freeradius-server-utils-3.0.21-150200.3.12.1 >  A cp9|/n= (^p}|m@HU^9d Um!T ?m)5EԢE#>.W|h/{#JɆ@Ft_u{+3\zi+|VArfCJ4ɸaI'z Y[.B2uHx(ՓvVsJyF (ye P\>+sM.:3D76g47HhRx~iE]/ 7PnVS>@䩥(01f8dc7e0f4100dca631a848c10f41c236f54690c31b37b4c85b97f8597f526c18c93530d2d6b68bf69f37d6b07c019185908edeTcp9|o^^ cg#7*R$IL6wto,L&o*b[cyA@|n.3@2'!"'k Y1p2B ts> Q92r{SrF]yYjjqrPHk =@1J8s^;y L+6GCY&m V#mӀ^~7BTXw!cdX *`O׫ѹXce"ZhD@ZElFAiXnb%h3dM#=逎т$oQ>p>?d! / Bhlx| -3<   \ t  d   l   (F8P(9(:(FGHIdX|Y\]^*bIcd~efluv whxy(^zCfreeradius-server-utils3.0.21150200.3.12.1FreeRADIUS ClientsCollection of FreeRADIUS utilities.c$s390zp36GPL-2.0-only AND LGPL-2.1-onlyhttps://www.suse.com/Productivity/Networking/Radius/Clientshttp://www.freeradius.org/linuxs390x ` [~?0q$ YI8 O6*w큤cccccccccccccccccccccccc6dc6e398bd0380cf9bc2397d51ef7b8ba8755ef48d45a9f9fdd0a359cf4f36fb724e48cc3e89e4edd4ae624cfc292ca6c856a2865850aa1029b66191043026b1ef8ec2f344d438d0fa7f1918130c8459fa4a9cbd45b105519437e451e4aa124231f925ab43e83fdeb8bfdde14c080286e54823f894ea0985c3f76b5d8606dda541552151a6b5a36a63c4f7441a0ff3ba9f5f9618e51853b71cbd001b07d1c27bb697cf1626be74fb2144b692de899dc5d9b1643e98fe12c33bf2f9aaa78a4aedda7b33b2546a1d399f9d53c71cc857b71e84f6c5113419518062e1128d4b38bca9bf299c72d458ef397164d802379e00f132b00d8ca2de7ce54c19a7fd379b66633626a621d82dc084197237d414a866f41d9b46e960b7853ad75ae346ce4f78ac75b5c19d977fe528dc805d1f136ba06dd96c43732dbf95aefa2b45a0bdc17be5431156ad54e262fc3f082773d20c81f02a4cede8ef978b46a7de3552dad16106c629fd33c4322b5e597fa5620cfa0317c75b6230a1801eb9fc903d2d384a22590bf323cbf624d85728e22a9fdee9064246bf3e2b0bdc44a6b02f524b1186bde65a6a8389ca1738e2f115cc327266290b3207dfb2a5c4bc5a2e3f32d1bdea0634cd7e6f441af0963e83b58ae22c338d4c4daec3edb92c4f731d8303cb0dc6e72ef1e2f35bf523934869919af2b2177c9ee9e9c0ab6ad52af5b57614b12c2d08bc0e0beb9bee88c9ae9e70ab53b4a5b3de2966aef097e016549c494e4d961771435c618ffe1369697e5f228e99401687c6e2276f9ea75d7ab76232060ef0b549eaad978fa290c5fdce3b0dbb5763b122358d6f2c1056ec755663a4015c8a4d00f0114e9efa73dbea5a5d35fb6b9e20f1942dcece8c48adabb1c4649de10440217dbe6b5b6389623779e0eb9b098e59c0525cc1cd59dd1109cada0e1fc87c00bebcbd784ee828b1cdc019207e918c356a8b51f58ad9a44c364b43c6fe8e4e40d9d7dce30598dc43bf317f3d4d6f29d947c5427c63a93797c274d2b685fc8661f939f4849d961e2bcaa4094c331fa34c28ae5869cd58bbde8e3f59d364d9f342f1rootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootfreeradius-server-3.0.21-150200.3.12.1.src.rpmfreeradius-server-utilsfreeradius-server-utils(s390-64)@@@@@@@@@@@@@@@@@@@@@@@    /bin/sh/usr/bin/perlfreeradius-server-libslibc.so.6()(64bit)libc.so.6(GLIBC_2.15)(64bit)libc.so.6(GLIBC_2.2)(64bit)libc.so.6(GLIBC_2.3)(64bit)libc.so.6(GLIBC_2.3.4)(64bit)libc.so.6(GLIBC_2.4)(64bit)libcrypto.so.1.1()(64bit)libcrypto.so.1.1(OPENSSL_1_1_0)(64bit)libfreeradius-dhcp.so()(64bit)libfreeradius-eap.so()(64bit)libfreeradius-radius.so()(64bit)libfreeradius-server.so()(64bit)libgdbm.so.4()(64bit)libpcap.so.1()(64bit)libpthread.so.0()(64bit)libpthread.so.0(GLIBC_2.2)(64bit)libssl.so.1.1()(64bit)libssl.so.1.1(OPENSSL_1_1_0)(64bit)libssl.so.1.1(OPENSSL_1_1_1)(64bit)libtalloc.so.2()(64bit)libtalloc.so.2(TALLOC_2.0.2)(64bit)rpmlib(CompressedFileNames)rpmlib(FileDigests)rpmlib(PayloadFilesHavePrefix)rpmlib(PayloadIsXz)3.0.213.0.4-14.6.0-14.0-15.2-14.14.1ct`@_@_FN^y@^p^h^@\\v{\u*@[<[2*ZZWQYY@YlY, @XO@X@X*Xh@X.@W@WiV@V.Vf@UĝU@U@UU8U7@TZ@TTT~@T|X@adam.majer@suse.deadam.majer@suse.deadam.majer@suse.deadam.majer@suse.deadam.majer@suse.deadam.majer@suse.deadam.majer@suse.dejcnengel@gmail.commichael@stroeder.comadam.majer@suse.demichael@stroeder.comadam.majer@suse.demichael@stroeder.commichael@stroeder.commichael@stroeder.comadam.majer@suse.devarkoly@suse.commichael@stroeder.comadam.majer@suse.demichael@stroeder.comkukuk@suse.deadam.majer@suse.dejengelh@inai.deadam.majer@suse.demichael@stroeder.comadam.majer@suse.demichael@stroeder.comjkeil@suse.demichael@stroeder.comjkeil@suse.dejkeil@suse.dejkeil@suse.demichael@stroeder.comvcizek@suse.commichael@stroeder.comtchvatal@suse.comvcizek@suse.comdimstar@opensuse.orgvcizek@suse.commeissner@suse.com- CVE-2022-41859.patch: fixes information leakage in EAP-PWD (bsc#1206204, CVE-2022-41859) - CVE-2022-41860.patch: fixes crash on unknown option in EAP-SIM (bsc#1206205, CVE-2022-41860) - CVE-2022-41861.patch: fixes crash on invalid abinary data (bsc#1206206, CVE-2022-41861)- logfile_secrets.patch: do not log passwords in logfiles (bsc#1184016)- freeradius-server-radiusd-logrotate.patch: move logrotate options into specific parts for each log as "global" options will persist past and clobber global options in the main logrotate config (bsc#1180525)- freeradius-server-radiusd-logrotate.patch: fix permissions in logrotate global section (bsc#1170505, bsc#1174905)- update to 3.0.21 (jsc#SLE-11896) Feature Improvements * New stored procedure for allocating IPs with PostgreSQL Rates of 1500 IPs per second are now possible See raddb/mods-config/sql/ippool/postgresql/procedure.sql * Add SQL IP pool support for Microsoft SQL Server See raddb/mods-config/sql/ippool/mssql/ * Added RCNTEC dictionary. Closes #3168. * Added Pica8 dictionary. Closes #3179. * Add TLS-Client-Cert-Valid-Since attribute holding not Before date Patch from Boris Lytochkin. Fixes #3157. * Generate attributes containing unknown OIDs See raddb/sites-available/tls * Update the WiMAX dictionary. * Added ability to rlm_python(Python2) show a stacktrace from errors. #2979. * Add WiFi Alliance Policy OIDs. See raddb/certs/xpextensions * radmin now shows coa stats, too. * Sample schema extensions for summarizing data in SQL See mods-config/sql/main/*/process-radacct.sql * Update dictionary.aerohive, dictionary.fortinet, dictionary.arista and dictionary.erx. * Added VAS Experts dictionary. * Many updates to RPM and jenkins builds from Matthew Newton. * Added %C (time now in seconds) and %c (microsecond component of now) back-ported from the "master" branch. * Add reload capability to systemd unit file in Debian and RedHat. * Increase timestamp precision in postauth to maximum supported by each database and simplify (and make more consistent between drivers) the timestamps in SQL queries by using expansions. * Option to set dictionary path in raduat script. Bug Fixes * Various fixes found by PVS-Studio. * Set permissions of certificates in bootstrap shell script Fixes #3132. * Increase the 'nasportid' SQL field for 'varchar(32)'. #3141. * Skip processing proxy reply if there are no home servers available. * Update SQLite IPPool queries. Fixes #3177 * rlm_sql_unixodbc fixes. Fixes #2822. * Fixes when building with LibreSSL. * Fix the rlm_python3 build. Note that this module is experimental. #3183. * The rlm_python should append the 'python_path' paths in 'sys.path'. It fixes the expected behavior to use the existing Python modules Fixes #3180. * Fix rlm_python to print the script errors properly. * Bound total query time for PostgreSQL. Fixes #3253. * Many fixes to Oracle sqlippool. It now does 500 IPs per second without any tuning. Fixes #3270. * Reference sqlippool by it's correct name. Fixes #3272. * Revert 3.0.20 patch which caused crashes on duplicate clients. * Update WiMAX-MSK attribute. Fixes #3280. * Fix crash when trying to access non-existant regex capture group. * Use timestamps (request or server) rather than SQL NOW() in accounting queries so that these are stable when replayed from a file buffer. - freeradius-python3_patches.patch: upstreamed- update to 3.0.20 (bsc#1146848) Feature Improvements * Added Force10 dictionary. * Update dictionary.hp with new attributes. #2690. * Update dictionary.aruba with new attributes. #2696. * Fix side-channel leak in EAP-PWD (bsc#1144524, CVE-2019-13456) * Relax OpenSSL version checks, now that their API is both public, and stable. * Note that tls_min_version/tls_max_version also support "1.3" Since there is no standard yet for EAP with TLS 1.3, it will not work. * Added tripplite dictionary from #2760. * Switch to the async interface for rlm_sql_postgresql so that we can enforce query_timeout. * Added new LDAP option 'allow_dangling_group_ref'. * Updated documentation and functionality for EAP session caching See "cache" section of mods-available/eap. * Tighten systemd unit file security. Fixes #2637. * Disable TLS 1.0 and TLS 1.1 support in the default configuration We STRONGLY recommend doing this for all installations. * Add expansions for *outgoing* Radsec connections "%{proxy_listen:TLS-...}" for TLS-Client-Cert-* and TLS-Cert-* attributes. Fixes #2839. * Add %{listen:tls} which returns "yes" or "no" for TLS or non-TLS connections. * Update dictionary.lancom with new attributes. #2847. * Added rlm_sql_mongo. See raddb/mods-available/sql. Note that this module is experimental. * Added more documentation in sites-available/robust-proxy-accounting. * sqlippool now re-allocates unexpired leases, to prevent IP pool exhaustion when clients perform multiple reauthentication attempts * Add support to radmin keep the history in ~/.radmin_history. * Add support for ENV and LD_PRELOAD in radiusd.conf. See the new ENV sub-section of radiusd.conf. * Update dictionary.aptilo. #3002. * Update dictionary.airespace. #3039. * Add sites-available/coa-relay, which makes CoA easier #3045. * Add example stored procedure for IP Pools in MySQL See mods-config/sql/ippool/mysql/procedure.sql * Update dictionary.dhcp dictionary with the recent hardware types. * Add experimental rlm_python3. This should largely work the same as rlm_python, which was Python2 only. * Add Dockerfiles for Debian10 and CentOS8. * Add RPM spec file compatibility for RHEL/CentOS 8. * Notes on certificate constraints. See raddb/certs/server.cnf. * Add NAIRealm example to raddb/certs/server.cnf, for RFC 7585. Bug Fixes * Allow listen.ipaddr to reference an IPv6-only host. Fixes #2627 * ERX-Acct-Request-Reason is "integer". Closes #2635. * Fix a slow memory leak in the file management code. * Try to fix file permissions if they get modified while the server is running * Fix slow memory leak with clients. * Fix request and connection timeouts in rlm_rest. * Fix systemd issues. * Fixes from clang analyzer. * Fix missing include for the dictionaries: alcatel.esam, altiga,alvarion.wimax.v2_2,aptis,asn, audiocodes,avaya,bristol, columbia_university,freedhcp,garderos, infoblox,motorola.illegal, starent.vsa1, telkom, wimax.wichorus. * Fix internal sanity check when running with "-Xx". * Allow "inner-tunnel" virtual servers to work better with "accept" and "reject" policies. * Fix dictionary.huawei data types for Huawei-DNS-Server-IPv6-address and Huawei-Framed-IPv6-Address. * Framed-Interface-ID in postgresql/queries.conf is string, not inet Fixes #2817. * Fix rlm_cache to complain on unknown attributes in the "update" section of its configuration. * Add configure checks for -latomic. This helps on armel, mips and mipsel. Fixes #2828. * Add support to Oracle 19 and 18. Via #2857. * Add support for decoding tags in rlm_rest. Fixes #2848. * Use correct passwords when updating CRLs in raddb/certs/. * Properly separate "originate-coa" packets when accounting packets are read from the detail file reader. * Use the correct virtual server for pre/post-proxy. * radsqlrelay fixes backported from "master" branch * Fix DoS issues due to multithreaded BN_CTX access (bsc#1166847, CVE-2019-17185) - disable python2 for SLE15 and Factory - freeradius-server-enable-python3.patch: enable Python3 module - freeradius-python3_patches.patch: backport python3 fixes from upstream - freeradius-server-opensslversion.patch: updated- Enable memcached driver on SLE15- Add missing BuildRequire on samba-core-devel required for windbind support in rlm_mschap.- update to 3.0.19 (jira#SLE-5890) Feature improvements * Update dictionary.cisco * Update sqlippool to allow for stored procedures with PostgreSQL. This increases performance substantially. Patch from Nathan Ward. Fixes #2540. * Re-added "show client config" command to radmin. * Cleaned up mods-available/sql example so that it is easier to understand. * Added pfSense dictionary. Closes #2581 * Update dictionary.h3c Closes #2592 * Update elasticsearch/logstash config for v6.7.0. * EAP-PWD security fixes from Mathy Vanhoef. See http://freeradius.org/security/ (CVE-2019-11234, CVE-2019-11235, bsc#1132549, bsc#1132664) Bug fixes * Update dynamic_client module and server core so that the functionality works. This has been broken since at least v2. * Fix crash in sqlippool due to escaping changes. Patch from Nathan Ward. Fixes #2532, #2533. * Fix systemd notify, watchdog and unit files. Fixes #2541, #2499. * Fix erroneous length check in EAP-FAST. * Update documentation to remove old "ignore_null" configuration. Fixes #2578. * Fix default POD port. Should be 3799. Fixes #2591 * Correctly encode vendor-specific "encrypted" attributes. Fixes #2600- reformat changelog mostly by wrapping lines - add missing bug numbers for security fixes- update to 3.0.18 * cleanup_delay can now be 30 seconds. This helps with proxies that have packet loss. * Do-Not-Respond policies can now be set in the "post-auth" section. * Encode / Decode ADSL Forum DHCP options. * Fix module ordering issues. e.g. when "sqlippool" needs "sql". See the "instantiate" section of radiusd.conf. * Add Big Switch dictionary. Fixes #2252. * Add sql_session_start policy (raddb/policy.d/accounting) This minimizes race conditions when using Simultaneous-Use (#2257). * For rlm_perl, all variables are now tainted by default. See raddb/mods-available/perl, and the "perl_flags" configuration item. This change should only affect people who are using variables in insecure ways. * Allow "sqlcounter" module to be listed in "post-auth". * Add support for IPv6 attributes in SQL. Fixes #2280 * The server is better at handling fail-over for outbound RadSec and TCP connections. Fixes #2284. * The server is now more aggressive about retrying failed outbound RadSec and TCP connections. Fixes #2284. * Add TLS-Session-Version and TLS-Session-Cipher-Suite to the "session_state" list. * Add expansion for Radsec connections. "%{listen:TLS-...}" for TLS-Client-Cert-* and TLS-Cert-* attributes. * Add notes on running "ldapsearch" using the parameters from the LDAP module. * "ipaddr" attributes can now be cast to "integer" type attributes in an "update" section. * Move main thread queue to using atomic queues. This should help with contention in high load scenarios. * Add "recv_buff" setting to listeners. For more details, see sites-available/default. * The sqlippool module can now use attributes other than "Pool-Name" to assign IP pools. The "Pool-Name" attribute is still the default. * The "unpack" expansion can now unpack substrings. See mods-available/unpack for documentation and examples. * The preprocess module now does "ciscvo_vsa_hack" for Eltex-AVPair Fixes #2301. Vendors SHOULD NOT USE THAT KIND OF ATTRIBUTE. * Allow for -LDAP-UserDN. See mods-available/ldap for more information. * Add sanitizing of control list for moonshot. Fixes #2318. * Update rlm_sql_mysql to be compatible with MySQL 8 Fixes https://bugs.launchpad.net/bugs/1795310. * Allow logging of only Access-Accept or Access-Reject messages See radiusd.conf, "auth_accept" and "auth_reject". * Removed Connect-Rate comparison. It was unused and broken. * Add dictionary.infinera. * Use OpenSSL HMAC functions instead of local ones. * Some SQL modules can now use "auto_escape" to escape unsafe strings See mods-config/sql/main/mysql/queries.conf. * Add wispr2date conversion in mods-available/date. * Implement dictionary-based handling in rlm_python. Fixes #2334 See mods-available/python for details. * Add support for SKIP LOCKED in sqlippool. This can improve performance by an order of magnitude or more. See raddb/mods-config/sql/ippool/*/queries.conf Fixes #2383 * Allow PSK and certificates at the same time Except for TLS 1.3 which does not support that. * Update docker scripts. Fixes #2306 Patch from Matthew Newton. * Add crypt xlat. * MySQL connections can now skip verifying the server certificate. Fixes #2481. See mods-available/sql. * Add better mechanism to detect MariaDB (Old MySQL). * Add RFC 7532 "bang path" support for realms Fixes #2492. * Update dictionary.ukerna documentation. Fixes #2493. * Add support for systemd service and watchdogs Fixes #2499. * Check for openss/rand.h, and allow building without OpenSSL engine. Patch from Eneas U de Queiroz Fixes #2517. * The default PosgtreSQL queries now use "ON CONFLICT" to better deal with issues. This requires PostgreSQL 9.5 or later. Please use a recent version of PostgreSQL, or edit the default queries to remove "ON CONFLICT". BUG FIXES * The session-state list is no longer cleaned in the inner-tunnel. This lets the outer Access-Reject section access session-state. * Fix typo in lock initialization for TLS sockets Found by Sergio NNX. * Add check for crash when home server down Fixes #2233. * Add username key for postauth table. * Better libpcap checks, when the header files or libraries are missing. Fixes #2245. * Allow building with old versions of OpenSSL Fixes #2247. * Allow non-FreeRADIUS State attributes to be used with the "session-state" list. i.e. State length != 16. * Be more aggressive about cleaning up zombie children when running in debug mode. * Use LTDL_DEEPBIND, which fixes issues with Oracle libraries exporting LDAP API functions. * unlock files when asked to unlock them. * return error instead of asserting in map code. * Don't write 0 bytes to SSL. Fixes #2270. * Remove "expiry_time IS NULL" from allocate_update query. Fixes #2262. * Various dictionary cleanups and consistency checks Fixes #2281. * rlm_python has stronger thread locking to prevent reported issues. Performance may be affected. * Don't allow Message-Authenticator to overflow past the end of a large packet. * Fix crash in sqlippool when SQL server goes away Fixes #2300. * Typos in man pages. Patch from Nikolai Kondrashov Fixes #2303. * Fix crash with CoA packets/ Fixes #2304. * Fix crash in rlm_exec with CoA. Fixes #2328. * Print errors while parsing the log config, and don't quit when deprecated log settings are found. * Fix DHCP encoder xlat so that it can be used with a list of attributes. It previously only encoded the first member of the list, and now encodes all members. * The "expr" module now skips more whitespace. * Remove internal FreeRADIUS-Response-Delay attributes from attr_filter Access-Reject. * Don't send junk to redis when maximum args reached. * Small updates to IPv6 for accounting schema Fixes #2364. * Fix OpenDirectory integration in rlm_mschap. * Fix slow memory leak with dynamic clients. * Don't artificially truncate debug output for long strings. * Fix memory leak in EAP-PWD. * Fix crash in "hints" file with Fall-Through = yes. * Fix crash / timer issues with many CoA packets. * Fix attr_filter so that it does not treat vendor attributes of number 26 as Vendor-Specific. * Fix reconnect correctly in rlm_sql_mysql. * Fix rlm_cache to properly use Cache-TTL < 0 Fixes #2485. * Fix rare occurance of bad xlat expansion. * Check for rare race condition when a proxy reply arrives too late.- install license as %license instead of documentation- also fix ownership of /var/log/radius in systemd unit- update to 3.0.17 Feature Improvements * Add CURLOPT_CAINFO. Patch from Nicolas C #2167. * "stats home server" now supports "src IPADDR", to specify home server also by source IP. Fixes #2169. * Add Dockerfiles for a selection of common systems. * Increase number of permitted file descriptors, for systems with many home servers. * Add TLS-Client-Cert-X509v3-Extended-Key-Usage-OIDs Patch from Isaac Boukris. Fixes #2205. * Update main READMEs. Patches from Matthew Newton. * Added dictionary.mimosa. Bug Fixes * Don't call post-proxy twice when proxying to a virtual server. Matthew Newton, #2161. * Use "raw" string value for shared secrets and dynamic clients It now parses strings with backslashes and "special characters" correctly. Fixes #2168. * Fix RuntimeDirectory for RedHat, from Alan Buxey. * Relax checks in 'if' parser from Isaac Bourkis. * Minor cleanups for %{debug_attr:&request} from Isaac Boukris. * Be more aggressive about cleaning up cached certificate attributes, due to deficiencies in OpenSSL. Reported by Nicolas Reich. * Be more accepting when parsing IPv6 addresses. Bug noted by Klara Mall. * Fix double free in rlm_sql. Fixes #2180. * rlm_detail now writes empty Access-Accept packets. * rlm_python can now create tagged attributes. * Don't crash on duplicate realm + authhost / accthost * Allow partial certificate chain to trusted CA. Fixes #2162. * Treat SSL_read() returning zero as error. Fixes #2164. * detail writer now checks if the file was renamed or deleted. * Add User-Name to Access-Accept if EAP-Message exists, not Stripped-User-Name. * RedHat Systemd updates. Fixes #2184. * Use correct API for State variable in rlm_securid. * Remove broken radclient option "-i". * Fix "users" file (and hints, etc). So that it does not get confused about entry ordering with multiple $INCLUDEs. * Fix rlm_sql to expand the un-escaped string, not the raw string. * Link default and inner-tunnel only if they exist. Fixes #2206. * Don't use both IP_PKTINFO and IP_SENDSRCADDR. * Always install signal handler for SIGINT (needed by Docker). * Fix intermediate CA flow for OCSP. Fixes #2160 Intermediate certs which are not self-signed will now be checked. * sqlippool now returns "fail" if it fails IP allocation. * Fix rlm_yubikey to look for correct attribute in replay attack check.- update to 3.0.16 Feature improvements * rlm_python now supports multiple lists. From #2031. * Add trust router re-keying. From #2007. * Add support for Samba / AD LDAP schema. See doc/schemas/ldap/samba/README.txt and doc/schemas/ldap/samba/ * Add "tls_min_version" and "tls_max_version" to EAP module for Debian OpenSSL issues. * Better documentation for client certificates in PEAP and TTLS: it usually doesn't work. Fixes #2068. * Distinguish login failure from AD unavailable. Fixes #2069. * Update RH spec files. Fixes #2070. * Run Post-Proxy-Type if all home servers are dead. Fixes #2072. * Print offending IP addresses when EAP sessions come from two upstream home servers, and rate-limit the messages. * Minor packaging updates. * Better documentation for rlm_rest. * EAP-FAST now has it's own "cipher_list", so that it is easier to configure. * EAP-FAST now forcibly disables TLS1.2, until such time as we implement the new keying mechanism from TLS1.2. * Add documentation for allow_expired_crl. * Update Debian logrotation. #2093 and #2101. * DHCP relay can now drop responses. #2095. * rlm_sqlippool can now assign Delegated-IPv6-Prefix. It also now can assign any IPv4 or IPv6 address. Based on patches from maximumG. #2094. See raddb/mods-available/sqlippool for changes. * radeapclient can now use EAP-SIM-Ki to dynamically create the necessary triplets. * Explain why many LDAP connections are closed. Fixes #1969. * Debian build / package issues fixed by Matthew Newton. * dictionary.patton updates from Brice Schaffner. Fixes #2137. * Added scripts to build "inner-server.pem", and updated mods-config/inner-eap and certs/README to match. * Added provisions for using an external CA. See raddb/certs/ * Include dhcpclient binary in freeradius-dhcp debian packge. Bug fixes * Bind the lifetime of program name and python path to the module FR-AD-002 (redone) * Pass correct statement length into sqlite3_prepare[_v2] FR-AD-003 (redone) * Allow 100-Continue responses with additional headers in rlm_rest. * fix corner case where detail files were not being locked correctly. * Fix (SQL-Group == "%{...}") checks, and same for LDAP-Group. Fixes #1947 * Clean up exfile code. Which should help to avoid issues with reading / writing 100's of detail files. * Fix build for winbind. Patch from Alex Clouter. * Fix checkrad for Mikrotik. Patch from Muchael Ducharme. * Fix home server stats lookup. Patch from Phil Mayers. * Add libjson-c3 as an optional dependency. * Require LTB OpenLDAP on CentOS / Redhat, to avoid linking against NSS, which breaks the server. Fixes #2040. * rlm_python fixes. Fixes #2041 * Typos in "man" pages. Fixes #2045 * Expand "next" in %{%{...}:-%{...}}. Fixes #2048 * Don't add TLS attributes twice. Fixes #2050. * Fix memory allocation in rlm_rest. Fixes #2051. * Update trustrouter for new API. Fixes #2059. * Fix SQLite issues on FreeBSD. Fixes #2060 * Don't do debug logging of bad passwords. Fixes #2064. (bsc#1099802) * More graceful handling of "die" in rlm_perl. Fixes #2073. * Fix occasional crash when using cisco_accounting_username_bug = yes * EAP-FAST fixes from Isaac Boukris. [#2078], #2076, and #2082, #2126. * DHCP fixes, relay, #2092, add run-time check, #2028 * Decode multiple RADIUS packets at a time in highly loaded RadSec connections. Patch from Jan Tomasek. #2106. * TunnelPassword is not "single value" in LDAP schema. Fixes #2061. * sql log now opens the expanded filename, not the input one. This was a regression introduced in 3.0.15. * Remove unnecessary UNIQUE constrain in Oracle schemas. * Fix SSL thread and locking issues when modules also use SSL. Fixes #2125 and #2129. * Re-add dhcpclient "raw packet" changes. Patches from Nicolas Chaigne and Matthew Newton. Fixes #2155.- Fix permissions of radiusd.service (bnc#1053654)- bsc#1055679 - freeradius-server does not provide winbind/AD auth Added libwbclient-devel as buildrequires- update to 3.0.15 with security fixes for issues found via fuzzing by Guido Vranken (bsc#1049086) https://freeradius.org/security/fuzzer-2017.html * CVE-2017-10978: FR-GV-201 (v2,v3) Read / write overflow in make_secret() * CVE-2017-10983: FR-GV-206 (v2,v3) DHCP - Read overflow when decoding option 63 * CVE-2017-10984: FR-GV-301 (v3) Write overflow in data2vp_wimax() * CVE-2017-10985: FR-GV-302 (v3) Infinite loop and memory exhaustion with 'concat' attributes * CVE-2017-10986: FR-GV-303 (v3) DHCP - Infinite read in dhcp_attr2vp() * CVE-2017-10987: FR-GV-304 (v3) DHCP - Buffer over-read in fr_dhcp_decode_suboptions() * CVE-2017-10988: FR-GV-305 (v3) Decode 'signed' attributes correctly * FR-AD-002 (v3) String lifetime issues in rlm_python * FR-AD-003 (v3) Incorrect statement length passed into sqlite3_prepare- update to 3.0.14 (still FATE#322416) Feature improvements * Enforce TLS client certificate expiration on session resumption, and Session-Timeout. See CVE-2017-9148 (bnc#1041445) * Updated dictionary.cisco.vpn3000, dictionary.patton * Added dictionary.dellemc * Lowered the log output for failed PEAP sessions. * ALlow utc in rlm_date. * The internal OpenSSL session cache has been disabled. Please see mods-available/eap * Update detail reader documentation. * Make outgoing RadSec connections non-blocking. * Add SQL backing to Moonshot-*-TargetedId generation. Bug Fixes * radtest uses Cleartext-Password for EAP, not User-Password. * Update documentation for mods-enabled/ linking. * Enhanced checks for moonshot salt. * Allow session resumption for RadSec connections. * Update "huntgroups" file to note that port ranges are not supported * Fix OpenSSL permissions issues on default key files. * Certificates are not required when PSK is used. * Allow SubjectAltName as first extension in cert. * Fixed talloc issue with TLS session resumption. * "&Attr-26 := 0x01" now produces useful error messages. * Handle connection error in rlm_ldap_cacheable_groupobj. * Fix endian issues in DHCP. * Multiple minor fixes for Coverity complaints. * Handle unexpected regex. * Fix minor issues in dictionaries. * Fix typos and grammar. Patches from Alan Buxey. * Fix erroneous VP creation in rlm_preproces. * Fix MIB. Patch from Jeff Gehlbach. * Trust router updates from Alejandro Perez. * Allow build with LibreSSL. * Use correct packet for channel bindings. * Many fixes found by PVS-Studio. Thanks to PVS-Studio for giving us a test license. Please see the git commit history for more info. * Fix incorrect length check in EAP-PWD. This may be exploitable. * Stop rotating session database files (radutmp, radwtmp) since these are not logfiles. - freeradius-server-radiusd-logrotate.patch: updated- removed obsolete freeradius-server-fix-cert-bootstrap.patch because recent /etc/raddb/certs/bootstrap simply works - update to 3.0.13 (still FATE#322416) Feature improvements * Add dictionary.rfc7930. Note that we do not implement the RFC. * Added 'cipher_server_preference' to mods-available/eap Patch from #1797. * OpenSSL 1.1.0 compatibility fixes. * rlm_perl: radiusd::xlat to evaluate xlat string within perl script * Allow authentication retry in winbind. Patch from Herwin Weststrate. See raddb/mods-available/mschap. * Added "recv-coa" method to rlm_rest. It behaves the same as "authorize". * Document Trust Router tr_port option. Patch from Stefan Paetow. * Update elasticsearch/logstash examples so that they work with elastic stack v5. Patch from Matthew Newton. * Print information about packets, replies, and contents in the detail file reader. * Update abfab-tr policy. Pull request #1893 from Stefan Paetow. * Reject packets which contain User-Password and EAP-Message. * Add example for filtering Access-Challenge. See sites-enabled/default. * Pull symlink fixes from v4.0.x. Fixes #1859. * Add systemd reload. Not everything is reloaded, but some is. Fixes #1662. * Better documentation for listen "ipaddr". Fixes #1921 * Add dictionary.cnergee, updated dictionary.nomadix. * radclient no longer needs -x to print statistics with -s. Bug fixes * Minor typos. Fixes #1763 * Fix typo in RPM build. Closes #1767. * rlm_mschap check for password expiry only if password was correct. Fixes #1762. * Update debian build. * update rlm_counter "man" page. Fixes #1775. * Remove erroneous assert. Fixes #1778. * fix mschap password change test. Fixes #1792. * Cleanup config file on data remove. Fixes #1795. * passwd module returns "notfound" if not found. * Check for old OpenSSL, and don't build rlm_eap_fast if it necessary. Fixes #1803 * Cleanup memory better after ldap version query. Patch from Aleksey Katargin. * Rename lt_* functions to avoid linker issues with libtool. Fixes #1277 * Many miscellaneous fixes and typos. * Allow long strings in %{%{foo} bar:-%{baz} blah". Fixes #1866 * Fix filtering operators, along with more documentation and more tests for them. * Fix OpenSSL fixes. Fixes #1876. * Finish SQL select queries even when SELECT returns no rows. Fixes #1879. * Set Module-Failure-Message for more EAP errors. * Correct typo in dictionary.rfc5580. Fixes #1882 * Remove obselete systemd syslog.target. * Client-Port-Balance load-balancing now uses client port. * Radrelay examples fixed from Alex Clouter. * Update systemd target. Pull request #1896. * Trim starting whitespace in xlat strings. * Get MySQL result lengths using normal API. * suid down after fchown(). Fixes #1914. * Fix cases of comparing pointer to NUL character. Fixes #1915. * OpenSSL v1.1 fixes. Pull request #1921. * Better Handle v4/v6 host names. Pull request #1919. * Remove "Auth-Type = System" from docs and examples. * Don't crash on malformed %{home_server}. Fixes #1922 * fix erroneous use of talloc destructor in rlm_eap * Issue trigger modules.sql.fail. Fixes #1923 * Document python_path gotcha's. Fixes #1845 * dlopen() the specific version of Python. Fixes #1592- Don't require insserv if we use systemd - Remove require for unused fillup- Merge changes from SLE to openSUSE (FATE#322416): * freeradius-server-radclient-init-error-buffer.patch - make sure we initialize error buffer. bsc#911886: radclient error free() invalid pointer * freeradius-server-opensslversion.patch: remove OpenSSL version check and assume we know what we are doing. (bnc#1013311) * merge .changes file, mostly. - do not attempt to detect "vulnerable" OpenSSL versions. SUSE security fixes do not necessarily bump version numbers as does upstream OpenSSL (bnc#1021375) - do not generate certificates in %post. End-user needs to do this manually. - keep FreeTDS disabled on SLE12 - we never shipped it enabled - require OpenSSL 1.0+ - use pkgconfig(systemd) instead of plain systemd as BuildRequires - don't list manual pages as %doc- Remove --with-pic which is for static libs only. - Use SUSE RPM group names. Trim filler words from description. - Do not hide errors from groupadd/useradd.- Add upstream keyring - 2 new modules: rlm_sql_freetds and rlm_eap_fast- update to 3.0.12 - still fate#320481 The focus of this release is stability. * Feature improvements + Add support for =~ and !~ in update sections. See "man unlang" + Add dictionary.checkpoint. + Simultaneous-Use prints out more information. + Print WARNING in debug mode when packets may be truncated. + Added expansions %{home_server:state} and %{home_server_pool:state}, which show the state of the server / pool. + Mark rlm_sql_freetds as stable. + Make rlm_perl less fragile. Patch from Herwin Weststrate. + Allow extended attributes to have "encrypt=2" + Update dictionary.aruba. + Add support for EAP-FAST. This is an isolated feature which does not affect anything else. + Update OpenSSL vulnerability list. Use a version of OpenSSL released after September 20, 2016. + EAP certificate verification is now done when "verify" is enabled and "ocsp" is disabled. + New dhcpclient and rlm_rad_counter man pages. + Minor abfab and moonshot additions. + Pass CFLAGS through from environment in RPM builds. Allows more custom builds. + Build with Heimdal in addtion to libkrb5. * Bug Fixes + Use correct typedef for older versions of sqlite. + Update mssql schema to add priority + don't complain on /dev/urandom in ldap + fix == operator in update sections + Don't create DHCP strings with many trailing zeros. + Allow MS-CHAP change passwords instead of complaining on large buffer. + Allow assignment or equality operator on SQL. + Update aclocal tests for FreeBSD 10. + Remove occasional hang in rlm_linelog. + Copy VSAs to inner tunnel for TTLS and PEAP. Fixes #1544 + A few minor bugfixes caught in v3.1.x cleanup, and back-ported to v3.0.x. + do_not_respond again works in post-proxy + Allow realm "~^.*$" {} and User-Name with no realm. + Fix leak when creating unknown attributes + Fix Debian / logrotate. + Make OpenSSL error functions thread-safe. + Fix crash with rlm_sql and updating SQL-User-Name. + Debian build updates. + Allow regular expression comparisons in radclient. + Fix memory leak on unknown attributes in detail file reader. + Update example paths in "man" pages when installing them + Build fixes for rlm_mschap. Fixes #1489. + BSD build fixes. Patch from issue #1583. + Be more careful about /lib/ when building. Fixes #1585. + Correct ifdef placement error. Fixes #1572. + Allow for more files in internal "exfile" API So it will be possible to open more than 64 "detail" files at the same time. + Remove support for statically built EAP modules. Fixes #1591. + Many fixes to rlm_python from Guillaume Pannatier. + Use correct week adjustment in SQLcounter. Fixes #1608 + Minor fixes to allow compilation without DHCP, VMPS, or TCP. + Fix checks for module / config file change on HUP. + Compile regex comparisons when sent via "debug condition". + Update filenames in documentation and examples. + Don't crash if SQL connection becomes unavailable. + Disallow originate_coa when proxy_requests = no. + Free rad_perlconf_hv in correct perl context. + Multiple fixes for Debian builds. #1510, among others. + Set OpenSSL FIPS compatibility flag when necessary. + Pulled fixes for the build system over from other branches. + Fix OCSP for RADIUS over TLS. + Fix skip_if_ocsp_ok behavior. + Better fixes for systems without closefrom() but which have /proc. + Minor build fixes back-ported from v4.0.x. + build --whout-ascend-binary. Fixes #1761. + Be more aggressive about not opening new connections in debug mode after CTRL-C. Address #1604.- use %{with} macro for conditional inclusions instead of hardcoding version numbers - improved package descriptions - fixed builds on SLE12 and SLE11SP4- removed installation of experimental module rlm_sqlhpwippool.so - update to 3.0.11 (fate#320481, bsc#961479, CVE-2015-8763, bsc#935573, CVE-2015-4680) * Changes of version 3.0.11 + Feature improvements - "unlang" comparisons of IP addresses to IP prefixes are now detected, and types automatically cast. - Allow shorthand form of ipv4prefix values e.g. 127/8. - Add "auto_chain" to raddb/mods-available/eap, tls subsection. This allows the disabling of OpenSSL auto-chaining of certificates. Which might be wrong. - Added printing of coa and disconnect stats (radmin). - radclient defaults to expecting Access-Accept responses to Status-Server. - Updated dictionary.lancom, dictionary.starent. - Portability fixes for Solaris. - More errors from ntlm_auth gets passed to MS-CHAP. - Update abfab-tr-idp virtual server. - Added "filter_password" in policy.d/filter. This removes embedded zero bytes in User-Password, for compatibility with broken clients. - The server now issues a WARNING message if duplicate configuration items are found. - TLS can skip the "verify" section if OCSP returns OK. See raddb/mods-available/eap, "skip_if_ocsp_ok". - Set TLS-OCSP-Cert-Valid = yes / no / skipped, which is the result from the OCSP check. - Interoperate with AD and "LmCompatibiltyLevel = 5", by always setting WBC_MSV1_0_ALLOW_MSVCHAPV2 for native winbind in rlm_mschap. - TTLS and PEAP now require "virtual_server" to be a real server. - Print WARNING when TTLS or PEAP identities are spoofed or not properly anonymized. See RFC 7542 for requirements. - Various rlm_python fixes from Herwin Weststrate. - Allow setting Response-Packet-Type in "Post-Proxy-Type Fail", which is useful when the home server does not respond. - elasticsearch updates from Matthew Newton + Bug Fixes - Fix issue where field nas_type would not be accessible via the %{client:} xlat, for clients loaded from SQL. - Fix compatiblity issues with OpenSSL 1.0.2. Ignore calls to msg_callback with 'pseudo' content types. - Data type "ipv4prefix" is parsed correctly. - Use correct talloc context in rlm_exec. Fixes #1338. - Complain in unlang if "else" is used with no previous "if" or "elsif". - Send accounting status packets to the accounting port. Fixes #1364. - Print out CFLAGS when doing "radiusd -Xxv" - Fixed bug with coa/acct stats value #1339. Based on patch from Jorge Pereira. - Fixes for LEAP proxying. Don't use LEAP! - Fix issue with "directory already exists" seen when doing "make install". - Fixed bug with radmin related to the option "stats detail " - Complain if the detail file reader does not have permission to read the "detail.work" file. Fixes #1398 - Fixed SoH. Attributes were not being copied to the virtual server. - Used a wrong list to global statistics in "stats". - Create EAP-PWD identity correctly. Prevents segfaults. - Dynamically validate authentication types for PEAP and EAP-MSCHAPv2. - Fix includes in installed headers. - OpenSSL 1.0.1f and 1.0.1g do NOT calculate TLS 1.2 keys correctly. See raddb/mods-available/eap, "disable_tlsv1_2" - Allow password change to work for MS-CHAP. This requires 'r=0', because password changes are not retries. - Fix home server fail-over for home servers using TCP and/or RadSec. - Special characters in expanded regexes are now escaped e.g. User-Name containing '.', and comparing /%{User-Name}/, the '.' will now be escaped. See src/tests/keywords/regex-escape. - Use correct authentication vector when sending Access-Reject replies for RadSec. - Set FreeRADIUS-Proxied-To in TTLS again. You should use the "inner-tunnel" virtual server, instead of relying on this attribute. - Fix debugging constants in rlm_perl. Patch from Herwin Weststrate. - Add samba-dev / samba4-dev to debian builds so that rlm_mschap can automatically use the new winbind API. - Automatically skip zero-length attributes when sending packets, instead of erroring out.- fix bsc#951404 * Rebuild of freeradius-server package fails * fix source url - ftp://ftp.freeradius.org/pub/freeradius/ + ftp://ftp.freeradius.org/pub/freeradius/old/- update to 3.0.10 * Changes of version 3.0.10 + Feature improvements - Do more optimization of unlang policies. This makes run-time a bit faster. - Re-name most of the functions in src/lib. Third-party module authors will have to do the same. - More documentation on contributing and how to write modules. - Update radiusd.service for systemd. - Open IPv6 proxy socket if the server is listening on IPV6 auth / acct / coa packets. - Create debian packages for DHCP. Fixes #1125. - Add more tests for "update" section parsing. - Update "man" pages. - Update attributes for Alcatel 7750 - Add dictionary for Boingo Wi-Fi - Add support for DHCP lease queries. See raddb/sites-available/dhcp - On HUP, check all modules for config files which have changed. And only re-load those modules. - Allow FreeRADIUS-Response-Delay(-USec) to be set for RADIUS packets. Patch from Herwin Weststrate. - Documentation fixes from Alan Buxey and Matthew Newton. - Update "logrotate" script. - Added more RFCs to doc/rfc for new standards implemented by FreeRADIUS. - Don't crash when doing "radmin -e "help hup". Patch from Matthew Newton. - The dictionary parser now does more sanity checks, which prevents run-time problems with invalid attributes. - Update debian packages. Patches from Christopher Hoskin. - Many other debian packaging fixes from Matthew Netwon and Herwin Weststrate. - Add "session-state" to Perl. Patch from Herwin Weststrate. + Bug Fixes - Fix rlm_files so that there are no collisions when loading 10's of 1000's of users. - Fix radclient to use our internal v4/v6 parsing functions. v6 addresses with ports now work correctly. - Fix sending/receiving packet messages to wrap v6 addresses in square brackets '[]'. - Check for sasl/sasl.h when building rlm_ldap, and disable SASL functionality if unavailable. - Fix issue which caused a non \0 terminated buffer to be assigned to attributes if the value being assigned contained an invalid escape sequence. - Fix deadlock when reconnecting connections in the connection pool. - Fix potential overrun in functions that used fr_utf8_char with a non nul terminated buffer. - Fix decoding issue for Tunnel-Password type attributes which were very long. Found by Denis Andzakovic. - Fix radclient issue with TCP sockets on FreeBSD. - The server now creates ${run_dir} and ${logdir} directories in daemon mode, when running as "root". - Handle tags when using maps. Fixes #1191. - Fix crash when CoA packets time out. - Fix parse error in rediswho - Fix regex support in SQL radcheck the "users" file and radsniff. - Register listen xlat earlier, so that it's available when the virtual servers are being parsed. - Parse Ascend-Data-Filter when given as "0x..." - Print Ascend-Data-Filter correctly. Add test cases for both. - Allow old-style clients again. They will be disallowed for 3.1.0 and following. - Complain instead of crash when "else" and "elsif" are in the wrong place. - Clean up memory more aggressively. This lowers the maximum memory used, most typically for TLS based EAP methods. - Prevent the server from unlinking the control socket of an already running instance. - Fallback to using the configured OCSP URL if one exists, and no URL is provided in the certificate. - Return CoA-NAK if proxying CoA fails. Based on patch from Jorge Pereira. - Lower peak memory usage by decreasing size of internal memory pools. - The control socket is now left in place if a second copy of the server is accidentally started. - Allow virtual attributes in "switch", "case", etc. Fixes [#1240] and #1265. - Many spell check / typo fixes in comments and example configuration files. - Better handle multiple DHCP listeners. - Don't print secrets for old-style realms. Fixes #1267. - Don't fall through in empty "case" statements. Fixes #1274. - Update EAP-TTLS so that MPPE keys are correctly calculated with TLSv1.2. - Always delete MS-MPPE-* from the TTLS inner tunnel. This allows TTLS / EAP-MSCHAPv2 to work. Fixes #1206. - Fix off by one error that caused some MSCHAP-Error messages to be sent without the password change version (V=3) and the textual message component (M=). - Always include C= V= and M= in MSCHAPv2 errors. RFC 2759 does not say that any of these fields are optional, and not including V= caused errors with wpa_supplicant. - Do not include M= in MSCHAPv1 errors. It's not supported.- Fix boo#912714: freeradius can't use ntlm_auth * Create winbind group * Add radiusd to winbind group- Remove gpg signature file * The gpg signature checking is broken and doesn't work- Fix bsc#935573: Insufficent CRL application for intermediate certificates * CVE-2015-4680 * freeradius-server-CVE-2015-4680.patch based on https://github.com/FreeRADIUS/freeradius-server/commit/a03814af310bb3bee74ea012546d99c48b0ea5c3- update to 3.0.9 * Changes of version 3.0.9 + Feature improvements - Make "pool" configurations more consistent, and update documentation for them. - Move connection pool logic to "most recently started", instead of MRU. This should help with pool stability. - More VSAs for 3GPP2 - Added examples of multi-value attributes to rlm_perl. - LDAP-Group and SQL-Group attributes are now dynamically allocated. - Only the "sql" module registers SQL-Group. Other instances register "instance-name-SQL-Group", similarly to "ldap". - Unknown attributes are now complained about more often when used in unlang statements. e.g. if (Foo-Bar == 3) used to be a string to string comparison. It is now a parse error. - Rename RLM_COMPONENT_* to MOD_* in the code. This makes many things easier. - Move to C99 initializers for modules. - Load modules in raddb/mods-enabled. This allows attributes like "LDAP-Group" to be used in the "files" module, without explicit ordering or listing in "instantiate". - Added 'bootstrap' section to modules. Third-party modules will need to be updated. - When adding clients from a DB, add them to a virtual server if that virtual server has a "listen" section. Otherwise, add the clients to the global list. - When reading dynamic clients from a file, don't expire them if the underlying file is unchanged. - Allow the server to originate CoA requests from the post-auth stage. - The server creates ${run_dir} and ${logdir} in daemon mode, if they do not already exist. - Add dictionary for Wi-Fi Alliance Hotspot 2.0. The server now supports all mandatory and optional attributes for this specification. - HUP now re-loads the configuration only if the files have changed. If all files are unchanged, HUP re-opens the log file, and does nothing else. - Much better debug messages for EAP-TLS, including which attributes are cached, and when they are retrieved. - Increase default max_requests to 16384. Memory is cheap now. - Added "stats memory" commands to radmin. Debug build only. - Aptilo controller dictionary updates. - SQL modules now use Acct-Unique-Session-Id everywhere. - The redis modules are now stable. - The LDAP module now supports SASL "interactive bind" method. This allows Kerberos based administrator and user binds. - DHCP code is now in libfreeradius-dhcp. - More DHCP encoding / decoding unit tests. - rlm_replicate can now be listed in the "accounting" section. - Better sqlite debugging output. - Remove "required" option from many sql_ippool directives. - Set default CA "basic constraints" to "critical". Fixes #1073 - Updates to help / man pages from Jorge Pereira. - Added more tests. + Bug Fixes - Be more careful about unused config item warnings when using -Xx. - Move more defines to be auto-generated. - Allow virtual servers in proxy fallback. - Allow %{module:} to work. - Don't crash in RadSec. Closes #980. - Return better errors when a unix group / user is not found. - Re-enable detail module "locking" parameter. - Don't crash when logging replies from Status-Server packets. - The couchbase module now uses "update" instead of "map", for consistent with the rest of the server. See raddb/mods-available/couchbase - Don't require NT-Password for MS-CHAP password changes. - Be a bit more careful about decrypting MS-CHAP-MPPE-Key attributes. Closes #1013. There is no perfect fix, tho. - Fix security issues with EAP-PWD. See http://freeradius.org/security.html#eap-pwd-2015 - Fix dynamic clients read from SQL in non-debug mode - MS-CHAP now allows retries (i.e. password change) when passwords are expired. - Allow "user=radiusd" when the server is already user "radiusd" - suid up/down works on non-Linux systems. This means that the control socket should have the correct ownership. - Fix issue which caused the server to sometimes have problems when a home server was marked zombie. - Fix format.pl because Perl is now more picky. - Fix proxy to Packet-Dst-IP-Address, so that it uses the correct destination port. - Fix corner case with cursor functions and removal. - OpenDirectory fixes and documentation. - Fix leaks in rlm_redis. - RFC 6929 "evs" attributes are now encoded / decoded properly. - Fix talloc pool leaks when receiving malformed or retransmitted Accounting/CoA requests. - Printed attributes again use double quotes instead of single quotes. - Set X509_V_FLAG_CRL_CHECK_ALL, and add "check_all_crl" to eap.conf. Fixes oCert CVE-2015-4680. - rlm_expr now errors out correctly on malformed attribute references instead of triggering an assert. - Make "break" work in "foreach" loops - Allow dynamic expansions to work again in the "hints" file. - Correct minor typos in comments and examples from Alan Buxy. - Re-urlencode the path portion of ldapi:// urls before passing it to ldap_initialise. - freeradius-server-rlm_sql_unixodbc-configure.patch removes hard-coded directory in configure script of rlm_sql_unixodbc - install new module rlm_sqlhpwippool.so- minor adjustments/cleanup of spec and changes- update to 3.0.8 * Changes of version 3.0.8 + Feature improvements - Allow syslog_severity to be set in rlm_linelog. - Allow defaults to be set for bulk clients in LDAP and couchbase. - Updates to dhcpclient. Patches from Nicolas C. - rlm_mschap now supports direct connections to winbind, which is faster than ntlm_auth. See raddb/mods-available/mschap. Patch from Matthew Newton. - Recommend /dev/urandom for TLS randomness, instead of ${certdir}/random - Allow TLSv1 to be disabled via "disable_tlsv1" in tls{}. - Allow Expanded EAP types where vendor is 0 (IETF) and type is normal EAP type. Supplicants sending Expanded EAP types like this are broken. - Add support for server side sort controls when searching for user objects in rlm_ldap. + Bug Fixes - Don't complain about "authorize" in "server {}" blocks, but only if there's no "server" block. - Fix cosmetic issue where debug from the first packet read by a detail reader thread would be emited during config parsing. - Fix ASSERT on truncated detail packets. - Don't use main server log functions from within panic_action, as in the case of syslog this would cause deadlocks if the fault was triggered from within a malloc. - Fix issue in "switch" when "correct_escapes = false". Fixes #911. - Fix sqlcounter configuration to use "%%b" instead of "%b", otherwise the new syntax validation will fail. - Allow forward references in configuration items. Modules aren't always loaded in a sane order. - Fix more escaping issues. Closes #912. - Decode MAC addresses correctly for VMPS. - Fix memory leak with TLS connections. - Fix state machine threading issues for conflicting packets. - Fix copy_request_to_tunnel issues for tagged attributes. - Allow "ok" to over-ride "updated" inside of Auth-Type sections. - Update state machine so that post-proxy is run though child threads for performance, instead of blocking the main thread. - Allow "netmask" to work again in client definitions. - Relax restrictions on SQL group queries. - track outgoing proxy sockets and clean them up more aggressively. - track proxy statistics, including CoA and Disconnect. - If radmin has a connection failure when running a command, it re-connects and runs the command again. - mark home servers "unknown" less aggressively. - Fix potential SEGV in PostgreSQL driver on error. - Fix issue where fields like nas_type would not be accessible via the %{client:} xlat, for dynamic clients. - Set default busy_timeout (of 200ms) in the sqlite driver, so writes don't cause selects to fail in multithreaded mode. This is user configurable, and may be increased if required. - Convert Password-With-Header attributes to binary (from hex or base64), in the authorize method of rlm_pap. - Fix invalid assert in state.c, that could cause abort in post-auth. - Fix double free when -m flag is used, and connection pools are referenced by multiple modules. - RADIUS over TLS accounting uses the same port as authentication. - Regularized return codes from radmin commands. - Fix RHEL spec file so it works correctly for Centos7 which uses systemd, and didn't like the SystemV init script. - radwho and radlast now have a -D option to load dictionaries - DHCP packets are no longer checked for duplicates. - Don't crash in sql module group comparisons in corner case. - Calculate MPPE keys correctly when using TLS 1.2. - Fix load-balance sections. Closes #945 - TLS certificates are available again in the post-auth section. They are not available for session resumption. - radclient encodes CHAP-Password properly when using -c Closes #955. - Fix issue in rlm_cache_memcached driver that caused variable length values to be truncated. - Fix track functionality in detail reader, so it no longer fails with a "Failed marking detail request as done: Bad file descriptor" error. - Actually add the peer identity (as User-Name) to the inner tunnel in EAP-PWD requests, so it's available for lookups. - Fixes to PostgreSQL queries. Patches from Santiago Gimeno. - new set of consolidated patch files: deleted: * freeradius-server-2.1.1-logrotate_su.patch * freeradius-server-2.1.6-rcradiusd.patch * freeradius-server-initscript-pidfile.patch * freeradius-server-radius-reload-logrotate.patch * freeradius-server-var_run.patch added: * freeradius-server-radiusd-logrotate.patch * freeradius-server-rcradiusd.patch * freeradius-server-tmpfiles.patch- Do not disable as-needed build - Remove the with_sysconfig switch and just stick with versions- update to 3.0.6 - fixes a segmentation fault in PEAP module (bnc#912588) Feature improvements: * radmin / raddebug conditional errors are printed to the output, instead of being discarded. * raddebug will exit if condition set with -c was invalid. * radmin auto-reconnects if the connection to the server has gone away. * rlm_cache now has submodule support. See raddb/mods-available/cache * New memcached driver for rlm_cache. See raddb/mods-available/cache * Add support for &Attribute-Name[*] in conditions. See "man unlang" for details. * Add &Attribute-Name[n] which gets the last instance of an attribute e.g. Module-Failure-Message[n]. * Allow for redundant string expansions. See the "instantiate" section of radiusd.conf. * When checking IP addresses in conditions, make the right side be parsed as an IP prefix. * Support JIT compilation of compiled regular expressions when built with libpcre. * Support named capture groups with "%{regex:}" when built with libpcre. * Increase regular expression capture groups from 8 to 32. * Emit error markers for badly formed regular expressions. * Allow 'm' flag to enable multiline mode in regular expressions. * Support limited implicit attribute conversion in update sections. * Support casting between IPv6 and IPv4 where the IPv6 address has the v4/v6 mapping prefix (::ffff:).- Drop .keyring and .sig file: freeradius-server still uses MD5 signatures, which are no longer validated/accepted by GPG 2.1.- update to 3.0.5 Some of the new features: * Allow LDAP to specify arbitrary attributes for dynamic clients. * Allow one level of backslashes (finally). See radiusd.conf, "correct_escapes" setting. * When supported by OpenSSL, allow TLS 1.1 and TLS 1.2 in EAP methods. * Allow multiple new connections to be spawned simultaneously in the connection pool, to cope with spikes in traffic. * Use kqueue on systems which support it. This allows for better scaling when using many sockets. * Home server "response_window" can now take fractions of a second. See proxy.conf. * radmin now supports "show module status", as thee counterpart to "set module status" * "ipaddr" will now use v6 if no v4 address is present. You should use "ipv4addr" or "ipv6addr" to force v4/v6 addresses. * "client" sections will allow "ipaddr = 192.192.0/24". The old "netmask" is still accepted, but the new format is preferred. * Allow custom HTTP headers to be set for rlm_rest requests using control:REST-HTTP-Header (attributes consumed after use). * Extend format of %{rest:} expansion to allow HTTP method and POST data to be specified and urlquoting. * Add support for aliases in rlm_ldap. * Add support for connection pool sharing to all modules that use the connection pool (pool = ). * "tls" sections now have a "psk_query" configuration item, for dynamic queries to discover a key from a PSK identity. * Preliminary support for EAP channel bindings. * Foundational work for dynamic home servers. They do not yet work, but this is now only a matter of updating the "realm" module in a future release. * Support &attr[*] syntax to copy all instances of an attribute when used with the += operator in an update section. May be qualified with a tag. * The logintime and expiration modules can now be listed in the post-auth section. This makes some configurations simpler. * rlm_sqlippool is now IPV6 capable. Set "ipv6 = yes" to get Framed-IPv6-Prefix returned. The SQL queries have NOT been updated. Please submit patches. and numerous; bugfixes - remove gpg-offline - create /run/radiusd after install - drop freeradius-server-opensslversion.patch (upstream)- freeradius-server-opensslversion.patch: do not check the minor version of openssl, minor versions are supposed to be compatible. bnc#906682s390zp36 1670847524 3.0.21-150200.3.12.13.0.21-150200.3.12.1dhcpclientmap_unitrad_counterradattrradclientradcryptradeapclientradlastradsniffradsqlrelayradtestradwhoradzaprlm_ippool_toolsmbencryptdhcpclient.1.gzrad_counter.1.gzradclient.1.gzradeapclient.1.gzradlast.1.gzradtest.1.gzradwho.1.gzradzap.1.gzsmbencrypt.1.gz/usr/bin//usr/share/man/man1/-fmessage-length=0 -grecord-gcc-switches -O2 -Wall -D_FORTIFY_SOURCE=2 -fstack-protector-strong -funwind-tables -fasynchronous-unwind-tables -fstack-clash-protection -gobs://build.suse.de/SUSE:Maintenance:27107/SUSE_SLE-15-SP2_Update/ea436a6cecae00bf250af9f8b03f03e5-freeradius-server.SUSE_SLE-15-SP2_Updatecpioxz5s390x-suse-linux ELF 64-bit MSB shared object, IBM S/390, version 1 (SYSV), dynamically linked, interpreter /lib/ld64.so.1, BuildID[sha1]=8d96c752f50dba81faab308ec62d894a3df108a8, for GNU/Linux 3.2.0, strippedELF 64-bit MSB shared object, IBM S/390, version 1 (SYSV), dynamically linked, interpreter /lib/ld64.so.1, BuildID[sha1]=adfd0b7bfa0af9a7fd5a21f3c9eeded67d786029, for GNU/Linux 3.2.0, strippedPerl script text executableELF 64-bit MSB shared object, IBM S/390, version 1 (SYSV), dynamically linked, interpreter /lib/ld64.so.1, BuildID[sha1]=9948d711384db39ae27058b05a85defda2511c22, for GNU/Linux 3.2.0, strippedELF 64-bit MSB shared object, IBM S/390, version 1 (SYSV), dynamically linked, interpreter /lib/ld64.so.1, BuildID[sha1]=a3111c21a050a2e3e17f298485b11d3e8760ce71, for GNU/Linux 3.2.0, strippedELF 64-bit MSB shared object, IBM S/390, version 1 (SYSV), dynamically linked, interpreter /lib/ld64.so.1, BuildID[sha1]=e8bb3b143c11f55d823192c42d976e6f08b7012f, for GNU/Linux 3.2.0, strippedPOSIX shell script, ASCII text executableELF 64-bit MSB shared object, IBM S/390, version 1 (SYSV), dynamically linked, interpreter /lib/ld64.so.1, BuildID[sha1]=ce755f82beb79267bc6811af32897f2c329c5941, for GNU/Linux 3.2.0, strippedELF 64-bit MSB shared object, IBM S/390, version 1 (SYSV), dynamically linked, interpreter /lib/ld64.so.1, BuildID[sha1]=e82057ed4906a09790925c0fae3c90bb988b85ba, for GNU/Linux 3.2.0, strippedELF 64-bit MSB shared object, IBM S/390, version 1 (SYSV), dynamically linked, interpreter /lib/ld64.so.1, BuildID[sha1]=d4b21d0a619bd90d1fc241d4d67219da95aff0fe, for GNU/Linux 3.2.0, strippedELF 64-bit MSB shared object, IBM S/390, version 1 (SYSV), dynamically linked, interpreter /lib/ld64.so.1, BuildID[sha1]=dae4d4752d2629d54428572c23b04803f9358ef9, for GNU/Linux 3.2.0, strippedtroff or preprocessor input, ASCII text (gzip compressed data, max compression, from Unix) !*+<=FGHQRY    RRRRRRRR RRRRRRRRR RRRRRRRRRRRR R RRRRRRRRR RRRRRRRR RRRRRR RR R RRRRRRRRRR RRRRRRRRRRRR RRRRR RRR R RRRRRR Rɋoip*;qutf-8f20b9107b0185d0962b33f50c8b9e935d1322c48b5feb8ecf3f03b3b43e4c06e? 7zXZ !t/] crv9w Ta7c". C_Z;BD=)ٷ߼Bi`iULv$lQui [DnT;:%A}QΆ`>QZ& L)8gNFũ#)(5\r Áf֖Oxw` $1RwS0 G/q`L=9 Hc98%oCе9dW3fPBv-[cGnGۿXeƀ/\4'tg3gអ㋟EC79Si|?т9f)(,ak'dZ࣐ płKY|>mtA#磔C&ǜy;n󶃂mrOq\L O0h?.$v6(G5TPo')Дa`F1<߻ fZÝ|DV<(]8Υlnʠ4Am >o5Lo.ݧ6, gC bC'm7 &\)S#bZ oӠogs:k,#zߘ D`.UEMF;3vso2&ps_dڂEgt"#ؠzFCbz@Xz& .]\4HZKO$D)맓* c)8>jU4ďw",~.:fy1;%e6%|` 6T[UqsXL}# "dkT0ƲF@ϭeWKPF[j~bj\}[D^ҵƩuokC?<U%Q@tU/:0 %њ roY4yv<;Y;(<"ӛCo5qk_q1M]{EȲ? Q5FOa 'B`t4A2 vI祙4iH44? ]X*BgA5(eE.cowu=D&^Vs"y+B6K'0֐{ZHES:vvġ[iAV)߷sӽ)$3^ #C T` -S9dZ"~8[CR V򊳉i80.x9* TD$ S*=' /%My?>(jSz'"<3KgQhBjyfu#SC:9UBT2?'G2OwjrD >:òdSy2)k^mrXqiΓl g՜⒍޷ٷyuԍ+ s]keZKh[n@,ҧT4u5{24l2OMM$0/Gt?-2< t& 6a>2fX]U 2FcIR[\7x_ﺁd`alo Lhȓ,k[ bWNjG]dPOsWf9;J'SwHPȑ<7Dz7sn0%: ugzA|΁ <#o1&gԣYo[5Z@ tRA'%a+[aH@ ~!M;.Ҋ[ )Lz)PÙd HtulMJr!.6߮>+OpΙॵ:ݝCm_W[D ͪ>[~ǵU\[V 'w̯;2roxuNUlu1;' l*Dfm6L1$U.fKЄZ{,q2"!%LTk?P 6yzJ "}- k#RRî&ˍ18G \ ,)~a0-ϿHC`TqO|gC !t3P5d(f>bm[V8mz3Q+w:uc W}핢fP7ɋ=vnR4ze9,~z=؋sRcEu LT#O1ֲZ"4A~7o15奊ա/`IjGfp#\z+69-#`LI6ԮֆsbI z|,B"t@v`b%H%& SQlͤ Bw`yX_. t75gd̶=PuSeR>5rkà~o,7@-!l0-G!Rz*fI1 .8\RZu)]1e{%z|ǻ\HˤGSV; ;}A0Կ j㶧+n]:G!o8s/:^.U^XW@!>ovށç[elP%C=b3;B ,(y^ Z*#[S"ͨV]Paaqb`:-bÎ<*+$4tq~fC=2ʔ pS``I3  @ʊQcS\!H(תZ^RXk yr+io8>Oz<כlH:9P3UvGA/d9 c'NkFio :OZUdךӱf`2up  J!V?5pG`  tbg\`2ikN$W a ٥+8Ł>0@VbP T,b;;E0т_6fi]itbKr ;@=oec6::1XȬu   όAʴ>x-vX9Q)6wA \S/L>$i'#4z7M(Tg[nZrrFuم핻#ڬfqP=f+Ƿ{(gGqB8>1˔l`ok"XΉ}E] 輕wYFsDy,=ٱs mFNisI}(|c"EzƐH?p(^w>Ḩ8ĄkvT\EJcJe|?ŀr UUaS; |1Я5V*]Sfg7rFCY2ڪ`i}\\H -Vmbh%J^I2{ yUMZ`#^W*,!Q ο- }s$ > H[T PR_0:-C~+Up/׮#0ڃH}%xS54A<ݴ0UᬍQ9]֏ջnܒs1sx5_X8;i\p}4mϟ-em(C | J54JUVqymW:GYo3vL8[8"7|$,l+IL#6Ne92y7֒1Q{$|!3N7 r̮˷hhWs'V PʰcB1fGves1|z7@eLS;i*+|E4#i"BIvLǃ辤UajbKLVKÅ4,BMܼ]+j.RT/"? Ϸ徠"Yg\>☞ő#8w^rwmӂ(efUk`J縱",+}tJqksAu'뺟)bmxAB4Y+w#Wu`dx\.:is3< "ҽ!?QӜ0a33FXn<]Nť;$IͤHuR (GҢ uNA$o_9RVˤWv3_Ḣ?=k#ӪVAт!Vllj Xҳ7v" -?=XYlN;Z+Bktju JBmV],da>rA@ ʢӆȯNwVxQEߪYol5obXw+S1㛗3^Y%Kb lI{/s-A#Z甀!8lZ9[5X:wԕ.E0ؙWJi^nףe)rW;&Mp|xa7sgP3NRywrWt#AJDkrA0ysv ^s8Jv0ڜi:?* wVԗi$GK?\A'өbCŲC_[$قX!UwkV6zfX#PiΉOBLzD?Yw(}CXWԑ9T*WBApqN4NPWb/ayY(U}c>̑t]6$0Q fq7R׺#MT(6u~Q݊=6$C [qڢHrGC[(s*<^bҒ4e1'r3UЮOK2ljVνa(It+oF;s9vhqVƐ uLp&v*|N.d8mBбN\ ^ X&ߌS̏'oGA$C`"?uh밇,$KGpi'$߁ C+ 0DTE <,N01H,!4\4iq,* kRR-I_:}%Yˁ|-*@ZnJ=`@R9o[Q`5}ügGjo]l,~v̅>;c~xUch 1)qGWޢW+j"/Ɗk} CP`c .,hr);p 1 d 3]FY| Ø3;hӖT"wA`I_L3`A\V j -7̽dԆ(V5}r![?gyo@1o8TLծ]{Sӥ,pAX.gC G-,LC[|?E]i+Ն2;`pbǬ(H cAKВ(7?(@m)J ,AsY'jXgh4@QTuuF|[lׁH$<#h* (nAzc!onh0$|6S_S?WZt^ѼSfJJt t/|]y J?bbCok0iIνL.<&r{ky!E/qBC)LSe +TucE"(„qpבwlMڟzo^Zo&-dP+ɐ + u=de/S=rlYg3k&"~w@=SaxY_r< rNb;j>;f]z 4O3L +@iN%TBPз~y:KexFNYwFrj)ȯuMu̍d$>Yɂvq"L0(VKhl,Z32{Yk5E|X 6:]0^|n;IkZ:]idl82h7$&*ԵrӪHa0 Oތ:˞jKdkr$@z>v7 :;T)p ׎FEȖt;b+Ojpm_44FupQ@JDW$@yJzĞ41&_LБptNY~=WEO/_K/0>;P['Rޡ]O$n9Fh_6#T3owpc&lRK\S력oxjf HB<+@R$7Pf"ki0ت~g咽]BQ턬vSTew{KH\ f>U4hPPY5#K3X?U9i7!cld㕩C,Pt3YRq_ǰ=rygsaxfs ]XA è#xm_~J_[Wwtn+='8Ǐ.ˈ]]҈g4x@1dSB\g<׉@A1\2-;֧KNxxiߦ~كف=1a]nA Edٳ|6ȺtW di:=0 썠(HVrolq]?,KG2-zt&)R;[7y5sꒈ&>h>k]a7Ƈ9^QSyEvƌP|w"s$8ȲwFn־9H[j*^pe9k-nhnѻQ-Psy1 tUeVz&Ԉ0K)g(Q!ijk .M&[7o?1գiKwv\wOQJ3u[Uku<ˆG+qDis ٵ?3OyH4n-{- J8%1ruRtҪ|kH&KNl\ W:a{qKSy ?I4{0hdC{5(@0svBsT*vGIN}y1!S͞u1"\fkӓy d{` XcC4.ӑ9ILx{g`8ϕ)Ve2 PEt;Ha_ě(*XN3 nB[FmC߭)ubrEB>C%l]I1j=#q#P$t6 ͚R+]mH~j0f#,+D&y~)>.5_ZI!ۛ4A 9E״+_h09j7..X:rDX;-g"2 |ޅwN.Yl/!URKY`262,̥!tؾ9ebKc[DS|7Mq]4ƑΔ?HMt-v~3UUp73b77/ɜi9a P%8zV s6Pa@_(h}d%)*g}0g π_?Α=N>WYtCn_M:^8=ٰ=T 9lH)J 1espk],8ƖjnxS.ҊMrc;dsZ+bc$J]ܩ'cʍlÝzeΩ>;yzˊ wz8=÷>a븻PZ($h}6`_qC"H>,cZE {9ؘ{ZKe\DYObA¹O墨挨:h.1!YYQUxAq,Jl@~30> F :u}.YT8z Ѐ4'h VmA@C ;ގ93@fLCBcȺ?X1}?жHbڕ:RiQ6ZEW1&s'=1}ݛ3ᶲ[f靄tlvt5ZS,Цa:Sx&5'‡mB|C ;NuYc_ PJXvtD:/Ru<>c;x& [=y~@49E} +%G׋?QE3$y=8vw-z;9Swߋ7[6 *. awO9%m-G=;V轷fTx*T4}|#?+H9f$]}4x]wpW/9cgJhV67A ;; ŚꩮOpF\bxб3Qsc!:K[Aľ3r V[6R"L6 !S;M-e8-PGc(.B:H|l(vde,*nVcIS4dRY h#B ɝVLR?N^<ҔyHl7MUqaAkq&J#tEf=PN TN#Shl߉,b R slpʚyv5iGyu%j VzrD},^h7o}3#(LvC=S0Om8⎖cQ}& x"~ \q$K~ X#H+M< cA K#8(V.~1BY'VZ'滠_V+v<뫝Kk%y.0Y ʚd_-T?罽;+'=AoiMN2e-,ĉŽ@ҵV4:%t0OߦkRs=I!QOAbLJinOrtp.w13 aʇV!-֛B㦶:Hңdan 0TI &6p '$,$BV O9hsrMWj1+#jGGV԰(+ Aƽ9xh9/̃nNHz(GeJN L BGsbw3phC؛ꞟ;yj.h)Oaڰk Gqr7>T`MxXYH[Тlg>A\ptL u{CzI+bSJM?jqyf}ڠn~n)aM0~<?6Slf5\HE8!Ǘ@XGSW%@7vP`;_'[Fb-lOci $i6=ViG+46򹙼?hZq*n>GjRQb00D5ΈT7l)F0uz#@5Kj%6`7IaZ曕:q4ph)yv=JALXV=-x$vqf@u$CXzd@  )Ĕ@p |BǛs~-Năm<0vb͝IX.Agy+@~BNr/$$NUqsTPOF^ulp8<s|1q&Syڃ!RuSN0 @2! BBrÚ%7f+9r|ÌQ< J|yW3;[s[(2=%F;Q>{\ΕP&<<Ssݝ~$UK=EK}08KH7(C]tUei^{rQhXS!g55/w# /ENV|};`DҘ06^Slw|ÀVg٠`wt&&%H]]W0y^vޥa#UtœD"hG萒ʧns 4cC|}\ s="(kdOcYu4G{Qs"ٞ2a#ȗڳ2ɕ$ּ ZnbBAG.<02(w{VvVugVZp_3 N$9ש%\]VGVR'}/P_(ʓ Q\zάC?3T"刁2os;:Q{8c;1A=ns3,8SP(]4$ư7dH9aJ#Omm 7BԝoՐ W Gffr^ +8q+ۡ<_\Q`!m2[}gp{5pc{Q|tw8LkL)k$tI>Xr Ԣ|=DE&AjE JBl ߕ_jlم5Woԛt8@>s yΗ=piGL;Y-Q* hb &n9 x^_r[U^V`Oªu&*;"HqtmMR5xX_Q QDݥURI!`XVEɍko-D]{%wUDOk3!fg{WF,Dsژh[-|Rp9Z&MUczkE^(T~ )''\t" |P^ӏW+ZG"++ ]։&|Y(s  Vs;ASkG#_R"z$?OI-j;Ɓc%j4z0&4xT7g93Eiy3gd%xNw.OAj ~R,Y t (@QTugX%m/w`hmqU7QO 6 }ELxI\QZ P}½6{&BA8z)uB&k?4S,b0蕟l!{ e&xlǖdX)%$Fs vubګW>MvdI.!J:6" f2i9MFOg-lY}ZaiG;A#$<epP&hGAmߝWPchP_- z0p-i"NQ#üӒuh- XS-\A$v:&`\uB^PbkQxՎx>&K 30=";т`g,(in/JxYb sh_g6mg2>綟о> 4p&^18 ^Y볺z֐w@4=z<͛z S 9)Y+wW_Z(HAC2x 8%gp;VNg( .1fN_s! NBNb ,bk ;/dӜ${֢Mi(h٪J0(`S/X$6J=!DBO[2c#Pm:Ze'@u@uQhԌed5 t4LEtW 7wr%GPsm ' Tt'Bܓ[ WJ}?6˜ Z&Upk\7DD:ؕƺA ռ`cs%qUDd@p%F2Tޯ*0FoΏOFˀ&f#d#nYz荙H(0?oud9<9В o\򛺄}Q,#)0hĐ_qdH7;V7e2ݠ8'fɝm]Rq ,SxB 4<\{iö}K2j`o( : 1=AzߌO lai[ -D ^[9h!=ãUʦhUY>%֬KȍVs;?q:.. گ}ɰ@<.+~lqV;x5՚2N.K4c(K]C?wOQru{.qh0Məqc4-yJ0unuԝVJ!),#TvKnW]{1A ^K ůfyDz]qsAnZKg/1nh23f?6)L$.;8Cp8LhZXHc3 R:OC3DIo2y`f[ %1Pٖvv (/a7L !wU 6ͼyp9̶js+f "IeϺ,/A [{'05v '-ef-luIO[ߓ ] kJ#غ]}d!j{.UY͑F@=S' -tj_r`Eg]\3~KL[ѕH+T;xlsyn]aܔA[^ԅ'/3OK m3"{r_ o5{P]?Oƫ, j&!ᾓ#CRf \(a/YbmEkݨ2[g{l6ڮxqRXwCJ#ha˂'dYkL AfddjOBT J6+*35Te%Df3vFe%g140!`2 !y 6}1(īZyeәi4)3.X7aTQnVF h5)բư\F0hDFXB+nV,>Zxf(Ia.t{b1)ޤz4t6{.7$ڽ=߫\m?)*('re ? </bδTu4z1H.HMEyZ2Yxv|_c ]=҅Aaf< *&mTD.Zkk崴xkdmW{|xξcLvȎC~[{*AˡqIѢe\ƮrnVB9 }T̋ ;YM>q1,`^ mξat:LF*Qbڟr֩,0ey8nHF: O o7+i҆*#CrM{wIrsWPe$A(FXi=dɱ5>H|{| |MٖZXÝYa;#bQGڿ1crt+@3P.(tIX 1xNyn'P0Ǜ:2U8OX~'Fe:q>@3{!c*fW |vm]QyѣTcȬv@=`/rd]e nq*b\dNZ]5j5z +vݨxyȯ B? >~nydbj|{5}ڗ84^c`agP~+=΂Bo9rj + w;i39^ O%SsSS90TNF׋X\{"܁}5xU`]K~vXn zåfsf{Xh0֧xvf»eq{L qs%r?ve4ߧY@`T%K^+e''ycv}r0>uA*Ieuq'[);gG'Ƭo"xe'XZ9#+$`U`4G#=WwWo |!#Q?nȀ](nSZ ٌj Cn7ݜe7eBsIQewֲbnzWŘ6 7@ӈEQ޽sZJdPy1O W҉hi승G*f 8LiDuʀmx 2^{ZUK,V| ޭ1a +S !yw(輻$+COM+Đ `hALrwQGެNCDrغ[<]FSs,o PjZ)4P BХ?18R4&$񊲾/U3\U 'Еb-sW0|~#XOK򅞓n&TT% C." zwc@q!y_s?Wgk~%ب݆[A^Xm[9eYlJ]T2KOq#(kynu۰ ?00_Pft(|ll@Oȑ@`% a{UG-Zٴ2QatV{mL/BK( JKa%M}gO|-nZs223` 'Gc1'lhK 'JY|C2]}Z Ģ)8%Xk饜MtL$v_͍|_)5H-ѵ`̧-Цs⬣>,4j!n&sZbQG' En'Ҁ8bU|2Jw^>Ig2~CS;MJVxTt-. آf7 _:h:&s5=w7K`<#=`!$<^#&܎Ͳ$f _nF1è@8j^LZK<^g~q*jgb+ /<3$̢W ahOaڒn]j WgXq)<_{ToU#x;n- :0 ,`u ;Z s"xp^A5Y#6; 3 ?MfQvl+v7ց˲s$y<+YnH?I:El΁⨏4#,m[Z>2{hfAZㅛa dh9TZץ_eGA-c~f\gҷG n̞B v#dުNuBpCsf2(¬}( >a<{׼H@cO}lsO m8n1]Ug8ިogEΆpEaP2HOVrBЋnO;%Qz)My+֘W+ )nvdXw K`%r@i拺 r-ז:(aZN*Vt Pwd˲y>3a lZ{[V|K''*0Z kPc-36-|uj[4hIHP.9R1};봉[ BK#sX_Ȋ\"tcE0C<ۣ[I-76 YKkpƁP[|0r nR/8RR6Q!Qǚ >aQ,\FRkU QR*B\9Y pRUu!%6H9j@)gRw+@Н4ZT>]6X$P2(:,Q=<{Q+-^l{QrOթ\-=㇒ 峺0@p1]pi[+g/?1&(C݋v:; (aJs:d?E:k'YoXڝ)fMBUjhAUt1d-2]g9` Ht ~`oKlw)&\8t, @S΄(rߞ楡|9>2>^\6^<1`\)OwE55&(>Bf/ެϡY$=rǺF]x RTLv#1!ҟ8ɂju{_ћrHn-oA=e9_)8'+jD/ d[,tZbxLJǺO;?wppA% 7U gۉJR&l5:63a՛| hAD$v;|=;7$5ٖ`E-xtqY(9 njy`\%b/$ڥ8gC@(*'jmV0vqкah/zyp@v;.A@K{b/ ܎˓j$d2 % w2 ̩™dR j&FuI@6!=B pWǢ:]kV0 Dfzɢ'Deh>"g9P4%gb'Mlg\qZKn̷WH{jvpЁh覟.G'm+&p3$!+Z+OFGp6) 'lmrn6°KWɝ_znJ"+;DfUI?m܌/:͓~k)<WHeތ΄^>I !eodW {4 *k* *|̜6wJLel쓶UfmܭȭJc6oy5epӪ֦]p?` 6n3ھ} r.0]pS姣{'K4BIoaeS3 <*WnuW ̺g?]f3SX.Я F qt &"gҒj,8PT߅1"zObP華~jSUxƄ;Hg<}N%,+)]҄;&BsHhf@(@a2<:Snyj{ߗK4Bh d[ű.cP31i}>]G/o~W7RF95KUZcRlӼw&i&>iDհB:{lx,ƕo9 E_fӝ43r7KtRzxjF=j2@f2n9@AeP@Wz*~">!-jwȾ2o-/ͽ!^~ D(\5~Nϭ%¨ gń’jj8Ru#,E&eGפzJ%V"^!3DžƜoOO ӒF$1||w3gTajAL^±cc.J8 gU0~+qV?<ʮol=68lNa4G1wpE~yQUy{+0F2A6.g][5ƣv\vJ[A뫛. lmA?\vWJ# }: B#4a1(젾5{3 QĽlA$HzY;Sя5/Ѽ| 7|nnyjrY>;~pԡ1k !KKdcRBx~'8%`("N\J%qQImu&曷P^t~oxM}W`_d&dݴ)P<=uH0x(4tgeR2 VH:Hc^Z>FišbJgbtv5_B wc-aʺ %q~ T2$qU辛}$3 bq /ăvIsIˊmkuuNNC<& o)@UW<cL5+B|ζͶqhCn~楎fJ2tkZ! XHȅ'|L3䦟O \rDŽpe.cې @8_pf\|G>΋ xğrяB@6ɚp-mvZI'γyJQ/.,6@BiwO2;pL^9un'A̝+v`nn 2{#;CIpvR/G$tR-p;R (',){.yKI/LBl/󧬝F2+8щ7':)f`鍖ߘwtŨ#bAZ դN.3GG⋒Qؼ,z" ܀o1 F;’6 x8?Lf\YF-!Zo|]OVP1iLтm}ęqg jbQO0'ƞ?ƧfBq~JC>.V(_EAN`>+6&omIW&qsqw\#t.GjoZw6Q冟k&&?̜v#.Ւ’4Hͪb]C}S\> "\ VАMkC_DxtIv2?w<yc#Ta%v$T0Vr<+ d~G^J%_pqڻvr:w9]*Þ=Q/Kj`41=*5Skfi$*CP4d'Dwuz@[t$6u\!)5ioMAsm g* 8R2ӶJZ x?+~\ˍn(VH_9ロΥ6aGW-D)Xp`o@R[OsBRᤌ>,[Zk+. a7 tC r>Ľ'Wxda38ֽtsuho&mG}VJ] ij5)SEZ,}e$YFJbh'tW@l} /~gKVR4PE+Uz%[kG5pRov"b m3|s G| Yed۳S IS WxS T;9~TG<~&o6̅J2~K;+G ⻣wS0yh =Ű|ćHi$3l~رbEm;UՑ8a̿кZ)j-9JSBor%n--mC^cSCC-*+pK .EZA_)# u-zx; 'ɞJ`ɈX֏@\@9Cs'kb9Oڞd!VMi[`\ 8xY r͊41Jˤ%~vjjTtVf u,b1M/C`ղRgJ̡_h !wZ뀉lj̓GK 7Xz.vqJK/Wk$tPmMʞ9?~k3)YHZ1/SvЇhx:m 2ua }, ϓ̫7ͳ07*Zq8,pbEE({HYis6t@~s+lĶ^EĮx8մk]PDNQn.o^׬l(w8&-W38⏎f ԻKL H8i6ƌEi)*9o%rMSoJL/5d#x &u/WfY7ہ62].89# ee1՟C"j̔ve-EA/m|OzR_+lTb|. s %\)BD8zeK];-`W XN't2ffᨰ. dUbYvi;0$]'\P&z])zd}(u}F/S<& 44CU,ֆm4SQ*{Oi#7Bm#_5 ?3! I` |K=Q:B^iSc@0}֕z: D<'vK-[lYȝ(_ϽI12Dtv>8ËU<5*V(|~ 2gzۭ8q bFZS-R}tպ5в`Ž:'2͔zS/8:X|ӍrzbYLxID!ېBcF IsַmIxNz;YHZ׃~:#"KO{N9ܦN6 dP8.8AnFO<[eH^jkTH l0a!Zl{ns&uvꌶr)`xl_"YvJyY 1$h$ Xs2Cw袩w!K[˴oBj(LwY3 E߻!<8Yl I5°,dЁi *?2ùc$ G|M3*^\*OdL2o2k΋7<$C=rż_W~S}"X(n~jbb56 Gy1̎nb N+~D2*[j&'a0x> ħꪈZP9^Q lQn.Z!4=Cs4 cϐNꆢJkp3EJI(^ciM_eפ7LVv!]S o6(K.PSIxJt*t]]qmo e@bi*Xz0]L'<+ky:BevӍ[_TgECT0YSJ߻V?2K1RlfgtbRtgi-^rciW1(`U2S:.(Q6GR#9@21W{w*? Wh茡é';p7dWN F3½<ؿOUS*)+R b4#p[sK!¬Q$\w~:OQlV ?vN=7?'YKvP&@Ṇf8;SM8,E >߮VkPǨXE%ÒҊKV"jw2~uV:2>(@ }y+^JӬBvgY޶tl <)Qੈ:7,B#Ze$x /_m%@l\{0!q#9B"[lK8v!] IQ.bZ?_eQN.=pTʶ;i `Y`ESy{7ՔJQ͒~X=$~_UxjGI+Wc!7D_UʼnV1Ovb(Oi{`nXH,#xeB75O)1Ղ8ٷ®# BόZUnvIv}BCkUHҠ ^LܒcݯPQNOJ(*vT; &N7<HgkEH9&97p6P𫗗kua$}/3fD\^3)3R]=#Zt" 3,eO,2E6Ϳ:Q | O>"4(ƙ7Uw9ZB 1yӾ]w{6RâطQ.k=uHrQjIFm.w-L9LP̓5njb RH_ǴsH-|Z '3Ǫ(\"dLR^38uWj~1FWP^й#Cmt0m'Y=o(VY\ouhY>C\ңWh.5\._P2gۢlaIO#Pm*xI =852%)5Ad{Vf&Fg$u0gyўFP QRZ$PǠ01/Y*#ʇ3GOo%L 2 ) 4xa[(5Us41 !E.(q\x1i2rucڈ⚥46[i$Lu+% }Ĩq s7^V\#% ՙpV#S BCz]ڧ3 á1:ՙvGOg>{tyex2JBKǯb/x-΁ ya4@XH@]y|"Ufb!{L[ysC:71isr'WFڐbe9gu.|^IL 9l-L6nl\]!Q}Զ$i~GeܬkQ*#`JMEuGDB!fQ4i9! l ""֍J=Ow:Cz}dXI1|L<@"v'bF@G~pѲQ)!.}%72[N";U3{# 24iC`.kALz'CO8èI#Ucc d2،G Ы(W1]yJpBnF@ہA/i<e -dЌfLQϛhhāMpc湁Ib_s/%@ ?N)0|VZc xΔ!W;״kVmRed -l\3=(7bL .@֨/9o)zte6+2?e#Ugu/e2fUm=Ļ?7ܛ(i8 Tz<6J_< ÀB/I}1 JW9siԌSBqj_PHgpsXi5n ?m,>%%4^j*B!cȤ@ZH`ZAՓl :d HMo1&e-_Fmk Bpr.ğsF\SfIPa17=`j~+Lx`?lIZ1._u5|WEqڌgƉZUty`xBٟ G5Z'>|[%a%1o"\$BN>rdJAŻ SViZxo\};jS:m`So&IDeN奊c5q旡w.2 u>RAEawp!U/n*Am!A%or{~rj KSJuYM?˴!ҵq5c 5Cwl0E'K)p}Qcs!]0}s"N+=Yh]Vm:ґ\&6qGQ~AFwKłf!غ_3k!Г뇱]ŨȨϧ_ ̽m- CUq7iѷyh,, V{nwxa'Z:`4灒NFtP刓3 Wn+R~\[aL>_[jT  mޔbgR2=o2]E,R_D(`y2)r@A|g׵=;c\ߝ->4TլۭUKkYu'B/B{rr!DK1I W - {K,z3Q`{ɮ[K(р'eH57ܲ<[#<[j,=ְmTsԀ}Srvd$,Q3E7CG?tmWhbTA* ڗ[[EmFQ`9̚e*gxJ&tVpмjm?&-V4'k++n];IۚS/ڔlVY {h(|89ë}Q[E9eQΚfrlGa}ÓY_.wթ[EPCZNc&X kLkd7.FmF6pKQBS@9IH|sWHWTζqZ`gr1%Cz[ 8՘PK5^,䀇{Gvw?XD,>GJȮECu=Z;\<$w*y |D:<a̗5KOiV+~5fmd**Q0شZjr?{MטTMGݲZتYNM&eLe^MS>AwW&7#j/m.pIF(;+ss@1JVIBE"i"8.aSbA`Fc\XŞQ1ų]FIJkgd؛91Xzߐ`%g;2( w-45A.mpcaP+heF-93OD[5@{Ø;qH>P{2uΩ/!]Y2XO桹x0E#Ս -"+_if%{~,TTO `fWEPAL)a N*I׮SѮ,,[>~qj-,L>YjL"Q05bZE"'67_| ϫڨUjXZ&PYԺ#k%#x4Yk|HAƢX[ )@7Jk/AꞱ }ƻd6! 8fF9鷰s JѬhMJLE Vn=GQ<̭(L׬fdƑ&esK0c/a/siI*ʭr`pUFeWkf՞7 zM9iD^!n=qs ȋx 2dUIVNn_d(#(C$*;q~RÔ77V*l.79ђ[X4r>y䏰(e+fxw]HNU}g7Uec@8K0]#_8!G6=}W(\{tbb{E 6տ,޾(ìdDikQw(`逇Tm$_̂ϐ=g^yrk0fꉏ[%9HLn̟ H/ѪJN>hGǿ<+_ ޸N7RWo2D|k`-Eì.*o[VQ-ͮ Q=i{_TMqkӮ'g3s(w1:Uuj]h̐tcj`U e3de!m6/u>~K/Ӑ{U"K_x% ,BX_@Zi=afNb >GG-fa5eʪta,Dq\5?t:9dgcvG"yx# 5j0H8vlX']dP9>Q%.uR`WgE Q3ImppC圈LWFkNJ] =٘6(, pB {6ǭ 3(\.S_m*^r*p6ɞ\|lڎMVPb ) A+촭 Z^=t^tj#qܾ3-M ],އV~6g4d 6!ҕO=zl`ݳU⪩\2$e2v~EωLSN,%.pu* fһPJzc%) ")<稫&"U!}mi=,I 6 ;X2&486fvP~K%J3O+Yѣo](h0GVs둣)mV2οT%QZɊH696=%[FuI[BΑ4۩6<ȁg\.iI$ݥf`̈ quOOz3!;f8Ro){:0Ӗюz r Mmu⼨4>6}&';7PwWN+Lg ;ϸ搠I@ O0.RIO +d6p2OXJjv@:{D c뱎LFdۨ~)X ?yѫI'BY-h SOdobr7yAX\هWitds+ZdX݆FZ U^ڤ?t8WhԵq 7׋3S:blzQ'Z~odeqx`W fmIVq8v46iXv?Qy_@XϠ( jE_^O'm֝ L4 sLvڃEₛEPc.#U4w\ k@|#qi[nm"Ygs67kx0?xtmOZTj풶Ql9U$+>=@=Jn\ e{k @O <6l;gG]3$be  5!}ݤﭱe 1m ?>; fy_}Avta-|I*DU#$E GJ~aiF9`Sd~BZ{%ACp%#JB;kS2Xצuii~rxX8_d_=&s$ˤ&0³"4KF0]=[SouҮ/QlXͰo#- dj UY#Rػ^ ̑à{4qhyC_Rۖ=-("<6=F<@G:gۓ$nbҰME̒ O#XVh/k%faiۦID?)_C8#S:.l E)sW┷u૜ BڙFlViӛ-Y@?(l[*_@"^&0)6ݵ!.Bx=2tI} B|/=h˹91X/w +9\zõb,:ŭxd]$ Iv{ vh8ؿ52/YP~ڒ)\M)ӥ,Qi޴Fiè Gݍa8r|mC_~n8~2UظavƮ)waR7>B+-[ໃcT(,ןhf\+ʊ^8/'ccNF96{H+ "OYw5Y k, Zt(~eo,˙rdmOBcq?.R5c6wPXB[w9au8902S Ai:m0Zۂg,>V&GduP .: Qtu(F\D}0? cghRLx"hQfW˞+Ҳ=J$-*4W0$k>Rג͒1"K\ƒc8o=F|h\R:ҽ>OO%=v:64a-D#$Bҿ/[3ל|V*ܻ'"a?Z=dȇOէfo}FCe`;06o>}ne-aU$6:  ʤM.1?O3)Of[w:ܤc_0i!|Hbopt-,IR^,bɽSYv9*Z.?hsr&59-m@gf@jޭY?!r );|6ӧқhYjAtkj8)xv~)95M1MXrp Ґ|nA bVfW;Ŧxﴄs5Βh_7< n%?qOOgz޳-4'Q*@!kXp&P_&{?XQMٷs Y7^ܶ?މWlK3{65rjTHӡs&&\/&Dv9ED+@|`cizH31%4z.v`5t#ڿ=ԏyDVɓDgQӁ[^7{py4[\K;NFqPM*#c! YòF=DtN ? ]3NNǓ^6(C|.ߨ50s]#kbã蚈%#ǙD's4AUMn&8n $T2G#-{*r{&?{ J.9ntG]˅mOBDD\mܲ >QmG'kӺW -5-κFctuR70\Gtq'ʠ{fk V*y>-O_s:0nT !p{ho9u4@*Q 7csGv&ؒ'~RԠlbHKP=-oԬGr;gٓPvz2{*-ԣ#@ebUO,`#x ;Ě}iYí(F$8:H*ҦdRz>PlKtV #gHv7XRbMWpזuYYaݕa<͜41ӓ6qe[us#Td\~e[TpM֞Dg̬gkN4{4ai}ɥ&V9O8ULf`)_R֧bIL`fzDdr\O6[2q@s., $FĆze_٭x>_K@TTN-1g7/a[zfkhNimMbҒ]/$ۿD:ͽD2\][f뎯w gޗ" O#LnII5Ex<^Ȋlk>z}&Ʀ!B8LWx|fO5aL^b^un ign*ŷ~3u Rgqآ,ϫՏ 6ߍq͚i׋KM!3?Eal%CCj)0Upc@k@`ߚ7G1lm9^oXbހR 쉚M}^,جLj呸 ædۙ$fxRo~PUnǦ(K98%F+,2}vkdQ4jUw$Zj1sbLp27';~ DCfk܊K?¡0s T?{%rm~UbS:aJ6{pC\Bwq4hd$z ub/N2e,`Je%h#c\2'+A]0ꄱWEX/HҬ 1](?wMԌ҂MЌ`ľJOKVv+r[7Ʒ7VqԛZ+e]CorDeca4"WZzٷˈz8joda -X*ex4\k^+n|.nv~v@,zEn'߀EGFw:-Т*1gg)z(-[ǭCWm% 2W߫)76'$v|HڇiPJ[Śf3Fl582LxjnhXw>HƏ $/v\$ڭpT¾ox~H0(G<ܙ4?D;\@z=V#zKqXS'=7$\=3cp[(,S^NTFwĖjn^]dO!hvL=b?] l)S8H\x5%@!K .2XE.f&olQVpsce xF.%&ד=;vGǀ٭y(I,:]Es[ MϾQ6QL_)͹dF@Ű4|F[}( x +_ۜΎ05rI e.BJ vr1#^w67 vוJ п&Օ:7#p  Lv`Tz> `siw*{D%R%i؂3Zzϛh=D|4Ԡߊeiݿ!f.|γpy<&H>{ poOUja*# T)bِJ'B(oՑ;GfؼƘGOM]1G@εifM"H /.DVF۱ޏT)-|/Ws=NK4Wq xGM}N8,|}208t~b_9ֲ;KsAy+5|:N\!k_-鳅i+rSî_Rֱ&Ez\yAStj25=R;ۚwdi_)ܚki(sȄpm(nҕI*ّ JU$(ܶ[pCƜnxmtr 8z cNEy  m/~KԹo<Ch!{򉆮8 :W[f\Ô?+=GCNDBFx*뙊$BFT G8LGcʮ13_;cI[%߈ gSø㓈) ؏:MW] >lR(dVbil_!xlz[W*mn^( WJ=@^i`08_JB60;5˹ 2X!(dzvRjHD黼bBMyS.?Dnsm,f%jը/p2iM*:{ٌJI e~?[^Ʋ Ɠ8+oqPY)-~{L[T?vD^23|^*T3e^Tt H歊:4&?*٭ž )._z;{,L`[|r[%tL_^YxYVpșܗyNȥI\ici4!d./!VRd{V;N*ұ`w .;0ㅫB~;%ۿZfl Y޼R]_p+k aN5nÐ8qtIO|YrNkn9k} ^8,CǷ)-;:~Lm?؉i?`^(N"bwVYE6Q%r+έ:ΨՉ#: Ɍ]$IP @8귍Z`vźݓU_u@,cm=m'6dGw9lTϮ k[tfd7ƤRt7@qZrÆ064DxþK ZIkJefpAVUկ}vh7"[ye]_ 9JQXՁ 5tH&N@Id^э)g($Y[bw0]nMFݚ 0!J8Q͕u 姅ؔ,w0ꆖX'XsOmhm'" Q q.y]?ۊy(>zoOڋ)P?8 ./Y5}礩VGZ~c.J/x F$]+j!*8(wl\; UNt wW71/oƸt3y5EPPrll㺗 Hq;`Y v @%f5 < ՍaV08(oFR7V@@F.2 23H|"ҨxkYc|1. Mlފh>u>^GVo xƝv!u"cOӍJP_O b&|VPXB =DFed|z%*6[ccz?fIYWQ{+W 0TD؜xr[eߑY=t`4QZL&2HVpxHMη!.~b" D5r\\/.m-2GD?3:j4rs[)RS:佶$d\ܱ́Q|w/ {p7O+ɼ9݁U w~9ƿ~HȽ:Jf!|X'5gQ(QWQ/bCT4|Ɣx^V [yG7]:Ed1ff 3 xt8oDY8d;V-9O^j{̣+v8=} 3рhUhqU, fAxgLmWwD=;+/W!_ş.K?LFN%cBq+!VKq4+<|#F={X6țٛ{k ]y`xL.QY0GsMZ@;7^-.VVB^뱃xU{2&V 4hh}FR%^52bD&QT|6dHf}'?WU7ƌm~:tOb8KN]QGQ'$g[bY-x;R]K vQnkR} LMpv1ʳaK/iīPy%දЌ@GxlE)=^dDd{WC mo*cz_{&0HQe Վ$ʐՎp.j$KB} Ug״܃|'Q*(s35~+m•Ga\׌RnɴlG*wL@( pL嬻_x4ty#! PnVrykB>vPu|0 ڛόlҼ nD0pY4 &[}ͺWK@@2c2M5Za:pC'gY.7ڵ0ˤbg3>:s  gqU7YIwiE.=sl}PށL=3Ō%Qck*J#v0MF'Ich]_0C/qS*ݷwնU0>Blu䆯aa\!C-wNxk)nB̛r`.ӪB<yvfctxOh!o!Cwdc}-} d{+hO%$Ӷ- ՓS{_nحe]n(8['~T)(N`cSSe@H; o)F\8G-{1gSmMEw:Rޑ_f I8H-Щ5ė*&M-eKy5r|!d>JB6j$;<b }R2&Qۢ6h ]aN.Zw݉1[ `u^5Qo: 3pYqӭoV~cB=Hty4|;d 3uЄ6٘NK <hU>"&`B=5rB^3䟵IeEnN˘-hc8&6X`A{cT]Jl[;3M?IRxr=!R`c?y4}HytM]-RPU_lGb_D@nPOU{f%EJ^ ~L ^qӏ@\bze mT?rtơAQv`5|_e ]pv}v"]>g#>k>:zJ]Lh!):N 5G!F4l^[lt3@9EfEaYqU*3߂*I -. [N)RŪqE ;hw[OF<׎{DdաtXUJ[+G ޺u.82[y(#ijaL^ ف$ޯ?"<\8h7'2xmH#yWBE'z7ب9G:wEB4줹- Y*}J.iLryJ-d6SWillo3~%H<9! U?+;:EW[3q1L$pJk#lP4Yh^6f|A(lO_?$Mq 92.747nNX ;U+"ec}XmVkCy*ENTWz" phPB>ةtC<+Xg(lkKE'W jX}5}:"`ᕏP@vDSM4h#z++yTnIb > ,rH N : #me(6v"+@ydW6sRp6 pBu7VXW{I9߷4cwDJ:ndۃ~L,}%H;Z>lgv}{To*!LYc.!^ siYe\*3І)u낒xJ AdY }9Pۦ| TS?c$#6GxkpL.҉=aci4 40q fg67 }bF{àD{kZu٭[kBFtQĖ%p+6i$GKOF:5a80ӼYaeV˥.<&4<?&ɖ ?V*b`nM-Ͼ jvPPO üd8 .Q]$#s۶GH#7C2 fqLMp*1L!GcMݽw%1cL+c'AnS'3YEbM)#e HO!I^kgba!jI2"c,w7.,P{#$+fv{;BY 2..i˴R1a1d lKryz;],\Y%J)υDOT䦐u(_egF:L-SЉ݉EdoAQ)MʾJb\0᚜gi] }.=K'pdwM~X،V(8ݏJ?СFN1 Pѕ؇/gES/Z4H+m7*rݍGj#BU_bnb6}G)ШgVO. 8{UW!Q?Xǐ;4ܩ1Xxa0l26{&*ndmnllp4hΖHc00]ޡu%n'MR&$g>S9|84OPET~a }j+9Tcx4)I/@K"2t$_=ן`qS/Ng[&1ԍ ڐt8@ `aU؜C^9r=̓ Y!Ǔ`qxVKaa_ &^D4Ci%f-%suKB19o a[zW.n^(,s`B@Ռ,xC v9۝wNL|޿&q]֘!'kOz/Ffpoo 7 RLxbنX{.J_?zK显)[Pj)Zm Vi0U݇.__t'B.T:(23sQðv=4zj*<;$2?Ń\";/PE ʳUώ ύ7ԘB1?3iìM<0ݻcFH)#ZaTQiPͮ&Mj.V^pB%~ټdU17pmRf* `0ٺťQlF,#4>v5_`41ljG,TZWEPt|Fd I.ߒ 7$VV|MæDH;tNm2:}šd'7rܱTx(4ll-ySu6af~0ːhʴO)He)V$%c'2[SI8re.;*,w|:@| S,jcA-@>:D|.UXX@xBNb.Yh= 4(<ߩ>^RGCfB-[.H~vGMPA@o7q6,' .9v$Ň"UƋ,;䪅ɭ~ۡMdwI{_SL ŋH8q]JP8^7 _#1<+/1 YJ2JI]Ytp;hTwjP'i*/')Ћ@kuibt-=}#JR7GO\E)9d.7JU> 1"4M ߉gd'5=1@[e*1*x[+,_PMaEU%/ٴVaD͟y2xú7 ,Ydl.wX4Z7'xU6N7hEMKؿdͰ?JZ3f[VowSOQl[h4":c%v@56&s +K7%2o>+|}[sJ[??Qͣ܍T׸C[}~BIF(A Ud2f'BT$-JedY"^&@yX?pa71HZ9 ,yhi%m9DwD*]8W_S󴧆v=;إ(.fզߓĸQU' _CU/ީ~UwhЈ= Qd]|S}輧xs>ΨJې:ɦXI;a^b ojsAGMpϺةAERtbe:gMZB{P(C:d= t  ]倈z(sּp#6FHCscݱtc‘{Ti~DNiagA[IF!Un*mm!(Kjўg U1zEeFD;:*识XsC1[mFIXGY8|XD$Ev!SgE,]-e1yuC* g9L=DEupܷuk"IԝFYy{YOy`980kՌ )5@'ZL77x̸Ld(-+p  O:~HlSyH['5On=]d[ZS]b|ж`^%v+8VB:[bm{ }?61 yq˞>d%{dA/-û|c7&H=B +Pq#n+?}ģ÷}HςJ١G_/}=,0|'/q 1FV cQoM#I?牆@H-ZĪv?vKaS =#_C~5fhy`K[wq6-X;?vrFz(T@{:PZӐF2uH]V0|2A٤)BPca'uA3LXT^iv}CC>?/)s!elpyt吃ZU29ؤS)ǣq}@=<0ɉv 4}&9# xj0G׍|ybQWr 9c V'736hSpZӆiMܡI  >{)w, r9~Íq 5T'Sd8.cf%@B:ٮp׍rhyJcrJDwLWxփVUP3€絯q(qP.)i*c{v`*(u%l&p 2 Q~vJ04I|tM\)Ƒz.j]t"o}i!_WvA* XH`uy1^B=ydΔ)=r=c>qehV߈nE\iu0Px2AoLxI݇`5ėCU/Vusp{dITeh/1@?|<ɋq4QdXAN}Jvz*drKTᄅ@`'/g~4ݙ416ҾLԄɷ 2[!e_9> ehù49[FP<5/-Zk>,U*K{\epgIvj.{0vKH%7QBsɒ}d"e 0x_o;{Mgw_`@Z5]Bq+OܟbAkE,`/S=Ȕٴ%. pp$WkQ#3aOBߙ&wH(!oV+!Tco(V@nT1#BJ !؞?R2gP-Oi 7`%nS YP!9l$rۮe=NÁu4e44A}׻ [ S{eʈP#NR<ELS`K1_6u O碻t5d>2|F2p-lmXǪ "M^Ky}}SPhoM0?2IW.J$Ur!1+$ CKd`C@SzQhlL:Xڰ#4~"\{|57#ID!ஈ|(Cb*$J|xƔ,4yO2V2CS P^9])UŽ8,SO,nr>Z$g=[9LJi-7*A Q,61,l̈hN醧%KboxsߖxƢU!Qm1O.BAxI|VI52SGm4=Pv-q7szx4YԜE8{\ziatB2YzAZ:T9⌀ۂӆ@?k.]R!p7Pf.^$y˃5JM '90YsF J¼t ݱ[ rO…vַ{e+R$ o3aL\uuLY+Ch h2tLfW6F՚ vѓYtKORH{ƟW~G4G|Sԡ, hf9?01ݧhCXO7*zMzc.jR$Kڄ4 q`& чQEA hrq2I -ȜBky^ill0>4t &pHތN)L &LAYniǕm'0ҵʉW,G& NMnbydxO"?: 3Ñ.Q$.~ovnpA2 ˝]5p$ rh+#IXiz6I.~n3ӂBcsq%04;Jj'%X,sϐ'AҶkx'HgK&Sl um$܌cpyϳ|t/W~pћprbhp ET$ VhsS>RLra=#Q(;E%%rTWJ#WƤ#&%Lix"ZB zqZato`=d9lSR'DPeJwf,Un&8;r#U8X2JA*U끙eG\ D$$Ǔ0HQ!վ!ρFkk&g4>ϭb6*ɩu垕h+{jn4O[ X/PkiӇ᳊4ZZ28GhKѹ H 5kf"a v晃@)PJbnqmAo$y,,U aS#ӳ\i`Gî)KZcH`E@$n/ߞǾhx"7."*GGof|>j?22bY ʏ9h6c[bEc~ TFV!TU@l&oO_03lw_5$"-:A`|3~Q%C|X@b J@|m|6/2<"th%e2cTd+rކ#iV# pv99^l'q-T(nmsN綘# TQ5Yjs2a8(6s*hѥ k(_P⣭`Nmc  =]a7§gsOJeIZSa< ƟFm5gnoͼnmL>Z)f=xJ7ѿߓII.ha/R`|nL0BYm^1>5gU8hhW$um!c:o ^yIKy F;5Ӆ}C|sQX@`AXnrt$W =?0-]}=^+ y4S"Mc\jM'pGAsex'H[9nXGurpэ@ԓy'50Ҿfulve.tOdwv -bptkL|>Q9U%doõ>+B*HzQv hߵMˆ,gܒRϫ( i~1Ͽ(VOSN-6ƷukW\UP7⓸RԲAј ]F_=hC4`XƤ”Ev=AOUѽ2Y!q')th:f&k:4.Dxh{N*ܳd*[f#G.^iRL"Ȕ<_($_4FU:o(4" 44;kdhfT, >WD=2!.'ΗkwL^Mcsz9]؊%g2hՋ[4,Eq; z8G7о\-(DF*  v ͈q[]<ҹªDpY= ] vo*oGҨ7*ο(;:DoJaoM>C9\e c= PζaEZL\KO—Jvҏ,Y)@=ǭw^=0,X(Nfd"޽Ub"zMT^>*?:7VOaf7OOz3/H=Ոoj*$11UСir>oR.~#< DVX pj(^uvVSeA 1IkK"UD?!):|OgKvx5.U탌YmN^:˘Bm*G{|$bT{bu6oR͍Ūg{".8+l.4B,^~;W ۳d]?O?)la_%NuND|-^lp\7&-ciS$9orlFYYk XLU<&^7=I԰H[^ ҮuT{k3-HtEכxn|]&.ϠCMpxRtE{`vv5 pjW(ɢ޶%s]K m-"iN7A3̣%Tzwʻ-Ն5@&YZ}$U2^׾'^3 )ޠKb&+̅ `&coVwE \ɬY-C~h%? lM)6| d/PUnV͘d ŋ37vQ;$PŏEڼ? fU{z$<=8Ax3Ҭrux}&^Stekh~:329`_Tvǣ ~K މ[i]0@B _~F9)0oiG Uj%atgK`G S#pr|+ |a7Ξa"U8UM1@P2Vmjl(`Qi ٷ ڻk=#Xm*3=K"ԓ#N [pQ7#9F9HT(C|1 zdYG a(G';nf4(e FDM*TP2 YOŷϷ-FVL}!mKV!bWP3z0Gs_y}oVts|Owל1wp;۔]mevEo_p5xt͙@ᑿ 5B2Ar *_S? hζL=mLWڈ* Eײ$)8'sD 6t'촵(  hd |3L71T$:wNPi\V]A(ݙ!">6lH5X?41ͱ͐?I'ya" fYRQbv%iڍ&g*RK2_o煢s ,X6n$mBˤ|7bberQlkA!`_ iJ 4}XY:j5r<g:Uy%Yi,l_[^`F zlWv=CáX}GN# (-R4X4%$€ζqÝ̗g&4*d&} =yq]1/dcjC8G< K2)zl|i FS?Y8g"q?A߮@PD 6B}:9c{Bq;N$3j2^CcZ+1{QS)drkNں(%ik``S5@|!d`ˋ^^TlTO|x,] pWȔf' q}9 ߴMQ z#3!FkSZ}Vafds [+A =]fϋ m6ƒ}ZRӍ-USnT+,Ag6L߂=' "%VsǑ _"HQq8Cq(g4ƄнCru˪h&5m&l: ğ1?'"!gRҾө;^ csDӻz?a`Ny.^qA/I1Yq1%* ,M#[Fd~a(OE!ǧUNZ4MZfNvMHWEANeJ6rX }}$[R!}yj憷@UQǵ!uƽ-ە99,PlDv$>]2ʚ΋Ňg C]ܱ `qCQ,2'*A6߆TASe<1fz fyf_ufjI`pޥN͕F>(dfq {V)a<Ő%CFqG£{JLI5/mhd= NyMo,z"- ɪ[DkM%٘Eq7-&7qTJǽ-oz &iwTn!͔ :|\jϞEdiŏw_{~xf;}\SM)^ 9u4 q(G[YO)SG}#;;*sd8sf)t6X!=]EH'Duxp%m9EH*F:=Z`mJI'VLmr֞"D;47{?!s/l/S]7,bx.Z}O' ۲Cy_tє a8+&Zfi첊N-pE )YU-I:"/Û,HUQ9`i̜ dREuQW9*Kҕ8paAO cg qͩ(%X#vٍb4dqQM-Ҿ8T&w;F))̂[hhuHoBRW?<_ %PxK.f Qذ.LU@韌U:8rfd,ѿl^u]wZ!+l '4 Y0:7 j_ /fr|Lo7XDN&ⷒaw--S[P !&%@ \P v1UE;Xsٮb0r| %@BL`/D{ŴhDW(y2ɤ4hr΀WRٷGM~{Ĵ?SW"?[%Q7D&J{)du&d}݆2Îƀg./M݆^~ܦުS;&-P*q,မe)ɦ=G`01f9tC^ ~t9cPW za1x6 fR3 .Uw5p+x\h[)[IXAa}3~?;0hiwcaƚlj;_]٧b;=9>GBI{nFz5 Ec*IlԶ~D] (?xbF^`䳦~CWJSH'Y+gGV0Epy Qny'fh2b=P兙`េNƖBgIPsx'(! ³,GЭ: v 7=!gisȁ6Qw~;[%j2uO#j `%-ư!xWHV+VoS3CbM2t|p^iUt0 3 8Қj!o/+M*$c1Zyg󭫷IW]:h] o782 1@O UNeW;4cz[~vIc +BaCf>oOB]\Z Ze<&zu0c2ρKr^a6x Fx[1['X*<:a\Mx cW̘.lb,}Ε2/B&O X9^E=Ueyv%x>vq#O?+IQxFq!LǕ< ) Hɜ`L|1x ̓f7ȬS(Wgc6#a ~D$mW*gh6Bve{Nқmӝb73.ǽ幩y>`K3k9FWSmG^H3A#jRYIYdp(UЌU 3H7āwdK!P7fvE VEW S섎}@:ȠPI7%ŽB5Hيs\fvQ֐Ό\pPA,ɑ,(#~ϼ/}ҡl3j}q(CXW]cBiBG(#~B iW+_dg.6$ta{!ĂELuѦbG,hp*z8 2؁ 0)= @^ tEvM4mMu^^?@}a0yw*/`FܡK̂|fpC̒SU0\6d'\Cy8P\c{ tϫpD{n=sQT}ǣR3?6(GW=wvr0(7N'|1g-Έ=|`X)c!^Kt}T'AL/7 &Y2ߨC! auR r3+ɻ( i"fmdq2{ Hkt7:ҞaQJ0Ki;'~QZ!Tm+HqvZo1G$k2՛/eH0q9Yϧi@A4Qg/oh/v!:J}gcu%DRd=5=CCPBtR+;o "ĝt{[^`^5 W h',F6Z5S&**{t7$~9*kwߙ,!B{Q \L0>_%z#sq[q 9CC1f[ o52^<$>TP1ReGT0#fgfZf6SYV[0Lz[cfF9Iۦq˨xRD^1e|Q0RvLDukd[iѠH*:%"3yFғX8&eD;qs\HU 1/im *4M 'IÜ/0Q1">|S톫GvjSUڟ@#Oiw3l8d; fOH+*=KDɿ5פLBxc(F+j4Kxۯcؕ. ihcju^`jdd8O`XJu` yaEM\qs8?m⨋^6!\TM) Up+《2i=DyYCY;I[Tx"Gv7Ey7{;_' ӌ&TEZ  W l;mUM"o("qx V9A~hrbbEm0m nU@C;U_2UXHA8蜖 ) Q qib~6oqؖZ65hJ[ƸcZvAlIHG.I_塀`?Oɹ^,T)AdqW6_oSZ7&rT}F8]@io5oBIQooV<a7/{[p)$ Qm׊7JM˕ˢ)s0W9>Vo_Pﷹ$Qg̺-y@}XǺ^@j;jYTiaݚVU<:`ǽp ʺÚN[ߛQ`8y¡"RW:⺥# +V:'xFͳXVFnQ2go+ɖ4rn])th -t&="vw~p،*sv%,/ G9o؊s7Wn@즵Em[~8ll{r\Lh}+;+RTthظ:ܱ\pR:/(فp( \94;ٌ 鍷gAݞ`&;mRcLr9Y۹" ka_J0EUI`ć?aC[zM]go#Ifج1txxqy'l%ͼSlMO탕'^hslZ5 &b4;zhv;{tfD+D2,__`I֋zRr('EnbkYVn{ ,K"Ã(rp"ؽ5震Ev7*;A1Aښ{vߵPǗd[!C#)UU䆦z[> &W:4YI1fQ3ՎF}m+>JX Mˮ|I~zS%B/F3B]:-i:RJӧ;X7c ^hЊďѲLDj[euwڊg٨s RK ƳYx-ďs>’J' \_05y=tp2"lܘV\2D0{dW@^+= ӄ0P3kR$e01W:qhCߍgX)]8PM]ih+whW0QkeW.i Cԉwp(N;tZA{lhij/r#>?@cF]|sp o6aSJ8.)t$RuiS#å:Nٚ/+mC f a:;T]=x3 gL"D~)\>= Je5|bw"[iZ ~&IÞf! <3u˹3F,\1˝cϸ S]B'%&C"@ OE-aeΆȥJ߁.b?ho/ު@H_ioڐ iK&lS* >xψ.ma%6HYjuj>_uщ0$\G7Ζamt5^hIKW}~ipMӅ\cATk"--v]3 j`qkБ)SRgxs7N/b*3sO/Q)yƋwPh"݋r|{\N[:Ci5k!&8ׇ{.A7xPu-g}aynq8jlg8r1߹NF(MHc:;bIvmP SuFI)d>ˮ`'NEQ3i{ f(6e"_4 Wq_Z#: -m. J}0ԅqZ5=m*VHjgD]Y-u&puEO2^%FN'T *Sjrhu qs^u\&}}jE 3'ެ?Z7!*OJQH|#-e꘺x/o2 %5y;{^@tpmn2us]ѻة1WieߍKH;/_KW!;^\,>𦦀i&~L'.#,@nIbJ;U 8e/Od?s@, s)ihuR<>t 8ZcxbܫE&g0>! 5gcxyҧbM@\h0hH*ukȍ]oPO6RqWl(z8ҌPXV{`+  8Qqe*K(dKUZ^SzȪho<.+ MVu5bb`4P5~+3WcF< 6PeALz6`)"&l#dhm>xDVtWݞ5ֆ3K@l؅l]m]v) | Aw-Nd pTSWQccT= c'mt3.};H׈SpmhWL)dB%!\3kGŝS lY`: ,%9aw4CW:Ғ 2h(+iAT Tz^N;NebPyJ֟P*-XHwfDD<Ǖ@_Eӳ\@@\`o&~B|?M6݌{T,?"ۇ ;lsE(8LÞ!t§l ؾ$t%\(Z8Kc#7&|v;ƥpR'olxʾ` ړL\bн($~'r2hƻg¢WABwn;bCeGRW5 ŠGq660v\du%m[Wǁ2HEAq dA"y~W i+ɒO hhǶU7IQi(#O&}\I[]'zjrV^MjDvT+⩬,x3~>@ۦL؟`H!ؚ?~#iSE\  NװΡτH!-C[GȾݳ` -T:[}UT ) KI]B(ue+1g'69#o\Oš8vܜZ ȟGTTOJvs ہCI+dU{8G>]Pm/wL-OUmB7zU͂pqB/׿|/Tc4ҶJ)1!GiBCo09 *%%XO =Z72/!S^f~[}9xگ`VGr{2fﷳRt,!11Φq{r$-Qz<^  c=:pigBa׀`#DOM:7iכ8%EG-O(jca[@1< 0!hJ~Lea64nX,Ƶ(CDM. "E c)hiB*YnQK #/K)vB.9L@PO1M}N6Y5}PJX̀k2+/.4 \e׷2g/V:֔]]v,,S)##KS1fbI :2؛бČ+ć%Nba#/ed\n}|5- ߊ1FjXZwb߯آt%k^|AԷJzR . c>t89[_Hn0Z[!Wߴ>n%k@snH>Q77i\oJy'5Ry1sX⼩By3JBlvƌa[V2LF;L<W2)\T)0٣v8=hp{y"3#9X$1åٶ?IH ,UW ݑœ wK5ԣ@ȴ$٬q(%Tb/v_6uEwJo5,%g╆ˉ;/Yb(q#CrFN`W "[V(r-RD@YOz?/>ly~3pK8I'y5v.Oh&jKgQury' א[^~/;"5[?7O )UP$qh& nHxOҷRZ-4^CWA_L]nE7'zȅd 'OE)=_ 9QT-E"@r(2f9P&v/BX1SgCŇU 0\C?͕%ԟԱbf{BmY~B$zzһ5##WfuXϔsISGRYh5R!hLQr \2?Q<'BE+,>iS(%!Qܨ2.,AB1|(\~lw(Tvnhm6OۍuBˌ?&"'_8UG\#ݰ̸JUnN0(qR)-fv6mT-Ée jAA/pҚߑ'54|{I62Feby4d56SmtY1l#{:84Go:RfR܇58^8#GZ36żGC;Y!'b|/;? h5O* і$<ڄ-D},ϞMs(Ϛ]C\zK1|"\xm} AIg5N!N[2Kr!krt-&LU *g\d>MQzY5oV|h `rBxU΁ڀ:NI M_l*J FH]%'Z/p|i ^]I@O* FfSUZ&?rQ~I0_*խwfM8L.w/y>n[tDh؋/HS(.:;Dh.(5"7T=e ,wd؁֡I8[CF>U'/sW{(^9!9qb*uRS 2)3qc@R*yjKeo[TJLC樂\X(jaO,w.8+T>`A#421u1i-b@mo ?½,fT svm-: rrhT h%(1 A0a]@W * 'u(3[?>`Ԁy ohȭD$riPY#} r=QQ@i,7S@F'_56IGO˂nc6^߳foy#U*ĔwgdK 7]<9ܒy/<\s]l.塟( (, ^ӡܐ}Z\2;~3E#(SEI&H_]c*vn|\խَP0iL6TI)+SV9Y`ɺL>Ee ³I>ĸZb'l{fz]Y@* e֤g*طȩy<ȆKD2߻c=kW4zWxeN$cN4-d\in'!'tp-$$BHCyP{Ԑ}RnҔY˷8cscT(+=V\JIΖ2{j='K ly1Y5QoL%8{OJu*Ii"f.}> tϩG 8G@;nذF*iu_0R)nqh4I3c"m:8S<Éx+IO'Ww2m3kPpRcU%GY\e?k40]wA`Jbz-cL2Siģ8Q0"M@;g>.aKOJDyL\{iZC<qlwB\`e$[OR,L ydKkV,{!A3Ai;!. ;Em 6ƺw@ͩ}H(! K?["h|22{hAL-͐4mW.&Z*2 zZd\6s)2AKg0ޫ5%18D#\[ucյ)WSԊRK5xKkhCy;7G*7 LA{%g3%w)!?<=SeEIB[[7LfpYMJ?ў7|L(43@9y \ӵD˄Vvy#538#9#UxIC2?J- }Z+0Cv\SSI~Q=[וxdM.w>9KKGِQ\IhQ U1n42erԂGU FfTs|`cI@zL8&: 3qE]WkX?3`Y *_AJ u4WVCxy6n fܫ!AV%*Btheן%: \lʴKkW\/缝ξ74p\fyg:"yZOl6tl,2| 3x[l؆'_0dn$3+|_=@P$DM=vkC|~%a ΨfJw=3|IzzMMɣ;xRd|!R6g$B8[EWXF*~E m= 0ڦ\ا(5apU$fn#l >:N{Ami쑭@1_Ov/CN`nGS{ Vg9`:Q+in|J}{m51PcfU>7>)e.CdTfG F,O`'\woĤu將1QQ>,(cMeqZ]b|e#<:1e܏a _`z_NJ "n rdtq(6=E!oH,{ۼ0-n5aYwY<)â0dtmPO;dk`{$K T˕[D kFXBIASrųVW~VVN} ;V$6wpC2*Ql!D}$ -eЯZ.kH< ZZ0na_Dm[C_(ԋvOnͱq37 mhɰx1B-<s}&`O}"VյGF9ؠt3\[^E:ZQ9y.\st@s5hfԊ~3-2#A_N5s}NOQ[C [&]nu (*!/엦{N$> QCf[tA~1aiiᖩ"n}B x9tbZΩͲc!J,VPxvA*.k3$, / vdf c0P}]KjpoloH儩$pi< qg_`O Px@ fvk~(B1VOz\ǭ`|LxUqԞpk&!rY`x1@ 8'LYӨMP{`z7) ,R QOv4Akt:ƚ[-`4CҎϋWOS lE }_d ŹQVߨm4Q )~vI$n%a#PRSbw#`_'4dYPiN \QHψ(HZN6Fnw'Eb=X<]f>jSTm,3mKET<*hjF5cݧ>-mf↍e *wxpCCV*F،7hB|5qʒmk}/ó<ߪB+Ɩ"N $:uɞm3%Q ߬a{*V)?-Wn 0sd)qTbVEzq@`ag&zSD9{fXrXA =)}NtN?=ͱ͑K'3_ be"堲,zypdn\U6iQW$lG˗#Ƅ,{g/x71ueCN)ݶ/p i79Xq8:s6 .mxEThR ɱa?UBV%'Xo cGjY*diڈ|]@{4J5%]{_]E7]Fթ*- hG{G3]E.AֶADEtA \ua7ɎY ewǶ84JYrی(́F8?Z3nA?t>b<&5@r`[|Kf-fX%֟hpV)5:CV#:}2[_xܳ+𖥾j6V`Q?n7nfy gkc()q2ۮJ3 qm*cuf'wp%UmA~΂g% `2}*=,p j5w{5?u^n)={u=DEi¼hH=tcs (5 {\MNdL nIcd8xRuПLhodr]A.g_21͞vU4ILeƾl)=|ӱ g\%rPŭ[[BZϘ[N AbN@йE ( oh0l^XHV3Â#3J80{:Hj= .2M™,G*##P2 d]F c;xRУh5HBvqH'RWI1|&l:x垉}0[x/CU%-`0*oJ9V]łK~^#.~\@e}n MUJDnH &<_{ d0t/g"MaAV%\_;>тf"K#6@Hi5i.oMݭS~L~C'ݕJUwW.!@buH: |mi1SXg>XpBܐ[-e&hQcؤvEB._-m΢Fm?ַ`Auppj Y^ Wj0l X\J,~.:zAT(!87*1Xh,Eq!th5oC77ͱ^~-*&Mib:WM-fYip)oȬk}GIJh/EQ4vt_UElYmX&ʻ #Es6Y~~ҕ%}:\߁M;rͤ FS<ڸs.܉E8 2RxxtЯ;"»:M@!*Q`zpHLGP^V``M)=XDExæ& 8ϥ`ݵ"@\<3ծ5ajuZǴ3hӟ0x*MJ])77&:)N{oRƭ 4wY%X 䉮,!k;N7i sceYW#&䏰[Xy }_3 Ѫ`'MVvE-g;{E:2*E}1\8+G׽w|ЙaL Uɷ[zS[`gbD Z#M0~X%_v_#sU*-;mݴMFn\-)={UVW} \彦:kn`.sdo0dƝa:~B;l+dߤB7:LC*9/L"!*%mǽZ+&A,'¾'kb{Ņh 67Zg4Ry!ÃH)G00 2VX]7:ږƋ6V♎\o ^Kbqt0aVXA%Z4`/#*+.^uD[T4h;☋[YFt MXHj⮿F/t*:*GgЯXzUZI$Fv[- %`Y_ՌzUVjʊPBq!iOta[h{(*M5HĄWju'zB /C`2I%&&y80h[ew;#aYiO=x b>Ж"eX+(QR}FSp]29>Fr_|*%UnW@|tCWt!lRC9 ׌B] S. @Ů@L1@_nc{ʀXCEzv^Ũ09YaF=\u<Q)[D5_E`$68$lx]{|Gͷ40#QcxV:kV7$RÞ:%fp%FۚS]Q$o/\ `y: _^іzvty+S@x]#FxcXQ;&ս!#ƍ K,<]qƋ!B"pnHA%ءCF-p,??whDͭ w!K|6G hQ=$B:["4`q; q)% .?p%{Sr=FaDl\FWYF`5/jL߅lRY 0خFڻB然-܍#$#HHP~K*@_6YI;0\`d}9M'w5W[j#m'zZ̙u{A¢sP%GI_iv}vFwʪᏴ\p(c"'By]zʥ6N?T-!"szz7' ͢!.vrA:-qZȞSBZN Iw%hoj$jļ_|ޤV 2O͸-%g%Qvn&.K@7W)ANc dq2Τ=`[w#Ӛȅa6Ʌ. =6c_1eOHJ[zKǖ-:~2-B`i7,de1+Y ߁(Gg}}Sό3;xʫ]H s9~ޠw ڵx[XR-twY'App:L-OWrxXmr 4Ey6]G7YlTq%{7rbW4,A~0#Imjj`a+Q+F$ia ?9Y\L'qe^U*0m)n,Xz/th䣝jDŽ2' rAJu.uڽ5˕eeO #]qKHgM9^f/2m܋wDXaJ*X&[-H!ChUAza83?0X?Y;zd{irR$T̠ԫֺ+ 11yltP6U>lVA0;!9Z@Q7>q'8Ka?Qc MlLMN_צviW .wR]CC+2(aqu1\t7&,>p΋V< Sܟ{Tnޱ TहleNT#ɴaIÎ75DJV;/?N<ޥ ƛx>Ԋ{J-dlmd/e_5TW3~@N?c%j$ėo-m) D#ڠDr0p%$R$mqC6" ~3 c-kmdUA0I#kԀJ7OQsľ.xF[)-iM$ZǼך^GжIڇ9U i Os6)"zAU{軕6c+L}l\&v3s^!@~p!4W+a!B\Zk)@L=5W]IO}l1Н50{k?,zȊ *RLI|&HNxwMmy2B\}6+fH)QRfm>2ԯ\l5R Բ!~n5iTs(Qze 0 eށG />ıI5|\׀-Ls6b4ERbT夝@YTuѮHycc2v_kY}rϹ&<‡?Zvh1%o ՊuBM\QFщ~RwCDW}:p ۇ_؝QpJsC f]Y,%[P{{H5yGr\mk0ACO?'c_7<+/)dӸj&ơ5'yyypkmm8+{9azHkhPic@XC XQG٪`ym}8*sFa,Ξo\"} ؈o55E[-Y]ƚs,ܬ/RB([,.dNxs[(f9tPA!/Y= (ElGfpy"24m"љLNoyxu۵]9Y#ZxғǵaD/gb+Iwem䜿9R"{ Yj5z߲OFer /F]|vJ(c f؁-|!'g{uۇ-- JT1{yGh}TẼ5"$Ú wp f'M+=A{`68i17G%Kďb$e.wG,',-|.Ds~誯**9wYsAz[u+kTss\'prtt*lw{ 5*aң=.ClP# v8nb2%Zy 6I*;ei I]8KcZdF3#_u3/On6^2ЍSL\5,#mg3K6ɴ= q.&F*Dx݊Sn TI;5T̂j4X-;:O'̹)]omo%j$HH+3 'V .7x9ߔ q pB06uzPEn K{&]Ӎ ,*єvL{x&2s6kᧄ''1<&chxu[q ύ./tsjSef:d &ghmnk#ZJ:+9UŦMUW^ME$_0䠴aĩiOkSW\9xTFƃ5^ïz^UL@Z+[b;m  ISnvc L{AwTN$s"KQ>} 2%$pr }zJ(hdW@9T2 *{W#߸]HHྺ#gRrew=,ynW N d4:C-X-!J7Go=&\H(.Ї.\ i@ [}-boJk-MCw^Ka6U[,-IwarS1xA\=w9iZ$@KCG+ W*!8UdM8ZL^ۆbΞ񂣄~0SacBő2aNlHݾ6IfSTF7RPSc5bVy9[Ru?c2<ہ-х멩ś'UC[rC 0( o[!##B̨s\H N h :<ʶM8{ X"Opkְ7*vzۧlPXR\/5a~%b|!H׼Wp0\wg]{+tjh'95vjO&)ARW , [|Zkh:uDetQV;kE:2笟温H}LI"7x^cT8o~k_ƴ$9] 1ui yH '9?%oyn 9֧.)֜eZMjzsU1nV."_1jik~4;nۼMjn[t}uCeO#.\ɣ{oM yղ i/CPF7%6LvFZ(RsJ$ize1rÚW9O)iPBG"|gZI9f=56)f 0?mZd lqbB5Dmԟ@7y)Wmvd"o+*xL^z\'(`ce-Nrz#Fb^<1ytrqڕ|j%|~X8y.1gxF(`? *)]͵Z]q?a=9 NC9 G0y;$5 GHнŨ G?H"cZ Ua]+ӰiW)uݼb .Ċ=.d c?4 W0<x#67Lm2,[B~ z=sɇ}Bc/Vݤ=ʋХ1d_ޛ]<^;Qv{@ 7j=)ZG\,GlP`8' ,"|>W.7=Yt`rna+5gZģ>B׆KÌОҘ.[+7j;T.yd@R' Q9^e:ȳ.ہ:q MxigZx &hZwG'lYJ+ئ5) ]KO:&]5?Jp` <fI)MruX5ƍ Yә/c ]Йd$~ed۴'pJr~ &$,-!c]u#% tV]& bAC6ҟ`w.pV-]MEp>da-%iS)[x 4-yd/'Jy0@-ĵsOTpVkO"|\փzX&Q#ϭ)?dRDS rwOD,Hۀ_GYG1qSᠥYl2"IſL"3UP"Ih敠+XA(p"^vA?|E0p uʞZQ,f uT,DfQK |ikE/g\<8$ 0w{l=ldSOZLU4ZnL@ŏɰ:=J/ke=BWAK0G2=$^Q3 g^5YF\睍, $w aCtUJ/q='c8,:GS @{ZA\UhP */-%O?RSɰ^a\ Ad4Pךm>$@<1 Da ]mJPKQ hL;kf;Wr%:ĺ=%f5%x\ҩyBG9`9N*92箠 rxXNmyI2tCn"XV$cµgKgnĝݗp/u)HB4/Rq4|v(y5Fozt˩v4Ɔ1 6sW\*X3(!b-}0!J*П6~. =`S5oR%֡#HR:\c$MYv[Q C$}s>2~-͂?Y6QNDm έISDOGSm͙6vRI3#򕿓t<4FV0' &1#D^ \O1T26 Fleb:O=M>ay"%o—8V( Wz}RKKD WHznQ\_S9h0]hX [-7I882 |$wșP-dK8Pe] *د閿m#Aij;B32e,~C-B|J 8UoA)q%DsqKɳC6Pm{ĝ5Ҋ/;ݲE!؞/W=돈!ȦbX,Ri{}sgh&Nu |[>%jSٓ'vT>;ڰo8f]MƠVg<E ^~뿿*N03 P`K-PqhvQyQ&-WrC@dp/?[I5`nQg^S6ƚT7P쳑|ޜLFy8O9'(?KZZT7X!~`2.#wid+Cf>vN'~ˊx߹s},%i<|A0S 硍7 xV_g/7]7ٿ)-%F@Rbh5?srIOW>zdңT 6%|1 %KV>W{SU)0D چa|3%D+ޡ[zoOYC-]׾w̙A2F(Ң}^ᱞ9 >p&8g]8ʌ+p^-8vQ/#NS8_uXTncwRxqW9O "Ȍ1X# APNa_z~b s`c8b,A4ׁW;(9fG䘌Rd(&9S B*rOQpvg+ ~oxud9<:1kEr.}u^+@Z_x)9vn5Kā'/AO yY)xqBRjNje"t7b2 lF ֓ WU̚`c\&8 ЀKK34g{訇 nt-3}sN D;r}"z]6!]%[dR6d8.)dM|i%v@W6+˸X%Ҁwy2!5̜p.fcHҼ X@vg?k1Շܩ{9:[ԯ=qB.ܼPM6GD88RqL87e~wC>9e><L]űBu|{Vzۯ=%  #Z*6w.kWi`9f8]5 jzν5*-S#1ד ˀ6 (x+/-bRKi880:$*A/uZ f@?=b(˱k4b?'[JQƐPĀ,Pq!G#=k08-vA Xaw=!p^pGLeƉW@E'_{A% Xty $_f a o>fBaDҶW-KSkpjYւ8C.ŵ*{ԕIiITY܎fff !/8V=ɫ*M7Yz}Z*s͹+= O޲*}721: #Ji ZdFA'AqӐa d NI!$ڽZot OӍ։k|K])r?42ϕO7_>Ե[{g$JsйD&n-a[5겉&ye1:C,HQ_h  iwo׵Ν@EL$ 1-)tN?m^‡^'kG%~>:j"kˤj1Bg|B֟W>%zv- Tԭy\6Os  ;Zzu/4fbM\3_A@^Izy(dV<9doW^ΐ lA[ ߊi=KlCa[[Be~7 Tr<33};-?CX/b F3.%Pfu^׬7mP^O?;猤cA;cbП6}33D?gZbӥ{K;4VJ9a :|ƴ9Qi=N^ur-h" -g/Xo +]`lRrٰtK{n֭"ѻ)hq"5OIc!G8rBeB ہDRG +s. :+!ep愫ЯNsyu"㟭}X{q# yw#Nd07iQ U;OFcTV{UUr^NjҦev0 gBOuDc p^*:e 4VgPS(QԮlXzWd開y4.c;ّd\7{Y-aM ǹhpG=nKYۜY=mzMwQfkLCvc6I_]B.^浏IpNXy[֙#P0C8WHLB$NzŇN$-c7ZtsM) r9?7|ALNpoC*G20Ƚ@v9OEPBe"ƌ8(pdU|J͌gK # qGo)^ipn{G_ЙcRC<<׫(Uꜥrwf_TKQ` 74Jy< viĥ4dzY/FeӶsSAќfwNU>3(7OjE5j7N ݢMa*rm?<Ć!^Wd%RB), %뙤eͣ܅7+yC rM];³$|u/l}/r;w;o@ܨw A3"Å0z{*F'<^ƒDxvqD]qg)T @- s}o ɠZy-Ş\ס-$ .]ȩ R7B kƗkU"9T[__uvYq& Z7ny,|"4$椞; xL7P!<.;Sq1ܝ#A@?7%񟅊VrfqXBJG~*߂_(WZi+Bfdmѐz~#^x6IHRdo4wl>l|Pr߰?@v.R-2J^ 7ױ 7{ }@HRI*5_{G4UJ8vF5H (0O8eʹs*{C J!0 QbH-e1rV ߻\)6߲.s1;[4So[pe ²~kqd<ٖEU͘Eq}f(+.^ b^?!᧕;00ۘY?`D?uA+%6vmgXV@prЧƿ6}wٗ$ɧI AnhybvF񜖙 L.|_i a1 kD` N`V=zi.H eEx픟}$shKp^ '+7H#E'*f1LO>PTfu6 hhPU i}ހ6#!? 0LJ宮O~BuY9kw6A?pp@ΫfW셸xF$f%o_zrL*ФcRȲ/-BCU&jJy!Q/$%/SZQղJ!TL7t.X'bAOBG̫OR[&H6ʋ?W }jD5Pru˼e!cޢ_x 9ʲG@hs kF|xǫOaw~RYN(1Q2)/fO <\~OudF<Ce@sCaDrP՘.l/E-ܦW6,_IKPUC{\ Rz/ks#x4LWdJf[|3sPܦUhxX<_48VLz0?YI|R˼IHMU\6+$PK%ÕWڣ5J& =)D3Gmg:e&<9 DV륵0e$2}tb!;Ow9IDم m2h$%QA̯+% O9c4qڂ3WH~`'A6q7@wV_%( ] xRaim[2/=F|,_*&olD1[M&f+򹊢&c_8'5KgSN;|!FFCsv uĞ`i99*|U <.sPfg†#/RKXY3x`.~@q!XNS؍ *遻=_ݺ>|m$_Z.f£>MOOdU!lFB6 !y/pkV{󚔠qF+8-}q"#K ЎrbzTJG*[j /t<6709j ~&eب,|I)m=CiuުXR&U<(fHcLDÊȭ:HYe7,4Uѧd{٦XhwfiU7i,f;U Єk}rOWӷdԢqe˺rB6XxXW ^rkK7.Q|?Cs;c,Ii[?9B;"r͎"}QvDea<τkG8,FS T 7Ϊ;6_!tuޞ+ sSSPc[ WbW]-&wtcɶح1yq U1ɽQ8 =(i`'gG,[F6eP1vX\V`3CWM|y"E&I}J1-]HDǟ ,Uh]Wu}40~v8E|3f 6IF*݂d ,dhYL>FWtŌQOJ=[ pӿOgߌ}lFM%'=nPg)(rr,>|(Mn*߻;,wQMYaAł3h 2&dvFJ~aArqrZh,ٷ.&3YYM&:q19Lj"#N'gZoŠV^*6Af*?/7[! \Rtg2ip{k-FL)XyVpA?ڪ^73d|779h"Hh[Aծ[QF Yn|-WsMq'|3kQMN0a@?rقP#y̰_#ׅCĆOIi:'b0 dJu!kTN:H/IZ: j=祮 Wik(% yi+v q&ZWhV7|d2 ;: Y|_:Cb|a~SCn. 䄑Gh)u@g,ޏ eЫg 1Χ[;N*u>Qٵ{Ng`)DO-ucT:E-iy|:[xv89-'YYo2|Mr{B-}%wYj6*GEJ4F'*(y' u83zm*@gJiW TyP1O rVւEN:9 ЯI֪_H/TyS18PW70|=wtY7QW̊ÚQX @-aVy?Rdup&9#ERLio l8 =c]osϒK-9{-e o9[B68@a%< _cҺs#giSPVb*H^X9^E&kEMGYGоm %sDي?(=d,$ [܍Vf5KLm\ynriu1־$ %Qen:*Bv _?کdJT׷U>2D[ɝ*] N ~/#DP_LEĴo`GaYzN=qQLcjx婋_m}Tw׵w S\[qђxPI~Hǫ9_ j 跉C'咰|J>KĀs'{_+a|:mi9s%cV١Jg]\;گX킹+X>(ĄL~T{*Esm4~/Sq^YUi>,Y3]9.΂h(]pD`o'1!"i! e3E}5|V_5D(?'Rdx lZW=RNdIKS-jQ.ՠ94מɳ ɥj'SurX0=Ph&CM5FF}`40$b=4;v7e]44U^4f@ZI/*tx+"BSt2d(k]{ T#k^H!ۀg COg+]H>3v?PIU#/N oMn!?1 V(|`ӊsb&aca<l-^Z%?~wPAC{A0EN?\dץw8w-,cnݖ4vviz_5YDĈ 3΃c2bhx- 7Vc钅Wq1!i~2\pemJzSJI#qH&s'lI qBhI*$d %#Z?Eq&?⇧c9X٩{~}AGŃWZOՃ?OdQđ~jz˯*St&L4 Iu@l^7t8םj:fC*sVQX =.bBVNg MA"{ B^3!sRv=9:K6+9f7@q%Ƶ4u Xv W*nN⥲x9!X`FfI}@㾌C)דd%P5e#8m[9m4:mKts>HS_ԕ$ gZ?-41Qd4|jVaOvo\P9K^`@gUKzyiIP'x< ew -K+o+$KQ7_mAJ7zD\6woLA`|de3` F2+1V,ꮃԕMtBptmՉ*) }.G05S}Di7 s=/Q˺(Sok ZoU 3"WcH~mrD u3?hd0㐟󛍕/c-p隽ќ0w). 2.1_<9%gb ZtUw,qa{u(P]xU b&ddHͨ'ëJ?@Gez^#6,%۽.!F~MQ尣85 6BK{j5Cůcp 0bӴG?wLEOW-n9JheDURPFc" փ#Q= ➡DY1E\MP^F3Cvr~|QK1bI0ď)PeGF- 9)r|lf6m[扎8*|d1.TH-d*]j:꿖 /텭iEP~$<3 /q1^,Ԕ(' +M6Q^9t14Q+d/טJM#tC7Ҋ'OkӖ $4aQE(ʯDSPNp1끿7|^eDދz~㏍7 .&PǮ}`eU^zm8lLn(>!-ژzPcF8_"뾷9U~A6#x o/+$RFAᛵm*% LGz<eZNmgv͔8 ( E)P<+cPI2,wf&m!J &b%: 336Dohv^G-P!` YLܖÄ6lRLiBBcu[X-̄BA3%r#l?F7YxA10Rw o+-޵f(Ckzk nySWH JE |7DTHGFU"-fp#GF]ϻy_-/K _0SR3zZl)03'Ap+<S5̥J;?߽j|_! Lsn{n"o|U@2|j;i!RlJ *th:A [p]=[6q5"E€i|#;݁zz.!N{y=EB v~>dZ &^',:6r6յ6Kw^IةXψi)fwz {I!dM8e5&̓LПdpt {_X4T+:t uqx`9yL Ul% ƯTWT aնpm$n㔦׻`/EtZz[7]ۈ~#t4{FvžI8"6syQ],#ηFǟqA@f;\ T;&t §tY妷́<K<:I'Bz[aŮPcC9F~5Ȍ49i"0C2 =P{n}f[U,Fay ~ +D 7O ;nՁׁ$Z.ٮN477X~/}nR5/C ְP7c-=^CT(3rQiz@]>?9Q2DS/UX`mYC%crNYXc!N)2r6:Ν a0jnYn܍6. _TDsý0W=_DB .~rui`6*9M_99QIΜݚv\wL][ @w~#I㽓O낃]k16s #kh}]6NG5_ݍۇrMѣҴ[ 5 x{儬6wE(I~ZoWhMC+GzHNG r)dHɀxh#Ĭ4gÄ]N(Z>3k:I9'+t* mFqL}7ȴÔsd/>V&I)B˧Q8!0\WZoʸH'ˈLS.ulyS3p X [HQIgDOpN+[]^GZ]<^RƍX>y%s攫 m'O$LBd_9K3qI1fYNO2<< 9p9)8.y[=K kGUFiE%[Ƀ~( 1bg 9('q=dI?%:Da&.'K)%a,|OʎDʑJٌLշN=-LA@0RdP""Ż&ct`X,]Sm*no-{͌42XV fv¯)i{F/O5I^Ӎ}Cݙ?ϏE[NQǓYP./LK(;Ƀݩa1 ZqF$E'~yr;U8eV0E0hm1mMV)hWϐlC>y dДJ؀fՁO_aBh^Ywt<~;7b McNup+0Uk]=JMikցa8p# L`Sag<;>!6eL05`)' #}(<r ef@*DV+@Mo^]Qh-R{n7JVȀ#kAo8w8;۲82 hQݶ3`ہl&b*ڛ!hYj9{+YxM)\ѣrNeʇ_{ Uͨב4  nH :09"JVӑ1 ~>XSB-r1 F^qY\!q3߯ B#ar6+3d7جk?v,T@ ts&HHk5|Kwɣsȼ,֯XR==WCM .%`q1a,w{ A@q&naEdļd=iyKC4gyƭR !_M81j^V7ye% èp(\kFWKuyKϘFp Q}ȊжcrIǶ턓kWG쒒bhVh٘xӃ1Q*[:D&wy.Rpv&: K -z+T Rh!DCޝ&gԏ|$1ȭXNB8'(c ic'+!փY]?x e~g]}q\6 hrJ:,}GQJ/7S,?=ܮ1s՟+ML|Q޷kcj=[M͐<,kS"ѳ(|i H A1#2eR{-'[V|8y6v,H! J#B/#IJ,{OmLn> /oΡc|(v% >{P%.ֶaEΥs5PN @̔jc*֗Y^`Td#u<}'#rҸѢFE7'?~%]?H_B֤ J>)HdFP=[̥C\U1 \1ꔕ҇資[Ɩe*SQL[Qhۺ"$ 3Mw&$'/iT3uX}8S /\k(DPqe8xP4h?z!KddJ_Ku< GE ]~ɘ|ynWo7KZlOKq뻆Q|>Gw,LsuN )[hZW)aDiNZYjjvl|{Ep.Y- gZjyI aa(tUabV'?"o$*77q93-Ϟ /9LVMTiIDVP ϮcoA}۳\PuU8n3~̝dOVt΀}L*3v@QRtb:ت\sԎՕGAI0;ιw}1T-f/2 e"T6K0E׳-ĸ74 E/&N* qiTa}v ~iaSkぐ~K*iϾAQ\x;ٺE2(P~{;8 p>"N렁fU( }ut˷irx8տ:,C-Ҫ8kZ7o=r}Y d<`v-$/Ֆg(Ay+Qo D n &{mxJ_x\vNW.,K|ԟH쥩O>Oו z׀[21lHGV |r\'՘BXFʮGR'03Y.]V%e2=q6z"Y3$9xKHk&>TѢu.z];\5Y[Xs96 F|[?<eD=*hXqi9pv'rEJqBF5d-&1W|C.raK?Iq ;{ݍJυD*D(ĩǻ HТ3If7yh҈"C*Ѵng EC/gRWMH_Br4&k pcxC_΃S:!(&D514EA`hd]9c 1k-Z=8!N.=6ώҚbb]LMУd+c;.s& i`NJkHZ sJ.%"wյ=.-*ϦY.u50^ͦ*h9bvibBՓ.&?TD0E\شn(BljC ai3B&o~[/C_8ѣ^Hi`z1DV. ;(j-zpi)C(f˶0j nPH-~# Y@d5}dP/Eq!/X-}H &;|P:)'"V /&ՖWLrxJWan29l8x 5D Z{ io.0:VATQL?91 W1seeK)$Qґ+04S_7!ʭU5[T障] !ݞͫ} <'dܕ0iIa~Jpۢ>mn@s᥼1^eğ0u =ć2V$D<4+@dzߍW(jSVɸhrk @Y:/ r1j+] aqѳKVRD)u+,= D6k; *ru= ?|{G č#dܜ&p'(,՟M&#|:Дy?ti ⧴3q>_Gt6S^_hd#5jߕY_^ԓyme^5gۋW(H;ôeZT/?ݕB8 )9 Xv C!FW&pLk+QAP +ĺ^t>#9I(|E+zN×V)Ao{qfPLe•-5Fb!=+ДO"eԉ@Jup7-m`$lIJ =ˆ|%汑fx*hh6Wʧ6j$_I!5cd=s#MG??W@,i9֏DtBs9W7xøhA)`z/Yj 71Wu#4DhD*Gߊ7f˽Fpg i(f'k!NTiY4+ N`>8x7[L {5miheE= h꒍))FѸj/"\1o0U: ڐ/Y?@P֖7!tOneS4&UD >!^P$Ghn([\|&3g+s ڒfLQ)bOxu[y8Th:Wnz~,'k<=P@PY>4|)>;X0H#NV2**s~xkt;z(ͣn,+zU{Щx|oӁ %no.@t^zvC>Rd bΉsYJU1O̐|q_NLvrb?^\Ên_W3_dÝDB}:ӝrlj:Vђ5gќH 8{&FΜ RxP7IdgD N;o2dI/1#V꧉i]ǡZX-<GͿI6 LG;dȟ [@6~.n =Bm␛ r-珕Xk7v9BP(0wTjw%"=Yex@x!R!Ncvi^9kt{#xNQtm[^rO #' S5$s#mpG3~#"nEj5e(O!cR"M:B$EZ[d/v`~iEiU2єB+z3*6 飽/gwN9)Ҟ㊱)ۤ)bG!tT:}&BnOH]g dͅ'@&RqE+GDC^Nڰ4.8ì=wzn.s@9%nVw8npZ};v22!cmߍm&ܘgN: lqwbkGķ<4".QO۷c( v?He*]Zq9kjl2$)"wg2n k7ng$Jlଲps^ds~A'#/[0xʵGtxHZ 1!tC2]8Wtp#4=[Sj /dݪ?82H_3`M]/9|l)n#53K~Qt1Iw9{Qg7+OG؉? 5$|oˡ!.SYtՅ?Y3f% kvI8~} pSӂnT})-K]5=E1"Ev|l#ɷ_|[e5^K#&6\In\A?QLpa10tO?#B2QK*ir 1Ѷ[v|G(.K>==sq0SD W:·Pkq&=G}XuIAu5)c ~͢sf{Fb(dV+!b-;UP>"'ڤG6gb,!<? Bm炣lA#IjS<ˋ -uH]qUڍ7lc_RQ & F DHs:+RFoxg dg &˭,i=bfX_f#>ҩذwś6gX!8l Nh, LI:7a]=1N&ćDH~uP"/w ."waz]1~KGxãO٫sA*ȲdPJ֒O󏑂m5 g |'_sc@M *~J;"jA8'=#tBcqSS}Lz],["ꭓWr#9b'|7:΂%4z 4)r?\/ƭk8A[!O"R:os ~v!\Q5{I]YL:c+VFgd )3;m-4|˝ڜָQڜ7C<-%U+/T09Q1P Mt\,QzR-N9| #3 n' |ixXx>qӽo?;b.jM̱rE$v!$Bf߭aeB92Vg/[k}J-ў"iE5+2|}[@pA}偭ߦ5"(xЖ#&XԴ3FSiq\sڦߕ@ݯKr m1X r%CI4IXhhmt4ͥ}_-$7s'2:z1&Ya}h:77b܄괼Y+Xy5P}M919\CHU?Imଊ?CmH% j=kXڒ6J/U3B/Hi[68µNdS!IdglT/0T?{iGa%<(;b`ҧ-C V}g^=`k\eZ]5佊ʈ kL_v|IQk&ɶs2e/w(v$0sF',\\2Jjʶ5JD*]e@ϫ3n?tS#T6¢H:F,QN%TѳQЀV] X71ºgRs/j)Yw 4"%xf3V'<uDNdBZi&0Bg;Ӣw$z[5#a4RM-Mz6/=q"X3xAwFrGst[GJwoƝpx'ȋZC{$e!q~ē'Hr,>OAkrVFDOTyy,r{ÊpcM'JO?2cz(}57`~]y.?'4,u&{pپxm ]JVnx)?NVqn_vyGF?g0,lj1y')җ/Aj2k_j{JX̚d89mv+iQIq'ƓǠ CrMU"WdFJ*f4W?4 pGd^K 8WLpH&]CMHŜd}$jt[akJ[9ېF]A[DS֒&f$iF+<s;n@4?|<1'FO԰?cҝч_x{<%c|xF_Rڙ}Vݙ2 4mиR0u56:c^1ھnبqN}O]_416N0:U<>b ?B UdL #`uby֞-2Oc;R"ߑS+"}9s7합 q?'.ErPxJ׳읰T{3,Vh Jy ctޘWA/D1[Opʻ*Tb ه2f p,)Y 6)lp#(/A 09={G5C5B7B^1Wu#!2L(T4PJ՗a@8$yIN{#Șm l"K +DI~o|&/T&~TNSA`7jYyN} X0)0jCUpߏ"OOu 6`$0%]QP5DrZx*|tPg]u;vM]cX@=Lt6>W”TS<MKVLF'Zge#aPVx(:QN3 W{dٯ}"ԇM/Y$i<Hݙ6Yn62JQ圢 z$,&1IŹ ǐ¹̭qwZNr˼u>ˑhqc(RTfqڰu[D,.~cM%@o>>6LNJLkp Tdj8p̛[Q w:~HJYVF. F}L0p:4CV\\h(h&C uC=^@ N<`t~'%vbتao$n5b>gnNDgX"2|*| ]c1(M&ōe@n0< l$V/Ln#BocP鋋6xUrkLUb{'7qg8ixt 5db@IvM&]Y0Mż9!z*.vD+#iltw` 볃4%Z^ey "YNc'#EQإ񩙧vm&@vJ s+P5pA07wD~Y66%1 J cԀ&cԘf՚VFY{[q M7vO}`/օ}pGrSV1g j` ;;|LÏ~)7F/3o8jȗ$-*|5ޕ9ަl[^/HwϪ޽EhTiSh*<*O45 9YVXoTZad>[d {D~/]fź 쨟f.TU*TxqD4 jx~I:u C.ʹddNzw$<Ѧ1vouY~;lh*S:9\7ǝ?m? O48y [:~"D1YxEbY Bɋפ 0g 'gut`^\"5P<rǫFvB'LJcUr0gr6˻OݐI> E*-7u?d1D}K(a^3v(FxϔpUFmOS;jwb cx`Q hAFТ9?}ORm]U/Y Ht9\(x4/@tY>$xogLßw;jvɯV;/ì gfSA^Q߻}+dyEH [[BMm2P8cd|"r%t?+5&hv(KOC`ZE.l*<܃DamH1jeJ?]c9zNtBu X1u3|((:&ƏgZro~ g rkw +<]ws`}d^P9^7݃]^pi_~n/ :F2jͥ ʗxרnTrHŘ懡3΍>&_z52J(,9dCC0egJDW8$?j>CB5:Δs NzEVCg Ǔ~gW? ܵx뛞%ISJ$yy&Eu}* c[|RAYuY$I(~UO-ua5C*Vխ8ݜ\Dyt$.Q7yê.v %'ǘ='lwAFy|v@):߹+'Uػ9TSe Lτb7)$kϹ#t5"&`eeObv'5.1񫠛/B]^j~c[u I+AtTׁzQhiSE (须6VtE IݹjЖY_gcw)Ues=qfZ &LF8&5k=@359zHҬ|LRLYq> {ZdB1O%ý"QN'αü31 i%I{ġՀ?y"k3”)4-(&b3L㹰j>pL~ @( Bi\"$)+q됂e kHz9TŖq'؜v;[duʻ4!iSCXZ'tig(4W^? Tj6r#e5iݜ3~Fٺ&Q>Xj={Y鲚['u|4gd$=ÙDߋ8?bA=]+`b.& 8j/DjuF}Hx#؁a)  @? {Hh\?5||'Q-.z 'm|{H(ڽl6"U2*FXoۃ+`ȣДO:z[=Z-;LG&5 r^}A/m6{te R;aDx2WrwQ{}RFldJNħ;rE2Cv x;җ|CZ4ŋqAs;:Uõ/qJ?46[z|dS3KJeKUr4mU+D~8 #t mxQ~"`D)%X x̀!(ͭߕvU|E~O =6x˦H&B/0qD+5?:KלfP@_M0sl1𮧪*W=oA6>68'c/bvi=˥ʓ6dג.nNU?3;;ՒiGQ?{p]FeQupF.>Ue\2΂u1ێ@jH;쾒)}r&Gm)bXo$.Į[C-*ˊ EtO~0uIq|j> 4y8^&4$ \ْfy|x 0ǥz vGEUgE&Ofq hzf#!8~1DD {=.F۩[TmʭMkjDb_UO^NGٚU Ìbb)fBQ.BҗW#P>QٴkJ})#>_7dps eKIL>\}{]Ո}q(L̃EZ43tiv9X$iSu]Y%|SkԪqyyie+4Rq؅JhD0:_˥ $srX2F5bh ^E. /[s daTݬw-|VL4^CF.\&]U.R}\($ ̡-ivVώrX1 J,[%QS17Jaimjt!.baر_2>[mA>\u)ԛ@$A`NWp#iA?rXLSx;aoe$[YW h{";ܡwC/N%xg 'n$\S:j(UJAu78sH{Cz/W]$Ƕ "řa+Aٝw԰Y/;;6q*Ӑv6- DnJ-ݍrZGDKƹ/"#w Wh6L '~ʟE|ΡbkBpGpW24Z4f,c,Lxwg0Ear%mY)S4<8Q+$mQ.> xfܡ20X<3l$*TFa곖5*yʨLʓٙpq#Z/'+"zth"֏<|ގQ#'tOn 7k8`RE> QPmHbxIt&nBZPH>vU1c_3`QnY)Bo'v>U4ĉzI?;|(Wv=9hjxo۽eEtC[8L^]_8+-w58+S[?_3WhO*n1Yƶi(z$u݃%cr`dh&8t,bН6M/`'f*&FQf'VsvBA3%E=1<`X3\Yui{WRʐOU@GI >vꭣ,6^0 60)[ (uQ3Kp&aT66/ѓ!vvJfcRh@NYmmhgif19Wtޅm`|zy# ߬VQsөE  ƃt1Ry[ 碖C_`OҪkggN@yќ95CD} z4W,9lXĦ!QˡG-֧{?I%ݻ݇kS+ޑ`qjᬖgV |䩧QZe#\%F,Z%N_5ІQxE{V 1eGb1׻mS+Rvɒ=H|8 ~+hEzqC̋$T V&u]9r8˲(# ) |oI7\Ƽtk!| +HՂ+! 󊷚$wZeXWM(ʪ̓z*궣]LSi]JH/%ZҡXM=B-pWD1-t8]Kc*n+B5ĎKa{B@'&në&0܂D‚cE}h+EH wx ƚJ hl#9C2BMUf(Zfs;`&Y(r;Eݏ1DԌ_u='#Ge P(ncy\A& n(?z\} qomNqW@p,_E2Q+: 4*^w=G*ZV? @\`l-7"`Tm"Xl֐NB^ ia|:\p j{6w]%0p@W17!jk5CR5*Lߜs-!(}Db *6ŏq 8iuxsާ+@;`bĠwK*}Oedޱz9D&Pl%9A` KꑒQyC:՞PX l,T~pJ81d϶rap}Ch\ųaP#TKSLwɽ}%Y~S;SVVNFEu Qp|/E/5a#۬7Y\#}ain>pgX̋[KSz"2;]w !] \+F'A- K ~>3o"7(j}%B= 3VF_PʃNz=nrF:-+?AkZ3C`A¶]nƶ YZ