wpa_supplicant-gui-2.10-150500.3.3.1<>,geܲp9|7 u_L6}(k_u:"w9#Dz{|+v*D0vWzSٖ߱qAEF:ʥK2W99>k)JRcrI^swPTDVpYg!" {`f=b)ZTIq7룭Z$&j" ׅ<+KF8>T?Dd ' J , BNkq|      *4`h&(S8\*9*: d*FxGHIXY\]^b cd;e@fClEuXv`wxyz@Cwpa_supplicant-gui2.10150500.3.3.1WPA supplicant graphical front-endThis package contains a graphical front-end to wpa_supplicant, an implementation of the WPA Supplicant component.eܲnebbiolo SUSE Linux Enterprise 15SUSE LLC BSD-3-Clause AND GPL-2.0-or-laterhttps://www.suse.com/Unspecifiedhttps://w1.fi/wpa_supplicantlinuxppc64le 큤eܲeܲc624f646c36a2dfbb7f20df1e3a6f1a83418ebadcd1f1150839c3288c509dbfed57783ead2cca37539bf8b5c4a81b8105c2970de177652fe1a027433593467aarootrootrootrootwpa_supplicant-2.10-150500.3.3.1.src.rpmwpa_supplicant-guiwpa_supplicant-gui(ppc-64)@@@@@@@@@@@@@@@@    libQt5Core.so.5()(64bit)libQt5Core.so.5(Qt_5)(64bit)libQt5Gui.so.5()(64bit)libQt5Gui.so.5(Qt_5)(64bit)libQt5Widgets.so.5()(64bit)libQt5Widgets.so.5(Qt_5)(64bit)libc.so.6()(64bit)libc.so.6(GLIBC_2.17)(64bit)libgcc_s.so.1()(64bit)libgcc_s.so.1(GCC_3.0)(64bit)libpthread.so.0()(64bit)libpthread.so.0(GLIBC_2.17)(64bit)libstdc++.so.6()(64bit)libstdc++.so.6(CXXABI_1.3)(64bit)libstdc++.so.6(CXXABI_1.3.9)(64bit)libstdc++.so.6(GLIBCXX_3.4)(64bit)rpmlib(CompressedFileNames)rpmlib(FileDigests)rpmlib(PayloadFilesHavePrefix)rpmlib(PayloadIsXz)wpa_supplicant3.0.4-14.6.0-14.0-15.2-14.14.3e}@c@b@b@`lM@`?z@`:4@`_|\@_i@_i@^@^@^|@^|@^Y]]>[<@[[ā@[[;@[@[QY@X@X]W@VU@VŲ@V`V=@UKSUCjU8U'@U/@TBV@cfamullaconrad@suse.comcfamullaconrad@suse.comcfamullaconrad@suse.comcfamullaconrad@suse.comcfamullaconrad@suse.comcfamullaconrad@suse.comcfamullaconrad@suse.comcfamullaconrad@suse.comsp1ritCS@protonmail.comcfamullaconrad@suse.comsongchuan.kang@suse.comcfamullaconrad@suse.combwiedemann@suse.comcfamullaconrad@suse.comilya@ilya.pp.uatchvatal@suse.comtchvatal@suse.comilya@ilya.pp.uailya@ilya.pp.uakbabioch@suse.comro@suse.dekbabioch@suse.comkbabioch@suse.comkbabioch@suse.comro@suse.demeissner@suse.comobs@botter.ccdwaas@suse.commeissner@suse.comtchvatal@suse.comlnussel@suse.decrrodriguez@opensuse.orgcrrodriguez@opensuse.orgcrrodriguez@opensuse.orglnussel@suse.demichael@stroeder.comro@suse.dezaitor@opensuse.orgcrrodriguez@opensuse.orgstefan.bruens@rwth-aachen.destefan.bruens@rwth-aachen.destefan.bruens@rwth-aachen.de- Add CVE-2023-52160.patch - Bypassing WiFi Authentication (bsc#1219975) - Change ctrl_interface from /var/run to %_rundir (/run)- update to 2.10.0: jsc#PED-2904 * SAE changes - improved protection against side channel attacks [https://w1.fi/security/2022-1/] - added support for the hash-to-element mechanism (sae_pwe=1 or sae_pwe=2); this is currently disabled by default, but will likely get enabled by default in the future - fixed PMKSA caching with OKC - added support for SAE-PK * EAP-pwd changes - improved protection against side channel attacks [https://w1.fi/security/2022-1/] * fixed P2P provision discovery processing of a specially constructed invalid frame [https://w1.fi/security/2021-1/] * fixed P2P group information processing of a specially constructed invalid frame [https://w1.fi/security/2020-2/] * fixed PMF disconnection protection bypass in AP mode [https://w1.fi/security/2019-7/] * added support for using OpenSSL 3.0 * increased the maximum number of EAP message exchanges (mainly to support cases with very large certificates) * fixed various issues in experimental support for EAP-TEAP peer * added support for DPP release 2 (Wi-Fi Device Provisioning Protocol) * a number of MKA/MACsec fixes and extensions * added support for SAE (WPA3-Personal) AP mode configuration * added P2P support for EDMG (IEEE 802.11ay) channels * fixed EAP-FAST peer with TLS GCM/CCM ciphers * improved throughput estimation and BSS selection * dropped support for libnl 1.1 * added support for nl80211 control port for EAPOL frame TX/RX * fixed OWE key derivation with groups 20 and 21; this breaks backwards compatibility for these groups while the default group 19 remains backwards compatible * added support for Beacon protection * added support for Extended Key ID for pairwise keys * removed WEP support from the default build (CONFIG_WEP=y can be used to enable it, if really needed) * added a build option to remove TKIP support (CONFIG_NO_TKIP=y) * added support for Transition Disable mechanism to allow the AP to automatically disable transition mode to improve security * extended D-Bus interface * added support for PASN * added a file-based backend for external password storage to allow secret information to be moved away from the main configuration file without requiring external tools * added EAP-TLS peer support for TLS 1.3 (disabled by default for now) * added support for SCS, MSCS, DSCP policy * changed driver interface selection to default to automatic fallback to other compiled in options * a large number of other fixes, cleanup, and extensions - drop wpa_supplicant-p2p_iname_size.diff, CVE-2021-30004.patch, CVE-2021-27803.patch, CVE-2021-0326.patch, CVE-2019-16275.patch, CVE-2022-23303_0001.patch, CVE-2022-23303_0002.patch, CVE-2022-23303_0003.patch, CVE-2022-23303_0004.patch: upstream - drop restore-old-dbus-interface.patch, wicked has been switching to the new dbus interface in version 0.6.66 - config: * re-enable CONFIG_WEP * enable QCA vendor extensions to nl80211 * enable support for Automatic Channel Selection * enable OCV, security feature that prevents MITM multi-channel attacks * enable QCA vendor extensions to nl80211 * enable EAP-EKE * Support HT overrides * TLS v1.1 and TLS v1.2 * Fast Session Transfer (FST) * Automatic Channel Selection * Multi Band Operation * Fast Initial Link Setup * Mesh Networking (IEEE 802.11s) - Add dbus-Fix-property-DebugShowKeys-and-DebugTimestamp.patch (bsc#1201219) - Move the dbus-1 system.d file to /usr (bsc#1200342) - Added hardening to systemd service(s) (bsc#1181400). Modified: * wpa_supplicant.service - drop wpa_supplicant-getrandom.patch : glibc has been updated so the getrandom() wrapper is now there - Sync wpa_supplicant.spec with Factory- Enable WPA3-Enterprise (SuiteB-192) support.- Add CVE-2022-23303_0001.patch, CVE-2022-23303_0002.patch, CVE-2022-23303_0003.patch, CVE-2022-23303_0004.patch SAE/EAP-pwd side-channel attack update 2 (CVE-2022-23303, CVE-2022-23304, bsc#1194732, bsc#1194733)- Add CVE-2021-30004.patch -- forging attacks may occur because AlgorithmIdentifier parameters are mishandled in tls/pkcs1.c and tls/x509v3.c (bsc#1184348)- Fix systemd device ready dependencies in wpa_supplicant@.service file. (see: https://forums.opensuse.org/showthread.php/547186-wpa_supplicant-service-fails-on-boot-succeeds-on-restart?p=2982844#post2982844)- Add CVE-2021-27803.patch -- P2P provision discovery processing vulnerability (bsc#1182805)- Add CVE-2021-0326.patch -- P2P group information processing vulnerability (bsc#1181777)- Add wpa_supplicant-p2p_iname_size.diff -- Limit P2P_DEVICE name to appropriate ifname size (https://patchwork.ozlabs.org/project/hostap/patch/20200825062902.124600-1-benjamin@sipsolutions.net/)- Fix spec file for SLE12, use make %{?_smp_mflags} instead of %make_build- Enable SAE support(jsc#SLE-14992).- Add CVE-2019-16275.patch -- AP mode PMF disconnection protection bypass (bsc#1150934)- Add restore-old-dbus-interface.patch to fix wicked wlan (boo#1156920) - Restore fi.epitest.hostap.WPASupplicant.service (bsc#1167331)- With v2.9 fi.epitest.hostap.WPASupplicant.service is obsolete (bsc#1167331)- Change wpa_supplicant.service to ensure wpa_supplicant gets started before network. Fix WLAN config on boot with wicked. (boo#1166933)- Adjust the service to start after network.target wrt bsc#1165266- Update to 2.9 release: * SAE changes - disable use of groups using Brainpool curves - improved protection against side channel attacks [https://w1.fi/security/2019-6/] * EAP-pwd changes - disable use of groups using Brainpool curves - allow the set of groups to be configured (eap_pwd_groups) - improved protection against side channel attacks [https://w1.fi/security/2019-6/] * fixed FT-EAP initial mobility domain association using PMKSA caching (disabled by default for backwards compatibility; can be enabled with ft_eap_pmksa_caching=1) * fixed a regression in OpenSSL 1.1+ engine loading * added validation of RSNE in (Re)Association Response frames * fixed DPP bootstrapping URI parser of channel list * extended EAP-SIM/AKA fast re-authentication to allow use with FILS * extended ca_cert_blob to support PEM format * improved robustness of P2P Action frame scheduling * added support for EAP-SIM/AKA using anonymous@realm identity * fixed Hotspot 2.0 credential selection based on roaming consortium to ignore credentials without a specific EAP method * added experimental support for EAP-TEAP peer (RFC 7170) * added experimental support for EAP-TLS peer with TLS v1.3 * fixed a regression in WMM parameter configuration for a TDLS peer * fixed a regression in operation with drivers that offload 802.1X 4-way handshake * fixed an ECDH operation corner case with OpenSSL * SAE changes - added support for SAE Password Identifier - changed default configuration to enable only groups 19, 20, 21 (i.e., disable groups 25 and 26) and disable all unsuitable groups completely based on REVmd changes - do not regenerate PWE unnecessarily when the AP uses the anti-clogging token mechanisms - fixed some association cases where both SAE and FT-SAE were enabled on both the station and the selected AP - started to prefer FT-SAE over SAE AKM if both are enabled - started to prefer FT-SAE over FT-PSK if both are enabled - fixed FT-SAE when SAE PMKSA caching is used - reject use of unsuitable groups based on new implementation guidance in REVmd (allow only FFC groups with prime >= 3072 bits and ECC groups with prime >= 256) - minimize timing and memory use differences in PWE derivation [https://w1.fi/security/2019-1/] (CVE-2019-9494, bsc#1131868) * EAP-pwd changes - minimize timing and memory use differences in PWE derivation [https://w1.fi/security/2019-2/] (CVE-2019-9495, bsc#1131870) - verify server scalar/element [https://w1.fi/security/2019-4/] (CVE-2019-9497, CVE-2019-9498, CVE-2019-9499, bsc#1131874, bsc#1131872, bsc#1131871, bsc#1131644) - fix message reassembly issue with unexpected fragment [https://w1.fi/security/2019-5/] (CVE-2019-11555, bsc#1133640) - enforce rand,mask generation rules more strictly - fix a memory leak in PWE derivation - disallow ECC groups with a prime under 256 bits (groups 25, 26, and 27) - SAE/EAP-pwd side-channel attack update [https://w1.fi/security/2019-6/] (CVE-2019-13377, bsc#1144443) * fixed CONFIG_IEEE80211R=y (FT) build without CONFIG_FILS=y * Hotspot 2.0 changes - do not indicate release number that is higher than the one AP supports - added support for release number 3 - enable PMF automatically for network profiles created from credentials * fixed OWE network profile saving * fixed DPP network profile saving * added support for RSN operating channel validation (CONFIG_OCV=y and network profile parameter ocv=1) * added Multi-AP backhaul STA support * fixed build with LibreSSL * number of MKA/MACsec fixes and extensions * extended domain_match and domain_suffix_match to allow list of values * fixed dNSName matching in domain_match and domain_suffix_match when using wolfSSL * started to prefer FT-EAP-SHA384 over WPA-EAP-SUITE-B-192 AKM if both are enabled * extended nl80211 Connect and external authentication to support SAE, FT-SAE, FT-EAP-SHA384 * fixed KEK2 derivation for FILS+FT * extended client_cert file to allow loading of a chain of PEM encoded certificates * extended beacon reporting functionality * extended D-Bus interface with number of new properties * fixed a regression in FT-over-DS with mac80211-based drivers * OpenSSL: allow systemwide policies to be overridden * extended driver flags indication for separate 802.1X and PSK 4-way handshake offload capability * added support for random P2P Device/Interface Address use * extended PEAP to derive EMSK to enable use with ERP/FILS * extended WPS to allow SAE configuration to be added automatically for PSK (wps_cred_add_sae=1) * removed support for the old D-Bus interface (CONFIG_CTRL_IFACE_DBUS) * extended domain_match and domain_suffix_match to allow list of values * added a RSN workaround for misbehaving PMF APs that advertise IGTK/BIP KeyID using incorrect byte order * fixed PTK rekeying with FILS and FT * fixed WPA packet number reuse with replayed messages and key reinstallation [https://w1.fi/security/2017-1/] (CVE-2017-13077, CVE-2017-13078, CVE-2017-13079, CVE-2017-13080, CVE-2017-13081, CVE-2017-13082, CVE-2017-13086, CVE-2017-13087, CVE-2017-13088) * fixed unauthenticated EAPOL-Key decryption in wpa_supplicant [https://w1.fi/security/2018-1/] (CVE-2018-14526) * added support for FILS (IEEE 802.11ai) shared key authentication * added support for OWE (Opportunistic Wireless Encryption, RFC 8110; and transition mode defined by WFA) * added support for DPP (Wi-Fi Device Provisioning Protocol) * added support for RSA 3k key case with Suite B 192-bit level * fixed Suite B PMKSA caching not to update PMKID during each 4-way handshake * fixed EAP-pwd pre-processing with PasswordHashHash * added EAP-pwd client support for salted passwords * fixed a regression in TDLS prohibited bit validation * started to use estimated throughput to avoid undesired signal strength based roaming decision * MACsec/MKA: - new macsec_linux driver interface support for the Linux kernel macsec module - number of fixes and extensions * added support for external persistent storage of PMKSA cache (PMKSA_GET/PMKSA_ADD control interface commands; and MESH_PMKSA_GET/MESH_PMKSA_SET for the mesh case) * fixed mesh channel configuration pri/sec switch case * added support for beacon report * large number of other fixes, cleanup, and extensions * added support for randomizing local address for GAS queries (gas_rand_mac_addr parameter) * fixed EAP-SIM/AKA/AKA' ext auth cases within TLS tunnel * added option for using random WPS UUID (auto_uuid=1) * added SHA256-hash support for OCSP certificate matching * fixed EAP-AKA' to add AT_KDF into Synchronization-Failure * fixed a regression in RSN pre-authentication candidate selection * added option to configure allowed group management cipher suites (group_mgmt network profile parameter) * removed all PeerKey functionality * fixed nl80211 AP and mesh mode configuration regression with Linux 4.15 and newer * added ap_isolate configuration option for AP mode * added support for nl80211 to offload 4-way handshake into the driver * added support for using wolfSSL cryptographic library * SAE - added support for configuring SAE password separately of the WPA2 PSK/passphrase - fixed PTK and EAPOL-Key integrity and key-wrap algorithm selection for SAE; note: this is not backwards compatible, i.e., both the AP and station side implementations will need to be update at the same time to maintain interoperability - added support for Password Identifier - fixed FT-SAE PMKID matching * Hotspot 2.0 - added support for fetching of Operator Icon Metadata ANQP-element - added support for Roaming Consortium Selection element - added support for Terms and Conditions - added support for OSEN connection in a shared RSN BSS - added support for fetching Venue URL information * added support for using OpenSSL 1.1.1 * FT - disabled PMKSA caching with FT since it is not fully functional - added support for SHA384 based AKM - added support for BIP ciphers BIP-CMAC-256, BIP-GMAC-128, BIP-GMAC-256 in addition to previously supported BIP-CMAC-128 - fixed additional IE inclusion in Reassociation Request frame when using FT protocol - Drop merged patches: * rebased-v2.6-0001-hostapd-Avoid-key-reinstallation-in-FT-handshake.patch * rebased-v2.6-0002-Prevent-reinstallation-of-an-already-in-use-group-ke.patch * rebased-v2.6-0003-Extend-protection-of-GTK-IGTK-reinstallation-of-WNM-.patch * rebased-v2.6-0004-Prevent-installation-of-an-all-zero-TK.patch * rebased-v2.6-0005-Fix-PTK-rekeying-to-generate-a-new-ANonce.patch * rebased-v2.6-0006-TDLS-Reject-TPK-TK-reconfiguration.patch * rebased-v2.6-0007-WNM-Ignore-WNM-Sleep-Mode-Response-without-pending-r.patch * rebased-v2.6-0008-FT-Do-not-allow-multiple-Reassociation-Response-fram.patch * rebased-v2.6-0009-WPA-Ignore-unauthenticated-encrypted-EAPOL-Key-data.patch * wpa_supplicant-bnc-1099835-fix-private-key-password.patch * wpa_supplicant-bnc-1099835-clear-default_passwd_cb.patch * wpa_supplicant-log-file-permission.patch * wpa_supplicant-log-file-cloexec.patch * wpa_supplicant-git-fa67debf4c6ddbc881a212b175faa6d5d0d90c8c.patch * wpa_supplicant-git-f5b74b966c942feb95a8ddbb7d130540b15b796d.patch - Rebase patches: * wpa_supplicant-getrandom.patch- Refresh spec-file via spec-cleaner and manual optimizations. * Change URL and Source0 to actual project homepage. * Remove macro %{?systemd_requires} and rm (not needed). * Add %autopatch macro. * Add %make_build macro. - Chenged patch wpa_supplicant-flush-debug-output.patch (to -p1). - Changed service-files for start after network (systemd-networkd).- Refresh spec-file: add %license tag.- Renamed patches: - wpa-supplicant-log-file-permission.patch -> wpa_supplicant-log-file-permission.patch - wpa-supplicant-log-file-cloexec.patch -> wpa_supplicant-log-file-cloexec.patch - wpa_supplicant-log-file-permission.patch: Using O_WRONLY flag - Enabled timestamps in log files (bsc#1080798)- compile eapol_test binary to allow testing via radius proxy and server (note: this does not match CONFIG_EAPOL_TEST which sets -Werror and activates an assert call inside the code of wpa_supplicant) (bsc#1111873), (fate#326725) - add patch to fix wrong operator precedence in ieee802_11.c wpa_supplicant-git-fa67debf4c6ddbc881a212b175faa6d5d0d90c8c.patch - add patch to avoid redefinition of __bitwise macro wpa_supplicant-git-f5b74b966c942feb95a8ddbb7d130540b15b796d.patch- Added wpa-supplicant-log-file-permission.patch: Fixes the default file permissions of the debug log file to more sane values, i.e. it is no longer world-readable (bsc#1098854). - Added wpa-supplicant-log-file-cloexec.patch: Open the debug log file with O_CLOEXEC, which will prevent file descriptor leaking to child processes (bsc#1098854).- Added rebased-v2.6-0009-WPA-Ignore-unauthenticated-encrypted-EAPOL-Key-data.patch: Ignore unauthenticated encrypted EAPOL-Key data (CVE-2018-14526, bsc#1104205).- Enabled PWD as EAP method. This allows for password-based authentication, which is easier to setup than most of the other methods, and is used by the Eduroam network (bsc#1109209).- add two patches from upstream to fix reading private key passwords from the configuration file (bsc#1099835) - add patch for git 89971d8b1e328a2f79699c953625d1671fd40384 wpa_supplicant-bnc-1099835-clear-default_passwd_cb.patch - add patch for git f665c93e1d28fbab3d9127a8c3985cc32940824f wpa_supplicant-bnc-1099835-fix-private-key-password.patch- Fix KRACK attacks (bsc#1056061, CVE-2017-13078, CVE-2017-13079, CVE-2017-13080, CVE-2017-13081, CVE-2017-13087, CVE-2017-13088): - rebased-v2.6-0001-hostapd-Avoid-key-reinstallation-in-FT-handshake.patch - rebased-v2.6-0002-Prevent-reinstallation-of-an-already-in-use-group-ke.patch - rebased-v2.6-0003-Extend-protection-of-GTK-IGTK-reinstallation-of-WNM-.patch - rebased-v2.6-0004-Prevent-installation-of-an-all-zero-TK.patch - rebased-v2.6-0005-Fix-PTK-rekeying-to-generate-a-new-ANonce.patch - rebased-v2.6-0006-TDLS-Reject-TPK-TK-reconfiguration.patch - rebased-v2.6-0007-WNM-Ignore-WNM-Sleep-Mode-Response-without-pending-r.patch - rebased-v2.6-0008-FT-Do-not-allow-multiple-Reassociation-Response-fram.patch- fix wpa_supplicant-sigusr1-changes-debuglevel.patch to match eloop_signal_handler type (needed to build eapol_test via config)- Added .service files that accept interfaces as %i arguments so it's possible to call the daemon with: "systemctl start wpa_supplicant@$INTERFACE_NAME.service" (like openvpn for example)- updated to 2.6 / 2016-10-02 * fixed WNM Sleep Mode processing when PMF is not enabled [http://w1.fi/security/2015-6/] (CVE-2015-5310 bsc#952254) * fixed EAP-pwd last fragment validation [http://w1.fi/security/2015-7/] (CVE-2015-5315 bsc#953115) * fixed EAP-pwd unexpected Confirm message processing [http://w1.fi/security/2015-8/] (CVE-2015-5316 bsc#953115) * fixed WPS configuration update vulnerability with malformed passphrase [http://w1.fi/security/2016-1/] (CVE-2016-4476 bsc#978172) * fixed configuration update vulnerability with malformed parameters set over the local control interface [http://w1.fi/security/2016-1/] (CVE-2016-4477 bsc#978175) * fixed TK configuration to the driver in EAPOL-Key 3/4 retry case * extended channel switch support for P2P GO * started to throttle control interface event message bursts to avoid issues with monitor sockets running out of buffer space * mesh mode fixes/improvements - generate proper AID for peer - enable WMM by default - add VHT support - fix PMKID derivation - improve robustness on various exchanges - fix peer link counting in reconnect case - improve mesh joining behavior - allow DTIM period to be configured - allow HT to be disabled (disable_ht=1) - add MESH_PEER_ADD and MESH_PEER_REMOVE commands - add support for PMKSA caching - add minimal support for SAE group negotiation - allow pairwise/group cipher to be configured in the network profile - use ieee80211w profile parameter to enable/disable PMF and derive a separate TX IGTK if PMF is enabled instead of using MGTK incorrectly - fix AEK and MTK derivation - remove GTKdata and IGTKdata from Mesh Peering Confirm/Close - note: these changes are not fully backwards compatible for secure (RSN) mesh network * fixed PMKID derivation with SAE * added support for requesting and fetching arbitrary ANQP-elements without internal support in wpa_supplicant for the specific element (anqp[265]= in "BSS " command output) * P2P - filter control characters in group client device names to be consistent with other P2P peer cases - support VHT 80+80 MHz and 160 MHz - indicate group completion in P2P Client role after data association instead of already after the WPS provisioning step - improve group-join operation to use SSID, if known, to filter BSS entries - added optional ssid= argument to P2P_CONNECT for join case - added P2P_GROUP_MEMBER command to fetch client interface address * P2PS - fix follow-on PD Response behavior - fix PD Response generation for unknown peer - fix persistent group reporting - add channel policy to PD Request - add group SSID to the P2PS-PROV-DONE event - allow "P2P_CONNECT p2ps" to be used without specifying the default PIN * BoringSSL - support for OCSP stapling - support building of h20-osu-client * D-Bus - add ExpectDisconnect() - add global config parameters as properties - add SaveConfig() - add VendorElemAdd(), VendorElemGet(), VendorElemRem() * fixed Suite B 192-bit AKM to use proper PMK length (note: this makes old releases incompatible with the fixed behavior) * improved PMF behavior for cases where the AP and STA has different configuration by not trying to connect in some corner cases where the connection cannot succeed * added option to reopen debug log (e.g., to rotate the file) upon receipt of SIGHUP signal * EAP-pwd: added support for Brainpool Elliptic Curves (with OpenSSL 1.0.2 and newer) * fixed EAPOL reauthentication after FT protocol run * fixed FTIE generation for 4-way handshake after FT protocol run * extended INTERFACE_ADD command to allow certain type (sta/ap) interface to be created * fixed and improved various FST operations * added 80+80 MHz and 160 MHz VHT support for IBSS/mesh * fixed SIGNAL_POLL in IBSS and mesh cases * added an option to abort an ongoing scan (used to speed up connection and can also be done with the new ABORT_SCAN command) * TLS client - do not verify CA certificates when ca_cert is not specified - support validating server certificate hash - support SHA384 and SHA512 hashes - add signature_algorithms extension into ClientHello - support TLS v1.2 signature algorithm with SHA384 and SHA512 - support server certificate probing - allow specific TLS versions to be disabled with phase2 parameter - support extKeyUsage - support PKCS #5 v2.0 PBES2 - support PKCS #5 with PKCS #12 style key decryption - minimal support for PKCS #12 - support OCSP stapling (including ocsp_multi) * OpenSSL - support OpenSSL 1.1 API changes - drop support for OpenSSL 0.9.8 - drop support for OpenSSL 1.0.0 * added support for multiple schedule scan plans (sched_scan_plans) * added support for external server certificate chain validation (tls_ext_cert_check=1 in the network profile phase1 parameter) * made phase2 parser more strict about correct use of auth= and autheap= values * improved GAS offchannel operations with comeback request * added SIGNAL_MONITOR command to request signal strength monitoring events * added command for retrieving HS 2.0 icons with in-memory storage (REQ_HS20_ICON, GET_HS20_ICON, DEL_HS20_ICON commands and RX-HS20-ICON event) * enabled ACS support for AP mode operations with wpa_supplicant * EAP-PEAP: fixed interoperability issue with Windows 2012r2 server ("Invalid Compound_MAC in cryptobinding TLV") * EAP-TTLS: fixed success after fragmented final Phase 2 message * VHT: added interoperability workaround for 80+80 and 160 MHz channels * WNM: workaround for broken AP operating class behavior * added kqueue(2) support for eloop (CONFIG_ELOOP_KQUEUE) * nl80211: - add support for full station state operations - do not add NL80211_ATTR_SMPS_MODE attribute if HT is disabled - add NL80211_ATTR_PREV_BSSID with Connect command - fix IEEE 802.1X/WEP EAP reauthentication and rekeying to use unencrypted EAPOL frames * added initial MBO support; number of extensions to WNM BSS Transition Management * added support for PBSS/PCP and P2P on 60 GHz * Interworking: add credential realm to EAP-TLS identity * fixed EAPOL-Key Request Secure bit to be 1 if PTK is set * HS 2.0: add support for configuring frame filters * added POLL_STA command to check connectivity in AP mode * added initial functionality for location related operations * started to ignore pmf=1/2 parameter for non-RSN networks * added wps_disabled=1 network profile parameter to allow AP mode to be started without enabling WPS * wpa_cli: added action script support for AP-ENABLED and AP-DISABLED events * improved Public Action frame addressing - add gas_address3 configuration parameter to control Address 3 behavior * number of small fixes - wpa_supplicant-dump-certificate-as-PEM-in-debug-mode.diff: dump x509 certificates from remote radius server in debug mode in WPA-EAP.- Remove support for <12.3 as we are unresolvable there anyway - Use qt5 on 13.2 if someone pulls this package in - Convert to pkgconfig dependencies over the devel pkgs - Use the %qmake5 macro to build the qt5 gui- add After=dbus.service to prevent too early shutdown (bnc#963652)- Revert CONFIG_ELOOP_EPOLL=y, it is broken in combination with CONFIG_DBUS=yes.- spec: Compile the GUI against QT5 in 13.2 and later.- Previous update did not include version 2.5 tarball or changed the version number in spec, only the changelog and removed patches. - config: set CONFIG_NO_RANDOM_POOL=y, we have a reliable· random number generator by using /dev/urandom, no need to keep an internal random number pool which draws entropy from /dev/random. - config: prefer using epoll(7) instead of select(2) by setting CONFIG_ELOOP_EPOLL=y - wpa_supplicant-getrandom.patch: Prefer to use the getrandom(2) system call to collect entropy. if it is not present disable buffering when reading /dev/urandom, otherwise each os_get_random() call will request BUFSIZ of entropy instead of the few needed bytes.- add aliases for both provided dbus names to avoid systemd stopping the service when switching runlevels (boo#966535)- removed obsolete security patches: * 0001-P2P-Validate-SSID-element-length-before-copying-it-C.patch * 0001-WPS-Fix-HTTP-chunked-transfer-encoding-parser.patch * 0001-AP-WMM-Fix-integer-underflow-in-WMM-Action-frame-par.patch * 0001-EAP-pwd-peer-Fix-payload-length-validation-for-Commi.patch * wpa_s-D-Bus-Fix-operations-when-P2P-management-interface-is-used.patch * 0002-EAP-pwd-server-Fix-payload-length-validation-for-Com.patch * 0003-EAP-pwd-peer-Fix-Total-Length-parsing-for-fragment-r.patch * 0004-EAP-pwd-server-Fix-Total-Length-parsing-for-fragment.patch * 0005-EAP-pwd-peer-Fix-asymmetric-fragmentation-behavior.patch - Update to upstream release 2.5 * fixed P2P validation of SSID element length before copying it [http://w1.fi/security/2015-1/] (CVE-2015-1863) * fixed WPS UPnP vulnerability with HTTP chunked transfer encoding [http://w1.fi/security/2015-2/] (CVE-2015-4141) * fixed WMM Action frame parser (AP mode) [http://w1.fi/security/2015-3/] (CVE-2015-4142) * fixed EAP-pwd peer missing payload length validation [http://w1.fi/security/2015-4/] (CVE-2015-4143, CVE-2015-4144, CVE-2015-4145, CVE-2015-4146) * fixed validation of WPS and P2P NFC NDEF record payload length [http://w1.fi/security/2015-5/] (CVE-2015-8041) * nl80211: - added VHT configuration for IBSS - fixed vendor command handling to check OUI properly - allow driver-based roaming to change ESS * added AVG_BEACON_RSSI to SIGNAL_POLL output * wpa_cli: added tab completion for number of commands * removed unmaintained and not yet completed SChannel/CryptoAPI support * modified Extended Capabilities element use in Probe Request frames to include all cases if any of the values are non-zero * added support for dynamically creating/removing a virtual interface with interface_add/interface_remove * added support for hashed password (NtHash) in EAP-pwd peer * added support for memory-only PSK/passphrase (mem_only_psk=1 and CTRL-REQ/RSP-PSK_PASSPHRASE) * P2P - optimize scan frequencies list when re-joining a persistent group - fixed number of sequences with nl80211 P2P Device interface - added operating class 125 for P2P use cases (this allows 5 GHz channels 161 and 169 to be used if they are enabled in the current regulatory domain) - number of fixes to P2PS functionality - do not allow 40 MHz co-ex PRI/SEC switch to force MCC - extended support for preferred channel listing * D-Bus: - fixed WPS property of fi.w1.wpa_supplicant1.BSS interface - fixed PresenceRequest to use group interface - added new signals: FindStopped, WPS pbc-overlap, GroupFormationFailure, WPS timeout, InvitationReceived - added new methods: WPS Cancel, P2P Cancel, Reconnect, RemoveClient - added manufacturer info * added EAP-EKE peer support for deriving Session-Id * added wps_priority configuration parameter to set the default priority for all network profiles added by WPS * added support to request a scan with specific SSIDs with the SCAN command (optional "ssid " arguments) * removed support for WEP40/WEP104 as a group cipher with WPA/WPA2 * fixed SAE group selection in an error case * modified SAE routines to be more robust and PWE generation to be stronger against timing attacks * added support for Brainpool Elliptic Curves with SAE * added support for CCMP-256 and GCMP-256 as group ciphers with FT * fixed BSS selection based on estimated throughput * added option to disable TLSv1.0 with OpenSSL (phase1="tls_disable_tlsv1_0=1") * added Fast Session Transfer (FST) module * fixed OpenSSL PKCS#12 extra certificate handling * fixed key derivation for Suite B 192-bit AKM (this breaks compatibility with the earlier version) * added RSN IE to Mesh Peering Open/Confirm frames * number of small fixes- added patch for bnc#930077 CVE-2015-4141 0001-AP-WMM-Fix-integer-underflow-in-WMM-Action-frame-par.patch - added patch for bnc#930078 CVE-2015-4142 0001-WPS-Fix-HTTP-chunked-transfer-encoding-parser.patch - added patches for bnc#930079 CVE-2015-4143 0001-EAP-pwd-peer-Fix-payload-length-validation-for-Commi.patch 0002-EAP-pwd-server-Fix-payload-length-validation-for-Com.patch 0003-EAP-pwd-peer-Fix-Total-Length-parsing-for-fragment-r.patch 0004-EAP-pwd-server-Fix-Total-Length-parsing-for-fragment.patch 0005-EAP-pwd-peer-Fix-asymmetric-fragmentation-behavior.patch- Add wpa_s-D-Bus-Fix-operations-when-P2P-management-interface-is-used.patch Fix Segmentation fault in wpa_supplicant. Patch taken from upstream master git (arch#44740).- 0001-P2P-Validate-SSID-element-length-before-copying-it-C.patch Fix CVE-2015-1863, memcpy overflow. - wpa_supplicant-alloc_size.patch: annotate two wrappers with attribute alloc_size, which may help warning us of bugs such as the above.- Delete wpa_priv and eapol_test man pages, these are disabled in config - Move wpa_gui man page to gui package- Update to 2.4 * allow OpenSSL cipher configuration to be set for internal EAP server (openssl_ciphers parameter) * fixed number of small issues based on hwsim test case failures and static analyzer reports * P2P: - add new=<0/1> flag to P2P-DEVICE-FOUND events - add passive channels in invitation response from P2P Client - enable nl80211 P2P_DEVICE support by default - fix regresssion in disallow_freq preventing search on social channels - fix regressions in P2P SD query processing - try to re-invite with social operating channel if no common channels in invitation - allow cross connection on parent interface (this fixes number of use cases with nl80211) - add support for P2P services (P2PS) - add p2p_go_ctwindow configuration parameter to allow GO CTWindow to be configured * increase postponing of EAPOL-Start by one second with AP/GO that supports WPS 2.0 (this makes it less likely to trigger extra roundtrip of identity frames) * add support for PMKSA caching with SAE * add support for control mesh BSS (IEEE 802.11s) operations * fixed number of issues with D-Bus P2P commands * fixed regression in ap_scan=2 special case for WPS * fixed macsec_validate configuration * add a workaround for incorrectly behaving APs that try to use EAPOL-Key descriptor version 3 when the station supports PMF even if PMF is not enabled on the AP * allow TLS v1.1 and v1.2 to be negotiated by default; previous behavior of disabling these can be configured to work around issues with broken servers with phase1="tls_disable_tlsv1_1=1 tls_disable_tlsv1_2=1" * add support for Suite B (128-bit and 192-bit level) key management and cipher suites * add WMM-AC support (WMM_AC_ADDTS/WMM_AC_DELTS) * improved BSS Transition Management processing * add support for neighbor report * add support for link measurement * fixed expiration of BSS entry with all-zeros BSSID * add optional LAST_ID=x argument to LIST_NETWORK to allow all configured networks to be listed even with huge number of network profiles * add support for EAP Re-Authentication Protocol (ERP) * fixed EAP-IKEv2 fragmentation reassembly * improved PKCS#11 configuration for OpenSSL * set stdout to be line-buffered * add TDLS channel switch configuration * add support for MAC address randomization in scans with nl80211 * enable HT for IBSS if supported by the driver * add BSSID black and white lists (bssid_blacklist, bssid_whitelist) * add support for domain_suffix_match with GnuTLS * add OCSP stapling client support with GnuTLS * include peer certificate in EAP events even without a separate probe operation; old behavior can be restored with cert_in_cb=0 * add peer ceritficate alt subject name to EAP events (CTRL-EVENT-EAP-PEER-ALT) * add domain_match network profile parameter (similar to domain_suffix_match, but full match is required) * enable AP/GO mode HT Tx STBC automatically based on driver support * add ANQP-QUERY-DONE event to provide information on ANQP parsing status * allow passive scanning to be forced with passive_scan=1 * add a workaround for Linux packet socket behavior when interface is in bridge * increase 5 GHz band preference in BSS selection (estimate SNR, if info not available from driver; estimate maximum throughput based on common HT/VHT/specific TX rate support) * add INTERWORKING_ADD_NETWORK ctrl_iface command; this can be used to implement Interworking network selection behavior in upper layers software components * add optional reassoc_same_bss_optim=1 (disabled by default) optimization to avoid unnecessary Authentication frame exchange * extend TDLS frame padding workaround to cover all packets * allow wpa_supplicant to recover nl80211 functionality if the cfg80211 module gets removed and reloaded without restarting wpa_supplicant * allow hostapd DFS implementation to be used in wpa_supplicant AP mode- Update to 2.3 * fixed number of minor issues identified in static analyzer warnings * fixed wfd_dev_info to be more careful and not read beyond the buffer when parsing invalid information for P2P-DEVICE-FOUND * extended P2P and GAS query operations to support drivers that have maximum remain-on-channel time below 1000 ms (500 ms is the current minimum supported value) * added p2p_search_delay parameter to make the default p2p_find delay configurable * improved P2P operating channel selection for various multi-channel concurrency cases * fixed some TDLS failure cases to clean up driver state * fixed dynamic interface addition cases with nl80211 to avoid adding ifindex values to incorrect interface to skip foreign interface events properly * added TDLS workaround for some APs that may add extra data to the end of a short frame * fixed EAP-AKA' message parser with multiple AT_KDF attributes * added configuration option (p2p_passphrase_len) to allow longer passphrases to be generated for P2P groups * fixed IBSS channel configuration in some corner cases * improved HT/VHT/QoS parameter setup for TDLS * modified D-Bus interface for P2P peers/groups * started to use constant time comparison for various password and hash values to reduce possibility of any externally measurable timing differences * extended explicit clearing of freed memory and expired keys to avoid keeping private data in memory longer than necessary * added optional scan_id parameter to the SCAN command to allow manual scan requests for active scans for specific configured SSIDs * fixed CTRL-EVENT-REGDOM-CHANGE event init parameter value * added option to set Hotspot 2.0 Rel 2 update_identifier in network configuration to support external configuration * modified Android PNO functionality to send Probe Request frames only for hidden SSIDs (based on scan_ssid=1) * added generic mechanism for adding vendor elements into frames at runtime (VENDOR_ELEM_ADD, VENDOR_ELEM_GET, VENDOR_ELEM_REMOVE) * added fields to show unrecognized vendor elements in P2P_PEER * removed EAP-TTLS/MSCHAPv2 interoperability workaround so that MS-CHAP2-Success is required to be present regardless of eap_workaround configuration * modified EAP fast session resumption to allow results to be used only with the same network block that generated them * extended freq_list configuration to apply for sched_scan as well as normal scan * modified WPS to merge mixed-WPA/WPA2 credentials from a single session * fixed nl80211/RTM_DELLINK processing when a P2P GO interface is removed from a bridge * fixed number of small P2P issues to make negotiations more robust in corner cases * added experimental support for using temporary, random local MAC address (mac_addr and preassoc_mac_addr parameters); this is disabled by default (i.e., previous behavior of using permanent address is maintained if configuration is not changed) * added D-Bus interface for setting/clearing WFD IEs * fixed TDLS AID configuration for VHT * modified -m configuration file to be used only for the P2P non-netdev management device and do not load this for the default station interface or load the station interface configuration for the P2P management interface * fixed external MAC address changes while wpa_supplicant is running * started to enable HT (if supported by the driver) for IBSS * fixed wpa_cli action script execution to use more robust mechanism (CVE-2014-3686)nebbiolo 17089625542.10-150500.3.3.12.10-150500.3.3.1wpa_guiwpa_gui.8.gz/usr/sbin//usr/share/man/man8/-fmessage-length=0 -grecord-gcc-switches -O2 -Wall -D_FORTIFY_SOURCE=2 -fstack-protector-strong -funwind-tables -fasynchronous-unwind-tables -fstack-clash-protection -gobs://build.suse.de/SUSE:Maintenance:32791/SUSE_SLE-15-SP5_Update/92c4c1ac4c1b5c1bddbd97dfd31e26c2-wpa_supplicant.SUSE_SLE-15-SP5_Updatedrpmxz5ppc64le-suse-linuxELF 64-bit LSB shared object, 64-bit PowerPC or cisco 7500, version 1 (SYSV), dynamically linked, interpreter /lib64/ld64.so.2, BuildID[sha1]=c4bfe404caeab93c0730b45720c72d338e597193, for GNU/Linux 3.10.0, strippedtroff or preprocessor input, ASCII text (gzip compressed data, max compression, from Unix)R R RRRRRR RRRRR R RR-S|;f&L¡2F utf-803483380700b55528d1767ed105964248f1dad29efba36a00a77e999e13cf4b6? 7zXZ !t//߻z]"k%}RUJzx+P]8\mH 1}%s+ހG5C=qUʍ2RN`J fbV3˟D;}qaRс2| 55Bjb[TV S^Zbw_Psy6mm0%k%c\>Y}۟d\t4Ŋ0s즷e)-u{~'U@d#XN-vv8i)cFJbU+DdJQ)lK -"%%Z*g|#ȡہd,M }LNNxG= wOrƦ&B ѠRI=ne(uUC޽ tԞE⫀)yE]VA|d)tGrr3d[i-003 + ƾi^.&1mk027H4iOib$Ge ZԬo)ˉI,α [.-.lݟI>sR.!Sm+}7㮔iD'\v:NuUyV|M2Wh(ebHX_ݢ`aKeL0MOE_&iG+>{,e93.k#]LnCѿSM'bY~f4POsey]5";d%UEailK8Hh4by `<3OIm\~xE$ik}ܝN2+zzøAߒCυ\pK*v,Z4Q˵ޭϖk-ӽ`3IC@h~Z0XO2 `?xBUSLsNw?bQ,B"E ZMCQHw?#TO_Rdx(`uO?I[s\!vzSӹ#W.0&l3Kڔ6AŴTxM#i~S<ZTvPo}hf]I%F[/wѻ:=+a[4w,ܝ*~uP֓csEUi,vgN 1q<{Z$_Ppjwl?s>QCM/}K$ͨd3L#$L7I8+rSZ1 Dt~C[nSSLd8iN"Ms8 .8Le'yYaϴjN={ڭd/ZC78tQtq3@7cI`B4 5k[ش-Xʏ[6v4"eyg.zAXg>;V QQ#wk c6#^%)J4>x-?udS'uf:3|Kݕ`h?=zo֚NO%#[Ki+v>d^&vnrL鈺'=4g 0HQ!5 px%0nyEVH>@2=G~({LQ+hIx~Ul:z+M|QFg|-k|8uٟ/.[mrY+SSbgo+Uzgw?4e[*גQΨ1W* FX› c2=IͰi!ȭ в0s&pe;%;a^{E!(,pS[\!$@"Fq:  V rhP2to,jzpеaҾ'|+ 屰-A/Y!V !QƣXlΓ ;̾|/ wAoJ %`엲IjL h̫EYRH4*F#E&+EmbfvV'udȄʈ)\2rFrbX&a gbH ]kq1T{LNT~I0XSEa%Dnh8  M$o8rzJX<0e3B_ Lt@x)d/iB+d p']A!sоK쀍9\,.x8ZJF^4I],:</S:c./azfHmrSB*[9>K  $*}etګ0 q/L"+X %43a 7J2.EPJE讂^CP48ȑM \ {gYGcyz4ކъ'`XZ聥M$eY>tBb~]M+^2^*%U[kfA=Zg1_mOZuuWT .;wԟ`tc妟S]- Ppn/S3~6 upOnJۓcgotA!<dX)S2<ɆM5}, @]<,lj4We >2Fu'EA|NϏTyN:y|[yB+&{-ώ7z$3U*0M@|By4 i;ŸC8F+ PpR6Av8[^/Zx ]l:pa@*vDϩOTؚui7$U 4s5]讻k오432L3ʴOҌ~>R(im> و}kŒCWT-B},x]'^ FgS9}c3MAȡ6 v<-xqd0bb7B~/`אW#ff&hh95' qr^P ẃ:斔ӡ`nh:-A-:V/eKCt ;[ OMLlEZ8tHXLi׽Qc\*_Gפ?pm F#Vk`LryG.@kE]ߏI4r '̌|c8;MPYw7 #jpl(Dgytx"s M?a3!{;|S=.6"5V-xdB[!~h-%;C!| X:zb50-%MWXt_M?[͹.#M34-n֊g 7fiԯĦ=X0&I#O_^)RA{EwKbf҅d3 5\,S{TԒ[mo`ph~&.],U8\4Aw & p*ܑRN=Cۏb-$oz o! IMnml|N L)v@S|_XFZql:qV< <;38/ʈw!SXR4+.EL (1+#2^OtV^XY]܇N0:ݮy`,q$asD#gHޠ)ME }vʶOȎgS^Ӏh31쒰bmOq)bhXK@pä.8Dhk;:h_Q0 ,vIqgfgiE+71$ϻ9GkBԵI:,`rvt|H( p2*X i8Z\бվ&\;) [BJ| 2k+xa 2T+\@ 㭶58YqxL D_gayGK:- 6Q|G6dPN_RQ! x5 i[DC_cGb¬^Ԃz5ao!\_!msoQ8o>"=CC0*;-%z'[[U+!$7-![߯)Zׇъ ajf&~n8> KDH&g A_%3 BTz4ag}ξR촠%ѿܭA45%@(It4b/3sO^z Fi ??W3Q"{b.ۺz>ɞھh8I:s֨Ul*Bviacis y z+ 2˵*BQӞgؕ7ݥHM6)3z}|kq;wzwK; |eLa dU?,)rDTi/ݧ}.LSZ.!x.(K:ȬE1Kک>b3og@3L^,'=5(7* *EW<jEsB[fDB ӯ`Y#89mr .D6i3rH\d-֝`K>|S%o!:%OfYP#c+ZhPf"[l+)Si)y7Yd Opj5u͎{.,;6,]8 ^\ *Ikڬ䎪J-ZκVˮgQO|R*Go_z%\vL!ovo"]Бnr2M)S0sȊ`^톥rÐ4EshIg+g)(0=q\OʯeCQiNU?X:&%Y< w?6|' cgQJa6ykIԞ\{F3fw3RA_rT-ޡ(>X$$A2=sj|/c'OMRç>kMw3V)[BV3y lqvA2>fJ(H;w3LaNYQŎDx"[^/Hԃ:-~rU-vTs:F<7ay ϑŃ  >G6K^^vH;,~\LZ C{[ ߫VDZdyVQksSk,^=/\'{pAhf H+;3bttx>X _!z`Ȑ荝LS}+"j-*Pʬ]_X/bK`MS?g-W!;P? PF (V?ZHA^"OD9~7j0`]UkkhJԼ;}dbY6J,M) ֭!0Yz'@i4J/(0͡x`Hq60//v9zz5 ɩb}X'.l$+ڇ7H˯כTa G:__۱?lf1S,v֜A;w9^_r!E}S=$ʙ9=]>IccqґUG}3œ4np GJ$ M &Wd"W _Sq#ހ#B{h`rv/js@PrC]ʽ8n|ÑbAd*VLro:$h^KR>ZQ},&E9EU(4AʯZ<0gcvXԚmC=H \L!8p"ڄ:A&2ไkJ#(.!bBй"V3}9Z[sE7D_1_5dCa$뀏1UjZ%hijQ5lgʙRoE|)#yVh=)>V-(c S%%F_󷧎`^Pi ̪DM@*񷛚uQĄb/$4P8X\ /7aǂWaovfxYs*F+~Ȇ.=t>C.@N/ We#5:w:2gtl[9J%֖Fw P\ܟmS"4*QDߡ.Y39+0[ylo-ԞqZ< ;O޶XbE̿4`ٍXM̈(oޛƜuw.f;cp1]Sh:=|/L0O1Q]y$Sl7Zm#Q0hW=ǧ{T-kTqY*gR2vX+1'3Krxoݶ:Q3- EYO㙫+Pβ^ a>~GwMס` 6Q65#OVMuB_+IӴ0N\x\Y7{x\)#.!Xw /`TܡU"a.[ЯG}st˚t(]4 ֐o3;}eؔڇWL!| x.ږ(@~gc98 Ö!* +'ƒ t\p2O?(nz2@qv:˕pAI:>Yr6ak\Wo׾^}Y|ё C#=O?Q4?zvrIqP˙"χޖ@=MiC݄ËfoCVxM{G=ũ,y]Lw3#|C02=BsY9U-s5C~ѻiWJGߜi?DWp{aĆv81M1LN a':.7K><Ώ~R(m9'#S7O-Ǵ qGi g3Z(m*c@S `;"L9I>M[-MbW4 E%+Ƥ8!QMI PU%#~~1R:ew%Pf_ #UU፪`ep//Y=E{N<WMPl-թѯB}&ur wB0a^Hi:l ?r?4?5O{@(Qw|{MP#+9^n `{2Y;Ky3QHN=.dݿyVGȦ6n!| &DȖ ]U`2 \i<EDeXBlu؊cCi\¶1S3v>yiԋVIjC V .Mcrfs|șsViV=[S^Z^ *q%B)0V"ދvEs60[e{= 'mm`3OE,h-ZnOF(74Mǎ<p̯ cC]U)L#hXM&׿[}5?,-6ԍ:fbH W`M D;v_ꐝ?3ON }9bXR +`ȶCCb2|ONw?쇻E;F\veUOksʎ[4P":Ki3o]Tu|Š.MB(p; !]Y0==7wAt#uv$=!nIl_FScylUt4qܸpg[S`e'ʴJ\ qo'PIdm 4v&E&{Z ?ۅjԅ4HuC(4Y~R LgZ"_#Jvh#7CHo(yKe۝uF[2DM @Ke>눐٠Z3G2ur~TOCNW UMQ{nj7OA2} b)pʦ fI;QxN+h&2^񓱝&~ٞ PV^k\"\qcm40ٹ <( Y9B+^PsQSKRB6 <@; 2DnbG3蛥И9ӳܠ9"+B0!L*I fMDpSHs%X7TA9 3룝#śRvџb^k zʩ(I]sçWkZ\jmCAU/# @T4qf! 1qS|E֝ʥ J_Hal30G%:(kU|{d׾oly701f 7߫2]+f 4sQfw{Y3^/KԷDR]]DHCP'o۶ $oQ^MvWDGrOHž ']6bv Uk">:qB!6,1wPnf=Z%Q+i`ߖ6{t I.kuib6_q1M(,Q=Z<6>%.w4ץX_Y);iAVt0c+&ćϜ]^6ʞFSVnQMu17ݎ5h:W"/ /vmt,pb\S30>#\P_#BBˋf.TXDdyxV K]&+P^|_ oK o W~T\Sv*xwA9?! !sbsAo:"v/k&LuM(..POjAR c31 ^OfK5zITh#V;cm &ڐ}&KeGeXliRr9cc-Rbe ;AKitGC uTB@h%cɎz |GMcڨ82eԴº4[\ n X7)l̪"L>ؓT +Oݛcqv8"0<&%^" ģ_rܬmXWce}y8;6*/Pa}C_O7OkdNjGzUQ.cCb<=V 6m~^K!ퟣȍHT9U.Tp?>uaC Gl' KRc> _Invr#gv}Y{2ŹyCB\"r z7Zf @D~wy>mBH+ ׼r5<%Ha?ySia"ܪnD;㋯K&6CdUl_aQ-1>};6kC3*psi,a? bSrО2>d\U{ #Z-XQioPP+,AjeMhxGWymqzv3jPM,kbat 3IV_}`쿧pFj~sb{I>ʋmn[/ ֡r[ &pQ ƼnQR(d/}UY&7(|i ?YnrI ;R>&\@S+7 º?On?٪O^ihj+͡*xt,QcT'_dm>ƿVGbW*x93:ӳ7XWu;x/zK4#k,WcB]fꦛ\X$R *uxxJ7=fgkO_3,iWL_KE p ÇhF3FH`D9Hkο7kffѬ C竽SD/OϯY,`?z&*e{.6&;d&ʣM< .q66VϤ1OCD>Օ%>}^n(V hG +!Lzj/2(A6? h&p|#Q)lqg. 0ގ,`t@8Lt)<`m]=v+N4|׾M{FꦼX*.e9 .f&ڋ 6>|f\pQT6=|ǫF'J[ѷQ'GT&8v (F:~+jkYIl6sRHkࠟ0o3#ɜOyx|v7W4X:0{ZZ RɅ ݚjwmx/*n>ԃfITidc ͱ~QolO=L瀰d g#FNW Sg9 w ZLE;^Wo;u2$GpёG!J#1H~|A }zI5SeX ਸ਼ea??>}C{ 7jpf8%v)M`𱐮]ӝ8F"tG1+ȈI/`C:#,];"~tRޘK:ۆ.) *Qtg$~4m*끔u-{@ܫ] 1rQD$gk"vB|ؒ N9E7n+-jA 4_,20SQIA;,}J@FĤ"K{n0$ۻd3teZ?“ a+Whd^set|? k?׊5gwI}@Hbg+0O^y6r%p…9WjWTGBGyա6aN\ +U^4P+n-ӕ $#BҜA`b>1{}!aWU&JIF~f"qJ$J%ʄ}䁴1=26zrKke;wi> t~ͤB@X7ϱW9/h LRަ؛[y+${qSxG[5j1eW V|o/5 Äiv~u LfΗٌ23xPVf82>8Wos CWN߷(*}#,i=Sg\r9rY*l McĨpq i BEqB3@d vu >}-{.kX '\䝵@jkՊrr~rH= 5tb~vv($b&~+wHMoWey'/=#_~g|V -~MGϘyvg;^WpG zBZ#BtҼ fljAX:ɞ!`1@9%JCC%Yn-lhj[JO(p\" {3G&n'8[[ լKh4;var۹e֥;ϏfH.0(?4 UW ne[xs5Th7ZB}- hOE*,(gz!| dQ;; #K'{Z a W0<>+~k>0]tRn%  H;=x DG}6_kdQly<# P+%1Y]8X,L8 xhSVΖ*m2{MYiƿE28HDōɚMJ 3VWg5ѯ!ǟb'^lȷ0dcoG'_=!ڰifSCMo`ZN1p3_K[P\GЊW T]Y忱K6d_% N.FFìKDm# T8B#Ɀإ+n>ӑn%w:>٪u:-H G@C5IL̚,-yQK z¸a-) YJd«P`rss9aӿ8g>4UКFMRje0 'F6 =k*MflN Il[hbpj-X0a-u ״Y/]I&KO`صdIgo],BX?^(aI4Eyb-C7A,L|RޅGR#t; dzyGRW-La;95겸nA Dg}o.RKS`Tkǰĵwh58ո7Qz@Wx0ґB2-P&eG!c@u' b~ǻsyJ þ 5¦ψS?X3G$ur9]x[*d>}aPH3 dEzԜNm@PҸ$0EYYr "HYr nnz8O˞X%b84PDV^*{nLZk?w7kA; 2,mU$ahK .kopDxǠjnf@l UBD;]/ct^Օ͗!]QUӄἽm#$iU|=(n[s SFQ u$ו?j"! {_];inh+z̡Ƥve1@w8EX`y{~q97Ab@I*[8֔Y2"hj `ݒAabEu7/twx;?oI ©G+6! $ j:Hz?QPC\?0%ޛQE]J>t0ܔ EJdzى {%~$MFtclStnfDڛR @|%sK<=Qcە!;=V,FMu?3 ACpWPf![iA}T& d{%p\r"[vR%ӟҡ)?Ķ>zpj3R-C"Q*H#^m8 J"c4B*㽥%s$6s*Pz1L`u15Wt]cp_XP~NUp >MhZOXD~f,l FUCY~sil-yq|n'sˆCڶnӋw#~#Uz`~m ̯j.s ˜v_R3\aݒ*5=Z՞[1A]ygK(5צhE`m1FH vzKYV wc c .~R"4'7n1`t:-V>nd c v:i]Nu_طxFK8 =,_qN>C8"4/YO2[BL++X %M5s=8Dkpef2nV_œ5ͪ=1|ЪA6=wSvY@AZPvdeŔs/q!ŶRMcdiaOCϨ?H!#wcc5=f`x1zӇnj.$LJɻ4f0f_vG-]p%q#;3f X6W^r|pk KzJƣCUn3{7*2Kf!Pm{%13+څs*Qz G9{1Mu7@ۼ5xfC*d`qUkSbiY sh{Ua$oS86jH1F~\rTҫ 錺;`RjQsUb. R~q;TTOs6"LbPxxDT6,ZJl{}Sٛ~ p*zTaӸ-++hԬ"[`Ն3}R/ ߇UaTBÖbCDq9 +4g)Co2ݤ`u,EްE) 'CqXV0YTO SyCmAY'xk)jK|4ZV_EgZN2 }]$cpk[`b*8785%c30oEOB@ƜKXE*ԥh}`"J6xc~HCӐ%ZNCg p9~b=O), O:[1nEMn/{9`(J襾 `u7h:ɴ> O:s V <e!$1e,Sf2H6'OC\4x"ZBt%_JԴ)1dK= ]?0ռoߓbsP6TEfݓ==2e–7 9^h8OUn{|mҷ5P+4LdGbzj,04N e F뭍=uE>*((4 n,:Cܶx^zQ]PŌ"7dńfyfp\Ru6AYoU[T6[.Vz*˚t,~a}Y/]}ʙ)E^>b~{!M`+uLHTոƟA;v .!g$Ny|`V ҕ&b3ϧP`c.qר?8i|MW8Y/)=i~g|445qe.-?YdIq}փn sއBu/Dձ_L@*5.FjS  Q&j\0<E<7'30vRAÞR^Rrw\!LFTb([,U>M:+gQ|Gm) /(L.sk60LYWޖO"8: I5 f[ɮ,wVUcNzeV&  JlPk̑/kkL0U!:{=C"[ $?]+p^d "՘ŗlw #IUX$1utXIra ,S\lE OȊZh>(Qr,y &ʎrpzhFvs2n*ϣCJc`EV@᎚0*@EUP>`+/llE U fC~LOQ6%(v[o»~s_7U#L{_[U"}B5uq=CbIh 7t욎9%M59[A;KIv?ww>w.SsbQ;)Mrs!׀OWŐaes-o 3G GQP-uREeǶJUwt6H}cgD^exR:-#^&0+o ZZ椈|WQÐZ&ŠF-%·E>La'~1$LDC.A}/}>< tQ.1u#gice{!{M,[#Y~uЦvYw&Q6OX5ͬ8u:in<l3MF'`" 8 !DD 'U0_lsk.'˹$/S->7w69uBݔ"Szu_0zg : !C>d(+юv4$_3ŖbhN=%Kفvܖ3zk"E YTCàz&ԫW0a%+btvKpPIh |&mZ}(s}šs7x (ʠkAW,]u/S3Kwn*rߵ=/(h_&%-gn*yKVS@#OugUTJiB}M46*^lH]}bU#?s*U,?\ߌF= p1!e1qߝ8>y 2 iI ewI:asltvSBu4MGkUk&cI CvR:]A6ᮋOF$& {հ2zؘc֣ͼQdfI.&f=~Q˾U{華$ehJt#,~nDZmUTC#Xg$ 7l2;4&)jK-G+`8T[[rzA&l z6ʡ]g~wo, X3*&ȫ<<^VGrԏ&r{FRް ;jnN(A<`hj)vxEޟS6C@`e1  2İAY`E]X#쟞 k%qnp)}ف/'^ƴ7M_戗j1hdhslZ :gY=0 6[ N)^z26NlN#fK޽IEEگ5Vi PZG#ȑU 'CD/Gy-}X9]^0XV$xkTu[87 R}DJ x!2KM _i)Ӧ@ 􉆰+v|Ϻa Ll"$zpҒ)-]DW -:5^A ʹ\圻9脈bpϐm1 Thg &B PgV,_|.84))_U9O/5 .Zk]W/2 p!;0XX_}n'ٍXTBCMnHYjU@砱l]plKGC`\ {nR { 7F) 8GX.7yD&A҉>gӫ8WAt]1kق2 unJ߬^H>s1ѻ 3hj>cEu*8{;p>"`kq=8/'C*HHRn|GQ4zh~?j5kudѱiA뽉K'HW6)s 8 jO Iٻv )Pm * Dnc_eW0x,zAjk36ʽʪg zL9["#'j]wQYwN䏠ژt|nQ\C;jIZE|>oh0$w|=ޝu~_  ,5vXȓL.ǥ7޹YRJl_n4~g*xS3M@|[;承y|3OSmۦ-fȣ ܃%'fq]Ws{6 kItb$CBJ7hݽu9l a'eڕBถxƩ5?>}eg͗wxob.$"2R7oaX3XTC~`TW(p]JnY"}ZbG*ETmg27 `fِ&KbAdiƑd/B{ #d\|^`!:)tЫJn:DЋ5{JBV3yd/m ! S^ɓ sן\k6`d˟0ᎇt>1GvϋsG֙v I.Q{/GSUzˣgu]ǘzNO Tus!*U7Jlj:' ;18NeFeBoϱP(ӧI o-T )X8bCdvi?i%9g ?T WPh۲~p݅=:-*0ܼJng>;+rOZ{ZNY]'چǹC_o*c$$z%Uն$)h`}`XOE'$Č䞁NH>ԑmUQT51{%G蟪B\-[;p;Ӧ 5k,\Z_X2Mjf0GÊVQ"ov%5=?^B*\/t=&y 幀)y3[[]ou CWz:qףA{>e$ow/Y@سCsyb$ḰLir1&¤@Uh1J j|Cq=+Sg%asR(G,9"?sqwf{PD;r7A5-|O 2'+:x `omxm%M٠t-m8gg9T>]%|UD34)7rK(NzR9Gcr_8;PW*PwӆPfz7$].vcl$4v*:<÷U Py0ޥ":b?[~sHy[P%ǩlֹACxLC0K Qxi_nv42~1Y|=O˸{6 ZZTK~n'VH1CߨPPgjg @nbE<X3|^blK`=hAɄjʞ>FG\۸Lz gM2|_4"'a/^ʵkgvt!%徆X6 G;O{N~~NV-cLesS${;LP0T!Z|j\U:"Mғ7۳`e "g7z.A(_R6SǾR&BK7q?8Wh{&ZN|>s0 La\(eͱ\=N-7̌Vʕuw!Ɯ7Bһӏ423;35~ZQ 4S}2O&1a"Cu_qd&e*`:ܬGt ucN̗xv>)@u)bYj.cb3q, Bgn|+L9q^X9J2a#]gVM=ݨU.s' I윯LO#ޏ}57Xa4#5 ;Ozw9Np8Gwڄ&<;M-@!"款*pؓhOfP6d-Ώdfd G )3I$Ӫǝ@瑧%oc6p:UI[oKJ_o^Pف[q6 7Ҫ.MrL7QɻhjD*?ZB3 TD} &xf^9ZDrQbG׍9h34!h簾~|r j4Gyn' I44 <3,|,?$gYV_pReD .'7q)Уm[Fe#tߨ<_fSN*\&cIީO~aFEJXnX,dHX-[ز `>]f+]ݘ/e?G/7Ъ-vUڊFq!o:[*6'68=I 5Oo$z>1G.8- .s_t8R͎tL{lzS@ Y8v$:J@ 3&'!&Hn6cv/YTl4ɏk/SqX)8 JMJpgP YC[G5 ~K(ÖljZː9>l:m8F8E3MwpcI;aTlnсYkg,K'rrEjbX@ThW]M_o0H<+((UC2ԛYyn -\xH +z#AA ZUM[;2Pf:M=bY4a`ds G%Hp.9+?N˺)OEveCA{ИyOX.Qz:ػU;BIhۥv!C@ըLZh{IW2,ՙ̜җ"h|6 :)զu @;ٖ2HJ|)gVɴ[TO~:D #Bk[2|a7>)Pa,kJrPatܟZ>Qu؎8 ~=3!41k"eij7ᒩE * AbԺtatw/l+tT>&z6ԲG_'A`~gꮺ _;jw_$f{.Cp(\VÁAYN`swH9:ZB3+ t B L7 9nV)15[a!St5k c`d_FQ$ UGT`sGM(Aֆ禾BۡU6dCePw͟˪xAmw?"mD f,DG 7o,S#>-ȅB S#YDHifu:{uj0hum's_5Ddr9 1SSsu??H*@&߳~UP]+5\1aDh: 1 PRx^}Jy_ V7~ Ojx*L2DTDv~?oPHٱʠl(UFTQtu[,6Ȟ?O Z(Hj7!t{;MsdoLwrw`Uz'Sv#_, >*g䵊$0dT:i" T@gM|I{rMFk;۬6vއǙ4Q+S鏎0LuվEƐ7lԀ\(HLfߘyd:b5 qz.h:: {Dd;DW1۶TgnfZ”]cbKs] ୸r`\=.gцGO+zg*;֟_m0,"t-4Т@f=եПf<ƐF/܍k*kKSkbW1?#,n=;[oFȆzʬ1ɡO[+Z d&퍚)&8E{֣+5z|6n?>;3{/5!9$0YXi/֞u >\$ŵ}b8b*T^QW즓npf+;jKSy=N燂i H]7vkV{/1ibY'[ԡXRPDs<,Gد5Sy${h͏!z-w%a+{pGA{H630 ႛ槴1<aC V4)?מC >xpQTo,qF59<'B/GwGTh,q=/z)#_UP"WmxIpp{ 5)6K>'K٨,~"~ыDyz_*Nb*^ש*;hKmMøCHwQ8 \mTPvԱh{ /"mr"È2 /%n/Njcg!akU2';lG."1J 7NqGI[2 V'*W`71UatixʈqOa^DZP1ԇ=3 U p9x<=)PTr TM;H{Q9 'p7lJ!lHӨBfsUsONkGsfOvbhJz_Hv2o$AZNQG:i{M(yE?\Oa4+xnOL,Kw$ɇ~̽x[{Ѓm۬rW1pCN 5s5o&6m\~^178g]nً5y AE/5w+pH 9 ym m|n߸r,.h}oLl}k&@Çߌ9tQmkVP:VƣѮՕR{bS4n`tպwˁCQOԏ0gAOcYlܻ!"ma1XX܋A,2NMmu NvZ2؁F(D.2 se`GqxH@Q R\ЎX[JYJ.4$Uω53L~BD~:‹]V;Hӑ2M)&Hd8.h84_)Pzi@mx @&x. ~lt1HEe榞Z$z3DIH_2 i:6Ք5݄K"ٜljI+V%Vsut7#IS M m4ƣHio>A`1Fޱ#K=R70mnrdHf&nHցrx̨c1AE4ָowt6nN?WE2Ŵ+ ~zp{cdPT)mW'ȵJo(X5}KGq(N>YmhcL-I<;vŐGz8Cȣ"? b iEIA;^nv`A}*eP H 40:mq (|,pN ?<3 L䤈d-gl+cSY t]komZ(0GWe`k8{j`Dxz3c8/{_+mka~7YQK"r_LS)2 hiVI}<%U!c.K :qj-Jl`NZ݋=2T ovBNWq+7؂9o+ֻ5Qm ɵ>咜vy }xlWpMUBC~şJ9)\vU!<'!@^Np{`^GT MRCC(S;$A# @kW Ɉ-)P]zdM+{E`o&exd:J? J ~NyB۱kH9Esμg M=rHeg]~_QHUR"ou,0kXBӹj07 VSkdʍk6zq grf- B g4^әȣn|99oEk4H;|Q^;m.2jFJ7Vp7,HcݢѦv>- y\3S ر8l4*DA .aPnGg;%nѴc[͛?5mtP 1l˘E|^jX7ښEŧ9ZwX5Fw-?ΰ;?Cp؆Y6ǂŸm7*pbBE>m,j7zPJw}vn'ZJ0I']χqIrx)!cbtbNgINg xo5$y5}7^$횹Gu4}cR?|,"|zsEXF)oWG oR@pl' v55Ѡ|KWyUɦ[Ĉ3Q·n, +r B:Qڱ\T PCAp iХ@H? qS8#S>9<Xň J`'cԧby8H\bOߞ( xW{sN0 ෳR}ҙ>bN{D_lKT2zҺ Cx"oT<}}&Ng,K .XGI놘)+Hs(E{n<(̷Cjs^F2'v+Zb&2H9wI%7}p:3p 1'| Mګ:K3ҚYHeR֮qA>5e~c&45$50:YCN5x`׋4'5T]E3mf~`bK4',-U 7s8f~ ȰbY9I"$AM#0'.W!rv3tg0ƍiʲz)B)P[QRK)0`tt{yj3V ĠAI,fsn^8HYi17zje…ʳBe<$OݽXGQx,gŽ)*"v0?3xb?HlfQ<0kK )ATx=47MR ]LM w 4Y.׊1,aoh#Wӕ\+-h~&D7*`Ӵ@WQ &T::mt jnK1wSٶ-La@˷o:E7fEV_޽{eQb%W6r< fx`&,Q`Q29q?t{ь=mjv}Jg<`0v$[(+ 6H&χQd.E 6)euj?o s5W D΁/Q4ٱJ Hפ\"fؤ':C,YǕ3rBxl 1zZʺ7.KG3SMO(K1$ר5ӏAiNPڷh#:FPJܰgl'\U2 ދYҞ2% zN]CZDjB99:{lGU 30n펇1}{I F'', $˲ůD;]( g\}j:ډN{B,M^󋛥X3aډ1QIr!op(E!?Fg,{ka18l =tKEרz 3+֓1rb1 >,GN9\$uC{XY%%Meg6 [5 0R4sV١7 wmulV]NX*[bT-W&12*5@O[/r@d >IG+:iKqZwG_uۂ Imd,F=kɢU,!@CI w9XmFӒ6W)$$ę7};5>i֎q!!;0?WW k;3vR=FৢRur(aY?ݚO4 ֹh^;*]Fd=rug{j. |`s4$[۲ED Cv\K2iAF}R;qى\WnUθzlh+?Tr;hYHJna_c_-1f8{$4Y7Q? /{9gOWn0jKF$| fQE-@!]"e^ZV0d{gà%Ǹ7,g@0Sd6ޒ,SCTuf=e VV"f^u\$A-д[f5N {C$ILJdQt& ]F^^:Դϸb"cLb_`ylïk<[lUȖċ1Ӟj"9 ~7Wi ~*MQ7 9Q3DIAH.:(K^* $ T+ M&\pݚL|:.Mþ! Ɩ/\^\^kM暸8d#PѧZՋwLlυ1ؙ"V>03O۟&u' ,4rq ow,a8O!/Cm19iBC} .s +^bRG+OG]u[ֱIE(SE_a v{~Wijoi1ںIn VdlO 3NW"˼`nb5rډyyuny|ޑ|J6%D? +7se3B<0c> TzUQhʨUڡuDHAH@HCOуLVg_?,/VrG-+ہbl_PYd'}%eϪ3>lWy=^L9VF=Ҽg}ѠB};va_U't┶K9AZi,0 352S4BW(u%ew_h\~ف0G{A$&Pj[f 'r᳣쎌y;f4JB'(a/H[\V?>akC`n0KYlN$2xHeYmEoyֵY:a}wqwU}u-e^ Z=Dg&WU# 3Ϧ-s#ȣ@Lw<bJcߜ?$*LRNTSCz@ur^K J[/Su4t/q-w^]{R(7:ЈPQbXa`=tb3c[D8/SJ\sE<-]w=2} Ac,XͶ&ĬN(SZ屐2do{83 CAU}0Ȟp.S+-Vաm_jg:WB )F;З(´vrDL.X uC6R.gKw#3O#V=p4kbv(+w`= ]Xۚ,#SMp;;G!x9ލ7֝¥)o,ǵt_+ 5w%!lP}[t \u}C"\ܱ,?zyvzݥAjIhL % y3QX_V2,,o?Md4)d6UPuJ#JAij/J65 ayFM}ϝPkËGī:D5ɧ`xXp0*Rb@(] &05«V!;BepB6UyUdt.s%۷D#kW+CS̾LQha?:!ct\C/ħ 8bl<-9Cq]Z 3)J[ 0r\F'%DVpOQ@0Bij^@< T㤦 !rN&2.԰TBw!"|33l]ѓ51.8!K7E> {toP(-1W`W7> rtY/@J ŐHIymFW5K%q4F}<d 5ƙ4+k`lJ ,L'x)1Pox#X䦈+gwϮ^T&Z»mĒmg Bs@pL0KCsMZ$gczi< +Qn2:%F%_Btw}Eol^LKn U,ʡM;i%JFf{dt+ OkCUUOС?|yjm#Oo&FՄ413a?/5p{1?;H YZC;֥wl)ҩZs-vO>|l0c7mdscߍ6@pރ"Q %JŝlH+c(m `٣Opk(U``Y'3 $5<8~ Ǵ8b~:b-^1t/WTK$6&;ZEz>[zKH4"_FeЖg w1κ3^K t'$-CGX͞9 (hJol` tk 5ռ>@VҡB3,s\~ dBt/U3$ g Ìq "Ly^U>)$יY]V)'8o^"Ȋ8THuZoNjநQ~1fX4-\Ɂ毠8P֫1WoT9CV4_cʔf&0p%GZIMaיX(Cբ6*]Eg9  k|kꏸ銷f49(6^S%ѫJŭ݁ں]T4LtY1dV{[zM3ܵpoA#& qx9Eky܋4 zG Wd4a3UGp.lГF](m~` [@aB;i.NQ?fX\&jvD{q;݅I Wk?h+)ƅ( ZxmtKÙ.t,1s/CZHTq^ad§u4L$E}J*Ybo}oaD&Hr{+޽=z wY6 sBq>*lwHv[KB@t ax| _A**ƩZʩṠPc( <ʑj9kO>^J%0xKPHj\my.fW kR`:.-p&j]%61v[XW:^xHܐ|U]lLm<E1Dx e79qn@!iDs&(Rʷޕۂ3d7>ܚGںp$Ls[$ W.Ɗ46a9ͧݛmq5T [!cL>JA);6I ufzj\K ]oR}R݈gSu0\>+1 /pA ^4OJyCc$Y $h/c 3w(#TwlZ{&y8wSoEV 2t36iCPD5&2ΚRD>*I mٟDGq< zV6o{܅.̡U,7@ 3 SpJЩZAUZ;3#Т1ïՈ: ISk쳠[FEePJ# Wj3d)ydA1B5(#ܖ! υ8GL9)>7bf3 3:/#&apr-Hc׀njm֔ Q4 )'||ਿNg*$v|{ $"}&~ftJ׋Pgf}}մ#Yw'=8CуgSFG~+^dfјEҠ }Wm3Ikē*=soRG>Ox܊8!e7ϯvG!#o//|T_[M/*r o粬?7Ӎbjzt%7t2gJԸ@  reŷ\ص!:̾,@BT*1. z17iOu#mV 4D8'v6B/n@lx|B0!m>gtX,}:zgLA͵):V^GDd}HtC> MJerzvި"1'$Hv:7-?uv{tZnָjlGJ*'SH@fL9]Í,\51 EZȍ~63ܕumPC@f#v꬐(׌~4KպhRW2g'ww.zݗP]TmIpB0UVn[3^!;- A$0.k.?`Ck?Wf$_bDUR{u ;(ֱ4%}$r=G?SNR\ha$.țC6Yb{pӏpN %Têzj]`$m`_{LA8l3OtMs_5+[Q-_rg2==$.!i/UoJ/h!f$T)|JJ;4r='ZFѶIThۉ=נ%lڠ6VX]]M8Ԭ;%h2CoV;vL#+ݜ$qp5qҬ !2:vc[\pΦUv] [8IHN{Un-ȴhl,0L$Ԛ3$.&;:LQߪJY kgaHbSK3_xРdM9@RM#y=?D gw`<8LkFʆfZLٯUON8TQGYȄԱz~nGQ%wBpkLzw\\XI1sz?fIX7M$AM8aJx*,*g"erfr.S41U;93Ʉu.2?OR Ϛ$ҡV+1TKz@7R,f/vv9jZ$uO u!D~dVe{&CsA@#"E̕WF#S&*oBOV Rl#.Iu]"+U cq'o L@|O.g(Z[@`r\-4x /50XO녣U _f-uve= Bێ\x8;*\k봚<+]F۳=$rX ͕TV+s.#fۘ|Kcƪx~˶Sj\<x3/t[mq0´V!SͶ+Nhܸ&Цu fjXN4OlZ h8`Xc]1+ xFG:NbPhue>r¬)/ p a⼘k2)ӡck\5SѧNŁɭ ]6-3G6X4j㉙B45Gi>\>\MmΞnt@aKÌBu9m $f﷕.+$\׊OJb܈uO̘W'{qEbd%Rnvm +}WHoU#*9mzIlkpcsˁXw>00#Kr20Ct[=}JPأY(#vth(>ŹJ#^_˦&P q։nѐ#%E/8/dEw6M;'7(Ӄxc;UB6=LӀ- NT f4'IK@|d~<#9x*b˹ ͿR0bc Hgꥐ^|p9T!+]>Z7H ? )2IQ{u %ƫ[1- |Nl'm,`9_i,L&+!e\~ LGlwb| C*V>~۲OvZ 6H"A*=FE_YC"OׅɾYWcz{E_¨ ԟaXȶlX/7 (F/O{NuBk\,Lʣ^y{ =T^""OP* y1S~^@xiSFB+NCZo4 }LKw֮8ܣL[cM}dE6^-Kr)KX璏ò-8{܃3}QpH͕!A죁H;Ge3$wqKn ]JG<´rJ(J8x{ 4}E xI,RNҨ?$ڿptg"mdzA'z AVOc*jL4 Hp$7VMJ]#'fe]~=m}#a`ɭυ]//Wd)]hW/@$>GWӇtayK g:̒iic u{Cm2<[l^`L^lǦEJm)@h\ߞ-Ju7Nolr5HnE5]]BKkG+d@sEMzFc73JViu"t5i'v95qX\= ̐mnYWk~2!!PaB,q%j_1a- n XD fiʴ C]{QW\P`5ӒL'4hOpMneZhxHrJ 55#|Fr@C[B'#50Nr%u;2-(r! k#;/c f1,ԃKe*Jd$Ǜ.輔x 8fo+DBj5 ZkeJcT pfSN^W^䆩itt'6[U JC3 bx8#Ysoe &=ˁ{q 3_8Q(w6BgJq u=N,`(1ߏcdk k?};# d- 9:QAoHeܚ%~_w5\_ 8q"pfF=P[m3)qt\MPa<ϓf"u)Kvkqt56,p@b Cs(QJ`#:[RQի֫xA L@gVzИ+-hxT_͑LN*IAHt%4cB |N"|s+ׁߒ2Yqxnpad_4GAm!: w%'A$Bxq^4H C3V--;|B͎b-\)!,j_z:tJD~R`@1]4 Fe*BëCŃ;`9D}^wb7ZS1O^n??N[BLf>Vk4,ϡ$G>>t(L:@N;j*]. / @8i罵qy"#_'p ϜR6[ p|EPcc)ȠA7;}ISCJt+ӬoF␔Q! 8Td]$;"I~sG,Ï8ϗt͹R촀57$K6!æ \RfYk9g&b˙›Ff#,xZz-q YZ