wpa_supplicant-gui-2.10-150500.3.3.1<>,@eܲp9|fY|/1#ْXѨu}؎6 s_^FsKt5f +챩.PlBe{F~U:wAF(y~HCm˜ؐ^>?d ' J , BNkq|      *4`hv(8*9T*: *FGHIXY\ ](^=b]cdefluvwxyz8HLRCwpa_supplicant-gui2.10150500.3.3.1WPA supplicant graphical front-endThis package contains a graphical front-end to wpa_supplicant, an implementation of the WPA Supplicant component.eܲh04-armsrv2 SUSE Linux Enterprise 15SUSE LLC BSD-3-Clause AND GPL-2.0-or-laterhttps://www.suse.com/Unspecifiedhttps://w1.fi/wpa_supplicantlinuxaarch64 큤eܲeܲ2d08b3e426c99d3a0ebf007ce7a88ba3c45fb493b459e24b2e5989411b461b1cd57783ead2cca37539bf8b5c4a81b8105c2970de177652fe1a027433593467aarootrootrootrootwpa_supplicant-2.10-150500.3.3.1.src.rpmwpa_supplicant-guiwpa_supplicant-gui(aarch-64)@@@@@@@@@@@@@@@@@@    ld-linux-aarch64.so.1()(64bit)ld-linux-aarch64.so.1(GLIBC_2.17)(64bit)libQt5Core.so.5()(64bit)libQt5Core.so.5(Qt_5)(64bit)libQt5Gui.so.5()(64bit)libQt5Gui.so.5(Qt_5)(64bit)libQt5Widgets.so.5()(64bit)libQt5Widgets.so.5(Qt_5)(64bit)libc.so.6()(64bit)libc.so.6(GLIBC_2.17)(64bit)libgcc_s.so.1()(64bit)libgcc_s.so.1(GCC_3.0)(64bit)libpthread.so.0()(64bit)libpthread.so.0(GLIBC_2.17)(64bit)libstdc++.so.6()(64bit)libstdc++.so.6(CXXABI_1.3)(64bit)libstdc++.so.6(CXXABI_1.3.9)(64bit)libstdc++.so.6(GLIBCXX_3.4)(64bit)rpmlib(CompressedFileNames)rpmlib(FileDigests)rpmlib(PayloadFilesHavePrefix)rpmlib(PayloadIsXz)wpa_supplicant3.0.4-14.6.0-14.0-15.2-14.14.3e}@c@b@b@`lM@`?z@`:4@`_|\@_i@_i@^@^@^|@^|@^Y]]>[<@[[ā@[[;@[@[QY@X@X]W@VU@VŲ@V`V=@UKSUCjU8U'@U/@TBV@cfamullaconrad@suse.comcfamullaconrad@suse.comcfamullaconrad@suse.comcfamullaconrad@suse.comcfamullaconrad@suse.comcfamullaconrad@suse.comcfamullaconrad@suse.comcfamullaconrad@suse.comsp1ritCS@protonmail.comcfamullaconrad@suse.comsongchuan.kang@suse.comcfamullaconrad@suse.combwiedemann@suse.comcfamullaconrad@suse.comilya@ilya.pp.uatchvatal@suse.comtchvatal@suse.comilya@ilya.pp.uailya@ilya.pp.uakbabioch@suse.comro@suse.dekbabioch@suse.comkbabioch@suse.comkbabioch@suse.comro@suse.demeissner@suse.comobs@botter.ccdwaas@suse.commeissner@suse.comtchvatal@suse.comlnussel@suse.decrrodriguez@opensuse.orgcrrodriguez@opensuse.orgcrrodriguez@opensuse.orglnussel@suse.demichael@stroeder.comro@suse.dezaitor@opensuse.orgcrrodriguez@opensuse.orgstefan.bruens@rwth-aachen.destefan.bruens@rwth-aachen.destefan.bruens@rwth-aachen.de- Add CVE-2023-52160.patch - Bypassing WiFi Authentication (bsc#1219975) - Change ctrl_interface from /var/run to %_rundir (/run)- update to 2.10.0: jsc#PED-2904 * SAE changes - improved protection against side channel attacks [https://w1.fi/security/2022-1/] - added support for the hash-to-element mechanism (sae_pwe=1 or sae_pwe=2); this is currently disabled by default, but will likely get enabled by default in the future - fixed PMKSA caching with OKC - added support for SAE-PK * EAP-pwd changes - improved protection against side channel attacks [https://w1.fi/security/2022-1/] * fixed P2P provision discovery processing of a specially constructed invalid frame [https://w1.fi/security/2021-1/] * fixed P2P group information processing of a specially constructed invalid frame [https://w1.fi/security/2020-2/] * fixed PMF disconnection protection bypass in AP mode [https://w1.fi/security/2019-7/] * added support for using OpenSSL 3.0 * increased the maximum number of EAP message exchanges (mainly to support cases with very large certificates) * fixed various issues in experimental support for EAP-TEAP peer * added support for DPP release 2 (Wi-Fi Device Provisioning Protocol) * a number of MKA/MACsec fixes and extensions * added support for SAE (WPA3-Personal) AP mode configuration * added P2P support for EDMG (IEEE 802.11ay) channels * fixed EAP-FAST peer with TLS GCM/CCM ciphers * improved throughput estimation and BSS selection * dropped support for libnl 1.1 * added support for nl80211 control port for EAPOL frame TX/RX * fixed OWE key derivation with groups 20 and 21; this breaks backwards compatibility for these groups while the default group 19 remains backwards compatible * added support for Beacon protection * added support for Extended Key ID for pairwise keys * removed WEP support from the default build (CONFIG_WEP=y can be used to enable it, if really needed) * added a build option to remove TKIP support (CONFIG_NO_TKIP=y) * added support for Transition Disable mechanism to allow the AP to automatically disable transition mode to improve security * extended D-Bus interface * added support for PASN * added a file-based backend for external password storage to allow secret information to be moved away from the main configuration file without requiring external tools * added EAP-TLS peer support for TLS 1.3 (disabled by default for now) * added support for SCS, MSCS, DSCP policy * changed driver interface selection to default to automatic fallback to other compiled in options * a large number of other fixes, cleanup, and extensions - drop wpa_supplicant-p2p_iname_size.diff, CVE-2021-30004.patch, CVE-2021-27803.patch, CVE-2021-0326.patch, CVE-2019-16275.patch, CVE-2022-23303_0001.patch, CVE-2022-23303_0002.patch, CVE-2022-23303_0003.patch, CVE-2022-23303_0004.patch: upstream - drop restore-old-dbus-interface.patch, wicked has been switching to the new dbus interface in version 0.6.66 - config: * re-enable CONFIG_WEP * enable QCA vendor extensions to nl80211 * enable support for Automatic Channel Selection * enable OCV, security feature that prevents MITM multi-channel attacks * enable QCA vendor extensions to nl80211 * enable EAP-EKE * Support HT overrides * TLS v1.1 and TLS v1.2 * Fast Session Transfer (FST) * Automatic Channel Selection * Multi Band Operation * Fast Initial Link Setup * Mesh Networking (IEEE 802.11s) - Add dbus-Fix-property-DebugShowKeys-and-DebugTimestamp.patch (bsc#1201219) - Move the dbus-1 system.d file to /usr (bsc#1200342) - Added hardening to systemd service(s) (bsc#1181400). Modified: * wpa_supplicant.service - drop wpa_supplicant-getrandom.patch : glibc has been updated so the getrandom() wrapper is now there - Sync wpa_supplicant.spec with Factory- Enable WPA3-Enterprise (SuiteB-192) support.- Add CVE-2022-23303_0001.patch, CVE-2022-23303_0002.patch, CVE-2022-23303_0003.patch, CVE-2022-23303_0004.patch SAE/EAP-pwd side-channel attack update 2 (CVE-2022-23303, CVE-2022-23304, bsc#1194732, bsc#1194733)- Add CVE-2021-30004.patch -- forging attacks may occur because AlgorithmIdentifier parameters are mishandled in tls/pkcs1.c and tls/x509v3.c (bsc#1184348)- Fix systemd device ready dependencies in wpa_supplicant@.service file. (see: https://forums.opensuse.org/showthread.php/547186-wpa_supplicant-service-fails-on-boot-succeeds-on-restart?p=2982844#post2982844)- Add CVE-2021-27803.patch -- P2P provision discovery processing vulnerability (bsc#1182805)- Add CVE-2021-0326.patch -- P2P group information processing vulnerability (bsc#1181777)- Add wpa_supplicant-p2p_iname_size.diff -- Limit P2P_DEVICE name to appropriate ifname size (https://patchwork.ozlabs.org/project/hostap/patch/20200825062902.124600-1-benjamin@sipsolutions.net/)- Fix spec file for SLE12, use make %{?_smp_mflags} instead of %make_build- Enable SAE support(jsc#SLE-14992).- Add CVE-2019-16275.patch -- AP mode PMF disconnection protection bypass (bsc#1150934)- Add restore-old-dbus-interface.patch to fix wicked wlan (boo#1156920) - Restore fi.epitest.hostap.WPASupplicant.service (bsc#1167331)- With v2.9 fi.epitest.hostap.WPASupplicant.service is obsolete (bsc#1167331)- Change wpa_supplicant.service to ensure wpa_supplicant gets started before network. Fix WLAN config on boot with wicked. (boo#1166933)- Adjust the service to start after network.target wrt bsc#1165266- Update to 2.9 release: * SAE changes - disable use of groups using Brainpool curves - improved protection against side channel attacks [https://w1.fi/security/2019-6/] * EAP-pwd changes - disable use of groups using Brainpool curves - allow the set of groups to be configured (eap_pwd_groups) - improved protection against side channel attacks [https://w1.fi/security/2019-6/] * fixed FT-EAP initial mobility domain association using PMKSA caching (disabled by default for backwards compatibility; can be enabled with ft_eap_pmksa_caching=1) * fixed a regression in OpenSSL 1.1+ engine loading * added validation of RSNE in (Re)Association Response frames * fixed DPP bootstrapping URI parser of channel list * extended EAP-SIM/AKA fast re-authentication to allow use with FILS * extended ca_cert_blob to support PEM format * improved robustness of P2P Action frame scheduling * added support for EAP-SIM/AKA using anonymous@realm identity * fixed Hotspot 2.0 credential selection based on roaming consortium to ignore credentials without a specific EAP method * added experimental support for EAP-TEAP peer (RFC 7170) * added experimental support for EAP-TLS peer with TLS v1.3 * fixed a regression in WMM parameter configuration for a TDLS peer * fixed a regression in operation with drivers that offload 802.1X 4-way handshake * fixed an ECDH operation corner case with OpenSSL * SAE changes - added support for SAE Password Identifier - changed default configuration to enable only groups 19, 20, 21 (i.e., disable groups 25 and 26) and disable all unsuitable groups completely based on REVmd changes - do not regenerate PWE unnecessarily when the AP uses the anti-clogging token mechanisms - fixed some association cases where both SAE and FT-SAE were enabled on both the station and the selected AP - started to prefer FT-SAE over SAE AKM if both are enabled - started to prefer FT-SAE over FT-PSK if both are enabled - fixed FT-SAE when SAE PMKSA caching is used - reject use of unsuitable groups based on new implementation guidance in REVmd (allow only FFC groups with prime >= 3072 bits and ECC groups with prime >= 256) - minimize timing and memory use differences in PWE derivation [https://w1.fi/security/2019-1/] (CVE-2019-9494, bsc#1131868) * EAP-pwd changes - minimize timing and memory use differences in PWE derivation [https://w1.fi/security/2019-2/] (CVE-2019-9495, bsc#1131870) - verify server scalar/element [https://w1.fi/security/2019-4/] (CVE-2019-9497, CVE-2019-9498, CVE-2019-9499, bsc#1131874, bsc#1131872, bsc#1131871, bsc#1131644) - fix message reassembly issue with unexpected fragment [https://w1.fi/security/2019-5/] (CVE-2019-11555, bsc#1133640) - enforce rand,mask generation rules more strictly - fix a memory leak in PWE derivation - disallow ECC groups with a prime under 256 bits (groups 25, 26, and 27) - SAE/EAP-pwd side-channel attack update [https://w1.fi/security/2019-6/] (CVE-2019-13377, bsc#1144443) * fixed CONFIG_IEEE80211R=y (FT) build without CONFIG_FILS=y * Hotspot 2.0 changes - do not indicate release number that is higher than the one AP supports - added support for release number 3 - enable PMF automatically for network profiles created from credentials * fixed OWE network profile saving * fixed DPP network profile saving * added support for RSN operating channel validation (CONFIG_OCV=y and network profile parameter ocv=1) * added Multi-AP backhaul STA support * fixed build with LibreSSL * number of MKA/MACsec fixes and extensions * extended domain_match and domain_suffix_match to allow list of values * fixed dNSName matching in domain_match and domain_suffix_match when using wolfSSL * started to prefer FT-EAP-SHA384 over WPA-EAP-SUITE-B-192 AKM if both are enabled * extended nl80211 Connect and external authentication to support SAE, FT-SAE, FT-EAP-SHA384 * fixed KEK2 derivation for FILS+FT * extended client_cert file to allow loading of a chain of PEM encoded certificates * extended beacon reporting functionality * extended D-Bus interface with number of new properties * fixed a regression in FT-over-DS with mac80211-based drivers * OpenSSL: allow systemwide policies to be overridden * extended driver flags indication for separate 802.1X and PSK 4-way handshake offload capability * added support for random P2P Device/Interface Address use * extended PEAP to derive EMSK to enable use with ERP/FILS * extended WPS to allow SAE configuration to be added automatically for PSK (wps_cred_add_sae=1) * removed support for the old D-Bus interface (CONFIG_CTRL_IFACE_DBUS) * extended domain_match and domain_suffix_match to allow list of values * added a RSN workaround for misbehaving PMF APs that advertise IGTK/BIP KeyID using incorrect byte order * fixed PTK rekeying with FILS and FT * fixed WPA packet number reuse with replayed messages and key reinstallation [https://w1.fi/security/2017-1/] (CVE-2017-13077, CVE-2017-13078, CVE-2017-13079, CVE-2017-13080, CVE-2017-13081, CVE-2017-13082, CVE-2017-13086, CVE-2017-13087, CVE-2017-13088) * fixed unauthenticated EAPOL-Key decryption in wpa_supplicant [https://w1.fi/security/2018-1/] (CVE-2018-14526) * added support for FILS (IEEE 802.11ai) shared key authentication * added support for OWE (Opportunistic Wireless Encryption, RFC 8110; and transition mode defined by WFA) * added support for DPP (Wi-Fi Device Provisioning Protocol) * added support for RSA 3k key case with Suite B 192-bit level * fixed Suite B PMKSA caching not to update PMKID during each 4-way handshake * fixed EAP-pwd pre-processing with PasswordHashHash * added EAP-pwd client support for salted passwords * fixed a regression in TDLS prohibited bit validation * started to use estimated throughput to avoid undesired signal strength based roaming decision * MACsec/MKA: - new macsec_linux driver interface support for the Linux kernel macsec module - number of fixes and extensions * added support for external persistent storage of PMKSA cache (PMKSA_GET/PMKSA_ADD control interface commands; and MESH_PMKSA_GET/MESH_PMKSA_SET for the mesh case) * fixed mesh channel configuration pri/sec switch case * added support for beacon report * large number of other fixes, cleanup, and extensions * added support for randomizing local address for GAS queries (gas_rand_mac_addr parameter) * fixed EAP-SIM/AKA/AKA' ext auth cases within TLS tunnel * added option for using random WPS UUID (auto_uuid=1) * added SHA256-hash support for OCSP certificate matching * fixed EAP-AKA' to add AT_KDF into Synchronization-Failure * fixed a regression in RSN pre-authentication candidate selection * added option to configure allowed group management cipher suites (group_mgmt network profile parameter) * removed all PeerKey functionality * fixed nl80211 AP and mesh mode configuration regression with Linux 4.15 and newer * added ap_isolate configuration option for AP mode * added support for nl80211 to offload 4-way handshake into the driver * added support for using wolfSSL cryptographic library * SAE - added support for configuring SAE password separately of the WPA2 PSK/passphrase - fixed PTK and EAPOL-Key integrity and key-wrap algorithm selection for SAE; note: this is not backwards compatible, i.e., both the AP and station side implementations will need to be update at the same time to maintain interoperability - added support for Password Identifier - fixed FT-SAE PMKID matching * Hotspot 2.0 - added support for fetching of Operator Icon Metadata ANQP-element - added support for Roaming Consortium Selection element - added support for Terms and Conditions - added support for OSEN connection in a shared RSN BSS - added support for fetching Venue URL information * added support for using OpenSSL 1.1.1 * FT - disabled PMKSA caching with FT since it is not fully functional - added support for SHA384 based AKM - added support for BIP ciphers BIP-CMAC-256, BIP-GMAC-128, BIP-GMAC-256 in addition to previously supported BIP-CMAC-128 - fixed additional IE inclusion in Reassociation Request frame when using FT protocol - Drop merged patches: * rebased-v2.6-0001-hostapd-Avoid-key-reinstallation-in-FT-handshake.patch * rebased-v2.6-0002-Prevent-reinstallation-of-an-already-in-use-group-ke.patch * rebased-v2.6-0003-Extend-protection-of-GTK-IGTK-reinstallation-of-WNM-.patch * rebased-v2.6-0004-Prevent-installation-of-an-all-zero-TK.patch * rebased-v2.6-0005-Fix-PTK-rekeying-to-generate-a-new-ANonce.patch * rebased-v2.6-0006-TDLS-Reject-TPK-TK-reconfiguration.patch * rebased-v2.6-0007-WNM-Ignore-WNM-Sleep-Mode-Response-without-pending-r.patch * rebased-v2.6-0008-FT-Do-not-allow-multiple-Reassociation-Response-fram.patch * rebased-v2.6-0009-WPA-Ignore-unauthenticated-encrypted-EAPOL-Key-data.patch * wpa_supplicant-bnc-1099835-fix-private-key-password.patch * wpa_supplicant-bnc-1099835-clear-default_passwd_cb.patch * wpa_supplicant-log-file-permission.patch * wpa_supplicant-log-file-cloexec.patch * wpa_supplicant-git-fa67debf4c6ddbc881a212b175faa6d5d0d90c8c.patch * wpa_supplicant-git-f5b74b966c942feb95a8ddbb7d130540b15b796d.patch - Rebase patches: * wpa_supplicant-getrandom.patch- Refresh spec-file via spec-cleaner and manual optimizations. * Change URL and Source0 to actual project homepage. * Remove macro %{?systemd_requires} and rm (not needed). * Add %autopatch macro. * Add %make_build macro. - Chenged patch wpa_supplicant-flush-debug-output.patch (to -p1). - Changed service-files for start after network (systemd-networkd).- Refresh spec-file: add %license tag.- Renamed patches: - wpa-supplicant-log-file-permission.patch -> wpa_supplicant-log-file-permission.patch - wpa-supplicant-log-file-cloexec.patch -> wpa_supplicant-log-file-cloexec.patch - wpa_supplicant-log-file-permission.patch: Using O_WRONLY flag - Enabled timestamps in log files (bsc#1080798)- compile eapol_test binary to allow testing via radius proxy and server (note: this does not match CONFIG_EAPOL_TEST which sets -Werror and activates an assert call inside the code of wpa_supplicant) (bsc#1111873), (fate#326725) - add patch to fix wrong operator precedence in ieee802_11.c wpa_supplicant-git-fa67debf4c6ddbc881a212b175faa6d5d0d90c8c.patch - add patch to avoid redefinition of __bitwise macro wpa_supplicant-git-f5b74b966c942feb95a8ddbb7d130540b15b796d.patch- Added wpa-supplicant-log-file-permission.patch: Fixes the default file permissions of the debug log file to more sane values, i.e. it is no longer world-readable (bsc#1098854). - Added wpa-supplicant-log-file-cloexec.patch: Open the debug log file with O_CLOEXEC, which will prevent file descriptor leaking to child processes (bsc#1098854).- Added rebased-v2.6-0009-WPA-Ignore-unauthenticated-encrypted-EAPOL-Key-data.patch: Ignore unauthenticated encrypted EAPOL-Key data (CVE-2018-14526, bsc#1104205).- Enabled PWD as EAP method. This allows for password-based authentication, which is easier to setup than most of the other methods, and is used by the Eduroam network (bsc#1109209).- add two patches from upstream to fix reading private key passwords from the configuration file (bsc#1099835) - add patch for git 89971d8b1e328a2f79699c953625d1671fd40384 wpa_supplicant-bnc-1099835-clear-default_passwd_cb.patch - add patch for git f665c93e1d28fbab3d9127a8c3985cc32940824f wpa_supplicant-bnc-1099835-fix-private-key-password.patch- Fix KRACK attacks (bsc#1056061, CVE-2017-13078, CVE-2017-13079, CVE-2017-13080, CVE-2017-13081, CVE-2017-13087, CVE-2017-13088): - rebased-v2.6-0001-hostapd-Avoid-key-reinstallation-in-FT-handshake.patch - rebased-v2.6-0002-Prevent-reinstallation-of-an-already-in-use-group-ke.patch - rebased-v2.6-0003-Extend-protection-of-GTK-IGTK-reinstallation-of-WNM-.patch - rebased-v2.6-0004-Prevent-installation-of-an-all-zero-TK.patch - rebased-v2.6-0005-Fix-PTK-rekeying-to-generate-a-new-ANonce.patch - rebased-v2.6-0006-TDLS-Reject-TPK-TK-reconfiguration.patch - rebased-v2.6-0007-WNM-Ignore-WNM-Sleep-Mode-Response-without-pending-r.patch - rebased-v2.6-0008-FT-Do-not-allow-multiple-Reassociation-Response-fram.patch- fix wpa_supplicant-sigusr1-changes-debuglevel.patch to match eloop_signal_handler type (needed to build eapol_test via config)- Added .service files that accept interfaces as %i arguments so it's possible to call the daemon with: "systemctl start wpa_supplicant@$INTERFACE_NAME.service" (like openvpn for example)- updated to 2.6 / 2016-10-02 * fixed WNM Sleep Mode processing when PMF is not enabled [http://w1.fi/security/2015-6/] (CVE-2015-5310 bsc#952254) * fixed EAP-pwd last fragment validation [http://w1.fi/security/2015-7/] (CVE-2015-5315 bsc#953115) * fixed EAP-pwd unexpected Confirm message processing [http://w1.fi/security/2015-8/] (CVE-2015-5316 bsc#953115) * fixed WPS configuration update vulnerability with malformed passphrase [http://w1.fi/security/2016-1/] (CVE-2016-4476 bsc#978172) * fixed configuration update vulnerability with malformed parameters set over the local control interface [http://w1.fi/security/2016-1/] (CVE-2016-4477 bsc#978175) * fixed TK configuration to the driver in EAPOL-Key 3/4 retry case * extended channel switch support for P2P GO * started to throttle control interface event message bursts to avoid issues with monitor sockets running out of buffer space * mesh mode fixes/improvements - generate proper AID for peer - enable WMM by default - add VHT support - fix PMKID derivation - improve robustness on various exchanges - fix peer link counting in reconnect case - improve mesh joining behavior - allow DTIM period to be configured - allow HT to be disabled (disable_ht=1) - add MESH_PEER_ADD and MESH_PEER_REMOVE commands - add support for PMKSA caching - add minimal support for SAE group negotiation - allow pairwise/group cipher to be configured in the network profile - use ieee80211w profile parameter to enable/disable PMF and derive a separate TX IGTK if PMF is enabled instead of using MGTK incorrectly - fix AEK and MTK derivation - remove GTKdata and IGTKdata from Mesh Peering Confirm/Close - note: these changes are not fully backwards compatible for secure (RSN) mesh network * fixed PMKID derivation with SAE * added support for requesting and fetching arbitrary ANQP-elements without internal support in wpa_supplicant for the specific element (anqp[265]= in "BSS " command output) * P2P - filter control characters in group client device names to be consistent with other P2P peer cases - support VHT 80+80 MHz and 160 MHz - indicate group completion in P2P Client role after data association instead of already after the WPS provisioning step - improve group-join operation to use SSID, if known, to filter BSS entries - added optional ssid= argument to P2P_CONNECT for join case - added P2P_GROUP_MEMBER command to fetch client interface address * P2PS - fix follow-on PD Response behavior - fix PD Response generation for unknown peer - fix persistent group reporting - add channel policy to PD Request - add group SSID to the P2PS-PROV-DONE event - allow "P2P_CONNECT p2ps" to be used without specifying the default PIN * BoringSSL - support for OCSP stapling - support building of h20-osu-client * D-Bus - add ExpectDisconnect() - add global config parameters as properties - add SaveConfig() - add VendorElemAdd(), VendorElemGet(), VendorElemRem() * fixed Suite B 192-bit AKM to use proper PMK length (note: this makes old releases incompatible with the fixed behavior) * improved PMF behavior for cases where the AP and STA has different configuration by not trying to connect in some corner cases where the connection cannot succeed * added option to reopen debug log (e.g., to rotate the file) upon receipt of SIGHUP signal * EAP-pwd: added support for Brainpool Elliptic Curves (with OpenSSL 1.0.2 and newer) * fixed EAPOL reauthentication after FT protocol run * fixed FTIE generation for 4-way handshake after FT protocol run * extended INTERFACE_ADD command to allow certain type (sta/ap) interface to be created * fixed and improved various FST operations * added 80+80 MHz and 160 MHz VHT support for IBSS/mesh * fixed SIGNAL_POLL in IBSS and mesh cases * added an option to abort an ongoing scan (used to speed up connection and can also be done with the new ABORT_SCAN command) * TLS client - do not verify CA certificates when ca_cert is not specified - support validating server certificate hash - support SHA384 and SHA512 hashes - add signature_algorithms extension into ClientHello - support TLS v1.2 signature algorithm with SHA384 and SHA512 - support server certificate probing - allow specific TLS versions to be disabled with phase2 parameter - support extKeyUsage - support PKCS #5 v2.0 PBES2 - support PKCS #5 with PKCS #12 style key decryption - minimal support for PKCS #12 - support OCSP stapling (including ocsp_multi) * OpenSSL - support OpenSSL 1.1 API changes - drop support for OpenSSL 0.9.8 - drop support for OpenSSL 1.0.0 * added support for multiple schedule scan plans (sched_scan_plans) * added support for external server certificate chain validation (tls_ext_cert_check=1 in the network profile phase1 parameter) * made phase2 parser more strict about correct use of auth= and autheap= values * improved GAS offchannel operations with comeback request * added SIGNAL_MONITOR command to request signal strength monitoring events * added command for retrieving HS 2.0 icons with in-memory storage (REQ_HS20_ICON, GET_HS20_ICON, DEL_HS20_ICON commands and RX-HS20-ICON event) * enabled ACS support for AP mode operations with wpa_supplicant * EAP-PEAP: fixed interoperability issue with Windows 2012r2 server ("Invalid Compound_MAC in cryptobinding TLV") * EAP-TTLS: fixed success after fragmented final Phase 2 message * VHT: added interoperability workaround for 80+80 and 160 MHz channels * WNM: workaround for broken AP operating class behavior * added kqueue(2) support for eloop (CONFIG_ELOOP_KQUEUE) * nl80211: - add support for full station state operations - do not add NL80211_ATTR_SMPS_MODE attribute if HT is disabled - add NL80211_ATTR_PREV_BSSID with Connect command - fix IEEE 802.1X/WEP EAP reauthentication and rekeying to use unencrypted EAPOL frames * added initial MBO support; number of extensions to WNM BSS Transition Management * added support for PBSS/PCP and P2P on 60 GHz * Interworking: add credential realm to EAP-TLS identity * fixed EAPOL-Key Request Secure bit to be 1 if PTK is set * HS 2.0: add support for configuring frame filters * added POLL_STA command to check connectivity in AP mode * added initial functionality for location related operations * started to ignore pmf=1/2 parameter for non-RSN networks * added wps_disabled=1 network profile parameter to allow AP mode to be started without enabling WPS * wpa_cli: added action script support for AP-ENABLED and AP-DISABLED events * improved Public Action frame addressing - add gas_address3 configuration parameter to control Address 3 behavior * number of small fixes - wpa_supplicant-dump-certificate-as-PEM-in-debug-mode.diff: dump x509 certificates from remote radius server in debug mode in WPA-EAP.- Remove support for <12.3 as we are unresolvable there anyway - Use qt5 on 13.2 if someone pulls this package in - Convert to pkgconfig dependencies over the devel pkgs - Use the %qmake5 macro to build the qt5 gui- add After=dbus.service to prevent too early shutdown (bnc#963652)- Revert CONFIG_ELOOP_EPOLL=y, it is broken in combination with CONFIG_DBUS=yes.- spec: Compile the GUI against QT5 in 13.2 and later.- Previous update did not include version 2.5 tarball or changed the version number in spec, only the changelog and removed patches. - config: set CONFIG_NO_RANDOM_POOL=y, we have a reliable· random number generator by using /dev/urandom, no need to keep an internal random number pool which draws entropy from /dev/random. - config: prefer using epoll(7) instead of select(2) by setting CONFIG_ELOOP_EPOLL=y - wpa_supplicant-getrandom.patch: Prefer to use the getrandom(2) system call to collect entropy. if it is not present disable buffering when reading /dev/urandom, otherwise each os_get_random() call will request BUFSIZ of entropy instead of the few needed bytes.- add aliases for both provided dbus names to avoid systemd stopping the service when switching runlevels (boo#966535)- removed obsolete security patches: * 0001-P2P-Validate-SSID-element-length-before-copying-it-C.patch * 0001-WPS-Fix-HTTP-chunked-transfer-encoding-parser.patch * 0001-AP-WMM-Fix-integer-underflow-in-WMM-Action-frame-par.patch * 0001-EAP-pwd-peer-Fix-payload-length-validation-for-Commi.patch * wpa_s-D-Bus-Fix-operations-when-P2P-management-interface-is-used.patch * 0002-EAP-pwd-server-Fix-payload-length-validation-for-Com.patch * 0003-EAP-pwd-peer-Fix-Total-Length-parsing-for-fragment-r.patch * 0004-EAP-pwd-server-Fix-Total-Length-parsing-for-fragment.patch * 0005-EAP-pwd-peer-Fix-asymmetric-fragmentation-behavior.patch - Update to upstream release 2.5 * fixed P2P validation of SSID element length before copying it [http://w1.fi/security/2015-1/] (CVE-2015-1863) * fixed WPS UPnP vulnerability with HTTP chunked transfer encoding [http://w1.fi/security/2015-2/] (CVE-2015-4141) * fixed WMM Action frame parser (AP mode) [http://w1.fi/security/2015-3/] (CVE-2015-4142) * fixed EAP-pwd peer missing payload length validation [http://w1.fi/security/2015-4/] (CVE-2015-4143, CVE-2015-4144, CVE-2015-4145, CVE-2015-4146) * fixed validation of WPS and P2P NFC NDEF record payload length [http://w1.fi/security/2015-5/] (CVE-2015-8041) * nl80211: - added VHT configuration for IBSS - fixed vendor command handling to check OUI properly - allow driver-based roaming to change ESS * added AVG_BEACON_RSSI to SIGNAL_POLL output * wpa_cli: added tab completion for number of commands * removed unmaintained and not yet completed SChannel/CryptoAPI support * modified Extended Capabilities element use in Probe Request frames to include all cases if any of the values are non-zero * added support for dynamically creating/removing a virtual interface with interface_add/interface_remove * added support for hashed password (NtHash) in EAP-pwd peer * added support for memory-only PSK/passphrase (mem_only_psk=1 and CTRL-REQ/RSP-PSK_PASSPHRASE) * P2P - optimize scan frequencies list when re-joining a persistent group - fixed number of sequences with nl80211 P2P Device interface - added operating class 125 for P2P use cases (this allows 5 GHz channels 161 and 169 to be used if they are enabled in the current regulatory domain) - number of fixes to P2PS functionality - do not allow 40 MHz co-ex PRI/SEC switch to force MCC - extended support for preferred channel listing * D-Bus: - fixed WPS property of fi.w1.wpa_supplicant1.BSS interface - fixed PresenceRequest to use group interface - added new signals: FindStopped, WPS pbc-overlap, GroupFormationFailure, WPS timeout, InvitationReceived - added new methods: WPS Cancel, P2P Cancel, Reconnect, RemoveClient - added manufacturer info * added EAP-EKE peer support for deriving Session-Id * added wps_priority configuration parameter to set the default priority for all network profiles added by WPS * added support to request a scan with specific SSIDs with the SCAN command (optional "ssid " arguments) * removed support for WEP40/WEP104 as a group cipher with WPA/WPA2 * fixed SAE group selection in an error case * modified SAE routines to be more robust and PWE generation to be stronger against timing attacks * added support for Brainpool Elliptic Curves with SAE * added support for CCMP-256 and GCMP-256 as group ciphers with FT * fixed BSS selection based on estimated throughput * added option to disable TLSv1.0 with OpenSSL (phase1="tls_disable_tlsv1_0=1") * added Fast Session Transfer (FST) module * fixed OpenSSL PKCS#12 extra certificate handling * fixed key derivation for Suite B 192-bit AKM (this breaks compatibility with the earlier version) * added RSN IE to Mesh Peering Open/Confirm frames * number of small fixes- added patch for bnc#930077 CVE-2015-4141 0001-AP-WMM-Fix-integer-underflow-in-WMM-Action-frame-par.patch - added patch for bnc#930078 CVE-2015-4142 0001-WPS-Fix-HTTP-chunked-transfer-encoding-parser.patch - added patches for bnc#930079 CVE-2015-4143 0001-EAP-pwd-peer-Fix-payload-length-validation-for-Commi.patch 0002-EAP-pwd-server-Fix-payload-length-validation-for-Com.patch 0003-EAP-pwd-peer-Fix-Total-Length-parsing-for-fragment-r.patch 0004-EAP-pwd-server-Fix-Total-Length-parsing-for-fragment.patch 0005-EAP-pwd-peer-Fix-asymmetric-fragmentation-behavior.patch- Add wpa_s-D-Bus-Fix-operations-when-P2P-management-interface-is-used.patch Fix Segmentation fault in wpa_supplicant. Patch taken from upstream master git (arch#44740).- 0001-P2P-Validate-SSID-element-length-before-copying-it-C.patch Fix CVE-2015-1863, memcpy overflow. - wpa_supplicant-alloc_size.patch: annotate two wrappers with attribute alloc_size, which may help warning us of bugs such as the above.- Delete wpa_priv and eapol_test man pages, these are disabled in config - Move wpa_gui man page to gui package- Update to 2.4 * allow OpenSSL cipher configuration to be set for internal EAP server (openssl_ciphers parameter) * fixed number of small issues based on hwsim test case failures and static analyzer reports * P2P: - add new=<0/1> flag to P2P-DEVICE-FOUND events - add passive channels in invitation response from P2P Client - enable nl80211 P2P_DEVICE support by default - fix regresssion in disallow_freq preventing search on social channels - fix regressions in P2P SD query processing - try to re-invite with social operating channel if no common channels in invitation - allow cross connection on parent interface (this fixes number of use cases with nl80211) - add support for P2P services (P2PS) - add p2p_go_ctwindow configuration parameter to allow GO CTWindow to be configured * increase postponing of EAPOL-Start by one second with AP/GO that supports WPS 2.0 (this makes it less likely to trigger extra roundtrip of identity frames) * add support for PMKSA caching with SAE * add support for control mesh BSS (IEEE 802.11s) operations * fixed number of issues with D-Bus P2P commands * fixed regression in ap_scan=2 special case for WPS * fixed macsec_validate configuration * add a workaround for incorrectly behaving APs that try to use EAPOL-Key descriptor version 3 when the station supports PMF even if PMF is not enabled on the AP * allow TLS v1.1 and v1.2 to be negotiated by default; previous behavior of disabling these can be configured to work around issues with broken servers with phase1="tls_disable_tlsv1_1=1 tls_disable_tlsv1_2=1" * add support for Suite B (128-bit and 192-bit level) key management and cipher suites * add WMM-AC support (WMM_AC_ADDTS/WMM_AC_DELTS) * improved BSS Transition Management processing * add support for neighbor report * add support for link measurement * fixed expiration of BSS entry with all-zeros BSSID * add optional LAST_ID=x argument to LIST_NETWORK to allow all configured networks to be listed even with huge number of network profiles * add support for EAP Re-Authentication Protocol (ERP) * fixed EAP-IKEv2 fragmentation reassembly * improved PKCS#11 configuration for OpenSSL * set stdout to be line-buffered * add TDLS channel switch configuration * add support for MAC address randomization in scans with nl80211 * enable HT for IBSS if supported by the driver * add BSSID black and white lists (bssid_blacklist, bssid_whitelist) * add support for domain_suffix_match with GnuTLS * add OCSP stapling client support with GnuTLS * include peer certificate in EAP events even without a separate probe operation; old behavior can be restored with cert_in_cb=0 * add peer ceritficate alt subject name to EAP events (CTRL-EVENT-EAP-PEER-ALT) * add domain_match network profile parameter (similar to domain_suffix_match, but full match is required) * enable AP/GO mode HT Tx STBC automatically based on driver support * add ANQP-QUERY-DONE event to provide information on ANQP parsing status * allow passive scanning to be forced with passive_scan=1 * add a workaround for Linux packet socket behavior when interface is in bridge * increase 5 GHz band preference in BSS selection (estimate SNR, if info not available from driver; estimate maximum throughput based on common HT/VHT/specific TX rate support) * add INTERWORKING_ADD_NETWORK ctrl_iface command; this can be used to implement Interworking network selection behavior in upper layers software components * add optional reassoc_same_bss_optim=1 (disabled by default) optimization to avoid unnecessary Authentication frame exchange * extend TDLS frame padding workaround to cover all packets * allow wpa_supplicant to recover nl80211 functionality if the cfg80211 module gets removed and reloaded without restarting wpa_supplicant * allow hostapd DFS implementation to be used in wpa_supplicant AP mode- Update to 2.3 * fixed number of minor issues identified in static analyzer warnings * fixed wfd_dev_info to be more careful and not read beyond the buffer when parsing invalid information for P2P-DEVICE-FOUND * extended P2P and GAS query operations to support drivers that have maximum remain-on-channel time below 1000 ms (500 ms is the current minimum supported value) * added p2p_search_delay parameter to make the default p2p_find delay configurable * improved P2P operating channel selection for various multi-channel concurrency cases * fixed some TDLS failure cases to clean up driver state * fixed dynamic interface addition cases with nl80211 to avoid adding ifindex values to incorrect interface to skip foreign interface events properly * added TDLS workaround for some APs that may add extra data to the end of a short frame * fixed EAP-AKA' message parser with multiple AT_KDF attributes * added configuration option (p2p_passphrase_len) to allow longer passphrases to be generated for P2P groups * fixed IBSS channel configuration in some corner cases * improved HT/VHT/QoS parameter setup for TDLS * modified D-Bus interface for P2P peers/groups * started to use constant time comparison for various password and hash values to reduce possibility of any externally measurable timing differences * extended explicit clearing of freed memory and expired keys to avoid keeping private data in memory longer than necessary * added optional scan_id parameter to the SCAN command to allow manual scan requests for active scans for specific configured SSIDs * fixed CTRL-EVENT-REGDOM-CHANGE event init parameter value * added option to set Hotspot 2.0 Rel 2 update_identifier in network configuration to support external configuration * modified Android PNO functionality to send Probe Request frames only for hidden SSIDs (based on scan_ssid=1) * added generic mechanism for adding vendor elements into frames at runtime (VENDOR_ELEM_ADD, VENDOR_ELEM_GET, VENDOR_ELEM_REMOVE) * added fields to show unrecognized vendor elements in P2P_PEER * removed EAP-TTLS/MSCHAPv2 interoperability workaround so that MS-CHAP2-Success is required to be present regardless of eap_workaround configuration * modified EAP fast session resumption to allow results to be used only with the same network block that generated them * extended freq_list configuration to apply for sched_scan as well as normal scan * modified WPS to merge mixed-WPA/WPA2 credentials from a single session * fixed nl80211/RTM_DELLINK processing when a P2P GO interface is removed from a bridge * fixed number of small P2P issues to make negotiations more robust in corner cases * added experimental support for using temporary, random local MAC address (mac_addr and preassoc_mac_addr parameters); this is disabled by default (i.e., previous behavior of using permanent address is maintained if configuration is not changed) * added D-Bus interface for setting/clearing WFD IEs * fixed TDLS AID configuration for VHT * modified -m configuration file to be used only for the P2P non-netdev management device and do not load this for the default station interface or load the station interface configuration for the P2P management interface * fixed external MAC address changes while wpa_supplicant is running * started to enable HT (if supported by the driver) for IBSS * fixed wpa_cli action script execution to use more robust mechanism (CVE-2014-3686)h04-armsrv2 17089624812.10-150500.3.3.12.10-150500.3.3.1wpa_guiwpa_gui.8.gz/usr/sbin//usr/share/man/man8/-fmessage-length=0 -grecord-gcc-switches -O2 -Wall -D_FORTIFY_SOURCE=2 -fstack-protector-strong -funwind-tables -fasynchronous-unwind-tables -fstack-clash-protection -gobs://build.suse.de/SUSE:Maintenance:32791/SUSE_SLE-15-SP5_Update/92c4c1ac4c1b5c1bddbd97dfd31e26c2-wpa_supplicant.SUSE_SLE-15-SP5_Updatedrpmxz5aarch64-suse-linuxELF 64-bit LSB shared object, ARM aarch64, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux-aarch64.so.1, BuildID[sha1]=c6564b029854e9164fdaae17b1d52d2822383e30, for GNU/Linux 3.7.0, strippedtroff or preprocessor input, ASCII text (gzip compressed data, max compression, from Unix)RR R RR RRRRRRRRR RR RRT>ʓXhb_utf-8eca5733e6d6c4ddf55119254fb9d6181fba2205de37b871c3f0737cb575d570e? 7zXZ !t/ .]"k%{m{#rD~d tGJf͚P 1?+Yl 4QO%[43spU.&]BƼJj$Z ] )jH\@aRGlDDI=J@})ogSbbf`M{Kne?I;%u+IcZN ]RDʎ5)"oTYc[b[ `* fKCһdq,-<bD]: ?`W(4//7s EL/J֪9ێW|m MyK48@3Be~pCZNMW~FS^pŲU:,&Lh8.Ŀ3ibT}9M4JU 7Iٲ[\%BGűs~NTBa'x6 4 @+G9C7X 8E~%~>~cE]O'E|ȏ3BqGA-Ś} U(3iW܇e c?Ta"pnR5>mi@ȳJ]M?Xi͒֌x~xN*>?rQ {nم"K:DKXȩ#|65AoЬG-K)dGuS]sBz|w24K(L $oT8>(:s*/)V2ecOQ@볪&:|hQzے66jҖ~KJ\o],D _ \e߿ ڬ1 1u$Ђ?: Ƴ-4t]rlx}>$vVȆqy5!yj40Z5cjEVR[!gH?kMCwsg{Wmſf<)-z]٢ь m QrG -w{!"`8S{+Nye\]~AJ_ oҥEN *c:ʵuP]^XFK 1`xRSTaEꫬeMYt1CyȄp#je_^3=1?WQZクG-4Z;'O-ex@ڗɐuф4HhKZ<đG/ӰinSVᅏ@N0 s7JN4wbėSqfO|sX>ڰkǶ%[ /eQ<%I ['Ll25vZu$sï~ 0T.z\S5$eZԈ>Xiٱb(㵊$q"klX-Giz}~lE1W2*Ìd_%AH( DWm,j`q=̯̃Y%P&C5PQQQsiaOlJ-%mMzêG\] mfEVzhM{gxU /PxJ8%6NsEJQvhMrd.}Ǘ6 rbW' uV4l V'V$1Yj}B x?rl/MH%F>gʹKӜFf(DҲIt:J0~d"c( r#s9$o 4D~q'Et~@m^ a0dJTllVD:tcЮSJ4flpVד7:0 N$t\EG&p-p=me8٠,,  A%Ik'=1t>*WҞ7?$lS/Pܹ nZ l v-B^D,X7|0tfw[s*ܟjIzm^J#yT3w=BCU!yBý=,Q3ETܭZ.wl ~ 8u ֽ 46O5MӰM2j=2tn-\*%EqTDO/>/Н]bPv`}B8$|7tK՞:v|gXX{ۦjRv Åv¾낔n xϭyۗdoe%JopXӱU qm8eC*%jdGCj: 5TRt*3M (Ȯ-!< @kp ČK]6$d{'s]0Tp;[(ldᎯ8q ?;6OTl> TnsJ ̮)g,} z:{/);_,6#fNvޚOv;ѢN/iH:ZBsWb0l>btYu-rE>8jQTe/j2p=l4%u9kV1MQ/qux;uUXGj8 ˶w~ n*{-.k>%gawldpNs+4W 1DH*~YZgVt"oA0% Er q0OM5(*q:0II [4H|C_4ybIT2UTrrܠG{7sv5O]_T^}5}q'L,FjVAľFWICIV1fU~jlpI.r*Fr8ye,ce9@jA`(L"IDʅ) 2dg2|a7V]SiW;l{[ܜy"ʨy£Lw!f.Ctߘb'$=h+Z/*ZK`g3>'N6ZHUs A@f;xz`ZkӏiOVFgh227筂 AB/QA=\ja;̜KLK6+;5Vy04Z}m˾7m0rU\ Hkx:N7yxzH'S1yr!AyJ }|l쵐Ond⦋NzN-Ég?ӝUc]=߰A!]5-&<9s|򍮌 "o4B@f_"(|̇ڼdXi/+d&DvI-OD5IحMoEAӪLt9/+lz]炗LjaA޶ͤ _ ܓGDJ'B!UV$2*Ҕ:]qcSD.1h8WDճ߿eR֤;\/A!)yhcMZl;G8 4jBsܭAI~MC=L+3Էz؉G ZWOMI\ ķ3 7DC :@nP#G*;\zݰR7',cDN|_W(D׫/=7P)Hz$ءx J5!"]v/T6 [<"-tM1 .b[|:NxI؎Q^}sf'Sͱڒ#[!&Dp'=-7U$$\:Q-wҷ;وm4Y9={3(kvSGr;A^ y3IiffJ8:-Q -IZ%{>޸tYΚֽ)FK.^$<[ܷ͆07x-X-oaV-@b":&Lv̾PBj Eս|Eq/kD蠠JyXk6;kn>:~(#'>CLArxXU CucM ʢ* -a]sc3-}qd! L!47MDKODwVG-]iW*/Xvi)髉hjO;MHQ0Ap-d:M%w&sb b5|=س95lwZDw{M(Zɘ,)"# .Hi|02x7> i)^FSG!㹻F#!f-i,.ulvB Ly;K]ʿ#7 1J $ US#g@ZDlɹ o(v6Rl$ -*S#X|g4iʣDAXf98I K $Fݚ\aS8W}ۥ6h%t;f>a>o:՗iāա( @+ΠOá B {FUbg÷P A`Z0\ l*Q]e]֫\7r-b`[P 2{`΀}ӫDҝ@Z\􎢨 -Bć86Q`ˠ_oST /FmG_ Bs]>kЩދ9M`,Ʌ{p'/[POe $up) 9͜_r#lb%xPJs"8rKd`1\{=xLι:8-#C_ *hT}$v!^W'o1vnwcXt }Vq8Gsj2;4q"Ȯ;>]~>{{GQw+"ש҆y 5|/kcP(_ϫ!5,{q9 K:RRxjNDmfHڲC4G[{jwvim";Q]32~g k?FE|a3逜Rl0,)@BЦ8cW,~SOlAJO"g4!2C N7Z;k'Dމ8\7Ug ءdg/č$3 Rf}M':HLh1wg(`i!J%6m٘!ay0.EbCG*V{菔#@Q09,<"KpmtS/> ~ YG3 R^k@V]QV? Vee>$z0k_isn%N1NNʺ M@ #g*;~xd)-< ˹Z mPZ3O69q'0xOE27 u4^ʹ9/oDgT~S 4SyqPSF˞n$g?3b-%ZWY#UT\ucܸh7Epvծ"1<2*C͚Fɢ,%_J}B%2(PS)/M+?T~m3U1 kzEq[4m=#'Sp|3.G+v)oep0" WB8y"6  "z V0`,S nB?) ?,Zb0ʞ"Kp(Y O)qd|fֽI7VN BږR6hBXn]foXZRD^5"5KdaT,W '] fu 4a{KE9$mD9=+Tpl^Yz#bx;Xw<$QhSZD6b=*sKs*'ٸa^SϨ6F6U 5ĖܘZ:-L6] TMz{mcb=2~C,2֫0dqOџ1q}o*^-$BecvRmV2G)HΕ):Zx[xB(iW+̃DFx{{FiA<&Vpxz1'Ȫku b!7z`ڞ¢Ejm,;s#ܡ mO}F|\!&L⅙&[u}i6x#T ёA!1 n0]SWr@Hc&UYu dh OԮQ~(#o?KT9P:\ 3'ʑ6pw.]ϓ=#^L勏ȭ~27DNop/h͛;Żmr#L*(2cF1iJtԷ!&(.R$tܣCヨVЋT~~ͨ72ܟr 3/}ymNmw0['.SWj ";6 ^xWx^6:켬jv 8yxYgOq\;E7"3ͲUZݢRKn-D(#IS27Py =c޶ +-ݘbiGzeb$TrK[:S!l@`^=CSc(Qu< /a[޶\tF?,]Jn. z^^md,x8 ÷x?VW:[۞`$aEŦ<` 6TY2JvVDE~~Ah qmQԌxrTo֊w`FgY<8 5/)Z[@aΧ2d25 BIEźŇnHpZF-zVX_3p)v.>덥K.]cwaH|e;OkM[t?FFvK+(:Sפv|kpg@{acNS#xڒdDY+) h4lh)ؽ g&]l{nKoRx<ŔR.bRxno Bw+ڟݰt%isJC_W@k`K7P\G1 lZv;Oj̓XF|߭tAȯyMK%#1 V8k{#󑓟aWt-WM]] 2pc PB$ĥ`S0W9`Ω#`se@30Nbs5jP3̛N-U)8{ڳ4<_L;djW ^s I2Jɜ- ջڨپlߺ=o@5f ^mNG7"SgJXFDƗe~&!-Bh$6ay璄p|#-hN;1 -};Sa%ʮIH]VqXb I>d EjZ!! Cc5'hZTG +] 2%k1xɚD@iBAc%$&n2t%2liN-/RĚfCmp/B}(Ĩl*Э~M5yM?: U -Hv?@P6/R7_ܮoq\`xjYkDr-vRo^ #ݺڱ`-IR:}/X_r\á}K YӜ H"*b(~ 'CVt0FtRCPqya_%27$s?-nucT5P]ddQLd)KbO[B`HӄYh3Mm{i/)2׳(ȇAǐb6HHW+N vH1fRMcbv@wk87zhg`ʩBK*kgs;]8D߷#p IaD(Ua>;Zv^$nnUų] .+׈-߃ۤR@eOZD0agٮBP$A Ko^EЁgBm$_e.wtdJ c,bp{ 5a™mM%`&.{d!Z@Y.ѿ@q׌U6ePVז>G0od,M"uޡE)%Ù^P]A!sҋ%o -zQ @yYDSvKѧ9BzĒI{۴75bv(]y'n3gaSOT[>L!LAaKb]^.h jXgQb, n98墆w)Pt Z}?+17.Z9%n2$nybר [F(`!;U&BG^eFHt(/~dopK(r=,t:l`HW|[aDQʳaHE21ʊy!C\=Xvh;+quR xLidvs? (/s=N’|w o%fU(NO &"o^97wȦ:hY!YηZך> w~Kxblڋ4N0:ekD\vWxSv0<vz*y %eX\eLZu|U4e7#hta]r  ?? y/%5H۠4h=:U\b c?@וHF2_XM"o@Fc!-t0#tr d꾾RR܆]B*) *r Ɋv, '[V0f8ogbp^,G&7 7?t%քjw-?jտ s N9_nmG堇^@'F{@g@6}BчlR9ג`C]v{>zξR۶,"S3ZV]I&E+}pqbT5@nii7[_Ź_ңM[qĺ/$n7V[(@3uϺX]>:&|(f̗ H<=Z׀'&1TxM|T=EY,&ף;4vB|z_UMa^ KԖ KDqM[KN|s S>If;:y%%(|Ag)j-7OquQ 䈴2y8[%_kޗ1UCb8S̓');wX{n?Q_f@)AEdTX0Z/\U) Qj#R"(iْ6oJZ>4KdA&'\;jl`۬/3-c~o|Ik"#D"k\RZ]f\W2nY?U7[pfi@> 2w5Y?ZL_AT+eZ@y+'w=s+*nC9Rݿ"1z#OxPAU`ŶQKa(/=`5yr&! ,WZ9~Nh֛թ~axi ]kCv;vG|ۉ/%|8.1Q.gzr3u38!2j&d@xB2HoF~+Yu*o[P% X !4LnvP_z)4%PS;|[8xMJ;Q]<W`#jf 0T)o>,vC,}l:r8}33$t11,J}ӻ^YűgE'5b.n*"#~Jn`xG~UCۮ賠϶hchxb G[.H %UDxU꨸Vl5ȸ*l1MsH{LVrk.6 ]$_#n8mfuOHV]6yzG 2to 8\Y:3Ds JE=Y#+ 3K:JJA~1lw٩X}Lkp F #NSaahX+˵M]<$6?r%wF_BƧoFy mD}oqBdh >^}: <>*-O BOʞ H?فVxCap-Ê#~1UOTM2G.~O^Axy.ML[kjTd}Q\x::rgTXD?B3} .n6ӐSſt rAdɈ=X>[v]aa ef=eЭKA *7eƑai1!*r/JZ}r 9JPsZ]r58i }cdΆ¿RecYC侺kݶ=!uԯe; [;up-p&H{NXlTfdshǭO>y^Kp9\ AfLZ(b`L†%XhFCnc&NU&{$mwnwΧT-p wcWWg9h{BGUAGޖLǧޥ|cЧSJcd(d A;eyt{d?wV9V44 KvPО';ޟҔ'0xuچ KQ 2Jڕȕ.c@IGc5%" @G?4]yQLd b7Th,7u0=kw;p-wweoR$ :%M9 ݋nj nN^=J?l b1pci|u*&vJ B9XÜ$7y=2/e 5C Bv'U3 H,SLeg:8R]ׇ|ֽlrX'Fhl C_{tEu襞ڤG8`䁟u c, |p _ꁘ,SxYKٻ@ Π;WS$h)|aZAV'T۟9VFi:P-`.[d(l> M `d-W΄V52z ({"EXsr!-8ĥVgB͖&\đE,@a}OD(\MJw6')sHӴA[܊Fd"^$y%Myv%H C@y^MB7-g.2:uP"^,FiS =mg 'cr:5D}ˉ Ta9:o62_0{ނޜEF(_ pЅtrHwrT:-Ε:g(!}ƌuot2g\q:!D,ו*PgLav?脴,6Uh]^h9ZYp=1"LEҜC`|am)`UBFWH;[h&DD攧[\YgQZ3)- t&:p"v:l3j%ǖ_-18l߷p*o2{=*v s_hpwiw+$`=K_NSZVVk*N=c`KW,rQѓ*eĠ RYUfla@n}Zq4,#Q ڽWp +6ioݯb%b:zCFUܐcbB-VYdIeCMiC-D'JGָp[3Zӯ7j!&NB\y {)-d}FjI@z͗#'&*Ȯ˜kA[AV#90]z1n mFмXCDJ"5‡pY2}yޣl1#<0ntΐshq>B)2zNv0c>jV}i3>ڲ'xp?vwq^PhXlD ;+8Q$\)kIM@H,~/>$U7|ꋼfumuƬD{p2ϯQa8R"2jC:d>b)Lن,۱+yK !(og*f{rEt-5\_Xq}Hɚ.IDsɃѰ]@CbZ?(q5T  2s˶ٿ;K}ñ*⵮K@_J3CsOOR0hT>3. G&˨v ;瀕v 0RkO~m9P%F?l|3"Cg`~&){W&\o Ŭr` Yz'*CmO^2Ĕ0\e[8@/b|46}CyuKGuB-֝O2U@^,jAsaMm[ y3.\ ry6ɺmcRqOF ǛW]u ؽ;~9[I>4?s $3MHeu:^nI s;jgt "@1@<)]PzuaіW` IDPe?#Gpn={,<aE1^5S˚^OvoL2 J.5Q z[iHm_bYژv:@aQU(y('ҠɎZj=? H-lF #tLkxH,3/lp1IL4!Q¹'auݫ,raGZ2eSw2eP*PWNKcΈKZw|AXhpimb4M1kj;_EY?aWќPG*Sc!w3ԣln얂3?kXq.(wm$  h E/hejT!w'-=ev)RYf(? hȥnyäA~d社0 'ŪЄn<-G@@%-iPNH\`?4/<2>2omjfSr#V|J[OИmHd p}&*/6 m:?U e]4$ U#s5`p͘<5fz >0%P#Led7=Nyonf-oiR9ʑ S_vPh?_:<+ I+FOLwUnGJ9A!GxIRcG=H7R:}My6&ZlB˴}9^TB@ wS/zÉPK-FURU3O6+ב # 3^runՊ߂6U"B_LAQ%Th )LލEv0h|L!`KXG]Q$+ .mmiژ> Z'EM]QPW%0Y0掆ey"bDժ{tFJG䚫o@NVQR Ae'=-9w[2dU1kn{?l8O7xSro͛ـ0cQٮa}Cq)EQ*z;H?fJ;4%DJhޣwz}ig}gז%٣oQA oZ,u~_ |LVHT=m%nJ1e0{B.eÁ=ڠcPbW] P`L kކ9%B;Eϕ_*!eƶܹ?8Cq$ֲ1`lb"|t3JD;nQpƩTJx/ؔ4D͜")eI*˜;wT HO_Œqh`ڝnZOe_*&Ea&nC*׶#\ژsNl|ؐģ5<.c'09Na"W=ݐ <ҩL8cLk] 60kg3z q#qTE|'/q699|A;nj+"|ϡ(?ՠ=Բn[ nᭂSQtvʨG6mBS 5_:cޞA.!409֞HCla9ѣx7%"RD{緐:%2XLء5SFc,Y~yVG1rAs56LK 7LRQS)!"H4{QRЊAaMsڴR? ܍Ɯ;gJ7V]uR ,L_R+C<pB[ɖT8u2V-Wv:W{{g|pJtr]=Qv<|QY IY6#xe =ƀ)DMI UsB8?HAe[:025TUyq~W\)eL!OJve=(k)xk:$v9$; 8U:&?f`؉t"H?ЍRںdh>{`0&KF>dl4&F;MUT˗;i'=3[{~sLwd}o<Q_HkÓc   Z@Jp?i8X4~H.SBb]T㇙i A"CkѽzOaɝ Gc${|ߤ*ǍAo1LI*~dCݦ| !;bFǁLWNŗ{ %5L" H̭_-?Z,104f;0kl^b2 Bouݩe!tEur@WO8]]mX:dhFi<^2ݻF$%<{y/<;zc(:6+ $;z9 I iVDO[E{#m!#3+)U FWYX=bi}KsҿlK2}aꤝ&o?DߪWAuhHtω'f#.MUAE)n-o6l"ZYADԸw'~O.(v,gS7W BPb.D @ H%~5_ڡY뽰:-`{,4|%L6҈'ɮGR$U+ynZ7hrc1e͆͑:M^gۖ| A)i#;?kܗK:k; ոECx> h.y/`L5:nsՔ/hZHX;7MzUU%@8{W%-6#w4|atIRhXQTsI:(H k{d3,H^AqV[ Ռ){nV`8E9\g>t!NSKLN"ؔox X0ؘ@F ?lŠָ426F%84Ab>OTy6^WEp "l~ţ{JrD l9׈QllLn8[/ Bл5Jt`mT0ӝ V’BLdb`d&=OJ/5i/ L5s51y-j?P:eWς}֕AצYWS ?yNl-GOSҹK&2ʹNmg|72x Ux(n&+hM#j}fK d|{/&cH^yh[7[w+JF. XnDQ;%SNxʼn#FɊDJK~@7^RJ\c?,Ӧ?Nsrk:bd5#ƷɒD[ϛAԡ%3'*CMGj;  RV *G rP,Rz]1:߄D[ON GXѤ$9RAJLk ց> ͔lPnv{$iWs 嫉\Ja/,x0p4[UiwU?$,q1 !@y=k嶗$ }EPE\JJוnTj.f#tZ~]} -~3⫌7kC\04^;HWH5h񸛱xl| =mt^^cisZaҹKZ(uR;>";Y~n\;E' dflúgh*4I>XFVbsk*AVmXŊ'{|=NEx}\}R4Io.՝:40ǩ;bi:7:kG.O^Yn.n *RMH F:L Rx8htJhλa߅o/|-X?܎zml' W e2ă@1{P ZX #aĮXDYA Kt ֢RTvfŹ)NȽ$E˹qH뎸kV(,8,N(fN"Yt eBWZI X5)25IQ_&c GUs/r$ڒ E >ͶObWpfQ6d{ uš{j4*yQN4ZA=!|%rmbXPѵG+?Ұ]9i<-]#YeN=@@Zp[I+m h{i_[/*̾]V@ͦcy 0l?hxqڿ9e0"Ym~ M0KQ;1ENGDPw`? i8sb_lh4p ( B= p qے:Stƴ'w/QوZmb^rh~,6 p[ZY mU;@3 $1,0Os>,nw r 8qth56{jmKz ΢4Me  ՚{!Q5Q(Db@Kw_sIKkǔxÿ984U4#4ArE| @ -۩f8ߵY'@k|=.KOFbʴ#͖g+jCW&㐛xr4B$!V'i}!kIV; Ьh&wЍf0ԤJ ŏwxg'Zz,#(?.4C33 (17՚U}Hk&K)gu^ܺr'pr@掔ۄ>c=971H *SoX˛羨 =ZML`BT>q@@W(5.&MVAX 2aǩ~X<6[,I4:/:\G" c=52r ozm]FJ& ed~W\Sz`Td*7:Te E~QTCe~& ɿc]O9u6Y%! ˺*<,Q[ ljD(-])N1vb{Ê o)۩Ы_"זuT'#ol2o\K ֫ qW1B {2duV^Q[s}3Hֽ2WYV٢Цe#G'`Lsw5![ܛv33Bx [cX}[z)^Uۨ&d4a&r`VG7*|*]3;f>UGVlq2'%idD,,S^dܖ4U%? *0EY>lmo !aٍa2O̎}($89.yǖ6x B7˚--F)MVD@tM̝Sa!vyq+ٝ>fOnkE>=>$j|LQ+2 a6_^ P}ۯ7G䨓KcmI5|XpbR%qֲg wbwU~8/O"qlekUvfU#paWW1DɑoTM)ag?4n ږ9߹HgB"B3ocW3"xFﴆtǬR@I=Ƿح1Y1d#y<D"mja&vpqdPi]w¾p̉@/f.[T_(K/b6kEuaDž=O ŷmono{UU=7+:ϳ- {bCP/$vэ)7dYJe';5n^R1 WHJ-`Ujk,~hElVXeMUC۽d/W4nx#72"&9{ŷ%ϷJ ʫfaD _a͹TRWN+,=b;TH dIv45R9Glb(/'+^ڦOPJ7(L3.C ^LQ N &,ggCr.ND-PF &C ~eͩ 7#  U)d3GXWg 0jCUM7Y`ZC|)`T elO, OG14 nx68Fb?&|!no H[ 3<|_+Qgr)xϽpZjX貢BkEG\uQ"jkJxzV}e_QRg*-2'/ogNmMNM z:^oŠU7['RS1Kww a|H썤T-SL,Xi0}6`z/CLXX-+u0䳇+X󄑡꜒~Aޔ BGHl(5!hrJM!R!R@_㥝B]['yf|ܨ}P9q9CYpUܱ{:ʩ%La »Cu22V:돺lm' BϦ{  S"Z@n{&+vpBWꑕa!%%&yAөpLDR"$k_݊ S96#гooЕ mKT|U!Ø':fc!yB C\st*;Ps\.¦a xvs7P 5 &qہ|)̳a(AO.vtϷ1@Bw'!m+,r.("36l2r(c!ߕh_^H2J#*po}Qgn$l|mpGxcF$&= ݀wyudi5U=3.iK(9O2a<1 EklPhx|;~b]a lR} b춎:@kat8c7so: Ŀ`c5pԞ-OEL"25)?[@rϓš:#aY8~vc1ݎ+;h3-͐'oײ\<*%Ao6*鋻znE2dIZ\Ejq,X' CCa=qicN) %ZԀLW~@`0U_]e|/!0&߽MB^9[,~hgMggU,w1+,c8XL*wKtվw9֝/:"QUm+My?:FTc(r:*qUC6hi3sGBۘUѴL28O1&O%AP"V}P"o7֭.a`ͯK e%rUe %?w?-a`Xߺ!@KtƦ 48)dPUKS4qg *JWJ/Cp%^_" td;ODr[@CZrV6hΉ@ٿ ed`.9hkV7,氳Ϡʡ:l̪S Fܹa#j$MYW{ty@/lj;?iL5* <ن_+!,%m7fx78BtV$F~PLx"6EcV9m*f S|2饔bYLtFx`TQ&F U[\r괄}USL :No[a'WudG^DV 4hR7d %6_}F ĖLr &|ECZoAB3FHVieF>,h$h7_pbnt+Oۥ ̢&T:Dz՘$)JzBZe=S0-.B杴F﯋Y)4#bL_<[;lp~؟) d74/4º'Br]PG-m6X3CT޻*ĸ.DQmn$7r \)=⟃m Lr\~[1:/Uh724tj hh^l$რ}/DfևŽ:&HPuMD%D?WsE|Ag+@-1;+E6UFWl DLрXgi3?\D y80ء_zR>n&><7OTl|fΊv")‹!/=֔}u7N^JBu&'j(ZC 6@CqT\E&d`?('6zF1`-eTLC Cv-:zz(Q]? ^XESějPc+!<2IcBG͓.䪹AVr[hmm_hrgr.laqk?MK[ |QZ5D,;ʮęզ҂FFo*EZk(5\Q%w,65ğii"B$$iO%N{Sug~b>#汖',;Vd80a:K|{)|ʶaa&="W3JH%23hh|sJp"s[uzShNY^2ɘ4L Jd7\%C@mLak5@/ǥNSv֞AUsp|y* uG瘩Q1 E=@&*,' R+ƒz5 R1]k5}>OJH~]n~&E=t{L͞y -BJjI,`5LTvͲ,Zϻ6w/yXl~>VhŒܐ IMS ANS&t~5ek($uJ`ѨA?v@Œ}[2d**n 1~i0`ɻvxSg> [5Xcet6ut]#;bζ0ߴf&Azt9;൥=g3D]Bqa…Aijg{)<\ u@ksnۻ>ɚ%u1 XށɒFlCx;.""ߵ~0r4Z =`s* 3`\e$ K|C C+`sMש%1Gc5ּ4pFWQG|N,>+}S گcrDZUP07O<[9vWNDpm5]/8o㈓pN@u#ۍ8(%JLۓ̅ lRT]sz@Ѧrl҄ nU`MeL>#,4$SXopq|\!#*rǑ'5C_}iďjH A(Iw,l ba :!o&у(K?b}GVǟԶs,-e.}iqksyu!&/n݈z1 T|Gt.ùMx1#Y<|o߂S]쌾N[xb>8e/lН\E"C$oמ&wg91Wt4Aye)0%)k}7Xx>wԖ2RRYVOzD]T:=Ӄb>w|~hjkח-35CмZUWe׽cx8}Q1j(.6jX.lIO2-bJjdžO'o _+srf L9kZ?.&' 6ƃ6)866i͈yVڈSW>̈́хɿkېAƄgBBKkTOf_<[;`ܜI"6*ﴉC:D@^m4 tFhAjd#>uy(-)-ʼnfo`iCwsn (?-Jx:" m<|/b^KWDN/NBvzK5ƙ#=, ;0~) lnn( F>ʁh)L((ǎߧ}3)@+dT^|CbיE?}%ts%avdZB%O&gD\W^05Bo=s7{FZr}iNqԊ',oQTFlϑY20.iF.'8Z9zi |-J ɘs#1 Y$L%+3)XW,X( hiH-9Ԏs+P}}6]d2mڟ<jȘ~{"u`܂0&o#1YkkΫD2q:G_>9Tࡪ~6|MT:;B+"t ڎ{I&19WchP{$^B[Kϰފ aPU#|;Dվt81$Iխ$'a{'H~N"Q_( ^R')R4|5D37`_L=j^PD{ r~AZsiR2J/rC7VYCN?Lł?uY9,;&:40p2_'1b Q ToxG5OרgqC#Qpji+U(n4*GD -$  *%ೋ²-dש͢N 4crn&/i1y!j+RJI@9tBm@XVKiZUUzL)]b4eD,rW-}IJw_H?w8s, %HKHψv_[& vNcO@\pvNl֩I (3*ol՛62 {h"^+Ö@Lk.7]zYm2/?+~P #1dfx%8dq;h83BCr~-C'/>JᩇQ3?Fh-:N1-31BoӶ^JS l2U(Ŵu\a0OW Lm1n1ׁJw6C+0F՞ q*de k”*3!o]Pe҇t7AP ȧn*/݈}BEIX_V2 d4YaS,t5kBupU=?Gzjʘ_ƣ}< Kk7hvΉ}6n{VVw0͖U!و2Z{ONTtfT 3+?`&jdR8\?/ǖOv XM ^:Jhz|T0SH@ipc|TvAxǓ|3DGcN/PQ-ll @O7}m@ G"A l~5>V6Y(eCה-^68_4>2#-A/xԥA|y&dMx{aHЯ* WuYDxWgRu.bdPHםq?i^ϣ}+_d2$ID0Dln"""f/ͅWQz1- vIΤ9-cnw)7H),Ef R}ty\v?M)FQT&Iݷ6/ [QRlgrY.Kpшs.au@RT$i 7Ϊ*M[$NSݩ-d}?'^;݇OXNI#n [ a ݣ%g E !J+³vM obuy+_bdxj&NھVp@3[U1iL.ZB_0$\Tc[6qӹ} bv韐跤d$g 8ub'܏b%?=""7]G8}Pd\\&%΋ib,-M(Բ~tU?yl5t `JRmhۓ@c<4t;-f[p ɑD RM`~MMc"Y7:衺 .~?Ω\ѓ~SZ'j{  *RYԡJ %CGPhl`⁍:!r}^jUh oNsr&ͥ>EMK~_f@!jxRqnf{%< EU} k$s|S7l>OHwǛJvICFbJܛJ 6Z*MDXAh@y fqKrd0@w*kx8^,)dKϝwRnPwGLv*P9]s&OJMNj 7sq`s[ rZZfdZ#OYZ$:Dbj6}twV*rwH1*pyFeUY1p"},TaluNVGߵ}w]i립wlaY-fM{5Qݜ6hSN7D:k*"<;flfҋܭI//oNoGT{{ߠW+Z{r;mZ2R̼BڌcUٸDNq 64.p̓nʅ䬌U3ڠKrB Ve3u]J[WHA+s44gwӛ0DY|΂=׸Y~M-եڷM)t`e Zr.HwLXOWcDe/ַ#a]BomOޣde45Tۺ,=`<յNީ!akZ!߶_L >b9nKh=ԶTN{%5l~-jMYb}e1+١B AsڗZKWgѣ VQYuT"[<-Ǖ;j"h%8Z7WJ~'eIݺ83.`TUȇDL ;ɇZKkVg_ݪ ,>2S NxDC9fbROo,ujv NL5z=YxpdKMN{a[" &r㽿u_-Q`ZC:t02iF%@dv.2,G.%Wh- aTRE򳗰ݕBWD9Q;H Mj}v@SuG G#-ёvΦ=Ջ7cDcNc8mKڸ0e*eܧ?%E Nü/g?TbEw:-'Fy/۾֧OHNճNn2ib%&1\XǗ3fF׫JS`4l}hiD,=mWYj=c\nLAױcc$$WyP(r qDnJTQ 3u]EZ;"Gaޗ"I;O_'%5{yک2X_TuWk~ Z29j&;6,5aݜŢ< Cj7 aC uK?qq.%j0QhTrsumܑpŕlVwvݭ6ψ?7_}kuADG#2e^ (qkz¼ WbKXK6QXxϭxU:/\~d݂,{)'[%;"+J5LɫdLX![_2)F8NZ~DJ&Jpukr9R(AopywX|abB S"CdKc-"5F*Igɶ ߶U*a< n U|rY.a3gDpNӜ֒v.A[E`4,dt+ ]Ii29Uqi|z9 xqƮ͚5:Mc4[y̴ft.dzn܃%Wjc̞?uf"MgqO %xtV@2ӎh;v[4AxB΂$)"|7m0E_^ Z#5M¢Lɺvv }Om1&sʧd Vbe~ ֓%^m㷓{.S fOHcR+ w~4!xk(#i_\F"jˡ9]] ku1-kι3 |YBܥGN+帞 te9F֔oWRrT6fltFVu#Dm봖*)fbbtf]QBaWZj2Xx`29S HF Z+-( 9,2Ar|-g+٪GbQ0JsQrH.7zDpi:nj'Ԥxdia-_dlqX%!p%|'.EHX4huj.$(غ)ct'J-Q]NTZ{\ҿE6A.Cf2qYn7xmr{ˎB=Py 36ib*30/PS7xC;(xx,|'hG̰&-4i. @ ߋu$Fs^6$V] =j1]~:Ln/]ڪK-!g.O}3uT5 oJcP61|[>:OhN{f+mQm"P1Lx+dDp=`u)*{Gju0\brDT&Ƿ'e7ՆT(.; J3j܊$QBԣ&I>b|C@NVd'q ӵbVԘ`e)Ĵo1W2/()eɇZ (7H;*(.h+}4TaM@3E)ھt;ke:.1zЭzk_}Zs-НKj pR\-9l9պݱ&[v:yɴ ؎qv WK ^.(Vx>t.KO`H;^ )G8K+Cr]4D֙8::JLvU4R`9Dn/憙I-6=8y"{Kyr5Y"mI)2Jn<~ZcqŲRzQ{c,$1[(@H0̂"D0k&@Mvn8!m=B7Z7M^5\D* 'ErURI z?eptoYq+p CYl6Av"W~Bn.y ';3Dwx1#rRw![4̲Z7ub8i&_@9]r4Ik#n݊.bm.\y I>O6]0ڿN <WSu%-Z7>j݊>C jHK\4CpkXŊ\X"hAD IڜcW}!Xcnu cp$h)stPi'Eb 2,P:T9~q'3:n\¦ U[xnҝN%q`V$o fs9he/9TCW &d%ۜ;x_&U=陑-E&Vywc T)ŇfW32^v +:v'~3OW1j|=΂#TYs]VL~u|)GqM!$Ho E : 19Ҩ!;)dJ0@!I}ɉ?`TKIsQd{F]v64{Ţd7D{Cud @3p3^@5~ZQ`\n؇H*s@O[%vaÀ gN%9 1|mI`v}R>;A9zOeJ c:( &D*t;V2zѳ1tMm5tښ"߮WFD!_2bt ϚJ@OLSFI jD0%zv1[~_XK8uS^wq )S6G׌|.Pe^EE!-'GZ٤]X*2tu[M@/X݁¹'m^S9UZˆ{]A[DNi;F[Ю ڰ?R(wOHzA񽴄҃GXz `H.nXc9|%\l:g# 4 *Gzycnx&B= |?0S@7~4>Zbʴ>T}m?`3F&u=QIne{uu3NoA+xW{-W)QQk;ж W$)?Mm^S09NmR,R^;Pr 鴣My!&I ׅBqSlp/.Ƚl(kzl!6㙟oI'%ˏ)1z~@LvǪnu,#{o/E9GX^X}/N x诖)2iWi{c~oH3}qzW?-.6T쑖dVO9X,Y+4Ln,,nHp9~ByahC{ p+A.4=ٛbbvr N\ѸZQ6Wd1cy9aƫUO{_phTs݇Q NM k:`ލA:\{-KO h =(;(O>Y> uteܭ %8uWF/-gnm"B,5@.kTGg3U\ Ooduaꓩ A\]G .AV)ȭ?Cq3?ـ'p˜{^Slu=`C/]&e GOͶ0eF؄՟'gxw-R%ˍJW?PaOUtvjhMf x}r5_`q6pSnNr=`т!b̻- ̞>gsc̫W/Ig)t4? xs[%弋IO0AoÐic (ʹoX)6 T?Z`(,SJЋKtЙok'jY`;&v|jpUKQ K3ܚ*׌N ?J쯥E~i5cx6L/YbxC`4&k"fGEzn(iSՈBgX~m/ŅZ?=pPɬi Q95+?andJ 2Ai\R$/*LHq#w=buKtb[P@%z8lmʓc޲&tt)l nW(A".Fp@wx>0,٥/Ƕ#!1w wS>*~t^Gv0#NoQacmrmH/a*fE՝ӂK:C @Ih0?^n=.4"% [-GjIYbF˄;/ͬiƄ],"݌7k9wO e^Lr[­l3_Oq etù6.˰bSwuk'|-`kTн}nnLii m?TH=ʞGK 9%wq7v$,D,:kˉJKdv|Ni|N8 j:Lt:G/v*/ԖTĚf/t4xo M{u-ݗxDŞP|˙wAIn8>y׭ceeem!҃lh.Ook<ϫꨪ'+ITY2wo?*'m&$@zNxZKnZSc(>Am$cpg&>0zwp*LzCs,ƻ/ˣeίaeow?DT=Ui2Vcz$r Y_$yx xJ\ܬ0;{Pdg'k6BrJf[6|pEs>~$ ΍{Tr?Eʓ)8Mw T6i /ưE(K7@~@̷n\bޤ"yPV='Gr/FJAЏ_j=&=@xݍlRPQ\B~< I6m2Y(Qp8^$&j-͡NphcV-q_o`{2GR4[)Q ¹@2`orҸ[^s "(jB8CpI46D7K 0m]o R}ڃvJ}0%`ѿod LH8 x~K}h12f?{JI6.Z˽Cdmfi{-ރW){mj P.6Zyr)XۈdP5bsgdu\Ҁ$Jxr^QU*Tȕ9٫ bxN^%#4#$/onƷ@XN1fg6Xbi8R5w:-sC [Mĺ܏ vDM20X4{qBiהS *G 'ܴ5؜e~Td Y^ SHh9vmڨm`zpD2DY:eu4RidOk*aKw.N) c4J>DҘ^)LZ:yI9TW KKP+צiCqHfk0|<'ku@kЮx 2SuRud,`=>H-2=\ WXWfb},qyF剘k'i _Sl Udwp\,PS*U~9siM9wXpHxUgAg:8B ;]W~" F !}$q>M`,W YfheP'ˌu:a!W-k:΢z> W[ WE7Lm KJͯkZogxȪ|t\)ViJ]1d>1<ϩg~B%H{e@JK!Hy@x۵QQR' X& ~(M?S"=.udR]9jʾHTQNE ,Ѷ@m;MPIӒAeVqs;@ͥ ܬpַ*fKTYpN\W ##yvMc=/KcP0q*Au~^#2Jދa΂<{B;/j|T. "&Ӥ"0LCW{0B]7\|HLX0ZSce$!RF3&t6:!1i 0h幑YYV"ʆb7O+N3lΖ},nFqf lU 1? рLekt+`&X&܆/),e )8pkB+%g*0JB ֖9,Xr6T/,0K&Vƾ /\'ôO$wpׇ[F#l@X *z"/<# #t{zB5S R9fP*S5ዻq .H'.c=*]7D %d:\BUMq#B`H犱6"Uӏ-qNc(2,Tq&&o9*x*m,N  Wݦn&3Zt@}H?4`ݢfh-FUh\I,b=[?Q%Δsۥ|dm&7&.S:y#G'VB}R_PaoBؘhv>VQ$ssi_A(üdn*i=a (zPGdaA 02И[Vgݘ-[>j-rw$t;˜#OzAqg|؃^ 4Ma4Mܧ-j!.ݡBWG2 \Asp/8x/Ύ?sxqEed ?#>jFpzj͒V `ĵ|+^_9F;9"zC-1ww+|@ Ӯ36M% 4'[;Ǹv2Qz=1aWLp0lڽoABh YW4};t+963C/cF,ª 1yڏM ](nWGIوkQ.J+mKLRl'gy@%ЎDCxWfUB!-< ǰ\h*UOSt4=ɢZ%Qn&Y+Wn L{ϔ r?/}@oLݠLY[䄵 Ҡh'kJFLq%^d$0̈rg=Bw(kae3.5Y;%ﺧf)Rb2pQͧ|fjVZآ*ờis2aTf w"3Yf`i[-*KI,/53rPS{h$!NG1\+4lA%S##FtX[ުhǂԶm (H6 ]f*"@FP7#LW23a_g.:+@LQx2IZ:_ϛzoُ?3LkW#?t3yf{r!my7=3-JAǩƢ_dUb)D/R1(Hh5R;Vӭ+1tSԺ߂۵ Q(= xZ ;-!+dȍsNj(q/o }% |[ [HEdlQ3E]d<$#ES)wm.] ۖ$$iõ_j^fGdBj=$[$ȓRR=߮Z荤 (%l~B})ԓ!̝/$~+K>Y/g+_ʼnz `F.x_<ӜDoI'BŤ(pA_55BԎ,/RdK5)6cЭOE2#-7&c/ppU<~`"l]Cse|~(-c?u xa @e 9*[KETc?`#WՊW}#jgko(v/\ AU4\ ]@<`q.;A]W`qLoUҟ@1eCNt,dLll#:9܋zF"¼,HM8DB'nQӰ Ylil*CjR;퐇O]d7uS:߷U:ϸ [tkn\`lS{F}.:|Zf+~49w2r7cV,zlF<2JJtO]+`ڶSLͬڲ0tlk[]/S&cUa#peAgrA 2nynk)|ʉ1UXtd'=puJCq&{S>1퇧hDMPUJsP#?yj+5~V;Lx&h EeE%X):h)>2ՇνBxGiX{3|VP7 pVOl.eOe:Mrԋu]Gҋ3r?Uv?pi'< IHpvj>\5 Q|4<2> :g~a\RA"9:Dz̒ @s9F)+ܻg([̗n3_!b,"qB u>5buY'ߚ7zո-#*D3`H_1YO?O^<2@jSzHWn meJcJf9_u:pHU3Ó $3]i{ʘ PG'霈y 9PPh1- Ɗћ{;LEU]/?;<#g!=E) G_U={7 bPں=!!]x>~Ht訊hT" &3_92INxYY3!%tZ`/wjj_T E"-g6aҪ)ZKg y!" f/U M/ s%1GJOAa|@'zCmCǾQHWxK1%q2'•+ |~8(@aZ)ne)ӡ'C~E9A}n]=6dӯi+ש~ 態Բ3)R^{@h8.׸D-R )-`Ň:AFfGeb28TVp3lx豔Mʘtaq`Q"LD`xNIw&u&lfίpKhv۩-qx@[SrQ^&w[]w7L- egs9ٲ*IT[lmӟؠCB@Imițcg׹ e;9HKȿd$" lH:,C-{lԤʾiQ X|Zb .UǥOYƾ@vmC#]l$ DNhc=@FdۓqD-eeg=4!*1%hC}S ק3jA7Hp˨aSSޥJ<##2ޯQ 1fOw-C^Dwbd~P-p~tt ޞ1 J1fv!2Ms)f>YvR6ܻ`)7ɵ0 }Ӡ7D*pK컷9Zrrn +9Ji@9iy i}Ef$.­$h  ģu6dߝm=܃I3м7jYrwVښRgψt֫x7Z7QM Q|Lq;F-My_FEN1Gf*F|QNo ZfH߽Q0J`k<|=bs&DyNC^&#8G:.m sHOCA_)-XHS#F)ԥA[ޥs/םgv5qC-XocsN- 6BOv2ȆC|p+]*_ՒpVʽ=apN'a`AQOUT@2pBcj?OF:ի N_8IF܇a*.̲Iֶ>VշӲuCtWf&5- Y]pdfa~, kt yR-Ք|`N(gQ4$]5r"U|jMtjjF<>ڸbA`g:&g_t`OsBdY> Ft}a@'ϐ>;ߊp 뤲Gg<;@&kX\?7f>E Z/$[2v.o X?)ځW 'r} 'n2sV)r`MN]6f.HDٲHMӽ!wOwҠq,N?n$Y8. złnlɀQKK 7,7;Dq>y o͚ =6%Y3Gl Fmy*n#_7RI"h"gyѧNi tWQEO㬢j}̤GW5P )p1'(MB(\ۦ\[O/DWeT?|G7AVDo)}Aƞ/ϊpɻܪ:X}rw[MlB1KtRDE!lv 7)\)KZ\(jdq@C8Vq,hx_=R["T=Ė8f.`SaDUCϋ[8A{=x%Jaܣx`d7p$$PM)C+#Z_`^(d V]:yC&2ff!Q7L!+ [qLA+rB h”LS$lW%N^[EA:\}iGE+< c],ىN4*aDڐ6} 8hV_ s $m!syhlh#@V!H#bL"K,>Bغ'feIFkN5nT+6Taf9Ttcan@\Cr9sq uLd u]dJG#53el2&#PC}',r@mo|1> FQf[Z,&U]@#᫏6;)TX"InRYqdg~GMt>k0=lgP/^nordYX7kj\qO&l/783q-<崠^ ~@@֏s8+ CZH/X Z 71DaG3mA{=HRj)mLN$PseQ3#l4ٷSVPlhq. ;NY4LOayn9݁jF Gm [K-H3 aw%z,tK,;_)-2>cB{0+I}圾GЁF_0;+aC ]kF񨕪P8hVy,?^XЊ՗8TcB=w0&O>c)@=;w_7POĽujQ >/cwJ>uMvd"orJMSBL>nàާLً YS4kނ@x.sChbODrCa1NwOf4UgɯOz\UeW)/V@:kԓTJC/!`K21Gc8 \"18Wq7Oݩ,#!o'q8LIxXZ߼ G82dd$[׻g]rAO\cNi|=69\ TO1i#~tp  Z# XN6FͮukJϘi̐mj_<~509>sͮ)ˀL)HCM>,03 ©@K xġ[6\p >MK("{bT 7"uc.yNH5Zh:r%ߓZn>5bN /}Ҥ2íξwJ١ Jy+Mvan'_2qE3xTe3=B1&WuI^)fb`g̿Zlj ̼+9\dY>K "7bs!JOiDz5'?nB=lt裛<(CB,{΂^Wb57vRA9% ѣՎ{S~S-49ŴQ̰5v˟FP%؎j蚧 G7 ͞ykkJ{ʰŷ53i﫤{P@G&uCTX RzW4|z 1$ *sgDhr]hϐ!5YL8mTȖC,stL[A;,@l[cKNX˸§!/کqɪǹ6XGI1@*KZ5%-P&&Pek{v^ybZI[8PUC:ޫ J CR3>X:IG,O i)@ߙOH|55ߝ, |~nVyxR>A䁐q NʩCqʞg)i:'< $fN=we|w3Eλ\qsfnC^Pc_X e%Y廡/p_ oQm94ZY]sLTy=R{zg4zVGmb",=eT \=+!VqVcϽ#lS0&<8gRp #W8cZIPt=%]1ZvJZ.ksTO#Ϝcqp<gM//"RlY>u9@uT .}5R m%"*}(nrWء(Ȯ16'c`}}_fO)iЭ{ti6Owy(v I%!z|bL?)SK9ryB?%^[PKwOU][qŗ%-cm˫ RGX .==#vɽa٥pv v<7WƔR⬺NQbwq,n&wYp6wK3cd0B[e\<|aS3ue dݕFj}|SK6&:sD# )^egӉ?Ԉc{(!e 0+,|pmE>3R^t3lAc][A`oj+j @@3gQ{^_1`oX1p }!#MlVVάT~6"ؖ2gڦ4S:֧q#ko D=Rv/Nޘ^d`b0*xŇ Lu2#% 5 d<ˌxUl2J̻N[6?)Qڇ'urIA4 Vl`w:ɲ*ESLL.J;E6$?FC:f=M; Op\V]=Km񨟩y4 vԯ[U O XI|ka_*C B d$@3ܵΫagT2u/oa&M |GvB$㸧Jl=^=4ԫ_/Uw(l7iGP3vׁ]IWs |ڢ`~0靁Lfv~7GշOծȗ-5][Fe:)fW+A(-!Ye ҿf6 Fae ݭjI%n2y@"lḯʥZ(HJt-%E#ERy&ebCr6V/Ƭ̣L5R'MN.uB뿋*c~dJqZOD '^w9W{Veޡ;Kq{3JM1C%ӴMa7FQK-jhjNG7R %zJ{ Tl)f0=&x'rG_Eդ*F)84[kq>gSc_ĠB\gNEM]ˑwlm/_לKF;Pʓf,A!j,hܰp\O[5p%/*]-fGbH7I[)Gl'[HKrrg1i#5aPCzjOV6Hrۯ y]+Xk~قdk߯]G`k%8uiFe-^/BJ[SUqCzըyX}NB@<-A9-ZVc omhFGk|pe; KHpΎ/3qZbU?stM1$|Y+1ƘDDfsp~j| >ݍ^=:CcB%tsDgmﵳ2x,˟díʊcq{M=5HyXK&(Uh[=7I*4CfSbP1yHoQt8{{7%tQ5~!CwF p[kA q깅g=6 beԛ$vVhkf-I3^FGXk}ғ鞆0bZtl1ayP=w3j[Wh|i }bo.y~nV;ڸ}poMWڠ؁zԷ7q-/E&N ߲0(K4e<^}9UcB. cr&3iE4\u=>X%L 7:N=԰oJ Ա tԍ:ߋمu~4%DZmY"{,.XXydY(0l àGUo|;h&:Fg5k ވULWSUt-A<& i~WsVyI}<\G sQdcD.Z祆"!29~Z -'poOVBY 7K!dnut,E4DN s+5s TmSwaĎ$8nP !q ^B*~+#"tw:+Mٵ!ᘖmyXKRY(@¤6#"QL&7Y~%t~RRv5kv_F1}C0p䮙A!zǩrhFk#9R C֜D+[?T^PaE=l}KuymIdAj2BKJEneAUAs4:,*CI,"TE!Iu)*'H WU)6Lf$]@yiR?>z;>џ[vŐ@aƌGgWjoZQ氠5MJuCrj~ Ļlb$Be!YCZ z#dp;cW ج(i(z.4BmfUP3fśX9AR;kcm%>jrsmYf0[b ! q]u4Az\j⢼CXW򀸢}`# F`G)9t(miEZ Bאª-2''=N rd.Drڰ!VEC6t{&\r@q[xhyF Yy !\FܚSiY@[u~ =/)@/Pnr(4&Jx !^D&d{7wjKᕥcqtR5&.?#9i$c'Bܡ v rb9JxkA !Mu.3Ӓ> ~2g_w33nbV\:^"uB0g#N^~D[F l h9q>oY"w]15=9M !+fT2l R9r)a fbYu>vAb䠟UY@#kCH6*0>[FNV҅%P[ɍg-8B$̉h ?SSNBj˜c{Z#mcyeDI .޸cjw Yd OѤDW^ G22I?=_Ɖ?zd\ƀBW˃eMUGӒ߽ m~hKdO8'\:r^cjby\J4VQ29, W.)\nSJCRs2+a^"ԶB2*| C;K=\0QwJ3睈yСkFTyH%$b@  NX 7 't}u0v6Gy7G,Q 3^s2]9 Ure 3nbeѓ8o| ɔ9W!$P}raKKWӷ7& {;3dL`>a[P@bq͓ eap 6BdbrCd ⧎>r);|V{YobvPqv^oO,++JY:f*gyXZ}|17]Q}6 &5b1 jxNAZ*GpZ|m%n"2]o)ISE"O)@K@=*+ "$DK(Z)>X&?_o H8=񬸑5r I"ThVSMhaRdUH mMx˼hN`θ~-$PJu nEjo# t 7^Sϱ^G:HZ9~k@곒IE f<#ٰO!VG@릲 AVC|'=ZMYyB"b4y^lMS@FeөohѲZLmZk_a8XgN2tkwUyYg7I[t*MFEϦ=fmШ<}ɕ)YauN6'iaqml9 ,˵:F׍DJd3XWI ʼۯInXbny8`7R Vp̓G8"sT}<[SM܀^OS+r]a7·6o^Ktݘ#t>tXfu«}'T UX0$l.`] d)&†CEOiՋY .%5: Qw %ȭA28+ p[ߞI+`q$ٳ ^ gqqoO0߁o$HfR-Oi/~?տXl~vOz~T#Ƕ|rqyNIkP,KmY,=* Yu V2˅a  gn&G 0s[)^$q?N)gtA@Y%*ziViTp.RQ*1O=9˾~g5@e%nH,G>xS/a㸋߀<i WV#x 4%X9|N׻SDǻmW/J3ջ?VV<*9 Z;Y?.ӾVaY$2/v(֫E2Wp`* &G~ v8t1q-ԜFU8A)4cG-ꐝW8O;*}A83"mo* \:"I*ʊ8y gd k$6rD9ٺr\O'x3=†Cy o9h"olAkKpø`ݻUVLv䕖)V78G&o7XV6oV͈TN& @aR'"a`ntgr#*qMDP˦&NߍwQFw+RNk=2EK"ѠԷa*RN0یDs鋿9R>0q3בYnDwFiOz!-bj@T!_vߤ9QFyˎd9}Q!&"RrO(vvv܎ɶ-Qڠ(AwS/!wPYoF!PE'6 Eu,oBjʰ.znk7-=z۱8i|b喢+WiN\e8|2 WC?WoZUBtwV@:'p=j'>tP)V )뺢s=u#E `h?bb*L,2 ͜% JS8ܲh'SQ"u|8݁Qv{`8Z'Tkt`ДofO8JQ]`x>CS៽(yCQt̮8ɾu5t3E,oU _3Gr,;JO%&I׎~ֆ3qIpw҃)%S+,?}oTIm`ӧ]29z,NOzyE"N.D93J90yw9nT5.M(Æʖ>QP<&})i6#1e{.)`+#Mb7ĐB88lT3OivR˽D] m1y.ƩPFZRk#~$รQ. Z&Rͷϓ-o@8k9j",?#~2-N-+"?9ak@jt]P=$Fy-@˷j@3T1e+o;~3QakWz_ՠ$K`7P /ϭa6 DJ'SoK`B >4#ΘoLl8#@O<ynF%p>wS0Ij8Bו<34qs6gh_2dvp/au<&:i)l+rN;uǩ8aQ\IIU|/ؔmQ^8nrkҨ? NGjRJgdQc 6L  f$_h#%^cqG-ϯR&E/ʆ JǝTAzk aTgJ+wfΝN%w_@zj -f&n^ |F8+k}V>dUN̯|ґKt= TGS6<0: N2jR-epRwqiD75.cі8c*nEU_hZ@j󧼁2OwOU3m䘐GSjn^vX)7^7Ν8d J뺲9wq8UzS4Ͼ/kј%zjL0OW<,Ź->/O>S3 miF(KYu}T}UQ$218:rDMO{+dP^ۊf;Y{65NZx:nVi<=:ӳfIy6MM}mt[)HmǪ@ rgBM -< G_/uTgNSjyF|/Zo\o^Ad0up_:2hՈFɄ "0vqkn<^K~cT\}nwb_zH4Ђd4Evp LEwE#^ ̫؁ޠuBb= iE gKX.פ`Q 4s%Ac^Yx-GIBSSrPd!Вe?N]\dmoQrrFu L #:X֖{:1xy;֫.5=^k1Uo 홄GVX#E%4 `7NP:r2`B[a;vlѤ4t N&]s큂},!|׹Y*ϲ0gUIw7feFqm\/qҹ@ϐݔhzU2iơ_ub_*2653-z}o羮y5,2wN/V Ax?R7{أ^̝[]|i3xƀN_ q8kɢj_!/'AHzX+u''V|(J%  UEo*yY=õ哂ERWoRRi U`=˚ӹLpIrI4!\;_?*N\ΆØ*]uK: sgkiܰFEXx,<2Ybs3yR]BTK'F}SlUidH2x,ICu FؗZ DB#PDc3eu#z%:JGrh9+aWN=Võ (ƤI A;xC0Kø8Cw1Y]a=^\?=>[&]&#h~@2lu,WEڳ/ # XRn ֟% +w7=}4dr \ wY x5J]'?({ J.>||JZ!=Z%=^^%=؜r[-1" *4W=ӚvY;3MZ@O;6.MNk,\ X޸ )i]~D"6Mh%cR e/2%}XSygtq}tӧ{"~|?y$(xb)FmGo&ꄞy$ fWB-Wn"7wϴ!lĢQn;8huh%L)gTeu wChF4"XTjr[zɬuEeH>+:oyoy]HnG4܁f8)|L1!%l10-!tC]L7Q|99QE qH}{l/ГchbLWREER-F_nXvILr8pYXd @W>,ajmHfN7J\ (K=E+Y9#KūQ3ٕ6}J/܀G\0b붢MB~遟|Qe~'AH^ :Wm\zd6n,_nx?ċD1<32 3hZEx}CrR& O_+L|c>e}?C1i`P1-U(5iQ/`kcds0nkH(=ʱ  /OuψODCN>A{ JI2 D'iDW@9RJ2^Z!;.+צjTG&r%%~AikuF;؍Zjnad{^ϩCVڨٜTǟa_ P;~0k-F'ņ#"6,DEt T]ϛ! `lE8_rsT3QTsTqvk{ݫBZ^ks:UR=JQz< b#֦@9D)PJYO5niB,AK$>r{1r@ f4 yg9Us,`@7S:8`MZiZ˙0OE{2`=bCfc=hDw*؝m?K*_=eZ`F6tɒ}إk0C$qt1sTb]muv@mMBF+.q%D7;8 L⍯&'=ZB]ѣ !TN8 -.QnygGu6^%n%=V z=A}bqA~56Qذ/[ۅBю2>*&:7v}R(9zUȜ\zk@y.Uz=5B9\abSHuil=٣&.R8F v!vQt󓭑kgd[ǽ [l4m̅i*;[ )Ǔo T9\O7X͜t}Sch ݯ}ai;C`茊FI'L:2צ|yɜ*)P+_HFJS[ŞOPYP >27b!"r>9S`;."FHANK ,UvGE(T}:lχaNz*EJnwl=y0*B80iQr&6>^_| K8V>-ZXsxseOiZPX `L6Y`]ƒuvzrEڹ6ЋR *K=tP=6-i* |&?|}׹_I8g~nƂux ڿf4&B}PŸ̈́|Den~׵U#F}2e@hO:0I?v^V9ԲߐUK@JzэsmG`&qWܘyyM Oцxs8̚˛ EB">s[:?f/ /&@)[&oDQ#[ a?8Y STŹb5{əJBlLeM;Lק@9[ݵYjb߆@q=Iv 4SJ37 BRR'qSh_?a6=/t"4w孙,K6]$AR2:vޭ?rj$L_iwKqWaR.h8O)Fm'ۙ =14%?GQ"C Lkl*pkk Ģ&. ~E rHUF2.U7ԖySiT]nMGU3[DU bV(]FUML贚Ng^9GY.,#^Zj57̋pDs~O`D[ļ}uTOV ޚN;-`L0 "~NmXZ>Zϧ&zk,bmZe{C-MBVy\sˤA>4Tt0՚cse]g)jO Oy/Jwh7DK[&rPL^M:_Z=~Du|d[fv^  @a䕁_>_hP=i9 =XHs!""GaRH> `%#+XVoT+Hgk t`A%Źft =@J#smB{LڏdTS:ׅ)\3WlhLOm+Ki9UՐx/ӛ|q }bֹ2\Bi;^lrø|xٴ)8Bj1$,p1FhC4,.4 :Α (/ w.HrDR Sv"#C,c XE3OG%㜩h5):g,Z*a뙖IYvl r ||06d$Uh*:]NJ3ͺpl'=_@}|ap<,CfV. cօ)1d,YsĬD}9uq-mAzFI]^zn5[1lڔi> a B7$ d -.8 aK ] 5pd [E/7kIuD4P\M<ϥJvG)cTc޿Ѭu@q􏈣ub-q Ggח>Z@(Ar=2}U`$-P>;q^|:Uzk(u Il&0B\$Kq}qf?N&SR9|~<Ib]aoy(*Ws2ԃ4- ڒʅ{lwhχo34=TRn)T7#dOL!`kg".xo W׿at 5ri\!Xdr}c-[6Iڅd}`ѦEA+kyS$ȼb1w<0Qgccr K X.= jX̵֯ UލSFvV<^Z$3_r+;W0xоЙkf ]|bx3d^Zڝ qE*Z]m|ҰKkWyL%7֠OBfU emPA'3^ Wr(X3QɯlQy떽{uχir쀞%A>>s@ x a!S;= ߰!8xc!N+ A ~>YĪ 7 \b3 񱥎7~F7&==*&iQGa'QQHV{\ 2 )jJ ;FZ;=z!o tޅekYN&\"]S!Yrc`dw'xZ%"}9zmƳa/Rke}k0zCf$b9DɱXΎķ~͵r\8a"7$fԜȄpN~ri~/R:= V.#6]KGW'> E3lı>YߦQ Ⱦ9L%|9 AQ>f|Q\ -,f'S,iZJ6f|I(+4Iаaщ@2WSHт#eKTĝoN-i(D3ἺR:4h_*!b% #d`8"ҠD'C%S3`w@NQ,`c!\.j5L3z@6ZP٭o6ѓʃ_tr~PUn4QWif.]}44aiW$a`$Hޘڲ(h]uC\5_3LOyN%w.Zi䔶Dfu]RP/dV3"#m5tݙmѠskM,tef ,EXVAߵh'48YS/,y8he',⡲< }& ǩxZ]6 eqdXs6*mUƻboe %{P We? ԜI y$ %붊Ӵdqؐm/H/͙ ы7 DqlP .Q?#ix[:OL*:w+ЧMzP݌Ndy\C΂m›.m)?V<ӕY6!͔Q7 v;cօ)1m~Э2O)>D?U5|كǾ53dBnm=UcTáAG|wm]CrB%eKR&#~`dH!چ 4x7,iz`u_"걗,sy}cF)_Ұﴩk:V=f+(4PBIYJ48UV@m`7DKsswo(Is͞+h}PlT; i! C~_C/(ໃ9kޢ,rF2-OzČb LBx5 :%@2biИu*oӃ$Ӥo hBc&;*Z#ةJރ2gkױIp80 G%(ڊd8])@>3]j8._il^ \['AS/aL#"颐܅ =YU݁,K ٰ̓i ĪU繇r}^nLR MLVsKZdo M`RWkm[ oކ]HFP4̮U5MGH[ "!D(;u25H1]Mbȑc_}ΰxהZnN[u"AR3;̓ƯzzGO7Á͎A? e(x68{El#T.nXA{IrctH^fRu|gZL1b )X+B</c #!LY4}i%G٫exb\> P­O>f}. |o]P}=fJOR'ݣvhMҿ(UdEuaO97|21u?0e6])h^ot,SS W3@?pa81ܰX9Zs&4xm>'7,1Ei+E!gcf-5{D҆Uȫ[dfOSN2騆.SշV] QE3?*PtCPn=30R-}Gl5&敁;F8M40x'l,Z*LL#KV?'E^v% W ꔏ5ꣅMIPV>|h՘z0KҠVwñ2̒}ND6|.[͔ ed<=9@1ZEyv$ϏyBO.b|/,JT`:z bPInBݷE(zzf ;tZ3I-7Mp3T50hi3LMڃ"ZmΒIcˣܢU=r—T{mEݦ+nF[5vmgKRs J9@GF0qFvSh7$FTzYb{!\ 1C tVf:"j؝EQEo-e3ܥ` IgōЖ|%3&T r&ZoQz<-̱yݺP@C rf"&^wRKx'ˆh ! wHlOOW'-.Q+EWvWdET:va) 4 I+|,|Ͻd5h7J-} tM{L#>{[_k+ %C mMD4%Cso1fi=k}'-1q^15#QJ/Olϫ؃[Ga cj E̻Jaߜ΃񏅰XqmP0иړS*}dl#nY-*\R7D?ibc{#4m/y}~\I LH˚"R1>EDSZg2~BՈN Eg絉Dt+\-=z`k_LiRln.3N?Ah9܈䪍lr/B϶X$R? ʱꂘ佺&Z6;I yD@I`2x ,DX#`ZM=QpE ݑ2Zޞl( ħK2M>8̹wR9HI~IDepVk*+#̶1["8 /B{l\Qs61dyBYu}NBɴ,J[U222v̟']d"Ճ6zI߯J>)ƆU.-:XB7:ʯUghB# Ff5/m094#Ŗ7fW61q/!@-e)弥!, z:2F/hޞ~>31uvZ(9*g9 InCM A?4 A=oܷsbL^7I {O={0g=Jϸw)̻$G_n g CT_8B&";4ُ3'z;HsAYTtѶ=bCLlv}B9&bv^D"^I8IUmbRJ|f0!ʄ kbS*!=R5ܜ1IQ&9HYB KeAnYv331?߼;%|4+|] L/2)J,3-' 'gM6 *߫KqcśFYT#F ԷEIVi7ĸkV)Lx')Yړ!roGǖu 37u2f{mӭ $ZWK%6{{6Ԅ~0eo[铮W^3"{)V%R\§ťث>VTb|.ZGi5!b2JJfkdWk;ŃJW-& VAtgSc+}_D\nAgc`P0go;Ra-F|6]څUqQ'Bg/UĘ%^^t|1\.m,-RD҈!"U3v/)tSvKuEX}TN(";[[q/+gڦ]>~i^9{˔-ieGcylϠlm갍*kVt豬[!4(mv,ۭC$v 4X4[F2r )MLDPz j߆ܹ7)1ސQH/0l'ku ~F#z*Br*6ȄΟÉ<٠VH@U?vۿHgρ2y'D-iu/m?2 [z̞IK~E9xLhQ)`4LW_Q5 YkU6ha:tZiV陷O 6NNopf vEW3cQ%û:Pl8%=gMZ_HR ԗ~^#M|8Z1LֱQӿޭA-[ꪻXf4w{5nBA̓.d;(x1Ȋ7I۵ s8zD\Ej5Hd]BE͊Go@ڵY.ϗO&'vx@*E<1KRYENW™#^w@dKMtmOKs4߸Q]"2zy^H IdU?{ʡe;Ax^3^xKr f)/1R*V^G}xt:Rgy9 cpXD,3-l0 a7/\x5Ӌq >rֳ+@Uٹh% 2y@(OD!D hH+vFڄ6ڗTَY(߇ClNFאB$ʩS^JR1J/ٞ"؆;H/RzhFA J܏`;h_ΓT @SG ָ BCl|:gʵ̦p~nAԕea;J;`|[~qA-F)L YXoTr5+<ćx4ТI"HƤ;JĦOC" 6-ר{O|O:/a0. Cm3SC+ Ɂ*~3b 勳),7ILC؛5KM2'$V 桳%-ozCe:)L_ G] h3A8XI|܁2@%<ҵ1t28 > @zXH 3юhƄꕥPv0gl-u \M~Pҍ?( m*Q)q0y Ֆ~d1ӥMv-:FwrKH>IlᥛIbe/Z^ ayM(UT"&.P`Ja2,Rֹ!tX#?*2]cR4+r_G&&i>1y?g6^ޢX9e _'-W{Rn`^^pZPZ;S:yxVVm/,QLc of/;Q9Kl\\[u?lvKl=,qDnDOo۱-ݙ'<#n2 5jbF.muO?sQ GFiuT`[mE6k=&#X4AEi *}%r4R {U$iwlR5OF3*̨"AVGM)}Gp'!]xt/QZ|qDrFϫ_SfZM!KL_wu0|:Ԡ:'1KinYj*{*13/ 0 zt?l[nfnDM3@ Xbr3J5@:WA{bPU2FqbUzϜ!r"J#6PM'?ǏRYR}Eo}7b.KH#|ف*;^ޞEщ6 6 y1w3rNp u8|2{p6jZUw AWYVpEa¸:Ư9 Q t0d+b2U٥oZ>)8:綢_E|ُ)Ux rb7GJsӞR{lH=%/ܱ9m OCwVⴜ. ^،#-y\==qtNryf (2QkaJZ2e:]=^tH}Y%f%]ESrEH@`PR擛!K#֮c5$B6'O7QYY"!y> 4=+&*OC[!;'LUK_)(cyD:D_1rPg#ݖQvy'ox. :*RYbf8)",Wd\QC\ VK{c@[X$:=x߾~ް李 *gCE=K>&\gxy:O#/OEY5ujim8Za_Nx0#=(Bf6`B;5/2ҽjKJյ{asl1HuM%/*XK,fCB`0qR$+_-+NdOMuo> 9Ѣk#2=E:-mJ -$",w-Mq MMЉ|SlTiYM:K[\xq`}&IbLiH K㽋,hzMA* @1 -F|=ȣ֤;+GBxnʝt`^1Z{64*pnlڭayI$ I=2SM*alI ugOUL$RX?a@o/NŷXv)|3BK aY Zd=E%*PVqrVv1cHȍRY1*',,&WyPb%NG2e$MPLfAƆ8y [xH(& ޫJު^а0`ٳceU%)Ҕ, I vL-md}rL3p/ZaM R1TQ$x?| [T@K6ylu|1H1&|39;U5=VYݪXd5#7-<?hbC`L!?YVҤ<7|9]\ PnA+G#zh`$\:DYM0E#C9pWoJDhO7&"P8%pͫX^#W~v*- FAH\_4% JmfOq\,8` eP~UA@l7 _-%)JD$}BQY;BB_- L%܅Mr8ϰ4for;ugqep{kR(Аj )RF!+505#\Dp"k/xϥF' B4!U_\s0~S :&PҞKB:zuL璾ו|hd.գx"ӑrX̷qVfKjf<5ޮ__rwp.$hqn֚&>S-[.j3m3wdFX~.a<{7&S i RL 6?+_x ys4OR'Z^!R[5{wMS3+R)_\Qr-%c Z"B“57~˯-&Av ^GiHc Ŗ=pKk_^}It-.Zv~[(|V6Oz.!2r)cWXlGM"JU;yf6%ա v|" ic-M[NhYhɆ[M-L03+=VM0h9rیC ] YZ