freeradius-server-utils-3.0.21-150200.3.12.1

Name: freeradius-server-utils
Version: 3.0.21
Release: 150200.3.12.1
Summary: FreeRADIUS Clients
Description: Collection of FreeRADIUS utilities.
Distribution: SUSE Linux Enterprise 15
Vendor: SUSE LLC <https://www.suse.com/>
License: GPL-2.0-only AND LGPL-2.1-only
Group: Productivity/Networking/Radius/Clients
URL: http://www.freeradius.org/
OS/Arch: linux x86_64

Provides:
  freeradius-server-utils
  freeradius-server-utils(x86-64)

Requires:
  /bin/sh
  /usr/bin/perl
  freeradius-server-libs
  libc.so.6()(64bit)
  libc.so.6(GLIBC_2.14)(64bit)
  libc.so.6(GLIBC_2.15)(64bit)
  libc.so.6(GLIBC_2.2.5)(64bit)
  libc.so.6(GLIBC_2.3)(64bit)
  libc.so.6(GLIBC_2.3.4)(64bit)
  libc.so.6(GLIBC_2.4)(64bit)
  libcrypto.so.1.1()(64bit)
  libcrypto.so.1.1(OPENSSL_1_1_0)(64bit)
  libfreeradius-dhcp.so()(64bit)
  libfreeradius-eap.so()(64bit)
  libfreeradius-radius.so()(64bit)
  libfreeradius-server.so()(64bit)
  libgdbm.so.4()(64bit)
  libpcap.so.1()(64bit)
  libpthread.so.0()(64bit)
  libpthread.so.0(GLIBC_2.2.5)(64bit)
  libssl.so.1.1()(64bit)
  libssl.so.1.1(OPENSSL_1_1_0)(64bit)
  libssl.so.1.1(OPENSSL_1_1_1)(64bit)
  libtalloc.so.2()(64bit)
  libtalloc.so.2(TALLOC_2.0.2)(64bit)
  rpmlib(CompressedFileNames)
  rpmlib(FileDigests)
  rpmlib(PayloadFilesHavePrefix)
  rpmlib(PayloadIsXz)

Changelog authors (in entry order, newest first):
  adam.majer@suse.de, adam.majer@suse.de, adam.majer@suse.de, adam.majer@suse.de,
  adam.majer@suse.de, adam.majer@suse.de, adam.majer@suse.de, jcnengel@gmail.com,
  michael@stroeder.com, adam.majer@suse.de, michael@stroeder.com, adam.majer@suse.de,
  michael@stroeder.com, michael@stroeder.com, michael@stroeder.com, adam.majer@suse.de,
  varkoly@suse.com, michael@stroeder.com, adam.majer@suse.de, michael@stroeder.com,
  kukuk@suse.de, adam.majer@suse.de, jengelh@inai.de, adam.majer@suse.de,
  michael@stroeder.com, adam.majer@suse.de, michael@stroeder.com, jkeil@suse.de,
  michael@stroeder.com, jkeil@suse.de, jkeil@suse.de, jkeil@suse.de,
  michael@stroeder.com, vcizek@suse.com, michael@stroeder.com, tchvatal@suse.com,
  vcizek@suse.com, dimstar@opensuse.org, vcizek@suse.com, meissner@suse.com

Changelog:

- CVE-2022-41859.patch: fixes information leakage in EAP-PWD (bsc#1206204, CVE-2022-41859)
- CVE-2022-41860.patch: fixes crash on unknown option in EAP-SIM (bsc#1206205, CVE-2022-41860)
- CVE-2022-41861.patch: fixes crash on invalid abinary data (bsc#1206206, CVE-2022-41861)

- logfile_secrets.patch: do not log passwords in logfiles (bsc#1184016)

- freeradius-server-radiusd-logrotate.patch: move logrotate options into specific parts for each log as "global" options will persist past and clobber global options in the main logrotate config (bsc#1180525)

- freeradius-server-radiusd-logrotate.patch: fix permissions in logrotate global section (bsc#1170505, bsc#1174905)

- update to 3.0.21 (jsc#SLE-11896)
  Feature Improvements
  * New stored procedure for allocating IPs with PostgreSQL
    Rates of 1500 IPs per second are now possible
    See raddb/mods-config/sql/ippool/postgresql/procedure.sql
  * Add SQL IP pool support for Microsoft SQL Server
    See raddb/mods-config/sql/ippool/mssql/
  * Added RCNTEC dictionary. Closes #3168.
  * Added Pica8 dictionary. Closes #3179.
  * Add TLS-Client-Cert-Valid-Since attribute holding not Before date
    Patch from Boris Lytochkin. Fixes #3157.
  * Generate attributes containing unknown OIDs
    See raddb/sites-available/tls
  * Update the WiMAX dictionary.
  * Added ability to rlm_python(Python2) show a stacktrace from errors. #2979.
  * Add WiFi Alliance Policy OIDs. See raddb/certs/xpextensions
  * radmin now shows coa stats, too.
  * Sample schema extensions for summarizing data in SQL
    See mods-config/sql/main/*/process-radacct.sql
  * Update dictionary.aerohive, dictionary.fortinet, dictionary.arista and dictionary.erx.
  * Added VAS Experts dictionary.
  * Many updates to RPM and jenkins builds from Matthew Newton.
  * Added %C (time now in seconds) and %c (microsecond component of now) back-ported from the "master" branch.
  * Add reload capability to systemd unit file in Debian and RedHat.
  * Increase timestamp precision in postauth to maximum supported by each database and simplify (and make more consistent between drivers) the timestamps in SQL queries by using expansions.
  * Option to set dictionary path in raduat script.
  Bug Fixes
  * Various fixes found by PVS-Studio.
  * Set permissions of certificates in bootstrap shell script
    Fixes #3132.
  * Increase the 'nasportid' SQL field for 'varchar(32)'. #3141.
  * Skip processing proxy reply if there are no home servers available.
  * Update SQLite IPPool queries. Fixes #3177
  * rlm_sql_unixodbc fixes. Fixes #2822.
  * Fixes when building with LibreSSL.
  * Fix the rlm_python3 build. Note that this module is experimental. #3183.
  * The rlm_python should append the 'python_path' paths in 'sys.path'. It fixes the expected behavior to use the existing Python modules
    Fixes #3180.
  * Fix rlm_python to print the script errors properly.
  * Bound total query time for PostgreSQL. Fixes #3253.
  * Many fixes to Oracle sqlippool. It now does 500 IPs per second without any tuning. Fixes #3270.
  * Reference sqlippool by its correct name. Fixes #3272.
  * Revert 3.0.20 patch which caused crashes on duplicate clients.
  * Update WiMAX-MSK attribute. Fixes #3280.
  * Fix crash when trying to access non-existent regex capture group.
  * Use timestamps (request or server) rather than SQL NOW() in accounting queries so that these are stable when replayed from a file buffer.
- freeradius-python3_patches.patch: upstreamed

- update to 3.0.20 (bsc#1146848)
  Feature Improvements
  * Added Force10 dictionary.
  * Update dictionary.hp with new attributes. #2690.
  * Update dictionary.aruba with new attributes. #2696.
  * Fix side-channel leak in EAP-PWD (bsc#1144524, CVE-2019-13456)
  * Relax OpenSSL version checks, now that their API is both public, and stable.
  * Note that tls_min_version/tls_max_version also support "1.3"
    Since there is no standard yet for EAP with TLS 1.3, it will not work.
  * Added tripplite dictionary from #2760.
  * Switch to the async interface for rlm_sql_postgresql so that we can enforce query_timeout.
  * Added new LDAP option 'allow_dangling_group_ref'.
  * Updated documentation and functionality for EAP session caching
    See "cache" section of mods-available/eap.
  * Tighten systemd unit file security. Fixes #2637.
  * Disable TLS 1.0 and TLS 1.1 support in the default configuration
    We STRONGLY recommend doing this for all installations.
  * Add expansions for *outgoing* Radsec connections "%{proxy_listen:TLS-...}" for TLS-Client-Cert-* and TLS-Cert-* attributes. Fixes #2839.
  * Add %{listen:tls} which returns "yes" or "no" for TLS or non-TLS connections.
  * Update dictionary.lancom with new attributes. #2847.
  * Added rlm_sql_mongo. See raddb/mods-available/sql. Note that this module is experimental.
  * Added more documentation in sites-available/robust-proxy-accounting.
  * sqlippool now re-allocates unexpired leases, to prevent IP pool exhaustion when clients perform multiple reauthentication attempts
  * Add support to radmin keep the history in ~/.radmin_history.
  * Add support for ENV and LD_PRELOAD in radiusd.conf. See the new ENV sub-section of radiusd.conf.
  * Update dictionary.aptilo. #3002.
  * Update dictionary.airespace. #3039.
  * Add sites-available/coa-relay, which makes CoA easier #3045.
  * Add example stored procedure for IP Pools in MySQL
    See mods-config/sql/ippool/mysql/procedure.sql
  * Update dictionary.dhcp dictionary with the recent hardware types.
  * Add experimental rlm_python3. This should largely work the same as rlm_python, which was Python2 only.
  * Add Dockerfiles for Debian10 and CentOS8.
  * Add RPM spec file compatibility for RHEL/CentOS 8.
  * Notes on certificate constraints. See raddb/certs/server.cnf.
  * Add NAIRealm example to raddb/certs/server.cnf, for RFC 7585.
  Bug Fixes
  * Allow listen.ipaddr to reference an IPv6-only host. Fixes #2627
  * ERX-Acct-Request-Reason is "integer". Closes #2635.
  * Fix a slow memory leak in the file management code.
  * Try to fix file permissions if they get modified while the server is running
  * Fix slow memory leak with clients.
  * Fix request and connection timeouts in rlm_rest.
  * Fix systemd issues.
  * Fixes from clang analyzer.
  * Fix missing include for the dictionaries: alcatel.esam, altiga, alvarion.wimax.v2_2, aptis, asn, audiocodes, avaya, bristol, columbia_university, freedhcp, garderos, infoblox, motorola.illegal, starent.vsa1, telkom, wimax.wichorus.
  * Fix internal sanity check when running with "-Xx".
  * Allow "inner-tunnel" virtual servers to work better with "accept" and "reject" policies.
  * Fix dictionary.huawei data types for Huawei-DNS-Server-IPv6-address and Huawei-Framed-IPv6-Address.
  * Framed-Interface-ID in postgresql/queries.conf is string, not inet
    Fixes #2817.
  * Fix rlm_cache to complain on unknown attributes in the "update" section of its configuration.
  * Add configure checks for -latomic. This helps on armel, mips and mipsel. Fixes #2828.
  * Add support to Oracle 19 and 18. Via #2857.
  * Add support for decoding tags in rlm_rest. Fixes #2848.
  * Use correct passwords when updating CRLs in raddb/certs/.
  * Properly separate "originate-coa" packets when accounting packets are read from the detail file reader.
  * Use the correct virtual server for pre/post-proxy.
  * radsqlrelay fixes backported from "master" branch
  * Fix DoS issues due to multithreaded BN_CTX access (bsc#1166847, CVE-2019-17185)
- disable python2 for SLE15 and Factory
- freeradius-server-enable-python3.patch: enable Python3 module
- freeradius-python3_patches.patch: backport python3 fixes from upstream
- freeradius-server-opensslversion.patch: updated

- Enable memcached driver on SLE15

- Add missing BuildRequire on samba-core-devel required for winbind support in rlm_mschap.

- update to 3.0.19 (jira#SLE-5890)
  Feature improvements
  * Update dictionary.cisco
  * Update sqlippool to allow for stored procedures with PostgreSQL. This increases performance substantially. Patch from Nathan Ward. Fixes #2540.
  * Re-added "show client config" command to radmin.
  * Cleaned up mods-available/sql example so that it is easier to understand.
  * Added pfSense dictionary. Closes #2581
  * Update dictionary.h3c Closes #2592
  * Update elasticsearch/logstash config for v6.7.0.
  * EAP-PWD security fixes from Mathy Vanhoef. See http://freeradius.org/security/ (CVE-2019-11234, CVE-2019-11235, bsc#1132549, bsc#1132664)
  Bug fixes
  * Update dynamic_client module and server core so that the functionality works. This has been broken since at least v2.
  * Fix crash in sqlippool due to escaping changes. Patch from Nathan Ward. Fixes #2532, #2533.
  * Fix systemd notify, watchdog and unit files. Fixes #2541, #2499.
  * Fix erroneous length check in EAP-FAST.
  * Update documentation to remove old "ignore_null" configuration. Fixes #2578.
  * Fix default POD port. Should be 3799. Fixes #2591
  * Correctly encode vendor-specific "encrypted" attributes. Fixes #2600

- reformat changelog mostly by wrapping lines
- add missing bug numbers for security fixes

- update to 3.0.18
  * cleanup_delay can now be 30 seconds. This helps with proxies that have packet loss.
  * Do-Not-Respond policies can now be set in the "post-auth" section.
  * Encode / Decode ADSL Forum DHCP options.
  * Fix module ordering issues. e.g. when "sqlippool" needs "sql". See the "instantiate" section of radiusd.conf.
  * Add Big Switch dictionary. Fixes #2252.
  * Add sql_session_start policy (raddb/policy.d/accounting)
    This minimizes race conditions when using Simultaneous-Use (#2257).
  * For rlm_perl, all variables are now tainted by default. See raddb/mods-available/perl, and the "perl_flags" configuration item. This change should only affect people who are using variables in insecure ways.
  * Allow "sqlcounter" module to be listed in "post-auth".
  * Add support for IPv6 attributes in SQL. Fixes #2280
  * The server is better at handling fail-over for outbound RadSec and TCP connections. Fixes #2284.
  * The server is now more aggressive about retrying failed outbound RadSec and TCP connections. Fixes #2284.
  * Add TLS-Session-Version and TLS-Session-Cipher-Suite to the "session_state" list.
  * Add expansion for Radsec connections. "%{listen:TLS-...}" for TLS-Client-Cert-* and TLS-Cert-* attributes.
  * Add notes on running "ldapsearch" using the parameters from the LDAP module.
  * "ipaddr" attributes can now be cast to "integer" type attributes in an "update" section.
  * Move main thread queue to using atomic queues. This should help with contention in high load scenarios.
  * Add "recv_buff" setting to listeners. For more details, see sites-available/default.
  * The sqlippool module can now use attributes other than "Pool-Name" to assign IP pools. The "Pool-Name" attribute is still the default.
  * The "unpack" expansion can now unpack substrings. See mods-available/unpack for documentation and examples.
  * The preprocess module now does "ciscvo_vsa_hack" for Eltex-AVPair
    Fixes #2301. Vendors SHOULD NOT USE THAT KIND OF ATTRIBUTE.
  * Allow for -LDAP-UserDN. See mods-available/ldap for more information.
  * Add sanitizing of control list for moonshot. Fixes #2318.
  * Update rlm_sql_mysql to be compatible with MySQL 8
    Fixes https://bugs.launchpad.net/bugs/1795310.
  * Allow logging of only Access-Accept or Access-Reject messages
    See radiusd.conf, "auth_accept" and "auth_reject".
  * Removed Connect-Rate comparison. It was unused and broken.
  * Add dictionary.infinera.
  * Use OpenSSL HMAC functions instead of local ones.
  * Some SQL modules can now use "auto_escape" to escape unsafe strings
    See mods-config/sql/main/mysql/queries.conf.
  * Add wispr2date conversion in mods-available/date.
  * Implement dictionary-based handling in rlm_python. Fixes #2334
    See mods-available/python for details.
  * Add support for SKIP LOCKED in sqlippool. This can improve performance by an order of magnitude or more. See raddb/mods-config/sql/ippool/*/queries.conf Fixes #2383
  * Allow PSK and certificates at the same time
    Except for TLS 1.3 which does not support that.
  * Update docker scripts. Fixes #2306 Patch from Matthew Newton.
  * Add crypt xlat.
  * MySQL connections can now skip verifying the server certificate. Fixes #2481. See mods-available/sql.
  * Add better mechanism to detect MariaDB (Old MySQL).
  * Add RFC 7532 "bang path" support for realms
    Fixes #2492.
  * Update dictionary.ukerna documentation. Fixes #2493.
  * Add support for systemd service and watchdogs
    Fixes #2499.
  * Check for openss/rand.h, and allow building without OpenSSL engine. Patch from Eneas U de Queiroz Fixes #2517.
  * The default PostgreSQL queries now use "ON CONFLICT" to better deal with issues. This requires PostgreSQL 9.5 or later. Please use a recent version of PostgreSQL, or edit the default queries to remove "ON CONFLICT".
  BUG FIXES
  * The session-state list is no longer cleaned in the inner-tunnel. This lets the outer Access-Reject section access session-state.
  * Fix typo in lock initialization for TLS sockets
    Found by Sergio NNX.
  * Add check for crash when home server down
    Fixes #2233.
  * Add username key for postauth table.
  * Better libpcap checks, when the header files or libraries are missing. Fixes #2245.
  * Allow building with old versions of OpenSSL
    Fixes #2247.
  * Allow non-FreeRADIUS State attributes to be used with the "session-state" list. i.e. State length != 16.
  * Be more aggressive about cleaning up zombie children when running in debug mode.
  * Use LTDL_DEEPBIND, which fixes issues with Oracle libraries exporting LDAP API functions.
  * unlock files when asked to unlock them.
  * return error instead of asserting in map code.
  * Don't write 0 bytes to SSL. Fixes #2270.
  * Remove "expiry_time IS NULL" from allocate_update query. Fixes #2262.
  * Various dictionary cleanups and consistency checks
    Fixes #2281.
  * rlm_python has stronger thread locking to prevent reported issues. Performance may be affected.
  * Don't allow Message-Authenticator to overflow past the end of a large packet.
  * Fix crash in sqlippool when SQL server goes away
    Fixes #2300.
  * Typos in man pages. Patch from Nikolai Kondrashov
    Fixes #2303.
  * Fix crash with CoA packets/ Fixes #2304.
  * Fix crash in rlm_exec with CoA. Fixes #2328.
  * Print errors while parsing the log config, and don't quit when deprecated log settings are found.
  * Fix DHCP encoder xlat so that it can be used with a list of attributes. It previously only encoded the first member of the list, and now encodes all members.
  * The "expr" module now skips more whitespace.
  * Remove internal FreeRADIUS-Response-Delay attributes from attr_filter Access-Reject.
  * Don't send junk to redis when maximum args reached.
  * Small updates to IPv6 for accounting schema
    Fixes #2364.
  * Fix OpenDirectory integration in rlm_mschap.
  * Fix slow memory leak with dynamic clients.
  * Don't artificially truncate debug output for long strings.
  * Fix memory leak in EAP-PWD.
  * Fix crash in "hints" file with Fall-Through = yes.
  * Fix crash / timer issues with many CoA packets.
  * Fix attr_filter so that it does not treat vendor attributes of number 26 as Vendor-Specific.
  * Fix reconnect correctly in rlm_sql_mysql.
  * Fix rlm_cache to properly use Cache-TTL < 0
    Fixes #2485.
  * Fix rare occurrence of bad xlat expansion.
  * Check for rare race condition when a proxy reply arrives too late.

- install license as %license instead of documentation

- also fix ownership of /var/log/radius in systemd unit

- update to 3.0.17
  Feature Improvements
  * Add CURLOPT_CAINFO. Patch from Nicolas C #2167.
  * "stats home server" now supports "src IPADDR", to specify home server also by source IP. Fixes #2169.
  * Add Dockerfiles for a selection of common systems.
  * Increase number of permitted file descriptors, for systems with many home servers.
  * Add TLS-Client-Cert-X509v3-Extended-Key-Usage-OIDs
    Patch from Isaac Boukris. Fixes #2205.
  * Update main READMEs. Patches from Matthew Newton.
  * Added dictionary.mimosa.
  Bug Fixes
  * Don't call post-proxy twice when proxying to a virtual server. Matthew Newton, #2161.
  * Use "raw" string value for shared secrets and dynamic clients
    It now parses strings with backslashes and "special characters" correctly. Fixes #2168.
  * Fix RuntimeDirectory for RedHat, from Alan Buxey.
  * Relax checks in 'if' parser from Isaac Bourkis.
  * Minor cleanups for %{debug_attr:&request} from Isaac Boukris.
  * Be more aggressive about cleaning up cached certificate attributes, due to deficiencies in OpenSSL. Reported by Nicolas Reich.
  * Be more accepting when parsing IPv6 addresses. Bug noted by Klara Mall.
  * Fix double free in rlm_sql. Fixes #2180.
  * rlm_detail now writes empty Access-Accept packets.
  * rlm_python can now create tagged attributes.
  * Don't crash on duplicate realm + authhost / accthost
  * Allow partial certificate chain to trusted CA. Fixes #2162.
  * Treat SSL_read() returning zero as error. Fixes #2164.
  * detail writer now checks if the file was renamed or deleted.
  * Add User-Name to Access-Accept if EAP-Message exists, not Stripped-User-Name.
  * RedHat Systemd updates. Fixes #2184.
  * Use correct API for State variable in rlm_securid.
  * Remove broken radclient option "-i".
  * Fix "users" file (and hints, etc). So that it does not get confused about entry ordering with multiple $INCLUDEs.
  * Fix rlm_sql to expand the un-escaped string, not the raw string.
  * Link default and inner-tunnel only if they exist. Fixes #2206.
  * Don't use both IP_PKTINFO and IP_SENDSRCADDR.
  * Always install signal handler for SIGINT (needed by Docker).
  * Fix intermediate CA flow for OCSP. Fixes #2160
    Intermediate certs which are not self-signed will now be checked.
  * sqlippool now returns "fail" if it fails IP allocation.
  * Fix rlm_yubikey to look for correct attribute in replay attack check.

- update to 3.0.16
  Feature improvements
  * rlm_python now supports multiple lists. From #2031.
  * Add trust router re-keying. From #2007.
  * Add support for Samba / AD LDAP schema. See doc/schemas/ldap/samba/README.txt and doc/schemas/ldap/samba/
  * Add "tls_min_version" and "tls_max_version" to EAP module for Debian OpenSSL issues.
  * Better documentation for client certificates in PEAP and TTLS: it usually doesn't work. Fixes #2068.
  * Distinguish login failure from AD unavailable. Fixes #2069.
  * Update RH spec files. Fixes #2070.
  * Run Post-Proxy-Type if all home servers are dead. Fixes #2072.
  * Print offending IP addresses when EAP sessions come from two upstream home servers, and rate-limit the messages.
  * Minor packaging updates.
  * Better documentation for rlm_rest.
  * EAP-FAST now has its own "cipher_list", so that it is easier to configure.
  * EAP-FAST now forcibly disables TLS1.2, until such time as we implement the new keying mechanism from TLS1.2.
  * Add documentation for allow_expired_crl.
  * Update Debian logrotation. #2093 and #2101.
  * DHCP relay can now drop responses. #2095.
  * rlm_sqlippool can now assign Delegated-IPv6-Prefix. It also now can assign any IPv4 or IPv6 address. Based on patches from maximumG. #2094. See raddb/mods-available/sqlippool for changes.
  * radeapclient can now use EAP-SIM-Ki to dynamically create the necessary triplets.
  * Explain why many LDAP connections are closed. Fixes #1969.
  * Debian build / package issues fixed by Matthew Newton.
  * dictionary.patton updates from Brice Schaffner. Fixes #2137.
  * Added scripts to build "inner-server.pem", and updated mods-config/inner-eap and certs/README to match.
  * Added provisions for using an external CA. See raddb/certs/
  * Include dhcpclient binary in freeradius-dhcp debian package.
  Bug fixes
  * Bind the lifetime of program name and python path to the module
    FR-AD-002 (redone)
  * Pass correct statement length into sqlite3_prepare[_v2]
    FR-AD-003 (redone)
  * Allow 100-Continue responses with additional headers in rlm_rest.
  * fix corner case where detail files were not being locked correctly.
  * Fix (SQL-Group == "%{...}") checks, and same for LDAP-Group. Fixes #1947
  * Clean up exfile code. Which should help to avoid issues with reading / writing 100's of detail files.
  * Fix build for winbind. Patch from Alex Clouter.
  * Fix checkrad for Mikrotik. Patch from Muchael Ducharme.
  * Fix home server stats lookup. Patch from Phil Mayers.
  * Add libjson-c3 as an optional dependency.
  * Require LTB OpenLDAP on CentOS / Redhat, to avoid linking against NSS, which breaks the server. Fixes #2040.
  * rlm_python fixes. Fixes #2041
  * Typos in "man" pages. Fixes #2045
  * Expand "next" in %{%{...}:-%{...}}. Fixes #2048
  * Don't add TLS attributes twice. Fixes #2050.
  * Fix memory allocation in rlm_rest. Fixes #2051.
  * Update trustrouter for new API. Fixes #2059.
  * Fix SQLite issues on FreeBSD. Fixes #2060
  * Don't do debug logging of bad passwords. Fixes #2064. (bsc#1099802)
  * More graceful handling of "die" in rlm_perl. Fixes #2073.
  * Fix occasional crash when using cisco_accounting_username_bug = yes
  * EAP-FAST fixes from Isaac Boukris. [#2078], #2076, and #2082, #2126.
  * DHCP fixes, relay, #2092, add run-time check, #2028
  * Decode multiple RADIUS packets at a time in highly loaded RadSec connections. Patch from Jan Tomasek. #2106.
  * TunnelPassword is not "single value" in LDAP schema. Fixes #2061.
  * sql log now opens the expanded filename, not the input one. This was a regression introduced in 3.0.15.
  * Remove unnecessary UNIQUE constrain in Oracle schemas.
  * Fix SSL thread and locking issues when modules also use SSL. Fixes #2125 and #2129.
  * Re-add dhcpclient "raw packet" changes. Patches from Nicolas Chaigne and Matthew Newton. Fixes #2155.

- Fix permissions of radiusd.service (bnc#1053654)

- bsc#1055679 - freeradius-server does not provide winbind/AD auth
  Added libwbclient-devel as buildrequires

- update to 3.0.15 with security fixes for issues found via fuzzing by Guido Vranken (bsc#1049086)
  https://freeradius.org/security/fuzzer-2017.html
  * CVE-2017-10978: FR-GV-201 (v2,v3) Read / write overflow in make_secret()
  * CVE-2017-10983: FR-GV-206 (v2,v3) DHCP - Read overflow when decoding option 63
  * CVE-2017-10984: FR-GV-301 (v3) Write overflow in data2vp_wimax()
  * CVE-2017-10985: FR-GV-302 (v3) Infinite loop and memory exhaustion with 'concat' attributes
  * CVE-2017-10986: FR-GV-303 (v3) DHCP - Infinite read in dhcp_attr2vp()
  * CVE-2017-10987: FR-GV-304 (v3) DHCP - Buffer over-read in fr_dhcp_decode_suboptions()
  * CVE-2017-10988: FR-GV-305 (v3) Decode 'signed' attributes correctly
  * FR-AD-002 (v3) String lifetime issues in rlm_python
  * FR-AD-003 (v3) Incorrect statement length passed into sqlite3_prepare

- update to 3.0.14 (still FATE#322416)
  Feature improvements
  * Enforce TLS client certificate expiration on session resumption, and Session-Timeout. See CVE-2017-9148 (bnc#1041445)
  * Updated dictionary.cisco.vpn3000, dictionary.patton
  * Added dictionary.dellemc
  * Lowered the log output for failed PEAP sessions.
  * Allow utc in rlm_date.
  * The internal OpenSSL session cache has been disabled. Please see mods-available/eap
  * Update detail reader documentation.
  * Make outgoing RadSec connections non-blocking.
  * Add SQL backing to Moonshot-*-TargetedId generation.
  Bug Fixes
  * radtest uses Cleartext-Password for EAP, not User-Password.
  * Update documentation for mods-enabled/ linking.
  * Enhanced checks for moonshot salt.
  * Allow session resumption for RadSec connections.
  * Update "huntgroups" file to note that port ranges are not supported
  * Fix OpenSSL permissions issues on default key files.
  * Certificates are not required when PSK is used.
  * Allow SubjectAltName as first extension in cert.
  * Fixed talloc issue with TLS session resumption.
  * "&Attr-26 := 0x01" now produces useful error messages.
  * Handle connection error in rlm_ldap_cacheable_groupobj.
  * Fix endian issues in DHCP.
  * Multiple minor fixes for Coverity complaints.
  * Handle unexpected regex.
  * Fix minor issues in dictionaries.
  * Fix typos and grammar. Patches from Alan Buxey.
  * Fix erroneous VP creation in rlm_preproces.
  * Fix MIB. Patch from Jeff Gehlbach.
  * Trust router updates from Alejandro Perez.
  * Allow build with LibreSSL.
  * Use correct packet for channel bindings.
  * Many fixes found by PVS-Studio. Thanks to PVS-Studio for giving us a test license. Please see the git commit history for more info.
  * Fix incorrect length check in EAP-PWD. This may be exploitable.
  * Stop rotating session database files (radutmp, radwtmp) since these are not logfiles.
- freeradius-server-radiusd-logrotate.patch: updated

- removed obsolete freeradius-server-fix-cert-bootstrap.patch because recent /etc/raddb/certs/bootstrap simply works
- update to 3.0.13 (still FATE#322416)
  Feature improvements
  * Add dictionary.rfc7930. Note that we do not implement the RFC.
  * Added 'cipher_server_preference' to mods-available/eap
    Patch from #1797.
  * OpenSSL 1.1.0 compatibility fixes.
  * rlm_perl: radiusd::xlat to evaluate xlat string within perl script
  * Allow authentication retry in winbind. Patch from Herwin Weststrate. See raddb/mods-available/mschap.
  * Added "recv-coa" method to rlm_rest. It behaves the same as "authorize".
  * Document Trust Router tr_port option. Patch from Stefan Paetow.
  * Update elasticsearch/logstash examples so that they work with elastic stack v5. Patch from Matthew Newton.
  * Print information about packets, replies, and contents in the detail file reader.
  * Update abfab-tr policy. Pull request #1893 from Stefan Paetow.
  * Reject packets which contain User-Password and EAP-Message.
  * Add example for filtering Access-Challenge. See sites-enabled/default.
  * Pull symlink fixes from v4.0.x. Fixes #1859.
  * Add systemd reload. Not everything is reloaded, but some is. Fixes #1662.
  * Better documentation for listen "ipaddr". Fixes #1921
  * Add dictionary.cnergee, updated dictionary.nomadix.
  * radclient no longer needs -x to print statistics with -s.
  Bug fixes
  * Minor typos. Fixes #1763
  * Fix typo in RPM build. Closes #1767.
  * rlm_mschap check for password expiry only if password was correct. Fixes #1762.
  * Update debian build.
  * update rlm_counter "man" page. Fixes #1775.
  * Remove erroneous assert. Fixes #1778.
  * fix mschap password change test. Fixes #1792.
  * Cleanup config file on data remove. Fixes #1795.
  * passwd module returns "notfound" if not found.
  * Check for old OpenSSL, and don't build rlm_eap_fast if it necessary. Fixes #1803
  * Cleanup memory better after ldap version query. Patch from Aleksey Katargin.
  * Rename lt_* functions to avoid linker issues with libtool. Fixes #1277
  * Many miscellaneous fixes and typos.
  * Allow long strings in %{%{foo} bar:-%{baz} blah". Fixes #1866
  * Fix filtering operators, along with more documentation and more tests for them.
  * Fix OpenSSL fixes. Fixes #1876.
  * Finish SQL select queries even when SELECT returns no rows. Fixes #1879.
  * Set Module-Failure-Message for more EAP errors.
  * Correct typo in dictionary.rfc5580. Fixes #1882
  * Remove obsolete systemd syslog.target.
* Client-Port-Balance load-balancing now uses client port. * Radrelay examples fixed from Alex Clouter. * Update systemd target. Pull request #1896. * Trim starting whitespace in xlat strings. * Get MySQL result lengths using normal API. * suid down after fchown(). Fixes #1914. * Fix cases of comparing pointer to NUL character. Fixes #1915. * OpenSSL v1.1 fixes. Pull request #1921. * Better Handle v4/v6 host names. Pull request #1919. * Remove "Auth-Type = System" from docs and examples. * Don't crash on malformed %{home_server}. Fixes #1922 * fix erroneous use of talloc destructor in rlm_eap * Issue trigger modules.sql.fail. Fixes #1923 * Document python_path gotcha's. Fixes #1845 * dlopen() the specific version of Python. Fixes #1592- Don't require insserv if we use systemd - Remove require for unused fillup- Merge changes from SLE to openSUSE (FATE#322416): * freeradius-server-radclient-init-error-buffer.patch - make sure we initialize error buffer. bsc#911886: radclient error free() invalid pointer * freeradius-server-opensslversion.patch: remove OpenSSL version check and assume we know what we are doing. (bnc#1013311) * merge .changes file, mostly. - do not attempt to detect "vulnerable" OpenSSL versions. SUSE security fixes do not necessarily bump version numbers as does upstream OpenSSL (bnc#1021375) - do not generate certificates in %post. End-user needs to do this manually. - keep FreeTDS disabled on SLE12 - we never shipped it enabled - require OpenSSL 1.0+ - use pkgconfig(systemd) instead of plain systemd as BuildRequires - don't list manual pages as %doc- Remove --with-pic which is for static libs only. - Use SUSE RPM group names. Trim filler words from description. - Do not hide errors from groupadd/useradd.- Add upstream keyring - 2 new modules: rlm_sql_freetds and rlm_eap_fast- update to 3.0.12 - still fate#320481 The focus of this release is stability. * Feature improvements + Add support for =~ and !~ in update sections. 
See "man unlang" + Add dictionary.checkpoint. + Simultaneous-Use prints out more information. + Print WARNING in debug mode when packets may be truncated. + Added expansions %{home_server:state} and %{home_server_pool:state}, which show the state of the server / pool. + Mark rlm_sql_freetds as stable. + Make rlm_perl less fragile. Patch from Herwin Weststrate. + Allow extended attributes to have "encrypt=2" + Update dictionary.aruba. + Add support for EAP-FAST. This is an isolated feature which does not affect anything else. + Update OpenSSL vulnerability list. Use a version of OpenSSL released after September 20, 2016. + EAP certificate verification is now done when "verify" is enabled and "ocsp" is disabled. + New dhcpclient and rlm_rad_counter man pages. + Minor abfab and moonshot additions. + Pass CFLAGS through from environment in RPM builds. Allows more custom builds. + Build with Heimdal in addtion to libkrb5. * Bug Fixes + Use correct typedef for older versions of sqlite. + Update mssql schema to add priority + don't complain on /dev/urandom in ldap + fix == operator in update sections + Don't create DHCP strings with many trailing zeros. + Allow MS-CHAP change passwords instead of complaining on large buffer. + Allow assignment or equality operator on SQL. + Update aclocal tests for FreeBSD 10. + Remove occasional hang in rlm_linelog. + Copy VSAs to inner tunnel for TTLS and PEAP. Fixes #1544 + A few minor bugfixes caught in v3.1.x cleanup, and back-ported to v3.0.x. + do_not_respond again works in post-proxy + Allow realm "~^.*$" {} and User-Name with no realm. + Fix leak when creating unknown attributes + Fix Debian / logrotate. + Make OpenSSL error functions thread-safe. + Fix crash with rlm_sql and updating SQL-User-Name. + Debian build updates. + Allow regular expression comparisons in radclient. + Fix memory leak on unknown attributes in detail file reader. + Update example paths in "man" pages when installing them + Build fixes for rlm_mschap. 
      Fixes #1489.
    + BSD build fixes. Patch from issue #1583.
    + Be more careful about /lib/ when building. Fixes #1585.
    + Correct ifdef placement error. Fixes #1572.
    + Allow for more files in internal "exfile" API So it will be possible to open more than 64 "detail" files at the same time.
    + Remove support for statically built EAP modules. Fixes #1591.
    + Many fixes to rlm_python from Guillaume Pannatier.
    + Use correct week adjustment in SQLcounter. Fixes #1608
    + Minor fixes to allow compilation without DHCP, VMPS, or TCP.
    + Fix checks for module / config file change on HUP.
    + Compile regex comparisons when sent via "debug condition".
    + Update filenames in documentation and examples.
    + Don't crash if SQL connection becomes unavailable.
    + Disallow originate_coa when proxy_requests = no.
    + Free rad_perlconf_hv in correct perl context.
    + Multiple fixes for Debian builds. #1510, among others.
    + Set OpenSSL FIPS compatibility flag when necessary.
    + Pulled fixes for the build system over from other branches.
    + Fix OCSP for RADIUS over TLS.
    + Fix skip_if_ocsp_ok behavior.
    + Better fixes for systems without closefrom() but which have /proc.
    + Minor build fixes back-ported from v4.0.x.
    + build --whout-ascend-binary. Fixes #1761.
    + Be more aggressive about not opening new connections in debug mode after CTRL-C. Address #1604.

- use %{with} macro for conditional inclusions instead of hardcoding version numbers
- improved package descriptions
- fixed builds on SLE12 and SLE11SP4

- removed installation of experimental module rlm_sqlhpwippool.so
- update to 3.0.11 (fate#320481, bsc#961479, CVE-2015-8763, bsc#935573, CVE-2015-4680)
  * Changes of version 3.0.11
    + Feature improvements
      - "unlang" comparisons of IP addresses to IP prefixes are now detected, and types automatically cast.
      - Allow shorthand form of ipv4prefix values e.g. 127/8.
      - Add "auto_chain" to raddb/mods-available/eap, tls subsection. This allows the disabling of OpenSSL auto-chaining of certificates. Which might be wrong.
      - Added printing of coa and disconnect stats (radmin).
      - radclient defaults to expecting Access-Accept responses to Status-Server.
      - Updated dictionary.lancom, dictionary.starent.
      - Portability fixes for Solaris.
      - More errors from ntlm_auth get passed to MS-CHAP.
      - Update abfab-tr-idp virtual server.
      - Added "filter_password" in policy.d/filter. This removes embedded zero bytes in User-Password, for compatibility with broken clients.
      - The server now issues a WARNING message if duplicate configuration items are found.
      - TLS can skip the "verify" section if OCSP returns OK. See raddb/mods-available/eap, "skip_if_ocsp_ok".
      - Set TLS-OCSP-Cert-Valid = yes / no / skipped, which is the result from the OCSP check.
      - Interoperate with AD and "LmCompatibiltyLevel = 5", by always setting WBC_MSV1_0_ALLOW_MSVCHAPV2 for native winbind in rlm_mschap.
      - TTLS and PEAP now require "virtual_server" to be a real server.
      - Print WARNING when TTLS or PEAP identities are spoofed or not properly anonymized. See RFC 7542 for requirements.
      - Various rlm_python fixes from Herwin Weststrate.
      - Allow setting Response-Packet-Type in "Post-Proxy-Type Fail", which is useful when the home server does not respond.
      - elasticsearch updates from Matthew Newton
    + Bug Fixes
      - Fix issue where field nas_type would not be accessible via the %{client:} xlat, for clients loaded from SQL.
      - Fix compatibility issues with OpenSSL 1.0.2. Ignore calls to msg_callback with 'pseudo' content types.
      - Data type "ipv4prefix" is parsed correctly.
      - Use correct talloc context in rlm_exec. Fixes #1338.
      - Complain in unlang if "else" is used with no previous "if" or "elsif".
      - Send accounting status packets to the accounting port. Fixes #1364.
      - Print out CFLAGS when doing "radiusd -Xxv"
      - Fixed bug with coa/acct stats value #1339. Based on patch from Jorge Pereira.
      - Fixes for LEAP proxying. Don't use LEAP!
      - Fix issue with "directory already exists" seen when doing "make install".
      - Fixed bug with radmin related to the option "stats detail "
      - Complain if the detail file reader does not have permission to read the "detail.work" file. Fixes #1398
      - Fixed SoH. Attributes were not being copied to the virtual server.
      - Used a wrong list to global statistics in "stats".
      - Create EAP-PWD identity correctly. Prevents segfaults.
      - Dynamically validate authentication types for PEAP and EAP-MSCHAPv2.
      - Fix includes in installed headers.
      - OpenSSL 1.0.1f and 1.0.1g do NOT calculate TLS 1.2 keys correctly. See raddb/mods-available/eap, "disable_tlsv1_2"
      - Allow password change to work for MS-CHAP. This requires 'r=0', because password changes are not retries.
      - Fix home server fail-over for home servers using TCP and/or RadSec.
      - Special characters in expanded regexes are now escaped e.g. User-Name containing '.', and comparing /%{User-Name}/, the '.' will now be escaped. See src/tests/keywords/regex-escape.
      - Use correct authentication vector when sending Access-Reject replies for RadSec.
      - Set FreeRADIUS-Proxied-To in TTLS again. You should use the "inner-tunnel" virtual server, instead of relying on this attribute.
      - Fix debugging constants in rlm_perl. Patch from Herwin Weststrate.
      - Add samba-dev / samba4-dev to debian builds so that rlm_mschap can automatically use the new winbind API.
      - Automatically skip zero-length attributes when sending packets, instead of erroring out.

- fix bsc#951404
  * Rebuild of freeradius-server package fails
  * fix source url
    - ftp://ftp.freeradius.org/pub/freeradius/
    + ftp://ftp.freeradius.org/pub/freeradius/old/

- update to 3.0.10
  * Changes of version 3.0.10
    + Feature improvements
      - Do more optimization of unlang policies. This makes run-time a bit faster.
      - Re-name most of the functions in src/lib. Third-party module authors will have to do the same.
      - More documentation on contributing and how to write modules.
      - Update radiusd.service for systemd.
      - Open IPv6 proxy socket if the server is listening on IPV6 auth / acct / coa packets.
      - Create debian packages for DHCP. Fixes #1125.
      - Add more tests for "update" section parsing.
      - Update "man" pages.
      - Update attributes for Alcatel 7750
      - Add dictionary for Boingo Wi-Fi
      - Add support for DHCP lease queries. See raddb/sites-available/dhcp
      - On HUP, check all modules for config files which have changed. And only re-load those modules.
      - Allow FreeRADIUS-Response-Delay(-USec) to be set for RADIUS packets. Patch from Herwin Weststrate.
      - Documentation fixes from Alan Buxey and Matthew Newton.
      - Update "logrotate" script.
      - Added more RFCs to doc/rfc for new standards implemented by FreeRADIUS.
      - Don't crash when doing "radmin -e "help hup". Patch from Matthew Newton.
      - The dictionary parser now does more sanity checks, which prevents run-time problems with invalid attributes.
      - Update debian packages. Patches from Christopher Hoskin.
      - Many other debian packaging fixes from Matthew Newton and Herwin Weststrate.
      - Add "session-state" to Perl. Patch from Herwin Weststrate.
    + Bug Fixes
      - Fix rlm_files so that there are no collisions when loading 10's of 1000's of users.
      - Fix radclient to use our internal v4/v6 parsing functions. v6 addresses with ports now work correctly.
      - Fix sending/receiving packet messages to wrap v6 addresses in square brackets '[]'.
      - Check for sasl/sasl.h when building rlm_ldap, and disable SASL functionality if unavailable.
      - Fix issue which caused a non \0 terminated buffer to be assigned to attributes if the value being assigned contained an invalid escape sequence.
      - Fix deadlock when reconnecting connections in the connection pool.
      - Fix potential overrun in functions that used fr_utf8_char with a non nul terminated buffer.
      - Fix decoding issue for Tunnel-Password type attributes which were very long. Found by Denis Andzakovic.
      - Fix radclient issue with TCP sockets on FreeBSD.
      - The server now creates ${run_dir} and ${logdir} directories in daemon mode, when running as "root".
      - Handle tags when using maps. Fixes #1191.
      - Fix crash when CoA packets time out.
      - Fix parse error in rediswho
      - Fix regex support in SQL radcheck the "users" file and radsniff.
      - Register listen xlat earlier, so that it's available when the virtual servers are being parsed.
      - Parse Ascend-Data-Filter when given as "0x..."
      - Print Ascend-Data-Filter correctly. Add test cases for both.
      - Allow old-style clients again. They will be disallowed for 3.1.0 and following.
      - Complain instead of crash when "else" and "elsif" are in the wrong place.
      - Clean up memory more aggressively. This lowers the maximum memory used, most typically for TLS based EAP methods.
      - Prevent the server from unlinking the control socket of an already running instance.
      - Fallback to using the configured OCSP URL if one exists, and no URL is provided in the certificate.
      - Return CoA-NAK if proxying CoA fails. Based on patch from Jorge Pereira.
      - Lower peak memory usage by decreasing size of internal memory pools.
      - The control socket is now left in place if a second copy of the server is accidentally started.
      - Allow virtual attributes in "switch", "case", etc. Fixes [#1240] and #1265.
      - Many spell check / typo fixes in comments and example configuration files.
      - Better handle multiple DHCP listeners.
      - Don't print secrets for old-style realms. Fixes #1267.
      - Don't fall through in empty "case" statements. Fixes #1274.
      - Update EAP-TTLS so that MPPE keys are correctly calculated with TLSv1.2.
      - Always delete MS-MPPE-* from the TTLS inner tunnel. This allows TTLS / EAP-MSCHAPv2 to work. Fixes #1206.
      - Fix off by one error that caused some MSCHAP-Error messages to be sent without the password change version (V=3) and the textual message component (M=).
      - Always include C= V= and M= in MSCHAPv2 errors.
        RFC 2759 does not say that any of these fields are optional, and not including V= caused errors with wpa_supplicant.
      - Do not include M= in MSCHAPv1 errors. It's not supported.

- Fix boo#912714: freeradius can't use ntlm_auth
  * Create winbind group
  * Add radiusd to winbind group

- Remove gpg signature file
  * The gpg signature checking is broken and doesn't work

- Fix bsc#935573: Insufficient CRL application for intermediate certificates
  * CVE-2015-4680
  * freeradius-server-CVE-2015-4680.patch based on https://github.com/FreeRADIUS/freeradius-server/commit/a03814af310bb3bee74ea012546d99c48b0ea5c3

- update to 3.0.9
  * Changes of version 3.0.9
    + Feature improvements
      - Make "pool" configurations more consistent, and update documentation for them.
      - Move connection pool logic to "most recently started", instead of MRU. This should help with pool stability.
      - More VSAs for 3GPP2
      - Added examples of multi-value attributes to rlm_perl.
      - LDAP-Group and SQL-Group attributes are now dynamically allocated.
      - Only the "sql" module registers SQL-Group. Other instances register "instance-name-SQL-Group", similarly to "ldap".
      - Unknown attributes are now complained about more often when used in unlang statements. e.g. if (Foo-Bar == 3) used to be a string to string comparison. It is now a parse error.
      - Rename RLM_COMPONENT_* to MOD_* in the code. This makes many things easier.
      - Move to C99 initializers for modules.
      - Load modules in raddb/mods-enabled. This allows attributes like "LDAP-Group" to be used in the "files" module, without explicit ordering or listing in "instantiate".
      - Added 'bootstrap' section to modules. Third-party modules will need to be updated.
      - When adding clients from a DB, add them to a virtual server if that virtual server has a "listen" section. Otherwise, add the clients to the global list.
      - When reading dynamic clients from a file, don't expire them if the underlying file is unchanged.
      - Allow the server to originate CoA requests from the post-auth stage.
      - The server creates ${run_dir} and ${logdir} in daemon mode, if they do not already exist.
      - Add dictionary for Wi-Fi Alliance Hotspot 2.0. The server now supports all mandatory and optional attributes for this specification.
      - HUP now re-loads the configuration only if the files have changed. If all files are unchanged, HUP re-opens the log file, and does nothing else.
      - Much better debug messages for EAP-TLS, including which attributes are cached, and when they are retrieved.
      - Increase default max_requests to 16384. Memory is cheap now.
      - Added "stats memory" commands to radmin. Debug build only.
      - Aptilo controller dictionary updates.
      - SQL modules now use Acct-Unique-Session-Id everywhere.
      - The redis modules are now stable.
      - The LDAP module now supports SASL "interactive bind" method. This allows Kerberos based administrator and user binds.
      - DHCP code is now in libfreeradius-dhcp.
      - More DHCP encoding / decoding unit tests.
      - rlm_replicate can now be listed in the "accounting" section.
      - Better sqlite debugging output.
      - Remove "required" option from many sql_ippool directives.
      - Set default CA "basic constraints" to "critical". Fixes #1073
      - Updates to help / man pages from Jorge Pereira.
      - Added more tests.
    + Bug Fixes
      - Be more careful about unused config item warnings when using -Xx.
      - Move more defines to be auto-generated.
      - Allow virtual servers in proxy fallback.
      - Allow %{module:} to work.
      - Don't crash in RadSec. Closes #980.
      - Return better errors when a unix group / user is not found.
      - Re-enable detail module "locking" parameter.
      - Don't crash when logging replies from Status-Server packets.
      - The couchbase module now uses "update" instead of "map", for consistency with the rest of the server. See raddb/mods-available/couchbase
      - Don't require NT-Password for MS-CHAP password changes.
      - Be a bit more careful about decrypting MS-CHAP-MPPE-Key attributes. Closes #1013. There is no perfect fix, tho.
      - Fix security issues with EAP-PWD.
        See http://freeradius.org/security.html#eap-pwd-2015
      - Fix dynamic clients read from SQL in non-debug mode
      - MS-CHAP now allows retries (i.e. password change) when passwords are expired.
      - Allow "user=radiusd" when the server is already user "radiusd"
      - suid up/down works on non-Linux systems. This means that the control socket should have the correct ownership.
      - Fix issue which caused the server to sometimes have problems when a home server was marked zombie.
      - Fix format.pl because Perl is now more picky.
      - Fix proxy to Packet-Dst-IP-Address, so that it uses the correct destination port.
      - Fix corner case with cursor functions and removal.
      - OpenDirectory fixes and documentation.
      - Fix leaks in rlm_redis.
      - RFC 6929 "evs" attributes are now encoded / decoded properly.
      - Fix talloc pool leaks when receiving malformed or retransmitted Accounting/CoA requests.
      - Printed attributes again use double quotes instead of single quotes.
      - Set X509_V_FLAG_CRL_CHECK_ALL, and add "check_all_crl" to eap.conf. Fixes oCert CVE-2015-4680.
      - rlm_expr now errors out correctly on malformed attribute references instead of triggering an assert.
      - Make "break" work in "foreach" loops
      - Allow dynamic expansions to work again in the "hints" file.
      - Correct minor typos in comments and examples from Alan Buxey.
      - Re-urlencode the path portion of ldapi:// urls before passing it to ldap_initialise.
- freeradius-server-rlm_sql_unixodbc-configure.patch removes hard-coded directory in configure script of rlm_sql_unixodbc
- install new module rlm_sqlhpwippool.so

- minor adjustments/cleanup of spec and changes

- update to 3.0.8
  * Changes of version 3.0.8
    + Feature improvements
      - Allow syslog_severity to be set in rlm_linelog.
      - Allow defaults to be set for bulk clients in LDAP and couchbase.
      - Updates to dhcpclient. Patches from Nicolas C.
      - rlm_mschap now supports direct connections to winbind, which is faster than ntlm_auth. See raddb/mods-available/mschap. Patch from Matthew Newton.
      - Recommend /dev/urandom for TLS randomness, instead of ${certdir}/random
      - Allow TLSv1 to be disabled via "disable_tlsv1" in tls{}.
      - Allow Expanded EAP types where vendor is 0 (IETF) and type is normal EAP type. Supplicants sending Expanded EAP types like this are broken.
      - Add support for server side sort controls when searching for user objects in rlm_ldap.
    + Bug Fixes
      - Don't complain about "authorize" in "server {}" blocks, but only if there's no "server" block.
      - Fix cosmetic issue where debug from the first packet read by a detail reader thread would be emitted during config parsing.
      - Fix ASSERT on truncated detail packets.
      - Don't use main server log functions from within panic_action, as in the case of syslog this would cause deadlocks if the fault was triggered from within a malloc.
      - Fix issue in "switch" when "correct_escapes = false". Fixes #911.
      - Fix sqlcounter configuration to use "%%b" instead of "%b", otherwise the new syntax validation will fail.
      - Allow forward references in configuration items. Modules aren't always loaded in a sane order.
      - Fix more escaping issues. Closes #912.
      - Decode MAC addresses correctly for VMPS.
      - Fix memory leak with TLS connections.
      - Fix state machine threading issues for conflicting packets.
      - Fix copy_request_to_tunnel issues for tagged attributes.
      - Allow "ok" to over-ride "updated" inside of Auth-Type sections.
      - Update state machine so that post-proxy is run through child threads for performance, instead of blocking the main thread.
      - Allow "netmask" to work again in client definitions.
      - Relax restrictions on SQL group queries.
      - track outgoing proxy sockets and clean them up more aggressively.
      - track proxy statistics, including CoA and Disconnect.
      - If radmin has a connection failure when running a command, it re-connects and runs the command again.
      - mark home servers "unknown" less aggressively.
      - Fix potential SEGV in PostgreSQL driver on error.
      - Fix issue where fields like nas_type would not be accessible via the %{client:} xlat, for dynamic clients.
      - Set default busy_timeout (of 200ms) in the sqlite driver, so writes don't cause selects to fail in multithreaded mode. This is user configurable, and may be increased if required.
      - Convert Password-With-Header attributes to binary (from hex or base64), in the authorize method of rlm_pap.
      - Fix invalid assert in state.c, that could cause abort in post-auth.
      - Fix double free when -m flag is used, and connection pools are referenced by multiple modules.
      - RADIUS over TLS accounting uses the same port as authentication.
      - Regularized return codes from radmin commands.
      - Fix RHEL spec file so it works correctly for Centos7 which uses systemd, and didn't like the SystemV init script.
      - radwho and radlast now have a -D option to load dictionaries
      - DHCP packets are no longer checked for duplicates.
      - Don't crash in sql module group comparisons in corner case.
      - Calculate MPPE keys correctly when using TLS 1.2.
      - Fix load-balance sections. Closes #945
      - TLS certificates are available again in the post-auth section. They are not available for session resumption.
      - radclient encodes CHAP-Password properly when using -c Closes #955.
      - Fix issue in rlm_cache_memcached driver that caused variable length values to be truncated.
      - Fix track functionality in detail reader, so it no longer fails with a "Failed marking detail request as done: Bad file descriptor" error.
      - Actually add the peer identity (as User-Name) to the inner tunnel in EAP-PWD requests, so it's available for lookups.
      - Fixes to PostgreSQL queries. Patches from Santiago Gimeno.
- new set of consolidated patch files:
  deleted:
  * freeradius-server-2.1.1-logrotate_su.patch
  * freeradius-server-2.1.6-rcradiusd.patch
  * freeradius-server-initscript-pidfile.patch
  * freeradius-server-radius-reload-logrotate.patch
  * freeradius-server-var_run.patch
  added:
  * freeradius-server-radiusd-logrotate.patch
  * freeradius-server-rcradiusd.patch
  * freeradius-server-tmpfiles.patch

- Do not disable as-needed build
- Remove the with_sysconfig switch and just stick with versions

- update to 3.0.6
- fixes a segmentation fault in PEAP module (bnc#912588)
  Feature improvements:
  * radmin / raddebug conditional errors are printed to the output, instead of being discarded.
  * raddebug will exit if condition set with -c was invalid.
  * radmin auto-reconnects if the connection to the server has gone away.
  * rlm_cache now has submodule support. See raddb/mods-available/cache
  * New memcached driver for rlm_cache. See raddb/mods-available/cache
  * Add support for &Attribute-Name[*] in conditions. See "man unlang" for details.
  * Add &Attribute-Name[n] which gets the last instance of an attribute e.g. Module-Failure-Message[n].
  * Allow for redundant string expansions. See the "instantiate" section of radiusd.conf.
  * When checking IP addresses in conditions, make the right side be parsed as an IP prefix.
  * Support JIT compilation of compiled regular expressions when built with libpcre.
  * Support named capture groups with "%{regex:}" when built with libpcre.
  * Increase regular expression capture groups from 8 to 32.
  * Emit error markers for badly formed regular expressions.
  * Allow 'm' flag to enable multiline mode in regular expressions.
  * Support limited implicit attribute conversion in update sections.
  * Support casting between IPv6 and IPv4 where the IPv6 address has the v4/v6 mapping prefix (::ffff:).

- Drop .keyring and .sig file: freeradius-server still uses MD5 signatures, which are no longer validated/accepted by GPG 2.1.

- update to 3.0.5
  Some of the new features:
  * Allow LDAP to specify arbitrary attributes for dynamic clients.
  * Allow one level of backslashes (finally). See radiusd.conf, "correct_escapes" setting.
  * When supported by OpenSSL, allow TLS 1.1 and TLS 1.2 in EAP methods.
  * Allow multiple new connections to be spawned simultaneously in the connection pool, to cope with spikes in traffic.
  * Use kqueue on systems which support it. This allows for better scaling when using many sockets.
  * Home server "response_window" can now take fractions of a second. See proxy.conf.
  * radmin now supports "show module status", as the counterpart to "set module status"
  * "ipaddr" will now use v6 if no v4 address is present. You should use "ipv4addr" or "ipv6addr" to force v4/v6 addresses.
  * "client" sections will allow "ipaddr = 192.192.0/24". The old "netmask" is still accepted, but the new format is preferred.
  * Allow custom HTTP headers to be set for rlm_rest requests using control:REST-HTTP-Header (attributes consumed after use).
  * Extend format of %{rest:} expansion to allow HTTP method and POST data to be specified and urlquoting.
  * Add support for aliases in rlm_ldap.
  * Add support for connection pool sharing to all modules that use the connection pool (pool = ).
  * "tls" sections now have a "psk_query" configuration item, for dynamic queries to discover a key from a PSK identity.
  * Preliminary support for EAP channel bindings.
  * Foundational work for dynamic home servers. They do not yet work, but this is now only a matter of updating the "realm" module in a future release.
  * Support &attr[*] syntax to copy all instances of an attribute when used with the += operator in an update section. May be qualified with a tag.
  * The logintime and expiration modules can now be listed in the post-auth section. This makes some configurations simpler.
  * rlm_sqlippool is now IPV6 capable. Set "ipv6 = yes" to get Framed-IPv6-Prefix returned. The SQL queries have NOT been updated. Please submit patches.
  and numerous bugfixes
- remove gpg-offline
- create /run/radiusd after install
- drop freeradius-server-opensslversion.patch (upstream)

- freeradius-server-opensslversion.patch: do not check the minor version of openssl, minor versions are supposed to be compatible. bnc#906682
%[|+_2:EnJG8FoӅd wM-!T< akQsI?QA5j7&[;ߺl֧ķMJ 2dyD"d8hXe^+o{AzLpqxӝ_6 TnR ,vRbr5(mzb 4f>'.w]u<8ʉ3DG k"\T к_OhRgBKȬ]D4[AN@|bA?SŤ#g>$3oZ2lms3o[l9YN"Dl|Ȝ8䧎I}Vw7^5xG%H3)0gIy4p&|t\(MMsa_uh6tWl`y 'UB~v@˂XF߼+Ե+%m"_D:&sW];]]!>ȇhtuyB]V(7JEq!ThꦬDo I9 cnܕ&_d$/Ivcr CͿ)9XI bsSLc/xZl^v&;IPN:jw:IU2r d5<$HlN@)&_7|WkP eKV3~[C_e뮱89ɕ4dIo(TK >;Wj뎨tF/Xg]⍕݉󎄵an4ZTjfXWq.#~qRKLy[;ty ~Ao_طPTt<̢mxN^_6x}vղW@JV JH1sGdSDr)yEf$E_=du.5jVN ue\lz>p戴:S쎮f ?Q/nM<$YQtduv)?kxj|xli7A -:4r#c)B\M[=u'f_Ķ3%#FJt AK'06>!Bqt>lXH4$Ek8{/Lgճ˱<לXPUL,/:6mE0?)<Eeo]S/4 `ӾOqmn,NUôhs=c[Ėf<{Gd)Pz3륧Bܲm$pXb|M"iU*9Kr7I /l6|C)n VV +d۞;#N8M'˸=J=^ŧI"͑i/ {\AKhGo8 ]ԇPs1ȗiK?{ˠ(p 5u٭Nxs&iA"~84o_fUyNq8s53#'Y ;a) 4ƲmIqHCW/El>X15d쑖*HNE%ּb jhKOZSN/۟kuY4jܵs{xZq %P0`VEB<9z ̑bov.1C`bR?5oU:j HIvzyMY0ŇE}.Cc n" 87jƔ4ܖ{߈s?Bx|Jwd1T쉢7e^Czӕ׺L̙<8hg7vÖ{4Sү ;WGR`Z7g*;u?3y0zC*δpkpal.u%^4?+^xH9nVFeY zYZ2#(w=&._B9kOKqwImrBqGo-v];IKв2 XEfoTy_pn T |$Q͘R'7O ЕVU^ONCtUù񋡋!mL&IA90)'ރ=f-h4;~?yS "EuC-Wٗ&)93?K~#~G5%+B}-D@4 yNk8G{y  pMG„qK?BQ[ݼhXӑyn+^20Mlѓ.u >|Z 7ae7VX9d4!# kp3UX{tuk]4r"GCPy{D:q9a*v jX.?.TTa8MShR>Q8:"d߆x V4g/H`[V [J/yV! 
XjWR.F2%ljeJƗᝀ@}3zKv9J׋ {3uejxk7Kirkhpw3j-C4~zJ-ٓ^ ][=Y73473X?9 \CMǟB7|a0jYzc ؎ VXMc$2LCT7NㆫX\X0/  rflf$OD )T4__lŠ(pO(+"0';; gG{Iv͛(zjUpVUC^4ɆC fQc8pg|Y.ňͻssukm%N|h$mrE/=]ؕфd-ղCB[ǽ-t5^ G1Y63.:^P~E4k` ~A:K(|?"e|ъ|OIk)z j]a+"K1W-8R/=[wƳ}⌺Kq$A`@m "hsjB+ҧg٩ǫ5`L-|"&3z]_i5b-.uB7_R/*~HM aQ!*w#輅 \A_FYpڼ'o =V bWk+օa b@ `,'p4*)Yk2[f}xms.c0:+/ťl=ޤ%س3Ve,A7S.u~QfZ-P Cj|pOZYUuq*`X~ya12'cڤp Ľ\Ķ+K_0Iug5 ̿Ⱥ;JXޗIWַ擭A+:~z_T7G@4&V~^|( P FSX/#Y>HzRs티 @.~z*re[v:JSS*r^"8 R)ZI蚞HE~;1D9ُƾ{82y_hݽ6@&8:܁2!PuLUVQ(lՍ暉8)8;_K8ȫι)i?ͩ4-D\}\rζ񒶸i8 貔>_gLQ& dQ;WY: 驚#876!ި#憲(t!oYLuW,ta$O?۪.VRXݲ&M;BAEuk=-t=UFXMH`Ș~*qyF|Dѓb/sulg( ]9#d_}$pF.S|Yn/=~%:BoD˫䌭,UO?oTU 62~܆\pFouBn+j&SSjZBuKT}vUɡ '}{h&Ҿh<qX}+X#\ pzn/Dgѡx k^z <z)oFtq[]i1cK~U a %؛c!kvʈ%m @Y}BBi r6iQptPW04 >]Ӊ** &K:gE?@M j(ӂ+pus~rڡM\*SyBau}NjWaajI>Ǚ8`a=J:8Iў{),n*?_P D m_ݯAfIbB.$;O'Ui`KC--EWỾug 8!"7@ zdB{8xZ/㈮v1Jا +H3<R#/bԥ1)ܓo/ }jH'JH4E9/n, vg!d%G񇇋KN.Xt‚j vU"`-ƳA+$9{!5vs}ַ7$4H 9R_>ޒܸCn2~v'FJPf7~bqhr/N&BЌ7,`?̋U[tGUe2~rq_pJ$/TymFlk)$ +?/J^5o@@JWX? lOWO K"^D1 5dbZ?V01sNHat gil4 7*(F{f"[[zn v{M#z+]nA~P33q7J&|q L0u}oJ! @rg 2Z PN1&Wz$h@тTiWY*ev9{CqY9H=S[& ϪyL 9I)|yZ^ST$5m:h VGiRaRˀ/Gnm1mnOÎo\f ͱTo,m?)WM_Ob`PqUmfW+^ICzBkdC{Bq R~`IW1],\x}) ֽxj۴˺=XKYّ<_A]rkUt>ELY)DաF:jX4*NcѴ܉'g~NB Æ+??m x3۾dD~‚H'WZo+6:H:PaNxZ#~Ԃ~宲-}QT&屣V07<":,vBLl%s7#"*Z͑R;3=B '7pbrVl՗z4PLp2&955.JPe}:8zj + /C۔mpۆ>Y4X4ITeGݦY\]2W`j\T!177)|-] qLܶn$~l Ekny-m/*=}jFc [/ OAplAJuN'=u)hx8;&H/S s~&dsj(eD0SQ)T4XY7!sq&ĴH8:xgF@ǜ=#T/ڋ쾞B3Xї\ DnlUʤ>H='s b1,I'PZs}\﷧@0 9ZܤoQWeю/)|{2H)_ft0a;XZMW}-񓣺c3kfϫهk׊Ō 5yL˖gGvvJE7Z֍*)^";,\O蜕*~ج%-r#_Es0Q]vZTB=Wh8Z&VC:lZUQz$8%_2Nw%񐺔hte1ڢ@L-uUwq:!Ja֖è$$ؼ 0'SߩX|,_/1Qpv]1͏gT`]b ѹC.mLi8 v  r%ҥ p&BS7藗bk> pBg܈'i65:>PC>0ui>J OyrlORUc@a E_*8(j*P8 %a{CjHV3B#MenFÇ_A|+M0=*7'ƥ{&,:0S~n;}$CTƉ. 
4;Z"])4=tGc;Ke;ːo߽}Fv/5Hi{wg=YG<$wAm(/+ް%ɃFJv?oR,8O~((ԁmbywaƷ |"\9HA0- @ cṅ[fyk;2É{n?{NM`qbJtrPùx'E)ࣤ3őbLi+( VK'd: \O*Js4=:Tލ˝{֮FT?J UpmFxd]"y2~]).(0^wPj'^k7ż:.^ M 8+Z玕'P(pZ@Q|mR e⦁8D.`sm;uR~մ6 }ݻp?Ekǟ͙Ih#IFt-E?ZDJ}6 `yGxFjI 1S.Zy`;Ik_"ϖ.o+q[ϨMR7 %r G4oQV pIhb6Q@,a跋}.w 1(dͳ*S-=!KNp#f7K_lQ?eYcgܹBq}x.PŴ\~;Hx1EY#] z*^LXILnIDDΞ$ _; ORsN-j;S9x2/(s? ]7rǥEԍH9]M`ט ad֛e>fߢ$et^^GhM*SW#x8[&KOŔk{(&.1&ĝFcxO=V?DQjDeĖ436NW-R -> wIX.`ɋ_14l!9 sBgQ1IO5||a_}ډڮy`^H!v62?/t]<4AQVBmg7ߋqD>mhWy'mVdWHj@Fn]b2 p;u V H^vk u]ΞNT0_͉YWW6?Dr8t qc0L{oAoV di \B6GZ,_s>3$O8nS@LzdTd=xGYjZBGQ-`sc1TcũS?DovN.}_ӬJb>#z)h[SZ!;͕w}v2ByQyFԃ%yj &l 8׶bh -ۀW x27Rukֽml\؍%n}Vli}D3pCa{"cq9\քh4ZA/VzOS*#wk+$];oƁ`̠0U' ;)2M;f_쌄nn{##'P7<ؒ닍N |*2zS2"]^f4¡a S䐰$H7Œ1/$D=h=5y"l3VK)s @oHaZӟ=9;n&R@0k'Knȩ1-8E̳`7_53W5ExT@IJ~dz^Dד4d4B06,8gL2=fq<wfӗWûDC  @R>D[`?~kEkqcC/t:M uŰWqxH OOrDl|dC:nQ) @-Ǜt.'Sɸ҈}vS%E87a֊of,fM[ ZH(J%#/l_Qn )ӎ>M^υ4F PtgjF>,b I': %fD|X?[@,3v\ڛp _ED;/&\ 2^`\{cG R]nDIi;*k\~b61QGa{~' -O֏ y AY Gy<qk-" )HO a&<ϠOm}> n6s^~*Ii do[dNk(eI@E)!2>ȼA\ŮIG(y5(?HWa]^ D$`{|ʳ G746ybs.kZV+3WOIiK1 Eh>U([WBZz"~X̞!tzCJr>L11]eFO1{;Z$cgVv``r* 80 q-G}ZX6+P\iۧ/s OVgoo [. m\ P9ͺlv-B8*1mMmAa]޳oOH5HJaXO7"yybb&.c¦D-39be4JvҦ =2r3Oc-bEE㭛<\佼"O6wk`|bDL jW8¿~ u"kOKrR #د'b&+luG$4~R38tYkWWM ⇹ 5| L4t~ojl7Qu-&+U >|*:9.;(TH_{r 9B߳/M.p ~1tΪ2a@prd^گ[ہ IApj*j]U,D/cGXnAB˘>i8FTҒ&P5QjjA>;(Hgc$sQdTulnHDmcs[!Cu''ǰ4@c@ gVTR2 vx2(O$ڗ4ϬxKH1$DVxZкҠyRc 9p[so0! 
XV>2B $1!y!Wb 93OB ی Oڂ6l^ݟ= ~muؘ}}d qwxF:*I2~9( :|%\̒V4J,.a՟Qt/hܗ|~B,^3` q!JRޱWDsfrokpƷV8F$DZ}~ @=_4`*@n}ߎF;B6^JZocu B]K6)#mU?%JMr6%sr+UA; W%3g9sxc\UK.H,^YꠟţM$g7j;Mo &ܙri:6úT ܁`L`a-$duѼE IM|\5U!2/U‡ X;r86ä́_;|Nԛ í2oܶ8P>OcY2W#rN\~~mWb5ONkG|a=ӛY  3De(6_ĉu8hgt ^ϝޝFGtMg&MCU.tw^e%' B/|WD7?C6<0մ珞q(,; P# O[/9EOcďlL",}_oMETG'LDx:qq)^/o]SVcӾ@y1TݙE-aH - 9;rOpq=R32=Y:h HkzeqzA/#$gERpT)L:OwUbg[a6#l[׍=x #2 klL-J˧zh/=-d'aHcC2etV,%ItthM eUR_YoR;| K VOl2ȼ-BZ<&xs"jB-#=ڢ_g)i *EwU@ =PHt!_ޖ4gÜtƗ*| /De CP5-V/ $yjӊ ˎ9}8k<>._śv"x=0hXj]^0OHwWglZh"no^`a~+^̔ °%O_$JJɁXH:@XܑT}|f w>p@z 1燋T咉 KQcIYa!4?X MZco~Jz޺Gv>*}z'-:ilԀ0SFuDboW0F7 ;-8]P45\]di!EcѨ3?PH6v i MEgOK;Z{/cm\*rᦣzݧ(x30|]q|fc|f| v%q_a1RqT,>aK~/ rJw fVPnd̹Bq#ÿDRiwJIpD^JrIGF6Fte/KPTK( oJ]R7RJ ~pwۑ⛄*i\eZYSAb69^!ٜީy s_>htal(+u>Yr_$ i> Lا1UIyxAuH#9,:U^a1A5gtyS<.X'CN 3HUSgԱ!4 J/ؾe|Ak0em+ ]ӋTs8@*Dh~BqkAo hjիH 9& " w EJ DuQ;sV.CMl%E$*ϻ.d1Γbh9,.t{p!k|/ant;W, @S2*쇁5v)|lsݞ)]ٹ_PRtŸ+6x1[>jC5t}}<uwi(5A6a-~3[I˾[^ɹa:]'C97/TTD'>WI6<7“]+D9s'SdL8 }ҥ &|Н'A# βHVpFpV&ܡMs>a; {fOQ]PF =x^BW@~[PTo$Cmf9^[$Tjڂ0A]sy}=y'-X~D?5p甭cl)\*~ut74eဎ/MJQݬ':'؄]2%k-8hS.4~fwgJNK@qaJ]\"]3ֱHt ơ)ZӠ<jGP^%ֺL>  qdÝR"qkAMGEҪ̹tmw}12uI0?n1þt0WlٸZ,%ع>QAʗ|K<\f:5vI:Nr;yjDfA6=wc 0e;>j&:Zcs7m ac̨ֆqzǰQ^_jҗv"PӍEyaͰǃg܎f9OdleY+'^rML`{%ܶ@l-bt䆠Y6v e JO }t9<n' |+V4פmQ@vp Cxls<E(>n."}qZ EGN/vjʙ(SQ&$buHSk;U#KU2DuD ~, 򑐰 (ۇ_Ko{-k˴-ս= v)>@y= Qem ʄM:r<6Bm[倊*%rymXEΣ4 rߖ9$Y7R3+ 7x5Տե-hS6%^}(85I(^]0կ[/tv>Z/M<1M[V,#C.%MЕh{a8RmpڄqUv`3xhoE&ykx@TǝFwm[Jt;i@QEcBW *NVs) '[xo BK]MF*3^?jEO%Vi>s7o~ADJ)c(>&jaAbvT )A/؀'ܪ@1-lIt bf0 1S43&qn 46kUyK,<&*ɣ 6 K|gzɕg/¬.Pv1 V&t&;4qV;rn5KEqdBי@'s3S;Zl[`=aDvڊ=pCK 4:@YȂm8ham+0a>պw}}{bw m_Zv"GΠ>)\ K򼀯1Ed4n 9X+ mFH^(\}{n妮Y  ~Tv@{AXJnªx܍N{>: FyvSFnq\0mVD,xi&C6+ui`UJܪ*cyV8`gTC~F,0sw{X^@/P6\b~Xۭ̆&vѱ7%9pZ`^)`KdR["dW}3n۳:i" ޮWM4s/u 0xۙ9\M^@8pR&Yx[dԸ;lǓ;f4ߙ@аW%ՅtA譇Iñ9jx3x͘[@ 9ICF'ҩO ,Zԝ??_a\1gk|&W6I c[A$@(9TW$ r,", ݦB%uS.i:qsUpڱ& ýh6y֖#=<'bTF('0yr*Š_\.HD|&-6RxS58;I1tl7+χ[rZ #VᛍE77u1ֶpP`øb(@$ (D1uFY+F w~q}C|+zLze'bff4[@lA͔yq? 
:"y82BȲ_ӊsa{?9zRo \d)exkpaB+YSD/3sy;.ъXe6IU\w~ *-_4Wb,ǥ?ՇjrgYc5=#Ŀ%q)Ҭɓ۰7m s{a\ YK_ 70&%Q48nD3ݤ 6^dvFNsʔ(/~xvE>Fc w>bݣp*3\>hSy*<:Ȏ,_ix5|Y*JQְ9lCg|7{m:qQ|7qF$˕לs iQ:[ G[І!\}Y\h:9'!{*]+=*V DDm$*]Q/h6`mm~Z[ JKcgy 8z =P"o.cz×|(:: {EE=3K]!ʱy;JuT$Wz++K,}pmg'qDp^8o'ǁuGD; ds9eLӊSsm[ꏾUXN3fX13.yY1UV{hXW ZcGl`1 Wi_lŧ!> [}iTqNyҼ:U^ by @~ttQI$Ҍg.5 CCQ`HnVZڵBiQԿLkәMЭ"ra3_bMž_r];_KKjȭUxc1'gς>թ''?CoeNΙ#RS:ڸutyRuiWfiS^5~kdmB)֌h?wŠ3PH9!P֋RSKpfo> ES5iT79t~Лo!ݯ;ޛof8H 3Q pi}7K*HJIѧ YIo-: gQx#B{(0;Rλ%'4D"UuVlUB>E$xXㅼ:r0@g{f*kfRՉ/lptm5 wn& x Yhׇ\x7xKrj4} …/U({OlmYr.Fȴ#ҩ|'hvpS`Nlz@8&5kwZ$Y_Uj.-$"w<4nJgP}ȳ.ֶ&:u]ꝗۿyZ$Ed\ M#ٍxgx.^ P‰Y3A|NYI]uM"_uǓLc @}SkDˠEk?(%f៳'Y%%v]5RMU#ye`K+ 䜤y%U%cmuo:,)'$ABr݄[R>rژ'HCR4*(:HWZx'5$fg``eHNVcHA.k8,@)i.me^JqwHRʭ .&ےI7W0B}ؒɶGs\A:UwP0ک93SpW'ۗHN{HC i&ˤvFȃdǔt@ jй*?j|VT|QvI9"o'I+"^Yy%ןҥCZPs&!M {c.t[F7$VG0 ir˫^-s91TkK#>ډrM$-J₹<"T`gu7ۺϰ=3{\i V 0RaW D&=}! HR~:N]jYهJ\sBjelb 4ݷ ^( [f4+"v"]B:s]ALGźJW!˻vmCIaK~ s` *BMxyQWlE=֛!]Wm r9T.^d8򄻷8/kl`D1s4l6-|jv*6ğe-ӛ؊z}e0Zqj񢧙P,+?L"L' ]Ҟ1CDK{ʛ JT귙$aX|? lk3#yZc;ôm*# {pF-2oq'vX`0"܂{ڳߔ_1 PDVX_A&-߆R:byZ(2a,z\]Vx/v/ƢLvi+Yj;rrF~fN]jԾM iGus~ o%WlOd_MܔDApeC:Q1Y]!@Er<Alz뤪@86e3e ;Ǖ& !rasHL՗rwS[ۃc_hN.P`e)/Sz٧?&@E1dfvWXSꤝD#)1UIaLzvjT_ǵU j{GP0b/hVO <Ȏ֡ܢg` ]$-zƔ?WZ!PzW |!kX ;`KC }߯̿@c}ǭ'G/=m34& wJBRMF2ZDhʬ] e14tzg:[}:?6%!>X,sK(͑<$PWޜҾnV% &4Uw)X+[i4s\ǴEwbmK|dS{!+4Nޥ0 Dh * ˨#& Wc䅊=J,R&KN7(Yaǃq6'5Z8W`R" n7{ۯlcxj@mTfRK f9 _!BHˉin#;/C2Q.da(mp׳OI׽'‚/9p wU]:f:HV wH*BLOx}䮙psoUPRR Cev%)#{,P}H-OVIS_ŧmx?Bõ=h&m]Y"l4o$h\PQV69\5u !*zFF in}*U%CxN$5zJqhCo|"g:j;՚~'3 @G &ULq7oH~] m]ct hi)eC̿Yoę 6P3e6PgUYIMAGam޾|&t?Slw00.5f&{iVߒזjWْ>o,QQthOɉv]7,?@>h)%ya4oxgn[,Kg8pu"/(ǝԜ++{pgiP /}+n#+^aק!!ZZR|gq>nկ6 5њ%bɁqGZ~;C ,CIrjR}J&Z"I:WS,)^Q?of쯕5U?o.)/_pƅPMřs|`!.QLG^N)Xl ܁sT IsIH`*X о(o:ž\ & F`ɖ&TV8ipϺI>񗗰=ͳ0Ur0442FL ulH,}ڊ Y+(L#U+>|i|9~TOQ.{2N}5,~bWXmXMMTkn~`OeƖ!- 8E2sPȿH+ mSb0e#fL- Z2uCN`"0Ҕ')S:TOD* tB? 
kv1@̙!u/d8)O[f׫,y 'Ka1B|| 1nHbv Fܝ G_%{݆8ŧtR'WN/!C!Vojй-oS03uW|}DR?Y0[M,mE=cb[1Wfһzʘ`s/t48'9$@L]]tKrH6z!vXee/*6)Rpp?ShjH+@-(e*ZM3BV/uGoEB㖊3Γ&.L1 {4q ޿AV[ [\&2[ DCHe2~=8bߵUziIc9?`JZio\f-zc@OE 2*2'i\s>8r~^Ya&aCʲҀ|jl»]6RKv_( gQ1fXK߃R[;A+PhY|DS) 3ڣZP.z}h'7~wo1XeV~!f9DEz􇤿^:,kd!"7QZH2O ZRBqYf#?BNFL>a<q̡H[6;z5rp__}X/8XN"cv"VjmX 1U[FY$(-\sFQ)^D eI7=esX]\ k.NzR'|8Ҿl0B)KD}GӉg|2ޱdx2AmxcD.ٹՖ(~YPG@) o٣ g: or71Xؾ9|*fO w\B`T&({f=Es!Vg1$[W9YCZr ܲ^oeFqrOV'\׭wk!9KjBC hcn'Jcyqc`"I(x%F}%YWd"/^)|Ej@񧾁CQLG}0=􏵬4-pzOb彂@2̉~.2یꗿmLIjbh(ע ;(1œy\#%Aɣ)T_9X;̆k C>2Gk ^}RAI|NnñP*;Wɦ$BK>#7.+DPB@vh ei@8J|Qz4XեGAxgXdbb˙Q}JzVN|VTqy2tr^[ևz˭ָ_Uk9i Bp7CN(NI\۹ Sޯ9M%P,4U;];ilv`F;d_J;I&5⑷4.9mL#]ׅĽFznȧdcUU]cT6sk&ݾpǮcZULM{փ][lyX E"8A?;(+C"[-'^{R3P ~Fo6Y;0UEZpp oۊν~o_X-O m_-KNwѩ,47jj; uG>;%@(&*:V?oDƫD%z٧e][jY% =jB3I|u4>a& V/dh# s/NƐ;܉ɲS*&8w [I0xO!jG+3r!b;߲sæE1_lꎛ gŴ'׹s~͐TA>-#_Fٰ\bŦ3/MaۛÍ"Sy B&U)Kg " <[]7:KgC鲭yZs9;)vѧ~'jiX<6:`5 ̈́`"ȓ-p04~n?sρh蓮B3ŕ=D?v[ 6H.WߢS RؿV DNQCH{)v3E)-ln;9?00ɺȟ6K&w2J{,FBghE`NF f W=~GuZrаNtdKw\^xg)>6 }2 fq^XN.:'gm*A}pr3£Q6*SiMY"^FZ!cɠ`I@_OxP\[.M0U7չܘf`3O4cW0tQwa2 kڷgMo$-aZNmc qěB] Cv8}V9F&T<kh>󕟋4ճWu6Ғrtg4 j{dZt>Mv$u!-ZŞR#)~"$ZF?,a1Q`ZaLy|gR`uDk&fXOrE'h"yT(<|+C~oSVԧ ]-a!>)8cS}QcƆ{K^H>}ҧN՜ꢙRgoW,Ka*!GK ٛlj) D*[a ( w_;yyDdYP_=Wjx#,DQZkC184=);V{Vb 6.Ja>5qP#p[nz/x +wfuaH?c|*Sby_^1` OineuY+S}7¦˜\tB !2ͺ˂Vf_zԝASmR'pCu#p*{cBm@(EjO#컂:F?gq{=|u+msfA \9qVPQ@ mݛ>Bu=o&!}Gn5Y.KF-;yI@a$^ "5%⻏.]HX7㪣tnucKBZ:o|W4@(7g|Ap>p6J.8·)%rݚ5Z|cƌ0ٛYbߺPZǓftV#/RQpawX@R5b;?ԥ"?@:>=ZvT^{\w 7q8/a5GdAHlPي=/tE]#!zԘGP Ť,IpA~AT'QiB='bD0H;"sw'Gtه$(}(s@TA1-6&aoBJqv-Ipr4M|iy!kaME"j&>=Q$tPvR-v+_4m"v3y>Ůt&8^Pf5%u^v:8 k +2t3Hf%50Ó pّqP(j>ف Xh|0~'^?6MQ8jc#.6\ WpBs<-+ Dp f>|[ KBPղZI; aoIIk#|\LLl(B(Sk@,np-1f@NfO+k^J6ʏ8S:b37x kJ?וۭ{_HPv) Lc5&|HchmoDNU]ngaԔd5SQTn d?cK .+i};7Hi;1 <+Դːp`G?  S'>'}WNVa&7q'Fcbh2 .wLgpv^_&q<:r Xg3K _ݡg-OmRUXIm}=x´YCZ 3MN~oֲn̂TI\kr3NBǸ4'E.x#Dp ]I(0NAEƄ4ܗ '\cVuc;Jn! 
ܯF̢%Ív6pFB0":Ԫ;@ |M6eP> y΢"6%st]&smYAiFLobq*e@BN΃` =g t7[0dx{ &ieP.G; USxJ8bMaE3G}V́ -Oa:7/5FtG{{pz,ZA!Xu|lBD@NM?'f$#x`ɲ@-{-ï%h5=0U)T?9|z N|-Ϊ؊𨓬1jNuhLsKINB"Oqh 5Gj? e7d߇?hx~=}7AVB8/o߀ʵ m!njY7$ZF7j h Χ-boy9ޭ@wg76 "6 jm/X_&|KyٌHvPg\+T΅41κv 3aǞ43<8? f]dZY/"? 5"2c1xPH; 6i}ZNKˤ*0J Q'guɷ-WL#d-<>Aci$)!nر P{xwЋMXUzʌI%]2 Z L%W(vfM.dm1^S::1q1+IBk0)pᆎ+E: m&d|/}R=DgJˆUv}uA x,:{ E:!MT՝Q&?m 2:HMJ.mHQKqKt;-%AThpμ?۳RE<@WaHwB܋kgϚyk Qrc;0gm Ѧ=*4`O;Lt50ig~NJt!Ԟ%P]}Gghx TC~Oe+.jc721|슫?/ Ԍv@ R;·)C6+M)ú,'E+Ԃ`{} Yl9spYh8ʱm-B1ZTMT}{twVTOcXqӅ)6caO707IB$eӒA3-{ǻEIəHraPڽnفSn] o\voC-:yK^PhY*_GB'(ET9Y&!tPT#_S}@չ9x tvg:~SZ)/3_J;'m^9We2xJo`@/lK8sfeU{djf+xXGP\DDjl^;mfT=,c%;n@IP(+-"wM)7tGx< k*19y9(fO8p"q)׹am lN :{XjGTfobwX4-V5ZpT vZۂbb^Q)S)e ^4M.at[ tG"NS GRY0o9G&j$'eh饠BJ]:Uc :*PQ?(0'<˨pQD+\c` \9!G$T`fj6Y' `p['ƚU1f'' }rK(e@J=ʥX 82"% +60ה3D[=^"o4X`ilt7Y#ږNѹ'&i݉YJ}Qa:'_ײp[c m $HچM]PȠmiΞ'hza} OF_CaE#~4sN3t B6aS̻$ _hW"nH9˾Vwغ+u5PfA.Z*~r_dV/FP,>TPATa|'m2ي^y>|+[Ou,R >t-Q[ӞiD-^2oiI|ӷ2`r DUϸ8f|ecg;H%W Da#zQ 'T`.>M~>>gdE( C@-]hDQV刹Y=w bij zrq`UCi9?+4W+ xWj!g}uƜ!g3!B76oZczV[^%aXaFK;͔N*d!\Izր^9ioB^efe{oa$ԴA}C 8J75ŠOq2N\ `C]*?vMc c[rxX`$/ŜK$eE)ҝr7#f͜CEQ7w?:K .yE :f0 "Mpc5eK12=',@_ΨdȑEq+_e$=P;R E0JHDqwzYD.=&2Yoj{@GGsEI=q^\tį 7Vumֱv:ceAs C$<&J\8~b%zD'wQi3tt#.w<;$ȏ>ߥF3%(_?Y<[BmHq7Y$J9RXB¥an+/_,FM( |]4AV^kwNx97RWF͋~Y˷Ti~'%=gq(nFh`m5i0 Zεִ!oP$^)-WD) %J(Q1QqsI8!aؖު'EGodܚ=T\ZVQ ]<%Vyڛ z(ur̔!llqY5,M"e(z8Yfqy؍j돤E&';96O(`Źmž@QIUWQ3Mg&1l5IiQUɡO *Dv˛"S=cMg PkxˇoWU6E9M4LyPaR3[#S9!2*Fa; y=˷jj:iqqF$}4J;4ݣw&^D2yMӅ>gbߤ{0@njK؈.[ R`~pr{Y1fU0{o֖Xy})Oj/SkrŶiMUf֦c\`bPa?ݤrheiz-%a}( FX3o4ߥpĚ4r\4tC".ͪ{ '-YL;ha [5#7η sAl_WXRHe+pT$}_: jBXhhGޣB6Ի6I m46̩܎>`}/1F#rZKTkhdQ/ ʏP2 Wű>p"7aN4 Uv-uj.>xXaΖi2Q aê@ Ʃ&f:ʜ,pAUp]/xRR0NGP,\#(׽>Tتr;FB/K5Hr0S5],qC!e3Z+O ).epf1ͳ E Lۚzq߶ .LJV~u.'ĂYMbz}0ySb ;tz5i_6OE V 0v}Mtq_Mb|Gߪsp=8X+3B'EE; KW#xg`d=jizhFk{Wmu|Q^U>Bqj, KnXG4[4?9_l_z"!!QN\)v_! 
%#/<զb7qXRN%B|WةYtt3a w7h UMGDCm´ͯp`SC)fIgQ~ =p^ #sø21lBihՈ9$"lІsgǼ4C[{VZ,5gTLZ.XjrHEf\(_k!F6D6[t]ZsM*i(HDPeErzYauA;07w-/M4-$[Z$pLq/Puy<)4ɏ7 c:ښB(c!C_9={;;l*D-"*ltnrT3I-=̶g4ſ}LCH]X+z1^,ͫ3LK~d(Gnjc·c bV#T '8%:)A.vv}ZgP=zbV..&n~r\ƻ)§ ܴݭk}꿶y7& '!tܢ>!P792՝>bJܙUoҞj#@#* {r_'y_ax`{% 7>bU@l":`KLʩk<%^&<\ݯXӉfHíJe%ݟv4P1 bk\ <ѯb#bN<) A~?,OM>[5"uEr78 ؇҉ȀK=k@J͠igO$+HNrQ7ؔ_pJi<`"RYb.2>BKj俧Hw{Z[p!|G0hƲ-IXsYWOVȆ6構N+# < 1Y*'%nm|d -dnڠ r-t!ƗFE8!"WJvoivވ-D5G1JK1w~'|!*vH|큉ȭVcsLozWJUUnj=` #y~W}^c@N-*KFeM]C2g/gv) 9gmbkgR{t]2($SgD}kfyLpiK }Xo:T)Kt5j^Ͼ0Iw*,PWz4y-ERs0aͦB?E() #"`BFMM94=5ËA%͆{'1%A Sq.Sb߷ nGZ;u1GWCFMCm r47eLJ!:bY5+Od} hSV n&~5cX=a4 =@?FW&ְBhCSSzN7P;jO]vކϼ>hz5vɹR-_6p?²I'FbP-A%v=#]` Y.@0^{(L2 3 yI$qg6*Mpw`$+* ̙?>l ,Otn1ᢪ?TcNVmLCYL&~|5~ qU#e"fp'lo;OJȖa\y+-!&\sꇃf 0Y~ğ\N3HqT*&zG||$*]X_Aܟ d&(qwL&I2_ 3#cb i]A|u/lN8,vaB%v! O)vߴF?ΧfẂlHSI4a$rcj@~Tm)hG?>@r׍hѠS =O7|Ҏx@/[~Za㔦!n[ z$}PH뽉씙xϙ5Bl}=z[gpٜ*0aQ#2qDQ)Dik_4?ҮXATx;Joڜw}xaau1Zqr>>Y^UG |@(w & Ԥ&~bcu[N5UO oDVN؜ڔ}L0 d|rb8ѯgf緷%zWl:ުWJdֳG*4x)BPd-Gb]fMFd?C#75ٿ`SqE/tNnraҩsy^&&-29)$zAqTZSgETQ@<^#o.A0K6+-xbim9Uivt Jj3H˹R>i89vOMc%J 'q`3|hIR86^z&ZiHT׸4h҇S߻\nh*+ s.| x.[ɮ#kh н:4`Ѐݳ@R`6#wVY]3W|kM%;4gMg2@΁)aF/z@D|{a|G\iEAbD 0Q<ۤC()]@I̦Gf1}K=E!?K M"S)Xu]5iٕ4$U_KxXJfw8QCI0x=O Nc8#RNojvנBc&s0EhTn\/Eۦf!?}"gʆՊAҐgk-LhmG3ne1GV ^K?q[t_iv [s_,ĂhT «^jZ@%=Lg0ZX2*%M}$O6Nw"ovL[}NO@#֠%XAhG5ck7$ !]V=0=V0,٘M}1veGO͇U*N1Z>$@<"ܕVjul`Ry*J !_R RMg2#?䉽Zˌ1~l:ƅS*Mm-UsBN-]CTB` 4\F"{0h3$L: "@U8C Y4nA7.=u0N9q`(prwp}Ǘj&CCoSЮblTtZs42ިA?+7;S62`D+H0PI̤/f)K,'!'ƧOX^D`Z7 lS#_֑p<\BE n3 2OF"4X6tpӁK9̰/bD% yDrtȟCِJFjB;n UO\&Z'S8Pn8Yh|r6L0f Nq?&h~đhv wig_oJRyT:V丞kRUlQO֕>k^: M u79ZPqAdj]OɵRc(ppu;=H?f5yQʟl/-5pBd(x8ޱsŽR'\6 ;]Z Xk5 _ٖ fo7ėZ~p^|`0*zmdEhyN-s?w6t "Zh, eġu~J 厷V,O7;7uܹ@_f Et5q >Z *a0%s?Y,{00Q2ͦXQE5M(x.3Z8'46^}"T29RlӊEw^ [gnuDWJ]Rۨa9L.3_4N"_5-sG9)3 L0܁ .Wy~7Qt" `R!Ls rE~UAk8 Xt "GHQwE!?S#XJUW:r c]LkH5#jkGL 7S-(B^ `#{z,6́>HzFTVmE98R+1=kb]߆ ,:7~ l'uPJ_jF)K 4>Vjp͆;9iwKvSK@;1F;LEi& uz)}nJR0̀H ( GID@ROϦNF ?UTgwF00A6|8)"+orh҉/U!x *SC/Rѕc4QU?=5`Z1Ҹw{Mm\hO 
A)Q_$iK>=_PmQ1*Xp>S^acU]%=g:"NBp\ٜPhɥn+6e]h%BV}mX\1`}ِ$80J0Oѽʽ?lsǽ6ϸ b?ǝ:A"zrF!9kL18H&}+1t@SYQ VE_4)^l-I4;[Z%Т׳NWIoӝ-R-FPa)aBh?kNcDO5$[J=zՠ) dX8K& ľJGq4uqHuz"Ulb)yl#A(ٌpd޾am$S-\t O*fcpcQv"Ƀq=ZGXX1Fxo[bOTeZ`&z$@CSfč|A9(eLK$|ҥ@P:=|rP1+2=„I_ d^M+zR HG<_6T}$I}4¢9<}t0ZЀFK+B lx&͒/(J\xӡ&j-,΅$/E^ ukjMˋ4yh𛆳p )U-_( |L=_11'kT.F/Z]z۟K[?:%AM{UЕ U虧1Gcr2 L1A'x}&Yd>,9P0BQ}A <" //99%-5Z7hCnR:e{嶏U鐖p" I0#5M 1 OZ>rϓIaUשs &h`tbS|'Pʸlp\4t.X1Y?ϷVoϿ1â̸uRS?BKUȠ*%ΦBGjVW{=C\rw( D(eW_U=z{pf TC{DykujҒ#?0'-8GdW>B,(HADq iqD,8ƎZ+{?='uV +Č 'bL+k I67P;(~I,A旝[z?B_P;6"asR<ʬ3J|‹ՌΒ%]x^ aTBDbhtr:֩mjj2rzMYZ9%'5nm+\d&< l]GR6<W?mu_yʪNy(`g"TEv*@R-5wZe 3 j!=/HފAL^å#K-E6J!U-rHRkr(|Aɋ.6;oZVBM?E}A%w.}7Aȍһ=`H3j'׳]lvX =m%=:g 8kRR3OUwL;EX;̥ o J ߩx"B.WԊңn[!r*Xl><;[Ò/B5ht].HV-q kh^>ADd: g, 4ZE{zݒ5[lҸCB?:sL1@FIS Q1硻[uANwQ s|w(I0&_E6 f itYmm6R\WN3mB_0ɸWWe@V>L~sU#qubSݎ⸺ird^f 549׉Ň҈ sZ/YIFU 2H}i[lb>4iHn:#BBvVJ7J.WSl*J(c&-oJQ/ ƳG :h quwl@=p(_ B-X{. _R{/br/2z~0^:@T+4jp_?>?J,F nȋ1g kVIW;vjE!h2٨Ȝ.EoSU7[m.]nN趆eQMåӲɯ۞؊7.*xE+JćJ"!45=n`#K,xd! vq u ƈH<' [l:Q^RO8AM֊cFoR&9?2#"vB>`t3-'x4~y@##e sK)@n~YOO]Zko8]VėWbv/>ɌBn,_gvATk?JYͿۧ6(/D,ɪuL WYG8:GXQG76pS ǜPĹykdQ>r Xq1|ٍTu5*`jN9"6<Tq!  SB٣3#~W5N`G@aV~\[˶Er`QOH~!FaR:)Qm)-s(r3g U۰ 9|Pni8To)=?H)_^s`Z!袰b} jt ւ>[Ĥһx5L +%G4U? 
I!FJfH iA.Ci|S&V.+db徒s|@K7i;W%ɗĮЄٺ3XĔ_+5ɲσ?X̑Z}°Y$.+"mujKkH؏ %)N,t$_6zú$qU<fU~)/fZH`7@yPWb ):aU1k {̉olKC4C$% Mx蛷J_DzmHqB G^!Ֆ<.j|`&/<\NՍADb* 㐉zd%wD:mvzSd9@%Aժ}2 Tgqܦs,eEŁ)Yy:bK^bYo2hyĘe]êV*wkqWˠ|=h^!8QJd] }Q,?='/EVvpv/Hj X֖[(W!\@$>oI yud%Qtڏҟߟȴ,FS-D$ 1$; M_`8DYjch@:48=8֯=-xt۽F+T*[ۣ dO^1uM"c+e Qe&3t 61jDm86w2@@2qHIU?<_=;( 3I;ܫpE[#Ej0ykL݇85葔[g9gUvb,).ci"~ǚpR T{Wv#Q ژ?K4c{O(*\ICl8+G@,Y_sdڛ1ܼ-' 8:z\ ,ix F2V FuI,8}gU۽.lo5dE* V 'o`JLyday&pcoV.7'L_fFQv};͓3;f-֚ͧ"A@iV)ӷE( T^/tpʚ$ȀF 6%3--mF .o\kA|2VJޟ"˅B.~{Y_-]Hf޽˽|69ުLJ y/KU\[~EA,q֒OQ8<2E<ωp~/[LkޝD8q2~A/HxlvCQdehc- 9Kc:t5xX_)n X#exE~[\}Nsppb"֞tfMG(sȃ) tip͝vG&5Y,Gǯq8&|?\9DҾ]4>|ܦSBu=Tc8 0+xϲݨ^Q퐙Solam>Ӑ0x7dfވ8V8}ƽ| 7E48@$P0 QM5X0vf=~і1;)qm0ژ%>L R|_+Y"zS_0ihOR34XfOctaH4ZP ]@n 4K-x!k?ˈW_yA#ѦFqM=fgIX*,/I gV\&{ =yE)L@#Y;55oW1 X .StaKy4 /~άyP9”E%N-]wu$[ݺ9?B.{ljD^_܌W,D="/QOyi 6:6QY{hm̎ PʅΫ;8lۀ-(q: と%Pqv&$lyZ ;ˈah#;gOl \ c?2qOG˥ ϸCPńecnpwjG}LA D٘]LZ,%A{ڡ*368=ŝi5b<<# %ELӟqg,l3V ,3ɅẨK+|,A6Pāk wEH:oFaTa,2 wJ d#6_44{C}h~g֐CRwΗS"膵e?}.y 3;2ޭl +CQ+ dG04k)@JQ -)֟ašcy>| Pd\/LS j%\?5p@*p0 jiuA~ßZn9RFsجqc6yJW|thH"o0ik9{O7FL $- gBdeƸ xupBCDTh-,xYJv\cY",ed~E_\<\ě~퐷 /7tAu-QݚV"Ҫ6&_-lO{y܆Dx͝˽/wy$?F8$Ijd _#'C-"Uڼ(KTD )Dkl@wk0s 1CFg=~=t~|AC/M/VUI%_ DáS 251Yknd}bk0"?]9 u{Q:?zn\lĪp Th#-J1s'"띣|r]:@Xa~Y{H/9Cķxl3esNg?*c(%Bb27ϲ^I|w#m'l`dd gkyQ bߓ!~D5*YG"DOW-s%}#]Txv*GGt]͝3PM} ~; ?t[PhI֭.P"U{#F^Jp[D5BR|.>P I^koR="+ e2r@U(ӊ=̃w1rI-MGXȰY{s&b[o &=PHg"c n:ug􁲀 ~ ߮%}6CUHuOY\&J&pb.%'z/oDOǎW\:S˩/.JiuhJ q-oLKZG Júj_A<gOs[`I*$ n ,FgG/w?HRR7<ʹr>ry-Klx1~Y8j-!;Z<|x5^tb[ABJwSL#Px&hAAjJ!NJ2!~Tl>, ].0Akwk3 uTU \cp&uc@ͪ>}X!u1\XwkaBo'M6gԌP[2t/ALLP-L3Uצ]qT^ ÍvnIp-ԚLZ}8Bj)Eڃ!3\V׵+p9v&+Xyf8p9v e(5?9Q5Zˍ4@XN*zQvi]:Q87*VKo?QZΈLMpESt|ՃZHj0CgqiW3 ` W.LϚ, ܭ?kP½6pm sY ѪF#<;Q|o(li9My<>Y.zD|1'Q#y#5| 0H9>7I2@*3p>NY>b\!B/xϋ nu$kdݏkGk:Č7 GFKzK8('T-O ˜4 sHumZ9`=!J}-Y!_z>EZ2Eyl osG\Jܞߐ93 q*եw`3VX ʤݍK6[Ձ_7 9ǜuEW 8cЬNT)^.zBFL t^\/Sql .Fյ4cۯdUXLUe8aʥ!\)` _(ZZg/ưv-&ﲒEX>ɿkRZ N-<(#9?Kvo+aS_VCt}_i*F hD0tj^~sQc}7y-8KG?ueR\:C}ieNASHVYWZPg U3B.!{%2W|6r-mj`HY2s$=r_vn7\o"<1E9Kra ^U q/s,.#gJ8[YЦ,6 
!>A=?W[,vh{z&nw_^,o^;46 [ȓ4L,px3D0p"9|zsFZ1σOD#,{ 8Í<6te;`><azۅ?)ƺP8x9>,ddhr1:&G c@f( w#*! 4/ͅvf`C$K"hY%P@hrF bK%a6ou 2#m^wt!UxcB w;,PALLE `lڂ \mwI˂  M܊٤+r ;|D0T]UYv]O3;$FjR4w/v_h8݈BK-sjpFU5+lv[zÅ\Xች҉ L79QhpLvh&1aypA(u+."=)+bI63m!ޣ#`F3lm6RFوJ!zWBIr+L§r>ҝ6o X5P&7CMhvG_Ƴ3=\8\=reo'=ğ-kkCyq-[:jn TiqDʑc}zf#qKk fKFyFC nNͰ셳YFqIN12e~꼎gRngrXo_ 'R%»|Lu&'Ad^ UpQ2) jn<̷RCE~5~Nd[ Auw?4Qc,i#~J[ȋ3cUvԢP -/ZH[.֋"MP!ׯ}s~:At$+ݧtx)HjBlBK_sqUmHҚruZW:eDԉʤlr1ۖ1RA.moVȗ'awZǸ, v(l #;u/HaeJ ?~1ɳdgKŪAbB6 =g"~Z+yGiCbn㮁z-Pp@zKw&>wkMqCP99#o+ ΀I֣-QȈABO*AjeB1mώpdKJp\tYTAvy1yn4*T+1]+'xNpDn} FI((C倀P"~&螣ձ,c\yyT5yhbBHL -xKwuĞ`_Ntݠ#'rZ߭(E~5hfH7sd~|dZ/Li,I'܇;"dE7t@//s,A tgA+hq{#jel{-twxt<ƱƼjM\)p]:6sr:;GXSJ ]\GOYh 7 k} )ڴ _(^-ij]3WPKEh 0Fc|;Z#gE\T,% lV؋1 2p\7;HyZ f= fzc)'崱4}5n 7k,iP-QDq~*0."&di+Zb#~xVbyf%0h;,+]KyZ4Ĺ̶ũe=jW:&^:S-k컛{~ ۯQ_A?L=Z|%\(GHƮs^! Lj!mS GYx¡bQpU\'ʳjfOr<>VJ~ |S|P"9v3wT:92t$-p"W^LQ  ѵ(=$G7sK=lsK)QMGdLcBMU 3!Z#F'qkr遻WjBl ~ddߘ6UKu#0r62G ~g묨ܘR~Ŷw&%i/rZl)*Tk|z@+[&h>\!?oWVH9vnn{C"Y:h"(J{iMJ 8ER8$cѯpYpD% zCe0ՠ`5+kي0Y(*6ʼn&o;"qX廭3>Hކ/.rU Mm,%Q逫89-zo>mqoGf셦1WX0j.tA O#%u*w=_uk]`'UN]])B{R~zW-y"nEq i` VxK'\|&mK<%Ռ1J:GݵU1fN6*s7@O.Z鉥䭃 Ċ1 n)AxP)T,sN" "T0P=bzlBObƱ5}oP)mށb2|,ʆ>Yѣ}۽b˾"tL)^@"Zz 3U?"#fC \YV_.I$SЉbnU 2  WK;8:],|]}Ę7m]t]ҋ$ C5Awr`Ö[unPyDclD]}=[ӄ l9?Ụ{Y +N0ZDK01W <]$ɣsSquoAI̺Y'8,sk$$VP.FYf^>J 'l2*9WȯT$B*.]yh+{\Ϲ0WdS#Lk8 KT|>mG]VL>~n%Mo"8@SZѺ4 0\9KBIM8@F |-{`="媸0pb䝇ĀB<޴lDxCQ0CXMcl]:ڣmLj="~"3@#xQw)jSNϢ{H;pu bw{7]pNҟ1x=!?ߙCF nr6o>눘'26%NcL`֏z. GP+Xy Es+uV[ kO_C7W%W/6ru= XMa2=I|<%-I6#evA&`Fꤨa3!(f,b޵Mg9`Ԣfe乎~9 {5yeD4b"icI~<ΕBDf[r>4$3kr'[yb;gя|t]Dk"%H2J 5Mһ,uD?96p/u gw;;3bEV\Ci>zl6Yr-;%1lƿB p(ecɽ(&/x#rIFQdx&)lR ;n$ޕLS$5ɓRuCnL`"&X,AxL ml?\ Ž? 
n6Ftj.(.KOn Tsun+iyB캌Qffi =xq7>cijLbf M-O6B ^*Ew:6&Ũfk)(ah$5 FQY`-};{L&l:jO,fGLܚ,.\/; so dx;ȵxw_1vߚKn.54oT#lP0~~t13à>aLW&WRFKӲɇ8x0A޷ΛYz\)baz?qGT>8I)Xb0Jޑa E~0uq$S<?[ܲ\݄A0 3:SqT.1`x-5M!<ЄKFtm"msH R8\ɝmu`$ ƇL Dg%1 ǥeɤeKY]}@;9@ahY_k=Q(i1 e=>=i Y'Ug!QBunC-0TSrxLP &0" |DE&/ь拽TWKZwx$k8 a[>gVn7 iUB9vNh`AAhÐGh>@!}Rk6U;])߃kIJOᵻ)RŬ':`N՜HA(Džq貖puy *SdQ\R]4_%qfĆ g?)ݟ#صţug:vO"6CUx-sG^-u dLٕ4H28K+]< ́d?!|`:h.A)0.UH`#'mOIXe|De;cB Xs`}?B25 Zxi@EW{ao˾|3c< cu> OJ/ܿQo'6]?:u LVhWo v~3P]7^1ňI2ZiȜy-6KlYtV Q9Od/T)p o&6  rBXމ)A\W%}C) (e1Az#㩝e*`}͚-hUg^&vfNBV{ ^S.m.5ܷ`}L$5t CuW1!p‘Z}?0w/()i#\ RR1Wu/T%7+5gx>aZ8]<d:cc ؤACj0! rì$/Cqab}`k:'Nld~)/z-*>2-֟@>#iCtJ ; IIR.Qv$^9R%/ZmP A&Zp`9ӱ8b )+wgp%zhC1M0vP5J7_+T+83FmYj"2_<@[\A$HD7 k֞Q/}=3+=ّ"Q>|Pƭ單E%l%b.lߘ/ 5%C\,gBzWb9ݹdݳ{Åې#ԚFYM(4E DFS8 X|YWH |q[H-B5GɼI?O"QH]CZGρ-vJ:mUpWv2-gdIW ӰX)Pyeu6הQXbɚԨ_GD*L,'꘾JQ5o:F@$_hXϭ1jD{0{rd/N&'ѶDXߏBc  IԵw >ڷmCe  CGIiFHPS֥ "]>Hem7NZ)k-6x9_p>:M)p!麚h a!%6;È聭|6%LW u:#hU{wgʆť+X =ݦz`>㡵{]2 X([b|5{)*x꼥2(th/9Mv>(Vm/Ѩ.נЧYoX,Qxyg43P@ZOaD䷖`"r_&J'.3y Sko-]̙56^<ߧI !DpᙃMw&F[U[]۠1]bQU 6Ε_&ّ YEqQ*5PecfֿZ#bêõ@|Ht:i n@>4t(;!:v=pA[g(sKl%6F2/ktu}+ c&1%Dg~c]iHtmwSIYڠxȎiqjVb@" +9~| `t QH]ΰvĚN&bt}~w9gٻ[$iB+c Ib.lR?B㡾>$c#%Ѝ7鍲RjewgN}<1~%?# %ߩ뭏\s(/B f ڸvD5 hH_taV;(^Nr!\#EC'`b42(7aĸ!6q+Uʳ d dpIA`ː8$~w. 㦈c)ot]~ Kv0qvLЃ~ѡ q-=ցv O9]ʃS9sƖvU)U׉6ߗ|=]E?G-9!Tv`VK,$Ra=&(#s;Ae>lIYmNERvs}gý[N`y|%ˮ0/I1@lf!E _P }垣 se x[ O:3/bn P?޻&Z('o &^o;0K0Mz9q$,AC6[Ja%g{L#JDKƶ^?#'*q/8n2HٺB)h27Lo[;?^1Q]턵fDE 6NN! oKjkP͇0ʖW&힇 ѕ^AٛF`A. 
i 4&Q)ja]p2ârt Ik"t'ǘGd0SbH~p.Jg.i$@!@ʤA#G]*  8nV^FDHΙfPGdcUIW4tFOtQuB 87<1(BݐR^(E-oYS9*-*t}YSwHQazo5뮪~*х8AHRT3z+!n'4-|*ٱ$k@!P7g&;!N [9Qi B/I.zy.l}z,d%>kO+C0@qX+.NzƮwT|]kɽ·?nZ8h67&H4*ش$m2"#C=g{*jY/Muw#osŖV Xg:P{x=xEth2ĕ#;"b}D't\b~f`Mv7Y^LFLSP,ym9'3#nu2o.)x)x VWd G:f.ZSW4O蛻6l1Y ~mTkI߱.,]/=$)s_L8^CZk\/o"ɄytFYUI;kzr{3(|QkKTy_+vVpwCW6}0ubO_N&B 0l)U"($^ }8cpteLN!|sViItKFˢ.-}g嚐R>sMM/V|V~ /HA\ ё#3lNp3(fiB+BMNW5`fMYWԏ2Bua]]#M2jJߚZ뾀Ի@$ʼn nZH{Qٛ] h5o,Cl _">BbtJa|7}|܅A,SLo<M=xY1.e_qKN=~ֹ{#dJ|]ƀ@B'![z57́!j˛h;bSiJmp֥!ۭMdh< Lj!-`Snfcnjp#6 \!M֏$Ɣbv4n'p7`YI9_"wEa3Dq]țR"Xop YBQIMp(P(m"GB^K*G=bbѨZ9`wGU&̒[Y+#;IȒL#8Whs o/Le5!Ac2R߻K`c*hӃ= /)w}7K#48"KX}6,[,YI<֘{ @m`>"#:>~o#kms®u ΢ >]pCl3us<ВqC۹ᔵwZE"JVl,DfekHBJM=qay{/A@Pnl{QV:bw?k FՑ@^ёNABlXV+dǓ3#tYIHޜg!3!ezŬ`x8?snvۚ?@Qtn Q0d' XRy?fͮiΈnBfq0HÇ阍wSUO[la3ؽI劜TŘl?@fzߚ[hݑ7Ek6ϲ~VMըz{|Med>A{Zab!}CøD 7KK rUsLݐ+j'3XoQVcV^%_[~mՔ)q2n@ˎ$LzO@>[QbzkfQn^QX˷@< vfSѾy#a U8;|1X29*eҺmߚpC5+é.VKg5Xjrzn{xHM^SmA ҫT/ˋM$b۴b ,{<`B0ecrhO;2[j\^i-<u[PVڟ5Yy ~ T>tA )Z*Vw_Ip<&'{DɊs@<,9,3}}FOu71|xn-4^VFO Y nu O?e7%z3:½O)O1jХ2/vAE׏M0%B%Ql3RB0 ?l'OlM5otiU-sag9EO_x>XJ"-T[E.pi;=,~% 8Q#n/!U ۟)p)ffմT2|xS$z *q.ȝ1md=vg!m6Iy lˮ 0fc>,|άóۨҨBwOQ@2[ 4Y5t`f+weMt˵Iɼ ,e FJ\@[<"r\W=u0H<'kW_C8D#E5\u߭3,76)5:'Cg!`d+U[ȭ.փij,+J>c+MoBG*&?a1ߒ.ARJOVUk |,+tO v[v5p6vbwjV aYõG>|' -%!Aׇ䷈NԿYgn*}jɜ2yh/4nźwnC} 78R NWO \6)B[`ԍެUlLY8 kxGzhkgʚ .EWϠ=H[!) NVFw6]e-\MѡR%KUSB@xT!7":͞L>O:DHY ,)/vs; Dm<+о+`#YI7yHm}L_s\ƏjZ0` 3.Dx!ƷCd>*1)IwS: u$7wNFxagx\OzK@wz=]GTp#Y &q:<T\Ƥ:,+Z혂jXP=%Z= qGA9PvoK5cD-"'FÑck~`u/V{JōvtA!9m! 
?IJ9Z AіB#&b^~r5v]㿠KaZ3 1q:'J= FPqK \iU aaj,$A;|)R0IN#ucwހYIPz".kLjiwh#Nkq~ta:>6=aa ṑ;$nB$򺟞dE*y#N#Gbf2:VX9o2H>̋nQ%ru:H9` ]LJ?-fYTN")rx҉KΟDMGJ (A37$ʺJ 'A6k"oB,e<$$.PWy$#6` zL eTӆFn古51cx4x7nJJ< Wg⑚qV[ok E52m%K*A( Z%we 鱍 q6SFA/-f̀ERmTj+%`'ͭ"{ȥ:Hb 笋P&8- ]Ճdn{K]si$/Zlj4[F~Y<޿+-dVVFsq|ڄy /CA$z4k])l&@#uvAtu83(4A)|MOu#X+oe,_^cXϤ0"GhKG7)~x[Ǚ8~@_ S}M8Ij+(mqb ԏZ#ձamַ9ˎ(Qefpq5mvFt(&;Dǫu)L$%gDiUbIܭvI`hp8W^6mz~m1M.?Fp t W2K˩_<僚`-M<:j^SYggLDꇛ˵ݭ]JaT2)z>]3,;pDRNcL:`a"V :h 'FƿK\MƸHf@Of+`9M À /@MB2L6~3# aNPz J й`ˮHԃ3'4 5~x;_ Aj0yĵ@Rmki!CK#<}5)*kNAr3J8q9_ڎ _Y-#ww+#J`gY2"Je ?rkBDm-5 擇t< 1kտ ^f%X[G&3'2,+-xCkk跳4Lf>9n 9xqloJZ'Lk$_|jdzR,vOX~a#|WEHE/f8J֗Vm-dVl5OZ@Gvj *> l^PmAFO. j<i)&-rJ,7RJ\p!NZ3KEcQGooroZy;:/XYЗm@rg6f{\ƌ 7jR'oѠ!A8Ad6<)[&/ArU=WUlT3ZyvmAm #2~ɋ ‹Z{Vl\vк'DoP3ȪrGqW\r+ oWmdVPޠm/R @ SG@FpPTiS_;x4`ڬڃP0rVUCUcbX^@5݄%GHtHl#zKШG";dm҇j7 4ù=*i*_ee%i`mkIFAd=f*H.%>[։δze4RCyTyT;d>IM@0sCܞ /`ś}$zoj$zb#2} jFׅ?X$Vdz\^dN'<R" rI]9gmJ E&@cwt;iIU:fSb!ѤP㹋V4Fw6`yn_suCH(fZAUY5q\ ٢<\믗$kDZUM)X$AWQU)R7~dij;讧b[5#)wT.[#Û}!EfZL8 {[fuq|d[ w!#r)R>Wnr?Ԑ|C*P>gн ˩EB @“mkh[2fYXabz<3?P'9J__u">;%Zjj\u3O n}x=~H:m, e}GE\\Tzy=.x\JXrFMJE;gD%"HS` QQR97WyQ# r7 xol@y@!\_s}J^ۅ▕v11bf޼]1b{(;e: pҭ;3|{@@G@#NWzNE mr C:&jD\/%Xݾ)P Z~Πw|?g'NW NFy-e|~ zS$F8橒N{wNl8aMTI( 7GwKנ ׮e-u 4S=N[v?Dvxhi_RPS* pqn!O\~Nv*8&&q( XR::\GNHJr7pn+Y60(!CkOn/ua!ɋ`&g{Q4hZ2L?8\9A"BR$D-u Ϫ&)_ׇg!x ? 
τK)w̐N<I']Y0:=Q,ݳ@X5 !@/;xVDnU1ͲoD'F%A0*) {h{ύ@1?|:xYIb8f1_eGyώw ,z5 3ւ5=ฅyD \F]tfݢeƛ9Oep?"?piMCc6xc8Nqh[L7z c֝BfL `F[7~QJ1SzV|DH˯)G,"Q/-YF%P`hdUTV59МULH^E @!nKH%f܇q߰_tsawb73.zim?.t=Xa|@Ҕ6 7RP !1B->8C'km۫78qw.xTjx5ACqEcud4ˋt4FI>I/o-Ǐ&LAN '' ]\DLI}ŖZ:I`1;KX`eWg #[LiFW.KNQ]obepgqpO(Ŀvgj]1g#סiVTqfuPBQ:iJnbౙgZ0K\t#e gNmƗab0jskSjS?2*/辶^CRwj-#+Q# $I DEE>?u<-JeAf^hc"X<|sx8ܬ'+f8Q5/1,i6:  p}U~"|aTˆFTsmkU.Ȕ _Af~-9'#KX?Ҫ\8./ɢW$C3XjjӾ.Vd01ux~#dw{oU^8.wt9Om[ʔcݲ%(]vt JP0iLJ_L΋^X򠯅 3|g <.*́WX»D1_Ǵ )}P9ս ^*'`7 ộcrzls V|o 8E&ufsD-t?oa/US8|Z/ԤML0zuLnr/yDi΅뮸6PՇ(e-y* 7wZl=H%ˊ{prrI ;WKk}Aڽ'<;t/t|TƆ=0GZo>M}=&MuVq7UC pTftU/?„eWMv˸ pp~FSQBm~B@+4Aߙ**^ɓGӬ38fBdVoWD>rUס;ɚ*ÉFZߵ &HSu`9M 7"}GflSîS1$f\Ui, `_j[p҈ {7.:$kSRcttmCh3[ 46J@Z7N̘q]Qޖ~'OG~m"_",+l.C6p; 3n!'`k3BJ[2wqa σH)³&<SJr]"}m@5 wf)U0 :yb"aSguR!{7GaJ ҆A A2Bƙג%jkSj?es*z}wa+n@M~f]eDn"H؂|-'ћ>Ų?p};A8,jgIۉ鸿Xn;0EOko,_~mq|Ge ɗb {90 dIVjeZsekϔDl jDx*EtYMB srm뢆gYM"BI
(%OFs YLN0WjmE2kǐ&[:W1IrIֈ?`X/_>ꔿ%X4x`:b-$RhcՃ!:J1!eFT E1IGrBQ`"6Q15,: o}AJd֦v|d-6%4ϲ8S5Ӌ] i2gZKVJHzD G{3ҧ Q:h-?Bk(7v6h:zk0<#`hOx% @\-vtG<#l S`Y?% մxRV,m6wmJQlxl9hsѤ3Ź xfOВ1kJG5иD2;ſo#|Xɿq'ϟe ͘>mXH{x@R9{Q.{,D!޳\'ekKPbt$Ե{"So& EZ"Ċ{ 9c\ /}@akcF_w^c'9o)* 5ۚp%S8([3+Av RjQ/s-IĮXrq"~~ߖ& ~hy[~I1탯^\8Ҫǩ 9Z;r'w5d9uLrPj#klC&2<<pC(;ɦNC'Hd{A$wGV_"pxLxO\bi>$~pbsebQ xQZqA'(ZgM_<)P;fG,g o圤<7*FD]ofz[?HِX:Zѯ|As*`z.J9poxZ'3x9!q[6o/u0.qɹcҦ4Ӑx.ݿu7J+Z^d,jl{%?0bE2'>I28ӯ8ɊdRPy:?n|sk^DPѹ.&A''0|7eqpM2!_$V/5:9zB /YΠ"բi^A+у^<)]  GbzGB0 "47"1r`Vtѥ+4L5KeXbY}Za7S)k 2> BFaA&:EM]. ^CU&8ޮwSe5QgG}(Y X?ю!BL.+ c.%hス8,`<'S sYJ"ufy_xvʢlߜ' n戉{itVLo{NfAoPh~ K0u&I֓ntv,xF[RI򶷝}х]ߦu{gEӱl:OJh vSLTC߿NBɋ࿺;gVLm OhjC#g~Fo5w1A#m5pO wM 1fa*K~&Op2$ϵ'yJ<8SO;0O+X.kqI{&b43_Tflz\P!&X@^׍}lloF8J,5FJnBFifR^'zX)d QMSȰ#۹y|F v"_Bv Ap@y9 E,δ/ r@1}%aDH1._V88)p/Jfw>[eHAtQ3p4jD6ub>`UZQA* N8t|(fېoJw: )Xmk$7ypa/NnC BĶ@t1 eKJ}yoHӡzmq4(% "_#:nmtjA߾-%dSӻ`>C:iE~Pe! sz9~͐)f`%/ ''%"'/zVTInQdpq[wTr7[آlڀ*J`ږ)4Ö6d41U`2B x U Ae뭝4Fi7#vqo^?q'Z0Tۅ`=l^9 r]; )&ަ 5ӯvSkVUT+60 }S]}E:8|sGo=D^^OS)N2l )u\+)G*KL2\&%Ŕ~MY{Tm[)t4Ve9(ќ!Ld׭D^!N}/tdYB 'B6Ƒ†,%yd00J_gu"'1E>/~Mq J .<A<+Ys_iv]$6+\0{ dR_WK0Ew>% UG2"ftf@^0:j &<~+]9.pT6w;P NtPcƸq`uԅ:z rLS/N,;P%fXAƧUi ?#Wlaر:aR,˜|ȡ7%L⑐ v/ދ!):c5 J ly ZiJF7S;Jkl={&9nOJ'il‚\ݨt~ڴ;Tlđ |}8LvwOODҿP՝W_e l>'μGw)sW*+6lʙX6GԱ' k *e].(slQH/81q i8km[|?ݒuvP+E|+~Z%eYImռ2qUq:"_׭P1=$ lByc.ևMDh8a+|8M$f{H8>1>7(qj?kV-ԃ_x9JవI)vE:܂`'Se׼ ~ͨgjuwx?! f, '%}x/}F߽ӈ<5ccu_(@CM.9 7\e ϩ0)w]oۭ" u c8`ev164Zx#x_Kk:_+as6'ZR:\o4 ]G1?- @ףǟedmrR~+/=k6KV򶲢/NՄ>o,f=E見/2I:q+2뚼Lm[xU@yfPi7`?mv0S,? 
Ȍ J(6ctfK9XcQ<(Os^箬n~\.dMj3esIN["[#T~$F\d0CX8_3p+"Мvs}M;s ۚ[6)0]}Gc%J$\dg0eցWƤ۟)M4d$a~xehq03q+d N6=/Z*٘ZBEm=gDےM^b'AT(?0P~١g=a׬~fΠ431q՘tazCœ rydWmK֘hkc~54ŋXX%;xgaep&P#R1|/*u<ř4?;^](ncHb|΍2P t?ZƷ =YQ&uhFʜ'xYua`')Ԭ^kt9 Ah!PϹ:xg:§5ٹfD) A$PՉ/'$:&5驉qPd5hoԣyB{[p; ȤPLu yFNۄ=;//r" sZr% qNH{8 tmx{(M6g^ R%ES}凮/IV((NRTuJv'CBsĐ);jVlGeD!72s<5î!\Sp)DDP *]C%քi݋H?!.}M |@mAP YLt+!xgll"Fdݝ74b b OXY8وN^7o,+b^?Հ\Y2KHY[kAv\$/"o8mx$8дb|7Gd I@8fZڤ2Ȭȗ"`6*^|zoǠKTDT Xc2UH9Sm0R>]ŋ@%3Wr~!ȕKeb9Z/FC0gY9G&[D zIXhUl4ι~/,#H ;Unn"sq8XFއh8: >a Oi"KJw=P] |lXsCt C+!< y~t9>3اp3M@@Cdj!$^_t'[B;WO :5[R!`b[sc 45ru C+r&y vM1KgC ,L,h[_{`ο)B8,OQ╭"/G 6GT7rFu1z>V&+wMp\S"LaN=Q) (NHJ'5Wu_D CYP)iEҍ# brlp?B"MPAEQ@`;d]r=m]9YۣM~@h }˷=)r>61$2S^@UjNJ/10 O5v"¹384ʐ 4_Usu:G 4Ê2%>>K'Fb.ƩaLASوmq:G5jUHכ\Ro(P㾅iG1y&r|bj"+ Rϛ6&#qRUP6hZ?caSM`_0h6}(|5'^~9&lͱ߼}Oq}eHjVv'*DAl\aNh*[ XH-K$r<1Ĉȓlz(fwD?e ;X d)ѓڧlYڑx*W~ǎiC#v' f ~²B'RT`yD.cY܂~2xCkg}mn[Gx>c^yvNyO O$_$HTMh|yW!ۚvX]dIS5_'ݙEk&s!HU%KT3ϧ]D8WzB P-u NI0h&wOeyo<B<(rc=6; *r >/Jқ K˃1/^bn%X")~Z?b"xz q\8=E3`tNY QXx$Թ[,Mp0xXdŬ_-OF#,jM/l6'kXOEO!V`ϝK ]THFƢpF7p㦢60fQwF~!M ӗтK^=9QC(\ Q,Ggf .vɌ9gR3=-!odCMuW/!P+H=(? Wx#*Gf*{"ZG2rRq}DsYhF N̫g]p_n;-ʏ+*q?Bqh/T7F,w^ |wSBxf2 Y0U@W0e;/}%A^Hd×VK7xή@^ܖ8I#oJG {K:cV)d]mD&+cf=9Sl|KPך>'70yD S8ze٭E'"\XicS\)kv}5Ǵm|o Ǧ_s>'1 L;C; jvmMP֮ے'Kmg|b^ф=xebO[lY` 5'R55nLQ4d: :xV@S1p i=}+]\q %[{7VrYrw-j:f!tuLm~ge\q ]CUuhnRg/P^lU]<BKRCY1mI| 9MwTnPmA_뭋.7x'ٕOjt\][|Fʖ7#}ohvً_ݱڣlH#;*Co{WfcȎb+_^y~Yy~L3>4mr} 'zPY2՜} -͢b(fg.oE]nrl! ^yz"Wؿ^ΛY_kj'.MHf .жzhaNUWChcr4.H,UVhKv߬*+? rAIz?4SA rV xu^Wo^הUT#y 29:?$o? 
M]v@U!!☘ԝ Ѡ񵼲Y> FD}J Bfh{qD3VU?y űoc<:;|n.{)KfnM9&XDZ I O<[eMň镔wmbFgGFm4Wa?@B1&_A̞B3@%DHGV^9)'ސ*ULLCW^U${_c?K#~rԅı&Ƌ(P{Ţ!f6à7Z}@ 4hܸv(I`niSUkiy$0Ƅ-Cz@MOfKA;cSXϒļq] $m <=&NNFq9Ptp-$ n/};r| OzA bJCE+UxrGvB)Զ $RD_)u';gcݘr O`;3GSJ$`ܚZ%C =ޢyQI6)iݺM:9B}ʹ0 O B0j]E$;NOmK΃-9 Q #ը)4$]2[ȹ.u-_J/9fJ.I4:\{,HtRĩZXdffuFÈmQ{N[۷ioDݬk*]7}]3gƦ"#!Սna]m\g" 6sABy!!έFo+mR,.1 mĶ5lX|'fsaD0S0 `@7/6-%'g!NO$ a)@',ws?C1y%>MxC%^KBvQ 3bxza5uiv#%]1 Ǽ^̻A1ne4H߇-o[1 2ɑ?MT B#!:Hq"s Z>z2tz*K7 s C{ЯSUB%܉MGpȜkJ>o4|fJZb ɬѹ]̣YnrڟF<^,QԞw%,n꿂Rw0 0_r" Q܅,HqA$ ڼ컡SIpml4*ZXvD9d<1P..vP:I1kJej!YGr&"5ϐE}V)%F0Ax3J٘L6b$;iѽ/_88: '##9Eq'J̝ќU ڠim*Yp僦 F{i%vYͅNhk"N9UQwneFsO*}aMJ u}v2ˀn8M S{5R4x^5 ݉Ӈ__WK8U/^ ]ljet F﷓)(n(@ +3.^y]O46Ie9Tg;[FuoUk o\!oc/Nd=|2$c7l(rT߇7k;SRZa^Xgιcw!r`)%^_\FՈ)^qlOѺ ]a}l't|(2{Ō{>ɐ&8m"}l:6gbeD Eg8k%ߵ۞fM$Agݴ$WohюtivxYΨ, ?s!-;]!S֎O`RTshf5G=^4͛O\}BZH %I#(cUpa }_k5Ӡnej#YUMnդe+sL\*{u1LU4gЦ>c}Lk\E\SX>!WjF/}@v{ʻ-  ) eEڌɣ%~g^k,$زbB%~]Df^noTj]ۮ8ͦ, 4x&~j=#oҎ ]ƭ,(,.0_i^_QFh5^댫B pgrJH̒w[SLxMF<06]W hLiTX|PN s=ex}'7lsnbmT(Q)F1KӼ5Xv1 B*M?cn]75$FZW?0kD8 c]FZ!mVvU4.igc )--2& ~Zש/Uz&Hv  /_;x1^VABI}I&+ ZSd' ' c5'&p #'qp9R:Ne kH̔-[0b rf )Ĉ:OZBv:Tf?^#5$a2-rCc]8He5spy@ %OƳ-|7)%[kq%(:yzc: Q^Т {]K܊\ c;fm)/rt`Og&]cۇ[ahNPm>]nU=mrvi2_m01[Rg߳GJP6^IBrRU@"'g: jvmߚҲ9$o)0B8>R׮9+11%tKa/ةnHߎ|7ZE/A"A6,W` aH5h$6BT]/g6Yոvs5MӟKSS cQ (bFK-e&+Y] 7֧|!3cY92iD -W29kEA>Y:6b86& ;)~Z;R1[* |ZqdݫZ[,'}bYJ/OAdC({}^-i4Q/ ^x7I--x 4Ox=F9G0 />2AikI|%m_6YYOn}87̛r+$uӣ`L >ֽ,(v?Ѧi+񌴻pXJه);o 1(0"Ȏ-#SqҋMsۋaσẀb!rr`N8(iŸV9KVzA݈ RQGߐgi<7m5QKcjGD*R!aHH !*CC[Օ9`Ua(T/_V%5/$[@17_s rmLwKn!pGAekơ>}QW#AcA#p<3kYܳecgpա_hIgώϥ.UjZ)I\9:HEC9@3=Z,bi%v'ǁ|&ZHEB4hf}9U Ge ͽM:p:KaGX~ 9ru,\pX' $gf 7{vDiaN{%YkfX6Xۄ^j@ە\Yְڟ!Xlev:?*Tbaf3h<+nj^P[˴$_+꠹Vhaua 8, Df&A|3_{}eJյRpn9Y(츬ӥKKzD] j8o@՛jfzP85d6ŗO*rApF?_$J/8 1Vu"K5E_JOܳ3D;KrdUZ8_Vx6m yuą?0͘__>Q{o",7ރ]S4.@ְjtȇR^V08~;C]u>;we'pK\]Neݬ&G'Ӭi :9c*d4}^0D5 Zԫ U4Ne&hRL 9MҜ=2H}&D@ObٱifBf((U6zo;OwZ~a{9v-|Es쐮WU7`ܹ,*fuE;@sGԨʯvw>PGuRbSg Oe}8c%͚_6X{u(MSwa9ɀsS;|vbw -^}AAc ^D1xf;OسBCr{?j(hFuO(,8aCltNXaG>.hk?f@1Z _+z˩8 *)ؗ58Zӓ?jDaQi@BJ C Ƈ/hc\aJa]O΢ 
>Q|S(1T'b+y]٥C S]zjy; n͒,K|$m v,Pcnlwo1D*:{`&M 0 Y78i]eŦ)~{ [2ͳ@n {s-1̶8-S u_e]s̶ߢ #ɡ1*o>m/Anh> !gPyD]I._ecWS\>fuWQ_ NBwnXjC%޽Ti2@xQwhC8ܛD)8|KI=[!!@ߘ@U̼uH"-!M.ҒDn'Ib_-:*BS@u-^ L (("+vdCv5S2J\x}4C:>Cˌ4WE(X(/n-0?L}H@_cDEuYG,l.55FGQ,mD&=2sPvO4go{܈$̐0%\Sf[~W -fqF$Nh&R?|~ܳR,׎88@6|7l\' "s>Wޗe}"?Wyh,]O&dB(^򩧱 v/) ɄF7YO |1ШqF|Ǽx07blndʃꉰioh˱8. ]W)9zpA]lԿK㬹T*`NY$Vda>(Sj~~ T-q3ijj* ׈Fr/|@n O-zMuJZ!8m8Q>j!gVnĹp1^ݱ߈Tn4g_.<Cn8N<#GW:4@T%VRQ7*-SƋ(8~cߏYLwI$Y=CNۑkP͡ҕ{RtQ5n{5|Ym^mD5b}lDBMZ!U_qocV=wL>@oݯeUBLB5q)wvJu$3r3 (SY?xv.3EcoXP sVAk_Ug|$v2ȳh/dr[Jz1XP$_]t$]A~I~jUop=lF$_-z,P KK1K2Z_"͇%Ґ9AYJv (ֵ nf}"ş6;{I>174M:oWȮ3O ϟ=KC?ñ.—Xvql/o^Ƙz0d쐎H6轢?=~,:;+x3wI?^qӇۂai0bÙ 28@FA*) g(eh֫W؅,z, #f .ЄKEGÖ X$&OImIC<^a- ^Ό/ =VqKYY;Ŝ˔hY,J"lrVQ %mI~@,kE]SRI )Z>.$qci8(p4,~YG릯:o;7zLnoR6&c'[}i /bN^1|18+&,AIR^[y!`i/-0/Nft{*،Gu\,۴|xZwXQnӝ}2iJ>- r"\~sH 4jM 9uKїV X fo U-(F,EQj_zĉW>;o0Nכ>)bQ&96Ӱed+-| |2 GVq'1W}k~P 6$e.<ǺQ|"j\C&PE3̕'Ks.E<~jՔ ; [áN U 嗥;ៀ]"(tYisRьLp߳+kT/>" _Eҗ5/N}O-.IE;ULt(Om'&t:*s\C{`M2 5}Re_~N$)3xOi6 N"uJ>HH3CoD\1N; .nJ yFW詑U;Y٨ŒlR!pאV7*=tW5hf$ eYrs.=/56plP>NV-=I'Aƹ|ϑ"kT[G ,^\g %PZ{"#߿?D ]5M ~ZpP;AT?>Վ072V9ڰҾ&4; wG.5͑tsEsye{-*yi[H"(tjG^ j"Nl:p.s EKD*߸eٌϫB r 4h$!zSGnwqbd{W@uydU*@PS;yEM{R)8|è}#,]ߦG؆cpj|ŊӰx]?!$s|>L}^2)  7uGn.Kt͓t@OC+c(1Ie,- 1ګCH*9y8(v*ljj31ms4,`"͜H5P#,o+Lj陾1 -2 Kp|Ct6*5"Y* #'l'3tM9\#sEClUq@ 6!0|<3 _m4`v,9>s]MzՁ4o4һs^a09M_pRɹ Xh|>mi9vv9g,MYlG1t*cZB |ILVf2Y}5WxJ]*g9j:hd:4}[c(}ƶ?;\ t&GRȰ#$=3Ōqt:aCrZyGP<ӑYS ?icrlUZVF:o!g<޼z%ײe%A._428cc+J6'\Vcdﺞ.D:n8V<󽆙 BNs:J20f3Zgc"h+ǃy*<5td)_E6 ã9C2B.&e+}8j+,'u[xڬEq}@¡GJFo5{U| $5~C*-lWU0+ i:$7DF~fiCxH~iHCm )4co }^:NEU &@#[gxb#2Afa:]q ֓K,>zi+p#ҳIPՉr3H!&^6u.} vIalk{ރeB`>ն9B|C'*28GeP2:ɇ}J3H(0<CaTTo Dm=3Ri=:ͽu;p)jO мIR]852Bwߟ>01Q ǰ2>wERqo3sw:XVסzU=TR7 -yqyoT3+\Zгx.ڭ>C)Fls忖f'-kRL*$YڦJ0xM1o=lp._8:1{IݧTE#ϔDu_pM T*4_*z>j%xpeLؔ6vCIGS;4J64=Z_OfŘ&C?F2X3=˕IKifF[HVyXJ/|wztO ч:H\5buդ f9 M~; f& bYt )TDz{}U\7c`:êd q OM1&ݞlL:cB4 N >mݷv$s4VzZU&aߞZ})JB8A]Ξݵjz]8ZJɲ/&H_AKBGyȘ["PO%ݸmWXk(p)'6\Ǥоž#TB#3Dܞhu̅YoS YZ