������wpa_supplicant-gui-2.10-150600.7.3.1��������������������������������������������������������������<���>�������,���������������������������������������������������������f�p9|��Lj��i~]4D&�m�XQ@T�;颣�_+-
#Gmm$cÆ�M6e+7IJ c�w(Hz�M9tArh��:ѓ*r�ĩgktΤ!�=mz3Q%ӌ}�3I�b(e�d8LW^xTZ��sjaMozf^p��aޡ�G1~��E;8k�w��K�&S9r<^_"H��ŭUef�H���``RW.0����>��������������������>��(���?��������������d��������������������������������������������������������������� ���'���������� ���J������������������������������������������������������������������������������������
��������������,���������� ���B��������������N��������������k��������������q���������������x���������������������� ��������������
���������������������������������������������
���������������������������������������&���������������0���������������\���������������d�����������������������������������������������������(���������������8�������$���*���9����������*���:������
,���*���F������@�������G������T�������H������\�������I������d�������X������h�������Y������p�������\�������������]�������������^�������������b�������������c������z�������d��������������e��������������f��������������l������
�������u������ �������v������(�������w������P�������x������X�������y������`�������z���������������������������������������������������������������C�wpa_supplicant-gui�2.10�150600.7.3.1�WPA supplicant graphical front-end�This package contains a graphical front-end to wpa_supplicant, an
implementation of the WPA Supplicant component.�f�h01-ch2c�����
�~SUSE Linux Enterprise 15�SUSE LLC �BSD-3-Clause AND GPL-2.0-or-later�https://www.suse.com/�Unspecified�https://w1.fi/wpa_supplicant�linux�x86_64��
����큤����f�f�2926792857c00f118ec332f570c5a1cd05c3ed648aecce50546c93583b1fae8e�d57783ead2cca37539bf8b5c4a81b8105c2970de177652fe1a027433593467aa�����������root�root�root�root�wpa_supplicant-2.10-150600.7.3.1.src.rpm����wpa_supplicant-gui�wpa_supplicant-gui(x86-64)�����@���@���@���@���@���@���@���@���@���@���@���@���@���@���@���@���@���@���@���@���@���@����
���
���
���
����libQt5Core.so.5()(64bit)�libQt5Core.so.5(Qt_5)(64bit)�libQt5Core.so.5(Qt_5.15)(64bit)�libQt5Gui.so.5()(64bit)�libQt5Gui.so.5(Qt_5)(64bit)�libQt5Widgets.so.5()(64bit)�libQt5Widgets.so.5(Qt_5)(64bit)�libc.so.6()(64bit)�libc.so.6(GLIBC_2.14)(64bit)�libc.so.6(GLIBC_2.15)(64bit)�libc.so.6(GLIBC_2.17)(64bit)�libc.so.6(GLIBC_2.2.5)(64bit)�libc.so.6(GLIBC_2.3.4)(64bit)�libc.so.6(GLIBC_2.34)(64bit)�libc.so.6(GLIBC_2.38)(64bit)�libc.so.6(GLIBC_2.4)(64bit)�libgcc_s.so.1()(64bit)�libgcc_s.so.1(GCC_3.0)(64bit)�libstdc++.so.6()(64bit)�libstdc++.so.6(CXXABI_1.3)(64bit)�libstdc++.so.6(CXXABI_1.3.9)(64bit)�libstdc++.so.6(GLIBCXX_3.4)(64bit)�rpmlib(CompressedFileNames)�rpmlib(FileDigests)�rpmlib(PayloadFilesHavePrefix)�rpmlib(PayloadIsXz)�wpa_supplicant�����������������������3.0.4-1�4.6.0-1�4.0-1�5.2-1��4.14.3�e}@c@b@b�@`lM@`?z@`:4@`�_|\@_i@_i@^@^@^|@^|@^Y�]�]>[<@[[ā@[[;@[@[QY@X@X]�W@VU@VŲ@V`V=@UKSUCjU8U'@U�/@TBV@cfamullaconrad@suse.com�cfamullaconrad@suse.com�cfamullaconrad@suse.com�cfamullaconrad@suse.com�cfamullaconrad@suse.com�cfamullaconrad@suse.com�cfamullaconrad@suse.com�cfamullaconrad@suse.com�sp1ritCS@protonmail.com�cfamullaconrad@suse.com�songchuan.kang@suse.com�cfamullaconrad@suse.com�bwiedemann@suse.com�cfamullaconrad@suse.com�ilya@ilya.pp.ua�tchvatal@suse.com�tchvatal@suse.com�ilya@ilya.pp.ua�ilya@ilya.pp.ua�kbabioch@suse.com�ro@suse.de�kbabioch@suse.com�kbabioch@suse.com�kbabioch@suse.com�ro@suse.de�meissner@suse.com�obs@botter.cc�dwaas@suse.com�meissner@suse.com�tchvatal@suse.com�lnussel@suse.de�crrodriguez@opensuse.org�crrodriguez@opensuse.org�crrodriguez@opensuse.org�lnussel@suse.de�michael@stroeder.com�ro@suse.de�zaitor@opensuse.org�crrodriguez@opensuse.org�stefan.bruens@rwth-aachen.de�stefan.bruens@rwth-aachen.de�stefan.bruens@rwth-aachen.de�- Add CVE-2023-52160.patch - Bypassing WiFi Authentication (bsc#1219975)
- Change ctrl_interface from /var/run to %_rundir (/run)�- update to 2.10.0: jsc#PED-2904
* SAE changes
- improved protection against side channel attacks
[https://w1.fi/security/2022-1/]
- added support for the hash-to-element mechanism (sae_pwe=1 or
sae_pwe=2); this is currently disabled by default, but will likely
get enabled by default in the future
- fixed PMKSA caching with OKC
- added support for SAE-PK
* EAP-pwd changes
- improved protection against side channel attacks
[https://w1.fi/security/2022-1/]
* fixed P2P provision discovery processing of a specially constructed
invalid frame
[https://w1.fi/security/2021-1/]
* fixed P2P group information processing of a specially constructed
invalid frame
[https://w1.fi/security/2020-2/]
* fixed PMF disconnection protection bypass in AP mode
[https://w1.fi/security/2019-7/]
* added support for using OpenSSL 3.0
* increased the maximum number of EAP message exchanges (mainly to
support cases with very large certificates)
* fixed various issues in experimental support for EAP-TEAP peer
* added support for DPP release 2 (Wi-Fi Device Provisioning Protocol)
* a number of MKA/MACsec fixes and extensions
* added support for SAE (WPA3-Personal) AP mode configuration
* added P2P support for EDMG (IEEE 802.11ay) channels
* fixed EAP-FAST peer with TLS GCM/CCM ciphers
* improved throughput estimation and BSS selection
* dropped support for libnl 1.1
* added support for nl80211 control port for EAPOL frame TX/RX
* fixed OWE key derivation with groups 20 and 21; this breaks backwards
compatibility for these groups while the default group 19 remains
backwards compatible
* added support for Beacon protection
* added support for Extended Key ID for pairwise keys
* removed WEP support from the default build (CONFIG_WEP=y can be used
to enable it, if really needed)
* added a build option to remove TKIP support (CONFIG_NO_TKIP=y)
* added support for Transition Disable mechanism to allow the AP to
automatically disable transition mode to improve security
* extended D-Bus interface
* added support for PASN
* added a file-based backend for external password storage to allow
secret information to be moved away from the main configuration file
without requiring external tools
* added EAP-TLS peer support for TLS 1.3 (disabled by default for now)
* added support for SCS, MSCS, DSCP policy
* changed driver interface selection to default to automatic fallback
to other compiled in options
* a large number of other fixes, cleanup, and extensions
- drop wpa_supplicant-p2p_iname_size.diff, CVE-2021-30004.patch,
CVE-2021-27803.patch, CVE-2021-0326.patch, CVE-2019-16275.patch,
CVE-2022-23303_0001.patch, CVE-2022-23303_0002.patch,
CVE-2022-23303_0003.patch, CVE-2022-23303_0004.patch:
upstream
- drop restore-old-dbus-interface.patch, wicked has been
switching to the new dbus interface in version 0.6.66
- config:
* re-enable CONFIG_WEP
* enable QCA vendor extensions to nl80211
* enable support for Automatic Channel Selection
* enable OCV, security feature that prevents MITM
multi-channel attacks
* enable QCA vendor extensions to nl80211
* enable EAP-EKE
* Support HT overrides
* TLS v1.1 and TLS v1.2
* Fast Session Transfer (FST)
* Automatic Channel Selection
* Multi Band Operation
* Fast Initial Link Setup
* Mesh Networking (IEEE 802.11s)
- Add dbus-Fix-property-DebugShowKeys-and-DebugTimestamp.patch
(bsc#1201219)
- Move the dbus-1 system.d file to /usr (bsc#1200342)
- Added hardening to systemd service(s) (bsc#1181400). Modified:
* wpa_supplicant.service
- drop wpa_supplicant-getrandom.patch : glibc has been updated
so the getrandom() wrapper is now there
- Sync wpa_supplicant.spec with Factory�- Enable WPA3-Enterprise (SuiteB-192) support.�- Add CVE-2022-23303_0001.patch, CVE-2022-23303_0002.patch,
CVE-2022-23303_0003.patch, CVE-2022-23303_0004.patch
SAE/EAP-pwd side-channel attack update 2
(CVE-2022-23303, CVE-2022-23304, bsc#1194732, bsc#1194733)�- Add CVE-2021-30004.patch -- forging attacks may occur because
AlgorithmIdentifier parameters are mishandled in tls/pkcs1.c and tls/x509v3.c
(bsc#1184348)�- Fix systemd device ready dependencies in wpa_supplicant@.service file.
(see: https://forums.opensuse.org/showthread.php/547186-wpa_supplicant-service-fails-on-boot-succeeds-on-restart?p=2982844#post2982844)�- Add CVE-2021-27803.patch -- P2P provision discovery processing vulnerability
(bsc#1182805)�- Add CVE-2021-0326.patch -- P2P group information processing vulnerability
(bsc#1181777)�- Add wpa_supplicant-p2p_iname_size.diff -- Limit P2P_DEVICE name to appropriate ifname size
(https://patchwork.ozlabs.org/project/hostap/patch/20200825062902.124600-1-benjamin@sipsolutions.net/)�- Fix spec file for SLE12, use make %{?_smp_mflags} instead of %make_build�- Enable SAE support(jsc#SLE-14992).�- Add CVE-2019-16275.patch -- AP mode PMF disconnection protection bypass
(bsc#1150934)�- Add restore-old-dbus-interface.patch to fix wicked wlan (boo#1156920)
- Restore fi.epitest.hostap.WPASupplicant.service (bsc#1167331)�- With v2.9 fi.epitest.hostap.WPASupplicant.service is obsolete (bsc#1167331)�- Change wpa_supplicant.service to ensure wpa_supplicant gets started before
network. Fix WLAN config on boot with wicked. (boo#1166933)�- Adjust the service to start after network.target wrt bsc#1165266�- Update to 2.9 release:
* SAE changes
- disable use of groups using Brainpool curves
- improved protection against side channel attacks
[https://w1.fi/security/2019-6/]
* EAP-pwd changes
- disable use of groups using Brainpool curves
- allow the set of groups to be configured (eap_pwd_groups)
- improved protection against side channel attacks
[https://w1.fi/security/2019-6/]
* fixed FT-EAP initial mobility domain association using PMKSA caching
(disabled by default for backwards compatibility; can be enabled
with ft_eap_pmksa_caching=1)
* fixed a regression in OpenSSL 1.1+ engine loading
* added validation of RSNE in (Re)Association Response frames
* fixed DPP bootstrapping URI parser of channel list
* extended EAP-SIM/AKA fast re-authentication to allow use with FILS
* extended ca_cert_blob to support PEM format
* improved robustness of P2P Action frame scheduling
* added support for EAP-SIM/AKA using anonymous@realm identity
* fixed Hotspot 2.0 credential selection based on roaming consortium
to ignore credentials without a specific EAP method
* added experimental support for EAP-TEAP peer (RFC 7170)
* added experimental support for EAP-TLS peer with TLS v1.3
* fixed a regression in WMM parameter configuration for a TDLS peer
* fixed a regression in operation with drivers that offload 802.1X
4-way handshake
* fixed an ECDH operation corner case with OpenSSL
* SAE changes
- added support for SAE Password Identifier
- changed default configuration to enable only groups 19, 20, 21
(i.e., disable groups 25 and 26) and disable all unsuitable groups
completely based on REVmd changes
- do not regenerate PWE unnecessarily when the AP uses the
anti-clogging token mechanisms
- fixed some association cases where both SAE and FT-SAE were enabled
on both the station and the selected AP
- started to prefer FT-SAE over SAE AKM if both are enabled
- started to prefer FT-SAE over FT-PSK if both are enabled
- fixed FT-SAE when SAE PMKSA caching is used
- reject use of unsuitable groups based on new implementation guidance
in REVmd (allow only FFC groups with prime >= 3072 bits and ECC
groups with prime >= 256)
- minimize timing and memory use differences in PWE derivation
[https://w1.fi/security/2019-1/] (CVE-2019-9494, bsc#1131868)
* EAP-pwd changes
- minimize timing and memory use differences in PWE derivation
[https://w1.fi/security/2019-2/] (CVE-2019-9495, bsc#1131870)
- verify server scalar/element
[https://w1.fi/security/2019-4/] (CVE-2019-9497, CVE-2019-9498,
CVE-2019-9499, bsc#1131874, bsc#1131872, bsc#1131871, bsc#1131644)
- fix message reassembly issue with unexpected fragment
[https://w1.fi/security/2019-5/] (CVE-2019-11555, bsc#1133640)
- enforce rand,mask generation rules more strictly
- fix a memory leak in PWE derivation
- disallow ECC groups with a prime under 256 bits (groups 25, 26, and
27)
- SAE/EAP-pwd side-channel attack update
[https://w1.fi/security/2019-6/] (CVE-2019-13377, bsc#1144443)
* fixed CONFIG_IEEE80211R=y (FT) build without CONFIG_FILS=y
* Hotspot 2.0 changes
- do not indicate release number that is higher than the one
AP supports
- added support for release number 3
- enable PMF automatically for network profiles created from
credentials
* fixed OWE network profile saving
* fixed DPP network profile saving
* added support for RSN operating channel validation
(CONFIG_OCV=y and network profile parameter ocv=1)
* added Multi-AP backhaul STA support
* fixed build with LibreSSL
* number of MKA/MACsec fixes and extensions
* extended domain_match and domain_suffix_match to allow list of values
* fixed dNSName matching in domain_match and domain_suffix_match when
using wolfSSL
* started to prefer FT-EAP-SHA384 over WPA-EAP-SUITE-B-192 AKM if both
are enabled
* extended nl80211 Connect and external authentication to support
SAE, FT-SAE, FT-EAP-SHA384
* fixed KEK2 derivation for FILS+FT
* extended client_cert file to allow loading of a chain of PEM
encoded certificates
* extended beacon reporting functionality
* extended D-Bus interface with number of new properties
* fixed a regression in FT-over-DS with mac80211-based drivers
* OpenSSL: allow systemwide policies to be overridden
* extended driver flags indication for separate 802.1X and PSK
4-way handshake offload capability
* added support for random P2P Device/Interface Address use
* extended PEAP to derive EMSK to enable use with ERP/FILS
* extended WPS to allow SAE configuration to be added automatically
for PSK (wps_cred_add_sae=1)
* removed support for the old D-Bus interface (CONFIG_CTRL_IFACE_DBUS)
* extended domain_match and domain_suffix_match to allow list of values
* added a RSN workaround for misbehaving PMF APs that advertise
IGTK/BIP KeyID using incorrect byte order
* fixed PTK rekeying with FILS and FT
* fixed WPA packet number reuse with replayed messages and key
reinstallation
[https://w1.fi/security/2017-1/] (CVE-2017-13077, CVE-2017-13078,
CVE-2017-13079, CVE-2017-13080, CVE-2017-13081, CVE-2017-13082,
CVE-2017-13086, CVE-2017-13087, CVE-2017-13088)
* fixed unauthenticated EAPOL-Key decryption in wpa_supplicant
[https://w1.fi/security/2018-1/] (CVE-2018-14526)
* added support for FILS (IEEE 802.11ai) shared key authentication
* added support for OWE (Opportunistic Wireless Encryption, RFC 8110;
and transition mode defined by WFA)
* added support for DPP (Wi-Fi Device Provisioning Protocol)
* added support for RSA 3k key case with Suite B 192-bit level
* fixed Suite B PMKSA caching not to update PMKID during each 4-way
handshake
* fixed EAP-pwd pre-processing with PasswordHashHash
* added EAP-pwd client support for salted passwords
* fixed a regression in TDLS prohibited bit validation
* started to use estimated throughput to avoid undesired signal
strength based roaming decision
* MACsec/MKA:
- new macsec_linux driver interface support for the Linux
kernel macsec module
- number of fixes and extensions
* added support for external persistent storage of PMKSA cache
(PMKSA_GET/PMKSA_ADD control interface commands; and
MESH_PMKSA_GET/MESH_PMKSA_SET for the mesh case)
* fixed mesh channel configuration pri/sec switch case
* added support for beacon report
* large number of other fixes, cleanup, and extensions
* added support for randomizing local address for GAS queries
(gas_rand_mac_addr parameter)
* fixed EAP-SIM/AKA/AKA' ext auth cases within TLS tunnel
* added option for using random WPS UUID (auto_uuid=1)
* added SHA256-hash support for OCSP certificate matching
* fixed EAP-AKA' to add AT_KDF into Synchronization-Failure
* fixed a regression in RSN pre-authentication candidate selection
* added option to configure allowed group management cipher suites
(group_mgmt network profile parameter)
* removed all PeerKey functionality
* fixed nl80211 AP and mesh mode configuration regression with
Linux 4.15 and newer
* added ap_isolate configuration option for AP mode
* added support for nl80211 to offload 4-way handshake into the driver
* added support for using wolfSSL cryptographic library
* SAE
- added support for configuring SAE password separately of the
WPA2 PSK/passphrase
- fixed PTK and EAPOL-Key integrity and key-wrap algorithm selection
for SAE;
note: this is not backwards compatible, i.e., both the AP and
station side implementations will need to be update at the same
time to maintain interoperability
- added support for Password Identifier
- fixed FT-SAE PMKID matching
* Hotspot 2.0
- added support for fetching of Operator Icon Metadata ANQP-element
- added support for Roaming Consortium Selection element
- added support for Terms and Conditions
- added support for OSEN connection in a shared RSN BSS
- added support for fetching Venue URL information
* added support for using OpenSSL 1.1.1
* FT
- disabled PMKSA caching with FT since it is not fully functional
- added support for SHA384 based AKM
- added support for BIP ciphers BIP-CMAC-256, BIP-GMAC-128,
BIP-GMAC-256 in addition to previously supported BIP-CMAC-128
- fixed additional IE inclusion in Reassociation Request frame when
using FT protocol
- Drop merged patches:
* rebased-v2.6-0001-hostapd-Avoid-key-reinstallation-in-FT-handshake.patch
* rebased-v2.6-0002-Prevent-reinstallation-of-an-already-in-use-group-ke.patch
* rebased-v2.6-0003-Extend-protection-of-GTK-IGTK-reinstallation-of-WNM-.patch
* rebased-v2.6-0004-Prevent-installation-of-an-all-zero-TK.patch
* rebased-v2.6-0005-Fix-PTK-rekeying-to-generate-a-new-ANonce.patch
* rebased-v2.6-0006-TDLS-Reject-TPK-TK-reconfiguration.patch
* rebased-v2.6-0007-WNM-Ignore-WNM-Sleep-Mode-Response-without-pending-r.patch
* rebased-v2.6-0008-FT-Do-not-allow-multiple-Reassociation-Response-fram.patch
* rebased-v2.6-0009-WPA-Ignore-unauthenticated-encrypted-EAPOL-Key-data.patch
* wpa_supplicant-bnc-1099835-fix-private-key-password.patch
* wpa_supplicant-bnc-1099835-clear-default_passwd_cb.patch
* wpa_supplicant-log-file-permission.patch
* wpa_supplicant-log-file-cloexec.patch
* wpa_supplicant-git-fa67debf4c6ddbc881a212b175faa6d5d0d90c8c.patch
* wpa_supplicant-git-f5b74b966c942feb95a8ddbb7d130540b15b796d.patch
- Rebase patches:
* wpa_supplicant-getrandom.patch�- Refresh spec-file via spec-cleaner and manual optimizations.
* Change URL and Source0 to actual project homepage.
* Remove macro %{?systemd_requires} and rm (not needed).
* Add %autopatch macro.
* Add %make_build macro.
- Chenged patch wpa_supplicant-flush-debug-output.patch (to -p1).
- Changed service-files for start after network (systemd-networkd).�- Refresh spec-file: add %license tag.�- Renamed patches:
- wpa-supplicant-log-file-permission.patch -> wpa_supplicant-log-file-permission.patch
- wpa-supplicant-log-file-cloexec.patch -> wpa_supplicant-log-file-cloexec.patch
- wpa_supplicant-log-file-permission.patch: Using O_WRONLY flag
- Enabled timestamps in log files (bsc#1080798)�- compile eapol_test binary to allow testing via radius proxy and server
(note: this does not match CONFIG_EAPOL_TEST which sets -Werror
and activates an assert call inside the code of wpa_supplicant)
(bsc#1111873), (fate#326725)
- add patch to fix wrong operator precedence in ieee802_11.c
wpa_supplicant-git-fa67debf4c6ddbc881a212b175faa6d5d0d90c8c.patch
- add patch to avoid redefinition of __bitwise macro
wpa_supplicant-git-f5b74b966c942feb95a8ddbb7d130540b15b796d.patch�- Added wpa-supplicant-log-file-permission.patch: Fixes the default file
permissions of the debug log file to more sane values, i.e. it is no longer
world-readable (bsc#1098854).
- Added wpa-supplicant-log-file-cloexec.patch: Open the debug log file with
O_CLOEXEC, which will prevent file descriptor leaking to child processes
(bsc#1098854).�- Added rebased-v2.6-0009-WPA-Ignore-unauthenticated-encrypted-EAPOL-Key-data.patch:
Ignore unauthenticated encrypted EAPOL-Key data (CVE-2018-14526, bsc#1104205).�- Enabled PWD as EAP method. This allows for password-based authentication,
which is easier to setup than most of the other methods, and is used by the
Eduroam network (bsc#1109209).�- add two patches from upstream to fix reading private key
passwords from the configuration file (bsc#1099835)
- add patch for git 89971d8b1e328a2f79699c953625d1671fd40384
wpa_supplicant-bnc-1099835-clear-default_passwd_cb.patch
- add patch for git f665c93e1d28fbab3d9127a8c3985cc32940824f
wpa_supplicant-bnc-1099835-fix-private-key-password.patch�- Fix KRACK attacks (bsc#1056061, CVE-2017-13078, CVE-2017-13079, CVE-2017-13080, CVE-2017-13081, CVE-2017-13087, CVE-2017-13088):
- rebased-v2.6-0001-hostapd-Avoid-key-reinstallation-in-FT-handshake.patch
- rebased-v2.6-0002-Prevent-reinstallation-of-an-already-in-use-group-ke.patch
- rebased-v2.6-0003-Extend-protection-of-GTK-IGTK-reinstallation-of-WNM-.patch
- rebased-v2.6-0004-Prevent-installation-of-an-all-zero-TK.patch
- rebased-v2.6-0005-Fix-PTK-rekeying-to-generate-a-new-ANonce.patch
- rebased-v2.6-0006-TDLS-Reject-TPK-TK-reconfiguration.patch
- rebased-v2.6-0007-WNM-Ignore-WNM-Sleep-Mode-Response-without-pending-r.patch
- rebased-v2.6-0008-FT-Do-not-allow-multiple-Reassociation-Response-fram.patch�- fix wpa_supplicant-sigusr1-changes-debuglevel.patch to match
eloop_signal_handler type (needed to build eapol_test via config)�- Added .service files that accept interfaces as %i arguments so it's possible
to call the daemon with:
"systemctl start wpa_supplicant@$INTERFACE_NAME.service"
(like openvpn for example)�- updated to 2.6 / 2016-10-02
* fixed WNM Sleep Mode processing when PMF is not enabled
[http://w1.fi/security/2015-6/] (CVE-2015-5310 bsc#952254)
* fixed EAP-pwd last fragment validation
[http://w1.fi/security/2015-7/] (CVE-2015-5315 bsc#953115)
* fixed EAP-pwd unexpected Confirm message processing
[http://w1.fi/security/2015-8/] (CVE-2015-5316 bsc#953115)
* fixed WPS configuration update vulnerability with malformed passphrase
[http://w1.fi/security/2016-1/] (CVE-2016-4476 bsc#978172)
* fixed configuration update vulnerability with malformed parameters set
over the local control interface
[http://w1.fi/security/2016-1/] (CVE-2016-4477 bsc#978175)
* fixed TK configuration to the driver in EAPOL-Key 3/4 retry case
* extended channel switch support for P2P GO
* started to throttle control interface event message bursts to avoid
issues with monitor sockets running out of buffer space
* mesh mode fixes/improvements
- generate proper AID for peer
- enable WMM by default
- add VHT support
- fix PMKID derivation
- improve robustness on various exchanges
- fix peer link counting in reconnect case
- improve mesh joining behavior
- allow DTIM period to be configured
- allow HT to be disabled (disable_ht=1)
- add MESH_PEER_ADD and MESH_PEER_REMOVE commands
- add support for PMKSA caching
- add minimal support for SAE group negotiation
- allow pairwise/group cipher to be configured in the network profile
- use ieee80211w profile parameter to enable/disable PMF and derive
a separate TX IGTK if PMF is enabled instead of using MGTK
incorrectly
- fix AEK and MTK derivation
- remove GTKdata and IGTKdata from Mesh Peering Confirm/Close
- note: these changes are not fully backwards compatible for secure
(RSN) mesh network
* fixed PMKID derivation with SAE
* added support for requesting and fetching arbitrary ANQP-elements
without internal support in wpa_supplicant for the specific element
(anqp[265]= in "BSS " command output)
* P2P
- filter control characters in group client device names to be
consistent with other P2P peer cases
- support VHT 80+80 MHz and 160 MHz
- indicate group completion in P2P Client role after data association
instead of already after the WPS provisioning step
- improve group-join operation to use SSID, if known, to filter BSS
entries
- added optional ssid= argument to P2P_CONNECT for join case
- added P2P_GROUP_MEMBER command to fetch client interface address
* P2PS
- fix follow-on PD Response behavior
- fix PD Response generation for unknown peer
- fix persistent group reporting
- add channel policy to PD Request
- add group SSID to the P2PS-PROV-DONE event
- allow "P2P_CONNECT p2ps" to be used without specifying the
default PIN
* BoringSSL
- support for OCSP stapling
- support building of h20-osu-client
* D-Bus
- add ExpectDisconnect()
- add global config parameters as properties
- add SaveConfig()
- add VendorElemAdd(), VendorElemGet(), VendorElemRem()
* fixed Suite B 192-bit AKM to use proper PMK length
(note: this makes old releases incompatible with the fixed behavior)
* improved PMF behavior for cases where the AP and STA has different
configuration by not trying to connect in some corner cases where the
connection cannot succeed
* added option to reopen debug log (e.g., to rotate the file) upon
receipt of SIGHUP signal
* EAP-pwd: added support for Brainpool Elliptic Curves
(with OpenSSL 1.0.2 and newer)
* fixed EAPOL reauthentication after FT protocol run
* fixed FTIE generation for 4-way handshake after FT protocol run
* extended INTERFACE_ADD command to allow certain type (sta/ap)
interface to be created
* fixed and improved various FST operations
* added 80+80 MHz and 160 MHz VHT support for IBSS/mesh
* fixed SIGNAL_POLL in IBSS and mesh cases
* added an option to abort an ongoing scan (used to speed up connection
and can also be done with the new ABORT_SCAN command)
* TLS client
- do not verify CA certificates when ca_cert is not specified
- support validating server certificate hash
- support SHA384 and SHA512 hashes
- add signature_algorithms extension into ClientHello
- support TLS v1.2 signature algorithm with SHA384 and SHA512
- support server certificate probing
- allow specific TLS versions to be disabled with phase2 parameter
- support extKeyUsage
- support PKCS #5 v2.0 PBES2
- support PKCS #5 with PKCS #12 style key decryption
- minimal support for PKCS #12
- support OCSP stapling (including ocsp_multi)
* OpenSSL
- support OpenSSL 1.1 API changes
- drop support for OpenSSL 0.9.8
- drop support for OpenSSL 1.0.0
* added support for multiple schedule scan plans (sched_scan_plans)
* added support for external server certificate chain validation
(tls_ext_cert_check=1 in the network profile phase1 parameter)
* made phase2 parser more strict about correct use of auth= and
autheap= values
* improved GAS offchannel operations with comeback request
* added SIGNAL_MONITOR command to request signal strength monitoring
events
* added command for retrieving HS 2.0 icons with in-memory storage
(REQ_HS20_ICON, GET_HS20_ICON, DEL_HS20_ICON commands and
RX-HS20-ICON event)
* enabled ACS support for AP mode operations with wpa_supplicant
* EAP-PEAP: fixed interoperability issue with Windows 2012r2 server
("Invalid Compound_MAC in cryptobinding TLV")
* EAP-TTLS: fixed success after fragmented final Phase 2 message
* VHT: added interoperability workaround for 80+80 and 160 MHz channels
* WNM: workaround for broken AP operating class behavior
* added kqueue(2) support for eloop (CONFIG_ELOOP_KQUEUE)
* nl80211:
- add support for full station state operations
- do not add NL80211_ATTR_SMPS_MODE attribute if HT is disabled
- add NL80211_ATTR_PREV_BSSID with Connect command
- fix IEEE 802.1X/WEP EAP reauthentication and rekeying to use
unencrypted EAPOL frames
* added initial MBO support; number of extensions to WNM BSS Transition
Management
* added support for PBSS/PCP and P2P on 60 GHz
* Interworking: add credential realm to EAP-TLS identity
* fixed EAPOL-Key Request Secure bit to be 1 if PTK is set
* HS 2.0: add support for configuring frame filters
* added POLL_STA command to check connectivity in AP mode
* added initial functionality for location related operations
* started to ignore pmf=1/2 parameter for non-RSN networks
* added wps_disabled=1 network profile parameter to allow AP mode to
be started without enabling WPS
* wpa_cli: added action script support for AP-ENABLED and AP-DISABLED
events
* improved Public Action frame addressing
- add gas_address3 configuration parameter to control Address 3
behavior
* number of small fixes
- wpa_supplicant-dump-certificate-as-PEM-in-debug-mode.diff: dump x509
certificates from remote radius server in debug mode in WPA-EAP.�- Remove support for <12.3 as we are unresolvable there anyway
- Use qt5 on 13.2 if someone pulls this package in
- Convert to pkgconfig dependencies over the devel pkgs
- Use the %qmake5 macro to build the qt5 gui�- add After=dbus.service to prevent too early shutdown (bnc#963652)�- Revert CONFIG_ELOOP_EPOLL=y, it is broken in combination
with CONFIG_DBUS=yes.�- spec: Compile the GUI against QT5 in 13.2 and later.�- Previous update did not include version 2.5 tarball
or changed the version number in spec, only the changelog
and removed patches.
- config: set CONFIG_NO_RANDOM_POOL=y, we have a reliable·
random number generator by using /dev/urandom, no need to
keep an internal random number pool which draws entropy from
/dev/random.
- config: prefer using epoll(7) instead of select(2)
by setting CONFIG_ELOOP_EPOLL=y
- wpa_supplicant-getrandom.patch: Prefer to use the getrandom(2)
system call to collect entropy. if it is not present disable
buffering when reading /dev/urandom, otherwise each os_get_random()
call will request BUFSIZ of entropy instead of the few needed bytes.�- add aliases for both provided dbus names to avoid systemd stopping the
service when switching runlevels (boo#966535)�- removed obsolete security patches:
* 0001-P2P-Validate-SSID-element-length-before-copying-it-C.patch
* 0001-WPS-Fix-HTTP-chunked-transfer-encoding-parser.patch
* 0001-AP-WMM-Fix-integer-underflow-in-WMM-Action-frame-par.patch
* 0001-EAP-pwd-peer-Fix-payload-length-validation-for-Commi.patch
* wpa_s-D-Bus-Fix-operations-when-P2P-management-interface-is-used.patch
* 0002-EAP-pwd-server-Fix-payload-length-validation-for-Com.patch
* 0003-EAP-pwd-peer-Fix-Total-Length-parsing-for-fragment-r.patch
* 0004-EAP-pwd-server-Fix-Total-Length-parsing-for-fragment.patch
* 0005-EAP-pwd-peer-Fix-asymmetric-fragmentation-behavior.patch
- Update to upstream release 2.5
* fixed P2P validation of SSID element length before copying it
[http://w1.fi/security/2015-1/] (CVE-2015-1863)
* fixed WPS UPnP vulnerability with HTTP chunked transfer encoding
[http://w1.fi/security/2015-2/] (CVE-2015-4141)
* fixed WMM Action frame parser (AP mode)
[http://w1.fi/security/2015-3/] (CVE-2015-4142)
* fixed EAP-pwd peer missing payload length validation
[http://w1.fi/security/2015-4/]
(CVE-2015-4143, CVE-2015-4144, CVE-2015-4145, CVE-2015-4146)
* fixed validation of WPS and P2P NFC NDEF record payload length
[http://w1.fi/security/2015-5/] (CVE-2015-8041)
* nl80211:
- added VHT configuration for IBSS
- fixed vendor command handling to check OUI properly
- allow driver-based roaming to change ESS
* added AVG_BEACON_RSSI to SIGNAL_POLL output
* wpa_cli: added tab completion for number of commands
* removed unmaintained and not yet completed SChannel/CryptoAPI support
* modified Extended Capabilities element use in Probe Request frames to
include all cases if any of the values are non-zero
* added support for dynamically creating/removing a virtual interface
with interface_add/interface_remove
* added support for hashed password (NtHash) in EAP-pwd peer
* added support for memory-only PSK/passphrase (mem_only_psk=1 and
CTRL-REQ/RSP-PSK_PASSPHRASE)
* P2P
- optimize scan frequencies list when re-joining a persistent group
- fixed number of sequences with nl80211 P2P Device interface
- added operating class 125 for P2P use cases (this allows 5 GHz
channels 161 and 169 to be used if they are enabled in the current
regulatory domain)
- number of fixes to P2PS functionality
- do not allow 40 MHz co-ex PRI/SEC switch to force MCC
- extended support for preferred channel listing
* D-Bus:
- fixed WPS property of fi.w1.wpa_supplicant1.BSS interface
- fixed PresenceRequest to use group interface
- added new signals: FindStopped, WPS pbc-overlap,
GroupFormationFailure, WPS timeout, InvitationReceived
- added new methods: WPS Cancel, P2P Cancel, Reconnect, RemoveClient
- added manufacturer info
* added EAP-EKE peer support for deriving Session-Id
* added wps_priority configuration parameter to set the default priority
for all network profiles added by WPS
* added support to request a scan with specific SSIDs with the SCAN
command (optional "ssid " arguments)
* removed support for WEP40/WEP104 as a group cipher with WPA/WPA2
* fixed SAE group selection in an error case
* modified SAE routines to be more robust and PWE generation to be
stronger against timing attacks
* added support for Brainpool Elliptic Curves with SAE
* added support for CCMP-256 and GCMP-256 as group ciphers with FT
* fixed BSS selection based on estimated throughput
* added option to disable TLSv1.0 with OpenSSL
(phase1="tls_disable_tlsv1_0=1")
* added Fast Session Transfer (FST) module
* fixed OpenSSL PKCS#12 extra certificate handling
* fixed key derivation for Suite B 192-bit AKM (this breaks
compatibility with the earlier version)
* added RSN IE to Mesh Peering Open/Confirm frames
* number of small fixes�- added patch for bnc#930077 CVE-2015-4141
0001-AP-WMM-Fix-integer-underflow-in-WMM-Action-frame-par.patch
- added patch for bnc#930078 CVE-2015-4142
0001-WPS-Fix-HTTP-chunked-transfer-encoding-parser.patch
- added patches for bnc#930079 CVE-2015-4143
0001-EAP-pwd-peer-Fix-payload-length-validation-for-Commi.patch
0002-EAP-pwd-server-Fix-payload-length-validation-for-Com.patch
0003-EAP-pwd-peer-Fix-Total-Length-parsing-for-fragment-r.patch
0004-EAP-pwd-server-Fix-Total-Length-parsing-for-fragment.patch
0005-EAP-pwd-peer-Fix-asymmetric-fragmentation-behavior.patch�- Add wpa_s-D-Bus-Fix-operations-when-P2P-management-interface-is-used.patch
Fix Segmentation fault in wpa_supplicant. Patch taken from
upstream master git (arch#44740).�- 0001-P2P-Validate-SSID-element-length-before-copying-it-C.patch
Fix CVE-2015-1863, memcpy overflow.
- wpa_supplicant-alloc_size.patch: annotate two wrappers
with attribute alloc_size, which may help warning us of
bugs such as the above.�- Delete wpa_priv and eapol_test man pages, these are disabled in config
- Move wpa_gui man page to gui package�- Update to 2.4
* allow OpenSSL cipher configuration to be set for internal EAP server
(openssl_ciphers parameter)
* fixed number of small issues based on hwsim test case failures and
static analyzer reports
* P2P:
- add new=<0/1> flag to P2P-DEVICE-FOUND events
- add passive channels in invitation response from P2P Client
- enable nl80211 P2P_DEVICE support by default
- fix regresssion in disallow_freq preventing search on social
channels
- fix regressions in P2P SD query processing
- try to re-invite with social operating channel if no common channels
in invitation
- allow cross connection on parent interface (this fixes number of
use cases with nl80211)
- add support for P2P services (P2PS)
- add p2p_go_ctwindow configuration parameter to allow GO CTWindow to
be configured
* increase postponing of EAPOL-Start by one second with AP/GO that
supports WPS 2.0 (this makes it less likely to trigger extra roundtrip
of identity frames)
* add support for PMKSA caching with SAE
* add support for control mesh BSS (IEEE 802.11s) operations
* fixed number of issues with D-Bus P2P commands
* fixed regression in ap_scan=2 special case for WPS
* fixed macsec_validate configuration
* add a workaround for incorrectly behaving APs that try to use
EAPOL-Key descriptor version 3 when the station supports PMF even if
PMF is not enabled on the AP
* allow TLS v1.1 and v1.2 to be negotiated by default; previous behavior
of disabling these can be configured to work around issues with broken
servers with phase1="tls_disable_tlsv1_1=1 tls_disable_tlsv1_2=1"
* add support for Suite B (128-bit and 192-bit level) key management and
cipher suites
* add WMM-AC support (WMM_AC_ADDTS/WMM_AC_DELTS)
* improved BSS Transition Management processing
* add support for neighbor report
* add support for link measurement
* fixed expiration of BSS entry with all-zeros BSSID
* add optional LAST_ID=x argument to LIST_NETWORK to allow all
configured networks to be listed even with huge number of network
profiles
* add support for EAP Re-Authentication Protocol (ERP)
* fixed EAP-IKEv2 fragmentation reassembly
* improved PKCS#11 configuration for OpenSSL
* set stdout to be line-buffered
* add TDLS channel switch configuration
* add support for MAC address randomization in scans with nl80211
* enable HT for IBSS if supported by the driver
* add BSSID black and white lists (bssid_blacklist, bssid_whitelist)
* add support for domain_suffix_match with GnuTLS
* add OCSP stapling client support with GnuTLS
* include peer certificate in EAP events even without a separate probe
operation; old behavior can be restored with cert_in_cb=0
* add peer ceritficate alt subject name to EAP events
(CTRL-EVENT-EAP-PEER-ALT)
* add domain_match network profile parameter (similar to
domain_suffix_match, but full match is required)
* enable AP/GO mode HT Tx STBC automatically based on driver support
* add ANQP-QUERY-DONE event to provide information on ANQP parsing
status
* allow passive scanning to be forced with passive_scan=1
* add a workaround for Linux packet socket behavior when interface is in
bridge
* increase 5 GHz band preference in BSS selection (estimate SNR, if info
not available from driver; estimate maximum throughput based on common
HT/VHT/specific TX rate support)
* add INTERWORKING_ADD_NETWORK ctrl_iface command; this can be used to
implement Interworking network selection behavior in upper layers
software components
* add optional reassoc_same_bss_optim=1 (disabled by default)
optimization to avoid unnecessary Authentication frame exchange
* extend TDLS frame padding workaround to cover all packets
* allow wpa_supplicant to recover nl80211 functionality if the cfg80211
module gets removed and reloaded without restarting wpa_supplicant
* allow hostapd DFS implementation to be used in wpa_supplicant AP mode�- Update to 2.3
* fixed number of minor issues identified in static analyzer warnings
* fixed wfd_dev_info to be more careful and not read beyond the buffer
when parsing invalid information for P2P-DEVICE-FOUND
* extended P2P and GAS query operations to support drivers that have
maximum remain-on-channel time below 1000 ms (500 ms is the current
minimum supported value)
* added p2p_search_delay parameter to make the default p2p_find delay
configurable
* improved P2P operating channel selection for various multi-channel
concurrency cases
* fixed some TDLS failure cases to clean up driver state
* fixed dynamic interface addition cases with nl80211 to avoid adding
ifindex values to incorrect interface to skip foreign interface events
properly
* added TDLS workaround for some APs that may add extra data to the
end of a short frame
* fixed EAP-AKA' message parser with multiple AT_KDF attributes
* added configuration option (p2p_passphrase_len) to allow longer
passphrases to be generated for P2P groups
* fixed IBSS channel configuration in some corner cases
* improved HT/VHT/QoS parameter setup for TDLS
* modified D-Bus interface for P2P peers/groups
* started to use constant time comparison for various password and hash
values to reduce possibility of any externally measurable timing
differences
* extended explicit clearing of freed memory and expired keys to avoid
keeping private data in memory longer than necessary
* added optional scan_id parameter to the SCAN command to allow manual
scan requests for active scans for specific configured SSIDs
* fixed CTRL-EVENT-REGDOM-CHANGE event init parameter value
* added option to set Hotspot 2.0 Rel 2 update_identifier in network
configuration to support external configuration
* modified Android PNO functionality to send Probe Request frames only
for hidden SSIDs (based on scan_ssid=1)
* added generic mechanism for adding vendor elements into frames at
runtime (VENDOR_ELEM_ADD, VENDOR_ELEM_GET, VENDOR_ELEM_REMOVE)
* added fields to show unrecognized vendor elements in P2P_PEER
* removed EAP-TTLS/MSCHAPv2 interoperability workaround so that
MS-CHAP2-Success is required to be present regardless of
eap_workaround configuration
* modified EAP fast session resumption to allow results to be used only
with the same network block that generated them
* extended freq_list configuration to apply for sched_scan as well as
normal scan
* modified WPS to merge mixed-WPA/WPA2 credentials from a single session
* fixed nl80211/RTM_DELLINK processing when a P2P GO interface is
removed from a bridge
* fixed number of small P2P issues to make negotiations more robust in
corner cases
* added experimental support for using temporary, random local MAC
address (mac_addr and preassoc_mac_addr parameters); this is disabled
by default (i.e., previous behavior of using permanent address is
maintained if configuration is not changed)
* added D-Bus interface for setting/clearing WFD IEs
* fixed TDLS AID configuration for VHT
* modified -m configuration file to be used only for the P2P
non-netdev management device and do not load this for the default
station interface or load the station interface configuration for
the P2P management interface
* fixed external MAC address changes while wpa_supplicant is running
* started to enable HT (if supported by the driver) for IBSS
* fixed wpa_cli action script execution to use more robust mechanism
(CVE-2014-3686)�h01-ch2c 1726746330�����������������������������2.10-150600.7.3.1�2.10-150600.7.3.1���������wpa_gui�wpa_gui.8.gz�/usr/sbin/�/usr/share/man/man8/�-fmessage-length=0 -grecord-gcc-switches -O2 -Wall -D_FORTIFY_SOURCE=2 -fstack-protector-strong -funwind-tables -fasynchronous-unwind-tables -fstack-clash-protection -g�obs://build.suse.de/SUSE:Maintenance:35766/SUSE_SLE-15-SP6_Update/1481ab215a0b1830ea80ceb6538f4766-wpa_supplicant.SUSE_SLE-15-SP6_Update�drpm�xz�5�x86_64-suse-linux����������ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=4923937a402e628dcf7411070b99214f84f65bd3, for GNU/Linux 3.2.0, stripped�troff or preprocessor input, ASCII text (gzip compressed data, max compression, from Unix)�������������������R���R���R���R���R���R���R���R���R�� R���R��
R���R��
R���R���R���R���R���R���R���R���R����UV&3�fy0�����utf-8�039f7d22b77945be6000d3f37931410e5004a8bf1664ecad2030f8b83f18b8ae���������?���� ����7zXZ��
���!�����t/j�XF]�"��k%}RUJz�x�+P"\��5}��B�db$BKZF�8q"I�{C!qd$-)Oi{aT�H):o�LU!s!X
X?Kb{ylS)2L���d~&788E�Uxlĩ�g�8>&?2}��d�kLcꕂ973LB< TP)DA`�trE|D�t%�Hjr{�&gn�][o0睼�aXtD�W={�/6K�Jfn3�X17*wXJs_;ޞ�`��Z?<�7�@�آ/HCF2N�A�&AƇY3>cÆq]�r_ib�^1y�|b�>Qò
�p�kUT�6�T �w4>]B^'�ܟ}svԱ
foQ^���mC�o!�m&dŲ;�i8Y!0!t|%�w�H9�I�����l$GdTf�`U]ߚu
ߦڸ��-op=\�1m��n�dR7�]C�ş(]W!̵B{7+ߚ|�Nj=8gBZk
�Mc 㼢SN��Z<�7G$L�<$�+l핛&�I@뻒-2R�����Up1N�;BÇ5&�tP]kV�)}ok��K Y���ô?0_P-`qC��goer�q�XK8M''ߤ1*2#6]Yoy#Ή�>L>�
KgL�i�~&^{ё�
�ga�;��^�I?&����9Si2,Z�k]r@g]W/6FtG�,�KpjOp�W#۠yR��*M��SB�4sL|A �f:o0ͷRF
b4.��+��^mW��p&G*zƨ;%2hߔHiV4S�sh�
|-?da}C(��
끏*qSr} ܿ_�g�[pP۸jNMf #�O����yJ���}!��PaƦ�A>n(ͥ2@\}1lkE�5�N:ظr���ױx^�!kn�TxzuY�!Q� ڐ$&u߽yB
ƶ
0L^a�<
ixe
F"2'f����,b6tQ�"F��&�6BYda��sL�/b�v�J�Q�YA�fgX9Ka1yb6Y-O�|/Iݟ�H�>#3',̪Z�
MdD�>ȝjf\T:);P�I�%�v(�TdIg[k@n�AlZy)PjtHKk
Ko��I'�"�+k\�^^�v���:Ő�BˇZ
�R64>�"y-*��<�NqVJ��z��ۀ�2h9�IZ.&*,���\�}�A�jťf$FV�$F(b�*R@`N>*v*R8oGcwJ/!o3O
��=[QCc��)ъ�
˻�Ω0�7X�v�+v==�
$Ur4!lɱ>8?N#kסF��$Mc:�R9�B](�]���k-0 공���N_>ۚZIj�X9i<�.�G�
Y(|76&u�ޛrljO
ǭI/3Z ,R�I˃9:�09��E�XeV"ݛڏ<)T�{ n^5Tkxˆ)�ivX92�XFj0 e8ALjcuf�_�~˧�Dx�Mʏcl=_:H1c�/3�ET
z�Լ�e; '��Up=9�-3�jWV�e�EFk^(j�SpPKti�37eIC�ݢf����W��)r
p7laey��;vO)�hTDԨх\Qf}
U>e Z;gx~��Xم
yf�CFxAT�#9{$�װA$vz->Zi{}b]opBgqy/Y|۩ܚ@jVx!qm�!rDa���`Z3͘0Wl�o�g3S=]I�)�ft|{ktQ�PjJaP�etB�߆P<1Jh�t�qGJ����'ri^ӈ�ǤCj8p�'h*˨ 3˒<*Z��lג��B yҜ ��X_�~�뜼)8 %(x.��y3��.oC5'�ӿqoi
��Θv
�r�#�\vr])"E�w�`At��˚m�7
eZI=/�4~tYxL�F�ȳxt�I
r]�
z�4u_!=@�A'W7]>(ə_n�2~g�Vr�\�bSQIטּ:CX#s~+UpRLL]Q�T(}p"J^s;*0:gʅռ*#=�[BDK��aKDSgʬ�"o ;J<*.<ڙފi"c�Q0�3:_2[ӣDIU,??#g3�"�GTR
P�j'�d&K=#
�
C#L�OSK'{1/��
}:"�1�A=; ���ت0wRӚcm0 nB#1.-*lظFCB�nw�z�B��Con$F�myTq@E@��+j{*g5BN:
?CFv�r�`3);
�D[�z/.�Gܡ4^�H2N۽C[N}1R��k�n3ThpZk^^�8;V�ح?�}�cksr�p$/X�ȁwVI9Bgۚ?M&jw?े?7MvAGfY�Yq*�S9jN1}�pRL�wC䨳�h)s֏pB]rA�v��o]|,>9|&�6TZ6WZFeۣշR�M/�=j�)�W4�<�O[-�̗6h:qiUjUf@]خPxq2]2Ut�`4)5!�Vl�\B����'B`@�1>�߳�[�
�@0{f�L3hCvݯ��&�~��B'\)=G&m*:M��nt
�[AqdeCM`0 I2n3>2hqU=45:�=o�;6!W�SIɱ]t�`D�zBz'1�9d5A]d5Fr]&ϖI)�Չ-Ү#��d*�UW�)�#1Ii�
!ґE S϶�{o��2��o f�.�[�:���zo�ߜ~^3v7�B@v}d&jܚ2���E���r٨�[�(ݵ>f,ї66���Y�gAM�G�
3Z���M|��ޟ:S5'T�﹏�-]}*?f�b
H�kf�Fuz}Br/�J�?{5ƍP�Lx,�\o)�ș�:WËR�Z[W ^nFH�nd�pz}��T�:�~v�7s4G0։�P7'N�\ӡ OqQK\���* #�n��b�cr;G�\j%_J�]zTHBG;�9uJ_nu@&>e-K*R6:r@��ʗ�f�-�hIn�@A�P�]=)qq�rEkW26�V�`^GvJ�Nf鸏J?a5z8+ZDz�=p�BoN�U?b�V\7k��SS0rxSD[�|ˢ�q4Ӟ�ndFQU+�#�QìM�Hg�lm�f�F�5nc^KT5+8��4~}t�Z`�h� ҷ�S�b_萙V]?aL*\�EU�!S̖��#�냶Ǚ;\:nQWwE�Kަ�B�[5Q��\?YgoQ"^w3q�#��WGCws�s�4Y&E&5lO �b�
!,:bJrjحY^PRW{09qe�l3h8h
>5WיEBl~`t2�(�U�D�_bRK3'=/˦˰XywR�i}y�b=��]q_#]7>}�`Kh��Rk�x&W�!^#CKGfdLʷ-h�Bh8K���/�v)ݛd��i'y�:��7ΈwZ4X�P�X?ߟk�;5�Pj׀߶I.9M��#�MΕpi�ld1)&5��Z�ڮqe�Q7ψae t�r�Y4&+[4W$`3̨A\SPs?0R(�R�?0�nrk£_s=�Hy�$�_83BQgI{=2,ɤ'A@�~L�I-wEqp[bf9}c[̢T^Jz��,
}�b0HSش���sjAA8�Su*9cutч^�7��� h;#���rk\\
M\d1.�i�~Y�;�@�u oN�Kg\;*Np�7e�4��o��櫊1�u�zJpD\x3b�� oMOמ)D�[5�ұO��S@�Lބ*4� �w(wϴ�ȖcUL�`7a<�S.�Ud�]*�h��ѶQ6X;�EC:�rMAPz�S/(+VqF˄�8EJ;�tHxˋNt.@�D��c'�R?$8 �u��$u&3��\ITbYB{!]'0G.�PTkkSdr5Vft-�XCmw}!ؑ5o}|8wS9SVzPb~Y��(tp[*%;W�ex#��.-ҭص`RE��K^%[
;�a'�:�#�CkS9o<*Sm�DxB2,Dڗϒ!k'DZ�!hf�U��ߖBd]Jhu8Y/_5o���N%�"�z*Ra�#oXQL%�4Γ-ݙ欥rĔM�48d����EW�J|Ԥ<Υ1KrFN-;��!M�;"*`ތ1y5pXGJr٭4B�`0��%��>xHl(u3o�fL�h�nM�O\ިq3�}�(!}lP+�BmLe�=C��p{"H��Pu<
��ݹ IgC��;�0�kgB�Bdi졻bDr��biƥ��U`-]-8�1ؾ`C/�Ϡ�L,}X/(�;FG�k�t[넀0$}(W[4eNBK)y:{mA��R \dZMޗ0W?^J����IM!@k&j�e~wy
�:fɎķ%dG1YI>v`�gIc��p=�.3#hJd5?v�Ģ��A���i�Z�Ɨ?-x{�]!J+@�˯6�:?W@s N�DL5_#�Z��SDQ�b�BGC@h�n�]i;zfiTvp݈ل,idk�gUL>(-P�ӫenSlO@E�OFJtz�')vI��CyE+Ld^T=u�P+&ol5! k�e33}bMe�?�9�>yn�ykBGX
jpYA� �l%ٻ�*߀?��Y�U�6�WNs÷��j�K�GuNfU82Ѳ>+D~8ޠZ-��>;&K�pJ�h@1oh\
:za�.}�_~�[2��iU1r>O$اHǑv.M�{V�&�Ca^0+=!=矢X`e
l"�nd-knjQm62i?wѝIFsv�^;ڏ�䑢-�Í�~�#/,li#N,w{J^se��}�Q7e�ͱL늳DŹZ9���lxpM;fd\�&C\.Qĺ�ЈsǦ:VKΤ�6՛_Y.4wD'�J["0~5{� �m�֒dO�9�zKwGcZH$KM9�ҸTzA%?P�ahRPT�0i{5Ї�&ʴFLlđ��'4��L'}�զq<
�`T�'{:xf|~k�ed�'B`Al�ҁ�q~7� D��O2k[6Y'ԷiQ&ya�3]7 >X+)8Z�oEO]U03fj&�<��yd^PW�kSzh?��Kח�nqDItSNl@耉'��"2����mFS��No�Y�4ۡCE+4Ma�{j��TsL�
0ҵT
F,IJL1�S"�w#<]&��
?=��Xyo,1ۛ��gWֺ�oe�^F�#ru8џ�p�:6(���W��HS�h[P6\y-�sm���K.5h_�EզN^J݉t�((K�ߒCNmaHK
R)h� Ӏ7�,ޜ>[r�7ڐa?` B� ��=˕1!x�Ȳ8o[��!0'
C����1kEL/�(;dvm%SU�]ó]Ik��5�("�ʿ�{U���
HVh]oπGTy]
�eхp*B%,��F̺�4APC Q�4y.:-:Ȥ�V.��5Wc?Y�o�y.{"#6.R�\u>̙;'�JK��uF\��v
#OcB}�B�h`�]B'�k^z�tƴ
�5�Η�
PF*a|c$Ѽ���m 9�~!FL[Z2bd=�8ϵ@L 3
])8 �`p^{
T8+}ѝn̩%%dhTN�l0b�>]
�+� y���6�?ݸ9ÀsУ�N��ߤ
w�zӚҥNaσv�]ZޚS�/(/K=I��;E��"ø]�}��'!��pX}#`��W�o<�gBʯ8��7@<�t�]�!�_zU`I}?GZ$KW�ˠcGt7AyX�*O_SE�YRf$v,.5!ۚy<}t�\:*�V
c�nSs£ЍCŠ1 E�
a
j�5-'9 Km k%KrO/z��4P-ߗMo4,߈f�vmjv�FSs\��yN
2%@hn@�BGW�!��V\:f
�W9n>�h$h
na\)7g fd'T�?�pqx�./i0\QSWHlOs"<�CRhW"[�u;fo�Wu$Qc�B"?��/+>;7C;x'��8ȠYq���#rr;!U/�utb�!�ɣb��a-e?��c?ŷ@X��AޖIFԺ`nx!��b�s� `>ltEiU≓�s|Ċ�FwD{`Ue_5!1qE��9<�I�t�ɶ�7@H0�7wL�O>8���?9f翡6Xa#����}��yKfDML��wB�e��3W4�Ub�Tp�aq ��f5q)^oL~�e%,;?�k"bE1�80e5lz%Om�vZ�
U%��[2Eč�5#�;h?��pQR1GFRB(P�.wh4k+#N�^*cL���4˃PStSV8ɖcQh/鰿P,$ )(鍊
P�´3��$P�ݑ�J3 1bg��&K|ύްۃjȐ�+KHͣV ؛�ے$ƞ`(,�P��� nGQgcQ%o
bP��Ƣz�ZOAnF�V�1YBp;t,4E�v �JۮV{WT%���K����X�~2�7uK/^$BX'�q��
f(g!�i�=�鎴MTTGt�2EUP4~�D`<
&C�@�XEk�PoIB�q�
m?R(/,��5l|�v~ e4�llƳ.�`o �5U#!H0nXqq�;1B(3� �t�)Aw=O1s?�# u1�`�F�.ā'ClDNPeb|�*�0:#j8f}�*s֭u�M־2/�>/IgN.usDزz���C)��τ~,(qB6��NLx¹=>O@5%y�noˬ�c{Y,..'��|�f\��P�Z0*�P(_;
�<�f'氁$+bTkA�e�K1Y�O�cv/7�V o�pI�[9�/^[5OC-QdA#|]|Řk��#^֚$G_�/ &;D��;1zŷ]27Fl ;]#cV��L'��,GVb{
dz~$#�pSӬě'|`
�H(��?ux�Ϙ`��b/�&,9a�w�O$�>�0�b~6�۲ӧ<~=ص�'��Ąאm�
.�71\6ʸs7jQVn&dsrhWǝ{�m4��m�P��!F�A넒cҺ�0p@yQMºnFPU4�[!S[gJE~b/��M ˛�x�yM~Θ+j$0wzBTh�6۸�e�0';r2+)Y�{H_[�sk9iT�`3
� `G{^'�hz� D#)j>�H�}'l�/9��\�vw��3|U!5�%�ZЪ뺰ȷ U�!eZr' YnI�w'tF1FZLTxri/�fWi
�hF\T%B~% dv6Z(�1V7> U�49�>\�L^a8AMl%z�݆~Gؗ�$>Dի0DsՋiQ(v>K!^{�S�7#��p=EU��}/~ѱ�92�*�9GP%�;�N�)Ɇ����]q��y=>~fmGJB��c-�xC�wcKHg�;v,Jgܶ;
�JO˞$�o7`;�\Y��NM˿4�>%a �uՉ$( i~YQn#7
l4`mJgR}���S[Wm$_�;E~�)WАK�M�rSc3Sq�:BI�t�.DHǼG#˔}N:ѥ8�AMhksr��oEc�l�z'�\S/ե01p$tb1��c3F��Ђ�x.aI/Ǣb^�'�k&}Rgh
0`ʥǸVg�e�BXιC}N� ~�-zw�,J�(99a�ЖkDlIH;oqn �\j365IEx[Ԯ��=H#Ss箿�onDUU&@�<34��o������G�+�
��B�s8IՐzHQȴ?O1i5�Rsyi=Dؽ'K4odh�Vw�aiSOW��5v[=eabE)+so@qy��.ņK�u9�rg�}JX�4���L��=�ѓ��&@I&[�PJc�|HZU�.*Q�4y!BDf.^>�Ԕ;33n1ܫNh)^5GEHC\e2[�n �sb�\w$JoX�
�Ľ@GW�KS1rǩur2=�k�a\SC�SX'X#!��� ��Y��u�va?ni=u��g2JȈqrb߱UՋ"S�=^�K�_;�ng%@�9�x(__�dQ)� �x<�DFE�_ L,-�ݠ�z援��,wi&^0��O�rgrq_/�;� �x�Z8OBhg�L2p(Qeհ�s&m9Qh��N�C=��"œy�V����Ȫ;Fc`ƀY'ȣwR=a0'Qɐ;��41N[FI)9�s���%j[$ !6{RT`5b�F^C@`hΦKs�=��(aqeLśAź.էO9}
@�[�]B3�$H���b��/Q��w�mP@�ڮXZ3�n%y,'
f0
�D�/�o�P21Lϐ�ɻ/��:cM\\AZ)gXZ���z�Ot�/���dm%��Q_�b*2;��趝 Ywv�'{�B./y�^ifoJ* ��$"k2`
^aBIV?4�G->ف���OPf ��FE>=&��/-kݝ6IdNˏX��wݮAqu��4C[0ͦ(&�L�e�t°�r8b&_�&�igql;%�\OqwH~n��؍G9���,�m22K VJW�Lhe�\�n�%]�l\�ѭb< Xǣ̚z-(7�U$8+>нfͼ���
.�U?ߥ`2@d�uy@M�(��G`,`��pKyŋjd0Kצ�-|='I>(�yl(Z�M!h~���\d� RN���fbM%3�٨|(/P�w�
l9 T3ƹ@i&6J���
䥴Br$e��Pj�W%?�a�EH͇�#k~�J.Ǧ܇�܂%9�~�^Cs�`�1Js0yA?J`Ȩ��p��psΥ,R�c'sH}��W�h{꾘Cꨈv`^"I��?ac bBDr%hw̶314�*_)~wYlM4(e縡ʏ�F,2Qy5P4D�O6�4fHYv`)O ui�!�נsz=JM<
zmJkYZ��0:
)�/BGC4Y4K�CyyÈMfqh 2^�rFOT@��H*r띥u6x怫�|SA�ʞBN��fS�fnۃ�t��b/�*}{>J�fٶ�wN^ܵ *pڊPq�ut�Y7�CP*n}`83Vi7ٷz`%Q�.% )�f/*"�_"~�QiT�h�ѳ.!6P:O��8b|i.JcsSYw{|*҇fEvJ,;hc[ֽ�ˀUA���.,Zɥ�P~y&z06t* 5RW;: SGc$a^R[l�I�,���9w*)\�����Ӯ7uT%_aRGߝ}�=Ϫ�Nn@��?J`v*� ��/�8s&X�-G�ҁa��h"Ƣ �#j��$�_���{6 2X`̆l4,�r9ih3��0�vM�s~15Pz�C`Js>پg�X.dFk䍰h��,��5�x�HWo~ʺDfwK2S{�j�P�|ɫ�v)J*至��
eqm`�c��?\$�|,7yV͈��vVV AL
9mz0k�ԱUݻ�N�z:KiQ��|%ˎ@�yjU$-:�S�v5�t㑲1dUv�xjΏ�]�R1eF�u!P[�v�=!D~?F�o�en,L
��~*%b5B9HcPXx�"ŀ��Ʊ
��O~�q��Fs6z8�)=�RtGX@3;�>Y�)�#(?N��IJ(.m�q��,c�
�cɈ3_6 ǛfT=ث<�0;q�d
8$oO$_��T6 V�>-&NN]��mH9�kX`>&4�@nR.�}C49+$sޅGY˾�.FAU*cX2[\ُq&{/[;c�|*7nۇFw{dNOwo
G.DPv�p8$�G�lؓQ')ؽ(�y�t�q�Y Ë)KfY��Zt�k5�'q�N?�́� 5�%!/��.pvs+#/Ma�y,1K5AFl7z#!a�5;\,R*$ w�ыT�*oD$Mv�=BiTb_�Pa͟�g�}N�jw9FH՚ƲB)e8�[.'RQ�5,Du u^�K;<�U3ځ� ;6l�P^7mPYe
)yn0�V�W1µ#�.r�}QnCy}�ϭ�sV=:_-EY�(r�bH<8zCҌe��p�qq�m[)NSWW�w#bf\>o�;9BJ-um!x��T]^CB{o.?AԌT��32�̃P�I�0PtzI6��]�VQ];fVgqJ;3P��Ta�"���dw2v&K'��F�U|,+w[ZdZϓw}�62Œ)$"*~ވPlݒG<٢w�b.��4$70u41+#$Fz��EW\WSH<
�^vnP𣘭�-\��6�){RM7@-Jɷ^I|�L�Fg)�DFqpH
koPG;d
^E7j0����.i��#K;��D7l`eoԎQQJO%�ʎ�ƅ�Zp!ODe\!N0Vmy|ʻK: Tm�)�a:3��?��j�ڶ98�k
I�s�=af�"�g�AFVRJNqPV�S�ɉ-½h�3�'K�N���h�#k2O;eZ�ն}��;��L
[yFX.Pzp}R� Q�L�p!�d�3S_K�`hiws�!tҐ&�w��n�OL�tgJ{��!T4k
\ �S6~/ބ1rC_�x预g-U�n9:qRG'Dۗ ^.is2�h>�ӑgc0��5B�`z�ى'@l̅�!IGq�Z핍^TKƜ�B�.�n�0��)�B�T�$Iu��ư�nuaYۉ�i�����2+\キ/�=|Y0,�Yvd�}��sP
�ˤylM8��(�R�{Dm`�gJ[()(-YTs_`�e�HD`\惊H�cϡ!d�(.�` 0@Vzt})dzgztm~7UAe?�:dDV�YkTN�K��}1�?1oD�3�� L{�22؝�LJRXX�̈́?5bn�3�a�T@]`�O��^qa��A `ach��C[i?/�]_x�_kŒ���0t__L7�~7k6q${��Ha�g�pM~iS!r*���'K�)B�^Vno$4FVW��i�&Mg�}R-Dgoc�V\z��F17N<$ɹ�l*&3`�})S?ଦ$10�c
~-�"P
B�)+w>:GM_�4:3L/
+j%*\�-lX�'^ �'{jz"
��61�q�n�`�7�8aBB�
F�~Ja5E|�ޢN��sǙ �4cF8rJO��X�a���M���ck�)7dE8n2D�z�]"_7ڟHK1�$
Ug�e87Z��4e]�̥&� {
ja|�>;_k�LG'��i.p�H�umK�v���JL>)�V#`VE[糇1$_f�`cdž�`^�Q
mFv��p A�uj'"rǎ$3 DXʓ@�Tw^9��"Gb>&Te]v�Tl1pq�RX�(o1οVQ쨭Ꮘ?l�mU`4�h�hq�!P�HH,C�.D�5Ds(KHLi N(㘍o�9
�8vz�a'9��m:WG߹nX}6�'؞W僴wvXjl$ )�ľ+Jf܉�Z,āCVMb��Pf�830nF3�'E/zΉ`xV<*lɋfX+ ���Xdף8}�:Pn5{ֽq&�+*
v/Ha>eI;`_�HµFt�h���z�[{aۇ,�G�ˣ����78�[K 0z��c�L�qް(k R<�cƵGKw[�c}J3`�^N߁t, �&E`�_e�+2IPF�̶Xn�RE23V�i��;�ϼ-�"Pn:\lt���ch