strongswan-ipsec-5.6.0-lp150.3.3.1<>,/|] p/=„]WS4h Γ-CWÀfc0 H Pa"U..\l]? %rt|9?(+{|!]ʜ[kABOQ!~&.:(5/G"j76Kf cB%+9y+]]T>J`r9N秈r՚@Q.;vh=1usda!PDԂZ(gs E2oب ͳUD€SaXY1V~F1DJP֥j}tNVI:>L?d % I04<@S\e ~ &t4D4 4 4 4 4 444 !4!""%.%x%%(%8%9%:'N=a>i?q@yBFG4Hp4I@4XtYZ[\4]4^?b*cdgelfolqu4vTw4x4y\z$48>Cstrongswan-ipsec5.6.0lp150.3.3.1OpenSource IPsec-based VPN SolutionStrongSwan is an OpenSource IPsec-based VPN Solution for Linux This package provides the /etc/init.d/ipsec service script and allows to maintain both, IKEv1 and IKEv2, using the /etc/ipsec.conf and the /etc/ipsec.sectes files.] pbuild77 ܐopenSUSE Leap 15.0openSUSEGPL-2.0+http://bugs.opensuse.orgProductivity/Networking/Securityhttp://www.strongswan.org/linuxx86_64 test -n "$FIRST_ARG" || FIRST_ARG="$1" # disable migration if initial install under systemd [ -d /var/lib/systemd/migrated ] || mkdir -p /var/lib/systemd/migrated || : if [ "$FIRST_ARG" -eq 1 ]; then for service in strongswan.service ; do sysv_service="${service%.*}" touch "/var/lib/systemd/migrated/$sysv_service" || : done else for service in strongswan.service ; do # The tag file might have been left by a preceding # update (see 1059627) rm -f "/run/rpm-strongswan-update-$service-new-in-upgrade" if [ ! -e "/usr/lib/systemd/system/$service" ]; then touch "/run/rpm-strongswan-update-$service-new-in-upgrade" fi done for service in strongswan.service ; do sysv_service="${service%.*}" if [ -e /var/lib/systemd/migrated/$sysv_service ]; then continue fi if [ ! -x /usr/sbin/systemd-sysv-convert ]; then continue fi /usr/sbin/systemd-sysv-convert --save $sysv_service || : done fi test -n "$FIRST_ARG" || FIRST_ARG="$1" [ -d /var/lib/systemd/migrated ] || mkdir -p /var/lib/systemd/migrated || : if [ "$YAST_IS_RUNNING" != "instsys" -a -x /usr/bin/systemctl ]; then /usr/bin/systemctl daemon-reload || : fi if [ "$FIRST_ARG" -eq 1 ]; then if [ -x /usr/bin/systemctl ]; then /usr/bin/systemctl preset strongswan.service || : fi elif [ "$FIRST_ARG" -gt 1 ]; then for service in strongswan.service ; do if [ ! -e "/run/rpm-strongswan-update-$service-new-in-upgrade" ]; then continue fi rm -f "/run/rpm-strongswan-update-$service-new-in-upgrade" if [ ! -x /usr/bin/systemctl ]; then continue fi /usr/bin/systemctl preset "$service" || : done for service in strongswan.service ; do sysv_service=${service%.*} if [ -e /var/lib/systemd/migrated/$sysv_service ]; then continue fi if [ ! -x /usr/sbin/systemd-sysv-convert ]; then continue fi /usr/sbin/systemd-sysv-convert --apply $sysv_service || : touch /var/lib/systemd/migrated/$sysv_service || : done fi test -n "$FIRST_ARG" || FIRST_ARG="$1" if [ "$FIRST_ARG" -eq 0 -a -x /usr/bin/systemctl ]; then # Package removal, not upgrade /usr/bin/systemctl --no-reload disable strongswan.service || : ( test "$YAST_IS_RUNNING" = instsys && exit 0 test -f /etc/sysconfig/services -a \ -z "$DISABLE_STOP_ON_REMOVAL" && . /etc/sysconfig/services test "$DISABLE_STOP_ON_REMOVAL" = yes -o \ "$DISABLE_STOP_ON_REMOVAL" = 1 && exit 0 /usr/bin/systemctl stop strongswan.service ) || : fi if test -s /etc/ipsec.secrets.rpmsave ; then cp -p --backup=numbered /etc/ipsec.secrets.rpmsave \ /etc/ipsec.secrets.rpmsave.old fi if test -s /etc/ipsec.conf.rpmsave ; then cp -p --backup=numbered /etc/ipsec.conf.rpmsave \ /etc/ipsec.conf.rpmsave.old fi test -n "$FIRST_ARG" || FIRST_ARG="$1" if [ "$FIRST_ARG" -ge 1 ]; then # Package upgrade, not uninstall if [ -x /usr/bin/systemctl ]; then /usr/bin/systemctl daemon-reload || : ( test "$YAST_IS_RUNNING" = instsys && exit 0 test -f /etc/sysconfig/services -a \ -z "$DISABLE_RESTART_ON_UPDATE" && . /etc/sysconfig/services test "$DISABLE_RESTART_ON_UPDATE" = yes -o \ "$DISABLE_RESTART_ON_UPDATE" = 1 && exit 0 /usr/bin/systemctl try-restart strongswan.service ) || : fi else # package uninstall for service in strongswan.service ; do sysv_service="${service%.*}" rm -f "/var/lib/systemd/migrated/$sysv_service" || : done if [ -x /usr/bin/systemctl ]; then /usr/bin/systemctl daemon-reload || : fi fi>`7*h;*O I):p=Yp p8!,Z rQ RAH 7aq AAAAAAAAA큀A큀A큤A큤] [] Z] Z] Z] Z] Z] Z] Z] Z] Z] Z] \] [] [] d] d] h] d] O] [] d] d] d] d] d] d] d] \] h] d] d] Z] d] d] [] [] [] [] [] [] [] [] [] [] [] [] [] [] [] [] \] Z69c1a41970251665b56863a543285ca0b5be2b1b410dd0c468d16236de3cc558e1a6e75b3809b78eba2170b76dff02a25567bafd3021b9fa408ca860b9bc4a07c9a694f8214f8fdae513e43535af28783c2a0b61ad73b252548ebc69ea72166ca71d56e50e72114f810d39337d12df8321d64c3db49a0ffb4ef13ddb0a2a49515f027b34bb367621b4f8ca7663e042bdaba6f97ab60f4b8e6296aef4d205b3e808505c38f4d18de57661457e010a26404ee6ea4f8773d3d8c1593492368f247016e07865475d4f6a4e79e31aaa210b5f85ccedf2be399e2d339348baa0442d74d5d73d37f42ac70085762055bc79a3155126f75b241503276f9608b28cf088bcc5f1e154693645d30e63deacbe946e46030d021b74e205d2e7b45f4eaf9c0889c9e97bca7cdeb031f8c2ddb288406002e634cbf9b98faae3a43a648881a8e629a9f844aa7b09e98137208b894d1c3eaf55f63179af345728f4f50b5887ed21e7248af67d82360674575af985b7ef0a416354240528c470b939824eded58c2e8e8a4ddf914b7c55d80211b6328ca955fb5df5b6dbce73c3d00dc1464b4fae302c24bcfd7b213652c45a8088d6bf258c62bad4132f8c32f856124772b857f10062555e5142d0672b17226ebbc6715e69a0508e055fbdc3235eb367132c4b02d6dcb663bfd575e2c86db9cfec8f20f4a09dc0f89fae6a7646afbc11ea22a52044f59e588a0de657a09c326f2b822dc9be3024c4ab85a609679758be7382de673f86fb81136b08fd7aa1f425e3cfab38b86bb799992367b16d4bbb95d6efffdd219b3dc1d3c77a8b9725853ea440366798b346f17c86b3f64450e904769e41aa1617bb481fe2ee74d9dc61024b4025d199fabe4a252c57e13e00794f41a3329229ea00667b607b7935a4be9b2ade30b709081479ffb8d9ae5d75e9a345ca9fbca23ef06de6d1f6a614770ac44e709d7beeb985802e0671ecfc8cbaf664ed56571a1034eabe5fae7cfff323ad265887b735e51bb6c080e0b4dfdb57d5c47629f185470e331681936f968767911364c73b63e2977fa143d1157d6a6276d891067aceabd06c0e4a8c1b95e361b155e72b7f3ab4f83370c4ac0fa372c86ae60c0e2bc57f1f2b830b4034ba0b89a2c2e7c1f85ca667aa3fc81e29f317ea17458a5d07a4dcdb4808fd39b145177e19b995300f698ae5bd57c62eba56d80c2c5524ed84cbcdd9cbbf40d0162321f77aba1100f937ca307881ad1f8d46a5dedb8e80922d9c6ec0407c604db49a791898d606dd9ad88ddb847ffbaac9c0a8ed23da3114685216636f9a2b02d865d2d2e9bbf21c5865600d2e1c2ae671df5d4bb3e0b32c5498467a6bb83179fa14be08126dfccdf849620686e9821f0f55a184905acd9d552d530cbdfb2c8a7d47c5e5d0001a12a19a4a37b00cffc18309c9da4bc38932081427ee5dfe8cd9b029b136b9e2deaac3fefe3b4f210e1480eca2411bf2dc0abb400e158e05bf683fd1e78e5143aaad55c4063b65d80fd65e2cbdc0603771c7f148ddd8d8429e9340dc041fa0a8a07cda907b6c4beef5b92043165b333ac4f432693f87b41f581a63cf4a5171ad51ee707cdcf62505601899387f24e5d0ddf8d7952a659d79eef9341460a0339f85cc2a7ddebcfff273cf1ece947674a8480c28087248fcb91e75d0910a12c95bab082638eaec4f7b04ece89fef3f72330e44308db58d1734b9e58c7dcf3782e747c3815ea20cc606f47745853056c56866e4190184servicerootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootstrongswan-5.6.0-lp150.3.3.1.src.rpmVPNconfig(strongswan-ipsec)ipseclibstrongswan-stroke.so()(64bit)libstrongswan-updown.so()(64bit)strongswanstrongswan-ipsecstrongswan-ipsec(x86-64) @@@@@@@@@@@@@@@@    /bin/sh/bin/sh/bin/sh/bin/sh/bin/shconfig(strongswan-ipsec)libc.so.6()(64bit)libc.so.6(GLIBC_2.14)(64bit)libc.so.6(GLIBC_2.2.5)(64bit)libc.so.6(GLIBC_2.3)(64bit)libc.so.6(GLIBC_2.3.4)(64bit)libc.so.6(GLIBC_2.4)(64bit)libc.so.6(GLIBC_2.7)(64bit)libc.so.6(GLIBC_2.8)(64bit)libcharon.so.0()(64bit)libpthread.so.0()(64bit)libpthread.so.0(GLIBC_2.2.5)(64bit)libpttls.so.0()(64bit)libstrongswan.so.0()(64bit)libtnccs.so.0()(64bit)libvici.so.0()(64bit)rpmlib(CompressedFileNames)rpmlib(FileDigests)rpmlib(PayloadFilesHavePrefix)rpmlib(PayloadIsXz)strongswan-libs05.6.0-lp150.3.3.13.0.4-14.6.0-14.0-15.2-15.6.0freeswanopenswan4.14.1]A]@]@]@ZYYYY$$@WzOVEUp=UlI@T|Tp@T@Tto@To)@TmMadhu Mohan Nelemane Madhu Mohan Nelemane Madhu Mohan Nelemane Madhu Mohan Nelemane mmnelemane@suse.comndas@suse.dendas@suse.dendas@suse.dendas@suse.dedoug@uq.edu.aumt@suse.demt@suse.demt@suse.demt@suse.demt@suse.demt@suse.demt@suse.demt@suse.demt@suse.de- Added patch to fix vulnerability: CVE-2018-17540 (bsc#1109845) [+ 0010-strongswan-4.4.0-5.7.0_gmp-pkcs1-overflow.patch]- Added patch to fix vulnerability: CVE-2018-10811 (bsc#1093536) - denial-of-service vulnerability [+ 0009-strongswan-5.5.0-5.6.2_skeyseed_init.patch]- Added patch to fix vulnerability: CVE-2018-5388 (bsc#1094462) - Buffer Underflow in stroke_socket.c [+ 0008-strongswan-5.1.2-5.6.2_stroke_msg_len.patch]- Added patch to fix vulnerability: CVE-2018-16151,CVE-2018-16152 (bsc#1107874) - Insufficient input validation in gmp plugin [+ 0007-strongswan-5.3.1-5.6.0_gmp-pkcs1-verify.patch]- Removed unused requires and macro calls(bsc#1083261)- Updated to strongSwan 5.6.0 providing the following changes: * Fixed a DoS vulnerability in the gmp plugin that was caused by insufficient input validation when verifying RSA signatures, which requires decryption with the operation m^e mod n, where m is the signature, and e and n are the exponent and modulus of the public key. The value m is an integer between 0 and n-1, however, the gmp plugin did not verify this. So if m equals n the calculation results in 0, in which case mpz_export() returns NULL. This result wasn't handled properly causing a null-pointer dereference. This vulnerability has been registered as CVE-2017-11185. (bsc#1051222) * New SWIMA IMC/IMV pair implements the draft-ietf-sacm-nea-swima-patnc Internet Draft and has been demonstrated at the IETF 99 Prague Hackathon. * The IMV database template has been adapted to achieve full compliance with the ISO 19770-2:2015 SWID tag standard. * The pt-tls-client can attach and use TPM 2.0 protected private keys via the --keyid parameter. * By default the /etc/swanctl/conf.d directory is created and *.conf files in it are included in the default swanctl.conf file. * The curl plugin now follows HTTP redirects (configurable via strongswan.conf). * The CHILD_SA rekeying was fixed in charon-tkm and the behavior is refined a bit more since 5.5.3 * libtpmtss supports Intel's TSS2 Architecture Broker and Resource Manager interface (tcti-tabrmd). * more on https://wiki.strongswan.org/versions/66- fix "uintptr_t’ undeclared" compilation error. [+0006-fix-compilation-error-by-adding-stdint.h.patch]- Updated to strongSwan 5.3.5(bsc#1050691) providing the following changes: * Fixed a DoS vulnerability in the gmp plugin that was caused by insufficient input validation when verifying RSA signatures. More specifically, mpz_powm_sec() has two requirements regarding the passed exponent and modulus that the plugin did not enforce, if these are not met the calculation will result in a floating point exception that crashes the whole process. This vulnerability has been registered as CVE-2017-9022. Please refer to our blog for details. * Fixed a DoS vulnerability in the x509 plugin that was caused because the ASN.1 parser didn't handle ASN.1 CHOICE types properly, which could result in an infinite loop when parsing X.509 extensions that use such types. This vulnerability has been registered as CVE-2017-9023. Please refer to our blog for details. * The behavior during IKEv2 CHILD_SA rekeying has been changed in order to avoid traffic loss. When responding to a CREATE_CHILD_SA request to rekey a CHILD_SA the responder already has everything available to install and use the new CHILD_SA. However, this could lead to lost traffic as the initiator won't be able to process inbound packets until it processed the CREATE_CHILD_SA response and updated the inbound SA. To avoid this the responder now only installs the new inbound SA and delays installing the outbound SA until it receives the DELETE for the replaced CHILD_SA. * The messages transporting these DELETEs could reach the peer before packets sent with the deleted outbound SAs reach it. To reduce the chance of traffic loss due to this the inbound SA of the replaced CHILD_SA is not removed for a configurable amount of seconds (charon.delete_rekeyed_delay) after the DELETE has been processed. * The code base has been ported to Apple's ARM64 iOS platform, which required several changes regarding the use of variadic functions. This was necessary because the calling conventions for variadic and regular functions are different there. This means that assigning a non-variadic function to a variadic function pointer, as we did with our enumerator_t::enumerate() implementations and several callbacks, will result in crashes as the called function accesses the arguments differently than the caller provided them. To avoid this issue the enumerator_t interface has been changed and the signature of the callback functions for enumerator_create_filter() and two methods on linked_list_t have been changed. Refer to the developer notes below for details. * Adds support for fuzzing the certificate parser provided by the default plugins (x509, pem, gmp etc.) on Google's OSS-Fuzz infrastructure (or generally with libFuzzer). Several issues found while fuzzing these plugins were fixed. * Two new options have been added to charon's retransmission settings: retransmit_limit and retransmit_jitter. The former adds an upper limit to the calculated retransmission timeout, the latter randomly reduces it. Refer to Retransmission for details. * A bug in swanctl's --load-creds command was fixed that caused unencrypted private keys to get unloaded if the command was called multiple times. The load-key VICI command now returns the key ID of the loaded key on success. * The credential manager now enumerates local credential sets before global ones. This means certificates supplied by the peer will now be preferred over certificates with the same identity that may be locally stored (e.g. in the certificate cache). * Adds support for hardware offload of IPsec SAs as introduced by Linux 4.11 for specific hardware that supports this. * The pki tool loads the curve25519 plugin by default. [- 0006-Make-sure-the-modulus-is-odd-and-the-exponent-not-zero.patch, - 0007-asn1-parser-Fix-CHOICE-parsing.patch] - libhydra is removed as all kernel plugins moved to libcharon- Applied patch for "Don't retransmit Aggressive Mode response" bsc#985012. - Applied upstream patch for "Insufficient Input Validation in gmp Plugin" bsc#1039514(CVE-2017-9022). - Applied upstream patch for "Incorrect x509 ASN.1 parser error handling" bsc#1039515(CVE-2017-9023). [+0005-ikev1-Don-t-retransmit-Aggressive-Mode-response.patch, +0006-Make-sure-the-modulus-is-odd-and-the-exponent-not-zero.patch, +0007-asn1-parser-Fix-CHOICE-parsing.patch]- Updated to strongSwan 5.3.5 providing the following changes: Changes in version 5.3.5: * Properly handle potential EINTR errors in sigwaitinfo(2) calls that replaced sigwait(3) calls with 5.3.4. * RADIUS retransmission timeouts are now configurable, courtesy of Thom Troy. Changes in version 5.3.4: * Fixed an authentication bypass vulnerability in the eap-mschapv2 plugin that was caused by insufficient verification of the internal state when handling MSCHAPv2 Success messages received by the client. This vulnerability has been registered as CVE-2015-8023. * The sha3 plugin implements the SHA3 Keccak-F1600 hash algorithm family. Within the strongSwan framework SHA3 is currently used for BLISS signatures only because the OIDs for other signature algorithms haven't been defined yet. Also the use of SHA3 for IKEv2 has not been standardized yet. Changes in version 5.3.3: * Added support for the ChaCha20/Poly1305 AEAD cipher specified in RFC 7539 and RFC 7634 using the chacha20poly1305 ike/esp proposal keyword. The new chapoly plugin implements the cipher, if possible SSE-accelerated on x86/x64 architectures. It is usable both in IKEv2 and the strongSwan libipsec ESP backend. On Linux 4.2 or newer the kernel-netlink plugin can configure the cipher for ESP SAs. * The vici interface now supports the configuration of auxiliary certification authority information as CRL and OCSP URIs. * In the bliss plugin the c_indices derivation using a SHA-512 based random oracle has been fixed, generalized and standardized by employing the MGF1 mask generation function with SHA-512. As a consequence BLISS signatures unsing the improved oracle are not compatible with the earlier implementation. * Support for auto=route with right=%any for transport mode connections has been added (the ikev2/trap-any scenario provides examples). * The starter daemon does not flush IPsec policies and SAs anymore when it is stopped. Already existing duplicate policies are now overwritten by the IKE daemon when it installs its policies. * Init limits (like charon.init_limit_half_open) can now optionally be enforced when initiating SAs via VICI. For this, IKE_SAs initiated by the daemon are now also counted as half open SAs, which, as a side-effect, fixes the status output while connecting (e.g. in ipsec status). * Symmetric configuration of EAP methods in left|rightauth is now possible when mutual EAP-only authentication is used (previously, the client had to configure rightauth=eap or rightauth=any, which prevented it from using this same config as responder). * The initiator flag in the IKEv2 header is compared again (wasn't the case since 5.0.0) and packets that have the flag set incorrectly are again ignored. * Implemented a demo Hardcopy Device IMC/IMV pair based on the "Hardcopy Device Health Assessment Trusted Network Connect Binding" (HCD-TNC) document drafted by the IEEE Printer Working Group (PWG). * Fixed IF-M segmentation which failed in the presence of multiple small attributes in front of a huge attribute to be segmented. Changes in version 5.3.2: * Fixed a vulnerability that allowed rogue servers with a valid certificate accepted by the client to trick it into disclosing its username and even password (if the client accepts EAP-GTC). This was caused because constraints against the responder's authentication were enforced too late. This vulnerability has been registered as CVE-2015-4171. Changes in version 5.3.1: * Fixed a denial-of-service and potential remote code execution vulnerability triggered by IKEv1/IKEv2 messages that contain payloads for the respective other IKE version. Such payload are treated specially since 5.2.2 but because they were still identified by their original payload type they were used as such in some places causing invalid function pointer dereferences. The vulnerability has been registered as CVE-2015-3991. * The new aesni plugin provides CBC, CTR, XCBC, CMAC, CCM and GCM crypto primitives for AES-128/192/256. The plugin requires AES-NI and PCLMULQDQ instructions and works on both x86 and x64 architectures. It provides superior crypto performance in userland without any external libraries. Changes in version 5.3.0: * Added support for IKEv2 make-before-break reauthentication. By using a global CHILD_SA reqid allocation mechanism, charon supports overlapping CHILD_SAs. This allows the use of make-before-break instead of the previously supported break-before-make reauthentication, avoiding connectivity gaps during that procedure. As the new mechanism may fail with peers not supporting it (such as any previous strongSwan release) it must be explicitly enabled using the charon.make_before_break strongswan.conf option. * Support for "Signature Authentication in IKEv2" (RFC 7427) has been added. This allows the use of stronger hash algorithms for public key authentication. By default, signature schemes are chosen based on the strength of the signature key, but specific hash algorithms may be configured in leftauth. * Key types and hash algorithms specified in rightauth are now also checked against IKEv2 signature schemes. If such constraints are used for certificate chain validation in existing configurations, in particular with peers that don't support RFC 7427, it may be necessary to disable this feature with the charon.signature_authentication_constraints setting, because the signature scheme used in classic IKEv2 public key authentication may not be strong enough. * The new connmark plugin allows a host to bind conntrack flows to a specific CHILD_SA by applying and restoring the SA mark to conntrack entries. This allows a peer to handle multiple transport mode connections coming over the same NAT device for client-initiated flows. A common use case is to protect L2TP/IPsec, as supported by some systems. * The forecast plugin can forward broadcast and multicast messages between connected clients and a LAN. For CHILD_SA using unique marks, it sets up the required Netfilter rules and uses a multicast/broadcast listener that forwards such messages to all connected clients. This plugin is designed for Windows 7 IKEv2 clients, which announces its services over the tunnel if the negotiated IPsec policy allows it. * For the vici plugin a Python Egg has been added to allow Python applications to control or monitor the IKE daemon using the VICI interface, similar to the existing ruby gem. The Python library has been contributed by Björn Schuberg. * EAP server methods now can fulfill public key constraints, such as rightcert or rightca. Additionally, public key and signature constraints can be specified for EAP methods in the rightauth keyword. Currently the EAP-TLS and EAP-TTLS methods provide verification details to constraints checking. * Upgrade of the BLISS post-quantum signature algorithm to the improved BLISS-B variant. Can be used in conjunction with the SHA256, SHA384 and SHA512 hash algorithms with SHA512 being the default. * The IF-IMV 1.4 interface now makes the IP address of the TNC access requestor as seen by the TNC server available to all IMVs. This information can be forwarded to policy enforcement points (e.g. firewalls or routers). * The new mutual tnccs-20 plugin parameter activates mutual TNC measurements in PB-TNC half-duplex mode between two endpoints over either a PT-EAP or PT-TLS transport medium. - Adjusted file lists and removed obsolete patches [- 0005-strongswan-5.2.2-5.3.0_unknown_payload.patch, - 0006-strongswan-5.1.0-5.3.1_enforce_remote_auth.patch, - 0007-strongswan-4.4.0-5.3.3_eap_mschapv2_state.patch]- Applied upstream fix for a authentication bypass vulnerability in the eap-mschapv2 plugin (CVE-2015-8023,bsc#953817). [+ 0007-strongswan-4.4.0-5.3.3_eap_mschapv2_state.patch]- Applied upstream fix for a rogue servers vulnerability, that may enable rogue servers able to authenticate itself with certificate issued by any CA the client trusts, to gain user credentials from a client in certain IKEv2 setups (bsc#933591,CVE-2015-4171). [+ 0006-strongswan-5.1.0-5.3.1_enforce_remote_auth.patch] - Fix to apply unknown_payload patch if fips is disabled (<= 13.1) and renamed it to use number prefix corresponding with patch nr. [- strongswan-5.2.2-5.3.0_unknown_payload.patch, + 0005-strongswan-5.2.2-5.3.0_unknown_payload.patch]- Applied upstream fix for a DoS and potential remote code execution vulnerability through payload type (bsc#931272,CVE-2015-3991) [+ strongswan-5.2.2-5.3.0_unknown_payload.patch]- Updated to strongSwan 5.2.2 providing the following changes: Changes in version 5.2.2: * Fixed a denial-of-service vulnerability triggered by an IKEv2 Key Exchange payload that contains the Diffie-Hellman group 1025. This identifier was used internally for DH groups with custom generator and prime. Because these arguments are missing when creating DH objects based on the KE payload an invalid pointer dereference occurred. This allowed an attacker to crash the IKE daemon with a single IKE_SA_INIT message containing such a KE payload. The vulnerability has been registered as CVE-2014-9221. * The left/rightid options in ipsec.conf, or any other identity in strongSwan, now accept prefixes to enforce an explicit type, such as email: or fqdn:. Note that no conversion is done for the remaining string, refer to ipsec.conf(5) for details. * The post-quantum Bimodal Lattice Signature Scheme (BLISS) can be used as an IKEv2 public key authentication method. The pki tool offers full support for the generation of BLISS key pairs and certificates. * Fixed mapping of integrity algorithms negotiated for AH via IKEv1. This could cause interoperability issues when connecting to older versions of charon. Changes in version 5.2.1: * The new charon-systemd IKE daemon implements an IKE daemon tailored for use with systemd. It avoids the dependency on ipsec starter and uses swanctl as configuration backend, building a simple and lightweight solution. It supports native systemd journal logging. * Support for IKEv2 fragmentation as per RFC 7383 has been added. Like IKEv1 fragmentation it can be enabled by setting fragmentation=yes in ipsec.conf. * Support of the TCG TNC IF-M Attribute Segmentation specification proposal. All attributes can be segmented. Additionally TCG/SWID Tag, TCG/SWID Tag ID and IETF/Installed Packages attributes can be processed incrementally on a per segment basis. * The new ext-auth plugin calls an external script to implement custom IKE_SA authorization logic, courtesy of Vyronas Tsingaras. * For the vici plugin a ruby gem has been added to allow ruby applications to control or monitor the IKE daemon. The vici documentation has been updated to include a description of the available operations and some simple examples using both the libvici C interface and the ruby gem. Changes in version 5.2.0: * strongSwan has been ported to the Windows platform. Using a MinGW toolchain, many parts of the strongSwan codebase run natively on Windows 7 / 2008 R2 and newer releases. charon-svc implements a Windows IKE service based on libcharon, the kernel-iph and kernel-wfp plugins act as networking and IPsec backend on the Windows platform. socket-win provides a native IKE socket implementation, while winhttp fetches CRL and OCSP information using the WinHTTP API. * The new vici plugin provides a Versatile IKE Configuration Interface for charon. Using the stable IPC interface, external applications can configure, control and monitor the IKE daemon. Instead of scripting the ipsec tool and generating ipsec.conf, third party applications can use the new interface for more control and better reliability. * Built upon the libvici client library, swanctl implements the first user of the VICI interface. Together with a swanctl.conf configuration file, connections can be defined, loaded and managed. swanctl provides a portable, complete IKE configuration and control interface for the command line. The first six swanctl example scenarios have been added. * The SWID IMV implements a JSON-based REST API which allows the exchange of SWID tags and Software IDs with the strongTNC policy manager. * The SWID IMC can extract all installed packages from the dpkg (Debian, Ubuntu, Linux Mint etc.), rpm (Fedora, RedHat, OpenSUSE, etc.), or pacman (Arch Linux, Manjaro, etc.) package managers, respectively, using the swidGenerator (https://github.com/strongswan/swidGenerator) which generates SWID tags according to the new ISO/IEC 19770-2:2014 standard. * All IMVs now share the access requestor ID, device ID and product info of an access requestor via a common imv_session object. * The Attestation IMC/IMV pair supports the IMA-NG measurement format introduced with the Linux 3.13 kernel. * The aikgen tool generates an Attestation Identity Key bound to a TPM. * Implemented the PT-EAP transport protocol (RFC 7171) for Trusted Network Connect. * The ipsec.conf replay_window option defines connection specific IPsec replay windows. Original patch courtesy of Zheng Zhong and Christophe Gouault from 6Wind. - Adjusted file lists and removed obsolete patches [- 0005-restore-registration-algorithm-order.bug897512.patch, - 0006-strongswan-5.1.2-5.2.1_modp_custom.CVE-2014-9221.patch] - Adopted/Merged fipscheck patches [* strongswan_fipscheck.patch, strongswan_fipsfilter.patch]- Disallow brainpool elliptic curve groups in fips mode (bnc#856322). [* strongswan_fipsfilter.patch]- Applied an upstream fix for a denial-of-service vulnerability, which can be triggered by an IKEv2 Key Exchange payload, that contains the Diffie-Hellman group 1025 (bsc#910491,CVE-2014-9221). [+ 0006-strongswan-5.1.2-5.2.1_modp_custom.CVE-2014-9221.patch] - Adjusted whilelist of approved algorithms in fips mode (bsc#856322). [* strongswan_fipsfilter.patch] - Renamed patch file to match it's patch number: [- 0001-restore-registration-algorithm-order.bug897512.patch, + 0005-restore-registration-algorithm-order.bug897512.patch]- Updated strongswan-hmac package description (bsc#856322).- Disabled explicit gpg validation; osc source_validator does it. - Guarded fipscheck and hmac package in the spec file for >13.1.- Added generation of fips hmac hash files using fipshmac utility and a _fipscheck script to verify binaries/libraries/plugings shipped in the strongswan-hmac package. With enabled fips in the kernel, the ipsec script will call it before any action or in a enforced/manual "ipsec _fipscheck" call. Added config file to load openssl and kernel af-alg plugins, but not all the other modules which provide further/alternative algs. Applied a filter disallowing non-approved algorithms in fips mode. (fate#316931,bnc#856322). [+ strongswan_fipscheck.patch, strongswan_fipsfilter.patch] - Fixed file list in the optional (disabled) strongswan-test package. - Fixed build of the strongswan built-in integrity checksum library and enabled building it only on architectures tested to work. - Fix to use bug number 897048 instead 856322 in last changes entry. - Applied an upstream patch reverting to store algorithms in the registration order again as ordering them by identifier caused weaker algorithms to be proposed first by default (bsc#897512). [+0001-restore-registration-algorithm-order.bug897512.patch]/bin/sh/bin/sh/bin/sh/bin/shstrongswanbuild77 1574701936  !"#$%&'()*+,-./012345.6.0-lp150.3.3.15.6.05.6.0-lp150.3.3.15.6.0-lp150.3.3.15.6.0 nm-strongswan-service.confipsec.confipsec.daacertsacertscacertscertscrlsocspcertsprivatereqsipsec.secretsswanctlswanctl.confpkipt-tls-clientipsec_copyright_imv_policy_updowncharonduplicheckimv_policy_managerpoolscepclientstarterstrokestrongswan.servicepluginslibstrongswan-stroke.solibstrongswan-updown.soipsecrcstrongswanswanctlpki---acert.1.gzpki---dn.1.gzpki---gen.1.gzpki---issue.1.gzpki---keyid.1.gzpki---pkcs7.1.gzpki---print.1.gzpki---pub.1.gzpki---req.1.gzpki---self.1.gzpki---signcrl.1.gzpki---verify.1.gzpki.1.gzpt-tls-client.1.gzipsec.conf.5.gzipsec.secrets.5.gzstrongswan.conf.5.gzipsec.8.gz/etc/dbus-1/system.d//etc//etc/ipsec.d//etc/swanctl//usr/bin//usr/lib//usr/lib/ipsec//usr/lib/systemd/system//usr/lib64/ipsec//usr/lib64/ipsec/plugins//usr/sbin//usr/share/man/man1//usr/share/man/man5//usr/share/man/man8/-fmessage-length=0 -grecord-gcc-switches -O2 -Wall -D_FORTIFY_SOURCE=2 -fstack-protector-strong -funwind-tables -fasynchronous-unwind-tables -fstack-clash-protection -gobs://build.opensuse.org/openSUSE:Maintenance:11578/openSUSE_Leap_15.0_Update/fa4239b5db9e3e023f03dbe44f39db32-strongswan.openSUSE_Leap_15.0_Updatedrpmxz5x86_64-suse-linux exported SGML document, ASCII textASCII textdirectoryELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/l, BuildID[sha1]=1c28310fd1f31a92651d0c3b45d43316c2b43c0d, for GNU/Linux 3.2.0, strippedELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/l, BuildID[sha1]=7958a041fcca2ab7f059e002e2a20b215a93310f, for GNU/Linux 3.2.0, strippedELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/l, BuildID[sha1]=e00495a22acc911edf3c22b4781aa79468f9205b, for GNU/Linux 3.2.0, strippedPOSIX shell script, ASCII text executableELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/l, BuildID[sha1]=5e0940f00c192f6ae374867f32b54da2646a0415, for GNU/Linux 3.2.0, strippedELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/l, BuildID[sha1]=24b55994410eec2223828900dd5b1fe0bd0101be, for GNU/Linux 3.2.0, strippedELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/l, BuildID[sha1]=81bdd037fb1ea2ae971f24aa16f62ef2cf851805, for GNU/Linux 3.2.0, strippedELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/l, BuildID[sha1]=7513574eff0ba16ac5e3788cc38351fe1c14420d, for GNU/Linux 3.2.0, strippedELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/l, BuildID[sha1]=075ce3f834251f8743239dd85c6bd175ca64d291, for GNU/Linux 3.2.0, strippedELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/l, BuildID[sha1]=0e541336de8d7e7c3d0874bf7036f2929aa612e2, for GNU/Linux 3.2.0, strippedELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/l, BuildID[sha1]=d77e19c59fdb397d8381ec06efc04476b7634127, for GNU/Linux 3.2.0, strippedELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, BuildID[sha1]=267fb2c16d3da30b50a08ff73cd4e84558b5ab1c, strippedELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, BuildID[sha1]=90382f6c796185a1b5b49f03622f14fba63aa631, strippedELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/l, BuildID[sha1]=7d8f628ea08fe526c8d5e4fab545b7a196432dbf, for GNU/Linux 3.2.0, strippedtroff or preprocessor input, ASCII text (gzip compressed data, max compression, from Unix) %.6@ELRS   RR RR RRRR R RRRRRR RRRRRRR R RRRRRR R RRR RR RRRRR RR RRRRRR R RR RRRRR RR R R RRRRR R RRRPR RR R RRPR R R RRRRR R RR RRRRV̮۔gQqkutf-8f558f951b1bb4437e7340ad8c4fcf1feaf4df0ee2a75f384bb122a53c863fcbe?@7zXZ !t/ V]"k%aFc֘e"dNUcf 2Mr TbV쟶fd8uҫc2W t6ՙҵQ;tl8{&ҪlORZl9MVy} N&a<l)J '+Pl\q&FTwRrX$ZIWS0Ż!lWyZ܊/ (BNW~&[ ]JkPUg#عQ6؄E/Dr* s3ķv^gedU}Y c*tbi jn~ɾ# lrsYVVs4|k4Mgi:?չIw$oTۡvU78HLBl<)[>*Ii ޚrd@϶a&Via Z YDBcyX+lFt.}ojs#V*D䅄< \|O4/ /4J"R6]W:nIgCh.!ۋ9fXH5I5otĆPc d!>F"y("^E1l`jڑNBAO7wz,x' f0Gҍz񙾚ZawQv Ω9BK S.nu̜*v^O>O-{b?rG'ۀt\I`Gw[ sh@TɊ36?_2]]jG6:UrC.L8!B27AzS7! EeP6yOK#~CLd_ߐi;-G!+[mI^@qi7gjmBW^z" [˒`ˁ Y J@kA5o=B8$ -66EmN_dQ'Dyi0 h{;˃k\9),jqaZk uHiU C6BZculXH4˲9w/tgaa^nV/~+k Q'_%qEO:Ŗأ%OآO^|<ShQՌ"XlDtԽE𨻉*2&P)[FF/c#QJ9ͼ6 P` $')f%3f $Q6Z3n@V"-UuA#ocss )Y o |QSgJoQ-Z=IZΖn~ zrTM[ {{*eCyr}=c~[#\"#\DQ97Z\?.y7Nݴ(,;ֳz̫eIrh>Y-O3/nH],d.rf݁Dfd:8mLwLtjc7@`e *ZmŎ _ߦsyLd`;bm׉0!₫&Z4Φk-dGRI{0tߠѝufE_N) ׿Zr1 n7 X4B ܆ae~f#F$ɧBZF4AmS hA+#z ĔFlnWDܶII\R^g>89 %;fjLRT:.*#$?!m{J*:bKE^i$qC C+=â0%7`wy #ĢqFmhDjtȿ$ɪ˔C`)ܮeDbV.Β^QHK=]/a-S -Z_3`iAɀ+1x_}}K~>;k\4%$ \ǶB$WѢmu ,@d\Kg$9v\xdh㍱814Hk0IR)x/CxeZZ]0x5cwI&%bh\2|wMϼ|wt0QzhFYTl]SX[U@AD(p $8-."YƦ\Mas`!..tS®(Ә)sٔʩ~xz"Ŝ7$@k!fuS(V;6]`1ٷgZ 69?РtG󛼰[˂)Z!卡[?w$-2:R~X䰼$isFZ'i.=q%s'MIiz x+N;wr|(,}5J017ׇ,Ah]M)-@$= SܗAx0L潾5F3k F"ԤJ ;p9T]yYM K?r?.3I0kTiqwSq>:h6^4 q=LR2iUAx_A~:!1h!XGl8_uo(J0;2W=!ҕo~N̽ayX琧(,[+FMǴ2T4 2W'AYYÒF9[rx[&&px}>q89 ԋK4lj7CbXs r`ϊ4eV$G>}"O1 ]γDsv(74q~ MZq|ٝ1:JFK_< H]-u`ŰE)kx&``dgsxWDvueKpŒnN bT'g_Ob]ѼYYԳ?R)⫥[jdOk cT߼cAHCj)#ucpY.Vo6;-~ g# E\^Hԯo,:۾:s *J眫p-+АW{ge_ eM)) 򱝄-FNO#\qT)265Ѱ&ꊳc)ѽ[CY_$B^13/E.n|=!lUD\tȝ)5g}0-$`4{JtMD5Ɯ`=)  Rqݳcl}8DB]%/φΙ7NHT=T odqK M\I1^  4ӹ6ro'L6F&X6zln[$y+o, >G՚Y嫦VoQgB{ A4q4T`t 8~GsaF-T g# ;YGL.M@]<ϿrgeO&(q+7ݻ6hb<}4 .EN> k ˎ c3Z_VG9{A]]{I}]NtO}A[Ԑ%:Vr <2f 9T @r "IGYH[Rv*tj(:qIY" 1_aT::WkxUn#΂-Ej=̹X0A9){4  i,mio7=C!1PDm6z:V7/goP=+}0*#s;(iQϼ2 ;x +.<"3yW~Z@ww gO91ɰ!L.} 9KR9T)9EGI74c.e5 HO i]wg+0Q$.>ntnجr:1OQ(J'JŮdD33BktᮬWZ`(t2.}TKU's& J]` %-2EXgVj̳(/-=`z-jҊu^yjm/U4h!EJ훲Z[+׶3@~L9!MOp/vCzvX#S -z) &l͡=\ReCa/Ŋb1ϲ*Zldˁ>*v94nW}tcAA iJ 9?nX Ҵ2eFTHd#`ƱI6B)=5d͝AZ@ӫ‡KFgnه1x3_Ɋ)](v0]}PCRl ө(^3v{G|60r? s܊:Vu֡N9 OgԺ3Z@93G'_D:3.$huWdpVm$Nր=J 9h{\T1 >I 88Vtq`8pctqfߠp%ezC|ɤaX1\ Aӹq Ι{q Z7;``3l^Lfz <~c_11:Xl.{6)UvF d )c*R #N)SY/?W;kQ- Fgk}Ngx A*حYed782GXkd/LRsFMfwEU8'S; Agak܈\Ёdx5XOP-s@lF`ļ0TaqPy]<8dSt)13@TG(K4ĤSB2] f$n0`"lCq/HjhQme|V@|H(usG] +T '.eAO.3hN0(jeuH.`9M'0r$@F@w ʹ4I>;;dj\$@\1hz#bS<}Auӕ)B φ+qp  .jI>W@u; uZ?bhᆎ|zWLK6şff"0tDwPe#T;c1buP1G'C9M $cET)ZI|}tdߥ@2S{=ЮT})> D ó|(ǼԢG+ {'w7#W.]1%$RXe!vr,@/N"v>7#7=ڄ!}>EMV;LSf8_Vk>dS+:vtڵ|J@ P.;_Q}3뒮rRهF$=_q+!SO]L|u/ٰelڶz;K܌RT!Ff)wWS̹rc=@ͼo[xI4pZWMz Xv=&r>uqF/X٥Ddlu PMĻ e7lj6-eFusR4c@~9Jҳ _[0}c\*F$CB`}V]gx3(מ CeJKҫҬ4 :n1X_;/Nyu T#~}A+vP83$VCBuPL-jgR)Gh֤`GُJl.;'[(DXil#wh`.u$WJha2%":,A(Sv]}lJ8>kMS ) V5~>&\v?= AS8H@ԼqQ3'<+%e J>%2>,Ɩ.)<T&;\dTCgꛠTx"־FGD'}QKSB%Y<ݹzZi &!\C=A_J\;s3NݑWt!ey(,eec+Vz˱Os9ZfW)x:ddV #MφRxQk"y_Фꇼ%ejF `\ehI諯mhkT֦J_0ώrNMA*qc2sB'7 &&]Q HaS`d3JÚ$n)hd'3젍a*#Ay&o D,)[,֩!UiD^uF ?_ Bp7pСDePYH책6Kr,^k (LIɤwCVjiGSecw X\+P\],StDяx|2f$gt4&e} @_9NTc#Ux@&Cc 3 ~C3EVӀxk}cBO($孏*1 g,: JMDEHe \#I+XèZM5Ɠ"6֡PaZ~En'2a>w|4#c=" e[Xqʙ!'jژx%o2gF~Ml4>"DDPrv@jm_]~h!0|:es؃c5p]`txTP~V叇i@(;ǂ۩I %h*W5#"դe TH.1n ֽ%:/, QRI(*bQG6DzEn=wkY SoX˨&;I6l2UrVƜ[)'2H9nIR^DƵ7 kn`ՉUj1t^P"̾%"O0JBXZW+q[n_ b^KtL7 O1,$Eٵ^g\3j绱[Lg}zCZ4^4iԥ>:2Ϭrt-{Ccɇ :3Fk@gzk2FDLV;#ሉܠoOs>9Udvc#H|WWb*.dj 0lQ.$Ύ*]['.5![> nPb#dJ ~ouUk_?tBF+~JX3Ȓ;ܞS4x+cH9v9.mBЋLX:1=)6ZߚtI1) O,&veVb- ҟI+C&am6,N,wUi|u g#9D@@jqk"o0U$i9 N:VSXCl8%yj}<~﷞3_M %hͶZ*mMWͳ:Zon$'nǹNl$Ų֬(iVDOKga켟uƹs\2bדovbw&B"^7Tpi)=U:ƻ/ItU8okؘT\אǞ,m6DO:MYg¬V;<^* --S"s| nR2 * _Pl' P6VAd&*y",U[<خ J? Eߵ++5V3/ ]`7!Ze/۔FYwQlš> K 6k`=9Zd?XXQS_𤫐6o+~GS|cZbwa&pk{(s>}g-g*I^Aݡw;xqF{_&.Y#v\Ú YZ1#6p\^*&Nꚋ17A`u6MzHKa'e9ADk=!0z^t90(̄zkzIEQ+K9L+OaA 2&eԏZt@eoKGVxӷCQ^ *@J{_E!~. "mݴ-& ࣎'yz1ߧFPgg79QUiƞR5+ %eð (p] SD%˼E 㬔 Xqhߑভp8q"FDik^Wia4l5N^Pjy$ԟex[e+;.FMYo߇O<:Lq{ƧK=?K!Gā){C3Pwcv7bK>єN(4s'&q"S!UZMtJ|~#NrԲ`߅ @Ck(Mf N4WDu!svi6L~"[,g4A_+x߈K!d[v>Oc$&N՛sb &7q,_dPl!qQUjypŽ}jhhYbU_`( -ubW,H@3(S.p1wiZi]'n3F-X呼i.z°nZ=*otn';NQ閅u3SߟSK D2/HR)b䀦9Ft^=V[ 4pka?:]4M 2+:n"\QYٴ_YsۇD{T4rf W',ѳfadCvWo U=Ƀ qt@8y)Έ M3:CgԽʦP Jb-mq,!{[:e4p $7wlLt1úm~H&ھXh*qY@ƲF ]nc"hoUU"ȥ(Ce28f7C-C9QP 1&/+;Beܧ^~=yoBXoU^otCvlbx؈!y5(gg6Z2hq1](Fϭ="s"=yLqhJny֠+0 d@  \JDMn!eIPUߝNz+v xgȿEٮMLhw1R8ꍏTuԉ`&WC'Lc׻<>ox2yju"gƭXXkefH4}! m|X}d{k?ʵ!jm|iA1r" *T|a>3-c*21NaEV54HΡCSdUij1 U%PGv,|<Ç`VøB-@loJԇK<ߋWjO"ΟÔ# ܞ48G@w%zuP΅B~FO"9=T{ m^Ǚ"KncbÚ[@@kFH`^$&4.("zH6m\~*KDAQL!ΌB!yj/xd-L >@&Q<òZ:lM.d֌KhSaA [31[oF?QVvy\ND,8<3N9im޷H}۷jPNdG^qN)iD.L@I3Q!{ѶTܲCg6S)}VzͶh@)]PȲ4Gj+.J%!1vq+Z5꤇:|qWXu'fŌ*t).ݣ/ė}ݫԠbW0 1s!X/޳8ʍÔM fdfz2I[t1cȃ}귈+j{P^Oxj.WmN5q 57$%lp5s\f67C:` "4q@\~%Q]& uc:rjڹX̭a0֡b\Γ5aK=[b P =9L ,-ufOp4E} [e8WY5ӗxXD}8oj.ĞKT0{ϰI:%Ⱦ>2Ɖ+ t8uër}Oӕ@\dA+`G7e Xhv9bPR6B{j%v灭lCд :T#S#뗡gVV -3]8*O-߳+rnpiEQ=5+f[6ք @^ |/C_^PLD@@?_me;UvJ)Aa>$'.d_jDVTg=Gqʆ/{ ϫ:V 1QM|2ZF-w$>qa~. kMim.~$ΧKQ,9SERDB=FTi~9c(J%ɭ78ФoU)gP-`y\vސt[ k oà2l$ζ!fq1@M[>U9j^j LߤQڝ[_UkӾm i/f#.SKLҽMc0^|ݦ!k4f7AD$vljv:~wl2mlU{~tYY\T|yK@Qs2a tԖ=L)W* W蟻.S.\U塭l5Yp.mSUÓT(`Wt*m(c3qϒhTkuź@lN1{Jמo)iD|@*9 dW5fG`1kI!&*6m K$S:T+}Of==@ȼ y[Of=b2cjxJ5:)k|6sn=ɱዞ[w[9,e; ߨ4mle֗bolȓN|e5'#̳LkC[\fV﮸}X2?<vrM: R;ߎ5!9tt2]M'f J`Y+NiiMKk䃲fLLV*9wɗ5i}| :S ֋oA% cHs@AV詉 GnA{M-1 9 CI<Xج^@voz3&22"[=9-GzS_qSaq@`RYjd(G=~rb/9L4tC/T\Xh+)F@s72qbS3!feR7qר&y]NBBZE;*(\aRԿuqdWӉ.+?hѭE;k)Zjե6Yf|`E 9ߣm)q!GءݥFk8`U^`l-:rOnp`f?qWX)`Чq7'TRyUb&gFj8##fI$͚/,XW\Oj1ptjܬ&-5s*f/h"eGEfxrws$a 2GWWM9X3"(([SZSrKkYE^n‘+Y{:yڼmd:uICe{,O8(Cc )WA"Hαt3e; U$ }xϽBnT5eL Xq ˭9 ;mQWN'U4=CZΛ3sl8?:`X-Y# <Exn!t~YgT*cB2 mpGy}-2~X٨-zM->C5n}φz2&|{9'?؅sGiX鼟XnƜ*Ȓi&Ueݸe۾uia7&0* iOgkn1{d鍀ٲ}"ɦ*R`9mN fdhb^uƹ/`d}^J*4=_5 J)\AhGSBr6fBH^[a C8U{f6vmԸ7F/G8Çunv[Z])F Qi|Ū4⫁u@3X9VϠTyEDgaEHp{aթ6/^|^J}HDSkz73~4DԂނ4t,1G :z$`\;z›?^bp6.Y(` ǿXa Q\܋GiH¶}Mr J.[S3=sM8$"u:dgoBZ ="DQO ks?<A ?@|-izDZmuDPHjrϧPl;9'D:3ڊg iq '? c'.!!Y1Z Ύ;_E7QfF?&WóY8ltN*F릺SU24d_hA;!M#`3A )Frȁ h-|YZ&=eKmeT9zNꥷ![Ek@: [8} z@ Rܓ[w/PYU*ì~{ejn^5:^B E!6ڄ˄}ݯQBn?#7tWCac -c>IñOiiӅO?!ZIù(9`4!ZϛD^fSb?h["ՑdzGkߧj=G"qYW2p^Sl`hd`hiid*i\Wz\RH"șXL0t8"}h ѿ̇?A|Z./ÑZ-zSpɃ?@ބ (1CQzW.{n5M&x@v1YQ;$M(rz lcw6F˒F,X[x"ޮM){+[JjbWYEmad h)s2eqK(lܚ…՚XWܒ(Ӻ`nܮ9ΩI) 3 qbr=4jS(Ƚ={gOo=v5kcBroǟPeMpC3s OpJt`Y #'p-%Qaҧ8w ƒ7M9J8y!TKzHNV{lu6t@'|~rӖ+9?$ +up<atMv#2NB5Da$yjA;v6OLD"Us]~wS iRՙ˴& Oao?BH5KOJWo.KF+&=R}y`}Xua JZ9fU/g~XiJ̋8 ?|]Qhb5>s@{oG4s|k5EJua]dnE)J!e_ `*Þy/6QBڮde^VӶvEԲ]|6鬉-eUqV=M8u!;s䶹w˰vdӢedm\DoU\VF2)~bmOn!PɀQ?E<{[~EΗ^V2=!=ȃ_ jp׍TRJ^]m:9x0aEm|g͸aN'U%O"Lk\< IoAf{L"(Yw.ꁆ/'.MP-W\4*R8d:xvZIh /.R%T:9)z^9CpwJgQ!moFz[v֓6D]NJ1GzbQqK#OR{ٺ`e*R2]/ Ty6qy^%zѰZ_4zX= bv I3CQ:YyYlM^jxDaxt ,EfˡMRC}Rnt(@)J~G27/jg}Pc0j? mz&VZ{S7?kB,xC6P`h؊'zF;< ̛:+(JTnqˎ,oW(X-CݕWK =*<&I)T茺 ڻk qEg";ګ!ar(m^ds$1E_w%aH~V!9؅YQl' Վ7323oR1%z]w*¨r3ɠ6`%T ;J0UAJ@ɚ2'*wg1h; Rg`{d?mh c2#`.G|(oIH߽h](SE?s7$u~2wΥ{^Z3| xbM {='ˉhZcTԎ#+G%uL@kl&QIߤ#rE+u-nS@EWC @cG4uCG"놹42kɺnD<)_mS2[5v(_]m3ʀQZ*|OPǹ?՛ Tguѐ,Fy9{q!q|(1س]%=dc>HvyI9RU57!@{/y6~ "Xha5 k()u\:<"c;?aECn5}5 NI!e@ok,ԎT56| s-PŸv=U#|lXrcnv?' ejs_jrҥjdS՜ن큯Rg-&L3N 'SfN}6Ea/F+iMrZYW-ed'>ԮѢQ 46QQ`jsG:4RbΐkBv]ws 5x݃iD2>g:oB lTY鳵U{ۖiZBy>>)[?H5ͅhâW[Ar8Ų/b>NS8oJ4=9SwiLASJBX > a&il3)F U x P O4!35N> }! :v}Kkgi6+=,{{7<f~_B$HvvyqD˰>=?9'3J+WXͰrWJgfx.TNAdn*d$i: {R =~jkԨ-򇂽{3{\Դ)!|5qFMlC={wVH= N=MTp^*zUP TZ)J҅$[0A-$tIB_Zpbx ye8Ƚ}k4~FjP֮wPQxaSB>o.X H[%7\oCO EkwsgxFMK uشŚFE0Ÿ,O"cCBFAQ'ܩu{S mN"-;ʴl>`ԜN:Yg j-x&juUmp!h /m/uu%0"sWdC2 <ȸFZԂ r*u؊^H=~vӴuy1BŶMMΈb)m߱kf1(9ԟzwR j&F|K4hJYca͍@m:Y-ZbUјJ3ks3q.j}wPC_? q&WY]DQW=q'Fjڑ3ߣ;T%A"G83ysc4JS8ѯc{:Rl*ٶёSnWA-u F A=W9&PV)v%db&{gUŋ!M^F|,셬k=ʮ BS;K?7~}f;2wڶ%E>E%&7AW{q(L5lYc3})J ֢Aw4+2]xaBήy3RL|"_QjM!] =$A;K{s?Y}7yjJb] ;/-)KbS".Y##H lܕ+m]kjku`GSИp> zi36 t@g3|!m1ɸg^K(v`mPOw$_ל/l4 EqXNO"!RuSi9ukR3S|As_/_Sf|=H8')!Э6A5`z_w?*J<Lțk<|y˯fl,IUoHyBG4R +rʶN tԣJЊC Mԏk:z/ U+`eXpςPDr9MWO WSԭ>-#HXEi\DEB"8) fkRouπ{lx;9LWdI3D;WI9:Q `z #hjW~E1b(yoZ<׭=qUj T !F@CS"6>тKV! k;5*gVA$Rk!#'MtXlI#Mm=(\MFvH@Θ;ƛ[i`ϖqL^!!BRi+R@^:Yqa7/ܧ\)k6[g# 渴Tz.'9!&kCx\MA!E)#&U ÎZ>y͔~~Bt4ӃX+[1 CTFhk%IuFڂ,ȿ=4=Dh4hͶ1f[ \zkZ.Hڃ2f1 O i_3fh0)o}2N"B` ucuI<\zzLnr/0}1@Ckp <1KPS@~_~Rv&,5JRտ'LoÆ#jʫ#oCw>GA ^-~uxb w6a/1U~ >Vܰ qo)MT3 chxC.+g:Q:WX_yߩB(A|B_TZבĄj\[~#İtQDqSQ7JS%"nOCé5:& :rW^_kk>ŖJWgMӁ5Ċ LncXA%o|U"d+p01&h rdhw96{~Kڴ7 T3"I ;#銺w#-;,pL비m_5TdVϜ+]C0wD?R&ϴq5VO_v]+֡WZP/hC5^j!"Э_%IB350&GMs[T"(ǭv !0P_j[]#_t9Y iI_Xt < ?h;y߫nmwX̥h?be@wC'9ߪ`9悀gϣiZӡŹypyU/?3de?4Nlra*L@mJمeگƨs9ۻ`>g)T2+0붓sL ɺQHZY]Jck>*!tQ3 P fvc, 5og Z7b$Ŏp+1Ơ%a³]]KGc%}?W嶎!:8sWA`Xk@+b}k`:6ds5È_==[d܌*_8%>x'51iQݳhoJҢpI`cJOw1cpd'6/wY8M;:{\qI E z1W&kD.h Vr3'D.= 7ђ%G& zq8o}D6>ޠe-ȸGHTĿ}1Gʦak},ݳ8;6KG&TMfSS CiDS<\Qr17V o; N-`KFTΘIM,@pMMxsIɒIJVpQ0txoQх4"_0<-d"seho ~c].G鞢MJm94kǾD#RtW.zBiKrGjhUi`K9&Y"?vGswϼ`I~X )+O^sLei?dgRxH C~!d;t\v z. 4y 5_`c,w]JJU h.xݪD v6/@JwC.`U9􅗕O,|fOr~vۗ9j V/ -D/~qp2L9,5Ǡϵ?tyG (Ι`i)DI T++K<67 B7C3~r'=Ttp?i#8r:׬ךZ>AJ_Uq1D_Ah{6ffS~L,|H77[^>gєUo fC%'o\mՠ^#Y2.&~}@$UoKcm /HPH (?`#E;']9@rfײWmtS/c2r 7/o]Tդ%?c\jqkm~& 4P|*fP@2Fs0^pX!#;9>~L;Yw*5apD@E$}Eeoҍ߼1v: XCpX'4,\d3q\K¤ E^,.Uҽ"p̙tF_Q 5}[EdMk3~E}89ҷap8Kįux&z@8_U}㣳f=.Gq9t;oc-OTu u=6Htg&nSh|_weSi_,$]|kˆ+_ZK~˜n0"te Y~d:Hg& +뽬Z* UHC@, #yMnn[nP\L4?TQbP}6mOq{=nfE͜,Ї QK*ޘ30'n28i SCV0独e9b?)jp`鿹Pb(ZP ˷`m:Tx!x`hLzQU&ɠKa Pld1M(0Ld\fCR" (~*%c_<9)|ŽeՌL;1pߍ(ç:B.{ gwFgfX(ֿ`%`<8U"'Gh"+ݲYpS=$콲dOmtBE\-R6tq_J](-5`Y,KSO4SuvMJ Y!jrccA?~zƔ_  b1ʫ &5x F'/РRQE=0MAGGߐ0bpP&no-`$(1?;[".Va2唏g2&l z 3dӆ=ǭZl$ϱ,!-zvј#*WUk'\.3ŞKk]tB|&Frql:S 'Huhy8a)ԼTm(U !wDÎD,rc\k$@ $,WQ +|RsuʨQjjR`θw͝p. ?4&:}ټ:<40jVVV\ru<"6$DJ}ToIǞbU Mہltļwh扄*Uk[7qM+hd(΢;~"j&HCv\1jȉ;l&TXwxևs<>XsHfl߀}upC8XS3'ɹWip-*CRPRb7. ^4u#k_ŰȧYy;}4A}* '`>kdJ z?"} PNҗ*ƣO.f-2NXhH2SHH{]'mš-d){HlE2eP/ .^˛.Thh!$^ erD|' rT)T|&R[BqIæ _ŋ)zԩw҈ ߱5;u^ZjMk |Fvor'b:tk$X&`_2@Lam|i3a/Heq) p1_1>N8pYKNi 5Y'7+ Ƴb1oo_zXc LN?D!P{u;+2/Jab)-4N Qj TtEbfȱbJ >I hvLD$B:ٞ *}/Jډ]L Ds\ꥎULPRn(ňVZ|~YQ:#4#3[Jra[ȇe~{ңPyB+upoZ9 B5J CC. $_蚤y !š3tIO'[ְg@02U*I`EJ"~8{mfS-q>[ߗ{>uv:\̆qH$`ZFcp =7b%ǓXFߥFOe*tX_`QnV==HWq(BB,t e[{}ASAq7J9Ʈ8,`'Τ|hs%;yuJjgOwq8 ]|'W~pW5-8F$*qmI{lzBP˾KۤԻ--;+`"[F|$qt_40~"oMLT/TrA9%?@Swt\"9 >g?>?۬'*EMg0dۗ`]iNYp= jcӏE5^/{>FqW @{Ņ䄑U~Q{\]mJ\w]>4pTX`bNJvjAqplij0S KTpF"ۅs34UݬUå`KQ_`ü$Wl2b-K{S$ԛ/1^I6]cIJGf?z.˺z08^(]pB;! YZOcX~&W@8껝v)͕`6쯯Dz?z>lDm}E Tvd!9:Cag&鄂(PXGvl=ڱs]z#@{^T7/W}^)\~?pRi=!wSABp1&i$z hEpnC@tlɶ _ڠ t[6ލbApEc .ؕNDv4Xiw6LLL Plˍ%;{߱K ϻ.GZ4ԍTĿ^B'$Āo GIv2/Eý_ :h^.,sLZ׍ЛP{&:+L#۠8@ƃuIR1sXoS퉁>on//w6]|=SWlcBgJ _ؽ7?:/t1rH[O`)[Xf_+]nt`}#QThpG<ȧx4-WC۞W:tNw"?T&RW+؛9}]5fR'T_Z/i3|^t@qb+G׶M 0'B: 9'#7TÛ;OuMh1t0gC>xbVw:~<|SЁYJ aB!IЍH /}$6 ԡʏ^h-ypˌeR>9OuKnָ aN- +DuA>jBua1vGRfuϑ xf^[$yE+kWǮ7A" sp W''*hf?nty^EJi,^dAUGK=@a{" MȖ l/,]6J$hFHVdBD6}~J5.&/b+M,)yqAV mCޛGN1KjPUjȮfHSJG- 9~ŞN*M$߹&vO?@zLˣW?땓Rpqf$Û .@=z#*fC*2: 8[vG&4w[  q$8F ^JΏaAT X'e,IBIiXi 3}~DO=$Wc4⸜ ɹA1! /~` G2ȇPuOg45&>0RYA%Jn c@6MAmdͯ6}|%^1Aт9י%11 g0,u&rE݉IX0`@L61R8k>8%aChxY]Dڪg;I'scCWD"+SLF3"Vǯo|ྤd soWuh%CB CA+^/C,UmmdGDig-N (-clejc^1|'Q v%JHTV.RŨDoI$k(>r;*}c98~ԫYo%P(>t#Ї{L^2қ߁wߏ%s)3TwBJ [\kYjOMB6`k˓ Iz|]IŘ8(:+1ʴ%g2DX9 s2"YEW։%@E~W#؈.6 J1S:^AxX)#e~Uvf[%zG4 *%aEZB"[sB>cu뛌s1,AӎH>5 lҩLg&5*Dm?LkqՖ 5d!Idg87w6۰=\xDfBh@:S߃1bYˆ7ӂKtd@tGp`axM3gRR;`acv&?˵u~-xg]Nd +=,Ӏf-857usCH=:#@.# DBSy++ݠ=ѢܷyXK:Ϸ2 |f*hx ?:~j>2)/>3Vwa RIf)~UGa.#EN6H>\>Cݕ׌(u;Q}p/ Y!x:3nԏITUI Yf )D`3To5"oXU}8faa\yG9 ^)o'&RgK@_K %#eAʅ]GխIa9>\DԆF k2UdVǷ9j'J=X hu#3jjl}@߾ֈKфqVh{}Qndf8iHoGd}_ Ȧ_M5h*X\(=DHJIQ^ϜHNl:aG~:-GM(ٟg%k`>cg[-{R'GECB8pfcy~cH217 J3YJ5 R]_8֛l'M-KﻝE| iV-87Umkq~1z A_b[V~g%lÞ^i@)T]{ 莑B&Pc)Oeudx?۽Fb-yb@l %h#zOC*a<۹Cs7n=>o"wj cgus}9̠%Vrٌkz#F=`"QR+/#o"\fVJd6/$䦪s&_ F.~ Qx2NkCYie!EwlM4G)fagnhaU #2 $4+E u_EaB:mJP'W&*5wP33[b_>-%NɦKWt@*&<2CD5uh_+kurK? SYw$[_?SiwCήq,|̜%9{F=MEskV~9K##Xݶ UPGc<4T]_uJm,Q̆B|/@5gq@| EC^so)ڴŕD9 j%= z*lȔ+BXr}M,Dž%CESEATׅ Ky)RH:ؐItu52Vj{]dMA$m3toXQ FYh}m˶ i.WD'5{¬{//n37hT u0TCqTG&aֺ ao[0aѥߗzHN!D<շWWA%r@|OٵB/nϬZ iУPއy&ޗQߧDxt N/+,WBk^HVȥ e FHaxYxr3ޡ6#6N.53K;dccR'wRNvY n);W:ިwn vvqfԔ~&4% 2cF\ ؚ^? ܾ\rۈK-d!Ph6nӹ%QҘ\zr^E3ypê`6@w\E|T%\Vj+G5q~MVqo#Ej&.wJE HbYp1ǣYxK3L)sO|EV_<`2 V|=ܟQ'6R5#?t`Omזz$M3 ϖwLm)dgq9E>wC_?4Un7RȤ4OLp0ҟ9|Fabz3,_hf(uR]sd-EE%s YT@u&eQ rSAvc4k;M"Amx‰u%k/1_)}99 =gCW;*2bJ}APHt*Z;fhb[κp2GY=Mj**$K& z"ZA}(3dy=\$ј =|)_1V4>zІxyc|؍x(A^[pwg!% _bo)@ o?@~FhyFJRNa[0RT.H:@.@;u;^m D,0itGi((H(i"h%rq.8 i}*rCj\ Ū $5{,VʔS07d>nƈz/P p