wpa_supplicant-gui-2.10-150600.7.6.1<>,wTg!p9| ^ò*3Kd#hk9/Ůu%C(W! \)F;-^|c+.eYzsꗤ+мt)X}Mͩ hB|H+ϸ _WĨ&p+Uowm =5oW;4(\@dk-O8b !4p^GhĜbEYщye}LIi'sY\Ej_Exg N+ z>>?d ' J , BNkqx     &0\d(8$+9+: H+FGHIXY\(]0^EbecdefluvwxyzL\`fCwpa_supplicant-gui2.10150600.7.6.1WPA supplicant graphical front-endThis package contains a graphical front-end to wpa_supplicant, an implementation of the WPA Supplicant component.g!h01-ch4c ~SUSE Linux Enterprise 15SUSE LLC BSD-3-Clause AND GPL-2.0-or-laterhttps://www.suse.com/Unspecifiedhttps://w1.fi/wpa_supplicantlinuxx86_64 큤g!g!4d91fc40b4e0d610ed40f8ae035850eefb2652f5e39777022c113f2aa0df1c19d57783ead2cca37539bf8b5c4a81b8105c2970de177652fe1a027433593467aarootrootrootrootwpa_supplicant-2.10-150600.7.6.1.src.rpmwpa_supplicant-guiwpa_supplicant-gui(x86-64)@@@@@@@@@@@@@@@@@@@@@@    libQt5Core.so.5()(64bit)libQt5Core.so.5(Qt_5)(64bit)libQt5Core.so.5(Qt_5.15)(64bit)libQt5Gui.so.5()(64bit)libQt5Gui.so.5(Qt_5)(64bit)libQt5Widgets.so.5()(64bit)libQt5Widgets.so.5(Qt_5)(64bit)libc.so.6()(64bit)libc.so.6(GLIBC_2.14)(64bit)libc.so.6(GLIBC_2.15)(64bit)libc.so.6(GLIBC_2.17)(64bit)libc.so.6(GLIBC_2.2.5)(64bit)libc.so.6(GLIBC_2.3.4)(64bit)libc.so.6(GLIBC_2.34)(64bit)libc.so.6(GLIBC_2.38)(64bit)libc.so.6(GLIBC_2.4)(64bit)libgcc_s.so.1()(64bit)libgcc_s.so.1(GCC_3.0)(64bit)libstdc++.so.6()(64bit)libstdc++.so.6(CXXABI_1.3)(64bit)libstdc++.so.6(CXXABI_1.3.9)(64bit)libstdc++.so.6(GLIBCXX_3.4)(64bit)rpmlib(CompressedFileNames)rpmlib(FileDigests)rpmlib(PayloadFilesHavePrefix)rpmlib(PayloadIsXz)wpa_supplicant3.0.4-14.6.0-14.0-15.2-14.14.3ge}@c@b@b@`lM@`?z@`:4@`_|\@_i@_i@^@^@^|@^|@^Y]]>[<@[[ā@[[;@[@[QY@X@X]W@VU@VŲ@V`V=@UKSUCjU8U'@U/@TBV@cfamullaconrad@suse.comcfamullaconrad@suse.comcfamullaconrad@suse.comcfamullaconrad@suse.comcfamullaconrad@suse.comcfamullaconrad@suse.comcfamullaconrad@suse.comcfamullaconrad@suse.comcfamullaconrad@suse.comsp1ritCS@protonmail.comcfamullaconrad@suse.comsongchuan.kang@suse.comcfamullaconrad@suse.combwiedemann@suse.comcfamullaconrad@suse.comilya@ilya.pp.uatchvatal@suse.comtchvatal@suse.comilya@ilya.pp.uailya@ilya.pp.uakbabioch@suse.comro@suse.dekbabioch@suse.comkbabioch@suse.comkbabioch@suse.comro@suse.demeissner@suse.comobs@botter.ccdwaas@suse.commeissner@suse.comtchvatal@suse.comlnussel@suse.decrrodriguez@opensuse.orgcrrodriguez@opensuse.orgcrrodriguez@opensuse.orglnussel@suse.demichael@stroeder.comro@suse.dezaitor@opensuse.orgcrrodriguez@opensuse.orgstefan.bruens@rwth-aachen.destefan.bruens@rwth-aachen.destefan.bruens@rwth-aachen.de- CVE-2025-24912: hostapd fails to process crafted RADIUS packets properly (bsc#1239461) [+ CVE-2025-24912.patch]- Add CVE-2023-52160.patch - Bypassing WiFi Authentication (bsc#1219975) - Change ctrl_interface from /var/run to %_rundir (/run)- update to 2.10.0: jsc#PED-2904 * SAE changes - improved protection against side channel attacks [https://w1.fi/security/2022-1/] - added support for the hash-to-element mechanism (sae_pwe=1 or sae_pwe=2); this is currently disabled by default, but will likely get enabled by default in the future - fixed PMKSA caching with OKC - added support for SAE-PK * EAP-pwd changes - improved protection against side channel attacks [https://w1.fi/security/2022-1/] * fixed P2P provision discovery processing of a specially constructed invalid frame [https://w1.fi/security/2021-1/] * fixed P2P group information processing of a specially constructed invalid frame [https://w1.fi/security/2020-2/] * fixed PMF disconnection protection bypass in AP mode [https://w1.fi/security/2019-7/] * added support for using OpenSSL 3.0 * increased the maximum number of EAP message exchanges (mainly to support cases with very large certificates) * fixed various issues in experimental support for EAP-TEAP peer * added support for DPP release 2 (Wi-Fi Device Provisioning Protocol) * a number of MKA/MACsec fixes and extensions * added support for SAE (WPA3-Personal) AP mode configuration * added P2P support for EDMG (IEEE 802.11ay) channels * fixed EAP-FAST peer with TLS GCM/CCM ciphers * improved throughput estimation and BSS selection * dropped support for libnl 1.1 * added support for nl80211 control port for EAPOL frame TX/RX * fixed OWE key derivation with groups 20 and 21; this breaks backwards compatibility for these groups while the default group 19 remains backwards compatible * added support for Beacon protection * added support for Extended Key ID for pairwise keys * removed WEP support from the default build (CONFIG_WEP=y can be used to enable it, if really needed) * added a build option to remove TKIP support (CONFIG_NO_TKIP=y) * added support for Transition Disable mechanism to allow the AP to automatically disable transition mode to improve security * extended D-Bus interface * added support for PASN * added a file-based backend for external password storage to allow secret information to be moved away from the main configuration file without requiring external tools * added EAP-TLS peer support for TLS 1.3 (disabled by default for now) * added support for SCS, MSCS, DSCP policy * changed driver interface selection to default to automatic fallback to other compiled in options * a large number of other fixes, cleanup, and extensions - drop wpa_supplicant-p2p_iname_size.diff, CVE-2021-30004.patch, CVE-2021-27803.patch, CVE-2021-0326.patch, CVE-2019-16275.patch, CVE-2022-23303_0001.patch, CVE-2022-23303_0002.patch, CVE-2022-23303_0003.patch, CVE-2022-23303_0004.patch: upstream - drop restore-old-dbus-interface.patch, wicked has been switching to the new dbus interface in version 0.6.66 - config: * re-enable CONFIG_WEP * enable QCA vendor extensions to nl80211 * enable support for Automatic Channel Selection * enable OCV, security feature that prevents MITM multi-channel attacks * enable QCA vendor extensions to nl80211 * enable EAP-EKE * Support HT overrides * TLS v1.1 and TLS v1.2 * Fast Session Transfer (FST) * Automatic Channel Selection * Multi Band Operation * Fast Initial Link Setup * Mesh Networking (IEEE 802.11s) - Add dbus-Fix-property-DebugShowKeys-and-DebugTimestamp.patch (bsc#1201219) - Move the dbus-1 system.d file to /usr (bsc#1200342) - Added hardening to systemd service(s) (bsc#1181400). Modified: * wpa_supplicant.service - drop wpa_supplicant-getrandom.patch : glibc has been updated so the getrandom() wrapper is now there - Sync wpa_supplicant.spec with Factory- Enable WPA3-Enterprise (SuiteB-192) support.- Add CVE-2022-23303_0001.patch, CVE-2022-23303_0002.patch, CVE-2022-23303_0003.patch, CVE-2022-23303_0004.patch SAE/EAP-pwd side-channel attack update 2 (CVE-2022-23303, CVE-2022-23304, bsc#1194732, bsc#1194733)- Add CVE-2021-30004.patch -- forging attacks may occur because AlgorithmIdentifier parameters are mishandled in tls/pkcs1.c and tls/x509v3.c (bsc#1184348)- Fix systemd device ready dependencies in wpa_supplicant@.service file. (see: https://forums.opensuse.org/showthread.php/547186-wpa_supplicant-service-fails-on-boot-succeeds-on-restart?p=2982844#post2982844)- Add CVE-2021-27803.patch -- P2P provision discovery processing vulnerability (bsc#1182805)- Add CVE-2021-0326.patch -- P2P group information processing vulnerability (bsc#1181777)- Add wpa_supplicant-p2p_iname_size.diff -- Limit P2P_DEVICE name to appropriate ifname size (https://patchwork.ozlabs.org/project/hostap/patch/20200825062902.124600-1-benjamin@sipsolutions.net/)- Fix spec file for SLE12, use make %{?_smp_mflags} instead of %make_build- Enable SAE support(jsc#SLE-14992).- Add CVE-2019-16275.patch -- AP mode PMF disconnection protection bypass (bsc#1150934)- Add restore-old-dbus-interface.patch to fix wicked wlan (boo#1156920) - Restore fi.epitest.hostap.WPASupplicant.service (bsc#1167331)- With v2.9 fi.epitest.hostap.WPASupplicant.service is obsolete (bsc#1167331)- Change wpa_supplicant.service to ensure wpa_supplicant gets started before network. Fix WLAN config on boot with wicked. (boo#1166933)- Adjust the service to start after network.target wrt bsc#1165266- Update to 2.9 release: * SAE changes - disable use of groups using Brainpool curves - improved protection against side channel attacks [https://w1.fi/security/2019-6/] * EAP-pwd changes - disable use of groups using Brainpool curves - allow the set of groups to be configured (eap_pwd_groups) - improved protection against side channel attacks [https://w1.fi/security/2019-6/] * fixed FT-EAP initial mobility domain association using PMKSA caching (disabled by default for backwards compatibility; can be enabled with ft_eap_pmksa_caching=1) * fixed a regression in OpenSSL 1.1+ engine loading * added validation of RSNE in (Re)Association Response frames * fixed DPP bootstrapping URI parser of channel list * extended EAP-SIM/AKA fast re-authentication to allow use with FILS * extended ca_cert_blob to support PEM format * improved robustness of P2P Action frame scheduling * added support for EAP-SIM/AKA using anonymous@realm identity * fixed Hotspot 2.0 credential selection based on roaming consortium to ignore credentials without a specific EAP method * added experimental support for EAP-TEAP peer (RFC 7170) * added experimental support for EAP-TLS peer with TLS v1.3 * fixed a regression in WMM parameter configuration for a TDLS peer * fixed a regression in operation with drivers that offload 802.1X 4-way handshake * fixed an ECDH operation corner case with OpenSSL * SAE changes - added support for SAE Password Identifier - changed default configuration to enable only groups 19, 20, 21 (i.e., disable groups 25 and 26) and disable all unsuitable groups completely based on REVmd changes - do not regenerate PWE unnecessarily when the AP uses the anti-clogging token mechanisms - fixed some association cases where both SAE and FT-SAE were enabled on both the station and the selected AP - started to prefer FT-SAE over SAE AKM if both are enabled - started to prefer FT-SAE over FT-PSK if both are enabled - fixed FT-SAE when SAE PMKSA caching is used - reject use of unsuitable groups based on new implementation guidance in REVmd (allow only FFC groups with prime >= 3072 bits and ECC groups with prime >= 256) - minimize timing and memory use differences in PWE derivation [https://w1.fi/security/2019-1/] (CVE-2019-9494, bsc#1131868) * EAP-pwd changes - minimize timing and memory use differences in PWE derivation [https://w1.fi/security/2019-2/] (CVE-2019-9495, bsc#1131870) - verify server scalar/element [https://w1.fi/security/2019-4/] (CVE-2019-9497, CVE-2019-9498, CVE-2019-9499, bsc#1131874, bsc#1131872, bsc#1131871, bsc#1131644) - fix message reassembly issue with unexpected fragment [https://w1.fi/security/2019-5/] (CVE-2019-11555, bsc#1133640) - enforce rand,mask generation rules more strictly - fix a memory leak in PWE derivation - disallow ECC groups with a prime under 256 bits (groups 25, 26, and 27) - SAE/EAP-pwd side-channel attack update [https://w1.fi/security/2019-6/] (CVE-2019-13377, bsc#1144443) * fixed CONFIG_IEEE80211R=y (FT) build without CONFIG_FILS=y * Hotspot 2.0 changes - do not indicate release number that is higher than the one AP supports - added support for release number 3 - enable PMF automatically for network profiles created from credentials * fixed OWE network profile saving * fixed DPP network profile saving * added support for RSN operating channel validation (CONFIG_OCV=y and network profile parameter ocv=1) * added Multi-AP backhaul STA support * fixed build with LibreSSL * number of MKA/MACsec fixes and extensions * extended domain_match and domain_suffix_match to allow list of values * fixed dNSName matching in domain_match and domain_suffix_match when using wolfSSL * started to prefer FT-EAP-SHA384 over WPA-EAP-SUITE-B-192 AKM if both are enabled * extended nl80211 Connect and external authentication to support SAE, FT-SAE, FT-EAP-SHA384 * fixed KEK2 derivation for FILS+FT * extended client_cert file to allow loading of a chain of PEM encoded certificates * extended beacon reporting functionality * extended D-Bus interface with number of new properties * fixed a regression in FT-over-DS with mac80211-based drivers * OpenSSL: allow systemwide policies to be overridden * extended driver flags indication for separate 802.1X and PSK 4-way handshake offload capability * added support for random P2P Device/Interface Address use * extended PEAP to derive EMSK to enable use with ERP/FILS * extended WPS to allow SAE configuration to be added automatically for PSK (wps_cred_add_sae=1) * removed support for the old D-Bus interface (CONFIG_CTRL_IFACE_DBUS) * extended domain_match and domain_suffix_match to allow list of values * added a RSN workaround for misbehaving PMF APs that advertise IGTK/BIP KeyID using incorrect byte order * fixed PTK rekeying with FILS and FT * fixed WPA packet number reuse with replayed messages and key reinstallation [https://w1.fi/security/2017-1/] (CVE-2017-13077, CVE-2017-13078, CVE-2017-13079, CVE-2017-13080, CVE-2017-13081, CVE-2017-13082, CVE-2017-13086, CVE-2017-13087, CVE-2017-13088) * fixed unauthenticated EAPOL-Key decryption in wpa_supplicant [https://w1.fi/security/2018-1/] (CVE-2018-14526) * added support for FILS (IEEE 802.11ai) shared key authentication * added support for OWE (Opportunistic Wireless Encryption, RFC 8110; and transition mode defined by WFA) * added support for DPP (Wi-Fi Device Provisioning Protocol) * added support for RSA 3k key case with Suite B 192-bit level * fixed Suite B PMKSA caching not to update PMKID during each 4-way handshake * fixed EAP-pwd pre-processing with PasswordHashHash * added EAP-pwd client support for salted passwords * fixed a regression in TDLS prohibited bit validation * started to use estimated throughput to avoid undesired signal strength based roaming decision * MACsec/MKA: - new macsec_linux driver interface support for the Linux kernel macsec module - number of fixes and extensions * added support for external persistent storage of PMKSA cache (PMKSA_GET/PMKSA_ADD control interface commands; and MESH_PMKSA_GET/MESH_PMKSA_SET for the mesh case) * fixed mesh channel configuration pri/sec switch case * added support for beacon report * large number of other fixes, cleanup, and extensions * added support for randomizing local address for GAS queries (gas_rand_mac_addr parameter) * fixed EAP-SIM/AKA/AKA' ext auth cases within TLS tunnel * added option for using random WPS UUID (auto_uuid=1) * added SHA256-hash support for OCSP certificate matching * fixed EAP-AKA' to add AT_KDF into Synchronization-Failure * fixed a regression in RSN pre-authentication candidate selection * added option to configure allowed group management cipher suites (group_mgmt network profile parameter) * removed all PeerKey functionality * fixed nl80211 AP and mesh mode configuration regression with Linux 4.15 and newer * added ap_isolate configuration option for AP mode * added support for nl80211 to offload 4-way handshake into the driver * added support for using wolfSSL cryptographic library * SAE - added support for configuring SAE password separately of the WPA2 PSK/passphrase - fixed PTK and EAPOL-Key integrity and key-wrap algorithm selection for SAE; note: this is not backwards compatible, i.e., both the AP and station side implementations will need to be update at the same time to maintain interoperability - added support for Password Identifier - fixed FT-SAE PMKID matching * Hotspot 2.0 - added support for fetching of Operator Icon Metadata ANQP-element - added support for Roaming Consortium Selection element - added support for Terms and Conditions - added support for OSEN connection in a shared RSN BSS - added support for fetching Venue URL information * added support for using OpenSSL 1.1.1 * FT - disabled PMKSA caching with FT since it is not fully functional - added support for SHA384 based AKM - added support for BIP ciphers BIP-CMAC-256, BIP-GMAC-128, BIP-GMAC-256 in addition to previously supported BIP-CMAC-128 - fixed additional IE inclusion in Reassociation Request frame when using FT protocol - Drop merged patches: * rebased-v2.6-0001-hostapd-Avoid-key-reinstallation-in-FT-handshake.patch * rebased-v2.6-0002-Prevent-reinstallation-of-an-already-in-use-group-ke.patch * rebased-v2.6-0003-Extend-protection-of-GTK-IGTK-reinstallation-of-WNM-.patch * rebased-v2.6-0004-Prevent-installation-of-an-all-zero-TK.patch * rebased-v2.6-0005-Fix-PTK-rekeying-to-generate-a-new-ANonce.patch * rebased-v2.6-0006-TDLS-Reject-TPK-TK-reconfiguration.patch * rebased-v2.6-0007-WNM-Ignore-WNM-Sleep-Mode-Response-without-pending-r.patch * rebased-v2.6-0008-FT-Do-not-allow-multiple-Reassociation-Response-fram.patch * rebased-v2.6-0009-WPA-Ignore-unauthenticated-encrypted-EAPOL-Key-data.patch * wpa_supplicant-bnc-1099835-fix-private-key-password.patch * wpa_supplicant-bnc-1099835-clear-default_passwd_cb.patch * wpa_supplicant-log-file-permission.patch * wpa_supplicant-log-file-cloexec.patch * wpa_supplicant-git-fa67debf4c6ddbc881a212b175faa6d5d0d90c8c.patch * wpa_supplicant-git-f5b74b966c942feb95a8ddbb7d130540b15b796d.patch - Rebase patches: * wpa_supplicant-getrandom.patch- Refresh spec-file via spec-cleaner and manual optimizations. * Change URL and Source0 to actual project homepage. * Remove macro %{?systemd_requires} and rm (not needed). * Add %autopatch macro. * Add %make_build macro. - Chenged patch wpa_supplicant-flush-debug-output.patch (to -p1). - Changed service-files for start after network (systemd-networkd).- Refresh spec-file: add %license tag.- Renamed patches: - wpa-supplicant-log-file-permission.patch -> wpa_supplicant-log-file-permission.patch - wpa-supplicant-log-file-cloexec.patch -> wpa_supplicant-log-file-cloexec.patch - wpa_supplicant-log-file-permission.patch: Using O_WRONLY flag - Enabled timestamps in log files (bsc#1080798)- compile eapol_test binary to allow testing via radius proxy and server (note: this does not match CONFIG_EAPOL_TEST which sets -Werror and activates an assert call inside the code of wpa_supplicant) (bsc#1111873), (fate#326725) - add patch to fix wrong operator precedence in ieee802_11.c wpa_supplicant-git-fa67debf4c6ddbc881a212b175faa6d5d0d90c8c.patch - add patch to avoid redefinition of __bitwise macro wpa_supplicant-git-f5b74b966c942feb95a8ddbb7d130540b15b796d.patch- Added wpa-supplicant-log-file-permission.patch: Fixes the default file permissions of the debug log file to more sane values, i.e. it is no longer world-readable (bsc#1098854). - Added wpa-supplicant-log-file-cloexec.patch: Open the debug log file with O_CLOEXEC, which will prevent file descriptor leaking to child processes (bsc#1098854).- Added rebased-v2.6-0009-WPA-Ignore-unauthenticated-encrypted-EAPOL-Key-data.patch: Ignore unauthenticated encrypted EAPOL-Key data (CVE-2018-14526, bsc#1104205).- Enabled PWD as EAP method. This allows for password-based authentication, which is easier to setup than most of the other methods, and is used by the Eduroam network (bsc#1109209).- add two patches from upstream to fix reading private key passwords from the configuration file (bsc#1099835) - add patch for git 89971d8b1e328a2f79699c953625d1671fd40384 wpa_supplicant-bnc-1099835-clear-default_passwd_cb.patch - add patch for git f665c93e1d28fbab3d9127a8c3985cc32940824f wpa_supplicant-bnc-1099835-fix-private-key-password.patch- Fix KRACK attacks (bsc#1056061, CVE-2017-13078, CVE-2017-13079, CVE-2017-13080, CVE-2017-13081, CVE-2017-13087, CVE-2017-13088): - rebased-v2.6-0001-hostapd-Avoid-key-reinstallation-in-FT-handshake.patch - rebased-v2.6-0002-Prevent-reinstallation-of-an-already-in-use-group-ke.patch - rebased-v2.6-0003-Extend-protection-of-GTK-IGTK-reinstallation-of-WNM-.patch - rebased-v2.6-0004-Prevent-installation-of-an-all-zero-TK.patch - rebased-v2.6-0005-Fix-PTK-rekeying-to-generate-a-new-ANonce.patch - rebased-v2.6-0006-TDLS-Reject-TPK-TK-reconfiguration.patch - rebased-v2.6-0007-WNM-Ignore-WNM-Sleep-Mode-Response-without-pending-r.patch - rebased-v2.6-0008-FT-Do-not-allow-multiple-Reassociation-Response-fram.patch- fix wpa_supplicant-sigusr1-changes-debuglevel.patch to match eloop_signal_handler type (needed to build eapol_test via config)- Added .service files that accept interfaces as %i arguments so it's possible to call the daemon with: "systemctl start wpa_supplicant@$INTERFACE_NAME.service" (like openvpn for example)- updated to 2.6 / 2016-10-02 * fixed WNM Sleep Mode processing when PMF is not enabled [http://w1.fi/security/2015-6/] (CVE-2015-5310 bsc#952254) * fixed EAP-pwd last fragment validation [http://w1.fi/security/2015-7/] (CVE-2015-5315 bsc#953115) * fixed EAP-pwd unexpected Confirm message processing [http://w1.fi/security/2015-8/] (CVE-2015-5316 bsc#953115) * fixed WPS configuration update vulnerability with malformed passphrase [http://w1.fi/security/2016-1/] (CVE-2016-4476 bsc#978172) * fixed configuration update vulnerability with malformed parameters set over the local control interface [http://w1.fi/security/2016-1/] (CVE-2016-4477 bsc#978175) * fixed TK configuration to the driver in EAPOL-Key 3/4 retry case * extended channel switch support for P2P GO * started to throttle control interface event message bursts to avoid issues with monitor sockets running out of buffer space * mesh mode fixes/improvements - generate proper AID for peer - enable WMM by default - add VHT support - fix PMKID derivation - improve robustness on various exchanges - fix peer link counting in reconnect case - improve mesh joining behavior - allow DTIM period to be configured - allow HT to be disabled (disable_ht=1) - add MESH_PEER_ADD and MESH_PEER_REMOVE commands - add support for PMKSA caching - add minimal support for SAE group negotiation - allow pairwise/group cipher to be configured in the network profile - use ieee80211w profile parameter to enable/disable PMF and derive a separate TX IGTK if PMF is enabled instead of using MGTK incorrectly - fix AEK and MTK derivation - remove GTKdata and IGTKdata from Mesh Peering Confirm/Close - note: these changes are not fully backwards compatible for secure (RSN) mesh network * fixed PMKID derivation with SAE * added support for requesting and fetching arbitrary ANQP-elements without internal support in wpa_supplicant for the specific element (anqp[265]= in "BSS " command output) * P2P - filter control characters in group client device names to be consistent with other P2P peer cases - support VHT 80+80 MHz and 160 MHz - indicate group completion in P2P Client role after data association instead of already after the WPS provisioning step - improve group-join operation to use SSID, if known, to filter BSS entries - added optional ssid= argument to P2P_CONNECT for join case - added P2P_GROUP_MEMBER command to fetch client interface address * P2PS - fix follow-on PD Response behavior - fix PD Response generation for unknown peer - fix persistent group reporting - add channel policy to PD Request - add group SSID to the P2PS-PROV-DONE event - allow "P2P_CONNECT p2ps" to be used without specifying the default PIN * BoringSSL - support for OCSP stapling - support building of h20-osu-client * D-Bus - add ExpectDisconnect() - add global config parameters as properties - add SaveConfig() - add VendorElemAdd(), VendorElemGet(), VendorElemRem() * fixed Suite B 192-bit AKM to use proper PMK length (note: this makes old releases incompatible with the fixed behavior) * improved PMF behavior for cases where the AP and STA has different configuration by not trying to connect in some corner cases where the connection cannot succeed * added option to reopen debug log (e.g., to rotate the file) upon receipt of SIGHUP signal * EAP-pwd: added support for Brainpool Elliptic Curves (with OpenSSL 1.0.2 and newer) * fixed EAPOL reauthentication after FT protocol run * fixed FTIE generation for 4-way handshake after FT protocol run * extended INTERFACE_ADD command to allow certain type (sta/ap) interface to be created * fixed and improved various FST operations * added 80+80 MHz and 160 MHz VHT support for IBSS/mesh * fixed SIGNAL_POLL in IBSS and mesh cases * added an option to abort an ongoing scan (used to speed up connection and can also be done with the new ABORT_SCAN command) * TLS client - do not verify CA certificates when ca_cert is not specified - support validating server certificate hash - support SHA384 and SHA512 hashes - add signature_algorithms extension into ClientHello - support TLS v1.2 signature algorithm with SHA384 and SHA512 - support server certificate probing - allow specific TLS versions to be disabled with phase2 parameter - support extKeyUsage - support PKCS #5 v2.0 PBES2 - support PKCS #5 with PKCS #12 style key decryption - minimal support for PKCS #12 - support OCSP stapling (including ocsp_multi) * OpenSSL - support OpenSSL 1.1 API changes - drop support for OpenSSL 0.9.8 - drop support for OpenSSL 1.0.0 * added support for multiple schedule scan plans (sched_scan_plans) * added support for external server certificate chain validation (tls_ext_cert_check=1 in the network profile phase1 parameter) * made phase2 parser more strict about correct use of auth= and autheap= values * improved GAS offchannel operations with comeback request * added SIGNAL_MONITOR command to request signal strength monitoring events * added command for retrieving HS 2.0 icons with in-memory storage (REQ_HS20_ICON, GET_HS20_ICON, DEL_HS20_ICON commands and RX-HS20-ICON event) * enabled ACS support for AP mode operations with wpa_supplicant * EAP-PEAP: fixed interoperability issue with Windows 2012r2 server ("Invalid Compound_MAC in cryptobinding TLV") * EAP-TTLS: fixed success after fragmented final Phase 2 message * VHT: added interoperability workaround for 80+80 and 160 MHz channels * WNM: workaround for broken AP operating class behavior * added kqueue(2) support for eloop (CONFIG_ELOOP_KQUEUE) * nl80211: - add support for full station state operations - do not add NL80211_ATTR_SMPS_MODE attribute if HT is disabled - add NL80211_ATTR_PREV_BSSID with Connect command - fix IEEE 802.1X/WEP EAP reauthentication and rekeying to use unencrypted EAPOL frames * added initial MBO support; number of extensions to WNM BSS Transition Management * added support for PBSS/PCP and P2P on 60 GHz * Interworking: add credential realm to EAP-TLS identity * fixed EAPOL-Key Request Secure bit to be 1 if PTK is set * HS 2.0: add support for configuring frame filters * added POLL_STA command to check connectivity in AP mode * added initial functionality for location related operations * started to ignore pmf=1/2 parameter for non-RSN networks * added wps_disabled=1 network profile parameter to allow AP mode to be started without enabling WPS * wpa_cli: added action script support for AP-ENABLED and AP-DISABLED events * improved Public Action frame addressing - add gas_address3 configuration parameter to control Address 3 behavior * number of small fixes - wpa_supplicant-dump-certificate-as-PEM-in-debug-mode.diff: dump x509 certificates from remote radius server in debug mode in WPA-EAP.- Remove support for <12.3 as we are unresolvable there anyway - Use qt5 on 13.2 if someone pulls this package in - Convert to pkgconfig dependencies over the devel pkgs - Use the %qmake5 macro to build the qt5 gui- add After=dbus.service to prevent too early shutdown (bnc#963652)- Revert CONFIG_ELOOP_EPOLL=y, it is broken in combination with CONFIG_DBUS=yes.- spec: Compile the GUI against QT5 in 13.2 and later.- Previous update did not include version 2.5 tarball or changed the version number in spec, only the changelog and removed patches. - config: set CONFIG_NO_RANDOM_POOL=y, we have a reliable· random number generator by using /dev/urandom, no need to keep an internal random number pool which draws entropy from /dev/random. - config: prefer using epoll(7) instead of select(2) by setting CONFIG_ELOOP_EPOLL=y - wpa_supplicant-getrandom.patch: Prefer to use the getrandom(2) system call to collect entropy. if it is not present disable buffering when reading /dev/urandom, otherwise each os_get_random() call will request BUFSIZ of entropy instead of the few needed bytes.- add aliases for both provided dbus names to avoid systemd stopping the service when switching runlevels (boo#966535)- removed obsolete security patches: * 0001-P2P-Validate-SSID-element-length-before-copying-it-C.patch * 0001-WPS-Fix-HTTP-chunked-transfer-encoding-parser.patch * 0001-AP-WMM-Fix-integer-underflow-in-WMM-Action-frame-par.patch * 0001-EAP-pwd-peer-Fix-payload-length-validation-for-Commi.patch * wpa_s-D-Bus-Fix-operations-when-P2P-management-interface-is-used.patch * 0002-EAP-pwd-server-Fix-payload-length-validation-for-Com.patch * 0003-EAP-pwd-peer-Fix-Total-Length-parsing-for-fragment-r.patch * 0004-EAP-pwd-server-Fix-Total-Length-parsing-for-fragment.patch * 0005-EAP-pwd-peer-Fix-asymmetric-fragmentation-behavior.patch - Update to upstream release 2.5 * fixed P2P validation of SSID element length before copying it [http://w1.fi/security/2015-1/] (CVE-2015-1863) * fixed WPS UPnP vulnerability with HTTP chunked transfer encoding [http://w1.fi/security/2015-2/] (CVE-2015-4141) * fixed WMM Action frame parser (AP mode) [http://w1.fi/security/2015-3/] (CVE-2015-4142) * fixed EAP-pwd peer missing payload length validation [http://w1.fi/security/2015-4/] (CVE-2015-4143, CVE-2015-4144, CVE-2015-4145, CVE-2015-4146) * fixed validation of WPS and P2P NFC NDEF record payload length [http://w1.fi/security/2015-5/] (CVE-2015-8041) * nl80211: - added VHT configuration for IBSS - fixed vendor command handling to check OUI properly - allow driver-based roaming to change ESS * added AVG_BEACON_RSSI to SIGNAL_POLL output * wpa_cli: added tab completion for number of commands * removed unmaintained and not yet completed SChannel/CryptoAPI support * modified Extended Capabilities element use in Probe Request frames to include all cases if any of the values are non-zero * added support for dynamically creating/removing a virtual interface with interface_add/interface_remove * added support for hashed password (NtHash) in EAP-pwd peer * added support for memory-only PSK/passphrase (mem_only_psk=1 and CTRL-REQ/RSP-PSK_PASSPHRASE) * P2P - optimize scan frequencies list when re-joining a persistent group - fixed number of sequences with nl80211 P2P Device interface - added operating class 125 for P2P use cases (this allows 5 GHz channels 161 and 169 to be used if they are enabled in the current regulatory domain) - number of fixes to P2PS functionality - do not allow 40 MHz co-ex PRI/SEC switch to force MCC - extended support for preferred channel listing * D-Bus: - fixed WPS property of fi.w1.wpa_supplicant1.BSS interface - fixed PresenceRequest to use group interface - added new signals: FindStopped, WPS pbc-overlap, GroupFormationFailure, WPS timeout, InvitationReceived - added new methods: WPS Cancel, P2P Cancel, Reconnect, RemoveClient - added manufacturer info * added EAP-EKE peer support for deriving Session-Id * added wps_priority configuration parameter to set the default priority for all network profiles added by WPS * added support to request a scan with specific SSIDs with the SCAN command (optional "ssid " arguments) * removed support for WEP40/WEP104 as a group cipher with WPA/WPA2 * fixed SAE group selection in an error case * modified SAE routines to be more robust and PWE generation to be stronger against timing attacks * added support for Brainpool Elliptic Curves with SAE * added support for CCMP-256 and GCMP-256 as group ciphers with FT * fixed BSS selection based on estimated throughput * added option to disable TLSv1.0 with OpenSSL (phase1="tls_disable_tlsv1_0=1") * added Fast Session Transfer (FST) module * fixed OpenSSL PKCS#12 extra certificate handling * fixed key derivation for Suite B 192-bit AKM (this breaks compatibility with the earlier version) * added RSN IE to Mesh Peering Open/Confirm frames * number of small fixes- added patch for bnc#930077 CVE-2015-4141 0001-AP-WMM-Fix-integer-underflow-in-WMM-Action-frame-par.patch - added patch for bnc#930078 CVE-2015-4142 0001-WPS-Fix-HTTP-chunked-transfer-encoding-parser.patch - added patches for bnc#930079 CVE-2015-4143 0001-EAP-pwd-peer-Fix-payload-length-validation-for-Commi.patch 0002-EAP-pwd-server-Fix-payload-length-validation-for-Com.patch 0003-EAP-pwd-peer-Fix-Total-Length-parsing-for-fragment-r.patch 0004-EAP-pwd-server-Fix-Total-Length-parsing-for-fragment.patch 0005-EAP-pwd-peer-Fix-asymmetric-fragmentation-behavior.patch- Add wpa_s-D-Bus-Fix-operations-when-P2P-management-interface-is-used.patch Fix Segmentation fault in wpa_supplicant. Patch taken from upstream master git (arch#44740).- 0001-P2P-Validate-SSID-element-length-before-copying-it-C.patch Fix CVE-2015-1863, memcpy overflow. - wpa_supplicant-alloc_size.patch: annotate two wrappers with attribute alloc_size, which may help warning us of bugs such as the above.- Delete wpa_priv and eapol_test man pages, these are disabled in config - Move wpa_gui man page to gui package- Update to 2.4 * allow OpenSSL cipher configuration to be set for internal EAP server (openssl_ciphers parameter) * fixed number of small issues based on hwsim test case failures and static analyzer reports * P2P: - add new=<0/1> flag to P2P-DEVICE-FOUND events - add passive channels in invitation response from P2P Client - enable nl80211 P2P_DEVICE support by default - fix regresssion in disallow_freq preventing search on social channels - fix regressions in P2P SD query processing - try to re-invite with social operating channel if no common channels in invitation - allow cross connection on parent interface (this fixes number of use cases with nl80211) - add support for P2P services (P2PS) - add p2p_go_ctwindow configuration parameter to allow GO CTWindow to be configured * increase postponing of EAPOL-Start by one second with AP/GO that supports WPS 2.0 (this makes it less likely to trigger extra roundtrip of identity frames) * add support for PMKSA caching with SAE * add support for control mesh BSS (IEEE 802.11s) operations * fixed number of issues with D-Bus P2P commands * fixed regression in ap_scan=2 special case for WPS * fixed macsec_validate configuration * add a workaround for incorrectly behaving APs that try to use EAPOL-Key descriptor version 3 when the station supports PMF even if PMF is not enabled on the AP * allow TLS v1.1 and v1.2 to be negotiated by default; previous behavior of disabling these can be configured to work around issues with broken servers with phase1="tls_disable_tlsv1_1=1 tls_disable_tlsv1_2=1" * add support for Suite B (128-bit and 192-bit level) key management and cipher suites * add WMM-AC support (WMM_AC_ADDTS/WMM_AC_DELTS) * improved BSS Transition Management processing * add support for neighbor report * add support for link measurement * fixed expiration of BSS entry with all-zeros BSSID * add optional LAST_ID=x argument to LIST_NETWORK to allow all configured networks to be listed even with huge number of network profiles * add support for EAP Re-Authentication Protocol (ERP) * fixed EAP-IKEv2 fragmentation reassembly * improved PKCS#11 configuration for OpenSSL * set stdout to be line-buffered * add TDLS channel switch configuration * add support for MAC address randomization in scans with nl80211 * enable HT for IBSS if supported by the driver * add BSSID black and white lists (bssid_blacklist, bssid_whitelist) * add support for domain_suffix_match with GnuTLS * add OCSP stapling client support with GnuTLS * include peer certificate in EAP events even without a separate probe operation; old behavior can be restored with cert_in_cb=0 * add peer ceritficate alt subject name to EAP events (CTRL-EVENT-EAP-PEER-ALT) * add domain_match network profile parameter (similar to domain_suffix_match, but full match is required) * enable AP/GO mode HT Tx STBC automatically based on driver support * add ANQP-QUERY-DONE event to provide information on ANQP parsing status * allow passive scanning to be forced with passive_scan=1 * add a workaround for Linux packet socket behavior when interface is in bridge * increase 5 GHz band preference in BSS selection (estimate SNR, if info not available from driver; estimate maximum throughput based on common HT/VHT/specific TX rate support) * add INTERWORKING_ADD_NETWORK ctrl_iface command; this can be used to implement Interworking network selection behavior in upper layers software components * add optional reassoc_same_bss_optim=1 (disabled by default) optimization to avoid unnecessary Authentication frame exchange * extend TDLS frame padding workaround to cover all packets * allow wpa_supplicant to recover nl80211 functionality if the cfg80211 module gets removed and reloaded without restarting wpa_supplicant * allow hostapd DFS implementation to be used in wpa_supplicant AP mode- Update to 2.3 * fixed number of minor issues identified in static analyzer warnings * fixed wfd_dev_info to be more careful and not read beyond the buffer when parsing invalid information for P2P-DEVICE-FOUND * extended P2P and GAS query operations to support drivers that have maximum remain-on-channel time below 1000 ms (500 ms is the current minimum supported value) * added p2p_search_delay parameter to make the default p2p_find delay configurable * improved P2P operating channel selection for various multi-channel concurrency cases * fixed some TDLS failure cases to clean up driver state * fixed dynamic interface addition cases with nl80211 to avoid adding ifindex values to incorrect interface to skip foreign interface events properly * added TDLS workaround for some APs that may add extra data to the end of a short frame * fixed EAP-AKA' message parser with multiple AT_KDF attributes * added configuration option (p2p_passphrase_len) to allow longer passphrases to be generated for P2P groups * fixed IBSS channel configuration in some corner cases * improved HT/VHT/QoS parameter setup for TDLS * modified D-Bus interface for P2P peers/groups * started to use constant time comparison for various password and hash values to reduce possibility of any externally measurable timing differences * extended explicit clearing of freed memory and expired keys to avoid keeping private data in memory longer than necessary * added optional scan_id parameter to the SCAN command to allow manual scan requests for active scans for specific configured SSIDs * fixed CTRL-EVENT-REGDOM-CHANGE event init parameter value * added option to set Hotspot 2.0 Rel 2 update_identifier in network configuration to support external configuration * modified Android PNO functionality to send Probe Request frames only for hidden SSIDs (based on scan_ssid=1) * added generic mechanism for adding vendor elements into frames at runtime (VENDOR_ELEM_ADD, VENDOR_ELEM_GET, VENDOR_ELEM_REMOVE) * added fields to show unrecognized vendor elements in P2P_PEER * removed EAP-TTLS/MSCHAPv2 interoperability workaround so that MS-CHAP2-Success is required to be present regardless of eap_workaround configuration * modified EAP fast session resumption to allow results to be used only with the same network block that generated them * extended freq_list configuration to apply for sched_scan as well as normal scan * modified WPS to merge mixed-WPA/WPA2 credentials from a single session * fixed nl80211/RTM_DELLINK processing when a P2P GO interface is removed from a bridge * fixed number of small P2P issues to make negotiations more robust in corner cases * added experimental support for using temporary, random local MAC address (mac_addr and preassoc_mac_addr parameters); this is disabled by default (i.e., previous behavior of using permanent address is maintained if configuration is not changed) * added D-Bus interface for setting/clearing WFD IEs * fixed TDLS AID configuration for VHT * modified -m configuration file to be used only for the P2P non-netdev management device and do not load this for the default station interface or load the station interface configuration for the P2P management interface * fixed external MAC address changes while wpa_supplicant is running * started to enable HT (if supported by the driver) for IBSS * fixed wpa_cli action script execution to use more robust mechanism (CVE-2014-3686)h01-ch4c 17418899762.10-150600.7.6.12.10-150600.7.6.1wpa_guiwpa_gui.8.gz/usr/sbin//usr/share/man/man8/-fmessage-length=0 -grecord-gcc-switches -O2 -Wall -D_FORTIFY_SOURCE=2 -fstack-protector-strong -funwind-tables -fasynchronous-unwind-tables -fstack-clash-protection -gobs://build.suse.de/SUSE:Maintenance:37861/SUSE_SLE-15-SP6_Update/9b432eb1227ff88675139bcb07b9c311-wpa_supplicant.SUSE_SLE-15-SP6_Updatedrpmxz5x86_64-suse-linuxELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, BuildID[sha1]=74afe6a705b5f627b7d9ae6f308cb0388f1a7808, strippedtroff or preprocessor input, ASCII text (gzip compressed data, max compression, from Unix)RRRRRRRRR RR RR RR R RRRRRRe>1jRAcwutf-85cdfab85e186bc1cfb8b30df16a447982f66aed7f2e7244579635a48a7fc0d1a? 7zXZ !t/JO]"k%}RUJzx+P]8\=)|寐o}XRB&'XJS;{^ĉ62Z%gPyq>7;X'}UIFﮘ鐜#nt v=Z;՗, ClWEwV33}!&1x &/ wSEVw^P=lDR-_B.Œ%.2p2wT)(0y=?_×bXyTA!'I+}͠{jde~^ÀJ^jMf׸><%#!_~iWcRI`9Оn_OD(U>nl)MSzag4 EAhK>Bw$\<2w<o? D %:AlXȽv/_E`$hs/EnLI1FH%XsgIM)7ja9e>պ𡄎) )؊~fX32-}_QiH gI?^MDB0!sYe{T(%D$~u^T_00kWF-JZxdwL ܨ|X)wJzqjb땜UN'ݼ/43؞kA?އ}"YAsN09a?#K#:;u{egK[Uh]-|J q >E}tVXo`ϤDw*9*7S :Ȼ-D^O:9ۻd3uU?j{JvmhA~1 H=^@::sl TnU\iZy +0!:sea_vk~xao3.܎ . qWvB['еbHj,Yo?!]83T|L*!MB׷A qT˞Bo*=v% xb*s aJ*Yĭ󖲼-TQ^)ũ- sT)ex79Ms]g7$j;9Lnjm.ح򻅸=Om5) ipDJ:RB}y鉶LtT曓OZb̐k*S"tg2c#Ia]:e7Sf[cQ}rvta#dq6 O}JnTA^Rt.(Y?߈uG3Dtu |P7D*-erGcbg2GQVd} PiهU!Jˋ7zi!CX[Ilxtɫ>ށ zs-OY/ƚf;qw;cQK@-wl ΔGmN6o}P̹1ڎYywn{ہfuرX#6pkxekeLRC8+ytv2w6ԇܿ4sڒ ve .;$ԤP1 P d.A]ji ȩ,e `X\=(/>h&=)VmgLb}p01{׎1Pb'l#_9UyҸNaG1\$Zjpv8IɆW/Ǝcps_ns԰F|3RInc{rդ ja+P]NaCϨԄڝZ[ mLy}m(K=?{jA֚0b܏J^I*Õ 4(sxuցz UK`=CJGAb e#M5 J"Gcا'CEe§ M''A ɦqWbkʭ5_ y;S8:veeVy/)7j", Na`ycBxjP YLӧ`-|Ev8%Z` άym,6lP"Rc!l73%ݣ@3V4(Ĉ2j;&+;V3WdT66/< ,?VjHC ]8UV3=lXyjXƴ^MTXWâQ=<ձϵrǦ&d<]$t +BQܧBW(2_~fW ɐ-9r,058'4_Q$۹VǼ 1# Ly$į$Ar}(Bbq(iOV|ɣ׃!qZKU c߇@Am^Am&䊭)2hnjק7g} ܪ*kIr8NL"9G'6PlvLmuᧁXp#u5$AFKFǁ}|(R98rNLi[98 jڥutT~T2‹%^IĎ߮(HakF㘻ϏL+W&ā-'!԰RΏס]T[P~D+»rtzFx9ܖW~v ~Ns = ChBY+1NGL(mD˹!|eNC'Q^uΥaYqQkcsaP9ÊV4 ,^6SU%N## Vg] s[EZT9JRmI)ЉsȽs*(ϥa vSdfZTFK_d1q }D أqc!*((@_?^k~PQ`,`Wo[93m - /q1Y`V#n8@]` {`' CTN&uR{OLsgBn)#+hYzjZ%3OP^B xQ;F$8U֒)(DOбOf ޏZ~'L=#U*ꔱN1_ OisoZlC9\)'궯mNjc)Y)6hy..,J촟Z'9A7k+88U{<#.Sj>t׾5IkE"^bP`ơ+搘]9'}) K{1FAgAhPYe56wM0wV2B@ެpҐ;֍NvFVCdc!7O_ώ=0 ܑ3KG:C{.p\gYV=ә7m2vԂJOI|,А4\1+Y;*+WQ0Amlvg 2ʺk_lk;q=Ԇqe' ^S1Gb"Lv@1H') wO0b QnBK(ۜG\֏ w;2DY\=\;cz>^o7iiH6!OP'ZK:ZhS *k:8= xB]v^ N#(utznP9AU"*`$RK8Qٛ'ԀF:|/% p yНt^] &pc|7v ( T&˺$%҄û ` kVQ|'!P+@oq. Txʷ?.xyot%JKmvPMhā#Fk"V(G8F.M1op# <ϳ{'Ed:ncmRZ`0ŷ ghQ+^вH(Y~X6)ys:g;6Y B$+)`(:c?_tSRxFR!}ɊlFжg(@p`}> 6hQNsyڡ`LgԨc6 2+u:F9;r& By(|fdV)2HvtG;y1okP00< A[l&ffZ&a RrK„ OL :ZSSj#nײx5bFA?fVC l}v^f -d$dpRVކf^ZhyZ0ZEfM`Mˈ0K|YcHmQ{8TֿVfV}btגmQܔnXBkE( ye6x0%?d&,s)<$n6>PfTB''3ڳؘvۋ=g+ 95I ;2eX+S*GWUD,g$T[UJokǛ)U RQ Y _>,OPSU#ҏ#'a#ÈWtڣAc}qazߎ L2چgƈ߶ ,:]K+FІ@)˅,i0FKd-]u|uU+Z.x.^ /mAG_.Z[2;yGEECf{Kf05x!NϡXy9}(&Sc 2Sx}{&~"ۄβx V2P8S! 6[0p T F%!z(g Fm #yu^)vkc'De"/4 "lcY6lոCY)e$0GS=[z\'30m[mV>zQ}+n68Mϛn|'܁r")KKƐDpoB U06ϐ'08EP;ݾFXВmffO=GKGBZ#x{2o:r^85{}$q6~E9{@VٟX L:[N)OUjhs 3)Y(%9ᨿ.^\VQȕK7#$LGlŖ8- pи=Q4yz=CPbHӘ%]3g策[ֈ㷶B8@ ))M^ גgy 1C{$V ?;2E)*}x<]":' ۢdj䐽k6v˹d p54Y (mU-A64`?N#l=OwиQloZLz]|GEjdss"w\L7}6_u̺Ru4e]G FfWoSO.IF*4/ղ`ֽmC(! *!JBNE[ A?2$ SZj֘m>[8>}>8Cm Q l"GON>a 2<{E5ə hGUwP(HHb$P 8mfT/sa[3-_1eqĮ#4ڳT+X@^DFAn:蕃]Rr1vSZ3 ِ,łY5qւ e!o6ap@IA~ӼpR+Ѣ6XI*Ӊ‡A̞`ap{?y"χfzGg ȀAwاqy#c".rߚX@-bPWJM'q:"gev~ދ 'rj{_ [b.%<<8n$oy6$ԃBȸ&a0reuk4jn*.(avSzSjXǨ7!m'ߥ8;qњkD[*IcPS"CAޣvJl+ }XK޵Go<h* ;"Ϭ mtVg{a]gM(;M t'_ա'6brtv4j6ƅEABUn1Iąn|/hz5O]uYQ'śȻ-E,r ;&sI[W6>IłcbOѼwp%[b.=YXyT0B3|CnFF;ۡ@03Gr@ C0_-j++cPŷ% FTU[.T];}4caWA3'HD\4U(VucX!L-Im{z.#M2t %rt@?1GEEbg؉DRpYAo[H6u2cOTI3M}E4I-I;-GƧn2<:|T},جMp t-H"tx'-}uá&#* yk"#0ZwRGբcW  uf1zb(j&7o㓒a+vz59"0 ^0vދOl* ʹ_BPWLgjzNJKMdAaj&t} n\*0Cso`Ѓ7تydû(1 ̨pEǚ9*TQyI955YCzxZ\D~(%P[hCV3{R?k9VJ*hQX"Zwc,qy5o*K _4r{Dq4) ̚I(JwLN!M@gWvyź.Y%]m#|T]]J!vqMyk#tRJ㶘("-b":&gUttWpf1EkL0d;?TC!>#?&7`de;[#0*{toC /| L:[Wq-"~la[y1#ޥqnWRW"X9<,J#y*6^W3;r7Fvܗ^d#Y4L $_6 Km㛟C0ixoN/aI=f̠cxڄ<Des(00M6ӄ<ɠ gi%NR՛$3ӭ6Ooky&va(@bl[)NrDp "]ID_˦1R㯗AցL|cvpw _g3XnjRAGYo4ȠQ(z,D#>T.*/;.y6׾/Uܚ#b W.wie]P 8G4G[+? TP 7syU/>ls-Ƨڑ b\ _rlS؜ʶ2~(:v bv˼#4+8y$zNi4WeR5#K4β]Ǚy7`fxNehzгխkvW"hFB*H&YYj\HG$ +PAI 'r"KsF7MALmN|yժم7*?J4|knMKLw\t H[Pª " 1ulT|c/hrs;/YX0+Φy?>ղ# eo'tcJ=\ϤӾ+'1gU(I4nyNK|Q2bizSx+%j]r,(aDbLvkV2ۭ1[I' s m|n/IA--u{ ,m`X"3h )orR٭/(F +pWe40[qˌ: &Q(j2mAVzփuKm"&f#j.jծ&yWku,t1w9Q: 9D {*YSt;>t73il$` #k)F`({ۧhَڲ KоHr;̀ԑ)HKR:,T{=Pt 8. $~6"+jB!]Qпr1j4hgvu\@Zx4@&Cש^SIP-9#~m X'cp" TiV$IC8XWH}Uߨ!vkzʻs^@F?ٕaGQ'Z(FщI4{Bڙ0i[.rrdՑG>Tu G}eoK!d-Qn1-/l#calFgPЀ0 Li:3qoxmԌ0%s4goӜ Lf X sy_9p&ĴH^WޔBm.x8J^0q:5]#w5˰ B`J }Pryp'Aѵ6iݗ Sb Le<uY,R2SwLWL^80L{*-ƿTclEO<ǙDwv!2{0/n'$r@)3ys$!UM4gTF=ꇋ̜ɜ=|2TI>/VS!t^_e:<d'2=ا} Q1ȐRX()C+ p4'͢Z-6 ګ.P. V_nlpHs2|T_1ե&Agj]gٿ'ApR5[tL/%g.U](7Ѣ=j |҅1wjK!|9Y+xE=:!oYO٪-3]Jso `KQ]|Lz+-љ){9ESEZmrlx?i1 eMMӉcwD 0ІoTR v< :Icg?`$@(L5lӪcECQhO8> 1,ۦ=kn3 CW վ(΄{&@<[-[|2p9I,DE ޿M `ATaEYڡqO~=@ ȧ._@ MnĩfSl Ø=S:-^稽'>[=FelFWoh`6f*C'GǜB_)Ad1w` |m\UqtAl*5<`-N[%q P.=52V~V`z=@={ERnR[ _IVĢu0>n?HR 5hd=fo. ;BYI" xK.~WCDmo@ U9 $8t6!?3UUe8h*K?& L"#ڗv#0KKiªE?}XQl_ˆ:yᐾo$xϝg~.18lbZuj걞kVVc8ʩxng{&d7Zأ{ݪ'xG9< G2ރVz=d@$0{H`8[/y`}.6:Qӓ<63m}Ξ3n`jfOY% Xbǝvgu-p q}l<{wqڤ~J{jfE (L[”v{sYcuPбa_h/GiI$Va#U]m@֎+͏`UjiNAoȼ4yZŘ%µ,[ B-"c. `jLg ;X) Xl3$+x޷)QG{S]L"ˋY3".n;Qvf .gKǺ) Da/ k9@ӉA~;2Cq 8 !)&v b]%vZT59uΏOYF!l|'K!y ]O(i7[_eqj=ѱKH˿rlr)׌i4~R<̔&=1jlLE~ҿQmT3{e:u_ITMрĨY!k8|@( K))UpV'LX}_7┃g9m|0Uˌ[P8͵]]uN4r絧cLc |v%^GwMBr]gOU[-=Xn"%8i8<4TQD>$Tfn#Y>N_-xDC>xwzr?ŌRY@gEje tf4a|h1Fx#XVh?|"Q=$>,Yb(HSǜM"V{E Sd5k*zv$zsn^Tb4R!'[ j2<T 54mYhykHu٘R@e\ i;c~6#nkmjّI#NXR05a7z~T# twGR<6oR [Oc6\ PP ~X5:Ԙyu΀A bOs6 @VVlG q-Lݜg8^pVт!i|֗d Jg8b15[ ={.)~RT̢yMs dϫ[1f߱&i\$2T>=UACVU3Ǥ|(TFU}Mj2&c*?!Q*QoR+ ưu[ƕ9-eEDUu,^/r?p9H5Zu]qt,=TW[?ܜ`$Y ;gHwmoq *EbITSx܉̄(*ݚ=,y֔ζ]ePU$z P^9;G&'d`<92^y4%'<b~*?')H|^!jT#QjK[>5;ʪSR#E4♂f*g1㷖F d7VEi;͟{3Ż>HU`òԚS|k*pC`ct=5S(dp76@Pd?5g|cAP9q qK.cc0 #e޶CG^.w*g?UxٲrGc,^BUբgF^l^s~%$vseS>5c<|5C^r#EVtMo%AS5IsTFQ}ޫ>*ȫ)}\}9Ӗ1ש]K$qSN]mOű[_pom0\C{V[ .QY(fUz0؅ܖJDR3M9)Y1(Q&zks0.̻ndnف庆8;SN]B2ۢ7m*tB%D))%OŌ5+O9!ngX}A:nYa VRz|HHmXee\ZQgO-t H* #2~ĠB. D&1 -ER;Cd' we( }؜ămIQO,2vڋq&' b[: iإlbe 4:^T[K ܲ+&.\w1ȵIq:Xd-=>ڻDm||ݕnz % N×X^_2ͥ THV1LjI#ܨ nQh՜7͟gś?Yvd|.Ymu 5$ 8[,"t/JlO!NRwyR^"FԄ.Ad1۫:A;bދ{Q̔%8pN,&& Pe( (}~237i4iQk $ʩI ʈh WuUaЦЗW=#=Q9:cD&Hy5;w!FPtК08|owƀG)ߛy{7̀^,Op~P.۔1`La6ZT(v; 8.LE@of_"@P,ruV ,z| Y·Jv!'%0Z[GS{h-=)xPEݙ@'7ePy8[VIRzꠉgAfhBn|aHh1PtzeCW`>̗hU! bH Z{*p3h9}> Nl:u)~ڭ_ĪK(P1w v;X@:HPsM5Ld,By-GrcE.JY>0¬61XN,77yD`~ VBˁh%M} o 2TR |;gҝ\ŮMz $m%}? E&&7=k<:_@)C=xA,!/&EgO|Fҕh1%ǯc2챃ioLž$m| G]PD] 9omkުr$k)+A5IBH|*⼦*@"A1'9jAO;CW rT$ȧgC8:[θS607"*K}' .AOɤ?HmH'GFA ywo9dnO 5O76j_fmԤC#^1;\@٘)c+|.LI~r#{Z-e6HwScIip٩WE㩤F!ۓ 3vzq2Gdp jvOc>Jxh3GZuL1ʧgGACjnOJGW j 3'{fHIe(JL1uߔ .^=;~i(Dm)ֶV*x5rpo<vLLn$c.y;9pƹ5ѤP$[8Z; [%Re>>)-,Ә+K^a=e#PX* 4,0>jo(2pd;@:fPܬ'cnXVQ3{ -hXס٤j'|j-g;.+{Xk#FdQE2waz7K_$Pj\n$U6AZ77Zl0M0 yΊk)(5Yӂ)nkrPJZ %S" `c@$:@ SBʯ(`lcbE۾<40S JПJe.Q!πg6sҲa;Dkj~2t7pZy?6#\$;9>YD{Ыt׋cti(.\vt'Jj 0gHnu1YN+}"+lV ;me$s"1l+q;]}_j7NS1?cF{'rbJ5K>b#͗x1ٷ)V3;PP/B78:#7>N/_X΁r?[v .烶^F ,؞X`A@xQOpCD6ڸmIndHF6Lk&JfB"&礼R=X7ص)Hx#;L>j@K5x[OkGMDFJ͠I`8I#8șp f&Eמ JB-Ԑ,Iexrs{&Ҧ; ypwx2fl2"x&SvvԀR7҃/Ku\р#n-ӱ>eLV66/k~=Psl??a.rb/oK6o#CUfL}ya Ő,CBVbg[4K'_o}1FlMC-{7,s .}LBcǙZ6 y8~hF27=P.ɨON(,1 f ,Lg2x]sD>Rʯ~HS[9sk"jAa$J `{/JlS&6yo>T!RU"<ȶ~Z#:qo{ɓM!2?t]( .!=ZOq>mN g`LJ`΀~2OOe+6_'z8 ù/ *2Tc_T;]RΜup(k\q"khp-3FP" {*5`||ږaeozGܮ8ۊ,4ֹ([UG>uhH-gãwggki #M=xka8RϵM؇[+4ll0MHU[[r~_ ;T[:ߒ}Iu:̙gi=͋\vT2_wސ0)r Ϙ983bh/*f jaJ|hp&Ds(7b;~V&B<8oq﫵oJ6_|ecW?ǢnpN/@opuyd/nݒKxrVڋz6EganTWƥ<8~sTbjۭD~ڽ3jޝ,.gkN岲|HB?viB$Sl!?w^OX91y\Ym&QG|g+^5h™&+`UF|0]_۴%![|'fqXٶ13E** ιg+ L9$H4%"e]_@*wx6./:!U42u5~-"OUVF`,~P# *6VW@Cgt7308Y zݸlX䗋s_jp"D۫hOj* ö02Dy }F@9R~$TZeu[OfYOdהZ꽠PFۦO8Ӛe5`}6P~BG jqnG_߯ǐMA38H`y.Jx 8[{qsRFA>d0/)I\K +A݊7O $ktxlYTSvhh;?R||8g;^*]j?@|M$\8ZK1dm!DJ1̀R!+He{ZhJe}Y2' \l"kIƄXh.vVRS6"ΖѦelxgFK{Ւ$ȨY0AJg\=!R u,݀1,D:m Qب#'f| &DU&0FPhwô86rf$Bj~l}I;/l@c !XÖ=$|XH,b.&Q܌~0GdUr|UFUDp^E9V(Iv6mi]_ƈx?WkG{xߚp=B%נ\=:TZJ $ԨD25i4珔7\F,GyCp" o/tI)^> ?kCo"A~& /!vnAYM=3lY&Kxs,p| 1^v.T $%e`1kFecˢ3~dt b;1V՜nŮZiϒ|(>B&^:Txr5??؞fTb'9[`I7e4(J (х4B#(eeLˋ9ICT.6Ē3|(gT܇Tvp3n>O.0F:v]5 슘a(B:K5JcA r^*J1TG]yF'AH5\ӯ,W\x`6kc}QSdccSH;1 A9ZwzI;A=aAD*N3E8]ӊ{[]QIgk5Al͹_CL!I[l2!6=4Oj+.(KD2ry75Ѧ0%:ֲ!fr>!2;Hh@M<"/nP&"PNTY1( ځ6>8W͂Yc]:IR7IJb*WX~HK/_oBnm ,1JKQ,h z}n9T% k5zxqwq Ǧ @0^lx`X3yS~š$m$R7׌W*wN8r{ՖkSJ|(  e]ޞ֬sAZR?l{"Z1  cїbS5n `l†)r>zHDѬXiʔ,;^2Kf@'*VXLZ! .@nexWz վn\H>2$g7+Q}vd36l0Na%֠8"-r^u"JlŸBN4q3\uĎڟhV 4|FaH;Fߵ] X l*xѾ`8 X5iwe a/zK[gWsT2[ XVc%\ RQeMZ Cv@ZA N"2{p&;v,,M fm^)]5+FP.""'t{z.H[3D[0@5ɟIL-l Bvy%Yf$p)YߗNLZ$}k ߲#EZ_ o Bd]뉭: foVߦ`RQdoG'5Qֺs7J=L8PEXMRԞXdmfI_g|>|E=D'^.[JMDSaq%. $4-~&=&@aV& VF^+t&qmøx|dVhsb: 뤚  .3w~vҽn@e 21#&Z]eArO&Ne)XqU9L"-#ɨC, I2b ɯqݭiDhm |T#.{bܫ]C[q!Ă0_hng,2)ľ@Pc(%wu?AheJ O ϾnQ75ݣgb \uw6GV~/պݙFbB&"t. tַ& \b[+das"]:,b.#w!)vW4<, ǟ6<=ڱtPTysl7:Qd$)E畽[L+D-jC y}&a"apnd__w~ڵFƩDگR LMHiזSHit Ntݲ{7[TCCIu_(QeaڄH0|Eǐà%B›IPB٠78w!GC]1L$J"+% JNUM;4:C~n sC!/moڼ}TNx-R66 idC kTX nb)RK9&MBɠBz_=Eq`Xg zLDX-d\H茁 =Xv tdV~ӹb=='`R B'  1z> .~ ͘F3;!4ߩƈ|L!2XI XNDDښ%P𥉉%?t-4+r %`dc,n'tI.h" O!U >9|BI"-MƁ'6fX]qCǴ9kKK,/OjFȍء_p|nJS(`d^<UT=4Lm@OK$1)Ɲ+b.R^Q9ս#@VMn-_ɩ*y1|w2} daWUF K4cq$O>Q @,{04RTٖ6yHoCq$D2]g4qo%G~z`'?^f1h2zQD h֣ӣ&FFl0~GvG1EՋhR)sx- - .)0oǘGM&ЫHGI5d9Ԍ"әex 8KI|;'NWg~H Y-4;_ASm̋WF*p' h2b>_r)졺j@Gc6F}} ǕỎzpj2*7l4p.IR95+S`".Z[% 6.Cuh(>Sf閚 q3E3c8r9ԻshD4Iyqve=N1<*,R?!(#?Hf}RGrm.% eYo+W"ҹ02fz}g--J5^_82J]S [7b W:R(lֱȥ&5Ui[@psŻH "@U7DEEtye,%P|%tOr^z}\';C騮c,L XgkK T=KJ}M|n{f;w%1@ n[8aJ\iW 1]~2=wE2BDW.Y޴lE~<Ŏ *g)8uE@yȝA،#s!8mɶ뀇_{aUDqŐX7)5ű'KͳV~ibO±[)S!ݨ _jѥ#{8k(Zve61yxnc>fo|gs -HZ,$ 51ʗ8wo fڶ(;?\:;mVmS?j ?H9dKo5k}ãeShYY}Ѫ2l *ysYb=0 z%;.-5cs̛-Urikŀh4g+4IIWR-{{@|ӦjD佋V 5iw||baǭ0ŤOj@b舔3M{ͅ nI1{pF x>e o}x+?>m]|V#Hov?e_jx(:VKb3ǟH\8vvkNP6Y cfm:{w5yW-Y15"O@B5n/*@Fm*%mvmcy V{ɵ$jU; 8XMUe/k,~SV/e2LLGN<|Q]c">;^nXR(1]Lq&B6ozE6[)W.SQ'q2\wf1adh_ppiL;u}YD ȑ&m4 RǥX,Z[n8/Уu j,t2#((&rvY0[dm2ݠe F=P\ m`zo&T$`Ұ"e˂brQk8Ȫ{>1>! ̑WqwXTo(lWg\nM{Q 栂ci&@s[ZʀU`otS/lt(UV[ʽEHen-8Yo-!fyz9<a)_3 _R"}iK{\E'alȀ@ +<L\ xoN.2TdYCK{ 1IJwyfSU8sDp.+tD賶ƮɟNZ\UTH<G2lûaI4:W CZ[C` ?a$pe#ы&Փn{ʧL]-TCK}1TpW H([>SbPlV?t25G]S(5n7(+y{+ؒ.;>YJǘ@A*+ 1;}0?ə?њX`}6~ksֵ}62~M=7ka˴l9_qvB ;iբ|{8La/79/oi=5I4?@oM9v :*n b<[J V%_^ }Ѽςa+[YM2f*|q$<' CfoI5n{t~~#2P :,Lɂ޲̈́B|(f-Դ0a]H)GT~M3خK?2ݾ6c*Fi Df&28{m-dv5%Fh=^uӼ zl1S Wo$>ʟI2L&^h2 #1π lhl*tK:ի&vw 7Cb~Ie1CUm+;HW–] E,Ys Q^W'v *rlj4#I,]IZ~-|m~';f->1B]-v" V;wӏP ^R|TFaT'gq_g;NEd4|uDX6-eqTpE 7 #[Ev蓬oh.0oi̮ۊ7JKmRnj3-Ju;ZǒX/uWi5_#t< aU8 x%S2HN _Ә@J;s;4 TZ ûsЩ0#`:1dEUj@c&ѩt Qu$G EH&ekeO!n_ @f1c;ʸɲ^ht0yl=&)`XhL =:02`5 =~d@\y5oƮ 6Sa׏RhEo'VuFuC܆ʅ͔ɥ^jf3ڒ*BwZ݇[źK 'a} 9%'B8BgA_"i}3߼OR\,и$$j94j@=ABRpT(i% -&E9$ņ%=[G4JF2r6]bKwK!p%f7F%9X2PQ+"47PIЦ! ´n72^ ִ~EYL3p:RY>#YJAUn <%p8&rlhZᤣpwH P̼Q.ߴzJJI8"zX\7)VR lPX'1d9矗C1}_D %I&zy ę׷Xcq/c9W>K Te%̱#gi{lc:<[r p.ڃYOufĶw.UO$KĹY1 LV>'۾̰!4yr%8cce]һ:n? h *I w؝E\CH"?Zx#Zɬs=m}=f\9 4mi|P.N)ݿfm<1n㱍,S QcP#9jw4 S$V#J|~6)?!`C_,%7yRRErqG]|njp&\*=!pG׏/⦳55g& `m\>>,#- @kl>6X 9]W/>ށ 5˵fUu*Lg$պG i= #[0 ) Yz6؍;x{ew@:Y+htz֤DD+thXOzJKSQh;*rQ31$ՕIs!px ړ`}4)Y4L}1`V&1 M!qt.5eT$S),*v r a7`ZrcR -ib{BD>'B ORmDFohl&eM[YKln' i;xLqy1;cčGMi}ŪfWL07e𫪩@0%&Bk-#y0jb~FNWTw+ά~mBj@0S72S,@-_Xدn'j'\oRTRvJG6=Zn1Y ')CuFWF-TX]sjO"ǵ*W|'?]Ms9kbMVW/j#dּ~{|Yq-7+%,xT)8iBFG*ˑ tSgIeYX(Kf1}1evC_' -vI«>/g~+z".XnDMv*J#^7PPKq*_&D{`-BCƬooy+ZhxdЋ҂|(]K|5kL5k,bi`k? GnBUA9l=*\wa>3Qy4q֗0dz)Q2ZZ5T/g"?Y"-3nc5bL6o<T<ϯxh$_1&x5TA\*\!x(v[uBى0LhkIX֬h@PP^ϣ?yjL/,wT5QJsM^vXW0Í^w52!{a4q~H9Nr2ҍpZ$chf(PZzD"HĈ*-; x.GO[a3 d6Nukݺ9nå hx0&onF~8b8-)ή=T/e;ҝ aɪp& `tޏ ܃ cLh2ǭWQ2Y'aG"4Luً:CHj*4% +vu[v&VM((d1X87|ڒC.xᆂԛ{t[Pףg(aכ:q!h@B=]Q:=τtY<5]jBF3u~BR#\TMYVl'BO}6k[bԫKl2?^2jEdEHI ()5Tu&R~QΡTN :Z?DiOzW  oN@ N$;P.8ETwf0lh`A$.c~;ׂzV!Go" ] oWrݥh˲UGL eo *5P"-_m$cV9sg9&W5FR\ 'F/*+pw%֥CxXA.  \p\_E[Z {n)$xbfU[Rcۋ7UP=\=o Ϯd2;;{? 8v]CTLps9-ߙE{jD˃*$1ECn~cI"p^k мJZ۶Lf7d 7#!DEm`0F,Z56IDuE.urO#Es\\hQ2x#Dg{PU ٕV`pKM7]#)Fv9b{aJy|eb,0.CS!Nlg[UggR)ibFMai5:L_5CuP*p{6izf#nX;Z]rpp8iek~}O{oBz]mIu"Q5@-|C-oVާx_ٰsM_Aa]cV &.ƈ^1@^ZY&N$Ht hI 9iC-UsȄUh)B腫X('M:_p(l '$nIy qnf :)Rih-4i4BYm} ۼjZlǗt kMkCђ3^C`rZ? [~Ԅ^8*T)R^X`-B̄FhzuCN-lt*+ &Ɓ$a1A3~WK7 W8 B<8.V/Qk+! **!DFXFZ f\@_Uwy)W`PNΜl'(ͬ:3uڻڎƠ5B M~ ȆT vf+=Q9DT WGbr:no;[jZZH8|VZUU(4^ rn##A _Lds봹a b2FQ f[zU|6ayqذy D&Hv[ի$t]Oc|0dM ~#Bbq-n:Ibm{LJԣEeBFVbȉfvʚ6.{S@'Vp~ /S)炵㛨TF|iH !~_B!~4R(=.}$BhJ&?G-T6WP(>ۘB|6FsM&G&͊AHYP{SoiώNj͔#pJ(o)!{^·UBb'~kp*&rz2 a̿G{mL|Bnb7ߢ&`::W|MB0-׺`d6`{L?(2\A͚1 }\\h8=9R$e-)uĹaVCPݮ6 _%(d5uqv SUw#y/O&V, : vŃ" [ Π iB*+pN= ̩w: LA|7gӤeQ$j rɷ͑q0VIgbC$1mJ[sVlj ȭ^^YN*Q¶?/\|)O#ʇ8=M[h&wfI7^Xo:1/%pȹ+P!OR G,P [8Xum;8p.UIy?:!4.?qEbrCHI&և!*#"cM]?mpG4 .1a}+7-jA&yI;H-:dz)؏b,XR`> (GxJ }떞*-jíLJ!/tzHv1}\S|~ ur꘭hh?{}NdyG.CQژ<xˀ.𠁥0kd%7-"d$|l,H*qg0L=vA2a IU/jLCH 6-, z+t y,Wf{lh< @0ES%IخG~[ ~P5|= F"C ̓dO QNO$b*d+tJna3!t  t( .v5 ɘ.5 IXvB *X Ԯ,`S@կ,P'3XW?¤٬0ZxgΒ/GH|G~`,ە.5TU! ]>(IN!D[-rkQ y.43mWA Ռ~όh%wK'*ug7؞UilǔN=:Z 8UxlRȀmujZW2C>3dWU+Rel8qzԁy/AԠfЗ3m\٫pʧ|Vˡmirp^@7)t}LIB2&4vfW '[(VxVFf ųǹcRTIL+-daQ&0­l4iؙT?U.LWzm[o z6g'+".[thz%V9Wo~>u/v4㢭bgDADVp]5\mBZA~H R'x_ªGv 39Ċ 7"WP|ݯd#fI0M*?NȑFm>J:˸Ƀ6*kcTJJId]]Y`KDD= u^Iyw?9xir_ \*S@[ WyTQ^ht$Xjnzg =#NxsfRoS~1S~<,XFC1BVU֊Uh>fO2{|CK/6zv"{b<"̂@IgX褩NGyژa7'8Ĭ!`3^9:1a zWX2r7<T%'zu5,kn@cO(St&t0mAu5N8afip"\Bq7kt *O3@h< t8b [`5XZۃwyU͖ԗa$?_Id<ʕLW)(}gEl+ @Z{>|Idyٳ< Xbvu .2(s9QSBտ鉂PZ(p?F{*נ#:o@M毑~է\vhiu)`Qw}zAh;+Duli6vd@od@V,e1V4fK2f.9%h;yn 52.UG /c9e%@"B'2Ff[i@*WJ]BD1K3g̘&킞bڡ\)Q&n{C1dO5)PY]s<='@/jro1|CjRZމ͈)- == U{ ֏, @@#hNc$`Cv?8 2VĞDTۦҬC^^[mCm2BD8žMyBo#ʌ^1尙Bׅ]ÑMn8,\YU)!7 QAP?:BŵŴױZk45Lj|HDonԈ6oiڬJ!{ul1,,n{1yHҧ{{$R ,aH>^/x=e:d.Ϣ9CR4ڒO 4}oO0Q0a4sf9acefj7jl>0<-ƅ%8KU}%{?ZF^7PUn,aKP%:vaNϰapM;$22uiqT,Ce?!6g-y^T}jsSM0ʋa߉Qu3XCBHjE|rGY5O.?Nxzc;ZHVۍ?C~%CZ,#('Cbh6!8v=CC*E =z fuK6&,޿e3u< V{j~'Kʾ}MH cogX5ӆ̛,fM r\i4N~Uv*9N<~R7)){!ԋlJIlE1]RSnC3HKB9*e𔎼\i"X_meZE/ę{xu|8E!rNm3|Ɔs$n7 Dˋ[s"es_¯R9kY^H0뢍d!s,gg4AO*]Է֑{@UyJig8sYVl;]Du߁Sa'<3fTӿá<,+\UG%X=-;!cN4g7hz#ӭU.LF!l0COsRrvaB#I?[o+˘A'*]XEk?84 "씖exЮ)):5$ed [C;Y#n(bXY7_s봯9H ;u|ݚdYfpI|r#=Q^Yk"cL$"!$k ~~M+x{VTpē:H"_m!0oR PQ9[3p" C&3y` G![0CQn9ح?3q"ZJL L_t$(g5歷:K%kܾQq0Y@=1q 9sljm޷#w,ϪZ)8/SJ#$mAu܁)UA|&o;΄+2و}/sW!|Oܽbcw}PՓAa(GxQ֓~"$뵢w:/^|'+c^F#-ҘUF}\-d\N fi7I4#+BY_+L@36lT%8d ÅTK7tx7orz$\4඿û;]TKAXyYFcݹG|y32v 17\c)i/ <:C2Cf 6tce9I+ qiʆ; ;G] [l0n4n{)(vx8xa&TO8$K A(/K{Gãf=ƦDVlQ>k'P ?UnV"d=:sTL65짝MW/z];QTd!{(Ew{ZAZO&/ !P&UF8W_9tð)xgo}=j,uЖMo!1K -+A$6Yb!^VJ)c3wHxl2~ <F5n=VwٗgHZЇ,E1SojcaROIbn!׺XKli?zKPu[$٭Zjɫ`rD'UgFwZI_Qn{hAk1piņKTSW<f9&@kiQno֑m {AAۜ %c;Ǽ=m8H תzOܼ`JF;&?!RK͆8b\8qҤɇTme1ox6G"sPpkg$NB=pP(d)kT;(~7y@z%Kʊ{G;~[b4MDJo|K472ZCX2,"$ggGc1ԯ+ѣ̙̔O m`ZTˠ%Ql/8OЙ1^ݞjgwK.zdrW0_z}W?@K`r?~*fx/޺5g|XdɇY)cǚ0YyI|ГrW5 ɴl+l1;w*Jjr|n gC0KwFg,V,Bjee~׏Iɸ";v5;#jM^{^ᵦS"O qwsGkF"bO&Q~f4hT--x {ӟ+RzWR1Gu$ʺ=Jh$26Xwyэ p<218`^9X,6؎$%]GyV, CWײ( jIxzOmB Ć 䎦=<ǚLKhO8,F6v|7b,J! Xi캿(dF޶[u(Kpj%Gnu\`i^>>hk(4'S5"0.ge51VRuP3b5Q%hfo'B)aS1vMy.mR66UlbT Rm#kKT|!\b =Fi^S7z E-TVr7#kRT?=|cLinFv> _3iu P|WR#IH<- "\Mt F! ,YmTK Sɱj ϾOCg&^"7֢N6 ~luƄTO_3T]@{| tGoKUcڡ/bdZMDe uyh&vLkhˆ^J8eY2+e.d.$o+>HS:iUI@LK+Bc *bwGf_Qb$eY<ӊX'1v8ߙH1̣ƯcԼ;hNi`#Rmxf9`M>ߺHq/~O0_Х胮/AZw-ۛۋfler!/;GT\w2.NyD3Ɔ!w+=bᐩ 6FOjeyDպ=Ʋ\īu痪 (m/ȪA/\pVg5Lv[+:>c`e&8!^I{Vzz}V& ]݁!H´y%\{O{RߧA'w Wt%܎6b\E*M\+4Ni0 هiz0uW1wk^Pm5O#Nك'-a5>H@`됟Zlm_yrʊ<'~$;޳^v ܬRҞVn6뒣يRkr=@AeFO1/^Q\^_i Mv~%W!:VtOePSȁ ~d".*Bo)\{m4mq݋|5aaG8Yh'sjmycP77B@Qg.STvPo NWH h2n:aJ+93a-bћ!ԆqvL7w%!Tv~}um5d!,njuƢ~&sO6^f45󵼾hXWJ 0?$yQKuI HBlF{ɒa)Yɸ^ٱKn#mi6K&y):PF-jH)l~dC(׊,N '0 `l{j8 b<{OɜD'o+HVț+4D!Zj^ |Eedĉgr*y71ԅa[>nCK (wl)vK2 qtȖ ώ=vF~5ؕzo3 T_t=k5^kpVVAU &塼#$:Q=y3&v?gn0;XXڲ *cS!Ǫ*'tAyg%|4q&е&L* RJr]#ec}pvD 9uguI&Xb ՗"8Y:.tVq 'D](Ay N5D9sa r9p3-EM̓T!7_e~,q^ac{DЈ4pM(㷘y'w9%+1''*|8̗cxrqW( AJu/194 g:uӈK:=/+ vۘ=쯁f>u[Q#Sg?c|"\M\a01|[^䝭{< q6g$~WGٔR.[4xwL`.ϩ8~Bl-ͻ\2݄xs ,%Z|p&"v[ -1U BQ o̱R7!s1 yb-#Ok9l%e~p]f0-`՛+|H6J,wkNO(ǿI-s90SM6鐗_m2% Qy\ tE MH!cG-(%΃UCK;̫[ ~O:-tꞷjqH!QCn5lP y_f' :յ2DAYL~60"X-HtRHzmT$TLM<ə#QvkTGik8o(7}tBV%2s*N}LDiaᡔW< bB✤g< yڟHlHmc^_g&[tdoW?_ o!3cd[>/6h/v٭d&ALwt E%)Vc(NCNXTL"̓7 AuxZ͉[zj44ocXĎq74xJ95Ա@eE/7>=?2*~nƳA!'6gM:r+ohnlH?Ҹ7PJ5b }{%n5^Z:E18蜲Q !md;&,w7 +ZGq*Gt8==$:0suCIp?'nf՜|DZDq4YUK=\!7]w&kwfpDADO[5/!71ϋ#u{ &oOvar(CF/ (Z \-4&ܼ7jk0sdja= hfmږҴFj,ƨ \b>'u;߀$-?a+ 9,]:xNN6:ӋGZpc5I҇*/qr_CʾSՠB]#}wgιR>҃tǾj |) }_Nuĥ. S uIKD#May?RKGB(>wΧsdtǵԝ7U!O9&7ԛD[Dm H& {}a'FVTTR0YZ e_KWnM_Cd{4"m?M*j UaOEmoXWZWDR-EFEؗ9䇎aACBgo ӣ* ASS&ϗѥftK啃XYd\<`U}g`ZtUȎZ u>yPi<9%E]vt3Sz&~k7n'؛LkxFZIVlH=6r'mWQJs9m O!N݁wVg«~/]TٱK@*ؠgGi&ڌ燺I.~25N% 14ϩH|Ay,wxsN #rTCC779<}ĥqQUug *9δhrPi6Flrγi,W삆Hc% TⱼwXnp{;]ϣGd.^>W0Ѳۅ:(V;A=Rڹ1hS%݋`.v鈲caȅUсrr&d^Y$L hr!92&q/qN52/e w#<-/7hx b}%? t( rF.߭ Vp[f7Aa5w]GN@O(;w"P";enԸc'Ga[c .*$U¢+a8 ɓgerQ2wT55?,ÿi3̐7x102T›;Be蓖ص LCU)PJBpM@5|^eb܌,=Eci-6UP#w--hГBfXEu`tWP,& ($_°Oczll-S6 }^';e:3nbHd  dC*s,X;ڜT Rz9y,Plxb"3їe7F!5a&/~w jgCB1=#\<ł̭Q\9;pŪ-(B 88LD7OktWOhz V_Jp<帧+I=?ʞPcw< cAT>Y"@ѱ۽ޓ?Dx o (1ΚKrTR\l gR%Y_ j`ܾw3825^?[^o -OGURV)="vz(tXZJ2I¿Z夘˪h'IgS%R`rLDyAfg0$@ƙwQ!Pu*)v)Ⱦt>GgxSsyR8baQuNVIB>jN?yI368EJuaJږ'2&jċFgZl i/x&jX"КIؿ5KO7AEIM,%U`.:ҵxԄ 1hglF4G)Zΰ?B<Տ \?ܤcNJ3m. ?fD7?4YLX@K"Ӂ):P4OBp>_WڏdL;]/D_TVO9ozc@~E'6>MI4.?^)l"gCYI.Ga;5yN>Oe'sb+=hW5H9HQnRĈ@"ڷy/qiM {&-wpX>ziϋsGn|zߌG!L2ӊxS\]TZS TBs D50{mɀXw̜1Ch1͟gS7F qj/lDA:DqаwYHm9b?H,יIJ4f0#vbJiofi)N٠!RaXdj.hԩPF!QpO?$vABsM 1:?*SO #*zXr~gRw"Z.cL+ezFѱ! L lՁxO+'T<%I.yRX580h8[rF9BBРm_(5@Y5&Fs fm/MO"0v5򫊹}Fdkɻ=@1ࠣķ/(cmQi6x6({buAL)ҵv#4,-ߨ=PoMmsa)B{2n\V8kv˝,G+NU$'YlY]#rjϘ檨 b- 59YޢL/-!3TK_Us,=!Zq=x.XveEy oeebzgiia0<_An0>_H8 N+϶x29*; EG\i[}h PϷwn1Ο8101A:a4b6ޑN(/c>S'0'}c'8d<⏬/eAaB* Oyub[K-|%1]f8.|q?SJ3-ֱuAlb_*W'TKD"2\C ` ( 3æ C E=..Wlp}%rd:C)#y]\9_cylٌ(Bpk;MV}>`;T+\VTf-y>8-u+lI[B