������wpa_supplicant-gui-2.10-150500.3.3.1��������������������������������������������������������������<���>�������,���������������������������������������������������7�����eܲp9|��~h��tē��u�M�eBu��w�d3${��Z O5eP�/�XO{'#9ܺ?W\�ٳlڪSΎ�_�%F{
\{B/R-d�{Sr$瓜�Y=cڌAn��pI��'k�辆fmìK�z�kMdӉ
1�Ssr"r�j�pfYRaZA�Tw����k7$A]-T�`0 !`O/"v�I2bű0eȴ9���>��������������������>�����?�������������d��������������������������������������������������������������� ���'���������� ���J������������������������������������������������������������������������������������
��������������,���������� ���B��������������N��������������k��������������q���������������x���������������������� ��������������
���������������������������������������������
���������������������������������������&���������������0���������������\���������������d����������������������������������������������������(��������������8����������*���9�������d���*���:������ ���*���F�������������G�������������H�������������I�������������X��������������Y��������������\������,�������]������4�������^������I�������b������i�������c��������������d�������������e�������������f�������������l�������������u�������������v�������������w�������������x�������������y�������������z������8�������������H�������������L�������������R�����������������C�wpa_supplicant-gui�2.10�150500.3.3.1�WPA supplicant graphical front-end�This package contains a graphical front-end to wpa_supplicant, an
implementation of the WPA Supplicant component.�eܲs390zl31�����
|SUSE Linux Enterprise 15�SUSE LLC �BSD-3-Clause AND GPL-2.0-or-later�https://www.suse.com/�Unspecified�https://w1.fi/wpa_supplicant�linux�s390x���
x���큤����eܲeܲ411aaed1de829cc25cd67ccee5c66ff086c1511715d5db364f60637d1d1ec542�d57783ead2cca37539bf8b5c4a81b8105c2970de177652fe1a027433593467aa�����������root�root�root�root�wpa_supplicant-2.10-150500.3.3.1.src.rpm����wpa_supplicant-gui�wpa_supplicant-gui(s390-64)����@���@���@���@���@���@���@���@���@���@���@���@���@���@���@���@���@���@���@����
���
���
���
����libQt5Core.so.5()(64bit)�libQt5Core.so.5(Qt_5)(64bit)�libQt5Gui.so.5()(64bit)�libQt5Gui.so.5(Qt_5)(64bit)�libQt5Widgets.so.5()(64bit)�libQt5Widgets.so.5(Qt_5)(64bit)�libc.so.6()(64bit)�libc.so.6(GLIBC_2.15)(64bit)�libc.so.6(GLIBC_2.17)(64bit)�libc.so.6(GLIBC_2.2)(64bit)�libc.so.6(GLIBC_2.4)(64bit)�libgcc_s.so.1()(64bit)�libgcc_s.so.1(GCC_3.0)(64bit)�libpthread.so.0()(64bit)�libpthread.so.0(GLIBC_2.2)(64bit)�libstdc++.so.6()(64bit)�libstdc++.so.6(CXXABI_1.3)(64bit)�libstdc++.so.6(CXXABI_1.3.9)(64bit)�libstdc++.so.6(GLIBCXX_3.4)(64bit)�rpmlib(CompressedFileNames)�rpmlib(FileDigests)�rpmlib(PayloadFilesHavePrefix)�rpmlib(PayloadIsXz)�wpa_supplicant��������������������3.0.4-1�4.6.0-1�4.0-1�5.2-1��4.14.3����e}@c@b@b�@`lM@`?z@`:4@`�_|\@_i@_i@^@^@^|@^|@^Y�]�]>[<@[[ā@[[;@[@[QY@X@X]�W@VU@VŲ@V`V=@UKSUCjU8U'@U�/@TBV@cfamullaconrad@suse.com�cfamullaconrad@suse.com�cfamullaconrad@suse.com�cfamullaconrad@suse.com�cfamullaconrad@suse.com�cfamullaconrad@suse.com�cfamullaconrad@suse.com�cfamullaconrad@suse.com�sp1ritCS@protonmail.com�cfamullaconrad@suse.com�songchuan.kang@suse.com�cfamullaconrad@suse.com�bwiedemann@suse.com�cfamullaconrad@suse.com�ilya@ilya.pp.ua�tchvatal@suse.com�tchvatal@suse.com�ilya@ilya.pp.ua�ilya@ilya.pp.ua�kbabioch@suse.com�ro@suse.de�kbabioch@suse.com�kbabioch@suse.com�kbabioch@suse.com�ro@suse.de�meissner@suse.com�obs@botter.cc�dwaas@suse.com�meissner@suse.com�tchvatal@suse.com�lnussel@suse.de�crrodriguez@opensuse.org�crrodriguez@opensuse.org�crrodriguez@opensuse.org�lnussel@suse.de�michael@stroeder.com�ro@suse.de�zaitor@opensuse.org�crrodriguez@opensuse.org�stefan.bruens@rwth-aachen.de�stefan.bruens@rwth-aachen.de�stefan.bruens@rwth-aachen.de�- Add CVE-2023-52160.patch - Bypassing WiFi Authentication (bsc#1219975)
- Change ctrl_interface from /var/run to %_rundir (/run)�- update to 2.10.0: jsc#PED-2904
* SAE changes
- improved protection against side channel attacks
[https://w1.fi/security/2022-1/]
- added support for the hash-to-element mechanism (sae_pwe=1 or
sae_pwe=2); this is currently disabled by default, but will likely
get enabled by default in the future
- fixed PMKSA caching with OKC
- added support for SAE-PK
* EAP-pwd changes
- improved protection against side channel attacks
[https://w1.fi/security/2022-1/]
* fixed P2P provision discovery processing of a specially constructed
invalid frame
[https://w1.fi/security/2021-1/]
* fixed P2P group information processing of a specially constructed
invalid frame
[https://w1.fi/security/2020-2/]
* fixed PMF disconnection protection bypass in AP mode
[https://w1.fi/security/2019-7/]
* added support for using OpenSSL 3.0
* increased the maximum number of EAP message exchanges (mainly to
support cases with very large certificates)
* fixed various issues in experimental support for EAP-TEAP peer
* added support for DPP release 2 (Wi-Fi Device Provisioning Protocol)
* a number of MKA/MACsec fixes and extensions
* added support for SAE (WPA3-Personal) AP mode configuration
* added P2P support for EDMG (IEEE 802.11ay) channels
* fixed EAP-FAST peer with TLS GCM/CCM ciphers
* improved throughput estimation and BSS selection
* dropped support for libnl 1.1
* added support for nl80211 control port for EAPOL frame TX/RX
* fixed OWE key derivation with groups 20 and 21; this breaks backwards
compatibility for these groups while the default group 19 remains
backwards compatible
* added support for Beacon protection
* added support for Extended Key ID for pairwise keys
* removed WEP support from the default build (CONFIG_WEP=y can be used
to enable it, if really needed)
* added a build option to remove TKIP support (CONFIG_NO_TKIP=y)
* added support for Transition Disable mechanism to allow the AP to
automatically disable transition mode to improve security
* extended D-Bus interface
* added support for PASN
* added a file-based backend for external password storage to allow
secret information to be moved away from the main configuration file
without requiring external tools
* added EAP-TLS peer support for TLS 1.3 (disabled by default for now)
* added support for SCS, MSCS, DSCP policy
* changed driver interface selection to default to automatic fallback
to other compiled in options
* a large number of other fixes, cleanup, and extensions
- drop wpa_supplicant-p2p_iname_size.diff, CVE-2021-30004.patch,
CVE-2021-27803.patch, CVE-2021-0326.patch, CVE-2019-16275.patch,
CVE-2022-23303_0001.patch, CVE-2022-23303_0002.patch,
CVE-2022-23303_0003.patch, CVE-2022-23303_0004.patch:
upstream
- drop restore-old-dbus-interface.patch, wicked has been
switching to the new dbus interface in version 0.6.66
- config:
* re-enable CONFIG_WEP
* enable QCA vendor extensions to nl80211
* enable support for Automatic Channel Selection
* enable OCV, security feature that prevents MITM
multi-channel attacks
* enable QCA vendor extensions to nl80211
* enable EAP-EKE
* Support HT overrides
* TLS v1.1 and TLS v1.2
* Fast Session Transfer (FST)
* Automatic Channel Selection
* Multi Band Operation
* Fast Initial Link Setup
* Mesh Networking (IEEE 802.11s)
- Add dbus-Fix-property-DebugShowKeys-and-DebugTimestamp.patch
(bsc#1201219)
- Move the dbus-1 system.d file to /usr (bsc#1200342)
- Added hardening to systemd service(s) (bsc#1181400). Modified:
* wpa_supplicant.service
- drop wpa_supplicant-getrandom.patch : glibc has been updated
so the getrandom() wrapper is now there
- Sync wpa_supplicant.spec with Factory�- Enable WPA3-Enterprise (SuiteB-192) support.�- Add CVE-2022-23303_0001.patch, CVE-2022-23303_0002.patch,
CVE-2022-23303_0003.patch, CVE-2022-23303_0004.patch
SAE/EAP-pwd side-channel attack update 2
(CVE-2022-23303, CVE-2022-23304, bsc#1194732, bsc#1194733)�- Add CVE-2021-30004.patch -- forging attacks may occur because
AlgorithmIdentifier parameters are mishandled in tls/pkcs1.c and tls/x509v3.c
(bsc#1184348)�- Fix systemd device ready dependencies in wpa_supplicant@.service file.
(see: https://forums.opensuse.org/showthread.php/547186-wpa_supplicant-service-fails-on-boot-succeeds-on-restart?p=2982844#post2982844)�- Add CVE-2021-27803.patch -- P2P provision discovery processing vulnerability
(bsc#1182805)�- Add CVE-2021-0326.patch -- P2P group information processing vulnerability
(bsc#1181777)�- Add wpa_supplicant-p2p_iname_size.diff -- Limit P2P_DEVICE name to appropriate ifname size
(https://patchwork.ozlabs.org/project/hostap/patch/20200825062902.124600-1-benjamin@sipsolutions.net/)�- Fix spec file for SLE12, use make %{?_smp_mflags} instead of %make_build�- Enable SAE support(jsc#SLE-14992).�- Add CVE-2019-16275.patch -- AP mode PMF disconnection protection bypass
(bsc#1150934)�- Add restore-old-dbus-interface.patch to fix wicked wlan (boo#1156920)
- Restore fi.epitest.hostap.WPASupplicant.service (bsc#1167331)�- With v2.9 fi.epitest.hostap.WPASupplicant.service is obsolete (bsc#1167331)�- Change wpa_supplicant.service to ensure wpa_supplicant gets started before
network. Fix WLAN config on boot with wicked. (boo#1166933)�- Adjust the service to start after network.target wrt bsc#1165266�- Update to 2.9 release:
* SAE changes
- disable use of groups using Brainpool curves
- improved protection against side channel attacks
[https://w1.fi/security/2019-6/]
* EAP-pwd changes
- disable use of groups using Brainpool curves
- allow the set of groups to be configured (eap_pwd_groups)
- improved protection against side channel attacks
[https://w1.fi/security/2019-6/]
* fixed FT-EAP initial mobility domain association using PMKSA caching
(disabled by default for backwards compatibility; can be enabled
with ft_eap_pmksa_caching=1)
* fixed a regression in OpenSSL 1.1+ engine loading
* added validation of RSNE in (Re)Association Response frames
* fixed DPP bootstrapping URI parser of channel list
* extended EAP-SIM/AKA fast re-authentication to allow use with FILS
* extended ca_cert_blob to support PEM format
* improved robustness of P2P Action frame scheduling
* added support for EAP-SIM/AKA using anonymous@realm identity
* fixed Hotspot 2.0 credential selection based on roaming consortium
to ignore credentials without a specific EAP method
* added experimental support for EAP-TEAP peer (RFC 7170)
* added experimental support for EAP-TLS peer with TLS v1.3
* fixed a regression in WMM parameter configuration for a TDLS peer
* fixed a regression in operation with drivers that offload 802.1X
4-way handshake
* fixed an ECDH operation corner case with OpenSSL
* SAE changes
- added support for SAE Password Identifier
- changed default configuration to enable only groups 19, 20, 21
(i.e., disable groups 25 and 26) and disable all unsuitable groups
completely based on REVmd changes
- do not regenerate PWE unnecessarily when the AP uses the
anti-clogging token mechanisms
- fixed some association cases where both SAE and FT-SAE were enabled
on both the station and the selected AP
- started to prefer FT-SAE over SAE AKM if both are enabled
- started to prefer FT-SAE over FT-PSK if both are enabled
- fixed FT-SAE when SAE PMKSA caching is used
- reject use of unsuitable groups based on new implementation guidance
in REVmd (allow only FFC groups with prime >= 3072 bits and ECC
groups with prime >= 256)
- minimize timing and memory use differences in PWE derivation
[https://w1.fi/security/2019-1/] (CVE-2019-9494, bsc#1131868)
* EAP-pwd changes
- minimize timing and memory use differences in PWE derivation
[https://w1.fi/security/2019-2/] (CVE-2019-9495, bsc#1131870)
- verify server scalar/element
[https://w1.fi/security/2019-4/] (CVE-2019-9497, CVE-2019-9498,
CVE-2019-9499, bsc#1131874, bsc#1131872, bsc#1131871, bsc#1131644)
- fix message reassembly issue with unexpected fragment
[https://w1.fi/security/2019-5/] (CVE-2019-11555, bsc#1133640)
- enforce rand,mask generation rules more strictly
- fix a memory leak in PWE derivation
- disallow ECC groups with a prime under 256 bits (groups 25, 26, and
27)
- SAE/EAP-pwd side-channel attack update
[https://w1.fi/security/2019-6/] (CVE-2019-13377, bsc#1144443)
* fixed CONFIG_IEEE80211R=y (FT) build without CONFIG_FILS=y
* Hotspot 2.0 changes
- do not indicate release number that is higher than the one
AP supports
- added support for release number 3
- enable PMF automatically for network profiles created from
credentials
* fixed OWE network profile saving
* fixed DPP network profile saving
* added support for RSN operating channel validation
(CONFIG_OCV=y and network profile parameter ocv=1)
* added Multi-AP backhaul STA support
* fixed build with LibreSSL
* number of MKA/MACsec fixes and extensions
* extended domain_match and domain_suffix_match to allow list of values
* fixed dNSName matching in domain_match and domain_suffix_match when
using wolfSSL
* started to prefer FT-EAP-SHA384 over WPA-EAP-SUITE-B-192 AKM if both
are enabled
* extended nl80211 Connect and external authentication to support
SAE, FT-SAE, FT-EAP-SHA384
* fixed KEK2 derivation for FILS+FT
* extended client_cert file to allow loading of a chain of PEM
encoded certificates
* extended beacon reporting functionality
* extended D-Bus interface with number of new properties
* fixed a regression in FT-over-DS with mac80211-based drivers
* OpenSSL: allow systemwide policies to be overridden
* extended driver flags indication for separate 802.1X and PSK
4-way handshake offload capability
* added support for random P2P Device/Interface Address use
* extended PEAP to derive EMSK to enable use with ERP/FILS
* extended WPS to allow SAE configuration to be added automatically
for PSK (wps_cred_add_sae=1)
* removed support for the old D-Bus interface (CONFIG_CTRL_IFACE_DBUS)
* extended domain_match and domain_suffix_match to allow list of values
* added a RSN workaround for misbehaving PMF APs that advertise
IGTK/BIP KeyID using incorrect byte order
* fixed PTK rekeying with FILS and FT
* fixed WPA packet number reuse with replayed messages and key
reinstallation
[https://w1.fi/security/2017-1/] (CVE-2017-13077, CVE-2017-13078,
CVE-2017-13079, CVE-2017-13080, CVE-2017-13081, CVE-2017-13082,
CVE-2017-13086, CVE-2017-13087, CVE-2017-13088)
* fixed unauthenticated EAPOL-Key decryption in wpa_supplicant
[https://w1.fi/security/2018-1/] (CVE-2018-14526)
* added support for FILS (IEEE 802.11ai) shared key authentication
* added support for OWE (Opportunistic Wireless Encryption, RFC 8110;
and transition mode defined by WFA)
* added support for DPP (Wi-Fi Device Provisioning Protocol)
* added support for RSA 3k key case with Suite B 192-bit level
* fixed Suite B PMKSA caching not to update PMKID during each 4-way
handshake
* fixed EAP-pwd pre-processing with PasswordHashHash
* added EAP-pwd client support for salted passwords
* fixed a regression in TDLS prohibited bit validation
* started to use estimated throughput to avoid undesired signal
strength based roaming decision
* MACsec/MKA:
- new macsec_linux driver interface support for the Linux
kernel macsec module
- number of fixes and extensions
* added support for external persistent storage of PMKSA cache
(PMKSA_GET/PMKSA_ADD control interface commands; and
MESH_PMKSA_GET/MESH_PMKSA_SET for the mesh case)
* fixed mesh channel configuration pri/sec switch case
* added support for beacon report
* large number of other fixes, cleanup, and extensions
* added support for randomizing local address for GAS queries
(gas_rand_mac_addr parameter)
* fixed EAP-SIM/AKA/AKA' ext auth cases within TLS tunnel
* added option for using random WPS UUID (auto_uuid=1)
* added SHA256-hash support for OCSP certificate matching
* fixed EAP-AKA' to add AT_KDF into Synchronization-Failure
* fixed a regression in RSN pre-authentication candidate selection
* added option to configure allowed group management cipher suites
(group_mgmt network profile parameter)
* removed all PeerKey functionality
* fixed nl80211 AP and mesh mode configuration regression with
Linux 4.15 and newer
* added ap_isolate configuration option for AP mode
* added support for nl80211 to offload 4-way handshake into the driver
* added support for using wolfSSL cryptographic library
* SAE
- added support for configuring SAE password separately of the
WPA2 PSK/passphrase
- fixed PTK and EAPOL-Key integrity and key-wrap algorithm selection
for SAE;
note: this is not backwards compatible, i.e., both the AP and
station side implementations will need to be update at the same
time to maintain interoperability
- added support for Password Identifier
- fixed FT-SAE PMKID matching
* Hotspot 2.0
- added support for fetching of Operator Icon Metadata ANQP-element
- added support for Roaming Consortium Selection element
- added support for Terms and Conditions
- added support for OSEN connection in a shared RSN BSS
- added support for fetching Venue URL information
* added support for using OpenSSL 1.1.1
* FT
- disabled PMKSA caching with FT since it is not fully functional
- added support for SHA384 based AKM
- added support for BIP ciphers BIP-CMAC-256, BIP-GMAC-128,
BIP-GMAC-256 in addition to previously supported BIP-CMAC-128
- fixed additional IE inclusion in Reassociation Request frame when
using FT protocol
- Drop merged patches:
* rebased-v2.6-0001-hostapd-Avoid-key-reinstallation-in-FT-handshake.patch
* rebased-v2.6-0002-Prevent-reinstallation-of-an-already-in-use-group-ke.patch
* rebased-v2.6-0003-Extend-protection-of-GTK-IGTK-reinstallation-of-WNM-.patch
* rebased-v2.6-0004-Prevent-installation-of-an-all-zero-TK.patch
* rebased-v2.6-0005-Fix-PTK-rekeying-to-generate-a-new-ANonce.patch
* rebased-v2.6-0006-TDLS-Reject-TPK-TK-reconfiguration.patch
* rebased-v2.6-0007-WNM-Ignore-WNM-Sleep-Mode-Response-without-pending-r.patch
* rebased-v2.6-0008-FT-Do-not-allow-multiple-Reassociation-Response-fram.patch
* rebased-v2.6-0009-WPA-Ignore-unauthenticated-encrypted-EAPOL-Key-data.patch
* wpa_supplicant-bnc-1099835-fix-private-key-password.patch
* wpa_supplicant-bnc-1099835-clear-default_passwd_cb.patch
* wpa_supplicant-log-file-permission.patch
* wpa_supplicant-log-file-cloexec.patch
* wpa_supplicant-git-fa67debf4c6ddbc881a212b175faa6d5d0d90c8c.patch
* wpa_supplicant-git-f5b74b966c942feb95a8ddbb7d130540b15b796d.patch
- Rebase patches:
* wpa_supplicant-getrandom.patch�- Refresh spec-file via spec-cleaner and manual optimizations.
* Change URL and Source0 to actual project homepage.
* Remove macro %{?systemd_requires} and rm (not needed).
* Add %autopatch macro.
* Add %make_build macro.
- Chenged patch wpa_supplicant-flush-debug-output.patch (to -p1).
- Changed service-files for start after network (systemd-networkd).�- Refresh spec-file: add %license tag.�- Renamed patches:
- wpa-supplicant-log-file-permission.patch -> wpa_supplicant-log-file-permission.patch
- wpa-supplicant-log-file-cloexec.patch -> wpa_supplicant-log-file-cloexec.patch
- wpa_supplicant-log-file-permission.patch: Using O_WRONLY flag
- Enabled timestamps in log files (bsc#1080798)�- compile eapol_test binary to allow testing via radius proxy and server
(note: this does not match CONFIG_EAPOL_TEST which sets -Werror
and activates an assert call inside the code of wpa_supplicant)
(bsc#1111873), (fate#326725)
- add patch to fix wrong operator precedence in ieee802_11.c
wpa_supplicant-git-fa67debf4c6ddbc881a212b175faa6d5d0d90c8c.patch
- add patch to avoid redefinition of __bitwise macro
wpa_supplicant-git-f5b74b966c942feb95a8ddbb7d130540b15b796d.patch�- Added wpa-supplicant-log-file-permission.patch: Fixes the default file
permissions of the debug log file to more sane values, i.e. it is no longer
world-readable (bsc#1098854).
- Added wpa-supplicant-log-file-cloexec.patch: Open the debug log file with
O_CLOEXEC, which will prevent file descriptor leaking to child processes
(bsc#1098854).�- Added rebased-v2.6-0009-WPA-Ignore-unauthenticated-encrypted-EAPOL-Key-data.patch:
Ignore unauthenticated encrypted EAPOL-Key data (CVE-2018-14526, bsc#1104205).�- Enabled PWD as EAP method. This allows for password-based authentication,
which is easier to setup than most of the other methods, and is used by the
Eduroam network (bsc#1109209).�- add two patches from upstream to fix reading private key
passwords from the configuration file (bsc#1099835)
- add patch for git 89971d8b1e328a2f79699c953625d1671fd40384
wpa_supplicant-bnc-1099835-clear-default_passwd_cb.patch
- add patch for git f665c93e1d28fbab3d9127a8c3985cc32940824f
wpa_supplicant-bnc-1099835-fix-private-key-password.patch�- Fix KRACK attacks (bsc#1056061, CVE-2017-13078, CVE-2017-13079, CVE-2017-13080, CVE-2017-13081, CVE-2017-13087, CVE-2017-13088):
- rebased-v2.6-0001-hostapd-Avoid-key-reinstallation-in-FT-handshake.patch
- rebased-v2.6-0002-Prevent-reinstallation-of-an-already-in-use-group-ke.patch
- rebased-v2.6-0003-Extend-protection-of-GTK-IGTK-reinstallation-of-WNM-.patch
- rebased-v2.6-0004-Prevent-installation-of-an-all-zero-TK.patch
- rebased-v2.6-0005-Fix-PTK-rekeying-to-generate-a-new-ANonce.patch
- rebased-v2.6-0006-TDLS-Reject-TPK-TK-reconfiguration.patch
- rebased-v2.6-0007-WNM-Ignore-WNM-Sleep-Mode-Response-without-pending-r.patch
- rebased-v2.6-0008-FT-Do-not-allow-multiple-Reassociation-Response-fram.patch�- fix wpa_supplicant-sigusr1-changes-debuglevel.patch to match
eloop_signal_handler type (needed to build eapol_test via config)�- Added .service files that accept interfaces as %i arguments so it's possible
to call the daemon with:
"systemctl start wpa_supplicant@$INTERFACE_NAME.service"
(like openvpn for example)�- updated to 2.6 / 2016-10-02
* fixed WNM Sleep Mode processing when PMF is not enabled
[http://w1.fi/security/2015-6/] (CVE-2015-5310 bsc#952254)
* fixed EAP-pwd last fragment validation
[http://w1.fi/security/2015-7/] (CVE-2015-5315 bsc#953115)
* fixed EAP-pwd unexpected Confirm message processing
[http://w1.fi/security/2015-8/] (CVE-2015-5316 bsc#953115)
* fixed WPS configuration update vulnerability with malformed passphrase
[http://w1.fi/security/2016-1/] (CVE-2016-4476 bsc#978172)
* fixed configuration update vulnerability with malformed parameters set
over the local control interface
[http://w1.fi/security/2016-1/] (CVE-2016-4477 bsc#978175)
* fixed TK configuration to the driver in EAPOL-Key 3/4 retry case
* extended channel switch support for P2P GO
* started to throttle control interface event message bursts to avoid
issues with monitor sockets running out of buffer space
* mesh mode fixes/improvements
- generate proper AID for peer
- enable WMM by default
- add VHT support
- fix PMKID derivation
- improve robustness on various exchanges
- fix peer link counting in reconnect case
- improve mesh joining behavior
- allow DTIM period to be configured
- allow HT to be disabled (disable_ht=1)
- add MESH_PEER_ADD and MESH_PEER_REMOVE commands
- add support for PMKSA caching
- add minimal support for SAE group negotiation
- allow pairwise/group cipher to be configured in the network profile
- use ieee80211w profile parameter to enable/disable PMF and derive
a separate TX IGTK if PMF is enabled instead of using MGTK
incorrectly
- fix AEK and MTK derivation
- remove GTKdata and IGTKdata from Mesh Peering Confirm/Close
- note: these changes are not fully backwards compatible for secure
(RSN) mesh network
* fixed PMKID derivation with SAE
* added support for requesting and fetching arbitrary ANQP-elements
without internal support in wpa_supplicant for the specific element
(anqp[265]= in "BSS " command output)
* P2P
- filter control characters in group client device names to be
consistent with other P2P peer cases
- support VHT 80+80 MHz and 160 MHz
- indicate group completion in P2P Client role after data association
instead of already after the WPS provisioning step
- improve group-join operation to use SSID, if known, to filter BSS
entries
- added optional ssid= argument to P2P_CONNECT for join case
- added P2P_GROUP_MEMBER command to fetch client interface address
* P2PS
- fix follow-on PD Response behavior
- fix PD Response generation for unknown peer
- fix persistent group reporting
- add channel policy to PD Request
- add group SSID to the P2PS-PROV-DONE event
- allow "P2P_CONNECT p2ps" to be used without specifying the
default PIN
* BoringSSL
- support for OCSP stapling
- support building of h20-osu-client
* D-Bus
- add ExpectDisconnect()
- add global config parameters as properties
- add SaveConfig()
- add VendorElemAdd(), VendorElemGet(), VendorElemRem()
* fixed Suite B 192-bit AKM to use proper PMK length
(note: this makes old releases incompatible with the fixed behavior)
* improved PMF behavior for cases where the AP and STA has different
configuration by not trying to connect in some corner cases where the
connection cannot succeed
* added option to reopen debug log (e.g., to rotate the file) upon
receipt of SIGHUP signal
* EAP-pwd: added support for Brainpool Elliptic Curves
(with OpenSSL 1.0.2 and newer)
* fixed EAPOL reauthentication after FT protocol run
* fixed FTIE generation for 4-way handshake after FT protocol run
* extended INTERFACE_ADD command to allow certain type (sta/ap)
interface to be created
* fixed and improved various FST operations
* added 80+80 MHz and 160 MHz VHT support for IBSS/mesh
* fixed SIGNAL_POLL in IBSS and mesh cases
* added an option to abort an ongoing scan (used to speed up connection
and can also be done with the new ABORT_SCAN command)
* TLS client
- do not verify CA certificates when ca_cert is not specified
- support validating server certificate hash
- support SHA384 and SHA512 hashes
- add signature_algorithms extension into ClientHello
- support TLS v1.2 signature algorithm with SHA384 and SHA512
- support server certificate probing
- allow specific TLS versions to be disabled with phase2 parameter
- support extKeyUsage
- support PKCS #5 v2.0 PBES2
- support PKCS #5 with PKCS #12 style key decryption
- minimal support for PKCS #12
- support OCSP stapling (including ocsp_multi)
* OpenSSL
- support OpenSSL 1.1 API changes
- drop support for OpenSSL 0.9.8
- drop support for OpenSSL 1.0.0
* added support for multiple schedule scan plans (sched_scan_plans)
* added support for external server certificate chain validation
(tls_ext_cert_check=1 in the network profile phase1 parameter)
* made phase2 parser more strict about correct use of auth= and
autheap= values
* improved GAS offchannel operations with comeback request
* added SIGNAL_MONITOR command to request signal strength monitoring
events
* added command for retrieving HS 2.0 icons with in-memory storage
(REQ_HS20_ICON, GET_HS20_ICON, DEL_HS20_ICON commands and
RX-HS20-ICON event)
* enabled ACS support for AP mode operations with wpa_supplicant
* EAP-PEAP: fixed interoperability issue with Windows 2012r2 server
("Invalid Compound_MAC in cryptobinding TLV")
* EAP-TTLS: fixed success after fragmented final Phase 2 message
* VHT: added interoperability workaround for 80+80 and 160 MHz channels
* WNM: workaround for broken AP operating class behavior
* added kqueue(2) support for eloop (CONFIG_ELOOP_KQUEUE)
* nl80211:
- add support for full station state operations
- do not add NL80211_ATTR_SMPS_MODE attribute if HT is disabled
- add NL80211_ATTR_PREV_BSSID with Connect command
- fix IEEE 802.1X/WEP EAP reauthentication and rekeying to use
unencrypted EAPOL frames
* added initial MBO support; number of extensions to WNM BSS Transition
Management
* added support for PBSS/PCP and P2P on 60 GHz
* Interworking: add credential realm to EAP-TLS identity
* fixed EAPOL-Key Request Secure bit to be 1 if PTK is set
* HS 2.0: add support for configuring frame filters
* added POLL_STA command to check connectivity in AP mode
* added initial functionality for location related operations
* started to ignore pmf=1/2 parameter for non-RSN networks
* added wps_disabled=1 network profile parameter to allow AP mode to
be started without enabling WPS
* wpa_cli: added action script support for AP-ENABLED and AP-DISABLED
events
* improved Public Action frame addressing
- add gas_address3 configuration parameter to control Address 3
behavior
* number of small fixes
- wpa_supplicant-dump-certificate-as-PEM-in-debug-mode.diff: dump x509
certificates from remote radius server in debug mode in WPA-EAP.�- Remove support for <12.3 as we are unresolvable there anyway
- Use qt5 on 13.2 if someone pulls this package in
- Convert to pkgconfig dependencies over the devel pkgs
- Use the %qmake5 macro to build the qt5 gui�- add After=dbus.service to prevent too early shutdown (bnc#963652)�- Revert CONFIG_ELOOP_EPOLL=y, it is broken in combination
with CONFIG_DBUS=yes.�- spec: Compile the GUI against QT5 in 13.2 and later.�- Previous update did not include version 2.5 tarball
or changed the version number in spec, only the changelog
and removed patches.
- config: set CONFIG_NO_RANDOM_POOL=y, we have a reliable·
random number generator by using /dev/urandom, no need to
keep an internal random number pool which draws entropy from
/dev/random.
- config: prefer using epoll(7) instead of select(2)
by setting CONFIG_ELOOP_EPOLL=y
- wpa_supplicant-getrandom.patch: Prefer to use the getrandom(2)
system call to collect entropy. if it is not present disable
buffering when reading /dev/urandom, otherwise each os_get_random()
call will request BUFSIZ of entropy instead of the few needed bytes.�- add aliases for both provided dbus names to avoid systemd stopping the
service when switching runlevels (boo#966535)�- removed obsolete security patches:
* 0001-P2P-Validate-SSID-element-length-before-copying-it-C.patch
* 0001-WPS-Fix-HTTP-chunked-transfer-encoding-parser.patch
* 0001-AP-WMM-Fix-integer-underflow-in-WMM-Action-frame-par.patch
* 0001-EAP-pwd-peer-Fix-payload-length-validation-for-Commi.patch
* wpa_s-D-Bus-Fix-operations-when-P2P-management-interface-is-used.patch
* 0002-EAP-pwd-server-Fix-payload-length-validation-for-Com.patch
* 0003-EAP-pwd-peer-Fix-Total-Length-parsing-for-fragment-r.patch
* 0004-EAP-pwd-server-Fix-Total-Length-parsing-for-fragment.patch
* 0005-EAP-pwd-peer-Fix-asymmetric-fragmentation-behavior.patch
- Update to upstream release 2.5
* fixed P2P validation of SSID element length before copying it
[http://w1.fi/security/2015-1/] (CVE-2015-1863)
* fixed WPS UPnP vulnerability with HTTP chunked transfer encoding
[http://w1.fi/security/2015-2/] (CVE-2015-4141)
* fixed WMM Action frame parser (AP mode)
[http://w1.fi/security/2015-3/] (CVE-2015-4142)
* fixed EAP-pwd peer missing payload length validation
[http://w1.fi/security/2015-4/]
(CVE-2015-4143, CVE-2015-4144, CVE-2015-4145, CVE-2015-4146)
* fixed validation of WPS and P2P NFC NDEF record payload length
[http://w1.fi/security/2015-5/] (CVE-2015-8041)
* nl80211:
- added VHT configuration for IBSS
- fixed vendor command handling to check OUI properly
- allow driver-based roaming to change ESS
* added AVG_BEACON_RSSI to SIGNAL_POLL output
* wpa_cli: added tab completion for number of commands
* removed unmaintained and not yet completed SChannel/CryptoAPI support
* modified Extended Capabilities element use in Probe Request frames to
include all cases if any of the values are non-zero
* added support for dynamically creating/removing a virtual interface
with interface_add/interface_remove
* added support for hashed password (NtHash) in EAP-pwd peer
* added support for memory-only PSK/passphrase (mem_only_psk=1 and
CTRL-REQ/RSP-PSK_PASSPHRASE)
* P2P
- optimize scan frequencies list when re-joining a persistent group
- fixed number of sequences with nl80211 P2P Device interface
- added operating class 125 for P2P use cases (this allows 5 GHz
channels 161 and 169 to be used if they are enabled in the current
regulatory domain)
- number of fixes to P2PS functionality
- do not allow 40 MHz co-ex PRI/SEC switch to force MCC
- extended support for preferred channel listing
* D-Bus:
- fixed WPS property of fi.w1.wpa_supplicant1.BSS interface
- fixed PresenceRequest to use group interface
- added new signals: FindStopped, WPS pbc-overlap,
GroupFormationFailure, WPS timeout, InvitationReceived
- added new methods: WPS Cancel, P2P Cancel, Reconnect, RemoveClient
- added manufacturer info
* added EAP-EKE peer support for deriving Session-Id
* added wps_priority configuration parameter to set the default priority
for all network profiles added by WPS
* added support to request a scan with specific SSIDs with the SCAN
command (optional "ssid " arguments)
* removed support for WEP40/WEP104 as a group cipher with WPA/WPA2
* fixed SAE group selection in an error case
* modified SAE routines to be more robust and PWE generation to be
stronger against timing attacks
* added support for Brainpool Elliptic Curves with SAE
* added support for CCMP-256 and GCMP-256 as group ciphers with FT
* fixed BSS selection based on estimated throughput
* added option to disable TLSv1.0 with OpenSSL
(phase1="tls_disable_tlsv1_0=1")
* added Fast Session Transfer (FST) module
* fixed OpenSSL PKCS#12 extra certificate handling
* fixed key derivation for Suite B 192-bit AKM (this breaks
compatibility with the earlier version)
* added RSN IE to Mesh Peering Open/Confirm frames
* number of small fixes�- added patch for bnc#930077 CVE-2015-4141
0001-AP-WMM-Fix-integer-underflow-in-WMM-Action-frame-par.patch
- added patch for bnc#930078 CVE-2015-4142
0001-WPS-Fix-HTTP-chunked-transfer-encoding-parser.patch
- added patches for bnc#930079 CVE-2015-4143
0001-EAP-pwd-peer-Fix-payload-length-validation-for-Commi.patch
0002-EAP-pwd-server-Fix-payload-length-validation-for-Com.patch
0003-EAP-pwd-peer-Fix-Total-Length-parsing-for-fragment-r.patch
0004-EAP-pwd-server-Fix-Total-Length-parsing-for-fragment.patch
0005-EAP-pwd-peer-Fix-asymmetric-fragmentation-behavior.patch�- Add wpa_s-D-Bus-Fix-operations-when-P2P-management-interface-is-used.patch
Fix Segmentation fault in wpa_supplicant. Patch taken from
upstream master git (arch#44740).�- 0001-P2P-Validate-SSID-element-length-before-copying-it-C.patch
Fix CVE-2015-1863, memcpy overflow.
- wpa_supplicant-alloc_size.patch: annotate two wrappers
with attribute alloc_size, which may help warning us of
bugs such as the above.�- Delete wpa_priv and eapol_test man pages, these are disabled in config
- Move wpa_gui man page to gui package�- Update to 2.4
* allow OpenSSL cipher configuration to be set for internal EAP server
(openssl_ciphers parameter)
* fixed number of small issues based on hwsim test case failures and
static analyzer reports
* P2P:
- add new=<0/1> flag to P2P-DEVICE-FOUND events
- add passive channels in invitation response from P2P Client
- enable nl80211 P2P_DEVICE support by default
- fix regresssion in disallow_freq preventing search on social
channels
- fix regressions in P2P SD query processing
- try to re-invite with social operating channel if no common channels
in invitation
- allow cross connection on parent interface (this fixes number of
use cases with nl80211)
- add support for P2P services (P2PS)
- add p2p_go_ctwindow configuration parameter to allow GO CTWindow to
be configured
* increase postponing of EAPOL-Start by one second with AP/GO that
supports WPS 2.0 (this makes it less likely to trigger extra roundtrip
of identity frames)
* add support for PMKSA caching with SAE
* add support for control mesh BSS (IEEE 802.11s) operations
* fixed number of issues with D-Bus P2P commands
* fixed regression in ap_scan=2 special case for WPS
* fixed macsec_validate configuration
* add a workaround for incorrectly behaving APs that try to use
EAPOL-Key descriptor version 3 when the station supports PMF even if
PMF is not enabled on the AP
* allow TLS v1.1 and v1.2 to be negotiated by default; previous behavior
of disabling these can be configured to work around issues with broken
servers with phase1="tls_disable_tlsv1_1=1 tls_disable_tlsv1_2=1"
* add support for Suite B (128-bit and 192-bit level) key management and
cipher suites
* add WMM-AC support (WMM_AC_ADDTS/WMM_AC_DELTS)
* improved BSS Transition Management processing
* add support for neighbor report
* add support for link measurement
* fixed expiration of BSS entry with all-zeros BSSID
* add optional LAST_ID=x argument to LIST_NETWORK to allow all
configured networks to be listed even with huge number of network
profiles
* add support for EAP Re-Authentication Protocol (ERP)
* fixed EAP-IKEv2 fragmentation reassembly
* improved PKCS#11 configuration for OpenSSL
* set stdout to be line-buffered
* add TDLS channel switch configuration
* add support for MAC address randomization in scans with nl80211
* enable HT for IBSS if supported by the driver
* add BSSID black and white lists (bssid_blacklist, bssid_whitelist)
* add support for domain_suffix_match with GnuTLS
* add OCSP stapling client support with GnuTLS
* include peer certificate in EAP events even without a separate probe
operation; old behavior can be restored with cert_in_cb=0
* add peer ceritficate alt subject name to EAP events
(CTRL-EVENT-EAP-PEER-ALT)
* add domain_match network profile parameter (similar to
domain_suffix_match, but full match is required)
* enable AP/GO mode HT Tx STBC automatically based on driver support
* add ANQP-QUERY-DONE event to provide information on ANQP parsing
status
* allow passive scanning to be forced with passive_scan=1
* add a workaround for Linux packet socket behavior when interface is in
bridge
* increase 5 GHz band preference in BSS selection (estimate SNR, if info
not available from driver; estimate maximum throughput based on common
HT/VHT/specific TX rate support)
* add INTERWORKING_ADD_NETWORK ctrl_iface command; this can be used to
implement Interworking network selection behavior in upper layers
software components
* add optional reassoc_same_bss_optim=1 (disabled by default)
optimization to avoid unnecessary Authentication frame exchange
* extend TDLS frame padding workaround to cover all packets
* allow wpa_supplicant to recover nl80211 functionality if the cfg80211
module gets removed and reloaded without restarting wpa_supplicant
* allow hostapd DFS implementation to be used in wpa_supplicant AP mode�- Update to 2.3
* fixed number of minor issues identified in static analyzer warnings
* fixed wfd_dev_info to be more careful and not read beyond the buffer
when parsing invalid information for P2P-DEVICE-FOUND
* extended P2P and GAS query operations to support drivers that have
maximum remain-on-channel time below 1000 ms (500 ms is the current
minimum supported value)
* added p2p_search_delay parameter to make the default p2p_find delay
configurable
* improved P2P operating channel selection for various multi-channel
concurrency cases
* fixed some TDLS failure cases to clean up driver state
* fixed dynamic interface addition cases with nl80211 to avoid adding
ifindex values to incorrect interface to skip foreign interface events
properly
* added TDLS workaround for some APs that may add extra data to the
end of a short frame
* fixed EAP-AKA' message parser with multiple AT_KDF attributes
* added configuration option (p2p_passphrase_len) to allow longer
passphrases to be generated for P2P groups
* fixed IBSS channel configuration in some corner cases
* improved HT/VHT/QoS parameter setup for TDLS
* modified D-Bus interface for P2P peers/groups
* started to use constant time comparison for various password and hash
values to reduce possibility of any externally measurable timing
differences
* extended explicit clearing of freed memory and expired keys to avoid
keeping private data in memory longer than necessary
* added optional scan_id parameter to the SCAN command to allow manual
scan requests for active scans for specific configured SSIDs
* fixed CTRL-EVENT-REGDOM-CHANGE event init parameter value
* added option to set Hotspot 2.0 Rel 2 update_identifier in network
configuration to support external configuration
* modified Android PNO functionality to send Probe Request frames only
for hidden SSIDs (based on scan_ssid=1)
* added generic mechanism for adding vendor elements into frames at
runtime (VENDOR_ELEM_ADD, VENDOR_ELEM_GET, VENDOR_ELEM_REMOVE)
* added fields to show unrecognized vendor elements in P2P_PEER
* removed EAP-TTLS/MSCHAPv2 interoperability workaround so that
MS-CHAP2-Success is required to be present regardless of
eap_workaround configuration
* modified EAP fast session resumption to allow results to be used only
with the same network block that generated them
* extended freq_list configuration to apply for sched_scan as well as
normal scan
* modified WPS to merge mixed-WPA/WPA2 credentials from a single session
* fixed nl80211/RTM_DELLINK processing when a P2P GO interface is
removed from a bridge
* fixed number of small P2P issues to make negotiations more robust in
corner cases
* added experimental support for using temporary, random local MAC
address (mac_addr and preassoc_mac_addr parameters); this is disabled
by default (i.e., previous behavior of using permanent address is
maintained if configuration is not changed)
* added D-Bus interface for setting/clearing WFD IEs
* fixed TDLS AID configuration for VHT
* modified -m configuration file to be used only for the P2P
non-netdev management device and do not load this for the default
station interface or load the station interface configuration for
the P2P management interface
* fixed external MAC address changes while wpa_supplicant is running
* started to enable HT (if supported by the driver) for IBSS
* fixed wpa_cli action script execution to use more robust mechanism
(CVE-2014-3686)�s390zl31 1708962535�����������������������������2.10-150500.3.3.1�2.10-150500.3.3.1���������wpa_gui�wpa_gui.8.gz�/usr/sbin/�/usr/share/man/man8/�-fmessage-length=0 -grecord-gcc-switches -O2 -Wall -D_FORTIFY_SOURCE=2 -fstack-protector-strong -funwind-tables -fasynchronous-unwind-tables -fstack-clash-protection -g�obs://build.suse.de/SUSE:Maintenance:32791/SUSE_SLE-15-SP5_Update/92c4c1ac4c1b5c1bddbd97dfd31e26c2-wpa_supplicant.SUSE_SLE-15-SP5_Update�drpm�xz�5�s390x-suse-linux�����������ELF 64-bit MSB shared object, IBM S/390, version 1 (SYSV), dynamically linked, interpreter /lib/ld64.so.1, BuildID[sha1]=ebdbb61c3157dd2a2ac7399e57a3f78f7bcf46dc, for GNU/Linux 3.2.0, stripped�troff or preprocessor input, ASCII text (gzip compressed data, max compression, from Unix)�����������������R���R���R���R���R���R���R���R���R���R��
R�� R���R���R���R���R��
R���R���R���a
0<8r%$TM:����utf-8�c710ecd22d7083385758918ee482c19040255930ca401938dd058639eba2bf31���������?���� ����7zXZ��
���!�����t/�]�"��k%}RUJz�x�+P]8\�Q.|�~S
G
F�=!b
�|G��M
ʴUbyN)uff
*w[T#
Ŝ{}@��S�ti/ZD$잰G<�=�m<���h,c 4�sy&A�"JNwu5
{���˛~(X8w`lC>|��S����4QXoY͢���*m�Υs#bt&�r_�uJ��J-�|\I�Nޮw�'Z�$]R�/�
Y&Jw;{A
@�
X%Ԓ�AZŸ(26�V�2TCwT'=Cñ͂l��ѕ}S�^́>Q
�sLm)HeJlNN�.K�̆q��Q\R鳫a!#�.X͟D]U��
�/c!1O��id!a_pWDM6C 7���dyo
o�J:13+@|sF^>,�qӑPʲ�;̥ |á\%�爬�.igeQ>ɚ8m�0㠈�&cx�H!3�KIS3�zn��̢��m�`R1E#�蟶\�,^@iv�s]���2AB^�691ta�q]�H2xP;+�m�/"#3MGL [,M^'}
1K��pfDz�~~1нc92Vw6�J�Y^q ��JQ5];"m9PF$��k[�"!d:/�t�(�3b<����ҼA�ֹ1@v7'i!��/���]�vZ،{�l �nb7%�ء/ t�pE9%?M-�=�d�}�ٔ_=D(|_&,��ˋe�@*Ūc�@G$^9�GŒ2c
t%d2\c#�O�?.T�|yp 1/g=TQyQ߫C2O�b'JA��x?��%^~:"|\p(o*:8�ljcU}Fd90��T,[�}�no_Qz�B;��?��O�
?2dŧ1Y�(.Z`�}�d\qW�%3� WpO�&�zn3I'�g,&�NH}#�[n|�~�4AHL1Dߊ�WsH<*���nܼC+J�{I?⤣[~A4Jav�)9ʒ?�1z+��oBqLFscM�ӽ�>:g�V~g0bvL$ЄB±
�ޏ'>�USx�]ϭ(�k�W�<"0>e,)в��ưvD Ěz뤳>i��. KRƩ�P(dF-�r� �)nXcS;*;FE�gr5[{6
��:
�B .4̂7ߊh�]cK�8է�b(M�V2�O/p��Ul��6n�"�VăZCkh?]u䛈
G*Olf$d3:G�J;|[쥅@ܜ5w�3m�WԄ+JT°TzY^�I���,�& Ia|]��ir�XF=.XB xy0DC3����tz@Y`trV�A%��D�A�:<Ļºj]YmIf
�M3j�z�jC:�ؒ�<-�^
b>qDndg" �ͫcb~kByIģV�bv4ɿ*{PIޫ�=][r#G�0}ǒp|l#�̩�WyO]��[h),,[>wL㙖T�.!]�ֿ[�9hg1v#�C
RL�Q3W7()
�nfb"Gtͣ�Ҁ+8ںc!ӥo�%©�}ǿ<:E)Z.JE)bZXyGRZyg^^�4��^C#!lu~2pF'>I��Lb����0Z8W&�`wIMgw�
VR�A鉶}/KjM/Dgu9/fL>6;@r̋Hɂ+Z�Z%SD\A�G"ĠU7DN*6Z�hPK�v�YRܜ��ƫ['�>(XH�+�@�sTT[��/�!M�QrNfU� CU
?��C�+g��/Hw2d
0iDXڮ2T�f��W���eZ`|Aɉi�r^�%7]�u�Tݔ]+fp}M�Йd�X蛤�S�(�t?NM,*ď.Չ[v`2�x0kh8Hq_`YWf�Cld|I J4l_k|�#�4˄r�`-z=c̆
��I.E7��dFŸ#58�;�UR%�CfV39E76�E1JYSOw�bԾ'p-��AP̗Ç�T�,�1�J�y!�"L;U���E
WȐ��X-�OE+_��a=nd�T�xC�/�Nm�
�|5(�+#y�B�j({P�궂ʁO��ӖR/{ @�r����RKlw�$esg{梲'<ݪ#
��}�`TiVPi,Է�J?47v qAhq�}vĭ<ƴ2P.H2+ �i<�uA${%U2l;fD2fn�6�o쓾˷B:��U�T{��'|(56LڼW^5�g��W)d�V��ص�/)!�م`x}Y!`f�E=L�q";Μ!CԘ��:|�� ,8y*�eOnQ��dS0'a8͙Ơ]%Ok(�0/j��N@_Xڏtd+�~.?9��yir
�yT㥘#va6I?�Cp�;HK
�t#Wtt���?M�ѤMt�/�AMm���MOaU61>B{�_W�X߸,y#��S< $hT���'.%V?x�&c��4b�wc�{�0Ȫ'C^O5�4dLň�*&c:ה$�4$ �� 18uk:�wk7�冶U݉&�wQ�}XeJ.�i"1K�w�'ڪY4Ќ�=OBh�i�ڽ\��S9��ݳ62w9q+� lB�n�wHAc=�(\_fG0
< F}S�d�z^ DBak,1.�
S��$u0-D]W `*?]I:
��sbl9�/�h,Q1A}zʠI)�Jع�B�E饷�br\�B5,w�\l�]֫w�2Ov,gS5z�ٱM>f$XFy$ڗ;h�<�`Z?�Y1-͞>-^JBy^��G %)3�4Dã-{,o�>mɥlcʩJ
G��Q�."io⟷k9���Sʢ;/{9QR(CW=U��Oa�\�p`飧��ckի�m�zi�$6( �
~~}J*!ƅ��"L:n�2u�5�4}@ҰNYl�j'_X63y�GM�1;�o�OYudkShUt>S���,a���P�]�")U�L\bvl!2W6JW.^�X#s�;/gx�ҕ�W2phPp�T@hN
ɰIYrĮ�H>��82Fl�L�VQ�p�\�3VA g'3lD&>%^!�8�[MT�>V-�V(~Z��pW,zjq�M >
^v�> �3'DnJ1�ti-X�垸C�|o.QDMWQPv�*Ix+�s`_b�P3#���f�w�g]�[8Z�:'ԙ;�R�4�A�`
�&�A>loKS�UfL$OY{��7h1yN:O-}�y�6v
�ەH[z�rL`f&q��~Ѭ�&0C[{'�ʐ�o�/烻5KF�-:ir*�%ʵ*�EݐHﮒUv�ٳ&�2q4�D�jr05�m@~LI2vЧ�XD�H�0%~zЊ�Zo17ߺIǗ1{g7?)#�w!�jKA�gdu~���D9W��fh(��A�I
�?]eQ�Qt��1Ƕ*;r]ITX�@ޖ�FW���';`�2�Zؒ+F~7g�H3�LJ>2r;w�AИ��#�Fw�%@"�*n0�S%R.ۧiy�X^⌨�7h�1NĶSWAU$29m~�Ug݀_/] �sjEI{1dîzR5Bk�p;��{^lDY�fX�yFq�-P^*qEt�#$H9`%E'K0�A9sUﻯ,*l��L`8�1��Y�[>�ƴAb6!(ZziVϣ�X�d�-[/o��*�� GzpcyG
@E#@
=`�4[X��CU�\m�&͂=Gr3�+��r^�~1�y�5RFNs= �La8BM��/G�D\xw?r.F�J��#{}o*,�6ˋiW�5>FH�p18�RO� C���V��WAZ�{�V/�`�U����\Nq b�~|s��+�DxR1�L!^:&{Vļ`l)y,�+fbU'ʻW\�}PjGP
9YrSUj0y˵x�7$)'?R ��/
o�i_U[Zk
�Z+DA�qVq�LMe鬤"3k�$EoͼSA�̩/"��#͉_�s�;H=�k&:�Tgluy�C8DG؞λf#X>.z%ky�"2{>Yct��VsW0�RQrkX7~USiFbDV=��7QJ�`@he�څxtx)rJ4dAQq�;STS�h(7*Y'e\p�i҈Pg;_@A�6JJS6#��OQ]FDF�@4H51�/a5�NT�{�N={*�5
�(k'��̖e�izH\V*ey`o�n^
a1xnV@by=��o
д�u
˝gS"�i{
v�#
bHS䧎r$7�I,3M*a`V:)�f[A�u�Ac<ˇ^�4.?U:TH�
020o�w"In[���{B�f~.C�5�+-tr'tBn�0IYFS7x��b,!N�ԨJը�t��X�|'!*<::YE���% Q|4�
7rq�P\d0
~Gek�χy\
pA-,K�j
/QTۢ0�]-Y� JVzj#ا>hH.PZ,B]A[�a]m5fF�F`YƝwy}��rrlX"L\Qkq�Fo>9`X�P�%�rK\6e��'�:)f�D1A
cdW?@"m̊z��C:�
e`$"x+̨PŞ%0<<�bm#bI�*.:
�,�R}GP.��*~sv'�_ݵ#%r�4�E
-4)t�+mO!�ް2XNk�C5S�-5�T�4n �(VN:R-5gzv��h7)�p?~Bڙ��F�V˾ ��?r['�̎O&O@6�cWh�~Zcady2�QJ5d.��ʠ̞nHM6�|sy"+\%�ںT�mLm`!U3>Lͼ|K]*gC8;CV%Oް:,g�r:T�Qi"ch EKuT6uV�
�f4u/#.�E�J)&E9}DM�"���V',�i�f�a[`Ub%E#j@\�Q$Ɖ~HWB[D]�(Ps�7d+JĭK;!@�~�Ŷݔ��r@!4Yz�g5==zoL)ۄ;�Yfw��ȚOrz[2�Yh�TNǯGz\�+"��$�?Fѻ�,{�w���ւPð$?6u_�2bzDWL#-Q�7�tۜ&D�1�Et')�U7WP�iJ�=AFD]weu�9�W`�qE-DCO�!@ډwfN�;W!oK1�2|)y�ċ��tԱ36�/9wEA=_"1{�h5��ˠ�Q��|��oK31TM`U*�6�H=B.�7�|�xspGʽ~�&F�' �A?�KQ#sHs�52�"�8^�(�~-
r^(��Fpxj'dG%1���
�MT{ A��5-C
�vE1T
�lg�wG��J�}��rݞ�!�d� k;7Xr`
(h(�;� V^?�gZm�V?�tо]ʝ
\ͱtfʶ6@�rV�BFB4-�j�x }?e1�̉�[]_/ZQ ˛BO@30Jzz'�U4�-�Hj�kHɁs_O�龏��_c}�C�;�GO2=^YΆFNLnٓ7,a'`8Ny=nj}mt;�r�TW,:C0~7.Bh�*�t�ci]T�����#d-��4\s��;F%-�#]RPbP�yUCvd?s"�E]iN�x)`T Ջ^�G@�5�Jj L�0w_{�Ot�$`Hio�<�
�O!pֺ%0�"밫O?b*Deˇ(X����0J���S:?c�%m�`'��ʚ7��$B�<+SAi)n
[_8*4=9t��`JNm;$\9H&��
P��(�U�))[N j|ԡφ�J �5>F
Fb�ϊʕd̡�"fA{>�(fNovpRy{/�80�YF ��jkPdsx^ſ��sj_OU��o�C$1,y�^J[^�քGY3?FȋfXR��,q{-7s%22q�u�QJ"є҆y;�*e$x�T~�viE
H(WE��<�n?.8t5nJ�dMAl�g�ZW1Lu=a9ghL9ep+$"ӓIa~�'m!?��5W���$4�LTa,��vj[C, �"]CzirPӓ~%x��ŊumsV"sѐݘjHR7D]XuO�c�Gjzσ0ץ""
�0Q�ƇoUԲN�]r9˞=YZa)��+&-r폍@j��"j�u�Eh
��}xX6kE��vלC
QJ[�깗q7�w:ԺX.|ttݔ'w#[��(�B%tJCG+�[E[TYSV[D0ɭ�"eqpL�!�y+R�q! x�N,kmȓߤ�J �VM$@�_7�~$D֨5vg�%ݏ3�t�7\ҳy}XS}�(�XQΘ�Y
vL#nW�\ʊ[pTν(X+"7hEFxBmݞg.nuf��g�8�W1=�m/t
�Ѻ&53�%ʁ/歹VwOMZxE�F�3�$Tmt��c4t�ҁ�?�PyNG*)4"��$TcQ:ҼoMUH��snvUó}�tD#H8O��?�tv̊poPK# +dJ
Wľ�FΑEf[��_8�mjYTxN_y-Aq!=5K\H�|�T^+
~WMtB�K¹1ФD@1i.p�:d"Ѐ��n`�l��xnk��ٯ<
ќ ��@=Cxob~hl���*}�Ɩ�Y�o
l�C$\YS�L}}T�gf���@fdES/�ZNQ�?�îKK3�a?�F
µ7X^#�?ma���[I̥(/#@~B]
F6̍Ƶ7�mnz[ae5%ƜIC��}N/|OUN[Dk��
3�ډĞ9dAv�X9� H"`HTB�*mԟS;pW 3m6OEٮ^a�Cx6Wu{.�B++�~)kARjz)Ǻ,�L>Vz2�|�f*+B�.LxuF�"!D]ݹ��]Q��霻%�EH0^⫉/.ԩf%}�'8=���0,�K���8�#ãm�\@ x&ssUX(\IeU}"AI)r`jy
� �'_&)lBR$Vڢ|jI,;C`]o-Y?d(r vkDn�E�#ߠ��Rn˩
9�u$ߘ) A_M�oe>�Ӏ=��
�va;-0vB4�+g��(YL�\E��D%>[���W֤b�\g#�Ry3ƫXMϫ
/�q���Oc~,�K�ಧ�ȅ͙Ss
��a�_ń
\/+7f!g-PV��f�dY*�+
%)BB,W�deȞ�gl�ۗ&DYN�L?jTXtl ǒYp~~32zL
�א�N)vS,&ϮNѕjs�a!N0qK�=X�B:�Inmc5�#�V͞Pln`dLy9����
X~1 ao1E�*�O%fE��*\r�2k(yր��mzCw4vP���]x�[}�>J�w X^YwuC%�MZ%І?�q�4�\�2�/�C<§ۃǃ
Z�IoXF�όU�i�IUIE\_6�t۫Ur�#�S9�粲>]_t46�IiA'}j�Q$jJ[d�~A,:d-aw=Tѕ�I/�~�4�uCtLy�ݧ���)4�s7�rFc�I�E9%)a�fw�#TB$,Xo�Ǜʎf_�VȐ�/hQi\iz=DEVr81X�uti'3\%_ǺlMuQ��~?ٵ)�[twH^W���ٽVgj�*�`3q\Q��D[25�2m`g/vh3@c[\wgz
J��|+�ܵ,87�2�''%�\�t[gmUΰ�s9�3��r}j
nJ�ʤ="5�F^]G�t *��͑A`�A!D, qXJZ<�
T%|Ж'�â�YHULԝ��V|��A�ޖK0r;�tv�wx`eOohP}�>M<̛@a~�/�|P32�VJ,*Ռ_VKl"�|1z;�lۥ�D!%cdƅQZXq:"J� 3frd�4$ߥ8:@9F�d(Va�aYs3pB%CYV̞wZJ_i{_"B%�E)�g&-�ʩI�D�Tg)$����rJ8�=D�$C^� -�{YA6˼| ��
S(�둺R�W3>�0k=rCI�gK�R�pd�G�ួT9DVQ]9ΰz o�a��_Lؙ�0|U�Nڵb@nt0(/�ڸ+R8I_�*�VKS)|c��dȭg>Ϥ�>fߥ) �Կ�ЬIr|�|���1Յe$c=AAI5䚆���+ς���VRl/wME�q:?M�-bK��TAp�
;6..Ɨ^%���
zɞ�E��g{Hn�M>zޮѝ2�[= �%ؼ+N�=g4�2֎.�"
�o=60 =�$-j
B-IaI\�a@5,h>w}>:�R-.�N;]&.8iĠ_Ikz!2pE֮۽]^�º^1��SRT5]_(ZhܺSB lf�eA�1�hs":���OmT/s$W
x!IjxzmPNrw�q]T� 5J�ys>_[sOIyw2EC/:3�[y)s⤱y;+y 26H�@䷁' ��)aڛ�VFQzM!"w˳s�+(('�ncG%�J�诺�l� �SS6��4��Q\H\ݓ�'D�ȑ'^%ȥl=R�ܬy`Uz#�*E�gc0?�D\/?ld�If~ROJ�K%yI^�4�~8�Rz6ֺ!�k(�r�2i ݙ#b�lO��ąHW~A�f;eFm�hnNٸ-�ݟ1�(CrBR(;Sȿ>@&ttHY!-4�%��Z6��>n#pn[��?&Ѓlh8�&AC��`{/{hr�N}Vǥof�{5��q�vWk�r�U�+� Ͼށ%�p}�{wh|׆ǥ/|"��r(~�{|�IJ�K4[C�c�$<]X=@^m}GwE
��H�/rP��}HkRѺVg40vo"ͯ�z�d@d*6?�.
'6?�7oN|_PJƈyOS]ާ�hc/-��L+�⅞_K\YX6(:H9q�72ns6k�`*op"�;�'���-Η%:+��LXԬ|1��}�Χ0ĥpYC`�:˨}F=xӒv?t=O�ǵb4\'ECB�M#}}��e:fÓMk�cI$qN�9xa@B7)RP�'�#Lް*1 �
=�z\
KiGrμ!�b-/���8^o:�`�&QrK�t+@Ɨ�m��77&b|��89RR}�ko�F�ggn zE2t)9yX"�ĶwU�"`ڝPH_�F�l
%'||1~W/و�'
wH:mn_Qk�^nPoۖUip�w9!
R�xvըOڻCv
^ح~?ɊQQyAIOH_2Õ4/T/KNѢ
V�:>�|�s1*^hl]��{C|ȕy^6bLmp�M6Ђж< H\k��i@Vfcɶbxs"�/t'rFE4z �V�}棓&�'"�DȢٵ�RuZj *�]`�
wg&.�#�n�.w6sU3 7*.K8'3`��l_�A<�ƵpN'W6fXߠ�](�*[wúV(M@1�ީN�$�=�
Z jnaJ@lc[��v�0߮4)HNG,D_�14��00n0k���E:˜Q&UŴJPpK=G&MH��!}RS[w?�fs+�'RC^+~EI��n�W�;�Vl�1LH�X��hoOT_��\xiU�P% �hhse)|)V� #@��
Yg(vwg$ihIfEtuw1vf|u�xi�HDB��4˚LeנW?()V�>"T}tI�c�Z3kC1�s��5:\'�a@AW_֍c�ЇJ!�gh�:[+��qtϭ� oR[t`�J)X8U`I29��X�oPq!�ap:fG0ի�ѓ⾮�xKD9Z{U["rw�u9���Q3M�Y#v�EJ$Q_9CD�.|�(%?]�N�4�\J;P>f.V'*#!�gMҚHܰ<�����cˀҪ6i�.5=LW6ɺR "ﰡ0g$ҏ4OorPjSG�N:6�7X%|X.y/J�[�\S/Hm$4ﻤK�{>\~^! jSHc]iEEuLCM@� �cPG,F�b7iI�q`��wȵis�K�͙Iyj줉O�fyb=�D�)�fŠR�$љSL%{T�C$)Y}Vo0),�WZ%�,Vj}`�'3�|ouG5Dj;xWT]7qtSA|^Y&�[�Yg9oۿD58XWޔ:%E�#GeP�.♭1�3%GW�4��c�[��Αǥd鱛 ?/,VH$%:D?hm�LQ?�5n'(9�4F��en%��e�|"!y�g-v?\Q�ފ|��~p,*�~8,vzI_*_?`)*I3�1j6"��UY%eꅼ>Rn}g;d+~Iưe�u,Li,Ax�iv�q[
�oh`�\*9B[�B,z� 5+9Dy[t`fԾMM���\Dވh7_2JO xhsb|)*%[#&ܧ$gZ줛UJ6(cй
뿻.!(,�a�G{�ZV�k48x��D��":u�5jV�Em�.�%K3sXF3FLvQK�ښBQX#x�Hv7DJJ?C��Bx>4�fM2�%�ʃ�UYgj��+x%$�T'�T5O2p}n�m�"L"��yu�ٝ24
d�E�^4NvCH�ڦ�ݥ1IF-NډD|���H�:#Gmv�5e&dR<�B.6"2y4/O�>Ar
x͐RP�2�9I:eTO+�^fn'g�R&-xr24X{Da��,&hI�ӓT:<�
oqs׆wG97
M`v�3Sô's��1�勯Mq
O
�ui0KN_ٿ1 ѻ&y>tBlO��2>L�X�Ɯ,E"v�uQ�WP)|�ݯ��M|�+�>h �_K*ԥq0H6E�:�GE?�; �1
v1�j�Hc(vIh�
74 �v�>]I�aέ�t�f�<4@z��";Ӊ�$e9lgҚD}a7ڏ^*�I�`\(9Ch�C
HkRZc^:��{$1?�۶%pPk9A
_:D�:d�����tH!-g ��m"D^b�ʵrEY�ɥZ,��n
@1F +�t�)K9r#
7y!k6Q5c$}zu:`�R9�o.ˌ���)Ua�x!�p}K�d<}4X]E`;΄N^#dJ�jvض^|H�Nx���e Y��tSX"V9(nRxqSכ�E)c�N%�P�s�6~ PRM{?Zh(+Fu�yg+�-@Z8,�J5k/��s�Ɯ��Nקkf yr�Bs`8�]_��gx\Z~�"B��)U>"z�c�zT�twl=Y2%ȱž�'j���Q4P'$�*s�/"Cq>��a�eEzAp;ho�=Y��w/;7J#)%ymPAqEs)҅�H3f5S�.>
�nid�1
�u�`CQ�:��{��Q;rth|>:�v�^u��4f43p*E�F�DA(I:Q�y�=ĩc \T+y��}1EYs=Jv�$�ۢwώB�VT�T��2D�H�ܓ*��8{t0va3˙)IgL,�"!ixk9Q#<*x��2:~�FUn+vE�Oq[1�oDqSd/K: g>+��pzB�j��qx�pg_(#�z8z��ٍ,'XBP7U"��3�ݜvζ$�{>g3!Yz}WE퐚��i.=>d[%X[s7vTWӟ?Q#>V��VODXhd>]n�Z)m��p_�zM3`^*ͣ�f=�`
"$�{Ԓ�SNE�m�>p7�䚃EM:4xO 픪(-X�Y�Ԁ�,Z�_#30��|u2�n~|t)O�BSQƣשssJm�Dq�H'ժ��7��d%>�ǿ2�9��y_?'U鬹+3Fv#ҎK#}�kkDtc4?-�7�:L�e7m-p��n�"F"=UծZ�);�Owq�s,ƺtT'=V݊ .QY֟�l]D�-C�f~{�em
�_f
�\:&45 XS��ytڿ*�z5S�n�Ѽ#V�YR�[(R0yˈh�*~ߦ)54S
1Tb t0ߺ?!�6V3wKһ��-�s�9v[�$d0<�Uާ���i{|7r�m�Y&Vц͡!D�',p=�:8^�|��P8�L\p>V5½^�$Jg˖��, B�uPtj�VQEoN@>ސ;I_�!݂\�Z!��Y5qK�P�YB=�IӋ��vp�ØK�Aڙ
Xc ��8UN�J�T(4m&~1�;�}!�C4B;ћ[1wk����H�av(l�~d�
It^2�3z͒.�P3IcNTn˱:*9qF5e6~&׆�z#+]�QB;I!ַJܸ� �{C� x
G
�3�^$]�m?αPaH�sN,
B9Vx%GR+"���NI�Sگ絆�kS[r7
~9]koZ�3�� M��Q@̣ݖ�}-UN"z��0A�&�Wbzyc(X{֨Ӷ~nVCp��:1$$�G��XWKZ3Y>\'kbL(�Zq��\|jXb՛>7sO�2Ok�"&�ﻸ5(�
q
� ꙾ؚLiO�5hM�S-D�4̖.�539ّȶ<��qO]|#=ԛ���8$�f#�Çw&aZNvHa,t㶚?}�s�#�7+l~tE4`LK
Dي(X�g�A)FDsjI�k,û�뜟$f)
`�`pDjskiDO�wT뫔1<,
"�4j�LHcxp"溺vs/���@p&o"�K3]
�=;oQݑ:i�;v-+s�)iS;F:�b}`w||a�wWV�_d*7Dl�3�Ycf�X
yF�o']GdY՞{qQW@zĔIoVEB
`��l0˝��>A��ϜA4-�A^;} ٜ�C8n2�o�T�e~�9�Ǡ_3:�U1�l
E��LA5&x�WПwXl
'o�
�?��Z~z�)ŤNj%%^GYNU9=�.-�> �-�F'��}Kc�z*qm='_�Cb�5#۲~ A�}6dw7�KH4:E�]
%/mOvGo/ζ�X8_[�
�S�c]ƨwPzx�*ǫ�\s�X�<2)f$Ru�4Ɠ-9!�� �H.(�'`g�s^g`O+ fF�@:T�D
z�"��+vX4Fo� (]�T$OW��isy+|
QR0W#lKJW�'[Kin4(��3�5if�x:{#�c�-u���e�Z"9O9���C+E�_F���F]G6~vm͎'K/
84|4d90r_�e^lwp9"�
&�n�;=�J�St\Sw`a�TUCUE%'4�\�fQ!b�o#3CERO%G'T\{3�$�vtuK�;ൈ�-8O1;�%�
2�kɬP9$[m.Nӎ�EO=�XUAdD�
�M\ 3
Pq�(/�Hr�L�zS�7`u".xà3R� Wo�{ l�bo�ZV4DS9߰5EUP9\[\
K*s�kH4l&#|W,x5���*8b��אZ_CBD;n1Z�p
8�IFcSe=^6!�ki)4���Q+xr=*)j%�X|�Qg[Y!G]\_;6�k
�dY�:"*"�l-�x9IPmyŖDUWp���%s9�Zk��;tA*>n4c�^2yNmz�Hܞ�] �͔�7mG
hz�QHT��<
�,1W�I� �i/H%�
+ �(�+gwAZpƬd|/�9
q#dX�J}.KEͰ�W�lf6F1Y�4nO'�wj�}�@8v$���ɦOW$,#ťDPBE/u�fu-U�*A�w�QA/j?�fY ?��9RI�/�,ˤZV�fd5p�o�cj�Ȱ�m"�Y�o�X
q#r4r
ZSm?F�
V'wt][z��eljkWmmK!}!M�dŬ��{�C�gu���}p͖?ȯ_2�#�P3
��@kO1(�t>ԟC� R}0GIai:hr,cj0�YGH{{kQ?�m���XW�,q\Б)�J���^iqEG�K+��L3��^�ݸ~�+-'T��edaBjpGn[�M�R585�E�r9:a�ċb��\Zh|
!��o֜V�r�?+-" �J6�cb� l�E|7��J/j��bӣ���'lu�cȿΧ81A�U-Qm~LTM?�ugIz�t
�� =d#�H)|rqDNh���V�WPM ��$��`�w�.�br�)7�RG�On7uzQ�}@�N<�H�QJ+|zh �DI-kNsT�?2�,�UHwas
�PCa~�/
�
U&A�,X^%�Ka[��,��p�i1ko&."w:-oQŽ1rk4O]ۼ/ۮ�,��7��)��1,��}{�/Qc3 E%nyi"ɰ�!yٝF`^6bch�T�)VEYI�չ{�ir�LP4};CGSyR��~
Տ7y6x��;�y�!�땵֒�G�1}1U.4ˆ2f:�l)?1I�R�2
4yqzZZ,pP^^۱2|i�ayoЂJ8\O��LG0+غAE@� ��zD*Hz�P˭&O�Djd�b9F ,ZPfeW86�[�h[6L-�6~�kӴ!4:9lz:��Ek�S& 4UG�
�4�C8hdV�'2;Kۺz0�bAkDf:WTd-|�8���=y�ᅼxlj�y�|FbNd�(sPKoB�јn*�;H��u!>��0w[�S\#��"=T�Z`D[gjcLo6,�grD��N_HA|4}Rqe7�c/�6uYHM��7aa�E4:Ţ3�$$��v9HCHޒa�|��vFyFS$qB�q���0ԍ'�D�Ht}C>Ϳy�oNڍ�a::d{�2�}��īw��tz�
�S}F':�tvL�)/?#xܙ(^(�I#���Ԃ�I�n�x��I;(?"2ųHb@���C.x=q+\�2He�l!gM ꂮsҟ
n�ey5ɖfM>���v^%JC2։�E�;2A&pG_Cu+J7/foti�Q{r�cd"#ݻ�ˋ8s&5B��+ʆ"�cVwMN)U�/�.0CL'7Ld�q;Ԯ)ŧ�h0�hpv^͓j%j ہ�
�GHm��QSو!}YE;WwZ�-�4_N@�S� ���·7!�R3#*Q�khb=}��~M{Jr7tl`r#_��91C$R��u�S:K�hGX� H@�'#DYhJ�%o?YEl+��o.*W�49q[غ%�tj��Z�^9K�z�k�)NGz҂
-3lh:�ӂQJ$ٿX(D�
9a~x|u�Dv&E�
�7m�4P� ư"ջ/x�I˔NUl]wbu �{�k5w4
*i{#2p��){}Č?+J̪�Rߓ yjRg7o_�e�K7V"8�QY�"Eʛ9��{�wg7UUN�wCܩH<`EhR`M~$Fc��hW6?Yn/��ks?a��ջżGi�>݊�4�}x+яX[,>ʨSHTΣ�7d:/9@b١ې_Ɖ>n-H&d%>J��M3p�̰>G;!�/�L:�TS>�@�#M��S%[;Y3" � ņP&�nSjM�rBgO�G\�Ak�k$T���Z�Jt¬qW/sK]�ȃ"%�$̙���Ǘ7ݰܫ pa�+{://�d3zل;eVx2HU5�B��f��c_�Y\WGdvȝ#p�CJZR?��"�ʴ[5ڊ�D��.�xaۊ��X.�(@ t8f Kc&h[
T��qb�W�r1�����
5F̌dAM's�2TV�?j����ҍ�7s{�tՙ}�zƻo��v�UYy9OoSbc@߸\%##A3Ug;q~?�pդ(��OsLH"T@cҖ�CT১?#G'#X hvc(ZJ7T.A���/ԡIo$�I`N�b�]s<{(zlc�40cp=\9M5)�b^tfF9j0�z2!P��ꧧ^XH�Y�ѩ!N@9y\z&z�x�N+V��;hGoTPF`�JĢG\-��a}v'E{բ�.l��ft��X4@*Wǽ�`�{caßn�b ��jIl2�J'Xl(q��Q
tdН0g�4ᵚh*�� ���%L��A��ťh˪�wR]ۺ�H�FGfڋ8Y~Sln�s�3/3}rFdj:xtio(e;XU
��<�%�y8L�kuX81rtO$�w?lG?ȢkFO?QQCbLFF�_1}9zô7J3Ԫ{|j|K�Mo_XZ�_@�Xk.}V�ߟ]3QrS�ĭX��W3ˍ/J.fcC\WηZ<@~ThFUc~jxAHwvP-�~i��O(ZM�?TuQcM-��$vtSid.�lC�8c^!Y$k:�H2:ҹ6lҲ!Y+ԛ /մ�Ɇ{Dx�u�ᕙ�(�jo�beaQݭx�rB�{c�0=0%"?i]H_9š�lVQ;��z5>{A�q7bs!�r{W,2�ڑaxCFq7G6�r&aŇ�C9�"8~TBgB,({Y/ش`1<2!obA\*{Lp4,E'(,X?q
wL��~M1a`]}�?�SY e�FQ\(1DR�N)het
:�_}V^O��� �tHX�F'�maLO�>poeHM'�7$V q5�g�:j�7͋�e";�PӾ�Z7G[�]&X!�|7ֈW^�#8r*RcN�0E5@Ҹ^�Ed�$6=`�)ʪ?Y,r�E6�p��dr�1�e5Ѝ0
_ڈ:Ii�{_둢OZ�],oPIO3f!h(�:;;/Phy�l DW�%d0c}�zS* [3Ab#�1KT;Ͼb
-%
p~&���;#Og#5v?gx�^q�zؿ�hhzN)��~8<�'�R6ҾZ�ar�"qh_�*(DƟunlW��^0B_V/܁0C,ɢ�%��T*0HRX�#!ֺAn�ʛ��vu��ɌQ,Q�
�,Sq+�Jo+���+v�wJHyC�,uoKK
8Pk[R}䥯*mMLJ:$�`ۻS|=L)=+S��K(w-'g��Vk:/V
֥�