freeradius-server-utils-3.0.21-lp152.2.3.1 4>$  Ap_k/=„Ń0)!vKFk : }p>?d! - @dhpt  x   8 P h @   H   (D8L%9%:%FvGHIHX`Yh\]^ b)cdmerfulwuv wxhyhzhx|Cfreeradius-server-utils3.0.21lp152.2.3.1FreeRADIUS ClientsCollection of FreeRADIUS utilities._klamb05openSUSE Leap 15.2openSUSEGPL-2.0-only AND LGPL-2.1-onlyhttp://bugs.opensuse.orgProductivity/Networking/Radius/Clientshttp://www.freeradius.org/linuxx86_64x \~/q`$ J(IX8 O6*w큤_k_k_k_k_k_k_k_k_k_k_k_k_k_k_k_k_k_k_k_k_k_k_k_k6d382578de760eb60f10cbe7309055d2aab7b2f9d6349f7e88dcb94318d009c6e7733467168b997e397c4bfbba902c63a95f1e36fa24e05dec7a1edb2e26f248ef8ec2f344d438d0fa7f1918130c8459fa4a9cbd45b105519437e451e4aa12420e009192168f5a45c12b9b04c21b2e973e594ad8d0a646b90da046a37bc6a5a328f2303e0d3e93de6fb0459eaa677abfa51aadca551fa5496062b1eb0c4393fbb697cf1626be74fb2144b692de899dc5d9b1643e98fe12c33bf2f9aaa78a4aedb162991622c6ecb7cc82d223f02daf68394eb083ecd710a3440d29b5e0c1d9c1a9bf299c72d458ef397164d802379e00f132b00d8ca2de7ce54c19a7fd379b664f9e20a377be08aff71b854bdcf17cfd2490218357950995931109c4d92401ecac75b5c19d977fe528dc805d1f136ba06dd96c43732dbf95aefa2b45a0bdc17be5431156ad54e262fc3f082773d20c81f02a4cede8ef978b46a7de3552dad161b62ad681f507a9f866406d581afc5bb541fe8b8136364125ba44d5403bbbb748590bf323cbf624d85728e22a9fdee9064246bf3e2b0bdc44a6b02f524b1186bdccb01aebb0183820c2cc085b54a7d4a387b12343c9f6cc8eb2213bbcbe14255484d115a2d2ef050fde27c81a7aeed304bf96e59eb106c076dd4ffe776841e4182ef1e2f35bf523934869919af2b2177c9ee9e9c0ab6ad52af5b57614b12c2d08bc0e0beb9bee88c9ae9e70ab53b4a5b3de2966aef097e016549c494e4d961771435c618ffe1369697e5f228e99401687c6e2276f9ea75d7ab76232060ef0b549eaad978fa290c5fdce3b0dbb5763b122358d6f2c1056ec755663a4015c8a4d00f0114e9efa73dbea5a5d35fb6b9e20f1942dcece8c48adabb1c4649de10440217dbe6b5b6389623779e0eb9b098e59c0525cc1cd59dd1109cada0e1fc87c00bebcbd784ee828b1cdc019207e918c356a8b51f58ad9a44c364b43c6fe8e4e40d9d7dce30598dc43bf317f3d4d6f29d947c5427c63a93797c274d2b685fc8661f939f4849d961e2bcaa4094c331fa34c28ae5869cd58bbde8e3f59d364d9f342f1rootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootfreeradius-server-3.0.21-lp152.2.3.1.src.rpmfreeradius-server-utilsfreeradius-server-utils(x86-64)@@@@@@@@@@@@@@@@@@@@@@@@    /bin/sh/usr/bin/perlfreeradius-server-libslibc.so.6()(64bit)libc.so.6(GLIBC_2.14)(64bit)libc.so.6(GLIBC_2.15)(64bit)libc.so.6(GLIBC_2.2.5)(64bit)libc.so.6(GLIBC_2.3)(64bit)libc.so.6(GLIBC_2.3.4)(64bit)libc.so.6(GLIBC_2.4)(64bit)libcrypto.so.1.1()(64bit)libcrypto.so.1.1(OPENSSL_1_1_0)(64bit)libfreeradius-dhcp.so()(64bit)libfreeradius-eap.so()(64bit)libfreeradius-radius.so()(64bit)libfreeradius-server.so()(64bit)libgdbm.so.4()(64bit)libpcap.so.1()(64bit)libpthread.so.0()(64bit)libpthread.so.0(GLIBC_2.2.5)(64bit)libssl.so.1.1()(64bit)libssl.so.1.1(OPENSSL_1_1_0)(64bit)libssl.so.1.1(OPENSSL_1_1_1)(64bit)libtalloc.so.2()(64bit)libtalloc.so.2(TALLOC_2.0.2)(64bit)rpmlib(CompressedFileNames)rpmlib(FileDigests)rpmlib(PayloadFilesHavePrefix)rpmlib(PayloadIsXz)3.0.213.0.4-14.6.0-14.0-15.2-14.14.1_FN^y@^p^h^@\\v{\u*@[<[2*ZZWQYY@YlY, @XO@X@X*Xh@X.@W@WiV@V.Vf@UĝU@U@UU8U7@TZ@TTT~@T|X@Adam Majer Adam Majer Adam Majer Adam Majer Johannes Engel Michael Ströder adam.majer@suse.deMichael Ströder adam.majer@suse.demichael@stroeder.commichael@stroeder.commichael@stroeder.comadam.majer@suse.devarkoly@suse.commichael@stroeder.comadam.majer@suse.demichael@stroeder.comkukuk@suse.deadam.majer@suse.dejengelh@inai.deadam.majer@suse.demichael@stroeder.comadam.majer@suse.demichael@stroeder.comjkeil@suse.demichael@stroeder.comjkeil@suse.dejkeil@suse.dejkeil@suse.demichael@stroeder.comvcizek@suse.commichael@stroeder.comtchvatal@suse.comvcizek@suse.comdimstar@opensuse.orgvcizek@suse.commeissner@suse.com- freeradius-server-radiusd-logrotate.patch: fix permissions in logrotate global section (bsc#1170505, bsc#1174905)- update to 3.0.21 (jsc#SLE-11896) Feature Improvements * New stored procedure for allocating IPs with PostgreSQL Rates of 1500 IPs per second are now possible See raddb/mods-config/sql/ippool/postgresql/procedure.sql * Add SQL IP pool support for Microsoft SQL Server See raddb/mods-config/sql/ippool/mssql/ * Added RCNTEC dictionary. Closes #3168. * Added Pica8 dictionary. Closes #3179. * Add TLS-Client-Cert-Valid-Since attribute holding not Before date Patch from Boris Lytochkin. Fixes #3157. * Generate attributes containing unknown OIDs See raddb/sites-available/tls * Update the WiMAX dictionary. * Added ability to rlm_python(Python2) show a stacktrace from errors. #2979. * Add WiFi Alliance Policy OIDs. See raddb/certs/xpextensions * radmin now shows coa stats, too. * Sample schema extensions for summarizing data in SQL See mods-config/sql/main/*/process-radacct.sql * Update dictionary.aerohive, dictionary.fortinet, dictionary.arista and dictionary.erx. * Added VAS Experts dictionary. * Many updates to RPM and jenkins builds from Matthew Newton. * Added %C (time now in seconds) and %c (microsecond component of now) back-ported from the "master" branch. * Add reload capability to systemd unit file in Debian and RedHat. * Increase timestamp precision in postauth to maximum supported by each database and simplify (and make more consistent between drivers) the timestamps in SQL queries by using expansions. * Option to set dictionary path in raduat script. Bug Fixes * Various fixes found by PVS-Studio. * Set permissions of certificates in bootstrap shell script Fixes #3132. * Increase the 'nasportid' SQL field for 'varchar(32)'. #3141. * Skip processing proxy reply if there are no home servers available. * Update SQLite IPPool queries. Fixes #3177 * rlm_sql_unixodbc fixes. Fixes #2822. * Fixes when building with LibreSSL. * Fix the rlm_python3 build. Note that this module is experimental. #3183. * The rlm_python should append the 'python_path' paths in 'sys.path'. It fixes the expected behavior to use the existing Python modules Fixes #3180. * Fix rlm_python to print the script errors properly. * Bound total query time for PostgreSQL. Fixes #3253. * Many fixes to Oracle sqlippool. It now does 500 IPs per second without any tuning. Fixes #3270. * Reference sqlippool by it's correct name. Fixes #3272. * Revert 3.0.20 patch which caused crashes on duplicate clients. * Update WiMAX-MSK attribute. Fixes #3280. * Fix crash when trying to access non-existant regex capture group. * Use timestamps (request or server) rather than SQL NOW() in accounting queries so that these are stable when replayed from a file buffer. - freeradius-python3_patches.patch: upstreamed- update to 3.0.20 (bsc#1146848) Feature Improvements * Added Force10 dictionary. * Update dictionary.hp with new attributes. #2690. * Update dictionary.aruba with new attributes. #2696. * Fix side-channel leak in EAP-PWD (bsc#1144524, CVE-2019-13456) * Relax OpenSSL version checks, now that their API is both public, and stable. * Note that tls_min_version/tls_max_version also support "1.3" Since there is no standard yet for EAP with TLS 1.3, it will not work. * Added tripplite dictionary from #2760. * Switch to the async interface for rlm_sql_postgresql so that we can enforce query_timeout. * Added new LDAP option 'allow_dangling_group_ref'. * Updated documentation and functionality for EAP session caching See "cache" section of mods-available/eap. * Tighten systemd unit file security. Fixes #2637. * Disable TLS 1.0 and TLS 1.1 support in the default configuration We STRONGLY recommend doing this for all installations. * Add expansions for *outgoing* Radsec connections "%{proxy_listen:TLS-...}" for TLS-Client-Cert-* and TLS-Cert-* attributes. Fixes #2839. * Add %{listen:tls} which returns "yes" or "no" for TLS or non-TLS connections. * Update dictionary.lancom with new attributes. #2847. * Added rlm_sql_mongo. See raddb/mods-available/sql. Note that this module is experimental. * Added more documentation in sites-available/robust-proxy-accounting. * sqlippool now re-allocates unexpired leases, to prevent IP pool exhaustion when clients perform multiple reauthentication attempts * Add support to radmin keep the history in ~/.radmin_history. * Add support for ENV and LD_PRELOAD in radiusd.conf. See the new ENV sub-section of radiusd.conf. * Update dictionary.aptilo. #3002. * Update dictionary.airespace. #3039. * Add sites-available/coa-relay, which makes CoA easier #3045. * Add example stored procedure for IP Pools in MySQL See mods-config/sql/ippool/mysql/procedure.sql * Update dictionary.dhcp dictionary with the recent hardware types. * Add experimental rlm_python3. This should largely work the same as rlm_python, which was Python2 only. * Add Dockerfiles for Debian10 and CentOS8. * Add RPM spec file compatibility for RHEL/CentOS 8. * Notes on certificate constraints. See raddb/certs/server.cnf. * Add NAIRealm example to raddb/certs/server.cnf, for RFC 7585. Bug Fixes * Allow listen.ipaddr to reference an IPv6-only host. Fixes #2627 * ERX-Acct-Request-Reason is "integer". Closes #2635. * Fix a slow memory leak in the file management code. * Try to fix file permissions if they get modified while the server is running * Fix slow memory leak with clients. * Fix request and connection timeouts in rlm_rest. * Fix systemd issues. * Fixes from clang analyzer. * Fix missing include for the dictionaries: alcatel.esam, altiga,alvarion.wimax.v2_2,aptis,asn, audiocodes,avaya,bristol, columbia_university,freedhcp,garderos, infoblox,motorola.illegal, starent.vsa1, telkom, wimax.wichorus. * Fix internal sanity check when running with "-Xx". * Allow "inner-tunnel" virtual servers to work better with "accept" and "reject" policies. * Fix dictionary.huawei data types for Huawei-DNS-Server-IPv6-address and Huawei-Framed-IPv6-Address. * Framed-Interface-ID in postgresql/queries.conf is string, not inet Fixes #2817. * Fix rlm_cache to complain on unknown attributes in the "update" section of its configuration. * Add configure checks for -latomic. This helps on armel, mips and mipsel. Fixes #2828. * Add support to Oracle 19 and 18. Via #2857. * Add support for decoding tags in rlm_rest. Fixes #2848. * Use correct passwords when updating CRLs in raddb/certs/. * Properly separate "originate-coa" packets when accounting packets are read from the detail file reader. * Use the correct virtual server for pre/post-proxy. * radsqlrelay fixes backported from "master" branch * Fix DoS issues due to multithreaded BN_CTX access (bsc#1166847, CVE-2019-17185) - disable python2 for SLE15 and Factory - freeradius-server-enable-python3.patch: enable Python3 module - freeradius-python3_patches.patch: backport python3 fixes from upstream - freeradius-server-opensslversion.patch: updated- Enable memcached driver on SLE15- Add missing BuildRequire on samba-core-devel required for windbind support in rlm_mschap.- update to 3.0.19 (jira#SLE-5890) Feature improvements * Update dictionary.cisco * Update sqlippool to allow for stored procedures with PostgreSQL. This increases performance substantially. Patch from Nathan Ward. Fixes #2540. * Re-added "show client config" command to radmin. * Cleaned up mods-available/sql example so that it is easier to understand. * Added pfSense dictionary. Closes #2581 * Update dictionary.h3c Closes #2592 * Update elasticsearch/logstash config for v6.7.0. * EAP-PWD security fixes from Mathy Vanhoef. See http://freeradius.org/security/ (CVE-2019-11234, CVE-2019-11235, bsc#1132549, bsc#1132664) Bug fixes * Update dynamic_client module and server core so that the functionality works. This has been broken since at least v2. * Fix crash in sqlippool due to escaping changes. Patch from Nathan Ward. Fixes #2532, #2533. * Fix systemd notify, watchdog and unit files. Fixes #2541, #2499. * Fix erroneous length check in EAP-FAST. * Update documentation to remove old "ignore_null" configuration. Fixes #2578. * Fix default POD port. Should be 3799. Fixes #2591 * Correctly encode vendor-specific "encrypted" attributes. Fixes #2600- reformat changelog mostly by wrapping lines - add missing bug numbers for security fixes- update to 3.0.18 * cleanup_delay can now be 30 seconds. This helps with proxies that have packet loss. * Do-Not-Respond policies can now be set in the "post-auth" section. * Encode / Decode ADSL Forum DHCP options. * Fix module ordering issues. e.g. when "sqlippool" needs "sql". See the "instantiate" section of radiusd.conf. * Add Big Switch dictionary. Fixes #2252. * Add sql_session_start policy (raddb/policy.d/accounting) This minimizes race conditions when using Simultaneous-Use (#2257). * For rlm_perl, all variables are now tainted by default. See raddb/mods-available/perl, and the "perl_flags" configuration item. This change should only affect people who are using variables in insecure ways. * Allow "sqlcounter" module to be listed in "post-auth". * Add support for IPv6 attributes in SQL. Fixes #2280 * The server is better at handling fail-over for outbound RadSec and TCP connections. Fixes #2284. * The server is now more aggressive about retrying failed outbound RadSec and TCP connections. Fixes #2284. * Add TLS-Session-Version and TLS-Session-Cipher-Suite to the "session_state" list. * Add expansion for Radsec connections. "%{listen:TLS-...}" for TLS-Client-Cert-* and TLS-Cert-* attributes. * Add notes on running "ldapsearch" using the parameters from the LDAP module. * "ipaddr" attributes can now be cast to "integer" type attributes in an "update" section. * Move main thread queue to using atomic queues. This should help with contention in high load scenarios. * Add "recv_buff" setting to listeners. For more details, see sites-available/default. * The sqlippool module can now use attributes other than "Pool-Name" to assign IP pools. The "Pool-Name" attribute is still the default. * The "unpack" expansion can now unpack substrings. See mods-available/unpack for documentation and examples. * The preprocess module now does "ciscvo_vsa_hack" for Eltex-AVPair Fixes #2301. Vendors SHOULD NOT USE THAT KIND OF ATTRIBUTE. * Allow for -LDAP-UserDN. See mods-available/ldap for more information. * Add sanitizing of control list for moonshot. Fixes #2318. * Update rlm_sql_mysql to be compatible with MySQL 8 Fixes https://bugs.launchpad.net/bugs/1795310. * Allow logging of only Access-Accept or Access-Reject messages See radiusd.conf, "auth_accept" and "auth_reject". * Removed Connect-Rate comparison. It was unused and broken. * Add dictionary.infinera. * Use OpenSSL HMAC functions instead of local ones. * Some SQL modules can now use "auto_escape" to escape unsafe strings See mods-config/sql/main/mysql/queries.conf. * Add wispr2date conversion in mods-available/date. * Implement dictionary-based handling in rlm_python. Fixes #2334 See mods-available/python for details. * Add support for SKIP LOCKED in sqlippool. This can improve performance by an order of magnitude or more. See raddb/mods-config/sql/ippool/*/queries.conf Fixes #2383 * Allow PSK and certificates at the same time Except for TLS 1.3 which does not support that. * Update docker scripts. Fixes #2306 Patch from Matthew Newton. * Add crypt xlat. * MySQL connections can now skip verifying the server certificate. Fixes #2481. See mods-available/sql. * Add better mechanism to detect MariaDB (Old MySQL). * Add RFC 7532 "bang path" support for realms Fixes #2492. * Update dictionary.ukerna documentation. Fixes #2493. * Add support for systemd service and watchdogs Fixes #2499. * Check for openss/rand.h, and allow building without OpenSSL engine. Patch from Eneas U de Queiroz Fixes #2517. * The default PosgtreSQL queries now use "ON CONFLICT" to better deal with issues. This requires PostgreSQL 9.5 or later. Please use a recent version of PostgreSQL, or edit the default queries to remove "ON CONFLICT". BUG FIXES * The session-state list is no longer cleaned in the inner-tunnel. This lets the outer Access-Reject section access session-state. * Fix typo in lock initialization for TLS sockets Found by Sergio NNX. * Add check for crash when home server down Fixes #2233. * Add username key for postauth table. * Better libpcap checks, when the header files or libraries are missing. Fixes #2245. * Allow building with old versions of OpenSSL Fixes #2247. * Allow non-FreeRADIUS State attributes to be used with the "session-state" list. i.e. State length != 16. * Be more aggressive about cleaning up zombie children when running in debug mode. * Use LTDL_DEEPBIND, which fixes issues with Oracle libraries exporting LDAP API functions. * unlock files when asked to unlock them. * return error instead of asserting in map code. * Don't write 0 bytes to SSL. Fixes #2270. * Remove "expiry_time IS NULL" from allocate_update query. Fixes #2262. * Various dictionary cleanups and consistency checks Fixes #2281. * rlm_python has stronger thread locking to prevent reported issues. Performance may be affected. * Don't allow Message-Authenticator to overflow past the end of a large packet. * Fix crash in sqlippool when SQL server goes away Fixes #2300. * Typos in man pages. Patch from Nikolai Kondrashov Fixes #2303. * Fix crash with CoA packets/ Fixes #2304. * Fix crash in rlm_exec with CoA. Fixes #2328. * Print errors while parsing the log config, and don't quit when deprecated log settings are found. * Fix DHCP encoder xlat so that it can be used with a list of attributes. It previously only encoded the first member of the list, and now encodes all members. * The "expr" module now skips more whitespace. * Remove internal FreeRADIUS-Response-Delay attributes from attr_filter Access-Reject. * Don't send junk to redis when maximum args reached. * Small updates to IPv6 for accounting schema Fixes #2364. * Fix OpenDirectory integration in rlm_mschap. * Fix slow memory leak with dynamic clients. * Don't artificially truncate debug output for long strings. * Fix memory leak in EAP-PWD. * Fix crash in "hints" file with Fall-Through = yes. * Fix crash / timer issues with many CoA packets. * Fix attr_filter so that it does not treat vendor attributes of number 26 as Vendor-Specific. * Fix reconnect correctly in rlm_sql_mysql. * Fix rlm_cache to properly use Cache-TTL < 0 Fixes #2485. * Fix rare occurance of bad xlat expansion. * Check for rare race condition when a proxy reply arrives too late.- install license as %license instead of documentation- also fix ownership of /var/log/radius in systemd unit- update to 3.0.17 Feature Improvements * Add CURLOPT_CAINFO. Patch from Nicolas C #2167. * "stats home server" now supports "src IPADDR", to specify home server also by source IP. Fixes #2169. * Add Dockerfiles for a selection of common systems. * Increase number of permitted file descriptors, for systems with many home servers. * Add TLS-Client-Cert-X509v3-Extended-Key-Usage-OIDs Patch from Isaac Boukris. Fixes #2205. * Update main READMEs. Patches from Matthew Newton. * Added dictionary.mimosa. Bug Fixes * Don't call post-proxy twice when proxying to a virtual server. Matthew Newton, #2161. * Use "raw" string value for shared secrets and dynamic clients It now parses strings with backslashes and "special characters" correctly. Fixes #2168. * Fix RuntimeDirectory for RedHat, from Alan Buxey. * Relax checks in 'if' parser from Isaac Bourkis. * Minor cleanups for %{debug_attr:&request} from Isaac Boukris. * Be more aggressive about cleaning up cached certificate attributes, due to deficiencies in OpenSSL. Reported by Nicolas Reich. * Be more accepting when parsing IPv6 addresses. Bug noted by Klara Mall. * Fix double free in rlm_sql. Fixes #2180. * rlm_detail now writes empty Access-Accept packets. * rlm_python can now create tagged attributes. * Don't crash on duplicate realm + authhost / accthost * Allow partial certificate chain to trusted CA. Fixes #2162. * Treat SSL_read() returning zero as error. Fixes #2164. * detail writer now checks if the file was renamed or deleted. * Add User-Name to Access-Accept if EAP-Message exists, not Stripped-User-Name. * RedHat Systemd updates. Fixes #2184. * Use correct API for State variable in rlm_securid. * Remove broken radclient option "-i". * Fix "users" file (and hints, etc). So that it does not get confused about entry ordering with multiple $INCLUDEs. * Fix rlm_sql to expand the un-escaped string, not the raw string. * Link default and inner-tunnel only if they exist. Fixes #2206. * Don't use both IP_PKTINFO and IP_SENDSRCADDR. * Always install signal handler for SIGINT (needed by Docker). * Fix intermediate CA flow for OCSP. Fixes #2160 Intermediate certs which are not self-signed will now be checked. * sqlippool now returns "fail" if it fails IP allocation. * Fix rlm_yubikey to look for correct attribute in replay attack check.- update to 3.0.16 Feature improvements * rlm_python now supports multiple lists. From #2031. * Add trust router re-keying. From #2007. * Add support for Samba / AD LDAP schema. See doc/schemas/ldap/samba/README.txt and doc/schemas/ldap/samba/ * Add "tls_min_version" and "tls_max_version" to EAP module for Debian OpenSSL issues. * Better documentation for client certificates in PEAP and TTLS: it usually doesn't work. Fixes #2068. * Distinguish login failure from AD unavailable. Fixes #2069. * Update RH spec files. Fixes #2070. * Run Post-Proxy-Type if all home servers are dead. Fixes #2072. * Print offending IP addresses when EAP sessions come from two upstream home servers, and rate-limit the messages. * Minor packaging updates. * Better documentation for rlm_rest. * EAP-FAST now has it's own "cipher_list", so that it is easier to configure. * EAP-FAST now forcibly disables TLS1.2, until such time as we implement the new keying mechanism from TLS1.2. * Add documentation for allow_expired_crl. * Update Debian logrotation. #2093 and #2101. * DHCP relay can now drop responses. #2095. * rlm_sqlippool can now assign Delegated-IPv6-Prefix. It also now can assign any IPv4 or IPv6 address. Based on patches from maximumG. #2094. See raddb/mods-available/sqlippool for changes. * radeapclient can now use EAP-SIM-Ki to dynamically create the necessary triplets. * Explain why many LDAP connections are closed. Fixes #1969. * Debian build / package issues fixed by Matthew Newton. * dictionary.patton updates from Brice Schaffner. Fixes #2137. * Added scripts to build "inner-server.pem", and updated mods-config/inner-eap and certs/README to match. * Added provisions for using an external CA. See raddb/certs/ * Include dhcpclient binary in freeradius-dhcp debian packge. Bug fixes * Bind the lifetime of program name and python path to the module FR-AD-002 (redone) * Pass correct statement length into sqlite3_prepare[_v2] FR-AD-003 (redone) * Allow 100-Continue responses with additional headers in rlm_rest. * fix corner case where detail files were not being locked correctly. * Fix (SQL-Group == "%{...}") checks, and same for LDAP-Group. Fixes #1947 * Clean up exfile code. Which should help to avoid issues with reading / writing 100's of detail files. * Fix build for winbind. Patch from Alex Clouter. * Fix checkrad for Mikrotik. Patch from Muchael Ducharme. * Fix home server stats lookup. Patch from Phil Mayers. * Add libjson-c3 as an optional dependency. * Require LTB OpenLDAP on CentOS / Redhat, to avoid linking against NSS, which breaks the server. Fixes #2040. * rlm_python fixes. Fixes #2041 * Typos in "man" pages. Fixes #2045 * Expand "next" in %{%{...}:-%{...}}. Fixes #2048 * Don't add TLS attributes twice. Fixes #2050. * Fix memory allocation in rlm_rest. Fixes #2051. * Update trustrouter for new API. Fixes #2059. * Fix SQLite issues on FreeBSD. Fixes #2060 * Don't do debug logging of bad passwords. Fixes #2064. (bsc#1099802) * More graceful handling of "die" in rlm_perl. Fixes #2073. * Fix occasional crash when using cisco_accounting_username_bug = yes * EAP-FAST fixes from Isaac Boukris. [#2078], #2076, and #2082, #2126. * DHCP fixes, relay, #2092, add run-time check, #2028 * Decode multiple RADIUS packets at a time in highly loaded RadSec connections. Patch from Jan Tomasek. #2106. * TunnelPassword is not "single value" in LDAP schema. Fixes #2061. * sql log now opens the expanded filename, not the input one. This was a regression introduced in 3.0.15. * Remove unnecessary UNIQUE constrain in Oracle schemas. * Fix SSL thread and locking issues when modules also use SSL. Fixes #2125 and #2129. * Re-add dhcpclient "raw packet" changes. Patches from Nicolas Chaigne and Matthew Newton. Fixes #2155.- Fix permissions of radiusd.service (bnc#1053654)- bsc#1055679 - freeradius-server does not provide winbind/AD auth Added libwbclient-devel as buildrequires- update to 3.0.15 with security fixes for issues found via fuzzing by Guido Vranken (bsc#1049086) https://freeradius.org/security/fuzzer-2017.html * CVE-2017-10978: FR-GV-201 (v2,v3) Read / write overflow in make_secret() * CVE-2017-10983: FR-GV-206 (v2,v3) DHCP - Read overflow when decoding option 63 * CVE-2017-10984: FR-GV-301 (v3) Write overflow in data2vp_wimax() * CVE-2017-10985: FR-GV-302 (v3) Infinite loop and memory exhaustion with 'concat' attributes * CVE-2017-10986: FR-GV-303 (v3) DHCP - Infinite read in dhcp_attr2vp() * CVE-2017-10987: FR-GV-304 (v3) DHCP - Buffer over-read in fr_dhcp_decode_suboptions() * CVE-2017-10988: FR-GV-305 (v3) Decode 'signed' attributes correctly * FR-AD-002 (v3) String lifetime issues in rlm_python * FR-AD-003 (v3) Incorrect statement length passed into sqlite3_prepare- update to 3.0.14 (still FATE#322416) Feature improvements * Enforce TLS client certificate expiration on session resumption, and Session-Timeout. See CVE-2017-9148 (bnc#1041445) * Updated dictionary.cisco.vpn3000, dictionary.patton * Added dictionary.dellemc * Lowered the log output for failed PEAP sessions. * ALlow utc in rlm_date. * The internal OpenSSL session cache has been disabled. Please see mods-available/eap * Update detail reader documentation. * Make outgoing RadSec connections non-blocking. * Add SQL backing to Moonshot-*-TargetedId generation. Bug Fixes * radtest uses Cleartext-Password for EAP, not User-Password. * Update documentation for mods-enabled/ linking. * Enhanced checks for moonshot salt. * Allow session resumption for RadSec connections. * Update "huntgroups" file to note that port ranges are not supported * Fix OpenSSL permissions issues on default key files. * Certificates are not required when PSK is used. * Allow SubjectAltName as first extension in cert. * Fixed talloc issue with TLS session resumption. * "&Attr-26 := 0x01" now produces useful error messages. * Handle connection error in rlm_ldap_cacheable_groupobj. * Fix endian issues in DHCP. * Multiple minor fixes for Coverity complaints. * Handle unexpected regex. * Fix minor issues in dictionaries. * Fix typos and grammar. Patches from Alan Buxey. * Fix erroneous VP creation in rlm_preproces. * Fix MIB. Patch from Jeff Gehlbach. * Trust router updates from Alejandro Perez. * Allow build with LibreSSL. * Use correct packet for channel bindings. * Many fixes found by PVS-Studio. Thanks to PVS-Studio for giving us a test license. Please see the git commit history for more info. * Fix incorrect length check in EAP-PWD. This may be exploitable. * Stop rotating session database files (radutmp, radwtmp) since these are not logfiles. - freeradius-server-radiusd-logrotate.patch: updated- removed obsolete freeradius-server-fix-cert-bootstrap.patch because recent /etc/raddb/certs/bootstrap simply works - update to 3.0.13 (still FATE#322416) Feature improvements * Add dictionary.rfc7930. Note that we do not implement the RFC. * Added 'cipher_server_preference' to mods-available/eap Patch from #1797. * OpenSSL 1.1.0 compatibility fixes. * rlm_perl: radiusd::xlat to evaluate xlat string within perl script * Allow authentication retry in winbind. Patch from Herwin Weststrate. See raddb/mods-available/mschap. * Added "recv-coa" method to rlm_rest. It behaves the same as "authorize". * Document Trust Router tr_port option. Patch from Stefan Paetow. * Update elasticsearch/logstash examples so that they work with elastic stack v5. Patch from Matthew Newton. * Print information about packets, replies, and contents in the detail file reader. * Update abfab-tr policy. Pull request #1893 from Stefan Paetow. * Reject packets which contain User-Password and EAP-Message. * Add example for filtering Access-Challenge. See sites-enabled/default. * Pull symlink fixes from v4.0.x. Fixes #1859. * Add systemd reload. Not everything is reloaded, but some is. Fixes #1662. * Better documentation for listen "ipaddr". Fixes #1921 * Add dictionary.cnergee, updated dictionary.nomadix. * radclient no longer needs -x to print statistics with -s. Bug fixes * Minor typos. Fixes #1763 * Fix typo in RPM build. Closes #1767. * rlm_mschap check for password expiry only if password was correct. Fixes #1762. * Update debian build. * update rlm_counter "man" page. Fixes #1775. * Remove erroneous assert. Fixes #1778. * fix mschap password change test. Fixes #1792. * Cleanup config file on data remove. Fixes #1795. * passwd module returns "notfound" if not found. * Check for old OpenSSL, and don't build rlm_eap_fast if it necessary. Fixes #1803 * Cleanup memory better after ldap version query. Patch from Aleksey Katargin. * Rename lt_* functions to avoid linker issues with libtool. Fixes #1277 * Many miscellaneous fixes and typos. * Allow long strings in %{%{foo} bar:-%{baz} blah". Fixes #1866 * Fix filtering operators, along with more documentation and more tests for them. * Fix OpenSSL fixes. Fixes #1876. * Finish SQL select queries even when SELECT returns no rows. Fixes #1879. * Set Module-Failure-Message for more EAP errors. * Correct typo in dictionary.rfc5580. Fixes #1882 * Remove obselete systemd syslog.target. * Client-Port-Balance load-balancing now uses client port. * Radrelay examples fixed from Alex Clouter. * Update systemd target. Pull request #1896. * Trim starting whitespace in xlat strings. * Get MySQL result lengths using normal API. * suid down after fchown(). Fixes #1914. * Fix cases of comparing pointer to NUL character. Fixes #1915. * OpenSSL v1.1 fixes. Pull request #1921. * Better Handle v4/v6 host names. Pull request #1919. * Remove "Auth-Type = System" from docs and examples. * Don't crash on malformed %{home_server}. Fixes #1922 * fix erroneous use of talloc destructor in rlm_eap * Issue trigger modules.sql.fail. Fixes #1923 * Document python_path gotcha's. Fixes #1845 * dlopen() the specific version of Python. Fixes #1592- Don't require insserv if we use systemd - Remove require for unused fillup- Merge changes from SLE to openSUSE (FATE#322416): * freeradius-server-radclient-init-error-buffer.patch - make sure we initialize error buffer. bsc#911886: radclient error free() invalid pointer * freeradius-server-opensslversion.patch: remove OpenSSL version check and assume we know what we are doing. (bnc#1013311) * merge .changes file, mostly. - do not attempt to detect "vulnerable" OpenSSL versions. SUSE security fixes do not necessarily bump version numbers as does upstream OpenSSL (bnc#1021375) - do not generate certificates in %post. End-user needs to do this manually. - keep FreeTDS disabled on SLE12 - we never shipped it enabled - require OpenSSL 1.0+ - use pkgconfig(systemd) instead of plain systemd as BuildRequires - don't list manual pages as %doc- Remove --with-pic which is for static libs only. - Use SUSE RPM group names. Trim filler words from description. - Do not hide errors from groupadd/useradd.- Add upstream keyring - 2 new modules: rlm_sql_freetds and rlm_eap_fast- update to 3.0.12 - still fate#320481 The focus of this release is stability. * Feature improvements + Add support for =~ and !~ in update sections. See "man unlang" + Add dictionary.checkpoint. + Simultaneous-Use prints out more information. + Print WARNING in debug mode when packets may be truncated. + Added expansions %{home_server:state} and %{home_server_pool:state}, which show the state of the server / pool. + Mark rlm_sql_freetds as stable. + Make rlm_perl less fragile. Patch from Herwin Weststrate. + Allow extended attributes to have "encrypt=2" + Update dictionary.aruba. + Add support for EAP-FAST. This is an isolated feature which does not affect anything else. + Update OpenSSL vulnerability list. Use a version of OpenSSL released after September 20, 2016. + EAP certificate verification is now done when "verify" is enabled and "ocsp" is disabled. + New dhcpclient and rlm_rad_counter man pages. + Minor abfab and moonshot additions. + Pass CFLAGS through from environment in RPM builds. Allows more custom builds. + Build with Heimdal in addtion to libkrb5. * Bug Fixes + Use correct typedef for older versions of sqlite. + Update mssql schema to add priority + don't complain on /dev/urandom in ldap + fix == operator in update sections + Don't create DHCP strings with many trailing zeros. + Allow MS-CHAP change passwords instead of complaining on large buffer. + Allow assignment or equality operator on SQL. + Update aclocal tests for FreeBSD 10. + Remove occasional hang in rlm_linelog. + Copy VSAs to inner tunnel for TTLS and PEAP. Fixes #1544 + A few minor bugfixes caught in v3.1.x cleanup, and back-ported to v3.0.x. + do_not_respond again works in post-proxy + Allow realm "~^.*$" {} and User-Name with no realm. + Fix leak when creating unknown attributes + Fix Debian / logrotate. + Make OpenSSL error functions thread-safe. + Fix crash with rlm_sql and updating SQL-User-Name. + Debian build updates. + Allow regular expression comparisons in radclient. + Fix memory leak on unknown attributes in detail file reader. + Update example paths in "man" pages when installing them + Build fixes for rlm_mschap. Fixes #1489. + BSD build fixes. Patch from issue #1583. + Be more careful about /lib/ when building. Fixes #1585. + Correct ifdef placement error. Fixes #1572. + Allow for more files in internal "exfile" API So it will be possible to open more than 64 "detail" files at the same time. + Remove support for statically built EAP modules. Fixes #1591. + Many fixes to rlm_python from Guillaume Pannatier. + Use correct week adjustment in SQLcounter. Fixes #1608 + Minor fixes to allow compilation without DHCP, VMPS, or TCP. + Fix checks for module / config file change on HUP. + Compile regex comparisons when sent via "debug condition". + Update filenames in documentation and examples. + Don't crash if SQL connection becomes unavailable. + Disallow originate_coa when proxy_requests = no. + Free rad_perlconf_hv in correct perl context. + Multiple fixes for Debian builds. #1510, among others. + Set OpenSSL FIPS compatibility flag when necessary. + Pulled fixes for the build system over from other branches. + Fix OCSP for RADIUS over TLS. + Fix skip_if_ocsp_ok behavior. + Better fixes for systems without closefrom() but which have /proc. + Minor build fixes back-ported from v4.0.x. + build --whout-ascend-binary. Fixes #1761. + Be more aggressive about not opening new connections in debug mode after CTRL-C. Address #1604.- use %{with} macro for conditional inclusions instead of hardcoding version numbers - improved package descriptions - fixed builds on SLE12 and SLE11SP4- removed installation of experimental module rlm_sqlhpwippool.so - update to 3.0.11 (fate#320481, bsc#961479, CVE-2015-8763, bsc#935573, CVE-2015-4680) * Changes of version 3.0.11 + Feature improvements - "unlang" comparisons of IP addresses to IP prefixes are now detected, and types automatically cast. - Allow shorthand form of ipv4prefix values e.g. 127/8. - Add "auto_chain" to raddb/mods-available/eap, tls subsection. This allows the disabling of OpenSSL auto-chaining of certificates. Which might be wrong. - Added printing of coa and disconnect stats (radmin). - radclient defaults to expecting Access-Accept responses to Status-Server. - Updated dictionary.lancom, dictionary.starent. - Portability fixes for Solaris. - More errors from ntlm_auth gets passed to MS-CHAP. - Update abfab-tr-idp virtual server. - Added "filter_password" in policy.d/filter. This removes embedded zero bytes in User-Password, for compatibility with broken clients. - The server now issues a WARNING message if duplicate configuration items are found. - TLS can skip the "verify" section if OCSP returns OK. See raddb/mods-available/eap, "skip_if_ocsp_ok". - Set TLS-OCSP-Cert-Valid = yes / no / skipped, which is the result from the OCSP check. - Interoperate with AD and "LmCompatibiltyLevel = 5", by always setting WBC_MSV1_0_ALLOW_MSVCHAPV2 for native winbind in rlm_mschap. - TTLS and PEAP now require "virtual_server" to be a real server. - Print WARNING when TTLS or PEAP identities are spoofed or not properly anonymized. See RFC 7542 for requirements. - Various rlm_python fixes from Herwin Weststrate. - Allow setting Response-Packet-Type in "Post-Proxy-Type Fail", which is useful when the home server does not respond. - elasticsearch updates from Matthew Newton + Bug Fixes - Fix issue where field nas_type would not be accessible via the %{client:} xlat, for clients loaded from SQL. - Fix compatiblity issues with OpenSSL 1.0.2. Ignore calls to msg_callback with 'pseudo' content types. - Data type "ipv4prefix" is parsed correctly. - Use correct talloc context in rlm_exec. Fixes #1338. - Complain in unlang if "else" is used with no previous "if" or "elsif". - Send accounting status packets to the accounting port. Fixes #1364. - Print out CFLAGS when doing "radiusd -Xxv" - Fixed bug with coa/acct stats value #1339. Based on patch from Jorge Pereira. - Fixes for LEAP proxying. Don't use LEAP! - Fix issue with "directory already exists" seen when doing "make install". - Fixed bug with radmin related to the option "stats detail " - Complain if the detail file reader does not have permission to read the "detail.work" file. Fixes #1398 - Fixed SoH. Attributes were not being copied to the virtual server. - Used a wrong list to global statistics in "stats". - Create EAP-PWD identity correctly. Prevents segfaults. - Dynamically validate authentication types for PEAP and EAP-MSCHAPv2. - Fix includes in installed headers. - OpenSSL 1.0.1f and 1.0.1g do NOT calculate TLS 1.2 keys correctly. See raddb/mods-available/eap, "disable_tlsv1_2" - Allow password change to work for MS-CHAP. This requires 'r=0', because password changes are not retries. - Fix home server fail-over for home servers using TCP and/or RadSec. - Special characters in expanded regexes are now escaped e.g. User-Name containing '.', and comparing /%{User-Name}/, the '.' will now be escaped. See src/tests/keywords/regex-escape. - Use correct authentication vector when sending Access-Reject replies for RadSec. - Set FreeRADIUS-Proxied-To in TTLS again. You should use the "inner-tunnel" virtual server, instead of relying on this attribute. - Fix debugging constants in rlm_perl. Patch from Herwin Weststrate. - Add samba-dev / samba4-dev to debian builds so that rlm_mschap can automatically use the new winbind API. - Automatically skip zero-length attributes when sending packets, instead of erroring out.- fix bsc#951404 * Rebuild of freeradius-server package fails * fix source url - ftp://ftp.freeradius.org/pub/freeradius/ + ftp://ftp.freeradius.org/pub/freeradius/old/- update to 3.0.10 * Changes of version 3.0.10 + Feature improvements - Do more optimization of unlang policies. This makes run-time a bit faster. - Re-name most of the functions in src/lib. Third-party module authors will have to do the same. - More documentation on contributing and how to write modules. - Update radiusd.service for systemd. - Open IPv6 proxy socket if the server is listening on IPV6 auth / acct / coa packets. - Create debian packages for DHCP. Fixes #1125. - Add more tests for "update" section parsing. - Update "man" pages. - Update attributes for Alcatel 7750 - Add dictionary for Boingo Wi-Fi - Add support for DHCP lease queries. See raddb/sites-available/dhcp - On HUP, check all modules for config files which have changed. And only re-load those modules. - Allow FreeRADIUS-Response-Delay(-USec) to be set for RADIUS packets. Patch from Herwin Weststrate. - Documentation fixes from Alan Buxey and Matthew Newton. - Update "logrotate" script. - Added more RFCs to doc/rfc for new standards implemented by FreeRADIUS. - Don't crash when doing "radmin -e "help hup". Patch from Matthew Newton. - The dictionary parser now does more sanity checks, which prevents run-time problems with invalid attributes. - Update debian packages. Patches from Christopher Hoskin. - Many other debian packaging fixes from Matthew Netwon and Herwin Weststrate. - Add "session-state" to Perl. Patch from Herwin Weststrate. + Bug Fixes - Fix rlm_files so that there are no collisions when loading 10's of 1000's of users. - Fix radclient to use our internal v4/v6 parsing functions. v6 addresses with ports now work correctly. - Fix sending/receiving packet messages to wrap v6 addresses in square brackets '[]'. - Check for sasl/sasl.h when building rlm_ldap, and disable SASL functionality if unavailable. - Fix issue which caused a non \0 terminated buffer to be assigned to attributes if the value being assigned contained an invalid escape sequence. - Fix deadlock when reconnecting connections in the connection pool. - Fix potential overrun in functions that used fr_utf8_char with a non nul terminated buffer. - Fix decoding issue for Tunnel-Password type attributes which were very long. Found by Denis Andzakovic. - Fix radclient issue with TCP sockets on FreeBSD. - The server now creates ${run_dir} and ${logdir} directories in daemon mode, when running as "root". - Handle tags when using maps. Fixes #1191. - Fix crash when CoA packets time out. - Fix parse error in rediswho - Fix regex support in SQL radcheck the "users" file and radsniff. - Register listen xlat earlier, so that it's available when the virtual servers are being parsed. - Parse Ascend-Data-Filter when given as "0x..." - Print Ascend-Data-Filter correctly. Add test cases for both. - Allow old-style clients again. They will be disallowed for 3.1.0 and following. - Complain instead of crash when "else" and "elsif" are in the wrong place. - Clean up memory more aggressively. This lowers the maximum memory used, most typically for TLS based EAP methods. - Prevent the server from unlinking the control socket of an already running instance. - Fallback to using the configured OCSP URL if one exists, and no URL is provided in the certificate. - Return CoA-NAK if proxying CoA fails. Based on patch from Jorge Pereira. - Lower peak memory usage by decreasing size of internal memory pools. - The control socket is now left in place if a second copy of the server is accidentally started. - Allow virtual attributes in "switch", "case", etc. Fixes [#1240] and #1265. - Many spell check / typo fixes in comments and example configuration files. - Better handle multiple DHCP listeners. - Don't print secrets for old-style realms. Fixes #1267. - Don't fall through in empty "case" statements. Fixes #1274. - Update EAP-TTLS so that MPPE keys are correctly calculated with TLSv1.2. - Always delete MS-MPPE-* from the TTLS inner tunnel. This allows TTLS / EAP-MSCHAPv2 to work. Fixes #1206. - Fix off by one error that caused some MSCHAP-Error messages to be sent without the password change version (V=3) and the textual message component (M=). - Always include C= V= and M= in MSCHAPv2 errors. RFC 2759 does not say that any of these fields are optional, and not including V= caused errors with wpa_supplicant. - Do not include M= in MSCHAPv1 errors. It's not supported.- Fix boo#912714: freeradius can't use ntlm_auth * Create winbind group * Add radiusd to winbind group- Remove gpg signature file * The gpg signature checking is broken and doesn't work- Fix bsc#935573: Insufficent CRL application for intermediate certificates * CVE-2015-4680 * freeradius-server-CVE-2015-4680.patch based on https://github.com/FreeRADIUS/freeradius-server/commit/a03814af310bb3bee74ea012546d99c48b0ea5c3- update to 3.0.9 * Changes of version 3.0.9 + Feature improvements - Make "pool" configurations more consistent, and update documentation for them. - Move connection pool logic to "most recently started", instead of MRU. This should help with pool stability. - More VSAs for 3GPP2 - Added examples of multi-value attributes to rlm_perl. - LDAP-Group and SQL-Group attributes are now dynamically allocated. - Only the "sql" module registers SQL-Group. Other instances register "instance-name-SQL-Group", similarly to "ldap". - Unknown attributes are now complained about more often when used in unlang statements. e.g. if (Foo-Bar == 3) used to be a string to string comparison. It is now a parse error. - Rename RLM_COMPONENT_* to MOD_* in the code. This makes many things easier. - Move to C99 initializers for modules. - Load modules in raddb/mods-enabled. This allows attributes like "LDAP-Group" to be used in the "files" module, without explicit ordering or listing in "instantiate". - Added 'bootstrap' section to modules. Third-party modules will need to be updated. - When adding clients from a DB, add them to a virtual server if that virtual server has a "listen" section. Otherwise, add the clients to the global list. - When reading dynamic clients from a file, don't expire them if the underlying file is unchanged. - Allow the server to originate CoA requests from the post-auth stage. - The server creates ${run_dir} and ${logdir} in daemon mode, if they do not already exist. - Add dictionary for Wi-Fi Alliance Hotspot 2.0. The server now supports all mandatory and optional attributes for this specification. - HUP now re-loads the configuration only if the files have changed. If all files are unchanged, HUP re-opens the log file, and does nothing else. - Much better debug messages for EAP-TLS, including which attributes are cached, and when they are retrieved. - Increase default max_requests to 16384. Memory is cheap now. - Added "stats memory" commands to radmin. Debug build only. - Aptilo controller dictionary updates. - SQL modules now use Acct-Unique-Session-Id everywhere. - The redis modules are now stable. - The LDAP module now supports SASL "interactive bind" method. This allows Kerberos based administrator and user binds. - DHCP code is now in libfreeradius-dhcp. - More DHCP encoding / decoding unit tests. - rlm_replicate can now be listed in the "accounting" section. - Better sqlite debugging output. - Remove "required" option from many sql_ippool directives. - Set default CA "basic constraints" to "critical". Fixes #1073 - Updates to help / man pages from Jorge Pereira. - Added more tests. + Bug Fixes - Be more careful about unused config item warnings when using -Xx. - Move more defines to be auto-generated. - Allow virtual servers in proxy fallback. - Allow %{module:} to work. - Don't crash in RadSec. Closes #980. - Return better errors when a unix group / user is not found. - Re-enable detail module "locking" parameter. - Don't crash when logging replies from Status-Server packets. - The couchbase module now uses "update" instead of "map", for consistent with the rest of the server. See raddb/mods-available/couchbase - Don't require NT-Password for MS-CHAP password changes. - Be a bit more careful about decrypting MS-CHAP-MPPE-Key attributes. Closes #1013. There is no perfect fix, tho. - Fix security issues with EAP-PWD. See http://freeradius.org/security.html#eap-pwd-2015 - Fix dynamic clients read from SQL in non-debug mode - MS-CHAP now allows retries (i.e. password change) when passwords are expired. - Allow "user=radiusd" when the server is already user "radiusd" - suid up/down works on non-Linux systems. This means that the control socket should have the correct ownership. - Fix issue which caused the server to sometimes have problems when a home server was marked zombie. - Fix format.pl because Perl is now more picky. - Fix proxy to Packet-Dst-IP-Address, so that it uses the correct destination port. - Fix corner case with cursor functions and removal. - OpenDirectory fixes and documentation. - Fix leaks in rlm_redis. - RFC 6929 "evs" attributes are now encoded / decoded properly. - Fix talloc pool leaks when receiving malformed or retransmitted Accounting/CoA requests. - Printed attributes again use double quotes instead of single quotes. - Set X509_V_FLAG_CRL_CHECK_ALL, and add "check_all_crl" to eap.conf. Fixes oCert CVE-2015-4680. - rlm_expr now errors out correctly on malformed attribute references instead of triggering an assert. - Make "break" work in "foreach" loops - Allow dynamic expansions to work again in the "hints" file. - Correct minor typos in comments and examples from Alan Buxy. - Re-urlencode the path portion of ldapi:// urls before passing it to ldap_initialise. - freeradius-server-rlm_sql_unixodbc-configure.patch removes hard-coded directory in configure script of rlm_sql_unixodbc - install new module rlm_sqlhpwippool.so- minor adjustments/cleanup of spec and changes- update to 3.0.8 * Changes of version 3.0.8 + Feature improvements - Allow syslog_severity to be set in rlm_linelog. - Allow defaults to be set for bulk clients in LDAP and couchbase. - Updates to dhcpclient. Patches from Nicolas C. - rlm_mschap now supports direct connections to winbind, which is faster than ntlm_auth. See raddb/mods-available/mschap. Patch from Matthew Newton. - Recommend /dev/urandom for TLS randomness, instead of ${certdir}/random - Allow TLSv1 to be disabled via "disable_tlsv1" in tls{}. - Allow Expanded EAP types where vendor is 0 (IETF) and type is normal EAP type. Supplicants sending Expanded EAP types like this are broken. - Add support for server side sort controls when searching for user objects in rlm_ldap. + Bug Fixes - Don't complain about "authorize" in "server {}" blocks, but only if there's no "server" block. - Fix cosmetic issue where debug from the first packet read by a detail reader thread would be emited during config parsing. - Fix ASSERT on truncated detail packets. - Don't use main server log functions from within panic_action, as in the case of syslog this would cause deadlocks if the fault was triggered from within a malloc. - Fix issue in "switch" when "correct_escapes = false". Fixes #911. - Fix sqlcounter configuration to use "%%b" instead of "%b", otherwise the new syntax validation will fail. - Allow forward references in configuration items. Modules aren't always loaded in a sane order. - Fix more escaping issues. Closes #912. - Decode MAC addresses correctly for VMPS. - Fix memory leak with TLS connections. - Fix state machine threading issues for conflicting packets. - Fix copy_request_to_tunnel issues for tagged attributes. - Allow "ok" to over-ride "updated" inside of Auth-Type sections. - Update state machine so that post-proxy is run though child threads for performance, instead of blocking the main thread. - Allow "netmask" to work again in client definitions. - Relax restrictions on SQL group queries. - track outgoing proxy sockets and clean them up more aggressively. - track proxy statistics, including CoA and Disconnect. - If radmin has a connection failure when running a command, it re-connects and runs the command again. - mark home servers "unknown" less aggressively. - Fix potential SEGV in PostgreSQL driver on error. - Fix issue where fields like nas_type would not be accessible via the %{client:} xlat, for dynamic clients. - Set default busy_timeout (of 200ms) in the sqlite driver, so writes don't cause selects to fail in multithreaded mode. This is user configurable, and may be increased if required. - Convert Password-With-Header attributes to binary (from hex or base64), in the authorize method of rlm_pap. - Fix invalid assert in state.c, that could cause abort in post-auth. - Fix double free when -m flag is used, and connection pools are referenced by multiple modules. - RADIUS over TLS accounting uses the same port as authentication. - Regularized return codes from radmin commands. - Fix RHEL spec file so it works correctly for Centos7 which uses systemd, and didn't like the SystemV init script. - radwho and radlast now have a -D option to load dictionaries - DHCP packets are no longer checked for duplicates. - Don't crash in sql module group comparisons in corner case. - Calculate MPPE keys correctly when using TLS 1.2. - Fix load-balance sections. Closes #945 - TLS certificates are available again in the post-auth section. They are not available for session resumption. - radclient encodes CHAP-Password properly when using -c Closes #955. - Fix issue in rlm_cache_memcached driver that caused variable length values to be truncated. - Fix track functionality in detail reader, so it no longer fails with a "Failed marking detail request as done: Bad file descriptor" error. - Actually add the peer identity (as User-Name) to the inner tunnel in EAP-PWD requests, so it's available for lookups. - Fixes to PostgreSQL queries. Patches from Santiago Gimeno. - new set of consolidated patch files: deleted: * freeradius-server-2.1.1-logrotate_su.patch * freeradius-server-2.1.6-rcradiusd.patch * freeradius-server-initscript-pidfile.patch * freeradius-server-radius-reload-logrotate.patch * freeradius-server-var_run.patch added: * freeradius-server-radiusd-logrotate.patch * freeradius-server-rcradiusd.patch * freeradius-server-tmpfiles.patch- Do not disable as-needed build - Remove the with_sysconfig switch and just stick with versions- update to 3.0.6 - fixes a segmentation fault in PEAP module (bnc#912588) Feature improvements: * radmin / raddebug conditional errors are printed to the output, instead of being discarded. * raddebug will exit if condition set with -c was invalid. * radmin auto-reconnects if the connection to the server has gone away. * rlm_cache now has submodule support. See raddb/mods-available/cache * New memcached driver for rlm_cache. See raddb/mods-available/cache * Add support for &Attribute-Name[*] in conditions. See "man unlang" for details. * Add &Attribute-Name[n] which gets the last instance of an attribute e.g. Module-Failure-Message[n]. * Allow for redundant string expansions. See the "instantiate" section of radiusd.conf. * When checking IP addresses in conditions, make the right side be parsed as an IP prefix. * Support JIT compilation of compiled regular expressions when built with libpcre. * Support named capture groups with "%{regex:}" when built with libpcre. * Increase regular expression capture groups from 8 to 32. * Emit error markers for badly formed regular expressions. * Allow 'm' flag to enable multiline mode in regular expressions. * Support limited implicit attribute conversion in update sections. * Support casting between IPv6 and IPv4 where the IPv6 address has the v4/v6 mapping prefix (::ffff:).- Drop .keyring and .sig file: freeradius-server still uses MD5 signatures, which are no longer validated/accepted by GPG 2.1.- update to 3.0.5 Some of the new features: * Allow LDAP to specify arbitrary attributes for dynamic clients. * Allow one level of backslashes (finally). See radiusd.conf, "correct_escapes" setting. * When supported by OpenSSL, allow TLS 1.1 and TLS 1.2 in EAP methods. * Allow multiple new connections to be spawned simultaneously in the connection pool, to cope with spikes in traffic. * Use kqueue on systems which support it. This allows for better scaling when using many sockets. * Home server "response_window" can now take fractions of a second. See proxy.conf. * radmin now supports "show module status", as thee counterpart to "set module status" * "ipaddr" will now use v6 if no v4 address is present. You should use "ipv4addr" or "ipv6addr" to force v4/v6 addresses. * "client" sections will allow "ipaddr = 192.192.0/24". The old "netmask" is still accepted, but the new format is preferred. * Allow custom HTTP headers to be set for rlm_rest requests using control:REST-HTTP-Header (attributes consumed after use). * Extend format of %{rest:} expansion to allow HTTP method and POST data to be specified and urlquoting. * Add support for aliases in rlm_ldap. * Add support for connection pool sharing to all modules that use the connection pool (pool = ). * "tls" sections now have a "psk_query" configuration item, for dynamic queries to discover a key from a PSK identity. * Preliminary support for EAP channel bindings. * Foundational work for dynamic home servers. They do not yet work, but this is now only a matter of updating the "realm" module in a future release. * Support &attr[*] syntax to copy all instances of an attribute when used with the += operator in an update section. May be qualified with a tag. * The logintime and expiration modules can now be listed in the post-auth section. This makes some configurations simpler. * rlm_sqlippool is now IPV6 capable. Set "ipv6 = yes" to get Framed-IPv6-Prefix returned. The SQL queries have NOT been updated. Please submit patches. and numerous; bugfixes - remove gpg-offline - create /run/radiusd after install - drop freeradius-server-opensslversion.patch (upstream)- freeradius-server-opensslversion.patch: do not check the minor version of openssl, minor versions are supposed to be compatible. bnc#906682lamb05 1600894966 3.0.21-lp152.2.3.13.0.21-lp152.2.3.1dhcpclientmap_unitrad_counterradattrradclientradcryptradeapclientradlastradsniffradsqlrelayradtestradwhoradzaprlm_ippool_toolsmbencryptdhcpclient.1.gzrad_counter.1.gzradclient.1.gzradeapclient.1.gzradlast.1.gzradtest.1.gzradwho.1.gzradzap.1.gzsmbencrypt.1.gz/usr/bin//usr/share/man/man1/-fmessage-length=0 -grecord-gcc-switches -O2 -Wall -D_FORTIFY_SOURCE=2 -fstack-protector-strong -funwind-tables -fasynchronous-unwind-tables -fstack-clash-protection -gobs://build.opensuse.org/openSUSE:Maintenance:14190/openSUSE_Leap_15.2_Update/388d832197792b54bb381a0d0865d9cf-freeradius-server.openSUSE_Leap_15.2_Updatecpioxz5x86_64-suse-linux ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/l, BuildID[sha1]=cede8da504c5aef5fb6151ba5c0c214818afa2dc, for GNU/Linux 3.2.0, strippedELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/l, BuildID[sha1]=ac1a9d53ed8b97648822f0899aa578185c31b334, for GNU/Linux 3.2.0, strippedPerl script text executableELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/l, BuildID[sha1]=157194ba79b3d44e11e1e337a4f32e7643cba4cd, for GNU/Linux 3.2.0, strippedELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/l, BuildID[sha1]=7f98fc17972ba67ebad1af195f328d15227a3893, for GNU/Linux 3.2.0, strippedELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/l, BuildID[sha1]=bcd5b42677420fe39947fa2a6ceb3d4a9dc7e80f, for GNU/Linux 3.2.0, strippedPOSIX shell script, ASCII text executableELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/l, BuildID[sha1]=b4818f81dffd6f75d1074aed8cf388e1c7ae419c, for GNU/Linux 3.2.0, strippedELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/l, BuildID[sha1]=351311d6666e9ff1b7c3adc026d31f651cb3263d, for GNU/Linux 3.2.0, strippedELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/l, BuildID[sha1]=b2d69120b2bba01c50e054e01cc58b2024df7ccb, for GNU/Linux 3.2.0, strippedELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/l, BuildID[sha1]=bf2f4555c1e4deaef5fbf7a0d5e6c4dfdfab42e4, for GNU/Linux 3.2.0, strippedtroff or preprocessor input, ASCII text (gzip compressed data, max compression, from Unix) #./ABMNOYZb    RRRR RRRRRRRRRRR RRRRRRRRRR RRRRRRR RRRRRR RRRRRRRRRRRR RRR RRRRRRR R RRRRRRR RRRRRRRRRRRRRR RRRRRRRRR R RRRR RRR RRRRRHP0`BjA`ֈJutf-81d0a88c324dc56e14087ef64ce5f6d69d1a69ecd85c48341e4adeb9b7eab587a? 7zXZ !t/;] crv9u}2c@ W.A`\4#*F=*?n0/4 T!xeQJ*$WNw1C7ڴ( ,B[ohS[v_?2,^Xtw Ǖ}so@iƁ^YBixsNp aټ5G{nW0؍Y5#j}&Ewa&M5^Q/9Ǎ!(0F H Ԓ=g͜?i,NpI: F8PNL-Qc֯?md{=0?JʏfLP2*Axc (Z2sXT/yb_,(-8un2 b0E񯃒ŪXUZ`‰B[";K@Mz~U CPU?iyܧdw" _̻M=(xiJj'e'9-nPZoWN4gL=Fq4x@W3)%Yf+PV3fUvԇ}\G;!mXa2 T*RCB]j3gjF_J C` >]PHaxPpYНc#Zfat7wC:r3tY'o5OH *ݺmuThCӖa]vnfJfWDdN_sp])ckxQ6` mR yN*gR]"]#CEBnkk S 젧`U"J|*5a2ko :l@ $\3y^ɻs{X3=,zO 2֐'פИ!s#SB4TfdϹdM)q"4(4-;*ɩqs枋=ΎVCT?UrT` ^bCލyk>l+L|UI]8o;ӵ 4=y+NJ#`^w20S%`.%$l' j˱rʝxg.VJ H]%Bnى(N[:;7MQw%gc>':(JHa.´O-̈́Tfr)$]d:?6R7L;~~٘\G,]%6֕$I;Ovv b'M}'yޒ͒,g2A.3nDAOÊTӍ<иQ:54Q 5_ ÌP %PMyY`rLH<]GWڽ0?AG .OÌ& 1`5NǥĜ<Ҕpnbg XQ5{ BLo:],|WE d0)bssn~RGr~Bx9'lqheq&, q.eb<@؄Z+x+\Ex$;B7O`^ O+VxN"P\b+x`} Շ}z%^Q3am8fUAЬӌFH|;'Nzs4J=5k`=$r|;nZ}'d`r'V #FX"]e.u/7acEY .W.^:er03gPjvBjғ_V̀V/dOy]>$-#Y9)qby6XUcx*'B}MKx.˚dv(&Z*MPx^SΊpaZ@vo v8jYY4:ʶq%j Jl5F1% }ar*N}տ-_'6_l=_$fEJI~&i q7wؤ&#d+wjTPȌ+b8hnDK{i\Xe W`L_r¨]]r^M~S@$LBL2c5#qyUF4d /SJu5yЫ=hbƂ {nJ DBQ޾(̔ƕ+đ jΠt=*Ī|vi3/nd7. f:þo>pe"y "zзcZyr?FޒFq^}Q+^ݏ+/$;$vF"i<u~ECgBL xNw:YRCܢ͜uXi-`-dK`!/)]ocˌSt6Hw2Zm!'#m9w=yIޗ_@Ly`䪆kz._n49wtT~EҌ,vNI&Wȝ8mjo8K.!֯?C%7Y'K L\M10:\`=A⥢s@&86>Zt M=uxJW|qG9nrCN3G<UgQ\?7R3Bc^ݼ.\؞3`aڟ l~|M?5mƆ ]ɺ-*ۄ [a@P3t%ǥreLԷ -iKwbBdb+:X3¾q`١&w_D9\WF`s(,yϵ1?-MŇ=ƀܢ߈lZW^yɘp?I^$ M;ߦ,{mrl+Ľg@%e,wș7>ziD 1"tAxDBJQZP+G~*H$=DȜR{(lFrDv.#V2-Z$Sڳ9>Z !{sѩ 2ˬ$-A1y"ۈ">e:;sQh8\Ț7!}P^5A £!J`2JZ[4c uic@QU-%\܉'Us!2?kNΕƵ/Z(i,_w"__ۣP+)%$[s6\o Lt't?*.kg 79.~Va%%މ lϠI<ը/ =JzP|NRdM5Ёj+DAl/k072~ -7S[I ٚ.>'ws 'd cnQ G<0[ ^)W> (&⍞'hRX>\興iQ+?&u[4u~0{5MS hu|+ 5dY|w#( aWmᇍΕ`)=AӐʠ8ThF$5~z尒'u&C}Jx i9..}Ev5]-,'$7tEEBjj#ڌ@Qf^ac kKU~컙74$im0e2_`_x8CGCDbUϼsCb JYly5DKSlvH! y"c^6E :il$RJȊf6RA1OSB)JW9BtG)тB! >kr[Ok1ч5+)&?e%|ʵ$;PX=X׍j~:rܡt n]:bD)'d!Ulc `BFS} DiR{x{Ž1KCPgi*(JysqxN٭oB)L6v-֙SYTen=ӑ3- ݶz'it 8Ӌ>Aेay˄ۭ?#Azl5˜(egAY/ >N@Fsh}@Ѽ%¤P ǎ̟nYMr~za-tmTe %XBl:˿ؕk'sF%c=.d+?Sy}n~0p/7ȡ]΢)0![5>;xS-ڡ_c׹|DL ק 6#>Jo߆y  afaZVUsO19d:Uka[3Z|AH> H_h`g`5t~BhJ2hCY?S}J=2=Yncr!gC~\~1+QJ>\[unk-^1B $=Е в8² u5 |e輄WP2?q7"cd֥I2%oiϼ?2;Fն%6Jx5 RƝ߻u*ZZ*tɢTߒ Pv.rW+wQvѫX7)D!lZ]ǎj)ֿ5%&a+Fq\22j`. Qc7qr-0% .m91P XK%Ut/8J˾[Op%m=pWɀ3]X۔ B )X1H@ z_ױtRkHJc3~k<.{? |Ă4y t4[kr!?JCx1-g [ڮ@r/+hTH0"Epe7s9IH[\\ítH@9ޖSZ#\Q1&m _.LQT:.@I}DujfԈ*Zw׮؋J9SPTc-8ʍYF9]Kmay/&Fv V-Ey峋Fo`L(IV5ܴ0īQ]LYb-ʅlhX[=ҽ&{w$gW+l>d5JMU|J6ѶeoǔDIw']d2BzФxB.F`ܡI"5srf:zsYߍH؉4>&W*NkZYi5Gj/]1/+Q$H$Q մn`p|1Tɱ' _@GV}[#jWfk@{Fge^"a]o/`?iA:wύsryBFV4(NGl@(yu9-p񤁰A[D}\v& 0BBtQ=@)Dn \Z&]X"2C}6.Ґ>' *B-4R:+E+QGI^W&Ar-jC>3oh:%h-֠G0ks8V+cƺl `Ҍ޴[[|9#F*TU 'c*WMG%~E$yրp@ٛw` p7^D0D.%APo1!$ n*w3 пV.S;̸hpe<(u VN״!bN=$RnU|Xú#+cr;, *('_r𹢩䋢Gi - Y ^ׅW2Of`Fhxa_V%y$χh 'N|:j{w.N[3nJRmjIKpEQ D|+r:15ʜVGxɨ?q4wvR/ziܦ u)5:^C&9TQ ?\Y cկMsM#.8pRsH y(ZMw]ɒs˻dNVϽ Ȭ:wJKн.E+ _e[8GYB S˲5~t1S!&cv,Ys1k:7{ @WM) 8BQ {q { -h _^|u8DGgˆaj*@uHԳ11(VlEQ| $+v )i/8ulL f7wDZz9љjګg XX^^8+nIDZjɃ?S\{:CzsX& +ߴs|ReJ^jz`i?^:h&tYQny ? s14I<*G,c0qD8Ly|OZYqu)R{;PWr2s='~6[ܜMGKӍ-08S~gRn]EdBN>aFb9 |;u}HV7/)W:U /g"Ʀ6Ëk/r,9 *_5.j$;<Olނc~luONCB2Yx!u|FcTa0i'n7tq=crߎٕR5SEu &!#0e_vUԪ8 l98pXduҠU6@AEŸ k/|Yb+ f$W AK*_bHGk6jo?$\:o hkH}}1QhHwײLW)?|D< "jQdqx)X|mvVtz Elj}Z -gk`X2lq: gc?w/Z'vDdp_c'$ 䦘TԄ2>Q/MtSNz綩7eYz!#t=)՞@}aƇDxy4m\r->s>T':ZK#o`f¼(vOQ%L)kXd΀q Ū,U/ 6i#ZMG\C}]uj-v `3 XXO^c8@/t >'@b˽k ׄn-S]{WaNgC}t|t+߻ WZuwmFYwg T%gY2l4uGNJʹܘd²li!@Py<3R2$8*yfmhFNj5Ap :5TֵwbNlOq&2n@@?94F~NbU}^uܩak셔|Km1 B'sKmY|,L åz.]rѳNf4p:lSk|;B3]\z/H |¯!<aFnC{2u Pz#QW$Ώ 9gC}.4X&i, '$urv߃]YL@K#kϐNi47΁(t"Gfɷņ]D6wMtͶ<{2 U}g dyR1@Gsܘm LiioDwrF Fld`8s6,e?!$WFCtaor [ 7|VUh j UʶzggOF :g\kS'JcvYy-S 5S D]/ҷ3*=c(|?ӨB~f; Aļᑩϰfk^ezܑQ# ;A1̡ɯ,ujbykrQ oiNC )^Ҁafbi2?=F\{?%4tj姢-yTDpS&~0keNAkj gL4g[W|'g8P;cgt,s&Rkܘk‡tKvV}Zu}▾h1ZM+-2GzƆ?}Vj4@s`9!,y\11:3WH`u暯UY6z%a}>onvC>z?S̆y[7d&-HeN5j}WeW)n7z$E(U?q]A8/aX F-E{@/*AS:&F $K\m%Gj^e\gy%6!KP\G`vo☌AR]&}'Bc+}eyÜ|}}{i25PhP9 .^Y ^=3` iW ;/L^Y^%i.ViCyY>z`BI)\aVXv[> ޻κ7;ȿ+:? c˭l0ZEx3Ȋݛ,rȊrq"%.`.i,ԿHOl4W$۹qVGQO]56$DB勇!Mrvb?AmjpdJ adLط6"&l֥04VFVu%P/z,SM /϶E A$\^K%[Vd#{D+k̈LƩ;N'pKGX7C A{5ulqLf@ ŜDxpWb/^h MrbkЋ\KgP.ڛC,ΞYB{B7q =DeOElhL,7eR*GեK: -R ]xnR^8%CyxcV㕾ss6A!9w"< 曲Wcvi:JG,mbM~Hl&|J#ThԪ*ȔyZ³ õgaR)`̴5d>Gtcke&vrVQ@a4v`+}[.m?b O]<^^UY}Ξ790F G͒ xki>#L'z *{Nknѷ'm&4RMg%YH``1^Rn~wle(mme%Yxtf[tz +i>fp+dsB4H_WZ\)]d)߅;.ӭ|zڻJDap񺐟bA~Q:y/b2@PGwɏMP6nbO2M;=vENoh 9i5~xn !J#Ô:GfS ExI胑|^$f i%z#Tپ=klHXQ gݹ+J57)P&s&tcC ּs'?ip=C԰ZhN"ЛA&̑i?Q|n<ʤzbE3^ϕ}%t ?=|5 z73qp׌3G}my^h}YIkׇ?-0 "o,y~ǁ r+ojB͛!6`ҋ9PԊ1_ X;$Kʋe\ .m{ݑ~;y[w^4H-2IS^Y^z5Kg3Fс ժVtR0wl>ΌЭ/zA\u!7]|ZˈnW3e.H"Tr1-9D%Y m31څT ˝o<8LD>߽ .j-ڗH:H|nmxsPNM$< PI'v6wK0Y!0\Ve9G|cqJyӝ #J 52i(Ϧ%xaLǟZ\y?^3 bUt)9*3K~(TÃOBt7^ĩg[ܡRPH8N~-O,9 oqH1;KDU9-`pT6Ef0„m! a.kƲH~5``pἼr9xtbއS `&Ү]ᆬB.sڷƂwX8d cyխuŜ`Ķ`]$R*'_9t-!$c5unɯkm/ح ޞ9}VOcܾe:gܺ`Sot=;T_b|"zoOO5C瑮qA 㺾B{u?j=k?5VI{pzL>֋I,hкh/7v\gQΧmRjKbW8ӡ(ooQ*7{s] `PKa5ϛSHGY7fC-*gmXF=STR͇Qn"bcm5,F>ī؄iD%='IF~D'z9-u%x { TcI^]એ:21TX-&y=ۊ {s2a |w(j|h̿ s-B3рyZe葥|Ӥ:3gy‡ V1Y_s>4fGX*LvX쿞j}Ǽw p0$䩘J 4cUOW>btR|e yHv3 qbmYz mq lVe4BNLq){K:fG$V :/4$#6"8G4|B'лkaϠKk '?w0KWՄWW@鹆W J$dcF_1TŅ\ DN= :ςTJ"n7AOS bqa+Ը3E6٫Z-j󿤲HGQ1z}S@da(WrlP6PmQr7&p{Tvm? /$uPyxS;wΧu\9-^6;רwUoy3^KܕsǯHb~ ̻zϹ~o2e1vj;'z |T6={PN7J__yF; W<&KDFe6?Y Im*Jpʿ۠d9M8SGVXxC5=:W!SVC!4^ȡCA~izS qlQ E eMw%lġe5A'n#m2$=u0:KLT5 NKmĕ3N@gĤ\+H#ԋ}cARgO:O{*Nʝh7㘍 [m[6Ԧk5 dPeYZ\Qi%-ЁAJ=sšАD3|O-UtqpW~ri/loݬV&ȌIQȧ7Z/Ȯ/};~ (&Ӹdjb$ f{ KznȡUQOO[eG'_<|B8Sf/_{jM9"-EXyf$6;JE)~V2<>[ Lrd4"^wGMSȥ{GT/Svq@KG9c{V 0Г[h͐N"%,+:RF ˆ+-,E>5C#MCx غ%.A䩸'vËJtX'cϽJuXP.е?WDoMi] ~ꠐ Gơ,Ț &jI/2zx17l֖Y'PcffCJDeBMr1H:߸IFфWrdznlJ 1]5޽2:7l1u m[BvDd/fWHqݿ-9bl jOG٫@v{L.!/0{u@)Lh)誤_?1vguA_̔ sf&4 *E쯉/!qƷ c >jL~LR" NX-:Ti?rr&7 eVSό"υA`_!E[lrBb#F"(TNIy0(cE4em۔;j]k],:{cpjzHlQF0bЗ1,:8ȶH(VUvAE+A5R5enRt!"1-Yc Lޣ{f4g|,P2B ZD`E]*lx$ Ҍ1v RqyjVF4CԠ=;~ Iö{s〆V!c.Xcou1U Nb ϊֱor|9yYEhn"zɲ4;nQ7l<.Aa8&=\AbYAiʐ0y8_5)e"k96Pӄ`$/kBMI=8MWT3E2ە.TM.*ٗ{/l e=;x,t%yln4*SK,idl ~OoK,1Lcsp?ɱ&g4M[fY=jH#׫4;F$%!3ۆ^ ZgL/T *gNOeB!:?Y\qbv(<*g~з%UTvͰ{0TaVY޷{d k.NMʌFBYK%G$sJg8lt? #SD$X⭚K yV-b Uᖵ"5 !J+B1:?[SQ7[gmo k`v4հUۮK9˦qx[ #DV/Baq %2wx_D|rM5XN`=T{wXEٷ"w;":vv'V|ן@q\M%kk{$~h#ۚiMig-D&@kAgre|\]٫_$:@?_,w =k:[§Kɒ0`dhGbh@w+jj:̜R@`"ig*f(Fg*_FՂRض~r顀 nM@VꄬBԝф!^鄉wD0ݎ[:ȣ!d 8ȍ.,dbNG1s` 6a+Mqh9^ռ^lLjxO߈x@`GGDi Ft/φYeCN7tP';.5x=33 qwq)uJ=ygB\bh~Uh#Zc`P@;ُ.A_!C2"#ukU(ѧ eڢdsEk ͵^ʳdTJiA50t (&D?=C^@ۛ&@kn὿`s"!UkKjJ\+X\N#A%/Qs;ܨ# x /3&YB cFz9\EyKkfAXy7+A1˲ Y"8gG݀)6αкID/VYء^H\1foܞ {)‹婨^%bmTNdZk!RY*kS$n!D+ 61tW?sgϮ~Wv^Ap d~HkvŜP`53T?2"Ҽ'$ץv{HqWE%x 1%$ r~8SZr.v)r".0P+Yu&z bh2켨P*f!u([,)gBqEpL74cBQd $v-7  M5㹸 DSvt^ҦPlw#: 턘3w!b&rQ|~b/ ! g"`yMFzÈ$`*\{Ń4f -Q!7iކ!⟴U&&VjUgz{c*Vd}[,wO O&@(8p'0 وB!k)$0f c烔oVA+0$r-ՖҦ鞮 L#[jlZw)/1S~ZV:}|;E N  qiXG"{`r$L -2οaA2u߄WHIǐ?4jV\ Nl64Dj=K&yG>`k\{!w54ymu$s4L81ŗJXN EMŸ6SqjCbx#$_u!zHF(oi9#^2.d$wYf,= 3@3^+̪zce:MM3݃}j/#+pWܙ4 NBP0~CA O$\#Ch 6RR7dUVR{|; +;E$uZڜLm$8|)V 9$y# 5Q_6]O *^ R8Puiz O.K(@3&Hbci> D#o@WiNK&עj `[<.ψW68sMɍ|,Ο^Y+F&?hg) Ou]`=4 CZQS}_E[rra}rsS V۴5B'53/cW/*M} 1&"R\`f"Rlj+ o䬾-h^d1y?%C,:׊WǦ,'X 5'8~aL J:5<-CI\7DV̕T*cǥwCmD>(p 4[%yi2ρ;&=E }`XbUɎځgt1dߧ=m/6-iOȝ`BXG\<28@M: (t|J9o)h#Sh$du陆le*#!"{U72O=ç hMW/ut3+l/9iS}kk8#-nfalL7?y#=)4g,MmRG =)ڟ()c4aO925ā-Μ)fLcϽe %Hj;l ]CK(ř[f q7lon\&騟A\+]j%K t7hAAM>D:E0}[ܟ?ʂқ_zh%e{qT"h(K^2,0F Mcdž9kEzl& 2pR"˺*m̃תgI|UU,0iDETƯB6( ?MnOhoF! UYߺRzjкao|mv`-NEC5+@aEDS7nĈjM,"KBGIo"G#a)%.7;cgO.E fpKvAu O] ]st =]BeZ+<'"M-Q`'Pq>?!V;rP/'A-A nU6CU"q%Ҷˌ*?F m1얈+eE7 $#*:@ier(º~o#=.& C4D1hqHډ|͌nfՌy2 ^.堮+ nw_>E%p뢾 9J:uAxK`X5}Ͻm LHZ_3*X[~2VbQTZfUSaڷ6P jinI9>1OZؽh1dlHU3"U($/h;-t0?6۞"Iw{kQe-4ٶ:q#Ҵ*B4'WWUSA> 0ho Uϱ[& _f yGP˷`N6I1V6&Znԇp*" ]~; w>Q/3uYȴS.ɰzYYx4ՠ[v,&ŠBW4oha监J+Pbx*,A7P.o/:Kn֫'w{%‘2 95AJV4^$iK' s Uб\*[O 3 <IC.U_譞Eѐls}CG5RxFۡ4!S'^+_K D"پYŭOrop4GJ؆22Br_:j[ε󪫲aU˹rQ9)ǔqhfhbh>IܞL}h {lM|9TP<45]s@|/L7Sp$Y O0&@I0 Jih8]^Tꄓ'e ګB&m&E#3o zQDn*! Az6w<#gTTb_WVSXBYpb&*}|K.$F~EZjV { ߅ROcfpSE裈0E { Dn2|V"*9WZzބkWN^%1{|DWo<3GtJW_60VHYgnb7u_Z#A(9vE#5 *t -32D4vg,Su\x<ɂYM~:9QsMt-/oi ~`h=%pvGW[( L1X `zn&ؓYH QK!V^Jo-08=٢Uʳڳ"gn3]p N+Lt =@apixG^jFQ:NW2Ϛ2kFZ=\䞡=3nц>R [hOGsϠudWkYDUA*Ÿj}!*#hHG%땖h >o@6TH=+7,N8G .4=,|' rܡg5BT=w-_jɇN`ަo4 /ҭ"إidy+F| g;M!n%%6XIlة[_ ͶbPJeAA^'0e[pYI,EP~+b )p&}- \}Aʁ/0p8^ɫ԰Z!(fiw=:IPdW0Ǩ d,ҌMsLo?pT%.tqldh){*7B:7X \0ZT!Z̳̠uCn^-H, JCLkJm #,m~T2v Kc0<_F驨C-Dq'=Lsz9i ;,G}s?ڲZSp*:#!#LG$Sk~[ xLImTAr >% A6SB&H.:ٸ3&ܚoH9yj5bW'5:$|hv͂2Ol~ زGu6y>sUN~kfCFp*TbK e^\` يLjktlg6{蒰ºL;jkq9bӮ4aU| sA_JDW|o}IwQ)4\Z:KahMFӕ<YT*T7THX®)سñxÏ΀0Dj4 i m8_t?紌+r$~pΆ%¥E^<]pt>3lQ /2ءn/zOu``$@^C[bnă7OOfZyE[gD2u C5?/pɲ@ҋ< T?YceUmOB)joxsz?J9L"ǹxa .9dڻ-,G ,od/[ 85ny5‡;g_FLXGV#WXXmk35uHqO3mFb`NEv]B>͛%I>{\/ ,s|L5:wee6"0޵&`|t\B {=(-Z`."il&+wd,E4 q%/]wJ d+0j"JЊ)Pw ԐJ3uw wFy4xA 5@!NXW;pHl^L>7w頍g%$}2n6Nb'{M(dif=ԯmzb<Ȏ6oM㣥$rEsv%) a3rP0uXyls@‰LgC|lLzgU.F^;:]#ddsnY/ 5`YI,87^}3GnUGǐbƇJo SAf$D YA?+Zs G/}`Uip bg?K`"3s+1ji& ڢئc>T"#,ڞ BSY^1|#ȴv-4`1g4dm2)9Qbo xȈ*evXmJ*3vba|K.CC=E@j(|ۘ"杙ǫ;V3k;s[:mI̹ˊ8Y*ȠوVԛ/h|+ {9?@|pz ᧕u:K/[Urpv٨ TY%MZ#?ltL;JP ׼Q>N ewӥ~gRUã)HY; I/k_4I7L9Q:agH3AY±>p<1㒡aJ[^WXY |VNȔ$pWi&2+>)hv'G6Cdrp] SaY X<2]cd'H['ZM|r*⛳6\j\~ /c,Ƃ>E%?,׺I{X;xw\.xjvje`gXGM.ŽCg5EVmzP{5ʴROKdJw?%Z?0nI~ZBN`|%ifa`u[wz8W81*{d:Px_yAɭ*AZYqy"BuC!c{]}Kv`%]ԈZ@V_&.cGZȵZ }$̈́|9?nbM~jczb)g VUrm 2ʪ/CT[=CCL=[wEy>#]]Heog0=3?82|siL":hlf!RmtjR|wJrbjj=v'㧋ljz,\J=xW~uՌTFU^}ӰGއ=Ntqѷ ’ 9sv{Ǝ'N%/i~1|CڹYY#L[(“𮚱v/",V=~z`W{P="ޒMО"Ji 6QY) hF)f'1ؚD;a>(]XJD S20ٽx<)GC)+IyD`QYuV`Y2G/v=_=f+.lG񺯉yEaUBC?mV$T+2RrHHlRtIRѪ' }Cye0Os27cl-UJB݄6 wV6~'ppJ?gi. }[\ y|u6>SB}R-l#a.={-\ V;z‡/=B8_bGw<KC }-JQ]v֜a\"o"#Laˊ]_-8~`ߍ9$R(B^tP ɒ bẘoS}qTw&菼GDEXR mz%}J$FA!=Q]ed&͡Um/>VW T:$6j#҄T aWwf!=.E*-'Nc>'qRdt [fu+4(#;$Ө_8 |b.ըmZ+ qGΣ#rbX껠`"n=fo&& qxO?q$ VNB6eq4jQ#y\7P:##zOHe].Y!E=#S3NZ F;l H4l2b㌡T)>W-GjOi!YPtF( *BCe& f!/+ NK@*hE+(auukؒmhAA@MꥣˬA N4IJ;7NB_]o1'kf|s?m|][6\zRIj2G+LPK-LlW o ,W/K"ku8J†Qa/nA*^a2 Bؙa $qG\aiQ#j-sYzy(38)(+xGN0wFkyw֨vTE0{Kl &o;Qk(@dWbpD;FY$ i4>sϴ1,TMR:?닾+' $NE8Z*5tn[ _,GUXg՟ ?-խmT^zh in1\Q {,Ğ1E/3+Tbի]nj ȹJݐAzE^Q G:7\ xN&V)}qEۧ@]*p؛2raey.v“Z.H5_9; Bxugd ڦ.niܻ&eV]t (mTiy&r:#ФQXƆ}$ D݌ZSҪ3T(w ftᾱfa G_ٓ"S)(CMRf;bSJ#3:7ˮȋ3NsC4jTQӷޞ$V+0dfh=m{v/`P`3!JI>A0~ѦW% IERh RnbCz q\֞af?5E{kA7K*g%q| w$|MĄ)n.iQxJ QޯOCTKt:35gεS nnu ŏ1*JZ#BVMU *DsH>kc׳5hî!i*qgrsT|=mbK.tr`#$o[:;ǘd]M jhOb#h9{@xjF'2sHhKMv`VMHonK+Pmk}>W_p7b/1Q|^GbaJZ&aˣO߅@ekE(aK;>F ӐOk.ur]5e/@v?!Ԛj 9)x!_hN'n`0Kxα'R_bˇ2KYDGH!׳MQ 3-^:7~E>*ͬE>2JG`uAXe,KoaĕaTm>"@g3fnTM | ID{X<›33)lBX=>uUcW@*F] S+ vL3g_x̌G1>b"9Y]TBeS\5rV4J| )'Xt/I,pkK8~|Э=\l,/Fa]/WQPw!5z5'P'BC&(A6Lvj`>/TAHT y jHnq[.w x ~: &}%(CO\oeխT>@@r*p׵vu[ަ_n  ;䄗DT&+STa54'y koĔ01S(l<π!lppۏg[*Ysw`xƭf36태-r57k8H֬rlIvx;gF&ooz"o8X"u)`RՄ-8{ $JT_Al?Tj~ujQbHqlńxI!M /EJ:P2-Oص̚UJ;)Cy>LY._9PPJ=17˜{))XS%8q zq,u^4&/P G9d/L-i{͘J)69="J5Ov"3kR2J EA\dzq!;|pꢪaY_4]5\I=O|8fz. x?U񻿉89wB="}(5//4#k$,\wb*tJ}G&^"`P^~68r>i>U8h}7)u.O>/ET\a'+ZFrQ23yb|BE_. DD.^ ,f 5qRJ̎!mMd".`iwGd}6n|$.4- RbЋ &XaJV(}oP7Šz7yTW.ڔ:mlbMjRAhv0 ډEF%z2EGEc%oik{&N16 J+!;H)7-d=OIbn_KlWj\ ^)VE8X#C4^;*~@Ds# &1SV ɓ0ViތPT`vF-ީ"{Csh-m7#|ȳ$'s+X Ň[=liЗ 3M%\/)4r*xCz}D_ :F3Lw۳3qI.YM4Yurځ.FQ E7c{meHn5{Vl0847& ِe9w)^d^ 3(~ [֡ -6;z!o% ؍SԘp~G̪Rv0M$/_@ZOm\ WNOq-Ҭ'>oN\*rs mN2UB +K75ec},kiO ~O)sBKQa߰ff%[Z*0EA?y;TvVϾU"س'e{m!_dj.*,h/z@;tYO#=_(vZ)u"yCu[5WPcڔa YgtP# M@Tjf"=5϶Th[Y KWJ_"&+@>$B y/}hhZpWdL9Jt)=oĀlf[C`rIQl&e^Wӈ}ݓo2Xe.#^Fz9*6j'6R%h(iLac;G.i6el߭LdX2sDH#v$&޳rЦ1ųM㜲s XB򮙕W[;=p`f5|.\;Dˢ%?jNoB>UG]صV<5_п}S$f*Vи"`.l.Y[h C\ àZg+_p(qՇ Km8Xo,*Tաe)AGbCWUO /ȏcUHlKdP1|׹O]_'@Z%RDtL+);akC0~ۀA pӼЛxd?c&Sp|-=5 )N#|YeU/Zc){'1z &z)3:!X4/@mu6ؿ`g_qc8L/#znlޓg+{.^ُPO3In/s'jq %xAR-|?;7EbZY@G޵(ՓgӮ'g/OAV(+]_KiIȬ$F%ɬԌ/g'~ZٺOQyx:U .K8AD2-R@ 2&}x_8uW'l2'\,"v2O?Xسep!Fbjǒ@'(EcMLnxPt)S;6 %N^Vg e6 *яHexFbVsش=[!T%HA:5޻ T<1 [rxBA_4AƄmXWJIL ! oݲo-kMsU٫TxQ/bٙ,L"eVHBM^x3Gr7dj6z>eF:~RW<݃g#JO[\%O۵Ä)#ϯQ%{͇ KRc Ч?40=;Ki?ȿtW6[xvmv~xT2N(^"D"pA ;=I@W){ՙ~}Fomw af\@^LHHϿw nжliFf Φy3=eiawSZ|Jx j/+;&c*EI|ziyfQ)*Qo~zŹHW? ȈHaZ=J]u (u0'YNma aKQ8,jPRw tN&~ V7&y"nb[նnK+mlr4]2п+6b2ec6am`PW!u!%Z'3Cpk7KwW8s-o)"2xM͇/ڿq>E<0^M}50}DMJ(C1^_nŁ.3G]td84,7c$UbE 0qc LXC IhJ;OIS;\ Fu+-~,ϧ'-Oe=b\GHGo&P'bNMAk#F4kd|UzDЅb/Snɓ3qY/ xT3wzPV% & b-p|L}9tXFpdzOXf6~๕"BndAUV1"y=OL,->- P3W?Z s>O^oԠ7P9v41uqlϖX-;+EHfz, Ӛ!p̜͢GmG)e;5޸*Do$C,s-grt $.)|\#Ny n= ޑ"H_1?k*rLqgpM&c? j!Nh=L `59ž!NݪK<@p+K|\-:Jk؛* iL&*bl OsMn/RR^d\fˉPX-_.Pi9IFzŨw8Ixe~)wHuSv:'"Ɓ$,ԑޒ5Ȅ-,2 {`U6i).}͹*g:P#>apA3qX67aNwY2MXlvvTQ~O9HmcTT[iPY*^KϭJ`<JG3[܏0o 8zNNw#vԊcWgEL ˋ3/bQ ԓC}.$y'N9m/CTҟ-X@&Q&YiF`mN6$~]1}1bfz' G[:U嚐`m5urC. 368㢯Cm}ίv32~d6%M9 Wio@DIuq}׾UY%[ ğ':,h r싙noA~iH\_ZʪXFiw)$vN:1O6|퓊0dxܲ\ry:v.(Y ꘝc?>JG$²zx q +xj Մ܄WIzEs ZZ?2]OgM-䅽ɦ Vz&;nM$:uRg`(oS1Q| ɣd0xVyJ K M"louM1^_kqr< G܄'cT~nۧż 'u@OR;\)~* &c<Tqk̋1^mP|x;Pb|Vw덭ŪݖiZ<^9m?;C@?oyY:B,Xf㮇ym(_zFFFeh{1u "ceYT$l moD&˩v: SdC̪|,^{s!Z!x}NzC%^< asB"9[? ݃(OoER[`?4Wn?HOn`b9qߢ&isЂ3 F[ѻel.1O髥,&bwq!$ԾBSb#²DhJ~)|kc[ױ>:g͝bQ1f-cY%XU]KFnW/gU<Jl~,M:Hz{R$0tv.73{II됗0YIm sl%js镳_ݡYNslEy1Q t9fOj)Q|M;X-/ qwlS5' h C#|e01U˅h\==9,Spk_,̻C8*Ơ7d|(|p2u#t71-:_oؽ'tv i0ktņԚ m"jDGn?^9S}IvF-@-tQwhT2C=QG]OZ9g^Tѩcx}nRwEjtNi4߯[\-Y@zǜkW߇ :"e!ZkA>CJV#+ue2lb/,Y2`jj %әa{mI;ؙ;TSڍ"z eu۱!]F4nc[&s/u^RT"ۥ ]콪5 i5cKO)X<ڋd﫜65ɹ@ vBRyJrʻߚh#/%;aJ Af 6m-W :Ny\F7>;txƹbW?m>z=FzxQ06L:rկqQX3^ lB\ xl E׼  FR7x7[g8b ;k-GǓb/mCِ[8N]k\I!4ILN:Ok #% j8/޲N1c >3pͳ=n.x,0\Um'Z$4@7*81"trY# 7Ee !pF a=Yܼx J6#}&X Ňؾ)2?P$y ߄;ia=5s[/=xAFG-3W{-aY 2"Ba !GxGc!벰k1e)de5&H?.0K8g7XkPUE.Ҩ&fF'"hzyÛ<ժQnZ>V"1|ͭ0c9R*Y֚M4hi-[IG׃+#Es'U>qU1!JT BcdNS0C/=UP S ?,IyAMs1o$]UIk ꌏk80GGUG&s;|Y(͒K8 &_,&xQjFi-\i-Fh1= q#ͦS=P 5g.hѻErfǮzHI**,ʍꚫQv6VH~yޖ&iZ@l_/.0R+6t*03B괲2)) .Q[Z7ᰚS&|Ԡ>;gŃ<R*Zv&%m#WS}[w#;u9:D r9^Y ƮNPO~@,~S9<VŨ9Pm !A1W:19wB 60V$3Nj*H UI1sq$/::VU˳%l mCn%SGC C m6bɚ6R&C7(ҩL u/н 5 Ig{p&Gd`](g_2d^/c0-[\-{|s͉(\I:euR^WG?fG-j8(j_rVy8NtDU'{孥e,^ 3<žNc%)W# ). ~QjY*+j0GˇieL1'%,[!Ȗ*?(9}|~ P ZC7"$mN8HԘ P(s "2i1uCKnSқ CQdyI>"?a_='+(\dAٞQڰDްu*bq/l*d2|"w=}F"G@#+&wTɪF?+s@S[ b0΀8]0NcؙzCw{*b^gIz@"bvbzr W I"d!@oxYV b$j<$TwciJKѺ3^_&SdGe^Gv9!ts$_om3<= b`,pF!/rӵq_㡿4Ir`I #]t#FĚ䍋g\V$FuN fmLW*?C>GWybGWBqm YY6mq>`vK;0nuYaL)aհގE( \8dV)k &?Ww~J~u(>DhzYYT w@ pF%Gb,j R ezSNw'1~%U:f<V|doY, $"9CJ/5: IYduhcFܥH_Ë9Dt:4_OsMzW PVqYo '>5ւ/.P|W^΍is\J՜$VppqרA)>ѬHcy-C`YK~c2X-H~`C-S-Y)`eӇ׬xBOT.1̇MIw$At=/뱺,a'*էM(lUg 1uf7.Tʶ[2gk_DdJf\JGwaJB8m>|נM_L=!ŴbC{,-k.ZeM Zu sZIZ\AUu*74 P$7d̍qPݬ}-Ef ^tE'b"<BGLk]]T%>3$q4;p XrS5YGEŴw|W7ՏV CT*;Dq1oDnjpk"'<6@bEEJΎV:0-JꊊyvgT3ì v:4MC&y.|1Se1e)kvu4.,*F|BBQ8lƽw t/`ŵ莂SXo2"f ѵ?B[pPchb ',PaӁV >y#)XGKf.1dA8K횁F*C>!yAڮMfK Wj,6#|2DK!ե q"`d &s- 6{2"dB^BhªC?GRjt!qf Ih]:fy>#%N!wv۝ւw%p ]p<a{݌z?7k׉޻.m8USnA`c|y%DkO qXL5(sd WFm ToVd (x4)3e^ z0:ߥ i7%κe_x*@ߏB-saՐ",핯6)eu耙fՕhbmoT'yn%-`hI&a06ӽXnH>È {q13DS֓вrCT=S _sӡ%Fkg5o%pٖܤX-Rv%.]eITd*c4e֡2^{J' і#`U$H(ɫbXWjn'g cw7/9$K>l\?nփX_l 6O_b3ƺ7f1JdM0cغ~5}'(T'˹ GCyipg]fжC |ᜩN9&r$;iC$nWF5|~4aԣ"RP b &K1(^* ͯ3Sr /K 1[N6vTT>o6d8!Ee5s2]jܖ%, 0k!)L` hԛp9ee+k]#ɍw)νyD"Ki<0R ~ vٗ[#ټHLG)ZE7:0q\[ػ։>m0I`{?ٱ; ݟz@jVI>Bcુ(Tߴ֑|{DP*qsKR|$ps<CU20(}ooـxv`}Ǽ]n%*LU Sd(̖f;$Ȩq^t16LcAFW-=[&{;Hc e[DpH\vG@CQ(˕9%2$ծp k=(< =) C" D#?<jV_iB׃_*`TY'r-ă4pQTY53Vv^~#r:}K~'2 Kv=:JYLYmQDYx/F#L1#ZIjHG5Þ?x^iWaF!:ЖfC96{*WQ =>ŷ|z}ؼ!t71. DY%ce'x4iؚ5/.vvzZH0nNdE΀Tʴ *F±FNԼm:+>yEzșI\nO ފrGDhR*P刄è~^+yX#p{N*hP0tXXr;^3afad&cL'/96+pd Q=D<2$'Oc5@CDTd+%> 0j4P= t &O䇆2y޺ôpqt75!'OsY֝(&Mtaܲ%5c'q#e{mUQ1K$⤞rk"M @Y:^2keNi:Q9LSĂulme'&rKz%aS8 îuTBG?OJ+?p@◡veo[P_֑ zwk=t"rT80e2luj'@z(_ܝOӓ2WlEVAK7,I..P ȆϷ](Q& iu ?(yI|s.?|خesWB ARqsC-bu2,'ٗr` ґ݅ص$/BM﷮`~w;!<|9{ jT πNodȒ|m%iFy*CidEd=1 8#d[5165me=M>!lo=#IZT$5jbXMȕ?-5͠s73 '#ekbV'¬fj=<) rObm2&9)<~jf'Fj2@!)@c2A/+cRxM ho \;&SDEL}"˽CKZ8? ܉p!A;É%ٌ}S4EW lg,jObU(!-4LA<"ox0חD:"IǾRat ܤxe>?__oV4ڱ<^޶(O\8AeՒPN W>g&HWJ I\ql\q[V~]B{w,RL>HW;-kRdi$CLdZ3g]butE5 lϤ1`5aG-)äؖ=FHォL mpaR(K~IN 6 RT{\BXi䝉Hm$@۰/A(:& y<;xȋ:S>5'&5/Cʆ?2J# ?Ј7|kֈ \D#7cB?\U؁̍&bR>gFfA|D,.FXӍGt6Us\1*hi0,ߥ>VgqƂh/zRmd֏QO Ursl+n>R{jZ!%t?â6 z^]OLDo$Gӭ|Tj9WN[!V o8WueYg'FV? 2m5V r 8~R4nByjJmX_0Jb8\CrJ=U/<&w@171-j ,Bg&1ϗ["sЅcJr)]BNā?M5K[j?Кؔ:3}%4W!myiXXov1f%N_66t|^yX1wUXmF@ ji$ZyY_Hi2 nVLc /Іu+t~Gg_S9@tk#UPKKr\쫦 ^paS q/)b=#.]/׵q>-lܝߞ^kݽُmQ̀MpbZY_&odKb.2 mr O0 =f[qȄ7V7ev8)-o_^ @o#ha'tfǕdJ(6JUs/!N?Y0wE㋜B3^$E ϸB(.6ȮaX܍O ,"_8gβ28f^E>ظ;"eeu$[>3=m]}DH['v@9J O"ץ=ͩZę{moƃUϒLBg@]:49-Կ=Neox>e1@Jt (Z6֊:v.dd'm6H|xiCAbbS ݜ!_{Yֶ`- ;i u^Όu~xIt[4ɬxH +ϡ5bWgr7 th]|ʹ+3o#1a .9e5v%.KA;jq SLJ ::Kw3_^=eCRc2}MU #zhe('QuDO@dVg'@ָk\|U6pȩѰ"I^n⪁GPh^)OWCF? l;MY=eZ/ P0g[Ovڄ +~r)-E%zWܐD UI$5R=Gf‹sFP#Mף* txrW#mВ2;+3"\|%1 äSbjOeQO 3foQٚE9Qry8of}QAHw"a,i()W FT̃ѱ$eMgL:#$ɠs *Vؒ20h!_ea$wWh](BAWC¾uб݆ gMIE{׷0=#*>{ۤ.T nٷ~ -E޼A'7:=ME2DӋ3Jzpc:yoBXq/Uy,t#R"-]PzEWm-QZ!f4xJC/Q>#ɬx'}T~Xɡ̶}u2 rOX9 ۨm&:-5lCx̯%0><4\9b )<Ð5Sڨ=FHsDd8aC௯MȨg`CZaԫ~̐[`lf49>&^Qy^8$ Se\,_#mx$BY!\G8&& GлpiVwF*CIH\1':&>a<² 5) QBQ'Y̷v~m~z Y; OF9FQ4iC@x|;oXT|](̔7?/f1WE=/=x+qJKIg YnsW|@I8ҟZ%@cC%'55D \u0@K:H彐٩8*F_bOB*ZO|q{2633De.>;W{`ɄYP&JZFT \ U}1+}or7f( V\&Ho>Z^Bb}yG7ş~5{=^&܍6~җt3] lgR{NI _Z^晡9%ſ7h.cFu xBŭfpŭjT 49cE"^^_ba,If%ĶR/5S[ӜkuF[Zb*OVsǕZ>#C嘛1O^r>5'i+(d߮+DxE](Vf~Af/X[YA4Spw k&35hުѡN^|9~ԁ҂)-*چ;9_ JIO1v#=3瑶cPIVorn9u½ *w]+Se0۞rH]ȓ;blDIF Lr刳_b2Bt9H6uY2# hUGqUR+Zz[ jWM?{z|zf~vQ pY-_xފbyAO Ǻ8 0r*r#F=Vb=;6 iVIj:ī( Aߥ+'LubvB6("r!z4  ˯wəmß`_韭**sT72^'x:/y&* +*OR,,e0'kq) 4;xj'!h WZSMX x{ M1_!dsFbȼw5>JcxKtW1qb d.(!tv.ҪZ4YaB `~rJ~?'^Z~ 6GwmL־Je"44F3jƛtԀ?E^^yS.wP|j3󆨄[Yr]ǎ~ L͉`m!7c9ΘW=}ΗLI/&pm)ɋd;N+7x+ʌm#?/Ұ%j~gn<'eB3Wm)7ΠrD/*BژgG@أq%[uЄ,n *1#}灂i9\=تE9O Y)8myQCIjTh#`d+J4u]/eHt,!黥<8CǞk/#6{朊{mlsd!t.f͵9X,9išCX H@zaЉ=e++aIpة0\ѷCPh(>*H>h>b<ɆC#tf V7g%'EXji42Kel&19咬!qf5=^CarE#uB8MF }= og^]>z O _LǮBקd${QY]V )*hݘOINנFAO&&2Iu/l:|Gg4S5TtO^h6ءXKR xL3kz5[+v%- Lv <.okɨB$ 4I7pK@m q&Z.xʒ*:GzvF{~=.~9)V6-:q@"R0vl{v'chcI}>@R-tYcs}TSk]'K6̦UN_u9W_]uI#g­\ e(GH yjrf"#x~8J{RU'Q ` W#JSCFzXT:`VV.a(urx_(`x XQLJMh96q ǠxN;?hժ S&b.]Wy>I;$zAvP-%>N^UXT"7zo~R(S:ah@^FZOtTF<Dr3&[)nTE%}̫s^Lr;{h,m%4]͡Шp[cPL>p4u>cyׇuE⾟X`! lW\ݸCG1&K Θ:DqOЉv߮7UƎ@YȇQcK4YQ~bpOx33 ԭqL %jOdr"+&s^E9eC0s;yN2]a:y瓸9R[+5@u5YotZŬ0wt>O$!&4)`/MˎJ#uuAΣ]+Se 2wTy?, .PV &\aclvf\2HY(.bKJwI^Ʉ1Eh> 8P<{v礎LjO1r0( ojyuKƘ7!!߲ 2q3忏_nnU:t=B$ '$=GIL:..E/q9vx婟Qgz M>nF[ XAPM}I<+Ff7qǶF?CvZυP1{dR*!q !p[7x&%9ٷxɄ4(75—a8w5(teCB;W 鏇J7KQ`n9 QR#`kȫo AL-Fz<*D%2; ҩ=uTH׫=\{P}3w{;Opq !W) i9]5uStC̽3hbJ*oh:'ۛ96ĊQzӴs1a" ={ 9h` ZZhñ+3#1E8:bgܘxT\9?z\ZيK j6U:`A`uh+_ʼ6.rDȼxTftk D֚*uPK!UeHW%Nq͹J"{j\yȮӣ?4Д9u6kMq1Z=sC삺F .pBQ;PGx Xև]H W[SvL$3Kݘ;j~cэYm{$X}Z"F{ uMVПƃ.Y%$WgE,`[ i607D.&=- ن=RbZoLՇu!vg"i  ZZt=}.!ML2dg/s\y/ ԒgM??k3(H|ap[*T2菒JQhCyW;,ǧ79^%|+ u8µ:K=TRW7Z`7sfM.nYl7ZDy%2 UB4=U l[D# ^}F &ivye׺NGd$* 9ScRN!x\⒓%4=x*z v$ڳyΊD~!yXT2Y78mU0yG'I"@8"=a'vŅW;n͑fkErWu ϭo-utXfw>5zԗZoLvAC;eO݀o˂\Z'C-.8E+?CmfD<t5]̎ RkL_^w[>!AS>JKӊyB}C7/|Ն]q_'.7pĚX)ZIOxrn/ ;ь$vyl)@qir9 @G˨0tiVL6]zGmG0mX틐ClϘc#u{ϝכխ=P,6Zb r]ث@ya D@i%=69s*EeBlnWPi_=]y,鲉c;4¦=ܑd ''lE5"1w+5mƲ9":L.r@_uŶnެN~$ccrK8N0d_ѐ:S9yK%8X3B x0(;j c~G,H&Q6i-C9>WYNs$\`vĚYpYL@@6ِi*I[jZ -T,a115Ri| F`<~EZJb, tP r=R¸ϱb{n"j!C(%w5Kjѓu׺MWXlg.s`_o gNl@.S)7l VO ? vlpar6;f(>- Ve/Sd?%ywf7r |J9iNmF0uRdw7i>53*bt\bG`O|뚎-#Bz.ͽ*~F|,g{jdhLI-<]hT<?,ObP7d (zc%-Ѓ}'tʒYat:KVJ^KT,3V:4|(F:[FQ-9xT/ZKtkoy>r6C/}bv B1$ejbcT[ߊK ,v~DFnu,.u=7nER:h{JsZL[%}5SC44)H"X„{UL8ƛQ6+'S_{ HkscLWCVsa9梁H2p1zѩX7,>úE@{dEח 埞 o Na [2˜@pC*w3=mX 6G:jJ6FsB+zmM&"a@f=PaT=hX8PE7тץġy=tƊ0jV(R W{%ɰRQts& crNzC̀/Ma'MQ!X}1Ud{)#ι!0q+@$DZ$G"&]\, ECLEI N3Yۓ;NZdP(\)nJcC #-J䟽Y(MszР6t-g&,A/l!nԬS9e6@"S!W+y Hq`sȩBɷx#Q`>[S&# --Ss#B֘E1mp`.}Q#m|'eġ c-7}o(Dbv3,/DgRY"o"^aeJpвN_*Sb1wŘSVkYx^U~I@ 穛x[+c3wqgB2{,r^=~c6f" ' abО7.]RPE_MyЛ4XHXvtt:Y4w0y !D8CR`sf bm% RŁ=8AYU_mUAG}1oMóߕuS/CPr]'/wn.jԻT>eQUˁY[e:^zcbAfT'bbo'"U0R䜊0Ac='yܽ`xSO4o3.jgU7.RNu$].1m%!|z1)v QFWqC)Yo!("[U<'/yWR "6#gBf@ v7~1<<UzgAȼw0:@OBJͼؒ )4.R÷`)nf2@LXz9󔽣b% ѕ[jtP?1)ZH9DI7~^jM /mvn0-1$[|$g+r, ҫ#joJ, !*k փ)dTx B,$Uk:鳠$֊YEHRF -2-C'j3jQ #݊VTˑ]oU0~ХC%g/aHEga`΋]0Ve cU4F bF 2[UrCx/Ok6N6[q?Α}ѥ0ܑ.%.'1+H|n Ir(.-r7w+&y.{rPplDWvp=;zJp\pTI3Qt+@Y nRttFMƾ–X=u #j+oQ$YhƵ3*48j8{,cRp,> zPJW3|r)4dE2|-hK`9y3H*|ca~\3$RgGE==dQVԐHGX]A̘. kT5~X7]rt|$?Ö]GN>T40:~!3γn&fѺ@W"ۂv6pfbE>fNyl"[s~o~_`39ux`DT7CKbd#+LzdP7ӂ[ 0J f*fqdp1]E''MNtCU͠7 ZG:ȦiدjkS7oz!{Uꄓk,Ë6- [ytݪ FLތYCTVYM1qUmxZo =V,=Տ 4f["bDe(i;1^.Z[Q`rVfrd P~"*,D%ɜ0ɦƻCy ,q zAb{Cqk:IOUt%grvAn CBa>nʁѵ WB.]ߕOY3. #VGZ q\׬kG?/iX)BcJ)Fw.p<\y6pZ*6Nhx֊IG ,%R8ts *8oEnƽ<Ă0sTJ*u'cH` r=WZƇO;MXǙc[)t]j!B!ݩh&Gd{\ס w$HlFi PY1px}/oi_V *N9zRݷYUi$Gc~?Xq3R=;nⷞGH1cZ5 ^8>/7E患9p26#+1 fGbh>דn4QUʸ8B|3S\@17Tdš3ƣ“lDZwHg}6wi/.rTDRty2n@f:~y- XZ<,6pj͖nLjfČeHs8B{߲@ꉓ K>C#d*gB5ӳ|w0ao44^]hi$H,>HڿcAvsb>hmd\*ag/d( ò+r$V߭N+(͘Ƃl]^Wꯨ=~Y\#]-Cf^|(~` ?La1~>V񫒬(iC '=Xw "3y2>OܛOLB;qahaB#|ٍ5. OFhmR{*u/e& ̕ Q=QRm}nOmFGk%~:cq$T$43Fi ,z73"7HT3yQ[+$,y*=KJڋړ۪MbHlPş {׷p9Z&1]$v<ߓ[RX=:6,u"[i nQ(p<.O@{8W ×bϷsV9ܐtIX>dY=znϻ{a1#Fcbӕ<(.V}E(1D62:%21b3kc<` Ž4z`h0a K(KAKސs*{M!v_-C%N˻2pxt3ftZ\&˝߻j ers ]n 9TǀFtۑ# +/ 97+u"nxȎ l;ii覢qVQ؂G DŽIF.չ6J 7uC3"lý|m/G?N3 7bM4M/Gp B9V|0F$18xqA㞢E؝D@ˁ"f A,u9YtXjdHZxsH9uZIV~_bw׎9G Z7(>SGu'M|ݓӠNDbfz /w{ wĊȊ|An)7(@–#AҪ@(-p=~FT#Zx *+h;ja6WO#\X$.7*\x}9*C҇X8.ʃlgO#Bn̳nd9cOX=*“v;v/LmHxEVD(dr 0%coS*QۚN1pf`ߕ EWv%9,mԨ-oHAu"1#"}O`  ZXpЀe4A4ٸ̰CHw~ehr~y>Ř Y1QsE Oެ5"cx\VODr4LTM{ R'RP t0vMHQ2m3謁bEI{ox~>5}rR$Ţ}'ҁ^ҷ(Hׯ`Q{bW?Y8=5뻪Hّ!l ƬڞN%)[l mٕ\zD6 ::c J]m{ ྦྷ4[3j)qD}jޘjO=tv[ HPsXDq $K'}]l[o5MTof 2:64Eq,34۰=a:̈PQ"YKکC]E7>Q;8s5$#$1*v=?.?IjiBVqZ'=` xh7I<8< o*dQȺ.)=klVarj[l/0"'=JVDzIFވF@5L3iH~ ߈lhCGd(̭kiq-$1 Vc}6GM;! $M<|Z c8BBb׼TUg="۹/ 能%)8 焚nSU$xc_=jlj/yD id :~kҿgbS4.IPcYi[61-?9n#!>l_+0{5e ǂМȿ XZ}ƳŽdB]9iX-&ucތ;z7(86 ;V$OA?()I&`Zku^3Ucd#_r(\z|o-N54,,k R"Yn\kw+$o$v^(.WT?~* d@']_BåԕBvT K KE14rvC^`qC_zjLTs<^d*,W(܈tm-Xug^jnܒb|OԆr-xU.c0Zw,^u !pl\a۠D+F1^~hhޚʰڕ&TwUStOO'ݛ&8 tW 4ֲGH9Q$N0C53u o^}ˆsIDkTp)0塭9BO,C!~>G1tuҷ+6h떝ǜ>IavLVHT; =ԃOSa ;>(Q~" Az#zuf,]Yӭ)9]<@G!t`,M%Z(@ՏJlݧG0NfC6&oٚ%O%cd_ DPĊSŭ;Zn#Md]W[5h[Ѷ,zZ~a (ҳ8k_I0jįߨD{N'`t2_EIzT)~lnoU7=|\_v5/Ҩ\/~6p4g= W2I,U eKfe8I'c @=mu5c9^ ]2a?kaۀŽҕ锇ѐ^ɌΣ|-(&^{9,RLΰ95I%|/i )Ej;0E(;س@L5\G̈LR7 ?Z}QW.\l):|do o%tex{֬6e>`͖ԕ*zNq됋O 7ti$K~|&9ËavtQޙ<~'Ӡۏ375Oq5};WAA~.{E ҃LI:|ثԸ䝝QCoj%[θF ?ezV-613]=]yu$18dPivhm ڣ->LH[u* 0.@&Hf]dQA5K$okv3u†c ֩Sn';L&otk)#uHp"L~rrj+~ܕw}N[ͅVfG.lx Lf2ʖ>3EAꬥV;5b6Wњŗ,dEBZnEAǂmi0:n h4ցK $-3l:"` h@h0ίd]&É& d#6tE3 T62"fJ:pKƥUFuɦńxn[sbD*r e5;<*QBN~?:VL6_m(JO`t$pH!(;hAwidmNc=r,٣6ѩcnƑb.|O$hy D=+[d_Wshb|Kж-&2Sl]Iu#W1ݺG">u[d"Db@NK[yN}Wdˏ᮷MT2&2QRù .}ϲ\D^NRBưkm!=~|`գVcD9 0xJ7sۧ?$}sq$+-D4iA~ (,~'~6lEVh4Tcj(4'#H.蔡.i'ȷ+yNanm,o=-0[l%#G2nnh/;jǪ X9>Ϙ_r6KcR:!'jj*yMG{Bޫ㯏-g`B9RkeO 0ֳ!whLvycf,8k\Se#{2t'pHUU bQjW SE31aH`x@jbQ ~+^b0 0C$Lּ$xQ'ix於p-Iw£[="O Pj/JԖ1KfC >R,ڲamC6"C;/P?7zϮEZD8sڢߕD(7W ZPK0v 4R5&<9'P~,pm]v1Y#^=>ýŒ=e&,[Glg&-*4efHˉVkRff_ BQ͒w[dAz=g#dAg@B*&:`׿[p qy:4HjTrQ82({xu{519Kcm d,)72 qV yDVW kZ)a"^bwHFGˁ (@uOQfFLISo į9cPc#Se4lWor mt(aޕyƲ~B%QHI/Le'f$)_uTL>^G`~0e;{+4t"6y!jRFa1@LEd.B  DnEBO$V.5  bbԪvF q`/OOdl5j(gYSjcM;RStdhNd)* Z348OFV_TVh hx|j"3gqH3ɜl\Y̳M{RPzDΞ+, 8_~OOί{:վa6:jd6|~x>f `Dxi:7*+|%D{΅tg&j2<… C} Ť:c(l%Aǣ{B;Fk&&60 @og_^^S4yE*PYypaA 0*5s6*uЙ]"jV=scV9T^dS; |fQR;"/o !!S" ʌ;*:lTo-}7w|զf)* ˖ѿT"E_g;X %MXH[?iT4}\[Cm(ؽP{S5ebԺ+jnr!`~91;3铊)lE~c.:74>zmc$3 3eYcSӯsmh ="$rGT7)}0d"N0ƛ\.b QT}3C?H8uhNn Jy%xA@0$'D{8[gg>zd4 ?A |GxAMAw%Y^ ,.'ưnEj| ~E>⩡6qQDybK8o2A < Hʎq$jZ޿4V6tm@RKs!Lw<2&qS,cb[]3VD^@jޤĄ!kbV "OjaaJ@ZlRjC Ŗlr8|dz-d ) 3ψ T_~@TNSCQ+|'b@䒜ͽ%ҁNj$A$h-L1d2-W8s[˂RV&@gėr65 j'NXϫi=ͻRR^nţXL6sr{#uٝ~`ڽвxm`豞OGIbgp ̱'B@hc_%Z,# PI_rjDa$%"aU eڰR?Sz'ߟpe㶸I-xyw&cPvk;|$2ѰǙjQ X?'~e;B̋K nnt WlyDo0 DJy45*[M*r+2)4KAdyW:..DWVdI8o|Z!SV_a?Gd<_ :VJ 2$$uT#7Ox`uhmaCzprY;7L]rKiћA(\R?!dv<2|eGg'YqyΨ߲poFA(C\h (ޏ,Eir~P[7"kzpt>S)q\x01%Gm_KM5}K{5jM@!?أ~&o j녿ڿ-[Xvr oE䚫& VT.yjS{sT]JK~Hr Z4:R|v"6i&vJdKƓa"ZB%[?tE43B$m>=:mM- 7Zq3TCyQOpòܬ+E-Ea*m#E>_1ecB>i߻eq zZYM0/; QyZ_:#$"7~;bct( [=DS<ʋ5<dD(ޭ[}xa +ǫsQ`mz<"M$vp*PMfS)%}8ᷳ!kuG@J7ҵK_-`dCT20QȎàMaz:*({dkbktɼG~I A|`KGM,!t'u0G›(-:B$NMkNbŰ\bnm8{-enN{e+`/yl)b| dD-;dXː³u֨Cpo:@ܵv@"@| E9-r09V33_m~5s]@j6t #;TF]hϹ1ONpўYQ fՄNj s<1 6nŋ,F&_~ V)3p/ۚ㋚Q6k,$qD=$^)oDk6b5'>?>{G4(iOLN/`^Ė GGB5t2O<\::d$6nä~-xF4G~i0"jTZڱΈ+!@6Rg Di\U&,dW^&;v;5Lvrn^nj'i_L̷B]s! ֌ؒcNX\aj(L^|[*Mzj?^*|V%p;6gd'lI,|}>S-'ݐn4,+޳)<~9$Q9>n\|g ˅ĸc3hQтcGx XNDJrD$ǛKS-=ǻi;=AC_hg=gmXcNM;/6\ܪ^$QZl쐝v =5Z^$\ARN}yԵgQٽغv2s4;Y<_M1E62Ztov!0 k_ɑˋ/셉86~0ʳ=YYޚa(hOk'%+oH,Q8G}~:Z"&N~a`+'0k&FPx¿V̢E\^(r/8Rՙff LNRL|p2VH:&@ӱ:G8&/b0e3 3ߑ  dS!hx''?t P$(uZՊ_R&YqA!w [n" JMxn(GJ̏(E[}B?)Th2fP~WtD{>b¯!|+yM‹7VH/׀;1\ *pu05ɝm͟Bv{X"Rfu#r9si벬/\+r5 cT]}Uz= e!XU$<'DIHdV9eĪe[y҄RU~!KWqJPs"FZeb0ُV㨊Ǖju+FG>90w'x\:B h 5ʋVRL4:*d:L\8G "-u٩ yBm| F?U` ]h=[h 6 3%Z/хpPC<f߹r"r"tnTMMlt=*Q AKxa4mmZjˤjQ)X`4h컉Fm5j-l2׎چ~x׉BؗA`/B a˴`eYf6b3ȄE__? DG&dG,7ȿ,C:N/F5kc3^z>ĄLt؋ nC)46>pFeJK[~>)ɂONوB)ZXfH ziݕ-k=Rg;-h!?Mqwѵ@b{ww%9PCg0ڽΫŃ lln?;UTrIjz!ohv<5t bbQ(gypRr𧏱sLU ,/ܩ31OVp[N ) W0)ÄokzgShb6Q$j%4%q st10y\T$P=nl]pă^9.J9;)sd8 _ZKە ^|w;40ʔ5(.(T+33m0ggZ";,)ewjnv8pΠRCK!@eLpBebGx%=K( AY϶k߆Ma:2t\wDv'2sߝ;. /9%]Mh鎪:ef];pTUuSL'tQNۊ$WerOSzIcGp]bV]n@ 䃋H-(4%A=ސhPm0*~˺L w Si 6KVƶ)s:M<:)!EżlD^z/J< vnlԧu eI(L[M J@o|BtgA`g $ZqcSWy[.L>*,p?zqKr;3߲3;H)V7&ٳ 6hKlvJYVC \)e5;IT 9qVmz3}Kژg r,GP9 L뒤8oU_! t+n|3|W} ̕qo88)%OԸy:0M >96̴* Z[QN6yXOY߽2&hoT$2\۫v4;[M`{!$-ӵ)F$Dܘȫ8t=c}n9X;-}w&^~H`-&c v >~E+ _ᬐvc5v{^C>+dI #G'䇾4;diuYS enUڌA}izUƅT UE} Q[>Xv9IlS|Jş\ˢ9zLp3݃BϥmTh>?x4_ʿTe:6K@p v0hpt`U? ߘ䫇X[}2~gѣ}`4螕'ctr_ےaNa3pH2/#pqLlY0޴d n^ w Z{I·1arc UXKv8鈜+jN9=;L HA[f}8fGu$UW+Oڼ0$[lA<ީF^}6B`v?ķ1&өI!,heCڠzI00ϥGm b(q-/ฎG* ~8kv7OaPQ!d8lOWP>hJbM k{W$Rj eMCz{NL_NTz#**~ $UFb:H,ds*OmZ;ڑ+n@ *E<'aUʿen8F F/4a6v!o{}E.j3˙y- yu1+3fG=cW%#HƖ`P h}alUޭo-ܲe)gk>=YTV Yҧ-!$Ǚ4vl:@tΎOH ݱԨw] ‘j/E3k0ގ^ 9)% ^Ay̟)}f`\IvqVf^ipuc?_ec֫a;HL[&n(썰~D\Z)JvUIwG~'d)Q_ORS bT:``S=+TJICcU" ,7ipOFuƀc0Dݐi7K.PJc&Qj4W9InBKEhku*ކNn+41N)NڄzlGس+59a"N3*ۥ38{dcE/+18avNY9@*F5BNGCPR^. 9P]>}JYg1#iZv{icxx-Ò` 8 ]u_?_!]wtVN6PxZ ^n^G Ϳ~Em42Hv /6Xσ bZkF98uѺd~@PxvٛOpvq$:AU,2ZǯUD#eZ~bZ.|ύj2U ݉U@A{L%YfK+1Uo"_jL<`կQS;"DeWݣV-*n=R!ɘtĕp0;XsoȈ]yŪ!\G295*Mtb0ʭ!L@2?zׁeOpBrI.9Jf4Zw5 WwxX6:6UEZSD>2b||F{IB\3 Bxm+$,0Kqm@@ -Rnr(\@;#iep$RfNײ.x!B6,hza6+-MO0DhġTEt5P*4HGjӐ"=44x^eӰm K*Y`" `r W<g,ybh؏ki=EOPCB)OxY~l3b4R'tE+ZDjrsP,ID3QapP ƥku,ވzPMs{dz j%Hadt@T%')i@5ѧ052)bL(E_i9soy۹!+nĂz}88vyaL?clQ׉v w^f0U?C_ `  8ʣ"'/t#5kZzT ^ MF0_<6 fH'4l#"64^}q|JO$Q - #!Ra͑Lc5muن*C1.y{/|Tx zeA ΌJZ .4=,/v'ˉqT~? xYfb;&0ƎI%lsؚ|Z!C&CJ~fy869,!:aBEѴD_{SΒ6\!&JMπg0Ȥ e׎ڳhH_ho`U&'"j]ںq9Vj&L&Yg&5m_c t@6g G3Je[;79J!n_ t}B:]69b?@ /(sQÔc~Of}9m \{Gxz!S#/3pBlbҽ AK0$E{N]oeplEdl~! ɊO-x9eMB%#zXɪ!pl>^K2[:Լ{-AzxYKf Rk]YAqb(ɻFNJ e،)Lnq/LPJƩ^'! rt]'Lr[9\bTr U3u\>FSy}Cutg|=8 Pk+b`fb-HB>&i?GϾQ9AFkC'] 3%(e~y1l XMᔮ\ߩc 4cp㸦Rt ;yLA+ƗbYδCp|>QSzx?& FѳSr9(ͅ WCWӣR1u1֊b '1g^)l{ ^ޯ4jxr!<V{U*[[71}z) <lr gذ#rXh@@"]<*ss 0uX,1_ 耕aLo1 D$ 'wܼ~aBc#XRdJMl= GKĢ<$S@ODeRhEESkoiFn!EP[AB' DN?RXik>";{MFp#!RLpaM' K"neJUog*3xVKd=']#ќ|ΝOk75+,g8 cF_cJfW%3Lz{ `7\^o(hj GmEdû]ℱfMT7f}Υw0VXn@^Dl 9w&]n\WP%ʝV)NOzoEC<(MD4vq*\#=[&-+vZ.OE=TD q-]hD9|<` ?bkt5d\.bwnZu3ZHR6Iů>ge;o:9 c?l4&lo=y㖉gh<4EcU ʟX{C555LBsXsEXzI|=O jѤ^6V>X` ԧߜ(M R= 3}l}Z])Cn&+xYIpo$})*Utu'zoPԗ9=X!?{_WviᤪGN4лZ~4t:1,"(*B W}+gC勁x ];T{@jT$Gt4a/\ZnZZ&7?kH~AH&h1svDI6@h7mWDޘO\p*~9C}kX0Ӈİ g܀K 2m@V.!^Hp~l&X)ְ-_ `y @xO7Vk_+U'bH#,"tDԂRןݝ }&УĠ9jd`ma"ThtAYOAe.!H"(4qT04y>ga%|VG&n5GkX;{@p^[ _\E6#w(%,n"cl5̆>뜩:a^ҬYA ѼNXI+Ky:Lk;R\C)Sp6G8#t;D"r7uOF6 A İS #lJX zpx}{= "v<:7]̸';wd -4Tf1Fc'.FmXZUWMH{₪-H!},uň]έ)Z<} HfS1[*phÝ @D i£=kS/m\\H nK?Lo py6mܲ׾Ѷ̫?좠 YK3 lh|r&ЕUI8R%H b"%KHΔ؋~dX#Tԟ3BouIxsG柖bw҉@>lMb:;/]%/Ei/e$ ;} Z'F[ \hx lמƩmncgPd+)[KAHVŁ9V9!OѨ$;c)ًH2l";PXХbWW1hgn[Gg uhλG!-H\0I+yy-)F%cN")Z46Q(J&ޖ~baej3,synmjc1Fֽ:_A^A6mИ\[9Ӫ"~ph.`ioWme3Q{7!|3ݕmUEbAqCVz111 7( }GkQxm0tRG֩nEb0j>]!z]C߅ h8}ߥ[Z;eTя54|cQLlNkh'$i˄fB8Cs^N[(s3o1E6en]tNuQB0d^-(su KSE=KT||"ͼhs#94Sk.?J9#}6y=jۨX./@Yg5~urxRsH$҅yĈJ) 5`?D,.^C~ݨFM8Ԛl-,{[RbR塰=ꝁ0C{rI)'Цt;?PTFʠ(۱~ҽ-._glZ39uG+fǴ]+lnTέ:UN!a򖉶h+q$)^*PNP3Vn/Ӂ l[y'g E4;W⍓!*E|;pt:P_Ob/OTi&:{\Jm\E6c|M Y[ <kS`W tNkX*8i{7G9;ƴT HV e+!l[Htq0pf yta]%Q#w3FӶ9R#@ 4#s9:sag#Ss!؆(P-}ǃestoeZs\` >pAGCd"5;JDx@ rTGhEU%fBܞU> im;!dw\(gŷ۷OJ0$UVsew BHm2bOI|rlF R.;XM]7 x< \#?\GE#eΤپC]MO:kv; UF[[T"eɴ=䉾g|`U$HMdz>z#8 q˸!|iVĜ8b礟ӡ:v2v'o|;`"uL$EⓏ#*7QG4iw9uldw:=0]MD>hwLFrXBU;f W͕FPSi7V,bhuGk$z zuӹ}%. =&xE]a91d|ǯ K~p>NP>QO)j^"A1Uzݪng:΁3ckQZ>%9=?.ݤa_Y،.LNi[ (،U=S֢4= BJl:hrsNR4gTzٝ4<;#u*[G"~*9J~8E&(**ʡT~/OȌ&߯+T}z'$8@69ګxisە߽SpjpVZO:&ct&gE $T)'u`!{R?-yamѼA1kV(l^q^ֈ7xBDVc~eK|Og/ٌ]I~(PUv)n(XaH  %8z}X~|*oe}#)r}}ĭ?3pUlJP䵺0UlsMD[LbeU{nq({/mHk~@Mq뚠r(犦p[>۷\q̂k1X"/qt/[1W"y>6,5]=N״AgICS[J˿H؃] If A7e׃+s-?yچZTu?x%H#nKM@jn_Lh=k`(6't؃~ߥf^O-h&1wW#7k0~$足hK۪=jG^$jj>KhR^M='!BB.\9|zÌ֌pć+u5z. ئFe?8" }<{Ȍ [ >Iu(/ OM;KIB#pif5.*4@/OwS/}QFja D P lS;K%̓#bE 2["fZ+Ӫ+@DMV؀h`X}ʉhk/Qp(,׽'Ruqc~*koD~)5NM׾IQ챚qnDݘr։EgRV[E{E.W -I0.0x3ƪU&;=HYg ݪ rni#C<5HƠrkTNU&]^ [=^>OY7|bZ+(-R:Y7(Rt`"&Y)lӼhXWQΊ% ٵ]` = 5:2G¥-V B* i"9ќ!?~^L !x|FlJm{+vA^ + }pqezD0/^cm$◷e[pH/*V= Buzכ0q\䒄07x +D.祥]xPqs@e0pQe֏CIqJ iuٗ;Ž{K|]߿mbMUڊf!Zդ:hbкDD8MOxTD:rC%~S&7cWڍ_ O A-J/p⧓3-ٺ0DQCSXfb_b+c|`@Uw lTuZ?, }é Q=}Y]pZyAԇm%Dǿ$TO *~b{&7d$`%V+ u<~RGKwxN5`n |p./,){Jβ 8YoH),?.S%.ΰiuzB!LԿu6)6:_)}uUͬe4$jPV1{42V OmpOKz%n%} s`.ۥ)iȾq6 J$IG9L>)k;;P0ʼno1:W|fOrdwRw ݅ qe^Qس4|6I%cS`-e?!'~y(uԬf/!ԪK4bkef;ա;ÈR9)ZєS %Vo4.SwTd+- ج]4bġ/>|b/Pi?<VZD)H\ [:!)]ƨXzA lt6 zx5d}\8c]uٯL1,MO"Y7 U*Z5eeD$.{6G|udxSi1EVv <3O4tirӱyrԑ?M;oK=O~`9S8 M7X}m1S]w&g]o2[Me'8Ѐ ߾Q\-#e 'j03,pC.*;Y.* s`vج"R:\o>8߫w!]@:k)7g7 62~ȁrT{!<0Yw`hĤ1!029uq7[V'̧lUU9O ,ruI|lLu0cycHo+$*A97-٠fEoRni{+llKN۸RjWQl *K)26Yx*eĻcۇw7C2@o-Wm!=s hɌfڗ?Jd|(k u+Y]&gpx8[7՗X19!/N~ x{?|EPֆN(Ifjܨ%HT%ec(:YF; b rC!Z4@z a=JM  ]5͒DBD3-jRDB &sBT s6\Hs֠,wQnЋnfb_Cuj~Q\i Ọ`VW9_ `wI*7H uCp9ج.;kvypn w$.ְMRB$`}x`sFL(FӖ,i%\QzUHO9!ΐ.g*-?j"'n.qP Mx9)S{ҨC^c=c2,[{(jผʱ@NZ|N >VWx0s+bb)0a#t*< 3HnW'ZξasEzFNL\OtT]j*vC3\bBvӝIda*'D1 i͕ &h>^xpc+5 jIC{etPaY DbݯԠ| OJO߫I^^8TlJ)-p_{Os V&P̵#b &̡D#{aX7l:I):Z0$KVnuv$lOO[_1pVro 4𚽈L:ApieՀd!` 8O1PS)忊%$QT^6Xl<}ʪ{:-ZZX:Eٓ{_n/:$nׄhq[ ާ\F`a+(lw"T|¤! l=jp 6)cmwk?%*Vs%*N+{bOCt7/hT:d^uVG@&5o;qE0XGGH$Ud%Q}h",Jrl|1KE PwV2CZ޻( ]8Ov얪 Q?J@dx7\{ .5TGwX8S!ȥ31RA\nS/C:M+!f:$t-9p?c؅ ^pqMU2y;k8J-L (~+ %[n`T-,ϜT78sei@ȊP9*.CJC4[ )>I?BΟ-Nƶ߿{kIx#%ϫkVe& > l}8Uhʏg;hӉVǧi} p%CdiIH>Yj-/==Q0;}=+;u*rwk|nx}l=1nrEf_>{\S׏N6M 4>ֹKϷ>c>5QN#G"41m#2cmL0kp"t_8+ ņj'r@sP2Jkq@V3iYB9` }$k#$G5Q(Z51H,hx԰<==8̞X(. MyCV\bFW0 [82GKmՎ9]wS>v.l ؊ĜQ֛pa(E%|[vĮ;DfRSiʵDұyї/hف&zzJ4܄Q~O+#Wr+f4$wZS"E2Ihms+3ld a$DT? Z|nO0Fxmc<'78Xm`Lz vwA#j+APf[>pvv9E&HAA J/F&|Yn> j|rS],gw\JzP`ң"k,zt#,Ȓ0^D7@M2&%'1QRśI3Zj:Gk8q3r4S@'.As&rnC넵Y%ƉbAgۀϩp+`0G4zgq=)Y̙/g!րyϣneGkH]ßKHk]4Gm\ \l+TG*a6F7P1o~hfjy#|@0rb3"YP^k ]H/W&ŕ8*yܰj7iB&X [@"J8_,p-BZ)|A{ M*լ86}Ĭ%_ٟ)6EK+{wfv|+}f5UED{ AjkHr S}iv(l]=F_6OAS4qPyc};V5Wo9 oH̾;q?̽< x#Xә#RD%R[r-]Fhỹa.q 1tQ[Fm#|}KWz(2XkڸT=^>a0y׵܆9UMzAH,Wckު4NQ"jށA[?dClyȝ<s"],{.R|xׅIzr,p=?ɘ#p޼YMa;,T9ro$5oz[7p0J`(pɢUpa1kRaC$+xG UUldKyh.@ς6BԦF\Kb$=Йo8$.fˣÆ8"f ;'`J/I+;lNVH W%`wfOz'xa%ʛٕjRn;3j&Vیѳn@ʂOUriív1Bb_v)#xHюt .E{Ol cI~6 1 X6qb(7,O96:eiȠ/2ik)WթӣesuqxCPЄN k?+(Ʌ0-*.\*yn(왋”˥Y/1FT208BKJي˞Ph]p0U؄2N Xykb <1ܒ:hH'AnWGd H.e&K=g M\yM5^gvB0M =P:x;+a3S$҃2\; "pa*qz&NTWl-buG( pр/2CiYgi?7"TTe OpZDQE\_枪)ߖ"lkfaBӮBKL{xދFW1ޟXhHl_ݮF_pm:IuH9TeqWڢnd# (Kw};>yTZUq̚0/yDq-jӘ"qEwe0F6Y N߯6X\B]a}S@c[tǍ _9L>˰[}oDK@іxZOV0ajPϩƸحkSX&>VuV[7`oV쁲oJTKx9ߌ\lK[; L{7sI!킝KkEu'0<ܰSdͥGl0Zl^jkF/Dgl1R`BkZ'߰UǢfw>RdRt %O/\ ؉rJp$낧u#='jOvM` Oڈ6VѥjNQ̀an1p| e =vA J-M$D@3!Aw@y={V0g]BbhWjjTpXwxD@Y#WdoVBazrK~7V> H#ka[9$"HxUS0׼x08R+,n@ E2`ΑC9]J>d8BB)Sw\b6E!E>]! })$!]hXiHolZ:}//Q,#[ni[Eڅ]:1m$@' ΑN1 +pSq*}K=e]*]ֱ;bEh=%,H|nnCKgrt%*cF !ʂh狍H%eȵR%,Z"anLٱ[[Q4Jҋw@&Q{5,'z#3,6v 㣬&,Hvq5"cu ,~ݒS}(<04rpQ*R5/{"b:Le ,UVE:'y& Y)! ee矡?S0lAGmw<_MV\TD^N<5D9I {Pw)"p>n Imp }s)l0k}ws~@M-a1 5dR_\$6TY{C{t3.CrpOM\*ainFzkZNhnX0n, K};ppaq9ZX FJ-䮼H0yV0źD觻F nWڸ'S9K( W;{ȥY~HKC$Cj}s=e3=^U2tT3^.¡D8gФ^goa@=v9jT9Kx 4%]8$ }jmVW+!;biH]}CE؃" ۇ1|]χu2̎r=Ef(a:w kčPB_ۮ|A8z\F`E abG33>6oD\.ҶeXa~&w///8XؐZY?ͨuͶYR>DŽpPuugr:Q|tU~Dz(^z XbR,Pxg>i7k<2"'T˖%KrOq1Cj.$* z xr ^khG =kddb7H%! &i FkKNX#߁8#ITP߆䞈#tЛ,+RF.¾;+=84*%NJFT^G`.KK(ú<,+؋*o}~.X@KrӃۓU`vwz+aO>@Sَ̆Dj=ҷ&:ϖw$7Ͳ*69xt p*ko6sstXB$o.!O@xT]ղN i: (kjwl3ʌ&ƸW5*w%~H@U=cGTb6'KjF+Fs^ҒVd2;}msMqX@#r<  q)sFk4ƣawpp$S:&Qu5wAJ*`1ZiC 'WܲEw`㏻l cC\CdLiIZZakӷĜj0ONGmJiHuM ? J,0'sXƸ"c˩!]E.pj V3s:0t'}CS0ςk@.J+,=ٚ34:h(q$CV)+Zw%ߥ#+ RAw2ý]IcQޔQb>*%v1 3i2XYZ2]kx$6ali xo-9$*Bbg%ebdKVOU} xnjłIlӊei-y,y&)E@Y,5OT7k/Ěax܋E 2 +  iZNSSm 6_k}3a%q Yt]Z@RޫE@#=&ݫ5W:z$ཌha=*C>hiʴ`I'=QPc~]0u<a-R!H?6BFH[,㸙 jޚ.8'[W%Lf@D)ަ9VUJއ42E_BKg4Mx6Nۮ7=BCR_w*W]94ckLi80$!'+75>~ӕs/q!J>wӨHi:"KG{)"&ŦQ"cpN Wk`;h3yco| ^a/:h~|y3e<š'mi .ڏ ⟵j|)5//S4ׁ1Gr bX?$$©9kfiFĨ#Jf YˆuFry #tT|sJi6-W'5]ȥ^C1\C6̓|Q%{).ÉFLIUkQ8ەG%^{`L{S1B% >JA^٧ "ؾߍP;Y!5׊]t  (b ~d4T enruOwQ~YyXt ]L"Fc)i9 u{(x !O,# NP-`@SOZ{~K8gJRHygExR@ K>znh .&k\HzyYQBy̒<ևvp Y'И̿а-s16t]#Q1+*VGS,>*wusf+f[OnaP?dU7e=ʒ0-]-*qlLC8/Qiq݂FMwYvઋl& %FK\E.mE7pfvo_dL sQXu} :--{%8 t>[~uȊ>`jb{gαm}_dJ|⸐ q}qV/Uoǝqe6q7zժs_E#s`PByPz}W&e4Dߍ\g\>S3h6E`,r;2PEb'WEMx10[˴ɧ77aKEh7!N.xo'߆\X$Z| @ *vV=NBc(('e7Yr%uT,0K|ۡ6)Uu" Vnm>2 *|!)-7Vh&uC{=I%R[[u= = -l7{4[o;tB5Dy[GQ$uB^!wm_S~ 4bw' ='}HЬ4-DzZe)yKLUp.B`I;D?lZnk 3C /2@L4վUB6] f:҇!;#zfe6E^^81֋4i/ x)@WI;μvu[?2usVvP-.DaD:z|', bIcar嵺xZdv}Z]_VJ4I@A9VgWO6 ^ҝ=0cz6}vpQj׸SE ?I*' ,_"&)ϸ*F6N҆HbVmɨ<ع `O_`)s o"[JFU+;m(LrTF]NwcmG8Kw?LLoVh&@T3Wa}'@"f%68 e(T,|ZHsUuʺQ%EPڢr 6aB d\r/VوTժ\J 1VbNbb[wib "sD)U73ޤ5yY5jIiR4FYoʓPf_gjԺro~gHbEV [W+#F%5{!wƷ01`NYWA=џ/fG^vVǗ|O!x^/UtǾ(($=I[]@-f4  C 2P>s/PfQ&ujwd'fv ;}m$aBO9{ e6rBEh" RvLmnv<+n_._jX3*QO+/xܟ 6A !;m&O4\;ىuް1:t`,%:|B+m)PV{␱e;_dr/4rFt{=RJ"+W ,av8](WN w>'fq9SU8]}(0<:40xR>Z*  pq7.Lr{oeOhp<:ۉt\w;W<u0Cck|}opQ,o_ 'vXY\hCY4"e\$y>' ݜ\0z`o ڡfAϸXq.ף}"mspڭ%,솴~с9u.C3ؾ.c~r`}Cʹ9o+g{XG; IM0 -)y6m"Ʊ,IrӀ6 SU/3\"Ax-ٲMQ&?Zȑ#YӸ7PIPugfԉ/6NAl.QVzL5e*QSk$i ѹhJG#N[uMHL[ZŇe.U@ cZQO66{>+6``)mn4kwU_;"b!=e=CBZ@I\'΂r]W9_neЬv`B3stAHOPkY* 7xGFr>Jl=Z~ex\%$i\chXށpb!EȘ%/p.d. ըޫ QU/RdC J $Př3oj$[ieq5)\mjTId5_сM'Gz2u KOл}j>zwv)lV2hCxYθ2]ܲɰ7̭ɧ<(d&ۦޔWY(D.v[˜,r|Vvnq_)2TY\=Vk$jguܔ݀x xиuvH$U|b x~TvչvOV<@ =7]]xPcIߨyl^$g7b x\>ܣFӰh*Y$6աEzZi A7h|9fgld)=dCPeGNlHiBlZ8oyX\Z&Vy?L c !!|Ԇ_Y,>Y#r1 qY2"iK˿G8`6{TZA@a{Ov~ҸT=ahQE܄Ŀy5K>Z99-yE o:4zL giQ'Kzeo7a+oIԶ(HWwe˯U)ZxA;ʍmj建?~.!5줇=4wK;3.1qxjZBhIBzas#/P!/ceUHVőG +'qfSQ hMom’ Dc. :9/ﻺ,@7Gmr5Z$etF8C!ne/Vv9=9]5)QihÎ{!a;6 ^%kqB8m([̛,5=X^?ۀBhƑq ~~h'y żΡlZձb>x $Jue?Rzw~/v혎W%e_oW tKsrɘD- ,?gJ=A٭yPMxh!ipǶ'k=tɴWx #XZUX ,B[ +ԓj#\&K"S7JDyTkyX$Ϗ52Q??)ibJƭTxtW/J?Ȁo^ꎑf'ך8PnD O ܌#*1 G[CaFBq씭W Nٶ &5g` *c/U3ϊ$-[>q z̷9ܘ=L-@8~a(\zbJuhΡy\=.m[3/*deImO*HbuFy,֦<]/ujk/Ǫ)2 1Jú||jöytˑŹ U:miJlPP.pEz6˕VUVqpz]:Ν kW~LV]pbCUtE:iY"?M/Xpd, բMd#g%DOm.B18? 0wFa-]zmGg%"7QzMwA$q^Q@hmMh1q M*X=Hv8mm*qc]lKғ/ Д DI }#vp+%<5 z$g]{Iw(Z>ĠAxy#xSF5?575+>C]Pn.``EӲꠘ?BM@U|Rta5@Ig0ؑrGupDnwHFw֔LV;S-Sw4~ߧ\jd}#7 GSB_PfF])Bo$)݆}vScI'g!~\N謦>'҅@)C^7rL!3~JVbͿMn 1=i*4,Vwx(;3.m PO\V+K_#F^8.c⏅P{&؇:R8CqIc^o4 ?: |^r`x(SzQP}*-w9]|~"Qv(>ZWڜ'2Uv}8GR"keI`12vSpN1[ eS ~  K(6 뗻[pACgFp*i8b;$3b]`~HNbz%/ف{s@QybS0 mLA\ .ĚH.ZB}գE#.]+=jϢs\aĞY/d89Tm$A)x?.޻ a$%Y[.%,T;j=! <+^gZ4}u3V,gC;p5E [c?7\RU:K:A(t66(^m] C{ɥёOr W *!>VHix[-:!OO.$O@&ٯ+_&C7| 2"ݝJ`B!];#C4hC@fTYseɱK݃E}(U/!;4Wڍ(+8ݰK"d"m˯6G0f~=ڷMwG'Ԍ '*rdvOGg0~+3cDXJvBjR{ԗw͕)h)E}!OfIy4tX@(&Љpa3;4xP0x3)"R /A4PGV`Q?aNрC鵫-գK7\gOf>4*Dg$0{l xK7XI.?Py XL~ȅZ:QFxtPq5cB3ɹyog#NTS0eƯ0w@X[m&_itjiD́5=̦^)u]اN}B ŒIw|RPG_㨵ܹlu=~d?mG>_"+9"2,aȧ;E X]֔Ϟ!Ǔmx lv!PWGRy,:p=e_> ҺبɚlTrrcMK>~wֹLYK6Kݰ,{}+G1$등I̗dAg)?]9VEn .FӘd!5CS?+"!]B5P96iAY%!.ʥ ,+Rv ?7R}ڕpG}w|RW4ʼn8$&&‘})Fv&R'X>y2[:03TqQpHU&xsqxb<!u+/=(z^wCL1c"CN0EʴFC኏ľkruI7ҧKJ@]*Bq*P`60tliL-{Q7rF7`(0AgSq)qHV[Ċ]q|BwqБbf6'~(|%GþeY?~ a[$x3œy+̽ytLi0Hak~c>!, /fw= •`ΧFV!@~t?kCIX{V^[ 腹u&šŴ[nu3ϵ/;f6?TQU"d_]3[]6ݖon싳K|WY]JTun慃fWpdCeRE2J$A:H%}|XxZelra2K9x9<ܞ^[5W)uڶB<X ꩁܱu*i8;-ډ ϤUOVXM+', )'q5P5+_h -~HO] ou=F 'v VǤ`vK:cGmߛ%>pT9:R `|"~Fb}B;c'v|W~hJ7vHEj n9nWJVlvf~|20bo*qSymPeX(y{,#;|5pktXdò5!˙I/CjiVClRp*|%-e Ud NQZ3 Y uwEr'c~(#I>A%LFM_hVPm0fN {Xm9߀XA|Tw>ż*i%}LgSMEPx5iULq\%tgJ ; z \7, :J+ )T]R ^`YrY#~m$B0c)Gut(dis@(ƅO<}soTV߽SluTkC쾁p p6_@*WtPv>$qt~3ӡ#C&Ē I :2Gq #TmY+ R]Ƨ2H.ϩ&Nh3sx mgxw:1sh`S_X)`2p4+0tESƿlkλG kӧ.jKDl GoF%ЇIKU ԛ$6ct*6I _L(HMZ,?)QI 6v4mThY#/K)2On_pm62ODf7 |no Rja]ܼlzݩLYѼMc%eFdprwD.}# n&kKic{^Y(%YJG|Kl \)WSj*ShQ)BycPiPr&xq?—I%0»TfJ͊κ'Ŷ3'p@Gm 7ѷ*BIs18f(Xжn|hMr&'!ǿ(JBBOOͣ :?)C.(姕81?^r0EaEyŊ0y=H !V0 Ҥ& 6k-;Pv:tn(h ~e|x3 cyZv nT{q2H;kbgfZd>34mLw73.x. 2 CbbyH}dtk]o5@M}N6-*Eh~1okT1N8e0Ԛ7cXrne2ařln++4z b Fs b/s NPECZoo 7ӈYPSo M=EtM}1.7S~+#P^{O{?2}]51k<&D4O(_~[e}N@vAgI} ]èy|z__u{ue)kKbgE FEf!M|Afzé?a!5n5BFDC.jP"D Q u%=>FC{,EBN4vf3DAWN5IJٶD0rMF\:c~ᢡ^CpljZ `QU7uP|obJދ8cs0Cc X9[a}ZL/ϙ`V.JNUr__'d+v뀥St%m`L!T%˅)/>vVnm= 0umD+<3?3~QKRUo؜0T( 9}LF뉒۟4%|YI5ŔM r|1PkE>fl`.3PXPt8ۑV-,?M1ËؓxOW!1--d.VrFb,%KJg_N'8[38HȹhaK;u&.BN8Y:?ǻ^=P)9VR 1AsOMfַHк <ذIX]K+* 嵬ch]C%fpZږ(S^J)xtnih} ,!_$űHPrLm˶~"Swb>Ѱ^./մْ\%:`E ;p螀#[-ټu \tJxXg؀5 O ߑ#[+)b<2Xmzzu-_ >Lf`0~`b H*9Yr)N̥HM_?Q!'edelKgy3_)nք=+K".s#O1#e,kڎ財D4 z(c1nUp}Nl&R/Nx'C/kא|Yѐ@FXq_<VIhRn5x_-;=j}ԯQwhžyYO!FOJI3[q<@f;p" I򜮰CD^z#$RT`nػ>Ey"cjNl 08mv''h^֦ pFOr4¾1<"a&@ˍ^٫NڣIRF9Po,`n Hh2/zD.lN9U|<,N|)&'m FD|W_9srH mVD*XA !"!֗H/kĤ&.oj=Jk c+9XjHuY: >α`Qq9,_/SIx1騎e]飿:9# }934O]/ufWpk+Tz)| Qm2`rWqcZ7x~ {@.5[0|"rxKO/"Ϥ ux74o>fҾC)%vt9g!MQcK9_|OTiA:_57".;3O<]}]bez6K{Lgl:J$bдDXIMTxEe.T^BJ.Ӟ0!Rرt(J.P9<7E IQ>Jt R/b@p7!<)5K۽RI`*T&_jykI8eêKYg<x_2>40l܊ 3=AtL ~/tK-l"H+ggYo4ZY>^EM*/ $ÇF#笇NNpv y 4i89c.7q!~1-WRi^1u$Cm+W?(܁֏DA\#AV{B< TLr+D9_.7YəN,8k>'CK0[~Ƹ hԥkpw'L$EqTNj&Zc2+UMqƚP$HxBB/2M:g"H}!2@B9mF Xހy41>I'~.{Sc=ql&a 2ma VlwWp'mآMx8DӜvw'n"3'gӖƬXa~`vStބ{]nQ:PlX]ojqY:\r'_Ms*?0`w4fVRB e+})j) f}1k9Uœ_z[1}^XhVD<ܶ:`RzCFU93 n7kb{m54 ǔ6}IeJ#Gjv)[IjكYm,/N| !<)=ha4R\6-V# * pBsuA_ӹMǁ!mGd2 [M_!y)b{:,1ªǞ]By;"gt݆ YtI ^"[ɭkq&%_o$*ʶ Cl3JFɶ?e{x*tӶ?u;w ?$Q㢞g|W)fBn\Ý&s;Fւ0 f79Y ۽h CG߻sdTL\5F;ʲqA%_h hhyEuB9PDvv6PWQ5vUx;u^8-H6e hvj[XLM%POvc"7']=R9Ky2'p\  %śkCw&Z; {eFGZ\Sxǀtc&-3H<3ODC,J#nMjlI}X<ox Gl^eGm"YDw/oK"=xllN(q{d3uE[Ea%/F3Δ!ZK[Zrr6@5w vC(@I3`3jbW˵ pe\!,nK94Y0UV\៑d"rx0C:vZ0h>ub*MKz;Rt$Y=4hd}GfQ9.۸$!N$ݸ  {z.oTL @n]|P3AYH9=фG*K/͌_70J{B*ݗNdUF}$Q:#,śfp,S*wƕv^PZa>՗*[ /Ä01JX?]LbxNBGh _NOTm&Z2 d THC是3̏[5eS.exڹO^(101xb i%p<Ħ2 Qq*`LKRwqpkP66Iڥx37ih;ajCio5Lƀۑ)S+?|By)XU."WmH"A2h'|qU#\m'w ]-$ R221r8k5OSʅY6 n]y2P%*/OrF@ Qv-8 5F5P@|+^yB)[?V$R&-}4 Z?F&U֭@)5c<o*ױߺtCwT9E&8"wɼބ\$Hg*/q_.*f e"Ba#=G$C~mP묨c-Z#oG v7z} @zo=,ĮTk YK-Qxz{l6ΐ$RSyC^mSHeahI4E$mǒHMB ,Sl^-)\TJ@8R۔LŰM$M(YE`Qx oO7Qs{aĽTϮjPjE7*< >9UF Y\{/S~t1rˉ7Ca.Hy=[&0Q"΋ڀP=cڟ]ڸϮ9'w0oAMzg']򃫾 :]-Gnpo.iw/RјR/P:>pdcܭ5C~PEk7ii(E O"vnT&U  O-A,=!gX-/L$ NzOǿ>wDN{`~bZ1t z*v O {*0 p1vFr"JUɤ9swD~ryQX4w?Zo0/7.xq9,i8ȦͥNjZ_y-ϼ([t'ƙu,ԔLeOىPBuddF cCfK'ݥ )&_b\y[fB.,;YAXݺՠȓם>:K~YP:'RjQj xD ~ )5$ }'e=cbw:HMF"~@uG?Cߌ(J2 VH?n&Q5h\7Eo HIN )Pg'V":kò?fG:〚~C'p#1~i(9X5%4[FӠ:Nsf=ld"?/sfng^:wvD`g/Ye|Qeb@gY 37FC86eT{rXn>b]'Fd;tgW >|"$Uyg/Cwx`9o՛]x4MNbϑq8wt "lذqEɭ~~E"3 'Ap|sZ }p]zͺ-P&bUk:SsHFX l>+%о| ӧA姯G@4 \$8NH_}R \ҭ>Z)$  v2QRq]z9OBHXf0 ۵` c~O\Vg":'(Әr _o 1s)פ8±(A7*/yS2v!<]%. .VK},B40ȣw;1xxNR  q(=EhLvxŢHj TugڪQaHIzh 'llsAHa=le;{דb_˂-MpJZ/9ZW$5ǖgF}]@YOCH2<̛Bs'ڡHS: t8PGx*;rUtC@16}ߖµ8+0Akw OD`i9S"u!Fk2#[g#ԥyb餾D7E|_.e6GI^,+qe8S J2ж elPDT}@sIU(A_$+9L4f8l˃IϪ66-(>NL0mO\_ƄbG@՛1ͧx*EѾB\8._↮z${L_Ȝ'jA"UU.Bb抔VZ=;0b* :z%hEsbZ3ܘlQ4lH,0yCt.CwlC M i۞JW8NG^_Aʪ]1c="PcdՀވT{II!d$jv`ֽhUCwA?Y t[41 ڿeSSCH|/Y엃'Llԟ'#6 Ȧ݉Yc3-ꊘ}-N- b ߓ\*Y "@dl8C)Ԑd0-Ary0uI>ftUm^;PJZi̺c3ޭ3v]Ɓ3_<\9oʻ1խ5 N`*AY1<ɤc Ԧ"/Y}"Q@Q. 9,3'UW d!eL)}ۗ_4mNZᤩd,XKCNX6m?}!O.3"55`4UQ侠43ٵ="S h-2{P%9g(&FlLƻ}͡jS]4F7pO V^uL`lgL@ehQ)v[܋h)YB =t>}">X4,ǃ f]3Y" ur}'ɽE{DT,,nAEʤP,CXAtxN&2PĖ A kNIZ^o:X(bS\ Akvڻ?K>/@*PͽLn?ʙ{¿_K؛c$fh)r 6@$$VKQk?C>:<%ׯ>@qGCNʏր;Jo|iXfwG3f.I9ΚY枾l7BimtEn^IR.d)V" ϱEAeΒx͔JPqYt@PHr8AdTe/37kMC쾜fPP*JȥDf5CHD>RlG_6`^cJ: "yN2B@FEU wR-5ܹ&N52X0zAV2#P_4SL8)YL)W8fT]C*7j6d=@'\ NL`53Z^j:)xp3xާ);)>LkD+4Ȝ"jGɤ/$Pڂifjv LaNX\:bQ`~Ck,#&%hQr5= T=pWFbOS5vRKb3qC rIv !7s+vGNdԎ7b-}IFk)9jqZ~VM? VY/,Bl>`BŖ#cFw=L+j:і0jxu]IV GW(QȹLB.08[qCezmht(t2T쾝j8ma`l'Q*.RAh E$8P9J-U1`HweV3᠌ XPiҚwgs6lXD妁XDlcы46ZH68sHJ6*DAYikDM*#oDܪㄕP&6,Q7nh{S3/e|sϫ ժR P 8Kt4 N2viXBi%{;=R)7?}C8^rpӵ6KATLUdM CaYe !pY1CIVa Ac2_ERζEN&VP̾:NKP|Oeٮ{QL 5~k+i5(.&X잹>/VZ PW_bV2^騱j0z[ 1MbL`-ҕ1P Zf|KstaqBwOcUO3 3f35uT`AC$kO4Q۩j4:ILKM@ _?"%$F>VM%I4*GnFODӃ(N߱ 7*X_O[t}R!JO&˯4Fg?BV myvW&"8$%>3򂁍9 Lj' ѹft`Kvwסqc,'`4#dQ-qX8=3XL@ ר]t{8ᑩe]ޏE'7J=b9=?QZT$US C{Ԁ}kN C2ŀţ‘.K~{=X:۽F~T_E\`j0n얎 ,2^ .I<A* O>.BQ?@l'- J," NRiu=@S4iQP n4r0T@u{,,N"v#ܰLDžzip8ڙ-nF7f81v={_UB^.YsB{:ig}~Kx7@$ c b-{QB"5\>I͚ \8RP!o5D:@P!a Ȱ d#Tieeԁ磞."ٚy_S'H]R+eGNOx^fS(`YRO%xPr' "TZb"w#ΰ%!t,7jZm3Q5li!3%/'T})ЛWȐ,!sh邯X^X$c+&m RmM/m4?)_Փ\d+l(1Ѕ+0"LaîEx"D RvYhjχ̘%3uU?ҙ)Rido W8,iX3i9[8kl-[Y c;˚aJjh#lV*5]A!NvG28(N"8 pwϱɯi\l v]9/aSt< =>ksdgAOn8gz$.nt=*zBxUc |kr h>[R'rWG1VfWgNl۴NhUִc$J3pd;3t@n{i%+ۛT>WnL@I\K^ᇝšh "<|R.b3ngvyOU[Y+h]^4#e`m#4?ib~?a[2UD(+$kt8)xKsu@l@nΙ|(H)d1z3Og8%[ŐPexp+)'RjkL_<+A Dk5~w&~Ȋ1J} 3FkF33-`I_Y(z$:R #k fFJA)ΐ=a(ߧr}`p]5B-%BMMggz&eя 3]P }aevz851jTϑ)inlO0|mL/&36Tmu#|XyVa,аO:O=IM &rφ{ pG0^AHX*ȕpw5͐:f ~0.ͨzdlĨϟXw ]-(( &86R>FzBsqvGH zg._#О3&SWW"8?r nr2ҷ>I\R&s+7p 6ȹ}|D ] ݃j.8w J@GAl,E@5zFL4+}!9Lmi]"_4Mi97K#D/*2rd IXп`^E_ %M1/TDҪd.ڠ&]iGހbY:+GL$x$eEύ'oEXBV~㦣+ c] YL<0)?9:m:YoBXtNS0i5$G`v/x+Ԗdb^A'M?&qL|? lqV $yWft@FKhwțF3;Z < d2 W?[3ktʊ- pL '+"DoPZ{<;$VLQ .R[Y]x'$ /"Q*%&U3dt=ɕ(w€cGOWtal5R@rs*&;9 {p-jˑRiwg7b ^ OD`a>2!TD״3 od84()k-ܢ,CN_.qaхOx|m6--覅'ǙW#<|/Knf`Ax<گ)U a-k,t7hfI"ZmR9hZg mDf,\-s]M8O~~J N>'bp4pC3OGD(W+:Y\@8b!@N2L˟8~nL9$QPAN?& Q^JPo@Za f U u74z0T&`d`/k!6mjY K8؉)inHF[(c}ȯ^~SIS)R눝vC C>&k6g~WGE/mDt&vqU: 2ޜ`l7fvWzoC\"=.P<:}PK-Fb׾'2=\ !IG٠û(S\,ukWaNGsX)N鸏?TER*,YQM{j!aE<`qGCKR?DҮF(L}0Too 5ϱ5л woHIZmfOŞ6`ůl؀G $}\>QvLtMGܥ8M4gաdmP2f ;J<؞k9ɊcDgGUPG5N!;49 Q8jUj=W{UEƽH"AC!-@ȫQU3:zWaQ$sϭ+Mm]y$tlWBǯ+Ҫ:غX96(fXICҋTBQE vr7$4FTs7Rh#ܕ R, ?Yk\!{'J_\69|S=-M)i9Ęub{_/t/)djb#{=pȗU>Rj>nS9l"Xp%"%n7u_w(#?>kS/8xQ"P[;iLƵ umagk*Η"pŔq7¬u~xv.+F=wy~DAqN[(GFO ıc/x|.k^wv My(0jK֜ȽHOuy;XQI 9K93kFBS乮h_@L<Ժ0b5 CCS.f FdU&e=M<1,7߮$.8T T gf+G4?'E:˭KHcSlR!!$6.p$Lje4W#h˩<.O:8Z:bSqE '8_ zॶBV6`->oaSՏV;/Q-Z行(m+._v݉ˮ'm=΢UiոCx&5'` @ QO%L:aXEdDuז Mfx2)76ǞևDM b)AMX!7-ɏ,WB~k ?z`}Ja<>mى#PAiE*8 lڮ8 JJ:LrlϚ uk%%kvı.%N4pvMDw`8^V5:ܑ񒘈Gkpys)+2!Q-|Ujb)h#-z#g`)s2>Go> 庩( gO%:U:>,@z3E'uSZJOp)߂/߫wEϳ2[q41s @xaf5\%;tPopZ y9GB4"#3'wbkCOTa-#8J]jPrl H\7oIpBTOKmB;Q#V[wS]W~b$D-ݲ*mǑ i43( iAVl2k%pT=p-:TvG" nWpSQ7iح_uJdCC'o?4R'N}f\ItR';~K>f U*c1Osɀ5woPBNC~/DgRt`p"9z*~^pKlj~81Z6M1]fD%fɛiDd94{KFT 7¥ܻ_9|) Fڙ AgO-J&;T,8.J-mvBa%]qmmh j8*'l%o|>5by{_ Y EGoI(%Dk@ ؍Xvt{A`z"$61,[ofpv7:N?_XOQ~f9r6y(]6E1#ŎPϖ82eeA@= jhTΘ!rfǖ|2t!mȔg@4'rRQ/1yD,89T~]}}Zz±ͩU#t$2L[m1lpr+Gixw-n(oYO<G7,  jdOWkn(MR>iP S8~l:OÙ,Z(*.DG.H gXRq=%i5p8ܜ'>Z[i%c%0IB0QK}V}\'u@wTDKC"\䰶CR lSw0tqa?jIvp`!|{ Mx46DX1cMr.  |uMܰ>n54USDDP"gP"Xg {5/[-bP{~09TT+sck|042 GКSW|Rp!ޜY4VUS!ccc~),-bpF&\>B˥o?o8(n6a/cWF),$,A:ѶBQ%k\Bk^Ӡ6w,1Ϩ?٢Q9h=@7cc`{=yp|Pi8VMjK. CH=^u饈(_#*X ۘ薚[~=~I{,)8Nr'h$7ZUupUޝu9 nJ6YB|y84G 8'_b@hEW'{R: r3b<5 `?OƤK?aeU0|ڕFI\O,Q( -⌼ v! Z_dM#QMdh3IqbeMS4؋% A9AvِHKJFpZ{2Vٝb>cm$wsMFO0Ya'۵r#j ڴ0`qr+<`(H )9АZа뭃n <'.}ҧJNCCqmydyCao3ԄwRSxz/. Zd $/P|u~/F)S,{m{ " '+Oq_5Hg]eӯbxeDl"Զީl54Țywnrj V Q= ܩI'OuM )%nFOlw؁"|&KI~,p}}GA}On{jq0j߹@oۛ\?~wOR7<9?aR >'f$U?>N?]fzzYHDgeD= COn-eXݯy[[LrovoPu52},eZ0pۅ'TD6?# 4OqWRfkfeP773KP<Jpx c ^;ĎN'T @koQosHTn4#Q%0u@6 dM8D%IYPv*_W-D!l "ͺ,4fN`yl!2uL1U!H p禶ſCiΏQE;AUpP *-+O+qx21AX_."IǒR9ؙv)&OGʲR]HJR"z2A'pE^7Ġu"X:^ZޏS~1%͞mrx (0IL=%sN*3-Y dUA90ZYu\o03أnxG 49G=uF1C w vkhW'z.Q)hAE'Sl{c~.mj"d<;|#LNjeEa#Yd.hwz8!=LJiMwqQ, W3 \d.+}1Ī|^9\|e3ul$ PhBy:OJ12j_7. Un_uD]/$%:h{ҪȎ6UUi+^8AFKĆ ` YZ