wpa_supplicant-gui-2.10-150500.3.3.1<>,eܲp9|= `)81 YJAT2Рw+fh6>6GZo0 q\8{[#0-lW+CkxeGz1JӘDͳls=jQnfk'^fˀ#ԝD|gG9x  hΎc:bd"x>T?Dd ' J , BNkq|      *4`h&(S8\*9*: d*FxGHIXY\]^b cd;e@fClEuXv`wxyz@Cwpa_supplicant-gui2.10150500.3.3.1WPA supplicant graphical front-endThis package contains a graphical front-end to wpa_supplicant, an implementation of the WPA Supplicant component.eܲnebbiolo SUSE Linux Enterprise 15SUSE LLC BSD-3-Clause AND GPL-2.0-or-laterhttps://www.suse.com/Unspecifiedhttps://w1.fi/wpa_supplicantlinuxppc64le 큤eܲeܲc624f646c36a2dfbb7f20df1e3a6f1a83418ebadcd1f1150839c3288c509dbfed57783ead2cca37539bf8b5c4a81b8105c2970de177652fe1a027433593467aarootrootrootrootwpa_supplicant-2.10-150500.3.3.1.src.rpmwpa_supplicant-guiwpa_supplicant-gui(ppc-64)@@@@@@@@@@@@@@@@    libQt5Core.so.5()(64bit)libQt5Core.so.5(Qt_5)(64bit)libQt5Gui.so.5()(64bit)libQt5Gui.so.5(Qt_5)(64bit)libQt5Widgets.so.5()(64bit)libQt5Widgets.so.5(Qt_5)(64bit)libc.so.6()(64bit)libc.so.6(GLIBC_2.17)(64bit)libgcc_s.so.1()(64bit)libgcc_s.so.1(GCC_3.0)(64bit)libpthread.so.0()(64bit)libpthread.so.0(GLIBC_2.17)(64bit)libstdc++.so.6()(64bit)libstdc++.so.6(CXXABI_1.3)(64bit)libstdc++.so.6(CXXABI_1.3.9)(64bit)libstdc++.so.6(GLIBCXX_3.4)(64bit)rpmlib(CompressedFileNames)rpmlib(FileDigests)rpmlib(PayloadFilesHavePrefix)rpmlib(PayloadIsXz)wpa_supplicant3.0.4-14.6.0-14.0-15.2-14.14.3e}@c@b@b@`lM@`?z@`:4@`_|\@_i@_i@^@^@^|@^|@^Y]]>[<@[[ā@[[;@[@[QY@X@X]W@VU@VŲ@V`V=@UKSUCjU8U'@U/@TBV@cfamullaconrad@suse.comcfamullaconrad@suse.comcfamullaconrad@suse.comcfamullaconrad@suse.comcfamullaconrad@suse.comcfamullaconrad@suse.comcfamullaconrad@suse.comcfamullaconrad@suse.comsp1ritCS@protonmail.comcfamullaconrad@suse.comsongchuan.kang@suse.comcfamullaconrad@suse.combwiedemann@suse.comcfamullaconrad@suse.comilya@ilya.pp.uatchvatal@suse.comtchvatal@suse.comilya@ilya.pp.uailya@ilya.pp.uakbabioch@suse.comro@suse.dekbabioch@suse.comkbabioch@suse.comkbabioch@suse.comro@suse.demeissner@suse.comobs@botter.ccdwaas@suse.commeissner@suse.comtchvatal@suse.comlnussel@suse.decrrodriguez@opensuse.orgcrrodriguez@opensuse.orgcrrodriguez@opensuse.orglnussel@suse.demichael@stroeder.comro@suse.dezaitor@opensuse.orgcrrodriguez@opensuse.orgstefan.bruens@rwth-aachen.destefan.bruens@rwth-aachen.destefan.bruens@rwth-aachen.de- Add CVE-2023-52160.patch - Bypassing WiFi Authentication (bsc#1219975) - Change ctrl_interface from /var/run to %_rundir (/run)- update to 2.10.0: jsc#PED-2904 * SAE changes - improved protection against side channel attacks [https://w1.fi/security/2022-1/] - added support for the hash-to-element mechanism (sae_pwe=1 or sae_pwe=2); this is currently disabled by default, but will likely get enabled by default in the future - fixed PMKSA caching with OKC - added support for SAE-PK * EAP-pwd changes - improved protection against side channel attacks [https://w1.fi/security/2022-1/] * fixed P2P provision discovery processing of a specially constructed invalid frame [https://w1.fi/security/2021-1/] * fixed P2P group information processing of a specially constructed invalid frame [https://w1.fi/security/2020-2/] * fixed PMF disconnection protection bypass in AP mode [https://w1.fi/security/2019-7/] * added support for using OpenSSL 3.0 * increased the maximum number of EAP message exchanges (mainly to support cases with very large certificates) * fixed various issues in experimental support for EAP-TEAP peer * added support for DPP release 2 (Wi-Fi Device Provisioning Protocol) * a number of MKA/MACsec fixes and extensions * added support for SAE (WPA3-Personal) AP mode configuration * added P2P support for EDMG (IEEE 802.11ay) channels * fixed EAP-FAST peer with TLS GCM/CCM ciphers * improved throughput estimation and BSS selection * dropped support for libnl 1.1 * added support for nl80211 control port for EAPOL frame TX/RX * fixed OWE key derivation with groups 20 and 21; this breaks backwards compatibility for these groups while the default group 19 remains backwards compatible * added support for Beacon protection * added support for Extended Key ID for pairwise keys * removed WEP support from the default build (CONFIG_WEP=y can be used to enable it, if really needed) * added a build option to remove TKIP support (CONFIG_NO_TKIP=y) * added support for Transition Disable mechanism to allow the AP to automatically disable transition mode to improve security * extended D-Bus interface * added support for PASN * added a file-based backend for external password storage to allow secret information to be moved away from the main configuration file without requiring external tools * added EAP-TLS peer support for TLS 1.3 (disabled by default for now) * added support for SCS, MSCS, DSCP policy * changed driver interface selection to default to automatic fallback to other compiled in options * a large number of other fixes, cleanup, and extensions - drop wpa_supplicant-p2p_iname_size.diff, CVE-2021-30004.patch, CVE-2021-27803.patch, CVE-2021-0326.patch, CVE-2019-16275.patch, CVE-2022-23303_0001.patch, CVE-2022-23303_0002.patch, CVE-2022-23303_0003.patch, CVE-2022-23303_0004.patch: upstream - drop restore-old-dbus-interface.patch, wicked has been switching to the new dbus interface in version 0.6.66 - config: * re-enable CONFIG_WEP * enable QCA vendor extensions to nl80211 * enable support for Automatic Channel Selection * enable OCV, security feature that prevents MITM multi-channel attacks * enable QCA vendor extensions to nl80211 * enable EAP-EKE * Support HT overrides * TLS v1.1 and TLS v1.2 * Fast Session Transfer (FST) * Automatic Channel Selection * Multi Band Operation * Fast Initial Link Setup * Mesh Networking (IEEE 802.11s) - Add dbus-Fix-property-DebugShowKeys-and-DebugTimestamp.patch (bsc#1201219) - Move the dbus-1 system.d file to /usr (bsc#1200342) - Added hardening to systemd service(s) (bsc#1181400). Modified: * wpa_supplicant.service - drop wpa_supplicant-getrandom.patch : glibc has been updated so the getrandom() wrapper is now there - Sync wpa_supplicant.spec with Factory- Enable WPA3-Enterprise (SuiteB-192) support.- Add CVE-2022-23303_0001.patch, CVE-2022-23303_0002.patch, CVE-2022-23303_0003.patch, CVE-2022-23303_0004.patch SAE/EAP-pwd side-channel attack update 2 (CVE-2022-23303, CVE-2022-23304, bsc#1194732, bsc#1194733)- Add CVE-2021-30004.patch -- forging attacks may occur because AlgorithmIdentifier parameters are mishandled in tls/pkcs1.c and tls/x509v3.c (bsc#1184348)- Fix systemd device ready dependencies in wpa_supplicant@.service file. (see: https://forums.opensuse.org/showthread.php/547186-wpa_supplicant-service-fails-on-boot-succeeds-on-restart?p=2982844#post2982844)- Add CVE-2021-27803.patch -- P2P provision discovery processing vulnerability (bsc#1182805)- Add CVE-2021-0326.patch -- P2P group information processing vulnerability (bsc#1181777)- Add wpa_supplicant-p2p_iname_size.diff -- Limit P2P_DEVICE name to appropriate ifname size (https://patchwork.ozlabs.org/project/hostap/patch/20200825062902.124600-1-benjamin@sipsolutions.net/)- Fix spec file for SLE12, use make %{?_smp_mflags} instead of %make_build- Enable SAE support(jsc#SLE-14992).- Add CVE-2019-16275.patch -- AP mode PMF disconnection protection bypass (bsc#1150934)- Add restore-old-dbus-interface.patch to fix wicked wlan (boo#1156920) - Restore fi.epitest.hostap.WPASupplicant.service (bsc#1167331)- With v2.9 fi.epitest.hostap.WPASupplicant.service is obsolete (bsc#1167331)- Change wpa_supplicant.service to ensure wpa_supplicant gets started before network. Fix WLAN config on boot with wicked. (boo#1166933)- Adjust the service to start after network.target wrt bsc#1165266- Update to 2.9 release: * SAE changes - disable use of groups using Brainpool curves - improved protection against side channel attacks [https://w1.fi/security/2019-6/] * EAP-pwd changes - disable use of groups using Brainpool curves - allow the set of groups to be configured (eap_pwd_groups) - improved protection against side channel attacks [https://w1.fi/security/2019-6/] * fixed FT-EAP initial mobility domain association using PMKSA caching (disabled by default for backwards compatibility; can be enabled with ft_eap_pmksa_caching=1) * fixed a regression in OpenSSL 1.1+ engine loading * added validation of RSNE in (Re)Association Response frames * fixed DPP bootstrapping URI parser of channel list * extended EAP-SIM/AKA fast re-authentication to allow use with FILS * extended ca_cert_blob to support PEM format * improved robustness of P2P Action frame scheduling * added support for EAP-SIM/AKA using anonymous@realm identity * fixed Hotspot 2.0 credential selection based on roaming consortium to ignore credentials without a specific EAP method * added experimental support for EAP-TEAP peer (RFC 7170) * added experimental support for EAP-TLS peer with TLS v1.3 * fixed a regression in WMM parameter configuration for a TDLS peer * fixed a regression in operation with drivers that offload 802.1X 4-way handshake * fixed an ECDH operation corner case with OpenSSL * SAE changes - added support for SAE Password Identifier - changed default configuration to enable only groups 19, 20, 21 (i.e., disable groups 25 and 26) and disable all unsuitable groups completely based on REVmd changes - do not regenerate PWE unnecessarily when the AP uses the anti-clogging token mechanisms - fixed some association cases where both SAE and FT-SAE were enabled on both the station and the selected AP - started to prefer FT-SAE over SAE AKM if both are enabled - started to prefer FT-SAE over FT-PSK if both are enabled - fixed FT-SAE when SAE PMKSA caching is used - reject use of unsuitable groups based on new implementation guidance in REVmd (allow only FFC groups with prime >= 3072 bits and ECC groups with prime >= 256) - minimize timing and memory use differences in PWE derivation [https://w1.fi/security/2019-1/] (CVE-2019-9494, bsc#1131868) * EAP-pwd changes - minimize timing and memory use differences in PWE derivation [https://w1.fi/security/2019-2/] (CVE-2019-9495, bsc#1131870) - verify server scalar/element [https://w1.fi/security/2019-4/] (CVE-2019-9497, CVE-2019-9498, CVE-2019-9499, bsc#1131874, bsc#1131872, bsc#1131871, bsc#1131644) - fix message reassembly issue with unexpected fragment [https://w1.fi/security/2019-5/] (CVE-2019-11555, bsc#1133640) - enforce rand,mask generation rules more strictly - fix a memory leak in PWE derivation - disallow ECC groups with a prime under 256 bits (groups 25, 26, and 27) - SAE/EAP-pwd side-channel attack update [https://w1.fi/security/2019-6/] (CVE-2019-13377, bsc#1144443) * fixed CONFIG_IEEE80211R=y (FT) build without CONFIG_FILS=y * Hotspot 2.0 changes - do not indicate release number that is higher than the one AP supports - added support for release number 3 - enable PMF automatically for network profiles created from credentials * fixed OWE network profile saving * fixed DPP network profile saving * added support for RSN operating channel validation (CONFIG_OCV=y and network profile parameter ocv=1) * added Multi-AP backhaul STA support * fixed build with LibreSSL * number of MKA/MACsec fixes and extensions * extended domain_match and domain_suffix_match to allow list of values * fixed dNSName matching in domain_match and domain_suffix_match when using wolfSSL * started to prefer FT-EAP-SHA384 over WPA-EAP-SUITE-B-192 AKM if both are enabled * extended nl80211 Connect and external authentication to support SAE, FT-SAE, FT-EAP-SHA384 * fixed KEK2 derivation for FILS+FT * extended client_cert file to allow loading of a chain of PEM encoded certificates * extended beacon reporting functionality * extended D-Bus interface with number of new properties * fixed a regression in FT-over-DS with mac80211-based drivers * OpenSSL: allow systemwide policies to be overridden * extended driver flags indication for separate 802.1X and PSK 4-way handshake offload capability * added support for random P2P Device/Interface Address use * extended PEAP to derive EMSK to enable use with ERP/FILS * extended WPS to allow SAE configuration to be added automatically for PSK (wps_cred_add_sae=1) * removed support for the old D-Bus interface (CONFIG_CTRL_IFACE_DBUS) * extended domain_match and domain_suffix_match to allow list of values * added a RSN workaround for misbehaving PMF APs that advertise IGTK/BIP KeyID using incorrect byte order * fixed PTK rekeying with FILS and FT * fixed WPA packet number reuse with replayed messages and key reinstallation [https://w1.fi/security/2017-1/] (CVE-2017-13077, CVE-2017-13078, CVE-2017-13079, CVE-2017-13080, CVE-2017-13081, CVE-2017-13082, CVE-2017-13086, CVE-2017-13087, CVE-2017-13088) * fixed unauthenticated EAPOL-Key decryption in wpa_supplicant [https://w1.fi/security/2018-1/] (CVE-2018-14526) * added support for FILS (IEEE 802.11ai) shared key authentication * added support for OWE (Opportunistic Wireless Encryption, RFC 8110; and transition mode defined by WFA) * added support for DPP (Wi-Fi Device Provisioning Protocol) * added support for RSA 3k key case with Suite B 192-bit level * fixed Suite B PMKSA caching not to update PMKID during each 4-way handshake * fixed EAP-pwd pre-processing with PasswordHashHash * added EAP-pwd client support for salted passwords * fixed a regression in TDLS prohibited bit validation * started to use estimated throughput to avoid undesired signal strength based roaming decision * MACsec/MKA: - new macsec_linux driver interface support for the Linux kernel macsec module - number of fixes and extensions * added support for external persistent storage of PMKSA cache (PMKSA_GET/PMKSA_ADD control interface commands; and MESH_PMKSA_GET/MESH_PMKSA_SET for the mesh case) * fixed mesh channel configuration pri/sec switch case * added support for beacon report * large number of other fixes, cleanup, and extensions * added support for randomizing local address for GAS queries (gas_rand_mac_addr parameter) * fixed EAP-SIM/AKA/AKA' ext auth cases within TLS tunnel * added option for using random WPS UUID (auto_uuid=1) * added SHA256-hash support for OCSP certificate matching * fixed EAP-AKA' to add AT_KDF into Synchronization-Failure * fixed a regression in RSN pre-authentication candidate selection * added option to configure allowed group management cipher suites (group_mgmt network profile parameter) * removed all PeerKey functionality * fixed nl80211 AP and mesh mode configuration regression with Linux 4.15 and newer * added ap_isolate configuration option for AP mode * added support for nl80211 to offload 4-way handshake into the driver * added support for using wolfSSL cryptographic library * SAE - added support for configuring SAE password separately of the WPA2 PSK/passphrase - fixed PTK and EAPOL-Key integrity and key-wrap algorithm selection for SAE; note: this is not backwards compatible, i.e., both the AP and station side implementations will need to be update at the same time to maintain interoperability - added support for Password Identifier - fixed FT-SAE PMKID matching * Hotspot 2.0 - added support for fetching of Operator Icon Metadata ANQP-element - added support for Roaming Consortium Selection element - added support for Terms and Conditions - added support for OSEN connection in a shared RSN BSS - added support for fetching Venue URL information * added support for using OpenSSL 1.1.1 * FT - disabled PMKSA caching with FT since it is not fully functional - added support for SHA384 based AKM - added support for BIP ciphers BIP-CMAC-256, BIP-GMAC-128, BIP-GMAC-256 in addition to previously supported BIP-CMAC-128 - fixed additional IE inclusion in Reassociation Request frame when using FT protocol - Drop merged patches: * rebased-v2.6-0001-hostapd-Avoid-key-reinstallation-in-FT-handshake.patch * rebased-v2.6-0002-Prevent-reinstallation-of-an-already-in-use-group-ke.patch * rebased-v2.6-0003-Extend-protection-of-GTK-IGTK-reinstallation-of-WNM-.patch * rebased-v2.6-0004-Prevent-installation-of-an-all-zero-TK.patch * rebased-v2.6-0005-Fix-PTK-rekeying-to-generate-a-new-ANonce.patch * rebased-v2.6-0006-TDLS-Reject-TPK-TK-reconfiguration.patch * rebased-v2.6-0007-WNM-Ignore-WNM-Sleep-Mode-Response-without-pending-r.patch * rebased-v2.6-0008-FT-Do-not-allow-multiple-Reassociation-Response-fram.patch * rebased-v2.6-0009-WPA-Ignore-unauthenticated-encrypted-EAPOL-Key-data.patch * wpa_supplicant-bnc-1099835-fix-private-key-password.patch * wpa_supplicant-bnc-1099835-clear-default_passwd_cb.patch * wpa_supplicant-log-file-permission.patch * wpa_supplicant-log-file-cloexec.patch * wpa_supplicant-git-fa67debf4c6ddbc881a212b175faa6d5d0d90c8c.patch * wpa_supplicant-git-f5b74b966c942feb95a8ddbb7d130540b15b796d.patch - Rebase patches: * wpa_supplicant-getrandom.patch- Refresh spec-file via spec-cleaner and manual optimizations. * Change URL and Source0 to actual project homepage. * Remove macro %{?systemd_requires} and rm (not needed). * Add %autopatch macro. * Add %make_build macro. - Chenged patch wpa_supplicant-flush-debug-output.patch (to -p1). - Changed service-files for start after network (systemd-networkd).- Refresh spec-file: add %license tag.- Renamed patches: - wpa-supplicant-log-file-permission.patch -> wpa_supplicant-log-file-permission.patch - wpa-supplicant-log-file-cloexec.patch -> wpa_supplicant-log-file-cloexec.patch - wpa_supplicant-log-file-permission.patch: Using O_WRONLY flag - Enabled timestamps in log files (bsc#1080798)- compile eapol_test binary to allow testing via radius proxy and server (note: this does not match CONFIG_EAPOL_TEST which sets -Werror and activates an assert call inside the code of wpa_supplicant) (bsc#1111873), (fate#326725) - add patch to fix wrong operator precedence in ieee802_11.c wpa_supplicant-git-fa67debf4c6ddbc881a212b175faa6d5d0d90c8c.patch - add patch to avoid redefinition of __bitwise macro wpa_supplicant-git-f5b74b966c942feb95a8ddbb7d130540b15b796d.patch- Added wpa-supplicant-log-file-permission.patch: Fixes the default file permissions of the debug log file to more sane values, i.e. it is no longer world-readable (bsc#1098854). - Added wpa-supplicant-log-file-cloexec.patch: Open the debug log file with O_CLOEXEC, which will prevent file descriptor leaking to child processes (bsc#1098854).- Added rebased-v2.6-0009-WPA-Ignore-unauthenticated-encrypted-EAPOL-Key-data.patch: Ignore unauthenticated encrypted EAPOL-Key data (CVE-2018-14526, bsc#1104205).- Enabled PWD as EAP method. This allows for password-based authentication, which is easier to setup than most of the other methods, and is used by the Eduroam network (bsc#1109209).- add two patches from upstream to fix reading private key passwords from the configuration file (bsc#1099835) - add patch for git 89971d8b1e328a2f79699c953625d1671fd40384 wpa_supplicant-bnc-1099835-clear-default_passwd_cb.patch - add patch for git f665c93e1d28fbab3d9127a8c3985cc32940824f wpa_supplicant-bnc-1099835-fix-private-key-password.patch- Fix KRACK attacks (bsc#1056061, CVE-2017-13078, CVE-2017-13079, CVE-2017-13080, CVE-2017-13081, CVE-2017-13087, CVE-2017-13088): - rebased-v2.6-0001-hostapd-Avoid-key-reinstallation-in-FT-handshake.patch - rebased-v2.6-0002-Prevent-reinstallation-of-an-already-in-use-group-ke.patch - rebased-v2.6-0003-Extend-protection-of-GTK-IGTK-reinstallation-of-WNM-.patch - rebased-v2.6-0004-Prevent-installation-of-an-all-zero-TK.patch - rebased-v2.6-0005-Fix-PTK-rekeying-to-generate-a-new-ANonce.patch - rebased-v2.6-0006-TDLS-Reject-TPK-TK-reconfiguration.patch - rebased-v2.6-0007-WNM-Ignore-WNM-Sleep-Mode-Response-without-pending-r.patch - rebased-v2.6-0008-FT-Do-not-allow-multiple-Reassociation-Response-fram.patch- fix wpa_supplicant-sigusr1-changes-debuglevel.patch to match eloop_signal_handler type (needed to build eapol_test via config)- Added .service files that accept interfaces as %i arguments so it's possible to call the daemon with: "systemctl start wpa_supplicant@$INTERFACE_NAME.service" (like openvpn for example)- updated to 2.6 / 2016-10-02 * fixed WNM Sleep Mode processing when PMF is not enabled [http://w1.fi/security/2015-6/] (CVE-2015-5310 bsc#952254) * fixed EAP-pwd last fragment validation [http://w1.fi/security/2015-7/] (CVE-2015-5315 bsc#953115) * fixed EAP-pwd unexpected Confirm message processing [http://w1.fi/security/2015-8/] (CVE-2015-5316 bsc#953115) * fixed WPS configuration update vulnerability with malformed passphrase [http://w1.fi/security/2016-1/] (CVE-2016-4476 bsc#978172) * fixed configuration update vulnerability with malformed parameters set over the local control interface [http://w1.fi/security/2016-1/] (CVE-2016-4477 bsc#978175) * fixed TK configuration to the driver in EAPOL-Key 3/4 retry case * extended channel switch support for P2P GO * started to throttle control interface event message bursts to avoid issues with monitor sockets running out of buffer space * mesh mode fixes/improvements - generate proper AID for peer - enable WMM by default - add VHT support - fix PMKID derivation - improve robustness on various exchanges - fix peer link counting in reconnect case - improve mesh joining behavior - allow DTIM period to be configured - allow HT to be disabled (disable_ht=1) - add MESH_PEER_ADD and MESH_PEER_REMOVE commands - add support for PMKSA caching - add minimal support for SAE group negotiation - allow pairwise/group cipher to be configured in the network profile - use ieee80211w profile parameter to enable/disable PMF and derive a separate TX IGTK if PMF is enabled instead of using MGTK incorrectly - fix AEK and MTK derivation - remove GTKdata and IGTKdata from Mesh Peering Confirm/Close - note: these changes are not fully backwards compatible for secure (RSN) mesh network * fixed PMKID derivation with SAE * added support for requesting and fetching arbitrary ANQP-elements without internal support in wpa_supplicant for the specific element (anqp[265]= in "BSS " command output) * P2P - filter control characters in group client device names to be consistent with other P2P peer cases - support VHT 80+80 MHz and 160 MHz - indicate group completion in P2P Client role after data association instead of already after the WPS provisioning step - improve group-join operation to use SSID, if known, to filter BSS entries - added optional ssid= argument to P2P_CONNECT for join case - added P2P_GROUP_MEMBER command to fetch client interface address * P2PS - fix follow-on PD Response behavior - fix PD Response generation for unknown peer - fix persistent group reporting - add channel policy to PD Request - add group SSID to the P2PS-PROV-DONE event - allow "P2P_CONNECT p2ps" to be used without specifying the default PIN * BoringSSL - support for OCSP stapling - support building of h20-osu-client * D-Bus - add ExpectDisconnect() - add global config parameters as properties - add SaveConfig() - add VendorElemAdd(), VendorElemGet(), VendorElemRem() * fixed Suite B 192-bit AKM to use proper PMK length (note: this makes old releases incompatible with the fixed behavior) * improved PMF behavior for cases where the AP and STA has different configuration by not trying to connect in some corner cases where the connection cannot succeed * added option to reopen debug log (e.g., to rotate the file) upon receipt of SIGHUP signal * EAP-pwd: added support for Brainpool Elliptic Curves (with OpenSSL 1.0.2 and newer) * fixed EAPOL reauthentication after FT protocol run * fixed FTIE generation for 4-way handshake after FT protocol run * extended INTERFACE_ADD command to allow certain type (sta/ap) interface to be created * fixed and improved various FST operations * added 80+80 MHz and 160 MHz VHT support for IBSS/mesh * fixed SIGNAL_POLL in IBSS and mesh cases * added an option to abort an ongoing scan (used to speed up connection and can also be done with the new ABORT_SCAN command) * TLS client - do not verify CA certificates when ca_cert is not specified - support validating server certificate hash - support SHA384 and SHA512 hashes - add signature_algorithms extension into ClientHello - support TLS v1.2 signature algorithm with SHA384 and SHA512 - support server certificate probing - allow specific TLS versions to be disabled with phase2 parameter - support extKeyUsage - support PKCS #5 v2.0 PBES2 - support PKCS #5 with PKCS #12 style key decryption - minimal support for PKCS #12 - support OCSP stapling (including ocsp_multi) * OpenSSL - support OpenSSL 1.1 API changes - drop support for OpenSSL 0.9.8 - drop support for OpenSSL 1.0.0 * added support for multiple schedule scan plans (sched_scan_plans) * added support for external server certificate chain validation (tls_ext_cert_check=1 in the network profile phase1 parameter) * made phase2 parser more strict about correct use of auth= and autheap= values * improved GAS offchannel operations with comeback request * added SIGNAL_MONITOR command to request signal strength monitoring events * added command for retrieving HS 2.0 icons with in-memory storage (REQ_HS20_ICON, GET_HS20_ICON, DEL_HS20_ICON commands and RX-HS20-ICON event) * enabled ACS support for AP mode operations with wpa_supplicant * EAP-PEAP: fixed interoperability issue with Windows 2012r2 server ("Invalid Compound_MAC in cryptobinding TLV") * EAP-TTLS: fixed success after fragmented final Phase 2 message * VHT: added interoperability workaround for 80+80 and 160 MHz channels * WNM: workaround for broken AP operating class behavior * added kqueue(2) support for eloop (CONFIG_ELOOP_KQUEUE) * nl80211: - add support for full station state operations - do not add NL80211_ATTR_SMPS_MODE attribute if HT is disabled - add NL80211_ATTR_PREV_BSSID with Connect command - fix IEEE 802.1X/WEP EAP reauthentication and rekeying to use unencrypted EAPOL frames * added initial MBO support; number of extensions to WNM BSS Transition Management * added support for PBSS/PCP and P2P on 60 GHz * Interworking: add credential realm to EAP-TLS identity * fixed EAPOL-Key Request Secure bit to be 1 if PTK is set * HS 2.0: add support for configuring frame filters * added POLL_STA command to check connectivity in AP mode * added initial functionality for location related operations * started to ignore pmf=1/2 parameter for non-RSN networks * added wps_disabled=1 network profile parameter to allow AP mode to be started without enabling WPS * wpa_cli: added action script support for AP-ENABLED and AP-DISABLED events * improved Public Action frame addressing - add gas_address3 configuration parameter to control Address 3 behavior * number of small fixes - wpa_supplicant-dump-certificate-as-PEM-in-debug-mode.diff: dump x509 certificates from remote radius server in debug mode in WPA-EAP.- Remove support for <12.3 as we are unresolvable there anyway - Use qt5 on 13.2 if someone pulls this package in - Convert to pkgconfig dependencies over the devel pkgs - Use the %qmake5 macro to build the qt5 gui- add After=dbus.service to prevent too early shutdown (bnc#963652)- Revert CONFIG_ELOOP_EPOLL=y, it is broken in combination with CONFIG_DBUS=yes.- spec: Compile the GUI against QT5 in 13.2 and later.- Previous update did not include version 2.5 tarball or changed the version number in spec, only the changelog and removed patches. - config: set CONFIG_NO_RANDOM_POOL=y, we have a reliable· random number generator by using /dev/urandom, no need to keep an internal random number pool which draws entropy from /dev/random. - config: prefer using epoll(7) instead of select(2) by setting CONFIG_ELOOP_EPOLL=y - wpa_supplicant-getrandom.patch: Prefer to use the getrandom(2) system call to collect entropy. if it is not present disable buffering when reading /dev/urandom, otherwise each os_get_random() call will request BUFSIZ of entropy instead of the few needed bytes.- add aliases for both provided dbus names to avoid systemd stopping the service when switching runlevels (boo#966535)- removed obsolete security patches: * 0001-P2P-Validate-SSID-element-length-before-copying-it-C.patch * 0001-WPS-Fix-HTTP-chunked-transfer-encoding-parser.patch * 0001-AP-WMM-Fix-integer-underflow-in-WMM-Action-frame-par.patch * 0001-EAP-pwd-peer-Fix-payload-length-validation-for-Commi.patch * wpa_s-D-Bus-Fix-operations-when-P2P-management-interface-is-used.patch * 0002-EAP-pwd-server-Fix-payload-length-validation-for-Com.patch * 0003-EAP-pwd-peer-Fix-Total-Length-parsing-for-fragment-r.patch * 0004-EAP-pwd-server-Fix-Total-Length-parsing-for-fragment.patch * 0005-EAP-pwd-peer-Fix-asymmetric-fragmentation-behavior.patch - Update to upstream release 2.5 * fixed P2P validation of SSID element length before copying it [http://w1.fi/security/2015-1/] (CVE-2015-1863) * fixed WPS UPnP vulnerability with HTTP chunked transfer encoding [http://w1.fi/security/2015-2/] (CVE-2015-4141) * fixed WMM Action frame parser (AP mode) [http://w1.fi/security/2015-3/] (CVE-2015-4142) * fixed EAP-pwd peer missing payload length validation [http://w1.fi/security/2015-4/] (CVE-2015-4143, CVE-2015-4144, CVE-2015-4145, CVE-2015-4146) * fixed validation of WPS and P2P NFC NDEF record payload length [http://w1.fi/security/2015-5/] (CVE-2015-8041) * nl80211: - added VHT configuration for IBSS - fixed vendor command handling to check OUI properly - allow driver-based roaming to change ESS * added AVG_BEACON_RSSI to SIGNAL_POLL output * wpa_cli: added tab completion for number of commands * removed unmaintained and not yet completed SChannel/CryptoAPI support * modified Extended Capabilities element use in Probe Request frames to include all cases if any of the values are non-zero * added support for dynamically creating/removing a virtual interface with interface_add/interface_remove * added support for hashed password (NtHash) in EAP-pwd peer * added support for memory-only PSK/passphrase (mem_only_psk=1 and CTRL-REQ/RSP-PSK_PASSPHRASE) * P2P - optimize scan frequencies list when re-joining a persistent group - fixed number of sequences with nl80211 P2P Device interface - added operating class 125 for P2P use cases (this allows 5 GHz channels 161 and 169 to be used if they are enabled in the current regulatory domain) - number of fixes to P2PS functionality - do not allow 40 MHz co-ex PRI/SEC switch to force MCC - extended support for preferred channel listing * D-Bus: - fixed WPS property of fi.w1.wpa_supplicant1.BSS interface - fixed PresenceRequest to use group interface - added new signals: FindStopped, WPS pbc-overlap, GroupFormationFailure, WPS timeout, InvitationReceived - added new methods: WPS Cancel, P2P Cancel, Reconnect, RemoveClient - added manufacturer info * added EAP-EKE peer support for deriving Session-Id * added wps_priority configuration parameter to set the default priority for all network profiles added by WPS * added support to request a scan with specific SSIDs with the SCAN command (optional "ssid " arguments) * removed support for WEP40/WEP104 as a group cipher with WPA/WPA2 * fixed SAE group selection in an error case * modified SAE routines to be more robust and PWE generation to be stronger against timing attacks * added support for Brainpool Elliptic Curves with SAE * added support for CCMP-256 and GCMP-256 as group ciphers with FT * fixed BSS selection based on estimated throughput * added option to disable TLSv1.0 with OpenSSL (phase1="tls_disable_tlsv1_0=1") * added Fast Session Transfer (FST) module * fixed OpenSSL PKCS#12 extra certificate handling * fixed key derivation for Suite B 192-bit AKM (this breaks compatibility with the earlier version) * added RSN IE to Mesh Peering Open/Confirm frames * number of small fixes- added patch for bnc#930077 CVE-2015-4141 0001-AP-WMM-Fix-integer-underflow-in-WMM-Action-frame-par.patch - added patch for bnc#930078 CVE-2015-4142 0001-WPS-Fix-HTTP-chunked-transfer-encoding-parser.patch - added patches for bnc#930079 CVE-2015-4143 0001-EAP-pwd-peer-Fix-payload-length-validation-for-Commi.patch 0002-EAP-pwd-server-Fix-payload-length-validation-for-Com.patch 0003-EAP-pwd-peer-Fix-Total-Length-parsing-for-fragment-r.patch 0004-EAP-pwd-server-Fix-Total-Length-parsing-for-fragment.patch 0005-EAP-pwd-peer-Fix-asymmetric-fragmentation-behavior.patch- Add wpa_s-D-Bus-Fix-operations-when-P2P-management-interface-is-used.patch Fix Segmentation fault in wpa_supplicant. Patch taken from upstream master git (arch#44740).- 0001-P2P-Validate-SSID-element-length-before-copying-it-C.patch Fix CVE-2015-1863, memcpy overflow. - wpa_supplicant-alloc_size.patch: annotate two wrappers with attribute alloc_size, which may help warning us of bugs such as the above.- Delete wpa_priv and eapol_test man pages, these are disabled in config - Move wpa_gui man page to gui package- Update to 2.4 * allow OpenSSL cipher configuration to be set for internal EAP server (openssl_ciphers parameter) * fixed number of small issues based on hwsim test case failures and static analyzer reports * P2P: - add new=<0/1> flag to P2P-DEVICE-FOUND events - add passive channels in invitation response from P2P Client - enable nl80211 P2P_DEVICE support by default - fix regresssion in disallow_freq preventing search on social channels - fix regressions in P2P SD query processing - try to re-invite with social operating channel if no common channels in invitation - allow cross connection on parent interface (this fixes number of use cases with nl80211) - add support for P2P services (P2PS) - add p2p_go_ctwindow configuration parameter to allow GO CTWindow to be configured * increase postponing of EAPOL-Start by one second with AP/GO that supports WPS 2.0 (this makes it less likely to trigger extra roundtrip of identity frames) * add support for PMKSA caching with SAE * add support for control mesh BSS (IEEE 802.11s) operations * fixed number of issues with D-Bus P2P commands * fixed regression in ap_scan=2 special case for WPS * fixed macsec_validate configuration * add a workaround for incorrectly behaving APs that try to use EAPOL-Key descriptor version 3 when the station supports PMF even if PMF is not enabled on the AP * allow TLS v1.1 and v1.2 to be negotiated by default; previous behavior of disabling these can be configured to work around issues with broken servers with phase1="tls_disable_tlsv1_1=1 tls_disable_tlsv1_2=1" * add support for Suite B (128-bit and 192-bit level) key management and cipher suites * add WMM-AC support (WMM_AC_ADDTS/WMM_AC_DELTS) * improved BSS Transition Management processing * add support for neighbor report * add support for link measurement * fixed expiration of BSS entry with all-zeros BSSID * add optional LAST_ID=x argument to LIST_NETWORK to allow all configured networks to be listed even with huge number of network profiles * add support for EAP Re-Authentication Protocol (ERP) * fixed EAP-IKEv2 fragmentation reassembly * improved PKCS#11 configuration for OpenSSL * set stdout to be line-buffered * add TDLS channel switch configuration * add support for MAC address randomization in scans with nl80211 * enable HT for IBSS if supported by the driver * add BSSID black and white lists (bssid_blacklist, bssid_whitelist) * add support for domain_suffix_match with GnuTLS * add OCSP stapling client support with GnuTLS * include peer certificate in EAP events even without a separate probe operation; old behavior can be restored with cert_in_cb=0 * add peer ceritficate alt subject name to EAP events (CTRL-EVENT-EAP-PEER-ALT) * add domain_match network profile parameter (similar to domain_suffix_match, but full match is required) * enable AP/GO mode HT Tx STBC automatically based on driver support * add ANQP-QUERY-DONE event to provide information on ANQP parsing status * allow passive scanning to be forced with passive_scan=1 * add a workaround for Linux packet socket behavior when interface is in bridge * increase 5 GHz band preference in BSS selection (estimate SNR, if info not available from driver; estimate maximum throughput based on common HT/VHT/specific TX rate support) * add INTERWORKING_ADD_NETWORK ctrl_iface command; this can be used to implement Interworking network selection behavior in upper layers software components * add optional reassoc_same_bss_optim=1 (disabled by default) optimization to avoid unnecessary Authentication frame exchange * extend TDLS frame padding workaround to cover all packets * allow wpa_supplicant to recover nl80211 functionality if the cfg80211 module gets removed and reloaded without restarting wpa_supplicant * allow hostapd DFS implementation to be used in wpa_supplicant AP mode- Update to 2.3 * fixed number of minor issues identified in static analyzer warnings * fixed wfd_dev_info to be more careful and not read beyond the buffer when parsing invalid information for P2P-DEVICE-FOUND * extended P2P and GAS query operations to support drivers that have maximum remain-on-channel time below 1000 ms (500 ms is the current minimum supported value) * added p2p_search_delay parameter to make the default p2p_find delay configurable * improved P2P operating channel selection for various multi-channel concurrency cases * fixed some TDLS failure cases to clean up driver state * fixed dynamic interface addition cases with nl80211 to avoid adding ifindex values to incorrect interface to skip foreign interface events properly * added TDLS workaround for some APs that may add extra data to the end of a short frame * fixed EAP-AKA' message parser with multiple AT_KDF attributes * added configuration option (p2p_passphrase_len) to allow longer passphrases to be generated for P2P groups * fixed IBSS channel configuration in some corner cases * improved HT/VHT/QoS parameter setup for TDLS * modified D-Bus interface for P2P peers/groups * started to use constant time comparison for various password and hash values to reduce possibility of any externally measurable timing differences * extended explicit clearing of freed memory and expired keys to avoid keeping private data in memory longer than necessary * added optional scan_id parameter to the SCAN command to allow manual scan requests for active scans for specific configured SSIDs * fixed CTRL-EVENT-REGDOM-CHANGE event init parameter value * added option to set Hotspot 2.0 Rel 2 update_identifier in network configuration to support external configuration * modified Android PNO functionality to send Probe Request frames only for hidden SSIDs (based on scan_ssid=1) * added generic mechanism for adding vendor elements into frames at runtime (VENDOR_ELEM_ADD, VENDOR_ELEM_GET, VENDOR_ELEM_REMOVE) * added fields to show unrecognized vendor elements in P2P_PEER * removed EAP-TTLS/MSCHAPv2 interoperability workaround so that MS-CHAP2-Success is required to be present regardless of eap_workaround configuration * modified EAP fast session resumption to allow results to be used only with the same network block that generated them * extended freq_list configuration to apply for sched_scan as well as normal scan * modified WPS to merge mixed-WPA/WPA2 credentials from a single session * fixed nl80211/RTM_DELLINK processing when a P2P GO interface is removed from a bridge * fixed number of small P2P issues to make negotiations more robust in corner cases * added experimental support for using temporary, random local MAC address (mac_addr and preassoc_mac_addr parameters); this is disabled by default (i.e., previous behavior of using permanent address is maintained if configuration is not changed) * added D-Bus interface for setting/clearing WFD IEs * fixed TDLS AID configuration for VHT * modified -m configuration file to be used only for the P2P non-netdev management device and do not load this for the default station interface or load the station interface configuration for the P2P management interface * fixed external MAC address changes while wpa_supplicant is running * started to enable HT (if supported by the driver) for IBSS * fixed wpa_cli action script execution to use more robust mechanism (CVE-2014-3686)nebbiolo 17089625542.10-150500.3.3.12.10-150500.3.3.1wpa_guiwpa_gui.8.gz/usr/sbin//usr/share/man/man8/-fmessage-length=0 -grecord-gcc-switches -O2 -Wall -D_FORTIFY_SOURCE=2 -fstack-protector-strong -funwind-tables -fasynchronous-unwind-tables -fstack-clash-protection -gobs://build.suse.de/SUSE:Maintenance:32791/SUSE_SLE-15-SP5_Update/92c4c1ac4c1b5c1bddbd97dfd31e26c2-wpa_supplicant.SUSE_SLE-15-SP5_Updatedrpmxz5ppc64le-suse-linuxELF 64-bit LSB shared object, 64-bit PowerPC or cisco 7500, version 1 (SYSV), dynamically linked, interpreter /lib64/ld64.so.2, BuildID[sha1]=c4bfe404caeab93c0730b45720c72d338e597193, for GNU/Linux 3.10.0, strippedtroff or preprocessor input, ASCII text (gzip compressed data, max compression, from Unix)R R RRRRRR RRRRR R RR-S|;f&L¡2F utf-803483380700b55528d1767ed105964248f1dad29efba36a00a77e999e13cf4b6? 7zXZ !t/SM]"k%{m{#rD~d tGJf͚u4~.vR_B'чM! PrNa=?@vʐ%Ӛ2B%&η)י ]ilHg߆;,MbpgtGgLb9gnPeL>rs<"{^J>IA&ԬFp>ϙɛ@=vpֶa~xsxvE{Lv\3ȕy:W,>? S<)U|5migvZL`wqVqלimSyi&B(6SSYZFHlWjV_>a=_ Oچ)&o۬ȝp ,߻+J=m! {QE*ILQ!H0{ n]5@1%ל&:0n=33v(D?Dɥ{8Pn|33 wjt&)_62ZXmů—ր9T}r"Vn9@S5ydʨG\Z'ۯ `絈m}oP5_Q¬xצo2j1fHwOn,(-b(윀48Ɨ[u=$뱃/^M)<]:"%Ln'$h޺!l5o@b-|YV+A!Z /g &r)\DDmK0nk6LW_)v|%3=/4{̋m)Z E8YJ@,309n[sEw"OD|WNfm)L$^V]s\lȷoGp`>k~7"n7V!N9|$cuU1Dbq<3j#jb<1^,` N[|=NL'#2(vppq籓W0ưs2Ϫ+(M4O4:ޤy<_oFD"j߄Hz3T,8-+םޔ,ۘkk E"aAΌ5| k&Q+9tWmZV@XX7`ߢk: 7_ȴ  MvZ{ET.AV{( ZY  蒙YOSM9^Юj-6Qzb~^)N#^+.LeK7};p/$V S'/C%4 İl{?,$"tjO̖zL>E*kJG, iqpݒIfN5Fzb=AG~)m{uEU9B&$#l:+V\Z wnJ V@4d Pږܫm3%*tk+`NM7Y\A]o=hSK }tW61ot~#vٿ/h='v.KͭWYiز*5 ߮igfrxUt20o:}F\3AK=DQ"O_ <* _}&jTK8װ}#CcqBIXgmicxhdrCΰ]Wb[Z-,: *yXۊ|M:UGvʰl;P32$dwWT <=Bզ?+4e©ٓFlyystfa-S n7Kᷲw=,zd~.ukiFPƹ>fk(n_(#0Yx~8ӗ }1y:p-H 3Sa5X(2hY5oSԦ܈Zg; <%(78ʜӪ7B!|[Zezi۩#psw›-IŸVSbOI!n!%Fy#P!{*k#+S%B 7b .s3kdz>Pb AH ŦRɷr~C\94뾑 [OK&- jWZ蒫U/QsTcjmNȢ>u#7hdd\gC8@ ǝQ;éYeSq5n^"nm.6Eoj~d1#UŻBȌ5|A}%8^:)cT#g|kO[\XkS4YU>Fu.ޡGacVAo̗ާ(8͂^x/RMLϦ[/ƭQ5}.-[=^cǭ!{+ndΌnΝFnܾ rI),ȭmǵc^۶d>9o2y}^v ̚Ȅ&a;r)YFb͙R'2' Cb˶8|^pp zMD #1IHL<;SI퍰.qnCvRUlBzaKcZ# ߄F Y]5eѨ@~ψ#3&,̅#:4$7rZ [Y?12Ly,SE;.h~))s$8A]7h}u*8f2h]C5jqFumhM<^<3Vhefgâ-YA>vL ~[>R}Jx9Vt]Ch U°"*Fg$S`[">Lf ][o_Eڨ-sqkcp3Y74X_|_rror+`S&jZx_OH y),vMmCQc`Ȕ{n= O,&d22ECrTOH]\K;fTìDc@[ &-#(H F8LYٗ{jthv)uf쇆/x;`*I37{]EҙPWkP V݀ s$]{:WEpru}iQ(F$? ӟ51>(;待&Y``#ʳE@ m_P4F`__Jg0Z1w}4eTAO GC]DGT}?Y|vC`[R0TAk /kci58Ɩ"{_!o}i8x`_>,,=!VB% 9u#nIR<`srqUGHSp}FmI{;ny"E b 0ې{nT~Tk #z թBε2CܕZ>㄀lXcհ!Rڨ q˰Yx>2Y5UhUC點UBuO )Uf9 2cM Q$Ws쳌O^|-o2vy؁~&=*T(w\/ɊᑿkP14јګ=I 6n@4>3)P #2&wi-tr+ϥf`wKۧ*:8y;|jEJQLo Y/a4WT8# j_#2PB̫Qbku3LY8eoH`oMn5S05 MUG9ZdnOZІkپ B:kz Yhc0L9;YXiMaHm f, R)qj mMÿMI92&-I)iBCZwm+z N٤BԌW}k9 d~N1vd@ڇ*2"a6 ?7 I/@vq5U ЧMS"J5k^|FD[\ 񗩚pzR'$kFGa?W դPbn6" NՃ|kզ Nyg3kdk="ۡ.m+2 oڃxgAAoB9w.]67  i/=/*r<0(ޢ-o/~UZނ=c{_vG7H]FY +V32EkȊi}w߽s1TPРAJ1C7nVg*Ռ"FD,~?L=W+<ɲk^e)Qrv'fEۭD'k|R?8$`pK@&u2D;),Prf쑯`]nנXO2ϗvz+l9dŠSҁt#|KGH<˘+4~|X:_6Nߧ 4/2wxD$jJf)#f{ Ս(H#qE~vvt/iLѝ`2DTǟ~"DX )uWm%l{Zj._ =u]}!/f͎!^ MK(' }g=6GK4~ S6L(FYFSuj9k"0Ú5sB}Nez@C}T&ZW渉q]-1i$|vGUA:>sYHf@-Fެ:khFOyKT¯Qj{AVeըa@Gv<2]L.͟4d7ޭA;܀%k*iڛ6A #aB0jZeg+2$ǺT6 +YKPG#>W)i:HM=euMeN/Ҩځ_[ێ8=B@~RtTGHj|p"F_8HĴTf-KOv3zp2!#(W+wQh%Cc8Bd{F,fyJrU;b`nZ1.SvC )ݚA'N4dgZ D\vҗa3,튥j|d߁@tп5z _-uŤ51 {8*Nd.OQJ4A+,~hǸ6V± C~?G=^[d`m r#Ljp,dyJ "Je5@]!k1<(E[B>gr>3<)cV)g, S2wFLRg | F2V!_$LҮ0Qcz*ޙ8b*@Zg2z5Aw{8i6ޒs:Hp* h§WwS# W(`\j*J͢q䀘#v&V%4";(wtAv,t1ѡ"҄::+E._DT`RwAMmaMQy{d2KR!fźX3Y3aؑ~m]uwM{IQ%`=Wi| 2:q lK_iD= #T@V~ ï::F7-\xI9h+ܲ%RtڋT璮C4u0fHARɜ]+xH:XiL9އ\5?tPAoҗm~vq}47뒻B=!WdUFJ[0U{blpHK2, xZ'jʒh|T0Jk3ܜ7偉@u,k@Ϙ@>.}BT6C(EBGJMMNO/2I.'kLӀFwKuwߌ8fJ}mpl}} D溱'sbo\7*foxEh` Y;鸷v(oPc*jl7^ur0C2\ ?5_c,(:qT n?.thz` ki-ՒTL _5!`9kO}r>?L+ycM}13:boȠAdz*^Z3Zm Cv3C?|hMwjƗ|ԜN.+ D(ݳ>VxD&9V֯@L=yxIV[! _ITq+ H ZڷkTZ҉ڀ/R!ɸ.Δ=H8;V&JXcNy' @鈊1LE@n=DίzgLB,/ﶈIx< ^l%ю ?}o,HF`o,.c;FP[IEVvcukr'r -نzG?R^"0c?")It$W4I BjORXtST" BnKm&!$>ˍP5.I2H|ʶBwjƗU2" U[[u!rš/BFXpိã#6XJ"1ݸWFo*bJ7muy&]-E(ݔin,Dh^2nGZk>_@cúٛ %8v|>o<>AMH9,71I|d&7]0ؙz-'WYh; +0Z 0E,P8py81:|c~ka…| e+;u UnzSsؠ2Z:*IН!/G}tǻ<u/w<ȍ#_+q tYz;i\Ψ*4BS|Cl>n 7M@w8'w FܞNÀ_b5*/鏐4a[( L~]eosh*4uCW0f/$F_c9%'O\hؘMG$:8(:{a8#{UJZO7ZAh󉞜#Y/z;*jTfcي7Vγ>>9k"fJnsΣqimfh8`G9}6pk kWzu  T}]kQYCH4m18!TͅLW8LqyhTݗ}EoW} pÌ0̖*(mXZ>wQik!Ğ+}<'=̓8&QNfjפ,4%a!߆"ՋˣͤLUf,O!%' >ԥ0]8&u"ub+-nHGٮ h/id[M#Z#a$aWKD`uP0~[2p$hN{kqp3gZOO,އsωE䵭pNKt`W&xT @YZG7miYiP< %Mmԭ6D*T}OwVuhÝ9sjeB8dv~| 򝏡uO>9V#u) Cq,%㓲eS|!Z"bb 'T;(2AK;%Դ9<VD)$?Ӂ:|oBkvxejP_@k2y}4⠔dNk5C/Ƨ,qɏ 3]-S #p{)dQ꼌zj.6r}Pn{~t%tIkL"sz㣜V^eΌFi`Nh썴/feMV _|[1bi@g6(hÿg4) B9>ʉ'.d&-j?)jbT@Rb'C~-uYy.0 as?*ҳ),9r?+Q}LnmnD.sy/=i;ĨϤ`9!d54;\e,]Z#}rbKfrL#"g $M\AB@LpF%!Cw5sWsBjbxnaMmMz4ɷ5"'/ qݭ檁 ?h ZA5<2{6Z̘ԽSıUwYuЩ_i7Qr7(j 2N*in (8RM=y\Dj.۰U`ܻ.>h$.(v4c[aYV,h͌ Sg`dO- 'hw}zj3?x{$\jiv3ö9@&yFK{k]]Ip`W'=cٳF h؏gA@ 3+>sZ5/|9y4WF|}_HQ "]\l1PkEP~~'69"Ot~ 0 3t-2jRPE`y6%鉖B|mbCo't8gpJz Z tY5]9C1eȐWj$qYZ̏5p<3oFXIo̦ZdX؍Ve"hFtOԏ~ulrf~ܥ f 6>ؚRG#ucqb Ew#KkG3 ;8㻮>8%iW0/> JGLZ.UoA]I=S&~bQM XR% d;J8MDJ2Ą}  pjz>Xw\,c:$sN= ,.f+`JmV+/ a})%ۺs4sчqKU}Ï*kO!j⧧LuwlrM9u7 /.%=IJ;͟fk䠉' Py4k6HoMddQ Yjn;RX|JN)M_Ft#N-ߛ"".@P5|zd\Xbtcc[l Ddgh쓡l=2_[Nub1S-B4=;(Δ 6;܍U.) G2JOT1m\o]^8Vfge-QwPgW%P#A-J_MJqVڤniLix`TGx 1䈶 R3/փX`-e*0OE^v=2%}'U"sM`ŝr {O_um(Q[Oz#Jq˳!gtP//"uJY$)N{Jq) fO+z[*?l#~W`=ir"zLX@"򶄄۷Bye58/5ttq fzcط#MFYky6F/{ eDž_D}".~.kF/H YrjIĸd48.̞.0R탂iv Z*ncr`'oU1؜RGb&Ԟgѡ0 la',2"b;H/Ww) %Ft4p Ő)!pE,@(ݾ8|kٴYObEuA} :Vde4Ջf"}UϦC6R+VR^iH?<]i|+G>vvL>u>O&[ F[ MG){ԢO?OL>l!aQ3{մ<_agf_֌՝ck@ɯQKz|F#l&C3М.aYmthBbߐN9Bs\Q3Fm|Ci$CAsVyweLLsf2@r"~`n͕3h:nI|ExlH&\Xkcc0}͸2]q9'!9\5hUu%~fsFڙh-x{X͎12%>JRi$HaBU!WC6%4>J9(ȅ~.odk 2ȄCrCGSq8y"gx.]lJJ_#t@1>mR.m"ٲAavyz`{'-j<)?:W)jw`挧k%w9UdO@ěyٿ/\KpDǷl>S7b(Đ jXޞ*;;G³B8SYP2g0=,tT'jN`i4|9a`u۰ s ]F_K(wwa5) !j%0].3܁D0`EL7߲LT7iwEqQ9 7S[u(ll~zid~Usr$+@xM)|nmFaiIZ8dCc!LfiQ[(q;8~'yZʵ?=Do$lh;beD-/p}:eY"rٳg=O }R(pEE!UeQoMyvJ "WmXͯSJUr#W"qb4PNYlzM9ԭ}e.-(H45L|EsYw;% s k5N%F94>a>ݵ@&sT,>0g 3O_PAd85uWcSwźԣP-J#C]~mBp6GU}ЍuFz˟8 &BF(LC0zMʨݖ:Սv__$@ԶђYLGD)7JHSgxJڅ. 2vt֥ulx}Rc8Eɗ~5r ʠ*:]3(XӺA[~FFH5U ڹ\Lbe"mQSpy<+03y^ T|6^SI9/Sbq'MkJ5ӫKϝ SH/`;torr]ٿ"}[Duچ]WI>* AFj38 L1ҤY6>iU")_& ׄ<+BʌJnFIۮ<&Zj;~/e=$QJ7C}zh Fj:m flΜЄ ͢/Mf68}Π%Y)'d-|7=N:#ep 1^N9Oͯcyk] :aŠRu{3cIG1|p ݤDd:j5՚s'4Xgq8 n } a@jG$(hv)][{ {/񾹦X計gk52`k־^Ry 9zq0Ęx*/G,sR3RASG75߳ -`4I: ~Ɇ>KH~ŝO7οMZ12*¾l.'󅴉W\q .'IorfLP]Hods'۾PX UH bِٵ\]Հ Yϑrߎ,i0'36P&zxJ.DhHdfCЦa~!ĠmZ}z8|[ j7  `i0~:as F&9ٖ5T{ږ/b-'9ɭ~Q,2#gj4Iҹ$VƿΎ2_ٜbsWH{Fv*X$R fle&}ua# 2o0mϬoMh)!3ؕs.ozwۂh ,`zhY<褄^[ urbp [s\aˆO/@kQؚCL~z 2Z}!LT W } 7K7pO)hV ox0$^ޢ6NX-KH5ndOlz%"жe0%Q%Z%`v ۑ_Y[WP Se:P]+ 3#7Gh/=jۀhW z]4m]OeK2X?BTML< oH̿ZӂGzҶC􉍩=UmlTI'@*JbhMMMLY9W-4G.KIBQVJP#D+Aܻ42[!=:6#6SghVc$#Rjփ/$4j_q!z8 {e^@n%򈰅i MPRNB [qX7mѣ8Exq8.'dcP9rو0FOژtǯZۭ(cg:$rBROr?}|15TH$"oQlFarЉ0@5[T:4) T!ϟ@4e|)w<3A[-dGq˞ۘu)z‰I׶r<В}R=l6j[9Pl .PX(hިLcCb^=-rm^ܰמm:cr E7 .M f&#@XbD1̵?#c|D~ *Y?عގU&t&OGiT1jqh ;v*W.F=TKb_լxvx%1 Ӄ6V3W{ $= bH!S1ֽ:YnIha",hFBZ6bJ. {~Pkx)[I9A+xRkQ7%$bKfl.תt?FuN*7w_K*#Ew,\ޓb䟖&W^uuJ2v^K/-3Z6@eJ*"3Aᓣ܄HNL^xch+Ew$mcxj4jtNQYcW_/c1<"s8 VQ&}9IҶoC>=IN=D0Db $eWboEM?mWU ;5yf`lT; TlxjVA68>4z_x\<& ЦH '" `ixAꤧ|J$FŀiǽդDԛlBB;ɹGb-V/LMɀ|8+ c|jWWH;&\#<>h,іE24bN&Fy;Na$V lL# ~I\.--a/Uׄ aY<dslhTy9Ec\-wZil^lF*(q9g|򶃹T<[Տ{.)aQ}1V.B\sx) i|{ۗ%VǍbRlL@z5Ox܅.5/\qPǫբ7 GQnh3Y-Oŗuߨg!Y cbq/}\rJ DEy"l} i [F}{cOtE݀ &3Mn詚Gy :Gy悗.}*g]6kҦ&ΩwlɩAkZ -,+ ![{]/!31ÎvQw"aŠ:uY:_,W7?.v>%YW 6ym(+ޱ# ߼%Jt%׏M8e0ba1xiP ~ "2M;{lo϶V{YGO>hYm¥", yL0a͍O5_jv~,FkNv_ӧnyt; , E7ܜOa]G1\U-.i*.cڮCmo 09&~ ځ2YVi,9ʍ.dnD·) 3XifyeߧڴAϔV]¤ebˉf+Hy,D!yo? hNLC8@0o\Yةj@]$Ք5,AEX2=AtOfN'<(*-H@6=Rv>Wn')= !|PClF颂x"`sOKC*(irƦ8kVA[v_zf[v}g/=THB5"6FzCXt'A:Tβʖb%#Zy@#&cM譼.*!3 t)-I1tpvj]_ h|+m{5u*%=-jj8IkwI~ RtzT3jx[(B5 j=M3Mc( 2T@' T7|EPa7jf㑥W[7-ŷR nMەSɯHk`1*F5T׊I 볋|aEӥ> /1{Lrsh'6Q׃e*5ɯE$Qݤ]L4Yf|/*2|?ڛ;SZ%q|g&Jbk28zz*>4E ":j$Ջ1s4CɆt2X+HPUoTFq̛'SEgQ, T҃Te(bݔ=Qrr*>c:1 D Jea3}ăk_AP 'g(H RQ/nw)蕈I@4T Q4 V|yAq>po3Qls~ʵάe(1V!m fč $6k_JxM;أ< 4;g<)Ii@֋K'3Ѝ7Ea:Q_!5Z7sEJ@[y?N Q6}0Ix֏44[ md((p\e+u gq4NJzg3 f۾ꎖfU -ot0L\q-:/t ni r(jmOwOCy|mt\EP.^&l\PVsGu{{ֻQ~|@#$A (K)yfUPZs8:^osg7ؒEm7GaG)b/a )ۙf}KXD1hty)v09OQNvkN3\ge,3%U3_򽈊!\Fʄ,/h5Wr6='>RgvޫW:aqD븮d;=w([P#%* _R(%9YԤ7ѹٵ qlXIxOyg  3^{)0ɀ)Q1uG]N dԢQ1l 6v'JtīuK0OI.(-p_6ȝ^#ijh9ayVI*+]aSΘc,CFSqf6O2!Dl`MM׺BLoi+p9=p{4lzQ%*ݒw`CY2qpᷕꊉ¸khS9Am-hٙ?0m6SĩGʆ"lL2]8KUrrBZ\ܾ7/ښ"u /t&. > n9Qvsf8uplRzs8@9Rַ9{Ofp9/ԣY` yN^Jn1]#y˪W |^8 Jfđ ٧a7-LSl6!i-6τouކZLD~Tgqu$d9dE"J%+.ᐨ!:| לG*]BȾŧL!iE ,`4ښhcdih l`=P'B5mq*Z(0UBK7EoPڼ-a\aX>/ h-N46zu_%^褅jR+rw}3qJY(4 7Ure৿v'[DU$$}Ԍ7Y3ќQ`! YgRl GMq{&_ۈϡϑ͋:?~!iJ/1d@5jᑛ~^l5wY8=Qn|P_~?6jW;dO ?i-XcEFw6ӈ#@Wp +Im,4\r5ҵýU>e|*<'\ml 8ch/r}_iI5CYڱv2 ^ CZik1IK Ƴ}_2C}(]< M;\ꜻlY_Zݣd'vAxWb(E>[vfWر@lRO``zAX I Er 1aV"%p eق4üYz "rCFe̸oYM$7 4WTZ+]@Ff7H)BOoBd~1tbx4!L2h hX%R_@% kJi F kG-Q1ga `4L+_Cg:E Q4dѲsʰY $Ô}vmʡEia+sh'06~n-eJymK՞J%( AKRW9wgVO2XE|;Q l 9oz`@tTv]8XN@̇8wwIŴ*hK,xIܽf" <.~[,lU0Xz3N%:&$պrߴY@ͼ+ha]ĨtS*jC#*}wi!vD]64Bk`MOm ?aL$ a`m~1DS$d_#SbXv+8 ; ow{(bJȏgNnbvcsVvVstRaLvEFG&..Vef+otC~X{/ q%ޚdpq@/~.*鷾i^F [5M D0A5ۙ>^C婀(0vuPt^S72ׄa=J%ŗ od1XȺ' m"F'p<$kBZ+VU_r2[ Hi0\g_*7?22eҸO!1(oli2j7!3eRSrOmldN p/E=zmT$-I\Ks2KHoA%UhW Un[|ũC)q氩YmAR~~o9F aʎ.IDq4`G(Xm]JEi\($yvwi &[v@l$bM`3H΍bm4Z)Uװs, c llp"Fp7_thgٶ O `צ:dpU&5OɖC0-N!8TCq~K!=i8*эO%  ñ@~?Bv󤜛 TZKðB#2P$f*[&Iaf8 dNBvFߠ)dk?NA44sE‹o5# Hn,v )J(ǢE4Y>EHJTBB}.ni +$.à3My*-k될_s\ 3[q 1y# ` գv'^QJ>K7[G!l3sڷ桾iZ3k ,[!eٝ&\fi2hI@P f%/BfハՌC]RYTrEA"S/d &'|sʩe0RzER Tʮig\@m)0]Dy]ao}(T9#F H;)x)g<;Ek$Ek e.Dipm-z7Gj e3fE**~Ë,>XƩ8ϒxf*IS#Y~Z Nf(ls9@ۄ1ګpdOw7$ϾO}ERҜ էkcn(;[h˿P"z=UcZG4(AadHw!d p9PA}=(kvk,#A,Q6>!fU[m cTc Eі8fL0_,>qКBI/8irhj 8+  MHWK.YԏSsP>abMf_|5f"v1Qvۭon+bhS4lX`2gc_{n~3B`$*W}(ut'ly u$qdXr*:L~1r( \;pGlO49ȦfVNV.C7ɷҏm`Tڐ~=?yڊFT N:"9>UFySdrωI{C C aJ:"4{ GwxR{iCzRyྒE&&יU&th NP=bEqGYcY">zXSDfB!2 f!1٪ȣ^hbKbAFbD=|RlGgG 9MߋPC?SjF MZJEAO}:D~d1wpZ6Saɣ>;Zݺsq%TXe1 }VQD'7މ=L[rsX\syi21xdYpVߊg_9pWDImI }lդR5Vc @䒭ͩ:`7IfE} _[MhF$H Ю,DkkjBnaDUJsodG px.}ga?}A J^/)4T&\2_IZhq'Akn㛨Dl {{)tΒ֓Fo8?[R]/ě ˳>D{1QV17`THfRuU+M;vG ig8u$ѠeCޭ|A\E6YGǷP.07:$ C:@yeyD?sȿƙØpE\*ɭ "ğ7{hĺ<) x9F*d6myF]mT>Om TcJ˓2+3}xN?eRk]:1x>@,o~HM7j‹UhdgC=27WùixѷDxY+K?(~@zBe`y#Fdh B3ksFDI !Pj9d$3>% Nt({w#x('wSgvqU  Ϯhy8Vh)p֕6?ԠFjJ^[Fb-xI[n/:v4'&%Il)[tϦ5ꋻ&ñnuSW) G-D"˦W#!]LTM.D^9t'pMkV0| ] 9AgGWgnP9TCguBrXKwcڪxF ֈqF[8[HT G?i;Pב be}^ES}`* ;oCcsDs\X瘐wvU] K]#2LGº;GFfXF`eI)̨kk6#ћu=3R`Z<>Nfv&e]ܱ9hG>5Ou>y?bMf\ZdXQ 7id* $Tͼ#C[REE;qwj~fKONJ.W4dM&c Y°S^`ˈO2rqP[uKJ ro`DA urY k2΢\nRs ][( @Q5ݏgRp"p'B{vSUϏ\EZ>j[n 9?^U+Mc^T\B(=yk RYnY}(3"ow\׳Qo!&ftˆPE;n.&(Q]WOP3~9bRS=6fҲnYQQa|(=K+%_<%ߢ0"!dao~b5F@ƌև-Շ҆*79~/e(D)-" /LJ Lr/}.&BJ5Lowc  ׄn$El?Kf;+aSew ЂUT-m?46.P>$5tۤJrCmCK \>˞-0~?B_N]k>:nG¢^Q|iw>|\vK_ſJHg8i7ͤ j_U[1~'X(hZ~ՕV%)7 Y 9oS=ӣ9b.TLZd xake.i-? 0>X)ד@3jE61 #OtWMƗ*vU]Lhv(k8Q>OA8Q|:* 4cߘN{;=y3\ {6Z^+CFݿϪ`RF\B xZeru-%Nۋqn^37g Ee:*>ĉ6Tn9 >nRMpk{0m|GՉČ#<[Bɘ]$t]*ѶS{hD&>J(NR5* ڤ+|Rm-{Viۈ^}mND"n ,?|X .o 2NRUbxZI=NHN0N{Ή: Nw2(5_-)I[)mRjf|="uÕ0rFXʵ_nC`x+!b{9E:ӝ#rLfXPs] S_,'ﱭOD,Z7mR[.P'zUw0H=^'95N TK$cM'`;3m~I q 27# 3lj UѶ6IԣA53J4gqqLE35jWb $S=(IA ;iA@_ <2Gщ6XntpetiOZ@nk2~oƟRCJ-"DBfqsF@c812 `=wJjA}E3ˉ-WL07n?@{aΔwEbjE+,˚a1樶.by-.Q 7Ut y#;"F ykfzF-)]"9;6XJRK.Y2Z%<ʢtmF6;[]J}0;^VPKl~$)m/@#>=N4_O8>ef?pȀHj,}FB; bH)b+dS\@yy{Rt )3]@-}7+>?3YGA+0`uҊݜ99Ns)ɑ k|E)i)d}5&>A8GKY gЂ|ۋͬӱ[lR}j0ҍvw:i8иh]%e_# Wi1/{c; V7#pЄ(~{TJuR5v35R})-P>{^!<| ?sVPk,P?uj]E>E.x˪e,u܊߭V0`Y3fcGȯʜCɋ/ WpHI9&xqc0C=*5@eq9XILY,Loė{3a s**㪥=,iP[:M5N+ccۊMUWхsQ\rC,!ypwsd;g^lnx> H2vrCZok|ls)s\:0V7Ѧĉ'aER\y/n#r!z֫zQrBrMx CVj;*A< V.ѐr E"o̰7S3c) 3&8JMl3=nx+Rr>FЬr'6Os{za|*~*9e撐G`ǒz?R O2 ep>&\_ %ۺ+o[[q$ab(MVQc8ƒTYTLDnˣI&葛;-$J = 14skX _kj FLxے2z ( [_}"UMdx|e#`G\) '-r D{{s3w6hI YNۥ% Ofk L"ui$?;󵓡opJCP, Qr﵁_G rw}azN( Ar}`-s#TAQ vv5H{E>jM|K:~yI7D9YL0/*.!БXQȵYAל& x*奸#xSjauT[c_d4\9IRqFNZR% @I(Pԣc6 W040Сp^ƲƹX@<89( a@)`B{Kʖ=Mt)kzmI8@W-1_(^Mzdf}&;=qOdek;<7[f4|7WMtE"aY[߱ sW!'NgfZع]3mQ3^ĺV >T"b\<Uي޳g4:|eɹ,V, 8 f gSjc$ԖH֘,2RU |d$W=E㽗N $m"@3Cٍq9'^wB$*)_.E¤+[֣YA\Ӊ . j~0\<P MwhrVd_K7bV4} #ōl4^v;EږJAMN:Dۖ"P4cbܿR 0C8=IŠ < kytš.[hubR`vĝL\v!pI> џ즨s:]b(" 7:wOF/ݨU a쭣9')7ȉQ^;,o }h9 @Tng5z7zi ! 3KWVWJQ*TwF͐b,5hwП+z ˵$4 oZ7|큙QHu.I S+8odKOڟ`HДc&J`6Ӥ]A-$ "LjP{jYuͷ#FzLB wmgiYh]XdIzĮp ǟw@.}"xσc ~h " ѯ:y; )إwhpBOQ[oݤrWa<ƸC|'cHX4v=Ew%WX?^\4<8U#1ؗ p!˴؅I]LA|/ZV0hԢvf٭tWWyzqz\>vDJvNFt툗>Vi6i= ^"}r8|2dԗZ*I&Ab:ÞSwFO(+6nw:T|( Ce7,ah )\` E*븬h衁U (`d®婂(A"3%?~,.} ͨT؞Uqs!vp- NOԘ 'jXI+ѭ@Ȧ%//QA˄}9׫]k2:ks&Pw[`:ŋK!/47[L{˳<%&}4/S9r*/b-2emat>mYajB[NZ&䙶9݃M@/}O/:a/0Mϥxlf ~NRjpF_'*ܞ+ݟr|eG_-CA%`4P0 fn/WāHEmt`/gr~C6'~mBh0$AĒ Z.<R\~>h@_)l02aZ+Zg\ .+ ғR|kh8{C61 gĎ2mDR)"-q!; (Y%a$xK~RZ}%L(:+!պ4*Dz_gm3J\ueLH 1ZBJ'C:i;v_k|!񑢭N h8)G\TPЈEEiAkTaUm\塋9j].5 8gaN+Yk7 9*v  \}lSٹ RYǓֶg;9uFO+O@-5+?г ?И;os;PtѾDZ&.O/gT)%K}z6 -[MZ u1˵d̿`Ý tQ|GS4F1*>JE6%gdN)LT4Pͽa[` jzv2JPBmwz}Smr198K^B̊@;sJ~}x}R S4^:&ySXԞtBó岣O =K# cYذgS|87qE`"<) Dn0RSx3 l=Uof9yeӋ[a2Yu/Fse>[p7Uʹ `Tm3jlゞECZ161=.Xd lf*R({reG;Qp-m`O_'fG?ֹAԮޠtDwLLc$0rm!~VwiW>ih0!B#Q2`i(H /gVȃ.%}2EkS,#WKc&Up~UH*hJӼ[S[N?*)<Pk6V#XHw:'vEBid>N뙞I@MfIEFbK vQ^:rlpQe V~ &#!vMKpe9,ȉU_N?~}Ƞ>966+-6*{w,ؽV솭š*фU{1eXFTQucUNC(r:L~Oc UYd,"%cp5-Q!8I\<?GPB/Ql}E//[{D$3HbbTܤ<g׎;"'+1"41Z[!4Xq ‚Eܳ%1H|=K%p{Z281D.h:uiIؼ}ELB2%jMؘ!v{m=L;A;K)h?WVnyqoi=#N^ەMh4<OM-")(`|Jjg"eS|)AvJ|-|)Ӏ\VDZ[̜ç̸b6?SY_1jYo%iqf.IWi͇ OsݎWl7ܝH&wtY 4\Tò)@aQlDs#ipû\nJ0,٘dXc`$l7â1gV[6b{|1fBBI< ]$-?m(f.D-B*1Zȍ @8c '5Lq%vp@:B% ?ęT Xhjz6=*/X?ѻp;J$G^o:u6ff9 њ#UA08z;}:0`=| 0Ǟx]K Iu`#pL7|O#;qJ&U;0y j7HϣȉV5RT \S,k_3o9d~Ut ^D_, XOxb7v$ JL||FC!s8\z-歿D~)* 4Y¶yd9YQҚL%RV-5H&{Hb+葧I-`$B>$K;jT9* ǘA<ϯѿ(g;{֌Im=I@V3|RJ/a.).'YȳC-]sh=mO@^*x\?Z>IA.5Yld\M懝,0s*Bg+ߔViH{t~hPiX֙gZ9fNn[,KgD,{6ںdDڀ|ő ZȉiF:V+0 w^b|TeziG>`6e<x'3KQ1'"6J֏AȺӅcv)`jj̺_JyJ\-1JMLr0_IӊbG3_7*(>U`3khtJ(䰝iek}#Qi¦5]X=J$w^,2VR2oϒ[4h" ?=$+Ykb:L<mnJJ.ΐMS/43ooL Jߘ\WYEKv<%'xPpX OM -;}0'U9a붤vӺf(!OD5{Y е?1 .TL} x nK*ʽ挏sYD˛f(#O%睱,䉥y[ӒCu(*/+Z++!֫+Yb@l6{HT09k>~I&ڮԠC piDf8\-0YY<n:@eHywiKd:;su$Om!}[VW|=h+}W~YuaN?}G@XW{'5 a:i3;tscd%s_!Wwn \4<J;Y5Y3^ctCYcq[Ip5n$g/0 lMѻK&ς:^ub: *5w,ժh8?y*m&q"-P+ի/Ūp{.܇)K3dcbؘK&05RnԌVo0=t44 4Vs4wmxh|%4>oF$15qL$v;Cڍ?ǻ~_+月MS_R5+Uɸ}iۥW:$f hMB37+oX[K#2U2 yBnKv-DXsu \Uz>o7,6FX4AkE`yѩTޣ*hy!0g{Xu#ex?%<΂BUKa|e9˴ۜޥ={WX88<>-ƚ.qiQERpiAFѓ^8{jaQx|VQ;;Xuuϙ8,Z<e²sf}BUoԺ0R3 _Q8{͠]Sɴ離IDſvʋT,BPȱQCM *P<+a#)7Q9ƅܬ2z? &:"͍gUA]J=j-SpkJ!DA4 r{GIh:Ms`Ǧ *?dLKq#4s6':ߝ#/NF8bvy>rY%[X.8 Z%?dEit>=#XVfuMQt@}ݾV-TRX !}A h#oa󽜚[{&Y>nEJ.j4L7Ϫ ,ܢlk=G R=i @%}>+Lv<كd. 'ħFXCMs +^ ;&qj@Y `XEx_] wr7teC{AxM7~0Ý-eUPԦpLMSdҪNJb[TCzk-ؗkzI-_ϊ^UX b*Q[hhe1ቮMkˎRגޜ,x4`N! pJ(wbT$:M.i159΋a@(i[1b]hAdԎQHPːrАb:B k^u";ar{kh=Dd<~_pw%L>amh`ue=w(<+0څqw5Ho#z$گwv@ׅ' p TavDVu},Ł(oi}Oۯԇ'G)x _3NRZ0}Li6j gAbzk[OA+" $aЭB}{xg H~]zNγqV.lqltBu H8 t<1n' ʾo_1.9JmSi1Lddd`n|B!) zAxߞZի[Dd㺇X>?_c*|5Du4%2–6+Շ[ J]'/C&u/l O;P`獳0+*M鱸(DŽAZ⇂˲K\mm{(Yk _S7K@V=N nEEվ;R`$"ƵA~ œΠnM_ |Gl ^ks*S_>0RUCBcvdX|L\$y.uJᳩ M{C)0j=-" Hw)` ) Ś\R 8:5`b&2g?p%b8=.@.7PPVub(`r(LqXhk`zPR:mߟ|2jd#m.d/QI%fn䁛%}_A׽#fɊRˆT:X"40@xض92XǨȕ9b~61F滸4q\(1!D|MАh/1a.]"gAX&t>Ke LAR"Q 7ޮ=mb?"nH#;nd}ŵ ]*u8bpyxуp|tĝ9g+8*49kzTl} c(QK1 ӀRX&:%MfܝcIOYG0RbN6`5fHsfO<*xu8QS+߅Ha7&_25yh (>=iV=0u]hӇ2Ý\qXj2vD'5rb^oҠ6b׆IXBE@wM]'& ?9dKoF>LjJꊡbDxȔ_&CLH! cO-sv8a={ʡ{ߏTx@2LS29Teq5wb-ͱ3laO6wNЙbMT+R!%+%W|1Q!}>L 21"kVs' %VʛUa9e;i.xI6' i(a/)QJc;xxԗkǦT`n^U6-,eJ?R讀Xqt۾s\-qfF GU ՉطĜ˲Wƅ z5]4^dftclQK-sg]Q2MCFe9 Fs )7/^j0r/C(HJll҈][eRȝ߉İ+2h]3 -cTwάWCew2_͂uSՉ/륎@ކEZtza}^=4cEfYSXCEY\Qǒ" a';?St@>hbפj%I*z5bLFˋ ddD3mHp$.Odci/(ܣBt9bb0E}YA5 ZRʌjW0b);6OiYӉ_Gn}e9Gp!ѽWтkCfNH_# 2p${SP; UddC;b pgK8[ڏ5L-ラ,.XSbV90Da*ZrjȎ'*:]l P_j*6>>"4*ERCg/ uPB1}aN>ٹk\8akL8Z$'Ds涼.K"2̃ 8_,6(rd =8|R ]#G`L'vD!M J6awbd]k_vRLŨu+NLa_ǿJF'mS 3Ԛě=5ƓHǏ7 ^q:]}lےX7tӊݟ"BcӜ@ SqG:*Mu_#,Mbkz*Pl{*=uqع(v dzlLBbL̟hn ("6H@Nn P>-; "zkbRޅ*S#[4_- ^bIByp~~Z(#=&0pr0J`ɣ}̓w"{bJp}Nb nka|ud?6`8:~["\`K[cRIw*Xw%z,ZBA!mz2}?[.N⺗zTĴj&e7A\8FWC Cmy%I˪Pl~Dq l/Cs>ܨN4FrIIW!YT+y(eIK)i8RjwdŎmHX/t "%<]"hU0iz;؈/2n8D3GrycTS]b$ZI7Q&_YV+CU91F) CY3'/: .Bg_Asvˀ35j[Z`6)fH/Ȟ:ʼnN!*C: *q'qӫ%/ƾ cB#9sioLPJd;phTBB~ )uG~58_$F10 k 6 H !`!?OyΆ$#쬢.ao YwqIKpI%zf~ eބ֣7a雩9cuE VŰ\w#J{HZ<AR۸ :$'B'638K-c % b񰢏~(Ze8>j-]'$m (Vz!?ր^im63kg5-6ܓk=Η:Z /ֳ;&/ݸ0<0=0$Z6|j~md~*2 !L`ùA$U؃5b5d::2E{c5ގ/BcE\FU{9 .ͽ9S{i܏ڣʭ=P3#e2$Dw [~Wg@&^<' 7Fd!hFݜP2u: x#{n~t?Ɏ3?݋ \tP?|P~Bt{ܸJyn^@L(.5a*Ŭ1W,ŕ- E[Q\LऌPN y99E|u3q)?Ŏz#v͢GpPUߏU:6{>ӝ"QJ/I,z:յ-C2 }}5JL"x3|iqjޕMVlBаMYE4h ?dǀ /`GAĄLErș*U!uW[T`0),(aW嘎5ġ2zS~>] p2ɣd_kKEv,9 J5hq<[,/Du)K(v8%wq N1_MxVsw7XKCTsw(D/qZxsMR]&Jz hՁHE0u msP$-yz"B `!٬jXrɁ7Z6E|A]Pط!c kq{*l?BUWudrqT=v'(ض\f殯#"(R=EnA*gzt6ke+栘23d)\ueSqCe) 6 fDӊ|kWJMz8ҧ@ָ{@$FK%Ze+}*LWms0XH3*/':– (p6ꬓV\%o͞Zs _;ߢf/ [g͐KT|_9ćoӑPL~H-hHPـCF~1zFBON _[@2sgPµ7 E0|YI `Z12YPRp!iR$ !u1uF,P WPdF"yMMQRFƲbTma Lxl1?CWDe+I d>/(q7B7u/ܯcAngT5b]IY:ӑ5ѽA"c1f3j+YTxOԘ U^/n *R{wGܪjh"*U-761Bjz],9ca\*jp ȽK*;50zP; YZ