openvpn-auth-pam-plugin-2.4.3-lp150.3.3.1 4>$  Ap[=F/=„%s{Fze:T~5*FvD*:i@i|w ЋfiRRCevSh%7Qv%rR T7Mx9_*5$~IŮl{Uѩ̆g nn3.ɇThf!veY|cBɷm׶2#l-TbxFĝ=\kR@IU/&ԕ+b1,V.;738ecd48775f52cb9a95a5309df6e2edceb6ed495d14133d1b981c26ca817268e2eb57c9a5d61c51454dc4dafd3f55f535fc2c21܉[=F/=„4*j|-hnzH Dk3zî]wt((`X Néc={'>ѻwE U1"n5&>>}F9Nov͗sY x J2RX V-ܗ *ʰb%p?'}&`y~> -x)>F=CeKrD~}D9)eğ3$%Pd4DҲɇ-2Ҍ ` ]y6QK<>p>l?ld  , DX\dh{   " ( 4 w | < b (8=9=: ==FixGiHiIiXiYi\i]i^j bjGcjdkekfklkukvkwl@xlLylXzltllllCopenvpn-auth-pam-plugin2.4.3lp150.3.3.1OpenVPN auth-pam pluginThe OpenVPN auth-pam plugin implements username/password authentication via PAM, and essentially allows any authentication method supported by PAM (such as LDAP, RADIUS, or Linux Shadow passwords) to be used with OpenVPN. While PAM supports username/password authentication, this can be combined with X509 certificates to provide two indepedent levels of authentication. This plugin uses a split privilege execution model which will function even if you drop openvpn daemon privileges using the user, group, or chroot directives.[=6lamb03IopenSUSE Leap 15.0openSUSESUSE-GPL-2.0-with-openssl-exception and LGPL-2.1http://bugs.opensuse.orgProductivity/Networking/Securityhttp://openvpn.net/linuxx86_64IAA[=2[=3[=35d1b45be515d7ebab024567b88a36714df2d2ecabd68ca278e51c1c25ced122erootrootrootrootrootrootopenvpn-2.4.3-lp150.3.3.1.src.rpmopenvpn-auth-pam-pluginopenvpn-auth-pam-plugin(x86-64)@@@@@@@    libc.so.6()(64bit)libc.so.6(GLIBC_2.2.5)(64bit)libc.so.6(GLIBC_2.3)(64bit)libc.so.6(GLIBC_2.3.4)(64bit)libc.so.6(GLIBC_2.4)(64bit)libpam.so.0()(64bit)libpam.so.0(LIBPAM_1.0)(64bit)openvpnrpmlib(CompressedFileNames)rpmlib(FileDigests)rpmlib(PayloadFilesHavePrefix)rpmlib(PayloadIsXz)2.4.33.0.4-14.6.0-14.0-15.2-14.14.1ZZ@Yܶ@Y@YMYA%@Y6@X@XXXXBX<@WRW1@V^VqR@V`.U@ŬUUv@TPT|X@TR(@S%@S,Sof@R&RΏ@Rname as non-const when we free() it - OpenSSL: don't use direct access to the internal of EVP_MD_CTX - OpenSSL: don't use direct access to the internal of EVP_CIPHER_CTX - OpenSSL: don't use direct access to the internal of HMAC_CTX - Fix NCP behaviour on TLS reconnect. - Remove erroneous limitation on max number of args for --plugin - Fix edge case with clients failing to set up cipher on empty PUSH_REPLY. - Fix potential 1-byte overread in TCP option parsing. - Fix remotely-triggerable ASSERT() on malformed IPv6 packet. - Preparing for release v2.4.3 (ChangeLog, version.m4, Changes.rst) - refactor my_strupr - Fix 2 memory leaks in proxy authentication routine - Fix memory leak in add_option() for option 'connection' - Ensure option array p[] is always NULL-terminated - Fix a null-pointer dereference in establish_http_proxy_passthru() - Prevent two kinds of stack buffer OOB reads and a crash for invalid input data - Fix an unaligned access on OpenBSD/sparc64 - Missing include for socket-flags TCP_NODELAY on OpenBSD - Make openvpn-plugin.h self-contained again. - Pass correct buffer size to GetModuleFileNameW() - Log the negotiated (NCP) cipher - Avoid a 1 byte overcopy in x509_get_subject (ssl_verify_openssl.c) - Skip tls-crypt unit tests if required crypto mode not supported - openssl: fix overflow check for long --tls-cipher option - Add a DSA test key/cert pair to sample-keys - Fix mbedtls fingerprint calculation - mbedtls: fix --x509-track post-authentication remote DoS (CVE-2017-7522) - mbedtls: require C-string compatible types for --x509-username-field - Fix remote-triggerable memory leaks (CVE-2017-7521) - Restrict --x509-alt-username extension types - Fix potential double-free in --x509-alt-username (CVE-2017-7521) - Fix gateway detection with OpenBSD routing domains- use %{_tmpfilesdir} for tmpfiles.d/openvpn.conf (bsc#1044223)- Update to 2.4.2 - auth-token: Ensure tokens are always wiped on de-auth - Make --cipher/--auth none more explicit on the risks - Use SHA256 for the internal digest, instead of MD5 - Deprecate --ns-cert-type - Deprecate --no-iv - Support --block-outside-dns on multiple tunnels - Limit --reneg-bytes to 64MB when using small block ciphers - Fix --tls-version-max in mbed TLS builds Details changelogs are avilable in https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn24 [*0001-preform-deferred-authentication-in-the-background.patch * openvpn-2.3.x-fixed-multiple-low-severity-issues.patch * openvpn-fips140-2.3.2.patch] - pkcs11-helper-devel >= 1.11 is needed for openvpn-2.4.2 - cleanup the spec file- Preform deferred authentication in the background to not cause main daemon processing delays when the underlying pam mechanism (e.g. ldap) needs longer to response (bsc#959511). [+ 0001-preform-deferred-authentication-in-the-background.patch] - Added fix for possible heap overflow on read accessing getaddrinfo result (bsc#959714). [+openvpn-2.3.9-Fix-heap-overflow-on-getaddrinfo-result.patch] - Added a patch to fix multiple low severity issues (bsc#934237). [+openvpn-2.3.x-fixed-multiple-low-severity-issues.patch]- silence warning about %{_rundir}/openvpn - for non systemd case: just package the %{_rundir}/openvpn in the package - for systemd case: call systemd-tmpfiles and own the dir as %ghost in the filelist- refreshed patches to apply cleanly again openvpn-2.3-plugin-man.dif openvpn-fips140-2.3.2.patch- update to 2.3.14 - update year in copyright message - Document the --auth-token option - Repair topology subnet on FreeBSD 11 - Repair topology subnet on OpenBSD - Drop recursively routed packets - Support --block-outside-dns on multiple tunnels - When parsing '--setenv opt xx ..' make sure a third parameter is present - Map restart signals from event loop to SIGTERM during exit-notification wait - Correctly state the default dhcp server address in man page - Clean up format_hex_ex() - enabled pkcs11 support- update to 2.3.13 - removed obsolete patch files openvpn-2.3.0-man-dot.diff and openvpn-fips140-AES-cipher-in-config-template.patch 2016.11.02 -- Version 2.3.13 Arne Schwabe (2): * Use AES ciphers in our sample configuration files and add a few modern 2.4 examples * Incorporate the Debian typo fixes where appropriate and make show_opt default message clearer David Sommerseth (4): * t_client.sh: Make OpenVPN write PID file to avoid various sudo issues * t_client.sh: Add support for Kerberos/ksu * t_client.sh: Improve detection if the OpenVPN process did start during tests * t_client.sh: Add prepare/cleanup possibilties for each test case Gert Doering (5): * Do not abort t_client run if OpenVPN instance does not start. * Fix t_client runs on OpenSolaris * make t_client robust against sudoers misconfiguration * add POSTINIT_CMD_suf to t_client.sh and sample config * Fix --multihome for IPv6 on 64bit BSD systems. Ilya Shipitsin (1): * skip t_lpback.sh and t_cltsrv.sh if openvpn configured --disable-crypto Lev Stipakov (2): * Exclude peer-id from pulled options digest * Fix compilation in pedantic mode Samuli Seppänen (1): * Automatically cache expected IPs for t_client.sh on the first run Steffan Karger (6): * Fix unittests for out-of-source builds * Make gnu89 support explicit * cleanup: remove code duplication in msg_test() * Update cipher-related man page text * Limit --reneg-bytes to 64MB when using small block ciphers * Add a revoked cert to the sample keys 2016.08.23 -- Version 2.3.12 Arne Schwabe (2): * Complete push-peer-info documentation and allow IV_PLAT_VER for other platforms than Windows if the client UI supplies it. * Move ASSERT so external-key with OpenSSL works again David Sommerseth (3): * Only build and run cmocka unit tests if its submodule is initialized * Another fix related to unit test framework * Remove NOP function and callers Dorian Harmans (1): * Add CHACHA20-POLY1305 ciphersuite IANA name translations. Ivo Manca (1): * Plug memory leak in mbedTLS backend Jeffrey Cutter (1): * Update contrib/pull-resolv-conf/client.up for no DOMAIN Jens Neuhalfen (2): * Add unit testing support via cmocka * Add a test for auth-pam searchandreplace Josh Cepek (1): * Push an IPv6 CIDR mask used by the server, not the pool's size Leon Klingele (1): * Add link to bug tracker Samuli Seppänen (2): * Update CONTRIBUTING.rst to allow GitHub PRs for code review purposes * Clarify the fact that build instructions in README are for release tarballs Selva Nair (4): * Make error non-fatal while deleting address using netsh * Make block-outside-dns work with persist-tun * Ignore SIGUSR1/SIGHUP during exit notification * Promptly close the netcmd_semaphore handle after use Steffan Karger (4): * Fix polarssl / mbedtls builds * Don't limit max incoming message size based on c2->frame * Fix '--cipher none --cipher' crash * Discourage using 64-bit block ciphers- Require iproute2 explicitly. openvpn uses /bin/ip from iproute2, so it should be installed- Add an example for a FIPS 140-2 approved cipher configuration to the sample configuration files. Fixes bsc#988522 adding openvpn-fips140-AES-cipher-in-config-template.patch - remove gpg-offline signature verification, now a source service- Update to version 2.3.11 * Fixed port-share bug with DoS potential * Fix buffer overflow by user supplied data * Fix undefined signed shift overflow * Ensure input read using systemd-ask-password is null terminated * Support reading the challenge-response from console * hardening: add safe FD_SET() wrapper openvpn_fd_set() * Restrict default TLS cipher list - Add BuildRequires on xz for SLE11- Update to version 2.3.10 * Warn user if their certificate has expired * Fix regression in setups without a client certificate- Update to version 2.3.9 * Show extra-certs in current parameters. * Do not set the buffer size by default but rely on the operation system default. * Remove --enable-password-save option * Detect config lines that are too long and give a warning/error * Log serial number of revoked certificate * Avoid partial authentication state when using --disabled in CCD configs * Replace unaligned 16bit access to TCP MSS value with bytewise access * Fix possible heap overflow on read accessing getaddrinfo() result. * Fix isatty() check for good. (obsoletes revert-daemonize.patch) * Client-side part for server restart notification * Fix privilege drop if first connection attempt fails * Support for username-only auth file. * Increase control channel packet size for faster handshakes * hardening: add insurance to exit on a failed ASSERT() * Fix memory leak in auth-pam plugin * Fix (potential) memory leak in init_route_list() * Fix unintialized variable in plugin_vlog() * Add macro to ensure we exit on fatal errors * Fix memory leak in add_option() by simplifying get_ipv6_addr * openssl: properly check return value of RAND_bytes() * Fix rand_bytes return value checking * Fix "White space before end tags can break the config parser"- Adjust /var/run to _rundir macro value in openvpn@.service too.- Removed obsolete --with-lzo-headers option, readded LFS_CFLAGS. - Moved openvpn-plugin.h into a devel package, removed .gitignore- Add revert-daemonize.patch, looks like under systemd the stdin and stdout are not TTYs by default. This reverts to previous behaviour fixing bsc#941569- Update to version 2.3.8 * Report missing endtags of inline files as warnings * Fix commit e473b7c if an inline file happens to have a line break exactly at buffer limit * Produce a meaningful error message if --daemon gets in the way of asking for passwords. * Document --daemon changes and consequences (--askpass, --auth-nocache) * Del ipv6 addr on close of linux tun interface * Fix --askpass not allowing for password input via stdin * Write pid file immediately after daemonizing * Fix regression: query password before becoming daemon * Fix using management interface to get passwords * Fix overflow check in openvpn_decrypt()- Update to version 2.3.7 * down-root plugin: Replaced system() calls with execve() * sockets: Remove the limitation of --tcp-nodelay to be server-only * pkcs11: Load p11-kit-proxy.so module by default * New approach to handle peer-id related changes to link-mtu * Fix incorrect use of get_ipv6_addr() for iroute options * Print helpful error message on --mktun/--rmtun if not available * Explain effect of --topology subnet on --ifconfig * Add note about file permissions and --crl-verify to manpage * Repair --dev null breakage caused by db950be85d37 * Correct note about DNS randomization in openvpn.8 * Disallow usage of --server-poll-timeout in --secret key mode * Slightly enhance documentation about --cipher * On signal reception, return EAI_SYSTEM from openvpn_getaddrinfo() * Use EAI_AGAIN instead of EAI_SYSTEM for openvpn_getaddrinfo() * Fix --redirect-private in --dev tap mode * Updated manpage for --rport and --lport * Properly escape dashes on the man-page * Improve documentation in --script-security section of the man-page * Really fix '--cipher none' regression * Set tls-version-max to 1.1 if cryptoapicert is used * Account for peer-id in frame size calculation * Disable SSL compression * Fix frame size calculation for non-CBC modes. * Allow for CN/username of 64 characters (fixes off-by-one) * Re-enable TLS version negotiation by default * Remove size limit for files inlined in config * Improve --tls-cipher and --show-tls man page description * Re-read auth-user-pass file on (re)connect if required * Clarify --capath option in manpage * Call daemon() before initializing crypto library- Fixed to use correct sha digest data length and in fips mode, use aes instead of the disallowed blowfish crypto (boo#914166). - Fixed to provide actual plugin/doc dirs in openvpn(8) man page.- Update to version 2.3.6 fixing a denial-of-service vulnerability where an authenticated client could stop the server by triggering a server-side ASSERT (bnc#907764,CVE-2014-8104). See ChangeLog file for a complete list of changes.- Update to version 2.3.5 * See included changelog - Depend on systemd-devel for the daemon check functionality- Update to version 2.3.4 * Add support for client-cert-not-required for PolarSSL. * Introduce safety check for http proxy options.- Build with large file support in 32 bit systems.- use %_rundir for %ghost directory - leaving /var/run everywhere else- Updated README.SUSE, documented also the rcopenvpn compatibility wrapper script (bnc#848070).- openvpn-fips140-2.3.2.patch: Allow usage of SHA1 instead of MD5 in some internal checking routines. This allows operation in FIPS 140-2 mode.- Readded rcopenvpn helper script under systemd (bnc#848070)- Fixed invalid mode in exec bit removal call from doc files- Add a section about how to control all or a named configuration with the help of systemctl to the README.SUSE file.- Update to 2.3.2 +Fixes since 2.3.0 - Remove dead code path and putenv functionality - Remove unused function xor - Move static prototype definition from header into c file - Remove unused function no_tap_ifconfig - fix build with automake 1.13(.1) - Fix corner case in NTLM authentication (trac #172) - Update README.IPv6 to match what is in 2.3.0 - Repair "tcp server queue overflow" brokenness, more fallout. - Permit pool size of /64.../112 for ifconfig-ipv6-pool - Add MIN() compatibility macro - Fix directly connected routes for "topology subnet" on Solaris. - close more file descriptors on exec - Ignore UTF-8 byte order mark - reintroduce --no-name-remapping option - make --tls-remote compatible with pre 2.3 configs - add new option for X.509 name verification - add man page patch for missing options - Fix parameter listing in non-debug builds at verb 4 - (updated) [PATCH] Warn when using verb levels >=7 without debug - Enable TCP_NODELAY configuration on FreeBSD. - Updated README - Cleaned up and updated INSTALL - PolarSSL-1.2 support - Improve PolarSSL key_state_read_{cipher, plain}text messages - Improve verify_callback messages - Config compatibility patch. Added translate_cipher_name. - Switch to IANA names for TLS ciphers. - Fixed autoconf script to properly detect missing pkcs11 with polarssl. - Use constant time memcmp when comparing HMACs in openvpn_decrypt.- Try to migrate openvpn.service autostart to openvpn@.service instance enablement.- Fixed to enable systemd support in configure - Fixed openvpn-tmpfile.conf to use GID root, there is no openvpn group. - Added openvpn.target file allowing to handle all instances at once. - Fixed to install the service template correctly as openvpn@.service. Use "systemctl enable openvpn@foo.service" to enable instance using /etc/openvpn/foo.conf. - Disabled systemd variant of restart on update rpm macro, adopted other macros to use openvpn.target to e.g. stop all instances on uninstall.- Remove _unitdir definition, it is provided by systemd. - Install service file without x permissionsUpdate to version 2.3.0: * Full IPv6 support * SSL layer modularised, enabling easier implementation for other SSL libraries * PolarSSL support as a drop-in replacement for OpenSSL * New plug-in API providing direct certificate access, improved logging API and easier to extend in the future * Added 'dev_type' environment variable to scripts and plug-ins - which is set to 'TUN' or 'TAP' * New feature: --management-external-key - to provide access to the encryption keys via the management interface * New feature: --x509-track option, more fine grained access to X.509 fields in scripts and plug-ins * New feature: --client-nat support * New feature: --mark which can mark encrypted packets from the tunnel, suitable for more advanced routing and firewalling * New feature: --management-query-proxy - manage proxy settings via the management interface (supercedes --http-proxy-fallback) * New feature: --stale-routes-check, which cleans up the internal routing table * New feature: --x509-username-field, where other X.509v3 fields can be used for the authentication instead of Common Name * Improved client-kill management interface command * Improved UTF-8 support - and added --compat-names to provide backwards compatibility with older scripts/plug-ins * Improved auth-pam with COMMONNAME support, passing the certificate's common name in the PAM conversation * More options can now be used inside blocks * Completely new build system, enabling easier cross-compilation and Windows builds * Much of the code has been better documented * Many documentation updates * Plenty of bug fixes and other code clean-ups - Add systemd native support for OpenSUSE > 12.1 - Adapt patchs to upstream release: * openvpn-2.1-plugin-man.dif > openvpn-2.3-plugin-man.dif * openvpn-2.1.0-man-dot.diff > openvpn-2.3.0-man-dot.diff - Remove obsolete patchs; fixed or merged on upstream release: * 0001-Use-SSL_MODE_RELEASE_BUFFERS-if-available.patch * openvpn-2.1-plugin-build.dif * openvpn-2.1-systemd-passwd.patch - Rebase specfile to upstream changes: * easy-rsa is not provided anymore with main package * remove %clean section * autoreconf -fi is no needed - Update openvpn.keyring file for upstream release asc key- Join openvpn.service systemd cgroup in start when needed, e.g. when starting with further parameters. (bnc#781106)- Verify GPG signature.- fix ciaran's previous license entry. the license has a SUSE prefix- Fixed openvpn init script to not map reopen to reload so the reopen code is without any effect (bnc#781106). - Added requested OPENVPN_AUTOSTART variable allowing to provide an optional list of config names started by default (bnc#692440).- license update: GPL-2.0-with-openssl-exception and LGPL-2.1 openssl has an openssl exception (also, it is GPL-2.0 only)- Fixed SLES build readding Group tags to sub-packages in spec, not require libselinux-devel on SLE-10 and datadir/doc cleanup.- Updated to openvpn-2.2.2: - Warn once, that IPv6 in tun mode is not supported in OpenVPN 2.2 - Pkcs11 support built into the Windows version - Fixed a bug in the Windows TAP-driver- Fix source URLs.- add automake as buildrequire to avoid implicit dependency- Marked /var/run/openvpn as ghost (bnc#710270), man page and other rpmlint warning fixes- BuildRequires libselinux-devel - Use SSL_MODE_RELEASE_BUFFERS to keep memory usage low, sent upstream as https://community.openvpn.net/openvpn/ticket/157- Add openvpn-2.1-systemd-passwd.patch / modify openvpn.init to support systemd password query (bnc#675406)- Updated to openvpn-2.2.1, a new version series providing several new features. This version fixes build issues and provides updated easy-rsa for OpenSSL 1.0.0 (fixes Trac ticket #125), - Adopted spec file, enabled saving password in a file and to specify an alternative username in x509 cert. - Removed X-Interactive from init script again, as systemd isn't able to use it correctly [any more?] (bnc#675406). We will address it later and probably use /bin/systemd-ask-password.- KVPNC is unable to parse openvpn version [bnc#679153]- Added X-Interactive: true LSB tag to the init script.- Updated to openvpn 2.1.4, providing several bug fixes and improvements, such as: * Fix of a problem with special case route targets * Try to ensure, that the tun/tap interface gets closed on non-graceful aborts. * Several AUTH_FAILED reporting fixes causing the connection to fail without any error indication. * Enable exponential backoff in reliability layer retransmits. * Proxy improvements Please review the ChangeLog file for a complete and exact list.- Do not include build date in binaries- Improved netconfig based client up and down sample scripts.- Added netconfig based client up and down scripts to samples.- Updated to openvpn 2.1.1; linux related changes since 2.1_rc20: * Fixed a couple issues in sample plugins auth-pam.c and down-root.c. (1) Fail gracefully rather than segfault if calloc returns NULL. (2) The openvpn_plugin_abort_v1 function can potentially be called with handle == NULL. Add code to detect this case, and if so, avoid dereferencing pointers derived from handle (Thanks to David Sommerseth for finding this bug). * Documented "multihome" option in the man page. * Added a hard failure when peer provides a certificate chain with depth > 16. Previously, a warning was issued. * Added additional session renegotiation hardening. OpenVPN has always required that mid-session renegotiations build up a new SSL/TLS session from scratch. While the client certificate common name is already locked against changes in mid-session TLS renegotiations, we now extend this locking to the auth-user-pass username as well as all certificate content in the full client certificate chain. - Improved openvpn init script adding messages giving a hint about pid write failure and to look into the log messages (bnc#559041). - Added -fno-strict-aliasing to compile flags in the spec file.- Updated to openvpn 2.1 2.1_rc20, fixing problems in route and option handling provided by the from server (bnc#552440). For complete list of changes, see ChangeLog file, here just the IMO most important: * Fixed a bug introduced in 2.1_rc17 (svn r4436) where using the redirect-gateway option by itself, without any extra parameters, would cause the option to be ignored. * Optimized PUSH_REQUEST handshake sequence to shave several seconds off of a typical client connection initiation. * The maximum number of "route" directives (specified in the config file or pulled from a server) can now be configured via the new "max-routes" directive. * Eliminated the limitation on the number of options that can be pushed to clients, including routes. Previously, all pushed options needed to fit within a 1024 byte options string. * Added --server-poll-timeout option : when polling possible remote servers to connect to in a round-robin fashion, spend no more than n seconds waiting for a response before trying the next server. * Added the ability for the server to provide a custom reason string when an AUTH_FAILED message is returned to the client. This string can be set by the server-side managment interface and read by the client-side management interface. * client-kill management interface command, when issued on server, will now send a RESTART message to client. This feature is intended to make UDP clients respond the same as TCP clients in the case where the server issues a RESTART message in order to force the client to reconnect and pull a new options/route list.- Added network-remotefs to init script dependencies (bnc#522279).- Updated to openvpn 2.1 [2.1_rc18] series (fate#305289). - Enabled pkcs11-helper for openSUSE > 10.3 (bnc#487558). - Adopted spec file and patches, improved init script. - Disabled installation of easy-rsa for Windows.lamb03 15307786782.4.3-lp150.3.3.12.4.3-lp150.3.3.1openvpnpluginsopenvpn-plugin-auth-pam.so/usr/lib64//usr/lib64/openvpn//usr/lib64/openvpn/plugins/-fmessage-length=0 -grecord-gcc-switches -O2 -Wall -D_FORTIFY_SOURCE=2 -fstack-protector-strong -funwind-tables -fasynchronous-unwind-tables -fstack-clash-protection -gobs://build.opensuse.org/openSUSE:Maintenance:8392/openSUSE_Leap_15.0_Update/a4a5440c77f775ec4544ce831a34d25e-openvpn.openSUSE_Leap_15.0_Updatecpioxz5x86_64-suse-linuxdirectoryELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, BuildID[sha1]=28e5c98052ee4521dc41c2874d21646da0b86fce, strippedRRRRRRRL37I_6w,Uutf-8a1eae74121743dd4d7367e3dad2c6023ad8d969c82aaff2f9cd0253cd67ff625? 7zXZ !t/K;] crt:bLL o)R `VrW\;Oa>&xnMӣaRBZS /sЈf<W8hslF~pB nSh\.wA94Oz @ |M],}ŕ7a `)qF'XOMJ"'_mn3?4Zaگn%mʮҤ&> .1kK[\"S)d(լ Ч~Et+_$"ORBbaX˚v(P 15A5f$Ihtp|5&k 8rH@M͸⨡dy|TGvl.w?bQq*w\(] ^XDQM [ ou=bgέ\zoax =QCyuދbYsÆ @f\}bIK$~:il_중EŅm%լUMvKyM&3qD޵-ف <8Y ӗ }RZrcw*lS`VχQ/u*C@D4qq-Z;F!Rha8@9 HtԩRs4z@˒ŞWXxnaE8 Ѹia؝l-"-$λ>̟9<="uxʮ31˦e$䤙ki|ρ& Prv5ѲaKd.=<7MBaFM_@ .{)6]^チ-h| qb4Ҫ]`XeZɼב%<R-Cvܯon\i\p1@LimekbѲ ;:[o{d ,kU&xLf!d4l6)iEilHjl@x}jZ%1~*J)tml.UJvtxYu*F%mJfr_B&%A;1['nTwCS3M`q)cWOd<b6mq v$P&T ~^i_:Nxpo̓y1͌;Ck%a63c?hIA<TIM*lC/!f(C>v9hR!#~c)\YrX5QU. ~wb;?'n"5R9IGƺvL֖,?yl޻N7 {~z[_abG(9_ie{!j${˼B MdC&ur=&9TȦ=_Y%w|@e&Ӈ̼jqac->+>5.%V0@T,\[=|]8F>3 7f9+7o%W;۔"ىy7U[}~]w#&+dsbx-H &v //N2AN`Iۋê*Lc"jUH!3R! 3?}u^mX?f*/(g~7g8 c1lI'aU1m(ˉpMCgcJ=OMAMD}=fri9A Tka AxfAUSxt w.9+V&>l){} vz&$"bOj'>B?“h#n*+WQAិռqΒWԅ,g]$j"0=V_rQRe8`~h`y ąldڕKXl=@!9~*3;)8pL2uhܻ”K%ػMfwodZ @7P4.7m@CqԮ`^lg9O.ƢDX) 2 .<.Out{U&* _snvY'IB^] w1_t?zRY%tcU=EGwo7 +< mO gTQşOAc+o?g.^Ir$߬󙮞ămb[Xtjkf d}R~nJ GOmˤFfg(QbCHƟ:k f{BN96 [ĥPl|pͿ(bOap*[ı} ް\O{#tǗ f)Qh[L+b`X]G|7KN$n5Ra18E]$Bӈ-(U"^vA\D}c_|:KMAnʛȼѸp׌jgnU`Ƹ-eJ0,-\핊xEA16qp[9$7Dڼ2*јǜ^5 ɹc\?d֕o5{8pm0 #CfI6 L}VYl(qn<ZW)9=5Y:ʻo7:I3A[J3F,)q jLuwtp= ߲p8buag @ԊKv4V?&aDqG#[9 3-0K<@;9n_h;T okq6^*Ӕy+"V+`=B}Ł0u(-eɡLlpX0PI:Q bwr,W.j0 7>Fmx(h1Jb]t7hO Febo7m('^}]8lNrEj>[UͷP. *SHN'>]P;VөJE{&c&D-c6+:o"=aR(j[ei{|:wbSf-ۂ(i%䆏=I %E6R:3qo*M2AvX?Ǐ*T}ۘl;n@݅E CBESTi`)SVj\S^~Sf}(3؉ffו|-*ήM|B'EdLd_M(N4[vAWw"v`kv;q_g*~soRL Bߚ*`e0Ē xQy M5Cr3r|-vi7pmv[4BoFg*҂{E]ͩo Z( [)B4)fNCV':kE72tCյF dyt;/ 28o\q]PsC"ŌɧT!I缴D9 >W}u7S_.&BD3i[qOcgZm}&<*1' l݅T}t \"7b+yժ"Pu_w]r|c~5ã]^{o+xv)vIR42`2ԤM$5oHO0g2:4;+z$ J[& Kۓ"C[t~_| xͥOsVPQѲ~=lVy8v |jR[""[7N'q(;].y_Ϲ-ĦiKS Ijb w T۠H;,sU$FnG eLUU߻AO,FU4{DXFm>MG9, _O,{kR .`}0`&~xy2*5 >2Bw2-n= YZ