wpa_supplicant-gui-2.10-150500.3.3.1<>,|eܲp9|MY g |v3Bwhb[!"N9x*= ̑ ҃l;_P|IezTTt?`zKyޭs2o-KTUG~ @//#Dת5NJ;&Oְ8قE N Cu'Ieў+ 琨DĆJ&ZN Dʜ!9='LJ`pXA׿-".4Zu9s@vtD R>>?d ' J , BNkq|      *4`hv(8*9T*: *FGHIXY\ ](^=b]cdefluvwxyz8HLRCwpa_supplicant-gui2.10150500.3.3.1WPA supplicant graphical front-endThis package contains a graphical front-end to wpa_supplicant, an implementation of the WPA Supplicant component.eܲh04-armsrv2 SUSE Linux Enterprise 15SUSE LLC BSD-3-Clause AND GPL-2.0-or-laterhttps://www.suse.com/Unspecifiedhttps://w1.fi/wpa_supplicantlinuxaarch64 큤eܲeܲ2d08b3e426c99d3a0ebf007ce7a88ba3c45fb493b459e24b2e5989411b461b1cd57783ead2cca37539bf8b5c4a81b8105c2970de177652fe1a027433593467aarootrootrootrootwpa_supplicant-2.10-150500.3.3.1.src.rpmwpa_supplicant-guiwpa_supplicant-gui(aarch-64)@@@@@@@@@@@@@@@@@@    ld-linux-aarch64.so.1()(64bit)ld-linux-aarch64.so.1(GLIBC_2.17)(64bit)libQt5Core.so.5()(64bit)libQt5Core.so.5(Qt_5)(64bit)libQt5Gui.so.5()(64bit)libQt5Gui.so.5(Qt_5)(64bit)libQt5Widgets.so.5()(64bit)libQt5Widgets.so.5(Qt_5)(64bit)libc.so.6()(64bit)libc.so.6(GLIBC_2.17)(64bit)libgcc_s.so.1()(64bit)libgcc_s.so.1(GCC_3.0)(64bit)libpthread.so.0()(64bit)libpthread.so.0(GLIBC_2.17)(64bit)libstdc++.so.6()(64bit)libstdc++.so.6(CXXABI_1.3)(64bit)libstdc++.so.6(CXXABI_1.3.9)(64bit)libstdc++.so.6(GLIBCXX_3.4)(64bit)rpmlib(CompressedFileNames)rpmlib(FileDigests)rpmlib(PayloadFilesHavePrefix)rpmlib(PayloadIsXz)wpa_supplicant3.0.4-14.6.0-14.0-15.2-14.14.3e}@c@b@b@`lM@`?z@`:4@`_|\@_i@_i@^@^@^|@^|@^Y]]>[<@[[ā@[[;@[@[QY@X@X]W@VU@VŲ@V`V=@UKSUCjU8U'@U/@TBV@cfamullaconrad@suse.comcfamullaconrad@suse.comcfamullaconrad@suse.comcfamullaconrad@suse.comcfamullaconrad@suse.comcfamullaconrad@suse.comcfamullaconrad@suse.comcfamullaconrad@suse.comsp1ritCS@protonmail.comcfamullaconrad@suse.comsongchuan.kang@suse.comcfamullaconrad@suse.combwiedemann@suse.comcfamullaconrad@suse.comilya@ilya.pp.uatchvatal@suse.comtchvatal@suse.comilya@ilya.pp.uailya@ilya.pp.uakbabioch@suse.comro@suse.dekbabioch@suse.comkbabioch@suse.comkbabioch@suse.comro@suse.demeissner@suse.comobs@botter.ccdwaas@suse.commeissner@suse.comtchvatal@suse.comlnussel@suse.decrrodriguez@opensuse.orgcrrodriguez@opensuse.orgcrrodriguez@opensuse.orglnussel@suse.demichael@stroeder.comro@suse.dezaitor@opensuse.orgcrrodriguez@opensuse.orgstefan.bruens@rwth-aachen.destefan.bruens@rwth-aachen.destefan.bruens@rwth-aachen.de- Add CVE-2023-52160.patch - Bypassing WiFi Authentication (bsc#1219975) - Change ctrl_interface from /var/run to %_rundir (/run)- update to 2.10.0: jsc#PED-2904 * SAE changes - improved protection against side channel attacks [https://w1.fi/security/2022-1/] - added support for the hash-to-element mechanism (sae_pwe=1 or sae_pwe=2); this is currently disabled by default, but will likely get enabled by default in the future - fixed PMKSA caching with OKC - added support for SAE-PK * EAP-pwd changes - improved protection against side channel attacks [https://w1.fi/security/2022-1/] * fixed P2P provision discovery processing of a specially constructed invalid frame [https://w1.fi/security/2021-1/] * fixed P2P group information processing of a specially constructed invalid frame [https://w1.fi/security/2020-2/] * fixed PMF disconnection protection bypass in AP mode [https://w1.fi/security/2019-7/] * added support for using OpenSSL 3.0 * increased the maximum number of EAP message exchanges (mainly to support cases with very large certificates) * fixed various issues in experimental support for EAP-TEAP peer * added support for DPP release 2 (Wi-Fi Device Provisioning Protocol) * a number of MKA/MACsec fixes and extensions * added support for SAE (WPA3-Personal) AP mode configuration * added P2P support for EDMG (IEEE 802.11ay) channels * fixed EAP-FAST peer with TLS GCM/CCM ciphers * improved throughput estimation and BSS selection * dropped support for libnl 1.1 * added support for nl80211 control port for EAPOL frame TX/RX * fixed OWE key derivation with groups 20 and 21; this breaks backwards compatibility for these groups while the default group 19 remains backwards compatible * added support for Beacon protection * added support for Extended Key ID for pairwise keys * removed WEP support from the default build (CONFIG_WEP=y can be used to enable it, if really needed) * added a build option to remove TKIP support (CONFIG_NO_TKIP=y) * added support for Transition Disable mechanism to allow the AP to automatically disable transition mode to improve security * extended D-Bus interface * added support for PASN * added a file-based backend for external password storage to allow secret information to be moved away from the main configuration file without requiring external tools * added EAP-TLS peer support for TLS 1.3 (disabled by default for now) * added support for SCS, MSCS, DSCP policy * changed driver interface selection to default to automatic fallback to other compiled in options * a large number of other fixes, cleanup, and extensions - drop wpa_supplicant-p2p_iname_size.diff, CVE-2021-30004.patch, CVE-2021-27803.patch, CVE-2021-0326.patch, CVE-2019-16275.patch, CVE-2022-23303_0001.patch, CVE-2022-23303_0002.patch, CVE-2022-23303_0003.patch, CVE-2022-23303_0004.patch: upstream - drop restore-old-dbus-interface.patch, wicked has been switching to the new dbus interface in version 0.6.66 - config: * re-enable CONFIG_WEP * enable QCA vendor extensions to nl80211 * enable support for Automatic Channel Selection * enable OCV, security feature that prevents MITM multi-channel attacks * enable QCA vendor extensions to nl80211 * enable EAP-EKE * Support HT overrides * TLS v1.1 and TLS v1.2 * Fast Session Transfer (FST) * Automatic Channel Selection * Multi Band Operation * Fast Initial Link Setup * Mesh Networking (IEEE 802.11s) - Add dbus-Fix-property-DebugShowKeys-and-DebugTimestamp.patch (bsc#1201219) - Move the dbus-1 system.d file to /usr (bsc#1200342) - Added hardening to systemd service(s) (bsc#1181400). Modified: * wpa_supplicant.service - drop wpa_supplicant-getrandom.patch : glibc has been updated so the getrandom() wrapper is now there - Sync wpa_supplicant.spec with Factory- Enable WPA3-Enterprise (SuiteB-192) support.- Add CVE-2022-23303_0001.patch, CVE-2022-23303_0002.patch, CVE-2022-23303_0003.patch, CVE-2022-23303_0004.patch SAE/EAP-pwd side-channel attack update 2 (CVE-2022-23303, CVE-2022-23304, bsc#1194732, bsc#1194733)- Add CVE-2021-30004.patch -- forging attacks may occur because AlgorithmIdentifier parameters are mishandled in tls/pkcs1.c and tls/x509v3.c (bsc#1184348)- Fix systemd device ready dependencies in wpa_supplicant@.service file. (see: https://forums.opensuse.org/showthread.php/547186-wpa_supplicant-service-fails-on-boot-succeeds-on-restart?p=2982844#post2982844)- Add CVE-2021-27803.patch -- P2P provision discovery processing vulnerability (bsc#1182805)- Add CVE-2021-0326.patch -- P2P group information processing vulnerability (bsc#1181777)- Add wpa_supplicant-p2p_iname_size.diff -- Limit P2P_DEVICE name to appropriate ifname size (https://patchwork.ozlabs.org/project/hostap/patch/20200825062902.124600-1-benjamin@sipsolutions.net/)- Fix spec file for SLE12, use make %{?_smp_mflags} instead of %make_build- Enable SAE support(jsc#SLE-14992).- Add CVE-2019-16275.patch -- AP mode PMF disconnection protection bypass (bsc#1150934)- Add restore-old-dbus-interface.patch to fix wicked wlan (boo#1156920) - Restore fi.epitest.hostap.WPASupplicant.service (bsc#1167331)- With v2.9 fi.epitest.hostap.WPASupplicant.service is obsolete (bsc#1167331)- Change wpa_supplicant.service to ensure wpa_supplicant gets started before network. Fix WLAN config on boot with wicked. (boo#1166933)- Adjust the service to start after network.target wrt bsc#1165266- Update to 2.9 release: * SAE changes - disable use of groups using Brainpool curves - improved protection against side channel attacks [https://w1.fi/security/2019-6/] * EAP-pwd changes - disable use of groups using Brainpool curves - allow the set of groups to be configured (eap_pwd_groups) - improved protection against side channel attacks [https://w1.fi/security/2019-6/] * fixed FT-EAP initial mobility domain association using PMKSA caching (disabled by default for backwards compatibility; can be enabled with ft_eap_pmksa_caching=1) * fixed a regression in OpenSSL 1.1+ engine loading * added validation of RSNE in (Re)Association Response frames * fixed DPP bootstrapping URI parser of channel list * extended EAP-SIM/AKA fast re-authentication to allow use with FILS * extended ca_cert_blob to support PEM format * improved robustness of P2P Action frame scheduling * added support for EAP-SIM/AKA using anonymous@realm identity * fixed Hotspot 2.0 credential selection based on roaming consortium to ignore credentials without a specific EAP method * added experimental support for EAP-TEAP peer (RFC 7170) * added experimental support for EAP-TLS peer with TLS v1.3 * fixed a regression in WMM parameter configuration for a TDLS peer * fixed a regression in operation with drivers that offload 802.1X 4-way handshake * fixed an ECDH operation corner case with OpenSSL * SAE changes - added support for SAE Password Identifier - changed default configuration to enable only groups 19, 20, 21 (i.e., disable groups 25 and 26) and disable all unsuitable groups completely based on REVmd changes - do not regenerate PWE unnecessarily when the AP uses the anti-clogging token mechanisms - fixed some association cases where both SAE and FT-SAE were enabled on both the station and the selected AP - started to prefer FT-SAE over SAE AKM if both are enabled - started to prefer FT-SAE over FT-PSK if both are enabled - fixed FT-SAE when SAE PMKSA caching is used - reject use of unsuitable groups based on new implementation guidance in REVmd (allow only FFC groups with prime >= 3072 bits and ECC groups with prime >= 256) - minimize timing and memory use differences in PWE derivation [https://w1.fi/security/2019-1/] (CVE-2019-9494, bsc#1131868) * EAP-pwd changes - minimize timing and memory use differences in PWE derivation [https://w1.fi/security/2019-2/] (CVE-2019-9495, bsc#1131870) - verify server scalar/element [https://w1.fi/security/2019-4/] (CVE-2019-9497, CVE-2019-9498, CVE-2019-9499, bsc#1131874, bsc#1131872, bsc#1131871, bsc#1131644) - fix message reassembly issue with unexpected fragment [https://w1.fi/security/2019-5/] (CVE-2019-11555, bsc#1133640) - enforce rand,mask generation rules more strictly - fix a memory leak in PWE derivation - disallow ECC groups with a prime under 256 bits (groups 25, 26, and 27) - SAE/EAP-pwd side-channel attack update [https://w1.fi/security/2019-6/] (CVE-2019-13377, bsc#1144443) * fixed CONFIG_IEEE80211R=y (FT) build without CONFIG_FILS=y * Hotspot 2.0 changes - do not indicate release number that is higher than the one AP supports - added support for release number 3 - enable PMF automatically for network profiles created from credentials * fixed OWE network profile saving * fixed DPP network profile saving * added support for RSN operating channel validation (CONFIG_OCV=y and network profile parameter ocv=1) * added Multi-AP backhaul STA support * fixed build with LibreSSL * number of MKA/MACsec fixes and extensions * extended domain_match and domain_suffix_match to allow list of values * fixed dNSName matching in domain_match and domain_suffix_match when using wolfSSL * started to prefer FT-EAP-SHA384 over WPA-EAP-SUITE-B-192 AKM if both are enabled * extended nl80211 Connect and external authentication to support SAE, FT-SAE, FT-EAP-SHA384 * fixed KEK2 derivation for FILS+FT * extended client_cert file to allow loading of a chain of PEM encoded certificates * extended beacon reporting functionality * extended D-Bus interface with number of new properties * fixed a regression in FT-over-DS with mac80211-based drivers * OpenSSL: allow systemwide policies to be overridden * extended driver flags indication for separate 802.1X and PSK 4-way handshake offload capability * added support for random P2P Device/Interface Address use * extended PEAP to derive EMSK to enable use with ERP/FILS * extended WPS to allow SAE configuration to be added automatically for PSK (wps_cred_add_sae=1) * removed support for the old D-Bus interface (CONFIG_CTRL_IFACE_DBUS) * extended domain_match and domain_suffix_match to allow list of values * added a RSN workaround for misbehaving PMF APs that advertise IGTK/BIP KeyID using incorrect byte order * fixed PTK rekeying with FILS and FT * fixed WPA packet number reuse with replayed messages and key reinstallation [https://w1.fi/security/2017-1/] (CVE-2017-13077, CVE-2017-13078, CVE-2017-13079, CVE-2017-13080, CVE-2017-13081, CVE-2017-13082, CVE-2017-13086, CVE-2017-13087, CVE-2017-13088) * fixed unauthenticated EAPOL-Key decryption in wpa_supplicant [https://w1.fi/security/2018-1/] (CVE-2018-14526) * added support for FILS (IEEE 802.11ai) shared key authentication * added support for OWE (Opportunistic Wireless Encryption, RFC 8110; and transition mode defined by WFA) * added support for DPP (Wi-Fi Device Provisioning Protocol) * added support for RSA 3k key case with Suite B 192-bit level * fixed Suite B PMKSA caching not to update PMKID during each 4-way handshake * fixed EAP-pwd pre-processing with PasswordHashHash * added EAP-pwd client support for salted passwords * fixed a regression in TDLS prohibited bit validation * started to use estimated throughput to avoid undesired signal strength based roaming decision * MACsec/MKA: - new macsec_linux driver interface support for the Linux kernel macsec module - number of fixes and extensions * added support for external persistent storage of PMKSA cache (PMKSA_GET/PMKSA_ADD control interface commands; and MESH_PMKSA_GET/MESH_PMKSA_SET for the mesh case) * fixed mesh channel configuration pri/sec switch case * added support for beacon report * large number of other fixes, cleanup, and extensions * added support for randomizing local address for GAS queries (gas_rand_mac_addr parameter) * fixed EAP-SIM/AKA/AKA' ext auth cases within TLS tunnel * added option for using random WPS UUID (auto_uuid=1) * added SHA256-hash support for OCSP certificate matching * fixed EAP-AKA' to add AT_KDF into Synchronization-Failure * fixed a regression in RSN pre-authentication candidate selection * added option to configure allowed group management cipher suites (group_mgmt network profile parameter) * removed all PeerKey functionality * fixed nl80211 AP and mesh mode configuration regression with Linux 4.15 and newer * added ap_isolate configuration option for AP mode * added support for nl80211 to offload 4-way handshake into the driver * added support for using wolfSSL cryptographic library * SAE - added support for configuring SAE password separately of the WPA2 PSK/passphrase - fixed PTK and EAPOL-Key integrity and key-wrap algorithm selection for SAE; note: this is not backwards compatible, i.e., both the AP and station side implementations will need to be update at the same time to maintain interoperability - added support for Password Identifier - fixed FT-SAE PMKID matching * Hotspot 2.0 - added support for fetching of Operator Icon Metadata ANQP-element - added support for Roaming Consortium Selection element - added support for Terms and Conditions - added support for OSEN connection in a shared RSN BSS - added support for fetching Venue URL information * added support for using OpenSSL 1.1.1 * FT - disabled PMKSA caching with FT since it is not fully functional - added support for SHA384 based AKM - added support for BIP ciphers BIP-CMAC-256, BIP-GMAC-128, BIP-GMAC-256 in addition to previously supported BIP-CMAC-128 - fixed additional IE inclusion in Reassociation Request frame when using FT protocol - Drop merged patches: * rebased-v2.6-0001-hostapd-Avoid-key-reinstallation-in-FT-handshake.patch * rebased-v2.6-0002-Prevent-reinstallation-of-an-already-in-use-group-ke.patch * rebased-v2.6-0003-Extend-protection-of-GTK-IGTK-reinstallation-of-WNM-.patch * rebased-v2.6-0004-Prevent-installation-of-an-all-zero-TK.patch * rebased-v2.6-0005-Fix-PTK-rekeying-to-generate-a-new-ANonce.patch * rebased-v2.6-0006-TDLS-Reject-TPK-TK-reconfiguration.patch * rebased-v2.6-0007-WNM-Ignore-WNM-Sleep-Mode-Response-without-pending-r.patch * rebased-v2.6-0008-FT-Do-not-allow-multiple-Reassociation-Response-fram.patch * rebased-v2.6-0009-WPA-Ignore-unauthenticated-encrypted-EAPOL-Key-data.patch * wpa_supplicant-bnc-1099835-fix-private-key-password.patch * wpa_supplicant-bnc-1099835-clear-default_passwd_cb.patch * wpa_supplicant-log-file-permission.patch * wpa_supplicant-log-file-cloexec.patch * wpa_supplicant-git-fa67debf4c6ddbc881a212b175faa6d5d0d90c8c.patch * wpa_supplicant-git-f5b74b966c942feb95a8ddbb7d130540b15b796d.patch - Rebase patches: * wpa_supplicant-getrandom.patch- Refresh spec-file via spec-cleaner and manual optimizations. * Change URL and Source0 to actual project homepage. * Remove macro %{?systemd_requires} and rm (not needed). * Add %autopatch macro. * Add %make_build macro. - Chenged patch wpa_supplicant-flush-debug-output.patch (to -p1). - Changed service-files for start after network (systemd-networkd).- Refresh spec-file: add %license tag.- Renamed patches: - wpa-supplicant-log-file-permission.patch -> wpa_supplicant-log-file-permission.patch - wpa-supplicant-log-file-cloexec.patch -> wpa_supplicant-log-file-cloexec.patch - wpa_supplicant-log-file-permission.patch: Using O_WRONLY flag - Enabled timestamps in log files (bsc#1080798)- compile eapol_test binary to allow testing via radius proxy and server (note: this does not match CONFIG_EAPOL_TEST which sets -Werror and activates an assert call inside the code of wpa_supplicant) (bsc#1111873), (fate#326725) - add patch to fix wrong operator precedence in ieee802_11.c wpa_supplicant-git-fa67debf4c6ddbc881a212b175faa6d5d0d90c8c.patch - add patch to avoid redefinition of __bitwise macro wpa_supplicant-git-f5b74b966c942feb95a8ddbb7d130540b15b796d.patch- Added wpa-supplicant-log-file-permission.patch: Fixes the default file permissions of the debug log file to more sane values, i.e. it is no longer world-readable (bsc#1098854). - Added wpa-supplicant-log-file-cloexec.patch: Open the debug log file with O_CLOEXEC, which will prevent file descriptor leaking to child processes (bsc#1098854).- Added rebased-v2.6-0009-WPA-Ignore-unauthenticated-encrypted-EAPOL-Key-data.patch: Ignore unauthenticated encrypted EAPOL-Key data (CVE-2018-14526, bsc#1104205).- Enabled PWD as EAP method. This allows for password-based authentication, which is easier to setup than most of the other methods, and is used by the Eduroam network (bsc#1109209).- add two patches from upstream to fix reading private key passwords from the configuration file (bsc#1099835) - add patch for git 89971d8b1e328a2f79699c953625d1671fd40384 wpa_supplicant-bnc-1099835-clear-default_passwd_cb.patch - add patch for git f665c93e1d28fbab3d9127a8c3985cc32940824f wpa_supplicant-bnc-1099835-fix-private-key-password.patch- Fix KRACK attacks (bsc#1056061, CVE-2017-13078, CVE-2017-13079, CVE-2017-13080, CVE-2017-13081, CVE-2017-13087, CVE-2017-13088): - rebased-v2.6-0001-hostapd-Avoid-key-reinstallation-in-FT-handshake.patch - rebased-v2.6-0002-Prevent-reinstallation-of-an-already-in-use-group-ke.patch - rebased-v2.6-0003-Extend-protection-of-GTK-IGTK-reinstallation-of-WNM-.patch - rebased-v2.6-0004-Prevent-installation-of-an-all-zero-TK.patch - rebased-v2.6-0005-Fix-PTK-rekeying-to-generate-a-new-ANonce.patch - rebased-v2.6-0006-TDLS-Reject-TPK-TK-reconfiguration.patch - rebased-v2.6-0007-WNM-Ignore-WNM-Sleep-Mode-Response-without-pending-r.patch - rebased-v2.6-0008-FT-Do-not-allow-multiple-Reassociation-Response-fram.patch- fix wpa_supplicant-sigusr1-changes-debuglevel.patch to match eloop_signal_handler type (needed to build eapol_test via config)- Added .service files that accept interfaces as %i arguments so it's possible to call the daemon with: "systemctl start wpa_supplicant@$INTERFACE_NAME.service" (like openvpn for example)- updated to 2.6 / 2016-10-02 * fixed WNM Sleep Mode processing when PMF is not enabled [http://w1.fi/security/2015-6/] (CVE-2015-5310 bsc#952254) * fixed EAP-pwd last fragment validation [http://w1.fi/security/2015-7/] (CVE-2015-5315 bsc#953115) * fixed EAP-pwd unexpected Confirm message processing [http://w1.fi/security/2015-8/] (CVE-2015-5316 bsc#953115) * fixed WPS configuration update vulnerability with malformed passphrase [http://w1.fi/security/2016-1/] (CVE-2016-4476 bsc#978172) * fixed configuration update vulnerability with malformed parameters set over the local control interface [http://w1.fi/security/2016-1/] (CVE-2016-4477 bsc#978175) * fixed TK configuration to the driver in EAPOL-Key 3/4 retry case * extended channel switch support for P2P GO * started to throttle control interface event message bursts to avoid issues with monitor sockets running out of buffer space * mesh mode fixes/improvements - generate proper AID for peer - enable WMM by default - add VHT support - fix PMKID derivation - improve robustness on various exchanges - fix peer link counting in reconnect case - improve mesh joining behavior - allow DTIM period to be configured - allow HT to be disabled (disable_ht=1) - add MESH_PEER_ADD and MESH_PEER_REMOVE commands - add support for PMKSA caching - add minimal support for SAE group negotiation - allow pairwise/group cipher to be configured in the network profile - use ieee80211w profile parameter to enable/disable PMF and derive a separate TX IGTK if PMF is enabled instead of using MGTK incorrectly - fix AEK and MTK derivation - remove GTKdata and IGTKdata from Mesh Peering Confirm/Close - note: these changes are not fully backwards compatible for secure (RSN) mesh network * fixed PMKID derivation with SAE * added support for requesting and fetching arbitrary ANQP-elements without internal support in wpa_supplicant for the specific element (anqp[265]= in "BSS " command output) * P2P - filter control characters in group client device names to be consistent with other P2P peer cases - support VHT 80+80 MHz and 160 MHz - indicate group completion in P2P Client role after data association instead of already after the WPS provisioning step - improve group-join operation to use SSID, if known, to filter BSS entries - added optional ssid= argument to P2P_CONNECT for join case - added P2P_GROUP_MEMBER command to fetch client interface address * P2PS - fix follow-on PD Response behavior - fix PD Response generation for unknown peer - fix persistent group reporting - add channel policy to PD Request - add group SSID to the P2PS-PROV-DONE event - allow "P2P_CONNECT p2ps" to be used without specifying the default PIN * BoringSSL - support for OCSP stapling - support building of h20-osu-client * D-Bus - add ExpectDisconnect() - add global config parameters as properties - add SaveConfig() - add VendorElemAdd(), VendorElemGet(), VendorElemRem() * fixed Suite B 192-bit AKM to use proper PMK length (note: this makes old releases incompatible with the fixed behavior) * improved PMF behavior for cases where the AP and STA has different configuration by not trying to connect in some corner cases where the connection cannot succeed * added option to reopen debug log (e.g., to rotate the file) upon receipt of SIGHUP signal * EAP-pwd: added support for Brainpool Elliptic Curves (with OpenSSL 1.0.2 and newer) * fixed EAPOL reauthentication after FT protocol run * fixed FTIE generation for 4-way handshake after FT protocol run * extended INTERFACE_ADD command to allow certain type (sta/ap) interface to be created * fixed and improved various FST operations * added 80+80 MHz and 160 MHz VHT support for IBSS/mesh * fixed SIGNAL_POLL in IBSS and mesh cases * added an option to abort an ongoing scan (used to speed up connection and can also be done with the new ABORT_SCAN command) * TLS client - do not verify CA certificates when ca_cert is not specified - support validating server certificate hash - support SHA384 and SHA512 hashes - add signature_algorithms extension into ClientHello - support TLS v1.2 signature algorithm with SHA384 and SHA512 - support server certificate probing - allow specific TLS versions to be disabled with phase2 parameter - support extKeyUsage - support PKCS #5 v2.0 PBES2 - support PKCS #5 with PKCS #12 style key decryption - minimal support for PKCS #12 - support OCSP stapling (including ocsp_multi) * OpenSSL - support OpenSSL 1.1 API changes - drop support for OpenSSL 0.9.8 - drop support for OpenSSL 1.0.0 * added support for multiple schedule scan plans (sched_scan_plans) * added support for external server certificate chain validation (tls_ext_cert_check=1 in the network profile phase1 parameter) * made phase2 parser more strict about correct use of auth= and autheap= values * improved GAS offchannel operations with comeback request * added SIGNAL_MONITOR command to request signal strength monitoring events * added command for retrieving HS 2.0 icons with in-memory storage (REQ_HS20_ICON, GET_HS20_ICON, DEL_HS20_ICON commands and RX-HS20-ICON event) * enabled ACS support for AP mode operations with wpa_supplicant * EAP-PEAP: fixed interoperability issue with Windows 2012r2 server ("Invalid Compound_MAC in cryptobinding TLV") * EAP-TTLS: fixed success after fragmented final Phase 2 message * VHT: added interoperability workaround for 80+80 and 160 MHz channels * WNM: workaround for broken AP operating class behavior * added kqueue(2) support for eloop (CONFIG_ELOOP_KQUEUE) * nl80211: - add support for full station state operations - do not add NL80211_ATTR_SMPS_MODE attribute if HT is disabled - add NL80211_ATTR_PREV_BSSID with Connect command - fix IEEE 802.1X/WEP EAP reauthentication and rekeying to use unencrypted EAPOL frames * added initial MBO support; number of extensions to WNM BSS Transition Management * added support for PBSS/PCP and P2P on 60 GHz * Interworking: add credential realm to EAP-TLS identity * fixed EAPOL-Key Request Secure bit to be 1 if PTK is set * HS 2.0: add support for configuring frame filters * added POLL_STA command to check connectivity in AP mode * added initial functionality for location related operations * started to ignore pmf=1/2 parameter for non-RSN networks * added wps_disabled=1 network profile parameter to allow AP mode to be started without enabling WPS * wpa_cli: added action script support for AP-ENABLED and AP-DISABLED events * improved Public Action frame addressing - add gas_address3 configuration parameter to control Address 3 behavior * number of small fixes - wpa_supplicant-dump-certificate-as-PEM-in-debug-mode.diff: dump x509 certificates from remote radius server in debug mode in WPA-EAP.- Remove support for <12.3 as we are unresolvable there anyway - Use qt5 on 13.2 if someone pulls this package in - Convert to pkgconfig dependencies over the devel pkgs - Use the %qmake5 macro to build the qt5 gui- add After=dbus.service to prevent too early shutdown (bnc#963652)- Revert CONFIG_ELOOP_EPOLL=y, it is broken in combination with CONFIG_DBUS=yes.- spec: Compile the GUI against QT5 in 13.2 and later.- Previous update did not include version 2.5 tarball or changed the version number in spec, only the changelog and removed patches. - config: set CONFIG_NO_RANDOM_POOL=y, we have a reliable· random number generator by using /dev/urandom, no need to keep an internal random number pool which draws entropy from /dev/random. - config: prefer using epoll(7) instead of select(2) by setting CONFIG_ELOOP_EPOLL=y - wpa_supplicant-getrandom.patch: Prefer to use the getrandom(2) system call to collect entropy. if it is not present disable buffering when reading /dev/urandom, otherwise each os_get_random() call will request BUFSIZ of entropy instead of the few needed bytes.- add aliases for both provided dbus names to avoid systemd stopping the service when switching runlevels (boo#966535)- removed obsolete security patches: * 0001-P2P-Validate-SSID-element-length-before-copying-it-C.patch * 0001-WPS-Fix-HTTP-chunked-transfer-encoding-parser.patch * 0001-AP-WMM-Fix-integer-underflow-in-WMM-Action-frame-par.patch * 0001-EAP-pwd-peer-Fix-payload-length-validation-for-Commi.patch * wpa_s-D-Bus-Fix-operations-when-P2P-management-interface-is-used.patch * 0002-EAP-pwd-server-Fix-payload-length-validation-for-Com.patch * 0003-EAP-pwd-peer-Fix-Total-Length-parsing-for-fragment-r.patch * 0004-EAP-pwd-server-Fix-Total-Length-parsing-for-fragment.patch * 0005-EAP-pwd-peer-Fix-asymmetric-fragmentation-behavior.patch - Update to upstream release 2.5 * fixed P2P validation of SSID element length before copying it [http://w1.fi/security/2015-1/] (CVE-2015-1863) * fixed WPS UPnP vulnerability with HTTP chunked transfer encoding [http://w1.fi/security/2015-2/] (CVE-2015-4141) * fixed WMM Action frame parser (AP mode) [http://w1.fi/security/2015-3/] (CVE-2015-4142) * fixed EAP-pwd peer missing payload length validation [http://w1.fi/security/2015-4/] (CVE-2015-4143, CVE-2015-4144, CVE-2015-4145, CVE-2015-4146) * fixed validation of WPS and P2P NFC NDEF record payload length [http://w1.fi/security/2015-5/] (CVE-2015-8041) * nl80211: - added VHT configuration for IBSS - fixed vendor command handling to check OUI properly - allow driver-based roaming to change ESS * added AVG_BEACON_RSSI to SIGNAL_POLL output * wpa_cli: added tab completion for number of commands * removed unmaintained and not yet completed SChannel/CryptoAPI support * modified Extended Capabilities element use in Probe Request frames to include all cases if any of the values are non-zero * added support for dynamically creating/removing a virtual interface with interface_add/interface_remove * added support for hashed password (NtHash) in EAP-pwd peer * added support for memory-only PSK/passphrase (mem_only_psk=1 and CTRL-REQ/RSP-PSK_PASSPHRASE) * P2P - optimize scan frequencies list when re-joining a persistent group - fixed number of sequences with nl80211 P2P Device interface - added operating class 125 for P2P use cases (this allows 5 GHz channels 161 and 169 to be used if they are enabled in the current regulatory domain) - number of fixes to P2PS functionality - do not allow 40 MHz co-ex PRI/SEC switch to force MCC - extended support for preferred channel listing * D-Bus: - fixed WPS property of fi.w1.wpa_supplicant1.BSS interface - fixed PresenceRequest to use group interface - added new signals: FindStopped, WPS pbc-overlap, GroupFormationFailure, WPS timeout, InvitationReceived - added new methods: WPS Cancel, P2P Cancel, Reconnect, RemoveClient - added manufacturer info * added EAP-EKE peer support for deriving Session-Id * added wps_priority configuration parameter to set the default priority for all network profiles added by WPS * added support to request a scan with specific SSIDs with the SCAN command (optional "ssid " arguments) * removed support for WEP40/WEP104 as a group cipher with WPA/WPA2 * fixed SAE group selection in an error case * modified SAE routines to be more robust and PWE generation to be stronger against timing attacks * added support for Brainpool Elliptic Curves with SAE * added support for CCMP-256 and GCMP-256 as group ciphers with FT * fixed BSS selection based on estimated throughput * added option to disable TLSv1.0 with OpenSSL (phase1="tls_disable_tlsv1_0=1") * added Fast Session Transfer (FST) module * fixed OpenSSL PKCS#12 extra certificate handling * fixed key derivation for Suite B 192-bit AKM (this breaks compatibility with the earlier version) * added RSN IE to Mesh Peering Open/Confirm frames * number of small fixes- added patch for bnc#930077 CVE-2015-4141 0001-AP-WMM-Fix-integer-underflow-in-WMM-Action-frame-par.patch - added patch for bnc#930078 CVE-2015-4142 0001-WPS-Fix-HTTP-chunked-transfer-encoding-parser.patch - added patches for bnc#930079 CVE-2015-4143 0001-EAP-pwd-peer-Fix-payload-length-validation-for-Commi.patch 0002-EAP-pwd-server-Fix-payload-length-validation-for-Com.patch 0003-EAP-pwd-peer-Fix-Total-Length-parsing-for-fragment-r.patch 0004-EAP-pwd-server-Fix-Total-Length-parsing-for-fragment.patch 0005-EAP-pwd-peer-Fix-asymmetric-fragmentation-behavior.patch- Add wpa_s-D-Bus-Fix-operations-when-P2P-management-interface-is-used.patch Fix Segmentation fault in wpa_supplicant. Patch taken from upstream master git (arch#44740).- 0001-P2P-Validate-SSID-element-length-before-copying-it-C.patch Fix CVE-2015-1863, memcpy overflow. - wpa_supplicant-alloc_size.patch: annotate two wrappers with attribute alloc_size, which may help warning us of bugs such as the above.- Delete wpa_priv and eapol_test man pages, these are disabled in config - Move wpa_gui man page to gui package- Update to 2.4 * allow OpenSSL cipher configuration to be set for internal EAP server (openssl_ciphers parameter) * fixed number of small issues based on hwsim test case failures and static analyzer reports * P2P: - add new=<0/1> flag to P2P-DEVICE-FOUND events - add passive channels in invitation response from P2P Client - enable nl80211 P2P_DEVICE support by default - fix regresssion in disallow_freq preventing search on social channels - fix regressions in P2P SD query processing - try to re-invite with social operating channel if no common channels in invitation - allow cross connection on parent interface (this fixes number of use cases with nl80211) - add support for P2P services (P2PS) - add p2p_go_ctwindow configuration parameter to allow GO CTWindow to be configured * increase postponing of EAPOL-Start by one second with AP/GO that supports WPS 2.0 (this makes it less likely to trigger extra roundtrip of identity frames) * add support for PMKSA caching with SAE * add support for control mesh BSS (IEEE 802.11s) operations * fixed number of issues with D-Bus P2P commands * fixed regression in ap_scan=2 special case for WPS * fixed macsec_validate configuration * add a workaround for incorrectly behaving APs that try to use EAPOL-Key descriptor version 3 when the station supports PMF even if PMF is not enabled on the AP * allow TLS v1.1 and v1.2 to be negotiated by default; previous behavior of disabling these can be configured to work around issues with broken servers with phase1="tls_disable_tlsv1_1=1 tls_disable_tlsv1_2=1" * add support for Suite B (128-bit and 192-bit level) key management and cipher suites * add WMM-AC support (WMM_AC_ADDTS/WMM_AC_DELTS) * improved BSS Transition Management processing * add support for neighbor report * add support for link measurement * fixed expiration of BSS entry with all-zeros BSSID * add optional LAST_ID=x argument to LIST_NETWORK to allow all configured networks to be listed even with huge number of network profiles * add support for EAP Re-Authentication Protocol (ERP) * fixed EAP-IKEv2 fragmentation reassembly * improved PKCS#11 configuration for OpenSSL * set stdout to be line-buffered * add TDLS channel switch configuration * add support for MAC address randomization in scans with nl80211 * enable HT for IBSS if supported by the driver * add BSSID black and white lists (bssid_blacklist, bssid_whitelist) * add support for domain_suffix_match with GnuTLS * add OCSP stapling client support with GnuTLS * include peer certificate in EAP events even without a separate probe operation; old behavior can be restored with cert_in_cb=0 * add peer ceritficate alt subject name to EAP events (CTRL-EVENT-EAP-PEER-ALT) * add domain_match network profile parameter (similar to domain_suffix_match, but full match is required) * enable AP/GO mode HT Tx STBC automatically based on driver support * add ANQP-QUERY-DONE event to provide information on ANQP parsing status * allow passive scanning to be forced with passive_scan=1 * add a workaround for Linux packet socket behavior when interface is in bridge * increase 5 GHz band preference in BSS selection (estimate SNR, if info not available from driver; estimate maximum throughput based on common HT/VHT/specific TX rate support) * add INTERWORKING_ADD_NETWORK ctrl_iface command; this can be used to implement Interworking network selection behavior in upper layers software components * add optional reassoc_same_bss_optim=1 (disabled by default) optimization to avoid unnecessary Authentication frame exchange * extend TDLS frame padding workaround to cover all packets * allow wpa_supplicant to recover nl80211 functionality if the cfg80211 module gets removed and reloaded without restarting wpa_supplicant * allow hostapd DFS implementation to be used in wpa_supplicant AP mode- Update to 2.3 * fixed number of minor issues identified in static analyzer warnings * fixed wfd_dev_info to be more careful and not read beyond the buffer when parsing invalid information for P2P-DEVICE-FOUND * extended P2P and GAS query operations to support drivers that have maximum remain-on-channel time below 1000 ms (500 ms is the current minimum supported value) * added p2p_search_delay parameter to make the default p2p_find delay configurable * improved P2P operating channel selection for various multi-channel concurrency cases * fixed some TDLS failure cases to clean up driver state * fixed dynamic interface addition cases with nl80211 to avoid adding ifindex values to incorrect interface to skip foreign interface events properly * added TDLS workaround for some APs that may add extra data to the end of a short frame * fixed EAP-AKA' message parser with multiple AT_KDF attributes * added configuration option (p2p_passphrase_len) to allow longer passphrases to be generated for P2P groups * fixed IBSS channel configuration in some corner cases * improved HT/VHT/QoS parameter setup for TDLS * modified D-Bus interface for P2P peers/groups * started to use constant time comparison for various password and hash values to reduce possibility of any externally measurable timing differences * extended explicit clearing of freed memory and expired keys to avoid keeping private data in memory longer than necessary * added optional scan_id parameter to the SCAN command to allow manual scan requests for active scans for specific configured SSIDs * fixed CTRL-EVENT-REGDOM-CHANGE event init parameter value * added option to set Hotspot 2.0 Rel 2 update_identifier in network configuration to support external configuration * modified Android PNO functionality to send Probe Request frames only for hidden SSIDs (based on scan_ssid=1) * added generic mechanism for adding vendor elements into frames at runtime (VENDOR_ELEM_ADD, VENDOR_ELEM_GET, VENDOR_ELEM_REMOVE) * added fields to show unrecognized vendor elements in P2P_PEER * removed EAP-TTLS/MSCHAPv2 interoperability workaround so that MS-CHAP2-Success is required to be present regardless of eap_workaround configuration * modified EAP fast session resumption to allow results to be used only with the same network block that generated them * extended freq_list configuration to apply for sched_scan as well as normal scan * modified WPS to merge mixed-WPA/WPA2 credentials from a single session * fixed nl80211/RTM_DELLINK processing when a P2P GO interface is removed from a bridge * fixed number of small P2P issues to make negotiations more robust in corner cases * added experimental support for using temporary, random local MAC address (mac_addr and preassoc_mac_addr parameters); this is disabled by default (i.e., previous behavior of using permanent address is maintained if configuration is not changed) * added D-Bus interface for setting/clearing WFD IEs * fixed TDLS AID configuration for VHT * modified -m configuration file to be used only for the P2P non-netdev management device and do not load this for the default station interface or load the station interface configuration for the P2P management interface * fixed external MAC address changes while wpa_supplicant is running * started to enable HT (if supported by the driver) for IBSS * fixed wpa_cli action script execution to use more robust mechanism (CVE-2014-3686)h04-armsrv2 17089624812.10-150500.3.3.12.10-150500.3.3.1wpa_guiwpa_gui.8.gz/usr/sbin//usr/share/man/man8/-fmessage-length=0 -grecord-gcc-switches -O2 -Wall -D_FORTIFY_SOURCE=2 -fstack-protector-strong -funwind-tables -fasynchronous-unwind-tables -fstack-clash-protection -gobs://build.suse.de/SUSE:Maintenance:32791/SUSE_SLE-15-SP5_Update/92c4c1ac4c1b5c1bddbd97dfd31e26c2-wpa_supplicant.SUSE_SLE-15-SP5_Updatedrpmxz5aarch64-suse-linuxELF 64-bit LSB shared object, ARM aarch64, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux-aarch64.so.1, BuildID[sha1]=c6564b029854e9164fdaae17b1d52d2822383e30, for GNU/Linux 3.7.0, strippedtroff or preprocessor input, ASCII text (gzip compressed data, max compression, from Unix)RR R RR RRRRRRRRR RR RRT>ʓXhb_utf-8eca5733e6d6c4ddf55119254fb9d6181fba2205de37b871c3f0737cb575d570e? 7zXZ !t/1]"k%pRUJzx+P"\>*LAHdz(o"@G[<XW v5 cMYiU#8 4`[)XU̼w'J0 "SV*٫ f$7Jɚ?;`eom8lq/yw!O tZI %?aBc Q71ׁͪu ^Y2MM;+* VEu9~^Q1f+BeD/V5d: -!>dWN.^ _E=ۖRl$cŮ^VY 2+{=~2?jt~8 jDi}{S< xlNI.Vb闡 9̀y|g@C53^wŹsok't޼O'}7=J&xnE5lccCֵb.͐DH:֘?J73D4ŗ*0[L%I]ڞ/zcWN/a"C"Δ{YlajZ+.M HbЙV$_۶`jL,- 95`@K4bj3# nxFmVRk[5.#]ua)|bkpP7N^˕oaUY/HA 5hq7}V ^c\ʈyOUHtWIX叟a[>D2Cwg,^1J3[v@ŋ^_sq4әbܝčQ:p[xAT7lmld_Rj ѽ̧i!YGOtwPƒrO 7qUtq\/T Mcul!u.aTNXJbɛ4?/0Iz"묍76TxAF~"o gvHn(ظQb4PRaؑF Y>\S+hL+G]fD'MV jm+RK,*5JzcX s4Z,\{D\#@TAzH4eD)7~g4U@[wڌyoǖ&tFmP'. FtJ ;ƒX6yjߩ1gܫ]#:HT4egL9:eX;j _ZPH-n.`b| 7{i.sZoN˔pMtk>9eE^ei?6H: {ҿ;u 5,]"u~^d-Ful aJd=OYblr}PnXˈ/KJh"LK x^a(1t^u[iXc0XW@+c9; 8"AxvuXB}M g;1}H5l;"i͙4s{7˼m^cV /]@+ٕĶߍ26lp c1z5ԝղ!/ Kc 3Bߢ&Dn斉QGP~vTΦ ġ(@F o0p]V%dHQ{0VF*I_ӠPnGd>M!3\Z˕ ,FS\Q!w]Xb<YڈU$IRL#i+WhN_zeJJg;v ;QÔA,JS}k\?+Ĝu|+6a?)LyT-/CC)ނR@n4$$<ς¬SJݵ6Oc= JlC O zEՋ1Hӣ>zsP]|T=,5SE,Z?gO}|~[;%'r'@[   \!-ߠ1NBI(]Qؗ/dIzE5tF'vb䜧o۪߮6v,bZ\!wii#~7pss-Z h-nK Cƚ O$cNzxeP^0܎&o,z x]#@֟QU+r>c{<;ij(|U "(fTIF =r3HHE:2ٓzskҭӠƆJDg\kM$5|e WVWD<5w'x-me MĘxL iX| RR$ cgE |Z RԖfׄa8&-Wl{.guO oMb3YڿaCAd[$iW/DhꚺÆ!7a$* j?\F/eW C:^Z jA_Ķʒc 2̌ g̥4u@7͙S>>3 PZuQ#t^.T|(V|wexx 7Yto 2s# "*|`Dm衈m/?mypuoAo/>->y+cjswƆ`Vă9[+Sa3a]^tS҈쟀нl{N><^e"6d +7rNnFaKS1Xϒ"@J)23će8a'qɶc!Z9DwߪW"\˕>óxޒf6+{Fn^n =$oSW0붸~JlGwAwFx)hWCPtI:ĀG*h0?umǸ?B? 4A/mzש7!{J1#0d ɍQYP?cO6IEb!ꋧ,wgx?2a>CY&$UUؔt=& H!<Шw;؉;2= r'ݛD?=*׫K" Xt'Xn`~VPեH +SҊpؒ_sej u);ߋ/?nCSB9A LuhW5 bĀ?DӅXEZF%Gg-ވ Ck#z)6rT:?⹫N bPO6d3u ]h3jX(8m}ʩl&cfF9-esC ʟd}IR0f}Cɗѫeӱs0]{V K|3Ğ,+oAF ;8жe q(" WyOT Z$V:=+l'vΑ#mOhpE߆vaxٶoyM L6VfCܤK]`$5dǫ%[ cZ’Y\XY,ζ my~` ,w\b#dW$ߔDF ^RaшGOKoԇ.9ff%zJD$yt>GpI)hZ^P[0 3lc&Sy1_ =SyuxQ;sK@)fwI#/tThl,{=g&4jr VBβ0boyaN @A_*z9o1]W9w-Ը0_!:u8ջCLZdn<6J@!}#"NnbYdǮ՝fآIs].RzwɳkX OHN+.h$"dFG:|9!rbn>nŞǝŸ^ M?$Go} WR?k0E>J D4YGI-DP8Q<}0p`7dyBܫm\8Ku [h Xf*ABUVo:q.W6PWmb#G9y,ua@{A&RޞΎMRG"mTڼS<Y$UH7.PFwOH,KwF-= 2t~W BHfs><UR@&.蓎=q<*:5|ڲ3,IM$!Q4 \oІjTT-%%+SD/cv$s ]YB$3%WnT ;Ҝ Vö$ݰt+"jDWtW"q1SM^3r;Vj#E MBץNz+avؿN-_|8&b,I_Q VCB JxI+]gH #KE|jOW]a.a'󁀥͆RoWNM)P|? 9ZÝ9/V!--pb$tYİAFs11ZHF{"L#7VYoۃ]4CLOCs/%M=wH#5>Ck>@;Zx-)sH(uW7CO[@%zV=b;t0=uԟ>>55vҋc+/uB$t5b8P@o<@Q-D~FQ "]?7Kƒe {_J/&~9AU(4O_l(Ypvz`B-Gk6[|-WܔjxqMoT=o5{rZFNr(s6Pendv:b$&zUHE#Crx "NCB5^>TUG&D˳l%=p[7䲩^gngoO~_U{gY^/[9'CH@U+3R:xUCsSbEa 6=N<)q|D> Boɰ_<҃g\4T kgU TT2;H{26 妋kIRm:Ug`j^KL딤EF&]#Mqi`^-%C0ҵRTMM4mi2 ;Ji@; Hw3<}/$N`Wy_Ү:\NC\8+!>(EJXq}7OTYx4clgpc{=.`rgL E8Z)̟o=A,/aG{۰n@QĦvӧv}2*O|2'wKgj~yٚƇVZVCck15k efg#y8*Uڜ[|"57"q:+,D-t3(&;up-%O@5YP.XlOA4l02@:<(P5b'J(y#ςaO\yyOb<[EcT2,5T?ԻՈ;cKWV2-"Sp YVp~}yFȼ|KLfF>)Ybu2 e5] 倚[n|xTBuϥ(m E)|]E(nE'RyZ: tdi2'2D/`hTs8ߵ7M+Ѭ*-f\R53 LŢI b^ߏNo:=[?$b]ȏlM̂Q5 s{yN2lxul8*–nD1i~<#XWH/Aj/m;WA@:7n3RQKQy챋CO2㽮r|^0r6Yb\vS#\mi. =,`Yw#@%[/1GĴ_ݬ̅F!2r.;jMCNlw'`^=5Crt} o^ι#٥wxj\ T[M'4):'' -Sgd=p2[ tTe.'J-0,Gxen&5]}# `QNOlp(dcCYսuYQ E[gL 7, 寕r?dW[#˗n ML{]ӭXrQ  tRQ%x&iC'4Vw 4qhsObUGûb&I[PgXfLqIw_kGuڍkUز̔*%׭%U8aUpmˌp(/tQ 9Yܶuә&?2wgg@bێp`0Z/u^|kMBp4Ka\Zx@r<-M{bx%嘧HC+y"8@B*X O#{L#w-0",Ca QydщaxYnyHۅvձlܮѢ3n30ǨpV6_V@ockEÛCg,xjOZ 9.`#j3h3ؓԡauܞ3 DdBs_V55ࢉIz91FN>˾Bw I]PǮ{*7v`rpL"45L_/^Tw ]ny[enWV^CNjJ?4y>p'K B8ߔ)`:e}%{?Hzhpb\;LfىGgNPs&N&XDX5#_,nvUˊ,>ldC<{U+`NBdAA3;^"Iܗ0DxC@h2#+]Pi0l"lq#;b.06%TAd7!"cu,ol| ?V= P8@yS kw3Lq'=3}@rQqMτlwHgKa ibQESLO,21ovrcwը5kfY:ME{9o ;cbCqk ~nQ4*nr6}CSԊ~rf,VShn1-i,!|=εR Vmfeȁf/^>1w\AHj%K/*17Lw81b^:_TW?_`Ũx|)WrcZ FszHo]? ײ1">ʷ͍U_λU1.plgN%iS\0#e[INCT2'#v5mD0e7$Y~W )|!)|$ȗ>J7&R5 XiPveOaYƴ Og˩iW952H\3w \ >P c/-9 [K~#V|4q4هU P7+Qk% qq2h#u9p[j 8ߖTМ82Ĉ^6|"=ISG2ѵ1MeI]u'.^(ukmr|ls í8Iԩ1eǦm4b*ăw1gI`I 7BE?q= ǹٜзT#-R(EH s|vz ~Q2 pTFr?ޡa^E{g8Xk5uqc:]gh!dyYWLC;yΪ|9F,(ѧ˱.Tt-2@h}L$oRJayԲ"ޅ[THrZ׃VW+ح*XE=xHwQ;CÔ1rf%I4! O8p@nWRղ$Ζ0Uw017Ԏ^y8K53-ĀͫgWfo:F۝z1ޮ֦w7.t7۱S+2+I:rTov,vOYosL *(@F[x۫KX6ayw4spח3d$t j F?2XRU&x$5Ơ 0DsTu!Do|QwO ۠iW,`[GO(0l#ȥ[OqـR-|semnNj}MSg)MN})WbD) z%Ⱦ FM1w8u?DUA}~4_Dvt\1wZ/Hw`JR"h{ª"i,Ik(SmyM #oɝ !H(rg miz4ӣnq2RB-=Q6'LpVLbb=d$Uo1dy'ZМpKL%ѐ7 #ԇ|HIhkߒ+wQVU LE],rAƴ.OP8%cA{h:;Ojgacx}jdܡvC1)I:"Z+XO)> fӡ7*Hơt_ /U~˻FVX}y[M˶Yp`2$-7t1X>!)zGJc)&*wZK+W Դ!TXݕ*D}z=ǢYS{Y=fgŸ4|8waec}:xyN"*ܩЕ( ň'$=x:ꨭ8ɍzB`f``RzfV!,C7|Ic<.,[Hx%6_-s+4eѕ,h:+Gug-FG "g-nC^]wxٜ̍ =4 aS 5cS&MsJ.L-5Cq٥ ؝Q|'ٝK-l3tbC- L% <|a(㚪NOT0[ۍˇR,Szvnd=6Ԧb,}/,0 ]RӜC{gp\N26vRCB_XFFQ@P(\ 21kHr)_"Z9ژ5W.0' Jy{5[#,1!a]tn>VoQjlԀ'.G;e9= wIQa}":|vIؒN(I:ԦB/ca wer*]O3Ԃ0^?7 ׶haԺ"hW{t0x]ETdʤ2JB:bm0 Gj] Ɔt3(BzMw:.t}_ o{e3]tw9AA~ AM}*$`;Wm,{wY`\5$A|gg*Z*6ѩ].V=q2Fq8*tG|EL]a52wɸ]ïL/ݺ;)6lʹ>?[F[*7ln'ɜh¢]pNk'>I5V58v a3k.ۍ1x+; $5TcjH(7Abʸ7lx09{ 4%t hpl)'C"_ UBepkE@*bNl_9Y>ʡ=i&έ_4~AmO}u#٩w0pSǽ+`x:{3ɹ͂J0Ճ@eFkZe`5lgCeq4 / d.Y")ؙL;kZX8^7$W#ł%J-r^yn|FVpoQw}LIN?qr@} ͙پ)⻉6 sl1N%S?(0DJZY@:ua9Vvu՝ G+Ak.T 3a< 6C|-xzB |6F$MBBU?dh7$X IYWթMxN Zɜ&3T0Nﱇ!" I;T&MUk-}ta(l+\qpԟFgW\k–B}uNe\"4?QyY[#L},#r&yd]a/&RptGȪȡbpFw*^EH&Y[zB&DtV\@{0X]k i0WLI‡皆<@ 9Qb|=dĚ!a({dn^v12_.SWiUBv=xO}€d3[}q3ʦC]q##[+0N46DЋ]pO W 2٦e^368d`F;nMEM$Yqa}=o4SAgKBv =-?/Ԡ 8ލ;KeX:8z>yl:K'oEAlAUW#Vcѥ# qDG$)_ǮB2M_Z?e^}8=9QB&A] +O]sczfIHmQu=Mf9T,8!UsɲϤR].~8m=MYnE~!چr)q1az7ҁr)8\=h(dLeCoK2{p-J`L&s&-INڟ5m > ld6uOi+ߴK2bjJaJ_SPVHwt-bюI?@~u s)xzH tdIY۶֗zoTH6E& [r#$lo| ;UlWdAt ,6z(](XJ)~F5LȎs&=*~,~Š% C[V~? })WGWЦ0P%F3xj":ܑ+R'fI=; } `u[1A2.5VbJf'.^ fifC|pংA{8T2|L*P/b6S}$@+eJkFKVSRgݧxy2‹ չjNJ@`* .TN 13UtrppL{pp4+F엳ԛ *>t^k;S鬘$jV0V1t:8ͣE4MXNcZ?2yJ ߂Yݛإx"Ԝ'8h]iLY^c"j@tDysJ`_G@lO}#SW03G:ʿ"X`X4Bxq@h&0R"S$ }TMcG%D֙$x3IC1S ⅼ1h GBKYy 65c$vfj%[kaMSᥩJ^3} %^AyYfA~2YS[cMUD`+[%@pxF\wK*9CTpşC,B&_Fh/-3e8nWv%w" ~ p*de"vQƃҾK\?@)j╭[KhmC:# u0`]ڀ`:g~ *B{Ol†~O^Jc83k'0r@ H;䆒G!ׂwQ#R{U.A /X16r=9N#G/(43ҳ+G]>Bd(X7Dm[ӈN4i>k\(WM(XU@(~|zψC~)W2f) 'wUZF}9cst$`zj]Z`ɼ,߹#lOZj'^'vO-@LZ}&1K:tϪTЌ|}M9{U¢Ku?8;rV.EZa/]BLJ&`a#f律 Rfi 0hetv 7GFX3; II{}‰љF؂f&7- guMbWk@Lp*úؓ OPw5Zz$Oa7ufNĥlp *H45C^rn?b!;*UY(f,!vFE1HVݯuѴNj%O/U <|Ӱ @A1nbLlzncSV 1Gp$[כD`p>s{!'f:vKVv ,zwԑ(-j3BQ[Nq-Й0&Ċ '(L)9G4A[$IG8A鞪 rO'an(nf/;JJA64*=xD3 W׻et?Lܴz["17n|9,N^z#HQ*u13(1pj.c_.T3t{ ?vY=wŸY A]I8G] i# @<aLr,qF00 qzYq,a2/JOU(93BomLt|*0%dDƌI2yIڗRӽ-++ &⣇@nMMZ6L^<; 8_Mr_>6ڣ:o]0WL==6WTa/>f[즖m{ w)ˏjU_"?hUmY!nEMB`p*:iv3Л kRԃ~#ʚe%b nYij ͘;dbhm}gGb# n|7 [c[Smχ=SCc6)pn>deBR)&풂.>>U 7dYb܊z+Py,܀B-uռ*AΪ:)7c؉Ri=!Ƅx`.M#,R?j5ÎlLxͤڕsٳ,|nˢόnfD }Nz9L&ԡKͱI,7Mfh~Ͼd7-e'oz}hûkW6 -B}dZuƣS^ۇyCލr *ld+n4{ёS=3/!hAE-!gj E*{va?P)"jJD6_ǜqs[qHr&3V*# $7!y+PO҅rSqO#ӅWŻ o9n  sؙ閟JKY:xVM}hx2wb8@_֥%W F> 5~]Z{M[3Jb4+\޴k}a_DD8dy`ę?jAvDO`dCɽ԰v/]Q9ı o"ĈHJ($~m4=r)P49,ykC05L:1|+% ߙ76HcjO70W%!ʕr7~02XfˉW te іn (Q^pp܌w,.:Ei yBW8ƛ[> nUEt$d 1u`KϊWoܑ^ޛUci)-;#+v!YW0P ?Ӄ0}<+9/ VhYN13ߚ _S0"YsZT,y З, ? Vk&!kcZa;YY֣ehEfH N7дwbЭrG v~\>yNP,k#dy)][J'b4h l}uS퍠l[.ϤU'dF~Eɟgo|ə ܗF/[{ޏFRQ-ݭ S} 'x?^(mLpqQ#v e&ǫe{N r>\CӮRnIĢegV:F=SGʞ<ڲ1&f|U25!ׂD̹snbn%gTi\ۅtz,(&O ҽu&waFkyXM(vp-{A%'vBoJ֖59GPp۾Ëp7<\Ha=˕7Wϸ^#N,I7٬}~jҩTiIծ"PhS%tN-\>Y!Sca`*]9fR.u.]^N!amn N4x%HI[2[T_[MU[ý @.T#^8VxY4'tXA/Y4nLWR'O8Th۹0&A&$ ="V{,>^EJߌFўH :)bvE.;Ad&z]Z^K1+]O)\>C>H.A`MDjL2fqK6׉AVa-.{ncX,KTilp>[gW`^q.G̼ :lSfĊFzl5ѲsMbm/.Z`ɇ' 0tvO󺵔Ʌ#&B%itc鲂rwIKpXl Ou4y:b0i[g?2YxիsP|_6b^<<,sZ:ZP5cO#XiojDTNTI;Wހx` tfMR^ISoK^$H% #c70R e,.h ͏q a:)7o3Fq-@$oVV RtPؓyr8=c.C6ig,L6NS0ZߺG#`Nd6ibF7PH_ ǒYCU1=׏;<1@`dٲSmHE.M2Ҭ,׀;/:.a S5Ddj? {o3v"< 0N}[QPo9QR{b:R6cVH 0ySx*z~ V\mNsX+|` Â/9ZE}ZSɐ'^0o{6’VGg?Ø%дWD!7LXD'$Qw q2f!dgk \uV˝AUZ 8zRv"h.NZK{B4ɹFw'YnU$`mN̛Ve7n9S `]s9dZږݗz*Cκw=&3W8ޡ3BFo6#v7iA6-M)L.c+cCxD"٧jC 2*yG9%6.]I̘f N}w?|m XH:"!:"@L&ƟESxج;'d6W,n<5iIP2mX,.+Ro$o 1; 9W2ґ3&6rYxǯo_^6?j旡a@V'O=8O&JLwk\p,WikNj0>4!0o/io/)&蟹մ?=b\lbNI+R@*4k Bs88LzE^]'\wm\0HuWp_ `CLh[5D+lA72eKX+ylA Y^E<yիI-uB7E٬BCfh| asq[˝ʑXS9Lẇ#TXЇkLob7{&爞ߝ=aP)mz5QWk'/ݘҷ(UF Czfܾ܉kT-\9*7,8DpM >yJ58<:v1*Ěj0O?Q'QQ}F[hj >/BQ5#/9=MKW[<) V.~gv\NX%H°. I84RP5{,y`ڪptk^_&oi`a|CG@@˓GA$8zdma|띻OVבيћve*ڬmiLݿgX'*{$.u+Zڴ5PK&}B93|Fyb.2!77wʵ c(-Po&8>rRZw6d{8gI{td,7c ?L$f,5GHְ'ծEMmp[n'1CF_ a7# ̟lib wКůVYNBKq__PǢstnHlrV/ɇe`44$ 1fNIAi+;L; ٛҤ_ ]:8bu? {%xa^|nmb Xyq  , r`=Ş?H} (EІچCV{}+q/RgBk ߣʻ2-[m}쬺"U9Iop(I!D:ThoFINBa_M$܂=!98} W%I軁 v{Ĝ c$ ȆN{bW654Jڌ-am'ڡ6*<)h[E\ILlĸJ[U'A'y8- 8EC A4ETPmne|KR!/&}u( ,*S t"VH꠾bRe '8#kW,s'b^tL:tviJ4.9x5K2iSE&\E(RƷ&Kȏ֣N ^zB xE"(0.nn|]E5E\,iكCHhw%4_~Lrft%75nHI|, b5F5׏Q5,'x pvE qpt L롂g9\225"&zTdljNӃ˴a$3fOYlD͗l[1+ظ;"?M%5Y}*x9&BֵL\B bDPp&~YK1T|)zc5hylSb2tft{mh}SkIqIgl!0#)?8ѵ._?!0nl~[tdz` [{;hP)U쐖K 3ňɈR 麼>S!?L8዆c( \>uY 3;ѕDu}LJH_xh/o%e&>^^4f}mg'bv fӨ6w~V4'2MK;`YhvIVUQ4v>_v&YseÌ )Gl&xiW#k5/)L1[Xg&W9 OC5l+{* >sz7%j<ükJA>",qt^lλ; Jrzͽk1ksmR񍀮/*BKgH\8\&l)szȤ}v1z9$ſ1>ovH Mhvʮt?v֟G\4Xeih҇ i_bZ[:nKbub=vtLR\Nf `PR4oƾ-%g! ɯ`ZYK9iA& ҹPgWIWfsPW1Ɍڊ\σ$s[Xj3O8_"~S\8Vx؎Qb4k!JOCw;r:H/Zl"M̓2)r 3zNi[gj1sܬ@ߴкϋ"l&~JPO]В c5o?䟞9gg>܏4<"۶ɱ$9ЉSҸ봼CX0!&(|~o"zHrWY@6}2^"G7O=Q&R3Rr2j̶vPU{7٣}Z)MncuǛ~l N %5gDS~RK/ڑo ]tZ%ljPqjプd"L7GCjyC780=#[滩c-X}5:*4ÈDoeJ5!ْҰ۬|Ɯ"f fs?ɺ@esimqxl0wUN4BI 6Wdev{pmÆ|)mU9*$|#TgM"W5>f u6=P1k͌AL8)?Y \@5bȱq_e=>l4rgMυ_&Ӯs׼ (,E%TXy<" D<]3rҪ qb!~_ X2& Z5fG\`@0B=dV_z/EW̻`ZP̞=h5#;F#bx '>ZyBF0Ûp\ݮЏB0wᢴy@:fL4%nE^ B=YuџVKi桅&qqWQl |+ &.vӓ F"Nn೐b~)8u`Y',E>E]慄 _n5{Ъ]4Դ_g39Hʓc3|M%d#™W5i`'%]&9ZHtș\Wr>(:t%mϷG}Ա@1V?+J6ZU%y]l1Gp7chL8G<iQ5X3sr`F]ك>Q0aC۲io PFEc֐PƨJKfr2 ty& x&)/ux<$*!L U3Q05>o@{M# i ^eY%3n-F0gcS7gNDJU5KZ9I_kqN/]$$eI. pF8)) E2(,6>l՚U͸Q-'^}Ze`q@p~1Ԓ f8 ʀ#TWE|I\RjV0\ݸ `Xx `bo=>F5&ns劉wR ļê]הϣ%*O+aD.yǧX]%k_5{rVEGf)S;fO%K>( LQa+<CGٰ.oZ ~}lYӽcQvCCV:lw8a8ŏɏquNl-m;SIRf,βx2|Wvh9neD*)378?{x!M8w[@~G ۀb/ 7Tl0ˉ6Xakr؁ MqnSz[suG[d[8d_RZ @~FWa#rTI+b?FQEţnMBE!|d!Bnd;'!|W<؟$rKiuD2Zsu 9 gi^%4{b1L6p00%]yi؏K3Uv;CUyE߬e'00VT=u,^;/IнbfVK;O'&O)Hv+Fb(HtR]+ӹƘ~ eYk֍ٙxng& ,VCqrGfr@pC {3@4%<*`6,ڤNϖT0 X)z | $ .dm?qF} *k-p`_N0UEQ΀o?lx_ѵ/f,բ2Q>*+z{cbi=b. "`:uLj7U{ZK@\ؘ)uwh 0 ǹlFpZfo;>!7(#H^%"/_M}nשQdq/Lm Jt V=@ձ'tBM5Y~^(>E~=؍妘D^W urm"eppLѲ.;{Ե]2KUQD TUc_kK()Ȇl2ɗhV6#h% 0tN*FvV#+ 喹•Q+xmMgf+ M [k~ɸ2E$A0o {aJ=^8d %xqÿ:6{ L88[n/&MK=zɰ GmB>C!KLWB!݌bC?5ƟjyQpެ]ɸዅc'宕0cE=oߘgNk>ڡmԇx:S,ƁUE*PLwhԡh5kE[dL-W;zwf"YC4><_"JDƐ9,W d&$?X[wil39zе:,rs}iQ5 0&^Hܮ̺,H9}Ӌ dðR j{TAGX5%V""LJD>D"`v ..`&tEi`eycAWnLغB~,(Gg 8jV' l{D_kvwvl[C!Hhk{|]@^i33+'BbOfNtnh<VcF2!@9J=THd͌dh%!hXRJ3Ӊ;vyT~ow7~gv!Ά!EbsxM` cT@ΎT$?dfh%бl/bs/Vu|*b~堉2r21.Ǐ# R痝քXlƜZ\la~ = \Lqn&PmM.jQVl"&= )1s@bF_BҾwRK Ez]Bxy-î^KV[oIoJ9&2JV)\Px{2'Ahl?xõB=,I ~z[ڛ\LAQ*L$8ɚ$nDY?F&<V0D9uc"Y@% vxM_kkwk u~W|HC m؟zXjupƾ ˽/\#ԫw#K>="{(Z K,ߣeN,~nVd cn} bGÆ%w2*W;7RV|soiR/U]sPrZčGRNljc9L]A`k1Yady!oN@2 V~0 w5%0i1 o=[qZg c>o=kʲܚ std3s6lj7L F9[31PEau_(ͼ!sH3tZȤ7@M=pAR\6ȀdHn^Qw}- Z*yiLn,@]ZuagM|5;t{/frA ɂACJvm5UЂ^TiX)[*-PHs^W\Π&#/](1z+ S13X-ˤ>F4_#CǫƩ/Ps`!)"xJki\I_$0)ީB+L {{/Nm!YUNDрtT.7lFUȒɎVԄ>Q3t_43puW6i]ڵ+aP+?M#p#f~֞QM9I5[奱 ,:ժpS.~g0 -(E$ʚai::XJCO:SHXbi)}4jPwA(19_.:"XGd㨫v9S;n=8yޞ O_A+]'|F21GTSQlJ!I+k;!.y w0t4vy 0 > @G4(6~[,!\pZXd\v2cpnZ(Wla9jkWVDr1vcjV"W!S.XfS׌vRfʄ y;e \J[9,Ɖenc)CL-8<ĶȪpiFe Y\R2bfuo xPZ|/&pNNɛ$݀: .#suG:'fƮf?pAp}lopVsm/e0O4Mv.'X6_ҡcV%I>3qLBW׫łAyء8Òa/:UGߑM!E8p"9{]h}f;/[l#EAЇYO j^|ZfqmW#UX͈~1RIP RZN 9Qؓ[skC%qFUiu`PȟeN^5 ]} 4,%r/Ei9xZRC9y0sEr=dH_871]}fhpxk<ݵ,: ZwDhCP\3ɵ,!dO{o, J7 #Ax#NḎL Ȩ㑧~t@+UA]kT4=CD̺贈y2躥v׀j.lXBz8̝oҩ=.o%Cƀ:Kz5-zՕƂ2pDBZWTE{96ߢ@<ԐY)s/P0bTzq}hN ݀V Jmn5zWMN*\(xC)2!u"LE:j8_T1TɻAKeg2m> ѻzgswH3L]W8'Z`qގXbrՌ5<;ٙԧa3`̮$SsdDOȝE}i+g.%%߷Ӝ$ ׺3rc/^ g iH ;'ܜAek,ma҃'NO0HÊN*t"Uf9pvUgSJDrUrCq`'-PI ?WMV%AdufLdYn,/wi~ZzppM!kDۇO+UDO3FUIyj*^QQjU1ޠ~zB}{4-_3*į&=lĭ/H>9obg u#s62#ÇO$Dg^}bx{n)FB:S}o K9\OKJ+/JwvU7@(º yFrֆؑ m#}ƱrQf ̾Pv7=XnnB܅HfH E80VcƵ5zMb0ױc` ˫w/h d ^p^~o jI]p~cf_Tk.ogLĠ5}_+ u/,JPVpڡ@??#;;~%d/Tkb$yߙ?OZBk0Y23XF-5YQ17kOUF*Sq\mSkV}u(eK)EAuxH?2dٚ0bSS?}oԼ`g{ĬnhoZ36R%2KkOKQ(N\hiy5]dˎ:[PH+OR:V9A.5PtI?TVona!O)qG~0ۚJ-süaVdűA#{# p{GtvY^r@ֶ??,]8[xv_G/Q"n.UCJ(q$؟E9<18j+c=%M `9 ?^+q1{%u&NF? wLJFu_F[:R5ı80k|Kw m[л՘E07M/_9vеrm2 ƫs ˓4?#[XJLa]ZZ+a"0{R8*%x)\Tm1bD8(B!BUJ_ fW]Cv 4,O(JRC4kDYSS#թ['sY9ȯs9++_eYlW(kKo27WgNuM'(QȻWU7SOC`7Et%: tԉ?7h3[|q-R9<k3SS- f%>*WUSȰuS Ǖ;Ts\v'f.́^ ے6GI-$´iݧe^A1*;'OZz^usŮ2|F4^gfDCz.{3UW,@N2tļ.e0Α^x{fgy8o}y+qp?Wt OkjAXR|Q :y:I>>mBj $Uev 4pg{:BdaX ~+K=ɵϪ>R_yNu_X$08!\'_Wό޽BKnC:wMwGߜfZJ/;hg yZOQgy`Br쩣m8`fH .H tsh}{9%}.i 0 @ևL70ϧ_|Qx 72y5q iɱY=pl\~:_VV.ddFj1ǗYU jG0{⽕fqIrxSR/m;).={y12X'<[ͣ8 TK{A5[H2yٍ2`wՓ,Xԣ!V8xh :pPǩ'/U#b:۱ܯ֓Î8}pɏP@qEo9Lp nco93D$U{5gKHG:萈'a3 EWj 9nGJ\b\lրggrMo8fe)^VmOM&qa垲.ojԋb0C\H?>XHbAɤC6~GǮ r9lfW`[!9k0d@P@qu}#QU[ߌkxdoqmpl7@fvz0 nR>r燉E"[: .}zޫbZS#D8}jzIxQt^ R{%)~* TPD0[ Ԡf!D@D3D>CyQ/^cN{jSg=C%Tc:Y{6灥~kV,oeiM~02o\T ]' ,eK#jG8*~AU-IZ/bM;Oy#|9$hgg|1h4cA;D{ ~OІ>hE۠/Vk=zB 6WK|?V9Sm=%zott6/'} FYSb""\VaN/>LRJlSk`k2>m'sUu{4uG=hڛ`ȬR1|1L=FԿJd߇5XhYoqnVȎOr0GXmR}Ǖm^@e! km-k1şH IgڦI0KQ{r:RIU܇ѧC?ࠞŏ:[.Jd-*r9uMO3<2WI>tAZ!urLe!WN9d'ؿ=MnDܫg~<`bDYD,kEb \t#1n5~90/9bQk Mb;k9y@o<2}2ՠ<:k?KwQ>*ryiwt >eaTrr6&׌ ǧ,X,` 栐@n%{R!y1]M$DJ?f@ӵmb}2s1j1iGC}䒳갿*9e_% aΈDwBTxFߍi9#@1凘EnלJ&CyYrJQFThK\c0: (A&Dm Kn"(.~tk{S* HP(tj䮱 W{2N>yܢ@T5J@c#jޘ|%#\Akq$Rq[3zzGJيz:[(|TU\cNWsR4-sj7d̙GTEϩ}6g(\J;eu,'!E%ܛSڗgP?xTH%5'nj=7 x hFl_4{ƚ <#6?y:)`6U!C 7-k'U,%ZΙ*q0y C,5fn2?!ێ+ilü#+EaxE == 9pr(Z C' ZNWѦ=[I#v~ΛB>^(qLL{ca[!Ukק]r/^$;kܢjnǛ~{f~-e1Py|W aڴ0Y3S+^.ʳ C2](J~t>xƎeL(>c`j0 $U!:H|bhp,.&fU3KK 1rI,kuXGpƱ9nigY+(sLA#Ž' 񅲫S U=ڃ4orc7SOm1@Ujiasu"nqOx.[}ITIȮ|.Dsɤs}2nYwd+%$b݅nK>%QAU[mGrqyvdX̾VK'MQMa:نs2ip )' A)/uE/ؒ 3+5s6mqgJށP3^^1ׁ_<ȠaUS^ l!ڙiK6pIf YI #5ϣ( xÅ}˃sitB@ܧ_؉'>^gd9>,"d"~S"|®U&YٰHPVxS)d1? %{!g׺sGk홯bb"M5uq=˜„GQ߲Dx>\9h]˖jU<eT,RGQGD5)BX途(̽s Aө ƷEzZq<5~D쨳3,dmrCzmdc` n3G op-ƶQZKHVH=LG{/zd:4cG6]Vݏo~7K,Ji=4HDO!xՁhJGw0Q smiÉ٣Km5JT炭Wi^=lܴZF: +i$ծ '}vx#YJ:%Ҝ/|ҸؖjTPC~p-Zj痊EAŤMݗqy8PgJFW"NǔQ=(Z-Oaʪ*nƪ*( GnioWGw-MFrKlk+|\IuvnC=2CQVwz%xUV)+{z1xj#XNx}Kqzߢ d"AιW7>yNǀk{G>gvbkd(g 8n"-{Qv##kSɠU_q^ XѰ"Ò2q:+|tb+ͷ⠕S/ E#˲QA\JC69cN#;lOW~P,6Fࣇ۱b0&h݊Ma ;mj_e" y^ۅ tEI_*v yj&SO`E3b([:0s:HET]|ÚpQCRP('X!NJWЃ/-uEyEܝBM1= A\&`?0׸8}L !tm@"-Gܫ$*5XJ}Gt/#MOGrF.hOD}*Hyj'!1O)O6`%nuqaO#-0qZ]wSڭbsd'~YQ|Ѥ &S#SFjZэ,@<<:\&_#??mU[dɌy26$A_֏N%WZʉ"ױ!3{P#uL;!a] Ù1bBC۫NKwNUDvuT7Oyf }eMB[ 8 >[09GčD{t>_,^O]rULԠТ*y|aѹ"]@ ~&Fת,KE 'G9 U| n.,Ω«+]@^M!ڂM!@pf/OچrsŸZt&tdӠ̝iq !T*-~V+:xDb"um׎4aDsymopj@s4:aEᗞ[ hEe5N=/4|z;^B[ m &$êӷ)imJυc3{ҡ5B¿^F\ l&`qj΄("|fq?hҊ;-)Hs9S-+;)4(ǎtv#,p`E6Z<ڰo YV I\LUيjv8 i6s4iIW6DJe)OEǯu d+H6"DW1<? .If |OԑoDD5T < ,g[!򈻟/,jLƬF/af Qd݇e@W-'&Fdrx_=nTGJSڞ[ZmÓoL HN*YVȁ4HWUc;活0hWUȮ~(BL X3_mcc蔆_b)‡}@^Nj;E:xmގ-RWpdqQ;ڣ}߮UbGXuTʽrSfS@GUD-!́5Uvn#7󊛇ao 59lH]8Κ`% B( Iؐ r:GֿP|5D "ssxM;4m&iֱZhp\dxѽ?V2"G 9` w;'3|I`?{UGgbE<14fX5CTGNHKUT?Dsyϭ{|ma: . i`3sZ9JW3)c:=<'}H\ؘ] w ڑr|{H & ]l06Iڏ qκSplNDžL%zS)4a3]d*ܚxQ뗟{׽BifPeN.|P^W/ #@GZf-Cӟ &k~=^%JeD]xOފUS*b?O+:_=lvl Dʍ|-Ɉ1-D+A Lڲۑ6H!ha3cgɺdw֬rPO[6%=2տTrxaD&\8h2MY l[:퀒~&J.3Pn _s U/^W%1{` aq0 LR"7i[`Bbjڔ/N1W55 }1Z54-2j1ǞpyDީK>?Kۃpkc"u<NxZ3QvGL4XR0TFJSSͨ'^&-ܹ,⮵z0+|6~Ӌ9X9ihbs3Aef"ucE/ʸ97Uj3L6x@̎(2&%wZ_`@sHh`ضLӓH҈©kgTx:hy`T2*O`EY0vN:@P-ϣU?tvD)_SX݀*  @Bʔm f4Xe1: LERʶG} XGTf)-"Ve Mjw!ߠQz JlbjHyIe{ԛ/ (MéwGHSkd?I*vBԇ:WՖo- i~lBI `7\cpH!{|ˢ$9,'|/,$k~疷3&1Sm rq0v=`ޜ]C#@ M H<4Gyc g 5X6g|ƣ$~3ܗpN?Q#S8WZY)Ѕ^x Sk!1"cpf5Zd8j?(}9@ I~zAXY꥟vt dZ@=0sѭ̻=9I/2Y*$mmÙtR,7!Fܪx)A/B,˦NsY9,No;D+F/nkbC~@cV,9" uIòҭy$<пKR aO[#۝ bX#CcT_v yK9%b_, mceysRB\=o)Ih?q<{eMval7)26UJB k0вb6&i}kW#ꮗ o_ F|jJl6ߗeд,k_B=%ȅrjL)tl%Ӑ)8docHa iFV2e iu~:Ң D{l ?:b2Mr\\2aL؂~Eh2]87Зku{0oC&0JY;~-vd"ڂgzD]7tti#P0qJ-c}@YJ_ƞAE9 ") G6D+cV:ZM)Wv Z}d-T[GYs n*p+d 6@%_d׺wpcҐ*={7=Su5 [I5qV 0;[Dk- P+/2PUz1mL;dgc]a//Ug2]EW|~Yن2^Xz}"\_'a]JC"&?ln5!} S/X*IoW5fVȓ")Ah,9 ;a;7Z aR&6o¯=ŸI'XaW%~hIh r$yoxlj9/Bb:XK! @9hF .MxyHtQ[O! $uK]in0+D,Mu'/%9}9QK9|4" + 3H*H}G1 佄l"dS]j={M%OVh$GNLjlsɿ3j; m ȨAcN8q4^fwosmH",Q4Nڤ~W C\.OU>mL3GO%@U ,~~aR=R5 d4+YZ#4XsU:S\6vKw j!ym39uİM~~ʻM#} `KnTK!`z4nE(ap4O^P'ojUVf}Lbz_m(< OPBcd!QK^ygvdD q~(Vm>_&notҺq.[:>9g,ny@H4'HJ2npn?4J^GvR"f~|~ $JrѪWBMr-*fF‰^Q=1N׬S[*9ԅTKŀ=4`ҳ/[w%%RWGl.]sjןYۻP C-QRMs N2#BekkaWkehOtoyBk /c;k_v˹LI&\η2H?r|Xjvڡfp˟-~*BNyK];ܶ^-eLS%BA: ,:Z1 ]][rB1[o m-%0W2v֌ 'PATA۳OK&+H0d(&R\j5& d tMM sؔ xгb PQ:%k`'W}J)|=WvQIަy^p[kIhw}Y6:d7dU|=! b..SqBl*ՂO;EM'co =>3qU }b`<+؊#%]s.qb$Uf~ѢVؠ W_Z!u9WK>S=NT! ȒS*jF]] L-9O"ZĢ곡3[k@IGOZ.l.!-ﯳۼu1sU`'W% uWy=1Mĵ]p/_&=S|<9vO9,M/*A He4>Amıw` $Tdۛ Two:'S%Aōbv6!4[oflBzt X !ΆIJ]o?%W9ɹ  $TcG<:0oTfP vHLVR0ZR%gUk/)ɔu1 {ng U@US&HkJ?ցyoԬ,!.yUpQ2 * Y yu 93`Uzg{o_WٻY9gˈ[uܑY-;U2@r> cllQ rA=y"[Y@׭y +t,}cHFey1-xjP;N=TRO~NgdގnaAt>D<+̡X=G:!}o77W41+?h}iwlM{m0g jRm}v4V\p]mW ޷Guh#yE/L8eAr+N,Pk-_48G=Rfju *_B=?{S6BEm\<46NhDfrqOh? i'pʛƮ{nϯ׼pi 9 FDh淭1|'W.CCOnC UU;s&X l?6V%=ӥD{o^vuFg3-ؠљi2+mPMBSj~}MzxD;UglE|l { ~.;-T<SGEލA\ tM|&?v`-' τ%(8V),kf!*wyuߕ4jf7N\!S <2ط%=æmkX"'Z/oz\) JYKq:S*=K4BH7D8u>ݜvo``hfLeLFwECA)-JjƞON{qז^" 4~6(kO9oΗbNh&֟ˆ+UsҒM"?==M"#|"d-0fJc/:o|/rTO~dQ(c]{Vv$ZN2=azѶ;ζ~<(+ +c0 G<1l 5\z ;kֲȎqnxb;c"5y{g?7􅹦~AnjvRgs2yIJ9·3z "wPpD.tR$Y=XɂqwS9T$W q`hrVtܛ2{eImͭ-:3o%4T1ߨۀ`6͙9A ,ڒ} ;ęL.wѓQ%G@ɏ;]7DЕ7A5wiU# gpFSչvPu(6kְfd;#}) PR2?+NEiz !G,~:fe97H7QJ1ZEsMMI^à/o5FT1v?/7^^ʞd64s5~ީ=7?Qtɝi#N,i$b$Y~(/Ql;: bx шEkb<&ɒ@@m<tҐ>T2o8 ~ǻ X歫4 C)앪A0vƌrÞv%y5x=RɁH8}ӂ33c l_+>:YE1\/r5 {S@w}[(]VHҶTӰAۋIў%}h 6R3ևGyZ {~Kv@m&߫0kgUJ8"U՝nF bGKcʏq=!yj/Rc,BzM~-a0ScB _mK!ْ#Kʡ#͗aE6stb&UJ͐IKEP:O>NdQ( "R⭛ٜL?%¶`qEwρUlq ߔ!U*mZ 4Vyˆ eƕ_^&3Q2k4PàpFͲ{g[4s:5WnשEкAI ;][o>~[7r.`*@:MɦWuZүFM]<Xjw`|%|MЗbc~]m+M&aDD~y րH6'2Ǝcߘ6G͓N_V m:yEmVIA@v#@%00Or¼B=$y1kpBoR#ېdݕp+?-U1^6NpҼc>~yWe>|(>cf /K>U]|Ǭ0|,u93"luիd>P|W7گ `I+;.k^% P8,&KV{b -O-5 M.mdCk4zDS(TOd[&|"5uXܲ0n'- , i"^N_5ًir~|Ǡj6F[t"mY<lB. ҸBLqu[TեڗJk}"J;8g>Xl;1@HK@xi,rwYAP1﹨MwE7e&5Q?69KJ5J0~#|R W`:͖ʴ'3u^5eu- 5͘%;啓 2|w0pu܁M.yo*' ?dیЉ+5^4Hy(f T`7 sv+Y@n=U";<VN֡&FԐ7]U$0rI1ZEtVs˵d@~oQ:][{|tXVW:$-$-s2&{0N,K!C@M<,8Ǯx (\zarS$L+N^Ȩp5pcRmeAezTYד ϩD/A2*v;v!9 Kl^K zbʝA>r,OFAG\ SAL|7eh9VN`j[֒S ׵RIjQޭҶ=NT?<{3je[F#~<ؐ7]:s!!( Z"k>_݀-N/ȤTgDROlTq!F1&} Ԍb,4}n@Aj'm7dĈ;Wȶ c5'3)ϷQ[g' z54%F ;m6#l)зN=A2Myܣ4,OX)*U:l.d%u 3ĥ_gvw^kcHN>ɳExוN)i5^~S>4“/EE 9 ꠲&X#O1aQ*4Si<k:a0T5|yFu.`n Y Ys'%UUm=NVflVk&a~ d ^#~ܟ5!3zK1.m7Ho@D$W"xK -Zۘ-7y^nx᫥ AczՔԽ.ML>yj\ Շz~7IkzNŨq OZ4e$X|7sXd4UpF:*k*M7U>9|y5{c gK@XN?) cGCED t796XUmFx3`;72VuE4*mD&:w9OtQ^'Znt07cr5B(`$ߎ#!'%7p]C[B 65&g;(D784Pn G!Nްuvt36s`mW "Kr8j#T6nkB wL46(S*sq_o"ȸb|OUlGePbN{:r=&L +m-/Z l~KB>L\'V\١BD%Xa^2!,4|` 4aWR^|8mkLeW >دlL4aDMA%Ys TN;F 846= {%ro} D#.ZMrp*s~M zZ`J&:(cLkHDl^XZTR/%#C^kv?9QU]mٌn| %u.v|39*3.K 6r gupPNm?D^Be 2Ұ#j;q^)}zܱd2 hFʈ7!el+(YAaAo40! (t%TE)Y`(c< C}x;rpAGh?z{qu؎"}q#$Cیnb9C'CD_eziꕟQdF$/^!+XzҚN]̀=t ~:ᔯm*D ʖPK<0ݢii>ȪLbJ jQ4-41ظ_x| o9өIi-Ne|9 O&vL n 5i'J4ƶ'}8,D.ȽCz'#ു4P(}U3Pksu"i**P祣mCc?qIcfIE # YZ