libressl-devel-3.3.3-lp152.3.3.1<>,`k/=„-A1^% % m ˇW>AT?Dd # f 9NT\RR HR R 4R R RRnR,R t ! ! """3("58"<;9#(;:(;FGRHRI`RXY\R]PR^b7cdefluRvw(RxpRy z@Clibressl-devel3.3.3lp152.3.3.1Development files for LibreSSL, an SSL/TLS protocol implementationLibreSSL is an open-source implementation of the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols. It derives from OpenSSL, with the aim of refactoring the OpenSSL code so as to provide a more secure implementation. This subpackage contains libraries and header files for developing applications that want to make use of libressl.`kgoat17fopenSUSE Leap 15.2openSUSEOpenSSLhttp://bugs.opensuse.orgDevelopment/Libraries/C and C++http://libressl.org/linuxi5862t!|w G g59%w\@h&&:0 Cw6}4'NH( $-#cQvO*sk++&uSSk m5wPo)NfP\wB. b$'U5A큤`k]`k]`k]`k]`k]`k]`k]`k]`k]`k]`k]`k]`k]`k]`k]`k]`k]`k]`k]`k]`k]`k]`k]`k]`k]`k]`k]`k]`k]`k]`k]`k]`k]`k]`k]`k]`k]`k]`k]`k]`k]`k]`k]`k]`k]`k]`k]`k]`k]`k]`k]`k]`k]`k]`k]`k]`k]`k]`k]`k]`k]`k]`k]`k]`k]`k]`k]`k]`k]`k]`k]`k]`k]`k]`k]`k\`k]`k]`kc`kc`kc`kcb1a9652554dbc8f59f1c738871d9deca91a4f343d9a9321ead22140561850d5ae248ede4a87361ef987b08a3eb27d78c12a51a72123c7c089409730a903d586b2cf69241687efecaa64deff90a1b314f6d7c744c5ffa95e9350772613d5c64c44f58bc8477d20384fc4c14424bf425ad2a7d28cae48522677c122968c059ba934f77271e14e77e629492aa25d5602eaa396d05f076ac02ee44aea2b39f2286709ed141304b928f5781ae3d2dabb2648f3214ca3f33e4ff2ce35f36576d9dbdcc84afaf3681dab2ad4095a6c886ce50ff93d1e7b5ef1f21bea36ed4c01d410d8e7c493b1665915dfe9901cbe0e4d0289c16aef34df5369e5594fd407aee46baa64bfda9dc565fdd5c657bdc16937e4f168c79b1215f5b722c869f7248591f1e2a1249f724f0d2b8a9c042302ee2f0dfb233a96c3b169542825abbdabd7c54c7320c620f0b656374510e4a332f80462b026bf7e5323160c42a319e76b37cbda4bf28c82a0cbd386eaad8de7457adb6117ec423864b53c44e94a45f280a1cfc13b9e6c5682589c2bf0711681d9bd71d5a5364bb40ec6704e114b8a358649d11da4ffd077d3504f5a00d03b4cbceca199b3ef579bfda0242f59adebb4be3fe11ddc8d4ca31b4a952302c58fc0df2e58d1f4bfdb855f910c58a9d3502c3acb36ece27a6fe3b7302188c194d5a29192fb009aa566dc8ba714db92ec572830e043d713f89dea030aa3fb68ae72a0a7bb8c6be377c29937cb6972610bcff82af6e983027d85d3c10ebacb6b405fe8b0d821a6f2947584b89a13b49106d32d5cd0526d96cfab2fde73d2b0f8c62b59bdee2af943509a92ecf3ade1a14bfbebbafa1a8d4a39c17843584bc9c1ce0825496050b4c31f4fdcde33e5641acdaccc7edfc0d3427fa8665bfc8094ca7ebaf1fdc1889fd2891591b137563974fdac2603b95b793c198f3c2327a200a51f4dd97206caccf684be77569dd8338ef5373817b28b9df4db82d26e65df36d744ac5182f938ec018cbca41a442b3f8d178e7a608e391a770a4d041c554463b61a2564fb3443a2bbd7783a911e6a731fadb00b4f75bfc567a735fa0581b280229586d28a2c6e1704c051ed15ff1f1e14a31c4d325f4975ba528aea386d5b4ce5a40ef7a88172e996f5ff40ae8d129078a62376c1478ae7adf1005b57c98f6b7ed5c49df9193b32557bc9d92461a565fab08e7a005587d6d80dccf5f62af420b8f5f44d6f7c19a55d77a9275292f802aaf038d5736dd3553a5078b4510956c946956825bd2da96814d91fce1b234874d8f011ce29b62376d0045e2898778ca55ab00f6bad0f4d4ec3e8e6a49a7997ca3253d7cf426441f9cd7279e2089b4e541ae9213b9c625e46706c19ff88fd2b4828a1465ebfb97e85e4883f5087481b9bdc0bd990e9967c6b35e90a6b27971f0ce4d7eb4e4cee0ac26abe64fd4d299199b83802641066dcab235ade36a91e6c4cc9fa7d596fbc0d76fa12f58b369e39b0dd55fc76d081de6142fc2a731bbfeb35878c664e25e940ed6c0e9fc70bad4ffc365b0eff1622b5736c832c0875d5746227a352dfb4d8d592fe69277a8ef5d7fa70aaeb96907b9319708dff41d66f7914fd123c0069210120e183fa55e0bf777a25b7501024db575f8e917b0f000217771c430c5e857d7faae128f7eb57fa04917fa958269f49d5ad9496f6515f076cec3cfd0b6d12584ec62a8e863e307e587beb1501abc41d21b73ccbcddbb337f37886776cb34081036c7ddd2cbed61e6f9eb63a050f2aaf2593d6b5f435f9879eaeea65b3ab075aa25d9b1a8afb47e02a5feb33982fa4efd5e8c5f0b7bb263677b23413550069e958d4733455a2e27d71bea7a3c708692c90f731b054c87f30aa137a80ba4ccc7a073d68ff0bad2c1c1e191eaedaa4137e88748c58d62da2c0cdf0439cd71bc44bd9626e91089a309f2b63f21d699a051bca87d7bb10f4cb7e29155c10dbb9d5f2f70a5ab1e1113962bfef5a07dbc9189378723694f7fcf7af865efb6bc1e32c34fb3829bfe2baa3383282f82c12af5ebc75ca6f8d2b8cde9084321c283119f8818239f62aeba64107914989378498cc23a754353a0b882ccf4779be92acb8671e188dc2e92bea3cd25aa9b4cf58e9b42c0a5cc4cfc0bd7bd06c156774f1642f80bb4b20efd3ec27b79023b9b3ed45f3675d2397fd36326663b8ac6019cb96d48003d8e07f5c31f217cea35bb379a78327dd785eedaadaa1b16fe35e0ef0ade96ae8e8976cdc1857987283d599b0d6b5df734349b75b52e0c5c379c8c5c06a07c72067fc39e5851474b2c9ee06041efae492a0c96430e0df20e243cec98f0bca8f1949bbc2ced32d5840b295abc3639a52223fd3016b7b0adcacdfc9a83a1bfc1f568b682e2d9f1c7b4c4a49ffd5c8f4d96a7354208d68b3a14e462d1cd9f1957be3ae442c9f65c9a7990482eeb7813b975f73d21ff23c46a7b20b8dc3908a31863fc960da420f39df38323fb7277e800f605feee4d9f75610bb62d70083a224b9f828b027b514cc849480210d447cc81fc71eae100c1f7f87f902589ea862e152ee26d18e91ea70ebd5166a70eb91c8cdff6c9094692026cf243d61ae1c6e6c152b0d45b49dd7624c931cd66ad839604d19ec54c29d921a678e1ab956e97e31819ffef41bc0ddab2acb054786a022f44fb08ff602239419a335ea791ebd1a970ff9550f8315850df7444466b9f49e715f244a66670936f6a4a83a7a63fc51477bde57c76dffde52dfb112e908629535f19c64325f04a13bb903e1888cfd7d7f1de65db6da36d25563fe4102c958d8e3537647d13747d0a2b3f84e2c1ad1e6484bb4941b359453f9e112d4e9959d97d76646984060dd93e1310a84d96fcf8d6e3acf7bfe5a687c8168ae1402a462dc9d646fcf7f2af091dbd54f0b8c69cddfeb6b7ce03017c50364dd59d167b14db35ff210327d57cabfb14be2ae40e440de2aad14d5b2791375e11f03c51d4a05f3c31670183d68dfc7ebcf2d7de947e8cb1cb3e29cb30c1c6132afbe4fb84da6371f5ea6e33628dbc0fc45e730cf79d4ec4614452a4411bd1b6462525e022f0d7b30a1dd8326ca1fe96d3d829ee064458eb0ddf1d47fbf28ad6698ce24060e3138fa811f09100bdad645ccce08aed8715c8a1dea85ececceff42522b62ce4ff043490cb4407ec0022ec212c677a177f70a2430888c9c975a9d2eb5a195a7a0f4dceae498d8570f9dcf226e543bf8a11dbff2c1a612aff579736f8c78bd7263d1c3796517652a1b8c24255ed235821995d1b4154c52a86d5541cd83ee5b16a407675b34d487bf5f0c46226f2ed3d848763200e2221dff3a788864aa5484bdc7cc1020ec45223c50bd4a0156d0fb8b2e7d3dad47eeded6d02413db8ae0870fee71191f95d2381f5de81151aefbacb5ab715312e5b567f77d0f0457e54a278dbd95254667034f47667d40ea2a87857100fc979aaa878abf3e3176a6236dba9117590d5e1cf11e17ea9de1844623f8b44bf3ab3cac04ab68clibcrypto.so.46.0.2libssl.so.48.0.2libtls.so.20.0.3rootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootlibressl-3.3.3-lp152.3.3.1.src.rpmlibressl-devellibressl-devel(x86-32)pkgconfig(libcrypto)pkgconfig(libssl)pkgconfig(libtls)pkgconfig(openssl)@@@    /usr/bin/pkg-configlibcrypto46libssl48libtls20pkgconfig(libcrypto)pkgconfig(libssl)rpmlib(CompressedFileNames)rpmlib(FileDigests)rpmlib(PayloadFilesHavePrefix)rpmlib(PayloadIsXz)3.3.33.3.33.3.33.0.4-14.6.0-14.0-15.2-1libopenssl-develotherproviders(ssl-devel)4.14.1``W5@`'@_ _"_=@^^@^]L@\9\@\\B@\ @[ @[@[@[j@Z?Z@ZZ@Z;@Z%8Z@Y*@YKYY@Y i@Y XX@W@WWWZWPW)@V@V@VjV9@V VU@UUU@U@UzU@U @TT@TÉ@TT~@Jan Engelhardt Jan Engelhardt Jan Engelhardt Jan Engelhardt Jan Engelhardt Jan Engelhardt Jan Engelhardt Jan Engelhardt Jan Engelhardt Jan Engelhardt Jan Engelhardt Jan Engelhardt Jan Engelhardt Jan Engelhardt sean@suspend.netBernhard Wiedemann Jan Engelhardt Jan Engelhardt jengelh@inai.dejengelh@inai.dejengelh@inai.dejengelh@inai.dejengelh@inai.dejengelh@inai.dejengelh@inai.dejengelh@inai.dejengelh@inai.dejengelh@inai.dejengelh@inai.detchvatal@suse.comtchvatal@suse.comjengelh@inai.dejengelh@inai.dejengelh@inai.dejengelh@inai.dejengelh@inai.dejengelh@inai.dejengelh@inai.dejengelh@inai.dejengelh@inai.dejengelh@inai.dejengelh@inai.dejengelh@inai.dejengelh@inai.deastieger@suse.comjengelh@inai.dejengelh@inai.dejengelh@inai.dejengelh@inai.dejengelh@inai.deastieger@suse.comjengelh@inai.dejengelh@inai.dejengelh@inai.desor.alexei@meowr.rujengelh@inai.dejengelh@inai.dejengelh@inai.dejengelh@inai.de- Update to release 3.3.3 * Support for DTLSv1.2. * Continued rewrite of the record layer for the legacy stack. * Numerous bugs and interoperability issues were fixed in the new verifier. A few bugs and incompatibilities remain, so this release uses the old verifier by default. * The OpenSSL 1.1 TLSv1.3 API is not yet available.- Update to release 3.2.5 * A TLS client using session resumption may have caused a use-after-free.- Update to release 3.2.4 * Switch back to certificate verification code from LibreSSL 3.1.x. The new verifier is not bug compatible with the old verifier causing issues with applications expecting behavior of the old verifier. * Unbreak DTLS retransmissions for flights that include a CCS. * Implement autochain for the TLSv1.3 server. * Use the legacy verifier for autochain. * Implement exporter for TLSv1.3. * Plug leak in x509_verify_chain_dup().- Update to release 3.2.3 * Fixed: Malformed ASN.1 in a certificate revocation list or a timestamp response token could lead to a NULL pointer dereference.- Update to release 3.2.2 * New X509 certificate chain validator that correctly handles multiple paths through intermediate certificates. * New name constraints verification implementation. * Define OPENSSL_NO_SSL_TRACE in opensslfeatures.h. * Make SSL_CTX_get_ciphers(NULL) return NULL rather than crash. * Avoid an out-of-bounds write in BN_rand(). * Fix numerous leaks in the UI_dup_* functions. * Avoid an out-of-bounds write in BN_rand().- Update to release 3.1.4 * TLS 1.3 client improvements: * Improve client certificate selection to allow EC certificates instead of only RSA certificates. * Do not error out if a TLSv1.3 server requests an OCSP response as part of a certificate request. * Fix SSL_shutdown behavior to match the legacy stack. The previous behaviour could cause a hang. * Fix a memory leak and add a missing error check in the handling of the key update message. * Fix a memory leak in tls13_record_layer_set_traffic_key. * Avoid calling freezero with a negative size if a server sends a malformed plaintext of all zeroes. * Ensure that only PSS may be used with RSA in TLSv1.3 in order to avoid using PKCS1-based signatures. * Add the P-521 curve to the list of curves supported by default in the client.- Update to release 3.1.3 * Fixed libcrypto failing to build a valid certificate chain due to expired untrusted issuer certificates.- Update to release 3.1.2 * A TLS client with peer verification disabled may crash when contacting a server that sends an empty certificate list.- Update to release 3.1.1 * Completed initial TLS 1.3 implementation with a completely new state machine and record layer. TLS 1.3 is now enabled by default for the client side, with the server side to be enabled in a future release. Note that the OpenSSL TLS 1.3 API is not yet visible/available. * Improved cipher suite handling to automatically include TLSv1.3 cipher suites when they are not explicitly referred to in the cipher string. * Provided TLSv1.3 cipher suite aliases to match the names used in RFC 8446. * Added cms subcommand to openssl(1). * Added -addext option to openssl(1) req subcommand. * Added -groups option to openssl(1) s_server subcommand. * Added TLSv1.3 extension types to openssl(1) -tlsextdebug.- Update to release 3.0.2 * Use a valid curve when constructing an EC_KEY that looks like X25519. The recent EC group cofactor change results in stricter validation, which causes the EC_GROUP_set_generator() call to fail. * Fixed a padding oracle in PKCS7_dataDecode and CMS_decrypt_set1_pkey. (Note that the CMS code is currently disabled).- Update to new upstream release 2.9.2 * Fixed SRTP profile advertisement for DTLS servers.- Update to new upstream release 2.9.1 * Added the SM4 block cipher from the Chinese standard GB/T 32907-2016. * Partial port of the OpenSSL EC_KEY_METHOD API for use by OpenSSH. * Implemented further missing OpenSSL 1.1 API. * Added support for XChaCha20 and XChaCha20-Poly1305. * Added support for AES key wrap constructions via the EVP interface.- Add openssl(cli) provides. Replace otherproviders conflict by normal Conflict+Provides.- Update to new upstream release 2.9.0 * CRYPTO_LOCK is now automatically initialized, with the legacy callbacks stubbed for compatibility. * Added the SM3 hash function from the Chinese standard GB/T 32905-2016. * Added more OPENSSL_NO_* macros for compatibility with OpenSSL. * Added the ability to use the RSA PSS algorithm for handshake signatures. * Added functionality to derive early, handshake, and application secrets as per RFC8446. * Added handshake state machine from RFC8446. * Added support for assembly optimizations on 32-bit ARM ELF targets. * Improved protection against timing side channels in ECDSA signature generation. * Coordinate blinding was added to some elliptic curves. This is the last bit of the work by Brumley et al. to protect against the Portsmash vulnerability.- Update to new upstream release 2.8.3 * Fixed warnings about clock_gettime on Windows VS builds * Fixed CMake builds on systems where getpagesize is inline * Implemented coordinate blinding for EC_POINT for portsmash * Fixed a non-uniformity in getentropy(2) to discard zeroes- Update extra-symver.diff to fix build with -j1- Update to new upstream release 2.8.2 * Added Wycheproof support for ECDH and ECDSA Web Crypto test vectors, along with test harness fixes.- Update to new upstream release 2.8.1 * Simplified key exchange signature generation and verification. * Fixed a one-byte buffer overrun in callers of EVP_read_pw_string. * Modified signature of CRYPTO_mem_leaks_* to return -1. This function is a no-op in LibreSSL, so this function returns an error to not indicate the (non-)existence of memory leaks. * SSL_copy_session_id, PEM_Sign, EVP_EncodeUpdate, BIO_set_cipher, X509_OBJECT_up_ref_count now return an int for error handling, matching OpenSSL. * Converted a number of #defines into proper functions, matching OpenSSL's ABI. * Added X509_get0_serialNumber from OpenSSL. * Removed EVP_PKEY2PKCS8_broken and PKCS8_set_broken, while adding PKCS8_pkey_add1_attr_by_NID and PKCS8_pkey_get0_attrs, matching OpenSSL. * Added RSA_meth_get_finish() RSA_meth_set1_name() from OpenSSL. * Added new EVP_CIPHER_CTX_(get|set)_iv() API that allows the IV to be retrieved and set with appropriate validation.- Update to new upstream release 2.8.0 * Fixed a pair of 20+ year-old bugs in X509_NAME_add_entry. * Tighten up checks for various X509_VERIFY_PARAM functions, 'poisoning' parameters so that an unverified certificate cannot be used if it fails verification. * Fixed a potential memory leak on failure in ASN1_item_digest. * Fixed a potential memory alignment crash in asn1_item_combine_free. * Removed unused SSL3_FLAGS_DELAY_CLIENT_FINISHED and SSL3_FLAGS_POP_BUFFER flags in write path, simplifying IO paths. * Removed SSL_OP_TLS_ROLLBACK_BUG buggy client workarounds. * Added const annotations to many existing APIs from OpenSSL, making interoperability easier for downstream applications. * Added a missing bounds check in c2i_ASN1_BIT_STRING. * Removed three remaining single DES cipher suites. * Fixed a potential leak/incorrect return value in DSA signature generation. * Added a blinding value when generating DSA and ECDSA signatures, in order to reduce the possibility of a side-channel attack leaking the private key. * Added ECC constant time scalar multiplication support. * Revised the implementation of RSASSA-PKCS1-v1_5 to match the specification in RFC 8017. * Changes from 2.7.4: * Avoid a timing side-channel leak when generating DSA and ECDSA signatures. [CVE-2018-12434, boo#1097779] * Reject excessively large primes in DH key generation.- Update to new upstream release 2.7.3 * Removed incorrect NULL checks in DH_set0_key(). * Limited tls_config_clear_keys() to only clear private keys.- Update to new upstream release 2.7.2 * Updated and added extensive new HISTORY sections to the API manuals.- Update to new upstream release 2.7.1 * Fixed a bug in int_x509_param_set_hosts, calling strlen() if name length provided is 0 to match the OpenSSL behaviour. [CVE-2018-8970, boo#1086778]- Update to new upstream release 2.7.0 * Added support for many OpenSSL 1.0.2 and 1.1 APIs. * Added support for automatic library initialization in libcrypto, libssl, and libtls. * Converted more packet handling methods to CBB, which improves resiliency when generating TLS messages. * Completed TLS extension handling rewrite, improving consistency of checks for malformed and duplicate extensions. * Rewrote ASN1_TYPE_ get,set _octetstring() using templated ASN.1. This removes the last remaining use of the old M_ASN1_ macros (asn1_mac.h) from API that needs to continue to exist. * Added support for client-side session resumption in libtls. * A libtls client can specify a session file descriptor (a regular file with appropriate ownership and permissions) and libtls will manage reading and writing of session data across TLS handshakes. * Merged more DTLS support into the regular TLS code path.- Update to new upstream release 2.6.4 * Make tls_config_parse_protocols() work correctly when passed a NULL pointer for a protocol string. * Correct TLS extensions handling when no extensions are present.- Add extra-symver.diff- Update to new upstream release 2.6.3 * Added support for providing CRLs to libtls - once a CRL is provided via tls_config_set_crl_file(3) or tls_config_set_crl_mem(3), CRL checking is enabled and required for the full certificate chain. * Reworked TLS certificate name verification code to more strictly follow RFC 6125. * Relaxed SNI validation to allow non-RFC-compliant clients using literal IP addresses with SNI to connect to a libtls-based TLS server. * Added tls_peer_cert_chain_pem() to libtls, useful in private certificate validation callbacks such as those in relayd. * Added SSL{,_CTX}_set_{min,max}_proto_version(3) functions. * Imported HKDF (HMAC Key Derivation Function) from BoringSSL. * Dropped cipher suites using DSS authentication. * Removed support for DSS/DSA from libssl. * Distinguish between self-issued certificates and self-signed certificates. The certificate verification code has special cases for self-signed certificates and without this change, self-issued certificates (which it seems are common place with openvpn/easyrsa) were also being included in this category. * Removed NPN support - NPN was never standardised and the last draft expired in October 2012. * Removed SSL_OP_CRYPTOPRO_TLSEXT_BUG workaround for old/broken CryptoPro clients. * Removed support for the TLS padding extension, which was added as a workaround for an old bug in F5's TLS termination. * Added ability to clamp notafter values in certificates for systems with 32-bit time_t. This is necessary to conform to RFC 5280 §4.1.2.5. * Removed the original (pre-IETF) chacha20-poly1305 cipher suites. * Reclassified ECDHE-RSA-DES-CBC3-SHA from HIGH to MEDIUM. - Add des-fcrypt.diff [boo#1065363]- Update to new upstream release 2.6.2 * Provide a useful error with libtls if there are no OCSP URLs in a peer certificate. * Keep track of which keypair is in use by a TLS context, fixing a bug where a TLS server with SNI would only return the OCSP staple for the default keypair. - Update to new upstream release 2.6.1 * Added tls_config_set_ecdhecurves() to libtls, which allows the names of the eliptical curves that may be used during client and server key exchange to be specified. * Removed support for DSS/DSA, since we removed the cipher suites a while back. * Removed NPN support. NPN was never standardised and the last draft expired in October 2012. ALPN was standardised. * Removed SSL_OP_CRYPTOPRO_TLSEXT_BUG workaround for old/broken CryptoPro clients. * Removed support for the TLS padding extension, which was added as a workaround for an old bug in F5's TLS termintation. * Added ability to clamp notafter values in certificates for systems with 32-bit time_t. This is necessary to conform to RFC 5280 §4.1.2.5. * Implemented the SSL_CTX_set_min_proto_version(3) API. * Removed the original (pre-IETF) chacha20-poly1305 cipher suites. * Reclassified ECDHE-RSA-DES-CBC3-SHA from HIGH to MEDIUM.- Update to new upstream release 2.6.0 * Added support for providing CRLs to libtls. Once a CRL is provided, we enable CRL checking for the full certificate chain. * Allow non-compliant clients using IP literal addresses with SNI to connect to a server using libtls. * Avoid a potential NULL pointer dereference in d2i_ECPrivateKey(). * Added definitions for three OIDs used in EV certificates. * Plugged a memory leak in tls_ocsp_free. * Added tls_peer_cert_chain_pem, tls_cert_hash, and tls_hex_string to libtls, useful in private certificate validation callbacks. * Reworked TLS certificate name verification code to more strictly follow RFC 6125. * Added tls_keypair_clear_key for clearing key material. * Removed inconsistent IPv6 handling from BIO_get_accept_socket, simplified BIO_get_host_ip and BIO_accept. * Fixed the openssl(1) ca command so that is generates certificates with RFC 5280-conformant time. * Added ASN1_TIME_set_tm to set an asn1 from a struct tm *. * Added SSL{,_CTX}_set_{min,max}_proto_version() functions. * Added HKDF (HMAC Key Derivation Function) from BoringSSL * Providea a tls_unload_file() function that frees the memory returned from a tls_load_file() call, ensuring that it the contents become inaccessible. This is specifically needed on platforms where the library allocators may be different from the application allocator. * Perform reference counting for tls_config. This allows tls_config_free() to be called as soon as it has been passed to the final tls_configure() call, simplifying lifetime tracking for the application. * Moved internal state of SSL and other structures to be opaque. * Dropped cipher suites with DSS authentication.- Update to new upstream release 2.5.5 * Distinguish between self-issued certificates and self-signed certificates. The certificate verification code has special cases for self-signed certificates and without this change, self-issued certificates (which it seems are common place with openvpn/easyrsa) were also being included in this category.- Add conflict between libressl and the main versioned packages too- Add conflict for split openssl packages- Update to new upstream release 2.5.4 * Reverted a previous change that forced consistency between return value and error code when specifing a certificate verification callback, since this breaks the documented API. * Switched Linux getrandom() usage to non-blocking mode, continuing to use fallback mechanims if unsuccessful. * Fixed a bug caused by the return value being set early to signal successful DTLS cookie validation.- Update to new upstream release 2.5.1 * Avoid a side-channel cache-timing attack that can leak the ECDSA private keys when signing. [bnc#1019334] * Detect zero-length encrypted session data early * Curve25519 Key Exchange support. * Support for alternate chains for certificate verification. - Update to new upstream release 2.5.2 * Added EVP interface for MD5+SHA1 hashes * Fixed DTLS client failures when the server sends a certificate request. * Corrected handling of padding when upgrading an SSLv2 challenge into an SSLv3/TLS connection. * Allowed protocols and ciphers to be set on a TLS config object in libtls. - Update to new upstream release 2.5.3 * Documentation updates - Remove ecs.diff (merged)- Add ecs.diff [bnc#1019334]- Update to new upstream release 2.5.0 * libtls now supports ALPN and SNI * libtls adds a new callback interface for integrating custom IO functions. * libtls now handles 4 cipher suite groups: "secure" (TLSv1.2+AEAD+PFS), "compat" (HIGH:!aNULL), "legacy" (HIGH:MEDIUM:!aNULL), "insecure" (ALL:!aNULL:!eNULL). This allows for flexibility and finer grained control, rather than having two extremes. * libtls now always loads CA, key and certificate files at the time the configuration function is called. * Add support for OCSP intermediate certificates. * Added functions used by stunnel and exim from BoringSSL - this brings in X509_check_host, X509_check_email, X509_check_ip, and X509_check_ip_asc. * Improved behavior of arc4random on Windows when using memory leak analysis software. * Correctly handle an EOF that occurs prior to the TLS handshake completing. * Limit the support of the "backward compatible" ssl2 handshake to only be used if TLS 1.0 is enabled. * Fix incorrect results in certain cases on 64-bit systems when BN_mod_word() can return incorrect results. BN_mod_word() now can return an error condition. * Added constant-time updates to address CVE-2016-0702 * Fixed undefined behavior in BN_GF2m_mod_arr() * Removed unused Cryptographic Message Support (CMS) * More conversions of long long idioms to time_t * Reverted change that cleans up the EVP cipher context in EVP_EncryptFinal() and EVP_DecryptFinal(). Some software relies on the previous behaviour. * Avoid unbounded memory growth in libssl, which can be triggered by a TLS client repeatedly renegotiating and sending OCSP Status Request TLS extensions. * Avoid falling back to a weak digest for (EC)DH when using SNI with libssl.- Update to new upstream release 2.4.2 * Ensured OSCP only uses and compares GENERALIZEDTIME values as per RFC6960. Also added fixes for OCSP to work with intermediate certificates provided in responses. * Fixed incorrect results from BN_mod_word() when the modulus is too large. * Correctly handle an EOF prior to completing the TLS handshake in libtls. * Removed flags for disabling constant-time operations. This removes support for DSA_FLAG_NO_EXP_CONSTTIME, DH_FLAG_NO_EXP_CONSTTIME, and RSA_FLAG_NO_CONSTTIME flags, making all of these operations unconditionally constant-time.- Update to new upstream release 2.4.2 * Ensured OSCP only uses and compares GENERALIZEDTIME values as per RFC6960. Also added fixes for OCSP to work with intermediate certificates provided in responses. * Fixed incorrect results from BN_mod_word() when the modulus is too large. * Correctly handle an EOF prior to completing the TLS handshake in libtls.- Update to new upstream release 2.4.1 * Correct a problem that prevents the DSA signing algorithm from running in constant time even if the flag BN_FLG_CONSTTIME is set.- Update to new upstream release 2.4.0 * Added missing error handling around bn_wexpand() calls. * Added explicit_bzero calls for freed ASN.1 objects. * Fixed X509_*set_object functions to return 0 on allocation failure. * Implemented the IETF ChaCha20-Poly1305 cipher suites. * Changed default EVP_aead_chacha20_poly1305() implementation to the IETF version, which is now the default. * Fixed password prompts from openssl(1) to properly handle ^C. * Reworked error handling in libtls so that configuration errors are visible. * Deprecated internal use of EVP_[Cipher|Encrypt|Decrypt]_Final.- Update to new upstream release 2.3.4 [boo#978492, boo#977584] * Fix multiple vulnerabilities in libcrypto relating to ASN.1 and encoding.- Update to new upstream release 2.3.3 * cert.pem has been reorganized and synced with Mozilla's certificate store- Update to new upstream release 2.3.2 * Added EVP_aead_chacha20_poly1305_ietf() which matches the AEAD construction introduced in RFC 7539, which is different than that already used in TLS with EVP_aead_chacha20_poly1305(). * Avoid a potential undefined C99+ behavior due to shift overflow in AES_decrypt. - Remove 0001-Fix-for-OpenSSL-CVE-2015-3194.patch, 0001-Fix-for-OpenSSL-CVE-2015-3195.patch (included)- Add 0001-Fix-for-OpenSSL-CVE-2015-3194.patch, 0001-Fix-for-OpenSSL-CVE-2015-3195.patch [boo#958768]- Update to new upstream release 2.3.1 * ASN.1 cleanups and RFC5280 compliance fixes. * Time representations switched from "unsigned long" to "time_t". LibreSSL now checks if the host OS supports 64-bit time_t. * Changed tls_connect_servername to use the first address that resolves with getaddrinfo(). * Fixed a memory leak and out-of-bounds access in OBJ_obj2txt, * Fixed an up-to 7 byte overflow in RC4 when len is not a multiple of sizeof(RC4_CHUNK). - Drop CVE-2015-5333_CVE-2015-5334.patch (merged)- Security update for libressl: * CVE-2015-5333: Memory Leak [boo#950707] * CVE-2015-5334: Buffer Overflow [boo#950708] - adding CVE-2015-5333_CVE-2015-5334.patch- Update to new upstream release 2.3.0 * SSLv3 is now permanently removed from the tree. * libtls API: The read/write functions work correctly with external event libraries. See the tls_init man page for examples of using libtls correctly in asynchronous mode. * When using tls_connect_fds, tls_connect_socket or tls_accept_fds, libtls no longer implicitly closes the passed in sockets. The caller is responsible for closing them in this case. * Removed support for DTLS_BAD_VER. Pre-DTLSv1 implementations are no longer supported. * SHA-0 is removed, which was withdrawn shortly after publication 20 years ago.- Update to new upstream release 2.2.3 * LibreSSL 2.2.2 incorrectly handles ClientHello messages that do not include TLS extensions, resulting in such handshakes being aborted. This release corrects the handling of such messages.- drop /etc/ssl/cert.pem- Avoid file conflict with ca-certificates by dropping /etc/ssl/certs- Update to new upstream release 2.2.2 * Incorporated fix for OpenSSL issue #3683 [malformed private key via command line segfaults openssl] * Removed workarounds for TLS client padding bugs, removed SSLv3 support from openssl(1), removed IE 6 SSLv3 workarounds, removed RSAX engine. * Modified tls_write in libtls to allow partial writes, clarified with examples in the documentation. * Building a program that intentionally uses SSLv3 will result in a linker warning. * Added TLS_method, TLS_client_method and TLS_server_method as a replacement for the SSLv23_*method calls. * Switched `openssl dhparam` default from 512 to 2048 bits * Fixed `openssl pkeyutl -verify` to exit with a 0 on success * Fixed dozens of Coverity issues including dead code, memory leaks, logic errors and more.- Update to new upstream release 2.2.1 [bnc#937891] * Protocol parsing conversions to BoringSSL's CRYPTO ByteString (CBS) API * Added EC_curve_nid2nist and EC_curve_nist2nid from OpenSSL * Removed Dynamic Engine support * Removed unused and obsolete MDC-2DES cipher * Removed workarounds for obsolete SSL implementations * Fixes and changes for plaforms other than GNU/Linux- Update to new upstream release 2.2.0 * Removal of OPENSSL_issetugid and all library getenv calls. Applications can and should no longer rely on environment variables for changing library behavior. OPENSSL_CONF/SSLEAY_CONF is still supported with the openssl(1) command. * libtls API and documentation additions * fixed: * CVE-2015-1788: Malformed ECParameters causes infinite loop * CVE-2015-1789: Exploitable out-of-bounds read in X509_cmp_time * CVE-2015-1792: CMS verify infinite loop with unknown hash function (this code is not enabled by default) * already fixed earlier, or not found in LibreSSL: * CVE-2015-4000: DHE man-in-the-middle protection (Logjam) * CVE-2015-1790: PKCS7 crash with missing EnvelopedContent * CVE-2014-8176: Invalid free in DTLS- Ship pkgconfig files again- Update to new upstream release 2.1.6 * Reject server ephemeral DH keys smaller than 1024 bits * Fixed CVE-2015-0286 - Segmentation fault in ASN1_TYPE_cmp * Fixed CVE-2015-0287 - ASN.1 structure reuse memory corruption * Fixed CVE-2015-0289 - PKCS7 NULL pointer dereferences * Fixed CVE-2015-0209 - Use After Free following d2i_ECPrivatekey error * Fixed CVE-2015-0288 - X509_to_X509_REQ NULL pointer deref- Update to 2.1.4: * Improvements to libtls: - a new API for loading CA chains directly from memory instead of a file, allowing verification with privilege separation in a chroot without direct access to CA certificate files. - Ciphers default to TLSv1.2 with AEAD and PFS. - Improved error handling and message generation. - New APIs and improved documentation. * Add X509_STORE_load_mem API for loading certificates from memory. This facilitates accessing certificates from a chrooted environment. * New AEAD "MAC alias" allows configuring TLSv1.2 AEAD ciphers by using 'TLSv1.2+AEAD' as the cipher selection string. * New openssl(1) command 'certhash' replaces the c_rehash script. * Server-side support for TLS_FALLBACK_SCSV for compatibility with various auditor and vulnerability scanners. * Dead and disabled code removal including MD5, Netscape workarounds, non-POSIX IO, SCTP, RFC 3779 support, "#if 0" sections, and more. * The ASN1 macros are expanded to aid readability and maintainability. * Various NULL pointer asserts removed in favor of letting the OS/signal handler catch them. * Refactored argument handling in openssl(1) for consistency and maintainability. * Support for building with OPENSSL_NO_DEPRECATED. * Dozens of issues found with the Coverity scanner fixed. * Fix a minor information leak that was introduced in t1_lib.c r1.71, whereby an additional 28 bytes of .rodata (or .data) is provided to the network. In most cases this is a non-issue since the memory content is already public. * Fixes for the following low-severity issues were integrated into LibreSSL from OpenSSL 1.0.1k: - CVE-2015-0205 - DH client certificates accepted without verification. - CVE-2014-3570 - Bignum squaring may produce incorrect results. - CVE-2014-8275 - Certificate fingerprints can be modified. - CVE-2014-3572 - ECDHE silently downgrades to ECDH [Client].- Add package signatures- Update to new upstream release 2.1.3 * Fixes for various memory leaks in DTLS, including those for CVE-2015-0206. * Application-Layer Protocol Negotiation (ALPN) support. * Simplfied and refactored SSL/DTLS handshake code. * SHA256 Camellia cipher suites for TLS 1.2 from RFC 5932. * Ensure the stack is marked non-executable for assembly sections.- Update to new upstream release 2.1.2 * The two cipher suites GOST and Camellia have been reworked or reenabled, providing better interoperability with systems around the world. * The libtls library, a modern and simplified interface for secure client and server communications, is now packaged. * Assembly acceleration of various algorithms (most importantly AES, MD5, SHA1, SHA256, SHA512) are enabled for AMD64. - Remove libressl-no-punning.diff (file to patch is gone)- Update to new upstream release 2.1.1 * Address POODLE attack by disabling SSLv3 by default * Fix Eliptical Curve cipher selection buggoat17 1625844654  !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQR3.3.3-lp152.3.3.13.3.3-lp152.3.3.13.3.33.3.33.3.33.3.3opensslaes.hasn1.hasn1t.hbio.hblowfish.hbn.hbuffer.hcamellia.hcast.hchacha.hcmac.hcms.hcomp.hconf.hconf_api.hcrypto.hcurve25519.hdes.hdh.hdsa.hdso.hdtls1.hec.hecdh.hecdsa.hengine.herr.hevp.hgost.hhkdf.hhmac.hidea.hlhash.hmd4.hmd5.hmodes.hobj_mac.hobjects.hocsp.hopensslconf.hopensslfeatures.hopensslv.hossl_typ.hpem.hpem2.hpkcs12.hpkcs7.hpoly1305.hrand.hrc2.hrc4.hripemd.hrsa.hsafestack.hsha.hsm3.hsm4.hsrtp.hssl.hssl2.hssl23.hssl3.hstack.htls1.hts.htxt_db.hui.hui_compat.hwhrlpool.hx509.hx509_verify.hx509_vfy.hx509v3.htls.hlibcrypto.solibssl.solibtls.solibcrypto.pclibssl.pclibtls.pcopenssl.pc/usr/include//usr/include/openssl//usr/lib//usr/lib/pkgconfig/-fomit-frame-pointer -fmessage-length=0 -grecord-gcc-switches -O2 -Wall -D_FORTIFY_SOURCE=2 -fstack-protector-strong -funwind-tables -fasynchronous-unwind-tables -fstack-clash-protection -gobs://build.opensuse.org/openSUSE:Maintenance:16678/openSUSE_Leap_15.2_Update/ad212ff1f37670e0c6fb0ee4a7a341ed-libressl.openSUSE_Leap_15.2_Updatedrpmxz5i586-suse-linuxdirectoryC source, ASCII textASCII textpkgconfig filePRPRRPRPRRRoie`0^L^utf-8c1012f932182d8b1b73260fd1d7e1d41fc77155777eda154d09dad8ecf416df1?7zXZ !t/(UD<]"k%]d)(c|s3'i3)֐iS-Ǹzܥ$M=-0r }|C- Iipys=XFx(sT2a)[Ht.Γ VS׵1[lzj/SljlV=ƥҏEQѧ ဝ͕ l|8wѭ STUM>cl4-.B+5X%l<ʲAc=Z>M :lp5iE3YUM/WKŵ& ^AKBGP恬k|+I,D2=8Q 6#R߹pՍA7.$%vL:mɴ":E#8 q Z果jOR]&x8{ zCS 砥+C/=M( *g9]AFWRK(Ow;C\ !VIT5<5kf*NRok 4)^oiPgp! eFXM0/<'d ~]* KC>YBG4zkn'l( Kt-lWylN ƫrkd I ҄'d$Ggs(Ȃ-l !~O"P#"}PWPICR˜ߜ/gvI7H<ť 뤈YߘH%9yڲcWؗ<948x#VǼ묜@ߓ2lk,<(VlxZzOg,^>8?̼Ɇ?¢ձxRJ;ZH hŚ{{d$.3[<|?15/?e>C&1e2t8OFRP/|3v`\Q/cP8)t:m8@h>Iټ8[#lxQ{so惇/rsdH*uV\aS2ZZ67"4I(K-9uk^lV>aP8`#(u/Z^Ci%hр07oTA ,2fuIteô}Xdi/NJ,NcoJ._!A0.n4?,?^~}69lnIZ'jF@$}egwzظ=_?~*89 GQvf+A]zYcc'ޥ=p㫢4 \AREd%27 30iG?0.~# rbS~8 ~ i.%r^]֣!.9@'۬J?YZ~8TI8`hDU:p]7nT9DY|p8b` _)u&BXܴNH40n\zPr?>0I3Ē<7́"poَUn'皘L\\zuOPzll0'hM.Uu0nw(Hƞ^֫gT"CWeB_ / h\Ğ QZz^ M}`@@n҆9=|jj04Șg:HverO\*5^3o`J&u^9;%%I&e_$ؒ#@'=g#؝]uV`mߟw#:xri.ܻN$К){eCtE1V+azg;GrBLO)%@c o pܖks`Eg|l&I9gd'm@~Mfh4S,9 }Dզn:.YL؛Ȫp~C7G`NppIx9SY Q"?b Tɇ s07qDR~备 /RsGDE8+r=s6iXЊฮ4$`K|R;Y>E@=f3-cU9Jg^`3%fMUUB;sBlyurUȅJ<<~%<G* B1%{iOhUAt FnFRϩvm31 \zhKJ Fw'5@"mAfWD:&Z{:5b}ut\D;2+ bodZ8 2k{89a(<2jF#YL!y1mo&ؘع&@lA6fau7r耿۵n$\n% $K禈W'h(2%ja"1x,֖\qlp6$MKU 2np!*I@Mq[N9h8fB) ([n$CjNǂC؈ !n8f \HTH*jgT]3x"]y͆R3D,2 8?3qfѮ"EߤmJىxٯL}md(X0E&[?`yNm"-z1ZFgA5{qbڊ3PLSDL]`G{d¦͌w.#|@̀MJ#z7tX (p_sw5JUߍF]2eWML8&>&<'Z\yV_N!;й ]ccX4<mG? l^]tcՕH J\+5<{P% ZsDܴ>!Z^#QuJYnŏԲ?"`"!~1cCbTVmj#?k A &.mbPx=JDG#uHxl0͊ b{cRɞ[\>C *5A,}09*hro jde'`an\N&T"hL# PHz_KT7Sn)Jr#WW 815(Q J>].7׹. du*0on8Ŗꟗ(sdtQ97$[nfid;Qz?;hþn3:H$fPDE0fFGloYI=S-,9;y3Q~թG4?dn\@Qxkbg"4+Exct 00¿3?DS&8\{XPմRGG6nez<ƻIWչ uo#SZew%+7+o=6/267ޱ284U* ,,hb)M 9Kƌ\/X8(<<;lxGg'cripJ/z:=\g2G3˱SP~*ɸy"P>yoEy#l>(5 㜋ԊA|mA)$ }3XRK^GLlsR.]IG*O ".k[4,KYv&Guŀad*^7S<H;ԣN¬t兩`6> v hEstr 6h ȹv: 0ݿ8ފ4z3ȳ?K˥15>'~4&5ATҔMiEMmkܫb|:}EZo;F38_ZcbەO`t v[TNΑ<*D!& *Ŧ9n Od3'~~`FT7d&e,1[5Ү{ɚv<q& !ht8rJ`1KQg&|!ŗ^Za(É4`ϥQrήk:D@'z1BvAzmM6xKNmVvJD\c(D21\?C͑q=X_y,[f5}J ;nߎh6h 8Ӄ1 7 D^AWV;5L^Gwːu ,6u 1.pwNfpZCte>8пM2?Ja܅FH"ɱ4H~V~RZ~ʪDxTݷ),=12 3Jw;F#4ߝ<8#~JUz 2'+/Z4NBE0!L'Ep2{V{R PVskh R2Lh"(Ǽ6.,{)q}SP%I^ͫף^*03{bgѾyl'C$3Q&/Fv4,@N - We/؏ }o8ɊA}3.=hrTh1OUveOxg6St\d5cp%x"2WyR.H{BXTY564^A &oq߳s9{;z2O&JeѸ70Wy UyM80ʱu&}]edGۏ2Q-sB`[SO?C.i9%z;/اܜMz@Dؽ#Rq)ei5d_.d WPU,7F/ɕL3%pnIrKcH#:ވ0 pcR &p )vZd+W* k>O!cW3gHCBLc;zpWo?HГ%̡4XF#Q .ԊKI|`m,q+lv졖.l/$ +挖 judTUp9'kyN wdChPeVm3ak9fdS:@¥&6';#]6{oswaMO:$[u 8޺jQ:+0Qpy)Nz$=U>j!"waE*a@[p'o%~;.itȈe`LLfjr0ďfdy w&-s]PaN'nK}p?w&0MNEp ]'_rXgENm=m.}zXkPϟ@͗ ^5qrajj&g ѝ!zpZQj *?4a(e r:FEɳc8̋KWZ{RK/]ؒN,0N; Z& \t3iyKE@'ef L0Fv5C u̱M.n< \4oq:bq R% <[:;/|m6FhMZ'<^e.tڑU%9Wݲ_Ì (~h}V遧qHZyem 3!|4i|K_D b: g+@XÂP*6 Aw +PMxGբ+#o /XLǷ 6ȏ-q+61k"O)ք6,IӡD@P^wy&NG%Q ޜ7Nj3%n$L0&M(xCVȡC 9̗P J B lFtŊA*|].D^n~EaE$mwgE*r~oa%% NPyHބ.! P!ͷC>"׹aQ~tnif6=Er1~fHrYUk( K0@T"wH!MY].D?nM ˉ 06v^㾶`S "nzR"x+H՜*:<.)^f><yd] ԥU %K'ixJOFIu͹(Lcadk:i&BNfdeLrbDӗQ37KiX!Wk1ƨy{/=ZwFE@X-Ôb9)5ZG"oGpFAwގ_n=O>exT̛&ƼYflcƨm(Βɛ<B176S9;ȃ><2C炿4xf3Ͷxl@LYӇc7 {)LmܾU#C2E(ؖ]'sYyx (cWGydo RЇ9~QiuNjSL5WXIzyɭQ)YnloV0x-h;ڒr?<+|HbkUka݌X"5YBA)3 K#Om4t%佸4RHswr7urfky'd+[iIY" 8rRL\Mm&ToV|sQt |{W**vڞؔ۸F c,lg 0Q_3S2-s8ڈ%v|C@}]6oPŸ4Tx._}Qq&7zm"Z? ڈ ^ ;rV}O.ܢn|YkEOP;ԥ aE>gY L`.>迉=p ӶZC_ۖOMtהX( 7^ {QAsN)W(c3NH:#C;y !DV>>p{8Uqȵy>/eVC0B !ð@XYRb'cޚ sbBk|mX `) ~z[ɤl6Q\yz~RE 1Dnx$LWiڥM Po\8@qIܝ"ζ&*}pԾ.F(;J'+7rjvx# xg%cշiUb6Ga: Rլڷ-,tL𰋲ٰFw!5u}8sohͬR,⡁eS{`lXWӍhQ?0=DzN_+m,Va?G }1"^zT09MCQXkY//߉B;F#^ 9إ}@Eo/bu.5l#h{cY6/4Y ;bؤ7 ,YɱXyrsNV%dIy?3*61k9J_gԕ2┕!Mk@b!oK\ꛘ4~k`HY uY5"Zd&!w`><4"@\(^ZƔzGB7l׊e Mf%ǝѻX)gs}0?W^t ;6ȵԋ2L޹NKT k| 3ԡ̑4x{ZƏ7VCN$`~%Vڪ[*IORM}1QQ뻗nŇi˜7ٌ{ >bYCqn0/_T%n,1 oVzl;q$;ӵ$_v Rw` ,}g%JQs*1o٬dҭЋ1=8^a|T]E18^ZT9yua Łz}&E<=ԕN&.ʥ FSOIAױy^ר~F7ð zT0b\>q0b9?ǐhg9,{5Hm%i']eԫW.}&jS-sTDճ2f., _!֨a]U([o,L`,H\ь/zJ 7HrH1;Hѹ= [,3S^*b {\pD՚pS@V7KCNdlCbDbjY֟F:y8qv碷#=0Xf!5>랞Bl"Of(!QI.hk`XвcZ4YQH>_B~Z9|l D WX$dGfȴ}Nua%Z,8k^⬛nx Ŧ'%b?74ߓ0{;mI{ h-btPgى֦Gu̗6{|@ߘb.:ͬ TPغ$(  6oM^!."nA{gtq) UmÌtz, 5ہ׺LC/ ӧYB FL.hT?CW:&˪sN/>ֲJ ']/%ðpZl0Z4Z11EmFÃidtvg1 S':1w ټVq*A SLQN㲱zN+0ax8o!?W[̀jk귪J]&邼d$:eA8v?.ΚlXR}4?k/ފlhjgtݟ {Ȥ(Fd :c$(픕@gQ~6hjhgiPҵInR"!˂9Z2UĬW}6QWh}N[<+!lo5Ŋ23$^wp.)x9&$KOЗ.m,bH\|Eco4M-!$nLZehVŵ^Zsl=UN/z,M ?Myza\z<~m "m!ZжʉVjE .hLD˱bD1בp`Ky"l;zɹQ#D u.MvWIfwۼ&u\P sX%|}ƫ~?A m/ؒG[/3S} *!̈}K@_&'*ό>#ߪy9 Fg8!큇zkVPɫ*,c!- V U =Om~Q3v 4Qp8OөDP N~x XD˄4|^%=T]/51pA.- BݺP+j۩;OD긶޷;BOgqiNSQ`P8$f̝;9q;m,<)e@` ?m}oS$cZJӑc:d=_gR/nLIvd&tEoW @8|zyEʦu9>  ^R*6ќTleh2uARl-we@u!#& &](BZli#F_h!9UeIXsLwIM K%mע(8[RӭYL q{k tAolHHycL>9ޞ8,V!4`_m%`;-3nh?sAdVX%r,JB&t嬄#pe{\M^w0 {'~|8L3>\ct%2 !# cM\ >/\oy"\Ȟس(L}C#bjC9:fv@V 5_zv;Z)Jh=3i6KDu"nt1DbôQ(5Aq/6Hxk۪5X=u{x^܁0#AjApE,5!jx]dB Raܶ?l,B5f]g_9&g~U13mp `,徍̴ל#a߽-(sFBjlO++cF>P ;z~:(Tc R (SEUd&o] jj:PoXn@o߈ZޤQ%i!ʦA2WوŖ@H B(ABx>ΜPӓp .!r;ɀ{hE=.E.M=)5.vVhe~L{mD9p`No&4U^-[&y0PN:cn/ %iezt@Ebe: uAZe{ @ Y5w2.&S>Ӌ;V@p@G+bіGVӓz'i u@BwrŃ'/ep?*(A$8IRA˺v YZ