wpa_supplicant-gui-2.10-150600.7.6.1<>,plg!p9||MXE1xIvE/Ӡ K &Q>g!zHc0jj8PjĊ73CnL?~_&{h:k)<0|s#l5xܰP؛@ o%/hm'㜑@ s(U&v >J3T[*]q gUwP EHIZ|?rpHAWQ>8O VM4ۇY*8i vکZ~cؼfOqnaWt0G >><?,d ' J , BNkq|      *4`ht(8+9X+: +FZGtH|IXY\]^bcd#e(f+l-u@vHwtx|yz(Cwpa_supplicant-gui2.10150600.7.6.1WPA supplicant graphical front-endThis package contains a graphical front-end to wpa_supplicant, an implementation of the WPA Supplicant component.g!h04-armsrv1 SUSE Linux Enterprise 15SUSE LLC BSD-3-Clause AND GPL-2.0-or-laterhttps://www.suse.com/Unspecifiedhttps://w1.fi/wpa_supplicantlinuxaarch64 큤g!g!5d525fcb234d87c55ee3beaccb03bb4d2a179e783c962ac155e5c6a6d1782154d57783ead2cca37539bf8b5c4a81b8105c2970de177652fe1a027433593467aarootrootrootrootwpa_supplicant-2.10-150600.7.6.1.src.rpmwpa_supplicant-guiwpa_supplicant-gui(aarch-64)@@@@@@@@@@@@@@@@@@    ld-linux-aarch64.so.1()(64bit)ld-linux-aarch64.so.1(GLIBC_2.17)(64bit)libQt5Core.so.5()(64bit)libQt5Core.so.5(Qt_5)(64bit)libQt5Gui.so.5()(64bit)libQt5Gui.so.5(Qt_5)(64bit)libQt5Widgets.so.5()(64bit)libQt5Widgets.so.5(Qt_5)(64bit)libc.so.6()(64bit)libc.so.6(GLIBC_2.17)(64bit)libc.so.6(GLIBC_2.34)(64bit)libc.so.6(GLIBC_2.38)(64bit)libgcc_s.so.1()(64bit)libgcc_s.so.1(GCC_3.0)(64bit)libstdc++.so.6()(64bit)libstdc++.so.6(CXXABI_1.3)(64bit)libstdc++.so.6(CXXABI_1.3.9)(64bit)libstdc++.so.6(GLIBCXX_3.4)(64bit)rpmlib(CompressedFileNames)rpmlib(FileDigests)rpmlib(PayloadFilesHavePrefix)rpmlib(PayloadIsXz)wpa_supplicant3.0.4-14.6.0-14.0-15.2-14.14.3ge}@c@b@b@`lM@`?z@`:4@`_|\@_i@_i@^@^@^|@^|@^Y]]>[<@[[ā@[[;@[@[QY@X@X]W@VU@VŲ@V`V=@UKSUCjU8U'@U/@TBV@cfamullaconrad@suse.comcfamullaconrad@suse.comcfamullaconrad@suse.comcfamullaconrad@suse.comcfamullaconrad@suse.comcfamullaconrad@suse.comcfamullaconrad@suse.comcfamullaconrad@suse.comcfamullaconrad@suse.comsp1ritCS@protonmail.comcfamullaconrad@suse.comsongchuan.kang@suse.comcfamullaconrad@suse.combwiedemann@suse.comcfamullaconrad@suse.comilya@ilya.pp.uatchvatal@suse.comtchvatal@suse.comilya@ilya.pp.uailya@ilya.pp.uakbabioch@suse.comro@suse.dekbabioch@suse.comkbabioch@suse.comkbabioch@suse.comro@suse.demeissner@suse.comobs@botter.ccdwaas@suse.commeissner@suse.comtchvatal@suse.comlnussel@suse.decrrodriguez@opensuse.orgcrrodriguez@opensuse.orgcrrodriguez@opensuse.orglnussel@suse.demichael@stroeder.comro@suse.dezaitor@opensuse.orgcrrodriguez@opensuse.orgstefan.bruens@rwth-aachen.destefan.bruens@rwth-aachen.destefan.bruens@rwth-aachen.de- CVE-2025-24912: hostapd fails to process crafted RADIUS packets properly (bsc#1239461) [+ CVE-2025-24912.patch]- Add CVE-2023-52160.patch - Bypassing WiFi Authentication (bsc#1219975) - Change ctrl_interface from /var/run to %_rundir (/run)- update to 2.10.0: jsc#PED-2904 * SAE changes - improved protection against side channel attacks [https://w1.fi/security/2022-1/] - added support for the hash-to-element mechanism (sae_pwe=1 or sae_pwe=2); this is currently disabled by default, but will likely get enabled by default in the future - fixed PMKSA caching with OKC - added support for SAE-PK * EAP-pwd changes - improved protection against side channel attacks [https://w1.fi/security/2022-1/] * fixed P2P provision discovery processing of a specially constructed invalid frame [https://w1.fi/security/2021-1/] * fixed P2P group information processing of a specially constructed invalid frame [https://w1.fi/security/2020-2/] * fixed PMF disconnection protection bypass in AP mode [https://w1.fi/security/2019-7/] * added support for using OpenSSL 3.0 * increased the maximum number of EAP message exchanges (mainly to support cases with very large certificates) * fixed various issues in experimental support for EAP-TEAP peer * added support for DPP release 2 (Wi-Fi Device Provisioning Protocol) * a number of MKA/MACsec fixes and extensions * added support for SAE (WPA3-Personal) AP mode configuration * added P2P support for EDMG (IEEE 802.11ay) channels * fixed EAP-FAST peer with TLS GCM/CCM ciphers * improved throughput estimation and BSS selection * dropped support for libnl 1.1 * added support for nl80211 control port for EAPOL frame TX/RX * fixed OWE key derivation with groups 20 and 21; this breaks backwards compatibility for these groups while the default group 19 remains backwards compatible * added support for Beacon protection * added support for Extended Key ID for pairwise keys * removed WEP support from the default build (CONFIG_WEP=y can be used to enable it, if really needed) * added a build option to remove TKIP support (CONFIG_NO_TKIP=y) * added support for Transition Disable mechanism to allow the AP to automatically disable transition mode to improve security * extended D-Bus interface * added support for PASN * added a file-based backend for external password storage to allow secret information to be moved away from the main configuration file without requiring external tools * added EAP-TLS peer support for TLS 1.3 (disabled by default for now) * added support for SCS, MSCS, DSCP policy * changed driver interface selection to default to automatic fallback to other compiled in options * a large number of other fixes, cleanup, and extensions - drop wpa_supplicant-p2p_iname_size.diff, CVE-2021-30004.patch, CVE-2021-27803.patch, CVE-2021-0326.patch, CVE-2019-16275.patch, CVE-2022-23303_0001.patch, CVE-2022-23303_0002.patch, CVE-2022-23303_0003.patch, CVE-2022-23303_0004.patch: upstream - drop restore-old-dbus-interface.patch, wicked has been switching to the new dbus interface in version 0.6.66 - config: * re-enable CONFIG_WEP * enable QCA vendor extensions to nl80211 * enable support for Automatic Channel Selection * enable OCV, security feature that prevents MITM multi-channel attacks * enable QCA vendor extensions to nl80211 * enable EAP-EKE * Support HT overrides * TLS v1.1 and TLS v1.2 * Fast Session Transfer (FST) * Automatic Channel Selection * Multi Band Operation * Fast Initial Link Setup * Mesh Networking (IEEE 802.11s) - Add dbus-Fix-property-DebugShowKeys-and-DebugTimestamp.patch (bsc#1201219) - Move the dbus-1 system.d file to /usr (bsc#1200342) - Added hardening to systemd service(s) (bsc#1181400). Modified: * wpa_supplicant.service - drop wpa_supplicant-getrandom.patch : glibc has been updated so the getrandom() wrapper is now there - Sync wpa_supplicant.spec with Factory- Enable WPA3-Enterprise (SuiteB-192) support.- Add CVE-2022-23303_0001.patch, CVE-2022-23303_0002.patch, CVE-2022-23303_0003.patch, CVE-2022-23303_0004.patch SAE/EAP-pwd side-channel attack update 2 (CVE-2022-23303, CVE-2022-23304, bsc#1194732, bsc#1194733)- Add CVE-2021-30004.patch -- forging attacks may occur because AlgorithmIdentifier parameters are mishandled in tls/pkcs1.c and tls/x509v3.c (bsc#1184348)- Fix systemd device ready dependencies in wpa_supplicant@.service file. (see: https://forums.opensuse.org/showthread.php/547186-wpa_supplicant-service-fails-on-boot-succeeds-on-restart?p=2982844#post2982844)- Add CVE-2021-27803.patch -- P2P provision discovery processing vulnerability (bsc#1182805)- Add CVE-2021-0326.patch -- P2P group information processing vulnerability (bsc#1181777)- Add wpa_supplicant-p2p_iname_size.diff -- Limit P2P_DEVICE name to appropriate ifname size (https://patchwork.ozlabs.org/project/hostap/patch/20200825062902.124600-1-benjamin@sipsolutions.net/)- Fix spec file for SLE12, use make %{?_smp_mflags} instead of %make_build- Enable SAE support(jsc#SLE-14992).- Add CVE-2019-16275.patch -- AP mode PMF disconnection protection bypass (bsc#1150934)- Add restore-old-dbus-interface.patch to fix wicked wlan (boo#1156920) - Restore fi.epitest.hostap.WPASupplicant.service (bsc#1167331)- With v2.9 fi.epitest.hostap.WPASupplicant.service is obsolete (bsc#1167331)- Change wpa_supplicant.service to ensure wpa_supplicant gets started before network. Fix WLAN config on boot with wicked. (boo#1166933)- Adjust the service to start after network.target wrt bsc#1165266- Update to 2.9 release: * SAE changes - disable use of groups using Brainpool curves - improved protection against side channel attacks [https://w1.fi/security/2019-6/] * EAP-pwd changes - disable use of groups using Brainpool curves - allow the set of groups to be configured (eap_pwd_groups) - improved protection against side channel attacks [https://w1.fi/security/2019-6/] * fixed FT-EAP initial mobility domain association using PMKSA caching (disabled by default for backwards compatibility; can be enabled with ft_eap_pmksa_caching=1) * fixed a regression in OpenSSL 1.1+ engine loading * added validation of RSNE in (Re)Association Response frames * fixed DPP bootstrapping URI parser of channel list * extended EAP-SIM/AKA fast re-authentication to allow use with FILS * extended ca_cert_blob to support PEM format * improved robustness of P2P Action frame scheduling * added support for EAP-SIM/AKA using anonymous@realm identity * fixed Hotspot 2.0 credential selection based on roaming consortium to ignore credentials without a specific EAP method * added experimental support for EAP-TEAP peer (RFC 7170) * added experimental support for EAP-TLS peer with TLS v1.3 * fixed a regression in WMM parameter configuration for a TDLS peer * fixed a regression in operation with drivers that offload 802.1X 4-way handshake * fixed an ECDH operation corner case with OpenSSL * SAE changes - added support for SAE Password Identifier - changed default configuration to enable only groups 19, 20, 21 (i.e., disable groups 25 and 26) and disable all unsuitable groups completely based on REVmd changes - do not regenerate PWE unnecessarily when the AP uses the anti-clogging token mechanisms - fixed some association cases where both SAE and FT-SAE were enabled on both the station and the selected AP - started to prefer FT-SAE over SAE AKM if both are enabled - started to prefer FT-SAE over FT-PSK if both are enabled - fixed FT-SAE when SAE PMKSA caching is used - reject use of unsuitable groups based on new implementation guidance in REVmd (allow only FFC groups with prime >= 3072 bits and ECC groups with prime >= 256) - minimize timing and memory use differences in PWE derivation [https://w1.fi/security/2019-1/] (CVE-2019-9494, bsc#1131868) * EAP-pwd changes - minimize timing and memory use differences in PWE derivation [https://w1.fi/security/2019-2/] (CVE-2019-9495, bsc#1131870) - verify server scalar/element [https://w1.fi/security/2019-4/] (CVE-2019-9497, CVE-2019-9498, CVE-2019-9499, bsc#1131874, bsc#1131872, bsc#1131871, bsc#1131644) - fix message reassembly issue with unexpected fragment [https://w1.fi/security/2019-5/] (CVE-2019-11555, bsc#1133640) - enforce rand,mask generation rules more strictly - fix a memory leak in PWE derivation - disallow ECC groups with a prime under 256 bits (groups 25, 26, and 27) - SAE/EAP-pwd side-channel attack update [https://w1.fi/security/2019-6/] (CVE-2019-13377, bsc#1144443) * fixed CONFIG_IEEE80211R=y (FT) build without CONFIG_FILS=y * Hotspot 2.0 changes - do not indicate release number that is higher than the one AP supports - added support for release number 3 - enable PMF automatically for network profiles created from credentials * fixed OWE network profile saving * fixed DPP network profile saving * added support for RSN operating channel validation (CONFIG_OCV=y and network profile parameter ocv=1) * added Multi-AP backhaul STA support * fixed build with LibreSSL * number of MKA/MACsec fixes and extensions * extended domain_match and domain_suffix_match to allow list of values * fixed dNSName matching in domain_match and domain_suffix_match when using wolfSSL * started to prefer FT-EAP-SHA384 over WPA-EAP-SUITE-B-192 AKM if both are enabled * extended nl80211 Connect and external authentication to support SAE, FT-SAE, FT-EAP-SHA384 * fixed KEK2 derivation for FILS+FT * extended client_cert file to allow loading of a chain of PEM encoded certificates * extended beacon reporting functionality * extended D-Bus interface with number of new properties * fixed a regression in FT-over-DS with mac80211-based drivers * OpenSSL: allow systemwide policies to be overridden * extended driver flags indication for separate 802.1X and PSK 4-way handshake offload capability * added support for random P2P Device/Interface Address use * extended PEAP to derive EMSK to enable use with ERP/FILS * extended WPS to allow SAE configuration to be added automatically for PSK (wps_cred_add_sae=1) * removed support for the old D-Bus interface (CONFIG_CTRL_IFACE_DBUS) * extended domain_match and domain_suffix_match to allow list of values * added a RSN workaround for misbehaving PMF APs that advertise IGTK/BIP KeyID using incorrect byte order * fixed PTK rekeying with FILS and FT * fixed WPA packet number reuse with replayed messages and key reinstallation [https://w1.fi/security/2017-1/] (CVE-2017-13077, CVE-2017-13078, CVE-2017-13079, CVE-2017-13080, CVE-2017-13081, CVE-2017-13082, CVE-2017-13086, CVE-2017-13087, CVE-2017-13088) * fixed unauthenticated EAPOL-Key decryption in wpa_supplicant [https://w1.fi/security/2018-1/] (CVE-2018-14526) * added support for FILS (IEEE 802.11ai) shared key authentication * added support for OWE (Opportunistic Wireless Encryption, RFC 8110; and transition mode defined by WFA) * added support for DPP (Wi-Fi Device Provisioning Protocol) * added support for RSA 3k key case with Suite B 192-bit level * fixed Suite B PMKSA caching not to update PMKID during each 4-way handshake * fixed EAP-pwd pre-processing with PasswordHashHash * added EAP-pwd client support for salted passwords * fixed a regression in TDLS prohibited bit validation * started to use estimated throughput to avoid undesired signal strength based roaming decision * MACsec/MKA: - new macsec_linux driver interface support for the Linux kernel macsec module - number of fixes and extensions * added support for external persistent storage of PMKSA cache (PMKSA_GET/PMKSA_ADD control interface commands; and MESH_PMKSA_GET/MESH_PMKSA_SET for the mesh case) * fixed mesh channel configuration pri/sec switch case * added support for beacon report * large number of other fixes, cleanup, and extensions * added support for randomizing local address for GAS queries (gas_rand_mac_addr parameter) * fixed EAP-SIM/AKA/AKA' ext auth cases within TLS tunnel * added option for using random WPS UUID (auto_uuid=1) * added SHA256-hash support for OCSP certificate matching * fixed EAP-AKA' to add AT_KDF into Synchronization-Failure * fixed a regression in RSN pre-authentication candidate selection * added option to configure allowed group management cipher suites (group_mgmt network profile parameter) * removed all PeerKey functionality * fixed nl80211 AP and mesh mode configuration regression with Linux 4.15 and newer * added ap_isolate configuration option for AP mode * added support for nl80211 to offload 4-way handshake into the driver * added support for using wolfSSL cryptographic library * SAE - added support for configuring SAE password separately of the WPA2 PSK/passphrase - fixed PTK and EAPOL-Key integrity and key-wrap algorithm selection for SAE; note: this is not backwards compatible, i.e., both the AP and station side implementations will need to be update at the same time to maintain interoperability - added support for Password Identifier - fixed FT-SAE PMKID matching * Hotspot 2.0 - added support for fetching of Operator Icon Metadata ANQP-element - added support for Roaming Consortium Selection element - added support for Terms and Conditions - added support for OSEN connection in a shared RSN BSS - added support for fetching Venue URL information * added support for using OpenSSL 1.1.1 * FT - disabled PMKSA caching with FT since it is not fully functional - added support for SHA384 based AKM - added support for BIP ciphers BIP-CMAC-256, BIP-GMAC-128, BIP-GMAC-256 in addition to previously supported BIP-CMAC-128 - fixed additional IE inclusion in Reassociation Request frame when using FT protocol - Drop merged patches: * rebased-v2.6-0001-hostapd-Avoid-key-reinstallation-in-FT-handshake.patch * rebased-v2.6-0002-Prevent-reinstallation-of-an-already-in-use-group-ke.patch * rebased-v2.6-0003-Extend-protection-of-GTK-IGTK-reinstallation-of-WNM-.patch * rebased-v2.6-0004-Prevent-installation-of-an-all-zero-TK.patch * rebased-v2.6-0005-Fix-PTK-rekeying-to-generate-a-new-ANonce.patch * rebased-v2.6-0006-TDLS-Reject-TPK-TK-reconfiguration.patch * rebased-v2.6-0007-WNM-Ignore-WNM-Sleep-Mode-Response-without-pending-r.patch * rebased-v2.6-0008-FT-Do-not-allow-multiple-Reassociation-Response-fram.patch * rebased-v2.6-0009-WPA-Ignore-unauthenticated-encrypted-EAPOL-Key-data.patch * wpa_supplicant-bnc-1099835-fix-private-key-password.patch * wpa_supplicant-bnc-1099835-clear-default_passwd_cb.patch * wpa_supplicant-log-file-permission.patch * wpa_supplicant-log-file-cloexec.patch * wpa_supplicant-git-fa67debf4c6ddbc881a212b175faa6d5d0d90c8c.patch * wpa_supplicant-git-f5b74b966c942feb95a8ddbb7d130540b15b796d.patch - Rebase patches: * wpa_supplicant-getrandom.patch- Refresh spec-file via spec-cleaner and manual optimizations. * Change URL and Source0 to actual project homepage. * Remove macro %{?systemd_requires} and rm (not needed). * Add %autopatch macro. * Add %make_build macro. - Chenged patch wpa_supplicant-flush-debug-output.patch (to -p1). - Changed service-files for start after network (systemd-networkd).- Refresh spec-file: add %license tag.- Renamed patches: - wpa-supplicant-log-file-permission.patch -> wpa_supplicant-log-file-permission.patch - wpa-supplicant-log-file-cloexec.patch -> wpa_supplicant-log-file-cloexec.patch - wpa_supplicant-log-file-permission.patch: Using O_WRONLY flag - Enabled timestamps in log files (bsc#1080798)- compile eapol_test binary to allow testing via radius proxy and server (note: this does not match CONFIG_EAPOL_TEST which sets -Werror and activates an assert call inside the code of wpa_supplicant) (bsc#1111873), (fate#326725) - add patch to fix wrong operator precedence in ieee802_11.c wpa_supplicant-git-fa67debf4c6ddbc881a212b175faa6d5d0d90c8c.patch - add patch to avoid redefinition of __bitwise macro wpa_supplicant-git-f5b74b966c942feb95a8ddbb7d130540b15b796d.patch- Added wpa-supplicant-log-file-permission.patch: Fixes the default file permissions of the debug log file to more sane values, i.e. it is no longer world-readable (bsc#1098854). - Added wpa-supplicant-log-file-cloexec.patch: Open the debug log file with O_CLOEXEC, which will prevent file descriptor leaking to child processes (bsc#1098854).- Added rebased-v2.6-0009-WPA-Ignore-unauthenticated-encrypted-EAPOL-Key-data.patch: Ignore unauthenticated encrypted EAPOL-Key data (CVE-2018-14526, bsc#1104205).- Enabled PWD as EAP method. This allows for password-based authentication, which is easier to setup than most of the other methods, and is used by the Eduroam network (bsc#1109209).- add two patches from upstream to fix reading private key passwords from the configuration file (bsc#1099835) - add patch for git 89971d8b1e328a2f79699c953625d1671fd40384 wpa_supplicant-bnc-1099835-clear-default_passwd_cb.patch - add patch for git f665c93e1d28fbab3d9127a8c3985cc32940824f wpa_supplicant-bnc-1099835-fix-private-key-password.patch- Fix KRACK attacks (bsc#1056061, CVE-2017-13078, CVE-2017-13079, CVE-2017-13080, CVE-2017-13081, CVE-2017-13087, CVE-2017-13088): - rebased-v2.6-0001-hostapd-Avoid-key-reinstallation-in-FT-handshake.patch - rebased-v2.6-0002-Prevent-reinstallation-of-an-already-in-use-group-ke.patch - rebased-v2.6-0003-Extend-protection-of-GTK-IGTK-reinstallation-of-WNM-.patch - rebased-v2.6-0004-Prevent-installation-of-an-all-zero-TK.patch - rebased-v2.6-0005-Fix-PTK-rekeying-to-generate-a-new-ANonce.patch - rebased-v2.6-0006-TDLS-Reject-TPK-TK-reconfiguration.patch - rebased-v2.6-0007-WNM-Ignore-WNM-Sleep-Mode-Response-without-pending-r.patch - rebased-v2.6-0008-FT-Do-not-allow-multiple-Reassociation-Response-fram.patch- fix wpa_supplicant-sigusr1-changes-debuglevel.patch to match eloop_signal_handler type (needed to build eapol_test via config)- Added .service files that accept interfaces as %i arguments so it's possible to call the daemon with: "systemctl start wpa_supplicant@$INTERFACE_NAME.service" (like openvpn for example)- updated to 2.6 / 2016-10-02 * fixed WNM Sleep Mode processing when PMF is not enabled [http://w1.fi/security/2015-6/] (CVE-2015-5310 bsc#952254) * fixed EAP-pwd last fragment validation [http://w1.fi/security/2015-7/] (CVE-2015-5315 bsc#953115) * fixed EAP-pwd unexpected Confirm message processing [http://w1.fi/security/2015-8/] (CVE-2015-5316 bsc#953115) * fixed WPS configuration update vulnerability with malformed passphrase [http://w1.fi/security/2016-1/] (CVE-2016-4476 bsc#978172) * fixed configuration update vulnerability with malformed parameters set over the local control interface [http://w1.fi/security/2016-1/] (CVE-2016-4477 bsc#978175) * fixed TK configuration to the driver in EAPOL-Key 3/4 retry case * extended channel switch support for P2P GO * started to throttle control interface event message bursts to avoid issues with monitor sockets running out of buffer space * mesh mode fixes/improvements - generate proper AID for peer - enable WMM by default - add VHT support - fix PMKID derivation - improve robustness on various exchanges - fix peer link counting in reconnect case - improve mesh joining behavior - allow DTIM period to be configured - allow HT to be disabled (disable_ht=1) - add MESH_PEER_ADD and MESH_PEER_REMOVE commands - add support for PMKSA caching - add minimal support for SAE group negotiation - allow pairwise/group cipher to be configured in the network profile - use ieee80211w profile parameter to enable/disable PMF and derive a separate TX IGTK if PMF is enabled instead of using MGTK incorrectly - fix AEK and MTK derivation - remove GTKdata and IGTKdata from Mesh Peering Confirm/Close - note: these changes are not fully backwards compatible for secure (RSN) mesh network * fixed PMKID derivation with SAE * added support for requesting and fetching arbitrary ANQP-elements without internal support in wpa_supplicant for the specific element (anqp[265]= in "BSS " command output) * P2P - filter control characters in group client device names to be consistent with other P2P peer cases - support VHT 80+80 MHz and 160 MHz - indicate group completion in P2P Client role after data association instead of already after the WPS provisioning step - improve group-join operation to use SSID, if known, to filter BSS entries - added optional ssid= argument to P2P_CONNECT for join case - added P2P_GROUP_MEMBER command to fetch client interface address * P2PS - fix follow-on PD Response behavior - fix PD Response generation for unknown peer - fix persistent group reporting - add channel policy to PD Request - add group SSID to the P2PS-PROV-DONE event - allow "P2P_CONNECT p2ps" to be used without specifying the default PIN * BoringSSL - support for OCSP stapling - support building of h20-osu-client * D-Bus - add ExpectDisconnect() - add global config parameters as properties - add SaveConfig() - add VendorElemAdd(), VendorElemGet(), VendorElemRem() * fixed Suite B 192-bit AKM to use proper PMK length (note: this makes old releases incompatible with the fixed behavior) * improved PMF behavior for cases where the AP and STA has different configuration by not trying to connect in some corner cases where the connection cannot succeed * added option to reopen debug log (e.g., to rotate the file) upon receipt of SIGHUP signal * EAP-pwd: added support for Brainpool Elliptic Curves (with OpenSSL 1.0.2 and newer) * fixed EAPOL reauthentication after FT protocol run * fixed FTIE generation for 4-way handshake after FT protocol run * extended INTERFACE_ADD command to allow certain type (sta/ap) interface to be created * fixed and improved various FST operations * added 80+80 MHz and 160 MHz VHT support for IBSS/mesh * fixed SIGNAL_POLL in IBSS and mesh cases * added an option to abort an ongoing scan (used to speed up connection and can also be done with the new ABORT_SCAN command) * TLS client - do not verify CA certificates when ca_cert is not specified - support validating server certificate hash - support SHA384 and SHA512 hashes - add signature_algorithms extension into ClientHello - support TLS v1.2 signature algorithm with SHA384 and SHA512 - support server certificate probing - allow specific TLS versions to be disabled with phase2 parameter - support extKeyUsage - support PKCS #5 v2.0 PBES2 - support PKCS #5 with PKCS #12 style key decryption - minimal support for PKCS #12 - support OCSP stapling (including ocsp_multi) * OpenSSL - support OpenSSL 1.1 API changes - drop support for OpenSSL 0.9.8 - drop support for OpenSSL 1.0.0 * added support for multiple schedule scan plans (sched_scan_plans) * added support for external server certificate chain validation (tls_ext_cert_check=1 in the network profile phase1 parameter) * made phase2 parser more strict about correct use of auth= and autheap= values * improved GAS offchannel operations with comeback request * added SIGNAL_MONITOR command to request signal strength monitoring events * added command for retrieving HS 2.0 icons with in-memory storage (REQ_HS20_ICON, GET_HS20_ICON, DEL_HS20_ICON commands and RX-HS20-ICON event) * enabled ACS support for AP mode operations with wpa_supplicant * EAP-PEAP: fixed interoperability issue with Windows 2012r2 server ("Invalid Compound_MAC in cryptobinding TLV") * EAP-TTLS: fixed success after fragmented final Phase 2 message * VHT: added interoperability workaround for 80+80 and 160 MHz channels * WNM: workaround for broken AP operating class behavior * added kqueue(2) support for eloop (CONFIG_ELOOP_KQUEUE) * nl80211: - add support for full station state operations - do not add NL80211_ATTR_SMPS_MODE attribute if HT is disabled - add NL80211_ATTR_PREV_BSSID with Connect command - fix IEEE 802.1X/WEP EAP reauthentication and rekeying to use unencrypted EAPOL frames * added initial MBO support; number of extensions to WNM BSS Transition Management * added support for PBSS/PCP and P2P on 60 GHz * Interworking: add credential realm to EAP-TLS identity * fixed EAPOL-Key Request Secure bit to be 1 if PTK is set * HS 2.0: add support for configuring frame filters * added POLL_STA command to check connectivity in AP mode * added initial functionality for location related operations * started to ignore pmf=1/2 parameter for non-RSN networks * added wps_disabled=1 network profile parameter to allow AP mode to be started without enabling WPS * wpa_cli: added action script support for AP-ENABLED and AP-DISABLED events * improved Public Action frame addressing - add gas_address3 configuration parameter to control Address 3 behavior * number of small fixes - wpa_supplicant-dump-certificate-as-PEM-in-debug-mode.diff: dump x509 certificates from remote radius server in debug mode in WPA-EAP.- Remove support for <12.3 as we are unresolvable there anyway - Use qt5 on 13.2 if someone pulls this package in - Convert to pkgconfig dependencies over the devel pkgs - Use the %qmake5 macro to build the qt5 gui- add After=dbus.service to prevent too early shutdown (bnc#963652)- Revert CONFIG_ELOOP_EPOLL=y, it is broken in combination with CONFIG_DBUS=yes.- spec: Compile the GUI against QT5 in 13.2 and later.- Previous update did not include version 2.5 tarball or changed the version number in spec, only the changelog and removed patches. - config: set CONFIG_NO_RANDOM_POOL=y, we have a reliable· random number generator by using /dev/urandom, no need to keep an internal random number pool which draws entropy from /dev/random. - config: prefer using epoll(7) instead of select(2) by setting CONFIG_ELOOP_EPOLL=y - wpa_supplicant-getrandom.patch: Prefer to use the getrandom(2) system call to collect entropy. if it is not present disable buffering when reading /dev/urandom, otherwise each os_get_random() call will request BUFSIZ of entropy instead of the few needed bytes.- add aliases for both provided dbus names to avoid systemd stopping the service when switching runlevels (boo#966535)- removed obsolete security patches: * 0001-P2P-Validate-SSID-element-length-before-copying-it-C.patch * 0001-WPS-Fix-HTTP-chunked-transfer-encoding-parser.patch * 0001-AP-WMM-Fix-integer-underflow-in-WMM-Action-frame-par.patch * 0001-EAP-pwd-peer-Fix-payload-length-validation-for-Commi.patch * wpa_s-D-Bus-Fix-operations-when-P2P-management-interface-is-used.patch * 0002-EAP-pwd-server-Fix-payload-length-validation-for-Com.patch * 0003-EAP-pwd-peer-Fix-Total-Length-parsing-for-fragment-r.patch * 0004-EAP-pwd-server-Fix-Total-Length-parsing-for-fragment.patch * 0005-EAP-pwd-peer-Fix-asymmetric-fragmentation-behavior.patch - Update to upstream release 2.5 * fixed P2P validation of SSID element length before copying it [http://w1.fi/security/2015-1/] (CVE-2015-1863) * fixed WPS UPnP vulnerability with HTTP chunked transfer encoding [http://w1.fi/security/2015-2/] (CVE-2015-4141) * fixed WMM Action frame parser (AP mode) [http://w1.fi/security/2015-3/] (CVE-2015-4142) * fixed EAP-pwd peer missing payload length validation [http://w1.fi/security/2015-4/] (CVE-2015-4143, CVE-2015-4144, CVE-2015-4145, CVE-2015-4146) * fixed validation of WPS and P2P NFC NDEF record payload length [http://w1.fi/security/2015-5/] (CVE-2015-8041) * nl80211: - added VHT configuration for IBSS - fixed vendor command handling to check OUI properly - allow driver-based roaming to change ESS * added AVG_BEACON_RSSI to SIGNAL_POLL output * wpa_cli: added tab completion for number of commands * removed unmaintained and not yet completed SChannel/CryptoAPI support * modified Extended Capabilities element use in Probe Request frames to include all cases if any of the values are non-zero * added support for dynamically creating/removing a virtual interface with interface_add/interface_remove * added support for hashed password (NtHash) in EAP-pwd peer * added support for memory-only PSK/passphrase (mem_only_psk=1 and CTRL-REQ/RSP-PSK_PASSPHRASE) * P2P - optimize scan frequencies list when re-joining a persistent group - fixed number of sequences with nl80211 P2P Device interface - added operating class 125 for P2P use cases (this allows 5 GHz channels 161 and 169 to be used if they are enabled in the current regulatory domain) - number of fixes to P2PS functionality - do not allow 40 MHz co-ex PRI/SEC switch to force MCC - extended support for preferred channel listing * D-Bus: - fixed WPS property of fi.w1.wpa_supplicant1.BSS interface - fixed PresenceRequest to use group interface - added new signals: FindStopped, WPS pbc-overlap, GroupFormationFailure, WPS timeout, InvitationReceived - added new methods: WPS Cancel, P2P Cancel, Reconnect, RemoveClient - added manufacturer info * added EAP-EKE peer support for deriving Session-Id * added wps_priority configuration parameter to set the default priority for all network profiles added by WPS * added support to request a scan with specific SSIDs with the SCAN command (optional "ssid " arguments) * removed support for WEP40/WEP104 as a group cipher with WPA/WPA2 * fixed SAE group selection in an error case * modified SAE routines to be more robust and PWE generation to be stronger against timing attacks * added support for Brainpool Elliptic Curves with SAE * added support for CCMP-256 and GCMP-256 as group ciphers with FT * fixed BSS selection based on estimated throughput * added option to disable TLSv1.0 with OpenSSL (phase1="tls_disable_tlsv1_0=1") * added Fast Session Transfer (FST) module * fixed OpenSSL PKCS#12 extra certificate handling * fixed key derivation for Suite B 192-bit AKM (this breaks compatibility with the earlier version) * added RSN IE to Mesh Peering Open/Confirm frames * number of small fixes- added patch for bnc#930077 CVE-2015-4141 0001-AP-WMM-Fix-integer-underflow-in-WMM-Action-frame-par.patch - added patch for bnc#930078 CVE-2015-4142 0001-WPS-Fix-HTTP-chunked-transfer-encoding-parser.patch - added patches for bnc#930079 CVE-2015-4143 0001-EAP-pwd-peer-Fix-payload-length-validation-for-Commi.patch 0002-EAP-pwd-server-Fix-payload-length-validation-for-Com.patch 0003-EAP-pwd-peer-Fix-Total-Length-parsing-for-fragment-r.patch 0004-EAP-pwd-server-Fix-Total-Length-parsing-for-fragment.patch 0005-EAP-pwd-peer-Fix-asymmetric-fragmentation-behavior.patch- Add wpa_s-D-Bus-Fix-operations-when-P2P-management-interface-is-used.patch Fix Segmentation fault in wpa_supplicant. Patch taken from upstream master git (arch#44740).- 0001-P2P-Validate-SSID-element-length-before-copying-it-C.patch Fix CVE-2015-1863, memcpy overflow. - wpa_supplicant-alloc_size.patch: annotate two wrappers with attribute alloc_size, which may help warning us of bugs such as the above.- Delete wpa_priv and eapol_test man pages, these are disabled in config - Move wpa_gui man page to gui package- Update to 2.4 * allow OpenSSL cipher configuration to be set for internal EAP server (openssl_ciphers parameter) * fixed number of small issues based on hwsim test case failures and static analyzer reports * P2P: - add new=<0/1> flag to P2P-DEVICE-FOUND events - add passive channels in invitation response from P2P Client - enable nl80211 P2P_DEVICE support by default - fix regresssion in disallow_freq preventing search on social channels - fix regressions in P2P SD query processing - try to re-invite with social operating channel if no common channels in invitation - allow cross connection on parent interface (this fixes number of use cases with nl80211) - add support for P2P services (P2PS) - add p2p_go_ctwindow configuration parameter to allow GO CTWindow to be configured * increase postponing of EAPOL-Start by one second with AP/GO that supports WPS 2.0 (this makes it less likely to trigger extra roundtrip of identity frames) * add support for PMKSA caching with SAE * add support for control mesh BSS (IEEE 802.11s) operations * fixed number of issues with D-Bus P2P commands * fixed regression in ap_scan=2 special case for WPS * fixed macsec_validate configuration * add a workaround for incorrectly behaving APs that try to use EAPOL-Key descriptor version 3 when the station supports PMF even if PMF is not enabled on the AP * allow TLS v1.1 and v1.2 to be negotiated by default; previous behavior of disabling these can be configured to work around issues with broken servers with phase1="tls_disable_tlsv1_1=1 tls_disable_tlsv1_2=1" * add support for Suite B (128-bit and 192-bit level) key management and cipher suites * add WMM-AC support (WMM_AC_ADDTS/WMM_AC_DELTS) * improved BSS Transition Management processing * add support for neighbor report * add support for link measurement * fixed expiration of BSS entry with all-zeros BSSID * add optional LAST_ID=x argument to LIST_NETWORK to allow all configured networks to be listed even with huge number of network profiles * add support for EAP Re-Authentication Protocol (ERP) * fixed EAP-IKEv2 fragmentation reassembly * improved PKCS#11 configuration for OpenSSL * set stdout to be line-buffered * add TDLS channel switch configuration * add support for MAC address randomization in scans with nl80211 * enable HT for IBSS if supported by the driver * add BSSID black and white lists (bssid_blacklist, bssid_whitelist) * add support for domain_suffix_match with GnuTLS * add OCSP stapling client support with GnuTLS * include peer certificate in EAP events even without a separate probe operation; old behavior can be restored with cert_in_cb=0 * add peer ceritficate alt subject name to EAP events (CTRL-EVENT-EAP-PEER-ALT) * add domain_match network profile parameter (similar to domain_suffix_match, but full match is required) * enable AP/GO mode HT Tx STBC automatically based on driver support * add ANQP-QUERY-DONE event to provide information on ANQP parsing status * allow passive scanning to be forced with passive_scan=1 * add a workaround for Linux packet socket behavior when interface is in bridge * increase 5 GHz band preference in BSS selection (estimate SNR, if info not available from driver; estimate maximum throughput based on common HT/VHT/specific TX rate support) * add INTERWORKING_ADD_NETWORK ctrl_iface command; this can be used to implement Interworking network selection behavior in upper layers software components * add optional reassoc_same_bss_optim=1 (disabled by default) optimization to avoid unnecessary Authentication frame exchange * extend TDLS frame padding workaround to cover all packets * allow wpa_supplicant to recover nl80211 functionality if the cfg80211 module gets removed and reloaded without restarting wpa_supplicant * allow hostapd DFS implementation to be used in wpa_supplicant AP mode- Update to 2.3 * fixed number of minor issues identified in static analyzer warnings * fixed wfd_dev_info to be more careful and not read beyond the buffer when parsing invalid information for P2P-DEVICE-FOUND * extended P2P and GAS query operations to support drivers that have maximum remain-on-channel time below 1000 ms (500 ms is the current minimum supported value) * added p2p_search_delay parameter to make the default p2p_find delay configurable * improved P2P operating channel selection for various multi-channel concurrency cases * fixed some TDLS failure cases to clean up driver state * fixed dynamic interface addition cases with nl80211 to avoid adding ifindex values to incorrect interface to skip foreign interface events properly * added TDLS workaround for some APs that may add extra data to the end of a short frame * fixed EAP-AKA' message parser with multiple AT_KDF attributes * added configuration option (p2p_passphrase_len) to allow longer passphrases to be generated for P2P groups * fixed IBSS channel configuration in some corner cases * improved HT/VHT/QoS parameter setup for TDLS * modified D-Bus interface for P2P peers/groups * started to use constant time comparison for various password and hash values to reduce possibility of any externally measurable timing differences * extended explicit clearing of freed memory and expired keys to avoid keeping private data in memory longer than necessary * added optional scan_id parameter to the SCAN command to allow manual scan requests for active scans for specific configured SSIDs * fixed CTRL-EVENT-REGDOM-CHANGE event init parameter value * added option to set Hotspot 2.0 Rel 2 update_identifier in network configuration to support external configuration * modified Android PNO functionality to send Probe Request frames only for hidden SSIDs (based on scan_ssid=1) * added generic mechanism for adding vendor elements into frames at runtime (VENDOR_ELEM_ADD, VENDOR_ELEM_GET, VENDOR_ELEM_REMOVE) * added fields to show unrecognized vendor elements in P2P_PEER * removed EAP-TTLS/MSCHAPv2 interoperability workaround so that MS-CHAP2-Success is required to be present regardless of eap_workaround configuration * modified EAP fast session resumption to allow results to be used only with the same network block that generated them * extended freq_list configuration to apply for sched_scan as well as normal scan * modified WPS to merge mixed-WPA/WPA2 credentials from a single session * fixed nl80211/RTM_DELLINK processing when a P2P GO interface is removed from a bridge * fixed number of small P2P issues to make negotiations more robust in corner cases * added experimental support for using temporary, random local MAC address (mac_addr and preassoc_mac_addr parameters); this is disabled by default (i.e., previous behavior of using permanent address is maintained if configuration is not changed) * added D-Bus interface for setting/clearing WFD IEs * fixed TDLS AID configuration for VHT * modified -m configuration file to be used only for the P2P non-netdev management device and do not load this for the default station interface or load the station interface configuration for the P2P management interface * fixed external MAC address changes while wpa_supplicant is running * started to enable HT (if supported by the driver) for IBSS * fixed wpa_cli action script execution to use more robust mechanism (CVE-2014-3686)h04-armsrv1 17418899802.10-150600.7.6.12.10-150600.7.6.1wpa_guiwpa_gui.8.gz/usr/sbin//usr/share/man/man8/-fmessage-length=0 -grecord-gcc-switches -O2 -Wall -D_FORTIFY_SOURCE=2 -fstack-protector-strong -funwind-tables -fasynchronous-unwind-tables -fstack-clash-protection -gobs://build.suse.de/SUSE:Maintenance:37861/SUSE_SLE-15-SP6_Update/9b432eb1227ff88675139bcb07b9c311-wpa_supplicant.SUSE_SLE-15-SP6_Updatedrpmxz5aarch64-suse-linuxELF 64-bit LSB shared object, ARM aarch64, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux-aarch64.so.1, for GNU/Linux 3.7.0, BuildID[sha1]=d20254213079c98e89091bb17349b31acba57cec, strippedtroff or preprocessor input, ASCII text (gzip compressed data, max compression, from Unix)RR RR R R RRRRRRRRRR RR˟QZsxkK>utf-85e7624714779628126ff371b420bc2837937a6f75d573055737a6d04cc29241d? 7zXZ !t/BI]"k%}RUJzx+P]8\R>~v)z!&~Qϥ']FJlZ Ad/~|ޭsq,v (\,?PfZSuRU%YeZWks2}nӖ5ȏ0 d,^2*L_%%Kb]-FJ}·ԂZ,^1$"l5S7Ȣ qW}?ݩe?2W\s!U\$@g%$ӫ<\DMt󤆢Wbw-_`!{Yap_NAk͞EI'?Z(hw}o̩UgH UI~ uR _F=HB!sյCs(l7W|@z?,cvq~.]6 (.@\ 흃$ 6< +뜚tx`6$(ue῁%"[ǽhb SKi~ym&e)zכ)z{cS}2^dߜ𨯙+qhboRn3O}vq#EzRy:.DfKψljOK1[SC2K%ZuM]i-|o̠~h^r'<2< Zc鉀1V&զծ ۀa/"nqG07]V42iGT[̱ٗ@ك UÅ-˝EIu=8 T-lF2j{ƥ>EAb;dxj]8B8X#;km}Sle 42lE1 οz (1-B8C%.)TZ`Hpi4> c>96S'ߺ=MҾmrI~iCP޻-_yiɋD MŹŻ)HqT.t* gNv{״ m%M!cW9U !wHf(y+ tEQ}ݼ ~/݂z21)EyDh"azé#^UHQd:A?RBmFWY͕ZG?=fx6U-2`?\BFGt"fawq(vģM˗06VH76?=^Mo +M_PVә幆 ;ĀO 폅}ȟkmCc=as\05Hw3RZ+l.`ٓ;?nlvuL}Bn9B%3ox"2*&V%!V\pN(*+dvTL-"2@}`#Vcq2h`Ute *SÈsik|3FuBS&aXpr͐*BGX|,m \؞vK_:whVF@2+dtX~ǟ&>T'ҁJi?;4mS֖Lx>qェ8!^=ߙl/mʀYV\:M΅8z__\h3t%ϧ=nFk8 7u ܃3f3K>%Vàdmb%D.-^ߢn0acϝywS_`u i'B#Ʋ2?3xNx,"r[]<'81WVUt^7[)uo[ SG(EA9!}jg@IC2Mbg Xi-54 ِ63in*H"I0p!`ad3k vیx~5%5i&Ո4Ym\Mys09~qE4?{|ݟ]O=>ϽGZǔ<(oV䰤bI0̰9#}fmk_rHuS*D{S)f6*!IɦSZ1^k5j.%mBE+^H݊k\cWCp΢1g [6¬e["z$k`b*聯WT^8XZ@Jv6Ώ@ DO~u'UH{>7iؔq|f3OPBID N%z8u<"Din\?U{PҮ%+tȞ>(/>:kze1_4f`Y6PHa:JנvuL2 `YX>Nـz?K:"V< }ds`[i%A86'!-Gi<6 gq6hꮌI"J FqbW+ ̜4Nn}$-mPh΂aJ^ IiL9FT~Q1_Ti.䥙)ܮ],R04XlbWkN3<fbP;^Y´bʼn%(h>G;.xWh<XM7STL^8( (ީj0:JIO63փIR aU?@"B,&51rX*pD򉚬kAH}^" 5أyF 5y H.NmnЬ!+uf1^,_G!0[:HRߒY`I2$sGQ(*{DeZ=0 `Sf~67O[畧m49q~߅F& $tW|d[SjKFpzRzޞ} 8ʆG}vR<]欁K0TQ_0Yuti7lXYP\ihvTt̵N4PR1G¸:v("Zlz1 Jw&ANR脁dGr{8x8]8u #T>JmAdli--Q)p#bta~ @iۅjɼ,8A3*P8+b18'0$פn#N? 3>cOp b:L`̾zA(~,Mw x_Jr[Iʒ(swڴ?w-fq/>Qn}Rn&%!fw]ooZ_jS } )mj-y,2r@1f>=?՛gwkOS[aTB<4/0$ $[+3u\k@Jk{ }m_'_}~ʯKЯӖPOq>2<@/sn6  hǃE/b>SuU寞0a@@]ٳ4 &,NMk0M-;\w5T ȏӧyA6 |YC Ë1\N} 1A9Zm_#]Zo=HJ|t's |AhJ ]{n~a1B;e"E.j,*ju@.fEȉ]Vi{2S 4$ ^//myܜ9¾1}R$߸@ZR%` eOS= Z|]nD;S͒dZ"*iY*QuLXzD0:UNya@hsI.9£g\"F82TE^L]MnK cX)!6W"U>g CoȈHRHT>~D!-{J)+o5,ƕ.ȾrЮFD966 Gv$a}lP6i3-ۢrJ. lh.b[;0=/Avņ5i*#Uexʆųbh !o@:@ϐKs$Y2MW˃+Y'~%%X4|q+n yW.е+Cr@أ=UZAyAj#Mo=7M/@O^ADSm?: +WsR02dKj\a2 : &mbkϠfM+sm-XQ;/6h,@<|-]-24;6A'[{b ۧ5[ 0Ix+OFN"LW>n8LSsl SWg sפ>MSJX{68U;zra'O~\Cg8-4_e˶pR'-78@}1.9_zmW9AM"JmL`' b`2|Zt)rNDoY sZ슮]/WjBb`~Q:5t.a+}ȝnV;ea1j! B"m@q [Q=ľ SD!̛QȿD *N޿Esڑc%x'%,006Չ z!3!Y?x|z|\$qM`?6s-Mf֡:~Z^ҕl]A'>!ϱٝ1XJ_)JY+4wS7ܹNwhXj~lĄre|y%1<+ै{JwF=*i=g5vS`OR1PwID*DHnY]a8,Hh|eE ޭ 1s.8E4^_`Nw.MbKnks"oq>dR#P 0CVe|fh7'OXNjح6AzweB4lsmbO{: KދűCQ2VD5ٖ;C vgك  $~ȬogE51+_ H+ˏۃ׬L,'N5 T ?#=$k8bf=|tBvE)%82W<Gem^lۑ%Y/'̻Ӣ }S~ )y`_C4X(g&HjB, K ?=LL#GapvC:,6@fzI?T68 cBFxG`oKNP ݫx/9D$Mw#a`pbP-]#(E(}٤ __]} fQqwSZUFe}`ohlYϡu1˙b0i FDxwW灪h;H,;zUSZԆ .W:S Cɖ(Qb=/RqNc-a41NU&YeR玥FsOM`bul(3,5b{uDuY^D'>+p>tzYEHcrhϞ6˯QJʾ\O+c2U#S&đw@ "~-N38̽)ۯ6<ÕVy[]R^zS@IC|{{6 [vւeIӊOtp?S_w[8qj;1b((% cGd-EOw@5qK؎jF՘&S>Vیc%yL]߻ +^Dj+rnY* PuWLD q 0m7^wV M#7&5̭ }Yg>p%zcHk#ꭋ0_?v a<ďaQu:_@<_Tr(l{'4䝁\<04GY|;!~ F*Wq#>*UWhs$qV@gl]x$+/  S(UA2XevFlAUq-f"uKF_1㊗7U@ xwF0'@i  ,zF}3htA!_axK޴ EzlTm!"P_/G11P iEUӤ6<Y.~ޘȷ1*O)K{s/3 Y9Z'wD!{s>F!bPaB}[X`6E"[/@z߈L'UA%{iGdx.;/+BP41{ʳN~ԣSw?oi@82hq; ?"5[.1U@̷gMXO5:`d-jW+ے̳j[_ p Ds py[*+\_ a1䅒ۃU9Z5=n~g>6u L5vkɑTH6c2~S( ex.j3W߅@qp]#e+(16Yu**@1e^2_uNDh]IVV\&Qe4?XřpV){SͱPㅳoї,;T nTtٶnT.W{5:6ɐ9[tjfQN [1oى JFޠˑCCJ;~|&]fDE\[fDD: $bvūÏ;:T3KM|nJ7#:Lf8> ,Hc[h #{B :v:IuvW/*|Zx4\sVogK ȆwTRɘUs56+TA^{0SE u6,! ALgwOS%K%_W|n f>%x,F49QގlL>~6|4Ԇr YnHb_^8< !L[Iڬo$g*Hva]JqI ck(r+S4A:.? ,;h f+tߖ9eX.zfg:;gu.LžB-7%CL_(ȼGf?\Npg:񙠔}x{jdhkџ6Av}8ȃm+j  F(v"ؑ_?][c y~c i!JUyL[=Yګ1EP@ͥ9,Bι7=Cp=tx-;qYц^ɮƳFz겵, ֲr y @ANX[U{;Zյ,M aoR5^N@C} w2E66)R =VOh X(ot?]v7[\L%H( :@34lj8|:^FUrJ~ʄ_JB{F^_I}~ 3RfrOGBS %hSH9M_պ>';,.N,\. n*א-3V5PhsŞ ]4K|;U/ "eގ ' V@@F맥\Wqr領Ћ]ECiT%D[J]Si%yhG`<oW8T;^G yFtc2ryi;IYQouL~KRj} (Gj""*{\Gm/ey041ԇat zdѭWg[藪5ymh }K7pp FAlJyBs .mhP ebk{40-yq 檇 w6\/% u}F̭E]?3Y^‚n(2>Lg&Cky 6u;Ro[JqeiąO۟/]a8d"ZW*4XK8򁚱o,2!!jRm/,G~Dȋ`Tz:ƈb+:tF#{n*r9HevehʽYiNA <0堓rnWyMãnfKKD#&ksrv$ &}~~k"iy-?@)6tƮsUTZ긴Y}J)~"Oǜ Ƿ/9o]oɩJ^@RP6>Rj5&A"F_![=i87bj <\MA%/ eE8Ӥj4aъVz] N$ L&{(̗L>;Y?LU݉pc2ewGwuN@^~,3.-!ŧ{;^{| x.a)ko} M,ꅏBW2&vK?P=5zuH?+'d9;2C0Dնbz^?L)YmkJ|<'<cQ O 00پ75>%a4MxŻj.Qj a3Ya8:uG{練7 DHL{x 64<%9|v;)#؟ | 7&\J?]"ɇqO熈5_}~Z㽗ֻnw9::丹Ŕ}w$ʹmc%\Fai\nQd GVMD8H\%'C@\ -5RGg t#g 滲KD7ݬѸ+O<@"'%>m߽&*?-5a4gӶ{IuB[eFm`hc=c0\xүPv3?5k݁<=/*xY v{:b WTPT4tdmބ_C#gЇ^_ *s>Cq`ÿ^TJqjHAM59iNf:H-yx; ǿc&/ cb>=XsǪQYH?'Xa [)j 5ꖚ֠GJ#a̎_GLqո-TY}x%Rtʯ&6OWw2~Lw,A]?jlt+w2E`!Tl.-]op@.lġN c螚#&}[>듍; [zo֜Mdˆ:&~K}/Efavf_9Monl Y(')FG#э땄< :$5bAiERu{AÊ6JGVN}!LߑCqTѼP3i|'0C1Db'k?$i8Wޤ9֣GjmPY JIHs|,0l9iXqs(?cΞio~AH5r? ZіD6T?+H?Ob3BEJjo"MӮAl{"09 X7nnB/^Iѽ+ܶNs /Kػt)/r#t[+قn7СRCɳѥ ExU.^&K-B"޽ctEhNv*-6Eb%8{ZaNq^\0eW{0O'V}c$_S@T~E1Lxq)|+75?+ ߱BeH#z*> KU&y:մi$ғQ 7@o"`ot ZcduwҒ(^iQaUG*[p~(OU7N5K gXtQiN("J#QQdlij.fE ^?,=hS95,`7ў@Wم aР\qr_t&w-~Q@l,`%qK*rW.;#6rEuLDuK;sT1_Vq 5(|މU^4{Y;gZ_ě3~#C$=NNG"-N 6240g֊TO =uw0IxDZTu+1գ{Ruuit%:Q%I YA~,$hD(KлvU$'Yg~0m=ްyzg_$L:(rtl|@! x%A"z8f\U0Vm4GP(u YP.@%Ի JNC3#M&vfPGO>e-`+ YP`#Q"PK#-mPŧf; n${oMJηFPùl{@gyO ,\FژϙoizP4E!3 S/Q?_$Ҍ 8M*!} $&yWEk-TGb2?p[Y5T,c?}3^JќC).W7aq!+;)l0KFxygoq# 9L׺ շyp*rjFXԿZPƹ-ax4<(D>*] cu{yYO`jAFJu4pm0c*RMTX^`|Lhd_3\Ntu/xL N37-_opإH?+ [Ϝġ`(KRR°sH7RR)2qd$KcOѾrLq y^T56+Vo!-i2K}~2rY#ZNS9y۵SFI?!fl 9{&/aƾHu7 _dzg~$3 >$yКdkOq,uU2ew)+ͺqPoW0\1yDSḋIN&D g(ZK_ǪqJ!TtbM[Tk~Qʶn5Z.N4Q"a_ab6nD$.ɧM%AX|5 o}_L*VI45!U,(/|#|<1KtS$gsw57uU'+I{`)P I|ۙކuꍅ-?hūiOcw6wޤ͓0} ԇͮh~Y]y1_K eE\'"_P󧀘,ˋ۰Nt1A7È* ω⟈Ô)Or'쯛dXz^Q`҃,7'\!T&wd(]Ӱt6#pwsD Lvj:"wݱ*R[q^ZΑ|3S{ lAHQ)֥SݯFzu9S/mh Xk~hiN24],)кwItYz**bμtDZB̘2 ˟ȪF\:i3)}5gSN՟c`:W܏#U}A*CKqBA(ؚ]G _J m,S1t˕0ZIrޓ*8\ng6q0_CZ1!?pߙf(gao۾p:|2XCGr""x P_bVG؈q_Cf^6{u;*/B=;E5F]woN; t ? ሽuīʃ̈F3GAI>+F!>E2<,11udXMZqk !ltYbjRJ{>Vߚ7 "Uy΀ $ht Υu:Thuu:yϻ-#0#8XԐ&j i)9db/7(cչ|>VVyf:4Y/s5|+VbսhByU{y"7'7ݲ{X<:(SLsZٖMMrZzNUp 5)0QD}KHtDTFkՆۻ>7'_>[SZDN[_q*oᖖCq۫$:Ÿ'Q9ІZgiG,Aѫ/<{~?bpV4#yGa&f S0.a!&E=Nssڱ7̀T=UHH"IqswE %d ̸[oyK2jRҙET. L20F;!w* 9 >a7X:tS}|%48GR{[MQlNx,9͍v,{ eAq2s ݕrO/,s5 ٯ:EDPH&>t"&"Ŗ@tESӕUCjCyk1>ɘ:d*5gId3.zkHIhR~BȦ0I-s>ty%|>^xjdÍ1yUVgnY{&j]u/61vv{%A l@N2!o2}}Vh f H}E&؜7:#,ǃ{*=3,`%%XԎYwNa q"`%\ceV q"q..yUyWqUF|k_M"a'599_xd/33#ɽi[Ezҽ]"XU~]~|GW O5&ϴW'ѬdZ8_m\k~'OBcFL,7;%pTGE5s16j8+138DMr@1"V^sZBt6 [ˮ[|zBot>ݿs8btH%5 Lbd^46eKe_[GQYDW;(`D?ڿy޵j˞WB㘲)2F=BN܋A}^pzΒJ."vss!q7} G0NXAR27rǵt;; V? 37߅]Wc/Ku?DR_lL 8 vIS{_V 8Vᵣ]#:דCW@ RׁRv 5n]nxn LܹXmkO WL*~2Hyk9KYCݫ!p=j!iY{08t=drg':eHhεZu7-6jci@'8&0Jl&y?BruDMT5|7&;uv1X )eVEH,NGٻE4범HJJӾ>\mn橧}$2GfC%tɰߺt c= ׊f(䣥[|jo+R:􍉎yՙ;`i݌~ՒOl;3l{EI eT͓T4d}z-> X/F9uOL`/w1Cs9ciiR|ߌtc_-y]&NyMAUQ-: g_>!ң4e3lZ!ѭR"MP å(bDK$5>DZC6vQL)5wҍ0mc%XҘ8^m#ieZ[+ݖyfXrv2'NJ bۊbsG~g-ȤxmKQ=M[Q~?t{*!M%+(6!l.]u,1k˽s3)-]C-hvjs;8'62YeO,5IGfwjTnc3pxgy5s _iQ!E([_Z 73Rd-c]EK{l޿Og|Q<ف[U/S+ǍSO uȼY6N_K0m;fΣp` 910!r{dRrfS~hGO(ڌ0"\48Q6J$3 k2H: ?0&u..3T8HѤ^G½rla#(!:WnX Úa<ƍ_BaTpQe9vL"Ph'筌LѢ5?5t>cƽ狄@5.-\<$R$S{3H#Nh|HE)&b9pO3B;|#fAhnh[`G̒A&>sҏLo~]7q,ij.|-Z'0b5W7")\˦Txޫ3='/@铃ntߙBV҉㮎sR)gbAO* u;Lg)cotU ܍poCIyi3 KGTʋy-m$p4s+|S"KQg{IֶZ2('6hV5Iˮf0T^ƒcXG(>X L; +̠ic^bLl2PvА\CvUL_ ~f)jx n8_0(-M_SXhq=Nψs?I4`XasT{?<'Bɰa3LGn~M]ߎ1]@~kp^w)/laQ Y z.&dZO/2y5-5sm\ 2n:iwpmMNcF4/Fskw1a1UL\wV$wAUSKI-4G-2fج :z./{&IQ6g2^揊UD1'ٜ 4N-c{w2UXGy},!ZO}>Ʋb &[t|@)]"iɥXiZb#NyuLNڙSfoH߀*}?ingB]T+r {̶Y^]ڸ;q8o휦4}ij0$ Ypt-.N};&yXLhq3ӬyoP{Za(H]q1^"fʫȪ%`L̑{caq ԇrSH{2bx?X}S V% Q o% EYOc(4Svi/Cz@+:>|j`5 ~x }|)m6S,(19}>i0.Yb! @0RVx嫔3CT܆׊ߌCLs<'3iH~~_55yGΟ3(%\KSyg`fu&;1'.˷5l"G D O#f!UJ MT(8 6R:>k˷[DblSH9ˋ#u5J* jlyƔ-H뵴(wcusmw" }A֗dj sg,c+YյY EyU|diNqB3)sJjEH%>JܜdPr͚O)~hc#uLʠ(r#QH΅Y't}QR]P-(Ol7V&8Uhd\FqfD3'<~`sSH`= }}Z<[βrIlz{ ǩJ2~|/pg^J3 [I*4MO*'Ӽm.qwHS3%X5a;>)V\vfH"9R[ujn\ZW-#E)zs6)C8;m!cq*[^-, QTAEFJ\-yƑD4@z]ʓWq]/=Xj u.9'/ u{>BCu8# I$42D?o$ OڿenjCկ.:brZ>_n>ɞ9tS_cQ%S8c:PퟯqУ/fW*`+|9Y a 0m3ǼTDCsBT (HWb4 ȏ+o O=slzM=[9_)8PSzERB3Իy#&2gK#Ha|f^);5SCKk=2fR{(TA@ڎfB=.MJ<υh_Q ns0%q>g7a>FSO1OϪg%+CB#|FQKS|LT4@M5| z#o &Yg7jc.^ي*8s*"}JRa>MXjakt^'(LFV8ߊ>BW2oŴG!9dvn):G#ӕX[L``2TMGM {2N6?્rQ%bbnѧG44fZ щ J#iZKYt`Woz*[,*k qH*_j*1hPq KG>-t>-/vtB'j(,jh~{! -jjlVZ@_BAqie+tǨi,!Km2l!Q7#rJ!Ɲ> (wP]@x"16@.wpe\l1rXۃ{Q ֫0BP4)ɽinU *-"@*~lE wI+-r ~Icz߇o(w(, c_}5K9?^`b2*2F݃sB>KU2ͨ}Smi«lG o,<7ͮDɬ LAZQ ?| ?2K~Ak`38N< =OREɟ0X9oPx?G/!7Sn7T*i9k'[wKƋs?̺lt82,}#ɇ'LRȒ[7I baY5좕|yg?@G,̟ݒpӠU{Z~' (LM@ĥ]q#-NMRGpc~ }PvDW@̑=Q]yd-#dChv-)DޒgB+- j"ga?nhfpfL[^6< A02o ța2ml{/ͺM̛ԭY,UT i# DGs6f-y=w*|sRd)'CTÞ_rkD&'풴F;-(i5Z\#ez Ď6Ymň~Yw2qV(1 9qۭOIa4T%2?F"%uG"3F]R5)!i[[~HQW\eauUi*p@hoAԩ,GC/O nHsD^ ޖ=`(|سiUjGӵz5 FCAɽsonZ4Z /|)Ɩ\׽phQK |OC{Q︂A7] CyQV̮Z B>iM]v$nwR8AnʞSrcRuISn,^TsH WiBJ'+ ui`R'bNm F 7QMP./?ׂn-k }@7nM,+'svY 7(6 uOF*JzŝRm󟬭24M/DC2H!Lssؽ5ę`MeR00k0 »8I529J2tʂ8HRF,˙t!Q}\UCZez&͗f;&g"ꝕC&L7O߂%. Wv8d,Gl6z]IWVAvx4( LK <[!t z`p7H_ிjϞV>,Z#_W[J#%4$"Cl#怅ȸ;.:?|3~6qֹDu -l!%C{UzPL=F_>{-=@GOD4d\$4^[m|s08Y4iUUq]Zg9 _Әw ~,l79i< wzUxw@(Bl[c.nԴy GL{` k@ǭjCnBr YF*ďЫSLp:(U:-aB$Ł}u*;7ᴉrGnph4FDXc]18 Ɇwg,?aSc;3:esZ$1DNekF!:FzpC=X ٱHe+MSB2d7~K:亁"raHq8LF|xT_gxB]zW6PYfo܅aqWYM s@vZ bN WC,J']-0/(U?Vܢb#_"^zI^pˑ5"s GDr\MSB(A@0LJA{U%A(NLi* }K[5-h8ݦg8j$)Mj̷}#ʡƯӤ ЉNKX1;دËZǷqa)v7WB pF9l߱MЙ?8݆WPJ$I]`oIBr2)~KE'%.˭Jfٹ;%dJ#MveIiTsc0f])yϊUAY>}ĘAif&d~=ong@brjL։_a*b򺾽\4:j~EɌ)qOü; z @Imd!"[.8 ڿ'J!E6'o#j^*4Ңvaخ3[>!:끞.՞X?z ;^(ڜh] `qD١LYMDlc|[xvI0^t 1IkoVI-u,*ͰIsE 9QWU.Qv"5ld%?ڛ^rl`8k||lո6,]2A/֥_aIe$eKvSK#^QPB"ekg5:==< w!8Z g`2 ܾtOșĹUqP!MS狹:Plqb\א}PN8w@Bb Ag̋qKɢ#j3x:͊Kl f9)b>%u3Ȏf&&1J{'H̱Bɣ߻˃wi:XWzs+KýlQS!dQJfȠr dO fT%b?IPQyH;E 5<PHE Q\Z3´c=u+dT{ YU!#BGdh J?#=yb 1 * 73T菄Qcn8G8!y|ԡ8?wqYoyYi=( M^אsZ8c\(XBs6KCqAx0Z)F&tH"7y0) ؙߔ^Ev@33`>Gh6>)໸!k[ (3 KRL#8npF##aonJ "Ŀ_\| \@_5V>SO F=((i.[5 5Nm_ Yqu6dPe%ظ>'4s=׏#LG: T)vi@`-fǟp٨\!bLW-jK}Xwgf^T7*Y$h+Ut]*Ƚk VP}f(ަz!>Kb`ԟܧlZE{TipFoinh-\DxjBAleL]g0LcV 2c0ھOu{k'[0ҿ]kQΖJ]giI? Dx-rdu< 4J#[_ЙʚgVn ; l.i@ _|>rQ~@ M W S\KvHAVXX"Z[/2,x6][W`H0E]^T0Ӫ ^wcaDE]B9pzcɉ[12ӱl jN5¾Ңw8LA}))X[i;!B\2H?9uj[G XD 6'FsyMRjv3y끲^u"cl}!ubNbFӬ/(9] Td<6 fާٱh昱i ,ۦ59Zs'$pj1 I(8Az몢j.ZFxW7T4QNLý%:vDzҍYpIs$/䯰lea-Wǐ'6@$hr@ v:(,/|j//fzg pKaɌW l*jx+X6A7vDVǾ9?q p M邉{IRG LH7'pa sGh:1:A,pp钭 iy}=QzFGu1{V:x+ HhnNXÌ2<r̘ol =9U_ш)k&dĮ;/,mn`AhqV3Rio*%*@δM Dl4KnA:D$ rRY,7,KPB9'@'rH,pYL>p:WlzqFG ڙ ,n@/ڜֲ_olTӵm?L\홻 i;\K%ԟA:| $) i\;aԪ;2 sne;]΍U9,XrZB@"[ c0l %EƜ|ha` {.S7K^ pdApΛVM4{1јm[E!iq%#ȼt]w5O]a' ZY*- O*('bg:NfɠJ]C0PyHH9(FYg,t薰O =SR|?J ieJcqf~rK0.9ޏyԭH8l,z +ݜݑn=W[oʹNp9gδi&Qvn_OP0<ʚRR?zE3lzAL w0>+.7 2rf13B.;* +G/r?lYi0gֹYi-O%EdR)4KAi٥X>E뱽_Q- bB5_btC5DJql Jb) kdh9^B{?s[D+Q4e: 7MbR Xbd)d9 bto][#im,nr((}Z#-Đnt"xXW=汋cvUHaj8h? +^#d 9u얮duZZ!&_ } n! $ώf3>O5Z{{l꠮2h]wͲGXwV3qFzpԸ a[wވ #Nq`[Ǭ̥Y0.A{cM& yEFٔzśU~Ri j_nVE !jx=MHccZX1L!D*$AJ #XYGg=^;/DwͿ6lǎ s8R"x#AκWXyF^r1hvS"cݻZ)]2Ƌ{0- Ƶ1$0Z}tpZW/ _ ýaYPZuo`jbۋ1#ظV2BgGq5D-@%*ڏIf@]Oڭ~KU0WV;OCAcZG ڨe j`j@M4F<x]E]zql U{—ӋIʂS[wB?^C;Nf$-`b$閄v:-jƁ7| :$E5_ ZNWxDْG`OnQRw~/cBts,yd^ L]?3zFeÜ|Q>]RVi*K_Q'Js%3rl3\#_HQKwo"9VsKAT`r"Y<'ؗf:m#o .?#52)B9*2rw|tV<|(ߟf\0BX{_w%#[^fDuYnCD+$Fĝ&mȷ;GQ/4ݹp>9#Or8r |1L7DR;*\S#bΟ׏SAij܈òw-~:nw`wi/?ƇxbwY9]FEߘQpuLJY0r%_dڄPoUm"_PQ&%$%הIF6-Iߝb~(p9$1o{5TعlpsveñZ@O\|g?I*}BZ|ö͢ Mj݄y^4:f˸hX /vL=sVLL&<|# LSz/aWQG87G|e{^#ؗ~C?!\wFD$3㽎gXc+{ɻRA􇣂|x> 6C0}Ⱥ@d|gSi<0քe64c`9jj0~`|mJ띛2ALBd[KoWD]w(*<}I:GϻCiT6_!ڸhH ]=jW^e2{j` /7L#0t~;*-q^=ήPm3XۜKm 9ة]Z[&8Pk~A8̓]l>&VpP Y{O .h1aLkef2Rac 5q}>Gj ';pi%áFlBŰp2uIBb9Tb~@`Dj*åuG=v!Nܡ1K6Zf_=&=@^;슺iv<5첱:NѰ*[[d.8w+QYg|:@kņ dl;$IO(0@|RVbzsPebک1jhHbC@[%*WCV~#ا}ם?O;9dhDz(<# Q8j n[ yvN5iϻx** h*06Dqqf dZW/F9tc_֮y[THtDQDv:ḓAI_xuѽJ>$; Bai{g$bRF}/獩m閁He*` /"RTG(-)ȱcB)^榶uՠ @y-wcaPNiiLSr7]dFD:l>eu;䜹2FbeRgQ!Xt 8ZfPaM.r+2 pL՘^Mqwc<7m'33鬥ރ!v8>I7Jҙ>2J OTf%p4>4n tXל@Ht9wHo؎K+zBa3D@#,۟1O'H-} 2Cb(~]SgRp4E5v*kZA61ͼazrBrGԾ~}bRc(ja9Ce mGCP:Z%"ylUg+S~yۋcX!&G&[([Q`bS_ŜnnELͨZLQL`:t m2cZ/=`]TD5UjI7o]Mhȏ_TUYOleߖ:|k\^a֥@Ljг6j>pvړ> obFL@@ќcu"JM7jw šVHnu8 C0~9z.@ֻl.V5ŎQ 4Qumf|&|@;oyVP0Af |'1OCn.D~0u2!vD)o?3Xt.K@ ;;$bWiF&_ }ۛ IT7 sҏ8kƒd"3]BwZKB9bew zCtd|/w0/u2o0+ON /Ci\rriZF k" & )#x#.Eν1Y9Ziw|h#t> 2=ӃteuM#J[*AEүd+Lͦy"#Jڎ=yǣp%QZ$4z7m`z70nrOnIKuJ &-6 x cJ:$1IcW7>'kAP/{t&eY6 d!c9NXrNpg1 ro(q'"Q%\Y6Tj_G@i#٨39`m60͔c FJhjK%^uӦW_< s/2KuEoeCsţE~̨ !%bLP?ӌ-i0vx;,^jmNq&QbZ.VQ(H҄5ɇ6`ti%ʡu&|b]cT1Rw' Oiiu8QigRI#4 ? EN%y]85vT#iՆֺmCxօL+#Q!,Uc]"9-74mILS Tf#l&"'}ةE^ F7Āa~4(I_JWD5RZɫ^NsZ7 Qs?-V4L>/|c\u-qFl$dł@ЛԌYGt_i[?<}K闶%)1&pdL̓ ApP4G<l`YP~@0=YZ2 k kв,XҖPq@yb#$w9!&Y\Dfa_>vwMhlW)x#~>ЬmVyr@n=L %A?<[P 5~_/ΡE2_-:ߊR voAv@ocWO1O|N<4AÒdIFsPgkm~S C8˸eFw. YZ/0;P?Z]N鉸lH>eiqž4HYwP3,@5n3ɴN{(#F좧;~"*R]JHӑsGsVB|_W=魁g |lrn֢rqvMq~3 ۿTF,5FPilIp;&oRyrq|3 yEXK?dߛtūSDaHz>;V!Zg-9͸irAib*1uin3N|jSOK2`a1N`w%&/3s9"@5]NK%Y{Idbs {(&92~"0TT $ݿ#ERbAW C/E%GD_$#̗1ZxTf'V;tpL F|%KL"9bLKȶuW#ݻtg0oi]Dz*pSiNI eY=WIX=/*E&ܥ[-"w"j#w_XSM&Z]v}x3E65Cc85 M5mQsLM+L `GpE:Y1ӠbJmIWtwAmQaY8i$b$`*\u e&A$ RZP.XS@ sĔjfK1-"E[`B8L0>n4TR- V=߆EKMD;G_pno544(2髕By1Ov(GwƗڛJ< LpgϘS ?<7VYoXf:@g`oW䕂J<~X^뻑P3r=RmVQ\mK'S_*Ĝ E+LYsզ"vL .Q\ mYDWb#1@QQv`i8 Bz:H-4CI1KZqwYp#{H)P%{E>?sJݽAt߶J=-"dc.:3xa Nz&Щa~PD%|brk1Ջ/ UU? pQUBKM/Ǔ4BpEKs2"U@]L(UNajz^bjmeuI8u;b]| w[}|GH2BB;eC@ !r/CK&{^E`X*Cd6>\~T|/@rLeb s;ݞi!v"8!:| 垰aPR2d̴g]K&ܑo:_h[vw)zтSH1rEs%QA#1}j#vYy.JIQ&wV}H9ZWv>@Hlz!2YB Xub·C/B9bfj;ws_DՆ˄" $ B5qݽ{cu$A>`ts)F 8/{~m 4 nv'7]-*Ū4&Xx5=cP4`pXJUao>L(iL/dKpPoH>v"]<(Zܸ +>֑Oь?F2P7Kk}1+V$NPT}W> ?6R@?g8:K [1<z(#N.mCxZq:)UTϖ 1\bRD\ R]B<yF21~.%` /[cy,D1u 9S.`_;C/ z| w՚^g+6`&vs?"R{<K~b U :sC)s7feCֈ<$)I%b]=k! I96Ek+s;UEdDg3?__)^}sn~, 0s%r-k 3_:?)%Sny0|vt g|q#0IZ5K"2z;Iq  1 L#𦚏PWτQl#TF6P2>jf>5'ߑ>oôB5E\8w@;R)Mɚ$Kx 4'&-?ZmLՇ7,1aP K;Wm{}}ڞ :u$|Q5~%йwY;#b Sw@xo#-Qt쭥f.2NL5fyq{:t/AL C<$s("XP×aUh]|ZguRYح3KTfeN!4L`T$UÁ[Yg83Ap=EGܹ`*f&YێXP]T'Ҧ`,ӎRwJҽқ^1/90Nfg+zqg02q }>*krRx2~6ޚ@xLq8ڤyqLxݽuB&Cx!,J aL+T9(<'inXȨD->"Y3f31n$!Hѯ(v |r"Vxake;Q=OSr%5[o_+:/LQC18Ui2DŽjHl8yPv67ՕD SL4T?_b|>È*9 ;?^M/݅嬬 k⨭n ʁ-`]/IGqG9/,^Lx˹fN.Z cC9Q표/[}V:,kjEM!˶T^GkZeYo߼C,v9-z 4-𮟚u$M:$aQh4zҨ$*5= e6jHr?dК+b#amzdDԤK#*5L2?uhcA"MhEtaRY+u'~= ǀ\SJ0:F*,t u^}FMW0uu@WipM 8 0F$kKdis>')78c>T՞vDJ[aɯ ÏMa/-Fx\:.wGm&׬T2@#hhlD7oL 7g$p]E14qxYxXI>ɀR V Vzwl9sk"bF(2u0,`$o CBٜ3/;$C8s 9]yXT0s?R6TШM3 6CO c~6%Hg6qQ !t>PPS]RJ`a0͢ 3saτwL_+jP4A9`8)L6adKʵ"Ԧm"t' Rx|H>hsS\O=7>VoI ӧNf}";u) LOK-gDeu%W~2Of VUMUW9J`{p=ݼ3D:jCߍ3BQe0_ɷIO؞0~FH0{I !9R3tDH e::]Y*J/QLZD9SۣU O7grʜ8ۍ8:*WVx<=rp>:o!jܑSy@4K#-y)c jj-Ŷhd"K5- Vm՘NaYT:8VybT?XX~h{ sZV,QnWf#%gU#}c @3,mHvAW"i\ 5}QAs{kYA"m E[Fe7$hߔ>u.TW((Ēȵ%KRޔPPP^j8R#GVUH ]-f!kGك,ԝ-7~GI ӷ6- x_! , 4B>7md׿V 8n Z𨈔6Se/@y67uBH26S!@PLwxUkK!׬5K&Cќ.m{ TOT؁2=lrčWب3=Y+x_ 6tʽ1 _,!L_ G eǞd:鄼zG1KV !V΂W~jx`vNnTsq敘"r-!ws3Vf̼#Wy0z8EHZDj,6߈*hդQړJuhJ2_R8J1 3A <0#D{%5,z<5xS/lJ Sav+c,R5 n%4vKr%T3,)/")xV~3rlx[6[B*%k=,*v \4>P.K|_[_Io&B,~bR}$Mɰh{U1hGb+,,d4G턴2h(n!x fk$ħrwhgτJag=2+vf6~"VEO!*/vCRi+x q朢ފ&MТL &P,k7q^}FӋÌ"tMH8|C9Y x!+; 7kF?X1,4qiKBVr%E#;mlpr¤)Iy2[Tڟѹ'}=%92(?+Wq8j}'Z,^s*-B0tu͎4@tfk[N$2=}%jGM[ʤih¥r4}N1 !?t(M#[ː'Z$#8nb>%Q^|HSKl,XrsW/L.~1*qiI<ΞHt6+fd-u]Pz5&E>%$=V|D>#P)KoЀ>:5 XUw}G9NRp# $ۈ&cHE,?PEnzy:ZFCnPPipkaq[r6@eH6v< s/AB:ӄ+NjN,͠@JGVFbo=jZ9oOV ^7U!bPMB5>jS\]]=PQYV_`apWTԸB \4wׯ.-V(772JOuYnBQZ |gCID暢)nm3 Ƞg.+m%Q*t碌U"OeExmM7SrD{~$Kn].ŭ3R<$TL[Y'Y`S,(۳A~R5Rc\lkoZg6žϽp15Ɛ8x!ti2Q U^ȴ7"}:l#hP%MTa `}J!D=8M7 "'~BP? (\n`۾`*43H)sR胐8~1@*9I$T{kH?Ot@6q04_j:dr#VHw pd{_2Ny٦?Q_Z*>q?e}0ǐ0&s)ot*I]Ovq8+ 57فI"1-+ѵ?0ɲ /ahGAU{XޥC| kzM6Е#O:Nipp5)ũ#Sc0HŨ"r ofB,PL;NyE>P;~E4yC|bd@*?hReyna,r@uSQU@;~6n2@Rv1εQ\3(͢ 8pߛc5AVbE^_ (î}"=(XvhW1nnt,t*! J^BH{wA=OYWFԕ%2zX c!o7)?{փQifa9D"KHp0*it .%|4Ă4@^(f[d]c1Na0jf4% pMa{TwSUb b}gik\EYP)"(bXر#2~'g:7gg1I9_Pjp<ܞVTT ".B_0j{[&bKt__'FJmt_@ւW'r`g5΂hB^31U_>0ʺrM)C<``ePBr&BP`TGB씔 ?Hp}Ə`m2qX\.硴)-MlԳ8@uc@|?Y6+))L|UGw[#}ŏ <YBy*W{Ȯ^ !1FtG^jՈ&h!ly)AAX4:/  52H#+|:~HLJ4C[7Y}\R%aGsh[> T]<[DBeƻVQt(ykvx zݚS*GN_e:Ru&9VAs_$˘(̷Hie@#Dߐ"Y&}l;Z >KP0 @ֶB z*}%i5@! 1}۽zCM!vRPOJ>gYf%㈋-Oh@s66ܦ 8؈ᨦ›hX+ ~΍4c=o\1^x>s}Ro:4 [sY CP}Ʊ'N-kRQ % I.!Q%g?5(48iX,??q}'* rHtbWX ]C'tk W>Sd{A:wK+ ~b'Oʄj YZ