.12.0.14-11.11.12.0.142.0.142.0.142.0.14   usr.sbin.haproxyusr.sbin.haproxyhaproxyhaproxy.cfghaproxy.servicehaproxyhaproxy-halogrchaproxyhaproxy51Degrees-device-detection.txtCHANGELOGDeviceAtlas-device-detection.txtREADMEROADMAPSOCKS4.protocol.txtSPOE.txtWURFL-device-detection.txtacl.figarchitecture.txtclose-options.txtcoding-style.txtconfiguration.txtcookie-options.txtdesign-thoughtsbackends-v0.txtbackends.txtbe-fe-changes.txtbinding-possibilities.txtconfig-language.txtconnection-reuse.txtconnection-sharing.txtdynamic-buffers.txtentities-v2.txthow-it-works.txthttp2.txthttp_load_time.urlrate-shaping.txtsess_par_sec.txtexamplesacl-content-sw.cfgcontent-sw-sample.cfgerrorfiles400.http403.http408.http500.http502.http503.http504.httpREADMEoption-http_proxy.cfgsocks4.cfgtransparent_proxy.cfgwurfl-example.cfggpl.txthaproxy.1internalsacl.txtbody-parsing.txtbuffer-api.txtconnect-status.txtconnection-header.txtconnection-scale.txtentities-v2.txtentities.figentities.pdfentities.svgentities.txtfilters.txthashing.txtheader-parser-speed.txtheader-tree.txthttp-cookies.txthttp-docs.txthttp-parsing.txtlist.figlistener-states.figlistener-states.pnglua_socket.figlua_socket.pdfnaming.txtnotes-layers.txtpattern.diapattern.pdfpolling-states.figrepartition-be-fe-fi.txtsequence.figstats-v2.txtstream-sock-states.figintro.txtlgpl.txtlinux-syn-cookies.txtlua-apiMakefile_staticchannel.figchannel.pngconf.pyindex.rstlua.txtmanagement.txtnetscaler-client-ip-insertion-protocol.txtnetsnmp-perlREADMEcacti_data_query_haproxy_backends.xmlcacti_data_query_haproxy_frontends.xmlhaproxy.plhaproxy_backend.xmlhaproxy_frontend.xmlhaproxy_socket.xmlnetwork-namespaces.txtpeers-v2.0.txtpeers.txtproxy-protocol.txtqueuing.figregression-testing.txtseamless_reload.txtselinuxREADMEhaproxy.fchaproxy.ifhaproxy.tehaproxyLICENSEhaproxy.1.gzhaproxy.vimhaproxy/etc/apparmor.d/local//etc/apparmor.d//etc//etc/haproxy//usr/lib/systemd/system//usr/sbin//usr/share/doc/packages//usr/share/doc/packages/haproxy//usr/share/doc/packages/haproxy/design-thoughts//usr/share/doc/packages/haproxy/examples//usr/share/doc/packages/haproxy/examples/errorfiles//usr/share/doc/packages/haproxy/internals//usr/share/doc/packages/haproxy/lua-api//usr/share/doc/packages/haproxy/lua-api/_static//usr/share/doc/packages/haproxy/netsnmp-perl//usr/share/doc/packages/haproxy/selinux//usr/share/licenses//usr/share/licenses/haproxy//usr/share/man/man1//usr/share/vim/vim80/syntax//var/lib/-fmessage-length=0 -grecord-gcc-switches -O2 -Wall -D_FORTIFY_SOURCE=2 -fstack-protector-strong -funwind-tables -fasynchronous-unwind-tables -fstack-clash-protection -gobs://build.suse.de/SUSE:Maintenance:21035/SUSE_SLE-15-SP2_Update/9d60a9106c0d7bb8121d0caa8867a4ce-haproxy.SUSE_SLE-15-SP2_Updatedrpmxz5s390x-suse-linux      ASCII textC source, ASCII textdirectoryELF 64-bit MSB shared object, IBM S/390, version 1 (SYSV), dynamically linked, interpreter /lib/ld64.so.1, BuildID[sha1]=123b359f4f09642d7d0dc6eb71d8a8068810ab74, for GNU/Linux 3.2.0, strippedELF 64-bit MSB shared object, IBM S/390, version 1 (SYSV), dynamically linked, interpreter /lib/ld64.so.1, BuildID[sha1]=98acd1f98d844e9612ea8b5b28350578fa1e7753, for GNU/Linux 3.2.0, strippedASCII text, with no line terminatorsFIG image text, version 3.2, ASCII textISO-8859 textHTML document, ASCII textzlib ERROR: incorrect header check (HTML document, ASCII text, with CRLF, LF line terminators)troff or preprocessor input, ASCII textSVG Scalable Vector Graphics imageUTF-8 Unicode textPNG image data, 974 x 768, 8-bit/color RGB, non-interlacedXML 1.0 document, UTF-8 Unicode text (gzip compressed data, max compression, from Unix)PNG image data, 596 x 180, 8-bit/color RGB, non-interlacedSE Linux policy interface sourcetroff or preprocessor input, ASCII text (gzip compressed data, max compression, from Unix)!!RR$RRRRRR R RRRRR RRRR R R"R!RRRR%RRR RRR#RRRRR R![Dڭ5Yapparmor-abstractionsutf-89f9eca65a1418a562f7af0b8d2c2b9e271eaad957eda9ae5204d1bd3941012e4?@7zXZ !t/]"k%a/hIVaM;Lܨi79]_3c.5N,#bky{fϹ$[RߕXv]0! }*OևO1M3{Z<󼔴 FjlwӈsNE*=4 >wۿIu,)*q!=_5  9Ň n;<8_!GGvkEF֨ü\So_w{֖@wJ|pS~uAA"IsŌ8TZM^uCzI+*̎i};ΓcO?ϰP#u& sXwd66*$˴$Rk^h++W[-_Ki~hICK;f9p)`AeH/KK4c{7-ۙa2oc;16;nbmc- mSU7,N;LXA8l7e>zjE{+xdÒ𶓅Z$ՐN8z#f dfAXk\!EVz"i D;,LЈ"8RyQ+*r aP Va;/@G.4&B)+z 1c8t 'glaOObbo pRg `4OylN"+cAB[(O3ܟmMހl};"R4 m&{L/:aS==)*KN~3L?:c⏯( @4f`mbh+ZgI4ZƎ`?!j6b E(/u*hwL&2v!z!VW0[:T_ܥ7F\rS뤏%j#mhVTV?/H^*~A(iM5BֆbT Xopb6#D*43s9QrB@Ԉ/q^G+o̫Em,ȳWi $1?+-eޑ՟ܛ|r "?`ȶEBYF2XTcX`bZSux!݂`$1Z;mf3P(T~p [sLS[AU[&EPNrCUDRѰ6vts%at`a?g0y#<8Opa l֭(p; *PYI/@J,o\o({7~2'«ZEۿ [V=i4Wp'$|*>O% }o>z,N|2k1腄n Ą܇X<~a݀j_i5sN p.%#Z3Mn5Ї,<&!Dr3|yq>p Ypr>|K!SYmͨ~f[BP,<ђjc;O0yR/J14|6X;]+J។t@yfKiᑯCءo?oCz!$SEwBo2sY璣a++]h D5o3FEeN)Z51݅FWdJ6m&}MJѴHP| rlO:o9s7s<wa)V1{OB2]Rj=HEc[7dљKC`^]vF!L ;LYh\YQ&dbĎϻ!х^dmN2d.ϛ΀[&;CshB 2sA6o ,`/8n Dd0{DXQK?2^chm~0p{d ;T^tu! \o#n(R'f*dwE7Ե s,GF{u1sg+-S(/ڰnSQ.1Y׮("J2vhY25ܓ)6\V] )`ū. /6"]0Gl{K`{4d=7Quå"]цSc`nMYۡnGBeZ#1עrJ1a_z`%+dԌ (ra+ _ j2cɎ 9bx-}#o7D`ꌠU#5ş^#"'EwƧԶ. *ZE)h!}3,4i`cKp#DLKa?9T䱬 x/zi%υb|\m^_l_b,9iG lwyWgs0 0Uװ1 C˩PG8k+4Mi =(Q?Mј5ŒO'awB30抩 К֍ʪ8bO1-Tu\%'`\4't`4)]3">x70iXeC~ثw|h-y lWr1J̝2j\|` }v 눢)R誁i w͙uwѱqO?/+v tqi@ij߀qϼyjaJw=[wKi9%LQ r:4ilYP9&he諡{Qt(HV%%}kTD0> ݵ< piTtE7bʸ {c2*7hw%%p"ۢuhU0*J |i0#fmrPfrTǿz5;!ߎ<劂)_d%i2}Cdq5`yN;j?KH6}oPaEzKreq햡@΃~-C (b-ʉޤӮsHٟ SEAS $f1h G=_Ymu'[Z8•W´J9> o>0J:Їb+v.)jӰz3Ψ-2rƨ9U |$\"8_j3*ɸNCهy-yC.VŘe<-,r?T_]݆2=ȳzNINd Qr3aF1'#d|7 K<18J 58-8"Ȁd -]et!%I$<$# {,DLm emH@ `7)m>QalXF.V[d1:`dmPJw hRW_Q-on-ۺN-v#V(64:z\v_L]̫ S߽2I&)Kx-D2)[銭Ď=Hk7vO.pPy~3QoC3_ YRf1}ԭ2{8Ez)֏֩FĶ{$V6ÂEG =Hqk6A.aMS)չ(#fM9y˹3HiT \:щPP <"͇9 gL`-0ϸ,]d3%6 ^TdB2nMg]j(Yr} N tK[Yrr}IYhk{grW!ĭGڦI`IEW!fDH Z4miřLbj5 &M|ZsGsAǚ%(DfĂtUɄ{Վk1_Q B^+:2ZΞw+&8<=Dg?-}.8`UkbEu_,"!0,5?[BKs?:}8RH)>a1M\_z|QR1A&pV95 _TSgQ<d1ox|qV& A0[mJe_ߦbz!g^D$ #)MɀĩmQw5/Sp35a!!,ۿײ`Wf -EPtNGx=}ɴ9sKuW4O9,}FfHHf/^Oc60&2elE$G7/"=e,9ITLSW;3_ζ4˿n2DN `7Hf<{\/Σz<scx.xӮڱj׍^g1ƑЌS7?)y-Q_xl/1bkاDn:-^HIZ,%X4l5m쾕{UBIZ1Q*.7LSnU'/9 hZM>GlB.Lw.Bh@,w|F% -8P?=7a($`V5 s@ݭR; f E :6i wmOh})acm{ #ƥC[#+69P*W"MXcYpM C4̹Qմ^S˹bI$NĬ8}1_YꢄyOADY*#n! :W|Q/-e+N6>i0YsEtQduYU"4 ;t讋@ݬ9s>а &i=g[6c_s |'k!@K{?x0e[_\42Z s9"q1 %"ؿ{94ݗ$THĿ0N껑M fc-SqPT){Sc%aި5B%%`Z%84|VE ɶ4L1s#azV_ԄTC21qRmB>T *jwO.l,Н:^ .%Ql*,Nv.6pn JϽ6?>v FƱe\`e]WAkng{˲2}8̃0v.ɶ ^ꉥ Uцح`yBG&.]c˿Sha-@xr69845'9 PxVi77^CQc 3ߞƥt؀\693r^iv/^wm!k{Cɩgb)KAZoF _`)v61PB@ciWk峫n^8~p.~HqsHAI<#7,9/h²$XNNL@, -ZZs_dkY<@gbF.w u*PI{.7t xVR2SV_{>ME~,="ḗrn~˭c^QaCZ >J݂LզŽ>vΌi-X ‚62]͍grN@*ďtXFsm%YzF'r_X;D6Ⱦ*5(ab܆A:7hXzlµSh*=B fElMXխZJ|++YPFWٿ A{gS f~ME;zIG ")E[$Ȑ >ژEKxuy?B)`a4g{E4;qGխAs l&9 U *\uHѱ(l6- m}O] 5~?Q95GRo>yoٟ(WqK@%P3D4AkUR.㻞7}XK9-]yE|b-$PLP'lb)gƶx0{Wri_A}cw OiYE &H>u+FeɅ]X :&' sHt GYgL#],*0}S[/$A@:!!E-41cjbE|\GtEe}xY>f^e|0պ2-}?ocƢ:֧) DcҎږuþ)x-E#'FQr83TRmt$z$2:\M嵷A<jN kkJc;BXp"RmNq9> dB"K[u/@#L4&=sc;6c9uT\LV ?O#̴dp ͫҏPU6>S0}"4zش%ܘwp|*4t\@O neJp;!Z٨;e_u 26|*Fe7Fȴ|c3c{V w4'=~PPO]`]>l$dh *}ea r les+z:\Ox_FG?oªuRFW^FS]am ?}Ы~46ovހ?$] i i1uj>Ij[$/^-܂K=EHH:]n?sMKĺ’ >w3"{sl~y ]QWŽ׶{QB.b'_.#0+G2cAt7qhݬ ]m%C-_T{E ^9>49SZ˱sΏ /4 -P:wo$iY*&1>;+TR,LB7͗ؿ`H?@$ ,!ܦSL„tâmxA 8\׷lv\=# tMTNt٣|aˆm$uA.)߁mB0p, j|?f4G:It`ٳw}؛9g1 ęTo_ ߄( ]Tik]{SibP( +M 1 oW*R~tWcO͂ L^^w)mh].5qDOt CS{RR$ /0./Tfzpso)ߒm>a^o- :}۾;ϖBTm;#FfT8tYWpVXďt(厬|XXƲ~ ֤˸Eswy՘-s#eRRv>QE\<5::LyLy*qq =N8qFЭS'~xj@Z>;fΧCfQ>]Q . MjL/*5}!Q L3Xh^| 7XcZ,އ^[zUb`"t8Aт8]>/$]Ϥt,'$8 Gf_EXqk:$Fl|y[3C|$yɜmҢ Wctxζ"W?Hz>C~=t>2-_fymek?m̢HVG!"zRWRTF;]z̛>Ɣg5 *T}jPާ*'}xR@dmT7U\l!{X%]%&{*MB{8U!,yҜy89ˬ!wO˿K |+ #K:( #R8GҼH&ϴMvu*<梌d*:D /o9`Acl nyF׌u: aB,YRHBE98svBg޿Lؔ~ƺH5 'Vjps+kx=X)m1T$/籮mLշjU6RM%&-L!L*}>'p:_S0VK=Y|ҀL OTrυV3e7qWu0, eܴ W+( -ͰPa /q\T^Uib{KXR_ў;̻u‰m_C $i ely< SvN~F hKd7T1P18(Ӷ; M7!\`)ʍLx2c( o{tkw/>`b$Azz ]aJT Q d[޶C@gyPk:tf8s|Um~_ %ZSc8ߥRIw^\]E&j}=V+[n5Qu/Lr=:z<y\[;oe{EyYVy3uqQ"sjJ!,̌K̾ZN7ۧ=K= i[| Q$/̋/*ؽb+ O;mc^ c/X uVD{u\35Za(~~j4bʄI 1U $PGԧhp q3֊Ex~lmsYT2%!xv.M_ԪcUZn`Wi;tͯ ){J7C X& " M>"QthxcI;iAr)MˑsӬ&2&PQ8FtFbUiV7L8JAcRr I&P&s^cI[mhDdUK]@T{/j 2vj~P/ɓ1\רN:nѤK˫lMW;oL`Rztvl0B[!B|ctOj| LsT:a *:m9܉,)TSm{Rq0XLJYOK[E< WV`9UkA秝' X0Wh8D5ȥԋ3dXi wi5k1Gإ *U`E.29s W\$A|(vţjzOjfv s2)1F^8 .WZZT_'<+H5 U*ʶWZw{4T\*re>nK0&X\s{u =NC:5ɐ;&NUꕹMpAΧ$ j"f$t/B6؊"4cՊ)evU~UkF 8C 'Fui9Ż/]>$pxd3F 5t)'(*t̒*Q!͔LycN?D}"本,Ux+ahLMHe*QLseK{] L5 OGdxlà *yFU &n{8QgFDh1<)[PYN}Xd$.H⧒N h7%v[v9<=$wF+H)͝I5˅4 U?rJ P% ޗɜB S^%i`.n<)8|J,W!K@ĸ$=b&VU.*?{~娮h$)ʎyWYMFgLYߴ3"ׁ-'szuEV$2$pӧvRr'ZV8I#IP0!XHe90Ga17 `g4+gf$=c^395xbs=F> VH>H[o=0 Sruڎ%v#pZm6kV:h]o2H^[/lP\R= ݝlnёc's1+ȾwZyD Z92ɀ aY/]w"/AwNN5-9d>uY}wh©wpe(1?]1 PrF9rf_?C_:O#`%y m AGE7Hت(6j'[R:+SX ىnL '螺c-86ovC-^o]qڅcy/㓖P҆ 5%zo:+;.,kI{Rc6Kh? Ton_[(̺XHY:mi2 1&{7@Uz|L'g"_16`tsxn O5>'rc`Kq+W쭠Ҽg;IĤrIȂr+4g4e@gt1v̊ţ(/c`,L?l(J+kgԹ;o &B{Eg}”Hc*M/ VmW.햂@4)&/+׸c x4+B͸~Y:u#YpF跬35HI{`ѣ" 1j7[g3d54s#1xtǬZC*AYr:x ޱl.`[?%w31LT6 ˃0)!Wۿ٨;1whȟϹځ);(J]Jx I#-%7XX+oMX27,[v7Zamwc,53&Vrw2Ǜ_^\6(1oO˴͖WZCrFYaW'[ԻTۤVcnU3ݸj@{b'OhoieFXS+M2Έ+}&uH\~0Grqƒ{Rc5أ~FNօwV?YᕠJՋ\Nk*cCͿ`HEL*`r ۘ]\pO?G+p\}u<!~ڋFBl>2?GqXSDE4{4wjP]n>5 ?jnii >(tC0_$|5 C D2;=}?#G=`5g[&-\C|21c,֒gn"Y?R_ 0 o1C`P15TE]9z}.bPT B2ZcƄ7k[ {Wq== QtOԜ^{Ijsa2 1ϟXTf-# Ȫ{?{MX#S{ -K"&@j" SJ)7Xr$3PÜyIoy!ԄX#"#8ޔ' N7:pj>)x2@=yu9] B&~z0 $"i[toO(CzCC׸$5A+3Sw^ 5 B^LU9 u's8Ty?ɠ_ӣ i.rc8D0w{BV8xX{LLND5/!FC=[1BW^ӦVъxbh+,EgznI; y55v澃62k̡ۢ6 lrhbJxPg=?b 5^('nB"KYDg4z`hY>Ќ:y9KR $ͣH'grXo3ьSXjd|$˺DyuUKTw:SMWB+_Coa{7CE"J`J% |#^Ab 6"&VPwYe Z"8"je<!GaFG@(-Z[}ݒOIw(Cî>Ěb19P7,Ri0} ɆKTd?plϖK)%G񙮜Iզm-@NFֽC;!Xj0&e#Qz mcRyb89O UɨZ]>_E.+ԝ!`pTC$zc`=i|J`=1Hp5ㅘkOG~Q<U"Wj^1^Mݠ1}CA$xk}«Icg^XTo7b2"E2k/ֱi[d(BӍ79MlJ&1ۧzb*$-u1L(,N4@OV)n/[-2}QL =w[ =| <fkhE$령07#@;@Sru r(M }nW8mO TW!s;Pb)U/Yu ˬKll+RquFXܧnnRZƞp[c'e ` 9\'zc_.*Xi:=zn"_şB>aL? \{T^ۨEզ`xׯnR ,VjOw-V*GZ63fr"893 PR131dpIgPUba$ uHQHkY! r(2^GvF\e7CbRzUq@g0SJ $+ɬmxs'[w3yLy#bT}=zy/ϖSOz[N`.lϜ=ldn+ Fk}I"CQ'@jm{h=n.\}DF4<)ۆ,Ɠx;4|)Mi/ 5qw!nT "Cf f'SIcN*\s-r^1aV'*'ۓe}D1FRMRPJsRXV AB,\D`͡BTr~t$!b&`[[?T>y= ct[\Ԯ'6tM|k恿=ew2|)Z-790\VJhu"yHZ6J@%QFl7sxba2Gax.Vex"Zdw})^/ص|(tZUf͕l6iE>^"Kﵮvw>PhegiDku( !j1Ez`,?pzbYЎF_t-joW1nü4~¬i"Z}a>$^oOq !ߗ>V RS++qM. || k& S46ߚ4d6iyY[tCAHnCV6 qhFħGUڴJ:l%㏕r td [#ĢOe$5\-8R?k:^D,%P A)~?r*Ը&.g 'X!W:;NNQ ["sOi~8Jg"ӌ V̳ ůsrTO-*&$Ŝ0vXDb?-^KbVj ^*p .paNw3i@N2!#?ݜ}X^s-p^ o &YU <8zv?k<~[3_ !M݀ա'\NDn`;jq@q)GvF?[pGڱ&%Fo;7,u! 2A.քe1tũGd [2rk a|tmWz)F$ʲmU2,iN"0w=m+lN]䲦lq#1 qmчu"݀cCܬhZ@!IS5)j]ZoQv):Gkx{;j\ 9sX?P+.-DqӏO㺞W_Uڣ4*,>8l1?b/#^*Fu;`mLF鱰iMitz->넟|IK4}SыtcWf0tI-A#;W/m1$Tb5gLLc\~8wcو"@#bQ_jT3_~_e 41as!U]AwIUz^AS98߷lV;)DTNo}r}/)łQm[G1vnI&:U19r@yi!H"voe/i-w7B6Y"r9@%H>|y_Y 7fÓ$>U c?BM{IS]n"p74AtS0QľMb řT(g\vq cn{ ]_>@LkSבgA$1 B Xd>_}h{Zwn[mfQ5n -Bvd-zASu€_иPoz{=% QGzzDo?hLrn7?H7%V%'J4$"1mmL*D$\7OxęT9_Tɏ=~Fe9eYhDy}|IqOЕnxRTAeEES3Q2poņoXŧv 6u٫&^;HVR -X1)aeF?eɾ 5~|JG+5i#)V\|rM%Gݛ4b;q4PYq!NJejA U>}ru:Y>RkÏJ/>:sdLoZs)HmU"7`c~(KX], DbH%Fw&m &m9Rk4'37zH *: =>sf GgԽ}>pi(v Rۗ$wRArԏvx(,ADyUb ^+tt;`\xd0PLP2%\ly {.$}7?Eӈ~{߸ȭqk6H&nqٲM=B@p17*_SfWgYR8$  2Qjx$l20+ضy%ҝo *z<ѣbv_VY}͒ eس~]'4]YNŵTLAcNȕSCX)tR?[z6' xn>{+9qzON1 %a]9UyY 8\%aa}x.-o  9{"n|Bk ߜX41wnIw6e~ҤB{!#3m3sn˻Y36!涱n>V-|S;~`Tc@{UtYMV}~{gkBBeisZ\?MC@[ k]j p=+*cjgkFJAEYZ7M|8R03 M\ɘ$J%M>`gK|H^8yRrXRW|#X)ZڞDL~ c 43l ZO8C$--VB)YOqImvSҸ".!bOP)w>d^I (T@C1#bfN HV %4naOEܚUW̤uz~\u^с+N щj(~;cni' C>Gv8F@n䙝g #Wu :>)$lW.9$፶j6njYa!9ޤ -D9_n=]6яܽ%}tԾ++n\e c4WHeͲgv=D)hoxzc|*<5 !z` Y,Tw?aPOg9jvψ~5i&hg-gQ5N(6^蒑2,9aWdDŒM038^X;4b\;rzfR17e C9n'( cFAII3 ז mm4AgH{>^O3ĹK[X$63*J 4 g"5e(rfpޱ;KIG *TGَagW lIHOlukBLi(D%)*+NkR=f㉉K4U?&ܥs>Vkoɒo 74ٻEŸ]tAVsjkirgزUDVa n5~nz=zu^f#gcHmcc KOK%[d+̠E9wbQId⳶z6{#DX bY.ZF1ܓW*f!~؉MЖE0D(]D!8j% HfШD-m^˱lK{]nl:<$b8!'vq܀P{ar0jd;s'q(eu,SP$L'^Kkkӭv6l`mXS˅t\|OPZn { xK_P=Í3U#=zЄ:,ׄF='CmuẬO-)v 2'.j&"#(CI5:qѾ̞ +d :&#q;u,Yb  'U5 @iЄh2m\ SUoS̮ f:V)ﻘ++Lv[wQp@p/air o-.WwGY.V>Vʵ?ٓ=.(D"xOECغ{'"+53{pGg.~Q2?=Ma"h5=6xtr*\&j}M- 6>OƆ+Cjze٩? E>suG#1gXqqL{<(n-45A>k A<O#˲Y]V8l@^G9 n l& Z's#-Cgo8JS:l-;,#\cx+|5DnHUmS}ILH~}m"sݽ B/hrpXStx ϷiR2nC(,VihPVyqd+.9Xj'%b5dҋ9{:I\lpKnfI:zKqeBWu4nO:Y׉jfv tV)=ǧ:V ?\۫UgkO2@'T4rvΦk(f~7f1>pbḭDT")v݃ `o7ZK1؂P7}3vЂ963-VYI^M9cʍJKUv?΂t!L"R^|T}ZOb(%:Wvq||p$,Bh R/%UOiEygu'&@Tzoh+NJ dazᇛʏݜQ*0Fz"uo^uO48)OjyZ۪֟=+Ze`3f1%J>`&D\30OLvЌ\mKmcdDX%&:%i|<7iLfJa5/)"<⾐ݬ)mڳz֥ e{JxkWy!@MZz(ϮgG #[S^0ݡLtS.&KqJ} I].&p1NlbOI.K~\:3T?ޤ5Kwg\zxSDF/UN|4\;qQ{琰{u<UXO4g :2Iy}xIbwp傅0WOwjcKlL$vp`)6 Ne0p+rkQEkn?AU%d Ey_G,wawCeڡjc..Ju`~{FR¢P$@R9G{kҕb 9xj~[áuqm:i;8E]2ǏI8HPgtjy|odY4cVXq2l]!?ٿJΤZMϰ75v?pcpMk$)5ϋࣰ[Q89S[Q6>g;6J,\yeqMuy\ .gvadIȰ™8!78_^H#RT$vDSo,a _2kHǒ nFiurbҼ (ˬ7aػAbE#mgKa ,bqlwJw/(U0Bx6!ZPVs]HuٲqW(j2kll:"hnk%oa;AOH/Gg5褴i/[gNr{MNn޿"QNYHќoS 22W/!ZZPK+\` ;5r/FMpz}$`d '%o,ƥr4.טY<\3M^ˎVQC'lEμ$Dv U]r`L鏈89,7Q,ejK9}gpauz-ˣdtk 5΂Fɀɡ \!vyZ)l Dc@$Df\T#ݞw #?Xo@GJ_@q+ɪ!f,;6,3Kͤ(]+>)@[N%PWw>{lk e7%N3^Dbi}zRf7`}fɆKZrΐ\'zKżM:Zs-b)A.mX 9ˑ'AS2 H;O|ok[ҭ1iXa١{`+6 /%vXg]'92^yֳzĴ佚h__X#&c hF@y&ԥEu;e6!:2# s\I[HS3O^=[OY2T\bP*7ۘkڄU4EVp(ߠKXf~VʆʰqS [8b:("_nэn4#?[) CQj"ZJ0:(ntXђ47Hw5{("wj͂P5-d'yNM0cHh̝n .7G5`J+ԼCě:>. њ٭TYy [&*[>&L2^vk3*׵bKd遇=rz|$'?j LŘŇ^>4908qvwҒ]OiMٸjpCI[R#``lLrw S`^g,X8: HMWV^ sV;|GSI[ :X(d??o1"1{ix 6h]̙1byoivK$fרWX3I`LaKfA*ujTgt.e'?igD/rk ZʦX/\Nz09`B${$uX]'88٫k<0߃-;叙}WE)(\g)Ȕ^Ըiz)TU0! G]]i˹TDMmߩƈ{TOi8[Ci5cL3 +Ə%na?v.x]qB/SR;0U<9L #qNY1ÈtĜkF4\_޿҇܈JfW!:.!vZJKjoi-_s!'CM/%S*RhU&1Z\]wO)SQpL }Y)n+ ŨncCjJgkntGa7i8eTLI&?_,7򊼠D`ANe Pt›UGd]W p˥OȗFzܑV 2j5υIl(͇Tl늼MM9/FE󾽁2UmA[o>!3:5!gӲ CɅÆ^726FJ4 (.0M0! !c$8s j7g;LA7SOpD߇Ϊ$ͣ M4I}oW`+%3j' J|=~E1}c>\_@6>\5bEJi_;c3lFa2#Fwm{ڵt-AJ\/>pzsi@Ӭpcٰw gjP/Dؐ:/ҐƢE`ƹv*r:Kazטƀ/yyޒ!3K_AZMn8`Vucwn͢]X(8Ṿ>c*ܐݤ'b}׵(8A.o\u0t. 0釨 ^pHÂ)OOmRoROAcFZM'K^4Oy0PF썡rr~ӭ Q;۲AB`],lyU Ȧ宧Ww\yDe7["I5oVX څK?sB|Eg.2s%]#[z:'I'K#DXa].[m) vh ?Q@۳~X.R InkшƋ4-=Sx>~CNr`_*E(Id*ZȗsY#=K:׭q2Ak&Jw$+vwֲgIS?6e~k&h@ Yu[>:Uh9 Ή1*?\O8o%B;(M&U) @9,c;|64ڧE28iz%n%r^߫W$x4ImD7gsd_4IkZ3%7UYag#y8R5FNILɷЃ=v<&V9ylx_C8 KjJWV54 ? yϋmФsO.l-юiPW$+y +9?MjS ;ءU步p ?qcJz{%1^[>5}4nfނN rpnj->0\`#]/تzU7}NT.~HO> o=tELKL6b6}aͪ3OO~AO 9N*b 4,fu\EFo*5ES1l.QR1FpPdfGx_2gzev#*}w;jA_h \!]aPn 3C]@(as0ЍE Y Fw򦍈g{z|6,yX9Y1DAf Plɜ BY)>p䟱[̴10JC({IN8gJh)n9C=[2BEʯƑ%& XXuJ%2ퟩ}j1}cX㿂"dPVda,%1Yk"/8y:ȌgMno!Ð+0fXbJ yP X rD[85ZG@ES}Mj5Kr޳8{@n{`Ns9!*Oa=B< HA~B@Q3MlӿmktO>:"DyMnҽ@ᅲ$_?3ݤ>]Tf.0^ 1;(itb x(E޽+Æs(7׻K>Y&d(B 'rf`ZL〈^;h~/ST#ȢԲ@ j!wc ^c"9sWxjp>^cQSqOP\i.4?pIix6G8bd)ĿVQ4& j{BXH2G#2tm\mOk}.yN;sY_4Qx]I O#,1Y[oXHXf+DB> ._ho=2꾋n[?J %rڮm*O v~j˜J\Ntkɑ ^=aY~}0/.zb0OmZ_]EB|1ٱ޾wż:cL2wI,$-v護+&aKP9'Zz$Dbd^CwFQ:VڜYH]Aa:ēZ <6'Ѳm(p,|y X8ھ6Sv ٯACҊ7օ1YkCAfpRz&[D6~788izkM&-PJ)(Y$cL&qk*(v8l6l<5a.V#NʘNX4sVxiY~;hlC+tiU)J?bb:/#z tqʈi (?6/H)R)^XTꓗv:CH3Pcl,W4O%EmƻypYuGqЩNa W06Nq+.Y|^a8{S*|z]l'fy@-+>< 5Dj!zҍiYF_r7=VبL1R-oriO8k9TSA2yL (,[&}4+>?9ѲM:nk.$4Fg鳞, ٌx8Qr>z"(xD'89T[t/Dl[}dXxg|0 ~tCΩ_Lmun)b2?UQ|i>$KA((CPK@#N }gq7vHY%rUDAZ—bgxQNrȞ#zMOEoGFٿ=w:;5* ^_ܮ__σWҋxk[XD8G50=O^y=3`9F(toO|ғkDo9{[}m=|cKKi ^E/sŖ)WC:CKSwꭸBh'S+1zܺVB"*8% B{#3GwxF 7&F%`uH BW{sL K l:nt9I GA/͜;h s'&dKn9θAi5a`!VQ=ގ 8=M[r"'8Ò. D~;T@aOt@?9~T ?])% TXU;f$iBC,^0+8)$ʚKH_ZKhg4ѹkK㯑4 dЁ_OaUCr,#m#<sAt)K@$' !Y=|tt|X|@A[=>+n5^?t[laYȱ &7W- #pv<6Z^u]&]Ѽ QG[7N[Fb8vEUG>LِP@3"}, , $ F!,)><ͯ8f@VJ3Rǥqlr.5ޗɳ[-;"̎\ !)=]mQ\#ȵ\!8AuIZx1_gUYq(Lc6u`ʜ.}t|ginK}K;M^;Rjet= 曵څ\inѦz\P ~~V^lYlgHĩgެ%E趲2Ri qً6rcB%_Lp>Men H*5$RM5榞e2G7~,01;֙6:d]Hft0 ^8ſfmi4Su;cX|cȌ"x-O4$ 27zXIf28yZ!6c$Undd_Ӡ_ynO %&{"VcWES7D1 -ZFcҀ-f,a BcO MUŖ"?XhVL,/ $Wa {T>˔!5Np:Q0(S@}8>>뒳֯/*)+I>\U0w>U3Е4Ɖk1q\~l: d" ٳgJi:5mט-$BTb|WlZahny.XKh).s.c&!,EzBR~~cAUSBS 61u^D >3R'g6'9q$ љ,JP~J~Bl# }GA'[0B%F-1q()1z-JN!i\D7-ZJTs@zW2LJCR+gvV{^ L*Qm%lZҌ58laJx՛[S6y i_bh 0RT~ٴ[󖏏6][ 6jbV8dehXkt!lTl4P-:)pԨo<|"6 55h홟ߋbsh~bŇ(NjsROumCr ResosۅO!ܢ>rtt-Gw0_ЅA_&!O zOV !\so4&BQ%;tV3}u{=XL LS _/P ʉDؒ~M@+LO3+R!+QwXM|EC(Cvq:6C3jgKGcmWQ$:S2+՘"<.gFc81ueI'Z2Usӓ[H rH h S(%? 塮eTPI{_>3Fs9Z*в͇MxAnf緟[@@^GxK6q2QKݶcӱHyDJ 42ӣ//޷,XcQ"8!51}wwpos3 KNP; К Q0/faF8V{ξ?}SKw-T6" eU ˆ.4ѡ tXyk4oĭ(IO:S~5>%zd{G# 8O)u _%k\~Mcg8/ O%!@;r@ A rzE{oBMx@l"G˃n;h8/_?] bgk%:s+%mpph@c$:M_]#x*XAOc.R2IQy)h3}G">[ ]AwuIZEmǗ~{`m2OMGQ5Psfλ}PKUf5@OzƶZ=NJc!JEM̊A2[CJ*߫?HzH}z~-idu%yEgsޘ@b)}%nm <1q5/+ gu]kd0SPg٪. (5*Pb>]bGƣi5RGOĹooי>.բ`j?ΓdNq}e#T勜hcO':"<Jk,5SDo1q ꝯ>hE Nm3̣wfRcF9^(PiR|@Vo-Cj"^)I!RԄZZ]}5 !Xត:,ڦjX; [=L{$|~oCxܰ+v-MjL+JK(mcPk}N'$DQ}opJKyjF9YΙsU?Od-+\FdEU@ifR?V Y蠒Q^P0MNۛ?t/:dz#72m30ij< q8cB$ ?|3B@(nin]VflT4ޭv;T~@ty(҄eKfq vCy|Rc&.+ֱ=Ee 6y~W¦FȾېt<-n6x0ۓ[/ESv%C=kyH41=a`6 T2Cq(83_7BYҢ,W7Ў:me|[^҉J1 Zm?G'N(U'<((6HՇ[-a.}nȣpѣ UdK a]Еp_'Lp9w bm˻ymQW}Md4]YO<4I0haƯjRuܳq/ߊ L"/^i ,ѹ$87`XDG,3dFVxoC2Ǟt^ ]*urj Zj`ײBY_nHki3tYʑSMԕܸ7.TbWs\e"sל p>žEs5{E9 iq}X.Qԡ,_x*⭋G͒|GhAB %"6և>'~62PENs&2É?>,Z0;Ֆ53@/ Hs[j&/19&2H'/!$N*lu4 Ƒ?`>Ii=W 2UnDIڬf\BT]NPʌc)󤖕_K *U>^E)&i%8%fcK?Ly)cS+*bׄ0D6F vozKNȿOz.#(ЃB_ny=@;,:ӑ1ה#숮S$s8CЃ;l]#t`e|&9rq [AgwKZy MzFxp&VO0Zv/ 9בY9TsjCy| d)2g[/8d4` জi +7 b k7ixSRrQ.YU&p)&?meFϚdׂi4$ W~ǜrwRʊS%jk7V\9E ~bdY jKϕ44&FhXUɧ0/NnJ]T*JG{am0Ie!v$؇{tE*ϷK.RrO`&E4pOPPJrpS嬶t' 강W+qQ}b]R-zP]7IA]p'~Ԁ:pPFIv^` ν.䙯Χ0WrP/¤qAz#J;|HhmY'[g 'G#긃|BoKٞaF@r)+Ili8"Y oi#uKg;.%H?Z6uE3*Em~쨵i]24dRD{(,ʭ7TdrJGHNqk<~iR8RԀHh*\x%8RՐ݁?͕vۄ-hEѓVN)-}\DžeE]YG?}n5eV! 3#B]%eY'k7tlO߅^R%9N>$U`5!qbJa :ݶ( G0k-‚~|{^J&؏Rꭕ4io(_k"ݰY OoByb̓*Y ȃvx.@)%Y#2R5 eAUJƖCS f>o`kUT?8."Gl(U#. {HdzQz0(jdi&᥋hf{8Us0ډug'Dƚ<.'[7np7F8K_+$1^DȈ7 孩#Cr)Q_>sߔӝe+|A&9< v\=F]kw顨bj6k}nDFC_P@4޺$Ys^^1]u hwAI5\!?+W_ycՍPb|Y6!Rȓ* Σ'+~.iKt{Fh)qr.E6͟gkwjrHr*G64~6h|枲#%-hAh5kUmV11 蜦,0$FOTC{o[I9q@?XCSZtCǴ%d;x)05G f OCHfdQ}+z~w* Z?r1&+ɺdRr*'_l>?3X?C UrA>l,-)D\Fߨ /F> ѽal@ ҲHn b@^r{[Il w޷7wq8+ F'3/!>:@K+.c[fWՉtwO-HU{ ,f 0~%K潚aHY#?mr&^Ĭ'>ZN,FЊJS^31L@"M!_آ 9STS`zK *yxǰ J"b7俛u[+bV{`>AE xGyWddZVF=0- _ }a9?!5qJZB^==qNr]zU@Hi(AI+86׍0\|aw/rR\WQO i:Qw0t%HuAW ڛ@Xaun6Q!b44彪%c7gr I)d wS{$P%F/?8J"JE}!B>L',ʄˇ<|‚t)8u֦ԔT³Ala$Eej17S|p.%/@b2/M Af^~~ ⢩nmʲ99a<(YbXv,a&TexxYgn;qAJPlT,"_ }\, \Xd]%c&Jý8U)}&9)PhВquy@yI2y=B]#;Q¸W'03Gk^ 菫kV`t=B.|x)96g,"ƼFFgT34p#up~*9:}8 K tE F;Te(% <3X2Qu؟[شdg`)h1gޓɓI%O/}+"~&g9E#-k~7Y^9`K^ٮ6 !cيr|oGdhևbrk)3Og8%ɀϞKgL^9lx\U =eqj+6:r.N/w7jم÷PN?tV6/BWRkL ]lso+eE\}TcUoSC |%1SqT Op$%^1QWñ瞡 u#\I0F~0raߕk*nQRx|$e:I<^e)H,|5Ҧ8/lYp#1Nȇ6؅u蘍2Puf~H÷7bsT؊,??GVw)g%Uw 2@=~W֊E|g,`LdV4k [X*_ p8UE1Yݷ̵q'Xj/0"=o46 otEFIpq jTQ~QŗȮ nP_A4fRح҈1HMO2G[4+HL%}xV7O!,n`O^uV&p|QHM5ax}r>]h4Ռt:sv^ h6 Зɞ5ڍSqK=>㪜X(nORb j7Nӣ#ZR ;~S U`8po#rBOšc=uZb2%`A?T"sѴQ"8#sM6 flCɂcFbGE~v(^]YԈ-֏2>llU0I,ҫY9.UIwszqf"ե ~C'"\VMk!cPY0ܜ}%GN6BFw(͸(gL`B0tۿ?Ш; ]P@RYj 6nti|s?NV(f:Q1I2.¶u~Y1_J|Y;O#w i5υ, =)rVZf6 BQ^ѽB0Svx7xЖW?ƧL%7ǜ5V+i>Qlb f9cVR?бz H=U3*g477]XgNB$pxcƮv j}ރͦ0K.lx qCˇA)kWW[غ'PV5}^dndELi5h \hS8~C)G 9O>.&&5WbP3K^P 1Nv,Hhc,bn1/ G*XURq/e ~fL@JS=R5g}= v FT:[9Bba[`û$qcWW7^Q6sp=+ih GE7CW"7^A̔(Y@D=>f(=Ku/Xïڌ . )T޻6ws{oNgJa˕BM /qNג VenOK/SQK݀t_Z' kg6w,R9ZN WR\S,]UT61gc7^Co{S Rq;g3Of^-.\gO8y) _3lM@Oz'I2Wۻ Q94|TsG\3#Z"LtwS&3h̽Hcu"C4\s2Y臰Qf;.㇈.)[M|I_YںtO6, ).m(&kjG2Yy;JBj1 '"ewcY*' @oٕV㫸ld^ E7{&\&&O㏥y}!OEDpŦsl0(ǡ\3QᄅMm7S;!32sJDBf@RAbBPm`\⪳8ŊԽXCf2As# E ~{&œv>`/RY+<}}#Mf5_MN*+_|~"BMX䰮akU*%P@4`{Qt @#)-sg71ڏӑ9qCS.MخE`d,CΘeNNF3$4A>2 >qbqUUEc^Xvu;̨ytS%9tq,9c.M4՘Yi P)PW oUrڑb-Q+50sKFj/ *.X8-ECG;MR/Q-vfgn[yax.:aU҄$||?lU&LвxWϥ1PWqeH}tC5*٧jxYb8z|9>7r`oKrg(VtK |vǮ { " l909ђR% :p3 X-AU7m mvm&錝" cX-挥f/VY!H? ۦ&"$nԦ!Eɜձf#BtEړbY͝ư_]?a7m cwL_W|#=FC vZqD \)Aަ(!FbI rBi$H;3)3iR&}Pu<ЋIS9mA/4d5UhZ")tim!W底`Y縪B5 $ԛٸGnp o ZjrDz Pl]ݒQc\wHk* Co%>:b`lxaBM}+1N= ّݪlـ}p6'DQ2wgl>6Bn7V̭ÿRPir?aU 今ld3Wr/|Z7Occ~[g`bE~=F>qwǼkySa0ֱO7ѠmFg^xK[ `3E2$AHs։g_ /0B/P̘9XQlY!?uٶ>v FbV9l ?P]XU~iV+^K /Վ=0S>xA Xn"d:.HCaKwUx$3'8u&ѬVkVRz_th2e;{1 .g޵9[*Ѐ]ezes?.9d׫K;}DfERoʂ! H*Cب{K̿ WJuu zJ1YIV0*%S뮗,;e.;W.#O~oM ɚ2PO|ӟ\?iMB: :IcXIflI웢M,}ȕ{pA2lO.e3qznVbK!%&`a(}  )\Pe"7\> 4a/' =Y] OiH؅ۡ;{e.΃; ^pS : 1\%̤jK,P<@yvlb;8Qs&f;5Ah\bx.tGhSQm3luSW_Vv'Cu -WHlR`z>swPq*Vh!CCPzX ]hXt*h2>M$xcdF 6t+3SDZف^RԠrL~L{|2^|FK`6w<RY9b6YSp \&=l$7GP^ jOݔ o 5pT#4 GVN/_(ڧNp'&Wqerq ,UL7 w*}rS"4.xtN5`n& @o+`J+.J7bQ V8F U!s4hn`*1jwfcTJc){7}f"%vZ u /O8Cɲ_|M՘ pg1A 'h @X̄bOt[@]cؓ(5tƍ/k8FbiG"l%C})v(`p|6:0GY$_3Xm{qVKן$趵,n|FYjF,mj &^Œmՙ£ ˲`D%QrkOpv'Ҽ_T`o>f0<.GGly?'&(B1HJ2ӱhDwi՗,ģνn(i⤮^lbLAK5"^1Ȉ#=8ghr4cWDTEu,E0Lmx_O8ۖVE-6&E {q䱟p`l3h U&/@/pk͚؍=B3ZNUr^¦1W3 zN+<45ucK<ΏZ$)d^M8S jp{ g damDtR#F\jJŚKsu0)ޛK\ګ o¶-mmWMȋpeqӘ󒒍HՋ_zFF߾DpD[ Vڈ:vwa7kt9ڽ{9^U^=Rcr1l$ ^tPVrRuN޶Ļb"\DA'R$jELS<٩Qؐ'5[{%W3r!> Ꜫ ew]4b5!? :cI];ڗ_lQCPUH8`K@醙/ArAoAp;*0禬 yk+nV)c9njENn6\pHv؁=H~ZGChB$/CR&?Wܽq`;fߕ˿C/JaG1Mź8; f9W~TƅJm l>"r{|ap{[Q+CR_ȵ r'*Lg9ABc6^ǙX$iqz|u63\ h}e$'-b4K+k }Q,/}j3=y ?O)>Pl̽ڒBC>Y`EE;}W]<݊h/;֏;E-˰&!~یɚ6 #:WО;5Kg2(8u4 &ٽS2yfWNXr`;p&z>FjógshC8&q֭.mO7IYcHtuɑ*"`w*WMȰM ?2R$⇤º=04]%)EɗѱAD+ҎW55ohڐptb<kH SfOG5D -SK3P>YV8 (~)d߫$rӱ"}"\H %CfY ]S1ұ2\룊]{am:ΆUI^`[юkNv_qLd[sdG=/2κDXLd}'s=av ( ];%!!Ef6.:C (iԢC]m6OƑ-kztcB\>9fG,łĭ RM kAo*i ],!JO6Md+ѣQA26V%~Rv=(߲ M"?H0%Yh`F'T)K>Ph+6ߵt̞R'&@BQ4q`m [Ui:r@&;x#_N=MBwH(!M'=̂3lp.g Ms-# s"]Fm9! WՉO(@&~,tcg1,CJሶ;I{U(/h!CUDQ$N7 [1B3!].3Ež"6K/fd&OPEsW'ڢohoJ\ "r̀;\ޜ^]˵ 7c+TFrXOLMlsNQ"ϿFm ?_kMʯ$*m3:ؼ`if~icEqT&* "f$ 3$d,Æ\jL(35 1o$R|50!1 K|م=yGLx#](H%6NS!9O%͊{op#'/gd &xQG5T5!@~B\+="%:m/)&#?]0|W׍PZ"I:LunVWedX4\ΓcNiTb \]gP3}Xx@RRizh!t$36S 77CcYވΰ}6т, TK'ҲF{I\6vHkK5: %o/ɭj3ejoE_oqH!]t{GCqB5 a> .E#̇ځqJm#G%4%&T,,B['?lks;{^hCokb!I/T!ʯ[*E3?oWo&.Z>侩?5qP88kG|x^?m 8!>5D h7IUDO#Q{=]wƗZ.]/ъ<;%a&ؒ pK y3 TdGO҄g&ҊΔڝnH0*օF2Nb(޺R{aD&`*$`VrXh\8٭jC#%Pߤ/!rB[X|L*I*SQ$F%+2](gpP ;$oBR~%E$* ϪhlʒˆH<t27!;ʷ mQ3G'̯=]95C|'I_2@璒mw3"=W!Ƴ/КJRFt2SWr]HTSDi̫(Z@ Ë5 Tu5H!Z l $.2{LJCW_n?gfkQ N|ii:`*:jνʜqL:L`;| K{;Sc+f5!Ӳ$[C<G`.LC9^(`3 ¦B+-㨉\|0=B`Vntbz97 `&B[!W.TT*~eM`?RșA$1T=haPAWUh޿aH+Ѩ"|)m%\ Ty! (2GlSyl,EA%0Ifr-,j %Z~_ajXPWg(*qnfF fAY폰WoQ?Yϔ//UlJb Wd-.`~]^AUA^зؼOevGLm^MR;x'\U >Ro~M# TUΑw{95?[ٸE1ǓN'vgXlHnsx~L5}s5+ /Z;63Ek\I:jFG#|m#SR{k =~m܎7_mʃjGwPVNQڧx3>]^| YgKEZ^ p1Ocջ \3E |!Y9Y&'# ="NY=Uoȁhebt߅^JeeKH~47+Lo;}zp2FG_$?=>Q+z=|3ˁW{ۉF.;y 4]NҌwPtm+C9akDF|YMt9Wu~4/%ꭶXMDb 0﯅v 6+)ZK?^D2rU([ɑS<<3`콡5I@}9 {Y@Ӵ ٶWQ\|O;gvM" A`x_s16PMF8aUo >0myuv-VU8f<&A=L:P{1( |;r>`4jfz8Efϱ+>}8xbdr'POM~/Bor5G]05'ᝉ

lQ #tȾPcN$,AF_dpO5LW44׼Bkѽ۪5T)^4Kp}ބqE^/po+QBp3i-6ؚ>UZ5 kpÐfDAoms#q,?yAY ,NR q==L5>6%UW .@bFǟƚ_ rli uoksb`󿆵Bw?Tz}9|.>nsmf_KU/ d~ E恇îBL됓c9o8iG^@$q.zqs3/rNUŰpQ'2 glx;G2UA1@yqjz*_<xG&vSëpLVLS00HJo{gZMls:C>Y:ڟrJG \>㪚6D܈aZ+@qU <4 x!F{ePr98!Z 1mۿ$ `[g!tFgsj _=z(fuXlyd+<[Y ~Gxb0ULtiK\&}*W/2(B4lv_]YH-G]*T>g_=.$5mxكL'V&}s360pԇt+nں/gl?oePeU |ORj=+ p6T-s7j-${sמ-*['  +nysFʔ(Li|9X d' }b vƘ畩񰗼_VkهMǒTl͇<&j'r8h q" CpIx:wZGDljҫD%^&P1Ll {5 ad/riDm,<"~$&xEfRPKQO[ob#VnS^@S^":zbۨ"PzT/}v+ٲ =} I=6Qfc j~jo`o U~J\ fOFd_ٕב09}E.⧽V"o繠W@*(5'&cm8Ȃzț&]޲H\,Yÿ+ * 4>W1`8)rK04  ?zvY$"mkٯx\{U?Ͻ}L#w^N&Z2Jz8b[(](^n-TM,,5_Ttc3){1ń¡nJqx*Cݸݹ icN dOk#Q]dM )={Ϙ#U%ll9V.POZjFLY_d8ѥf͍X?R,UE07,+jek .J+ PppϵHC)/zU F# -ɴ5b5pEnN^GAggZI'ܼjr1yq:)i05AF>3 Ŋ2o}=̐ N,uYNg!+$2f_ҾDm\C, ` GzYJ;;8tvKǕbv/%a#w$lINGhNud˾]3[#InFC-֭{zVΉ.fZK~>SIpƯoD EE'|cmeagů`9۸9?Rww'=303OE<6Om fY+wB#W 81pqLTp0PT6_~_jS)دD|MU=OS~ ^xX0aӼ{\p_d܌WK;c+&]OuԌENMŧYUFm˅'f4Gĝ=+_ $,2U'@kܲ' \ږow*BG ب2֪tP%/s;yφ\3 _馡ax[@%eh~j>eiXk n%B %"Q2 rB(26|];7.ogY!7}3':R@\83;z76:V}; hvzc%ˏw Cmmzb?jd{ "ejhnV@".󯸽Ao4:y۩i"ᳪ>Z;L ǣ'rE27OqOm7x|Nm#gw`ClIw߯!ln/zfC7'\^ `Due1١ ⒒i Cx4r.6YQD0)"P6&kb E̯ƃMw{gL#SOK$1㦊;?) 6=oiBC~VM" A?]Ʃg.jw x[0lmw{7fy"Jp6Hbvey_I[_~A>lMڹIZDR۫`ʩqq϶ utY,}֫ϘuW$Xt/EwF# +יf/]RQЎgѾ3訵nosŰ[3#3g^UJhyj=0ޛ_ L[V_`5RԄѨ2pODp#}.rUeMGD0< ;w Ԉ@<#EJɇ5܁l }8*Νcfl21RKE>爙{QC#k sQb!{S΢XX%σXbsdfb $unJHQ\KhfY}ATiX,P |+g^5N~n s[g{k;TZ`=uoUKK YKxz;)˥!dIkVtы`ꍇ`F^ hܓ>nN+pH̺r&CD|)j=Yc䰴{[>r 񇌴͊y(ϒ8.(v{]7ø7]d' `d=vJu42-B/Si;>It xι6;(0U<6(YBSI%,.|F#9:<&(DOmO%)ELl =[u1mJUY5Beҹk.v&ګ7ђ, V**3Y(_x=9pms\@2Zm(IQS|-N#P);=J<)q}·+$QnL!rx43ČXY4P}Ec:1ǛV)@ѯd'1Ѳ$舲v5,JɋgT q 8" Gu Ә) Kt߆EB!o9Kﰑ<_&r2NjwY~P>ӟkC߰3ys@U!XC,k:P8rb^  ^29H.xfwELhѷ[NstHR5".0b)S P/aͯ#'杍7ׁ~2cb=מ47}3}` IȢE XW!n sNB8݊LЎTߘŹV(v0Np#6:[5J^oLaKȰ 9cOPjR >AH e.+Wpfr3̏w˚ɀDi&P-wpA?4&ǜu6hJCrݾmh{$\.Du_\)lQU.9 XZ@ sݯQ0:~1#~@7%"ExDj]>=MW*(=,Y)P~щ2rqˍgY=@Dj5>8M"h)2N8ds>%uϯQHmL:JA?$M,3>'2=L!!5]uNQT޻RfSfvDmSf[001W}xg.Vw]Pfxq&/m2/L #y%2q-?@ oURXABAtcNj b312/ ԝ|*ҤsSK8D<=i l%\#*&#Eo:KL*>eL^j/mc 9ʚjXEKxSr.4B_N`tGN¢Hl\G$&7\?D |)t]G}39J`L8@h7bDD4ҌKDWRj,`*3.mxx ֺK|y ND$QB>~)H>İoym#RZbwnp3ssj@_r:̏-l/ngC_)nwyO#k-9S"- gAZ=uhQ@uGo2 ;)#* ¼ݝw EDDrYy.~_YAŚ:Nh5u! +2_tn߸XгT@] (Lk#- .G,'q?q/z @J?g0H4 ,NiՍy 4IZ;+0AKGdb>KxCuٳ @iPVt.riKi1\Z4"Ӏ}~ C3P^an3)Ĥ&ҐHa :v ;FHfyϻyOGh{,IzS>ڋ2U8J}Jސ}`zZJ,vo3aS7/6{;ߦP1qIzң'Ϯ% ea+K_7m4ˡ]-뀝UZ-DCW[llGi6h0 H |syIǐFզ-Ӂ t%D8b##i"NfE[rq/ gsy%UM"ڕrdmvؼ07oUrpi9ioq\G-Y7x~0Fx^)Ks!Kѳ$p{Q(Ll cNQ$tX!]^-!j3ՏɲL!ў`QgFey= @/-<5o=Bh =/|q˚xm *q60 Epzm-!~AA>kªw; w1=?1z!PgH|""@e-B42Oc>{숃 xv; e#DՓ>kq46]hJ(UM|S|uV[ ۠f\ܣz8FN08o0@jG6[KIa R4,yhjr۳w?AF G&8~L殪(LsǂO[Q& >ɥ)\#q0sm^&|$Fy .):Eӛ~XԐzIŜuю͐*bL&;zL-@҆_j,UP!Ȼ{X&,K L :!?Ѯ"!S2s;,3&Kl=p>U&s%:fqHW *OTYMr{lA^)ީk {`%^q%`\秴S!]n9~!$c&T/zՋOi6p?,u}Qn@"E8oy۬]5Ed?3CL6[hm%_ih]D.֫jjs$.]Nª^[ZWlE|@L:NP?O-RgXFF$ۂ 6{ X7]ѧ\FnkE$"4s 扈Ozb~PJHᛦE>0ty&/fu{}k"ZX4? {-YɦuKzFo k}JɎe3.zA9,!8K@ ,ZQG╾v &oútGk1!^)Ikz䊀دY|U d  0`JQm>.)?_r9vjm*ԒE!\%{_aȉVIg,EVԶrgrY"Pz;Gy&{ؼޣ_!KrBd{c7bvޥ 0 R&< 1r,ijZ,"W'VF(+ dˠTj4cfBmbWV J($=e`ƪ9^Џ=뺷Ѵ} ~aXߙd(0.;\\[-hȗ$eUCgξ{ .r<=8?$Pgvz5^"4Ѣ;4R<>- 5qѻOٶu)2HJߩGN0X\Ufnt"Ms%$l:Syv3y^ xiq,txĒhʝᣛϖCjDBh^I}5p$Wgܣ!5<;ĩIķ`QCƚ7@ׄN>X'g%(BժP@Y'!UȠ\ j"kxByM#@3 g,p0Sg. E34jODžZǑ۹NΙK=`2Os)}-X/Žn:QS[lhZ`W0tuS1 xӲ9~!Ovˋ^fdzmʱ$:P$[foMEJZC0_ 4OT/QkN+b^ /d.d}$~,ZnV)=uF(\DŸ',peq6yH*BM+K)NMY,:WدE\m`$߿w l1t8毛l?ye +Uo9A,z#a7Gua6$bTZn}lbr/̋#ĊGEbQ~NdWA]<םY;=rK/B`$4NY"6-|L¸ (̶o(2_R'b L8d)vѿR4Oqds޳ /ʗDX +p`FE0J욒ϛY>hZ]c!=ӯwwok)dr d@nK =`ǽu`:Ǩ2vxͩPLޱ _jn,d 0kI0E I/Bnv^Qn,T`*_3CEE"%<]Q-±8:rp t,hձ- lpuUTgo$ ]a/R} o܎_β_ 1,貢s -avn+Jz6aƩ6y3] &|fABEW&pi8XU6ǏkdB-`Z+vI̎ N{y,D9J=2x\h~N sl峚Z.&R%V?d[7qe2i_pj|!>Ս6 q⽈r7hɼj_e@|{kכJ" le*2n[ה40ßЖڅ "0+#f@u%e>|"$Of$yb+WGDcHHƍR3x-h,2ͻgs<4&Է#Z]w̿dAqVAn– 3̉'{u%Т^ @@W[ff:[^+utt#LFe10O"X${&dC[%,R-%ͥ`~^X&4a<ސ oLC#ju;^SkHp{+ x|+ t$lk_+],|h6e ]&  `WlM55M-"啕Lտj# ޑNZmkJFͮ䧦ukc~*o.N#  h /;#it̀uҹ&*8o:܏L^an#)NU#Pezžh&ݤqW5atۈό63Ol"!\DD3.^  Jb ), UEWX{4YH׮/t(A6,(n{>E> ˱0 Y-8wyS?6_~nS_/rA[9^4FK3Cy(]@iEJX4X(DW .rgKj&`u`JOX)BԩٱV7xn[hf[dk.>f7kw0#m6x=T<7 *OXgTNZom9=XSO]Y-'|o7EE#zIJt}%ʕ8VWAkkCq+⟕Dy⠞8«׿%Q+:NԺa;g˙;7g7Y!y*h{Yl ˸.T ýxM4q!lZI 1zgF')#F/2&̗xG>/xȔ>JJQ6cAyXcJ "guqo֐8uŷ@\K0,[Š]ڏ 1>G0>~y W\ffl.>DT.YюD6Vt3)H}=`|L[Ta ->P~}} F6SeWkV\2@}ɀPDraAHE"O(Eݕju0zoh'JY Cߺc$T$Bdp@>Xza ,Xfz_~+ey(E5 rZIdo5 QI:0'` 6>)3[ٵ,JI/A6*R,E (P(J F!:I-ӈaoHg)pLY/q[@LHY~xZ)juA*r>I.+S& 7䙪Q{>!EH-́cߎGRmI mb m`NiHfH!Z6fLeS!fg\7GE`;Ae,cO޹inIci8~3{EKvW6>Բ>Ix4ZH1Ĺ3.F^N>E^"0AM"շ˱FRr4cK㡌zר<Ai23(hПޫ 4qA&r$T?[lMJݮyu'4{@ПW(+dZ21Hqz]E![8,Q(da.jx:wJA 4QIfaJU +)BׁuҠ6~ c"1˿d6; eUL ] lwo((<6`<^2X5ߔ癟*g9yu5OoRm.lרNrP];x0 sN24zc,0tջZlp5;1< !:{o}D&dJQXLZӯ4sAb7d qTm{._tqdGka*ebsG *sDZ<~?;yzé:a:\?0;ʸ 2L[CY7A<<9:l NLRA!'}d>hg1ƪp#PE6KJ Z0!7Ƽ3 hSxL9޾GD~7φ1 &QGy)uA2Bsb<=T;rDʀH;DQ o P g=`4L@,y:(BѝĨyXpQ8%6R/lVAdD堋 H͹]ͷ6h wbʱMC Q ":@P$񊞍G,ߺ"G}i NwC=,Ko xu2B2GW 6qѽZ=0"nA3e9Xuш[HF1P<ݐ9j<ӜG""\40_SL9>{: 0bB< 6\6Wo;;U#% cpһun6EMk1pB)1;ep%:'/Q$"T5WB;aTq{zxj2i<f0jV3M)w" ,]R˖CH nԞICFS2TotnLy > @>pgu-۩]k8||d, zc7r I֮`BU8n K!6*6l^;hO٨^|lR*膂/ `tڢ!eT~iƐ UW>[#R=~-z}T8%  "J5bIUQqe:c'ٙ} eCᇩWb_ƙPm-˙}w])n6kM%yIH˼zo;wCJdm1z>Ac_ͷ -v]TT|QA F00E^]DvUFi¦ܥP2eӕ{~P*W5xQ/zR09jдjlΕK 5t 2_ZA֗fÚ[=W&X_]U3U!Vϥi=0 O!cJ0Bq~KyPE+K՚֚^^vW1Q|W"xh;cBGPU)? ܡqV ;v,1#6^JZ{+sߕ 󋴭PF~m8|.VĈ\3<9%Hnɵ;=w7$F pb%vCG (<$Lu+ebO7bmB\m2RsoWHPXFZ֩E̪]g3vtd9&n* 'GrEU0GʊoaQE]jxr2 p0ܓcLg&9'LEJzcdžf_A7rf ax}?p!le苘>mt2GoGcðMo!e B5c`i{no鞯˖_͢+Z>4ѵ՗/Fk̯ɣJe)?}©F _Ro@;^b#(ϟb Uq: +ĽFhIِWaRjx%DpJ GZI+K_5Լ ;o+3X ;0UI--+u&GY*@r*4ei'0=^CҩtQ lreb{ C٭6d#ZԌkSzEfgǘ u[1 8 4U}w̉5Zkir2xۆu{x:4>^"M͐" =y`ؓyd1gibK)ʱd"S-[ֶi>l_fU /K2+W>v\a ׆;CuPPfզ,H1qPgBT@rkb8j8N}+7{~{I3)%}Șg{qkLOĉ1*EmQr<Ԇ 8誢7(m ym S/X<\jab,L <+{hFZB7BqX)H`]tm!OSwꆅv M}S#}ĸ)*k|QkW,qLQ!u~dHbb\B3)ʿ1CV?qK9 oT +E\`5;E5 _ž"3iغ' oLDs]^*a%&/8mn0&OX kZ0sڊ(%.fT>1WW P9ئ|'$[ Sg I3k??B7bË6KT&Ha׾XTםaJg Ԡ-7MjE}T.?nd|Y}sU޸HɟUu!VØgw(pKNɱX>ʕҢ1rC乐WYD$󻳦wHy.=}6>RO?b[yGCԒkV8y·Qce>쭹V,S m`b*D0h?Y~]+y_7G?U64VJڅ2X"w_yVDr# tMC5=0>&FRD5+Q97 PwbڋrZɄ.Q*MW| $= @N'&k #n( rX Lj^EwTQBw+Н&P{w[Ksߊ50bTipĿMnFI#@VX%^b[lVu0DsW&}9 e @l p#Upiu+ͱcN:ؾ>τ!3x /w pXRӘY񁼲ZH1$٤#v ;ϲth6dp!X*u}|;盰[ASU% f$8a*#DEY8pjj-{qc+?0%#`& '../Hz0 7ׯ :cx5D&]RBa>"lEV[]>YPӑ8p'vUA|T/ < vʊsqO?WYk6x:vWQUC4P7lkp@:a1MV`9וF0eЕ>}aN|by5#Y2$be5~n{" ܣC$g]Jӗ:2\X۽\iZJg{!tu Xwi#L(k.3fL꽢S#n_6t r_<)y5`x,Re!@2x{΍mI51:T:{R+tp 5_.@JᕞgrMHA)!'kD*qǹUjn}EðGmA|;E\Zx$FYooyJ(vA^Ulއ&=`P0\Eb ]/ū:Pĺ_,,I=EY3.Tk0<4s>gMhC!iPuw±Oe'X^S\ˊ_( ZDK8Qt}`ᐫK䑗*xe s?ԧCbi6b-hB`$Qs\)N[z=}h7jɷ,ޔ>ͽifךPpP%:ʹ:A % ,EETdOQ<4\ #yr@(vv#5L7K\z2^zk{ 6k'¸\zR Yܤ|TEX#(i&ji <$!}#:GAM ɮb/f=G{H)P=m||̰a~LMǖt3%kAH`MlwYz3FJ؜DHE,@m?V_cETj|~=UuWc+*җ _#㹒u@58:v_k:CInQpdJãW,.ܗBɲ`p2r{祃A/|R ,d7G ssxHzj = 1{Iaq Mu]X1jPw`CncP)}"QL>@+~5f՗zxh,ov/JUyG%t}ˏ6&z,sIk%005O5oЃP9E9Vnؙ\9\ =oS0ᮦCf=]9\?F4~Ƽk, owQ& lhΑm-˰Sme-ǩ*+Yʩ17huF"6!z%@/ PDx^v欫%ϒNW! 0h]RۈOz-8CqsE?jM\KZEIrL0J5I5x\kbtlJC_6AOB.w*W.(^|dc'tiy/'q&Z)r݃%]{j=O^)ً_Ej5xҤej6OXr#R^:rgW4gHqI7"d/d @)UXQtZ- 3t 4wVqEOg3W̜'}i~sdWAjS=?Xn*9`~خw뼒)txOq zӧvEiLCq} 1J, j)N\贘ԃCU2I16H̫{ӧ .C|E[No5 E%-5:khZ@nVk-u^FԩI_ -YnOR]lNrBϳPCޓQ Ku܀"M핯3 <;^RhGHyF\sWQ5JBN/5yTSc#A g . WwD-\1x?eِ (0'h".ߺu.n؝}7oȴڜn"@ ӝ1;^^u?X!,s d7Í픆x/Iq\eX/!و EjED@1vXlևvhW}D?]/[Mv賥(habc>T}M\ױK¦}L/&~kQT ~8OJHVZ;9d͵HW+5${ZΚbvam,m 2 bB{1*Q%*uˁbx3l%9LEe?FU2I n*hުX*%a0g LQԒa-9Dyt["1,66C(k)ެp% r=2ElꇄVdhˍMI 7P4f@<1IfGW謒˧7_lؙ9ڠ`&fiGl+o-s]0|F8@ o<3".&KRпR0^[]GXfY ʨfQC#t]/,@QSvPB z8.諕Oꖰz(ymj;8Ƀ.H"^u4w3>˹*J]z&39\Up-54Ze; B?)MqH̤$]$f.vXe40Z(áVr9rw<ʾ\cata. T_u|t㝑?@LT`_=i`.][ L2NXLmt 3Q8bLB.r]9D sLFW&ԣZvuZ倡xcAIyCƖP\E*o(%Kun@q*U L!\V}>Q!ۨhVm~TTuI4]/RX+xC_}^+6ƪVHoK*^xQsTE./4l}g!}(*؃dS8De}xQ; _s4\xg[X:9BAHaR(B) ǗtEq#oaJis. Ec`W+ZS3fɌQ рm>! 3#uVen RZZf@h/W7ۛ> z.7d▮jnvxjuHUZbe} Pth(ND ۛح.5#p&@•~3  r1S*}j9RKPЫbG{G?'|D6f.B s~{qz+<%+^uUb KW 7PnIca=`hރ{A#L4  K3jyk4_-KRisэ>ɱalk|= Cya{%uVqkѿ/ȕ } i_v$==y3?x%gިLqg\"nicA<>\uۉ]om@|q*dϤN@cu5dŤ$0}+I5I?/ΟhUXE=p- c2|2>AZII(/ʸJ#Dk<0 k8mfts|t$_3f !_=#vJ@oI)bn Fo܇6(s !7@3c7VV .ie_!* t 'V}LǩKiTtw{]6UJ5> :*otxyUYإ‘۹5TE4mevџ ;?JKBVs72c,u(tA{ﳫEZ>~Ӭ m䄙jлd őӌG\" '¢"'++MG&MJ/ kT?:y H5ǒ.DѼ_| bM@7Ң%K[sR([Uԧ%I]%}UC%;wpwL6ţfFÝ'uʍ>曠A&xVy| OmR I#eoc1lvϱV_n \恉3$ *:]Rr9"}-/:T# n]5/4;7‡;-R(Co?$R!GroBW3@6kae#E~q(t,Tw+-);r>䂑 O&I\5ʟus~OF ̞J/yޯb=4q:E؛ɧbr>taWRđu#U[HAļiIunx :,{ioc؞i7H/(E7'U b w`G;>D0lߎ8+涄Y*'p?ys~e Tx@ĒLU']ؿ?Ҟ"[:ݰCwtAa)/|!U}j qa|oVsMUkyrK8}tNlC:N^`Py7C XfgyMUv&! _43:5MT0KGаD2> z *}Pg/ĪB1#ioa#S8]M,Sڼ+ GbA细B0sc;S0ļa(>b Ja{Œ}(t 6@n* Ȉqݨ9Ŀh|dwVkޫ^kB#|DW˖܇;->EխۜP?, QX-`l+.{_hY)RvNqȝp8Q[{Bj:fC\xtS}0f%,o3fa{k{Ƶp7-p Mj6 ToJ q.N)Qإ!)((<3pV| <`< B5C1yS!4:Qg5 S&?s5!q K*R.obAIi@bE)Y4dȵ/o/y8`q^|H:Tw@1dO@#h&3ViUٻ?}AvDEw1"ՠIYn>X~c>6|qd/ wd Kɵl*-ەs9\SC s[1 ?K"#+cXJ@'!JAlu/RnLLXźdfL EfcwR 1ra!k=TyםwуQk t>( ;rZPll3hp9Dr a miidE,T{ pZUkb>;[Ǥ^ ,Z z=Hl|/Y;eFjȃƒ-F_$=},5ANDZő0 Y;v@$zn^+@1 #Y"cտI:2/1X' !q˼KqQs: DU,Vk&nVp6}#>iƱQ֒|XIc>}qcKXDDX$4&{}QsΓ^ K]T,@rTu.>wX)>V=:%~̆WI>8#3A0-3IztNɐl|T'TzHd)#8QG:Feܹ{vy`L'<+LlRlH߫s.&{rw|y\. 4oo;n@onrAІ %XgIZӆڞq jpp22 O-0ҏpRg0\ܱވ-׷=h\/nBAp϶I8d[v"67}Mf_kG cmu 5X%%OW7&,TܥGZ^٧a%΄m2ע׌SxVC.b~k.FQ]d*%E))M8t$Ġt s*PLJCd[I1Og3v:0M(6}-A_b"j(`8ϸC\41'/ ~+흀藪\NpK\FYJPb V%A| ``jQEwIq^&٘/2:volq 8|wu\"6c-EOvS}WDǃG[myA9~cGJ|~][g`6~^ ͣ!EGF–ϐK}t1QBLc|dc2| WUxI8p]k_iQUgmvtNwfC >4(=^y8 # (PӠΘe%J߾d2žc 4.~6%pW$Nw8zIwa<8ZHw`yO@に+||;|CDfO3i{æ +K+dDjDNē1w$$; l#kIUܹ!J69c#/HnEU|xVg";8JĔ^̿b'jQ>u#A&sMa-09`i RyMT@~УUu aä Ş}G KF'eEȭRB ,z(.ͱ4pI*6\7Cp j%>."֫]1lQ1hNM)P5xW-A~1}* Gu*0hI%r nmhn r,)CK`XkU2~a/ (}yf̖  BBrNo"6q89X>Xέ>UOna5_dz/^jbXTK:!wzd61CW%0ʅr~ h/k .+QK/UO*&À<)繏D,$K5k$򑖳)K,Z'̄ل5¤-TT%{DT_q~ E6Mc ӄ c|lc e*ط K#,L4.)0z U(;{xLuwPwLL+l1t^!*S+Z fp4JϮ^:Pfv:#k1 5@t\i4fc [v?T]&O5Xp5NccԹZWO*1ppC Y4@e Y#k02S3ٙ@%0cJpN[c\4H ? I6@k\"obF`+3Mt{bȴam1 IҧWn8*L\+(T@4jr9Ũ8]>@*ge|!W9XdMP: 9_g.,`ܧVR* \6gJ_`\YAgB|22WՏ܏B 7,,L?ܥmmug>eiLJk(\J~Օ2İ `P;%ًdNϢ^%Fǡ xʝò qB׌dgsQ{X"3!F 2e;;mfiۺ#3Q4%S߽N@h y>RJn!/-(/M`mDSrs9QX~tk{$=iv_84 !>ex[d"XWw_sZ$=-[b?)/ b܌y(䖟4e`pHv>)8l Uq~͊4=/9K4OK!@8Vy k}^`7hpbJ D%y0IF& 3Gn]vyj+&s|l*p{WmHǞ{%@a/*@v'vxm1.rSHʓ$A!k;@LTr)Iou+zo(uֈ.MY^j 0 kV.^.O?NbrWA $܋43ħ }pYdL .֕>Df :Rlёa^Y9I c@ϠV&ѶWOz/{hؓY]{j5S;#  KӀA'jCmDR{Fc`|˫h!.g#U<$eB\B|K"Ɔ}رrb[/N}ᑺ>zcEw` eFbxkwJŭؕn).2aF▧GLˎt#C+VDB #fsEچwSoյX'X[dJCʧן xJ%b}ɡ "Om٧nE)p}J"n٥E"=se]>1sO‰G| TfZN^BجxϦdY襁GQ;D::N|3M-pfE<هC.-ܭ^hٿ-װ%Lf]:{pCLdGs n]|ʁ$~z! ]J\k33K-Ul/I' :E|ryJyE b5[؊C;ePe_.W]AOPܙj:>gejB_ W_lTw"2Z<}` ߴwV4U:Ӗn^$t%M~¨Vm^^$R]B_W Wܦ P@|_:KVn`\|*̀>kR\ Ql]Dm^'x*|(iHZ z 4PoQ@ĴĨ:x2dX뢦;ꐄ_{ '5wH D6|ǥ DZJ 5%,#!䮠]lg5d%2n'#G >&HM`=QՊlPh1g+5{ft=OBp'0@Qқn/ҲCBLCp3Eiט ?EUZf#|軞jBӛF ) H3&ǜ~ki?H> Jh>? DQI ѫHT&~ v\^qaTh.YIvO'LESMR\R[LIZY:_Fѽ9@\QLR6L0.ypQ6^G~߻A3͑&sx\Wk,/U7LfP]C\FDAKaϪ*^t f2[ZW@K퀧0%BD@/Ǥ$|a)8;%-h[ϞG|l,0͝QtM g2Y6Bg)۰Gf]dfWxJa7"fI>cudq@McЏ%:ِ Vs#Do^8R>Zl659VxXv%[Y╸0>Zw9_gEs/}rŹvcyaj*zۜ n܈w8Y2Ǜ;(!gy=^']ϨUZ[šW #)wȄc=dܥL-WIJjl7I6C"Os{Õ3OL!>Fy,-;p,iBH qz6GRMLJCI8>oi]ZdGfUw^OuEy|6)U(\\|hE.Av1Hso]}`N,*TےԐɫ& l_wz0ҁg3l"x-FGZQ jn<&G]+f _.)8bd7;N4H@$N.+JDjQg,!KqȄ~Qvz 0!ˊi$FG wx1`}sԅY7Nі'Q žk\IC7m:9xߥ.L ; 1&rO$ NhMl&$x?O,Ls*`iN4 軣 `n☼P\|R1Y'?Ql!.@8eXP]yET^q(3h,le"jD+,-Վ,b 4AlS,֙,7Gj?G\QaEȼ3~v`$@=)bG%EePOMzר fo">0S+ P,({oY.dK+6'T(IG޿K _YIftwMIjDzΰ(Krƥ?IG\<㌊t~ACу>rgܱe3UU`>Ny^"ȈvEBe&:-9+BPddXm>Opuq_UAY97=G{0' 쾓SwK@55 <>c|0gWט-B-zo0~!'2RI36rnj9gwxcÞxu(ۧI2^vbJpx ;mwLl@3K WBP&D#!AI=8⤲ẅ́txH17O߻/-A+l K-K 8҄yRkֽuXn.Դ;]43wlj/L"]D!.m.`*nVAQ {1q.-k)83p~i_1ϗg'ۋ6 ~z̷BNQp}$^ vcVnC_s#H`F}12W ]!L|kIƺEeKoFv;%+)9$t9UZ{ӫ{AC@w@lAdV1(䏫3W$!cg:F=K$Gt7C 8*ff@S YT}h(-0}hl$XFC^hQdB>Q[& ҰH3([4\@8P݇WiQaudPF[_p9]~O9 $Y06%=TfZN̜4* 4$K#G޵td<s3h$dkksu{gj)mòQO_pb`۟x!`I[[oԷ *P| ?PǦ-ʨٔޘh.*6 y:KG36rqŊ[EM9oQE,ץ ϖ=ʯ'ʤ`bR8hnaLϋI:R햦);!efu cYp/eE(9J90_N3/yDY+p_΢#C#\Llu0+UY6EDLܑ9 ٵHQ_#8|:Sx85SX@~ nx|ƫR,qm8wb x.y r=ƓRٟN(ꆠaU|h4%qizee4| iz-cr>b#@.ˑ5Wyشvns] 3%?"HeFX\>+3yA3t4YgY\'TkUp1띜3lH@.- r]UKw\3y*rݷ(\ ڰ}a(p\`˹ʃ5n BA2!ܗ_'1h qXvlH=`̙qSy#p,N/NA$"^_Ɗ<|mJWNN [i"o]B4Z,-0d$EU\n ȑIBXAHMt-;\-ZU({3ؕo燊p,#va –ćsSJO'♳盶n}*oV`TnlD@?» I3?]C|{- ^{+1jV%\D-_Μ?9VY, ̹]'1ی7cOn>&{]?9M6VqfȲ+d6Xऺh~a(؄6SGˀ[Fzȷ 2p-#@R.:6NT7?6.M;ĊT1-?,%TaesJNf@KTǺzn#&yMy8I 'Ëj=y}zt-Jtq fB3 q=LNC-0[vv?(ю|6EdDЁv:4䴖NQV@qzVJ|T)bvvs"Y jW= ./cU&q̆AďJW@[7$SUW=f_-"v-I Wќ!c8w+MseD m\=uNy;"M%,ެjZ) Fh Ow;}|#T-"srT^nA@mEV*,~#ebu1hciR1A** .;_G4>:2z4 ֡S)H+wr+TiAL-QHiR5b]_%b&?)wu "湜OTX>IP m~z[tY|A~ hXtj1חT'.=/ڰVĢՑcZ~>D'jBUlxT9 ?>F Y+tBK|xڙ3N& &.,N.W5`|妪f+g!)'ҫbev,?)eԴO2t>7}r wëKh|$dA<[<᝹#$V?JycbO98 7#7W{lS-\%2oUͧF)M$k*;lXXsiř3A(uSfUH+;{ |%)ixCmҠ*p(D:5e&P'..Hg椥܌#؛m'La)2x}E#^x,-6>i+Nā(Pv' [ v+ֹ[ lsqnuұbd{ q1kL,py=STqXtLʂ!m#57׃ rӣyzs5a՜[3>kf4IzDa:l`Ro1\DZ1f# u?sh1OX.d^3%9fPavzsT,t9T]=$-d1ō43]$bAq@Ħ\r[3EaJSqR`WQ.,4q!:Lc;6b!'mJ k% LM]k&T;W,Xɚĭ7s7; bo/1_=th+mX}+i Ʊ+W EQsXnf!F mJkEbo&LZYD}ZՅF:Q\'r1-nL_dہt?P-[Fƭw/'x );XV5>ӴM|wm|4xvQ^]{Rs'D,Jփ}S< xIv+\jᲮֲiskQ\L/&=ԛsU ԬΧ0 x9"1>D4VۍŤzN/CcH}/@k(M=]N6) ,yҹ,f!:᧨Cw󴁟5/н#4T~3'`@q>٤(P5IY-Pb,`z)%Dq[E׊EAԗׅnޣcٝzR1dNaܫ|{i[5>9%xqle݀/rLOk)Np<i ?UBw$+\dm@e9ߠ_׀뿵fީ1GkՖfbT"a< L'rM?d&+^}Y;G_ѻqqY+v }cԒݸ y-6*AeML/畵INJ`/o$ ^{u%°'`wK\_k@ra=sh;*_@h$^ө,JX0he6won6 H=3cw+? p'd֤ =ܹfGŮL?;9AWݮ3GNGadB+UTuZ8e,56z8r$U+*@gR1]rKHW=zgfO x}2!˶KsX $ȗd_x{nANu[ҿOԯNNQ)`;6rbOX^tʶRXۤ]ҕեkҪv"l>.Cu`*1Y{&!i1%Gp=zB%zdxjx4όG5@|jR:(<,ЦJQBHJenVBxd3cmEscf99Ĥ;pWBc8,ì>=HW.?@9gTV@3۾3*p |4 5Jh[0٣>|s*^nGȩ ỵHD졣YJxrEb=K)jpKj)1G%vgLm>ˈQ>&SԉsY╍Ϗ|ֻ?hoN3\&= q%0ۥ(t.wƂ|A+izI0W3]2PR4;lYmA0Ѯuޢ} 14c ՑRDzFoko;x'tI#q)YoR{B/$]>Ȍ=6/.)Jo{@TN"ݤwpP:ӆ8qTʗ;U{6I.OǪ8>IJdq{GPNB؏G#ÃB"O`^v}D3~1! Vgר{dr*}kp">|5SlE٠ӪЭXA/X6 DꪾY1aNͫjmQI2}·1`%y*C wy4ͳrT홄ZV}4?2T0z-1)&h"?>iTXj%G,e82(_)PNp #VvM4/Y]"~ɢcC!0wx^$OH&Ƹj)ދCK06IY@wUlC׌gL;UHu,G%|x#e%9V>$E9#>`%w+6⭈L=>PҋCz3)JBv0q+XWaT4Z&GҊA?MA]Tk # W=ZOv>S= [G쨐<%.psP10suU0^1-8|ňPzJ: @aeжG)[5a.+ a\b (0; -a&FF #W<kZ2iQʀ Gr.Aoa-/LkEynM֝e3g-֡bYKbM0?v!:q1 β·$o]˸lV;yTBJ҇NCZEj,fux%\ӆ:[G~A\Veү_`ȖfkL(Ol3*; D..ވ!s  Рt}Է·i>h/#+0#OI:gf-re*Y[i>5WR` !o*3,;/͚aa:UO\VjM]ΌU˲>[, hd*$/}XrWŠNqyЎ $P>1x_l5*{#;cU(vc@hIrʹP^,{d<4΀YvoBvuL-ѩK%˪^̺Q^TR^,jD$tL.Xf>g<0biWnW;MDx %&7{U dsž|=lp,Ķ&L &|dQNL{-k_94 }j,,eI[`=).rwSM䉤V *E@$VE="¦| "Xӏ$!xgk #Q⹗”oH8[ /'o3y}@/3fr#삣`&:v_] ZRHxXN&ِ]#mop̕~fٛ,љ`dhr۴-QOIxo10f[eGvQNGЌ%U4% <#,5ܧc⦰^6@qoRuCc-y/LĐaq><$ỳwPD Ah$4;3ccqພpokgsNlz [h=ӡ=~tT{_5ZRߺU=kiIQqfJ0gdÏOAܲ]c1x@U7jgZ`jTm ȏ_IL0`q MikM'= BH>TWI%m R-r~Gx箨L~3cia3eBB2Sum ]dS;f*h[3(n'Fa Zy=&t:5fa f47%$E{ﳤ\ɗ9./e:tj=JRuL҇ E B.iK;R{V=3295oM7?h%x]${S-^?4~]3~ ]-EA]#bC!;OA{b{hP zZQ!.V]F{kky~KkL5qI&qSTq^4U\dounHA?#L"5*Vz.]UHZڝ#ȵ8\%[`G([{ۀmRvJi'KuVĥnCLH:++bc 0J:⑁l-B50kag$i%G}3&!}dQSsb~B0@IhO7'J QA~ڣNP(? "j <$ 4l7#:||tf$f'~ViyZQSPqNޟ`mɂp.o9'tEM@^s-/\|T!wZC19pױxV$3bX8"Ÿ¯dHѰZ(v RA TjuDƹf(?WֽpA_h͙g2\ $SU["d6mMoXO& NB:%-ګk˦U>t*XWq>bGoAD*lL^'!~8-zgcu˅q៣-̩(fJY3c*Gn8?w:p$QV>m =kiU@;XpEh nUg&-u)mjE&[.U  ATA =Cڵ0h3Q`&CfQH˻gٽg_ Q]] ``vkUl@Heyj^m`WV݅Y8 SK)'YƐ~7lB;4W"9WDN4fFi`kVtǣVYJn< KL˭ׄ\m:YTrfqե5a7 bNC_S" -d8٦j ŀ-P KB:kIƝ6klG|?l\. \ q^(̜6|y MPFG'\kJ #GFե,rt̂hkz$':*;49+$xe_A#w8*&`T*}fLn@cȹVmͦJ #>ɥNMӟp?/TsJR -yILJpQj%19R 3bNI}> ;f{3e``@[A7A6%6Pp+']aeN\!sDNLӾOȻp]D80/,`YW$e%l1:rP M>-4"҆4G#w28K+wGaCDz 򥐦\5iG4]f .ɻOq8LC \G:u/2#[f7lY4| Qw~_v0<႞y\L8g =9o >T;͚#҉wٌ~7ss‘1ES%ae9STw^2áŸygU&G?3_N򾫣l^-&*'7"fC'OÆ++v:-@sVBaj}\=09a$3jjWldd9LU.]r^OQxg^b:Z$⦛ūq ]hQI0HNq8Y\ !GJͯ#pP4^[}ýF:EV_Z @ڡb!y-7gd+DeE+W NGJ fKo|;N(@كnSIwZ1}vŇQ5EDf$MAPцuIQ 0@O>Oj"% ׼߸^ػ s&2З L?]Ҹ)b3'Su&$KO;4viP\_67ujӮ,\o%:&Qgلlv|?kbջ\z3)u=vhf1{J$?TyWo-v y6B.O`D?Uή5P P5$B2QnA3i>AIޚ#jDjȌۢa}, =DW*ZZM K% P-V"0`: d:Aj3uDhEpSډ$$VKGWlz(=WYs_Gzm١(@2^Z⟁XeXyifrF<%R5zNN_~S HH%Q,R8:4Ix0g{,z>];x*Kܡ_ N0ksR3qBVph濞_ν1'{Gezy>(mLP^3,'+Vqd${m3pWK Xb4:uu+砒m Ɇ694D j@qd`GG !]cD-?w(GCH 2c"X^D&rs~\3K[&Oz\AG(*9U %(]qqj]*ϊ_4x7z u wT'`|l#vb\9 OrS@dxj'u B3I]TES~G}x 7f_c H:=h~l3&Xsqm94l)tIu~̜/DPpЂpzC2Esw1VYJXUd3lhr_:x]K2KUPV_Vef(ux˶೮K*/2|"CFq` m%gKv1j襚\.ۖr&Y _6Y:d[8_nycwIj)eu>IӴ)DjUWi_heΉx]jó"c_HaMhmC~6%<3ˡ _9.[çۨQ[ُyZKL D;} œ(tlrH9 I(%T6djdcdU^L@!#0\P pra '6heyeK0$CΗIzcl?3š2]#Ί1W< ]*+sB-Q|RtD]>境O B (hDBjz$73zX2BiM1P.>]}R?03bz!K(&i}~7]R)%ȤڂKY^aAk4N;aCڰB3ijx}`%*".A>Vkg/ӛtüok /vbD36RҝO= /]~FJ >\֥=qSU ?C$! Nuϧ [C>mɝC#-#ErkJ̼boBM +DXú~  6J:R2ZSFcWh%^L'( z3 S.ыXJ)[%O}S# Tz-vIkWy1^[3HR%T _C^Og4!oqTp̈4ⓧw?,*l1*%CO.}{W<ưnHvwwGƼԙk=sI Ƒ9rV+߁g g9 l,_$zSmUNO C^'KX7yV,:7.Pl`T!;YCN~7(UHQ!j[K2JMWo/@/c1ɪ:bt ASJxŰf3E3N-LxO.uCJGd/{[}pW$&Q`qGvU~B)&M-FtP`6Dct^F5}N_eVBѭve;gBĦj\'&(H4)lX!?b]\T$s`66ӏF87Ȓ0:C?!w:g3`\"0ZC(9I#6N%Mc"|l<@O'>hSp8W;'89i<=^uS "O퓳_Rwv/L3+ LFר6?au[fonQ3=joPn\ hHX9FKVڡJFNbU($2C& ڝK䀦`tL< %~o.g;i?Hu~q$c@\珽_#7A@tq>zwknwqJY '[ ͪu6Zij``kVOv=hHjI%aF3a: 7 gÊCJ8bVڤ3B/Pi&P"Jmn2;U`oFIM2I4&;WՈMkUOy!=8۷"u 9{sW#'r]$ܥg.$bkeG؎> icRd83Jn LVDt6xUZh{Rm cfX걷)HM|ɫЅtW UyޗQiWIҚvYDG=Xe_Vgf.ԺgKtWXmC ؜wX h2e@04=AڤW"du*)lЌga==[}``@Kg=agRܱzD[kY+5=7A$sY+{ DyF<1:ڙnY)|5+Fe1Ar䴤3c 5qUKz 3ۨĝ ɕ~٤D>nʕ؂;Ӭ4ng>atcC50>"iρ}nߒƗ(7D>shu X)nqC*oؕSf +s7 !X ̑Oత R=tW7T{m=TS!HL~ˈތV eI$.%)M,YA9Ӎ&gސK=w0Y0K\-Zg ۰@usv9>~귄SdN=cߵ@DE~L|2d]Qi 6"NF&)β˒sk81_*⎝)2sy~:ɚd'*@єpf1*Ž&b-/ACq- hʛE8H ISc0-[`Gk^JتvݳwxQb0ѱko}ͫ'B,ۧ 8+Mx qPF-B @ݏJ| ::\|دmhDt\v،zF̤'C܊SswMqqLwGyGXQq咦bÿD|wEfdM7),7P3Uf`i/C _.7 QPcT2'Nh*fMԐ?gl#DЊ$r d:p!1r<;tRITJ-B ad(pX^@g%'x[U~㩩γNCVϒRY  G5Ǩ`b,Ug~kՆմ?ЇZLAQRJ4wL3'/ԍ b:jJr}Bx2K"Sl@J)>_O_pњ ϲzO!8P%;,ql* UP&ak)Dx0D*ʔd Wv1i\zt>o ZKZ(t%m~ Z\ %_ao@5Qy>J$*m=m"}l&&ܔ[BEi?T RӼ|ƀ199kg!{+Jm?T"gmBfv 3}c:Q]d9lOO]MX{N | #5#MBύϴC=|NhO:bېm(KNUSHxƹ[X޹ȝu ]Wmrq=YYhׁiX8_rmgAh*±}v@:ǬnnQ yyƬ;?!.k U-{ΜEJR Yq>8D4/eK([Lԫ·Bv9%?wh ҈wOWEY ݍ:dVBxPX꼅/U{)`,Ўק 5SA2G=t"筒QANi$/̴5R6|VXdjC ~|;յbK}(E:RggH NTcCA q0869[Uߊ mM)Czed*n岾,4cI{a8io}]{&~'idxku(s.UF^M}7@BW{1L55>^oprʜ5k2r@zcLɼ nea|~>u\2,u⶙>kOO4m? k+pbL1mP/&DF-5S<5U0,.%I¸y5Bl Pjsz`8|~ZX`IT]$g ՎwZfecG|<4 ,\h܊_UWl t ?YN9#!$Y/9l(75'K+?HsñZf}y:-\0͏&d|J[@3p'j ~CJt"w N!PI@+8dR+'Mm>,>NPu, Nԕe@cPenu#X~ !T~(npT ~faX l&k.1)fs)΋{QtLؐ,Ĝu#wڗ KE!I):+_+X|!7=1 4 GDb %ҿ{RTICTKH,13XzF'9nr']2lDy5!,utZo a:Xs EO+oj@G6閝`KJ_=cԔ5J 4ljN}fVxПOLa2C)4Zi[J-vD!mӻv0DŽ3U=o>>>C ~됙 4?a^ɺߔ!ޓ:0 :RtMޖP ;'S1nDg%=E n9xn=d)J֜?Kx%*O"}1sid~&:k0E:$ؚ| ]}5b{VB7t5. ӄj{4u0AB/߉2c/iمց*wf_AT?,'vFia,a Db@Ϙt<:;|m/b\Ui"(BKzP@]42'iܯ(eʙO﷜H 0WG `i#ΝGKVcrVǑT1{ֽpmTNj?JQP`ׄpvd#Ü,NM\LYGH 3s+yK78~#VS<*bE$V﯑Em/Ԟ)7ئJoj`*yS/ם h" 0o^ QK 5m}ߟM\p3A7BLoN[dO,u3#<+% 4 BA.)nE:PNUl|{kh/G^!7J;)Zo9YagGEh&!|GM+O0]wweߐ)t)s TN0%=6Rawy]^DuAj0PtHQNUp@a$ FTz dr(IqDoyFl:C8Q^c n?b\z4 εg1 +Rq;jt ӳJiZ]^-djSIջ4 q^)` yluCŰvYUA]~M`gӀOn@%ŗy[$ZoRtu,kmqUw ؕQT'akILĀDctLIsukiJYwC8'ԃ@ɔsOpIzC i<8!=Pg3e}ڹ'䟋 /VnA,^EGzkj0o&njtrYt.[O,P7)eybm_yd".7*h4Yqe ENk禵>BEBj}2IİO2CqU!X= [jʷW@IG'saGS;|Bn^̺:qEr|[#؜1^L#K&BkF RX˨|ہIf/ !i%BL8aG_<΋5 q'@\Ѿ lV<=Gş=4K^CW:Z $] +~!U#} I_u,LQȘE}^|B|CK:6C_l8d|)lsِH/D(tyޚJ>4 2Ѳځ*`tg?4!K\yZ[3ed r4.53k!-EVa mҺ\%WCW[գ-J'4}.v<^;GY37mum o мe&LO;HSr^4~:ij~N !_9p"ϑM@p%fVȻ}^^8aVQy:fn Z.0\`!&[/[@ ghN6j\|Vo2,կ? lB{;sl^r&M/=ݲQߛ$$]G\Ab1[H21msX}wuNr /$}D=HQwdiN+AkA;K<jw0d|vQ 9}hGjf՛j5]CE>Du炅U)#lnNirCvg&jF6opZN?Ov#0c+hl \kz-9y: .cIš{unUtD^2%bLIa< 7b*sdR">TG;E3p"_ݘ|\xߚcĿ$3=hsz_!觓G5Y 3q nN__'.21*]#嗖8v>T3:u=!cjEp؅Rv 87Z=!7x) I;*VMmld6+.<_I'L7– ~=6%vd|#5[_P &B䨌}y,L\:(m]X'r\;׫3Dԙ]uVY<`*NuR/<*S\{}qYX FI xDe1o#+٦)V`  '<86O_5a$=FDʜLp6֓( 4} X YZK!a!gRK2 قʳGm`~ m(_gvq8p~ȶnn3cgQN\,pzc&lז,?M}q%2 e<r1 M%7wd&gD: /<9Ä1~t'rg=I0g6 ޱyHD3?AqJy kP,S@Ys76"jeSܑuq|s Gˍԟ[!c)1-!]p~3^bn/fxvF}L)VfzI`ikIl^Gb7怺^Xʝ6BIϡ!rg*.0Wku)sUn49ZNZQցSjPX6 $}~!6b߫-s߾gH$؋+=jDO cWZlZ~~2(4" F}Oq͋zcuF'Z G:Y?o,ss@E!qoLа*lvaEH6}Ptf/"^{C ++H3m\}Z't*GiE.Fӝh`*PP;M{e¡| n;]Iy6a%ARu A4BC(OdOF'˱k1pQXDq=ٻ9@0 OV}kpiz@z ר%*OҿNW8jvp\lG쭯NT;tx64lJ8mXԕW(8R㖣1TP_=s{~{ӋjJn#Qщr~#9f 2'2~S1"\G'z3DW 2Rj2 4"Vj! MdCIk ZGC-NbeSsuR/5&ayX"n'GYy|#jA\h}^YR(f9[~˚LU=3L_Nl76L=RWЊ ]%Qhl1r6Տӻ$O'm\*jSJr g ЬmXk#$es5Wd=YH28xYqQ}0‰S+¥(NCcl t2츾pggCB8m׹Np5ܬ׭B;r( ]g^$N"L6Pb[tH`cR$i( YFPla6GGMdRy  QCkcB{Fabaf &<AgJ]AFo_+s(xNn SQmB6''=