hostapd-2.9-lp152.2.3.1<>,b`m/=„|Mj&PSg>4/7#y ̂f[.C6#Tή 5ZdHg:4UFsYM+S;Ax!s+LVgU#Y&iM*+@(s|;5HUlv ^d׹g5N)p$c`>#l2N .Вd\\fg1C$n ukfQ"ş7"JXP]MG>I|?ld   H ,;AHi  $ P |  j N4\&&s&(89:=>?@FGHIpXY\]^1 bcd'e,f/l1uDvwxyh"z &hChostapd2.9lp152.2.3.1Daemon for running a WPA capable Access Pointhostapd is a user space daemon for access point and authentication servers. It implements IEEE 802.11 access point management, IEEE 802.1X/WPA/WPA2/EAP Authenticators, RADIUS client, EAP server, and RADIUS authentication server. Currently, hostapd supports HostAP, madwifi, and prism54 drivers. It also supports wired IEEE 802.1X authentication via any ethernet driver.`mgoat09kopenSUSE Leap 15.2openSUSEGPL-2.0-only OR BSD-3-Clausehttp://bugs.opensuse.orgHardware/Wifihttps://w1.fi/linuxx86_64 if [ -x /usr/bin/systemctl ]; then test -n "$FIRST_ARG" || FIRST_ARG="$1" [ -d /var/lib/systemd/migrated ] || mkdir -p /var/lib/systemd/migrated || : for service in hostapd.service ; do sysv_service=${service%.*} if [ ! -e /usr/lib/systemd/system/$service ] && [ ! -e /etc/init.d/$sysv_service ]; then mkdir -p /run/systemd/rpm/needs-preset touch /run/systemd/rpm/needs-preset/$service elif [ -e /etc/init.d/$sysv_service ] && [ ! -e /var/lib/systemd/migrated/$sysv_service ]; then /usr/sbin/systemd-sysv-convert --save $sysv_service || : mkdir -p /run/systemd/rpm/needs-sysv-convert touch /run/systemd/rpm/needs-sysv-convert/$service fi done fi if [ -x /usr/bin/systemctl ]; then test -n "$FIRST_ARG" || FIRST_ARG="$1" [ -d /var/lib/systemd/migrated ] || mkdir -p /var/lib/systemd/migrated || : if [ "$YAST_IS_RUNNING" != "instsys" ]; then /usr/bin/systemctl daemon-reload || : fi for service in hostapd.service ; do sysv_service=${service%.*} if [ -e /run/systemd/rpm/needs-preset/$service ]; then /usr/bin/systemctl preset $service || : rm "/run/systemd/rpm/needs-preset/$service" || : elif [ -e /run/systemd/rpm/needs-sysv-convert/$service ]; then /usr/sbin/systemd-sysv-convert --apply $sysv_service || : rm "/run/systemd/rpm/needs-sysv-convert/$service" || : touch /var/lib/systemd/migrated/$sysv_service || : fi done fi if [ "$YAST_IS_RUNNING" != "instsys" ]; then if /usr/bin/systemctl is-active --quiet apparmor.service; then /sbin/apparmor_parser -r -T -W /etc/apparmor.d/usr.sbin.hostapd &> /dev/null || : fi fi test -n "$FIRST_ARG" || FIRST_ARG="$1" if [ "$FIRST_ARG" -eq 0 -a -x /usr/bin/systemctl ]; then # Package removal, not upgrade /usr/bin/systemctl --no-reload disable hostapd.service || : ( test "$YAST_IS_RUNNING" = instsys && exit 0 test -f /etc/sysconfig/services -a \ -z "$DISABLE_STOP_ON_REMOVAL" && . /etc/sysconfig/services test "$DISABLE_STOP_ON_REMOVAL" = yes -o \ "$DISABLE_STOP_ON_REMOVAL" = 1 && exit 0 /usr/bin/systemctl stop hostapd.service ) || : fi test -n "$FIRST_ARG" || FIRST_ARG="$1" if [ $1 -eq 0 ]; then # Package removal for service in hostapd.service ; do sysv_service="${service%.*}" rm "/var/lib/systemd/migrated/$sysv_service" || : done fi if [ -x /usr/bin/systemctl ]; then /usr/bin/systemctl daemon-reload || : fi if [ "$FIRST_ARG" -ge 1 ]; then # Package upgrade, not uninstall if [ -x /usr/bin/systemctl ]; then ( test "$YAST_IS_RUNNING" = instsys && exit 0 test -f /etc/sysconfig/services -a \ -z "$DISABLE_RESTART_ON_UPDATE" && . /etc/sysconfig/services test "$DISABLE_RESTART_ON_UPDATE" = yes -o \ "$DISABLE_RESTART_ON_UPDATE" = 1 && exit 0 /usr/bin/systemctl try-restart hostapd.service ) || : fi fiB0kE>0A큤A큤A큤`m`m`m`m`m`m`m`m`m`m`m`m`m`m`m]JE]JE]JE]JE`m]JE`mceb4c26cbeee4bcbac439eecfd8576f2cbf31ab0162bbca219b1263cc342bd771f56a88fe7f663e2912d82d1fccdb57ea4f3a5f933ce6193a2865b2dfa4a3ac9ad783ce62185a566bb1a9bec9ae1019eed04c4b1dc3c2f5fc9e0db0cbbb92e10110bde2b8db5105ec0670da388c050b9d98e9d49d9016e7b9a70df6b8121cc6a64f3d56657d8fa9cdf3b26f99876d61209e67c625c619c3ce4862a6b1889ab1f36666638cc3cd90d4bb1fba4aa04a36ababf07cd81c4cb24558fd7ca7905a04e756a7d08ff4d8ec04e054d68e4f837ce5f0a1f938cdfd035368587655f99d81c4474e5adc6260c9d5590044b4cd7e90b63639a1b6ff6e42f4205fe72ed4b8cd033acd5e4e2d2a876915e955cc2eaa28b3e64dea9bd691a0197d801d2b33e6da28d97223fdce567f3e7cf718072c174380024825d2b5b51b033475b2be8655b8fbb2b361fe8efebc4121a54c4fbccffa434a91f2feafb715a04e51a9a7b8e48a5f3d55b4d92a4e2fd4362fa43e7bd0f7dbac32e6a904f1f31f5f14f727a5b8c841ae016d32db3a5f03e490d8d1a5181212605dfd7714c189b29885f6a14e106f57f981a4767acfa2291844458ad221bb51b5354c0d8faac97281c014a1c9152fbad783ce62185a566bb1a9bec9ae1019eed04c4b1dc3c2f5fc9e0db0cbbb92e10100973f33a74379e1daf489bc406e5014fc625665f18b876d82d6684d7aef6ee09ab50b5e0f60116b4e49027627ddcddb16fd03b160e132269b79dc59fafc3daf51db52a5e281c61ee21aec82e24a226cae5c6b94bbec0456505d32fab8a1b59servicerootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootroothostapd-2.9-lp152.2.3.1.src.rpmconfig(hostapd)hostapdhostapd(x86-64) @@@@@@@@@@@@@@@@@@@@@@@@@    /bin/sh/bin/sh/bin/sh/bin/shconfig(hostapd)libc.so.6()(64bit)libc.so.6(GLIBC_2.14)(64bit)libc.so.6(GLIBC_2.15)(64bit)libc.so.6(GLIBC_2.2.5)(64bit)libc.so.6(GLIBC_2.3)(64bit)libc.so.6(GLIBC_2.3.4)(64bit)libc.so.6(GLIBC_2.4)(64bit)libcrypto.so.1.1()(64bit)libcrypto.so.1.1(OPENSSL_1_1_0)(64bit)libdl.so.2()(64bit)libdl.so.2(GLIBC_2.2.5)(64bit)libm.so.6()(64bit)libm.so.6(GLIBC_2.2.5)(64bit)libnl-3.so.200()(64bit)libnl-3.so.200(libnl_3)(64bit)libnl-genl-3.so.200()(64bit)libnl-genl-3.so.200(libnl_3)(64bit)libnl-route-3.so.200()(64bit)libnl-route-3.so.200(libnl_3)(64bit)librt.so.1()(64bit)librt.so.1(GLIBC_2.2.5)(64bit)libsqlite3.so.0()(64bit)libssl.so.1.1()(64bit)libssl.so.1.1(OPENSSL_1_1_0)(64bit)libssl.so.1.1(OPENSSL_1_1_1)(64bit)rpmlib(CompressedFileNames)rpmlib(FileDigests)rpmlib(PayloadFilesHavePrefix)rpmlib(PayloadIsXz)systemdsystemdsystemdsystemd2.9-lp152.2.3.13.0.4-14.6.0-14.0-15.2-14.14.1`lM@`4@_s!^@]p\O\&@\\ `[@YB@WV#U8T|Clemens Famulla-Conrad Michael Ströder Clemens Famulla-Conrad Clemens Famulla-Conrad Michael Ströder Michael Ströder Jan Engelhardt Karol Babioch mardnh@gmx.deKarol Babioch chris@intrbiz.comchris@intrbiz.commichael@stroeder.commichael@stroeder.commichael@stroeder.com- Add CVE-2021-30004.patch -- forging attacks may occur because AlgorithmIdentifier parameters are mishandled in tls/pkcs1.c and tls/x509v3.c (bsc#1184348)- added AppArmor profile (source apparmor-usr.sbin.hostapd)- Add CVE-2020-12695.patch -- UPnP SUBSCRIBE misbehavior in hostapd WPS AP (bsc#1172700)- Add CVE-2019-16275.patch -- AP mode PMF disconnection protection bypass (bsc#1150934)- Update to version 2.9 * SAE changes - disable use of groups using Brainpool curves - improved protection against side channel attacks [https://w1.fi/security/2019-6/] * EAP-pwd changes - disable use of groups using Brainpool curves - improved protection against side channel attacks [https://w1.fi/security/2019-6/] * fixed FT-EAP initial mobility domain association using PMKSA caching * added configuration of airtime policy * fixed FILS to and RSNE into (Re)Association Response frames * fixed DPP bootstrapping URI parser of channel list * added support for regulatory WMM limitation (for ETSI) * added support for MACsec Key Agreement using IEEE 802.1X/PSK * added experimental support for EAP-TEAP server (RFC 7170) * added experimental support for EAP-TLS server with TLS v1.3 * added support for two server certificates/keys (RSA/ECC) * added AKMSuiteSelector into "STA " control interface data to determine with AKM was used for an association * added eap_sim_id parameter to allow EAP-SIM/AKA server pseudonym and fast reauthentication use to be disabled * fixed an ECDH operation corner case with OpenSSL- Update to version 2.8 * SAE changes - added support for SAE Password Identifier - changed default configuration to enable only group 19 (i.e., disable groups 20, 21, 25, 26 from default configuration) and disable all unsuitable groups completely based on REVmd changes - improved anti-clogging token mechanism and SAE authentication frame processing during heavy CPU load; this mitigates some issues with potential DoS attacks trying to flood an AP with large number of SAE messages - added Finite Cyclic Group field in status code 77 responses - reject use of unsuitable groups based on new implementation guidance in REVmd (allow only FFC groups with prime >= 3072 bits and ECC groups with prime >= 256) - minimize timing and memory use differences in PWE derivation [https://w1.fi/security/2019-1/] (CVE-2019-9494) - fixed confirm message validation in error cases [https://w1.fi/security/2019-3/] (CVE-2019-9496) * EAP-pwd changes - minimize timing and memory use differences in PWE derivation [https://w1.fi/security/2019-2/] (CVE-2019-9495) - verify peer scalar/element [https://w1.fi/security/2019-4/] (CVE-2019-9497 and CVE-2019-9498) - fix message reassembly issue with unexpected fragment [https://w1.fi/security/2019-5/] - enforce rand,mask generation rules more strictly - fix a memory leak in PWE derivation - disallow ECC groups with a prime under 256 bits (groups 25, 26, and 27) * Hotspot 2.0 changes - added support for release number 3 - reject release 2 or newer association without PMF * added support for RSN operating channel validation (CONFIG_OCV=y and configuration parameter ocv=1) * added Multi-AP protocol support * added FTM responder configuration * fixed build with LibreSSL * added FT/RRB workaround for short Ethernet frame padding * fixed KEK2 derivation for FILS+FT * added RSSI-based association rejection from OCE * extended beacon reporting functionality * VLAN changes - allow local VLAN management with remote RADIUS authentication - add WPA/WPA2 passphrase/PSK -based VLAN assignment * OpenSSL: allow systemwide policies to be overridden * extended PEAP to derive EMSK to enable use with ERP/FILS * extended WPS to allow SAE configuration to be added automatically for PSK (wps_cred_add_sae=1) * fixed FT and SA Query Action frame with AP-MLME-in-driver cases * OWE: allow Diffie-Hellman Parameter element to be included with DPP in preparation for DPP protocol extension * RADIUS server: started to accept ERP keyName-NAI as user identity automatically without matching EAP database entry * fixed PTK rekeying with FILS and FT wpa_supplicant: * SAE changes - added support for SAE Password Identifier - changed default configuration to enable only groups 19, 20, 21 (i.e., disable groups 25 and 26) and disable all unsuitable groups completely based on REVmd changes - do not regenerate PWE unnecessarily when the AP uses the anti-clogging token mechanisms - fixed some association cases where both SAE and FT-SAE were enabled on both the station and the selected AP - started to prefer FT-SAE over SAE AKM if both are enabled - started to prefer FT-SAE over FT-PSK if both are enabled - fixed FT-SAE when SAE PMKSA caching is used - reject use of unsuitable groups based on new implementation guidance in REVmd (allow only FFC groups with prime >= 3072 bits and ECC groups with prime >= 256) - minimize timing and memory use differences in PWE derivation [https://w1.fi/security/2019-1/] (CVE-2019-9494) * EAP-pwd changes - minimize timing and memory use differences in PWE derivation [https://w1.fi/security/2019-2/] (CVE-2019-9495) - verify server scalar/element [https://w1.fi/security/2019-4/] (CVE-2019-9499) - fix message reassembly issue with unexpected fragment [https://w1.fi/security/2019-5/] - enforce rand,mask generation rules more strictly - fix a memory leak in PWE derivation - disallow ECC groups with a prime under 256 bits (groups 25, 26, and 27) * fixed CONFIG_IEEE80211R=y (FT) build without CONFIG_FILS=y * Hotspot 2.0 changes - do not indicate release number that is higher than the one AP supports - added support for release number 3 - enable PMF automatically for network profiles created from credentials * fixed OWE network profile saving * fixed DPP network profile saving * added support for RSN operating channel validation (CONFIG_OCV=y and network profile parameter ocv=1) * added Multi-AP backhaul STA support * fixed build with LibreSSL * number of MKA/MACsec fixes and extensions * extended domain_match and domain_suffix_match to allow list of values * fixed dNSName matching in domain_match and domain_suffix_match when using wolfSSL * started to prefer FT-EAP-SHA384 over WPA-EAP-SUITE-B-192 AKM if both are enabled * extended nl80211 Connect and external authentication to support SAE, FT-SAE, FT-EAP-SHA384 * fixed KEK2 derivation for FILS+FT * extended client_cert file to allow loading of a chain of PEM encoded certificates * extended beacon reporting functionality * extended D-Bus interface with number of new properties * fixed a regression in FT-over-DS with mac80211-based drivers * OpenSSL: allow systemwide policies to be overridden * extended driver flags indication for separate 802.1X and PSK 4-way handshake offload capability * added support for random P2P Device/Interface Address use * extended PEAP to derive EMSK to enable use with ERP/FILS * extended WPS to allow SAE configuration to be added automatically for PSK (wps_cred_add_sae=1) * removed support for the old D-Bus interface (CONFIG_CTRL_IFACE_DBUS) * extended domain_match and domain_suffix_match to allow list of values * added a RSN workaround for misbehaving PMF APs that advertise IGTK/BIP KeyID using incorrect byte order * fixed PTK rekeying with FILS and FT- Use noun phrase in summary.- Applied spec-cleaner - Added bug reference - Use defconfig file as template for configuration instead of patching it during build. This is easier to maintain in the long run. This removes the patch hostapd-2.6-defconfig.patch in favor of a simple config file, which is copied over from the source directory. - Enabled CLI editing and history support.- Update to version 2.7 * fixed WPA packet number reuse with replayed messages and key reinstallation [http://w1.fi/security/2017-1/] (CVE-2017-13082) (bsc#1056061) * added support for FILS (IEEE 802.11ai) shared key authentication * added support for OWE (Opportunistic Wireless Encryption, RFC 8110; and transition mode defined by WFA) * added support for DPP (Wi-Fi Device Provisioning Protocol) * FT: - added local generation of PMK-R0/PMK-R1 for FT-PSK (ft_psk_generate_local=1) - replaced inter-AP protocol with a cleaner design that is more easily extensible; this breaks backward compatibility and requires all APs in the ESS to be updated at the same time to maintain FT functionality - added support for wildcard R0KH/R1KH - replaced r0_key_lifetime (minutes) parameter with ft_r0_key_lifetime (seconds) - fixed wpa_psk_file use for FT-PSK - fixed FT-SAE PMKID matching - added expiration to PMK-R0 and PMK-R1 cache - added IEEE VLAN support (including tagged VLANs) - added support for SHA384 based AKM * SAE - fixed some PMKSA caching cases with SAE - added support for configuring SAE password separately of the WPA2 PSK/passphrase - added option to require MFP for SAE associations (sae_require_pmf=1) - fixed PTK and EAPOL-Key integrity and key-wrap algorithm selection for SAE; note: this is not backwards compatible, i.e., both the AP and station side implementations will need to be update at the same time to maintain interoperability - added support for Password Identifier * hostapd_cli: added support for command history and completion * added support for requesting beacon report * large number of other fixes, cleanup, and extensions * added option to configure EAPOL-Key retry limits (wpa_group_update_count and wpa_pairwise_update_count) * removed all PeerKey functionality * fixed nl80211 AP mode configuration regression with Linux 4.15 and newer * added support for using wolfSSL cryptographic library * fixed some 20/40 MHz coexistence cases where the BSS could drop to 20 MHz even when 40 MHz would be allowed * Hotspot 2.0 - added support for setting Venue URL ANQP-element (venue_url) - added support for advertising Hotspot 2.0 operator icons - added support for Roaming Consortium Selection element - added support for Terms and Conditions - added support for OSEN connection in a shared RSN BSS * added support for using OpenSSL 1.1.1 * added EAP-pwd server support for salted passwords - Remove not longer needed patches (fixed upstream) * rebased-v2.6-0001-hostapd-Avoid-key-reinstallation-in-FT-handshake.patch * rebased-v2.6-0002-Prevent-reinstallation-of-an-already-in-use-group-ke.patch * rebased-v2.6-0003-Extend-protection-of-GTK-IGTK-reinstallation-of-WNM-.patch * rebased-v2.6-0004-Prevent-installation-of-an-all-zero-TK.patch * rebased-v2.6-0005-Fix-PTK-rekeying-to-generate-a-new-ANonce.patch * rebased-v2.6-0006-TDLS-Reject-TPK-TK-reconfiguration.patch * rebased-v2.6-0008-FT-Do-not-allow-multiple-Reassociation-Response-fram.patch * rebased-v2.6-0001-WPA-Ignore-unauthenticated-encrypted-EAPOL-Key-data.patch - Verify source signature- Added rebased-v2.6-0001-WPA-Ignore-unauthenticated-encrypted-EAPOL-Key-data.patch Ignore unauthenticated encrypted EAPOL-Key data (CVE-2018-14526, bsc#1104205).- Fix KRACK attacks (bsc#1063479, CVE-2017-13078, CVE-2017-13079, CVE-2017-13080, CVE-2017-13081, CVE-2017-13087, CVE-2017-13088): * rebased-v2.6-0001-hostapd-Avoid-key-reinstallation-in-FT-handshake.patch * rebased-v2.6-0002-Prevent-reinstallation-of-an-already-in-use-group-ke.patch * rebased-v2.6-0003-Extend-protection-of-GTK-IGTK-reinstallation-of-WNM-.patch * rebased-v2.6-0004-Prevent-installation-of-an-all-zero-TK.patch * rebased-v2.6-0005-Fix-PTK-rekeying-to-generate-a-new-ANonce.patch * rebased-v2.6-0006-TDLS-Reject-TPK-TK-reconfiguration.patch * rebased-v2.6-0007-WNM-Ignore-WNM-Sleep-Mode-Response-without-pending-r.patch * rebased-v2.6-0008-FT-Do-not-allow-multiple-Reassociation-Response-fram.patch- update to upstream release 2.6 * fixed EAP-pwd last fragment validation [http://w1.fi/security/2015-7/] (CVE-2015-5314) * fixed WPS configuration update vulnerability with malformed passphrase [http://w1.fi/security/2016-1/] (CVE-2016-4476) * extended channel switch support for VHT bandwidth changes * added support for configuring new ANQP-elements with anqp_elem=: * fixed Suite B 192-bit AKM to use proper PMK length (note: this makes old releases incompatible with the fixed behavior) * added no_probe_resp_if_max_sta=1 parameter to disable Probe Response frame sending for not-associated STAs if max_num_sta limit has been reached * added option (-S as command line argument) to request all interfaces to be started at the same time * modified rts_threshold and fragm_threshold configuration parameters to allow -1 to be used to disable RTS/fragmentation * EAP-pwd: added support for Brainpool Elliptic Curves (with OpenSSL 1.0.2 and newer) * fixed EAPOL reauthentication after FT protocol run * fixed FTIE generation for 4-way handshake after FT protocol run * fixed and improved various FST operations * TLS server - support SHA384 and SHA512 hashes - support TLS v1.2 signature algorithm with SHA384 and SHA512 - support PKCS #5 v2.0 PBES2 - support PKCS #5 with PKCS #12 style key decryption - minimal support for PKCS #12 - support OCSP stapling (including ocsp_multi) * added support for OpenSSL 1.1 API changes - drop support for OpenSSL 0.9.8 - drop support for OpenSSL 1.0.0 * EAP-PEAP: support fast-connect crypto binding * RADIUS - fix Called-Station-Id to not escape SSID - add Event-Timestamp to all Accounting-Request packets - add Acct-Session-Id to Accounting-On/Off - add Acct-Multi-Session-Id ton Access-Request packets - add Service-Type (= Frames) - allow server to provide PSK instead of passphrase for WPA-PSK Tunnel_password case - update full message for interim accounting updates - add Acct-Delay-Time into Accounting messages - add require_message_authenticator configuration option to require CoA/Disconnect-Request packets to be authenticated * started to postpone WNM-Notification frame sending by 100 ms so that the STA has some more time to configure the key before this frame is received after the 4-way handshake * VHT: added interoperability workaround for 80+80 and 160 MHz channels * extended VLAN support (per-STA vif, etc.) * fixed PMKID derivation with SAE * nl80211 - added support for full station state operations - fix IEEE 802.1X/WEP EAP reauthentication and rekeying to use unencrypted EAPOL frames * added initial MBO support; number of extensions to WNM BSS Transition Management * added initial functionality for location related operations * added assocresp_elements parameter to allow vendor specific elements to be added into (Re)Association Response frames * improved Public Action frame addressing - use Address 3 = wildcard BSSID in GAS response if a query from an unassociated STA used that address - fix TX status processing for Address 3 = wildcard BSSID - add gas_address3 configuration parameter to control Address 3 behavior * added command line parameter -i to override interface parameter in hostapd.conf * added command completion support to hostapd_cli * added passive client taxonomy determination (CONFIG_TAXONOMY=y compile option and "SIGNATURE " control interface command) * number of small fixes - renamed hostapd-2.5-defconfig.patch to hostapd-2.6-defconfig.patch- update to upstream release 2.5 - removed 0001-P2P-Validate-SSID-element-length-before-copying-it-C.patch (CVE-2015-1863) because it's fixed in upstream release 2.5 - rebased hostapd-2.4-defconfig.patch -> hostapd-2.5-defconfig.patch ChangeLog for hostapd since 2.4: 2015-09-27 - v2.5 * fixed WPS UPnP vulnerability with HTTP chunked transfer encoding [http://w1.fi/security/2015-2/] (CVE-2015-4141 bsc#930077) * fixed WMM Action frame parser [http://w1.fi/security/2015-3/] (CVE-2015-4142 bsc#930078) * fixed EAP-pwd server missing payload length validation [http://w1.fi/security/2015-4/] (CVE-2015-4143, CVE-2015-4144, CVE-2015-4145, bsc#930079) * fixed validation of WPS and P2P NFC NDEF record payload length [http://w1.fi/security/2015-5/] * nl80211: - fixed vendor command handling to check OUI properly * fixed hlr_auc_gw build with OpenSSL * hlr_auc_gw: allow Milenage RES length to be reduced * disable HT for a station that does not support WMM/QoS * added support for hashed password (NtHash) in EAP-pwd server * fixed and extended dynamic VLAN cases * added EAP-EKE server support for deriving Session-Id * set Acct-Session-Id to a random value to make it more likely to be unique even if the device does not have a proper clock * added more 2.4 GHz channels for 20/40 MHz HT co-ex scan * modified SAE routines to be more robust and PWE generation to be stronger against timing attacks * added support for Brainpool Elliptic Curves with SAE * increases maximum value accepted for cwmin/cwmax * added support for CCMP-256 and GCMP-256 as group ciphers with FT * added Fast Session Transfer (FST) module * removed optional fields from RSNE when using FT with PMF (workaround for interoperability issues with iOS 8.4) * added EAP server support for TLS session resumption * fixed key derivation for Suite B 192-bit AKM (this breaks compatibility with the earlier version) * added mechanism to track unconnected stations and do minimal band steering * number of small fixes- update version 2.4 - added 0001-P2P-Validate-SSID-element-length-before-copying-it-C.patch for CVE-2015-1863 - updated URLs - require pkg-config and libnl3-devel during build - replaced hostapd-2.3-defconfig.patch by hostapd-2.4-defconfig.patch ChangeLog for hostapd since 2.3: 2015-03-15 - v2.4 * allow OpenSSL cipher configuration to be set for internal EAP server (openssl_ciphers parameter) * fixed number of small issues based on hwsim test case failures and static analyzer reports * fixed Accounting-Request to not include duplicated Acct-Session-Id * add support for Acct-Multi-Session-Id in RADIUS Accounting messages * add support for PMKSA caching with SAE * add support for generating BSS Load element (bss_load_update_period) * fixed channel switch from VHT to HT * add INTERFACE-ENABLED and INTERFACE-DISABLED ctrl_iface events * add support for learning STA IPv4/IPv6 addresses and configuring ProxyARP support * dropped support for the madwifi driver interface * add support for Suite B (128-bit and 192-bit level) key management and cipher suites * fixed a regression with driver=wired * extend EAPOL-Key msg 1/4 retry workaround for changing SNonce * add BSS_TM_REQ ctrl_iface command to send BSS Transition Management Request frames and BSS-TM-RESP event to indicate response to such frame * add support for EAP Re-Authentication Protocol (ERP) * fixed AP IE in EAPOL-Key 3/4 when both WPA and FT was enabled * fixed a regression in HT 20/40 coex Action frame parsing * set stdout to be line-buffered * add support for vendor specific VHT extension to enable 256 QAM rates (VHT-MCS 8 and 9) on 2.4 GHz band * RADIUS DAS: - extend Disconnect-Request processing to allow matching of multiple sessions - support Acct-Multi-Session-Id as an identifier - allow PMKSA cache entry to be removed without association * expire hostapd STA entry if kernel does not have a matching entry * allow chanlist to be used to specify a subset of channels for ACS * improve ACS behavior on 2.4 GHz band and allow channel bias to be configured with acs_chan_bias parameter * do not reply to a Probe Request frame that includes DSS Parameter Set element in which the channel does not match the current operating channel * add UPDATE_BEACON ctrl_iface command; this can be used to force Beacon frame contents to be updated and to start beaconing on an interface that used start_disabled=1 * fixed some RADIUS server failover cases- update version 2.3 - removed patch hostapd-2.1-be-host_to_le.patch because it seems obsolete - hostapd-2.1-defconfig.patch rediffed and renamed to hostapd-2.3-defconfig.patch ChangeLog for hostapd since 2.1: 2014-10-09 - v2.3 * fixed number of minor issues identified in static analyzer warnings * fixed DFS and channel switch operation for multi-BSS cases * started to use constant time comparison for various password and hash values to reduce possibility of any externally measurable timing differences * extended explicit clearing of freed memory and expired keys to avoid keeping private data in memory longer than necessary * added support for number of new RADIUS attributes from RFC 7268 (Mobility-Domain-Id, WLAN-HESSID, WLAN-Pairwise-Cipher, WLAN-Group-Cipher, WLAN-AKM-Suite, WLAN-Group-Mgmt-Pairwise-Cipher) * fixed GET_CONFIG wpa_pairwise_cipher value * added code to clear bridge FDB entry on station disconnection * fixed PMKSA cache timeout from Session-Timeout for WPA/WPA2 cases * fixed OKC PMKSA cache entry fetch to avoid a possible infinite loop in case the first entry does not match * fixed hostapd_cli action script execution to use more robust mechanism (CVE-2014-3686) 2014-06-04 - v2.2 * fixed SAE confirm-before-commit validation to avoid a potential segmentation fault in an unexpected message sequence that could be triggered remotely * extended VHT support - Operating Mode Notification - Power Constraint element (local_pwr_constraint) - Spectrum management capability (spectrum_mgmt_required=1) - fix VHT80 segment picking in ACS - fix vht_capab 'Maximum A-MPDU Length Exponent' handling - fix VHT20 * fixed HT40 co-ex scan for some pri/sec channel switches * extended HT40 co-ex support to allow dynamic channel width changes during the lifetime of the BSS * fixed HT40 co-ex support to check for overlapping 20 MHz BSS * fixed MSCHAP UTF-8 to UCS-2 conversion for three-byte encoding; this fixes password with include UTF-8 characters that use three-byte encoding EAP methods that use NtPasswordHash * reverted TLS certificate validation step change in v2.1 that rejected any AAA server certificate with id-kp-clientAuth even if id-kp-serverAuth EKU was included * fixed STA validation step for WPS ER commands to prevent a potential crash if an ER sends an unexpected PutWLANResponse to a station that is disassociated, but not fully removed * enforce full EAP authentication after RADIUS Disconnect-Request by removing the PMKSA cache entry * added support for NAS-IP-Address, NAS-identifier, and NAS-IPv6-Address in RADIUS Disconnect-Request * added mechanism for removing addresses for MAC ACLs by prefixing an entry with "-" * Interworking/Hotspot 2.0 enhancements - support Hotspot 2.0 Release 2 * OSEN network for online signup connection * subscription remediation (based on RADIUS server request or control interface HS20_WNM_NOTIF for testing purposes) * Hotspot 2.0 release number indication in WFA RADIUS VSA * deauthentication request (based on RADIUS server request or control interface WNM_DEAUTH_REQ for testing purposes) * Session Info URL RADIUS AVP to trigger ESS Disassociation Imminent * hs20_icon config parameter to configure icon files for OSU * osu_* config parameters for OSU Providers list - do not use Interworking filtering rules on Probe Request if Interworking is disabled to avoid interop issues * added/fixed nl80211 functionality - AP interface teardown optimization - support vendor specific driver command (VENDOR []) * fixed PMF protection of Deauthentication frame when this is triggered by session timeout * internal TLS implementation enhancements/fixes - add SHA256-based cipher suites - add DHE-RSA cipher suites - fix X.509 validation of PKCS#1 signature to check for extra data * RADIUS server functionality - add minimal RADIUS accounting server support (hostapd-as-server); this is mainly to enable testing coverage with hwsim scripts - allow authentication log to be written into SQLite databse - added option for TLS protocol testing of an EAP peer by simulating various misbehaviors/known attacks - MAC ACL support for testing purposes * fixed PTK derivation for CCMP-256 and GCMP-256 * extended WPS per-station PSK to support ER case * added option to configure the management group cipher (group_mgmt_cipher=AES-128-CMAC (default), BIP-GMAC-128, BIP-GMAC-256, BIP-CMAC-256) * fixed AP mode default TXOP Limit values for AC_VI and AC_VO (these were rounded incorrectly) * added support for postponing FT response in case PMK-R1 needs to be pulled from R0KH * added option to advertise 40 MHz intolerant HT capability with ht_capab=[40-INTOLERANT] * remove WPS 1.0 only support, i.e., WSC 2.0 support is now enabled whenever CONFIG_WPS=y is set * EAP-pwd fixes - fix possible segmentation fault on EAP method deinit if an invalid group is negotiated * fixed RADIUS client retransmit/failover behavior - there was a potential ctash due to freed memory being accessed - failover to a backup server mechanism did not work properly * fixed a possible crash on double DISABLE command when multiple BSSes are enabled * fixed a memory leak in SAE random number generation * fixed GTK rekeying when the station uses FT protocol * fixed off-by-one bounds checking in printf_encode() - this could result in deinial of service in some EAP server cases * various bug fixes/bin/sh/bin/sh/bin/sh/bin/shgoat09 1617803033 2.9-lp152.2.3.12.9-lp152.2.3.12.9-lp152.2.3.1apparmor.dusr.sbin.hostapdhostapd.accepthostapd.confhostapd.denyhostapd.eap_userhostapd.radius_clientshostapd.sim_dbhostapd.vlanhostapd.wpa_pskhostapd.servicehostapdhostapd_clirchostapdhostapdChangeLogREADMEhostapd.confwired.confhostapdCOPYINGhostapd.8.gz/etc//etc/apparmor.d//usr/lib/systemd/system//usr/sbin//usr/share/doc/packages//usr/share/doc/packages/hostapd//usr/share/licenses//usr/share/licenses/hostapd//usr/share/man/man8/-fmessage-length=0 -grecord-gcc-switches -O2 -Wall -D_FORTIFY_SOURCE=2 -fstack-protector-strong -funwind-tables -fasynchronous-unwind-tables -fstack-clash-protection -gobs://build.opensuse.org/openSUSE:Maintenance:16041/openSUSE_Leap_15.2_Update/7bca35dbbc39cdb1fc0329029e455e17-hostapd.openSUSE_Leap_15.2_Updatedrpmxz5x86_64-suse-linuxdirectoryC source, ASCII textASCII textELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=6f36cf00553973fe354aa971c5dc80937fd582e6, for GNU/Linux 3.2.0, strippedELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=13d8533a8d2a6bfd652eade792b90fc736863c06, for GNU/Linux 3.2.0, strippedtroff or preprocessor input, ASCII text (gzip compressed data, max compression, from Unix) RRRRRRRRR RR RR RR RRRRRRR RRRRR RRR R RRRzP.,xBwtTX_apparmor-abstractionsutf-848e112005888c6718742f3c10049e77e6bb3725689fb1b6436a2b3a5ff4d7a5d?p7zXZ !t/J҂]"k%a @K^b dwdUqڑav xa]:;!X[̍-*6Dq:4;rEMhc| Cz/ qb7nB܌S5 XņަMA{{O5ج2DJQXx&=U`6Z6"suk`*^ݹ)э9սed];wWǬIkisv{hFr( ;T<UBi)}C>ɫ`ѼJNF5"?Csgg="\@39z*~WF 4~Yjjg8EtMRpAZewjz 3 aXeZć+xvh lGKrFʮ Tp! ѭzP+4SA*81cd܅:fgtI#$pR _ocb0%YL< !ANb15{o<~R_r8Tgk52Þ|}K˄Z"~ys]etSj BinH@æ1[͗Ćr8c[}nL)C < ko\jVCՙZ$QճL`KQ+2׆j*3|7wPGJeCƇZtAo0";pzG1urX1[?GT(jFxt0S[NE͏k&fN^1K>/ ̣y=)#qc`~6!OE<>z@GUM:pɃ\-0ǔy00N²Z>hTZzmư<-OW,3+70?{<1 a_T|80,п;@WHIG䛂Ij<eE}jpXaqχ',0Н59kB4J1Ÿɱ(L+gؒl!\3M/N$ P2M|wPj:h,yٜoӴK i?ov^U?)xu]~z./VaDTi\Mh@8߯0Pp7kC Q_=u=}B]&e.W+c8R.\@ݝeX8T\B)~&.)YH>!uCͫ% i@ڿWw804}P>P܄YhߖLh;zN_X*efpW{zhF͏]}8Ԓxc$qgǮ[_Y@`k;8 D!2;#{8C&҈8Va$VbraHXBsodܠwb5և9 F65wROB$"RVG| 6' 2Jg_h)4(MrOv;W1Q֭}?TP$[gd;PeIdeD92@  bKpxwK-ΗOJV[,EKS=wi,99^,6`tSEJa'uEFFjѱrTڽ#,_UɻEzi[OhO/;>ߣ_`H@{C Xwc=nO{ _ipd=RZG5hYtK]a߁$Xѧ#,L N@|ز9/pJ> u<-?f*jT}-TNJRq#=B1f&8BبT0S X[UsjsDvңB$owcڧ ŠWZVU!jhM[C2œv*tWobѡae&o;LYCT8 Vͱl2ⱺRqqc) o̊ XNaعY#@.BܝeTݦ< 7\!uwmiJBK}C" $c&!;JϨ_ `РkvO{@Z9 7T$H~k{#p >I7$Ƞ~/-㴗dژ'j VfHntR=/*&o]v B~ΎkXB@lv=.ɞӻjqq 1MO[(w3h^YUw?Tg`(Dndeejl@LiXuTVBJ1107 W;‰mkuK=l4p xŝ\@B:^<)Ԩ(8Lemtrۗ s \.3cxg]L\$ UZ\;YVF?g a;S DW|g@#lѲ[{ykS&{D5 NX)X_k!?iԺ$еA!>EݚrZ۝H)o1k7a&dzm{}\ .KY<>S ]DVћ}_.np&pz# 2i=!>N%rh;ve M`o7o"$34_]352%N#pҋVN|>CYtЧqZ|>.xBEݦj-bt_҃у[G_N65؀dLNf%vIAvG% bF }ٖ\ydlڿ09۵6b 'q06On8o2.ϰ=*t)cל* B=r qԢzuDYnz3bI? "bI(?HHߟ-:+ԟx:nFn \liZ(ů][Yte ݣDcIkV'  A+fA^Q:Jvw`׃¡ LiI19[+1IGR,qM "Tij9ť⃕e$ͷ!@K7_~M8?NR7]s +paY 26.SaڄvK%%TcԽ 2fg}k3gOPӗPe{FEO.''1yUA`D|Juq 5,0X 8OAqJ&.XvxHTpoa#ĔVJ}XwyleՍӶdj!x&l 3WZnYs[Jw'$)Lhh:z 0S5^d)s[Y=Ө\iw]Qrx۠w@ E7Dp*D)XOu_\(.%oˎyyÐݣ:\ͩTŏ;624j D}d1o?uS3֬Nl)?#OIƻfZ㜧 %N&O=O~17.Di7й|Q~p] s/I-;:ͭB3`mup کYll cnU)Y@>S3""ͬݙ{2zf]mOQ/#3P EhHb:ԫO+5C|, ]ġ`=XÌO2lK`%{XwhNJgP|]8GK ".50m.<Y/hTz$h(!ǭfH3hl_ߺΊ1Vz%>?8Coc>!0gQU c R`:&$(oHNͽc˲z7Iܾ_%NkG(5WƼD#?,}@\\Wo7B(VY:&.؟?Z2H^LÔ1)& zJ˼4z5ůvl&v`4Х`S@(B%]7A޷7_4gZhGĝ*z -M8S9N6i (RPڑ l/||u.4<@8)YUH0'e>)'BS~ 5#Uex8_`AxZs`z )KVKP:B|C" pyP~yOOPR'vt-v Py^6ԇop.˙l]4Ԝrk.Hjs2n[8d[|akFXE+w Ƌm40dp1 m^Q.'UVfl:a6\\Z/$J U-x^{/Y\uD/N gFMZa{~'0lB'g>6NT'30b錯ql4Ս,1bo DK(v 9v?Kۿϯ#p>EViY6?Pjݸ5K'C *Ĭga۟mz mκwa{ NP{ȠYC,O˾62'?ň+L⻀%B4"Dvfųj^L٠ +?)d|s^BO(EHT~f^m I-$I#+(1ԅz$>z)߉ça)kA|N:tMcpp)eh?Z.fH8"s^± : 9mW~sϬ**΄%4?C7$pǗx ~7Eg&5idLtG܊kV٤%=yx嘮aJÂ7ya0䅧|tVcR` 9[`R{|Yk&5L兕yzǿN+S{XܟeUTQA#T0H13搓}"[Ӊ Zlŵ>c 5wqS㦧]#O2++N+D|Ff>,9 ^3uݞ,uOh2бh&0 ]J/-lBtwHU9*|_[ jRUjp5:„P)qT[C:lږK] W#0Ѭ|Ycrʽuw5 YpIBI= q bPx?|L^@v.J"Ҩln[}DIW_%h#g2C=GjНH*Ot懘X, Bxc?ܻjiP%d=0` \Vs<Ƕش9)yr/x!v8.J6DݧZ.ǚ>M#9Jz$g:L]n% J{;]IZH+`d -rhu!.BO^>P6>-ځN}u-[4x*NNFjꃢhls@jv W)x<.XQ ΐYC<{)M_ ue; ZB""-Y.^]17J.żGKXHy*OlT-Drl=3\\džc.7Zn |}bSYh ֒YFd"T)q}*|:pP>#(bC]uL2 #.1VBNϷ1u'eCb:/<Ɨ߫LVՀ ׈w}Kٳ* hlF( a!YN6jjnZv8]D{qw `{il^}TFƍF4*mXKm6:$T,#ҧJ3cC=b߳^LdN= ʗxl%}ж 3u-5elORJڶH }E2Q<E,`\<D`4H a Ý gFx<0c՛ZhU`GK6rH#>ڈšB+ t >Vgbhڗ~c]Á"b XHZ*k $91/-&wJzL( ]fOcwt (u@.];x@67-aFX9U^CXBI/ !2~>zԃՂHTh^Rp7rQwӞ峽.bniL(9 ̖^\pHT Vl0dnLV<r<[C^Fk2 AguČv(,+cs^,dVzF3ɟ?)wnӆ>:bx`u"цyQ~kFl)T?%+ǫ^ t,CWC;stj!q{z^ʴ-tc4ʇeP&(gtJ9X5)Ig ;!'tZ Ty4Ѻ%N57b4+߉TP(2:+m3CA,֌w j@| C5OՁ:]IL >2,%󆣱9#/!8 ߴ rvŦ89 #L%"e9-hm21#{$P+` a?C`l55S$5pش-{u.N7;e@:V3@g2-2_Y҉NVvs㠗5eP h_d\fҺ:H3 Nȇ\$9NQi@- ᯔ3=)a 77_y;6 WN;l'dy6ql4]z4-'Ԣ~=8rqIX l9"<+k]Jw@Bgba ڱzN( `P ap RzĨ}Dc|\{j/!de,܎569ץyĐI/D4 )欬EAj.uL&hy'Ž64JِvMԒJ~ ă͇5fZESy?e}QObm|W.I0Y9-AI&q2,I(]?ovh?b;h@!'զpS2bX 4mfP(Iu j"yMpTbXڹJw" $QiK&Gu3x\ 5\.x@Age5waM\TX<ɒi*. N'inKVgfk2yW_^L:iϣn$|}$pi?zhBH+pª C9U_hL=gCBeѽ#.K5v.o͕0$"ă r#Mq>PG$m6W|c4f%1Piz-F̧}HZ? ?')}$It["IIE?ueb[@l/!ڭ $ے[Ȥ؅P-7fk 9ʮ rֵ+gVA=Ngc;fa[d ٟEc^98S%>"|.*H%r/-__`"poнbWcEcޓQ^M ?S٪7ɞ@_yةw/Q+c} e nj <CHCݘ"/ <-mk[vXqf.`v#ao |s#lTKY5^lR`>j{(ˤ.i?Iڞ4OH 4m(Av=k΍tQ}Ԇ!m:\C\$zK(Df;?>JΐSWKzɽs2~̄AW3+a)3aBc[<`8]C`3p`BLZ16q`.Idن8KɐjR\WR/ٺ=6:G4\,>Wt؉={J`ob6܇+Цp' .+oaCv;aXfNʮƛf7PoQ~pdcI|[lr=A5lsx@)Մl J1t"2":J0ˊf3FӡF5}s3p.m?8ʟp+M1)N^-e|T?;>{'du$IAmQ+!cL?8`vA¶NBκO\k-TJQ6-oFkBAO̾hOA몇=xnOM:=ǀj#JƒM qpyg FO|&ҿ(ؙ9k BK;3?rUDR_sUE33rbvW;k[q>hg[\͉B(@V+_S:\hCW X!x T4o#bWX[\oȉpX^C+jkտT.=둆f)38 u ϧYFQfTCߔ㢃GNC{1Q݂uL4VI;{WkVY&|Jz)Zu d(xU$P} zeVUC֯vWf;rOb}1` pX3Mu{C"bPF̄?*:wzv URr㜷NZRʦo^ EX ɥ,fipk륉}u 5cՏE呦_LgcKvΟיrZ1bɡ^4=emL%d9VLdSZOf¡ q1}mm7%Pf~1ɁIHe`}@-XIDX+ $3^+M'Ija ֽEN:Igt_pF~E)^xdsˤ7TD ϒܡeTym=ZU<*ҭl$3 9OHD'$vK2b͂T)\2rUu jRCy.{Ύo>nL E lm% [AN=iKz .YΉLOW?u~ZS5Z\Vg[>e>bqZ>\3HGWI ߬U!3IޫL+ފlnMR.Lnpi%h 7|[?Y_߈Խ 7lZ0 B`C"e"Qxw$1_ Nר`Q 4]nw+ ;ٿm7+[vG@eh9qy#?Ʀlʙ/Z6GwZfP7v_SV2~M_UKVFǕ$n$'a@4T3'_1JbJJfL«urdQbsGc,cˑ`4vNmTd@ [@.ù +d!U/ M Ȣ4?^ F[wJ;ѫ"G2sơs\Ȅq^ spC}s{$Z¶^KI5oQB:}(ɚ UEX晸#@$>Q&?aSJˀC@0OקՄicq,P&8O;)&W͕|lxԐ2-r IL-뱙eDl/L2 veuڝ=;i ѵKyD)U'ؠwFq1(Lʻ0+@kM7CH2I+`~k(a4sR5y iIp{*-¸Vn45[,IRz}y"k Tn"(ЌkeW[)<ŃCL/a}>-MGg-K'Bftc_+wnk>DaB>roʻe.Q2tS"b>BF\ʳ :Q/W!ZE.~V&>WwvƆT~A6N ϜN J/aIzP7bEo^1ӛ7pEjH 5CMcBvks!d5vFkr-asmev#R so鏪>n%oIi |E粶 x4:u]ϻ:8\Aӿ.5 Sa+›>f?X4OVΥiWC5 ۊ,5tphx; I Ymr=59~in{aߎi+р[0 xt6)o fBnxmL=}K=h[Z`Q/?q ew\(܍< ڒ\ ni529+Hc,~570^n/ڿ|Uy ^c{]&}3Y=biا[; le/W[ nk\TȞ PRn ށK6 cGtAqêʓŮ?Halu4.0{A g+sk*o.ͶTEn(ԙZ)yq j{1 $٧@+8H!flMS 3Hۓ9>c Ԕxz/FN?T#Ԟ,{r~_8JhBEXZnJYqL/" =v!FMO9) BĂk<=) g)C43I^{L !4Bf-s] oxRbʯoKz^_j6J]}ݽߎ4QY4eK(~ܥ5bj*(W6f Ԯ@/"aOA Hx065db5=9k7-Ё~׺{rkX9Iu:FId@Z~8+vM6 ^K2@=#Gw.`޵қ^u!JLF0 3lM1a9DLpzS-.Ϻ` 3a{IYCa6 Ğ\)4/W߼m3đ1 B+o-AJ' 2 BV7m`٭\8qJ.u%_][6 W#62}[4{7ܼL#[Zyߵג۬9Uީ N3p6A9gVH3L$'&#dc:V ]B `*mwqh< M~T'J_k 訸Al"u%f&0vn#,q[;l㿵8D Qf?ge6sb$g8TF(SP:-L/3ڄ蘽CC1,}Ճ)O֦͘SKg44ֿ䊂@ %x#iՐ0")_GHp>m/\fmw+J`ŹCCCGAMVq[Sj% )*/o+alWN!|kYtBW6Ct iK 8Ǒ4Z3sgZ-I =g`3?2jrς&S Ƌ ?8G NNES0@_ ߏ~aJ<J$IZȞUʮTK]Ahuƽ{JC9&9.ӟ䥭S/I2E@{! uU?(y@'Vpժ+r)ij֓i @[KEZӪj*V }a$vDN$Dwz Vx]a]1xF@ Ɲ?6Soap fzc^ .9#oeAy|>@==Vq‘IBIj~K" )KG%338i,ZG @$!v*Ԝbj@^. Eq2}>~oqh7dʻztL4##j3kvjRa8Ʊ7zaST| δqћ 3$L!fKp 9ٙVVY$װ P 36Pvc?~TVy/FygMR,[~![ dJވ=laG 3e`/oh7FCQ/o]jAՊj%ܰ,o#3 (&:F>4lt 1o#* vEu)`Y} *FURHA yy$H{]]ɔ 3M),䔮JhU\a[ >U&\?{($=C/Y%t<ݏY-oNٺT{4B&]0G5T7@2y{o8ibt|9$&뀵[~@?֨zCeݧ{]?pVT\M SZS]|q_zY:]~U؂NzR(2VZ}K[Mak"Kkt_lԏM1=3 >O7ܹ a=3#`4*d󑛍I-0 CH`$nM7%2d:U@v- wP3zskag\d4jtsޖ*n,=I,힤gDVNpJ^ 5M7[.UƳ` %/U`]=jM~,c.Ր٨=0I`䦄{SCR @$ܢͅǬHo#Ng5wͤ/htSpueN |I딲^ݔv,7ϳ@`X^DUHho>+mڻJ'432uNe:޳z_T7qfVY鶋ܬ^ a08 EV>ѲZ{Z˽rYlY<ە|ܬaͻ?!>;{GnYFqEAddh}E% *,OJetOs-=рA]z_,Đ!Hz4v"'k72 ݌ B$ N_o6Qt 1RFZiGA;Nsb G|G)|GMJ/Da է@/V;OBč\:(H)uW2L78Ŏm\ br[l_XK^P\Kx\(} ;srQ$!p[PN66=< CSo UC"bƂLJA10̀kEI*! 8o`) !3_Y 5Wg~ns1hAi!הW\b%78 '[8_|Z*-LA-0`+z~O~fS]G[DM)"ӗMiRbY'UCsRH!z\2!7}[yz}›Vp>|Y$bild\P0"pRT+MNȨE5uv8A]s,W-4TTr_Fbsӑʃx \G"^wSٲglC-{B o|AKJH )g//-@u.lE+lg(۾\فkSw'АaZg\apB1&&u +Z$zxW>Zn@piE+. ({7~ 1BUv/(m}h ꦩGUA넁[6AOԻ's ΩXxt%|Z-ދ&*vW+.,K̤]ϲYa.^ 6dK (|0%/,(s97@B ^G֬ȃHnh覟 ^ xheY0Ԣt([{8-GY #)P'U^/,ŪuzD1Lt}Y[gJ5HZ XrmgT6 FGόZʀ$TfK1anA#' I-j6YdFĂpSSX?hi(yymw蹹k?UU,4b۫voӈD˾C./݌%JS K$F4W^ Ңs7 b@ax;k_ V/~R Dtł2;ܐB-*eYʢ6MJюPIS#-b?>WǦhX/x}.tȺvJҊǀh25Z$AR*VeJ\⿤GlGL0|`)8#1u&ɬұ"F~+`V'@{0˾<,˒f vو1b+ 5t$>(Շ,fp/|83;Ľ~%wf#dQǯg?I mV`/YsRD{L<[bJ)PfBޫ z{D )VezbEzKSW&)ѼI5Y6b9JmƯ .Hu.؁-g Zd 3R$a"VZ{*g!A( #Su{GX&D\_!#ezY#Xa7$䰋C J%K|_$GxE[$OC|5(~>xcK[eR@U^ۻT0rݽAEɎR\@<!N/z׵RQXx.w@IQMJڄ=!}usDGm'(P;~^'"jG\"_)"կҩ/4. /Yl3ꕼIh]-qʐ,{ۋY`b .d&&(s bK7|pDs#r ;\Elݰ LcVo4("?;/-5 &1JpO?g^?.`DjT"gHx}c D>{HS> L 䬥6v&']`r 7b]}r9曷A'9@Gq$7huo}-F|Y4*Q*׋>>Q&kq:|-D63k7ȴʜ وI&S(o 1xJlDy_ rXU-7ښQ`;klךc/”v"VP)gD 9`:wpT3qy{-͎ x;cc2imCQm`_X~v?i3]Ф xRQyJ 7)on<-ۿ# :" Ru^߽sk·0v@&Ѻt8.h?[0zݜB{O k v>ĒU<`]Ei}")*8fEVȋmdev[sJyfAחx=N} jv$# *$( ut0n Rcsa"H#]_34C=' NN'>\wJTKg\Ap_垚KF*9 q~o̠#O^`ʨA@-D+ʈyTal>SR9!nnt-,hP(Re9:KpOW(gQp^7B7m.v1gg:QNJhU24y͍g˂Bԣm\&dH{ym|4eOd/KUD^d^oj8%*& ֢Ut֗d38)9 D9\$.8SB9pyPs9j0Yǜ'wC<%!D0FN䖒.hve3Ium9WR=_麵g VcF痲A(@ㆼ84CZ_O&.IR=ZsرB&%+{~$,K7 㾆w 'bZp/1G9b]zhN/nܱu;~d{L,&[Y>[,aY&{H'ڞl6nNi v|bY]i*~pNG M< Z<bG6MiT =eRСbGQO$c J"5)ࡍ;tkE(ir;<:؇EB0;-? NZhKzm4ie81և6Zf!b+#cd0]FmؙqluP;u.6l}>|m7LErϟEuSr'PgzLkGb[ృd#ԶPps=vCD) tc/yl֡Б^$FԝzƠ1m'R9^% q@?gA"=`*chS) ,*+js+Ռy=OVAkQ5:jTaa!{,jtHW]fd Y"gRiZPvѐHL\RM TãI^J[7d[Ŋ`J$ˇR߱?nan}>ǺY:S^LTΚxԪ /``=X}23X^0%gm$% zhQ>RKG6&@-ijs)6dvѯD}Ӵ7M'L {; FkLY6"HG|u<svĐ&`aWyP夜Uju?} = tn c#]ڜEK'"1ܰG6-')~. ٽ}~psUljq܆A<@"97bFcZIeԙ8ݵkisLjALAIulצ} [==H*Exbji4r{R#Ynx+FӾU n%L x4uݽ=[$}%bSEؐ$(2z@>'̔ .(GP~>=a6 CCoFoREdWb<ߋqcnY嶷LI410zz4}L @M0u"!%nE3tLɒ0Ds:Eqۇi^aI>ͻ'r';,.mg2 > z?m;'p[ ]Og^G cUyXᇨ+jrC)&VGȄ+0 Ǒ$ΫǐdEIl9HkVx΋%@뜐H=ZȅS44}֟X:imyUwAKf N^eby~(_a谮Yʳa\4Scl+P:y1喙$OРT6os*HnGW{Wx vEi1T,0K.9sZm+s=B rQP>g\`MH'l:ὃśyњ̡uɊaOWhnl /y|6tXOT%#?;;D Lʟ!RuF #VR uϩޑJm 5e3- w3N+7ΕV(#5>ix50su>Nb5׼!Qrw@㬀x4/Llwfpise JwU*_!!58Z+θ$[@+=P_Okzδ(xuyJ$'QPE:Z|m$J3R~hIyS3{FY[2Ǽ@̞wCVs@`{W5/iT\I-^QqB欐'/wQg Ec"9P~2s"uPхVe ȥE%L;9A穥9Gȩ-N#9Ӑ]֦̯ :fw쪐yws38hD4Ϟҥk,A̹+F^;4dBv\!i9oޕ}7_0S{[@n29C+vTGC# Aj 9[vZγ7ʊtTX3 UxDn Pg;<.~gcuӖطMVDkl$ڀ*'<1'> ӧR LOJ~xl|ye<{VG0!0EC$+ I  8˹I N\;+^#2GGVy6KRڠw},fĿt FԯfmY)3 k?w|;PfJ`2 T94Exl(|جTp4Ev(хxEwN:'?{x7ʖ@mb_t38Xʇ)Z.ڜ"61ʛY0ҦlKl%KH|p࣏4ۻSse#300[pXHj9Zb8Oiz1,QYkh7`,\b^s&xx.G›YMFc7gpHN֢ zᚁ^R͟8d -*n*-~A #h@ xPʈE 3JҮrgYijuxdU7PE5sT@gm}@͟}R˓*j_|qkZK#'j̇=P$rD }@(U"{1)fv#ٽ"m+֎Lݤ%e]WU'?!Xw#(l=R3M=KH:kcǭDU>,q ҼDӧHJQӬ뻉5Y>-ELtE_'C0dN-=ū(>)Zh/o(.!A[S@,dUۥyd}z"g=D2„W%{ѥgn XKwfT~WS.a[J G<~n$bH1pSkq~&}~FSZ،2&OLO2*d[;dv`E+'i-;J J[W43/NR["l<}ˆoe2u 9ξ)C'8NNx{žݾ !}Q߀6zכ/S*/{SeZ+ k,=`pyL6UG6"NsoS6t5zz[)>kU.:qB[%{9kݒvV 6USf?%[/%Ց8^זތ8yNܨ']aU548Ls |Ֆ: p@׮ZϲV=jX KνdJ9|]Yv&4 @Cm`=,q!WΖ8@kCp) Mе&DST3]-V<eX mm`*ծ4JL ' W $b;9R<#kϴ*a+PpJ+ Y׻ZGw52 Vό6àBDhJפ'f2:u=z|""K.1;c'x":~PYZp]]ac.5Z%Ҝ~2bc-B]0i{FZaK0g$,XKAتE:`ft,Ša+HkqK01ngոsF|Vi(*W0 rfd[~šIK YY{=\ wwu |:سJQT=ežZ"u: "dUN+{9MTrzAEA+m=,g rLK(:`A*;-/3[~LDa;=k+kL]+D:@;5S s5>"H[%ŀsod"Hvz~B{'30tScc5O~| 7Qg"&!zmŷb+]$55CuҦOXhkX(6Sވm(_eIB=m|Fm&^qD?#rhU8#l8Z_?d6<(vr?Ѧ="y[!7̩`,k`/w3#YËXz`ǃ+nSaD}s7]5>@ =)O[ ,В |, cuxq$QI'3c`6u,h}>݇ %n S\h'dSz›wiʼn{{Σm>=%KԜ%Rvws()@,ȉ ER2uW(*zV /+cv,M#4]b͵7*7kYl/W3Q̒d˃$[p84|iHyK&- $DtaoQSm\/>@3ʤ!pMuc<)%zT[QfM,{9.z܎ `Ќx-Sra=?:IvvzO%ذlvP=X/l=[@Hgh.4;[ ps|qQ׍0> ;PpԑS g46Ym?sm4˔wBpZ7 ݷ) (9}ln=:y&$]`{6~=iĎn:}LBtیP[F`'2dVrz d0:UC;,l HWMWh8퓡r&}r0w~3Fm?Vż%}Tt3xp@d.0Bdv2UPS0)M IaCn|>Q.9,icH[4? i`.i?rʄ U}5ř,g9]~A ; 8q3ū{>D?B`Zp ^7toK:;pEµ DIyR1/Hc MTK]$Ajr84[H@#*#6WJbak6YAe˫p_ኧ;3..m.v5By\ҽ HVR{ëyDЙb/*3L%:M*yH*(H'uH&e# ]nq a'd?DƓ zT N\woБ8m!/.HpXfh#Sr;1u@X߄==҄._kŊr:T=ꌉn IA He3u:T(ጎC =Wp|V?}TlOH)ΰe)qi&_3B&N~ȸ֜aEgq%,,IGu^V2|YŎQ@9,X~9TsTYl^,RbB/ٶs&q:`@)Po1`iDz{D"'™Ut$¦R^qzC󡋶 6!dH9LG)% lܯKXf4oѕktp |b0f›>R|OڜjI<0Z}oZ~nonQ {4r}ಃkr> ֣OX%@t;ހmlc. y IO"w՚r};lo}{T2ZZ?7!_!PΪ >|yTppو0WFL!OS8Lg#W4}_GĴ|-YGEoo|t> 2h-j:;wlk^8R?S|sF9sºM=]8vHℳݠJs-vQRڷr#-voIX( 脻 zEW>l@1`?55TT.Ig(1X8,q8VZa2OTzH5,n7^ΚÓxS!ͽ*%7d GBvsMUM; `"fUb:meea}b)~ :1漪 u/`AA96eQ`ȳ,8[)Ek6JOv v;FZاj)}J= 郥=ݒ'|ɂ$B;2ÎdzmyJ)0ܾ~hوu#y0^9GK{V& 3 ?0m`aLx%kv U%v@=okXסҽ2]xEUI|]F!Ҕ\ߋSȖ`ݓM@^ DA6]OnVz5kfr=j.Ü.{ ۈzPḱpU톖yā!YDÍ>|)O/iȌ?Э\d>-$u@У SM-GeԞ*ڏ60̋6-4jOt*.1r3mϡ.R!MirɊ(G<&Z 1-)ؖgokd5\u%v k#]GSؾJFΚŀg^/{aNrZP| e}\VK?9_5T6, GWXIѴ'ECF*~NgBy"S$x/p겧x5ڌѦ:G(Nl=ߡF 3KxUZdI 튛bMA=`MPNLVZhD2*E)BhW=5uCo#܂Pi2@k/7%^` 0Nv. p6wn:t>+ꍄ=4-QM(Z'wΚ"#3O9kC࿭q){VᄢiMp=ewX}X+9b3858q7HMYX;ODZ-K~ 1G^.T kPɛN+2-gN LIU,@#6~*bY4Xݝ/\tOGTJq3IT!G]ڦk1f9wsІ <ګtac)RsD6o[p@VPVs =:*Gd Q ˤu^QʙZQؑ)(- ԰ 7j9{JgZm9ja缱l=“(UNkdw|+aUt$޺Q ?٪t-^rw0W抃o͸N0 xH=2a~+N㶈1]}} o=`\MYP Œ{|˛!^׋̸87Ʃm3D #OBUN2 aNXr~}ئD=J-&x?\aj4m>hjʟ3mHwxdF?tfol_,1*!b҇aّ4C>{C5_[RDm"?oa(C f=p (J n XDdOiKv$7+k隘A@q_GE&zyF"?o!`#QP O||KNˡ Gf~=%j6؍uHg @bP$6D.\fdrFFe=ޤOhP `k ba8O ¾=&ײA+Po!+:y"sI1d{L'[17>tnz?}X`//x6Ѹ)J@̻`ւb&!ޞ<:-\p+Rg!ҁC_(%KmWH08=$yR)gv1_{顈fz: ?sf]VZT?7'4݇H(WY4 VOSM_+uQay6y [Q8;tq.G˽!@ϋAWJgΚO^ZZS,Ȓx 7+A~{uU$Y6}Xu"v18+m(EEP8{bP{e ԝc-Uλ͇c! [< |[Rrp~d=uC-HW2@a# c.o]6hgԢrjV`FW/0vN2=Etk'48<&$4&|'B(E{\A9Oθ||6Z6wo.U;77e 7[r,uYw@tӨ݉9 o@Cr Z[)djO;C{jX2q(Èj{I-oj5 @# i#0hNKFaإlifvf{}+g]f@S˰#|d.O+[HؿuTa~fkP_*xR47'[7C7>Kr%5DadHqGm-W4nRo`}Ґ<9h~E9*y7N;1]LY?=w;Hbd028'SNk'dZ#4cgx0I΢9[݄]b͞$lHϲyq[Ah߭"eseVԵ4J.BQ g13ۼóY3 pֈAPST[@;?FxAl ,*L546sQP:Ɋ=V\[a>PWʑ\)M[}s>!-qheU34'9F$X @){hA$;mc4n16\3wT YS7^*YJrFjM+x9Pa 0U nS sov(m$_uD)R,L_k(m9GG /xf;sFa:tRB|>UI_x>gSy!|a^)՗q q?OD}Q0sSa yځp[:@QjPi?*f;|)bUup^e}۹N!:W0w]O--'n㖼FnY[&} 8^81fWCy\zOtovtdCJ8 h)eNx5Vzc]MyB1]Ѓc#s'Q,? e_b֯L:ڐc|n{zTjjOfy)1oepW(px^:]n7;`2Qށr#9.N爫'&$>m~\hTY\aW!L,u=5K:3(D־%MaЀ J?* .-;BM&/yi)!HrHR1֪Hy(Px"&-&gi͌d*9%NfU:q~WeS*X#3הg)!C"g.Xx\:W71?WحR+ ALa'K}? h``]cL6վvŊ+w2O]ER36ZxmBh8g9x4SڤFR6V-{C@7Nj![&8(-ZU@mΠr|URh7NI#w:"jO4eMo~xsO"g <-pqe(tOw>teknXםq&Ի~abuKC@2lίå IPp#1#GzͶ@EWq -BF;R,ә7۶-c/M##S=b{&)?dI >Y"L ŅEI mVFY$iLL<<DjoȚ}i a{q}]ґɭh8tShcDĠRI0ؐ2s3ٍ$pG]϶r]Z=W(?E$bv6HnKmfT1Tj]<ԚoM*i'Gprz'܆4 6r4b|}m!@J@Aܥ4 ' s+hx+S66J;Tܹhtg[}ӊP_ڕ;Bų`K gR tklNG)4%xKq8WI&TNkYVB@ٝq7u_LԵh*n b)G5eL')_ QlvYw~J=?҄yGפC-3#E ~胾hgʩ]+6ד"!mwOVɗDˆzڜwbMފ5 o&O1I˶6DvPYmdMN"}-05rC!CX%<=36v?~Y{@&{(a T4$ݼaQ1RtH-{(35u7uGQhu8 7aKɱ,5@eT8ǭ{*Q|q奪#"᳅+MW9/ oAPТfTnQ| C{[&,EH4>ޡMhyO&_Oqk!ɣ⾌Y iHv;""g7L]/nn=uv6`Te;WY`nPEgEh/o_5 |3"<-+ ڽ͵&S+obw||t+lPp NwBwۮ.J%{ֲYt79~6^C,B@g3D?hoXILR*]?Buvrݒԇddk_Vچϕx+woe,jg?RV#(Jqr0AH9}Xԑr'HWu~=O3oەؼ]5&h;yoO pR*EPxyf i`쓶6/-l@x"5 %4fU4x-s1ݠ<,x\~ G}QZs2tgj^Bw@qY4mlL3z^ف24p[BT s(葂 Us=˱ =#EԋXBaVFfwqgy+Ig.KUm-Y"kFŝI- d h׌xh,Zu*u5~@5\H!-Tj!J+~c.:$3)N]1 u_i3H^([| ئ-N$`1k凳cE)68]5l.WyH12 pn:{ ͭ>Fo|@nygǹ׊)9N%k#*X #]OYI,^\"1_ ٳxSjI} ˖1 %]P?wcRK._vxD"wFwv>ݢhĒ@?/-0U9lq/W=9qyʧ>6}꽼OMͣҌm/./G-gkAx^ "{[ЩA>8 o/Bk<>ZWFh0[YZpc@w]]W:n7?d #}E2f^9CY`HYa (s"ϡ$xIygM1n{ [4_~ӝ a#9h"X~O-4qsg;']~*'kr٪VǍVi!KWNXHQ6Zk[-KUj)/_zVpxkHIYGYւVhpS@:: KZwD-INaOCHF lPְKT6eY{Yl"LoT&Ǟ.Z8IWIZSXx scMQn``B՛ߴ(އa_G*8۳"B;j ,..^828~b*-w t7|{c_(qpG]Ēn1QT*Ep*^QLI4t(~$#`8Tա[-<IMGb3CTZ.‚G 2&wBO90:fP;/ qjN7v˙+q56]NS11`e3|T*)h/ſ;#`Qh*8)6ogA2lR%ԙުOx` Q,l8E .zduh-799`.yR]uJssAs6'TŨ0X#Ȇ ⤃yV; ?sA k4, FUnm`#e/m/Lw(T7qy4Tz$7~ݎ5zNIЭ7V"Pх[KIE7FYJ0ނ:BWƭ#=ua5+X@ uPrJW< ũ!\ԼKsmdۅfnZineu㕆!kn"M`"όY# ܮUn*XvY|@k˕Be$GvZ7+(rWamTK=:;BDܙƪ?u~(j?*e Mlj݆ӒFɃNbwFHj ~H$5Î%A ɹ7q'qbYCil}0?1fɕK,"ໆl]¶ܪ󤘋җW$v 2>5!\]շvOd?x7S'j5b DW|d 1`_ cݲo:Z< 1O>@LNn:8D4+䚔$0JCadeY=֛p Q_cϛƌJJuƘ?p'w%(\;fql}uZ6xT6z,}P{{QT/<0D G=֘3Ii?/jG]^6t,~4<ׯ"n]>ЌˏqWj@R"m.KTNqFH̑-cDOvk%T|v~\r_ҋ֕G )yRL޹1FG>Ϝ@3-~x');9/N:3@;ct'۱?.px=dƿAƮdbai78GPrmޑV+ &Jn=ikxF>5"84ĿFa'$>P1$S!Wr--{dU?gD]uF.;cRk#M_3^+&ukc)(=1 63ݥPO?;?nvc .YPôj(z:b]tCKcf8j6h#o)u=>=L3i]ŭj,Q4zl!!ܥX ֓ހY$ֳp~|ANDzRT6Ӡ tscžF皇kcͷD3毘2wCngcgMBVً"ce=As*1ZE6Ba磫S B]rݾ\ _ E?9ʸٸSreg_`}'diz9hW;x՗ak/XigC#R(hkM*!rNNo.0g;2rH`χ6j)"kmE,>΃) ?D(~`,z  aŧ.fR2?Pp[ a4;{E(Q4 ]i$w1oྲྀTg=*X-٨N{K&1Zʡ]hPa?  * 8^>nՐPgGgݽ-hL/װ|ַN(3̠DtTF"6݃_UO^Ϲ}VÄ氨mdܥT\sȸu >%?8Yy >A`'|n7 BwvO ksh*p?=T-<\E< ZSr_kqTVA)eϜvc\&ğxN;D5O3?o,۲ߥ69~C Cmn\H~mۺyhMCOTKy1n ?5篳v[uLoB^j.4 00$Дpd-oID،i{lF [K?ULJytR󰲴V̮ķVswzér{bDIfڼz#Q@ mtyj,RnkhC#,a"ďF$=:FZۯ1!+2J.vD60md'$?4v&t~Ĉ ҧFh}Ҡ_ R&I jc5Ѯ'SwfCB IAYH9 /۹nm2,èim@sA䩇 m_wV6}M]Ӱ(F7&E x->|8e54- #%#rBCӾ$-<_ ]Jz(ӽDQ մ\6%Wl䲻}Wbl)hh=z \~wzUL=fJLny%$_eB,z3$h'Yp:ݬZ⃎*߼6˰z LA{Q8[~,&oOp~O#u1gFC~v\U1!v eaB 79u=+ǝ|*uzp@fۚU=[%UH;ce`Cb+8gƑA55qbhC : 1at3)|,O5S +UﮧK _P-8@-tN(nzrCRS3%/{h6!Y2׺%^ 9DACk!xwA !k,ic~7X] VB$Rt Y?Djt=jq=XvS [`jݙ^~2h$,C功&`2Nh72'>'Z7Nf<@qI avRR~^8WA{ҩoיcp-X;F_ޏ>lC|kܦD5*aZxm 2&2"ɜj?̢< A#F7y:)%Oe_|i4Xv'#OoyFq1hu NR#|tC,}Ǔ+s 1gXb]) pc{: =j)"R>oܾ3~)gGX΅[=]%y* w\ _JTܽz{K˼w`( S1Gj5)A?;.L@vTi}k {zX)Fn cEķPRjt%SS+ l Ƣc-1K K)unȤr>KpABgϸ*!x)o8!u@ p ˝XُB4b*qk%!yi\z6Eԗtj+*`4@:?+9iK{PH./ւam$]>.%o& y5DP‰p*|{,mrILz.ARKX(fy;)gyRinfk cyRX‡Ύ9Awg 1P T[VNUt$$lF']}ՈM9N?)iӖg %c[px4x =5ʤ% Tؼl(9ǚ6u %PuD }1R|}M|;z_UQRG>],9:jJ|Iw87eH&E8U/Z':?nc;**[N>:h( o!KN3}Xcd_10Ď)|ڍd|QM#%jߧ2dH?egA[BwuC4 2F5_"|ӘndTUA{'Z~ Gh`_3Ǝ8K(ޟV2tD*9FQ.((_~+iv=1 o ^Li]G5lpvZ~0~ Yݾ6 !^;XVfGo NҺ[fki!nJ4:xC͗Z࣌ o.6OV$u 7@~C"ր4 (n$8ir5~8?Iqh)|W3`Û<6:H׳&̡@$j@WYжM hzO[] \͙J΍ǪQN+:8mcF;%?9k:Ts}NcB"22c +{V;uGm إoWFI 9Bf ``I1)QA+#\٨C7!+#qβ2}ya ֡KT$7xךh^߁rY}6W݀mxwg 9@.釋vn K.{u<CEnC祅6!^9~NTGg }𕷀iwB,hHrP(ĕE5u:hr`.hc-yŕi~'#3$w9Y*yH\Zsڀ4:bON$Ѹ8> F @ :B)L?ڂ.) HΝܾx69ҋMh @&r3{ :y r;;#SfKJ;:#$KчNa J1xTlp#a/FMt6­RGDѴ}ɣ?;?&3Lzˇ{:F(iGq!^w·{ ~LZL U%h>cqۆ-F#{@QTqu) /෕I)0WhQ9IWF{WwgM;-"܏!}8 Ga8:v/@ۓ?/u1hײEbjB~xo__d Kʥܪ< 9[7, K#TuaD1NBwgɬ;>mbf+ 6 8|5ދ-' )q*"/ ݠn^蠆oÜʿX^jv-'&|#gc{@lg{H;3fz R*ↀɌN"ܠҿx֋&1OD7iRvjP5bJO>6h{TaJU@등qf8VͲʯ|G-R hMK_u"4X[qm#Ę] vOL!ޱt6=r.O@Z`*?΀xT-tl>ԏ3bE"p_{}B̛rk^ آG@ڢ'V!lChfižJ}O}l<ߧs '0!8_N3(m ;#F`e2R]tpmDEZ\r+1 ox !XQ xPi$8 m&KUJ:z꜂/w3Zd؟yw&`뭷S2֜x}XHVG,Z9.r[TV6 I}FJFjsY循i[.3>ѴB{M =2ۯNJKFCn<*A,;N `1QQ=A0L"]mj?Gt*:P],!|ѕz,f{1|܇Y_Y]G^llt @p[B!!2(ȱmGGE[p7@Dt7'ė]PԯjnwHS=bGI( nf|oAMk H'[he