freeradius-server-utils-3.0.21-lp152.1.3 >  A ^G/=„m.`fJ2%iG$jjPy+IC\ؾ6~Rz DC:_Q|TRNdBDI]Cy|Ht.k "[!gxdգM:qư[Ҋ@k0$nTwZ a+cyy:z* Ԅx%_Vi֛e`J'|䋸+fu'׺'# BZx;Ldd74101cfed41ac3799b87db268ce32cc60e5b26cc409214fbdec432d0fcf602ab8686910629dd060164370ebe9352a6ed7fbdbcP^G/=„(4rǩ%>~@j0^k֚Nv9 0OK+;_#GOiI"Pfi`D;TP??U04TyXX(" <"CX"s(W,&ē2r .LS2u=FDZ{1t,udlAer[2OJ3kS4caΩ k k]%)L[=UUWOPX$9#uθW},>p>?d! + >dhpt  x   8 P h @   D | (@8H$9$:$FGHLIXY\]P^jbc2defluv w4xyhzCfreeradius-server-utils3.0.21lp152.1.3FreeRADIUS ClientsCollection of FreeRADIUS utilities.^Glamb69openSUSE Leap 15.2openSUSEGPL-2.0-only AND LGPL-2.1-onlyhttps://bugs.opensuse.orgProductivity/Networking/Radius/Clientshttp://www.freeradius.org/linuxx86_64x \~/qX$ J(IX8 O6*w큤^G^G^GM^G^G^GN^G^GN^G^GN^GN^G^GN^G^G^GH^GH^GH^GH^GH^GH^GH^GH^GH07663de65c3e40da89859f57d5723d7b9b5b20292fd6117044bf8a2e31f810669a2241d095c087f842c2889a3bab81b0d039aedbb1730be59f3f71b0d5ab02c3ef8ec2f344d438d0fa7f1918130c8459fa4a9cbd45b105519437e451e4aa1242e86b69a47deb8c8b28563a986c0953955b707939dd1fa5d99182a056d532b6156bdce837938932fd461b1cbcda41a1dddca28209aa8901f93a4f4a0a486a6a3bb697cf1626be74fb2144b692de899dc5d9b1643e98fe12c33bf2f9aaa78a4aed1447d340b5b592762fa6906bab65cdcc4005c1c284978daab33c98ad89dbf79fa9bf299c72d458ef397164d802379e00f132b00d8ca2de7ce54c19a7fd379b66d5ec82a9a20ae90622aed0047340872a05f4b845226a8187159b38d578ef7e82ac75b5c19d977fe528dc805d1f136ba06dd96c43732dbf95aefa2b45a0bdc17be5431156ad54e262fc3f082773d20c81f02a4cede8ef978b46a7de3552dad161d8c851016b4b54a9fa858477644c6ca6496db629ffd95d04a737719f6cf95920590bf323cbf624d85728e22a9fdee9064246bf3e2b0bdc44a6b02f524b1186bd12e5de8791ce68a61b908be8831bf86f9bab9899cbd643de937fd5a95d859089bb23f43f81180b56ff754dd70c30bf34c540d9526c9e53c6cbad86d0b5f4ef522ef1e2f35bf523934869919af2b2177c9ee9e9c0ab6ad52af5b57614b12c2d08bc0e0beb9bee88c9ae9e70ab53b4a5b3de2966aef097e016549c494e4d961771435c618ffe1369697e5f228e99401687c6e2276f9ea75d7ab76232060ef0b549eaad978fa290c5fdce3b0dbb5763b122358d6f2c1056ec755663a4015c8a4d00f0114e9efa73dbea5a5d35fb6b9e20f1942dcece8c48adabb1c4649de10440217dbe6b5b6389623779e0eb9b098e59c0525cc1cd59dd1109cada0e1fc87c00bebcbd784ee828b1cdc019207e918c356a8b51f58ad9a44c364b43c6fe8e4e40d9d7dce30598dc43bf317f3d4d6f29d947c5427c63a93797c274d2b685fc8661f939f4849d961e2bcaa4094c331fa34c28ae5869cd58bbde8e3f59d364d9f342f1rootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootfreeradius-server-3.0.21-lp152.1.3.src.rpmfreeradius-server-utilsfreeradius-server-utils(x86-64)@@@@@@@@@@@@@@@@@@@@@@@@    /bin/sh/usr/bin/perlfreeradius-server-libslibc.so.6()(64bit)libc.so.6(GLIBC_2.14)(64bit)libc.so.6(GLIBC_2.15)(64bit)libc.so.6(GLIBC_2.2.5)(64bit)libc.so.6(GLIBC_2.3)(64bit)libc.so.6(GLIBC_2.3.4)(64bit)libc.so.6(GLIBC_2.4)(64bit)libcrypto.so.1.1()(64bit)libcrypto.so.1.1(OPENSSL_1_1_0)(64bit)libfreeradius-dhcp.so()(64bit)libfreeradius-eap.so()(64bit)libfreeradius-radius.so()(64bit)libfreeradius-server.so()(64bit)libgdbm.so.4()(64bit)libpcap.so.1()(64bit)libpthread.so.0()(64bit)libpthread.so.0(GLIBC_2.2.5)(64bit)libssl.so.1.1()(64bit)libssl.so.1.1(OPENSSL_1_1_0)(64bit)libssl.so.1.1(OPENSSL_1_1_1)(64bit)libtalloc.so.2()(64bit)libtalloc.so.2(TALLOC_2.0.2)(64bit)rpmlib(CompressedFileNames)rpmlib(FileDigests)rpmlib(PayloadFilesHavePrefix)rpmlib(PayloadIsXz)3.0.213.0.4-14.6.0-14.0-15.2-14.14.1^y@^p^h^@\\v{\u*@[<[2*ZZWQYY@YlY, @XO@X@X*Xh@X.@W@WiV@V.Vf@UĝU@U@UU8U7@TZ@TTT~@T|X@Adam Majer Adam Majer Adam Majer Johannes Engel Michael Ströder adam.majer@suse.deMichael Ströder adam.majer@suse.demichael@stroeder.commichael@stroeder.commichael@stroeder.comadam.majer@suse.devarkoly@suse.commichael@stroeder.comadam.majer@suse.demichael@stroeder.comkukuk@suse.deadam.majer@suse.dejengelh@inai.deadam.majer@suse.demichael@stroeder.comadam.majer@suse.demichael@stroeder.comjkeil@suse.demichael@stroeder.comjkeil@suse.dejkeil@suse.dejkeil@suse.demichael@stroeder.comvcizek@suse.commichael@stroeder.comtchvatal@suse.comvcizek@suse.comdimstar@opensuse.orgvcizek@suse.commeissner@suse.com- update to 3.0.21 (jsc#SLE-11896) Feature Improvements * New stored procedure for allocating IPs with PostgreSQL Rates of 1500 IPs per second are now possible See raddb/mods-config/sql/ippool/postgresql/procedure.sql * Add SQL IP pool support for Microsoft SQL Server See raddb/mods-config/sql/ippool/mssql/ * Added RCNTEC dictionary. Closes #3168. * Added Pica8 dictionary. Closes #3179. * Add TLS-Client-Cert-Valid-Since attribute holding not Before date Patch from Boris Lytochkin. Fixes #3157. * Generate attributes containing unknown OIDs See raddb/sites-available/tls * Update the WiMAX dictionary. * Added ability to rlm_python(Python2) show a stacktrace from errors. #2979. * Add WiFi Alliance Policy OIDs. See raddb/certs/xpextensions * radmin now shows coa stats, too. * Sample schema extensions for summarizing data in SQL See mods-config/sql/main/*/process-radacct.sql * Update dictionary.aerohive, dictionary.fortinet, dictionary.arista and dictionary.erx. * Added VAS Experts dictionary. * Many updates to RPM and jenkins builds from Matthew Newton. * Added %C (time now in seconds) and %c (microsecond component of now) back-ported from the "master" branch. * Add reload capability to systemd unit file in Debian and RedHat. * Increase timestamp precision in postauth to maximum supported by each database and simplify (and make more consistent between drivers) the timestamps in SQL queries by using expansions. * Option to set dictionary path in raduat script. Bug Fixes * Various fixes found by PVS-Studio. * Set permissions of certificates in bootstrap shell script Fixes #3132. * Increase the 'nasportid' SQL field for 'varchar(32)'. #3141. * Skip processing proxy reply if there are no home servers available. * Update SQLite IPPool queries. Fixes #3177 * rlm_sql_unixodbc fixes. Fixes #2822. * Fixes when building with LibreSSL. * Fix the rlm_python3 build. Note that this module is experimental. #3183. * The rlm_python should append the 'python_path' paths in 'sys.path'. It fixes the expected behavior to use the existing Python modules Fixes #3180. * Fix rlm_python to print the script errors properly. * Bound total query time for PostgreSQL. Fixes #3253. * Many fixes to Oracle sqlippool. It now does 500 IPs per second without any tuning. Fixes #3270. * Reference sqlippool by it's correct name. Fixes #3272. * Revert 3.0.20 patch which caused crashes on duplicate clients. * Update WiMAX-MSK attribute. Fixes #3280. * Fix crash when trying to access non-existant regex capture group. * Use timestamps (request or server) rather than SQL NOW() in accounting queries so that these are stable when replayed from a file buffer. - freeradius-python3_patches.patch: upstreamed- update to 3.0.20 (bsc#1146848) Feature Improvements * Added Force10 dictionary. * Update dictionary.hp with new attributes. #2690. * Update dictionary.aruba with new attributes. #2696. * Fix side-channel leak in EAP-PWD (bsc#1144524, CVE-2019-13456) * Relax OpenSSL version checks, now that their API is both public, and stable. * Note that tls_min_version/tls_max_version also support "1.3" Since there is no standard yet for EAP with TLS 1.3, it will not work. * Added tripplite dictionary from #2760. * Switch to the async interface for rlm_sql_postgresql so that we can enforce query_timeout. * Added new LDAP option 'allow_dangling_group_ref'. * Updated documentation and functionality for EAP session caching See "cache" section of mods-available/eap. * Tighten systemd unit file security. Fixes #2637. * Disable TLS 1.0 and TLS 1.1 support in the default configuration We STRONGLY recommend doing this for all installations. * Add expansions for *outgoing* Radsec connections "%{proxy_listen:TLS-...}" for TLS-Client-Cert-* and TLS-Cert-* attributes. Fixes #2839. * Add %{listen:tls} which returns "yes" or "no" for TLS or non-TLS connections. * Update dictionary.lancom with new attributes. #2847. * Added rlm_sql_mongo. See raddb/mods-available/sql. Note that this module is experimental. * Added more documentation in sites-available/robust-proxy-accounting. * sqlippool now re-allocates unexpired leases, to prevent IP pool exhaustion when clients perform multiple reauthentication attempts * Add support to radmin keep the history in ~/.radmin_history. * Add support for ENV and LD_PRELOAD in radiusd.conf. See the new ENV sub-section of radiusd.conf. * Update dictionary.aptilo. #3002. * Update dictionary.airespace. #3039. * Add sites-available/coa-relay, which makes CoA easier #3045. * Add example stored procedure for IP Pools in MySQL See mods-config/sql/ippool/mysql/procedure.sql * Update dictionary.dhcp dictionary with the recent hardware types. * Add experimental rlm_python3. This should largely work the same as rlm_python, which was Python2 only. * Add Dockerfiles for Debian10 and CentOS8. * Add RPM spec file compatibility for RHEL/CentOS 8. * Notes on certificate constraints. See raddb/certs/server.cnf. * Add NAIRealm example to raddb/certs/server.cnf, for RFC 7585. Bug Fixes * Allow listen.ipaddr to reference an IPv6-only host. Fixes #2627 * ERX-Acct-Request-Reason is "integer". Closes #2635. * Fix a slow memory leak in the file management code. * Try to fix file permissions if they get modified while the server is running * Fix slow memory leak with clients. * Fix request and connection timeouts in rlm_rest. * Fix systemd issues. * Fixes from clang analyzer. * Fix missing include for the dictionaries: alcatel.esam, altiga,alvarion.wimax.v2_2,aptis,asn, audiocodes,avaya,bristol, columbia_university,freedhcp,garderos, infoblox,motorola.illegal, starent.vsa1, telkom, wimax.wichorus. * Fix internal sanity check when running with "-Xx". * Allow "inner-tunnel" virtual servers to work better with "accept" and "reject" policies. * Fix dictionary.huawei data types for Huawei-DNS-Server-IPv6-address and Huawei-Framed-IPv6-Address. * Framed-Interface-ID in postgresql/queries.conf is string, not inet Fixes #2817. * Fix rlm_cache to complain on unknown attributes in the "update" section of its configuration. * Add configure checks for -latomic. This helps on armel, mips and mipsel. Fixes #2828. * Add support to Oracle 19 and 18. Via #2857. * Add support for decoding tags in rlm_rest. Fixes #2848. * Use correct passwords when updating CRLs in raddb/certs/. * Properly separate "originate-coa" packets when accounting packets are read from the detail file reader. * Use the correct virtual server for pre/post-proxy. * radsqlrelay fixes backported from "master" branch * Fix DoS issues due to multithreaded BN_CTX access (bsc#1166847, CVE-2019-17185) - disable python2 for SLE15 and Factory - freeradius-server-enable-python3.patch: enable Python3 module - freeradius-python3_patches.patch: backport python3 fixes from upstream - freeradius-server-opensslversion.patch: updated- Enable memcached driver on SLE15- Add missing BuildRequire on samba-core-devel required for windbind support in rlm_mschap.- update to 3.0.19 (jira#SLE-5890) Feature improvements * Update dictionary.cisco * Update sqlippool to allow for stored procedures with PostgreSQL. This increases performance substantially. Patch from Nathan Ward. Fixes #2540. * Re-added "show client config" command to radmin. * Cleaned up mods-available/sql example so that it is easier to understand. * Added pfSense dictionary. Closes #2581 * Update dictionary.h3c Closes #2592 * Update elasticsearch/logstash config for v6.7.0. * EAP-PWD security fixes from Mathy Vanhoef. See http://freeradius.org/security/ (CVE-2019-11234, CVE-2019-11235, bsc#1132549, bsc#1132664) Bug fixes * Update dynamic_client module and server core so that the functionality works. This has been broken since at least v2. * Fix crash in sqlippool due to escaping changes. Patch from Nathan Ward. Fixes #2532, #2533. * Fix systemd notify, watchdog and unit files. Fixes #2541, #2499. * Fix erroneous length check in EAP-FAST. * Update documentation to remove old "ignore_null" configuration. Fixes #2578. * Fix default POD port. Should be 3799. Fixes #2591 * Correctly encode vendor-specific "encrypted" attributes. Fixes #2600- reformat changelog mostly by wrapping lines - add missing bug numbers for security fixes- update to 3.0.18 * cleanup_delay can now be 30 seconds. This helps with proxies that have packet loss. * Do-Not-Respond policies can now be set in the "post-auth" section. * Encode / Decode ADSL Forum DHCP options. * Fix module ordering issues. e.g. when "sqlippool" needs "sql". See the "instantiate" section of radiusd.conf. * Add Big Switch dictionary. Fixes #2252. * Add sql_session_start policy (raddb/policy.d/accounting) This minimizes race conditions when using Simultaneous-Use (#2257). * For rlm_perl, all variables are now tainted by default. See raddb/mods-available/perl, and the "perl_flags" configuration item. This change should only affect people who are using variables in insecure ways. * Allow "sqlcounter" module to be listed in "post-auth". * Add support for IPv6 attributes in SQL. Fixes #2280 * The server is better at handling fail-over for outbound RadSec and TCP connections. Fixes #2284. * The server is now more aggressive about retrying failed outbound RadSec and TCP connections. Fixes #2284. * Add TLS-Session-Version and TLS-Session-Cipher-Suite to the "session_state" list. * Add expansion for Radsec connections. "%{listen:TLS-...}" for TLS-Client-Cert-* and TLS-Cert-* attributes. * Add notes on running "ldapsearch" using the parameters from the LDAP module. * "ipaddr" attributes can now be cast to "integer" type attributes in an "update" section. * Move main thread queue to using atomic queues. This should help with contention in high load scenarios. * Add "recv_buff" setting to listeners. For more details, see sites-available/default. * The sqlippool module can now use attributes other than "Pool-Name" to assign IP pools. The "Pool-Name" attribute is still the default. * The "unpack" expansion can now unpack substrings. See mods-available/unpack for documentation and examples. * The preprocess module now does "ciscvo_vsa_hack" for Eltex-AVPair Fixes #2301. Vendors SHOULD NOT USE THAT KIND OF ATTRIBUTE. * Allow for -LDAP-UserDN. See mods-available/ldap for more information. * Add sanitizing of control list for moonshot. Fixes #2318. * Update rlm_sql_mysql to be compatible with MySQL 8 Fixes https://bugs.launchpad.net/bugs/1795310. * Allow logging of only Access-Accept or Access-Reject messages See radiusd.conf, "auth_accept" and "auth_reject". * Removed Connect-Rate comparison. It was unused and broken. * Add dictionary.infinera. * Use OpenSSL HMAC functions instead of local ones. * Some SQL modules can now use "auto_escape" to escape unsafe strings See mods-config/sql/main/mysql/queries.conf. * Add wispr2date conversion in mods-available/date. * Implement dictionary-based handling in rlm_python. Fixes #2334 See mods-available/python for details. * Add support for SKIP LOCKED in sqlippool. This can improve performance by an order of magnitude or more. See raddb/mods-config/sql/ippool/*/queries.conf Fixes #2383 * Allow PSK and certificates at the same time Except for TLS 1.3 which does not support that. * Update docker scripts. Fixes #2306 Patch from Matthew Newton. * Add crypt xlat. * MySQL connections can now skip verifying the server certificate. Fixes #2481. See mods-available/sql. * Add better mechanism to detect MariaDB (Old MySQL). * Add RFC 7532 "bang path" support for realms Fixes #2492. * Update dictionary.ukerna documentation. Fixes #2493. * Add support for systemd service and watchdogs Fixes #2499. * Check for openss/rand.h, and allow building without OpenSSL engine. Patch from Eneas U de Queiroz Fixes #2517. * The default PosgtreSQL queries now use "ON CONFLICT" to better deal with issues. This requires PostgreSQL 9.5 or later. Please use a recent version of PostgreSQL, or edit the default queries to remove "ON CONFLICT". BUG FIXES * The session-state list is no longer cleaned in the inner-tunnel. This lets the outer Access-Reject section access session-state. * Fix typo in lock initialization for TLS sockets Found by Sergio NNX. * Add check for crash when home server down Fixes #2233. * Add username key for postauth table. * Better libpcap checks, when the header files or libraries are missing. Fixes #2245. * Allow building with old versions of OpenSSL Fixes #2247. * Allow non-FreeRADIUS State attributes to be used with the "session-state" list. i.e. State length != 16. * Be more aggressive about cleaning up zombie children when running in debug mode. * Use LTDL_DEEPBIND, which fixes issues with Oracle libraries exporting LDAP API functions. * unlock files when asked to unlock them. * return error instead of asserting in map code. * Don't write 0 bytes to SSL. Fixes #2270. * Remove "expiry_time IS NULL" from allocate_update query. Fixes #2262. * Various dictionary cleanups and consistency checks Fixes #2281. * rlm_python has stronger thread locking to prevent reported issues. Performance may be affected. * Don't allow Message-Authenticator to overflow past the end of a large packet. * Fix crash in sqlippool when SQL server goes away Fixes #2300. * Typos in man pages. Patch from Nikolai Kondrashov Fixes #2303. * Fix crash with CoA packets/ Fixes #2304. * Fix crash in rlm_exec with CoA. Fixes #2328. * Print errors while parsing the log config, and don't quit when deprecated log settings are found. * Fix DHCP encoder xlat so that it can be used with a list of attributes. It previously only encoded the first member of the list, and now encodes all members. * The "expr" module now skips more whitespace. * Remove internal FreeRADIUS-Response-Delay attributes from attr_filter Access-Reject. * Don't send junk to redis when maximum args reached. * Small updates to IPv6 for accounting schema Fixes #2364. * Fix OpenDirectory integration in rlm_mschap. * Fix slow memory leak with dynamic clients. * Don't artificially truncate debug output for long strings. * Fix memory leak in EAP-PWD. * Fix crash in "hints" file with Fall-Through = yes. * Fix crash / timer issues with many CoA packets. * Fix attr_filter so that it does not treat vendor attributes of number 26 as Vendor-Specific. * Fix reconnect correctly in rlm_sql_mysql. * Fix rlm_cache to properly use Cache-TTL < 0 Fixes #2485. * Fix rare occurance of bad xlat expansion. * Check for rare race condition when a proxy reply arrives too late.- install license as %license instead of documentation- also fix ownership of /var/log/radius in systemd unit- update to 3.0.17 Feature Improvements * Add CURLOPT_CAINFO. Patch from Nicolas C #2167. * "stats home server" now supports "src IPADDR", to specify home server also by source IP. Fixes #2169. * Add Dockerfiles for a selection of common systems. * Increase number of permitted file descriptors, for systems with many home servers. * Add TLS-Client-Cert-X509v3-Extended-Key-Usage-OIDs Patch from Isaac Boukris. Fixes #2205. * Update main READMEs. Patches from Matthew Newton. * Added dictionary.mimosa. Bug Fixes * Don't call post-proxy twice when proxying to a virtual server. Matthew Newton, #2161. * Use "raw" string value for shared secrets and dynamic clients It now parses strings with backslashes and "special characters" correctly. Fixes #2168. * Fix RuntimeDirectory for RedHat, from Alan Buxey. * Relax checks in 'if' parser from Isaac Bourkis. * Minor cleanups for %{debug_attr:&request} from Isaac Boukris. * Be more aggressive about cleaning up cached certificate attributes, due to deficiencies in OpenSSL. Reported by Nicolas Reich. * Be more accepting when parsing IPv6 addresses. Bug noted by Klara Mall. * Fix double free in rlm_sql. Fixes #2180. * rlm_detail now writes empty Access-Accept packets. * rlm_python can now create tagged attributes. * Don't crash on duplicate realm + authhost / accthost * Allow partial certificate chain to trusted CA. Fixes #2162. * Treat SSL_read() returning zero as error. Fixes #2164. * detail writer now checks if the file was renamed or deleted. * Add User-Name to Access-Accept if EAP-Message exists, not Stripped-User-Name. * RedHat Systemd updates. Fixes #2184. * Use correct API for State variable in rlm_securid. * Remove broken radclient option "-i". * Fix "users" file (and hints, etc). So that it does not get confused about entry ordering with multiple $INCLUDEs. * Fix rlm_sql to expand the un-escaped string, not the raw string. * Link default and inner-tunnel only if they exist. Fixes #2206. * Don't use both IP_PKTINFO and IP_SENDSRCADDR. * Always install signal handler for SIGINT (needed by Docker). * Fix intermediate CA flow for OCSP. Fixes #2160 Intermediate certs which are not self-signed will now be checked. * sqlippool now returns "fail" if it fails IP allocation. * Fix rlm_yubikey to look for correct attribute in replay attack check.- update to 3.0.16 Feature improvements * rlm_python now supports multiple lists. From #2031. * Add trust router re-keying. From #2007. * Add support for Samba / AD LDAP schema. See doc/schemas/ldap/samba/README.txt and doc/schemas/ldap/samba/ * Add "tls_min_version" and "tls_max_version" to EAP module for Debian OpenSSL issues. * Better documentation for client certificates in PEAP and TTLS: it usually doesn't work. Fixes #2068. * Distinguish login failure from AD unavailable. Fixes #2069. * Update RH spec files. Fixes #2070. * Run Post-Proxy-Type if all home servers are dead. Fixes #2072. * Print offending IP addresses when EAP sessions come from two upstream home servers, and rate-limit the messages. * Minor packaging updates. * Better documentation for rlm_rest. * EAP-FAST now has it's own "cipher_list", so that it is easier to configure. * EAP-FAST now forcibly disables TLS1.2, until such time as we implement the new keying mechanism from TLS1.2. * Add documentation for allow_expired_crl. * Update Debian logrotation. #2093 and #2101. * DHCP relay can now drop responses. #2095. * rlm_sqlippool can now assign Delegated-IPv6-Prefix. It also now can assign any IPv4 or IPv6 address. Based on patches from maximumG. #2094. See raddb/mods-available/sqlippool for changes. * radeapclient can now use EAP-SIM-Ki to dynamically create the necessary triplets. * Explain why many LDAP connections are closed. Fixes #1969. * Debian build / package issues fixed by Matthew Newton. * dictionary.patton updates from Brice Schaffner. Fixes #2137. * Added scripts to build "inner-server.pem", and updated mods-config/inner-eap and certs/README to match. * Added provisions for using an external CA. See raddb/certs/ * Include dhcpclient binary in freeradius-dhcp debian packge. Bug fixes * Bind the lifetime of program name and python path to the module FR-AD-002 (redone) * Pass correct statement length into sqlite3_prepare[_v2] FR-AD-003 (redone) * Allow 100-Continue responses with additional headers in rlm_rest. * fix corner case where detail files were not being locked correctly. * Fix (SQL-Group == "%{...}") checks, and same for LDAP-Group. Fixes #1947 * Clean up exfile code. Which should help to avoid issues with reading / writing 100's of detail files. * Fix build for winbind. Patch from Alex Clouter. * Fix checkrad for Mikrotik. Patch from Muchael Ducharme. * Fix home server stats lookup. Patch from Phil Mayers. * Add libjson-c3 as an optional dependency. * Require LTB OpenLDAP on CentOS / Redhat, to avoid linking against NSS, which breaks the server. Fixes #2040. * rlm_python fixes. Fixes #2041 * Typos in "man" pages. Fixes #2045 * Expand "next" in %{%{...}:-%{...}}. Fixes #2048 * Don't add TLS attributes twice. Fixes #2050. * Fix memory allocation in rlm_rest. Fixes #2051. * Update trustrouter for new API. Fixes #2059. * Fix SQLite issues on FreeBSD. Fixes #2060 * Don't do debug logging of bad passwords. Fixes #2064. (bsc#1099802) * More graceful handling of "die" in rlm_perl. Fixes #2073. * Fix occasional crash when using cisco_accounting_username_bug = yes * EAP-FAST fixes from Isaac Boukris. [#2078], #2076, and #2082, #2126. * DHCP fixes, relay, #2092, add run-time check, #2028 * Decode multiple RADIUS packets at a time in highly loaded RadSec connections. Patch from Jan Tomasek. #2106. * TunnelPassword is not "single value" in LDAP schema. Fixes #2061. * sql log now opens the expanded filename, not the input one. This was a regression introduced in 3.0.15. * Remove unnecessary UNIQUE constrain in Oracle schemas. * Fix SSL thread and locking issues when modules also use SSL. Fixes #2125 and #2129. * Re-add dhcpclient "raw packet" changes. Patches from Nicolas Chaigne and Matthew Newton. Fixes #2155.- Fix permissions of radiusd.service (bnc#1053654)- bsc#1055679 - freeradius-server does not provide winbind/AD auth Added libwbclient-devel as buildrequires- update to 3.0.15 with security fixes for issues found via fuzzing by Guido Vranken (bsc#1049086) https://freeradius.org/security/fuzzer-2017.html * CVE-2017-10978: FR-GV-201 (v2,v3) Read / write overflow in make_secret() * CVE-2017-10983: FR-GV-206 (v2,v3) DHCP - Read overflow when decoding option 63 * CVE-2017-10984: FR-GV-301 (v3) Write overflow in data2vp_wimax() * CVE-2017-10985: FR-GV-302 (v3) Infinite loop and memory exhaustion with 'concat' attributes * CVE-2017-10986: FR-GV-303 (v3) DHCP - Infinite read in dhcp_attr2vp() * CVE-2017-10987: FR-GV-304 (v3) DHCP - Buffer over-read in fr_dhcp_decode_suboptions() * CVE-2017-10988: FR-GV-305 (v3) Decode 'signed' attributes correctly * FR-AD-002 (v3) String lifetime issues in rlm_python * FR-AD-003 (v3) Incorrect statement length passed into sqlite3_prepare- update to 3.0.14 (still FATE#322416) Feature improvements * Enforce TLS client certificate expiration on session resumption, and Session-Timeout. See CVE-2017-9148 (bnc#1041445) * Updated dictionary.cisco.vpn3000, dictionary.patton * Added dictionary.dellemc * Lowered the log output for failed PEAP sessions. * ALlow utc in rlm_date. * The internal OpenSSL session cache has been disabled. Please see mods-available/eap * Update detail reader documentation. * Make outgoing RadSec connections non-blocking. * Add SQL backing to Moonshot-*-TargetedId generation. Bug Fixes * radtest uses Cleartext-Password for EAP, not User-Password. * Update documentation for mods-enabled/ linking. * Enhanced checks for moonshot salt. * Allow session resumption for RadSec connections. * Update "huntgroups" file to note that port ranges are not supported * Fix OpenSSL permissions issues on default key files. * Certificates are not required when PSK is used. * Allow SubjectAltName as first extension in cert. * Fixed talloc issue with TLS session resumption. * "&Attr-26 := 0x01" now produces useful error messages. * Handle connection error in rlm_ldap_cacheable_groupobj. * Fix endian issues in DHCP. * Multiple minor fixes for Coverity complaints. * Handle unexpected regex. * Fix minor issues in dictionaries. * Fix typos and grammar. Patches from Alan Buxey. * Fix erroneous VP creation in rlm_preproces. * Fix MIB. Patch from Jeff Gehlbach. * Trust router updates from Alejandro Perez. * Allow build with LibreSSL. * Use correct packet for channel bindings. * Many fixes found by PVS-Studio. Thanks to PVS-Studio for giving us a test license. Please see the git commit history for more info. * Fix incorrect length check in EAP-PWD. This may be exploitable. * Stop rotating session database files (radutmp, radwtmp) since these are not logfiles. - freeradius-server-radiusd-logrotate.patch: updated- removed obsolete freeradius-server-fix-cert-bootstrap.patch because recent /etc/raddb/certs/bootstrap simply works - update to 3.0.13 (still FATE#322416) Feature improvements * Add dictionary.rfc7930. Note that we do not implement the RFC. * Added 'cipher_server_preference' to mods-available/eap Patch from #1797. * OpenSSL 1.1.0 compatibility fixes. * rlm_perl: radiusd::xlat to evaluate xlat string within perl script * Allow authentication retry in winbind. Patch from Herwin Weststrate. See raddb/mods-available/mschap. * Added "recv-coa" method to rlm_rest. It behaves the same as "authorize". * Document Trust Router tr_port option. Patch from Stefan Paetow. * Update elasticsearch/logstash examples so that they work with elastic stack v5. Patch from Matthew Newton. * Print information about packets, replies, and contents in the detail file reader. * Update abfab-tr policy. Pull request #1893 from Stefan Paetow. * Reject packets which contain User-Password and EAP-Message. * Add example for filtering Access-Challenge. See sites-enabled/default. * Pull symlink fixes from v4.0.x. Fixes #1859. * Add systemd reload. Not everything is reloaded, but some is. Fixes #1662. * Better documentation for listen "ipaddr". Fixes #1921 * Add dictionary.cnergee, updated dictionary.nomadix. * radclient no longer needs -x to print statistics with -s. Bug fixes * Minor typos. Fixes #1763 * Fix typo in RPM build. Closes #1767. * rlm_mschap check for password expiry only if password was correct. Fixes #1762. * Update debian build. * update rlm_counter "man" page. Fixes #1775. * Remove erroneous assert. Fixes #1778. * fix mschap password change test. Fixes #1792. * Cleanup config file on data remove. Fixes #1795. * passwd module returns "notfound" if not found. * Check for old OpenSSL, and don't build rlm_eap_fast if it necessary. Fixes #1803 * Cleanup memory better after ldap version query. Patch from Aleksey Katargin. * Rename lt_* functions to avoid linker issues with libtool. Fixes #1277 * Many miscellaneous fixes and typos. * Allow long strings in %{%{foo} bar:-%{baz} blah". Fixes #1866 * Fix filtering operators, along with more documentation and more tests for them. * Fix OpenSSL fixes. Fixes #1876. * Finish SQL select queries even when SELECT returns no rows. Fixes #1879. * Set Module-Failure-Message for more EAP errors. * Correct typo in dictionary.rfc5580. Fixes #1882 * Remove obselete systemd syslog.target. * Client-Port-Balance load-balancing now uses client port. * Radrelay examples fixed from Alex Clouter. * Update systemd target. Pull request #1896. * Trim starting whitespace in xlat strings. * Get MySQL result lengths using normal API. * suid down after fchown(). Fixes #1914. * Fix cases of comparing pointer to NUL character. Fixes #1915. * OpenSSL v1.1 fixes. Pull request #1921. * Better Handle v4/v6 host names. Pull request #1919. * Remove "Auth-Type = System" from docs and examples. * Don't crash on malformed %{home_server}. Fixes #1922 * fix erroneous use of talloc destructor in rlm_eap * Issue trigger modules.sql.fail. Fixes #1923 * Document python_path gotcha's. Fixes #1845 * dlopen() the specific version of Python. Fixes #1592- Don't require insserv if we use systemd - Remove require for unused fillup- Merge changes from SLE to openSUSE (FATE#322416): * freeradius-server-radclient-init-error-buffer.patch - make sure we initialize error buffer. bsc#911886: radclient error free() invalid pointer * freeradius-server-opensslversion.patch: remove OpenSSL version check and assume we know what we are doing. (bnc#1013311) * merge .changes file, mostly. - do not attempt to detect "vulnerable" OpenSSL versions. SUSE security fixes do not necessarily bump version numbers as does upstream OpenSSL (bnc#1021375) - do not generate certificates in %post. End-user needs to do this manually. - keep FreeTDS disabled on SLE12 - we never shipped it enabled - require OpenSSL 1.0+ - use pkgconfig(systemd) instead of plain systemd as BuildRequires - don't list manual pages as %doc- Remove --with-pic which is for static libs only. - Use SUSE RPM group names. Trim filler words from description. - Do not hide errors from groupadd/useradd.- Add upstream keyring - 2 new modules: rlm_sql_freetds and rlm_eap_fast- update to 3.0.12 - still fate#320481 The focus of this release is stability. * Feature improvements + Add support for =~ and !~ in update sections. See "man unlang" + Add dictionary.checkpoint. + Simultaneous-Use prints out more information. + Print WARNING in debug mode when packets may be truncated. + Added expansions %{home_server:state} and %{home_server_pool:state}, which show the state of the server / pool. + Mark rlm_sql_freetds as stable. + Make rlm_perl less fragile. Patch from Herwin Weststrate. + Allow extended attributes to have "encrypt=2" + Update dictionary.aruba. + Add support for EAP-FAST. This is an isolated feature which does not affect anything else. + Update OpenSSL vulnerability list. Use a version of OpenSSL released after September 20, 2016. + EAP certificate verification is now done when "verify" is enabled and "ocsp" is disabled. + New dhcpclient and rlm_rad_counter man pages. + Minor abfab and moonshot additions. + Pass CFLAGS through from environment in RPM builds. Allows more custom builds. + Build with Heimdal in addtion to libkrb5. * Bug Fixes + Use correct typedef for older versions of sqlite. + Update mssql schema to add priority + don't complain on /dev/urandom in ldap + fix == operator in update sections + Don't create DHCP strings with many trailing zeros. + Allow MS-CHAP change passwords instead of complaining on large buffer. + Allow assignment or equality operator on SQL. + Update aclocal tests for FreeBSD 10. + Remove occasional hang in rlm_linelog. + Copy VSAs to inner tunnel for TTLS and PEAP. Fixes #1544 + A few minor bugfixes caught in v3.1.x cleanup, and back-ported to v3.0.x. + do_not_respond again works in post-proxy + Allow realm "~^.*$" {} and User-Name with no realm. + Fix leak when creating unknown attributes + Fix Debian / logrotate. + Make OpenSSL error functions thread-safe. + Fix crash with rlm_sql and updating SQL-User-Name. + Debian build updates. + Allow regular expression comparisons in radclient. + Fix memory leak on unknown attributes in detail file reader. + Update example paths in "man" pages when installing them + Build fixes for rlm_mschap. Fixes #1489. + BSD build fixes. Patch from issue #1583. + Be more careful about /lib/ when building. Fixes #1585. + Correct ifdef placement error. Fixes #1572. + Allow for more files in internal "exfile" API So it will be possible to open more than 64 "detail" files at the same time. + Remove support for statically built EAP modules. Fixes #1591. + Many fixes to rlm_python from Guillaume Pannatier. + Use correct week adjustment in SQLcounter. Fixes #1608 + Minor fixes to allow compilation without DHCP, VMPS, or TCP. + Fix checks for module / config file change on HUP. + Compile regex comparisons when sent via "debug condition". + Update filenames in documentation and examples. + Don't crash if SQL connection becomes unavailable. + Disallow originate_coa when proxy_requests = no. + Free rad_perlconf_hv in correct perl context. + Multiple fixes for Debian builds. #1510, among others. + Set OpenSSL FIPS compatibility flag when necessary. + Pulled fixes for the build system over from other branches. + Fix OCSP for RADIUS over TLS. + Fix skip_if_ocsp_ok behavior. + Better fixes for systems without closefrom() but which have /proc. + Minor build fixes back-ported from v4.0.x. + build --whout-ascend-binary. Fixes #1761. + Be more aggressive about not opening new connections in debug mode after CTRL-C. Address #1604.- use %{with} macro for conditional inclusions instead of hardcoding version numbers - improved package descriptions - fixed builds on SLE12 and SLE11SP4- removed installation of experimental module rlm_sqlhpwippool.so - update to 3.0.11 (fate#320481, bsc#961479, CVE-2015-8763, bsc#935573, CVE-2015-4680) * Changes of version 3.0.11 + Feature improvements - "unlang" comparisons of IP addresses to IP prefixes are now detected, and types automatically cast. - Allow shorthand form of ipv4prefix values e.g. 127/8. - Add "auto_chain" to raddb/mods-available/eap, tls subsection. This allows the disabling of OpenSSL auto-chaining of certificates. Which might be wrong. - Added printing of coa and disconnect stats (radmin). - radclient defaults to expecting Access-Accept responses to Status-Server. - Updated dictionary.lancom, dictionary.starent. - Portability fixes for Solaris. - More errors from ntlm_auth gets passed to MS-CHAP. - Update abfab-tr-idp virtual server. - Added "filter_password" in policy.d/filter. This removes embedded zero bytes in User-Password, for compatibility with broken clients. - The server now issues a WARNING message if duplicate configuration items are found. - TLS can skip the "verify" section if OCSP returns OK. See raddb/mods-available/eap, "skip_if_ocsp_ok". - Set TLS-OCSP-Cert-Valid = yes / no / skipped, which is the result from the OCSP check. - Interoperate with AD and "LmCompatibiltyLevel = 5", by always setting WBC_MSV1_0_ALLOW_MSVCHAPV2 for native winbind in rlm_mschap. - TTLS and PEAP now require "virtual_server" to be a real server. - Print WARNING when TTLS or PEAP identities are spoofed or not properly anonymized. See RFC 7542 for requirements. - Various rlm_python fixes from Herwin Weststrate. - Allow setting Response-Packet-Type in "Post-Proxy-Type Fail", which is useful when the home server does not respond. - elasticsearch updates from Matthew Newton + Bug Fixes - Fix issue where field nas_type would not be accessible via the %{client:} xlat, for clients loaded from SQL. - Fix compatiblity issues with OpenSSL 1.0.2. Ignore calls to msg_callback with 'pseudo' content types. - Data type "ipv4prefix" is parsed correctly. - Use correct talloc context in rlm_exec. Fixes #1338. - Complain in unlang if "else" is used with no previous "if" or "elsif". - Send accounting status packets to the accounting port. Fixes #1364. - Print out CFLAGS when doing "radiusd -Xxv" - Fixed bug with coa/acct stats value #1339. Based on patch from Jorge Pereira. - Fixes for LEAP proxying. Don't use LEAP! - Fix issue with "directory already exists" seen when doing "make install". - Fixed bug with radmin related to the option "stats detail " - Complain if the detail file reader does not have permission to read the "detail.work" file. Fixes #1398 - Fixed SoH. Attributes were not being copied to the virtual server. - Used a wrong list to global statistics in "stats". - Create EAP-PWD identity correctly. Prevents segfaults. - Dynamically validate authentication types for PEAP and EAP-MSCHAPv2. - Fix includes in installed headers. - OpenSSL 1.0.1f and 1.0.1g do NOT calculate TLS 1.2 keys correctly. See raddb/mods-available/eap, "disable_tlsv1_2" - Allow password change to work for MS-CHAP. This requires 'r=0', because password changes are not retries. - Fix home server fail-over for home servers using TCP and/or RadSec. - Special characters in expanded regexes are now escaped e.g. User-Name containing '.', and comparing /%{User-Name}/, the '.' will now be escaped. See src/tests/keywords/regex-escape. - Use correct authentication vector when sending Access-Reject replies for RadSec. - Set FreeRADIUS-Proxied-To in TTLS again. You should use the "inner-tunnel" virtual server, instead of relying on this attribute. - Fix debugging constants in rlm_perl. Patch from Herwin Weststrate. - Add samba-dev / samba4-dev to debian builds so that rlm_mschap can automatically use the new winbind API. - Automatically skip zero-length attributes when sending packets, instead of erroring out.- fix bsc#951404 * Rebuild of freeradius-server package fails * fix source url - ftp://ftp.freeradius.org/pub/freeradius/ + ftp://ftp.freeradius.org/pub/freeradius/old/- update to 3.0.10 * Changes of version 3.0.10 + Feature improvements - Do more optimization of unlang policies. This makes run-time a bit faster. - Re-name most of the functions in src/lib. Third-party module authors will have to do the same. - More documentation on contributing and how to write modules. - Update radiusd.service for systemd. - Open IPv6 proxy socket if the server is listening on IPV6 auth / acct / coa packets. - Create debian packages for DHCP. Fixes #1125. - Add more tests for "update" section parsing. - Update "man" pages. - Update attributes for Alcatel 7750 - Add dictionary for Boingo Wi-Fi - Add support for DHCP lease queries. See raddb/sites-available/dhcp - On HUP, check all modules for config files which have changed. And only re-load those modules. - Allow FreeRADIUS-Response-Delay(-USec) to be set for RADIUS packets. Patch from Herwin Weststrate. - Documentation fixes from Alan Buxey and Matthew Newton. - Update "logrotate" script. - Added more RFCs to doc/rfc for new standards implemented by FreeRADIUS. - Don't crash when doing "radmin -e "help hup". Patch from Matthew Newton. - The dictionary parser now does more sanity checks, which prevents run-time problems with invalid attributes. - Update debian packages. Patches from Christopher Hoskin. - Many other debian packaging fixes from Matthew Netwon and Herwin Weststrate. - Add "session-state" to Perl. Patch from Herwin Weststrate. + Bug Fixes - Fix rlm_files so that there are no collisions when loading 10's of 1000's of users. - Fix radclient to use our internal v4/v6 parsing functions. v6 addresses with ports now work correctly. - Fix sending/receiving packet messages to wrap v6 addresses in square brackets '[]'. - Check for sasl/sasl.h when building rlm_ldap, and disable SASL functionality if unavailable. - Fix issue which caused a non \0 terminated buffer to be assigned to attributes if the value being assigned contained an invalid escape sequence. - Fix deadlock when reconnecting connections in the connection pool. - Fix potential overrun in functions that used fr_utf8_char with a non nul terminated buffer. - Fix decoding issue for Tunnel-Password type attributes which were very long. Found by Denis Andzakovic. - Fix radclient issue with TCP sockets on FreeBSD. - The server now creates ${run_dir} and ${logdir} directories in daemon mode, when running as "root". - Handle tags when using maps. Fixes #1191. - Fix crash when CoA packets time out. - Fix parse error in rediswho - Fix regex support in SQL radcheck the "users" file and radsniff. - Register listen xlat earlier, so that it's available when the virtual servers are being parsed. - Parse Ascend-Data-Filter when given as "0x..." - Print Ascend-Data-Filter correctly. Add test cases for both. - Allow old-style clients again. They will be disallowed for 3.1.0 and following. - Complain instead of crash when "else" and "elsif" are in the wrong place. - Clean up memory more aggressively. This lowers the maximum memory used, most typically for TLS based EAP methods. - Prevent the server from unlinking the control socket of an already running instance. - Fallback to using the configured OCSP URL if one exists, and no URL is provided in the certificate. - Return CoA-NAK if proxying CoA fails. Based on patch from Jorge Pereira. - Lower peak memory usage by decreasing size of internal memory pools. - The control socket is now left in place if a second copy of the server is accidentally started. - Allow virtual attributes in "switch", "case", etc. Fixes [#1240] and #1265. - Many spell check / typo fixes in comments and example configuration files. - Better handle multiple DHCP listeners. - Don't print secrets for old-style realms. Fixes #1267. - Don't fall through in empty "case" statements. Fixes #1274. - Update EAP-TTLS so that MPPE keys are correctly calculated with TLSv1.2. - Always delete MS-MPPE-* from the TTLS inner tunnel. This allows TTLS / EAP-MSCHAPv2 to work. Fixes #1206. - Fix off by one error that caused some MSCHAP-Error messages to be sent without the password change version (V=3) and the textual message component (M=). - Always include C= V= and M= in MSCHAPv2 errors. RFC 2759 does not say that any of these fields are optional, and not including V= caused errors with wpa_supplicant. - Do not include M= in MSCHAPv1 errors. It's not supported.- Fix boo#912714: freeradius can't use ntlm_auth * Create winbind group * Add radiusd to winbind group- Remove gpg signature file * The gpg signature checking is broken and doesn't work- Fix bsc#935573: Insufficent CRL application for intermediate certificates * CVE-2015-4680 * freeradius-server-CVE-2015-4680.patch based on https://github.com/FreeRADIUS/freeradius-server/commit/a03814af310bb3bee74ea012546d99c48b0ea5c3- update to 3.0.9 * Changes of version 3.0.9 + Feature improvements - Make "pool" configurations more consistent, and update documentation for them. - Move connection pool logic to "most recently started", instead of MRU. This should help with pool stability. - More VSAs for 3GPP2 - Added examples of multi-value attributes to rlm_perl. - LDAP-Group and SQL-Group attributes are now dynamically allocated. - Only the "sql" module registers SQL-Group. Other instances register "instance-name-SQL-Group", similarly to "ldap". - Unknown attributes are now complained about more often when used in unlang statements. e.g. if (Foo-Bar == 3) used to be a string to string comparison. It is now a parse error. - Rename RLM_COMPONENT_* to MOD_* in the code. This makes many things easier. - Move to C99 initializers for modules. - Load modules in raddb/mods-enabled. This allows attributes like "LDAP-Group" to be used in the "files" module, without explicit ordering or listing in "instantiate". - Added 'bootstrap' section to modules. Third-party modules will need to be updated. - When adding clients from a DB, add them to a virtual server if that virtual server has a "listen" section. Otherwise, add the clients to the global list. - When reading dynamic clients from a file, don't expire them if the underlying file is unchanged. - Allow the server to originate CoA requests from the post-auth stage. - The server creates ${run_dir} and ${logdir} in daemon mode, if they do not already exist. - Add dictionary for Wi-Fi Alliance Hotspot 2.0. The server now supports all mandatory and optional attributes for this specification. - HUP now re-loads the configuration only if the files have changed. If all files are unchanged, HUP re-opens the log file, and does nothing else. - Much better debug messages for EAP-TLS, including which attributes are cached, and when they are retrieved. - Increase default max_requests to 16384. Memory is cheap now. - Added "stats memory" commands to radmin. Debug build only. - Aptilo controller dictionary updates. - SQL modules now use Acct-Unique-Session-Id everywhere. - The redis modules are now stable. - The LDAP module now supports SASL "interactive bind" method. This allows Kerberos based administrator and user binds. - DHCP code is now in libfreeradius-dhcp. - More DHCP encoding / decoding unit tests. - rlm_replicate can now be listed in the "accounting" section. - Better sqlite debugging output. - Remove "required" option from many sql_ippool directives. - Set default CA "basic constraints" to "critical". Fixes #1073 - Updates to help / man pages from Jorge Pereira. - Added more tests. + Bug Fixes - Be more careful about unused config item warnings when using -Xx. - Move more defines to be auto-generated. - Allow virtual servers in proxy fallback. - Allow %{module:} to work. - Don't crash in RadSec. Closes #980. - Return better errors when a unix group / user is not found. - Re-enable detail module "locking" parameter. - Don't crash when logging replies from Status-Server packets. - The couchbase module now uses "update" instead of "map", for consistent with the rest of the server. See raddb/mods-available/couchbase - Don't require NT-Password for MS-CHAP password changes. - Be a bit more careful about decrypting MS-CHAP-MPPE-Key attributes. Closes #1013. There is no perfect fix, tho. - Fix security issues with EAP-PWD. See http://freeradius.org/security.html#eap-pwd-2015 - Fix dynamic clients read from SQL in non-debug mode - MS-CHAP now allows retries (i.e. password change) when passwords are expired. - Allow "user=radiusd" when the server is already user "radiusd" - suid up/down works on non-Linux systems. This means that the control socket should have the correct ownership. - Fix issue which caused the server to sometimes have problems when a home server was marked zombie. - Fix format.pl because Perl is now more picky. - Fix proxy to Packet-Dst-IP-Address, so that it uses the correct destination port. - Fix corner case with cursor functions and removal. - OpenDirectory fixes and documentation. - Fix leaks in rlm_redis. - RFC 6929 "evs" attributes are now encoded / decoded properly. - Fix talloc pool leaks when receiving malformed or retransmitted Accounting/CoA requests. - Printed attributes again use double quotes instead of single quotes. - Set X509_V_FLAG_CRL_CHECK_ALL, and add "check_all_crl" to eap.conf. Fixes oCert CVE-2015-4680. - rlm_expr now errors out correctly on malformed attribute references instead of triggering an assert. - Make "break" work in "foreach" loops - Allow dynamic expansions to work again in the "hints" file. - Correct minor typos in comments and examples from Alan Buxy. - Re-urlencode the path portion of ldapi:// urls before passing it to ldap_initialise. - freeradius-server-rlm_sql_unixodbc-configure.patch removes hard-coded directory in configure script of rlm_sql_unixodbc - install new module rlm_sqlhpwippool.so- minor adjustments/cleanup of spec and changes- update to 3.0.8 * Changes of version 3.0.8 + Feature improvements - Allow syslog_severity to be set in rlm_linelog. - Allow defaults to be set for bulk clients in LDAP and couchbase. - Updates to dhcpclient. Patches from Nicolas C. - rlm_mschap now supports direct connections to winbind, which is faster than ntlm_auth. See raddb/mods-available/mschap. Patch from Matthew Newton. - Recommend /dev/urandom for TLS randomness, instead of ${certdir}/random - Allow TLSv1 to be disabled via "disable_tlsv1" in tls{}. - Allow Expanded EAP types where vendor is 0 (IETF) and type is normal EAP type. Supplicants sending Expanded EAP types like this are broken. - Add support for server side sort controls when searching for user objects in rlm_ldap. + Bug Fixes - Don't complain about "authorize" in "server {}" blocks, but only if there's no "server" block. - Fix cosmetic issue where debug from the first packet read by a detail reader thread would be emited during config parsing. - Fix ASSERT on truncated detail packets. - Don't use main server log functions from within panic_action, as in the case of syslog this would cause deadlocks if the fault was triggered from within a malloc. - Fix issue in "switch" when "correct_escapes = false". Fixes #911. - Fix sqlcounter configuration to use "%%b" instead of "%b", otherwise the new syntax validation will fail. - Allow forward references in configuration items. Modules aren't always loaded in a sane order. - Fix more escaping issues. Closes #912. - Decode MAC addresses correctly for VMPS. - Fix memory leak with TLS connections. - Fix state machine threading issues for conflicting packets. - Fix copy_request_to_tunnel issues for tagged attributes. - Allow "ok" to over-ride "updated" inside of Auth-Type sections. - Update state machine so that post-proxy is run though child threads for performance, instead of blocking the main thread. - Allow "netmask" to work again in client definitions. - Relax restrictions on SQL group queries. - track outgoing proxy sockets and clean them up more aggressively. - track proxy statistics, including CoA and Disconnect. - If radmin has a connection failure when running a command, it re-connects and runs the command again. - mark home servers "unknown" less aggressively. - Fix potential SEGV in PostgreSQL driver on error. - Fix issue where fields like nas_type would not be accessible via the %{client:} xlat, for dynamic clients. - Set default busy_timeout (of 200ms) in the sqlite driver, so writes don't cause selects to fail in multithreaded mode. This is user configurable, and may be increased if required. - Convert Password-With-Header attributes to binary (from hex or base64), in the authorize method of rlm_pap. - Fix invalid assert in state.c, that could cause abort in post-auth. - Fix double free when -m flag is used, and connection pools are referenced by multiple modules. - RADIUS over TLS accounting uses the same port as authentication. - Regularized return codes from radmin commands. - Fix RHEL spec file so it works correctly for Centos7 which uses systemd, and didn't like the SystemV init script. - radwho and radlast now have a -D option to load dictionaries - DHCP packets are no longer checked for duplicates. - Don't crash in sql module group comparisons in corner case. - Calculate MPPE keys correctly when using TLS 1.2. - Fix load-balance sections. Closes #945 - TLS certificates are available again in the post-auth section. They are not available for session resumption. - radclient encodes CHAP-Password properly when using -c Closes #955. - Fix issue in rlm_cache_memcached driver that caused variable length values to be truncated. - Fix track functionality in detail reader, so it no longer fails with a "Failed marking detail request as done: Bad file descriptor" error. - Actually add the peer identity (as User-Name) to the inner tunnel in EAP-PWD requests, so it's available for lookups. - Fixes to PostgreSQL queries. Patches from Santiago Gimeno. - new set of consolidated patch files: deleted: * freeradius-server-2.1.1-logrotate_su.patch * freeradius-server-2.1.6-rcradiusd.patch * freeradius-server-initscript-pidfile.patch * freeradius-server-radius-reload-logrotate.patch * freeradius-server-var_run.patch added: * freeradius-server-radiusd-logrotate.patch * freeradius-server-rcradiusd.patch * freeradius-server-tmpfiles.patch- Do not disable as-needed build - Remove the with_sysconfig switch and just stick with versions- update to 3.0.6 - fixes a segmentation fault in PEAP module (bnc#912588) Feature improvements: * radmin / raddebug conditional errors are printed to the output, instead of being discarded. * raddebug will exit if condition set with -c was invalid. * radmin auto-reconnects if the connection to the server has gone away. * rlm_cache now has submodule support. See raddb/mods-available/cache * New memcached driver for rlm_cache. See raddb/mods-available/cache * Add support for &Attribute-Name[*] in conditions. See "man unlang" for details. * Add &Attribute-Name[n] which gets the last instance of an attribute e.g. Module-Failure-Message[n]. * Allow for redundant string expansions. See the "instantiate" section of radiusd.conf. * When checking IP addresses in conditions, make the right side be parsed as an IP prefix. * Support JIT compilation of compiled regular expressions when built with libpcre. * Support named capture groups with "%{regex:}" when built with libpcre. * Increase regular expression capture groups from 8 to 32. * Emit error markers for badly formed regular expressions. * Allow 'm' flag to enable multiline mode in regular expressions. * Support limited implicit attribute conversion in update sections. * Support casting between IPv6 and IPv4 where the IPv6 address has the v4/v6 mapping prefix (::ffff:).- Drop .keyring and .sig file: freeradius-server still uses MD5 signatures, which are no longer validated/accepted by GPG 2.1.- update to 3.0.5 Some of the new features: * Allow LDAP to specify arbitrary attributes for dynamic clients. * Allow one level of backslashes (finally). See radiusd.conf, "correct_escapes" setting. * When supported by OpenSSL, allow TLS 1.1 and TLS 1.2 in EAP methods. * Allow multiple new connections to be spawned simultaneously in the connection pool, to cope with spikes in traffic. * Use kqueue on systems which support it. This allows for better scaling when using many sockets. * Home server "response_window" can now take fractions of a second. See proxy.conf. * radmin now supports "show module status", as thee counterpart to "set module status" * "ipaddr" will now use v6 if no v4 address is present. You should use "ipv4addr" or "ipv6addr" to force v4/v6 addresses. * "client" sections will allow "ipaddr = 192.192.0/24". The old "netmask" is still accepted, but the new format is preferred. * Allow custom HTTP headers to be set for rlm_rest requests using control:REST-HTTP-Header (attributes consumed after use). * Extend format of %{rest:} expansion to allow HTTP method and POST data to be specified and urlquoting. * Add support for aliases in rlm_ldap. * Add support for connection pool sharing to all modules that use the connection pool (pool = ). * "tls" sections now have a "psk_query" configuration item, for dynamic queries to discover a key from a PSK identity. * Preliminary support for EAP channel bindings. * Foundational work for dynamic home servers. They do not yet work, but this is now only a matter of updating the "realm" module in a future release. * Support &attr[*] syntax to copy all instances of an attribute when used with the += operator in an update section. May be qualified with a tag. * The logintime and expiration modules can now be listed in the post-auth section. This makes some configurations simpler. * rlm_sqlippool is now IPV6 capable. Set "ipv6 = yes" to get Framed-IPv6-Prefix returned. The SQL queries have NOT been updated. Please submit patches. and numerous; bugfixes - remove gpg-offline - create /run/radiusd after install - drop freeradius-server-opensslversion.patch (upstream)- freeradius-server-opensslversion.patch: do not check the minor version of openssl, minor versions are supposed to be compatible. bnc#906682lamb69 1589659540 3.0.21-lp152.1.33.0.21-lp152.1.3dhcpclientmap_unitrad_counterradattrradclientradcryptradeapclientradlastradsniffradsqlrelayradtestradwhoradzaprlm_ippool_toolsmbencryptdhcpclient.1.gzrad_counter.1.gzradclient.1.gzradeapclient.1.gzradlast.1.gzradtest.1.gzradwho.1.gzradzap.1.gzsmbencrypt.1.gz/usr/bin//usr/share/man/man1/-fmessage-length=0 -grecord-gcc-switches -O2 -Wall -D_FORTIFY_SOURCE=2 -fstack-protector-strong -funwind-tables -fasynchronous-unwind-tables -fstack-clash-protection -gobs://build.opensuse.org/openSUSE:Leap:15.2/standard/ed9e66b43efb9a38dbadba77403abb61-freeradius-servercpioxz5x86_64-suse-linux ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/l, BuildID[sha1]=43bfcc20b8c905461b13656da585abae763f48dc, for GNU/Linux 3.2.0, strippedELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/l, BuildID[sha1]=7828cf080cde64a598d841d134685c767c2de227, for GNU/Linux 3.2.0, strippedPerl script text executableELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/l, BuildID[sha1]=adcbb12a53f310a90621a218b800d06a4979c8e7, for GNU/Linux 3.2.0, strippedELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/l, BuildID[sha1]=ddf17c46922b492c43f5c085587135582d18897b, for GNU/Linux 3.2.0, strippedELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/l, BuildID[sha1]=cec83f5081749beaca81a1e5742a4b71bc15ca64, for GNU/Linux 3.2.0, strippedPOSIX shell script, ASCII text executableELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/l, BuildID[sha1]=f22d0e3544caccf03e9763f0b7c6cd18f14d7641, for GNU/Linux 3.2.0, strippedELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/l, BuildID[sha1]=bd26e11f7d56fddf9049a25007ff67bc87f7f535, for GNU/Linux 3.2.0, strippedELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/l, BuildID[sha1]=7817fe6a228e70df3e6d5785a8fc100f13b34856, for GNU/Linux 3.2.0, strippedELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/l, BuildID[sha1]=2e90500e89f71d2928f306cca2bf47d24d896115, for GNU/Linux 3.2.0, strippedtroff or preprocessor input, ASCII text (gzip compressed data, max compression, from Unix) #./ABMNOYZb    RRRR RRRRRRRRRRR RRRRRRRRRR RRRRRRR RRRRRR RRRRRRRRRRRR RRR RRRRRRR R RRRRRRR RRRRRRRRRRRRRR RRRRRRRRR R RRRR RRR RRRRRO3 utf-85c855d5c9a8e8f0dcda0132fad913c0757329319691c6c0cc97cfc869f0dcfb9? 7zXZ !t/:] crv9uQNa?hSZXy)SkuV^D-L4z/^z12J6Nv(([Zco9 p^u$CcZtCABC~509z˓hs $_3: A -If#4Ye xe g|[_$"\'43W>8AU^GeCژO٣}H|<32SO衸H)=5a)ү0qOE|20 +* yrYJd6Lc輷3F,pv_Ev(&|즗m*w$RsP=AQwg>d!E_|;hIfF}ۼ<6^k!zHŏ)1LjjvNURkC?.̯Rvy< Gi 1gɴŒYlfyhgt?Rru;\Rg_dp>Gc#YZgz! c榗S%1m=t$*!hYXoK.ԸGO_FWҌTyۖyK_7 }*'hf&ڇ0EG+˓".6E?A-™2cXߔņCvMdu~vm^TD:ҋjpkO3+*dg\e7\8X geX'?sg~9E0I,ؒd`Mk!'l8рe,.`!fW"}}xM]3 WݏF\ &q7Ejr@?\%{aa@z{2DTO8 E`ŘYRwv9n:1Uxw_0jwd_`0#֪y{.iFՅONfhZ]l ͦRQ@|oW /=ұq٤?gԤzZsίUX2G!vI7` e br&#i/@H+Vi!Vw ]=x׌jdOkCRsxbRV4dBfm{5XqLGPo mX|( 1llnjgQrcP蝬biej51F?Mk+ apd-s[t݇[ g=h^p>cf`- BxהŶ6A㉗RNמyc.m#`"@gFZiopQEw"K \>Bm$kO&Oѻ PJ̤yMV"f*Mk >F@ɎݝiIg_gYX"B獀1{]ٝ AmN/`300>)SFvF:oYl:])|wAIQ_6@W}$^:,*ĺ#@`aC3?R@%ylh-^xoaR1^. /`{ csMP8*)+M/]|'AC(jMyIh묂b;uZnp`հ҇#sY-PhBg*1|ϹK[zYx؅e.Zv 3&CJ2a1j Yץ'Ap \a~RCCeH$&g[#l%\@+dưu4:n-& (P(Pkt߉bΒ\KQԈɕ J]Dw P4~c&fƃ5:',o#+s;iZ`JSsFq$ u')3llz"0p$7\64(q QW`ª^i~oΓOs ɺK9l:f6؉Sb*L,# w%tu0*E.&G_=xED8_vBQ# [Hn)} /dO鐡])/̍'c[NƚntG wjO%?h%gv(hʐ|e!]v9 _4,j%QD[[=1#u?LZoQ1v7?m~܄EzDɚΝ 5|}s(>,tXEg>4n RnFN&8hDv2~59L+w` +[N.Ű4+da%.7dki@vDC}4[,k#<%o b+02l8#x:M7f_ot&/[dY-+6ud6mYm YRؕRXJ>R#s w] H!BԼ;an+ „ |Wu$baLYoKAHO*C9PoȘb&3잰7/-tm) Mh+axcM7ދv}NwSbmlX`wI&;tRA5!#V*v:O@F&7]90clO YFCM1CvBmVG5M}SCD*C4bPxqa`} &m H٪d-/$mߘJUHXi [ ti].¢+ѶF-3'%P$to"4ZW~ap@gX/˪}T7qgw,/p_Daە[WR<)j3=*p /ƪ_e>f28̐/K56LHI#m[Z̍Ax[M:>;'m dES1ҳqdĐBePnWS%ZyR1'$3Gz<~Nh@ jZQk,ieW37 &*l$4ăFI'md<>Bު:ԧ˘40gɪ@q_HfNAW1Is$cnLj{s3jjQ$* a`N+ =VKP-},.h1^@@\6=_O?2֎mR1[lrզ6@LSv|qógf G$r/5H_ Cm_:4ImTf ,)Ƥi:oҋPa\ʆ]= 9 צP7N|| [!n#"ߣNQ^TH ~x֒j;#kS#ո'@.uÓXɣYH1=hA1awpPtQCyא0r96oR[j|O4z27PMηNqhio(@Qz վdNTX{ovy*ueQ3pqxRS?D,='*D0}p׿tNʄ{7BPc ]:p!~ 0(,mb$N`TNR/GoYQp}=,>ĽfZsgKhU=>qalh˭SSJwnL^DV..D 7"3OWj/DYjMs#v(|ćX rk>T:Z3P|l]K[ sSY|jX]&]KB3cN?u] N{`loWjk+PWSb:. nLdQ8C/@D%yjTEP1ƃ G!ш*4^?ђ=iƓF"U<\"P3o,hCN4& rJ'$S@" .greҧZq2@\PÃ14Z=!kX%'g!양G#)H@ B>iScJ+%?v?^nv|ս$ǤӒۜI@=@fzv^R(QH_y$L?fg.È=dcF hEOA`Kq /a^Phx_;աM6^aHp t;ΎkjJM6^&$N je]>~4Jv 8_^ش8@] 3 uc_,#A|R &5W]2ڄPF@jGEZ]]He6սA&{Q䈬dvf4.e{qB9dZὣ0*Ԣ%K^^-+V*8Ȯ~ȽOQӛ5D&!> =2XSM7Ǔ5ѼUM4=1bo1x"?.l̦p`.8 ҧC-r7WyvYu@܄ai }x-99ecwg&3/6AR5q]{h[3 +SJ8syzcʑv7~.O j?/k0|D(?1$'ʲ->XA=gb6-ږA%HtS-" b{eB:e@b] Ԡ+{T#y T2(YXAM[FDяΙv'ud/²wuu(|dg0JkjAlS.g#^xK;==)O:ZărU EQ^: 0t-sP'G#ϐqȕ~V$cSTF E_+VK͏MC{G"D 1 4 jfDSs\FaU;vX)SH^4!\J0\*THhQ͓Գl*D3s3QPuN_[v3XD^:-$MHT*nF*Wݸov<ܿvi5UC9Y䅏* PTZq!V(̍M JFOm+IBs),9L 8Dj6|(c',mrpv(M0rp Xw+~ig+Vd(0 va#T1AUX ;J(P B>0#(KGifǪ+c5횚oN!z%rIpƯGҔGa\Üw7:HA¦oeZ SW#4XqV>{xZ$jt3qƪO~=*S7;uf?oUN;akJ" #IpZ7 nO?[+uY/Dǒ7sKGVX-nS 1(G1m XNѢ1}G;ndT>GxgQV,DVV }0ٹH=z#1Iߔ MաBlM YcT;z)0s,Om!J "ܒYu)f ! )2x=}#2#$ tImY[iˈxݕb]& 4[\|,pIʹU> uR63qZPPan_3f8cB.dlQ}39k+1='-o$5h,\#nP`eo9&TVKi]qߤ`ܽg rh([[=^fm)_J;Sm˃I;eOjݶW_C՞5)5*KU8{s?v Y?&s5pP&kK1k<\bs@cIWQch,go hxR5&*7,*1u&^VӁS&P yrĤ qn|.&EۻjТ1?oՐF?||XP'At{Y Cu&()py?v> Sb?}0iu%..$5 A HET(Z30@~mRN?@fR ^}+  t4bfؕzw#G9X"-E%svJW:gj/rśxtȲҒU\X"Ҥjz+a#q##X sf5WQencC;lbsMKڇc}h|/-^vg;9#VL-WT_ D)t_N rjCKFAN`nLrȑq0rm@^tiThX_irGBxT}(]ym. o/ ;h+7kTQX`bߢd&n0el`ir>Z?+3&W"X!\Z@vཱུGl>yy4N10>YQB&1GX/SP4Wˢwv^yYX>G"]z2\!|*yڊ6jzU\xևyg 9`bg AQtL֖SeJ0EQB?29jUah̰ @ڔnU؄;),c^wފ:eÅ:V4@]u;O~G^GAt$JaՌjl= Voա߬X3li/]!(Fz3I9]IJ L~uo!DF[h߱c^_Ʊ({7jfz:S17rJc1A34V|՝J"I#da>“$IǟK9Z;0O] jʬS+2+-ج2a?jM a@ʗB;pwndA^ -rz`mKN"% !F/іw 4Dָ7x^CL>_uaFKE%Gfj1bQvmX.3S.gEC88 nJ? P<4?ec:y&-h_ D0#*M4m[F`s4`r2TaN2aZ'\ޅDر&?97JbCr3] E-5 YTŌF[^-`J#k[%H~by뺒V!z!%yb~ &KpB6*axg? C +ƆwjK#Ɣ;:wG@gBD&7?epP#06RYZvۥ+Yv|ؚ{84>|!{ 8L`y}--i*7]"4wwB;Â,09=Y¹ ZbuIW;$[1K7w/@굦=2 ߠ`jvi1,/y)Y%"@=0y/ jN1Aݜ^ g-F5\S]e=cxP1zҶ>@1_\MfC1ڋ:OKʞs.ƑtѼťFW;BPUʃuL=<#PgFy~ u K,tpi]a[W-cMص s+DγCa9vN~sɁD'UqgurMբ v^5v׍kh.-9dSw/U9j)*k1MӰE>CfSw *1qlĘ-Ba"sTF6Ma QF֏փ`! *{{ ]V8kMSUԑًmDpz9dPG]C$Shp&]#Z3 ;=PK>S+}]DeUa$\ܼsJC)};ozT'M)|K>*FR}؜;9k~7;rd_p˓Yv樟s\Ԡՙøpg. dDo%4!R7&ڇ<%e߶v綨L_u25 Åkeks`4&{ۻ20{F%PlFuffQ!#FNG ad( ^Z]膠K !h5P-y4/&_a y 2B4&OE5g뤧_ gՕ- ]ˣ!601}HxBb7gĞJ\i/EIH4MjHܕw;ۉ1XEhUTv@Egy-LІJ3?'>nʐle異%l.F)yM,봙浝`|. BHp_ޫ] SMQ!.PlD+T|Pei !RW _;8\=ZDQ*i8WjwQ {<&BpeQjVG)sS_VIU ~NGGV*{D'`Xճ*b*ȣ4:|ؙ uu_.;."b ya/,0kebDT;ljW6bP0m=qGGu܍׵0Q#OXInK H=5ǚFHm xM-/zۙŋL.*mqd40{e X-%j՝IFpG^Vpn?ԳEi!^`Rtj~O\CKE9Ixyik."fce3,Q z@uUdż>̄˺(,?ړތ+y˲,:$v<1daխ8k8/s7Bb|Գw괿d(m֚}7k % L_[=5iT8|T%Kn@[w#CH3J3"wsAD&vFXe33}Ük3=MXU^ɢۍC,N\Su>3вo')a\Џ xѶE #7&5E"vɍ]ܹζlAYSPg?6RgX4ۜ=vju:%/2CհU:\d2uByMQ&CxKRLfyA:Vj Z)dJ‚$g`$DS|]uJAKX !_R]iUlCcDb=5lVp,m@D*r_0~crK<'\QXR`&ecWUm{i_())N( UVͤx*` cI=A}uj1PcuFbPP3f6pnT(Sާ>̥I B,n\iw.RܬL/(VaIaLS[$pNk d9doQ64o>mXY X | $R8V$^fKIWj_EL!IR]'ׯG(G b&ά(oP $fI%x`s+64u2[2Z*&?ઇR\缲`} @)26Ij!$,΂;('kd `}=zٺ3 %o4Zxmms;vOegT {bݪߞp$y;,@,O$l, H97~g rE>O4^)kֈz\o)gfi}<3rEӗ7Qn\ pjn)C+8jvh FX@& UA1[fD!6߂p'ai7]1l\kgr))nM!8+y !FxxAy xEV%f:,!CR1w?$;^m[҈7HփVF_`DB^}0;G`w!LgCUoPM L͚n_[ow+̟e߼>J/i;;g *;dUfw9>(Fm߲7d B=zgrTʏ{/[`ZB:DJz+Ti/4D߮g'q | 6YRBhSZZ2wC\x&+죓 =Bժ/ACeo[#PlŽT#L ªTL/:h^|ȎUAj(+ҫ7\YJk"q@Jƅ^֪x)y7G^Jb8V=ſЮס[XA3 XqaYU%*b@Esiۭsv\sz#t(&u:3~O?2$ZԲ`[bbq~Mar*eq֓͡@s ry|^E(J?'?}j#Ңʉ'vCd6l֒e@ clR>z~kMV TMD$&kqmf?aڛ qCxT蠶oCz.+YcЬ(kBE5rl6ɋAp^!!ǖ|yW022 dz[r-T;KH>^rauy88(h:M4ϯQrӌ˂o[_v;>;e:%/3#A-3K찺=z̏@ɡ w j9Ǫ'E@/mIu,Q L~1m=l8rsx#f)/hR\bsYI8/jXgűߟcr ;MzmЉcAG+YuSW ez@Bt˕>ݲp YV<o 4,0GڃӞJ%A v\$c_@."S3::ֈ*;p`tnָMF- 午U覝hHT4ʓ%`~%|険xE%GkGS@x)S$Yn85LY8)#%QM4@^K'g2Qԃ0V9[:0S5-}/4RhyΗUԽU 4o$)H{NHQ{;7 6t-8T\ bG1QAiq(=ط:$l|@X>R#R1/ɼ1WY<#&+ YÜpmG̅JAU0WljI>5Yt/wt_ew@!qtKy-{ӡ/@.s;3Y!+ɘq6&*a(7x;1: l $*0e8 _6>lmkg;9Z YZGH5׼c s,gšPV nU߮.o*z,EXV3}x Z,)2+eΡuHDaXs֋3z XV]kb@p*g'RRhv]K %`%1/\ "1uzpОu~;ZdB/C!B{_g?%HyD'cTNL)rȠRا]s'un=14X,dH?34'D퓘(>c, Cs^mIbQ<6Y*l^ENBN+VOLMVSɤ (I>Sry;ҸQi w/u@B0r/>~10axp`پ?T\TޔI^-9[]gM61l#Q:~@ojЙiJejAq3.qStJiu''&n")_S+[BIR(mSOq[ D+vC J]45(aӏY2 UmG}[|0~ =%m~,h]])=E;%Hh}'~\)q߃Q2c)Tw8eo s:So=G>O$ Oh.g){gR1,ʹ}m0L#at>"WFMBA$20`P)xt\gq7h]c`\Ajmv)[9Lo/ygh vb?&D/[Vz(Ň&cۂYu_,Ebh%?ZIJ5zZ2ZPozrclPȆ3u;=tBN.iʸ;7Zj!/ ]^r{RvUNϢ>].7G1dr4 8/7Ku?> Gm(Ö4l g衸iF/ Y>hP f1cIr4m C=󔱺O7J /<5;x'kRBw|\6An),KP`y  l7dSת Kc8ª"H ܳp촪VF_Rl}ag-`3'yj½ľ"BH$R3Lh9mXxpE`;"?i:6u}3}<3ts?ۄJfݣHHy*#yvC؞)!Vݕe< NWXX#iζ9Ynï>P<lOOD */lkd폺W3iG-c%8<2E/0RA^c9$JZ}?iiwDPmoS(,EvȾ >=qW[)S*$o=:h4YA2'wvg>7+6v`/ttjz6;Й,"Ca65θ-Sqzt޺z?1Bu{\kDB9XnRztIͰsP]x' iH%›ĵ_V,D.nm`~H\1hW#T7]fꈕg10̲2x} BPntYdv#_i.jSUX K{7yNYJE!3Vi2Do:eeLĴB! M>ĠY0y$ױ׃2K&mV3zVz߾% 6q$̯ɔ]냜B@Ҝ`IH= Kr(wƟA 16r}tEc gP%G* 7&M8B$m;v%l+}VF- zQC/mGჭؒ #=Up~_ nbanTեF-_A;=T}Hp'pcck-8|{ ݺpdG@baZצrE6 `A.݇W`@y:¡Ǥ;JUY1ҩKhj ¾u65 I'fˬ>aγ&zn apzvzL|V9b8_.GuVU!/ʄYQ@u[:N%"@Ij*;M˪"OY:N}4{^{<Dk1DΖlbȜ9 J h ^K~ɕ4qR%poΨzu[w>0pjjvY#5_lrh@Z*LӤK"D/@%Šh)`C"BXX܉7&ƿ=V?!JY~IҴz 9!`tgHuY]d(|_g!f3cm|܈@>CEn5ob!}O:g1qdO!mg~ D"}2nQEJM: Z lZ9Wj 7qq@KXNeLͫ}LOS3l/.JY@ŀG5B_թJMJG |y5"C&ȆUh 86 p0q419H`slPi e|If64 )ޤ$͝*YӾ(YOtxh!`9̶u{r޶VszG܆BAaa^xNl~7)- 7wA߄R1bzv0ouO8M2j(4iDGNǣ,`Dx0KG4>GHv˴r HHЎi((gst"4(Jtx@|K-vEWX2=0|rk  яT=dA^w^"e"U`+H1MBTى&#yǧ<-rG1FLG`pVwzw8(։dy@jނ#FON׺iRZ]mH=Gˤ'6m\ζ;#w. (8ϵ)!Q@dJ0\v]y-xʧ^wP߷g:ZA A݈27%}l$|030 {Q\Ih"zru4s$*{|ʅy珉ɴq=1zL!YCmEe"б#\ц>]lgp|QoЅ{?6I2з bn Dha&.S %J#_臚F\SoHe𭱈@49qӫ,GhX4h]Ioe q`F;*+TT;MS1m#K29'誧aX߾7/ (`>wXDiNZ\;f7;i)t&.t?]&Mh $@TZm6)?Ou18"V[v{=)*xe?[@;|KXcwE>/6Bd&QWFEmm8jOGZCaX2v 1vDx) ȝȶYBtbHkL8Uf`S1'8>(47D,=>{:ԃ\

4`JW>ݗ"6?#aF5kV`D;6`$n/5O3kK 2‡pgFγo>!rtwP+DGWDMbص~B'YiZgXV@sko2M6S![*e'@h^t!̤:A8#5oJL , N!w׋@053S!{Ԣ7y wZi30Xww1'{@`7-G6'd0},lr\iQZ#OC&*V4[ґuF(mV{r֮>.U zv+ Zv11N&z>KI/eNj}TN\JW9|}F 3т1:5Ϥ%‘:\ EP[hG7mbDs ) lwY"4Se)[yY NK)cl%s+B~I,7KMT>17#'c"G5(Wƍq'-Rae>Ȉgeb^BmBy{iMG--x\g [^Km w0guh`YZ+?B4LjzXéNT\rĀa{(srHYiv ̰.< ^BQR|y/|2Z矒|'NHi(Oazl/?gÓJ=|x]5aIij㣟ޒ72ڏlq >͔o4rN,b*#+гיja)媄-CV~lGM1PJWڍD+9` =6Wu:>=W:;ć%0߄ 7U9Ztoo$LR=8q @HˉZ_w{j]_S;pdj*r[BWy6e`㽢d@;gyU!XMC CI0Fq6&&h*O_^d7 f:0%u<(ŝ^O_ʲBcUqMgi :Bh$Aj˧ zӗfO}# =Axg0}B sItP"CŤTܐ0 J]XCrmnfOyS]ۙ0yMUSnfŧMs.G9y4 a%꾃sukd㊮tWLB~A8 % Dw rH_rʙR؀{ P֤&MZ3AvŦ:77'* 74YlSy3N D/mRP1)9wqU]gIg ??AG>9z.80B _N3UU^l/S.U{gVcX]yF3MbcQ3=ru*}@9Sf肠F䩍XۦH{v(~Nqwƒ0n ~i({ETZA#Fc9R6ؚKjB(Bbi,r˝>X,Oʶ4F' :ɫ2Ԩorp.OMč(o'WbRxk bgL|y"{R {gOrw2\}x $1s0 "qq_֜eRXmȄ02ɀx`^rUwtNC4BrY48{GW0=T6A9ۋ -ʗK"rkqGcYx;xua)H2vGi%.$`K|af\mz`G7L !助~ хicihJ kt)+Ҩ#& s+%C=ɠ_)7 &̂ g)eӯY~,:ZidB#[?!l^|X<e7B-A9"oJ7וXd{;c8~'YkSEP-ҩp[\`5Poac̲+} Rdٶegi`TFzF\k.gצ0qΔ5b&5l@?^ ޷.&O~}&h@kdgʼnY|nVsv(!KL&VژTН9|A`v~q`kXu`G৭mO5יN19ҙ +0{pQ$M "pV:Y0S&cmpíxx։,c[,?-ZMZy.^n 1g ;̃qGcU׌7IZ)4@g*cwW *$2xVl|h|ཽnGW|oSNnV!ё-]wܚ SPm"fW.a{:WqJ5(YԴVNH#U,F!V ah1sAJRL'J{G '`]/`9XݳXӹ#^nx}8O..v/¤ab OYGk Yڳ9`ssy2*}J 3R)`՘qUk̠~A bLnYwmlK*G_2ϝ;1 ^.el wZL%v5P*-`|X,ɬI )Kv6t{nd8u ay|\v8wS^sbmoAǷx,+&C'.Dp9T_I,Go{ * #I%bR?_˵!>g'y Q0x|Ĕx"8=% 'X*i6_JxPs'Kۯ#lͣ`@s<IiӇNshE gdܸ":|30o#f@}PK7>^:t~{}kpmj$rVmߵd KYcpixXԨςyR99:` 7#rgP>Vhf+v(oeE1 PjzNWlRǷ64F1e@0WhD|WH7iG\J(xB~1>0/ 铍g;@g`)Dua.tOXK8.)\9I->!ܒB32% ,$hkn cGGyu̞dDe4,:CcNMk0OzWB,1([3F4¯VCsyhlc<`\+=FM:y.S i'$ "?O#fjƓhHb/0W2=m([nFqz_ lRƲG(tFSFVe#c%[}++oҢR՚a镁~i7WHvi`i`4T* ϗ}zW&,cqwOvXb Eyu F6Rkó CN@Eq(} ofa,*(G&zVFiS2ң0rk:"a8MkXvsO O-G:?Ia裚iq7 ߘ{;&4ӓ,M;02Geah=8YdF_rϗ' ?Rn+1bu#Y0*3 ]0%6;Rޣ96?j!w (W`'drFQo`zLYφPM}% !]F[G"׷x!;1ľ8&u~@f3WK2ϲ 9B<[1 @%L߼#2J XW8v@V֐dGio[N_x|@_hǃnG4N$ƒy96g:%?Ve]yfwH7O[-yC ]|S>GfCghzQ_  fC♥V&[&1ތFg)V_4c[)<Dždy>@T쾆^}Vy~|N)(+#%\1锵Q?)AK]J@ŐqV8}3 Y'Y4ɺؾlRl6PL.FRKɹ>.Gm1䷅PwJͥ+8:NۧV kn&ywaRt$ل>@$؊@3 Zn<;.a4Qo] ,fPtA&jjvxʬ)e$+ކ4Ijo3]A~b?1B-n}@+WBe,0Ԯ 5z)޶%\UZ}ST̍Ģ1VA1H[ʀV7Vj]Q=l3G CdszF!L t~'*>w&#rn_qj;ԕZ."v˱gN[5Q:!?7`u&KwI'hxJ źKHˉn Z˩iGd7DɪZ+ӥ 7hp#h+*q)kE*Oc I[{>1\ēmb?Ʈy]o~At!P2V3\YK?Yz¼BMg0ߒ8[PM)"YhGP ='HȩF 7]z>0J`;Ű {OH+. *3Wقѭڣ6 J 3/=}l"|YV,k3]/:L*8Em2 -M /9?F^ދ{a u!7 U\,AEnvBt+I6:?,ƢEEbqy^u(I&!R|Ms 79id1r=u'mEF < :fʢ7C#\NE'z^\u3=ϗ9esQ]yh%UʫUӎ*J-sdT eų֤M+֧Yv%a]-ƽLQΆmS@} rol5v9s%>?NZ~t3a{l1B3Z6C Gܷӕ<<Xk%R:&΍Dz~=-ME bl KN) EB y:vYS1x4_TM(tžQ{tQ-qzr @܇w Y)F >ײZGfuTbpvOaԀOL+5n;Lt_%nvkjq6R%h'k7P"`ؾ؊]opWFG.5{#~T'naټkg& ٳ* UNK9nNҸُܢJvk"ݿ){@U$7@aB6.2b\Ww!wp> (+oXGhNafdx)6>WFjM@kƑrl1I}apnobb8 ͨ:> 2$Pޥ{J6K("ݎ! uE2m'9  vYaF[F_StqA3F_'V:3riE {+<[oEgw;Ϻ#^Te!,- ȇ@}}{Q@9q?$mk|oB`HI'*w?7T=Q96q9̔͘hIx}& f(N,% wKegKdj,@pԝ|ϽC6' 䋣:m;TekҺIL:0_RJ\q ᠹyH3"3Vs*-M&&<QTp[T1Whn U`IXTVJ&՘ R: oaaPe gWKk-ui)#KSGp3pjZrtTB{f*\ɸmgDd } isA@_D1 3 u1C8l _^&[bөK!;n FU/O``Sisi pzJdK~c}ɍ@n\1L4'D4VysbcI YpF3}CYl&N7XR.:BCGzC>zN ..ߙ51wuCDѧz):R,b@sVDnG+GSYpLL b7?7!K1AZS~ߦ4n2EJ]KԱ!UQDhzM ʊk:u ƈIKfExJm 1kj'XS&]BglH>p*&6HRn,J߇ & {`ωKXy> "%ᥠag&[mx-1CzNp\aRb2%6)&Lݥߤq.*cнA+mX.[RZr㏭ZH'đshYtrL QvOS'U,P(8_ق?ا5 awTR^[/ "em>:fn*H㚏Vɭn<#m_ސ}k3(^pF&`Zf4s2\jֆvNGPȝd$Gix_2vWMmljt܃(-;Wm`/k#FЁS.c "E w#psСN!/Q@%J( cF#?CoINxb$+Zc`M߸+ƍѰؒ72%9)E &DwI ".lp!hnG󊼿rvT>e~rxA+}HJ4CZK 3&2pw'1>=ܸ |)}wM qOqRfۿPq A`:{ǭ}V;7r#U n|&BZ3:7($}4g{%Q{oEM<]Щ.&RN:["=Lw"%bdE= mtр_L`֑bqP @$ݔh}s+pǼ}9Cktmj]Gƽ[)H0,gT:7QAtZ+m4YZJ#'QLǘ b/E?<['aCBdyPq:K8-{\%e$!¤p&~Br` }]el`DZz/ُ֓Nҕ!Ү=\UVw&_1ZAj95J:sL!1]824vڈTΈ\ %H}z`/H-ҘޟXN:l 5r4T*$Vi(nҐZ;`lG(\eᇸ v*!\WzrA*vk'.}ofPQjL{\- B Ni"yMA*IPcdŠ=kP}Jң^Cg {NuL2 dXz6^ xeF@yPvM`m22&ӧ84!mu #sipKaAhê8wG(u.¤MYSv7t>xzOJ }6[#W&'IX|'f/N :bZ?Qcz6t9@%ЫힼXbxM)0%+GdQLe=-=ZUGlIZUj:{#)/wL0p/b iV/F{bDfStu7Tfv rJ%5m/"ˎ'H>Q/-K u:yVYE R)hWij5A0Kڼ%"ehQNDz?`u-)x&N!IEB'aGșm|gk܈!Ø 7b\Uω衴DV,@,uȍͧ(\EE V! ɾܳx_bTxJp'M)ʃx~9߹##=W$<ݐ% *MmCqv@`xvLi6dldAIT>۬ c+N>.fZf&TtPbχ4DKq^MB[(F.昴 7*-Cl)?^92-5a =Oa?oI.e6jڇX^׬ Fr5=Q)ǐFN|>3 XvŹ2_|ĺ[V`=Rє">撗ik=mwf ,e*B7^i: -̏[`fۂmןb9,k1l7n $d8٫f&2pISۥq&KO>i @v %eٕ/٠+y6~ŁU1'W]A 4UҔN>6Q9Gc c~!,ӭt Me1z*ᶥ@ycSI"mv|=܀n=<ь%b3CS-5nL>%Qw_8LT 竖69c:G[;ERPԩ]󾛧"Z$>x6:MY"1\{ ΟF~uumq&̎V)uv򖰄ҸHA!-"WMm :>>-M_$LWSZNδz| )FE[ bk,7J9`ԕc3X++7G@UnXwcJF|/췯/S`NV(P{^Ci-D3T**Ω:ol{P8L 1 :T9dzVcv1m͖t.]ᓉkx7$@6<Z_+fkf$w, Ol}!VĆu UnbBf ?ETuؙn'PڀFB(H_CA?Y*?rjKY Z[F ES9}H;:BW[DP}YߤG[]uj{F_D H[N0u%vi RkTwHiJs^twec:NX)~;~&%;O!IqNyxޒxyդtRS]l?LGR2 ߮혱|;wFIphN,p~]Խ7O\nq] dF% JjK/t=4W;.u+tr$>E ?q~&_;'{2ﶊ<ֶrz3,ט~>J8mtd=(2f\|W-j$(,yJf)Qz=ibD?$zTΓ:! Vqvp]@3|--KQi`Rj[jO9-m-,U:>Q`QM&Ab' @e]/Elݙ`SS%yگwˤv t7:pI4=SR~O: h74\@f6_TWU!nwMN|i@.n{N詶YOY41H2TxZ`ĨE\ =d"pw]}|PGM4zfZ\axD=OCZ:j*ouL#OŠ׆ %P : H'sC1ҕD3`6b布= A)aF+4)B1RYh Vn eS+㌬@ ;/6&U&aw曧޵cqo{c(ƍ(GD2L7R㙙`Bըz+wXo0Uq;&R/"CӴOfV &}FFr9慭oH[[ ӑ +E*8uF@ p]Pa Kf+$ g7ȿ3$μiPS+b Dk\aj2l TA<ᾊ~@Zv4@ӾhXo.D Q]pb4|hD\8:H2x ]M!^jH_4)ǫ/th?0V: "&x$ ( Nu -c+~O D{SO}! [cV# iz> :ќuFqv* ˯*pfgWcޠ}+9d9}*6DA!*dBiGߎ}fTR.{k HXr&$'slf ĘAPC9Y Y/UkߟWޒOj 伯SOlo>Zݍu}?Xy.pg["=y+Xljd'_JtimBkN$ӅUR0՞xQ?H*{q[QVd'D0Uprw @\. O#LjϮ`W.ewc ~ZdHaHJDܹ;.DPd7AeqVZhYsX\5X^C% JaBDxzȽT> <;N"땮K''= `gcZ t;peV5/J*_@"h&)`Qy6*#,%S+k՝%q2fLB:ms {q&R–wJPLw^8˨k@ =;'y`Ma&vuecqEt.?F 9n5|C̓K>`[ۨ/QCB5$q&j[2;!cq# Ns<msX<|VHaw}\}z|ٔu4_{K oR /=쭬s CU QXBcEYubtLzlHb{CsUjqdjl/˒Q$Px>Wzu 0[HE pBP^påGn ݄<_~s3"Rᅖ#8`B~= PKXR *Żj@b^dM]` t5n#[yV?evScogkN&W#ugI Ҍԡ-fLV&-ΖkŞ҂Mj,B0:胹MLJc/kؙa86*Y.=ܩ/&M]2X:m?vaP懮]E9SAxb)/vR1a`ة s>7j5~7avTH*ehk'$k`V<^+= 9qZهT0ryب%U\9>yaϼ7?,_ yIu+Bg,w j^IBmUq2Lӆ( [w'ԴP iY6@Cp%g &MZ}rkJ`#S*<'3y-u+`oD{JĮD_[ ]ƪrNZu p|} \ #+_\Fs.:'hBg΢Z&?mziԒ6m~pW\ :bH2㘲*rv#R~ xW \m֔i'k{s];Eq (TFghEGFLNp9‹_n6Ò'u0@6\ hAcKgPh[%фYhsHfG'q`%W'C;9X4ӎ: ~ @&+H:T= |xxb"=7Qkٮ6z>Ljeq8dɠ;sSŠDh<nPS<͵F8JqĈbWecG!6ǾBhm ~TϢÐVIgk4zn|DX|^vW %l Mnh"+؅@]mR蛈dS8b䥗 ~,'ܦ\Hļ&xN򘧙;߬nN6Q)O V_t1lTW]碽էͮlQȳ + ۘ1II9cG"7 DIPz{H Hoȭ5 "ޑ/񸸴2z6 WU[!>ìcNHĞu+aRFIcDE9M9XȟJv6b LOQmдeѷ54۲Vh,f5BQ~U س[}WFmu1HsM$!L1qg _ CXH SH͖Ohp2s|֩~$sQvS;jZ,6+E7W6G H,rc:+g#'=L,IcԭHP'zu>~$HDpOS| sFGLZlyӀi ?> PTb#qa6 ڟ9Xַ[۲+jhϬC^&ع9eÝrH jCx2dN9:ԯ؝m EEZZC%zDLC<=*D$77(㭩n),%jÆPGtǵN; }ɷ.-BMw<${2OAYUoP(z!bi14:N˭̚@Eu0Cz%@$deUZOET!]{TX|6+w}YOˏOgdUPf8[B}@߰fxEKKo .6=ΣO;VZh(K23YP[Q'"1v^>N/JcXxmP. p:BmFv?A5ړ` %@zđ6,E h‘ÀقAa^CMv&R28'1#vI ǭ`kI 0Vi{LJ\ZX!K?Y&&mė_>rj-o'١N4%.5 GfJAIiaU\ v ؃ETP;@:۠A6}v6(K )JS^N0 mƴÄן}t{ Asgqk@^K`m-̀] 7ciS[>{弣*&ITxս*ۦ)d5iqW&']nBPtAKCB՗鬊'nHK^ÃpZߖÖ +rg.fs#Kx(|-r"XRxRĖםh± RQNh> Cc0*qznȎ*_f aiȩxH}IEfd5"8G"~* 7"~ *YՄ|rkБ(s}ˌ e=(n:Æ;y?$e \5߹|p jѻJ䭵=EF8Fs )4z]KɻZ}!0DhW5`OH`J/L=6amEKbw=PAf0L9Z%YI yt2f:pMNйM7MBԿ/͍U^ῤ_ R FR@ ayx%Z3ϗY8j67x9׌05RXZ9W ps$k9O6p 4E,ݭ^o4x`'kǍ$VimVnkdA6ɧ L\B)ύ@%Ny_PF'+c$zƲX!b}OtI;Қ<4z95vBJ$g%u)^t.Bכ`3b#䄟7fGӹT[pjrVE̓joCI|% EMYE.Ne8:n\HdXvRrihUH1ho뛀?9=)g!vx}ؓ dl;kUXhhDH:cpظ *DqE!_Fj \؝LF3 |\ ҏ#nB hj nW߶ZVeqYbp8dsW1TmU&닩p[*Sەgw6m[usE/Ml+{sCXca, fs¡T99|å>|(9B|8D>U7rOHcŵiR+dlV|)bLvbYtY%xo_9i(kq{."6]lz_1 ۛt0SCp~NpglǨ]OK6˦zLÑ煓y.7#j _@Xn&hδT}VO6DЊK*|ps:-\n BZDwB |TAtY=e?PYaCSٯ:vfJ`«$TprꟆQ_$_8,8jΣ/+=j۶ݿ+Ԧܻ1ӕyMW\AI ?~W KM@eQ[L6Ԃe6b*s{P-_`^hHA<olP&^X0W^śZ_ޔ$+y[i/Y9=\dx]HS>r !2;l{Dlx "5 ~(X ZҀ_҂ζ42*+F2_Z6JdC|W+AP{Ȉ2]Ӟ y'\aAq 3z̜-3LB9Hj7t=@zۊ  K.fɲKW"EEЃrR 3}M\+pgUZ `b/F~}R5&qTڙ٧z W#cjDxL痻C/ƴbBN(3Vۉ-5:ۄ  Ms}4`5vW1Ii -hȄ I;]p\ 8|yDžk,*l_60"ً( 1̧_wٮ>F0* 3$jxW#'}Ml\4yL} ,q}x=NkqI+ |pcY&EMH_]#t) H`gEr1e ṙd.Eet3j'T6 s(гA򦆫Y?Q0];xDg9[O;om!BF}^w֕ gYyϰfQ5a H嗾q%<ƩtL`AId?;d-f6xG d5%Q:e 7 jYnbO>y!mBQe i¸IW0)r8-֒_h@ElD~>fr(be3opwAmhO1M΅fs"k6I+܅hIJ5N{M& Gpmǜf Zh&ֶ.82ZKp?ɎtITBĎeޛ@ȅi(PiN' TϏwyn ¢@h=W[yZ%30+=Se0nEh]&(WPH1e ~UfL| t?ms$6UG7ӈkM:z9R#MvjID)eOG/rƾBٌ-kŋ {}%`/w=/#I0MFQ!Y6f.? =6Sz܉8x%eoe~Wy7>g>uSZ6 {rKwPJR8bFv8X?/1l,$'\ֻvj<;LHs|˟bXvv e=>d*LT't9ob:>!Ub>_ybuˬP!-!\u^LQ S. DK.JӣU.Do7E\2#6=g;ݢi 9F|2)Y#“pYʷ[&ِew(ĖW%F-D?sLZNH)FPN?4q9iU5Ur)eƄS} 6v;Щ,xJ#сE?9#F?mc]q/E vQkn,@ jӂuHmc zXɤm]~1X+ҕj]dlb2r8cSUI@KcF|$YhP1RRXea@.)B%^Q i]g,7>["M_u_`8cZgeٹ]Dw Wz䐮o{)Tx#N_'\mYOn]F}-:H.p|ņTO3%2  ak1ZW3ށ)V_?ueL&JQ|Q~ (UKApv{>._e}ce}vR6rolOM&-LnpJ4rZH zK;Tk9l>=]$)BLy4=RiCO_$j;E>XDw /[S }A ""+M# ɲ2Y@1JeYQG!-x{,?DUb;|&hmRE25{~Q1=\66GL* ɑOqq颡n"(52?ڶi֢nglX 1v/qJcigé2~FP.BY hEfJ./$ɹٳY3t*JjwR-Qċ[@b+i<>_P۷`l_ 桠/@`Ǣɒ3*#JʴCKt|t#{5\ʑ,K<ltVP~F|^mKg|MO>s,mnܤVػq5 ZQ0 ׹yk_:<딆8I֞UVg'=4upmSĪԞcLE5lih%A- \ ²e[Gc#5%=ؕ;{Gi80d@1X3Eg8gtH8A>Meh}{"9 Uoz(OP`ڍhǪTWh ؟V)+S+X8{L0U փ_q:.1~>LdxeDidS}w1~ڋלtQw0>szӁZa!9ؐzM}ݳs}\f& އœ< w(71 o0Èb|2NY ٟl]?TSyCCACPL8ޭ88er' )F0ɭz$oGy3^ө^<E?i$1)=GRH-%d.LXױL}d/ఔy$Z1=5bٓġܻOl% +#z`7fʰoiH!&y"W@)}cabIQ~jnБ˚͉]pWx#,)b N mi4“Xތש d(WqԶkx^jU@( =\VˠK vyx) gXY@Il%] 1YmAE5i4ٴ~{a:G)2vb-> qm|B%1D Ҕ]Y PyvbOự ?LA/[vq|hdbx]ajq#ϺgChI0թ\o¼;BnTOƸzhPK#-bOAouN՞gC)R9@@!b>+|봫d2>}+OA&r65*Er4X sxC܅?!v1J}E<Cv~̇^cpj5.뵞4C ?^GmI0{Soʂ[=U5$ ;&ʙQȠvPRR03F*X6$]gu>ֆ=LuzAƐL,gE%>7!~u(ݰV'~%Ljt6ضA\'V!O@g˜&Nx5ņ4htѪ f'wyPiT3o h9SA0̃rW!$4SK>bBvi[mo޿/uvx(y=Èljxc"X*sw"ߝW"t02=xiN]χ߱ ,f]Di3SQU$eĀ8kޗRZ&zuȲbJV{4Lt9K3h@EDP4z}t$N3>Mf:pR[~:jF#.CtP:2æmU@ىU"}^s?GI&xhOb0'E)Ǽ`7jF  jB,6uL SsYW@nN7C Ƨ\Uh* ]([fsLl!dE}Cck+,aK l1>mOh2JO `}3R7ryr},}W*^E8uN^ܒ\[KwZ=o MlRHNX<a)[ ⳟAKkwK͝䧛bKMfy1B9E1λܦTCW?uӉ1 p_O6+Bjᣮ7ZԬȧ!xg[v-)&5h{DKj*%- %FoAc[T&hԜ`Mؑ<N-ik/E_oE'@~%]R/}x)c;^u+q_$*d"e3Gym\?F)7i8 *H$lgFv -$txe6\f&1fZM*Wg 5*XoqQsZ)7'dGe\xWD3BJ[)FTǯiyK]&#MqcK|1Gԛ%hໝt'4SNE@hOC8?0w2Ab"~(-0mfl`SꆈͩV2;@ic.]d؆bu +f53뼉 Y3 `I/1e?'wIRiLKL7Z5ֳfC.\N;dE>ttn^TU@w7oSMدwlXT8h{y3z#n$>qEtzf™!GZbLsCT!D-AZLcz:3Ѷm6ƶ^ȑ8;%ydȆlΎjS>s+R_\KJ΅6b4ɘ"a?{S`QuEU+Fe?Ԋ9JUlt1zf&,=is6O0džzKiz &|Hb'dQ~+WhFѓWjʕ[`Fg in4h[xv,)3Ш0&ўFKcx L]s?ҵӏ .}kP- U܇A+)*ݮ=h CNjcg`{8| Ld~:ѳcXNj@;4K~ ON!ʖ?xs9ӂZG>v6PZTrhJby/+ H@.1̴c ;#no3L#GF&aќB-lwgeGlU%@)HCbIƒqV@~#!$ c!sAڐ@ˍ1 e [h&xeivl_OEhFrl(K |,m6=%eU#<ƱPva2 fF(دX 6dF=?%݄Fn<Z=}lmHTX:]mz$R' j .@*pb^NM'-)z[j 6'VxBJSho/hgiNUO#ly\.?g9)Vubh7;9ygu&)*EfĎ(CPo[uc6x&< m1Sφ>qƥ)3m[@_ǃp NWgAz,hZFn4oa_HA i4zF#_¡"0S+/D ۫sy( 6ǒcc= :+b C) M-'N^>}UÏȖ\F[5_~ !vp ;]hs<-UXC;KWUhyY 7üasq!/*T).*=M?e/fB᭴ۄU꧳'XF+=6W` 9o2w)}Gk潽[#XzJ(wFNA={qELisr&mJjR)r&Cv0YKJ=81.*2YpĪҟL[soy8KB|jSҔo@޳!(3_U6Y|kJ#`:>h[B V9AbgOFsq_rlEz÷1>Mٖg39r 2 [{ӌI.A' q?1Z$9!Nk4ySAJM=?B0G0FPGͱxJ4!q`1nY.ĂSlX6@+p/ uv =}Us#Ba ;uJNv3Rwᤱ]p "ti(a/{H~-NV4h A|N#Lb)*uUʪ0Rt4gAD\ɡS0xL!Q-.Ń'x2&&,-A`Bʐ%X? !ek8ZGl°$jq=Ss-t6ƴgCs)yt" #ypn*D7[=WI $ȘjA;'@[J#ut\/d-Ӊk%'sV%:±,׬[8d I借[No8(bo!mP˯Ҟ{8 wCp*ý4'c> i]NFC+ s~T'>kΨWn)-Ӛ:+NkAq/#fTK4f5m]nfY)i32Il95ƛxF{SA.4i7qX_팹_ۜ-L޼2֎Fi-C[t!w={S뒵(+ќ&ŵ*BRci9MU J{Bafj5p]G#)||(P:E;&Z'!F@VDN3;q Sd F]-;+Z476^plkE!c=.rHK)?@d97rk тn5>ɶ"3'=L*fF |KOO go}܄`DWJ( R&D%t`+?lP ׵B3,ʣk츂~ׄV3\JUٻt]IMn5*1 DRM!{9 J/ly̐x>=L%ī6h2yhtˣ̨'S὘i*]#vr)W SK6|Q+ %7S]c{o>CY0͖V"6">XcQclުY/l0]C8$$@Յv9Qj1flQϊ5ob0$ _3n=% {l#L5Mz8 -]K]lG#ջj  wyy !̀rbyћK%]WAndW~f]!]]4i&S{1'~i4>Ro62o>O3Pq1)d<ۚWZr$OVeԨcupeP19m5k*rpD%X!0 &ɞVnD?wG,PRGW?s/4ᴥ{i^fR~^jmA¾yF@6w&/,X{yuBggGu/hVszRǏ^N$u$z{ $Ld23iRIPպ7}df0mh1N*MTT:(\3(oὄ7&~xH6#G " ߜ;٣1k:D]@^L:gZA1ktUϸ;;H}TM~q 0d+z=,bf]4O~%z D!$Y @ψ]F/YI+;e!1F4e] xH%<->bL验.~R+[F9F, C281ϙCxhlj&؅86a,7hlt+J 6LB(d(zJ}V& ?o3y6Z률o r%Ǧ|?A2+tg"OVG On{#O95sZHB}HINSI=İN2@៛GJwR'㌉uF3 hh@ziRSL<9u?&޼cPH?_TsAȦ!ͱ 6eIi _JB#i$kW)q-DNv 6N-` 1v,ĂPz~X0yL$.;f{3rX|@ԫ"@i;,,i;!xwuPWz tIYq7(].R~^6m={qĖ'jG\ge.K|4즐YJqC3?7>E Fh}4Ym9PL^FhۈO`+jԋsI G>V@vȍ |2Uᾣ9ބ Ƌ'\:Xx9pL|b09GxX}z"pK0ns‡f ]͟Wɯ4oGb?-EwW"X) ՝ V5I`~~Ӕ͖̌$J{=p%!)u/J.E4v󐆫4+yK&3-F9M}}8MkidX<*ñÜ{ vkD[X+*~!㜎[U3CXkN%(ew]pL',<هH6LRJ? 1I/~hVفw|\%`Tޥ-Mho-U IAկGW7HOQNT᳒BhulRaPlҎ] ,&xXwΑa(E7MǦRx(  mKٗ&>ÛhZi Z/L ΝTT & 11_;4iE;I/Ɣb-UxJMۙ'CY;4Q?e<3#O#\[ı~ą0<)  Q?S-3U\Q_”`pU_wDSxҔ: UbTC?ɳԚl#@h8a!nT$ʍ)6W_:TX2M͊pE <ĕIF6*yFw'D<Os}FpYߕY)lD&6*cSD|uoo\j؞kp*^ԧt[|v _xk囡D6g jq$NS*6/8 wb$$[-鹪B눥&'<B /48~Gd9t]~!Q"Ʌ8K`y[L%zÏ82B@|'74 yu^*+у\9KI{L`CXq ;U/y pG3(HԩbpV:1EQvY# NbV:_9GŊn} VwD$?1tqbjN"~YНP710;@v?j^8RH 6p7bRGDsZȦO*"yEWM |Zt!Y 1WZE 8[eޛ쭂ȯHQu&{grα2Nl:o!|uSbdW_?s,LP񞙏c[H\D7m~ե]#25L}BFG(䷋)zjȜģ15Ssٶu$.au?>.yOإb1xn`'v@gO!`p\ۄLs0P,tnw:: s-|0P|Ub a|UEJw=%TWOI@_ΆQ)mj=:u0.qgl`^ iĻ۹:Ùrf`U[ ɞ%rњ4uwn]r|+C V˶}'g+^KZeoQN?@u~B]?&?v1j:Ns2P[vaĩpR { %Uq|Av> F. y$=wb0:aZeRU52eeQ'l + >~ʕxDr&uLRRG8B]s?ItK}LK@wSd.>Ws 삊k%tl#PR,4 \bA9Ͽ,R NA>BӍ.E캧~7}SH |_A"LDѓ`` 5]vL!L5JW 059Vd@Xաqi=X@=Ր|4Ļ;%:;QuD+$>3JTcJf9"$/"y0 o:,b.W!U~pe]lM>:!!TkLu\&6Ome*~|13W\jb7Bн,?Ad%y>\B z sNa5S~yH c4ۑgnQqnTHƎvO` F|O|Y[S]]S7—4 Ӎ\*f'9V!'|yw *NKR7-bm  Daab2R,CzJx51XX2^`iIyu4jE򁻈mFMb1v C,s+LB AH+5RZiU6{D3( T[{dlwWIuq#w[t|+'|]EHAMS$XгW# 7uIAA`p|y2m3 77,hoU Tie~X{jUDF-P;:lyĝcpylf9e-oL.nNH8OOe?i˕Sx%j3"4֨m*^@o|o!ew1Mj~v-8ŀa,e4; M7 q]p?ZZ9C15?ڵťOJ0eU5 5!B;Nw7i6ԇ Ll?pJinMpfw8MKGK$83x(2J:-vgٙ 3r ?i5`8vRNE=1FV^@Y1q-SɎ aM~q/)ZhQEI‚St6^(`"tC4Be ,)m9O@3S*@" =WNPTn^!(Dm7C?Kit;nRt&}$vY.Ay͠߾0 oX B|*bHlWADbkhY{k&|3ڿwZ= d;~?6$] jpԥ7-6ATj$ͳ ?H{)R_T0 t}b\pyRϏ?v-r*7n(clonVj)F<-aa^BG?J`9~48DtǽIMVdjHw$fK>їYwn" fMR |ey,E6?5W!1|sd^VjzVߌ F :]|'AR̐XC~PlgK%%D+BCI>\[xF'.7ҒCN5w~:<(⅖#E 41k]*'OmLl4oD5KmY\:r7)ytv$DMRjRg,2*92B䞲6W<8欋{6e wݱۖt&D!.VҰ,rU}jئ l%NOVz6@r<#套j&9F%sѭ9hMq0"S@=h'YJ0ݹ|۲4Uú MS ]ϖlԦM~M=?`V;aYrXp153~WXBjkJ1ٓQ㙾l/~a)­^t#`! @IyS񭣮d;n}7Q77~9>.YTkBrl.:VS>rכ2YƔG!qo&O, W+^ n9jN%(ҝa`ޔx134E]lu@!vjnEXr 1̿_T7WF(m"3?pzL0?ٿ(o}CAB-1-SD uifG + m c ;E6lH$N2xu`5q2ƾ˯ҏEUu,ݍWJ(qjb> TߒF\%.`}}Dqs~wVAxH'VM aEB?h w ꂒ=js#I.Lg<}~.bL9:*t}N3ޝaK&:E0?A$/WPGqXYօ;$gcDLJ@;L&Q,uLv`cMTȭ:I{6 믨USV>˶0Larz˳~|D+?bfГ2 y]^R _TRlӌ=֭ZBUBLzw灛̈́8)'Q%oV^PbmO螮5|~T6tε? 1|i梟h{$as\P1o{7KW)04zy0`#y:I[HCﻍΑ:Ktay.YȇO{_TU?Kh?ii:^jaS*S^.ŷ(d4\.އߐ7I6$Td)d?VF{3</1Vti+@y߼{)ݥ-,p[hqjRgEI~@QKbYLCwU,$X c'&\F 튍6GETtyԴЙ^[6$NުMOf̍m%%dUHP{Wu3PfsE ڒ5V{8Nd#5IY㎲k~1:9lj>9͝ 1W'eMITT ෴Bp C ,`[榁aaU86xb%gaM |^4I[) ZE#Oҷs~%o 9 gf'u65/ p{{mF ~bPqnnp9MoIlZʡ X7 sO}"8I4~r\lxCjSw"y:5ar'ڢdXH1܂>+ Ʌ5#P}K#WЮkά@^ X$ڏS'*7k9߾*0zwg>)naSnNM]P sl9&W:2҂ EiʧpW7ORv"[rR,ds=YN@0t4ep:Zmn{;bmMk{ U*ZC fI^kVW2kA(<w@p1;C}CTiU5`ʶvP&2+ѰqHfO_H@uxԮo`x 1fRBsO9w,;{ $wtJG JAps3 ՠ@5Ithta:|&n-( g8R2ver "(̯.L\%1ତ6OlBVa+y$IZINǂS*k O cT4K() `hBv J+f% ea17NJZbp+C<ğ n[xl6Ss&la/ _; KЩ~]ɡwh=pA؈vq 躯 ρ751ʍkH;7lN] n] != X4`5N`h' kg=lN{؍rB'9'Z" `oĂ%غjL}KnP6 ީElo$߱C_&Ɯop9d0%ͥA8|B 3O ]H HFyʙbU=QřZjNBv0~Ui%RӅ[o cj'0$ ]r3:3c}PQ6gm[(eIB/wXw!y+I/@ΓHW6 A(}FV#(phٷ42}zW(+ij2tb(v~>r>[Ky= \ȏr+8 mGoӖT'"Mxi:}!1L _< BS41h\+8"պG f5*V14蜷$iDR&CZP3 ܔLEtI{|)hȓ쇹z![J'dlnU3ծ's-YRjb.R& BŐ z=H\aEӬc֊..|0%ySfV,)fTk4 !'-2v(*m& :ګc1FKȢ'@*|`/3ְU*R8%{eְ K.2q)'.[)4f>Ƕ|!V"§l~:Kz2ZkFU6U>7΋;vDN }`*O]ӤJ\VGW 8krDvpdh& >{=0 9dP^!]Nh=~m;u_QA*!C]B&Fd%=ҠthOq!geC8lL6A^z6IݯU[sPV脮/J2wo!n–HjN"j&Z.ĖP47ݩgj[5d|ҡiok]8#ReߓqH5.LBӋrpCzzC955s4_웠d[D DGEb74x2\q0|Ip&r0Xi:pf E&% , A`tlB'u(O|KjۅZt |QqSܡ 4i'tz Xa)(Ɣ!VV%I4ycפvF-]:`qѬ("b=]塑ޏrŶ}xd{$ vNl 2<P @Joc FJ}A' (w{ϖDksXr9c*߾CnוXd$cvwK+_b+şd3KD+)]~.G.s?]*}?oBK0+dϑ{iWo܍RLRǃMǵ<ѫoG$>3H[;='U6+eVxX J}gEGJ[pмbёIH`U U82mJx QEΆ$R=I牫) ӄrAg ӮnLq? rtkrUg;Qp fƟmۖ^n`)1JXXgf߹m,T@/FJBƏ+\YpW"{sD᝼IDH9 W!=|Hwf3A 4 pkHD`I׃p ^rP[e&b;ʦ 4[^':dא}Xks<|drBS@BB<}I5A]c4f}O%v9݀) k}JNjJqFSo ٿ+*$_A lkR?%MckQQ$!7R#o`?< [ +'ffW`>6Ĭsow ۑGSi=&\o{H,20/H~֢}ʏp~ QGP<L E{_(b#3]VTX#QKLilo!h_xPUb!GO2;=pe!>V#2X\|<ѥ͵ȱh C#ic1 r3j+X҃Z޺MVWc@*[M0L$J^*'-VI $s9×fcE#wս`PoJIDlh@*1Sg0Ej4 dap^r{b*E|1׀te3j덾/AfX`n. P\bQj8eDeVj0 "ț"Ӧ!zT6TɢP]8۪>^@S "CL=cV*\nѷߢ &`-?ҼiztwzxDa7,݃H~:(9ne-AԔ+0L, Q .368t cͱŗg mdn$1y!mmAYԟp:h.7TDžOZ. pП^2a^gD;dmFq:J9G FǼ.8pS$M>S"BJr^&6Rb\c.r+F9$Jy󷱘MСХ. mP8aL:h},ˌ/ ә}1C.Ii'ҊB*+)'w";sclʹ]J$\FǸP&2eЭ\j:G^'-QF2Uټf? n8@DVLNnN}K.79X.,s W@nV{F+EyjwyU4euL8$yc Hc~b6f曱CΪhِ#dA#劣avOuhkr gdL ufz{Ll'$3pmL]-_/+ˊQ|dNGV?γ\@A(ړH N‰_]#I1ue\c޹ࡼg_SyO&/!cFklDXߌ]*;G+,(+rnC#Hl29bĐeκLC7fIs򒀤R'iY[NnE{ ~鋃4.1! $TCuK̓'VmG2Z;@kCBS]N.振#Ep+g‚C5Zڛ>"5-R;$Ь,b|;g3۟kf'6gbDLrtt^e"r  5xĴM%V풝huaG!o?'R\Ƅ=PsYf.xEW)9S(bPozzim?'߀6@r"Au{y"hpaWG_T&5{1( `Ͼ^J29v|儑Rq1E"^¤x5iT^NRG ɒ4X|W iRO Y&+Bɫ Z++ud}̒RE^S}wXq>V*냧yOҲ*2 ~$>jє#NX͸ -pX jkF3'6 qa)-7'JHSJL@{ri+ Z-q` ?+͵\E=bOqj4&T%,ZAߺ?֌]}d\p0~X 4MCJ`N?iH/Y[=p 駢Z[[y'r xJhvV0'ŊX EPVҞ&uZ*.(ztze;ݯxÁ|9+̼ϸRˋkuT~(->o`B ö`G2~m+7 ;i+0]pF r* G50rB9SOK.DJO2NA[wH5~3WZ#D^}8syX{:r"{˷809:΄{7ȘF2R- B0 TI3SDs b2e ;轤2P-*¹iA5woI?^<] kYK 9!&5D!_fݬ{ک ]zB絇2mWNf6Sr'\O Ƈ+X{jt-/N nTп4+7z!|K`}D]yԟ[eZwY&qMV'>5qR1J.-8,#m ?I:5o[Ձ@[gN%52ⷺT7IMm(/65_a/}4 EWi57 z'g1vibTQJv q vJQHk68Kn `ޠR}$g/tSPؕ\\xY氭J$ߝ!u (KѲOӴʒp ⼿,f t>V%dD=B'~oC"^f򱊉 }".N^"Z;3MEq5ťb豩Ϗ|L q\1FgUKO;:BΩ.Cw1LkHjWxE#RA(!5frh3JTV]Aue%3GsThXWᇰЩ18J!jM\LeX ~p܊3u0) vzZϛjs;Bh/̟=PDm`7 *ԌfC_l\xzucIu{(`_C|i[m ʭ5$UUm;rDݪܴ} DL-v">:;dpA<%g[} 7lJ%BHpYM{ [= kc&E fV6؏&)6i78g!ӕْΞv(tpNΚ%=~TܿUQdG?h<@|n=זA{&irjgfsXzfs'jgsXxPhdѤWXJ yDCW;vrO1z^ItPҵo92^+ōD&8D0Z`ۅ^q5^?HT~Fzf(‚MA5TqNIRKC|o94Q4UsJ1U)SZGܜ`pr ]v*%-9aZA5NOHXep'.O2׽YtYO!\[g?taZv3̮G\8e/v%Y8J5|k#qe{oz^ 'V D 15e^F+=p#7GBG޷Ec@5Md<ʗyDv`qJђۚI]Ps'2WpfC[.<5Ӓy(~͖ǂA31| &ѠĢq#",UTN_z!{4iФB'.* ]^u3;M%"IN "CM8 s 490U^ >}H"|1akI5ܕ#LVUWUdeyrkM)cӝbsa/-ч-#E(`މ~?ƈD#Z|x#H\TRɈ,m4F;M^KPz@rGNNjOHAL hpW<5u縝h/A'!kpǭq*R}*Q4l|.$΃z[A}&wG:XEp&j=Y3j {5Bz `蒹1 @օ,O4tӺ~jF2)%uk9B3J ,,8ʭW5xYvQ0qdo:"6]T$JqdUr0:cBxYxGE5gbpa\M~|a4vLqw\xDԮk5'<ʭph5GO=/qm`N%O ͗xo@)zף nGم*,.O> Gb>ˢl !ng;`O>ф#'I!G*"c kE!uonN9PqO܈ gK6:2FTA~ MYyAڻu[PlvpLDŽs)=IJR 9S[/ ~c--4{b8rRoXו\ؼpgL|rĐ= ^Dl92Άhp[H}aԈt#ma͝8F |j{4zDİaTiea$$mwd^}eN@^U>'\ZeY hcDqvewA_݁P @c{Qo_ 93I9Pc)?Rz FuaSRJe!\Ru )Gʝ¹QzQx9 2RLߑI26yjSŁ(rF(_#Љw\H6\J999p$CM0O5mO(šiDqIWYZm 1FHA^G4bBFaOɘP&(J0be -3 R>ůK'X #Si.Кٚ;4fDCMѦ~4".iwśTUjrI(um0Ң9i(Eܺ^ k(zz3]> If. #\f=^D;{ rng:*ThAeHySE%X8K7 JoM-hfAaDYE|,6I*3^K؊,)+"eziDJ|( e۵kw#BFO:Rsk0MReΉ?*`%  pʍLqavZDVZTd>"-fmf71;Y玻Be`}Aod*` Ѳ:mJ@H]bHn=Q@h0:|C?k8Y$K#UdE`;8oeT)wX#O%Aݜj6cWZaThYM|+E˟q,=p^R64nÀ89w'X(q H2Wnb!FAEw ڷoY "~)u$YU{ߗ*W4*&؀v3Qnem#}yd.+ $$;8=@,yյ B8}gnr55T A@ނ/HkL CQhÀ(hfoB[qΨ6mPh9B"җX,63wt0 g$N0^:H( + !PT$ZٷK? `1R%i:: L:J/r3A9rl^t@¯`͐ݬՈlKZ4͞Fg_}coyp{%Ι"1$O6?͚祖2lzcVIr֖; `#'y-N='؈׆L].Ɨ=-y+} wU0=z[9!ϧr3n=e) ĥbíXUVFwX6]Ob?'() zSD`'i8vWDNsϟ]ۯƚV~S+6ِki FJQwZ9yiEǛ`7"-x%"ǝc2 3`. {"FG'\_ Eh钢m 8g 6 nL`D.T<4^xGa9xʧ=GdL\/G~P4f#~X_]+?$= z_$i 9="D=,D'Wl̛h4p.;7!`vg@iҬ'ꌞ3K.pͤxM/7ؤ[R4wu D皵m͎ځC w@C.tfj>J+y۱Ld7<L,xx42XHno"0+j jjP[Sf.NRV gQ!6k6f$`RͩgwΊPUx~<rYmVt s#oö)c`h0IXĭߖ})rבX$R ~x-pSscM$іp \Νmh=`ܾlxw4M>IʁƖzz%.;フ`u]yɄ1GUoSw(`>X"i}م~I"CA#P'v؀pJuFk>1`g}(xyd !+zQ5f{@=fANP1,TqU:lZ# -ovڒ7o@lϭZ'54Dv0` $vkj%RAb}%Ҵ7B>c!SCuUYvbraЦ`gk 2#Ңjy;G^őF])תO(q"{ׇҳ>zΓ1cq>:҈ك <)?Sq.ؽ (Qe  E7⬯?P̛㼭%䯁s".x)sZՠJzZm+D_?#jL#&t*[-Gaܱ~љKIKgav~&+*?Lx-\kE+:]etTId1F@e>E%%MӤ5Hwo̎WV9@gӱ{7ʙ̧aYʸJlIj1r!Ts`#.J8,y+u萅v2+HūJPޥN7Njyu_c÷tK+jY5xcd*,s5kʘ+ڛN⬁hD[fDȹ|RTl@[ !P@Vj#}c5]l@;CJ/dԇ TdT#/fMzR8"W3T7)8ɳKDEP` )*BsAz1Z fL\k$td:!ỹyR_& uf>=Jܘe\~KA<->ؐ2`ܺGq 7k.IyckYC7l*Bi+N`%4_bPQOnCr-ҳfUn3ZҵϲH$4.8謅l@urFbR r6`/Or>o&Uڢiבi4T<{,i3]U׏uLkNwtƣVmS6Nn:.w%N@]o6:YYl` 6<IEXv;Xu5jEeG\=hl5I1^k8NDt4_Tnb(yc =UI7dsuTN&9(y5Y{GA+ MO5=3@yZo ,c,͖,Q[fŋ3DY୪qi  s`_xG"tճ0rGԷL9ƧN*Co$DUoP3S̏K2zh\8n7SF wz!`ze7wQG(r$~IrJ/M3RUNR\ޅ2lqqՆ&-+,4UJ)q@.9ll>U*^,bZU 8S@z)PO,u\@j[F7OQj{MS<#nFV`A^U(K+oҧ 1}r*)~yDm6٭?lt&cgKOR""[j`FWy`zssAi$oqVJ ۽,ȋgR'x,\#D4;!S2ZH/:|[uXr98"M]WZDnm=ajDo4.%uT6F %lF8l}h—3x:\eU", 0~uw[K>5g=u5dJZ;fDq)] 44 G֣tkDl#z#%x)4 O \%>n=*t7MX-H%6YF>rCojZsm6#@ GJQrp^OOhw äeБ}XI1uΨvbۍO"3](`2o YlPo<7Y֢%iފ?) o5 %Gg )!w1(s/=579]=A5 {#,sAPl|ٯ.5$2a.:- xaKҫza~FEr~ch ۍU0?ֳ,|0Q|a#i!Y !&#+x_5Ή1cBFL;7^Ȯ.-eXNGQ"YOfN1 * ]e=!oY}p)c!m8 >2 hO -sEy w/K?&%KA.fȰ]_L:7dZUC{l8>^Իnx+ꣃ1G9RI̠Nkuhd*&5zEE>ETOQXvl71Sr}kb ĸxwPKBi0[ă$1i ܓy4j4&ўDcNʄK_[#/V*`r3@3‰ھm4a4RG{6{!ӺU=[`l ٴ_ h- 5FiiO+@i$CƏ=|xn"">=;Y nW6?_O0,;΁'eJh)6UR)/#Ӑ5Xs扴z`ߑҹT/8 5y#+* E}3mWe k#*ٟUy7;sHO-A=.~ʯ0x0U \Xd =;7 v, 9DDcr%t.X eitRLcLg\gkm]4`Nb8o$AP,AV 2ᱷ8Jn,GYj:sO'o]WmݾBB?x97KJVe⻹kr8|6ސ+f s&YI(D˯.f{ԍabhAe 輒I^ E~4%8׵\ƏPjX WjZ5oV)7+h66w!Ӣ֛ hJʪF-Ѵ:N 'yf~Q =ԻHʐ@<2o2SeGJM\ @+ʵ<(w8)g@> B6'ǶTqnkvY0O T& {Vپ7#X0*Jmd[s _8d4/ڑV4l!S?:x L~ʹri^Q/JEnp(;X|1]l#:]fo.M=mʡJ>nH!oũ O [tg0Xc].I%5a4aZgW/zy"g}1&ϟ:bz6 dyR]h`JD4BHAf%XERH'wƏCw2ٴlS1+_Qa?m?q ͚Mk231۔˵z_jncge]ҁ.fBpA K0DӉN^׹-igEԘf\bcv>"p4.:Fh Kt^!A}:1D?}.(KP |3<ڭE X7v8hQ?nWq| ٞū'Xj-mS?eM0k>DPIEQwoc2(=KœR!l/‡XN Dy*3c\ ϰi/XrKNjiW夡U@kO-cuhͩšPĪl1l! XU, fyjqFVz<piC'>WM u͡YMF b ڎl$eQ9󖹀;RRn_wHŭMLz'69}{$ý7o(ηs-xNIe pΨ;0;aAI3᥶B)`8"1U )*vKIJKb@1`,(gpG%K| x²̭0rTYjr^!rݢ@)Έۄ%e{s9C!\C~ VGf1Gdy~3ͪMoYg΃ld_ fF=@Wf(bjLIA1̉hv`W7ToltIR 0C91wTȝr?wW'vzip gvG}n'} w/L vi!ܒ|zN7[+Zkk4׏9< k&&1]PHmc6~K @R+묦rhTBmλ a֌|,Xo4=ǼpL.5R(L aV4돡_ճX:yȋGH2i^+3E91Y "gl-+IM؉tƴoQ}v;jF=ܛꪔw84N/mn\~sP͌|,m;$SmS2z$C j"A j W7 5AsQe6__v+ (`lͬq> Υ?7} Rb$brYS$ϙ-Qؽ ܒ7,A_ybyً %l7Mft7x;o>sa&uIv_-(,.k rQOi汛SE< nhxg%i-*KmQʻsVLk;j52՟PUD+` ?Z+gcќ380gQo͒T}jI/H>wE|O$\G{Nr(,#F~V^.ZS“?> #?y39Y|azlSf&mD@/#$LlOSV2x piuc7 64zlMhR=E9E5[S|<;Za1'j nsEg]6n)^e X>(!yJmCp}4\do|]90 %=+ TSØqo^&Dh٢2P1ե(  ۬*M-i1GWӡ-ɜ9!9{V[9^URS$2TD]^T3 NLbG>%Ū$dI%Vw7R /uV5! T#zqzu8]xx XN6a ^{گxgـ6Eo 6kʵyvY*Lsrs&Fʗz;G<̝`L+3#K[0PT pxs~y绀",c-e@ \8Ԥt4ZF}7)D΁J;oqoS7惍pƊ깊@rkXx;wycgoe I/5y"-O;QmdUq1 Hb &^КZY"jdu)5N9HnX_A&̷LIț:z^X:O~+96pQ@=1@B5z'ATPgy AӇ9AE"a鼿8G86C";wn|Mt_mq#=TB-ݤ'/ c(/lUmT7G+5Z3f}o ʇb7>񁬩6/GN,JBYYNV0R [}@,RDkZ3P'-+N^cJ(V X2Cʋ D#8%LXb]կzJH$v"cTy @r~ nge"kͿ@0۾L槜#p`fO h9x@PX&(}y bJRne |9-۱GғL=UA8.QB",/1˭&x # ~BUo HRӤP|DDċw>e :]Q5N4;>R4ս;hbF D3Į)XZN6j~^Fj[r W'Fu%Җ'G xj rI@Si_ &ڋOE<v @”:+zGˤxZ_r(3rO~ Ɉ׳y, dG|wDGA?'F$H c]Ofc\̙h8^!,Hgz;,!(@T Mf1W\.A [i,>dsE}[?ҿ6]Ft<+-1B\~\C%'W<@ɨ)9Q흹J"#Ip_SEՖLt"~;[ %I53#=Y4ݣVp^Lb?g`ǃeeIU]eqd&nD(kkzMLI^>iQ͙*Ѕh rx$A) N~۷/P-Yl=sa,!Nu-4;JQҖF13x)33| }<VCN`ӊJfal-rOkLE})ۨc.&= m*#wB1F4y Y!P( /y?F|S?*Q)\Hbgq擉Gixr!?Ӳ̚wu`qr =V-?!ix 72EGar3b˭| AHL'xrAŞN̮̐&MKf5M*g u+m kv4 `IBg:yFEe… j$ЧϷq#C/71*y~)\yro3]Ltnr?oYqjηL kR 59PЋ[ڂ3KQu)wP:CӅMzL_o '@!C'N"},y ,sJn}:rJ9#J_&N QD Ue_w6Հxl"`5 _qeq>L1 K#AiƯt 7Ž^] G&kuOzޚpQ r3~\Z9qhTaxǪ*IV퍨a5U\^PVD*)dj:47Gm΍< &^03=|\V!-U 2 >3C~"ͺ:NLQnRCk|mK'ZtW[CNO# >H: G2S ktp~ڿ1܏M)lI% &@v|*ؙwh i5 _dє*#~}M e.^eK5 0S108+ oc2k<щV<e{`Fҥ1Ru`Z 6Q< s>~*Jwt+_mtb}i)=o)F<S%VS ٖ>GspEәw2$Muqˬ|=/y\}ǻE৾͡lBczRL!<)q}Wꆹbv|xVQ+~snf"f8I)Cd x ̘ҥ틤lt1&0_#,B.`,ô/7c9 bD92G<%*yؠ?C+UŤ俩8+ƜdQi*IShF™'/MGVKRF5ɨ[zߎҬ2ɪi0nviia^wHyILb9#wp\EU!П+s`qn6CX&s9, lgMv4~_>ߑC%7j\y*w XG ;2$xCP$<ͪ%HKm8ۤ㶆d~#0ʱ=jjCӯٍ@)ܪdMia5E\wE=emW G7r%To/k!E!N@Rб/-Qev]f>Z;x ՠX Yj?9VEH؜$@9q WX#ҞcR5.Ltu v9,> កҋʒDc&u`)ixDGzrK 4GvMRvΖ gϪMcp y4[A*)[P` /KyZ. ;'[4أzCbr={\R)1XQadx^scY3KA-Kȣ Iމe u%e2:Mc̬HP[ K̲mw&Gۗԧ.x2`#,Y_w+53+lmA>=w-+.k(yf^b8߲Qv2W! nGe"<,c{>:~AD:rުYVxeQq12DZ{ ,IZ K-҃B:33L\k@#n ocfBL/[slyxmSo I|?GmFE03N^hshΨc2]$_g+Y^M33l'tMuLJOn zWe&pB[{. f% ҍ%BoʹOڊz7K(ZOHxN41oow+.xdoؓEe]7IevXB%R J͜Ӟ;c!L# ʅwM[>ᢿ%!'K ,]_J91dRi+0۶V'{F$elPR8%[a;D/ڛ>1w3.VM̥Ī'_%5jc ^F7UkXvwc7ToȦq*1ocA"fop$JE'q,X!2_(adV?CCZD{ο?z] E@y;SR# V gy;[V⩛GK#e* QXGb/MZ@Lb͐SO>H ӬbN$G[&NS-m71yik??C#YeFvoK]7g0(q98"zSDW " a`(É^]mG"d |V[a}9wso/}W֤Xn_ \QF_&kI[m!K$x6fs?AUoA0qn1%dkGPYQJ;M&=LBe$p϶S1&vr;2'"[0 c+6F!M]]HEr~Q\y #o4~[~&#Oz_ 0ķxX2wxtGN#i4y:?x2puD(mWॢ:Jag ]Ȁ Ilb~LH >p?bȚ @%R kFc`XM".a@5IS> -"O0`cf$Z( ۻ`D ; :Ӫ<ȕ߯"W@fK2a <\Xwzp@D4#YϣKaSnAO+.AC;nw BPyOm4:.x(4-ߵ`=4@ j΁[׎ )v 2F/c $ R-?_%lu=) t׎<9 x w{מ4;.EYȡLhBk4R}R¤""]JZyw.^l~K#PV-%4˕5OH1zw[bo/ vHzBm0 h2 $@rt*92CMp~[<'$,m%8e3*K@@<3! im}7y.9 Ql9+b l٣<;rٴ@e @> 5NXzP o701լ]=KERU-U\AG@&D!QO+q y`BNױ_ c7!| _>SSC#9] )#-+uHd\.gK91l%U5/?,w HahS$eܮ5N3_@vw~ 2P' q*)BO(,-8O{0А#ɚvB/<w M!H] {MϦ@#x#z`g"M&zyJ ns*V)bfXZwN VSs;\l0F%;~r սJj^@"+Xb^-HP+oL!~>Jr Mpҩ^BzO=(F &ʘ@,%E;+oUg (fi;42<贮 #Rx*5VE+L`nN|F 5!G"6#].B6gb_&p=8qMv q1&F7+8b>M!TDCY_;>չ}ӿ:n3ԕ@ IˍrNv )K_ s pVw.𮰶<_7xU{n-$yY}- B3hZbۗi.?02^-a(@ȈEMhf y n}!.*haJ%u`lI[J2'euHM= 6lhL*:a :W.`č% _ ;j1$\4Ư5s 6h Cpŋ_Tr+Bo/XĚDjx4I9#&1tk ,Oa'=-LU9 rV_3?C?_^ڋNy(gŢP"s'nԜ4?Dا$T̐nd5E`p QriCq ǿlA7jBtT?.NbȲK Rv=0F;^ތ JYe:Y{c&BO{ CdDhp8!%Ľ3;l^tw2m{# l:وXz,*෣ 2pir3Adlɨ&YBהphaTW&Lpns@% *1Omšg"By@ٮoҷzqn")qȡGJ-R;6zT_͙'"yx#u# {RӇ-5da^feK]x|)Vƛ:Y:!.zJ6&j}0ob ӯ-XvPvjbOջKY+y4R1\nN }Ծ\e9|t1]!)сnZ ^푧s1H4J_'.16דQ}<$`Զ -PkIM\?Ecuh5SoG}`[|5$5ʿDc м_^vj/%gNo::v?]+։m]% IE N9 DgdP1;w!q6E枎\2NF|2Kn0-uˮzuיu'U$ 8%]}c @aCj/ORDR&Ry]i /&&lr}ʱ̗=PJU0A!|Q/H^v6ٓ~pkhU|C{ V7Z9.> `6`EV.M/Z|?/69c.j G/p֧-=5ՂN '3^d,~sx+ֻELCEtjB#c-jwg!E[3o6t|N0l'1Epz[k|u%hfT&H-{ 68AP//،ѳ74g*ۧ(!{wFuU]ՠ!*"M J;wX/Q *Gm$^zPB%ʓI;S |G/jE8aQs +pcG]9֧0&H/M] z(ڡWApm ,|(/)id;I;ĽUQȒofSg'  oފ^XO⿃#(y#tY㚚NVlv8<1/C7*-.=/lX9Alٯ4$srRy rFvW`l rnxvxk4^D23݆J&856X"WNPYnJpҧa ]]rP!h6yx =tdP-$-Nk pŜFNce|&f3iE!m]aP؇PTJX~يc4 gU2gvxj݉]B.q!rFM`ai"o~(0<{z?wjw̽Ka9!$/rჼ_LW(8)2!WW&#۠-H44f)rdL2uϰD6e2JpIKȉ)uwX !櫍tեpfÄlN~-q1ƜuO?E@y*+EZ Ύ_x~a5-rGH5T@2r %-LDev5(+$,}BhTj'_:RľTxEˮ.[tR$zgP,\# zqz^KG+YY.jPF~:_mlR w kˁeUޘ1h:^DVwdGe0,Ttw3TzH9Zly!eN[/t/ݮOÐ73) P>IFvr-,qXvF2IWdߵ4*{¢+MK\9hl\^G.Ӎ[ Ę?ָYDB ɴ0AA -;d{Rj:`I>?I~~-j$*3O!֝*+(I\[LCH␚k(ΠIHj?o" $7 Yű9wOcݺ^኱/| RQ>&us0c L2i`ArLj$Z5ӵp>Lm>OZ?/͍Y*+UdO>dl,1&9nW4e7u٣ b-iDKĚ`(w~thե@+Nj,PFtKEfdn=3s6(5 ">ݵ=P1M0Ϥ`kYUOaLyWi%fc]1u7EzMAḠ͍noN> /hP5.B>{~>8#~ =gRTgG.QO#sB|FUFn#+~ݶ:fAHRF{' xnX c\_P}7Kۯe_1͛dOz\KYRxVZ?YRq6[Ѡ3[-C{yCo*K/Fѯ4<y^f-RgؔO&Ld1}=s7fjuŏee-nwQ5e-s*\;aTUӵsTR9'-FkKus ~Oi.0@"+/0REih nU# 0>.4(j-rv\Cctݝ5YcjH' @=}ik;H`4z51ܒnRMj IJ$=4\%UbŕNs2 clT-Ws]5(Os~`l^HOB ((en Jb^elV~)G1(E\/|;SJ6"F ? rՠO䒾jyE En܍|o9t|KvJ e<AG ,7A’ Ƿi딈=ւc]HL]:[$l0әܜnJ KpJT^.̹|:G~a#S wM2 JO?#~1K|l6~CΖP)GgÈIl>Y G}Ԇ>G8)+62kwɀܶ(Y'UYp2l/68@ү'M a3,,{)SOR_t4q-Hq/\ ,My&q^Ej{MRA"ʙSB I4AocH-z89 _q ~]+:)e!(2`cZV-OxqAt*fO91Ҕ)|vҀx!F=3B92~2Ep[V7SY~,M- pM/*7L&VӓG?۳S ̰|^AuNa`'0BU- t!qL/^F$S@W2QC}qq&7l@䷠!@}`*`*ؓ&<^;;DkIO]^,8Es.i̚]zbt nrx=T=(At_$bM6)yQZ_)Td}]tD[&9+Ԇ46E7K TPEeY-=鱠S ?crifИ#Poc5Մ-|iSw.DgAYY7rx6]A8"e@ 64Ma<;ñGkfP2ߺqB,doiwJZ/6)IN` J஬t;<!CmǑw-YMv)R嫜1J{!J8jDx>2 >6 [2SB_8Z Ϧi*sEQ pH&UAzJD' o*?Etp᝗s%gkD(xFpL2Osr5 *(0&mJZf&ʹ(f^rՊ#s ggtޏ=Y%:*9 Ah)t<h?EdlV/îh}\g{29.zDQwp=7,֫5Bg4f/J;Navo2BT*A9ē\Ғ%2k9KWJP3z Xfn6蠭4#5gaEkTPT$jF.přBv2D;<>`(_8c^͋tp9SDt|$s$46 1_mhz&NB^S ^=)zu"V3bqzA䆹L_L6S#$I= N+#bZ!13E24rA졟G;3ÿmJÛZ+H#.b=X[s:iaMϴ|M:|mS\-@!fk|Ķ~w:ɡc`O6I2f&(t7;CWkG= \/[e` !l W4*qbT^6pwf ٲ˞{7kT֫pa2! dSg3 DꂟY,;\qp3 C(0:HAdoqqᝏe<a4NY=*T¦1d̕@<8Bk*?,~ N` 3?)5wOyPMg~8 ` -< "4 w#qƃٿ '#8=nVk_ \ߑ˓\4V_*&vˉVHM vv 0wR`cV4=\œnEaS/Y]Q# O+. HÏP , k*χJ6C]{m9pȝ! /3_q݀X}yXX>L2f-1x 3MjZՓK6Ef 5n2_Ú"4s 㪆VTumHտ6-BXM{5 ?ܱod`"e|0{LW#=}5ct*RK.a@uKln22?M&ڊW[j ~/ݩ0n-1JϛMKko<Ǯzuסe5KQʻ.y+0C?+v* )Ȑe< VvKn09E}X5}x{L#V:ua T!^^i LF}@ʝyWX WW+š.X_C*"!|)i.Rqŭ"-ЙOS5u"IF{P4bP)(aDY1V2Dq5Z_dMhT#d <'Ai 3˪i1*#&QdOg ?s'|ٝ`[& =iM7?l9+6]Ip_}v:u.(ks:&9QfșKĜs"`pV0&_,@sQyE&KwyEO'+mSsA!/ŕn/MhIpc'?VU >^#6kZN8Y,P˅~5O/k\ )M¸I@ 0K_/zpH_:yڍj&SC*TM]8G>|.v$P"!"h\$3l1 F4J^e>[{F2Z6Dr Q6]9=C`V^__B@/[FYCJەȬXAZИm U,"^/3AZ?#EYI=%D+nMRA-_4z%t lk誣̅;ʷ0o-::ZS`z Oqo~ D"tBmBvr'ET\͝,kx$ jA7V_J% +p<퀒ڿN8 @=գ%5 S#-a))w R_/&Z7?c1FW.y7>=k;Ļ_|UdJiO@ vչ5x!){" !$Z[Rn|>םy^I Hmg :} zPzLP6jᒏ>oewVE=ɼ  GE'_tP 4SD P 6ư7Be+F`FN "b@?? %O&{:bч+Bx(RuxH\#4ǿF>,fU^\I/fyB =ĭœ\'wX<11U٫ Ry=qGIc&-{nF!Hul0i> ( -sP|@_I %:GP3?1XsV-LzkuoEqi/6A?o̊1d]U<F*DCʶu r͸.H bKev_Ps2E<=D]FbFW0)qTQd/qdB,H =_\5Q#@90-U^Ij PK[|_Mo7)^kŧMt7NцD+ct@-ˆ;-?adg'9yGDݶ^w<_;POC@dkW2ŭ1^!TBO۬b,VCx.OXh%6Q_ jmק_Gx_KQU ZSNk:j8CZ>GۣEV^L̥0տPeZ%`ӽ^1.bb$-h3 @+ՄMyb#@6h$Cl/,z=)ÄִNk:t@H j("+pX'6{']ns‡Nv\<$VsRLuB (\-(n܇o'B-xB?MID3l $G\En8 J!q:؞(A['-fQ*~HdQڜ\- Θ6sjKʩӆse~^eMڪZN,w&iwԽCћlG _Y:(4 encׯ6h ?kܜ/^eUVake;DGEUE*&ʒM<$e F:H6"-0ȴMM Pc9s7U 4nrCPoŒ]G͓&@}=B«KV{ 70ɚQhE5:ue%=Dg$شy?aEr((RHb ι_p@*-Ok2rM/5sxNMA HV֧Sf{XF71 & }93l;;*5[1GUWxrC:.+#zq&:΢a?Z\sL`]Q6;SL+E&µx(K{{BL hōňlSF/\\RR\9&1, 50{a16Ÿ0rf=I?V *w{NqSU=e_%^5dB%R`m'mgv}dRQt7\7GD@NGՈvuubF;,392LJ5`̏gNŌ4ڽ5h]y1Ḧ%BT+Fx UK{}LJ6j{I 852)vs^%`#)+mr,\tZْ?߆/b.X5r!Mgnt ppoy,> 'gbNW){_Hd~lח01V!srfPj9T/ЎD+4PWآ.;^#`FU8@yl(" I|1،1yzF;ܴ)wy-u}F {T2PkW8_@g? Ҝ+8C'ď1iX/"㯃y.xvC`k"hrtȔ asHvs\d1JA+/Ͳ)Nqα +2 гƇ禣yʑ,r@ςQTĐ?%LNܾZ(/7q,YـFM?с0㗍ao0ixF|tEjB 'OC ;?l [̺Aav,pn6IF>|^':֤Q kPees;CgiEj$5rR#lSFl#Edf)_ S^ $%?<öys!ExL c'g{ <#ڥ;bzT  S&4)gE #ىCT2=6:y&G"Sicp4^#aTgF M -vQd>wUˣe\{y%t=fգBZ(2kh)"'gSZҥYTIܤ"ϫ؍ P`m?`A}_mDhmkt .ʳ.| 9o3[Ʝev 5;IH^}_{3jW Q 6fbf)Nu\ytqށy+LpC͋s",xoZ ؄"t;,QI?{Ga?I~7x /ʷrBNpa~ԝ`ehƄ1¼LG 2zT-.k$H̱-zBGM㙠TpdrjkWFmgXm7y]< {_>žƒ3 $u6Ry"ٯ탗.~G1E &*xrs'S29$5]j?a ~MyKAm- ~6:?IȺJMV,펰0BRSh!pk0,ױS` Y?sP= *Mq~ʵԈ%O+w,uJ,gpOS5@1q9,4ӻ2BԢ^zMRV^NK@c@^T2*=`2CսD"m՗@4[8wl0%ٱ6m f5>ϸxs\A"2hB +V>[GrT/rI̿4(D:1]~Tv>{i(G/ n#eX9&9f4"/0_)9oUB.xnFb4S 9~R .N!)e}Α H,$OE/)MNDơ뮁|jW,LzAR{iQ<pqQYI-E7Ȅ]A _~;RUSaQެ&3 Y}rc'V:@3z볇&qz9jTٰD ~)V<Rx~tAٿ[`pE!xa-} )l $Gml9$1\GTH`36Bw{k\RU\ktMEʍ 0 `R>2VMlλNF81R1’HϽz~Z)dҊχ kWqu?SK!n2cZ.T#zK"+33 ?K쏌QH)}8]14W%C' MR-Ɇm]U c&O١Y0GDeG*]2Z9:V̬KD7yrI{w0z׬|-0=ϰ+/.VZ:ח'ey=bLh#=|xate${9ME'Hl  f, %f-V|]4&+}Qd;S&)($=b 79zaز mG@Y[YfÚ*`8LڒtAW;h52wh{:geK}B_A]$R\JCԔq7 (ݥgv)wWaI;|E`Rxv9L6oJj馋1i%?\or'15Ru%i;Vy21tdj5,E@^[o+T!#>s ۳Bu[cl,C6Jih/B{;aru͗}iE!g9=% g 9,ې\IKU ڍTǍn&]G]ĆFgeteIm/tH2Ĩ:+x,)s_4y;BKLrXO2soo«.`h V!\]@ATd 1[Cʋ0Qf?.3첛vBva* 7pqlJNю̖򥋳&`jtp^!*Kw+cWP[Ao&]wKj/!*$nQ$*мI?- JS+NidѸJ/$%gت=U1b uf&4aݔ %?<~[`Vo~ҎJ%N@I{*^̦*.j!*$K-9@=fVr˴AgVCw A>pp*;dc;8Bu(O咜ߖi6ahǗtȤCjSQMa.#8dhש\0ù,%.h] h>OZ|`iUڰL9ؠ 6ZS5)+$j ohh3Y`GP5!`3)tY'~i`-EEEq8T,jR%lr2{`: 2+3젾g]4WSQ[x;d8[#^m#i%J,\Vsl還ttϩ /20n^čx2r{/‰F}G(i\LD]SNf~񞨓dHS,q$/&"Fgfw*L .z!m E$ʬLHM ˚Fnh7|o2V2eS *$D-fi?Z ߅0*!QIkF4 mMX-8DTQ21K_d\ h;R,#"7)8L7Zc08yW\h%޼twi{- %e\j9:WrW28mnsa{?jXlĮ Kן9-Փ'NjüSPY1Ʋc`j9{wAԗb-"g潘WKrka؟m(| KSg`b-5e ՑꪅL ;"bEۼ\jާ04x*9ħ9GLJGdOEffq7(VatyUu) _@ Tn_17[$'g;6. ؂P.eXrI6'O3t%m~D$#;ȯvJ4R 10x7x&A͗$_i+1jOV_]?i6|,@Jay uk_WGNƘc\V$Bɻ?P#ZK0g꘳ۗ9G{'2%I%69iMQhrO3sqfqr^LsE Ij!ìY:V+_8 B9 a'Xl5riO4іZXdK$ aTKm,EO>~5,+\NY/e45 /Ӕ߭Z qv a4WZ] ҝݍ*]ibX pw %֖5$`/2'5Fź$_#rPnLLZ!?54DK(w0?W!M5~?W0c6jӃ)F"68L{k1l7+=>- QM^y6SDw*lId8B{ csa >סSđBZltM6%S*!0C+zW[;H&_LAֆ;D |CMEaO$E-HKASe>=C6Жxw 5]$gUZۊ]oՋʕEJg5c8n$G*M<*hZwqWz<6$#[^4&IZ(9෕&j fhPo52.WHr&%u3ENz㾁>dr 2>e%5MXY {ݵ`wq`H`ѧDELl Ȼ95top{H:ggUGۈ?Z/+\21WISkɩ(K|ⲭY'|/m+je鐐[`qe7~m=gBjHfP?lÚŞʙOqBk8~i!!{+M=' T\{^GQgI-<*KXc-"F $k^t\ s -z#cݛS ޫyZ2i{7@SxEߗ _Ch#6 d?J_B\ 6)3*X^F; ͜[sP3ۗ ,ԜwQX2;w?٣VJnb>bx?lVHa@^EcϨ$^BkLB*V1@=ӠӢEH>8fru_H5m ̲&g+]_=81WvOH 8F:t.o}˻+2Qm3c5[Ąڷi 5]wPoӕX?w)6sßs]G+޷oUYM/$HNL'=G6m>QasMVpw]G/ljÿ!U{"#t:3S?8 %10ll4{X c {aMc797x~n{`#gucG -,P3 9JƧ!% Ma3lH.Eɧ6LiC"L:ŶMfLfוOL1]D(Eh՞d-g,]P:-T5D>`)v}2^B6nj7Yͤ`C*XhYSܽ]4X&-c=]-Kug4܋ ?R$Hy_U0%iڨcN*֐4'5N %ksN Sw]0` ?M`-6iY+Ik`*x١V*A(G~H-ڍva ԟG*E$)e^&B"M"@G) $BaI Y,XPl}󏛊NK@ˠ0 =$ЖD&zg;   &muJ@4lkXqt KA'FVVGHG4 Hj[k 벐bANpդ3TׯgR'l-y!ߥ/Ai`ȌDZ:"Է~eJIpa䅌ɗ5qiuL.z+I C]S&F>ͧU~`YH7V$A. 6gُN9)i׸[FOTn[wǍ5ǹvMm!Cp߾`BȃiBLB:iL|V;ЮY+|hIep.Ue!zI< .X|/-F|j% ljqɢ\~0]= nJ4*ockiTo5j7O+ VmYIJ6H;2ƖLL\?^w{,A&:tW:&vdȇeܜ:_ӡs-Ia%e%ar.X=rOǿ畂tsL~gDX]LL0D8ʃqZ<$pai0u g؅?{_t+JHWuphN2W==%f @ [ =^U{6/!h`v[Zö]'66,vU,8êcY %:F^b'*8r3P Z.Ykv7%1g*9@ڶ2<ג='EKlLegA;!¢%TBGk4T01XOly}8YX3?r c+i'͗{3TO/ ~FZ qew&JVϒ:܀~"i0!zn(4ðiV8vnZXgzzW]Q_]r8MeA).uBf5M@C_7&xRd 4#hD$+ &Yp^57`nd2S_ #iݾ}Y:*)V\&w:@2Y^4 X0C{GpgLRUHQ-k5(2 e}_N9y1,$O~ =\Wr P3۵ k(20X#3T \CW`٦▼3sȶOrOJ[\VRVs~VD7w2Ґn>*Bl% Q0Ꞝю62~AG]6^aKmcXM7y>~E*kl?tf?PlFzkmC"b;it(媄8.q--.u|}]u&_58)+FNWQ^֗=[XpPH0i7 }J=*`Lq.}\b|򀌽 z29'<kV,Hq!9$]Bn@?"ZZ[Y8_8~p/ps]ߤ]w8Xiy}ʓC>ON;PWTr\c^9tAKN㜌V$!3B0\8dhάǚSe λ1g8fz+3%o.%7jG2+ϵ AT+tnn:޷i\ڣX^y?b4!MH`f+ "@.e$O!o1~ 9o;#e_.tYd)O兠0"<`2MUSuJӠnc ={ԟ]D@;>ΤC,4=Fx0;#?J|,="Td3Dxyk>""ʉ`Į{CE2 DuwmT3N%@a;u\h vǂr6EI /-22OۖH`O$6>^V_̕h)4NW«\D7;n`UlaM5zq{b6d^x؂D[NƑ+ bG5?z`Wz5W{V.m0zk8 .n% b)Þ>6_k̐Mnevӌ+@jLȽ0.t{ť^zaEQz&֣EIZu[%4`p,Kɹ=Wښ`OėL9 -6\,l&aRK_NT'ݖ̏1' 2P,EUԓ>ҵ ɑ+^<`u)+Z{'@%sU¦3"'!~V B]b =ٖdVU6*IĴdG:.9V:;Bp9&M}0Qٸaߨ WXGU>hɱ@`q'eiNTnv;kI@~>d0G?}0P?Fb/i#g4~`m(b-eC+qs؞/v=j̱'s nL tɂc:F}|܋o'D+r{ѭsɹZ4r7 APbuHHۀ,@Y%M3x0ݩWx>m{`h}"4Ƀ$r{ ߁y,f܃D4[ @:Ε@u΄&TEht$pЮ=H5ZЪYxO[myAu Wn3g86&..pMo Z.$:\dSTsP:45 ZPU!=ڼP ~4ܲj:M BW2Nي^K_in9N-ǧazX6 klm%cuIUEXAF } j)F(G颚I5OtMᒤ0W9tnzZ0fonXs*17)~1$!K̿ߜzQCd@P%Uu6+E\ ե^MQqZ1Q uNހ 4yE3E"]u#eC%Q:JA!j@mp:VOoʧ3LnTp,2;0>I6n`|zZ$NL! 8~!g݁ l> S+>[|{J . vm [/ف[79Pp/ϛ*JKsn#NPN尠XS 4!U-Ch; B/B[-& 'u)2_@q:5Ѡ1Is>";h$ 3Cj}+ûu#O*[S\pB'`g(ڑ~paaƉC4α՞ɧ[hF*keòÿ`K xLE_WágyFΩJ+0UHaKr)ōCeah.I{M>HVCHg`Wm7 {¨Ҙ4#~v &}wT\Ĵ,jywcW&;"{|&0n-fdEcJ\6ggN G`D>Yݪ/[]Ũe`Xq5wt8ؚc0=G72Q.)ЏQw JeV4}Z,s_ҼU%z\$զM^/ABNcgٍώRw<·_%&$MFbyB7܍;쒓aV&DP,{ @Av 0r8τ(d>g>•3Md+Ѵ-n507Q?x ⊤4A+P:w(V+AOuT(VpF_x M-u$w&q7mƻ,>. Ɓn eF`Ӵ .,GuQ bG^0SeAvu奅b, kc-k@ fX["DHEN U_HjJ-"GXYج5"*=(#s9!r::s]vG]HnoGv`ǖo nlI7 " WR2V a;H7ۜŧ9=68ۏ37h3aP}TĮۆ`Or:-41[N*4%Gwk!vF,{sQJhI T{g͞:XG3#t茙KIDu&fcZ]Ս30~} 3U>fޏ֧ Xbc2=+ߛ1ur~N;H vX u;/lkyF$r-Ο^ E'IƲW7 /qd$KO/ɾ^ _| nJ]pHqH פz? 7c_J@ԿCpLQmA"1H+3.kIS>>I}3gZq\.3y筜$C'P~0B.g=ީ ~*.!M&&CֱEnG/fiu“s OaZkxeV%qsc%n],vwtW+S̱xa{jT@íMR#[`8I]eg`$p)cXlM4~0蝵eJmYni9j]46_CPUQf7QM1#fAvguNnl:*Wvu\zFޔ!pqw\ۉʡ-xvhEPѷ۽x_9:?\ۘmC]&il)/ͶG@P9tËų,$_̨lEGțOdj8H1\h|Ha}%{.$.IHKm#Fvf)G"W47>;dG-ƍuZe^@YQwwK6Pa+ڗ>h($P_G1 )Z6QI.r2}X1f wMrMwnoqGa ϩw.@XpHs e$URq{2OoťZ@ot$X8T{1C~cEiMm告` N(SXrßH&|6`ؿjQM(P-4#s]UO4Eſl)H QГ\N+,-@a^apugG'nXc!Y/S+U}e 6e{޺w$ v[YZSQzfs:ݞ$=]:UM vTAy #5 ,CWlG5y$c vEæ9FZBx^+lݜ0m1!CeIFJ;k8 4i8ܶng]-/7CiU6\㑝֌2FŐ,mV/[V,P4ZzLi>7#v\+7};~#Jcgv`n@kfU&"ݨ\DtP6 pi!o^VƳ,)99D_/əFۇc/KJ  97KE.h7Ϡ\{Ҩ:ha]'9k#=`:^4|a|K 2sZ1ƿU@Η2_Vʳ잌Tz^۰$y#A:˻sU%ٔtuǂtjWM-c׼\R%#aQ%YQkY.PN NɐZfES>.4"zǙm_Z]Bo+R8u2*Rɛg@lQ? 8V>RVhW2S LgEG{LmV~ ͞xO7n庽*ϒh,ԛ%XSp7v(Ysi]3di-8Q(.Qar#Y {(t eJϾ \k1Y`שxq=޼(bo؍Q \Qx Du7\åx/ rG}5-41YE: (e/m0xq [8?X!s##iShÆ72XYy)rOC]k46'0}Kͩ`vOQ\o:~ (JQU*d ve %*KY}0.-d˴o0uŲk>c΄tcy/9!ua46u {`d5j]AWO~ɴ=g_hբ0Fp00mQ4׌쯓'7䀡h#%SؿX3h[;!|+>fɏ2v:Zb;/M`ͫ,VJmi`tgyW((:I ( +h\5Ty֎n+NkՕ~:_CJK-Jrl\ƌnЫ}R,`$5TFSsP7!eMw ]a'\zWqz&yš"pC8{tHV)o_r*iotic^=,RcpAۓ$ȗDX*_tda /Rv?4K'vzC7^Ƽ~ wi+G==mb2PUU+&[^$1b3&ړ'oFWNwCY ł,tmioCh{1[Tm)dT^:k2WWyNuj~pWw+_!ێw5w6EFd{U*DbEI~+Zms oa๭rn2:1mtkEklivj19 3{L 0g6QplMENH /A)&۽xڄbwkjцcS0R{DX\1)@A "-"6z4f7YüIŸ6Τ o[8󴪫*FEŲ(nQeDOr @+۫Up%/iCד9M"D"yz huʯe .[ACkWUfs1W#@!pfeߖA4EFw,S57anD}m1NupY33$'B͞]coN:uPMz ^y\㇔FrL"%l'*H*<Zb!rjmX٥^Jmpo>#gK&(ߓ`Rq9﫚;Q_Q. -3Bl iMH+(|tD"1ݸ_j9j#rH\hWߍHڛ@wk* zT(/b2t _tO\rИʴTm O֫%ESͷ%E| fn%ߝ"IMvRml  3la]_t`դ1sKtEnסVugy#HfZY|&Gb}rFB.le徆ZԳcm5 U]1|Ӱk#zJ[KcMHkPaߔ% Ò/ڕԌӒ1 dd_Jwp\:GmOҟ =ԏ-y*rޚm=91偓 ѣҖRs,W\/WJ`_^r<ЧSyb8z@7'̧nH &YC4Hc&Z#QZ;@- hБĺ@LRAc#6ͰShS58'sC]IߓҠxG(y*s1s%m{{Ce,mA;Z&XzS Z9+!xyB0{ (-EZ PG_?: 08)%t널53 3 :}QSJU`}j!Lea6nuSTWH'I|u.4e1ήM07 }tT]kA44P4YiPF^qDdF9=2; ]%jq6l Ǖw㗱5* y-Z1F:{g$#M)t0urD7*񗗇}\_7>mLDjRsQ(x)e#_HbBf Bǔ9RDv.aCe.N0o灐M8ROo޹NIdFۑ6B,X5N æ]PDz䭤lkHy}163P8m#nr2닗H? r>ѾQ5z1V+j6\ /|Ptط )ᬞJfMO@m%Rh[v6rTXL(pc22n6.Y&V&ٸiHȴn_R@jpʽX8\qҿ-(]dOeB}5?W[~w=5o5U49䈗Q˻TCOL+ <:[Ķ "^MxEORHi bu y@dӷx'?,XuV*vK2xQjc;zOBh<@EAfFިyI.\h=t7*&UnͲUx_zz?i=WsAq\UQ[̶POgVTCzc^嵭` Yoy%G qx{qnv f)OJy Ghҟpe+::xHKZj̠ j61:'HMn\l/R_W$)Dp˚eC#f[ tLZ~S7#!$dʷ~qv M A+Ljz%>_m$A[hJHǟ>PEݴv 0_ws}%ؐr )P?r+8ES:ve8pHʨ/Ҋ2^{"V-,f `_Ľ/ͽ r"444ulzU0j:ERLgL֮Lic\괛ßPAH,0fb~HXgU  4.YruE#7G+ -3Ǣix-3_:Q>#DOsR.^@YO!z="%PFH|)럏8,%Xjz`P 0 Xy[X:)x>CN3gMi! :XQ>_SA!yZpsfKܺ*+Sg!Fږ fxjtVM603kB܂3K,D}JZZadC/&U=έk12W#"Y'"MNqUHlT194|HP)O^{ڭ{XwQr(p9d7c6C&õH%cRӭbaVQ z}*% 7ܹ sa\FCy19p׽{|PzԹ.ADIi>矔ͤU[D-$x?ڕHL>pmguL)vHPl W; 7?P^ Ȝ5p׻FCsEMɒ9^zZI6&hGuF&sI%~Pk+!ݨPa6|ѥ.șzXdfn I|*EҺ?^-4V$yz#~' ^ !axba٠ dm9-p whvT^k"lU>op02 ŒOLT'ļdžT4n݄v"em}? I}},%a;U8eq{tHY󦪧Xi &frs?T;x~Jq9[C٢m;UMXFIg6'ǽm.D5wTKn]50h֞k `ƥ8,B2R;:'=mlyύu)- *N fb+v&V@4֙s"m]ȋ)2-J%EK}ՕSRF8_uQ|2䌔z+-BƝC>C a-ڝI!Md%8AƥU9V7~snRBs3LG\4m))e0jH]\›D!twvSteg-%dU5 ɼL2pM;s#P{Kgu3/NBRq- ]"L; rA OD3^p8CB4npRJyژrV~⣕*5)sc@}IU[DL9ϴn3{#vv'l\҅ 7<$uLT #t?q-j#8Y~562[nu٣E5qZ;B{0>%]_91F跧,b׬DIUOͽLܫ%Ė13du77u}އuª\N=yL,[P<#͉u~>㏩iWSԀQaO-ETBNt#mM;3c͔2[Y^ѰNq~v6JQkbRv2G#v!$ŷs( Eנү~9ϳ돯|%;_z*[c(MC3dZ>TxQʟ Zz]T,El,Ȩj06Buݒ 3.>v))^z~)i8fg`x%Aݕ?)oEy1gb@і#-@zz"'*U! a+щPdpC],D?Λl-˩̝:Rs4 *D7L9ȈkI5\$: 8ʌ 5Qy2/`\ťao(ϛw3JߣDMz;LKhv77zӽI):3S;q],;TblPo}& 6 hf4 tgP`+[wySL=(v7dS]J_ŰS֬Vޘ]S(pmء y9/Ku`T>%¿*̙4tnv7<GqgqsO;$ť#iHDP+p*^:y/=ZDsBh`oMR8펴OIyt _sTs卥~Q8b0 C&YDBm G[G]EbVnh݊}᭜^<9[3e_G=u7 FJGv9#_BQL߷,!Kb2"Wa#gI1|G #ǺR,D-i Ʌ=t^ǁPaGA V:y%ޟ#}WȇX KHa/|| zqzYa2pќte .i X,e.%BȄk_(|[=CKkxoD zYF@/%G'SKvpe .^*@g6AS*=U&PZɇL?i-b=5CyQPy`e[M^ 뙿dO1$R}aO-Euי5zgo n.\M\kXĮТO#{U%H-{86|R7~9YkH\gߒיTo]zSX C&^0?^D =;OPmeQ?FL5zPZ(| A(4/Y31ibIԏ#Qf0ٯMUQl %y*ai)AG>JכCB"35Jm?c.Ե1?gn4=Nvd'r\1yDbNfz8.H+u՛k^N6bh)+e?Hm#r;3wĠ>lPjD]t1`8hӃJcKgIݬTj.^=wf)&[mcOI]3t*v: !CEJwߋ(0d=6RuԴI*3^r-kAM=UcGL?ȚR_ulݏhϠ*Q~`9FQsh%W&[&Y#q1M;'P̸.|S_Й\9$w;yGMApUic-(ŵh GKQ҅ !숃  2ӀxOEsi٫!"-Lg* Fh.g&悶ƙ_NO H\pMT;gJ&+؝ݛ]-S yV &9ޡ {6QFus[4a,Aӹ-WXW6vCwM!rNZaCvEKZ$yŸ5vv=:#bsBqw:Fտ7WTϥW(wy!YSU"4ZY(1;)tT&{iJ%f^m5%I"c)~^8);Sd2m]&pf(2& / YZ