wpa_supplicant-gui-2.10-150600.7.3.1

Name: wpa_supplicant-gui
Version: 2.10
Release: 150600.7.3.1
Summary: WPA supplicant graphical front-end
Description: This package contains a graphical front-end to wpa_supplicant, an implementation of the WPA Supplicant component.
Build host: h02-armsrv1
Distribution: SUSE Linux Enterprise 15
Vendor: SUSE LLC
License: BSD-3-Clause AND GPL-2.0-or-later
Packager: https://www.suse.com/
Group: Unspecified
URL: https://w1.fi/wpa_supplicant
OS: linux
Arch: aarch64
Source RPM: wpa_supplicant-2.10-150600.7.3.1.src.rpm
RPM version: 4.14.3

Provides:
  wpa_supplicant-gui
  wpa_supplicant-gui(aarch-64)

Requires:
  ld-linux-aarch64.so.1()(64bit)
  ld-linux-aarch64.so.1(GLIBC_2.17)(64bit)
  libQt5Core.so.5()(64bit)
  libQt5Core.so.5(Qt_5)(64bit)
  libQt5Gui.so.5()(64bit)
  libQt5Gui.so.5(Qt_5)(64bit)
  libQt5Widgets.so.5()(64bit)
  libQt5Widgets.so.5(Qt_5)(64bit)
  libc.so.6()(64bit)
  libc.so.6(GLIBC_2.17)(64bit)
  libc.so.6(GLIBC_2.34)(64bit)
  libc.so.6(GLIBC_2.38)(64bit)
  libgcc_s.so.1()(64bit)
  libgcc_s.so.1(GCC_3.0)(64bit)
  libstdc++.so.6()(64bit)
  libstdc++.so.6(CXXABI_1.3)(64bit)
  libstdc++.so.6(CXXABI_1.3.9)(64bit)
  libstdc++.so.6(GLIBCXX_3.4)(64bit)
  rpmlib(CompressedFileNames) 3.0.4-1
  rpmlib(FileDigests) 4.6.0-1
  rpmlib(PayloadFilesHavePrefix) 4.0-1
  rpmlib(PayloadIsXz) 5.2-1
  wpa_supplicant

Changelog authors: cfamullaconrad@suse.com, sp1ritCS@protonmail.com, songchuan.kang@suse.com, bwiedemann@suse.com, ilya@ilya.pp.ua, tchvatal@suse.com, kbabioch@suse.com, ro@suse.de, meissner@suse.com, obs@botter.cc, dwaas@suse.com, lnussel@suse.de, crrodriguez@opensuse.org, michael@stroeder.com, zaitor@opensuse.org, stefan.bruens@rwth-aachen.de

Changelog:

- Add CVE-2023-52160.patch - Bypassing WiFi Authentication (bsc#1219975)
- Change ctrl_interface from /var/run to %_rundir (/run)

- update to 2.10.0: jsc#PED-2904
  * SAE changes
    - improved protection against side channel attacks [https://w1.fi/security/2022-1/]
    - added support for the hash-to-element mechanism (sae_pwe=1 or sae_pwe=2); this is currently disabled by default, but will likely get enabled by default in the future
    - fixed PMKSA caching with OKC
    - added support for SAE-PK
  * EAP-pwd changes
    - improved protection against side channel attacks [https://w1.fi/security/2022-1/]
  * fixed P2P provision discovery processing of a specially constructed invalid frame [https://w1.fi/security/2021-1/]
  * fixed P2P group information processing of a specially constructed invalid frame [https://w1.fi/security/2020-2/]
  * fixed PMF disconnection protection bypass in AP mode [https://w1.fi/security/2019-7/]
  * added support for using OpenSSL 3.0
  * increased the maximum number of EAP message exchanges (mainly to support cases with very large certificates)
  * fixed various issues in experimental support for EAP-TEAP peer
  * added support for DPP release 2 (Wi-Fi Device Provisioning Protocol)
  * a number of MKA/MACsec fixes and extensions
  * added support for SAE (WPA3-Personal) AP mode configuration
  * added P2P support for EDMG (IEEE 802.11ay) channels
  * fixed EAP-FAST peer with TLS GCM/CCM ciphers
  * improved throughput estimation and BSS selection
  * dropped support for libnl 1.1
  * added support for nl80211 control port for EAPOL frame TX/RX
  * fixed OWE key derivation with groups 20 and 21; this breaks
    backwards compatibility for these groups while the default group 19 remains backwards compatible
  * added support for Beacon protection
  * added support for Extended Key ID for pairwise keys
  * removed WEP support from the default build (CONFIG_WEP=y can be used to enable it, if really needed)
  * added a build option to remove TKIP support (CONFIG_NO_TKIP=y)
  * added support for Transition Disable mechanism to allow the AP to automatically disable transition mode to improve security
  * extended D-Bus interface
  * added support for PASN
  * added a file-based backend for external password storage to allow secret information to be moved away from the main configuration file without requiring external tools
  * added EAP-TLS peer support for TLS 1.3 (disabled by default for now)
  * added support for SCS, MSCS, DSCP policy
  * changed driver interface selection to default to automatic fallback to other compiled in options
  * a large number of other fixes, cleanup, and extensions
- drop wpa_supplicant-p2p_iname_size.diff, CVE-2021-30004.patch, CVE-2021-27803.patch, CVE-2021-0326.patch, CVE-2019-16275.patch, CVE-2022-23303_0001.patch, CVE-2022-23303_0002.patch, CVE-2022-23303_0003.patch, CVE-2022-23303_0004.patch: upstream
- drop restore-old-dbus-interface.patch, wicked has been switching to the new dbus interface in version 0.6.66
- config:
  * re-enable CONFIG_WEP
  * enable QCA vendor extensions to nl80211
  * enable support for Automatic Channel Selection
  * enable OCV, security feature that prevents MITM multi-channel attacks
  * enable QCA vendor extensions to nl80211
  * enable EAP-EKE
  * Support HT overrides
  * TLS v1.1 and TLS v1.2
  * Fast Session Transfer (FST)
  * Automatic Channel Selection
  * Multi Band Operation
  * Fast Initial Link Setup
  * Mesh Networking (IEEE 802.11s)
- Add dbus-Fix-property-DebugShowKeys-and-DebugTimestamp.patch (bsc#1201219)
- Move the dbus-1 system.d file to /usr (bsc#1200342)
- Added hardening to systemd service(s) (bsc#1181400).
  Modified:
  * wpa_supplicant.service
- drop wpa_supplicant-getrandom.patch : glibc has been updated so the getrandom() wrapper is now there
- Sync wpa_supplicant.spec with Factory

- Enable WPA3-Enterprise (SuiteB-192) support.

- Add CVE-2022-23303_0001.patch, CVE-2022-23303_0002.patch, CVE-2022-23303_0003.patch, CVE-2022-23303_0004.patch SAE/EAP-pwd side-channel attack update 2 (CVE-2022-23303, CVE-2022-23304, bsc#1194732, bsc#1194733)

- Add CVE-2021-30004.patch -- forging attacks may occur because AlgorithmIdentifier parameters are mishandled in tls/pkcs1.c and tls/x509v3.c (bsc#1184348)

- Fix systemd device ready dependencies in wpa_supplicant@.service file. (see: https://forums.opensuse.org/showthread.php/547186-wpa_supplicant-service-fails-on-boot-succeeds-on-restart?p=2982844#post2982844)

- Add CVE-2021-27803.patch -- P2P provision discovery processing vulnerability (bsc#1182805)

- Add CVE-2021-0326.patch -- P2P group information processing vulnerability (bsc#1181777)

- Add wpa_supplicant-p2p_iname_size.diff -- Limit P2P_DEVICE name to appropriate ifname size (https://patchwork.ozlabs.org/project/hostap/patch/20200825062902.124600-1-benjamin@sipsolutions.net/)

- Fix spec file for SLE12, use make %{?_smp_mflags} instead of %make_build

- Enable SAE support (jsc#SLE-14992).

- Add CVE-2019-16275.patch -- AP mode PMF disconnection protection bypass (bsc#1150934)

- Add restore-old-dbus-interface.patch to fix wicked wlan (boo#1156920)
- Restore fi.epitest.hostap.WPASupplicant.service (bsc#1167331)

- With v2.9 fi.epitest.hostap.WPASupplicant.service is obsolete (bsc#1167331)

- Change wpa_supplicant.service to ensure wpa_supplicant gets started before network. Fix WLAN config on boot with wicked.
  (boo#1166933)

- Adjust the service to start after network.target wrt bsc#1165266

- Update to 2.9 release:
  * SAE changes
    - disable use of groups using Brainpool curves
    - improved protection against side channel attacks [https://w1.fi/security/2019-6/]
  * EAP-pwd changes
    - disable use of groups using Brainpool curves
    - allow the set of groups to be configured (eap_pwd_groups)
    - improved protection against side channel attacks [https://w1.fi/security/2019-6/]
  * fixed FT-EAP initial mobility domain association using PMKSA caching (disabled by default for backwards compatibility; can be enabled with ft_eap_pmksa_caching=1)
  * fixed a regression in OpenSSL 1.1+ engine loading
  * added validation of RSNE in (Re)Association Response frames
  * fixed DPP bootstrapping URI parser of channel list
  * extended EAP-SIM/AKA fast re-authentication to allow use with FILS
  * extended ca_cert_blob to support PEM format
  * improved robustness of P2P Action frame scheduling
  * added support for EAP-SIM/AKA using anonymous@realm identity
  * fixed Hotspot 2.0 credential selection based on roaming consortium to ignore credentials without a specific EAP method
  * added experimental support for EAP-TEAP peer (RFC 7170)
  * added experimental support for EAP-TLS peer with TLS v1.3
  * fixed a regression in WMM parameter configuration for a TDLS peer
  * fixed a regression in operation with drivers that offload 802.1X 4-way handshake
  * fixed an ECDH operation corner case with OpenSSL
  * SAE changes
    - added support for SAE Password Identifier
    - changed default configuration to enable only groups 19, 20, 21 (i.e., disable groups 25 and 26) and disable all unsuitable groups completely based on REVmd changes
    - do not regenerate PWE unnecessarily when the AP uses the anti-clogging token mechanisms
    - fixed some association cases where both SAE and FT-SAE were enabled on both the station and the selected AP
    - started to prefer FT-SAE over SAE AKM if both are enabled
    - started to prefer FT-SAE over FT-PSK if both are
      enabled
    - fixed FT-SAE when SAE PMKSA caching is used
    - reject use of unsuitable groups based on new implementation guidance in REVmd (allow only FFC groups with prime >= 3072 bits and ECC groups with prime >= 256)
    - minimize timing and memory use differences in PWE derivation [https://w1.fi/security/2019-1/] (CVE-2019-9494, bsc#1131868)
  * EAP-pwd changes
    - minimize timing and memory use differences in PWE derivation [https://w1.fi/security/2019-2/] (CVE-2019-9495, bsc#1131870)
    - verify server scalar/element [https://w1.fi/security/2019-4/] (CVE-2019-9497, CVE-2019-9498, CVE-2019-9499, bsc#1131874, bsc#1131872, bsc#1131871, bsc#1131644)
    - fix message reassembly issue with unexpected fragment [https://w1.fi/security/2019-5/] (CVE-2019-11555, bsc#1133640)
    - enforce rand,mask generation rules more strictly
    - fix a memory leak in PWE derivation
    - disallow ECC groups with a prime under 256 bits (groups 25, 26, and 27)
    - SAE/EAP-pwd side-channel attack update [https://w1.fi/security/2019-6/] (CVE-2019-13377, bsc#1144443)
  * fixed CONFIG_IEEE80211R=y (FT) build without CONFIG_FILS=y
  * Hotspot 2.0 changes
    - do not indicate release number that is higher than the one AP supports
    - added support for release number 3
    - enable PMF automatically for network profiles created from credentials
  * fixed OWE network profile saving
  * fixed DPP network profile saving
  * added support for RSN operating channel validation (CONFIG_OCV=y and network profile parameter ocv=1)
  * added Multi-AP backhaul STA support
  * fixed build with LibreSSL
  * number of MKA/MACsec fixes and extensions
  * extended domain_match and domain_suffix_match to allow list of values
  * fixed dNSName matching in domain_match and domain_suffix_match when using wolfSSL
  * started to prefer FT-EAP-SHA384 over WPA-EAP-SUITE-B-192 AKM if both are enabled
  * extended nl80211 Connect and external authentication to support SAE, FT-SAE, FT-EAP-SHA384
  * fixed KEK2 derivation for FILS+FT
  * extended client_cert file to allow loading of a
    chain of PEM encoded certificates
  * extended beacon reporting functionality
  * extended D-Bus interface with number of new properties
  * fixed a regression in FT-over-DS with mac80211-based drivers
  * OpenSSL: allow systemwide policies to be overridden
  * extended driver flags indication for separate 802.1X and PSK 4-way handshake offload capability
  * added support for random P2P Device/Interface Address use
  * extended PEAP to derive EMSK to enable use with ERP/FILS
  * extended WPS to allow SAE configuration to be added automatically for PSK (wps_cred_add_sae=1)
  * removed support for the old D-Bus interface (CONFIG_CTRL_IFACE_DBUS)
  * extended domain_match and domain_suffix_match to allow list of values
  * added a RSN workaround for misbehaving PMF APs that advertise IGTK/BIP KeyID using incorrect byte order
  * fixed PTK rekeying with FILS and FT
  * fixed WPA packet number reuse with replayed messages and key reinstallation [https://w1.fi/security/2017-1/] (CVE-2017-13077, CVE-2017-13078, CVE-2017-13079, CVE-2017-13080, CVE-2017-13081, CVE-2017-13082, CVE-2017-13086, CVE-2017-13087, CVE-2017-13088)
  * fixed unauthenticated EAPOL-Key decryption in wpa_supplicant [https://w1.fi/security/2018-1/] (CVE-2018-14526)
  * added support for FILS (IEEE 802.11ai) shared key authentication
  * added support for OWE (Opportunistic Wireless Encryption, RFC 8110; and transition mode defined by WFA)
  * added support for DPP (Wi-Fi Device Provisioning Protocol)
  * added support for RSA 3k key case with Suite B 192-bit level
  * fixed Suite B PMKSA caching not to update PMKID during each 4-way handshake
  * fixed EAP-pwd pre-processing with PasswordHashHash
  * added EAP-pwd client support for salted passwords
  * fixed a regression in TDLS prohibited bit validation
  * started to use estimated throughput to avoid undesired signal strength based roaming decision
  * MACsec/MKA:
    - new macsec_linux driver interface support for the Linux kernel macsec module
    - number of fixes and extensions
  * added support for
    external persistent storage of PMKSA cache (PMKSA_GET/PMKSA_ADD control interface commands; and MESH_PMKSA_GET/MESH_PMKSA_SET for the mesh case)
  * fixed mesh channel configuration pri/sec switch case
  * added support for beacon report
  * large number of other fixes, cleanup, and extensions
  * added support for randomizing local address for GAS queries (gas_rand_mac_addr parameter)
  * fixed EAP-SIM/AKA/AKA' ext auth cases within TLS tunnel
  * added option for using random WPS UUID (auto_uuid=1)
  * added SHA256-hash support for OCSP certificate matching
  * fixed EAP-AKA' to add AT_KDF into Synchronization-Failure
  * fixed a regression in RSN pre-authentication candidate selection
  * added option to configure allowed group management cipher suites (group_mgmt network profile parameter)
  * removed all PeerKey functionality
  * fixed nl80211 AP and mesh mode configuration regression with Linux 4.15 and newer
  * added ap_isolate configuration option for AP mode
  * added support for nl80211 to offload 4-way handshake into the driver
  * added support for using wolfSSL cryptographic library
  * SAE
    - added support for configuring SAE password separately of the WPA2 PSK/passphrase
    - fixed PTK and EAPOL-Key integrity and key-wrap algorithm selection for SAE; note: this is not backwards compatible, i.e., both the AP and station side implementations will need to be updated at the same time to maintain interoperability
    - added support for Password Identifier
    - fixed FT-SAE PMKID matching
  * Hotspot 2.0
    - added support for fetching of Operator Icon Metadata ANQP-element
    - added support for Roaming Consortium Selection element
    - added support for Terms and Conditions
    - added support for OSEN connection in a shared RSN BSS
    - added support for fetching Venue URL information
  * added support for using OpenSSL 1.1.1
  * FT
    - disabled PMKSA caching with FT since it is not fully functional
    - added support for SHA384 based AKM
    - added support for BIP ciphers BIP-CMAC-256, BIP-GMAC-128, BIP-GMAC-256 in
      addition to previously supported BIP-CMAC-128
    - fixed additional IE inclusion in Reassociation Request frame when using FT protocol
- Drop merged patches:
  * rebased-v2.6-0001-hostapd-Avoid-key-reinstallation-in-FT-handshake.patch
  * rebased-v2.6-0002-Prevent-reinstallation-of-an-already-in-use-group-ke.patch
  * rebased-v2.6-0003-Extend-protection-of-GTK-IGTK-reinstallation-of-WNM-.patch
  * rebased-v2.6-0004-Prevent-installation-of-an-all-zero-TK.patch
  * rebased-v2.6-0005-Fix-PTK-rekeying-to-generate-a-new-ANonce.patch
  * rebased-v2.6-0006-TDLS-Reject-TPK-TK-reconfiguration.patch
  * rebased-v2.6-0007-WNM-Ignore-WNM-Sleep-Mode-Response-without-pending-r.patch
  * rebased-v2.6-0008-FT-Do-not-allow-multiple-Reassociation-Response-fram.patch
  * rebased-v2.6-0009-WPA-Ignore-unauthenticated-encrypted-EAPOL-Key-data.patch
  * wpa_supplicant-bnc-1099835-fix-private-key-password.patch
  * wpa_supplicant-bnc-1099835-clear-default_passwd_cb.patch
  * wpa_supplicant-log-file-permission.patch
  * wpa_supplicant-log-file-cloexec.patch
  * wpa_supplicant-git-fa67debf4c6ddbc881a212b175faa6d5d0d90c8c.patch
  * wpa_supplicant-git-f5b74b966c942feb95a8ddbb7d130540b15b796d.patch
- Rebase patches:
  * wpa_supplicant-getrandom.patch

- Refresh spec-file via spec-cleaner and manual optimizations.
  * Change URL and Source0 to actual project homepage.
  * Remove macro %{?systemd_requires} and rm (not needed).
  * Add %autopatch macro.
  * Add %make_build macro.
- Changed patch wpa_supplicant-flush-debug-output.patch (to -p1).
- Changed service-files for start after network (systemd-networkd).

- Refresh spec-file: add %license tag.

- Renamed patches:
  - wpa-supplicant-log-file-permission.patch -> wpa_supplicant-log-file-permission.patch
  - wpa-supplicant-log-file-cloexec.patch -> wpa_supplicant-log-file-cloexec.patch
- wpa_supplicant-log-file-permission.patch: Using O_WRONLY flag
- Enabled timestamps in log files (bsc#1080798)

- compile eapol_test binary to allow testing via radius proxy and server (note: this does not match CONFIG_EAPOL_TEST which sets -Werror and activates an assert call inside the code of wpa_supplicant) (bsc#1111873), (fate#326725)
- add patch to fix wrong operator precedence in ieee802_11.c wpa_supplicant-git-fa67debf4c6ddbc881a212b175faa6d5d0d90c8c.patch
- add patch to avoid redefinition of __bitwise macro wpa_supplicant-git-f5b74b966c942feb95a8ddbb7d130540b15b796d.patch

- Added wpa-supplicant-log-file-permission.patch: Fixes the default file permissions of the debug log file to more sane values, i.e. it is no longer world-readable (bsc#1098854).
- Added wpa-supplicant-log-file-cloexec.patch: Open the debug log file with O_CLOEXEC, which will prevent file descriptor leaking to child processes (bsc#1098854).

- Added rebased-v2.6-0009-WPA-Ignore-unauthenticated-encrypted-EAPOL-Key-data.patch: Ignore unauthenticated encrypted EAPOL-Key data (CVE-2018-14526, bsc#1104205).

- Enabled PWD as EAP method.
  This allows for password-based authentication, which is easier to set up than most of the other methods, and is used by the Eduroam network (bsc#1109209).

- add two patches from upstream to fix reading private key passwords from the configuration file (bsc#1099835)
  - add patch for git 89971d8b1e328a2f79699c953625d1671fd40384 wpa_supplicant-bnc-1099835-clear-default_passwd_cb.patch
  - add patch for git f665c93e1d28fbab3d9127a8c3985cc32940824f wpa_supplicant-bnc-1099835-fix-private-key-password.patch

- Fix KRACK attacks (bsc#1056061, CVE-2017-13078, CVE-2017-13079, CVE-2017-13080, CVE-2017-13081, CVE-2017-13087, CVE-2017-13088):
  - rebased-v2.6-0001-hostapd-Avoid-key-reinstallation-in-FT-handshake.patch
  - rebased-v2.6-0002-Prevent-reinstallation-of-an-already-in-use-group-ke.patch
  - rebased-v2.6-0003-Extend-protection-of-GTK-IGTK-reinstallation-of-WNM-.patch
  - rebased-v2.6-0004-Prevent-installation-of-an-all-zero-TK.patch
  - rebased-v2.6-0005-Fix-PTK-rekeying-to-generate-a-new-ANonce.patch
  - rebased-v2.6-0006-TDLS-Reject-TPK-TK-reconfiguration.patch
  - rebased-v2.6-0007-WNM-Ignore-WNM-Sleep-Mode-Response-without-pending-r.patch
  - rebased-v2.6-0008-FT-Do-not-allow-multiple-Reassociation-Response-fram.patch

- fix wpa_supplicant-sigusr1-changes-debuglevel.patch to match eloop_signal_handler type (needed to build eapol_test via config)

- Added .service files that accept interfaces as %i arguments so it's possible to call the daemon with: "systemctl start wpa_supplicant@$INTERFACE_NAME.service" (like openvpn for example)

- updated to 2.6 / 2016-10-02
  * fixed WNM Sleep Mode processing when PMF is not enabled [http://w1.fi/security/2015-6/] (CVE-2015-5310 bsc#952254)
  * fixed EAP-pwd last fragment validation [http://w1.fi/security/2015-7/] (CVE-2015-5315 bsc#953115)
  * fixed EAP-pwd unexpected Confirm message processing [http://w1.fi/security/2015-8/] (CVE-2015-5316 bsc#953115)
  * fixed WPS configuration update vulnerability with malformed passphrase [http://w1.fi/security/2016-1/]
    (CVE-2016-4476 bsc#978172)
  * fixed configuration update vulnerability with malformed parameters set over the local control interface [http://w1.fi/security/2016-1/] (CVE-2016-4477 bsc#978175)
  * fixed TK configuration to the driver in EAPOL-Key 3/4 retry case
  * extended channel switch support for P2P GO
  * started to throttle control interface event message bursts to avoid issues with monitor sockets running out of buffer space
  * mesh mode fixes/improvements
    - generate proper AID for peer
    - enable WMM by default
    - add VHT support
    - fix PMKID derivation
    - improve robustness on various exchanges
    - fix peer link counting in reconnect case
    - improve mesh joining behavior
    - allow DTIM period to be configured
    - allow HT to be disabled (disable_ht=1)
    - add MESH_PEER_ADD and MESH_PEER_REMOVE commands
    - add support for PMKSA caching
    - add minimal support for SAE group negotiation
    - allow pairwise/group cipher to be configured in the network profile
    - use ieee80211w profile parameter to enable/disable PMF and derive a separate TX IGTK if PMF is enabled instead of using MGTK incorrectly
    - fix AEK and MTK derivation
    - remove GTKdata and IGTKdata from Mesh Peering Confirm/Close
    - note: these changes are not fully backwards compatible for secure (RSN) mesh network
  * fixed PMKID derivation with SAE
  * added support for requesting and fetching arbitrary ANQP-elements without internal support in wpa_supplicant for the specific element (anqp[265]= in "BSS " command output)
  * P2P
    - filter control characters in group client device names to be consistent with other P2P peer cases
    - support VHT 80+80 MHz and 160 MHz
    - indicate group completion in P2P Client role after data association instead of already after the WPS provisioning step
    - improve group-join operation to use SSID, if known, to filter BSS entries
    - added optional ssid= argument to P2P_CONNECT for join case
    - added P2P_GROUP_MEMBER command to fetch client interface address
  * P2PS
    - fix follow-on PD Response behavior
    - fix PD
      Response generation for unknown peer
    - fix persistent group reporting
    - add channel policy to PD Request
    - add group SSID to the P2PS-PROV-DONE event
    - allow "P2P_CONNECT p2ps" to be used without specifying the default PIN
  * BoringSSL
    - support for OCSP stapling
    - support building of h20-osu-client
  * D-Bus
    - add ExpectDisconnect()
    - add global config parameters as properties
    - add SaveConfig()
    - add VendorElemAdd(), VendorElemGet(), VendorElemRem()
  * fixed Suite B 192-bit AKM to use proper PMK length (note: this makes old releases incompatible with the fixed behavior)
  * improved PMF behavior for cases where the AP and STA have different configuration by not trying to connect in some corner cases where the connection cannot succeed
  * added option to reopen debug log (e.g., to rotate the file) upon receipt of SIGHUP signal
  * EAP-pwd: added support for Brainpool Elliptic Curves (with OpenSSL 1.0.2 and newer)
  * fixed EAPOL reauthentication after FT protocol run
  * fixed FTIE generation for 4-way handshake after FT protocol run
  * extended INTERFACE_ADD command to allow certain type (sta/ap) interface to be created
  * fixed and improved various FST operations
  * added 80+80 MHz and 160 MHz VHT support for IBSS/mesh
  * fixed SIGNAL_POLL in IBSS and mesh cases
  * added an option to abort an ongoing scan (used to speed up connection and can also be done with the new ABORT_SCAN command)
  * TLS client
    - do not verify CA certificates when ca_cert is not specified
    - support validating server certificate hash
    - support SHA384 and SHA512 hashes
    - add signature_algorithms extension into ClientHello
    - support TLS v1.2 signature algorithm with SHA384 and SHA512
    - support server certificate probing
    - allow specific TLS versions to be disabled with phase2 parameter
    - support extKeyUsage
    - support PKCS #5 v2.0 PBES2
    - support PKCS #5 with PKCS #12 style key decryption
    - minimal support for PKCS #12
    - support OCSP stapling (including ocsp_multi)
  * OpenSSL
    - support OpenSSL 1.1 API changes
    - drop support for OpenSSL 0.9.8
    - drop support for OpenSSL 1.0.0
  * added support for multiple schedule scan plans (sched_scan_plans)
  * added support for external server certificate chain validation (tls_ext_cert_check=1 in the network profile phase1 parameter)
  * made phase2 parser more strict about correct use of auth= and autheap= values
  * improved GAS offchannel operations with comeback request
  * added SIGNAL_MONITOR command to request signal strength monitoring events
  * added command for retrieving HS 2.0 icons with in-memory storage (REQ_HS20_ICON, GET_HS20_ICON, DEL_HS20_ICON commands and RX-HS20-ICON event)
  * enabled ACS support for AP mode operations with wpa_supplicant
  * EAP-PEAP: fixed interoperability issue with Windows 2012r2 server ("Invalid Compound_MAC in cryptobinding TLV")
  * EAP-TTLS: fixed success after fragmented final Phase 2 message
  * VHT: added interoperability workaround for 80+80 and 160 MHz channels
  * WNM: workaround for broken AP operating class behavior
  * added kqueue(2) support for eloop (CONFIG_ELOOP_KQUEUE)
  * nl80211:
    - add support for full station state operations
    - do not add NL80211_ATTR_SMPS_MODE attribute if HT is disabled
    - add NL80211_ATTR_PREV_BSSID with Connect command
    - fix IEEE 802.1X/WEP EAP reauthentication and rekeying to use unencrypted EAPOL frames
  * added initial MBO support; number of extensions to WNM BSS Transition Management
  * added support for PBSS/PCP and P2P on 60 GHz
  * Interworking: add credential realm to EAP-TLS identity
  * fixed EAPOL-Key Request Secure bit to be 1 if PTK is set
  * HS 2.0: add support for configuring frame filters
  * added POLL_STA command to check connectivity in AP mode
  * added initial functionality for location related operations
  * started to ignore pmf=1/2 parameter for non-RSN networks
  * added wps_disabled=1 network profile parameter to allow AP mode to be started without enabling WPS
  * wpa_cli: added action script support for AP-ENABLED and AP-DISABLED events
  * improved Public Action frame
    addressing
    - add gas_address3 configuration parameter to control Address 3 behavior
  * number of small fixes
- wpa_supplicant-dump-certificate-as-PEM-in-debug-mode.diff: dump x509 certificates from remote radius server in debug mode in WPA-EAP.

- Remove support for <12.3 as we are unresolvable there anyway
- Use qt5 on 13.2 if someone pulls this package in
- Convert to pkgconfig dependencies over the devel pkgs
- Use the %qmake5 macro to build the qt5 gui

- add After=dbus.service to prevent too early shutdown (bnc#963652)

- Revert CONFIG_ELOOP_EPOLL=y, it is broken in combination with CONFIG_DBUS=yes.

- spec: Compile the GUI against QT5 in 13.2 and later.

- Previous update did not include version 2.5 tarball or changed the version number in spec, only the changelog and removed patches.
- config: set CONFIG_NO_RANDOM_POOL=y, we have a reliable random number generator by using /dev/urandom, no need to keep an internal random number pool which draws entropy from /dev/random.
- config: prefer using epoll(7) instead of select(2) by setting CONFIG_ELOOP_EPOLL=y
- wpa_supplicant-getrandom.patch: Prefer to use the getrandom(2) system call to collect entropy.
  if it is not present disable buffering when reading /dev/urandom, otherwise each os_get_random() call will request BUFSIZ of entropy instead of the few needed bytes.

- add aliases for both provided dbus names to avoid systemd stopping the service when switching runlevels (boo#966535)

- removed obsolete security patches:
  * 0001-P2P-Validate-SSID-element-length-before-copying-it-C.patch
  * 0001-WPS-Fix-HTTP-chunked-transfer-encoding-parser.patch
  * 0001-AP-WMM-Fix-integer-underflow-in-WMM-Action-frame-par.patch
  * 0001-EAP-pwd-peer-Fix-payload-length-validation-for-Commi.patch
  * wpa_s-D-Bus-Fix-operations-when-P2P-management-interface-is-used.patch
  * 0002-EAP-pwd-server-Fix-payload-length-validation-for-Com.patch
  * 0003-EAP-pwd-peer-Fix-Total-Length-parsing-for-fragment-r.patch
  * 0004-EAP-pwd-server-Fix-Total-Length-parsing-for-fragment.patch
  * 0005-EAP-pwd-peer-Fix-asymmetric-fragmentation-behavior.patch
- Update to upstream release 2.5
  * fixed P2P validation of SSID element length before copying it [http://w1.fi/security/2015-1/] (CVE-2015-1863)
  * fixed WPS UPnP vulnerability with HTTP chunked transfer encoding [http://w1.fi/security/2015-2/] (CVE-2015-4141)
  * fixed WMM Action frame parser (AP mode) [http://w1.fi/security/2015-3/] (CVE-2015-4142)
  * fixed EAP-pwd peer missing payload length validation [http://w1.fi/security/2015-4/] (CVE-2015-4143, CVE-2015-4144, CVE-2015-4145, CVE-2015-4146)
  * fixed validation of WPS and P2P NFC NDEF record payload length [http://w1.fi/security/2015-5/] (CVE-2015-8041)
  * nl80211:
    - added VHT configuration for IBSS
    - fixed vendor command handling to check OUI properly
    - allow driver-based roaming to change ESS
  * added AVG_BEACON_RSSI to SIGNAL_POLL output
  * wpa_cli: added tab completion for number of commands
  * removed unmaintained and not yet completed SChannel/CryptoAPI support
  * modified Extended Capabilities element use in Probe Request frames to include all cases if any of the values are non-zero
  * added support for dynamically
    creating/removing a virtual interface with interface_add/interface_remove
  * added support for hashed password (NtHash) in EAP-pwd peer
  * added support for memory-only PSK/passphrase (mem_only_psk=1 and CTRL-REQ/RSP-PSK_PASSPHRASE)
  * P2P
    - optimize scan frequencies list when re-joining a persistent group
    - fixed number of sequences with nl80211 P2P Device interface
    - added operating class 125 for P2P use cases (this allows 5 GHz channels 161 and 169 to be used if they are enabled in the current regulatory domain)
    - number of fixes to P2PS functionality
    - do not allow 40 MHz co-ex PRI/SEC switch to force MCC
    - extended support for preferred channel listing
  * D-Bus:
    - fixed WPS property of fi.w1.wpa_supplicant1.BSS interface
    - fixed PresenceRequest to use group interface
    - added new signals: FindStopped, WPS pbc-overlap, GroupFormationFailure, WPS timeout, InvitationReceived
    - added new methods: WPS Cancel, P2P Cancel, Reconnect, RemoveClient
    - added manufacturer info
  * added EAP-EKE peer support for deriving Session-Id
  * added wps_priority configuration parameter to set the default priority for all network profiles added by WPS
  * added support to request a scan with specific SSIDs with the SCAN command (optional "ssid " arguments)
  * removed support for WEP40/WEP104 as a group cipher with WPA/WPA2
  * fixed SAE group selection in an error case
  * modified SAE routines to be more robust and PWE generation to be stronger against timing attacks
  * added support for Brainpool Elliptic Curves with SAE
  * added support for CCMP-256 and GCMP-256 as group ciphers with FT
  * fixed BSS selection based on estimated throughput
  * added option to disable TLSv1.0 with OpenSSL (phase1="tls_disable_tlsv1_0=1")
  * added Fast Session Transfer (FST) module
  * fixed OpenSSL PKCS#12 extra certificate handling
  * fixed key derivation for Suite B 192-bit AKM (this breaks compatibility with the earlier version)
  * added RSN IE to Mesh Peering Open/Confirm frames
  * number of small fixes

- added patch for
  bnc#930077 CVE-2015-4141 0001-AP-WMM-Fix-integer-underflow-in-WMM-Action-frame-par.patch
- added patch for bnc#930078 CVE-2015-4142 0001-WPS-Fix-HTTP-chunked-transfer-encoding-parser.patch
- added patches for bnc#930079 CVE-2015-4143
  0001-EAP-pwd-peer-Fix-payload-length-validation-for-Commi.patch
  0002-EAP-pwd-server-Fix-payload-length-validation-for-Com.patch
  0003-EAP-pwd-peer-Fix-Total-Length-parsing-for-fragment-r.patch
  0004-EAP-pwd-server-Fix-Total-Length-parsing-for-fragment.patch
  0005-EAP-pwd-peer-Fix-asymmetric-fragmentation-behavior.patch

- Add wpa_s-D-Bus-Fix-operations-when-P2P-management-interface-is-used.patch Fix Segmentation fault in wpa_supplicant. Patch taken from upstream master git (arch#44740).

- 0001-P2P-Validate-SSID-element-length-before-copying-it-C.patch Fix CVE-2015-1863, memcpy overflow.
- wpa_supplicant-alloc_size.patch: annotate two wrappers with attribute alloc_size, which may help warning us of bugs such as the above.

- Delete wpa_priv and eapol_test man pages, these are disabled in config
- Move wpa_gui man page to gui package

- Update to 2.4
  * allow OpenSSL cipher configuration to be set for internal EAP server (openssl_ciphers parameter)
  * fixed number of small issues based on hwsim test case failures and static analyzer reports
  * P2P:
    - add new=<0/1> flag to P2P-DEVICE-FOUND events
    - add passive channels in invitation response from P2P Client
    - enable nl80211 P2P_DEVICE support by default
    - fix regression in disallow_freq preventing search on social channels
    - fix regressions in P2P SD query processing
    - try to re-invite with social operating channel if no common channels in invitation
    - allow cross connection on parent interface (this fixes number of use cases with nl80211)
    - add support for P2P services (P2PS)
    - add p2p_go_ctwindow configuration parameter to allow GO CTWindow to be configured
  * increase postponing of EAPOL-Start by one second with AP/GO that supports WPS 2.0 (this makes it less likely to trigger extra roundtrip of
identity frames) * add support for PMKSA caching with SAE * add support for control mesh BSS (IEEE 802.11s) operations * fixed number of issues with D-Bus P2P commands * fixed regression in ap_scan=2 special case for WPS * fixed macsec_validate configuration * add a workaround for incorrectly behaving APs that try to use EAPOL-Key descriptor version 3 when the station supports PMF even if PMF is not enabled on the AP * allow TLS v1.1 and v1.2 to be negotiated by default; previous behavior of disabling these can be configured to work around issues with broken servers with phase1="tls_disable_tlsv1_1=1 tls_disable_tlsv1_2=1" * add support for Suite B (128-bit and 192-bit level) key management and cipher suites * add WMM-AC support (WMM_AC_ADDTS/WMM_AC_DELTS) * improved BSS Transition Management processing * add support for neighbor report * add support for link measurement * fixed expiration of BSS entry with all-zeros BSSID * add optional LAST_ID=x argument to LIST_NETWORK to allow all configured networks to be listed even with huge number of network profiles * add support for EAP Re-Authentication Protocol (ERP) * fixed EAP-IKEv2 fragmentation reassembly * improved PKCS#11 configuration for OpenSSL * set stdout to be line-buffered * add TDLS channel switch configuration * add support for MAC address randomization in scans with nl80211 * enable HT for IBSS if supported by the driver * add BSSID black and white lists (bssid_blacklist, bssid_whitelist) * add support for domain_suffix_match with GnuTLS * add OCSP stapling client support with GnuTLS * include peer certificate in EAP events even without a separate probe operation; old behavior can be restored with cert_in_cb=0 * add peer ceritficate alt subject name to EAP events (CTRL-EVENT-EAP-PEER-ALT) * add domain_match network profile parameter (similar to domain_suffix_match, but full match is required) * enable AP/GO mode HT Tx STBC automatically based on driver support * add ANQP-QUERY-DONE event to provide 
information on ANQP parsing status * allow passive scanning to be forced with passive_scan=1 * add a workaround for Linux packet socket behavior when interface is in bridge * increase 5 GHz band preference in BSS selection (estimate SNR, if info not available from driver; estimate maximum throughput based on common HT/VHT/specific TX rate support) * add INTERWORKING_ADD_NETWORK ctrl_iface command; this can be used to implement Interworking network selection behavior in upper layers software components * add optional reassoc_same_bss_optim=1 (disabled by default) optimization to avoid unnecessary Authentication frame exchange * extend TDLS frame padding workaround to cover all packets * allow wpa_supplicant to recover nl80211 functionality if the cfg80211 module gets removed and reloaded without restarting wpa_supplicant * allow hostapd DFS implementation to be used in wpa_supplicant AP mode- Update to 2.3 * fixed number of minor issues identified in static analyzer warnings * fixed wfd_dev_info to be more careful and not read beyond the buffer when parsing invalid information for P2P-DEVICE-FOUND * extended P2P and GAS query operations to support drivers that have maximum remain-on-channel time below 1000 ms (500 ms is the current minimum supported value) * added p2p_search_delay parameter to make the default p2p_find delay configurable * improved P2P operating channel selection for various multi-channel concurrency cases * fixed some TDLS failure cases to clean up driver state * fixed dynamic interface addition cases with nl80211 to avoid adding ifindex values to incorrect interface to skip foreign interface events properly * added TDLS workaround for some APs that may add extra data to the end of a short frame * fixed EAP-AKA' message parser with multiple AT_KDF attributes * added configuration option (p2p_passphrase_len) to allow longer passphrases to be generated for P2P groups * fixed IBSS channel configuration in some corner cases * improved HT/VHT/QoS 
parameter setup for TDLS * modified D-Bus interface for P2P peers/groups * started to use constant time comparison for various password and hash values to reduce possibility of any externally measurable timing differences * extended explicit clearing of freed memory and expired keys to avoid keeping private data in memory longer than necessary * added optional scan_id parameter to the SCAN command to allow manual scan requests for active scans for specific configured SSIDs * fixed CTRL-EVENT-REGDOM-CHANGE event init parameter value * added option to set Hotspot 2.0 Rel 2 update_identifier in network configuration to support external configuration * modified Android PNO functionality to send Probe Request frames only for hidden SSIDs (based on scan_ssid=1) * added generic mechanism for adding vendor elements into frames at runtime (VENDOR_ELEM_ADD, VENDOR_ELEM_GET, VENDOR_ELEM_REMOVE) * added fields to show unrecognized vendor elements in P2P_PEER * removed EAP-TTLS/MSCHAPv2 interoperability workaround so that MS-CHAP2-Success is required to be present regardless of eap_workaround configuration * modified EAP fast session resumption to allow results to be used only with the same network block that generated them * extended freq_list configuration to apply for sched_scan as well as normal scan * modified WPS to merge mixed-WPA/WPA2 credentials from a single session * fixed nl80211/RTM_DELLINK processing when a P2P GO interface is removed from a bridge * fixed number of small P2P issues to make negotiations more robust in corner cases * added experimental support for using temporary, random local MAC address (mac_addr and preassoc_mac_addr parameters); this is disabled by default (i.e., previous behavior of using permanent address is maintained if configuration is not changed) * added D-Bus interface for setting/clearing WFD IEs * fixed TDLS AID configuration for VHT * modified -m configuration file to be used only for the P2P non-netdev management device and do not 
load this for the default station interface or load the station interface configuration for the P2P management interface * fixed external MAC address changes while wpa_supplicant is running * started to enable HT (if supported by the driver) for IBSS * fixed wpa_cli action script execution to use more robust mechanism (CVE-2014-3686)h02-armsrv1 17267463352.10-150600.7.3.12.10-150600.7.3.1wpa_guiwpa_gui.8.gz/usr/sbin//usr/share/man/man8/-fmessage-length=0 -grecord-gcc-switches -O2 -Wall -D_FORTIFY_SOURCE=2 -fstack-protector-strong -funwind-tables -fasynchronous-unwind-tables -fstack-clash-protection -gobs://build.suse.de/SUSE:Maintenance:35766/SUSE_SLE-15-SP6_Update/1481ab215a0b1830ea80ceb6538f4766-wpa_supplicant.SUSE_SLE-15-SP6_Updatedrpmxz5aarch64-suse-linuxELF 64-bit LSB shared object, ARM aarch64, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux-aarch64.so.1, BuildID[sha1]=16b099ec7acbe82d8d20ab702f005903908fd91c, for GNU/Linux 3.7.0, strippedtroff or preprocessor input, ASCII text (gzip compressed data, max compression, from Unix)RR RR R R RRRRRRRRRR RRe rutf-81d05bd42a3d7022360e39a920c38f107273d85758274f55dd9cd0c88b6ebe5c6? 