wpa_supplicant-gui-2.10-150500.3.3.1<>,L4eܲp9|v&t;|a wmn :=V< kfvx-J9^Ybz@}h|ԶKKʥRHfi.WDEpPxכ$ g;Te'~fhQIkA<B =g{.h^1Gt%\_|UUDFbƍ(#) mF3#כӁirznJ 48;v@~O/.[J\Qc/Nl>>,?d ' J , BNkqx     &0\d( 8(*9*: 0*FDGXH`IhXlYt\]^bc~de flu$v,wTx\ydzCwpa_supplicant-gui2.10150500.3.3.1WPA supplicant graphical front-endThis package contains a graphical front-end to wpa_supplicant, an implementation of the WPA Supplicant component.eܲh04-ch1c SUSE Linux Enterprise 15SUSE LLC BSD-3-Clause AND GPL-2.0-or-laterhttps://www.suse.com/Unspecifiedhttps://w1.fi/wpa_supplicantlinuxx86_64 큤eܲeܲ16323e1ec3db1b4fae0f7e1563694391effc60f4d49663a38d805b3d8f553d22d57783ead2cca37539bf8b5c4a81b8105c2970de177652fe1a027433593467aarootrootrootrootwpa_supplicant-2.10-150500.3.3.1.src.rpmwpa_supplicant-guiwpa_supplicant-gui(x86-64)@@@@@@@@@@@@@@@@@@@@@@    libQt5Core.so.5()(64bit)libQt5Core.so.5(Qt_5)(64bit)libQt5Core.so.5(Qt_5.15)(64bit)libQt5Gui.so.5()(64bit)libQt5Gui.so.5(Qt_5)(64bit)libQt5Widgets.so.5()(64bit)libQt5Widgets.so.5(Qt_5)(64bit)libc.so.6()(64bit)libc.so.6(GLIBC_2.14)(64bit)libc.so.6(GLIBC_2.15)(64bit)libc.so.6(GLIBC_2.17)(64bit)libc.so.6(GLIBC_2.2.5)(64bit)libc.so.6(GLIBC_2.3.4)(64bit)libc.so.6(GLIBC_2.4)(64bit)libgcc_s.so.1()(64bit)libgcc_s.so.1(GCC_3.0)(64bit)libpthread.so.0()(64bit)libpthread.so.0(GLIBC_2.2.5)(64bit)libstdc++.so.6()(64bit)libstdc++.so.6(CXXABI_1.3)(64bit)libstdc++.so.6(CXXABI_1.3.9)(64bit)libstdc++.so.6(GLIBCXX_3.4)(64bit)rpmlib(CompressedFileNames)rpmlib(FileDigests)rpmlib(PayloadFilesHavePrefix)rpmlib(PayloadIsXz)wpa_supplicant3.0.4-14.6.0-14.0-15.2-14.14.3e}@c@b@b@`lM@`?z@`:4@`_|\@_i@_i@^@^@^|@^|@^Y]]>[<@[[ā@[[;@[@[QY@X@X]W@VU@VŲ@V`V=@UKSUCjU8U'@U/@TBV@cfamullaconrad@suse.comcfamullaconrad@suse.comcfamullaconrad@suse.comcfamullaconrad@suse.comcfamullaconrad@suse.comcfamullaconrad@suse.comcfamullaconrad@suse.comcfamullaconrad@suse.comsp1ritCS@protonmail.comcfamullaconrad@suse.comsongchuan.kang@suse.comcfamullaconrad@suse.combwiedemann@suse.comcfamullaconrad@suse.comilya@ilya.pp.uatchvatal@suse.comtchvatal@suse.comilya@ilya.pp.uailya@ilya.pp.uakbabioch@suse.comro@suse.dekbabioch@suse.comkbabioch@suse.comkbabioch@suse.comro@suse.demeissner@suse.comobs@botter.ccdwaas@suse.commeissner@suse.comtchvatal@suse.comlnussel@suse.decrrodriguez@opensuse.orgcrrodriguez@opensuse.orgcrrodriguez@opensuse.orglnussel@suse.demichael@stroeder.comro@suse.dezaitor@opensuse.orgcrrodriguez@opensuse.orgstefan.bruens@rwth-aachen.destefan.bruens@rwth-aachen.destefan.bruens@rwth-aachen.de- Add CVE-2023-52160.patch - Bypassing WiFi Authentication (bsc#1219975) - Change ctrl_interface from /var/run to %_rundir (/run)- update to 2.10.0: jsc#PED-2904 * SAE changes - improved protection against side channel attacks [https://w1.fi/security/2022-1/] - added support for the hash-to-element mechanism (sae_pwe=1 or sae_pwe=2); this is currently disabled by default, but will likely get enabled by default in the future - fixed PMKSA caching with OKC - added support for SAE-PK * EAP-pwd changes - improved protection against side channel attacks [https://w1.fi/security/2022-1/] * fixed P2P provision discovery processing of a specially constructed invalid frame [https://w1.fi/security/2021-1/] * fixed P2P group information processing of a specially constructed invalid frame [https://w1.fi/security/2020-2/] * fixed PMF disconnection protection bypass in AP mode [https://w1.fi/security/2019-7/] * added support for using OpenSSL 3.0 * increased the maximum number of EAP message exchanges (mainly to support cases with very large certificates) * fixed various issues in experimental support for EAP-TEAP peer * added support for DPP release 2 (Wi-Fi Device Provisioning Protocol) * a number of MKA/MACsec fixes and extensions * added support for SAE (WPA3-Personal) AP mode configuration * added P2P support for EDMG (IEEE 802.11ay) channels * fixed EAP-FAST peer with TLS GCM/CCM ciphers * improved throughput estimation and BSS selection * dropped support for libnl 1.1 * added support for nl80211 control port for EAPOL frame TX/RX * fixed OWE key derivation with groups 20 and 21; this breaks backwards compatibility for these groups while the default group 19 remains backwards compatible * added support for Beacon protection * added support for Extended Key ID for pairwise keys * removed WEP support from the default build (CONFIG_WEP=y can be used to enable it, if really needed) * added a build option to remove TKIP support (CONFIG_NO_TKIP=y) * added support for Transition Disable mechanism to allow the AP to automatically disable transition mode to improve security * extended D-Bus interface * added support for PASN * added a file-based backend for external password storage to allow secret information to be moved away from the main configuration file without requiring external tools * added EAP-TLS peer support for TLS 1.3 (disabled by default for now) * added support for SCS, MSCS, DSCP policy * changed driver interface selection to default to automatic fallback to other compiled in options * a large number of other fixes, cleanup, and extensions - drop wpa_supplicant-p2p_iname_size.diff, CVE-2021-30004.patch, CVE-2021-27803.patch, CVE-2021-0326.patch, CVE-2019-16275.patch, CVE-2022-23303_0001.patch, CVE-2022-23303_0002.patch, CVE-2022-23303_0003.patch, CVE-2022-23303_0004.patch: upstream - drop restore-old-dbus-interface.patch, wicked has been switching to the new dbus interface in version 0.6.66 - config: * re-enable CONFIG_WEP * enable QCA vendor extensions to nl80211 * enable support for Automatic Channel Selection * enable OCV, security feature that prevents MITM multi-channel attacks * enable QCA vendor extensions to nl80211 * enable EAP-EKE * Support HT overrides * TLS v1.1 and TLS v1.2 * Fast Session Transfer (FST) * Automatic Channel Selection * Multi Band Operation * Fast Initial Link Setup * Mesh Networking (IEEE 802.11s) - Add dbus-Fix-property-DebugShowKeys-and-DebugTimestamp.patch (bsc#1201219) - Move the dbus-1 system.d file to /usr (bsc#1200342) - Added hardening to systemd service(s) (bsc#1181400). Modified: * wpa_supplicant.service - drop wpa_supplicant-getrandom.patch : glibc has been updated so the getrandom() wrapper is now there - Sync wpa_supplicant.spec with Factory- Enable WPA3-Enterprise (SuiteB-192) support.- Add CVE-2022-23303_0001.patch, CVE-2022-23303_0002.patch, CVE-2022-23303_0003.patch, CVE-2022-23303_0004.patch SAE/EAP-pwd side-channel attack update 2 (CVE-2022-23303, CVE-2022-23304, bsc#1194732, bsc#1194733)- Add CVE-2021-30004.patch -- forging attacks may occur because AlgorithmIdentifier parameters are mishandled in tls/pkcs1.c and tls/x509v3.c (bsc#1184348)- Fix systemd device ready dependencies in wpa_supplicant@.service file. (see: https://forums.opensuse.org/showthread.php/547186-wpa_supplicant-service-fails-on-boot-succeeds-on-restart?p=2982844#post2982844)- Add CVE-2021-27803.patch -- P2P provision discovery processing vulnerability (bsc#1182805)- Add CVE-2021-0326.patch -- P2P group information processing vulnerability (bsc#1181777)- Add wpa_supplicant-p2p_iname_size.diff -- Limit P2P_DEVICE name to appropriate ifname size (https://patchwork.ozlabs.org/project/hostap/patch/20200825062902.124600-1-benjamin@sipsolutions.net/)- Fix spec file for SLE12, use make %{?_smp_mflags} instead of %make_build- Enable SAE support(jsc#SLE-14992).- Add CVE-2019-16275.patch -- AP mode PMF disconnection protection bypass (bsc#1150934)- Add restore-old-dbus-interface.patch to fix wicked wlan (boo#1156920) - Restore fi.epitest.hostap.WPASupplicant.service (bsc#1167331)- With v2.9 fi.epitest.hostap.WPASupplicant.service is obsolete (bsc#1167331)- Change wpa_supplicant.service to ensure wpa_supplicant gets started before network. Fix WLAN config on boot with wicked. (boo#1166933)- Adjust the service to start after network.target wrt bsc#1165266- Update to 2.9 release: * SAE changes - disable use of groups using Brainpool curves - improved protection against side channel attacks [https://w1.fi/security/2019-6/] * EAP-pwd changes - disable use of groups using Brainpool curves - allow the set of groups to be configured (eap_pwd_groups) - improved protection against side channel attacks [https://w1.fi/security/2019-6/] * fixed FT-EAP initial mobility domain association using PMKSA caching (disabled by default for backwards compatibility; can be enabled with ft_eap_pmksa_caching=1) * fixed a regression in OpenSSL 1.1+ engine loading * added validation of RSNE in (Re)Association Response frames * fixed DPP bootstrapping URI parser of channel list * extended EAP-SIM/AKA fast re-authentication to allow use with FILS * extended ca_cert_blob to support PEM format * improved robustness of P2P Action frame scheduling * added support for EAP-SIM/AKA using anonymous@realm identity * fixed Hotspot 2.0 credential selection based on roaming consortium to ignore credentials without a specific EAP method * added experimental support for EAP-TEAP peer (RFC 7170) * added experimental support for EAP-TLS peer with TLS v1.3 * fixed a regression in WMM parameter configuration for a TDLS peer * fixed a regression in operation with drivers that offload 802.1X 4-way handshake * fixed an ECDH operation corner case with OpenSSL * SAE changes - added support for SAE Password Identifier - changed default configuration to enable only groups 19, 20, 21 (i.e., disable groups 25 and 26) and disable all unsuitable groups completely based on REVmd changes - do not regenerate PWE unnecessarily when the AP uses the anti-clogging token mechanisms - fixed some association cases where both SAE and FT-SAE were enabled on both the station and the selected AP - started to prefer FT-SAE over SAE AKM if both are enabled - started to prefer FT-SAE over FT-PSK if both are enabled - fixed FT-SAE when SAE PMKSA caching is used - reject use of unsuitable groups based on new implementation guidance in REVmd (allow only FFC groups with prime >= 3072 bits and ECC groups with prime >= 256) - minimize timing and memory use differences in PWE derivation [https://w1.fi/security/2019-1/] (CVE-2019-9494, bsc#1131868) * EAP-pwd changes - minimize timing and memory use differences in PWE derivation [https://w1.fi/security/2019-2/] (CVE-2019-9495, bsc#1131870) - verify server scalar/element [https://w1.fi/security/2019-4/] (CVE-2019-9497, CVE-2019-9498, CVE-2019-9499, bsc#1131874, bsc#1131872, bsc#1131871, bsc#1131644) - fix message reassembly issue with unexpected fragment [https://w1.fi/security/2019-5/] (CVE-2019-11555, bsc#1133640) - enforce rand,mask generation rules more strictly - fix a memory leak in PWE derivation - disallow ECC groups with a prime under 256 bits (groups 25, 26, and 27) - SAE/EAP-pwd side-channel attack update [https://w1.fi/security/2019-6/] (CVE-2019-13377, bsc#1144443) * fixed CONFIG_IEEE80211R=y (FT) build without CONFIG_FILS=y * Hotspot 2.0 changes - do not indicate release number that is higher than the one AP supports - added support for release number 3 - enable PMF automatically for network profiles created from credentials * fixed OWE network profile saving * fixed DPP network profile saving * added support for RSN operating channel validation (CONFIG_OCV=y and network profile parameter ocv=1) * added Multi-AP backhaul STA support * fixed build with LibreSSL * number of MKA/MACsec fixes and extensions * extended domain_match and domain_suffix_match to allow list of values * fixed dNSName matching in domain_match and domain_suffix_match when using wolfSSL * started to prefer FT-EAP-SHA384 over WPA-EAP-SUITE-B-192 AKM if both are enabled * extended nl80211 Connect and external authentication to support SAE, FT-SAE, FT-EAP-SHA384 * fixed KEK2 derivation for FILS+FT * extended client_cert file to allow loading of a chain of PEM encoded certificates * extended beacon reporting functionality * extended D-Bus interface with number of new properties * fixed a regression in FT-over-DS with mac80211-based drivers * OpenSSL: allow systemwide policies to be overridden * extended driver flags indication for separate 802.1X and PSK 4-way handshake offload capability * added support for random P2P Device/Interface Address use * extended PEAP to derive EMSK to enable use with ERP/FILS * extended WPS to allow SAE configuration to be added automatically for PSK (wps_cred_add_sae=1) * removed support for the old D-Bus interface (CONFIG_CTRL_IFACE_DBUS) * extended domain_match and domain_suffix_match to allow list of values * added a RSN workaround for misbehaving PMF APs that advertise IGTK/BIP KeyID using incorrect byte order * fixed PTK rekeying with FILS and FT * fixed WPA packet number reuse with replayed messages and key reinstallation [https://w1.fi/security/2017-1/] (CVE-2017-13077, CVE-2017-13078, CVE-2017-13079, CVE-2017-13080, CVE-2017-13081, CVE-2017-13082, CVE-2017-13086, CVE-2017-13087, CVE-2017-13088) * fixed unauthenticated EAPOL-Key decryption in wpa_supplicant [https://w1.fi/security/2018-1/] (CVE-2018-14526) * added support for FILS (IEEE 802.11ai) shared key authentication * added support for OWE (Opportunistic Wireless Encryption, RFC 8110; and transition mode defined by WFA) * added support for DPP (Wi-Fi Device Provisioning Protocol) * added support for RSA 3k key case with Suite B 192-bit level * fixed Suite B PMKSA caching not to update PMKID during each 4-way handshake * fixed EAP-pwd pre-processing with PasswordHashHash * added EAP-pwd client support for salted passwords * fixed a regression in TDLS prohibited bit validation * started to use estimated throughput to avoid undesired signal strength based roaming decision * MACsec/MKA: - new macsec_linux driver interface support for the Linux kernel macsec module - number of fixes and extensions * added support for external persistent storage of PMKSA cache (PMKSA_GET/PMKSA_ADD control interface commands; and MESH_PMKSA_GET/MESH_PMKSA_SET for the mesh case) * fixed mesh channel configuration pri/sec switch case * added support for beacon report * large number of other fixes, cleanup, and extensions * added support for randomizing local address for GAS queries (gas_rand_mac_addr parameter) * fixed EAP-SIM/AKA/AKA' ext auth cases within TLS tunnel * added option for using random WPS UUID (auto_uuid=1) * added SHA256-hash support for OCSP certificate matching * fixed EAP-AKA' to add AT_KDF into Synchronization-Failure * fixed a regression in RSN pre-authentication candidate selection * added option to configure allowed group management cipher suites (group_mgmt network profile parameter) * removed all PeerKey functionality * fixed nl80211 AP and mesh mode configuration regression with Linux 4.15 and newer * added ap_isolate configuration option for AP mode * added support for nl80211 to offload 4-way handshake into the driver * added support for using wolfSSL cryptographic library * SAE - added support for configuring SAE password separately of the WPA2 PSK/passphrase - fixed PTK and EAPOL-Key integrity and key-wrap algorithm selection for SAE; note: this is not backwards compatible, i.e., both the AP and station side implementations will need to be update at the same time to maintain interoperability - added support for Password Identifier - fixed FT-SAE PMKID matching * Hotspot 2.0 - added support for fetching of Operator Icon Metadata ANQP-element - added support for Roaming Consortium Selection element - added support for Terms and Conditions - added support for OSEN connection in a shared RSN BSS - added support for fetching Venue URL information * added support for using OpenSSL 1.1.1 * FT - disabled PMKSA caching with FT since it is not fully functional - added support for SHA384 based AKM - added support for BIP ciphers BIP-CMAC-256, BIP-GMAC-128, BIP-GMAC-256 in addition to previously supported BIP-CMAC-128 - fixed additional IE inclusion in Reassociation Request frame when using FT protocol - Drop merged patches: * rebased-v2.6-0001-hostapd-Avoid-key-reinstallation-in-FT-handshake.patch * rebased-v2.6-0002-Prevent-reinstallation-of-an-already-in-use-group-ke.patch * rebased-v2.6-0003-Extend-protection-of-GTK-IGTK-reinstallation-of-WNM-.patch * rebased-v2.6-0004-Prevent-installation-of-an-all-zero-TK.patch * rebased-v2.6-0005-Fix-PTK-rekeying-to-generate-a-new-ANonce.patch * rebased-v2.6-0006-TDLS-Reject-TPK-TK-reconfiguration.patch * rebased-v2.6-0007-WNM-Ignore-WNM-Sleep-Mode-Response-without-pending-r.patch * rebased-v2.6-0008-FT-Do-not-allow-multiple-Reassociation-Response-fram.patch * rebased-v2.6-0009-WPA-Ignore-unauthenticated-encrypted-EAPOL-Key-data.patch * wpa_supplicant-bnc-1099835-fix-private-key-password.patch * wpa_supplicant-bnc-1099835-clear-default_passwd_cb.patch * wpa_supplicant-log-file-permission.patch * wpa_supplicant-log-file-cloexec.patch * wpa_supplicant-git-fa67debf4c6ddbc881a212b175faa6d5d0d90c8c.patch * wpa_supplicant-git-f5b74b966c942feb95a8ddbb7d130540b15b796d.patch - Rebase patches: * wpa_supplicant-getrandom.patch- Refresh spec-file via spec-cleaner and manual optimizations. * Change URL and Source0 to actual project homepage. * Remove macro %{?systemd_requires} and rm (not needed). * Add %autopatch macro. * Add %make_build macro. - Chenged patch wpa_supplicant-flush-debug-output.patch (to -p1). - Changed service-files for start after network (systemd-networkd).- Refresh spec-file: add %license tag.- Renamed patches: - wpa-supplicant-log-file-permission.patch -> wpa_supplicant-log-file-permission.patch - wpa-supplicant-log-file-cloexec.patch -> wpa_supplicant-log-file-cloexec.patch - wpa_supplicant-log-file-permission.patch: Using O_WRONLY flag - Enabled timestamps in log files (bsc#1080798)- compile eapol_test binary to allow testing via radius proxy and server (note: this does not match CONFIG_EAPOL_TEST which sets -Werror and activates an assert call inside the code of wpa_supplicant) (bsc#1111873), (fate#326725) - add patch to fix wrong operator precedence in ieee802_11.c wpa_supplicant-git-fa67debf4c6ddbc881a212b175faa6d5d0d90c8c.patch - add patch to avoid redefinition of __bitwise macro wpa_supplicant-git-f5b74b966c942feb95a8ddbb7d130540b15b796d.patch- Added wpa-supplicant-log-file-permission.patch: Fixes the default file permissions of the debug log file to more sane values, i.e. it is no longer world-readable (bsc#1098854). - Added wpa-supplicant-log-file-cloexec.patch: Open the debug log file with O_CLOEXEC, which will prevent file descriptor leaking to child processes (bsc#1098854).- Added rebased-v2.6-0009-WPA-Ignore-unauthenticated-encrypted-EAPOL-Key-data.patch: Ignore unauthenticated encrypted EAPOL-Key data (CVE-2018-14526, bsc#1104205).- Enabled PWD as EAP method. This allows for password-based authentication, which is easier to setup than most of the other methods, and is used by the Eduroam network (bsc#1109209).- add two patches from upstream to fix reading private key passwords from the configuration file (bsc#1099835) - add patch for git 89971d8b1e328a2f79699c953625d1671fd40384 wpa_supplicant-bnc-1099835-clear-default_passwd_cb.patch - add patch for git f665c93e1d28fbab3d9127a8c3985cc32940824f wpa_supplicant-bnc-1099835-fix-private-key-password.patch- Fix KRACK attacks (bsc#1056061, CVE-2017-13078, CVE-2017-13079, CVE-2017-13080, CVE-2017-13081, CVE-2017-13087, CVE-2017-13088): - rebased-v2.6-0001-hostapd-Avoid-key-reinstallation-in-FT-handshake.patch - rebased-v2.6-0002-Prevent-reinstallation-of-an-already-in-use-group-ke.patch - rebased-v2.6-0003-Extend-protection-of-GTK-IGTK-reinstallation-of-WNM-.patch - rebased-v2.6-0004-Prevent-installation-of-an-all-zero-TK.patch - rebased-v2.6-0005-Fix-PTK-rekeying-to-generate-a-new-ANonce.patch - rebased-v2.6-0006-TDLS-Reject-TPK-TK-reconfiguration.patch - rebased-v2.6-0007-WNM-Ignore-WNM-Sleep-Mode-Response-without-pending-r.patch - rebased-v2.6-0008-FT-Do-not-allow-multiple-Reassociation-Response-fram.patch- fix wpa_supplicant-sigusr1-changes-debuglevel.patch to match eloop_signal_handler type (needed to build eapol_test via config)- Added .service files that accept interfaces as %i arguments so it's possible to call the daemon with: "systemctl start wpa_supplicant@$INTERFACE_NAME.service" (like openvpn for example)- updated to 2.6 / 2016-10-02 * fixed WNM Sleep Mode processing when PMF is not enabled [http://w1.fi/security/2015-6/] (CVE-2015-5310 bsc#952254) * fixed EAP-pwd last fragment validation [http://w1.fi/security/2015-7/] (CVE-2015-5315 bsc#953115) * fixed EAP-pwd unexpected Confirm message processing [http://w1.fi/security/2015-8/] (CVE-2015-5316 bsc#953115) * fixed WPS configuration update vulnerability with malformed passphrase [http://w1.fi/security/2016-1/] (CVE-2016-4476 bsc#978172) * fixed configuration update vulnerability with malformed parameters set over the local control interface [http://w1.fi/security/2016-1/] (CVE-2016-4477 bsc#978175) * fixed TK configuration to the driver in EAPOL-Key 3/4 retry case * extended channel switch support for P2P GO * started to throttle control interface event message bursts to avoid issues with monitor sockets running out of buffer space * mesh mode fixes/improvements - generate proper AID for peer - enable WMM by default - add VHT support - fix PMKID derivation - improve robustness on various exchanges - fix peer link counting in reconnect case - improve mesh joining behavior - allow DTIM period to be configured - allow HT to be disabled (disable_ht=1) - add MESH_PEER_ADD and MESH_PEER_REMOVE commands - add support for PMKSA caching - add minimal support for SAE group negotiation - allow pairwise/group cipher to be configured in the network profile - use ieee80211w profile parameter to enable/disable PMF and derive a separate TX IGTK if PMF is enabled instead of using MGTK incorrectly - fix AEK and MTK derivation - remove GTKdata and IGTKdata from Mesh Peering Confirm/Close - note: these changes are not fully backwards compatible for secure (RSN) mesh network * fixed PMKID derivation with SAE * added support for requesting and fetching arbitrary ANQP-elements without internal support in wpa_supplicant for the specific element (anqp[265]= in "BSS " command output) * P2P - filter control characters in group client device names to be consistent with other P2P peer cases - support VHT 80+80 MHz and 160 MHz - indicate group completion in P2P Client role after data association instead of already after the WPS provisioning step - improve group-join operation to use SSID, if known, to filter BSS entries - added optional ssid= argument to P2P_CONNECT for join case - added P2P_GROUP_MEMBER command to fetch client interface address * P2PS - fix follow-on PD Response behavior - fix PD Response generation for unknown peer - fix persistent group reporting - add channel policy to PD Request - add group SSID to the P2PS-PROV-DONE event - allow "P2P_CONNECT p2ps" to be used without specifying the default PIN * BoringSSL - support for OCSP stapling - support building of h20-osu-client * D-Bus - add ExpectDisconnect() - add global config parameters as properties - add SaveConfig() - add VendorElemAdd(), VendorElemGet(), VendorElemRem() * fixed Suite B 192-bit AKM to use proper PMK length (note: this makes old releases incompatible with the fixed behavior) * improved PMF behavior for cases where the AP and STA has different configuration by not trying to connect in some corner cases where the connection cannot succeed * added option to reopen debug log (e.g., to rotate the file) upon receipt of SIGHUP signal * EAP-pwd: added support for Brainpool Elliptic Curves (with OpenSSL 1.0.2 and newer) * fixed EAPOL reauthentication after FT protocol run * fixed FTIE generation for 4-way handshake after FT protocol run * extended INTERFACE_ADD command to allow certain type (sta/ap) interface to be created * fixed and improved various FST operations * added 80+80 MHz and 160 MHz VHT support for IBSS/mesh * fixed SIGNAL_POLL in IBSS and mesh cases * added an option to abort an ongoing scan (used to speed up connection and can also be done with the new ABORT_SCAN command) * TLS client - do not verify CA certificates when ca_cert is not specified - support validating server certificate hash - support SHA384 and SHA512 hashes - add signature_algorithms extension into ClientHello - support TLS v1.2 signature algorithm with SHA384 and SHA512 - support server certificate probing - allow specific TLS versions to be disabled with phase2 parameter - support extKeyUsage - support PKCS #5 v2.0 PBES2 - support PKCS #5 with PKCS #12 style key decryption - minimal support for PKCS #12 - support OCSP stapling (including ocsp_multi) * OpenSSL - support OpenSSL 1.1 API changes - drop support for OpenSSL 0.9.8 - drop support for OpenSSL 1.0.0 * added support for multiple schedule scan plans (sched_scan_plans) * added support for external server certificate chain validation (tls_ext_cert_check=1 in the network profile phase1 parameter) * made phase2 parser more strict about correct use of auth= and autheap= values * improved GAS offchannel operations with comeback request * added SIGNAL_MONITOR command to request signal strength monitoring events * added command for retrieving HS 2.0 icons with in-memory storage (REQ_HS20_ICON, GET_HS20_ICON, DEL_HS20_ICON commands and RX-HS20-ICON event) * enabled ACS support for AP mode operations with wpa_supplicant * EAP-PEAP: fixed interoperability issue with Windows 2012r2 server ("Invalid Compound_MAC in cryptobinding TLV") * EAP-TTLS: fixed success after fragmented final Phase 2 message * VHT: added interoperability workaround for 80+80 and 160 MHz channels * WNM: workaround for broken AP operating class behavior * added kqueue(2) support for eloop (CONFIG_ELOOP_KQUEUE) * nl80211: - add support for full station state operations - do not add NL80211_ATTR_SMPS_MODE attribute if HT is disabled - add NL80211_ATTR_PREV_BSSID with Connect command - fix IEEE 802.1X/WEP EAP reauthentication and rekeying to use unencrypted EAPOL frames * added initial MBO support; number of extensions to WNM BSS Transition Management * added support for PBSS/PCP and P2P on 60 GHz * Interworking: add credential realm to EAP-TLS identity * fixed EAPOL-Key Request Secure bit to be 1 if PTK is set * HS 2.0: add support for configuring frame filters * added POLL_STA command to check connectivity in AP mode * added initial functionality for location related operations * started to ignore pmf=1/2 parameter for non-RSN networks * added wps_disabled=1 network profile parameter to allow AP mode to be started without enabling WPS * wpa_cli: added action script support for AP-ENABLED and AP-DISABLED events * improved Public Action frame addressing - add gas_address3 configuration parameter to control Address 3 behavior * number of small fixes - wpa_supplicant-dump-certificate-as-PEM-in-debug-mode.diff: dump x509 certificates from remote radius server in debug mode in WPA-EAP.- Remove support for <12.3 as we are unresolvable there anyway - Use qt5 on 13.2 if someone pulls this package in - Convert to pkgconfig dependencies over the devel pkgs - Use the %qmake5 macro to build the qt5 gui- add After=dbus.service to prevent too early shutdown (bnc#963652)- Revert CONFIG_ELOOP_EPOLL=y, it is broken in combination with CONFIG_DBUS=yes.- spec: Compile the GUI against QT5 in 13.2 and later.- Previous update did not include version 2.5 tarball or changed the version number in spec, only the changelog and removed patches. - config: set CONFIG_NO_RANDOM_POOL=y, we have a reliable· random number generator by using /dev/urandom, no need to keep an internal random number pool which draws entropy from /dev/random. - config: prefer using epoll(7) instead of select(2) by setting CONFIG_ELOOP_EPOLL=y - wpa_supplicant-getrandom.patch: Prefer to use the getrandom(2) system call to collect entropy. if it is not present disable buffering when reading /dev/urandom, otherwise each os_get_random() call will request BUFSIZ of entropy instead of the few needed bytes.- add aliases for both provided dbus names to avoid systemd stopping the service when switching runlevels (boo#966535)- removed obsolete security patches: * 0001-P2P-Validate-SSID-element-length-before-copying-it-C.patch * 0001-WPS-Fix-HTTP-chunked-transfer-encoding-parser.patch * 0001-AP-WMM-Fix-integer-underflow-in-WMM-Action-frame-par.patch * 0001-EAP-pwd-peer-Fix-payload-length-validation-for-Commi.patch * wpa_s-D-Bus-Fix-operations-when-P2P-management-interface-is-used.patch * 0002-EAP-pwd-server-Fix-payload-length-validation-for-Com.patch * 0003-EAP-pwd-peer-Fix-Total-Length-parsing-for-fragment-r.patch * 0004-EAP-pwd-server-Fix-Total-Length-parsing-for-fragment.patch * 0005-EAP-pwd-peer-Fix-asymmetric-fragmentation-behavior.patch - Update to upstream release 2.5 * fixed P2P validation of SSID element length before copying it [http://w1.fi/security/2015-1/] (CVE-2015-1863) * fixed WPS UPnP vulnerability with HTTP chunked transfer encoding [http://w1.fi/security/2015-2/] (CVE-2015-4141) * fixed WMM Action frame parser (AP mode) [http://w1.fi/security/2015-3/] (CVE-2015-4142) * fixed EAP-pwd peer missing payload length validation [http://w1.fi/security/2015-4/] (CVE-2015-4143, CVE-2015-4144, CVE-2015-4145, CVE-2015-4146) * fixed validation of WPS and P2P NFC NDEF record payload length [http://w1.fi/security/2015-5/] (CVE-2015-8041) * nl80211: - added VHT configuration for IBSS - fixed vendor command handling to check OUI properly - allow driver-based roaming to change ESS * added AVG_BEACON_RSSI to SIGNAL_POLL output * wpa_cli: added tab completion for number of commands * removed unmaintained and not yet completed SChannel/CryptoAPI support * modified Extended Capabilities element use in Probe Request frames to include all cases if any of the values are non-zero * added support for dynamically creating/removing a virtual interface with interface_add/interface_remove * added support for hashed password (NtHash) in EAP-pwd peer * added support for memory-only PSK/passphrase (mem_only_psk=1 and CTRL-REQ/RSP-PSK_PASSPHRASE) * P2P - optimize scan frequencies list when re-joining a persistent group - fixed number of sequences with nl80211 P2P Device interface - added operating class 125 for P2P use cases (this allows 5 GHz channels 161 and 169 to be used if they are enabled in the current regulatory domain) - number of fixes to P2PS functionality - do not allow 40 MHz co-ex PRI/SEC switch to force MCC - extended support for preferred channel listing * D-Bus: - fixed WPS property of fi.w1.wpa_supplicant1.BSS interface - fixed PresenceRequest to use group interface - added new signals: FindStopped, WPS pbc-overlap, GroupFormationFailure, WPS timeout, InvitationReceived - added new methods: WPS Cancel, P2P Cancel, Reconnect, RemoveClient - added manufacturer info * added EAP-EKE peer support for deriving Session-Id * added wps_priority configuration parameter to set the default priority for all network profiles added by WPS * added support to request a scan with specific SSIDs with the SCAN command (optional "ssid " arguments) * removed support for WEP40/WEP104 as a group cipher with WPA/WPA2 * fixed SAE group selection in an error case * modified SAE routines to be more robust and PWE generation to be stronger against timing attacks * added support for Brainpool Elliptic Curves with SAE * added support for CCMP-256 and GCMP-256 as group ciphers with FT * fixed BSS selection based on estimated throughput * added option to disable TLSv1.0 with OpenSSL (phase1="tls_disable_tlsv1_0=1") * added Fast Session Transfer (FST) module * fixed OpenSSL PKCS#12 extra certificate handling * fixed key derivation for Suite B 192-bit AKM (this breaks compatibility with the earlier version) * added RSN IE to Mesh Peering Open/Confirm frames * number of small fixes- added patch for bnc#930077 CVE-2015-4141 0001-AP-WMM-Fix-integer-underflow-in-WMM-Action-frame-par.patch - added patch for bnc#930078 CVE-2015-4142 0001-WPS-Fix-HTTP-chunked-transfer-encoding-parser.patch - added patches for bnc#930079 CVE-2015-4143 0001-EAP-pwd-peer-Fix-payload-length-validation-for-Commi.patch 0002-EAP-pwd-server-Fix-payload-length-validation-for-Com.patch 0003-EAP-pwd-peer-Fix-Total-Length-parsing-for-fragment-r.patch 0004-EAP-pwd-server-Fix-Total-Length-parsing-for-fragment.patch 0005-EAP-pwd-peer-Fix-asymmetric-fragmentation-behavior.patch- Add wpa_s-D-Bus-Fix-operations-when-P2P-management-interface-is-used.patch Fix Segmentation fault in wpa_supplicant. Patch taken from upstream master git (arch#44740).- 0001-P2P-Validate-SSID-element-length-before-copying-it-C.patch Fix CVE-2015-1863, memcpy overflow. - wpa_supplicant-alloc_size.patch: annotate two wrappers with attribute alloc_size, which may help warning us of bugs such as the above.- Delete wpa_priv and eapol_test man pages, these are disabled in config - Move wpa_gui man page to gui package- Update to 2.4 * allow OpenSSL cipher configuration to be set for internal EAP server (openssl_ciphers parameter) * fixed number of small issues based on hwsim test case failures and static analyzer reports * P2P: - add new=<0/1> flag to P2P-DEVICE-FOUND events - add passive channels in invitation response from P2P Client - enable nl80211 P2P_DEVICE support by default - fix regresssion in disallow_freq preventing search on social channels - fix regressions in P2P SD query processing - try to re-invite with social operating channel if no common channels in invitation - allow cross connection on parent interface (this fixes number of use cases with nl80211) - add support for P2P services (P2PS) - add p2p_go_ctwindow configuration parameter to allow GO CTWindow to be configured * increase postponing of EAPOL-Start by one second with AP/GO that supports WPS 2.0 (this makes it less likely to trigger extra roundtrip of identity frames) * add support for PMKSA caching with SAE * add support for control mesh BSS (IEEE 802.11s) operations * fixed number of issues with D-Bus P2P commands * fixed regression in ap_scan=2 special case for WPS * fixed macsec_validate configuration * add a workaround for incorrectly behaving APs that try to use EAPOL-Key descriptor version 3 when the station supports PMF even if PMF is not enabled on the AP * allow TLS v1.1 and v1.2 to be negotiated by default; previous behavior of disabling these can be configured to work around issues with broken servers with phase1="tls_disable_tlsv1_1=1 tls_disable_tlsv1_2=1" * add support for Suite B (128-bit and 192-bit level) key management and cipher suites * add WMM-AC support (WMM_AC_ADDTS/WMM_AC_DELTS) * improved BSS Transition Management processing * add support for neighbor report * add support for link measurement * fixed expiration of BSS entry with all-zeros BSSID * add optional LAST_ID=x argument to LIST_NETWORK to allow all configured networks to be listed even with huge number of network profiles * add support for EAP Re-Authentication Protocol (ERP) * fixed EAP-IKEv2 fragmentation reassembly * improved PKCS#11 configuration for OpenSSL * set stdout to be line-buffered * add TDLS channel switch configuration * add support for MAC address randomization in scans with nl80211 * enable HT for IBSS if supported by the driver * add BSSID black and white lists (bssid_blacklist, bssid_whitelist) * add support for domain_suffix_match with GnuTLS * add OCSP stapling client support with GnuTLS * include peer certificate in EAP events even without a separate probe operation; old behavior can be restored with cert_in_cb=0 * add peer ceritficate alt subject name to EAP events (CTRL-EVENT-EAP-PEER-ALT) * add domain_match network profile parameter (similar to domain_suffix_match, but full match is required) * enable AP/GO mode HT Tx STBC automatically based on driver support * add ANQP-QUERY-DONE event to provide information on ANQP parsing status * allow passive scanning to be forced with passive_scan=1 * add a workaround for Linux packet socket behavior when interface is in bridge * increase 5 GHz band preference in BSS selection (estimate SNR, if info not available from driver; estimate maximum throughput based on common HT/VHT/specific TX rate support) * add INTERWORKING_ADD_NETWORK ctrl_iface command; this can be used to implement Interworking network selection behavior in upper layers software components * add optional reassoc_same_bss_optim=1 (disabled by default) optimization to avoid unnecessary Authentication frame exchange * extend TDLS frame padding workaround to cover all packets * allow wpa_supplicant to recover nl80211 functionality if the cfg80211 module gets removed and reloaded without restarting wpa_supplicant * allow hostapd DFS implementation to be used in wpa_supplicant AP mode- Update to 2.3 * fixed number of minor issues identified in static analyzer warnings * fixed wfd_dev_info to be more careful and not read beyond the buffer when parsing invalid information for P2P-DEVICE-FOUND * extended P2P and GAS query operations to support drivers that have maximum remain-on-channel time below 1000 ms (500 ms is the current minimum supported value) * added p2p_search_delay parameter to make the default p2p_find delay configurable * improved P2P operating channel selection for various multi-channel concurrency cases * fixed some TDLS failure cases to clean up driver state * fixed dynamic interface addition cases with nl80211 to avoid adding ifindex values to incorrect interface to skip foreign interface events properly * added TDLS workaround for some APs that may add extra data to the end of a short frame * fixed EAP-AKA' message parser with multiple AT_KDF attributes * added configuration option (p2p_passphrase_len) to allow longer passphrases to be generated for P2P groups * fixed IBSS channel configuration in some corner cases * improved HT/VHT/QoS parameter setup for TDLS * modified D-Bus interface for P2P peers/groups * started to use constant time comparison for various password and hash values to reduce possibility of any externally measurable timing differences * extended explicit clearing of freed memory and expired keys to avoid keeping private data in memory longer than necessary * added optional scan_id parameter to the SCAN command to allow manual scan requests for active scans for specific configured SSIDs * fixed CTRL-EVENT-REGDOM-CHANGE event init parameter value * added option to set Hotspot 2.0 Rel 2 update_identifier in network configuration to support external configuration * modified Android PNO functionality to send Probe Request frames only for hidden SSIDs (based on scan_ssid=1) * added generic mechanism for adding vendor elements into frames at runtime (VENDOR_ELEM_ADD, VENDOR_ELEM_GET, VENDOR_ELEM_REMOVE) * added fields to show unrecognized vendor elements in P2P_PEER * removed EAP-TTLS/MSCHAPv2 interoperability workaround so that MS-CHAP2-Success is required to be present regardless of eap_workaround configuration * modified EAP fast session resumption to allow results to be used only with the same network block that generated them * extended freq_list configuration to apply for sched_scan as well as normal scan * modified WPS to merge mixed-WPA/WPA2 credentials from a single session * fixed nl80211/RTM_DELLINK processing when a P2P GO interface is removed from a bridge * fixed number of small P2P issues to make negotiations more robust in corner cases * added experimental support for using temporary, random local MAC address (mac_addr and preassoc_mac_addr parameters); this is disabled by default (i.e., previous behavior of using permanent address is maintained if configuration is not changed) * added D-Bus interface for setting/clearing WFD IEs * fixed TDLS AID configuration for VHT * modified -m configuration file to be used only for the P2P non-netdev management device and do not load this for the default station interface or load the station interface configuration for the P2P management interface * fixed external MAC address changes while wpa_supplicant is running * started to enable HT (if supported by the driver) for IBSS * fixed wpa_cli action script execution to use more robust mechanism (CVE-2014-3686)h04-ch1c 17089624512.10-150500.3.3.12.10-150500.3.3.1wpa_guiwpa_gui.8.gz/usr/sbin//usr/share/man/man8/-fmessage-length=0 -grecord-gcc-switches -O2 -Wall -D_FORTIFY_SOURCE=2 -fstack-protector-strong -funwind-tables -fasynchronous-unwind-tables -fstack-clash-protection -gobs://build.suse.de/SUSE:Maintenance:32791/SUSE_SLE-15-SP5_Update/92c4c1ac4c1b5c1bddbd97dfd31e26c2-wpa_supplicant.SUSE_SLE-15-SP5_Updatedrpmxz5x86_64-suse-linuxELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=009d78ffa518ce75f85e7ce2b8ca6143b89e1df9, for GNU/Linux 3.2.0, strippedtroff or preprocessor input, ASCII text (gzip compressed data, max compression, from Unix)RRRRRRRRRR RR R R R RRRRRRR t\tutf-83ed9c2319b59b25056da5c85ba1c56393fe974499ac1b74fd9285ba9fc6b723c? 7zXZ !t/ $]"k%}RUJzx+P]8\=)|寐o}XJ&rxDhS>a\i]7QF,wyrC=}ffL|_5^`Ԁ9[̴ "q 7l.LPW-9j8qSuCPdHBHxo_ LoTM&oP"WDJ"q}OO~xءjTf\ac2hB.(Ó%|_aIuVt9EA 3NQNutA AtMF&ou7J̉G#K&8e|f2 v!x>٠8.% 3g|ݗ/^%æ+ ?= ;xoĕ/~tRN aXW' *?hȜs(9!b|QM6B<XVeޫا\s }SK -N+/NXo m ? Kl/QX"ٍt~ JIwk;3( ;FXћYa誊XQ4扢虭q%(uc/3u.keɰCU -^ DiP<%H!8ik^-/W(>U3 6x7r4$!Xl~a ɵrtUN C'7ahhkE'3C|v+IdR,RTasf,Qdg @8'Ͻp'8M>".O)-h|1<&%R5x |bwmU7/+PV+-L7"|UG)[1T?vѹK($r\~\a|gL$]9eCPE25 B—v5iÿAn5f8%t'*P6H;ב¶0~{`if|l9=-/T_)Ksh<>Ͷp츫psJ e[͝oeD^!@<2z DzFqXq(DpY__ w_ ~(|g-)׫fn!UqQ|RMđSu{F钵/ţQ\JoqĠ/DRDn0ˁ+*lJtT g<9~3!CF:ʣx>s:m0 %/gNv\»VfRt/Ƃ = 4,/ֲX~ypj' s銓ªd $%P"Q޿ݲ5ff*K$J@$ZONaJRlޭ9 ם4/x(21bU-}4 7߰LEJ5B3[Wy_*%R,X`e30JXW+{e ~v|0 VP*zS0Εh&*ՖW*qhF@}=fzZQr0)M_W7%V:2 g?׶Ef0?-Q5~wKxJ+d- Qv6XO4 YjS\Wp Me+9vgP\=+j &R5.m~d&IVdżFJY˜gmyl~^=hؒs=`:Km|:10u͙=pYɣv+sXOFJIC&kfjꇋ)3nWwT Z1NQsҗߢ#[kHsG}p,`3̍ԼT3ZϚr!(NX$' 8<:kgL55|*>9. yo:}f#.(2ayV>ۂ("y򖪵 J0"oZQ? d^ ؟WSز?3ci]Q qlo.enfke,|Ux02hʐj3˪PBkìɶ,ikQIqv*̲4 ѥRSX}X23k3sb:nTP %'﯍kJwyȋ@Qfs!e z ލbBjBHA"O@ .C b Јs%ބȁ!d]-m=I8v ܐ[rKj=@rZ"ͦLv7f lچn|%lr[fdK0r4h;LbG O4on1*5]V{.MceVIe_7qr,b8Yޗ@FdlO7vA(  -^"UoؽEh[*r\f \S6[ z.Ly0qm4 '%D֩7"k\ 2:nv;6jq7H%a.i#uF\Hu&m}LM2xW5R ~"YzJ kF|ęO@78Yfb%蠛>H DL93Cdq[ Jply6OH!Fn^uj=|zI*-XP뫪B/"J)*F$׭}yei=Mv8M)1V 8+D9U JwQ'o[|Џ~ Vٜ {QqG~&vbߓB`ګ@ƐBfyNYz0?v FҬ/p =el+aS 3;DMŶWI7 !քc'Drosd;D'4ZL7Ib{bl\$h4}OeJ tu$]HtN*-T;K5>Pfx Bq ' C$.KG nh ^ xQGjg17T8۸#C[S l0cfD)6yʘ"GiΎ d)ng4̹3i,v4eէBK 7|2e+$12P|'#e'cq2=jfϻbY 1# _IlLK"AJ"Ц+chPMQvp 6oS;o=(ϫB{uIMfz!::Cch* ?Dp_{oN%v jM $o݉Ģ,+)y% kQlvIXA\t+(r(D}Hɜ[0Z1 [o;3-7TX':T#Rb ÿ(4M[qY F{pM`{ƘVcۢL\HB[nk%{*F󶌼yWȚ|>È-,5[HD2%f"HKD+ލ쉄JtgJ,*(sh]?j 7AtP܏wcJCcv48)?Eq=O]BaF[/rg0S!90XCq X_lҴQ?ʏbLv"~ I{>uVJpKr] 1S.u2݄V֤(v#=q!~-$7 ;  I} =cdA]Kɚ. B: R쳘_FUTGӝc_ʯG9Uk9Vۄ$F0ڣb< n5XnC F P  ]CSyOs"ඕκ)>YP`jpsfT|'hnvc1 cs=ɷ<FlEaXII -5|[v3| DA'[Lj(yҋ;8FO9d#ݕwAoR{ȮZb5(h%ϹpE -ORй"^V.?r"iɕn5WI͇fO+N.hQ)_Ff>t,xw-~ @t m0ST<0? )4hT;t=a/ JC%οG#km{$!WNbñn$?/4JRLjD[Z"~dS{ī:pOXW=/,lk{@@@RU9DkvnP~vXc30m<ɜ7~j0ה0GbFucZn!9urRmI~dy*S1Եڍ@nDʱcv&$5݈RVZSu3X: `-.t PT_A q> y=[g) ϭ\zS2H+N5y\jqTnPyP[+s@=,m1+H{Ðџo^Qq^gfb%P /KDŏ,Vcwh qN ܛ ek׶N89C& N>4H9QTjUUF#?0veaΒ_ 1᜼ `M=ѾkkJ݅ oYB+Z}xJFv,U}U|/=UuY<6/;g[Z0hRP~jZ">@ݿrFDXA=j3PR9Uav8<pCt&2g9-ĩQA3vQ [DwZAD%| 4N2g 4r6e.>F)m5A[ep`5[.w-CF!T>_%rnK8oc"s$ez R.)qz#2uX*('Á۔,=e뎐 KCLY=+9X232GG8"8:LDT(7UD1 ߹.(hvM6) kƟy}#sЮ'PCJ 8QᜃPMC98t{תXnqB$P[̌vc)rH2ZzL*c`<]lSz%wM꫃CtG(g=L|(ON዆K EѴM;f !"&8Y=@.U0oTg%m8j\8>j"*h=U*q\lTNQ;ʆRRw*o>)6В9ۑ[ L'4, |f[*RBγThs6#~B#g}"Au`GL4[Ik#V2zaF}Kĥq\lHnkڀR-x^d +84RBqGZw^rSg_|TaW5#\ T%gz6_Y0+Ӛ_tW.̞ti^TttdPD ~+ Nȼ}?b\V˅}A]vsW*S'em4 _n<@.d?+yvFtdl{Jsl";*5Đ/%r'k ZQUس雬!W#*TR)`D6EamDU"稛zP^!{y"T#ñCΡ|{2`u$lA`eV":K:[޹O*t*<+/xXV=-UosJJEQjG2oA sQOcWj &C|cHjM?Tt?I=?|>,LB{2mq&~CnU])!P@4ۋ{iI}u9(kU4q<ތ!H[ۉFvN7p)]8/ }goo-e)En^qѶ)r"|ySV0V|:`wdR ARw Ԅ`^ȴ>ǫ9Mj=2Mp815ِp?GnEEeOcbHV )hNZF !TR6.wPhz?lo P6:=blEGz SAʌE>!='`f0 ~^t^u譓@h'5!⍉˨\d<^=7UvWH/:\&tmB:7EK@BO?| =t1煯D80*a,K;!e)x䜠@$f1%spySn$Ybmu2-+_ÇRj1"ff>znsI X-LV$ Χ0 @u㹝5p v@o r3e=3B-rXtb>svZF#N5%.D$8>7Ȋ&eof3Ŵu?P /ʍeBy`0ƸcH9bҙבo|q$v>-椤13)`J*x"6H'x[_ȷ߯3:Q*^evRGr )'zf$ lE1*Qu?FTh.j_~";74+ 9M qDIB (zR,W;f!OԻR@W,ݳц asWw!}70^i AA5H|UI1JCbňzQ;Q)3ß (e"yum4ԕX74Z/Haʤh|WkYx5_W~HyAQ9) -K*RיQ[h*aMYwyJ#Yn̐n?EEZL;vʜ"Ջ[xFy!qEdJri4PaBf'9Hs,8a,ע#{·ľ> Huj&Ijh.+Z:*ٮ&Dk ]PE5׻˕_VY.僗\((啳ZV&y#d`HO6B&˻^<|.Eܴ7f@r] /a=Է8̑h0FodsHl܏=w}*5X`_c\@GXVWǷFe*_ Φh%[LnsӪAiͦ' 4xtWy A cCӶ9G aS&H3'99D\?_ISf'SiI皰Jf 2E-r=g 3Y>@ ~d<%42P&Ρ`oe6꽭/֍} Վhr&PֈNA]p) ͤ#\tSGBW6D{! Tݼ@]C8K]l=infДkoWh f zv/2~|hJ%\.?~ⶰ)@oՔ]?c$l߷އsk49V=U;Cn};=Cu3)uXo Ttz^5!`=KWoa/i_H7qZUf$U!a"Zfݠ]B'L%㗐3XC pg ĐM&d%n<)ElLjlc"JZw7~-9+ui[fp?[p1H V:&Z:aSXG0~$_pihW(s22;…44_#Ug#@û`A9vYLB)&3NkUw}^zrS2__4/>vŞ## Eq跩A ^Z=Fdzz9NK&SDA[:;6ƺ.+@8jq#p 8m1,Rl3 b).8WfuK/zYjqZZj7GsٛL ͤA3r2*Ejp;&z;:Ktk!\RQ, L9 0^o)dĕ/~[D>VazQߐp&7kgf)K/ z?*J !y_/"[KͬA9?S7Da]{>@y׊dDz[fʏODTqYlXT}y4=?v'c`TQxHyNa.(8ʘA :;ń( X}if9`3{[ѺxL*M-FBo^6~IªylU!5 ے GjxX RkuMAUuW>y`3cCĩ4LBڀdtUfNS&~&wa̼/E{~W^X`1t; Gv*6|5$JLZj<҉pvIuA\-01\W(yDO˥kaŒ)&A[yW(5ELxV`?=T]x'(vj%-BE8Zk` ,(^nL~;B>wrK{S9doK$ g%)Q\f1#㪧K`Pu 1!oaThWz0qG5 0㓭YNj!ܐ_xxK޸8dge3F OQ E&׷\g]:]3g WO*6ghǘmɘĢ@Ϭj sz %͸mOH8ş(h "$lƧqeXw? )f2#&#(4:U`WFErS `!+OgUމ Ro*ǁU"L(sK?> >#O<i Y;Hk< Q>0Kͭ?rd5zdsȌ"o,˼}8o'qM4wSru-vHv҆(+Wb_&7l G#c-)5fo@+Vk2#c[W93$n53FXKIj;3/[\Xso V/ {3%;]}Za(73>;B!֨CB 4)VR+#M yȜ̬R^ Ef f,Pa1Ӳi4\.Rb݀%? 6_ jr]_8lJ?_~MzxCsCVp(hέx`F#hi bijtY1ښ!⮯f*Ib?x7\i0kRSdg (20L|0 ?jB "dG֌Ȫv]ێ sgÅ3C_3ȊlNF)ycq(A[ ;!H:ٱ33_)tVAJFr6 4 u=..i_ZӸ]Yu, `\ZuZ'=tB5?{J|@jRpWئ ܵ_;:zte ,gw3ҳ&ѭKi؋p+)1ÇϺ}R&3~G~aMT=K઱)*]r]p7x^].N Vu.+ZLR')'1^ĻzZ6 =;oT~QYJVHN- ~Hh'u~/gd;𱞷_^=p麊r8Iw_/&"]~Z@lX<Ufˮ4L+-g[x(}KU)>QrW=ˏ72#Hfp}u#)[8@!׋Gx<v3c:(=VOցU]6^Xjq4Zw:7xsj:yM+QZp4IWWT Y٫A#Ffյ^smqQ lORtiZᎁwVqc`f*{>ߗβ* q8cOZuqt%8̩մ&\kͭs/e(咬cډփ *srQ4%;Bb-v?E|Hv8£PatI$1+HmA.sEݢ!9RWsm6`(z[n\aGa\# -XW"F=)B*1scHe!EEY^]AnŲ>N_v_)sѬ̗DrZnp3w5T_(qL (/R֯]wn!m'0)T M^׭%&hJiKCi}P\Y>˯xKr&ϙQNm560!^Miغ}t`ux/ElK.n}-~SJTʓ1$\_>_D!ʒ:ղ=v[[_ރDA (g(ٌ2x23 ?cvK&SUqׂd , O|yJ[y`i5#meNZE;R5GK~q;t ֎!H)H jȰ8iuvEfs 5VX\:Ca3$+KZ9pHK\ I~\3<= pzvJv~L 1F J="b:kzBk/nW=㻷v8°|2:; S\&`ʎ!7F}*Nan1C'qQ@-W)3M]plc\S i4Ƴ~#Q@*@]o#  ,F XҞsYEtFĿA +ץbJO8VČa>&=*Ou!kY揟>7<(R7HTާ_7}r}U3F hŁ&1=lesino1`;m=i9:`LoxcSZ1i7?>I} &Y?W a,ZvOT(2 C8^A蠽k,/~e`zun;6'%y>, ?dpp7ݻ ٠cՐz{uwTİEa@_n?j 3`s؞Q#e3,n\z_@r$1Q.eҡZ 2 !ꦞj`faekO*(8?`Nr1X6\LG|<ޭ:@=ٓ0g2{]پ+t~t;!whD;Cڗ ^W9_+QàVi0ҩTî;i":)j{-k҆ B (_pG?X9@gjB;wew;U3[b'$l"Bķ}AzJ4۵9W7J‡ӳMK*d4 -Bp>P9)gO Kae6ڵ㊈\^kPҚm\#}/,WVH/ml4 }Oz)u7쬽\*xB (7]WA4&?r%wO6+vQWYW<'l:xűYu_.oG[VDC3YdO1+tvY׷91zUyQ5>kd q"09_ɸ_[P!,r/; ,"_;cGrUmẓ{2q/Jb Ô2&n,ß^O?Y}RT~-Lu͕f:RuI^J~ȫTkɬrvz~:0S+C"1(kXPSI,6V2)Dj䫒=r oCLǝuw@Tڊ46KmQQA0œًU<0`˔u˅l|%kB(dؒҟj_'q1T@ Mpjo3 AD<Ȱ8C1"7@UhxSyN/ ޣ{ŧ 5xj$,*DkJ43!>x L 5FA{{~aIL<~?ޯ%`C:<8̞j|Zv>*/;k,}!KuML( pNLì:b<"}\$4*/BXL`"I!;o]{9Ec5k.:>՘W gtePG\HGm;r,WɳP''\t<}%٢4X6$ 7pDuYA g %Ϛ>#l (='Ӗ?+s+VLNC6b,"~ `Mk6pob9l(N7Gp 4՛IՐ܎`Ɛ$a*T̤CPrP(^[pLO; /CH [8HCv#Cv?}3ho } خUFQ#1I na+ &/I(ɕ8 xP 1AȆ?KDܼPA1+pA,DxTӰ?F;=, ޙ(7V&K@j ׀~(N{ I~tǹW|l Op}SM}lVG9i7 d?/ +>6i T[8^ nj,< ɩqH%n4]ӹs.]ڰ"piv@<_% &KF&pY UUg^3r2aI 0CM`}Vfz`ugCn(Q-qT3ϝ }繦Pʺ]hI<ܤKMdߒʖMzm;Cxq<VSdPZY8S.ԟ0_9$[.`?P>;/pD7ѥ+A,Jfןߡ1W"`У)'O83aa|:<4G8oU 14ѪoCn}6~m ˆ24! DQj/H`BG i} 1v|,3lp/?#ih.[d2x*9uj %O5}n&C@Ig*[{t5cOi  kG\B`wg ^єa@%[.jf\ 8`0ܝ-LkU+2qbyrO,vMHKΠ=_@fLVUI@vlib7t \!+Kp>}A:9#gV0>G2/S+] \XɗEK"T)"u$&iݤ`ݬ ]e^6|usP47AƖu!ѯd7kj7 %m pͼC*yqfOyJSaϾJT? .|[҆Y[弹 {]TW(NmAPu.\TpQVh/3Ih/"YK0yz;$2̾X`ݎ?Cb[ɣ,kAj ,[(KjcfTMs,H4fpD{M h(m$\iȢ^&S6O 20y{.l #C?kf7.أ J]6- ⳯9zJpoEPN?/V 'T.!+{ld?1POWxn$=%c}\;C=-s?)t J=cGPHѓ,rIVJ|>} \]_UUhtM-̣V9Y[ܦ3G'k|VN䊈+-Ȣ߹jΌzQ/Ywg.I\kېʕNң+Xm8fıjR*g |Z!,_qهx}.9KyQ#,&Y۰Vv#e-u~e_.]ga 5!52MZ- 0bN q"I~Ӂ)a;&dž&1?鑕róܛQ3KS_N.guvWdd2ltQggKq vrb@s-L!厠hQa /]!qQeV;ɅkEjTc0W3M@Dd5IZ~g΍M &}Cm/U@:AyVp%4ؚsq(o! q%I-L~DI fJpoa>+gHm`ZeqsDMcG#ÂD#:vk d^t[+mKcn=Ԑr/o|bѠ9P揮:kgF0P> MZ&7G>jzPՄBi`׊bZΕ۴pkez&YNnu5+SWTѪ'0Xy'ȇPf8*u?h &y2'Kj?dGoRG G(y~a{Y82d%S.Ѿ[ԒkŻ7TmU >想oL=gF6G>ccDA` neHWx^O+a(Et5:'~AAX29~gekVWL?_m_@(1wԊ 8\a8Bp FdS!UZ2xrs/-{~ (hmg>`=/1qcvu}vxW]8^Y8)hԬty}'DW]t7N(Q!&,IV$SE!ԚDy0Dd"ɐ dy;ʔFޢwW UmrS"S;0x2*Pp h +23K9k'.jݥ|t[bGK49ua0K%LMނѻ[1yzw>/e`FZ2I ¾}-+My8|]ph[mhB8m-9YHh6_O T"O!]%ˈE9)Y \D u f(`J{If9hkTX>'mw抃NzMa{[$㈰auސ<>I,o5ws6݌9.UP = b"LMNҩߩ2_jOWٴUdr]jŌ^_g+ޮ(T {X~V6eD~S-sm s\gi7\ _`ő3S)a\Ybn טɩϳ:n <#hkVD+\d.&+TPȂWm2c6l~>zeZU&1iTr.#"{w4fΜ50IIaIx/P`Z;T.siUUÆॆ<׺KxMp} {3"yl) +zpSx #9OfTvZ;g2v(1q]luZlZ)N$MWdSRQJ>D>lbD2r(ɣ\`%y[d81e|M#H+=S'#IҬn&Ą~Kb8:H]͎H>v$w)(z] ,\Q"?q./g䧼|>51\n:,}4Pe| )>Ab BDbqfGcwBR"bw>f 7~J΁+ϦbHV௢w̠VI{,e˪ x3(@L%θ1$ FRD9Ӑt2Q:(-CS;c7`a.e /+dlL>#G,7aI}J`m#w8yn>x]d "\^)tXk^([j@cf\\E5[eJ@^dMsfA{OG=<2TroL ҙS<1OE a8iKSh wȣARstuore.#_]ZQ}д_W\J!: sȈD㯒LwE.uM9sD/XH&n,4΅톌X5X{j?P%iA6g+}b=grQOoBᔾ S=mD0QN^oci_$Vg2(] R]Bzb-$*6 t f{V~p!}U9̊&bR !黣3.+"]OP ܐ6Bïl>5 b3}ƛnj5" ]C񥑖+ٛjث;W2Jjr,87u jjIEEoTNZ3&ʯ!)Bz;2{-䀁,?y`uIiGp@nX⣹]Fi⓮Y-߳ Mu$nTl~ 64G<,dlfC!z'oYz+2 +#'HU[s1EܜN,K}<17K Cy9ϯ.9aҋCq(>'(;v99tt548zFŠ{H2Yc~?# 6[=O`ܻwoU2EL@Ns4`pZ[{b$lJUxowy!t5@ְ슽/W|+QGgȚ 4~2̰h%ΰ- qbP{b01@5*Vԅ6*񤨟DD8Z,{'89@ I &9ZIqĽ,DW.vS dr{W$o#2ꃳP0yECcojBmٛXKD̛lLAe.P"|Rzv,[E`*q8N wAAmC?m3/Z黻(xz+sKER8ǚʼi7ޮ P:5oxD#q^3pe[g9)3PE>HO͡ 8,2LHFRI#] 5 LƢ֪H \J,fp5 17KtN;Rhe|0!C>軏#i,̧=Uwsl uwFP)"0uجg0ȝ;CW=8!&XdײJcӟ?mo]IWh>s)P$1ˉh['c*;]2=$+1r.nfG9bΊ^ '^zɪJo\DП63=9ۣ9"&l#rcه:s!AgdQUcLFCʪEv(^hZPl[-B#Yw/z?@{vl)+] Hkړ"C#1J+A[ѹn쒺a0i=?z](kՔW^x,"5C\j3^gA^D"3pRu )LTEv1Ŝa"5'o3+:7AqMw=1FN[\p9Zi*P8_I_i xUO(v ,bӘ&p߃<%ּ'1ecju_LIX`,PAIʂP40V” j1Xb8#њ,iF6R"b^FJ?b`KOFC#=zR9C~b P@8r9^YjeD9#C{h+~qz3oaJ8XT*нvyȍ$1n7#KqrN?sS(-0Dum?+\l'NX%h Z=1Wp8 )a<6z'8Ĺ(ޅM*K8B'-X:5j^n++tQDV'+Sݒ%4~](?V, L(EaESܙvSwس o=*HlV^PHL@vb\fO&[K}RAc°^4F_!8#u<2סUKb~]*a =8n|>T;>Qu}}宠~%+Ք nV? ċㅛIVNNG{S4jBCQ(T> zSfۯq MvzQĖr$[b926'{Wb㓗{*mA*<Ę{Zl dQ%ᖎ+;ik 5h^KCK.\;VO80~|pӧDHxssR0s`ۻuWb}μ+=SZTj#^8RBUɈeP>zH!&aY\X]“{~XEd1~M3E)vE;Aqoզ7O!c?A5Ł_*CuzFQM *zy6Ewpy!uQF{\1 Z{?e9K/>tZIW2Ɣ\ H ڙi2͝UvlxE' Z6{x8s?kO߄yy[FS8ޠus[= \MAA$ @70 hE߶U=9(񖈁%ؒ&n"wd*H2[o\؂aQm?ɬ:+)GR vёQ+\ Y 4` ZçˢV۬i Zv{*\@P7&X(C 'HNX +;#T&>.*K-Jrf&3܃ s³KXB`o7I6lL I+{.{4F/ Bʅ%xw!VvưZmf?\&G6'urPQ~.\o-Q16sX$ ?W"|^#3)rñbЁiQeZ/IC#TY+_Rihʨp _ŀqe,c6NZRi3߁a5SZ0ͺnpS *WQNƚ]w.t';-ıA=YB9~GЪ"0_xǁv>(}u^ ;?Xa1;d#CUӢ"oӄ6C9vq>S׬qBVPnBF;%g"յxIo7/s-3:'@?1MEMom@kd!`\u컘] N)E(fp9A'QE -%Xmhω~ $iu{BޚI`Aa⡗5n˦! st :FŀΖE30|5-Aǫ2(zcGPT(}~[xͦ_kfCBFgP%_/ѷFy,^=faţXtrEEANk6zwK/_)/ИhF I#xӫoh9{fFѥ=Lqhh^XGZ-fxS,|-0ؿb"}liĦ7fjӥ D$T?8*%DiXEt[%P0A#ffI. fD'ZK:XZ2h&GV#XC:(Kۄ`/$nQ3PAA1Rx8H-#$׫Oz֑*]Y7H{|8pUZ "oxkkivr[ %`#XGCFHnAh\^ ]K+u|/r=qrz\ #1]c$sJdHxS z$!uZòQhX `7h kIMFAoJZگ_0?- phLcOۼj1BQ EM@Z37_|db!`Q&#/' 2oդU{qHmSukY˂΁mp[-Uϟ2b0 *sDf${˳@emu(/ZCCc$ct׌gِDf&֑L{ߵ;>PWk´z;ONm@d-)!a}g )T%=LסIOa=j~u2 mAʂuP}LWWƁ Ep "W~+h*5:[A* WP].kz6.i8U30#> =E@޳m2SiJ=@#kVשM*ywáh3w?ēxL 6Ysom0-XF %U /3L%}c.8m-MEBsRon6y&[ڤDBDQ `xC]t2l ,5уKSU Dg^ Hd0R߇|%V@@9B ŰKL_()׊c Qd`y0AxhlyRcςPDIqԷVy*M\dy?!WQX'~ޣS.}1\  ^ ޵lXJvBn)c~r:Mⳉ* ks6 h)\CbC. 'Y}wN5on>b9eAe83%!9ȽݼIeQ].goFc'#_q}9#mҥ6[󢅆P80hvCl*Ո N;ådž4Ԓz=Z1dWl(|@w5;n@50X|xӕȉz(,Kl6s##Mnu#PzkX$BTh!_߬qnsd[Fgl 0?m3h\q9B^G'yuf"ϫ'6&t>o9rƓd + a "?&'rX[ܓrd|ϩ_M'zsg{ozjW8Yym??4}¬Ÿ/nוUhsxV"W'Io :D 1m/nUOa sg`DRNt?׀iǴVWRvC7UO6nգ":i.ۑRxދ~udV&F lR]u\F#AMfrQ~laM0QSu8z]niBvmQ&f}MajYίh?A5ΫɻN5?3IZB2zwXYخ4+9 ȨX$$~e *I֐IUke p׳){$ߘZh_vT*KFhDpxJkqQk2[ 8fÔI6;Rg"qCBIzL@h 歒 =2_wdWFb'|+kmFZ=p9"qOi"kPo7F~ ?$@^}t|3kfa;ym* \ ΍akVqd+MAzd@p1mS+I 3s*a>=6ּhY0)ab߰#uqۍ#' klSě 6iA-(fM4(6AlbWk\z2Uܮ\%N;9zׇV"DnIs'p5i 4CZ.V~/{' _{]hSUԬ؍h}^ι_3ܜm<:țjY#H+^jLm{(G65$<*PPG>m+(-T/hi\cxDovOB .mneXcЭ_;S r_ĮڙJr5-[%<'˱ՃlXL-ĶA .HWYKvivyMȂ2 CXZʘ\ QB`}) E[@8][րO[' OG}"y:ଂ;Rks*azxߣI.4gK!K7+ͧwlhGWV'h'oP_MO^o3;4*R۟JO05.^/-8M<"a+$ 2bzeKI 'DZC:}=%F %&w7F`}.׻'.ǦS/n*ID[]1ə{ U!B]B,^)duڦ01VA͙B:?TV=xpMt/JIE_ܠmkzbc9ⓖuGsW(foefT Qk;~Pbᦲ4u&*((/^[M?Y;\}fhaN>.7/X_MA8:Apg|aqtCjOb5Z:)w:넚'_r$ MD}weP[:\!VjAżܓ zVkTJ6DYhO`2\b$Vk3.:NCa-0\ m'bzEK:"B-'$_w9)WiSw轹Ef,*Ks,kN :Ëʘd6e 磖t }fv*W_.ś^PX3`zIgr 5P~M{L}N|:0V#.PkH{h3ӜtPE>T- u8$,1D[Wh$^B#s)d1"T|sH:A| ȉq#I28m6#*<_Q |n})bS:}B'ɪ! Ήyԃ5N2f!7:~7!&Q* ưžYFNpSn]6 "TgJ53Sɒ+ Yӻ)ZQf+BeWn=ʬ)^e[ș F b q+l&?6{304HBWk6$B"g[Ioc܀qM:~,_4%[#_=M4}zE:^t!Ҍ!gGLerR#EbH( "b/&Vط5~QuS#!6A#vI|bB݌m,LYEP]+r$& |0¦mh\@mi4 :ñC%xaHO>݌$&YV~ӺaYR/'5r'6eFH FY4 30ݛYz,)@W< EI^I,'yԍBV=cLg?WUşDXRؑ n~fFE3jYszmne`mVy|h{ȘCKB* mos=72fvK wdjN_OT+7ʊ~?D_NMr9\̐im6`89 mzOlA@}V)2}QR/OPD(X \ 9ߴ25"}RkN8?RsSƒ#mWTΪU,֎gÄ!;ЯYb"2Hew;Kp+D[P,-߼݈U*2@Ե_QcMɍ|8|V(J]uvUjvDI26A[J1Qxǵj~܈ :)$) y!۰*::LIskH qRZ1HH^ ol36Zȯ;,SR֌JwM^*)7z5Foߪ@2pt˱pt3Fv#淅g/H+dgYO sSQE4) \l}aX2Vqt2>VYd٠H( &9$q80, T#8ʛ-jhy1h )Y Za`/"O,PDa0f>tԯ4 f"^RDʷMg\0!a˭Bp/wxg^8lHTYV;]=XQk/@Y=HgJW$&Q6XNj>ZXwd΋-#B`1mw3`pzK)0yBō.{JwR#7c(,ي@(` + F .{%ut>9˴Y+r+ܡ[wkT3VTX2V;981 Ɗ$dip ^|TZD[(J![xG>ri$R}LM n;;}ҹs Ζ9͋,;WގJ9s~Xi L%i7۠pO 靗$5w?=]}3h{6!="5leL@Hکg'~F&IhGsEpfezq[Ojq{] )Џ/"U>͞vSkdrENv~ ՌqG<Ώ2:P9Zf5Ng-Î 4S[oamQR񚸏O{>/wc&[!_=Rx]Y_l"R!WN~we}$}e'.,M*m>py/O Vx(]؞,o"mxŗ ' X6s5G62k|WAXxdHQ|~^tn{VYAJ<3vV2EA49yiwfHo-P69 Q e9PpHI6bu[-}pc-9ESX`D ƣdMޤ?<,?ʂYj?pwfɝJC..6ϵR] MY} 3EpӲV2 U3bb6Mb[dKRZ.'Pڮ(/\j&h Y1)5^:DYӎZ4ԖIt, cH5W\ږWI ^[\]u&`C h;RAcT"( |_J"ũK&mQcHתڣ|tUL3WzvM'6s d]kV>׻@Vz<Je04{N/T'`4f71j0Ns@Tf YZ