freeradius-server-doc-3.2.4-150600.3.3.2<>,3f_p9|ndIF>~ c7IX>;d?Td + D`dpt  (( (  `( ( N( P(T(Zx(`@`p(eeDeTe(e8e29f2:jH2FG(H\(I(X$Y,\T(](^/b%cdZe_fbldux(vzPCfreeradius-server-doc3.2.4150600.3.3.2FreeRADIUS DocumentationFreeRADIUS documentation.f_h01-ch2dMSUSE Linux Enterprise 15SUSE LLC GPL-2.0-only AND LGPL-2.1-onlyhttps://www.suse.com/Documentation/HTMLhttp://www.freeradius.org/linuxx86_641 d   G$4)x -_^ 0)#$ L `t M CQSbB9   ; }DAU  o P; ZMA0a ?L+nDI }r W o2P $WQ*Jrs9 b2!>Ms ܯ;{i w]lxü<ǿJvqzV')P k<Xi*8]^uT3m|]{NƁt72F 6Cبh`ب\X.$7m\V n$1,2>211V "y "< u9s Q4g 'F[A큤A큤AAAA큤A큤A큤A큤AA큤A큤A큤A큤A큤A큤AA큤A큤A큤A큤A큤A큤A큤A큤A큤A큤A큤A큤A큤A큤A큤A큤A큤큤큤AAA큤A큤A큤A큤A큤큤A큤A큤A큤A큤f_ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff_hfffff_hff_hf_hffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff_fffffffffffff_ff53256ad4934387bca2d2ca52e01983f079553abe52fff7089162387006b266e86d80d5f6902c6fb69f92b58efb9a65b2e4949c9c89f02f4735f141f26cce1b1003a2fdc56217de0d35cf653f58002037132c9893da1e517a556273628b429da42235e3e6724a461bc24c3d49a03d70922062297abb491e9df7527d04ac3d6f5b1573fbeea86b48bc98e0af20f4c942ec0625276744a6f925addc66a713430858aee0e87b9a22a533fe4f8d7a225fe23a4e5613a8bc1954174475837a51d8b5f72ff131f314f08715ab3b79829ff26499cccc0b5a4380aecf56d94025f068f547d7fd3161163f54cb9363175ec74cc4140cfc917b362ee9d5f6826c9ae084b32648e54a68f906ac8548e93511ba3e1ea799b84b6c89408b14af8727bbe2ef8f7075a1fac7313ba19627edaee5c4e0606c4ad82c335c84dd45796aacefad3ef58bec0d8c606d8448364b975a9552fd21e53eefd7819d868f4d312f140c2cec0614c6906757834fc394b4d3967411245b08b1528c955687ede54f6621a27b16e5ae9796c4aca7454ad079350380d3194e9e055dbc1a119ac8ff9dab50bebc5bea9265cba2e37472856bb5717a7bcb0ee0eb54b7db6b0568e3b0c63e0a2088349e64dc0d6f4e3c43096304ef6a17a8a5e72a91e034d5bb2875d08f32a4e91649e4738db6442b45cef9f8bade6f0ad252f184294985cfd40dbca0472086c4c81257aac10b7b8ddd70eac9bf56a0ed519e99060e129385ae8793cf75baf5434d1953da86562753e4e4ef9bebe54d1746cd875f088e62742290afc42ce6226e4aeb3c9ce7da7dd03efcf9e0ebe5f00873b444c4dd76d786db13544b157884305b6848526bdf92a79cc64ae6c400b13457d460fc53847c2f069528352f3607e8f674bf32ae12b2e1b21e04b9ede357f4bccadf5acba63ac8610429c37c6ec72b791813ee68648fa9c1daea3db95de049273b1e2dba15b2951c1e1bd83388e94746f9160a241db99248cbcdfb06e797c4c28e8eeb8ec43ba5964e3743795ec298eef52cb5d3f3a5690350b07c7a2b14cdd503da25da3c97b276d03d2e3775858db93a27e3e88da4b605b8c02ecf5ef092c99c93bb413168eed452bb31cc3ccdaa1fcfc96ad0646b1d16a6035e09a87b15421bc019891177c75d619fac8a28cbeba5d5655f0d0589c91e7882cc45cf13de48ca2bf8e05b8af04b472d0b366b9ea907cc3a6ee89f36c618556293dd74c0e7548b725cf57142de8d10b0aea626401f2a01f140cb8efffe7e453edf2ea4b42d675f3a9e66857b838f1943791e347c19cb62545e1cbf26b941652cb795473a309f9bfaf7ce9d1dca697b338496474486d8188529a96bb4039f3acb5bcede7fbdc3756aaef2ca32836d5bce15648973cd20cba60ee63ddf723c6af4d93e6844614330ebe4964ec70cd7e2e4da504d7795ac4d9bc4463e1cc02b39b98bbce3bc389c07aea69a87c5584c3bb689b64ef4a5337e3f2c0b02d7c5f7d04bdb7ded026a84ecb81cb80cc60f4e8e1d2006c74fd805743906e114e71de738d748de9419f21683c4f5f2021e6c6128ee9c25645b9d198f52b6f16514981317949746ee9d44b26ac7a847d23e4f156438da00f302ad31cd09e923f1a9ac7fcda90b1c4cfbe102ee528ba7436b336242f09c025e281d2041822958f07d72beb6841d0f8a27ad3d9e6eb24cb740a0582d02acbacbf1bd34b91494ccb01f0ff789b6bc62f5eeec9d8d2d0591ff25aeb3d546c0a82af0df4a74613c6551a0ac80f1ce1832ef8667b7ec731048b4b0c803413c1fe9e95f8d2f97015a7f1752916708c87982c687c1173a669649aebdf3471bd6160c8b37d2570d0dad5c7f653e4aebfc5610b835faff03fc1e165ebea4b43b76d2e406cb77aa4482730c62128211d930874a37a861abf9e103aba1955ed8dde962a736094fd48d68e4e1baa1281682773eeb0a805522cb68650625964d5c2a108bbeb89dba50aa94c703b319c38000ac71989251e657c40867a576c639f4a2f891791c4f556907c57b96e045b356a16039f46ca2ee628c761a6b9a9e90cdc7aaee23bb907c27daa403d56e477fa8213d40df7b78ea0be4144d89424d18c9944570b3909fde184efad1687ccb6a0347b27ebe00afe7713711d8a68286dc1760e79dde15f4b350f6c5b2c657b05476a98c06d37b470587ef4ab978680f8d9e8e2a4c401d5701a4d674230c118cc5ee17b99286744c607b85d1819632083db1d323f144e0c336c74f6c3af64c2f7d5f8c967fa31909ce5f7988d3a4d885305be22d6336bf84535b1d52d30adf3094f2403d75b413f340b921f4da9871c014b4efef8dd9c1a0a77845dd108d06e803ab74b619b8e0bf5ac0b393871e97cd883df04b53ca343a0ca1d692d50ad18593b0912504741d95b36a066ae739c1c538b7ded09304b6185c7860624c948576663141a82412482cac84cada2e75afe90e6b1c691c7f2e9215f4ff329902bec3e076c4f2c8d807fe12a51c7f94c19d9e10f8ce5c2976d62d496bffcf4419e0d44f52542286a158ee34457ded575427f4c9bb856ba86626bd0328f73ba7b4d92188aa29743f15990b0f2a7dd52420b44e7a34b59018a6b2b17ea4a025f8d3fd73960e6eaa91897d6445a5573ec40aa745b2681becd93c1c6db9f1684234625bc438a61d7f6989c3a4e6047f25a9d71256430d5d2d7f6a117f6f4eae0c67093e97f4d178070ac49cc033f5186aa4912fc6adb4993c1b4717f4cf2becd7480cb3739aa3a8df49ccb39cd3b8cb52fe45fd5c0aaecd0e8077f4e31b75568f3988731efd594af67e345d2c42ead17cb6c2e5289e8211e61b05d111978b4a9bba920d8b0043c0b2ce09eda88443d59ef5ccc103dac33a44dfde42461c4edd21993fea4d575010aa219ba80241514e68408349127ced872acfb689f627b4b9f0dc37210f13ee45439cccd7bfa3a3bcf2e45b6ee228efe33c330d19cd26ac7eb04e60531163151c93fe4bcbc4cb1a03b9469bcaa7d99ef0f3190208e9f669654ab80a64bc4c0966742beeaca513c4efe8d2f3175b9cd4f1fb165f3144d0bbade429ffb8582385ffe3b91a3bfa74770edfe524a90ef50948bd256d266c0fdbf189036195fc9e3817b8b20ff84dcaedc01949cf3187c9db993ad4af2760e33406c436eb2593efb56cc1080607e642eefcc749462d8bfdefcbd6bbe889e2faf0024ee32ceb2652d740539e9932123410554d2ca132c1dccaf145679ad66db63ab4f7b6e3959340dd9ecc2b1084cbda738044e3bd5860176430d1115227c67903080b4ef10f4fe1fbfa8785cdc4463e0c1acfac5ac9f3cae9883e0b28c1596025a7463892a44172b92c4144c9124ff320bc085492dffb52e21c217b616a6e7698a393fb523f4e01cc8d7b4f97c6264362ddee443abfb3a082846cc4da71b73ee4494b8aebcb534ca6c1df5b616402eb93b54f876bca244a467530981b1b57de938d1b6743967f191640b8526331b88b1ba54f44cc5573a93e5172871b4cd00f1c2c8759e0c26716c9821fc015840c3ec9fcda119f375393252b38e6c26850bd65dce803b41cada1a3dc2c70974e6cbdb3ab7c4ab885bdd026cf5248a3f28337c9961b70e53685b5d8b0e26a97e7147838e0cb9092cfddcc90c66e727d6166f51f75414487ae8202794323cf4696f0517524f7a02df4e8c32af5f945317fe08abddf3816db8b82c94da7decf6eccd04ec96c06eb9472679729ce6669967d761143d64aa5ed741366460670f8950854f656ca6775696185fb556986bb92478261222c571f9659ff26285bdfef200868037fb9e748dfeb4f0d14318d56d43b5c2746ac9abd6a585aa3d55f3f2c7d801255ae0a5789d994cd13eda6a8d2558d40b0391f7206da11d0b976d4314892ac480e568ccf55c5357b80b384312f6eff097e821d2bb21bbf4f2683220f495676c74872c7549375a5251d18d4efbbe3c7bb0ae7b9cdf0143dea1c42aec1ecb2dca448a171646c6646e37e6fe71077f68553ed733f17ba0262532d84e361849fe8452a6775bc0636eefdb3b68899be70feae7631329143a0933f7919a161001e7b2e4b10966e12fcc197a791b06363c1cda3d53366c25142f331be941c3e28aa464b095ee3449af8d759f8de24ec6b4c7e8f8c430a08c3f605e58e10f14689bf926c436a1d703da74984723d91f3627f346118c2d8924465ac3486b1844ff6fcd008289c44e6419c1957f84729ce56ec267641ec6a0284cd0c3752d01f5bde0a93364394944df0f1e992e48f226fcfc52efb815b4ccb28b8e2abb276d69fcd5e3ae921237d9a1d51a2b65d092c7f78c4403d0b88a6422cc4f3f172fd775e6dcba94b3875a41495c1c5478c6684b862da584c4e8e868d91e3df2521e5bf2c09e3d5036dd63ec726dc2884d71662435f095cd3feb93187b24aaeb3f546cd15944f6f6c2018b808b6203bf1d335b05b19a493bbd38a69d9a5ba1f6508ce47a784bff4125ad45bcfc28fdb534255abaa6aff259b7e125a182e8bd99bc39dda74d2d13a87a8d9cdd926b2967488277d99185ab73b425913b3af639589d490bb0442664918d3ae70fc6db89d524d110082e5071ea5f30e644c605ad22474425c2ad20d7d3739285c1d5c560ebef9bfcade1d985f6348bd7be717e23e2e861f2ff9f37c16ea2f27126d85270712bc8ccfaca43235570df7311ffe7b2f28a9462723ea40f16100a794623369ed84cb33b86b2fc153cbcad75e38759668dca699972ddab057e514ee44b5989f1bbe2eb802fd11adcce8b3d11c7c00b807c5cded10d813c41ff66b6438bde02f8b977e496d274103eaf0b9a1ecfd49c271f0704de15c171b6ef8e0c57dd6c3c64d85dc3e7529530fd6284b6c57ff9b871605d26a8a38fec107aa18f27df13e1c2f3c2162f6f327b9cba72af86975ea8af19e9fd365e4d6e16fb2859fcd53b9a505187f133e0ec82b64f1a15d853833d9a9aa64a799253f04b20e0ed68fddf56418026289659c563089dfb298c3bef9b7e9d24bac0ae7a6c382f54627862b6564f689deb397e23b3e730b27a502b8505c6a44f14c0e13b7a5dfe8ac43b3b207b2202231d35376c4b81b0137b91f2c4d1cb83bdac70150c416f5572eafb5db3bc9ad2a3d6c944612819e7c1b34bf360404be3f7ecc921fde79df28b8b0ef527e747bd78c82843b62b45a9714ec6ac0416bdb4b9b03e119806fec3508a1565c7df6e2bccc58271263c12bbcc268128f610a28649ff044188853b12d38c98ddc18d38cb432ffa1f0ad1892d51d52f1959ca1586a22a6f0451b42c275b342be0385b0248841ef26715d0b090a6f51fedcae49f271603f0660e1b06b7b9c212ea7dd73a0397e85f68872b01cd0393ed03a72c9c01aa8d84ab93782442582f584372965c119c3c3671ec086ad7da9146713ee80165b85b69b1462e88594ab3643ea14d41fa403ca71b76c7ff6f3cebd750c07088a8291c688b70e860b531d03a4fccc9e358dcd1bf07a2aa53f4bf311d52b29d766114d450f5e32d248c5e572d18fd0ab8ea4b7aefbc8153af97b676ace8cce9995b249748af9ab998ffc9f08bcec11e1b09572c4672aaf862ace75e89faaa01cf2d931dd5cfe035266e16bc8af672f881eebaebd3996c92a1c6900c3262ba90fcca6f575bda58fb16bc548f3d7a5c3fcf069b777fdc4349a53f37e30780333ea387091f00395e2f811e7624ca04f9ee3995ccd61e9fb815ec08c6b38663bc8d1fdfc85ced6279300eb2986377de74447e6aa8a0df3eac7346498df27c5180ef038f8e3b617b55c8b6cca3953ce00a3e3813ecb54d6bc26c7c214d3c8a74e9e9fe6d517b73afce944ef341ad045b1af09665e95cff6da93c00248ff41dafdb989dd04f06c269da1304a384a5fa809b079e16a9bd3e1447ecfa95cdcc299e8e6a4658e494f2ccdc2c9cfd6c3fbd09db381b2f15098606cc115e5ad7376acc1c465f0b1445ed96267888c41ed6694d1feae6f8d223846931124784b247cdaceee0dae5aac5c504a0c90a59272b84ebc81a7247b3695a2891dd3e0e13390cdfc29a99323cd3f128a94109ade402b0a304050f423156e9c7d595c67725464019f57c5ffe797b667472b004212db28c4a8388a7d627e0269c16b6e9de0c5b9ea881c7c8e0b6896219dcb7418b99aa576b35f35153839bffeefe9330dbc9d086b229bf49be2243034c7a0929f0a3a32e1483b7775277fa5a26bbab2413fc93484f00e2267eae2f42386dafc5cac8bc7ec20e2f6bf670ad61565460318ae75fd741709ad94dc134162d6624773f9334da468bb800836f524d4e5f8ae185d45c8a31cdaad505477c0ad26818802dd5a1c09bfe76eb727bc761c188fb49774746b814a000581ed6d4f039cc3da048448569260aaded1197e606af554acdc61a16df8a83b0773750ea7aa9e9b88f2a3047b5c24a271ca1409fc32a38c32854af2074631740c48163eb74c66725c1088941b8f4ea4cff106f68c2aeaa2d0624b4c7791e1bbec5bf2acb34e6e964ee2ad15202b152cae8f5f9ba33684cd2a9e5bce945f6492cc055cc3b56ebc805eaea449290928b121826e535b7f5a384369dea7000dfeb8ee186b9e32be3a9ac6701801cd8cdeb555caba762ff94da4b3312cc9136654b505a4ca554d7fdd3ae9c65b7fce445eb57611dfa447c751b758d8d9c9c4d226b98f983880b202b6d7af8fb22393a41cc60ff2206b8dc1725578c8649f821b886d2a4c8547229ec9cb2806c56edb90cbaffb5128b95f4f35a440876927b56caca7fa2e7a8474ae338c7e919c11b792be35ba8bdf85b5de7622b1fee004aef43661f861217438cb05da3fd52332d863bb7a64a7d64164d1f3558cdf76604f29dd9099a2f06b0e96780d8ad8e00e407d7ebb7ac08974ccd176363dc6b995c0f5016280b70264d3df12c52892b4f1612dc6708c567443bf76e6230bfc5225756f03580c8d93cceba0e54189f86d44269149a760ea768845235609c625a7354cb532f840674deafab633903d2f3b71acce3fd8bbdc8a3c9b80dbeb2f2bda186eee6eb217e44129dce720bad390b39e0e41bfeca6963f83aaea7af97b56afd6153513b07ed235c2f3832b11c033ba15bb3088002c63cc5b9a91defebc7d223e36ad753b9df5930678f2f166b98fadc0c850d8e977b4dbda9c20989d2a5dd462180724e496e194f240b037ecd6292c7499e79526dd4eaf46f5476709e61733c2efb8bbcfd9e1a4be20257ff116cbc1158ef97c36859f7f1ea2a9e6ba8f4e4e2e040daad3dda260f017c08a32d4eaf639e1c229503f42fcf9c0fce714cdb68641d23b0b97650ec7a51ffd1c11aacecf24f55a3b5b7be07d480b1113ebfbbf9781195c8f92cc6aea2052e5b9d1b11e2f8c4e6189dc36e2876be0207a911f9f8925859ff726e491be4efd5f1db67dc256623f4ec62e77a5561a452f181842a6140946747d6138cffead32c3b32ff3616c2fce922ca573daaeffbbe4ae0933247eb5802fa1d002055c8cd92a04ff78aaa794dc6f8f36e0a21e6b9e07d7eaa20982f5b470771af0e29bff65ae4be6bf1511e31b02a8ab4d60d7f852c2d171ecdd8d664d0562d4b8d0fbab82c0397de674274822343765ff92a441278a4ac9308d0b087a42b08c7a072b7431b60949d111a67700ee89a19d4926b61eb33fc64afb7e11e75c72d99e25c6fb25b770d016070eb6f1209a70dd6393ad5e0bfd708753acd8d764251699052a8d3ff02fba3ec913a8856366618f1964c4300605e3054022a80f29deb461e8682872d4432b7f479f4fac336cb6d8465a8acbb8257cf19e7e41895186bf9b3e8f03e9e09b49187ec61d644c8e3d2a7cdbf28bbaf9f7ccb710b79c9243f282092f73c803d44115a8add56a91bde83b95977e144dc0da1f0bafc1951e8c03390f8376123e999230834728cc3c00afbe6a27b3e7cca6d92f84008f744ada6687e16d8aac933837467ae1f6bfedccba44bbde02d805fd885e47169d279550d593531ff96e5d44a1412bb86f348553c428b9452f8eb29d1f3b464e860f8d72b19b8b209a72edf51ad74d634d556086dcbdb7fb13911d9f41b3c1ccd85f1b3cf651ea2e7296c23459aaf27c2e67207ba66e42007a5da98f8ee517267b7b30ce0347b3a35dcc8b52f8e0ff67477a8d38b3d801a5478e62b9f6b3c20246428d1d74bec22b78115b34a0583fd4e8863887d5a288d623c23367b0a1e9ca2c12d58d53f6eb86de6d7f85a992e3f13f89df5a270c52442b6a980407e0dcd044ff543be17274047459eac68c52416cae94fbc178f786dc7153a9bac3a887fa7c92450a574f84e9c19bed02cced007136c00cf20e209ea98bcec98ef65a4ca4e9f918893a3736aec80467fad7ef1871883e84eead3d862790488a7f8eb587076513b48341269278bcf9a5586a315dd13ce69db7bc5ba48822831d445b92b9c5ac886421da96665b9d30bcfd589e7d4d053eafa2697c853c6325cd84fbc7befba8e4976ff693c004c5ea9c8184629d9cd1bd638ac74ecbc4a6f59e7e346219f074d0a3a4edf3e51390cf997ef29b87556e5340c7a4f1c9ceac4fd707f090cb73822bdea35da90d2c893f952eb9cefecf504b13155f69f6e584fd165a2df974a6741aa263465ff66d0a61e874149421755e4ed0c239ab0d80ad10b22d67d72b3c7ba169d7ff2c953f83baec1c34f861d01ca231db727ae2f7b2095411b675524717b36741cca080900d808e0ad4bcebfb3a21b1a5aabb6ba2bb98d59176619d328d1daf883904fb725055a6bfe7fa94bd19469109f56c147554908114bb568760a421eace7be90ffe6d4b3fd9466dcc887659d1a96908e51c49593d5433f4fb2f60b2eca3f9d740fa71e5ccc73b6497e95b4defc579bee5095ffa1c194c38a87d9e12208e3fafbb4c237d5e99fc9ad9bfc05a22933fcdda7e291b90d7f808d01847233bd7ae084ee4d8a99866ad6a121847861cb3eed1dd5623ef00515d0a7985fce791e958616ab9161cea63bf3637f7769a1e41bed57325d719e01482991344aab912f032d0b28f490d96f21647936d3c4e681c504e602fb4d47d8ee761054903a5784afc474e3b5d30ba1768810a01ce43deaaf8b9031982458856f704dd9f320482eef43e90736720aee22f8ce3f4cb06245f1badf0d0cbb7c0d26f8bfd4709d7299b22c2a6cd2fcc36c3ed54fe89007c34c0134aa130ae76ad7a7c4d140d8b2abe917219aee26bf4a72c6b2f45eb0990cb6a6018d67fe55cdb946e47b1f0142956b741443a0642bad5b2bbea208c96e9b40330f753803272bc6430af06579bfe5e458b273a3bce275466fa8882877db5498843060379654c99bae9f4a344d44135b291f868117829e3bd3b2bf0ee67c1d2a670c1175e9c70ea78a8db469fa5b74bf9648a374551c84b1d252f6c2154284048c0630d72455803cacf4a82dc1efb517e6854f373f18b220788c0afba6216e4139282717bdc14fc33f40befafd421437631ca8de65cc14a6b37779ad99218d8cf0bd304dc289377a5068613c72427c0e8f54c22ff7fffe8acedda593a3a61322af441b9eeea5873864a492b53145638852a01a7fc7cf05d9d041aa4f2ca994d8c25486fd3cdf8667615e5387367c33a5e1560b91ebf617adab6dc278dd3e86058a736426b1e6b68b319df1632aa60a5c9e151dbb1bcae05f6e400aa69c8ca70dc735b0bae14304d940b8c76f34b56d40f9108241d11d6cd08cb57bbd20974259ca74a9ac3a9a5a29c6d058e0387e5896862f54614bf5b2c71a7cffc6ea4cbbd1aeb630f393f1a5c2904aa2a9f5b012a3a842044c90abd0b0db121bacdc6febbe9bfd0983d2361a25c8cca0d7bbb5ad4aceb40af8f5c56e69f30aba2f8cea66f113672d183bffa7a476c9f2ea75384817333983a361931f6b20ff5142d36373e245b306f2be0159c450770deb9ac8ab010a3239540c45c2945d94e37c790348a23a0881249a56aaeaeb26444b2401c5d847d2abd69bda03a949a7e3f94ac884ef0a12646749035dc2ae85edb76d450be2fe1375cf37abf49e113bd3691d0b6e645937e036d463a68e436e74294f50b48c4baa2f11894160a3d4c9c8450e4f777236d2caf45f543df464f14e8822aa2b3ac5dbec2780f40cdb91f4b2bd5d0d7234a0b7fd545ea0e6340f74e7785dc1c3d5430130332ad76fbaf148c8f659742cf502556467d80de917859650dd956388666cb749cbc0eec33cf241b311d303383b5fd8f12edf35cc1315f8c04cf7a6f75ba9182287038725c565e15ac4bfc108c99560b7fa54aef989394763eb3a164a28159e7c9f8b24836c31114dd3bce736d46d5f2871799d49c6e008e7c62e80d4dddf3e168c868e9af3516d416c3b624057ec851ba22034cf595427e3cd72d0438318876915fbc93336435599092ffffa25e23c30ceff41230ec1e4c92a956dcdfdb94e7cb322bd0045dffab477df9d06167492efc2eac16834a413c6d990645334b5fb52b586f00a8a5966d0550a5e9f777ac8e0109a2215b6b3d3576a7b69bcb7e17d8c4a19f7c594038a85a82fa785f599587cd2f631aac9c0c43cc50ddcd34f1e3e5aed61ea9cbcecf66a5485b14c3f088a6f115ada07fef851cfea11c8a9c46a50f85041a6b2294ba95b966dcef7a4eea32e27f86de434246f6d922eeb75301e8848805f7102f89edf866f0b45bf282418c341f8341a3b20f85d9d9736c6426f267425c7d5428edf0d67b9d0c647b6038cbf360b7d3215120167f76ecde5c1d62fa806538cc9cd4c348311e9c0311e0ef93e67e86e4be7fb35a6f3f4ea2cf703d14a0284a451714ffc0ff2d70c6a02a4c6251932363c666432014e3583b8002f450315860ff764e53857ac889a11e9025c4c6bf2ea6561852a0d3b7d2d278211c373a74af0d9c2d583b05fbe26d2d83bda8fc2ef1d7f11e2723a96df219e7eee23e1245d41229cd4d5711956edb478861256437052dc11df1ea344a8b022e2a54c2a1772abb89c7546547de01b23b8158ea1d127972a7b293e32e9a21adaab7b9dd15e1aeed22f1d83ce25d311db40c07fa9c26774aa28c52430d59eaeb5bbba5e2bbaf982659b550f67ed93bc6f8f8e1d7748cad0ae795f79a5bf81a4c77ae51c00ccdcf2af7ceefb355465a1c8b19fa098244c45499ab88b7dbd2b30e95910995011344b41bab852894b630127e286330fc76e78cd4660ccfc5e6ddf92f13c1839d74dc8939d03cb128473db97e6e9fc8bd4de51103990ca150be920950936d0a0e46014fc2efd5144a30359c0e6e1ea9fa3dd407d3318204150efd7b4caf6ae6d6a009505e345fe949e1310334fcb0747f28dae2856759de102ab66b722cb4rootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootfreeradius-server-3.2.4-150600.3.3.2.src.rpmfreeradius-server-docfreeradius-server-doc(x86-64)    rpmlib(CompressedFileNames)rpmlib(FileDigests)rpmlib(PayloadFilesHavePrefix)rpmlib(PayloadIsXz)3.0.4-14.6.0-14.0-15.2-14.14.3fCR@dccGc5b?ar@a^@a^@`h@`_@_0@_FN^y@^p^h^@\\v{\u*@[<[2*ZZWQYY@YlY, @XO@X@X*Xh@X.@W@WiV@V.Vf@UĝU@U@UU8U7@TZ@TTT~@T|X@adam.majer@suse.deadam.majer@suse.deadam.majer@suse.deschubi@suse.commichael@stroeder.comwilliam.brown@suse.comscabrero@suse.demichael@stroeder.comadam.majer@suse.derpm@fthiessen.derpm@fthiessen.deadam.majer@suse.depgajdos@suse.comadam.majer@suse.deadam.majer@suse.deadam.majer@suse.deadam.majer@suse.dejcnengel@gmail.commichael@stroeder.comadam.majer@suse.demichael@stroeder.comadam.majer@suse.demichael@stroeder.commichael@stroeder.commichael@stroeder.comadam.majer@suse.devarkoly@suse.commichael@stroeder.comadam.majer@suse.demichael@stroeder.comkukuk@suse.deadam.majer@suse.dejengelh@inai.deadam.majer@suse.demichael@stroeder.comadam.majer@suse.demichael@stroeder.comjkeil@suse.demichael@stroeder.comjkeil@suse.dejkeil@suse.dejkeil@suse.demichael@stroeder.comvcizek@suse.commichael@stroeder.comtchvatal@suse.comvcizek@suse.comdimstar@opensuse.orgvcizek@suse.commeissner@suse.com- update to 3.2.4 (bsc#1223414, CVE-2024-3596) Feature improvements * Preliminary support for TEAP. * Update EAP module pre_proxy checks to make them less restrictive. This prevents the "middle box" effect from affecting future traffic. * Support "interface = ..." on OSX and other *BSD which have IP_BOUND_IF. * Many fixes and updates for docker images * add dpsk module. See mods-available/dpsk * Print out what cause the TLS operations to be made, such as the EAP method name (peap, ttls, etc), or RADIUS/TLS listen / proxy socket. * Add auto_escape to sample SQL module config * Add 'if not exists' to mysql create table queries. ref #5032 (#5137) * Add lookback and more configuration to totp. See mods-available/totp * Update dictionary.aruba; add dictionary.tplink * Added "radsecret" program which generates strong secrets. See the top of the "clients.conf" file for more information. * Add "time_since" xlat to calculate elapsed time in seconds, milliseconds and microseconds. * radclient prints packets as hex when using -xxx * document KRB5_CLIENT_KTNAME in the "env" section of radiusd.conf. * Allow for 'encrypt=1' attributes to be longer than 128 characters. * Add "dedup_key" for misbehaving supplicants. See mods-available/eap * Add proxy_dedup_window. See radiusd.conf. * Added "-t timeout" to radsniff. It will stop processing packets after seconds. Bug fixes * Fix corner case with empty defaults in rlm_files. Fixes #5035 * When we have multiple attributes of the same name, always use the canonical attribute * Make FreeRADIUS-Server-EMA* attributes work again for home server exponential moving average statistics. * Don't send the global server stats when asked for client stats. They use the same attributes, so the result is confusing. * Fix multiple typos in MongoDB query.conf (#5130) * add define for illumos. Fixes #5135 * add client configuration for TLS PSK. * permit originate CoA after proxying to an internal virtual server * Use virtual server "default" when passed "-i" and "-p" on the command line. * Fix locking issues with rlm_python3. * Better handle backslashes in strings in the configuration files. If the configuration items contain backslashes, then behavior may change. However, the previous behavior didn't work as expected, and therefore is not likely to be used. * The detail file reader will catch bad times in the file, and will not update Acct-Delay-Time with extreme values. * The detail module now has a "dates_as_integer" configuration item. See mods-available/detail for more information. * Fix issue where Message-Authenticator was calculated incorrectly for CoA / Disconnect ACK and NAK packets. * reject_delay no longer applies to proxied packets. All servers should now set "reject_delay = 1" for security and scalability. - shebang_fixes.patch: removes use of /usr/bin/env- update to version 3.2.3 (jsc#PED-6567) Feature Improvements * Add "max_retries" for connection pools. Fixes #4908. * Update dictionary.ciena, dictionary.huawei, dictionary.wifialliance and dictionary.wispr; add dictionary.eleven. * You can now list "eap" in the "pre-proxy" section. If the packet contains a malformed EAP message, then the request will be rejected The home server will either reject (or discard) this packet anyways, so this change can only help with large proxy scenarios. * Show warnings if libldap is not using OpenSSL. * Support RADIUS/1.1. See https://datatracker.ietf.org/doc/draft-dekok-radext-radiusv11/ Disabled by default, can be enabled by passing `--with-radiusv11` to the configure script. For now, this is for testing interoperability. * Add extra sanity checks for malformed EAP attributes. * More TLS debugging output. * Clear old module instance data before HUP reload. Avoids burst memory use when e.g. using large data files with rlm_files. * `rlm_cache_redis` is now included in the freeradius-redis packages. Bug Fixes * Don't leak MD contexts with OpenSSL 3.0. * Increase internal buffer size for TLS connections, which can help with high-load proxies. * Send Status-Server checks for TLS connections. * Give descriptive error if "update CoA" is used with "fake" packets, as it won't work. i.e. inner-tunnel and virtual home servers. * Many small ASAN / LSAN fixes from Jorge Pereira. * Close inbound RADIUS/TLS socket on TLS errors. When a home server sees a TLS error, it will now close the socket, so proxies do not have an open (but dead) TLS connection. * Fix mutex locking issues on inbound RADIUS/TLS connections This change avoids random issues with "bad record mac". * Improve REST encoding loop. Patch from Herwin Weststrate. Closes #4950. * Correctly report the LDAP group a user was found in. Fixes #3084. * Force correct packet type when running Post-Auth-Type. Helps with #4980. * Fix small leak in Client-Lost code. Patch from Terry Burton. PR #4996. * Fix TCP socket statistics. Closes #4990. * Use NAS-Port-Id instead of NAS-Port during SQL simultaneous-use checks. Helps with #5010. Changes in version 3.2.2: Feature Improvements * The "configure" process now gives a much clearer report when it's finished * Fallback to "uname -n" on missing "hostname". Fixes #4771. * Export thread details in radmin "stats threads". Fixes #4770. * Improve queries for processing radacct into periodic usage data * Update dictionary.juniper. * Add dictionary.calix. * Fix dictionary.rfc6519 DS-Lite-Tunnel-Name to be "octets". * Update documentation for robust-proxy-accounting, and be more aggressive about sending packets. * Add per-module README.md files in the source. * Add default Visual Studio configuration for developers. * Postgres can now automatically use alternate queries for errors other than duplicate keys. * %{listen:TLS-PSK-Identity} is now set when using PSK and psk_query This helps the server track the identity of the client which is connecting. * Include thread stats in Status-Server attributes. Fixes #4870. * Mark rlm_unbound stable and add to packages. * Remove broken/unsupported Dockerfiles for centos8 and debian9. Bug Fixes * Preliminary support for non-blocking TLS sockets. Helps with #3501. * Fix support for partial certificate chains after adding reload support. Fixes #4753. * Fix handling of debug_condition. * Clean up home server states, and re-sync with the dictionaries. * Correct certificate order when creating TLS-* attributes Fixes #4785. * Update use of isalpha() etc. so broken configurations have less impact on the server. * Outgoing TLS sockets now set SNI correctly from the "hostname" configuration item. * Support Apple Homebrew on the M1. Fixes #4754. * Better error messages when %{listen:TLS-...} is used. * Getting statistics via Status-Server can now be done within a virtual server. Fixes #4868. * Make TTLS+MS-CHAP work with TLS 1.3. Fixes #4878. * Fix md5 xlat memory leak when using OpenSSL 3.0 - freeradius-server-rlm_sql_unixodbc-configure.patch: refreshed - spec file cleanup: remove duplicate BR: from subpackages- update to version 3.2.1: Feature Improvements * Add dictionary.ciena, dictionary.nile, and DHCPv4 dictionaries * Add simultaneous-use queries for MS SQL * Add radmin command for "stats pool " which prints out statistics about the connection pools. * Client statistics now shows "conflicts", to count conflicting packets. * New optional "lightweight accounting-on/off" strategy. When refreshing queries.conf you should also add the new nasreload table and corresponding GRANTs to your DB schema. * Add TLS-Client-Cert-X509v3-Certificate-Policies, which helps with Eduroam. * Allow auth+acct for TCP sockets, too. * Add rlm_cache_redis. See raddb/mods-available/cache for details. * Allow radmin to look up home servers by name, too. * Ensure that dynamic clients don't create loops on duplicates * Removed rlm_sqlhpwippool. There was no documentation, no configuration, and the module was ~15 years old with no one using it. * Marked rlm_python3 as stable. * Add sigalgs_list. See raddb/mods-available/eap * For rlm_linelog, when opening files in /dev, look at "permissions" to see whether to open them r/w. * More flexibility for dynamic home servers. See doc/configuration/dynamic_home_servers.md and raddb/home_servers/README.md. * Allow setting of application_name for PostgreSQL. See mods-available/sql. Bug Fixes * Correct test for open sessions in radacct for MS SQL. * The linelog module now opens /dev/stdout in "write-only" mode if the permissions are set to "u+w" (0002). * Various fixes to rlm_unbound from Nick Porter. * PEAP now correctly runs Post-Auth-Type Accept. * Create "TLS-Cert-*" for outbound Radsec, instead of TLS-Client-Cert-* Fixes #4698. See sites-available/tls, and fix_cert_order. * Minor updates and fixes to CI, Dockerfiles and packaging. * Fix rlm_python3 build with python >= 3.10. Fixes #4441. Changes in version 3.2.0: Feature Improvements All features from 3.0.x are included in the 3.2.x releases. In addition: * Add 'reset_day' and '%%r' parameter for rlm_sqlcounter to specify which day of the month the counter should be reset. * Partial backport of rlm_json from v4, providing the json_encode xlat See mods-available/json for documentation. * Support for haproxy "PROXY" protocol See sites-available/tls, "proxy_protocol" and doc/antora/modules/howto/pages/protocols/proxy/. * Support for sending CoA-Request and Disconnect-Request packets in "reverse" down RadSec tunnels. Experimental for now, and undocumented. * It is now possible to run a virtual server when saving / loading TLS cache attributes. See sites-available/tls-cache for more information. * Removed the "cram" module. It was undocumented, and used old and insecure authentication methods. * Remove the "otp" module. The "otpd" program it needs is no longer available, and the module has not been usable since at least 2015. * All features from 3.0.x are included in the 3.2.x releases. * 3.2.0 requires OpenSSL 1.0.2 or greater. Bug Fixes * All bug fixes from 3.0.x are included in the 3.2.x releases, including * fixes information leakage in EAP-PWD (bsc#1206204, CVE-2022-41859) * fixes crash on unknown option in EAP-SIM (bsc#1206205, CVE-2022-41860) * fixes crash on invalid abinary data (bsc#1206206, CVE-2022-41861) - freeradius-server-enable-python3.patch: refreshed- Migration of PAM settings to /usr/lib/pam.d.- use chown with colon instead dot in radiusd.service- Resolve issue with linking python3 with rlm-python- Remove libwbclient-devel BuildRequires in favor of pkgconfig(wbclient); (jsc#SLE-20577);- update to 3.0.25: * `correct_escapes` has been added back into the default configuration. * A segfault when trying to proxy to zombie home servers has been fixed. * A number of other small bugs and compiler warnings were fixed. * Added support for building with PostgreSQL 14.- Update to version 3.0.24 (jsc#SLE-21237) Feature Improvements * Add sanitizer options to configure script. * Log information needed by Wireshark to decode TLS sessions. * Allow more liberal SQL commands in rlm_sql_map. * Update dictionary.apc, dictionary.h3c. * Add new Acct-Status-Type Subsystem-On and Subsystem-Off See dictionary.iana and https://freeradius.org/rfc/acct_status_type_subsystem.html. * Add reject_unknown_intermediate_ca. See mods-available/eap. * Add dynamic loading of certificates via TLS-Session-Cert-File See raddb/certs/realms/README.md. * Add Server Name Indication (SNI) for outbound RadSec connections See raddb/sites-available/tls, and the home server tls configuration. * Support SNI for inbound RadSec connections. Certificates will be loaded from "realm_dir" in the "tls" section. SNI will be cached in the TLS-Server-Name-Indication attribute. * Preliminary support for haproxy "PROXY" protocol See sites-available/tls, "proxy_protocol" and doc/antora/modules/howto/pages/protocols/proxy/. * Generate parse errors in more circumstances when we know that the configuration is wrong. * Add "weeklycounter" to sample sqlcounter configuration. * Add certificate attributes to the request list, even if the certificates have expired. * The Simultaneous-Use code is now IPv6 aware, and can deal with NAS-IPv6-Address. * Add dictionary.cambium. * No longer logs passwords in logfiles (bsc#1184016) Bug Fixes * Fix crash in trustrouter module (#4115) * Fix crash in state handling. * Don't alter global options in redhat logrotate scripts. * EAP-FAST will print errors and continue, rather than exiting when OpenSSL fails various internal sanity checks. * Allow admin to manually change core limits, even when core limits are disabled. * Fix chunked rlm_rest HTTP body. Closes #4131 * Many fixes around the SQL ippool queries.conf and schema * Fix MySQL stored procedures. PR #4170 * Rework connection pool management for corner cases Fixes #4161, #4162, #4163. * Final fix for double free in #3188. * Fix sqlcounter wrong memory free. PR #4192 * Accept slow writes from proxies over TCP, which allows the server to make more progress when it receives partial packets. * Add 'weeklycounter' for rlm_sqlcounter. * Outbound proxying over TCP / TLS is better able to deal with partial TCP reads, and has fewer issues with slow networks. * Fix wrong data-type of Acct-Delay-Time in rlm_unix. * Fix EAP-FAST PAC lifetime calculation. * Print correct encoded packet length when debugging. - remove python2 build - drop references to SLE11 - freeradius-server-radiusd-logrotate.patch: upstreamed- Add ldap-schemas subpackage for OpenLDAP radius schemas - Add freeradius-server-fix-perl-shbang.patch to fix RPMlint warnings - Fix RPMlint warnings about macros and permissions- Update to version 3.0.23 * Feature improvements * Add "set home_server state ... down" in order to mark the home server as administratively down. Use "alive" to bring it back to life. * Add Post-Auth-Type "Client-Lost" which should make it easier to log when clients stop responding. * Cache TLS messages in &session-state, for more debugging. * Notes in eap configuration about TLS 1.0 / TLS 1.1, and setting cipher_list = "DEFAULT@SECLEVEL=1" * Added MANY warning messages about using TLS 1.3 with EAP. * Bug fixes * Fix crash in some cases when home server is down, in debug mode. * Fix (again) "read clients from SQL" functionality. * Fix sql_map to return values in more situations. * Silently ignore LEAP configuration instead of erroring out. - Update to version 3.0.22 * Feature improvements * Limited support for dynamic home servers. * Add support for prepend operator ^=. * Added rlm_totp, for use with the Google Authenticator app. * The default minimum TLS version is now TLS 1.2, as per RFC 8996. Older versions can be allowed by setting tls_min_version, and updating "cipher_list". * Significantly improve the readability and contents of TLS debug messages. * Allow CoA and Disconnect messages over TLS sockets. * Automatically set fragment size / MTU, so that PEAP/EAP-TLS works, and no longer requires manual changes to the configuration. * Allow "configurable_client_cert=yes" for EAP-TLS. * Add TLS 1.2 support for EAP-Fast. * Add ca_path_reload_interval option for tls. * Add "tls_min_version" to ldap module configuration. * Support running policies when receiving a RadSec connection. * Update TLS "ecdh_curve" code to allow for multiple curves. * Allow delta CRLs. * add rlm_sql_map, which can handle multiple columns from an SQL query. See raddb/mods-available/sql_map. * New xlat for setting status of rlm_always instances and new resource-check example virtual server for manipulating control flow in unlang policies based on status of some external resource. Patches from Terry Burton. * Update radmin to show more information about the home servers using "show home_server list all". * The default configuration now replies with EAP-Key-Name, if it is available, and was requested. * Include extensions in generated certificates. * Ignore user-provided dhparams in FIPS mode. * Remove native support for Cisco LEAP. It is insecure, and should not be used. Proxying LEAP is still supported. * Allow use of password preparation methods with rlm_eap_pwd. * More RFC compliance for various corner cases of DHCP, * Use DHCP-specific schemas. * Add stored procedures for DHCP lease allocation * Add support for DHCP-Decline. * Added mods-available/dhcp_sql which is a DHCP-specific instance of the SQL module. * Treat DHCP Discover and Request differently for lease allocation times. * Add support for PBKDF2 keys. * Update default PostgreSQL schema to use "text" instead of a fixed-size "varchar". * Add radmin command "show client list verbose", which gives a lot more information about each client. * Add support for EAPS-AKA authentication to rlm_wimax. * Add rlm_rest support for HTTP/2. * Add REST-HTTP-Status-Code attribute holding HTTP status code. * Add option to set http_negotiation in rlm_rest. Fixes #2821. * Encode / decode NAS-Filter-Rule according to RFC 4849. * Allow attributes using old names in configuration files, SQL, or modules to match attributes in the packet which use new names. * Allow querying IPv6 stats via FreeRADIUS-Stats-Client-IPv6-Address and FreeRADIUS-Stats-Server-IPv6-Address * Add warnings if there is no "real" User-Name to identify users. * Add sample configuration to update Stripped-User-Name and/or Class for user sessions. See sites-available/default * Add configuration to suppress printing values for User-Name, etc. * Support dictionary.telrad, which is also in WiMAX format. * PEAP 'proxy_tunneled_request_as_eap' is now configurable at runtime with Proxy-Tunneled-Request-As-EAP. * Debug output now lists client/server proposed TLS ciphers. * Add support for TLS1.3 * Bug fixes * Fix long-term double free due to PCRE calling our "free" function twice. * Respect the "log_reject" configuration item in more places. * Run Post-Proxy-Type Fail... when all home servers are down. * Note that rlm_replicate can only use UDP, and not TCP or TLS. * DHCP pool lookup is now keyed by Client Identifier (Option 61) when supplied by client, otherwise the hardware address is used. Compliant with RFC 2132. This change will not affect existing systems on upgrade, but new installations will use the new behavior. * Don't print invalid tags in rlm_cache, among other places. * Do home_server failover immediately when an initial TCP / Radsec connection fails. * Clear error on SQLITE_BUSY to prevent memory leak in corner cases. * Properly add SQL clients to virtual servers. * Use better API when decoding DHCP packets, to avoid unnecessary work. * Parse locale-dependent dates. * Fix radiusd.conf ENV LD_PRELOAD function. * Make the "date" module handle UTC more consistently. * Check for, and complain about, inconsistent use of tls_min_version versus disable_tlsv1 * Fix "read client from SQL" code so that it properly ties clients to a virtual server. Also document the behavior. * Fix leak with unknown attributes in detail reader. * Fix parenting issues in rlm_yubikey. - Drop __DATE__ __TIME__ fixes, implicitly done with source_date_epoch variable supported by gcc >= 7- freeradius-server-radiusd-logrotate.patch: move logrotate options into specific parts for each log as "global" options will persist past and clobber global options in the main logrotate config (bsc#1180525)- remove redundant definitions of apache rpm macros- freeradius-server-radiusd-logrotate.patch: fix permissions in logrotate global section (bsc#1170505, bsc#1174905)- update to 3.0.21 (jsc#SLE-11896) Feature Improvements * New stored procedure for allocating IPs with PostgreSQL Rates of 1500 IPs per second are now possible See raddb/mods-config/sql/ippool/postgresql/procedure.sql * Add SQL IP pool support for Microsoft SQL Server See raddb/mods-config/sql/ippool/mssql/ * Added RCNTEC dictionary. Closes #3168. * Added Pica8 dictionary. Closes #3179. * Add TLS-Client-Cert-Valid-Since attribute holding not Before date Patch from Boris Lytochkin. Fixes #3157. * Generate attributes containing unknown OIDs See raddb/sites-available/tls * Update the WiMAX dictionary. * Added ability to rlm_python(Python2) show a stacktrace from errors. #2979. * Add WiFi Alliance Policy OIDs. See raddb/certs/xpextensions * radmin now shows coa stats, too. * Sample schema extensions for summarizing data in SQL See mods-config/sql/main/*/process-radacct.sql * Update dictionary.aerohive, dictionary.fortinet, dictionary.arista and dictionary.erx. * Added VAS Experts dictionary. * Many updates to RPM and jenkins builds from Matthew Newton. * Added %C (time now in seconds) and %c (microsecond component of now) back-ported from the "master" branch. * Add reload capability to systemd unit file in Debian and RedHat. * Increase timestamp precision in postauth to maximum supported by each database and simplify (and make more consistent between drivers) the timestamps in SQL queries by using expansions. * Option to set dictionary path in raduat script. Bug Fixes * Various fixes found by PVS-Studio. * Set permissions of certificates in bootstrap shell script Fixes #3132. * Increase the 'nasportid' SQL field for 'varchar(32)'. #3141. * Skip processing proxy reply if there are no home servers available. * Update SQLite IPPool queries. Fixes #3177 * rlm_sql_unixodbc fixes. Fixes #2822. * Fixes when building with LibreSSL. * Fix the rlm_python3 build. Note that this module is experimental. #3183. * The rlm_python should append the 'python_path' paths in 'sys.path'. It fixes the expected behavior to use the existing Python modules Fixes #3180. * Fix rlm_python to print the script errors properly. * Bound total query time for PostgreSQL. Fixes #3253. * Many fixes to Oracle sqlippool. It now does 500 IPs per second without any tuning. Fixes #3270. * Reference sqlippool by it's correct name. Fixes #3272. * Revert 3.0.20 patch which caused crashes on duplicate clients. * Update WiMAX-MSK attribute. Fixes #3280. * Fix crash when trying to access non-existant regex capture group. * Use timestamps (request or server) rather than SQL NOW() in accounting queries so that these are stable when replayed from a file buffer. - freeradius-python3_patches.patch: upstreamed- update to 3.0.20 (bsc#1146848) Feature Improvements * Added Force10 dictionary. * Update dictionary.hp with new attributes. #2690. * Update dictionary.aruba with new attributes. #2696. * Fix side-channel leak in EAP-PWD (bsc#1144524, CVE-2019-13456) * Relax OpenSSL version checks, now that their API is both public, and stable. * Note that tls_min_version/tls_max_version also support "1.3" Since there is no standard yet for EAP with TLS 1.3, it will not work. * Added tripplite dictionary from #2760. * Switch to the async interface for rlm_sql_postgresql so that we can enforce query_timeout. * Added new LDAP option 'allow_dangling_group_ref'. * Updated documentation and functionality for EAP session caching See "cache" section of mods-available/eap. * Tighten systemd unit file security. Fixes #2637. * Disable TLS 1.0 and TLS 1.1 support in the default configuration We STRONGLY recommend doing this for all installations. * Add expansions for *outgoing* Radsec connections "%{proxy_listen:TLS-...}" for TLS-Client-Cert-* and TLS-Cert-* attributes. Fixes #2839. * Add %{listen:tls} which returns "yes" or "no" for TLS or non-TLS connections. * Update dictionary.lancom with new attributes. #2847. * Added rlm_sql_mongo. See raddb/mods-available/sql. Note that this module is experimental. * Added more documentation in sites-available/robust-proxy-accounting. * sqlippool now re-allocates unexpired leases, to prevent IP pool exhaustion when clients perform multiple reauthentication attempts * Add support to radmin keep the history in ~/.radmin_history. * Add support for ENV and LD_PRELOAD in radiusd.conf. See the new ENV sub-section of radiusd.conf. * Update dictionary.aptilo. #3002. * Update dictionary.airespace. #3039. * Add sites-available/coa-relay, which makes CoA easier #3045. * Add example stored procedure for IP Pools in MySQL See mods-config/sql/ippool/mysql/procedure.sql * Update dictionary.dhcp dictionary with the recent hardware types. * Add experimental rlm_python3. This should largely work the same as rlm_python, which was Python2 only. * Add Dockerfiles for Debian10 and CentOS8. * Add RPM spec file compatibility for RHEL/CentOS 8. * Notes on certificate constraints. See raddb/certs/server.cnf. * Add NAIRealm example to raddb/certs/server.cnf, for RFC 7585. Bug Fixes * Allow listen.ipaddr to reference an IPv6-only host. Fixes #2627 * ERX-Acct-Request-Reason is "integer". Closes #2635. * Fix a slow memory leak in the file management code. * Try to fix file permissions if they get modified while the server is running * Fix slow memory leak with clients. * Fix request and connection timeouts in rlm_rest. * Fix systemd issues. * Fixes from clang analyzer. * Fix missing include for the dictionaries: alcatel.esam, altiga,alvarion.wimax.v2_2,aptis,asn, audiocodes,avaya,bristol, columbia_university,freedhcp,garderos, infoblox,motorola.illegal, starent.vsa1, telkom, wimax.wichorus. * Fix internal sanity check when running with "-Xx". * Allow "inner-tunnel" virtual servers to work better with "accept" and "reject" policies. * Fix dictionary.huawei data types for Huawei-DNS-Server-IPv6-address and Huawei-Framed-IPv6-Address. * Framed-Interface-ID in postgresql/queries.conf is string, not inet Fixes #2817. * Fix rlm_cache to complain on unknown attributes in the "update" section of its configuration. * Add configure checks for -latomic. This helps on armel, mips and mipsel. Fixes #2828. * Add support to Oracle 19 and 18. Via #2857. * Add support for decoding tags in rlm_rest. Fixes #2848. * Use correct passwords when updating CRLs in raddb/certs/. * Properly separate "originate-coa" packets when accounting packets are read from the detail file reader. * Use the correct virtual server for pre/post-proxy. * radsqlrelay fixes backported from "master" branch * Fix DoS issues due to multithreaded BN_CTX access (bsc#1166847, CVE-2019-17185) - disable python2 for SLE15 and Factory - freeradius-server-enable-python3.patch: enable Python3 module - freeradius-python3_patches.patch: backport python3 fixes from upstream - freeradius-server-opensslversion.patch: updated- Enable memcached driver on SLE15- Add missing BuildRequire on samba-core-devel required for windbind support in rlm_mschap.- update to 3.0.19 (jira#SLE-5890) Feature improvements * Update dictionary.cisco * Update sqlippool to allow for stored procedures with PostgreSQL. This increases performance substantially. Patch from Nathan Ward. Fixes #2540. * Re-added "show client config" command to radmin. * Cleaned up mods-available/sql example so that it is easier to understand. * Added pfSense dictionary. Closes #2581 * Update dictionary.h3c Closes #2592 * Update elasticsearch/logstash config for v6.7.0. * EAP-PWD security fixes from Mathy Vanhoef. See http://freeradius.org/security/ (CVE-2019-11234, CVE-2019-11235, bsc#1132549, bsc#1132664) Bug fixes * Update dynamic_client module and server core so that the functionality works. This has been broken since at least v2. * Fix crash in sqlippool due to escaping changes. Patch from Nathan Ward. Fixes #2532, #2533. * Fix systemd notify, watchdog and unit files. Fixes #2541, #2499. * Fix erroneous length check in EAP-FAST. * Update documentation to remove old "ignore_null" configuration. Fixes #2578. * Fix default POD port. Should be 3799. Fixes #2591 * Correctly encode vendor-specific "encrypted" attributes. Fixes #2600- reformat changelog mostly by wrapping lines - add missing bug numbers for security fixes- update to 3.0.18 * cleanup_delay can now be 30 seconds. This helps with proxies that have packet loss. * Do-Not-Respond policies can now be set in the "post-auth" section. * Encode / Decode ADSL Forum DHCP options. * Fix module ordering issues. e.g. when "sqlippool" needs "sql". See the "instantiate" section of radiusd.conf. * Add Big Switch dictionary. Fixes #2252. * Add sql_session_start policy (raddb/policy.d/accounting) This minimizes race conditions when using Simultaneous-Use (#2257). * For rlm_perl, all variables are now tainted by default. See raddb/mods-available/perl, and the "perl_flags" configuration item. This change should only affect people who are using variables in insecure ways. * Allow "sqlcounter" module to be listed in "post-auth". * Add support for IPv6 attributes in SQL. Fixes #2280 * The server is better at handling fail-over for outbound RadSec and TCP connections. Fixes #2284. * The server is now more aggressive about retrying failed outbound RadSec and TCP connections. Fixes #2284. * Add TLS-Session-Version and TLS-Session-Cipher-Suite to the "session_state" list. * Add expansion for Radsec connections. "%{listen:TLS-...}" for TLS-Client-Cert-* and TLS-Cert-* attributes. * Add notes on running "ldapsearch" using the parameters from the LDAP module. * "ipaddr" attributes can now be cast to "integer" type attributes in an "update" section. * Move main thread queue to using atomic queues. This should help with contention in high load scenarios. * Add "recv_buff" setting to listeners. For more details, see sites-available/default. * The sqlippool module can now use attributes other than "Pool-Name" to assign IP pools. The "Pool-Name" attribute is still the default. * The "unpack" expansion can now unpack substrings. See mods-available/unpack for documentation and examples. * The preprocess module now does "ciscvo_vsa_hack" for Eltex-AVPair Fixes #2301. Vendors SHOULD NOT USE THAT KIND OF ATTRIBUTE. * Allow for -LDAP-UserDN. See mods-available/ldap for more information. * Add sanitizing of control list for moonshot. Fixes #2318. * Update rlm_sql_mysql to be compatible with MySQL 8 Fixes https://bugs.launchpad.net/bugs/1795310. * Allow logging of only Access-Accept or Access-Reject messages See radiusd.conf, "auth_accept" and "auth_reject". * Removed Connect-Rate comparison. It was unused and broken. * Add dictionary.infinera. * Use OpenSSL HMAC functions instead of local ones. * Some SQL modules can now use "auto_escape" to escape unsafe strings See mods-config/sql/main/mysql/queries.conf. * Add wispr2date conversion in mods-available/date. * Implement dictionary-based handling in rlm_python. Fixes #2334 See mods-available/python for details. * Add support for SKIP LOCKED in sqlippool. This can improve performance by an order of magnitude or more. See raddb/mods-config/sql/ippool/*/queries.conf Fixes #2383 * Allow PSK and certificates at the same time Except for TLS 1.3 which does not support that. * Update docker scripts. Fixes #2306 Patch from Matthew Newton. * Add crypt xlat. * MySQL connections can now skip verifying the server certificate. Fixes #2481. See mods-available/sql. * Add better mechanism to detect MariaDB (Old MySQL). * Add RFC 7532 "bang path" support for realms Fixes #2492. * Update dictionary.ukerna documentation. Fixes #2493. * Add support for systemd service and watchdogs Fixes #2499. * Check for openss/rand.h, and allow building without OpenSSL engine. Patch from Eneas U de Queiroz Fixes #2517. * The default PosgtreSQL queries now use "ON CONFLICT" to better deal with issues. This requires PostgreSQL 9.5 or later. Please use a recent version of PostgreSQL, or edit the default queries to remove "ON CONFLICT". BUG FIXES * The session-state list is no longer cleaned in the inner-tunnel. This lets the outer Access-Reject section access session-state. * Fix typo in lock initialization for TLS sockets Found by Sergio NNX. * Add check for crash when home server down Fixes #2233. * Add username key for postauth table. * Better libpcap checks, when the header files or libraries are missing. Fixes #2245. * Allow building with old versions of OpenSSL Fixes #2247. * Allow non-FreeRADIUS State attributes to be used with the "session-state" list. i.e. State length != 16. * Be more aggressive about cleaning up zombie children when running in debug mode. * Use LTDL_DEEPBIND, which fixes issues with Oracle libraries exporting LDAP API functions. * unlock files when asked to unlock them. * return error instead of asserting in map code. * Don't write 0 bytes to SSL. Fixes #2270. * Remove "expiry_time IS NULL" from allocate_update query. Fixes #2262. * Various dictionary cleanups and consistency checks Fixes #2281. * rlm_python has stronger thread locking to prevent reported issues. Performance may be affected. * Don't allow Message-Authenticator to overflow past the end of a large packet. * Fix crash in sqlippool when SQL server goes away Fixes #2300. * Typos in man pages. Patch from Nikolai Kondrashov Fixes #2303. * Fix crash with CoA packets/ Fixes #2304. * Fix crash in rlm_exec with CoA. Fixes #2328. * Print errors while parsing the log config, and don't quit when deprecated log settings are found. * Fix DHCP encoder xlat so that it can be used with a list of attributes. It previously only encoded the first member of the list, and now encodes all members. * The "expr" module now skips more whitespace. * Remove internal FreeRADIUS-Response-Delay attributes from attr_filter Access-Reject. * Don't send junk to redis when maximum args reached. * Small updates to IPv6 for accounting schema Fixes #2364. * Fix OpenDirectory integration in rlm_mschap. * Fix slow memory leak with dynamic clients. * Don't artificially truncate debug output for long strings. * Fix memory leak in EAP-PWD. * Fix crash in "hints" file with Fall-Through = yes. * Fix crash / timer issues with many CoA packets. * Fix attr_filter so that it does not treat vendor attributes of number 26 as Vendor-Specific. * Fix reconnect correctly in rlm_sql_mysql. * Fix rlm_cache to properly use Cache-TTL < 0 Fixes #2485. * Fix rare occurance of bad xlat expansion. * Check for rare race condition when a proxy reply arrives too late.- install license as %license instead of documentation- also fix ownership of /var/log/radius in systemd unit- update to 3.0.17 Feature Improvements * Add CURLOPT_CAINFO. Patch from Nicolas C #2167. * "stats home server" now supports "src IPADDR", to specify home server also by source IP. Fixes #2169. * Add Dockerfiles for a selection of common systems. * Increase number of permitted file descriptors, for systems with many home servers. * Add TLS-Client-Cert-X509v3-Extended-Key-Usage-OIDs Patch from Isaac Boukris. Fixes #2205. * Update main READMEs. Patches from Matthew Newton. * Added dictionary.mimosa. Bug Fixes * Don't call post-proxy twice when proxying to a virtual server. Matthew Newton, #2161. * Use "raw" string value for shared secrets and dynamic clients It now parses strings with backslashes and "special characters" correctly. Fixes #2168. * Fix RuntimeDirectory for RedHat, from Alan Buxey. * Relax checks in 'if' parser from Isaac Bourkis. * Minor cleanups for %{debug_attr:&request} from Isaac Boukris. * Be more aggressive about cleaning up cached certificate attributes, due to deficiencies in OpenSSL. Reported by Nicolas Reich. * Be more accepting when parsing IPv6 addresses. Bug noted by Klara Mall. * Fix double free in rlm_sql. Fixes #2180. * rlm_detail now writes empty Access-Accept packets. * rlm_python can now create tagged attributes. * Don't crash on duplicate realm + authhost / accthost * Allow partial certificate chain to trusted CA. Fixes #2162. * Treat SSL_read() returning zero as error. Fixes #2164. * detail writer now checks if the file was renamed or deleted. * Add User-Name to Access-Accept if EAP-Message exists, not Stripped-User-Name. * RedHat Systemd updates. Fixes #2184. * Use correct API for State variable in rlm_securid. * Remove broken radclient option "-i". * Fix "users" file (and hints, etc). So that it does not get confused about entry ordering with multiple $INCLUDEs. * Fix rlm_sql to expand the un-escaped string, not the raw string. * Link default and inner-tunnel only if they exist. Fixes #2206. * Don't use both IP_PKTINFO and IP_SENDSRCADDR. * Always install signal handler for SIGINT (needed by Docker). * Fix intermediate CA flow for OCSP. Fixes #2160 Intermediate certs which are not self-signed will now be checked. * sqlippool now returns "fail" if it fails IP allocation. * Fix rlm_yubikey to look for correct attribute in replay attack check.- update to 3.0.16 Feature improvements * rlm_python now supports multiple lists. From #2031. * Add trust router re-keying. From #2007. * Add support for Samba / AD LDAP schema. See doc/schemas/ldap/samba/README.txt and doc/schemas/ldap/samba/ * Add "tls_min_version" and "tls_max_version" to EAP module for Debian OpenSSL issues. * Better documentation for client certificates in PEAP and TTLS: it usually doesn't work. Fixes #2068. * Distinguish login failure from AD unavailable. Fixes #2069. * Update RH spec files. Fixes #2070. * Run Post-Proxy-Type if all home servers are dead. Fixes #2072. * Print offending IP addresses when EAP sessions come from two upstream home servers, and rate-limit the messages. * Minor packaging updates. * Better documentation for rlm_rest. * EAP-FAST now has it's own "cipher_list", so that it is easier to configure. * EAP-FAST now forcibly disables TLS1.2, until such time as we implement the new keying mechanism from TLS1.2. * Add documentation for allow_expired_crl. * Update Debian logrotation. #2093 and #2101. * DHCP relay can now drop responses. #2095. * rlm_sqlippool can now assign Delegated-IPv6-Prefix. It also now can assign any IPv4 or IPv6 address. Based on patches from maximumG. #2094. See raddb/mods-available/sqlippool for changes. * radeapclient can now use EAP-SIM-Ki to dynamically create the necessary triplets. * Explain why many LDAP connections are closed. Fixes #1969. * Debian build / package issues fixed by Matthew Newton. * dictionary.patton updates from Brice Schaffner. Fixes #2137. * Added scripts to build "inner-server.pem", and updated mods-config/inner-eap and certs/README to match. * Added provisions for using an external CA. See raddb/certs/ * Include dhcpclient binary in freeradius-dhcp debian packge. Bug fixes * Bind the lifetime of program name and python path to the module FR-AD-002 (redone) * Pass correct statement length into sqlite3_prepare[_v2] FR-AD-003 (redone) * Allow 100-Continue responses with additional headers in rlm_rest. * fix corner case where detail files were not being locked correctly. * Fix (SQL-Group == "%{...}") checks, and same for LDAP-Group. Fixes #1947 * Clean up exfile code. Which should help to avoid issues with reading / writing 100's of detail files. * Fix build for winbind. Patch from Alex Clouter. * Fix checkrad for Mikrotik. Patch from Muchael Ducharme. * Fix home server stats lookup. Patch from Phil Mayers. * Add libjson-c3 as an optional dependency. * Require LTB OpenLDAP on CentOS / Redhat, to avoid linking against NSS, which breaks the server. Fixes #2040. * rlm_python fixes. Fixes #2041 * Typos in "man" pages. Fixes #2045 * Expand "next" in %{%{...}:-%{...}}. Fixes #2048 * Don't add TLS attributes twice. Fixes #2050. * Fix memory allocation in rlm_rest. Fixes #2051. * Update trustrouter for new API. Fixes #2059. * Fix SQLite issues on FreeBSD. Fixes #2060 * Don't do debug logging of bad passwords. Fixes #2064. (bsc#1099802) * More graceful handling of "die" in rlm_perl. Fixes #2073. * Fix occasional crash when using cisco_accounting_username_bug = yes * EAP-FAST fixes from Isaac Boukris. [#2078], #2076, and #2082, #2126. * DHCP fixes, relay, #2092, add run-time check, #2028 * Decode multiple RADIUS packets at a time in highly loaded RadSec connections. Patch from Jan Tomasek. #2106. * TunnelPassword is not "single value" in LDAP schema. Fixes #2061. * sql log now opens the expanded filename, not the input one. This was a regression introduced in 3.0.15. * Remove unnecessary UNIQUE constrain in Oracle schemas. * Fix SSL thread and locking issues when modules also use SSL. Fixes #2125 and #2129. * Re-add dhcpclient "raw packet" changes. Patches from Nicolas Chaigne and Matthew Newton. Fixes #2155.- Fix permissions of radiusd.service (bnc#1053654)- bsc#1055679 - freeradius-server does not provide winbind/AD auth Added libwbclient-devel as buildrequires- update to 3.0.15 with security fixes for issues found via fuzzing by Guido Vranken (bsc#1049086) https://freeradius.org/security/fuzzer-2017.html * CVE-2017-10978: FR-GV-201 (v2,v3) Read / write overflow in make_secret() * CVE-2017-10983: FR-GV-206 (v2,v3) DHCP - Read overflow when decoding option 63 * CVE-2017-10984: FR-GV-301 (v3) Write overflow in data2vp_wimax() * CVE-2017-10985: FR-GV-302 (v3) Infinite loop and memory exhaustion with 'concat' attributes * CVE-2017-10986: FR-GV-303 (v3) DHCP - Infinite read in dhcp_attr2vp() * CVE-2017-10987: FR-GV-304 (v3) DHCP - Buffer over-read in fr_dhcp_decode_suboptions() * CVE-2017-10988: FR-GV-305 (v3) Decode 'signed' attributes correctly * FR-AD-002 (v3) String lifetime issues in rlm_python * FR-AD-003 (v3) Incorrect statement length passed into sqlite3_prepare- update to 3.0.14 (still FATE#322416) Feature improvements * Enforce TLS client certificate expiration on session resumption, and Session-Timeout. See CVE-2017-9148 (bnc#1041445) * Updated dictionary.cisco.vpn3000, dictionary.patton * Added dictionary.dellemc * Lowered the log output for failed PEAP sessions. * ALlow utc in rlm_date. * The internal OpenSSL session cache has been disabled. Please see mods-available/eap * Update detail reader documentation. * Make outgoing RadSec connections non-blocking. * Add SQL backing to Moonshot-*-TargetedId generation. Bug Fixes * radtest uses Cleartext-Password for EAP, not User-Password. * Update documentation for mods-enabled/ linking. * Enhanced checks for moonshot salt. * Allow session resumption for RadSec connections. * Update "huntgroups" file to note that port ranges are not supported * Fix OpenSSL permissions issues on default key files. * Certificates are not required when PSK is used. * Allow SubjectAltName as first extension in cert. * Fixed talloc issue with TLS session resumption. * "&Attr-26 := 0x01" now produces useful error messages. * Handle connection error in rlm_ldap_cacheable_groupobj. * Fix endian issues in DHCP. * Multiple minor fixes for Coverity complaints. * Handle unexpected regex. * Fix minor issues in dictionaries. * Fix typos and grammar. Patches from Alan Buxey. * Fix erroneous VP creation in rlm_preproces. * Fix MIB. Patch from Jeff Gehlbach. * Trust router updates from Alejandro Perez. * Allow build with LibreSSL. * Use correct packet for channel bindings. * Many fixes found by PVS-Studio. Thanks to PVS-Studio for giving us a test license. Please see the git commit history for more info. * Fix incorrect length check in EAP-PWD. This may be exploitable. * Stop rotating session database files (radutmp, radwtmp) since these are not logfiles. - freeradius-server-radiusd-logrotate.patch: updated- removed obsolete freeradius-server-fix-cert-bootstrap.patch because recent /etc/raddb/certs/bootstrap simply works - update to 3.0.13 (still FATE#322416) Feature improvements * Add dictionary.rfc7930. Note that we do not implement the RFC. * Added 'cipher_server_preference' to mods-available/eap Patch from #1797. * OpenSSL 1.1.0 compatibility fixes. * rlm_perl: radiusd::xlat to evaluate xlat string within perl script * Allow authentication retry in winbind. Patch from Herwin Weststrate. See raddb/mods-available/mschap. * Added "recv-coa" method to rlm_rest. It behaves the same as "authorize". * Document Trust Router tr_port option. Patch from Stefan Paetow. * Update elasticsearch/logstash examples so that they work with elastic stack v5. Patch from Matthew Newton. * Print information about packets, replies, and contents in the detail file reader. * Update abfab-tr policy. Pull request #1893 from Stefan Paetow. * Reject packets which contain User-Password and EAP-Message. * Add example for filtering Access-Challenge. See sites-enabled/default. * Pull symlink fixes from v4.0.x. Fixes #1859. * Add systemd reload. Not everything is reloaded, but some is. Fixes #1662. * Better documentation for listen "ipaddr". Fixes #1921 * Add dictionary.cnergee, updated dictionary.nomadix. * radclient no longer needs -x to print statistics with -s. Bug fixes * Minor typos. Fixes #1763 * Fix typo in RPM build. Closes #1767. * rlm_mschap check for password expiry only if password was correct. Fixes #1762. * Update debian build. * update rlm_counter "man" page. Fixes #1775. * Remove erroneous assert. Fixes #1778. * fix mschap password change test. Fixes #1792. * Cleanup config file on data remove. Fixes #1795. * passwd module returns "notfound" if not found. * Check for old OpenSSL, and don't build rlm_eap_fast if it necessary. Fixes #1803 * Cleanup memory better after ldap version query. Patch from Aleksey Katargin. * Rename lt_* functions to avoid linker issues with libtool. Fixes #1277 * Many miscellaneous fixes and typos. * Allow long strings in %{%{foo} bar:-%{baz} blah". Fixes #1866 * Fix filtering operators, along with more documentation and more tests for them. * Fix OpenSSL fixes. Fixes #1876. * Finish SQL select queries even when SELECT returns no rows. Fixes #1879. * Set Module-Failure-Message for more EAP errors. * Correct typo in dictionary.rfc5580. Fixes #1882 * Remove obselete systemd syslog.target. * Client-Port-Balance load-balancing now uses client port. * Radrelay examples fixed from Alex Clouter. * Update systemd target. Pull request #1896. * Trim starting whitespace in xlat strings. * Get MySQL result lengths using normal API. * suid down after fchown(). Fixes #1914. * Fix cases of comparing pointer to NUL character. Fixes #1915. * OpenSSL v1.1 fixes. Pull request #1921. * Better Handle v4/v6 host names. Pull request #1919. * Remove "Auth-Type = System" from docs and examples. * Don't crash on malformed %{home_server}. Fixes #1922 * fix erroneous use of talloc destructor in rlm_eap * Issue trigger modules.sql.fail. Fixes #1923 * Document python_path gotcha's. Fixes #1845 * dlopen() the specific version of Python. Fixes #1592- Don't require insserv if we use systemd - Remove require for unused fillup- Merge changes from SLE to openSUSE (FATE#322416): * freeradius-server-radclient-init-error-buffer.patch - make sure we initialize error buffer. bsc#911886: radclient error free() invalid pointer * freeradius-server-opensslversion.patch: remove OpenSSL version check and assume we know what we are doing. (bnc#1013311) * merge .changes file, mostly. - do not attempt to detect "vulnerable" OpenSSL versions. SUSE security fixes do not necessarily bump version numbers as does upstream OpenSSL (bnc#1021375) - do not generate certificates in %post. End-user needs to do this manually. - keep FreeTDS disabled on SLE12 - we never shipped it enabled - require OpenSSL 1.0+ - use pkgconfig(systemd) instead of plain systemd as BuildRequires - don't list manual pages as %doc- Remove --with-pic which is for static libs only. - Use SUSE RPM group names. Trim filler words from description. - Do not hide errors from groupadd/useradd.- Add upstream keyring - 2 new modules: rlm_sql_freetds and rlm_eap_fast- update to 3.0.12 - still fate#320481 The focus of this release is stability. * Feature improvements + Add support for =~ and !~ in update sections. See "man unlang" + Add dictionary.checkpoint. + Simultaneous-Use prints out more information. + Print WARNING in debug mode when packets may be truncated. + Added expansions %{home_server:state} and %{home_server_pool:state}, which show the state of the server / pool. + Mark rlm_sql_freetds as stable. + Make rlm_perl less fragile. Patch from Herwin Weststrate. + Allow extended attributes to have "encrypt=2" + Update dictionary.aruba. + Add support for EAP-FAST. This is an isolated feature which does not affect anything else. + Update OpenSSL vulnerability list. Use a version of OpenSSL released after September 20, 2016. + EAP certificate verification is now done when "verify" is enabled and "ocsp" is disabled. + New dhcpclient and rlm_rad_counter man pages. + Minor abfab and moonshot additions. + Pass CFLAGS through from environment in RPM builds. Allows more custom builds. + Build with Heimdal in addtion to libkrb5. * Bug Fixes + Use correct typedef for older versions of sqlite. + Update mssql schema to add priority + don't complain on /dev/urandom in ldap + fix == operator in update sections + Don't create DHCP strings with many trailing zeros. + Allow MS-CHAP change passwords instead of complaining on large buffer. + Allow assignment or equality operator on SQL. + Update aclocal tests for FreeBSD 10. + Remove occasional hang in rlm_linelog. + Copy VSAs to inner tunnel for TTLS and PEAP. Fixes #1544 + A few minor bugfixes caught in v3.1.x cleanup, and back-ported to v3.0.x. + do_not_respond again works in post-proxy + Allow realm "~^.*$" {} and User-Name with no realm. + Fix leak when creating unknown attributes + Fix Debian / logrotate. + Make OpenSSL error functions thread-safe. + Fix crash with rlm_sql and updating SQL-User-Name. + Debian build updates. + Allow regular expression comparisons in radclient. + Fix memory leak on unknown attributes in detail file reader. + Update example paths in "man" pages when installing them + Build fixes for rlm_mschap. Fixes #1489. + BSD build fixes. Patch from issue #1583. + Be more careful about /lib/ when building. Fixes #1585. + Correct ifdef placement error. Fixes #1572. + Allow for more files in internal "exfile" API So it will be possible to open more than 64 "detail" files at the same time. + Remove support for statically built EAP modules. Fixes #1591. + Many fixes to rlm_python from Guillaume Pannatier. + Use correct week adjustment in SQLcounter. Fixes #1608 + Minor fixes to allow compilation without DHCP, VMPS, or TCP. + Fix checks for module / config file change on HUP. + Compile regex comparisons when sent via "debug condition". + Update filenames in documentation and examples. + Don't crash if SQL connection becomes unavailable. + Disallow originate_coa when proxy_requests = no. + Free rad_perlconf_hv in correct perl context. + Multiple fixes for Debian builds. #1510, among others. + Set OpenSSL FIPS compatibility flag when necessary. + Pulled fixes for the build system over from other branches. + Fix OCSP for RADIUS over TLS. + Fix skip_if_ocsp_ok behavior. + Better fixes for systems without closefrom() but which have /proc. + Minor build fixes back-ported from v4.0.x. + build --whout-ascend-binary. Fixes #1761. + Be more aggressive about not opening new connections in debug mode after CTRL-C. Address #1604.- use %{with} macro for conditional inclusions instead of hardcoding version numbers - improved package descriptions - fixed builds on SLE12 and SLE11SP4- removed installation of experimental module rlm_sqlhpwippool.so - update to 3.0.11 (fate#320481, bsc#961479, CVE-2015-8763, bsc#935573, CVE-2015-4680) * Changes of version 3.0.11 + Feature improvements - "unlang" comparisons of IP addresses to IP prefixes are now detected, and types automatically cast. - Allow shorthand form of ipv4prefix values e.g. 127/8. - Add "auto_chain" to raddb/mods-available/eap, tls subsection. This allows the disabling of OpenSSL auto-chaining of certificates. Which might be wrong. - Added printing of coa and disconnect stats (radmin). - radclient defaults to expecting Access-Accept responses to Status-Server. - Updated dictionary.lancom, dictionary.starent. - Portability fixes for Solaris. - More errors from ntlm_auth gets passed to MS-CHAP. - Update abfab-tr-idp virtual server. - Added "filter_password" in policy.d/filter. This removes embedded zero bytes in User-Password, for compatibility with broken clients. - The server now issues a WARNING message if duplicate configuration items are found. - TLS can skip the "verify" section if OCSP returns OK. See raddb/mods-available/eap, "skip_if_ocsp_ok". - Set TLS-OCSP-Cert-Valid = yes / no / skipped, which is the result from the OCSP check. - Interoperate with AD and "LmCompatibiltyLevel = 5", by always setting WBC_MSV1_0_ALLOW_MSVCHAPV2 for native winbind in rlm_mschap. - TTLS and PEAP now require "virtual_server" to be a real server. - Print WARNING when TTLS or PEAP identities are spoofed or not properly anonymized. See RFC 7542 for requirements. - Various rlm_python fixes from Herwin Weststrate. - Allow setting Response-Packet-Type in "Post-Proxy-Type Fail", which is useful when the home server does not respond. - elasticsearch updates from Matthew Newton + Bug Fixes - Fix issue where field nas_type would not be accessible via the %{client:} xlat, for clients loaded from SQL. - Fix compatiblity issues with OpenSSL 1.0.2. Ignore calls to msg_callback with 'pseudo' content types. - Data type "ipv4prefix" is parsed correctly. - Use correct talloc context in rlm_exec. Fixes #1338. - Complain in unlang if "else" is used with no previous "if" or "elsif". - Send accounting status packets to the accounting port. Fixes #1364. - Print out CFLAGS when doing "radiusd -Xxv" - Fixed bug with coa/acct stats value #1339. Based on patch from Jorge Pereira. - Fixes for LEAP proxying. Don't use LEAP! - Fix issue with "directory already exists" seen when doing "make install". - Fixed bug with radmin related to the option "stats detail " - Complain if the detail file reader does not have permission to read the "detail.work" file. Fixes #1398 - Fixed SoH. Attributes were not being copied to the virtual server. - Used a wrong list to global statistics in "stats". - Create EAP-PWD identity correctly. Prevents segfaults. - Dynamically validate authentication types for PEAP and EAP-MSCHAPv2. - Fix includes in installed headers. - OpenSSL 1.0.1f and 1.0.1g do NOT calculate TLS 1.2 keys correctly. See raddb/mods-available/eap, "disable_tlsv1_2" - Allow password change to work for MS-CHAP. This requires 'r=0', because password changes are not retries. - Fix home server fail-over for home servers using TCP and/or RadSec. - Special characters in expanded regexes are now escaped e.g. User-Name containing '.', and comparing /%{User-Name}/, the '.' will now be escaped. See src/tests/keywords/regex-escape. - Use correct authentication vector when sending Access-Reject replies for RadSec. - Set FreeRADIUS-Proxied-To in TTLS again. You should use the "inner-tunnel" virtual server, instead of relying on this attribute. - Fix debugging constants in rlm_perl. Patch from Herwin Weststrate. - Add samba-dev / samba4-dev to debian builds so that rlm_mschap can automatically use the new winbind API. - Automatically skip zero-length attributes when sending packets, instead of erroring out.- fix bsc#951404 * Rebuild of freeradius-server package fails * fix source url - ftp://ftp.freeradius.org/pub/freeradius/ + ftp://ftp.freeradius.org/pub/freeradius/old/- update to 3.0.10 * Changes of version 3.0.10 + Feature improvements - Do more optimization of unlang policies. This makes run-time a bit faster. - Re-name most of the functions in src/lib. Third-party module authors will have to do the same. - More documentation on contributing and how to write modules. - Update radiusd.service for systemd. - Open IPv6 proxy socket if the server is listening on IPV6 auth / acct / coa packets. - Create debian packages for DHCP. Fixes #1125. - Add more tests for "update" section parsing. - Update "man" pages. - Update attributes for Alcatel 7750 - Add dictionary for Boingo Wi-Fi - Add support for DHCP lease queries. See raddb/sites-available/dhcp - On HUP, check all modules for config files which have changed. And only re-load those modules. - Allow FreeRADIUS-Response-Delay(-USec) to be set for RADIUS packets. Patch from Herwin Weststrate. - Documentation fixes from Alan Buxey and Matthew Newton. - Update "logrotate" script. - Added more RFCs to doc/rfc for new standards implemented by FreeRADIUS. - Don't crash when doing "radmin -e "help hup". Patch from Matthew Newton. - The dictionary parser now does more sanity checks, which prevents run-time problems with invalid attributes. - Update debian packages. Patches from Christopher Hoskin. - Many other debian packaging fixes from Matthew Netwon and Herwin Weststrate. - Add "session-state" to Perl. Patch from Herwin Weststrate. + Bug Fixes - Fix rlm_files so that there are no collisions when loading 10's of 1000's of users. - Fix radclient to use our internal v4/v6 parsing functions. v6 addresses with ports now work correctly. - Fix sending/receiving packet messages to wrap v6 addresses in square brackets '[]'. - Check for sasl/sasl.h when building rlm_ldap, and disable SASL functionality if unavailable. - Fix issue which caused a non \0 terminated buffer to be assigned to attributes if the value being assigned contained an invalid escape sequence. - Fix deadlock when reconnecting connections in the connection pool. - Fix potential overrun in functions that used fr_utf8_char with a non nul terminated buffer. - Fix decoding issue for Tunnel-Password type attributes which were very long. Found by Denis Andzakovic. - Fix radclient issue with TCP sockets on FreeBSD. - The server now creates ${run_dir} and ${logdir} directories in daemon mode, when running as "root". - Handle tags when using maps. Fixes #1191. - Fix crash when CoA packets time out. - Fix parse error in rediswho - Fix regex support in SQL radcheck the "users" file and radsniff. - Register listen xlat earlier, so that it's available when the virtual servers are being parsed. - Parse Ascend-Data-Filter when given as "0x..." - Print Ascend-Data-Filter correctly. Add test cases for both. - Allow old-style clients again. They will be disallowed for 3.1.0 and following. - Complain instead of crash when "else" and "elsif" are in the wrong place. - Clean up memory more aggressively. This lowers the maximum memory used, most typically for TLS based EAP methods. - Prevent the server from unlinking the control socket of an already running instance. - Fallback to using the configured OCSP URL if one exists, and no URL is provided in the certificate. - Return CoA-NAK if proxying CoA fails. Based on patch from Jorge Pereira. - Lower peak memory usage by decreasing size of internal memory pools. - The control socket is now left in place if a second copy of the server is accidentally started. - Allow virtual attributes in "switch", "case", etc. Fixes [#1240] and #1265. - Many spell check / typo fixes in comments and example configuration files. - Better handle multiple DHCP listeners. - Don't print secrets for old-style realms. Fixes #1267. - Don't fall through in empty "case" statements. Fixes #1274. - Update EAP-TTLS so that MPPE keys are correctly calculated with TLSv1.2. - Always delete MS-MPPE-* from the TTLS inner tunnel. This allows TTLS / EAP-MSCHAPv2 to work. Fixes #1206. - Fix off by one error that caused some MSCHAP-Error messages to be sent without the password change version (V=3) and the textual message component (M=). - Always include C= V= and M= in MSCHAPv2 errors. RFC 2759 does not say that any of these fields are optional, and not including V= caused errors with wpa_supplicant. - Do not include M= in MSCHAPv1 errors. It's not supported.- Fix boo#912714: freeradius can't use ntlm_auth * Create winbind group * Add radiusd to winbind group- Remove gpg signature file * The gpg signature checking is broken and doesn't work- Fix bsc#935573: Insufficent CRL application for intermediate certificates * CVE-2015-4680 * freeradius-server-CVE-2015-4680.patch based on https://github.com/FreeRADIUS/freeradius-server/commit/a03814af310bb3bee74ea012546d99c48b0ea5c3- update to 3.0.9 * Changes of version 3.0.9 + Feature improvements - Make "pool" configurations more consistent, and update documentation for them. - Move connection pool logic to "most recently started", instead of MRU. This should help with pool stability. - More VSAs for 3GPP2 - Added examples of multi-value attributes to rlm_perl. - LDAP-Group and SQL-Group attributes are now dynamically allocated. - Only the "sql" module registers SQL-Group. Other instances register "instance-name-SQL-Group", similarly to "ldap". - Unknown attributes are now complained about more often when used in unlang statements. e.g. if (Foo-Bar == 3) used to be a string to string comparison. It is now a parse error. - Rename RLM_COMPONENT_* to MOD_* in the code. This makes many things easier. - Move to C99 initializers for modules. - Load modules in raddb/mods-enabled. This allows attributes like "LDAP-Group" to be used in the "files" module, without explicit ordering or listing in "instantiate". - Added 'bootstrap' section to modules. Third-party modules will need to be updated. - When adding clients from a DB, add them to a virtual server if that virtual server has a "listen" section. Otherwise, add the clients to the global list. - When reading dynamic clients from a file, don't expire them if the underlying file is unchanged. - Allow the server to originate CoA requests from the post-auth stage. - The server creates ${run_dir} and ${logdir} in daemon mode, if they do not already exist. - Add dictionary for Wi-Fi Alliance Hotspot 2.0. The server now supports all mandatory and optional attributes for this specification. - HUP now re-loads the configuration only if the files have changed. If all files are unchanged, HUP re-opens the log file, and does nothing else. - Much better debug messages for EAP-TLS, including which attributes are cached, and when they are retrieved. - Increase default max_requests to 16384. Memory is cheap now. - Added "stats memory" commands to radmin. Debug build only. - Aptilo controller dictionary updates. - SQL modules now use Acct-Unique-Session-Id everywhere. - The redis modules are now stable. - The LDAP module now supports SASL "interactive bind" method. This allows Kerberos based administrator and user binds. - DHCP code is now in libfreeradius-dhcp. - More DHCP encoding / decoding unit tests. - rlm_replicate can now be listed in the "accounting" section. - Better sqlite debugging output. - Remove "required" option from many sql_ippool directives. - Set default CA "basic constraints" to "critical". Fixes #1073 - Updates to help / man pages from Jorge Pereira. - Added more tests. + Bug Fixes - Be more careful about unused config item warnings when using -Xx. - Move more defines to be auto-generated. - Allow virtual servers in proxy fallback. - Allow %{module:} to work. - Don't crash in RadSec. Closes #980. - Return better errors when a unix group / user is not found. - Re-enable detail module "locking" parameter. - Don't crash when logging replies from Status-Server packets. - The couchbase module now uses "update" instead of "map", for consistent with the rest of the server. See raddb/mods-available/couchbase - Don't require NT-Password for MS-CHAP password changes. - Be a bit more careful about decrypting MS-CHAP-MPPE-Key attributes. Closes #1013. There is no perfect fix, tho. - Fix security issues with EAP-PWD. See http://freeradius.org/security.html#eap-pwd-2015 - Fix dynamic clients read from SQL in non-debug mode - MS-CHAP now allows retries (i.e. password change) when passwords are expired. - Allow "user=radiusd" when the server is already user "radiusd" - suid up/down works on non-Linux systems. This means that the control socket should have the correct ownership. - Fix issue which caused the server to sometimes have problems when a home server was marked zombie. - Fix format.pl because Perl is now more picky. - Fix proxy to Packet-Dst-IP-Address, so that it uses the correct destination port. - Fix corner case with cursor functions and removal. - OpenDirectory fixes and documentation. - Fix leaks in rlm_redis. - RFC 6929 "evs" attributes are now encoded / decoded properly. - Fix talloc pool leaks when receiving malformed or retransmitted Accounting/CoA requests. - Printed attributes again use double quotes instead of single quotes. - Set X509_V_FLAG_CRL_CHECK_ALL, and add "check_all_crl" to eap.conf. Fixes oCert CVE-2015-4680. - rlm_expr now errors out correctly on malformed attribute references instead of triggering an assert. - Make "break" work in "foreach" loops - Allow dynamic expansions to work again in the "hints" file. - Correct minor typos in comments and examples from Alan Buxy. - Re-urlencode the path portion of ldapi:// urls before passing it to ldap_initialise. - freeradius-server-rlm_sql_unixodbc-configure.patch removes hard-coded directory in configure script of rlm_sql_unixodbc - install new module rlm_sqlhpwippool.so- minor adjustments/cleanup of spec and changes- update to 3.0.8 * Changes of version 3.0.8 + Feature improvements - Allow syslog_severity to be set in rlm_linelog. - Allow defaults to be set for bulk clients in LDAP and couchbase. - Updates to dhcpclient. Patches from Nicolas C. - rlm_mschap now supports direct connections to winbind, which is faster than ntlm_auth. See raddb/mods-available/mschap. Patch from Matthew Newton. - Recommend /dev/urandom for TLS randomness, instead of ${certdir}/random - Allow TLSv1 to be disabled via "disable_tlsv1" in tls{}. - Allow Expanded EAP types where vendor is 0 (IETF) and type is normal EAP type. Supplicants sending Expanded EAP types like this are broken. - Add support for server side sort controls when searching for user objects in rlm_ldap. + Bug Fixes - Don't complain about "authorize" in "server {}" blocks, but only if there's no "server" block. - Fix cosmetic issue where debug from the first packet read by a detail reader thread would be emited during config parsing. - Fix ASSERT on truncated detail packets. - Don't use main server log functions from within panic_action, as in the case of syslog this would cause deadlocks if the fault was triggered from within a malloc. - Fix issue in "switch" when "correct_escapes = false". Fixes #911. - Fix sqlcounter configuration to use "%%b" instead of "%b", otherwise the new syntax validation will fail. - Allow forward references in configuration items. Modules aren't always loaded in a sane order. - Fix more escaping issues. Closes #912. - Decode MAC addresses correctly for VMPS. - Fix memory leak with TLS connections. - Fix state machine threading issues for conflicting packets. - Fix copy_request_to_tunnel issues for tagged attributes. - Allow "ok" to over-ride "updated" inside of Auth-Type sections. - Update state machine so that post-proxy is run though child threads for performance, instead of blocking the main thread. - Allow "netmask" to work again in client definitions. - Relax restrictions on SQL group queries. - track outgoing proxy sockets and clean them up more aggressively. - track proxy statistics, including CoA and Disconnect. - If radmin has a connection failure when running a command, it re-connects and runs the command again. - mark home servers "unknown" less aggressively. - Fix potential SEGV in PostgreSQL driver on error. - Fix issue where fields like nas_type would not be accessible via the %{client:} xlat, for dynamic clients. - Set default busy_timeout (of 200ms) in the sqlite driver, so writes don't cause selects to fail in multithreaded mode. This is user configurable, and may be increased if required. - Convert Password-With-Header attributes to binary (from hex or base64), in the authorize method of rlm_pap. - Fix invalid assert in state.c, that could cause abort in post-auth. - Fix double free when -m flag is used, and connection pools are referenced by multiple modules. - RADIUS over TLS accounting uses the same port as authentication. - Regularized return codes from radmin commands. - Fix RHEL spec file so it works correctly for Centos7 which uses systemd, and didn't like the SystemV init script. - radwho and radlast now have a -D option to load dictionaries - DHCP packets are no longer checked for duplicates. - Don't crash in sql module group comparisons in corner case. - Calculate MPPE keys correctly when using TLS 1.2. - Fix load-balance sections. Closes #945 - TLS certificates are available again in the post-auth section. They are not available for session resumption. - radclient encodes CHAP-Password properly when using -c Closes #955. - Fix issue in rlm_cache_memcached driver that caused variable length values to be truncated. - Fix track functionality in detail reader, so it no longer fails with a "Failed marking detail request as done: Bad file descriptor" error. - Actually add the peer identity (as User-Name) to the inner tunnel in EAP-PWD requests, so it's available for lookups. - Fixes to PostgreSQL queries. Patches from Santiago Gimeno. - new set of consolidated patch files: deleted: * freeradius-server-2.1.1-logrotate_su.patch * freeradius-server-2.1.6-rcradiusd.patch * freeradius-server-initscript-pidfile.patch * freeradius-server-radius-reload-logrotate.patch * freeradius-server-var_run.patch added: * freeradius-server-radiusd-logrotate.patch * freeradius-server-rcradiusd.patch * freeradius-server-tmpfiles.patch- Do not disable as-needed build - Remove the with_sysconfig switch and just stick with versions- update to 3.0.6 - fixes a segmentation fault in PEAP module (bnc#912588) Feature improvements: * radmin / raddebug conditional errors are printed to the output, instead of being discarded. * raddebug will exit if condition set with -c was invalid. * radmin auto-reconnects if the connection to the server has gone away. * rlm_cache now has submodule support. See raddb/mods-available/cache * New memcached driver for rlm_cache. See raddb/mods-available/cache * Add support for &Attribute-Name[*] in conditions. See "man unlang" for details. * Add &Attribute-Name[n] which gets the last instance of an attribute e.g. Module-Failure-Message[n]. * Allow for redundant string expansions. See the "instantiate" section of radiusd.conf. * When checking IP addresses in conditions, make the right side be parsed as an IP prefix. * Support JIT compilation of compiled regular expressions when built with libpcre. * Support named capture groups with "%{regex:}" when built with libpcre. * Increase regular expression capture groups from 8 to 32. * Emit error markers for badly formed regular expressions. * Allow 'm' flag to enable multiline mode in regular expressions. * Support limited implicit attribute conversion in update sections. * Support casting between IPv6 and IPv4 where the IPv6 address has the v4/v6 mapping prefix (::ffff:).- Drop .keyring and .sig file: freeradius-server still uses MD5 signatures, which are no longer validated/accepted by GPG 2.1.- update to 3.0.5 Some of the new features: * Allow LDAP to specify arbitrary attributes for dynamic clients. * Allow one level of backslashes (finally). See radiusd.conf, "correct_escapes" setting. * When supported by OpenSSL, allow TLS 1.1 and TLS 1.2 in EAP methods. * Allow multiple new connections to be spawned simultaneously in the connection pool, to cope with spikes in traffic. * Use kqueue on systems which support it. This allows for better scaling when using many sockets. * Home server "response_window" can now take fractions of a second. See proxy.conf. * radmin now supports "show module status", as thee counterpart to "set module status" * "ipaddr" will now use v6 if no v4 address is present. You should use "ipv4addr" or "ipv6addr" to force v4/v6 addresses. * "client" sections will allow "ipaddr = 192.192.0/24". The old "netmask" is still accepted, but the new format is preferred. * Allow custom HTTP headers to be set for rlm_rest requests using control:REST-HTTP-Header (attributes consumed after use). * Extend format of %{rest:} expansion to allow HTTP method and POST data to be specified and urlquoting. * Add support for aliases in rlm_ldap. * Add support for connection pool sharing to all modules that use the connection pool (pool = ). * "tls" sections now have a "psk_query" configuration item, for dynamic queries to discover a key from a PSK identity. * Preliminary support for EAP channel bindings. * Foundational work for dynamic home servers. They do not yet work, but this is now only a matter of updating the "realm" module in a future release. * Support &attr[*] syntax to copy all instances of an attribute when used with the += operator in an update section. May be qualified with a tag. * The logintime and expiration modules can now be listed in the post-auth section. This makes some configurations simpler. * rlm_sqlippool is now IPV6 capable. Set "ipv6 = yes" to get Framed-IPv6-Prefix returned. The SQL queries have NOT been updated. Please submit patches. and numerous; bugfixes - remove gpg-offline - create /run/radiusd after install - drop freeradius-server-opensslversion.patch (upstream)- freeradius-server-opensslversion.patch: do not check the minor version of openssl, minor versions are supposed to be compatible. bnc#906682h01-ch2d 1717503676  !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~      !"#$%&'(3.2.4-150600.3.3.23.2.4-150600.3.3.2   !!!!!!!!!!!!!!"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""#$%$&&$''''$((((((#)))))#**+++++,,,,-..freeradius-server-docChangeLogMakefile.sphinxREADME.docall.mkantoraantora.ymlmodulesROOTassetsimagesfavicon.pngfavicon.svgnetworkradius.pngnav.adocpagesdirectories.adocindex.adocconceptsnav.adocpagesaaa.adocindex.adocmodulesldapauthentication.adocdevelopersnav.adocpagesbugs.adoccoding-methods.adoccontributing.adoccoverage.adocindex.adocprofile.adocrelease-method.adochowtonav.adocpagesindex.adocmonitoringindex.adocstatistics.adocprotocolsdhcpenable.adocindex.adocpolicy.adocpolicy_common_options.adocpolicy_device_options.adocpolicy_ippool_access.adocpolicy_ippool_creation.adocpolicy_network_options.adocpolicy_subnet_options.adocprepare.adoctest.adocproxyenable_proxy_protocol.adocenable_radsec.adocindex.adocradsec_client.adocradsec_with_haproxy.adocradsec_with_traefik.adocsimultaneous_use.adocinstallationnav.adocpagesdependencies.adocindex.adocpackages.adocsource.adocupgrade.adocunlang.gitignorenav.adocpagesattr.adocbreak.adoccase.adocconditionand.adoccmp.adoceq.adocindex.adocnot.adocoperands.adocor.adocpara.adocregex.adocreturn_codes.adocdefault.adocelse.adocelsif.adocforeach.adocgroup.adocif.adocindex.adockeywords.adoclist.adocload-balance.adocmodule.adocmodule_builtin.adocmodule_method.adocredundant-load-balance.adocredundant.adocreturn.adocreturn_codes.adocswitch.adoctypeall_types.adocdouble.adocindex.adocip.adocnumb.adocstringbackticks.adocdouble.adocescaping.adocsingle.adocunquoted.adocupdate.adocxlatalternation.adocattribute.adocbuiltin.adoccharacter.adocindex.adocmodule.adocpartialsrcode_table.adocbugsconceptsaaa.rstproxy.rstconfigurationacct_type.rstautz_type.rstconfigurable_failover.rstdynamic_home_servers.mdload_balance.rstpost_auth_typesession_typesimultaneous_usesnmpvariables.rstdeploymentCYGWIN.rstMACOSXOS2performance-testingsupervise-radiusd.rsttuning_guidedeveloperautotools.mdcoding-methods.rstcontributing.rstmodule_interface.rstrelease-method.rstindex.rstmodulesRADIUS-LDAP-eDirectoryldap_howto.rstmschap.rstrlm_dbmrlm_eaprlm_expirationrlm_krb5rlm_pamrlm_passwdrlm_pythonrlm_sohrlm_sqlrlm_sqlcounterrlm_sqlippoolrfcMakefileattributes.htmldraft-kamath-pppext-eap-mschapv2-00.txtdraft-sterman-aaa-sip-00.txtgenref.plleap.txtper-rfc.plrewrite.plrfc1157.txtrfc1227.txtrfc1448.txtrfc1901.txtrfc1905.txtrfc2243.txtrfc2284.txtrfc2289.txtrfc2433.txtrfc2548.txtrfc2607.txtrfc2618.txtrfc2619.txtrfc2620.txtrfc2621.txtrfc2716.txtrfc2759.txtrfc2809.txtrfc2865.txtrfc2866.txtrfc2867.txtrfc2868.txtrfc2869.txtrfc2924.txtrfc3079.txtrfc3162.txtrfc3539.txtrfc3575.txtrfc3576.txtrfc3579.txtrfc3580.txtrfc3748.txtrfc4072.txtrfc4186.txtrfc4282.txtrfc4372.txtrfc4590.txtrfc4668.txtrfc4669.txtrfc4670.txtrfc4671.txtrfc4672.txtrfc4673.txtrfc4675.txtrfc4679.txtrfc4818.txtrfc4849.txtrfc5080.txtrfc5090.txtrfc5176.txtrfc5247.txtrfc5281.txtrfc5580.txtrfc5607.txtrfc5904.txtrfc5931.txtrfc5997.txtrfc6158.txtrfc6519.txtrfc6572.txtrfc6613.txtrfc6614.txtrfc6677.txtrfc6911.txtrfc6929.txtrfc6930.txtrfc7055.txtrfc7268.txtrfc7542.txtrfc7599.txtupdate.shschemasldapedirfreeradius-clients.ldifiplanetfreeradius.ldiffreeradius.schemaopenldapfreeradius-clients.ldiffreeradius-clients.schemafreeradius.ldiffreeradius.schemasambaREADME.txtfreeradius-attrs.ldiffreeradius-classes.ldiffreeradius-clients-attrs.ldiffreeradius-clients-classes.ldiffreeradius-user.ldiflogstashREADMEkibana4-dashboard.jsonlog-courier.conflogstash-radius.confradius-mapping.shsqlsourceDoxyfileextraclient.ccore.cfreeradius.pngmodule.ctoc.cvendorascendbaycisco.rstproximfreeradius-server-docCOPYRIGHTLICENSE/usr/share/doc/packages//usr/share/doc/packages/freeradius-server-doc//usr/share/doc/packages/freeradius-server-doc/antora//usr/share/doc/packages/freeradius-server-doc/antora/modules//usr/share/doc/packages/freeradius-server-doc/antora/modules/ROOT//usr/share/doc/packages/freeradius-server-doc/antora/modules/ROOT/assets//usr/share/doc/packages/freeradius-server-doc/antora/modules/ROOT/assets/images//usr/share/doc/packages/freeradius-server-doc/antora/modules/ROOT/pages//usr/share/doc/packages/freeradius-server-doc/antora/modules/concepts//usr/share/doc/packages/freeradius-server-doc/antora/modules/concepts/pages//usr/share/doc/packages/freeradius-server-doc/antora/modules/concepts/pages/modules//usr/share/doc/packages/freeradius-server-doc/antora/modules/concepts/pages/modules/ldap//usr/share/doc/packages/freeradius-server-doc/antora/modules/developers//usr/share/doc/packages/freeradius-server-doc/antora/modules/developers/pages//usr/share/doc/packages/freeradius-server-doc/antora/modules/howto//usr/share/doc/packages/freeradius-server-doc/antora/modules/howto/pages//usr/share/doc/packages/freeradius-server-doc/antora/modules/howto/pages/monitoring//usr/share/doc/packages/freeradius-server-doc/antora/modules/howto/pages/protocols//usr/share/doc/packages/freeradius-server-doc/antora/modules/howto/pages/protocols/dhcp//usr/share/doc/packages/freeradius-server-doc/antora/modules/howto/pages/protocols/proxy//usr/share/doc/packages/freeradius-server-doc/antora/modules/installation//usr/share/doc/packages/freeradius-server-doc/antora/modules/installation/pages//usr/share/doc/packages/freeradius-server-doc/antora/modules/unlang//usr/share/doc/packages/freeradius-server-doc/antora/modules/unlang/pages//usr/share/doc/packages/freeradius-server-doc/antora/modules/unlang/pages/condition//usr/share/doc/packages/freeradius-server-doc/antora/modules/unlang/pages/type//usr/share/doc/packages/freeradius-server-doc/antora/modules/unlang/pages/type/string//usr/share/doc/packages/freeradius-server-doc/antora/modules/unlang/pages/xlat//usr/share/doc/packages/freeradius-server-doc/antora/modules/unlang/partials//usr/share/doc/packages/freeradius-server-doc/concepts//usr/share/doc/packages/freeradius-server-doc/configuration//usr/share/doc/packages/freeradius-server-doc/deployment//usr/share/doc/packages/freeradius-server-doc/developer//usr/share/doc/packages/freeradius-server-doc/modules//usr/share/doc/packages/freeradius-server-doc/rfc//usr/share/doc/packages/freeradius-server-doc/schemas//usr/share/doc/packages/freeradius-server-doc/schemas/ldap//usr/share/doc/packages/freeradius-server-doc/schemas/ldap/edir//usr/share/doc/packages/freeradius-server-doc/schemas/ldap/iplanet//usr/share/doc/packages/freeradius-server-doc/schemas/ldap/openldap//usr/share/doc/packages/freeradius-server-doc/schemas/ldap/samba//usr/share/doc/packages/freeradius-server-doc/schemas/logstash//usr/share/doc/packages/freeradius-server-doc/source//usr/share/doc/packages/freeradius-server-doc/source/extra//usr/share/doc/packages/freeradius-server-doc/vendor//usr/share/licenses//usr/share/licenses/freeradius-server-doc/-fmessage-length=0 -grecord-gcc-switches -O2 -Wall -D_FORTIFY_SOURCE=2 -fstack-protector-strong -funwind-tables -fasynchronous-unwind-tables -fstack-clash-protection -gobs://build.suse.de/SUSE:Maintenance:34057/SUSE_SLE-15-SP6_Update/8f38b87e450812fcf3f108ec13b38120-freeradius-server.SUSE_SLE-15-SP6_Updatedrpmxz5x86_64-suse-linux        directoryASCII textPNG image data, 160 x 160, 8-bit/color RGBA, non-interlacedSVG Scalable Vector Graphics imagePNG image data, 170 x 24, 8-bit/color RGBA, non-interlacedUTF-8 Unicode textC source, UTF-8 Unicode textC source, ASCII textISO-8859 textmakefile script, ASCII textHTML document, ASCII textPerl script text executablePOSIX shell script, ASCII text executableASCII text, with very long linesPNG image data, 100 x 100, 8-bit/color RGBA, non-interlaced=Nw^)'yWutf-855acff404f6928df61927b1b4c202b00835dbb724ce03d0b58a86125fc21cbdb?P7zXZ !t/޶]"k%fm?1 1N8#b?;OT1]ݜρl~}·]N#z+ gh=8Uv$g<=w׌D O_뙗$!LxJw~π:9y"fEk \>E>2o̕?fo r[1SU] w]ǯە2uQ/=,D$%ks G!?2g4卒%mrC>t6KRZ(Yc1bF#Q!7FtM3N Il:APAV2}-sP5(`i:Ckkv<n Sؼ%|]K5Q+)l)(YGT| T8IV+֞y#xw1sJRـwUM;f&6cxDc1%=Bzux}$<&9D܂ %nfd"Q dX8pGNMB?#37WMn|~ a+E Rp nߨ{o{5kt`C {5W5},n?UxlBYb;`d?mbJʻu#\.Bm%< FFM2Wbo khC{뙾ޣ;H4:yT7Ev*x\YܞXs_Q![Nz{Wշ&EN|$@h YXLybOV]Nb. ,US{ݠed2c7;J=k'zNWK:J͓[Âؘٰ3\ Sa8nJZͪkz4]'oWN K 9D'bHe%уm ߥF1:)̷^ {e!r%I/v/>W&0 }7U+ 8+Y̼"yz3MvR`eaΪS! 8{!! єH2F3OFL5ˀtF]DŽ)Цd>y])&dl؃߳̽D=F]p/I}^8-N @Zk9܂U4oZ (ع4{Go~#MF=Y"4R`rK1\f*eW3JuT~:D?RrfGC6o&B8,G/j#;WanنUŗwMV9 c^4w+e`]bXQrUz+eJ dzbyb] ꇷ?,dJ胛%DQ+ 9:01hFoc6r{X?p=׾YPeXl=Q/8=Kn)y}1^W9&;wYoYeդۡ_ Zr. e6^8[cS6fCKO4AUa\#Ҝ|^sY.nT]_Dj\UeYs_J`H Z3Do4!]RnZcG؎[ 1r1' H9֡ɢԂ[a5FiH闋b i\JUS1-f5Jj! b*_vRV=zj_ <|?‚ W$ d V7G9~9isn2Rb n};SٳpK&bP  NPmk"@ڈbkU_wp-Ҿf>r}.я8n3_]Hi-9'`~/'2᪇6t$K C O)*Th W49Ѕ އ(Mzp}䃘 qŲ8{+L#g ;K]%JnjP@KEżo+.9eT= NPkF\3]. ̾F&@V|[!OT+Tۃ~ YjZ rXNg =.Qbs,vB^Ok+]}~ċ^\=@ބO[^OM|&ig}cqhXըzT̈́&}Ŏ7ШM 1}(,rʻn׶vD=G#gM[શ.X ;P˭ݻ84C j TIAO x5ߑN 1UFo!WhBQ``衍Zҍ;3-`m0dz[XY\奈?~r'V"ţt䟝[b:5Աr-|ޛF&vGG^CUy׺# T7[B::=tB=[HRݑ2`Fɸ;G7v(F9&{!xEܲ|uALx AGJյApqX1ЏPgM_ gJF|4_Pv TpdY{zmVBM!5u *¯֡sp:RMX4)]Ql%f] 6U41yفzh4ō"-^#z=dyS#x &){row~Ha6.=Z5Tf$h->nR~ba8"ȕ 1GpkVcEΌ.3BX)pvi>$Щ7$! g+VmQ/ TpzkaR(;B:G]ZjL]ݧV$5Y1}b LI 7~A ]gbc#C ^Ǒ=΢ ?/KD}֋{vpW>6@W$҇7(nٚ+ҁ{>r7,LPģ07+Ny*Bm:rӾOW)ZI'$9Ɋ紕" *XHvn2QY$MZب1Wۮ*o0NC=MJL q dC}9Nc>喗~sǑbx9|2zЖsP" *;Q|VE =63 ;[EgB1p>R5qa% Q=)Kcmc۳5ýT [79GX5.:@ǣFJdP]~^7,{PѬo[0_E**M!ڂu߫ЇZ幆|:P+6Dԅ]-\Qj4HyhFYjmpUV7R;wzfH~/ BsީwG!;aN<$- )61V,! vxs%˄ȅ lQ[in?Yqu$_ ƗVhpE h֌e[%=j0=]] f0 <*.]QF. ٣%zw6A7zdOCOg`c:{.Y,B.Q2#Q#0sY`$M x+gw9|ֵ~ջM pu#2=LyT 8`Oo*WYuޠb6,.N g=3!l0QnϤtOR5v+ao% 2j8ɱj%l'O:_Q1 +MjkwrU[ORz[y] 7Olظ2?@Qqr;(=?'DF%7bϽO1 o'18yS%lk0[ Lz:):aKDS'~>]00 򟣍K8I6{ ;q~Ɵ\ K3f;@"Cvr..Kd!F(Bb'B`Th+uC fcbRf dnԤ;~6EUU0ivKgّ} T:”hab,Dy_yB`9ޔ*z(ycߵ#KS3P >1?J+f0ސ[Xb7fx⸞tY 1S"PnV?VI7si,h1Ya4i"P+mڱ%?O1q=f 9L|%K~"4{нW|:䦮P[2%,&:\L+6%WOڡsᢖޅuWesМ-?P=KC\Vhq'~zڃs?bOp[%Cz!o :G.ͺx؆c/q38-צ <{awѬ{LM 06`z;6KYʚ[&OO c>c趜=0IM4%mg.Vw~ ӛJhR:Qy#n^e3TQ5`xJRX>=}Ȃ_K;W=(~|=QH\3dgE.t:T޼z[ Oɡh4mOIL#Lb6.tI':dH`;J>- #Kg?3={wپA2R1ӓ%~F+󷜣&!'Bb"A=lud<1{Dԝ֩W\bgX3G1;JJK_rXCO`M)HT aYإ=(}e+iiE-4Iۙ.E~P&2U;h4Z&qI+2W+="qa_VYlZiG qQt>4'$` ,)JW5~qVi_07f ]5A ϐ UBk'Po,Z:?YיG3 ZqC ch8Q˿n s$:0%ZvxFu3541w^S|XjE? 唥2សJS/Kp8oEon+xM&w>CIJ,:4-TFKl,1gEƒ5VMЖB>r}fT$jl4Sh=)?$ `iu.vz\$‡'}$ &1#D\ Knz*%&Xљhs⎍1so=ӶahZ\NpVLRYbpA[u3]{/)o:DQ/%L15yQ)6M;8+<>8r->D흔$K?lzŠ ƨB>(12QpAW:ݛ*UʶQsfh"iJsɥC>Iݫ%2_S1j\z\XF59ݞ;9+p#@+߈9zA9lw4vߢ-t8è;Z0q#+=z,{_xz]?kF ٥'$ &T۔T&#|_ǩ@mvwqiI&'!a 8uq2О0+)-Vz$>ȨaJFߪƔC<O39t4d5{*M KGGR 4`MJ,S":f_Sk͠3ޏn2 ""\ B>C8i$o,{.6ES|qmr/z @ԲsYݹ\+2VO {8_n B2 e-1I"O+3^љ sckBY9dfSp3[ޱa"sI--49' ygJ=FUOg*qk$!q o4GԘ1'0_DWдfWK.єVO9N"̽ίZhJªۮ+{۸wvkuN Nӹo[H$O^6@&V"n;fzi8gR] UMi>oY b#Aok7lƋ>*3MMrt$/2o>KsIK#zhcLԿx?[ 1xu04nCK?lثӈ MfbPPt4,IyiZ9nЖ>x]ܝMm:į=T#|,pX7y V] K_ -:@Sg"( :JB߲^,l^Ll!YTs8yGY~!X v0ܢcN%RO;"r @8e>J0XeU15K.qȧ\uX ƃv߫XyCF\pYUo52ڕ `V)i|< Ϋ>+oN{ i\>ʼnRMWz$"R;c( 0Cz"jp~-K_C1#r jnp_[mܟ-8Piq5>3VΘP)^KdI, dwoi2 E) N9m'nB?a_qW`(tRHUM'x]KKxvjP{#aMX'H|'AKPPҫ,G( ЀAO h=b&PmoEvB\ԎFy Tc Uwso\VxYQ,B -L` /2(ak#60|GCܲލ)ۢ"]wݝ?gʿ߂^P!ܗ bӝ8=,oQ [\x,>[7UCps͖N;qxА̷;$I43a'F݇sЏMƂNsN8CU:>Dlw6G'1bELrٗsoj[U*0ƦA_0%ٝD ۖ

_yVg8M@͆riæ~YT;ǛT$(#FoAi EGt'Wi \R`LIMHRw7ëg7S W1k J_8׬ n(Ujf~k ghCJ-\OD7o67mFYHt؀ ^G3鬍$.=aג}WF7[%w)Zk7vx.~VPVf\׳j] 1trb\^&ft.T*LJK 5-C19| ]JgByn&*| NkƄ}>]ƈqhѱ:,L*`QD"պڔ {ȊBye2$Wq03hή0 ͑gr-%S^G)OYlqYl;f$>Y^Guqކ CTbɖ`nYvr+eplڟ>U!:WhwARݶ +] g!֬;7s\qD3g=l'#i8&C~r.4Nvt4*+qVƳcqTkN%7fTАERI)RZ—2:p9ņ{wF;9֩_6dV14Fuh+ԗ"3J(/u0[V /iWrnGn.M!DM+2xiw>R/=KO?vvZ@kslq1UMN#c-!%/nX#!\֗>ltNYC4oޫ?dےo] I,7d\xJP5MPBr(onjy}i*xH͘ 1Y  j 9~ r@??T!Wg19ces<;btŦ3Wlh/kITpc,>̲C6T|ȻL¤Ay_ bkp;E+jj~7aIq<ֈ?a,W d# uȬ=Xy C0Oum]l[Wr]e3qehaºa-tgۋ;ÅG$JBGh}Yߟ;QzFiZLjBn*?99m*P4=< ܞVgW. D'O۱;wd0 q#6eVp?[5sCe<uC9@\Iq7cLU9JՆ"f۱DPJX$dۍPvuD).7BiU#m3J.coPS^ytI1cckʸϫV+Ω'Zl, [<coB5x'FΞD=4-kc'JKΉjIq/H mxh&S'[^@aQpBaS/%{W,]2( נ!+.֤d֒,VPSHT)@B%-_ABCe4O~#h>caLt]\(vLX6䞕LYGًakX %wbVvhOfX%2J{)g>ӥHM"m/E3 \a$a6G@{Rog$'Su- g?a Z׃OsY Zm`̄w; gaP5rQpΘ![ cc0g%W2r8wVG|baێKEI Vb~·AXݵ2G/=u,dT ȑ(G՟Uô'Ak<(Yi$_ 2ҔoyH)ɴc z@%u9./;XV&#u"{>Ӊ'T\&vcGx4+ ӱ0uVʢY5W))Ʉ-;|A8[Q`ǧ?E)ߦa BC UR|rjf\Gp&[hUnJr_ֈp9[?*D|2jCQ*ۓ6ur}8[|X!毠e Z\-:orE{=I?RRu3E,A/V舟m·&[pVË2 vH1F;cłEDtxSKw8R"9b [-Q!* )fGwѪe2Z93viW`L^M5 F9>^J+tKG8"ì`zw}nv_ˇ͚5dxvW2mܪ!;ÿA #58` N)Ncg0wNc{,G݁q=K xPOӕ2Ԙ'Hh4%qNsh.9$hpttzII' p!/tB3ٞl97Ѱ׊F[0zRUjrkX[ H' u]Fk(¼@yz6$rC2W?JWcN ɿOۇ%JdO,|ݟTMh-cmoZT/*ܚT:[ a>u42w3?͢G~,2z^= N›(t AHTYQ{SIJkbPUSoǠ"š-1,#/̅Ϙ,/8-5+ZBxl4N][|B$l`|*|Lc\Z&'%[!J@>;P[NB819"1W@m//-,FSK*DjZOzŶۗטf3xT}<.I7qm reӈݤLJ&4Z\GڰQ&#Gokœ[z>P㴷# >ʼ79  ~j!S-'^)UDBd!Kt!p;'*=NCp3(Q!A 9OE`N"<&y+8bijxnwf4Uƒo^d\Q O_F+MzdEIw,EtۋK!u6 Sz~ɂqT%쳐]0շ<pkx[dn=~w/}7.Is[$h\I@`fci%r~#n(ͺ1<5V?_R#ɰIhxg[7."O>7;9&\w(u~I"Wt҄`8GQ bq{/0^)ǵupC]h{t-E##@lTtJZv9IK?{HD/X"!W R045C5;KGWnQ,<iRF ~H雲o }s(4%#A5Ap i*x IRnA2A{6$+ܩ;Ju9)ummz5,ϩHaALeqBw q0ZO1-<] iaEt}Up7~9\rw!G͆Sɷ>%3tf!.ےϻLt4i\uZ"qZ C\eSE2sa1fMinH "k9-kTRӋ:0 hN(-{Gֳc+3ml3]T9txWuۍm.˼ŗ+тf&Y:_O_t\q~]kPh蘓AB+ g`C4:čCߨLl~?&b- (bN&J"6I!cS˨mΐJXPփ!#oN"oRŠd΀ wT̄*DgGX R?PB8Wn|{& >nkq ZΡ ]GzYϽ2_ח+dFZGAhPE0DvU"e{Hյ h"+"U2LU?_˛IvrqƗō} c%)k6F$q+^-qsܥ(n]|?SH)?M ]Sx3,, $#~ِ8MPzlypGUPFˊEx#bm2gs0@~O56mO2)hueQ+nkKVIqu/eMy`.Qu=G}`qΫ~WgXD=~`ruORXYTQs |ގpxIZX /`ÿpl&ADo:E1A4SbY^8~K]QgL2T䏍9W”yx(ˆUA(FNJ@wcOX6 ~ orX}|@/p 37_s432j ,dKENAQ$b/e} .bJbJm{+1X̮-x>s3̆mlfM6;rAk/)1bj˹*]nZTRG~e2_Uk@ T_'$@="4tCK/JYR L(+k OOƥa_:-Ž^=w(]=)yQaߍJ{'4'b\s_ؤ1Xӧ ^lN0P!9z#4!+%bE^. @}4ZNqX pòX\9{ y&0K չ9%$xT1[UҡmxPo"֢)Ys>!zl ~;ay72oU$T9Fvt@kFڗbv x?IEy-Qy4?6ˌKyWy$ZF9,/+{ 1xQtzi~Cq\SicDc%$Q1BޥaT}&uxj!K{D@v3~4qh&@џ(]LG}>p\)~k@D-5S)WC[H(٭3W3}cD7p6)q@>4 ق/~en{>BGadw=8_d?fMoT5'uĸK,J4'gL6_o;^XY,XiSx:*qӉQjIWeCK2p@ىNF iG1CydxE "ZEIDXRUKñ&曤*n*+KjFuI7߯[!<&qqvP D))[?;.֮JtYd_a+À m],x܃PS,+P EvA]pD@3hw]nl0{CTTC;,؆qkcESS">7sNR/x7ȸۻQK 鬐FU`=1뤚@cǪsuT坞'u*2u2 vMցTs8C'Rvh0gyS#$C!NQ9#1{1$a"m}E =41YQt m`@[s+ts;\בLK48'\bKt!jʬ&>|ꄻÀ_oFeܠ-{ͩcV*97yZqy SVi֚ zPh E&fEkNy[Ʒ_SqB/dfZ52]F^KÎޔwMD]ڣXl0„dLg4UIWeO& fǚtv9Xz">X#7aw8#"J%8r_ϛZRC;{e*! P6={z>4ヵIpJlηJ:+r ?SةxlYtX$ںdz Qǿ9]QҊ V)TO&{Y[_%e@6\A[T-hGw><@cFa|0j9@9sЉ%H֋2l^ e.K]\T{BU RP֦rp.KiGV0rYfU3ۺ1Qso|矇PGLA.!(Sǚ:HDžq9Fh<U<uaSe_<=6R-6%IbN9c ˯`vJG8i FebneKݔw 63,+%^ΝT /jJCڐ] ˺=6!9@.yC/XmqF.1lkP ˶q;XK-:L<HTF51"1Zo嶼0sQ"#Y" {rUgx]NUiɬl6J$)V&7,"v.M{9<013cE6w~E¹;BQQץjsfK`:\%ӶB* le|Ϭ-Yô5tס0ГZ:9HK.!_όs'ܖCTe[(7= `'ۥhyuE-h 2~$O|͊d<+?f#RY:pqtBu>];t֫<ɋ?䉳@<+A:(W^ksvw9=!N$ gdA% - ;1j5b'>a@~h~տlx'Wt 4\OxY)sP0(LuG;J`Ģ16vf>bYY:אa WC P27^ajxffSRN]K2jG(3QlY[zseꮘZRA&{h;i(br{aO0$*]+(7:2Q]*bx%_vsCo^9<#3dً.UʄRcP} iaL첋̀BKwYVo<(EdybHdK @ vI-4]y X$A!ID77h;]P+/&0j:I pf_Ɉ`( EgWLu$xe$NQU~:b&^O{ȴ%Mk{E*UcL>Q:_q1 O%l^I(^.9Fw!dbmN;([K@?߿q6[=q][tATIVHlyAkx<\,.I%1WJ\J|v?c3Z1 NN)pGʽpnA ev'=ԒjP KD^ވ͒ܕa16]0["9w)`c;L lP/zlA煉ld jhn{f6^X&zŖDe_2=IעcX^4@:Ƒ\sGFS'$4W/g`K@{x}G*] F0[h81: [YOwy"H;$ac es-JM=ZQ69)ͳk,h]%SiGIIx HNy+Xި`G9tԸ1Xz鋸 ilALhTz#;3¢\Ei!3@-5|- TPVP-)H=p\p w3Uxѣ-X\xP?ɢG=A1lb!'טp|cf7dkY/j#0*>MfF9 lrafhNfN<1#uƒ{.[GP((@`qKNw7edlD7zG3eB^zY2GI\yPh#v>܎)K=r1u6{%tX ma<禴z}]g!t7٧J =Z=Թ͌r# ju]jq Ա8ض${K5YUB Ͽ]ωaώC8w!PLN1 Wꐟ6$ mF+TЍP٧{ـ}|)$e}‰<dI|,U.nAIق]Wfd>TݪݗU4&ܕCu~4_#@f7 R"%eO;9uzh:wZks}X:` OY=(-TY"u  !Y͙"s?~}zmûVFP h ;b Yk+=U Gb/MSxwr9f/I;{8b,C|NPxsڜHYMn}iQ鸑n/ +VidAB\>91QZ[$WcGHoT0wmWyj\w{ssa?쾏Fj:]y 5K^m=E[~dc]&Zr{$JULj߽.+h`I L ~xxX y#ob'V|2icNQ`Wpd6鲧G%lWGjӦB%% Vo}٤r5*%kћYAK^tLw 3%ZNz/BhurN 5oBd0.<hF)HnЍ8|qSIO 0#sJk.:|=T{})~/9Jqs|ܑ~dtB]dv8 uo"0B,R>r(g= r&"1%(Vxࢇ§#m&4ה d&L4!IJlaݣ Xy@(!14aQ?%xAUbD#@ʹ[mW)H}akN^/)C'r oc=LQ }d/0fjhXXgۼo!tKK$ +φZW1Xxko䀐^aR,O ։'HsSBLx<+)JY2PT|?gNk%AvP1WmoZr Wф-Q$Cc-[%[՜V\`Ȧ)|.4ɘGkG1ʂ]Eil^ZR3:r M~`fbb&j3 ?C)J8mX) ":8x}vpIG兹\d]CAz۳VZ,TնyQ<QSV5 _$<Ok](vmcaO>D6$p?mkh$-}|UL=fOQp 3hܸxED 7n9 OMv3D1T|)'FsTLIC*`l8gqĶ Zz7{gJm{ lgnVyNWSsrKPz2C_P V!,xz}Q䂹ZL}:($6,}XgVm&{@BDe< .џNDZJ6ժ,k^uTKQAg&JE ["a?$3A-[+jJf#n3z11Nç:׌3b4/TN7İj1Z—iBVo{QE'ݨ%[Ԝ\6/uwT YiiY5] R{ߢ5zocOtwZs)Dl]:q10 (+D<K|5\8zښ~6ІS31q28 (蝃#*xt<'s:!ſ %a6rYZ;%RD-&YEؽLBJ<<5YnhKYiA鯥}ui?>>xAb4A˲Xb YD뎀aWnT("V|U- !CQWK!3B u n 7e{R)9FD@K|z~>2'^Sjdr3]S.7 ߄6b*2W} YM]K9JQ|}R9Oj<ߗ#7D:Ϩ/sU^߶cG|כ:.I5ߠWhwM,CyF lXMޛ(X ;>u8q-W`󆐣t{'[E&=WfW0]Hy*9.eHdW꘹@a8?wdPԂ!fTUŇXMzE ۃm7T$U],#įLz m!CZ}=WUI}g~F7>}ofw+Zo=ww(}=ax);dK&z K\b<@l2v7gE[@γzjxjH^)BROB^+å;_:j kTcv]hac:R6#ţ?vr\nMiHm%zXE7D]\St j+L fW<\ ڪiŵQHpc7` _ &%b8sޔuqz(j92Gx`o'/XzCFĔ;kz`ML[hld\1"KcqPˌT-y>RչMG|ާ()y58SGeT_͟6URG؈%C!_Za'Wz+c%q`cKeǛ ܀ɭsq:dUzLs' 0rS膢o ygCȘnըad[O%~@de [ǹ7 j7ǁ$*LXj$8Ԓr't/۫u!Xr>/s艸h 9zY% ЩHPzml.Fؙ / y XG"3nՔEΐL뽺(7|r.SiclNl ƈ .5"=Kmѧ`4PeغΙa-$ '88v{U-͌z~PmMTL3'|[ty#ZO.`_;xC!#jfḱ{­ht Wx a H̀S?펦vg Y,s{ލ8ˏGǙHij]s`;Ek5Ҥ1n Jvbi4m–P"\sO8fDo@zdOSXfۜXʢ OU4jO*CH@ ĴBa+bN]TWShp #5I] "f 8)0u6c۳HTҸlڡRh=s~kLEYvXtY'Zg}[,5p)bv opKR81z_)&,`.3?[5*;M8\yeťlC`^V35:WJ}U9Xq-|s֩!hAǫjV2永q0cbxHPD>ַ0}JCٞ^3>~c*Y{3ih*DŽ8v=谐˯",7NkKQ*+xa>MAXH!5tf1fc>?ܣQl#*o(-wE2~CzxeJT~8G#HNW*ژ *R,L⩕&MNh;1&)<{6'E0醚LY'z}Ӗ}؈ ԠV/ LlcT)^:R9nنtB?!YU1S}i9^t:Q@wb qmVDoΒ;8F0Tȯ TlݞnLj/ JqV2 F3Qu3sp A(-ySp vN7 P"'=N,4ַ/wt,d1PWۢv\N&7R3,+ tg'^}?a3{Swr Gr1 8# gu? M?JC*JIi4yN:Pڈ+Ģ`'u 2e7qt{#' ~({0(CbTnҲ/c%f=['qWtѐ RkD^%=H4 bi{*PѸ%H#^C'HSo. / F;]i/!pPg-0E@`VDF[K;s^]7AuLf=%<^?' 53yQÁҖIg("`Ɇ3Sc-uȇ:ϟJnNk;|14y ${A EKEZU*.)FPɕgul*Eh2\_OBwjE!U,2SU*Ormh4j}R- UB zKO&.M8UGI6wsK R0U!Sn@'tEmOԃt=ZtnOC}DJ%ޮrً81 ӣ59m)e&:t7F԰Z "P6!nmR[x/bwά7DJ> E?@A0X6qTC/XЖR0D(Xķg>f;o{p"Y;J5@LFevlnFFt”&EU X'cG,'"f Mt%kAXfzri!`%@V%lD"-n-_!v%Y\fK ?TʒvH;yw/!d&' l[ IE@n[nhHA @&}.f‡OeaM T..&G74 _^?ﴇ낃"٦pgW7uIL;Qה*U@5݆'8b d~p:U-,li--}{oWaOփQ/wv"H]g|wlHԗ R~x |s\g̖l/I[o%pd- ,K P t8nPs8A 2Fg|XR_g]#UZ"̋ fJ`g FOqLb\X$z~uh;<ڮ8: 7zss\a]մ#N݀m[+;်EygU>b-QbLYV./m/ Es=2`1,WDʁ$my!Nܑ94eG[>DM?\~fTﻣfLN-H|]ZI|Cbچ;.iH)";fM(F{@T S&he_:ƣJHVyl`H mKzυq>y[5ܸ壓*ajaI{{r,؍ /YwC b S>n"҉]*~WO' nRc;nϋֿ#&Y\;!t6GeBF%=le ";KEHIGq4 =2phojוb&/IȂnOo7quڏѨGrĔtGKl9Ma-{H4 ,Iҁ~BaSX] 9yLvYP8 y8E~Ht\( F+u #3ˣ;N3jN+ i>p gG/<D,U3dAmCr$h?&!U ,bT=0 ҧ/E1m{TAI)AC!RyI/3UI|H9j<''4#lrVo|ywO ӭ,ObԬo~`T<$xɕEp{4Mf Umb% 3ea6\͉Ț>'j6#;9Sd}G09}C [FA )//`yPLmڦ'|pꏯUcCԕ>,"vu9GY\Xlny|EN9i#P29e[_/U^~qr5P6Q??/3ذ:iޟ^eJ豮}7j'F0VOQ2yi_A& n4% Q6M70\\5 [ɹ_/"tbHt9#؊fv3bԒ"A=0 JeV9m&т{ .Ws~ 70ۉa8`8]ŁW#:eȘya:sQ YJ ngw3X&]0\rs.Zh&e^:GDlI08 :TUIM։r %:k&EHĕ3E{TmNH{c@VlX @N(ͨ%*qžKL~S IBw~ahrxq~ۏXK̝SiY#U8svXrUlTʎ)u^y;|1VzQrh9Q;&͚jާGJ{`.L#&s U ުK0KA1ui[Ca9xNQ^`6TxWʆw sBz>5/W8'b;yn0S+O1*H;n, D~  wR>=ߜۥ+δ*`.]d W!c$C=VߵmYR_%y FCQ{hEf>3?4Ԃ<±vvoo{:+W=,1JTN6ABI}G|{+֨5?ĒtuFF7DxVΎ& gtĤi[3װRvu?1{+c?<@*[^˄DE_`r>(䩸 vpBӾuTP1/'.1E`T|-lћϧ6 -Wo (K\1 [Jk/1ZqWQ~l ;ekgFk%N;O 뚷@d 1ZkdƫETpePT xH7GhJ08?ӳPqɍ; '(ZC\lA8[~Ǖ0. N-If^֗uַXw.a`T\N}4ҏ_'E ԑL3qs#k| \ B#A5 3ѷʕK̜fUhR;^s/B$=~9;]ϕ}f$Ť9uUu_@Çm2$H[%(\HǂFVKRE@V,SX S!w=7o,Qb?oc/qN) KrUMV FR,̚DF۱!|'GOڜN;9 h=I',\}4O8l -NezUe@?+1ԡɉ%9;;n[^?Wv 4JBK]̈́8 gToBSNlTC[ڸFxOt'[M V0aR|@Sw> WMrJIkݟ@sţ:CW)_kS;Ĕ~\Y^6\Nt`V^R A,L0\8g$Mb%1Yty}o2kt+.T lU?\f];W^㑠/\=X+ؐUPe8Umr<u1s. ɠu? cw)^ ZxJb·x/ZQ>Oz:I8sFZKy-]?y` LJW߹Vu(O0,GQH5 ?ӂ}'ScZ Щ#\f r8s^NT pV)1I{N#?I=Leg!KoLa͈0F0>Ux]%](opo." olC~dt9)k|p%jt?%f.jU5pph(GUZN )Dkpty\+roU[>{xںKm=rg"~sUڇu δ! ?T9BM~Vpi>&G\-7lRmF$D{e+Lޚ*w_QXCjq Dk3'@Q1S9ң<#i*%\$nI" }[] -£82``q9Gj~4<\; uʎ-OԪeJf;cW~-7Lxυ5,4y;Y3kgj-IGFkpOHdj|?Xn_S U=3ypKȭR~ m+[/X4ϧ<_'_]F|I$PoACol\%]}d>5~v+F6TmRТф":@tlf'mk PtQzDzNpn/Y2G?׍ΟC4AJQ? %W4fS zBjjBm9UD=?m.\47BiVYmME7J0T]H֨40II]wy  %)ia6/+^;" /m_q_D?p4D oQxp] xb_Կ0&: M[/cGbgˈ0K6W26b t pD$"C#q͟NDK#am(K6eOK5ܪ dM)49f B{7ʃlEmdGHZ !TڑE;woH o_n*Ǝξ]~h.8S >{И dohGd' *Z-Rf A+UfwNr M)K>t9tNR-1kKp2h#fXq V(F0"蹽Yp(w}S X|ȡZ$)'%#mAaKb_S듑<闭G.-̓dGyA#@1g#2L J,պF3U140eDA:-Y+EZ$5`"fUGQL?U\!@jdI'eF>$ K#rnrLc8B# _mcA`DnR˳?eA(n r1܄DP2N=?r͢?b,̒.HoiaPj5@W0#E0{x7:- UȠ"AN@ #p6Ma?S?M 1)-N HGPP0!Rg\hqYG(X'JI=ߔ4[M&oW@ <߬,9Mn\ :־;1 .Vg[+AF~Borǔ,!?Ǿw9|ோ-Dr( 2AX T^7C\N~.am OOV4>|i9^R}: aEVUAu[f;m|rƿ9/Q~WU{e .QZJK"HYrVܹ(Oh-dz!:/s IF.΋ǁD rn͵.I,pᝃlA׮4^[̣Ezp0C7TH0N*+ 8Z9k?q+Uscfζ®I>A:=?0 ۬LUnkhť`'H0{t=㉧g>TfPID/#rJ M w^&ёM󁞡Pu"ai*X~k\4b\ Rtk1Ce7; Xv_3^8U8+phJ"+WsX>)xaUbʜq+(GKQ" @rGǁl6WZծP8:FYgFދ*v"l>^K3XI%?^;3Sv(R&X5K]϶SV0a?&7QB: NQ6jcYY.zbݣGYa:wte$U@ ߞ)GUCvXjG>1kSeՠo9شъV Wۜ}p!@9%dӃ}' 9JҰ4}ߖ?\[sax~嗊Uj4jNr 1#dU0]pQ5]ԂYXb=伝_Kk{VL S E2;R % lxsֈio F$g8̘.6HBL.\6;*Q`0\ݧ㼶h_8uiE>l–jf 3FBt+[N<~㯷 @J9ߚ2~1 Ƚ`CEL4O7VpkW -7ٸSCA~UF^))Oa@Bx‘]:?RlYksײ b0c, JHɜG3xHy(JE~QbR711#o\ \)QS6!X_m4Uѹ·#`BW/**0rޔ!Q;,`,@gf]}bŐmafMBrV62ê;Z"VG-[ >g_>3gec4$6Jlg-z#S%G" v=#3uq=Ipr 8P {ƶ˄H.K!I frX|_dul<"|L.V8 , .Q8 )@tk|I$ͷk=¼2OMl[zlgP:]3qM"@[ Yt"Vy7Xm@<ב+bvJx@3B;_"2~>T7=Ⱦ8 }eޭ4IJHϳ?'N iAJ'^\LeB i,<קԊsmW -PgՀ'It lӤ>}Xze!ox6ng`r-MVAHg!mnDnUx|W;+7 9=BV1ԸFǭQrIywpAzJPPN*dY SRM%a3.ThQ[¼IE *z ngjQ &g:{ ծf$=#3Q8{x09^} *vd۞IXߟ==zuHc[,;@ybLVPKinѠ2pdtq ;+(L+ڮ4o,K-/r4d }SC"~-XVf673D?,NAd\줴ZY+A5uKܜLGxa M@:^(}FS2V!旴}J?UCcjUϙTX ;fx3w&̬dltLBb=K:؝19<^\ )݃ 0bql)t{yi%\!iE&H6QL!K%k§.'{IٖqQƚdY?͓+> E_]Kn/%[%VM9Vj64ST0`z9??%}uhe<,Q"C]䫰$\qiFD6!64 #?Esπ,:8R"{CG'Ȇ8i*d/mL, \nK_z9X[VVNis󟻶93Ie-[l`irhbt-l_O\[$p&SƟQ; Gv,7eh"[4jH)KϺ`"--i5-xu*5_2Vc=o#Εorh89F;y E< AvQ)fRBӜW\XZY2}Q0N~WN(Mˇ;)71.ﺰYW]Qx>' iXw,tfkiM59"U=Rr Wߦ~jbxp V_EirɈ.)~k`~͑G+ntk w'5ড়6NDUO…aSFMRsH%uD bkgYKNVFڢʗ wXXb!h:! цo ~ej1\j-13}t.w??F%O.՞ƺ{C#'"X6 |?N.뎷cJHzwyU#],iQ_RX]7I}$C~{׌=|Ou[#M<'#-Z$ >!<еIBZ$C+1G,̈8I4Pu/Hs k&CCNO3=E4i7+Գ/CaTqU}sە*^L<ItScj1w5 $G#]hMvns V3{t~Isވ0adO($GHujJ HGCGDq4w/n;T-f{`Tດ142圪<ŌKt7]<2,nR):vi1XF  UsW5@bNMuQkrox^$W-FV9H (N- pLX֝'V'vAHU9 Yb00'Uo[qdB潥EXrԮty|80&dOo:K`wCC]-ප`N@´oMfUrLI9H"23A'Y_m >(EDhR)PְϴAD/ qAB|̼X=aֳÉ%oT9B CR_YpNcs[J`rLgi^d;8DGN>6r&B_O$Tҥ)Q⯲d`"$ ,jF߰#.},9v^o>#c~'\Q%~oоb}+BƓk-= 6N1!߮ j|JP;/l1nVwjh͗Fۭٯ$=ZY ]n)i>SEx1mKO84Kc,S{̝g1Iq)?ѿDδvQdeK4d&vLtkt#`Ue`Hvx0OsM1/'s|J$+ctŜ]G`sŴp嶃Y%>kns`.ߨ:G㔘yg*)ͬw5U=y=BGVs(a6ymY;~#+8BUg")\WNŋHCODR&}ɲ-´,>f yzψ߻09d~N":DKYn'X`2TWcD s0!B8')u~vVfq ܯ^I xnfN fȭ} _gP0إ~m65|ih]|^?D-r73j b )1?Eѿ63B#&tDBxN-P;e^4T5' Ӡ\w˖Tg%蚊.(W7@{$ybo)aw =;ؽir@mMh&w񨖐F3iCA*d\9.o(Csu I׬QoYWv_@RnXB3TqWuK^p\Sɖ+N܊ىP>gt-C(@ d?Ĵq3SR+ 2O=gQ@~Q gnE69b27]e0N|5=f_CPT2`11+"|d;@D^"#8^-ʠFg6m^ϸ q juG߬#p=a{Nd~h?iIk( {4Ŏl4)1~L~fqόYaB<4I'͏?Wb:;W9bmeLNFq6U:_i?}f*!لQB~ fQ+5BB(OD~`!΀C@^zpZ:a`Rd~r bW_G1OV)~.-:c~Uླྀ})tj ǵo %?fy/* $yD Xuo=9e5ΪqbH(ǘ1f'#.7ok106\E-١\s?r4zz_0S]uc d-gW ť-qsmW&.E+:D;#-Dt?6Rx N^ô)K!MuQqKҞ$S4vuEL~sm+yp*0["2to^T3ԝ`jAQm /5Յ5JGx=;zbf/_ZWԄPEf{JF 6NxC| mSFUlGz&g8Gvnt4E2c5J̛Qw[XDmO*pFFT5!L4"j+iΥlW}j4U3.wlG>^;O|&E:}<p {F@/;hB=KFBlr[q).GbZ 33ފN>p2)m!@ ZIBTF5,S,7yƗi@yۣz h؆J q=Gu2ֲ_=:1i=1?Y6IŴ ܪ;V*ATYm͵@4/@Ӆfe ܺ 2c ㋠Z``qG+hE<~w="]aMm*nn_^Xq|k&dD0rq}; / =Ґa\.#3P6 yyO=߲@dmWm8|rAظ%{?!؅Z,<YQ `ܩuyb2YL۾)ˉHV0mU H ;rZ;[yr1g4%5Ʈ חba췲N@оey2k&YF3˸ 6jx7 ||M+ץan]m*Y[c~I .4ԙ!%0^cKCSlt.*xݨב8~%e{4P:&4oq`AU*x[W'3xL8`ZФ-tLr\{5r+4"6l=Ce|ÿvRV$P-5.}l,~ XE6{6+ʻB`B4(]ϣ@JlM2LyVT&j?N Fhv\7{ |p9b>or 'n1ެM.>iT'صA9KJ[?۰ek2S>i/hܶؒ.|o9X]wplazT]:ev*? jOkQ^Uk@8TvF &TtDV"1wrk[vY/e~o.ۄh2ݡBujiCh_2u0}[iY{͈ "pbi-hDc> W{m >咂m *z  zQ^W8R u~/B@[D`,'Uj6^U[gEjs14# _1{D?C_k)G@mu |fhDʝarfS,]%6ʅU'ɺ#d;iEg7N Iv)+B1QqI@s{ZfYԄp / TS. Bj^oT`kL4/Z; U MseC׋蝿١wH9VTrLMAVTkh2'fGhq8xvҗ`9:F|$^pծ%{gkFMB\EɊhF9sQ5k&hܟ& 9R`sG6fdY$hgrAk7k"<3ڡ*-T)oWg[c0X KV)HEv?쮥%sxfx'x=Kʳ|"rC^cWWQm_xV|UY}[^;.;v)]CEN5b&"k)hZ~` {]ZpGYqM6]6V[k^le(~Bf%d L^]fs'/ d 0vޥ%EzǠD%r4?e lƄҘJ4wvvA2a4 X@GyO`{#QJ~y VTt>4=kO#Hw1P Yfן|~HutlPR'H"L]8Wg MjkwJ*-xLMm*AN&=%fiҴ]tcWπVk`p}3{/tũ|5{í!5VmbԆn5=wX8~ttx1y,i8 0A7`S7"{t < T6Al*P-e4 gVmuQ8Hw-A]+Y-Q2;cEOum gc>@A5p6S٬^6ZmKH2 nm 0b;=o2Y> k68` i?\'nm|8ZZ:龍6dl7LfD&- knxRyȦ3r܎ٍx[l@C8֪H2 &BԶB0.~fU iXv>IJ DӎW[ѷ%(6zCVsΥ0p&ɂYũ2,VFLyg3& ^8~Tf0"H■@B;2&+ӄXѸ) ԈF]GKAq~//.OUALR\4&h5@*U}!KŕrV G oY?e'^|^ܖ2LjO%(3fne{Kﺹ﷨m`'_85uT4=BY42 e&&$˻xΪ TV)+dxr%׳$#V3%n7:R~Pi-dcSVVhBOunN>2<;)B4zQKs=ϨHꄷNM̟1@2XOb`DLN??u+oe$vJ3r} 'S4[|(k|R؃t1 6.!ɡ퉝"._2ǖwEs0Ͽ?/y\hY #tÀʮ +p4u*1_w-x]m5Tu=B؈JUgxF}L~ mŨpf_'Ssr@w%QY JXYUeJȖ 5͋'EgGůO><u {PTiF g$_SOA;͛ܿpcC^Urzŋ1c.@cyQBǻqg]};DQgYNJgV5s >k#XgfFNLsTdϗ bnV<1ǾccWR̖϶mE'etnC%R냀&@cND;V*}Fu:_\32CImw(~! 8KJb˧nMed@g)?`r PKl7=ܟ*Cwqu0}n(!a/ohNI28 /yi, @z{z b8«TAb \cl<vvkgB\UǕP(؆.Uߍx`:iDZR}]*bl7\͈)j̃bE\k0#xw;9$JL UH*5/vj:,EB}B%hQ~'j|~,|1XUXrS g!dr w"A2z\ iNrQ =ޅup)[^APUOc!YRD`@L7U[&tU"k)M uM`7]]!(GLjMY^:}<YL,~|cg6U~*N7gJ#v{Iyp5NB5#w _*t׸I4ej:@xs. XyNϘqCFma ohI5dījFֱɅp͓I[39d[Rݡ.-Q,#_ w 7Y7GjК^|`ֱ87 &pX(oc\0kRx;>ݗSw5AԮ@!'U`b-U#4Ɲu |9Mi&&,nh)hgHC)st 'M1rGf]?J$(ch](=J}|(;ebןlAƏJ r {] ½ &d͸sZCuPfZ[{5_rC&xaC \L@KL:K{ZA[2X֛QA"!2,۰gUzL$v\>hnW0!o$Jj'I3R[ ɥGb4vl2S4xwz{RޥQ N(aHDG؍i?c.ł_)"uqɐMnrX8jOgu1QC@U5iXO;&-q4nH0RUX;nkxQ*sm]S+ҝWXak"G qeb#ˊq԰lxɘ3 yO "[B <§GwOWDFfۨ+S=D3⅗m9Slpv)aNΕ, bҹJushgc&co^'s}s`&rqn},,!i;Ft XΎA`C ~ Ά -M ȂG0 Xjm_M,\̯o{K`zNEQ!2 }Jq |r5Ygkn玣5}o3S),H)kQJѿ叻D><)D1M鍫ůgT&a9ZV_\惙0#>tI@cn}{p#26__jV@1 V <՞+ +ci0}UfzkP{^0¯(^\hlND aщ5_&A ヹ /.dV7o5>]2'R:nGfv$5̍1i҆Aa,Jd ;QlaQ:{,ԄYd@ H }ҳ+5 `̎YC^!:!8elǰy; ṢsdyyX'!E mNߋگp%!kXcr'Eunj*sDbHU#̇XgYQeB|ؐ MRZMK.SWr!ՂxvT=&2b7*HfOk' ޖn=;$&X'E5@LM^vz0#?tÃͬ!>ShXgj-LmȘڧޒy,N\b,qZT:خGtipPMs6d_-)ZRwSU :e~(h'_\ odD$㐬/XA7;EV!Q s ,×{0͞qJT(M&Bg[6]wZ`DMFx4G{ʩLg`?D||`5eS?2ta@|q3{uSʹx`u,PMҪ.Asw-Xҍ3f !V3QV8HE`zUB=^ί-߈: c[F`ȮiKf-b6J4tr4P= L?g5^ YP$j@t# LoCn^[RJ v}_ܮ&VNѺPgSAv+d>f[ X)_D4Bt0pJpSk5Z+.2}^Q|)bRCBѾ0F<&5UgP+!#R<#z=f!maz;1WDE"Hv{bDj.J3#x*>T]%B<'lh7 L00ڶ)1d ש ThXnh ~GEੰ9r~,~oa:n}mN0"}k;]- |ɠsxd+w7#]*<$G"K3tIB?ch)|FfL~njE01K%LLғ2O/{%F]@1yvca FfĖb$P׶ITR$ZPxXs߻@}xز7[sdylbǧ12ml/c9KpwLa`U!ٸ܄%!},65*5),XZ/Id !Ł6ڷjLr[Z妏rmB-&|gT@w`*7gv"Rʼn9*a^yѺc$1"xQ1VZ О;Glನta,m eDJK/3.2Pp͎5/*c,nBA5RΞ#>ukpEXAL FO{%Xʃ 5J+!>  EOj]zaan#Нcx_#D8#O,[Xi|XQmqem`pu.x]](uaӒu9a"zfaLN6]phg"넿dƋaD!75? b1OX5LC$Tg#~޺Zu;T_ԳGXdu"/UoZTLZ407s~B+1)y%4gm @g3ehhrN ڲCqI7{eaDH9֛u#ۅȄQSW67 xv096m4?pѝ(Ï=]s;sQu8f~J|[|8z66%'$]}_$7XVLkNd ފ^pMd2Q=Ff푅uX pmF('b E]"[e;^~F鄍9 ;)OX|Rh,0;VI-%[[dU<X<LB<ѯl@CNa%Fi>Fc۸y0 .󘲇4"8֝Jq#~.Pij*V bZG5a}%݂\a%4m̏wni"C~hoSٺy`^cJBP=ϙNA6ۮGv8i}Ψ]qCcQK~ΟuL5k?,y ٭ʣo=5cq@>Ǘ->!h/g"!&SƆp1` eK HfY{Oԃrê;a[λ2o%ᾩ2o3'1ïHѝAM_߱kT/ƸD|9 Z,reOCO{=?5֋>ż;IKl󺥝nr;|*>i'9咩Dǧ4*zD.67 &EYihtU2dgG/VG Q-f'ᲒWtrб,bC'k2q7rapD$&/bV RqęO ?C|U݆N`tΔ}lsr!U.é2$tG0>nPWC4.$ y/bh(0Vh!rIinn(uneOf-ŒyۥCSg Ln'$)w v-0ÊƔʳTv( ki;`(Ul+tff闵ߜ*w1z*|k6Kʑ_l_)&N_LśOF #L?caF;åwnEO|v5L4h:Ck#H v8?}Wڜ:!äTF@:AR mYΏ i (NQ$_IO>#)k:k b*M胜c~ߗDпeR_/>){6ۏ Mis#)S#^F}y~$5Uv: ( }-!U "Q]"Mfg?:xNlbؕ 2v,!S (njp" oz ES4E\B~b`I2uSF{ԤۖsbKÑ4lZ0 eEcF%#^N R3>4 "@^/Gf4Bgzi1wp|lj %V/{PQ(9*+p7KYk=$x튴fr+|9# Uc=ϛ,>*&P$FRm\cWϳ/,@匦os(vã#_!h_c&3Dy: ~QtnKLd)yRvdLˍAoIB} rWPi.4փzڰSmIR`kUudoil KO@̫^ /iۯ qV\8,X{`eyDF#F!É| aa 1k]&>yӭ׫6% < ' QbĤ@@ut@ >5hЦ9 tn;SQkH.CeEY0/7_G!(qչ @i$7e&̧!NSJrdzY Y"u!R^Dٍ&Hq0o@O&1dOFO+\3sMeS3ړ;D]Sd٬j^55i&42މv g vf@f%GY*Q$/r9x[`30_NC;HpΏ@OJS{u\^rA' f(iPI\[?j1,ȚglRoKL;3LSG>CVǮ'$MyVJI2Hϲ.o6v(M) =;eW^ q(p%5ba2z9kwen=>["Y'qD޽AURO:s+!,"*Ymuk92˕0NR9Qt:J,''JޣM'x(Ȣ} =K߳ s2f꣼foDZ63$T)슑eA+<`6^LZ'_i]:!F]0EZ6Knae$VΏbN`9g4 '!b#(Tt7d].|0gmGFȠ3MR1Nf7a]{2GA KKx;+Zl ZFt1 ]!e4К&χxS}:kWm9vK:}=.]F-}"Av~ؚAg:>Ug2,6AдdKM~HqS l]Yd9A u}Hz_(Ή@թ뒲3cNL<~g03\yA2c=e v1j(o]\ 'L2n骐; l]58 a|:gљ\ —& aly;/ML}c-c^AJV4^b|9%@m)}Ҍ μh8/CdN'B̯@siz9.X":ۚU*i,"V d Xٌ?wUl X3ݒ/yfgVme6C~}a4ԲvM <_&)t!2sNךݳALFѼvGvA؊J6q vmoG,?5Bӻ-^, 9Rt˾SlɾEDvO !@':> ͯ72fcP9{6H]`E%f<- )Ѧ -u_A:0q}1=[َ;`[.MK7hKhZ:\2+K0=SOa|y~ /)2wՇBX@b+h)=h~a2?%Pt+ Xel~QZ}v2#to6 {mn;-v@Cx.',$OzK=_8/2U$i⽐o"yt7+z$?Egբz%uƬqU"*qg 2Py{l2faI!56QXV!^O6Aۣz/OFzJAGc-uT_!Y]B3?&V,PŢ{ѡt_8V^MK}Wբ_yGD Mļ!cԀ$w(HV*gJ# [|Ǻ uM 0OؼN 0Qnl8h19zQ=E]uψ0$| o94/AWNr`65vMn*l@{ b2S|ҹB͉ ulq@49,0v07x֠r'#O 9awDsmV,iS%(76yhT=;ln!QEr݆#Cp9DHY߅ygrR=͗Nɠ1Lk&k /]T};> @d6$#6ڧlMq%WÒ-E=s2mA"%f@!sgDCْ:Rb'J8A\ K(X}/F)CW5?r& j~\UYY;[Fcpڄ/ªhvGޝ+ K`ƚmiϙLR {TJAiUAhi4$t& ~MGсH mV ˝G"W>|}YYb֚F/#@K Wczdb)qyFrU74dΰEFIB/4}/7=ݻϘO$KDb NoR 0m"ܣEsiE&0:dymCGLuJ+;X?;XT,dm<,Hwl|,"(y,ZP+P]~%ի_ qͿP6K_>IKmtgbk 31+4*P ]TRۆv@|g>E!k`*3u0Why z$Y %ƾ$&3˪w(Tv#zg[䆨I7N :D㱒e$ c't' icPe0_: v0|}'d Ls! uXD(XBo5k_ii y'%\I GiA7ȹ0D{ H T5v@Jp'&4n5y*CDÈԫ7)P[MwK~kP#,(L75,;!-ͥ)q5bی0䵣gN6N?5׺"> r^/2iߧLFa!`O^)8Ym k%O6̴v鲘95X¦5BkΡ]gq-4s`Lz+{[6>yB_u=(uqI#/56(tk&qXWwY)L-|}}&}íLhޢX5fqc/`@}k<@%.0f#RZ^jńAv=:iAԞ\Vcy>bZZ@l/V.[6+U3cO N^ʷ]o ]OQMZ"|Ą 4lf.)sYlԳ30 /J[4=*(gXg͹ trZ"MO -O-}NXiz5etDG==b*Rd2Bfʁ,S74f5 I)@~%Jr9}\?Nh3ԋ$iS_ӈA~5Gձ.tqUŷ׬#ynH%Q=+&|F`o~=[b'vԭZCcRj8A?R͓bA%cZ6-zX-i$wߖ=JA<73= lKMq3rrf\BV`HMދ7{v,UH9IIEn"-i{3ģHI6刕zpS6šݼj1,UID밮{g+GB1y# Q$ ]2%xc iLC jpt)O 2f`S2y4:: 퉴~:d#zV嫾l {`Hg hnS8O?mHaRy k`"Wzeuv ùW-fX@m |\H2~y]Q `TK~P+5Z6f q#T'bGtu(c$fFBDⰺaksɂ]#d,)* ''<&?@9v?A컯f[M&Yn7t5sìȧR'RlhRRB0@;޸DII'iHje'`?3gGrf`YcL"-.3)O[1s>H`,5rBc4{ B^  p)G&tiŝ?, V&Dq\P_c#-@Dp-b ʷugA=:uzt#zmܠcLm-lx!Rzn{u)F5DZ$`dqwrH5%5v|RZ&Rq"XCks} $oׇ«4NѥFa[.ҟI!_ʐ2l0%m]dE3YxNIE}S{R TOx_l+,&t=Omi` 16K_|"Wb1w^~#`N"y_LE*%u(La[>Y_Pe[<'+gty=GpGh'tFC]oİjqCZ%1oM"ij0.VB z˔v>{^H|#6=U[ٙ!macQYy5kK/5FqUDhj0Y!%j;K,=&ڱ!J3ok'Z1Ub4f2vvKVFfm.Ǩ.cErԂ*WFiF6$l7Y69S{YzjUʄ raH*c{MM)#<}2ьVLU- 1)V7VAmrT-K~>@]!R! FR<.¼c_"c+4T4bPG*=|mFEhaXa(VgDDNR'I{=Gss/QڤɝRtm63Mq!)94ҌX.T+ [ 3[IᤲMRN c4`=ScxԈ }.өr"n K*ߏW-ZU%3g+wrf S{Q~ JnfVm-s7|\y\rrA[0j ;KďvƏYv<켁 yeLh\Kz~$$Xbxd5]iKʫ [Ne7 \咴Eɑ|]X_Ռ5j0soTbnCe}s`NsIhͼno̻s ?#Jv>1 =v60zOn CYt}98A@G$B(J)efQy֞mkzkHa?#/oߋ#Jjq/,RHLNp?iuPmP9WEl0}J@%*x\|@E>v"sHy)_NRGߺYZs)K7Xg4}?'g۷ڰc}JGO)hp"I p? U~!fQeUHHh3P?)t\T߸CRm` Y HVf(\%$_MP)4@3D>]v`r 0KP>^>fowHԂM# OM)W 5BV PP˒S;IWY|_d<]*{>MϲgxQ+&a zm'OU {v}R2scrZnnMTF2{٘k7ЇʕJҚ|G2A^_YoZ%%T=~)QIj ݃rlES Vqygug"(6̃\RH!*FC/z6 {l7,h +.uQeEJ>i|" ɷ7 i[+4i2$м$߼pL GH .cD耋*6kPŶnڋV[qzjǀr i~MtE@߯[*7Rz\G^"'6ޏP}Ǧen_un`mSdYxїjښ9:8DaD\8Ls&a8 B~iOx+/לɩ)UN\W'P=0 'X!*?&jP"-٣4{/Z ػ&d: Gf#JWߔƸW3a7@q o+NcgI l[ ܾad[z!ƴ:c%_hd GVӈ.TRC{j{ tV >D8Nt?zNb;O5S Iʣ}{?f,֞. 27x'5cj{&YX%+.ǪQCԧ*_s^[jG!,{${VQːCښ]botG9 ԎN8yZ:Bi2r IU2eG8kkS"aN5C} I,38Xh0eb/WP}Hr"1n[ùZ:yGdK% p'l7dy=Lv-Vv-bnYB9%C k"eԁJX'zPr}-")>MTFsb RV:D\+″rxjChH=?rˋ!S'# Q=:cG} ybYkA:y;}5+(MY(b޳C:{|u&Si" O@Iiq mdo2hW40J,lHsuZQ7ƾu=#)UMZgl MӐw2+^X, H֌Te{%}f={g՚o"2?Ak8uvzp#* 󗫂7I䎣qx㧒PbRgo@f-@kXwcZ)MK꽄; )":,ՈIj.!g򧝭S@hu^r"ĎLL#7ŰZrsDg}P3,I8sx`!t͹T2t4Uv.?@x4E7J::Sk>-#&jQn,bW]-[\xCR8SoGLH+P#9#gАw[~[<_,>*sn͉vL gQv?bӎ~ytyD/d " msyC,B7i0B-GݨE}X' `XSiVt+rBXCõ1_E-^! ֌'y:\ ]_{FJ0 hM4q6M]"8W ӍLUBj$^bݰwA%Os7<GBQQ8" 6+.|g (L9`(}o h(&$&J7hTHCI8rXL=ʿ;~v2U -NQ즡~k?hzHσ oW2M?T2r+I&m`j:/33MmTKGnʧЭ >WF\ʖM'<7Z_Rσ2Q_N';nOBڻ}Dz5cQ ׏hy0Kj:jF@3:\Srz!a \(qycM27?tVfR* RDGӼ+3T0"C&!>v >\vK'́Y:'JɭO]3 Nѷ!b% +y;#cxSi2`0 R9 toop]Soqt3bI/#}㼛9d}gSWѾK*Ȝi,(,b/=w:[ۆI) 3Rt"9|䟡+Ey ~NmG$C*ѨDĵg-^} ݱF/]9!z{[9c(9Gq_]n:P_z֝m[_[;.W6emJ/=v 3[gv9w_qZMKU;&*m"680UZ2iIlJ#@>EN4 DxH5s{1LKω%5S :fU+^66 0%ph5w2?俒AbڢzqӺ97n˒1-06Ml ;ϯj.;+״{F)nh>|sB__f0G;ғT,+^f(ՎEq}7Op@/6_}&E-ek?Tm#ũ 5AOupw,>𜨛]}?yiD#$s& tjOuL@2T6րAYg?n}UPlU$z¨1)`m,jcK=q:亐=Σ4ޮa4d6R6<:t>B,o#?:qB0FR*KZ~Ap ׇPD 3q:xp9zC='krs)m:`V;`I _h`;ս'WVBq60}xs]שK%a]ciZ{cG=zvCxce}cewۢO&|Slv:x@ (HWx#?Ƨ>F\4EM~8M.4?hhv{Xۮjۀ]j_?i0Oh@NkM~vTb^5sjH=- 7/R Ӡ,Es؜P3v4C)Vm;`Ӵn#>`` ߋ}BF;~skZH74x#i"K>Z*w4Cnd3<:wSKHF7m+n_ W =L4Y/N/ĕi-P8WpDIjP^me.mp- D.ͦG,u6:L_ q;|Ppq /6RʃLRTvR\dϜ8)ͨ&; r*ѴLUzň >fhyȵW{"$(eș/$EB6'0?xS 2u;ZƞfgAl`$KW?b({"O9oS4BmD[,oyڥ/H?s'%t6II `R3.YyzK7582 wPmͲ5FT$A'[IM2N +CC%둈  aj|img"; !yNeevG/?YY>.QvUgHJP/kW?QW_<jfh2aEn<Nc?Zi)%HY~QAqCP{TIֺ/ڊ%)I~0e@ 6Mq\{n<`Vr5BChjCMlLkK!;7\.b)_=XWv1gNUs^K lؤc7Dmn}ow`\K!X:6&8}8Zqzzȑ Ϗ2׋D䊳 zZ69l鸈)}K>Uֆ{(w6~v&jRh\ X1_ O4d bR̂Y 2a+*[|k5> jN:sí _/xܰXf\}T ڬMZ'jQUȰ&||\2oTD>Xj*bIA(_ty o 5!ߨ+ E[p:(}"zFc=.Z\H3ZKiف"{3OE"1Ooc^E4GTRFVJ4; {pȤ3oNH/ٚjZ#(+NY'#*qbwڑ7QYFld(vYe6ZMmEuIL4`{'  dK\N]MEcҐLM"Q⬦x`z'N(Up"T0.Mℭ!Fp2|kY=9H DN&=* @$ξ-7@: CE-D.Ūw vk Mrg/#RN\ܚ ;-3F9>TbJno΍J;MD$ 5VSٖ駹;%(j]njpͭ[u!|Q! 3꿰F%j AHpHoGaE˜ngȐk ;+t$bm>TpTH'[zu@^j]at6Uoۣڬ?Ɩ n~w:f5z- E_,6 .PFM3r!=g[Ɉ-`[Fa`^XIӺ2\$o TH M#U@kߑ} k0bތSD,t1'Iiv"րx TLѥ,pB=3vuwjZY@Af+b|]!OLL={>R!B6BM)9g5He#Y@OA;&jܶTPLI Bkӌ%sE?#?^sԫ$M!w&xs{TX؆rA|?T)Q &5UM/gM"O=㫏KsO; $} ZjZzPJ6Rly`{˗.Xg}v)4R04k+/l1+ps Tq63fQ$(Y)375 (dU&BeSAV@>sFqٔ$_¹%v`=zcRv_UR%8BgU]mRP?G)ns֧TUo6V%B 7Qi=eKzF 8,nMczzaB?8 8lޚӈ5M?Y%HRfCG 5}9mnEX柿T5D¢Q4aX\Bt4>xe͑•'$:DkHnI4#^wY" C2:M_5 X(cAEg@\a}^$x$JL45*2 7^Bh,O0ʸyߌv{.Fu]s6-}#\gB`IQ{-ԯ53k! nqzq$2@|kՑy.jאʕ(kY5*LJ-V+4ξ{|piS}]\$ imNhǯD\0g>䟱j\j=nKQ/VU*]d0y.O<$x%v~PNp| OZ9<ڭ+6Hf[Ɗ]?wxw-3?D('- !2ʤgr-n^YΤbO:_S,uc< ҠN3eo}p_S=1J戲b;] tJ rL=nYQ}['}͞$s1;0Q͊s4zɯp;wA bT-eaF~6!YuQacH>/G]w7iYw%6+J-MߍF5K.}ۦ+ ٷ6K ߦ/,e xԔ'8c{u3 ,|q:b?_][ 3H C<ٍq&=jel$i^*8$nc+Ny*1o5ӓW:#~xު!b>` ZeL /zn^%Edp{ަ́أG¸Osz8 `1cZ=v&țtk.NbSޒ pFhaޣX6Ob:ɍl`rZ(b6+3s>,AɽI~/C(/mX[L._L=\Ow8&s)P-n?u70KxM,S͊ O>L~дJpF.*%Vs}K\ɕ,@jpltWO-p5+{?.ǜ|;xE3Ԏ3є'YF˦UWJ]㼪٦5Q) Z UI6,.By7J^j -/D//(6 ׌c4er⣭cE #xrSZ_+ͧOW\ _)'키RͱE;إ0}bqg cYh{Q+TÆ o z;ٚkN,W<[* Pe`"vj][Vѥ6} &(H;8V@ī#V-nCu)5FԆJ[\U g>R5|WnΜP@Z2(=>4nz [cA/7~f{G`Fg~f4H`tSvHǎ+ll,QЫs̻Bg8%8{'E]^B(>PR|g,;_iىp@CxF3l,ZWw>շG8Y}:-d m ɺpRG}hLק+ EO#݀Xc)xCŶ&pu |?x}7I*#1u1Gc Ј<ٕUgOЅ6TE-8< i$w9sT%J$6 a+p>M)9+='Tp?4bM3Mc<ﯟ=(?vI^i9-G %}nH$~P4sFxa NYW 734Ew&of|8:׮%BX)H» w$d 2FGhUokgQoYuq?jZA15W@|X$gٵŬ^O?#ebRo.{ڨMဲ%qJOVDk?vB5 =y}-==rA{ '#Д/+!1X<#ݴ> F@)?Ȟ 1bnl'vN_Z{99" Po[2w^E0; /1Po0kl!klB5ibg"ע΍{G)CT0c,:wKH7ޫ^.Qc NX0iĚw7+#v_B|wV }bq<]k# wǀMtāDW 85gE紿Q>QcE>* Bm% Edd53ٕ/3a@N#>->wn1Υk[X~=Un:/{dЯp8GIuwm ֗˦S$b%պbAYNvgKX@C[?[~0K-/ZYsdV:&`}D 6+,ȵXZn 7 ƚ:esJ ~CGb%kH|lEvgmW@H(WUlCmjJvcg_*qMiiLC<.eLpQx][DĦis[V%yLݷFwEFC0Ds#1eY=4; 7NRs }ymp ;&M72D꒾<_Fɏ.Kez7X6"xfǦ燞"ݚ4}eStZtTRk0D]g^JYoB|zLPXܷ~CIspݭ>NKL Vce.ȼ["A4bqg^8,:-2PIX KZ{ݩ֬fuY$2q|g-gHS rIv*CAsjTC܌9`. ꓯmL{_~_'ll ls\_>E4hNHu9e7‡#R4}_xuQ_/MOw\ϯiT f.!ţhe*IvZ^>`w̅^:q\LBM&7>]hԷiwV&^qDfTr$CZҏBcSǞ-cgX "6:44H,NLdJ4b>!a lhSYǽVW&Z,((S^,_ʪ95"76 ^;Eiݴ12a`w-ߣ1+n=TP3p˭t/z B`#NU@kA8)!='EZ]qlo , 5'CA2ҔY&Șh?sO eUr<¤erj_؎>yq\H aM>z_.Rw\S s]ʽ[f]-ebZD cNI5:ɵSNϯ0|3.м[%fH@0ޘw͡ec+VS[n(B!w{ ճ+8T&ab⧡2sC+8r$mo-UՏ=q*@6ĝU$@O.လ0.b {#60"p tꟘPf(?_e; |ʓmџ%ܒ4 K*{D0tX =g71&AWj 0s/<f:" > 1W@q,ߦ}k`y;eP%C,]ʣdٺF̜lÂ/YZ:l8Q kI Qbˊ*\[g]}ǩ3G-O6dc$Y|X,> NDjpb{ge2~$F{1@{R IO x<3U%ib $gFR?+g%DYYp5 %CgKnC!*xB|>l?މsTEm&a#kdg)ݿcЖdԔJuZv21 os"Z-K1_Fkb'`]O2& !\,vI~&QE'0͛MIp'0Nހ>bp =H:TeGﵖqmT7.Օ}綨]jWa"̆϶7$x$YQ"Q;i1[Ok=C8 CZc8!-(biGsut6klmY=F/eHZ2tEQC< ӍKB j}I@rV#5?C1_gA~ P6hhbhk%\Iǁb.7ۭ~}\xeOaz^D#( sgT{h<}%\#y0bAVE =Ӡw+pA /P~UGCky2 7` vN"3&VU~FcF4&nJquÃgm>]@0SH V3 @Ю>C67)қGRg,]\}JM0C鱒V|{+o-h.T͟V(_p{xpZ,v Fi<>& Iƾ<IUsx*2t+.nP2hF+Hl&C!m,v8EV֫]sO}k2\aDŊ2Ę!RMIsO`8:]v`V(_Ґ_qSXLܾB7]zPcVXnUiL~ ʵg桏⺰L8nNSKV:Uü D[~^HZCui'ٻ 'D0"ńDh ~| sIWdg cd< md4"ݲ$L~I% D4ga0@|fj0g#qI_뤏 }.ad dZC6{PJE"mw$[tZu1&z4y3cn\LA!bmV@7uBVFx6a߶Y)".3-76#Qڃ8^3&jswcޯ[?+FE f{^F!rU;Sd 03"8 .p.Skepre$V(St*<"ɝa L'7/9,w 8%Ko{H';|`ޚj{B}-E,ƞ+v:.al>ŒbF V(Sxī 6iwn\܃jo}/c5@lk\gxyByM%3(t?/D7H\hYbK )v;T=%FwɎ,Ra-7O5}ا͟CƱXx *,@/F >h;$TRߎ,y^ оRF{w;1j`k_E+`3(W/^3~i@"䩽r!\*vۇC@e U-hIUYbCx^^@eWIaDŪL[ !qQLs1P}mnNG'p__ݟnKOS IpF'N Hko~-Ҷ>F<~]gzD[3m?3N9g$FaLS/fh^":)Isr]Ce{8Ux'5Ìv .|;G L`eݬlTZ-ŽD .9ڙo1cV~?1Q ]c· rm OhD7EskJU*_^=NlfIZ$W!n1X0~.f&\p4S)G[Ggy3T5P!?rim1pm*+RS֏Wq[ )˽0c5`\mxqdjWo.N\G/vfog{0%:!U5 ˯,m7&ܕP[P>2fj)B@b'"tfe ϗHсF?iicEzP;fNb/@}aOyŭբYTJ5)x/$lR~ܐ4zEf %쿲K-2λa&5yxQzO rfk(M"_|ar9#&jE'[›Qk BŨ~&ksnA0`_? /Zr6FTn+:,#3Kc XLo-zJD /j#TE9ًÄv"ıYF٥ג|QisVdV2F8 E30xz-^YŹlث]G8Zn‡ h` vZ3=y[z~F"mph0~I t-{dA;̶0Q$dhjksq>.\TB٩/ ä%#7+$Y_d[*L3#)7+_:P[4HО0|."(K϶oq"pF{37<(mBE9 CXѣk6#74[M0A'8QInkoG{g;[TGüj{)2`R31o}l9|9:Q/ʢ r#Hb'əd[3Q@gi/a՛%*$!7U{BAL-D)04e"$X2Sp2cWF,pLW=tYdX2(`=~vrF;M08lђD١r _# tyKլ|*CT4HFYM. I#gǮMZs)G@RӥNjbw< ;fY 讃d/7ss ƶ|m'Y!~=!D蠦Ʒj5 ύX1$\_DcH] X5s_pq $iaO21P!0GWmsxN*q:Ј3+}09z4Cu'徲tkIT_ۙDzH62,Q62XDWDy׹3 i!`uD$B>~|#L#C?Or$/b֑ %MOgs? "5B5-hǝ0N,.7z 2k#$? OD "[ a5T5q+th#KgY_}By[*n졀<>y[M9v-v# |1d01&1H2;j$"eq]eS!ktj+ЏqMv ׏^`"B2yF''»Ps7%\iP!{zI#>t_V_ZoYx-ltSgx58OBzbi^_>TgA"^b  n)&~g;Yb|f3Ɗ\791j)m$\gEA /%ONR.%zIR,KrzzWt/Wރ Bë ` 'ai]unjod8{;/5${waᅎUĹh?59ҿ68.o78jrMݹE?"a^X};7pJW<;y" (vBxQjȨ$jͥKV˽ؒz__R<1-o/ e##lb9Y-Q/gX \blqk ,n{ӡtk s( g+Fncn}HWۥ[5dzNp5 bvuRkJ;Owd-(,,L׃6DTGkęNjj1җ#TlĭQ0K~Ygh*Gt#L|,$4G4/"֑#$ɻWKmЅF6f 삧';'BLHIBB=H*ȧz9_228,ڇ(gϦhĆ糓94޽,Xu4#0Ss/HT+mdR9Dp-r['QI0޺.%b +@&eӚiXoleyFp ݦrn{Ӄ]UB؉ ;BYL;t8ycZkҢBqvM{uBM/vm2=3a1Wum#cڶDRA-lR"ޕ*=/vѼh ϼVKB@Lq<$^l 5 ^Xݻž@=m1IKB'acd** Yxٓ SSxEBEMvxI(̓瘱ȮXyÆp|O0o>L3vRA' @'av Zl:&(W?8g9zJ ;>1k'wGzi74c? `8&kʳZ!f;/ztkQnϰ;UY֤3闢ʫaOv-uyC!f6ZasG3&l;Tԡ GkNݒHMKG!ü =JoO~ѷd@W,֯(" +rn OueX~KٳS8l{ FɁ6hDmܧ؞VifE : (T4% LN=aj_L,u鷹6Ǹ|:-PA넚2z~ǣkvCNuLdE*S O>AGe2o_6c.2v*fЌ6,LpJHڹ ~:ۈZPpm"Шc:.tThKċ@L^w@z^A1E@QlV"01,1h!D{9M8>ڃ?Eǡ2od<0uYbyLz?)n7t Yy+t7kMdVЮ~brOA'(z!c~oQSB e8eΜɡƘ֞{^ܐoZap12);jJlBvu]MA~ѤNi>3-q/W" _rnIw?-Iḵz-5+|W$>BlQWn>JՈCF]m“4sF+J|k%A"L"Va|!(㲜3 @϶cy : g{,TQرJZc(Ӣ0[5z3:i6{INJ2ݝ b%_Hwti*feQrr_Doڒ> 5Rʮ%0@@ T E eK@ i0Wdw$F)dRdͨObnڝ'p)F_*SRlOYSLU|*ry BI!K?=7b׫xkiאj&rq5YL(J{BXD8fg@M߈e^eǧ``2us*`8Èy M"1ûPv(,Gom%W [Z =(, GhC=("`>yuTlT<.7=cg1Xci-9٫UG'븓ڠj8*|pk31*? ZQpsu U%SFԌ nppFn=[OeտHĂ [ur#ݝeyPY&B_يi&:SWzfXۭ#8uUXX1JYpײE+ &7K7=y2x]%L F73:|Ei | ߓF+p!WߖlbK(vbV.$6|w"Iĕh^ezj37lS#w$lU!,e7Ƌj^;٘.מލ&Ub,)@1/900iܲ*z :TQ};dk[ _cc)8ƍ hcy Fa@=,_$x#xİQFJW#Cr9'\G?S[55˸ph'\V^s]@]̹2eѬ&ʢ5rkPBb*+O}Ɩ}leUxPwEa"nD]Ga|J-uy0j j<')- j[Ihe qRAYhxhj*Hyo3N*UKGuGGa'5=2"JL7V4kЯ?bM j8=>Ç b;MH $I b.k)"~LiDZ)U~cGAz>Rō0Mg=Қ+ϡ KS*bP1SGvsaI%O$'RĆ Ld#Tf휹P_F}C~ƘPbNnu,KXKDo|:uR<*q=*?ZkH&6fg,^~N:ieI`}TU2zʯG7u&|:Ϣ8z*j6[2qP^ᣙ%:NN?_n#-UzV*HՌVf_&bJlx*},W:`gfBNi_V?\%=c*ϛF$$B1LjVȕAK +0WzUh'K_W*G9WwB)+lpImy*w-[顂y?>-$Ws|o邂:䊘bu 1D!yq=oRg 2`*{ڷ7f9H桭41|I }hU*]y';r#"MQvh;vX )o<ɬm?A`p^i|x׊v.9 +WK[:i%#%%>\KG[\׿^yB,06 \3<Ɍx~k׽ӔQx: #9.hJ ]HxXc5Tg)bJ͋Tpx~Ư8)i3~"e4>}4VkIa߄pZdkwa&8Փf;OrPdOՂh /L|S9Z -ͭ;Y/'0D36C"]"X)FbLDs7h5hp Ma$̈́#t:;ZRmbqlO5x}QsJ @)vsUb^@n}Q8W`$T0ϩ)Q]rXذ f y\ >n{99y;@vC 5[< z7#>[6qEJކGGߍښu<\=Dn8G,86;[/")6ٮxcͬP(8t/~,GB/,h p`sb L'Pb[zIY'U]?D00*#EA0Uss yآf$sx@zK_gƂ 7DY?zA kO4\8Uc.I-dqN\"lrԼ+|0&d׷蛆51$ÛYHr^fI>0YgCֳ{NUX0 .clh\s KrK5`ĭm6|>I7?W58 &{ޯEֿP_Ҁ,TMae/ Xjv1 :nQECx՝Qx)mqbM6qk os1 % nG/Rh2L40Z70k31K˔0oAalW q5ɝfnX1( #JJT;7vR,^cN]d]u.O͙::&;r6|Wڥ#R{V1ϷN}9^]$ݤJ([Brzi!'t< 82;Dq:`0|G[ YZ