wpa_supplicant-gui-2.10-150500.3.3.1<>,c\eܲp9|`.'d'5;&*}3Dץ1i͝`g߱IuQc\QMo8PZNh@\l HoI0+=3wMsokYisѼsOkUᅨm&A nD ˓IIF)4k*eAO٭3W/[ hTJ˳BF#9hDV`5xaDHJ`?UtO\txqI>>?d ' J , BNkq|      *4`hv(8*9T*: *FGHIXY\ ](^=b]cdefluvwxyz8HLRCwpa_supplicant-gui2.10150500.3.3.1WPA supplicant graphical front-endThis package contains a graphical front-end to wpa_supplicant, an implementation of the WPA Supplicant component.eܲh04-armsrv2 SUSE Linux Enterprise 15SUSE LLC BSD-3-Clause AND GPL-2.0-or-laterhttps://www.suse.com/Unspecifiedhttps://w1.fi/wpa_supplicantlinuxaarch64 큤eܲeܲ2d08b3e426c99d3a0ebf007ce7a88ba3c45fb493b459e24b2e5989411b461b1cd57783ead2cca37539bf8b5c4a81b8105c2970de177652fe1a027433593467aarootrootrootrootwpa_supplicant-2.10-150500.3.3.1.src.rpmwpa_supplicant-guiwpa_supplicant-gui(aarch-64)@@@@@@@@@@@@@@@@@@    ld-linux-aarch64.so.1()(64bit)ld-linux-aarch64.so.1(GLIBC_2.17)(64bit)libQt5Core.so.5()(64bit)libQt5Core.so.5(Qt_5)(64bit)libQt5Gui.so.5()(64bit)libQt5Gui.so.5(Qt_5)(64bit)libQt5Widgets.so.5()(64bit)libQt5Widgets.so.5(Qt_5)(64bit)libc.so.6()(64bit)libc.so.6(GLIBC_2.17)(64bit)libgcc_s.so.1()(64bit)libgcc_s.so.1(GCC_3.0)(64bit)libpthread.so.0()(64bit)libpthread.so.0(GLIBC_2.17)(64bit)libstdc++.so.6()(64bit)libstdc++.so.6(CXXABI_1.3)(64bit)libstdc++.so.6(CXXABI_1.3.9)(64bit)libstdc++.so.6(GLIBCXX_3.4)(64bit)rpmlib(CompressedFileNames)rpmlib(FileDigests)rpmlib(PayloadFilesHavePrefix)rpmlib(PayloadIsXz)wpa_supplicant3.0.4-14.6.0-14.0-15.2-14.14.3e}@c@b@b@`lM@`?z@`:4@`_|\@_i@_i@^@^@^|@^|@^Y]]>[<@[[ā@[[;@[@[QY@X@X]W@VU@VŲ@V`V=@UKSUCjU8U'@U/@TBV@cfamullaconrad@suse.comcfamullaconrad@suse.comcfamullaconrad@suse.comcfamullaconrad@suse.comcfamullaconrad@suse.comcfamullaconrad@suse.comcfamullaconrad@suse.comcfamullaconrad@suse.comsp1ritCS@protonmail.comcfamullaconrad@suse.comsongchuan.kang@suse.comcfamullaconrad@suse.combwiedemann@suse.comcfamullaconrad@suse.comilya@ilya.pp.uatchvatal@suse.comtchvatal@suse.comilya@ilya.pp.uailya@ilya.pp.uakbabioch@suse.comro@suse.dekbabioch@suse.comkbabioch@suse.comkbabioch@suse.comro@suse.demeissner@suse.comobs@botter.ccdwaas@suse.commeissner@suse.comtchvatal@suse.comlnussel@suse.decrrodriguez@opensuse.orgcrrodriguez@opensuse.orgcrrodriguez@opensuse.orglnussel@suse.demichael@stroeder.comro@suse.dezaitor@opensuse.orgcrrodriguez@opensuse.orgstefan.bruens@rwth-aachen.destefan.bruens@rwth-aachen.destefan.bruens@rwth-aachen.de- Add CVE-2023-52160.patch - Bypassing WiFi Authentication (bsc#1219975) - Change ctrl_interface from /var/run to %_rundir (/run)- update to 2.10.0: jsc#PED-2904 * SAE changes - improved protection against side channel attacks [https://w1.fi/security/2022-1/] - added support for the hash-to-element mechanism (sae_pwe=1 or sae_pwe=2); this is currently disabled by default, but will likely get enabled by default in the future - fixed PMKSA caching with OKC - added support for SAE-PK * EAP-pwd changes - improved protection against side channel attacks [https://w1.fi/security/2022-1/] * fixed P2P provision discovery processing of a specially constructed invalid frame [https://w1.fi/security/2021-1/] * fixed P2P group information processing of a specially constructed invalid frame [https://w1.fi/security/2020-2/] * fixed PMF disconnection protection bypass in AP mode [https://w1.fi/security/2019-7/] * added support for using OpenSSL 3.0 * increased the maximum number of EAP message exchanges (mainly to support cases with very large certificates) * fixed various issues in experimental support for EAP-TEAP peer * added support for DPP release 2 (Wi-Fi Device Provisioning Protocol) * a number of MKA/MACsec fixes and extensions * added support for SAE (WPA3-Personal) AP mode configuration * added P2P support for EDMG (IEEE 802.11ay) channels * fixed EAP-FAST peer with TLS GCM/CCM ciphers * improved throughput estimation and BSS selection * dropped support for libnl 1.1 * added support for nl80211 control port for EAPOL frame TX/RX * fixed OWE key derivation with groups 20 and 21; this breaks backwards compatibility for these groups while the default group 19 remains backwards compatible * added support for Beacon protection * added support for Extended Key ID for pairwise keys * removed WEP support from the default build (CONFIG_WEP=y can be used to enable it, if really needed) * added a build option to remove TKIP support (CONFIG_NO_TKIP=y) * added support for Transition Disable mechanism to allow the AP to automatically disable transition mode to improve security * extended D-Bus interface * added support for PASN * added a file-based backend for external password storage to allow secret information to be moved away from the main configuration file without requiring external tools * added EAP-TLS peer support for TLS 1.3 (disabled by default for now) * added support for SCS, MSCS, DSCP policy * changed driver interface selection to default to automatic fallback to other compiled in options * a large number of other fixes, cleanup, and extensions - drop wpa_supplicant-p2p_iname_size.diff, CVE-2021-30004.patch, CVE-2021-27803.patch, CVE-2021-0326.patch, CVE-2019-16275.patch, CVE-2022-23303_0001.patch, CVE-2022-23303_0002.patch, CVE-2022-23303_0003.patch, CVE-2022-23303_0004.patch: upstream - drop restore-old-dbus-interface.patch, wicked has been switching to the new dbus interface in version 0.6.66 - config: * re-enable CONFIG_WEP * enable QCA vendor extensions to nl80211 * enable support for Automatic Channel Selection * enable OCV, security feature that prevents MITM multi-channel attacks * enable QCA vendor extensions to nl80211 * enable EAP-EKE * Support HT overrides * TLS v1.1 and TLS v1.2 * Fast Session Transfer (FST) * Automatic Channel Selection * Multi Band Operation * Fast Initial Link Setup * Mesh Networking (IEEE 802.11s) - Add dbus-Fix-property-DebugShowKeys-and-DebugTimestamp.patch (bsc#1201219) - Move the dbus-1 system.d file to /usr (bsc#1200342) - Added hardening to systemd service(s) (bsc#1181400). Modified: * wpa_supplicant.service - drop wpa_supplicant-getrandom.patch : glibc has been updated so the getrandom() wrapper is now there - Sync wpa_supplicant.spec with Factory- Enable WPA3-Enterprise (SuiteB-192) support.- Add CVE-2022-23303_0001.patch, CVE-2022-23303_0002.patch, CVE-2022-23303_0003.patch, CVE-2022-23303_0004.patch SAE/EAP-pwd side-channel attack update 2 (CVE-2022-23303, CVE-2022-23304, bsc#1194732, bsc#1194733)- Add CVE-2021-30004.patch -- forging attacks may occur because AlgorithmIdentifier parameters are mishandled in tls/pkcs1.c and tls/x509v3.c (bsc#1184348)- Fix systemd device ready dependencies in wpa_supplicant@.service file. (see: https://forums.opensuse.org/showthread.php/547186-wpa_supplicant-service-fails-on-boot-succeeds-on-restart?p=2982844#post2982844)- Add CVE-2021-27803.patch -- P2P provision discovery processing vulnerability (bsc#1182805)- Add CVE-2021-0326.patch -- P2P group information processing vulnerability (bsc#1181777)- Add wpa_supplicant-p2p_iname_size.diff -- Limit P2P_DEVICE name to appropriate ifname size (https://patchwork.ozlabs.org/project/hostap/patch/20200825062902.124600-1-benjamin@sipsolutions.net/)- Fix spec file for SLE12, use make %{?_smp_mflags} instead of %make_build- Enable SAE support(jsc#SLE-14992).- Add CVE-2019-16275.patch -- AP mode PMF disconnection protection bypass (bsc#1150934)- Add restore-old-dbus-interface.patch to fix wicked wlan (boo#1156920) - Restore fi.epitest.hostap.WPASupplicant.service (bsc#1167331)- With v2.9 fi.epitest.hostap.WPASupplicant.service is obsolete (bsc#1167331)- Change wpa_supplicant.service to ensure wpa_supplicant gets started before network. Fix WLAN config on boot with wicked. (boo#1166933)- Adjust the service to start after network.target wrt bsc#1165266- Update to 2.9 release: * SAE changes - disable use of groups using Brainpool curves - improved protection against side channel attacks [https://w1.fi/security/2019-6/] * EAP-pwd changes - disable use of groups using Brainpool curves - allow the set of groups to be configured (eap_pwd_groups) - improved protection against side channel attacks [https://w1.fi/security/2019-6/] * fixed FT-EAP initial mobility domain association using PMKSA caching (disabled by default for backwards compatibility; can be enabled with ft_eap_pmksa_caching=1) * fixed a regression in OpenSSL 1.1+ engine loading * added validation of RSNE in (Re)Association Response frames * fixed DPP bootstrapping URI parser of channel list * extended EAP-SIM/AKA fast re-authentication to allow use with FILS * extended ca_cert_blob to support PEM format * improved robustness of P2P Action frame scheduling * added support for EAP-SIM/AKA using anonymous@realm identity * fixed Hotspot 2.0 credential selection based on roaming consortium to ignore credentials without a specific EAP method * added experimental support for EAP-TEAP peer (RFC 7170) * added experimental support for EAP-TLS peer with TLS v1.3 * fixed a regression in WMM parameter configuration for a TDLS peer * fixed a regression in operation with drivers that offload 802.1X 4-way handshake * fixed an ECDH operation corner case with OpenSSL * SAE changes - added support for SAE Password Identifier - changed default configuration to enable only groups 19, 20, 21 (i.e., disable groups 25 and 26) and disable all unsuitable groups completely based on REVmd changes - do not regenerate PWE unnecessarily when the AP uses the anti-clogging token mechanisms - fixed some association cases where both SAE and FT-SAE were enabled on both the station and the selected AP - started to prefer FT-SAE over SAE AKM if both are enabled - started to prefer FT-SAE over FT-PSK if both are enabled - fixed FT-SAE when SAE PMKSA caching is used - reject use of unsuitable groups based on new implementation guidance in REVmd (allow only FFC groups with prime >= 3072 bits and ECC groups with prime >= 256) - minimize timing and memory use differences in PWE derivation [https://w1.fi/security/2019-1/] (CVE-2019-9494, bsc#1131868) * EAP-pwd changes - minimize timing and memory use differences in PWE derivation [https://w1.fi/security/2019-2/] (CVE-2019-9495, bsc#1131870) - verify server scalar/element [https://w1.fi/security/2019-4/] (CVE-2019-9497, CVE-2019-9498, CVE-2019-9499, bsc#1131874, bsc#1131872, bsc#1131871, bsc#1131644) - fix message reassembly issue with unexpected fragment [https://w1.fi/security/2019-5/] (CVE-2019-11555, bsc#1133640) - enforce rand,mask generation rules more strictly - fix a memory leak in PWE derivation - disallow ECC groups with a prime under 256 bits (groups 25, 26, and 27) - SAE/EAP-pwd side-channel attack update [https://w1.fi/security/2019-6/] (CVE-2019-13377, bsc#1144443) * fixed CONFIG_IEEE80211R=y (FT) build without CONFIG_FILS=y * Hotspot 2.0 changes - do not indicate release number that is higher than the one AP supports - added support for release number 3 - enable PMF automatically for network profiles created from credentials * fixed OWE network profile saving * fixed DPP network profile saving * added support for RSN operating channel validation (CONFIG_OCV=y and network profile parameter ocv=1) * added Multi-AP backhaul STA support * fixed build with LibreSSL * number of MKA/MACsec fixes and extensions * extended domain_match and domain_suffix_match to allow list of values * fixed dNSName matching in domain_match and domain_suffix_match when using wolfSSL * started to prefer FT-EAP-SHA384 over WPA-EAP-SUITE-B-192 AKM if both are enabled * extended nl80211 Connect and external authentication to support SAE, FT-SAE, FT-EAP-SHA384 * fixed KEK2 derivation for FILS+FT * extended client_cert file to allow loading of a chain of PEM encoded certificates * extended beacon reporting functionality * extended D-Bus interface with number of new properties * fixed a regression in FT-over-DS with mac80211-based drivers * OpenSSL: allow systemwide policies to be overridden * extended driver flags indication for separate 802.1X and PSK 4-way handshake offload capability * added support for random P2P Device/Interface Address use * extended PEAP to derive EMSK to enable use with ERP/FILS * extended WPS to allow SAE configuration to be added automatically for PSK (wps_cred_add_sae=1) * removed support for the old D-Bus interface (CONFIG_CTRL_IFACE_DBUS) * extended domain_match and domain_suffix_match to allow list of values * added a RSN workaround for misbehaving PMF APs that advertise IGTK/BIP KeyID using incorrect byte order * fixed PTK rekeying with FILS and FT * fixed WPA packet number reuse with replayed messages and key reinstallation [https://w1.fi/security/2017-1/] (CVE-2017-13077, CVE-2017-13078, CVE-2017-13079, CVE-2017-13080, CVE-2017-13081, CVE-2017-13082, CVE-2017-13086, CVE-2017-13087, CVE-2017-13088) * fixed unauthenticated EAPOL-Key decryption in wpa_supplicant [https://w1.fi/security/2018-1/] (CVE-2018-14526) * added support for FILS (IEEE 802.11ai) shared key authentication * added support for OWE (Opportunistic Wireless Encryption, RFC 8110; and transition mode defined by WFA) * added support for DPP (Wi-Fi Device Provisioning Protocol) * added support for RSA 3k key case with Suite B 192-bit level * fixed Suite B PMKSA caching not to update PMKID during each 4-way handshake * fixed EAP-pwd pre-processing with PasswordHashHash * added EAP-pwd client support for salted passwords * fixed a regression in TDLS prohibited bit validation * started to use estimated throughput to avoid undesired signal strength based roaming decision * MACsec/MKA: - new macsec_linux driver interface support for the Linux kernel macsec module - number of fixes and extensions * added support for external persistent storage of PMKSA cache (PMKSA_GET/PMKSA_ADD control interface commands; and MESH_PMKSA_GET/MESH_PMKSA_SET for the mesh case) * fixed mesh channel configuration pri/sec switch case * added support for beacon report * large number of other fixes, cleanup, and extensions * added support for randomizing local address for GAS queries (gas_rand_mac_addr parameter) * fixed EAP-SIM/AKA/AKA' ext auth cases within TLS tunnel * added option for using random WPS UUID (auto_uuid=1) * added SHA256-hash support for OCSP certificate matching * fixed EAP-AKA' to add AT_KDF into Synchronization-Failure * fixed a regression in RSN pre-authentication candidate selection * added option to configure allowed group management cipher suites (group_mgmt network profile parameter) * removed all PeerKey functionality * fixed nl80211 AP and mesh mode configuration regression with Linux 4.15 and newer * added ap_isolate configuration option for AP mode * added support for nl80211 to offload 4-way handshake into the driver * added support for using wolfSSL cryptographic library * SAE - added support for configuring SAE password separately of the WPA2 PSK/passphrase - fixed PTK and EAPOL-Key integrity and key-wrap algorithm selection for SAE; note: this is not backwards compatible, i.e., both the AP and station side implementations will need to be update at the same time to maintain interoperability - added support for Password Identifier - fixed FT-SAE PMKID matching * Hotspot 2.0 - added support for fetching of Operator Icon Metadata ANQP-element - added support for Roaming Consortium Selection element - added support for Terms and Conditions - added support for OSEN connection in a shared RSN BSS - added support for fetching Venue URL information * added support for using OpenSSL 1.1.1 * FT - disabled PMKSA caching with FT since it is not fully functional - added support for SHA384 based AKM - added support for BIP ciphers BIP-CMAC-256, BIP-GMAC-128, BIP-GMAC-256 in addition to previously supported BIP-CMAC-128 - fixed additional IE inclusion in Reassociation Request frame when using FT protocol - Drop merged patches: * rebased-v2.6-0001-hostapd-Avoid-key-reinstallation-in-FT-handshake.patch * rebased-v2.6-0002-Prevent-reinstallation-of-an-already-in-use-group-ke.patch * rebased-v2.6-0003-Extend-protection-of-GTK-IGTK-reinstallation-of-WNM-.patch * rebased-v2.6-0004-Prevent-installation-of-an-all-zero-TK.patch * rebased-v2.6-0005-Fix-PTK-rekeying-to-generate-a-new-ANonce.patch * rebased-v2.6-0006-TDLS-Reject-TPK-TK-reconfiguration.patch * rebased-v2.6-0007-WNM-Ignore-WNM-Sleep-Mode-Response-without-pending-r.patch * rebased-v2.6-0008-FT-Do-not-allow-multiple-Reassociation-Response-fram.patch * rebased-v2.6-0009-WPA-Ignore-unauthenticated-encrypted-EAPOL-Key-data.patch * wpa_supplicant-bnc-1099835-fix-private-key-password.patch * wpa_supplicant-bnc-1099835-clear-default_passwd_cb.patch * wpa_supplicant-log-file-permission.patch * wpa_supplicant-log-file-cloexec.patch * wpa_supplicant-git-fa67debf4c6ddbc881a212b175faa6d5d0d90c8c.patch * wpa_supplicant-git-f5b74b966c942feb95a8ddbb7d130540b15b796d.patch - Rebase patches: * wpa_supplicant-getrandom.patch- Refresh spec-file via spec-cleaner and manual optimizations. * Change URL and Source0 to actual project homepage. * Remove macro %{?systemd_requires} and rm (not needed). * Add %autopatch macro. * Add %make_build macro. - Chenged patch wpa_supplicant-flush-debug-output.patch (to -p1). - Changed service-files for start after network (systemd-networkd).- Refresh spec-file: add %license tag.- Renamed patches: - wpa-supplicant-log-file-permission.patch -> wpa_supplicant-log-file-permission.patch - wpa-supplicant-log-file-cloexec.patch -> wpa_supplicant-log-file-cloexec.patch - wpa_supplicant-log-file-permission.patch: Using O_WRONLY flag - Enabled timestamps in log files (bsc#1080798)- compile eapol_test binary to allow testing via radius proxy and server (note: this does not match CONFIG_EAPOL_TEST which sets -Werror and activates an assert call inside the code of wpa_supplicant) (bsc#1111873), (fate#326725) - add patch to fix wrong operator precedence in ieee802_11.c wpa_supplicant-git-fa67debf4c6ddbc881a212b175faa6d5d0d90c8c.patch - add patch to avoid redefinition of __bitwise macro wpa_supplicant-git-f5b74b966c942feb95a8ddbb7d130540b15b796d.patch- Added wpa-supplicant-log-file-permission.patch: Fixes the default file permissions of the debug log file to more sane values, i.e. it is no longer world-readable (bsc#1098854). - Added wpa-supplicant-log-file-cloexec.patch: Open the debug log file with O_CLOEXEC, which will prevent file descriptor leaking to child processes (bsc#1098854).- Added rebased-v2.6-0009-WPA-Ignore-unauthenticated-encrypted-EAPOL-Key-data.patch: Ignore unauthenticated encrypted EAPOL-Key data (CVE-2018-14526, bsc#1104205).- Enabled PWD as EAP method. This allows for password-based authentication, which is easier to setup than most of the other methods, and is used by the Eduroam network (bsc#1109209).- add two patches from upstream to fix reading private key passwords from the configuration file (bsc#1099835) - add patch for git 89971d8b1e328a2f79699c953625d1671fd40384 wpa_supplicant-bnc-1099835-clear-default_passwd_cb.patch - add patch for git f665c93e1d28fbab3d9127a8c3985cc32940824f wpa_supplicant-bnc-1099835-fix-private-key-password.patch- Fix KRACK attacks (bsc#1056061, CVE-2017-13078, CVE-2017-13079, CVE-2017-13080, CVE-2017-13081, CVE-2017-13087, CVE-2017-13088): - rebased-v2.6-0001-hostapd-Avoid-key-reinstallation-in-FT-handshake.patch - rebased-v2.6-0002-Prevent-reinstallation-of-an-already-in-use-group-ke.patch - rebased-v2.6-0003-Extend-protection-of-GTK-IGTK-reinstallation-of-WNM-.patch - rebased-v2.6-0004-Prevent-installation-of-an-all-zero-TK.patch - rebased-v2.6-0005-Fix-PTK-rekeying-to-generate-a-new-ANonce.patch - rebased-v2.6-0006-TDLS-Reject-TPK-TK-reconfiguration.patch - rebased-v2.6-0007-WNM-Ignore-WNM-Sleep-Mode-Response-without-pending-r.patch - rebased-v2.6-0008-FT-Do-not-allow-multiple-Reassociation-Response-fram.patch- fix wpa_supplicant-sigusr1-changes-debuglevel.patch to match eloop_signal_handler type (needed to build eapol_test via config)- Added .service files that accept interfaces as %i arguments so it's possible to call the daemon with: "systemctl start wpa_supplicant@$INTERFACE_NAME.service" (like openvpn for example)- updated to 2.6 / 2016-10-02 * fixed WNM Sleep Mode processing when PMF is not enabled [http://w1.fi/security/2015-6/] (CVE-2015-5310 bsc#952254) * fixed EAP-pwd last fragment validation [http://w1.fi/security/2015-7/] (CVE-2015-5315 bsc#953115) * fixed EAP-pwd unexpected Confirm message processing [http://w1.fi/security/2015-8/] (CVE-2015-5316 bsc#953115) * fixed WPS configuration update vulnerability with malformed passphrase [http://w1.fi/security/2016-1/] (CVE-2016-4476 bsc#978172) * fixed configuration update vulnerability with malformed parameters set over the local control interface [http://w1.fi/security/2016-1/] (CVE-2016-4477 bsc#978175) * fixed TK configuration to the driver in EAPOL-Key 3/4 retry case * extended channel switch support for P2P GO * started to throttle control interface event message bursts to avoid issues with monitor sockets running out of buffer space * mesh mode fixes/improvements - generate proper AID for peer - enable WMM by default - add VHT support - fix PMKID derivation - improve robustness on various exchanges - fix peer link counting in reconnect case - improve mesh joining behavior - allow DTIM period to be configured - allow HT to be disabled (disable_ht=1) - add MESH_PEER_ADD and MESH_PEER_REMOVE commands - add support for PMKSA caching - add minimal support for SAE group negotiation - allow pairwise/group cipher to be configured in the network profile - use ieee80211w profile parameter to enable/disable PMF and derive a separate TX IGTK if PMF is enabled instead of using MGTK incorrectly - fix AEK and MTK derivation - remove GTKdata and IGTKdata from Mesh Peering Confirm/Close - note: these changes are not fully backwards compatible for secure (RSN) mesh network * fixed PMKID derivation with SAE * added support for requesting and fetching arbitrary ANQP-elements without internal support in wpa_supplicant for the specific element (anqp[265]= in "BSS " command output) * P2P - filter control characters in group client device names to be consistent with other P2P peer cases - support VHT 80+80 MHz and 160 MHz - indicate group completion in P2P Client role after data association instead of already after the WPS provisioning step - improve group-join operation to use SSID, if known, to filter BSS entries - added optional ssid= argument to P2P_CONNECT for join case - added P2P_GROUP_MEMBER command to fetch client interface address * P2PS - fix follow-on PD Response behavior - fix PD Response generation for unknown peer - fix persistent group reporting - add channel policy to PD Request - add group SSID to the P2PS-PROV-DONE event - allow "P2P_CONNECT p2ps" to be used without specifying the default PIN * BoringSSL - support for OCSP stapling - support building of h20-osu-client * D-Bus - add ExpectDisconnect() - add global config parameters as properties - add SaveConfig() - add VendorElemAdd(), VendorElemGet(), VendorElemRem() * fixed Suite B 192-bit AKM to use proper PMK length (note: this makes old releases incompatible with the fixed behavior) * improved PMF behavior for cases where the AP and STA has different configuration by not trying to connect in some corner cases where the connection cannot succeed * added option to reopen debug log (e.g., to rotate the file) upon receipt of SIGHUP signal * EAP-pwd: added support for Brainpool Elliptic Curves (with OpenSSL 1.0.2 and newer) * fixed EAPOL reauthentication after FT protocol run * fixed FTIE generation for 4-way handshake after FT protocol run * extended INTERFACE_ADD command to allow certain type (sta/ap) interface to be created * fixed and improved various FST operations * added 80+80 MHz and 160 MHz VHT support for IBSS/mesh * fixed SIGNAL_POLL in IBSS and mesh cases * added an option to abort an ongoing scan (used to speed up connection and can also be done with the new ABORT_SCAN command) * TLS client - do not verify CA certificates when ca_cert is not specified - support validating server certificate hash - support SHA384 and SHA512 hashes - add signature_algorithms extension into ClientHello - support TLS v1.2 signature algorithm with SHA384 and SHA512 - support server certificate probing - allow specific TLS versions to be disabled with phase2 parameter - support extKeyUsage - support PKCS #5 v2.0 PBES2 - support PKCS #5 with PKCS #12 style key decryption - minimal support for PKCS #12 - support OCSP stapling (including ocsp_multi) * OpenSSL - support OpenSSL 1.1 API changes - drop support for OpenSSL 0.9.8 - drop support for OpenSSL 1.0.0 * added support for multiple schedule scan plans (sched_scan_plans) * added support for external server certificate chain validation (tls_ext_cert_check=1 in the network profile phase1 parameter) * made phase2 parser more strict about correct use of auth= and autheap= values * improved GAS offchannel operations with comeback request * added SIGNAL_MONITOR command to request signal strength monitoring events * added command for retrieving HS 2.0 icons with in-memory storage (REQ_HS20_ICON, GET_HS20_ICON, DEL_HS20_ICON commands and RX-HS20-ICON event) * enabled ACS support for AP mode operations with wpa_supplicant * EAP-PEAP: fixed interoperability issue with Windows 2012r2 server ("Invalid Compound_MAC in cryptobinding TLV") * EAP-TTLS: fixed success after fragmented final Phase 2 message * VHT: added interoperability workaround for 80+80 and 160 MHz channels * WNM: workaround for broken AP operating class behavior * added kqueue(2) support for eloop (CONFIG_ELOOP_KQUEUE) * nl80211: - add support for full station state operations - do not add NL80211_ATTR_SMPS_MODE attribute if HT is disabled - add NL80211_ATTR_PREV_BSSID with Connect command - fix IEEE 802.1X/WEP EAP reauthentication and rekeying to use unencrypted EAPOL frames * added initial MBO support; number of extensions to WNM BSS Transition Management * added support for PBSS/PCP and P2P on 60 GHz * Interworking: add credential realm to EAP-TLS identity * fixed EAPOL-Key Request Secure bit to be 1 if PTK is set * HS 2.0: add support for configuring frame filters * added POLL_STA command to check connectivity in AP mode * added initial functionality for location related operations * started to ignore pmf=1/2 parameter for non-RSN networks * added wps_disabled=1 network profile parameter to allow AP mode to be started without enabling WPS * wpa_cli: added action script support for AP-ENABLED and AP-DISABLED events * improved Public Action frame addressing - add gas_address3 configuration parameter to control Address 3 behavior * number of small fixes - wpa_supplicant-dump-certificate-as-PEM-in-debug-mode.diff: dump x509 certificates from remote radius server in debug mode in WPA-EAP.- Remove support for <12.3 as we are unresolvable there anyway - Use qt5 on 13.2 if someone pulls this package in - Convert to pkgconfig dependencies over the devel pkgs - Use the %qmake5 macro to build the qt5 gui- add After=dbus.service to prevent too early shutdown (bnc#963652)- Revert CONFIG_ELOOP_EPOLL=y, it is broken in combination with CONFIG_DBUS=yes.- spec: Compile the GUI against QT5 in 13.2 and later.- Previous update did not include version 2.5 tarball or changed the version number in spec, only the changelog and removed patches. - config: set CONFIG_NO_RANDOM_POOL=y, we have a reliable· random number generator by using /dev/urandom, no need to keep an internal random number pool which draws entropy from /dev/random. - config: prefer using epoll(7) instead of select(2) by setting CONFIG_ELOOP_EPOLL=y - wpa_supplicant-getrandom.patch: Prefer to use the getrandom(2) system call to collect entropy. if it is not present disable buffering when reading /dev/urandom, otherwise each os_get_random() call will request BUFSIZ of entropy instead of the few needed bytes.- add aliases for both provided dbus names to avoid systemd stopping the service when switching runlevels (boo#966535)- removed obsolete security patches: * 0001-P2P-Validate-SSID-element-length-before-copying-it-C.patch * 0001-WPS-Fix-HTTP-chunked-transfer-encoding-parser.patch * 0001-AP-WMM-Fix-integer-underflow-in-WMM-Action-frame-par.patch * 0001-EAP-pwd-peer-Fix-payload-length-validation-for-Commi.patch * wpa_s-D-Bus-Fix-operations-when-P2P-management-interface-is-used.patch * 0002-EAP-pwd-server-Fix-payload-length-validation-for-Com.patch * 0003-EAP-pwd-peer-Fix-Total-Length-parsing-for-fragment-r.patch * 0004-EAP-pwd-server-Fix-Total-Length-parsing-for-fragment.patch * 0005-EAP-pwd-peer-Fix-asymmetric-fragmentation-behavior.patch - Update to upstream release 2.5 * fixed P2P validation of SSID element length before copying it [http://w1.fi/security/2015-1/] (CVE-2015-1863) * fixed WPS UPnP vulnerability with HTTP chunked transfer encoding [http://w1.fi/security/2015-2/] (CVE-2015-4141) * fixed WMM Action frame parser (AP mode) [http://w1.fi/security/2015-3/] (CVE-2015-4142) * fixed EAP-pwd peer missing payload length validation [http://w1.fi/security/2015-4/] (CVE-2015-4143, CVE-2015-4144, CVE-2015-4145, CVE-2015-4146) * fixed validation of WPS and P2P NFC NDEF record payload length [http://w1.fi/security/2015-5/] (CVE-2015-8041) * nl80211: - added VHT configuration for IBSS - fixed vendor command handling to check OUI properly - allow driver-based roaming to change ESS * added AVG_BEACON_RSSI to SIGNAL_POLL output * wpa_cli: added tab completion for number of commands * removed unmaintained and not yet completed SChannel/CryptoAPI support * modified Extended Capabilities element use in Probe Request frames to include all cases if any of the values are non-zero * added support for dynamically creating/removing a virtual interface with interface_add/interface_remove * added support for hashed password (NtHash) in EAP-pwd peer * added support for memory-only PSK/passphrase (mem_only_psk=1 and CTRL-REQ/RSP-PSK_PASSPHRASE) * P2P - optimize scan frequencies list when re-joining a persistent group - fixed number of sequences with nl80211 P2P Device interface - added operating class 125 for P2P use cases (this allows 5 GHz channels 161 and 169 to be used if they are enabled in the current regulatory domain) - number of fixes to P2PS functionality - do not allow 40 MHz co-ex PRI/SEC switch to force MCC - extended support for preferred channel listing * D-Bus: - fixed WPS property of fi.w1.wpa_supplicant1.BSS interface - fixed PresenceRequest to use group interface - added new signals: FindStopped, WPS pbc-overlap, GroupFormationFailure, WPS timeout, InvitationReceived - added new methods: WPS Cancel, P2P Cancel, Reconnect, RemoveClient - added manufacturer info * added EAP-EKE peer support for deriving Session-Id * added wps_priority configuration parameter to set the default priority for all network profiles added by WPS * added support to request a scan with specific SSIDs with the SCAN command (optional "ssid " arguments) * removed support for WEP40/WEP104 as a group cipher with WPA/WPA2 * fixed SAE group selection in an error case * modified SAE routines to be more robust and PWE generation to be stronger against timing attacks * added support for Brainpool Elliptic Curves with SAE * added support for CCMP-256 and GCMP-256 as group ciphers with FT * fixed BSS selection based on estimated throughput * added option to disable TLSv1.0 with OpenSSL (phase1="tls_disable_tlsv1_0=1") * added Fast Session Transfer (FST) module * fixed OpenSSL PKCS#12 extra certificate handling * fixed key derivation for Suite B 192-bit AKM (this breaks compatibility with the earlier version) * added RSN IE to Mesh Peering Open/Confirm frames * number of small fixes- added patch for bnc#930077 CVE-2015-4141 0001-AP-WMM-Fix-integer-underflow-in-WMM-Action-frame-par.patch - added patch for bnc#930078 CVE-2015-4142 0001-WPS-Fix-HTTP-chunked-transfer-encoding-parser.patch - added patches for bnc#930079 CVE-2015-4143 0001-EAP-pwd-peer-Fix-payload-length-validation-for-Commi.patch 0002-EAP-pwd-server-Fix-payload-length-validation-for-Com.patch 0003-EAP-pwd-peer-Fix-Total-Length-parsing-for-fragment-r.patch 0004-EAP-pwd-server-Fix-Total-Length-parsing-for-fragment.patch 0005-EAP-pwd-peer-Fix-asymmetric-fragmentation-behavior.patch- Add wpa_s-D-Bus-Fix-operations-when-P2P-management-interface-is-used.patch Fix Segmentation fault in wpa_supplicant. Patch taken from upstream master git (arch#44740).- 0001-P2P-Validate-SSID-element-length-before-copying-it-C.patch Fix CVE-2015-1863, memcpy overflow. - wpa_supplicant-alloc_size.patch: annotate two wrappers with attribute alloc_size, which may help warning us of bugs such as the above.- Delete wpa_priv and eapol_test man pages, these are disabled in config - Move wpa_gui man page to gui package- Update to 2.4 * allow OpenSSL cipher configuration to be set for internal EAP server (openssl_ciphers parameter) * fixed number of small issues based on hwsim test case failures and static analyzer reports * P2P: - add new=<0/1> flag to P2P-DEVICE-FOUND events - add passive channels in invitation response from P2P Client - enable nl80211 P2P_DEVICE support by default - fix regresssion in disallow_freq preventing search on social channels - fix regressions in P2P SD query processing - try to re-invite with social operating channel if no common channels in invitation - allow cross connection on parent interface (this fixes number of use cases with nl80211) - add support for P2P services (P2PS) - add p2p_go_ctwindow configuration parameter to allow GO CTWindow to be configured * increase postponing of EAPOL-Start by one second with AP/GO that supports WPS 2.0 (this makes it less likely to trigger extra roundtrip of identity frames) * add support for PMKSA caching with SAE * add support for control mesh BSS (IEEE 802.11s) operations * fixed number of issues with D-Bus P2P commands * fixed regression in ap_scan=2 special case for WPS * fixed macsec_validate configuration * add a workaround for incorrectly behaving APs that try to use EAPOL-Key descriptor version 3 when the station supports PMF even if PMF is not enabled on the AP * allow TLS v1.1 and v1.2 to be negotiated by default; previous behavior of disabling these can be configured to work around issues with broken servers with phase1="tls_disable_tlsv1_1=1 tls_disable_tlsv1_2=1" * add support for Suite B (128-bit and 192-bit level) key management and cipher suites * add WMM-AC support (WMM_AC_ADDTS/WMM_AC_DELTS) * improved BSS Transition Management processing * add support for neighbor report * add support for link measurement * fixed expiration of BSS entry with all-zeros BSSID * add optional LAST_ID=x argument to LIST_NETWORK to allow all configured networks to be listed even with huge number of network profiles * add support for EAP Re-Authentication Protocol (ERP) * fixed EAP-IKEv2 fragmentation reassembly * improved PKCS#11 configuration for OpenSSL * set stdout to be line-buffered * add TDLS channel switch configuration * add support for MAC address randomization in scans with nl80211 * enable HT for IBSS if supported by the driver * add BSSID black and white lists (bssid_blacklist, bssid_whitelist) * add support for domain_suffix_match with GnuTLS * add OCSP stapling client support with GnuTLS * include peer certificate in EAP events even without a separate probe operation; old behavior can be restored with cert_in_cb=0 * add peer ceritficate alt subject name to EAP events (CTRL-EVENT-EAP-PEER-ALT) * add domain_match network profile parameter (similar to domain_suffix_match, but full match is required) * enable AP/GO mode HT Tx STBC automatically based on driver support * add ANQP-QUERY-DONE event to provide information on ANQP parsing status * allow passive scanning to be forced with passive_scan=1 * add a workaround for Linux packet socket behavior when interface is in bridge * increase 5 GHz band preference in BSS selection (estimate SNR, if info not available from driver; estimate maximum throughput based on common HT/VHT/specific TX rate support) * add INTERWORKING_ADD_NETWORK ctrl_iface command; this can be used to implement Interworking network selection behavior in upper layers software components * add optional reassoc_same_bss_optim=1 (disabled by default) optimization to avoid unnecessary Authentication frame exchange * extend TDLS frame padding workaround to cover all packets * allow wpa_supplicant to recover nl80211 functionality if the cfg80211 module gets removed and reloaded without restarting wpa_supplicant * allow hostapd DFS implementation to be used in wpa_supplicant AP mode- Update to 2.3 * fixed number of minor issues identified in static analyzer warnings * fixed wfd_dev_info to be more careful and not read beyond the buffer when parsing invalid information for P2P-DEVICE-FOUND * extended P2P and GAS query operations to support drivers that have maximum remain-on-channel time below 1000 ms (500 ms is the current minimum supported value) * added p2p_search_delay parameter to make the default p2p_find delay configurable * improved P2P operating channel selection for various multi-channel concurrency cases * fixed some TDLS failure cases to clean up driver state * fixed dynamic interface addition cases with nl80211 to avoid adding ifindex values to incorrect interface to skip foreign interface events properly * added TDLS workaround for some APs that may add extra data to the end of a short frame * fixed EAP-AKA' message parser with multiple AT_KDF attributes * added configuration option (p2p_passphrase_len) to allow longer passphrases to be generated for P2P groups * fixed IBSS channel configuration in some corner cases * improved HT/VHT/QoS parameter setup for TDLS * modified D-Bus interface for P2P peers/groups * started to use constant time comparison for various password and hash values to reduce possibility of any externally measurable timing differences * extended explicit clearing of freed memory and expired keys to avoid keeping private data in memory longer than necessary * added optional scan_id parameter to the SCAN command to allow manual scan requests for active scans for specific configured SSIDs * fixed CTRL-EVENT-REGDOM-CHANGE event init parameter value * added option to set Hotspot 2.0 Rel 2 update_identifier in network configuration to support external configuration * modified Android PNO functionality to send Probe Request frames only for hidden SSIDs (based on scan_ssid=1) * added generic mechanism for adding vendor elements into frames at runtime (VENDOR_ELEM_ADD, VENDOR_ELEM_GET, VENDOR_ELEM_REMOVE) * added fields to show unrecognized vendor elements in P2P_PEER * removed EAP-TTLS/MSCHAPv2 interoperability workaround so that MS-CHAP2-Success is required to be present regardless of eap_workaround configuration * modified EAP fast session resumption to allow results to be used only with the same network block that generated them * extended freq_list configuration to apply for sched_scan as well as normal scan * modified WPS to merge mixed-WPA/WPA2 credentials from a single session * fixed nl80211/RTM_DELLINK processing when a P2P GO interface is removed from a bridge * fixed number of small P2P issues to make negotiations more robust in corner cases * added experimental support for using temporary, random local MAC address (mac_addr and preassoc_mac_addr parameters); this is disabled by default (i.e., previous behavior of using permanent address is maintained if configuration is not changed) * added D-Bus interface for setting/clearing WFD IEs * fixed TDLS AID configuration for VHT * modified -m configuration file to be used only for the P2P non-netdev management device and do not load this for the default station interface or load the station interface configuration for the P2P management interface * fixed external MAC address changes while wpa_supplicant is running * started to enable HT (if supported by the driver) for IBSS * fixed wpa_cli action script execution to use more robust mechanism (CVE-2014-3686)h04-armsrv2 17089624812.10-150500.3.3.12.10-150500.3.3.1wpa_guiwpa_gui.8.gz/usr/sbin//usr/share/man/man8/-fmessage-length=0 -grecord-gcc-switches -O2 -Wall -D_FORTIFY_SOURCE=2 -fstack-protector-strong -funwind-tables -fasynchronous-unwind-tables -fstack-clash-protection -gobs://build.suse.de/SUSE:Maintenance:32791/SUSE_SLE-15-SP5_Update/92c4c1ac4c1b5c1bddbd97dfd31e26c2-wpa_supplicant.SUSE_SLE-15-SP5_Updatedrpmxz5aarch64-suse-linuxELF 64-bit LSB shared object, ARM aarch64, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux-aarch64.so.1, BuildID[sha1]=c6564b029854e9164fdaae17b1d52d2822383e30, for GNU/Linux 3.7.0, strippedtroff or preprocessor input, ASCII text (gzip compressed data, max compression, from Unix)RR R RR RRRRRRRRR RR RRT>ʓXhb_utf-8eca5733e6d6c4ddf55119254fb9d6181fba2205de37b871c3f0737cb575d570e? 7zXZ !t/*`l]"k%}RUJzx+P]8\R>~v)z!&!3"a䥍)vMͿFI 6Wql==6% %GlKZT.< ǥo | ?+GdN6MJoKo^ HQܗ)QRʯ$RZj4Z]*т8s>~sAKBK6{&Cl/g} .Y{E}AK*5F) ֕L;ecҦ%XxN7;댬Ju]k`=mϕf qC)D.U~VA3R蝮vEi.%V5JP(FypյɐڃM-ѝkYMY12D5mGL2]n4O(,K<40VIzDz&Ni&&"Ww!XFCDӉa}$N?A{N69+$kSitߎ?eݞ%l(&*8GV!?v`1XAl9GwaV?c"jm(ii3@ڵ@:eM'b"]ej6&uC1ʄuJKU[_@OlY`uIUVK*X-Pulw8$PGƮXkN;ңR4i(= B<]&[7\Wz&׮w14=۴.+h'ZL6)y&'(K7$薙$k2QVO"UNppr9qȯ]" mX"ٚBcѯgVTVy:yR[>^`oa)Q]py]BӅ,GŃb-XpVd+nL@-~> L M;:]ͽj+H|4>4)5_uGK\k'^{d jf< vC9l۷B6d.}F^\6 |(33qZRҟi'u3)Qs;sFd /GĂez zKYG9ĀGV;lDGC{D"s@fte%܆{HׇIx dAմF4W!K81]ܡ5aAKS+缆*|u_Rd_Òޙd.5}̙R `YO858D?:YSےc+5ܱQ)HxfI; *9eoc?^ES0A Çr{;w=]Cިs@ޛF;$_idtSy}f@n[ '677(#np`M5 d"D"?aMNQϫ٥ $"H\\:.{s٢ꚺ+eO暣ԫR)gcvu:8+ƒJqazma2B45UMD!&BĆtN$J ;<׍AƒcXe_)!U}Rd@Is_samH^Lǘ5,_NLB/ߐsyg xC10O6j5 NVMg9# >6Ȩx6TnPCW@u;ut&Ee=GG}w#VUP ΰ& 3A No lA :7pٷҀhpo!prAPy{s( W<7^ϧu`VPouh}gf\]"Kѧ7Վkt ;YoOi6ſԊ=D(Bq Eؗ5Rqt6Lf{n1wfiO}B‹zL^0l  -AE&1]q5/gOj72\o C1*Ɏ@! ascQ@rYiIB{₸L琇7ăepZN7Tw/}Ph\G0Mf|;ޮM ~/ߐkeѴuf`G"n0駓yA1H+Q+Bi'T$*U;%"NTaނ $w0D}AA69Տ2=dBPR1 c^yTU"D%2KtDorSmyyQOYc( u>#Nү1gʏ )]t/fY v@@LI$V=).?fp7qق̪q/= ;L=ukxvO%mO_Ev*Dwy\D`v`fNs1+Ai/zE:gk=r⋳UQ}P?F8R<qR+d%FH))w {4+ڵڹm.AXKVF-n" @>{&Go\C/4VBq Zh"h:^gz^7\&~cj4i~8J~>.h+D#Y|ظoH^}G!RLٛ%k x6J@,a%b٠8Ql~G*p~)i1QG ==8_W=%L2zd'j*ޡU"%m{Fzª%$xɷ*blh6О0OoJ#]!'*M֬-/ M}KZ,F_) \VS, "оͦέ}pOP'gSK!Rpqt5cĂ}w0#}=PFtDƶg+h P;%h.wW? }_tRש1nS{2dN|[݄w]µgON[74`X/&U4=mXE:d:!3| FWWƁHQ2dQ'6e@u4EvogQv˫X^ Sb?e038X,AӑC1\-Lp`Da$H[HM{;ٶy!vB"dIeb8=by,X2|16 \4#<:r|P;㡤^VܜDR{ȿp "mIGxo>eVF"h4&Q `j@HӯAHB Q@5$%̙m Dd*ZA5ʄnw')6 $CZ32wJQ/WIZ#=+-.;L!m D~âVմI -Vr%/Iiˆ=6m}ͰN(t>SD[uS@6["}_{>zq/8DhUC~bdyF̔`G/MNR)1sQZ/(*0/ uOZN)4:˸l53x.雠 ~RTGyՀڭ`Jz+hY-(}0^l -</g&nJc^[o.\60z$ܰ9< ,un͐2DyL/HФQ{|Iᥛ%#IL YٳE$aaa6!xCj3J*%Ņds#K@Tbጴ!mU.  a0"iFwb77ԝ䥔DX 8 Y?%J|vC]0wQe SJ,T|E{p ]Uk2}IlD7j20Ny]BaP;wHП54cUڞ6i}QJ+ictn7`Z2;7Lg;`@݂=Hj 9:P47u+*#U~oyg [0Jq[ig5RGDpXa~ۨ϶z?QS ќ(Q)d/R:g^R ťr.»V*'+veA0 2UW#>0< .ng/]}@W 1 -j_C^#W)7,$@sEh|?ū uIGtIù1mB duL'9qE>+P=?C&GMuIb2l:Rjf%{Q%lIPvjBqXm{``榆jS=V*`@Ը3h̝jb21S0xUS3!b|<(w̾QEY_ZR:XJR||`wO.?^Pv#vBvy:ffFV'> [O$Q) PR8eUCr" U3a$Q./lgZ|kCWscqnOWU$5vBݗ o]\c}}{GI̘y/U%n.Lsىsc;MF%h(Soz/;Cvw~?g2Vm./D-VRY4.9Nfڻ"}!SBS8#Zr{BkE};H؈("vI2[+[ed|:d(Gv7BO=dKDk<_< 3DQ5_p Rb\(澁M(`ⷼržKb Zo4 X<,J\RF>/3iI&1[WMc)g!ev8<T4HwG$߸jTfw`Hh~Fu C xPI=95&Uit1 In5to72xjT`.wrn%x!˸R|Q%i[~F=IRjݧN*tl,/A604Pz0)z^.!{K2Vk7ɦ!oMwmhBqI] 򓕰zCgy !2%MOmǫ~ـݤ[ya'2GBd}AeV.kOT /f̮oAEebB9 G9$͇>l_)1n0>*if Oge #W'JCլf.hx_܁.vKItT\arf>:E4!򳺙BcBmx ؑTպK'jush닚ݟm/C8jK@yye7Hz&[ԆN&q 2vjpGK'1R̎&,29`fG"?v3cT$ȯxmq[Y鶨KCAgizTuGHE""'ukz+20$h)40!:W&+`o22 UCo Egy,U.LU oo+qt=4@4k ɭqj@;z kЂYi-~ 59~V@φ!CIe l:OEc}P]&ܡaQwcAbY7_\(QH=K>79:Y%1}OP[iX$γ?Ei&mYJ(`eA<ălEe@O! #*Hhy}VdԎnL@_2M3_NOa}QvgH9M"BoL3*TVS˥w7&y`#Z7y<Ƚx$JT=  [$Bߦe*mPq (+yooFF[I6/` X`u*{H~s@33ɭHj7?gM(x. Y\\eӗ>,E,YOXB%8;EtE'd:Aw*1my}:3Ն֪VwM#n]t)EmF%!.2K E`3OTm^PΠ(sRVNT~U*<}qcًVLX;)RD؅VjC{Zl2R0}Dc'q CVwe{׼@.ԂIƎK4eR}Bwˆp3_uq7$/JtzM tJ3am2\+ 3JnѲ z:_lAv]IcCU1ѡ4,8ײoRpt<{^Hn~'K8\15+&3RޣƐ*) TcXӐ چYFWǩ9骱v<.G3rC!&tL= 񍐭^U \W=ď GjwnXqFJ.G\C|gwVE޳@dCQpSNz&=ug#}MJ{Mp(ȡF/?Ɏm1IB7Rkn+i_-ױjy AAh4yگR<ݱ&gR0$<3CW*թ&Aq OI'dȣaaA2Дq ^4JDO0 ۝zyo~w*_y:|i^XZI;.~ץݸZ&dCe]X2攦?.-nw\qnpz7K=ٞG wʲD $Sp>j6Zظ@g?նFvH?1JIpJuKחʯ W?ʀWǿ 5VSnYbUYz[ƈ8Nժn8UEɟKJBnDiywzYIE4[U j8iBV :W~cj'U[U#X&]܌ Oil7u$7U4݆P|\IL4JԀKѳ<ꔗȗ(XQlDX)lq`!Y!sB|2*vu(>yn*Sakiʔ3+}~xט4_O }9ApŖ0x5jp} {\j~%snMIl*lh$IpnLӓB|o#3MW.9[^ 0"nFM fR?߽8SjE>윂GPЙ^L??Lge> 0;~Sa.Rkl7єF>5*Y ;5+KEɡkȣhˠdch))Sf"*fT^{r[r0Om<pAKomԢD72FWT@-Gt@3աfPCZ µx^g H h `M9zSdwFlU#'M)T-bx<>HYlո/0ygx{z{!aUBwFhnXblDlLѯ2q2?2+(?Ooz"eIR$]=$eQunpnKUT#Bv BV\N"TcuyrOO|O9-`*t2zѡOcbՉP: 6J! i |q畖S,p#5cN^Opng5e"[ Yj@CzB>zɜf!ȃQ-O(J| F|_zM#-JlނiT)JnѣVi4]Aaz9rAW ĉnUb\_ LOVE7} B=/pXVp֜}2`.·p?/k~|۰W Fb^^c-4 ,9k2{)8"(mĒLZLO[<}QzS_'9/އ\o*Hp@8VV825nO&H䷓ܐj_.t60v ;Kk+Ba*@TYmv<-~`}\p\n:X؃BGZ,١[TNQڶS='j@?%m <-)Aî[*D'0ޅAKJ$YcK\ݗf?bSY͞ -c-pG40qq~WO^e3Dُ蠖"l/ўkKf WEHS`6vG~LdQgs_84-97D 'ޗOR~¬}"U4'}tcb3s2!'MRҹ. [iOf}f'w(t˲O@5kqc]`lQOg 3e#[g6ҫ> ,.1Dz_O H۪H~w0}9?,y_&&#a?oK6ؒ WRƑ8Od]˫R:B< $Nj)" 6)Yq1lޒ_e홪f;P YRT\za\{rDDiW# 4n07pWevC0v[XY-O Yl%ܶCm&ypmej*k{_[Oy7' kؠ@r' 5co|Q  7`[>>x=+"(םռ'I}MI_uyvtI*K/I.nwR#s=ֳ^<m+eK 0wPiĿd*pQ%d,RE usS~LՂ=w򔸛[@H.1-_ے0pT~QZ]РlXgl6(l-Yz\tNw'%w7qg{Ln2U;O-a,HBӏZM`goXye/} CbBY4"Dgz}9YSH SԔj; y95YpAj?v԰4c7Mx-@'%DL5GanneM&ʁB~œq"0F]H9NC4=FsޏKjP=C AsG0q{WHը.+~%V ´;eJ54^mq9 1w2i "D_׉y4:4=8Z>)sd) =f0j JTr-a(5q|awm4IڄkVlC~v,vvWfCA7YXTy$d^l]!P>##ai@;}, Ak Z429XCJ}f=J>bp! @b '=[g]ǓPEm4 _h5lnjˆK4J7/ mo/t Zȶ|C]+'Pv\c |%i-5 KO!ď 6jL$z09kE@y%cNxIZ+Z\~gش<^Z*Aϙ$Cz(P8A:K6H2\ 3guc~8ATW(Dr0x,UuLy$0"ckC\7ͳT@@ær8KsM?|;F -8Fd4Y޵T~8 tRq'/} !60%&֩6=P`ˁ?ByLMhVSh!BYXtoǘ> ! 1'u2O>EN,iCԝ$_%ta(pf/MÓm6@kY$UYQB{SwU q`r',<ZJ_\' wK•ɵW Ɨtq B@П/8GvBt\T%:1𤋮qN= a^mLcGͱB9ߩԆT)J>7\*! 礔87=HG3,bcblΰP]JHNc5 wpEF-5y.#GER؋5EGk*Wf+-! .Y@|s3nW\)qOh+eATU p?tEЭ4-q Q N ׎G.o$3ok\Sr`[gEv:(fRxelNuԵ`iPRg5k0{!N&E}&T'!W[%B6 ^ 4ZMs) 3@= TR=eCl=Se 0+ڍgA<$T /]̞W_<ىb@O&rك.mK]xYO?H/GH8Q?:eiJ Phʑ̱+'6l(헝.HU YNaj,&ʶK~uGyp.W>ῬD}Uq,s6m,7 Vø>k !sW3 2p=IJmxbCʮ&$!PώX籚 xPgop8aG ϋiyqh4g38ETs*b;8[Ԁٓ A8:I#Ga <٤xHgZuD/ dtUʞ|]?R'l`Cw!=RpӘljFE G0VgN(4xf4G۲HrP,4eȪhsi\>^@$6NT*#`Hiy2:Tizݜ 3r_ { -{ OJIB>|6Ysq`.]8`F^+!<+Zb6l;d*X!g - 2aZHpc@%u@]O=-. yжU_Ch$@XFb#77P?؆=d<XԎBGC"ix{`4]3ep0]&q.#{&}JO6NNyBJ)*i ࿤/JlvD:[T,Oe|"\HKk:Xjl;)漇tkŵ?0"$h؋RóKuQAʣ*%yL>/.i7Igq h9WG:3xbGT 3 j3CetX݉~Ir?hk著{k^ER%M&`AJPoι41~0f_)-VIX9 s'*q%P5e/ bBoo2 6㬅W rzݠ\ϟte` .)6XU@ lN['Sj=?UVP.@_J |7ƙq+6 ~¹6;;54#3֍3m7, O5U}Hpz@TixĢQJu׾/̐Wd 2R~MZVo[>n8U&2heQU`rë&6t|:YG~~ 7z}^# Sof4r[tOyb*?s{|Z1]~Sy^i7(JM5PZԠz 6#7Adw)5#^ٸ͡j{%G'pDU{Un&b9##a2rc~c$+  !Pg_٧2|Bmܿ@WMa#[#d”"̠`rI+n1`"+@߀ s}\\, `^ oܗ:f1k܃3?V*tƂ:N|頋 dG G]L:cJSAS*zJ[W T ;렠뇏R h~etI=%鏪?~nrЫQND= 9OIcy*z.VRV\3QrjЈy?n$ݾ< 'a9ȴ@U{Ŵ1J%*uvK.5Qhw8/~X2킌؜PQD ~rD/ mxF:߫bF)nc6otMcxc} YE$ۖoFh"N",(|ooPjS>m[2SV+go7^``efrzI?dJp踏Te7!L "N%Ӛ8ν#i1.clne$XҫmGZ}9Pq [;LgT ?SCH5C̺8 ,6<1Fs|jsfY𛉎`kY_F EW< vw耊gwORp72%ÌvkCA0 %S_{apy.p<0O..qoJ+I?MY0bh%;mUyCj} b7H5!ug7bL1JH>U>3 $l(oU5|QYbj;^^uI9kՇʌCۑ9O8Fy@`ln)A,7iq{}kcF6IGbό`̢NG@ۼ_@ܸX40Dyj cp:8M{ B%߻y? J5KڗÉYg]J0U݅;yx8O?:STPQ[,ѾIg"Ru&FTѺpX0(MCCvO`AsV٭3e6cJ=)֬D̈́;N5_(~t'by {KLEraO40ڬ*-ZFV+ыz4Tjdr(@Z}][,̷Oڙ-mL"WD4*9V+ Iya`7uE MNv"IyC#q4eu>퀣Z 9E Nx}sF܌} dN aw튛+2Uu:HF4Eyfkk)_)[Z>p!#ѨL|_SEԨ:܇VH%PZud]Ԑ _5Ar|Zy,'OY=BQcÓ!2GRdGɘ]n3ԯEhcŗ2$wܽS, U)}c4ATTY{uQꞳ'~8ȹ4±|+-O. IQp#m62MD1BO 4g yK"/kzg.H,Ogx* ˍnz#_|Lc 썚[w`,=ĆhD̜=03l\.3~Ǭug#ws|uH_'{VFxQPsahO vh@Um~C9/媮e@ {weǟ$?($ +)?lFذöaiեә+ lZ9~[ k5; zGF`VQ_pEMわ0 [e 1&!Sr1(IqR !J7gEL`+US;d=%L y}%i_4o=-K ռWe3-_W(F2"ts T^[Lo+f抷$^[=DMrfWgQ-,  mISXT-aax~'QUJ΍:ya>[B4AW4y8/6g՞u frqge tJ\ ~u@nIn}%7괧w Yը=H~gTw5ڸkarr Mp;Żs&~5ǖ/Qjk7lXC#ԍQJ?(N!wZ7ƛD`zJW؂"c휝Q[S:paGőyP qXt2aSlJՅ5T؝6Т4q.[G$SՅY l1%^vV9ZcauCo[hdt+'=%LDoݐkD0ogA04X;M|qR 0[@#$@ יK6~4MQXלv/s. I+10eap܆0|15҆hJԠ;OceFH Uɔ" ;lY0&Gj ,"ߘfhm8%uwU!θEMQ(,#Z 2wtSυh-5x sjn!0p;pw:WW*0f>fHFJr.`XNƓʾ^\G&=TU&~gZwy&yȩָv4%`^h 3)**Ϩ+FJh}|([-I-!:{:EE_C`|Y2%VQNػ}R9G!{g;.^C Qf$>;Ȗm,t4F$ɔndRtC'ke;jל 7Q-:y([:n,.0Qi-un%W2\A8X14<|qKF#] M\2b%/: {(W5-=Y^Sۦ~ٴjW׶CȊ|蓧`9SCk:əCַb!PF"ܢQ&k@SH# >ಾ,{!y 82f>Z,iqb(e@ PgTG+8n@q e>UoZ]ˬW٤w7|oۯ|" -E&9:k]sYp*ʬ哊LQ;O}N`p- Ϳ7% kla")?l@]B95>,Eo}0u՞<܂l,TQ]T3 S?.].|pr0 x:VIt]q_P ̕uݜwJPMo7U!8>.TИE5SW=| yV>B9Q&m/V%c0.i膹Bir)`?r%ϷP႗n?\uO 3޳xt2jK^N+47.tCLce8/DTK$R1+ziLH#況$w3a@׸SՀUӆ9D g24-UdqcH3f V7"62O?d#:<'R6IMbe\2Dgs1bk6rk5tFbQN،,i7[Lwvf]weZ XH5[ں})YcQ, ԜOӴs ohOju]*:A1 g+%Klk?UjQlEPF Ch"*Tל*&TH: GE5[}{;sgQnz0h");N(T$S4q":@eƤ8֝]װW 㡵Xm@s~%: 8K: s3Cqb~/Ѐ:y:pQ[^`T"Y |Y{QɳӰFN,AWlWLoFCJ.GNxiO-߿zDn 7e#J.Kq# 6&^[ z: 6&s,wwe)ٌv{I kQNٴdX<4јЮ qq΀-%%26JZAi_Vom-f4Crhu;#m̭ŏ>a8;뚞ɯ}I!m=$&] wYЦPdB k߬XQI.kXn}犕q; 6ev 3bـ,|Rk6ufeo7am06XBOd-Dθ0ʞ# EDScG8(ހ$\wزRGru{{YVk0b9]Wv3tЪEZ YX1P^IemּH 6!-s#(⷇XC;S/+|F(I(*kHwa矢P7`\-YKRyEa- 1dl`Ы-7gjIcP]eÃuYK~2ڂs9_&0,3Nƨa'Ӷ,sjSkr PҬϝ,8pkT5ʞJ/5g=FPw$, ^9V yK@,zs٪Tr~DՃ@<{mcDžO;,c3I?LKJPk|қQWlNێSd9TǑ#W0Cd_ =#X)}qF/qP},, D_aMΡ/!w\#ѫM >;pE3Svf8)Qk츚$b\T،=z`;/y[DdW LHOVe_RTiBR1(f3NK-g\ NY~XIa4:Se܌ۜ)yBQACSf#}s 1S#58ցT:su,JG;X>a aW%Ć:4JU#ef#lP=d{:;An j!S"Ke[pq5/0{]Bb&_HpR$6TXӪM7)B7J+^̒4$VOZ`}OnF̴8N oY\;/m&ȳ &Tֶd<~-JUnUӯBij R d*- PH~Zߊ}&d*aI sVV4Cu S{+*_S>  #4L%Қz$Bjs MnwrqmP-4F:8hE9Jc&߂TǗYN3QʊHD{k]'qyYA+`ʇ&ȇѰ~>E:ZAv%o}F l`M0ߖSjj珕!uGFъ6"i:?\#+7ބ&`)sl~jDvu˚-A zPwWx <gSG ;~}^-5P rW n"a)ʨ cXO^E#z^J/fc< sLh%>5ś&`0 ,\/ka! )>w1*ι":֤Ul^E&oqԬz| 8yӣ:%;9PXMCLX=q'R%6NT0)LvNbt MEa7%lumIBFߑ 8-֨mGPpu/́:!![z_1oMS"߱>q!͕^:Ȇ噇5#"cг԰^кX($,+ͬLMEX=PǵqE)'%h 7[ ~HJ[w4] 6\(``JU&"-' 8I6tO@_Ҍ$]l#PhCzJ֑pJaDZܶaįaR&3w[lj0R 2&F5wt?Wq.Jn܊oy@2l*V2;BڎJnmq`Q J sTap;ߤ5Ie;'X,1Z)7YkF-祛JR\ĜQga?KZcְ[qy0a{tNWW w{C򮠋>abmvk2Ye*)=Uw:ș%,2LU|,SF0+?cHjc ajO!\%(f_OmŠ$慬U JTs-/-m8ܧ.:"L5xyO婍JrT͆ zGAv6SJ vzk78<'m SN)J5iW%uf0i\z`7D YAgzk VTk<֘75&6wFa0֕h}_V!ƾm .&?H'Ɠ̅ɽPm̜dG+DzǧlGD| _fNUr_C ހ<~)j`MCi)#_u]oha3K3J>"[T9 Z=eZ?"SQX-)ʼn+܁BVN\r Kݯ7xj)+S^7B$x[*VKui:1jϤ>!|9-{ƶC> ]*(lY]apL0wac{0q,:|y!p$|NwDy\ON^+v 瞞6_n~2(yMȲLN-&M f`Э5l`mGcy|fO; ry#uap:-`r@AQz/ I.|E/{% yBQ? Wp? W;g r"xƓf,<}b=slF|A%!ӘuOvԘ(>aV5C>(dު겼iQ5)Y[^ g,(ޟ?z #8$ʩ|*Ȓ  q%A`O*ބQ/h \u_]]yO >qbb91@ˆ -~4;o"{r_T2IӬE;d2컇!v X[R<&~%lR t6Ct‚Dԡ|#DkN)6CL'PEj< _ 2-Fc'0qJ?J[5{iSkov[ 4w.{?%Rg-T/ >2&\b׬w24ߚ@;;eM-l`!pHxjKhO\ao_#V)wzSׅ)YNMK L+K -Y]{w곕:r<} \hdJ Bo?U {˟ѹ܂u;6PՐE[#:35TAzk/\o >̅E͞Yja q ?#B*`S \gKHW{'zvqA͡SY mCז,k)̌- '¶k]T=9 ƝTucA=cQ%RmuU,Y_T^{UFƎL믹ӓ1ޱõǼFpb. oc/ ӊw?f.I-Ԋ'vH+ׄ]*Tzj<#s.q`ڹS=ɫb"`@܃|kٽ v-CWNlv_a!ws9oď7]#IM鵸m&95""H[g^q[tr|0eM@`;/F"GL$p`K)D8c20u,4}?4 ntX Z%nXQI0qCoWsugmSLJ+i|V' YC|1Ο]jXj4vXM٦-=lf)R$%)?e.W#2  mOV6 1ZzZL D{sPh%z]í꺳'}"^%.8S U<>紿UpAJ`{x>6LۙЏ $ ngS!(Sʯ)}<>UL"4v.6R.ǟ'},d@@$3 3^Q'!@:B/ݾitv{Y@qξ88O[.IBs㪠MuI6]Kᨹ)/ƌM߉ά/(}8S+7d)D3ͺmu^فBQ# /ʻh&.xiփ6< cC,m E13ho* :eK2ԭe1p.ݤBx 'V<5!9JNY"=ׅdko s퐇b eiHuL|D- yJϗى ?PAԨc)ݮ-n?RݥA>S*̦:Ljn`l~X,=i: -s\'M5MD8%QfGU%c ,cn9'5W?pC-3|޺<W DG< N@<2I;xׂ`z|ϱo&W2ll4T+D;.;%J$UE 1(:.I;&0\ln2;1b z:I@2ї2kOgJZ?)dit:+f[N`<9>0SbfpgO1_:m`= qOHGy+saxچEz"O|$.F b#[ѕXD QifU&ҎvK5)~dPo7`f|4J4KLƵZLr4+kp M' ;^D†Z]:ԇ :wj6J$%NyAE T3dis3_ʖgK!!Oq"0yXM1`q׼- yl9.`t5+RLi͸?zړ5NOe0N9*l0r{qW$='vnn^ZfEFˎ¶go]UuաIkWW64%õi!,O:8D? 5E vBvIQ6;VA .E` 7 .{ĉ:M+\.qU>'FQ颁px)=]BrS"l£^(mle4{2l!]fd&RN8Wl7\Ac +2nL\hMz&"y&"~/>DNڦ('zMǾ迮c9bҺR;~Կ²RxdrôPF#axcT:{q* Rz5y:=1Jϻ1He9q&T@A JVM3۬?|FeԨn?gU24@vNO_jDye8qUmrLk YogDZgREj eg") Cg a]Z9Ѧcc El#=. w~IӔݸcwvݲZO*~:*HIe#rv8ܔAk 9\$(^!-eg'fi4V,j[&\$d`_ֺ,*? U3%!64D*|StFȐCNM)L_NsנUl;{m HiIHcy.};f#JRYڶ-5J#d``7 vXv'Ur52P`Sl"6: A~?1[ըQ}U#ϪA0ׇ&,@S9h(^ dx 1.[2HݫCděߙӴ󪼆96T[APvkPƄZS5`O 1~ + 7ҭj9X>[]$G2(6lOWBry]."xl[H;'}iV1X,>-0^)*@͎p+Kmʠ-pP[(MW;JjlWb1WH{ILгo8/e 2F{VCwܱSq!ߪEslpGqLY47߸Fb@2FEpzR|E~A~#H r;k'@Ēsy[D}z0fP8gKJ6`Me̙``JzqF 7҄L^n\N5+^v$QH)rkS3 9{k@@L O1:sV"agW#8*}i/M3 z>7 Z(UejavjGoe` cJa =kjq|h(/Uut[_YvK@aLM "Zl2dCgo }=s0 :k8Q*c<ٳR-7;9|ezsIg71zʟNǮ>&C;*' koĚ`dB\".,iVxVE V&jiv*!VetVp6DzDi\r4hP@8|n X֜ ZsgSM)V8 QLdn BO">ە\RWpl6pG4r&nO-8>ЙPXWfU8B\f&w4][x8;Wn93Ǘ%YGa,7)n . GDWP+m#mrʴpQ엙LK|&ΰVT=l +:f B_J Ԍj^ks6hU %pG[vr-kUfxc|jx]ǚֲθT:vncz&J9ԭc&*} _cGE1&V^:Dn'F#Y줔RPd1 K5Qۏ#8kD[qA:-v~!ޯ ZPZhL炙uwaGZ7q [-Y2VFEX& ײz+ E84&mZ,,3 Sٷ $f*x9 B{N3n‡ʦ1&=&ѿ]̿ \M$sK+o/3fcIm;RAp2l‹cDqODvbrϴXV+vWע(p@2ކ?**F8N}fաR(,:TIK՝uuϑGor1JaOzEΥ)vŝ"䦪Oplͥ\-v7GPk ,g`Q)!V0/)/rwYϮVN KXwf&fJwkT?{qRI3ʈ~r3oKpZ;o>goqapၘ}.< eSo OYUhPKVodnKN WsٶGv`,ْ*rH@ִm>mnö%˚\#Bm!z{H29Բs; 㢾7|ͻc@R#AN@2KjG> ;mC4&O;@F~R. k/W1w%6x(yX0mN'; y+ţa≉+M|wJy_t25 !><,Q3#!2> v~}'p&nAJg;"T{3 8 y |QC&JcQe_ytL͕$W4JJRl0A]m~2v4q0aI-l7R]z1JPAyLӚ+h);QtW;|=Y:]I{xƻDZj0f#i!\d~3V4GnZKSWbJT7M]x> ɂ<ף2:U:met~ fHp 8axw 3:mŰ׻G;Q3W*yc'q0mi$kJ'$nu`Hm31![9+Fb?PT4HJ1p 1?VI> Q';sw#o'ձ\wߩ|Q*b@iG} <ėcJCX {Y9 -C)lR{[ogD$^xYO,޷;ߕ NndiAPh ~Lhϕ@suvx|3Io?`LQZl%Sxl8-h;7 }vD{lYI替2;UFv]:z/yOauP5eN>B5@䑦4z48*uaKЫ:aS?gU({߅]2."ydh04zapآB6)_t;g/^@COv͊}$#PH-hֺޞuϋ[U]rOW`N i!֣hJ{ QGVLl^GaşfHr#$MH9uػ,~QbߞMWT6P-0{ˑ{Mq [Id(Ilf I2'4=ƦH69(CfVf-wUzS*>s( PsC]bELKލmZ.+e#|&Jvy.`bB";ʢ9l`"H,zǗ#İṖMP1Q&z, S|"Nx ^b*n #ꗹ]Gv'=i"=׷WQ viڊzv2u֡&`+Tۥ8~=KVhdIMdq[RY$VC"$ǎRIE ӵuqF (Ri1{}T!fs}7)SDf/a@_Y7t|WyA^迄/Ej=F@B0ܴthwQ&{p8_NܔgJgOv)Njޞ]/+X1s**+ߥ7AdD[1yqhCO;6;AHå[(uBJ-A`y\wRs|s*g@ 9ɰv}ڪsjr<?,i^Li$O`7lmsٞFԡጕnC̍o_/r".$LfG~LmC'ya˚dbwuj+H T݈U<`Wx$ѳr~  䥋'ppڊ'5Gs=߾2'֠(V & .@065kgI{tLhM^d r;$Q1DPfJ;Zl]3/fK7$+suw)9 ߻]Zt)ߖBx)" |6|<9QhW%bD4*<]WoU: XwA< B]OM(,`I *o6H{[qsSj굘vYԟtDցzXM,:K½ oO i\kbo`)k;ߏ hSG 74B_, 3Z%CQ6;7߸ĐF '>0Q 7,X-HM6 jA:q5_s&E_>}?Bd^3B`R *Y?Tރ=g k}4F)GAO#H&TU%ǰ NH\&gך oތBK[bzOѪ۵L%#*4TMbHp0 |Dי 5 0_K{#qeW/\zXrg ҮLDA|NzSYgLBjÐ"I@:xOMd T^L`cp9G*BG0:Ɛ{jfqS`4֓bP>ξn"No?[G>=Ȣ~[HIB-y.TQ,iUj` UN~DK``b9P3"U0l.Qp'3sܺr=܇wOG91FEǾC"lEc}بEr~6{>@w~ևwvSѿ򑼾yMȚb^RD PDETr}~{awMQf9^CYnWjP[~Aq(&3rq%:lʋk3/(/7Qf%G(7GKUSAO18)[z`ld7粺ZrjF|ni6f.Dy[iJeA][eLP˛G戃SX<0WUQ7vP"m+GWB.gJ#%w09rX"M3˅)٘)ņOui4 Qr ˆFZٝBy{_|8hf*T?\6jxwŨ9UIjWgDČlQ3F…r$]rNY$>?QmJEu lXPd-w 03w*(?GAW<$PޓN߅P\BNc7_525Fb6}#uFRzgĵu!-opdON68M)n@KQȿ/͜wSu*wÆmզ=S(Eɂ9k`aj߿BGV-^Ƕ1z1ylcIz5(ڒ#@nvʑn^37VS 4V󝴾,xጱ/S]z1@q?NB 3dk<] /rLޱ1|e~["ļx?v Ayi=ӟGG)R+;8+yfO,㷋mNaYVE*_Ɔ`?u]5OlKOb r'|ԥȃ jw2_vV3#xݖu4iu3)qy'(Zkp]O<]ȅ*ݝ=ڈsC?g9륿66ctl7 :}$aZ 0'A&\U+ǬVZ*HB}C$Aj~2P,wR[ZӢZq:AaHo)9#d"я`) &4sd=(f>/;m<T(ojƻ*v>e|L s.snwC }+`ڮ&"`q+3,X:ǞquA) jaVT뗘rBhcJ6O`\vc4c)c|ag{sT('bߖ Kuhb4tTLZaaFpH\.kPjR>|lpyоwE=g$}ʷO^inw=gnfOz4ŗz0r }*BI]sqṊ+&[q5uRYOaD8ಅYSBHdp16TTdd%@|')D67=U<>OIČ^d'(f x y_:(ÎTȡ=2S9g7. _+%N{eKJ7zY /d SVkGH64&?"n<Эo!TnkuٛVK/J>*ONc< J\UZ 1M*S4cF AL>Z/~t,]хĢyqRQi蜃& E(K|>W^]gromSShި CzAlH874uBҴqUB^_WHژL7'q=#)_ZHЂ JZ5i=XN(~Vb;3ѐHXf|!8XaS)0 xG@Q~Q6(ͼfMZo~mtJ#*%] 6SAPMܺd̯RqM gk^R"8;"mS`l/5{lX21DYw`At'xR:F\<&"@5ܾOτ 2{A}HFSƎJHSfE'lh)IsHEJd#K+*"^r"EyJE(zzRu8 yvURRRdқe5$IpT ܸ ;\U43Psu0W~GGG/DE+GCHͅ?,݁3ϨaqSsؐE"D6SD&%\<*ji2 jL%P;p@P`9]3Az[GEq" AbF=#F$\rXC=AMU},]!0 omhZ:s_"LF@8Ҡoɢ8ڰ:NR5?QgހQ:6 3+Wu; 7"TT"@r$[ɣ[-a1*nDOi9!"3CRbzF״BM6:YVq'nY8_8eI7RaLoaҲ>LQT7#c $B' ! '^n<9Gr't v~kp2\s\] U˶7XQR|ɀ!ud_g=1)`&oh