wpa_supplicant-gui-2.10-150500.3.3.1<>,oeܲp9| ƓUg䓍J ?VAσYrV>+`LBY(Q8ȜVZnMP΋YS-۸fO`i(hs)i4&Ю(_GOpƃg |6gRʯ<5wЪ0Ud<۾򊒀PϾ_Zj!5[ S޷'N)1ir6MܺW5F߄}vdHx˃xf@f;kSsyG[Y>>,?d ' J , BNkqx     &0\d( 8(*9*: 0*FDGXH`IhXlYt\]^bc~de flu$v,wTx\ydzCwpa_supplicant-gui2.10150500.3.3.1WPA supplicant graphical front-endThis package contains a graphical front-end to wpa_supplicant, an implementation of the WPA Supplicant component.eܲh04-ch1c SUSE Linux Enterprise 15SUSE LLC BSD-3-Clause AND GPL-2.0-or-laterhttps://www.suse.com/Unspecifiedhttps://w1.fi/wpa_supplicantlinuxx86_64 큤eܲeܲ16323e1ec3db1b4fae0f7e1563694391effc60f4d49663a38d805b3d8f553d22d57783ead2cca37539bf8b5c4a81b8105c2970de177652fe1a027433593467aarootrootrootrootwpa_supplicant-2.10-150500.3.3.1.src.rpmwpa_supplicant-guiwpa_supplicant-gui(x86-64)@@@@@@@@@@@@@@@@@@@@@@    libQt5Core.so.5()(64bit)libQt5Core.so.5(Qt_5)(64bit)libQt5Core.so.5(Qt_5.15)(64bit)libQt5Gui.so.5()(64bit)libQt5Gui.so.5(Qt_5)(64bit)libQt5Widgets.so.5()(64bit)libQt5Widgets.so.5(Qt_5)(64bit)libc.so.6()(64bit)libc.so.6(GLIBC_2.14)(64bit)libc.so.6(GLIBC_2.15)(64bit)libc.so.6(GLIBC_2.17)(64bit)libc.so.6(GLIBC_2.2.5)(64bit)libc.so.6(GLIBC_2.3.4)(64bit)libc.so.6(GLIBC_2.4)(64bit)libgcc_s.so.1()(64bit)libgcc_s.so.1(GCC_3.0)(64bit)libpthread.so.0()(64bit)libpthread.so.0(GLIBC_2.2.5)(64bit)libstdc++.so.6()(64bit)libstdc++.so.6(CXXABI_1.3)(64bit)libstdc++.so.6(CXXABI_1.3.9)(64bit)libstdc++.so.6(GLIBCXX_3.4)(64bit)rpmlib(CompressedFileNames)rpmlib(FileDigests)rpmlib(PayloadFilesHavePrefix)rpmlib(PayloadIsXz)wpa_supplicant3.0.4-14.6.0-14.0-15.2-14.14.3e}@c@b@b@`lM@`?z@`:4@`_|\@_i@_i@^@^@^|@^|@^Y]]>[<@[[ā@[[;@[@[QY@X@X]W@VU@VŲ@V`V=@UKSUCjU8U'@U/@TBV@cfamullaconrad@suse.comcfamullaconrad@suse.comcfamullaconrad@suse.comcfamullaconrad@suse.comcfamullaconrad@suse.comcfamullaconrad@suse.comcfamullaconrad@suse.comcfamullaconrad@suse.comsp1ritCS@protonmail.comcfamullaconrad@suse.comsongchuan.kang@suse.comcfamullaconrad@suse.combwiedemann@suse.comcfamullaconrad@suse.comilya@ilya.pp.uatchvatal@suse.comtchvatal@suse.comilya@ilya.pp.uailya@ilya.pp.uakbabioch@suse.comro@suse.dekbabioch@suse.comkbabioch@suse.comkbabioch@suse.comro@suse.demeissner@suse.comobs@botter.ccdwaas@suse.commeissner@suse.comtchvatal@suse.comlnussel@suse.decrrodriguez@opensuse.orgcrrodriguez@opensuse.orgcrrodriguez@opensuse.orglnussel@suse.demichael@stroeder.comro@suse.dezaitor@opensuse.orgcrrodriguez@opensuse.orgstefan.bruens@rwth-aachen.destefan.bruens@rwth-aachen.destefan.bruens@rwth-aachen.de- Add CVE-2023-52160.patch - Bypassing WiFi Authentication (bsc#1219975) - Change ctrl_interface from /var/run to %_rundir (/run)- update to 2.10.0: jsc#PED-2904 * SAE changes - improved protection against side channel attacks [https://w1.fi/security/2022-1/] - added support for the hash-to-element mechanism (sae_pwe=1 or sae_pwe=2); this is currently disabled by default, but will likely get enabled by default in the future - fixed PMKSA caching with OKC - added support for SAE-PK * EAP-pwd changes - improved protection against side channel attacks [https://w1.fi/security/2022-1/] * fixed P2P provision discovery processing of a specially constructed invalid frame [https://w1.fi/security/2021-1/] * fixed P2P group information processing of a specially constructed invalid frame [https://w1.fi/security/2020-2/] * fixed PMF disconnection protection bypass in AP mode [https://w1.fi/security/2019-7/] * added support for using OpenSSL 3.0 * increased the maximum number of EAP message exchanges (mainly to support cases with very large certificates) * fixed various issues in experimental support for EAP-TEAP peer * added support for DPP release 2 (Wi-Fi Device Provisioning Protocol) * a number of MKA/MACsec fixes and extensions * added support for SAE (WPA3-Personal) AP mode configuration * added P2P support for EDMG (IEEE 802.11ay) channels * fixed EAP-FAST peer with TLS GCM/CCM ciphers * improved throughput estimation and BSS selection * dropped support for libnl 1.1 * added support for nl80211 control port for EAPOL frame TX/RX * fixed OWE key derivation with groups 20 and 21; this breaks backwards compatibility for these groups while the default group 19 remains backwards compatible * added support for Beacon protection * added support for Extended Key ID for pairwise keys * removed WEP support from the default build (CONFIG_WEP=y can be used to enable it, if really needed) * added a build option to remove TKIP support (CONFIG_NO_TKIP=y) * added support for Transition Disable mechanism to allow the AP to automatically disable transition mode to improve security * extended D-Bus interface * added support for PASN * added a file-based backend for external password storage to allow secret information to be moved away from the main configuration file without requiring external tools * added EAP-TLS peer support for TLS 1.3 (disabled by default for now) * added support for SCS, MSCS, DSCP policy * changed driver interface selection to default to automatic fallback to other compiled in options * a large number of other fixes, cleanup, and extensions - drop wpa_supplicant-p2p_iname_size.diff, CVE-2021-30004.patch, CVE-2021-27803.patch, CVE-2021-0326.patch, CVE-2019-16275.patch, CVE-2022-23303_0001.patch, CVE-2022-23303_0002.patch, CVE-2022-23303_0003.patch, CVE-2022-23303_0004.patch: upstream - drop restore-old-dbus-interface.patch, wicked has been switching to the new dbus interface in version 0.6.66 - config: * re-enable CONFIG_WEP * enable QCA vendor extensions to nl80211 * enable support for Automatic Channel Selection * enable OCV, security feature that prevents MITM multi-channel attacks * enable QCA vendor extensions to nl80211 * enable EAP-EKE * Support HT overrides * TLS v1.1 and TLS v1.2 * Fast Session Transfer (FST) * Automatic Channel Selection * Multi Band Operation * Fast Initial Link Setup * Mesh Networking (IEEE 802.11s) - Add dbus-Fix-property-DebugShowKeys-and-DebugTimestamp.patch (bsc#1201219) - Move the dbus-1 system.d file to /usr (bsc#1200342) - Added hardening to systemd service(s) (bsc#1181400). Modified: * wpa_supplicant.service - drop wpa_supplicant-getrandom.patch : glibc has been updated so the getrandom() wrapper is now there - Sync wpa_supplicant.spec with Factory- Enable WPA3-Enterprise (SuiteB-192) support.- Add CVE-2022-23303_0001.patch, CVE-2022-23303_0002.patch, CVE-2022-23303_0003.patch, CVE-2022-23303_0004.patch SAE/EAP-pwd side-channel attack update 2 (CVE-2022-23303, CVE-2022-23304, bsc#1194732, bsc#1194733)- Add CVE-2021-30004.patch -- forging attacks may occur because AlgorithmIdentifier parameters are mishandled in tls/pkcs1.c and tls/x509v3.c (bsc#1184348)- Fix systemd device ready dependencies in wpa_supplicant@.service file. (see: https://forums.opensuse.org/showthread.php/547186-wpa_supplicant-service-fails-on-boot-succeeds-on-restart?p=2982844#post2982844)- Add CVE-2021-27803.patch -- P2P provision discovery processing vulnerability (bsc#1182805)- Add CVE-2021-0326.patch -- P2P group information processing vulnerability (bsc#1181777)- Add wpa_supplicant-p2p_iname_size.diff -- Limit P2P_DEVICE name to appropriate ifname size (https://patchwork.ozlabs.org/project/hostap/patch/20200825062902.124600-1-benjamin@sipsolutions.net/)- Fix spec file for SLE12, use make %{?_smp_mflags} instead of %make_build- Enable SAE support(jsc#SLE-14992).- Add CVE-2019-16275.patch -- AP mode PMF disconnection protection bypass (bsc#1150934)- Add restore-old-dbus-interface.patch to fix wicked wlan (boo#1156920) - Restore fi.epitest.hostap.WPASupplicant.service (bsc#1167331)- With v2.9 fi.epitest.hostap.WPASupplicant.service is obsolete (bsc#1167331)- Change wpa_supplicant.service to ensure wpa_supplicant gets started before network. Fix WLAN config on boot with wicked. (boo#1166933)- Adjust the service to start after network.target wrt bsc#1165266- Update to 2.9 release: * SAE changes - disable use of groups using Brainpool curves - improved protection against side channel attacks [https://w1.fi/security/2019-6/] * EAP-pwd changes - disable use of groups using Brainpool curves - allow the set of groups to be configured (eap_pwd_groups) - improved protection against side channel attacks [https://w1.fi/security/2019-6/] * fixed FT-EAP initial mobility domain association using PMKSA caching (disabled by default for backwards compatibility; can be enabled with ft_eap_pmksa_caching=1) * fixed a regression in OpenSSL 1.1+ engine loading * added validation of RSNE in (Re)Association Response frames * fixed DPP bootstrapping URI parser of channel list * extended EAP-SIM/AKA fast re-authentication to allow use with FILS * extended ca_cert_blob to support PEM format * improved robustness of P2P Action frame scheduling * added support for EAP-SIM/AKA using anonymous@realm identity * fixed Hotspot 2.0 credential selection based on roaming consortium to ignore credentials without a specific EAP method * added experimental support for EAP-TEAP peer (RFC 7170) * added experimental support for EAP-TLS peer with TLS v1.3 * fixed a regression in WMM parameter configuration for a TDLS peer * fixed a regression in operation with drivers that offload 802.1X 4-way handshake * fixed an ECDH operation corner case with OpenSSL * SAE changes - added support for SAE Password Identifier - changed default configuration to enable only groups 19, 20, 21 (i.e., disable groups 25 and 26) and disable all unsuitable groups completely based on REVmd changes - do not regenerate PWE unnecessarily when the AP uses the anti-clogging token mechanisms - fixed some association cases where both SAE and FT-SAE were enabled on both the station and the selected AP - started to prefer FT-SAE over SAE AKM if both are enabled - started to prefer FT-SAE over FT-PSK if both are enabled - fixed FT-SAE when SAE PMKSA caching is used - reject use of unsuitable groups based on new implementation guidance in REVmd (allow only FFC groups with prime >= 3072 bits and ECC groups with prime >= 256) - minimize timing and memory use differences in PWE derivation [https://w1.fi/security/2019-1/] (CVE-2019-9494, bsc#1131868) * EAP-pwd changes - minimize timing and memory use differences in PWE derivation [https://w1.fi/security/2019-2/] (CVE-2019-9495, bsc#1131870) - verify server scalar/element [https://w1.fi/security/2019-4/] (CVE-2019-9497, CVE-2019-9498, CVE-2019-9499, bsc#1131874, bsc#1131872, bsc#1131871, bsc#1131644) - fix message reassembly issue with unexpected fragment [https://w1.fi/security/2019-5/] (CVE-2019-11555, bsc#1133640) - enforce rand,mask generation rules more strictly - fix a memory leak in PWE derivation - disallow ECC groups with a prime under 256 bits (groups 25, 26, and 27) - SAE/EAP-pwd side-channel attack update [https://w1.fi/security/2019-6/] (CVE-2019-13377, bsc#1144443) * fixed CONFIG_IEEE80211R=y (FT) build without CONFIG_FILS=y * Hotspot 2.0 changes - do not indicate release number that is higher than the one AP supports - added support for release number 3 - enable PMF automatically for network profiles created from credentials * fixed OWE network profile saving * fixed DPP network profile saving * added support for RSN operating channel validation (CONFIG_OCV=y and network profile parameter ocv=1) * added Multi-AP backhaul STA support * fixed build with LibreSSL * number of MKA/MACsec fixes and extensions * extended domain_match and domain_suffix_match to allow list of values * fixed dNSName matching in domain_match and domain_suffix_match when using wolfSSL * started to prefer FT-EAP-SHA384 over WPA-EAP-SUITE-B-192 AKM if both are enabled * extended nl80211 Connect and external authentication to support SAE, FT-SAE, FT-EAP-SHA384 * fixed KEK2 derivation for FILS+FT * extended client_cert file to allow loading of a chain of PEM encoded certificates * extended beacon reporting functionality * extended D-Bus interface with number of new properties * fixed a regression in FT-over-DS with mac80211-based drivers * OpenSSL: allow systemwide policies to be overridden * extended driver flags indication for separate 802.1X and PSK 4-way handshake offload capability * added support for random P2P Device/Interface Address use * extended PEAP to derive EMSK to enable use with ERP/FILS * extended WPS to allow SAE configuration to be added automatically for PSK (wps_cred_add_sae=1) * removed support for the old D-Bus interface (CONFIG_CTRL_IFACE_DBUS) * extended domain_match and domain_suffix_match to allow list of values * added a RSN workaround for misbehaving PMF APs that advertise IGTK/BIP KeyID using incorrect byte order * fixed PTK rekeying with FILS and FT * fixed WPA packet number reuse with replayed messages and key reinstallation [https://w1.fi/security/2017-1/] (CVE-2017-13077, CVE-2017-13078, CVE-2017-13079, CVE-2017-13080, CVE-2017-13081, CVE-2017-13082, CVE-2017-13086, CVE-2017-13087, CVE-2017-13088) * fixed unauthenticated EAPOL-Key decryption in wpa_supplicant [https://w1.fi/security/2018-1/] (CVE-2018-14526) * added support for FILS (IEEE 802.11ai) shared key authentication * added support for OWE (Opportunistic Wireless Encryption, RFC 8110; and transition mode defined by WFA) * added support for DPP (Wi-Fi Device Provisioning Protocol) * added support for RSA 3k key case with Suite B 192-bit level * fixed Suite B PMKSA caching not to update PMKID during each 4-way handshake * fixed EAP-pwd pre-processing with PasswordHashHash * added EAP-pwd client support for salted passwords * fixed a regression in TDLS prohibited bit validation * started to use estimated throughput to avoid undesired signal strength based roaming decision * MACsec/MKA: - new macsec_linux driver interface support for the Linux kernel macsec module - number of fixes and extensions * added support for external persistent storage of PMKSA cache (PMKSA_GET/PMKSA_ADD control interface commands; and MESH_PMKSA_GET/MESH_PMKSA_SET for the mesh case) * fixed mesh channel configuration pri/sec switch case * added support for beacon report * large number of other fixes, cleanup, and extensions * added support for randomizing local address for GAS queries (gas_rand_mac_addr parameter) * fixed EAP-SIM/AKA/AKA' ext auth cases within TLS tunnel * added option for using random WPS UUID (auto_uuid=1) * added SHA256-hash support for OCSP certificate matching * fixed EAP-AKA' to add AT_KDF into Synchronization-Failure * fixed a regression in RSN pre-authentication candidate selection * added option to configure allowed group management cipher suites (group_mgmt network profile parameter) * removed all PeerKey functionality * fixed nl80211 AP and mesh mode configuration regression with Linux 4.15 and newer * added ap_isolate configuration option for AP mode * added support for nl80211 to offload 4-way handshake into the driver * added support for using wolfSSL cryptographic library * SAE - added support for configuring SAE password separately of the WPA2 PSK/passphrase - fixed PTK and EAPOL-Key integrity and key-wrap algorithm selection for SAE; note: this is not backwards compatible, i.e., both the AP and station side implementations will need to be update at the same time to maintain interoperability - added support for Password Identifier - fixed FT-SAE PMKID matching * Hotspot 2.0 - added support for fetching of Operator Icon Metadata ANQP-element - added support for Roaming Consortium Selection element - added support for Terms and Conditions - added support for OSEN connection in a shared RSN BSS - added support for fetching Venue URL information * added support for using OpenSSL 1.1.1 * FT - disabled PMKSA caching with FT since it is not fully functional - added support for SHA384 based AKM - added support for BIP ciphers BIP-CMAC-256, BIP-GMAC-128, BIP-GMAC-256 in addition to previously supported BIP-CMAC-128 - fixed additional IE inclusion in Reassociation Request frame when using FT protocol - Drop merged patches: * rebased-v2.6-0001-hostapd-Avoid-key-reinstallation-in-FT-handshake.patch * rebased-v2.6-0002-Prevent-reinstallation-of-an-already-in-use-group-ke.patch * rebased-v2.6-0003-Extend-protection-of-GTK-IGTK-reinstallation-of-WNM-.patch * rebased-v2.6-0004-Prevent-installation-of-an-all-zero-TK.patch * rebased-v2.6-0005-Fix-PTK-rekeying-to-generate-a-new-ANonce.patch * rebased-v2.6-0006-TDLS-Reject-TPK-TK-reconfiguration.patch * rebased-v2.6-0007-WNM-Ignore-WNM-Sleep-Mode-Response-without-pending-r.patch * rebased-v2.6-0008-FT-Do-not-allow-multiple-Reassociation-Response-fram.patch * rebased-v2.6-0009-WPA-Ignore-unauthenticated-encrypted-EAPOL-Key-data.patch * wpa_supplicant-bnc-1099835-fix-private-key-password.patch * wpa_supplicant-bnc-1099835-clear-default_passwd_cb.patch * wpa_supplicant-log-file-permission.patch * wpa_supplicant-log-file-cloexec.patch * wpa_supplicant-git-fa67debf4c6ddbc881a212b175faa6d5d0d90c8c.patch * wpa_supplicant-git-f5b74b966c942feb95a8ddbb7d130540b15b796d.patch - Rebase patches: * wpa_supplicant-getrandom.patch- Refresh spec-file via spec-cleaner and manual optimizations. * Change URL and Source0 to actual project homepage. * Remove macro %{?systemd_requires} and rm (not needed). * Add %autopatch macro. * Add %make_build macro. - Chenged patch wpa_supplicant-flush-debug-output.patch (to -p1). - Changed service-files for start after network (systemd-networkd).- Refresh spec-file: add %license tag.- Renamed patches: - wpa-supplicant-log-file-permission.patch -> wpa_supplicant-log-file-permission.patch - wpa-supplicant-log-file-cloexec.patch -> wpa_supplicant-log-file-cloexec.patch - wpa_supplicant-log-file-permission.patch: Using O_WRONLY flag - Enabled timestamps in log files (bsc#1080798)- compile eapol_test binary to allow testing via radius proxy and server (note: this does not match CONFIG_EAPOL_TEST which sets -Werror and activates an assert call inside the code of wpa_supplicant) (bsc#1111873), (fate#326725) - add patch to fix wrong operator precedence in ieee802_11.c wpa_supplicant-git-fa67debf4c6ddbc881a212b175faa6d5d0d90c8c.patch - add patch to avoid redefinition of __bitwise macro wpa_supplicant-git-f5b74b966c942feb95a8ddbb7d130540b15b796d.patch- Added wpa-supplicant-log-file-permission.patch: Fixes the default file permissions of the debug log file to more sane values, i.e. it is no longer world-readable (bsc#1098854). - Added wpa-supplicant-log-file-cloexec.patch: Open the debug log file with O_CLOEXEC, which will prevent file descriptor leaking to child processes (bsc#1098854).- Added rebased-v2.6-0009-WPA-Ignore-unauthenticated-encrypted-EAPOL-Key-data.patch: Ignore unauthenticated encrypted EAPOL-Key data (CVE-2018-14526, bsc#1104205).- Enabled PWD as EAP method. This allows for password-based authentication, which is easier to setup than most of the other methods, and is used by the Eduroam network (bsc#1109209).- add two patches from upstream to fix reading private key passwords from the configuration file (bsc#1099835) - add patch for git 89971d8b1e328a2f79699c953625d1671fd40384 wpa_supplicant-bnc-1099835-clear-default_passwd_cb.patch - add patch for git f665c93e1d28fbab3d9127a8c3985cc32940824f wpa_supplicant-bnc-1099835-fix-private-key-password.patch- Fix KRACK attacks (bsc#1056061, CVE-2017-13078, CVE-2017-13079, CVE-2017-13080, CVE-2017-13081, CVE-2017-13087, CVE-2017-13088): - rebased-v2.6-0001-hostapd-Avoid-key-reinstallation-in-FT-handshake.patch - rebased-v2.6-0002-Prevent-reinstallation-of-an-already-in-use-group-ke.patch - rebased-v2.6-0003-Extend-protection-of-GTK-IGTK-reinstallation-of-WNM-.patch - rebased-v2.6-0004-Prevent-installation-of-an-all-zero-TK.patch - rebased-v2.6-0005-Fix-PTK-rekeying-to-generate-a-new-ANonce.patch - rebased-v2.6-0006-TDLS-Reject-TPK-TK-reconfiguration.patch - rebased-v2.6-0007-WNM-Ignore-WNM-Sleep-Mode-Response-without-pending-r.patch - rebased-v2.6-0008-FT-Do-not-allow-multiple-Reassociation-Response-fram.patch- fix wpa_supplicant-sigusr1-changes-debuglevel.patch to match eloop_signal_handler type (needed to build eapol_test via config)- Added .service files that accept interfaces as %i arguments so it's possible to call the daemon with: "systemctl start wpa_supplicant@$INTERFACE_NAME.service" (like openvpn for example)- updated to 2.6 / 2016-10-02 * fixed WNM Sleep Mode processing when PMF is not enabled [http://w1.fi/security/2015-6/] (CVE-2015-5310 bsc#952254) * fixed EAP-pwd last fragment validation [http://w1.fi/security/2015-7/] (CVE-2015-5315 bsc#953115) * fixed EAP-pwd unexpected Confirm message processing [http://w1.fi/security/2015-8/] (CVE-2015-5316 bsc#953115) * fixed WPS configuration update vulnerability with malformed passphrase [http://w1.fi/security/2016-1/] (CVE-2016-4476 bsc#978172) * fixed configuration update vulnerability with malformed parameters set over the local control interface [http://w1.fi/security/2016-1/] (CVE-2016-4477 bsc#978175) * fixed TK configuration to the driver in EAPOL-Key 3/4 retry case * extended channel switch support for P2P GO * started to throttle control interface event message bursts to avoid issues with monitor sockets running out of buffer space * mesh mode fixes/improvements - generate proper AID for peer - enable WMM by default - add VHT support - fix PMKID derivation - improve robustness on various exchanges - fix peer link counting in reconnect case - improve mesh joining behavior - allow DTIM period to be configured - allow HT to be disabled (disable_ht=1) - add MESH_PEER_ADD and MESH_PEER_REMOVE commands - add support for PMKSA caching - add minimal support for SAE group negotiation - allow pairwise/group cipher to be configured in the network profile - use ieee80211w profile parameter to enable/disable PMF and derive a separate TX IGTK if PMF is enabled instead of using MGTK incorrectly - fix AEK and MTK derivation - remove GTKdata and IGTKdata from Mesh Peering Confirm/Close - note: these changes are not fully backwards compatible for secure (RSN) mesh network * fixed PMKID derivation with SAE * added support for requesting and fetching arbitrary ANQP-elements without internal support in wpa_supplicant for the specific element (anqp[265]= in "BSS " command output) * P2P - filter control characters in group client device names to be consistent with other P2P peer cases - support VHT 80+80 MHz and 160 MHz - indicate group completion in P2P Client role after data association instead of already after the WPS provisioning step - improve group-join operation to use SSID, if known, to filter BSS entries - added optional ssid= argument to P2P_CONNECT for join case - added P2P_GROUP_MEMBER command to fetch client interface address * P2PS - fix follow-on PD Response behavior - fix PD Response generation for unknown peer - fix persistent group reporting - add channel policy to PD Request - add group SSID to the P2PS-PROV-DONE event - allow "P2P_CONNECT p2ps" to be used without specifying the default PIN * BoringSSL - support for OCSP stapling - support building of h20-osu-client * D-Bus - add ExpectDisconnect() - add global config parameters as properties - add SaveConfig() - add VendorElemAdd(), VendorElemGet(), VendorElemRem() * fixed Suite B 192-bit AKM to use proper PMK length (note: this makes old releases incompatible with the fixed behavior) * improved PMF behavior for cases where the AP and STA has different configuration by not trying to connect in some corner cases where the connection cannot succeed * added option to reopen debug log (e.g., to rotate the file) upon receipt of SIGHUP signal * EAP-pwd: added support for Brainpool Elliptic Curves (with OpenSSL 1.0.2 and newer) * fixed EAPOL reauthentication after FT protocol run * fixed FTIE generation for 4-way handshake after FT protocol run * extended INTERFACE_ADD command to allow certain type (sta/ap) interface to be created * fixed and improved various FST operations * added 80+80 MHz and 160 MHz VHT support for IBSS/mesh * fixed SIGNAL_POLL in IBSS and mesh cases * added an option to abort an ongoing scan (used to speed up connection and can also be done with the new ABORT_SCAN command) * TLS client - do not verify CA certificates when ca_cert is not specified - support validating server certificate hash - support SHA384 and SHA512 hashes - add signature_algorithms extension into ClientHello - support TLS v1.2 signature algorithm with SHA384 and SHA512 - support server certificate probing - allow specific TLS versions to be disabled with phase2 parameter - support extKeyUsage - support PKCS #5 v2.0 PBES2 - support PKCS #5 with PKCS #12 style key decryption - minimal support for PKCS #12 - support OCSP stapling (including ocsp_multi) * OpenSSL - support OpenSSL 1.1 API changes - drop support for OpenSSL 0.9.8 - drop support for OpenSSL 1.0.0 * added support for multiple schedule scan plans (sched_scan_plans) * added support for external server certificate chain validation (tls_ext_cert_check=1 in the network profile phase1 parameter) * made phase2 parser more strict about correct use of auth= and autheap= values * improved GAS offchannel operations with comeback request * added SIGNAL_MONITOR command to request signal strength monitoring events * added command for retrieving HS 2.0 icons with in-memory storage (REQ_HS20_ICON, GET_HS20_ICON, DEL_HS20_ICON commands and RX-HS20-ICON event) * enabled ACS support for AP mode operations with wpa_supplicant * EAP-PEAP: fixed interoperability issue with Windows 2012r2 server ("Invalid Compound_MAC in cryptobinding TLV") * EAP-TTLS: fixed success after fragmented final Phase 2 message * VHT: added interoperability workaround for 80+80 and 160 MHz channels * WNM: workaround for broken AP operating class behavior * added kqueue(2) support for eloop (CONFIG_ELOOP_KQUEUE) * nl80211: - add support for full station state operations - do not add NL80211_ATTR_SMPS_MODE attribute if HT is disabled - add NL80211_ATTR_PREV_BSSID with Connect command - fix IEEE 802.1X/WEP EAP reauthentication and rekeying to use unencrypted EAPOL frames * added initial MBO support; number of extensions to WNM BSS Transition Management * added support for PBSS/PCP and P2P on 60 GHz * Interworking: add credential realm to EAP-TLS identity * fixed EAPOL-Key Request Secure bit to be 1 if PTK is set * HS 2.0: add support for configuring frame filters * added POLL_STA command to check connectivity in AP mode * added initial functionality for location related operations * started to ignore pmf=1/2 parameter for non-RSN networks * added wps_disabled=1 network profile parameter to allow AP mode to be started without enabling WPS * wpa_cli: added action script support for AP-ENABLED and AP-DISABLED events * improved Public Action frame addressing - add gas_address3 configuration parameter to control Address 3 behavior * number of small fixes - wpa_supplicant-dump-certificate-as-PEM-in-debug-mode.diff: dump x509 certificates from remote radius server in debug mode in WPA-EAP.- Remove support for <12.3 as we are unresolvable there anyway - Use qt5 on 13.2 if someone pulls this package in - Convert to pkgconfig dependencies over the devel pkgs - Use the %qmake5 macro to build the qt5 gui- add After=dbus.service to prevent too early shutdown (bnc#963652)- Revert CONFIG_ELOOP_EPOLL=y, it is broken in combination with CONFIG_DBUS=yes.- spec: Compile the GUI against QT5 in 13.2 and later.- Previous update did not include version 2.5 tarball or changed the version number in spec, only the changelog and removed patches. - config: set CONFIG_NO_RANDOM_POOL=y, we have a reliable· random number generator by using /dev/urandom, no need to keep an internal random number pool which draws entropy from /dev/random. - config: prefer using epoll(7) instead of select(2) by setting CONFIG_ELOOP_EPOLL=y - wpa_supplicant-getrandom.patch: Prefer to use the getrandom(2) system call to collect entropy. if it is not present disable buffering when reading /dev/urandom, otherwise each os_get_random() call will request BUFSIZ of entropy instead of the few needed bytes.- add aliases for both provided dbus names to avoid systemd stopping the service when switching runlevels (boo#966535)- removed obsolete security patches: * 0001-P2P-Validate-SSID-element-length-before-copying-it-C.patch * 0001-WPS-Fix-HTTP-chunked-transfer-encoding-parser.patch * 0001-AP-WMM-Fix-integer-underflow-in-WMM-Action-frame-par.patch * 0001-EAP-pwd-peer-Fix-payload-length-validation-for-Commi.patch * wpa_s-D-Bus-Fix-operations-when-P2P-management-interface-is-used.patch * 0002-EAP-pwd-server-Fix-payload-length-validation-for-Com.patch * 0003-EAP-pwd-peer-Fix-Total-Length-parsing-for-fragment-r.patch * 0004-EAP-pwd-server-Fix-Total-Length-parsing-for-fragment.patch * 0005-EAP-pwd-peer-Fix-asymmetric-fragmentation-behavior.patch - Update to upstream release 2.5 * fixed P2P validation of SSID element length before copying it [http://w1.fi/security/2015-1/] (CVE-2015-1863) * fixed WPS UPnP vulnerability with HTTP chunked transfer encoding [http://w1.fi/security/2015-2/] (CVE-2015-4141) * fixed WMM Action frame parser (AP mode) [http://w1.fi/security/2015-3/] (CVE-2015-4142) * fixed EAP-pwd peer missing payload length validation [http://w1.fi/security/2015-4/] (CVE-2015-4143, CVE-2015-4144, CVE-2015-4145, CVE-2015-4146) * fixed validation of WPS and P2P NFC NDEF record payload length [http://w1.fi/security/2015-5/] (CVE-2015-8041) * nl80211: - added VHT configuration for IBSS - fixed vendor command handling to check OUI properly - allow driver-based roaming to change ESS * added AVG_BEACON_RSSI to SIGNAL_POLL output * wpa_cli: added tab completion for number of commands * removed unmaintained and not yet completed SChannel/CryptoAPI support * modified Extended Capabilities element use in Probe Request frames to include all cases if any of the values are non-zero * added support for dynamically creating/removing a virtual interface with interface_add/interface_remove * added support for hashed password (NtHash) in EAP-pwd peer * added support for memory-only PSK/passphrase (mem_only_psk=1 and CTRL-REQ/RSP-PSK_PASSPHRASE) * P2P - optimize scan frequencies list when re-joining a persistent group - fixed number of sequences with nl80211 P2P Device interface - added operating class 125 for P2P use cases (this allows 5 GHz channels 161 and 169 to be used if they are enabled in the current regulatory domain) - number of fixes to P2PS functionality - do not allow 40 MHz co-ex PRI/SEC switch to force MCC - extended support for preferred channel listing * D-Bus: - fixed WPS property of fi.w1.wpa_supplicant1.BSS interface - fixed PresenceRequest to use group interface - added new signals: FindStopped, WPS pbc-overlap, GroupFormationFailure, WPS timeout, InvitationReceived - added new methods: WPS Cancel, P2P Cancel, Reconnect, RemoveClient - added manufacturer info * added EAP-EKE peer support for deriving Session-Id * added wps_priority configuration parameter to set the default priority for all network profiles added by WPS * added support to request a scan with specific SSIDs with the SCAN command (optional "ssid " arguments) * removed support for WEP40/WEP104 as a group cipher with WPA/WPA2 * fixed SAE group selection in an error case * modified SAE routines to be more robust and PWE generation to be stronger against timing attacks * added support for Brainpool Elliptic Curves with SAE * added support for CCMP-256 and GCMP-256 as group ciphers with FT * fixed BSS selection based on estimated throughput * added option to disable TLSv1.0 with OpenSSL (phase1="tls_disable_tlsv1_0=1") * added Fast Session Transfer (FST) module * fixed OpenSSL PKCS#12 extra certificate handling * fixed key derivation for Suite B 192-bit AKM (this breaks compatibility with the earlier version) * added RSN IE to Mesh Peering Open/Confirm frames * number of small fixes- added patch for bnc#930077 CVE-2015-4141 0001-AP-WMM-Fix-integer-underflow-in-WMM-Action-frame-par.patch - added patch for bnc#930078 CVE-2015-4142 0001-WPS-Fix-HTTP-chunked-transfer-encoding-parser.patch - added patches for bnc#930079 CVE-2015-4143 0001-EAP-pwd-peer-Fix-payload-length-validation-for-Commi.patch 0002-EAP-pwd-server-Fix-payload-length-validation-for-Com.patch 0003-EAP-pwd-peer-Fix-Total-Length-parsing-for-fragment-r.patch 0004-EAP-pwd-server-Fix-Total-Length-parsing-for-fragment.patch 0005-EAP-pwd-peer-Fix-asymmetric-fragmentation-behavior.patch- Add wpa_s-D-Bus-Fix-operations-when-P2P-management-interface-is-used.patch Fix Segmentation fault in wpa_supplicant. Patch taken from upstream master git (arch#44740).- 0001-P2P-Validate-SSID-element-length-before-copying-it-C.patch Fix CVE-2015-1863, memcpy overflow. - wpa_supplicant-alloc_size.patch: annotate two wrappers with attribute alloc_size, which may help warning us of bugs such as the above.- Delete wpa_priv and eapol_test man pages, these are disabled in config - Move wpa_gui man page to gui package- Update to 2.4 * allow OpenSSL cipher configuration to be set for internal EAP server (openssl_ciphers parameter) * fixed number of small issues based on hwsim test case failures and static analyzer reports * P2P: - add new=<0/1> flag to P2P-DEVICE-FOUND events - add passive channels in invitation response from P2P Client - enable nl80211 P2P_DEVICE support by default - fix regresssion in disallow_freq preventing search on social channels - fix regressions in P2P SD query processing - try to re-invite with social operating channel if no common channels in invitation - allow cross connection on parent interface (this fixes number of use cases with nl80211) - add support for P2P services (P2PS) - add p2p_go_ctwindow configuration parameter to allow GO CTWindow to be configured * increase postponing of EAPOL-Start by one second with AP/GO that supports WPS 2.0 (this makes it less likely to trigger extra roundtrip of identity frames) * add support for PMKSA caching with SAE * add support for control mesh BSS (IEEE 802.11s) operations * fixed number of issues with D-Bus P2P commands * fixed regression in ap_scan=2 special case for WPS * fixed macsec_validate configuration * add a workaround for incorrectly behaving APs that try to use EAPOL-Key descriptor version 3 when the station supports PMF even if PMF is not enabled on the AP * allow TLS v1.1 and v1.2 to be negotiated by default; previous behavior of disabling these can be configured to work around issues with broken servers with phase1="tls_disable_tlsv1_1=1 tls_disable_tlsv1_2=1" * add support for Suite B (128-bit and 192-bit level) key management and cipher suites * add WMM-AC support (WMM_AC_ADDTS/WMM_AC_DELTS) * improved BSS Transition Management processing * add support for neighbor report * add support for link measurement * fixed expiration of BSS entry with all-zeros BSSID * add optional LAST_ID=x argument to LIST_NETWORK to allow all configured networks to be listed even with huge number of network profiles * add support for EAP Re-Authentication Protocol (ERP) * fixed EAP-IKEv2 fragmentation reassembly * improved PKCS#11 configuration for OpenSSL * set stdout to be line-buffered * add TDLS channel switch configuration * add support for MAC address randomization in scans with nl80211 * enable HT for IBSS if supported by the driver * add BSSID black and white lists (bssid_blacklist, bssid_whitelist) * add support for domain_suffix_match with GnuTLS * add OCSP stapling client support with GnuTLS * include peer certificate in EAP events even without a separate probe operation; old behavior can be restored with cert_in_cb=0 * add peer ceritficate alt subject name to EAP events (CTRL-EVENT-EAP-PEER-ALT) * add domain_match network profile parameter (similar to domain_suffix_match, but full match is required) * enable AP/GO mode HT Tx STBC automatically based on driver support * add ANQP-QUERY-DONE event to provide information on ANQP parsing status * allow passive scanning to be forced with passive_scan=1 * add a workaround for Linux packet socket behavior when interface is in bridge * increase 5 GHz band preference in BSS selection (estimate SNR, if info not available from driver; estimate maximum throughput based on common HT/VHT/specific TX rate support) * add INTERWORKING_ADD_NETWORK ctrl_iface command; this can be used to implement Interworking network selection behavior in upper layers software components * add optional reassoc_same_bss_optim=1 (disabled by default) optimization to avoid unnecessary Authentication frame exchange * extend TDLS frame padding workaround to cover all packets * allow wpa_supplicant to recover nl80211 functionality if the cfg80211 module gets removed and reloaded without restarting wpa_supplicant * allow hostapd DFS implementation to be used in wpa_supplicant AP mode- Update to 2.3 * fixed number of minor issues identified in static analyzer warnings * fixed wfd_dev_info to be more careful and not read beyond the buffer when parsing invalid information for P2P-DEVICE-FOUND * extended P2P and GAS query operations to support drivers that have maximum remain-on-channel time below 1000 ms (500 ms is the current minimum supported value) * added p2p_search_delay parameter to make the default p2p_find delay configurable * improved P2P operating channel selection for various multi-channel concurrency cases * fixed some TDLS failure cases to clean up driver state * fixed dynamic interface addition cases with nl80211 to avoid adding ifindex values to incorrect interface to skip foreign interface events properly * added TDLS workaround for some APs that may add extra data to the end of a short frame * fixed EAP-AKA' message parser with multiple AT_KDF attributes * added configuration option (p2p_passphrase_len) to allow longer passphrases to be generated for P2P groups * fixed IBSS channel configuration in some corner cases * improved HT/VHT/QoS parameter setup for TDLS * modified D-Bus interface for P2P peers/groups * started to use constant time comparison for various password and hash values to reduce possibility of any externally measurable timing differences * extended explicit clearing of freed memory and expired keys to avoid keeping private data in memory longer than necessary * added optional scan_id parameter to the SCAN command to allow manual scan requests for active scans for specific configured SSIDs * fixed CTRL-EVENT-REGDOM-CHANGE event init parameter value * added option to set Hotspot 2.0 Rel 2 update_identifier in network configuration to support external configuration * modified Android PNO functionality to send Probe Request frames only for hidden SSIDs (based on scan_ssid=1) * added generic mechanism for adding vendor elements into frames at runtime (VENDOR_ELEM_ADD, VENDOR_ELEM_GET, VENDOR_ELEM_REMOVE) * added fields to show unrecognized vendor elements in P2P_PEER * removed EAP-TTLS/MSCHAPv2 interoperability workaround so that MS-CHAP2-Success is required to be present regardless of eap_workaround configuration * modified EAP fast session resumption to allow results to be used only with the same network block that generated them * extended freq_list configuration to apply for sched_scan as well as normal scan * modified WPS to merge mixed-WPA/WPA2 credentials from a single session * fixed nl80211/RTM_DELLINK processing when a P2P GO interface is removed from a bridge * fixed number of small P2P issues to make negotiations more robust in corner cases * added experimental support for using temporary, random local MAC address (mac_addr and preassoc_mac_addr parameters); this is disabled by default (i.e., previous behavior of using permanent address is maintained if configuration is not changed) * added D-Bus interface for setting/clearing WFD IEs * fixed TDLS AID configuration for VHT * modified -m configuration file to be used only for the P2P non-netdev management device and do not load this for the default station interface or load the station interface configuration for the P2P management interface * fixed external MAC address changes while wpa_supplicant is running * started to enable HT (if supported by the driver) for IBSS * fixed wpa_cli action script execution to use more robust mechanism (CVE-2014-3686)h04-ch1c 17089624512.10-150500.3.3.12.10-150500.3.3.1wpa_guiwpa_gui.8.gz/usr/sbin//usr/share/man/man8/-fmessage-length=0 -grecord-gcc-switches -O2 -Wall -D_FORTIFY_SOURCE=2 -fstack-protector-strong -funwind-tables -fasynchronous-unwind-tables -fstack-clash-protection -gobs://build.suse.de/SUSE:Maintenance:32791/SUSE_SLE-15-SP5_Update/92c4c1ac4c1b5c1bddbd97dfd31e26c2-wpa_supplicant.SUSE_SLE-15-SP5_Updatedrpmxz5x86_64-suse-linuxELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=009d78ffa518ce75f85e7ce2b8ca6143b89e1df9, for GNU/Linux 3.2.0, strippedtroff or preprocessor input, ASCII text (gzip compressed data, max compression, from Unix)RRRRRRRRRR RR R R R RRRRRRR t\tutf-83ed9c2319b59b25056da5c85ba1c56393fe974499ac1b74fd9285ba9fc6b723c? 7zXZ !t/IOr]"k%{m{#rD~d tGJf͚F`=6鷎-^Fa@c◦7d#c|;pd h\SųLWSm 0?LOpRO扇:Eޢ pK 5`0FzH٤3 Iw.NXBgÚ<;0SQ Nv!*]jPB; r TY$os Tݎ'! z#76 ) ~I7":@YN]b6@6ә=`~w:(;rdYX/GFJ%d@WYr>o:(0t5p]|n @DXպ-63q7`8 (TJ-M4]%Ŗ?no,ʸ2nd&Ӄ)Jiz KFxX.]?mV yud}NmjVGwB2j `W0lCqL <+c>@^{/s<`T?ZZ:kn DT'HoFRzIs-X,&{iMxtύG[ o)Ej0"tVxbύЭ(,MS#jaTH;bHnQڠO}ib2;kk%ƞv]nƑ`w"4lËetb4yz5LF?-bl:LdJ&EH8-(5 ָJƧ3Pd?c@kH 5UzxcE^!©ՠ=U^pһnOT^Ôҽϐ(VAXc7m79x}y|p8t]^'4!Si2l~K6h^+ڮOڲ<0k 5xlu*$,o0IPБ|Qv1uYU`ZcB۔.,xwN'`Lф*A9N0*Y5KY ;s ꭣ`1z5dS*'ie%oBv|i~/7˄?Bō.Nc¯W. oVwfZ<4U9SX乭b2ۂD$1s5;ۑKYW}\z`O1w;q'}Ohqu#D$)Ah93]G@hpNaT6O7KM˯daoBF>ZJ)V5r XBkFLW3r+u+_|RxZF}ҧ$iLI=㑂m; j(S̸3{p%|֊))}X7T̙}=2x2^k][On:O0zYmU/<(ً/_7tRC3}r\e[{Y:}9-sϛZJTnRPDBٛQ§;}sBq['1T.Cl]d 9HHe?VdV$:N}/;i/2D^inDJQ"odoH zg"#Fη6>E^*Eo4FѵEsQEXYԄ}{m-._3ySl %ɪ*1f$ĭYQ!XOŜ;C*G["f5Pt04ׅomLY֟BsIm\^gqem!<8ov={]Bj89i^kd[k6pgÈ|Pd`ut1N~F|8ʼn8ϻX\(ЦRm9h1*  b7JXkOaˈ[D㴒T] /ќCKpxL>{<ςb;]>HJPpa槥F={R:;і5* SUaq. %7 mTNGE3sE+{/hA}hE<U٢7f 2hM Y,8zK䩅]Y@ ũuHW`GOjh۷ 1.P kӽ/]Tݸ0`ĈμIږj}9#*mi~C@k^l]iSh -Vc.(j2/͑<;[ڲ,q@/.1BwSoڞQHځ 23ʖ}h{@m@x,[ANuhhEj*I.~׻8bJU{K: <bIymKGk7`ϰɜ֫hw,._`Oi|T_>TYf\8Nj^"z\R^3dA[̧nOZMƐw>%QE(Lr3Qq 2F?Zjq]ImY-tF&ꢦg)nLRƒ\.fOVJUJ>, '~ŠX(:+VG/46/WiY N&GN-@Sg{9;[ `rH> lAT vci9na&qȒMQdzN>lVlX2-3S mS@F'G# '_͜eDgr [q(hXDV6Pp # lI.^JA)ۂnJ8${!Չ ZMrd.`\gضC0Xb~$њfս ~Z-cn3@$E2ذ'ƃB5ٓ {e۸q]}b/LPM߫kb@IB_aKP 9-*%wHZ8Lc rكŊ.gA7JkǽiB[˅p{ F}S^-nje#:Ɗ.\=9ow/ydT.R8d4|\_q_U@3GK]!$'Jơn DŽ_}sYBS2oxwô`J3s$SYw3W0{54̬ܙXԴl~v9C4WD'mUgfBapbKvA푐Uϡǣѕo-쮎{Q*[iA7%]9FuF"-|st~  Z%Δi&XW\ 5` )K MnU%3[l\i%a,M&gB& s GBOPFz=9oc"ܗ'4ckTPrXwU鵥Ѻh`B3C4z6{:BQQiz 9C<' Drn:J9:&?]Ž.?cXE@SblyՀ\b<~B]p&b{op  D:k[Td [Zcȩf0<_)Cq [Â*/g$Xp%!kGJr'w*}BN~<J$! 'zŒѵ)}ZVrݒ88^*`EajZE٧>P!VYX7Y 兯?2'.SB^b)Ss kQۤF.QKMwe;֗K^WL:&aHLrg3ܧwb2n#kC:F#Ò3 :Hb9k@e =PYl(J"5fz,u%bT[!qQ:bz0=|z{i&B:T$ Wj=m21o7Su9}#'Vk[ @b*mWQ/.X3?Q>o."G|ŠKiH2s- ώwf{@{񒘸$u`#H:Ab% 68Q)i"wGM店y*,snRgZza(} "GJ (Ex֎X|Dq{ئ:_GUgKx3bãB7o;BՍ݁`mGֻ#l5o8= 2yydL&BfǞܥw.Hm.4hƂu9gg{-Ak+ڮk=CǞC?~2ot_(POYC*˸9Ԟu-DŽR?F5>ntcㄏ|taPdSC(tT<;6u$,Ψr<(AXW0lj#o݈9 }ѪTV34o.h& tnPlUT{l7oSOu bFЀOLzMTN!Mcu&Å9I:1:j:bQ@$h K;"+J(—p3sP0]aKyrc}Ees0u {o:D8ήGlefRagJ0ոz}Qh,nFə+TO j{S]";E*>玣webFǩGahaVKUuSyϥ|Kr@Eŷ=JgR"\#U@lܖsJc%Ne4%0DÞ?`gue/%۸PW4x!}d.J~}k\$}3$B1b?pJήus62xjNɝ[$n,k)Φ}ơb~5 ܽ @Q+h{S+I܍Bb.J]ٷ{K#em~,e QRZ/C2z$i[ (k ˗d4'ߤT 0D-Ў+ww>Y4#i ȆtGI>w珦4oj_DӗuUGBU|cS&}F>7fcULn]J]7kdw;` U=zNd2$j9զϊ=PUxvND]r{Tbꤖr`+ *鋳~̀ЮӺ$w1m+ Jm#=]94Z2-ޗTC ΄m)wߟLaxi1 (\f{nwjoհE`ȈU@Ȑ>N-_|_ u%.3s9[wD u|~\Ed'.dQu;ҕ3;~/'OC?Gs벅35HisƧKԉlxSΗc>8:qp9k*v\mH OїCm$ns8js8%5;_ޕ{[/ح Ո")[SA!ѤM2q<ߙC %e_˻᭮A~{t&s5Ԧ6&rRti0{*4c̦:`qǓ(^uvpJwr"2蛏(Xp8,Lx`&;ťLv-a7(g %?O~¼qEUSiy" R@C+&:Y:F} c-B܄XL@VO9h#Lmxwm.[u[4%ޖvX$GBy8 g /JqmOIr zbn2l9K\  "2O $g@|Lꈣ%qofR7ԯ{b"i^Ş1%0i̍Pf1 5t \yw/8Fݹ(8(@RkvUhuUٶk&b9i/-{xk|g5C$`1 k ,XEbDlN/'*lt``_=9Rm~DW}.hN[j+C>I0N41b^[ g`f)cHĮu2-;1E7r"w+*@eg45IdQCLEAXȤ\llWLcr˚@nje3A%MEpJk!wisWKf ԸSHaH[R2?sy e=&WM04y?2>J=I"ZJB6|v"_V"&ӕUȽ~ZB EɀI; @w# ~*$;]#Ekp(O`' d= AF\Z`UCe+3._AKJ]UXT%+x+R9nZo;UGTHe߸ \'vuY`Gdr9^NƤ| Gn_?z&kj1{. qDMnn"F9zk,m&X~G]D3P6F:+l=#zk~ 鉺58+_-O)x¸] 7X>.s :>.yOzD)3ǔ{S~9sY0 P+G"st z?C`˞OCm11e3WSVl#~Q\Už͌`CxZCfKd96$yV&k9(R˨-=9@,i_mklIVKcR Ú)p2vEz54:laHOu3W< qr hc[n~YqA-UB[Jnj>S1J!Qo8ɍ]-+hhItb}F`iYQ.91Kǻ gnR7,kj-H<iJAը&ׂk:tHw(?laxysmܵ](~F>}b4!?&0rm8#QPJ`f;yXeWiLoY$<j ~\kJv1%+#y3l1G6 \䏓2 Jx<;u^4IIhm-sMO! Jo9*+|ia @fPMҖq/ A6ES=^|8'!"[D|H>O 365e^7ѝn2Dn d WSx'\ y횷 q)_ wtURG&/\>=6Q諊t; "]_._a$ny|ʷ]xlfqrEɶt`-6PS37^^m&6d!2eMĈ'TS(uSQW2A#=6G#fNvϪ,Q^"2~EĒ {榵s;gAkex.u0/R&ہQ] c7iCS+^Q&H(R+"*մ=tQ@͓*gqEށ0ϧ.i {܊zg|?GM3QݵH*AEHq8jrJ=nT,Tc"]Pzi:Re{Q;%u:x&%m54.8G s-t;ɯWbK1*:9y9}h.$3"02#5-$t "Eo/6BQZx`q&23H|#E*+* Fn+L0 rk\-ACυK\#Q;Jяc/ІGoت .R3N6+VIHyDR=yđ %#V &>ޯ)^ !c0>G7a}E#3f a~+rxk$3x PvKmr׉D| JUZ jЮlƮB Z~A$pqKj8#%J0xhxP 5> w@j-M@hO+u$ w3Dxi-K nz!{lF0,|i{6o d֎J1Jj'O醒u806oB,zx(/0|r;0(];މ/'tՊC:SrJuA,"cjKGlrj(@2`r*8TԈ{ɝ0wD}B@gRD7Zޣ$xZ^M/IxhPVhލj1x}5%Ji%mfP izLaݿ#e6ߣ6k,F4&:[E*OU>9,[(BKx |_E46B3Yb*JDk=Lx(I=:s[F\k;V?N?yLOB6Q晈OfcskSLfCEx ~iIzia̵0$*$0z=ruswrm$nHTHhipT 27{^3o57: 9]Z+()15EȔ&48GhƶEgGic[EmdV%88 ZRњGԿ@:?#Qg0-ehb&Q:7 I5Gf'!Ih\:O%:Vii०ܵw(xN2sn]0*u?)#jVˡ 77qHCM6SUaFR 3oW*]R2o_]V#Fu0ZrD!bP jo3݈iYx~u[. PQouVϊ.I7r!Bdvț{df~n 7s?A8:`GD]ʲr~tY'_KffN{`-Q!v&Y; Q{0@'h47ӢcKp!: xY[(Ol׌ӓH& CV_Rm[l[_Q|ZmTHvڟ= μ~Gx_mWc\q-Qy1< 3Jq:(=>*IeHxR PvqT (dȜ"T-HME&"CSCN0TmH 4Gb0_3U\VXW<8] }y]̹:n>"vUF{7Gqp)Rؾ/YtNZG,9.UUa,Wߊ63KzXPi1{oaqQg*Ni7X>a|"ƭ7yG\tv/?x*Z$cΊ)yWh*7QZAĹIh0椡h8F jI',]>ęjǸفAL3]`*gyNaVR 9Fɹ2΢5hP+rĞb|q@hI<&})ڵ>c.z:Dؼ0=/sOu*na5[K"s3Qg1}+Ed -f;kw/=bit'/ b^7NogPuV`EǢ鈇FM5Di^xG9 LC&^Ɍ (廌+f76?=ƷUFG 6覮~!MU̗+s.@J}C^܀Sb8c GĦ{Uﰻ`_mbTV+O7;qM.oFEJG5$1oO 'e9w.N^]^=wJdsb(yBGg[ձ'VQBj&t9dfN Mz=ZӾ5Yоfs~pݐAZupj PlTQ#;ZtYOP㰹zhM9k%z9?_+$htVlK z6W[* O#Ac&O~_ֵK~8X˂- EL6 _Xie*lҠ(}A2h̠n#2e~"ԊԀw6! J! R}%#;:V>| E?PD;%8Ʀn]5"(^6IKT҈6sYpK{oDeh!yR8z'#]<ViD}1դF}'mu)Vs@D eɾ"T  ׼gwKtCI`dm ~=jNޥ!,G!?O+;2,а y8Qxy>9fqъ>\6ypjQjc[UzCt9,j[Zx2Xz %YXyL 5;AfgLWˤa՜3h;sj,(*IAN "Xi5zZw DP 'O0h|D:w n-tF l4e;/q6=eVaڴ !ZHxm((6͐4qf ֪Q*$r* ^r!6 鹦$L4,v٘k_)T4[GG wK= aXnsryR;6o Ow Gڸ_W5PZ[+0v. V/ qm3s*Gm2jn/F9.?+`;Z#-`iW"NezSOM C9esQBCȩ=5 <5d:137Y`K[[IzJx6EęF"(f 2JئE Vn:7< 0We`mI#I5t ξ[: $T9$QN`"uª2Y)Ꚉ@^k9\*;c:u O A8р՟Z Nhw~x*]4fIfJ4-Q* M1AEd7ݨX4u7hB$me+g!d&eFa9KàrV0X{}nA9Xz.- ̵x1 ֆ.--ƵGb74+)B f,ð\p|ӥ34P`]Yc1c~`G Rgte$Z}4F(fN2- Z`~ܡ.5ڄ>d zy͊id#ݎ=?|ibݫ]\!.TO{Au|jdP;q1zdK  1g.q*92 .>GCSWfZNd2'rm$x<"'S6S}2iFI39P[ٲ`=zvةފsa'347NWOU΃ W%Ŗ=x41R Ǝs1]^qgY\(UC-Ei(v\0(:}MQQNܮ&],m눐P]?^r/46%RYrxD$ GB^EYԠt2qA!kΦ#H)AQM >}7Ddh4h6T!I#;-dA4M[*QӦm?@el},~qXQ'־e>6,hv,/| 3}>vϼ5 ĝP◶N+4;%z\CR.NDu5ͣUY$25/?"$TF' GA#Tt i bΞ`|rfJa7y!`#'s(KC: vs&p"Ϭ6BbpcNJ&GH2:_,|k]T;E#]m+vM}R[ķ`f->ac~{vϓ_.q={ؽi`UP"CRixS]-Qet㡱XN!" iT1:A.$x9.d]ް3~Ԅ~-89ԩ-Җl>$m-I?!4;l4IdU@ʖS;gWi"}n[iƽOf'9 kC#TSktx w|W@b#~%xů&/#Nt2Y{s~ޒpjk zoz0;8-`=s3uf`D\FJ5DI-\?R,L;}x!(T{儀o<7;4nLuȀUlAzڴ(BX0gbaRz**v&e؞ g37p]K5q0RD Φ'As:>N !us[BծMж_%& "wK/P&}dY{n%ĥH|Oj©2 ή6H1a+6?Us+[`: Fx"Ou g=ϒ}^OR%A:~Z{HCA/|vedI Ktj,~D@k r 8%'a w.=w)7mgU2ԤWZoN]5/>šâf8JP% Y8'wrYtSTu,pS,Ram~o8$~1Mj?-UZ>X틸yp^% o!J:[ne(f2tϛ3aH'U G|rh8 JW1-eKNVCMFF%/.sթZ%%.`PKfYG'G\DZD]H&k.u"4ۙ͵Ml1צK5cL.y|: 4~0:ъ{xG@2NW3+ *akU՛PyW*U+)!fllp` $~",0.f?R@5i-P>*PWNeo+Zx wx(b5\)C)#?ʎC^!p80&(7ۂg-1 :Q2B`1[KKjacӅ%s/fÀ0J s^rNx;ܰdFWm#SD,._naLchI9MY."}RDBuBfOS~q:)%ltxdRQ,m[> gccP]Z*Ks,Xt /GoDz/k ɇn4޵|Pzod,Ty&_~h(z'/̊V]I1O)}dfDxL Jsm jP̭b]) DJC*} `3i]`G>~͙i\dC1]&cc t*#_Q1ˤ㿢$ekyUcvǟθ >~~)t~i+G⛊૽ݜ+LӢjsC^[l]hW}lXkqzJRZY\քa#w A}'8DsZWj(Z2/ʔB76 ۫#CaZ$A[X~]\4"ӽeԉ*T%hTNe:(]UB=! <!ǁ2$ܚ2~oR/H%]eNRIcc3+5yC>Qv}\ޑj .jm-5!;Aц6E{LcJzHF>> /`>t?^Uh;9Vᔴ[G>F3X0L]O"UKΜh'yؽõ)A,.!tqh`hlrkk3#>vyJ) x(FJۈB۝ixH7?YQ OCSM+{GA9M!Aw*'fV`Qqx@jWDjɞr 90w*o \$i@GNk wjWWWq1х%cg=:oq)sκC45ۂ.RH"4 %jkUPxxΗOxz AΐkUr_ϏFmʍF!uPt`[hc)Mf|ޮ\d4cyCTEmw?:ul{ƶs˧ Mgm]ƕR_Dn TwHRRם 4;q8)ZHYu\o -YYz*9j ʖFINdUtNԋʶI%YK zY`CJ4BpR<n=NuE@'2T~h Pno *ݰ U.} !1ҦR2;=a6'$Q |.x޿H#T&>r2ydϻr¢.&zL<륥R8uE' Y&H'wxd/cV_GUdWD7 ]{ɬI/P/"y 43X8Ή٣B*YT{v4eKT=c<0@U1N 2F;Oc`M9ؠ.MHc~Q;(ZA@~1 |X̜CTO᧨6N* AIڜw ' B|+*BᲙ*!/ 3*@aĹiȽDk$S0:2lld6dyiлTyejlٹBXX.@FQKv@6JB+wnZ 3!3vC|zw`R73|I%Ci\[~AS2 yüD ObN,G>U ]*)*LI~p*i! vrMA8$2=<uWzE6\p]tg vo LT_Y B؎p~2+D?Gm^bBҽkR|U>]A}%QFj1K DhkϼPQ/3XE3;2rkrjIX}G-"M^;YIUQ+^w$(h)R"=J{0 WPܭp9#i?.`)r8 ܻάUY|u<گ=8a56LL3\(_zCI{q߮GJ\`dX Pķm2$ ÜϳA9nB]Ԉ*gD8{BtUÉ(SP`(Al VEl?g5Ԧ3?TtrT7 O։Wd)|TQޞk[IEwH1ub i` '`? (pdK<%&.%ZfPSa_0\uutEGX>+QU#([2"SL^Xx04m2h%]#*y|2ԶIw"Mc)1ݖeΝ#ŖR\BznǸ3d S75W_IP!*{[chh 4ϝ-~;0UBsrZ{Wt;Q/ 0i;eK@J-:VjAƇ4U=/zB%Ԡa`EdY׺Qgԡ(A/ڐ}46$B*5PP8^Ys^ӸGTqOp߇I2Pe,MncY=d<<'UMן{"鰕5hO^=2!x^'6Z ɸ cW+zwĖp_BdԤ|de޼W PY4$dlD֖(/ |8~wFnNurR+8U"O1ZۘM{P]՞ئRd|&vl:Ym_tŧk$ZI۠M"mSn~ D( <(>zdRv ݗQ^*|M棿(xj))X,X{Z1'FnO0whء?& [-x ++8 <}Js B{VҸ'6¶M#.`pjFTb6[ո2Ky6DVj>yDjS!=B/ =hyCȻwxBtQA§y`ܞ7S:5 $kC^fE5|첅9TG"o@>1eشCe-4'Th~!5~oSm,M/:)[ Ϲ:#fBN/.̲&m+r^X3BQi,hz.hw```ER{[RkPѻ[sF %mj(/`LԂz5Uw}iNIAce(,,UB+u|1ڋH} YX}X F7 KMP!&m|t 梇!4ʋk\Dp$J䳸o@| ĮmF!\"T(YB&S6#)e ^pV^E]_~p= #;\9h`'l_aٷ =%4QV?&GtR$X DdSn,gi?k׌ҀnHvQlIظAGf:\tDOzRa /N}4Ƃ"e>Xx=Tjʴ]s!)@0#ZqY1fW ȑTtEO%&MZS#Au,r7H]\aK|4/*Nֻ+YΒrˁWjB~9LI{˭(D }hT0l!s;:f<-=f4&&FBTjdg2d1v^zl3hPwoZܫ ѕ# Z((.ƅp6J-FAԥ ΚӪAbM຺eԂieB+4˼Bے1& B¼R5J+KI%ζW75|`v'%M Ϩ[F.-{_b?aϻҜbo~ar\Ca!1uǠRd@'b0Reb<"Un_Q cm+܎&E,&wb}kG-FyD>hgX]B"J,E2ۋF[tDVd~W.-IoK_PQ)mphڍ Z룓wvD9,MAx@Żt/GTvoGq!VϥKG3D?6of go ۙeGJp0 ݵ(dx?9 zxh:59}+㷝ZC_V DX`Щ.0j6RKN E [?k3I{G/ ; fdhÓCEa1iT#,j#Sȯi[k TƟ[Rb Nǽkkxh2YN>0wa߫Uؗ[͇F:o.^ 5a2#HF-cF^XBu9KNH7ՍRK1 fM5Ւ1FNaH7& ,iLg SBG4]G1ɀD.=άE[_0I 6ˉt:,j ! npb%TTzB 5Lؖ[.~G']A77D} MS"5Zw ])hp{TDw/*7{.ghcXcA4 ~f%{]x;ǣ<ca%?25.ǯ|߃ r,|)$$nlYlЋ|;B2kdU]yCPh |Qe]Inn30fuQ"p)O 3nw4S֓*)v\!#`p !ksW=|QmQ?;Awl,g|'*~$ϸ9\Ȧ\ll_h(Epe <ۗS4$b*N*_22@UxLU( ꉄ;JwX|v1e{yAi#JJ[~M?Y|"?} j˪锤A$?;*pt>u$T6zHsX/ʶB ||١7!vJ6E^$Ӯ.5?ߝtK>/jvsw,g3+A}z4D q6=ʯ"㶂/ d`k&ꎶ7I5}jԇs`?\1íFn-c<4>5N1)5P6$z:a)FLVlria¯CFoDb6l?)!OHS-\$]yn nV96]496قhY,Dߋ,!zӻRpERտqK7.nL %t6AY_S_3X6]1M45⫋k7ԛUc:Hw"< G;p4 Jhc;C7IVr4}Oo*ăbfg8vA Kn"4$Sc/REPAqRRw'p('PJVVեP2ͧWpwŻD04qk8l}9<؋*f/&ilx_@Pm!XgH:f㫬:_3Yʫ楒DEn_eyն3RIhn KےK3{Ǚ` ,UjKo`WknԶMb̔9'wV+'"\_`ްuΥk:{[0¥K{-Io_@#A 0ٶMJ"4?6iHv_|Ca 屢G@x,RuKSú[xxOGBPm@]ߘ^* &k9 ; N>\Kb RIbTV*S=->,B9m?vZS$xuGʸ!TBӗ %LDU^_-1P^iB )H@$ٲ F2ZMcPgciF :+DK(XHق֝NQ[#I`3 S G"(7O;s ?:?x-]$0CpKK8:e$,X 6ѥ6$Xq)(;fK{v'v~fMLvaRvCō0pTwo $/>#`XOkwiLBFkC1Lw$hur }g9ז[RfL7Y2m*|,,+.G$##Vpc)ۗNPmqT*/aGU:=uN.!3͖)C H5"Sq=AvKq攀ªa̛R$T*ộ㢼^ַi3upvRͺFd0 C>4PuC豃>g۷?~{ L0z6Ebrw- [mrT4Կ!7;+$۩T3V-mu3==Ro#( Haw{05BtSjѰ70F.ghYxqa%ob`[=]pO2dם 3)W˅ _Õޙ@$9 / Wo]푫:D- 0Ga ɐr*fĠT&=2N\oɕ}\\Qtat"Ndy?mG^K}HKmyZ} p@*vz :)LK2d`Cmw 0ˋHpT$H[7;ET 4SJ U$m_3 [to`v=̢L(MP%[ʏrsC#Vo/5u&X^thB-c_f*bWUS0]UYb .Mt-ԇcMҺ[FGEZJU}@p0֊cl4X#hՌ :|2<N$ST&%Zynx ,t{bڡN7oAf384;ڭ)~5բ-%J}vS&5E |ߧ8Thajil= ht݈UkTQ*O5$5e^֣،I"<_QJ7MLԤHyKǏ-D5T;Xbб8m94뎛diIW\.Z10bD@J] 'i+Iⷠ5Q붸2M%N}Kĥ xbҤ=cSW3 %@')xq BF&`غ_^_M;y~qG}}d6 /ȳ$Eܲ*)U, qe%Jv S5v}hܩѓ\|Q|a}ӱy JisJg)t'ג/{d€Όd &~4~f v 0'|IX`ѡTM"_J2 NYIA;@FWun .-g:HJS$xKcp"}Ǻ\ݸqiA\өrvYˣêV;oj+vܪV>4MiP&X6lvOh'd;;o@Qu57rPRϳRrѨo<9+cz.@-ms>B&9BsȒ:p{=p5kU /hߣ5T:GyoȡNJcvBgd#|=!N;')F>Q溼Ēt|8j7_tǞD;̽B=Xۓt-?`hk{mfh,1#dq nq=^sΆV0eмXgDq=)ys5T<#8]]/L .c}-<x ڨK6^aѶj߃n:KO #!N*U $EroR)Jf+o0#qhƓha tٍ'Ӫ`ެ2bLT$Ο*W%\Q?dvYZ[m&NܲUu1~B{Wgɥa5cW%1ޞw?ѯ,$tmRF M lN166  ŔW,Ul3g6p"Q࠸٣CV1 ==@Gp\Ngj(V/>)ui':¶l);' qC/ H挜E ΉYynNдi4] Q?57Z_1%'YE6w3H%o-5 &u32OOɥtȤQX6!c^6hnd*Y? "{F/ -OTÞ?0 -̼ۗ:jӰTe8U&ȝJ8nqd.% Y9UJgdsR F/4K4) H #ٽ|Цy<ɨ##2y/-19%Z:GJZfH$7Һu^Xlg&~ V(+Ŏ V~Cf +ɱR K$Y uJ@|6, 9UĔ{0PĵUb"2p\f 2ʠh*9TlD=uQ7L:>`ݦs`: :oY!G6V4F>dH!VpE#7~m/47&>kN<ϫ^-v/&3"%_/&:L\yH#ru ]N۰@v:3ͬr?H{aV|(t2@( xh5c1 #si9wmRٷ(ݛ"+tIV;đrMgۙ+\ ?sD[ՃF̔*˩0?8ik_Easd4*r*rX9=TlQ O:7r\Lhj̯^LI!u}0-~CoOU ?XGAڍ!QG@Ζulp-^j{ySfD 1:#pB [B>-KiTj|Ln,aŮ&96IQF'^pw Pd1JMhAJ R2zn$AiK.`:!h6owOiyGbWyzs{?K[-nA?H`NcfVҮú̢VYW_~5:Ol i(1ۃ{9|={ bі~5:kG#sR1&ʂ88mݖ~+? z>v^mZkOX&ؾ|##2;92&KJ#!&0,g!y;43·(Zun'%e13(OY׋яη#5Kl1وED%疿}o/18T,9ǘq}d쳣9| }MNR{,ҒumS;9yÛޕg}|H~s οQUl>I<)HPE!O=$ AR֗X+.O ;js\ fv4 iؘ4[plfW!h8|Jdj_P)ZN9MlfOi3wב:d`/~@}<+F]%z;EkkUTkznaU <ѝ~@t9\jŤ<*pIGD A\Y͢t-bԫ4HkZ[qOIA$kv`SEc!gWR,^|ԩ7],7%u}FBx%QL#cHg~O~* uN&˹C[[,OjiI.4P3J\ŨyjCviv1 V6i65D\ ۼ;\̵0ZErH+6d)7JC^WwK ޲)/aVI㊊RѲқ^*ЋRPxśMV p|UYKj})t0|?p*76dd6Jp8DQ hC*9eipUlf3l|Yl,t1ҋ5Gk$Cڌ.,*sc7*ɴ}B鬃d0V쮲ȺDWގc_e ׼[@I\/R}*uf G5*y:O=QMR.焲%8 Q|*1S1윾qhm$( f<,ie_4'HEƑ/D\[ʤ,)R/% tZo55^%Sy $&¸Iaiu,/8"W]ҋaP*2\iJV6wnw3W_s?B60IQ1@rEmP**F Mڊi,fmi ׽P U?ZN4+æE>F~ Tc`BeX;U=ʦH,fٻtE*Hɳf:f`)@e Ͽ]ǘt݉.@C WIL4׸۶'$z5 bܯcKO^p\m:ѫBTͬҢtAP.8ѡF&p2̖?DJ5"mk(};.U^qgg_RTs'ӢYbǻ&k.ޚ}eWi&ķ]d[#M;ZtQv wM Ȁ3&9:٘)Hj_U/o~؞XۭZ. 9?8ZNbEk{/wP{,5y ^g|̕/No=ftvӼnFq[ ))!9_a^)Enɻ(< Yǰl\ =%Qa]H{UTfؼ$~l(tGN8= Kެ7 t32;}Mb^,S=E.mK69wZ(a2=Mړѐ| 0G72 $ߘZ!sd9js BpI:Z@ %_QzI V.-"+.El'i&{7%r/e 2,="Q _C B4*vo1X/Э IvxDkîܟ-{E]]#o VA0$D,hWmkdxū5ry,ʲu(~h1|2eԹGw\Bh="}}6I jMTlW<\cyQ^>磹["b~KwgE[%.Bn 3Bdm#>#O-6'NG殂\Lk|OCNޮLx+PŎ *R0vEҥD3D@B`rAF:׭4=oq"_FBy_ȣn% ׆n1YT?hoX R@v8œYTnGzJM+>j.ntrpbw/SnV_b_ ؍&-v rPEhQG3F#uTT.bq~YjW; 9~v4hw!XLR4^BPK<3riS 3Ug#3 H(9zAP~Tf\!5jbؚ'_rܑN0F[!87po;!jgd>R ZԸLgCH}h׏輞a]nK/ƴdn`(Tµ?GԜ㪉QqQ٣Z9hujq/iKjlb z[NP:;ƶk49%xFK@Xg~=Q5H sf] aFVFu&`Y-0F3 }< "[=\t=i!"!7G8V {*]:X!λjHG .YJL7#-Tuv:kl9Xeq#-QԦ e;_3Ct fB ێ֯#{6Z ȇ-u .y137۟A%뙿6b:K!O!+XnwH8pk(Y caU1oU:#|Bw e~xfеm(cb7w:?[;P^m$$ʮ 3i>v+D+[GuoRf"k]Xm1$,9Bco5P|@?@LiΊ%|7tHg(MDT%ᗖ£Zuϼ$]9_̟1%C DաXnNBfMVϝ:,$x?k/۶uq&6O7f=a*R3tS3^w'rLn_RP%FOpOŮ9 ޭ2Lc.:*i^!n7Sk8ECܽ|ڏ£˾$JaO$jl>2GA@t X9mY{mHqM4ڈbKϯ7q+:x y5':[)>su(kHk`+TdJu9C>'8JdG~i(UQsvJTyz{|E WQE3N8 bZ2_XԢU40J@|GeZa|!.P873#%c ).I`1MXpy{Dm_ێ m(,KqYM◃\/Cټú˅Xh\Xj˻GPBb**S|٧i 5!/WSe˰6"fֈF'DW 4u\ EJ( eԈwGߵD; (Mt/6z6QM(Mv|4B=^́tHs.4#p"e="H]0uG[a>$Rp&Xl;‡pC.m1;ht)^Y` eam?k2[Ftv!K~uun!4 Igտ'ƉG>8~'ga kJN;#I-)涅;AI} {j;K*Cm#`h/=W4(I{"-m!d2Ù*ܧhsgX5l9W0i '?% zXtUj*F)%S3c,4i}y6|cm(;82QK{3<|^s<=ֹf5j9LNjTse%Eɻs6I@UqWznS t.Dv7rjh܏iK%T3D\P(@0CG`^ts̋aĤQ]=y{ET`h6\+McR/H+G.U|[g4fIFMBۿ)߄e$+nYyJ6n qܬ@hpT>`ZnȜ͓u_8ÉZf@~&&lBDYuLɹ`|A%xA2?VzO;ηO/PBA|0vey4y!jZ]H7HuU뵰pԃPKoK>T]6Fm+1ĸcK: pE!Ch [`My3n>3[bi\ICuJf$5 $o^q_\K~72ѥ΅Qc _6=@)"؟؋84u>Ads%{r:v$=9RN=v m7zv,i!Q[ ٘~h2L>k5I}#͔l 7,:}g|wG bٛ0[zE'HiJ(麫r"Mʊ?zOIzHgKT"U8)emo7b&Qo G(:úFp?1 O\WUG2#E<% h7U`iݗ!R{NPț 2*}v-@ $+Xі$qYw'IZ;/6 (#Yv'"_&ȧF,# 2WB=5 7' ѺQ5zwMz`LfӭQI ( 굝:qt97iקÙS[HWb:gu`hH7?TmR~wQ+8=!t W%|FttR nyn9U+> RĪҸB83āh|K /Q7\eoX5#)iҬ0!rh0-0IJ@Fǘ,5==\O CXkm: ˺m[q>.6FUMCRSneVo `o^23h I#շ \H1jdmCd5RaOOp. zl٠EZ~mP+7.f^g N;gk#!?HIE0&]+pާ3Q-H6%͜ \//@T2Ll蠣/i%TDNNh&fp9y]s 5H |: 8)n2]nC f(Q@&<@\QRp? uioISԓK ݝkE!9z$eHY 7gue0ʒR^yNOݪvKwY;:'1i_'+rє4gQXkR,TaD%D1 Į@YdI6̀\=ϓ @T.S*cB1=/j,GyfmL[0/2)n`l[=C[ ߗ3rH舌zJQ}!pv^*'rMdʫB3cūrGޑˎ@z 7F8+l;QիbP I=O$Z^~ j#'9%eц(L )sei#X(:!gͤˏgPvi/jβL;W OqJό KWi*Ytٶ!{.A8Zў)L͞K.E:ٴS3UyTȓZk3}]N>e߶Yk7b'CXf[˷s{~Lk{4nKG휠 ]ik={Wd)GŚ,ՙHS|c*@b+\5 ԄhH_ީVcSPyx-ħ+v:`o|gиUs#a * :)ʔ?*ą5ďH|)J7!c_7%k=cjv-,"[ffm{a9?h8}ۙ9AQ Y?\Rylto|-{ iiajg hzбX 78Qx * ˓gP5g6o)?3?*ޅKړ 5=)+#ƑZ؞3 qk_bx*|yBI @}_NckIj+[xq=rJꬭÔ:GXz2!+^y≘ƴfʜX)¦9% & EbW9乺)" 3+.)9C'EB׶ac mX7>btD̏׽ݬƢ˖.xL :Jߏ:jf|DdF@[Pp EQ{>KrGT2^~C4=aDNjDV i.&4ȹ1<Ƿaa{o?FB03, ?qJ,%#iuncV}g>#v_;|>ҁVw4`"8C;bxTY:n&a>4WyXQ+&Ҩ ԣd,]WI[>KXQ`)/qeUIT]yKJmU+C̛/.UOI~Mҏm\{_>%x&W9ajn xLp- `76Z1fL_6~y+Ga_ jSؘ ImK @E'&sh jp]e\1@2|_dᡩcfB TPݚŐo=.`H>QcI^Ui2f6wBl `{!}0lrDzADXQ`pmK=]^ i@LtUmG>>Xz*NY`Ct]ә&*z Qz ~pFן9Xȼ6jDlۅȖTŃW!.q 8o qo '6?0R'^U,J7Du${(Z͆H$eI]*$_&:Em^3yczKYoP.,`:WsPFd|XUQ#qY>]T *_/7Vm󻜐}?M)Q.GqVx- ܠsS?Jf ]A30/WL"\5rK?O/.u,:^kBaGKҨ3c;,jݜZb2'd: 0PcCP~\+s >%qޞ.s@'[ Ty?AU4_k ¶nWywu%NE3/yc^ FO Q{п\xGD [0wvf‹#Ǿ$#(A5WDrUZ /]G8ˮ?pXh8w#48Y~Sw$S=xU\-QFRncpD)GZp!zԸرJ$ +jQAI!c__NDGO5|Μqߞ?Ө܃hK{~wKдh(g$*TY9t:#3u|REFN!WLH B;%U@pB.ok;F+vXW" Iyte7G_Zծ̜̻5ӏ^IfoЅQ [D\ YkHPGYSYhkj!Ke6άW:oMTM/\DkϨY)0.S˨{'X^/VsT fFױ &3lW aEC|%( ckPK͝ 1 Q;rD.uZL8F6-xEQDR!+qk.=G|p̷{xNU| dֵG(f4y:j%iLuK!XϨ2*˼%,`DŬT8ܸaIg [6‹WGYRa]wT}][INwQ@<6~s98Bb"cqh^OPnǵ+EQQ`_t運_33 <~D@6)NA>H.19|)!L]ȫrM(?H< htk^Ei&Qv?p`J_$5KW3ePy"{&jIܠd(Š-#{=wcJKBF _=csBU5Et3;!3Zc#!{R6ڹ3C l|a=|yV(uY#2(qf]MCՀd\sGao5yOCbn_Q/y=G`M b]X_t7O!l*ؔ /|)q+L8jK8/ƾtswAQ'|2 Va!A}tAk]2R5!|5ܪ$c0Ɲh#OYIF \݃iQӚ8G[ZNgõH O3` RI\#p-Ď"d&|d jCq4*8Mk谦!C3U1HR \$\s`v nf-F AlP&FϰW1sdzQsĻr0\^!\Ge 0l6kuU|fq;:%#/YT*;y:ͷAo҂-O3C ݻ s凶WBҊdU}W:iB0X\Zq < n?3X8,'CB*YsECc4sbroJi} NVJ8} [ŶfDOڼM;D 4~Ҷ >zưc'#zHth4,C.AC H$‘ 8\w™LVR HVbϮyǷ$ͲfrUPb,f@+j˱*2;Ydx[6MA-#!dbOh՜>}Vɯ# >Tl֔f<6AZ.tf8BacC^kjP6iڢ'bЙ*fZ&OxWVg5yqPHlJS?q47$PMk,X-bpƛ,yk :ǕЄ6i0mձݺ*2%#m J)"}ׅ-)ʽ80a: j@{G2T? TJ)`SKS ~w}).M+\_"J>H={/4ΉYOtd S)/z+e7kq6PAio9gfc hX@arTHpFs׍(q'13['\R;G>]G07K|mT'fBrhDž2AJEV:O7F #XVfI'I " NfXqɓ}-U " W# ΀%«K@ȨxWYףJK ~{*wۍ}m˄3;r! ZjRHM,2 }zfkdpVynmpyxˮ1S|Arq?B8U]u3 ?9zYu``a\9McߗǾI:=b &Yd R5qԣ FQ֡B;AG ]x guͪmߢ$+0xUUaIԸO Y𐐾n-6+AN(Im4DnPcbtopU&;)EWBHJ]DBJ`WՅFp\}g n7Вe YZ