haproxy-2.8.11+git0.01c1056a4-150600.3.3.1<>, ЀgQp9|v% )(kp֡ >?:C(>f_nxd(nCDmFKN%^џ1\c݌yC@2"Ө5\]DUdùT|sGlbV=!0F@JOPWf 4${vcީ[#(B;AMXHV),ia҉ a7ImrnrBOͤ9ww+ؗz&:l$ ^iL8^RJ A̖e^^}?#,Ս<п>R?d   - c2I _F Z ]    5& 57:=U=?@@CB(C8C9F:T=&>.?6@>BFF^GxHIXTYpZ[\<]d^bc»d=eBfElGu\vńwʌx̴yzDTX`dh~πτϟϤϬϲChaproxy2.8.11+git0.01c1056a4150600.3.3.1The Reliable, High Performance TCP/HTTP Load BalancerHAProxy implements an event-driven, mono-process model which enables support for very high number of simultaneous connections at very high speeds. Multi-process or multi-threaded models can rarely cope with thousands of connections because of memory limits, system scheduler limits, and lock contention everywhere. Event-driven models do not have these problems because implementing all the tasks in user-space allows a finer resource and time management. The down side is that those programs generally don't scale well on multi-processor systems. That's the reason why they must be optimized to get the most work done from every CPU cycle.gQh04-armsrv1},SUSE Linux Enterprise 15SUSE LLC GPL-3.0+ and LGPL-2.1+https://www.suse.com/Productivity/Networking/Web/Proxyhttp://www.haproxy.org/linuxaarch64 if [ -x /usr/bin/systemctl ]; then test -n "$FIRST_ARG" || FIRST_ARG="$1" [ -d /var/lib/systemd/migrated ] || mkdir -p /var/lib/systemd/migrated || : for service in haproxy.service ; do sysv_service=${service%.*} if [ ! -e /usr/lib/systemd/system/$service ] && [ ! -e /etc/init.d/$sysv_service ]; then mkdir -p /run/systemd/rpm/needs-preset touch /run/systemd/rpm/needs-preset/$service elif [ -e /etc/init.d/$sysv_service ] && [ ! -e /var/lib/systemd/migrated/$sysv_service ]; then /usr/sbin/systemd-sysv-convert --save $sysv_service || : mkdir -p /run/systemd/rpm/needs-sysv-convert touch /run/systemd/rpm/needs-sysv-convert/$service fi done fi /usr/sbin/sysusers2shadow haproxy-user.conf <<"EOF" || [ -f /.buildenv ] u haproxy - "User for haproxy" /var/lib/haproxy EOF if [ "$YAST_IS_RUNNING" != "instsys" ]; then if /usr/bin/systemctl is-active --quiet apparmor.service; then /sbin/apparmor_parser -r -T -W /etc/apparmor.d/usr.sbin.haproxy &> /dev/null || : fi fi if [ -x /usr/bin/systemctl ]; then test -n "$FIRST_ARG" || FIRST_ARG="$1" [ -d /var/lib/systemd/migrated ] || mkdir -p /var/lib/systemd/migrated || : if [ "$YAST_IS_RUNNING" != "instsys" ]; then /usr/bin/systemctl daemon-reload || : fi for service in haproxy.service ; do sysv_service=${service%.*} if [ -e /run/systemd/rpm/needs-preset/$service ]; then /usr/bin/systemctl preset $service || : rm "/run/systemd/rpm/needs-preset/$service" || : elif [ -e /run/systemd/rpm/needs-sysv-convert/$service ]; then /usr/sbin/systemd-sysv-convert --apply $sysv_service || : rm "/run/systemd/rpm/needs-sysv-convert/$service" || : touch /var/lib/systemd/migrated/$sysv_service || : fi done fi test -n "$FIRST_ARG" || FIRST_ARG="$1" if [ "$FIRST_ARG" -eq 0 -a -x /usr/bin/systemctl ]; then # Package removal, not upgrade /usr/bin/systemctl --no-reload disable haproxy.service || : ( test "$YAST_IS_RUNNING" = instsys && exit 0 test -f /etc/sysconfig/services -a \ -z "$DISABLE_STOP_ON_REMOVAL" && . /etc/sysconfig/services test "$DISABLE_STOP_ON_REMOVAL" = yes -o \ "$DISABLE_STOP_ON_REMOVAL" = 1 && exit 0 /usr/bin/systemctl stop haproxy.service ) || : fi test -n "$FIRST_ARG" || FIRST_ARG="$1" if [ $1 -eq 0 ]; then # Package removal for service in haproxy.service ; do sysv_service="${service%.*}" rm -f "/var/lib/systemd/migrated/$sysv_service" || : done fi if [ -x /usr/bin/systemctl ]; then /usr/bin/systemctl daemon-reload || : fi if [ "$FIRST_ARG" -ge 1 ]; then # Package upgrade, not uninstall if [ -x /usr/bin/systemctl ]; then ( test "$YAST_IS_RUNNING" = instsys && exit 0 test -f /etc/sysconfig/services -a \ -z "$DISABLE_RESTART_ON_UPDATE" && . /etc/sysconfig/services test "$DISABLE_RESTART_ON_UPDATE" = yes -o \ "$DISABLE_RESTART_ON_UPDATE" = 1 && exit 0 /usr/bin/systemctl try-restart haproxy.service ) || : fi fiFFBM5p .j. EBE !X*ua;$ 14 -.`P FF #hI&c#}<,w!L 6yPfR.T:y=e2}F ="_bKz,SHcagD Hb:;eqvv10 "TH}yuw9 A聠A큤A큤A큤A큤A큤A큤A큤A큤A큤A큤A큤A큤AAA큤AgQgQgQgQgQgQgQgQgQgQgQfBxfBxfBxfBxfBxfBxfBxfBxfBxfBxfBxfBxfBxfBxfBxfBxfBxfBxgQgQgQfBxfBxfBxfBxfBxfBxfBxfBxfBxfBxfBxfBxfBxgQgQgQgQgQfBxfBxfBxfBxfBxfBxfBxfBxfBxfBxfBxfBxfBxfBxfBxfBxfBxfBxfBxfBxfBxfBxfBxfBxfBxfBxfBxfBxfBxfBxfBxfBxfBxfBxfBxfBxfBxfBxfBxfBxfBxfBxfBxfBxfBxfBxfBxfBxfBxfBxfBxfBxfBxfBxfBxfBxfBxfBxfBxfBxfBxfBxfBxfBxfBxfBxfBxfBxfBxfBxfBxfBxfBxfBxfBxfBxfBxfBxfBxfBxgQfBxgQgQgQgQgQgQ8a32c84204afc26080cf76d676fa5fff3629c991642c422b1d451470e3be362b603f2db99b558f41fca9744e9bcbe8c4a93eb5c039df6159407df6d992ce8271e1ad616276fee9a3544071c6d5e53bb06396af0c356c14154edc2fb20bcf3eec215c8b930a6f9b422cc69154ed87ac6741f4f65dc35ce9ceb6e4b7924ba25b833a20f26b7e858f196f0bc512e6c6a55f2dd4fd1204abea904fed3af89e1d2190e2b5325e11cbbdb27f3d98b8687ac75fcbe03bff3b12aaa4c12400f4bf9204bb2e120a35766f3d4dd69f15b273f7ae1f2a260723f6a354bc119e18021b7543334ad9057b72c177c7d3071d99b9a956c2a58992b69f7039561bde55b51b05eaf92d0aade78cff36ca4000d3a8e01b278f1ad46d2e4e989983da9cd7bc4bac65874739782b06489350a37a8d3753d97f4d34021a3ef3b595ee43b74d762d35c3bca1682cb28a8690cb90edeaa61f3d0207e8f282b7a50be46e5aa37606339f9c2767d5cf52a30acc590503af38bb98ee26338d2bb0cc8b151f20df71670b0e7d7853bd6d594893cef3b2f2c9448dd0a50d5fe1ab5863732f41ce63eed5e2c9cc8cc4fce4f65e4df4b3154b05e8e7b99e54c8122438898b831768bca002f00c352ed2cf7dd73555848d569b8e298ee251e45e6eecd57759e9b745224b9a0c3193fc5f66ea643546bd70230485446685ed27e34f0bd573d5afabd2611b50ce59339e3b9f158875dffa10ba8a6e0a9e890b97e71858c05d9182d4e23cdf0b388ed6bc1c2371e2effd1ceb80d1087f6b36194312860f79c135ded8c129490078beac53f9dedcd550de481fcf0a25b3dde843e082dc377e21604024710f8cc662b0de608ffa2e010c4fb6c2672074a0ee92816189cd71df18d515ca85e08b53e915013726c4180905a63b6db5b242a9b0c66159f10755eecb2b07d4baba5dbfd471d0e4a988ca12a25be2ab5f2fb6e65f160d720a31c4918e51f00086ca043e4a8e5404a3712e73bf3b437eee23e5577e02220a46f8f59ba7b5cc73cc0d9350332af25a1d34e848a9b211bb24d9fe922d200575f93b00b66e5016f30386362c2c638d111101dfe12cc7ab96535e642a76d86d66bbc983d82700aafbbb30dd5392d6ccad52646d932f52e68df43417ff910f45aa52157702f4d2a4a5b875545e047f434c9fa69cf584383c71c67cfea0349f9c236b4bffac3da6f9bd7b320d35b59dc05bac1e1a0791101f4e4db2772fcf852353e921a38ede1d0705d1be9983ad4c7bff1a15755124dd229112203f34fffe1ed8951a4a1fe0832af9aaf02f0bd8b0591e59efe86cf5e2d6767ab90bdb1446d49393862fba2f761dd5a23c43373e17336c799602bc1ef35d2208c0519c1288516147a703f16c2837eb8802deb27f83beaa0ac0c626a1ac4d322f40710ace0faa6a234f7225c8f9704de47de79cdd537eca68c228b43fd0815a63c0c25edfdb2973e1e35f80f11e96b54c1ba6ebd99acb140f68fc78be87144b79eb898d749e33d36e05ca906d7d60b126a409eb0de60ea303ae26f4635f1bca9750bdd15a0c027ae2fd432761cf741dce1dfe9b5a4f6f3dc55f41be68b776aaf782a9fdb9180f1b2d18df1d65cddf5676aebe9d22fa23465d28e719a997446d630e690b4e6f17b64ae45f9f328c43c2101443601d3c2678f9b72affb76df28379f2931230a2cfb0caca9521d41e29f8d435470d5f274a26a447e968951f930a38657f82418a3c9a2909f26cc2d2d5d1cf2b2a5f60511081e4ae97b754536c126971f465036a1466e29bab7690d4a7a243ee02defb4aa0a5d9371fc83be99ed6bc3e0a9818574d3b0eac985d9c00e4e9571c9bed82198b86ddb9db7630752f8fdc6898f7c99a99eaeeac5213627ecb093df9c82f56175dc754bd975b46612e6262f568b24d42cb250c9bed35a5d61ae94903b867764efaaab660a60da56eeaf9c0f39438256adf79682080b0da66cbe9d20b8d880da50554ade59728609eec65fbcf9d0a5668f2da514a4265b32612cd5d7cc65b9e0a43f617cf40ba6775c9265ae4452b7afc995c89795e0c511eb7bfdbf84e79b46399ef3b964f99523c58eae9a82bb3243a34c0b67f9a1bf74fe0d439761c3adf7483ea39ecb34b2872249b6ab579cecff32d95573cfdd6245664a11c8a453627ade8ed30a73c0d104f4cfbbb1e8e31b0ee5a7deb4730eebb13a32b5d08708c5af4c27e2e66dcd3b6ea9a506cd93f665200fd424b8e1a9166a88e32f40efc5335e2648c039b92672aef1718c2ce2dd53af95d44290705b9bb9686c4c7d450a4438226ca835362ba43ed0d37db84a486384e2ef06fce57d57593d07e184ca476dd3e744587773d9b69cd3fd1143c36750d47415e17b4cf37a895c7321ad9c7d47d1d02166d16ce3c59cbc7147c63d2dcccf04858da3f7c19646b9aa6bdf461556ff49a2a72e42ce3c8aa988278d6fa87ca813ed1a1d784289d47be27a43000acbd92df7c315b631e8bd8597b846c53ebd6cb979681b9e77e5e1380b22d4fb367d57ec0693f28821753af9ec235dbbedff69ad9ff24a2c3902377ea1f1c596959b8fb7d912dc5b54429fd37ab30e43b21ff0664c6d44ae47c51a9f47a739cf08dceff350d26fc8fb3d1e2c5c87fc6c7effb84e7f3f675a653b1b9801e232c9ca6ac66afdaf2438dd40834331e2a73ce00ea85393e712143d5aa65060fb9effdafe87c35cb8b1379cc9d122272b848f14f864248f495dc083a48a721af561036e1f4a9b193bddabaf7ab7f7e8a7862b8324710eceea9d6b6fdd347449d4c2dc4bb4324afe8df196b53de42c6bd96acd12a37968edee08f60c397640d96da38216b769a9a5e61ff6890e638b6348a43aea82e48b1bbe37814d7cb263cd0b9df240a31a880fbaeb231526e1ccc3f38239ca9805384c61171c5abfcc0fdbb7951cfcb8a8ff93050056678bcca805f5f35c85eb9df481317f1fedaa293244d54fc1bc0527ef867316eda08e96d1708307243a4268d575e352e8f15c9f53015f7e66b4f614087fe1060a53be6f8206a7540bbfa6e56b1cdc1adb42e7a04047950a0cdbf445909be683344ff4bb4622c73ad90952538ba8b6a81261dd24bfc84a257f132723008a3f0ff687ed1c87bd2a8e59a917b4d04f7ae22307105a0a01a91e615267d2284557f4c1ca68cfef6cb7b17d748c206a1b0211d832298fd8e468c36bd2375d56a770f6598c61e77d5aa075baacadd009caa28a7583c988dc6dca2e9ef805e90ad0f98839033199aa6efb71635ac49d1c560c6fdc929c51068cc445f2495435af6dda7a76453621bfb1b2dec3545dae998cb32e0242707cccaa0bef4413592a0b07bfd9c08b3b1fbfed4ec24c47c5b1435c3a95155e75a80a8642522c2cde6afec901ddd5fa373c6b0956ebb50eb0af8066dd3628579c61638e42b066be5437788e3769da6372403ef5b062d13520dd34598a6d75db6958c831f6061c6ee57f6088f32f1da978fa64e8e71227da9a73bf960bc804cef476023b7d2d4296bf7870b828fe8a61f4f485e7bcf0ce41ae9f2edaf663b335e025eb4e388378d7800ccc4ffbdd155d2c5d40cf8757831a9ee1870732eab60f904b4a3ad5dda30c808783f69d29bdc9497f4c6a21a76ca645c80715c374995a48cbd2e97c7aeea1cb00cc441a90ecd2916741f6a3db2aee1defe3862c731ccc6237050859f8509ad07d88b011a61edba650ef9a1a2983c58960c42381a18ffd2fc9aa857e168d0845cf5b237a67c8c18e38c83f59f5de06e05a8d8008438b8e468383381bcbc57c5fc9cc190ec1398d2999d9c64c8af79019c503a473e4f03b8406c2ebdaa9883ab0ed213ed4c10f3752f22d451fde8d389d36e194e1edffead5e5ebe7967736f691ea94b340957eca1b719160031ac465e6fa28a50e0e3827aae143782e75699c945474dae5df07007198989c622f5d41de8d703e7bef3d0e79d62e24332ee739a452af62aa20dcc3994852776b8552b9820c1a562196da33b81b224d4441c9fcdec3ca01476bf9cf3d942c6bd5ae671bb085c16b62b1610a6f4e3c278bbd0624b5127164ae7ea3f2d38da55e9226339e79c7e8dccd9449fd2d46d6f959c898c0157da420649e853756c3bbc50bd78c1e86484ab1e10ad8306b47a02b8022874c5927485055ef30b40bee05aee79617246a9758b90f5cb8937ad211f013b0de4d223a4b63e2321e2d812b01fed407108c6e30890329eb7d4c26c1516fb4a2f2913a80aea6ebc96013841ed9bac783f7aa8a59e708cc1b50afe88e53e10ab566555ad128e42264c467a229a62ef24080b04b14f6b53a9c2001efcce647cd513278b29befc85418b96e4805efc0cfa7ec523796f745d8f44cc62e814cdbdb9d8b60943f3f54eec0ded52ec03d1e500ca9f0acdb33653875f12e4348540c4d6d69aeefb269a35ab2c913d39946958301ca81ee6a408457997a2885cc2eedd6f3ea92b842d8fd2b230ec2c76f27f96ab3b009902d3d68db46e30de879c53970dc6dee6db65d2aa42a6b68d251cce7b0339205c9518fa674b81bd6fac82b24ae80875245bb83ecdbf962c786c9d6c216899ca3dc196213c9e0661722ba546bd467dc43a8f8e4cfd1433303adfd6aedef5fec8fb0b07f531de18fe74dc70811813ebeabeae30475e30dd24c803f6ca1824328fbc160690f9dcb99a4235531898d73827e6e3a9bd7700648f72f159454c31029bdaad74b68532a76681d217a23e254f43201430108bd7d73834948fd0e42f5289680e6484e5c014165875de7876081450d548a0f7231378d18de6293dae098c5c474c641f1873c1d68749d6dcb6cd5b7ed6a1d0ba715d0678c912fab844d54a83ba50029769afcbcc044bcfce311819281db60c3790257628aa1f6e175570127e3e2716b6b5529c780a92198755fff6973ef4ab3846aabc2373c3f6e0f5f6991bef967e90b44a9493b44b9aa1a688a0f2769232ec671d01891ba5d10cd6fbcd162a52776a36514ca09dad6966db41ecb0b627362076e160b7814ec9b1406c78e89e16281331eb69a6f5ac21492414fea1d18b34195cec3ecefa11afc1ecc0b705f82e1365fcdc1f896d3c4978110913366d23c19f36a768a4f245953fc1fefe14bcadbf739cb3ea0c2e22cc93b70ff9c305e031bb4f50eaa35d72cff4e2ee4f74c6eb349a5b717516e2d97fbfa1fcb602777f67643e0717ca51fceaa25ac9e5ccc62e0c727dcf27796057201fb5fded56a25ff6ca282da5e249ffb1ec4c8b05e3764af14207278514f17f02beaa52d6ff87adc14a96c42c01a56a02b24614b38e563bd8a1a8d26d7c3cfb878929a8dd3ce6d2cc670d/sbin/serviceQQrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootroothaproxyhaproxyrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootroothaproxyhaproxy-2.8.11+git0.01c1056a4-150600.3.3.1.src.rpmconfig(haproxy)group(haproxy)haproxyhaproxy(aarch-64)haproxy-1.5haproxy-docuser(haproxy) @@@@@@@@@@@@@@@@@@@     /bin/sh/bin/sh/bin/sh/bin/shconfig(haproxy)ld-linux-aarch64.so.1()(64bit)ld-linux-aarch64.so.1(GLIBC_2.17)(64bit)libc.so.6()(64bit)libc.so.6(GLIBC_2.17)(64bit)libc.so.6(GLIBC_2.32)(64bit)libc.so.6(GLIBC_2.33)(64bit)libc.so.6(GLIBC_2.34)(64bit)libc.so.6(GLIBC_2.38)(64bit)libcrypt.so.1()(64bit)libcrypt.so.1(XCRYPT_2.0)(64bit)libcrypto.so.3()(64bit)libcrypto.so.3(OPENSSL_3.0.0)(64bit)liblua5.3.so.5()(64bit)libpcre2-8.so.0()(64bit)libssl.so.3()(64bit)libssl.so.3(OPENSSL_3.0.0)(64bit)libsystemd.so.0()(64bit)libsystemd.so.0(LIBSYSTEMD_209)(64bit)libz.so.1()(64bit)rpmlib(CompressedFileNames)rpmlib(FileDigests)rpmlib(PayloadFilesHavePrefix)rpmlib(PayloadIsXz)sysuser-shadow2.8.11+git0.01c1056a4-150600.3.3.13.0.4-14.6.0-14.0-15.2-13.24.14.3gQeN@ee`@d@d/@dQdd@dw6dw6dP@dP@dP@d"dV@d d cwcwc;@c@c|cIO@c1@c%cob{@bz@bmb@b~H@bgb/.@bbs@b@b@a@aq@aayaZaZaV@a7T@a`@`9@`f@``c`\{@`P`?z@``U__I@__u@_:_:_@_@_@__@_w@_w@_Wr@_$_{_c^y^(@^(@^@^@^^F^C^=Q@^=Q@^)]@]]B]@]@]@]@]߶]e@]@]@]@]@]@](]]^][][][]@1@]$]@]@]@]\-@\ac\73\[[[[[[v[ug@[3|@[3|@[0@[ @Z?ZȲZZ%ZZU@UcUPUG_@UD@U4@U/@UTE@TD@TԬT@T@T@TdTxcTuTuTmT_W@TSyTPTBV@TAvarkoly@suse.comvarkoly@suse.comvarkoly@suse.commrueckert@suse.demrueckert@suse.devarkoly@suse.comvarkoly@suse.commrueckert@suse.demrueckert@suse.demrueckert@suse.demrueckert@suse.demrueckert@suse.demrueckert@suse.demrueckert@suse.demrueckert@suse.demrueckert@suse.demrueckert@suse.demrueckert@suse.demrueckert@suse.demrueckert@suse.demrueckert@suse.demrueckert@suse.demrueckert@suse.decoolo@suse.commrueckert@suse.dedmueller@suse.commrueckert@suse.demrueckert@suse.dedmueller@suse.comelimat@opensuse.orgmrueckert@suse.demrueckert@suse.demrueckert@suse.demrueckert@suse.demrueckert@suse.demrueckert@suse.demrueckert@suse.demrueckert@suse.degmbr3@opensuse.orgmrueckert@suse.demrueckert@suse.demrueckert@suse.demrueckert@suse.demrueckert@suse.demrueckert@suse.demrueckert@suse.demrueckert@suse.demrueckert@suse.demrueckert@suse.demrueckert@suse.demrueckert@suse.demrueckert@suse.demrueckert@suse.demrueckert@suse.demrueckert@suse.demrueckert@suse.degmbr3@opensuse.orgmrueckert@suse.demrueckert@suse.demrueckert@suse.demrueckert@suse.demrueckert@suse.demrueckert@suse.demrueckert@suse.demrueckert@suse.demrueckert@suse.demrueckert@suse.demrueckert@suse.demrueckert@suse.demrueckert@suse.demrueckert@suse.demrueckert@suse.demrueckert@suse.demrueckert@suse.demrueckert@suse.demrueckert@suse.demrueckert@suse.demrueckert@suse.demrueckert@suse.demrueckert@suse.dekukuk@suse.commrueckert@suse.demrueckert@suse.demrueckert@suse.dedimstar@opensuse.orgmrueckert@suse.demrueckert@suse.demrueckert@suse.demrueckert@suse.demrueckert@suse.demrueckert@suse.demrueckert@suse.demrueckert@suse.demrueckert@suse.demrueckert@suse.demrueckert@suse.demrueckert@suse.demrueckert@suse.demrueckert@suse.dekgronlund@suse.comkgronlund@suse.comkukuk@suse.demrueckert@suse.demrueckert@suse.demrueckert@suse.dekgronlund@suse.comkgronlund@suse.comjengelh@inai.demrueckert@suse.demrueckert@suse.dekgronlund@suse.comkgronlund@suse.comkgronlund@suse.comkgronlund@suse.comkgronlund@suse.commrueckert@suse.demrueckert@suse.demrueckert@suse.demrueckert@suse.demrueckert@suse.dekgronlund@suse.comkgronlund@suse.comkgronlund@suse.comkgronlund@suse.comkgronlund@suse.comkgronlund@suse.comkgronlund@suse.commrueckert@suse.dekgronlund@suse.commrueckert@suse.dejengelh@inai.dekgronlund@suse.comkgronlund@suse.comkgronlund@suse.commrueckert@suse.demrueckert@suse.dekgronlund@suse.comkgronlund@suse.commrueckert@suse.demrueckert@suse.demrueckert@suse.dekgronlund@suse.comkgronlund@suse.comkgronlund@suse.comkgronlund@suse.comkgronlund@suse.comkgronlund@suse.comkgronlund@suse.comkgronlund@suse.commrueckert@suse.dekgronlund@suse.comkgronlund@suse.comkgronlund@suse.comkgronlund@suse.commrueckert@suse.demrueckert@suse.demrueckert@suse.demrueckert@suse.dee.istomin@edss.eemrueckert@suse.demrueckert@suse.demrueckert@suse.demrueckert@suse.demrueckert@suse.demrueckert@suse.demrueckert@suse.demrueckert@suse.demrueckert@suse.dedmueller@suse.comkgronlund@suse.comkgronlund@suse.comkgronlund@suse.comkgronlund@suse.comkgronlund@suse.comkgronlund@suse.commrueckert@suse.demrueckert@suse.demrueckert@suse.demrueckert@suse.demrueckert@suse.dekgronlund@suse.commrueckert@suse.deaspiers@suse.commrueckert@suse.demrueckert@suse.demrueckert@suse.demrueckert@suse.demrueckert@suse.demrueckert@suse.deledest@gmail.commrueckert@suse.dekgronlund@suse.comledest@gmail.commrueckert@suse.dekgronlund@suse.commrueckert@suse.dekgronlund@suse.com- Update to version 2.8.11+git0.01c1056a4: VUL-0: CVE-2024-53008: haproxy: HTTP/3 request smuggling via malformed HTTP headers forwarded to a HTTP/1.1 non-compliant back-end server (bsc#1233973) * [RELEASE] Released version 2.8.11 * BUG/MINOR: cfgparse-listen: fix option httpslog override warning message * BUG/MEDIUM: promex: Wait to have the request before sending the response * BUG/MEDIUM: cache/stats: Wait to have the request before sending the response * BUG/MEDIUM: queue: implement a flag to check for the dequeuing * BUG/MINOR: clock: validate that now_offset still applies to the current date * BUG/MINOR: clock: make time jump corrections a bit more accurate * BUG/MINOR: polling: fix time reporting when using busy polling * BUG/MAJOR: mux-h1: Wake SC to perform 0-copy forwarding in CLOSING state * BUG/MEDIUM: pattern: prevent UAF on reused pattern expr * BUG/MINOR: pattern: prevent const sample from being tampered in pat_match_beg() * BUG/MEDIUM: clock: detect and cover jumps during execution * REGTESTS: fix random failures with wrong_ip_port_logging.vtc under load * DOC: configuration: place the HAPROXY_HTTP_LOG_FMT example on the correct line * BUG/MINOR: pattern: do not leave a leading comma on "set" error messages * BUG/MINOR: pattern: pat_ref_set: return 0 if err was found * BUG/MINOR: pattern: pat_ref_set: fix UAF reported by coverity * BUG/MINOR: stconn: Request to send something to be woken up when the pipe is full * BUG/MEDIUM: mux-pt/mux-h1: Release the pipe on connection error on sending path * BUG/MEDIUM: clock: also update the date offset on time jumps * DOC: config: correct the table for option tcplog * BUG/MINOR: h3: properly reject too long header responses * BUG/MINOR: proto_uxst: delete fd from fdtab if listen() fails * BUG/MINOR: mux-quic: do not send too big MAX_STREAMS ID * REGTESTS: mcli: test the pipelined commands on master CLI * BUG/MEDIUM: mworker/cli: fix pipelined modes on master CLI * MINOR: channel: implement ci_insert() function * BUG/MINOR: proto_tcp: keep error msg if listen() fails * BUG/MINOR: proto_tcp: delete fd from fdtab if listen() fails * BUG/MINOR: quic/trace: make quic_conn_enc_level_init() emit NEW not CLOSE * BUG/MINOR: trace/quic: make "qconn" selectable as a lockon criterion * BUG/MINOR: trace: automatically start in waiting mode with "start " * BUG/MEDIUM: trace: fix null deref in lockon mechanism since TRACE_ENABLED() * BUG/MINOR: trace/quic: permit to lock on frontend/connect/session etc * BUG/MINOR: trace/quic: enable conn/session pointer recovery from quic_conn * BUG/MINOR: fcgi-app: handle a possible strdup() failure * BUG/MEDIUM: mux-h2: Propagate term flags to SE on error in h2s_wake_one_stream * BUG/MEDIUM: h2: Only report early HTX EOM for tunneled streams * BUG/MEDIUM: http-ana: Report error on write error waiting for the response * BUG/MEDIUM: quic: prevent conn freeze on 0RTT undeciphered content * BUG/MEDIUM: stconn: Report error on SC on send if a previous SE error was set * BUG/MEDIUM: mux-h1: Properly handle empty message when an error is triggered * BUG/MEDIUM: cli: Always release back endpoint between two commands on the mcli * BUG/MEDIUM: stream: Prevent mux upgrades if client connection is no longer ready * BUG/MEDIUM: init: fix fd_hard_limit default in compute_ideal_maxconn * MEDIUM: init: set default for fd_hard_limit via DEFAULT_MAXFD (take #2) * BUG/MEDIUM: queue: deal with a rare TOCTOU in assign_server_and_queue() * MINOR: queue: add a function to check for TOCTOU after queueing * BUG/MEDIUM: jwt: Clear SSL error queue on error when checking the signature * BUG/MINOR: quic: Lack of precision when computing K (cubic only cc) * BUG/MINOR: cli: Atomically inc the global request counter between CLI commands * BUG/MINOR: server: Don't warn fallback IP is used during init-addr resolution * BUG/MINOR: stick-table: fix crash for src_inc_gpc() without stkcounter * DOC: config: improve the http-keep-alive section * DOC: configuration: issuers-chain-path not compatible with OCSP * BUG/MEDIUM: ssl_sock: fix deadlock in ssl_sock_load_ocsp() on error path * BUG/MEDIUM: debug/cli: fix "show threads" crashing with low thread counts * BUG/MINOR: session: Eval L4/L5 rules defined in the default section * BUG/MEDIUM: bwlim: Be sure to never set the analyze expiration date in past * BUG/MEDIUM: spoe: Be sure to create a SPOE applet if none on the current thread * BUG/MEDIUM: h1: Reject empty Transfer-encoding header * BUG/MINOR: h1: Reject empty coding name as last transfer-encoding value * BUG/MINOR: h1: Fail to parse empty transfer coding names * BUG/MINOR: jwt: fix variable initialisation * DOC: configuration: update maxconn description * BUG/MINOR: jwt: don't try to load files with HMAC algorithm * MEDIUM: ssl: initialize the SSL stack explicitely * DOC: configuration: more details about the master-worker mode * BUG/MEDIUM: quic: fix possible exit from qc_check_dcid() without unlocking * BUG/MINOR: quic: fix race-condition on trace for CID retrieval * BUG/MINOR: quic: fix race condition in qc_check_dcid() * BUG/MEDIUM: quic: fix race-condition in quic_get_cid_tid() * BUG/MEDIUM: h3: ensure the ":scheme" pseudo header is totally valid * BUG/MEDIUM: h3: ensure the ":method" pseudo header is totally valid * MINOR: activity: make the memory profiling hash size configurable at build time * BUG/MINOR: hlua: report proper context upon error in hlua_cli_io_handler_fct() * BUG/MINOR: quic: fix BUG_ON() on Tx pkt alloc failure * BUG/MINOR: mux-quic: fix crash on qcs SD alloc failure * BUG/MINOR: h3: fix crash on STOP_SENDING receive after GOAWAY emission * DOC: api/event_hdl: small updates, fix an example and add some precisions * SCRIPTS: git-show-backports: do not truncate git-show output * DOC: configuration: fix alphabetical order of bind options * DOC: management: rename show stats domain cli "dns" to "resolvers" * DOC/MINOR: management: add missed -dR and -dv options * BUG/MINOR: proxy: fix header_unique_id leak on deinit() * BUG/MINOR: proxy: fix source interface and usesrc leaks on deinit() * BUG/MINOR: proxy: fix dyncookie_key leak on deinit() * BUG/MINOR: proxy: fix check_{command,path} leak on deinit() * BUG/MINOR: proxy: fix log_tag leak on deinit() * BUG/MINOR: proxy: fix server_id_hdr_name leak on deinit() * BUG/MINOR: quic: fix computed length of emitted STREAM frames * [RELEASE] Released version 2.8.10 * BUG/MEDIUM: quic: don't blindly rely on unaligned accesses * BUG/MAJOR: connection: fix server used_conns with H2 + reuse safe * BUG/MEDIUM: http_ana: ignore NTLM for reuse aggressive/always and no H1 * BUG/MAJOR: server: do not delete srv referenced by session * MINOR: session: rename private conns elements * BUG/MEDIUM: quic: fix connection freeze on post handshake * BUG/MEDIUM: server: fix dynamic servers initial settings * BUG/MEDIUM: ssl: wrong priority whem limiting ECDSA ciphers in ECDSA+RSA configuration * CLEANUP: hlua: simplify ambiguous lua_insert() usage in hlua_ctx_resume() * BUG/MINOR: hlua: fix leak in hlua_ckch_set() error path * BUG/MINOR: hlua: prevent LJMP in hlua_traceback() * BUG/MINOR: hlua: fix unsafe hlua_pusherror() usage * BUG/MINOR: hlua: don't use lua_pushfstring() when we don't expect LJMP * CLEANUP: hlua: use hlua_pusherror() where relevant * BUG/MINOR: quic: prevent crash on qc_kill_conn() * BUG/MINOR: hlua: use CertCache.set() from various hlua contexts * BUG/MINOR: tools: fix possible null-deref in env_expand() on out-of-memory * BUG/MINOR: tcpcheck: report correct error in tcp-check rule parser * BUG/MINOR: cfgparse: remove the correct option on httpcheck send-state warning * BUG/MINOR: activity: fix Delta_calls and Delta_bytes count * BUG/MINOR: ssl/ocsp: init callback func ptr as NULL * CLEANUP: ssl/ocsp: readable ifdef in ssl_sock_load_ocsp * BUILD: fd: errno is also needed without poll() * CI: scripts: fix build of vtest regarding option -C * REGTESTS: acl_cli_spaces: avoid a warning caused by undefined logs * DOC: config: fix incorrect section reference about custom log format * DOC: quic: specify that connection migration is not supported * BUG/MINOR: server: Don't reset resolver options on a new default-server line * BUG/MINOR: http-htx: Support default path during scheme based normalization * BUG/MINOR: quic: adjust restriction for stateless reset emission * MEDIUM: config: prevent communication with privileged ports * BUILD: quic: fix unused variable warning when threads are disabled * BUG/MEDIUM: mux-quic: Create sedesc in same time of the QUIC stream * BUG/MEDIUM: quic_tls: prevent LibreSSL < 4.0 from negotiating CHACHA20_POLY1305 * BUG/MAJOR: quic: Crash with TLS_AES_128_CCM_SHA256 (libressl only) * BUG/MINOR: connection: parse PROXY TLV for LOCAL mode * DOC: configuration: update the crt-list documentation * CLEANUP: ssl/cli: remove unused code in dump_crtlist_conf * BUG/MINOR: stats: Don't state the 303 redirect response is chunked * BUG/MINOR: htpp-ana/stats: Specify that HTX redirect messages have a C-L header * BUG/MEDIUM: fd: prevent memory waste in fdtab array * BUILD: stick-tables: better mark the stktable_data as 32-bit aligned * BUG/MEDIUM: h1: Reject CONNECT request if the target has a scheme * BUG/MINOR: h1: Check authority for non-CONNECT methods only if a scheme is found * BUG/MEDIUM: stick-tables: properly mark stktable_data as packed * BUG/MEDIUM: htx: mark htx_sl as packed since it may be realigned * BUG/MINOR: qpack: fix error code reported on QPACK decoding failure * BUG/MINOR: mux-quic: fix error code on shutdown for non HTTP/3 * BUG/MINOR: log: smp_rgs array issues with inherited global log directives * BUG/MINOR: log: keep the ref in dup_logger() * MINOR: log: add dup_logsrv() helper function * DOC: lua: fix filters.txt file location * BUG/MINOR: haproxy: only tid 0 must not sleep if got signal * BUILD: clock: improve check for pthread_getcpuclockid() * BUG/MINOR: mworker: reintroduce way to disable seamless reload with -x /dev/null * BUG/MINOR: h1: fix detection of upper bytes in the URI * BUG/MINOR: backend: use cum_sess counters instead of cum_conn * BUG/MINOR: fd: my_closefrom() on Linux could skip contiguous series of sockets * BUG/MINOR: sock: handle a weird condition with connect() * BUG/MINOR: stconn: Fix sc_mux_strm() return value * BUG/MEDIUM: cache: Vary not working properly on anything other than accept-encoding * BUG/MINOR: server: fix slowstart behavior * BUG/MEDIUM: peers: Fix exit condition when max-updates-at-once is reached * BUG/MEDIUM: spoe: Always retry when an applet fails to send a frame * BUG/MEDIUM: applet: Fix applet API to put input data in a buffer * BUG/MEDIUM: evports: do not clear returned events list on signal * BUG/MEDIUM: stconn: Don't forward channel data if input data must be filtered * BUG/MEDIUM: grpc: Fix several unaligned 32/64 bits accesses * MINOR: net_helper: Add support for floats/doubles. * CI: revert kernel addr randomization introduced in 3a0fc864 * BUG/MEDIUM: peers/trace: fix crash when listing event types * BUG/MINOR: debug: make sure DEBUG_STRICT=0 does work as documented * BUG/MINOR: http-ana: Fix TX_L7_RETRY and TX_D_L7_RETRY values * BUG/MEDIUM: http-ana: Deliver 502 on keep-alive for fressh server connection * CLEANUP: log: lf_text_len() returns a pointer not an integer * BUG/MINOR: log: invalid snprintf() usage in sess_build_logline() * BUG/MINOR: tools/log: invalid encode_{chunk,string} usage * BUG/MINOR: log: fix lf_text_len() truncate inconsistency * BUG/MINOR: listener: always assign distinct IDs to shards * BUG/MINOR: cli: Report an error to user if command or payload is too big * [RELEASE] Released version 2.8.9 * BUILD: proxy: Replace free_logformat_list() to manually release log-format * [RELEASE] Released version 2.8.8 * BUG/MINOR: proxy: fix logformat expression leak in use_backend rules * BUG/MINOR: backend: properly handle redispatch 0 * BUG/MINOR: server: ignore 'enabled' for dynamic servers * BUG/MEDIUM: cli: Warn if pipelined commands are delimited by a \n * MINOR: cli: Remove useless loop on commands to find unescaped semi-colon * MINOR: server: allow cookie for dynamic servers * BUG/MINOR: server: fix persistence cookie for dynamic servers * BUG/MINOR: ssl: Detect more 'ocsp-update' incompatibilities * BUG/MINOR: ssl: Wrong ocsp-update "incompatibility" error message * BUG/MINOR: server: 'source' interface ignored from 'default-server' directive * OPTIM: http_ext: avoid useless copy in http_7239_extract_{ipv4,ipv6} * BUG/MEDIUM: mux-fcgi: Properly handle EOM flag on end-of-trailers HTX block * BUG/MINOR: mux-quic: close all QCS before freeing QCC tasklet * BUG/MEDIUM: ssl: Fix crash in ocsp-update log function * BUG/MINOR: session: ensure conn owner is set after insert into session * BUG/MEDIUM: spoe: Return an invalid frame on recv if size is too small * CI: temporarily adjust kernel entropy to work with ASAN/clang * BUG/MINOR: spoe: Be sure to be able to quickly close IDLE applets on soft-stop * BUG/MEDIUM: spoe: Don't rely on stream's expiration to detect processing timeout * BUG/MINOR: listener: Don't schedule frontend without task in listener_release() * BUG/MINOR: listener: Wake proxy's mngmt task up if necessary on session release * BUG/MEDIUM: hlua: streams don't support mixing lua-load with lua-load-per-thread (2nd try) * MINOR: hlua: use accessors for stream hlua ctx * DEBUG: lua: precisely identify if stream is stuck inside lua or not * BUG/MINOR: hlua: fix missing lock in hlua_filter_delete() * BUG/MINOR: hlua: missing lock in hlua_filter_new() * BUG/MINOR: hlua: segfault when loading the same filter from different contexts * BUG/MINOR: ssl: fix possible ctx memory leak in sample_conv_aes_gcm() * DOC: configuration: clarify ciphersuites usage (V2) * BUILD: solaris: fix compilation errors * BUG/MINOR: cfgparse: report proper location for log-format-sd errors * BUG/MINOR: ssl/cli: typo in new ssl crl-file CLI description * CI: skip scheduled builds on forks * BUG/MINOR: sink: fix a race condition in the TCP log forwarding code * BUG/MINOR: hlua: don't call ha_alert() in hlua_event_subscribe() * BUG/MAJOR: hlua: improper lock usage with hlua_ctx_resume() * BUG/MEDIUM: hlua: improper lock usage with SET_SAFE_LJMP() * BUG/MINOR: hlua: improper lock usage in hlua_filter_new() * BUG/MINOR: hlua: improper lock usage in hlua_filter_callback() * BUG/MINOR: hlua: fix possible crash in hlua_filter_new() under load * BUG/MINOR: hlua: don't use lua_tostring() from unprotected contexts * BUG/MINOR: hlua: fix unsafe lua_tostring() usage with empty stack * BUG/MINOR: tools: seed the statistical PRNG slightly better * MINOR: hlua: Be able to disable logging from lua * BUG/MINOR: hlua: Fix log level to the right value when set via TXN:set_loglevel * BUG/MINOR: config/quic: Alert about PROXY protocol use on a QUIC listener * DOC: configuration: clarify ciphersuites usage * LICENSE: http_ext: fix GPL license version * LICENSE: event_hdl: fix GPL license version * BUG/MINOR: ssl/cli: duplicate cleaning code in cli_parse_del_crtlist * BUG/MINOR: ist: only store NUL byte on succeeded alloc * BUG/MINOR: quic: fix output of show quic * BUG/MAJOR: server: fix stream crash due to deleted server * BUG/MINOR: stats: drop srv refcount on early release * BUG/MINOR: ist: allocate nul byte on istdup * MINOR: quic: warn on bind on multiple addresses if no IP_PKTINFO support * DOC: quic: fix recommandation for bind on multiple address * BUG/MEDIUM: quic: fix transient send error with listener socket * BUG/MEDIUM: hlua: Don't loop if a lua socket does not consume received data * BUG/MEDIUM: hlua: Be able to garbage collect uninitialized lua sockets * BUG/MEDIUM: applet: Immediately free appctx on early error * DOC: quic: Missing tuning setting in "Global parameters" * BUG/MINOR: qpack: reject invalid dynamic table capacity * BUG/MINOR: qpack: reject invalid increment count decoding * BUG/MINOR: quic: reject HANDSHAKE_DONE as server * BUG/MINOR: quic: reject unknown frame type * BUG/MAJOR: promex: fix crash on deleted server * MINOR: connection: add sample fetches to report per-connection glitches * MINOR: mux-h2: implement MUX_CTL_GET_GLITCHES * MINOR: connection: add a new mux_ctl to report number of connection glitches * MEDIUM: mux-h2: allow to set the glitches threshold to kill a connection * MINOR: mux-h2: always use h2c_report_glitch() * MINOR: mux-h2: count late reduction of INITIAL_WINDOW_SIZE as a glitch * MINOR: mux-h2: count excess of CONTINUATION frames as a glitch * BUG/MINOR: mux-h2: count rejected DATA frames against the connection's flow control * MINOR: mux-h2: add a counter of "glitches" on a connection * [RELEASE] Released version 2.8.7 * BUG/MAJOR: ssl/ocsp: crash with ocsp when old process exit or using ocsp CLI- Update to version 2.8.6+git0.f6bd011dc: * [RELEASE] Released version 2.8.6 * DEV: makefile: fix POSIX compatibility for "range" target * DEV: makefile: add a new "range" target to iteratively build all commits * CI: Update to actions/cache@v4 * DOC: internal: update missing data types in peers-v2.0.txt * DOC: install: recommend pcre2 * DOC: httpclient: add dedicated httpclient section * DOC: configuration: clarify http-request wait-for-body * BUILD: address a few remaining calloc(size, n) cases * BUG/MINOR: ext-check: cannot use without preserve-env * MINOR: ext-check: add an option to preserve environment variables * BUG/MINOR: diag: run the final diags before quitting when using -c * BUG/MINOR: diag: always show the version before dumping a diag warning * MINOR: errors: ha_alert() and ha_warning() uses warn_exec_path() * MINOR: quic: Add a counter for reordered packets * MINOR: quic: Dynamic packet reordering threshold * MINOR: quic: Update K CUBIC calculation (RFC 9438) * BUG/MEDIUM: quic: Wrong K CUBIC calculation. * MINOR: quic: Stop using 1024th of a second. * BUG/MINOR: quic: fix possible integer wrap around in cubic window calculation * CLEANUP: quic: Code clarifications for QUIC CUBIC (RFC 9438) * BUG/MINOR: quic: Wrong ack ranges handling when reaching the limit. * BUG/MEDIUM: quic: fix crash on invalid qc_stream_buf_free() BUG_ON * BUG/MEDIUM: qpack: allow 6xx..9xx status codes * BUG/MEDIUM: h3: do not crash on invalid response status code * MINOR: h3: add traces for stream sending function * BUG/MEDIUM: quic: remove unsent data from qc_stream_desc buf * MINOR: quic: extract qc_stream_buf free in a dedicated function * MINOR: quic: Stop hardcoding a scale shifting value (CUBIC_BETA_SCALE_FACTOR_SHIFT) * CLEANUP: quic: Remove unused CUBIC_BETA_SCALE_FACTOR_SHIFT macro. * BUG/MEDIUM: mux-quic: report early error on stream * BUG/MINOR: h3: fix checking on NULL Tx buffer * BUG/MEDIUM: ssl: Fix crash when calling "update ssl ocsp-response" when an update is ongoing * REGTESTS: ssl: Add OCSP related tests * REGTESTS: ssl: Fix empty line in cli command input * BUG/MINOR: ssl: Reenable ocsp auto-update after an "add ssl crt-list" * BUG/MINOR: ssl: Destroy ckch instances before the store during deinit * BUG/MEDIUM: ocsp: Separate refcount per instance and per store * MINOR: ssl: Use OCSP_CERTID instead of ckch_store in ckch_store_build_certid * BUG/MINOR: ssl: Clear the ckch instance when deleting a crt-list line * BUG/MINOR: ssl: Duplicate ocsp update mode when dup'ing ckch * BUG/MINOR: ssl: Fix error message after ssl_sock_load_ocsp call * BUG/MAJOR: ssl_sock: Always clear retry flags in read/write functions * BUG/MEDIUM: h1: always reject the NUL character in header values * BUG/MINOR: h1-htx: properly initialize the err_pos field * BUG/MEDIUM: h1: Don't support LF only to mark the end of a chunk size * BUG/MINOR: h1: Don't support LF only at the end of chunks * BUG/MEDIUM: stconn: Don't check pending shutdown to wake an applet up * BUG/MEDIUM: stconn: Allow expiration update when READ/WRITE event is pending * BUG/MEDIUM: pool: fix rare risk of deadlock in pool_flush() * BUG/MINOR: jwt: fix jwt_verify crash on 32-bit archs * BUG/MEDIUM: cli: fix once for all the problem of missing trailing LFs * BUG/MINOR: vars/cli: fix missing LF after "get var" output * BUG/MEDIUM: cli: some err/warn msg dumps add LR into CSV output on stat's CLI * REGTESTS: add a test to ensure map-ordering is preserved * MINOR: mux-h2/traces: add a missing trace on connection WU with negative inc * BUG/MEDIUM: mux-h2: refine connection vs stream error on headers * MINOR: mux-h2/traces: clarify the "rejected H2 request" event * MINOR: mux-h2/traces: explicitly show the error/refused stream states * MINOR: mux-h2/traces: also suggest invalid header upon parsing error * MINOR: debug: make BUG_ON() catch build errors even without DEBUG_STRICT * MINOR: debug: make ABORT_NOW() store the caller's line number when using abort * MINOR: debug: make sure calls to ha_crash_now() are never merged * MINOR: compiler: add a new DO_NOT_FOLD() macro to prevent code folding * BUG/MEDIUM: quic: keylog callback not called (USE_OPENSSL_COMPAT) * BUG/MINOR: mux-h2: also count streams for refused ones * BUG/MINOR: mux-quic: do not prevent non-STREAM sending on flow control * DOC: configuration: corrected description of keyword tune.ssl.ocsp-update.mindelay * MINOR: mux-h2: support limiting the total number of H2 streams per connection * BUG/MEDIUM: spoe: Never create new spoe applet if there is no server up * BUG/MEDIUM: stconn: Forward shutdown on write timeout only if it is forwardable * BUG/MEDIUM: h3: fix incorrect snd_buf return value * CLEANUP: quic: Remaining useless code into server part * BUG/MINOR: h3: close connection on sending alloc errors * BUG/MINOR: h3: properly handle alloc failure on finalize * BUG/MINOR: h3: close connection on header list too big * MINOR: h3: check connection error during sending * BUG/MINOR: quic: Missing call to TLS message callbacks * BUG/MINOR: quic: Wrong keylog callback setting. * BUG/MINOR: mux-quic: always report error to SC on RESET_STREAM emission * BUG/MEDIUM: stats: unhandled switching rules with TCP frontend * MINOR: stats: store the parent proxy in stats ctx (http) * DOC: config: Update documentation about local haproxy response * BUG/MINOR: resolvers: default resolvers fails when network not configured * BUG/MEDIUM: mux-h2: Report too large HEADERS frame only when rxbuf is empty * BUG/MEDIUM: quic: QUIC CID removed from tree without locking * BUG/MEDIUM: quic: Possible buffer overflow when building TLS records * BUG/MINOR: mworker/cli: fix set severity-output support * DOC: configuration: typo req.ssl_hello_type- Update to version 2.8.5+git0.aaba8d090: * [RELEASE] Released version 2.8.5 * BUG/MEDIUM: proxy: always initialize the default settings after init * BUG/MINOR: lua: Wrong OCSP CID after modifying an SSL certficate (LUA) * BUG/MINOR: ssl: Wrong OCSP CID after modifying an SSL certficate * MINOR: ssl/cli: Add ha_(warning|alert) msgs to CLI ckch callback * BUG/MINOR: ssl: Double free of OCSP Certificate ID * BUG/MINOR: quic: Packet number spaces too lately initialized * BUG/MINOR: quic: Missing QUIC connection path member initialization * BUG/MINOR: quic: Possible leak of TX packets under heavy load * BUG/MEDIUM: quic: Possible crash during retransmissions and heavy load * BUG/MINOR: cache: Remove incomplete entries from the cache when stream is closed * BUG/MEDIUM: peers: fix partial message decoding * DOC: Clarify the differences between field() and word() * BUG/MINOR: sample: Make the `word` converter compatible with `-m found` * REGTESTS: sample: Test the behavior of consecutive delimiters for the field converter * DOC: config: fix monitor-fail typo * DOC: config: add matrix entry for "max-session-srv-conns" * DOC: config: specify supported sections for "max-session-srv-conns" * BUG/MINOR: cfgparse-listen: fix warning being reported as an alert * BUG/MINOR: config: Stopped parsing upon unmatched environment variables * BUG/MINOR: quic_tp: fix preferred_address decoding * DOC: config: fix missing characters in set-spoe-group action * BUG/MINOR: h3: always reject PUSH_PROMISE * BUG/MINOR: h3: fix TRAILERS encoding * BUG/MEDIUM: master/cli: Properly pin the master CLI on thread 1 / group 1 * BUG/MINOR: compression: possible NULL dereferences in comp_prepare_compress_request() * BUG/MINOR: quic: fix CONNECTION_CLOSE_APP encoding * DOC: lua: fix Proxy.get_mode() output * DOC: lua: add sticktable class reference from Proxy.stktable * REGTESTS: connection: disable http_reuse_be_transparent.vtc if !TPROXY * DOC: config: fix timeout check inheritance restrictions * DOC: 51d: updated 51Degrees repo URL for v3.2.10 * BUG/MINOR: server: do not leak default-server in defaults sections * BUG/MINOR: quic: Possible RX packet memory leak under heavy load * BUG/MEDIUM: quic: Possible crash for connections to be killed * BUG/MINOR: sock: mark abns sockets as non-suspendable and always unbind them * BUG/MINOR: startup: set GTUNE_SOCKET_TRANSFER correctly * REGTESTS: http: add a test to validate chunked responses delivery * BUG/MINOR: proxy/stktable: missing frees on proxy cleanup * MINOR: stktable: add stktable_deinit function * BUG/MINOR: stream/cli: report correct stream age in "show sess" * BUG/MEDIUM: mux-fcgi: fail earlier on malloc in takeover() * BUG/MEDIUM: mux-h1: fail earlier on malloc in takeover() * BUG/MEDIUM: mux-h2: fail earlier on malloc in takeover() * BUG/MAJOR: quic: complete thread migration before tcp-rules- Update to version 2.8.4+git0.a4ebf9d3b: * [RELEASE] Released version 2.8.4 * BUG/MINOR: stconn: Report read activity on non-indep streams for partial sends * BUG/MINOR: stconn/applet: Report send activity only if there was output data * BUG/MINOR: stconn: Use HTX-aware channel's functions to get info on buffer * BUG/MINOR: stconn: Fix streamer detection for HTX streams * MINOR: channel: Add functions to get info on buffers and deal with HTX streams * MINOR: htx: Use a macro for overhead induced by HTX * BUG/MEDIUM: stconn: Update fsb date on partial sends * BUG/MEDIUM: stream: Don't call mux .ctl() callback if not implemented * BUG/MEDIUM: mworker: set the master variable earlier * BUG/MEDIUM: applet: Report a send activity everytime data were sent * BUG/MEDIUM: stconn: Report a send activity everytime data were sent * REGTESTS: http: Improve script testing abortonclose option * BUG/MEDIUM: stream: Properly handle abortonclose when set on backend only * MEDIUM: mux-h1: Handle MUX_SUBS_RECV flag in h1_ctl() and susbscribe for reads * MINOR: connection: Add a CTL flag to notify mux it should wait for reads again * BUG/MINOR: stconn: Handle abortonclose if backend connection was already set up * BUG/MEDIUM: connection: report connection errors even when no mux is installed * DOC: quic: Wrong syntax for "quic-cc-algo" keyword. * BUG/MINOR: sink: don't learn srv port from srv addr * BUG/MEDIUM: applet: Remove appctx from buffer wait list on release * DOC: config: use the word 'backend' instead of 'proxy' in 'track' description * BUG/MINOR: quic: fix retry token check inconsistency * DOC: management: -q is quiet all the time * BUG/MEDIUM: stconn: Don't update stream expiration date if already expired * BUG/MEDIUM: quic: Avoid some crashes upon TX packet allocation failures * BUG/MEDIUM: quic: Possible crashes when sending too short Initial packets * BUG/MEDIUM: quic: Avoid trying to send ACK frames from an empty ack ranges tree * BUG/MINOR: quic: idle timer task requeued in the past * BUG/MEDIUM: pool: fix releasable pool calculation when overloaded * BUG/MEDIUM: freq-ctr: Don't report overshoot for long inactivity period * BUG/MINOR: mux-h1: Properly handle http-request and http-keep-alive timeouts * BUG/MINOR: stick-table/cli: Check for invalid ipv4 key * BUG/MEDIUM: quic: fix sslconns on quic_conn alloc failure * BUG/MEDIUM: quic: fix actconn on quic_conn alloc failure * CLEANUP: htx: Properly indent htx_reserve_max_data() function * BUG/MINOR: stconn: Sanitize report for read activity * BUG/MEDIUM: Don't apply a max value on room_needed in sc_need_room() * BUG/MEDIUM: stconn: Don't report rcv/snd expiration date if SC cannot epxire * BUG/MEDIUM: pattern: don't trim pools under lock in pat_ref_purge_range() * BUG/MINOR: cfgparse/stktable: fix error message on stktable_init() failure * BUG/MINOR: stktable: missing free in parse_stick_table() * BUG/MINOR: tcpcheck: Report hexstring instead of binary one on check failure * BUG/MEDIUM: ssl: segfault when cipher is NULL * BUG/MINOR: mux-quic: fix early close if unset client timeout * BUG/MINOR: ssl: suboptimal certificate selection with TLSv1.3 and dual ECDSA/RSA * MEDIUM: quic: count quic_conn for global sslconns * MEDIUM: quic: count quic_conn instance for maxconn * MINOR: frontend: implement a dedicated actconn increment function * BUG/MINOR: ssl: use a thread-safe sslconns increment * BUG/MINOR: quic: do not consider idle timeout on CLOSING state * BUG/MEDIUM: server: "proto" not working for dynamic servers * MINOR: connection: add conn_pr_mode_to_proto_mode() helper func * DEBUG: mux-h2/flags: fix list of h2c flags used by the flags decoder * MINOR: lua: Add flags to configure logging behaviour * BUG/MINOR: ssl: load correctly @system-ca when ca-base is define * DOC: internal: filters: fix reference to entities.pdf * BUG/MINOR: mux-h2: update tracked counters with req cnt/req err * BUG/MINOR: mux-h2: commit the current stream ID even on reject * BUG/MEDIUM: peers: Fix synchro for huge number of tables * BUG/MEDIUM: peers: Be sure to always refresh recconnect timer in sync task * BUG/MINOR: trace: fix trace parser error reporting * BUG/MINOR: mux-h2: fix http-request and http-keep-alive timeouts again * BUG/MEDIUM: mux-h2: Don't report an error on shutr if a shutw is pending * BUG/MINOR: mux-h2: make up other blocked streams upon removal from list * BUG/MINOR: mux-h1: Send a 400-bad-request on shutdown before the first request * BUG/MEDIUM: quic-conn: free unsent frames on retransmit to prevent crash * BUG/MINOR: mux-quic: fix free on qcs-new fail alloc * BUG/MINOR: h3: strengthen host/authority header parsing * BUG/MINOR: mux-quic: support initial 0 max-stream-data * BUG/MEDIUM: mux-quic: fix RESET_STREAM on send-only stream * BUG/MINOR: quic: reject packet with no frame * BUG/MINOR: quic: Avoid crashing with unsupported cryptographic algos * BUG/MEDIUM: stconn: Fix comparison sign in sc_need_room() * BUG/MINOR: hq-interop: simplify parser requirement * BUG/MEDIUM: h1: Ignore C-L value in the H1 parser if T-E is also set * BUG/MINOR: mux-h1: Ignore C-L when sending H1 messages if T-E is also set * BUG/MINOR: mux-h1: Handle read0 in rcv_pipe() only when data receipt was tried * BUG/MEDIUM: hlua: Initialize appctx used by a lua socket on connect only * MINOR: hlua: Test the hlua struct first when the lua socket is connecting * MINOR: hlua: Save the lua socket's server in its context * MINOR: hlua: Save the lua socket's timeout in its context * MINOR: hlua: Don't preform operations on a not connected socket * MINOR: hlua: Set context's appctx when the lua socket is created * BUG/MEDIUM: http-ana: Try to handle response before handling server abort * BUG/MEDIUM: quic_conn: let the scheduler kill the task when needed * BUG/MEDIUM: actions: always apply a longest match on prefix lookup * BUG/MINOR: mux-quic: remove full demux flag on ncbuf release * BUG/MEDIUM: server/cli: don't delete a dynamic server that has streams * MINOR: pattern: fix pat_{parse,match}_ip() function comments * BUG/MINOR: server: add missing free for server->rdr_pfx * BUG/MAJOR: mux-h2: Report a protocol error for any DATA frame before headers * BUG/MINOR: freq_ctr: fix possible negative rate with the scaled API * BUG/MEDIUM: master/cli: Pin the master CLI on the first thread of the group 1 * BUG/MINOR: promex: fix backend_agg_check_status * BUG/MEDIUM: mux-fcgi: Don't swap trash and dbuf when handling STDERR records * BUG/MINOR: hlua/init: coroutine may not resume itself * BUG/MEDIUM: hlua: don't pass stale nargs argument to lua_resume() * CI: musl: drop shopt in workflow invocation * CI: musl: highlight section if there are coredumps * Revert "BUG/MEDIUM: quic: missing check of dcid for init pkt including a token" * BUG/MEDIUM: hlua: streams don't support mixing lua-load with lua-load-per-thread * MINOR: hlua: add hlua_stream_ctx_prepare helper function * BUILD: quic: fix build on centos 8 and USE_QUIC_OPENSSL_COMPAT * BUG/MINOR: quic: ssl_quic_initial_ctx() uses error count not error code * BUG/MINOR: quic: allow-0rtt warning must only be emitted with quic bind * BUILD: Makefile: add USE_QUIC_OPENSSL_COMPAT to make help * MINOR: quic+openssl_compat: Emit an alert for "allow-0rtt" option * MINOR: quic+openssl_compat: Do not start without "limited-quic" * MINOR: quic: Warning for OpenSSL wrapper QUIC bindings without "limited-quic" * BUG/MINOR: quic+openssl_compat: Non initialized TLS encryption levels * DOC: quic: Add "limited-quic" new tuning setting * MINOR: quic: Add "limited-quic" new tuning setting * MINOR: quic: SSL context initialization with QUIC OpenSSL wrapper. * MINOR: quic: Add a quic_openssl_compat struct to quic_conn struct * MINOR: quic: Call the keylog callback for QUIC openssl wrapper from SSL_CTX_keylog() * MINOR: quic: Initialize TLS contexts for QUIC openssl wrapper * MINOR: quic: Export some KDF functions (QUIC-TLS) * MINOR: quic: Add a compilation option for the QUIC OpenSSL wrapper * MINOR: quic: Do not enable 0RTT with SSL_set_quic_early_data_enabled() * MINOR: quic: Set the QUIC connection as extra data before calling SSL_set_quic_method() * MINOR: quic: Do not enable O-RTT with USE_QUIC_OPENSSL_COMPAT * MINOR: quic: Include QUIC opensssl wrapper header from TLS stacks compatibility header * MINOR: quic: QUIC openssl wrapper implementation * BUG/MINOR: quic: Wrong cluster secret initialization * BUG/MINOR: quic: Leak of frames to send. * BUILD: bug: make BUG_ON() void to avoid a rare warning- Update to version 2.8.3+git0.86e043add: * [RELEASE] Released version 2.8.3 * CI: Update to actions/checkout@v4 * MEDIUM: capabilities: enable support for Linux capabilities * BUG/MINOR: hlua/action: incorrect message on E_YIELD error * BUG/MINOR: ring/cli: Don't expect input data when showing events * BUG/MINOR: applet: Always expect data when CLI is waiting for a new command * NUG/MEDIUM: stconn: Always update stream's expiration date after I/O * BUG/MEDIUM: stconn/stream: Forward shutdown on write timeout * BUG/MEDIUM: applet: Report an error if applet request more room on aborted SC * BUG/MEDIUM: stconn: Report read activity when a stream is attached to front SC * BUG/MEDIUM: applet: Fix API for function to push new data in channels buffer * BUG/MINOR: quic: Wrong RTT computation (srtt and rrt_var) * BUG/MINOR: quic: Wrong RTT adjusments * MINOR: httpclient: allow to configure the timeout.connect * MINOR: httpclient: allow to configure the retries * DOC: configuration: update examples for req.ver * BUG/MINOR: stream: further protect stream_dump() against incomplete sessions * BUG/MEDIUM: h1-htx: Ensure chunked parsing with full output buffer * BUG/MAJOR: quic: Really ignore malformed ACK frames. * BUG/MINOR: quic: Possible skipped RTT sampling * BUG/MEDIUM: stconn: Don't block sends if there is a pending shutdown * BUG/MEDIUM: stconn: Wake applets on sending path if there is a pending shutdown * BUG/MINOR: stconn: Don't report blocked sends during connection establishment * BUG/MEDIUM: stconn: Update stream expiration date on blocked sends * DEBUG: applet: Properly report opposite SC expiration dates in traces * BUG/MINOR: checks: do not queue/wake a bounced check * DOC: config: mention uid dependency on the tune.quic.socket-owner option * BUG/MINOR: stream: protect stream_dump() against incomplete streams * BUG/MINOR: ssl/cli: can't find ".crt" files when replacing a certificate * BUILD: import: guard plock.h against multiple inclusion * BUG/MINOR: ssl_sock: fix possible memory leak on OOM * DOC: lua: fix core.register_action typo * BUG/MINOR: hlua_fcn: potentially unsafe stktable_data_ptr usage * CI: fedora: fix "dnf" invocation syntax * IMPORT: xxhash: update xxHash to version 0.8.2 * MINOR: atomic: make sure to always relax after a failed CAS * MINOR: threads: inline the wait function for pthread_rwlock emulation * IMPORT: plock: also support inlining the int code * BUILD: Makefile: add the USE_QUIC option to make help * DOC: jwt: Add explicit list of supported algorithms * REGTESTS: Do not use REQUIRE_VERSION for HAProxy 2.5+ (3) * SCRIPTS: git-show-backports: automatic ref and base detection with -m * DOC: typo: fix sc-set-gpt references * BUG/MINOR: stktable: allow sc-add-gpc from tcp-request connection * BUG/MINOR: stktable: allow sc-set-gpt(0) from tcp-request connection * DEV: flags/show-sess-to-flags: properly decode fd.state * BUG/MINOR: hlua: fix invalid use of lua_pop on error paths * BUG/MEDIUM: quic: fix tasklet_wakeup loop on connection closing * CI: get rid of travis-ci wrapper for Coverity scan * CI: do not use "groupinstall" for Fedora Rawhide builds - drop 0001-IMPORT-xxhash-update-xxHash-to-version-0.8.2.patch: part of the version update- Apply upstream patch for the ppc64le issue: Add patch: 0001-IMPORT-xxhash-update-xxHash-to-version-0.8.2.patch Remove patch: fix-invalid-parameter-combination-for-AltiVec-intrinsic-__builtin_vec_ld.patch- Build error on ppc64le: include/import/xxhash.h:4148:9: error: invalid parameter combination for AltiVec intrinsic __builtin_vec_ld Add patch: fix-invalid-parameter-combination-for-AltiVec-intrinsic-__builtin_vec_ld.patch- Update to version 2.8.2+git0.61a0f576a: (boo#1214102) CVE-2023-40225 * [RELEASE] Released version 2.8.2 * BUG/MINOR: http: skip leading zeroes in content-length values * DOC: clarify the handling of URL fragments in requests * REGTESTS: http-rules: verify that we block '#' by default for normalize-uri * BUG/MINOR: h3: reject more chars from the :path pseudo header * BUG/MINOR: h2: reject more chars from the :path pseudo header * BUG/MINOR: h1: do not accept '#' as part of the URI component * REGTESTS: http-rules: add accept-invalid-http-request for normalize-uri tests * MINOR: h2: pass accept-invalid-http-request down the request parser * MINOR: http: add new function http_path_has_forbidden_char() * MINOR: ist: add new function ist_find_range() to find a character range * BUG/MAJOR: http: reject any empty content-length header value * BUG/MAJOR: h3: reject header values containing invalid chars * REORG: http: move has_forbidden_char() from h2.c to http.h * BUG/MAJOR: http-ana: Get a fresh trash buffer for each header value replacement * BUILD: quic: fix wrong potential NULL dereference * BUG/MINOR: quic: reappend rxbuf buffer on fake dgram alloc error * BUG/MINOR: http-client: Don't forget to commit changes on HTX message * BUG/MEDIUM: quic: consume contig space on requeue datagram * BUG/MEDIUM: bwlim: Reset analyse expiration date when then channel analyse ends * BUG/MEDIUM: h3: Be sure to handle fin bit on the last DATA frame * BUG/MINOR: chunk: fix chunk_appendf() to not write a zero if buffer is full * DOC: configuration: describe Td in Timing events * BUG/MEDIUM: h3: Properly report a C-L header was found to the HTX start-line * BUG/MINOR: ssl: OCSP callback only registered for first SSL_CTX * MINOR: quic: Useless call to SSL_CTX_set_quic_method() * MINOR: quic: Make ->set_encryption_secrets() be callable two times * BUG/MEDIUM: listener: Acquire proxy's lock in relax_listener() if necessary * BUG/MINOR: server-state: Avoid warning on 'file not found' * BUG/MINOR: server-state: Ignore empty files * BUG/MINOR: quic: Missing parentheses around PTO probe variable. * BUG/MINOR: server: Don't warn on server resolution failure with init-addr none * BUG/MINOR: init: set process' affinity even in foreground * BUG/MINOR: cpuset: remove the bogus "proc" from the cpu_map struct * BUG/MINOR: config: do not detect NUMA topology when cpu-map is configured * MINOR: cpuset: add cpu_map_configured() to know if a cpu-map was found * BUG/MINOR: h1-htx: Return the right reason for 302 FCGI responses * BUG/MINOR: hlua: add check for lua_newstate * BUILD: quic: fix warning during compilation using gcc-6.5 * CI: explicitely highlight VTest result section if there's something * CI: add naming convention documentation * BUG/MINOR: http: Return the right reason for 302 * BUG/MINOR: sample: Fix wrong overflow detection in add/sub conveters * DOC: config: Fix fc_src description to state the source address is returned * BUG/MEDIUM: hlua_fcn/queue: bad pop_wait sequencing * BUG/MINOR: hlua: hlua_yieldk ctx argument should support pointers * CLEANUP: quic: remove useless parameter 'key' from quic_packet_encrypt * BUG/MEDIUM: quic: timestamp shared in token was using internal time clock * BUG/MEDIUM: quic: missing check of dcid for init pkt including a token * BUG/MINOR: quic: retry token remove one useless intermediate expand * BUG/MEDIUM: quic: token IV was not computed using a strong secret * BUG/MINOR: config: Remove final '\n' in error messages * BUG/MINOR: hlua_fcn/queue: use atomic load to fetch queue size * EXAMPLES: maintain haproxy 2.8 retrocompatibility for lua mailers script * BUG/MINOR: sink/log: properly deinit srv in sink_new_from_logsrv() * MINOR: hlua_fcn/mailers: handle timeout mail from mailers section * BUG/MINOR: server: set rid default value in new_server() * BUG/MINOR: sink: fix errors handling in cfg_post_parse_ring() * BUG/MINOR: sink: invalid sft free in sink_deinit() * BUG/MINOR: log: free errmsg on error in cfg_parse_log_forward() * BUG/MINOR: log: fix multiple error paths in cfg_parse_log_forward() * BUG/MINOR: log: fix missing name error message in cfg_parse_log_forward() * BUG/MEDIUM: log: improper use of logsrv->maxlen for buffer targets * MINOR: sink/api: pass explicit maxlen parameter to sink_write() * BUG/MINOR: log: LF upsets maxlen for UDP targets * BUG/MINOR: ring: maxlen warning reported as alert * BUG/MINOR: ring: size warning incorrectly reported as fatal error * BUG/MINOR: sink: missing sft free in sink_deinit() * BUG/MINOR: http_ext: unhandled ERR_ABORT in proxy_http_parse_7239() * BUG/MEDIUM: sink: invalid server list in sink_new_from_logsrv() * BUG/MINOR: cache: A 'max-age=0' cache-control directive can be overriden by a s-maxage * BUG/MINOR: tcp_sample: bc_{dst,src} return IP not INT * DOC: ssl: Add ocsp-update troubleshooting clues and emphasize on crt-list only aspect * DOC: ssl: Fix typo in 'ocsp-update' option- Update to version 2.8.1+git0.a90123aa8: * [RELEASE] Released version 2.8.1 * CLEANUP: quic: Remove server specific about Initial packet number space * MINOR: quic: Reduce the maximum length of TLS secrets * MINOR: quic: Move packet number space related functions * MINOR: quic: Move QUIC encryption level structure definition * BUILD: debug: avoid a build warning related to epoll_wait() in debug code * MINOR: compression/slz: add support for a pure flush of pending bytes * IMPORT: slz: implement a synchronous flush() operation * BUG/MINOR: quic: Wrong endianess for version field in Retry token * BUG/MINOR: quic: Wrong Retry paquet version field endianess * BUG/MINOR: quic: Missing random bits in Retry packet header * BUG/MINOR: config: fix stick table duplicate name check * BUG/MEDIUM: quic: error checking buffer large enought to receive the retry tag * BUG/MINOR: quic: Prevent deadlock with CID tree lock * BUG/MINOR: mworker: leak of a socketpair during startup failure * BUG/MINOR: http_ext: fix if-none regression in forwardfor option * DOC: Attempt to fix dconv parsing error for tune.h2.fe.initial-window-size * REGTESTS: h1_host_normalization : Add a barrier to not mix up log messages * DOC: Add tune.h2.max-frame-size option to table of contents * DOC: Add tune.h2.be.* and tune.h2.fe.* options to table of contents * BUG/MINOR: quic: ticks comparison without ticks API use * BUG/MEDIUM: mworker: increase maxsock with each new worker * BUG/MINOR: quic: Possible endless loop in quic_lstnr_dghdlr() * BUG/MINOR: quic: Possible crash in quic_conn_prx_cntrs_update() * BUG/MINOR: quic: Missing initialization (packet number space probing) * BUG/MINOR: namespace: missing free in netns_sig_stop() * BUG/MINOR: server: inherit from netns in srv_settings_cpy() * BUG/MINOR: quic: Address inversion in "show quic full" * BUG/MINOR: quic: Wrong encryption level flags checking * BUG/MINOR: ssl: log message non thread safe in SSL Hanshake failure * REG-TESTS: stickiness: Delay haproxys start to properly resolv variables * BUG/MINOR: peers: Improve detection of config errors in peers sections * BUG/MEDIUM: hlua: Use front SC to detect EOI in HTTP applets' receive functions * BUG/MINOR: proxy/server: free default-server on deinit * BUG/MINOR: proxy: add missing interface bind free in free_proxy * BUG/MINOR: cfgparse-tcp: leak when re-declaring interface from bind line * DOC: config: fix rfc7239 converter examples (again) * DOC: config: fix jwt_verify() example using var() * DOC: quic: fix misspelled tune.quic.socket-owner * BUG/MINOR: spoe: Only skip sending new frame after a receive attempt * CONTRIB: Add vi file extensions to .gitignore * BUG/MINOR: quic: Possible crash when SSL session init fails * BUG/MINOR: stream: do not use client-fin/server-fin with HTX * BUG/MINOR: stats: Fix Lua's `get_stats` function- Refreshed patches to apply cleanly again: haproxy-1.6.0-makefile_lib.patch haproxy-1.6.0-sec-options.patch - Updated series file: removed outdated patches- Update to version 2.8.0+git0.fdd8154ed: https://www.mail-archive.com/haproxy@formilux.org/msg43600.html- Update to version 2.7.8+git0.58c657f26: * [RELEASE] Released version 2.7.8 * MINOR: listener: remove the now useless LI_F_QUIC_LISTENER flag- Add handling for the new startup logs in /dev/shm in the apparmor profile- Update to version 2.7.7+git0.feedf1414: * [RELEASE] Released version 2.7.7 * BUG/MINOR: tools: check libssl and libcrypto separately * MINOR: pools: report a replaced memory allocator instead of just malloc_trim() * BUG/MINOR: pools: restore detection of built-in allocator * MEDIUM: tools: further relax dlopen() checks too consider grouped symbols * MINOR: tools: relax dlopen() on malloc/free checks * MINOR: pattern: use trim_all_pools() instead of a conditional malloc_trim() * MINOR: pools: export trim_all_pools() * MEDIUM: pools: move the compat code from trim_all_pools() to malloc_trim() * MINOR: pools: intercept malloc_trim() instead of trying to plug holes * MINOR: pools: make sure 'no-memory-trimming' is always used * BUG/MINOR: illegal use of the malloc_trim() function if jemalloc is used * BUG/MINOR: quic: fix race on quic_conns list during affinity rebind * MINOR: quic: finalize affinity change as soon as possible * MINOR: mux-quic: do not allocate Tx buf for empty STREAM frame * MINOR: mux-quic: do not set buffer for empty STREAM frame * BUG/MINOR: quic: prevent buggy memcpy for empty STREAM * BUG/MEDIUM: mux-quic: improve streams fairness to prevent early timeout * BUG/MEDIUM: mux-quic: do not emit RESET_STREAM for unknown length * CLEANUP: quic: Rename several variables into quic_sock.c * CLEANUP: quic: Rename variable into qc_parse_hd_form() * CLEANUP: quic: Rename variable into quic_packet_read_long_header() * CLEANUP: quic: Rename several variables at low level * CLEANUP: quic: Rename quic_get_dgram_dcid() variable * CLEANUP: quic: Make qc_build_pkt() be more readable * CLEANUP: quic: Rename variable for several low level functions * CLEANUP: quic: Rename variable into quic_rx_pkt_parse() * CLEANUP: quic: Rename variable into quic_padding_check() * CLEANUP: quic: Rename variable to in quic_generate_retry_token() * CLEANUP: quic: Remove useless parameters passes to qc_purge_tx_buf() * CLEANUP: quic: rename frame variables * CLEANUP: quic: rename frame types with an explicit prefix * BUG/MINOR: quic: Useless I/O handler task wakeups (draining, killing state) * BUG/MINOR: quic: Useless probing retransmission in draining or killing state * BUG/MINOR: quic: Possible leak during probing retransmissions * BUG/MINOR: quic: Possible memory leak from TX packets * MINOR: quic: Move traces at proto level * BUILD: proto_tcp: export the correct names for proto_tcpv[46] * BUILD: sock_inet: forward-declare struct receiver * BUG/MINOR: config: fix NUMA topology detection on FreeBSD * CI: cirrus-ci: bump FreeBSD image to 13-1 * BUG/MINOR: cli: clarify error message about stats bind-process * MINOR: listener: remove unneeded local accept flag * MAJOR: quic: support thread balancing on accept * MINOR: quic: properly finalize thread rebinding * MEDIUM: quic: implement thread affinity rebinding * MINOR: fd: implement fd_migrate_on() to migrate on a non-local thread * MINOR: fd: add a lock bit with the tgid * MINOR: fd: optimize fd_claim_tgid() for use in fd_insert() * MINOR: quic: delay post handshake frames after accept * MINOR: protocol: define new callback set_affinity * MINOR: quic: do not proceed to accept for closing conn * MEDIUM: quic: handle conn bootstrap/handshake on a random thread * MINOR: quic: remove TID encoding in CID * MEDIUM: quic: use a global CID trees list * BUG/MINOR: server: don't use date when restoring last_change from state file * BUG/MINOR: server: don't miss server stats update on server state transitions * BUG/MINOR: server: don't miss proxy stats update on server state transitions * MINOR: server: explicitly commit state change in srv_update_status() * BUG/MINOR: server: incorrect report for tracking servers leaving drain * BUG/MEDIUM: Update read expiration date on synchronous send * BUG/MINOR: quic: consume Rx datagram even on error * BUG/MINOR: quic: prevent crash on qc_new_conn() failure * BUG/MINOR: h3: fix crash on h3s alloc failure * BUG/MINOR: mux-quic: properly handle STREAM frame alloc failure * BUG/MINOR: mux-quic: fix crash with app ops install failure * BUG/MINOR: quic: Wrong Retry token generation timestamp computing * BUG/MINOR: quic: Unchecked buffer length when building the token * MINOR: quic: Do not allocate too much ack ranges * BUG/MINOR: quic: Stop removing ACK ranges when building packets * BUG/MINOR: cfgparse: make sure to include openssl-compat * BUG/MEDIUM: quic: prevent crash on Retry sending * CLEANUP: backend: Remove useless debug message in assign_server() * BUG/MINOR: quic: transform qc_set_timer() as a reentrant function * MINOR: quic: remove TID ref from quic_conn * MINOR: quic: adjust quic CID derive API * MINOR: quic: adjust Rx packet type parsing * MINOR: quic: remove uneeded tasklet_wakeup after accept * CLEANUP: quic: rename quic_connection_id vars * CLEANUP: quic: remove unused qc param on stateless reset token * CLEANUP: quic: remove unused scid_node * CLEANUP: quic: remove unused QUIC_LOCK label * BUG/MINOR: task: allow to use tasklet_wakeup_after with tid -1 * BUG/MEDIUM: log: Properly handle client aborts in syslog applet * MINOR: ssl: remove OpenSSL 1.0.2 mention into certificate loading error * BUG/MINOR: quic: Do not use ack delay during the handshakes * REGTESTS: fix the race conditions in log_uri.vtc * BUG/MINOR: stream: Fix test on SE_FL_ERROR on the wrong entity * CI: bump "actions/checkout" to v3 for cross zoo matrix * BUG/MINOR: quic: Wrong Application encryption level selection when probing * MINOR: quic: Remove a useless test about probing in qc_prep_pkts() * MINOR: quic: Display the packet number space flags in traces * BUG/MINOR: quic: SIGFPE in quic_cubic_update() * BUG/MINOR: quic: Possible wrapped values used as ACK tree purging limit. * BUG/MEDIUM: quic: Code sanitization about acknowledgements requirements * MINOR: quic: Add connection flags to traces * BUG/MINOR: quic: Ignored less than 1ms RTTs * MINOR: quic: Add packet loss and maximum cc window to "show quic" * BUG/MEDIUM: fd: don't wait for tmask to stabilize if we're not in it. * BUG/MINOR: stick_table: alert when type len has incorrect characters * MINOR: activity: add a line reporting the average CPU usage to "show activity" * MINOR: quic: Add a trace for packet with an ACK frame * MINOR: quic: Dump more information at proto level when building packets * MINOR: quic: Modify qc_try_rm_hp() traces * BUG/MINOR: quic: Wrong packet number space probing before confirmed handshake * MINOR: quic: Trace fix in quic_pto_pktns() (handshaske status) * BUG/MEDIUM: resolvers: Force the connect timeout for DNS resolutions * BUG/MINOR: resolvers: Wakeup DNS idle task on stopping * BUG/MEDIUM: dns: Kill idle DNS sessions during stopping stage * BUILD: compiler: fix __equals_1() on older compilers * BUG/MINOR: errors: invalid use of memprintf in startup_logs_init() * BUG/MINOR: mworker: unset more internal variables from program section * MINOR: quic: remove address concatenation to ODCID * MINOR: quic: remove ODCID dedicated tree * MINOR: quic: derive first DCID from client ODCID * BUG/MINOR: quic: Possible crashes in qc_idle_timer_task() * BUG/MINOR: http-ana: Don't switch message to DATA when waiting for payload * MINOR: http-ana: Add a HTTP_MSGF flag to state the Expect header was checked * BUG/MEDIUM: hlua: prevent deadlocks with main lua lock * MINOR: hlua: simplify lua locking * BUG/MINOR: hlua: prevent function and table reference leaks on errors * BUG/MINOR: hlua: fix reference leak in hlua_post_init_state() * BUG/MINOR: hlua: fix reference leak in core.register_task() * MINOR: hlua: add simple hlua reference handling API * CLEANUP: hlua: fix conflicting comment in hlua_ctx_destroy() * BUG/MINOR: hlua: enforce proper running context for register_x functions * BUG/MINOR: hlua: hook yield does not behave as expected * BUG/MINOR: log: free log forward proxies on deinit() * BUG/MINOR: sink: free forward_px on deinit() * BUG/MINOR: stats: properly handle server stats dumping resumption * BUG/MINOR: server/del: fix srv->next pointer consistency * MINOR: server: add SRV_F_DELETED flag * BUG/MEDIUM: dns: Properly handle error when a response consumed * BUG/MEDIUM: channel: Improve reports for shut in co_getblk() * BUG/MINOR: quic: Possible wrong PTO computing * BUILD: quic: 32bits compilation issue in cli_io_handler_dump_quic() * BUG/MINOR: quic: Wrong idle timer expiration (during 20s) * BUG/MINOR: quic: Unexpected connection closures upon idle timer task execution * MINOR: quic: Add trace to debug idle timer task issues * DOC: config: strict-sni allows to start without certificate * MINOR: http-act: emit a warning when a header field name contains forbidden chars * BUG/MINOR: quic: Remove useless BUG_ON() in newreno and cubic algo implementation * BUG/MAJOR: quic: Congestion algorithms states shared between the connection * MINOR: quic: Add missing traces in cubic algorithm implementation * BUG/MINOR: quic: Cubic congestion control window may wrap * BUG/MINOR: quic: Remaining useless statements in cubic slow start callback * BUG/MINOR: quic: Wrong rtt variance computing * MEDIUM: quic: Ack delay implementation * MINOR: quic: Traces adjustments at proto level. * MINOR: quic: Adjustments for generic control congestion traces * MINOR: quic: Implement cubic state trace callback * BUG/MINOR: quic: Missing max_idle_timeout initialization for the connection * BUG/MINOR: quic: Wrong use of now_ms timestamps (newreno algo) * MINOR: quic: Add recovery related information to "show quic" * BUG/MINOR: quic: Wrong use of now_ms timestamps (cubic algo) * BUG/MINOR: backend: make be_usable_srv() consistent when stopping * BUG/MEDIUM: proxy/sktable: prevent watchdog trigger on soft-stop * DOC/MINOR: reformat configuration.txt's "quoting and escaping" table * MINOR: proxy/pool: prevent unnecessary calls to pool_gc() * BUG/MINOR: quic: Missing padding in very short probe packets * BUG/MEDIUM: mux-h2: Be able to detect connection error during handshake * BUILD: da: extends CFLAGS to support API v3 from 3.1.7 and onwards. * Revert "BUG/MEDIUM: stconn: Don't rearm the read expiration date if EOI was reached" * BUG/MINOR: ssl: ssl-(min|max)-ver parameter not duplicated for bundles in crt-list- Update to version 2.7.6+git0.4dadaaafb: * [RELEASE] Released version 2.7.6 * BUG/MINOR: quic: Missing STREAM frame type updated * BUG/MINOR: applet/new: fix sedesc freeing logic * BUG/MEDIUM: mux-h1: Wakeup H1C on shutw if there is no I/O subscription * DOC: config: set-var() dconv rendering issues * BUG/MEDIUM: stats: Consume the request except when parsing the POST payload * MINOR: mux-quic: close on frame alloc failure * MINOR: mux-quic: close on qcs allocation failure * MINOR: mux-quic: ensure CONNECTION_CLOSE is scheduled once per conn * MINOR: mux-quic: interrupt qcc_recv*() operations if CC scheduled * BUG/MINOR: mux-quic: prevent CC status to be erased by shutdown * BUG/MINOR: h3: properly handle incomplete remote uni stream type * MINOR: mux-quic: add flow-control info to minimal trace level * MINOR: mux-quic: adjust trace level for MAX_DATA/MAX_STREAM_DATA recv * MINOR: mux-quic: complete traces for qcs emission * BUG/MEDIUM: mux-quic: release data from conn flow-control on qcs reset * BUG/MINOR: trace: fix hardcoded level for TRACE_PRINTF * BUG/MINOR: quic: ignore congestion window on probing for MUX wakeup * BUG/MINOR: quic: wake up MUX on probing only for 01RTT * BUG/MEDIUM: applet: only set appctx->sedesc on successful allocation * BUG/MEDIUM: mux-h1: properly destroy a partially allocated h1s * BUG/MINOR: stconn: fix sedesc memory leak on stream allocation failure * BUG/MEDIUM: stconn: don't set the type before allocation succeeds * BUG/MEDIUM: mux-h2: erase h2c->wait_event.tasklet on error path * BUG/MEDIUM: mux-h2: do not try to free an unallocated h2s->sd * BUG/MEDIUM: stream: do not try to free a failed stream-conn * BUG/MINOR: quic: Dysfunctional 01RTT packet number space probing * MINOR: quic: Stop stressing the acknowledgments process (RX ACK frames) * MINOR: proto_ux: ability to dump ABNS names in error messages * MEDIUM: proto_ux: properly suspend named UNIX listeners * BUG/MEDIUM: listener/proxy: fix listeners notify for proxy resume * MINOR: listener: pause_listener() becomes suspend_listener() * BUG/MEDIUM: resume from LI_ASSIGNED in default_resume_listener() * BUG/MINOR: listener: fix resume_listener() resume return value handling * BUG/MEDIUM: listener: fix pause_listener() suspend return value handling * MINOR: listener: make sure we don't pause/resume bypassed listeners * MINOR: listener: workaround for closing a tiny race between resume_listener() and stopping * MINOR: listener: add relax_listener() function * MINOR: listener/api: add lli hint to listener functions * MINOR: proto_uxst: add resume method- Update to version 2.7.5+git0.8d230219e: * [RELEASE] Released version 2.7.5 * OPTIM: mux-h1: limit first read size to avoid wrapping * BUG/MAJOR: qpack: fix possible read out of bounds in static table * BUG/MINOR: sock_unix: match finalname with tempname in sock_unix_addrcmp() * BUG/MINOR: protocol: fix minor memory leak in protocol_bind_all() * BUG/MINOR: proto_ux: report correct error when bind_listener fails * BUG/MEDIUM: spoe: Don't set the default traget for the SPOE agent frontend * BUG/MINOR: mux-h2: Fix possible null pointer deref on h2c in _h2_trace_header() * MEDIUM: mux-h2/trace: add tracing support for headers * MINOR: h2: add h2_phdr_to_ist() to make ISTs from pseudo headers * MEDIUM: bwlim: Support constants limit or period on set-bandwidth-limit actions * BUG/MEDIUM: listener: duplicate inherited FDs if needed * BUG/MINOR: quic: Missing STREAM frame data pointer updates * BUG/MINOR: mux-h2: set CO_SFL_STREAMER when sending lots of data * BUG/MEDIUM: mux-h2: only restart sending when mux buffer is decongested * MINOR: buffer: add br_single() to check if a buffer ring has more than one buf * BUG/MINOR: mux-h2: make sure the h2c task exists before refreshing it * BUG/MEDIUM: connection: Preserve flags when a conn is removed from an idle list * BUG/MINOR: quic: Missing STREAM frame length updates * BUG/MINOR: tcp_sample: fix a bug in fc_dst_port and fc_dst_is_local sample fetches * BUG/MEDIUM: mux-h1: Don't block SE_FL_ERROR if EOS is not reported on H1C * DEBUG: ssl-sock/show_fd: Display SSL error code * DEBUG: cli/show_fd: Display connection error code * BUG/MEDIUM: resolvers: Properly stop server resolutions on soft-stop * BUG/MEDIUM: proxy: properly stop backends on soft-stop * BUG/MINOR: mux-h1: Don't report an H1C error on client timeout * BUG/MEDIUM: mux-pt: Set EOS on error on sending path if read0 was received- switch to autopatch to simplify patch handling- Update to version 2.7.4+git0.d28541d1f: * [RELEASE] Released version 2.7.4 * DOC/CLEANUP: fix typos * MINOR: quic_sock: un-statify quic_conn_sock_fd_iocb() * BUG/MINOR: quic: Missing listener accept queue tasklet wakeups * BUG/MINOR: mworker: use MASTER_MAXCONN as default maxconn value * BUG/MAJOR: fd/threads: close a race on closing connections after takeover * BUG/MINOR: thread: report thread and group counts in the correct order * BUG/MINOR: init: properly detect NUMA bindings on large systems * MINOR: quic: Do not stress the peer during retransmissions of lost packets * MINOR: fd/cli: report the polling mask in "show fd" * BUG/MINOR: quic: Wrong RETIRE_CONNECTION_ID sequence number check * MEDIUM: quic: release closing connections on stopping * MINOR: quic: handle new closing list in show quic * MINOR: quic: create a global list dedicated for closing QUIC conns * MINOR: h3: add traces on h3_init_uni_stream() error paths * MINOR: quic: Add transport parameters to "show quic" * MINOR: quic: Add spin bit support * MINOR: quic: Useless TLS context allocations in qc_do_rm_hp() * MINOR: quic: RETIRE_CONNECTION_ID frame handling (RX) * MINOR: quic: Typo fix for ACK_ECN frame * MINOR: quic: Store the next connection IDs sequence number in the connection * MINOR: quic: Do not accept wrong active_connection_id_limit values * BUG/MINOR: mux-quic: properly init STREAM frame as not duplicated * BUG/MAJOR: fd/thread: fix race between updates and closing FD * BUG/MEDIUM: quic: do not crash when handling STREAM on released MUX * MINOR: quic: Send PING frames when probing Initial packet number space * BUG/MINOR: quic: Missing detections of amplification limit reached * BUG/MINOR: quic: Do not resend already acked frames * BUG/MINOR: quic: Ensure not to retransmit packets with no ack-eliciting frames * BUG/MINOR: quic: Remove force_ack for Initial,Handshake packets * MINOR: quic: Add traces about QUIC TLS key update * BUG/MINOR: quic: v2 Initial packets decryption failed * BUG/MINOR: quic: Ensure to be able to build datagrams to be retransmitted * MINOR: quic: Add a BUG_ON_HOT() call for too small datagrams * BUG/MINOR: quic: Do not send too small datagrams (with Initial packets) * BUG/MINOR: cli: fix CLI handler "set anon global-key" call * BUG/MEDIUM: quic: properly handle duplicated STREAM frames * BUG/MINOR: config: crt-list keywords mistaken for bind ssl keywords * MINOR: ssl: rename confusing ssl_bind_kws * BUG/MINOR: ssl: Use 'date' instead of 'now' in ocsp stapling callback * BUG/MINOR: mxu-h1: Report a parsing error on abort with pending data * BUG/MINOR: http-ana: Do a L7 retry on read error if there is no response * BUG/MINOR: http-ana: Don't increment conn_retries counter before the L7 retry * MINOR: quic: notify on send ready * MEDIUM: quic: implement poller subscribe on sendto error * MINOR: quic: purge txbuf before preparing new packets * MINOR: quic: implement qc_notify_send() * MINOR: quic: simplify return path in send functions * BUG/MINOR: http-check: Skip C-L header for empty body when it's not mandatory * BUG/MINOR: http-check: Don't set HTX_SL_F_BODYLESS flag with a log-format body * BUG/MINOR: mux-h1: Don't report an error on an early response close * BUG/MEDIUM: connection: Clear flags when a conn is removed from an idle list * MINOR: quic: consider EBADF as critical on send() * MEDIUM: quic: improve fatal error handling on send * CLEANUP: listener: only store conn counts for local threads * BUG/MEDIUM: fd: make fd_delete() support being called from a different group * BUG/MINOR: fd: used the update list from the fd's group instead of tgid * DOC: config: Clarify the meaning of 'hold' in the 'resolvers' section * BUG/MEDIUM: h1-htx: Never copy more than the max data allowed during parsing * BUG/MEDIUM: fd: avoid infinite loops in fd_add_to_fd_list and fd_rm_from_fd_list * BUILD: thead: Fix several 32 bits compilation issues with uint64_t variables * BUG/MINOR: ring: do not realign ring contents on resize * BUILD: quic: 32-bits compilation issue with %zu in quic_rx_pkts_del() * BUG/MINOR: cache: Check cache entry is complete in case of Vary * BUG/MINOR: cache: Cache response even if request has "no-cache" directive * REGTESTS: Fix ssl_errors.vtc script to wait for connections close * DOC: config: Add the missing tune.fail-alloc option from global listing * DOC: config: Fix description of options about HTTP connection modes * BUG/MEDIUM: quic: Missing TX buffer draining from qc_send_ppkts() * MINOR: mux-h2/traces: add a missing TRACE_LEAVE() in h2s_frt_handle_headers() * MINOR: mux-h2/traces: do not log h2s pointer for dummy streams * MEDIUM: quic: trigger fast connection closing on process stopping * MINOR: quic: mark quic-conn as jobs on socket allocation * MEDIUM: mux-quic: properly implement soft-stop * MINOR: mux-quic: implement client-fin timeout * MINOR: mux-quic: define qc_process() * MINOR: mux-quic: define qc_shutdown() * MEDIUM: h3: enforce GOAWAY by resetting higher unhandled stream * BUG/MINOR: h3: prevent hypothetical demux failure on int overflow * BUG/MINOR: quic: acknowledge STREAM frame even if MUX is released * BUG/MINOR: quic: also send RESET_STREAM if MUX released * MINOR: quic: adjust request reject when MUX is already freed * BUG/MINOR: quic: Missing padding for short packets * BUG/MINOR: quic: Do not drop too small datagrams with Initial packets * BUG/MINOR: quic: Wrong initialization for io_cb_wakeup boolean * BUG/MINOR: quic: Do not probe with too little Initial packets * MINOR: quic: Add to the traces * MINOR: quic: Add a trace to identify connections which sent Initial packet. * BUG/MINOR: quic: Missing call to task_queue() in qc_idle_timer_do_rearm() * MINOR: quic: Make qc_dgrams_retransmit() return a status. * MINOR: quic: Add traces to qc_kill_conn() * MINOR: quic: Kill the connections on ICMP (port unreachable) packet receipt * MINOR: quic: Simplication for qc_set_timer() * BUG/MINOR: quic: Really cancel the connection timer from qc_set_timer() * MINOR: quic: Move code to wakeup the timer task to avoid anti-amplication deadlock * MINOR: quic: Add new traces about by connection RX buffer handling * BUG/MINOR: quic: Possible unexpected counter incrementation on send*() errors * MINOR: h3: add traces on decode_qcs callback * BUG/MINOR: mworker: prevent incorrect values in uptime * BUG/MINOR: mux-quic: transfer FIN on empty STREAM frame * MINOR: h3/hq-interop: handle no data in decode_qcs() with FIN set * BUG/MEDIUM: sched: allow a bit more TASK_HEAVY to be processed when needed * BUG/MINOR: sched: properly report long_rq when tasks remain in the queue * BUG/MEDIUM: wdt: fix wrong thread being checked for sleeping * BUG/MEDIUM: stconn: Don't rearm the read expiration date if EOI was reached * BUG/MEDIUM: httpclient/lua: fix a race between lua GC and hlua_ctx_destroy * BUG/MINOR: lua/httpclient: missing free in hlua_httpclient_send() * MINOR: startup: HAPROXY_STARTUP_VERSION contains the version used to start * BUG/MEDIUM: mworker: don't register mworker_accept_wrapper() when master FD is wrong * BUG/MEDIUM: mworker: prevent inconsistent reload when upgrading from old versions * BUG/MINOR: mworker: stop doing strtok directly from the env- Update to version 2.7.3+git0.1065b1000: (boo#1208132 CVE-2023-25725) * [RELEASE] Released version 2.7.3 * BUG/CRITICAL: http: properly reject empty http header field names * BUG/MINOR: quic: Wrong datagram dispatch because of qc_check_dcid() * DOC: proxy-protocol: fix wrong byte in provided example * BUG/MEDIUM: quic: Buffer overflow when looking through QUIC CLI keyword list * BUG/MINOR: clock/stats: also use start_time not start_date in HTML info * BUG/MINOR: mworker: fix uptime for master process * BUG/MINOR: quic: fix type bug on "show quic" for 32-bits arch * BUG/MINOR: quic: fix filtering of closing connections on "show quic" * MINOR: quic: filter closing conn on "show quic" * MINOR: quic: display Tx stream info on "show quic" * MINOR: quic: display infos about various encryption level on "show quic" * MINOR: quic: display socket info on "show quic" * MINOR: quic: display CIDs and state in "show quic" * MINOR: quic: implement a basic "show quic" CLI handler * BUG/MEDIUM: quic: fix crash when "option nolinger" is set in the frontend * BUG/MEDIUM: stconn: Schedule a shutw on shutr if data must be sent first * BUG/MINOR: server/add: ensure minconn/maxconn consistency when adding server * MINOR: cfgparse/server: move (min/max)conn postparsing logic into dedicated function * BUG/MINOR: h3: fix crash due to h3 traces * DOC: config: 'http-send-name-header' option may be used in default section * DOC: config: fix option spop-check proxy compatibility * BUG/MEDIUM: cache: use the correct time reference when comparing dates * BUG/MINOR: clock: do not mix wall-clock and monotonic time in uptime calculation * BUG/MEDIUM: stick-table: do not leave entries in end of window during purge * BUG/MINOR: ssl/crt-list: warn when a line is malformated * MINOR: quic: Update version_information transport parameter to draft-14 * BUG/MEDIUM: quic: do not split STREAM frames if no space * BUG/MINOR: quic: Unchecked source connection ID * MEDIUM: quic: Remove qc_conn_finalize() from the ClientHello TLS callbacks * BUG/MAJOR: quic: Possible crash when processing 1-RTT during 0-RTT session * MINOR: quic: When probing Handshake packet number space, also probe the Initial one * BUG/MINOR: quic: Do not ignore coalesced packets in qc_prep_fast_retrans() * MINOR: quic: Add a trace about variable states in qc_prep_fast_retrans() * BUG/MINOR: quic: Too big PTO during handshakes * BUG/MINOR: quic: Possible stream truncations under heavy loss * CLEANUP: quic: no need for atomics on packet refcnt * MINOR: quic: add config for retransmit limit * MEDIUM: quic: implement a retransmit limit per frame * MINOR: quic: refactor frame deallocation * MINOR: quic: define new functions for frame alloc * MINOR: quic: ensure offset is properly set for STREAM frames * MINOR: quic: remove fin from quic_stream frame type * BUG/MINOR: stats: Prevent HTTP "other sessions" counter underflows * MINOR: stats: add by HTTP version cumulated number of sessions and requests * BUG/MINOR: stats: fix STAT_STARTED behavior with full htx * BUG/MINOR: stats: fix show stats field ctx for servers * BUG/MINOR: stats: fix ctx->field update in stats_dump_proxy_to_buffer() * BUG/MEDIUM: stats: fix resolvers dump * BUG/MINOR: stats: fix source buffer size for http dump * BUG/MINOR: stats: use proper buffer size for http dump * BUG/MINOR: h3: fix crash due to h3 traces * BUG/MEDIUM: ssl: wrong eviction from the session cache tree * MINOR: h3: add missing traces on closure * BUG/MINOR: h3: reject RESET_STREAM received for control stream * BUG/MEDIUM: h3: handle STOP_SENDING on control stream * MINOR: mux-quic/h3: define stream close callback * OPTIM: h3: skip buf realign if no trailer to encode * BUG/MEDIUM: h3: do not crash if no buf space for trailers * BUG/MINOR: fcgi-app: prevent 'use-fcgi-app' in default section * MINOR: trace: add the long awaited TRACE_PRINTF() * MINOR: trace: add a trace_no_cb() dummy callback for when to use no callback * MINOR: trace: add a TRACE_ENABLED() macro to determine if a trace is active * DEV: hpack: fix `trash` build regression * BUG/MINOR: sink: free the forwarding task on exit * BUG/MINOR: ring: release the backing store name on exit * BUG/MINOR: log: release global log servers on exit * BUG/MEDIUM: hpack: fix incorrect huffman decoding of some control chars * BUG/MEDIUM: mux-quic: fix crash on H3 SETTINGS emission * BUG/MINOR: h3: fix GOAWAY emission * MINOR: mux-quic/h3: send SETTINGS as soon as transport is ready * MINOR: connection: add a BUG_ON() to detect destroying connection in idle list * DEV: haring: add a new option "-r" to automatically repair broken files * BUG/MINOR: sink: make sure to always properly unmap a file-backed ring * MEDIUM: quic-sock: fix udp source address for send on listener socket * BUG/MINOR: quic: Do not request h3 clients to close its unidirection streams * BUG/MINOR: jwt: Wrong return value checked- Update to version 2.7.2+git0.7e295dd2c: * [RELEASE] Released version 2.7.2 * BUILD: hpack: include global.h for the trash that is needed in debug mode * BUG/MINOR: mux-h2: add missing traces on failed headers decoding * BUG/MINOR: mux-h2: make sure to produce a log on invalid requests * MINOR: h3: implement TRAILERS decoding * MINOR: h3: implement TRAILERS encoding * MINOR: h3: extend function for QUIC varint encoding * BUG/MINOR: h3: properly handle connection headers * BUG/MINOR: bwlim: Fix parameters check for set-bandwidth-limit actions * BUG/MINOR: bwlim: Check scope for period expr for set-bandwitdh-limit actions * BUG/MEDIUM: debug/thread: make the debug handler not wait for !rdv_requests * MINOR: threads: add a thread_harmless_end() version that doesn't wait * BUG/MINOR: thread: always reload threads_enabled in loops * BUG/MEDIUM: fd/threads: fix again incorrect thread selection in wakeup broadcast * BUG/MINOR: listener: close tiny race between resume_listener() and stopping * BUG/MINOR: ssl: Fix compilation with OpenSSL 1.0.2 (missing ECDSA_SIG_set0) * BUG/MEDIUM: jwt: Properly process ecdsa signatures (concatenated R and S params) * DOC: config: fix "Address formats" chapter syntax * BUG/MINOR: mux-fcgi: Correctly set pathinfo * MINOR: quic: Replace v2 draft definitions by those of the final 2 version * MINOR: sample: Add "quic_enabled" sample fetch * MINOR: quic: Add "no-quic" global option * MINOR: quic: Disable the active connection migrations * MINOR: quic: Useless test about datagram destination addresses * BUG/MEDIUM: stconn: also consider SE_FL_EOI to switch to SE_FL_ERROR * CLEANUP: stconn: always use se_fl_set_error() to set the pending error * MINOR: listener: also support "quic+" as an address prefix * DOC: config: mention the missing "quic4@" and "quic6@" in protocol prefixes * DOC: config: fix aliases for protocol prefixes "udp4@" and "udp6@" * DOC: config: fix wrong section number for "protocol prefixes" * BUG/MINOR: listeners: fix suspend/resume of inherited FDs * BUG/MINOR: http-ana: make set-status also update txn->status * BUG/MEDIUM: mux-h2: Don't send CANCEL on shutw when response length is unkown * BUG/MINOR: http-fetch: Don't block HTTP sample fetch eval in HTTP_MSG_ERROR state * BUG/MINOR: http-ana: Report SF_FINST_R flag on error waiting the request body * BUG/MINOR: promex: Don't forget to consume the request on error * BUG/MEDIUM: peers: make "show peers" more careful about partial initialization * DEV: tcploop: add minimal support for unix sockets * BUG/MINOR: resolvers: Wait the resolution execution for a do_resolv action * BUG/MINOR: hlua: Fix Channel.line and Channel.data behavior regarding the doc * BUG/MINOR: h1-htx: Remove flags about protocol upgrade on non-101 responses * MINOR: mux-quic: use send-list for immediate sending retry * MINOR: mux-quic: use send-list for STOP_SENDING/RESET_STREAM emission * MEDIUM: h3: send SETTINGS before STREAM frames * MAJOR: mux-quic: rework stream sending priorization * MINOR: mux-quic: add traces for flow-control limit reach * BUG/MINOR: mux-quic: fix transfer of empty HTTP response * DOC: management: add details about @system-ca in "show ssl ca-file" * DOC: management: add details on "Used" status * DOC: config: added optional rst-ttl argument to silent-drop in action lists * CLEANUP: htx: fix a typo in an error message of http_str_to_htx * BUG/MINOR: http: Memory leak of http redirect rules' format string * BUG/MINOR: fd: avoid bad tgid assertion in fd_delete() from deinit() * REGTEST: fix the race conditions in hmac.vtc * REGTEST: fix the race conditions in digest.vtc * REGTEST: fix the race conditions in add_item.vtc * REGTEST: fix the race conditions in json_query.vtc * BUG/MINOR: proxy: free orgto_hdr_name in free_proxy() * DOC: config: remove duplicated "http-response sc-set-gpt0" directive * DOC: config: fix alphabetical ordering of http-after-response rules * BUG/MAJOR: buf: Fix copy of wrapping output data when a buffer is realigned * BUG/MINOR: http-fetch: Only fill txn status during prefetch if not already set * MINOR: config: add environment variables for default log format * CI: Reformat `matrix.py` using `black` * CI: Explicitly check environment variable against `None` in matrix.py * CI: Unify the `GITHUB_TOKEN` name across matrix.py and vtest.yml * CI: Use proper `if` blocks instead of conditional expressions in matrix.py * CI: Add in-memory cache for the latest OpenSSL/LibreSSL * CI: Improve headline in matrix.py * BUG/MINOR: stick-table: report the correct action name in error message * MINOR: cfgparse-ssl: avoid a possible crash on OOM in ssl_bind_parse_npn() * BUG/MINOR: debug: don't mask the TH_FL_STUCK flag before dumping threads * BUILD: makefile: make sure to also ignore SSL_INC when using wolfssl * BUILD: makefile: clean the wolfssl include and lib generation rules * BUILD: makefile: sort the features list * BUILD: makefile: build the features list dynamically * CI: github: use the GITHUB_TOKEN instead of a manually generated token * BUG/MINOR: mux-quic: ignore remote unidirectional stream close * CI: github: enable github api authentication for OpenSSL tags read * MINOR: h3: use stream error when needed instead of connection * MEDIUM: mux-quic: implement STOP_SENDING emission * MINOR: mux-quic: handle RESET_STREAM reception * MINOR: mux-quic: do not count stream flow-control if already closed * MEDIUM: mux-quic: implement shutw * MINOR: httpclient: don't add body when istlen is empty * BUG/MINOR: pool/stats: Use ullong to report total pool usage in bytes in stats * BUG/MEDIUM: mux-h2: Refuse interim responses with end-stream flag set * BUG/MINOR: quic: do not allocate more rxbufs than necessary * BUG/MEDIUM: quic: properly take shards into account on bind lines * BUG/MEDIUM: mux-quic: fix double delete from qcc.opening_list * REGTESTS: ssl: enable the ssl_reuse.vtc test for WolfSSL * OPTIM: pool: split the read_mostly from read_write parts in pool_head- Update to version 2.7.1+git0.3e4af0ed7: * [RELEASE] Released version 2.7.1 * BUG/MEDIUM: stats: Rely on a local trash buffer to dump the stats * BUG/MINOR:: mux-h1: Never handle error at mux level for running connection * BUG/MINOR: mux-h1: Report EOS on parsing/internal error for not running stream * BUG/MEDIUM: tests: use tmpdir to create UNIX socket * REGTESTS: startup: disable automatic_maxconn.vtc * BUG/MINOR: quic: fix crash on PTO rearm if anti-amplification reset * BUG/MINOR: stats: fix show stat json buffer limitation * MINOR: stats: introduce stats field ctx * MINOR: stats: provide ctx for dumping functions * BUG/MINOR: ssl: Fix memory leak of find_chain in ssl_sock_load_cert_chain * MINOR: h3: check return values of htx_add_* on headers parsing * BUG/MINOR: h3: fix memleak on HEADERS parsing failure * BUG/MEDIUM: h3: fix cookie header parsing * BUG/MINOR: mux-h1: Fix test instead a BUG_ON() in h1_send_error() * BUG/MEDIUM: mux-h1: Don't release H1 stream upgraded from TCP on error * LICENSE: wurfl: clarify the dummy library license. * BUG/MINOR: mux-quic: handle properly alloc error in qcs_new() * BUG/MINOR: mux-quic: remove qcs from opening-list on free * CLEANUP: mux-quic: remove unused attribute on qcs_is_close_remote() * BUG/MINOR: quic: handle alloc failure on qc_new_conn() for owned socket * BUG/MINOR: quic: properly handle alloc failure in qc_new_conn() * BUG/MINOR: quic: fix fd leak on startup check quic-conn owned socket * MINOR: quic: reconnect quic-conn socket on address migration * MEDIUM: quic: requeue datagrams received on wrong socket * MINOR: mux-quic: rename duplicate function names * MEDIUM: quic: move receive out of FD handler to quic-conn io-cb * MEDIUM: quic: use quic-conn socket for reception * MINOR: quic: use connection socket for emission * MINOR: quic: allocate a socket per quic-conn * MINOR: quic: define config option for socket per conn * MINOR: quic: test IP_PKTINFO support for quic-conn owned socket * MINOR: quic: startup detect for quic-conn owned socket support * MINOR: quic: ignore address migration during handshake * MINOR: quic: detect connection migration * MINOR: tools: add port for ipcmp as optional criteria * MINOR: quic: extract datagram parsing code * MINOR: quic: complete traces in qc_rx_pkt_handle() * MINOR: quic: remove qc from quic_rx_packet * BUILD: peers: peers-t.h depends on stick-table-t.h * CI: github: split matrix for development and stable branches * CI: github: remove redundant ASAN loop * MINOR: debug: add a balance of alloc - free at the end of the memstats dump * MINOR: debug: support pool filtering on "debug dev memstats" * BUG/MEDIUM: h3: parse content-length and reject invalid messages * MINOR: http: extract content-length parsing from H2 * BUG/MEDIUM: h3: reject request with invalid pseudo header * BUG/MEDIUM: h3: reject request with invalid header name * REGTESTS: startup: add alternatives values in automatic_maxconn.vtc * BUG/MEDIUM: resolvers: Use tick_first() to update the resolvers task timeout * BUG/MEDIUM: freq-ctr: Don't compute overshoot value for empty counters * CLEANUP: ssl: remove check on srv->proxy * REGTESTS: startup: activate automatic_maxconn.vtc * CI: github: set ulimit -n to a greater value * REGTESTS: startup: change the expected maxconn to 11000 * BUG/MINOR: startup: don't use internal proxies to compute the maxconn * REGTESTS: startup: check maxconn computation * REGTESTS: fix the race conditions in iff.vtc * BUG/MAJOR: fcgi: Fix uninitialized reserved bytes * DOC: promex: Add missing backend metrics * MINOR: promex: introduce haproxy_backend_agg_check_status * BUG/MINOR: promex: create haproxy_backend_agg_server_status * MINOR: pools: make DEBUG_UAF a runtime setting * DEBUG: pool: show a few examples in -dMhelp * CLEANUP: pools: get rid of CONFIG_HAP_POOLS * REORG: pool: move all the OS specific code to pool-os.h * CLEANUP: pool: only include pool-os from pool.c not pool.h * CLEANUP: pools: move the write before free to the uaf-only function * BUG/MEDIUM: httpclient/lua: double LIST_DELETE on end of lua task * BUILD: makefile/da: also clean Os/ in Device Atlas dummy lib dir * BUILD: atomic: atomic.h may need compiler.h on ARMv8.2-a * BUG/MINOR: init/threads: continue to limit default thread count to max per group * BUG/MINOR: checks: restore legacy on-error fastinter behavior * BUG/MEDIUM: mworker: create the mcli_reload socketpairs in case of upgrade * BUG/MEDIUM: mworker: fix segv in early failure of mworker mode with peers * MINOR: mworker: display an alert upon a wait-mode exit * BUG/MINOR: checks: make sure fastinter is used even on forced transitions * BUG/MEDIUM: checks: do not reschedule a possibly running task on state change * CI: github: split ssl lib selection based on git branch * CI: github: reintroduce openssl 1.1.1 * BUG/MEDIIM: stconn: Flush output data before forwarding close to write side * BUG/MINOR: ssl: initialize WolfSSL before parsing * BUG/MINOR: ssl: initialize SSL error before parsing- Update to version 2.7.0+git0.437fd289f: https://www.haproxy.com/blog/announcing-haproxy-2-7/ https://www.mail-archive.com/haproxy@formilux.org/msg42914.html- reenable the pcre jit after the last change- Switch from unmaintained pcre 8.45 to pcre2 10- Update to version 2.6.6+git0.274d1a4df: * [RELEASE] Released version 2.6.6 * BUG/MINOR: log: improper behavior when escaping log data * REGTESTS: ssl: fix grep invocation to use extended regex in ssl_generate_certificate.vtc * REGTESTS: ssl: adopt tests to OpenSSL-3.0.N * REGTESTS: ssl: adopt tests to OpenSSL-3.0.N * BUG/MEDIUM: mux-quic: properly trim HTX buffer on snd_buf reset * MINOR: mux-quic: refactor snd_buf * REORG: mux-quic: export HTTP related function in a dedicated file * REORG: mux-quic: extract traces in a dedicated source file * BUG/MINOR: mux-quic: do not keep detached qcs with empty Tx buffers * BUG/MEDIUM: mux-quic: fix nb_hreq decrement * SCRIPTS: announce-release: update some URLs to https * BUILD: fd: fix a build warning on the DWCAS * BUG/MEDIUM: captures: free() an error capture out of the proxy lock * CLEANUP: quic,ssl: fix tiny typos in C comments * BUG/MEDIUM: server: segv when adding server with hostname from CLI * BUG/MINOR: mux-quic: do not remotely close stream too early * CLEANUP: mux-quic: remove stconn usage in h3/hq * BUG/MEDIUM: mux-quic: fix crash on early app-ops release * MEDIUM: quic: separate path for rx and tx with set_encryption_secrets * DOC: fix TOC in starter guide for subsection 3.3.8. Statistics * REGTESTS: ssl/log: test the log-forward with SSL * BUG/MEDIUM: sink: bad init sequence on tcp sink from a ring. * REGTESTS: log: test the log-forward feature * BUG/MINOR: listener: null pointer dereference suspected by coverity * CLEANUP: listener: function comment typo in stop_listener() * REGTESTS: healthcheckmail: Relax matching on the healthcheck log message * BUG/MINOR: mux-h1: Increment open_streams counter when H1 stream is created * CLEANUP: pollers: remove dead code in the polling loop * BUG/MINOR: stats: fixing stat shows disabled frontend status as 'OPEN' * MINOR: proxy/listener: support for additional PAUSED state * MINOR: listener: small API change * BUG/MEDIUM: proxy: ensure pause_proxy() and resume_proxy() own PROXY_LOCK * DEV: flags: add missing CO_FL_FDLESS connection flag * DEV: flags: fix usage message to reflect available options * CI: cirrus-ci: bump FreeBSD image to 13-1 * BUG/MINOR: signals/poller: ensure wakeup from signals * MINOR: h3: Send the h3 settings with others streams (requests) * MINOR: h3: Missing connection argument for a TRACE_LEAVE() argument * MINOR: h3: Add the quic_conn object to h3 traces * BUG/MINOR: h3: Crash when h3 trace verbosity is "minimal" * BUG/MINOR: quic: Trace fix about packet number space information. * BUG/MINOR: quic: Speed up the handshake completion only one time * BUG/MINOR: signals/poller: set the poller timeout to 0 when there are signals * BUG/MINOR: stream/sched: take into account CPU profiling for the last call * MINOR: sched: store the current profile entry in the thread context * BUG/MINOR: sched: properly account for the CPU time of dying tasks * BUG/MINOR: task: Fix detection of tasks profiling in tasklet_wakeup_after() * CLEANUP: task: rename ->call_date to ->wake_date * MINOR: task: permanently enable latency measurement on tasklets * BUG/MINOR: task: make task_instant_wakeup() work on a task not a tasklet * BUG/MINOR: task: always reset a new tasklet's call date * BUG/MINOR: quic: Wrong connection ID to thread ID association * MINOR: quic: No TRACE_LEAVE() in retrieve_qc_conn_from_cid() * MINOR: quic: Add traces about sent or resent TX frames * MINOR: quic: add QUIC support when no client_hello_cb * BUILD: quic: fix the #ifdef in ssl_quic_initial_ctx() * BUILD: ssl: fix the ifdef mess in ssl_sock_initial_ctx * BUILD: quic: enable early data only with >= openssl 1.1.1 * BUILD: quic: temporarly ignore chacha20_poly1305 for libressl * BUILD: ssl: fix ssl_sock_switchtx_cbk when no client_hello_cb * BUILD: quic: add some ifdef around the SSL_ERROR_* for libressl * BUG/MINOR: quic: Possible crash when verifying certificates * BUG/MINOR: h1: Support headers case adjustment for TCP proxies * BUG/MINOR: quic: Possible crash with "tls-ticket-keys" on QUIC bind lines * BUG/MINOR: quic: Retransmitted frames marked as acknowledged * BUILD: makefile: enable crypt(3) for NetBSD * MINOR: Revert part of clarifying samples support per os commit * MEDIUM: peers: limit the number of updates sent at once- Update to version 2.6.5+git0.987a4e248: * [RELEASE] Released version 2.6.5 * BUG/MINOR: http-act: initialize http fmt head earlier * MINOR: debug: report applet pointer and handler in crashes when known * DEBUG: stream: minor rearrangement of a few fields in struct stream. * BUG/MINOR: mux-fcgi: fix the "show fd" dest buffer for the subscriber * BUG/MINOR: mux-h1: fix the "show fd" dest buffer for the subscriber * BUG/MINOR: mux-h2: fix the "show fd" dest buffer for the subscriber * BUG/MINOR: httpclient: keep-alive was accidentely disabled * BUG/MEDIUM: httpclient: always detach the caller before self-killing * BUG/MINOR: h2: properly set the direction flag on HTX response * BUG/MINOR: quic: Frames leak during retransmissions * MINOR: quic: Trace typo fix in qc_release_frm() * MINOR: quic: Add TX frames addresses to traces to several trace events * BUG/MINOR: quic: Do not ack when probing * MINOR: backend: always satisfy the first req reuse rule with l7 retries * BUG/MEDIUM: mux-h1: always use RST to kill idle connections in pools * REGTESTS: http_request_buffer: Add a barrier to not mix up log messages * BUG/MINOR: regex: Properly handle PCRE2 lib compiled without JIT support * BUILD: debug: make sure debug macros are never empty * CLEANUP: exclude haring with .gitignore * DEV: haring: support remapping LF in contents with CR VT * DEV: haring: add a simple utility to read file-backed rings * MINOR: sink/ring: rotate non-empty file-backed contents only * MINOR: ring: archive a previous file-backed ring on startup * BUILD: sink: replace S_IRUSR, S_IWUSR with their octal value * MINOR: ring: add support for a backing-file * MINOR: ring: support creating a ring from a linear area * BUILD: ring: forward-declare struct appctx to avoid a build warning * BUG/MINOR: ssl: leak of ckch_inst_link in ckch_inst_free() v2 * BUG/MINOR: quic: TX frames memleak * MINOR: quic: Move traces about RX/TX bytes from QUIC_EV_CONN_PRSAFRM event * MINOR: quic: Add a trace to distinguish the datagram from the packets inside * BUG/MINOR: quic: Missing header protection AES cipher context initialisations (draft-v2) * BUG/MINOR: quic: Frames added to packets even if not built. * BUG/MINOR: quic: Null packet dereferencing from qc_dup_pkt_frms() trace * Revert "MINOR: quic: Remove useless traces about references to TX packets" * MINOR: quic: Remove useless traces about references to TX packets * CLEANUP: quic: Remove a useless check in qc_lstnr_pkt_rcv() * CLEANUP: quic: No more use ->rx_list MT_LIST entry point (quic_rx_packet) * BUG/MINOR: quic: Stalled connections (missing I/O handler wakeup) * BUG/MINOR: quic: Leak in qc_release_lost_pkts() for non in flight TX packets * Revert "BUG/MINOR: quix: Memleak for non in flight TX packets" * MINOR: quic: Replace MT_LISTs by LISTs for RX packets. * BUG/MINOR: quic: Safer QUIC frame builders * BUG/MINOR: quic: Wrong list_for_each_entry() use when building packets from qc_do_build_pkt() * BUG/MINOR: quix: Memleak for non in flight TX packets * BUG/MINOR: mux-quic: Fix memleak on QUIC stream buffer for unacknowledged data * MINOR: quic: Add reusable cipher contexts for header protection * MINOR: quic: Trace fix in qc_release_frm() * MINOR: quic: Add the QUIC connection to mux traces * BUG/MINOR: quic: Wrong splitted duplicated frames handling * MINOR: quic: Add frame addresses to QUIC_EV_CONN_PRSAFRM event traces * BUG/MINOR: quic: Possible crashes when dereferencing ->pkt quic_frame struct member * MEDIUM: h3: concatenate multiple cookie headers * REGTESTS: add test for HTTP/2 cookies concatenation * REORG: h2: extract cookies concat function in http_htx * BUG/MEDIUM: quic: fix crash on MUX send notification * BUG/MINOR: quic: Missing initializations for ducplicated frames. * BUG/MINOR: quic: do not notify MUX on frame retransmit * MINOR: quic: refactor application send * MINOR: mux-quic: add missing args on some traces * MINOR: mux-quic: adjust traces on stream init * BUG/MEDIUM: mux-quic: reject uni stream ID exceeding flow control * MINOR: qpack: report error on enc/dec stream close * MINOR: h3: report error on control stream close * MINOR: quic: adjust quic_frame flag manipulation * BUG/MINOR: quic: Wrong status returned by qc_pkt_decrypt() * BUG/MINOR: quic: MIssing check when building TX packets * BUG/MINOR: mux-quic: fix crash with traces in qc_detach() * BUG/MEDIUM: quic: Wrong use of in qc_lsntr_pkt_rcv() * BUG/MEDIUM: quic: Possible use of uninitialized variable in qc_lstnr_params_init() * BUG/MEDIUM: mux-quic: fix crash due to invalid trace arg * MINOR: mux-quic: define new traces * CLEANUP: mux-quic: adjust traces level * MINOR: mux-quic: define protocol error traces * MINOR: mux-quic: adjust enter/leave traces * CLEANUP: quic: Remove trailing spaces * MINOR: quic: Remove useless lock for RX packets * MEDIUM: quic: xprt traces rework * BUG/MINOR: quic: fix crash on handshake io-cb for null next enc level * BUG/MINOR: mux-quic: open stream on STOP_SENDING * MINOR: quic: skip sending if no frame to send in io-cb * MINOR: quic: refactor datagram commit in Tx buffer * MINOR: quic: release Tx buffer on each send * MINOR: quic: replace custom buf on Tx by default struct buffer * MINOR: quic: Replace pool_zalloc() by pool_malloc() for fake datagrams * BUG/MINOR: quic: adjust errno handling on sendto * MINOR: quic: Add two new stats counters for sendto() errors * MEDIUM: mux-quic: implement http-request timeout * MINOR: mux-quic: refactor refresh timeout function * MINOR: mux-quic: refresh timeout on frame decoding * MINOR: h3: support HTTP request framing state * MEDIUM: mux-quic: implement http-keep-alive timeout * MINOR: mux-quic: count in-progress requests * MEDIUM: mux-quic: adjust timeout refresh * MINOR: mux-quic: use timeout server for backend conns * MINOR: mux-quic: save proxy instance into qcc * MINOR: h3: implement graceful shutdown with GOAWAY * MINOR: h3: store control stream in h3c * MINOR: mux-quic: send one last time before release * CLEANUP: mux-quic: move qc_release() * MEDIUM: quic: send CONNECTION_CLOSE on released MUX * MINOR: mux-quic/h3: prepare CONNECTION_CLOSE on release * MINOR: mux-quic: support app graceful shutdown * MINOR: quic: define a generic QUIC error type * CLEANUP: quic: clean up include on quic_frame-t.h * MEDIUM: mux-quic: implement STOP_SENDING handling * MEDIUM: mux-quic: implement RESET_STREAM emission * MINOR: mux-quic: use stream states to mark as detached * MINOR: mux-quic: define basic stream states * MINOR: mux-quic: support stream opening via MAX_STREAM_DATA * MINOR: mux-quic: do not ack STREAM frames on unrecoverable error * MINOR: mux-quic: filter send/receive-only streams on frame parsing * MINOR: mux-quic: implement qcs_alert() * MINOR: mux-quic: add traces on frame parsing functions * MINOR: mux-quic: rename stream purge function * REORG: mux-quic: rename stream initialization function * MINOR: mux-quic: emit FINAL_SIZE_ERROR on invalid STREAM size * MINOR: mux-quic: rename qcs flag FIN_RECV to SIZE_KNOWN * MEDIUM: mux-quic: refactor streams opening * MINOR: mux-quic: implement accessor for sedesc * REORG: mux-quic: reorganize flow-control fields * CLEANUP: mux-quic: do not export qc_get_ncbuf * CLEANUP: mux-quic: adjust comment on qcs_consume() * BUG/MINOR: qpack: abort on dynamic index field line decoding * BUG/MINOR: qpack: fix build with QPACK_DEBUG * CLEANUP: pool/quic: remove suffix "_pool" from certain pool names * MINOR: quic: Dump version_information transport parameter * BUG/MINOR: qpack: abort on dynamic index field line decoding * BUILD: quic: Wrong HKDF label constant variable initializations * CLEANUP: quic: Remove any reference to boringssl * MEDIUM: quic: Compatible version negotiation implementation (draft-08) * MINOR: quic: Released QUIC TLS extension for QUIC v2 draft * MEDIUM: quic: Add QUIC v2 draft support * CLEANUP: quid: QUIC draft-28 no more supported * MINOR: quic: Parse long packet version from qc_parse_hd_form() * MINOR: quic: Add several nonce and key definitions for Retry tag * MINOR: qpack: improve decoding function * MINOR: qpack: add ABORT_NOW on unimplemented decoding * MINOR: qpack: reduce dependencies on other modules * CLEANUP: quic: use task_new_on() for single-threaded tasks * MINOR: mux-quic: complete BUG_ON on TX flow-control enforcing * BUG/MEDIUM: h3: fix SETTINGS parsing * BUG/MINOR: h3: fix incorrect BUG_ON assert on SETTINGS parsing * BUG/MINOR: h3: fix return value on decode_qcs on error * MINOR: mux-quic/h3: adjust demuxing function return values * MINOR: mux-quic: simplify decode_qcs API * CLEANUP: Re-apply xalloc_size.cocci (2) * MINOR: connection: support HTTP/3.0 for smp_*_http_major fetch * BUG/MINOR: dev/udp: properly preset the rx address size * BUG/MEDIUM: mux-h1: do not refrain from signaling errors after end of input * BUG/MINOR: ssl: revert two wrong fixes with ckhi_link * MINOR: quic: Revert recent QUIC commits * BUG/MEDIUM: ssl: Fix a UAF when old ckch instances are released * BUG/MINOR: ssl: leak of ckch_inst_link in ckch_inst_free() * BUG/MINOR: ssl: fix deinit of the ca-file tree * BUG/MINOR: tcpcheck: Disable QUICKACK for default tcp-check (with no rule) * MINOR: quic: Add a trace to distinguish the datagram from the packets inside * BUG/MINOR: applet: make the call_rate only count the no-progress calls * BUG/MEDIUM: applet: fix incorrect check for abnormal return condition from handler * MINOR: quic: Replace MT_LISTs by LISTs for RX packets. * BUG/MINOR: hlua: Rely on CF_EOI to detect end of message in HTTP applets * BUG/MEDIUM: peers: Don't start resync on reload if local peer is not up-to-date * BUG/MEDIUM: peers: Don't use resync timer when local resync is in progress * BUG/MEDIUM: peers: Add connect and server timeut to peers proxy * BUG/MEDIUM: spoe: Properly update streams waiting for a ACK in async mode * BUG/MINOR: quic: Frames added to packets even if not built. * DOC: configuration.txt: do-resolve must use host_only to remove its port. * BUG/MINOR: httpclient: fix resolution with port * MINOR: sample: add the host_only and port_only converters * DOC: configuration: do-resolve doesn't work with a port in the string * CLEANUP: quic: Remove a useless check in qc_lstnr_pkt_rcv() * CLEANUP: quic: No more use ->rx_list MT_LIST entry point (quic_rx_packet) * BUG/MINOR: quic: Stalled connections (missing I/O handler wakeup) * BUG/MINOR: quic: Leak in qc_release_lost_pkts() for non in flight TX packets * MINOR: resolvers: shut the warning when "default" resolvers is implicit * REGTESTS: Fix prometheus script to perform HTTP health-checks * BUG/MINOR: tcpcheck: Disable QUICKACK only if data should be sent after connect * BUG/MINOR: mworker: does not create the "default" resolvers in wait mode * BUG/MINOR: resolvers: return the correct value in resolvers_finalize_config() * BUILD: tcp_sample: fix build of get_tcp_info() on OpenBSD * BUG/MINOR: quic: Safer QUIC frame builders * BUG/MINOR: quic: Wrong list_for_each_entry() use when building packets from qc_do_build_pkt()- Update to version 2.6.4+git0.2a2078cba: * [RELEASE] Released version 2.6.4 * BUG/MAJOR: mworker: fix infinite loop on master with no proxies. * BUG/MINOR: ssl/cli: error when the ca-file is empty- Update to version 2.6.3+git0.76f187b36: * [RELEASE] Released version 2.6.3 * BUG/MAJOR: log-forward: Fix ssl layer not initialized on bind even if configured * BUG/MAJOR: log-forward: Fix log-forward proxies not fully initialized * BUG/MEDIUM: mux-h2: do not fiddle with ->dsi to indicate demux is idle * BUG/MEDIUM: cli: always reset the service context between commands * MINOR: applet: add a function to reset the svcctx of an applet * BUG/MEDIUM: http-ana: fix crash or wrong header deletion by http-restrict-req-hdr-names * MINOR: stick-table: Add table_expire() and table_idle() new converters * BUG/MINOR: quic: memleak on wrong datagram receipt * BUG/MEDIUM: ring: fix too lax 'size' parser * BUG/MINOR: quic: Possible infinite loop in quic_build_post_handshake_frames() * BUILD: debug: silence warning on gcc-5 * BUILD: stconn: fix build warning at -O3 about possible null sc * BUG/MEDIUM: task: relax one thread consistency check in task_unlink_wq() * BUG/MEDIUM: poller: use fd_delete() to release the poller pipes * BUG/MEDIUM: quic: always remove the connection from the accept list on close * CLEANUP: mux-quic: remove loop on sending frames * BUG/MEDIUM: quic: Missing AEAD TAG check after removing header protection * MINOR: quic: Too much useless traces in qc_build_frms() * BUG/MEDIUM: quic: Wrong packet length check in qc_do_rm_hp() * BUILD: cfgparse: always defined _GNU_SOURCE for sched.h and crypt.h * CLEANUP: assorted typo fixes in the code and comments * BUG/MEDIUM: quic: break out of the loop in quic_lstnr_dghdlr * MINOR: quic: explicitely ignore sendto error * BUG/MINOR: quic: Missing Initial packet dropping case * BUG/MINOR: quic: do not reject datagrams matching minimum permitted size * BUG/MINOR: sink: fix a race condition between the writer and the reader * BUG/MEDIUM: sink: Set the sink ref for forwarders created during ring parsing * BUG/MINOR: ring/cli: fix a race condition between the writer and the reader * BUG/MINOR: quic: Avoid sending truncated datagrams * BUILD: http: silence an uninitialized warning affecting gcc-5 * BUG/MEDIUM: quic: Floating point exception in cubic_root() * BUG/MINOR: quic: Missing in flight ack eliciting packet counter decrement * MINOR: peers: Add a warning about incompatible SSL config for the local peer * BUG/MEDIUM: proxy: Perform a custom copy for default server settings * REORG: server: Export srv_settings_cpy() function * MINOR: server: Constify source server to copy its settings * BUG/MINOR: backend: Don't increment conn_retries counter too early * BUG/MEDIUM: dns: Properly initialize new DNS session * BUG/MINOR: peers: Use right channel flag to consider the peer as connected * BUG/MEDIUM: peers: limit reconnect attempts of the old process on reload * MINOR: peers: Use a dedicated reconnect timeout when stopping the local peer * BUG/MINOR: mux-quic: do not free conn if attached streams * CLEANUP: mux-quic: remove useless app_ops is_active callback * BUG/MINOR: mux-quic: prevent crash if conn released during IO callback * BUG/MEDIUM: pattern: only visit equivalent nodes when skipping versions * MINOR: ebtree: add ebmb_lookup_shorter() to pursue lookups * BUG/MEDIUM: queue/threads: limit the number of entries dequeued at once * MINOR: quic: Send packets as much as possible from qc_send_app_pkts() * BUG/MAJOR: quic: Useless resource intensive loop qc_ackrng_pkts() * MINOR: quic: Stop looking for packet loss asap * BUG/MINOR: quic: loss time limit variable computed but not used * MINOR: quic: New "quic-cc-algo" bind keyword * MEDIUM: quic: Cubic congestion control algorithm implementation * MINOR: quic: Congestion control architecture refactoring * BUG/MEDIUM: mux-quic: fix missing EOI flag to prevent streams leaks * BUG/MINOR: mworker: PROC_O_LEAVING used but not updated * MEDIUM: resolvers: continue startup if network is unavailable * DEBUG: fd: split the fd check * Revert "BUG/MINOR: peers: set the proxy's name to the peers section name" * BUG/MINOR: sockpair: wrong return value for fd_send_uxst()- Update to version 2.6.2+git0.16a3646fd: * [RELEASE] Released version 2.6.2 * BUG/MINOR: backend: Fallback on RR algo if balance on source is impossible * BUILD: quic: fix anonymous union for gcc-4.4 * BUG/MEDIUM: stconn: Only reset connect expiration when processing backend side * BUILD: add detection for unsupported compiler models * BUG/MEDIUM: mworker: proc_self incorrectly set crashes upon reload * BUG/MAJOR: mux_quic: fix invalid PROTOCOL_VIOLATION on POST data overlap * BUG/MINOR: mworker/cli: relative pid prefix not validated anymore * BUG/MINOR: quic: do not send CONNECTION_CLOSE_APP in initial/handshake * BUG/MINOR: tools: fix statistical_prng_range()'s output range * BUG/MINOR: ssl: allow duplicate certificates in ca-file directories * BUG/MINOR: resolvers: shut off the warning for the default resolvers * MINOR: resolvers: resolvers_destroy() deinit and free a resolver * BUG/MEDIUM: tools: avoid calling dlsym() in static builds (try 2) * BUILD: makefile: Fix install(1) handling for OpenBSD/NetBSD/Solaris/AIX * BUG/MEDIUM: tools: avoid calling dlsym() in static builds * BUG/MINOR: debug: enter ha_panic() only once * BUG/MEDIUM: cli/threads: make "show threads" more robust on applets * BUG/MINOR: quic: fix closing state on NO_ERROR code sent * BUG/MEDIUM: mux-quic: fix server chunked encoding response * CLEANUP: h2: Typo fix in h2_unsubcribe() traces * MINOR: qpack: properly handle invalid dynamic table references * MINOR: h3: handle errors on HEADERS parsing/QPACK decoding * MINOR: h3: add h3c pointer into h3s instance * BUG/MINOR: mux-quic: do not signal FIN if gap in buffer * MINOR: ncbuf: implement ncb_is_fragmented() * MINOR: quic: Increase the QUIC connections RX buffer size (upto 64Kb) * MINOR: quic: Improvements for the datagrams receipt * MINOR: task: Add tasklet_wakeup_after() * MINOR: quic: Duplicated QUIC_RX_BUFSZ definition * MINOR: quic: Add new stats counter to diagnose RX buffer overrun * BUG/MINOR: quic: Dropped packets not counted (with RX buffers full) * BUILD: quic+h3: 32-bit compilation errors fixes * BUG/MAJOR: quic: Big RX dgrams leak with POST requests * BUG/MAJOR: quic: Big RX dgrams leak when fulfilling a buffer * BUG/MINOR: quic: Wrong reuse of fulfilled dgram RX buffer * BUG/MINOR: quic: Missing acknowledgments for trailing packets * MEDIUM: mworker: set the iocb of the socketpair without using fd_insert() * BUG/MEDIUM: mux-h1: Handle connection error after a synchronous send * BUG/MEDIUM: http-ana: Don't wait to have an empty buf to switch in TUNNEL state * BUG/MINOR: mux-h1: Be sure to commit htx changes in the demux buffer * REGTEESTS: filters: Fix CONNECT request in random-forwarding script * BUG/MEDIUM: http-fetch: Don't fetch the method if there is no stream * MINOR: http-htx: Use new HTTP functions for the scheme based normalization * BUG/MEDIUM: h1: Improve authority validation for CONNCET request * MINOR: http: Add function to detect default port * MINOR: http: Add function to get port part of a host * BUG/MINOR: http-htx: Fix scheme based normalization for URIs wih userinfo * BUG/MINOR: peers: fix possible NULL dereferences at config parsing * BUG/MINOR: http-act: Properly generate 103 responses when several rules are used * BUG/MINOR: http-check: Preserve headers if not redefined by an implicit rule * BUG/MINOR: peers/config: always fill the bind_conf's argument * MINOR: fd: Add BUG_ON checks on fd_insert() * CI: re-enable gcc asan builds * BUILD: Makefile: Add Lua 5.4 autodetect * BUG/MEDIUM: ssl/fd: unexpected fd close using async engine * MINOR: fd: add a new FD_DISOWN flag to prevent from closing a deleted FD * BUG/MINOR: http-fetch: Use integer value when possible in "method" sample fetch * BUG/MINOR: http-ana: Set method to HTTP_METH_OTHER when an HTTP txn is created * BUG/MINOR: ssl: Do not look for key in extra files if already in pem * MEDIUM: mux-h2: try to coalesce outgoing WINDOW_UPDATE frames - drop lua54.patch (upstream)- Update to version 2.6.1+git0.f6ca66d44: * [RELEASE] Released version 2.6.1 * REGTESTS: ssl: add the same cert for client/server * BUG/MEDIUM: mworker: use default maxconn in wait mode * BUG/MINOR: quic: Acknowledgement must be forced during handshake * BUG/MEDIUM: ssl/cli: crash when crt inserted into a crt-list * BUG/MINOR: quic: free rejected Rx packets * BUG/MINOR: quic: purge conn Rx packet list on release * BUG/MINOR: quic_stats: Duplicate "quic_streams_data_blocked_bidi" field name * BUG/MINOR: quic: Unexpected half open connection counter wrapping * BUG/MINOR: log: Properly test connection retries to fix dontlog-normal option * MINOR: stream: Rely on stconn flags to abort stream destructive upgrade * BUG/MEDIUM: stream: Properly handle destructive client connection upgrades * BUG/MINOR: task: fix thread assignment in tasklet_kill() * BUG/MINOR: quic: Wrong PTO calculation * BUG/MINOR: quic: Stop hardcoding Retry packet Version field * BUG/BUILD: h3: fix wrong label name * BUG/MINOR: h3/qpack: deal with too many headers * MINOR: qpack: add comments and remove a useless trace * BUG/MINOR: qpack: support header litteral name decoding * BUG/MEDIUM: mux-quic: fix segfault on flow-control frame cleanup * BUG/MEDIUM: cli: Notify cli applet won't consume data during request processing * BUG/MEDIUM: stconn: Don't wakeup applet for send if it won't consume data * BUG/MINOR: tcp-rules: Make action call final on read error and delay expiration * BUG/MINOR: mux-quic: fix memleak on frames rejected by transport * BUG/MEDIUM: mux-quic: fix flow control connection Tx level * BUG/MINOR: cli/stats: add missing trailing LF after "show info json" * BUG/MINOR: server: do not enable DNS resolution on disabled proxies * BUG/MINOR: cli/stats: add missing trailing LF after JSON outputs * BUG/MINOR: h3: fix frame type definition * REGTESTS: healthcheckmail: Relax health-check failure condition * REGTESTS: healthcheckmail: Update the test to be functionnal again * BUG/MINOR: checks: Properly handle email alerts in trace messages * BUG/MINOR: trace: Test server existence for health-checks to get proxy * BUG/MEDIUM: mailers: Set the object type for check attached to an email alert * BUILD: compiler: implement unreachable for older compilers too * REGTESTS: restrict_req_hdr_names: Extend supported versions * REGTESTS: http_abortonclose: Extend supported versions * BUG/MINOR: ssl_ckch: Fix possible uninitialized value in show_crlfile I/O handler * BUG/MINOR: ssl_ckch: Fix possible uninitialized value in show_cafile I/O handler * BUG/MINOR: ssl_ckch: Fix possible uninitialized value in show_cert I/O handler * BUG/MINOR: ssl_ckch: Init right field when parsing "commit ssl crl-file" cmd * BUG/MINOR: ssl_ckch: Dump cert transaction only once if show command yield * BUG/MINOR: ssl_ckch: Dump CA transaction only once if show command yield * BUG/MINOR: ssl_ckch: Dump CRL transaction only once if show command yield * BUG/MINOR: ssl_ckch: Use right type for old entry in show_crlfile_ctx * REGTESTS: http_request_buffer: Increase client timeout to wait "slow" clients * REGTESTS: abortonclose: Add a barrier to not mix up log messages * MEDIUM: httpclient: Don't close CLI applet at the end of a response * MEDIUM: http-ana: Always report rewrite failures as PRXCOND in logs * BUG/MEDIUM: httpclient: Rework CLI I/O handler to handle full buffer cases * BUG/MEDIUM: httpclient: Don't remove HTX header blocks before duplicating them * BUG/MEDIUM: ssl/crt-list: Rework 'add ssl crt-list' to handle full buffer cases * BUG/MEDIUM: ssl_ckch: Rework 'commit ssl ca-file' to handle full buffer cases * BUG/MEDIUM: ssl_ckch: Rework 'commit ssl cert' to handle full buffer cases * BUG/MINOR: ssl_ckch: Don't duplicate path when replacing a CA/CRL entry * BUG/MINOR: ssl_ckch: Don't duplicate path when replacing a cert entry * BUG/MEDIUM: ssl_ckch: Don't delete CA/CRL entry if it is being modified * BUG/MEDIUM: ssl_ckch: Don't delete a cert entry if it is being modified * BUG/MINOR: ssl_ckch: Free error msg if commit changes on a CA/CRL entry fails * BUG/MINOR: ssl_ckch: Free error msg if commit changes on a cert entry fails- Update to version 2.6.0+git0.a1efc048b: https://www.mail-archive.com/haproxy@formilux.org/msg42371.html - refreshed patches - haproxy-1.6.0-makefile_lib.patch - haproxy-1.6.0-sec-options.patch - haproxy-1.6.0_config_haproxy_user.patch - lua54.patch- Update to version 2.5.7+git0.2ef551d02: * [RELEASE] Released version 2.5.7 * CLEANUP: mux-h1: Fix comments and error messages for global options * MINOR: mux-h1: Add global option accpet payload for any HTTP/1.0 requests * BUG/MEDIUM: wdt: don't trigger the watchdog when p is unitialized * CLEANUP: applet: make appctx_new() initialize the whole appctx * BUG/MINOR: conn_stream: do not confirm a connection from the frontend path * DOC/MINOR: fix typos in the lua-api document * BUG/MEDIUM: lua: fix argument handling in data removal functions * BUG/MINOR: server: Make SRV_STATE_LINE_MAXLEN value from 512 to 2kB (2000 bytes). * DOC: install: update gcc version requirements * BUG/MEDIUM: ssl: fix the gcc-12 broken fix :-( * BUILD: listener: shut report of possible null-deref in listener_accept() * BUILD: debug: work around gcc-12 excessive -Warray-bounds warnings * BUILD: ssl: work around bogus warning in gcc 12's -Wformat-truncation * BUG/MINOR: ssl: Fix typos in crl-file related CLI commands * CI: dynamically determine actual version of h2spec * DOC: fix typo "ant" for "and" in INSTALL * BUG/MINOR: ssl/cli: fix "show ssl cert" not to mix cli+ssl contexts * BUG/MINOR: ssl/cli: fix "show ssl crl-file" not to mix cli+ssl contexts * BUG/MINOR: ssl/cli: fix "show ssl ca-file " not to mix cli+ssl contexts * BUG/MINOR: ssl/cli: fix "show ssl ca-file/crl-file" not to mix cli+ssl contexts * BUG/MEDIUM: ssl/cli: fix yielding in show_cafile_detail * BUG/MINOR: map/cli: make sure patterns don't vanish under "show map"'s init * BUG/MINOR: map/cli: protect the backref list during "show map" errors * BUG/MINOR: proxy/cli: don't enumerate internal proxies on "show backend" * BUG/MEDIUM: cli: make "show cli sockets" really yield * BUG/MEDIUM: resolvers: make "show resolvers" properly yield * BUG/MINOR: startup: usage() when no -cc arguments * BUG/MINOR: tcp/http: release the expr of set-{src,dst}[-port] * DOC: config: Update doc for PR/PH session states to warn about rewrite failures * MINOR: mux-h2: report a trace event when failing to create a new stream * BUG/MINOR: mux-h2: mark the stream as open before processing it not after * BUG/MAJOR: dns: multi-thread concurrency issue on UDP socket * BUG/MEDIUM: mux-h1: Be able to handle trailers when C-L header was specified * BUG/MEDIUM: mux-fcgi: Be sure to never set EOM flag on an empty HTX message * SCRIPTS: announce-release: add URL of dev packages * CI: github actions: update LibreSSL to 3.5.2 * BUG/MEDIUM: httpclient: Fix loop consuming HTX blocks from the response channel * MINOR: ssl: add a new global option "tune.ssl.hard-maxrecord" * BUG/MINOR: pools: make sure to also destroy shared pools in pool_destroy_all() * BUG/MINOR: resolvers: Fix memory leak in resolvers_deinit() * BUG/MEDIUM: http-ana: Fix memleak in redirect rules with ignore-empty option * MINOR: connection: Add way to disable active connection closing during soft-stop * BUILD: compiler: properly distinguish weak and global symbols- Update to version 2.5.6+git0.ba44b4312: * [RELEASE] Released version 2.5.6 * REGTESTS: fix the race conditions in be2dec.vtc ad field.vtc * BUG/MINOR: connection: "connection:close" header added despite 'close-spread-time' * BUG/MINOR: sample: add missing use_backend/use-server contexts in smp_resolve_args * Revert "CI: github actions: disable -Wno-deprecated" * BUG/MINOR: rules: Fix check_capture() function to use the right rule arguments * BUG/MEDIUM: rules: Be able to use captures defined in defaults section * BUG/MINOR: rules: Forbid captures in defaults section if used by a backend * DOC: remove my name from the config doc * MEDIUM: queue: use tasklet_instant_wakeup() to wake tasks * MINOR: task: add a new task_instant_wakeup() function * BUG/MAJOR: connection: Never remove connection from idle lists outside the lock * BUG/MINOR: cache: Disable cache if applet creation fails * BUILD: calltrace: fix wrong include when building with TRACE=1 * SCRIPTS: announce-release: add shortened links to pending issues * DOC: lua: update a few doc URLs * SCRIPTS: announce-release: update the doc's URL * BUG/MEDIUM: compression: Don't forget to update htx_sl and http_msg flags * BUG/MEDIUM: fcgi-app: Use http_msg flags to know if C-L header can be added * BUG/MEDIUM: stream: do not abort connection setup too early * BUILD: compiler: use a more portable set of asm(".weak") statements * BUILD: sched: workaround crazy and dangerous warning in Clang 14 * BUG/MEDIUM: mux-h1: Don't request more room on partial trailers * BUG/MINOR: mux-h2: use timeout http-request as a fallback for http-keep-alive * BUG/MINOR: mux-h2: do not use timeout http-keep-alive on backend side * BUILD: debug: mark the __start_mem_stats/__stop_mem_stats symbols as weak * BUG/MINOR: cache: do not display expired entries in "show cache" * BUG/MINOR: mux-h2: do not send GOAWAY if SETTINGS were not sent * CI: cirrus: switch to FreeBSD-13.0 * CI: github actions: disable -Wno-deprecated * BUG/MINOR: stats: define the description' background color in dark color scheme * CI: Update to actions/cache@v3 * CI: Update to actions/checkout@v3 * MEDIUM: global: Add a "close-spread-time" option to spread soft-stop on time window * Revert "BUILD: opentracing: display warning in case of using OT_USE_VARS at compile time" * MAJOR: opentracing: reenable usage of vars to transmit opentracing context * DEBUG: opentracing: display the contents of the err variable after setting * CLEANUP: opentracing: added FLT_OT_PARSE_INVALID_enum enum * DEBUG: opentracing: show return values of all functions in the debug output * MINOR: opentracing: improved normalization of context variable names * CLEANUP: opentracing: added variable to store variable length * CLEANUP: opentracing: added flt_ot_smp_init() function * MINOR: opentracing: only takes the variables lock on shared entries * Revert "MINOR: opentracing: change the scope of the variable 'ot.uuid' from 'sess' to 'txn'" * CLEANUP: opentracing: removed unused function flt_ot_var_get() * CLEANUP: opentracing: removed unused function flt_ot_var_unset() * DOC: opentracing: corrected comments in function descriptions * EXAMPLES: opentracing: refined shell scripts for testing filter performance * BUG/BUILD: opentracing: fixed OT_DEFINE variable setting * BUG/MINOR: opentracing: setting the return value in function flt_ot_var_set() * BUG/MEDIUM: http-act: Don't replace URI if path is not found or invalid * BUG/MEDIUM: http-conv: Fix url_enc() to not crush const samples * BUG/MEDIUM: mux-h1: Set outgoing message to DONE when payload length is reached * BUG/MEDIUM: promex: Be sure to never set EOM flag on an empty HTX message * BUG/MEDIUM: hlua: Don't set EOM flag on an empty HTX message in HTTP applet * BUG/MEDIUM: stats: Be sure to never set EOM flag on an empty HTX message * BUG/MINOR: fcgi-app: Don't add C-L header on response to HEAD requests * BUG/MINOR: httpclient: end callback in applet release * BUG/MINOR: ssl/cli: Remove empty lines from CLI output * CI: github actions: update OpenSSL to 3.0.2 * DOC: remove double blanks in configuration.txt * BUG/MAJOR: mux_pt: always report the connection error to the conn_stream * BUG/MINOR: cli/stream: fix "shutdown session" to iterate over all threads * BUG/MINOR: samples: add missing context names for sample fetch functions * REGTESTS: ssl: use X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY for cert check * BUG/MEDIUM: mux-h1: Properly detect full buffer cases during message parsing * BUG/MEDIUM: mux-fcgi: Properly handle return value of headers/trailers parsing * DOC: reflect H2 timeout changes * BUG/MINOR: tools: url2sa reads too far when no port nor path * DOC: config: Explictly add supported MQTT versions * MEDIUM: mqtt: support mqtt_is_valid and mqtt_field_value converters for MQTTv3.1 * BUG/MINOR: rules: Initialize the list element when allocating a new rule * BUG/MEDIUM: mux-h2: make use of http-request and keep-alive timeouts * MEDIUM: mux-h2: slightly relax timeout management rules * BUG/MEDIUM: trace: avoid race condition when retrieving session from conn->owner * BUG/MEDIUM: stream-int: do not rely on the connection error once established * BUG/MEDIUM: mux-h1: only turn CO_FL_ERROR to CS_FL_ERROR with empty ibuf * CI: github actions: switch to LibreSSL-3.5.1 * BUG/MINOR: httpclient: CF_SHUTW_NOW should be tested with channel_is_empty() * BUG/MINOR: httpclient: process the response when received before the end of the request * BUG/MINOR: httpclient: only check co_data() instead of HTTP_MSG_DATA * BUG/MINOR: server/ssl: free the SNI sample expression * BUILD: httpclient: fix build without SSL * BUG/MINOR: httpclient: send the SNI using the host header * MINOR: server: export server_parse_sni_expr() function * BUG/MINOR: httpclient/lua: stuck when closing without data * BUG/MINOR: tools: fix url2sa return value with IPv4- Update to version 2.5.5+git0.384c5c59a: * [RELEASE] Released version 2.5.5 * REGTESTS: fix the race conditions in be2hex.vtc * BUG/MEDIUM: httpclient: must manipulate head, not first * BUG/MINOR: httpclient: remove the UNUSED block when parsing headers * BUG/MINOR: httpclient: consume partly the blocks when necessary * CLEANUP: htx: remove unused co_htx_remove_blk() * BUG/MEDIUM: httpclient: don't consume data before it was analyzed * BUG/MINOR: session: fix theoretical risk of memleak in session_accept_fd() * BUG/MAJOR: mux-pt: Always destroy the backend connection on detach * DEBUG: stream: Fix stream trace message to print response buffer state * DEBUG: stream: Add the missing descriptions for stream trace events * BUG/MEDIUM: mcli: Properly handle errors and timeouts during reponse processing * DEBUG: cache: Update underlying buffer when loading HTX message in cache applet * BUG/MEDIUM: stream: Use the front analyzers for new listener-less streams * BUG/MINOR: promex: Set conn-stream/channel EOI flags at the end of request * BUG/MINOR: cache: Set conn-stream/channel EOI flags at the end of request * BUG/MINOR: stats: Set conn-stream/channel EOI flags at the end of request * BUG/MINOR: hlua: Set conn-stream/channel EOI flags at the end of request * BUG/MINOR: httpclient: Set conn-stream/channel EOI flags at the end of request * BUG/MINOR: cli: shows correct mode in "show sess" * BUG/MINOR: add missing modes in proxy_mode_str() * BUILD: fix recent build breakage of freebsd caused by kFreeBSD build fix * BUILD: pools: fix backport of no-memory-trimming on non-linux OS * MINOR: stats: Add dark mode support for socket rows * MINOR: pools: add a new global option "no-memory-trimming" * BUILD: fix kFreeBSD build. * BUG/MEDIUM: pools: fix ha_free() on area in the process of being freed * BUG/MINOR: pool: always align pool_heads to 64 bytes * BUG/MEDIUM: httpclient/lua: infinite appctx loop with POST * REGTESTS: fix the race conditions in secure_memcmp.vtc * REGTESTS: fix the race conditions in normalize_uri.vtc * BUG/MEDIUM: htx: Fix a possible null derefs in htx_xfer_blks() * BUG/MEDIUM: mux-fcgi: Don't rely on SI src/dst addresses for FCGI health-checks * BUILD: tree-wide: mark a few numeric constants as explicitly long long * BUILD: atomic: make the old HA_ATOMIC_LOAD() support const pointers * CI: Consistently use actions/checkout@v2 * CI: github actions: use cache for SSL libs * CI: refactor OpenTracing build script * CI: github actions: use cache for OpenTracing * CI: github actions: add the output of $CC -dM -E-- Update to version 2.5.4+git0.e55ab4208: * [RELEASE] Released version 2.5.4 * BUG/MEDIUM: stream: Abort processing if response buffer allocation fails * CI: github: enable pool debugging by default * REGTESTS: fix the race conditions in 40be_2srv_odd_health_checks * BUG/MINOR: proxy: preset the error message pointer to NULL in parse_new_proxy() * DOC: Fix usage/examples of deprecated ACLs * BUG/MAJOR: mux-h2: Be sure to always report HTX parsing error to the app layer * BUG/MEDIUM: mux-h1: Don't wake h1s if mux is blocked on lack of output buffer * BUG/MEDIUM: htx: Be sure to have a buffer to perform a raw copy of a message- apparmor: profile now needs access to /sys/devices/system/node/- Update to version 2.5.3+git0.abf078b15: * [RELEASE] Released version 2.5.3 * DEBUG: buffer: check in __b_put_blk() whether the buffer room is respected * BUG/MEDIUM: httpclient: limit transfers to the maximum available room * BUG/MINOR: tools: url2sa reads ipv4 too far * CLEANUP: httpclient/cli: fix indentation alignment of the help message * BUG/MINOR: ssl: Missing return value check in ssl_ocsp_response_print * BUG/MINOR: ssl: Fix leak in "show ssl ocsp-response" CLI command * BUG/MINOR: ssl: Add missing return value check in ssl_ocsp_response_print * BUG/MINOR: mailers: negotiate SMTP, not ESMTP * BUG/MINOR: httpclient: reinit flags in httpclient_start() * MINOR: httpclient: Don't limit data transfer to 1024 bytes * BUG/MAJOR: compiler: relax alignment constraints on certain structures * BUG/MEDIUM: fd: always align fdtab[] to 64 bytes * BUG/MEDIUM: resolvers: Really ignore trailing dot in domain names * BUG/MINOR: sink: Use the right field in appctx context in release callback * BUG/MINOR: mworker: fix a FD leak of a sockpair upon a failed reload * BUG/MEDIUM: mworker: close unused transferred FDs on load failure * MINOR: sock: move the unused socket cleaning code into its own function- Update to version 2.5.2+git0.042feec44: (CVE-2022-0711 boo#1196408) * [RELEASE] Released version 2.5.2 * BUG/MINOR: mux-h2: update the session's idle delay before creating the stream * BUG/MEDIUM: h2/hpack: fix emission of HPACK DTSU after settings change * REGTESTS: peers: leave a bit more time to peers to synchronize * REGTESTS: server: close an occasional race on dynamic_server_ssl.vtc * BUG/MAJOR: spoe: properly detach all agents when releasing the applet * BUG/MAJOR: http/htx: prevent unbounded loop in http_manage_server_side_cookies * BUG/MINOR: httpclient/cli: display junk characters in vsn * BUG/MINOR: jwt: Memory leak if same key is used in multiple jwt_verify calls * BUG/MINOR: jwt: Missing pkey free during cleanup * BUG/MINOR: jwt: Double free in deinit function * BUG/MINOR: ssl: Remove empty lines from "show ssl ocsp-response " output * BUG/MEDIUM: httpclient: Xfer the request when the stream is created * BUG/MINOR: httpclient: Revisit HC request and response buffers allocation * BUG/MEDIUM: listener: read-lock the listener during accept() * MINOR: listener: replace the listener's spinlock with an rwlock * DEBUG: fd: make sure we never try to insert/delete an impossible FD number * BUG/MINOR: mworker: does not erase the pidfile upon reload * BUG/MAJOR: sched: prevent rare concurrent wakeup of multi-threaded tasks * DEBUG: pools: replace the link pointer with the caller's address on pool_free() * DEBUG: pools: let's add reverse mapping from cache heads to thread and pool * DEBUG: pools: add extra sanity checks when picking objects from a local cache * BUG/MINOR: pools: always flush pools about to be destroyed * BUG/MINOR: mworker: does not add the -sf in wait mode * BUG/MEDIUM: mworker: don't lose the stats socket on failed reload * REGTESTS: ssl: Fix ssl_errors regtest with OpenSSL 1.0.2 * DEBUG: pools: add new build option DEBUG_POOL_INTEGRITY * BUILD: debug/cli: condition test of O_ASYNC to its existence * DEBUG: cli: add a new "debug dev fd" expert command * BUG/MINOR: stream: make the call_rate only count the no-progress calls * BUG/MEDIUM: mcli: always realign wrapping buffers before parsing them * BUG/MEDIUM: mcli: do not try to parse empty buffers * BUG/MEDIUM: cli: Never wait for more data on client shutdown * MEDIUM: h2/hpack: emit a Dynamic Table Size Update after settings change * BUG/MINOR: cli: avoid O(bufsize) parsing cost on pipelined commands * MINOR: channel: add new function co_getdelim() to support multiple delimiters * MEDIUM: cli: yield between each pipelined command * DOC: management: mark "set server ssl" as deprecated * BUG/MEDIUM: server: avoid changing healthcheck ctx with set server ssl * BUILD/MINOR: fix solaris build with clang. * BUG/MINOR: httpclient/lua: don't pop the lua stack when getting headers * BUG/MINOR: httpclient: set default Accept and User-Agent headers * BUG/MINOR: httpclient: don't send an empty body * BUG/MEDIUM: htx: Adjust length to add DATA block in an empty HTX buffer * BUG/MEDIUM: connection: properly leave stopping list on error- Add now working CONFIG parameter to sysusers generator- Update to version 2.5.1+git0.86b093a51: * [RELEASE] Released version 2.5.1 * CI: github actions: clean default step conditions * BUILD: cpuset: fix build issue on macos introduced by previous change * BUG/MAJOR: mux-h1: Don't decrement .curr_len for unsent data * BUG/MINOR: ssl: Store client SNI in SSL context in case of ClientHello error * BUG/MEDIUM: mworker: don't use _getsocks in wait mode * BUG/MEDIUM: http-ana: Preserve response's FLT_END analyser on L7 retry * BUG/MINOR: cli: fix _getsocks with musl libc * BUILD/MINOR: tools: solaris build fix on dladdr. * CI: github actions: update OpenSSL to 3.0.1 * BUILD/MINOR: cpuset FreeBSD 14 build fix. * REGTESTS: ssl: update of a crt with server deletion * BUG/MEDIUM: ssl: free the ckch instance linked to a server * BUG/MINOR: ssl: free the fields in srv->ssl_ctx * CI: Github Actions: do not show VTest failures if build failed * BUILD: makefile: add -Wno-atomic-alignment to work around clang abusive warning * MINOR: cpuset: switch to sched_setaffinity for FreeBSD 14 and above. * MINOR: proxy: add option idle-close-on-response * MINOR: debug: add support for -dL to dump library names at boot * MINOR: debug: add ability to dump loaded shared libraries * MINOR: compat: detect support for dl_iterate_phdr() * REGTESTS: ssl: fix ssl_default_server.vtc * BUG/MEDIUM: ssl: initialize correctly ssl w/ default-server * BUILD: opentracing: display warning in case of using OT_USE_VARS at compile time * DEBUG: ssl: make sure we never change a servername on established connections * DOC: fix misspelled keyword "resolve_retries" in resolvers * BUILD: ssl: unbreak the build with newer libressl * BUG/MINOR: mux-h1: Fix splicing for messages with unknown length * BUG/MEDIUM: mux-h1: Fix splicing by properly detecting end of message * BUG/MEDIUM: peers: properly skip conn_cur from incoming messages * BUG/MEDIUM: backend: fix possible sockaddr leak on redispatch * MINOR: pools: work around possibly slow malloc_trim() during gc * MINOR: ssl: Remove empty lines from "show ssl ocsp-response" output * BUG/MEDIUM: mworker/cli: crash when trying to access an old PID in prompt mode * DOC: config: fix error-log-format example * DOC: config: retry-on list is space-delimited * DOC: config: Specify %Ta is only available in HTTP mode * DOC: spoe: Clarify use of the event directive in spoe-message section * BUG/MINOR: cli/server: Don't crash when a server is added with a custom id * MINOR: http-rules: Add capture action to http-after-response ruleset * IMPORT: slz: use the correct CRC32 instruction when running in 32-bit mode * BUILD: tree-wide: avoid warnings caused by redundant checks of obj_types * MINOR: cli: "show version" displays the current process version * BUG/MEDIUM: sample: Fix memory leak in sample_conv_jwt_member_query * BUILD: bug: Fix error when compiling with -DDEBUG_STRICT_NOCRASH * MINOR: mux-h1: Improve H1 traces by adding info about http parsers * BUG/MINOR: mworker: deinit of thread poller was called when not initialized * BUG/MEDIUM: mworker: FD leak of the eventpoll in wait mode * BUG/MEDIUM: h1: Properly reset h1m flags when headers parsing is restarted * BUG/MAJOR: segfault using multiple log forward sections. * BUG/MEDIUM: resolvers: Detach query item on response error * BUG/MINOR: server: Don't rely on last default-server to init server SSL context * BUG/MINOR: vars: Fix the set-var and unset-var converters * BUILD: evports: remove a leftover from the dead_fd cleanup * BUG/MEDIUM: cli: Properly set stream analyzers to process one command at a time * BUG/MINOR: lua: remove loop initial declarations * BUG/MINOR: lua: don't expose internal proxies * BUG/MINOR: httpclient: allow to replace the host header * BUG/MINOR: cache: Fix loop on cache entries in "show cache"- Update to version 2.5.0+git0.f2e0833f1: https://www.mail-archive.com/haproxy@formilux.org/msg41508.html - refreshed patches to apply cleanly again haproxy-1.6.0-sec-options.patch haproxy-1.6.0_config_haproxy_user.patch lua54.patch- Update to version 2.4.8+git0.d1f8d41e0: * [RELEASE] Released version 2.4.8 * SCRIPTS: git-show-backports: re-enable file-based filtering * DOC/peers: some grammar fixes for peers 2.1 spec * MINOR: stream: Improve dump of bogus streams * BUILD/MINOR: cpuset freebsd build fix * DOC: config: Fix alphabetical order of fc_* samples * BUG/MINOR: sample: fix backend direction flags consecutive to last fix * BUG/MEDIUM: sample: Cumulate frontend and backend sample validity flags * BUG/MEDIUM: stream-int: Block reads if channel cannot receive more data * BUG/MINOR: http: Authorization value can have multiple spaces after the scheme * BUG/MEDIUM: http-ana: Drain request data waiting the tarpit timeout expiration * MINOR: halog: Add support for extracting captures using -hdr * BUG/MINOR: halog: Add missing newlines in die() messages * CLEANUP: halog: Use consistent indentation in help() * MINOR: halog: Rename -qry to -query * DOC: halog: Move the `-qry` parameter into the correct section in help text * MINOR: halog: Add -qry parameter allowing to preserve the query string in -uX * BUG/MEDIUM: resolvers: Track api calls with a counter to free resolutions * BUG/MEDIUM: resolvers: Don't recursively perform requester unlink * MEDIUM: resolvers: remove the last occurrences of the "safe" argument * MEDIUM: resolvers: use a kill list to preserve the list consistency * CLEANUP: resolvers: replace all LIST_DELETE with LIST_DEL_INIT * CLEANUP: resolvers: simplify resolv_link_resolution() regarding requesters * CLEANUP: always initialize the answer_list * CLEANUP: resolvers: do not export resolv_purge_resolution_answer_records() * BUG/MEDIUM: mux-h1: Perform a connection shutdown when the h1c is released * BUG/MINOR: mux-h1: Save shutdown mode if the shutdown is delayed * BUILD: atomic: fix build on mac/arm64 * BUG/MINOR: backend: fix improper insert in avail tree for always reuse * BUILD: fix compilation on NetBSD * MINOR: memprof: add one pointer size to the size of allocations * MINOR: memprof: report the delta between alloc and free on realloc() * BUG/MEDIUM: lua: fix memory leaks with realloc() on non-glibc systems * BUG/MINOR: mux-h2: do not prevent from sending a final GOAWAY frame * BUG/MINOR: task: do not set TASK_F_USR1 for no reason * BUG/MAJOR: buf: fix varint API post- vs pre- increment * BUG/MEDIUM: resolvers: always check a valid item in query_list * BUILD: resolvers: avoid a possible warning on null-deref * BUG/MAJOR: resolvers: add other missing references during resolution removal * MINOR: resolvers: merge address and target into a union "data" * BUG/MEDIUM: resolvers: use correct storage for the target address * BUG/MEDIUM: resolvers: fix truncated TLD consecutive to the API fix * MINOR: resolvers: fix the resolv_dn_label_to_str() API about trailing zero * BUG/MINOR: resolvers: do not reject host names of length 255 in SRV records * BUG/MEDIUM: resolver: make sure to always use the correct hostname length * MINOR: resolvers: fix the resolv_str_to_dn_label() API about trailing zero * BUG/MAJOR: dns: attempt to lock globaly for msg waiter list instead of use barrier * BUG/MAJOR: dns: tcp session can remain attached to a list after a free * BUG/MEDIUM: tcpcheck: Properly catch early HTTP parsing errors * Revert "CLEANUP: server: always include the storage for SSL settings" * BUG/MEDIUM: stream: Keep FLT_END analyzers if a stream detects a channel error * BUG/MEDIUM: cpuset: fix cpuset size for FreeBSD * BUG/MINOR: sample: Fix 'fix_tag_value' sample when waiting for more data * BUG/MINOR: http-ana: Don't eval front after-response rules if stopped on back * MINOR: initcall: Rename __GLOBL and __GLOBL1. * DOC: configuration: add clarification on escaping in keyword arguments * BUG/MEDIUM: mux_h2: Handle others remaining read0 cases on partial frames * BUG/MEDIUM: sample: properly verify that variables cast to sample * MINOR: sample: provide a generic var-to-sample conversion function * CLEANUP: sample: uninline sample_conv_var2smp_str() * CLEANUP: sample: rename sample_conv_var2smp() to *_sint * CLEANUP: server: always include the storage for SSL settings- Update to version 2.4.7+git0.b5e51a5e2: * [RELEASE] Released version 2.4.7 * BUG/MEDIUM: http-ana: Clear request analyzers when applying redirect rule- Update to version 2.4.6+git0.d83fd76a1: * [RELEASE] Released version 2.4.6 * BUG/MEDIUM: filters: Fix a typo when a filter is attached blocking the release- Update to version 2.4.5+git0.e74a1b34b: * [RELEASE] Released version 2.4.5 * MINOR: tasks: catch TICK_ETERNITY with BUG_ON() in __task_queue() * BUG/MINOR: tcp-rules: Stop content rules eval on read error and end-of-input * BUG/MINOR: tcpcheck: Don't use arg list for default proxies during parsing * MINOR: arg: Be able to forbid unresolved args when building an argument list * BUG/MAJOR: lua: use task_wakeup() to properly run a task once * BUG/MEDIUM: lua: fix wakeup condition from sleep() * MINOR: Makefile: add MEMORY_POOLS to the list of DEBUG_xxx options * DOC: peers: fix doc "enable" statement on "peers" sections * BUG/MINOR: mux-h1/mux-fcgi: Sanitize TE header to only send "trailers" * MINOR: stream-int: Notify mux when the buffer is not stuck when calling rcv_buf * BUG/MEDIUM: stream-int: Defrag HTX message in si_cs_recv() if necessary * MINOR: htx: Add a function to know if the free space wraps * MINOR: htx: Add an HTX flag to know when a message is fragmented * MINOR: stream-int: Set CO_RFL transient/persistent flags apart in si_cs_rcv() * BUG/MEDIUM: stream: Stop waiting for more data if SI is blocked on RXBLK_ROOM * BUG/MEDIUM: stream-int: Notify stream that the mux wants more room to xfer data * BUG/MEDIUM: mux-h1: Adjust conditions to ask more space in the channel buffer * BUG/MINOR: stats: use refcount to protect dynamic server on dump * MINOR: server: return the next srv instance on free_server * BUG/MINOR: server: do not use refcount in free_server in stopping mode * MINOR: global: define MODE_STOPPING * MINOR: server: implement a refcount for dynamic servers * BUG/MINOR: http-ana: increment internal_errors counter on response error * BUG/MINOR: h1-htx: Fix a typo when request parser is reset * BUG/MEDIUM: leastconn: fix rare possibility of divide by zero * BUG/MINOR: server: allow 'enable health' only if check configured * BUILD: threads: fix -Wundef for _POSIX_PRIORITY_SCHEDULING on libmusl * BUILD: halog: fix a -Wundef warning on non-glibc systems * BUILD: compiler: fixed a missing test on defined(__GNUC__) * BUILD: fix dragonfly build again on __read_mostly * BUG/MINOR: vars: do not talk about global section in CLI errors for set-var * BUG/MINOR: vars: truncate the variable name in error reports about scope. * BUG/MINOR: vars: properly set the argument parsing context in the expression * MINOR: sample: add missing ARGC_ entries * BUG/MINOR: vars: improve accuracy of the rules used to check expression validity * BUILD: tools: properly guard __GLIBC__ with defined() * BUILD: ssl: fix two remaining occurrences of #if USE_OPENSSL * BUILD: ssl: next round of build warnings on LIBRESSL_VERSION_NUMBER * BUILD/MINOR: regex: avoid a build warning on USE_PCRE2 with -Wundef * IMPORT: slz: silence a build warning with -Wundef * BUILD/MINOR: ssl: avoid a build warning on LIBRESSL_VERSION with -Wundef * BUILD/MINOR: defaults: eliminate warning on MAXHOSTNAMELEN with -Wundef * BUILD: activity: use #ifdef not #if on USE_MEMORY_PROFILING * MINOR: proc: setting the process to produce a core dump on FreeBSD. * MINOR: tools: add FreeBSD support to get_exec_path() * BUILD: tools: get the absolute path of the current binary on NetBSD. * BUG/MINOR: flt-trace: fix an infinite loop when random-parsing is set * BUG/MINOR: cli/payload: do not search for args inside payload * BUILD: ist: prevent gcc11 maybe-uninitialized warning on istalloc * BUG/MINOR: connection: prevent null deref on mux cleanup task allocation * DOC: management: certificate files must be sanitized before injection * BUG/MINOR: tcpcheck: Improve LDAP response parsing to fix LDAP check * BUG/MAJOR: mux-h1: Don't eval input data if an error was reported * MINOR: pools: use mallinfo2() when available instead of mallinfo() * MINOR: pools: automatically disable malloc_trim() with external allocators * CLEANUP: pools: factor all malloc_trim() calls into trim_all_pools() * BUG/MINOR: compat: make sure __WORDSIZE is always defined * BUG/MEDIUM: stream-int: Don't block SI on a channel policy if EOI is reached * CLEANUP: mux-h1: Remove condition rejecting upgrade requests with payload * MINOR: htx: Skip headers with no value when adding a header list to a message * BUG/MEDIUM: mux-h1: Remove "Upgrade:" header for requests with payload * BUG/MINOR: systemd: ExecStartPre must use -Ws * BUG/MINOR: filters: Set right FLT_END analyser depending on channel * BUG/MINOR: filters: Always set FLT_END analyser when CF_FLT_ANALYZE flag is set * BUG/MEDIUM: http-ana: Reset channels analysers when returning an error * BUG/MINOR: stream: Don't release a stream if FLT_END is still registered * BUG/MINOR: lua: Don't yield in channel.append() and channel.set() * BUG/MINOR: lua: Yield in channel functions only if lua context can yield * MINOR: lua: Add a flag on lua context to know the yield capability at run time- Update to version 2.4.4+git0.acb1d0bea: CVE-2021-40346 (boo#1189877) * [RELEASE] Released version 2.4.4 * Revert "BUG/MINOR: stream-int: Don't block reads in si_update_rx() if chn may receive" * BUG/MAJOR: htx: fix missing header name length check in htx_add_header/trailer * CLEANUP: htx: remove comments about "must be < 256 MB" * BUG/MINOR: config: reject configs using HTTP with bufsize >= 256 MB * DOC: configuration: remove wrong tcp-request examples in tcp-response * BUG/MINOR: vars: fix set-var/unset-var exclusivity in the keyword parser * CLEANUP: Add missing include guard to signal.h * BUG/MINOR: tools: Fix loop condition in dump_text() * BUG/MINOR threads: Use get_(local|gm)time instead of (local|gm)time * BUG/MINOR: ebtree: remove dependency on incorrect macro for bits per long * MINOR: time: add report_idle() to report process-wide idle time * BUG/MINOR: time: fix idle time computation for long sleeps * BUG/MINOR: lua: use strlcpy2() not strncpy() to copy sample keywords * MINOR: compiler: implement an ONLY_ONCE() macro * BUG/MINOR: base64: base64urldec() ignores padding in output size check * BUG/MEDIUM: base64: check output boundaries within base64{dec,urldec} * BUG/MINOR: stick-table: fix the sc-set-gpt* parser when using expressions * MINOR: hlua: take the global Lua lock inside a global function * REGTESTS: abortonclose: after retries, 503 is expected, not close * REGTESTS: http_upgrade: fix incorrect expectation on TCP->H1->H2 * BUG/MEDIUM: h2: match absolute-path not path-absolute for :path- Update to version 2.4.3+git0.4dd5a5a6c: CVE-2021-39240 CVE-2021-39241 CVE-2021-39242 (boo#1189366 boo#1189548 boo#1189549) * [RELEASE] Released version 2.4.3 * REGTESTS: add a test to prevent h2 desync attacks * BUG/MEDIUM: h2: give :authority precedence over Host * BUG/MAJOR: h2: enforce stricter syntax checks on the :method pseudo-header * BUG/MAJOR: h2: verify that :path starts with a '/' before concatenating it * BUG/MAJOR: h2: verify early that non-http/https schemes match the valid syntax * MINOR: http: add a new function http_validate_scheme() to validate a scheme * DOC/MINOR: fix typo in management document * CLEANUP: assorted typo fixes in the code and comments * BUG/MEDIUM: cfgcheck: verify existing log-forward listeners during config check * BUG/MEDIUM: spoe: Fix policy to close applets when SPOE connections are queued * DOC: config: Fix 'http-response send-spoe-group' documentation * DOC: Improve the lua documentation * BUG/MINOR: tcpcheck: Properly detect pending HTTP data in output buffer * BUG/MINOR: buffer: fix buffer_dump() formatting * BUG/MEDIUM: spoe: Create a SPOE applet if necessary when the last one is released * MINOR: spoe: Add a pointer on the filter config in the spoe_agent structure * ADMIN: dyncookie: implement a simple dynamic cookie calculator * MINOR: server: unmark deprecated on enable health/agent cli * BUG/MINOR: server: update last_change on maint->ready transitions too * BUG/MINOR: server: remove srv from px list on CLI 'add server' error * BUILD: opentracing: fixed build when using pkg-config utility * DOC: internals: document the FD takeover process * BUG/MINOR: fd: protect fd state harder against a concurrent takeover * BUG/MINOR: pollers: always program an update for migrated FDs * BUG/MINOR: poll: fix abnormally high skip_fd counter * BUG/MINOR: select: fix excess number of dead/skip reported * BUG/MEDIUM: pollers: clear the sleeping bit after waking up, not before * BUG/MEDIUM: connection: close a rare race between idle conn close and takeover * BUG/MINOR: connection: Add missing error labels to conn_err_code_str * BUG/MEDIUM: mux-h2: Handle remaining read0 cases on partial frames * BUG/MINOR: mux-h1: Be sure to swap H1C to splice mode when rcv_pipe() is called * BUG/MINOR: mux-h2: Obey dontlognull option during the preface * BUG/MINOR: mux-h1: Obey dontlognull option for empty requests * BUG/MINOR: systemd: must check the configuration using -Ws * BUG/MINOR: resolvers: Use a null-terminated string to lookup in servers tree * BUG/MINOR: check: fix the condition to validate a port-less server * BUG/MINOR: stats: Add missing agent stats on servers * BUG/MEDIUM: ssl_sample: fix segfault for srv samples on invalid request * BUILD/MINOR: memprof fix macOs build. * BUG/MINOR: mworker: do not export HAPROXY_MWORKER_REEXEC across programs * BUG/MEDIUM: mworker: do not register an exit handler if exit is expected * BUILD: lua: silence a build warning with TCC * BUILD: add detection of missing important CFLAGS * BUG/MINOR: ssl: Default-server configuration ignored by server * MINOR: mux_h2: define config to disable h2 websocket support * BUILD: http_htx: fix ci compilation error with isdigit for Windows- Update to version 2.4.2+git0.553dee326: * [RELEASE] Released version 2.4.2 * REGTESTS: add http scheme-based normalization test * MEDIUM: h2: apply scheme-based normalization on h2 requests * MEDIUM: h1-htx: apply scheme-based normalization on h1 requests * MEDIUM: http: implement scheme-based normalization * MINOR: http: implement http_get_scheme * Revert "MINOR: tcp-act: Add set-src/set-src-port for "tcp-request content" rules" * BUG/MINOR: cli: fix server name output in "show fd" * BUG/MEDIUM: sock: make sure to never miss early connection failures * DOC: stick-table: add missing documentation about gpt0 stored type * BUG/MINOR: peers: fix data_type bit computation more than 32 data_types * BUG/MINOR: stick-table: fix several printf sign errors dumping tables * DOC: config: use CREATE USER for mysql-check * BUG/MEDIUM: resolvers: Make 1st server of a template take part to SRV resolution * BUG/MINOR: mqtt: Support empty client ID in CONNECT message * BUG/MINOR: mqtt: Fix parser for string with more than 127 characters * BUG/MINOR: tcpcheck: Fix numbering of implicit HTTP send/expect rules * BUILD: Makefile: fix linkage for Haiku. * BUG/MINOR: checks: return correct error code for srv_parse_agent_check * MINOR: resolvers: Reset server IP on error in resolv_get_ip_from_response() * BUG/MINOR: resolvers: Reset server IP when no ip is found in the response * BUG/MINOR: resolvers: Always attach server on matching record on resolution * CLEANUP: dns: Remove a forgotten debug message * DOC: config: Add missing actions in "tcp-request session" documentation * MINOR: tcp-act: Add set-src/set-src-port for "tcp-request content" rules * REGTESTS: fix maxconn update with agent-check * BUG/MAJOR: server: fix deadlock when changing maxconn via agent-check * BUG/MINOR: cache: Correctly handle existing-but-empty 'accept-encoding' header * BUG/MINOR: server/cli: Fix locking in function processing "set server" command * BUG/MINOR: resolvers: Use resolver's lock in resolv_srvrq_expire_task() * BUG/MEDIUM: resolvers: Add a task on servers to check SRV resolution status * MINOR: resolvers: Remove server from named_servers tree when removing a SRV item * MINOR: resolvers: Clean server in a dedicated function when removing a SRV item * BUG/MEDIUM: server/cli: Fix ABBA deadlock when fqdn is set from the CLI * BUG/MINOR: server: Forbid to set fqdn on the CLI if SRV resolution is enabled * BUG/MINOR: server-state: load SRV resolution only if params match the config- Update to version 2.4.1+git0.1ce7d4925: * [RELEASE] Released version 2.4.1 * BUG/MINOR: mux-h2/traces: bring back the lost "sent H2 REQ/RES" traces * BUG/MINOR: mux-h2/traces: bring back the lost "rcvd H2 REQ" trace * MINOR: mux-h2: obey http-ignore-probes during the preface * BUG/MINOR: stats: make "show stat typed desc" work again * CLEANUP: mux-h2/traces: better align user messages * MINOR: mux-h2/trace: report a few connection-level info during h2_init() * MINOR: connection: add helper conn_append_debug_info() * BUG/MINOR: server: explicitly set "none" init-addr for dynamic servers * BUG/MINOR: mux-h1: do not skip the error response on bad requests * MINOR: backend: only skip LB when there are actual connections * BUG/MAJOR: queue: set SF_ASSIGNED when setting strm->target on dequeue * CLEANUP: global: remove unused definition of stopping_task[] * BUG/MINOR: mworker: fix typo in chroot error message * BUG/MINOR: ssl: use atomic ops to update global shctx stats * BUG/MEDIUM: shctx: use at least thread-based locking on USE_PRIVATE_CACHE * BUG/MEDIUM: server: do not auto insert a dynamic server in px addr_node * BUG/MINOR: server: do not keep an invalid dynamic server in px ids tree * BUG/MEDIUM: server: do not forget to generate the dynamic servers ids * BUG/MEDIUM: server: clear dynamic srv on delete from proxy id/name trees * BUG/MEDIUM: server: extend thread-isolate over much of CLI 'add server' * BUG/MINOR: stick-table: insert srv in used_name tree even with fixed id * DOC: lua: Add a warning about buffers modification in HTTP * BUG/MAJOR: resolvers: segfault using server template without SRV RECORDs * MEDIUM: resolvers: add a ref between servers and srv request or used SRV record * MEDIUM: resolvers: add a ref on server to the used A/AAAA answer item * BUG/MINOR: resolvers: answser item list was randomly purged or errors * CLEANUP: l7-retries: do not test the buffer before calling b_alloc() * BUG/MINOR: mux-fcgi: Expose SERVER_SOFTWARE parameter by default * BUG/MAJOR: htx: Fix htx_defrag() when an HTX block is expanded * CLEANUP: pools: remove now unused seq and pool_free_list * BUG/MAJOR: pools: fix possible race with free() in the lockless variant * MEDIUM: pools: use a single pool_gc() function for locked and lockless * MINOR: pools: call malloc_trim() under thread isolation * MINOR: pools: do not maintain the lock during pool_flush() * BUG/MINOR: pools: make DEBUG_UAF always write to the to-be-freed location * BUG/MINOR: pools: fix a possible memory leak in the lockless pool_flush() * BUG/MEDIUM: compression: Add a flag to know the filter is still processing data * BUG/MEDIUM: compression: Properly get the next block to iterate on payload * BUG/MEDIUM: compression: Fix loop skipping unused blocks to get the next block * BUG/MEDIUM: opentracing: initialization before establishing daemon and/or chroot mode * Revert "BUG/MINOR: opentracing: initialization after establishing daemon mode" * BUG/MINOR: ssl: OCSP stapling does not work if expire too far in the future * BUILD: make tune.ssl.keylog available again * DOC: use the req.ssl_sni in examples * MINOR: errors: allow empty va_args for diag variadic macro * BUG/MAJOR: stream-int: Release SI endpoint on server side ASAP on retry * DOC/MINOR: move uuid in the configuration to the right alphabetical order * BUG/MINOR: vars: Be sure to have a session to get checks variables * CLEANUP: http-ana: Remove useless if statement about L7 retries * BUG/MINOR: proxy: Missing calloc return value check in chash_init_server_tree * BUG/MINOR: http: Missing calloc return value check in make_arg_list * BUG/MINOR: http: Missing calloc return value check while parsing redirect rule * BUG/MINOR: worker: Missing calloc return value check in mworker_env_to_proc_list * BUG/MINOR: compression: Missing calloc return value check in comp_append_type/algo * BUG/MINOR: http: Missing calloc return value check while parsing tcp-request rule * BUG/MINOR: http: Missing calloc return value check while parsing tcp-request/tcp-response * BUG/MINOR: proxy: Missing calloc return value check in proxy_defproxy_cpy * BUG/MINOR: proxy: Missing calloc return value check in proxy_parse_declare * BUG/MINOR: http: Missing calloc return value check in parse_http_req_capture * BUG/MINOR: ssl: Missing calloc return value check in ssl_init_single_engine * BUG/MINOR: peers: Missing calloc return value check in peers_register_table * BUG/MINOR: server: Missing calloc return value check in srv_parse_source * DOC: intro: Fix typo in starter guide * MINOR: cfgparse: Fail when encountering extra arguments in macro * MINOR: http-ana: Perform L7 retries because of status codes in response analyser * BUG/MINOR: http-ana: Handle L7 retries on refused early data before K/A aborts * BUG/MINOR: http-ana: Send the right error if max retries is reached on L7 retry * Revert "MEDIUM: http-ana: Deal with L7 retries in HTTP analysers" * BUG/MINOR: http-comp: Preserve HTTP_MSGF_COMPRESSIONG flag on the response * BUG/MEDIUM: filters: Exec pre/post analysers only one time per filter * BUILD/MINOR: opentracing: fixed build when using clang * BUG/MAJOR: server: prevent deadlock when using 'set maxconn server' * BUG/MEDIUM: ebtree: Invalid read when looking for dup entry- Update to version 2.4.0+git0.6cbbecf09: https://www.haproxy.com/blog/announcing-haproxy-2-4/ for all the details see /usr/share/doc/packages/haproxy/CHANGELOG - refreshed patches to apply cleanly again haproxy-1.6.0-makefile_lib.patch haproxy-1.6.0-sec-options.patch lua54.patch- Update to version 2.3.10+git0.4764f0e4e: * [RELEASE] Released version 2.3.10 * BUG/MEDIUM: peers: re-work refcnt on table to protect against flush * BUG/MEDIUM: peers: re-work connection to new process during reload. * BUG/MINOR: peers: remove useless table check if initial resync is finished * BUG/MEDIUM: mux-h2: Properly handle shutdowns when received with data * BUG/MINOR: mworker: don't use oldpids[] anymore for reload * BUG/MINOR: mworker/init: don't reset nb_oldpids in non-mworker cases * BUG/MEDIUM: config: fix cpu-map notation with both process and threads * BUG/MEDIUM: mux-h2: Fix dfl calculation when merging CONTINUATION frames * BUG/MAJOR: mux-h2: Properly detect too large frames when decoding headers * BUG/MINOR: server: free srv.lb_nodes in free_server * BUG/MINOR: mux-h1: Release idle server H1 connection if data are received * BUG/MINOR: logs: Report the true number of retries if there was no connection * BUG/MINOR: http_htx: Remove BUG_ON() from http_get_stline() function * BUG/MINOR: http-fetch: Make method smp safe if headers were already forwarded * BUG/MINOR: ssl-samples: Fix ssl_bc_* samples when called from a health-check * MINOR: connection: Make bc_http_major compatible with tcp-checks * BUG/MINOR: connection: Fix fc_http_major and bc_http_major for TCP connections * MINOR: logs: Add support of checks as session origin to format lf strings * BUG/MINOR: checks: Set missing id to the dummy checks frontend * BUG/MEDIUM: threads: Ignore current thread to end its harmless period * DOC: ssl: Certificate hot update only works on fronted certificates * BUG/MEDIUM: sample: Fix adjusting size in field converter * MINOR: No longer rely on deprecated sample fetches for predefined ACLs * DOC: clarify that compression works for HTTP/2 * BUG/MINOR: tools: fix parsing "us" unit for timers * CONTRIB: halog: fix issue with array of type char * REGTESTS: ssl: mark set_ssl_cert_bundle.vtc as broken * DOC: Explicitly state only IPv4 are supported by forwardfor/originalto options * REGTESTS: ssl: "set ssl cert" and multi-certificates bundle * BUG/MINOR: ssl: Add missing free on SSL_CTX in ckch_inst_free * BUG/MINOR: http_fetch: make hdr_ip() resistant to empty fields * BUG/MINOR: ssl: Prevent removal of crt-list line if the instance is a default one * BUG/MINOR: ssl: Fix update of default certificate * BUILD: tcp: use IPPROTO_IPV6 instead of SOL_IPV6 on FreeBSD/MacOS * BUG/MINOR: tcp: fix silent-drop workaround for IPv6- Update to version 2.3.9+git1.afb63bc04: * BUILD: backend: fix build breakage in idle conn locking fix * [RELEASE] Released version 2.3.9 * BUG/MEDIUM: time: make sure to always initialize the global tick * BUG/MINOR: stats: Apply proper styles in HTML status page. * BUG/MINOR: payload: Wait for more data if buffer is empty in payload/payload_lv * MEDIUM: backend: use a trylock to grab a connection on high FD counts as well * BUG/MEDIUM: mux-h1: make h1_shutw_conn() idempotent- Update to version 2.3.8+git0.e572195c7: * [RELEASE] Released version 2.3.8 * BUG/MINOR: http_fetch: make hdr_ip() reject trailing characters * MINOR: tools: make url2ipv4 return the exact number of bytes parsed * BUG/MEDIUM: thread: Fix a deadlock if an isolated thread is marked as harmless * BUG/MEDIUM: fd: Take the fd_mig_lock when closing if no DWCAS is available. * CLEANUP: fd: remove unused fd_set_running_excl() * BUG/MEDIUM: fd: do not wait on FD removal in fd_delete() * MINOR: fd: remove the unneeded running bit from fd_insert() * MINOR: fd: make fd_clr_running() return the remaining running mask * BUG/MEDIUM: lua: Always init the lua stack before referencing the context * BUG/MEDIUM: debug/lua: Use internal hlua function to dump the lua traceback * MINOR: lua: Slightly improve function dumping the lua traceback * BUILD: ssl: guard ecdh functions with SSL_CTX_set_tmp_ecdh macro * BUG/MINOR: ssl: Prevent disk access when using "add ssl crt-list" * BUG/MEDIUM: debug/lua: Don't dump the lua stack if not dumpable * MEDIUM: lua: Use a per-thread counter to track some non-reentrant parts of lua * MINOR/BUG: mworker/cli: do not use the unix_bind prefix for the master CLI socket * BUG/MINOR: protocol: add missing support of dgram unix socket. * BUG/MEDIUM: freq_ctr/threads: use the global_now_ms variable * MINOR: time: also provide a global, monotonic global_now_ms timer * BUG/MEDIUM: mux-fcgi: Fix locking of idle_conns lock in the FCGI I/O callback * BUG/MINOR: freq_ctr/threads: make use of the last updated global time * MINOR: time: export the global_now variable- Update to version 2.3.7+git0.2d39ce334: * [RELEASE] Released version 2.3.7 * BUG/MINOR: resolvers: Add missing case-insensitive comparisons of DNS hostnames * MINOR: resolvers: Don't try to match immediatly renewed ADD items * MINOR: resolvers: Use milliseconds for cached items in resolver responses * BUG/MEDIUM: resolvers: Skip DNS resolution at startup if SRV resolution is set * BUG/MEDIUM: resolvers: Don't release resolution from a requester callbacks * MINOR: resolvers: Directly call srvrq_update_srv_state() when possible * MINOR: resolvers: Add function to change the srv status based on SRV resolution * MINOR: resolvers: Purge answer items when a SRV resolution triggers an error * MINOR: resolvers: Use a function to remove answers attached to a resolution * BUG/MEDIUM: resolvers: Trigger a DNS resolution if an ADD item is obsolete * BUG/MINOR; resolvers: Ignore DNS resolution for expired SRV item * MINOR: resolvers: new function find_srvrq_answer_record() * BUG/MEDIUM: resolvers: Fix the loop looking for an existing ADD item * BUG/MEDIUM: resolvers: Don't set an address-less server as UP * BUG/MINOR: resolvers: Unlink DNS resolution to set RMAINT on SRV resolution * BUG/MINOR: resolvers: Reset server address on DNS error only on status change * BUG/MINOR: resolvers: Consider server to have no IP on DNS resolution error * Revert "BUG/MINOR: resolvers: Only renew TTL for SRV records with an additional record" * CLEANUP: tcp-rules: add missing actions in the tcp-request error message * BUG/MINOR: tcpcheck: Fix double free on error path when parsing tcp/http-check * BUG/MINOR: session: Add some forgotten tests on session's listener * BUG/MINOR: proxy/session: Be sure to have a listener to increment its counters * BUG/MINOR: tcpcheck: Update .health threshold of agent inside an agent-check * BUG/MEDIUM: filters: Set CF_FL_ANALYZE on channels when filters are attached * BUILD: atomic/arm64: force the register pairs to use in __ha_cas_dw() * BUG/MEDIUM: stick-tables: fix ref counter in table entry using multiple http tracksc. * OPTIM: task: automatically adjust the default runqueue-depth to the threads * MINOR: task: give the scheduler a bit more flexibility in the runqueue size * MEDIUM: task: remove the tasks_run_queue counter and have one per thread * MEDIUM: ssl: implement xprt_set_used and xprt_set_idle to relax context checks * MINOR: xprt: add new xprt_set_idle and xprt_set_used methods * MEDIUM: muxes: mark idle conns tasklets with TASK_F_USR1 * MINOR: task: add an application specific flag to the state: TASK_F_USR1 * BUG/MEDIUM: ssl: properly remove the TASK_HEAVY flag at end of handshake * MINOR: ssl: mark the SSL handshake tasklet as heavy * MINOR: task: limit the number of subsequent heavy tasks with flag TASK_HEAVY * MEDIUM: backend: use a trylock when trying to grab an idle connection * MINOR: pools: double the local pool cache size to 1 MB * MEDIUM: pools: add CONFIG_HAP_NO_GLOBAL_POOLS and CONFIG_HAP_GLOBAL_POOLS * MEDIUM: streams: do not use the streams lock anymore * MINOR: streams: use one list per stream instead of a global one * MINOR: cli/streams: make "show sess" dump all streams till the new epoch * MINOR: stream: add an "epoch" to figure which streams appeared when * MINOR: dynbuf: pass offer_buffers() the number of buffers instead of a threshold * MINOR: dynbuf: use regular lists instead of mt_lists for buffer_wait * MINOR: dynbuf: make the buffer wait queue per thread * OPTIM: lb-leastconn: do not unlink the server if it did not change * OPTIM: lb-leastconn: do not take the server lock on take_conn/drop_conn * OPTIM: lb-first: do not take the server lock on take_conn/drop_conn * MINOR: lb/api: let callers of take_conn/drop_conn tell if they have the lock * MINOR: server: move actconns to the per-thread structure * OPTIM: server: switch the actconn list to an mt-list * MINOR: listener: refine the default MAX_ACCEPT from 64 to 4 * MINOR: tasks: refine the default run queue depth * BUG/MEDIUM: session: NULL dereference possible when accessing the listener * MINOR: atomic: implement a more efficient arm64 __ha_cas_dw() using pairs * MINOR: atomic: add armv8.1-a atomics variant for cas-dw * BUG/MINOR: mt-list: always perform a cpu_relax call on failure * REORG: atomic: reimplement pl_cpu_relax() from atomic-ops.h * BUG/MINOR: ssl: don't truncate the file descriptor to 16 bits in debug mode * BUG/MINOR: hlua: Don't strip last non-LWS char in hlua_pushstrippedstring() * BUG/MINOR: backend: fix condition for reuse on mode HTTP- Update to version 2.3.6+git0.7851701ed: * [RELEASE] Released version 2.3.6 * BUG/MINOR: http-ana: Don't increment HTTP error counter on read error/timeout * BUG/MINOR: mux-h2: Fix typo in scheme adjustment * DOC: spoe: Add a note about fragmentation support in HAProxy * BUG/MEDIUM: spoe: Kill applets if there are pending connections and nbthread > 1 * BUG/MINOR: connection: Use the client's dst family for adressless servers * BUG/MINOR: tcp-act: Don't forget to set the original port for IPv4 set-dst rule * BUG/MINOR: http-ana: Only consider dst address to process originalto option * BUG/MINOR: mux-h1: Immediately report H1C errors from h1_snd_buf() * BUG/MINOR: stats: fix compare of no-maint url suffix * CLEANUP: muxes: Remove useless if condition in show_fd function * BUG/MINOR: ssl: potential null pointer dereference in ckchs_dup() * BUG/MEDIUM: resolvers: Reset address for unresolved servers * BUG/MEDIUM: resolvers: Reset server address and port for obselete SRV records * BUG/MINOR: resolvers: new callback to properly handle SRV record errors * BUG/MINOR: resolvers: Only renew TTL for SRV records with an additional record * BUG/MINOR: resolvers: Fix condition to release received ARs if not assigned * BUG/MINOR: fd: properly wait for !running_mask in fd_set_running_excl() * BUG/MINOR: proxy: wake up all threads when sending the hard-stop signal * BUG/MEDIUM: cli/shutdown sessions: make it thread-safe * BUG/MEDIUM: proxy: use thread-safe stream killing on hard-stop * BUG/MEDIUM: vars: make functions vars_get_by_{name,desc} thread-safe * BUG/MINOR: sample: secure convs that accept base64 string and var name as args * MINOR: Configure the `cpp` userdiff driver for *.[ch] in .gitattributes * BUG/MINOR: ssl/cli: potential null pointer dereference in "set ssl cert" * BUG/MEDIUM: mux-h1: Fix handling of responses to CONNECT other than 200-ok * BUG/MINOR: server: Be sure to cut the last parsed field of a server-state line * BUG/MINOR: server: Init params before parsing a new server-state line * BUG/MINOR: http-rules: Always replace the response status on a return action * BUG/MEDIUM: spoe: Resolve the sink if a SPOE logs in a ring buffer * BUG/MEDIUM: lists: Avoid an infinite loop in MT_LIST_TRY_ADDQ(). * DOC: explain the relation between pool-low-conn and tune.idle-pool.shared * BUILD: ssl: introduce fine guard for OpenSSL specific SCTL functions * BUG/MINOR: sample: Always consider zero size string samples as unsafe * BUG/MEDIUM: checks: don't needlessly take the server lock in health_adjust() * BUG/MINOR: checks: properly handle wrapping time in __health_adjust() * BUG/MINOR: session: atomically increment the tracked sessions counter * BUG/MINOR: server: Remove RMAINT from admin state when loading server state * CLEANUP: channel: fix comment in ci_putblk. * DOC: tune: explain the origin of block size for ssl.cachesize * BUG/MINOR: server: Don't call fopen() with server-state filepath set to NULL * BUG/MINOR: cfgparse: do not mention "addr:port" as supported on proxy lines * BUG/MINOR: stats: revert the change on ST_CONVDONE * BUG/MEDIUM: config: don't pick unset values from last defaults section * CLEANUP: deinit: release global and per-proxy server-state variables on deinit * BUG/MINOR: server: Fix server-state-file-name directive * BUG/MINOR: backend: hold correctly lock when killing idle conn * BUG/MINOR: tools: Fix a memory leak on error path in parse_dotted_uints() * BUG/MINOR: server: re-align state file fields number * BUG/MEDIUM: mux-h1: Always set CS_FL_EOI for response in MSG_DONE state * BUG/MINOR: http-ana: Don't increment HTTP error counter on internal errors * BUG/MINOR: intops: fix mul32hi()'s off-by-one * BUILD: ssl: guard SSL_CTX_set_msg_callback with SSL_CTRL_SET_MSG_CALLBACK macro * BUILD: ssl: guard SSL_CTX_add_server_custom_ext with special macro * BUILD: ssl: fix typo in HAVE_SSL_CTX_ADD_SERVER_CUSTOM_EXT macro * MINOR: check: do not ignore a connection header for http-check send- Update to version 2.3.5+git0.5902ad99b: * [RELEASE] Released version 2.3.5 * MINOR: config: Deprecate and ignore tune.chksize global option * BUG/MINOR: sock: Unclosed fd in case of connection allocation failure * BUG/MEDIUM: mux-h2: do not quit the demux loop before setting END_REACHED * BUG/MEDIUM: mux-h2: handle remaining read0 cases * BUILD: Makefile: move REGTESTST_TYPE default setting * MINOR: cli/show_fd: report local and report ports when known * BUILD: ssl: fix build breakage with last commit * BUG/MINOR: ssl: do not try to use early data if not configured * BUG/MINOR: xxhash: make sure armv6 uses memcpy() * BUG/MINOR: mux_h2: fix incorrect stat titles * BUG/MEDIUM: ssl: check a connection's status before computing a handshake * BUG/MEDIUM: ssl/cli: abort ssl cert is freeing the old store * BUG/MINOR: stick-table: Always call smp_fetch_src() with a valid arg list * DOC: management: fix "show resolvers" alphabetical ordering * MINOR: h1: Raise the chunk size limit up to (2^52 - 1) * MINOR: mux-h1/show_fd: report as suspicious an entry with too many calls * MINOR: mux-h2/show_fd: report as suspicious an entry with too many calls * MINOR: ssl/show_fd: report some FDs as suspicious when possible * MINOR: cli/show_fd: report some easily detectable suspicious states * MINOR: cli: give the show_fd helpers the ability to report a suspicious entry * MINOR: mux-fcgi: make the "show fd" helper also decode the fstrm subscriber when known * MINOR: mux-h1: make the "show fd" helper also decode the h1s subscriber when known * MINOR: mux-h2: make the "show fd" helper also decode the h2s subscriber when known * MINOR: xprt/mux: export all *_io_cb functions so that "show fd" resolves them * MINOR: ssl: provide a "show fd" helper to report important SSL information * MINOR: xprt: add a new show_fd() helper to complete some "show fd" dumps. * MINOR: cli: make "show fd" also report the xprt and xprt_ctx * CLEANUP: cli: make "show fd" use a const connection to access other fields * CLEANUP: tools: make resolve_sym_name() take a const pointer * MINOR: contrib: Make the wireshark peers dissector compile for more distribs. * BUG/MINOR: backend: check available list allocation for reuse * BUG/MEDIUM: backend: never reuse a connection for tcp mode * REORG: backend: simplify conn_backend_get * BUG/MEDIUM: session: only retrieve ready idle conn from session * BUG/MINOR: ssl: init tmp chunk correctly in ssl_sock_load_sctl_from_file() * BUG/MINOR: config: fix leak on proxy.conn_src.bind_hdr_name * BUG/MEDIUM: filters/htx: Fix data forwarding when payload length is unknown * DOC: Improve documentation of the various hdr() fetches * BUILD/MINOR: lua: define _GNU_SOURCE for LLONG_MAX * BUG/MEDIUM: mux-h2: fix read0 handling on partial frames * BUG/MEDIUM: tcpcheck: Don't destroy connection in the wake callback context * BUG/MINOR: mworker: define _GNU_SOURCE for strsignal() * BUG/MINOR: mux_h2: missing space between "st" and ".flg" in the "show fd" helper * BUG/MINOR: peers: Wrong "new_conn" value for "show peers" CLI command. * MINOR: build: discard echoing in help target * BUG/MINOR: peers: Possible appctx pointer dereference. * BUG/MEDIUM: stats: add missing INF_BUILD_INFO definition * BUILD: peers: fix build warning about unused variable * BUG/MINOR: dns: SRV records ignores duplicated AR records (v2) * MINOR: peers: Add traces for peer control messages. * BUG/MINOR: threads: Fixes the number of possible cpus report for Mac. * MINOR: server: Forbid server definitions in frontend sections * MINOR: config: Add failifnotcap() to emit an alert on proxy capabilities * BUG/MINOR: init: Use a dynamic buffer to set HAPROXY_CFGFILES env variable- Add lua54.patch to fix building with lua 5.4- Update to version 2.3.4+git0.10189c965: * [RELEASE] Released version 2.3.4 * MINOR: contrib/prometheus-exporter: use fill_info for process dump * MINOR: contrib/prometheus-exporter: avoid connection close header * BUG/MINOR: init: enforce strict-limits when using master-worker * BUG/MINOR: check: Don't perform any check on servers defined in a frontend * BUG/MINOR: sample: Memory leak of sample_expr structure in case of error * Revert "BUG/MINOR: dns: SRV records ignores duplicated AR records" * MINOR: reg-tests: add base prometheus test * BUG/MINOR: reg-tests: fix service dependency script * BUG/MINOR: sample: check alloc_trash_chunk return value in concat() * MINOR: reg-tests: add a way to add service dependency- Update to version 2.3.3+git0.9233c2143: * [RELEASE] Released version 2.3.3 * BUG/MINOR: sample: fix concat() converter's corruption with non-string variables * DOC: Add maintainers for the Prometheus exporter * SCRIPTS: announce-release: fix typo in help message * DOC: fix some spelling issues over multiple files * MINOR: contrib/prometheus-exporter: export build_info * CLEANUP: cfgparse: replace "realloc" with "my_realloc2" to fix to memory leak on error * BUILD: Makefile: exclude broken tests by default * MINOR: converter: adding support for url_enc * BUG/MINOR: srv: do not cleanup idle conns if pool max is null * BUG/MINOR: srv: do not init address if backend is disabled * SCRIPTS: make announce release support preparing announces before tag exists * SCRIPTS: improve announce-release to support different tag and versions * BUG/MINOR: stats: Make stat_l variable used to dump a stat line thread local * DOC: Improve the message printed when running `make` w/o `TARGET` * BUG/MINOR: tcpcheck: Report a L7OK if the last evaluated rule is a send rule * BUG/MINOR: cfgparse: Fail if the strdup() for `rule->be.name` for `use_backend` fails * BUG/MINOR: sink: Return an allocation failure in __sink_new if strdup() fails * MINOR: atomic: don't use ; to separate instruction on aarch64. * BUILD: hpack: hpack-tbl-t.h uses VAR_ARRAY but does not include compiler.h * BUG/MEDIUM: mux_h2: Add missing braces in h2_snd_buf()around trace+wakeup * DOC: fix "smp_size" vs "sample_size" in "log" directive arguments * BUG/MINOR: dns: SRV records ignores duplicated AR records * BUILD: ssl: fine guard for SSL_CTX_get0_privatekey call * BUILD: plock: remove dead code that causes a warning in gcc 11 * CONTRIB: debug: address "poll" utility build on non-linux platforms * CONTRIB: halog: fix signed/unsigned build warnings on counts and timestamps * CONTRIB: halog: mark the has_zero* functions unused * CONTRIB: halog: fix build issue caused by %L printf format * BUG/MEDIUM: mux-h1: Handle h1_process() failures on a pipelined request * BUG/MEDIUM: http-ana: Never for sending data in TUNNEL mode * BUG/MINOR: mux-h1: Don't set CS_FL_EOI too early for protocol upgrade requests * BUILD: Makefile: have "make clean" destroy .o/.a/.s in contrib subdirs as well * BUILD: SSL: fine guard for SSL_CTX_add_server_custom_ext call * REGTESTS: make use of HAPROXY_ARGS and pass -dM by default * BUG/MEDIUM: ssl/crt-list: bad behavior with "commit ssl cert" * BUG/MEDIUM: lb-leastconn: Reposition a server using the right eweight * BUG/MINOR: tools: Reject size format not starting by a digit * BUG/MINOR: tools: make parse_time_err() more strict on the timer validity * MINOR: tcpcheck: Only wait for more payload data on HTTP expect rules * BUG/MINOR: tcpcheck: Don't rearm the check timeout on each read * BUG/MINOR: http-check: Use right condition to consider HTX message as full * DOC: email change of the DeviceAtlas maintainer * BUG/MEDIUM: spoa/python: Fixing references to None * BUG/MEDIUM: spoa/python: Fixing PyObject_Call positional arguments * BUG/MINOR: spoa/python: Cleanup ipaddress objects if initialization fails * BUG/MINOR: spoa/python: Cleanup references for failed Module Addobject operations * DOC: spoa/python: Fixing typos in comments * DOC: spoa/python: Rephrasing memory related error messages * DOC: spoa/python: Fixing typo in IP related error messages * BUG/MAJOR: spoa/python: Fixing return None * MEDIUM: ssl: fatal error with bundle + openssl < 1.1.1 * MINOR: listener: now use a generic add_listener() function * MINOR: listener: automatically set the port when creating listeners * MINOR: protocol: add a ->set_port() helper to address families * BUG/MINOR: mux-h1: Handle keep-alive timeout for idle frontend connections * BUG/MINOR: listener: use sockaddr_in6 for IPv6 * DOC/MINOR: Fix formatting in Management Guide * BUILD/MINOR: haproxy DragonFlyBSD affinity build update. * BUG/MAJOR: ring: tcp forward on ring can break the reader counter. * BUG/MINOR: lua: warn when registering action, conv, sf, cli or applet multiple times * MINOR: cli: add a function to look up a CLI service description * MINOR: actions: add a function returning a service pointer from its name * MINOR: actions: Export actions lookup functions * BUG/MINOR: lua: Some lua init operation are processed unsafe * BUG/MINOR: lua: Post init register function are not executed beyond the first one * BUG/MINOR: lua: lua-load doesn't check its parameters * BUG/MINOR: lua: missing "\n" in error message * BUG/MINOR: mux-h2/stats: not all GOAWAY frames are errors * BUG/MINOR: mux-h2/stats: make stream/connection proto errors more accurate * BUG/MEDIUM: local log format regression. * BUG/MEDIUM: task: close a possible data race condition on a tasklet's list link * MINOR: task: remove __tasklet_remove_from_tasklet_list() * BUG/MEDIUM: lists: Lock the element while we check if it is in a list. * MINOR: plock: use an ARMv8 instruction barrier for the pause instruction- Update to version 2.3.2+git0.d522db763: * [RELEASE] Released version 2.3.2 * BUG/MINOR: http-fetch: Fix smp_fetch_body() when called from a health-check * DOC: config: Move req.hdrs and req.hdrs_bin in L7 samples fetches section * BUG/MAJOR: tcpcheck: Allocate input and output buffers from the buffer pool * MINOR: tcpcheck: Don't handle anymore in-progress send rules in tcpcheck_main * BUG/MINOR: tcpcheck: Don't forget to reset tcp-check flags on new kind of check * DOC: Clarify %HP description in log-format * DOC: better document the config file format and escaping/quoting rules * BUG/MAJOR: peers: fix partial message decoding * BUG/MEDIUM: http_act: Restore init of log-format list * BUILD: Show the value of DEBUG= in haproxy -vv * BUILD: Make DEBUG part of .build_opts * MINOR: http_act: Add -m flag for del-header name matching method * REGTESTS: converter: add url_dec test * REGTESTS: Add sample_fetches/cook.vtc * DOC: cache: Add new caching limitation information * MEDIUM: cache: Change caching conditions * BUG/MAJOR: filters: Always keep all offsets up to date during data filtering * DOC: better describes how to configure a fallback crt * BUG/MINOR: http_htx: Fix searching headers by substring * BUG/MAJOR: connection: reset conn->owner when detaching from session list * CLEANUP: connection: do not use conn->owner when the session is known * DOC: clarify how to create a fallback crt * BUILD: makefile: enable crypt(3) for OpenBSD * BUG/MEDIUM: ssl/crt-list: fix error when no file found * BUG/MINOR: ssl/crt-list: load bundle in crt-list only if activated * BUG/MEDIUM: ssl: error when no certificate are found * BUG/MEDIUM: ssl/crt-list: bundle support broken in crt-list * BUG/MEDIUM: http-ana: Don't eval http-after-response ruleset on empty messages * BUG/MINOR: ssl: segv on startup when AKID but no keyid * DOC: add missing 3.10 in the summary * BUG/MINOR: http-ana: Don't wait for the body of CONNECT requests * BUG/MEDIUM: filters: Forward all filtered data at the end of http filtering * CLEANUP: cfgparse: remove duplicate registration for transparent build options * BUILD: http-htx: fix build warning regarding long type in printf- Update to version 2.3.1+git0.bdd7178b8: * [RELEASE] Released version 2.3.1 * REGTEST: make ssl_client_samples and ssl_server_samples require to 2.2 * MINOR: peers: Add traces to peer_treat_updatemsg(). * REGTEST: ssl: mark reg-tests/ssl/ssl_crt-list_filters.vtc as broken * REGTEST: ssl: test wildcard and multi-type + exclusions * MINOR: cfgparse: tighten the scope of newnameserver variable, free it on error. * MINOR: config/mux-h2: Return ERR_ flags from init_h2() instead of a status * MINOR: init: Fix the prototype for per-thread free callbacks * BUG/MINOR: tcpcheck: Don't warn on unused rules if check option is after * MINOR: spoe: Don't close connection in sync mode on processing timeout * BUG/MAJOR: spoe: Be sure to remove all references on a released spoe applet * BUG/MINOR: http-htx: Handle warnings when parsing http-error and http-errors * MINOR: check: report error on incompatible connect proto * MINOR: check: report error on incompatible proto * BUG/MEDIUM: check: reuse srv proto only if using same mode * BUG/MINOR: http-fetch: Fix calls w/o parentheses of the cookie sample fetches * BUG/MINOR: http-fetch: Extract cookie value even when no cookie name * BUG/MEDIUM: peers: fix decoding of multi-byte length in stick-table messages * BUG/MINOR: peers: Missing TX cache entries reset. * BUG/MINOR: peers: Do not ignore a protocol error for dictionary entries. * BUG/MINOR: stats: free dynamically stats fields/lines on shutdown * BUG/MINOR: lua: set buffer size during map lookups * BUG/MINOR: pattern: a sample marked as const could be written- Update to version 2.3.0+git4.689d98154: * BUG/MEDIUM: ssl/crt-list: correctly insert crt-list line if crt already loaded- Update to version 2.3.0+git3.7a50763d1: * DOC: config: Fix a typo on ssl_c_chain_der * MINOR: http-htx: Add understandable errors for the errorfiles parsing * BUG/MINOR: ssl: don't report 1024 bits DH param load error when it's higher- apparmor: do not limit to tcp sockets. haproxy can do udp as well.- Update to version 2.3.0+git0.1c0a722a8: https://www.haproxy.com/blog/announcing-haproxy-2-3/ for all the details see /usr/share/doc/packages/haproxy/CHANGELOG- Update to version 2.2.5+git0.34b2b1066: * [RELEASE] Released version 2.2.5 * BUG/MEDIUM: server: make it possible to kill last idle connections * CLEANUP: mux-h2: Remove the h1 parser state from the h2 stream * BUG/MEDIUM: stick-table: limit the time spent purging old entries * BUG/MINOR: filters: Skip disabled proxies during startup only * BUG/MEDIUM: mux-pt: Release the tasklet during an HTTP upgrade * MINOR: server: Copy configuration file and line for server templates * BUG/MINOR: server: Set server without addr but with dns in RMAINT on startup * BUG/MINOR: checks: Report a socket error before any connection attempt * BUG/MINOR: proxy/server: Skip per-proxy/server post-check for disabled proxies * BUG/MEDIUM: filters: Don't try to init filters for disabled proxies * BUG/MINOR: cache: Inverted variables in http_calc_maxage function * BUG/MINOR: cache: Manage multiple values in cache-control header value * MINOR: ist: Add a case insensitive istmatch function * BUG/MINOR: lua: initialize sample before using it * BUG/MINOR: server: fix down_time report for stats * BUG/MINOR: server: fix srv downtime calcul on starting * BUG/MINOR: log: fix risk of null deref on error path * BUG/MINOR: log: fix memory leak on logsrv parse error * BUG/MINOR: extcheck: add missing checks on extchk_setenv() * BUG/MEDIUM: ssl: OCSP must work with BoringSSL * Revert "MINOR: ssl: 'ssl-load-extra-del-ext' removes the certificate extension" * BUG/MAJOR: mux-h2: Don't try to send data if we know it is no longer possible * BUG/MINOR: http-ana: Don't send payload for internal responses to HEAD requests * BUG/MEDIUM: server: support changing the slowstart value from state-file * BUG/MINOR: queue: properly report redistributed connections * MINOR: ssl: 'ssl-load-extra-del-ext' removes the certificate extension * BUILD: ssl: make BoringSSL use its own version numbers * BUG/MINOR: disable dynamic OCSP load with BoringSSL * BUG/MINOR: peers: Possible unexpected peer seesion reset after collisions. * DOC: fix typo in MAX_SESS_STKCTR * BUG/MEDIUM: lb: Always lock the server when calling server_{take,drop}_conn * BUG/MEDIUM: mux-h1: Get the session from the H1S when capturing bad messages * BUG/MEDIUM: spoe: Unset variable instead of set it if no data provided * BUG/MEDIUM: task: bound the number of tasks picked from the wait queue at once * BUG/MINOR: connection: fix loop iter on connection takeover * MINOR: fd: report an error message when failing initial allocations * BUG/MINOR: mux-h2: do not stop outgoing connections on stopping * BUG/MINOR: init: only keep rlim_fd_cur if max is unlimited * BUILD: connection: fix build on clang after the VAR_ARRAY cleanup * CLEANUP: tree-wide: use VAR_ARRAY instead of [0] in various definitions * BUG/MINOR: http-htx: Expect no body for 204/304 internal HTTP responses * BUG/MINOR: http: Fix content-length of the default 500 error * DOC: Fix typos in configuration.txt * BUG/MEDIUM: mux-h2: Don't handle pending read0 too early on streams * BUG/MEDIUM: mux-fcgi: Don't handle pending read0 too early on streams * DOC: Add missing stats fields in the management doc * DOC: fix a confusing typo on a regsub example * BUG/MINOR: mux-h1: Always set the session on frontend h1 stream * BUG/MINOR: mux-h1: Be sure to only set CO_RFL_READ_ONCE for the first read * BUG/MINOR: peers: Inconsistency when dumping peer status codes. * MINOR: hlua: Display debug messages on stderr only in debug mode * BUG/MINOR: stats: fix validity of the json schema * MINOR: counters: fix a typo in comment * MINOR: ssl: Add warning if a crt-list might be truncated * BUG/MEDIUM: queue: make pendconn_cond_unlink() really thread-safe * BUG/MINOR: tcpcheck: Set socks4 and send-proxy flags before the connect call * DOC: tcp-rules: Refresh details about L7 matching for tcp-request content rules * BUG/MINOR: Fix several leaks of 'log_tag' in init(). * MINOR: ssl: Add error if a crt-list might be truncated * BUILD: makefile: Fix building with closefrom() support enabled * BUILD: ssl_crtlist: work around another bogus gcc-9.3 warning- apparmor profile: - we need net_admin capability for non local bind and setting "source" for server entries.- apparmor profile fixes: - include abstractions that give access to the openssl config, ssl certs and ssl keys - include local configs only with "if exists" so they do not have to exist. - move local files to %ghost- use parallel build- Update to version 2.2.4+git0.de456726d: * [RELEASE] Released version 2.2.4 * REGTEST: make map_regm_with_backref require 1.7 * REGTEST: make abns_socket.vtc require 1.8 * REGTEST: make agent-check.vtc require 1.8 * REGTEST: fix host part in balance-uri-path-only.vtc * BUG/MINOR: ssl/crt-list: exit on warning out of crtlist_parse_line() * DOC: agent-check: fix typo in "fail" word expected reply * REGTESTS: use "command" instead of "which" for better POSIX compatibility * BUILD: trace: include tools.h * BUG/MEDIUM: listeners: do not pause foreign listeners * REGTESTS: add a few load balancing tests * MINOR: backend: add a new "path-only" option to "balance uri" * MINOR: backend: make the "whole" option of balance uri take only one bit * MINOR: h2/trace: also display the remaining frame length in traces * BUG/MINOR: Fix memory leaks cfg_parse_peers * BUG/MEDIUM: h2: report frame bits only for handled types * BUG/MINOR: config: Fix memory leak on config parse listen * BUG/MINOR: http-fetch: Don't set the sample type during the htx prefetch * BUG/MINOR: h2/trace: do not display "stream error" after a frame ACK * BUG/MINOR: ssl/crt-list: crt-list could end without a \n * BUG/MEDIUM: ssl: Don't call ssl_sock_io_cb() directly. * BUG/MINOR: server: report correct error message for invalid port on "socks4" * BUG/MINOR: ssl: verifyhost is case sensitive * BUG/MINOR: Fix type passed of sizeof() for calloc() * BUG/MEDIUM: pattern: Renew the pattern expression revision when it is pruned * BUILD: threads: better workaround for late loading of libgcc_s- Update to version 2.2.3+git0.0e58a340d: * [RELEASE] Released version 2.2.3 * BUG/MEDIUM: mux-h1: always apply the timeout on half-closed connections * BUG/MINOR: auth: report valid crypto(3) support depending on build options * DOC: ssl-load-extra-files only applies to certificates on bind lines * MINOR: server: Improve log message sent when server address is updated * BUG/MEDIUM: dns: Be sure to renew IP address for already known servers * BUG/MEDIUM: dns: Don't store additional records in a linked-list * CLEANUP: dns: remove 45 "return" statements from dns_validate_dns_response() * CLEANUP: Update .gitignore * MINOR: Commit .gitattributes * BUILD: thread: limit the libgcc_s workaround to glibc only * BUG/MINOR: threads: work around a libgcc_s issue with chrooting * BUG/MEDIUM: ssl: does not look for all SNIs before chosing a certificate * MINOR: arg: Use chunk_destroy() to release string arguments * BUG/MEDIUM: ssl: check OCSP calloc in ssl_sock_load_ocsp() * REGTEST: Add a test for request path manipulations, with and without the QS * MINOR: http-fetch: Add pathq sample fetch * MINOR: http-rules: Add set-pathq and replace-pathq actions * BUG/MEDIUM: doc: Fix replace-path action description * Revert "BUG/MINOR: http-rules: Replace path and query-string in "replace-path" action" * BUG/MINOR: startup: haproxy -s cause 100% cpu * BUG/MEDIUM: contrib/spoa-server: Fix ipv4_address used instead of ipv6_address * BUG/MINOR: contrib/spoa-server: Updating references to free in case of failure * BUG/MINOR: contrib/spoa-server: Do not free reference to NULL * BUG/MINOR: contrib/spoa-server: Ensure ip address references are freed * BUG/MAJOR: contrib/spoa-server: Fix unhandled python call leading to memory leak * BUILD: task: work around a bogus warning in gcc 4.7/4.8 at -O1 * BUILD: tools: include auxv a bit later * MINOR: cache: Reject duplicate cache names * DOC: cache: Use '' instead of '' in error message * BUG/MEDIUM: ssl: crt-list negative filters don't work * BUG/MINOR: http-rules: Replace path and query-string in "replace-path" action * MINOR: http-htx: Add an option to eval query-string when the path is replaced * BUG/MEDIUM: http-ana: Don't wait to send 1xx responses received from servers * BUG/MINOR: reload: do not fail when no socket is sent * BUG/MEDIUM: ssl: fix ssl_bind_conf double free w/ wildcards * BUG/MEDIUM: ssl: never generates the chain from the verify store * BUG/MEDIUM: htx: smp_prefetch_htx() must always validate the direction * BUG/MINOR: stats: use strncmp() instead of memcmp() on health states * BUG/MINOR: ssl: ssl-skip-self-issued-ca requires >= 1.0.2 * BUG/MEDIUM: ssl: fix the ssl-skip-self-issued-ca option * BUG/MINOR: snapshots: leak of snapshots on deinit() * MEDIUM: lua: Don't filter exported fetches and converters * BUG/MINOR: lua: Duplicate lua strings in sample fetches/converters arg array * MINOR: hlua: Don't needlessly copy lua strings in trash during args validation * BUG/MINOR: lua: Check argument type to convert it to IP mask in arg validation * BUG/MINOR: lua: Check argument type to convert it to IPv4/IPv6 arg validation * BUG/MINOR: arg: Fix leaks during arguments validation for fetches/converters * BUG/MINOR: lua: Duplicate map name to load it when a new Map object is created * BUG/MINOR: converters: Store the sink in an arg pointer for debug() converter * MINOR: arg: Add an argument type to keep a reference on opaque data * BUG/MEDIUM: map/lua: Return an error if a map is loaded during runtime * BUG/MEDIUM: ssl: memory leak of ocsp data at SSL_CTX_free() * BUG/MINOR: ssl: fix memory leak at OCSP loading * DOC: spoa-server: fix false friends `actually` * BUG/MINOR: spoa-server: fix size_t format printing * BUG/MAJOR: dns: disabled servers through SRV records never recover * CLEANUP: dns: typo in reported error message * BUG/MEDIUM: mux-h1: Refresh H1 connection timeout after a synchronous send * SCRIPTS: git-show-backports: emit the shell command to backport a commit * SCRIPTS: git-show-backports: make -m most only show the left branch- Update to version 2.2.2+git0.b8a2763d5: * [RELEASE] Released version 2.2.2 * BUG/MEDIUM: tcp-checks: always attach the transport before installing the mux * BUG/MEDIUM: backend: always attach the transport before installing the mux * SCRIPTS: announce-release: add the link to the wiki in the announce messages * MINOR: stream-int: Be sure to have a mux to do sends and receives * MINOR: connection: Preinstall the mux for non-ssl connect * BUG/MEDIUM: connection: Be sure to always install a mux for sync connect * BUG/MINOR: tcp-rules: Set the inspect-delay when a tcp-response action yields * BUG/MINOR: tcp-rules: Preserve the right filter analyser on content eval abort * BUG/MINOR: lua: Abort execution of actions that yield on a final evaluation * BUG/MEDIUM: dns: Don't yield in do-resolve action on a final evaluation * MEDIUM: lua: Add support for the Lua 5.4 * BUG/MAJOR: dns: don't treat Authority records as an error * BUG/MAJOR: dns: fix null pointer dereference in snr_update_srv_status * BUG/MINOR: debug: Don't dump the lua stack if it is not initialized * BUILD: tools: fix build with static only toolchains * BUG/MINOR: mux-fcgi: Don't url-decode the QUERY_STRING parameter anymore- Update to version 2.2.1+git0.0ef71a557: * [RELEASE] Released version 2.2.1 * BUG/MEDIUM: http-ana: Only set CF_EXPECT_MORE flag on data filtering * BUG/MEDIUM: stream-int: Don't set MSG_MORE flag if no more data are expected * BUG/MINOR: htx: add two missing HTX_FL_EOI and remove an unexpected one * MEDIUM: htx: Add a flag on a HTX message when no more data are expected * BUG/MEDIUM: dns: Release answer items when a DNS resolution is freed * BUG/MAJOR: dns: Make the do-resolve action thread-safe * BUG/MAJOR: tasks: don't requeue global tasks into the local queue * BUG/MEDIUM: resolve: fix init resolving for ring and peers section. * BUG/MEDIUM: arg: empty args list must be dropped * DOC: ssl: req_ssl_sni needs implicit TLS * BUILD: config: fix again bugs gcc warnings on calloc * BUG/MAJOR: tasks: make sure to always lock the shared wait queue if needed * BUILD: config: address build warning on raspbian+rpi4 * BUG/MEDIUM: channel: Be aware of SHUTW_NOW flag when output data are peeked * BUG/MEDIUM: server: fix possibly uninitialized state file on close * BUG/MEDIUM: server: resolve state file handle leak on reload * BUG/MEDIUM: fcgi-app: fix memory leak in fcgi_flt_http_headers * BUG/MEDIUM: log: issue mixing sampled to not sampled log servers. * BUG/MINOR: mux-fcgi: Set flags on the right stream field for empty FCGI_STDOUT * BUG/MINOR: mux-fcgi: Set conn state to RECORD_P when skipping the record padding * BUG/MINOR: mux-fcgi: Handle empty STDERR record * BUG/MEDIUM: mux-h1: Continue to process request when switching in tunnel mode * BUG/MEDIUM: mux-fcgi: Don't add private connections in available connection list * BUG/MEDIUM: mux-h2: Don't add private connections in available connection list * CONTRIB: da: fix memory leak in dummy function da_atlas_open() * BUG/MEDIUM: lists: add missing store barrier in MT_LIST_ADD/MT_LIST_ADDQ * BUG/MEDIUM: lists: add missing store barrier on MT_LIST_BEHEAD() * BUG/MINOR: sample: Free str.area in smp_check_const_meth * BUG/MINOR: sample: Free str.area in smp_check_const_bool- Update to version 2.2.0+git0.3a00c915f: https://www.haproxy.com/blog/announcing-haproxy-2-2/ * [RELEASE] Released version 2.2.0 * MINOR: version: mention that it's an LTS release now * DOC: minor update to coding style file * DOC: update INSTALL with new compiler versions * CLEANUP: ssl: remove unrelevant comment in smp_fetch_ssl_x_keylog() * DOC: configuration: remove obsolete mentions of H2 being converted to HTTP/1.x * BUG/MINOR: connection: See new connection as available only on reuse always * BUG/MEDIUM: connection: Don't consider new private connections as available * BUG/MINOR: backend: Remove CO_FL_SESS_IDLE if a client remains on the last server * MINOR: mux-h1: Improve traces about the splicing - refreshed patches to apply cleanly again: haproxy-1.6.0-makefile_lib.patch haproxy-1.6.0-sec-options.patch - track series file in source rpm- Update to version 2.1.7+git0.8bebf80fb: * [RELEASE] Released version 2.1.7- Update to version 2.1.6+git1.661c88907: * BUG/MAJOR: http-htx: Don't forget to copy error messages from defaults sections- Update to version 2.1.6+git0.34db76106: * [RELEASE] Released version 2.1.6 * BUG/MINOR: mworker: fix a memleak when execvp() failed * BUG/MINOR: ssl: fix a trash buffer leak in some error cases * BUG/MEDIUM: mworker: fix the reload with an -- option * BUG/MINOR: init: -S can have a parameter starting with a dash * BUG/MINOR: init: -x can have a parameter starting with a dash * BUG/MEDIUM: mworker: fix the copy of options in copy_argv() * BUG/MEDIUM: contrib/prometheus-exporter: Properly set flags to dump metrics * BUG/MEDIUM: hlua: Lock pattern references to perform set/add/del operations * BUG/MEDIUM: http-htx: Duplicate error messages as raw data instead of string * BUG/MEDIUM: lua: Reset analyse expiration timeout before executing a lua action * BUG/MINOR: peers: fix internal/network key type mapping. * SCRIPTS: publish-release: pass -n to gzip to remove timestamp * Revert "BUG/MEDIUM: connections: force connections cleanup on server changes"- Update to version 2.1.5+git0.36e14bd31: * [RELEASE] Released version 2.1.5 * BUG/MINOR: nameservers: fix error handling in parsing of resolv.conf * BUG/MINOR: lua: Add missing string length for lua sticktable lookup * BUG/MEDIUM: logs: fix trailing zeros on log message. * REGTESTS: checks: Fix tls_health_checks when IPv6 addresses are used * BUG/MINOR: logs: prevent double line returns in some events. * DOC: SPOE is no longer experimental * DOC/MINOR: halog: Add long help info for ic flag * DOC: retry-on can only be used with mode http * BUG/MINOR: server: Fix server_finalize_init() to avoid unused variable * BUG/MINOR: checks: Respect check-ssl param when a port or an addr is specified * BUG/MEDIUM: ring: write-lock the ring while attaching/detaching * BUG/MAJOR: mux-fcgi: Stop sending loop if FCGI stream is blocked for any reason * BUG/MINOR: cache: Don't needlessly test "cache" keyword in parse_cache_flt() * BUG/MEDIUM: stream: Only allow L7 retries when using HTTP. * BUG/MEDIUM: streams: Remove SF_ADDR_SET if we're retrying due to L7 retry. * BUILD: select: only declare existing local labels to appease clang * BUG/MINOR: soft-stop: always wake up waiting threads on stopping * BUG/MINOR: pollers: remove uneeded free in global init * BUG/MINOR: pools: use %u not %d to report pool stats in "show pools" * BUG/MINOR: cfgparse: Abort parsing the current line if an invalid \x sequence is encountered * BUG/MEDIUM: http_ana: make the detection of NTLM variants safer * BUG/MINOR: http-ana: fix NTLM response parsing again * BUG/MINOR: config: Make use_backend and use-server post-parsing less obscur * BUG/MEDIUM: lua: Fix dumping of stick table entries for STD_T_DICT * BUG/MINOR: threads: fix multiple use of argument inside HA_ATOMIC_UPDATE_{MIN,MAX}() * BUG/MINOR: threads: fix multiple use of argument inside HA_ATOMIC_CAS() * BUG/MINOR: sample: Set the correct type when a binary is converted to a string * CLEANUP: connections: align function declaration * BUG/MEDIUM: ssl: fix the id length check within smp_fetch_ssl_fc_session_id() * BUG/MEDIUM: h1: Don't compare host and authority if only h1 headers are parsed * BUG/MEDIUM: connections: force connections cleanup on server changes * BUG/MEDIUM: mux-fcgi: Fix wrong test on FCGI_CF_KEEP_CONN in fcgi_detach() * BUG/MEDIUM: mux_fcgi: Free the FCGI connection at the end of fcgi_release() * BUG/MINOR: checks: Remove a warning about http health checks * BUG/MINOR: checks: Compute the right HTTP request length for HTTP health checks * BUG/MINOR: checks/server: use_ssl member must be signed * Revert "BUG/MINOR: connection: make sure to correctly tag local PROXY connections" * Revert "BUG/MINOR: connection: always send address-less LOCAL PROXY connections" * REGTEST: http-rules: Require PCRE or PCRE2 option to run map_redirect script * REGTEST: ssl: test the client certificate authentication * BUILD: Makefile: add linux-musl to TARGET * BUILD: tools: rely on __ELF__ not USE_DL to enable use of dladdr() * BUILD: tools: unbreak resolve_sym_name() on non-GNU platforms * MINOR: debug: dump the whole trace if we can't spot the starting point * MINOR: debug: use our own backtrace function on clang+x86_64 * MINOR: debug: improve backtrace() on aarch64 and possibly other systems * MINOR: debug: report the number of entries in the backtrace * MINOR: wdt: do not depend on USE_THREAD * BUILD: Makefile: include librt before libpthread * MINOR: debug: call backtrace() once upon startup * MEDIUM: debug: add support for dumping backtraces of stuck threads * MINOR: cli: make "show fd" rely on resolve_sym_name() * MINOR: debug: use resolve_sym_name() to dump task handlers * MINOR: tools: add resolve_sym_name() to resolve function pointers * MINOR: tools: add new function dump_addr_and_bytes() * MINOR: haproxy: export run_poll_loop * MINOR: stream: report the list of active filters on stream crashes * BUG/MEDIUM: shctx: bound the number of loops that can happen around the lock * BUG/MEDIUM: shctx: really check the lock's value while waiting * BUG/MINOR: debug: properly use long long instead of long for the thread ID * MINOR: threads: export the POSIX thread ID in panic dumps * BUG/MEDIUM: listener: mark the thread as not stuck inside the loop * BUG/MEDIUM: sample: make the CPU and latency sample fetches check for a stream * BUG/MEDIUM: http: the "unique-id" sample fetch could crash without a steeam * BUG/MEDIUM: http: the "http_first_req" sample fetch could crash without a steeam * BUG/MEDIUM: capture: capture.{req,res}.* crash without a stream * BUG/MEDIUM: capture: capture-req/capture-res converters crash without a stream * BUG/MINOR: mux-fcgi: Be sure to have a connection as session's origin to use it * BUG/MINOR: obj_type: Handle stream object in obj_base_ptr() function * BUG/MINOR: checks: chained expect will not properly wait for enough data * BUG/MEDIUM: server/checks: Init server check during config validity check * BUG/MINOR: checks: Respect the no-check-ssl option * MINOR: checks: Add a way to send custom headers and payload during http chekcs * BUG/MINOR: check: Update server address and port to execute an external check * MINOR: contrib: make the peers wireshark dissector a plugin * MEDIUM: memory: make pool_gc() run under thread isolation * DOC: option logasap does not depend on mode * BUG/MINOR: http: make url_decode() optionally convert '+' to SP * BUG/MINOR: tools: fix the i386 version of the div64_32 function * BUG/MEDIUM: http-ana: Handle NTLM messages correctly. * BUG/MINOR: ssl: default settings for ssl server options are not used * DOC: Improve documentation on http-request set-src * MINOR: version: Show uname output in display_version() * DOC: hashing: update link to hashing functions * BUG/MINOR: peers: Incomplete peers sections should be validated. * BUG/MINOR: connection: always send address-less LOCAL PROXY connections * BUG/MINOR: ssl: memleak of the struct cert_key_and_chain * BUG/MINOR: ssl/cli: memory leak in 'set ssl cert' * MINOR: ssl: improve the errors when a crt can't be open * BUG/MINOR: protocol_buffer: Wrong maximum shifting.- use the "profile profilename /path/to/binary" syntax to make "ps aufxZ" more readable- Update to version 2.1.4+git0.3cfc2f1d9: (boo#1168023) CVE-2020-11100 - SCRIPTS: make announce-release executable again - BUG/MINOR: namespace: avoid closing fd when socket failed in my_socketat - BUG/MEDIUM: muxes: Use the right argument when calling the destroy method. - BUG/MINOR: mux-fcgi: Forbid special characters when matching PATH_INFO param - MINOR: mux-fcgi: Make the capture of the path-info optional in pathinfo regex - SCRIPTS: announce-release: use mutt -H instead of -i to include the draft - MINOR: http-htx: Add a function to retrieve the headers size of an HTX message - MINOR: filters: Forward data only if the last filter forwards something - BUG/MINOR: filters: Count HTTP headers as filtered data but don't forward them - BUG/MINOR: http-htx: Don't return error if authority is updated without changes - BUG/MINOR: http-ana: Matching on monitor-uri should be case-sensitive - MINOR: http-ana: Match on the path if the monitor-uri starts by a / - BUG/MAJOR: http-ana: Always abort the request when a tarpit is triggered - MINOR: ist: add an iststop() function - BUG/MINOR: http: http-request replace-path duplicates the query string - BUG/MEDIUM: shctx: make sure to keep all blocks aligned - MINOR: compiler: move CPU capabilities definition from config.h and complete them - BUG/MEDIUM: ebtree: don't set attribute packed without unaligned access support - BUILD: fix recent build failure on unaligned archs - CLEANUP: cfgparse: Fix type of second calloc() parameter - BUG/MINOR: sample: fix the json converter's endian-sensitivity - BUG/MEDIUM: ssl: fix several bad pointer aliases in a few sample fetch functions - BUG/MINOR: connection: make sure to correctly tag local PROXY connections - MINOR: compiler: add new alignment macros - BUILD: ebtree: improve architecture-specific alignment - BUG/MINOR: h2: reject again empty :path pseudo-headers - BUG/MINOR: sample: Make sure to return stable IDs in the unique-id fetch - BUG/MINOR: dns: ignore trailing dot - BUG/MINOR: http-htx: Do case-insensive comparisons on Host header name - MINOR: contrib/prometheus-exporter: Add heathcheck status/code in server metrics - MINOR: contrib/prometheus-exporter: Add the last heathcheck duration metric - BUG/MEDIUM: random: initialize the random pool a bit better - MINOR: tools: add 64-bit rotate operators - BUG/MEDIUM: random: implement a thread-safe and process-safe PRNG - MINOR: backend: use a single call to ha_random32() for the random LB algo - BUG/MINOR: checks/threads: use ha_random() and not rand() - BUG/MAJOR: list: fix invalid element address calculation - MINOR: debug: report the task handler's pointer relative to main - BUG/MEDIUM: debug: make the debug_handler check for the thread in threads_to_dump - MINOR: haproxy: export main to ease access from debugger - BUILD: tools: remove obsolete and conflicting trace() from standard.c - BUG/MINOR: wdt: do not return an error when the watchdog couldn't be enabled - DOC: fix incorrect indentation of http_auth_* - OPTIM: startup: fast unique_id allocation for acl. - BUG/MINOR: pattern: Do not pass len = 0 to calloc() - DOC: configuration.txt: fix various typos - DOC: assorted typo fixes in the documentation and Makefile - BUG/MINOR: init: make the automatic maxconn consider the max of soft/hard limits - BUG/MAJOR: proxy_protocol: Properly validate TLV lengths - REGTEST: make the PROXY TLV validation depend on version 2.2 - BUG/MINOR: filters: Use filter offset to decude the amount of forwarded data - BUG/MINOR: filters: Forward everything if no data filters are called - MINOR: htx: Add a function to return a block at a specific offset - BUG/MEDIUM: cache/filters: Fix loop on HTX blocks caching the response payload - BUG/MEDIUM: compression/filters: Fix loop on HTX blocks compressing the payload - BUG/MINOR: http-ana: Reset request analysers on a response side error - BUG/MINOR: lua: Ignore the reserve to know if a channel is full or not - BUG/MINOR: http-rules: Preserve FLT_END analyzers on reject action - BUG/MINOR: http-rules: Fix a typo in the reject action function - BUG/MINOR: rules: Preserve FLT_END analyzers on silent-drop action - BUG/MINOR: rules: Increment be_counters if backend is assigned for a silent-drop - DOC: fix typo about no-tls-tickets - DOC: improve description of no-tls-tickets - DOC: assorted typo fixes in the documentation - DOC: ssl: clarify security implications of TLS tickets - BUILD: wdt: only test for SI_TKILL when compiled with thread support - BUG/MEDIUM: mt_lists: Make sure we set the deleted element to NULL; - MINOR: mt_lists: Appease gcc. - BUG/MEDIUM: random: align the state on 2*64 bits for ARM64 - BUG/MEDIUM: pools: Always update free_list in pool_gc(). - BUG/MINOR: haproxy: always initialize sleeping_thread_mask - BUG/MINOR: listener/mq: do not dispatch connections to remote threads when stopping - BUG/MINOR: haproxy/threads: try to make all threads leave together - DOC: proxy_protocol: Reserve TLV type 0x05 as PP2_TYPE_UNIQUE_ID - DOC: correct typo in alert message about rspirep - BUILD: on ARM, must be linked to libatomic. - BUILD: makefile: fix regex syntax in ARM platform detection - BUILD: makefile: fix expression again to detect ARM platform - BUG/MEDIUM: peers: resync ended with RESYNC_PARTIAL in wrong cases. - DOC: assorted typo fixes in the documentation - MINOR: wdt: Move the definitions of WDTSIG and DEBUGSIG into types/signal.h. - BUG/MEDIUM: wdt: Don't ignore WDTSIG and DEBUGSIG in __signal_process_queue(). - MINOR: memory: Change the flush_lock to a spinlock, and don't get it in alloc. - BUG/MINOR: connections: Make sure we free the connection on failure. - REGTESTS: use "command -v" instead of "which" - REGTEST: increase timeouts on the seamless-reload test - BUG/MINOR: haproxy/threads: close a possible race in soft-stop detection - BUG/MINOR: peers: init bind_proc to 1 if it wasn't initialized - BUG/MINOR: peers: avoid an infinite loop with peers_fe is NULL - BUG/MINOR: peers: Use after free of "peers" section. - MINOR: listener: add so_name sample fetch - BUILD: ssl: only pass unsigned chars to isspace() - BUG/MINOR: stats: Fix color of draining servers on stats page - DOC: internals: Fix spelling errors in filters.txt - MINOR: http-rules: Add a flag on redirect rules to know the rule direction - BUG/MINOR: http_ana: make sure redirect flags don't have overlapping bits - MINOR: http-rules: Handle the rule direction when a redirect is evaluated - BUG/MINOR: http-ana: Reset request analysers on error when waiting for response - BUG/CRITICAL: hpack: never index a header into the headroom after wrapping- Remove unsupported options from example haproxy.cfg - Make haproxy useable for containers - Use sysusers.d to create users. - Use systemd_ordering instead of requiring systemd. - Own vim syntax directory instead of requiring vim. This also solves the problem the directory got never removed if vim is updated before haproxy.- Update to version 2.1.3+git0.5c020bbdd: * [RELEASE] Released version 2.1.3 * BUG/MINOR: tcp: don't try to set defaultmss when value is negative * BUG/MINOR: http-ana: Set HTX_FL_PROXY_RESP flag if a server perform a redirect * BUG/MINOR: http-ana: Don't overwrite outgoing data when an error is reported * MINOR: htx/channel: Add a function to copy an HTX message in a channel's buffer * MINOR: htx: Add a function to append an HTX message to another one * DOC: word converter ignores delimiters at the start or end of input string * MINOR: build: add aix72-gcc build TARGET and power{8,9} CPUs * BUG/MINOR: tcp: avoid closing fd when socket failed in tcp_bind_listener * BUG/MINOR: listener: enforce all_threads_mask on bind_thread on init * BUG/MEDIUM: listener: only consider running threads when resuming listeners * BUG/MINOR: dns: allow 63 char in hostname * BUG/MINOR: unix: better catch situations where the unix socket path length is close to the limit * DOC: schematic of the SSL certificates architecture * BUG/MEDIUM: ssl/cli: 'commit ssl cert' wrong SSL_CTX init * SCRIPTS: announce-release: allow the user to force to overwrite old files * SCRIPTS: announce-release: place the send command in the mail's header * CONTRIB: debug: also support reading values from stdin * MINOR: acl: Warn when an ACL is named 'or' * CONTRIB: debug: support reporting multiple values at once * CONTRIB: debug: add the possibility to decode the value as certain types only * CONTRIB: debug: add missing flags SF_HTX and SF_MUX * BUG/MINOR: ssl: clear the SSL errors on DH loading failure * BUG/MINOR: ssl: we may only ignore the first 64 errors * BUG/MAJOR: memory: Don't forget to unlock the rwlock if the pool is empty. * BUG/MEDIUM: memory: Add a rwlock before freeing memory. * MINOR: memory: Only init the pool spinlock once. * BUG/MEDIUM: memory_pool: Update the seq number in pool_flush(). * BUG/MEDIUM: connections: Don't forget to unlock when killing a connection. * BUG/MINOR: connection: fix ip6 dst_port copy in make_proxy_line_v2 * BUG/MINOR: ssl: Possible memleak when allowing the 0RTT data buffer. * BUG/MEDIUM: pipe: fix a use-after-free in case of pipe creation error * BUG/MINOR: tcpchecks: fix the connect() flags regarding delayed ack * BUG/MEDIUM: ssl: Don't forget to free ctx->ssl on failure. * MINOR: lua: Add HLUA_PREPEND_C?PATH build option * MINOR: lua: Add lua-prepend-path configuration option * MINOR: lua: Add hlua_prepend_path function * BUILD: cfgparse: silence a bogus gcc warning on 32-bit machines * BUG/MEDIUM: mux-h2: make sure we don't emit TE headers with anything but "trailers" * BUG/MINOR: stktable: report the current proxy name in error messages * BUG/MEDIUM: 0rtt: Only consider the SSL handshake. * BUG/MINOR: ssl/cli: ocsp_issuer must be set w/ "set ssl cert" * BUG/MINOR: ssl: typo in previous patch * BUG/MINOR: ssl: memory leak w/ the ocsp_issuer * BUG/MINOR: ssl: increment issuer refcount if in chain * CLEANUP: stats: shut up a wrong null-deref warning from gcc 9.2 * BUG/MINOR: ssl/cli: free the previous ckch content once a PEM is loaded * BUG/MINOR: ssl: ssl_sock_load_pem_into_ckch is not consistent * BUG/MEDIUM: netscaler: Don't forget to allocate storage for conn->src/dst. * BUG/MINOR: http_act: don't check capture id in backend * MINOR: proxy/http-ana: Add support of extra attributes for the cookie directive * BUG/MINOR: ssl: ssl_sock_load_sctl_from_file memory leak * BUG/MINOR: ssl: ssl_sock_load_issuer_file_into_ckch memory leak * BUG/MINOR: ssl: ssl_sock_load_ocsp_response_from_file memory leak * BUG/MINOR: tcp-rules: Fix memory releases on error path during action parsing * BUG/MINOR: stick-table: Use MAX_SESS_STKCTR as the max track ID during parsing * BUG/MINOR: http-rules: Remove buggy deinit functions for HTTP rules * BUG/MINOR: http-ana/filters: Wait end of the http_end callback for all filters * BUILD: pattern: include errno.h * BUG/MINOR: 51d: Fix bug when HTX is enabled * BUG/MINOR: dns: Make dns_query_id_seed unsigned * BUG/MINOR: cache: Fix leak of cache name in error path * BUG/MINOR: pattern: handle errors from fgets when trying to load patterns * BUG/MEDIUM: connection: add a mux flag to indicate splice usability * BUG/MINOR: stream: don't mistake match rules for store-request rules * BUG/MEDIUM: cli: _getsocks must send the peers sockets * REGTEST: add sample_fetches/hashes.vtc to validate hashes * BUG/MAJOR: hashes: fix the signedness of the hash inputs * BUG/MEDIUM: mux_h1: Don't call h1_send if we subscribed(). * BUG/MEDIUM: mworker: remain in mworker mode during reload * REGTEST: mcli/mcli_start_progs: start 2 programs * BUG/MINOR: cli/mworker: can't start haproxy with 2 programs * BUG/MEDIUM: mux-h2: don't stop sending when crossing a buffer boundary * BUG/MEDIUM: mux-h2: fix missing test on sending_list in previous patch * BUG/MINOR: mux-h2: use a safe list_for_each_entry in h2_send() * BUG/MEDIUM: tasks: Use the MT macros in tasklet_free(). * BUG/MINOR: stream-int: Don't trigger L7 retry if max retries is already reached * BUG/MEDIUM: session: do not report a failure when rejecting a session * BUG/MINOR: channel: inject output data at the end of output * BUG/MEDIUM: http-ana: Truncate the response when a redirect rule is applied * BUG/MINOR: proxy: Fix input data copy when an error is captured * BUG/MINOR: h1: Report the right error position when a header value is invalid * MINOR: ssl: Remove unused variable "need_out". * MINOR: config: disable busy polling on old processes * BUG/MEDIUM: connections: Hold the lock when wanting to kill a connection. * BUG/MEDIUM: checks: Only attempt to do handshakes if the connection is ready. * BUG/MINOR: checks: refine which errno values are really errors.- Update to version 2.1.2+git0.d5b6759b5: * [RELEASE] Released version 2.1.2 * BUILD: ssl: improve SSL_CTX_set_ecdh_auto compatibility * BUG/MEDIUM: stream: Be sure to never assign a TCP backend to an HTX stream * BUG/MINOR: state-file: do not leak memory on parse errors * BUG/MINOR: state-file: do not store duplicates in the global tree * BUG/MEDIUM: state-file: do not allocate a full buffer for each server entry * BUG/MINOR: ssl: openssl-compat: Fix getm_ defines * BUG/MEDIUM: fd/threads: fix a concurrency issue between add and rm on the same fd * MINOR: fd/threads: make _GET_NEXT()/_GET_PREV() use the volatile attribute * BUG/MEDIUM: ssl: Revamp the way early data are handled. * BUG/MAJOR: task: add a new TASK_SHARED_WQ flag to fix foreing requeuing * MINOR: task: only check TASK_WOKEN_ANY to decide to requeue a task * MINOR: http: add a new "replace-path" action * MINOR: debug: support logging to various sinks * BUG/MEDIUM: ssl: Don't set the max early data we can receive too early. * MINOR: sample: Validate the number of bits for the sha2 converter * BUG/MINOR: sample: always check converters' arguments * BUG/MINOR: sample: fix the closing bracket and LF in the debug converter * DOC: clarify the fact that replace-uri works on a full URI- drop the udev buildrequires completely- BuildRequire pkgconfig(udev) instead of udev: allow OBS to shortcut through the -mini flavors.- Update to version 2.1.1+git0.4ae521379: * [RELEASE] Released version 2.1.1 * BUILD/MINOR: unix sockets: silence an absurd gcc warning about strncpy() * BUG/MINOR: listener: fix off-by-one in state name check * BUG/MINOR: server: make "agent-addr" work on default-server line * BUG/MINOR: listener: do not immediately resume on transient error * BUG/MINOR: mworker: properly pass SIGTTOU/SIGTTIN to workers * BUG/MINOR: log: fix minor resource leaks on logformat error path * DOC: remove references to the outdated architecture.txt * DOC: proxies: HAProxy only supports 3 connection modes * BUG/MINOR: tasks: only requeue a task if it was already in the queue * DOC: listeners: add a few missing transitions- Update to version 2.1.0+git33.8e4a62508: * BUG/MEDIUM: proto_udp/threads: recv() and send() must not be exclusive. * BUG/MAJOR: dns: add minimalist error processing on the Rx path * BUG/MEDIUM: kqueue: Make sure we report read events even when no data. * DOC: document the listener state transitions * BUG/MEDIUM: listener/threads: fix a remaining race in the listener's accept() * BUG/MINOR: listener: also clear the error flag on a paused listener * BUG/MINOR: listener/threads: always use atomic ops to clear the FD events * BUG/MINOR: proxy: make soft_stop() also close FDs in LI_PAUSED state * BUG/MEDIUM: mux-fcgi: Handle cases where the HTX EOM block cannot be inserted * BUG/MINOR: mux-h1: Be sure to set CS_FL_WANT_ROOM when EOM can't be added- Update to version 2.1.0+git23.e77b108cd: * BUG/MEDIUM: checks: Make sure we set the task affinity just before connecting. * BUG/MEDIUM: tasks: Make sure we switch wait queues in task_set_affinity().- Update to version 2.1.0+git21.67ff2112b: * BUG/MINOR: mux-h1: Fix conditions to know whether or not we may receive data * BUG/MINOR: mux-h1: Don't rely on CO_FL_SOCK_RD_SH to set H1C_F_CS_SHUTDOWN * BUG/MEDIUM: mux-h1: Never reuse H1 connection if a shutw is pending * BUG/MINOR: ssl: certificate choice can be unexpected with openssl >= 1.1.1 * BUG/MEDIUM: listener/thread: fix a race when pausing a listener * BUG/MINOR: ssl/cli: don't overwrite the filters variable * BUG/MINOR: stream-int: avoid calling rcv_buf() when splicing is still possible * BUG/MEDIUM: stream-int: don't subscribed for recv when we're trying to flush data * DOC: move the "group" keyword at the right place * DOC: Fix ordered list in summary- switch to the 2.1 branch https://www.haproxy.com/blog/haproxy-2-1/ https://www.mail-archive.com/haproxy@formilux.org/msg35491.html- Update to version 2.0.10+git14.7caf150a: * BUG/MINOR: mux-h1: Fix conditions to know whether or not we may receive data * BUG/MINOR: mux-h1: Don't rely on CO_FL_SOCK_RD_SH to set H1C_F_CS_SHUTDOWN * BUG/MEDIUM: mux-h1: Never reuse H1 connection if a shutw is pending * BUG/MINOR: ssl: certificate choice can be unexpected with openssl >= 1.1.1 * BUG/MEDIUM: listener/thread: fix a race when pausing a listener * BUG/MINOR: stream-int: avoid calling rcv_buf() when splicing is still possible * BUG/MEDIUM: stream-int: don't subscribed for recv when we're trying to flush data * DOC: move the "group" keyword at the right place * DOC: clarify matching strings on binary fetches * DOC: Clarify behavior of server maxconn in HTTP mode- Update to version 2.0.10+git4.6d9a455d: * BUG/MINOR: http-htx: Don't make http_find_header() fail if the value is empty- Update to version 2.0.10+git3.200c6215: * BUG/MINOR: contrib/prometheus-exporter: decode parameter and value only- Update to version 2.0.10+git2.3a00e5fc: * BUG/MINOR: contrib/prometheus-exporter: Use HTX errors and not legacy ones * BUG/MINOR: stream: init variables when the list is empty- Update to version 2.0.10+git0.ac198b92: (bsc#1157712) (bsc#1157714) * [RELEASE] Released version 2.0.10 * SCRIPTS: git-show-backports: add "-s" to proposed cherry-pick commands * SCRIPTS: create-release: show the correct origin name in suggested commands * BUG/MAJOR: mux-h2: don't try to decode a response HEADERS frame in idle state * BUG/MAJOR: h2: make header field name filtering stronger * BUG/MAJOR: h2: reject header values containing invalid chars * MINOR: ist: add ist_find_ctl() * BUG/MINOR: ssl: fix curve setup with LibreSSL * BUG/MINOR: cli: fix out of bounds in -S parser * DOC: Add documentation about the use-service action * DOC: Add missing stats fields in the management manual * BUG/MINOR: mux-h1: Adjust header case when chunked encoding is add to a message * BUG/MINOR: mux-h1: Fix a UAF in cfg_h1_headers_case_adjust_postparser() * MEDIUM: mux-h1: Add the support of headers adjustment for bogus HTTP/1 apps * REGTEST: vtest can now enable mcli with its own flag * MINOR: stats: Report max times in addition of the averages for sessions * BUG/MINOR: stream-int: Fix si_cs_recv() return value * MINOR: contrib/prometheus-exporter: Add a param to ignore servers in maintenance * MINOR: contrib/prometheus-exporter: filter exported metrics by scope * MINOR: contrib/prometheus-exporter: report the number of idle conns per server * BUG/MINOR: contrib/prometheus-exporter: Rename some metrics * MINOR: contrib/prometheus-exporter: Report metrics about max times for sessions * MINOR: counters: Add fields to store the max observed for {q,c,d,t}_time * MINOR: stream: Remove the lock on the proxy to update time stats * MINOR: freq_ctr: Make the sliding window sums thread-safe * BUG/MINOR: http-ana: Properly catch aborts during the payload forwarding * BUG/MINOR: mux-h1: Fix tunnel mode detection on the response path * BUILD: debug: Avoid warnings in dev mode with -02 because of some BUG_ON tests * BUG/MEDIUM: stream-int: Don't loose events on the CS when an EOS is reported * BUILD/MINOR: ssl: fix compiler warning about useless statement * BUG/MINOR: peers: "peer alive" flag not reset when deconnecting. * BUG/MEDIUM: mworker: don't fill the -sf argument with -1 during the reexec- Update to version 2.0.9+git6.26b7b800: * BUG/MINOR: ssl: fix crt-list neg filter for openssl < 1.1.1 * BUG/MINOR: peers: Wrong null "server_name" data field handling. * MINOR: peers: Add debugging information to "show peers". * MINOR: peers: Add TX/RX heartbeat counters. * MINOR: peers: Alway show the table info for disconnected peers.- Update to version 2.0.9+git1.caf02113: * BUG/MINOR: init: fix set-dumpable when using uid/gid- Update to version 2.0.9+git0.efac87ee (bsc#1154980) (CVE-2019-18277): * [RELEASE] Released version 2.0.9 * BUG/MINOR: mux-h1: Don't set CS_FL_EOS on a read0 when receiving data to pipe * BUG/MEDIUM: filters: Don't call TCP callbacks for HTX streams * BUG/MINOR: log: limit the size of the startup-logs * BUILD: contrib/da: remove an "unused" warning * MINOR: memory: also poison the area on freeing * CLEANUP: session: slightly simplify idle connection cleanup logic * BUG/MEDIUM: Make sure we leave the session list in session_free(). * BUG/MEDIUM: listeners: always pause a listener on out-of-resource condition * BUG/MINOR: queue/threads: make the queue unlinking atomic * DOC: management: fix typo on "cache_lookups" stats output * DOC: management: document cache_hits and cache_lookups in the CSV format * DOC: management: document reuse and connect counters in the CSV format * BUG: dns: timeout resolve not applied for valid resolutions * BUG/MINOR: action: do-resolve now use cached response * BUG/MEDIUM: stream: Be sure to release allocated captures for TCP streams * MINOR: doc: http-reuse connection pool fix * BUG/MEDIUM: stream: Be sure to support splicing at the mux level to enable it * BUG/MEDIUM: mux-h1: Disable splicing for chunked messages * BUG/MEDIUM: mux-h2: immediately report connection errors on streams * BUG/MEDIUM: mux-h2: immediately remove a failed connection from the idle list * BUG/MEDIUM: mux-h2: report no available stream on a connection having errors * BUG/MINOR: config: Update cookie domain warn to RFC6265 * BUG/MEDIUM: servers: Only set SF_SRV_REUSED if the connection if fully ready. * BUG/MEDIUM: stream_interface: Only use SI_ST_RDY when the mux is ready. * MINOR: mux: Add a new method to get informations about a mux. * BUG/MINOR: spoe: fix off-by-one length in UUID format string * BUG/MAJOR: stream-int: Don't receive data from mux until SI_ST_EST is reached * BUG/MINOR: mux-h2: Don't pretend mux buffers aren't full anymore if nothing sent * BUG/MINOR: cli: don't call the kw->io_release if kw->parse failed * MINOR: tcp: avoid confusion in time parsing init * BUG/MINOR: mux-h2: do not emit logs on backend connections * MINOR: config: warn on presence of "\n" in header values/replacements- Update to version 2.0.8+git0.60e6020c: * [RELEASE] Released version 2.0.8 * BUG/MEDIUM: pattern: make the pattern LRU cache thread-local and lockless * BUG/MINOR: stick-table: fix an incorrect 32 to 64 bit key conversion * BUG/MINOR: ssl: fix memcpy overlap without consequences. * BUG/MEDIUM: http: unbreak redirects in legacy mode * BUG/MINOR: mux-h2: also make sure blocked legacy connections may expire * BUG/MINOR: sample: Make the `field` converter compatible with `-m found` * BUG/MINOR: cache: alloc shctx after check config * BUG/MINOR: stick-table: Never exceed (MAX_SESS_STKCTR-1) when fetching a stkctr * BUG/MINOR: ssl: Fix fd leak on error path when a TLS ticket keys file is parsed * BUG/MINOR: mworker/cli: reload fail with inherited FD * BUG/MEDIUM: ssl: 'tune.ssl.default-dh-param' value ignored with openssl > 1.1.1 * CLEANUP: bind: handle warning label on bind keywords parsing. * CLEANUP: ssl: make ssl_sock_load_dh_params handle errcode/warn * CLEANUP: ssl: make ssl_sock_put_ckch_into_ctx handle errcode/warn * CLEANUP: ssl: make ssl_sock_load_cert*() return real error codes * REGTEST: mcli/mcli_show_info: launch a 'show info' on the master CLI * BUG/MEDIUM: mux_pt: Only call the wake emthod if nobody subscribed to receive. * BUG/MEDIUM: mux_pt: Don't destroy the connection if we have a stream attached. * Revert e8826ded5fea3593d89da2be5c2d81c522070995. * BUG/MAJOR: idle conns: schedule the cleanup task on the correct threads * BUG/MEDIUM: mux_pt: Make sure we don't have a conn_stream before freeing. * BUG/MINOR: tcp: Don't alter counters returned by tcp info fetchers * BUG/MINOR: mworker/ssl: close openssl FDs unconditionally * BUG/MINOR: http-htx: Properly set htx flags on error files to support keep-alive * MINOR: version: make the version strings variables, not constants * BUG/MINOR: WURFL: fix send_log() function arguments * BUG/MINOR: mux-h1: Capture ignored parsing errors * BUG/MINOR: mux-h1: Mark the output buffer as full when the xfer is interrupted * BUG/MINOR: chunk: Fix tests on the chunk size in functions copying data * BUG/MEDIUM: htx: Catch chunk_memcat() failures when HTX data are formatted to h1 * BUILD: ssl: wrong #ifdef for SSL engines code * BUG/MINOR: ssl: abort on sni_keytypes allocation failure * BUG/MINOR: ssl: free the sni_keytype nodes * BUG/MINOR: ssl: abort on sni allocation failure * BUG/MEDIUM: applet: always check a fast running applet's activity before killing * MINOR: stats: mention in the help message support for "json" and "typed" * DOC: fix typo in Prometheus exporter doc * DOC: clarify some points around http-send-name-header's behavior * BUG/MEDIUM: cache: make sure not to cache requests with absolute-uri * BUG/MINOR: peers: crash on reload without local peer. * BUG/MEDIUM: mux-h2: do not enforce timeout on long connections * BUILD: ebtree: make eb_is_empty() and eb_is_dup() take a const * MINOR: mux-h2: add a per-connection list of blocked streams * BUG/MINOR: action: do-resolve does not yield on requests with body * BUG/MEDIUM: lua: Store stick tables into the sample's `t` field * BUG/MINOR: lua: Properly initialize the buffer's fields for string samples in hlua_lua2(smp|arg) * BUG/MINOR: stats: Add a missing break in a switch statement- Update to version 2.0.7+git0.1909aa1e: * [RELEASE] Released version 2.0.7 * BUG/MEDIUM: namespace: fix fd leak in master-worker mode * DOC: Fix documentation about the cli command to get resolver stats * BUG/MINOR: contrib/prometheus-exporter: Return the time averages in seconds * MINOR: stats: Add the support of float fields in stats * MINOR: spoe: Support the async mode with several threads * MINOR: spoe: Improve generation of the engine-id * BUG/MEDIUM: spoe: Use a different engine-id per process * BUG/MINOR: mux-h1: Do h2 upgrade only on the first request * BUG/MAJOR: mux_h2: Don't consume more payload than received for skipped frames * BUG/MINOR: mux-h2: Use the dummy error when decoding headers for a closed stream * BUG/MEDIUM: mux-h2: don't reject valid frames on closed streams * BUG/MEDIUM: namespace: close open namespaces during soft shutdown * BUG/MINOR: mux-h2: do not wake up blocked streams before the mux is ready * BUG/MEDIUM: checks: make sure the connection is ready before trying to recv * BUG/MEDIUM: stream-int: Process connection/CS errors during synchronous sends * BUG/MINOR: stream-int: Process connection/CS errors first in si_cs_send() * BUG/MEDIUM: check/threads: make external checks run exclusively on thread 1 * BUG/MAJOR: mux-h2: Handle HEADERS frames received after a RST_STREAM frame * BUG/MINOR: mux-h2: Be sure to have a connection to unsubcribe * BUG/MEDIUM: stick-table: Properly handle "show table" with a data type argument- Update to version 2.0.6+git0.58706ab4: * [RELEASE] Released version 2.0.6 * MINOR: sample: Add UUID-fetch * BUG/MINOR: Missing stat_field_names (since f21d17bb) * BUG/MINOR: backend: Fix a possible null pointer dereference * BUG/MINOR: acl: Fix memory leaks when an ACL expression is parsed * BUG/MINOR: filters: Properly set the HTTP status code on analysis error * BUG/MEDIUM: http: also reject messages where "chunked" is missing from transfer-enoding * BUG/MINOR: ssl: always check for ssl connection before getting its XPRT context * BUG/MINOR: listener: Fix a possible null pointer dereference * MINOR: stats: report the number of idle connections for each server * BUG/MEDIUM: connection: don't keep more idle connections than ever needed * BUG/MAJOR: ssl: ssl_sock was not fully initialized. * BUG/MINOR: lb/leastconn: ignore the server weights for empty servers * MINOR: contrib/prometheus-exporter: Report DRAIN/MAINT/NOLB status for servers * BUG/MINOR: checks: do not uselessly poll for reads before the connection is up * BUG/MINOR: checks: make __event_chk_srv_r() report success before closing * BUG/MINOR: checks: start sending the request right after connect() * BUG/MINOR: checks: stop polling for write when we have nothing left to send * BUG/MEDIUM: cache: Don't cache objects if the size of headers is too big * BUG/MEDIUM: cache: Properly copy headers splitted on several shctx blocks * BUG/MINOR: mux-h1: Be sure to update the count before adding EOM after trailers * BUG/MINOR: mux-h1: Don't stop anymore input processing when the max is reached * BUG/MINOR: mux-h1: Fix size evaluation of HTX messages after headers parsing * BUG/MINOR: h1: Properly reset h1m when parsing is restarted * BUG/MINOR: http-ana: Reset response flags when 1xx messages are handled * BUG/MEDIUM: peers: local peer socket not bound. * BUG/MEDIUM: proto-http: Always start the parsing if there is no outgoing data * BUG/MEDIUM: url32 does not take the path part into account in the returned hash. * BUG/MEDIUM: listener/threads: fix an AB/BA locking issue in delete_listener() * BUG/MINOR: mworker: disable SIGPROF on re-exec * DOC: fixed typo in management.txt * BUG/MEDIUM: mux-h1: do not report errors on transfers ending on buffer full * BUG/MEDIUM: mux-h1: do not truncate trailing 0CRLF on buffer boundary * MEDIUM: debug: make the thread dump code show Lua backtraces * MINOR: lua: export applet and task handlers * MINOR: tools: add append_prefixed_str() * MINOR: debug: indicate the applet name when the task is task_run_applet()- Use %license instead of %doc [bsc#1082318] - Recommend apparmor, it's not required to work (make haproxy useable in a container)- enable prometheus exporter- enable verbose make output- Update to version 2.0.5+git0.d905f49a: * [RELEASE] Released version 2.0.5 * BUG/MEDIUM: mux_pt: Don't call unsubscribe if we did not subscribe. * MINOR: fd: make sure to mark the thread as not stuck in fd_update_events() * BUG/MINOR: stats: Wait the body before processing POST requests * BUG/MEDIUM: lua: Fix test on the direction to set the channel exp timeout * BUG/MEDIUM: mux_h1: Don't bother subscribing in recv if we're not connected. * BUG/MINOR: Fix prometheus '# TYPE' and '# HELP' headers * BUG/MINOR: lua: fix setting netfilter mark * BUG/MEDIUM: proxy: Don't use cs_destroy() when freeing the conn_stream. * BUG/MEDIUM: proxy: Don't forget the SF_HTX flag when upgrading TCP=>H1+HTX. * BUG/MINOR: buffers/threads: always clear a buffer's head before releasing it * MINOR: ssl: ssl_fc_has_early should work for BoringSSL * BUG/MINOR: ssl: fix 0-RTT for BoringSSL * BUG/MEDIUM: stick-table: Wrong stick-table backends parsing. * [RELEASE] Released version 2.0.4 * BUG/MEDIUM: checks: make sure to close nicely when we're the last to speak * BUG/MINOR: mux-h2: always reset rcvd_s when switching to a new frame * BUG/MINOR: mux-h2: always send stream window update before connection's * BUG/MEDIUM: mux-h2: do not recheck a frame type after a state transition * BUG/MINOR: mux-h2: do not send REFUSED_STREAM on aborted uploads * BUG/MINOR: mux-h2: use CANCEL, not STREAM_CLOSED in h2c_frt_handle_data() * BUG/MINOR: mux-h2: don't refrain from sending an RST_STREAM after another one * BUG/MEDIUM: fd: Always reset the polled_mask bits in fd_dodelete(). * BUG/MEDIUM: proxy: Make sure to destroy the stream on upgrade from TCP to H2 * BUG/MEDIUM: mux-h2: split the stream's and connection's window sizes * BUG/MEDIUM: mux-h2: unbreak receipt of large DATA frames * BUG/MINOR: stream-int: also update analysers timeouts on activity * BUG/MAJOR: http/sample: use a static buffer for raw -> htx conversion * BUG/MEDIUM: lb-chash: Ensure the tree integrity when server weight is increased * MINOR: wdt: also consider that waiting in the thread dumper is normal * BUG/MINOR: debug: fix a small race in the thread dumping code- Update to version 2.0.3+git14.0ff395c1 (bsc#1142529) (CVE-2019-14241): * BUG/MAJOR: queue/threads: avoid an AB/BA locking issue in process_srv_queue() * BUG/MINOR: htx: Fix free space addresses calculation during a block expansion * BUG/MINOR: hlua: Only execute functions of HTTP class if the txn is HTTP ready * MINOR: hlua: Add a flag on the lua txn to know in which context it can be used * MINOR: hlua: Don't set request analyzers on response channel for lua actions * BUG/MEDIUM: hlua: Check the calling direction in lua functions of the HTTP class * BUG/MINOR: hlua/htx: Reset channels analyzers when txn:done() is called * DOC: improve the wording in CONTRIBUTING about how to document a bug fix * BUG/MINOR: log: make sure writev() is not interrupted on a file output * BUG/MEDIUM: streams: Don't switch the SI to SI_ST_DIS if we have data to send. * BUG/MEDIUM: lb-chash: Fix the realloc() when the number of nodes is increased * BUILD: threads: add the definition of PROTO_LOCK * BUG/MINOR: proxy: always lock stop_proxy() * BUG/MEDIUM: protocols: add a global lock for the init/deinit stuff * [RELEASE] Released version 2.0.3 * BUG/CRITICAL: http_ana: Fix parsing of malformed cookies which start by a delimiter * BUG/MINOR: http_htx: Support empty errorfiles * BUG/MINOR: http_ana: Be sure to have an allocated buffer to generate an error * BUG/MEDIUM: tcp-checks: do not dereference inexisting conn_stream * BUG/MINOR: mux-h1: Close server connection if input data remains in h1_detach() * BUG/MEDIUM: mux-h1: Trim excess server data at the end of a transaction * BUG/MINOR: checks: do not exit tcp-checks from the middle of the loop * BUG/MINOR: session: Send a default HTTP error if accept fails for a H1 socket * BUG/MINOR: session: Emit an HTTP error if accept fails only for H1 connection * BUG/MINOR: debug: Remove flags CO_FL_SOCK_WR_ENA/CO_FL_SOCK_RD_ENA * DOC: htx: Update comments in HTX files * BUG/MINOR: hlua: Make the function txn:done() HTX aware * BUG/MINOR: cache/htx: Make maxage calculation HTX aware * BUG/MINOR: http_htx: Initialize HTX error messages for TCP proxies * BUG/MINOR: http_fetch: Fix http_auth/http_auth_group when called from TCP rules * BUG/MINOR: backend: do not try to install a mux when the connection failed * BUG/MEDIUM: http/htx: unbreak option http_proxy * BUG/MEDIUM: checks: Don't attempt to receive data if we already subscribed. * BUG/MINOR: dns: remove irrelevant dependency on a client connection * [RELEASE] Released version 2.0.2 * BUG/MEDIUM: threads: cpu-map designating a single thread/process are ignored * BUG/MEDIUM: tcp-check: unbreak multiple connect rules again * BUG/MINOR: mux-pt: do not pretend there's more data after a read0 * BUG/MEDIUM: streams: Don't redispatch with L7 retries if redispatch isn't set. * BUG/MEDIUM: streams: Don't give up if we couldn't send the request. * BUG/MINOR: mux-h1: Correctly report Ti timer when HTX and keepalives are used * BUG/MEDIUM: mux-h1: Don't release h1 connection if there is still data to send * BUG/MAJOR: listener: fix thread safety in resume_listener() * MINOR: task: introduce work lists * BUG/MEDIUM: servers: Fix a race condition with idle connections. * DOC: Fix typos and grammer in configuration.txt * BUG/MEDIUM: da: cast the chunk to string. * BUG/MEDIUM: checks: Don't attempt to read if we destroyed the connection. * BUG/MINOR: server: Be really able to keep "pool-max-conn" idle connections * BUG/MEDIUM: fd/threads: fix excessive CPU usage on multi-thread accept- Update to version 2.0.1+git27.5db881ff: * BUG/MINOR: ssl: revert empty handshake detection in OpenSSL <= 1.0.2 * BUG/MEDIUM: servers: Don't forget to set srv_cs to NULL if we can't reuse it. * BUG/MEDIUM: stream-int: Don't rely on CF_WRITE_PARTIAL to unblock opposite si * MINOR: stream-int: Factorize processing done after sending data in si_cs_send() * BUG/MINOR: mux-h1: Don't process input or ouput if an error occurred * BUG/MEDIUM: mux-h1: Handle TUNNEL state when outgoing messages are formatted * BUG/MEDIUM: lb_fas: Don't test the server's lb_tree from outside the lock * BUG/MEDIUM: http/applet: Finish request processing when a service is registered * MINOR: action: Add the return code ACT_RET_DONE for actions * BUG/MINOR: contrib/prometheus-exporter: Don't try to add empty data blocks * MINOR: server: Add "no-tfo" option. * BUG/MEDIUM: sessions: Don't keep an extra idle connection in sessions. * BUG/MEDIUM: servers: Authorize tfo in default-server. * BUG/MEDIUM: connections: Make sure we're unsubscribe before upgrading the mux. * BUG/MINOR: contrib/prometheus-exporter: Respect the reserve when data are sent * BUG/MINOR: hlua/htx: Respect the reserve when HTX data are sent * BUG/MEDIUM: channel/htx: Use the total HTX size in channel_htx_recv_limit() * BUG/MINOR: hlua: Don't use channel_htx_recv_max() * BUG/MINOR: contrib/prometheus-exporter: Don't use channel_htx_recv_max() * BUG/MEDIUM: checks: Make sure the tasklet won't run if the connection is closed. * BUG/MEDIUM: connections: Always call shutdown, with no linger. * BUG/MINOR: mux-h1: Don't return the empty chunk on HEAD responses * BUG/MINOR: mux-h1: Skip trailers for non-chunked outgoing messages * BUG/MEDIUM: checks: unblock signals in external checks * BUG/MEDIUM: mux-h1: Always release H1C if a shutdown for writes was reported * BUG/MEDIUM: ssl: Don't attempt to set alpn if we're not using SSL. * BUG/MINOR: mworker/cli: don't output a \n before the response * BUG/MINOR: mux-h1: Make format errors during output formatting fatal * BUG/MEDIUM: mux-h1: Use buf_room_for_htx_data() to detect too large messages * BUG/MEDIUM: proto_htx: Don't add EOM on 1xx informational messages * BUG/MINOR: log: Detect missing sampling ranges in config * BUG/MINOR: memory: Set objects size for pools in the per-thread cache * BUG/MAJOR: mux-h1: Don't crush trash chunk area when outgoing message is formatted * BUG/MINOR: htx: Save hdrs_bytes when the HTX start-line is replaced * BUG/MEDIUM: ssl: Don't do anything in ssl_subscribe if we have no ctx. * BUG/MEDIUM: connections: Always add the xprt handshake if needed. * BUG/MEDIUM: stream_interface: Don't add SI_FL_ERR the state is < SI_ST_CON. * BUG/MINOR: spoe: Fix memory leak if failing to allocate memory * BUG/MEDIUM: mworker/cli: command pipelining doesn't work anymore * BUG/MEDIUM: mworker: don't call the thread and fdtab deinit * BUG/MINOR: mworker-prog: Fix segmentation fault during cfgparse * BUG/MAJOR: sample: Wrong stick-table name parsing in "if/unless" ACL condition. * BUG/MEDIUM: lb_fwlc: Don't test the server's lb_tree from outside the lock * BUG/MEDIUM: mux-h2: Remove the padding length when a DATA frame size is checked * BUG/MEDIUM: mux-h2: Reset padlen when several frames are demux- Correct version line, which should be 2.0.0+git6.- allow the new master socket path in the apparmor profile- Update to version 2.0.0~git6.41dc8432: * BUG/MEDIUM: htx: Fully update HTX message when the block value is changed * MINOR: htx: Add the function htx_change_blk_value_len() * BUG/MEDIUM: compression: Set Vary: Accept-Encoding for compressed responses * BUG/MINOR: mux-h1: Add the header connection in lower case in outgoing messages * BUG/MINOR: lua/htx: Make txn.req_req_* and txn.res_rep_* HTX aware * BUG/MEDIUM: h2/htx: Update data length of the HTX when the cookie list is built- Update to version 2.0.0~git0.ba23630a: - new internal native HTTP representation called HTX, was already in 1.9 and is now enabled by default in 2.0 ; - end-to-end HTTP/2 support including trailers and continuation frames, as needed for gRPC ; HTTP/2 may also be upgraded from HTTP/1.1 using the H2 preface; - server connection pooling and more advanced reuse, with ALPN protocol negotiation (already in 1.9) ; - layer 7 retries, allowing to use 0-RTT and TCP Fast Open to the servers as well as on the frontend ; - much more scalable multi-threading, which is even enabled by default on platforms where it was successfully tested ; by default, as many threads are started as the number of CPUs haproxy is allowed to run on. This removes a lot of configuration burden in VMs and containers ; - automatic maxconn setting for the process and the frontends, directly based on the number of available FDs (easier configuration in containers and with systemd) ; - logging to stdout for use in containers and systemd (already in 1.9). Logs can now provide micro-second resolution for some events ; - peers now support SSL, declaration of multiple stick-tables directly in the peers section, and synchronization of server names, not just IDs ; - In master-worker mode, the master process now exposes its own CLI and can communicate with all other processes (including the stopping ones), even allowing to connect to their CLI and check their state. It is also possible to start some sidecar programs and monitor them from the master, and the master can automatically kill old processes that survived too many reloads ; - the incoming connections are load-balanced between all threads depending on their load to minimize the processing time and maximize the capacity (already in 1.9) ; - the SPOE connection load-balancing was significantly improved in order to reduce high percentiles of SPOA response time (already in 1.9) ; - the "random" load balancing algorithm and a power-of-two-choices variant were introduced ; - statistics improvements with per-thread counters for certain things, and a prometheus exporter for all our statistics; - lots of debugging help, it's easier to produce a core dump, there are new commands on the CLI to control various things, there is a watchdog to fail cleanly when a thread deadlock or a spinning task are detected, so overall it should provide a better experience in field and less round trips between users and developers (hence less stress during an incident). - all 3 device detection engines are now compatible with multi-threading and can be build-tested without any external dependencies ; - "do-resolve" http-request action to perform a DNS resolution on any, sample, and resolvers now support relying on /etc/resolv.conf to match the local resolver ; - log sampling and balancing : it's now possible to send 1 log every 10 to a server, or to spread the logging load over multiple log servers; - a new SPOA agent (spoa_server) allows to interface haproxy with Python and Lua programs ; - support for Solaris' event ports (equivalent of kqueue or epoll) which will significantly improve the performance there when dealing with numerous connections ; - some warnings are now reported for some deprecated options that will be removed in 2.1. Since 2.0 is long term supported, there's no emergency to convert them, however if you see these warnings, you need to understand that you're among their extremely rare users and just because of this you may be taking risks by keeping them ; - A new SOCKS4 server-side layer was provided ; it allows outgoing connections to be forwarded through a SOCKS4 proxy (such as ssh -D). - priority- and latency- aware server queues : it is possible now to assign priorities to certain requests and/or to give them a time bonus or penalty to refine control of the traffic and be able to engage on SLAs. - internally the architecture was significantly redesigned to allow to further improve performance and make it easier to implement protocols that span over multiple layers (such as QUIC). This work started in 1.9 and will continue with 2.1. - the I/O, applets and tasks now share the same multi-threaded scheduler, giving a much better responsiveness and fairness between all tasks as is visible with the CLI which always responds instantly even under extreme loads (started in 1.9) ; - the internal buffers were redesigned to ease zero-copy operations, so that it is possible to sustain a high bandwidth even when forwarding HTTP/1 to/from HTTP/2 (already in 1.9) ;- Update to version 1.8.20~git0.6fb9fadc: * [RELEASE] Released version 1.8.20 * BUG/MINOR: spoe: Don't systematically wakeup SPOE stream in the applet handler * BUG/MINOR: da: Get the request channel to call CHECK_HTTP_MESSAGE_FIRST() * BUG/MINOR: 51d: Get the request channel to call CHECK_HTTP_MESSAGE_FIRST() * BUG/MEDIUM: thread/http: Add missing locks in set-map and add-acl HTTP rules * BUG/MINOR: acl: properly detect pattern type SMP_T_ADDR * BUG/MEDIUM: maps: only try to parse the default value when it's present * BUG/MAJOR: http_fetch: Get the channel depending on the keyword used * MINOR: skip get_gmtime where tm is unused * BUILD/MINOR: listener: Silent a few signedness warnings. * BUG/MEDIUM: listener: make sure the listener never accepts too many conns * BUG/MEDIUM: listener: use a self-locked list for the dequeue lists * MAJOR: listener: do not hold the listener lock in listener_accept() * BUG/MEDIUM: list: fix incorrect pointer unlocking in LIST_DEL_LOCKED() * BUG/MEDIUM: list: fix again LIST_ADDQ_LOCKED * BUG/MEDIUM: list: correct fix for LIST_POP_LOCKED's removal of last element * MINOR: list: make the delete and pop operations idempotent * BUG/MEDIUM: list: add missing store barriers when updating elements and head * BUG/MEDIUM: list: fix LIST_POP_LOCKED's removal of the last pointer * BUG/MEDIUM: list: fix the rollback on addq in the locked liss * BUG/MEDIUM: lists: Properly handle the case we're removing the first elt. * MINOR: lists: Implement locked variations. * BUG/MINOR: threads: fix the process range of thread masks * BUG/MEDIUM: spoe: Return an error if nothing is encoded for fragmented messages * BUG/MEDIUM: spoe: Queue message only if no SPOE applet is attached to the stream * BUG/MEDIUM: pattern: assign pattern IDs after checking the config validity * BUILD: connection: fix naming of ip_v field * BUILD: use inttypes.h instead of stdint.h * BUG/MEDIUM: peers: fix a case where peer session is not cleanly reset on release. * MINOR: cli: start addresses by a prefix in 'show cli sockets' * BUG/MINOR: cli: correctly handle abns in 'show cli sockets' * BUILD: Makefile: disable shared cache on AIX 5.1 * BUILD: makefile: add _LINUX_SOURCE_COMPAT to build on AIX-51 * BUILD: makefile: fix build of IPv6 header on aix51 * MINOR: tools: make memvprintf() never pass a NULL target to vsnprintf() * BUILD: makefile: work around an old bug in GNU make-3.80 * BUG/MAJOR: checks: segfault during tcpcheck_main * DOC: The option httplog is no longer valid in a backend. * BUG/MEDIUM: ssl: ability to set TLS 1.3 ciphers using ssl-default-server-ciphersuites * BUG/MINOR: http/counters: fix missing increment of fe->srv_aborts * BUG/MAJOR: stats: Fix how huge POST data are read from the channel * BUG/MAJOR: spoe: Fix initialization of thread-dependent fields * BUG/MEDIUM: threads/fd: do not forget to take into account epoll_fd/pipes * MEDIUM: threads: Use __ATOMIC_SEQ_CST when using the newer atomic API. * BUG/MINOR: ssl: fix warning about ssl-min/max-ver support * BUG/MEDIUM: 51d: fix possible segfault on deinit_51degrees() * BUG/MEDIUM: logs: Only attempt to free startup_logs once. * BUG/MINOR: listener: keep accept rate counters accurate under saturation * BUG/MAJOR: listener: Make sure the listener exist before using it.- Update to version 1.8.19~git0.ebf033b4: * [RELEASE] Released version 1.8.19 * BUG/MINOR: config: Reinforce validity check when a process number is parsed * BUG/MAJOR: stream: avoid double free on unique_id * BUG/MAJOR: spoe: Don't try to get agent config during SPOP healthcheck * BUG/MEDIUM: server: initialize the idle conns list after parsing the config * BUG/MEDIUM: spoe: initialization depending on nbthread must be done last * BUG/MINOR: lua: initialize the correct idle conn lists for the SSL sockets * BUG/MINOR: spoe: do not assume agent->rt is valid on exit * DOC: ssl: Stop documenting ciphers example to use * DOC: ssl: Clarify when pre TLSv1.3 cipher can be used * [RELEASE] Released version 1.8.18 * BUG/MINOR: config: make sure to count the error on incorrect track-sc/stick rules * BUG/MAJOR: spoe: verify that backends used by SPOE cover all their callers' processes * BUG/MAJOR: config: verify that targets of track-sc and stick rules are present * BUG/MINOR: config: fix bind line thread mask validation * BUG/MEDIUM: stream: Don't forget to free s->unique_id in stream_free(). * BUG/MEDIUM: mux-h2: do not close the connection on aborted streams * MINOR: connstream: have a new flag CS_FL_KILL_CONN to kill a connection * MINOR: stream-int: add a new flag to mention that we want the connection to be killed * MINOR: stream-int: expand the flags to 32-bit * BUG/MEDIUM: mux-h2: wait for the mux buffer to be empty before closing the connection * BUG/MEDIUM: mux-h2: make sure never to send GOAWAY on too old streams * BUG/MEDIUM: mux-h2: fix two half-closed to closed transitions * BUG/MEDIUM: mux-h2: wake up flow-controlled streams on initial window update * MINOR: xref: Add missing barriers. * BUG/MINOR: stream: don't close the front connection when facing a backend error * SCRIPTS: add the issue tracker URL to the announce script * SCRIPTS: add the slack channel URL to the announce script * BUG/MINOR: deinit: tcp_rep.inspect_rules not deinit, add to deinit * BUG/MINOR: spoe: corrected fragmentation string size * DOC: nbthread is no longer experimental. * BUG/MINOR: hpack: return a compression error on invalid table size updates * BUG/MINOR: mux-h2: make it possible to set the error code on an already closed stream * BUG/MINOR: mux-h2: headers-type frames in HREM are always a connection error * BUG/MINOR: mux-h2: CONTINUATION in closed state must always return GOAWAY * MINOR: h2: declare new sets of frame types * MINOR: h2: add a bit-based frame type representation * DOC: mention the effect of nf_conntrack_tcp_loose on src/dst * BUG/MEDIUM: ssl: Fix handling of TLS 1.3 KeyUpdate messages * BUG/MINOR: check: Wake the check task if the check is finished in wake_srv_chk() * BUG/MINOR: server: don't always trust srv_check_health when loading a server state * BUG/MINOR: stick_table: Prevent conn_cur from underflowing * BUG/MINOR: backend: BE_LB_LKUP_CHTREE is a value, not a bit * BUG/MINOR: backend: balance uri specific options were lost across defaults * BUG/MINOR: backend: don't use url_param_name as a hint for BE_LB_ALGO_PH * BUG/MEDIUM: ssl: missing allocation failure checks loading tls key file * DOC: Be a bit more explicit about allow-0rtt security implications. * BUG/MEDIUM: ssl: Disable anti-replay protection and set max data with 0RTT. * BUG/MAJOR: cache: fix confusion between zero and uninitialized cache key * DOC: http-request cache-use / http-response cache-store expects cache name- Update to version 1.8.17~git0.e89d25b2 (bsc#1121283) (CVE-2018-20615): * BUG/CRITICAL: mux-h2: re-check the frame length when PRIORITY is used * BUG/MEDIUM: lua: dead lock when Lua tasks are trigerred * BUG/MINOR: lua: bad args are returned for Lua actions * BUG/MINOR: lua: Return an error if a legacy HTTP applet doesn't send anything * BUG/MEDIUM: cli: make "show sess" really thread-safe * MINOR: stream/cli: report more info about the HTTP messages on "show sess all" * MINOR: stream/cli: fix the location of the waiting flag in "show sess all" * MINOR: lb: allow redispatch when using consistent hash * BUG/MEDIUM: server: Also copy "check-sni" for server templates. * BUG/MEDIUM: mux-h2: mark that we have too many CS once we have more than the max * MINOR: mux-h2: only increase the connection window with the first update * BUG/MAJOR: stream-int: Update the stream expiration date in stream_int_notify() * BUG/MEDIUM: dns: overflowed dns name start position causing invalid dns error * BUG/MEDIUM: dns: Don't prevent reading the last byte of the payload in dns_validate_response() * BUG/MINOR: logs: leave startup-logs global and not per-thread- Update to version 1.8.15~git0.6b6a350a: (bsc#1119419) (CVE-2018-20103) (VUL-0) (bsc#1119368) (CVE-2018-20102) * DOC: Update configuration doc about the maximum number of stick counters. * BUG: dns: Fix off-by-one write in dns_validate_dns_response() * BUG: dns: Fix out-of-bounds read via signedness error in dns_validate_dns_response() * BUG: dns: Prevent out-of-bounds read in dns_validate_dns_response() * BUG: dns: Prevent out-of-bounds read in dns_read_name() * BUG: dns: Prevent stack-exhaustion via recursion loop in dns_read_name * DOC: refer to check-sni in the documentation of sni * DOC: clarify that check-sni needs an argument. * MINOR: servers: Free [idle|safe|priv]_conns on exit. * MINOR: stats: report the number of active jobs and listeners in "show info" * BUG/MINOR: mux-h2: advertise a larger connection window size * BUG/MINOR: mux-h2: refrain from muxing during the preface * BUG/MINOR: hpack: fix off-by-one in header name encoding length calculation * BUG/MEDIUM: sample: Don't treat SMP_T_METH as SMP_T_STR. * BUG/MINOR: lb-map: fix unprotected update to server's score * BUG/MINOR: cfgparse: Fix the call to post parser of the last sections parsed * BUG/MINOR: cfgparse: Fix transition between 2 sections with the same name * BUG/MINOR: ssl: ssl_sock_parse_clienthello ignores session id * BUG/MEDIUM: hpack: fix encoding of "accept-ranges" field * BUG/MINOR: config: Copy default error messages when parsing of a backend starts * BUG/MEDIUM: Make sure stksess is properly aligned. * BUG/MINOR: config: better detect the presence of the h2 pattern in npn/alpn * BUG/MEDIUM: auth/threads: use of crypt() is not thread-safe * BUG/MAJOR: http: http_txn_get_path() may deference an inexisting buffer * BUG/MINOR: only auto-prefer last server if lb-alg is non-deterministic * BUG/MINOR: only mark connections private if NTLM is detected * DOC: cache: Missing information about "total-max-size" * BUG/MINOR: ssl: Wrong usage of shctx_init(). * BUG/MINOR: cache: Wrong usage of shctx_init(). * BUG/MINOR: cache: Crashes with "total-max-size" > 2047(MB). * BUG/MEDIUM: h2: Close connection if no stream is left an GOAWAY was sent. * BUG/MEDIUM: pools: Fix the usage of mmap()) with DEBUG_UAF. * DOC: fix reference to map files in MAINTAINERS * MINOR: peers: use defines instead of enums to appease clang. * MINOR: cfgparse: Write 130 as 128 as 0x82 and 0x80. * MINOR: server: Use memcpy() instead of strncpy(). * CLEANUP: stick-tables: Remove unneeded double (()) around conditional clause * MINOR: lua: all functions calling lua_yieldk() may return * BUG/MEDIUM: threads: make sure threads_want_sync is marked volatile * BUG/MEDIUM: threads: fix thread_release() at the end of the rendez-vous point * BUG/MEDIUM: stream: don't crash on out-of-memory * BUG/MEDIUM: mworker: segfault receiving SIGUSR1 followed by SIGTERM. * BUG/MINOR: checks: queues null-deref * BUG/MEDIUM: Cur/CumSslConns counters not threadsafe. * MEDIUM: ssl: add support for ciphersuites option for TLSv1.3 * BUG/MEDIUM: buffers: Make sure we don't wrap in buffer_insert_line2/replace2. * BUG/MINOR: backend: check that the mux installed properly * BUG/MINOR: connection: avoid null pointer dereference in send-proxy-v2 * DOC: clarify force-private-cache is an option * MINOR: threads: Make sure threads_sync_pipe is initialized before using it.- also fix the systemd case for the apparmor_reload change- only reload the apparmor profile on newer distros, seems older distros do not have apparmor-rpm-macros yet- only use network namespaces on 12.x and newer, failed to build on sle11- guard all parts referring to systemd to fix build on sle 11- Update to version 1.8.14~git0.52e4d43b: (bsc#1108683) (CVE-2018-14645) * [RELEASE] Released version 1.8.14 * BUG/CRITICAL: hpack: fix improper sign check on the header index value * BUG/MINOR: cli: make sure the "getsock" command is only called on connections * BUG/MINOR: tools: fix set_net_port() / set_host_port() on IPv4 * BUG/MEDIUM: patterns: fix possible double free when reloading a pattern list * DOC: Fix typos in lua documentation * BUG/MINOR: server: Crash when setting FQDN via CLI. * BUG/MAJOR: kqueue: Don't reset the changes number by accident. * BUG/MEDIUM: snapshot: take the proxy's lock while dumping errors * BUG/MINOR: http/threads: atomically increment the error snapshot ID * BUG/MINOR: dns: check and link servers' resolvers right after config parsing * BUG/MEDIUM: h2: fix risk of memory leak on malformated wrapped frames * BUG/MEDIUM: session: fix reporting of handshake processing time in the logs * BUG/MINOR: stream: use atomic increments for the request counter * MINOR: thread: implement HA_ATOMIC_XADD() * BUG/MEDIUM: ECC cert should work with TLS < v1.2 and openssl >= 1.1.1 * BUG/MEDIUM: dns/server: fix incomatibility between SRV resolution and server state file * BUG/MEDIUM: hlua: Don't call RESET_SAFE_LJMP if SET_SAFE_LJMP returns 0. * BUG/MAJOR: thread: lua: Wrong SSL context initialization. * BUG/MEDIUM: hlua: Make sure we drain the output buffer when done. * BUG/MEDIUM: lua: reset lua transaction between http requests * BUG/MEDIUM: mux_pt: dereference the connection with care in mux_pt_wake() * BUG/MINOR: lua: Bad HTTP client request duration. * BUG/MEDIUM: unix: provide a ->drain() function * DOC: Fix spelling error in configuration doc * BUG/MEDIUM: cli/threads: protect some server commands against concurrent operations * BUG/MEDIUM: cli/threads: protect all "proxy" commands against concurrent updates * BUG/MEDIUM: lua: socket timeouts are not applied * DOC: ssl: Use consistent naming for TLS protocols * DOC: dns: explain set server ... fqdn requires resolver * BUG/MINOR: map: fix map_regm with backref * BUG/MEDIUM: ssl: loading dh param from certifile causes unpredictable error. * BUG/MEDIUM: ssl: fix missing error loading a keytype cert from a bundle. * BUG/MINOR: ssl: empty connections reported as errors. * BUG/MEDIUM: cli: make "show fd" thread-safe * MEDIUM: hathreads: implement a more flexible rendez-vous point * BUG/MEDIUM: threads: fix the no-thread case after the change to the sync point * MINOR: threads: add more consistency between certain variables in no-thread case * BUG/MEDIUM: threads: fix the double CAS implementation for ARMv7 * MINOR: threads: Introduce double-width CAS on x86_64 and arm. * BUG/MEDIUM: lua: possible CLOSE-WAIT state with '\n' headers- Require apparmor-abstractions to reduce dependencies (bsc#1100787)- Update to version 1.8.13~git4.c1bfcd00: * MINOR: dns: new DNS options to allow/prevent IP address duplication * MINOR: dns: fix wrong score computation in dns_get_ip_from_response * BUG/MEDIUM: queue: prevent a backup server from draining the proxy's connections * BUG/MEDIUM: servers: check the queues once enabling a server * MEDIUM: proxy_protocol: Convert IPs to v6 when protocols are mixed * BUG/MEDIUM: threads: unbreak "bind" referencing an incorrect thread number * MINOR: threads: move "nbthread" parsing to hathreads.c * BUG/MEDIUM: threads: properly fix nbthreads == MAX_THREADS * BUG/MINOR: threads: Handle nbthread == MAX_THREADS. * BUG/MINOR: config: stick-table is not supported in defaults section * BUG/MEDIUM: h2: prevent orphaned streams from blocking a connection forever * BUG/MEDIUM: threads/sync: use sched_yield when available * BUG/MINOR: servers: Don't make "server" in a frontend fatal. * BUG/MEDIUM: stats: don't ask for more data as long as we're responding * BUG/MEDIUM: stream-int: don't immediately enable reading when the buffer was reportedly full * MINOR: h2: add the error code and the max/last stream IDs to "show fd" * BUG/MEDIUM: threads: Fix the exit condition of the thread barrier * MINOR: debug: Add checks for conn_stream flags * MINOR: debug: Add check for CO_FL_WILL_UPDATE * BUG/MINOR: http: Set brackets for the unlikely macro at the right place * BUG/MEDIUM: h2: make sure the last stream closes the connection after a timeout * BUG/MEDIUM: h2: never leave pending data in the output buffer on close * BUG/MEDIUM: h2: don't accept new streams if conn_streams are still in excess * MINOR: h2: add the mux and demux buffer lengths on "show fd" * MINOR: h2: keep a count of the number of conn_streams attached to the mux * BUG/MINOR: h2: remove accidental debug code introduced with show_fd function * MINOR: h2: implement a basic "show_fd" function * MINOR: mux: add a "show_fd" function to dump debugging information for "show fd" * BUG/MINOR: ssl: properly ref-count the tls_keys entries * MINOR: systemd: consider exit status 143 as successful- Update to version 1.8.12~git0.8a200c71: * MINOR: stick-tables: make stktable_release() do nothing on NULL * BUG/MAJOR: stick_table: Complete incomplete SEGV fix- Update to version 1.8.11~git0.1d6ef58d: * BUG/BUILD: threads: unbreak build without threads * BUG/MAJOR: Stick-tables crash with segfault when the key is not in the stick-table- Update to version 1.8.10~git0.ec17d7a9: * MINOR: threads: Be sure to remove threads from all_threads_mask on exit * BUG/MEDIUM: threads: Use the sync point to check active jobs and exit * BUG/MEDIUM: fd: Don't modify the update_mask in fd_dodelete(). * BUG/MAJOR: ssl: OpenSSL context is stored in non-reserved memory slot * BUG/MAJOR: ssl: Random crash with cipherlist capture * BUG/MINOR: lua: Segfaults with wrong usage of types. * BUG/MAJOR: map: fix a segfault when using http-request set-map * MINOR: lua: Increase debug information * BUG/MINOR: signals: ha_sigmask macro for multithreading * BUG/MINOR: don't ignore SIG{BUS,FPE,ILL,SEGV} during signal processing * BUG/MEDIUM: threads: handle signal queue only in thread 0 * BUG/MINOR: unix: Make sure we can transfer abns sockets on seamless reload. * BUG/MINOR: contrib/modsecurity: update pointer on the end of the frame * BUG/MINOR: contrib/mod_defender: update pointer on the end of the frame * BUG/MINOR: contrib/modsecurity: Don't reset the status code during disconnect * BUG/MINOR: contrib/mod_defender: Don't reset the status code during disconnect * BUG/MINOR: contrib/spoa_example: Don't reset the status code during disconnect * MAJOR: spoe: upgrade the SPOP version to 2.0 and remove the support for 1.0 * BUG/MEDIUM: lua/socket: Buffer error, may segfault * BUG/MEDIUM: lua/socket: Sheduling error on write: may dead-lock * BUG/MEDIUM: lua/socket: Notification error * BUG/MAJOR: lua: Dead lock with sockets * BUG/MEDIUM: lua/socket: wrong scheduling for sockets * MINOR: task/notification: Is notifications registered ? * BUG/MEDIUM: spoe: Return an error when the wrong ACK is received in sync mode * BUG/MEDIUM: stick-tables: Decrement ref_cnt in table_* converters * BUG/MEDIUM: lua/socket: Length required read doesn't work * BUG/MEDIUM: servers: Add srv_addr default placeholder to the state file * BUG/MEDIUM: fd: Only check update_mask against all_threads_mask.- Update to version 1.8.9~git9.6d82e611: * BUG/MEDIUM: cache: don't cache when an Authorization header is present (VUL-1) (bsc#1094846) (CVE-2018-11469) * BUG/MEDIUM: dns: Delay the attempt to run a DNS resolution on check failure. * BUG/MINOR: ssl/lua: prevent lua from affecting automatic maxconn computation * BUG/MEDIUM: contrib/modsecurity: Use network order to encode/decode flags * BUG/MEDIUM: contrib/mod_defender: Use network order to encode/decode flags * BUG/MEDIUM: spoe: Flags are not encoded in network order * BUG/MINOR: lua: Socket.send threw runtime error: 'close' needs 1 arguments. * BUG/MINOR: spoe: Mistake in error message about SPOE configuration * BUG/MEDIUM: ssl: properly protect SSL cert generation * BUG/MEDIUM: pollers: Use a global list for fd shared between threads. * BUG/MEDIUM: http: don't always abort transfers on CF_SHUTR * BUG/MINOR: lua: ensure large proxy IDs can be represented * BUG/MINOR: lua: schedule socket task upon lua connect() * BUG/MEDIUM: task: Don't free a task that is about to be run. * BUG/MINOR: map: correctly track reference to the last ref_elt being dumped * DOC/MINOR: clean up LUA documentation re: servers & array/table. * BUG/MINOR: lua: Put tasks to sleep when waiting for data * BUG/MEDIUM: threads: Fix the sync point for more than 32 threads * BUG/MINOR: checks: Fix check->health computation for flapping servers * BUG/MINOR: config: disable http-reuse on TCP proxies * BUG/MINOR: lua/threads: Make lua's tasks sticky to the current thread * BUG/MEDIUM: h2: implement missing support for chunked encoded uploads * MINOR: h2: detect presence of CONNECT and/or content-length * BUG/MEDIUM: lua: Fix segmentation fault if a Lua task exits * BUG/MINOR: log: t_idle (%Ti) is not set for some requests * BUG/MAJOR: channel: Fix crash when trying to read from a closed socket * BUG/MINOR: pattern: Add a missing HA_SPIN_INIT() in pat_ref_newid()- Update to version 1.8.8: * BUG/CRITICAL: h2: fix incorrect frame length check (VUL-0) (bsc#1089837) * MINOR: cli: Ensure the CLI always outputs an error when it should * BUG/MINOR: cli: Guard against NULL messages when using CLI_ST_PRINT_FREE * BUG/MEDIUM: kqueue: When adding new events, provide an output to get errors. * BUG/MINOR: http: Return an error in proxy mode when url2sa fails * BUG/MEDIUM: connection: Make sure we have a mux before calling detach(). * BUG/MEDIUM: threads: Fix the max/min calculation because of name clashes- Update to version 1.8.7: * [RELEASE] Released version 1.8.7 * MINOR: servers: Support alphanumeric characters for the server templates names * BUG/MAJOR: cache: always initialize newly created objects * [RELEASE] Released version 1.8.6 * BUG/MINOR: spoe: Don't release the context buffer in .check_timeouts callbaclk * BUG/MINOR: spoe: Initialize variables used during conf parsing before any check * BUG/MAJOR: cache: fix random crashes caused by incorrect delete() on non-first blocks * BUG/MINOR: fd: Don't clear the update_mask in fd_insert. * BUG/MINOR: cache: fix "show cache" output * BUG/MINOR: email-alert: Set the mailer port during alert initialization * BUG/MINOR: checks: check the conn_stream's readiness and not the connection * BUG/MEDIUM: h2: always add a stream to the send or fctl list when blocked * BUILD/MINOR: threads: always export thread_sync_io_handler() * BUG/MEDIUM: h2: don't consider pending data on detach if connection is in error * BUG/MEDIUM: h2/threads: never release the task outside of the task handler * MINOR: h2: fuse h2s_detach() and h2s_free() into h2s_destroy() * MINOR: h2: always call h2s_detach() in h2_detach() * BUG/MAJOR: h2: remove orphaned streams from the send list before closing * MINOR: h2: provide and use h2s_detach() and h2s_free() * CLEANUP: h2: rename misleading h2c_stream_close() to h2s_close() * BUG/MINOR: hpack: fix harmless use of uninitialized value in hpack_dht_insert * BUILD/MINOR: cli: fix a build warning introduced by last commit * MINOR: cli: make "show fd" report the mux and mux_ctx pointers when available * MINOR: cli/threads: make "show fd" report thread_sync_io_handler instead of "unknown" * BUILD/MINOR: fix build when USE_THREAD is not defined * BUG/MINOR: lua funtion hlua_socket_settimeout don't check negative values * BUG/MINOR: lua: the function returns anything- Update to version 1.8.5: * BUG/MINOR: listener: Don't decrease actconn twice when a new session is rejected * BUG/MINOR: h2: ensure we can never send an RST_STREAM in response to an RST_STREAM * BUG/MEDIUM: h2: properly account for DATA padding in flow control * DOC: don't suggest using http-server-close * DOC: log: more than 2 log servers are allowed * BUILD/BUG: enable -fno-strict-overflow by default * MINOR: log: stop emitting alerts when it's not possible to write on the socket * BUG/MEDIUM: threads/queue: wake up other threads upon dequeue * BUG/MINOR: tcp-check: use the server's service port as a fallback * BUG/MEDIUM: tcp-check: single connect rule can't detect DOWN servers * BUG/MINOR: lua: return bad error messages * BUG/MINOR: spoa-example: unexpected behavior for more than 127 args * BUG/MINOR: cli: Fix a crash when sending a command with too many arguments * BUG/MINOR: seemless reload: Fix crash when an interface is specified. * BUG/MINOR: dns: don't downgrade DNS accepted payload size automatically * BUG/MAJOR: threads/queue: Fix thread-safety issues on the queues management * BUG/MEDIUM: threads/unix: Fix a deadlock when a listener is temporarily disabled * BUG/MEDIUM: spoe: Remove idle applets from idle list when HAProxy is stopping * BUG/MINOR: force-persist and ignore-persist only apply to backends * BUG/MEDIUM: fix a 100% cpu usage with cpu-map and nbthread/nbproc * BUG/MINOR: cli: Fix a typo in the 'set rate-limit' usage * BUG/MINOR: cli: Fix a crash when passing a negative or too large value to "show fd" * BUG/MEDIUM: h2: also arm the h2 timeout when sending * BUG/MINOR: unix: Don't mess up when removing the socket from the xfer_sock_list. * BUG/MINOR: session: Fix tcp-request session failure if handshake. * MINOR: systemd: Add SystemD's SystemCallFilter option to the unit file * MINOR: systemd: Add SystemD's Protect*= options to the unit file * MINOR: systemd: Add section for SystemD sandboxing to unit file * BUG/MEDIUM: buffer: Fix the wrapping case in bi_putblk * BUG/MEDIUM: buffer: Fix the wrapping case in bo_putblk * BUG/MEDIUM: h2: always consume any trailing data after end of output buffers * MINOR: stats: display the number of threads in the statistics. * BUG/MINOR: h2: Set the target of dbuf_wait to h2c * MINOR: debug/pools: make DEBUG_UAF also detect underflows * BUG/MINOR: debug/pools: properly handle out-of-memory when building with DEBUG_UAF * DOC: cfgparse: Warn on option (tcp|http)log in backend * DOC: lua: new prototype for function "register_action()" * BUG/MEDIUM: ssl/sample: ssl_bc_* fetch keywords are broken. * BUG/MEDIUM: http: Switch the HTTP response in tunnel mode as earlier as possible * BUG/MINOR: ssl/threads: Make management of the TLS ticket keys files thread-safe * BUG/MINOR: init: Add missing brackets in the code parsing -sf/-st * BUG/MEDIUM: ssl: Shutdown the connection for reading on SSL_ERROR_SYSCALL * BUG/MEDIUM: ssl: Don't always treat SSL_ERROR_SYSCALL as unrecovarable. * BUG/MINOR: threads: fix missing thread lock labels for 1.8- if we lock down the permissions the home directory has to be owned by haproxy (bsc#1077716)- Avoid %__-type macro indirections. Remove redundant %clean section. Do not ignore errors from useradd.- Ensure haproxy home directory is not world readable (bsc#1077716)- Update to version 1.8.4 (bsc#1080069): * BUG/MINOR: config: don't emit a warning when global stats is incompletely configured * DOC: Mention -Ws in the list of available options * DOC: Describe routing impact of using interface keyword on bind lines * MINOR: init: emit warning when -sf/-sd cannot parse argument * BUG/MEDIUM: standard: Fix memory leak in str2ip2() * BUG/MINOR: time/threads: ensure the adjusted time is always correct * BUG/MEDIUM: spoe: Allow producer to read and to forward shutdown on request side * BUG/MEDIUM: spoe: Always try to receive or send the frame to detect shutdowns * BUG/MINOR: epoll/threads: only call epoll_ctl(DEL) on polled FDs * BUG/MINOR: threads: Update labels array because of changes in lock_label enum * BUG/MINOR: cli: use global.maxsock and not maxfd to list all FDs * CLEANUP: Fix typo in ARGT_MSK6 comment * BUG/MINOR: sample: Fix output type of c_ipv62ip * CLEANUP: sample: Fix outdated comment about sample casts functions * CLEANUP: sample: Fix comment encoding of sample.c * BUILD: kqueue/threads: Add test on MAX_THREADS to avoid warnings when complied without threads * BUILD: epoll/threads: Add test on MAX_THREADS to avoid warnings when complied without threads * MINOR: threads: Use __decl_hathreads instead of #ifdef/#endif * BUG/MINOR: kqueue/threads: Don't forget to close kqueue_fd[tid] on each thread * BUG/MEDIUM: checks: Don't try to release undefined conn_stream when a check is freed * BUG/MEDIUM: threads/server: Fix deadlock in srv_set_stopping/srv_set_admin_flag * BUG/MINOR: threads: always set an owner to the thread_sync pipe * MINOR: threads: Fix build when we're not compiling with threads. * BUG/MINOR: mworker: only write to pidfile if it exists * BUG/MEDIUM: threads/mworker: fix a race on startup * BUG/MEDIUM: kqueue/threads: use one kqueue_fd per thread * BUG/MEDIUM: epoll/threads: use one epoll_fd per thread * MINOR: fd: add a bitmask to indicate that an FD is known by the poller * BUG/MEDIUM: fd: maintain a per-thread update mask * BUG/MEDIUM: threads/polling: Use fd_cache_mask instead of fd_cache_num * MINOR: threads/fd: Use a bitfield to know if there are FDs for a thread in the FD cache * MINOR: global: add some global activity counters to help debugging * MINOR: threads: add a MAX_THREADS define instead of LONGBITS * MINOR: global/threads: move cpu_map at the end of the global struct * MINOR: servers: Don't report duplicate dyncookies for disabled servers. * BUG/MEDIUM: peers: fix expire date wasn't updated if entry is modified remotely. * BUG/MINOR: poll: too large size allocation for FD events * CONTRIB: debug: fix a few flags definitions * DOC: clarify the scope of ssl_fc_is_resumed * BUG/MEDIUM: stream: properly handle client aborts during redispatch * BUILD/MINOR: ancient gcc versions atomic fix * BUG/MEDIUM: mworker: execvp failure depending on argv[0] * MINOR: dns: Handle SRV record weight correctly. * BUG/MINOR: lua: Fix return value of Socket.settimeout * BUG/MEDIUM: lua: Fix IPv6 with separate port support for Socket.connect * DOC: lua: Fix typos in comments of hlua_socket_receive * BUG/MINOR: lua: Fix default value for pattern in Socket.receive * BUG/MEDIUM: ssl: cache doesn't release shctx blocks * BUG/MEDIUM: h2: properly handle the END_STREAM flag on empty DATA frames- Add dependency on apparmor-profiles (bsc#1079985)- Update to version 1.8.3: * [RELEASE] Released version 1.8.3 * MEDIUM: h2: prepare a graceful shutdown when the frontend is stopped * BUG/MAJOR: hpack: don't return direct references to the dynamic headers table * BUG/MEDIUM: http: don't automatically forward request close * MINOR: don't close stdio anymore * BUG/MEDIUM: mworker: don't close stdio several time * BUG/MEDIUM: h2: ensure we always know the stream before sending a reset * DOC/MINOR: configuration: typo, formatting fixes * BUG/MEDIUM: h2: improve handling of frames received on closed streams * BUG/MEDIUM: h2: properly handle and report some stream errors- Update to version 1.8.2: * [RELEASE] Released version 1.8.2 * BUG/MEDIUM: checks: properly set servers to stopping state on 404 * BUG/MAJOR: connection: refine the situations where we don't send shutw() * BUG/MEDIUM: cache: don't cache the response on no-cache="set-cookie" * BUG/MEDIUM: cache: respect the request cache-control header * BUG/MEDIUM: cache: replace old object on store * BUG/MEDIUM: cache: do not try to retrieve host-less requests from the cache * MINOR: http: add a function to check request's cache-control header field * BUG/MINOR: cache: do not force the TX_CACHEABLE flag before checking cacheability * BUG/MINOR: http: properly detect max-age=0 and s-maxage=0 in responses * BUG/MINOR: http: do not ignore cache-control: public * MINOR: http: start to compute the transaction's cacheability from the request * MINOR: http: update the list of cacheable status codes as per RFC7231 * MINOR: http: adjust the list of supposedly cacheable methods * BUG/MEDIUM: lua: fix crash when using bogus mode in register_service() * BUG/MEDIUM: checks: a server passed in maint state was not forced down. * MEDIUM: netscaler: add support for standard NetScaler CIP protocol * MEDIUM: netscaler: do not analyze original IP packet size * MINOR: netscaler: check in one-shot if buffer is large enough for IP and TCP header * BUG/MEDIUM: stream: don't consider abortonclose on muxes which close cleanly * MINOR: stream-int: set flag SI_FL_CLEAN_ABRT when mux supports clean aborts * MINOR: mux: add flags to describe a mux's capabilities * BUG/MINOR: h2: properly report a stream error on RST_STREAM * CONTRIB: halog: Fix compiler warnings in halog.c * CONTRIB: iprange: Fix compiler warning in iprange.c * BUG/MAJOR: netscaler: address truncated CIP header detection * BUG/MEDIUM: netscaler: use the appropriate IPv6 header size * MINOR: netscaler: rename cip_len to clarify its uage * MINOR: netscaler: remove the use of cip_magic only used once * MINOR: netscaler: respect syntax * DOC/MINOR: intro: typo, wording, formatting fixes * BUG/MEDIUM: mworker: Set FD_CLOEXEC flag on log fd * BUILD/MINOR: Makefile : enabling USE_CPU_AFFINITY * BUG: MINOR: http: don't check http-request capture id when len is provided * BUG: MAJOR: lb_map: server map calculation broken * BUG/MINOR: stream-int: don't try to receive again after receiving an EOS * BUG/MEDIUM: h2: fix stream limit enforcement * BUG/MEDIUM: http: don't disable lingering on requests with tunnelled responses * BUG/MEDIUM: h2: don't close after the first DATA frame on tunnelled responses * BUG/MEDIUM: h2: don't switch the state to HREM before end of DATA frame * MINOR: h2: don't demand that a DATA frame is complete before processing it * BUG/MEDIUM: h2: support uploading partial DATA frames * MINOR: h2: store the demux padding length in the h2c struct * BUG/MEDIUM: h2: debug incoming traffic in h2_wake() * BUG/MEDIUM: h2: work around a connection API limitation * BUG/MEDIUM: h2: enable recv polling whenever demuxing is possible * BUG/MEDIUM: h2: automatically set CS_FL_RCV_MORE when the output buffer is full * BUG/MEDIUM: stream-int: always set SI_FL_WAIT_ROOM on CS_FL_RCV_MORE * MINOR: conn_stream: add new flag CS_FL_RCV_MORE to indicate pending data * BUG/MEDIUM: lua/notification: memory leak * DOC: notifications: add precisions about thread usage * MINOR: systemd: remove comment about HAPROXY_STATS_SOCKET * BUG/MEDIUM: threads/vars: Fix deadlock in register_name * BUG/MEDIUM: email-alert: don't set server check status from a email-alert task * CONTRIB: halog: Add help text for -s switch in halog program * MINOR: mworker: Improve wording in `void mworker_wait()` * MINOR: mworker: Update messages referencing exit-on-failure * BUG/MEDIUM: h2: fix handling of end of stream again * BUG/MEDIUM: peers: set NOLINGER on the outgoing stream interface * BUG/MEDIUM: checks: a down server going to maint remains definitely stucked on down state. * BUG/MEDIUM: ssl engines: Fix async engines fds were not considered to fix fd limit automatically. * BUG/MEDIUM: mworker: also close peers sockets in the master * BUG/MINOR: ssl: support tune.ssl.cachesize 0 again * BUG/MAJOR: hpack: don't pretend large headers fit in empty table * BUG/MINOR: action: Don't check http capture rules when no id is defined- Update to version 1.8.1 (bsc#1069954): * BUG/MAJOR: h2: correctly check the request length when building an H1 request * BUG/MAJOR: thread: Be sure to request a sync between threads only once at a time * BUG/MAJOR: thread/peers: fix deadlock on peers sync. * BUG/MEDIUM: h2: do not accept upper case letters in request header names * BUG/MEDIUM: h2: remove connection-specific headers from request * BUG/MEDIUM: h2: enforce the per-connection stream limit * BUG/MEDIUM: checks: Be sure we have a mux if we created a cs. * BUG/MEDIUM: peers: fix some track counter rules dont register entries for sync. * BUG/MEDIUM: h2: don't report an error after parsing a 100-continue response * BUG/MEDIUM: threads/peers: decrement, not increment jobs on quitting * BUG/MEDIUM: stream: fix session leak on applet-initiated connections * BUG/MEDIUM: cache: bad computation of the remaining size * BUG/MEDIUM: ssl: don't allocate shctx several time * BUG/MEDIUM: tcp-check: Don't lock the server in tcpcheck_main * BUG/MEDIUM: kqueue: Don't bother closing the kqueue after fork. * BUG/MINOR: h2: use the H2_F_DATA_* macros for DATA frames * BUG/MINOR: h2: reject response pseudo-headers from requests * BUG/MINOR: h2: properly check PRIORITY frames * BUG/MINOR: h2: reject incorrect stream dependencies on HEADERS frame * BUG/MINOR: h2: do not accept SETTINGS_ENABLE_PUSH other than 0 or 1 * BUG/MINOR: h2: the TE header if present may only contain trailers * BUG/MINOR: h2: fix a typo causing PING/ACK to be responded to * BUG/MINOR: h2: ":path" must not be empty * BUG/MINOR: h2: try to abort closed streams as soon as possible * BUG/MINOR: h2: immediately close if receiving GOAWAY after the last stream * BUG/MINOR: hpack: dynamic table size updates are only allowed before headers * BUG/MINOR: hpack: reject invalid header index * BUG/MINOR: hpack: must reject huffman literals padded with more than 7 bits * BUG/MINOR: hpack: fix debugging output of pseudo header names * BUG/MINOR: mworker: detach from tty when in daemon mode * BUG/MINOR: mworker: fix validity check for the pipe FDs * BUG/MINOR: ssl: CO_FL_EARLY_DATA removal is managed by stream- License is now GPL-3.0+ and LGPL-2.1+- [apparmor]: allow haproxy to restart itself. needed for seamless restart. also reload the apparmor profile on update.- enable network namespaces on 42.3 - Enabled systemd notify mode: new BR: pkgconfig(libsystemd) This fixes problems with starting 1.8 on 42.3. - apply build option changes as adviced by upstream- Update to version 1.8.0 (bsc#1069954): https://www.mail-archive.com/haproxy@formilux.org/msg28004.html- Update to version 1.7.9: * BUG/MINOR: peers: peer synchronization issue (with several peers sections). * BUG/MINOR: lua: In error case, the safe mode is not removed * BUG/MINOR: lua: executes the function destroying the Lua session in safe mode * BUG/MAJOR: lua/socket: resources not detroyed when the socket is aborted * BUG/MEDIUM: lua: bad memory access * DOC: update the list of OpenSSL versions in the README * DOC: Updated 51Degrees git URL to point to a stable version. * BUG/MINOR: http: Set the response error state in http_sync_res_state * MINOR: http: Reorder/rewrite checks in http_resync_states * MINOR: http: Switch requests/responses in TUNNEL mode only by checking txn flags * BUG/MEDIUM: http: Switch HTTP responses in TUNNEL mode when body length is undefined * BUG/MAJOR: http: Fix possible infinity loop in http_sync_(req|res)_state * BUG/MINOR: lua: Fix Server.get_addr() port values * BUG/MINOR: lua: Correctly use INET6_ADDRSTRLEN in Server.get_addr() * BUG/MINOR: lua: always detach the tcp/http tasks before freeing them * BUG/MINOR: lua: Fix bitwise logic for hlua_server_check_* functions.- Update to version 1.7.8: * BUG/MINOR: stream: flag TASK_WOKEN_RES not set if task in runqueue * BUG/MAJOR: cli: fix custom io_release was crushed by NULL. * BUG/MAJOR: map: fix segfault during 'show map/acl' on cli. * BUG/MAJOR: compression: Be sure to release the compression state in all cases * DOC: fix references to the section about time format. * BUG/MEDIUM: map/acl: fix unwanted flags inheritance. * BUG/MINOR: stream: Don't forget to remove CF_WAKE_ONCE flag on response channel * BUG/MINOR: http: Don't reset the transaction if there are still data to send * BUG/MEDIUM: filters: Be sure to call flt_end_analyze for both channels * BUG/MINOR: http: properly handle all 1xx informational responses- Update to version 1.7.7: * BUG/MINOR: Wrong peer task expiration handling during synchronization processing. * BUG/MEDIUM: http: Drop the connection establishment when a redirect is performed * BUG/MEDIUM: cfgparse: Check if tune.http.maxhdr is in the range 1..32767 * DOC: fix references to the section about the unix socket * BUG/MINOR: log: pin the front connection when front ip/ports are logged- Update to version 1.7.6: * DOC: changed "block"(deprecated) examples to http-request deny * DOC: add few comments to examples. * DOC: update sample code for PROXY protocol * DOC: mention lighttpd 1.4.46 implements PROXY * DOC: stick-table is available in frontend sections * BUG/MINOR: dns: Wrong address family used when creating IPv6 sockets. * BUG/MINOR: config: missing goto out after parsing an incorrect ACL character * BUG/MINOR: arg: don't try to add an argument on failed memory allocation * BUG/MEDIUM: arg: ensure that we properly unlink unresolved arguments on error * BUG/MEDIUM: acl: don't free unresolved args in prune_acl_expr() * MINOR: lua: ensure the memory allocator is used all the time * CLEANUP: logs: typo: simgle => single * BUG/MEDIUM: acl: proprely release unused args in prune_acl_expr() * BUG/MAJOR: Use -fwrapv. * BUG/MINOR: server: don't use "proxy" when px is really meant. * BUG/MINOR: server: missing default server 'resolvers' setting duplication. * DOC: add layer 4 links/cross reference to "block" keyword. * DOC: errloc/errorloc302/errorloc303 missing status codes. * BUG/MEDIUM: lua: memory leak * MEDIUM: config: don't check config validity when there are fatal errors * BUG/MINOR: hash-balance-factor isn't effective in certain circumstances * MINOR/DOC: lua: just precise one thing * BUG/MINOR: http: Fix conditions to clean up a txn and to handle the next request * DOC: update RFC references * BUG/MINOR: checks: don't send proxy protocol with agent checks * BUG/MEDIUM: lua: segfault if a converter or a sample doesn't return anything * BUG/MAJOR: http: call manage_client_side_cookies() before erasing the buffer * BUG/MINOR: buffers: Fix bi/bo_contig_space to handle full buffers * BUG/MINOR: acls: Set the right refflag when patterns are loaded from a map * BUG/MINOR: http/filters: Be sure to wait if a filter loops in HTTP_MSG_ENDING * BUG/MEDIUM: peers: Peers CLOSE_WAIT issue. * BUG/MAJOR: server: Segfault after parsing server state file. * BUG/MEDIUM: unix: never unlink a unix socket from the file system- Update to version 1.7.5: * BUG/MEDIUM: peers: fix buffer overflow control in intdecode. * BUG/MEDIUM: buffers: Fix how input/output data are injected into buffers * BUG/MEDIUM: http: Fix blocked HTTP/1.0 responses when compression is enabled * BUG/MINOR: filters: Don't force the stream's wakeup when we wait in flt_end_analyze * MINOR: config parsing: add warning when log-format/tcplog/httplog is overriden in "defaults" sections- Update to version 1.7.4: * MINOR: config: warn when some HTTP rules are used in a TCP proxy * BUG/MINOR: spoe: Fix soft stop handler using a specific id for spoe filters * BUG/MINOR: spoe: Fix parsing of arguments in spoe-message section * BUG/MEDIUM: ssl: Clear OpenSSL error stack after trying to parse OCSP file * BUG/MEDIUM: cli: Prevent double free in CLI ACL lookup * BUG/MINOR: Fix "get map " CLI command * BUG/MAJOR: connection: update CO_FL_CONNECTED before calling the data layer * BUG/MEDIUM: ssl: switchctx should not return SSL_TLSEXT_ERR_ALERT_WARNING * BUG/MINOR: checks: attempt clean shutw for SSL check * BUG/MEDIUM: listener: do not try to rebind another process' socket * BUG/MEDIUM: filters: Fix channels synchronization in flt_end_analyze * BUG/MAJOR: stream-int: do not depend on connection flags to detect connection * BUG/MEDIUM: connection: ensure to always report the end of handshakes * BUG: payload: fix payload not retrieving arbitrary lengths * BUG/MAJOR: http: fix typo in http_apply_redirect_rule * BUG/MEDIUM: stream: fix client-fin/server-fin handling * MINOR: fd: add a new flag HAP_POLL_F_RDHUP to struct poller * BUG/MINOR: raw_sock: always perfom the last recv if RDHUP is not available * DOC/MINOR: Fix typos in proxy protocol doc * DOC: Protocol doc: add checksum, TLV type ranges * DOC: Protocol doc: add SSL TLVs, rename CHECKSUM * DOC: Protocol doc: add noop TLV * MEDIUM: global: add a 'hard-stop-after' option to cap the soft-stop time * BUG/MINOR: cfgparse: loop in tracked servers lists not detected by check_config_validity(). * MINOR: server: irrelevant error message with 'default-server' config file keyword. * MINOR: doc: fix use-server example (imap vs mail) * BUG/MEDIUM: tcp: don't require privileges to bind to device- Update to version 1.7.3: * BUG/MINOR: stream: Fix how backend-specific analyzers are set on a stream * BUG/MEDIUM: tcp: don't poll for write when connect() succeeds * BUG/MINOR: unix: fix connect's polling in case no data are scheduled * BUG/MINOR: lua: Map.end are not reliable because "end" is a reserved keyword * MINOR: dns: give ability to dns_init_resolvers() to close a socket when requested * BUG/MAJOR: dns: restart sockets after fork() * MINOR: chunks: implement a simple dynamic allocator for trash buffers * BUG/MEDIUM: http: prevent redirect from overwriting a buffer * BUG/MEDIUM: filters: Do not truncate HTTP response when body length is undefined * BUG/MEDIUM: http: Prevent replace-header from overwriting a buffer * BUG/MINOR: http: Return an error when a replace-header rule failed on the response * BUG/MINOR: sendmail: The return of vsnprintf is not cleanly tested * BUG/MAJOR: lua segmentation fault when the request is like 'GET ?arg=val HTTP/1.1' * BUG/MEDIUM: config: reject anything but "if" or "unless" after a use-backend rule * MINOR: http: don't close when redirect location doesn't start with "/"- Update to version 1.7.2 (bsc#1023141): * BUG/MEDIUM: lua: In some case, the return of sample-fetches is ignored (2) * BUG/MINOR: stream-int: automatically release SI_FL_WAIT_DATA on SHUTW_NOW * DOC: lua: documentation about time parser functions * DOC: lua: section declared twice * BUG/MINOR: lua/cli: bad error message * DOC: fix small typo in fe_id (backend instead of frontend) * BUG/MINOR: Fix the sending function in Lua's cosocket * BUG/MINOR: lua: memory leak executing tasks * BUG/MINOR: lua: bad return code * BUG/MEDIUM: ssl: properly reset the reused_sess during a forced handshake * BUG/MEDIUM: ssl: avoid double free when releasing bind_confs * BUG/MINOR: stats: fix be/sessions/current out in typed stats * BUG/MINOR: backend: nbsrv() should return 0 if backend is disabled * BUG/MEDIUM: ssl: for a handshake when server-side SNI changes * BUG/MINOR: systemd: potential zombie processes * DOC: Add timings events schemas * BUG/MINOR: option prefer-last-server must be ignored in some case * MINOR: stats: Support "select all" for backend actions * BUG/MINOR: sample-fetches/stick-tables: bad type for the sample fetches sc*_get_gpt0 * BUG/MAJOR: channel: Fix the definition order of channel analyzers * BUG/MINOR: http: report real parser state in error captures * BUG/MAJOR: http: fix risk of getting invalid reports of bad requests * MINOR: http: custom status reason. * MINOR: connection: add sample fetch "fc_rcvd_proxy" * BUG/MINOR: config: emit a warning if http-reuse is enabled with incompatible options * BUG/MINOR: tools: fix off-by-one in port size check * BUG/MEDIUM: server: consider AF_UNSPEC as a valid address family * MEDIUM: server: split the address and the port into two different fields * MINOR: tools: make str2sa_range() return the port in a separate argument * MINOR: server: take the destination port from the port field, not the addr * MEDIUM: server: disable protocol validations when the server doesn't resolve * BUG/MEDIUM: tools: do not force an unresolved address to AF_INET:0.0.0.0 * BUG/MINOR: ssl: EVP_PKEY must be freed after X509_get_pubkey usage * MINOR: proto_http.c 502 error txt typo. * DOC: add deprecation notice to "block" * BUG/MINOR: Reset errno variable before calling strtol(3)- Update to version 1.7.1: * BUG/MAJOR: stream: fix session abort on resource shortage * BUG/MINOR: cli: allow the backslash to be escaped on the CLI * BUG/MEDIUM: cli: fix "show stat resolvers" and "show tls-keys" * DOC: Fix map table's format * DOC: Added 51Degrees conv and fetch functions to documentation. * BUG/MINOR: http: don't send an extra CRLF after a Set-Cookie in a redirect * DOC: mention that req_tot is for both frontends and backends * BUG/MEDIUM: variables: some variable name can hide another ones * BUG/MINOR: stats: fix be/sessions/max output in html stats * MINOR: proxy: Add fe_name/be_name fetchers next to existing fe_id/be_id * DOC: lua: Documentation about some entry missing * MINOR: Do not forward the header "Expect: 100-continue" when the option http-buffer-request is set * DOC: Add undocumented argument of the trace filter * DOC: Fix some typo in SPOE documentation * BUG/MINOR: cli: be sure to always warn the cli applet when input buffer is full * MINOR: applet: Count number of (active) applets * MINOR: task: Rename run_queue and run_queue_cur counters * BUG/MEDIUM: stream: Save unprocessed events for a stream * BUG/MAJOR: Fix how the list of entities waiting for a buffer is handled * BUILD/MEDIUM: Fixing the build using LibreSSL * [RELEASE] Released version 1.7.1- Update to version 1.7.0: * BUG/MEDIUM: proxy: return "none" and "unknown" for unknown LB algos * BUG/MINOR: stats: make field_str() return an empty string on NULL * BUG/MEDIUM: http: Fix tunnel mode when the CONNECT method is used * BUG/MINOR: http: Keep the same behavior between 1.6 and 1.7 for tunneled txn * BUG/MINOR: filters: Protect args in macros HAS_DATA_FILTERS and IS_DATA_FILTER * BUG/MINOR: filters: Invert evaluation order of HTTP_XFER_BODY and XFER_DATA analyzers * BUG/MINOR: http: Call XFER_DATA analyzer when HTTP txn is switched in tunnel mode- Update to version 1.6.10: * BUG/MEDIUM: systemd-wrapper: return correct exit codes * BUG/MEDIUM: srv-state: properly restore the DRAIN state * BUG/MINOR: srv-state: allow to have both CMAINT and FDRAIN flags * BUG/MEDIUM: servers: properly propagate the maintenance states during startup * BUG: vars: Fix 'set-var' converter because of a typo * BUG/MEDIUM: channel: bad unlikely macro * CLEANUP: lua: move comment * CLEANUP: lua: control executed twice * CLEANUP: ssl: Fix bind keywords name in comments * DOC: ssl: Use correct wording for ca-sign-pass * BUG/MINOR: stick-table: handle out-of-memory condition gracefully * BUG/MEDIUM: connection: check the control layer before stopping polling * BUG/MEDIUM: stick-table: fix regression caused by recent fix for out-of-memory * CONTRIB: initiate a debugging suite to make debugging easier * BUG/MINOR: cli: properly decrement ref count on tables during failed dumps * BUG/MEDIUM: lua: In some case, the return of sample-fetche is ignored- Update to version 1.6.9+git.1477940904.ab45181 (fate#321723) * BUILD: poll: remove unused hap_fd_isset() which causes a warning with clang * MINOR: cfgparse: few memory leaks fixes. * MINOR: build: Allow linking to device-atlas library file * DOC: Fix typo in description of `-st` parameter in man page * BUG/MEDIUM: peers: on shutdown, wake up the appctx, not the stream * BUG/MEDIUM: peers: fix use after free in peer_session_create() * BUG/MEDIUM: systemd: let the wrapper know that haproxy has completed or failed * MINOR: systemd: report it when execve() fails * BUG/MINOR: systemd: check return value of calloc() * BUG/MINOR: systemd: always restore signals before execve() * BUG/MINOR: systemd: make the wrapper return a non-null status code on error * BUG/MINOR: ssl: prevent multiple entries for the same certificate * BUG/MINOR: ssl: Check malloc return code * BUG/MINOR: vars: smp_fetch_var() doesn't depend on HTTP but on the session * BUG/MINOR: vars: make smp_fetch_var() more robust against misuses * BUG/MINOR: vars: use sess and not s->sess in action_store() * MEDIUM: make SO_REUSEPORT configurable * MINOR: Add fe_req_rate sample fetch * MINOR: show Running on zlib version * MINOR: show Built with PCRE version * BUG/MINOR: displayed PCRE version is running release- Update to 1.6.9 (bsc#1003264) - MINOR: cli: allow the semi-colon to be escaped on the CLI - BUG/MINOR: payload: fix SSLv2 version parser - BUG/MAJOR: stream: properly mark the server address as unset on connect retry - DOC: Updated 51Degrees readme. - BUG/MAJOR: stick-counters: possible crash when using sc_trackers with wrong table - BUG/MINOR: peers: empty chunks after a resync. - BUG/MINOR: peers: some updates are pushed twice after a resync. - MINOR: sample: use smp_make_rw() in upper/lower converters - BUG/MEDIUM: stick-table: properly convert binary samples to keys - BUG/MEDIUM: stick-tables: do not fail on string keys with no allocated size - BUG/MAJOR: server: the "sni" directive could randomly cause trouble - MINOR: sample: provide smp_is_rw() and smp_make_rw() - MINOR: sample: implement smp_is_safe() and smp_make_safe() - BUG/MEDIUM: samples: make smp_dup() always duplicate the sample - BUG/MAJOR: compression: initialize avail_in/next_in even during flush - BUILD: make proto_tcp.c compatible with musl library - DOC: minor typo fixes to improve HTML parsing by haproxy-dconv - BUG/MEDIUM: stream-int: completely detach connection on connect error - BUG/MEDIUM: lua: somme HTTP manipulation functions are called without valid requests - DOC: lua: remove old functions - BUG/MINOR: peers: Fix peers data decoding issue - BUG/MEDIUM: lua: the function txn_done() from action wrapper can crash - BUG/MEDIUM: lua: the function txn_done() from sample fetches can crash- update to 1.6.7 - MINOR: new function my_realloc2 = realloc + free upon failure - CLEANUP: fixed some usages of realloc leading to memory leak - Revert "BUG/MINOR: ssl: fix potential memory leak in ssl_sock_load_dh_params()" - BUG/MEDIUM: dns: fix alignment issues in the DNS response parser - BUG/MINOR: Fix endiness issue in DNS header creation code - changes from 1.6.6 - BUG/MAJOR: fix listening IP address storage for frontends - BUG/MINOR: fix listening IP address storage for frontends (cont) - DOC: Fix typo so fetch is properly parsed by Cyril's converter - BUG/MAJOR: http: fix breakage of "reqdeny" causing random crashes - BUG/MEDIUM: stick-tables: fix breakage in table converters - BUG/MEDIUM: dns: unbreak DNS resolver after header fix - BUILD: fix build on Solaris 11 - CLEANUP: connection: fix double negation on memcmp() - BUG/MEDIUM: stats: show servers state may show an servers from another backend - BUG/MEDIUM: fix risk of segfault with "show tls-keys" - BUG/MEDIUM: sticktables: segfault in some configuration error cases - BUG/MEDIUM: lua: converters doesn't work - BUG/MINOR: http: add-header: header name copied twice - BUG/MEDIUM: http: add-header: buffer overwritten - BUG/MINOR: ssl: fix potential memory leak in ssl_sock_load_dh_params() - BUG/MINOR: http: url32+src should use the big endian version of url32 - BUG/MINOR: http: url32+src should check cli_conn before using it - DOC: http: add documentation for url32 and url32+src - BUG/MINOR: fix http-response set-log-level parsing error - MINOR: systemd: Use variable for config and pidfile paths - MINOR: systemd: Perform sanity check on config before reload (cherry picked from commit 68535bddf305fdd22f1449a039939b57245212e7) - BUG/MINOR: init: always ensure that global.rlimit_nofile matches actual limits - BUG/MINOR: init: ensure that FD limit is raised to the max allowed - BUG/MEDIUM: external-checks: close all FDs right after the fork() - BUG/MAJOR: external-checks: use asynchronous signal delivery - BUG/MINOR: external-checks: do not unblock undesired signals - BUILD/MEDIUM: rebuild everything when an include file is changed - BUILD/MEDIUM: force a full rebuild if some build options change - BUG/MINOR: srv-state: fix incorrect output of state file - BUG/MINOR: ssl: close ssl key file on error - BUG/MINOR: http: fix misleading error message for response captures - BUG/BUILD: don't automatically run "make" on "make install" - DOC: add missing doc for http-request deny [deny_status ] - drop patches which were pulled from git before 0001-BUG-MAJOR-fix-listening-IP-address-storage-for-front.patch 0002-BUG-MINOR-fix-listening-IP-address-storage-for-front.patch 0003-DOC-Fix-typo-so-fetch-is-properly-parsed-by-Cyril-s-.patch 0004-BUG-MAJOR-http-fix-breakage-of-reqdeny-causing-rando.patch 0005-BUG-MEDIUM-stick-tables-fix-breakage-in-table-conver.patch 0006-BUG-MEDIUM-dns-unbreak-DNS-resolver-after-header-fix.patch 0007-BUILD-fix-build-on-Solaris-11.patch 0008-CLEANUP-connection-fix-double-negation-on-memcmp.patch 0009-BUG-MEDIUM-stats-show-servers-state-may-show-an-serv.patch 0010-BUG-MEDIUM-fix-risk-of-segfault-with-show-tls-keys.patch 0011-BUG-MEDIUM-sticktables-segfault-in-some-configuratio.patch 0012-BUG-MEDIUM-lua-converters-doesn-t-work.patch 0013-BUG-MINOR-http-add-header-header-name-copied-twice.patch 0014-BUG-MEDIUM-http-add-header-buffer-overwritten.patch- pull patches from git to fix some important issues (bsc#983972) (bsc#983974): 0001-BUG-MAJOR-fix-listening-IP-address-storage-for-front.patch 0002-BUG-MINOR-fix-listening-IP-address-storage-for-front.patch 0003-DOC-Fix-typo-so-fetch-is-properly-parsed-by-Cyril-s-.patch 0004-BUG-MAJOR-http-fix-breakage-of-reqdeny-causing-rando.patch 0005-BUG-MEDIUM-stick-tables-fix-breakage-in-table-conver.patch 0006-BUG-MEDIUM-dns-unbreak-DNS-resolver-after-header-fix.patch 0007-BUILD-fix-build-on-Solaris-11.patch 0008-CLEANUP-connection-fix-double-negation-on-memcmp.patch 0009-BUG-MEDIUM-stats-show-servers-state-may-show-an-serv.patch 0010-BUG-MEDIUM-fix-risk-of-segfault-with-show-tls-keys.patch 0011-BUG-MEDIUM-sticktables-segfault-in-some-configuratio.patch 0012-BUG-MEDIUM-lua-converters-doesn-t-work.patch 0013-BUG-MINOR-http-add-header-header-name-copied-twice.patch 0014-BUG-MEDIUM-http-add-header-buffer-overwritten.patch- update to 1.6.5 - BUG/MINOR: log: Don't use strftime() which can clobber timezone if chrooted - BUILD: namespaces: fix a potential build warning in namespaces.c - DOC: add encoding to json converter example - BUG/MINOR: conf: "listener id" expects integer, but its not checked - DOC: Clarify tunes.vars.xxx-max-size settings - BUG/MEDIUM: peers: fix incorrect age in frequency counters - BUG/MEDIUM: Fix RFC5077 resumption when more than TLS_TICKETS_NO are present - BUG/MAJOR: Fix crash in http_get_fhdr with exactly MAX_HDR_HISTORY headers - BUG/MINOR: lua: can't load external libraries - DOC: "addr" parameter applies to both health and agent checks - DOC: timeout client: pointers to timeout http-request - DOC: typo on stick-store response - DOC: stick-table: amend paragraph blaming the loss of table upon reload - DOC: typo: ACL subdir match - DOC: typo: maxconn paragraph is wrong due to a wrong buffer size - DOC: regsub: parser limitation about the inability to use closing square brackets - DOC: typo: req.uri is now replaced by capture.req.uri - DOC: name set-gpt0 mismatch with the expected keyword - BUG/MEDIUM: stick-tables: some sample-fetch doesn't work in the connection state. - DOC: fix "needed" typo - BUG/MINOR: dns: inapropriate way out after a resolution timeout - BUG/MINOR: dns: trigger a DNS query type change on resolution timeout - BUG/MINOR : allow to log cookie for tarpit and denied request - OPTIM/MINOR: session: abort if possible before connecting to the backend - BUG/MEDIUM: trace.c: rdtsc() is defined in two files - BUG/MEDIUM: channel: fix miscalculation of available buffer space (2nd try) - BUG/MINOR: cfgparse: couple of small memory leaks. - BUG/MEDIUM: sample: initialize the pointer before parse_binary call. - DOC: fix discrepancy in the example for http-request redirect - DOC: Clarify IPv4 address / mask notation rules - CLEANUP: fix inconsistency between fd->iocb, proto->accept and accept() - BUG/MEDIUM: fix maxaccept computation on per-process listeners - BUG/MINOR: listener: stop unbound listeners on startup - BUG/MINOR: fix maxaccept computation according to the frontend process range - MEDIUM: unblock signals on startup. - BUG/MEDIUM: channel: don't allow to overwrite the reserve until connected - BUG/MEDIUM: channel: incorrect polling condition may delay event delivery - BUG/MEDIUM: channel: fix miscalculation of available buffer space (3rd try) - BUG/MEDIUM: log: fix risk of segfault when logging HTTP fields in TCP mode - BUG/MEDIUM: lua: protects the upper boundary of the argument list for converters/fetches. - BUG/MINOR: log: fix a typo that would cause %HP to log - MINOR: channel: add new function channel_congested() - BUG/MEDIUM: http: fix risk of CPU spikes with pipelined requests from dead client - BUG/MAJOR: channel: fix miscalculation of available buffer space (4th try) - BUG/MEDIUM: stream: ensure the SI_FL_DONT_WAKE flag is properly cleared - BUG/MEDIUM: channel: fix inconsistent handling of 4GB-1 transfers - BUG/MEDIUM: stats: show servers state may show an empty or incomplete result - BUG/MEDIUM: stats: show backend may show an empty or incomplete result - MINOR: stats: fix typo in help messages - MINOR: stats: show stat resolvers missing in the help message - BUG/MINOR: dns: fix DNS header definition - BUG/MEDIUM: dns: fix alignment issue when building DNS queries - CLEANUP/MINOR: stats: fix accidental addition of member "env" in the applet ctx - refreshed patches to apply cleanly again - haproxy-1.6.0-makefile_lib.patch - haproxy-1.6.0-sec-options.patch- update to 1.6.4 (fate#320607) (bsc#937202) - BUG/MINOR: http: fix several off-by-one errors in the url_param parser - BUG/MINOR: http: Be sure to process all the data received from a server - BUG/MINOR: chunk: make chunk_dup() always check and set dst->size - MINOR: chunks: ensure that chunk_strcpy() adds a trailing zero - MINOR: chunks: add chunk_strcat() and chunk_newstr() - MINOR: chunk: make chunk_initstr() take a const string - MINOR: lru: new function to delete least recently used keys - DOC: add Ben Shillito as the maintainer of 51d - BUG/MINOR: 51d: Ensures a unique domain for each configuration - BUG/MINOR: 51d: Aligns Pattern cache implementation with HAProxy best practices. - BUG/MINOR: 51d: Releases workset back to pool. - BUG/MINOR: 51d: Aligned const pointers to changes in 51Degrees. - CLEANUP: 51d: Aligned if statements with HAProxy best practices and removed casts from malloc. - DOC: fix a few spelling mistakes (cherry picked from commit cc123c66c2075add8524a6a9925382927daa6ab0) - DOC: fix "workaround" spelling - BUG/MINOR: examples: Fixing haproxy.spec to remove references to .cfg files - MINOR: fix the return type for dns_response_get_query_id() function - MINOR: server state: missing LF (\n) on error message printed when parsing server state file - BUG/MEDIUM: dns: no DNS resolution happens if no ports provided to the nameserver - BUG/MAJOR: servers state: server port is erased when dns resolution is enabled on a server - BUG/MEDIUM: servers state: server port is used uninitialized - BUG/MEDIUM: config: Adding validation to stick-table expire value. - BUG/MEDIUM: sample: http_date() doesn't provide the right day of the week - BUG/MEDIUM: channel: fix miscalculation of available buffer space. - MEDIUM: pools: add a new flag to avoid rounding pool size up - BUG/MEDIUM: buffers: do not round up buffer size during allocation - BUG/MINOR: stream: don't force retries if the server is DOWN - BUG/MINOR: counters: make the sc-inc-gpc0 and sc-set-gpt0 touch the table - MINOR: unix: don't mention free ports on EAGAIN - BUG/CLEANUP: CLI: report the proper field states in "show sess" - MINOR: stats: send content-length with the redirect to allow keep-alive - BUG: stream_interface: Reuse connection even if the output channel is empty - DOC: remove old tunnel mode assumptions - BUG/MAJOR: http-reuse: fix risk of orphaned connections - BUG/MEDIUM: http-reuse: do not share private connections across backends - BUG/MINOR: ssl: Be sure to use unique serial for regenerated certificates - BUG/MINOR: stats: fix missing comma in stats on agent drain - BUG/MINOR: lua: unsafe initialization - DOC: lua: fix somme errors - DOC: add server name at rate-limit sessions example - BUG/MEDIUM: ssl: fix off-by-one in ALPN list allocation - BUG/MEDIUM: ssl: fix off-by-one in NPN list allocation - DOC: LUA: fix some typos and syntax errors - MINOR: cfgparse: warn for incorrect 'timeout retry' keyword spelling in resolvers - MINOR: mailers: increase default timeout to 10 seconds - MINOR: mailers: use for all line endings - BUG/MAJOR: lua: applets can't sleep. - BUG/MINOR: server: some prototypes are renamed - BUG/MINOR: lua: Useless copy - BUG/MEDIUM: stats: stats bind-process doesn't propagate the process mask correctly - BUG/MINOR: server: fix the format of the warning on address change - BUG/MEDIUM: chunks: always reject negative-length chunks - BUG/MINOR: systemd: ensure we don't miss signals - BUG/MINOR: systemd: report the correct signal in debug message output - BUG/MINOR: systemd: propagate the correct signal to haproxy - MINOR: systemd: ensure a reload doesn't mask a stop - BUG/MEDIUM: cfgparse: wrong argument offset after parsing server "sni" keyword - CLEANUP: stats: Avoid computation with uninitialized bits. - CLEANUP: pattern: Ignore unknown samples in pat_match_ip(). - CLEANUP: map: Avoid memory leak in out-of-memory condition. - BUG/MINOR: tcpcheck: fix incorrect list usage resulting in failure to load certain configs - BUG/MAJOR: samples: check smp->strm before using it - MINOR: sample: add a new helper to initialize the owner of a sample - MINOR: sample: always set a new sample's owner before evaluating it - BUG/MAJOR: vars: always retrieve the stream and session from the sample - CLEANUP: payload: remove useless and confusing nullity checks for channel buffer - BUG/MINOR: ssl: fix usage of the various sample fetch functions - MINOR: cfgparse: warn when uid parameter is not a number - MINOR: cfgparse: warn when gid parameter is not a number - BUG/MINOR: standard: Avoid free of non-allocated pointer - BUG/MINOR: pattern: Avoid memory leak on out-of-memory condition - CLEANUP: http: fix a build warning introduced by a recent fix - BUG/MINOR: log: GMT offset not updated when entering/leaving DST- update to 1.6.3 (fate#320607) - BUG/MEDIUM: lua: clean output buffer - BUG/MEDIUM: http: switch the request channel to no-delay once done. - BUG/MEDIUM: http: don't enable auto-close on the response side - BUG/MEDIUM: stream: fix half-closed timeout handling - BUG/MEDIUM: cli: changing compression rate-limiting must require admin level - BUG/MEDIUM: sample: urlp can't match an empty value - BUG/MEDIUM: da: stop DeviceAtlas processing in the convertor if there is no input. - BUG/MEDIUM: checks: email-alert not working when declared in defaults - BUG/MEDIUM: http: fix http-reuse when frontend and backend differ - BUG/MEDIUM: config: properly adjust maxconn with nbproc when memmax is forced - BUG/MEDIUM: peers: table entries learned from a remote are pushed to others after a random delay. - BUG/MEDIUM: peers: old stick table updates could be repushed - BUG/MEDIUM: lua: Lua applets must not fetch samples using http_txn - BUG/MEDIUM: lua: Forbid HTTP applets from being called from tcp rulesets - BUG/MAJOR: lua: Do not force the HTTP analysers in use-services for all the details see /usr/share/doc/packages/haproxy/CHANGELOG or http://www.haproxy.org/download/1.6/src/CHANGELOG- on sle11 we still need to own /etc/apparmor.d/local- instead of owning the apparmor directories, BR apparmor-profiles.- fix link to tarball- update to 1.6.2 - BUILD: ssl: fix build error introduced in commit 7969a3 with OpenSSL < 1.0.0 - DOC: fix a typo for a "deviceatlas" keyword - FIX: small typo in an example using the "Referer" header - BUG/MEDIUM: config: count memory limits on 64 bits, not 32 - BUG/MAJOR: dns: first DNS response packet not matching queried hostname may lead to a loop - BUG/MINOR: dns: unable to parse CNAMEs response - BUG/MINOR: examples/haproxy.init: missing brace in quiet_check() - DOC: deviceatlas: more example use cases. - BUG/BUILD: replace haproxy-systemd-wrapper with $(EXTRA) in install-bin. - BUG/MAJOR: http: don't requeue an idle connection that is already queued - DOC: typo on capture.res.hdr and capture.req.hdr - BUG/MINOR: dns: check for duplicate nameserver id in a resolvers section was missing - CLEANUP: use direction names in place of numeric values - BUG/MEDIUM: lua: sample fetches based on response doesn't work - drop haproxy-1.6.0-ssl-098.patch: included upstream- update to 1.6.1 - DOC: specify that stats socket doc (section 9.2) is in management - BUILD: install only relevant and existing documentation - CLEANUP: don't ignore debian/ directory if present - BUG/MINOR: dns: parsing error of some DNS response - BUG/MEDIUM: namespaces: don't fail if no namespace is used - BUG/MAJOR: ssl: free the generated SSL_CTX if the LRU cache is disabled - MEDIUM: dns: Don't use the ANY query type - drop haproxy-1.6.0-ssl.crash.patch included in update- add haproxy-1.6.0-ssl-098.patch: fix building on openssl 0.9.8- added haproxy-1.6.0-ssl.crash.patch: fix SNI related crash- only use network namespace support on distros newer than 13.2- update to 1.6.0 The most user-visible changes, we can cite the simpler handling of multiple configuration files, the support for quotes and environment variables in the configuration, a significant reduction of the memory usage thanks to a new dynamic buffer allocator, notifications over e-mail, server state keeping across reloads, dynamic DNS-based server address resolution, new scripting capabilities thanks to the embedded Lua interpreter, use of variables in the configuration to manipulate samples, request body buffering and analysis, support for two third-party device identification products (DeviceAtlas and 51Degrees), a lot of new sample converters including arithmetic operators and table lookups, TLS ticket secret sharing between nodes, TLS SNI to the server, full tables replication between peers, ability to instruct the kernel to quickly kill dead connections, support for Linux namespaces, and a number of other less visible goodies. The performance has also been improved a lot with support for server connection multiplexing, much faster and cheaper HTTP compression via libslz, and the addition of a pattern cache to speed up certain expensive ACLs. The great flexibility offered by this version will allow many users to significantly simplify their configurations. Some users will notice a huge performance boost after they enable the features designed for them. for all the details see /usr/share/doc/packages/haproxy/CHANGELOG - drop patches we pulled from upstream git: 0001-BUG-MINOR-log-missing-some-ARGC_-entries-in-fmt_dire.patch 0002-DOC-usesrc-root-privileges-requirements.patch 0003-BUILD-ssl-Allow-building-against-libssl-without-SSLv.patch 0004-DOC-MINOR-fix-OpenBSD-versions-where-haproxy-works.patch 0005-BUG-MINOR-http-sample-gmtime-localtime-can-fail.patch 0006-DOC-typo-in-redirect-302-code-meaning.patch 0007-DOC-mention-that-ms-is-left-padded-with-zeroes.patch 0008-CLEANUP-.gitignore-ignore-more-test-files.patch 0009-CLEANUP-.gitignore-finally-ignore-everything-but-wha.patch 0010-MEDIUM-config-emit-a-warning-on-a-frontend-without-l.patch 0011-BUG-MEDIUM-counters-ensure-that-src_-inc-clr-_gpc0-c.patch 0012-DOC-ssl-missing-LF.patch 0013-DOC-fix-example-of-http-request-using-ssl_fc_session.patch 0014-BUG-MINOR-http-remove-stupid-HTTP_METH_NONE-entry.patch 0015-BUG-MAJOR-http-don-t-call-http_send_name_header-afte.patch - refresh/redo patches to apply cleanly again: old: haproxy-1.2.16_config_haproxy_user.patch new: haproxy-1.6.0_config_haproxy_user.patch old: haproxy-makefile_lib.patch new: haproxy-1.6.0-makefile_lib.patch old: sec-options.patch new: haproxy-1.6.0-sec-options.patch - added new haproxy.cfg to have a minimal config we can actually launch! - drop patch haproxy-1.5.8-fix-bashisms.patch: patched files no longer exist - drop haproxy.vim: we will use the copy which ships with the upstream tarball now.- fix haproxy status checks (bsc#947204)- Backport patches from upstream: - BUG/MINOR: http: remove stupid HTTP_METH_NONE entry - BUG/MAJOR: http: don't call http_send_name_header() after an error - Add 0014-BUG-MINOR-http-remove-stupid-HTTP_METH_NONE-entry.patch - Add 0015-BUG-MAJOR-http-don-t-call-http_send_name_header-afte.patch- Backport patches from upstream: - BUG/MINOR: log: missing some ARGC_* entries in fmt_directives() - DOC: usesrc root privileges requirements - BUILD: ssl: Allow building against libssl without SSLv3. - DOC/MINOR: fix OpenBSD versions where haproxy works - BUG/MINOR: http/sample: gmtime/localtime can fail - DOC: typo in 'redirect', 302 code meaning - DOC: mention that %ms is left-padded with zeroes. - CLEANUP: .gitignore: ignore more test files - CLEANUP: .gitignore: finally ignore everything but what is known. - MEDIUM: config: emit a warning on a frontend without listener - BUG/MEDIUM: counters: ensure that src_{inc,clr}_gpc0 creates a missing entry - DOC: ssl: missing LF - DOC: fix example of http-request using ssl_fc_session_id - Add 0001-BUG-MINOR-log-missing-some-ARGC_-entries-in-fmt_dire.patch - Add 0002-DOC-usesrc-root-privileges-requirements.patch - Add 0003-BUILD-ssl-Allow-building-against-libssl-without-SSLv.patch - Add 0004-DOC-MINOR-fix-OpenBSD-versions-where-haproxy-works.patch - Add 0005-BUG-MINOR-http-sample-gmtime-localtime-can-fail.patch - Add 0006-DOC-typo-in-redirect-302-code-meaning.patch - Add 0007-DOC-mention-that-ms-is-left-padded-with-zeroes.patch - Add 0008-CLEANUP-.gitignore-ignore-more-test-files.patch - Add 0009-CLEANUP-.gitignore-finally-ignore-everything-but-wha.patch - Add 0010-MEDIUM-config-emit-a-warning-on-a-frontend-without-l.patch - Add 0011-BUG-MEDIUM-counters-ensure-that-src_-inc-clr-_gpc0-c.patch - Add 0012-DOC-ssl-missing-LF.patch - Add 0013-DOC-fix-example-of-http-request-using-ssl_fc_session.patch- Update to 1.5.14 (CVE-2015-3281) (bsc#937042) + BUILD/MINOR: tools: rename popcount to my_popcountl + BUG/MAJOR: buffers: make the buffer_slow_realign() function respect output data- Update to 1.5.13 - Dropped all patches backported from git, no further changes than those patches provided. - Removed patches: + Remove 0001-BUG-MEDIUM-stats-properly-initialize-the-scope-befor.patch + Remove 0002-BUG-MEDIUM-http-don-t-forward-client-shutdown-withou.patch + Remove 0003-BUG-MINOR-check-fix-tcpcheck-error-message.patch + Remove 0004-CLEANUP-checks-fix-double-usage-of-cur-current_step-.patch + Remove 0005-BUG-MEDIUM-checks-do-not-dereference-head-of-a-tcp-c.patch + Remove 0006-CLEANUP-checks-simplify-the-loop-processing-of-tcp-c.patch + Remove 0007-BUG-MAJOR-checks-always-check-for-end-of-list-before.patch + Remove 0008-BUG-MEDIUM-checks-do-not-dereference-a-list-as-a-tcp.patch + Remove 0009-BUG-MEDIUM-peers-apply-a-random-reconnection-timeout.patch + Remove 0010-DOC-Update-doc-about-weight-act-and-bck-fields-in-th.patch + Remove 0011-MINOR-ssl-add-a-destructor-to-free-allocated-SSL-res.patch + Remove 0012-BUG-MEDIUM-ssl-fix-tune.ssl.default-dh-param-value-b.patch + Remove 0013-BUG-MINOR-cfgparse-fix-typo-in-option-httplog-error-.patch + Remove 0014-BUG-MEDIUM-cfgparse-segfault-when-userlist-is-misuse.patch + Remove 0015-MEDIUM-ssl-replace-standards-DH-groups-with-custom-o.patch + Remove 0016-BUG-MINOR-debug-display-null-in-place-of-meth.patch + Remove 0017-CLEANUP-deinit-remove-codes-for-cleaning-p-block_rul.patch + Remove 0018-BUG-MINOR-ssl-fix-smp_fetch_ssl_fc_session_id.patch + Remove 0019-MEDIUM-init-don-t-stop-proxies-in-parent-process-whe.patch + Remove 0020-MINOR-peers-store-the-pointer-to-the-signal-handler.patch + Remove 0021-MEDIUM-peers-unregister-peers-that-were-never-starte.patch + Remove 0022-MEDIUM-config-propagate-the-table-s-process-list-to-.patch + Remove 0023-MEDIUM-init-stop-any-peers-section-not-bound-to-the-.patch + Remove 0024-MEDIUM-config-validate-that-peers-sections-are-bound.patch + Remove 0025-MAJOR-peers-allow-peers-section-to-be-used-with-nbpr.patch + Remove 0026-DOC-relax-the-peers-restriction-to-single-process.patch + Remove 0027-CLEANUP-config-fix-misleading-information-in-error-m.patch + Remove 0028-MINOR-config-report-the-number-of-processes-using-a-.patch + Remove 0029-BUG-MEDIUM-config-properly-compute-the-default-numbe.patch- Backport upstream patches: + DOC: Update doc about weight, act and bck fields in the statistics + MINOR: ssl: add a destructor to free allocated SSL ressources + BUG/MEDIUM: ssl: fix tune.ssl.default-dh-param value being overwritten + BUG/MINOR: cfgparse: fix typo in 'option httplog' error message + BUG/MEDIUM: cfgparse: segfault when userlist is misused + MEDIUM: ssl: replace standards DH groups with custom ones + BUG/MINOR: debug: display (null) in place of "meth" + CLEANUP: deinit: remove codes for cleaning p->block_rules + BUG/MINOR: ssl: fix smp_fetch_ssl_fc_session_id + MEDIUM: init: don't stop proxies in parent process when exiting + MINOR: peers: store the pointer to the signal handler + MEDIUM: peers: unregister peers that were never started + MEDIUM: config: propagate the table's process list to the peers sections + MEDIUM: init: stop any peers section not bound to the correct process + MEDIUM: config: validate that peers sections are bound to exactly one process + MAJOR: peers: allow peers section to be used with nbproc > 1 + DOC: relax the peers restriction to single-process + CLEANUP: config: fix misleading information in error message. + MINOR: config: report the number of processes using a peers section in the error case + BUG/MEDIUM: config: properly compute the default number of processes for a proxy - Added patches: + Add 0010-DOC-Update-doc-about-weight-act-and-bck-fields-in-th.patch + Add 0011-MINOR-ssl-add-a-destructor-to-free-allocated-SSL-res.patch + Add 0012-BUG-MEDIUM-ssl-fix-tune.ssl.default-dh-param-value-b.patch + Add 0013-BUG-MINOR-cfgparse-fix-typo-in-option-httplog-error-.patch + Add 0014-BUG-MEDIUM-cfgparse-segfault-when-userlist-is-misuse.patch + Add 0015-MEDIUM-ssl-replace-standards-DH-groups-with-custom-o.patch + Add 0016-BUG-MINOR-debug-display-null-in-place-of-meth.patch + Add 0017-CLEANUP-deinit-remove-codes-for-cleaning-p-block_rul.patch + Add 0018-BUG-MINOR-ssl-fix-smp_fetch_ssl_fc_session_id.patch + Add 0019-MEDIUM-init-don-t-stop-proxies-in-parent-process-whe.patch + Add 0020-MINOR-peers-store-the-pointer-to-the-signal-handler.patch + Add 0021-MEDIUM-peers-unregister-peers-that-were-never-starte.patch + Add 0022-MEDIUM-config-propagate-the-table-s-process-list-to-.patch + Add 0023-MEDIUM-init-stop-any-peers-section-not-bound-to-the-.patch + Add 0024-MEDIUM-config-validate-that-peers-sections-are-bound.patch + Add 0025-MAJOR-peers-allow-peers-section-to-be-used-with-nbpr.patch + Add 0026-DOC-relax-the-peers-restriction-to-single-process.patch + Add 0027-CLEANUP-config-fix-misleading-information-in-error-m.patch + Add 0028-MINOR-config-report-the-number-of-processes-using-a-.patch + Add 0029-BUG-MEDIUM-config-properly-compute-the-default-numbe.patch- BUG/MINOR: check: fix tcpcheck error message - CLEANUP: checks: fix double usage of cur / current_step in tcp-checks - BUG/MEDIUM: checks: do not dereference head of a tcp-check at the end - CLEANUP: checks: simplify the loop processing of tcp-checks - BUG/MAJOR: checks: always check for end of list before proceeding - BUG/MEDIUM: checks: do not dereference a list as a tcpcheck struct - BUG/MEDIUM: peers: apply a random reconnection timeout - Add 0003-BUG-MINOR-check-fix-tcpcheck-error-message.patch - Add 0004-CLEANUP-checks-fix-double-usage-of-cur-current_step-.patch - Add 0005-BUG-MEDIUM-checks-do-not-dereference-head-of-a-tcp-c.patch - Add 0006-CLEANUP-checks-simplify-the-loop-processing-of-tcp-c.patch - Add 0007-BUG-MAJOR-checks-always-check-for-end-of-list-before.patch - Add 0008-BUG-MEDIUM-checks-do-not-dereference-a-list-as-a-tcp.patch - Add 0009-BUG-MEDIUM-peers-apply-a-random-reconnection-timeout.patch- added 0002-BUG-MEDIUM-http-don-t-forward-client-shutdown-withou.patch BUG/MEDIUM: http: don't forward client shutdown without NOLINGER except for tunnels- added first patch from the 1.5 branch after the update: 0001-BUG-MEDIUM-stats-properly-initialize-the-scope-befor.patch- update to 1.5.12 - BUG/MINOR: ssl: Display correct filename in error message - DOC: Fix L4TOUT typo in documentation - BUG/MEDIUM: Do not consider an agent check as failed on L7 error - BUG/MINOR: pattern: error message missing - BUG/MEDIUM: pattern: some entries are not deleted with case insensitive match - BUG/MEDIUM: buffer: one byte miss in buffer free space check - BUG/MAJOR: http: don't read past buffer's end in http_replace_value - BUG/MEDIUM: http: the function "(req|res)-replace-value" doesn't respect the HTTP syntax - BUG/MEDIUM: peers: correctly configure the client timeout - BUG/MINOR: compression: consider the expansion factor in init - BUG/MEDIUM: http: hdr_cnt would not count any header when called without name - BUG/MEDIUM: listener: don't report an error when resuming unbound listeners - BUG/MEDIUM: init: don't limit cpu-map to the first 32 processes only - BUG/MEDIUM: stream-int: always reset si->ops when si->end is nullified - BUG/MEDIUM: http: remove content-length from chunked messages - DOC: http: update the comments about the rules for determining transfer-length - BUG/MEDIUM: http: do not restrict parsing of transfer-encoding to HTTP/1.1 - BUG/MEDIUM: http: incorrect transfer-coding in the request is a bad request - BUG/MEDIUM: http: remove content-length form responses with bad transfer-encoding - MEDIUM: http: restrict the HTTP version token to 1 digit as per RFC7230 - MEDIUM: http: add option-ignore-probes to get rid of the floods of 408 - BUG/MINOR: config: clear proxy->table.peers.p for disabled proxies - MINOR: stick-table: don't attach to peers in stopped state - MEDIUM: config: initialize stick-tables after peers, not before - MEDIUM: peers: add the ability to disable a peers section - DOC: document option http-ignore-probes - DOC: fix the comments about the meaning of msg->sol in HTTP - BUG/MEDIUM: http: wait for the exact amount of body bytes in wait_for_request_body - BUG/MAJOR: http: prevent risk of reading past end with balance url_param - DOC: update the doc on the proxy protocol - remove patches that we pulled from the 1.5 tree 0001-BUG-MINOR-pattern-error-message-missing.patch 0002-BUG-MEDIUM-pattern-some-entries-are-not-deleted-with.patch 0003-BUG-MEDIUM-Do-not-consider-an-agent-check-as-failed-.patch 0004-BUG-MEDIUM-peers-correctly-configure-the-client-time.patch 0005-BUG-MEDIUM-buffer-one-byte-miss-in-buffer-free-space.patch 0006-BUG-MAJOR-http-don-t-read-past-buffer-s-end-in-http_.patch 0007-BUG-MEDIUM-http-the-function-req-res-replace-value-d.patch 0008-BUG-MINOR-compression-consider-the-expansion-factor-.patch 0009-BUG-MEDIUM-http-hdr_cnt-would-not-count-any-header-w.patch 0010-BUG-MINOR-ssl-Display-correct-filename-in-error-mess.patch 0011-BUG-MEDIUM-listener-don-t-report-an-error-when-resum.patch 0012-BUG-MEDIUM-init-don-t-limit-cpu-map-to-the-first-32-.patch- pull 3 patches from upstream: 0010-BUG-MINOR-ssl-Display-correct-filename-in-error-mess.patch 0011-BUG-MEDIUM-listener-don-t-report-an-error-when-resum.patch 0012-BUG-MEDIUM-init-don-t-limit-cpu-map-to-the-first-32-.patch- pull 3 patches from upstream: 0007-BUG-MEDIUM-http-the-function-req-res-replace-value-d.patch 0008-BUG-MINOR-compression-consider-the-expansion-factor-.patch 0009-BUG-MEDIUM-http-hdr_cnt-would-not-count-any-header-w.patch- pull 3 patches from upstream: - BUG/MEDIUM: peers: correctly configure the client timeout - BUG/MEDIUM: buffer: one byte miss in buffer free space check - BUG/MAJOR: http: don't read past buffer's end in http_replace_value - Add 0004-BUG-MEDIUM-peers-correctly-configure-the-client-time.patch - Add 0005-BUG-MEDIUM-buffer-one-byte-miss-in-buffer-free-space.patch - Add 0006-BUG-MAJOR-http-don-t-read-past-buffer-s-end-in-http_.patch- added another fix from upstream: 0003-BUG-MEDIUM-Do-not-consider-an-agent-check-as-failed-.patch- haproxy.init: fix reload and force-reload not to start a stopped service- pulled 2 patches from upstream: 0001-BUG-MINOR-pattern-error-message-missing.patch 0002-BUG-MEDIUM-pattern-some-entries-are-not-deleted-with.patch- update to 1.5.11 - BUG/MEDIUM: backend: correctly detect the domain when use_domain_only is used - MINOR: ssl: load certificates in alphabetical order - BUG/MINOR: checks: prevent http keep-alive with http-check expect - BUG/MEDIUM: Do not set agent health to zero if server is disabled in config - MEDIUM/BUG: Only explicitly report "DOWN (agent)" if the agent health is zero - BUG/MINOR: stats:Fix incorrect printf type. - DOC: add missing entry for log-format and clarify the text - BUG/MEDIUM: http: fix header removal when previous header ends with pure LF - BUG/MEDIUM: channel: fix possible integer overflow on reserved size computation - BUG/MINOR: channel: compare to_forward with buf->i, not buf->size - MINOR: channel: add channel_in_transit() - MEDIUM: channel: make buffer_reserved() use channel_in_transit() - MEDIUM: channel: make bi_avail() use channel_in_transit() - BUG/MEDIUM: channel: don't schedule data in transit for leaving until connected - BUG/MAJOR: log: don't try to emit a log if no logger is set - BUG/MINOR: args: add missing entry for ARGT_MAP in arg_type_names - BUG/MEDIUM: http: make http-request set-header compute the string before removal - BUG/MINOR: http: fix incorrect header value offset in replace-hdr/replace-value - BUG/MINOR: http: abort request processing on filter failure - drop patch included in update: 0001-BUG-MEDIUM-backend-correctly-detect-the-domain-when-.patch- pull fix from usptream: 0001-BUG-MEDIUM-backend-correctly-detect-the-domain-when-.patch BUG/MEDIUM: backend: correctly detect the domain when use_domain_only is used- update to 1.5.10 - DOC: fix a few typos - BUG/MINOR: http: fix typo: "401 Unauthorized" => "407 Unauthorized" - BUG/MINOR: parse: refer curproxy instead of proxy - DOC: httplog does not support 'no' - MINOR: map/acl/dumpstats: remove the "Done." message - BUG/MEDIUM: sample: fix random number upper-bound - BUG/MEDIUM: patterns: previous fix was incomplete - BUG/MEDIUM: payload: ensure that a request channel is available - BUG/MINOR: tcp-check: don't condition data polling on check type - BUG/MEDIUM: tcp-check: don't rely on random memory contents - BUG/MEDIUM: tcp-checks: disable quick-ack unless next rule is an expect - BUG/MINOR: config: fix typo in condition when propagating process binding - BUG/MEDIUM: config: do not propagate processes between stopped processes - BUG/MAJOR: stream-int: properly check the memory allocation return - BUG/MEDIUM: memory: fix freeing logic in pool_gc2() - BUG/MEDIUM: compression: correctly report zlib_mem - drop patches that we pulled from git before: 0001-BUG-MEDIUM-patterns-previous-fix-was-incomplete.patch 0002-BUG-MEDIUM-payload-ensure-that-a-request-channel-is-.patch 0003-BUG-MINOR-tcp-check-don-t-condition-data-polling-on-.patch 0004-BUG-MEDIUM-tcp-check-don-t-rely-on-random-memory-con.patch 0005-BUG-MEDIUM-tcp-checks-disable-quick-ack-unless-next-.patch 0006-DOC-fix-a-few-typos.patch 0007-BUG-MEDIUM-sample-fix-random-number-upper-bound.patch 0008-DOC-httplog-does-not-support-no.patch 0009-BUG-MINOR-http-fix-typo-401-Unauthorized-407-Unautho.patch 0010-BUG-MINOR-parse-refer-curproxy-instead-of-proxy.patch 0011-BUG-MINOR-config-fix-typo-in-condition-when-propagat.patch 0012-BUG-MEDIUM-config-do-not-propagate-processes-between.patch- pulled some more fixes from git: 0003-BUG-MINOR-tcp-check-don-t-condition-data-polling-on-.patch 0004-BUG-MEDIUM-tcp-check-don-t-rely-on-random-memory-con.patch 0005-BUG-MEDIUM-tcp-checks-disable-quick-ack-unless-next-.patch 0006-DOC-fix-a-few-typos.patch 0007-BUG-MEDIUM-sample-fix-random-number-upper-bound.patch 0008-DOC-httplog-does-not-support-no.patch 0009-BUG-MINOR-http-fix-typo-401-Unauthorized-407-Unautho.patch 0010-BUG-MINOR-parse-refer-curproxy-instead-of-proxy.patch 0011-BUG-MINOR-config-fix-typo-in-condition-when-propagat.patch 0012-BUG-MEDIUM-config-do-not-propagate-processes-between.patch see patch headers for details.- pulled 2 fixes from git: - 0001-BUG-MEDIUM-patterns-previous-fix-was-incomplete.patch Dmitry Sivachenko reported that commit 315ec42 ("BUG/MEDIUM: pattern: don't load more than once a pattern list.") relies on an uninitialised variable in the stack. While it used to work fine during the tests, if the uninitialized variable is non-null, some patterns may be aggregated if loaded multiple times, resulting in slower processing, which was the original issue it tried to address. - 0002-BUG-MEDIUM-payload-ensure-that-a-request-channel-is-.patch Denys Fedoryshchenko reported a segfault when using certain sample fetch functions in the "tcp-request connection" rulesets despite the warnings. This is because some tests for the existence of the channel were missing.- fix bashisms in example scripts - add patches: * haproxy-1.5.8-fix-bashisms.patch- update to 1.5.9 - BUILD: fix "make install" to support spaces in the install dirs - BUG/MEDIUM: checks: fix conflicts between agent checks and ssl healthchecks - BUG/MEDIUM: ssl: fix bad ssl context init can cause segfault in case of OOM. - BUG/MINOR: samples: fix unnecessary memcopy converting binary to string. - BUG/MEDIUM: connection: sanitize PPv2 header length before parsing address information - BUG/MEDIUM: pattern: don't load more than once a pattern list. - BUG/MEDIUM: ssl: force a full GC in case of memory shortage - BUG/MINOR: config: don't inherit the default balance algorithm in frontends - BUG/MAJOR: frontend: initialize capture pointers earlier - BUG/MINOR: stats: correctly set the request/response analysers - DOC: fix typo in the body parser documentation for msg.sov - BUG/MINOR: peers: the buffer size is global.tune.bufsize, not trash.size - MINOR: sample: add a few basic internal fetches (nbproc, proc, stopping) - BUG/MAJOR: sessions: unlink session from list on out of memory - Drop patches pulled from git - 0001-BUILD-fix-make-install-to-support-spaces-in-the-inst.patch - 0002-BUG-MEDIUM-ssl-fix-bad-ssl-context-init-can-cause-se.patch - 0003-BUG-MEDIUM-ssl-force-a-full-GC-in-case-of-memory-sho.patch - 0004-BUG-MEDIUM-checks-fix-conflicts-between-agent-checks.patch - 0005-BUG-MINOR-config-don-t-inherit-the-default-balance-a.patch - 0006-BUG-MAJOR-frontend-initialize-capture-pointers-earli.patch- BUILD: fix "make install" to support spaces in the install dirs - BUG/MEDIUM: ssl: fix bad ssl context init can cause segfault in case of OOM. - BUG/MEDIUM: ssl: force a full GC in case of memory shortage - BUG/MEDIUM: checks: fix conflicts between agent checks and ssl healthchecks - BUG/MINOR: config: don't inherit the default balance algorithm in frontends - BUG/MAJOR: frontend: initialize capture pointers earlier - Add patches: - 0001-BUILD-fix-make-install-to-support-spaces-in-the-inst.patch - 0002-BUG-MEDIUM-ssl-fix-bad-ssl-context-init-can-cause-se.patch - 0003-BUG-MEDIUM-ssl-force-a-full-GC-in-case-of-memory-sho.patch - 0004-BUG-MEDIUM-checks-fix-conflicts-between-agent-checks.patch - 0005-BUG-MINOR-config-don-t-inherit-the-default-balance-a.patch - 0006-BUG-MAJOR-frontend-initialize-capture-pointers-earli.patch- fix bashisms in pre script- update to 1.5.8 - BUG/MAJOR: buffer: check the space left is enough or not when input data in a buffer is wrapped - BUG/BUILD: revert accidental change in the makefile from latest SSL fix - changes in 1.5.7 - BUG/MEDIUM: regex: fix pcre_study error handling - BUG/MINOR: log: fix request flags when keep-alive is enabled - MINOR: ssl: add fetchs 'ssl_c_der' and 'ssl_f_der' to return DER formatted certs - MINOR: ssl: add statement to force some ssl options in global. - BUG/MINOR: ssl: correctly initialize ssl ctx for invalid certificates - BUG/MEDIUM: http: don't dump debug headers on MSG_ERROR - BUG/MAJOR: cli: explicitly call cli_release_handler() upon error - BUG/MEDIUM: tcp: fix outgoing polling based on proxy protocol - BUG/MEDIUM: tcp: don't use SO_ORIGINAL_DST on non-AF_INET sockets - Dropped patches: - 0001-BUG-MEDIUM-http-don-t-dump-debug-headers-on-MSG_ERRO.patch - 0002-BUG-MAJOR-cli-explicitly-call-cli_release_handler-up.patch - 0003-BUG-MINOR-log-fix-request-flags-when-keep-alive-is-e.patch - 0004-BUG-MEDIUM-tcp-fix-outgoing-polling-based-on-proxy-p.patch- BUG/MEDIUM: http: don't dump debug headers on MSG_ERROR - BUG/MAJOR: cli: explicitly call cli_release_handler() upon error - BUG/MINOR: log: fix request flags when keep-alive is enabled - BUG/MEDIUM: tcp: fix outgoing polling based on proxy protocol - Added patches: - 0001-BUG-MEDIUM-http-don-t-dump-debug-headers-on-MSG_ERRO.patch - 0002-BUG-MAJOR-cli-explicitly-call-cli_release_handler-up.patch - 0003-BUG-MINOR-log-fix-request-flags-when-keep-alive-is-e.patch - 0004-BUG-MEDIUM-tcp-fix-outgoing-polling-based-on-proxy-p.patch- update to 1.5.6 - BUG/MEDIUM: systemd: set KillMode to 'mixed' - MINOR: systemd: Check configuration before start - BUG/MEDIUM: config: avoid skipping disabled proxies - BUG/MINOR: config: do not accept more track-sc than configured - BUG/MEDIUM: backend: fix URI hash when a query string is present - dropped patches that were pulled from upstream 0001-BUG-MEDIUM-config-avoid-skipping-disabled-proxies.patch 0001-BUG-MEDIUM-systemd-set-KillMode-to-mixed.patch 0004-BUG-MINOR-config-do-not-accept-more-track-sc-than-co.patch 0005-BUG-MEDIUM-backend-fix-URI-hash-when-a-query-string-.patch - dropped patch we sent upstream haproxy-1.5_check_config_before_start.patch- BUG/MINOR: config: do not accept more track-sc than configured - BUG/MEDIUM: backend: fix URI hash when a query string is present - Add patch: 0004-BUG-MINOR-config-do-not-accept-more-track-sc-than-co.patch - Add patch: 0005-BUG-MEDIUM-backend-fix-URI-hash-when-a-query-string-.patch/bin/sh/bin/sh/bin/sh/bin/shhaproxy-1.5haproxy-doch04-armsrv1 1733406921  !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~2.8.11+git0.01c1056a4-150600.3.3.12.8.11+git0.01c1056a4-150600.3.3.12.8.11+git0.01c1056a4-150600.3.3.12.8.11+git0.01c1056a42.8.11+git0.01c1056a42.8.11+git0.01c1056a42.8.11+git0.01c1056a4    haproxyusr.sbin.haproxyusr.sbin.haproxyhaproxyhaproxy.cfghaproxy.servicehaproxy-user.confhaproxyhaproxy-halogrchaproxyhaproxy51Degrees-device-detection.txtCHANGELOGDeviceAtlas-device-detection.txtREADMESOCKS4.protocol.txtSPOE.txtWURFL-device-detection.txtacl.figarchitecture.txtcoding-style.txtconfiguration.txtcookie-options.txtdesign-thoughtsbinding-possibilities.txtconnection-reuse.txthttp_load_time.urlpool-debugging.txtthread-group.txtexamplesbasic-config-edge.cfgcontent-sw-sample.cfgerrorfiles400.http403.http408.http500.http502.http503.http504.httpREADMEluaREADMEevent_handler.luamailers.luaoption-http_proxy.cfgquick-test.cfgsocks4.cfgtransparent_proxy.cfgwurfl-example.cfggpl.txthaproxy.1internalsacl.txtapiappctx.txtbuffer-api.txtevent_hdl.txtfilters.txthtx-api.txtinitcalls.txtist.txtlayers.txtlist.txtpools.txtscheduler.txtbody-parsing.txtconnect-status.txtconnection-header.txtconnection-scale.txtfd-migration.txthashing.txtlist.figlist.pnglistener-states.figlistener-states.pnglua_socket.figlua_socket.pdfmuxes.figmuxes.pdfmuxes.pngmuxes.svgnotes-layers.txtnotes-poll-connect.txtnotes-pollhup.txtnotes-polling.txtpattern.diapattern.pdfpolling-states.figsched.figsched.pdfsched.pngsched.svgssl_cert.diastats-v2.txtstconn-close.txtstream-sock-states.figintro.txtlgpl.txtlinux-syn-cookies.txtlua-apiMakefile_staticchannel.figchannel.pngconf.pyindex.rstlua.txtmanagement.txtnetscaler-client-ip-insertion-protocol.txtnetsnmp-perlREADMEcacti_data_query_haproxy_backends.xmlcacti_data_query_haproxy_frontends.xmlhaproxy.plhaproxy_backend.xmlhaproxy_frontend.xmlhaproxy_socket.xmlnetwork-namespaces.txtpeers-v2.0.txtpeers.txtproxy-protocol.txtqueuing.figregression-testing.txtseamless_reload.txtselinuxREADMEhaproxy.fchaproxy.ifhaproxy.tehaproxyLICENSEhaproxy.1.gzvimvim91syntaxhaproxy.vimhaproxy/etc/apparmor.d/local//etc/apparmor.d//etc//etc/haproxy//usr/lib/systemd/system//usr/lib/sysusers.d//usr/sbin//usr/share/doc/packages//usr/share/doc/packages/haproxy//usr/share/doc/packages/haproxy/design-thoughts//usr/share/doc/packages/haproxy/examples//usr/share/doc/packages/haproxy/examples/errorfiles//usr/share/doc/packages/haproxy/examples/lua//usr/share/doc/packages/haproxy/internals//usr/share/doc/packages/haproxy/internals/api//usr/share/doc/packages/haproxy/lua-api//usr/share/doc/packages/haproxy/lua-api/_static//usr/share/doc/packages/haproxy/netsnmp-perl//usr/share/doc/packages/haproxy/selinux//usr/share/licenses//usr/share/licenses/haproxy//usr/share/man/man1//usr/share//usr/share/vim//usr/share/vim/vim91//usr/share/vim/vim91/syntax//var/lib/-fmessage-length=0 -grecord-gcc-switches -O2 -Wall -D_FORTIFY_SOURCE=2 -fstack-protector-strong -funwind-tables -fasynchronous-unwind-tables -fstack-clash-protection -gobs://build.suse.de/SUSE:Maintenance:36700/SUSE_SLE-15-SP6_Update/f8a6f5276d668aa412fc4da78d156cf7-haproxy.SUSE_SLE-15-SP6_Updatedrpmxz5aarch64-suse-linux        ASCII textC source, ASCII textdirectoryELF 64-bit LSB shared object, ARM aarch64, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux-aarch64.so.1, BuildID[sha1]=003a5c741c01afa3e6a4bc06592e5d1cf4d0ae13, for GNU/Linux 3.7.0, strippedELF 64-bit LSB shared object, ARM aarch64, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux-aarch64.so.1, BuildID[sha1]=b0585c5de9dae912dba0ad076043c07cc2765153, for GNU/Linux 3.7.0, strippedASCII text, with no line terminatorsFIG image text, version 3.2, ASCII textHTML document, ASCII text, with CRLF, LF line terminatorstroff or preprocessor input, ASCII textUTF-8 Unicode textISO-8859 textPNG image data, 1024 x 552, 8-bit colormap, non-interlacedPNG image data, 1082 x 853, 8-bit colormap, non-interlacedPNG image data, 1046 x 839, 8-bit colormap, non-interlacedSVG Scalable Vector Graphics imageXML 1.0 document, UTF-8 Unicode text (gzip compressed data, max compression, from Unix)PNG image data, 1280 x 982, 8-bit/color RGB, non-interlacedXML 1.0 document, ASCII text (gzip compressed data, max compression, from Unix)PNG image data, 596 x 180, 8-bit/color RGB, non-interlacedSE Linux policy interface sourcetroff or preprocessor input, ASCII text (gzip compressed data, max compression, from Unix)PPRRRRRR R R R RR RRRRRRRRRR RRRϕ-¡Ǵ,systemdapparmor-abstractionssystemdsystemd-sysvcompatutf-89c77fe188a8afccfdee2979243c16767e36450bc348775426797173a9e0d5496?7zXZ !t/]"k% .g1<J>Z˂¶ƣ_!dOc%*!j]_8&  ^٢YK 1oze2^TJZ%yK9ii*[S7:.0biGA<|CYr+f̐;lJ7:k9BI ϢYRa]v L^vE?5g1i"g85'2k)SfXp2S% [(jpQht]ju'jEVtF"0`kihT8Y:A&v*%q[߅Qwq<|CySrK؄ao$S*4BW8S:ӵ@-Z˯A+*z76 $2A}t>wt 'xbSKr+?V[C*~MMސ._2vg=qMP%>D|1t_Ѹ͏ެT:æs^v{g^(káiC!F ;9![/9mAg"?8^ 6|9_Fp>(5&78M6H?@SEqR|sMLoޓLjZ }:%l.,|l05K]~n)#7F#i,B@_RYxQehzWF52S<۫ś8#2߸pğ@xg9@X~z25@Ph,B(dokB,[6!Ǹ'A/_p &k0Cُ^ %(P~ XMέg܌ PZk]yF TIz\ ^oD1 i׾=Fl2(Ob【?z tM΍6\Ia@L=p)g`١-?W)@VH)Zb/jUe |Az11=β}"9IpRnHhfzJV˝xɳj] (M&':I .pvDdl<*"f9]eL x~.0vj^ښ<)V: Է:ˋ-Ai3?^2th[a mW&3DS@V!pɼjsrGݩHK 6ms>Y;<dCQMgrizhh]} c79O**m?ұg.U81)65UGs+_òH{e9%'zpIܗ0:6h'k*@\eƌhV[!Qpyi\7Fq鍐Xv{,Lbhei87y(6nl@IveCCB' p#Į)h[3.6"}쟇nv3K?0}ڊ(Hܿ|$H*^7Nj Jʓ;P0u>fW_˄'٠C767?A'\TT\ьiucC󹻬>Bs^pXF2%,HLCAKh(˨ay;MTϟr޵`yB庨+ly_a@k.t*>L?w-SJpqimh+Xsy%E~&>Ld~ڛpT`;w!3z+Qfw_yuE ׾ D6w7A͏'p )7; dނ PY;xYAsg`8ߎZꊝC;ovpÞg!먕;OH[PdЏHrOL ̲mPբ߂g Ǿ oMNt8cwy;G.W`gqDi,a:97DيWUVZvҤZ8tXDcE.]RLj-sG ݬ !BMzN\sEL>v#NXe%]VSu`N#?F_! vӮWa8m#;em)Tba;R9z۷xĮP 1w#R_"f%A| -xi^,tZc>VbJD\(mMR`~ȥE[Lw&ëncΟIRe-_ëT\QbY+1KʜVzJPLp b No5j (=T|O+S5yfr@'i0 _=Q @A١D/>lmNQF? slM]bd́3˄/X^ܦ#>JT%=ŐG"lDLH{YR}fDfn&dR\pm n8o@L*(#g:CY,Dǖ9R(\RX7X,\AWaL$in .]82{MVvzzɊ 69Jv*qk/THZڷ +JLtV @m9I̤pPLX)JF n#*Y9PYI}7gB¯`<ޜ Fi碑'@:; r6L/ 4CZjWwMC2+?IQ aPCBkl`4ǼTd<BD*<.53ARJL~٢ՙeXqn}<lbkWD/cABJq| wM,' +QLl:TsoVjM ;e<klo-T98ҡ]v r]נK+D}-I?2ÏЍЏG8g8ɗIj S(}d'̈́6NsWݵEOsV ;:,ǵ0Z{)ϕ`AENFWmە<7[|6rqsةeS7z:útPp8}7*Y1"IY/ٳhY-j9q#?]\7}Q#pҬ9zem E7ns~K Bo 5i"(7KgoX ~'e~ F"^ x34OռƞE?地G 39Tԍ*"M2–9i-^'H.G麎59#P.?"Fojf;7Fyvsf@P3Hþ=MjAzŔ%{" Vquq}'z:Z|`>fhD;I$z b  ѼtuYK%"-< E(0zY~LD.f5;$qB8su|EbI } EېKp/H䬷f;H?w|Mi9}`v3”fTBmRuY~qPdM5r ݤF3֐L–O ?|䗬 Z  Y똼#dSڮ["[^L:CMlO(NY,dT}]tu [=.$ZX"˝,󎥘{ DG$XMXZP\\JDS_U?Y +h{nJ4q0ی{9kOed2~ Đ_!{"P>ߡ탆e94/y>+%zfӜ:Fj(V{0]9OL4" TQF[VUg5Z f n`F[xAHIv(`AMܐ ⎬y%R_w vӗfBgL̶jq*e YT ؐ@g%2q7!肽*bOieDaXRU]U6i^SA?'5*!7`>፴-9B:47~Gy>).d3»-6ʒDg){hn`:VQ`}IL2i$F,׊5o"r"|uU1$j6_G,p<8\h n \aVWzy-]#D䑖/R,b41B/q=;uDP goY,"{:λ_u}4 Zք^,> WيT]ʊ\i`*NUŨl~!+:B8a^q_6^T klrn.lØ%r)!u -h RpsP[o]gxGx/u(zj㞶>w!0<#尛g9K &[e^uLƯ VhhE/23ɞZɒqq%"kδ4_\,iE4/lqO2{C݄-g>8\kr//U.k,m}e#7)%3צCkv(h`!}Do eFMw1*|BzR[4;ſ/o5FAW~:COѲ!й?lSű#92n> ~ v.jm8y[SVKJ5f%>0[jd[U eIZ.,O6Bx܃&YAo6"ИnW$|ֻh"mv2{Q\yyjvcqoUN0HLV_訋QJ 0npgS;!XȂOHJ&_S "*&<-L6qJ i%(ђծtGb5Jt$=" >aw+{>Ѹ_QAp.Qq6b gkZ>ULezT/c<!* W۴I@(=A~0$O)ERWԊNWmL7[ i$F$gE1V36LdgQ+`yao;K: '(:)GI#v`NpR S31^$2Ң Xߵ18& +l~gj2LИ?_{Yy!.Ɖaw~lSdє"zv;ԙ !g/E?po-gڋJ$d{!)E T ̻g8a4|Amm֣L繥FbR270pU{?ÎX@ںJXܧdZ76(+xͦ7֊tYZ<1TH*xsD9Ք$Ȓoީx%o| h[]0hIlg+0+Xss v4EtÊYSpՄwV `)Oߌ$&ca$l4:RXvf9WeGHr\ڙWfOخh]h4kOñhK9G=:Lؔy [*vvRy5V(?\(i-oRMwE>R BHvV悰Ω"& eNb\V8f&'_٢PQX(*o ql;oV鯭fFxqZ0̚WY$V_Ij V艵G[L>-] N]DCڌCagkd_x4l K^"q*-Ifs d$#6{01* f@ 24~xzg#b:5 c0K]b(d"4/u\]6*NoϥJ|w–Vq}*9o=5i%ds"씁5-7 Ƞ\Wid]zp[FM"%ZGx"=/$߶Dr^DŽz&~B%Q;P~s87ٽPzѻHB QweZD.|WoǵQT7p=4Ą^p3dڲSlyFjKRB ; hhL|qex;R͙=_ ‘"eA3F;Kq:JfhBi`2`vLw;yn .> l vUt+oX\gKiB?Vq2pU3hۍrdpxb\74?1TD?NO5.-+(٥ɭ#syK6\ؒj'^¹wϝNv."z4ػjP{}Ŧ}\|0;â>W74{؜wqnrc*9mM7JXQzŠ%7?z._{FGՒzN^K$#/*~vьZ+<( Ga@&R:x!K6hJ@ S۶M}<7`CSGk{0`B] ?u9%FݞJbIa,ըw}ԯYe?eԫh?$Vr/~t37!MV:TEY2$$7.!&8Oθ@;$N˻'aTyzVJU=+b C%%X G֊G\_^cxb@M--ag4 %!sv<_IXwOVaL0x}aʴ;A fv&㮓qV_@T(?'x~I;Ych%;JpN(Yi껧0d0U9r(1`76vWی4%x%r4Z2s W,%5OdT&' :/(8s[ybsNӂaS8mmFXaчx=:xp\;|K~V*Ni*MyT| Ģ1)+'%Z;1lTvqc+RKM#.xM#u8?L0a@p?y/G˼jne4K=7R0=!]@b1sʄǗ7-`2v">O<3}jXҘߡ,1,A.Y{XtxG@^ f#Evat$;e;",k*֭^xE3z;aZKh8V3wU,~;Ta;K:,jG<UJh\zCdFz2 "]3,{W^Z\ԄD")|# b69P8-Y\?BQIi{@TՐmjVnONNGjW%PMc-pFl?N?< x^ RJ]Y٭dYh<t㶑:21>*3]WF ;paPN̒JnF(RZ+\O0 V1~7φAR ΂D5{&rI#CaSR;~iYq̛^{YS3P=O|26! 0csAxWoy6xM^2om(L6u`)P踾hiVrw=>l/ټڐ(7(!lndR@yڡ:>hi,!|[ lR.TgA4I˪cRQdTh;5?9z^gݮ0!ԷEM\lKcF_pVИ>6f8No{s?`:e 5^V=vJN1.Aɱ#^0ơPUۢ Vϸ^lHzm*TSA/yB≥u;(֧,njy 珒>AP p^ 'kf?͖֕4fRt ?{.y +)MV?l@Q^zl1 QUJZ`Bm΅#<]Fu2ۛ_uT 74PcMK㐊^Zq4tf5]]00_$T;ż.Gx"F\ӠD$sdrvP"Ԥ^Lr zFxWF2Rgh*maQ¸W-mZ~kBZA_%u[]pE_2&8su=:*_-8Vew 'C[4:A/t8i<-vCIl!;Aǥ2:u+~G Qð_imdGr2ݔj ytedcV5-"lN:0 Gse`#ͻS¬UX>xY! kGyT1Cg++8պzfB׏У;Wlw .۳{]AVTLUe6SzC*} Ǭ},O6vnѺ#U!K L{z'Z8xSH:W*]>i(T 6#\ZqfKtW6 F!|>9B_;{OڐՉsufI۽1_$fYoK'BU!wEFnLP(k)ylw#ܓݛ}@v].۴Kv1E( ODܓNg*WʛE>œfF=vmcu PGvMDlk:tԂsA"`p9D;"\CŽsJ~K;NP~""{G4M[7 L xi`U u-]'㣣%1mxӧPWw.Bj8t2m6'[(Eb,w9ሠobAΝt`ցD(;&JQ~"bn"(;^!o3"% }@c>xJ|x>/I FlD[x3 ::gBh `NGh}Qt}@q}VXޏôxƫǍUl&=#!ASHM(j'l,{Q2i\_ۧ1s@ [S~o$E6D<#K qz!)t=mDE~AAlBW) ̾r֮Ry=&o/x]]lJy/L3+OG(Y_+j}aq:8xk,(&-Y)W2%9yHҬ ў ,w1%L慊 渱%Xm+T=}l++NL%Y$yMj!{ iWNZp=zO%%)26B$MTwտ_=VAcSÛFm@E~_sbwSaZƻ9g+(&`Q)& oXʯn=7HHwWhcr1e(mhB{L&Mes ] Qf{֧mSEj%-2%~:ޯ6RɛI-ԉ1,;)h#{5㣛a5xr;%Il֜,֧*fj蔁.#cin@A_L~%vt/\mH7;{'!8p"ь-_L} ū%25cTP)UJv}%f*'kXSS?/3ЌՆFL|; an)p撘_@Q3YX t2\)U&k罆9;Ð0K?JMN\[s̍2m"Zx["|Iе63< 9+rcnVٕQN4anBn{W|rM Me(+rw2 _GmA7P"\^םƂ ozlsn\eSN }Q֭:kIh!@X:.;ۿ}m6]xϑM83C5&?=WiPH3g)-͂p BRq-y)y阮h\=b -#aE ;Ueu]qKMaa4'y ^=n U|6.x,y5_8;f'(XՔ3 8([VwBB&FL $Njk=oڏ)1Q[|+ʾ9MGtUh6 Sj1Skg[DdtaX2 2}@hΛRj]5@/|τGOhNwx5Q" h> ئXG %>=Y6< it'~DSulKBC+AJeKjYzI!sJp𕱚 4FepySH/Fa\s6uN%j C 6Zxm;>Jز2`ۜg{16ʗ6/\wEo㏍lsž#`7tKO 4V_J/dJ#_1,4|4b@;xc6\г?iBk˕L/ |P?yiK"Л޸!f_gЕ:owN'/S 49H++T|JgiS߀5=-ozT(RT1%ܶsMwtVmPF뭹*1O[2n- 0" 1ի⚻gy,(/ 0H[9M:X o6hwnD}|9Lt:%tKK8]8f)Og}+Yen|%xklGj7Ayk|wqs2013>18F֖?S$DK0^2-Cgc " ,RVoÃga Ξ߾}㩝xᲾ$=z*_:6<_ɡK[wNy,~?#홧K;PW+QMgӜTC{A5Qg?yWSwA8?| UA_$}i>ngm.Rٮ1} 63ndSRX̘sLŸ~ }P;.4:?Hr2n#egڲܭD/8XT N|,CN2,d$LdT. d\Ud̺\4x/ W֯*ĺZ3_};/|ׅ8a:b88ɗ5+4֤c; @K^{bm(vx1v xj|y*5?&cX8%.`TӍaB6)voŦXLRC ?G0DiGm#ٓ[|׏ʻ&?z]uQG֯VyXH qyhE-B7"4Ba,Veʽii .ڧ$ӕ@D h)[1e\N-sc 7(&B}=)+ (8iXSQḥ,xUWXgˬ ao8n`_H١3ۓrsz>dlhЂ\x)(߶ ,>~ 2T +̦?Nԓˆ$-R֔NA:5ZvoDw >y~ȵS1>lo&[݀D<?ĥQVp3.b?YCc ~uFf%]ȏDs~3Pd6YAkXGpmkiho_Ue@6]\k yS r5c h'&Dk'@!5 :hz"lzHhQhoO7x9j6鰨\)h.ʹc3 Y @vj:scP$)TGע@r@/?  ݼ.=KB)Ń@?0mFr2mFn{kt9eIw4q/+X.RiYX 0.f~k׷hf>~q~$ڪ@iYy[Ut+zV*?H%[ew=mEK'JqjW" :a[yTrt#gXR޹TXUTsQ8Bǰ×G;>Tdxk!b{@x#E³ ̕W*aɶ Y\m\Vc1#=;"¾\ECwlxkv慦D1 hXg;#$[-t\_m#H7y4=WZ2/^*<\̯S+tRh&cIHַ>-߮hcn+큊)ZS)ƎCCR5ǩ!m5dT/u'=. C'\*LDX x9h.n|Q5{I҈V#BJH @Em$ Py/ct:=rtfzσ LԈv:W̏T+_xM+o>:xy.%ɩX̆W4({4ΔJ$ #f}tk웛.vu\2>F0*":+jyo"KBXʆ, D6!(0#5JyajAxEPBwr:l|zN<%*\p^Jt31>X)SVke)GgA;BʌO$1iv(֝͌Fb oGxȾIpݰ1r;:eFs} |n @'q!nN(uTح'G9`?xܺc4"JV9'N&I 7M#ghF]Uǚ !{w py8LJ>p қ: -4z[' /a'W94/8Ws$ҧ0٬A9P)W ;do)^^8ei<U/ qH,#tq8*QS [9hTh?">~"EY4 m Y'?i/Ho?ʠ8=^EN ۃ91{Q][h A+; ,M$]q@͎-KݏYYc ߡ/tAhyOf{H. H^5^lgML/T PS -kю) _H5k g_GP :-UQhͨ|_-(E"t֤?-{ܣ'mGVY$NH1UZisyYdCFpuU2CN!,QG˜yY7){|^Bmt)ȤKDzN/m#UHvW+WCL;Ҵf*UNI+Py1fxoiEʭ4N& -\m'y=&V^ {@wt2(R;]Pz[QVLK"(L2@N XP@OZX Rp[b_uԚ!i$r|47JJQtYã +Zh862T29,ȃ:^W }B^0R-;n]2Oz]mG.8)UY toȄH Thu5ةX S:Ca#l\{pKyJ0Ik:(9!@3̔k9c$n~Jݱh_j}7bX4@7e+㲥I5?`ߊBL}nu , ~:^b?ĸ&++9ևr7L0~*L~]7aY/9g/Oronmyœ2}CkƒqeL@$_O;M۞RDj kFuY3`uUE^:xaɊ ɏST`}Xԣ%hJ jb)ٙYX čB(73r)K{ڗE8dH{Ob8,6)j؈pF$0xꙌ=>[,V'g%ٰڲG8Jy$Tx'>F|\l\EI{o%mYK g /R[na2%.M4QZlf]l'> "'!'i)(ҊDi/Pb[áFM 䲻ȕрJ6S! B@ZbB-PM=8@0;jgx>"h<]=veEM}L1suwMX}T yЀp1:!Eg ]oar.J]!*z8 t?oOmze҉?I rs{{ьJ5&E6N,>ǃdhNC{@šbIr'a4r7(P2@Iu:atΟPUI ~K44dA׽*]D7Ss$~bOkB9KoxbR/]qUb-7>%Hpռ+ N,)ۥdA_Y c.a]@/]-r[l:\r[ĆUlL=f.1j_EgR-+koRw!W~xbzT&{{ḰXWclh_Z?5Fe t.l^lᚐE~ {f9"N]l#]}?vYuS~) JO4<󂦈S/W#'^IBI9in+tFBg>LsEdHo.L2餮K_Ԧ4~Tôd*Y[h שUGi8#u%srz=?Raxcلl4vJ[0GyڿwWѣg#0FOL况e0U!| ɼƅ#ZsaF)+Yh)xC,blTuS_s;%5Yc&B^Eזk*՜.;J=p[!nE_T¢X͜lPPfKL~ ţje+!g)^P=c{;y&URK}! oNw Ll+f4*(j=:.jUk]McRe?m+a.%MXخK'>J[GZMy)@λҭ j>s9e ² : ADjmsM8{H`~ Xo^}qzQZKnnʹmlbhn tjq?m뱞?3L0W\!o\y˔"#kᖊa'Attl `UE QK98 8"{•, _z= X5hgkety~"- d N,3~G3=V[S1f3j{Ԫ̇J+--<-x,{*̶hgCX "&+u%2 H1e P;{B!*2KRlWf/ݝ [=/do$D 8B.FL^WX`Bf<d,+z*3PqR:(ZY=A `zgegrE-٪C8_.b*Ro_yĤЯ]u`A\G4@=;*q3 j{YW`(J܆uIX/HAy}TRfP72şJ|W?~q aMxʿ3ۡThs RʍwW.% G}] ^f"To&--V3֗`(1FTgD8.IwV>n+9%xcn8aY\,%L~ 軄E" xV{xGI 6OiGvi[\2Ch['Z{bI=_Xt=/2b1AXI{к$HX(A+a*5T?S[UF@],qF7/L A8CMsb#\Ǣ> ~ k'V3d 3h T#2ˉkCm~C.lXڑ)ފX D.s_.;U1 GV?9-)IP Ȱ+3 XpqZ ;ƼoUڭN"T_+O Ѽk=]|rfN'1S ~ "u]צ\p ,"M<@{YD$4'sʎ5T&2X6ۄeQy|$ Z)l܀ߥYPRat1o8^+m(?ƖXO5%b 81(*3ٌGk84}`0޳ys7'?fWQ3SALZtPank: 8 ٕRqQD3) 8YE_g[MX~ۤ1L&EӘ`b;d]e}DoS/ɾǎ7.Uve$aC r% g7e_Y>dҿ|Lj8L2/V.%""Rz[.!VGi^XM2, rCT|JqE|84AιmQLTV.d4)>ouR4gs 5hpk̶1owrcɺ I;?G`T c+I-TW5_m/=XVgB6ƣ HeL 9=KOr,MCjx+BpP^}P3Qwqiv̊v<:wwR;ʖ\2lv6?(o,0VDhl$si/:$b6ꢥCoP1XD[6$XVf2rڤlRA:~N\*gA:b/\m>3KB5B Hk0FՀ>mߟYmUZhXqime .Ĥ8E  :-ž"]J9G vgb8ч?{QrFJgV]qn 1 l{53Xvvt]gt4|UEFÔv%ڹ|6T΢j)h^ H^SȖ#wx1KGS_\ᱮG9Җ nB3?sj3 SZb_upKu jZKQV_¹G6ٓS='WJ 2 wǎ3W+W.rO>9-q=0Y7OP ziD>.\6pabaT{lڟĞyjq4rnk{y1pOP-Ʀ)ɘR^* &-状$ĿA5BqFމO!C禵S@~caZ _ qKԐ$(J!@WWpoĪz/%zmrEBj<5_I؃AlH0)np>1P=c)ry:] 'pHI-nx71kt%U[h]P$ L۲N­i zkD JGZ54&/cQ{ iSR¡Z l?kS_,ҍĩ'Dfn |v&)"9*-FjeJRS=U>8ca\[vH-$=/@Uc5kX}l`Ss~!ɪW/_ v&pŞ,2`?NLBPvHY |DӼGb;h<O C&|'~U*Id=f4 ŊaR2s&rfP+919X})뚨+}W=,84Kc6큀q$ȥԄƚ]C7K-, r9"A ދjYMZU{knA\#W|yV{k0X7Q@uU~*~`b"2ˬzP+Q 3 Ǵ:zc LpfJ1i*9kTΔ%ar8vHT2,~7<+̪ZZܰ!t1e dE$iRmWrIMaceP ggHkM_J×ȵ51k Zr 6RT e[;0. j]pm]-i{@yTN2[t-lFvC_=Nf˲tg:2EȞ SƯn- J.GcS,/`3vVj(Ĭ4NmAؖlC8_N7+Ј)E<D !`U-z<a𶘉Ө`l yuBꀍI|# wU+l-EYP?9"A*j.IZ0%:1H"KRggj nooU+Xb10gPr#z5W zBIK?r8B"[Z1}ᐯR Q!QLswDf<3pB쮁9΍~Q9VN؅6Nm3OpwFDb/B"5:KuL~$A@q[}KMQbvDOU^K ,`f9zH'2Vx쨑*\ǡy;/Zܠ7Uc#Ѳ=Cf0t> }%ZTu9`YobKz.:1!w\Dzhm51oo:j$Ф2;kA^p̚|eܶ" חmZr׽c M Z1ej=#!1ilߪrQ~T: g P_v> Us>n9~ZմK/X}FV>oڀ6 cq#513^ P[Bi6)u9_aܡv0Aj&j6ʩN5Ib7sӂTR;I'G=?^Zިd1í]"`7]oR&)`}>=LQfX39(Vy'v@݌3ac:ii<+vu`tYI0dـֳFl/]GY5}?+x9<[,Vt}vIFQˮYOcYEK!CR{\(% K'YiSG4ډn#20ʞiךŞ wӃ;{n?J_3 _GE@6Ko Wm+'t"jZm ]Oz1ן.q3ý^\P:blK\>W5!hzSL0g]D S pYy  isGgLVڰcYi6s 7`رO۱Gp{o#p4aƛZ6hlOjo*! d ="4U)0"'7v?ݝX1l}3ľ=;3eUwZȆF9MoS)'R* ]@Ils>e`J[P-w`]NΦNEYbS_"E?x8eJ۷wMkV|ye$Rfq丄V{4]5ٔd;i9w@[ e1Tzt?vj^ѽ[sovPV}2t;>NBvݷNV&*p:4__9sydB s2-RΕv*CH= 5Hv@^of(~9 x)n&?L 򤻒|v 5=^矏Ey&֌BT5d{e ,")3ЌI=E|"a޹t!^+Y\ݼeOc"SQN˩Go5D"[tg،TIɯr\a57 ř{z"M)PqnV_f՟PANB/I?/ ?k61%E= lyJ횫Hkq05C[oWڼ(X0y $x9EЍS ht[mS@IUdћuJLs>lZ?ڸq7v 3}&THkg 6ANL Va?(H3=9%v h-wşnkU,LV\4DAPZ vv*;k; ިVnEu!WO8ΌhDيTΒCe_Q [N;:&Vcџ Hy4M} pMwV!KZCӛ!̷п-eѦ!$]^\ 0;-Y C-g@j;4XeR5Kg,evє*aG2rpTky)q[{+`xFdRz]/hym{Ui,bTq<9wb[nGz i\-_߮TOo\/<3[RM7  $ǔw%KߡCcv3" Fʇٟ;`Rv@ȼT:>d4;Wr_M`co eP YnyɌd*=ֻ([Ku}tx0KЛ%DzE|N`6{hJ\: p-Razcnrt ]HF݋0Cu ÎMKXv$,Moh_Feɤ dĶF/G%5X c"!Nmhcuj7_!$H<806@vE?U\Ӗ<_ށܢX2SEJ M)nէ1JmqS~s%:T8 '>: p{g1~ p_⣅d>rNH^ƻTDY?q\]\e^ ;oGZDީ$ :4`#a&[1q/C-ȑuv J&,Nd)YD2ů_oH + &zs4L^CB~%c%2rq\GuW n0piyRxJcs7J2C2g[㵣B:2QfG%Zd'zyu^yY Ќ )󩻒!4縎䭙YCį?Z(GE׹ݒJ"ҝm˙4DľU$aR .kp>$wbba*JOY_,E`'3JCZȟVO/\2X̥ns~JcJr(!,S>םf CGmɵaxEP`;QYTyo]+ }ppZ0-h-fw-r#_y{҅Cbsx +dy,bLqᵲ;xUU5%G7Zc8t7mN?7n2oLy=8Ce Y^P%-ɽjCCHl͈Q[ ymMZpGV+=3o^˘cxѾܱRy4KĕUj!kfXK3s`xvr5鲕q;,΍*ۢ4eeq+.Eډ ;k o1'%*ogLʏu#/Ā2&VGZSg;%r [Q}3nt |p?R1gr4Qc$F__$̽k>ҫS B"!+Ls?wl%Zߍ+V6Ջ͌!j]?Jt lfDl,v5j[̷{%Lsgٟ0`Iy5' Cu }d0OE#A{y7fK/ `dҬ RbK{'~g0g%vGzvi%4iݫv9 /&"-mbt5't-cJi\ uF>Dh˽,M~sˣ &i qOIGq0 /.n5Գnv7&zu@!%hEL(oB}*]3 ݁Vժ{ _mb.$|_3-) {SGbm9;6Z[XiuZ,I%} _Q`b=i"2%'"R^( 20plD="S;4K%7SItt,|VWH}qfYGs'=7 ]i"} _h #&]_20죳8K?liUwl@B޹S1Kkt.K#QA $ TMYJFJDr=u`@(cmx b_!MYfs F鲮YY6ETtʦF4JQ1 =^ {BuXU;祐BーҞEr~S*،GU*`ixˤTW+K)6n@ ^ +"%i3CK?5&nF@VU6Эd2i [ܗb%,3/it?ԃLB+[|xmv"<%ޣ5s%g:[5 %8h ˣq^h!@WхEΩ#uI%iQB@r'Kv`]Ÿy. + F`tXW(i}[.)z-qhnd8'y(:= a@љD-dzp mivB Q;TєC8u}7+^nPL2Ls̷lt`r*li4uo (F>[r%)&AC>h1^Д1z`"[ k#SPy$W$3+oپkpTL/%;7i ӻ^@XT\O9-^DTY>@Nbǒ5:鎡Zm"@PΡAym2 Ps೐QMA_w6~pHq{=cCP {|SEmkG׊t q}d%Qֹ>*geG[M8?tʜJ `a'g}L]Ss1p~O{ahMQa_\J/XI+} dtQ2$Ꜭ(SW.jqKC|Ng$UIj(ߟY;梲OǧMFҘ7K*0lt%AUYTA9Wcvl-W"zࣿᯑ.#["aLTmYxLPCt&R;lLlTWA{g, >s=}>U ɐ3 ^=#٠(ۇӽ*V([E{gٱKje-$:-!Y\IB)eϬ(ɺLCV@ %CMxyB&2cJ՚XJg O-*7GlꫪKLib+~21k.osVrP<3|F1 `ӉF=uKkq35K;_xγ.I;6CeA.-Vk8fMwmM{= `50 S^fǐn;0BQɠ,9d7.*:UxCLw`2nCG_?FzV#ۯ'f ]Ђ0k1yjKQX%gI8mEE_|\hzQ7Zhɨ4U]oȯ5EPā#:DFUBpE~ H`ͩ&Pv> ~}83,` :IoDN2WN<Ksԩ(w. YBK>/}Kxl3@ FǑoJ|&,_YPo*=bdͷQ}0;m < :/mfy=Rok7~psǹZen<-3ayc^([XRMixBrdP~QdvFoJ޷PHbZ:VQv6,'  ZRj:G[V|B8B`pdl$>'u39 9rW 4_6zS:4qGs\} V~W/j*Rp|!w-!X͕tw%O1y_OAM#bGbZԂM\M-bvg&.%V֖tLlgo rM GN"))vg3܃#N"f=W?Uq sbӧ6bGc˨ ;JT$'(zZ!\>=tjǐ2˜FVُZ8Kgn re3CVyd٣HbO(q<-xYdEhk?Pm'x[fdTAdxIs=/SB!k}w Fmc2ʘ`jQ3'TVf9i|i02(m(0nR}y^d7ZW12H$|W)I&胲#gq<m`7'+Q)IFM1=z3S$,{ʍ+<%DMgI%EA D: a%vy )ZF^;YyCtQהuR qN@^ GKq )b %DEPHSο'`|ES'*Xυ 6lCIP&g[Ebu<(Bl[^8[41^ }S1 ݯ˙=1pSņbPT ;b&72I(eLt]'=@@oflRO7uhXYh 'o!9)I G$F2K񀳝=2sqeʇbI X$ a-͵D>& _+"5)oIJ3JeiX)3[]/n7_-؞q203zIưIBfCS`VV5̣=!h5B76t?)#N5c~ l?[oV%ō8RrBVZ!' o]bG$'gP,$'yg>pqL Egxvn8K$zj O!mDhW.ݖ> EDX <梑ZY:S4(Aqlbv@-u69!>EӼ].Q uʾbA-t0+X_/D?XTfUCXg kr`M`Hܨ?:*sDpę,<\] =A@ Zg/ A+O7PhsD}wVkjnI ]NNrHp#μɲ!^fhpCyƻ2MO]@F5Cqf\5-NnVtDK/Di|MO@ߔnPj&z( 60u4wk;JG{E! ^[MLY[}Tr3v= wQ5ֶcC>@\2+ßr&M=Y1 |Z@ 2 Ł*ܫJr`UJܡB]$GI{_ÒslTiz(#{wѢYj`<7%}>k;tw/D*9u%_rOx5P-6|j;GLXT'{ۢJFX1&-sC$ۗi0lEV4foTL5JEOY2eȓ0f n6zs{[MB!$ޞqE~?.57#HC߸%kĉtUΈΓuw(O!\8w$n[/)$U( nX?sH>x:AP*ąOTKIV#\{i@x%YU d(R 1}7`EnMQ0#t |\p.0Y1D7E>$AZu1$ Xq̉2ט>[7OtVJ82.YsPY~uA|?]6:& sbGϵnrAt>8+E%2+'=k͚]3#݃V5:鹢?p@1ds.ˌ~U%TKݩ{|=3h-TzD4]  Z*]s8CyWΠ;Q3EMDҊ M/4`V5L5[$+x¤#ꢶ)yjF&1fz'ȧq>EeA-AJD:L8 oi+bb(=ZfR&TZtau೽py|YE߁?x!v\^ #Fr;9 tmzEcI=cDL|a x ^$A X1j ;VU auHx8NLGddyräoH~Q8 6w.}ܶ+B?⩼,GUnld⹸TC'rӼ ҺIі2ODދѲa|BR$@?qWrE-/{~QbpM _,)AIgGkU8pi.6uS,j7I ʴJOd470e zOS>"UYF:G 5#Z@2$\27yMd"/.k„;قT-|N-lM03כO 'ӪYLK饎 Dո^ 4@ЂrF/s0+ N>խΗy-6! 3Ƙr]"aG>Gƿ (GE3ے$hp CMn@xkA- *Ͷrj[eDYih4ʡ<k t5 !OЄ/x odi \\(Rd8B;yi5*2>|poL+-Wn3~ڶ^5]91Ȉi4Zf|iM#t' 亂qy51crqimZ L~$qgx,IfW FWɗl0K.֣ DDMfthd0=Z@iwXB9bvBu0n&X?/>'@oa zߌNS\|e'Z:ĶDԖ;!%Jpx|#7zI+JP;T&=Q{J?Kysy :|!=rj~$::׉Mx8Z]6I_RwU,{ 8ҁYϑ!Z./%zLw6R/B<VsMT=%r{Wn#+*d6ސԋ] Q-4A2kvNaK*ȁxwDV֑7I%B{E;#n7>jqacC#l0u7[صrqթ2Ln>9{|,_?,< kRؓA@oZ=gΒKu竃{ԌA0_$\;[CeqGÖ4'4U@LMBtuiQSJP6ѽPFW/!BCV} ᯆn$:4^dB`B'xح5dMqhš-T sq~|XHK}U8k %K=%9{v6:9L@2jN0yH7S׵Jl +8o)t`f wyvfGHMbLid?͘nC{cDϤb>樟p&zWF&xrX9%0|-8/SB9&Rq+Թ%nCMᕋw(M+%p 'Dq&C+5=Eø=. L Ҡz[2MȾD;05bMmiZRZ l #bFF]` +6qXN*GvXAސFjG(H~%93+\p" L#T>˦[1)"H̤N(С/}7HAv~BX֔L;PpF[2{㴫32"^2E D`gc'6Q.GT3 -mdGԝG`Hs% B?ac>&LU}ҩ>Re&6Ѥ%v<ȑ"4QnP:|U1h*OA-]?!6AiF`/6Yġ4fDweZfF_9FGY5Pq0;oW=@|•(Zdar`&2Ƒ5RNB7a71 1DpE =4I+ms[8;({ WI=ŮɏΘ@ZqXҊ#!L?<-@2ܬ~u ~(@DKP2[%'R﷎N{B#q3j d`'"^ܫf+q2@i糕?jq.zX D0/rnp7q}eRySedEi6DH=KE͔\"Q8"X (@^VrK:|'6%q8*Ɨ;^ fFp-s8z[N@%_ݝo/gu  Ⓦk$Xeػwd A^4)<M#`#oQbqMffsѷqef303(WƓ x12tU-{uݜV5EMfDMx鈕[Ut7/Ƭ260?C4Ief;mɻS(0wrpoy>|@4 63$3|>sIˣ|fM=&68c`geqbN+oȴfpiJ[&4V{ ՞3vn 2QQ-/('Pp㰣; `q9LST_w ZiN_w|/. e#X"XK'>Wϔ"OT9.f\ igw&MCYF\ N6"Hٺ3&5/Q>#u)kmO,QU= `x^9K -B5oJi^T쑰rz|ODA/eoJ6g#枾 4׵V8M~Clco{g4(,-XY<=tHzc}!Un6.dKO/ E `x$6NxQ+ԥz;%ر#X-uC80H?>m= EsDSBǷ!n知ʶK#E,BR@1C$ˇ9(9Tdsa̵pz6XFp!%ims$K^݌3ѱGeN0=ab}5MuB=C˻M:0bUP4̂N\ߖ s/'t*tH~)ԛCVpIN/"c(]6KV.'՗a%4_,?#DKAlV)_[|ɷIX^/I!\^@L8!T5R1W(+HЂ{N~Is(WrOir%h36LƗJQR~s:pW4!r9XEgкmhByݡlY+;f)oDŽ/q٨b-T­!d\4L.Q()yDgpB߈nF*(W}:_Gh~ψ[ȎIՀu>{DIusK] 9g~ٸ9І) ݀E=VG#@C b%WR36?$( ѽuǜӗ ʜ,dnSj:}56dO`nǒP+~+l3=Dli'>>1슳(,SqBQH-W7TZS[ "(ouc-t Z t֓QĨU hF y†Vh_#Mák Xηy_4_sAj|/` n^ܻt}"KH$ w zCcF& Ղ£ƩCzإZKM86e>>vB0$ڼaccltZ4Jt0Y̲FC&ko6+~Pc@ga8Tv l[$zGT{W#@tL@I讌b~WSHVVApV:5R!+V;82:)n'aK oʙؘh I˩L SA# +-nG]XĒHRBRb7r.D)g'흳Mb^N(ŗ"y}v_H?c5 P|nnWk|I땲1a!MX ފ[BXizRV\"G[+RQgch"Un?.vp`ƠY#j̧6b$ ܸ]J6 Muak=XL~ᄕmpn3R 1Dp1ɅjlQ}(ґH@bJ¡gZ,}+ .7mLu>dՆWldB4.iRk ָқ M<"AxFkp!YlECXR¿Kt¯=Ƈ)RchRr lB?xԇo!M0ұf)nYv!}S=ԓ;v\H |$r9נOZ0Sۧ,.+OC&;i{7Y< 7B1 nn eޒcxM}Bq\7@;$ߨX'9xj>k{jkGʛCGT>\NhKa_65lf=\;[f`@0j``KSV'xxxL)SK X,~v2jBIW̺ L :(=>?L IJb%YksvN\pC|$:O#5t':.As0Ӽ :sh-{8Qdm^Z7\ER 5IW6rߜ~]ELQYspGu[(7: h7 rsW*#2GVIqVNt0:/Y0@JYL_M=M MɆe9IB.cJ0J,OK6|V(z$g P(ɽZQ!(%9Y{c:E- i؇"dR Cy5>|vMSMNW#l[_/ϙu :9 88f(QXIwT!` /ѸG W‘No嶦*c/SWQzNz\tlǦ\9KF͊.v!lROs+Vǒh0EP9ҨK56&>bmm852aޟA$\vM&HQ;ndA` <ag":hcsJ Q9Bݼʏ-*@c4AЈhw~'>0[mTj.6S|VLX0.upՆWibs# 5y!#[FXɀېG^.nfb&n/ДXU6aҬ1/aNLўBJ,;]M`ޤ5%IX.l*-hB|D >J^YXPxMAgf'Ш4H,ql@uA^a+O,xQ^WLEZ1&y~vnxOg#i M"A:g.o<#RLuswHVxlOAM}@@,Ki:5f\A=?O1Pe\P`h,4#7$.D!\H+7cU<,S("]qIZCiz7QŐerZ98.ɂF9# >+pOU!z]/Tހ3 9_EhF8yS# V9Nڿӕ4Xr;F&h2Hj/F!ZG1=|Z647qjjT74۳x|lfdI8qt۟WoV_[ Cgr/:P[=,3 N_=N \qifkGÅ>~6L[e'IvBThƄ9E|#cEG+̊o{NN_@ 'ݍh-s=i6HA8st`5 E,E0v=7H nMu[ ']Z8:Mv ö`&Ԃ4 HKJ Ŝ,GQrZl1\KsƷRBt5AodIXD.d,p8.\­as93Ї a'ҸPx=9.3tf|4FSP{` TSXb~?o\EMH".j>OLnSVJLm~pUNy8^iJ s xlr1Ws;YMR%UvHV)8?S] [ߗ$0U]|"ɂ ;E d'Ը5IT=5QSk(b0Z _odPQv*Mp&pi\ e;/;nН iR}½Pmh*u.)7:zr9sc,C)bmćUɉ'4b;>f៱$7gTᩤz4q[8`&J%[rP64<۲ hdwT,xDdk($ȧv :O0Pױ{v6ͭDgXUc<۰(g!iҼMy$ l&b/^ m&^cUbi z+FWYsٚ @EtMc$V.Wt-ɶI 8?Iڪ>S7пYl pA[\8YR}9/4(5+Mpx`|!bU)^D|l6 dъ̐97<9U?t.-c5&ݹ.1[٩.˾pBnIv/t)i;pMDN+*C"$7`m@ L}3j>T~ SZ/AazgPY ׼FI))B](,n0*}iNږiKs?/*cXX|'6b0,>\b+ YU21?qP+-pbsT)YF]'YjȽ{R8vɤ{o{U "ѿ~ wSW]yW^@{_uHOIz˺់|F7Rgݟ1=GM [=Ho}Oɶ%NlR(QB5+:{,8 PN &N\SB';pUZZJna(ܙ6)?R qXGж`DyKOBXXTRJ۬/[h ī|X"O.Ӱ4#ށ˴S>qO- XF.\w [mj0hͼ7tƓ ?0÷FGJy1]$p8-!UĚ[GRyF3dQN~ԝ">lo O%A\ANH OώL=?7-#}w0l2DZ3/9J*?Ar :Zp 7hhJ삉3jG26w"m1|wr1. K1G:NSLJ/ja~m9<^Gx_s(YƷ_w~C <JWŭlJE}D7ƋcTV#q1m]`'Jy a?7QޕX vqNe71md%qlOï$cs+m\5SMnwfNt䳁Q?t,1< q( Z.Fód..\X`:7(\X}D *\8]!^e<'n%xMY9XR' ec'*vӘpAk]h} ~QH9 *SCOogM m]^ϼq]33gT_ь`9V\ph&FaDg@J|'LPV3eD)e e6dЃʋ qqHi~K)^K[OM ݋k&ƣkA bِ֗/e?X+I>qӜko즁kB'hZ݃A*#T~Y3լA(0b p>VwX]{N%:,P\*[*®_hZ mz%޷6(vwل ajfγ A6tSY,yKl l\n =|Ep]z:ܨ bT!f&78G*i[BDb'=JYg׎/܊9 x̷vxn42v|ksH$Z ~Vj&j={Z۝44^!yF4I,b >qxBs]yuc:oii\{ǵQh?q/ >-h*A޶<+B?!Jg6ة+mD޲0pr3CM㫁^Ţqքj> Ӄdu-*UgZrz0Џ%3_ӘrwŷL* fW~wΟ! =$tCYiz$HB&@8dC?p^\ +鯞PCÒ⭶#Nd1qb>b}7'ɅoV;=n7l ^ؐ)NNf|ozZPrvS^[r48t*:#>1aܻU `鈪EKҝhNq:h=P3'n--حf iUڦX"NB%cYSlNPiw()uH?ّ†e:󇘇v j3XȻԬjJ6b} C516$(Ͳk"Dw!f^,ĔAXf8;~*V&ݠjBwSkH::ꑦ?YEIؽJWk\V[ ./ݲVoKqR_MwZ:1PT{POAX,O/kʀ޵q2-RA9f&vkc ͙ f 82O\*9麖`5W 0P9Wb!^J؀na1gr<Q@ªӫ7:JK;Qa)}/39;j21PyOnMn-ŏy 9wv锶"<4%|Q XX)UЙOE::\&me$U\eeVӒR֜m xӉ Jl03{.ԄN~ZE\k,+O[}w^̀l6z %{(`ő<_InUʴ9fvzA#/ꊀ8V{ig ͥY&`XnrJl,\~#w 9}S$֝i+5vUB$vD4, ^jW-uʫE=l![qVl闖)t*"a.M#SVtk$Ȅ{Hn])P+5"ZE2rrC1737ݍ]>TYD:CHk_ܳ:HzAuK虯@:B{4=Eÿ &XFƤ z ؑJQ ;ku~ ġ-`yԄr[Ơ2a^+NY~|mgp\XE7ozgXY8m'h|ZXG7U8q~>ѳs>睹'DV_0ub  '9.RWz}x S0{j˴Sl;zDR#!{=n bmAa*ի c"~pSãJiJH&<ΡŖ/P{{)u#(D$ý[ Y&K\7abT%/=M@M 90JD^_%jJNPȭ=FI|51XZ>O>A/XGp$Ð2%@`dEhg']S|ixvr0DŽHAg{I5yhi P85[PAڟ覗ڋbW_FoݑfH6 9|IjubV˶_m`1ۈMans~W.sϒꉯK1tWel.ETPAɨb<|hIsV*H9B 1`.!bzKۅ@JoeM,:HzA_479wԯ# ]Gg `*}3L {fK5Tжo 1PlY(p[yx ۄ1ՠʲ1խ'16nɅ䏉@Nuv{PLwVKJTW 5rÒ1)KOoDS|YEi'% ,Y+B?m7LGpV &Э;%վKætKaZF K7)ڋP+*Rނj\Q!HŌT[XSl22qŵ[.HRk+Lfǫ`볆9h] \. {qS~gѠZ/rbY[xF hE걽:+ rOwzPYRh,QF$fޔإ [0TquHdq R<0VD׳gΒ!z誘0f4֪,dY$dsce֐!p X/=>{lh̽6m1N0U#WKs_Ft鵑 =U(!S8.yz_eD*##!2 gA6I//a~yLLo5N<^'XϒxiN[["xӒޖcW0_2W$?,90O} oa]: d7%+W+Oj+!9s*lI{d82 #nQTA~ci<R 0Cz & t%i\;®KaV !ƶi/EQ/EEy(Ԏ*2>y  ;NGln~,myèrʌ^$Xro [AҬʚt)dDH\ /1!p㦾 KX*.xS`S-A*!8gM;kKkNU<[,u#smmEZG .ZP[7. a1- g.j.w%hX`W:x2@leFk|W$7Eй02ʾn|6niKn]]-z"f$J [&dy*葐-M#`k*ZM"ă/dE F^M.J `N~D ˩8cpE'1 u|l,,M,aEX{l7D S l)np}0׿ !۲͒iSwE;3?Er= }'kly}wwM rU@4f-@vZ&[Rd -Tzz; mS5&,2 HŇWJv{($XuNw]]TG?2.| 2]8H7Gc̊@@ӂ6Ӏ>9QpJ(6u"-vÀ3k|B9Q HSHʂEC.* .HQ7q:́ˈ@уF]P3K#P/렉DQ0;H!xRL -Or RB DN%P#:胥  D\#uG* 2" H8:D#؊iD @-DIsOB53Ex" ""I qb$DI hiA]()h$(H2(2 " z*@-%Dj %$ H"`"qm$nh 8`D$$E"@D dD5@ABEUUYQAqA"AdU^ PPS"SuTrd(H""*!h6"(Q*|P! bX?Yմqh۟Dn:`b~G0D'7Θ+`mk[|:h 8[nO.@n<C $3{cnGtQSc#.}T4D[h\UmcY.WA6_ڑ 6UǠO4pW!hPUP@SwN6DWk{ס XAtMȋeи,x)TdXx3i~V^*E_I; @|$ՔֹyX _N]}nt^H,pż,i7s5 ]vvW}5CHBVhHCs}3oP=~>xiXu+sVN\»wMcE$rChVb6.f82+|,5lj ,K IfbF"FmO>]F%#ISo.4zHJL5ڥC>ʔdX z54r,ň ȲX&m.8h9=c [Lb.ssZp)&YѬmsCY"4Gy'<5 =a6ʁ6c!vfY f%m' q bPS elcHxΎԘtmJ9{.(N5h5 %t5qMep`ED*cŀPP*((\M^ӄ'tyEZ@ϸ#3.E@Τ,+ Ɓޤff0,8GJ[+*+"O-c_9[kר8*{fbIE05>)N6Ȃi5ct=Aãad XocϢKGOIKڅQ!.'-b'7-Ti:Y{?x]7-N;2CFqׁ|R1?"1p/{/Yt﮸']E5DdD\s(!fk!hz Hho@TDb›Ȓ m Z pwq((;fO >^%j~V. 41 X9Y'؈HAQ`qtMm"{x /ӮbȀ-t?dC.( QN%kBɉ"#+~RbY,AX2Sq 5+?̬!֊/?=xt<tsɷrg; _:3HP%@b'b5kf@|!ɴf08>'Ѻ+{[F,@'t{!,Wpm-I hH;nVsv³rX*K; UMAAKiY{>789k<\^ $S6lnk¢*yPV\dD_SgwSszbAC(`-A@RH @PHϩMq~/V6 ə ""Ac:;xG"e5bn Qaw<ZPw8=^O3*{F9K8UC7=eP/P' eZC'X'd;aT*J1rIFMT]M.ct3O{G :r&*t)ՏۮǗg湛oC࿔fX:5smD9 |@(QT>9}qUïK^5IBH& ` =;$F到@0N`SZZ!.Iര ^!Lo8D 1fJĉZ{3OY`ÁNQN="7_)YUiCM\@v&䍢G*'/(c Hs J[mϏŹS42aD O9] ! .TgMυc3hcER1SK0 .0ebS>O'J;]wӠM粺+ kP7U:(r "@D >/3C; ^)iguzj^D`;!uG**S' o$_]2ЧV7V`g($c wW_1&?'Bmnvw`] ?$1?rU݉yZaM\㏍–uPQIGF!p'Eiz]k^_S7m}isNo͇A P@M"GB|"g2f7v(ςOjU,ۍni\Щ9STy do^摌a D`=nm" er,Y`opP >#3=+pSf>lTth1]Hy1Eb yG}Hu^j[(ɯsId7/ "P./u_m'B{ph80y$nu^K4c`;jp2r=vv{*̈ECDgjzI^ 4 `ak]̩7qoWt-wƅ|G6E"T Es9TcjK8yÂWO+Mv1UC}lt& '4g\6P~y|I֗Vk®oWR9xd~s:~K1{\]ւん3HߋR;{fր/߯ac/y܏ SՌK]|0 8_DES6"u;Ru5YdG䝍}|=nu&64Øƙë2H:!n]>_!9N^k'[7:BssK+~N^fssf@##@#z vAr3&]mEuJR Ry?$t8c*՞eess  u v6{]Uނou?vë6E3: Y+I/$Z*Lݥ_eb@{s֛ggl;aӼRTS8'XØcet%켪Kht*PGLpM) 2}}g:9̖+jnY>Ν8m~gn2s[j&umzQ8r[)f i󞞓\.Z!VF<,g7G '302uY  D%A04  fMlQkRV~,kiإ k6ƝB+8I(sNϜ R,`r>?op}˿;Qk*{a a{q``~Nt3j80Dx<*wpM!м kd,9-JH$/qU/> 5 t{WH q$H1$9͑A`d1 Y1I@2qL;0qUѳ9h&Fff0so93i#ꐢ."sohS9588Ӆz `yXo11Y*eFp?)J+?+BrM8J.(8Dt`/?9o-:"tTPKwP圉;+rP/'8=aBA}3 rK#D Qq(t0pN5 h@bl&)KᾧS{;ֵXEUULdTX^W{y<;\ߢݦŦEK8f[ 471M߫D RC%ε:!6Giu%]A4U}Q#@t(~lQl#g|w hc\Apfg{j~7_s?G(V <}C=}Q3͵Â$re4m7RmZ<4/l9~%4 _;Dج}L03屴 /s^z1k#UcZ^GN|fSöY`ǯCsg7~1BvJ̀H3bXQ1k C5~6M׮+l~V׵kk'մlM%c<ķgU{Y>[;,&zLVOU$|.É=w9n>ok%5͙o`I6g}Q@JOq_Bmٿ:;Oٌg15ݾG2HE]z4S&a|{[M׼ߞ]lR%i}4Z0#gM( {"}H8HX(AD{&H ~⾤1`dU@`pTA qJF$Zh8"7=uN?y~y\`z;P !+!<?B&!E (w/S22X  EET>E ,*8hZ(q  tF΄5!qG "K/Åd@ӈ`)"Ȋ*  ӯaӚzfY@@3b>y7Ԡed#.ii%>E#7sRȟ {PN$$ņ&(I*?CxT RE"Uw'_;a r֊~`]NsDD6T] q$& sK zͦE &TUoD3")?gPU3/O G.kPs5 @VBTS$*Z"H ځ '3:1`83hrLN ' >y5ﬦdT CiїFhRrbLP !)!P'5Ah?ԓ%(vq- $? v|n czb~==;)SuH:Wq };Ny7]}_}Nj& oxv"p$(x>+%~*m5cXc ",PRү*QJhbȠ",R1 a>nq~FM9$+ X$I&45AJmd}Fi6qUQsb #EAu  =BG@GRx6QIɛ,Αxf M sWf86|I %O1⿜_[_=V-Y #1s*HR@m%Dx8}.^hyت"\$('PRTX)7t~B9Mݹ1n4eq*b(LLGY5 /?Q A 9Z ^ZOK9mXdԊxr{ ҋWno}ϘXQr+B9XW;sso`G~"O@(oXFI Dw.!LJURc)q2KL-EZz("ȱb*bEUUUQQX[K@ɊxLÅ{}ՂĊ`pb9(#h  UR(a+juˀ}t<"={W(GF%@$$"tO[͆~>ssϏQЁ[ZX-]ES$6!#bŅ^ *T@̞Rjkrsr~wQ_14ly<]2rkR0H ey>bHIDEPZ[o>;&aUK~HV *Qp"{:kMgfŕV-BiYX,<&?#(aƆktky; )"' */s!#~@PWF :z"ceΟ:M}z9~ðW aC;yjumZ$;l|i<1;*B%਩#n[{u|/+aBËP. 1@Tp;X``5PĂu N!:̞Ac9kB%/w@}~V]ؓOG?K.]Hi>a#N/LRmr"29SBhhM"Ox/m-'Z?2}(]=h"d, `,j2rL`imWI؊ \&IW.[7$uέ1wU-#\0`.5)]A<Ԃ#Ձ| 1ԁs0T˜3fT1ADM "0Դt}!a~F^^6D! A9=Nj= qG5ylA95:p|xCo1d ^[J d{``QZK@;{{B٨:$#"iOeY3f7}=a"F VH$bŊlQ*(z9SEUIȠAE(+",+TK15ѻ R.?^R~{}A;,:+6:"*d|.U D$ {(7"<D^r2988nm76۔V+&W0u < {Ȉ" Ӥji]&^dNj M(cQ! VCJ LJg6o[rłi~E}fL;'}L2 s~@I]L-zBM\qM[KUrl"ȍۤĀbSkv`1~1 0U9ԆDNuZqM`uP#*2WoųcD#;^NoS3SQE7ǐbt ad='jkƷb  D cRԈ8 1pG2(psasץ::.Z{]>?;aqQMJyLՂ/sNJϨ13Z֝4}K1P~Ro6.T2J>VV8T/o;^shNkcGmdL+S].Ko96;Za5?mR* ՙ+2wDD1GJ3͑x,slY*^f' +0$ӁJ5  DQ23Dfrd'cY8tB r`>bit_2G6ʀQ\ӜWd"]Ntcit}3C v6=hZ1rBCPg7^/[o-lWdH:M"B,]_p|HT.g霙b"Ѩ9|a{[w J)Tvv+&)&w.=q`~*XJ82D@F;~z IqfNXO!tB0Ftvqݯha@C0^xd_w7:Dvpb 1L2"&*&ru\ ʽ_;]qϱaz:rWM;NiPXl}e۾lomn7aD@4nafC #39ZST\鷖w['7ēv vwOҡGZD#w.҈@&:g:u2ێu >f2|Ȣ jAV(brlFf\E-DD OO& gs>tճ]C=;Libϵ:PJ]9$طq-ˆcff{eڎ``̿Fef%X(( *HLQF cQQTEE dEeZdQTX)YlE=Sț!\j0V&+ B cF%Mu.I8+c(]d 5?T5q5nXj  ND # UկTncVM%-'DRTԃ|./).}n9&\oa]=GOg7Crlh@vbQ@P[if>E2f*c5pObb5h,Q@@{yj,r|G͈QN ckJhIN.渘 Cei&\@|7C#o1H`߃3c$q`*pb9o 4͜# H|6U gD-}NZqJ\5rm_BF#c+]CPC_9m1կe E^'EroQ$U~Ӻ_~RᦢAH*J'a܄ Y%M̫ksG3fv}QHFHdFC/]m񪋥SyIp8<>vfG^̳U$I±O䀹@=1u^ |A,gņ0G u* D[UϯvKFÞW @|,, MZiKdGeKwZGgS㱣D :zÁyhJq[m Lp 㫯Le΂]wӛz~bTb@"3{Ui 54I(q]wN_u7ڴ@x3a®gQWULs0^ZaO`zH"]NF}\/a-$t kTp%1vX6dWt2F4><^kޕ44LrZ,s 䢬tko<Da" AEMjmۊZD*]nMZ OJU3E4ÊR(Sq/\|7[;1_NBkk a*L8X窥bs4#J6n5s' "&kt4rICh RYg|/k/{e'PvNg{ mP (n/Ĥ1!K[iOjr[f" =քbőqm b"+aQR#C&IP *A;IkOS}6U﹕%1jەbd@M9{8)Q]V<|8K[\7x[gò0E" Y$d$A WEy'\#w{_S:Z9op~*2lQ7@c urR~?U٢h1H{I׫ m5+~]˓>+kUKJC+޲hcmF\O #Db(.慑ܠGN|wtH m~^7tBo3P ԘB!ƋڨZ&T6(lsO &>ۛnп 1~|ww{If!]<"6m#8pۏ4 eVȎ>ZE]9~KX,bUp!FCޡℨ)Hsw=~uæA}*dnjQY٥e/A=cP0,]@wt5M~oMxs93h. eizceG,~δM[P}K]ܼ6)3+9A((=+ n!+|{C|/erI@be=4^ =`qCFUB #gc rxLVR@]Us>65iz'tKO>7}{)}쥽Y52P9I!$HͲ%\f=)m|0F^fWCXp k5-סx` l=폓O |:c"3יi.WIjf9\hCriAEF2!yfefEL]8Um:UN!4@(^5Dcc̳Q&K":S`IIx}sOm{`,B rž>^~c;'Ӑ0 G##D#;41(v`\m[p:]zF+{^fss#C}rrKP y->#]Zbj`#PY "d`RJ,r Q*,T* ]?ƠN5M.kA @ Hb%E(˄a2B1y5][});w^/6V,A{ TD@d+E"a5g[Ck=WXbg3D>!c&iS]nv#qrl\lerloM IjF dWܹ}nƥtjb[fVtiIv]Y}vmč_?obQ}r*a/>wCIV}gq\/-V1#f%h̦ p%ۣGgE4։'=5{fre]2q+ &8"1lan0ENg7> BH g.Yb@P@M(? )z>_karR0=dMs0<:L9yDW!s Ė:ypZv;??`+ՐǾ&Wh`x Ն^*Q|eնώ8vg1%ca/[8)L!T\ 4g J:9d@jNW'Kn-5#"`)O*kttgSwh7[ BnУHJ C&d_Su< rZ4Gs|np&aMll)[NVxTDaJgNșՕڹsVOC͢=s& AY+ḪAyB j0gTXdڱ;qaB[)%s]ÅeKFi|I*e\DP s%ۓhpLތuum5[gUG3N7g⊌`BI!!k$"FGuaH*V"*V|f svN\KQ+-.K کߡf qZl" 2Ⱜ:}tΎ*( gb,XłEU , /gqazsW|ƆJF4 qZgu#;X z\ 88ΖؑR"~p`e D#;sn"m4 oĀq$Z9-N73elu;ɝ~anTÛi) 5aQŏ҆c< us :q 0I ,DVdk{>QCCF3M0qwK0o8=_+e6w\fߐ:s>C>INQ+ݕTو3TL\(bX2"QED8NВ֮nDs 6_[;<֓D4 7,sm<  1Bg,x5<; A?/nlf\h ?[hyMFB;Đd$ U[N'1},}Qܐ5܏!qiYw`TC_K "5M*ň;VR0aeKc]WZ2dfӄ8% A#OSO),"ӓbiceߧXޯ| (o!n4#VS2eYN\nڠ-U/0m̴1k8("D:N91zKUqp0k;':cTH(DFcc -ۑvjıqOO{nӗ 귁`1A R޴k}qb4~綱(,\UK& PTAUE6 ;w6l5+7Lh޸%1}"dd%`(0Pe6i)| [fhPN/Nbpx8 Y0Pq/Ϝzj&+z&Xj%F"@~Tm4pt֊D;vNtbøf2ᝯ[/$sԙ7 r(0c"BEfW$t v1Jۛ[8qO-%oL̹/>DRC{G[1к^`f-XPCUHEDfM}#:=D&HzEHos=wh:rE2_=fH/ِ6rgTQk(:7T$Y  DZ|,l=*:zTEc7㑡ԚLHH 8AeD~VYt%D8R!ʶ=EZEAxk0Tj wnfCXdd Ba (   "U 8lo rWx^Fm-, ]~rs^1qRA[Z4q ]҄x !A̜%bktw'W]vwd;JV#u KfmZZچ7Ӥp -N~5f֒ 0#D1m .4eEG-:>_mINj?)AJ=kܦ|uss"?e_ UJlD>9ϨW)J_ 8TmQyrV-,c " J4 r'$0Wu`|g|{~Nos;z 5@bS#JfAO8MFB0 G9{ѲD?so.&APiZK)۳hYҊ.9k)k%kN9 Ygq'^r֓6y3c:/5.jV[ǰaQecO `,,+yY.AQcC@dp@})\kSWPklW–DTUXN -bx[ 66Y9DABJf1C UNK#0BD;"sזsAAWa1zm[kWakΪD$&NOC,tYVG[q:8aHC""1^5׷YJu "e@ gAGCї\p87+Vq@G@J-{ھ" B*8G9qj^"#B)b`,֥J*jnUj4:\|dSl!^ TI y=Ouoz?qNӞi+c]Ni\GVxL-8 D>%`vs=^ӗ 'NcfVl/W|mS{N1L8iku4d4+CyZ 0W +O>i~t`ڨd-SB[8ШT_Pt>w} scjwz,ymNayoeu/.-o!T.YM1gA$!')1Br5S:`7CjTtJ,r*0ZOo4㗗q;Y6a{XӼ6҈ŗah;7#r0nF5Dm/Q`g1=TO3Vz3ZWE00zz^7KjeN'>,S99f0hc-dv=Jw{]n_=f/oߣ}]==gXa2v]׳o=ob÷h9ҦֲRF򧕝o9M~F]^͚;kqq0s:?}߁o.3mbj Wu?'SRTQrZaAC#;6&@?ű1B"%Qj-}gT@UG#kuA1>*s̚:w,{r,$:F,%GVV?D3\G ߷FgzQ3 ?8*o?#ŸPH@͢Jr,XWʤEE]_&m31XLٗg6nmA!MrE:v;- QN%=hėb+dXO&*;~5D^ER((A@ @QG DNU1@2R2%Cv d9Q*g9T.ߩI&$'vv=& $@ᄢ)={d0$3ODVТ-@AXpU;ADGY 1Zѓ  CJ`X>^ 'RV8V/bYa((tdFWeB+ 60($"VЁ #6õ'1L4%w')%ʔ5+xnhH5l9LKl0?ݧY ľ;腯Kp 14 ~QMt-i8pϤĩ.(T@?@$IԈ㈻؀d6j*-]Av΍9 قz8 ?4 ҈dDb|Zm:*UTGa!!H@D$&2Ez_7!u$ěHu0O`pwʠϣs"M+*E'6Hd RrHr(CTJU WYeU PKX(ranfWMd4lȫԐ/,̶u ,'9Lz}xPq |;iX'V9MEg<a r~O [d8I ]3a{S.r`M +&PaکI'YIuC{F9jmD< 25c-K.$91ڢTk2$hErf:KwF VkT3&CYQ[rH\9+Z L.sYћÄÜ 7L:& gHM iʡMh]ͦชZbHxx y JQK0X`heh.)hmF᫃N&&\LMjjՅjc,i&n2Xhrh-N\BW)S)Ehح-Վ\.JPŽdeJq Ea" L1 J貙 dHj&T[4kg,!+dbɳ XP6% q7p${L 'EdY{kRHzzY=V(&fBGJ")]LM;ݽi[qU |iPsHHzZ6&jv|YB>6DBN+$dQُsŔ)j<: #UJ*DNb!WJ! "OYvA`iHI=ΫTI/65P;ٙpH~<@8aDPJM@=&8`R֜- R2 ?W&ٻ9iaj7?Q.7oUM 9٠ Y¢VQrm *3IJft4k2֩j9 RYQzY}8%廇<<'hu Œb& , MfHƕlS1X4FS9f3 @d́XN+XP SÂ^]v1ː:=US ]eUI$JI"zx\p@!$ZRD@54@su[E!4sK &7 !;Qbl* J;Đ6Bmw Oy{K/ϛ0 ;2- Bvi 0!;  QE r>5 pWEBN=Z>SG[j%]RbZQɵO᱿THA@cL7ƻ.bHoW>Sj,"NGd74:Q8~: bh&!ӄ3 Aj57ɵ4z[ϛy*c8rIHćD $gy&ad,X!.ŊN $2d[.mPY'4h[),9I@UdT}^Y&" ̡D0:m7C$VdA$X(O @PgL,!Qm* A@ h)"X 'ᰪO*@IIEY"AFHJFPJ}jXcR<4ϲ3Vbjes1)5)KJ)MdTSd)2agڳ5F[*?i԰ߓzVv2IR%OwYA$H&vu$ I9MIԹ,428;T91Hp!z OBNLȠ*|u(-p5&ewOEoEk'6lK[8X&KMix Ψ/aXU!{(rrh,ZûYCuFE52@Ok63ⱒHD,'@y̝c(OC@Pu0RC.>THfI&E {EF"*6L62Fbזb=hR80aqs NqDt:ёaѪv[=oT[+ *DdL yx[W]r"~MEP^uӧV^L=61w+͝=_l*d5r;yngDDA!<)Ժ4b7źd HHuī&ps>\ov1Oewt&> [T *. dd H(!I'WA] 2gA *Ec CC҇, P~dA jMC$DrEOvvݟ/0 z'#k:6]['.!:I  '42,NrAb2Iv~zw:+R&$R O߰@) 㒇Luafe;BA zR v%F]5ioW!̈́bАēҨȱ'E*6k^$x- \f==~C0Odc (Ҿ[fg=_^'?>mvô $ _4Qϻ.~ZqȠa>Nzc~̊fZ1%@I'ⰘLIc`wڒ HbDBE$DPTTU"A DAd"`#DBE !,"R 122H2$X,R(,"J+,!0VHH`bRHI "`ȱR bQa "A db(*ŀ,1>od.N~pÛ$zz_NeZfT2>LnCea2`Qˡ40bFiTJ.k#bwhEUE$p(ŖĠ㎂E\pʛ>>ñɆIsK"mYC2O%2flD@Re֭Mg 6ld VC $H)PrM ziו9&g';Y;J_9E='z޴p,PO-[EK N?ܥd=ɑ  m>LI3m*7IEĐIX VssC˒VDvͤ6Upd&'xX("" *EwGUÅp~\~(#U@Y҄zGF|$1C:2'AD]ڝ Q)܀δY"tED i@#ɀhCc aDȋ" ꌻ!#"ȇ)3 6lZ 6:qG$FCVݡY;=5)# ёbDDdf'WAYb/kς4;yY?2 Q^{(u"϶AlOkւr_}gn{ɤ `u2ɦ$bsŒȀ$xpӉ.}d]З$AхdubI=Vl>j@[3cN`s2iΆŒ- jlZU{/OpE 6@iHϕa 1'@c,YFD` DdH+&FAHF-BJ T iH% c )gاvjc ayim6r&֔Ux Q j'i @V "AH1bc>A~!*,Dd, qaR ) QV( $RAHLlrBb0H=m%a=÷TgE+kR!jyEmN&{B@ɪۆ@{r<5ΆLBCgCh &t o~zeNIи=큺! 3ɔD-.=8ҥvUq^Pqi Dˁ!X`z}n o>ma FMIcJRD$V l" 1p=^]^'P/[`xBI~l6XN%AVAd xP8QN-RYqaV!3wEY$B,Nfqݳ94s$u0zC!t=c>w[gy?% 2A@`w;vO* |_6 b/y @1E CqY(ʙ`AoȂɫ4yXdI`H(HagtƯx`v10CWeK ш( P媹-Ur9 nҹM]HFo=7/fDp3.A$[LRbLǎ.*|9暞X|f;`ԭ[&?ٴa˃ DjR:ٺ0qgS\@`E\J@U0[/W vzEq٘Ƅ?gib0D7H3؇B#(2Q)R)+$X{̝CM!Y'jWБI=D+0FB,;̇ RQ~p}WC[HcjilR\z>  X<+0yj2hѩ`1D0]>; CXc, snPْqIiLDϱ/5CasLe7hTMS,[̖:kygT*2N+詙█vz̪)*UcQ*COe;rm}mgY71GcEu1"c .l%dQBN:( ( q~: $ ,NJvn,X24U'>x!OJUQYg>IO;=v|}IȒ#_yK$P\Ud!EP>yi=Q9nY& }M(!̪ {^zȠC̦ 'k%b"VH!ϞZ~eVE>'|2'O6 !D2 D A/7yγ ˺_/ r`ޱ@W< g y>^ (u(0o.Iw~b/2BBLD G^~ͤՈl9 HIg(}5˖DzXhT"=O<[\" "ǒw trjrvr9i+aiAO]!B|FI؄;-JԇbIۧ^s KwFLQ{ Oy16[g,pX3 'nWS0\ DZۙπIyY8`W?ճIRC2,;֓]M~ |P @˵&rdý;[ 2xu@ b͠d;!nK*9gS8}wŷ0#ْt2W}NW5xE.6V_NijLݱH7U4 y"^;sMDƒ~$aLpS興T8AT'% Al bJ⁶*zB;qG&E OuMgƣ S] Ú3Ș;@iJ"f| :QcȹWW |1`F4,N3KO0ߠEEt>_-'&9(BH umCHcn|OcvV#|[g㲔Svo+,InȩUm{/ yd3(K!3P):y *YÅ+8,QI&.SؾvE8F3A_' jSRIɨzα<<^n"*.[8qsψ0$Ÿ 8őMVs#ϵ`/.?3Q۞+&G':v `xi6uϩcDVUD&%WjK|p`EH#@tra+Е=5&-`rW=-  7𼞙s@Q0ؙ'_?!KTk^k1Ш7ؾwpqE,Ӱ2Ursa8Ԟ+Noom_ ȸ6q[(3]RE,&ƒNVzRWȐ͸^]iqSM6BZS\pUӎwwU6x:ep.<3N:bdft::a25|8o8C#޳9Ov?ӛ{NJ87//[-Fx=;}ݩuvgE-KG8q0nb#arO"s̅]>\;LO*eN)C@ #PƝ%] J, j]M(JTƙ\¨8H$wR  Rp `gfX}gbH>ԃwh#yBXwf%o]/(c%@=1+yD* A[Ӵlyn\<Ͱٯm{~V58N.|Ѿ&-..dqw/ϏTT[Z@{ řmwA $3|v:0p&) &}d*mOvlq }4^69tZrK5 `oM?jҸq@ANZ7 gFJ"E;QADY|W 43pj"]*A&LжFeXF`#]wNỶ)3I{wݝSO@>N1ېwf:"2m-i[s|e={ o멷 '}ʈ٦F~g PtdIk%eC¶wA]e;w 8a 8Zr#%%gĽ$-^ ̛B7t+!((Fʨ%mGY̬h*l$|=#Г& -ʯ7AZbt1EWTb=~fAYLYxn4?㤦}_xY\?] >]tӃ4Xw[lAcuH߯ 70o0%7/Qu3$C9SP2UO j 7^JRT)@L5MpfTS݅rsԯ>sf)1bw~گ=Q^tv=wStD!;zbA)Emꫜ[TOߞ:.=֓wlnl6]2 #LMüf> XԬP#-fgFnW>~z@e!QbrKAI ] @*ٛ=-eBxĀDs!ܓtqkj6C՗)A.b)ʒ)2,qGNR/k,G t7r{Ϧw *qIpӮ}f Z=_AtyyM2TR:&%Lg#SX"_oS<=5;;E΄Qn=B}:E qxnCC/NO qkZ-ȸˣ4iA/e+9rVT w[b[j+91@C8#oe=anMTkxQP,ފx4I 9ceK}A`E8԰jsb@7G~ш ;,):CmuQauiǙP|M~GH+*T_&cѢngK]Tj̙XlكmiAhL)srZ8WfgOED£K/C* .Ţgμ "I4KBj24ycՀ,B'9&s~P,GQzU-gīC䍤e>\u/jko֘o/cmY靰 CO8 ֶ&7JNkkZ柳by׉n *x"1E. CPk£IKld[j+9W!X~KS L#sh|\*촘bcaJdJI#:ӣɂ)wl7FķrVp}.y{^ U$&? ƸrңOѠVv^V7Q4dSҢޡQ2qRAjhuVwU1+JgDZ#d_`3?um0pdqֺDĉx܁_e;Q3T)O8sH{1_)>5,)o:*$2&G ʟxQQU(-E5}c/t]K4[@n+0O2hyՍO= yyhnQ Q~k } L/*Og7eNFu(f5*'GD%9@dF]3ofJ4,b)Rq :Ԭ佈wf&Aw#iWrˏ9c4»OL f.(jkGxeM?DNᆾZkA󈤏M_GwTlV7yd&AI/-ogSsGdCz՝FemjD\,wHOk^-^UaWm7WHrs93r1o{-奜w2JWn~_3s̸;v{wt!mNmUŲl92˸R^N5s)"Ž}Y M?H;Zc2LŧͽrsGUD]w Id$fWߎOwi%%_6{)Vsq0}翬kdEw?aςcKL)\gmxo'Mdרr zgTDvGzw͕^JO%Wڮ*VyW;$ciūoڱK:9)Å&/KAp"Z#a&8.]\/_uq>P)(L œNq,0({$r#f˄OM-R3NqO"YN=(#OY#x.԰@DnDTF@[93/)Y`@MrJ1n$5Ap;/.J!#lcey#g͓ LMFǎi_@>)FrUOn)`;ϴ+{8Y 8\:_2H|Tb;y*6ƖN3p$hiYlI>]'x;˦ݳ `w iQǂ@O ̬Bdۏ"#u< ,y~-D2]>'abA&Ʌޤo (RhFOe 6EwW:Jk?w1#o>5HlhbI̅~"-!- vgU+@2>F3"GR=fQfJEX] |j(F>UdDщ,G\ȦFNnnt]{yz1Fkkv&}/pnNVA}Q:Zy\K4 䋷$cP. -ir8$RiWiz5:a_BR6%)~]/ڨ ʣƛ2M UٰM ((&0*+6-c[9͙$FuUޝ2 j3/1,Ǚ^Hr26v&Mex5%oLo8Cvçbu"W1bȁoʜm-xVj*>!z+dyzCc5P#F<]|ڇ p_[y՚o5lsY;ZY˒xw3",K-j' Jrܽ/c[?Ky0M<,o͂& {~Yobo?>Y0 ֔f~';tneJstDPP¤maEɔ^mZbwجr^Мg7Nt c 8#иYK_SBBbCl4|Mүޖt wdA*nNKS^(? %Wjͽ}Xի#-8+B|:l 4ʬH¬|3Dr"L:p |pt}r_KS&|Կӡ/%\Rny 'أG Wn*Ɲk%_sK|a07f0ϝI*bt;Of8]cwt=%ڷYGwG@̦rrjPƞH7iVߢ J >+Jڹfqy|[.V7 8 vl0Ǔſz>)u]-ï %WVsrZ8fKjΛͷ+SVT]]Jضp];lqbˣâ CʇJ$\/.K%չUGy}թ+W6vژI0+5Y¥qP#qR>E $\kCR0a;kN~  {F=7ŰaGn~={m0 摘w:lǡU6eA :-T !@.6% :^, {Ѵ-A`A-Wh 90tIa/ӫ?h( EQxzoO 9-XԦXHJ;hB[*  rm--W9cvkEƴ"Hh;0cLn wNCWF qXp!^ȇK}OD7PETۗl7mr6~YEaBptLz7Q'TXhAT@3m3>/bow`nnղ<6g"ZGa!ޕL~^!)L}7>5|y|yVÔ:KAu{={\?.?Um@8l߈+(%vD"u1_ErJˆRA;/ 0TRm>llbs=G(bƳzȪ)D?oCbL@1TX""cɡTwG{CD;xb(Cvg҂G2 Ѐ+z{zx>4bA>Ҏ(!zHP&`/CkS6Wl`j2(""&" =PG7uP50\"eASAy# Ws6QH~UOԡUΊ C'w=ymg#PR<(1EmH@C{>4& P6dq}PV &7iI@\^QY_oݏ{CVOŅ갞c7/`},|@gK -Gt_j`yI32W{kϛh  vp9'[[~s $΢{"&^EjOmkP]zLˎ]ȴﻛfɊP_Km9OW:8סF(;å6bq]|؟,*Xh#Oϱ& I]Uxu$bB:x:V$jt49CW,^%ٜ .xF#`f&~?lqdj'4_ %Z!~,t=[Ra[OHk>3QR,kon7~r8H >%L\\O'?W=='!ٌ 33쥤HPkmWW0+qӟ?m7SڥK#} 7\o4o2K&YKCw/ ?5Q>gHzM.$ <9>$hXl! vN#ܺ]vA'g8h\ ꙺ<.KZm|ߕ?RT7?W$XЌa Ѻ%[Q.TWI1у7p(`r LP<@z7_`Ah]:so#>Gc_Iݖug?)up`hQI{Փj2-PcB`Xhš-e~AJrԝfG;IH`C !osev9czO=߹kb%A'DMt!U^~p𣑍 `eTdWEOX(O*\hd)D3>~=QYrgi6f]a}#릫j8j5vWdxaNw"OĮjVnA+/aBӱCDz4Oaoe[TJ k,+j{Lj7e VSQϥc|AI9v*FS|m Ҷmx[>R*oqG|h1-ddMI-8TYH(#JF~UPBCgsYCmo߲T`\~^+݁ {K3ϴw)o.F!U ˼Q{,2(U&lKW,o6O\\t;#hoB1uݳ~ZFTI7 d-_Bimxd`vݍ\!bt<ڐo5߱dےIo/oFBn@~s?/ХTgl𓍛z2[G-=IئĪ4M̬MFe 3*b4*9J_8}b [9&nt=VlN>~Vap8WQ ]dϭV1m5f3$4K?rO[CVS}uh/BEH!K0j՛6k n0]T.*"}Qcw :1=2h\Wh?e?al1LV5!~[|mRv[qTbfks 7e!PA#-涒G KNj4.S50/-JI0}?R8@47kOA}Jp(Slꇻ$M/&=:W%vK.I*ٕwjy;vsvF^)k6 W%0qpdTlA(BmASnaRxN<ѥͣ[/&)$c'+6Jjc'ٜp !M0qbcIqpEFn{c}~ ƙdÜn3UnTzT9r@|nӪ9\Vdrݘ={*>@'ǛIqF /;RĐ"n|meDHwx꘽q^]:X 2v_I&0@N:m5>S"l0hUGr gI:Z .p41Ϙ G.\>{1JxcJ#9vj"X/2ޤ Zs$Ņ^w7@M2Pcv +.hϓEǝ`}Ԭ<-cBO9Vo|F1'aˆ7\3\5b䵹m}TV\19loRԜȑC}C?w-.fWS[-_wtFTó%6K[#am|D?.1 yڰ1ر`Q& cǁ=mlsύKW"dhZ$"Grz0k- `LD6 jvk͆(D RSw,1Q` ?e -Y R$ęEC %IGi>,ggP~/,;Eؐ$ |Wa}dfnΌXMH}x#n* Mw!Ɓ TbHEˀ}Y/{%h0dS}RS rȂ,@p]묨ȂuyE + Q,W~T Q^,ER??6(?& #(pDp@P X}P"uDOog W@UV!TqE8#!H"G͐w>G3o}οby*T?F(n ). P< Ut=D?!t.W{0vkA2>LuN?W5/jGD:β.GWNP 0gQ?Ɓp Q8+ecBF\.+z j#qPZ]i$BEy)CUf_S_$M>m>fݣ:sMW5T]IW'͟r}f=tEa PpQ*4Ydl1^֬'Uct{i(6OVkpO;K:980[uwLQ2 %júਧ~ONzmN?Ɠ Y5w3rKFLpr("u68b^VZ ~sRTKʺϹɓaMSdzG<7}lw /S+?Abς~R0*Ay7lc;6j ̐0P`thA!(Y~k242 O [iFb7) K:1m8 ґͪ$;˒2ڏN^;YD)xQyn y!t79}RĚW!<摰QpAU??3J]M|+@s( s𦏃W1|zm+!p0y0}9KQ[2G"!*f paT_)&)q70t/zD8L;9ae|lȉPjbM92?8ڧ ?TJe-7+%Q ީ@% '9,shG$!.|M _)u r%gYV Z*uhāFmy{DtOZ,ǩrb8,r;YtgTq+dQ^ 3x~0~ 8si҇?\r`km3ǺJe1bIYR[Q>FAH-˼;z,NUcH[=u{]$=l/ʋ+V(([RT _ldSd\yuh-&N5k-:B}X x ,$j4bscޏ9ŠLm"3 4v.Q*}CCafY5*nڿK{@ 9@\̳ԌȄ3 #;7\{rl@d8;\Ne8Ł^+sb߷No*_zʲj}=j.jsf>T)f&)*2ĹL[O"^(2}EZuZB*vs'U^䨺zwR٣2mMK8`5xRVqk Khz"7?>kjZG^cAwMnP$XˑnE|5VdLV2oes-\ꑳpȢh<72 ;Azw:os,Dm6hbt5C smf>{M'fx|x1w$JZ|Ё?ް[}j!,o<~3 QȬtlU$jԖ6{\}x`}Zuo( xYө^ou34soY3I-(mE H!S &2U(3棻?mS}tZ :܃3dŸRS59aF<`H0q]LNYlAdѺ(c~Fs6?>g GsP whx^v<`oz:[Kwcݣψt(*ϝQayz،=^_>okuԂ}"<i+D|6@Nenm?XPH!"[79f 8|9#'~}|y;]!2o_w 9Y|n?y2+hz$^oܞxs(qS? c$^U RŢ]aQOjQ-1?࿲ϝ˛u."zPDA 4Uvb(S6>>|2 <҈l`u&Ho,xPBs+?a X|H*+誻۩_(>v ~AM8CDR 1;޸Uɲ /ƀtD=yx߼ޟ{Ո(~Aџ(>,=q@")T" 1Q? Ŋ8"#A}lQ6O*"7SwI ^E FÊ.>Q+b➺֪`F @[EBXumjqɚ3nOK Dz؜4m\~lScjFi}_o jmst;7]1ͱ @>wߥׄ{$l71߂y?g0ߢ6._@i~5 .azq5svX6Вvb5^60ZsFRd+՟Ypm@wL)bнlUE KL`ԘNz (F='9mI 1<:fm<;0do6Iox2q9.]YwO,$'V)>fNb7T~HԤbsɭ2!hU+(9e2 TEOYY(m!ī+?fӆpE DDqBQWV6YݛUZ`HpM];on>ҲA\9?Qŗ*'3ϟz>> oB0g`F2Sלv/U{ɾPy8XF2 E<ME7ddX./hf-] 7.A^5]M5$:EbRs@mn MkѱN%A "}ߥ)emƒlsr!bn~ŊTXs:])@ ;pe7nCnĺRYF|D9W'f9Rǃ7psޠNN||G\?hniV{ S96o5)RFnæq?!qEnӼNA~)me1o8&,ݩYG?MEd#aJ7BǨB4Ch#P -dAɂJ:N.Jm pq~P M~6v%YV/3V8[s'kԚ⊩$Ce}̂.j` 1gk[]Mnw.bKyLd@vlG:kON7xJVjHsl$%d>J;}zkM!LŃ ̑Ij5܁^ zmVyMXiҩN0qiJY{bp93 \25UBQ[) qU>79xVWk{E1OՏ|Z/| Ƅi_jR uj>3f.z8n7~/%8c=bRJ8pœu,QUgqR&ں;ƴZnꢬ;u7l У]_[V>/dQK><qc2ܝ2 SY3e2Uѯ >krad*?dqiiMD+u `Vy񵧍zK6>Yw,SuqrT˒L:\'AtJQ{w~LfcZRJ箢QHs%TN\`/u(gt)p[ږ:K,J;J**ZuĊWv x%A7S2ZIEci.P1M TZʮIf J o<0G]vB&,t817 _cV.mBFW?Vb1*JUEeXNzPKZK#&0.TY2S-qJ EEFP*d-H*4zHziB SIS̎0 -jT0N27g< ,B1 |!ko>DjHC h=9)K+~0TȡK0#PLt_RYeDxa`0M:{Մ!d..=!va8zZ=׉{ݣs].`?#,[2cn6(?m>_;,^ OY)p͐k}MFآT8%44̼vPF104fwǚm1Dy_KˈǗp}P3I2trOyo9d` Egz `F4#P)NЀ`G1ʌHI՞j"zrpUH*-_Vd=dWDr( _ uY`/6Ǽ, oUbٲr 1 z|+w4'}c蛿GB*z P|NǴUNt` ~Eޜ_GVMweaD6aE""H.' BVߧ%t~[ = @ 3{|pSdB 9B(6=kM.N߅j"._#GWG Jgǒ㛶`* Ãt$+UN'wH9Lsfu;ɚzXO{ |!UͿPs?>*a[ BU#O'}Ȣ~5*Bh5hn4p `׭BCZ >> 2WjV7χ kTda%~&cMM4{N0i4cυiF*(ǶF7m(#7r;i k+e[A\wHChu~yJt>tlfHSj/E.C',1vȸBW/(( `/`Aijq(ڌaBr旭i#ebRͳ'։$%o-.B b;n/ԶeJ鸊tϡ^0õ+_Ve |B_/J< hKp~*Nq,kRCY?KK-,<jҠj;X$w"zݾ3*6;= ')YxhR[g6tpU'(zGf&U1MUӳO­WfޞVk/(,? a/]99 h ,nہ?ºFE37sJ\]$9I372/]*,brYL+͎Yڬ,nޣbLBU[u I?>uZ1d] a@T% < $#Ú˭cF-v8a8Rj%PsǾiNSQuՁ;on-_.JQyQbhgnBvy{<$fS.cIɅ(fPyN3Ɋ&3R; 1ϏrM[y-:ХZ0r<=eqcεMz.+~orCo#46(՜՗\j#DT-JNW `Xr@-WtB!(d40ch霟s ؓ _ $%u65\A|=]H_r "4Q V]}8'|iu9ri|F*``[Q_n#YcVp8yQߥ6Zowh[~~t07!,2.>Fćuu+;(j; b[R_:*mlh/cǾ_?Wqy) D@^ !;(TA~#eRW3V(}OC> T0@ւ>LP"^z!}W;cos߯bqP'Y>Nyb Z~7>lk d#jCVF `3ڃp$ߑ̾Ų벵G#vSw߷o4^ ?M15붐]^7>ؠ5%g1yW78BY'1VBɐH4$_`4FPcq6dls"0x[TY,θ'P2\j̖Sco8 yһhy:۞'^i-Oi/0UY(,"Hbiꏍ _/5|ݍ‚_X(/CA(/U_"TEvV/hI*64w|XdR ޽p!R+fiV`ѽӕ׃UXF(ԑ9?{)$DP{HS%MS#A|V0ؾ" ! r7 6-먢j=c_"tG8JNȺ:;'awcVƦC~/Y`ѫMr\9\qЅJgN*'4m~Eڐ +-qI8By|g@{#v 3$f,B 9c!zq sT+W]`Fz񧦓U?~dV19ئXׄ٩7pTBMc1/8 ,/c84W* c2wP?2xxqӖ2J_gwU65{|=OnUI6HϔsqyβdLR?BSUn#ˆ* iƑ،y|@u5_k/hm-tg2 U0==-m(Y`3j9@K AmUM6cރv'FPϑ>&]dC ̄Ɣnp^^kulFK7Ń&B{N+->># 5a,o'Cx'g扌ٶc_¥#~C*O?ʉY%cl iAX%ZQ"mX_QYPFAH㸩@YH:@T# VݜvSĹ^kFu~M{!ղ9!$z 8~{ ˊk= D6NȘc5kwVcϛZ[6ɿXdC'޾&zL~GwRjFS~@~' slH!d HX;ڰB7Xmq{)pcԅ0<A&`mѢ ..\5 {&/x'P0 uO36}GI$$$+SbI"`| q. j-$gc=\Se ł)/ A?s=b8p7 B e(M|A9!Q  ˂G<>ȃ>T@gՊuЎ|(Tx6T;C/5TBm:z;oL0$Fu1X~ovԘh'.lɂ$DrR,R%|ʑoCoE=zl |Wˏ8vI~`MFq5}8xgBX9Bi#`CP>o![F}mLӒmiT>qKpOgI?o\^{? dDBKaB B}atcFktFUG2/<?|KaX~&Y7lQg6[ARc("S-1RV iAe* *uMYEV$ss_0o}Si|q_ o9x``N~|ޫ%Kןj;'0ߧ vwcv.8#avɡ )GI",Ho>#;n#RxbD|Y-IN^ ?Ś?>ϼWBy9G zeX$D>#ԍ"\oCt#/Ub$A0G\ v~O"׻lѾr&@nYDrg[~6g;mAv%  &>:nlU 1m%.qK8ۿUqo٘U .fv;ƪ5n1V&h~[CjgtQ1h:3mI,L?;["vw8 "6M ͯtzuu|4m͸DZZ_p?X0E4*bۇgl~+nRAG/k&b "2ede [ G9cA0i$f<, 折 Y D5(LaLRE1G}(4RՆt5CωҚo7qfE7 _~]|̝Q䬔IcvYbFh`Dj Yww _v< Wԕ2e87Oπᾇ̌ra{$6]4ګx)G3egz猲;Vk=y-OM|V}b9[oIaVɪ~)ld4֕MNf6鹵|Rak&M55;ctw~ei @XOF:뷪qSagMo&b5}90ȲA W IFkf8xAD˘Dhy.O!gֈ2)R$W1DcYmGf3'Ԛ|K8/JA7/: Rc?A+j yU43{4a*Q;7YYJ88tvӸ< U-TSwJoKBlQ^w2oA7u^"5W,>yq鮕e)Aixl*6S~6 q|8.DU"gdV%e_2,,|;1%$Fse@-KKdL|Q֩[;Wh?[55iII%?ƄqVFci6*Q9K cyd #&]8-"fu.RP{j_1E".vZxNsm]i@a ea&Df : $uD<Ǥ>mLgqNB ֙m)ha;fUHҔҼ:hм;;pCU2 MS6+}˛ܴ(q/_%3 4=laԒ o`eeJ! F ;> ~ $˄=nZ84äwW%;J%@A^}P[=J nƲ+yX˧:uʿ:޵;'}?'W[EيYF% 9>n2JTsA&YRta3\#@+Ѵc/ U-\D^P2 O!MҪX5!7tQz˫C= [Ӫ=|plǽ05^gEs2hbF;9&<{Y,-NU1N,6SeWR5;icZ6aS׃]#B>|IѲiDfi7#65p`#F0 H3ed- nCV73AI+!d:eӐ fߗF1c3N(Ngp$te@0u9$1)!YVi?fv90HT="WD,I@+'̧ D/Sw AMC DI.N`3A:\ 4/Mxaӣ]|wK9>E"aȐ>dP@V/S HgN4:.VK3&@7w~vrS^gm GW !""!tD!ʾqIY^GXJ ava@qǚQXnFy<&qVf׭80nj"Quxu}}cD'+RsW0q0'Zb_M@pJ*H=dwg~/[ǒ̓c?{_߉_TDT MT,&5p/C"X X1Q:pHeue6`+.bm|QuKx.uo[gEnbzuf1 |=y( X|jVm^*(5>g|NS3]ϗWRa`I}ncmm{B'ܶGۃCcq"P 9C>Byfm{LF'Fz/B{{4XJ:T?g3l079͡OXM sɆ{'8h9~.CoAg]߹\{_<߿~ބnO}jvo{}"6]͜# ޴H *@ƮN;z AͤK;;PӤ^ "PmUP4b(]h* $ #ӉE\PGECC}ߧ Yhl`)G \Ȏ+ Pioa H}֖7 ё=t>̖Ը4c; _sZj3I$^|I^. 3ʪiLSa\΁_`MrpI.Y$>B 'ڟ8Y8R]9-5Wĥ/87 ʦNA\Ȃp5wt-ĿB hR!PaB]ٖa-+?ͥO!+ PZ$1lRȔ|탵&q4?k&W_n<F a.p`ؙb@^AҺ# HD78ućOoj 5R`ZG0ڹ0Rt8/g9,08D 'g!Y2e[;|/zwp cwwc?Uژ,H`T@d3, Œ* 4 R۫eY*J?°;)jزXM@Ca>şԣhy꺻Ow?ޒ(šy1UG}$W9Q^ȀyHtP@( $S"H*e('r(|O@= |_^ACenOy_Gfn>^:tQSq=CT ňf#,>Ia Mk<>lM<ƚ* j:Liz= ع10$'~f_d/XXd@0~][Hc{^'ʲD_a{\֪F05^,7UU0I>砀XjsH3oTxG9ohX׶7󻣭 ϙ 4qvCVbT5;~op.s}?U6V*   ,PDPD" XI 6 - ? @C7RM}TqMabfaz7n'I+?' <=ޘu2!ZAPIP$vխ u +4~nLg80;ʩHᅇ]v @,2 # , æ#R4lADQiZPa>-$8"ߙo?z"EE3 &("{<P[y(p@* }8 9gGm|km`}D:PyH$"z"dź5"=4DO\?O0Ө|.YO_#X}IO?&w 1-o|5֡QjR(ƝnVM@⩫8yu'Mzs-* 6f KG_ Rk21}yLHēPF4YNϋMA w(Fn5Kh;z 3;?2X6P-wgXlv@W9vi" İUsNGxCCcmc}حE6>Z8]{i?ybWVbNMT{IA.4ufߗx0t v<\]>=*T!4 ms=tMY@Si}L>w_`1?UAuL`+*}ףªĨ}o/껌x%Q?u#W8O+Xw_"j;Pi3QBeo!aoPn_]`]LRm^LpIJ '+{gYT=z霬]9"|a @WXW^h;w@V){Rwf#,:J ,V Giگ> q:GCHK#$H'il?eTS_K,ZaD $)e J (]A*"!`QU⽧B 񠁗 ,C˂&aŎNz;]/culK$hE:8#pisj?3?SӠ5I+=8J?oz|'oa6.SKg\cdi/ (ݠv>\t$!.ec:d;AHAJ2:C9mȩ j;s^Vp"3׸}_, }?POd;[2|Zֽ{LE Yt0dC'+ބGgd4͈n t=9= ͻзa퉘hFj~߯=5}Z#.vZDQ^gw~ 5, #!  BTYxG+u`7-PT8Ϗ< 8xV8ߟB}/"ǯ-̝Яi}c}6'ELDTSBC뢊:"T. ȠD/HMwAhێF_/>;rLo ;Ρ}4q@vSCx1Cu5:ԅK|љvAŗ8;v3Aj,sn瞁rL?1 9b{In>i޻lǽl/??WB\vڏb2)86 ƽ[?=BD)He˰q JX3~Ԩʠ$𗟚V"σ7I~^ ~TQdlA!1=bRZ>} _+PZi'g4):2$ ABEuh|#嵭B 2Ѣ"kfHY쓚)ˀ3iRh@W @`!_ㅑ"P2b$ky XXyQ Q !f+'v:PfsO@ 3 hP;צ۷1 3*]"'Pjɶ>f,#ih1̽ #G+$V!D$dRB B [Stɭcuܶf7"g&m LL"8faQ R8lc<^鉯T3ٿd( p?\=y tC[Ei6/3^t*S|Z tg[ѣuT9(rzn1dc W=K@n`T zl}b _u<2d;w!9zM4bUs5ɇL,~T@D2!SaLҥM?"/ʏOEv1т.dԣ]d OaIEN}]HQ*sw>4"_yNx&}qe"d[2/j'">o7R)FWQtw|6_wS`^*:J.:O!JIa}0}_ jty),㾎Vfrh02l $\CQA a B'H!Y aXd%1q+=C0/ p4Ħ6}]\ ݒNndJJ[eH'0 6 D0Pv/ ت yȱ :P.$ҼԳ_eχ@PJP QkBB 0oF9l] 3zdoE/ϴR;3I\i3aFgj2,ea:X*3ɁɩG\w=@ӝcX6ֱ'*`$"*b*!D$ Hl`yA$6-8{ۍ)"S"Xoq۳<0MUJ Hܔ$bמloІ-mL5!0A !bX#DS8=`$[ԒS=^uV]<=n0/)Oڛg ЈFp4$z( H "1҈-Gܙ oExDꭟúþ@Uu$+uS?zhjZXHˤy Z>o,qpYq]ޑB7I׼/:]X 3{U\D{f}I~ JK^uS@d$9D5J*H0ܴ@:嵙q[ u՛bf*20b$"]as&$ٛcaA¤/A  _S/x;*zQvKRT*XAQt"Um1?*._==7UÌT xVm$W[ J#%(4Q]G*|kI?B'WG5 QQt*A(*]Ip:Ԙh}*MQۅ1WLw+kPc2O}uV~c; 9D@yil $ -dV5YgjS~aM-Ǖ !>@:o| *+f7/>?ok9:N^GiQ~{z?쮠vdE` F('Iuog(?ѷoc&'t"b՞B!gYfm!u*hƲDX{ن=$7x}V{Q 7zruQFXҀZzñ>n$.{q̢e}@.Wͯ'?$*?~9P"D4" ,XQ;w Os9sRtyVXl!Yf[c+1?tC~_qce:mN{{fEd7|1. ]J|8sۅ9ӊZ*\w4>sH`h/[QDQws*ck!}+) BAk n@h=H^EN>XrwrKaor0&#wTm\Ϊg~i {  ?2yQi*]v:a!IZ`JX3q| t}̶OJ[(UԒ8E5$Q.Ϳ Nky86:,@uEY$ʼn1 f`lۦ*~<=xFG3o#c!o&Qx}ݹ'S[Igm< 3{igNj'[[){A_00`0&oYM(ȴ@wH`51_ura'_29!P+H_ -RkAxĹ7g#䑂#0ᢔB$y; iHj")̚ /"DO4gyc*@c%"44aЩ9cd2fYHO }LrEoFj U$&A@Q`kd_8p@**f0MB>֦:cG%}M#.)BB|HG:|EmUC`RE")UĂ bACsWUMO@\5ܯMo>/3"z"ٙ=DV<+R~,?#W?~'3x?4?O?GaY6oݑ#J,K?>j.rz14 >&k@bA`sn@i!*!Zd?C 0?Xp9R*e`c?;N5 O;6,S[e@\̥ `+,xˈ sA]$,-Pze[B ּ7M#J:Q$WS14Xc=W *HTDAFİll+oý]9i{{9 4Zp&?~kQPl+q(hyHQR[)s ))Oaś<9a;p:͍9H՜~W6vWP|xy菣~_&( zhj)/(3;o밉(~UH}  R堏W6(9jH0@u2!,b}XdW:ƅ癷Of~Koo+؆@0 'F߂49%OyDil^j>*x`",!5( "=,[M5WQˊ?j)C:.lw s;Pl#En]\6H0|_31PrEf42\zY5{e[A qw73ElZѓm~TN}DPTUőb1Q`V"`F$`A$2sX߾,Ϸ>qaa-X3978i}r|/yLvQ"ys8 K#8@&4NbHr$b#'囃Aw, |=Wu|k- ¤ Уoz]jξg8{i/w݊-uv؆[ E,A L |LgX&K(0-Q'Q&/58\"wP_ *b3MCtu?&I~[ &Ak#$T.ţ vgBj!-\nj¸.^ԖwÎJI8%c1/{8H:3Wb@b`}M@pnv8fuuoڳH_81Yuj&Pؒ+5nX{ݸ]>%M6d Fn]?%0Txd Uk}roFG?܎"ȣ,]:8lQ\)n̨y~sdd0P9.5Cِ125 <譏X `=n>m H$ŤhE3\hfdE8w8R̮٘f\(ar/1o{wy?=5^945N`{lt"k׫Ձn0m {:;,7I?!?XmӖo${>Foƻy3IϚRCsMp_8a( t~ڄ"XDHŵp & }Vb^mz{\h G6AP{hggouuټ\6~N> ykI!Nzv{_Y _Y緶\o'D"_uc}rbRU߈yp #)jCvo~UBD$^u)Aڿ&< K1@áw6QqD7?N-;HiϯVKp"n+e^ŽT*NAM~7{o;5}NlhXN|&]5^Ei_*+VB}0z@OT {߭'^\{1\Ўyx|J}%(nvZ}߼Cw f8sQm6)rNUFu(D;ٞD/oFԤ`1Bjl)B23|EU;KH_⡰p+Ӳp94Z9)VLBԣj afB|!VgR }w0@о 44]d(C^xGYθt9Kr펶=w}˯a[ft jwO.p$3JeOkKKp1l?tWzLߟ=WJ4y'Rc1!e @4L.p<3 [Ds úw01jcTH*2Ԏ2;IR"7C4n4pY>#qq-E8M |nǧ^ko'(^8'ˉbNj? =g=G>~@t$N'}=㧩WW*µZUYG,nVʄ $N׻_r7{e%9'WɎq钘 {K[rKeh0#"4@".S6|.,>?sWVMtWwpFM:6z:0~$sBpa y %Aw|o5pJhcGj6 7b=<*|# WNQ!f!' XQ q |ea ׌-{xQϱԄٍβ4!l0eWy"ZF.CG{U6 V\nw\~v~or{xzDˣGm%alJ%O-44֗:=Ca+2J*J&s?ƶ oUaUg:-G  )4gyd !XspGTlhl}5?=<8AN8T`tQs௧bD פo")0O8j}c‡D,EA c㱺Cӝ B8!fb>Ȏ{_Ҏ??n`ԌaIDޗrtŒZuQ1OC gL U ɏƻMB/:{2@^ǿ |/Pي:o`;:Gfj^~|/o2xУ&I KDߐn~p*r4Us@yj=DWH,iz~<6 qo*tc[\R10$ X4,T0 xucK!=%B?_8 C&j 9q.V؍Qtc}qMm ^ xŐZ 1ò7UWh%UHLt8_[nBC~۾v7촘 d}'jK0(U!kCΫߙA&[5(TиDn)FTÜ`9 ć=R7(FǸps"2]ί.[q32,^:!ݤ=+ݠw~R :eDe$C?-,0Ot(j"Ӫɴ繅f #rտcU֌e!#"N+ZXIhm$sy[9f))U ) uùC-`j3ph@c9 P u+ڕz$Y6m3 jBxK:jN-uinVuscM4pĮ6"d);ι7gn'_կqr4V¿y!2X_ŋ 1u IJV֝eiHÐFQEnJ'j[khҙ=$c@)^~.iٚ$27v/18Mą̚ cdq;j峧w)WS/Ժ~ÄS% uÿy(N{0iG[" V1Q`91@ع$t$Kca`f.u !(@V, ioX kf!P)*oO6f:Bh Zܯñ?žS;S$MctmfY5@Nj*ҕ ʒ[֬ɵ[k{xmq g;W֦aLN\K YiBJ1yVc;+vcGZ acв&pSP1g [x ~u`6,tIx?|)3ގ H DBDmD.d;?k=粶˻t.@MORo$}_AR?~T X"E~ɩ`D dw&[N_g5‡pcA.*G]{Hraԗa+EUl;hpK?;jŷC@@Ґ6 H&`ݫX(+EA>Z}&6@}uJ?e"DF~3CaqqNbܯɭdFRY%8Sh[Lz@Cxv';#K5OáAȅ?OӀW< )d\_J@rۿׇpqx/Z75t|kS"ʛѐc 7nWnǬXH"YFnd D y\H~NE6~M*5(@RW{4(h5*2*ϜyW5o+b0bW._/sjwV/3V~bQ<3JV\<-R^X;LXSMO;veQuotr`/hgeTp4IhV;grEuAC/}ag_@n뮾y.8C!~vzOdէxAw=-,;EN )\ "ǎu}%D.8W6+2~ўc0yfzԗZh7yn?{nWo6lW룝 t36HAD ts<`p !]]s#9oq1(cKXe 1ˮA0PJ4TJ9zݱB?^Bzhe>wǨvcDA- XP;Ag=9Teo*AXCGY QT"9.ݗah:=no$XLJ.}Ыa%H?r >բ0@BQ֡v :C^i)\.)%fC%/6V?Aet?1~^#І*}IqM&9iuVL 6v=%ۭ͆=]Z/oJҘkyJ ]&6lx: N=z12ٵ&WOEd#$iGI)0UypCF܎+\~3ASo|'|lJ2}&plwқCyqO!/Zn >F֞##B_>nH|"(% Iѧ]#j6zXcdPڪ %_L< fN/%5eT)48a^/qfۚ]CZSKTѰ)σgVv&b-V1*YA0zQZĘ4. 8}Ͽv="Lq:lР8]m>͛96k"ٟ!dfPvYrqVw9~{G _AYeDCז$&.2{ՆW귑>6vZ [A)2둜?>7[%ef-'#ʪ[%lg$r>^"o5a%~9Ta:SpSa(;҂8neA(~chWzW ȩ^a5ڄƎ۪k_i^$PD'JVf+k~䷺&@iz*4_z_SoV;49>닐l؝9 XbwO+ea{f^u~ i; 4.pM~rnz*dp2tz½̌N#u3jh5|p S_Mi0#/n;I e͞]4>'Ͼ` /X>(܅,du v޺0~{"B-m:bE# -=J4^-2+c*Y r:*Txdur2|p!u8hd?yo%BdEH<-Gd72[ʊpG?b0w3^hF< LfF!_I *+?> UNFMǮH:e[!-<~bjvѬl{/%i oMXI{ !&7Fcao.)Qbg}W/vd[+z?jwDAU3D|܄>uFM~iC  A" ,@=@XPL0R*]4:[o_cq]`LI C$;ALxK ˡwYOR[*N|Ä ^._S(>JP^ď9Y`G;% ;Hn trI[~1?Ee-6vӲ62o[-s=jl F j01EHKC>?"A]R ʦ?oqO_rZ}C ڎF5"˸U;VU( ;dRC!X BY|Z vr7mx=ՀHZMݼI>e#gьaك#hO/ 1,`IPz*Y=Wv!n);ɞ5_@~4@5jUvM# d&M|N| c HrT<@bVbLwfInE9:~)6 @ɷvEůa" 3w-uF=ףE(E~u O5?M٫jKe<5FF6F&iA(G_Oh:"1}v(dJ&P#ӉnufD^葜/ð4gA0Ka%iiVTBd4400ᷙTP~M,@.%)׼#@HZσЮ|xm.wo9`I\{(xsuTTq.nG+h#Dt!Ӄ%YZ~n 3¤m!B;DޥC} +41i`P>^dzk4-eMm}WEťOfٚL-$~JvbE$>Gԓ~-bj l'-/0Aɠ ꒈK1mۺˁ8 KFAF3(ݑ-m}z*BZfTJhO](3}O>I7OŢP]YVtcr:]XWi6[Ce%]1N$9bK u~>4qE>%eD 1,YGJ^yh-R]zy -}zOZL3>߲C^WfQo]WmJeyhg):0lȵå~|ɏ"5 ^39{ M^0pw,/'8)|&4RVi G77ْY;ITi1K'Mh%c: z7g>oN OηrKO ,]v|>;ի m?^G+34gD!$x?QT-_٭ D%(Fxr0 ):j,Df.1ϲ3K;vҮR]b [&N,;s<ؿ%@ Gg'+lB ?3!iOesBnxTuSMeug"p{)р X1EyB,)h6(2Gv!k"MuYJcBȘ ͧN'1de~\fT_W"%5W4CTUn8Fd%>74p|Zv7j4RFCSZPphdG ?~ɑOqKH_F^v dJT)7OWH/ ~!@:-fמCۗMؗ?ھ{\eM\qP_Կy^Ws,Fu<.Gb) y8 ƱIpA\/<ƥY)bhbh YI6]C\]A[S,RQ3ԛ+@p plK ISj<$uN_rēA,S)zz G| BM#ڸx{4-_> <25brJFŋ}H3[B0#?G%)x]վn}0C\ջN^Ӆ LΝi}Ho/)8)y|QoTCHC9W͓Q6Kَ|liPohnГνGrڲH]1}<$Ab&}cjg>T8QCL ߀CDR!%vZ^'"oNRTl2l8Qo!nNJ˘ ܲhbpî>ɂxƆ9wvtD4= C)uΗNt43 =VE$O#B}u[ScN͎'Qϔ&0F/K1QHyzȠK AԅlÂ; meh2r"i37O !eQpmCݡԤHb?s2۷r-j| ;ZIiG?zs̀ v=̄O{fA $hz$ 1Xp;vqAqDM=ZөegEUB*c1X$k槄J$`tS)p[ Fr:rvnNG B;˝ tWiA<u8 u6@/ȁs`x<.˲yY^;u#3e9xHاIrQ`K0 C$!-)XA&P$Kݺ,J̧_Ms:;&jiH2;_!@lc/Rh}^O*=JO> 3q ,>4o`WQbsԖQvx9$FmR9war:|Nu{>Fk@. LswRAń]ZO μ!9EkZfyDHiЩ,?`°'?ھ-CoRͺĒ&RGCb2G-ȱDTKR1=M1Cr|:_Ӣ71[lϩh\RV5.B, x SL߯Wjw |9-Ͱo7;E;/| /UwSnC3"#l};6Sy3qbFhJԫhDFz~`([/mL ^/;Z]}w;DFl%[W=߭7_s^- ͤ}|)|h5^zi̭tDEE&=.P+H#OAs;9d "z_KT*~YѬQ^Փ0h?_ $1,EJdd!r= yjru1Qqi"$P3[FZ!߽m/#Z?vdHDRZЅ< @6qX/v3wGGqwk Z{k/p ^W8۟GϿq $ A ߢjZXb|8G"cǤEK~*̇9tCʡ# e".:cڿf޸U)(h"fl@_u}N*i0e֋yL,3O_=ڨ}rB"2:P9YಧA ^zc5,rY;@PHg{+Cv֯!ٰΛ#$ ֤ >-,bh9sPaXs};>sW_C|VdoWZ̀1iY!&@@ -TAۼZ |oE[uM in6"K@H0:r5"V9L4hr tMc=SW,Ab0&@{Pqlk7oX53h.4=?17:"X!M$[hB}163LwY|ph!V$F9wiR8((eϮ7LHVKs"?R}s2.Uj&Ԕ$^i qJ#.~[xf$^/^AA)Ng@n lXmaT|AF l:1ߺ'Bipߺ3AK|]PZptoorImdɋW3 ; ˤY~&4qsv >ǔX d7r E9{AyMxtHrط[M;6 y^KkLn(Gt'Ynz8Ǹd븫@ߐ4<=d TĎisڐDCeN-#C͇`_?TF/iM&E;ܸ3t3,r utFof-I|h 9PZ1 -y\rGɹ;1` P.!co#;B `{!Z[-'[ CLIݜV 1[NM?mchL"-m/,[Fw)vccjr 1tZ5GgDrKZ!g8]If9~ g3dM9a8 ?J B%(2h3<7i&<PNf\Q%D^t⌉}Ԑ" IH`eHE&`zJ|#G$M\!4π@ƚ)L#;u#ѯ3[y؎ƛ*yۇw KeOʥATUEYRRU*5>^W>v c4S52K'Έ e385kį[ZS-1lNh i?ωI^kMBӷ(Tj h3fdD9sP3|K O FPvqa+_/ JZvG]u8eiujq>K:oiZ^%`#m 0׫$JBA Ziozt;˫2'ia#ΛJWciRP9 A 8G.)+pCk)GD0dz2Gu<?7Je=!h.TSQeryaaY ΏeD s<7UV]';WUsZ$׏W6/ɒXZktvh _y+e2\#2c:-NMک 201H#g#'"mf:~ R/*C  KC÷+a+OxzqƝ{>m2_7Jk~Oˏ5:ț<,.3b;{Woktjq[[)U;CF{'%g!4rnaHT(!` $E-oD!_Z0sYH } 8jճ޶Wi[ao;S;Ϛ{t5Ħob16.F 3# YC*POS\_eW^x'`ЦHv5E&#XWKg16x}7E󽿍7Բ}Ś2s*{a(|#40zv\ifSt:TW2)u" F'&5jw 9RI2aP" Ȁ/hr}?xY 6Gq{7߿vTw:-`n hY1F,cb$F+( "DE(*QE 2V2EPB(B b TQI"@F$ !@Ny}L.?G7Rz~,3kiVQQpB2 1EEXVHĊQ B< "ΏcCu <;YMEh@0[©A+}n"`l瘞 zw15D &an`L",ŇvvGI#x*wuʌQME<.ͺVڂ-8)=Dt>$9fAF1ImDΓ CE 0/Ǿ*ނz]0O!5#p;D&C]r AZ>GMN#iE爥\L8VK[-DE$2i0`:bS9$xpUy\& &~LYMI~&aeBOc^Bç@vLټS^Sl(jAiF*iC1HH%q5yXUyn #g/7~U͠6~2믝F'e:܋wOǣFAM(~݇oc~{Qaiouk~ 0]%/A5~v06f;GjkGcjc+9dcɆ P>spruH1i~Ujz?nI *~wN c]9oNdf\QE В&k~X05.FcQV&^v E53L_װe} 3LL/ [DtBҜHn=S/dcyƺrI"Z x7^~T@ؠ/ևt0V =g?{ t0 XFoksmIe&cQލ~ND,IGg뫯{aƜSHbt 4Te(MPqw#&$D&pK[Ya:?ߑ4:;j#i';/aeSb>LSb7N9c~yh޿O59_I% n%'vѐ1, f%|~|H]O!/1Z$KDO5}JOZ"Cͅ>ts>%>i>csY9v_yhBt֣ƂazAp4z";iSzb|8 'L1((D]!mit":P~ N~|jmw]2%*b. a*ddjMLE㦳UO!~:hڑ"Gos‰@+3BH=@}M6uB_qDπO#"; GadO7}^@nҹsjj%@XJ bZ@|uEmYF՞x?K:> #dOvwì?E*vpq MM8 tLhσQCAGoKʂzŁjLH(B+n-Sże>}"e]*g|>s:;33~rvpz[[D}eQu͓9v} T1!3\ؽ{Le>F]qš乆0 $F~,7r_! 01s ^ic2[KE9F M~j,ZRsmKFuZ)}ڶ-p(!YM;Ad~f"ĉ!(hH.*(zʮ DR\ jj$nF-ܡxάIh)@mPLIxA`J Mrвl tK|0)TB`ȕ!V!b!K5L 7kBCi? E'!l93٬:n9+d~G2Nsz&Ͳ 5Up"`:?̝Lփo;IXRDQ2i}' '7jP〟븞I鉚FC).v= +#*SF:&7.GY]}{s}"9-* u7hH"%}s2{fwv{l:>e_{w·uJgޗ2 go:C"#Ê!R]=b .8aNhS#d FA FaV~UY vXG5/ٱ a#^tknɉo _FoN9G|kbc+O^PcjRA.Xު&vLl',?KƶC11~H~ShXA? pik>tQ } |kl?:'1p}ꠎ;L/`NL@Yzfop57ѧU[kka ߐ>A4&CZ<O3{,Ḧ<;xx ZwTUzԌ,~}HRIo0Le<9W2,n6Au(EI* J`a␋("۲\$}9b!+s:I]0&G:ã56̫ױ+ q7ɣA:hgG{!c @he}/7E/`zMcg]6N΂ ꁀ=1/%*#՜4 p)L1PDX|4kE`DA.v9L7;RӝX,lM+r砢Ќ{NHS/kϘ-=R>~f:=ha-v7r>L??x?nz~5 Lʔ)ϵ}vY{oU-v2;?g%#kyBYD.~3.?ւ_jn[V%6RCfuaa0E! 9tqv:NӼ_Ĺ0l "*:ш>RWd*Be IV'y}?XpjWnm}ű+Xiue`hڃWkciD^ƌpKvgC"@ 9gЩ!*04Wm{ۻumZAkZ̫f}'?c+m:hySt~ cJj"ZM;I[Wx}+&A͡~ :/ DPa4K^@:&DA\= f4 t\A ۣ./?3|)gVmb8:αz'F '?[sóZFx_/dPAڃvWdg$7] 0+ ^*kh[L Lv!6F 3\v ש[& ci&r5̭33h9xQ&!l.^|S}r>$x;[W/8m vPHhǛ쭔Fc} xk$`a UBU}qc'XD{29Z:lEo+ZLSQS B@7# dUy dLmw!53*L{NkS[PG. ) /eݪ8=w营b ^~ߙv6Z$?/a_١3 >.=t!/^!ǟOP*NttmрsOΊu' ;`哜(VuN601D`e$E)yD7z 'vs(rIk9|>>EzoE:R'HcUT*w,+rGׇxn}Fnff"$$ӈ`\ |J90G`3cmI4Ρ?\ jxϓeRŎ_[E^@z.SoMYiHؒiQFR ٢,n!v@Z]pr1^c@HBj.As!$Wd%cC)A&B,]9爢B*#(4GK 690w0BidpIeZ/yX]/,;eF+6~L=&e3 (EQb-9-ZXm"L;9G;66+.O$QG\sF>Ц!;Xd z|Bdpp4T)'IUxX&vo75"۳ld0h/ˋqq^ףھ5-cL)`1mE|YB` >K=ܵ-um?9Kcn}f`{DG:Dҟ1Ζ 7jezhIAZaͱktJn5R tfToAvC~5Mpq/k9Za 1a}΋eW?5wl¸8# `qO`ѣ?Z!wMK7gUxGtuKU% <R ؗ]_r$|U]<1bZ`4q©P ,_̗A+6Q*(2syae%-1g(a#gMO=3v07sG{|4$6Hb,o'fݍ1⣍۩/os6}V1ⷀ2&5𝄎?i!ьܭ^\\M:g.J"-ÿ}kH+aB 4( -H5=&%f"L);\dTsE,-Ue(Ҟ,f(WύSYb,KĀKYc׎N7NhhHpBG/!o7D/ +ge1$ؒggS4;s<(;uR#X;qi(IШ[BEFWY譯p0٭|On5@bUiSw(]u4d Ҳ~_+k&Y;ֲOOaM(0Fx^կ^e|ƫ)?t_(]P(pUC˖E_\-T*rnIwwN]7i)t)uXJ}fid?8r&Odcq6FҨ`*:i8/L*Ұ_9ߥ0zOpO׳O,xG7{B]Ж@}~iyv<(ظnrJI>l@h%s8r?Rkd"#90__ =] fz{>ڑ 1Zz?_y Wvz` bɽފI/K2I"Lm}KDidefRFipQg=sz7їLqIsH4 H&CӑnbogiR$i1^^ejZ(hk|^n}:cV'ri (#8>̠5 $ZW!2}巨C`2q/avh',| uiMVJmuO8tp$ؔA cx&0O,`)}_xh \BX7KJ7@AzsJ}AxNB|eŴV_Ij )"zt²6TR\MqXւv~{^P;+h4ɱjx"޾k/iE=u@D6̓k/p"! hn30WjFo+uJR yEӴ`ƃq$gRf +-`,NJgBUA( *r>N9إf,5+hA2 {-s\(<L4$+DElէ #TE%*o&; GiASƥA:a;wDT_Wff|D6II3m&0Y}I-3Oy 5 ;224ރ |9ԁ o۬CW2 ^G C9u%s >i zU‰:fƊq.ݻR YbBT% 8?a&, +Lp仍]GI~g8pDE p-q9 4Ǹ};cN\Vvt3Уlez*uRL )å B-crXD!?Odʬlϳo͇ w']G] <@ː~&{6|~G 6M\ʱJ_Ic> _C4dX9n6 Oa~4h(G^Mfj(㌗Zr DR!츢L;+Ɖ en%dSR"”sh=g#]vg{,Bcƛ0+ Ja5{>^L (ؙgKz'J@l |9n_˳5,M)geA;?1mba,*lXfCDzZxͦv]zWZ0Yp}]qQe]AGFq%tb(eHz.ÿz_zl!C HHS#dT+<hJ痛rn^% c ?#h}'H9Li%jrh>YiW֭@q_h'3k T-j8PͫU\ llܛ1uҁ}mQAr3DYx8p/@0/SFfPa#ݟoZ-g+,%S\mB ;bm=Q aᎊq$sc}$߱c{) @B0wpݖ{#["VAU1kB5 ȬJJ䁍#)ysHo8i8#ԡEryz`Od($Wagwp }Y# ZbLZl~o?`U$C:zܸ[%u2rwm( ÆYv$$RJ1_נKlz^4wruuܳzDcM朗 FEo:(Ы*z8{s 91~ ߐ@OPu>үQ}QIRE W^+E 'wE._PQex={^rQ'^۴_f),p:'TA@;% dDL2e֍v#ib(iaIFY%Gi.^ W9Z#Gyo|(L1CT90 1 T3q`bԘNX72 /J#!KKCO`5LJ˳ ziL?0|)BÕɴ L@{4|R$0rشf?X<t8{NKq=ЈH;G˞{5|F%^w-}}Nj 0OHx[yʐUp>}qܿɁOC@Ih}.4_wj!r@p l~3P0P[F=nU]G7X >{~~ :RE6_2w&MQ c?l׹)*GY5p.w'LO9uY+ɻ(aBV>k=wY2XTuœUm hw:9DV/ <=Dl) #BJ $ȓl!Vżyēem ٱlȷqx_:Ӫ kra$D@j!!fQ?@( )G[b#gKxp-lv/VXB ^/uCe92uS$t=Y X}jo-?dFPKC4G/U)]L)3(4qPܸAE>*】,,{4|'^]KN$<(Y@8EVm$>ĀB)a(YIe/N؋c,?B7!z:ً e+g=;'JJsT"5BttbeMUkC|-Dv0,[ఏُK =dCD?VhA=8/T(,|~=(2-F<`pPf_9B߇M9cGCѯcy+WWRH$G L},W@ OF=?kNsω^'K|d+6_ / ~ѵQE{z]HuM_ gy->#CTfqW/8QyPz]$$f5G0q@nkXI7`Y}}?ʷ&3u]vȏXd;Cdu f[f6ݛo9JE6x4$D9٢Er`q|c$!1˂HK4D/q(zkv1\Ίm~\&c$ؚ7ؐíS؋+CFW;[9]ea曵kFoop '2V;!u[Sj·7lM4 n&RZsW Qo";'{t@ \5Ψ $Jo/Yc;?=rkI(&q]T::X'{3_ٿy0Z3hb 7Γ摍-n|B !CK:m˻N"kY'FRz*,?sg1%Cp?ҾqR@Ջ9&sXx؊5F ;dpDa(]?۬[]bY2q]|d`=4F805nmTz4)7p'5Q  ȇ {e!cAݽm[^.1l(eD}*Fs&l,0p@ szo(OL`(rw6Ĩ&)3#o4.3"qѕi/Vt6Qm^.f:4 CtԤ4#kV}?}z=@*M出圐X|6' {y=ޛ?c|hLX/SzI2LA>eM }(ߖiXP!Shqcb`bYF|& 3Vsk5yr[Ts4jY ^ VHO"6JT"B _tW&~!Ӆ^aKUS بm{ut; DI(D{bskbJ{nq:V$kȁ1Kj Tm{2A ;nx>Q?0˨ɡX辻u4ʇ# `º琺ic9k jk4N:f`6tLNoW̆X4o' ,`lL*{w0XˡD%: }ouf[,/p{ֆ0򷨢n0QM}E|ET%"T5h9.6ׇap"f=9aR;wӑs7>G_i'N \xg|E[-p_%CAҽH돜yvu&w8-n9 ʟ_!Ir0Id&gO{V*& я -\:Cx6\: n秥t4+{4;!I{I~9jM%Q|59!ǖ޿X j\D^ۤĬDTOi)zv8 wnŏq >܁lُSG*r[-!@ -YO=^^_pY0A~@HL1?5[lp6c΁\eڥ{l34/ԧBVQ1q_yFwZlU,`Eؐ!$, fz;7.޿iTt  i\m6^?@G#zEnmR UЪrB㥙Qu榗d<vҼ͛9X}* GMt AN/sHzs}{htי?T\K☿No{aYf Bg0G ]MQȾC<"&6Ihl2[3,tU:60lhZB*u]9ej灚Rr:B$8fce W$34ު`&WؽHj!jN`l䷹{gV0Զ{@o-L߳ FǪyTt{1LDۥ̀*X L<(f#b;GQ,/ҐZśC46j&)|}M,sW`Ǖa[""H;=fSX?QThk}A6?zչ2hWG2%NMh̦Y+~ڑe_gbBu`~d$D?R;`62`}=Duef@Yű4Y]"m.>g#Y2+T>VM*F}ϡt⊼~\И%|؛aUyv]/K 0~z?qv[I" _UjO~j Q'y+CnfI9.oPf<uА^wӴЗyIæ`31'j^3F`M&?}MȬBƑ.䗉I?g",-lO%gE>pqNG*XhL' >נ˘ c3#DGi,!S8r5!/0cY9Dͩ&eYWbǩLhD^10UqD3UINػ8(@rt?CτϤ|Fq P$rCt k߅30L "> cj;ٳNUYwިwbIu$=CXqtuƀ7KpRB_TF|vXԏ8BjژO}LO,@4e99h zusOEsMd)nIw'tpA0 ъ,jnZ"vVnUSOe^ @D { f{SUA ǧc3 RiGt|(_n7(|av]|1H]87#WuS|lsdфT%G= AGxUKA/z8D*dLncrPR^NiIF0#Sjӌ^67Zv̴9l22 Ve0`q9gAee{v8Wc[};R5FUDv$K|6B¦`:7.3zLL$ 5PQ0ⴱ6I2i#.-4U984 K!tǴ7Vّm,Gs߂:r VuT61K e|r4ˆNYGW_S6/VlYI0 3nOdF?2p8YaW0{Ap{o7BcǜG\ KwWX53nS?UsH0cM-g/SνA,^$dހ䩐bMs^M%N/IeмXa#1 p30AAJ >ھ^c# usBAG*&b5:StY(B`  q d;7J8g^!Scq UtG_ tXVJ3Obr?mt k|PV r_&qFaIڝi'NqE'm:f;(Y<ힾ6̗:#.ѿ_⯃"Au 3T(ZLbtzTnlVv1G.|\W?[%IJ'E;`cc B<$#SK٧BgæW.2\[:PrLŎ $'ulr>b6-C*h /hGY5{LbDe3 2J#qW@vW[ UFi-ɋD{xl1!*p7*fGE3-sw'rυ=VQlOswuIJo*vL$fSxFg`upO TKã/9 ,]w޶`)\„;K%KlB[D"ր/@#Mq^…My~ZetP]Kud8 2VL1t],Z ;YcO׌m+ u,#U`5[``I43fԀX6}[T.%(0q+|%o4Z~3q/C˰[N,|OWRQy`sH%gkx "R; 6=r&`Z7k51}!)0;P'0,\?10}*:!0jOxbz,2GPլ 3)8В;دOe$!uKBuyޟQkk:1s!442{?Έ%BXVz'"ѕFC*..Dn8'P̛V"Q9y*rͰVYnv<\G\G`gmC. ^z 8D>`#y֋q 1HbFKO {ˇKRaL + SF=Muwq>t I۞Ά]d] oϡymulF/ݺdjUc|aB@vWdŪSU4hYY̥,L" Zb6=w&H8ί^]|:9cH&qz>uIb!!C$A"珗jxi[UjΞQپ j)0>/>& |ed<ŷ(2u[b "D$Kiq`<-'&g.x?5:vEr~ӶI#{>˳+@cᇎYY10RܘrJ8הI0r#%,H5HV…Pz?G꯯u߽Ye& *ڀU4k30P(͇OE֠kiPܢyL\Rd3e m (W5.<פT8fd̲$a!+/$cN{0gJ@j[400WR)yEmZ`k#N!֬.%gV%7nYlC V G]v;6܏"{'(WIXλNLkG 2_Kum6lᵨ{ja1Lz띗Vq/}ϒ"?ftYՍՉ]o;-[,r*Rt,(U˜r,q~5Ym1|53+gۏٳL-C6Hԍ$q*j;flX1UXߪJ˱6վ=|G+A^\rD^"Xt b0ˌj*$h,V$E[b7ߝ䃜y_WC ̓@vG/mSK=SeE{A2xo(:eӂ>(p5wM`U|@y  –{(cJ%=|ϣW/$yx&؎˵%6۲@Ex|bOA?i8x*)6a/R)5Q>D`~~aP&Yl'O]CM y6is}6`ov|)F<Ig3 !9[YD` YB Ĭ;$̽1/jА4b43_  0 hoF6`3b[3o ^eO4tpԯIh8n +#Ag2v %1woT&=3X=@!MrQXsm (*-ԭ[Tk6=H2cخ  LOԟ?>7\-wx(|TiUgURO:OB4dJ@ s?K6L'{zq충 Dxt`t>a+1nW==Jlݰ)@ wc, = ,@8b+qwId[h:0.m`q$,kj6e|I:@WZivZdn}}],{?:11Ò(oon{v6V?vx67|޲")+9k dAj-"G`t? o콮B\S4͹.p`Sj#4-FE}_&:xǶ;Q\{nrz+@CYrLeFw [#%렃̂sguh:Θ!`C}]WRiA]LI!b-joIU[vݩQor_l)_w翳Mh@ [SL 11kmIw4MA[C,4HcOoFSf'7 `S޽f'BTCĕC_ 칓/PU(i-G;=T(Ҋ6N/||fI yTQAX~?a;?g bZfPj&0b{ݗI=ќ UreH#P5I5J]L(nʊ7;#ɺjOm0tS?RG!Y|;2üdW0y7b~bhL ڥYJ$EB{w3qI̗VY0Ue/&"Ib"Dϓqߥ' txXh7'6"6Lv8;Y5~uL/Ie# @s>%`i2mlZFﺿKr\õ 2 !|_UtybJo0v$} B?u9zQHA{?!Os?gZ1ksNXwO )Ui.j~D;@-Mҳ;O$ #3\DB.*T>1ޟt}{lSOe"Y 1ua3>j=6wrrKjZ 2ncEh!"$tO4C%;XZ_D*IzITڝb+?vBE(vf<' 5x*cx4QnQúlUVQ*ﴱc"^Rw( U{ơq}W85#-ژ &  ;N$soO$(1sƨnؖolc#jkc C "MwX +syS82f`:C?y,+WUy͓RHc| PQ\҆y=c7!s_uVx<V6<G_ЎwXC-,=OR ,FY7:Ljyl9_:*xŒSkP@m8P?Pocy2[2lĻz뤠sXI V*e G ~ReD' b:}y#Fm1@}9,1wyp}i$C1I @80 V=nzqvz|Hsg7<˔Pt"oenz{ +vKPx׳[ok~%#k|7 1l x OFRRQl1_hf!3g5%|{d X,(,d) s) ׫9jc iFDi5&Hm)ggt櫇B>.$76ޥ m$ڑzjXHCߧo[v$-!E,\]0T3 L*_%\>> ggl .TB@D=q5p,K `FSYF2wITl;:mNjH҄L::?FKw-JdQQ9ܕ@~`R0@lTflN>1Q(3$PBș>#tz:G}܃k~ηjS*UVs,ɔYA@sݾr5lm綑l&Uy37L'Pv[?k9|엔KE(0_I:G͔~Ē1"d4|U|yZ[3+6!sq5=UD_E@>6Q-n"ەŌGw7iz$5s*")vF8jWZ))P:N&DûPњ.0ˡ>L~[x NPC 8d8(;%b]T~N9,9r21O[iLL6߽%.FXs7aJjQghHpo9Ύ b(bд[qmi m y|M˸0OExu幛 A`W)lu+i:]E  t1\kmBZ(4:;ت?6z&ֆAmQ4%9yxy]<:~{v}ZÐlk8%٢ xYY3 :9M1dFu?82!Fb7al6*^aֽ[ lNCe9zHPIsC ~&Jv]焗}lÉٗ/(W\vW0}ע+R~adF9<*2V5 < ; dDimJ-[&!@d\!5U(x x@ȟ"=wCT^+u^ˍHs_&$m"gEf?ޡ cT o$&T~kMH?FgICGzn=Yy>^Daͺ-eH߸[9g}A0'c ,aX(y6rN4 /-d &Lwyf_ <5Gga\OS\H!)*]׏޴fdll/YZ^o 3qFDZ 09K"11K 6M3*b4xD2C5[x~5yqR|0Rk{xaA{4yCN @!"97e-[]&01, 7<4 AĄz$@܅ZIc]`("c6I(W e'RCkLN/U'&RD>BALyL'Z"rBBS<4r"Rׄ$v'68kgj~tֽk9)}NTԱ?] Ķt3<̶L?{6N*5V 6\080LE))ME7sA=QCQ>ۆn'Ƈ˻77$Q ?H\X*LN1SmIǭUB$+>ik<3gqvB՞_:^ͺJFMRHyjMFg3h+uק=Մm 3lsf_Q،814u_h(ʪ4L>a[O,w`3x9k$AՏ?{.um V:@246ZEtcYKt E@B xJw&x=gիbu@h|ǬeL}ʦp5{]ڮaǍ.WUITxWiMI@T_ޭ X@A@]cƁ!Tf|kŸG0Z2/CH$dNe0!氪dwhrதSjyDYZ@ǶT?CA&!8hޏ_ݺR&_ccL}:z5W?XEwE3"y&]!KJ(`PD:0:B|[?8@;o{N~xmA0I@ZH5;OgRR8eǢ=u1ś0 61\BꐆO9-T̥6l@Yو-lj6}/'>7FM{x ʄe1^oVU vQBLށ8N1}狐U眞&i,˹N?hph]`e4U>uAػ.PЕYdԻCu:)Sk~R${QlGR& Έ_ w{F@T3Bۃ͆poZIps jXk4 AUh;ª~ *=hY9wV4t-?hdG9L㒆?L[H1YЗ]dŸ;*\)f~N{bՎUSTW9L7~cX]gm_Cl41a) t̫n]{ 3u,GZ]m],gIQrDIdAAi;o5b^],E%8 A7X&B @}ۓwM (~gְ'w<{hf@?wLW9]6#3;M4546^>{G.PAD:!S "$^m\/fzQPFɛq0ewev<1Ua3'*eClj5V*1bu:,8'{'iRR#[fiX~xS„WonNAU=Wy+O/jA J 6KufyX1<) |R0(L*S> @W1zzaO:MF/C#eYl(!D]ٰ ٌ isUS L/.3g.o ( _ a)cqzs.>/fF\nL& 激w=9SO{[y.8"۝ ϰ7h~9]\~JJjcj:t&mq 1$">fVL!R-U_81y +" QUH[/N0(L%ZsxR$7t:К IALJXx?},?~à<ķ)C(JK;&˰W*qڝ01$XH,d`3Ә PjB&lD:( gX04@$X BJś¦"XS"}p҄'췎< )6:^yrO~0DҞ H:} ;^aɇk"F(߲m`"-&Q b.krzm̼; #ʼnlB呚,5 zS;:굦@%S53.8f&,.h!ބ32 'ݖ*,(N"韢)u6uaLE(E uoSqsMqhUHI+/Ⱦ|?}Ϯ9D&,j@złU(9cC3_ܩP>'sYQd  ؕ$bN^LcuֺeAd$q^u4lrgcB.eʂ'_mXtNl&#9|XrK5)`$˛-{Tx[Uĥ3ߗ IX_<[kAmlZR.FRwk;E74 tsF> goN -ԘB?BA@TR6z %8%g!Oƣ6&)즫ubt9/MXp#:PB(?-IǘneY){~<Wѳ(6ľOc:A}:3! @O>G?|tj ^z Kesy 4NCʥe9XdP'cmdp&%? njkNOBp?`YYLiЕƐ M(-r>} fǡp'eTD\G\(ԟ471TU (]^sΞ۝`4a[cB g0"I1{F"d />D@|zHK 0rzϩ&uI.nGC@ $jbIfџW'09Q#KV˰6 1ٽp = R43y sL._)rS_N% 1r@%>>~;N0%6v)g@k4ݴ+y~H3- V@US<;wȤPbDhu*KݟUfL$#2ߨNcݛvX3 %nL{F04Ƅ @@gNq\DžY2GC *b'EB",ݦL{KI1s DZaPNe+*ل/q"[gȟ 8)ӯ-o6,PuPܥ5H}N׊H^^ {F FG}8.il/JxHGIKe gjFL?;ok5]_G>L7cE4֨4C3D1TɾMgr=im$ 0ޚ oh͡Y gU.vZ%mBmY~%;/|7ʏ}Ͷ@|xAa%2>{#߀vl>CfE-?i})o a $FdSmۢcH. ~w/Cl$I/\,53Qח}X4}Ҷ2d!Tى9 ECHj '8~㾚{ n+5uU!v:+K.w0WowM.1͆4g,-D=9ݼ Xd@END3\ɠ CYnƞ'|_u]0Fvg8=s'aeg |/MRt*J*XXj9 <c@|sH3)4cf~~/ى.]fLE)]KϪjH 8.2`*y3bPYݓoiCi'CA`bHP[ȃaF=d!_N<_'ƬH44f'֨HsQCGM"ui -Vv)QBp2}xޘzv۵> Uw+>·j'${B c-T .V3cC֒/;Qh)\!-JZU`ƙy!+ƸC}8⒝HUL 9*"6G95E¥sfKqN_s_K%z3z폩Y?S%)WCƟ3ַ߰,gOcכZx< ׄx?:Ahe־ݮO-W-ue5|(Gj|߹BtlLʕ,!$L.޷m~GbJxﵰKerloՂ8;zzm[rdsrDЇٺ:E"@j '㣰{eHE|Xǽ g:NBQ($)QʑVK~f3 Im=E&]ȿz"ACi]o(Ɂ" x +hȱb1TtagNn1nZCeOeo'j<`mw|{ 9a{0`C ݲe?YBT50OB k,  4@jMYN.ѥXk3-H1aXn$44sԵ@hyVB gَ{쯉%`uܺuy W=\ Di~3/s@7,l'g@zXhalB0́)hă跢ٶI]ϡVr@1Pj{G.rYZKJGU~nx.>Rj)/6˘AysJ).azT舸H$K06mEgIësUpK[2}6Vf R k""p@"?΀F d+JKtgi+a `֚b}a@ z8m䃐!tċR>|̮-~!Z:W=V]}C:) 5>O|kUV£%h9@f*@Y+p0]+ν1#y|x9'a@g1Jkϟ[?Y| v ofG%/?11g?s68ޫC" iKB #E 2SO+\|^lC`3FB]7l&vJ?mGw27?l&Nq? lAtfDs-:?BIʈ9Hô( M33 pz =hjV֦|w7=(@(3ew]u._7} 473chsȦȋ+éA-ht4-;*zyI3c9{!{BpN.YS*4樃Xi",NNռDJ ޙŤ7e 6yhDž!3nvJrq>38h~'lby6OkeeU-z~$`d 9N92Zl|k{}wjsU>4|ÿLFJo2@"*iR`4zE:@ W@R;:xVN;^O-,˜kYlի'v]EU#Yy3 jEYT/)J~=ԩ;izY܄vwYڂ/~}忿K#ҨO5+dXBbsmv#[cM:q2YPMk" Aa x+J@@)hLlhP %nljtwH fmZ؜$Tw#}m }E;B*f{+P%1G &6SQ[&C)ʆ=7lՑu~0eq]-K^C^RBU*MҍMXXم%E5nGAT)-~v>$#b(~envm8̥F'o]F5І++{?)%JyTҊ"MT_$OLd"g/USJ4t*4E]$[OBf?mH}Tr 1YU@F;.t"21SSx6 F/a :Qa|,4vYku}9f67 n!f~LsBg;loAsz|̀B3Lc:,A|鸊y"j7&`֖-| kͳ!DPl;ddWC18& }Vji.$p 4ƴ=Sf)^Q*giH/l5&D-Ev 쵪$&ci ڊPZj۹2=5qvĘnw**0j\B_ב03/9-MFؙn'QK- %?cuN&}E|"HGߙq^u%ӇVb.T2˳ 5yo^'jAr32Ǒ]]{)eV "NeOQ}O_Yw:ńS4|*xPȝ޵/?ٽ~(2%ۅ"MsGx/̀$,W%n:6WmGZj=?X_ FpETzDE[t?̰Nw^L`sVPzMzF%靠;F/U]f⯫!ye~_\6w\:Ș>ܼY] d8vt7y<>¼-_aJ!JdC? "JI4 JHޑ!tX*a |b?9yzdr/}Exm#y|uZ?.3{⺙u6Qrs_K/ z,C?R4w)X u66G8t5 rI%9:A1RALx5/@( q{)2DDz &ƔĒ$!m ēZ;:.]!젇Dܚ41//Vc@tO.RVa%Dw1M&ENY) '$nu!ЧQ7;-%aiOy湌-()A/BN[s w%,Q58O#pn8 ğ$ Ho LJ0 1BI P~cw5C5h)$,sףģ{jTwBW7րf~5{25kZ_nR%;' -.kX9o;_CX0<6 8Fkm`{ۚ!6nf]Khv >5 k;fj[nCsˏ-Z•/AOGd9 6f-'8T?$T->&Ayp/&>]gӝK ZJzƸP,9qh5t4RC]F`kWA>g5JTEⶉ~uvEr9s4fbMe=GcMmg{;64"X%[c ZHw_F ҠG;Z!G|a6C3C OV{(:ϓvY}A=Fx^k{9 s:땲s|DÃmQQ$-cL?^1^ĄE_US-60Jy7l$Z/J!=͸ōVE n,mWA\RZvߪ2g 7U?"@gK@ c}r= PeYjnlEZ򙦌V0sB$a6FG!U;T԰pgJHNY` <\aaE㮇88U89| s ÐPpb* :4S4(C Y >jt_8e1 zkt׼0 ai'nz M)Y,bwmߴ>.o0!A9N+b]ơeD" ?Z'' ԁAar%<`HA~HP!Nd#SURi,*Q@oS7Que\DV0,g: DTA=Hҙti{XDHHɳ=&l'aOaZ/npmp4d2^1!Nwtk$s8deGoKc~~w6)"Dv )h#Ci=$O`HPS0C@v.LWV.d9m A觵钀\Fl]Ded}T|Vΰ$Uw--#.+Zo0ɶ/ D kmjBJbInB/,ný^gz'jz;ڏҼw~gL5Gl;[>ۭKg9f *JߑaFœ^̱O=6Y~ɘ9h7GW S 4}& }Xr}U.裥EC h( @Qv(}_{{$u{|AX, 0t0ڗZ>Z)@Nb??I{sM[\M_h}jEAHA_SRZ1LC)?p+䙘 $@6:`;/u0 ljB ''qj8*AICauBBiRlmhEeL4ʬFAH4bK$bATXE,a" )A<"=[UN}M_. ~C Hb @$Y )'Ϗq; ̇djyp?nx<\!=-6>S*KR ,TɡuznI6Df*{as >"Ejr+xQTtHnw2yX!lUPJCXκ.}$!.fSG/eR3^g}oV&t@kYq`|K3)1N¥s'OX$ؐ*C ʺ/gu|h >M>>@0#VqOQ?QV,<h9ccPc.+u_  ݍ7H 7 ;{Pl4,*&( yR $;_+4򒔌 o̶+[Eu~hKpEwwMw:.$N/n.E =U[ilbKi%,O~ھmOv%ҽ/enM@9B,^2Y$݅w;3?u^2qx2'x3@HW !1=$ˠ;+~>}6Q<$ʎ$J̛" [(hGU }u0,.y@y4& WĚ $,0>cCͲM/=wo oSsV⒬ Mfs:3`, 5Wuqp, HSO-`;x*q]WĸKFI vf́7dbO(2s]/\hQ{{_\=B_{`XBVe{LYN_:>t=ʿJnDM4Jx)ESEUe%S8iV 43jT>^QErs*AIUbN1i[7(Uʆ4~" v*!kSf6Cft.=ޙ ϭT۶a8dVmsZPbETr$&XsAs ]X(d9gL<夳p`rHj&({ۆ=uû`LpAZCke4BG>a)?vVJM8*lm96l#I>Yn֦˛S'mVe6G+Ju@+̷P:͡'n&hعl)kcV= +Vg`y2d=-RoP<-pzFdu@Z2$v̮qgɴ?8t BX m(hVE ݯu4DM %\%j~qƻ=S3u>3>ni>x2OR/||6Q̷Y&%/%Vm9J\gӮ8+D,8$/"*x\'J$;dTDR5NT4k%qi^ }{Ѥޘb)BV5ɐ:j騌 pJuAE᪇޶HrR&FyA F>,熼V:Hl($k)MVl_jʳ_d8$S>n,d]:F\qjȀ7!aǿ{c j:X1z!"2QyH4\VYk !{(cf_/u9Qq=qIBKI,[d&˫Mh@m%FIZ8@ ,Ix2Wo"#^U+jSܴsQO;CavRq{L_IC!e9"sXM&ClTg j+XeU=jѷ(ؠ{oibc|ߨ1qi)\yՙ@]EBKPҳ%S!:Õ#_:> KNrOڣ3"VKT]ЖhKNNL|^ OKDzYe΢e6(f-{JqZFA7o@9o% w#v@6%aemR1+FT/ҳ,Ɩ=ƇnDsQl )ZjEp(UTѪ_0aHs󃚩|i;㖚X17`)ivqd4m9ƅYo/C9}Rs\ LV-݀o0YL`ۙ[GUzl7=jlGr~^m-Eegb>]C]ƑG_2Ers[? 6ֵYHNH\}+q:{s2 5pj+z ERzhW?ui SO'K F>˱C#xN_ xdӧ8Ks -ܘ=h1{Obyp9F&3 Cq{tB]U Jsi]!mmb{Ɠ&􊭈 p.Pʧ^/D7cZ!_mIE9zݷDi/1ruw:5̴lw3mjؕ]_(£^_P`|@;?DcKx ŮETbvQhܰ­J&/^gkRצLۉ}1\)IEUgmъI3D3wlv"fqŝ$hk_Uч\^q2ijYfI<IJMVT":MϺLl)ZƇOXWsbwncڣxfKB/ /Me ӫVU{:>)_UpK:%~_-NtSB 2 k!M +x·|Lc{5yݜyo2?Ԧn7_,CxKı ʟI y{Go T;HW̾%? |µ9[r0B4\̨" 9S %mZ5"5 )묮kRp׿Ur6Cf9_]a?|EBGZ? lۨϧ[X׹*$mN,@6Ik# )m#mkR'h>}L_A4|? t޳r#yܳIr!p֮`ղn`S_G3X-uZD ^+iDLBLyoy ߧƕ57<۶qUuj s&?ޥY!FF?OcLS@-cԗxB=f*o:v,CsH)*n}]y7,}NRPU]^rhPis(?Z=BV]jaЋ]qdmn_让0~aBqCspsm6<*dMA9|峡uT9JdݔerclԊu¡ȋ2l_ mf߈|t'uq/&hd~0xۙn?Z5;{\+ڑ0xXJ\ -5\F $[(^ R*I3v hrv~MԈ^+GdL֍=aj{U >R*~N$}m$6L){XyjL~OBi}y 2az }`8G"|0hAгqjQDaF'^"ƾ9{ey5Gm /4RM]n Y?V=قU)$d---SwfV`S  n/x>jz\y*#FJߞAqVK>Њx8$wnl~Ng9ܹۚ7>,E 켃%ن^۶X9 b]-u<~u~ {`,pß۞I4k}IK;8y #T0K23➝ Nݼz.r=L89Ksޥ u 2 >?۹9;oUQt!}eS_tX< Weкw -%7m~!KsŒ0tPx.9@"Sk-0-_Kx7ݣS^~VEss!ZQ#ԡJā[)8';+큇* s)5Õ^CdD!Ǿ -g؀8\'US"6BV"PZ&C,Q2s5\( Ou 8/1d,AT#{81A0ϖ8ćڴ* j9}0ޚE8g~*.3G,JvI[szogh:!*6C&Az6}/ %?E^yEhI9n4e"3xzphxܸ U4 %ѻCP. 3Mwv +R'٬֔E[BI1puYIHv. 8g&2pG]L 53ȅ/<{c hIDYW\_\6KֻY#YК틫,"k]ZΌaG+wt.i^eQY5#n6_uSHX6G%H)VgZRҙl<>0OB@qVl.\\B:?4O%3^T u8:0G,#E<c!ťrBJ[t,XI!yļm'Y \C$ȷ֋Y Z]7cCa *8R<12ԝ,E]({-LJ ]E`@ntIMa{7a6@d/= Om:'y&7gQ>Ʀ\VM 31aG-9͸<ԖKh|nwNқx|yu~f.xk!P+8 %[NY,bzdn[&siZT4bxdÐ&GV]]!GɄd1")/:~KN|j[ߚ;r+. ˶׽y' S_-́A )sXvL}VV!حIpD4A6ym*1q2<ptnE݈(֨"9V-ߪy­'3-xԮMYO<@}nTFΘkP~̱Bd}b5& T'8 mc#YNpNZټ:9[vDH>[m@<5 ]Bì\*P53m4%`O*pr8B?V\i ^1i >E$eN%!8R)3=Ӏڏ6HnvP0vX27P,G:>WXoL44n)/AhFbB ښWLT[$FUg+96Txzʐs>lkO>Xk5lKR?'ҹ:ow^qYu=IT{:@qa#08:@ǖ 4.FAg\Mi"Dw@AWE5vѧ'ltyZq{ "QW_{BQ@fqTzج25X3UޱaT}QG^KSgu>4>_@.F_PNǖ$vhhhK/[UGؾ0E앀vxc `rh! 5T>/#.rm7>yJI~yk*JӃ@Ή{P'a9Qɂ1TQ(;$*"+ͩ@ڑ=jxO6rʙs/v qC"eDeV:4uBolLCNyb0 v}`h0JBa 5Vַ ϓ(jy_6{D6rKwXsGY W(˸`ۥH\z3݅o pcv$fJUQbv΢ˆl7KXz ᗕ9tOgBh{;x)Q ֨TW#i.jcz~!$0/zҭK:ꂰoozosk+j5O֥]7@iNإ6#}ؗ-U{2ϪRYd|ӀG3@8DVBSMQ"5 t`칫pbLF`;$L%2M%2=Hbk~Aa'l)6 iSeKψ28 S ie&2CzS=7j&.PXcjY_@p>p3"$-ʕ[ކ"bZ+XFi'\ë4lN([ "86^MkS(rwmi< ʻ(#m7kX!l㒾zG!Ϊ#lSZ.)RA MRyb㔰Hq5df6 w-9?%' , bڝJ~|%#hR/IϘGOP1X &jBMwnF[ӭBe Ae@A>>Q3=iC 5pQoH^:W)$rdžRn^At+fܷ@QDӊ ڸf41w!Cl44kIQE] #~MV!Dٷ'V$ ~ N݌[&n} (Dž 7Sp>奆:|_M_ p(T22}#S467"Z)JxW Jy yer~ƿHiI",@aZ+[,8p-N5x\ןm5˓\d՗1hX%~qyxGX[P[2Ӧji@ޘ ._>ߔaݪi g?,)F16=yDʗ]n}keI?`3(tdڿ,TXpj5ZL1}'rPe.dbx׼i$6sX`AYz;ru}M^d/p9 λ#9 2Pj{ y~l|\r5.JOS>+z]*Ru8y=瘣?:oRk!VQk+O7 :a\oiX\«Yd>7o\h(lL7eȅ]X ުKfT_`:R (5*i thت?^Cv܅#p8R^HAh˨ Sv]k$zoÄ_?u@m1HXr`Yѳ|GB4Ҍ7wk7՟%i6Z<3i=>@"l&GBng$'1+6u (xm ,eN2}p2t#Na)'>s|@|FЉ04;yV!#[][| 3J(܈gރFbZoO/D6ʆ 5}&*OX%kA'8Q_4"f'J:iUJ{azoWR Y&8~+YRĤ6~{\{xM@Vk2k80Ei 0aǵ\.^MOs.s;+;D#2BA°dH4昗jAYQ s)JR/L ~,e9y7B-@xE$LQa]ٻ?(7K/*J%Lz9#=qA `*G!VvK_}_QFK܇ ~rMR+dE03I]L6>Βm˩ ڸ诧:e<Ɯ[4>v%ڹεSA|ersȋ*]wd6"6 t/c{NBӀ3R6rбi'ފ"p 낸>2A9siKSs0cvÚ7R`+M16/VUS\o.N{Ȁ/^F 49TcgI~sw:.囌vNvBA]sz,#z?ajs76&dp6ʍi9e$;fʀpN`XgKX;V*^[;WK܏eɼU08G('m P*9FinTo46P<ˑڑR):ժqZ2LE saQ|s@ĢCOSK. QG27 %Qi~XZNyXbr憀qOX@`.P ytՠ/u@F2j$(,-UCi5h+vX9;xfZ1L"=N^vaˢP;=g%-m #YoNH֥f~vs[݃eJ ?Hý~~oY:c91K"~f[h=ZVV*rAre'134NH J t(Iu d ^vjO-6 fUjIc$ egre]ȇ44㏨mnFЗ 9jϳ_F_|9o^(#k!vKlq Hsbb'`Egx˖颓:݅gR&yCyUa 0@ƪr:0/# ;)JG2#ri=vR對SAn6K&OU>Ӡ Vik0%TMJ^VVv` v]z "~6}r5 {u!B`}Q"-t- w j1)̸&%cB|B3q/ZH"{_wm;@=BϨ †,F$dpNa/#=x]"иsy0z?B^:i>YL p[]0i\#E?\9* OLILo]Jm0Tfv %ϪEUlE|obξ)@%/xAtżq 3xƜ%wA-3-ER hΘg+|PvX jo8l*.I| zȏ}{p|'1_/ci@_{kADL`vI'z6\ݾϮR%!E 3dGŅV$hM[uXR֒72ÞYj}k|FTax x{`\X5H@M^T{$82Yg^4\L`}ۏedXhv&4VWS p7q7jX+ʹ^1_f| @=.UMs YbT˒9vQ_#(kJ?2[gz`eow_)ob>ɺA=]V{`ȩ9h&E[D@VE+n/z;K') rq@LJHrmKdnT97Ogd<_yBtC{Io|/Xg-hv?_Bhv[U(kޡS.V%JİE7/ ߮a^f$ZD5Z9&.bRYڍ_ ܳcV+P+KkӅSZ=IVek˨pc>W82KdJn.#{fκf(ЄyK|Ll(tq j嵠ı"f#=f..Ż,:0"MVW[֑ Kb1^q:26r{MY6:l.ukb27YfOB6+AIa谍x=,u?P3`S @kVAKyY)tzc!هE!0ߦb=N̷e|Pd48[FM D[Omջ eϸ/ECE{]US` ciw:hi/;AFWeIWm-He$ܜG|M gukdisǥbɍm.ƽjyۇJќkwͥ`C|zu6Έ}X dyK \>!xSgw2V<j8=֒*hP;:fKFvA^=%:1XcL|X"gVK gYɴtuʽrq\*H2JDN}6xSH=/(q݀uaϒIB6<42h m/ zu-jQz C ҝ-A4R;qԛ%Ӱ2%un74۲* i>jsk߶0,cLL[+/wu1=8H#FMu#3׾C[ѕDFkVtV2{v 0հ:&|,q6$餲Ow ,?*GH=PS o!Pf׆Jyn@:r˘ʋz 2fpBv*ܖg3@[h&#mfHIęCAaʧCoӈhŌ}f\T{LE0gqD'\{)x։:3 _>@t=g;EtBq{ƪ2#bnir5* $#][hzmq~]vWQ4!SWXgTii;Y:.((56'~A!E m]Ǫ Q3Gʳ7kt 7О9K}j'@ES%^}PP8krdTHL4 ]?kB:7-:-cJ}+6,9^}*kǽR88N_i#`p(Y^wMԴD`i; 1[@p+m(}ܩHj(}0MlA|pEf<V" !Uԭ%&%K%H,t nzh>|71&TFѼ`|-pxaROl_,H5s!\7/yٛuͤx-Ā4`Nf:$E >јX֙Ddϛvfv-wm\=iۓM}2Ň/Sm{o;Ο1K+yiAH* }ҖAy%P3>7:w̒pP~DЂǁAz~c9TV۞,_kk0=%~ybh)Lg{V46(v6~/"j-9HCgt ǖwuuL|^)Vݣlp| u &8fXO!8ֳζt([x#N{ؔOIۂ9m? {mPwm E05*RD*8\m<"`epz\{= kXB9>~7 +_)Gt~e=ii'{ Zrcb2eYPZw;xs ʟ w|;yb nָؕ"YD=[WexkYV&B6U+7BQ1l^@ ,:1ؙ)=Kd?fkP&.rTil^4|sF sESl |wP ӦdžJ?y䌁b~^]J0j:YŀqYf(>0JSѶD:z}hLô}H4w(fm~Ni"y?O,+ .0nDL^wBl޶겥ۃ;X8tkBf0sͶG~1?ylwxצ"){+K~RN]]񏒊OMOwW9R6:ݓpd*qaҩt$TT.#f?!c4/? G;nLz; )Y?E>v8 >zOW ި$e9;8IX/SČN.qY@4,s EP]BM[?a*yBJHYqpTa Qۋ$p& ZEv[TMN栜ODֱM %тZv䗂f6ҭ5S }8ʿ1̔H-ii6'4 X׷0rW־WdXZ\*2bD:7!o߱~5"G!KpK [2 :=*Aݷy6Ӄ,pa{_`a:V xi$VϪJ{ U[*Iy8.8?, \p4oQ:8 {0i%T ?0r@wNҷ.͟ƝӞm`Bw+'sְgmC 5G;ya}6ـ2Dq,5UPd]/|͆[$I#c>g@⳺;1YŒn=ZΊ4pX  `;Kgʦvi>[hݰ-=^cLY 1kʲ0n_nTǦeȗXy- xx*aO%4k|VBfЇ I"?hH_z3S L+] L17eC(,0e,|UBj-a[3?e,0v[4OИgv^=F<<֩⁊U7 TxfŐe5j*tHM[˩U,[l (gHe4Ը&y< ?I4{"~J)e {o)r!U˵Y|0 ,ܔL4 dJ#y4,cyH dv .cU c]VJc-r^1cJEzwYZ&[zje>J)ѽ8Jyq7$g{p)~i2"gЯ-6;@T*=1v}HX%{߈G#pG%_5{*EvWZ_vfM-r14nA(xV*3~=.B5@PAa=fXTJVc{5 gF>Ə78.{i=qZTzeO>p2%X5U˫= +E妟+VV~77 jNx,X Hd`ϕEO+oC0@c;R8%F^KVwO%뻫ܗ#T#TR)޷ECjҗn1A<,,k-%8n<"]1eڳ*;x݌_a'ősDͤ'.xn+4{-c`X Ul'yHzNiEہgVvUf+9{\3ֲ<,|,+t4V *;~n̵V)Kv}wNLUl_6V?:5n^"ȾZSĻn/1z| VٸGxM`\.U!쩳t*yetB~K{p.f@|^=Q@F\m\[̶vi<&Qx:zJ>GMaJ 9!xؿV.'0Q|Re8u:$J@UQ33@n fo¯asL-oV T26%ue2 ?Ir dcI3_6lhi|rbޑ gPhУژhzi~:}`p1Zc hGrZZ*N+771iGId1|d?ʂk:0Yu(h-U%Hn-̛o 9Z1[_H!LeVCMN?*jX ])Ԓ$> 4XdADlG+(Pۤ|{Ju ɉA|\ee^D CLJa;B)28XzBo/pil {whWA72ۙp3N<:-v8( *C29Lz[I Fyk?@.o+G GK^Rq)fj&9i*#0 >({/5ʞ36))ĉpH)V9=G& wMU CyV:B}M\Ϋs'7=%*kptAjna*mvr$iZQjݏQxz,%z4RZ4\V17x#`BdU}vN`;7ZL9mvi͖ē1lC|DZ;%+|mW(47@'lyꗃE&ff@ڒBðdF$&t\0-*3Va |C{^Qap )u!o *db;rd{dHC"񞎓bg2rߦ|FX a"GO'Sm-0EwP .` @x nFu~([ӒJd-4j!}Ӗ p^4 o6J !TO mZs(TmY|7=\ܩEۍ6=э.yHyӑ*dtpmk6rcK U9pM- ʦS \h*/U&/7N ;zZ~Bn,gMup8ܴZ 8G8oHG'X%c3u*T_ÏUD;`=TG1 }I ^UaڡM ?^UN$,[PӇR +9_ABIx?5ǫ SH3'z 9h=R^˴OҐybu1RU;ڐh횷o=x5;) ޱY8uvcx-7Ӭ,]sѡ h5mчi&K REۅ؈IGgj@$h"$l IOQhPEU ;~c:dJ~]giYCpeqWRUOg{KeS}HXC;fv`F4rӇ ^IR/9 ~!hlANv!4uZc$ } $XmH?@.nb{')ppMeD9qH8FlQ`QXlJG͛|}R\"mqGuJC38M9PTV*GjB(k" G⟖O 6(P#M:({<9msM]oI0Fv% _S#Uf2G>myBP%2I1zR?x5g1@Cax%ELv4ԍoH\˭VuzO?PXPOXߍ&*q'Who@up4M;̍nٖ$ :4H@P:+ 1.his(W~ɕ9C&qR$g;JXj` )|ݜY1+"&$!{{CǬ8+<*qRr%VbՑQÊie }i澾 P:U Iy]d<Ҙh%1.EPVjR;}E45bA(Cм$( P͜xWJLL{|aR6A-h{?XX nu:A~6izu9*=ܣPJr!p+3)w0nJRYX :>F1 `\SX]ۖ ZDsPr?͓p9Ӽ0SC AmQyJ .v̒_Re=Q\mގ/Ew-8e IRY4FawU!@#P-{Tsq8!# T⑙#2EkV5.Ev 1T _u=By֗l =ޣP hlZqNi%]&;K[sϑz{t-f&#vْ&/mϥHd+)2ުR-"uP}o\kBt~m8@݋^[tȀH`WGz rU:^cDba2faXVqCGv)B6C|!84D=50 S@yj]Õ&Ӏ 'KF'/mGӞs})9F ji,-QV,pv¦ՉuAY{Ǝ5xaɝgI?ϡ;E3'JחcmJJ%"rݒT k=ne.ݯBnP JxRտbpVP6:J֮T O!L2%R9|,H9?Q4ւXQmYkb9ek^"q{2 ќ:a/ӷM`s6i7u6J_E[z *QٚH{K$@)aPoW]> )_Yv3!Aы?Oƶ~=r_bpA|RC>j;$=UEu:j&dx_ FNŊJnRrhfGEv:KDUD:?iƏs@: 5 k@NN&juxt W=(E9_[ql*IqDqN*o /VoAhЭVbR+IS):e&T>Shs,t"Zzgxls6.>kcF ?Cz34>"yzs l#6͋˽ Ovq@=_M /Hw\m-_5=w5MJDm/PU@@Fr9dy  0F QinK(m;+y63QLnj">)t࿋^Vw'kw<Ī9`C|9 Η96'u/fKz%>"t, "|4v0q?o.Hs .$F8*AԢ1GA"AeH"i:\Se)YŨG6P/Fكi<2D)7ՀxMȊ-^@JMաhE&K4!RL ِ)ûg0=Vmz--C1ws`sG ]͈ahtx BeǺB2,oP @/|A):OE8axɏ*5"'TN8$(5K=غ9>M*X)r%UnhoXFIh`P8`e milˈb(k.*H-8@ vQR|ɧ}!u"ȥQ:Bjiմ;y3(-(?1'[ps@WO5پT ?Gp77Q_ڦ[z.OƝLnj+Bq划M2O i]#czɽr! X& EVbN"rhOI9\xPcXYf''-Vuu'lZ؉XX"tuRΨTS:MDG= BpCr OeAkSN8F}6se؏ulbB.BWEԑ.@9Ï S T`Kt9[K,D`&peMDhD="췄`4n=r\%nRg`Ds Cג4}&t{ꭑ>M?CPBZE4r>%8)W ZIHȉ|7Y~dyMY\\ '`SWD72KؘBp12֜p=$sc64& uf] [MgBO\LOt(e;l zܮKj/wR#|]\wv8UD/rjtl~ΌZ3W1(QN&.|vKBgnA[\E=MdgG}94LKe9k [aIA9_=NU/Hc_]GQϮy:Rp 0'lYB+~_Pah},dwgvPhZԕඌ|AʣM!䕔h6!`T rHt *\8.2c UWO.N!GM(=+leiT `nɸ}7aߏ73+g!@;+חla_`uTkIR2 DuUz"EbH-5jqg"I۵{Sv9R^-Q2Ƌ_ӺG5$5EgȺ]E'Byi) FT ִ"gxft "Umu z< =bvRr=cox{?v>l641r_"i2EQ "*0"O@rPxiɩím>ȭH-vt~ϳc CD4@7g&0NT^j,I:i %ƌVN"һV=-i%^#R,Soap'߆K\<]rFN1%h[I]o+|; v05670dAr,QWJ@rAP+,.Sܡv:.JZw9ϲC R3r:!}apm٭P[m`+c@zY؎sJ*PO&6C+ w~?l*Ͻ Ҭ6}Pp.!om_7̫cɛ؇@.ʿiv5HE9{O7B(#˕@T2kIH9.Z۪airuƫ_<&uTNGSO#Ps8~N{P('Le2cH^"ǣbURC~%my'CBwv ںٙ_&'SࢍU13Y9fCڤƀ2d3.SοЫ22Upm*VI=-n dP:5u{$.! R 2埝xff+.x6Fu7bLO<Ll.Qk 5ӑE>nzph՜܉#2FQ7\Vs>-k6P#/=T˄騐]I.Z3:o_͓&Qa&m E#z8G07 `-\lym4?\]Q~l"'Z)jP?P<-3򭹬Bŭ"@/9QώR5SiN0ЫxnsDs.}D;"h,-kGr]{aa@r؊?L3t?Q[$!rNj̨ЌٶcCB=qP+zH太8pycG#+񝶦wIJHS#ƢA½hjҼ)]q,E%DQPR/`H|aI.F rوC.Fp|?Bqv5@P >|Ŏe/WQ.QKn !y xmַ] {d l i2My(:9,(r$;Hf/|Z۝,ti8T0iq=uH%_̈<t]Όe2L\C i36{{eU˧ b?ѳeL8R2`cսQHiT; %rvL$owV\N.Veh;<=1ͯh@Р lWBrf VA)O*i y~DnS.@7ZHNXzj 3jQ6Elu!Sh %3!ZFe-mM;n1v$+̆Xg⹇|XXYH/As^(x+M-KҦA]!@f`$%?ۖaC臠֥m;an|&簙b.K9 WU}y??(t<1NA< Kbݟ)M::yȼ3a;R)X.Lαm/dc1/d:u˖޻&t{.N0ZtqGWjiAv}5 @/wyy,[=i2EXX?)qVo.gn@“MX L#8ǣx+A ewEbHvVU95FUT‘aɈSf:7mq[# 3NĐzE9-^o7>/)Nwf Í` !M,e޴~׶`y<V#}L@H⿁a}r"6,w')>*<"c ᙰ1Q_P0:νJ^A|j`=*Cٷ qs61|MSgUܐpsq{aP즢JOk1F+0C?9Z4hWHr{Pq3@R?> o(Ѐ+l94=_72Az}HP\䮬һ9ad׳`xjaNBp_:l| KURdDžN7NqdnogGzUHOq;_tX0s~*"Zo|&;>U0`ׇb[nX!b,+|AѩStkBx711|9bFݗ$:z@ x "zΠyڟ)xb+#ֻ#ڳ?$WQ84SC ki*DVJ{k $&dE8ڎ, 'h[YI;x `#coQ҆-ˑ&4.++NK15c/h׼Dd@`P"^-WEw~yfۯ=?K61N" sIePx?{DM}fH#J2ܿC)u`j@ Yz: R3PB8XJn }$~B5X8ˋ`/JooJ:y,&1eUАhϟ>KCjcVӤ\h".U24€Kh3 uOXa.4X桔_QIO>[$u$sͨz {cء\![T6啩u|PlQrz҉j/:^k 0⒑~ 3Qj:!Qps4TS_GC ZTcO$kA:T$be {|7e>*Uٖd C%7Û =]Gv䡻jO~-5;:73ÀOA_4:\? v@ʾ.k4Mr`Y·j$<]U]C7^ă"r}daiA^P<0ՑA5;K2E_֘3<ƱdhaJxT3.#;`K¦0`qGDdRt!PwЩB>T_ltxi͗hR@?S̉6(w/ (s/]+r]uOx,!b3JGDm1 2 3=0nYP(t>3@. %,0% rq1'V7՜0]JxbS+h j|]dz~6 ֪#.RD@d]N]kvjA Gz_Fw10KHWՐtFUg9&,߽ <h"b˶rwlV%I hT>݊T 1F3foi7Rȴew`=E"אC81Zwl5Œ&Ƽ?x ¥UTvh6'o+ hHqlP! :* d+.Uǀ sjcab끳c2l~zw&~Hr6 (J|HQeQ|*gWD~dpk"@/F}W8CiN3QuX%#H2FC {@dW=2{h`wEʛʒh C~Y>McV \0yRq 15- dO-괁 6}nM7?{P],5h!_cDuk_UionX1s[otZI/vK7\VӶlޝy)7 9zosܹӔd Lh[+n.wm_vIVA`PfiEt74IU7$ڕ}X Gwj.uZ`s1abslHakApEj(&DSC0m^[LM)3V}B]fNVb7yx- #$Qw2*웓T[z2{RԆL"2 FB4&s{l&i#p+@>O~5S5DrK$n&v~.l)^ 6&B)TWuuRJ߽g`E, SC;=룦 x,yT B.ܰ?G`rɁ<^ O$#G 쟷{޷fRp][R>1>?\NW\h~Kh ٯWv-k QkڔIb qOYeiiv*M y-sHa߫0;ULzJjwp\Ӟlb? 6˙^kU7NZq=~[HY2\Y%!$z->`W.h +V[٨ pdDc"|'=(E&';7?`\TCNԞqn,01~˛|vvMDI'JwZd]Z:xDoHA3 C[PIoS6L@T^ `qx!nFe4Oi̐pcof9؛o|,ߺR$^"޶ۛ L_rDW`>p Q}]˹߮Õn zοE!ޮ5 Ci2Ku2r9wފ@M.ݚmF ;:uJ B8Y:s^_ }wxI7Z.(*,& @ *̢叟Ja{!|He(/uͺ :pK'ʮMe1Z/Q, g5F+*l Q6P-кś#x~DIEP# gdqfLܺ ][y,fq >;_#J Y`M4 KbF~:^hGq~,R;dW 32w)ɔuB={B۫,D44uEɝG(>/^ƚ&H 'guaE?,܋7hl.a&9z^ G(5,?8`TM!9Pl=f3J 6]%TjClvx-'<9$n^m], Ig T>5^xJg lD־}u}] TwxR^*ѹ(k8&i?8hY1TDJ4Zn?KGUJ@Um1[2qUX]a/y&پc,m (kw;u>]!8T.N :(>v n[X- 'u\-/K;#4Zmze} [yc ^˒ϕ2U'D)!@<}RZGRй,S%(qv Q'ЁyWz~SAZ+*dabE9rL*F]*P/8N<.hM@ݮrI  AH`/J0AJ*юK(s_a+ibsUkaa11k4%ٟ!ˍJ'7 gxqQ%샳g FiVk^XaHbpZ/Kd>oY| : ;ΰT'CDA#AZlgϟ5. -`0 u) nitkЃl}.KXAe%M+j v\Bn0mĄY *ꌐž\ѦlCQr Kq6|n}wiwxj r8hRnMudC֗;z \օh1h3ӞUW/#& @H㚛H$]x1A&0xc1FRŷ=My^0Ez> 02|*,"/EAsP cjϰMӅǤ;{u I|>>0KP:g}77;b;dv9XC(,6X!){)N];BGBXG_Nl ICM.Pb w+auy5 wܼ6scDXPʈġA]a/_U[Afn^y-OIqVyHu `mef9AK+b_tp&_=;;knkRI4J@=9 o^(~&b:͜vR=0&;Y~ZV)_+tzD ;dnORk*q}WD@P Gf#49CRW?;6ՐpYD؈ Ra+7^M# jFqL2^oLr#’SOkN.{Ү,_ 2Y9.Fޛ|jQfAoS;+^}tfhg󪗴7g[-3w$T2X&ƌR-^|;ҎwZKMZP[=9uO|)nTLVzXR&h PFXTdB>TQ?%zo $cB"2G:z5Ɔ>h7CU8cBaKi]H1.SI/vO܄ \pHEj7 wQB$R%G,NC*$}ktcGE(" FDYXWl8U+9R_%.fW49J85]#*_; ׼Qgo8ုiL)1+bt-\nj L>yrfO7.p|vO! %ϲMݣ|G#V춣; V@)Mگhy &qP)8pc{~:Eu$5GJx}6Vffֱl'\$ J[`3ųp⃠y-d}V(gx߃?uEQJN%v}n%^?U.kq푿 㺤b~z!nA#slD3l22"54&R8OCil kr 0n3>yL$BmǭW@J8ͫ D:=̳38eδ @+4Z>G4p ,[N ;撘t!I.l* {B؟RgY7N=S3x <vpug# uAl6upM$9blWV4+U"M,wyx3"ʒ43:Qpʵ !'K_qY ݦ(v^608qV̥Ӝ7Fu8O)φa M@,>P}'GSp6OF$;1.IIp3WRQ%H6H`* ^b(FoJEY7~-Q滀m&e$qh2D#ebt1pu-C~Avdإux&ӟ1 2PeqX"gNy}_Կs_j5>ֶz-qbSFmRga?O %rf(&FCG~(SQy$-\EP|B"e>f .[QQ"Nhk/8g b \׮ztgSRQIc^ڣ i:T.I2n?ebț~E,̌w%p.OMtp@@=UXŠ]eJy?OErUĬŕԯ~aЄkktôeh-/P l7t`1&8˨yg:'YE]";r:uG~r IAژ"RM](J}Y(џGX>^0jjan4+ `Vmht H%|b7\rAŲ{an\tDgh.ͳ$h.`y!Gk֥nW #`//ɛ8*޾ ztΤ6'[>P/*!ɇ|})?`?)[soy>uݍ6wkRpٻهl<6/"0߿Hh{c Nd QwP\fZFFTH6͠,8e ̡=OajnP\pYV+1G.Xq ! SҖR>JKʼnM/vGw" 7&u;YM(LE_*dt]&PJ$7Y.?9.vҸ$bʈ/PcR>AYec^XhOk8xѨJ0ScZBD1칌Dd͒ KJ.$QS:' Bbg_uy*{b8?|$/bYbd_ VT&krZc\{OWsV8V|*+5jeg Y슶+{BO\-BE:BHarZh 8oW^s ԪW9E<ټ:٤Q~k=4,p侄=i:̹z#%07Jc5'vFcڃ4[Vq۵9cp'Yv{|%ދT_Q(qK\zs nNl01pu&&,!kR&Am2t[]ZIGd_MJH2F+p db!o`LmûhIN _`Umz|AљSZb')İ`WΓ'9vghe9?ş÷L?r(:Ť(#xsZS 5W)}O..+jH7d=?7`.({k6(:-MXs_T=8$ҏx[*1UѦ#Aa$B`r~)!]zw(~B8ŀoĽ'YaٔAVq4\N*oAƬv!oE8*5LMNGM*78p[3Zx뜈lVx@uoTHghlzE)myյ]/N0rn`l;ozi2(yE.qZK h.*lA;fwX]@'fJr4eB:[>aiE c_| <2yI ;atlOT$wSSj7iĉJ|t2imP@јpXrhTjmͫ$Z7Y;QI`ۖ#7kPnԪgd. kT.~ck[W )d.{YRǔcR3BG/{W"Rf dccU:&Beo&01̡g˯m:V%ҵ^I&gݤ!˖ ϨK}T\C_rjIvT̢! B6#FV%z_ *}4__ZƵ-Q} .Μ}AqoEf#+R/L>.Wrrjܸ箨̽ /"uWEy=:>U"[SnIXcdǸlƀթFywu&|Gև; n`{aǁb׊Hh2* !$!Su\ȳkBQgJqĐ-^RWcqvU3nDS\@G,tYZFq4Y"T˺<ԕfԍ!}|1= e8(4E'+ H{j }l6a6Bigz:o(?B)F2 X IrnTucdR2Jted4!,_i.7[@ί_!Cqx)`,neT`xH2|MH3Pmiw~ޞoGK7(ɑ7aJ;w]ϊ@^AA,f\ʱgG"ewZ!r[Y.ԂSGbl~я9#sX2)x=F@OmQ>y7TȾ0[m[P sDmRE|fmepT70)_88SR`K_EqЍK7LTjU>Bi!!ZLn]a:Mo5B VLQ,Uk@!K~ȑ(3)q½rĽ BdݩsEXoL ~_O8$3u j:G8E&@v1P\M1O**Q[QnlLf98ૅq_Sٽl:r^B|FT:. Ȳ"zUq~_t3!4@EssI=ky鍜QF! MvE dςC<@4nlkqK^b9I߮ڹwNE,%_>ֱU( @4XByIЩ9Ì$XD҆#@ ɗ {#3*Xd*G+J;ݣh띨lL__XAiϞA~hI^jY&7 ]Q E5Cb25qD)'rƓҗmǸ0,] XsW6)˓*XxP?'xˉF08tu^FMԗc3CouhI#/yvu\W OXHGɶ x5uHcXm %X5A.+Ǐɿ$X{u.͹ e "V Oѫ|Nlـ̤o|=kq&]|L7`=ZJMW\*Lm:֩ai؀&`gQgT] ];si4 Q, EOVfD(R9d0׿宫GG/̖|a]򔣷$K&m#um*ҒWcV./+WFN*i!=ƈKCש-)+V,!M XɰQuZ*&lOu{/J!d}gCge#RseEWG14͕H JJqM.C&1c̕)*?$c}R̦F} pj|xFן1n屋*^ۇkMjUAwkFxU!ymWk%9+~vk] ޞ9WTQX29~_jT5*)a(0xIFe#ca%Mx-fog"NZsPtRBgNsLYB2i[iiR$ME&Be!a-Fi9㌇úR B/sbڳm~_$mOB&W< ^[)O~fСq(%k.\~trL&B$[u%XIq5a3z==Z+۴J~;QkwsMjd.KruvVZb ;qXv`y>E멨co2u7)N=q:UIbHjٔY cEӠ=ͪ6fӔ*5N> }xJh>rG&Z5ApJ j;ؕ  Ÿa:B\@~o݈£DvSN5딎ٯMcm] >n/Mmo}U8ϱbd;x)L|iy\J)7>wl?3JCٹ)f9q J%T y>/{}\}|/A 'ʼnf=$- PcG2gE[[y3E(UzDTzc<#bZQSv)M 8Q'5jJۙKmܗv?6t` 1^_"=<-hOdm9)A^ؿJ̤+ݧS0IT$. NtnN0Vm1ܐ ܄OЖuʲEm*m {`GILkȳ=]Mj񽯯WٵjY"T:cxd@hq8}AyR: )y@3ES 6*(*JcZJ#t*E'g3 9 .R,.Ɓ@pEn>ވڏNڦΈ*߲'kX[|逻x:kU( n]8Qy~;i/=b`֨s,h;+ mdqbqG%i."2{ypSlT|u䦥ȷ b6i{ \)`C8uSB?eFџА()x TO?E1=^L~%J,x9߱:) WR@|Vx3ܔD+v_.+v_)Z$G7'IĎR8u!֤rypFKUf#$$ ta0>Uiazo&HMQ> k \RHQQZ%S;f g}hIRN3%$ِ95O,n[HtZAU޻[mc Iß)eӠ|kVQ?FA*MePe>c 9o+0oh}&0 6"A"}S5|lx:+ƨyj@1|ɔ/iUssIcTf#T Q"yˆ;{ŹӼ%R#ˀeG6p1O!,l5i6@.|ȕ>V cFlF,Sk{ocW<{w+&14#`̯*dp"kSRK'S @ a1  9vc''Lyo)58BޕJ8{h2|QP Yr*LT LNľY_PqAGBꮷVڷ_)J#͋YQ>L PI>!<; (EwSeW;97PQC,ry76d.5ּ,9F<& `]PN*;n^%^~;ڒv3|&JGarly5KWHBE- F/WQg< گ:zbd;|<Z[c*wGLҾ".AYKa힟LTK &(`?l.}_ph3Ŀɻ 8V)Ai{h- : hCS (>0jLCt@^Z.:fV4n Ge@dN>"}즘UO"}ܞےL;ϗ|sQ76)tj2!#5:M j1⌁6=6ыK nybՂMLl zW-VNU7s5ʵI"y >72lW1jOu4dVv.Oʶ N1Q\a0L.6 f᫨+y"V >E.oݏYMsHEc([5{\~ζ0Em6L#Spa4<`W,Zs") jj\y<8/m 두NV\P"U_utB2?W\,%@!zlxu]b ˨y%Gsǹz(֭ =3IȇZ ȣ+dTDDMd8S$`QGDePb*.g[e>tXFbk.HO15G}eӸ!ҝS.O)<g_Mjz>O@}-wxFrPX%f DӬD.REڬւ7cflj+f./T;I?DW72I").j+FhԵYܹ܉@>Aa`7>U:NE%J\o .ydEvN"J^uT6gNJ7ټ <2~Ӎᅢ0n")A rk^"9l*ȷ"6=e-cf-65eC8":VSx͏`8%͎`HiĉJѯ-cx4jfc3Z_j^_P/#xaME͏yf&Ԋ@5Y1. Zy8AGA_֧DfTLb8}ɻ+g?64 +׏7Y>VPPz=D .Ż$> 9}6yIՎA"&2E` K@Fʧ?FT $ocGްd0nٵ;|y:K5x:Xv}"!g ?ʕmfh&{h FXqOPf#P#dz9G? 5D%E]$r/W>z<e+:MNӜ -`3r{w8%MYO,AƠ=}*@ nihaH1(Ҡ̉4|ENUȎ.\E  nSAl5rYT8eZDC4Ѵb ;w F :ZnIS{%&`fwrQ)iHq . #{WQCViQ)|.V@-QsΠM GwyUx@!Fbi,mAdy5")|\GBRLsĜi>zZt1+#U-Lc<%ՁyӮRWb8Y#CnTفnlt wPCƚ7:NSTWO.1 vQasFIc%jKOmCe ĎQLM2lNH1rip-vi<[,)/KIEgkB#zR ]z5T2w/wsĆ ۜ^S_g45m6d?" *r)=hh9W]W%N VBs * 19'!d^b'jm̂>mWew`TeqC+mZ(럤.a4^$]Frk SS!N`rcJ'z84h6W1v$ 29r.:Z[=i*ʄr`8©ʩHΦMuy>s%Ф$h=lE[Io7V&Kjk 1/Gʥtl{ w8|͊X]~O.^$^KDNYX(OLޯ P[?&ΙSJa-[vbA#5r )zy_+D }&dfBESyuȋ,,$Kh\0pjM.v ,\~~*9iH E }Q̊f<IP?];#(YIןa/ V vN{#@X`"?q'?BiRDq1%u@#i1 >ڐJ][pi078CE~UۥUj کʽ~W@{,#_ᖛ' _]xJgGhEփ7ᰘ)A]@(*n0iTƘ 8?wǜ Q<:ʺraB6OqN|\gM SM$+GqeMQsZ?y\ }yg 4HupV=m7]Rdd +#w82"ҕoTJ. :(P‹ o)Q7v@R y(7d jv1[q6)y_C{%ʬqchGi'͈k/7ED6r@(cǽC}^_pa *z#Kj Mza.^@m3ùVkdQV" ]5˞*%\RŸV3Z6PdU'uW`Zn؉p] U}&S.lC G\(U&U&Kɷή2(4a-ʘ(Yn' 0l4(QGؼ|}8 ذn "yQl>hƸ%}N),EY 9y/iMQ+޺+!d.ikv 3HʧH- %dSV &5I 9\USPc/ 5LXs`?Q~^<[&,)?!PfW>%_`G [?guNv冧 L0AR;+ț oY5(6pI u^oǭ-`IoTMjWYU yJ_H<az aPg\Wz99usXP&uQ/^hٍooWaJz} ࢦMX9 gd߱<Gx#1DaQkL0g+Mns%*۴N D¡g| hM ݶ&JKn0~_()tqT]pΪe0C8ZnC&wzBRsTTJuksabUm xyGKB, ς^hM3F[iL`5[YCpuYIr1{ʉIByIv #c(JΪǵ TVQHK<[ ;?8E@JϞs j~z엸E̠.`F*2V,p,dGF|iރ[{]YJK ^^l@}9N$Lcu=/Y<k)6sFTWy͛>21>y/μWHLlTS L]>Ƀ^́ %*~;Rqu/Mߚψg'!ڙ"ӡfo|˺]Gs@w-;VQe Sm:5'c: pkˬnHK]Ed$vJ47qM+ƶWa?UUG%՜RB $`NwB˜P?y/P'ݎzhž0/~>("А+[~sd긋 _qqq^>_wR"Pjʴah`UΪWr?@K9`х`&ić_FY:kF}%]Sq"/u9r(}" _Y?@+WJ ȑP7Nɑ#*ݿ+?Kuf[ww{|gηcRss^OUjx4L{<g/JY ˔lI0y9߼91b].RpA  #EWRze^_Rr[Kl?b R?dKjWS+nKrM9oz!Aۀ/f]$Ŗ`Z C<3Y"*0J\6}/kSި{#6*Y R<}e"Bbi@C c_`o*0dKHؕ?zi&1Un_kaN4rvdGDUEx /_ҭ c(b;(J3WűoԖDcir-L'JĔeUffu$OY*#[i=Qױ MvP28`V]>HD̨؈FOjj:Gؔn AB'ZA>)I>5#Ӌɍ!*ZZ C0|z+@LRfec>r9n-c I&J<,ܧDĿj+>'Ch,xYRٓof+l++v2$6}5L^%:іz&ro9Ӓ\?U %>0'T.>ΫY)JqpF?:Wl `*Eds~O.`^n^ѱ} GTkϪ6$Bde#Bi#@Y0N̒"砩5~# ԼوO$ɦ?_3N;\`͝bkok=v%Ox0@*eu#/r]DkAj5X[ٴcROE'Y/Lv^3{{;토{%OI#*aOMirU9;O1hnpC=yc}e;O \ γ!wɳwpx,2&RӚ5y\ 4t͟ ЍxVݓpD_-^UOxyM9-=g'IdYL?)|] ZeݭɐsёR~ Su8pC\L_)m@>Z)*`d?.]M&q} ݟʼn 8N?S i74ŋOugH&*nxeHX%>M m&h6"Y_:(" gM0`6/۷[on3B:1qu,Ѧ؝_>ƟOkA#Lj|qi@i# A* YIv}}sSՊg>C j9NmUP0eJr%я&+gav$p'U@ݝD ~$]aߋg=3;:"oWоLdODT{.`0/b7;JV6$Rv2P#w\)?yf'ZLRʧ>1?i~vԉW6xt":\"%a ŇVdFYD?;^kd) XU|Qi\a c/;,PҷXQ]y=R^m#q>Ls{˿L^z0h= ('erVn f'mfRIۍi yFa:`vӰNTrνPı8 ?OO&x `[/R3r1Fn*ҍh8^ޖ?;Ja#sq׹H'SC0$^F0(U1@! v xFp$Y#2&~+-u^<f~xEy/YELS֙$" X὿N8?au[3<%p8G^)Zu5nMд(C,/II\jd0Ceo g=s5Ӯ'!Vpf/q%%);iU\6ڮ b>ػN@xcF_sUf{mu98Ύ2o7mI< p߶_ <)D48EYw )'׹9-zM7N-uZ}SMaGiʌ;ZD F8̢<_ .X$\X o&]d2kp Jnv돷\.& 6gdIG=h/[ Bw謇Sq8ŏ$9Ͷ$lF$`uS2 (9._p:QjjB`e1sa׹)!]+Պf/^6y[a@v"혪k'B6 fyOВX A'e\՗TqO~E8~Ivr} v{E0̋-ur+Ǹ ݫ"4IQam,I%y:pz+tf>`*j"άk3;(25O'1^Ī\xrT_5y{!BH(0o > wj>.%ՙ#3SȾANlU.DU2|9#d)3]UX.=zEҹbowh1g ~4H.0 0XՎ@oQ{reWWCqUR%wi VQܣZA!0LNB)d I> mv +#}0b"eMc"}f nEp@Q؃Ā{1^:Ia-xmz.,Dcwd'Eg𤵢Xv?aXt1-)J9M{,;{}.c>}$O~¯6-|L+dbَ$i(W 'pũ'Zε~w\'sK遛{LJgдDDҟZ&9jI:nge[ejܣ>)IyvYQ4a4$,9@Ͽg 9'4Յm#U|ByMgbݱQ` 8`ձ T:]kǙ_?z\[J=Z7jj6i9 1@ T-ݗ Jw։IĞ6t~mWjm\:gp Xys&F~,(*2oKcҡ!fƝjo $h0f4ȥ ͭ6A/ c& lerrbEuЙ.Ƌ!U\mTe2k ϏRi·yɧH0.=Wp @Rd!H -[ۍ7 e2(zvH@ĖaЭ.(H˛F w[ĉ:[v?;|y~3ʟRS 1 ng1p#4nMdd} ?m]IQ Vg}H ”k6ׁՠŗa%=x]]*5 b4lzr)MY #h@#aE :K=}5w Tf߶è(SbKCO(.ӈ/.3p4 CEj敛!Ô_ҰIcE~yk!9YpYf$Nsp=ؼ;֗7pX:dAGQ/HfK9DE}˙s"Ɠ?)1Y1"ԿH M9 Jeo \!PW9?ZipD[Zpr!!j "!i$}|F<<ЩoqIlWpd*fD|p< E9O}fYlR[)PXu׼NX4xNlt*V,㪎"{_jn.T]\:bѾ3So25MJ646ql`!cn_9S5$!0< b3 ~Sm 0wAe˿F$˨gg$,R[ B,iYogJ sy~t)n,A?UF\g_H7Qfi2D28qʗ'cg%n&L޶  y銥''?Zlh`<]!JƠj. [f6j_(T,u\(Rt6HhЧ/:?Mk\v [O!L2j)SmU#$8 ڂwb$ WOei`~~A|0W|,"d+o+.8SעuGloqۑPsR>&&TKˠ`_u>kٱnb?0U$Y[|Inۈ,R=& <`&jud\kȍ~ 6d:扝+X+Vgd_0#/`~Ҳ yPL ,c dRzTau(Fzg7C$uwn4/#&_ÙpII 0?Vm6(fCܠhTU[uiĸ0S8FW ; p g'll|n26\~Г5T$1u;[\"@F\Oi0|;ha[ݵ}ss/!HYnV-@}.D"h!:o\aٶ]ayɐ7 )UMDB $T_YU%| lC>,6.E9sQRR82)Fy.O4+g# ;*g0) ߚq_Y$?8x;̪:tpu wUOcR,׎_^-󑇿O(&" !Of@.=ǻ}35&.[ e9V3";RcYBHuK@Oh^V!8O=#F֐HG OJ9%ȡP7b'Ҵf2)b%ɶK\/ȑtd4|kӹy&ի|L?9nNFD?6/뼪@[(e-å(w&3z4[8L=`y qƇ~rqd3J8˧:1KͻQu qUF2KK2.Zz5QIj#eɀv6Y9J;'g/TSsr6ǺSyrUHc_&6P..VjH8rjQ ã )aO+8[rdo^!{a8 F m0 pNϢ,JFlB0!x*pIlNzm nT9SZ,Pv~5qF8SJ;T $`." qaTՊN@>hǫ]*T}EEgyC;sD`בB YC`τM$1qS*rRPK?ypATDv0dOĹ /gwGrWzz*Klp-ٸ(^EIz=w_Mq78ͧPTs^#85hYc M[CLfYRzkgV ;9ۈIJ9E"jv&ne+ SB{N`Z$LV/p2pQGO w)|UX8}mk&̋DtI9 o/f kmCx ZϜ̺+{-YnbſWDB@39K;5$wRuYH٬SqR# F&Dyĝ%Wfpʂ=T|bDYrU6gC!LއrB`r*&y֠я'R"Y?{6%T^3ukRU:!IbF# bJ=poWMi{tkY-˪ z=3LYf}|S(DžDn%VN7PZ45ANdMX Bym1EסRqv"X=zgU_I4.T!Kf䂎i-ecD~vEOF=@'X fCT֍01s<V~dh@#t@3GQ]qH #5n !E]J]ywբ^^ɜXm:j  2Y]Qyf"huv!زI#q燧ɧEx*q-8b=MVIXڎ.C/^CXO {i^2o ٱ`՚yȠ:N0귕<[tM{04||aN)+`1jYVM'01'voPӺ*x-l}-/CJMDagvK0Hz#[~u5M[ә~%O۳l1yī_VuKS2`,oYP '}3(շj.nd8!%$PqP` ;Bi^Ba(5~G/\0`ďN=[A/zmп1/#CfpEW`~]{>oCǚc<9FLG5봮oSǪ(79as.4_7]G(m_5H2&{ToCgnK&֋Y筺 jFa;k: ؈ڎȶ݀#^n_S:Dv>t tW/A?W9{j̰)?8 6tϧs$}jU=Shp7ΌVIzRkc?xRAǹ$xJtN|ƤLVN!z8!4-|Sd 1:0++hx'w Fv{1RB8ʾ-̈́dQB\bmKjЩW=IDwϺ0Khh$*.v.h&m 3A)w8D%`k ̬2Wvt.8B_YbhIAXG*2 R^!6o6 z.O9^TI|Q敋͌d _spWQ$劸s!N`aS=FV$c.CjPMߐ<  nl($RY'a0=>Xl<"ąI2o\i1W~XV%7O:Aӆ&Nrs[Z㯺:GzMœhT? *;(tm"yv3&v۲>ms3"d sΡ.?^oatjSR}!$m,<`nb$~ap&r  _?7߅OHAy&IC/EA{&,4ݥ 0m+bY[ZCgDF*2' | S^d.ds \?ECY O>fg"QTmmS:R{B*I{ҥ`NĞZ]h>j|#H 5:!,cΦI9#IGq IvI<^Ir[~CR]0ҽ"O=UM[oc2i z.9 ìARʤC]{,#\y ktAؾ^fDE0f uǍ(# K6naUAF="x[ HC%nimcV^i-Xa29;w]$VB(#bPY:D/9̦u6Eo!Ћe$]2L ̃oSeP,*7f^XY8V3MP:L3p.[MG4h r2d4'8# lo-.m` Ea 1vs>[q L3 lRxk͙ Hu?c5e}x M;l>I͹,lPٵX [FnLmqf.i׉n/uWA`@:{c4"T*Pھr\GlR\>2>L gK *R36zL޳;`(Mjj,gna,X+g#i<6 3^'&C1FǷ++Y2xH(\!n1ɇ~VkƏ5q4(|D9o'ܗ0$Z/BR. O.w^: N'l2"Z1\'>h^h`<@* Ku83cF"5ZVduN9* x1f.է#1s I>J_ﳞݚ{SL~,+Ql O,?xʇ%ܤK ;x[=}6TÛ+Uf=`v3b (x"[`< ^qQX<.܋ ON%@ Pv9y#c{2ۭR rMt%_VG|0$M\O3Ź(N)l6Bxv3`S޳,[0p&m@h᢫ReaYn3?N- E[߅`,B̛YVB*p3fwHq<>_2F#kX[47u+5R1Z\{8,;X7?,Vn{lj^vߊ|8qNI쥡O5{xF_qw,cL.03XQ0ԃũz*i:[pviE[w jl飤I1x:jxǷ-p~&C48BO Hm`# = GW5VĹ/d AwP/Rxl~~3XXF`yfB@L`KH0l\:0IҠS شPlx!rF8MtnEBPOWjH-̟CM_{}UfݿIUgzJaÒ]6&^+Jh+a%0b*W# S"祹 Y~zm=a6gMqz<<ߊnBYehY@ѠQPEc-̦ʓ@o<2e#UJ V|Bֆe.G:lCM_BC ڥաNRc^<߄.JuX6[vنSK7U1Dm8tSևG:Gc4s(Ѹ?C[uaR 9~ !(X9kd"R̩:S2"fQ!+Dk7/\*\\s-=auƸYXT:a@ 7/oɜVLs!ED#:"(K [|%Xi ʰ Ե/l"9 ߳. @9\!38(;/-[0ҧ+EurZ֢@o_o,W)1bABy).B{- l:7[{;]fzM4TK@^I.'-QL2y3$m财yA :c(jPbP$.3F>[l_Hؚ; \=^s5IA.q9kW93F(;* ݋de"*bɐhk pҨ4TCUX ,1Eyݤ}9[($\8_;"-ApC3%C~j28X幺)O(;mW|J]P1<52tDfF'DZBenż:JL&zG*G1|N܊؝rmETHBTHK|{ ~UEb䖣cfAGG[B{= (GݑCq/ö6 #\/f0΂6E%]=s(zȞ蹦|N30x!`٠yH§eߝ(;#hG;UL:~oi%tOn[4}^ßHP1|P/Wcٝb^b-2Μ`KKoSbF*)Ǖ}_s ֲi-N ?%-Mcst1GnW64g:5jDWsָі1xPͷqLU^0̡WySMOVav sfwdIB_.dacvGn:ssg!; 9.bz}=t.(Y-@qU|Kf8TV&zkm7ʉ@Q8ھp䲤/Ӓ_@3k?}Dkq`8tț-P1dKK2V'͚8_"k :')\cZjKʺcNtʿAZU =U[ƫR4,6(;J5(C۵+uc`VΡ,hмR"=B"G/Iic.Y` @zY^!d{1@(zfؕ e?X([Q'ʹn' .(WzlK)7}f[d'Z͓hֱ=V2+6Lyaep7x+ CXc8gB6QȧLדjr*ӗ &tC{$tߛב EX8>aDZh)f, Heq3/@yWiaE<U!j A"gaoB{,a9pI5'CR|yTΛ|jA{ȯN'E1_׬J\,{F6@"j i#*uJApX *&,D<'`D'Ef AaWRjpvUy>ihձ|qQk?Cc DPc$UYiޛ6Kf5LH/KJr|I꥘HtԑVl҃>u8ߦk#О!a͐PǀjC֚iynH?tT`LdPDg9`}DVa= 5[AXP^`)Οce@xG5Ȃv M&/.bXoC M *dF?d6K&SHl~gTj 3|&t]D!͖^CV${ K\ߥ+=~"-e[ ^ųa r`iJ nzFv!;ɌY`v|M~YUQFӽdFa<կ䏿΂lZJ Z:}CLo] ??NnD܂BA q%jSW9>fߥtm[1VA,菈nFw]"<Brcb9cL EX%Ksf#}Ĝ1:/ XkLGʄ2,Hw`ž< IG|Жg9$+ D-"e)3AӃ ~˂j<Lh j~#zɏ;#73[LOL"rY!F;"jjv'|C43EJ .%"ř՗ dക=Yie> *AUaV]Q&NXf7iuqߑAG a߃C`zAAy)`.BzAKmn֧Y?)(G>p2hf1@7u]jϼqE)PZ`N}unsK4JX[͜8.:(VN_nK^8]XhX";v8Uf6{_iY 2SF]|%#/1?ƸʺePFhV=/!E(LnHPmш U{΀CBCЋV,2ECq~Tٳf7 uRPڌ.TYT>*z !o}|ϚSzh8{A<Xb_47u@"Ġ6Ôvi{oN~.MSoamY$*}~ )+{Kfhyef'ECA!&VAPQ +?>Oq96#NjCEj9;Nx`C gq:/cK2FUp:to;Y< AZ\6Hqv93z哂8.ʤPV[o9g/5>gaJb2)=EPʵ܈:$xgSvG ÿ?YT(BbxO>|5'*j\cKt4M ?3͖#R8S*V4w_$s+ ז. R՘'YP4SjjcQpLKʼ D 6|tORH{` }?PN;Ri?ޞa%M+9{& er `}N6A?ܛ>9f6L~381lnƘ1I85ܖtlQC'vDJ1|;PYzMTpHԮ}6`.y'n74=oY$Nt5-yb*i9K;~B27 l 1^ NDѕ '9ǞyB.:wUnZd_JN3ܤ#$OgF7"J ;:\,KGtypm)GqUL{AtOlsr$ +)q+0 PgIpk9FY.%o[(Gⲍ TrSȌžSx^:K<,yy/KW˝ҿ$c~}ZMWV7+fRDH*h_, GP%?ps'(:7u!Ҫϓcښ&hZmvԍF% ׺-_Q!G%,,:X2 4M%؉jD0ݐVV;QQy*rւD /W$(0c#gicx˵\gEУ1фg/MC3ny⊆]Gxqp"Z:* c]f=\ R4y0;pw@0#Sw75wxކ3tyo-i;]Cw?D&#Q%Sхw= h&= ȧCn}!itu x d<2_ot_aKLa P=NL4TE,Z\c$ f:XQ{K+ $ ד ֯&=I˖TLG$; M/ z ~[/Ω48~Lq0;14}ošaF^2)+%7{ډeY%r  q?px d*[{ \VYrycr EO8c`d+{p*$kޱD?ߊ?Zx;>-%eIO;tml.\݁6"[TXB_ݗuUy wl~[-S 6U\:c,:؇xGS5NܨM,SMWN@r&Lio=uWNe[K h(3pk6r}F ^U$C~xos Z |i7 ]nv@G[Y3h'f}Slͣp)ϝZ%:INDS9qh]!8ӌ*,u`ٛZtCPC m6ۖ]YohN*c n]񹖮['%4Ŧ+vJGH!=Ro`9ɢx/HGW $uu9~{`u/jBlv$,MB?hhgmnRID#p[v]L'EGEuў! ,2>9ZL0}Ny ˷o\V59B{H>ʶ®FP{I8; ^ER/E!RvYq+!D ~\EF P8"6Yk=1ܔbX^Oq w!R h$wQi,BxMg: Ӂ);S9#)w(?+PAj BCoR)Lz_fYUe1jEoiY\uyl-;(>M23*s}PvW-HU?sA&*}D8@X\D+tK KOqq`Y K+''Q;4t*6W<o厎B)Nj!PF$^y)rR/F0O%/Y1ß'|7Q wikYEXC%'s(Stu~񄈴FX]ޢRpycl¹j7UΕ "gIߧb=&;E{и)VNT6 7eƑZio -\ JO T,2ˀx##Ml"v`p?vaf/Dڑ4e-8h:,{L-(B4H3Qv4Ej< ;sҶ4Mpͬcֿ@FpTKaD983b5XL(MZԹGItK9dn/YqS-thEX>%cWpHV\uz?~o6:i;WaVOEǫk#jx#,rBv`fb/N1~Ru&|%0~8XF4mwjwK0#k*a˔ޖ2/1%)Ң‚iQӥf7-v4MP dWf5Ɩ{Må.Xf~]ts;nK>w7I%X]\`0>"X9e#upײsYu\ a4C,b5-UwaA*q'XNJNQq87.Yt 0?  D$"ͱ~o=Q1Vp4rpǎ;MCnU)1"C +WW qG.9E8Ma uG#uJw5"õJ&n&+ʳml$ðc:9Tn.䈯aIvm2 ]o|\CJK=B|BsōlߑDWgic(F(73GV,~Hubzh{(^! (mU轟==(i({`Y2z0߂V?Y;`Z^RQUm^bW7x'_0Ȧho(}S' ሶnH։ u8/=~O/Ϳ,[oLJ8}oqy#pm9pLZ:>˶ibXϬwܪ0L]k2*F#*h,?ӆ^ vG_rՈ%JҼc/VkH9u@. 5GNWꁇ$탲W.ˁbk̯{LanehM6zJԐ$wt.PܒmFނo䦽 >tVX~ *W~0g5tlK'L'8 4o D* qayI()f/nSZcwxr^7v y@sSCl:Kh3{ }cӆcYrdȩ%,[7S/Ţ u',aV֥DP8tI!zuL )>QxUtDCK ÌʮTn٬|ݏ KşPڴ8=tRtKY]3mdo;?^Yv^1_mHuً)?Opg> & [yzPtG#(14`\dL8 ?1Zl ^ U艡V Ֆ'Q(fP8h[2h]9/|s}eUpBvq-T8TDHB=rv>^YDpw,Μ;>+ /3y٪ihD uo 5|3hL[DX_K]ڛuBQ[}EU tfwM0&,ǃÂZ<ӎ 4fǵ)Jݍ1e6C$w}GJct 8>痛LXn\kQKS$*udl/xhG< 58|?Q_V%zsuNb ji:;"T!Q:;'fdHA9lڜ.EwPk{Zˆ8IV^3%о@R)2$SXobP (ip.k%fuLm=ƞPm?\==k 0`8NLk#b0rNYU@#{k%ϙC ̪ZG2UQbW˜0t#2]ֲ8ޥO~}R!Tj"ؚ(}7n{԰΀~7C'Y޶UC40/Rn ܦO\̴xV`8D!w_ x;y@v7BMflqvKSQi"z DΦ#ALʦfeY{2V(p&Y,]JI- UvM 4olXmCQҽaFI2쭜E$4d9Q(*>7<zC^G-НpUK}@x\1Da.dƖ J|2㢓PʒW }LVo5M6adY;l G96r"YtPfqS*C!8ʞz޼+5琿m_$o&5w\A ,}} qvVJeA:yq$~~ێLϭnT[yP1$,2'a)YgOzyۧE,6dsWeТ97KP7=7敏'Rz 4QwB)-8N4{`rf">y4- %C&WׁF(-hQLP~~W,5Κ&LWmY"=sп/99`~#eл"w_<9HxQ͏:cMf,ef FՑ_:rsH7dv4~;ٮi7 ^͡S?`]K{_ c>)GƮ{xbīBF> )ؿČ1-nK}x޸Hg-\rUu̒+^#g KBd'&?yR̉"8ZV!DosB?g$u̶V;c@G\MQ!GJK6ѯnT"bO8X * #;bKNk[ $N↉,Xq׌7f37'z{i Lӟ#c_xǏ].K5{beM LoPKiدފl;4hYRJDo'(ByuXf.cGRD7ndJ06ljO9Ck=y\A @0]yo1F= S`"tͲaU rZ3柛- JA2_9( qhu'y@yr549GS6Oz$eP?t g.{\eN˚R'! j 8vGڋCtϨ2(j c14Ub %i%z]Ay" #cz8Ce Nþ(;`b2\o>/W\Qݒ1h6X|"Oe _iԋm^D0UJRJ?\W}1Bi=%@1jjA_{$ĢZȠ6nLb!_)o'Zۋwu*eAkCWm^9#(Cިzjնc,y:F3`ۈ@NdI-n6ѫXyb8Ykǁ1kVΒdB ?G&;c!ٺ6Cyrm!5ǭ8UlsɶV&E~h֦pUF 9cP@Z,~=V-, qJߌyN%EYDF ѹtNmmliȇ,8t]lnfEnBM:~Q%[1KMɼ ڈgBO߃K  oKUO8`ayN,Y=TSR(/ZWN9,.s~y]O(4 [71Yl@(Bhgf@/p \A!M(zw"hזּ0K\a)]*+k#3?l;4-q9 rX Hr$WrvNBmD.\a;èW<|i5~4?Ͱ-`/mZ  הV#t:ut8xWUT`"d7]B1<.PKx,Iywcȭ6!kLrVv"1JA]R;`7WG f3ߐUy QH@[rՅPξ:fg42LY=,.,A0#]tB@S51jYh`\UT@Ǽ )rn1Q53.!i X%pfgqG32TD>%/O,G@q _0u{jq L0.;^]ގB^.̙/BCըאZ<~%eVixDVsx0b e,v ̧V/Fswܽ~b݉E/ueh"dzd^@8F?`oy=tv?IMKSLy8>05z:01ݶJ¶ms8$GȐO?(,d|9,]J<أxVTWzZ;M\g .o)uD+䮭1OK+l.Ȩ\j\@:?IB*@bByx'Vx:ǃ=bMRCCb YSf f,:UCXt0_:rQF?:,N: U)d|L":f-FІ_\:hM.Tw:RP-.`|QfY6?l!C :kb[4T&XνfXBա=MUQ#с?YrkdnIt}Z@顽S1a_h|N0d9=&kQW}nKb’N69$X'>xM1pq9W!HE7*^Pc3zb!/4,?E  UT7`bЅzt:o"X;~~z\ăiRym ?4!fh0g1|Y_ kiYZ_r2m A3,]oX!AS.]1ą< G_%J@PgC!^i0_lܿâථb lryDiemm(9αe&6KwItMFRkN*aP:[9 i2_ie^9IIuψd!1X^ %>Ψ-HAci")e{C&g|oZ3L~{}}ukDOHPEa6?Пx%睹>*nI_aơx_BMG[Z)z]hQH0eI}3ZRX.0sAVlR(%I3^Ph`Z(.2/!0`WɃ8Hfޫ-xzя Թk9l`~)`@^|ڹvr}=[={}7Vf!cK)?`dIX]*õ\ڔvo'˽g$UdZB)ߦ* *W9x ^Hfc)vboihv ]T2k` x"J>0u"yrݳ$tM,5~+&w| Yoۈ"5{t{VA5 m!|6¾;@{m[tA% )JN^]XkMDX㧙n= iǴ 9̏y4TXFq9uh,~<]aLlN(wW5\ށd|nc42#k)}ZX5VWk*UX0<&+%!lgnh8 }ƨUSĒ箱3) `8C#&m3!4yPf=dؚ)D2nz}tĠw00G Z%_|3]"eHΟj{,Ku$8' t2y'!Ջ'1-Fߒ]!Yo8V[2j쭜i@!^W{$ ofw98ntTf"`˥i,upKl`w &izl;L[^`c%A.gM*5ypy&jqi_;:Q8#;:D8L߀iZ]ѺS|]W̟ wTWH49l,V~UCi++FYn˷$8TKОah4mՌN|BgRޖrj6a/v,-;,6J[li(B˛ЎC65}GZ1=W[ĈFRE1I\" CSF3JcAo&}jFrdE} #Pn }~J(Q8~KL3/J"T5oT޺DUVk5G9xkx*KZi|U`M!fњ[K"@?ί) Xkb?eiFukǫ̤ A`j!2d H-jfV-gׯXjK}wM]FEԳN"eV䭹2.M8$hPxGaM:&&X:VuA4 ޯ9یPƂ??"ll(Fqv[T[ij $`|IjC3~ +!#_G}3N9 dN\>bK([w?xh}$I0[J%?V [d&&M,%"~ g 3pFssJO ʷ6yQ`8Mm/RhH : xeJ v)suKUE*?FE3J@)<Oo$ק)tLMrOW 2HދJ%D,e6+V|"HƜξEQȠ#*t xͽ(׬wJ-ZOj@'(-u{zT%))akj͝O"s=d߭rh}3Ւg~bQ c9x&]# ?ƽ^8˴"ylnp_fk.]EИa(DȚMWՒL#òmu w`uPp@HE$KON@&kTk5׃܀Wʦ饈=ם쯎.؍ cD҃č+! ]dXLAT HcLW:!-*^V͒zퟆ"KJ. EM/ = j+AUQo3~"P`U]5|"bvuDn&u%Hk ق& ̻ÔH /n" $JUA8iK\"HS'sHrnj=m,b Fy(vȪ0F☷8wbc gKtoZ8 ܜjd+vzKH&~]y!VjɭP萊NSr|c`n7:O?d/XLMF_ *|0u ?Ty\k7>NjU?V|_a X4 4mikGw)8?=&:GB6L8X Z'D%BQT0D0C^mЯYtQdyc6 FSn7~vLޢI$1~|]s Ag)61 ϩ;1HU P-H &6 [=Y2>]Bj[cζ5^h_f/bOټh @hRi9[CꪠR>oubفo;HR@rt(5wO :n ĠXZL#aڛd!&19B :f2#S2!;˼ҥ KFmQA>M=.gY03>dP|[9pۘ唶bEA+64\^:tc{ \DJ7Jcq 4XrX^60Э [ C?+nvB[*`9ʛBӗB-w!$H^!WڧzE(gT]t*;w zˡ1[409(yLt μWF{A .YIciî&+B ibS- "V~N+VY 8Q\j ڣMʱ?w)҃7m †(PVuL?j6`}MN;Ǥ<Z ?}/x4UrD&,U;} k;rPѶ2 ҕOY)7/=s^l˗rEFM1uR`Eo_, U^.Xǖ(z8b5+ / c gZ wY ؗ%(mlL"yYBV瘆~}L)Xg/&ڝ2{U{Jl~@q& gp ▅Z[cyʦ LVQKhIw8eѩM <+Y[%w4̼(5:Ԗt#WeKTG VxG~@⪑01̮V9KN&-B\xG헫H= iB6F %/ϚzQ;ٟ8[Zy{n|"v Ѭ>L8}Z_^xԠ9p\-xHs19g}cljXo ]$ l + xb 1q0XYPm3]2S mHI~F@{tl]֥rvN)߉$E& _\]+]"&;?ѥǐXѾmC8Tt84l;UT2rИא(/4|#i!I^cy]FO?:]Sz ;j\# |r?L7~@^ǏN5T3&$}x-6>aZ>D^uZȇtqQB%qlJOXS*z$8̱"\ bd W֬)/Zx\Jt)ݶn‚%6Rc:R)&tyX.t3cijRT #j#K-0 rMi`#!ҏr4{uBr'%Afq5 *hڽC7tчw[Fєζ({{]2ڇZS{LxEB~?zx:Ӯ,cF\Fؓo n5eX& cPA x21Zز2=rZ{#`-Mt*.ipVkIsQܗ;u#3 uriܜ/Uʀ2\Q'>xG؁wN=NͦܘƔӠk2V7YlAC:4۲oL.,+5IY mx,PDJsDKehL>DO7zDBצj ٢bKqZ`=,BP¹4]yMoQ:7BgjNU2ǰO+L`6y\.+nX"/Fcm>ThJ;rʟr;]CIi Q Qf` 5V`L0IĚ%)>Yt@դ%Mf00H6ܘ> ҭ~X )U֣ȟ\*etÅ6mgӹ^nZ<Rq$7 b(R3),j"Jd$etrAK52[ip &\).v^µ9jO+%P X8B^#isKT`%SsEF$T)!Ϊ@3⫰#R,>H!PDTG5< ܗ\(?T| y w 8Ƶbk!ĶfY 6n%PV{Fpѐf;WQ;xPD bfRe,XJ k ;4oOB\#?̩0+Tׅ>z|N!\c {ݖH@QNq/""?RN&FάρXll{W9MH{[ptē(T!3ʎpDF;|.2cE1&vs.iZ-E-P&#>UD^,hZ4WgեݴfC@GvOu6hȽЏ8ͦJy^ԃaZ :ǎOqpt ᙌbgɿ,㟣㣣94Ě ƅƦwX1y&`J0&ֈp k+@3FMd&^4$Gl(0ԣ Q 0ԈG?;)ʇ|tT13+It~mHu<}qȢzSNp9m֊/]٣KZS+oߞz ^"/{2 4GtcLd>ڼ?mfjڰXC|}uǟ i% vPQ5i%mVʷk?n4S;)Y4Q⼏70Q7L,P!W>c-B8r(xwIfԦ+D >JhYҘ Cah)j,}0'p$?ٻLe:K5Rg*7Tesb*wzF:ru ~'v62DP1Ho?=9iQ)&M€csxg5[$A53 斄!/9Xinw͵7~skfX ̏35Q#"j:lsK[b>kDRs5_*BSLeu8S!߽ٻM!ٱRK-r2M 4[#X#KUupOH߮?7&Pٝ-7*n-i=333#VsڥG6+YDpq [1"!6$Mr]U)^P GD{"z?i[NjuH>!l{IG)0(+A!^X]A*?'rz¸H$]{ |ѐZIaqf"j~6 m~b@e <_٘GO>>jYXW.,ucb!(;xc*TGCu PXW3M$R$n[㷷%Mz7Uɭ xpqIk*j%uЧa{;%6b{B,x9" TVm5|k3YAj_Xd:L#7ýq_5⺡=ԣ,v-NTӝ $ĒOFũcubb5ϤoC=)9Sl61! ZRa;''eya\[F r`/8Kx@mn j9߼R4"`M t93{u F|KbDǝ.Mi /<\cAjY4cW6 yFs0sy6a$GZ2"0 yR h٥y)4suӳwÝ>ODl|j`hZہ-fR 5p)0lM5v^#C  FN= yM TU.3GT,Ԑc<Uq4g о:9Hk:h]̈́&Y'7<-z/G;Ӟ` : 2ކ0RN+lGf4_Y">m\/e{uLZt<.@Ȕ|uyv" ϝ*?H7T xXx47.Ǟvl=_ܮtfJR[doC*T񝉹iƓ2k{8E#i)S.lx"G#xe?Чqc` ZBsS4PR~%rl*K-*/K?,ִ\JvpCQ?A?ni)v MY>QV1_ORwle[@F&z*m#=6?HX }naqҢ}<ϴmP%~[%}Ȇ%H \/V(K'&"]KB)ƌƞCA_ӐK^v콭em=.uǮHXgM9=*[ML(qCHSg[4c+[(/W#&3A:YHX33>ךdL&̃v6@G#^-l6Nj4y;4xX#'rYˋuǫ˪;ޞ]ķԗ2偎 pF2FL'2[?0\ґ|Q 8Ȣ U.Y|y8ct!^r%d,Phk0kA^#Xp d.؜L"7zj4ꢦ!! -ݾ>N4lW2,qY "EThHәuڿ%!,{smQ 'Egf9&#I/]M$P-D]r6,9NRP!OW)-q3(h3„ў(2Žmn7]`L;jA\r޼c?IhGG

c10?.av+d5rR>VGRdkdy_@W*UWpdtב - IOe,.BQ]Z@>^յrtM[r@ ;fYhdn"+{Z`ʝo9!$tb>a9ih_z347+Q}T/ɽAD+Dd? vXTw}It Mu-ݿ?,1](!xΞ x |:a/YА|'=慖.mR "&s mǝlK>dm7g"撏ǦmwԛX׮q.@큓Ks1`z-(|=}Ўz9*<}ugRZR672j# <$(ѹ%1#_!zU@j]~J/ ^> 3x9,aHdłyƧE@Ne2u-@?@?(_qq^bWʇXW[Id؈C{:(9m ԝN8pB[;F))Q ,WL)P\ut(9^Co\)"VOkHy1Dn:cӼ:-$4oUo*:)[һRVe$qclɣ=uA.F_UkP4ɠ _JyvOfYzFǘ9d UՖ8r!*yW`rqM] EEK.;Ri ʭ%/+("~>Z`&g$(ӾI;w0=lWPRMvɡƳo7AJ<Գc苿^,rڦ. Gp h\de] huI PEߟvpMkN&:`zi{,(z3|vVM۳Ç9u"j0ڮ!SORI&+r{Կ?!bd؃~ WW{迕g,ö{ީ=_Ps}RB~d>g] +NہgC\evZX)MR'{jaxQ?ؽ&,NSqu[aAG!5R0\ŻyUtǓ҅il7BGd4VKÏ歪-]N>qMu*:rUK L]u܄L/L.kF*bj=4FMb(ܗ5v+;ZgPwns1SP˛oIip^Ep4d5u?ly)ʝPx1*~ivaGIRw9B+YHeo+Z=ظLٌ ~)4yް@L~R -ʿeC@Q$ B*gÜPh"HjZrH0iƜ뫥h-KLJgPgʪ%02D$oC$qgp;:êDQitTg" |vU6OYm^54!/sz`HQE&~:Se-lnP9VU ozT t8C0C[DGo,p9apX 榎䰰YB%=]Wvr "=%].[Aa9=wzPX|Khݵ'5{S!ej[s5z"0WfJϙ4JM=AhG ~+]kB cQf3bgy[GR9~}^ژUd]WqKM(2}3~ wQY>Xf`Ck{>c#ԕ4w5+(Q|GM].+h93"^/zW2.0 +]Y.&%Y:#JHЅUalO#:lOfGE J)CԈx +Ll\ʥ79鏁d#ڪ[M[0cp#0-G$PCWc[2 2TY/6a CYbpELl_ՋC(@7x$cL =WL.!̓nh.E*`҇xy!I ^ & ڙ12%BޞOMFE>Jū xT%E12sUĬ`?}GFU31"oES*xOu䛡E>fQ}хa̞E7B6Æ7]C\ztiײ\䤼=j f=bә]c `tIͼVMDv=*ā(0 a/fRUtR@}e$e;Nͧ0Ia. [O%MIrf^e[Hg }_1pAkN"j^ ukq|qTE-q'ϿL=IyɭĴF+| D0VUo>|&8 MaK4*fnzNnL_Z6Taqa bK!x|EGEd.$ךxkͰE֠PYBL:jBΕ(ѹ|ڟ5#!bu_CKl̘]W֒) =J!m3P*yanj@˂B٣Q01mg#2ADuo<d%An;g}뤣;MaЄ,kݾm"J#3}C{͑-豝!͇PBxTtcGŦfxC>+c'@|Ó9f0 zs<݂]s7wJzFBUւL]?_qO\AI C+h7Z--2;(oqn2c>`ZO3ӉS%5fHWgs0!'4(ˍXR4EH }Q I{)~r+"<1YF!K51n\vXG I9{04NP}z [O-WLTR f(\|M+yK(.#J^u6]JDr)uO咊OHspYgwЦ$ @OQg@722/š~a[1`eފ8 E9ݠl&HdU1a&efud"(ɼB,(y>;8(YfEEAdz~HsڐaĪ%)$0Ƿ 1hͰ`YИ5XD2 zpEnr4xb1L5m tG0%2i8XFz/t!t4x¢a[+JZO7֬xFE:v*[!Lхp{/ O h d}0*ᏺk"p7:mm{c?{߁UBM9h=QsB@e4U[ǃW)z]`h \³U^EOa^l߸|SM}mx=d]54o~i136- SOs#2@,D0Z9]1Yo%ce[-{IXc@lGY@F3>9eh7ĵĶ"xJFh%afYlaci'B<َFH:"f_/_ih޺tzJoF^FQ)cppgj>e· )A0冁Pu}3HdK Og7EUh)EfW N{>lQf3\ $=="Z~X %[xjB&C& \sQF[x#j(WOwL"vϻR o[,z~|> }@ /=՚Ezʑ ETw~g$va3B%G>WCIJ ݶ9_i5+3` <2@zШ@jxk>zK҇ @hb4*c tP1/m @mt/+s^lE -o2X)iU<:#< ->wIIu4\fJeJ}keAPe2D> gDŽ6ĵ`*$SÅʅ,ʏx2zz5\pHN;MHJ; $z2(жQ3r#6v?1x@NZlW,LDDAZϕ{f贻@!ES@6)p IrFWAU~$/W%e<-Cq#>_g>h_JC d`40F=߮!dBq.=o#%)u9%ά]?4fZz.,j{4(`,-NR)Iܰt&n[Eɍu!Q7\ꦊ{Bq%KS?3ʥfiNJp+͂v7٨_ +L(i-AsUD3^x2[GdVnGDTEXOQѢĴ A{M,7I#ե~YC݋vX-*a]xucʱ^g1彯i]/f ͜<+vJXv:R:+)#q'X$/t5\ݵ? ;?3^֭q-= b8Mw`w-W_k?sU!_sR8vL~;OV焵yt%YD8*B\+Y2+/A̧(t($ad*N6||UІ"^>b!v@sz.a3鑻֔G>PTȡz+|oC7Te{2x/MeoK@myW&(xF}Ec-tBx y<-%fq 9-֏457 {9ɆaǸ}Z àouzK.f!dZouG/ta7aJ5N_J]haYρuiRQDxJl_D1vU:~0af Z2TiE{Ų_'djlRCI1YU)C2v,KPS=/@9(J =H_ozE!NB LadãYHcGz۪rM*jh]+H}F6wb ߕqjq8X xzbe^)VM--|_l>;護c[Y>mƛPYhҬ-/ -JwF_!R{`VUKfNI>Tt(h~[QQjSgDVv03P۽õ[7,.c '[8\9$ +0;X9.-eVБ]c7쥠~NҝEE&`-CGH i2ϟQV %i@>VCIsncҘ<|qJ oLt\(bKjwK- ) _u܊_j!rPU9j:a?C֟yV]fI V]Ye:g^n:š\W#,WbsTҾG` #ju2ݗQmΰWɻ!esMQpצ3x32O4Y(l`^WnTC۾uDK&H 먯7x Jc$pEvJغCU&$*qeIzU~ಿy>r+ ~%t#KITWDVvVou^UƠ*#T:ﬧ}z?{r* uQHLw(ͥ\GBаo;"sϚ1-Ρ 6;,y !!/xΒ,X|k T2,zey-+֘\P`9pd!;F:;`-N`ؒ|.CGzw+D0桿`>dq> cXq]1C^t>?xZZ83=Tp&;ꅷ@.Gfls} 3uZM7E^1]{2l_>lTisg߸XCھP]_nU1nI0{?O ꍩ>reFǥ<4=:-]ʹG|,=k@ ,~pҜl&xRhcB$9~w@Wb%{R }$0,\q]~D'.Aqt\!+:Ŵg+\ϚĬcY uÅi|<[D;)4dndM6U篗Q?ЍyhQ/c/##S@P"n@#lйRs~ fםMr!olK8TU GwXʮi G eŰuD]aaHu6AEJ, *MB5-Mlj'\Z&obXdŠ ʄTpخ #[W(`ڤu:$Pv5,\d_6{)TfnZtfg6GGC.]cG֦\UY joC -[WHn:JWS8Y:"igIS=Ic_4?Yy^"P)rʢ}Ja%iӠr$ctx4eZJ=b&yUC2p4ݵH<N\3 #y/D_JM(BDة[ g,P뭬yc^P~EkVyt= ܧҺN q@nAlRO|5cD>\SSƜr?&:d~˲`kVY|! @`Z!zf,,sVs95vZVX:$:ȱ H$Ԟ'8FT̪y/ V9){cs IUU`zۑz%.9/ rO7i>8Ĩ^q5Ïzmv&RT=%hx]z*Rd `n7W>;w} GoWv5"D]&$ިV?R)w400Е[u伄o!%;/%ؿ'fxڃWY@w1CC =mV7Llo^eM"T [Q}!4`h 0_J(knl i/zVU]֊=Ao&_ԛ+si30"3In^mӖ(UP_jnsʚ/^ɵIV=oP|/l.F8L;3g><"O|'c4s꼄*ҎlT55=ĂwZNjǦ۹G*m[tuG1يߺ#k;S>x>.?X>Z'OjW uE:MVժH$>J֋WÁSpGxDb򰋊'gQ!5:,}VbzfGxs{S_ge —l j,VVߟ3s ms aG=ҾN[@g8m00@'ր*GΈn.wa;4%(F }&Rwu4\p \Dӓ(YkF/1Z6 ci fjyeIN!һӳOi? t u#MUjX!Ga/{O3U*r+z22kQ {!Wġ8#g.>4pLPJ(4rz!ViX\; Ngڏ հJ xss٫lzҴ1p7b Q-.'AW,nU|\+>;v#'9]7@YU Q:;6&Ua H%OSs" m^u֦h''U884}T{7<ّ!V$)"6E7N_? [ϻN%=q Q4BB4elsy` U@ն䃿>{&O~ }!SO,b2zuoRX*RftVngu$>R/;_5Ba/S\d&aD0VݺD\+ҟէ3O.'L3τ- fVkŋRG%jz^DaH:egw|ǖ3hywp5t x"h'Po_<H :#=ҪK6ȪphD\Z/ĵecP7Cs,@r]q#ͼrv%]^AÈ e}fH8pȺc0Nٚ[0/:YY9[?فLXrMp٩)ꐜo,d1?]4@_7ro|5$.^9G/HƜ!U<|` FvG CKIG=q߸|&{uQ @ .3bw35&||n8"ɥRDᓊV@$ٓ5MVK!fV5D?烉!KIj!]YQmfW񱂬*㯤;_s U䷠5?bKgnjD݃ b^%aXTMļ0}$(nB;1xd G[>5 mp%G &r OSa $O⌍\ Cu E-&8y3`]πp?D^6pLU_WR(RHJ Ba)(j?2% 9Cl;Ɍ""Y>/RjNj1X~X!Vb' Ǿ*j"Berh!OD^pr+f))5NGh9Ydgr<)7!|J@5Z|\$}S"z-d !$wۮ"PKoZB*o<¾g}Z@R(O5UtI؍ 4EOi*T,)3W]G8<>:'D>Y _ڇˣօ7$BڈH.  hۤg n9l r獍Ղ38e@5tt>B:Rq$n)Lm;2"ִZ*8&;theTZG$tFt ==\~2сkcIxFH| $7G 葑]Q*\t& ˿[ UߍmV- 7]]X2g`mؽg5^iELqOFlC#?LƑKE|ካrm-? ki& LX(Ivxz3OMclXӂ`%)|,K'b=˩VOB#!߂wnͲ  CCEI Nq5:Q#8|5]}HFAyGNMjB׀Dv^N;ҿY K$@\(+PVy"~f7Bm+fEorY_zɺ+~/Es ~Gì%ެ^$JF6XjQu6tMhʣs[}]cEmC0gYI-^%ߘӚ<~%߻`6` xdY@|u Iu?–׭7`$hE̊#Kw_CՁj99Pk ˈbŧFW⧂֎E"-(݉8?`7JyB]yB23m$\&~Kݡ/kS&RR̊1bSf!}mbV$ ",}gnpH&>0'U-x( t&(vŔɴ($5+(!INMK@ɘem$uIRwQ+qQq56SF(2t~ii% 81+yk x-[OVxPwP'wJpf$˭9Mu>D(ݢTɕwdJ`!qGB$A`X(အ/cԪ !.EE]@EzU!jIZ/ni*_ z^)Pԋcq*Õl-{jV9w\8.` vzϺԿǰ#:Wd'wJ!=GNb[˳N•.ȧFw#05e25"a іЎPV~>S/fWRnu<5\R1wHh ` Ś}pK90VgU 4cg0~6 }836B!9D >fZgvC:15BXmo%¨Q!Qy+&I *ܗ* f-!ߩZCĝ4Pk viu|<9j$/ʩ>{~*6ٶ(ULUE9WDI~?mQv.t8N\RWqMp+A2a /ekppD,ڂg;F\+^FhӚc2՘SwMUYR"7a 's~D#Ӛ"+iV'SE9ۦ#V@o5w5`pv:P3F1B- O<ЯT3V̆ aQu!9!Tu/C~H_3KO`/4܍AJK >멳SF] RlXv0ZG䶣reg5!;M`F*)*Nӡ@SY6ߖgQUsHE tU(yXdHҊuA PzV nNvo.j=k&o5G3Y44o})HNMB5T ҽ];-.u9g Ny|'_Rzy`/Jg=@WSPVO1(`-!?X5tk(DŽeIzO%̯CQRG" ]N? &}r$&FX:4|ElmzuNUySȎ$R |kA+4pilK>!T~$ l'qxK0kީ i%;f)^d/ 4y5\v;21\rZ7VϜHNM' ]um'=]"aAsǩ>ٸQjy1bΗuhN^|nIXjB{OTı8&H-*(^GYGdp_DfG,ފ UlXF/?` y45檠ؔo(*~uH>wj]B14.kBzrqw:`= (Yx&ͷs ˜sZtYˢ"ۋDMc] B&U)-4pjj1K*JBDC:SS:wyf.Ls;?u(43N>?$deTk:@bszmAߣQ:@~bF@L2{>ƌ @*=f7^Lv.U' SCYVbQÈXw&*&[;AqvggT綤6LZMi ld;}lJB< pvbI|sʯO3#Hsgd6ef8RUQWQZzDKDm;|0TTlS`fQ;דvV4~YMcz_Lqe|M ~<9M*ĩФĺ .u_Th\i[{1>yxay:g5]YgR[Ur?I _'@ꕆf^˾R+O3{~zБ"1oߎ)gbUK]6}m fNdҥ01f"f12YNө 2)w>|C"x: _#=@͌΄?~YpE6 Wԗd@~O9'8Jeeh|&t6"9ǂNM%)ƻ+Fz>CL>{5tzupJ==H/TY.K+(XǦ -} a-Q:],:x|>$].XJv+-O}ZT[kԅ#n3A: }k6%~\4m/ k"( .ӣ Fz>z,4huH7Z bٓ~б'0%bw @$. ffVM0.[;zL#qpFj{[lAh$aॼ|k!MdrP&t@ݖZ'Vj7/ Р>w5 `ʼ $355w 17Hog._L60Am9+y>R1_DYE@%lӝ#U{gv\Mڽ|WP9A_2>CzPXι+e)?Jp@:ڞ`:'!mEM{lҙ1LhFJ+Y17BΠ d١BH"; IIoؔB1Y3hnh"02!~SzjNĀ}WL pN_AD 瓚WHzgA.|*tdRɗ<'2EuvY {;:F9UbяbM-"1G7 y̝`YCbZ& Yr?)<8@ Ĉ|4b?i \Fi}x1!\q2ޕ5(V*r6WϮ62suERlJP4:Pej3{ ZpD-<ۉ EI((}j m86WO6+KnBqhPwcNweTf";~l->L5<Uע[lo&0ǒ@!7-4W,[w[8Ȁ/ 1\<[[-/{ɾL*dSjن[h V'Kܞ@oDAt; [B¼e<<:`%?( E~a^7wp0D,fHh9ԉY:$ol\3^qCMmEbR![eƧѾ4;c }_ ,ap@rId]I } 3lQ NP%u4OV%Y-"w)PxTX8;ZgwPXt܍l*Snh~8TVMG_|+ 0Ij̓sJ~~jڿrH>'_V_1R\߭u"G,4^_[!)Hd wŹZd Υ@+b/ȊWs?sϓCGQ: h}cRO*J([z_2vN5G,5(Vҧ`S"!ʩ<}t lޟpaiJęiɻ@SiLl\mcɐf-rnP(7oY¥ȹ2y#%8> !Nߣ# :{xlt4z*+h~bCK/TnP?뚽b7ƬiܪۖEU P@O)K Hj`GuT?T%khY9q'm?o?& QQX;g. 2_*$K>HnّZBY ߈V=ᠯ~2_i|PߓXNf2i~m)GO&,i p BNOgMc;lvϋ\idK@|X٦ v/EnZŚ%@kaL!Jl2_zr9 %2 y 1|RO(WlkǺ13ڈ.AHLgGoUx b~ngk'BP ǭI #:M[o or^iيh?pJdaxT#dY~PУ}Ik}P "\\Y-8NW}48E;")XT 9mɓ&< b 1&A㶸ZĊyVU8!>)r_6}ž'ͷsil$q2j0Í+D 0c5V&C\Dh)25#]ȡN+Wc0&5 %&c̶ȎF獜H5wyOy9ɶ%~LNG09aMnT^SD}'e r0P'JBew2)zhW`7}MC8X>K|=훵iMD`4Q / 4N+ͯiЈ7Myg IZ:qBw?>E L9쁗7h*9*ӈx$?4{iq9 dn=<ح~ \aZܞ*+>EŘ&`y d5qWPJ9`#tLl;tDb ZO4ILy~?j՚JhV5s5u^ʎZWJnAIv4b7{eqrCG3?X(W̿H9J:`2JL;3u*3&IucK!+3[d8D2%m_ @W$;@Y1H)>'mЭKXK^LTꖽP O #9y( `q k !3kFs<ܿغSU9 ȩݽwozN{+laZ;|v~NA l *=E<0~_l,ԹP@\G Љs Yҵ\1x`[Q- 0fTA`5•byگȼ٭Ï-h=[sLt(>.sKح_m^|F'dO5D?=~M ?VW]~J~\ Q35>*3N?(+m evT;$<NZl+ 8se1էJpp :]1 5I.ӆ>wR'V`Vt=i 94#jk *""xvClwIGoqE4iGSrͲƿBD&%?gnW7hfH5wz+lhm)x$I+v|qAܾIB ,m^ ІڅTĒFr]&Ӹ8~zcx]\#;&ovu~VSdN«BZh=ftC8ˬj a: L<]wHugCd` -Shvv]/Rش%O4c]ciws/zIV3ϊ >[S5rɠ@mڒCY̏ZG-Xl}r}z)ވ.ڦJyI%P۷1 Сǐ yیjQEHs5z4mXAe2/&9YQ{t(  ~BIaNDtC }3(:sOܹ"-CR`ҰUݜHj9zrDnQW[a 3 $ Z۠Oѻ~ΰޙ̢FujnN+Ñä?cptT8+ܵo"G 4}8xy=ax1,رI2ܒPu,3494QBQ0㍠Jчs/7LP]ɹ~>sɕߝ!r,O뽌2Z+\?-0ϙ(TWkQǻC Kv\H|i?&z,%<3^A}"yTJ5D]wrJ'rW_5W68/v .»OTuTkC4r,\["4hhW&j!wU=5~\R;U `7D+is *wиQ >AQH<c'\N+BgphNlA%="GZΩBƋ.Lσ8^}Id.ď!IȆ=<1zA"5C-఍ɂl[L8G,ljTA&M$9 `r x-l $*̅ƹ"|F7"Z!l]Ĵ<7_sl(mn6AvLH)La,hw'J8A| 4%n)u5؄4[LuW,?#C>Ή:  ,A}) ]Zc#pqK޷u@#H+jɞZU*47Vٟ-$v+6&]K8`CC;%g8ȄJZ**zVםRC;?X(vV3( wtPFN>{-P>D',+nzWM\O\[b@ģ[^6~UfK^.`jt؋Sdi -C<z Ib'lb& !!馏vm z3ZҨ6BbIAYF{&yO_{'!~~gD|?n? I:mM$T^R܆Džlʀ[Lcb+zI&XL~zIx y>:pNŖЧ|%6'YS\ ViH:M($EcgbLuO)M:QoPD} @S;EHޙ MaZmfg#t@֥j=\,#RYe-cY@qkb۔9s?-mp";DY%MvU# }K6~H6Wl{-|(bD4dFii;qȢUPjuBƩ!yeW,*N3[soO><蜛@PFq^o4``RdHptQ"hWmަ"FFe뙮 5Oh;_a"1 AQX@u!璽.'d~1B.kk,Rߨof:Amh8]dׅOZM_a7&\uk,{I\Y=gWZpLa:mQt"|f7J= '&?AA+MBǷPi8.e*ЯB= ~VYek] cTQ`1+:}~ꔫ5sulwE?xPĦd] :B &?zכ8 o`"4Kg7 B&E7 _r 6<7DO0ĩ1qCe>hh\2|(wsb|r;2:֤ItZ=7VMWl>U(Q2K|F4|ZXNg\/ӡlۦb8%˔6B"ʍ 7AWjA"޺HP'm4Xbyq$RUh_6/j4Yg=&9yݺb[,LlwD~I14RRO8rST@3l?b&ePw}$,QYN0,5RmO+J[A|8ytdZD]8WEd6&庂DcO]|8>1yY{  I6{%[f|׽JG64Gig(.Ժ(WԩRqz;OU3+*9sHwD&)t]=x8˟b*uJfB.ݠP #ovkKAN3/;7_p\ v%\Y)ޢȵo*ЉpjQ@\ ֶshG[E_cÒd65A$%+/w6Sk!FNځn@WG!ہW"6EF,?O. uS8lY'1MB/O u f/UQ? NAyTgf_ v=U&9Fʊ k5_=BjK@P6sENdz V'&o]Lahor P"'2563&vXyKY{ed}tо(jHͰ*]z~V;?ɛ$ 'G" mȼg2s6`1K'S_7kB06@}WF?::`k.!D$]ێG)ko;ۦh x9mAZ!^L zxC3_4v*Vo #?|SLʾi|?h|t$52;8PZd2=]Խ' y3j^0YGWv "qר@稤۷ \AKbDY=~mt nzO+tWo "B٥O:CL!bn=0Ea c.dI.JL&H%$c2 'jР6:)vTfǧHT[F]`NW5%bp8 QM H)_NN? (sM,Ⱥg)z=ըB('\r$^BNl/i/`E+ݹ.5+UgC[c ~vȊ/]B$WGXIX3D=T(ii/,Kn?pN)1O &^dxZ}n6YS#THȀ[/N!8DnאDõ;f'OOfa>t  I>\$hI-\Lr;Q:p e&p*R9,@X{z&v8x<M7Z4`(ՅQ F/54uQKr`8Z$G%^ļTT0eZuL{7k˳^A:zEݍG7k/utz.2倊e]CZV8$BR^`PV]t\䤃jH}rNfʚ5ޛE{5ɔiBl7v^ISO;*C{aXjf5jx<EtxCY=nf_WFЅ I7o|w>&XVOeĔ` #\x*`*Q.{X* kPm" <|:5m]^agi!38r'Fq:CSΠМxET ?1UF8Yc,:pV`A3*E3y㻦nc)b8p0u39}NZ[gm/qlngi>>EnЉH9KW'1^'Иs"MW>i Lp=(BW=}=/yFϵ`yl#UԡсThyU㙘xu{aiаL8 ݝ[.OIv~+RYTvN?k( uJ GK;rV7Gwz/C B6ғmPX]7LWmv`Ɲ dĩ@ /MerhcFrWY\a^}O_plBɺX .h{n?C#%/HxÓ.,0v~X'x ν5@V8*R+_8G+ PQ;ͬ̀!$v~+% N O~Tu3_Tʩ.֞L#e A4 6݌)ѵw)vU3Gz6]<:)7LTrHo`AaѪr8Тͷ|:)J$MKG=t+3>Xo=YJVO4?N+2{ ÝT6(7/ >7q:+@hXh0wzsZ:̩S{nK^wo$4.Ցgݵ i_$L^TŠ|)bmW"Y]2}K,R Z[9 ~fgo 6(ԭ8evLn$9S;pUlh\vvk=xS#Y="{lTh1o,c!Z'ƴՎ4Nl۠ XF\xά{Ǭ̷csDFDµjjAGWgG#,Sgz>ʻϔ S!{G&_UjnQHȜ&rlEe\qBN I9RG%Hqn7qg+r>)rap``S*79`7㴋V$Ks/;wklB`$*_;z*c'Â+ϧ PA^4Fx =]B'Lw=ur8ؑî{o!$iw4Lj B]7b zoE^HhA㘞M|fO\?8Dmƫք>(kQk4IÚb#OAw7O.EwAhȕK_ Q2(&?\e۹;U eԤwx mOZ)'Ɓ6疵#.90ai)?՛|&[~pUVyBAչ/57ssa VW_h7ngeg#99]ȷ.]քy%H`Sq/ "`E+$c6ʵ:1f yXsUVJ:Jbh@7{3b`Q!Zwm/_$W+!)yT3U]PͯKxaJLa׌GA 밇(j A:%h}*V+ʭkG{Ek8z.E 8<ˬQuvQb% F s3cGAC zc!0^N2pŔ]՛;3ey/#? :vwE_ﶖ:=SSxk̓+Ka"0 t*oPT/9zͤl0R#EPҮ"uZfxE&*u{!91YsO豃^W6V~x(zygRM'.m #}!kwinnm:v1ZWى@lMQJ ١/v5;u!y{əboJB"+ Q˪!#t'o7>(T4* SЛ 3"鳀s>HgqC8[Ox`9)\"N3'Dď'sKyآ@ğXBOv`Q:&C`xT#[" Vz՞+^YMOB\V;h/%e-K_\zosȘ?RI5Jwcz7 Ϡ\:vۋhAnrjaM&CUxԇ`w>+m`ד{#qEH*s)^E_NxW9ojZ*~ҔXr>v~6 2Gb %77O=׸?p6k5'8F=wxG+`0ͲՇ;S"_wA*F?g j#L}rԀ_ϥD:u-9YtV-|)J>S*Ux:?>(x݆{ QH1V 2R Jٖ,'IϖG9_LZB#Q\JR 1>> !2ig5-ƑאLǘ2$NgQg5mCz8D1鸤Q'ȎVOI;YrͥS =q,ȓ9B\@. tY%Rb '&ֶp`"4"^d$^4eږ]H&_m^8'S ~Mjْ!}-RJJ5&CWSpnU]%gx,d@Sun}5L6JYFF4bb}x(r )K7PhQ e2 ~ yЪ59su n3뽎 KUl1vW WTa/9;HW}Oy\tQyAM{ =|#H*@#ǚ(;/$Z}{̅7ϧ #i{Hi04bWv.m_/]#d& ~RId6{G!=jdRW'(`çM =D:''5A&zk::H2#hr:ˤ2[2z}1)tR&ՌpÌxlMNS +'aJqBD]4^Tٓ O;+FӜ TBm״ N/:\Zy1B ok=Yfj{e=w Tq}ySTJ 5*taTAg?Sx>ȵLPZ>gE2Ҍߊa20+qN>yev=_+ + 3QTB5ha :Qa[7Ls>H=nNrԂcl)Z x#%=>݌{!"R8JS!|l icXuԭ_)>{}ëjVDEdsgTY]7 > 'f8!|$B.15茡BoDk:={ -c{Z8g: Ks=/jz!衃"%nOrXr. KGO6CFrO>@2/6D?uLsGq鑓ӓ^E~gztSajuN nh[r@P9_tpmMtm `}&s+5V}?gND7sh[:c.w l9mi}W ͋_:칅V5cz['؎ ٙ|=G~92 &cCŔ&7וm :Fb$%lړ;H>s,%{'HN]tٜ> :w+rqe΁^ӝw8MYå>"dp O!zL%۴~`#{P֕տW͇^Ðq1+F3j ZX@p4 Q ^ 2N@+G%ÿiTOU5No$BXֽ6qˇ,n M{@-_GfJ(51)G01Ho/$O\""\6w35b"IZDed#%gkLCfip$.IϰEUJ XS1X+gu-߰N:tZ$!wC@%%A$UÓZ,d53S`I&m VxGkn)o@"G% 筸:;nT8@p#qc$&Aa(WLV#njG@Ezuu( .7b"\-lWBzb|"jɻrwTd΁#vNa(?YG89iTд{]l{DAˇ)8jd0%|sesi@T.΢'"!QKLA4Ix6'_ke7B_ڙ +#0g/qa6NxܛLr n13q/DP*UR*2[ʋ-ORs_\x'ˈ$TQ^h.KkMW8`GEь@II?ϒ1%C]z!y9|:L 61f:Nl!)~T!B#u47 |rHFtfnC?,CVwaB1Og>5%98h!FRZvwh{WR,5R"m3f˷y۟-Ɍ:|+O`OE\{g99GGH^NlRv᧲T_E-Y(1mE ]41$;M?ĞlCvJ `s~yÀXEn bIZ=G1:aZn$hXن,Y[w&-C 9aL96'D/E^}FRm,#@|Z$w"bF`HDGW' ^xm!SAf؎S󇘎Ŕ/EkϚ0Ҭ_?0*Ș/$=8ֈ@jغ2P&6;$'z0]Z~UƎ$Ω5ΐ!rϓ5&З>s+ȼ> XXn4g׎a65@ޯE[&IjI{k64~th d%\ (co#b5OfMؿUK~ oƾB\e ~ jûBbDp[hݟ6phPת^"(ct 3v3w EgE@ߒש3gaHe5Lݤ0w ]S-SX!#fZ9T!UU8GdKLA3׾P'$wZVq>߿FA3*LAD" +P oQ%rsݲfӮB`^:9 B͑'~~4\3 erVs?!ZȹPӯD)L&t)`{݃Gwb\pjI*{ҧOr8|,C1nV־fl*Cؕ~w+c(haܾyZ:W+U \0 B>$ah!KGSn@p5: clg*=Y.vlLV >N#Q5┉#=5s&X⿩bk1'*>'QCf/5%oF|| 6P-z4_o9t"uSy_MIC 김pXFy~|9Qqj>ݙpyXK#yDN9!|[yq]3&XLݶK tO~APg%_|`/.LRؤC^fk;!X]"ueBscl[B9e^A_2x˃82 p_p>~OK^=<֝X* 打V!i@treN l!I9ӎi=GXi/ 7^s:}[r`Ɛܵ_}#_p~@耦>/UCNFHiCf[Q:FarRmb~(uGzixd 6ڲݮ]Z_ԗER(,DeC:b5q(wQWcRX(I!UԩtOh%K֒LJSo "8X-f0du!h6R-д\ߥgLq}ɭ1ve-C#qjr Sn%T%'Q yeMs'mC/Qy=](yc HRIbNf#^ǼiHzGčC|S˲$@4955VWka L&Tur R-1|6#U)|nV%RRdf춛L(&WVEv-j:Jv CRA}1b-"jht0H3UѺAAÿb[^Q%$2{jӢ*{ƶ⮄%{alSv2 zﵲµěh}ՏORnP, ("'׈(8qt6-Se]*?Y{xNgB,)!VWВl|}dB[dB>Zt}Y;xw洁Qh0YBeFquMFۻ q/eݛEi|#83\dB8 JG;T2<[CGZ=^{{|-k20ɿ:ddOȜȞ֙@cCY1Q$hAseQv9M9ԅnb4|' n1e|f15?p[Ҋ|fCMtբǪuncl>a. ?)2KY*0O/DX˚"42rl y͂qf;rՙ V-N3Ý3d2xŏfvt)djg+EFB`,z`eA],TqcX>5T:23VJ-oA\ijEQÿBBH-+6[$+@zԭZշLɘ jؙ0 3ohPt P 3L>olvZ7htm pc5ic %^1 ̼udm1\gU>ޝϑ !uD!nV"d Ze8Qj]E|;u:Lw5H7v.0XCxTJϑKߕt, keY uP+x@E3eƠ]׹:*4຿Uyz~t O,Mi̳W|7͠-P+R{=]Ä_0N86<'3ʸ 7}ζ"wSB t'r! _pi]+v_$)3fsDLpꏹXpʃKMv (6j t g#J\s4#-;LؽJ8H_ 'GzE$cw):_zيDV\7ktfi 7tTѹ.[%[Kz,b!0߼4WPI]/F&ؒ'QᦗgJO9+6?"ӸO:g &㚬G] ~v湈/ulXIu?*9 Î]4  eLWB֍!WÖ){Ow1U]fjSqbhdݹ?R?bw7n>RX,v~ZdV6{`޹Z=ύk3 aڽ̽k)RwO]=`t7=' `!:$nY!} U"{TL3$X q^ Jftn00e]7^Gm @|<]x}tQ-dq5EbyQ]xѣV*J煚p4[HF2i*f% ҡ0zK`NM63@:uS4@cb&pj㶍8" skm|w_a9*H 7zwX} 0-Ag*){J̼9}~k Pjmd&{/`o{N+Vdb&/g,G+ 5c΅.j,FdH7 ԻOm qvTRʰTay,\#^r_^a)zIٝ&Op,Tf4,a(ΜNO|H$ wޮ~jY;@)G`W~T;VVF0D i۪5ep ROA1phG5YA+ŤH?J'CqǩESA7L:V14JJy16"M7PqN/nK!4Ec^64?oV+Fl0P:w sFoItY.ƌB#:RڷVI9BaF%?g(nB0#hW5"k8[-nbхe!w܇.A5w ma,s$۱0_r@D7` r]bc&=VAbn;=\Rع)ۓ;Fއ&& p{Xh\q"-{+i9XA qS${ GI/%7<7㩠OMPee<@99J eґ >sx_\]nt4('h[^IJX풣Cfs#IC7pCDj3lڑW~d ^ O oHi ݞ:R'ev*B,9FS4$m&L#]OlƗMac26MP\ś{u*mmP2>o`9&|h&h`Uh(Ze+)qk\`۟po,Nb_ Z 7c]_6;Sa>!QW>+CuyCl+u? TJSOiI=`WM=R w#cWT-;9ϽvgyY=vC\aFMG(qM޺j6#a@6}NSB.+,,E%.B9#AQ| fmkLʕ/H w%€MOpKwNN=>D *_mٙP8@Vn.z +^ nA :[VCX,vK4,iu g(%GKQsYpXd0tL?mj0ƪGx}Em]x)qC͹#XaJd^H):R:77cDu\ ĻNC OI RKCB }` 8ҥ<1$,(Oi25!ËXt6P,.fqŬLni0鷰`UIOU[Xj4}{f4xˋmPVUdST@i.r Pq X‘-jU{;}ꨌL~ڗa:4X;ؽhIb|p1]J~F 6X IUc&?SWŜ|Nf㧦[;oO{%Г&=V#X=*+15$:Qipw7V)Ɗ^d*QŤD 3JhTwx@/J1dn?(XzJKsގɔLN:;5]-FR6vd/E8>uXms״ugCwCoZ8 F:paIg?zm›fxM$}ҹ@Aujx]إW dcC),X$L::/uUI%_LFhvkzJ 9aPpY<9Rܢe!MYMfbFz5mc탘ݔ}՜|y2AwIKoҊ6gFu 8+>='(FsPmW35vҴYFzt徼Mx;.r]YTyL?q9x*Ž@wJE8PW0_wKo0ցT֥PmSMIU*al:Ƭ/\f&5p'2h0PHHWW$2OhB] 0!~E,% G i|NaS֩a]8A9J]no^ 2aHG (>*.{eldw: X ejgĨpxRyu6[>YJЖoߡ.0!\h #cS % 6O̘;sm*m@g/Woqt%`F51`#w`.NJ&&Kx@Ȗ##& 0S汌|z?݋o !Ay$&<\5p;pIzyH!-)ue-$sNvzZ% *Pm$KzGL> mhh$niYWHAj-3WhXmgSb~gJfo%oӵ- |[u"gJ˖)cK L'? 14 Rt 3V'zfy+v+gr#@}*7$:: 5F5KeU԰?:_M=VHexyekdfƶ?e.@\rpD$֣:(vwD=g>lu_}(V $59&*} NǍI2yF`h!kP3ѮUB y<-nYě`BKYz~XBWiqڌ4##݇U]3n#]4Z)+,<-$ɉg:Z VY$EX} {2wۜ"sB -e&لyڒ4R}Ꚛj[-yoЖ}Onqyh5)PPm8>NDYKz~m_