freeradius-server-utils-3.0.21-lp152.2.9.1 4>$  Ap`z鸋/=„3[lhqxqOSP֊aSI%Y( BeXQ1"o:|VHYo@tU%KӪf/YJ\()rR BI̼eF;U2Q*BJ,Q~׶`P. I) e7ђ{Φil/^_N@tESdJ"ecA}韖{I49f8DCmr4R0a j(ARJ"Vر<98e0fa3065c28886991b49aaff20afb6553debe113ad820a780e600570fdc7e071ffd05129b8c111b455a0371e487b1c35fe2b708`z鸋/=„OW)QEY4>C;*D!H{cŏ$ SQl66"};)(r-L^3''/Ri6)]Ry9 ?| JY8Nm:b`p>:71[aýTSZUuf]Avk\" HyӜͫCL[Va{oZsgy J{2u, %#nt@ŇZͳ5ó!tH+[D>p>?d! - @dhtx |   < T l D   L   (H8P'9':G'FGHXIXY\]`^zbcBdefluv\ w xyhzCfreeradius-server-utils3.0.21lp152.2.9.1FreeRADIUS ClientsCollection of FreeRADIUS utilities.`zcloud127openSUSE Leap 15.2openSUSEGPL-2.0-only AND LGPL-2.1-onlyhttp://bugs.opensuse.orgProductivity/Networking/Radius/Clientshttp://www.freeradius.org/linuxx86_64x \~/q`$ J(IX8 O6*w큤`z`z`z2`z`z`z3`z`z3`z`z3`z3`z`z3`z`z`z.`z.`z.`z.`z.`z.`z.`z.`z.43a925211ab30fe41eb2ec934a32d3897f61e6d87246de283ee93c77fbf53ad066f3d707c48dc80f342901ddd37c34f2717d04f0a1160c1f95ebd3df2af595b3ef8ec2f344d438d0fa7f1918130c8459fa4a9cbd45b105519437e451e4aa1242711a04ed63d33134d809fc76e42556140db95106db60495b1b157bf09d1e4b343996e65b5972b50d4e05b843879ed75ab53850c0e29c1d1201de2d0c99b22b8cb697cf1626be74fb2144b692de899dc5d9b1643e98fe12c33bf2f9aaa78a4aedece7df4ef69f248df53dfdbe2318b9b869af38592df4bbbf44706875b9b08c23a9bf299c72d458ef397164d802379e00f132b00d8ca2de7ce54c19a7fd379b669967ef82428e84e711bc78005efcca814202eeee281147b01fce6c0e09cb4517ac75b5c19d977fe528dc805d1f136ba06dd96c43732dbf95aefa2b45a0bdc17be5431156ad54e262fc3f082773d20c81f02a4cede8ef978b46a7de3552dad16196ba22009fad64dade9ab6bbbc196bde12590c3f8ed40cd7e04d98b5ed75a2fe590bf323cbf624d85728e22a9fdee9064246bf3e2b0bdc44a6b02f524b1186bd409c6524b51a94914b84f8cd1a58f989944461db53c964ecae7b19148cda7842f43d03e81e6586d8950891b961214c83f306d7a4f9d528eb356a96ddbcb994712ef1e2f35bf523934869919af2b2177c9ee9e9c0ab6ad52af5b57614b12c2d08bc0e0beb9bee88c9ae9e70ab53b4a5b3de2966aef097e016549c494e4d961771435c618ffe1369697e5f228e99401687c6e2276f9ea75d7ab76232060ef0b549eaad978fa290c5fdce3b0dbb5763b122358d6f2c1056ec755663a4015c8a4d00f0114e9efa73dbea5a5d35fb6b9e20f1942dcece8c48adabb1c4649de10440217dbe6b5b6389623779e0eb9b098e59c0525cc1cd59dd1109cada0e1fc87c00bebcbd784ee828b1cdc019207e918c356a8b51f58ad9a44c364b43c6fe8e4e40d9d7dce30598dc43bf317f3d4d6f29d947c5427c63a93797c274d2b685fc8661f939f4849d961e2bcaa4094c331fa34c28ae5869cd58bbde8e3f59d364d9f342f1rootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootfreeradius-server-3.0.21-lp152.2.9.1.src.rpmfreeradius-server-utilsfreeradius-server-utils(x86-64)@@@@@@@@@@@@@@@@@@@@@@@@    /bin/sh/usr/bin/perlfreeradius-server-libslibc.so.6()(64bit)libc.so.6(GLIBC_2.14)(64bit)libc.so.6(GLIBC_2.15)(64bit)libc.so.6(GLIBC_2.2.5)(64bit)libc.so.6(GLIBC_2.3)(64bit)libc.so.6(GLIBC_2.3.4)(64bit)libc.so.6(GLIBC_2.4)(64bit)libcrypto.so.1.1()(64bit)libcrypto.so.1.1(OPENSSL_1_1_0)(64bit)libfreeradius-dhcp.so()(64bit)libfreeradius-eap.so()(64bit)libfreeradius-radius.so()(64bit)libfreeradius-server.so()(64bit)libgdbm.so.4()(64bit)libpcap.so.1()(64bit)libpthread.so.0()(64bit)libpthread.so.0(GLIBC_2.2.5)(64bit)libssl.so.1.1()(64bit)libssl.so.1.1(OPENSSL_1_1_0)(64bit)libssl.so.1.1(OPENSSL_1_1_1)(64bit)libtalloc.so.2()(64bit)libtalloc.so.2(TALLOC_2.0.2)(64bit)rpmlib(CompressedFileNames)rpmlib(FileDigests)rpmlib(PayloadFilesHavePrefix)rpmlib(PayloadIsXz)3.0.213.0.4-14.6.0-14.0-15.2-14.14.1`@_@_FN^y@^p^h^@\\v{\u*@[<[2*ZZWQYY@YlY, @XO@X@X*Xh@X.@W@WiV@V.Vf@UĝU@U@UU8U7@TZ@TTT~@T|X@Adam Majer Adam Majer Adam Majer Adam Majer Adam Majer Adam Majer Johannes Engel Michael Ströder adam.majer@suse.deMichael Ströder adam.majer@suse.demichael@stroeder.commichael@stroeder.commichael@stroeder.comadam.majer@suse.devarkoly@suse.commichael@stroeder.comadam.majer@suse.demichael@stroeder.comkukuk@suse.deadam.majer@suse.dejengelh@inai.deadam.majer@suse.demichael@stroeder.comadam.majer@suse.demichael@stroeder.comjkeil@suse.demichael@stroeder.comjkeil@suse.dejkeil@suse.dejkeil@suse.demichael@stroeder.comvcizek@suse.commichael@stroeder.comtchvatal@suse.comvcizek@suse.comdimstar@opensuse.orgvcizek@suse.commeissner@suse.com- logfile_secrets.patch: do not log passwords in logfiles (bsc#1184016)- freeradius-server-radiusd-logrotate.patch: move logrotate options into specific parts for each log as "global" options will persist past and clobber global options in the main logrotate config (bsc#1180525)- freeradius-server-radiusd-logrotate.patch: fix permissions in logrotate global section (bsc#1170505, bsc#1174905)- update to 3.0.21 (jsc#SLE-11896) Feature Improvements * New stored procedure for allocating IPs with PostgreSQL Rates of 1500 IPs per second are now possible See raddb/mods-config/sql/ippool/postgresql/procedure.sql * Add SQL IP pool support for Microsoft SQL Server See raddb/mods-config/sql/ippool/mssql/ * Added RCNTEC dictionary. Closes #3168. * Added Pica8 dictionary. Closes #3179. * Add TLS-Client-Cert-Valid-Since attribute holding not Before date Patch from Boris Lytochkin. Fixes #3157. * Generate attributes containing unknown OIDs See raddb/sites-available/tls * Update the WiMAX dictionary. * Added ability to rlm_python(Python2) show a stacktrace from errors. #2979. * Add WiFi Alliance Policy OIDs. See raddb/certs/xpextensions * radmin now shows coa stats, too. * Sample schema extensions for summarizing data in SQL See mods-config/sql/main/*/process-radacct.sql * Update dictionary.aerohive, dictionary.fortinet, dictionary.arista and dictionary.erx. * Added VAS Experts dictionary. * Many updates to RPM and jenkins builds from Matthew Newton. * Added %C (time now in seconds) and %c (microsecond component of now) back-ported from the "master" branch. * Add reload capability to systemd unit file in Debian and RedHat. * Increase timestamp precision in postauth to maximum supported by each database and simplify (and make more consistent between drivers) the timestamps in SQL queries by using expansions. * Option to set dictionary path in raduat script. Bug Fixes * Various fixes found by PVS-Studio. * Set permissions of certificates in bootstrap shell script Fixes #3132. * Increase the 'nasportid' SQL field for 'varchar(32)'. #3141. * Skip processing proxy reply if there are no home servers available. * Update SQLite IPPool queries. Fixes #3177 * rlm_sql_unixodbc fixes. Fixes #2822. * Fixes when building with LibreSSL. * Fix the rlm_python3 build. Note that this module is experimental. #3183. * The rlm_python should append the 'python_path' paths in 'sys.path'. It fixes the expected behavior to use the existing Python modules Fixes #3180. * Fix rlm_python to print the script errors properly. * Bound total query time for PostgreSQL. Fixes #3253. * Many fixes to Oracle sqlippool. It now does 500 IPs per second without any tuning. Fixes #3270. * Reference sqlippool by it's correct name. Fixes #3272. * Revert 3.0.20 patch which caused crashes on duplicate clients. * Update WiMAX-MSK attribute. Fixes #3280. * Fix crash when trying to access non-existant regex capture group. * Use timestamps (request or server) rather than SQL NOW() in accounting queries so that these are stable when replayed from a file buffer. - freeradius-python3_patches.patch: upstreamed- update to 3.0.20 (bsc#1146848) Feature Improvements * Added Force10 dictionary. * Update dictionary.hp with new attributes. #2690. * Update dictionary.aruba with new attributes. #2696. * Fix side-channel leak in EAP-PWD (bsc#1144524, CVE-2019-13456) * Relax OpenSSL version checks, now that their API is both public, and stable. * Note that tls_min_version/tls_max_version also support "1.3" Since there is no standard yet for EAP with TLS 1.3, it will not work. * Added tripplite dictionary from #2760. * Switch to the async interface for rlm_sql_postgresql so that we can enforce query_timeout. * Added new LDAP option 'allow_dangling_group_ref'. * Updated documentation and functionality for EAP session caching See "cache" section of mods-available/eap. * Tighten systemd unit file security. Fixes #2637. * Disable TLS 1.0 and TLS 1.1 support in the default configuration We STRONGLY recommend doing this for all installations. * Add expansions for *outgoing* Radsec connections "%{proxy_listen:TLS-...}" for TLS-Client-Cert-* and TLS-Cert-* attributes. Fixes #2839. * Add %{listen:tls} which returns "yes" or "no" for TLS or non-TLS connections. * Update dictionary.lancom with new attributes. #2847. * Added rlm_sql_mongo. See raddb/mods-available/sql. Note that this module is experimental. * Added more documentation in sites-available/robust-proxy-accounting. * sqlippool now re-allocates unexpired leases, to prevent IP pool exhaustion when clients perform multiple reauthentication attempts * Add support to radmin keep the history in ~/.radmin_history. * Add support for ENV and LD_PRELOAD in radiusd.conf. See the new ENV sub-section of radiusd.conf. * Update dictionary.aptilo. #3002. * Update dictionary.airespace. #3039. * Add sites-available/coa-relay, which makes CoA easier #3045. * Add example stored procedure for IP Pools in MySQL See mods-config/sql/ippool/mysql/procedure.sql * Update dictionary.dhcp dictionary with the recent hardware types. * Add experimental rlm_python3. This should largely work the same as rlm_python, which was Python2 only. * Add Dockerfiles for Debian10 and CentOS8. * Add RPM spec file compatibility for RHEL/CentOS 8. * Notes on certificate constraints. See raddb/certs/server.cnf. * Add NAIRealm example to raddb/certs/server.cnf, for RFC 7585. Bug Fixes * Allow listen.ipaddr to reference an IPv6-only host. Fixes #2627 * ERX-Acct-Request-Reason is "integer". Closes #2635. * Fix a slow memory leak in the file management code. * Try to fix file permissions if they get modified while the server is running * Fix slow memory leak with clients. * Fix request and connection timeouts in rlm_rest. * Fix systemd issues. * Fixes from clang analyzer. * Fix missing include for the dictionaries: alcatel.esam, altiga,alvarion.wimax.v2_2,aptis,asn, audiocodes,avaya,bristol, columbia_university,freedhcp,garderos, infoblox,motorola.illegal, starent.vsa1, telkom, wimax.wichorus. * Fix internal sanity check when running with "-Xx". * Allow "inner-tunnel" virtual servers to work better with "accept" and "reject" policies. * Fix dictionary.huawei data types for Huawei-DNS-Server-IPv6-address and Huawei-Framed-IPv6-Address. * Framed-Interface-ID in postgresql/queries.conf is string, not inet Fixes #2817. * Fix rlm_cache to complain on unknown attributes in the "update" section of its configuration. * Add configure checks for -latomic. This helps on armel, mips and mipsel. Fixes #2828. * Add support to Oracle 19 and 18. Via #2857. * Add support for decoding tags in rlm_rest. Fixes #2848. * Use correct passwords when updating CRLs in raddb/certs/. * Properly separate "originate-coa" packets when accounting packets are read from the detail file reader. * Use the correct virtual server for pre/post-proxy. * radsqlrelay fixes backported from "master" branch * Fix DoS issues due to multithreaded BN_CTX access (bsc#1166847, CVE-2019-17185) - disable python2 for SLE15 and Factory - freeradius-server-enable-python3.patch: enable Python3 module - freeradius-python3_patches.patch: backport python3 fixes from upstream - freeradius-server-opensslversion.patch: updated- Enable memcached driver on SLE15- Add missing BuildRequire on samba-core-devel required for windbind support in rlm_mschap.- update to 3.0.19 (jira#SLE-5890) Feature improvements * Update dictionary.cisco * Update sqlippool to allow for stored procedures with PostgreSQL. This increases performance substantially. Patch from Nathan Ward. Fixes #2540. * Re-added "show client config" command to radmin. * Cleaned up mods-available/sql example so that it is easier to understand. * Added pfSense dictionary. Closes #2581 * Update dictionary.h3c Closes #2592 * Update elasticsearch/logstash config for v6.7.0. * EAP-PWD security fixes from Mathy Vanhoef. See http://freeradius.org/security/ (CVE-2019-11234, CVE-2019-11235, bsc#1132549, bsc#1132664) Bug fixes * Update dynamic_client module and server core so that the functionality works. This has been broken since at least v2. * Fix crash in sqlippool due to escaping changes. Patch from Nathan Ward. Fixes #2532, #2533. * Fix systemd notify, watchdog and unit files. Fixes #2541, #2499. * Fix erroneous length check in EAP-FAST. * Update documentation to remove old "ignore_null" configuration. Fixes #2578. * Fix default POD port. Should be 3799. Fixes #2591 * Correctly encode vendor-specific "encrypted" attributes. Fixes #2600- reformat changelog mostly by wrapping lines - add missing bug numbers for security fixes- update to 3.0.18 * cleanup_delay can now be 30 seconds. This helps with proxies that have packet loss. * Do-Not-Respond policies can now be set in the "post-auth" section. * Encode / Decode ADSL Forum DHCP options. * Fix module ordering issues. e.g. when "sqlippool" needs "sql". See the "instantiate" section of radiusd.conf. * Add Big Switch dictionary. Fixes #2252. * Add sql_session_start policy (raddb/policy.d/accounting) This minimizes race conditions when using Simultaneous-Use (#2257). * For rlm_perl, all variables are now tainted by default. See raddb/mods-available/perl, and the "perl_flags" configuration item. This change should only affect people who are using variables in insecure ways. * Allow "sqlcounter" module to be listed in "post-auth". * Add support for IPv6 attributes in SQL. Fixes #2280 * The server is better at handling fail-over for outbound RadSec and TCP connections. Fixes #2284. * The server is now more aggressive about retrying failed outbound RadSec and TCP connections. Fixes #2284. * Add TLS-Session-Version and TLS-Session-Cipher-Suite to the "session_state" list. * Add expansion for Radsec connections. "%{listen:TLS-...}" for TLS-Client-Cert-* and TLS-Cert-* attributes. * Add notes on running "ldapsearch" using the parameters from the LDAP module. * "ipaddr" attributes can now be cast to "integer" type attributes in an "update" section. * Move main thread queue to using atomic queues. This should help with contention in high load scenarios. * Add "recv_buff" setting to listeners. For more details, see sites-available/default. * The sqlippool module can now use attributes other than "Pool-Name" to assign IP pools. The "Pool-Name" attribute is still the default. * The "unpack" expansion can now unpack substrings. See mods-available/unpack for documentation and examples. * The preprocess module now does "ciscvo_vsa_hack" for Eltex-AVPair Fixes #2301. Vendors SHOULD NOT USE THAT KIND OF ATTRIBUTE. * Allow for -LDAP-UserDN. See mods-available/ldap for more information. * Add sanitizing of control list for moonshot. Fixes #2318. * Update rlm_sql_mysql to be compatible with MySQL 8 Fixes https://bugs.launchpad.net/bugs/1795310. * Allow logging of only Access-Accept or Access-Reject messages See radiusd.conf, "auth_accept" and "auth_reject". * Removed Connect-Rate comparison. It was unused and broken. * Add dictionary.infinera. * Use OpenSSL HMAC functions instead of local ones. * Some SQL modules can now use "auto_escape" to escape unsafe strings See mods-config/sql/main/mysql/queries.conf. * Add wispr2date conversion in mods-available/date. * Implement dictionary-based handling in rlm_python. Fixes #2334 See mods-available/python for details. * Add support for SKIP LOCKED in sqlippool. This can improve performance by an order of magnitude or more. See raddb/mods-config/sql/ippool/*/queries.conf Fixes #2383 * Allow PSK and certificates at the same time Except for TLS 1.3 which does not support that. * Update docker scripts. Fixes #2306 Patch from Matthew Newton. * Add crypt xlat. * MySQL connections can now skip verifying the server certificate. Fixes #2481. See mods-available/sql. * Add better mechanism to detect MariaDB (Old MySQL). * Add RFC 7532 "bang path" support for realms Fixes #2492. * Update dictionary.ukerna documentation. Fixes #2493. * Add support for systemd service and watchdogs Fixes #2499. * Check for openss/rand.h, and allow building without OpenSSL engine. Patch from Eneas U de Queiroz Fixes #2517. * The default PosgtreSQL queries now use "ON CONFLICT" to better deal with issues. This requires PostgreSQL 9.5 or later. Please use a recent version of PostgreSQL, or edit the default queries to remove "ON CONFLICT". BUG FIXES * The session-state list is no longer cleaned in the inner-tunnel. This lets the outer Access-Reject section access session-state. * Fix typo in lock initialization for TLS sockets Found by Sergio NNX. * Add check for crash when home server down Fixes #2233. * Add username key for postauth table. * Better libpcap checks, when the header files or libraries are missing. Fixes #2245. * Allow building with old versions of OpenSSL Fixes #2247. * Allow non-FreeRADIUS State attributes to be used with the "session-state" list. i.e. State length != 16. * Be more aggressive about cleaning up zombie children when running in debug mode. * Use LTDL_DEEPBIND, which fixes issues with Oracle libraries exporting LDAP API functions. * unlock files when asked to unlock them. * return error instead of asserting in map code. * Don't write 0 bytes to SSL. Fixes #2270. * Remove "expiry_time IS NULL" from allocate_update query. Fixes #2262. * Various dictionary cleanups and consistency checks Fixes #2281. * rlm_python has stronger thread locking to prevent reported issues. Performance may be affected. * Don't allow Message-Authenticator to overflow past the end of a large packet. * Fix crash in sqlippool when SQL server goes away Fixes #2300. * Typos in man pages. Patch from Nikolai Kondrashov Fixes #2303. * Fix crash with CoA packets/ Fixes #2304. * Fix crash in rlm_exec with CoA. Fixes #2328. * Print errors while parsing the log config, and don't quit when deprecated log settings are found. * Fix DHCP encoder xlat so that it can be used with a list of attributes. It previously only encoded the first member of the list, and now encodes all members. * The "expr" module now skips more whitespace. * Remove internal FreeRADIUS-Response-Delay attributes from attr_filter Access-Reject. * Don't send junk to redis when maximum args reached. * Small updates to IPv6 for accounting schema Fixes #2364. * Fix OpenDirectory integration in rlm_mschap. * Fix slow memory leak with dynamic clients. * Don't artificially truncate debug output for long strings. * Fix memory leak in EAP-PWD. * Fix crash in "hints" file with Fall-Through = yes. * Fix crash / timer issues with many CoA packets. * Fix attr_filter so that it does not treat vendor attributes of number 26 as Vendor-Specific. * Fix reconnect correctly in rlm_sql_mysql. * Fix rlm_cache to properly use Cache-TTL < 0 Fixes #2485. * Fix rare occurance of bad xlat expansion. * Check for rare race condition when a proxy reply arrives too late.- install license as %license instead of documentation- also fix ownership of /var/log/radius in systemd unit- update to 3.0.17 Feature Improvements * Add CURLOPT_CAINFO. Patch from Nicolas C #2167. * "stats home server" now supports "src IPADDR", to specify home server also by source IP. Fixes #2169. * Add Dockerfiles for a selection of common systems. * Increase number of permitted file descriptors, for systems with many home servers. * Add TLS-Client-Cert-X509v3-Extended-Key-Usage-OIDs Patch from Isaac Boukris. Fixes #2205. * Update main READMEs. Patches from Matthew Newton. * Added dictionary.mimosa. Bug Fixes * Don't call post-proxy twice when proxying to a virtual server. Matthew Newton, #2161. * Use "raw" string value for shared secrets and dynamic clients It now parses strings with backslashes and "special characters" correctly. Fixes #2168. * Fix RuntimeDirectory for RedHat, from Alan Buxey. * Relax checks in 'if' parser from Isaac Bourkis. * Minor cleanups for %{debug_attr:&request} from Isaac Boukris. * Be more aggressive about cleaning up cached certificate attributes, due to deficiencies in OpenSSL. Reported by Nicolas Reich. * Be more accepting when parsing IPv6 addresses. Bug noted by Klara Mall. * Fix double free in rlm_sql. Fixes #2180. * rlm_detail now writes empty Access-Accept packets. * rlm_python can now create tagged attributes. * Don't crash on duplicate realm + authhost / accthost * Allow partial certificate chain to trusted CA. Fixes #2162. * Treat SSL_read() returning zero as error. Fixes #2164. * detail writer now checks if the file was renamed or deleted. * Add User-Name to Access-Accept if EAP-Message exists, not Stripped-User-Name. * RedHat Systemd updates. Fixes #2184. * Use correct API for State variable in rlm_securid. * Remove broken radclient option "-i". * Fix "users" file (and hints, etc). So that it does not get confused about entry ordering with multiple $INCLUDEs. * Fix rlm_sql to expand the un-escaped string, not the raw string. * Link default and inner-tunnel only if they exist. Fixes #2206. * Don't use both IP_PKTINFO and IP_SENDSRCADDR. * Always install signal handler for SIGINT (needed by Docker). * Fix intermediate CA flow for OCSP. Fixes #2160 Intermediate certs which are not self-signed will now be checked. * sqlippool now returns "fail" if it fails IP allocation. * Fix rlm_yubikey to look for correct attribute in replay attack check.- update to 3.0.16 Feature improvements * rlm_python now supports multiple lists. From #2031. * Add trust router re-keying. From #2007. * Add support for Samba / AD LDAP schema. See doc/schemas/ldap/samba/README.txt and doc/schemas/ldap/samba/ * Add "tls_min_version" and "tls_max_version" to EAP module for Debian OpenSSL issues. * Better documentation for client certificates in PEAP and TTLS: it usually doesn't work. Fixes #2068. * Distinguish login failure from AD unavailable. Fixes #2069. * Update RH spec files. Fixes #2070. * Run Post-Proxy-Type if all home servers are dead. Fixes #2072. * Print offending IP addresses when EAP sessions come from two upstream home servers, and rate-limit the messages. * Minor packaging updates. * Better documentation for rlm_rest. * EAP-FAST now has it's own "cipher_list", so that it is easier to configure. * EAP-FAST now forcibly disables TLS1.2, until such time as we implement the new keying mechanism from TLS1.2. * Add documentation for allow_expired_crl. * Update Debian logrotation. #2093 and #2101. * DHCP relay can now drop responses. #2095. * rlm_sqlippool can now assign Delegated-IPv6-Prefix. It also now can assign any IPv4 or IPv6 address. Based on patches from maximumG. #2094. See raddb/mods-available/sqlippool for changes. * radeapclient can now use EAP-SIM-Ki to dynamically create the necessary triplets. * Explain why many LDAP connections are closed. Fixes #1969. * Debian build / package issues fixed by Matthew Newton. * dictionary.patton updates from Brice Schaffner. Fixes #2137. * Added scripts to build "inner-server.pem", and updated mods-config/inner-eap and certs/README to match. * Added provisions for using an external CA. See raddb/certs/ * Include dhcpclient binary in freeradius-dhcp debian packge. Bug fixes * Bind the lifetime of program name and python path to the module FR-AD-002 (redone) * Pass correct statement length into sqlite3_prepare[_v2] FR-AD-003 (redone) * Allow 100-Continue responses with additional headers in rlm_rest. * fix corner case where detail files were not being locked correctly. * Fix (SQL-Group == "%{...}") checks, and same for LDAP-Group. Fixes #1947 * Clean up exfile code. Which should help to avoid issues with reading / writing 100's of detail files. * Fix build for winbind. Patch from Alex Clouter. * Fix checkrad for Mikrotik. Patch from Muchael Ducharme. * Fix home server stats lookup. Patch from Phil Mayers. * Add libjson-c3 as an optional dependency. * Require LTB OpenLDAP on CentOS / Redhat, to avoid linking against NSS, which breaks the server. Fixes #2040. * rlm_python fixes. Fixes #2041 * Typos in "man" pages. Fixes #2045 * Expand "next" in %{%{...}:-%{...}}. Fixes #2048 * Don't add TLS attributes twice. Fixes #2050. * Fix memory allocation in rlm_rest. Fixes #2051. * Update trustrouter for new API. Fixes #2059. * Fix SQLite issues on FreeBSD. Fixes #2060 * Don't do debug logging of bad passwords. Fixes #2064. (bsc#1099802) * More graceful handling of "die" in rlm_perl. Fixes #2073. * Fix occasional crash when using cisco_accounting_username_bug = yes * EAP-FAST fixes from Isaac Boukris. [#2078], #2076, and #2082, #2126. * DHCP fixes, relay, #2092, add run-time check, #2028 * Decode multiple RADIUS packets at a time in highly loaded RadSec connections. Patch from Jan Tomasek. #2106. * TunnelPassword is not "single value" in LDAP schema. Fixes #2061. * sql log now opens the expanded filename, not the input one. This was a regression introduced in 3.0.15. * Remove unnecessary UNIQUE constrain in Oracle schemas. * Fix SSL thread and locking issues when modules also use SSL. Fixes #2125 and #2129. * Re-add dhcpclient "raw packet" changes. Patches from Nicolas Chaigne and Matthew Newton. Fixes #2155.- Fix permissions of radiusd.service (bnc#1053654)- bsc#1055679 - freeradius-server does not provide winbind/AD auth Added libwbclient-devel as buildrequires- update to 3.0.15 with security fixes for issues found via fuzzing by Guido Vranken (bsc#1049086) https://freeradius.org/security/fuzzer-2017.html * CVE-2017-10978: FR-GV-201 (v2,v3) Read / write overflow in make_secret() * CVE-2017-10983: FR-GV-206 (v2,v3) DHCP - Read overflow when decoding option 63 * CVE-2017-10984: FR-GV-301 (v3) Write overflow in data2vp_wimax() * CVE-2017-10985: FR-GV-302 (v3) Infinite loop and memory exhaustion with 'concat' attributes * CVE-2017-10986: FR-GV-303 (v3) DHCP - Infinite read in dhcp_attr2vp() * CVE-2017-10987: FR-GV-304 (v3) DHCP - Buffer over-read in fr_dhcp_decode_suboptions() * CVE-2017-10988: FR-GV-305 (v3) Decode 'signed' attributes correctly * FR-AD-002 (v3) String lifetime issues in rlm_python * FR-AD-003 (v3) Incorrect statement length passed into sqlite3_prepare- update to 3.0.14 (still FATE#322416) Feature improvements * Enforce TLS client certificate expiration on session resumption, and Session-Timeout. See CVE-2017-9148 (bnc#1041445) * Updated dictionary.cisco.vpn3000, dictionary.patton * Added dictionary.dellemc * Lowered the log output for failed PEAP sessions. * ALlow utc in rlm_date. * The internal OpenSSL session cache has been disabled. Please see mods-available/eap * Update detail reader documentation. * Make outgoing RadSec connections non-blocking. * Add SQL backing to Moonshot-*-TargetedId generation. Bug Fixes * radtest uses Cleartext-Password for EAP, not User-Password. * Update documentation for mods-enabled/ linking. * Enhanced checks for moonshot salt. * Allow session resumption for RadSec connections. * Update "huntgroups" file to note that port ranges are not supported * Fix OpenSSL permissions issues on default key files. * Certificates are not required when PSK is used. * Allow SubjectAltName as first extension in cert. * Fixed talloc issue with TLS session resumption. * "&Attr-26 := 0x01" now produces useful error messages. * Handle connection error in rlm_ldap_cacheable_groupobj. * Fix endian issues in DHCP. * Multiple minor fixes for Coverity complaints. * Handle unexpected regex. * Fix minor issues in dictionaries. * Fix typos and grammar. Patches from Alan Buxey. * Fix erroneous VP creation in rlm_preproces. * Fix MIB. Patch from Jeff Gehlbach. * Trust router updates from Alejandro Perez. * Allow build with LibreSSL. * Use correct packet for channel bindings. * Many fixes found by PVS-Studio. Thanks to PVS-Studio for giving us a test license. Please see the git commit history for more info. * Fix incorrect length check in EAP-PWD. This may be exploitable. * Stop rotating session database files (radutmp, radwtmp) since these are not logfiles. - freeradius-server-radiusd-logrotate.patch: updated- removed obsolete freeradius-server-fix-cert-bootstrap.patch because recent /etc/raddb/certs/bootstrap simply works - update to 3.0.13 (still FATE#322416) Feature improvements * Add dictionary.rfc7930. Note that we do not implement the RFC. * Added 'cipher_server_preference' to mods-available/eap Patch from #1797. * OpenSSL 1.1.0 compatibility fixes. * rlm_perl: radiusd::xlat to evaluate xlat string within perl script * Allow authentication retry in winbind. Patch from Herwin Weststrate. See raddb/mods-available/mschap. * Added "recv-coa" method to rlm_rest. It behaves the same as "authorize". * Document Trust Router tr_port option. Patch from Stefan Paetow. * Update elasticsearch/logstash examples so that they work with elastic stack v5. Patch from Matthew Newton. * Print information about packets, replies, and contents in the detail file reader. * Update abfab-tr policy. Pull request #1893 from Stefan Paetow. * Reject packets which contain User-Password and EAP-Message. * Add example for filtering Access-Challenge. See sites-enabled/default. * Pull symlink fixes from v4.0.x. Fixes #1859. * Add systemd reload. Not everything is reloaded, but some is. Fixes #1662. * Better documentation for listen "ipaddr". Fixes #1921 * Add dictionary.cnergee, updated dictionary.nomadix. * radclient no longer needs -x to print statistics with -s. Bug fixes * Minor typos. Fixes #1763 * Fix typo in RPM build. Closes #1767. * rlm_mschap check for password expiry only if password was correct. Fixes #1762. * Update debian build. * update rlm_counter "man" page. Fixes #1775. * Remove erroneous assert. Fixes #1778. * fix mschap password change test. Fixes #1792. * Cleanup config file on data remove. Fixes #1795. * passwd module returns "notfound" if not found. * Check for old OpenSSL, and don't build rlm_eap_fast if it necessary. Fixes #1803 * Cleanup memory better after ldap version query. Patch from Aleksey Katargin. * Rename lt_* functions to avoid linker issues with libtool. Fixes #1277 * Many miscellaneous fixes and typos. * Allow long strings in %{%{foo} bar:-%{baz} blah". Fixes #1866 * Fix filtering operators, along with more documentation and more tests for them. * Fix OpenSSL fixes. Fixes #1876. * Finish SQL select queries even when SELECT returns no rows. Fixes #1879. * Set Module-Failure-Message for more EAP errors. * Correct typo in dictionary.rfc5580. Fixes #1882 * Remove obselete systemd syslog.target. * Client-Port-Balance load-balancing now uses client port. * Radrelay examples fixed from Alex Clouter. * Update systemd target. Pull request #1896. * Trim starting whitespace in xlat strings. * Get MySQL result lengths using normal API. * suid down after fchown(). Fixes #1914. * Fix cases of comparing pointer to NUL character. Fixes #1915. * OpenSSL v1.1 fixes. Pull request #1921. * Better Handle v4/v6 host names. Pull request #1919. * Remove "Auth-Type = System" from docs and examples. * Don't crash on malformed %{home_server}. Fixes #1922 * fix erroneous use of talloc destructor in rlm_eap * Issue trigger modules.sql.fail. Fixes #1923 * Document python_path gotcha's. Fixes #1845 * dlopen() the specific version of Python. Fixes #1592- Don't require insserv if we use systemd - Remove require for unused fillup- Merge changes from SLE to openSUSE (FATE#322416): * freeradius-server-radclient-init-error-buffer.patch - make sure we initialize error buffer. bsc#911886: radclient error free() invalid pointer * freeradius-server-opensslversion.patch: remove OpenSSL version check and assume we know what we are doing. (bnc#1013311) * merge .changes file, mostly. - do not attempt to detect "vulnerable" OpenSSL versions. SUSE security fixes do not necessarily bump version numbers as does upstream OpenSSL (bnc#1021375) - do not generate certificates in %post. End-user needs to do this manually. - keep FreeTDS disabled on SLE12 - we never shipped it enabled - require OpenSSL 1.0+ - use pkgconfig(systemd) instead of plain systemd as BuildRequires - don't list manual pages as %doc- Remove --with-pic which is for static libs only. - Use SUSE RPM group names. Trim filler words from description. - Do not hide errors from groupadd/useradd.- Add upstream keyring - 2 new modules: rlm_sql_freetds and rlm_eap_fast- update to 3.0.12 - still fate#320481 The focus of this release is stability. * Feature improvements + Add support for =~ and !~ in update sections. See "man unlang" + Add dictionary.checkpoint. + Simultaneous-Use prints out more information. + Print WARNING in debug mode when packets may be truncated. + Added expansions %{home_server:state} and %{home_server_pool:state}, which show the state of the server / pool. + Mark rlm_sql_freetds as stable. + Make rlm_perl less fragile. Patch from Herwin Weststrate. + Allow extended attributes to have "encrypt=2" + Update dictionary.aruba. + Add support for EAP-FAST. This is an isolated feature which does not affect anything else. + Update OpenSSL vulnerability list. Use a version of OpenSSL released after September 20, 2016. + EAP certificate verification is now done when "verify" is enabled and "ocsp" is disabled. + New dhcpclient and rlm_rad_counter man pages. + Minor abfab and moonshot additions. + Pass CFLAGS through from environment in RPM builds. Allows more custom builds. + Build with Heimdal in addtion to libkrb5. * Bug Fixes + Use correct typedef for older versions of sqlite. + Update mssql schema to add priority + don't complain on /dev/urandom in ldap + fix == operator in update sections + Don't create DHCP strings with many trailing zeros. + Allow MS-CHAP change passwords instead of complaining on large buffer. + Allow assignment or equality operator on SQL. + Update aclocal tests for FreeBSD 10. + Remove occasional hang in rlm_linelog. + Copy VSAs to inner tunnel for TTLS and PEAP. Fixes #1544 + A few minor bugfixes caught in v3.1.x cleanup, and back-ported to v3.0.x. + do_not_respond again works in post-proxy + Allow realm "~^.*$" {} and User-Name with no realm. + Fix leak when creating unknown attributes + Fix Debian / logrotate. + Make OpenSSL error functions thread-safe. + Fix crash with rlm_sql and updating SQL-User-Name. + Debian build updates. + Allow regular expression comparisons in radclient. + Fix memory leak on unknown attributes in detail file reader. + Update example paths in "man" pages when installing them + Build fixes for rlm_mschap. Fixes #1489. + BSD build fixes. Patch from issue #1583. + Be more careful about /lib/ when building. Fixes #1585. + Correct ifdef placement error. Fixes #1572. + Allow for more files in internal "exfile" API So it will be possible to open more than 64 "detail" files at the same time. + Remove support for statically built EAP modules. Fixes #1591. + Many fixes to rlm_python from Guillaume Pannatier. + Use correct week adjustment in SQLcounter. Fixes #1608 + Minor fixes to allow compilation without DHCP, VMPS, or TCP. + Fix checks for module / config file change on HUP. + Compile regex comparisons when sent via "debug condition". + Update filenames in documentation and examples. + Don't crash if SQL connection becomes unavailable. + Disallow originate_coa when proxy_requests = no. + Free rad_perlconf_hv in correct perl context. + Multiple fixes for Debian builds. #1510, among others. + Set OpenSSL FIPS compatibility flag when necessary. + Pulled fixes for the build system over from other branches. + Fix OCSP for RADIUS over TLS. + Fix skip_if_ocsp_ok behavior. + Better fixes for systems without closefrom() but which have /proc. + Minor build fixes back-ported from v4.0.x. + build --whout-ascend-binary. Fixes #1761. + Be more aggressive about not opening new connections in debug mode after CTRL-C. Address #1604.- use %{with} macro for conditional inclusions instead of hardcoding version numbers - improved package descriptions - fixed builds on SLE12 and SLE11SP4- removed installation of experimental module rlm_sqlhpwippool.so - update to 3.0.11 (fate#320481, bsc#961479, CVE-2015-8763, bsc#935573, CVE-2015-4680) * Changes of version 3.0.11 + Feature improvements - "unlang" comparisons of IP addresses to IP prefixes are now detected, and types automatically cast. - Allow shorthand form of ipv4prefix values e.g. 127/8. - Add "auto_chain" to raddb/mods-available/eap, tls subsection. This allows the disabling of OpenSSL auto-chaining of certificates. Which might be wrong. - Added printing of coa and disconnect stats (radmin). - radclient defaults to expecting Access-Accept responses to Status-Server. - Updated dictionary.lancom, dictionary.starent. - Portability fixes for Solaris. - More errors from ntlm_auth gets passed to MS-CHAP. - Update abfab-tr-idp virtual server. - Added "filter_password" in policy.d/filter. This removes embedded zero bytes in User-Password, for compatibility with broken clients. - The server now issues a WARNING message if duplicate configuration items are found. - TLS can skip the "verify" section if OCSP returns OK. See raddb/mods-available/eap, "skip_if_ocsp_ok". - Set TLS-OCSP-Cert-Valid = yes / no / skipped, which is the result from the OCSP check. - Interoperate with AD and "LmCompatibiltyLevel = 5", by always setting WBC_MSV1_0_ALLOW_MSVCHAPV2 for native winbind in rlm_mschap. - TTLS and PEAP now require "virtual_server" to be a real server. - Print WARNING when TTLS or PEAP identities are spoofed or not properly anonymized. See RFC 7542 for requirements. - Various rlm_python fixes from Herwin Weststrate. - Allow setting Response-Packet-Type in "Post-Proxy-Type Fail", which is useful when the home server does not respond. - elasticsearch updates from Matthew Newton + Bug Fixes - Fix issue where field nas_type would not be accessible via the %{client:} xlat, for clients loaded from SQL. - Fix compatiblity issues with OpenSSL 1.0.2. Ignore calls to msg_callback with 'pseudo' content types. - Data type "ipv4prefix" is parsed correctly. - Use correct talloc context in rlm_exec. Fixes #1338. - Complain in unlang if "else" is used with no previous "if" or "elsif". - Send accounting status packets to the accounting port. Fixes #1364. - Print out CFLAGS when doing "radiusd -Xxv" - Fixed bug with coa/acct stats value #1339. Based on patch from Jorge Pereira. - Fixes for LEAP proxying. Don't use LEAP! - Fix issue with "directory already exists" seen when doing "make install". - Fixed bug with radmin related to the option "stats detail " - Complain if the detail file reader does not have permission to read the "detail.work" file. Fixes #1398 - Fixed SoH. Attributes were not being copied to the virtual server. - Used a wrong list to global statistics in "stats". - Create EAP-PWD identity correctly. Prevents segfaults. - Dynamically validate authentication types for PEAP and EAP-MSCHAPv2. - Fix includes in installed headers. - OpenSSL 1.0.1f and 1.0.1g do NOT calculate TLS 1.2 keys correctly. See raddb/mods-available/eap, "disable_tlsv1_2" - Allow password change to work for MS-CHAP. This requires 'r=0', because password changes are not retries. - Fix home server fail-over for home servers using TCP and/or RadSec. - Special characters in expanded regexes are now escaped e.g. User-Name containing '.', and comparing /%{User-Name}/, the '.' will now be escaped. See src/tests/keywords/regex-escape. - Use correct authentication vector when sending Access-Reject replies for RadSec. - Set FreeRADIUS-Proxied-To in TTLS again. You should use the "inner-tunnel" virtual server, instead of relying on this attribute. - Fix debugging constants in rlm_perl. Patch from Herwin Weststrate. - Add samba-dev / samba4-dev to debian builds so that rlm_mschap can automatically use the new winbind API. - Automatically skip zero-length attributes when sending packets, instead of erroring out.- fix bsc#951404 * Rebuild of freeradius-server package fails * fix source url - ftp://ftp.freeradius.org/pub/freeradius/ + ftp://ftp.freeradius.org/pub/freeradius/old/- update to 3.0.10 * Changes of version 3.0.10 + Feature improvements - Do more optimization of unlang policies. This makes run-time a bit faster. - Re-name most of the functions in src/lib. Third-party module authors will have to do the same. - More documentation on contributing and how to write modules. - Update radiusd.service for systemd. - Open IPv6 proxy socket if the server is listening on IPV6 auth / acct / coa packets. - Create debian packages for DHCP. Fixes #1125. - Add more tests for "update" section parsing. - Update "man" pages. - Update attributes for Alcatel 7750 - Add dictionary for Boingo Wi-Fi - Add support for DHCP lease queries. See raddb/sites-available/dhcp - On HUP, check all modules for config files which have changed. And only re-load those modules. - Allow FreeRADIUS-Response-Delay(-USec) to be set for RADIUS packets. Patch from Herwin Weststrate. - Documentation fixes from Alan Buxey and Matthew Newton. - Update "logrotate" script. - Added more RFCs to doc/rfc for new standards implemented by FreeRADIUS. - Don't crash when doing "radmin -e "help hup". Patch from Matthew Newton. - The dictionary parser now does more sanity checks, which prevents run-time problems with invalid attributes. - Update debian packages. Patches from Christopher Hoskin. - Many other debian packaging fixes from Matthew Netwon and Herwin Weststrate. - Add "session-state" to Perl. Patch from Herwin Weststrate. + Bug Fixes - Fix rlm_files so that there are no collisions when loading 10's of 1000's of users. - Fix radclient to use our internal v4/v6 parsing functions. v6 addresses with ports now work correctly. - Fix sending/receiving packet messages to wrap v6 addresses in square brackets '[]'. - Check for sasl/sasl.h when building rlm_ldap, and disable SASL functionality if unavailable. - Fix issue which caused a non \0 terminated buffer to be assigned to attributes if the value being assigned contained an invalid escape sequence. - Fix deadlock when reconnecting connections in the connection pool. - Fix potential overrun in functions that used fr_utf8_char with a non nul terminated buffer. - Fix decoding issue for Tunnel-Password type attributes which were very long. Found by Denis Andzakovic. - Fix radclient issue with TCP sockets on FreeBSD. - The server now creates ${run_dir} and ${logdir} directories in daemon mode, when running as "root". - Handle tags when using maps. Fixes #1191. - Fix crash when CoA packets time out. - Fix parse error in rediswho - Fix regex support in SQL radcheck the "users" file and radsniff. - Register listen xlat earlier, so that it's available when the virtual servers are being parsed. - Parse Ascend-Data-Filter when given as "0x..." - Print Ascend-Data-Filter correctly. Add test cases for both. - Allow old-style clients again. They will be disallowed for 3.1.0 and following. - Complain instead of crash when "else" and "elsif" are in the wrong place. - Clean up memory more aggressively. This lowers the maximum memory used, most typically for TLS based EAP methods. - Prevent the server from unlinking the control socket of an already running instance. - Fallback to using the configured OCSP URL if one exists, and no URL is provided in the certificate. - Return CoA-NAK if proxying CoA fails. Based on patch from Jorge Pereira. - Lower peak memory usage by decreasing size of internal memory pools. - The control socket is now left in place if a second copy of the server is accidentally started. - Allow virtual attributes in "switch", "case", etc. Fixes [#1240] and #1265. - Many spell check / typo fixes in comments and example configuration files. - Better handle multiple DHCP listeners. - Don't print secrets for old-style realms. Fixes #1267. - Don't fall through in empty "case" statements. Fixes #1274. - Update EAP-TTLS so that MPPE keys are correctly calculated with TLSv1.2. - Always delete MS-MPPE-* from the TTLS inner tunnel. This allows TTLS / EAP-MSCHAPv2 to work. Fixes #1206. - Fix off by one error that caused some MSCHAP-Error messages to be sent without the password change version (V=3) and the textual message component (M=). - Always include C= V= and M= in MSCHAPv2 errors. RFC 2759 does not say that any of these fields are optional, and not including V= caused errors with wpa_supplicant. - Do not include M= in MSCHAPv1 errors. It's not supported.- Fix boo#912714: freeradius can't use ntlm_auth * Create winbind group * Add radiusd to winbind group- Remove gpg signature file * The gpg signature checking is broken and doesn't work- Fix bsc#935573: Insufficent CRL application for intermediate certificates * CVE-2015-4680 * freeradius-server-CVE-2015-4680.patch based on https://github.com/FreeRADIUS/freeradius-server/commit/a03814af310bb3bee74ea012546d99c48b0ea5c3- update to 3.0.9 * Changes of version 3.0.9 + Feature improvements - Make "pool" configurations more consistent, and update documentation for them. - Move connection pool logic to "most recently started", instead of MRU. This should help with pool stability. - More VSAs for 3GPP2 - Added examples of multi-value attributes to rlm_perl. - LDAP-Group and SQL-Group attributes are now dynamically allocated. - Only the "sql" module registers SQL-Group. Other instances register "instance-name-SQL-Group", similarly to "ldap". - Unknown attributes are now complained about more often when used in unlang statements. e.g. if (Foo-Bar == 3) used to be a string to string comparison. It is now a parse error. - Rename RLM_COMPONENT_* to MOD_* in the code. This makes many things easier. - Move to C99 initializers for modules. - Load modules in raddb/mods-enabled. This allows attributes like "LDAP-Group" to be used in the "files" module, without explicit ordering or listing in "instantiate". - Added 'bootstrap' section to modules. Third-party modules will need to be updated. - When adding clients from a DB, add them to a virtual server if that virtual server has a "listen" section. Otherwise, add the clients to the global list. - When reading dynamic clients from a file, don't expire them if the underlying file is unchanged. - Allow the server to originate CoA requests from the post-auth stage. - The server creates ${run_dir} and ${logdir} in daemon mode, if they do not already exist. - Add dictionary for Wi-Fi Alliance Hotspot 2.0. The server now supports all mandatory and optional attributes for this specification. - HUP now re-loads the configuration only if the files have changed. If all files are unchanged, HUP re-opens the log file, and does nothing else. - Much better debug messages for EAP-TLS, including which attributes are cached, and when they are retrieved. - Increase default max_requests to 16384. Memory is cheap now. - Added "stats memory" commands to radmin. Debug build only. - Aptilo controller dictionary updates. - SQL modules now use Acct-Unique-Session-Id everywhere. - The redis modules are now stable. - The LDAP module now supports SASL "interactive bind" method. This allows Kerberos based administrator and user binds. - DHCP code is now in libfreeradius-dhcp. - More DHCP encoding / decoding unit tests. - rlm_replicate can now be listed in the "accounting" section. - Better sqlite debugging output. - Remove "required" option from many sql_ippool directives. - Set default CA "basic constraints" to "critical". Fixes #1073 - Updates to help / man pages from Jorge Pereira. - Added more tests. + Bug Fixes - Be more careful about unused config item warnings when using -Xx. - Move more defines to be auto-generated. - Allow virtual servers in proxy fallback. - Allow %{module:} to work. - Don't crash in RadSec. Closes #980. - Return better errors when a unix group / user is not found. - Re-enable detail module "locking" parameter. - Don't crash when logging replies from Status-Server packets. - The couchbase module now uses "update" instead of "map", for consistent with the rest of the server. See raddb/mods-available/couchbase - Don't require NT-Password for MS-CHAP password changes. - Be a bit more careful about decrypting MS-CHAP-MPPE-Key attributes. Closes #1013. There is no perfect fix, tho. - Fix security issues with EAP-PWD. See http://freeradius.org/security.html#eap-pwd-2015 - Fix dynamic clients read from SQL in non-debug mode - MS-CHAP now allows retries (i.e. password change) when passwords are expired. - Allow "user=radiusd" when the server is already user "radiusd" - suid up/down works on non-Linux systems. This means that the control socket should have the correct ownership. - Fix issue which caused the server to sometimes have problems when a home server was marked zombie. - Fix format.pl because Perl is now more picky. - Fix proxy to Packet-Dst-IP-Address, so that it uses the correct destination port. - Fix corner case with cursor functions and removal. - OpenDirectory fixes and documentation. - Fix leaks in rlm_redis. - RFC 6929 "evs" attributes are now encoded / decoded properly. - Fix talloc pool leaks when receiving malformed or retransmitted Accounting/CoA requests. - Printed attributes again use double quotes instead of single quotes. - Set X509_V_FLAG_CRL_CHECK_ALL, and add "check_all_crl" to eap.conf. Fixes oCert CVE-2015-4680. - rlm_expr now errors out correctly on malformed attribute references instead of triggering an assert. - Make "break" work in "foreach" loops - Allow dynamic expansions to work again in the "hints" file. - Correct minor typos in comments and examples from Alan Buxy. - Re-urlencode the path portion of ldapi:// urls before passing it to ldap_initialise. - freeradius-server-rlm_sql_unixodbc-configure.patch removes hard-coded directory in configure script of rlm_sql_unixodbc - install new module rlm_sqlhpwippool.so- minor adjustments/cleanup of spec and changes- update to 3.0.8 * Changes of version 3.0.8 + Feature improvements - Allow syslog_severity to be set in rlm_linelog. - Allow defaults to be set for bulk clients in LDAP and couchbase. - Updates to dhcpclient. Patches from Nicolas C. - rlm_mschap now supports direct connections to winbind, which is faster than ntlm_auth. See raddb/mods-available/mschap. Patch from Matthew Newton. - Recommend /dev/urandom for TLS randomness, instead of ${certdir}/random - Allow TLSv1 to be disabled via "disable_tlsv1" in tls{}. - Allow Expanded EAP types where vendor is 0 (IETF) and type is normal EAP type. Supplicants sending Expanded EAP types like this are broken. - Add support for server side sort controls when searching for user objects in rlm_ldap. + Bug Fixes - Don't complain about "authorize" in "server {}" blocks, but only if there's no "server" block. - Fix cosmetic issue where debug from the first packet read by a detail reader thread would be emited during config parsing. - Fix ASSERT on truncated detail packets. - Don't use main server log functions from within panic_action, as in the case of syslog this would cause deadlocks if the fault was triggered from within a malloc. - Fix issue in "switch" when "correct_escapes = false". Fixes #911. - Fix sqlcounter configuration to use "%%b" instead of "%b", otherwise the new syntax validation will fail. - Allow forward references in configuration items. Modules aren't always loaded in a sane order. - Fix more escaping issues. Closes #912. - Decode MAC addresses correctly for VMPS. - Fix memory leak with TLS connections. - Fix state machine threading issues for conflicting packets. - Fix copy_request_to_tunnel issues for tagged attributes. - Allow "ok" to over-ride "updated" inside of Auth-Type sections. - Update state machine so that post-proxy is run though child threads for performance, instead of blocking the main thread. - Allow "netmask" to work again in client definitions. - Relax restrictions on SQL group queries. - track outgoing proxy sockets and clean them up more aggressively. - track proxy statistics, including CoA and Disconnect. - If radmin has a connection failure when running a command, it re-connects and runs the command again. - mark home servers "unknown" less aggressively. - Fix potential SEGV in PostgreSQL driver on error. - Fix issue where fields like nas_type would not be accessible via the %{client:} xlat, for dynamic clients. - Set default busy_timeout (of 200ms) in the sqlite driver, so writes don't cause selects to fail in multithreaded mode. This is user configurable, and may be increased if required. - Convert Password-With-Header attributes to binary (from hex or base64), in the authorize method of rlm_pap. - Fix invalid assert in state.c, that could cause abort in post-auth. - Fix double free when -m flag is used, and connection pools are referenced by multiple modules. - RADIUS over TLS accounting uses the same port as authentication. - Regularized return codes from radmin commands. - Fix RHEL spec file so it works correctly for Centos7 which uses systemd, and didn't like the SystemV init script. - radwho and radlast now have a -D option to load dictionaries - DHCP packets are no longer checked for duplicates. - Don't crash in sql module group comparisons in corner case. - Calculate MPPE keys correctly when using TLS 1.2. - Fix load-balance sections. Closes #945 - TLS certificates are available again in the post-auth section. They are not available for session resumption. - radclient encodes CHAP-Password properly when using -c Closes #955. - Fix issue in rlm_cache_memcached driver that caused variable length values to be truncated. - Fix track functionality in detail reader, so it no longer fails with a "Failed marking detail request as done: Bad file descriptor" error. - Actually add the peer identity (as User-Name) to the inner tunnel in EAP-PWD requests, so it's available for lookups. - Fixes to PostgreSQL queries. Patches from Santiago Gimeno. - new set of consolidated patch files: deleted: * freeradius-server-2.1.1-logrotate_su.patch * freeradius-server-2.1.6-rcradiusd.patch * freeradius-server-initscript-pidfile.patch * freeradius-server-radius-reload-logrotate.patch * freeradius-server-var_run.patch added: * freeradius-server-radiusd-logrotate.patch * freeradius-server-rcradiusd.patch * freeradius-server-tmpfiles.patch- Do not disable as-needed build - Remove the with_sysconfig switch and just stick with versions- update to 3.0.6 - fixes a segmentation fault in PEAP module (bnc#912588) Feature improvements: * radmin / raddebug conditional errors are printed to the output, instead of being discarded. * raddebug will exit if condition set with -c was invalid. * radmin auto-reconnects if the connection to the server has gone away. * rlm_cache now has submodule support. See raddb/mods-available/cache * New memcached driver for rlm_cache. See raddb/mods-available/cache * Add support for &Attribute-Name[*] in conditions. See "man unlang" for details. * Add &Attribute-Name[n] which gets the last instance of an attribute e.g. Module-Failure-Message[n]. * Allow for redundant string expansions. See the "instantiate" section of radiusd.conf. * When checking IP addresses in conditions, make the right side be parsed as an IP prefix. * Support JIT compilation of compiled regular expressions when built with libpcre. * Support named capture groups with "%{regex:}" when built with libpcre. * Increase regular expression capture groups from 8 to 32. * Emit error markers for badly formed regular expressions. * Allow 'm' flag to enable multiline mode in regular expressions. * Support limited implicit attribute conversion in update sections. * Support casting between IPv6 and IPv4 where the IPv6 address has the v4/v6 mapping prefix (::ffff:).- Drop .keyring and .sig file: freeradius-server still uses MD5 signatures, which are no longer validated/accepted by GPG 2.1.- update to 3.0.5 Some of the new features: * Allow LDAP to specify arbitrary attributes for dynamic clients. * Allow one level of backslashes (finally). See radiusd.conf, "correct_escapes" setting. * When supported by OpenSSL, allow TLS 1.1 and TLS 1.2 in EAP methods. * Allow multiple new connections to be spawned simultaneously in the connection pool, to cope with spikes in traffic. * Use kqueue on systems which support it. This allows for better scaling when using many sockets. * Home server "response_window" can now take fractions of a second. See proxy.conf. * radmin now supports "show module status", as thee counterpart to "set module status" * "ipaddr" will now use v6 if no v4 address is present. You should use "ipv4addr" or "ipv6addr" to force v4/v6 addresses. * "client" sections will allow "ipaddr = 192.192.0/24". The old "netmask" is still accepted, but the new format is preferred. * Allow custom HTTP headers to be set for rlm_rest requests using control:REST-HTTP-Header (attributes consumed after use). * Extend format of %{rest:} expansion to allow HTTP method and POST data to be specified and urlquoting. * Add support for aliases in rlm_ldap. * Add support for connection pool sharing to all modules that use the connection pool (pool = ). * "tls" sections now have a "psk_query" configuration item, for dynamic queries to discover a key from a PSK identity. * Preliminary support for EAP channel bindings. * Foundational work for dynamic home servers. They do not yet work, but this is now only a matter of updating the "realm" module in a future release. * Support &attr[*] syntax to copy all instances of an attribute when used with the += operator in an update section. May be qualified with a tag. * The logintime and expiration modules can now be listed in the post-auth section. This makes some configurations simpler. * rlm_sqlippool is now IPV6 capable. Set "ipv6 = yes" to get Framed-IPv6-Prefix returned. The SQL queries have NOT been updated. Please submit patches. and numerous; bugfixes - remove gpg-offline - create /run/radiusd after install - drop freeradius-server-opensslversion.patch (upstream)- freeradius-server-opensslversion.patch: do not check the minor version of openssl, minor versions are supposed to be compatible. bnc#906682cloud127 1624472258 3.0.21-lp152.2.9.13.0.21-lp152.2.9.1dhcpclientmap_unitrad_counterradattrradclientradcryptradeapclientradlastradsniffradsqlrelayradtestradwhoradzaprlm_ippool_toolsmbencryptdhcpclient.1.gzrad_counter.1.gzradclient.1.gzradeapclient.1.gzradlast.1.gzradtest.1.gzradwho.1.gzradzap.1.gzsmbencrypt.1.gz/usr/bin//usr/share/man/man1/-fmessage-length=0 -grecord-gcc-switches -O2 -Wall -D_FORTIFY_SOURCE=2 -fstack-protector-strong -funwind-tables -fasynchronous-unwind-tables -fstack-clash-protection -gobs://build.opensuse.org/openSUSE:Maintenance:16593/openSUSE_Leap_15.2_Update/01d40a48b058f57394a1ecc1551a3e1b-freeradius-server.openSUSE_Leap_15.2_Updatecpioxz5x86_64-suse-linux ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=d5d8ccb9ea6010bbdf711287999a1b6bb01c9046, for GNU/Linux 3.2.0, strippedELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=afa221682cfba19f72e9cc87cfb8a09b43e2979f, for GNU/Linux 3.2.0, strippedPerl script text executableELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=280c2932c87ce3c8ca8c04f49e4ecde1f2eb6222, for GNU/Linux 3.2.0, strippedELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=140d980caa97b5f4939074b256aa84365c3e7ce3, for GNU/Linux 3.2.0, strippedELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=8cb41af3cfea02eb2bff585b29f2bcc5a14e99d4, for GNU/Linux 3.2.0, strippedPOSIX shell script, ASCII text executableELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=c563fd67b7115d97230315a7a446549b5743299a, for GNU/Linux 3.2.0, strippedELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=908220f8356c6e32c7a3a64512b61e0db56e07a5, for GNU/Linux 3.2.0, strippedELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=41dbffa6e3f47530056155310762db129fadca1d, for GNU/Linux 3.2.0, strippedELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=8aa722d88bd4b7fcf3def1c38666bc015ad562e8, for GNU/Linux 3.2.0, strippedtroff or preprocessor input, ASCII text (gzip compressed data, max compression, from Unix) #./ABMNOYZb    RRRR RRRRRRRRRRR RRRRRRRRRR RRRRRRR RRRRRR RRRRRRRRRRRR RRR RRRRRRR R RRRRRRR RRRRRRRRRRRRRR RRRRRRRRR R RRRR RRR RRRRRp{"Cj"utf-86f386f37f4bd17beb58f51b9c47f5b4b8b42c17d200319442192559713da1586? 7zXZ !t/<] crv9w8; KyZշAZ?n'hA [lkɷL4EdL-m Z{Rȵz z5kC觎_wuU[a>znbgCē)\;Qڏ4}efDamڂՖ/&LS`xtPtg%N}ʃ~9 o@˅ikFHڮiЧZ$[\k0^6my9(V4Om8T['4x#+ΙYiXռslp]5ʙ;zSaG`BC] >x6@[{X>46k (gvבplyjoI'}=-:9u+d![vHɀصY t1 ^[.X9mruS[Bvg AT'W:KV!5K+)f!y9wRJk΍}HK&D2$@M% j#V{L7t>*Tm))xe`uI# |@Hg2N 8^b «-9oftAY1nc:s~XqlO !AfH?ib>V.0{]׻+~)яdJ/?9TG&8!If՞U T⢞A/S .LwrusԳ!u' uXUX=gUQ73 t%s:1 UߥIKo?|8@ϮY,6POWx"c} ^ )]~Nleu['rG[LO8i t2UD34(OڀdU "ט}3-3w3XmntJe&A_ ?G]$a6o]Ħ |ǵ!uk,kۊޒRLO@hI)Z$ROTGN,D4zs%eIyn/N=:2!dN*r)4хu5ɣ8b6u[y.cH=JӜʹכÒU} X9y_M8CsD!-p ♤/0;RˀuJo}jibMzmѠFZ=gXCcԸ4^K-2bXJ͂yF/F:'&ܸ>KO3ohE|-qadnNݏK}@_S7#݈Fw\5M8؁ \Vw'$&I}lJ$21Zb'nٿBOX#WqGDEaK.O%PH;uO'נV)opz:`05V;"]bpDd.KhvH {zy,&3̈́BZPYF>jD1S1ٰ[2@` A}*ѧw#o^."E7ʭHx`➇Jl 30& aotyl#Db{VAj厠A? :.!'-`N@͚E1Q91SgP](HƲYs ݠPJ.[i(Dhd8z1ϸe$0JxHK{9<^+Nw؈qBb78[ށpz"-cPga +6F%6kco:Y6 op#|~D?mKo1Br!N2aF!:@{.st#_V Ek;i$Yt:X^䐦5K(]7X#d5w2#`Gk#Jubɧs 6MpC60_^~aejTG,$ c{zi)ü*ז1yB &aB .)t4*t9lphy݉*J Iz]:"6 I7Qa=\hǝO#/g?RjB}_GZ$=)!l쑋 6/baMj+j͢Lѡ 4r(*\-AðH$H;#UV ,i51ȧe{ 4d7UuP`[_'xd-V%osam) F+TN\ٹ G`RwWtyo:d9TnH?KgǬ< 1=(侊UF~7p yCn)- ;80ĸ.uTa8EprCAO R Wji<) p^%m_G!߳3VweYEjӟYۋ`#+yiꉑaS*E?vץnN H1SCvm?i^2u)4Bhd, A *bͅy$њ0{e $SJ;!?[y=vs޴Eb3aKEs8]6 ?WL 9m-訐̱ѕOm4;UQEyt;8VJDx@tM9LH#aҾ"XT;Z<mOHb9|m{Z6_'eh>r}DoELqK95fS<-ޞFV<> nlRUfg,9]< C lB0C^BfK,,28~؈ _=Ґ쇺$x,Ԋ+CROjpp)C2 vޣcKt Ydo/1/'D fy(`+:E:4}_(' 밤My^(ro&pne#k*taqb$0fwWg tp*7奺DL_%#[xKb'`ާ_Vv\ 1Ǫ\ڕL9o2;1@~ksM ޫOjc)Mø7a霡>QbV>]CQ asFŸUI)PDR4v!d2@ ( C[5 /o ڂ';,(2Ɩ:\zc0 X(\dX0Jɢ1䵟 "MQD3M}-Rn*ZĢ-}P[e?weHū`%I.I&TA(nYJ08 濏-sf i mCv ԧ}J3MF RpGW+nS=+]U<+BwqVJ cϖo4!5SX?߲zP d_6WW $ ,eeU*'f3HsCQs9v22o:sYJJ2ΝjF!S=E!N&[>Db;Ena"AnIb]@!)9$ E&w[xAW1< /O,G7M+Ɍ2 .2$ i #MW_]TdUuItܼD ]07hOPLWTg1 >~vD*E)氒yͯaDY!"ĈaG7IJfDDR*uN`m0DTے1a( ^^+ĶZ="T4 xl`wS+1Cufw!.Ӧsd4RHmfS@Gp0290W'-X7G TzZUĖɇgΔa2V/I/=,͇#+rmGRFfEb!ђl瞳phT>6F,RM?(ש 9،pDLsjR/4^EC99DP\#O>`/odKj? sJv1dլ=8Pvd۞MT< )t=SUh)^A  C[+pZ\M %u]=HW2cfhz>% w85h߁ g U*G:@GnFj)پU+#8pZ4\@X]lA`&)Fn!{JZ_?&=E4n*PB6}D!MyY`7#V R@ 5?Xg/#@@hx%QSEI r܀>Dt3J~ ccID'< DNQj ~F!n7˜a KӘTrZiC92 M??b֘ydwWyNre;yCsU9}-F"4l&*L |^0dPe_Aqa䣺 ezЗp m\gi|dr9+oM >)ƙ{F2Q2LeNV[qI8C6*QۦlI]QOQD3T3_Ut?K7>/~ ^8E@MfX|&9~n{F,`RZ  qdĨaB{ oZ4o4T}kXW/Kn@ -#mkc Z Uo})p[1I$G#OՐwtz/|HWU4]83W8D*H:S[!po qHzHƛAlFCܐq3 o`(Hu1UgRImU'+T+=R^rhm;U{9.oZ慤O}ЬN#gmd"j0]vx@7+d |yZkZpj)ʘQx i֝Bݿ/ jF?hEF剘^ؿ,A!vJlg`@jG⼓ "bk gyHr*؊"S\:<1Q.3PDE:LCW.+M/s`z҆s¸"#yx=DX21! j<_ܡ0cO_5JoTפ2:Qsh?=<~(##/L A^8w]ҧP1UE5XptiFb))-h,zLlUJeq.Z!1-\, a/|-q.Z._@ 20-EGyfcDWzrVRe .πLC$8IԶK3.9MTsNd%׍x4;ީvZp(:J(qtĊKgg.a $0ѩC*KfiPP庴:(ts";SQlZp[t'5[ _zјMn {^*=$'O;~,W \*G:|anvbRj4h^kwMGQjKCiJXuydq4ƚ><:T 9MGUVņjlY,fS9kP.s23uLX#Z:UUdAY|QZHm\=i/ijԄ* ?Fjj3({%<'!!z;JR?k× w |i("{ȐwtE'.+d]/]3 J. @_=0qܗhfA(-oc'}FԾdIEug1I, ȸSq18I?Q`@a&kVR콄m6@sLЌ,܉RG҇֔ѱ^6nE5@{ _ ki=b9\Zf ={T@z)iF$OOxyC*U$ i.PV'ŜC,}03 诜y& yg+ J{AJh2=//C]׎ONKOaAfanf.aFl 7] DH2½UQ -0"QSruM䚺.u˄7v͞I .ćA0$fN8;u+z!,1m,W yaգ{tzIJ9jL߫e5ǃú; &jE][@p8BxCX{7B0Zt-*| (INݮzpu!\@x"$i˦x !O}EDF˃yḱêJ=Uex4S[?.˛xI@]Wi-C,7G)A쨈4d t*D$`rj]'7@_*1W?ER$E}l2 k"`vSdඵ 3TRB~􁣪vɲB.9g}}MgJ01'~F%#D~A;7pw6=ƙA C Oy.Χt[@?ij ;/Qj[c+Z%oX.Hz2u}1'Rr#>΅!Q&\rKtX|㟡WA̼F@ƛ*r6g3͙%;-k\&.WG  ⾉ŀ/yPfm]:$R)0{rWݑ@pT SH&+c<(~ݛ E$v=K$7)&m:Բoj}NeiÚ,nҮ_`ֈ[UQl YP6yƑT>=EF9mJ]M{[g _F X<8+R4ę<›_(d[r/!L:05gمQnj hR>`VڥEO62Z}Jbx S%X~ bX". ]?^pFOiSRמi#0[w27 U+< xXATZNnRƠA_ԇL],Mp}:7@gw&/ʶtq&[te=g7y[U8OcLFxhЕ띮ma*MYF>`Oy&U+fa>kӅ/x gK5E))\tMf.&$I8 pkL,7wۙ7O:Va<Nc 8HǞ.0IJ-n}g=;"tk6swQa?K+qPj7dqJaWɗrEDWA  >*nWG.˹ >(e{`7{Oq\c$`OhL#:(HoqXX+פgo AYt97ݹ{ Dڪ17D] | 4[$Ao!1s^rC R-My8XkE6'!S"Aӹ1o%W *o;S]y`3ks%=&xƬF2ۃ X6Rt˧~HCu8`Dnt9ϔLT@!G W>TẊCaC-S{Eڢ{ SIK$Ԯ!8 N5 >6KcԷȞ ixr&{=!D-U"WHLmW BR 30; Š^IļT =ݽŠ:Pic П[eYbg5h^cֈs;8F8A)hB}WI N >=Y0I7(H#CRe?i,*WjC">VCD*\@Taך5ux~e">{ %Is}'Q+-~[\}2sB&CQF@GxJF:9bQ^GX,,=s{cZ.Ea6y) nf1ۃI湪Ϯ 8їB׬ '_ͣL0`ahA19+ӗ6]JN8]V-tP~Mr-(gw*4coƙ BS\jg $5NܒǤ( TԴ^AGx;\XVuOעtFw$s޾P8̼eo ߝ4 i/@-d^_G ?EMz;J2|sk }-SoO 3kF*͓.Z-(H KPmES*['L-p쯤>[vq H@pVI;5jR&4!]zA\1׷0Ъ}]׮&1ҥ6aI.M9CipI9}%I,9O&~<У e(ߦ@J _`_M>'Mқ6 'kA=%G:ad\ks3zXP Qc>W-^xցR|F `l*hHo:Qv r%dhԛYA_,0ݡ[40nzˇ.lq ocwIWn,n S)^./-H΅^A3zjl/" p$[G/ɚ󐴽9u 6/6YI!ͅ9`4AK+-q+6NO{~pvJV1Kԉ_{[':qҝ$'p,kO])1kKxZ.J "#ݦ"G&zv4w8[!*m!* zZt&N3`o/s>.޾2sv2i'&Le+* GqMiK"p/ @0ԭ-$0Y]'VSjحl͜H13c(:w >I>&W"]eed <· {1F?  ٽMO)k`m8 yf1<"]%tMB N1_aB^C(ߋ7x5ֻ*UH +qt yM%N1J+1U礅:)<;>o6"!+ֳ+MĈpKj"M9u,Q$*G6WL]s"(͕^L9|YCL=?Nn"/| (\Ƚe'ƻ}~rbDShZsY0QKn$A{BӻnrKꗙ+45~`Y%5JG *͡c%d/h2V:ZKemD! h#<7j|!qkj^|c]v]}];R1:'PR& +2SF$y$tP̔;Vllʝ\F~ W"HM(xeߍEI6H%EW n6jzs/ϕ^D1E+6;3v+Ro^f; R%<{Yc.syrJ~4tz{*]O|[C` M3\\OA0)0`B) #&5[eca*WN8zT  -w 5|#>p,x -?H/yJijwtbx&yf !&x!IՀz99v9nxRYSN\.k8z(( 2HdH=aVέ's@k\Oy+QU̪fP*.uPdVΨ# y. M+Ӻ2e+!ƪ`Q4_tđ 2P. M\<1GJtuWt Jݽ,A;N:U!~#tYMS Z4Q9!8}d P:iNCVnb{s UJ͌2JEho]*fO"&qd[oǍ0dwU% tWWl]@#4lU0a&g´QU&hT>!I5M x7^ߖJQ=}$3^T|V{ ҖE즩XaȜ2i&6p}׹dhƾkzw#$Lc]@+;^*8tQFN26Y+U1/[L;Qbu43Hί.0+aebֲmtq!2),)1p;Uqј\*Hlݬ\C `\ ߔ4ܰ_E:D9+76Ev2WQ^6E?`mrh!zs] E]5jLarP2 t Նӹ:irɁ4x2PBɫuNz)KzD rbqDMy6Z4ܑT._eWxoG:eTâ{Ѱ(-q-[o8ꍌ}DS|:0 Fe&y8~QѤ󏽻U*& hֶ_9w5XS> =u/ 2ADC~W!;m6$;(5|,gK2g*%GM@ YW M@vk!8 <쾬F9m W8 uR>6!^d?^sG _E# m8=4. Gj6R ;L%y9V if]9SffN.~'Zez52\Wm+/͊f }Oj]y^ @H54]0Gs\w`S?gqpٌ8yY@t-;B OnEDiXJK%@[haZʀg׿,qv*+җgҚ ӆJqܓIm^X"l cc qWy8֭y";TeyhVL'nؚ8i յ٫-m3U9ݐo dVNϣb}vB4^w{m\],׺b$6:hN%KEcEC )Հ9nzEi3A)6gTj i%[p-z~P$g䟞G45]nsܨ L2#Kk}'a(KӡdpQ>kl08 yȤ~5򧺩6aalCyק3ߍ-> <&+?ClP5YY|wx;62fBm26OBqxYhx@0U;kMκ-\\b |i? &zH02kOEsQfa mgѷ`EltsfD0:ߔCg^5CH#gO!Z83uuƟC_=E2ƚfW/zPE4؎G|_e}ݠ{}R炶,~!䡾|bH@<[JEF]ʼ}]ތjsF8 t>6oA.;t٭-E},3QQRЇTo}AoIdt%m%NpӋ07bew0O|ȨKf/]Q 0U`=:a 3kfA^s6Hx 'X;b"IY3i5Oj^z!J au(lLRh$«95\pstk1CssԸ EjG9 0k⢇ auB?u[B? LT)dF,(+`>$ `_g?jS(.5nV"C<9ANGS9 h`1¾, y&~~o5(3_Ses%SjeyKg;ˬ] _of:f!eDb,VOUgY5u6iDzZ'W^8wFXX>Hzc@v̊ӶOfBD McFFG' P0pt 식:)#ko6CȀhTe4UƛE+XOç#;:ٱ ew];.bIz& Zi7㷤 aDplk;BQua?o<9]12L*&/"_I !ɐ9)[XsP! 7\;sSnr;b=|զ4ܩ+5Lmmhhʞ;t'mSa9KJ@L4:J4&B]Q*.޲?CL( Ҽz]y.TiH֦R&2,_+ON%h:8j^мm,zI7{=5"O5gF3BF/WL`a?q œgnMI1097P0M%r1,&J|T 磵mS~rr6gavm_Xqk5ͪ1>n^__2\ Zl<75; lnG@p:Y#èe,VP .sDD\RPlpS`5Q4 ?٨dgDž(vF\юt;38"#7P&:ȸMaa=F瀭}{jX ͦ;8ܳP{H%?IxҎ#c,<ɇד<֐%]=X,c;1+O#T (x' /GzIu\jCWlWH{ ?@M4`Jh=aҺ-jb@0Il!yK_ògF֫IeP0wL8zgP1j?SF]3_ NE1p6mָD )F#7k>4oR~JKy0#"Q;m=U3A𶡊?DwU9tzٽ.ʞKGeX C5 CanOֳ7݉A2iQ u䠯^ .leɈ<;suϜ/_]{')րxLL=EÉ3֫%UQsR@=t^gDob&,1'qf+Xgud.#tA{`FCCH.R6ysxg4xy?Sq/G@¿9jyFHR{qKh j04b{KSLa-:=q`JmOu$UÛ/w>Hq-OAqzּdT;+*i9"Ch>naPY`R%7%Φ*r;Èt~y5]2сpEg- }%QpXaҖ}6N_3i !N)]1 sû=9B3q`NyF"V+Π\@?`I57z,T?|^iًX`;(3 ~2ɁDMrvoYAƇH˿hrzg\ɋLtJ8hB|.tQ9yx@eQ!=C-v"k=yH}ven!rQ;k6^LTd*AǠQop*tѐsfD1"+#F'T9os_MMzw+#*Ζ F%$4XuBcO ==^ja8oT%JZbSкpTT6oFڅ0u0!x_I&T)JR{ӉB؍W;&۲s 6##ǔj.pdD}%N|7kClZ /Aɫ"'NAaFC8xrH{QAځ%JK-Pi~8_PP;E$CAO$!mI_+}\Zh NW[ sx+4F{d ViX.@sHFvhIMKNǀ8&.fTvK#ϏBN]l$/I-/E<9EhEzh@>6߁xET_i-]w a=-)fPZQ!%LE([8DޘXv F_.b2nǑfCE⺅mnXcRwGt+.L o,Kaq oiwVKm߅+Q\Ery抷LvXyFTY)"As@G'׻c{;i(Pe7%fѮppXX"YX}uãbP]fkIMj.;T&bR.=m&!ð`Z~ m@au9eZ۹@9Vf'&-,x2_|%VlS_@ȿωy ޏ =pKQ8ϛ=c1Un(lBR33RS/ 1{ε;w>D"^H\yaUw=խKI8 2еm,gmb؋6g"~Z:c'W 2ne)džj8Ycآ:ޣQOib4\:e$v!dRŒD R"'0-ѱbF 4X"Y!B\Tk Is7-W.bZH6ln]; `(^㭤)&頼*'[7(3>I0vg!@*b*o ۸HYZnxq_CՉGжVK]s[:٫7/5xapz+v!/m"";ı;&PkB$ЩP|0|tv1 u$?GHOM/Ü i R˟h$>P|a&Ҡ++ fh*tkfl/nm5rՈ=BZS3{gv˙4r3.59f;ZM|fѼ%ʓm5[Md&@5i;;| ߼GrRF5~ۯEzXoSiN10*<7ztDgatj'<^ HЕNK+L>A~L:K'οV4[6 M$ T+VL/@W*X1@9V Qlg cY'd"xnJYEDSTS0T~PlSWPlK>bQ:XRV̰3v/^~c@#Ĉ6rWbjQKl|pt_"T5Olc|#3 3t8n9P遮mR"*!F4鼤3Dԍm\qڞ_l6ҶV.|;`"Y(C_gTEUQ?F/ŖOB4BmHKv Qos&~Ws/B`flܝQ•S096B{~Z]iBPtNM~鴙4PZ`.hRnq5P KF2)H:-3DGq'|vje'6l"_\5VC`bFCzKX&4.D^}xAu D_+}c[7c})evHz]@=%kt.8M(Ӷ mԂqӵm +M^T ofV L$R/_oɒS 4~j``o_45nS޺L9?3ZϷHGwhxoJH5΀(CiCA7λZb!}jM>k#M"TEC^‰޹bl9c 2P>MCgT_G ԡ6#WFl{$-*k)hmAsiaKgq%wgqvoQa5ՠҳ0&-N;t/Bf5KvBl*7*wv  $#WxOzż$99xe+g|;qdciEiv~XoJ#;v4p,4q]9[cd q)`^V!YG|(ܛS ̝2+N#&m$Flj#JI97JR!SȚ/ ~ypjsld;uYVaKeJoRWU )/mԈk՗(:i+RJdKNyN=۾]ﯳGyUt/FZpry"eY֜!!GMfB|| "8WEK^NJmo.  PZ dۣ*1̼f²/ubť~ ~LXTt~D2U#:M=ɰr9XXIoa FvWE{Je?&Qh-VPeɛmֿ浌봒Cy.\X)Bth]QY(`6h^]ڔhi"*(q@h]Ǩ)6\ Hku݃Gb9$?[r F8Zc& Tf7`WNfKIwYrĎk^;%)cݿD?V|ڹ61fp=  hHlYNܣQ Ǫ}d%zKLΦRVq5H  ZeImW\M'|S-p/bR3{ \ 8I3) NBdP nia~FzP!Y[7 )[ck,/%-1x[U_ T,/zlh2 >Txِ+eY[aQa EK[^":t {9LUzl;5^ʝ@[DRȞ, XjR;кU~.-#^"7*dgJdrY8\NnߪֲӉZa_v(a\y&q4#[DdߗPpAr4/+fN]i4r)/^WDZ&?kpPſ4Rx! #c&kaG?rc,J-ڐF  (,聞`*$ZY2ۘwwʆWDiH3aUBhcDgՁSjʌ^` o魉poBxiRpF: f/~b;yO?Gig*2ΌI .\z1k++M>|'il uh鏽otPo ~N'fq{5X=M6OYIoV4{ hcgpM{MΣflNZnϚو| Ǚ߉# K:Po)ɥ۝kܖ"8cb9g-͉Y cA86߱aQoXl6WdCr|c*_ixؽcXp/B bS͟f*Qkh ہ>Ȼ5 td6b #` f\rkL*a-K3t$W/][EccL>'˞XXcFO]arש2HðgM{0!kFmr"h ߈kZZ1l7\6֡<%"QX}$^Qj2vރ9z+^Mʭ4!N3SYie/ĤՕJx?Zû<9z3r{~ͮsߑ0 1ę3{ȇ异FWDW@ ɲ8A[8]V G&OU #|~[^ӖcRKSEvMhu&jeMpO7@Bs 6O|h %Qg$`c;Xc؞m~_zm0~vGg[GݩG=J\Z!"J+a^pnnTm_fc9BavONj@vR0 L9X΁|4" 1r\jy/sr8fQEK7z"'yEIq>u[K18 i-.C;D:^@qA8wY`/;|JewW )H2܄2l? N_T:=ə\/jlQfʤkHqB<[ \L0zь60eSc ݮ4H/RQwGDu2a.I[=1R8񩄩3gQLDtllH]ÜFeCPmAb\A'`7Θ.| > hq@:!=l2^ ,s NBjmK-L {۹̧ID\r }B%I,Qst5&}.+q 4 >]zx~_v:nHI-PD*wZZtVv\2%ڕ€ ,(yArn1z.!.L8%Ƭ :O= ;#Pt"R3')(b]0Q;A,+s1ghUbzǚ, " &s:26(4[_i) 6RtzAw/񼈱w?mO nRPAˀWNуi瘬˚wkךU /RA>%yJ M%4m̼GE=DUrUU˃KE" {$/S2[<WRf!E{ ,GGXBHmW~*I"s')b}Xnћari,(t}9`gVzsWl@9//qAS̑[HaBQNPƇ3qS :@;&ؙb%Xp#Tѩ.шInWBe |3ݚ%wK@T(9ogvB^09sU1lV' o`DYaR_RE/o-@λ4-2G(g3RƗCtbo9O7)uenbrm|嚯2?XHt1xlgD$0(ZDZw yC!޸2* W D,jrkRZ+1 `B.Х;1 ۴Pa)b!%VFim"̨)$8UҷsBwCi7yƍJ>bJӔz#J59 C?cV:O."CL`A9ەص;r&.:aFY96ٷUn;A)-1Kn!Uw[DpiD,!LvH&|'0 1z:.ִXBJe+0t#{ʕ.9?_U0lHbuJWSwrqaF۸“`D@ՁJrpCݚpnV0U;t:{:|]8Y8b I#c@"B 5*u tK&)HG"'I]C oWNo9o1(tj|p=0`̯-L_WW㛴j)\L$V9ym/|+&Y;4 n$\z#c/6>;5jugd۾b i, ~]e})X{_&r6)M)_y%u WR \q ,rR@_kD99x2`ivH͏Xq/$'uʜ7;8|yJrZ 4K-'+-/-A(d.k0ѓ>ZcmyԸr.:]\F⋁\J2((EBG {7k0@.k'5Aܼ'->-9:KŴtO]\D]4&[{;f*f3J& siH.#ejM=#XŇv5lsc6u uӛ½2 9'+m sL%̺kyX{DX_DIT5 nTjwFiON锤T*3F.&UTNo2m IhQwV}œ"qAk@7EMhi F?jEÚa V 673eb ^]oJd0[H-uq'fxl}zʬ\$5ݷڥxJ'ymkQi!aeKz#' {mqOe14M ;RIoYRPٛ实ZJtBdӪ"r.Ƿèt#s1'pTZ#hķ\VE3]C_C [@$:C_\^_rl^\!!,*dꀐ =XB*~R9#Z%^,hW bsxrT0 9b)F[J޿Tx?8stP(+>3=4k?? m,%+ssӢtz9;:p<H{hC$HAvFlﶱ-d!ҰEcQqw_oVJ~'Sg͕bF LAJR W1+WwUm8WT8Eli':É +K0u:ImZ A%7-ك]7ypABbT,Mo"`̠B%>epnRb)b b̉~,ufߐ3nS'.jt01Ou?)}Z!tLs"OxI*GWW=7#bƐUu]1vو@ÁaI;psд<T{;]zǞLw`f'x=[{ <ٹa ֏wQmd~b8bdhXkS8 ]`/b=H k{9}p"3Cw/w-|Y.$EfD#vֆX s6ކ0WGIyM4^BқS b9bw_9n2"<ljz!K>ٛIhxYQEs2 (Tzw| boڞfAKz3M_ۥ++@lܲ.zDCZ!r6jv-} p8?E1`ҬuQYqu(q@K kQA4$HB8nVKd2 Sq鯚/h9xi,l\L_x&8bղLh Ej:,X]to)ep];1R[ Yjjf3b@dRt'}& ?lVcЫY DwSL׳ʼn_#kDqi*iu4Qڞk%+N4GbtBvGƿ?E EF@|CߡԞ*Y&phASд_ҷ4w) 9J |JAdHʇS&%{6D\R+B슖J:uJw (pj['tܻSiA;'o#r}u!̥#ܣ ?X,^vJsjYK.ܧ*Ҟa+N"^$7q 8y@[Qs~YS,s^xo`+,@3 kT?5~ȼ(c ZRYp,mTtjF 9ݎ°ؠQ|+SUҀs<7XkOlS07ݔ֭vF]3b'";Fwܳɕk Fܒ]b @ғIdU1XZ(7Li sӃ;bw x;Q.RY8̜ dQ`͎'Bߣ-Z21|[;̵9 i-J}25Dϧkk[0#9eٳe!WN,b{FPgs5g|xeq%IaՂgQ*AW dnAj?z) +W s<=:?`σ*twj,y#E,\-Ggo!|O2q8T 8]HǹC-$dHp^flbɗ3w%-]70ڛ R>j֣ $Ƨb|w mQWr7ziw,w~LJ'y`4I lգ$::Unִ'kZ"MAz3Wk?*gxj|F Ձ0rZAݧiRѲ@+SCoaWå15l|r禂&c$K]᧑e`Vw՛L8NM,=ao%5[ײsw# r?j{<~7bv? At,K7KJf L:Z7C9ƢG0S%8hibֿraC_j+RC9'/Q3sv\-(8{0ú]^ct.1=I5QYKM3t OU}gJ!G9 l ]Jw}ɰ=41mT""^GE%pU؜acȃ륒5z;9׵pE7Ǭ86;wY巻GeDG?" uq{ 9dVCNYDDʛvN;&DKW@x*fLoRdƚ5QX0(i*m.G|̳0"k#҇.Fl+6>[eqi޽9Ƅp$V~BԭeE!ڕoIҫVמԷ abaSSҙk0fVx`zyOP>9!\CJUEq4K^ +K{;aUռ}Pva`Î&R?:okKCt~ G(IHeGZ$@bzٷ|i B5))g#~izmw[m‡Рh @ ;mvQVpِ=i5Ļ+4&v܃f2V|VN$eÒ;\+%J7S1&^ $%2A;qKjer"X#cbeJpkiȌNt@_gh/Yr葈_}n] MO5Vs3W5b+8J$"C;c4;c0h;6 Q/r{<ّ&ıX vCkKuS±G=] yMpvgRqcYch<#g5֯րp|'yyofe>@5)6Zf`6a<#3`Rw/pa0>ӠbJ pDAF钩d;gJ&/C2aDh۰UC:vc=|ֹCf*ݎp|jesu19;f8⪽10Őkօ[x8 Ee6lڕO!,5T ֤/91Abߺ"CUM.˛d&1ȼ'&O^ f +#6TF9lw\ۏUm,G'l"tТ_)61H"jl[mkt+; w9Āj?]L)*%LqY(@!3F,YZxy7:=O"VKv8Qqٺg L<)-oZ5AUO­@ C&x&ߒ t6Uq_{6)(4?Bt[ǹg-#.RN.b\5 ?uJq$dl1ĭQMuy蹌Q{jcĶdfD(z2q6V`IHԸS8\h0\[%vYLsH}C,X#H>Jx=7p&t|Z2rͫҾO11*C8aA[ -Jy$TW%P͌` Ɓ -e% e\BGYy˺ 5~o[K)-^h]>~AY%&WnPZPm|`qV @"Er&_Νe ֦MjY'} AH^i{`?FS6d =@3ſʹk3|,&ctA b "2ֱH5`;֪E٬HL[c"  yd_MXVJRc8C];ӿZ|V[W0 n0~*S۾RdiZN!ǫKӻ@H0(ru)ԉآ)  1B@*:4Sd=|O7s;N#֕BF[$_SHOVZ-&@/]vo,U~4 ~$^1Qo :+q5//.RatxYDI9RӤ![L /S$76"2bhV #p^ {;8c/\cո>o;)^=撇TM'7x_ϕf=x^M3B`5-nj@~XX5N^lo|QO#d6xaj8Dl¯`"=xܗaa~Y,0Cx$F,9b]<+*FCBsKR[bY و[1<>O]ù|:آ!!DZ*$4 &)PM k +,"reO_M/rK q1=amبe;HP1HKNCHGhStq)ݲ؊ӣ鶀"N$qk^I(+ad(C ygK`AX \,D).:Ӳ!/F}&-췙G'lh1&SAߑ9F|"E'^/ GDZF9f6Haǰb5vN6ckgמ%x(nGr#oce\tp))"": $)oerc]^h;ٿ{>A e]v[)k} v Hm[FMmUB>~K9 džrSkòA?Sy!).1j`[mrxK@6Dφ6oRL6!mONs"~Dߘp8IvV$r 3Dob8I2aMAݛ Oؑ-맯ipSjvmaXʡ x$M<ԏAGb;T[fmM Ză9ԫ ʱ!r851KhY$ؾYsP;$,PMFb67rCb"GJP1FBCNApReŽ, Gcbƽܮ%!Q3qfb3_@29AxcH.#VkZuOcwLaofU`g%,QӅT<mr8(W@7 "bkYK81Bl#GY? }(qgj"˚u} x޻'ǐ;-EPFp?.¿Ze$loPT^Lm\*#E~Kd34Xum22/燻AN Ytj *| "CAMA\~QbX('}ui@hިǘԊ"Q:]c 8|4i4lB˫CXkQ@ޒQ)\>TzIkx<.uo5c!LOJ, Ԓ(rX{A)E O<Ղ ܁]YpeK԰e67#~< 6H'ѩ :W/SA0M1RQ#e[x*p]T~[gV.?qgВF|i,B|Fq'5v@T jndT1Qc uyUj^`{U$y`/B)5vzʧ<3FTNo TG"937&]&#uYcڀgʘ3 k&K,"i,9g ANv1gnKUJeVOܰXfevw"~aSmmJ7)ߡqdYk8 *JJ ?#Ȼ>K2K?5tnf/U`TTעll~l\ܮJ7V!h.Kk|kLtA 6 |iH5C;wf=3>?LcGʭLвε-nV.,GX[f?ze,`.K G]Rx6$;H"Q2Ӕ #+!Y`-3T'WVz0E#ZH]> UcO7OUH\ky jF#L:+ْGYM8euLg C'P4T ]VkCj3; W;SH\.GUr <%J\'uh`\z"6YkE4 po)BsP&ۄҙG5DO7 *'R^+ҷ*ڧ\J?ya2a@uru{`1!4kďM ؖ8!c 9 Jn[qFhAΞ[]a1va.xU].ຆ=|R%*ͫ Xq6Ϝم迴hA j3OJZyo 1du'hMZ=h>vn:BQ|| -eBǝڪ8zr]I99z|0wtF%ό8 `eVX=x/0k΋="T yV"ս[fuƦLh>BNe# ce'[Cocݎ%#D1VLDXaV3Zfzytup1k]o"{ ObF?gd߶" ͨUFYMk)K"Kʈ3vJ8rϰL:tLV`D Z4Z2K\doSDϯ !Rd}"_$超lenfϓ#r5FYbMc̀5~Pq# 6xh3jhSZFk4#l~B]M-BN&^s$qy,\V X?_9 ߖ OhL8iEi כ,bNjW7[UҰo8N/UP5ۨ#">a"Ӓ4 >6> R$5:9߸(,]t{,6KNFЦ^Pc/٧\"fej$:>Ipfox_D9{̳:-i J}HF48|dCKLЧ' L96]MCcQ-ŋ 0L$av_ȭaJIQTۀ”0ZPB`9pAή,vP"}0ڲT? KR〲;95̞ml9L>0'TN1>:=b+U-J]J, q9p2g`<`BV r֘pb_^ac}2d3Mj핱H(ẞgumMNǙJfNu[9 B y6I'>'h[4-vA{\;4i[sU\OH-Wh ܤڼQNHlѩ'QgI&`j n(meRI}-IwhASuԫtU,uӼ X1Ą9Z(2z,ܘ/Mj| \ׯ| Kyr`+FqS!*'0$ D!!0,؀0kIU  #PzCf"c>^ta9`@EށG~ q.ϩE'u\w;wa3TwoS SVs|HQh)1dbElx>>oVć&rX[!!XGspVw D/U6S%:*#!^WB[W=6pȀG="Tj;B Lx3Ğ#gY 7 yI(cmU|Y&,&eٙh/A٤vzo]铅L# w+3{#ΞNP/FZW >tZOyX:|9I_>c! "ewjk9!¹ᛮ_J?eו-(Kuu_m;d&=R.}ex Vy|G|>Ɲn*3+!A*,yuu|!1vYgb7%XC`G|`{T;CuWKH)=N86(䀢KP(Ӥ4mk /!F5Q:8!ݨ1^^QH/Ob4@o)nA/u܉%Iu"S%wRѬ-bt6+H;7J\U|] l z;Y3B9&dD)RPh"Y>c9OT 0mJ1‚[N7 [b,9sҫ&I=M):x9Rg"nyN5bCyB tKV2I&ۈ;&(+% mXGdҬ|z,%Y^~|OԄvhTzQf$_pٞuRxIhGyMbd`/&Įmpj3Du俇Et<@SME(]7_{زؿTUX/2{E>σ6'Rt7;p0-P-i6~ao:ߺ5 aPMP_}u3)c_ŝbg :id h䣹{;@KrD}!ܝ4rĭ1`Q.0 $ry :n2QZl:3O.u%K*_d9k@s0OG"v vU5S_Fs6닾 XX{` \EL1:(gVߵzǦ7@=wz2[K%=;wa i$,X~<נ篧ݭUc1]]50kSE  'OcǺFDt*lh_>F?*ڤN6Ljc@K'?j0C0I0TC0~i0-a/ 8Qs-oS(N:CK!kC`qk-VL)a뷰JF=-WcE9ǘ`G%H 63p4]YJD!Crg\nK"ڨqZ<$'"zguAnS S*6Md£X݃AH'pWEriE2\H_8uv ϊThfxuQ<%J{ExT.)/FʞRXW/ƣJu{!WDȈ/L%deZl 73~]v}'q58YڞjBgmׁkG}};b!erڬrۓ0]VygR8-c5#9wΧ\ϋ0?:gj[q Sp\RK,+󟫷9>% &:C!2-@J $$hԔ.QyOsrϗa0uï/UIM鐗")Ye&ׇ?q/L,nqVNvmVo`anܥhHkCz宖#&m 2{J\2UՁ#C˲5}]ChUk%?U2M~u t1.*\ _Z1'0k-`}s%P[q_,Z *1b+ނm&$GP 2b>f(ᐟLq-vVg#klؗ%ںdC}0EߑR}4pf4X&O'}pE 4%?ʒ7#i|8xnz{@ آ!E cy? "붬*暱+H,ZOV|vЯSyOVfd 븱|ZT:î^. J~s삪(A\+;ϊ˃#KBb m +SvɎy |v*tBatN󽮝Uq@TQ¤u(4;"@i5*VFo߈ +q ;rq=t́ٺ2 %XdqETT'V0ಡEoՊnƺhU-[[S"[+|:bݩ!5#geL0؋_d=azZXЫ>ZxEb*ai&Xh# ֯*gz^|g5$9ybNm/cADīW®93_, ͳG[: ܚ9-sq/cR*{YΣc`krV9L{s{aF!no"0svV l;zH U<;_Kf)|&&+#zV5~!@Z/[(oWE- ,]V,I b7o. %&OXÊ. `)UnM53eȼVd.3w.qF'IY| iVs ҾkF4Y~m "풻Օo⤄Ӽh"S@Jiyct&a6ϣzb$Odt^H/LuYK-q{nPGYSW gKRؐ{3v]͋G/%I~䡃#\`•bMt?TIj^oSNaJ>T)Ex̗XT--EgW4ĂG]ڜfud }e/N/b4t|n+)mfr`inT.G+M G̹dTbaS8,FD#90~VQ!\0V2p4b9ixGRj>–ٙ؝ F%}ػy%/t.xCL>rvq,f9Ihz+CqjB4-뽳,pt{A3ҥJ %=tȗ)~O&L[yyxj)"KC aLCW/J8FboBl2u jVdasx︗I+ݧ ,%Tflc$#=4갠I٨P#}|{oBVH9օFih2BW2{x"s]sA)'ki*V8& JB,WbKJе߮dѳ 8FG]›cK9JߡF[u( ArT(q? h <y=ZJu3 ys[lo|xhA `QrCeXXuVTUWߧ\h}FtE9Dt[aHG,sGA6NŧV[(N?L* ]A.$V^!y23H=&(aI]<ZvhaFۇ&}C@߷Ѡ9QT(s8:J#kA嬎yѬg|4 ӨYLzWx^/`w?L`S6񓰧xَڜ2`/ib[Ք5y/{2}ˊE=.Tò$D/o&WK/#YۖvYJ&@b&z!kH] i=Ewu ڂ;]|:MKǬ[\ x7uD6_;S=$;kWͣT ӰMS voyĠZAq%8ZLdiuxNa''g^K2"xBS(;zwmn+֩)sxoX.+? єN0|gsX8Mo!Lj5hoBRHvZ /hW+",GWvSoiqn0f& T8DLcA3E-V:#KfyBd*̣n9Xܬ&ft)lё&*f` ȑ="uqcSEilʊ~h%E~Q_?$-7'|g,Fy/JhXch4rނ9zvEE9o$]խURQX)HZW]gIB<;Rn8mo ϋύv@:F[)]5>יЦyY_976@bQqno&!!I b˙c}M͆pC' Z8TKd#}K6d#~(xʿ+%'Yy䊦 I~f6"(}0ۑ%b㊗e$R0@yl5 şٔq.෾Pݛ>Tl?b=9LSRHg3&8=z1*e=uMAl .K2C܍ Nm>Kpd&JxEz |iqȹ*U JLhT[߬iNB-a:NuOKP\Q Ξ Q1_Gs>'j|1e rZjXSlvdŶi&x;ّ{Llp/ϒnh0l#N?hf{|$`:pIO"9}cKQdh:o;ȸ*NoPHK}VGEދ ˗$"A6{0)&{WIc~t\d׭Qݓ u3ӛ`-Ÿҝ:QJ0Bڊֶ|`Υ g4]%ZjM _I@oVMsZF2O5镲v3G#Y==u>3ݠ EbY!p2Dv{rK2\ZUx>[04'^Nz~*}yZs2bx1XhD}3NnD6/v7^6''qӷу湑]H: S4`}" &y6ߞЉ $8Dqg]H2lh %"Z]bֻy /P(^lknK~1*AB'21)lML9Z;)= b \Gߘ_FcqRȕ gVڧ#^Fclp7.v$Yf[6WhPm&Q;Z񼺷z8h<_VP2.&/Wz8Za蘎1a ,5Q ;3~I,Xv(r@[/^yzQ <d,yP|#1mp'I ݼM]tphGh\u~hK٫?3O&ҢҸhы "ȠnJΈH_7U)p"D/{{;t&/FrXeLPrH, DArdڳ'NP $|UI'ܗ[Rknc޲ Oi4gֺ?LաHΚZ#* r6Ғ1 ˑrXryeI(9ZSOBe]|XZ$ 6oZ$ŐR"l\;b}W/DHZfǼŭzd^ިjQLn\12\&, Jk+(_l@ݠ30E8.^++F.'{Px034Dߡ[yA6QPm=x[l t[ Jrmu~"ڶ|yo%:9rQB8bRk5Hs yΐ eGκU =}yT㪶l(? qigf?Kl0"L%dT )2!~QpmU /sY7*li*jZS+l䭻p643ZK8A^,.a#4gjfC[RB \(WiX}AKP6@E>g%xvd-l)[d6ᖥ[n';8LX\mSFLex-S2N0u,+|袈!{׊LZB]1"N!t$ނ1ĀUO?lO։kJ5X EV!6?qB\Mw b9ӗK? Cǿ}gʉza~wwO 2R? S<o*K]2?J7tX&?4ͫ.5Q@ gw:ݞ)R 1X?&b7:aD?]=5n{'t_H\j0Q ;>i"{=9ޝqXĎ=a Kܡ$fKkx! D/AVKFJJ6lgVߥgzeu"bj?ѷ:OFլN3cbmnő&:D:6cWݐ:GKl]Vb qn` ~%u )g@/0Qľbptla`1r^sdJsb$)<=#n03!ld#,h fHf 8TA!/CtK&?O|գc+Ekj`+!t.?gֵQ)px;9{"ԫb9*~G~ o4IBiN 2Ӿ22+uӢ0*ۻ?4>ݑ0+\־"[ õE? Ya'P 8 pvGOJw_ ^*@!#vp͑%HT:hg64Tc_|&W&P~VިAXLo8fXi—'܈ 51T^빙Ņ'-5'M@)%u O퉜fuE>ZN&}qk :rl[:C Hq.! Jf0+BцƆ2'Z[* FF0()jIoirCc_M&\x&jMxHK~D{x#?EjSvsaY ]DێY޷OQc?*FxS`ye4lO|B@^}gSP=~SO?@DG(Q7\+"2%q} ħX qk]Nː S[d}S9/;\*t9pIҫze%IA~s@$RwO$LesW(uMhsSDVI;౑ R:Nզ݊)1{ v׶iL P7oYB,n nj!cWm_(1HQg8ԉpt &GjDm?`HV %''T,ip6Ҥ˦ҝv I٪jnTVزr~ĽI滑|^%V7^-x]DȨEJ֏wK}Cbͯ̅ɽ{TJ07J^/69QD4 %lyօb3 # 9f0qFy׷GJoSm.0R4V5׳TdNswe ~pLlFmG+H+)4[ὠ=I}]i#%n'8bek:E7s䐻/6Ghs[@hU^|Ix!S GS#~ˏaI% O:5|xppo# iQ*&9VPD`/k:NW+^f^*y7LZ8gZUBEj|/'^KL^Cu˻|{ $&u[vym|*yyHcp(;a?@"º`F?;b,2 cr-d\K9 rLLER7 )l7N߶[iǡo+6 kCtP=-k&<̶CY4Gg%Bq$&ҺDe'X ķ8UXfQ^IYH?U+Rץ@#e!|Mڤ=]%nskDb$4g {WofWG c>A 9c8wGbkq}8wgQ&[jYS&ƴOV GPFȝKHmXf49æ`Ç.^У5YVN|-Ryrgt^I'\l $lюA蠼լ5#Fo-J<A Oxw:3w[ΉLIy 4tv7ԗzZ9d,fػ@7"Z'_ǣ9;^;ZF+]64[xXC{ 6r0* 6gu*ZK2%O+5ğ&7L+ZSeJjZd7sqxuԧ圷QJHpWk= 6QY,5 >Lgb<ŗxd,%!pzs~ ^3O=K@h5[[b©`x|uePt"Lm/>TU)ӖoES+~} Gw`\63}Ra0MD N!7"yg{Ͷ2{<8 nI.࿆1sڪe&2jBϷ쯈9eBQʟQa̓at]@ogIH]Fjb,9VbX-ݍzAB[l1tK4v}#8-aDzHc+NmUltl,mOC;~5Dpw: R9Db[},$ SWaԛS0sØDԠ$9oy+j_uWW|J?KebtހʚYG쿅B˺7cX63%j\5t8UC>c@ hƑ KQY )/nWzV_MA^W(a# ǖ *vmi:· x~%aAPMjRх?FXAQhҺl2UT+ռd,zoa;d(Vhm}"2}"N){SpY@+)jh i#y S/ |+|ܹ']̆6%)Exb'Y{y״ 3#d>gO_:fDPC}`xjԶ3C껀JB20or5CK>Na:gֈrO7qJgd0 4`xa~`6  =Isao81 &hqYyJHTj/eJsKϤXgv|ZYTׄs:Zר6"l5F8ݫ2&jϱynמwa)w܄f]03`7#6OҠOf Q"P_À6?#x h. ^*IT֐H﷒ĨDOy=_!mPY2FKC muxo;>72KK갥 @IV وIoDo(q0Sn%5ުh\E$D- hPvڝ'% ~ hx! ~xv?!l KۑGVrq5^14QNMY

k {JgcZZ1aM^Ma3'^'YվC"H+x?6=vϝBcu$=(V(p~o2']C'r[ NeL?N>Du2rn&Ve{v-+V;=ۣ N=y w~?4$1"7 0-Å6Vgss̐Qۙɤ z(`'T|lMCǷNwSn%<M? `t,w*P9<_DKzo {7XҗǂM~[@ raV kG9qqtZ_X۪B%qoO:ټ߫_m0 (jlħRׁL;5҈Ο2zKeHoqd V߳)5USμxgIy*wҤߢ½]탊8ZWc-QiX%1^̼RAHт^9|mxHqt<͇ /YS_G$+[lH΃(כ6Q'(ݖѕJ?`G+9{֧JEl*\"EKa q |K{X>衝3nȨ"{{k74{i=*WmU+J#7פ۶|>&/6_[3)S"p@}?{NycqP_M-awda:9D6__ְfB:! 4QӛJm8$pf02q4Y?١bai} y֊|wsZ;rHc5Mb'wE.*l; &,L؞GYIhP ]#LQk$.K}Z'+@Vk;JH-,] C6GK݂^9OH۸"AR,/s?YR`R3?9q| ZcYւ ƪVN溁gZrIQ5-'%F Pܢȸ2}^ԙtsМx0@sSf; t (u],4w]9ۖm~'B7h%x;x Q}|^OJ8csXRP#!ɼl~Yy"L|y ғkt18 iz!~N3=י[=CZgEܩ>9#>q ( 8rqȓ7HwF^cDVFn1eɇ~Wld:;^,5#X&ŸpޭDnx, =A<5d@|+.#b;ʗズ7x*4Z G)1/o!p uudzċ1 U%#C @vBT*i$E0Opoʁfb÷{t(A"^1a`$sOڤe3jot닮3p?FrY1)@t)bI'H 6z[)V{ 5&}* tx-T&Wn޽%Ex~Nb@)ɧ Vdaj3ĄXy;$[b07a=z`1 j"9SʭAG" XH$CxDb%ܵa/za}Lܛ{ ys>ۈ el S|U#&h HLFS h)":27#$V%5~Kf\n:?lO+@8/+ o+No^:fzD ^T"(vW20>?|)I]wҧcS(Yœ'?.}k8I1W6b IIkBKH2A&HHD̏%Uj.{ʅ$Q :6KusD3?#ޥAc)ʉ8"7L%. PJϗ[r \f{|m&9U $^=aLrV5o$/13݀/QR[WLUj}%7A \Ɯ>p(cuo$RU|ޗ,W9J 63 M4fTDuCEa sN*]U! 8ދ[˜ι]~lEY8zGlsJ""ŧ<ݧ.>o7= ⽕/;?IuU5,m .q{kV&\46Kkt6?##q9R95+vzK]n=c8KrpFOyNvrTr@K=V$q:eyF[(߲zNxE ݝ8Jf +3+E8mSP96fQx?t5iLK89)AuryBGԟ-R5mLڷ|zaNqC{( 6#U/"xypiC_.g#c&7{\)*Ƽ:D{p0-~̱>6:ӧlQgk]QMy(u1U<\/,@ڢ+"G؋ u 큡&HTLV'Sv3 ^|$*# xiz*LsK-/鸰C[ΨIlcXY\v"aZ!:J< V+咳ˊ˥ e-BYxU}9UE0zKC"Wvdȓ i.}c Q-$JOx9F ^mat\8`ق9D*Ϡ\H& jN!i턙[Yur{f'k-Ȃ=5'Z]0?z+6oD!0St}eL~8k&j%sz(`e0.RȞ`q_q]* ]X!l?ͨB 7&_K#V4C]4,Hܻ1 ۋVoSu]rBxnͨV,?\<˓vi=q7SZrzfѓ}2l답eAdJ>^8L.q?^5^AudohXd^&4J{,6wevxN FRWjoPeMdw" #-7 08^]n?.r#oBT"1iM/o9c$K{ZO.vˊúRjz(D_R+qѵ[ذNR-9-)ąN@CQbjvs ^:8jBU$K1`4xAaQ?1%G*hfQz9#VP:+8)8AAﱞ{DV.UpUkSy! Mk"T X_ў^u*~}}|Ww}$O GՆcLusزOXX$昂o*b#2PG<6Pb7Úޕ ĢzY% >d#N _^ ߧ^9G'R)J#A{ f2kq~loڦq/b.y氹XxMI ~QŁ'@!~=@nE)= _#6=5硈Rua @Fgz5WRX0ړeÛ l;զlZ[ FJYY`tX:_rӸC_́0G1x j,a3Kdb^"7];=+ͬ>!EԀ`]/'&.k2z(3- Uq`4_<ȱa:ŋ@8\`d3-!WDOrK˹ܩ dΜ~hNq̤ƐבG݃zsDWR,P|yxĨ<Q&^ܻYDmxC+y`&3mHCX6gʊv]ģi!,J2PMz/im2øYP jo2v{ U_ ˋ=!BS}B$@w~>KS94t+(~1Mb1eUu)0H@SHAvq[u*grdʳX.:-ϕ_=f)m;Z5Q>C/a! 9cnqLeɨ/4yë qg :; :f B3#s7'Ekp(nǃl0E~*bMʌr6ǵ$JC4Vf6px 6sDU%_% iTw lNɶ޿3?M~ t4EȈ$.*[`y{ ߴ?:=ۘyp9)~Q#>t2b֜tm* 0ԷXyʸl&KZsR>]j{oVb:b`]zsaj{Qr n1qj¨k(OÊajWc9BG7?7C̝<+n4[A~'/_zKyQ!HfE@ ]'q#GBΌ[{?FJxT*̸4 `)XtfTEk=z׏b8e]b=tSBX/@@u?{)4ݾ5%z ZQ_<`0HhyaH;DNmU);}-.vmUzIa[2!>'r]%TZn}887̈%&8*Qd XWf Ē:]SL+_PxV7i=i&4ݾ&r͋Z~V8Fskh0{oՊkU<3 qЈ}\sT XZGmܭx9)v(UeƩȑT2(޻A5$ 5oF(Y!E4[6_QK_{)P Jl~Q&@5NW칰ѱKgrZj ImR}Z,OMphN$Q"] eDӑSJ+Z$е0WQi"0wKӬı/'E7leB,AiWP~ER1pIH 5gkL=Y~64[M\ID89Wޓ}{ϔa>{0}u`G'+G _ro`LɔqjZWy Qtk jޝP =FQLfI/"LCPgtQ9XHrs?P*2rxiďwedmjq~hgG2XkSytN; O!%GeqWͯ5t(Q1Ԙ`?̙vq{!enJ~):_wQw*%~-Ԙ&4nl;ةt0Xqc= b{AV=R᧙}) !楱{5recY:G&ynŘ$oCJ|)*XyfH5|aKČ8~KA`+N(8r}M,H&#!96BZc,뀳ቕ$ﺉiY"q( =E~QvԖ&M ^F ~Xl7~FWWDZQTe Ua (\ܥQԬ^zŬpUjS*2ED,RȌuGQR ȩUpVt>ƥzDhy9&>yGX~TԙvDeb1BGf*Kb$A@ ,9c'"Ibbg3 8J c1tAv7|e7np}P`(X}^ :=^@$+Tb:ŗ0 'PQw18OpwފtzRddO?\dA /C1/Dp#B0H $#лikoEܻ|7'溝4K爓|3GI2r ,HBy.`5kWtY 7\AU2HIxb#{ ~_ya/>D GщevWw|M8j>R*i}'dZ◑堶%I#"g8'Z4p=՟wIj6gbd,WYQL/h쒆bװ2aPKAI XV!@ɮunp HFD6s&4 ьtaL¬'JS=ijDZ\d̰ךaKLv~ǘzZmE]E*2 ʺ&:1*F.쀚 #w]7q["s2-CMAOZC-ao˖ڜt딡G0wu]4 P&ߡb2FTSSQ ڵ3\D`Ghl6\̾HтZז S6B?>6xd%/ mB/6q,uRiRJFww( ̀10^iS@^($'TC4֕Oy#kz7E =3.k6x"(@W{-tPGӆtsM Pv1 c;;Ш$8TuMnpvU3L$%)cwfbt xWyi2s88g4 %.+ V-,<6M9_g1IZ7(y 2tVH6n!LJqMc~ECqmbٻrHڱ%vs|75!}91 8./d76QyB$6#>f#楆s6!ݩlAiM 47>oa؍ %71Sh<;3 =.h=DYPϘt|5}r0wvzIA> r`^oV3..&uR@;!'ǭjt&Sbj ,^~4m6pC&T$Sr Q3u3ھi&Ia-qғ$h>=7!GCf%F> VQ4`=Qz$V _ wg(B]l6}‹ P/|b kg1)p=*ʘfߔNj?a7ADklL#Z: MBݓX; ."jK|blD' W_5@ ?bk۬敂sipkć-n;nc"yR*N;@2秺Yg!(s8LNRU3lZQ(k? %:fԗXs"~~yB3jSd;c!Mu/gXpkF28KJ EgYpkʲ-zoNʪ-} UL w" ӑgޡ-܏3I힢, %m0Y)o`R}х[eIHZ8?v]i $ò[e: [x=Oό oFz.72FA+nB=4Nk=HqG" pqN$MP=(b4M= S=B1EۊtwUVI7qIx%}r-=Qs,1B@̃Ƕ;̱b]K(oleC;>Ho\hYSVF4y;nc+u=|\.bH^h_w1c@=@5S-PPsJ06U.f>s/=˩<~^;}QT)~^^}^M>ĺ֮^蓋䶑@?6씩 (c*< Ζx7Rd!X̀%;?$z4nl?Iog"i f.o< 0&{fclh;&ԠHd`@!4v7O ;q$ƻw}Um֎.5N$~ZK\k@ŢM zS@}JCLwyN CDRoWٝ$Г7}AWpALZ" NivorKcnFlv?7K=\HF.ΩTʠUsNv+yC%B2˔L- -=#(yX#0u%:DaEx"#W`S|9^7Ԝ0INE_KLzӲŲʲy&i7! l z:_V%݆XDhkE8~WYg]^HV4gp#qC]-'Џ=tEld乘gxon栏 Z[ͽ{;OF=j,blota )`1q`#2l=)Ve~`LtV$D[ L>ݯ\v5r̾PTݾ#F <􎔟e vt >*q00zQuslpJaV ^jPI+fe}l^>-&M:y]6܉Dl"+ /ʖ_2փ[xp֮ؽFz?~xιJ@2QTGF] /#c@|_aMd諃UkCe8,d]kj`-c~eeUpT&`sj|f I. MjxLXzR_bDsM 8v0݀ 3 !ӫ%mET}!.BP h4/]zQ+\jW+\wЬ!جZ,f#FdأDLb0o+RKsnz^O\9dj(]U5t9S&BFː?mێ`/PT쥲G0# hhωW${ jJkr|a:r # *7_૘ M^5Z~%c CE[c @6EAlQj|B"AN dV\xq˓+$_9LҧObUb yh3Z]wv„%wW@nv)"R>JQaSvpcG/X@+[ӥaA{l; }1y'Vcbq"Bm.3rXtUW,/3'!쬽u@#Xh ԟKa)bQ"2 1>cWuX^ IW R֮-NܕM_~]U./95A!l;0"m `ʀna8ˉ4%h}Q^7=KH/6%GnO.+𦪊Jއ^'~fr+ܰ\İ^OtԺNn^OXGɔD%>7iOέpVbgI;$qe5T M@G(4.A*r)с\IL,\6 ~b%:Ue3$-ӫe^I & vQyb`~wxovB+e>sWD [aU ﺩgV"_"NK>{(\ųsJϵz]Z#XDDrdyQU9Ȳh+/jQN t`Eh+έtwbboMQrGelS"hK=T2 ŵrkMQ5ԩw欉|) M7 W#} ?"n729,6¶ qw#SB?: ٿF%l`ڑvZ9;nj>VrC&;$!2/GZ1O0iRViY6CSUf1qKFQ9Ǝ$v񴄞 #Q5yRįp'JÒ .k"5p36!ZnVc~{S/LMΛ:cL>!%n<`OFPtVckxZFцB` iz-tH)a0,/M4ZkghHT y V FBq7ƛb6Sb<?ۚ,򯿨[#RyJLt ]ZeC5uL(!t)am;c#{ˮXv4G4?2,ƒ[ 2+sGtr IZټTҝqUq^-JrZm4sfmX6N;NǎJlMF+被H(VκW0*ޘ3(I.rMRáh@ *NG.{+nAK@H -Sgҝu#VذW3dLBFhc&/lա'y9 NQ. 303~B/JXT܋rDN)&TEX~og+ue?J{WzZ9Ktx>=A󭦫2ll{{~P<i\[̰k J ,쵅hfRáQ<`\/k3q P!M2Pr: o-rؗ[=Dy}qm-q4+ 35qa XE @GI+ 9.ccU(v *|Js`kdeR4x맙TBۊh#Gjҋ6֭߻%iT` ذZI!Tr_NjxN][j* B#3~6- Nr n>FF^T\52Iݴ:<=vlGߠK*: qZ=5&V"-9yOW4>Nv|ӳ f#1ѥsIDv@IIv[AĤtI< "?" ^:-`K[a;'cQCa Rj.%J6R{=kMCǗdŚ|uh5X8,~ Cެq)&FXgw3,#ϤڱkNUA3ck*sxgXH * ~קѪ5Q҅}zr[c$\,"QN!M5ڙݶ`Cx Y@vPa$ş`/6~zϦ1 O-Bw&|[ Jn&xڰAa\BNG׀VVBfǮ9c8儂z :٪>LcTEu6SUk:`2#n*n@gv>2n_5XYf֫$s[6PyL49Rqr)$' <.1#œo ByEj G_4iL~^pu=qd~у:oG]hgˆZ/|+fXDAmlS Q3T}1&ޣn 䀢DzѶWh*w_tW9~Rc 2z4f#H*+]Ch}K jBÊrP3z}( J9$Fa9`# 5j,cy~aţ 9f T/ l1`j%B8U_> D'CF=FmwFaOٛ5?nOԞUL( F)lxISjh.gh3nje+:Ա P8nI W {*!_!.FٯpEG}#zAΩ( l) C>Q؞K#% '؜U`~DW{Zt̒ff֑l/iE2 (VeA?>.h8QwY9J`oEYLwpyjQļ0*Ga4,jV{t. >Аc\s{$kj -ּӪ~sK{6al(T%"m3N'=u)@KLXz\ tsDb݋IռJqZB%w6z&=6Fў{{O!IiC2h%l-oQ5[&b`zo=;.}N=9Ε gjΘ=awBirY{6fW=G-8i s_^< IG vA6 n,6<y*S1bDj.ޖETxug*>d@s+6cWqcfSfKڦF'8S:saʥ)41) `Ccy5d2މSU@.9Ő#.8J*s]'괸`ϲrP(4U0Lz+V{\*5LD>h0;ŦR~% du¹aE7c=Jueo/X.A+Jw )kwM3/6 s UPI.9#1m.3iJQelIt!.1F`1מ2@R<5bmQՄ a^Jٿ+Z=Қ2VŀR[nW& SAW}kPLW5M q$~fӄ]nA#jnǾ-DS$ĥx ;%X"d 0ny@Q3$M[s>H ?q%;"f{y`tEijx#/ ?A4ٺJʫsR{z 7=-d!|RkMxD9 Ҳ`gKfz L"WIX Own@>GJ]@Gbk46Zhe |p)F{+uքH1َ)s#MuL/¸^*O"Z0~O<$|۷n* YG C3#Ap~ :=Lx"WHL5< i2i66m}jY\(i&`jYaPYl;B3I}@Q r7Zauwv/$%G~l^YUzrc~Ht{(g_ xH:QE- mLDZ1(^@ 1 9}x!n3i^AzS\hE׹ڙp^SOF]J\0rZ|D(btz1QF@%RNe 1GC @{9w6HS>:fN Jv 4>|sˆpԏhY$>L#`h{{pv^@0>)g7W7"rY(j~[ɣ'R*'Ы =mpO!\ߋnD0e3jf9x.@3,\"ZX`Ql:(}&H=@ӑ1neYD ]k N`q"Y3B&gO ?U؃tШ[ ["1PL\MM1i6&~'8_w5KdGȇpI:T$˚hn^ hej D~!e;[mQLL_O2OT T&Blfr\~vS.LP0S|Aje"_¬1xKu޻K+n$+CMqQL.lS/a B6M.hoɥLџ#֖"i,ay=)wuYU)M7k*+j!:Vb  r΄=2cGMP[U:976֌/]`+Fξ-4 rCbxT3]m\^"&jK * Ў6-XGoPXSx/'rs$g{h/3ooxL#E+qa BP^MYԶoqt S|dl nSb`Ϙq\ 4R?0 甭aXdZi.!\;)ڿb;'2M> 0qbUQ }탫jc Fݻs^|C{zsm~+fRy)r?~2>d.Vas M W`|9b6QB)ROB3=4%NUltvbhax9N̝o&V?4vz"sSquQ>_xj#528nW qkֵB1_Y(Y=B3p6tKlDZTpA|6]" L!V;*#enG&KC2R'讜t%?cFbAv.)$oP4M,jna{R*Ae}.$*D|(fEj@/ cgOW(Tet;{d8Z{x :R hWe4-V@7+-YXт}$t@90!O̬v qwV 7OUS. \{ekxZh))PhO)a4@H7%:qi>ef.|#>Ǝ۲u %6~! DwE}dB0\78`sBRWR]p+=жr,Bm 4wO U\72@@R^i2bP@H ct rtK$ 6A:9X,AG zlX GvE.1xn{R׌t8MnBK$.(H6?b^4GCܴ_AP)ɂ`5H!UJ'c=ZɆF4(3Edџ:/AVW8$-F"xNafĥF<Aq!{9䂕d4,0QOs}8(4ᖍBבvHmT.ϥQ*m:1փcff`^X8ɶ6|K#R]V=#Ǻh$..$۩.,ġ.c(޺AQ(g0ǂxj1׍Y`%<g윌RA扄~{V{@SW3FG0S]:҂w_ o-xDH82=7<-}EW7HuTV 24z;(*17-\'OB4vo.< |<î*ܑr7|d{ͳ,KKorL.Ӛ T ouP^4[]h<`؇ɍgBl|+=]EZ'\}X2d Y8gʐ8>j/s0 uJbhs҈Cs8DeT巻*l̏-uhA7p=.7*qa"wTgit~%@*\ܶ=Yiq=4u:&5dzeK$3iĂj gA4P;6T./Yea8w]4ʹn$q9 nr \iyCtw |&8VDW)ՙ3y[]"zܖ n!O!-Ex5d=(!|O;a1ë̿7JhXMts|Cl9T1P<.~,VxƉ#SǷhww'7}ֲ!F(*C*>Z9 hJʕHk2qN]{Wt:&p406cRA 8uoiM g )RMqܧ^xPZ`Z.ycF ۾B@P P ZTk}9~ߟlZi Skm;L/8q kUݎ龛g{y(CJ1L HȀ-7Hw%+7Gj2"@|d#u_rz3<١ mYx*40Ɔgd=&9JzPXQb81%ɋnBm`HjG\~,\j)#]}DI?.3Up;k:1> oŒMDE96`rF`׃ZeT4;Y͝>Ff1_ӎfpqN"GF߳a&)s*!wtܮFI&1֦B\9:\# +HAR+w^:;[Tril{yo2>)էe@ź#]@Hg2jKq (@ty )XW.,0em.X^Qm.V~GU) Y9})1p4MEa3"K@`h}j(D(Ɒt"47|_{;tKv[7)41?\uSq.B4,e1tE-{fl 8_gB` e\m lA꼃Q<8_kzhn=2@eJ~z 6<Ҝ7tUUrua0g^8kP:=7Y#OWܸ9PQްtp~yRURQ0ҷ:q?MP5Fw#`/ }!3wA _pk"\+^xSll>hW251,f,[g8~mU2.vI;pq$ld`B<}rr,4IӠ뱛0 bX`Pղ]hfհ LRjvak >uy< [ mK{@ȪK V jZF.nL%+ cWVEBz5ZO%-t`Fd96 $W&yX!r72@Yu2}Fl}SʚY.\_;$Gp7#h%{Dw:8n!⚖iǐ9 /䥯.HX'OQ5D%,U{/N֣!C,^м/zn@۞pwYo\X[f[מϢ)^%Kl4 t9G˲zd~waL;~)q;,'RȽ2vlP]"Vc`ZNtd|-)-R{SǦ8}(#ߛ Hwps. 's毵^1R*KK`瞼6̃W*]b ,B~hV 6*뱖>sOɫ֗79#/@G "a˪3nY4FH*Tc6ZYByWz]yf'(o(^T"9G{oaK4}2RE9Xkn&ʤ_\@IK=9I87Z mS,"5Jl; V>Q  pB,O$:FH:-j[~'`,@1s"4p5/TܲaYc-vE*$ 9lxK ft4٩D2ylKiToSS84t§y<^Dpr>$KjsRAX .yllP) -GXkƃ][ HH/{4/ΒP|7< X1$̓=܉Jfy$F Ԯ׺SG|ywwβHz&Zljc&*=&Kjan_J&h:!MEks.YW1D(YU]$ICoK4g3*kLʢ4r?9 Wyg < `HnaonuNv?`T#*2T@;6>"6cޘOWl#qp\UfQ$f -ܶQ1\L.1< Q+̻ɤꋈ ؠ}=9;AlGKq oDHxiZ99M:!YpoB8sMsݙW?賝iZ:5[_ CܮX͹T\3g;4v |'?Xpcz0 F0ʄC]FRSDiZZb WB p4z~MIo彐qk&bu[aO7_RW_!8%%Þ>(fR;$$2GMor%ha*ߚIYaK)m'sJ&ܖ|堑~f}Fr2tK}sZӛ2rao"mVs/.o\_Lx); BW- Uu tN][|pL͚OS=:are %ۆ/\<=xf5Wlt$֌Huwf$,1TepVf16/i-!=963$3c8kg89ލ|eK,7kP O&H^ahp=@?9ܭNkmNГpIAm J"@r*hM$mCҍ|`!^omLIDD-ވ2MٕԥhOؐI>gUm®|ˑ8ht?z?5^ ;jbvTp1%ykI^NCOv0 HSu͹V{\LX׉DXm<4U%V7bB 1Ú22sS%Ԡhr 瑒;  BFgY4͚u1zԼt5f \f~,ZM $'O.|Y~u7өMUYshc-:Bx3㝟!H'%n@P{zd-OcGa(ll:)Q`DPt#&m5 _ՌF̴5zR3Y;q4Ys@ P]2骒y}vvkS=z!kqe-}>A:&OIT7X%]"0G&+Lkb*В"tzF)NrcoX[P ]ϊ"Np|/?R'2N]K{K(5!2 iρ2@7vC) 'm/>M[-hAy~$j#q0og' AXqWwA }Fw"Eba,nHaM͡cg)r"$\d7r]lGe>W Q@QY9$ƍJ}ߦlF#w7|՜N (1C( LJIU` Mgtd]IOtHLE@;sԷBbDDs:渲?vO{]Odr' p5p^I9B%s8\/ځc1nީmK|`KMp;Vi_(]šT6D/6(qpʖ?A;_!>n}pP"Q/a8puF`1SiJOA WFhNN8Jbh?.\X<|2#٥6邜d|d: `Tm'ʿp+jҐ,p &\ٙ.Avw.,jecz k֏xi%A/\Di8O 0 `s(Ѻqv~c4E-\{*9; Z4X_I jsQ8Xf ]{0khR= )Z<_'P( "&#d.XMez2 C趽]?Y  co?mShkaK++L"[Od_ϟY b(h hMěV Ljlh?-Z9- &YuVR݊cVbm|~;>אgRe%77$#W &E7_*0XqKqlE@F86hTc şBE?rE{:D k=m)=fAn;Mz0{Ҫ14.$yQQ!ՇM640/i .e5ClM #QWv4rKP{2 tpGweEO0.D? ^6r+L9 M  Q"g,ӳ7DV!^/EHR=^Mas{VCa  + .WrrȜOcímCWTICG9-Z >%@_&c&~F&scŧxXЋês9 yqh.*+)rJ)L(0ׅݷS [ O~qѫW@ϧi MKe[!j*>A5Huef1yCN YܵB4Q7< xea|?ab&0D.} C3fXÞ Cl>2 H'\!GttM9T a<* kD3n`AFdBB#r’C[7jo7P@%Qx;]' ѩsLDY+,s٭_& ,E\# J3KIE1%5,HX[@۞gm.IV*#ہY2CjF'v.J 0c4Z"(22h+TG,YEj#'ҹޛ>KP%,ɠRmVP&cj U=\ lQ7z:|F(| 63SmlxdOh"Xu@ mwP'P~6(֡ ȊjKņnj6<;7^|B;Ǟar퍃 D.h}P f^Mrcv k1fTĐ~8BV*BG1\u$_舉H I28sZzAiĝ:#JC+HnPcF|K2gSwB۟NʹQre8a<#i/[TQ"oʾ%`/(se}p _B(F݂Foҁia7lM>Pv)؀#ng}0WX}C+֧"cQpYY^2Ow?Iծ4u_$ -ҫ6!ibs_ 9-N; +^8Cac/RJ%OݫmeE#J@9ڠ.*$hJfH `֊L\[JH&ZIc`VcIcCFۜiU%ezou ۯeǷٮ N; U5ȏ^*m&0ɑDfC[ 8 z4|_a|9R=|=̶JÕt8,Ò>4ҠS3nZQo5MGtܯ_cj`0 ͣ.Z5%% FT1 d/߇7Unek@92`cfuP.wL2!$?MzRiL@TGY\ # ~OإKcE*K^h"c²欃K/aΨЗfqf~}Sɏ5||lwzi(%Uĝ݂lG/l"{a؆a EFq$w1B R%mx̅@):B= >%$v DSa佄R$(3oӸ.CZ4XFPv {Z 4 ] Fc!\ 1ЅSAyl S%$D$ƒ`pMq՚k˖U`\'B/RL#g''yy?`=áh{%pm(HU#jݿfMgfA/hAxYzyymh Ͻ>ܡZVyWZB-$-ANҢ)ȥcAu p訂(m> VcUz Y9'lAw LU!xG4)iJ0lE9d+*bugK j_-b"tu~HN.g}anL'.vlᆚ'$~{Bd`qru?sJut.G("-ݢm,rC4}&UjeG_D_}rmgR۝Aj> 0iql^t2Sݱa>Y7("+JI:YOGU<'pU/b,T!IZ U8ܥ@x.fhspJZ%1G%WBKk+b8lKo Q`*l\Af +4TL0Eb@ Y2NBl@?oʍWx ^!c)[S9x60EbXzv'<|\ѣMAWkf ;􄮸E}H ^qr|cB1 \>YGBlRh9)ʫ?䂧EEMƇF%iV]W$(@j_pױ +hܢ mrs-L&x;1EtˤOUdCۨu?PC $ne0_;t D!֧{AKƯ=6_.K%v+TZ Ti8A1@*M~MoFȫΛ\l{!,Ч`MTw=x>->q7iK U;`K I3wN,t\]jhB" F3x8 خWw)eoXh4Ex#k6 󇔹Aa B=Jޚ8;x=\'מH{0o ub[FAwywLVs;d,FCm#lP35' sh7Z5J3tj˛nQO U2>%X |w%-v]^|%$Ԇ M+eE!._R)Uc S B䎬#e#(^fFOKeHës˿g0mN𻲛 ?7,5I_틤Vy%n?.laB$&ì~͞ptN "OG1 d=$AX/rbP><rh_@qj[l,|~ج+O ]'rmdwb@s藟6 |@IӖ#*nYxh%/C}/ -ثG.XITebcaʳoVX+OC%2(&ڶ 7)I̍(i5MUUOV>cV!(%{Lr?d;NuW&TASf⚮ީp34};q&LctfрPk8cF^+Ձ|f6Ҧv$>hpԿb*:˗O5G-gחu^D_&ɰN[jNF8{X+5U*k!d#ZZGBJăMI/f;<*ut)UZ,3R/RIANhI+2P}icĆIRS#>A2|u6C/ꇴqZG6̃mjnYg`Gs5MϾUӏ\aհ0B&f:pa3=xHMw@vYqf(y4`|S뫯i{qș~FW hu'Ylϕ(-juIZ_v9S?ܗ-56z"Zd^c+U8 tJ^?u,V~s<1ە2AQw_'k7.N2ªtF0Ct yF)ɃjlZoY\ $5+cɸ[)>_?:HuR7o./dS}dvYpk!60/-iB%g #e5`tG7JںeӭɡW p>*=6'BBK, TcήyOkX&U.,B9:tli{s F5z^b{vngȕ ?4^0 cե,-R͐NBi1`2G'v9݀ԗO ,5)?d9Tpߪh+Yt +}.s5960/ޠUGb䅰Tej32Y$UE3-X*ե ㄭ4a㖽c|'?]T]{4~xu0hvj[s'$3+I[jsY#U9v2 mc<t I<tbѢ(7#K17p/G2$+7L ȨxYIcTQNJj ^ r1%Kkh:GTP"h`&ĆƏ,soҋ>ھT;Au7DYƥ޲H̚qZYT:IZsZf,L~oI vUZ>7*rM@zy>")$߱t ~ ]cjW%ZB/iv`hlE¦ ͫ"ρ͞,֗-=>ߗQ9n4|~vlB,aX" +ʿQDnN-s%_nPA#Ad Ux_'IV5z.ckXrq[&GpouSM"Oɾc0;u03!qf9?^ɛ/!3bMMxR]dRg$~ΞlBynloWG0ϡ`O ?[:n4Z*?@;">Zo(F|Zusk7ײ8fn%.!r2=3yX5q׉i=V/Xw+'WZ !6IB^:gHHQz5ds+f^Ubj_1Q,;w@\Z Z-7==^?19dx;$PMccPwNdܚ߆Dޓo!1+j]}NEGAq|NltwZ~ ^~*AGHbgHsڋ>MIakNk:YɎԤ]9+I;NVq`jƥ m(j q$]Y۽lԂP(M1|*(tGPj.{8C܆3jq,hT79"y?0k(}OgwHZʅD{.1慻{">SBgڥ[|lve4O6 @LS=ݥe`BjoQ7Rq\RM"~ M!wE4E Jq1N^h[TNٞRV:0-nث⨯Y t\!q!=A $ ǟH.wV\;#VS|Yڎ2vm1vD8bMwwQV5=b}D"\Oé;p9cބ: X!A\Y6 pgG4&yL G׾_:gڋ;"u:-96GD;[\\!8﹞4ds2|/#zm7sums>2Q+gC&V] `>*b)=v3O撥rJO2EL #ޣ\5>iV21T.ĸZkhO& va0sVS˂![)sQ2& i uq$?#&,i9s-lMgq;Ɩ֚AoQC:bOYm’%@}J64j^_ʎKVkvaz&)ڎUu#fIıN,'#dΘ2ؼ>>~߻īzLrB-Jzt,y /]?Bܘ?JLA@Ʃ!hWJUTɭ`-|LQQkN L#*Z#8.ʕ1gl^[XYBН˦6'bI2t'&H\)\Qkb- q޾2CMeoe"b)6O?j5\<Dϩ)fj-Fb٭n'%賩#Jlmee;vY# LVy!&oЩRDr&}! U-ACȎ /aSDx_2YJZC.N~W/Xw(r(}]y<v)ޣ9D t&ЦځT6,X\(ԨoR:V\gh-,^O+خbZÀ`{&=b^m)?PT 8rY,3 ƊYm"{LCexTyKD`%Bx^WԀ<+~ďJn_ʣ pB2 BYA ľx _Q%IJ9x闡Gߩ#„| ͣaG#$xLqqdA zzvAf"9k~;c)@֢&/zUsoӮ"Ix֝o@g Is4?{d5uI Z3h!lі0ݬl9Uz0 y1WMwQ+9L>ops J_MjB'ԁ܂@+@YxNܼ' î5L}qLEֻ*p% ]Ir%ͺSe {,blDĎADza~nyf!4cc"gp}\~cZw!&q+e0'e$3z-D9LB&#NlZ%u('dlY40$mHNNG)ax@KTxc,/POg!TF"[RV82i/[R^&|5X` L( " 7b?y185kP}}Kͧrlm۟PƇŖyEix l ɒ7F~%w c$IkgbC2Q[+[){V7:#x8.jDQh 1nMx祖7ct>ΖPab8C7{P숰q^ VQ`ռTc˾8x}7/5’ݹB\k͹w6w4[9sk58H1)UZɗ=k@i?ŷ?As".%;}\e&$9mݾYnq/‘: ͳ#ٱ8Y=5.П1#P1}4GZ'gwȤWa]g{ƏDȨ"[#f Ni%8q]y#qˏf'튐hd*K ]@MY!--g!"w籬.F2hO{`W0,Oh(۳_T `Wh2 p ){aL='Ur M FTý R(/"]cv@nTiyRҶ.c?GjΥ\jzq  _ NhmB(16Z%&9ň_@q"&XYӸyX66 %d; Kz:^8eӗTILYwP=ܩ4)VӇ(.|^7zBFeQKC!=Q U!dqI$T$(.rt0lfWT# [Dw)9Ssc{DMKS.D > 7аhx_@!@[sMjW~{'Z?d]Y?G0\ݲ?E9<uR kA"6d޶9I>`ݍ3Ğ4jXҒvS5o45DY/S?/A:@% 0T`Q旙C&⍁&7D n4Y FewcպQ4$޳D7ܷLOQɿ<`B*\gX~(-xA}$Jq8#q)`4n,6MO%^.Hkr4:+O*[LC8XZo 7J=*]%YUڤ@Bwi `ۍ!Rb1dڶ6# 'tVgᠽ#އTm5i#-1$F'?:;vWjU} OcrFMr{:^=!8N)g1u=%\`vM͞)makJTc}6oBX>]tg&lfuS&NZț\Kxq&R+&Bha՟f)ݨZm.AQXhQNDttSLQ38zԧYNjζXճ:* ]⎔ +t#I3XX7[ БQ7zFO`(eLL"/'нSwܼ}y]v]`D1q{Я Dm<ѰI 3٫\G?19Z/y\ޔTCɭ 6-*莺?uXh/7m[E /1/6e+vƊI4 [U/ (hD K աFlUp%᧽2{ _mM-C~5͟Z~%+rI ip#V8 `h!'\]v3hd 1jyMj3!vC 4X ,TUQTVև%~ 4LW'M5o~'&:oŷh2A\W+D1"ag~x4!*Lm&lLUk) yA4_;4Z\c{/^~eb?a\&RɈ"Q:,yP y +b]}V)k!,0$ҍR@y\h8#:e+M嚤}~x w+FB~m#8NNOZaإ xš;<3&1=BF/AM߈ c@-By90+ %ChДɂ39Sy~kEKѸ`1Us+^th"j]gue:4 %T~Ru ~Į'6{] *((Y}|Ibd뗰B^[9e.Xf* LZ'[Aht=aQ.! NSHӄJdMCÄė P4ݑl<Ǜa 0hivnOJBzF(hgFDւ}pcjy|, 2E ?}gP0AX=d9 w;-iY+x4nuPe cPڦ*'kbe۫'G]Cs'qx [H/@Cѧס{ [&gRۋBs`$VzֲuĹ di87Z91/d$,4o'DJJRܳ-SЌ)(xoDhI!AC?$bHc&4l͘ms0Tt/PYNNxVS8f9R#8LcLKh 9 !o}l7p}S$vT:æ'WM`USw`Eh\.'NWen`lDN]AJ%S/>q摼"\B3ma0+Zum #Z}²j|6 VV[Nc*23K6VRG T4X H<C XCo7]F-{j& ȸEC u($̍p5UF ("(.̛FuMyw3mY)QI[gb\ CMuDn6Aͤh ~TF,Aܳ2eW}^܆x12//Դ:6dδ2\Úm3#sI; p']1E>F7X:j̓כ m6ϩXVwoխzͶ6+_C+I@D֧S r2#xqFWp'7|[ 2F쿢aBD_Y_wn[@.qEGj_?y{ţ?ZdeD)~!LJ B&IC(:QD WB+<,zE&T#ѵʷJ.KI!q_(oФ2톔-EĝmTwYRZm"L/Lha;9{5;M>3C74E[ hDYhH7IjΊWsk[;)_(GmHdOoc z)(5 t PD#DxLrGZ xGe洒0[Sӽ`rI Q!;l\mAR-69e? %8/JH/>i[܈Q 17\ryN%O`ǑOCFTROEFrrcCE\;}{~"Nͤ*Zce8Q'G=b@Y 7BwB`Xn b|e"ILDկ$HsOY+Ҿ6 gGZןeR `aGbκ7n]C5saFH*OL:T*8sR0L#RyӖI8! 6Z'ME6ka-_V2bqe1,EjHЛ)˾k!)ӂߏ*B &c((S7 N.~gw PTY[1Ѡop1a92rŐ b/b` t\%@>c 6YXG&ˌĐy}v BVv^H)n+%WS&[MSaj0tJO+%{ۅ!b˰!BP<) ˞q F9Up#k]噂(R2 ,IK:6VW6sQZ2y-#U=_F0}"Ӆ@ؗ)M1vnc0.w MJ^o_J5ltkbM_:p!jsWgk]Kb7LȽ)P-y> ߏKikpTk3Q;ȚH 3?Ql@¡HH,?UgI |)U5d!BʹvtpZF_a$4ڛYD)gvKn)l^y{} tY[4J9=xt/sn|+"7%\H A ӵ,6V)@.g֩ߝ?:OFSD5Ij"\wB~t4sەu1ܘjXvݪЅZ0+M ]n?"nm)6]VzL-lZ_g- 7n B.eMP  ^-!HP)>T^Qq._=% iGssjY@- C=T\C3%4:_Va6BDbMN-36Mrx<ӴX-8W2YFӓrs`w湳gvSY) 3 i5jq,ʢS5I5Q=5!)S*nA+@O\2y^АPQrhw/ rCf&.&1=^)dOX]tr<]|)?j2O2{:]pb̮tҝAA:Hoa+$'I|s:ŗ]9RG#$x+FXKzjcP:BWb(t+rDG4N9IJh؝ t4Goτ |Bm! 0va}Ņi VWݘa]M^'Rxh J?C4G '@yM3t7)u۽\oR[G; spw&zUm&iW EA9+JnFj]"l"ꯚX q̈uW>h. c'T쾯:j#9pHSԮm ^RYINkr7 -+L©{R̄`'S{ڴAa5Ă.Հ }֣v>= 1j.Cw2" WxS3H*]1Bavp*`wh٣1@G%ReAϗUt\2zX|1n ApHӍp-~Ȗ8]7t?iq2.{ !\gnf{&ĒW=9Ưj=XZ8uMk!_W7]M/0ށyS54Sb\i$4<%(~&#ǖֺb#f Tq86c%mUHz |:_"IH6pnj}/P6/eR0A/urlW\~7WͳӕfR+܇eOb=Ԙwk78J01iMlىe >FRTi>z+MŻ~L}|)`hEedKX9>j^Zۛ|th 8{ӪY~:L(tr5:i26,S9X[&gSKejy+!_K 6/YLG͆o0aF0V"Ӛ732R\$;ەHߝO3_^ߣlY^Z氍 ,r&+O>*TQ/-]x+[g;wFe+'J^sE'τ(<8k!Z ҪQY [mW, +[>FMB[cؾ:HtҼCrfe;_lKtBo woc>7a/>S*sE)>%tW>DGbB6]GI Co&0m6ڥLiViq ?rX i s!3p^MdJH #tDvO!@!4d)[w`?Wjss 1:l!pL6!] p8nxOȑbYTVR;|I֮jq'jx K4PN 3TPehZ=_xU||h8ڛI \5#o.譴P[V9oQv}ghØ3U M >ϠL2Qwx# 8򆅫N3e&X |%֬++tKaD*ǚk;E|@?wI L{]a2Q*㌘58U#ﮙѳr1H+=䚷/Q6E60J-EߨÚ};)x5U ?4xmfs/zZ"0Bˬ [Cx l7lk7l(z'F*0Uzɉ.f(>3ܜ9DڛuܱlV%H|.N*;8tt>ssr呲(Nz& HD_).c?+ mֈ헭Q8,\jTzg56.;B9m 3-mnp1!?*)Ѻ3})/c*u?Dq\{o` [Q΃Wlz6vnSwE\ɒ0*4^|/Llj0P;X{l$k]ǵ}ċFDztЋ9rt]I5vJėJOK\p?WTA9[aF(&P/xy\[#(Xx2ߐFhct"(z'S+{fupe]ZK=c(*mfNAm8j^1oB O7d!'Fq +9rޯ\<(FKO4 "i2~K ǐ.A|2L {c{L?f% #1/9sӤA.$ŗЌ]w* ăxzojh: 9\2bcaȞGFL|ː/~шHZ3 $8 kE;M9\CAR!]K_) X:5,ͳM,La=TxV6<8smJKGXB qmC'V VRl}āu6}ޥLU=QcS)%ƽ 8_tHPd\DZ„$kD1j!_XҸs2ìs eQ5Hcz#@v-Sd^LU7DT cgY-Z.W)3c.Β.R0r8GpOg|M&=)T(ʋ?AM;kB*,x°Z֓s]ڷ88Tks辰Lɻ%8)\yo]{i{UNlF?FDUp`~ݤTK;$"N d ZL^t~ #HDm,qSt%d[}j1=g ?K>3G#Tq1@4Q u$`;I ]0Req[Ͱ ?€!7Hj$4鄏'頙Q&ROJx`5&q4M jg$S}Lg/EHCm +PGܣ9_պM_uAP_SRL510`L֝E}[pab\!wqSP:S/𽿠(n\$`[;3OLf$]K~%;`Ƞ'-nݹ :[8ҶF7U3<4?U0qؚ'$W~Xg-hY5f [׷$+ wYʣZn&b @myj3JZJ-b!~q9%J>K33*I W0%o!RܚP9!|QSerUvN> mEg@K'cDljQR[=WF|+\+~A?I6ܸ,7񨇘ͫx[@ i쌟ˑZm/b],˖x|ٱct`dͦ_LIqANi<@7\q'!ea*c'. !?͞VsSAw3%zB@@BUY\a-c>P"H.l{&)9|M?ϙAp 7CvPv.BRvSrLK=T vBqg>G?~ewi9 N$,,̙Wf G'9Ʈvn,p'[YׇY A#?k_yT3U˰+ػ qٱr.a:z+%,@˨)#Jk- v'D 6U# ! q;+%e UW \UV1Ǡ+s`]iFxIV:+.㧖62(ų`o(ߋu<|.4.ȼDt(=<{֢Zx?e-] t!k*14vmYHZf˵rswD{Nw _/ %ԉvב;Tl^'~{ZP*XSG kN_lQ1G">H3vKrhUɎENȔ7ס(0*[[W%fQ ҫgsx~ _2Zfz.^V$ * _pqrX]C2IfS=6;;VO===NQ=/a+M6wuSf/ueႹha[*n9ܵ藓0ZNbw!ϒ2韋kl"!vS>q)fY+}DSj*$g8-=^[zpg8ZEǧK'a>ΓlP]&}31>BK*}riǩGqۆr}2J+ޯ|vmefwCʢ7 vfBx΃&QO Lt_{.YEOAa(oDyYq;[ьɚ{v-q\{4W,=MbYyˉ<6 E6*?[ 65K+)\ .Dh ,nc&O+fF\DUc+õZ589ka$IKn{k֌2khb E4-_Ad$I}Rb@yv1\e "RWs"3X7p"H2mh~WYV~ z#MU>i= [!jdxx%ݯ~7u 7td- 斁Eu}^Ő]=Lo`o6R4VˌF;/&SXA5 o9Kѝ#hgU9qHי b[*E$:0WgmrAoJcϺTA\bxL?v??kDDyȰgC魗Ef07?V:":w4t.!&d&F]JWz"_lT@^ `^ *$օ* X"\=huz&vGB1,?ӹv;v[,=a1ɚ:#Hx"n+;KH;+p.b¤ΤEs ۳Xu穬7=e[$ONY]y\#2uRi`4"j nLBX*/V+8R3 ?>~W;x,-&bA AE0S.i DáV+a;zsn؛7u W⚾3Se`0ůQwO8y@6Ja%bS⋼C[br(<0}X4{ҾļT!.~B -f\K3`jֱQW|4ɎqETJ#8`Gb=EI-vgq"At!#x.'|ǭT˷x߰N`f~>njjON!8'3dq74F~K޲hM t#ӭˉXqrG1 h ڙx/Lj/< v^p63KSiÅ$0Y>'31kPXMfܽ-]rrf 9N58p}'G;ԥku~UX2XD oNj SG^|#tjg,37l`W {dǏ"Miev.۷VLNlEx_K>+шUtȤO w9E ^3!2a5>J^%1jBћ8XEV;cT,RT[Qo{<{?vKdA4lI(^J-l) r!a,{C=_˖-#`fr6 5ݤDB5?՟tv6 _d.dp`t3{(d0j&k'$`wZ4--r1dw iR]kuq_ IM{bjBoS,O NPK1ybh_w݁0gVl ӥ|+ӡI4\<܋kx6S|ܱX PSTCUcQ'AWI UhW1G#>^7K\,!_“M3 X|M`v{h V%VjP>g7ŻūhiQOXTQ@VQ $~#Л8!S% j,Q> Y‚碒ߎas Փq'v0>K  ̀Y+ _yI  <3-q<6D:T80,+,]}avlT8w켣*XXB,$LXVo Q|t TS^ڵ  #!?a$ZcF@xn][A3hvMsҾU,@oLF#n˱,^?MSCiUɏѯ{Kh]EX͞Q@¸ʷk݁cG}[Ua@'Dp)Ř"3=íL׆YO25(v}w-?1)RpCiWXa="8ْvAW!6TNzNȑcѣԊrX1*O0C%Pq#ƢPs&u[a(b QSMegn %oaޖ]pRIf"G^ PP<5ˠG9hn%p ƥsԐӡ:BK&SՆE=gtOd.A̋NA fwanƘQ=\ˆyQ>dc˓}#ڸi|͊tw;~+Gh퇣5YdȄշw)E "v|;_|:eeɪ.ˮ]A@\a"{xl7ZDz=DxMK]<-Y)vB*b#w߹*)\fl"Jt݂7G tw<̨345w 63:àF1 ڽ v Rz5a do-4 ]74U{iX==^zT`]/$Pxe̋:=ZS,T& l xҎ3n]M7ksrB#S$c(ejyYڎ; 4 ]*I-{\' @r5Darx4k.Ȗf ~'V:zoTNv=:Y-b㥐i{Sh Ċm{IwN%ҩMCon:UFG(1(RA#JU躄<aQN\ǽoJ[ޔF=+~Yy%I)@-l2HF'Y;|%!ֻ@y2F׼ $(ґǓR&-n@:5o$(&?k!,[HțXGȟiG=k`WSHL-7!8kj06&ߛWJ6ظjh@b:.=k:.#{l6'穷(CZ|yS<0BgQOؓp)&ai2Cȯ_UoJf>V r"[$4 [s+x6\[@HrPtV ([Vu:6_HRez}du@Us5^ޣVU))臽SR8ۨT uoKg.?Mq#6dcK<@Zuܭ@G2G8vKIDp]Q{>p>.t,LZ%Db}IzݴBlhi7>[gQ+*W]jsM+h6(Q+d:_T0*rƆNIb1e:FC+LDcĜ/tfIbP5ZLp>ӗܯaQDX';?Fr-'gx80 WO}ja^rϫl_g<#6 <:GwIytV*(sowx78 O}ѼbO!> o4 E|ъM!9VtV;Uљ,R .@>-/--`މG+__;b!ͩ ̽j) MƜeUOr4h|#9%ۂ\(0?<5Z^e )k< wN,64|l.#zҒ6 yEKwv>:/˂)?mԋ3,p.ETK"U.1{A1,]3[$ f{MT.JPv#0q*:M좞ߟJ=/IeL2BU[iy쮍aR]Խ΃oҽ]O]Ԯ|yݺaf{!Ѧk1 II B>J(2FZ4G468NNs_*n@H :}=} c 9A%qx-Wvhf۸r}qJTu~ђ\"2ݫ-㏑odۏz?_UF '@/{& SIU> `Eu|kM l]x'db}j,?:kx?_=;upu Ȱ5gT. g< QddnzFT-b{#=/=jI?[E\U>K{at>ä`zu$%Ja4߬:M45U)Q66;_Mv6I>mGÿ[O/& 9*SJĢeiBGO*L]sfQhߺ7H4i;#3DeDNf6rdaE3L`B͉ŀ5]y\ŰAU?CZKp8^[A[B+}p_9@k"yg7@1rpu}Nue6 8lHhFUר'$q^xwkX>NJJW/zñs|}FXJQQ8(B-v S~ճyzGUuEi~"]1N}D]ćeTE9F:EŁLEeٞ.z̡nKg#Ѐ׀GaeH$\@+ 8MLCt^wĖdE#:h.iktrMs!+ 7HfhUd[rE<*qmq\F 3/Cse v-2?p7,mڙ V,|Y2ifnւ+1`Hȍ< NiݝNNCo.=ZOn?J.Jksj;Wu-l͘ϲ9*Y4.<+Q(xTrnD43Qs?Ozx1aQ\pA@aᮥԳ[DщlT$Gm~\戣lG/?RT!C|V.f{L[o+!T-2CpеyLnz =_ n B" ACy +3;r R ѷQd&moNAE߸=9*^οuHwL-I@es{z70ϓOvAiEtQYrg}(O[(RXώv? h43hph!L+2"f>εj]4M~Kʒ|J~KFDw7@V:Ky?E W;-t敃A<3mBi#H4.J[{( w<Y1xLr |dTuI*QgŴn!ī*noU |My$8 ],꫐ېLJ˗hO˓;U'F3ƑYUak~ա9Za?' JS\{sҌߓcWEEQ1V"j@)Sk%G ,@Xg,ɇ yQ ָda&"滯 z~khw쾌~L/G.jZGٙϧ Ֆuԛ*I%`H՜FR1-JT㱠Oe9[=AL4G-[gHN5e|cۑi=NJDhBP8ݧHW[0=Xꋋzy5Z֒_b-TƉż¾RDGH,r/%8kS3Xj=JT/FxdNymG4J !֘Ui! +ԻtھnDD]:?>L{9J"g"6LSmEuq|Z HqcȰ "%{~E,,$Evj.tyS(`$Ye>_:F DǺ8(`ţ[gu,ap,{3lۼXcI[b^( y1v'YtU쫇&\%[lvaBKx, %-aINKYfI+Ԣ`0IoP4[#p{2&i݋R|T? иQfwc1P 3 !Xj&p5L6 \ h>šNg4c*q> XkXwC/Oնt uWG<֞,̃VS`s#_=O:@al r|s2Xo9ew#RBMY5MqWxevA0ZFvH\'JپK+get{Lnv :3wfMϘ ^ bPM0&jg@fwdt<e͠ɸ s*POC ł%|ӆ7ieȮL%zftrŇ[gl{8\uFk *82Z99C~JYa %㙣 3W$'xDn_qi00|:'tt{!EI` : ηC 1f|g_suRx`9oA3%{1P( wf̵ )_쉣 ܬZ EfRb h YOataq'Z$81#]TRWܷcNAn"5SEM!-J!мm)U%Yu7" V/;~Og;u7CW; >qerv_/H3(X!9f>OL7hn坊v:$N:1#yK7pQ|p#mmcQ Qо6b0кsޖZ}o BcRwvhCn i? *%yWȜcV?ű:B; Buj@RTp4jֳ-`CP]P#i"ʦo5i+c*.JO7VU~i_'\Z9%$DV$uMn6y.$cGfÔjn!Htv :[^I^Dnfo6_ 英6~<\1k؈V"|O dpo/gxps+P}<8f|439U$HXnY}=*hH@#e%Bs˕?ؘF ^&"BCɉO'ڝcYI+]:C[frkoh^N?c#EOUzs?$̀@_s 0.CnBc, u'$zc,QU+2Q83quwS %'T{EeL9נp.A/ `]jVOJؼS#<;A*soY$T A_o= Y82W&TP,Y-t22 Qt;~?&%wY" kЁ'Zut!N5G-?YKHmIEp|s"S\5^@Q^P?y<B=#i[DA:emfBY,7J2СSuT/Q ۾q9j!LfLH,-,wW\M#ZHH%Pb?=0r'1fJrD}"͸C{BA- pFQ`~!6'z,Pa-e lRЗUʛ\Ĵjht?},1ŀe)e><fx-9(Py P6B*Ѹ_ؾOvk5~J풏ʕ昭_Qn0;<:Ę#:\DP䄤[xvl*qVzv̤kݘtf2ۿậDdظ+ԝ|m8w`AwEyaΣ7*SR迒xi'YQ8rkiU&.|p1HǏ e&[B[[4n*B+x7 wy@u( }A[NRw$ޘ wX3U4hn=(y$Y7ַ&RR2 VUGrI'bՎآ<-̼_,^ϸ>BjIo5BReyB*l^r/x1>>oY}L9R,,1 L:ξɟ4:K3y9R ؊uhj͑&"[ x+W(kCt.(N%Ll?L/ؑL~u"2@5w;Kl3 ڳ]Ȫzvu+=KӖw#?_$F pfon$@v5XU^rC`%^Yڪgƣ+Rӎa+Tc䊝Hռe$~g,d|ؽm.;>NMJr[S8ѕ$#ZS 3ࡤ+AN;}GM[rNpPNG ʛ`d8j !k\f'?yp&WMGz=wbꭞٷB\'ɔT9M@#c@xa80IH1奛 LV勉2DITI\M\[+hH7u HD 'HZJi[#`\8΢ {Ԩk 5/r,WR Q, R%&&I)¶„%Rjg}U(c[(SjQPI+swEێr#0t-=G?}CIA=VD߃3I)cWr 1|k`ݯG?܃r}9HkeT` +l>O3Vo+XRK!BJSGgx{5qa %9EfQ.lP~Limh2piP o#5OIEMړ'uxkߠ;d5ިwg͑b߶qa^]aMCf|-!;JѷJ/q#qHs  F{ gs}W8=a]zus%#iwƁ;ZKK<LJE"MC-dh4S$G4ڋs%2-LBQyGZw9Y$괕JdWƢ1@Y}LymG\ ҍ$b LfJu%_Y<):M; 'gϋv+6xăO ܁d\aҸNq fڋrp_ة*hPLl43ӵьK;lP5L;ۂsb>_)Z r:ܓ` P&4򐴅3I G7Xռަ]`$qD.&pJٶ"&8N3D AZ cfA9?Eq;쥁%55AR2 !x+?p]Ͱt,_w`e|A :0N]<;ĆH!OtbC ~c22e1$-^̱Aqgn#T .  O _-y9fR 'ɐ{{DfMguN3AǷzάŷ|ͣPv;$0L%)3.cWBgiOӂopz@gVl0H#^1@S6fn519&Hi)S?&dL~V{koIde݆zxU2. bK UP1ߤ",#x-6Jr?MxFEh? '3P T u [e4.+ڟWdyPARO5nKʗ3g({"dg`R\4K n7]t*՗EA c趪:y$G*ck}10Y.3f3S%&_O R4ۆ'5Tc| ܽ]YăRC#8{Lwzn>QR?1{2,W)?_ YkyOd8rUEwki혗H0)V"n%|8Qj[z/N2DR-`+H{]Ge?y 7P :Xh |Aø >"%wOJVaqT )72n!hy:ߨ*a0q,WGL y%u(㼮K%,_kGmfSğvƇB5H $zd;4M*OU ns1%㫩x˳]PZ 7l,%?\P#G${-r)vn 'Gϵ쁹O"%sDZi(/59UۅO}]4lCs'C&M͛-L"9QqoT+KoY Ȟyx̬TaPs](+ij)#bI- !ڃ e+np1) 4AnPk!FhzpvzAIܬ!;'%dr]Xh4Ao-id<ֱS>H)֑PVqI>p>. }X+E>5~}K&^pWMRIn6̛$ӛSVֳKڪΆ]w)hP͚$j*qG<4YȆ%2)d/;ϡBxX/]`ݙN@xվuS06|K=R&bu[ e)^w[ظ B<1C!,G ޑƹGsIC&o|g?<O#0S& ʊzq ,O2tMOgHe{n[E9iAa3S`oC(,@tʇX(] VQ2mZA _6Nt +d/O+6dnʿ_:Xu/\Omb1Ӱ{Ae^}3B444,J!)[F":@oťܲa Dd4e%ԊWqP,$;X+ ݒ5wT, hߏ(rC (J} h0b#:I4O7:n]X H?q][/]q3U%.8Zj"' FC ä Hzְ+ 1TEGek~TP] >YqҮ+ڦ:(;u&!M,}4?͛:k CǦ;0eEBk=z8U^5~jG,>56"UbT*f.&6cL1O)p"op(E7^f.җ1+sq,߭ԙx̣H&en?Z\EuxeM/ͮBeKxȷ⪐ KUr~V+";,Eؖp ,yG0)_c |o)N4pq!TLSՓo4q@H:aUKB!8҉_Rxj/haW5VU~w57|(XKTaO[YO b+|1맯f+B6Mqw1Fbb&hAِ`mrD.Xʥ! [:[־*(r L/DK.7["BY&ÖܒmVwCY:l/l 0Wfϝ=S~ :}Еl7NzZyfв:lɹN,%ZsLō8罖23}MO1`k;qHt qWp^:=D >ORƸ-2H@p@ lfC_g3Lû;p#e5VW%Z-l03[&|}4Kgt7maJxؔY .ik )&"CN1L3wd'Y.вCΊuty AJӱ"uX⮺9E;RMScG 6FޟvaZr4eg,ꬫ"̠OhYZ#:Ps߽)'e2rߍ cpaBf@ZlAQJ";0Md(ܡ'"um~ nLƇ{G Ԭ ʏ49Tгt~74/кr\,JG=%1|͖-zٰ__?5ͤ9c 7o'G].z]5m'An1< ыECO=_?he @AT[_=T~qOۇ--{HbTzH&oG1^vȊ3F 1{,:Nl`]Y]r8y2߷Q#*]*ԫn38gow(4H3qc:+C&LҞ%2~ 1Q_VT  m'ix46]*ttu/jR)9zԢGwxQ;9!6#Dd/(z?AsJ5sFO1[m^zzŢK!BKgF?"S{mc#`ʸY}o޻WFͳ#T]@ ;:]Y9' } U=muNdRn 4G@$wqv K%Pk_ύƦ}ԩP'C~QW'bB56hُj_&%;ccle@!C©"Y TO,F^m:km1y/<.6ºwM yvkC\3By*B͘csj)[V$y·urI2y<`fHr8Wee gr,.nބk!OyY 'h3HA 9KtQB]rRKD՘.=_aʨ&E 1uNnʃŇP0?%4.ͳjX? @i|e58xdLVS  <[7\F}D&AG6kKzEs3?┫-sDTEVT n>KU"J cz=h@ LթT5۫iT؈BlPvW@~fCQ"j󒔚K$\qTh2տz|mڗ{˜mO.1'TWwк{]>׫c ׏C Q`<gUM_;BrH@0*) oZ2u k8E}6t?fp]e.J6҈ٸak"Zz YH\4?ufnoɈ"4C#x~4zbtZRTf{^D`m; ![rylwыhvJ:AIQe8Lr/#;j-?y[N<71ܞǜd"^edWԫ+)IƑwm5D *)ZԮq5|#36dgz5Y{w#ɻ}ÎN^5g4=#WMu?վ+b]ԈULOm0{@m;+oI׆L~9w+0CYH˥ڒlw6TY T[ۄ8a6qF|{2E1`L'Su El+A)i9dIJ:u6k/8F߭mp }d%y^NEk4BTMy @"49NZT&88C)?W ?~w 7=#QܩS AF좯x 4*Ru zǶy$uׯDHIOgy sk=e>guOVӍXxALP~_E&N~ klȳ}ȨHtT\BP TUuWNB lyHvƿxymJDVe (P?-WVʽKB_mx87>Pcz-jbzt܍gy/dgGCP@Hkv|gy Cϧ)oF )lN՝p\Y.(i؃$J)=K+StAR(}*tn0$2Vx>6At2BsD$A<*,'{u(t"BJq("tQhPu&Oi7NF& Hu$ٴAr:(v(5[I _~ sXd]uX-fUˑ򍘒ַDz=S`vBEU7czM*Nice/n^{gSF-j 6s&V6wa*.O2{мPDc}i#.Ćߢʙ YZ