Package: freeradius-server-libs-3.0.21-150200.3.12.1
Summary: FreeRADIUS shared library
Description: The FreeRADIUS shared libraries.
Build host: s390zp36
Distribution: SUSE Linux Enterprise 15
Vendor: SUSE LLC
License: GPL-2.0-only AND LGPL-2.1-only
Packager: https://www.suse.com/
Group: System/Libraries
URL: http://www.freeradius.org/
OS / architecture: linux s390x
Source RPM: freeradius-server-3.0.21-150200.3.12.1.src.rpm
RPM version: 4.14.1

Provides:
  freeradius-server-libs
  freeradius-server-libs(s390-64)
  libfreeradius-dhcp.so()(64bit)
  libfreeradius-eap.so()(64bit)
  libfreeradius-radius.so()(64bit)
  libfreeradius-server.so()(64bit)

Requires:
  ld64.so.1()(64bit)
  ld64.so.1(GLIBC_2.3)(64bit)
  libc.so.6()(64bit)
  libc.so.6(GLIBC_2.15)(64bit)
  libc.so.6(GLIBC_2.2)(64bit)
  libc.so.6(GLIBC_2.3)(64bit)
  libc.so.6(GLIBC_2.3.4)(64bit)
  libc.so.6(GLIBC_2.4)(64bit)
  libc.so.6(GLIBC_2.8)(64bit)
  libcrypto.so.1.1()(64bit)
  libcrypto.so.1.1(OPENSSL_1_1_0)(64bit)
  libpcap.so.1()(64bit)
  libpthread.so.0()(64bit)
  libpthread.so.0(GLIBC_2.2)(64bit)
  libtalloc.so.2()(64bit)
  libtalloc.so.2(TALLOC_2.0.2)(64bit)
  rpmlib(CompressedFileNames) <= 3.0.4-1
  rpmlib(FileDigests) <= 4.6.0-1
  rpmlib(PayloadFilesHavePrefix) <= 4.0-1
  rpmlib(PayloadIsXz) <= 5.2-1

Changelog entry authors (in header order):
  adam.majer@suse.de, adam.majer@suse.de, adam.majer@suse.de, adam.majer@suse.de, adam.majer@suse.de, adam.majer@suse.de, adam.majer@suse.de, jcnengel@gmail.com, michael@stroeder.com, adam.majer@suse.de, michael@stroeder.com, adam.majer@suse.de, michael@stroeder.com, michael@stroeder.com, michael@stroeder.com, adam.majer@suse.de, varkoly@suse.com, michael@stroeder.com, adam.majer@suse.de, michael@stroeder.com, kukuk@suse.de, adam.majer@suse.de, jengelh@inai.de, adam.majer@suse.de, michael@stroeder.com, adam.majer@suse.de, michael@stroeder.com, jkeil@suse.de, michael@stroeder.com, jkeil@suse.de, jkeil@suse.de, jkeil@suse.de, michael@stroeder.com, vcizek@suse.com, michael@stroeder.com, tchvatal@suse.com, vcizek@suse.com, dimstar@opensuse.org, vcizek@suse.com, meissner@suse.com

Changelog:

- CVE-2022-41859.patch: fixes information leakage in EAP-PWD (bsc#1206204, CVE-2022-41859)
- CVE-2022-41860.patch: fixes crash on unknown option in EAP-SIM (bsc#1206205, CVE-2022-41860)
- CVE-2022-41861.patch: fixes crash on invalid abinary data (bsc#1206206, CVE-2022-41861)

- logfile_secrets.patch: do not log passwords in logfiles (bsc#1184016)

- freeradius-server-radiusd-logrotate.patch: move logrotate options into specific parts for each log as "global" options will persist past and clobber global options in the main logrotate config (bsc#1180525)

- freeradius-server-radiusd-logrotate.patch: fix permissions in logrotate global section (bsc#1170505, bsc#1174905)

- update to 3.0.21 (jsc#SLE-11896)
  Feature Improvements
  * New stored procedure for allocating IPs with PostgreSQL
    Rates of 1500 IPs per second are now possible
    See raddb/mods-config/sql/ippool/postgresql/procedure.sql
  * Add SQL IP pool support for Microsoft SQL Server
    See raddb/mods-config/sql/ippool/mssql/
  * Added RCNTEC dictionary. Closes #3168.
  * Added Pica8 dictionary. Closes #3179.
  * Add TLS-Client-Cert-Valid-Since attribute holding not Before date
    Patch from Boris Lytochkin. Fixes #3157.
  * Generate attributes containing unknown OIDs
    See raddb/sites-available/tls
  * Update the WiMAX dictionary.
  * Added ability to rlm_python(Python2) show a stacktrace from errors. #2979.
  * Add WiFi Alliance Policy OIDs. See raddb/certs/xpextensions
  * radmin now shows coa stats, too.
  * Sample schema extensions for summarizing data in SQL
    See mods-config/sql/main/*/process-radacct.sql
  * Update dictionary.aerohive, dictionary.fortinet, dictionary.arista and dictionary.erx.
  * Added VAS Experts dictionary.
  * Many updates to RPM and jenkins builds from Matthew Newton.
  * Added %C (time now in seconds) and %c (microsecond component of now) back-ported from the "master" branch.
  * Add reload capability to systemd unit file in Debian and RedHat.
  * Increase timestamp precision in postauth to maximum supported by each database and simplify (and make more consistent between drivers) the timestamps in SQL queries by using expansions.
  * Option to set dictionary path in raduat script.
  Bug Fixes
  * Various fixes found by PVS-Studio.
  * Set permissions of certificates in bootstrap shell script
    Fixes #3132.
  * Increase the 'nasportid' SQL field for 'varchar(32)'. #3141.
  * Skip processing proxy reply if there are no home servers available.
  * Update SQLite IPPool queries. Fixes #3177
  * rlm_sql_unixodbc fixes. Fixes #2822.
  * Fixes when building with LibreSSL.
  * Fix the rlm_python3 build. Note that this module is experimental. #3183.
  * The rlm_python should append the 'python_path' paths in 'sys.path'. It fixes the expected behavior to use the existing Python modules
    Fixes #3180.
  * Fix rlm_python to print the script errors properly.
  * Bound total query time for PostgreSQL. Fixes #3253.
  * Many fixes to Oracle sqlippool. It now does 500 IPs per second without any tuning. Fixes #3270.
  * Reference sqlippool by its correct name. Fixes #3272.
  * Revert 3.0.20 patch which caused crashes on duplicate clients.
  * Update WiMAX-MSK attribute. Fixes #3280.
  * Fix crash when trying to access non-existent regex capture group.
  * Use timestamps (request or server) rather than SQL NOW() in accounting queries so that these are stable when replayed from a file buffer.
- freeradius-python3_patches.patch: upstreamed

- update to 3.0.20 (bsc#1146848)
  Feature Improvements
  * Added Force10 dictionary.
  * Update dictionary.hp with new attributes. #2690.
  * Update dictionary.aruba with new attributes. #2696.
  * Fix side-channel leak in EAP-PWD (bsc#1144524, CVE-2019-13456)
  * Relax OpenSSL version checks, now that their API is both public, and stable.
  * Note that tls_min_version/tls_max_version also support "1.3"
    Since there is no standard yet for EAP with TLS 1.3, it will not work.
  * Added tripplite dictionary from #2760.
  * Switch to the async interface for rlm_sql_postgresql so that we can enforce query_timeout.
  * Added new LDAP option 'allow_dangling_group_ref'.
  * Updated documentation and functionality for EAP session caching
    See "cache" section of mods-available/eap.
  * Tighten systemd unit file security. Fixes #2637.
  * Disable TLS 1.0 and TLS 1.1 support in the default configuration
    We STRONGLY recommend doing this for all installations.
  * Add expansions for *outgoing* Radsec connections "%{proxy_listen:TLS-...}" for TLS-Client-Cert-* and TLS-Cert-* attributes. Fixes #2839.
  * Add %{listen:tls} which returns "yes" or "no" for TLS or non-TLS connections.
  * Update dictionary.lancom with new attributes. #2847.
  * Added rlm_sql_mongo. See raddb/mods-available/sql. Note that this module is experimental.
  * Added more documentation in sites-available/robust-proxy-accounting.
  * sqlippool now re-allocates unexpired leases, to prevent IP pool exhaustion when clients perform multiple reauthentication attempts
  * Add support to radmin keep the history in ~/.radmin_history.
  * Add support for ENV and LD_PRELOAD in radiusd.conf. See the new ENV sub-section of radiusd.conf.
  * Update dictionary.aptilo. #3002.
  * Update dictionary.airespace. #3039.
  * Add sites-available/coa-relay, which makes CoA easier #3045.
  * Add example stored procedure for IP Pools in MySQL
    See mods-config/sql/ippool/mysql/procedure.sql
  * Update dictionary.dhcp dictionary with the recent hardware types.
  * Add experimental rlm_python3. This should largely work the same as rlm_python, which was Python2 only.
  * Add Dockerfiles for Debian10 and CentOS8.
  * Add RPM spec file compatibility for RHEL/CentOS 8.
  * Notes on certificate constraints. See raddb/certs/server.cnf.
  * Add NAIRealm example to raddb/certs/server.cnf, for RFC 7585.
  Bug Fixes
  * Allow listen.ipaddr to reference an IPv6-only host. Fixes #2627
  * ERX-Acct-Request-Reason is "integer". Closes #2635.
  * Fix a slow memory leak in the file management code.
  * Try to fix file permissions if they get modified while the server is running
  * Fix slow memory leak with clients.
  * Fix request and connection timeouts in rlm_rest.
  * Fix systemd issues.
  * Fixes from clang analyzer.
  * Fix missing include for the dictionaries: alcatel.esam, altiga,alvarion.wimax.v2_2,aptis,asn, audiocodes,avaya,bristol, columbia_university,freedhcp,garderos, infoblox,motorola.illegal, starent.vsa1, telkom, wimax.wichorus.
  * Fix internal sanity check when running with "-Xx".
  * Allow "inner-tunnel" virtual servers to work better with "accept" and "reject" policies.
  * Fix dictionary.huawei data types for Huawei-DNS-Server-IPv6-address and Huawei-Framed-IPv6-Address.
  * Framed-Interface-ID in postgresql/queries.conf is string, not inet
    Fixes #2817.
  * Fix rlm_cache to complain on unknown attributes in the "update" section of its configuration.
  * Add configure checks for -latomic. This helps on armel, mips and mipsel. Fixes #2828.
  * Add support to Oracle 19 and 18. Via #2857.
  * Add support for decoding tags in rlm_rest. Fixes #2848.
  * Use correct passwords when updating CRLs in raddb/certs/.
  * Properly separate "originate-coa" packets when accounting packets are read from the detail file reader.
  * Use the correct virtual server for pre/post-proxy.
  * radsqlrelay fixes backported from "master" branch
  * Fix DoS issues due to multithreaded BN_CTX access (bsc#1166847, CVE-2019-17185)
- disable python2 for SLE15 and Factory
- freeradius-server-enable-python3.patch: enable Python3 module
- freeradius-python3_patches.patch: backport python3 fixes from upstream
- freeradius-server-opensslversion.patch: updated

- Enable memcached driver on SLE15

- Add missing BuildRequire on samba-core-devel required for winbind support in rlm_mschap.

- update to 3.0.19 (jira#SLE-5890)
  Feature improvements
  * Update dictionary.cisco
  * Update sqlippool to allow for stored procedures with PostgreSQL. This increases performance substantially. Patch from Nathan Ward. Fixes #2540.
  * Re-added "show client config" command to radmin.
  * Cleaned up mods-available/sql example so that it is easier to understand.
  * Added pfSense dictionary. Closes #2581
  * Update dictionary.h3c Closes #2592
  * Update elasticsearch/logstash config for v6.7.0.
  * EAP-PWD security fixes from Mathy Vanhoef. See http://freeradius.org/security/ (CVE-2019-11234, CVE-2019-11235, bsc#1132549, bsc#1132664)
  Bug fixes
  * Update dynamic_client module and server core so that the functionality works. This has been broken since at least v2.
  * Fix crash in sqlippool due to escaping changes. Patch from Nathan Ward. Fixes #2532, #2533.
  * Fix systemd notify, watchdog and unit files. Fixes #2541, #2499.
  * Fix erroneous length check in EAP-FAST.
  * Update documentation to remove old "ignore_null" configuration. Fixes #2578.
  * Fix default POD port. Should be 3799. Fixes #2591
  * Correctly encode vendor-specific "encrypted" attributes. Fixes #2600

- reformat changelog mostly by wrapping lines
- add missing bug numbers for security fixes

- update to 3.0.18
  * cleanup_delay can now be 30 seconds. This helps with proxies that have packet loss.
  * Do-Not-Respond policies can now be set in the "post-auth" section.
  * Encode / Decode ADSL Forum DHCP options.
  * Fix module ordering issues. e.g. when "sqlippool" needs "sql". See the "instantiate" section of radiusd.conf.
  * Add Big Switch dictionary. Fixes #2252.
  * Add sql_session_start policy (raddb/policy.d/accounting)
    This minimizes race conditions when using Simultaneous-Use (#2257).
  * For rlm_perl, all variables are now tainted by default. See raddb/mods-available/perl, and the "perl_flags" configuration item. This change should only affect people who are using variables in insecure ways.
  * Allow "sqlcounter" module to be listed in "post-auth".
  * Add support for IPv6 attributes in SQL. Fixes #2280
  * The server is better at handling fail-over for outbound RadSec and TCP connections. Fixes #2284.
  * The server is now more aggressive about retrying failed outbound RadSec and TCP connections. Fixes #2284.
  * Add TLS-Session-Version and TLS-Session-Cipher-Suite to the "session_state" list.
  * Add expansion for Radsec connections. "%{listen:TLS-...}" for TLS-Client-Cert-* and TLS-Cert-* attributes.
  * Add notes on running "ldapsearch" using the parameters from the LDAP module.
  * "ipaddr" attributes can now be cast to "integer" type attributes in an "update" section.
  * Move main thread queue to using atomic queues. This should help with contention in high load scenarios.
  * Add "recv_buff" setting to listeners. For more details, see sites-available/default.
  * The sqlippool module can now use attributes other than "Pool-Name" to assign IP pools. The "Pool-Name" attribute is still the default.
  * The "unpack" expansion can now unpack substrings. See mods-available/unpack for documentation and examples.
  * The preprocess module now does "ciscvo_vsa_hack" for Eltex-AVPair
    Fixes #2301. Vendors SHOULD NOT USE THAT KIND OF ATTRIBUTE.
  * Allow for -LDAP-UserDN. See mods-available/ldap for more information.
  * Add sanitizing of control list for moonshot. Fixes #2318.
  * Update rlm_sql_mysql to be compatible with MySQL 8
    Fixes https://bugs.launchpad.net/bugs/1795310.
  * Allow logging of only Access-Accept or Access-Reject messages
    See radiusd.conf, "auth_accept" and "auth_reject".
  * Removed Connect-Rate comparison. It was unused and broken.
  * Add dictionary.infinera.
  * Use OpenSSL HMAC functions instead of local ones.
  * Some SQL modules can now use "auto_escape" to escape unsafe strings
    See mods-config/sql/main/mysql/queries.conf.
  * Add wispr2date conversion in mods-available/date.
  * Implement dictionary-based handling in rlm_python. Fixes #2334
    See mods-available/python for details.
  * Add support for SKIP LOCKED in sqlippool. This can improve performance by an order of magnitude or more. See raddb/mods-config/sql/ippool/*/queries.conf Fixes #2383
  * Allow PSK and certificates at the same time
    Except for TLS 1.3 which does not support that.
  * Update docker scripts. Fixes #2306 Patch from Matthew Newton.
  * Add crypt xlat.
  * MySQL connections can now skip verifying the server certificate. Fixes #2481. See mods-available/sql.
  * Add better mechanism to detect MariaDB (Old MySQL).
  * Add RFC 7532 "bang path" support for realms
    Fixes #2492.
  * Update dictionary.ukerna documentation. Fixes #2493.
  * Add support for systemd service and watchdogs
    Fixes #2499.
  * Check for openss/rand.h, and allow building without OpenSSL engine. Patch from Eneas U de Queiroz Fixes #2517.
  * The default PostgreSQL queries now use "ON CONFLICT" to better deal with issues. This requires PostgreSQL 9.5 or later. Please use a recent version of PostgreSQL, or edit the default queries to remove "ON CONFLICT".
  BUG FIXES
  * The session-state list is no longer cleaned in the inner-tunnel. This lets the outer Access-Reject section access session-state.
  * Fix typo in lock initialization for TLS sockets
    Found by Sergio NNX.
  * Add check for crash when home server down
    Fixes #2233.
  * Add username key for postauth table.
  * Better libpcap checks, when the header files or libraries are missing. Fixes #2245.
  * Allow building with old versions of OpenSSL
    Fixes #2247.
  * Allow non-FreeRADIUS State attributes to be used with the "session-state" list. i.e. State length != 16.
  * Be more aggressive about cleaning up zombie children when running in debug mode.
  * Use LTDL_DEEPBIND, which fixes issues with Oracle libraries exporting LDAP API functions.
  * unlock files when asked to unlock them.
  * return error instead of asserting in map code.
  * Don't write 0 bytes to SSL. Fixes #2270.
  * Remove "expiry_time IS NULL" from allocate_update query. Fixes #2262.
  * Various dictionary cleanups and consistency checks
    Fixes #2281.
  * rlm_python has stronger thread locking to prevent reported issues. Performance may be affected.
  * Don't allow Message-Authenticator to overflow past the end of a large packet.
  * Fix crash in sqlippool when SQL server goes away
    Fixes #2300.
  * Typos in man pages. Patch from Nikolai Kondrashov Fixes #2303.
  * Fix crash with CoA packets/ Fixes #2304.
  * Fix crash in rlm_exec with CoA. Fixes #2328.
  * Print errors while parsing the log config, and don't quit when deprecated log settings are found.
  * Fix DHCP encoder xlat so that it can be used with a list of attributes. It previously only encoded the first member of the list, and now encodes all members.
  * The "expr" module now skips more whitespace.
  * Remove internal FreeRADIUS-Response-Delay attributes from attr_filter Access-Reject.
  * Don't send junk to redis when maximum args reached.
  * Small updates to IPv6 for accounting schema
    Fixes #2364.
  * Fix OpenDirectory integration in rlm_mschap.
  * Fix slow memory leak with dynamic clients.
  * Don't artificially truncate debug output for long strings.
  * Fix memory leak in EAP-PWD.
  * Fix crash in "hints" file with Fall-Through = yes.
  * Fix crash / timer issues with many CoA packets.
  * Fix attr_filter so that it does not treat vendor attributes of number 26 as Vendor-Specific.
  * Fix reconnect correctly in rlm_sql_mysql.
  * Fix rlm_cache to properly use Cache-TTL < 0
    Fixes #2485.
  * Fix rare occurrence of bad xlat expansion.
  * Check for rare race condition when a proxy reply arrives too late.

- install license as %license instead of documentation

- also fix ownership of /var/log/radius in systemd unit

- update to 3.0.17
  Feature Improvements
  * Add CURLOPT_CAINFO. Patch from Nicolas C #2167.
  * "stats home server" now supports "src IPADDR", to specify home server also by source IP. Fixes #2169.
  * Add Dockerfiles for a selection of common systems.
  * Increase number of permitted file descriptors, for systems with many home servers.
  * Add TLS-Client-Cert-X509v3-Extended-Key-Usage-OIDs
    Patch from Isaac Boukris. Fixes #2205.
  * Update main READMEs. Patches from Matthew Newton.
  * Added dictionary.mimosa.
  Bug Fixes
  * Don't call post-proxy twice when proxying to a virtual server. Matthew Newton, #2161.
  * Use "raw" string value for shared secrets and dynamic clients
    It now parses strings with backslashes and "special characters" correctly. Fixes #2168.
  * Fix RuntimeDirectory for RedHat, from Alan Buxey.
  * Relax checks in 'if' parser from Isaac Bourkis.
  * Minor cleanups for %{debug_attr:&request} from Isaac Boukris.
  * Be more aggressive about cleaning up cached certificate attributes, due to deficiencies in OpenSSL. Reported by Nicolas Reich.
  * Be more accepting when parsing IPv6 addresses. Bug noted by Klara Mall.
  * Fix double free in rlm_sql. Fixes #2180.
  * rlm_detail now writes empty Access-Accept packets.
  * rlm_python can now create tagged attributes.
  * Don't crash on duplicate realm + authhost / accthost
  * Allow partial certificate chain to trusted CA. Fixes #2162.
  * Treat SSL_read() returning zero as error. Fixes #2164.
  * detail writer now checks if the file was renamed or deleted.
  * Add User-Name to Access-Accept if EAP-Message exists, not Stripped-User-Name.
  * RedHat Systemd updates. Fixes #2184.
  * Use correct API for State variable in rlm_securid.
  * Remove broken radclient option "-i".
  * Fix "users" file (and hints, etc). So that it does not get confused about entry ordering with multiple $INCLUDEs.
  * Fix rlm_sql to expand the un-escaped string, not the raw string.
  * Link default and inner-tunnel only if they exist. Fixes #2206.
  * Don't use both IP_PKTINFO and IP_SENDSRCADDR.
  * Always install signal handler for SIGINT (needed by Docker).
  * Fix intermediate CA flow for OCSP. Fixes #2160
    Intermediate certs which are not self-signed will now be checked.
  * sqlippool now returns "fail" if it fails IP allocation.
  * Fix rlm_yubikey to look for correct attribute in replay attack check.

- update to 3.0.16
  Feature improvements
  * rlm_python now supports multiple lists. From #2031.
  * Add trust router re-keying. From #2007.
  * Add support for Samba / AD LDAP schema. See doc/schemas/ldap/samba/README.txt and doc/schemas/ldap/samba/
  * Add "tls_min_version" and "tls_max_version" to EAP module for Debian OpenSSL issues.
  * Better documentation for client certificates in PEAP and TTLS: it usually doesn't work. Fixes #2068.
  * Distinguish login failure from AD unavailable. Fixes #2069.
  * Update RH spec files. Fixes #2070.
  * Run Post-Proxy-Type if all home servers are dead. Fixes #2072.
  * Print offending IP addresses when EAP sessions come from two upstream home servers, and rate-limit the messages.
  * Minor packaging updates.
  * Better documentation for rlm_rest.
  * EAP-FAST now has its own "cipher_list", so that it is easier to configure.
  * EAP-FAST now forcibly disables TLS1.2, until such time as we implement the new keying mechanism from TLS1.2.
  * Add documentation for allow_expired_crl.
  * Update Debian logrotation. #2093 and #2101.
  * DHCP relay can now drop responses. #2095.
  * rlm_sqlippool can now assign Delegated-IPv6-Prefix. It also now can assign any IPv4 or IPv6 address. Based on patches from maximumG. #2094. See raddb/mods-available/sqlippool for changes.
  * radeapclient can now use EAP-SIM-Ki to dynamically create the necessary triplets.
  * Explain why many LDAP connections are closed. Fixes #1969.
  * Debian build / package issues fixed by Matthew Newton.
  * dictionary.patton updates from Brice Schaffner. Fixes #2137.
  * Added scripts to build "inner-server.pem", and updated mods-config/inner-eap and certs/README to match.
  * Added provisions for using an external CA. See raddb/certs/
  * Include dhcpclient binary in freeradius-dhcp debian package.
  Bug fixes
  * Bind the lifetime of program name and python path to the module
    FR-AD-002 (redone)
  * Pass correct statement length into sqlite3_prepare[_v2]
    FR-AD-003 (redone)
  * Allow 100-Continue responses with additional headers in rlm_rest.
  * fix corner case where detail files were not being locked correctly.
  * Fix (SQL-Group == "%{...}") checks, and same for LDAP-Group. Fixes #1947
  * Clean up exfile code. Which should help to avoid issues with reading / writing 100's of detail files.
  * Fix build for winbind. Patch from Alex Clouter.
  * Fix checkrad for Mikrotik. Patch from Muchael Ducharme.
  * Fix home server stats lookup. Patch from Phil Mayers.
  * Add libjson-c3 as an optional dependency.
  * Require LTB OpenLDAP on CentOS / Redhat, to avoid linking against NSS, which breaks the server. Fixes #2040.
  * rlm_python fixes. Fixes #2041
  * Typos in "man" pages. Fixes #2045
  * Expand "next" in %{%{...}:-%{...}}. Fixes #2048
  * Don't add TLS attributes twice. Fixes #2050.
  * Fix memory allocation in rlm_rest. Fixes #2051.
  * Update trustrouter for new API. Fixes #2059.
  * Fix SQLite issues on FreeBSD. Fixes #2060
  * Don't do debug logging of bad passwords. Fixes #2064. (bsc#1099802)
  * More graceful handling of "die" in rlm_perl. Fixes #2073.
  * Fix occasional crash when using cisco_accounting_username_bug = yes
  * EAP-FAST fixes from Isaac Boukris. [#2078], #2076, and #2082, #2126.
  * DHCP fixes, relay, #2092, add run-time check, #2028
  * Decode multiple RADIUS packets at a time in highly loaded RadSec connections. Patch from Jan Tomasek. #2106.
  * TunnelPassword is not "single value" in LDAP schema. Fixes #2061.
  * sql log now opens the expanded filename, not the input one. This was a regression introduced in 3.0.15.
  * Remove unnecessary UNIQUE constraint in Oracle schemas.
  * Fix SSL thread and locking issues when modules also use SSL. Fixes #2125 and #2129.
  * Re-add dhcpclient "raw packet" changes. Patches from Nicolas Chaigne and Matthew Newton. Fixes #2155.

- Fix permissions of radiusd.service (bnc#1053654)

- bsc#1055679 - freeradius-server does not provide winbind/AD auth
  Added libwbclient-devel as buildrequires

- update to 3.0.15 with security fixes for issues found via fuzzing by Guido Vranken (bsc#1049086)
  https://freeradius.org/security/fuzzer-2017.html
  * CVE-2017-10978: FR-GV-201 (v2,v3) Read / write overflow in make_secret()
  * CVE-2017-10983: FR-GV-206 (v2,v3) DHCP - Read overflow when decoding option 63
  * CVE-2017-10984: FR-GV-301 (v3) Write overflow in data2vp_wimax()
  * CVE-2017-10985: FR-GV-302 (v3) Infinite loop and memory exhaustion with 'concat' attributes
  * CVE-2017-10986: FR-GV-303 (v3) DHCP - Infinite read in dhcp_attr2vp()
  * CVE-2017-10987: FR-GV-304 (v3) DHCP - Buffer over-read in fr_dhcp_decode_suboptions()
  * CVE-2017-10988: FR-GV-305 (v3) Decode 'signed' attributes correctly
  * FR-AD-002 (v3) String lifetime issues in rlm_python
  * FR-AD-003 (v3) Incorrect statement length passed into sqlite3_prepare

- update to 3.0.14 (still FATE#322416)
  Feature improvements
  * Enforce TLS client certificate expiration on session resumption, and Session-Timeout. See CVE-2017-9148 (bnc#1041445)
  * Updated dictionary.cisco.vpn3000, dictionary.patton
  * Added dictionary.dellemc
  * Lowered the log output for failed PEAP sessions.
  * Allow utc in rlm_date.
  * The internal OpenSSL session cache has been disabled.
    Please see mods-available/eap
  * Update detail reader documentation.
  * Make outgoing RadSec connections non-blocking.
  * Add SQL backing to Moonshot-*-TargetedId generation.
  Bug Fixes
  * radtest uses Cleartext-Password for EAP, not User-Password.
  * Update documentation for mods-enabled/ linking.
  * Enhanced checks for moonshot salt.
  * Allow session resumption for RadSec connections.
  * Update "huntgroups" file to note that port ranges are not supported
  * Fix OpenSSL permissions issues on default key files.
  * Certificates are not required when PSK is used.
  * Allow SubjectAltName as first extension in cert.
  * Fixed talloc issue with TLS session resumption.
  * "&Attr-26 := 0x01" now produces useful error messages.
  * Handle connection error in rlm_ldap_cacheable_groupobj.
  * Fix endian issues in DHCP.
  * Multiple minor fixes for Coverity complaints.
  * Handle unexpected regex.
  * Fix minor issues in dictionaries.
  * Fix typos and grammar. Patches from Alan Buxey.
  * Fix erroneous VP creation in rlm_preproces.
  * Fix MIB. Patch from Jeff Gehlbach.
  * Trust router updates from Alejandro Perez.
  * Allow build with LibreSSL.
  * Use correct packet for channel bindings.
  * Many fixes found by PVS-Studio. Thanks to PVS-Studio for giving us a test license. Please see the git commit history for more info.
  * Fix incorrect length check in EAP-PWD. This may be exploitable.
  * Stop rotating session database files (radutmp, radwtmp) since these are not logfiles.
- freeradius-server-radiusd-logrotate.patch: updated

- removed obsolete freeradius-server-fix-cert-bootstrap.patch because recent /etc/raddb/certs/bootstrap simply works
- update to 3.0.13 (still FATE#322416)
  Feature improvements
  * Add dictionary.rfc7930. Note that we do not implement the RFC.
  * Added 'cipher_server_preference' to mods-available/eap
    Patch from #1797.
  * OpenSSL 1.1.0 compatibility fixes.
  * rlm_perl: radiusd::xlat to evaluate xlat string within perl script
  * Allow authentication retry in winbind. Patch from Herwin Weststrate.
    See raddb/mods-available/mschap.
  * Added "recv-coa" method to rlm_rest. It behaves the same as "authorize".
  * Document Trust Router tr_port option. Patch from Stefan Paetow.
  * Update elasticsearch/logstash examples so that they work with elastic stack v5. Patch from Matthew Newton.
  * Print information about packets, replies, and contents in the detail file reader.
  * Update abfab-tr policy. Pull request #1893 from Stefan Paetow.
  * Reject packets which contain User-Password and EAP-Message.
  * Add example for filtering Access-Challenge. See sites-enabled/default.
  * Pull symlink fixes from v4.0.x. Fixes #1859.
  * Add systemd reload. Not everything is reloaded, but some is. Fixes #1662.
  * Better documentation for listen "ipaddr". Fixes #1921
  * Add dictionary.cnergee, updated dictionary.nomadix.
  * radclient no longer needs -x to print statistics with -s.
  Bug fixes
  * Minor typos. Fixes #1763
  * Fix typo in RPM build. Closes #1767.
  * rlm_mschap check for password expiry only if password was correct. Fixes #1762.
  * Update debian build.
  * update rlm_counter "man" page. Fixes #1775.
  * Remove erroneous assert. Fixes #1778.
  * fix mschap password change test. Fixes #1792.
  * Cleanup config file on data remove. Fixes #1795.
  * passwd module returns "notfound" if not found.
  * Check for old OpenSSL, and don't build rlm_eap_fast if it necessary. Fixes #1803
  * Cleanup memory better after ldap version query. Patch from Aleksey Katargin.
  * Rename lt_* functions to avoid linker issues with libtool. Fixes #1277
  * Many miscellaneous fixes and typos.
  * Allow long strings in %{%{foo} bar:-%{baz} blah". Fixes #1866
  * Fix filtering operators, along with more documentation and more tests for them.
  * Fix OpenSSL fixes. Fixes #1876.
  * Finish SQL select queries even when SELECT returns no rows. Fixes #1879.
  * Set Module-Failure-Message for more EAP errors.
  * Correct typo in dictionary.rfc5580. Fixes #1882
  * Remove obsolete systemd syslog.target.
  * Client-Port-Balance load-balancing now uses client port.
  * Radrelay examples fixed from Alex Clouter.
  * Update systemd target. Pull request #1896.
  * Trim starting whitespace in xlat strings.
  * Get MySQL result lengths using normal API.
  * suid down after fchown(). Fixes #1914.
  * Fix cases of comparing pointer to NUL character. Fixes #1915.
  * OpenSSL v1.1 fixes. Pull request #1921.
  * Better Handle v4/v6 host names. Pull request #1919.
  * Remove "Auth-Type = System" from docs and examples.
  * Don't crash on malformed %{home_server}. Fixes #1922
  * fix erroneous use of talloc destructor in rlm_eap
  * Issue trigger modules.sql.fail. Fixes #1923
  * Document python_path gotcha's. Fixes #1845
  * dlopen() the specific version of Python. Fixes #1592

- Don't require insserv if we use systemd
- Remove require for unused fillup

- Merge changes from SLE to openSUSE (FATE#322416):
  * freeradius-server-radclient-init-error-buffer.patch - make sure we initialize error buffer. bsc#911886: radclient error free() invalid pointer
  * freeradius-server-opensslversion.patch: remove OpenSSL version check and assume we know what we are doing. (bnc#1013311)
  * merge .changes file, mostly.
- do not attempt to detect "vulnerable" OpenSSL versions. SUSE security fixes do not necessarily bump version numbers as does upstream OpenSSL (bnc#1021375)
- do not generate certificates in %post. End-user needs to do this manually.
- keep FreeTDS disabled on SLE12 - we never shipped it enabled
- require OpenSSL 1.0+
- use pkgconfig(systemd) instead of plain systemd as BuildRequires
- don't list manual pages as %doc

- Remove --with-pic which is for static libs only.
- Use SUSE RPM group names. Trim filler words from description.
- Do not hide errors from groupadd/useradd.

- Add upstream keyring
- 2 new modules: rlm_sql_freetds and rlm_eap_fast

- update to 3.0.12 - still fate#320481
  The focus of this release is stability.
  * Feature improvements
    + Add support for =~ and !~ in update sections.
      See "man unlang"
    + Add dictionary.checkpoint.
    + Simultaneous-Use prints out more information.
    + Print WARNING in debug mode when packets may be truncated.
    + Added expansions %{home_server:state} and %{home_server_pool:state}, which show the state of the server / pool.
    + Mark rlm_sql_freetds as stable.
    + Make rlm_perl less fragile. Patch from Herwin Weststrate.
    + Allow extended attributes to have "encrypt=2"
    + Update dictionary.aruba.
    + Add support for EAP-FAST. This is an isolated feature which does not affect anything else.
    + Update OpenSSL vulnerability list. Use a version of OpenSSL released after September 20, 2016.
    + EAP certificate verification is now done when "verify" is enabled and "ocsp" is disabled.
    + New dhcpclient and rlm_rad_counter man pages.
    + Minor abfab and moonshot additions.
    + Pass CFLAGS through from environment in RPM builds. Allows more custom builds.
    + Build with Heimdal in addition to libkrb5.
  * Bug Fixes
    + Use correct typedef for older versions of sqlite.
    + Update mssql schema to add priority
    + don't complain on /dev/urandom in ldap
    + fix == operator in update sections
    + Don't create DHCP strings with many trailing zeros.
    + Allow MS-CHAP change passwords instead of complaining on large buffer.
    + Allow assignment or equality operator on SQL.
    + Update aclocal tests for FreeBSD 10.
    + Remove occasional hang in rlm_linelog.
    + Copy VSAs to inner tunnel for TTLS and PEAP. Fixes #1544
    + A few minor bugfixes caught in v3.1.x cleanup, and back-ported to v3.0.x.
    + do_not_respond again works in post-proxy
    + Allow realm "~^.*$" {} and User-Name with no realm.
    + Fix leak when creating unknown attributes
    + Fix Debian / logrotate.
    + Make OpenSSL error functions thread-safe.
    + Fix crash with rlm_sql and updating SQL-User-Name.
    + Debian build updates.
    + Allow regular expression comparisons in radclient.
    + Fix memory leak on unknown attributes in detail file reader.
    + Update example paths in "man" pages when installing them
    + Build fixes for rlm_mschap.
      Fixes #1489.
    + BSD build fixes. Patch from issue #1583.
    + Be more careful about /lib/ when building. Fixes #1585.
    + Correct ifdef placement error. Fixes #1572.
    + Allow for more files in internal "exfile" API So it will be possible to open more than 64 "detail" files at the same time.
    + Remove support for statically built EAP modules. Fixes #1591.
    + Many fixes to rlm_python from Guillaume Pannatier.
    + Use correct week adjustment in SQLcounter. Fixes #1608
    + Minor fixes to allow compilation without DHCP, VMPS, or TCP.
    + Fix checks for module / config file change on HUP.
    + Compile regex comparisons when sent via "debug condition".
    + Update filenames in documentation and examples.
    + Don't crash if SQL connection becomes unavailable.
    + Disallow originate_coa when proxy_requests = no.
    + Free rad_perlconf_hv in correct perl context.
    + Multiple fixes for Debian builds. #1510, among others.
    + Set OpenSSL FIPS compatibility flag when necessary.
    + Pulled fixes for the build system over from other branches.
    + Fix OCSP for RADIUS over TLS.
    + Fix skip_if_ocsp_ok behavior.
    + Better fixes for systems without closefrom() but which have /proc.
    + Minor build fixes back-ported from v4.0.x.
    + build --whout-ascend-binary. Fixes #1761.
    + Be more aggressive about not opening new connections in debug mode after CTRL-C. Address #1604.

- use %{with} macro for conditional inclusions instead of hardcoding version numbers
- improved package descriptions
- fixed builds on SLE12 and SLE11SP4

- removed installation of experimental module rlm_sqlhpwippool.so
- update to 3.0.11 (fate#320481, bsc#961479, CVE-2015-8763, bsc#935573, CVE-2015-4680)
  * Changes of version 3.0.11
    + Feature improvements
      - "unlang" comparisons of IP addresses to IP prefixes are now detected, and types automatically cast.
      - Allow shorthand form of ipv4prefix values e.g. 127/8.
      - Add "auto_chain" to raddb/mods-available/eap, tls subsection. This allows the disabling of OpenSSL auto-chaining of certificates. Which might be wrong.
      - Added printing of coa and disconnect stats (radmin).
      - radclient defaults to expecting Access-Accept responses to Status-Server.
      - Updated dictionary.lancom, dictionary.starent.
      - Portability fixes for Solaris.
      - More errors from ntlm_auth get passed to MS-CHAP.
      - Update abfab-tr-idp virtual server.
      - Added "filter_password" in policy.d/filter. This removes embedded zero bytes in User-Password, for compatibility with broken clients.
      - The server now issues a WARNING message if duplicate configuration items are found.
      - TLS can skip the "verify" section if OCSP returns OK. See raddb/mods-available/eap, "skip_if_ocsp_ok".
      - Set TLS-OCSP-Cert-Valid = yes / no / skipped, which is the result from the OCSP check.
      - Interoperate with AD and "LmCompatibiltyLevel = 5", by always setting WBC_MSV1_0_ALLOW_MSVCHAPV2 for native winbind in rlm_mschap.
      - TTLS and PEAP now require "virtual_server" to be a real server.
      - Print WARNING when TTLS or PEAP identities are spoofed or not properly anonymized. See RFC 7542 for requirements.
      - Various rlm_python fixes from Herwin Weststrate.
      - Allow setting Response-Packet-Type in "Post-Proxy-Type Fail", which is useful when the home server does not respond.
      - elasticsearch updates from Matthew Newton
    + Bug Fixes
      - Fix issue where field nas_type would not be accessible via the %{client:} xlat, for clients loaded from SQL.
      - Fix compatibility issues with OpenSSL 1.0.2. Ignore calls to msg_callback with 'pseudo' content types.
      - Data type "ipv4prefix" is parsed correctly.
      - Use correct talloc context in rlm_exec. Fixes #1338.
      - Complain in unlang if "else" is used with no previous "if" or "elsif".
      - Send accounting status packets to the accounting port. Fixes #1364.
      - Print out CFLAGS when doing "radiusd -Xxv"
      - Fixed bug with coa/acct stats value #1339. Based on patch from Jorge Pereira.
      - Fixes for LEAP proxying. Don't use LEAP!
      - Fix issue with "directory already exists" seen when doing "make install".
      - Fixed bug with radmin related to the option "stats detail "
      - Complain if the detail file reader does not have permission to read the "detail.work" file. Fixes #1398
      - Fixed SoH. Attributes were not being copied to the virtual server.
      - Used a wrong list to global statistics in "stats".
      - Create EAP-PWD identity correctly. Prevents segfaults.
      - Dynamically validate authentication types for PEAP and EAP-MSCHAPv2.
      - Fix includes in installed headers.
      - OpenSSL 1.0.1f and 1.0.1g do NOT calculate TLS 1.2 keys correctly. See raddb/mods-available/eap, "disable_tlsv1_2"
      - Allow password change to work for MS-CHAP. This requires 'r=0', because password changes are not retries.
      - Fix home server fail-over for home servers using TCP and/or RadSec.
      - Special characters in expanded regexes are now escaped e.g. User-Name containing '.', and comparing /%{User-Name}/, the '.' will now be escaped. See src/tests/keywords/regex-escape.
      - Use correct authentication vector when sending Access-Reject replies for RadSec.
      - Set FreeRADIUS-Proxied-To in TTLS again. You should use the "inner-tunnel" virtual server, instead of relying on this attribute.
      - Fix debugging constants in rlm_perl. Patch from Herwin Weststrate.
      - Add samba-dev / samba4-dev to debian builds so that rlm_mschap can automatically use the new winbind API.
      - Automatically skip zero-length attributes when sending packets, instead of erroring out.

- fix bsc#951404
  * Rebuild of freeradius-server package fails
  * fix source url
    - ftp://ftp.freeradius.org/pub/freeradius/
    + ftp://ftp.freeradius.org/pub/freeradius/old/

- update to 3.0.10
  * Changes of version 3.0.10
    + Feature improvements
      - Do more optimization of unlang policies. This makes run-time a bit faster.
      - Re-name most of the functions in src/lib. Third-party module authors will have to do the same.
      - More documentation on contributing and how to write modules.
      - Update radiusd.service for systemd.
      - Open IPv6 proxy socket if the server is listening on IPV6 auth / acct / coa packets.
      - Create debian packages for DHCP. Fixes #1125.
      - Add more tests for "update" section parsing.
      - Update "man" pages.
      - Update attributes for Alcatel 7750
      - Add dictionary for Boingo Wi-Fi
      - Add support for DHCP lease queries. See raddb/sites-available/dhcp
      - On HUP, check all modules for config files which have changed. And only re-load those modules.
      - Allow FreeRADIUS-Response-Delay(-USec) to be set for RADIUS packets. Patch from Herwin Weststrate.
      - Documentation fixes from Alan Buxey and Matthew Newton.
      - Update "logrotate" script.
      - Added more RFCs to doc/rfc for new standards implemented by FreeRADIUS.
      - Don't crash when doing "radmin -e "help hup". Patch from Matthew Newton.
      - The dictionary parser now does more sanity checks, which prevents run-time problems with invalid attributes.
      - Update debian packages. Patches from Christopher Hoskin.
      - Many other debian packaging fixes from Matthew Newton and Herwin Weststrate.
      - Add "session-state" to Perl. Patch from Herwin Weststrate.
    + Bug Fixes
      - Fix rlm_files so that there are no collisions when loading 10's of 1000's of users.
      - Fix radclient to use our internal v4/v6 parsing functions. v6 addresses with ports now work correctly.
      - Fix sending/receiving packet messages to wrap v6 addresses in square brackets '[]'.
      - Check for sasl/sasl.h when building rlm_ldap, and disable SASL functionality if unavailable.
      - Fix issue which caused a non \0 terminated buffer to be assigned to attributes if the value being assigned contained an invalid escape sequence.
      - Fix deadlock when reconnecting connections in the connection pool.
      - Fix potential overrun in functions that used fr_utf8_char with a non nul terminated buffer.
      - Fix decoding issue for Tunnel-Password type attributes which were very long. Found by Denis Andzakovic.
      - Fix radclient issue with TCP sockets on FreeBSD.
      - The server now creates ${run_dir} and ${logdir} directories in daemon mode, when running as "root".
      - Handle tags when using maps. Fixes #1191.
      - Fix crash when CoA packets time out.
      - Fix parse error in rediswho
      - Fix regex support in SQL radcheck the "users" file and radsniff.
      - Register listen xlat earlier, so that it's available when the virtual servers are being parsed.
      - Parse Ascend-Data-Filter when given as "0x..."
      - Print Ascend-Data-Filter correctly. Add test cases for both.
      - Allow old-style clients again. They will be disallowed for 3.1.0 and following.
      - Complain instead of crash when "else" and "elsif" are in the wrong place.
      - Clean up memory more aggressively. This lowers the maximum memory used, most typically for TLS based EAP methods.
      - Prevent the server from unlinking the control socket of an already running instance.
      - Fallback to using the configured OCSP URL if one exists, and no URL is provided in the certificate.
      - Return CoA-NAK if proxying CoA fails. Based on patch from Jorge Pereira.
      - Lower peak memory usage by decreasing size of internal memory pools.
      - The control socket is now left in place if a second copy of the server is accidentally started.
      - Allow virtual attributes in "switch", "case", etc. Fixes [#1240] and #1265.
      - Many spell check / typo fixes in comments and example configuration files.
      - Better handle multiple DHCP listeners.
      - Don't print secrets for old-style realms. Fixes #1267.
      - Don't fall through in empty "case" statements. Fixes #1274.
      - Update EAP-TTLS so that MPPE keys are correctly calculated with TLSv1.2.
      - Always delete MS-MPPE-* from the TTLS inner tunnel. This allows TTLS / EAP-MSCHAPv2 to work. Fixes #1206.
      - Fix off by one error that caused some MSCHAP-Error messages to be sent without the password change version (V=3) and the textual message component (M=).
      - Always include C= V= and M= in MSCHAPv2 errors.
        RFC 2759 does not say that any of these fields are optional, and not including V= caused errors with wpa_supplicant.
      - Do not include M= in MSCHAPv1 errors. It's not supported.

- Fix boo#912714: freeradius can't use ntlm_auth
  * Create winbind group
  * Add radiusd to winbind group

- Remove gpg signature file
  * The gpg signature checking is broken and doesn't work

- Fix bsc#935573: Insufficient CRL application for intermediate certificates
  * CVE-2015-4680
  * freeradius-server-CVE-2015-4680.patch based on https://github.com/FreeRADIUS/freeradius-server/commit/a03814af310bb3bee74ea012546d99c48b0ea5c3

- update to 3.0.9
  * Changes of version 3.0.9
    + Feature improvements
      - Make "pool" configurations more consistent, and update documentation for them.
      - Move connection pool logic to "most recently started", instead of MRU. This should help with pool stability.
      - More VSAs for 3GPP2
      - Added examples of multi-value attributes to rlm_perl.
      - LDAP-Group and SQL-Group attributes are now dynamically allocated.
      - Only the "sql" module registers SQL-Group. Other instances register "instance-name-SQL-Group", similarly to "ldap".
      - Unknown attributes are now complained about more often when used in unlang statements. e.g. if (Foo-Bar == 3) used to be a string to string comparison. It is now a parse error.
      - Rename RLM_COMPONENT_* to MOD_* in the code. This makes many things easier.
      - Move to C99 initializers for modules.
      - Load modules in raddb/mods-enabled. This allows attributes like "LDAP-Group" to be used in the "files" module, without explicit ordering or listing in "instantiate".
      - Added 'bootstrap' section to modules. Third-party modules will need to be updated.
      - When adding clients from a DB, add them to a virtual server if that virtual server has a "listen" section. Otherwise, add the clients to the global list.
      - When reading dynamic clients from a file, don't expire them if the underlying file is unchanged.
      - Allow the server to originate CoA requests from the post-auth stage.
      - The server creates ${run_dir} and ${logdir} in daemon mode, if they do not already exist.
      - Add dictionary for Wi-Fi Alliance Hotspot 2.0. The server now supports all mandatory and optional attributes for this specification.
      - HUP now re-loads the configuration only if the files have changed. If all files are unchanged, HUP re-opens the log file, and does nothing else.
      - Much better debug messages for EAP-TLS, including which attributes are cached, and when they are retrieved.
      - Increase default max_requests to 16384. Memory is cheap now.
      - Added "stats memory" commands to radmin. Debug build only.
      - Aptilo controller dictionary updates.
      - SQL modules now use Acct-Unique-Session-Id everywhere.
      - The redis modules are now stable.
      - The LDAP module now supports SASL "interactive bind" method. This allows Kerberos based administrator and user binds.
      - DHCP code is now in libfreeradius-dhcp.
      - More DHCP encoding / decoding unit tests.
      - rlm_replicate can now be listed in the "accounting" section.
      - Better sqlite debugging output.
      - Remove "required" option from many sql_ippool directives.
      - Set default CA "basic constraints" to "critical". Fixes #1073
      - Updates to help / man pages from Jorge Pereira.
      - Added more tests.
    + Bug Fixes
      - Be more careful about unused config item warnings when using -Xx.
      - Move more defines to be auto-generated.
      - Allow virtual servers in proxy fallback.
      - Allow %{module:} to work.
      - Don't crash in RadSec. Closes #980.
      - Return better errors when a unix group / user is not found.
      - Re-enable detail module "locking" parameter.
      - Don't crash when logging replies from Status-Server packets.
      - The couchbase module now uses "update" instead of "map", for consistency with the rest of the server. See raddb/mods-available/couchbase
      - Don't require NT-Password for MS-CHAP password changes.
      - Be a bit more careful about decrypting MS-CHAP-MPPE-Key attributes. Closes #1013. There is no perfect fix, tho.
      - Fix security issues with EAP-PWD.
        See http://freeradius.org/security.html#eap-pwd-2015
      - Fix dynamic clients read from SQL in non-debug mode
      - MS-CHAP now allows retries (i.e. password change) when passwords are expired.
      - Allow "user=radiusd" when the server is already user "radiusd"
      - suid up/down works on non-Linux systems. This means that the control socket should have the correct ownership.
      - Fix issue which caused the server to sometimes have problems when a home server was marked zombie.
      - Fix format.pl because Perl is now more picky.
      - Fix proxy to Packet-Dst-IP-Address, so that it uses the correct destination port.
      - Fix corner case with cursor functions and removal.
      - OpenDirectory fixes and documentation.
      - Fix leaks in rlm_redis.
      - RFC 6929 "evs" attributes are now encoded / decoded properly.
      - Fix talloc pool leaks when receiving malformed or retransmitted Accounting/CoA requests.
      - Printed attributes again use double quotes instead of single quotes.
      - Set X509_V_FLAG_CRL_CHECK_ALL, and add "check_all_crl" to eap.conf. Fixes oCert CVE-2015-4680.
      - rlm_expr now errors out correctly on malformed attribute references instead of triggering an assert.
      - Make "break" work in "foreach" loops
      - Allow dynamic expansions to work again in the "hints" file.
      - Correct minor typos in comments and examples from Alan Buxey.
      - Re-urlencode the path portion of ldapi:// urls before passing it to ldap_initialise.
- freeradius-server-rlm_sql_unixodbc-configure.patch removes hard-coded directory in configure script of rlm_sql_unixodbc
- install new module rlm_sqlhpwippool.so

- minor adjustments/cleanup of spec and changes

- update to 3.0.8
  * Changes of version 3.0.8
    + Feature improvements
      - Allow syslog_severity to be set in rlm_linelog.
      - Allow defaults to be set for bulk clients in LDAP and couchbase.
      - Updates to dhcpclient. Patches from Nicolas C.
      - rlm_mschap now supports direct connections to winbind, which is faster than ntlm_auth. See raddb/mods-available/mschap. Patch from Matthew Newton.
      - Recommend /dev/urandom for TLS randomness, instead of ${certdir}/random
      - Allow TLSv1 to be disabled via "disable_tlsv1" in tls{}.
      - Allow Expanded EAP types where vendor is 0 (IETF) and type is normal EAP type. Supplicants sending Expanded EAP types like this are broken.
      - Add support for server side sort controls when searching for user objects in rlm_ldap.
    + Bug Fixes
      - Don't complain about "authorize" in "server {}" blocks, but only if there's no "server" block.
      - Fix cosmetic issue where debug from the first packet read by a detail reader thread would be emitted during config parsing.
      - Fix ASSERT on truncated detail packets.
      - Don't use main server log functions from within panic_action, as in the case of syslog this would cause deadlocks if the fault was triggered from within a malloc.
      - Fix issue in "switch" when "correct_escapes = false". Fixes #911.
      - Fix sqlcounter configuration to use "%%b" instead of "%b", otherwise the new syntax validation will fail.
      - Allow forward references in configuration items. Modules aren't always loaded in a sane order.
      - Fix more escaping issues. Closes #912.
      - Decode MAC addresses correctly for VMPS.
      - Fix memory leak with TLS connections.
      - Fix state machine threading issues for conflicting packets.
      - Fix copy_request_to_tunnel issues for tagged attributes.
      - Allow "ok" to over-ride "updated" inside of Auth-Type sections.
      - Update state machine so that post-proxy is run through child threads for performance, instead of blocking the main thread.
      - Allow "netmask" to work again in client definitions.
      - Relax restrictions on SQL group queries.
      - track outgoing proxy sockets and clean them up more aggressively.
      - track proxy statistics, including CoA and Disconnect.
      - If radmin has a connection failure when running a command, it re-connects and runs the command again.
      - mark home servers "unknown" less aggressively.
      - Fix potential SEGV in PostgreSQL driver on error.
      - Fix issue where fields like nas_type would not be accessible via the %{client:} xlat, for dynamic clients.
      - Set default busy_timeout (of 200ms) in the sqlite driver, so writes don't cause selects to fail in multithreaded mode. This is user configurable, and may be increased if required.
      - Convert Password-With-Header attributes to binary (from hex or base64), in the authorize method of rlm_pap.
      - Fix invalid assert in state.c, that could cause abort in post-auth.
      - Fix double free when -m flag is used, and connection pools are referenced by multiple modules.
      - RADIUS over TLS accounting uses the same port as authentication.
      - Regularized return codes from radmin commands.
      - Fix RHEL spec file so it works correctly for Centos7 which uses systemd, and didn't like the SystemV init script.
      - radwho and radlast now have a -D option to load dictionaries
      - DHCP packets are no longer checked for duplicates.
      - Don't crash in sql module group comparisons in corner case.
      - Calculate MPPE keys correctly when using TLS 1.2.
      - Fix load-balance sections. Closes #945
      - TLS certificates are available again in the post-auth section. They are not available for session resumption.
      - radclient encodes CHAP-Password properly when using -c Closes #955.
      - Fix issue in rlm_cache_memcached driver that caused variable length values to be truncated.
      - Fix track functionality in detail reader, so it no longer fails with a "Failed marking detail request as done: Bad file descriptor" error.
      - Actually add the peer identity (as User-Name) to the inner tunnel in EAP-PWD requests, so it's available for lookups.
      - Fixes to PostgreSQL queries. Patches from Santiago Gimeno.
- new set of consolidated patch files:
  deleted:
  * freeradius-server-2.1.1-logrotate_su.patch
  * freeradius-server-2.1.6-rcradiusd.patch
  * freeradius-server-initscript-pidfile.patch
  * freeradius-server-radius-reload-logrotate.patch
  * freeradius-server-var_run.patch
  added:
  * freeradius-server-radiusd-logrotate.patch
  * freeradius-server-rcradiusd.patch
  * freeradius-server-tmpfiles.patch

- Do not disable as-needed build
- Remove the with_sysconfig switch and just stick with versions

- update to 3.0.6
  - fixes a segmentation fault in PEAP module (bnc#912588)
  Feature improvements:
  * radmin / raddebug conditional errors are printed to the output, instead of being discarded.
  * raddebug will exit if condition set with -c was invalid.
  * radmin auto-reconnects if the connection to the server has gone away.
  * rlm_cache now has submodule support. See raddb/mods-available/cache
  * New memcached driver for rlm_cache. See raddb/mods-available/cache
  * Add support for &Attribute-Name[*] in conditions. See "man unlang" for details.
  * Add &Attribute-Name[n] which gets the last instance of an attribute e.g. Module-Failure-Message[n].
  * Allow for redundant string expansions. See the "instantiate" section of radiusd.conf.
  * When checking IP addresses in conditions, make the right side be parsed as an IP prefix.
  * Support JIT compilation of compiled regular expressions when built with libpcre.
  * Support named capture groups with "%{regex:}" when built with libpcre.
  * Increase regular expression capture groups from 8 to 32.
  * Emit error markers for badly formed regular expressions.
  * Allow 'm' flag to enable multiline mode in regular expressions.
  * Support limited implicit attribute conversion in update sections.
  * Support casting between IPv6 and IPv4 where the IPv6 address has the v4/v6 mapping prefix (::ffff:).

- Drop .keyring and .sig file: freeradius-server still uses MD5 signatures, which are no longer validated/accepted by GPG 2.1.

- update to 3.0.5
  Some of the new features:
  * Allow LDAP to specify arbitrary attributes for dynamic clients.
  * Allow one level of backslashes (finally). See radiusd.conf, "correct_escapes" setting.
  * When supported by OpenSSL, allow TLS 1.1 and TLS 1.2 in EAP methods.
  * Allow multiple new connections to be spawned simultaneously in the connection pool, to cope with spikes in traffic.
  * Use kqueue on systems which support it. This allows for better scaling when using many sockets.
  * Home server "response_window" can now take fractions of a second. See proxy.conf.
  * radmin now supports "show module status", as the counterpart to "set module status"
  * "ipaddr" will now use v6 if no v4 address is present. You should use "ipv4addr" or "ipv6addr" to force v4/v6 addresses.
  * "client" sections will allow "ipaddr = 192.192.0/24". The old "netmask" is still accepted, but the new format is preferred.
  * Allow custom HTTP headers to be set for rlm_rest requests using control:REST-HTTP-Header (attributes consumed after use).
  * Extend format of %{rest:} expansion to allow HTTP method and POST data to be specified and urlquoting.
  * Add support for aliases in rlm_ldap.
  * Add support for connection pool sharing to all modules that use the connection pool (pool = ).
  * "tls" sections now have a "psk_query" configuration item, for dynamic queries to discover a key from a PSK identity.
  * Preliminary support for EAP channel bindings.
  * Foundational work for dynamic home servers. They do not yet work, but this is now only a matter of updating the "realm" module in a future release.
  * Support &attr[*] syntax to copy all instances of an attribute when used with the += operator in an update section. May be qualified with a tag.
  * The logintime and expiration modules can now be listed in the post-auth section. This makes some configurations simpler.
  * rlm_sqlippool is now IPV6 capable. Set "ipv6 = yes" to get Framed-IPv6-Prefix returned. The SQL queries have NOT been updated. Please submit patches.
  and numerous bugfixes
- remove gpg-offline
- create /run/radiusd after install
- drop freeradius-server-opensslversion.patch (upstream)

- freeradius-server-opensslversion.patch: do not check the minor version of openssl, minor versions are supposed to be compatible. bnc#906682
yd?uu*/*dkܞDyc  ?yBX|]{k}7 ?à2N4mP$I KQa{"bKXa,M/À^_~OSÀ%ɮK꛾3Y @**-xc'x­+`j?K샐 hۊq#Qh$ BM6_-Cקu W:h.‽.߫:*,SL۲ |MҜA G^$%;kPpD Y2^Y}BPFdGEǷ|EG'E<8S2 '!v.!/!_'68ҷgƽ~)xƤR⎐d\gw櫪|]C:,!OZvqi [ٌ4vM,}?%HcFA @k Ǵ<=MC;[0~j00|sgI%(lGlt W>fPʻO0[FJ e}5.S >$ '<׷VllKNȊ1wi::b_\6݄qWM<4^+^I2p";_SƐ[ l+3i\UW^UY<Ųd!$c1yKYZ%Ӟ|׋ ,'Y Fx`Y(Idtxik`F_Vw U^5]ME r,%-*gDUnh)هYkﳈ82wXZ }LM1@hRہN ,OQe6\{GP!weX(Uk{Yjeq91E5qGfe&Z-ܳg-Uu2TWNap0Iic[oN8]F.ߚg>c ywf-\E D&gis\q3v!,MCzsN-!TPm*Uw2kv)Ο?媶;SIq &Z?}(fqn?u׫o:WD/i=lj,%m!T1MRC}@7iH$w$C>1V72Ok2kj  P6̕,A}_E Q2wz$6(! {>i|T|}1c  /`(W߂2sēb7k{QbI:JWDtXvwZ=~56leK @C@*(|{x1LhlcB[ B$~)(v DV8} V`@QF%'h[7~H1+`%[EQ ::#Rw#`=LuO :lgaV1)aj,D99kT#`HOuxqs`(J`=X;Uء o˕#.AmN ӧtWuK=WGYvn/5o.\%h~Z;ؽۇc!;L#ce lԳ[)r*&q}؅i#w[xFES%|@fV^J1')%WF! CfͶ߃[Vx`n׿ۓX9axyw"q6Џ(9ӠQC2Bꬷ/~l F&Fɭc0îH+~؝]-܇KT:naAet1S; NبYgjt]clPېy(Fs!CY['$<z|2 "K5L z2W6_\JH$+R9 %fq/Z85ݖ|~:zc,5HoJT~j$Uc,{70AjU{IdF6Em{:08= p w {Ҳ1ASL4 9o匠mI%܉`^԰U4wԞ|u|&?o;pA}DbmV-Q Y w*7|dɛc/!'i]3=th;&ҍ́."/ adit8soOdXfA:zfRh< o wRz';kdS1gTl`b|P&{jzя)ނ :⃡ ]PlK/ѝ4hW0#*,FEV&Ҧ3($N6D@pHf_sN=e?] 7GӾ%0 im6-#"w~+fL6xb6Oo0u4I3-VjKftq/T1Jշj77oݼxT;w'vm1fN -5yC౪"r))}f_}a{*UZA1,@}2s~e7VfT:|W%_80Ŧu9Gcp'05EteZ"PhGGfw0@3B}5(Ւ")cY̐>m ֩i^f2˭Y<:7xu*W ^Q:%a)=1M :) >Ot+JpJP^Lh\7^4rûqJ&ia}zX #YE* + H;e0_if3^M$/fcdi` oa'AP'{z1 Ӗ)jp+a RPŵL'`}@thR޻ }7>`S am*47(H5(" r;#vZĒ!R0ג{32R2Y00֝;s\aC8}K|5i!'Ya9Yc̢k$=#$QDq$c@U{~. 
3&[V|bkQر) @D۴K({)`}`6AIB@HUjh&)ƽFS;5XL,?$HiiS1RTH(\&<؁|Ǻ+}UD(3,@2`HP4WvJ-[ ַfeׅ4@H—]g<bT>ķU1e=J=C;69qfH V%A(R9&*w'VݿΫܝw^;;H*##ܣ![F3*3U!!VE?`(TF*ldVv2 vknm,]d3Oh)V|A9Ⱦlq1|=8ڿYRY8&k.qªWQkCC0Ol48`Ki6x~̅ǔ́€'~wVY %a#`|ᆋV%4[כ$d(C5/n]dp9:lOW5^zє[# wYc眖mKv 0.&tpB`]֓4oRs8׃ 6t~ns{c{LK\xPK@IM=Q8D&l c̏o< J=,8qH{CQy2tDHPU b87v.Nӛ[ӒW bϑ/ASsRn9I1V̘|4O\Ug{>~FccjE`vJԅm*3a$՚WceEsfש6dqzB~-^ra| /?|3*wb.JIeTmo]=xS}x?wp, 0CG*ŀ;Pߊv%&m7$ʠeR络?b_}-EpdБDdGTh/MhT 냐eB+L9hAR~߻kzPWB^a3WPEj`` 1A韙n)OrS,>0@y ܮ%%ˌl0uUEj|Kuu+P*βArEF2{ 9>?HmGUHP Um7b&LL{c)Vtd$oz۰e` 5-o!3:8 ,㼼IkŐTt!VLy*Ѧ'R ΰb5*N op Hhl-4=O7E+[ ],/afߐ38bvtO4?#u/~)Ap},İRS C/9U5P")̟V$7.)ϔb5=X*W0}tqzT҃(JB"6 QN|ab 0y4$\fT-WQ ;%k=eA#C9.]@%_1p5!lĦ:k3$%a{,Y&Fo!!{Z{OǢxqHZg/F[Ȏ_ 429 cF*Bl; {A =0q@vyc"#^CccX}ljFвEE⏡q2.j*v3إStK% $nѨ![Q*4 Y.,h~q0fÉtHalMq[D~|#UF [?}ML+ȖMKࢳG#҃d!^o,X D)pm7 x`dm ae'C/(Y_~ܰm_C9l}hҩ"Ӣd$UjD[-`0+Xtf禎%{-|V/ bĩxޓ;T'+1a|]8 1xW5HnpK4yeb@anqj.Npo#6y UkEd-̦3\P,Dm(;:Ec*|~3xHK ) vH=L]7nÿy  kr;&rATnO9o[bK VJ)[8MԺ,n-F q9R)Ko9W_n>)^i,x%5u2k潲N.2_$3pi%o -Vn?5Te97Ȧ fQRdW{!@&+ >(YI_*F&v'(*>f!h,dV086?ˈoVx fV^6@?rzC{aUbl`u_#NP&XZIe/dvtX}zn)$ '`>@05"=h ر `M0}5qL$*~:4l []j~w?XUIJ3F~Qx7*Bfm)--;#,q9D5֕e/1 1"pV2]["ǬΎg‚c,HC'׀,?̥pA*xeL|AI>u){R22.s5!ֿXn8H|')gHHq\h%7O7rRlx3Uoui)T  ׻]XЯX7 1]h#Vo/t^^2uQwpp0wЩ,aP`F?KEW 1E^&icR "Y6?v,͞T;ms 0Ts9xGF ^H+m̽\[ U NQE3W,媻gRK/ "Wln۠NY}4JWUYs7q`B{4$G~+mV<>y̹|mYǀ/;}>HYB$B}}]ш{~BpV?2U'V(E4D>>htBe{jHille@DՙWpK-QOM)2yޝvXLcGNcÏȅsaI^9ƧCJ_zSZ\.f hp>c.œ,嘛ez@61)eb(N1~~y6)lwB+ߎH>JtH!و?δ&~M/[(%:- 'DN?į*k"FtIuq 4 N/6҈GG<-t[{[-0SDE/#%5A}ݽkI@=\X8ntKپDcCLn#𴕨cp[".Eq:F<j|`C@khE w}ʫ^UJ +60OPm}\*H=a[JzM㒰@h\x]|j#=Fc@?.0%C@4ZjD,"!6Wdj?Cݏk|ѯX] ƅQ(zׂB5FhtzuYuSzh *oD4f6Bi yw8Ό@Ixn؝NL-7DƜP)E fZI Qpcu1UF4oMX2Ġ)] U~=_kQ-,`B(4’7+upi*$rHFv^*IpPQ/ѝ̋ =d1iDQM=t,䃁zZ)fuCM4>r6S _$sA@cS+HC1xNeP N\qԏ ief=s{B Cj=If7]QˁO761 ^7[0xF{L.J3Ggs^Fg {pde۩'4O^\2^Uz!&}:bn߱GO+ id<g {"%#A)8DS>鹃 >u*ʓLoi( 1c֓ 58O)gtx UD[ۑ٘Dv~e`AZ\a>I±(pCK.Q,wt3NyWV\^@iɏU:${~2zʹ4 }+wq'Ժ϶?)7$<ԏDḿf/aޠJW ;/ t^Osfc%ݘ˄5U'j\K;8Lψ.NkĖ<u\o_NXZQ<t?dMcHa$߅4S2 \j]*GK'%[ :xוs|,4lm5mPdv)K5 
B l_,'p&Oyw$Cq}⤞n~Z[[^ C&eMB/5pH,GSB=Nlw](C44ptTe׏ Zij#bGO0S, ?~NFfHV| E,A)^l˄Q?B`dOF:"5,)T;xU-H5v~WzZmto1.o Ń=4R!)rX{J)MzZ\5Qze%d;xw mhV79gȾ+{~-|{)?lB\}QLLya @  W1 Rx2MxEp(пO8*x aN٘i7kf[{pøVnՍ0]g vlhQB h}NG󖫽m5˨Rǒs3>Ld-)jT^0Yb>O ؀b-N@pݝN#=$9}B=.P'YM b_alG,prueoIs#F %֙/clE5)ؔR&Dn J #pV-=N!J>BcC ]ZF<{>Bm >~5r=xTkݫ /ɃZ7Ps! yVߋhAx u`x^;8&nBwYO%(>\OXYjQB+,T+{.M윞,D嘑=9hʌ9+ve }6I(]B ̽pa9^!uՋ^<Ƽ6KH]b13ڰ=D.cBZiܮOe[m"& )]6@r:ߥW쟡`O4e0_CsB|:+2VQ2 ~$t ㈾,*8p&@ڹȔXeQēS c+sWKx`ir$َiZr2C/7)dikDpFG|C qj3CC xRUOVd\>q`v.}CxFSePgkn 6ieC̀/4DǴҫ9}.Bf?ANmH99ϯހ^aޢfnٽjx8K18nTe` ׬dY,{ .I'nz_ZZXn:`tshf=}RhE3&gHS0 ݿnctFn2GiUذKX*`zu_+noSƼHۭ0.7iETRf8Ҥ[:+3'#Ƥp - d+- z%8᲎z2~CO;M䶔${_f,\~ǛH-JVβrȹErC "]ٜ_,m|4@; ڛR 卫$5%J>*ɜZZY*X mDCBZ6l?\\` =dqŇ/y G1}$䲹WI"rިc_B֣Ȅ^U&pY" V,?E"-q|E!PF}s@Qm9 ei_- A$!GPIGMLdf>yHL1|tFbQlbF|j A#^QqQp;Jj9{Q Yq%ƥhArY)'N#R.uY.oW|, 3!(BicA.No>v5P;_OžhчtUQ2N$ u]鵛@ we5ju8NC" GG\h8(^B \wz'du$*֬ӈ\jk-q܋!-oQ3j~+Rܛ#1 12'^}+~~2(;HԒ sO/eUD ѭԬ{zɋdIc-Ư\bE.=eMIAjzÔ!b< ٮ? 3Se\`I4*zzegc oop ؚsYS8xeS \Wɚ_kpÙ*N22 2bO~S1l{TF=mIMXQ=}wۄqͯe%c yʞ#] ;eH `+=U1g #&V9ؿbUFsM|IeTtS=O/ѱDGٚwBTZ(|:io/soI>V'5w˵rnt2.#PRCY;ʘx~_0M.H)χ dDw,YY~V;9ΣU\L펖9(&q5qtĸÂ||;s+8+?e($P$F5\~gl/걂-UCx;y磟XE|kys~qιɰJ󼙶lfDf;׋j[{0.+mhN)ta>$h.:6N;ցK^ƃxI[uIʫ'  j= 1Qrˌ `c<]]Z菉BM5yJ2ݢaˉI!1mT/sWّ1^G;Eg79p,y˼ď=Y4 vtbhCp:0̌2?}r[']'Z?̻Ek_]\ Fz8Q>N^Һw ,n暯P 3 6b*! ˽ 㷖Byg\:#Rw1òx;nGr9l:$qvjM =F5?pqn[~Vbv _'ۨЛsbHE鄭-IHXUĉ܊vlI?M&7IVs7.r5*{Q)t e^!!׳j؃8HR/E_@ny t+#'#}L|%˜z)[CocOwjmiU@0Ɖ cp?,.Uw^1YV ٌgU*Yxʄ]V y&=P \fNWD-Z^VochepUg\uJ+gM.>XXb=b"qME vWQ :, >0>vgPsa)"p?6D"؂=Ɋχ X9<{M3cJL7Ug^b:yVk'D߻Iddy>5=9nNuciw/FQyQea2cZ /dﻵt{ٱ c;Թs|-xd>cpUǽ Z_F4!?VͯwmSM.HLq<4frP 5@gQjyjPBos|={sKT۸cwUvwyE׶Nn^+ӅlF>'R$&UNU!_fy ;]вTGjaJmwfhV3ЮǻwE)^' X^}ohfMN h @^n"ds8t'{`!!dY%8< @K=1⻗ HHuccFԁXj#Z쨊b<WdD[q@>9l݀$e}Ggoy]K[l>F{g0][ǧ-%CVDZO$Ҏ)~OzPcEceW$ .k0ǜº"̀+ r}"WHZT e8wPjt!1i'NS)9وvnKa&ouAӼL)D XQcwLEwu;,,uD*UQ$3^QrNw _3 }@5Ј1]geMp[PCu+Qx93V˶a^x{/YH%?"$@z hkP@w. 
g䍤ZN(Kj#nAĆ}eߦ́E &ܰ[BeavvU.\68S}~kLLΌ_, wԼ4k}o.`-@Pxz HS͡~{\WթyH~ lql)"D ^>X<,zT&G]h6Kicq2bB3(M>OnDs@@Ƨ3cД"J\ +mAON ȤP~yno z༉bH0\Fȷ5YxYm,5m6Pc j WboK:\L\*li}_Oۺ#WVt(v6-PNc:h"_9} OŹm0޺`k5'/D\,+Z)ΥPjf:oTTԠeBj -+&Y+q:~r TjIMpS \қ[Y1X,#;ցP.A|fa.dE-s|r"'2.)Qiޑ;gɎ|"Qتp3iw%ޗc6W7Y]?4E×1o(=,BdPUe?'"+Ñ^>O Lf[OFqR3>e+,}0fxt,/ θe@MkQ<,Ua PH6ã0d&sg$m~^ yv u,;`C- >"c|s(D], ozDȯ|؝ 3@ LP/CM\+A!umΖpR) Kx㟌9> F@H>,Sw,,I}܂V-EVRGAkUf<\ޟo;L->k,u$SErgX9uxZpilk >h/ؼį%Tz6t;jåЇ8ٶH=eh>>D-A+n  ~рFgKg}Lb|_QYqtLKJW"Nz>Wh0ܟ/A%Oa-NA<wi:uGKT~3GUGM>׀6t\o'•VdÞ9ڡ4si?$ȟKZ]F%X]殴zayM{ 8 .1i<ԑy]bc9| cAe7"EW65ip©='Y'K> }܀/20؃"ES2GS蘾eF9I|$1u6@IQŇ! ||ctty/GɁmg)…K TI1,kU!{/klt?*l粰n#m/0AskI0Ȥ}GWʉ#Uh[< oE unfGRy+",.GYty. ]~jD}#lk[l/Ť<2w6n4,# r:x'45U u3S1CJdud@yHl%[v',! ;:t cLcN>lAO- !_vUHto֬u1Ĩ' c!'@ӣۣ}{>[yCDu?"W}uvqkxjᆆ҅"( Jx |?'yj/< psy!y&XZëHI?Pg[gds7ZՏ1DQ&Xyoa u@N OlBf*OS<-5lŋKW~ڴA[=B>Un] ?jiMGy[$\got}Ʊ |_d0ͲlnJU#fcR^m 5)Zv " af,ImdCO9J''SA 47~B밌,xPɡ* r&VB*C)IAY†MƑ>Toe\ay2bT" Uckxn^rǸ|ZClm.7`:hYhս9|kshJN7o飻&vcZs Jp1kFVYGG* G^SI B΄ yl!P'.~h` /?&a>P₟$c6f}jH}y/Y/ïWV8낽jū?.n[~Hw4X^+C VsՎIbiq3ב0jVƧCeR"$s؛ΣlFh#C*eX b=ʟ!ȩ*T1!tN]}50n%g.0YM&g6K&*p9no\> b*} 2Y}10@:EHϪ'z )zsW߱݅I^+ Z@%uM"+htfQfn?$NM~6.@Ц/z/MFV&TdR76H“L][r>ʨ۰bnXm}ZErvom(X@{٢ %`+8971[sp28ϧ cp U-aCGN8]8ҿFx|Y{Bw6qF)R̂QfLnj5+[L%Ѱ3GgT&;S[z,mEvXR0n^s;--\T1C^&z^(g{O>5_c/ݪCLV-ډBL\*W&ܨX N`61eU9b+qd%ҿjPw;e\^X]2dNs2FO`*if;6-KQ YZ