wpa_supplicant-gui-2.10-150600.7.6.1<>,j؉g!p9|Ϋ]_ZT7MNlNerIJvA{q@3T7^_C̑]%X?\al֮ ]}ݚ_'ŐaM0b CqfBiH'zqAƉݚ֐tEq x9(3oщV3iDEcni1v-rqO˫&-m 3xׂ0/dMts^vRv\8I9,xzPYzDZv>>?d ' J0 FRou     $.8dl((U8\+9+: +F G$H,I4X8Y@\d]l^bcJdefluvw,x4y<z|Cwpa_supplicant-gui2.10150600.7.6.1WPA supplicant graphical front-endThis package contains a graphical front-end to wpa_supplicant, an implementation of the WPA Supplicant component.g!ibs-power9-21 SUSE Linux Enterprise 15SUSE LLC BSD-3-Clause AND GPL-2.0-or-laterhttps://www.suse.com/Unspecifiedhttps://w1.fi/wpa_supplicantlinuxppc64le 큤g!g!c6b05322c1743ca76fbe0369f900942834b3dc4d1c476b13bb0a73ac8b403289d57783ead2cca37539bf8b5c4a81b8105c2970de177652fe1a027433593467aarootrootrootrootwpa_supplicant-2.10-150600.7.6.1.src.rpmwpa_supplicant-guiwpa_supplicant-gui(ppc-64)@@@@@@@@@@@@@@@@    libQt5Core.so.5()(64bit)libQt5Core.so.5(Qt_5)(64bit)libQt5Gui.so.5()(64bit)libQt5Gui.so.5(Qt_5)(64bit)libQt5Widgets.so.5()(64bit)libQt5Widgets.so.5(Qt_5)(64bit)libc.so.6()(64bit)libc.so.6(GLIBC_2.17)(64bit)libc.so.6(GLIBC_2.34)(64bit)libc.so.6(GLIBC_2.38)(64bit)libgcc_s.so.1()(64bit)libgcc_s.so.1(GCC_3.0)(64bit)libstdc++.so.6()(64bit)libstdc++.so.6(CXXABI_1.3)(64bit)libstdc++.so.6(CXXABI_1.3.9)(64bit)libstdc++.so.6(GLIBCXX_3.4)(64bit)rpmlib(CompressedFileNames)rpmlib(FileDigests)rpmlib(PayloadFilesHavePrefix)rpmlib(PayloadIsXz)wpa_supplicant3.0.4-14.6.0-14.0-15.2-14.14.3ge}@c@b@b@`lM@`?z@`:4@`_|\@_i@_i@^@^@^|@^|@^Y]]>[<@[[ā@[[;@[@[QY@X@X]W@VU@VŲ@V`V=@UKSUCjU8U'@U/@TBV@cfamullaconrad@suse.comcfamullaconrad@suse.comcfamullaconrad@suse.comcfamullaconrad@suse.comcfamullaconrad@suse.comcfamullaconrad@suse.comcfamullaconrad@suse.comcfamullaconrad@suse.comcfamullaconrad@suse.comsp1ritCS@protonmail.comcfamullaconrad@suse.comsongchuan.kang@suse.comcfamullaconrad@suse.combwiedemann@suse.comcfamullaconrad@suse.comilya@ilya.pp.uatchvatal@suse.comtchvatal@suse.comilya@ilya.pp.uailya@ilya.pp.uakbabioch@suse.comro@suse.dekbabioch@suse.comkbabioch@suse.comkbabioch@suse.comro@suse.demeissner@suse.comobs@botter.ccdwaas@suse.commeissner@suse.comtchvatal@suse.comlnussel@suse.decrrodriguez@opensuse.orgcrrodriguez@opensuse.orgcrrodriguez@opensuse.orglnussel@suse.demichael@stroeder.comro@suse.dezaitor@opensuse.orgcrrodriguez@opensuse.orgstefan.bruens@rwth-aachen.destefan.bruens@rwth-aachen.destefan.bruens@rwth-aachen.de- CVE-2025-24912: hostapd fails to process crafted RADIUS packets properly (bsc#1239461) [+ CVE-2025-24912.patch]- Add CVE-2023-52160.patch - Bypassing WiFi Authentication (bsc#1219975) - Change ctrl_interface from /var/run to %_rundir (/run)- update to 2.10.0: jsc#PED-2904 * SAE changes - improved protection against side channel attacks [https://w1.fi/security/2022-1/] - added support for the hash-to-element mechanism (sae_pwe=1 or sae_pwe=2); this is currently disabled by default, but will likely get enabled by default in the future - fixed PMKSA caching with OKC - added support for SAE-PK * EAP-pwd changes - improved protection against side channel attacks [https://w1.fi/security/2022-1/] * fixed P2P provision discovery processing of a specially constructed invalid frame [https://w1.fi/security/2021-1/] * fixed P2P group information processing of a specially constructed invalid frame [https://w1.fi/security/2020-2/] * fixed PMF disconnection protection bypass in AP mode [https://w1.fi/security/2019-7/] * added support for using OpenSSL 3.0 * increased the maximum number of EAP message exchanges (mainly to support cases with very large certificates) * fixed various issues in experimental support for EAP-TEAP peer * added support for DPP release 2 (Wi-Fi Device Provisioning Protocol) * a number of MKA/MACsec fixes and extensions * added support for SAE (WPA3-Personal) AP mode configuration * added P2P support for EDMG (IEEE 802.11ay) channels * fixed EAP-FAST peer with TLS GCM/CCM ciphers * improved throughput estimation and BSS selection * dropped support for libnl 1.1 * added support for nl80211 control port for EAPOL frame TX/RX * fixed OWE key derivation with groups 20 and 21; this breaks backwards compatibility for these groups while the default group 19 remains backwards compatible * added support for Beacon protection * added support for Extended Key ID for pairwise keys * removed WEP support from the default build (CONFIG_WEP=y can be used to enable it, if really needed) * added a build option to remove TKIP support (CONFIG_NO_TKIP=y) * added support for Transition Disable mechanism to allow the AP to automatically disable transition mode to improve security * extended D-Bus interface * added support for PASN * added a file-based backend for external password storage to allow secret information to be moved away from the main configuration file without requiring external tools * added EAP-TLS peer support for TLS 1.3 (disabled by default for now) * added support for SCS, MSCS, DSCP policy * changed driver interface selection to default to automatic fallback to other compiled in options * a large number of other fixes, cleanup, and extensions - drop wpa_supplicant-p2p_iname_size.diff, CVE-2021-30004.patch, CVE-2021-27803.patch, CVE-2021-0326.patch, CVE-2019-16275.patch, CVE-2022-23303_0001.patch, CVE-2022-23303_0002.patch, CVE-2022-23303_0003.patch, CVE-2022-23303_0004.patch: upstream - drop restore-old-dbus-interface.patch, wicked has been switching to the new dbus interface in version 0.6.66 - config: * re-enable CONFIG_WEP * enable QCA vendor extensions to nl80211 * enable support for Automatic Channel Selection * enable OCV, security feature that prevents MITM multi-channel attacks * enable QCA vendor extensions to nl80211 * enable EAP-EKE * Support HT overrides * TLS v1.1 and TLS v1.2 * Fast Session Transfer (FST) * Automatic Channel Selection * Multi Band Operation * Fast Initial Link Setup * Mesh Networking (IEEE 802.11s) - Add dbus-Fix-property-DebugShowKeys-and-DebugTimestamp.patch (bsc#1201219) - Move the dbus-1 system.d file to /usr (bsc#1200342) - Added hardening to systemd service(s) (bsc#1181400). Modified: * wpa_supplicant.service - drop wpa_supplicant-getrandom.patch : glibc has been updated so the getrandom() wrapper is now there - Sync wpa_supplicant.spec with Factory- Enable WPA3-Enterprise (SuiteB-192) support.- Add CVE-2022-23303_0001.patch, CVE-2022-23303_0002.patch, CVE-2022-23303_0003.patch, CVE-2022-23303_0004.patch SAE/EAP-pwd side-channel attack update 2 (CVE-2022-23303, CVE-2022-23304, bsc#1194732, bsc#1194733)- Add CVE-2021-30004.patch -- forging attacks may occur because AlgorithmIdentifier parameters are mishandled in tls/pkcs1.c and tls/x509v3.c (bsc#1184348)- Fix systemd device ready dependencies in wpa_supplicant@.service file. (see: https://forums.opensuse.org/showthread.php/547186-wpa_supplicant-service-fails-on-boot-succeeds-on-restart?p=2982844#post2982844)- Add CVE-2021-27803.patch -- P2P provision discovery processing vulnerability (bsc#1182805)- Add CVE-2021-0326.patch -- P2P group information processing vulnerability (bsc#1181777)- Add wpa_supplicant-p2p_iname_size.diff -- Limit P2P_DEVICE name to appropriate ifname size (https://patchwork.ozlabs.org/project/hostap/patch/20200825062902.124600-1-benjamin@sipsolutions.net/)- Fix spec file for SLE12, use make %{?_smp_mflags} instead of %make_build- Enable SAE support(jsc#SLE-14992).- Add CVE-2019-16275.patch -- AP mode PMF disconnection protection bypass (bsc#1150934)- Add restore-old-dbus-interface.patch to fix wicked wlan (boo#1156920) - Restore fi.epitest.hostap.WPASupplicant.service (bsc#1167331)- With v2.9 fi.epitest.hostap.WPASupplicant.service is obsolete (bsc#1167331)- Change wpa_supplicant.service to ensure wpa_supplicant gets started before network. Fix WLAN config on boot with wicked. (boo#1166933)- Adjust the service to start after network.target wrt bsc#1165266- Update to 2.9 release: * SAE changes - disable use of groups using Brainpool curves - improved protection against side channel attacks [https://w1.fi/security/2019-6/] * EAP-pwd changes - disable use of groups using Brainpool curves - allow the set of groups to be configured (eap_pwd_groups) - improved protection against side channel attacks [https://w1.fi/security/2019-6/] * fixed FT-EAP initial mobility domain association using PMKSA caching (disabled by default for backwards compatibility; can be enabled with ft_eap_pmksa_caching=1) * fixed a regression in OpenSSL 1.1+ engine loading * added validation of RSNE in (Re)Association Response frames * fixed DPP bootstrapping URI parser of channel list * extended EAP-SIM/AKA fast re-authentication to allow use with FILS * extended ca_cert_blob to support PEM format * improved robustness of P2P Action frame scheduling * added support for EAP-SIM/AKA using anonymous@realm identity * fixed Hotspot 2.0 credential selection based on roaming consortium to ignore credentials without a specific EAP method * added experimental support for EAP-TEAP peer (RFC 7170) * added experimental support for EAP-TLS peer with TLS v1.3 * fixed a regression in WMM parameter configuration for a TDLS peer * fixed a regression in operation with drivers that offload 802.1X 4-way handshake * fixed an ECDH operation corner case with OpenSSL * SAE changes - added support for SAE Password Identifier - changed default configuration to enable only groups 19, 20, 21 (i.e., disable groups 25 and 26) and disable all unsuitable groups completely based on REVmd changes - do not regenerate PWE unnecessarily when the AP uses the anti-clogging token mechanisms - fixed some association cases where both SAE and FT-SAE were enabled on both the station and the selected AP - started to prefer FT-SAE over SAE AKM if both are enabled - started to prefer FT-SAE over FT-PSK if both are enabled - fixed FT-SAE when SAE PMKSA caching is used - reject use of unsuitable groups based on new implementation guidance in REVmd (allow only FFC groups with prime >= 3072 bits and ECC groups with prime >= 256) - minimize timing and memory use differences in PWE derivation [https://w1.fi/security/2019-1/] (CVE-2019-9494, bsc#1131868) * EAP-pwd changes - minimize timing and memory use differences in PWE derivation [https://w1.fi/security/2019-2/] (CVE-2019-9495, bsc#1131870) - verify server scalar/element [https://w1.fi/security/2019-4/] (CVE-2019-9497, CVE-2019-9498, CVE-2019-9499, bsc#1131874, bsc#1131872, bsc#1131871, bsc#1131644) - fix message reassembly issue with unexpected fragment [https://w1.fi/security/2019-5/] (CVE-2019-11555, bsc#1133640) - enforce rand,mask generation rules more strictly - fix a memory leak in PWE derivation - disallow ECC groups with a prime under 256 bits (groups 25, 26, and 27) - SAE/EAP-pwd side-channel attack update [https://w1.fi/security/2019-6/] (CVE-2019-13377, bsc#1144443) * fixed CONFIG_IEEE80211R=y (FT) build without CONFIG_FILS=y * Hotspot 2.0 changes - do not indicate release number that is higher than the one AP supports - added support for release number 3 - enable PMF automatically for network profiles created from credentials * fixed OWE network profile saving * fixed DPP network profile saving * added support for RSN operating channel validation (CONFIG_OCV=y and network profile parameter ocv=1) * added Multi-AP backhaul STA support * fixed build with LibreSSL * number of MKA/MACsec fixes and extensions * extended domain_match and domain_suffix_match to allow list of values * fixed dNSName matching in domain_match and domain_suffix_match when using wolfSSL * started to prefer FT-EAP-SHA384 over WPA-EAP-SUITE-B-192 AKM if both are enabled * extended nl80211 Connect and external authentication to support SAE, FT-SAE, FT-EAP-SHA384 * fixed KEK2 derivation for FILS+FT * extended client_cert file to allow loading of a chain of PEM encoded certificates * extended beacon reporting functionality * extended D-Bus interface with number of new properties * fixed a regression in FT-over-DS with mac80211-based drivers * OpenSSL: allow systemwide policies to be overridden * extended driver flags indication for separate 802.1X and PSK 4-way handshake offload capability * added support for random P2P Device/Interface Address use * extended PEAP to derive EMSK to enable use with ERP/FILS * extended WPS to allow SAE configuration to be added automatically for PSK (wps_cred_add_sae=1) * removed support for the old D-Bus interface (CONFIG_CTRL_IFACE_DBUS) * extended domain_match and domain_suffix_match to allow list of values * added a RSN workaround for misbehaving PMF APs that advertise IGTK/BIP KeyID using incorrect byte order * fixed PTK rekeying with FILS and FT * fixed WPA packet number reuse with replayed messages and key reinstallation [https://w1.fi/security/2017-1/] (CVE-2017-13077, CVE-2017-13078, CVE-2017-13079, CVE-2017-13080, CVE-2017-13081, CVE-2017-13082, CVE-2017-13086, CVE-2017-13087, CVE-2017-13088) * fixed unauthenticated EAPOL-Key decryption in wpa_supplicant [https://w1.fi/security/2018-1/] (CVE-2018-14526) * added support for FILS (IEEE 802.11ai) shared key authentication * added support for OWE (Opportunistic Wireless Encryption, RFC 8110; and transition mode defined by WFA) * added support for DPP (Wi-Fi Device Provisioning Protocol) * added support for RSA 3k key case with Suite B 192-bit level * fixed Suite B PMKSA caching not to update PMKID during each 4-way handshake * fixed EAP-pwd pre-processing with PasswordHashHash * added EAP-pwd client support for salted passwords * fixed a regression in TDLS prohibited bit validation * started to use estimated throughput to avoid undesired signal strength based roaming decision * MACsec/MKA: - new macsec_linux driver interface support for the Linux kernel macsec module - number of fixes and extensions * added support for external persistent storage of PMKSA cache (PMKSA_GET/PMKSA_ADD control interface commands; and MESH_PMKSA_GET/MESH_PMKSA_SET for the mesh case) * fixed mesh channel configuration pri/sec switch case * added support for beacon report * large number of other fixes, cleanup, and extensions * added support for randomizing local address for GAS queries (gas_rand_mac_addr parameter) * fixed EAP-SIM/AKA/AKA' ext auth cases within TLS tunnel * added option for using random WPS UUID (auto_uuid=1) * added SHA256-hash support for OCSP certificate matching * fixed EAP-AKA' to add AT_KDF into Synchronization-Failure * fixed a regression in RSN pre-authentication candidate selection * added option to configure allowed group management cipher suites (group_mgmt network profile parameter) * removed all PeerKey functionality * fixed nl80211 AP and mesh mode configuration regression with Linux 4.15 and newer * added ap_isolate configuration option for AP mode * added support for nl80211 to offload 4-way handshake into the driver * added support for using wolfSSL cryptographic library * SAE - added support for configuring SAE password separately of the WPA2 PSK/passphrase - fixed PTK and EAPOL-Key integrity and key-wrap algorithm selection for SAE; note: this is not backwards compatible, i.e., both the AP and station side implementations will need to be update at the same time to maintain interoperability - added support for Password Identifier - fixed FT-SAE PMKID matching * Hotspot 2.0 - added support for fetching of Operator Icon Metadata ANQP-element - added support for Roaming Consortium Selection element - added support for Terms and Conditions - added support for OSEN connection in a shared RSN BSS - added support for fetching Venue URL information * added support for using OpenSSL 1.1.1 * FT - disabled PMKSA caching with FT since it is not fully functional - added support for SHA384 based AKM - added support for BIP ciphers BIP-CMAC-256, BIP-GMAC-128, BIP-GMAC-256 in addition to previously supported BIP-CMAC-128 - fixed additional IE inclusion in Reassociation Request frame when using FT protocol - Drop merged patches: * rebased-v2.6-0001-hostapd-Avoid-key-reinstallation-in-FT-handshake.patch * rebased-v2.6-0002-Prevent-reinstallation-of-an-already-in-use-group-ke.patch * rebased-v2.6-0003-Extend-protection-of-GTK-IGTK-reinstallation-of-WNM-.patch * rebased-v2.6-0004-Prevent-installation-of-an-all-zero-TK.patch * rebased-v2.6-0005-Fix-PTK-rekeying-to-generate-a-new-ANonce.patch * rebased-v2.6-0006-TDLS-Reject-TPK-TK-reconfiguration.patch * rebased-v2.6-0007-WNM-Ignore-WNM-Sleep-Mode-Response-without-pending-r.patch * rebased-v2.6-0008-FT-Do-not-allow-multiple-Reassociation-Response-fram.patch * rebased-v2.6-0009-WPA-Ignore-unauthenticated-encrypted-EAPOL-Key-data.patch * wpa_supplicant-bnc-1099835-fix-private-key-password.patch * wpa_supplicant-bnc-1099835-clear-default_passwd_cb.patch * wpa_supplicant-log-file-permission.patch * wpa_supplicant-log-file-cloexec.patch * wpa_supplicant-git-fa67debf4c6ddbc881a212b175faa6d5d0d90c8c.patch * wpa_supplicant-git-f5b74b966c942feb95a8ddbb7d130540b15b796d.patch - Rebase patches: * wpa_supplicant-getrandom.patch- Refresh spec-file via spec-cleaner and manual optimizations. * Change URL and Source0 to actual project homepage. * Remove macro %{?systemd_requires} and rm (not needed). * Add %autopatch macro. * Add %make_build macro. - Chenged patch wpa_supplicant-flush-debug-output.patch (to -p1). - Changed service-files for start after network (systemd-networkd).- Refresh spec-file: add %license tag.- Renamed patches: - wpa-supplicant-log-file-permission.patch -> wpa_supplicant-log-file-permission.patch - wpa-supplicant-log-file-cloexec.patch -> wpa_supplicant-log-file-cloexec.patch - wpa_supplicant-log-file-permission.patch: Using O_WRONLY flag - Enabled timestamps in log files (bsc#1080798)- compile eapol_test binary to allow testing via radius proxy and server (note: this does not match CONFIG_EAPOL_TEST which sets -Werror and activates an assert call inside the code of wpa_supplicant) (bsc#1111873), (fate#326725) - add patch to fix wrong operator precedence in ieee802_11.c wpa_supplicant-git-fa67debf4c6ddbc881a212b175faa6d5d0d90c8c.patch - add patch to avoid redefinition of __bitwise macro wpa_supplicant-git-f5b74b966c942feb95a8ddbb7d130540b15b796d.patch- Added wpa-supplicant-log-file-permission.patch: Fixes the default file permissions of the debug log file to more sane values, i.e. it is no longer world-readable (bsc#1098854). - Added wpa-supplicant-log-file-cloexec.patch: Open the debug log file with O_CLOEXEC, which will prevent file descriptor leaking to child processes (bsc#1098854).- Added rebased-v2.6-0009-WPA-Ignore-unauthenticated-encrypted-EAPOL-Key-data.patch: Ignore unauthenticated encrypted EAPOL-Key data (CVE-2018-14526, bsc#1104205).- Enabled PWD as EAP method. This allows for password-based authentication, which is easier to setup than most of the other methods, and is used by the Eduroam network (bsc#1109209).- add two patches from upstream to fix reading private key passwords from the configuration file (bsc#1099835) - add patch for git 89971d8b1e328a2f79699c953625d1671fd40384 wpa_supplicant-bnc-1099835-clear-default_passwd_cb.patch - add patch for git f665c93e1d28fbab3d9127a8c3985cc32940824f wpa_supplicant-bnc-1099835-fix-private-key-password.patch- Fix KRACK attacks (bsc#1056061, CVE-2017-13078, CVE-2017-13079, CVE-2017-13080, CVE-2017-13081, CVE-2017-13087, CVE-2017-13088): - rebased-v2.6-0001-hostapd-Avoid-key-reinstallation-in-FT-handshake.patch - rebased-v2.6-0002-Prevent-reinstallation-of-an-already-in-use-group-ke.patch - rebased-v2.6-0003-Extend-protection-of-GTK-IGTK-reinstallation-of-WNM-.patch - rebased-v2.6-0004-Prevent-installation-of-an-all-zero-TK.patch - rebased-v2.6-0005-Fix-PTK-rekeying-to-generate-a-new-ANonce.patch - rebased-v2.6-0006-TDLS-Reject-TPK-TK-reconfiguration.patch - rebased-v2.6-0007-WNM-Ignore-WNM-Sleep-Mode-Response-without-pending-r.patch - rebased-v2.6-0008-FT-Do-not-allow-multiple-Reassociation-Response-fram.patch- fix wpa_supplicant-sigusr1-changes-debuglevel.patch to match eloop_signal_handler type (needed to build eapol_test via config)- Added .service files that accept interfaces as %i arguments so it's possible to call the daemon with: "systemctl start wpa_supplicant@$INTERFACE_NAME.service" (like openvpn for example)- updated to 2.6 / 2016-10-02 * fixed WNM Sleep Mode processing when PMF is not enabled [http://w1.fi/security/2015-6/] (CVE-2015-5310 bsc#952254) * fixed EAP-pwd last fragment validation [http://w1.fi/security/2015-7/] (CVE-2015-5315 bsc#953115) * fixed EAP-pwd unexpected Confirm message processing [http://w1.fi/security/2015-8/] (CVE-2015-5316 bsc#953115) * fixed WPS configuration update vulnerability with malformed passphrase [http://w1.fi/security/2016-1/] (CVE-2016-4476 bsc#978172) * fixed configuration update vulnerability with malformed parameters set over the local control interface [http://w1.fi/security/2016-1/] (CVE-2016-4477 bsc#978175) * fixed TK configuration to the driver in EAPOL-Key 3/4 retry case * extended channel switch support for P2P GO * started to throttle control interface event message bursts to avoid issues with monitor sockets running out of buffer space * mesh mode fixes/improvements - generate proper AID for peer - enable WMM by default - add VHT support - fix PMKID derivation - improve robustness on various exchanges - fix peer link counting in reconnect case - improve mesh joining behavior - allow DTIM period to be configured - allow HT to be disabled (disable_ht=1) - add MESH_PEER_ADD and MESH_PEER_REMOVE commands - add support for PMKSA caching - add minimal support for SAE group negotiation - allow pairwise/group cipher to be configured in the network profile - use ieee80211w profile parameter to enable/disable PMF and derive a separate TX IGTK if PMF is enabled instead of using MGTK incorrectly - fix AEK and MTK derivation - remove GTKdata and IGTKdata from Mesh Peering Confirm/Close - note: these changes are not fully backwards compatible for secure (RSN) mesh network * fixed PMKID derivation with SAE * added support for requesting and fetching arbitrary ANQP-elements without internal support in wpa_supplicant for the specific element (anqp[265]= in "BSS " command output) * P2P - filter control characters in group client device names to be consistent with other P2P peer cases - support VHT 80+80 MHz and 160 MHz - indicate group completion in P2P Client role after data association instead of already after the WPS provisioning step - improve group-join operation to use SSID, if known, to filter BSS entries - added optional ssid= argument to P2P_CONNECT for join case - added P2P_GROUP_MEMBER command to fetch client interface address * P2PS - fix follow-on PD Response behavior - fix PD Response generation for unknown peer - fix persistent group reporting - add channel policy to PD Request - add group SSID to the P2PS-PROV-DONE event - allow "P2P_CONNECT p2ps" to be used without specifying the default PIN * BoringSSL - support for OCSP stapling - support building of h20-osu-client * D-Bus - add ExpectDisconnect() - add global config parameters as properties - add SaveConfig() - add VendorElemAdd(), VendorElemGet(), VendorElemRem() * fixed Suite B 192-bit AKM to use proper PMK length (note: this makes old releases incompatible with the fixed behavior) * improved PMF behavior for cases where the AP and STA has different configuration by not trying to connect in some corner cases where the connection cannot succeed * added option to reopen debug log (e.g., to rotate the file) upon receipt of SIGHUP signal * EAP-pwd: added support for Brainpool Elliptic Curves (with OpenSSL 1.0.2 and newer) * fixed EAPOL reauthentication after FT protocol run * fixed FTIE generation for 4-way handshake after FT protocol run * extended INTERFACE_ADD command to allow certain type (sta/ap) interface to be created * fixed and improved various FST operations * added 80+80 MHz and 160 MHz VHT support for IBSS/mesh * fixed SIGNAL_POLL in IBSS and mesh cases * added an option to abort an ongoing scan (used to speed up connection and can also be done with the new ABORT_SCAN command) * TLS client - do not verify CA certificates when ca_cert is not specified - support validating server certificate hash - support SHA384 and SHA512 hashes - add signature_algorithms extension into ClientHello - support TLS v1.2 signature algorithm with SHA384 and SHA512 - support server certificate probing - allow specific TLS versions to be disabled with phase2 parameter - support extKeyUsage - support PKCS #5 v2.0 PBES2 - support PKCS #5 with PKCS #12 style key decryption - minimal support for PKCS #12 - support OCSP stapling (including ocsp_multi) * OpenSSL - support OpenSSL 1.1 API changes - drop support for OpenSSL 0.9.8 - drop support for OpenSSL 1.0.0 * added support for multiple schedule scan plans (sched_scan_plans) * added support for external server certificate chain validation (tls_ext_cert_check=1 in the network profile phase1 parameter) * made phase2 parser more strict about correct use of auth= and autheap= values * improved GAS offchannel operations with comeback request * added SIGNAL_MONITOR command to request signal strength monitoring events * added command for retrieving HS 2.0 icons with in-memory storage (REQ_HS20_ICON, GET_HS20_ICON, DEL_HS20_ICON commands and RX-HS20-ICON event) * enabled ACS support for AP mode operations with wpa_supplicant * EAP-PEAP: fixed interoperability issue with Windows 2012r2 server ("Invalid Compound_MAC in cryptobinding TLV") * EAP-TTLS: fixed success after fragmented final Phase 2 message * VHT: added interoperability workaround for 80+80 and 160 MHz channels * WNM: workaround for broken AP operating class behavior * added kqueue(2) support for eloop (CONFIG_ELOOP_KQUEUE) * nl80211: - add support for full station state operations - do not add NL80211_ATTR_SMPS_MODE attribute if HT is disabled - add NL80211_ATTR_PREV_BSSID with Connect command - fix IEEE 802.1X/WEP EAP reauthentication and rekeying to use unencrypted EAPOL frames * added initial MBO support; number of extensions to WNM BSS Transition Management * added support for PBSS/PCP and P2P on 60 GHz * Interworking: add credential realm to EAP-TLS identity * fixed EAPOL-Key Request Secure bit to be 1 if PTK is set * HS 2.0: add support for configuring frame filters * added POLL_STA command to check connectivity in AP mode * added initial functionality for location related operations * started to ignore pmf=1/2 parameter for non-RSN networks * added wps_disabled=1 network profile parameter to allow AP mode to be started without enabling WPS * wpa_cli: added action script support for AP-ENABLED and AP-DISABLED events * improved Public Action frame addressing - add gas_address3 configuration parameter to control Address 3 behavior * number of small fixes - wpa_supplicant-dump-certificate-as-PEM-in-debug-mode.diff: dump x509 certificates from remote radius server in debug mode in WPA-EAP.- Remove support for <12.3 as we are unresolvable there anyway - Use qt5 on 13.2 if someone pulls this package in - Convert to pkgconfig dependencies over the devel pkgs - Use the %qmake5 macro to build the qt5 gui- add After=dbus.service to prevent too early shutdown (bnc#963652)- Revert CONFIG_ELOOP_EPOLL=y, it is broken in combination with CONFIG_DBUS=yes.- spec: Compile the GUI against QT5 in 13.2 and later.- Previous update did not include version 2.5 tarball or changed the version number in spec, only the changelog and removed patches. - config: set CONFIG_NO_RANDOM_POOL=y, we have a reliable· random number generator by using /dev/urandom, no need to keep an internal random number pool which draws entropy from /dev/random. - config: prefer using epoll(7) instead of select(2) by setting CONFIG_ELOOP_EPOLL=y - wpa_supplicant-getrandom.patch: Prefer to use the getrandom(2) system call to collect entropy. if it is not present disable buffering when reading /dev/urandom, otherwise each os_get_random() call will request BUFSIZ of entropy instead of the few needed bytes.- add aliases for both provided dbus names to avoid systemd stopping the service when switching runlevels (boo#966535)- removed obsolete security patches: * 0001-P2P-Validate-SSID-element-length-before-copying-it-C.patch * 0001-WPS-Fix-HTTP-chunked-transfer-encoding-parser.patch * 0001-AP-WMM-Fix-integer-underflow-in-WMM-Action-frame-par.patch * 0001-EAP-pwd-peer-Fix-payload-length-validation-for-Commi.patch * wpa_s-D-Bus-Fix-operations-when-P2P-management-interface-is-used.patch * 0002-EAP-pwd-server-Fix-payload-length-validation-for-Com.patch * 0003-EAP-pwd-peer-Fix-Total-Length-parsing-for-fragment-r.patch * 0004-EAP-pwd-server-Fix-Total-Length-parsing-for-fragment.patch * 0005-EAP-pwd-peer-Fix-asymmetric-fragmentation-behavior.patch - Update to upstream release 2.5 * fixed P2P validation of SSID element length before copying it [http://w1.fi/security/2015-1/] (CVE-2015-1863) * fixed WPS UPnP vulnerability with HTTP chunked transfer encoding [http://w1.fi/security/2015-2/] (CVE-2015-4141) * fixed WMM Action frame parser (AP mode) [http://w1.fi/security/2015-3/] (CVE-2015-4142) * fixed EAP-pwd peer missing payload length validation [http://w1.fi/security/2015-4/] (CVE-2015-4143, CVE-2015-4144, CVE-2015-4145, CVE-2015-4146) * fixed validation of WPS and P2P NFC NDEF record payload length [http://w1.fi/security/2015-5/] (CVE-2015-8041) * nl80211: - added VHT configuration for IBSS - fixed vendor command handling to check OUI properly - allow driver-based roaming to change ESS * added AVG_BEACON_RSSI to SIGNAL_POLL output * wpa_cli: added tab completion for number of commands * removed unmaintained and not yet completed SChannel/CryptoAPI support * modified Extended Capabilities element use in Probe Request frames to include all cases if any of the values are non-zero * added support for dynamically creating/removing a virtual interface with interface_add/interface_remove * added support for hashed password (NtHash) in EAP-pwd peer * added support for memory-only PSK/passphrase (mem_only_psk=1 and CTRL-REQ/RSP-PSK_PASSPHRASE) * P2P - optimize scan frequencies list when re-joining a persistent group - fixed number of sequences with nl80211 P2P Device interface - added operating class 125 for P2P use cases (this allows 5 GHz channels 161 and 169 to be used if they are enabled in the current regulatory domain) - number of fixes to P2PS functionality - do not allow 40 MHz co-ex PRI/SEC switch to force MCC - extended support for preferred channel listing * D-Bus: - fixed WPS property of fi.w1.wpa_supplicant1.BSS interface - fixed PresenceRequest to use group interface - added new signals: FindStopped, WPS pbc-overlap, GroupFormationFailure, WPS timeout, InvitationReceived - added new methods: WPS Cancel, P2P Cancel, Reconnect, RemoveClient - added manufacturer info * added EAP-EKE peer support for deriving Session-Id * added wps_priority configuration parameter to set the default priority for all network profiles added by WPS * added support to request a scan with specific SSIDs with the SCAN command (optional "ssid " arguments) * removed support for WEP40/WEP104 as a group cipher with WPA/WPA2 * fixed SAE group selection in an error case * modified SAE routines to be more robust and PWE generation to be stronger against timing attacks * added support for Brainpool Elliptic Curves with SAE * added support for CCMP-256 and GCMP-256 as group ciphers with FT * fixed BSS selection based on estimated throughput * added option to disable TLSv1.0 with OpenSSL (phase1="tls_disable_tlsv1_0=1") * added Fast Session Transfer (FST) module * fixed OpenSSL PKCS#12 extra certificate handling * fixed key derivation for Suite B 192-bit AKM (this breaks compatibility with the earlier version) * added RSN IE to Mesh Peering Open/Confirm frames * number of small fixes- added patch for bnc#930077 CVE-2015-4141 0001-AP-WMM-Fix-integer-underflow-in-WMM-Action-frame-par.patch - added patch for bnc#930078 CVE-2015-4142 0001-WPS-Fix-HTTP-chunked-transfer-encoding-parser.patch - added patches for bnc#930079 CVE-2015-4143 0001-EAP-pwd-peer-Fix-payload-length-validation-for-Commi.patch 0002-EAP-pwd-server-Fix-payload-length-validation-for-Com.patch 0003-EAP-pwd-peer-Fix-Total-Length-parsing-for-fragment-r.patch 0004-EAP-pwd-server-Fix-Total-Length-parsing-for-fragment.patch 0005-EAP-pwd-peer-Fix-asymmetric-fragmentation-behavior.patch- Add wpa_s-D-Bus-Fix-operations-when-P2P-management-interface-is-used.patch Fix Segmentation fault in wpa_supplicant. Patch taken from upstream master git (arch#44740).- 0001-P2P-Validate-SSID-element-length-before-copying-it-C.patch Fix CVE-2015-1863, memcpy overflow. - wpa_supplicant-alloc_size.patch: annotate two wrappers with attribute alloc_size, which may help warning us of bugs such as the above.- Delete wpa_priv and eapol_test man pages, these are disabled in config - Move wpa_gui man page to gui package- Update to 2.4 * allow OpenSSL cipher configuration to be set for internal EAP server (openssl_ciphers parameter) * fixed number of small issues based on hwsim test case failures and static analyzer reports * P2P: - add new=<0/1> flag to P2P-DEVICE-FOUND events - add passive channels in invitation response from P2P Client - enable nl80211 P2P_DEVICE support by default - fix regresssion in disallow_freq preventing search on social channels - fix regressions in P2P SD query processing - try to re-invite with social operating channel if no common channels in invitation - allow cross connection on parent interface (this fixes number of use cases with nl80211) - add support for P2P services (P2PS) - add p2p_go_ctwindow configuration parameter to allow GO CTWindow to be configured * increase postponing of EAPOL-Start by one second with AP/GO that supports WPS 2.0 (this makes it less likely to trigger extra roundtrip of identity frames) * add support for PMKSA caching with SAE * add support for control mesh BSS (IEEE 802.11s) operations * fixed number of issues with D-Bus P2P commands * fixed regression in ap_scan=2 special case for WPS * fixed macsec_validate configuration * add a workaround for incorrectly behaving APs that try to use EAPOL-Key descriptor version 3 when the station supports PMF even if PMF is not enabled on the AP * allow TLS v1.1 and v1.2 to be negotiated by default; previous behavior of disabling these can be configured to work around issues with broken servers with phase1="tls_disable_tlsv1_1=1 tls_disable_tlsv1_2=1" * add support for Suite B (128-bit and 192-bit level) key management and cipher suites * add WMM-AC support (WMM_AC_ADDTS/WMM_AC_DELTS) * improved BSS Transition Management processing * add support for neighbor report * add support for link measurement * fixed expiration of BSS entry with all-zeros BSSID * add optional LAST_ID=x argument to LIST_NETWORK to allow all configured networks to be listed even with huge number of network profiles * add support for EAP Re-Authentication Protocol (ERP) * fixed EAP-IKEv2 fragmentation reassembly * improved PKCS#11 configuration for OpenSSL * set stdout to be line-buffered * add TDLS channel switch configuration * add support for MAC address randomization in scans with nl80211 * enable HT for IBSS if supported by the driver * add BSSID black and white lists (bssid_blacklist, bssid_whitelist) * add support for domain_suffix_match with GnuTLS * add OCSP stapling client support with GnuTLS * include peer certificate in EAP events even without a separate probe operation; old behavior can be restored with cert_in_cb=0 * add peer ceritficate alt subject name to EAP events (CTRL-EVENT-EAP-PEER-ALT) * add domain_match network profile parameter (similar to domain_suffix_match, but full match is required) * enable AP/GO mode HT Tx STBC automatically based on driver support * add ANQP-QUERY-DONE event to provide information on ANQP parsing status * allow passive scanning to be forced with passive_scan=1 * add a workaround for Linux packet socket behavior when interface is in bridge * increase 5 GHz band preference in BSS selection (estimate SNR, if info not available from driver; estimate maximum throughput based on common HT/VHT/specific TX rate support) * add INTERWORKING_ADD_NETWORK ctrl_iface command; this can be used to implement Interworking network selection behavior in upper layers software components * add optional reassoc_same_bss_optim=1 (disabled by default) optimization to avoid unnecessary Authentication frame exchange * extend TDLS frame padding workaround to cover all packets * allow wpa_supplicant to recover nl80211 functionality if the cfg80211 module gets removed and reloaded without restarting wpa_supplicant * allow hostapd DFS implementation to be used in wpa_supplicant AP mode- Update to 2.3 * fixed number of minor issues identified in static analyzer warnings * fixed wfd_dev_info to be more careful and not read beyond the buffer when parsing invalid information for P2P-DEVICE-FOUND * extended P2P and GAS query operations to support drivers that have maximum remain-on-channel time below 1000 ms (500 ms is the current minimum supported value) * added p2p_search_delay parameter to make the default p2p_find delay configurable * improved P2P operating channel selection for various multi-channel concurrency cases * fixed some TDLS failure cases to clean up driver state * fixed dynamic interface addition cases with nl80211 to avoid adding ifindex values to incorrect interface to skip foreign interface events properly * added TDLS workaround for some APs that may add extra data to the end of a short frame * fixed EAP-AKA' message parser with multiple AT_KDF attributes * added configuration option (p2p_passphrase_len) to allow longer passphrases to be generated for P2P groups * fixed IBSS channel configuration in some corner cases * improved HT/VHT/QoS parameter setup for TDLS * modified D-Bus interface for P2P peers/groups * started to use constant time comparison for various password and hash values to reduce possibility of any externally measurable timing differences * extended explicit clearing of freed memory and expired keys to avoid keeping private data in memory longer than necessary * added optional scan_id parameter to the SCAN command to allow manual scan requests for active scans for specific configured SSIDs * fixed CTRL-EVENT-REGDOM-CHANGE event init parameter value * added option to set Hotspot 2.0 Rel 2 update_identifier in network configuration to support external configuration * modified Android PNO functionality to send Probe Request frames only for hidden SSIDs (based on scan_ssid=1) * added generic mechanism for adding vendor elements into frames at runtime (VENDOR_ELEM_ADD, VENDOR_ELEM_GET, VENDOR_ELEM_REMOVE) * added fields to show unrecognized vendor elements in P2P_PEER * removed EAP-TTLS/MSCHAPv2 interoperability workaround so that MS-CHAP2-Success is required to be present regardless of eap_workaround configuration * modified EAP fast session resumption to allow results to be used only with the same network block that generated them * extended freq_list configuration to apply for sched_scan as well as normal scan * modified WPS to merge mixed-WPA/WPA2 credentials from a single session * fixed nl80211/RTM_DELLINK processing when a P2P GO interface is removed from a bridge * fixed number of small P2P issues to make negotiations more robust in corner cases * added experimental support for using temporary, random local MAC address (mac_addr and preassoc_mac_addr parameters); this is disabled by default (i.e., previous behavior of using permanent address is maintained if configuration is not changed) * added D-Bus interface for setting/clearing WFD IEs * fixed TDLS AID configuration for VHT * modified -m configuration file to be used only for the P2P non-netdev management device and do not load this for the default station interface or load the station interface configuration for the P2P management interface * fixed external MAC address changes while wpa_supplicant is running * started to enable HT (if supported by the driver) for IBSS * fixed wpa_cli action script execution to use more robust mechanism (CVE-2014-3686)ibs-power9-21 17418899902.10-150600.7.6.12.10-150600.7.6.1wpa_guiwpa_gui.8.gz/usr/sbin//usr/share/man/man8/-fmessage-length=0 -grecord-gcc-switches -O2 -Wall -D_FORTIFY_SOURCE=2 -fstack-protector-strong -funwind-tables -fasynchronous-unwind-tables -fstack-clash-protection -gobs://build.suse.de/SUSE:Maintenance:37861/SUSE_SLE-15-SP6_Update/9b432eb1227ff88675139bcb07b9c311-wpa_supplicant.SUSE_SLE-15-SP6_Updatedrpmxz5ppc64le-suse-linuxELF 64-bit LSB shared object, 64-bit PowerPC or cisco 7500, version 1 (SYSV), dynamically linked, interpreter /lib64/ld64.so.2, BuildID[sha1]=d782f112cf1ba0c3841aa0e0950874f22e0c84e1, for GNU/Linux 3.10.0, strippedtroff or preprocessor input, ASCII text (gzip compressed data, max compression, from Unix)R RRR RRRRR RRRRR R RH~ qQ9o1$utf-8e51c8b3bd4d2a0f16ed07044610cf7384122846ee974bb3c0c8ce8f85780bcf0? 7zXZ !t/6}]"k%{m{#rD~d tGJf͚uI]P8>?K!v2`JpU䴼CxPd_iV1iZ`]\K+(d&}o|zr1 ]އaԈ JE]P.֤yG`uT螐%V~S( #$9ZH̾_5tېrs 59ASni<Vةkdto y$aT0>IvgF2xhZfԿ2&"qL$ Wnyc_*3]PKjIfM2Hx]z(d quM),XEX/ݡ'aVffI}| CKb=ZeXb@>[-H h8&.1y7L)*2X7 aHD#C.Q_w0=gݨC/XRT"Ec1f.I1K}:2ܔa ,(^*N-Yb0]sW.e>=1ڷ+>%IDS d+d2 [eo/{(;m' Y=t62vK/jeMZ'M ~h}ܵLG ^PՏJ@<ݳ<@\}OnH촨R-U9`ZEZ*aS!^f>Ih恩ERD1 8 %\Vy0~UȎCO`)'e=u(#}\^ceȊ* IֿW}ݬ{j*8If*I=Zt0|9d A4#πu5c01ɟȴgah1u'ioh D+ٵ)ON݊cKHMgĤ4VՃdl昮?o ܧ Gy'bYỲf U @DJߌ5zR š"[?Jz%зHR'̶2<*ν<_q*}V6Vm aOʤ{¬v9y4+$QM=Edf#4"a2LS荙2.Gb19Wrb1 Jn[ H>qniNb#$>)b-G`eQ_ % 3#BP 奼>7P\gt(< Ew8}\@7UZm?K_ټKRUGDnz2-/;~Y娍@i9#1wY7tǸn:7.z-uĠ>]nb ?]I=>R3@\52fȵ)uLM*ٿe/ķYi XA,*j7E OQRg.s?`KYk#O1mLdtx>|WeA.y%NM&YQJbBs,2wcגز.AY9Q ?foNp׋la M">)bҙlm&UV;rzƓN=*vtT6JJ2HSU?e[;*5drWg/:ake= ,;bi)z<ܗ#ٻSa:I-Wzڡ%~wo%gJ9u\.:ͼxx9[ZZL?4MR禶%J,Jd{|x{-~?}Uvp 6{*ݕC3q@%G7܅g@%.NUCI r+@XYuE^mǯj߳8ߙΎ!fUN7@^[]6kK~f ^]$dw>R%R%?䔌-25xZw586SJkhpNq̦\^CFS(N"FOqFuHkDaXc h o3C7n2ۛԦ`D F7ww+[̙ǒk ^(׻ .x=^1ʈf hFm]bT<3rُ栞|45/Ijs 4(wDnq[Zor:4o@^iPhcX"HxJx8hhVua #<"21"2ʹUj,I\vg츑Q0vׄԸ 6c7Ɯ9z:C](Eޙ%)|e:kـ3ԟ O>QP xTQYoxQ6l) k^$_,?8 "7cBf )iFC$ EW;wr'm F1CCcgsH/N|bȴOwtgv@%B}ѕ n?Ge,Ң& i"dIr8"WOۙ{&j;^6f;O`(̃a@=_"f\Gzfy "ta%p83D45K=J,+^ʏ|6 ^jH9 IK" ݕ`v^NAa5jźGe{9{T@$ 1o@:lssU䃰z']с9 S6@2K`V}8TFMrK `< LR ުpB-)}_9fOya +a~*'eQRJI]AZH,xЎn=U&x|pحgK]z,_PǴ:wg)^ N[/y%Н]r"*,t" %G+(4 2\DI&c@e6&V#ixY>$ouZR൙u<>;O4:*f56rF݉PhbEx-_`<, 뿒Br8R{|3f*dΤ68jc#&<&@~1#%NwXʬ{@҅la|3J>[)˰:&iˬ4rJoQݛLkA xR XUn ~͍P`_e.M$6#n vyEIBaGf׷(hyYdž b@beK\|0"Kq/k֟D[ɯN6_U*_)| |t\pQ^h<.ܯ*QPǘ7}+$U_b#"/f.y&Me,Lc)od}S[EF2+@Hq"S'70Ҷ!> {u8fgC/M7FvOۺRasBIh"B9& ې4ێ 0xqަk TmԾY k5ǥ3 SU}cjevh<TιAѵ]1Lz".uE9!ȭN+f~tfl;J /g3RQۄ?M$4'V&9ڶvHEȟbntNhs# #!ؓP셎#(uR@抅W\;<.{%|%uɢ#uRW}Hr9Y|e&c/(񎱌Rg^ 5x]/C 箳x/0OjWGSrLG\Q q/kJ"רŽ!0[n/켨FI[#b4o(!$.0 8ِmV|"ڏ#A Bj6VxO RCqgoN 9P}H{ϼoN\g:*oZҀq{8  "SM@04OPzUFd Z a}٦?LǰngêOm/ď]= u^${IZ3/G4EK_s%>&Uk:rKO0(%2 QIODoۈ> }v/~Os8&khlP/ԗ2>/B@qI&R1fDocwx1n`cbl#Seض,/l`~j IY N; oW drAgh"W@U ~TYN'`}tY\`8,rH5@ss[4)R* |Myl׃(*e\Բk,mZ¸ugL1T&Vi"F|[²\<%2Oʐ++ɰU}5˄Q;VEk|d 8%{j`Qդ@П꺞d(Mmu4!,ԯ 15DYkTaM M93Nv ۜp!~M5@XqkU4)P5 d$F۰p''ɸݼT{PY֜QVx퉅 S/23FkBqYH,a_`MG }&肠=x/ qE}or ᠴ:Z9%]]x3^zI^hp?Gd…w3.14nL^a%uHpӺzg(UHaR܂#\Zޫ CK7_I2wj8ҙV\Ʈ j-.9WR}5#C >ƈyJڛjjb5up]Ba#-16q D[š[׸wkCwOaC2p=T!4ꙭ8qxUm##ʷ63YބiX)iTO+ӵC~m/[o*/&V!xn>b10> ;'0V>CNjD2tjzZƑb;=۴us lYu ܵCSwm&ZC*))AM7* hтwaSfqi$2qc|^~ݴD)eP.U[UGk(M#d~L]fYn`xJrUoDʼn6 hX]{ZN(CmU[-}gc|gz <Ŗ 6b!i8aBZ'-n!/ʯ8HZ^79C.*VsW` 1_V2IIJS)=7$9(4]{0C|$gs,=c7s6+0OwNx+d["zxe87Okm>OT$r9{?FNm;_uὂY)tPõVXw90:1qT9fP䎼Ar& |7ik_ecN8q{eOh^XW^FdUHɛ+Cr0zG3L\)/hnj̜i )(ӀCc!7 Q6e@iMz @%& L&[䒇NRtlaV(P>WP2º%׎dJ̬ QX:9iI4>'bEC:[I>&,\z_fVvBk̔6Tb  Z訷nX.qFU^B%wd)0˛ץ*AtJ_4/DN#@7Y+VS"$ 6 7if O o1tU2i@{*&vdxq{ox>T!}w)*~`{&uu ${ 8Q/I\+5\,8%+܇7띰S^LDGY#ɲr&~jO,-.ӴcuW̲㈃.I]pB[RrCߠ8U0a͓{B"j=foIOsEG!Zov=*/L[]P0JZrܽ8[;rEHՀ(1!sZI|)ݬ[n%5 8Ha/A 0bכQpiUE˜!*%j(Grѫ#3{1N1^IxGf)("Z HGÁ*Nv1j<< hhZvIAY2';MFE'=>jbU#GnW9\Kfr1k&dTAp٥Vq'"~8nj-uB@vi1 Fcv,ɈSmHf`Au fUaO%EӪxel@=gj\MdpTuiOc lɋ++Ros<ܶB[Ha)2҉6FPP]SP0lD791 [Y/or:uB/0~oU͊5>qvtլ6qeRb\mYc# Sě6Mt+MXa=.b}XCWfԆ_׶ހ͔S?=dwm,W~4?QE/g?6R0\K1"!z>BrLs. bs0vL@%B<*/3jL ؉xMT4am=>ʊnQ*".38Em k~k \!%&vuPPgJUP"Z=6;Oi>p1TCn2V)Ɗ=/IVkK3j/\:?Ene%$.rtpRBǘ j,y&4ǔ7J9Vt0srޭ#!:yM ɴI3Ń1 #XN l#ļu*^S'"CzIOzHYFP%QP99D(ܭi)i1'ҶKanǐ%(cѓ&4 B{2ށ֜D[2j#&R߱ɑ*'!#^"Q:39N66mO5zj`"xH͒\ǴIJ .ŷO6n ֠2 x6<$*m{ѭp]90K2篦UXSiQ?ܰado2T/dgTUF#mh]Q/H(| ہCaVcy-舀Nx7ՕН_ʘs?"{d3CgqE IZae/t HAoB{F2|6ڠo=N%I@EqK5[ͨ ]F+BoH[D|=dM`qַ~bux'C>YUB(j,02j=T*&z8%bd@#ܤO` `XKfnĭ {7z0(Ƙ(Q6TXÊ #J'3%8(Gvkk|du?.W7H>*V2x{V_$63)Esvʻk~D/`'6qbH]q?Xƀ7װ"Ǫ "_`dVB e]wg60Eb?U7u>TMM A{pg¶LJ'Odn>x" .Qq/t#H=vr<;Jy1d`oIr etOc̀}i(My^h2$,$T O^|vI#/43ȃAzEK1XḨG&De4FIƊo̪ĥw4ϳ%9L]\;="XA-5rJn$X3BxZ/=}@Emc"(T١}k^iXp/ɉ忐 FC@V8蚚n(7-EVHd"TwmybjEU E1Ytg)Dg|Pd7`CRg!24VCH( m>Y|3`hA-ym ?r[6Ў"JDP.9U ;Y%#1iv uxz-kEmv;ܘȌcb/:[ɿ=b%VZ]D|$!D *ϓFlfW7bvlziTI[AUkb}f;V xK#bDĮ 4d]My\ dpˇaQ$!_6P.[jkdݬRa2YDxZl9#xfɱemh&ONw$XeABn`W5/OɊY+XFEza2K"0 cZŎmM+%Z`91FߠRc1( ߙR8SRMUP,!w@,bͬ+A \(j~NX'BCmiLY#/_3TsY %>RUNO;`қ~K k 'c\1p`VڕrzS`cc5҈ {ɳOWxm)n̚esyܐ1 FeSm9>~!:icFۆ`9(n;5> EH 09*a&r"u˹ t~WL g,!w H> 6*#C{B^x1Mk;8A<_z?D (FZ+ tfRգD;R^M Bep('6)@ Y'*9rЄ`^3.Oߑ<>YCBZC%o}wF}o%lqGw,hE heײB@л[{ #EVoeK9*3-&8s6W|{XQ<+Otʗ:Tj\m~!WCN-l<:$=b>~cҜ]g:|G2wl 5{w qI*$8pD#p)n0~B"e=3 iբoXG{LO=53oce #Q-X>|6ۚ 8CW3LL1;p"j7_a>ً'B}"N&(4"xuB$F* `A^9# =.*o^h > 9)j yVV&mVX)qpޅZ)b4ӢAF'n5ErP5DŽuQc`h\e)cm!twd{eV0NcWDf}],e|ZԾN3P$Cg0uB,%bΝA#ǦviGUhIZpT`JJ1LL,BbHgGb&-Y:=5bDiVm=I3CtZE0 B+Fg}}W|ڈ5Z{ Yèjda5Cu 9X4FRc"yFtc9VaX(6k, kO~EhC4YjfnIM@Y4kO%@|Ը]B0ES+4aߏ_ Ek~uAAAjs0w|X W.N~\ؚ\70T)hPg8-Eh/'OjY*py9+,n0bL&k@bnr3MњMI{gApdfĉxE;L>MB^o J7OX6~ņ"ĕހ8n-Ȕ$_ij]e=Av2OIk^Ǣ)IP`TOB^L\fNaNXfBw|o_:)=>F~ %'k:Ǐ=,fs+>fa2:&X _δ AL}]ʻtN/ L|ƴ>Kno +L 6Ӿ𤯗F~]cy-OxQfdXFS׼w\P8&b۰3!-YQ"@b"mY#7Bc nɿAdp*;El?qLϥ=BU#$!`90`W%HֹSL%D]n.d_\~[ms  %mnc+gjkq(36fƔ:D~vp.Yfc|4B~KN2\yaYMI8ַț8tRRoܛ%ygϿwk\;&;U'']g[O*g(Y&vn.i`J'~3p3ˌ1Rt:H";dz_ $լ|#|]n;lDukѡRӇѓCR/O׉ؓ x#˯ܪۑ DʅtۑSNs!j (L/߫˰&|c[j"Ltp@Ua1u?ԿPE6~em ^Hqج!t/eEAה]K nPjX dWFJR; ]Fcg2M B顭kj Qˋ| >f֭ᢃ_3(#mKX$ӣۧ8ψ_$'}u:}= KAVh8=eÂ-}f3nm;Y@"_E B77P_wD]{i;U+W"(\0ĒބFmb@$zMgEEPJr6ec]\LijIb΁$veg$̼ACY9uHƋ5[s2QY@$ "gl9Z fұ0-xHs1Ft Ga ȁ+:GkDn&:%JI)㓍Gc$5g=.KS t_GZ)F \Dxgֱq#m $6u.uXG`016`Y-B!a[}SiqʳV?K٧"\xNi{, ` Thk/1ܗA릎dnuR{q؍ָMsӤ?EA|GHrNR+cb7p?G/b3h94 П[BRL9=5m}|6s8~2u.v6paG;?QSj햠JPRfUuX+;4́} VO٤~yGgSXfi,"7(AOYw%ۜu6tG oUT*Cym_;5t9%fF\glLJd\J|줮t ~~WjoTX`'ۭh1 4ȴ)Ix W2]`'~Hђiyq b O}-&_.{[v@%"*"'k7' 17}[֌ }? ۑ0P!I*ضvA!SWV qV%dvJ&Gv;(0jGo$8'o#D3f00{|ЭEwdsFiH+̃h>'v±~@LtZ97,3NoIYgw[\&?n%Aș>~;3so>~`ke[tNbvWrF9 ZHR}f,%TG&rL;/H"2\XĆy79&WR?6^ØĆU81yJj&8ŬWPl6{3vQԪMQ0ٚR4-t|Ydo"@1WA8 h $ŏ3jGhv]ۄŀ(q8{,t p6){h|}ܬ\'UKt+;"^Iӓr|tlloE>ռDGũ]న ،Rp>F-aX>!,J9%0.b六S%6lﺔi1$d9Su|_f9$Z`B?! 1P=1hETÕ[F25O`SY}^PB| Z4ҥey $}*Suҝ쏺ۨ~S0lM.g#$)N _&?\,5гypSFۘ;0d!OiHs]TB% ~mc+8hoL'f c +ղ=dcλt-fH)i?,Ț!*$%ӂzR^֤ubcڴBƔ@KtUc-^># pu."x4iUDX0jnA7 %"~oT9)14թʯuG`5=CZ <VP*w&` bnH$ E- =pJ߷B@­xElne"!NX]S&[{ S(VPip٨hP:/ldfBOߠKA\N;QX@f+TAutTFg P;m BT;%R8~ObS|/9vw/jIL.CiZMrm*yoJ6T=},:蟅΁q$QsT }jP.힡\灨9<_"btV\(>pX'p8-FALsƨWN [01[֡@5@ӔȎ{3쟓4cqVU1X#m).6W*;QX^ZӢVSa#?h'7J%oE:veL7ckqlu>2*.DSl̞L9qnKhe{SB}B*z}_x:lO}<;4c¬DZ!.SRZI#>J1_ܿJGJ>gVV vg"^<̴93]l_j[*SD4q2r?LO_Y2D|+/-rnjai¿Hq;@l~(4s%t%CtȚRH|n1|^(KlCU%ĉum7tX1WH.n}#2%lYR&<8ȿܖ` ^mUxICGt{zutOfx$I WQV$Fa$&[ Yo Ե vqGD@!Ol&o~g{f:Ih+U?͠yU 7/^)~2,ː_{"IC911Wu:jZ c meRhyOJWU*CJPʸ}'N6]CBIf9t[ KpDY7M\ jDmOA"|Bd”?/(-ԡSJ{bD?w "C:|.e_2i54]`ْo/z/WQOqgPl R1MKOD+8s-JґcA3,ʆv17{z(|ۄuzU[ M\mrVhʇIy)yS-4%vCZ^ Pe;1jϗGӃdjv 7Ncj Q3O{yR7Q$ƒ,[Eo;lIH-Dyơkţg⧰-HDwa( Naɠ,ґL@ժeҟ r^ͻ2n>#MznY]$i׵Ԩ D$yd?ޡ"ی~ R(elD"7D)P]-[2I3Eמb;8Dp:l)@ ݲI0}f0m 稨Pw8UIXX\fP6O؛~hsGAR̩E*.wg)ˋOlErɧUODQw)#b0hkYZY=K0>fQz֎ڱacNn8FO+ =8!~g3^L@j>`1:aLvK1aT젴a RT\h eh\1f0ݛv 6zvPf`Vh%E?¹m,7x A/$^YQ s54g\r ,f~S=b ]_g'vGmԣ<\  LSC0$-7CQh(I>3RhGtF {;XM0%.ila0K`r?`j92)JuG@ێs7q$u9xs?`6B aF: v;THmdIiD Bچ!ob[Xֿ|eL2#Ҵ3T,;+M߄f{25:RƙE " x% hA\`8'Y\]SKׂ0-,,fa$YI"Y:9ssvyz}:z1WAgomif3 ӻoG<8dsZV"%Ѕlp&D,- +ꀜ@kw\tj1_TlY\u[dN<s1NSfSePwD J4x>"r`p aÞ=խ.?01KY@8T>PL23W@|0l1߮ !zF`?hf3#XO\h<'Eku?"hq@! Fρ~v#cP'\:v٤D/S]a715jc&\5LQ0$ݧ*FemV\ҕMrxO{R)_`4Y/kL zp6 *L!n~] ˺E&m4?J48$;ud.}07FZۺTE7z;UtQ߯ak$Cla;W'^mvhcNHxtaYqNՊHii4L'-dxkE3pCsz䅢EW-kEwu :^%FPB|rFʵFW v֑VCr˝Z*3tv,4?Ngq{EԖCV6_#0Es3dY[Wk$T;:U΋;WE5+Ebt,PFFk yf Mrhd'nR^Mª&!l|(x\1e}}\mc7$ E+Ni)=L#M`rӐ; ESS nN0Dh^ssQ<9KR]NV7}E4Ĵ4₲uwpgd؄NfeD e;h{K׃nQLDQلQW^CDW/0OD4:4 (1ٹ !XbGsV ;0`uCbFu8獶P/o9+]ͽ>eMKJA5KC bڃLT0]i"CXĞ*̗@K1p`X"  W4G.5crv@~lzptB@vPq,m5.Je}_UswSnزb_UNW6O!5_ ;GaS6 MIW ߱ xBP($ĉ%Kd b̅&dy4 kފ{jIgRHٟ}oZE,ٹy}ȉ&QlK25:c=璭^c2LK(|f'/:u!*ַZ]Pi-`pw=9$ًl!Xl#xL91guS]O iTܞAנFOgnC) rBTjBc0?o X-ڞ^ vdTPAų-*TR ;jnk~";5RvΪsE+38m]$ LbYU$B4S:(-#Ì?1ȷat6"X\#Om YR^!V@n7Z fb|F-, t킂fr%&-[Ӑ# ҿU>1]$ bU :b/utTN7U+BdZ9h{=d&"ĥv*.g+o|E m_zh64q9 +_gB;Tcm~nho&3mTGu5f2&Tߜ1$6X#HGT߼ ZغAN.қ@y^cLݓ'ޕ K8G|3k mHQ懪AڻYF5央Fωsⳟg p̌paJrU~q@UwK%Aϡ PYtǖtp="q:$JS,Ռ+gދ&bdT멗 䟉[}Ο5Yy`n=p⛰ௗe !_2qWhP AW1Oms^M߯^J\`:GZ'!QlDF/7!)#6Y2AI^ зxtr*"v:}<՟{8Ib[WA*hWd_"JJ $Tqߺ'N|!;ߡߋ.`m9卅R:1Z)p) &2Vޘ'+FqPցa<E`#bjL ػ",Ǘ RHw1쭸Kvr8qZ$?n%$r^ >8l vܨccɢ;B HOD?.}{wؠ8F^ﯝkl8UaW?HGBAڢgI),bS [_ཇݓeFK8aKOG&, Ϝ x[ m˜{0$gQp 物g f)rIi,'{ep%['|5%G,Hbgه`),IyZVQ8V[$0g26M(0AIX+ >;$XV:vPZIj<8σala NKUr{u:^m|wREse(m[@4/ܒzծ7Gji4E6yWfXG(*mSDeF`@m̘ErrKCل^ҥO@|xLACg3#yo %_jE,bVVZ˗?/ `XCSm]>A"^Uv+V۰g Z(T%HǕ%Lp1sF׀ >.wI<1*Mg̑}nג0m_uVH44Pauj=qT(M+3-+' Kz4eÝ+=#{\ȍG THmklq0ۀxVCv#챣8`EhÓaT$zD.'?mhG$3)( 蕳q/Bmh/ YzDԾܹ;ݻ." в$ Tl/W;.c֦i^Ie1Fν-VgI/ ~R-'ܹ=;XWYZ ke \W1|Ͼѡ.{0 V.  +3DJ!X:D6|{Zx`$:5. y kLV6MuS+LN@(Cuf1K;HѸѬXM=/#ԄUk^X;E=2"U:>Ц|dr!QqV9z \HQGfP휤|ӼKHdNnSi}aYPXnrӕ):eIQnۇa` +gL5Eyݔ}bT\ QT*%dE}WGZμ"kdqU6J F+LVqk뽇v8=е6ÊC,dfĞj{f,!Dž l溵P c4\fy|WvLK%Y%>j@.6s!u-mAB ,7JfmGBb=3=nyDUJ thtfU8FXZת",ch* XXU#8@iӌ5hHݠ7_%L.ϭ:tK,1l|"C|? $Ñ*~L {{7>)1e&ơ/ܖ %ҲpnJuϔ=` Z]f{K)!&'>5qUچ 1Ojz |cjE !~w]}S+m ޹!g-pIb2Ӟt' 6xa~R"vND_  ;aLQia~tX! z•91wgO~wgfUA!YƉ&ʢm fEb9ndr$EU{K.9h<৐)=蹰3jt~|UwY՗:>!V^AqbZs' r.iw+uO5W,$zxߐ㛨yi|C^ ZYl3У?n wkv9=h!!g(N9U)JPVˌJo,^M]()N}m r# juR۝}j||)/$0P/+#=~3a{߻JXOCUCXaRZkG)uUtT@^TU&N^|w#$U Kk҅Hqoh2 TP2N(*1х;0It=⬒0CuƉ-[2d>BכF1ɅtQ? ǴkRckB\#a'yH_d &RGqQh> G[H~)vz_&J@oNXkidO1V]}O q o 6~jX6%˹Z&~#mca"S({mE:S<*i$$ xbt?؈D ;ˏ9)ڄ$oaױX Oe5n]\oLdOfVM6^̡]h b}ChʟvE\Wxbm,;!*G:z% J-T&q=,lf+b0Aj01i?+۾SoOa_}Qj=)}OQ>NI!!2QSĵI]M{ɹ}(ֶTˣfƵk/Y '2L|#] 0ݔhhQd\nh6ڵn"SŝJr,d o п9IVlƼl 1j;Ф#[`5$+5 -<!"(vshQ)t@r\dhOD5.)Zϋ.]G(8%C62Wsԑwer|32]m. Y͚PdC+Li֕-PƉ"i3'=׀ g -6<>~;6ϥ0תIE9D/xK*8$IZFt9[W?l@&€Ģ bh [wvbӕ;ς*QGU1Qxw2lOrCr[Hm  'bѨVe/jdҺN~Y@PH鲰E\h؊h)ٴX[;1/AL-Ӄ FlUH+NCd*{ɶSf4V(w#! 5!"VK~{/|2.G~-XRs!$щ.kVvI ^&'8FmTv! ǵխ2Cr_6".Auz˳GADO= Z;k3~? ߳l5EA=S>\2wSCp6Yc^ѕD-jdm9s?E`O>%9ڐ?ImSS_(.ںȱaE])Si:E 1;}Oj mL5w8yGwK4avzg@V$P-Jgx>SB696y s2[zYH\ hUװGWtwW> ^g@8,m&\Їp9KB^F("m6|Cc/^o)7AN$]y0W^w)@1vi)G@]r^9Ϟj% >6͠f]HX>O|8pʾ z3xbu 5)pN7s7xMWg(~^Mn4 UEYꝖk@%R û_n=;PG8Ydv[V#w5wdB981'W >g*sar|Fȋf:JhB$$D|jdcH;vmxLj:wLh#@y6 u\Fu2=ٳmp8D?ڄҳ}| ʇ16Y}o(aJPPk*=,r|~ {q/!ʋLYQQ/"UjQ2~<5O<!`pX=$0 8גhhsZZ W~/S!hq|}eccXG8c/A9eD 'RnlG,(qSl5+`IG>즓ls#.̍¿\٧FO~RO7! zr%$Bz& )O:ݰ hQ{m(%'cۤHŻ竉?Vxҁ3ӄ7~ywhu㢺ۇ&ShZzBiGwL]42s7t`;y[xE!KAMtЕYuB Fyde^T@}.,e1]:}' M 7e psE뉯͈.z)?r `Q6SvWQa˞xV5zv{D (u* ߲v qd%a}MV}:j]vHKH ]$I-wM:F&N +H'RKOd劦՛@pƽ?>F`&%xqV PF" ̯ !J0 9dT[BKMA'bdhw&wݯ:5 ^I I62C4!zAёv3 OwԖ)dUP7 LaV3n7\V[4 1Gt>l3݁I_0{MY*v&`Ë? mzOguc6Ғ8]V?@u|vaq-T (6> ѢA\E|ݙl'k6_eTxʖӖl6cMo}  (Œ2 qg.i@+1m &6_f&0ZVp}#2Ff&#{waOr j0CZ{xȕ~' ,BdXl$n1$MVwほ82P;oRo vm@=K{xgP͡A:,S,&]{og  yfA;<'[3|qvﵙH@yYeu%D Eex)p@Tu$!7/oI P@2%^gw!gS @.L-Z~UBۤܟ1|[0 4Tpkv(0/{^C) 1\RrTF1`"+s=. iN>2»u$Lvl_`ژ9H1bqoӽc+ 輂u-vLاr$ x/ _];cĘD 䚳s  2 -L7T !phvJV V9z [ak+>zhy8?ËBsH`4ItPwsmظG0k k{R0>&<1BieQ٢@͖r ÙBgzioPMkgo'/ur{>cN j>ϮejA`<{W!}-:Nl* *oyf5Q))n-U˳eU&h=u{"{_"W!0. zdY>wTT^;\/a"jyԙ.ZH\Oͅ68H{NlK+qw=L$];HJYZMwMB6_ᱢa\7Q3Zz@KQE;}Xc`>u[pVZ3"Y&<i+P}S,[Y0hXq" |MuC㇭5rT@/.9F |g{/"gNyPB|>Wh 44e=h ޓ$q*a.,?v],̔}|f57I+еn,W=4.oz'b"hGc`zkj];Oն.F8m[8$V0LN6+s>H èYHg[H d_ pO7(N* chfWY_(ÀN[9; g'J#}:n<ukפNn(Y`Ҟ Uu7dzKm#Мtt{{DE:p?Sov ,6a%&рC(EbꐽX^&W5b5'tx؈2 =:6\J<&I@ۅtbnN+Xy :ha+—/PNn~AY, Fm` Uբ7`ӏeeGGD?_Ǎ,V\ { #͌m$)O>7Aj\ŢvJ ͠*?u}x* QMFnJG1zH]>M8 :."6c]&o0sd#yZ: DR]}mƼs~KGЫ+ +r.eQm\&W(#dp>\1uS@f&T%6}ȱL c}| rIҸ ]˃R}.08gS4N6DQ#}ٛjNpS@Tޤr}_V,N\g( ,,׭yT-IWbY_i1]?/*|ұPcP.A;^S>9+1j))]bddJꋁ&RnnG)_ǽ7ō.Bj:fw] ++C}>vu)20髵 1v I4>玓* Pw >(K DSo*¯\]`3 5M}$)_ELSTsK)!+'pz1iK1A4EnNQ+!"0PSPK0i 7=d'W?.ū1C?3ȬM_.& /ςܦߒ|;>]PRξ(Hm(=1EYn5٤ckJi5shߺ֨h6{@=g0cѢ,:,m3I˖|?Sn3;'5ĀdL7<+&]:XbzR!ЮLjлJOc[fy(?Jq!Wg~ӄަYIV!2Ux8!GCV\bm"B.䛧-τ#ըWado fIC'@{FY)Z$҄<HϹd d"XQJċ)063AW:xt~' |y|<1dk7PuQ?=Q|rzy`Td?}W`(S ׻SBךY-;2@l8! ZX ҧz&|?!I=mqoJ-^?pNFaS:pX3ju|p GL৖ "{t Hp7R@X!ה &q֖~4gi?c4!#=ޛ2ybQNUEV&m 07*t9C0%7oQ١Yw$N]8|5M¡D8PrXDpM./ckNΗ-{/?cຊmj;H>L)M"z- afYrOm+wx0` =oY #F]Lscu آйH #ʚ^ !k"O)-z=sfg#].ZY%Nu@V b5%<:-W\/ 䢇f.]!` BO{ӺDrr#,* !P4xb8~2TPVnfw NTy6uH)kB;,_-~~~!l[v;u`-(?DgtQ2x9%*lց vr2Ql]DvQ3SW C+Ҍ( O}ݚr̺.zx!~ *i"yT.?G՟tH}f~芏z>%6-N6^+iCn-!a!e:]䪼-K(Se@1AqHv5@{K%@wLdHps|m8.=!ֽy@#,_haRЧ~~ 'MJRE_\v /F Ya=m"{;+LEmqtT? oƘmQcgj`7~-m;z 1hYׯ RIx`s7~EnYtu9ͮ?eyL0ctϖW{c9LsnbLqW_VgJGg|I[ԙzBNTdtLꒉO/7GqH_,tr˿VRX;Y2P'4Ε%DEZY?4*2fr?f )wm(X\n Hi5+^2U6u%dwǽ[Yu kk Ip}f=UK4Gv[O )@KQmՂw'GSZ ^V喥Js:![lh TND]I+_Ni,hMcYp1 ʪg3+n#0 %!/g}D=`&ul`&=2FZof"c߅e)NCp^&8 cCp/y K ꖯw;GmkެqdAߖ#An>9>C)$%YWx!QD~Ϫ F8?4YPn]租*NBWT"LNO V g)5Ly"zk2*5!ir(Z1ScT(̍]v+HRYUaUjdvf q,x+ -8. K8}-%9j)pX7(" zPd}HoJ N'VVWOoGDzS L 3ŃY:8BB #S4Gl,&Hy-/2p֣;IFu}v/WDjEY}J.{"TȲxt侦wPn\:%}R3@mD#O %ds{)PO4||94T}<)3Yhl ]6iQH ݳ΁K@jMm9e@W3ؿW~BkpaRђK~\ X ulC/6H2q`>xE*3WnL\[*HM_{Mɯa)bco" %X)02jGMF~/c+pnX|`˼ dpį&CH?mlad@o[pp~;PY pǐP%uM$Չ2yUf7Hrn/?r;SaV3L:^iUtalߏzC%qtbt"&5 :& j:Gd%|?ӆlV)ffQxE3 oI"d`9&ݟhp^uj<''2O0Bp8MEiIWj }nU=gx/&{{- "*Ui.76Xaf$6L:3<~]L-\ؿj<%| -Q18L5ggQAQimpXs?818\IS fGA_-6?]lNFE'EmHBX[lT eZbOZ"u84A't.zqTRvŮ^##"6_<~ܢcUF}>D׻ |Mef/^f'fF*\4nGx}-j% h=Oj6)zQ'א?/^m5.#*/NgKF" =07bBC 55[hnݨDx UGω0*`nS 1B@.6*:BrgZOZԄDI2;!SxlH}҈%Wb = k>+|MDwWA#KSV9mdr-?ӦUhF+v݀@jzg7~z dW]bwH>-%HZ o+;vm۩*uff D4RnaMώWv"1ɮ^N U.89+Qw_% _dg2a.+;0M.Uږ l ̅ho Nr3Di}k)E'7]btClafbYJ|^=| ߒya+Np7V,i! "5 6 v {y LhC=f$'P6ӿFTۮ V"%.ŷGoC"?=)@3gH.oa]BY4)YD xb17LitxdIJbtkq5ߛۢ5ZVRJjQ)yv G jS >ɝ.3 SΥ;L̑xFl䮣(5<&ߛ75L.*(cb?lWg?ԣ; A?yʆjD;Xirm{Գ}Uc]P97fl/ +Wi]Z.^K-;8LJWLtТ - ]װ,~yJ$H®c+q0a?%D~B>Wx}єⅵbYigݳ2f*&<}޶" r d/PbVS=VdO9LLw QH] k")]N:: ߜ*O {qPC )ڷ/E õ~,k1z2i~ c3]Bh*RVa;UNZ6aESe!!/%40>T0qFۊBBb݆Mҷ?hϙ\|n]?YKKbˮT_#cQPh}gh4s</QKwȂtRn'Ǎer9ɝhTKpМɖ]\%AY þCsɡcER`Cy ALNSNi:[$ðx mGxUL.Ռ̓ufP/4|Jofyu{^+`Ti'#=P_2*my߹']g)q_Iw9f8Jn}[ܟ-6rۓaRGh_? he spFP xqeMtk[1=vOԻ͆c Z)&dYΠE+EȔcI>/b&N" IC,𪇴6w#v4Y!鄛@!6D1x-kh6g|&]!7|A5\AiQDJvfKN!I{ߩ$cMfau//;c0[  E#7]ikZږ=6Sj7K4]kOCtXD}|q@:4Pqh7R~\k¢k%-%ZOO2>q[ǓA,?D,erֵt:?$4|;^q('0bl,xr:tROjZƌ_;3i9t.*7^<vpEi|H5s9?IVRVEߠ@|u Jtw: 4.z ܳp~0%wFEr0&%LW7GH _22;Ӝć̸v=YHUT VȎ1A 9K[qfԌDKq R&uh0DitZuF O> o>fzXx'#/_ R^[ho,N obZ^ ސPnymH)ڜEkټ4$LjMA#|X^ʂ[ϥ]5sK'AhNw=.G<@M?b٣uF찃1j9<-Ȗ-\c$WOؿ\G?_NהfH ? s?&GscJo}bٴIF]5}0SL Ş5Q,'wdJ|)fG^,,k1~iG`Q0' yVCe>.1[|_qY|+RU{,G2YJ&*qwcp$I GU%'J>nlدEOyxC[-;𘊖.IR/;dL-I<\SʁM3Q͐e Z#Q2b^wL3xi+I`mbU![c? m[(:'r%4eAdfRUp0ﷇGe[|RϦ:Rs~ ;V`Wwv C7ىy纩V:diafH&Vw)X?neN<Hfj/%sƭr 깸zq d 6c|̽:w(U_C(dZV ~Ўz㽆8;)-K?Tئ@W}'*@6Vd(u?)n~@Ě 4G0){L@rN b/xNqۅI$_,OuRgdT_iklj2! 79z(?}F$}ZC 5_j~dgqJ* lT$ǥ- v*qz/v89(&d6QXsr(#`ZA"hаOfݬhHs. g)ł e|Hwo!HD_Fve~3gch߀8\sF" fdtxhUC~>~YS?S+Zؠ xv'!ձhpGiB{Y nY"s?xTPvp/D)4uvkh0XzJxH[??ckڦm>-b PYv@s L7K@ jۼyBHNg/e;X"?\kĨ?|p: 蟱.<,&p2BDK 0`ff pp%W=9;g0uT}Xrb+ZO _<,I(6N,dEWG9OSvߒR?z^a3He-Dތ,gTM1Qy`;?dsl4ێ7-OFCX'B+ {>ə7N44;Ĝ8s,IRڱߕU ^yROwA)rwx2<򱋎EZ(zI7:KqKLsAb"nR1J~~(&x >lD'yClD_#w\wxt g+ԺIئ]fE=L68"ɲ'|jυ]% 8wfTZhytV%0!@ė `7ڻOfLkTLhP4}lO`bdS2Q(0٠+J,p N /U _0&n19-^k\׶@#$0[}Q¬Ξ4JU:6=P],w(a]5yv_>*vxUxkV:L~pdLP36 㲓>$viF,EkޚN@e ssΚ\UKTf.UNp!smtf#%M߼κҍq*=f_ 9\]-Tr" # 16!hl-d\/ahYvpmNͽJ>+ׄ^BC̋|mRs4O!{VDJ|>4+p^]n!ceüuF#!V X7`=U?J8:%A7^5Im`D?Ri2CV)/[j jW,dh5Cq._?gP#l68 vxqN$rG?wubț Xc[+`$ ~ rK ŰC.= u`Т30G;!},oVX*)$ G85&¹X}hKi*jyPZX"IcfnWBye*~3Ū"ٯZ"m*qԓǛ娷3 S+'Q:QξQJ )J4 *?34,iW' Ƣk%SpV8o_:;:tݎi&4VH5QSLq͘fh3U|_q+[Xf wHCL @ RMGXt~{ȴ -vHO .GӉK5vБ<b<9\qUX,=pp}])"ÚAIJq9t8.RB? LݾTH徵138VUKRvFh+YH^z*oM9$+[a3-`#}%ŦyTrH$;#1DAӚ\fO7,_qazmF0}g7 A~|B"llJ<&(ʤ"OY, y{>}}H'[!sA[gJX/} fF pvnj[)FΣ)*[Ei-^cFJ[N Š)vq?]Z4R}ݿ 0im YZ