freeradius-server-utils-3.0.21-3.9.1 >  A `p9|GBh^U`qnl d!aVaJAy7VhE4!?3erH Vx h@uZ|0Q8HAmbbX6 mUm"۲(l4VEb\.m _*V&vNAJ9˅puS '܄c#_z@JNT']LFEbLj}Kp6&tge1f2a707924bfd6ffd256f29cbd1440d5360ed069959e671700e56bf5a9ab26b876b162baa10b5ad06ad7f33c37aba361927c259܉`p9|xx1\F?e*]A@o= 3X.8FyE8<5~xNTSO>:"Duqd.P,#化+@V+6v%X#E &N" +$sx3|C'j)n&L(zS*yP8fOsZ!w?ab}qEŕ~?QRtؕU^<<]󻐦UM TF>p>X?Hd! ' :`dlp !'0   P h  X   X  (T8\'9':'FhG|HI<XTY\\x]^bcdFeKfNlPudv wxyHhzDCfreeradius-server-utils3.0.213.9.1FreeRADIUS ClientsCollection of FreeRADIUS utilities.`sheep16SUSE Linux Enterprise 15SUSE LLC GPL-2.0-only AND LGPL-2.1-onlyhttps://www.suse.com/Productivity/Networking/Radius/Clientshttp://www.freeradius.org/linuxx86_64x \~/qX$ J(IP8 O6*w큤`````` `` `` ` `` ```````````0d127aeef02083a4431c1429cf40111e9d073e0b7f65a66600b0c4023383c57016ddc1a7317e721a71a32eca81f7c8533cec3ecebebf99bc6147491421b775fcef8ec2f344d438d0fa7f1918130c8459fa4a9cbd45b105519437e451e4aa12427f3dab1b6b568c819fb9846e44128b6d712a38f8bd80edc950bd66af8d25edd6727a72352517db5bf4eaf9f8f63fedc9729935530c7768debc066dccd3984af5b697cf1626be74fb2144b692de899dc5d9b1643e98fe12c33bf2f9aaa78a4aedbaa977c11ddc405bcbfd5f1dbdbc4c8b09b0ed070b0423696cd4259b349f88aba9bf299c72d458ef397164d802379e00f132b00d8ca2de7ce54c19a7fd379b66930b1850004627ff4aa0a67df090469d47fa7f0b250c5c51f64186b9797defbeac75b5c19d977fe528dc805d1f136ba06dd96c43732dbf95aefa2b45a0bdc17be5431156ad54e262fc3f082773d20c81f02a4cede8ef978b46a7de3552dad16120bd970da8b18c48a8e03d7b11279ff6e490695d7eb93321e4970d5f940b9259590bf323cbf624d85728e22a9fdee9064246bf3e2b0bdc44a6b02f524b1186bd1f159d6abe5e0b2401361f82cf19d8c650e115cff3c520732a891603bfac9e6c4cecb854f8843b23d8b5fc85761c7705a9e4997ba26aa89d5313948445605ea12ef1e2f35bf523934869919af2b2177c9ee9e9c0ab6ad52af5b57614b12c2d08bc0e0beb9bee88c9ae9e70ab53b4a5b3de2966aef097e016549c494e4d961771435c618ffe1369697e5f228e99401687c6e2276f9ea75d7ab76232060ef0b549eaad978fa290c5fdce3b0dbb5763b122358d6f2c1056ec755663a4015c8a4d00f0114e9efa73dbea5a5d35fb6b9e20f1942dcece8c48adabb1c4649de10440217dbe6b5b6389623779e0eb9b098e59c0525cc1cd59dd1109cada0e1fc87c00bebcbd784ee828b1cdc019207e918c356a8b51f58ad9a44c364b43c6fe8e4e40d9d7dce30598dc43bf317f3d4d6f29d947c5427c63a93797c274d2b685fc8661f939f4849d961e2bcaa4094c331fa34c28ae5869cd58bbde8e3f59d364d9f342f1rootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootfreeradius-server-3.0.21-3.9.1.src.rpmfreeradius-server-utilsfreeradius-server-utils(x86-64)@@@@@@@@@@@@@@@@@@@@@@@@    /bin/sh/usr/bin/perlfreeradius-server-libslibc.so.6()(64bit)libc.so.6(GLIBC_2.14)(64bit)libc.so.6(GLIBC_2.15)(64bit)libc.so.6(GLIBC_2.2.5)(64bit)libc.so.6(GLIBC_2.3)(64bit)libc.so.6(GLIBC_2.3.4)(64bit)libc.so.6(GLIBC_2.4)(64bit)libcrypto.so.1.1()(64bit)libcrypto.so.1.1(OPENSSL_1_1_0)(64bit)libfreeradius-dhcp.so()(64bit)libfreeradius-eap.so()(64bit)libfreeradius-radius.so()(64bit)libfreeradius-server.so()(64bit)libgdbm.so.4()(64bit)libpcap.so.1()(64bit)libpthread.so.0()(64bit)libpthread.so.0(GLIBC_2.2.5)(64bit)libssl.so.1.1()(64bit)libssl.so.1.1(OPENSSL_1_1_0)(64bit)libssl.so.1.1(OPENSSL_1_1_1)(64bit)libtalloc.so.2()(64bit)libtalloc.so.2(TALLOC_2.0.2)(64bit)rpmlib(CompressedFileNames)rpmlib(FileDigests)rpmlib(PayloadFilesHavePrefix)rpmlib(PayloadIsXz)3.0.213.0.4-14.6.0-14.0-15.2-14.14.1`@_@_FN^y@^p^h^@\\v{\u*@[<[2*ZZWQYY@YlY, @XO@X@X*Xh@X.@W@WiV@V.Vf@UĝU@U@UU8U7@TZ@TTT~@T|X@adam.majer@suse.deadam.majer@suse.deadam.majer@suse.deadam.majer@suse.deadam.majer@suse.deadam.majer@suse.dejcnengel@gmail.commichael@stroeder.comadam.majer@suse.demichael@stroeder.comadam.majer@suse.demichael@stroeder.commichael@stroeder.commichael@stroeder.comadam.majer@suse.devarkoly@suse.commichael@stroeder.comadam.majer@suse.demichael@stroeder.comkukuk@suse.deadam.majer@suse.dejengelh@inai.deadam.majer@suse.demichael@stroeder.comadam.majer@suse.demichael@stroeder.comjkeil@suse.demichael@stroeder.comjkeil@suse.dejkeil@suse.dejkeil@suse.demichael@stroeder.comvcizek@suse.commichael@stroeder.comtchvatal@suse.comvcizek@suse.comdimstar@opensuse.orgvcizek@suse.commeissner@suse.com- logfile_secrets.patch: do not log passwords in logfiles (bsc#1184016)- freeradius-server-radiusd-logrotate.patch: move logrotate options into specific parts for each log as "global" options will persist past and clobber global options in the main logrotate config (bsc#1180525)- freeradius-server-radiusd-logrotate.patch: fix permissions in logrotate global section (bsc#1170505, bsc#1174905)- update to 3.0.21 (jsc#SLE-11896) Feature Improvements * New stored procedure for allocating IPs with PostgreSQL Rates of 1500 IPs per second are now possible See raddb/mods-config/sql/ippool/postgresql/procedure.sql * Add SQL IP pool support for Microsoft SQL Server See raddb/mods-config/sql/ippool/mssql/ * Added RCNTEC dictionary. Closes #3168. * Added Pica8 dictionary. Closes #3179. * Add TLS-Client-Cert-Valid-Since attribute holding not Before date Patch from Boris Lytochkin. Fixes #3157. * Generate attributes containing unknown OIDs See raddb/sites-available/tls * Update the WiMAX dictionary. * Added ability to rlm_python(Python2) show a stacktrace from errors. #2979. * Add WiFi Alliance Policy OIDs. See raddb/certs/xpextensions * radmin now shows coa stats, too. * Sample schema extensions for summarizing data in SQL See mods-config/sql/main/*/process-radacct.sql * Update dictionary.aerohive, dictionary.fortinet, dictionary.arista and dictionary.erx. * Added VAS Experts dictionary. * Many updates to RPM and jenkins builds from Matthew Newton. * Added %C (time now in seconds) and %c (microsecond component of now) back-ported from the "master" branch. * Add reload capability to systemd unit file in Debian and RedHat. * Increase timestamp precision in postauth to maximum supported by each database and simplify (and make more consistent between drivers) the timestamps in SQL queries by using expansions. * Option to set dictionary path in raduat script. Bug Fixes * Various fixes found by PVS-Studio. * Set permissions of certificates in bootstrap shell script Fixes #3132. * Increase the 'nasportid' SQL field for 'varchar(32)'. #3141. * Skip processing proxy reply if there are no home servers available. * Update SQLite IPPool queries. Fixes #3177 * rlm_sql_unixodbc fixes. Fixes #2822. * Fixes when building with LibreSSL. * Fix the rlm_python3 build. Note that this module is experimental. #3183. * The rlm_python should append the 'python_path' paths in 'sys.path'. It fixes the expected behavior to use the existing Python modules Fixes #3180. * Fix rlm_python to print the script errors properly. * Bound total query time for PostgreSQL. Fixes #3253. * Many fixes to Oracle sqlippool. It now does 500 IPs per second without any tuning. Fixes #3270. * Reference sqlippool by it's correct name. Fixes #3272. * Revert 3.0.20 patch which caused crashes on duplicate clients. * Update WiMAX-MSK attribute. Fixes #3280. * Fix crash when trying to access non-existant regex capture group. * Use timestamps (request or server) rather than SQL NOW() in accounting queries so that these are stable when replayed from a file buffer. - freeradius-python3_patches.patch: upstreamed- update to 3.0.20 (bsc#1146848) Feature Improvements * Added Force10 dictionary. * Update dictionary.hp with new attributes. #2690. * Update dictionary.aruba with new attributes. #2696. * Fix side-channel leak in EAP-PWD (bsc#1144524, CVE-2019-13456) * Relax OpenSSL version checks, now that their API is both public, and stable. * Note that tls_min_version/tls_max_version also support "1.3" Since there is no standard yet for EAP with TLS 1.3, it will not work. * Added tripplite dictionary from #2760. * Switch to the async interface for rlm_sql_postgresql so that we can enforce query_timeout. * Added new LDAP option 'allow_dangling_group_ref'. * Updated documentation and functionality for EAP session caching See "cache" section of mods-available/eap. * Tighten systemd unit file security. Fixes #2637. * Disable TLS 1.0 and TLS 1.1 support in the default configuration We STRONGLY recommend doing this for all installations. * Add expansions for *outgoing* Radsec connections "%{proxy_listen:TLS-...}" for TLS-Client-Cert-* and TLS-Cert-* attributes. Fixes #2839. * Add %{listen:tls} which returns "yes" or "no" for TLS or non-TLS connections. * Update dictionary.lancom with new attributes. #2847. * Added rlm_sql_mongo. See raddb/mods-available/sql. Note that this module is experimental. * Added more documentation in sites-available/robust-proxy-accounting. * sqlippool now re-allocates unexpired leases, to prevent IP pool exhaustion when clients perform multiple reauthentication attempts * Add support to radmin keep the history in ~/.radmin_history. * Add support for ENV and LD_PRELOAD in radiusd.conf. See the new ENV sub-section of radiusd.conf. * Update dictionary.aptilo. #3002. * Update dictionary.airespace. #3039. * Add sites-available/coa-relay, which makes CoA easier #3045. * Add example stored procedure for IP Pools in MySQL See mods-config/sql/ippool/mysql/procedure.sql * Update dictionary.dhcp dictionary with the recent hardware types. * Add experimental rlm_python3. This should largely work the same as rlm_python, which was Python2 only. * Add Dockerfiles for Debian10 and CentOS8. * Add RPM spec file compatibility for RHEL/CentOS 8. * Notes on certificate constraints. See raddb/certs/server.cnf. * Add NAIRealm example to raddb/certs/server.cnf, for RFC 7585. Bug Fixes * Allow listen.ipaddr to reference an IPv6-only host. Fixes #2627 * ERX-Acct-Request-Reason is "integer". Closes #2635. * Fix a slow memory leak in the file management code. * Try to fix file permissions if they get modified while the server is running * Fix slow memory leak with clients. * Fix request and connection timeouts in rlm_rest. * Fix systemd issues. * Fixes from clang analyzer. * Fix missing include for the dictionaries: alcatel.esam, altiga,alvarion.wimax.v2_2,aptis,asn, audiocodes,avaya,bristol, columbia_university,freedhcp,garderos, infoblox,motorola.illegal, starent.vsa1, telkom, wimax.wichorus. * Fix internal sanity check when running with "-Xx". * Allow "inner-tunnel" virtual servers to work better with "accept" and "reject" policies. * Fix dictionary.huawei data types for Huawei-DNS-Server-IPv6-address and Huawei-Framed-IPv6-Address. * Framed-Interface-ID in postgresql/queries.conf is string, not inet Fixes #2817. * Fix rlm_cache to complain on unknown attributes in the "update" section of its configuration. * Add configure checks for -latomic. This helps on armel, mips and mipsel. Fixes #2828. * Add support to Oracle 19 and 18. Via #2857. * Add support for decoding tags in rlm_rest. Fixes #2848. * Use correct passwords when updating CRLs in raddb/certs/. * Properly separate "originate-coa" packets when accounting packets are read from the detail file reader. * Use the correct virtual server for pre/post-proxy. * radsqlrelay fixes backported from "master" branch * Fix DoS issues due to multithreaded BN_CTX access (bsc#1166847, CVE-2019-17185) - disable python2 for SLE15 and Factory - freeradius-server-enable-python3.patch: enable Python3 module - freeradius-python3_patches.patch: backport python3 fixes from upstream - freeradius-server-opensslversion.patch: updated- Enable memcached driver on SLE15- Add missing BuildRequire on samba-core-devel required for windbind support in rlm_mschap.- update to 3.0.19 (jira#SLE-5890) Feature improvements * Update dictionary.cisco * Update sqlippool to allow for stored procedures with PostgreSQL. This increases performance substantially. Patch from Nathan Ward. Fixes #2540. * Re-added "show client config" command to radmin. * Cleaned up mods-available/sql example so that it is easier to understand. * Added pfSense dictionary. Closes #2581 * Update dictionary.h3c Closes #2592 * Update elasticsearch/logstash config for v6.7.0. * EAP-PWD security fixes from Mathy Vanhoef. See http://freeradius.org/security/ (CVE-2019-11234, CVE-2019-11235, bsc#1132549, bsc#1132664) Bug fixes * Update dynamic_client module and server core so that the functionality works. This has been broken since at least v2. * Fix crash in sqlippool due to escaping changes. Patch from Nathan Ward. Fixes #2532, #2533. * Fix systemd notify, watchdog and unit files. Fixes #2541, #2499. * Fix erroneous length check in EAP-FAST. * Update documentation to remove old "ignore_null" configuration. Fixes #2578. * Fix default POD port. Should be 3799. Fixes #2591 * Correctly encode vendor-specific "encrypted" attributes. Fixes #2600- reformat changelog mostly by wrapping lines - add missing bug numbers for security fixes- update to 3.0.18 * cleanup_delay can now be 30 seconds. This helps with proxies that have packet loss. * Do-Not-Respond policies can now be set in the "post-auth" section. * Encode / Decode ADSL Forum DHCP options. * Fix module ordering issues. e.g. when "sqlippool" needs "sql". See the "instantiate" section of radiusd.conf. * Add Big Switch dictionary. Fixes #2252. * Add sql_session_start policy (raddb/policy.d/accounting) This minimizes race conditions when using Simultaneous-Use (#2257). * For rlm_perl, all variables are now tainted by default. See raddb/mods-available/perl, and the "perl_flags" configuration item. This change should only affect people who are using variables in insecure ways. * Allow "sqlcounter" module to be listed in "post-auth". * Add support for IPv6 attributes in SQL. Fixes #2280 * The server is better at handling fail-over for outbound RadSec and TCP connections. Fixes #2284. * The server is now more aggressive about retrying failed outbound RadSec and TCP connections. Fixes #2284. * Add TLS-Session-Version and TLS-Session-Cipher-Suite to the "session_state" list. * Add expansion for Radsec connections. "%{listen:TLS-...}" for TLS-Client-Cert-* and TLS-Cert-* attributes. * Add notes on running "ldapsearch" using the parameters from the LDAP module. * "ipaddr" attributes can now be cast to "integer" type attributes in an "update" section. * Move main thread queue to using atomic queues. This should help with contention in high load scenarios. * Add "recv_buff" setting to listeners. For more details, see sites-available/default. * The sqlippool module can now use attributes other than "Pool-Name" to assign IP pools. The "Pool-Name" attribute is still the default. * The "unpack" expansion can now unpack substrings. See mods-available/unpack for documentation and examples. * The preprocess module now does "ciscvo_vsa_hack" for Eltex-AVPair Fixes #2301. Vendors SHOULD NOT USE THAT KIND OF ATTRIBUTE. * Allow for -LDAP-UserDN. See mods-available/ldap for more information. * Add sanitizing of control list for moonshot. Fixes #2318. * Update rlm_sql_mysql to be compatible with MySQL 8 Fixes https://bugs.launchpad.net/bugs/1795310. * Allow logging of only Access-Accept or Access-Reject messages See radiusd.conf, "auth_accept" and "auth_reject". * Removed Connect-Rate comparison. It was unused and broken. * Add dictionary.infinera. * Use OpenSSL HMAC functions instead of local ones. * Some SQL modules can now use "auto_escape" to escape unsafe strings See mods-config/sql/main/mysql/queries.conf. * Add wispr2date conversion in mods-available/date. * Implement dictionary-based handling in rlm_python. Fixes #2334 See mods-available/python for details. * Add support for SKIP LOCKED in sqlippool. This can improve performance by an order of magnitude or more. See raddb/mods-config/sql/ippool/*/queries.conf Fixes #2383 * Allow PSK and certificates at the same time Except for TLS 1.3 which does not support that. * Update docker scripts. Fixes #2306 Patch from Matthew Newton. * Add crypt xlat. * MySQL connections can now skip verifying the server certificate. Fixes #2481. See mods-available/sql. * Add better mechanism to detect MariaDB (Old MySQL). * Add RFC 7532 "bang path" support for realms Fixes #2492. * Update dictionary.ukerna documentation. Fixes #2493. * Add support for systemd service and watchdogs Fixes #2499. * Check for openss/rand.h, and allow building without OpenSSL engine. Patch from Eneas U de Queiroz Fixes #2517. * The default PosgtreSQL queries now use "ON CONFLICT" to better deal with issues. This requires PostgreSQL 9.5 or later. Please use a recent version of PostgreSQL, or edit the default queries to remove "ON CONFLICT". BUG FIXES * The session-state list is no longer cleaned in the inner-tunnel. This lets the outer Access-Reject section access session-state. * Fix typo in lock initialization for TLS sockets Found by Sergio NNX. * Add check for crash when home server down Fixes #2233. * Add username key for postauth table. * Better libpcap checks, when the header files or libraries are missing. Fixes #2245. * Allow building with old versions of OpenSSL Fixes #2247. * Allow non-FreeRADIUS State attributes to be used with the "session-state" list. i.e. State length != 16. * Be more aggressive about cleaning up zombie children when running in debug mode. * Use LTDL_DEEPBIND, which fixes issues with Oracle libraries exporting LDAP API functions. * unlock files when asked to unlock them. * return error instead of asserting in map code. * Don't write 0 bytes to SSL. Fixes #2270. * Remove "expiry_time IS NULL" from allocate_update query. Fixes #2262. * Various dictionary cleanups and consistency checks Fixes #2281. * rlm_python has stronger thread locking to prevent reported issues. Performance may be affected. * Don't allow Message-Authenticator to overflow past the end of a large packet. * Fix crash in sqlippool when SQL server goes away Fixes #2300. * Typos in man pages. Patch from Nikolai Kondrashov Fixes #2303. * Fix crash with CoA packets/ Fixes #2304. * Fix crash in rlm_exec with CoA. Fixes #2328. * Print errors while parsing the log config, and don't quit when deprecated log settings are found. * Fix DHCP encoder xlat so that it can be used with a list of attributes. It previously only encoded the first member of the list, and now encodes all members. * The "expr" module now skips more whitespace. * Remove internal FreeRADIUS-Response-Delay attributes from attr_filter Access-Reject. * Don't send junk to redis when maximum args reached. * Small updates to IPv6 for accounting schema Fixes #2364. * Fix OpenDirectory integration in rlm_mschap. * Fix slow memory leak with dynamic clients. * Don't artificially truncate debug output for long strings. * Fix memory leak in EAP-PWD. * Fix crash in "hints" file with Fall-Through = yes. * Fix crash / timer issues with many CoA packets. * Fix attr_filter so that it does not treat vendor attributes of number 26 as Vendor-Specific. * Fix reconnect correctly in rlm_sql_mysql. * Fix rlm_cache to properly use Cache-TTL < 0 Fixes #2485. * Fix rare occurance of bad xlat expansion. * Check for rare race condition when a proxy reply arrives too late.- install license as %license instead of documentation- also fix ownership of /var/log/radius in systemd unit- update to 3.0.17 Feature Improvements * Add CURLOPT_CAINFO. Patch from Nicolas C #2167. * "stats home server" now supports "src IPADDR", to specify home server also by source IP. Fixes #2169. * Add Dockerfiles for a selection of common systems. * Increase number of permitted file descriptors, for systems with many home servers. * Add TLS-Client-Cert-X509v3-Extended-Key-Usage-OIDs Patch from Isaac Boukris. Fixes #2205. * Update main READMEs. Patches from Matthew Newton. * Added dictionary.mimosa. Bug Fixes * Don't call post-proxy twice when proxying to a virtual server. Matthew Newton, #2161. * Use "raw" string value for shared secrets and dynamic clients It now parses strings with backslashes and "special characters" correctly. Fixes #2168. * Fix RuntimeDirectory for RedHat, from Alan Buxey. * Relax checks in 'if' parser from Isaac Bourkis. * Minor cleanups for %{debug_attr:&request} from Isaac Boukris. * Be more aggressive about cleaning up cached certificate attributes, due to deficiencies in OpenSSL. Reported by Nicolas Reich. * Be more accepting when parsing IPv6 addresses. Bug noted by Klara Mall. * Fix double free in rlm_sql. Fixes #2180. * rlm_detail now writes empty Access-Accept packets. * rlm_python can now create tagged attributes. * Don't crash on duplicate realm + authhost / accthost * Allow partial certificate chain to trusted CA. Fixes #2162. * Treat SSL_read() returning zero as error. Fixes #2164. * detail writer now checks if the file was renamed or deleted. * Add User-Name to Access-Accept if EAP-Message exists, not Stripped-User-Name. * RedHat Systemd updates. Fixes #2184. * Use correct API for State variable in rlm_securid. * Remove broken radclient option "-i". * Fix "users" file (and hints, etc). So that it does not get confused about entry ordering with multiple $INCLUDEs. * Fix rlm_sql to expand the un-escaped string, not the raw string. * Link default and inner-tunnel only if they exist. Fixes #2206. * Don't use both IP_PKTINFO and IP_SENDSRCADDR. * Always install signal handler for SIGINT (needed by Docker). * Fix intermediate CA flow for OCSP. Fixes #2160 Intermediate certs which are not self-signed will now be checked. * sqlippool now returns "fail" if it fails IP allocation. * Fix rlm_yubikey to look for correct attribute in replay attack check.- update to 3.0.16 Feature improvements * rlm_python now supports multiple lists. From #2031. * Add trust router re-keying. From #2007. * Add support for Samba / AD LDAP schema. See doc/schemas/ldap/samba/README.txt and doc/schemas/ldap/samba/ * Add "tls_min_version" and "tls_max_version" to EAP module for Debian OpenSSL issues. * Better documentation for client certificates in PEAP and TTLS: it usually doesn't work. Fixes #2068. * Distinguish login failure from AD unavailable. Fixes #2069. * Update RH spec files. Fixes #2070. * Run Post-Proxy-Type if all home servers are dead. Fixes #2072. * Print offending IP addresses when EAP sessions come from two upstream home servers, and rate-limit the messages. * Minor packaging updates. * Better documentation for rlm_rest. * EAP-FAST now has it's own "cipher_list", so that it is easier to configure. * EAP-FAST now forcibly disables TLS1.2, until such time as we implement the new keying mechanism from TLS1.2. * Add documentation for allow_expired_crl. * Update Debian logrotation. #2093 and #2101. * DHCP relay can now drop responses. #2095. * rlm_sqlippool can now assign Delegated-IPv6-Prefix. It also now can assign any IPv4 or IPv6 address. Based on patches from maximumG. #2094. See raddb/mods-available/sqlippool for changes. * radeapclient can now use EAP-SIM-Ki to dynamically create the necessary triplets. * Explain why many LDAP connections are closed. Fixes #1969. * Debian build / package issues fixed by Matthew Newton. * dictionary.patton updates from Brice Schaffner. Fixes #2137. * Added scripts to build "inner-server.pem", and updated mods-config/inner-eap and certs/README to match. * Added provisions for using an external CA. See raddb/certs/ * Include dhcpclient binary in freeradius-dhcp debian packge. Bug fixes * Bind the lifetime of program name and python path to the module FR-AD-002 (redone) * Pass correct statement length into sqlite3_prepare[_v2] FR-AD-003 (redone) * Allow 100-Continue responses with additional headers in rlm_rest. * fix corner case where detail files were not being locked correctly. * Fix (SQL-Group == "%{...}") checks, and same for LDAP-Group. Fixes #1947 * Clean up exfile code. Which should help to avoid issues with reading / writing 100's of detail files. * Fix build for winbind. Patch from Alex Clouter. * Fix checkrad for Mikrotik. Patch from Muchael Ducharme. * Fix home server stats lookup. Patch from Phil Mayers. * Add libjson-c3 as an optional dependency. * Require LTB OpenLDAP on CentOS / Redhat, to avoid linking against NSS, which breaks the server. Fixes #2040. * rlm_python fixes. Fixes #2041 * Typos in "man" pages. Fixes #2045 * Expand "next" in %{%{...}:-%{...}}. Fixes #2048 * Don't add TLS attributes twice. Fixes #2050. * Fix memory allocation in rlm_rest. Fixes #2051. * Update trustrouter for new API. Fixes #2059. * Fix SQLite issues on FreeBSD. Fixes #2060 * Don't do debug logging of bad passwords. Fixes #2064. (bsc#1099802) * More graceful handling of "die" in rlm_perl. Fixes #2073. * Fix occasional crash when using cisco_accounting_username_bug = yes * EAP-FAST fixes from Isaac Boukris. [#2078], #2076, and #2082, #2126. * DHCP fixes, relay, #2092, add run-time check, #2028 * Decode multiple RADIUS packets at a time in highly loaded RadSec connections. Patch from Jan Tomasek. #2106. * TunnelPassword is not "single value" in LDAP schema. Fixes #2061. * sql log now opens the expanded filename, not the input one. This was a regression introduced in 3.0.15. * Remove unnecessary UNIQUE constrain in Oracle schemas. * Fix SSL thread and locking issues when modules also use SSL. Fixes #2125 and #2129. * Re-add dhcpclient "raw packet" changes. Patches from Nicolas Chaigne and Matthew Newton. Fixes #2155.- Fix permissions of radiusd.service (bnc#1053654)- bsc#1055679 - freeradius-server does not provide winbind/AD auth Added libwbclient-devel as buildrequires- update to 3.0.15 with security fixes for issues found via fuzzing by Guido Vranken (bsc#1049086) https://freeradius.org/security/fuzzer-2017.html * CVE-2017-10978: FR-GV-201 (v2,v3) Read / write overflow in make_secret() * CVE-2017-10983: FR-GV-206 (v2,v3) DHCP - Read overflow when decoding option 63 * CVE-2017-10984: FR-GV-301 (v3) Write overflow in data2vp_wimax() * CVE-2017-10985: FR-GV-302 (v3) Infinite loop and memory exhaustion with 'concat' attributes * CVE-2017-10986: FR-GV-303 (v3) DHCP - Infinite read in dhcp_attr2vp() * CVE-2017-10987: FR-GV-304 (v3) DHCP - Buffer over-read in fr_dhcp_decode_suboptions() * CVE-2017-10988: FR-GV-305 (v3) Decode 'signed' attributes correctly * FR-AD-002 (v3) String lifetime issues in rlm_python * FR-AD-003 (v3) Incorrect statement length passed into sqlite3_prepare- update to 3.0.14 (still FATE#322416) Feature improvements * Enforce TLS client certificate expiration on session resumption, and Session-Timeout. See CVE-2017-9148 (bnc#1041445) * Updated dictionary.cisco.vpn3000, dictionary.patton * Added dictionary.dellemc * Lowered the log output for failed PEAP sessions. * ALlow utc in rlm_date. * The internal OpenSSL session cache has been disabled. Please see mods-available/eap * Update detail reader documentation. * Make outgoing RadSec connections non-blocking. * Add SQL backing to Moonshot-*-TargetedId generation. Bug Fixes * radtest uses Cleartext-Password for EAP, not User-Password. * Update documentation for mods-enabled/ linking. * Enhanced checks for moonshot salt. * Allow session resumption for RadSec connections. * Update "huntgroups" file to note that port ranges are not supported * Fix OpenSSL permissions issues on default key files. * Certificates are not required when PSK is used. * Allow SubjectAltName as first extension in cert. * Fixed talloc issue with TLS session resumption. * "&Attr-26 := 0x01" now produces useful error messages. * Handle connection error in rlm_ldap_cacheable_groupobj. * Fix endian issues in DHCP. * Multiple minor fixes for Coverity complaints. * Handle unexpected regex. * Fix minor issues in dictionaries. * Fix typos and grammar. Patches from Alan Buxey. * Fix erroneous VP creation in rlm_preproces. * Fix MIB. Patch from Jeff Gehlbach. * Trust router updates from Alejandro Perez. * Allow build with LibreSSL. * Use correct packet for channel bindings. * Many fixes found by PVS-Studio. Thanks to PVS-Studio for giving us a test license. Please see the git commit history for more info. * Fix incorrect length check in EAP-PWD. This may be exploitable. * Stop rotating session database files (radutmp, radwtmp) since these are not logfiles. - freeradius-server-radiusd-logrotate.patch: updated- removed obsolete freeradius-server-fix-cert-bootstrap.patch because recent /etc/raddb/certs/bootstrap simply works - update to 3.0.13 (still FATE#322416) Feature improvements * Add dictionary.rfc7930. Note that we do not implement the RFC. * Added 'cipher_server_preference' to mods-available/eap Patch from #1797. * OpenSSL 1.1.0 compatibility fixes. * rlm_perl: radiusd::xlat to evaluate xlat string within perl script * Allow authentication retry in winbind. Patch from Herwin Weststrate. See raddb/mods-available/mschap. * Added "recv-coa" method to rlm_rest. It behaves the same as "authorize". * Document Trust Router tr_port option. Patch from Stefan Paetow. * Update elasticsearch/logstash examples so that they work with elastic stack v5. Patch from Matthew Newton. * Print information about packets, replies, and contents in the detail file reader. * Update abfab-tr policy. Pull request #1893 from Stefan Paetow. * Reject packets which contain User-Password and EAP-Message. * Add example for filtering Access-Challenge. See sites-enabled/default. * Pull symlink fixes from v4.0.x. Fixes #1859. * Add systemd reload. Not everything is reloaded, but some is. Fixes #1662. * Better documentation for listen "ipaddr". Fixes #1921 * Add dictionary.cnergee, updated dictionary.nomadix. * radclient no longer needs -x to print statistics with -s. Bug fixes * Minor typos. Fixes #1763 * Fix typo in RPM build. Closes #1767. * rlm_mschap check for password expiry only if password was correct. Fixes #1762. * Update debian build. * update rlm_counter "man" page. Fixes #1775. * Remove erroneous assert. Fixes #1778. * fix mschap password change test. Fixes #1792. * Cleanup config file on data remove. Fixes #1795. * passwd module returns "notfound" if not found. * Check for old OpenSSL, and don't build rlm_eap_fast if it necessary. Fixes #1803 * Cleanup memory better after ldap version query. Patch from Aleksey Katargin. * Rename lt_* functions to avoid linker issues with libtool. Fixes #1277 * Many miscellaneous fixes and typos. * Allow long strings in %{%{foo} bar:-%{baz} blah". Fixes #1866 * Fix filtering operators, along with more documentation and more tests for them. * Fix OpenSSL fixes. Fixes #1876. * Finish SQL select queries even when SELECT returns no rows. Fixes #1879. * Set Module-Failure-Message for more EAP errors. * Correct typo in dictionary.rfc5580. Fixes #1882 * Remove obselete systemd syslog.target. * Client-Port-Balance load-balancing now uses client port. * Radrelay examples fixed from Alex Clouter. * Update systemd target. Pull request #1896. * Trim starting whitespace in xlat strings. * Get MySQL result lengths using normal API. * suid down after fchown(). Fixes #1914. * Fix cases of comparing pointer to NUL character. Fixes #1915. * OpenSSL v1.1 fixes. Pull request #1921. * Better Handle v4/v6 host names. Pull request #1919. * Remove "Auth-Type = System" from docs and examples. * Don't crash on malformed %{home_server}. Fixes #1922 * fix erroneous use of talloc destructor in rlm_eap * Issue trigger modules.sql.fail. Fixes #1923 * Document python_path gotcha's. Fixes #1845 * dlopen() the specific version of Python. Fixes #1592- Don't require insserv if we use systemd - Remove require for unused fillup- Merge changes from SLE to openSUSE (FATE#322416): * freeradius-server-radclient-init-error-buffer.patch - make sure we initialize error buffer. bsc#911886: radclient error free() invalid pointer * freeradius-server-opensslversion.patch: remove OpenSSL version check and assume we know what we are doing. (bnc#1013311) * merge .changes file, mostly. - do not attempt to detect "vulnerable" OpenSSL versions. SUSE security fixes do not necessarily bump version numbers as does upstream OpenSSL (bnc#1021375) - do not generate certificates in %post. End-user needs to do this manually. - keep FreeTDS disabled on SLE12 - we never shipped it enabled - require OpenSSL 1.0+ - use pkgconfig(systemd) instead of plain systemd as BuildRequires - don't list manual pages as %doc- Remove --with-pic which is for static libs only. - Use SUSE RPM group names. Trim filler words from description. - Do not hide errors from groupadd/useradd.- Add upstream keyring - 2 new modules: rlm_sql_freetds and rlm_eap_fast- update to 3.0.12 - still fate#320481 The focus of this release is stability. * Feature improvements + Add support for =~ and !~ in update sections. See "man unlang" + Add dictionary.checkpoint. + Simultaneous-Use prints out more information. + Print WARNING in debug mode when packets may be truncated. + Added expansions %{home_server:state} and %{home_server_pool:state}, which show the state of the server / pool. + Mark rlm_sql_freetds as stable. + Make rlm_perl less fragile. Patch from Herwin Weststrate. + Allow extended attributes to have "encrypt=2" + Update dictionary.aruba. + Add support for EAP-FAST. This is an isolated feature which does not affect anything else. + Update OpenSSL vulnerability list. Use a version of OpenSSL released after September 20, 2016. + EAP certificate verification is now done when "verify" is enabled and "ocsp" is disabled. + New dhcpclient and rlm_rad_counter man pages. + Minor abfab and moonshot additions. + Pass CFLAGS through from environment in RPM builds. Allows more custom builds. + Build with Heimdal in addtion to libkrb5. * Bug Fixes + Use correct typedef for older versions of sqlite. + Update mssql schema to add priority + don't complain on /dev/urandom in ldap + fix == operator in update sections + Don't create DHCP strings with many trailing zeros. + Allow MS-CHAP change passwords instead of complaining on large buffer. + Allow assignment or equality operator on SQL. + Update aclocal tests for FreeBSD 10. + Remove occasional hang in rlm_linelog. + Copy VSAs to inner tunnel for TTLS and PEAP. Fixes #1544 + A few minor bugfixes caught in v3.1.x cleanup, and back-ported to v3.0.x. + do_not_respond again works in post-proxy + Allow realm "~^.*$" {} and User-Name with no realm. + Fix leak when creating unknown attributes + Fix Debian / logrotate. + Make OpenSSL error functions thread-safe. + Fix crash with rlm_sql and updating SQL-User-Name. + Debian build updates. + Allow regular expression comparisons in radclient. + Fix memory leak on unknown attributes in detail file reader. + Update example paths in "man" pages when installing them + Build fixes for rlm_mschap. Fixes #1489. + BSD build fixes. Patch from issue #1583. + Be more careful about /lib/ when building. Fixes #1585. + Correct ifdef placement error. Fixes #1572. + Allow for more files in internal "exfile" API So it will be possible to open more than 64 "detail" files at the same time. + Remove support for statically built EAP modules. Fixes #1591. + Many fixes to rlm_python from Guillaume Pannatier. + Use correct week adjustment in SQLcounter. Fixes #1608 + Minor fixes to allow compilation without DHCP, VMPS, or TCP. + Fix checks for module / config file change on HUP. + Compile regex comparisons when sent via "debug condition". + Update filenames in documentation and examples. + Don't crash if SQL connection becomes unavailable. + Disallow originate_coa when proxy_requests = no. + Free rad_perlconf_hv in correct perl context. + Multiple fixes for Debian builds. #1510, among others. + Set OpenSSL FIPS compatibility flag when necessary. + Pulled fixes for the build system over from other branches. + Fix OCSP for RADIUS over TLS. + Fix skip_if_ocsp_ok behavior. + Better fixes for systems without closefrom() but which have /proc. + Minor build fixes back-ported from v4.0.x. + build --whout-ascend-binary. Fixes #1761. + Be more aggressive about not opening new connections in debug mode after CTRL-C. Address #1604.- use %{with} macro for conditional inclusions instead of hardcoding version numbers - improved package descriptions - fixed builds on SLE12 and SLE11SP4- removed installation of experimental module rlm_sqlhpwippool.so - update to 3.0.11 (fate#320481, bsc#961479, CVE-2015-8763, bsc#935573, CVE-2015-4680) * Changes of version 3.0.11 + Feature improvements - "unlang" comparisons of IP addresses to IP prefixes are now detected, and types automatically cast. - Allow shorthand form of ipv4prefix values e.g. 127/8. - Add "auto_chain" to raddb/mods-available/eap, tls subsection. This allows the disabling of OpenSSL auto-chaining of certificates. Which might be wrong. - Added printing of coa and disconnect stats (radmin). - radclient defaults to expecting Access-Accept responses to Status-Server. - Updated dictionary.lancom, dictionary.starent. - Portability fixes for Solaris. - More errors from ntlm_auth gets passed to MS-CHAP. - Update abfab-tr-idp virtual server. - Added "filter_password" in policy.d/filter. This removes embedded zero bytes in User-Password, for compatibility with broken clients. - The server now issues a WARNING message if duplicate configuration items are found. - TLS can skip the "verify" section if OCSP returns OK. See raddb/mods-available/eap, "skip_if_ocsp_ok". - Set TLS-OCSP-Cert-Valid = yes / no / skipped, which is the result from the OCSP check. - Interoperate with AD and "LmCompatibiltyLevel = 5", by always setting WBC_MSV1_0_ALLOW_MSVCHAPV2 for native winbind in rlm_mschap. - TTLS and PEAP now require "virtual_server" to be a real server. - Print WARNING when TTLS or PEAP identities are spoofed or not properly anonymized. See RFC 7542 for requirements. - Various rlm_python fixes from Herwin Weststrate. - Allow setting Response-Packet-Type in "Post-Proxy-Type Fail", which is useful when the home server does not respond. - elasticsearch updates from Matthew Newton + Bug Fixes - Fix issue where field nas_type would not be accessible via the %{client:} xlat, for clients loaded from SQL. - Fix compatiblity issues with OpenSSL 1.0.2. Ignore calls to msg_callback with 'pseudo' content types. - Data type "ipv4prefix" is parsed correctly. - Use correct talloc context in rlm_exec. Fixes #1338. - Complain in unlang if "else" is used with no previous "if" or "elsif". - Send accounting status packets to the accounting port. Fixes #1364. - Print out CFLAGS when doing "radiusd -Xxv" - Fixed bug with coa/acct stats value #1339. Based on patch from Jorge Pereira. - Fixes for LEAP proxying. Don't use LEAP! - Fix issue with "directory already exists" seen when doing "make install". - Fixed bug with radmin related to the option "stats detail " - Complain if the detail file reader does not have permission to read the "detail.work" file. Fixes #1398 - Fixed SoH. Attributes were not being copied to the virtual server. - Used a wrong list to global statistics in "stats". - Create EAP-PWD identity correctly. Prevents segfaults. - Dynamically validate authentication types for PEAP and EAP-MSCHAPv2. - Fix includes in installed headers. - OpenSSL 1.0.1f and 1.0.1g do NOT calculate TLS 1.2 keys correctly. See raddb/mods-available/eap, "disable_tlsv1_2" - Allow password change to work for MS-CHAP. This requires 'r=0', because password changes are not retries. - Fix home server fail-over for home servers using TCP and/or RadSec. - Special characters in expanded regexes are now escaped e.g. User-Name containing '.', and comparing /%{User-Name}/, the '.' will now be escaped. See src/tests/keywords/regex-escape. - Use correct authentication vector when sending Access-Reject replies for RadSec. - Set FreeRADIUS-Proxied-To in TTLS again. You should use the "inner-tunnel" virtual server, instead of relying on this attribute. - Fix debugging constants in rlm_perl. Patch from Herwin Weststrate. - Add samba-dev / samba4-dev to debian builds so that rlm_mschap can automatically use the new winbind API. - Automatically skip zero-length attributes when sending packets, instead of erroring out.- fix bsc#951404 * Rebuild of freeradius-server package fails * fix source url - ftp://ftp.freeradius.org/pub/freeradius/ + ftp://ftp.freeradius.org/pub/freeradius/old/- update to 3.0.10 * Changes of version 3.0.10 + Feature improvements - Do more optimization of unlang policies. This makes run-time a bit faster. - Re-name most of the functions in src/lib. Third-party module authors will have to do the same. - More documentation on contributing and how to write modules. - Update radiusd.service for systemd. - Open IPv6 proxy socket if the server is listening on IPV6 auth / acct / coa packets. - Create debian packages for DHCP. Fixes #1125. - Add more tests for "update" section parsing. - Update "man" pages. - Update attributes for Alcatel 7750 - Add dictionary for Boingo Wi-Fi - Add support for DHCP lease queries. See raddb/sites-available/dhcp - On HUP, check all modules for config files which have changed. And only re-load those modules. - Allow FreeRADIUS-Response-Delay(-USec) to be set for RADIUS packets. Patch from Herwin Weststrate. - Documentation fixes from Alan Buxey and Matthew Newton. - Update "logrotate" script. - Added more RFCs to doc/rfc for new standards implemented by FreeRADIUS. - Don't crash when doing "radmin -e "help hup". Patch from Matthew Newton. - The dictionary parser now does more sanity checks, which prevents run-time problems with invalid attributes. - Update debian packages. Patches from Christopher Hoskin. - Many other debian packaging fixes from Matthew Netwon and Herwin Weststrate. - Add "session-state" to Perl. Patch from Herwin Weststrate. + Bug Fixes - Fix rlm_files so that there are no collisions when loading 10's of 1000's of users. - Fix radclient to use our internal v4/v6 parsing functions. v6 addresses with ports now work correctly. - Fix sending/receiving packet messages to wrap v6 addresses in square brackets '[]'. - Check for sasl/sasl.h when building rlm_ldap, and disable SASL functionality if unavailable. - Fix issue which caused a non \0 terminated buffer to be assigned to attributes if the value being assigned contained an invalid escape sequence. - Fix deadlock when reconnecting connections in the connection pool. - Fix potential overrun in functions that used fr_utf8_char with a non nul terminated buffer. - Fix decoding issue for Tunnel-Password type attributes which were very long. Found by Denis Andzakovic. - Fix radclient issue with TCP sockets on FreeBSD. - The server now creates ${run_dir} and ${logdir} directories in daemon mode, when running as "root". - Handle tags when using maps. Fixes #1191. - Fix crash when CoA packets time out. - Fix parse error in rediswho - Fix regex support in SQL radcheck the "users" file and radsniff. - Register listen xlat earlier, so that it's available when the virtual servers are being parsed. - Parse Ascend-Data-Filter when given as "0x..." - Print Ascend-Data-Filter correctly. Add test cases for both. - Allow old-style clients again. They will be disallowed for 3.1.0 and following. - Complain instead of crash when "else" and "elsif" are in the wrong place. - Clean up memory more aggressively. This lowers the maximum memory used, most typically for TLS based EAP methods. - Prevent the server from unlinking the control socket of an already running instance. - Fallback to using the configured OCSP URL if one exists, and no URL is provided in the certificate. - Return CoA-NAK if proxying CoA fails. Based on patch from Jorge Pereira. - Lower peak memory usage by decreasing size of internal memory pools. - The control socket is now left in place if a second copy of the server is accidentally started. - Allow virtual attributes in "switch", "case", etc. Fixes [#1240] and #1265. - Many spell check / typo fixes in comments and example configuration files. - Better handle multiple DHCP listeners. - Don't print secrets for old-style realms. Fixes #1267. - Don't fall through in empty "case" statements. Fixes #1274. - Update EAP-TTLS so that MPPE keys are correctly calculated with TLSv1.2. - Always delete MS-MPPE-* from the TTLS inner tunnel. This allows TTLS / EAP-MSCHAPv2 to work. Fixes #1206. - Fix off by one error that caused some MSCHAP-Error messages to be sent without the password change version (V=3) and the textual message component (M=). - Always include C= V= and M= in MSCHAPv2 errors. RFC 2759 does not say that any of these fields are optional, and not including V= caused errors with wpa_supplicant. - Do not include M= in MSCHAPv1 errors. It's not supported.- Fix boo#912714: freeradius can't use ntlm_auth * Create winbind group * Add radiusd to winbind group- Remove gpg signature file * The gpg signature checking is broken and doesn't work- Fix bsc#935573: Insufficent CRL application for intermediate certificates * CVE-2015-4680 * freeradius-server-CVE-2015-4680.patch based on https://github.com/FreeRADIUS/freeradius-server/commit/a03814af310bb3bee74ea012546d99c48b0ea5c3- update to 3.0.9 * Changes of version 3.0.9 + Feature improvements - Make "pool" configurations more consistent, and update documentation for them. - Move connection pool logic to "most recently started", instead of MRU. This should help with pool stability. - More VSAs for 3GPP2 - Added examples of multi-value attributes to rlm_perl. - LDAP-Group and SQL-Group attributes are now dynamically allocated. - Only the "sql" module registers SQL-Group. Other instances register "instance-name-SQL-Group", similarly to "ldap". - Unknown attributes are now complained about more often when used in unlang statements. e.g. if (Foo-Bar == 3) used to be a string to string comparison. It is now a parse error. - Rename RLM_COMPONENT_* to MOD_* in the code. This makes many things easier. - Move to C99 initializers for modules. - Load modules in raddb/mods-enabled. This allows attributes like "LDAP-Group" to be used in the "files" module, without explicit ordering or listing in "instantiate". - Added 'bootstrap' section to modules. Third-party modules will need to be updated. - When adding clients from a DB, add them to a virtual server if that virtual server has a "listen" section. Otherwise, add the clients to the global list. - When reading dynamic clients from a file, don't expire them if the underlying file is unchanged. - Allow the server to originate CoA requests from the post-auth stage. - The server creates ${run_dir} and ${logdir} in daemon mode, if they do not already exist. - Add dictionary for Wi-Fi Alliance Hotspot 2.0. The server now supports all mandatory and optional attributes for this specification. - HUP now re-loads the configuration only if the files have changed. If all files are unchanged, HUP re-opens the log file, and does nothing else. - Much better debug messages for EAP-TLS, including which attributes are cached, and when they are retrieved. - Increase default max_requests to 16384. Memory is cheap now. - Added "stats memory" commands to radmin. Debug build only. - Aptilo controller dictionary updates. - SQL modules now use Acct-Unique-Session-Id everywhere. - The redis modules are now stable. - The LDAP module now supports SASL "interactive bind" method. This allows Kerberos based administrator and user binds. - DHCP code is now in libfreeradius-dhcp. - More DHCP encoding / decoding unit tests. - rlm_replicate can now be listed in the "accounting" section. - Better sqlite debugging output. - Remove "required" option from many sql_ippool directives. - Set default CA "basic constraints" to "critical". Fixes #1073 - Updates to help / man pages from Jorge Pereira. - Added more tests. + Bug Fixes - Be more careful about unused config item warnings when using -Xx. - Move more defines to be auto-generated. - Allow virtual servers in proxy fallback. - Allow %{module:} to work. - Don't crash in RadSec. Closes #980. - Return better errors when a unix group / user is not found. - Re-enable detail module "locking" parameter. - Don't crash when logging replies from Status-Server packets. - The couchbase module now uses "update" instead of "map", for consistent with the rest of the server. See raddb/mods-available/couchbase - Don't require NT-Password for MS-CHAP password changes. - Be a bit more careful about decrypting MS-CHAP-MPPE-Key attributes. Closes #1013. There is no perfect fix, tho. - Fix security issues with EAP-PWD. See http://freeradius.org/security.html#eap-pwd-2015 - Fix dynamic clients read from SQL in non-debug mode - MS-CHAP now allows retries (i.e. password change) when passwords are expired. - Allow "user=radiusd" when the server is already user "radiusd" - suid up/down works on non-Linux systems. This means that the control socket should have the correct ownership. - Fix issue which caused the server to sometimes have problems when a home server was marked zombie. - Fix format.pl because Perl is now more picky. - Fix proxy to Packet-Dst-IP-Address, so that it uses the correct destination port. - Fix corner case with cursor functions and removal. - OpenDirectory fixes and documentation. - Fix leaks in rlm_redis. - RFC 6929 "evs" attributes are now encoded / decoded properly. - Fix talloc pool leaks when receiving malformed or retransmitted Accounting/CoA requests. - Printed attributes again use double quotes instead of single quotes. - Set X509_V_FLAG_CRL_CHECK_ALL, and add "check_all_crl" to eap.conf. Fixes oCert CVE-2015-4680. - rlm_expr now errors out correctly on malformed attribute references instead of triggering an assert. - Make "break" work in "foreach" loops - Allow dynamic expansions to work again in the "hints" file. - Correct minor typos in comments and examples from Alan Buxy. - Re-urlencode the path portion of ldapi:// urls before passing it to ldap_initialise. - freeradius-server-rlm_sql_unixodbc-configure.patch removes hard-coded directory in configure script of rlm_sql_unixodbc - install new module rlm_sqlhpwippool.so- minor adjustments/cleanup of spec and changes- update to 3.0.8 * Changes of version 3.0.8 + Feature improvements - Allow syslog_severity to be set in rlm_linelog. - Allow defaults to be set for bulk clients in LDAP and couchbase. - Updates to dhcpclient. Patches from Nicolas C. - rlm_mschap now supports direct connections to winbind, which is faster than ntlm_auth. See raddb/mods-available/mschap. Patch from Matthew Newton. - Recommend /dev/urandom for TLS randomness, instead of ${certdir}/random - Allow TLSv1 to be disabled via "disable_tlsv1" in tls{}. - Allow Expanded EAP types where vendor is 0 (IETF) and type is normal EAP type. Supplicants sending Expanded EAP types like this are broken. - Add support for server side sort controls when searching for user objects in rlm_ldap. + Bug Fixes - Don't complain about "authorize" in "server {}" blocks, but only if there's no "server" block. - Fix cosmetic issue where debug from the first packet read by a detail reader thread would be emited during config parsing. - Fix ASSERT on truncated detail packets. - Don't use main server log functions from within panic_action, as in the case of syslog this would cause deadlocks if the fault was triggered from within a malloc. - Fix issue in "switch" when "correct_escapes = false". Fixes #911. - Fix sqlcounter configuration to use "%%b" instead of "%b", otherwise the new syntax validation will fail. - Allow forward references in configuration items. Modules aren't always loaded in a sane order. - Fix more escaping issues. Closes #912. - Decode MAC addresses correctly for VMPS. - Fix memory leak with TLS connections. - Fix state machine threading issues for conflicting packets. - Fix copy_request_to_tunnel issues for tagged attributes. - Allow "ok" to over-ride "updated" inside of Auth-Type sections. - Update state machine so that post-proxy is run though child threads for performance, instead of blocking the main thread. - Allow "netmask" to work again in client definitions. - Relax restrictions on SQL group queries. - track outgoing proxy sockets and clean them up more aggressively. - track proxy statistics, including CoA and Disconnect. - If radmin has a connection failure when running a command, it re-connects and runs the command again. - mark home servers "unknown" less aggressively. - Fix potential SEGV in PostgreSQL driver on error. - Fix issue where fields like nas_type would not be accessible via the %{client:} xlat, for dynamic clients. - Set default busy_timeout (of 200ms) in the sqlite driver, so writes don't cause selects to fail in multithreaded mode. This is user configurable, and may be increased if required. - Convert Password-With-Header attributes to binary (from hex or base64), in the authorize method of rlm_pap. - Fix invalid assert in state.c, that could cause abort in post-auth. - Fix double free when -m flag is used, and connection pools are referenced by multiple modules. - RADIUS over TLS accounting uses the same port as authentication. - Regularized return codes from radmin commands. - Fix RHEL spec file so it works correctly for Centos7 which uses systemd, and didn't like the SystemV init script. - radwho and radlast now have a -D option to load dictionaries - DHCP packets are no longer checked for duplicates. - Don't crash in sql module group comparisons in corner case. - Calculate MPPE keys correctly when using TLS 1.2. - Fix load-balance sections. Closes #945 - TLS certificates are available again in the post-auth section. They are not available for session resumption. - radclient encodes CHAP-Password properly when using -c Closes #955. - Fix issue in rlm_cache_memcached driver that caused variable length values to be truncated. - Fix track functionality in detail reader, so it no longer fails with a "Failed marking detail request as done: Bad file descriptor" error. - Actually add the peer identity (as User-Name) to the inner tunnel in EAP-PWD requests, so it's available for lookups. - Fixes to PostgreSQL queries. Patches from Santiago Gimeno. - new set of consolidated patch files: deleted: * freeradius-server-2.1.1-logrotate_su.patch * freeradius-server-2.1.6-rcradiusd.patch * freeradius-server-initscript-pidfile.patch * freeradius-server-radius-reload-logrotate.patch * freeradius-server-var_run.patch added: * freeradius-server-radiusd-logrotate.patch * freeradius-server-rcradiusd.patch * freeradius-server-tmpfiles.patch- Do not disable as-needed build - Remove the with_sysconfig switch and just stick with versions- update to 3.0.6 - fixes a segmentation fault in PEAP module (bnc#912588) Feature improvements: * radmin / raddebug conditional errors are printed to the output, instead of being discarded. * raddebug will exit if condition set with -c was invalid. * radmin auto-reconnects if the connection to the server has gone away. * rlm_cache now has submodule support. See raddb/mods-available/cache * New memcached driver for rlm_cache. See raddb/mods-available/cache * Add support for &Attribute-Name[*] in conditions. See "man unlang" for details. * Add &Attribute-Name[n] which gets the last instance of an attribute e.g. Module-Failure-Message[n]. * Allow for redundant string expansions. See the "instantiate" section of radiusd.conf. * When checking IP addresses in conditions, make the right side be parsed as an IP prefix. * Support JIT compilation of compiled regular expressions when built with libpcre. * Support named capture groups with "%{regex:}" when built with libpcre. * Increase regular expression capture groups from 8 to 32. * Emit error markers for badly formed regular expressions. * Allow 'm' flag to enable multiline mode in regular expressions. * Support limited implicit attribute conversion in update sections. * Support casting between IPv6 and IPv4 where the IPv6 address has the v4/v6 mapping prefix (::ffff:).- Drop .keyring and .sig file: freeradius-server still uses MD5 signatures, which are no longer validated/accepted by GPG 2.1.- update to 3.0.5 Some of the new features: * Allow LDAP to specify arbitrary attributes for dynamic clients. * Allow one level of backslashes (finally). See radiusd.conf, "correct_escapes" setting. * When supported by OpenSSL, allow TLS 1.1 and TLS 1.2 in EAP methods. * Allow multiple new connections to be spawned simultaneously in the connection pool, to cope with spikes in traffic. * Use kqueue on systems which support it. This allows for better scaling when using many sockets. * Home server "response_window" can now take fractions of a second. See proxy.conf. * radmin now supports "show module status", as thee counterpart to "set module status" * "ipaddr" will now use v6 if no v4 address is present. You should use "ipv4addr" or "ipv6addr" to force v4/v6 addresses. * "client" sections will allow "ipaddr = 192.192.0/24". The old "netmask" is still accepted, but the new format is preferred. * Allow custom HTTP headers to be set for rlm_rest requests using control:REST-HTTP-Header (attributes consumed after use). * Extend format of %{rest:} expansion to allow HTTP method and POST data to be specified and urlquoting. * Add support for aliases in rlm_ldap. * Add support for connection pool sharing to all modules that use the connection pool (pool = ). * "tls" sections now have a "psk_query" configuration item, for dynamic queries to discover a key from a PSK identity. * Preliminary support for EAP channel bindings. * Foundational work for dynamic home servers. They do not yet work, but this is now only a matter of updating the "realm" module in a future release. * Support &attr[*] syntax to copy all instances of an attribute when used with the += operator in an update section. May be qualified with a tag. * The logintime and expiration modules can now be listed in the post-auth section. This makes some configurations simpler. * rlm_sqlippool is now IPV6 capable. Set "ipv6 = yes" to get Framed-IPv6-Prefix returned. The SQL queries have NOT been updated. Please submit patches. and numerous; bugfixes - remove gpg-offline - create /run/radiusd after install - drop freeradius-server-opensslversion.patch (upstream)- freeradius-server-opensslversion.patch: do not check the minor version of openssl, minor versions are supposed to be compatible. bnc#906682sheep16 1621404348 3.0.21-3.9.13.0.21-3.9.1dhcpclientmap_unitrad_counterradattrradclientradcryptradeapclientradlastradsniffradsqlrelayradtestradwhoradzaprlm_ippool_toolsmbencryptdhcpclient.1.gzrad_counter.1.gzradclient.1.gzradeapclient.1.gzradlast.1.gzradtest.1.gzradwho.1.gzradzap.1.gzsmbencrypt.1.gz/usr/bin//usr/share/man/man1/-fmessage-length=0 -grecord-gcc-switches -O2 -Wall -D_FORTIFY_SOURCE=2 -fstack-protector-strong -funwind-tables -fasynchronous-unwind-tables -fstack-clash-protection -gobs://build.suse.de/SUSE:Maintenance:19717/SUSE_SLE-15-SP2_Update/aaf5b424e46a852247a3a9ab61910f75-freeradius-server.SUSE_SLE-15-SP2_Updatecpioxz5x86_64-suse-linux ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=8b9a82174403422f93609e0c1017edb53602fcde, for GNU/Linux 3.2.0, strippedELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=71c759c587319f742dbe87d85b815256f93bc3e6, for GNU/Linux 3.2.0, strippedPerl script text executableELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=e613780e8c01a1fa5fe61957d418435932aea8ae, for GNU/Linux 3.2.0, strippedELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=0c3a3acd5bd3b0eef93f45e46dd76bdf4f6ab663, for GNU/Linux 3.2.0, strippedELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=da3c03304e5479fcd88d925e7bacedad43af7c47, for GNU/Linux 3.2.0, strippedPOSIX shell script, ASCII text executableELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=dc94264f0eea41e2ce435b4718b1ca35765c9851, for GNU/Linux 3.2.0, strippedELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=86aec5005b1f8cf58f7b0a5e46a88f48b0324d75, for GNU/Linux 3.2.0, strippedELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=c442c9e1b304da32af8a77661db2401b72abba48, for GNU/Linux 3.2.0, strippedELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=c46813a5b193d83425338e6933b94d7e236d7163, for GNU/Linux 3.2.0, strippedtroff or preprocessor input, ASCII text (gzip compressed data, max compression, from Unix) #./ABMNOYZb    RRRR RRRRRRRRRRR RRRRRRRRRR RRRRRRR RRRRRR RRRRRRRRRRRR RRR RRRRRRR R RRRRRRR RRRRRRRRRRRRRR RRRRRRRRR R RRRR RRR RRRRRss9! Sb`utf-85a56e220ebd3041fc779cd9c93c87482e8d20cc40df37314090aec34e1770129? 7zXZ !t/;] crv9w5nDH ?4u*DR@˥3iJ2!TŽajqDADbpDAIzwtNN?4;JZtqTo,wk G (LmC>ujeTa2(Obq+CZ!@oCF#/,y异$:@W.i˴; D7%2hQ@˴@g˹b܏@ =kC a6̲r,;Б\\x G$ZJw=t?nqYs pvઝÑ2FckMIiUZ؃,ޝ,/KMDc7}'AppeCWgE؄˽( k^D}\|"#Vd_ЩKЎj3q:9M7_=y,?Ƞr>?5j:p ɏo>U 1Nz6ԫ'#o_& ŸA*)vr1jSxt0!D(:JF(Zh!h3z:7[_tO0VWfElfU$#8)Y伪Jc^WSN%0xqD[)ӶSlM/`q3E /*V\ 95ZMLhI$mOfs7b:H#B4eш0V(.5YG{Z];A&C w(8Mzן'%{ڽI5N79_-(o #-El\tՌuW}o&#Ecg'DȰ%h7jJ핋3" @_j]EyEgݦn߭х=EEB? x*huI=?سM.~pf;K_41Fdہy;s8%xы sd TK}@ɄuN]v/4IR*(vE І@8q۳ @S+j29x.,{=Ch~2~ ʱKVQyc{Ydo*p)CeK?@fX.zH,kDHSjS^F N;ӕ8oԲdwtua(oLW`*\Qj01HzM[Ԭ +l ϕ(J'3DT+=A(d*uoSmr#YhB7q~\UPOz)iB6!jdk-2cC رzdoiy+IHK)o/(L0hV\/\ɤ/\:Z LGA; ۘ;V0Y@SZ C*p'}]KVjy6)4Mb}$=~61iE➣/|Q_蜩?rYqvF.j`cX.s+\ !]"z0:fMP/ZV&KA8x %Ir}iںlهݓ4kH2x0q&%$E`*s=Bb‚ ʰ_cm4@q-*d D%p^O. {+F -4L=`ʀLm>@P03-(N uL^c=EfG$}(>8S"77{wXK2&1Jh*tw8(!l(N#,)x ~Pz"7A ;PώV;Wnu}ޜJCŦч1W1@"Ǔűj˲n(uf~)0Ĝl[>4C[&.2qdDž҃3Rvv5ycuyهusWdUT5:m!%nҲ>uhG'kNW(9:wh!0;KE7I"C=Q: aj5&6BД2^h=PUTov'kzRvQ4BLOD!Q|RN pRd4 Ȣh^dectsFruFW ͦhTڿvC Ip>ʛ,?jsX1=+ !nu?Ts=魉*$e0-Y%3˵c$\0 +EIZŚPzU"8$ nk!}ƥSE&.ȽmEPwiù%5B 8wn~)w+!Vk\^2&.1xu1_1$& ^J!_%s{DQ૸JъK CJbx/ȶYfe!Wv[.VIk|˫HH5֙vQyjoc\@f dLq N` ;rGmb'r;enN. \%̃Tm4M ]9&xg 烽:sEI-/_Lw/.Ȕ>uD%LP6/ŵt蘅w9r51EELOuuwcT<ڿX`¸tR8=Mщmz $VD^^!Ӿ9SN1.3w!*$ _^f[M+ p f^Bu>W_cH&QaۙoI1>8۲ji=rBF7y{~;)eK,r#"D J|GAzKqv/(jGG; Of@ 2 &Q[D0biPB % I X|6~;H_vDM"voĄH[pEok eݥ}uZuąvޢ3PImeT.E |y7 t6T>uD,en O$"V8񡑷B-!:':՞oKb7[VHQBAHKHI؊co:Qw…nsj4kУ4)C~HN[nL>1$9s \ʾ8N(/#8ڶNwiz]oqOͻ0%$=bڌZJ` ?e@^(%{ v£rc&g}fV+̮NUʬYdĸ$梽 Q4--dcGEr6 c㦽a#Chc^8 n-ga϶l'LCj(߱c˙ObHj;T`y[N+|}@ݩ_Jۺz:=m ɢs56IJC"#x;αU܉rTC|o*oY8VQM;WWLg}S% >V~Ԁ%uRm[&q+;ߖ)!Md)H*`fб*5nߧS=kqǨc};G^ܾ >ˢ|bԮ wR>Ui1a'9Į3(JC ^ZnShvX@W h<-5/YD=$[_Xl9֖#y(ꈱkW˄GM?TC|VZ<"u*A]X܀-U&_ӲfVJ*qN}i.B'#j%ެStI:q*`d6Y2zOJML\OWe3uCӝp*޶#־P$AF@54,^5Vpo@ 6c4Xw\PeBsq Y %S)n qǣZZ3׺& %g.9 16٠']8Jd m~1BAq? 楣Iyb+柆N2+cZymo+Tf-F|?^ɼƇ jD"Wy9%xbxa|=(8(JFx5%u YǎʹL zzVHIBKo[{w3duH2(ѷeOC׮j<]!qW&qa{m@S dI[g_h%8^& l1c)*Fx}J:g>M-W7%tWM;Oyn3+|9In+0D⩱Ea |0ҽPe@_@h؛Ψ*`;,gHMJ2#7dPƋğw\?_! /dwQeiZO?h8qHͼ&;dIH  efO)a\u@o`vhPj~~ :LjpSgRDԩQBj1A:N{Qܿ1 H!CE=Ðh,yct\Bį톊C2Bp2+>1(Z1'n/CUp2~-.~M'p̖<_>7Z6g t"P! @&Nb3!~"hD3q=?k]nC'LD_>I{jai3t̽ZDL0LPF1E*ał5&I4ftj*H/Jw q2]nYǘͶ-Q/J*iOU%nw >ϱh8a@Ut|]0Njei, 6+,5sKJjM2?Nd]\< % 1q$?Y30.[fq}64n@yÃII,|b1| `/D;B gN3#n]sMKyeڽ>Гh ։Eя{eNQ<͒9]Ǿnwҋ{s92@3j7hɗOsaHruA홠 \b 6O7 ݮ..c3I-20H!n;fx+9m/^"#2mBD cwBP*vaմBc3*Ĉޏ6I cĹ#Ij]ͻPR1 TJd* חGjU6 g"57`mvZy֥\Va\ EXp&oRqiI48g-Œb3Bq-*t9@ߡ,->z͗QJ3D*I~WI|TW7iN$L\GzlƉE=pb=P9 8梸}C&m{2_:]xA]QC1/F/6?r@8 (VeOo $Kށ #NBMX(ͣ!K_7bp Ѓ[۽Pd Zawm62Rϩ4)" \18ʻHժmkNIrE"{.=GM۝ :_IhB$rCt ʙ ;f5wy٘gxfٴkN6u`Zze/ֳIl,y)NunWڈ#>~zsk:N22mqz ż[XL'IߑꎊϾ:ad$ƕBy0zj!pA[5yG\8ulYS)gBQ.RGI K<nȬ~ft>9RU6t`¸+.+r쭿 @]qg'I ?%"iWt_+rB=>pmCShAdêTI=N2۹TO`׹^Y'Qhk{ P PU=ibs塷W\Pu ܳhGP[5(yYR|GViLЦ`)̝ 퀋.čx;DlB2!`mdw#b klz/Lۼslן˞qc?Րh_3g?8Ig@`A;^ [Z(9)Pm;wM|!b〚\_wSE,8AC*_˟i871E#U5UvM;RUY;_=2{ۑyGﬡ]&w[`&S9鸣a};S/v Gb?u-dOHBzLҹ C_kd+1gp(sUCw^ V|spǧqY|glsG՝;qG׈TAx됷*2gz!a,P J+""4M}7=4x'2|֡=hLݴ{0jGѺٟ9X4ɫm*0Žy(_y_ʻ5fLDM k+2~ "^%äC pDRK.4eH (9K7N_PyԛKx5{Fl7OL-*oLߣ>ܲǻ;`0-܃p lԫ Y}7nքc6H̗$TEVہ5dwwS}׮ӧ/f?j)TKѭeH gu⿶mH5dETIf l-lVab˧J0yQbkKƓ=!O}q ˷Mk[MUI>o f`k_U fC)WПL)kfP(wD\\3_ZwXфÆ& #U/`ʱs2[Hb_N \ ȓy@UPiK@5 ~%L'f /^*zd?O_}m`a4Kj@VXC)L! 04_HZ~Gw^)0^a [(AeCĞŋtW@ Ml۔BD99\% 21A4c`1]Fwqw=k6x9"y .g'rgH,4?UΓlH,[:V@>&!P0©˘! p7Te=,/j{sɏH_яhW>رxxȟyn Ҁz  %vȿ|̮4Ev{ed.H|voVO[g) {V*6/,!U`'vY )moC%![Yb$[LJw$5ݚ9w 3k~Һܥй7wũ: q2^AF?2 3.g䓒sXfPBy/ӀeH i 2KԑcW{d#u 儢+ /pAO7ٰ[z2§}<5-zTInLBVQ-muX$M"L9a:{kXTQVK̎2ќu衋5E.W_$ŵyT'40m4b-@IVzB$u^}4ff]?{a (rc{-T6FT]‹Oϩ<k%Bs8}-Jg9ڌ=;75sW(ծ,~#$KkoRB!~m!̟“oYO7E#9 Am.KC0ص*v΁F p!ZCFq+Ld ~;&*s/ѳ$iѐ^t)0FSm ujZfOL!"(,\=\>t"$z Ƶ^S-3#uSfP :9 MJ#"lI4 ԠIjqF8מkγdz$#u-2>mل”"l^ҫ_O*^ $d n͸t!lr~yD-LRkrn >0ג{ ˵<*3kqq#xi`Z?SʂoL_\Oʶ7qEV)&̞M8,OyFQ&2"i"9. 3ip3wECZ)4I9)P˳$XoCqYw$SRny3@1;33*B"#Q47E;R#Q:^ڌlZ&L]#Thvx¬h(Oig&LV#Z跷u -iR[wG1&@iE_T$۾ʼ\ºF]}`℉ҠA+PL`Ƒއ\-<?k G0a(|DJ%?dSaA6^tdcIiϘܵ'Cn{"0n4+Jsm ߗE#b2& J/v˜b\glk7K]_ CCn'eI鼂It9]?R Lzׁrَ߄ǿQEHEytNuyS5r5-ĒaYQ#jGPYh1q .̐՞, aWyF'IۑTƯ4[զ5l"+GҨ#P>L%nVwŢDN ch_hUvȖ݌;KѝX@WHJN4]j~lsG1v@Oܯ3:yQQ @}  !o^9gԥ0H?r!:S{}4T=m gW >o';)|-$ 7c7rUYz*]һ^,] C9I0T< $alo_)ǫkmSyqj`Ȇ0 Bub1big$՝@ijWn7/"}TAV%mbḛW5|X+cރ U r}BV@w]:ta|ͽ苼~tch* 7aQ'ʪ>Y!?'}f䕬Z6yz"cSF9E(^caBp)'7ub(Z} jO]},5HQO1<sq zXOpТC&лyg'pX6Ow.T`D-"5R?( > Bxv{m)Ji2~ϰŰrNGm#t$1\W 25EKrZe^nS['A@ `Z+ag-9:AF><,[!:5GVc#*<P=A MzX\dtL_G,]@1o.'k2x[ˆ+F~`Ǝ?Er l1z=Õ3e| /|MQ O|y"!p\(7`Z nQ(SyX A C[eNqWбƵh%iM EDVf\Ւ"SbY_:Gdj!hI? b;ṽa*ycYRt,an"u˨;jVh.ƞWܙ#"v|S҂ح25IA'nY*UҿEn.6!k>2R>Abm$)ncVc]l P@ĻxjX╧YfCM<.>BW"4<{1z lJ%2y(W *UX;ҌqlʜMö MQ jy)pSTS-~wm:f5<:{xVsg-_+_eU _Z!.ۼV>m\ ꋎNp=*Z=7xO_mEݕt+ s|8n+b9WY]`|ױ/J=Lo=ߕ_@Pr8W9Ó.NI-Nr`!da[v)ov_&CΠ~=& MJ=ioEd~.:^kߨfOdb3>5b᯺ʗ  M2I4bf*01~>2qʁFvi#ՇAY'( e\%4@Rh * q#?w'syS8; niUЋd7docaps")7yoJacΖuVDP>ԓC tР<3~3-y3ïk(oeׇ!y*G!j˛/^f`;zXxi:U¬2IZLO2Q^ЅŐ_pL:w9n T]$51V,||RF7~LԚmva;4g7ֲH?1!TD)T5K^#c*'d$xZWkv6P=Y2;8exBa,N8CtkdRL2|E9NYH@Z,*vt$oDƋQ3BjeQa8=*`e)gZ-eb.Rsjk)ldh6o\bHƮcD*hĎ""#鮜oa؋4&1C(d+?olЈGuL]&J"xw 0xmo=kcS|a'e gio+w#tKH*YX_*^u&>ќ[bVmbX+1aZ g*#CC$@2>NNяyM6Ch3>>G98^<je6\N~ӺZEfR]vb[+_É;P{nЫgq3i|àTأT*-[ ldW=&uuYLo@d2f5~b xI;~m=r klQ~ FhqZk9p40G\^ P8\q[t0gʚS70tzb[W* l/#QQfRpϿ `"]sb# ȲY"fpq.n~qJ4UsQX ~ EGZ9uBܚxZ~q+H(+o1t=[?R_FL#e=zZ*'7#Wn"NbXߐؑPa'`E638\}jE>3(QLsdܼv!vf#ۥZ~xbNx{+4 "D +-/ ~GAnFک[!i_CNx]FC @?pS4WwG5Uǥf9ur- DT 硒;gEPܪY[& FĜ,EDq2\qêӭ _zX… <ܔQZQ8Q냘$cil]tM[~4TD75HTY9Y3XPӫh:y K*)z4^< giGbfq9z'5D6a Q,OM[[n-X8h$n"9 86R/<^"E#!8;{B:uiK~u7u%8 e촋Zs.6< L"}%ŀ,૳9 $f>&iu$umt\PNL6*Q; !}&ȧ&*P mI2Yk/§QDVmn{A( HmvhP3Ҩfі%Sc8 cZ@lOw1 |Z CG+E6n"R y6*ueΙ.X{$''6ΰX8+#/o`ݱ5>ĀEUvu-}Gk)X0lWW.`"E R7jj<َI,r~m5TS8r?F): GU9$1LG]O<{NjDZ&M|(zOw}mY n*;=]Q ;n2=wsfTlǔt͑u⠴Px m"B45PQsĞb3L:8hᑡM^ BH?%Ac5@Aa!ٳ&^UR~0 Bgsӆ̩oSK=708o*4[!rϿ~=Yv1ke1~j[;%Wz}mw1ܯc7b|i]OvJnl\z2v#t bML lXG}&]qdiXC8[o 0=QmVA>)\8#O8HnUWe`o߯߆[hˊqqxgUrWxe( ~)M7ڍTk2>c3EM_O|oHr`s%)Ą -mw~a Xܸ"`6ٹo{{sD-i>ޮh#߳B9e";mk./[Ty&mӸ)Bm<)xzzkmg/Әc 떴!Xk$cOժG;]%35Qqi"ܴ-(Ϧw$J|KSYpmZ6%5ltj(s˶K[g`JnPF\qHY[JC)doS?M͓rq$L> P<Jĥ1oZbt[ti(/ːcAOtɕ{o0t3Q[v`b8J%1=jEVU߉#Pq4 { +kr{EvQ"_R? 7Ay(-!A$Δû}+E6B?Ao[rB&<Dg*OоN ي}śW%Ꚓ{k|0Vy1 aТCp *3S{êZJ4Qś͑WyD|]eeuԷ+j5Q(wt@>UʇH"mӱfD\S$L%s|n"94xFiG n+>rӪ륧ddأ2^lOYN)#SISܺږ5DcaA]MB| _캏i/J%nd |jz6yKvT\nW*ƨ0j5EˡxI;^7 e/xokm]됯(w UM1H_67ߕMnFVڲyӉi.o0?7#J8nDu|ZI%SKw] Eb.^yNXVOX[ML]j2T!5ӄC7%eW~Ǘ}o8X e^H䠱AdQ%OanOkSOGW |QcÚuVZeQ.!G*i zEjJAD nLVaޗ?0 ^}JrV@1Ȏct^UJK%RG*UN4ZX4r.Pȯ)ĵ=Pb(FBC֥ &x*G QT!s^]?i}_o'MY MEqKV dUnFY#uV$rU^`Q?;S)UKÆ-Zѽ)[ D&Z8t WT4y6qN֘뫻 oi@p15- 5 ᷽xV` 9P6ѣy{M@cLกUGp,6Sgۼ]F8LMl/b.ɇ펉z-G6cpH?>nv';n55)}u3Q2r2)22O"n ^ȋp*WU3Ha6W1*s Gv^r˶e0IH Q7Ad[u'rAMЭRrIkgsULeQ\]\ɦ޸}U&Y|bEy5sˇnY6Mu>Mٸ@6ïF{BU1iF!DB4]j,x.(Y!EhSSo}QlMȪ벂AL:r9=Q6^#&?Ju0 Jw$Pn E@d{ɿ8М; -A9URaߢ+=Q#mse9Ӂ>c e`1O5;׿)8c<+QqV[.2JԱNhͶK<%y'm}D'~FK|<b DZ\l)䈆YSQ&Ck@؞'=`لaȟ*ל&Ǩ|fe(&B~mI;]Y&GQЙP@fN'z)v냖 _?[7Yl㭷aͥ2vvi],c@㰚yrՔZH*D۔M"^Q/]c)iirF3H1|x_ ]S(d.m,5БCvTۑ=#&ΩW\ 1nPRۨ~JhǘS%>檅1 ӷ;/߱TȤ#~PK&D& {"L2>l"z="|D v6@3tc9[mڅa4 ǩ?XA2\m24˧{j~}}1 &޻QLjT?Vz G0C.8!苷)dKWB.I3zZ"\i7M}AN _ӋZ'~20aCMe9r Q.3?Iq | :uW|,e_ Ǘ?@Ȣ < o''8-(m+S#ߙSbh.0兙-h'/QDR3RỌH~ۓQ`~D>yؑ4xL{Lw#R3`ӎR' [>Qg/uuOM Uɀhz^;PX&烻i V n#'71N6V'o0IJ晍e@*N"`3[)k;'L*S:EH0hМw|E7Ye Ꮚ5Tr$?|ĴRE<*@lc{+ךq-K \hݸʅvasث7җ_g&V{wO]~;h5Bg|yywvBgMk]6.4_? FmDۀf^R7CDlͽS?rK08etp^ZkBS]`n #Z-cH4Kf5 Z<-qYfԸSI2^bO:_n "\668Jn+\]=).z]+>} A~n8qfpQ|]e4oPIa-Q='슥_M+ Esy #HYcW,.\D*]SF^X8Yw/Qjkmc:X]%WPwi+DSI>0 ].QYHl.iTƩ4cD;icgBL*mkǤGa:Fnj<[db :ybV<CR6ٗnקJqZ*A1aMY[2؍DbE D=<D~LP` ŽNod ,莎7mx`!txE%Uow5_ܶ4D.ŦYNM>ۈǻ }Ӎ { #..x Qln;Ř$wY8$'/J!=פ 0>[h琀Kc>^  s@@RބRWS1w4ghrlZi7jbELRr7UV, ֈՂRȉj8-B:t$i{cVѯn(X |_]oS2*ļ|ֳEME^"Է+EH90%&m͇mۋDyɖf1ڏ&aY9PGB((2dx͏cqԂNZhR,3j_<}RHQ~Nk} E _- 66@! /nL#C 4 d3QU]X]XeE!^Ҙp; ة:{t#`ӧ΃GhxKmGԩVa~91*zkQZP~D}/֢AM/k" dRt\⣸s\Qy`fD;G{QhL\xgO X+ ߈lkŤsU}+D;X'!5`Tp@:ϽqBsy: )(0=()6 .$7sԢw->/CNeG{w煺oD*wD >rFb{*q-C)=+KSǐ*MG ? kMryP &ӈ/=J $yBcK^'Dkȥꏿ>%6 : >;8bc{X7m*TNNFn>z刬}XLbSuPj@[8/I3+UQ﷝ $#b(c1Jozbx K+w*Uz/5)v / Y;tz0QS lWOPռ2TPI%O{ݒCM){rPp经&~?I8a"\| ~bH䆑7˜<h@yp`|Bn'. \N=5^9Z4J vgcz>5R;;LCGϷqqQhJہrI& &1GJm)- )5ڛ- sSؕ-!E<}?F=UU6[BDNR2D/zd.>Ixe㡽0qG85,sB''!˿Cݻ%hdYNx3#;B\#("2z)/Q05oҧxe\cNi=;sW` >A׽ʵe{dkPiogXqgUY)`~ٙ^*ы[ 9⮺Ŏ]b}ףsB G4}x,tnlʐ<| Xw\ed&7 .JNoV͟+k,nqP c\rFxnmԴ@J$LW?أZcXh<&?] iwP[ 91;Vz E};Yɸr>\Z`ObnS;;/8m_'yX+=ECU{ҩ[.Âioמ_63iUuzh- zЏrEּxk>@rbțݏˀ9mo4xѿpT U,:2L|}0Xĺ3LCH1|3[ɭA5]rwk-U&Z G-cd4Y[wht<ìHsYzoꅦ;/@hT΍M} ȰX CTc.f6C$b $?'->0b;#G&k஑%ӳaW# rW&@`l* A`[𜻠xPg L/k> 3A'ΠR#z:M3T!KF9ni+uKI4k0(E-P?e5EOM|I3˕^Md[@Ql8Yg~r1&}#"7i݁@lR$ YN~Gi_4=Puݕ9n057k;y6^zcZ2/Jm;0~H,XtݐU)R?\W&*̓'ԣݱ?3AĩvǕzZpY6O1"XBCr[n.H[_z?NZTбq|9/lhx\[uڦNXDHT:Yygt B zw)4ZVgQ薊@ʠsl.TQ;*?SG6:@-YE7~n-<- B#Fu+Aɜ/[2O;Xƌa\`xY2fX(n#D*P̡qgmefە:oa=ngK#Gtu[[vN hpY)7E$|G +)< jLb৲68M' 6K.y5h/hpSfR~fwcdEa] <{ԤDl"[2n׾iV&DhJB nn f،. ^4Aq7F<,ZXHPGdI2dc5 2C/3h^c oz$O?tikB!%L=W{eT)`"fq^ȑ łB5]W“_6a ڟ@QxݵVx|%ڪ\QtQYtO/mN_ԇP}bb'$Tcu5+}OT Si,Ի ]򋝭<`FրvmX&_ B鲱u+ӧ4sMz@P$:5$ V`vawc-NExS+?4̺n Ű8 \h2̪L[-қ;}LF*DI09Қ4oϥA< 9? Pvތ1}ljK|fVm+?Xy,KPf+[\|b>ŗ6`!; ЏG&~!T-1 pTUO E͑V7:UB& 6Ou$HRy-6حXPz G}qeTdK Y=<'|f|  d!.g!7? /y&mw⽶NwNvv4*UW8@nE0籢s?eKChLo<9wz'`_::J09XmDnT>G딛LcYR{oTѐK;4t/* ߿ޠ(p:MyT5k66XVeH[|0}|ՖA;GC9|%5G,H. "S<ƣQsLax yEsݜ~QAx`AH^&0t:[S,=p,+LPn5vk )T^RezhyrqOء+L&zoq3RđF )W>F[g˨ΌMpk$b'u̜~*M)|yoguD )FB B*^JW$;ʹX=nCȱ?Wl_r%%x)^:"a6y;pp,m<lq 1Gk 6j+}.0FaI}}e+A*"!mW'Fur_[EaDm`qo@I0/]@($@̨9>2vR 'X]YNۇ[*e-]DSEQxIJ;U-qF6Di`?:0oxMZ}1S<>i`s4ɋ+YNZvegY+'TdlowR ZC*:]h0Q_F)VmЈV8-WY9(Wr;=v2Y7#_fjD4dۣ.i?^_Y {Qz_j5/g"czrqY3tpêa+ӸRۓ.ܺS. [,=|+-UrdS6Jm4 9h@$^L<ꦇM4"}zE\ep i?@4c ݢ{Uf#A94 9MֶprM>5=r#h5h 3pnqblf6q=J(U #ױ.[I AbuGd+sḡU/io2nd6L$vQw̽Cl4 l0#G˃i9ޖ.v<{ZXnIv6^sQ m5hSGW֗=JǔV[_1GH6<|dJV6Ϟs"[.2K@L85_N`( ̸3`a*18ڮiS5-k1}Jai;I(׀0+%v6 m 1p6Euv.`h<%)P\6&ɋF>33:k4qU,wȊT|CοSu[ffB 藣U:ub BKyIO1uV)cϦ0 %-]ah^"RK\&hI`%faG ΅gY^Ӻ v9~^ql瘝N2'ZIՉ=82 Af 'M=_sZ^p @;pCf%tC_#:epo7s EX!_ݫn^=v@{ԩ{ ~+vI˞SC.~,EAֶcnq h֨]{w@#K*e߯Ϩ4(FSGTmQ 5 P^_KM1A^v`ΆpfVDÙwsgkxuʬs};,5WɲT?•8븁_u[gtГRK&*k#D:2*{d$J;Q{#%VUqPT4H ưߕtS  mUݖ=0*iiSq,wDvE>~0O\:L <*1f}L/lGPC9N~_{ 8Яn]'@< L@# ŽÎվ̦m^!&q}Ӱp҃̌+=; p=y.UJwi!fݪѧD /xjuDت3gtSm*'NPz5hXug<~hMkkdT'*mm姩kot^O:gh!Z?p`6bjț0-3ֻKwLug Qja àېI ߘꭦ&s0{'eK_+@ij97l\BMF~`Z:")S&`+T&Aa = 3ߒ*5/zwIl!΂߆QQGGFZKJp3}@i)qiNX]z']›L:+xF#t,2D7I/06Y;kUQ//hbK_P7;mqlp0/K\v|_MnO |ewꘅnoFn9?DGq-@x 5 UE^2`&O;RUD%U68o;T5-K/8fc.ûÞ-z)eT9Z?Bv'[gm:dȣݓYHTncc-(C3Y^SbƑmk˝Y*'OUNI60Tm 4J:= 4%ߛ8j:9e-ޔnKs9HS bܻ,wqEjB!- ".UN.{ *3r"oР0= m3o!k Cm8C !]inSھwͣ=YK eJPD[A#cnT:xmؓ%/kUxmhe.fl#(9=n~I[`wiFT4^4kU CdӏO')SSCɞ1 Q))Y!)USE\^>Ӧbi2okߨYS,=&~ \ 'X_>1bB 1pGDOJx,wme>߹[uIN&$JD4vg8>T>N,7ef u7xr y2|HQYN7P+R2 *03VY_J)6~+*&] CN|)` V Z[z:¿$a*(`K2ONJ7 Rw:ywΎR:5't5i{ї$^$@2-  r)WlEqnaCɦ S @!Y H $4\+J\Z6Kab]44 jDރǂozk̜{gh; TO J Cj,qH(-@fVk;n,OK ("FvOˡ'ͳOȤA5YX>2ORc]>#W}wη,o1TL@|V>3I9ejo_x+.}E 5f/!Jf vUR EbLIRbKm٧ ~A+=;Ba, W#;XaZ9upnr&JɃLa;r~jwdp٩Uw n& @3Q (wm'' <=R-xf#ۂ?bֲʅ/ 4_RM$L6̆x\h(%:йDHR㡖CKe@ADb~*v@T$'u gϢ7zǂ$\k?,_%/CxAWŐ)hy[p6=Rp,AAkJc;EW FQş@[ S9_Ȭ35u}˖cj7'u$,/6t'*'d ym*!6[p/)*a \ݽG>0~bV&. b~5hl+@%uA^u?cұ)NA,#K=c+ 쳎0.Nvϊ>޸'Kr}r<@;N}迤dߎub{t]ͺHORf =٨ЯRG<=@vD66ud،\I~/޾:ԍّjtvn2e)skإ=M94 ! Ȅ0yq:|̑5L z}zXAUUq5E8@w+@X|<2 FCJL |2 X Iݨ`*{!pVE qI;׎B~o?CAPEK K/"~ {=5&W{dZdKlX[Zښ3f~֜ؑf=#8,"BUPS2k71aZ=BT /L),^R|>!]6V'$-?:rZEu5Yq&`|A-ydÞƴ5$q#MƮٞǂ<ܺV0L?CSCT*@ kLE2;- 4{L1x00sU{5יU9AG3]1aah]sCÏ yj/~EH`*NFNƆUTU%B=;;*p= MSbn@J3NgCF8znYmy8YqV0julwi䑳1|gqqO4B޵CL]6|ǍaSEҏNP}rQqiZs$S9{v'rsk|QKX-|"&Ix*.4̪x[+;"ޔ+i:u!klLun^i-\i_ Z(-佑+~=ֶ1T!i֤-}X";Ȍ.Fʀf:U"^R:(GH;gR-JÎOM2D"N=r࠭(DS3P.yڶbP(jb_>Y$~Vt#3e[A>cˎ3e_)`ARnDUIVH;w54jBL.PժWq1Yv,skRwd|U$oYSŭ$*XuP !g^j Z l1o0ү}i )u. ;M IȧMD] vcY<<x5$wn,;)g bL#̂d"(})dn^>3s4kxXH77~:0fĖm޲~P9ہRpNnmf^Tx}`)؅Yro{ 4vajZuI$aƦxOEcu5_+PűqeuЄՁh/g3ox1 tȌ83 wFڻlXT!#0 MíEVo9d ccHPz@A*Û-Xݓ ubmF^I4Qgɳ }*l|,gdh̐+uUzǰxM*;.F?EnKTB ER_i+V!Q^|:@bzg~Kr&2y|4{( yo-\"}zL,[b ٫ EB{[)snEDyxٴjXjBƒblO(Q c-| \QQsV]D^ѪHio?T>Wx\m Y@+p %l6 paq$h!PA: tWrrxft]2a%ud.MeM嫙Am>$}=VX83nojQ#(Ѓa -Y _;C'A^TB DV#2rer_ m092c|icN'LV'fn/GM) <!#MsR tK4WĐOQ+4Ә.h~AٛWLpo|KFY/jTΆ\Y* }U@翧LLt/jf:b .IGN }[C}2n';]:[R7.O\kMnyld̡eTS~Mj7c{=gFc= R =8'=1X2*mf֔/r6MG{kY,rFj [| 6@9&!X3_9K6OǧtMR~Ͽ!5!_,yGN`Ba^PedxNsZxOOyG{ɕ]\V%}fpʱq;ܡ ,/etu_K&wrȋSѴbȜ _;Z 62mf.1ヨ2֠_ \OH.|{QjISY,wq@OLg䬋dxWxZkH9+0|X&>ΦxE/ц_[]Z:e>[r ëfTOАD\%Ft$)>ŗ6+9$ PZ@~ZP&~q/uro.Q@N3(U쌪0w^Ώbl,PF Gz2 ^2Qu:y,W:m0AȮe@En@kbZR(ѓ7:i'.ܨ43#!WĘFq52}:t*ʦX@jOXУC k5VԾWЇ<"[ 27`)n!PrxJ~)4ɕ{0&0BwTBk š )J'jc>F(v3fk_aɍ~$ z MEQ}\)Z6JggZ"H_)#n*vJ!bt$'Gsl ^2uęA')j+6zG!ՄV;/?1Y$k7 w c+^ 2Ye-#9Ni`IHiq eѥ:ڄ,Dy^fbX z2)lWRujDBP,/)g.n,I0ǖDb}mdLr/}b߆yZ2!m;=3ʏKn2_Faqmq?,1Н)E9ouwm:dU<<|_ĆP3/B"s=Yۙh>\uW8R@YGV߅C*9#2 {l/ߝ dC-y4`yJ&FM O5=u8H qd HYR#rO9FR)),2dT=87@ௗ4fA >ss6)'& ϴBƈ2Z2 KLS18U[cG!G)T\"Ç-k'g pTrY嵘piY<'CEI#NjS9򲞈 [XVEϟjFrfʃ lAtY+ng:Pw*L*V=.Q*j"{nHTXݮHAD>)bW:X=tNm荧 Jl3bvO ЇƄK˖P)n0ɖas47_J<xk3|v8J=>1FH!E 3H$_bwcj@|h'WPD~:046/X)G߂S o%|ZRȧ$2 巒9٩{W'`zàY1tWeѕKH,ȴPvO 6w\L[<܅J&9;ڸgF^|OVD+49%dVҒtq&lB+x9|͈R秌f`~AK;PGBJ{To}ԼaYv|L &~WAr<+l BZ@IS%z[+FPcZ1y᪼kA $,cj%{HtG7DJ7/o `4*ѯl$~v_H5jDXf0?=0A ئ3u$]]R=4`ط4@5j8'ނaאIo^OkfF3_8NЍҵ)hI\.b]9Ë)1WY#O LJDBիR@iV_ 2IKI'uj =j:Q]kѥ= x" b꒩E#}st74v>enS!\ςT2:s_ѿՔ9SSّVӝFP56ۡvCb&uШe!#X}r?Jd@As|A$!-Q9PgK2saBoB -yכ+?VY'툄{ 7~"1K| F&96]}E7w.pt:.H1ҏ}溸i}߽tk=Y1Hы!l2 dݷEx{0enO-l{+6C;,t4("(H8>a:N֊(QQY9.8”|2:k:^D_6MZyEү(_-n 5L{sml:hT>%,ehzNn?=Xζ! z+ !=͞:~IpRpZNhel"DL32)ZS!5FڰQ[s %j0q9Uk.,3MӪ~bסl_;XڍXJDS=*yfB$S0 `T Wzs {җ=}gMǣ62Kmi]aB)šqWHڃ 8} I7_ՁlK7V3"J"f6{q}.oZ5ag>ӔŴ@hdx~!*:^ھ; [SwݺT n(4NcX[GiJ-D?3vc3FEjTCܝ<$>0E퀶i׮r.3OʸMi\bN})JBQ|=եOL7R}-|Iy{'Ô5a)Չ$觱 #9} 得NyUwފthzbv^bQe7FȖ#*[s$5RoS=߃Y1DEiĠq֎=?\|ԔemXٷmݓ7Ms挝O|>D%ͼjXJZF^hJR/3cʌ׹(CL>vn07bN %)9C 9E)z7TޛʤɍqXS8(MM݌?V0/~ F׫eM P2|rkZ{('r5#Y|.Daʹ._N.Uϻ_r&',ix6 \:Wd(6<59?]ϿT-DHek\tW1`DĆK8h077/4,0eNH-.,j6+Fl/ ݎmUА5R܀/|ÅC 8/k}ÈL(|h"8BoiI MEOkp*o M./iNTvz&c/]ͭ[=ߧQ%[9ʤs.g? %r^KR1=8Z5-ãGqnQy0EZ:$*8QwM"aHX`'h-n^R&Tp&m2ɤ :/@.l26o^ /~U&seվ@,Vߜ 3Ae>4GĦ'j/~SxAH&QB)3:FmV<ԜK(W_,[$V {b,r\Hr1[!<`?ʺS}ѼuLJM7*{_')8JldXxۓ67)(gj긙?QÔ r !ˏOUE3n*B_c)tђq@5'k6Ї"D g JDcO fEv<m.UVG?{ Y/–/w,U_4WTG#Jڐ.|x_ʭIGA X;PJQ~,Ξ 2W8  aM'ɳ,nݿ: f6vr]M?$'ka(w1TduUI0mX|UEd׸$k|1C%od%f#k$a&2_!d!g('QEMN؟5tb&pA?Sz~._{Qj0S^bYV"5,O'_p)W{O:/M$uѓ.>h.~E( 2 U Zf4%%DcEG^AApU#4Ѱ'&r]SUIhDA4’&O,ro2vJ"לּ~_Z}zJ( j3(Iԧ/ԍ%rZʀ"j2vwt^=⚏eV<{>W%,'tVS?v>S{{w,F aϘJugY'FjL~"eT rjNi.XҮ[ġNVN$S բcrePvƒ~w$V/$xU@ COعF֥c;+2n4\ć(,]Υo҂kl6׾[b^%D`gLϖdb(+0@%,C4\y4۝E/ycd)hֲpũsQى34'ߨ$ý*tB"hۮˌ"Zd³&9BmVYG6RX5CH`ӕ0@teV?3?(h%lheF!v1teI3X9q靚0Tm\O)5:6]@ӮGtۈqD-)pp?J`TI|͕uĆ3<8l.; .& Ju!F^J4*j3}‹HT E6Ov v ȹ}r=-˄Ey,ŗe.L6J>2r 5v?312d((KRtk h,D,)ZlT*Z^T=],]u:VXw 9jXꖆV0=X N1U_ϓ0ݍAmySCp@DHfHE;XȍeU9΁P~QG$GL䚢 H}}}[Shi׍O cF"qmt rx}@o Nu`~.ϐhz_'E~Q~Ȣ2#1@ M n$B;xb?clJ/iR娫wD#LX;mT/`CʢA;1}8~"^6AEYn[X(MM61x'%Y 3| 7LT(ϚEVm_vOPD|hǥ@Z(sA*z4o k/K/L_c0 + L.rDg=ey]Kj:]-):~[0azˑ%& w>QYNyW:TWXь1?[ƻơT)01x\"ɨ?{ N+:p#/A9D I,(R$Ă:,^'MhPnGK>Az2%$B|yΊqk|rPLxS Sw+ *#2n\!0PtSߺPVoFM]JNG=2,QX)n\ZN%6L2Ug'ٝ! Hݮ`{QM;ϻ`iȮ:wQr7^Cڙ)Ju " ^Q9FGG}1jDh5!n9(yʑIg]xu5_mncèP!_aֿƟMky67UzHb#3SRnXJd)ܸ/4 ou!԰51%l<ҹ΍I,E{ .էs됐j*j% XFl?$26?&! ?IaJ/ue` k 8&BH9[ f[{ǑR' ,]g" ivv$343b5u  _\2#3FSuA:3?)X>NM}%l —{7Lap1c-"d^;p>g&8#97]2T[Uht6B\OԱx /08ch 9*%&Xߍl &6L#@hw jkg^Ne}o8 اay1@QAmjNh f3)XݑZ g?C୐s\кc9>M$Zr'V*Ӄ)2FCfeN3rٕW$p$'ְnJI[W7sPTPa_'rӳTC99ɗV~xVj14=ۿkNV_UIQa\7iX>w2hxڌ EC-NˡaO+p&DEcË܅JYV璖(]%HZ٪y l ^2=8l%Y@+N΄ >MS`2+,]7!j-Zp_*Ʈ:DR,8!=o?(,1Ş]^Sm'vyrO'o|?`.KTI1frO@?Bt qM<*P;XvJ*+u|lgU DxOECZBu=д+OP@ FRn 4Z>V$ .Zj'y*4W¾8^V#VP.zȰ ǘK5szGD)S}+/M^'U{Dt0/EL0Vy(PyGZ Ycܵ"I)Z {K-iׁ'׼I"IC<3L^ єjH 4rAMz6֑X~bR4ZSˆL蒭"k9@Ļ g2"_!R;5{ #We^30XA.(ӈ`06š8@kZN5J-:m;~4VK˭ H`8) W/yX f[$LB_85b#Tbɤ-3Fh-KVO(м.`+#Ɣ>6߶P\bRP,t'toȑ{[4ͮB2QuĘ;;jHn,eT\kg^qCY]2[VvFn@H!jRi"r,D{xTtIl ;8F-" NYL t4;mo$o xڭ/.𶋕(&T:(Z^u 0Xp:cM;1t[ݶ$ ]* /Sr?5Lt EZFv4Yf e28}Y_ؠ +&u+w̋{qg$aG7TnmRa`&Pڴ.MbS|gysi/|N- 8\Y$ !vF%24IEy$7|c[Gg!C2#C$Y+*Yy^L paXc`+TR*cZ7_p0,j% [Ń8\ۊVZBsR&DK1&`$:oj1խ+bwoa ,K0;rPN(gsUJ#RZmXrt+'2;gX<TԼI.kAI#) RDadz,)zgN!6n^6ꀑm݇_+ [54ۍKU0!e3i-HSq׸<[>"@%q rx؀=u$!aXk&;ZhuP 1]>Ap~6E98I ̋{MP_nDE 21$9t7 Ppc]4mMrU‰s^mXR3T͓Ҫ<޽^Ӊm&5z$pEN w="%L~P  \˲d;u@R*kt$; #C:ɤK19Cy^IGv~ȏtP#W)MkL{Ja}övj6:ReܟV%5Z^aM*eϤ8ƥR~P @y߱)59P4]̷J+Iv(s.\d⨝$BJؑNN3g?*lśA#O懭Do-\%+Iͦ?p!=YP m[Oh!i pYΘ.Q+~I\.s<0.j}&=8>8~3Hr Gbmb.ugerv!D7RUE5e$m44}1XQ%J ƟnkgBRYT1Axҷlq+A=؄Gcbƛ>^ f-P(Sf1BC&Wu@m+ _Ej+쫨,ne.,V-fCFĸh:HY μ(WtIn6藯gdQPuG9#bnOdžH(6HH lF gFo cEP$Niޓ8#iq!G+3ӟ)f&XPAxSC+=gD<3.d&%}Z \-MK-ZԨ[wb7(}t>t<ӫ bJ้ņ v3|Vwf'.؆؋T"u;Ql_=(-ݪE&o+Uoi+~єbr4O2 `QKܛS''w;:#^7kSA+q[ đ1~o=ȸ.DÓ+V4.gޮbJVNzҳq!vQa .BAv 7dQѐJolh[zw!ϩՔs^6.r?@3ۺ?w_w#%Em?eOinO5psHnYݒ:yq*1*O3}l 1h_;SN A =* B]ZI&W4'eGT,'3xhg*"Ƀ t&Eo0Gz5g7ӰS#7D7zWba$K+Ch#4q'{O`r{7l%1HN&:dРy :[Niٶd34 '\#s,kbȫ|&im}QEz qۮzY QfND$g ycsjT5a`9/\q ZJ չ}{ua'7^gKIWOg]Pg,dvqkN ( *.C_%,Ls^:n7U`g`͉1TFvuyJ r5mP~՘ṶP#XnxagB*䓷a^nFj$mqZsWU׾Jg<s yV||ƪ*>~%6XY3$|1'N# 195ۗv?ܔl[3/Jܵ4ZGڛ'"M 43̹S4oĊ{|:;eyR9ZdhU^mBwVoڨm[h[*9OL ') lq+Dم)gTڭ RR&յvh%+&0M(* Xj< |Cse[gWE8qb_ 'N!rRwڙrhYl%y5: u*ŕMah63zBCb`&!}\xc!Y(>ETm\yZydhz0q=7R, NLVuVB@uĺr.YANd{R h:Ą^kބ7#M'6yP4 3 j>BK|Lj-Xvʢ4N[V) A\UzHh MW.ϳ4g-r'!)5Nqt~K(ͤR^w͆gҋe1G?B{ߓ3{0DZ7.p>A "aj;vʟ '%f4Vy+jԨR= <ԫ/Ӕi~?F,l/83B\AYͺ)˃Ue˲Ip~wOfj ʼn[Y0 hj,T.Ff)PᇸԼw-) `iJ U>YIv>i8 wK>.l.Rȣ㼵6N™gau*D{nG7̑4b Hqɲʐ{sa$%]1$cPK]&%9ta"@}1Vr%UVF$2+-OO5c^xL ވ.49NԲ P+/ vGx'i[sV8\,&Xq4M ]5笠8(|3yf ȏsA0P5Фі0|FJrSQW{m+nСx1{e vF"*C.cNdW<d3]\{hJsZ\\x~u[E`4TjnNE%¨UkThJݗYF ?}r3p%t 沨{d815&Ogj3d+gv+Y e릣X<ș-1p Z({{f2UՃWG*MkVXTԠjGðR|ϐ=52B]ٙ: &n6R]>x4PXγ>+4T3nˤWV)>jN{WqO[Aםf)xC[Ia [U2  zwα2v Tɧc||,[SK,> ]=k'nGhwT~p1\4@[oVKT~Yj},fRˊlUH!ku!Gllb$4a gN6 C1:7O'%Z ?r̠![d?8)^K0*ޔg},', 0%lcꀌ+R|^m5itڄiQZQ{lK0ֿi Y҆.H t v\dSu=J{B.X"k&E=PbEξLx9Z yK+ƒ zYt{wf=4Q8Ip̷ͻ̤ZPaU~~y<$b &)X-ךsf7l0?IoRib[jRݢO,xȺmwO)jv2;psÞ"#4̦>31qTH|uK6ƁCzIbN&fyc囕o2D\7G>~]\I Lq?vaItrkFN2YSq:֦kݼaw櫛z7m VJT0f$fy=6za)OFS͗!j4rUQRݱ) pczvq3M0Uc ӢI]`\脩].ޑ[}ߕ|^Ek*gDAr-Cw)`y7~Mo ij0G\M-1mп [3'2jҹ'FB:^!; %݈9$vJX~fδ'eoܰ TL>])!pM= Ҕ]u $xNE.D~yk5ԟ5&U~ 䅹 1`h\%le;7ֆDO7{xG\(_kbI8XѪrV5i:HH#y/MScb=܎g(lX棙+C"t*OIb:M4K˱v䐦vGГ} ,UXIn3ͳgb~q",f#:ۜb:8'[}R:}TX8|[| * L Rm/Ujm%#'&I5KZil\+͇⹁~ъcwp +LyT lggTioCp7D0{y\۴,hޖ5(c~ m݌hƌJ.ɔ_=Ay '\&TeH~W__ssXS!*"Jxc1U8,ݕ,mС uЌb1EeaeiFCF}fplEcI)#'[\+/Pcկ K #5 :sK4#)X:VN/ߣ*w $."hIݩ m6QWYqc!W22k7E]#'';=D]<`qbLJ{- Ka"G9 y'^`B*^p26X^0crDh>rb]iN*Fs؎EUU9<>d6 {ԃ;N غ`DN~Q3r9vEZHM<ӛD[f߽k =jK Wk>ŷ-sf)?5sBwѲTg {uk>ɎX|_ںVd(Sr=hEvAM[yg/l23r3FR}I=ٔ稏=v`KYⱍY}6 &] !9R{tDvM ZF?~m%;>Kv^7gǏ%ee-C.~~+u]ٺ j.EL~ĹS^;|JL꾋Tr#ǔIWGɿ=I`'\ef?^0u8i_>=/ћk?㭷OIJ ·H4kt`zW]OUem94Lx`A\3KE $lPʍVYQYef<鳌"2܆'w*p`&E4^D(IL>4%~j {d{<ߩᖼns;,' ͈l7gt9tW^IU3 < g~]J{!N% +-g{"~=֟܇]@ͷ lO1TljimACM ~EyDvK]oyH]ghjtZ ]Li+XnH; fآz\(:[_`">Z^%@;{FfR]Z}=XqȅNܯȑQ?|29`XJmK^۸'u[Wf_8e-@, R0HOmh|Z-~%艣#(l W=7y#å[p+u?w[TX6ʃ?&(c)I >R8z O9/1sZfL 7,dvm`VFSG&1[*s"tOj҆'˲EqXOnj{.F~9-SG7XZ,0ğ[\iPt:|خLyjVWCwP2A&di%klBC ihNDEɬ c9kn*sH.M-(!u-..JGB\s6JqrbA;6,{&*tͲ7s6q XHW"IHH'=d؅IjՄIت&`2~Sn/G͗2!Z4(U)kƁT6`QD )X֖pH J^M$ž$W3fb}tT 5K)],nRk?gW)XD`ڊF F/-dT'c>;eI,ݬ_C4qԴ.Z,ś.zaȨZ0>&R:"ܚg+X y|`>`(f6ƈ,S QF$|.|I)6"ihJ:6kǫ te3jA9?"*E%ʜMC{:oP\#`Kr5(q543n=Y()C -<0W@xO [gU7:4\a튽tyIgZNdtH8h[9}p|ѡðRbR 9r|)/YB~+<9W5REB8l^jV}ГTBCyxDH C/,FC-ГtfUaN'ƹH ky{%[ᾑ&hfyQVoۋsL5S1;?( n9^˄_UpN 4{ ފנl/[ifD SC3?M}OFFF(T= l].ЀtIs1|]zAQNN>? %\\N γ;Sq0%f Xj`=Ufpi) R%Q-C)~ iZ5Sd?,sQ1yY~C{/<~Q 3gW֐0MeZr&9~\Ӡf|U]=|v(PVo5%OBWN \KFE3ne Z?&\ _G]iVvMy!GϷ¨<&Mi Gi^/_0Dn93J{6,En 8[Z&oTS_v9mc465ؼ84ʭ'nǃ 5G H<;t V֬B+uv/-(^Zz*5DLzx?}+-@e-Nr! ;4 7]s(NQc-H99~^{%,RNB]% Ȓ'e̋AJ}xYHGs216'R ҽNb= C]bMn' rs/e o^s+/~G {va5c^F[A4`B H153WЍ`Q@h jJl=C> @CI9i2+9i6𑕓^_-'&}V& wDh^wr'*[ kE^@[Y5<*&,< Wggb'1=FNruzz4>< Z nֱI(-kx22| q6]GD4#V9 tiñX5AX2gJ/sP#ݟ-Q_Bc8y<*Ub*p#D1&tzA63)_+78B˱2{:鯗 Nxr]0یR]w8HAO*BpMTo}/ U=N MKu LQc/&B7$H+&4_q/UoxSl , i*~"A<-B_>;^@Y偠{A0;_LƫAy<\R&e2чK*k4*]lksvz5 q'(5eBɡt1%B[xv@ǟ'~XIxb3 wG~P8 >+~w,nTPp\dqZ #skmʰ~(ILW5<,[`O )I?'yqԤ7[LtTt?J4xS%uKIvw{99Cbb 0 AH:)(}MF:pz;0G 3Z.v}f3{ U1.ά)*32yM{6e6#IIi|4UHЌs:H,I/\1=67OɭtGif\c r *67',D|<Jlj;?\}*)AqRBE MČrj!_,loMk%Ԝ:?TE Ϻ rNeskE@l&/_[Xِ>ݻ4K)[op;3AzKY[E ƄSϘǯQ1i;[BiN _uScq1'̊8<52`Me4bxIhi ?OKlzcMfsө#RK~m Wvl5\Qz] .hܬ OiSo5F<ūnǛrT83L?qE|S1a#Qwቇ0&hzwj![-)=FjYD?ݖMnƥo9 98haS% Ma#^ ti߁H!.O*[A1ͫc8\|Kyᙫ$xhu)jfܸ. K<]āOUN~ =%4t"n9tT&nTSؘꆭ5=f'~iH%G. ﱹGIHȰ9:G4=g*#5~u$9Mc;`p΂~sx{*P[u\>NaF@" #b[ 2YO2s@5U^&=wAk(alef֫Pܗ>-`lݒsL@1ɛ`q1Q6vO.拄MN#(F+P&jmnYE%q $e-p:dQW* :ߟk=]1 'SQH`$LHDCOxQ]D*8 D R)(' \2gSxr9^ #4Lמd]0E5Q@ D(g# C'{;:Qk(H^آ/1\VqA Fco-^NDk ƴ 4jIgWX2-^( 3*vt@"{4Yt lUj"\Ʈ.H//PB. rgAk%NőkmQݹ&k2Iq ̱40RQbO=W17%JLGD?!yӴ R\EeE?03+_kI7ދ4a۶PX,&O~ka oha.L`yi`sHx#sQ-`e!#ѻNwINձlQ7_.tY 7W!G@PlwwɄ)1_zېg7f;=fupŨ:w1SaBN:4r+FŷI"쳷c?j*# #d/-&c@'b{K+K@:Pp(pܩ5x(Js^zM3<-ۃ\ر;ky H[H5:vp$,u8#E:qD,&lDZ;t=!Kuy ķ?!D۳rkY.]jJ49`*!m|.i"S=@DH}Dǽ!3SaVz1nx -;`?dsOr`S:(%סL]k3-ۓݾ9G+:~G9C{omO$,@@%b'TBe߶Rhz.h7cg<ȅUh hB"N^l~_rdIJ'9p+6v@xU]e=Cq 츉~ lڇW@#`xkNdghn;y'dM)X!@Xshe@tovp[ R^߀kL ױMml0q]-d2@L=>U\+v N/|us+^xs DAJ;M6k0CkZi+8XȆ ^縲&)3LBsCKӂWɂ2k9¨6:v]Ae CM:oC,fN42G'lT)T\M+y$v2Q|` ?B\!έLGIe Χ?@I.ڿ[q \I3x0dcP40{ :4&~he;s 0u[} x߮_a= [!\. \o'"|b̓NJG>I~jBH6,t2%aaټ% XXڌkGO+R2+KUSߑFHw)!}JXFln$b[Zh҆nLhyj2b){[IF#slBw.)¶oeJdRF-q eږmKB,OOQu.-6NY.nz*75v`d"~k]s$/]Se 4,T@'21Nwq5t;,||0³ΠDQ>̟ݯJ#2Ȥ\9B}ws*}W4oAZɁ͒h9u(mkJq{ o lq%%sۢʿsX9dT(w@p?\zg ʛhdK \ M7JaJo2ebG䑸Mc;a7Vy-nQ衲T1FZ2,n} T!.'c6sQXJU J Te4lǤ^:!mҶ+p?I4P.`qדz6lw2J:#c:Oc'~(h.e{ǚP:%@? C_0r>D`؛yc)"ب)T4GwAí'wIClTߕDלa9#cDut2 zjǝNjyƃsA`>kbB>9؃Ա8 "ّxDEng6jqR1{. ޾~ 'G[Dr'F%PB:HOr #QN]ݨIYa 05SJdzWÈ@t].OD2nT0ʮ3 /'ʺK U@èiŶIS/dgp ѠJ8jȚ/]Nu<7 'g._oi'jKCR"T2 SYlA5 AH;F3%%"ׁ1B֧nkj:*܃,~|]#B 7lKs275^TS|W'MVoxNdiP}"'=64~2Ȕ`bΗt yWR>ڴK[ mD^ +'ݺAd{5WeBKI#Öס82i{K.nh(~0ю=5Tn H 9VM+m@`)6!ѩH_YBU)Xצ30}9d VYRRiXTfvɔTy ʺܿB;T76?lv6cI ,HVh4!I.uG yɪ0(Q9(2A/jfGU[= УzT;'5TyWLIvT_9=[~Ve8nL$Il(KtC2uu8}x hCп .,d5-hJ$hlJgd_!AW>yBkSovя*$AA>ˎEg BZe d ':fsn7W .M*(b_+~=`ŨnӍTehb4a%DaCubU,=~h±k-qY9O7e<3 + |\0fZHrm4jP3G.`xL(| q,9|th:jy**Kp#e@XO)ɦ2X=T_0vJAx[%MW^,u<֘4wj:pjmCMUi1e!aTX; />p+ʮ:n~RG[1^:ԍM@="NՆrSx7"A Ả}A#5DyHAoXʝ"Ժ g6Ep3v;dj<%lO3m_Y1Nη-Tf͒ԁ-ZmKʯJT͕Ԣ| @}g#< l*\^(-~LJvXwjSOE֮RKl׬f4ÍT 6w8=IGDž&Yy}/9yxTnZF/6sFv'Ũ3Xiv_cƊP ?3~z{x&k7)e~R z~sa;*pM0U\ J5|vK^斎 |(ikhU ) "u""2,_+W { CG6ˇ : "Cc3>b5V0_q nQ$X˚ȧV:qu BdʛTg\\;k "iMЏo YF:vA{i)IlB#{+3 * _xM<X)̱(NiIu Ue#*r7c;癎btuRxBJԷ5'SQ Ν<:G'YVv=p跎.zhw_ɞ}DCRR8„}cO蝕sL|K4S b_B (q3]Xu5 @WasyfVVY[ΫFZ()-"~ߩr.7j\#3vOnN,̊4};vm: = `AL?暻7sƀܮע&2֬ Rkyg ]ՈOy|EЉN-`~Ar o7&$ԙ ̛'?Z.6dO33@I_ᠨ?cTc4 =N%̅\36c,J<EIײ@2yU1֧qPDBp.1ѧJ)j,il-ltS@T<0U.Bz֦!s8$x]˓`sAl ǂ:#Qz1[ˑes9ֹ;zpvQbwbk>|ItԪnISk"XϋlSGVor#1Rai-drd][g>esb;uQ_0lY)!#`)>/~< ]BDloMڲ~F߬!KF%@'/{ֆ+N fl {EQ/Hxj $/GP*;J:ʃٚ rq+6Pu+r)h.￷8+iv"0ī;Jp1{- @iQ{giOxY>(YRj1U9&KYxSP$Y1Vb6vHؖkXcI+y h܎O ⽨?u$yб &h^Hb#ل X't| #-BﺂI&-dEW 1ٹsbWaY$k| WK< =aSEs3#l.`h7!>[< "c@q9;2ll'QzdM愎baH 'WD"V (@i8DtYkݯܓ_x⟁ѦZ2"u{qJDҩ~k4q!?˲6KJ{XS!td޼F8 /*f [L.\p}AV49WEST|X?1Z!%7gU^ׇV9hAQ+59:p 7~@D|LXXj/8u]k)%6kpP,0ʷ@,H(>;]>g{u mM^׆dtVZ͉jݯdqZi%HHq/4&3l8%RqwAH?;h *:,{J"Zo$B?M_mS8!@'+!Dp-CiLj$՛ccr{>{ϝFAoOQHQhҷnc1 jĪx?%']+au~2Gg~_[#+iPʿEKn?KJ 7 l7ʟ8EPTW'3r`x_q:7j;b*pBؤ'7 })6= fm$jOc*kK˥Ge15<4uK(~?VA΅f8Jɳ*l!HpRV.irP۔=!;V[Vsfc9B.PTg?%XT'n3A ++gA^r(GQ#,埆s=_~@-1Gb.Jхn[r$(Ѹ(%yn(#ә0%evr^bմI_.$[ /:Dy?wm'RwU@0^{J{|xu!(Fyh{|ȔFAvmm(}Sf\ߓi$-yxe})qFwNXl㲥dS,e#]LydaPc9a?t^X֪idgU{nHGGᤕ",C~bnk97ɽ:` rreFSeWdz۫4i$X4 MQ6peݵg܎J,o]w-G>0\ x'$SĤ7+Z-\Hf-`rkv%) ikVP~aFMi+:iKS){ùG|!Ƨ~QWdbMd{6u}"!Ǿw^pޖ$#EcV=ԭ}un者YeÔ ыml’|Acoڎq,Ӏ¡`y'E B@12><|}Pg С!o ~b11`pѿO9Z>()9c\ĝc^6v%V''VL*lx(485loeMiL5vFsԟ"^;^ F[ ! @KunzHc̊ .BI+zڄ g}WдÅ2Q&L1E/(c?P8P$Ir,/'֮q,IpDU-yK}ZgI!,CM ޕ_\Dz!XlS$3yG 1Ηp_$a8V7+~܀ #3 k->mS2fb;|T"0 &<ш[3*e6l$j8RCW/ӊ+/ j"2|1I)'T(\sy9rnp />"{19l3Ǔfn|KN t4ޛ51b ؔO_{]Yf>ǜSW 5Te3sPI!xOJGlN/Q5Uc#(dq43B)X, zS:)fMI9aC?`ɚnߏGdj=V1ԕ=@Sy pȭPeB(vz wfrnB _vPÅ `fDwߴ/*rckxcPSa)_(M+=&vC52ǗKC4>'gF|[Q]ȖaI;A,@jև Y+Rt˾ ۫5:ͬ"2+hnіj32q&L*Ҩ$s1[&,Y(JPEI6S]C vd[,M*@WaCrc!6c &5Qi7TPp.C j!'b2{#3 v@!/Q"FhU$-O |#3ײjZ=ngEeV`9ZVmSR5e נ3zw67"v]pfZ1QuC 9n oC.Co3qs`.j Xm7V<5ImSc[:<2K J=E&>siNMLXWQW P$ȨS)O,B3zqv1g2Dcx|ӄ0McKp%WO_lQJ [FqЍo,…6Q~P7v;Δ$[ؤ%:G>Ityl䖬UpɣCySuA el! &5+yAFǀs O=Y*nl[F`b u%KɦXOiTz8'.)OZ =^Ud iwF.Uerb N~3VoB#zf >s;vڗ{Δ4m~9TNy8%>ኖd4‡$}M{?F>~< jbq|xիS)W)H•B\owW.xMO|G`rs5eX=:[٤|x:<@cei-yLPQ`T&cmx-zm:ݍPY!I:<'d'&@jw׽qF6I<K VʔFW-IoY:~7?ev WNN]b%z(5kOgyvzk7(%hSW _\=m# wR鵿뗫,d8ºx XʲU1~R}J^ڻe+=jkН#+^o$8a]M? ,؊{D˳_v󺼣_HEIB\<̓DНΉ?*x炾\z9.7>w4+$_=%ڗCii;yddoǡ@ڭP3Zm{/n.5FBod@ yyz nTOzXAx*O3'Č۳"7D64T@F&vZ'wDTu,rIe`n=zx5cz!eFa|AS`WN_P ; bU\_G=vp_NjKsfjI= SsXb/ Ajn|xh '~-rc~ s{o>ӝk"fIy+_r8]Ƕ#r'Wœʁh$%@AJ<*U8Lniח%psȐaˋ]mB0/B7=rd $VmGO 2}](qNk2J-($>Xک9Pm0c1XFXpiTYvPSEk &mR^6ETB +riG K[.E>e`:ƼQ;efw3Td};uƂ~Rc4\E?+hjEFf7@R"n-+{T v""7A'c CGrDZrLu1<@$0Ǣ#w8G! xWFi_%Z](M$b%J 7Jx6Z.q[7P떱cJ^?.xݛWz+Uݞ}Bqy~[[਀RGy OQpU7&]~bdS:<ېeo;Q:2R\QG 'u=} ȻV kR(+X^d!{ns 27!&LqL'O%^33!zd{zSy\Vi6W3v/4k8]ȏ[e*Ў\n@%O ګzuY2ʾ9W߅ >,ߊ݁*A%YHE7u=OV,x3Ej N b] *j<' +HN3ud:3ν{|*ћkk*X8%Qenj{!FEcRpL^ 6 Ԝl[gݷQvTt7:a$Bw"/36rz}Ob-aݻcJ t?G>uЉ9්Op>h 3^8P5`z-P02ӗ֎b4Xi{U: W}7&?|ߓpMğӍF]X",;kf(8zS>n+'|E|d|22 ,"IH UbfR` xSeZ)+bqf 4P߮a".E'д(QqDVFIh! lNS RO41̏ fPyv+fuw@Vo]~S)SoçsSJXdۚ.%5Hڥŀ 6#nECr*rr0ED۾_cE,wW8_.Sap(qfpEi=V*yT~.3:Jo^|:Zlc}KC4-!7Y]JpPdt GIumHYtWOB"z|) VքhWM6 y}JʾD/UT;qCd H()QyeCI.">n35"tk9QXk#IouyRW?Y(Wl+Jx\B?&g'm\24d,mm}= `yE;tB%pq-scU\jr׾MjC +dO} MAp)ZX`\T )[m2H{**h>ubj33BA&0B3jQA:aovs Tض#guw_(gF OC$KfgOx`08ķ*-F)nPIJE ,h׿hI '${|hEH"Ic ~#%@X̐YBrwZ٘b?&``{(!|eBR4Nneٌ ͩ+Nҩ >ff |mlDs}Kpoх-2AM+ֶ0t[m\?k3n3߷'1?%EΩr >RUS T=5"$#lPMfF$޵bF fx ,ҪTG`(IJM ~LnVΏv]K LO 'Ef ADcrǒƾW[#fYxN5q-e?&{S9 ܦN%L@%5Gp&Ko0>Gyt|Ì*&z;2<@O%?{ŋ}CLDX'1Mܠ&bj- @[îQB FRc8Gm` Όx%Vrd.,S|0|G=J[ +‚H TMk2+p0r$$pgI`)Fn2'm+*{1 hT&yA9,!FZ8Rd X^NAJGpjiG˿unb9cuNjS=Z6.v@–um^ 1yJ4Ip$f0&P1MT nMř<¡2$:J1Bkmi~)34XCA?<mci/EGF aQxtxyHJ*]fP=:J9{&Ghul9R@[DDJ2*AcrBD=/{B=N\.O0v}F HCŵ.HD$Δ]VV"oe~+[oUArӍS=JVD U{QcG}Ja"ʬ-EuYU0D{a"% ~)Xަ1`OG< 3&#_,$T7pXkf ]6dʮUΣuM>5G4s=Hy7 *|yOxXʨr>9u&yAm/!TwoH' )))j/ a[K}R ^ D;u gkd;:\" S б>-2)h[cbwhΌBeVNџ}Q#&ERӡQ-(Qboz F }@{09ЇZLwU]YZZngNj$X;Ǐ5rȩY:_2,{'<5o>D_聻Hc H(#!$ɛXK{4|"[y\7NװW@ҪXhOُ)=62;ފCʎrZ';zX)? 4 "vt9 zt^ sP!\A4s*0N#fC}P$pQü.UvZ[eߑ`(IS*_~E-k8,LIPo!ȭiXj@S Ž^R! )ICjP/ |r[\]D*@ub pI+uir)6,μ9$Ro1Lu{YTڠ 6͝q h[t4(+w^ˆƶjVl o-TrEkQ\&'ɉTNvU}CzBn˜aTI[tݦaV_ODz ~@zt1U])0KrmTcY1I641Y/ H!vI{AA3n^S2'$tkegU62){7'ͯ,J5OI;Z ;fV%OzȤ4vx!c?^*#sn ۀ/=iIFHl([G| CHeU, BEbdYoԥr?@ >+_f^Q'WDm N!8cct9Ŝhi`E|tra?DP2s?[! K@zPЕjȇ7Nߦgݗ~ gP|­G;ρiN1-a`MS=SuzRMIIGBq1Yz*τ^8UJXFE|[CplVZ,K˵m@#3E MVuaXi! p̾X.+DCZCx^hT,#:8 Uw,g`W^T/Exv=ѳj[j,A]݉%# S&c+{?[9~GN}2yaꆯ9u<;԰0Lw"79.g,kʨrԭ %-o>bpj ¼<%e t~ He.@ xЄH Ì%zL_P@s_JEE*?%ɼlWec ˥FժM̘$4s}O~ _ 9߈70u`+<&q}_6 i0"D?jvLncr*+y}qY/ 3!YJyPY e/0>HV2YPHѧ XQ!(lQYko*gj(hTF,% 9xr9 Q7[W͹kft;bmNZ 0L .Bh}cԚlwb,섌$y5UUnLkmA!r|X P %0͋tg==87;6h76pYY)| E;ϗ'ȔTgNvgCJb`"ӓ1PZvGVX9Z!DT9rV9`W #EȢ aVϪ \F=;$r-V߽HzK y*VGWl8srQITX¶[K"IWTWӯ7f׾si?uR[K5tx3r0hÎOWTZŒ}[30ϪB9]o,jH/9ݍvx!tҹfU0) N|CYoBl/,vj1ve<{in!OψsWg)ķD,HLAĖ )"Mz=B珜sكk嬤̪/@5۵3[,![.sFhڪDiIoj.:D7MlrC&[1r6Eto\nor8M,0suٚ[-.VI6upذxM#)fs@M X\Cֻ;heI0]@`:p #f@tސo1|i0aȗ-uPL0"Y>a\-sbبSjYy˝CPqe? iPL`Ux"v) Vɍ/=mO(S+?Y/YzcpQB0v3 x=.G !S>}ʪƳo̧zSm팱ߕ+AiSH:*8`L)h (n~גL}լ]WbE2edDO72QEcP&عt;>JJ?*Ll@*V$:\댥0^ћk=[vilr#aUUW4<*9F%oo^wef|]'=@NΘXo3˜bl3C)S `=snpJ"D$O"?L8J`V8&pjcqrq*B>b?H I5 Lo}^3ϙcj' ,Fl I Ǘ!08kuj;r(iNtQeE}KnPZg(D)cl[Dmd ? s)wʰKZ!y:Fe?@^~Su7,c'C`j[vX_9SH Ԏf2{QZ,l7OL4CSji&s࿦ s2\cs6'E w 0Ud1#m`9*tK rVyۛ`ǽtW/}9[zS_rЏL;B?WE]U!T[^daٝ[]?CԘAT;h ƻz.U:@] GK݅gMs |Ġ&*۩#${^TGawܨX%?ϸni3Re4 :GZY8 eCw"V# F3Viφ0ΉK?t TΣD٧R7֮tQv%_ϘpSOO|v^ګ xͰmT2e0D%3 H,sROG_\oH)9Hl%ØP#]rBM>SS?tJzܶ-tdZzI4J/g|S޽PwŖ~b?O`pRkCAÖi[XA1qBO@29)/!$uSt74'^ UEpbFu1i_$$GD 4.\YNENQOE*^Sn؃,Y3==L3`]`4cT iL;@HksZR7/T:~x⭻`1vˆ2ʲ(C)?@D.^"L'XY(1TYdNraq*B%*evm'm<_G2CNT/J%J*ޜn4Jc=ESt"˂ˤۂT맖I7ۏ;"ʚW1g}zBۜeƐ`ßK6(te9Ѹz,gWz7KꎌcUW,(-L C4 !nkaٍ͑ЪIΌ"!뚰!0 eya*Ţ*{R[ze.s%I9P%)0ݩ)ɴvp=BNJO\p6ڵeB9ᆮ#f MYn [ j@&4ta 0) SDlΠ+튩]o/Xoâ[ :C _Ŕ5,Ud|dvr78vB,r(DA2M1 HPgm{E7+ܛZx ڧ ζ2l0& .0%f Yu,1x:$7X0JB?&"燥+c .)L 9vX#HR>rsy6",(r[>A=]`NZ-W-̩9dɆ GX{8ËB܊"ZȈcW#os$`t`xoTfBT Cu:+bO (䄏*^l O^M7RVgѪSŜT"I*_:ȵ0Vs 3)TeHpC} xo8AAOIiEXX͞Zz]R,Ym\1O/H-ύO ?E߻˽(X>U( g_ )JLoqűX f0se4rGAa$ HG[NM+g||;.esL,.npGD#pQn@w l9E|wB?>R^xV=|+ ݿ'Cuav* iaۮU Y-45Eקy [fhlC[WKeD٪+){ZEMcfjҲ&jçMp41>U}/8Q2գ46]}胼}*)U,(2 GZ+/x~pa18 Q:p:.OMYۀEc`3 eTn%a{>-Y*HS:_\auD1&k#i!gcM^E`/8P&@L|L idEa =vWPE"V6Ioo{w%\,J \l]8T$y+6$hX\1urx֎=;9(\ z (_(zNM1VZJަ8u/Ak;/BsKGΓh<](EyýGu5\ WCpe0ΗM%~]pmg5X[-|?J]di' %a'G5%v^ٕUj3;ʂ0d*@(N?`vr<`Y9oHP3uek%|!sSπvJMt0Cyރ-i8-dt=FDBo! eU'z 4nڹ-$_|LgѧV*4Dny%-I:o\D,)6[h,z˦cYPv,_FV,x@p_h3"I|Yk;Q<p8/myD)6HևNnhO~^t P ڴP:f2߀LD .sCD%%1yM_?|m&Ub5uXDĐ֠i>ੈoX<6 N"/}\s':.F}IGٔa*}nRd; Uhi'sBJّn34|Ű4ֱ$E3ҁ6cU2KX6WKz %kB=J_HfC܍5 0f ZDI[tYЙk\׬n5ǐ`g3)Ē(sV Psιc~D]פH4>]Gy{C`/>l?CS`>6nɥ=r$Rge(p_ %dxklqfԙ\peE-'3łC\,թyBo!w *6903,Fs]\*BvFW?!z8*pW v-HX_@.Z6(h3^ zl-8 @06hVwzL1ʓ lz[M,rT~\Cj#A"*]#N\jhj[v^R! W^%\>gUaD*>;-~ۮ#cЛu*.eG'gT'XQ⚹.4/FGvG*z4ܩd_K΢#Wg}OTC_yqVjd2}=dKhzH =0!):݅[ _QhD^uhL\u¨Pb!eaP& Tod vbin%r2|Kfeɚ rNhQǣq- Ru!޾=65)R2Xw4Oy\]!o2KXl]06W%U:`^guDžX42?K遮l`n랊qX NM}K;+ui2]öEXhSHg&IPw5brp*5Pwr[z+;+6NVTZ`XwM<89{9,Iج~QĆrkg\< 'OE8P;b2'(b#_,H&r *6I.^ Hu+ԣLe-Eec 4|V/@&8sN~_̿q / @zjB4Lr>2dC]G3xNOM{K]&D|pw hZXYlfO[d_uk=|.c JĤLjGj-AUepW$TXX"^el 2Q1d "{<-'6GrfyEU,%?cٵ٠Av"um+&QX>R2.`RE3mQڃ AMI:.*׼P!~_^129췞%xPf%"[(66Tk%"iНp[ L+hg%94I]a x%.eӥns6*i$\m=D{> whz #BfҊ`IG^ 6Q0-IG \(*t4 ªLӌ]'BZ'w'>% ِt3z|QI듿˿]2wf՗kcJ?m_/p= a?o~_A ~.T[k:F^Z>p1lk>ʛQ*O2^[TG GFv@i"|07Ͷ=/оihY^9z<5RjK(gqΣPlIp*2FE.Q0{R1&D~Mie㩣Uie(wnwG׷+I宽Yrtxj c[)~I{9̓o,GijY+&r[V]1{DZ/WFqQĵc&kۥl_Z \0cTs\0r"BPQO2~e o6,;Ѵg.`\ OeaV<^T?߹AÎuoS2dK}]@P] (5Ƅ0E`*l)G(N$j6._sa_ԟO0_uU= ^(S|~h's N$)w6P`h7HK%ptq#[X#UhM')ňō΅u' : 1@A&h)c! N[~UpU.$Zµ 6Y!?lj9cuiyfؚ2Fh_Zmy[$9rv xp! 2D5T*7 $,cXPaG}3ͨtua|nvԝݻ'(D1GK5\o鄗M|%8hϋ5 TW/A;<,H.YwQ=J0qQ_G4PzP S1+`Bh2 Qv6 vã>`2kW4{%ENyX,/ڛ gP+35U\&4;.D7ƺhPydZ,,83-<8t? 1sj:$%f--̗c:;86pTNwc\Kg.ap2ՉaPG89{zS!+/?Bڶ?-ɛ㙀ȍM%`m{礹E'@}@'% _J;xB$)ՂH(vOk{m6}dCI,q@NT`)˾3yFß\9!zd}*}owՎ7S2zd_ف5tvr2ίN:r`|ynPnun|6n9Yo0l?TK\[qG)~~?jN:a yDR'xpVHFB/H dmf]vHT* I0}"33鑋qI I;۠j_1KiWIɿjcZ'KB3fGT1&Ϯ$ynʣ+e Ca!;;D7wCVs%ݒfύ:shGԣk*#{CֈϓIvﵮV/=x"E˂8~g}0迾Aղr4 (X㎼,`āRJI 晊zDG{ Q|Ã~n} 5Ǎ8[XD cuA6^'j Sw}K4jCL,TLۯ[C@ݣ40 954Ș7;տe W T NB1d b29A9a^ao4Sq;~H;lҗYKev6 B)ֲyJ>:?pǁ@*Dߦɀv`lS;@եO^OpX7B~lR\u܀4FC֬|D3+] *(CK0RMfǔWL QAt21 aqQQԮM8n]1B5]E)(39ۭl.ǨR~6"u'~%[o;m)NjMf %aBzS>fLC<!d! 7pH{aLK r=2 qcf gB]i^Ԍms{}be[.hE>^p&WfR6g2WRlVԬ(i^C6)A/[t3SMSy妟7g|eө \HP79 ے|8,0F ? G-)@ {@tL!QʽI+U='寠0-oA!.ptق9Ck57X~v [̻.rNnQH$\Xy w3y!P#'3C0l'֍T6ˆ1~_PxRn.a*Z>3ܝ y+LmB JHaP F+prAD9664suϔ}6%Su7MvʇVkZ&h*drAO$b6!5s#6Qm37ľnp&%qr{n0&n8G}(E7q!L N4:X:cXM!Xyu7@HqoӻS~; Lö"74W{~x|#Y{UAIS.!it3ɤ0`ז&G5 *4kyq'gB c\EY:I#+rT=dP~\rQ#M|tj h3q> a٭(D#qB(;R?s:wEUuT,7NpϜؖX֊j%>e8P/2Gl6@c@8(pwgоUD읥[w踜 AaQIpZnB(UB6k tHvԽ)]C}<մZ#9"22t[IyCM)O3"r(V{))N2ēn#l[+(F06feQЋY[7tnTf_gY股sΛAu82MA#MNpBCF7j}Đ7{~7 04]$F+ u4 `6Xdɮa'8Q$^aEQaorfi7ՄZͨ] %[3dN+O-lc{t8[4UK;8dGs%~oCeXC[Ere?NtS>lBEM;etM@hՆ%op(Le/ƃ3f(bkmgF0bFA!I,0B;dzDs/f&~5v[ ܆ phg'&`w5䗈z<+TL z3bcZy)2e6}*quz|->Ռ/fjX@F] Y,ި@JuPFM*5N'hBTFp1yYŦ9'\iw"Xq=4bTO}or i;5gUdkB$|& xgPRۤ0cC/M >%IKe(*.xBcLυ~S<}𔈀0)fX>lCF ^;z`oEYҥ꿳~q)@d,H(z(PӀ܀,yet5NA}ZOҪWpJ`D:Nl b<8Z,T0OVScXjݜ!Ujq?6FXC1\3?&<R[33% iI7t\kI,ֹRZmEl ʚOGpT3b{2hZ2:Ag[FYs~nM6 agLYR'XX<|!wnVY""/b^"5)qOuPTm |[)탥HP"~txoމ3ɤ<ۙ'\I9k(ILLᱣ%OG~(wu1gt2@t\:2%3 z)SɇQ;zy̸fDZ-R, T}RTϢu5߿0ezO?t@ixn%=S$3A6f ,klbmf@/C9lsmizU&3:"ra B]o$P1=nWTGa(%pKxSs |c $UJ!s FMq?ߤߑ,4Aҝ2]yȖD J7(+0{^$cWYǽjdH)uru rQq*%iĮּ2~oio6ʕ awk99<>y^ fGH@[mxdviK݊\7 rY"}V)4o{Wbe;.#SnRhU"!Poޞ0nYP;gbC(vT#Ɯ` c:ȸ{ ѷo<`g;14CBĉix:/Sfp`D"-*b8!V׉W[%߯)n{8WucZ%{EA臲':8#9&tB PT 3 |P5fi6f=@J? S0G٬؎X5jP V80F +#^RxYK }R"#D@R@G>V&,(PR!'{ `Veq<98wHA=Ĝ/$u[F~?"10B>fm0 Ok<:di_60JMt cw!!ərpJ ,GN  c)J!.Os܌0O׾ [BS<}eEMTPTl=kЀ8PLCWnR%ڴsPkps/Y&qM5Wg>] ߓ~!V}H)?;qdojG .ȦyT|מ0 /n"bc‡Nwgr*m"xyOXH]-fȶ%E@)/0 !Z }u)E:(~BypcikQ'qN1eQLJ[Yo)UX$B%dNht%T myPt5w۳oKf®r]WE5c~)g"ĥ4FU!ak SU2 F Gߺ oa}lMS!CpHm!byj7imz?rR$ ]ɬvQeV(4|ǯƻY؍&G% D->L~hg{EQg]tӣP\6)G'"\%7䬅2l tl[)pR5G3kgQM3/-c;Hv=9<77Bp\Q`u*i^醐q xE4Sy!5n]~m7KC7؜cu}٩]_r7RmRH \^flQS:v.H+UV$aP+ƉQ; m2l.6-ŞK*:c8>ace׉ }y{? E80F-MV~TtLWwT}O2^ceG`)L>,ڑjD>{4ɉDl47fzݘ 9qL$%"ѯߡ`|VQNK8f'N4CP9l )#mG`i>`B~Y.J,mN,nև=[dùky6E?αKyU9\4b{8NyˇzXvlv*7fI}cBaDaҢh%_Ѥ?Fliӿ1h*d((B8JZjh^ = 7Čm@ Snn6vBysbJnG-^bN~=1Dh!lm"C.Z5Swȭ#ZVI)졒*)H* 6ʑ=c^5dc 3e.*ӹ=,܃,1VA-c)7wIkOݑ,~{#tOϫ;O4C{TX;:ahJ7N;L7ނN(x*Kڰ lHMO)MJQ(iWY6/-]$Z߰#THX8Dk?deԌw:݀'0d3?Hɕ@_0we SR/NI9VP[k$J]$C/Q:.5q)V2:cgiXC Z}Mq[:qP/(SZ;6W ] ~X W<8q"vBj @ j9{"B;*>$jsicTy,HhdOl\Ch.W)ZB߻HUY,sz:2* >aI-*6^?c[ڂL~-}T㥭H~?4W-<m-ZoGSIgZǼvI+0ɹ'@݀}i_+@q$2Z}D擫?YYq`$XFN*DXMb'hau#_̘XJ39R76g(z^Z~O(3 wlN56__9VHS̓ N>]1L)¢Uþ? G \aB:iܱc⓬I[`2X(%~tA }_WٖZ<>o6~r֠NWD,1렌ȥ+rb+P؊R =A;j[](mX07=BԿȳMiK ~g:}4z.,+ KF!sBc^N^-bݤM1MR$A;eHwn(S'ļ 6\׳Fk+a ;nR=-B sRm` &2$ߜqֲij²-\՘^=L _x4>ZΌ]% uaq/b:,LtCw/I;xFֵ5`Ad+H4ꖑ|o} Td֠h7WUa! K?>gX@p}~IIR]U}Hc*6&Cw\8vqo` Q<bM!}pwЖPrjLoS:<TЄp-6ܱRͰ5nœoz&&$Ϭ,*@<6 XQ+ղ9-sv"7(ݞYו.T3CjM^j( F;E gU§NlVN}I\r򾶣_RiUr\mLy -!Fqj@mz#|e`wq* _fmqhH>sdn^mH?^_l%%ǹQ㾕ѐs݇hU<#YGfQiE  <=+<*._8gKU4[? ^ذ3E^-#2UhZpVVj~Ôq?YVOd":U N'OZoYEU#ikG60%KXqy 6~!Z}mDP&b|} /&+&{YNMT9A<=7:~ zV7N-Z Ǭ^Y/ŕ; =7'*p owCsl h؟FǭvK1 ^L1ߢŸ:չBpe Uk-xʒMC'gXTug2jveƹ "5Ϛ8#?u+"A#x4vy^kJq~'])5z^G@ޢ(%PTd` :rr,L52uw#-X#'  >{ԳJbW k&喉&@黍J1Si}{ )uNpC$Ŋ'$kʿª*x 7/lHkB_)R0Ka7c=g'aTt^~rd{O2A~cTmUzpc0=ژ6R*aM$0%E( "Ѽcn/1tz4rMEMPW D;<茯ѢE" C“EΙ'Zf7tlȑQDm{f;y01 f - ClR0M*p }?&/6*hhMM;)%e؜m'x2{`(X$Ww-JUC)n. pZUbhU:\K /V 8FL&5bDWF UfTIBAKmVlZ'zW GԣHPhX4 f5?rcH~l88 dQ4:3ڲeOi*l\vS^@N%\( @A 匎!؜Kz_WF^lD"2q7+ T6N#=w_j+M3DH +:E;3w]5"oFt|%#i2FJBxTBC+RwqlE&f P0囫po@Lk4@PʙXoBl9xh'Hc%?'_iBɕyp>\ dgerx <5YZ<׀crugU8׋*P@L".YϺhz^QS;3 Q2b)3t^a6@HWfz (]r(ڙ/r($8n) ˥myJ>A\,{W*(w A)KDuLEf_OOHu]ݮTR(6˟oE Kf9'@յ/pM-c~#DjݛG}@!NkjV 3w8\0ygim\ vFPz斍VǍ\ޅO [{?Kb:9(!KC{ޫ""ce-gg)JKWصkҲ"KeoqjS΀yִY>lkB.z}kadAEuxVDo4;g#8J<~AL_`l#5NV;?Π+u$X)Ih|L4j==:ra[DKJ2c˫}W5Vae_x@C+<_>F+[J XztuQe|g"י1yfQeEGiqU"z"Pk7Ⱎ&5+7N xcЅT}>n)H*|.O ˴kᓔ.u Z섂RP{dx#' \#gTDb)c~HDaMΩsÌC6pw[T牪(jhP 9B>[zI`!ƥsyf354LWHuWA"Znv :؏|16Hwpɢd}jzȷQWR f3:S⽻ߣ'hMn%aB %"Y Pr[67;RL5]ǣX'*? ]h'w[*// l5nm JJ츽}.=w$'!Ф$|*DžvJ{񾊢rb(N0VhnFKŰ}]-1M(_0 "zWnLJc p'^FȢqց̽"H=ڴր&5)ǃnbn2)FtbR ,֩m"- "QZ!.nyLJ,DGglRjUG;5?KM]YͰ<$0y5ie-,agv?JݙчU@Iӣ}ml2e* ªЪGNƚjrD.,-:m)xH_@sm )E|OP<٢g(>lKgqOU?E `߰]==9_ƬjQ_`*\lL .p36F'~Mg!) 5ml)X[Q;ɮ.<6Ug,Ӻ91.5YU {*5;\Pyd_$|PgT˜&5uPZ +>.{pˊΌow cE醳 ;MF0wG%x ɯzS^قAU]_! TZxpzpο/jC -Xo4i. G/"j ߙ8Ĵ,&򶞟x1bٗ] \p<̆o;B{QA_ҳLKXܧq1!W-h0W}Oإ}QO:IZ340N6z,uخ%_՚lǒȖFԍg}Ƀc"bq;H?P9?Nq6g}D`B2L˟6lȅB h^2 .k]XMf07|ldZ~?%Z#$Pk=|8׾:8WEĕF٩_6ėPE6)ʁxJxE{n3bce:Yι[i Ҙ[*ļ2ҔVG'~>">vV8q-(`֛kC~.g_8ihCJtl(/3@ډ/Dnqhd[lգg?RseN!Ceʲ |}s~P_EQ}˴o-<ۊs+"N޻ЖR?FrcfŖ=|*(»P ]7#=l {vő6ds9o4(NjȋscUkݓug xFMpB3 Atwqd=czRԓ| >^:Ϩt)7wSw]#MC}?hQRʞ Ȣ_c8bK*Jђ|=\KnLEfAyރgC8<4mߑ]0-=:C~~)Ζ :rs4է~: "zTwgX5/,b"q< ħ"i)3⫆V&X.H-"KW|䪤ߐ'4*^2ҡղzItgG^0)&ƏX=bx1{߰"m!->\r&N@.׺ D6.j!r=kYS?'m2+̄"}zIriDƒP[* Ő\҃JINzTFIf>Y]Az9rf:qϹ  q3"2b>F>GJb!S3Ǚ M%4$-n186Z$3u|tp#8 )tW8%`IǻQ+LЧe՞@6cـR j'yIC5ã TBCfl3&V:($R;-VLp?ve]/LR%\Ƃ))?pyo^je'by~ 쒖HFOr`ȼyPyMxe_+"KZF%I,(L9aکNBlݴte|I- 1|Oz\8CCB0RIM0~e5ADZr_6yAuG6<ӒY"끩S gd؛r +@ q n%Ca8`hnZyLӝLߊsDtN< gժ4 6aӰ*&+IT85un!{ydйF}fxՈ䋓jMb;3TI=JSK6S&֯ߊl+l R{lM-Qȑuo?ux޺Ksg{1Dx? 0 G_.oZtógp:W:)21 !I4F@Vj17LPU`/4n:!?ڬJ]0Zs%"y2坊zV T3Jܴ' JаT`~ thCLZ> ⦕i[zNf> p 3 H8>㤴MHDCdrϷK~A t碵9t_M[G<AH]x#K FL{c:g."[5bHY#\۱ y$凮+~wPoN/!syJ"(*ߌrKHH[{?ԕQqJL(\W$6'g?u"JrwJ7"߿:ΏZ4 wh>)7anRL+}Lv!h]n\Wd@NN,oChERa6/K(IiV ~)Jl @4،E߆>?y)< :3L~P+8R#8TOZၷf?]V8=t=-C?ol䎴Ō8@B̵~x!LپF˱OvpFꕏ"FI]@KydO~@Ih&6HN":9%qUjPoKMʊ4etUm9@m۲Fx*~F=?9BӚTs Y(yN#[{p⇭pv H7 +4] e$oɣ+>&>\܅>S\8," 21 e˖\5e0;|8,, NuFⱞ%U›,CKU\l ڝwL3ps)$;. yaRO1IT+~n&KehPOZ L8zBiwla~8-Kg|ZrN1g0ehf@!2aX3"JzDzR482Iʥ[ߐԶ#E)@ܐJ$|A!{*=^Ә m8*hBBWL@0^×=zЇ(7Z"w RĝNtӐ9ހhQw7Z@LbhD(9Q*c#`wɬ6u9VjU{}bY#GZKtbeI?)#/N8gЎoI* ֐%Աݱَ:.~"C,p^(k>ҫe7ӵyHҗ+b-rV@SpLWxI#!jo a?ƒ$'SAH|򸓓kR@ښ/++g:t۫,J!BWtWϏlyMɏQ~+Ga=NQhR(9@Qmi%vǪ/6C"EĚ 1W: --q \2 *6+JrZ.I} ԫ:g۽5/%L*;?6W牮%{1Qe\8QYs_T*zF GSuhP4G $߶Z8 jʣ%q_~޵AdaGSr^HTgDF.Q竱e`؍1rjýĠ29`M&>: $KL a@䢤]Uxj.HZoYr%F-h⭰7JI*MΧi6 }i m:YKN1e9dfVMzbl; su;|OF* )clPYG*&~{.$Ev80Τ;Ď"Yg=&ѻ; >ϑl4EǦrK@1_@(s:$ў4_@UbB6<17a- t`Z@j&p:+O2lC2s ƶ{ZxAk߹qRXwy+:&Dˤ.5nv3z%_ Z>yǵF䷘u9/Lxb3㥣"#0Ja]; FdtƀŐd29$4 ;r~/N8& -e&F~hu Ǭ6MI=etiA$D1 Ljh[q'̛@BM6O0Y6!?Ax2z([C[oMVاnD !TxDqpG'"}pX0`-Iomg,R1ѱyk26 wlU-G'tT6 \ó^ .#UryS.+⍎ur'.x7Rʭn|xҪ!S0n-Jn?uer[S|K^u8n`>zmzA}𻸊vۛ/*^ka崅Q0opGz6)IXEԋ&A',}쟖"oU+=4R: ~Țߌ?ZIf)Bh,yKõhJ`t3=bhޣOg} -dC^fHZXS_=F6>Ҍچڏbr1Nq5*9mm#@6^ xX+w|*?@!:jCkE@WC_S9jY\.c`ˊ1mI7cY߭BXͭs_}<7]p-=P=fu(c7ѾR'T賻ﺉ~irAI԰#<ˬ:bł3r=UkhݟР2DAc'n;&^NHs v/GTDQ!cd Q6IbM2g) 6w! l]S(bȈrz0Fa_vLMwNrXrީ<"քmȼFė [yX-s]s 4Hl`؂b=b?]˞} 532̌͡c tYtU8 r>rͩl@ZE`55/c4Ffy]x𖍃MPb~Bb\%~YDaA6FSU2L+ O:4boaypT?'5~j&V nz٦ynh<]٫6 IߑG?Ѡ݃*u:X!%*ҧqѥ]bkM.YY)?qNIh>1+LzALdnt|_3i} lAzƑŲh @نO>S)W+K}UjиȫϏ Ur+T{qv@@T R(<`>C?$qan3(Q?@z6{fg+˾uO9,]<+ozv3j{Y?ӹm :dOU} ?4Yt1hUH65xii2𳶦.-K~-/jf kzTPp+TU:WQʬ"l/꓈{t;K)9RHqa<T [:ԐkIAǡo ~C8O}utWo6TP067D֙ |mԝ,Pm}-hcNk?xmT7[z?u5Zhװ*D_}09.sUMd-3| 2işu{+R.,$! `:*)&bADM(RyP:5H~C>E3io}.d#!ei92M}ևsxCKE+Hxg3M0 : }-o% &|ȏGiOj( wcY2|0ߪ\쵔oްwR"#1$^ WJb+j"Fs,%6 wHfA@)u(N.) 3D܃3ݒ4m qm Kޘ,?c IU: ~Vwkh@#6qڧ^]YV@X%Fӆk‰eHߞ)@q- AӀJJ6H݈FebC .H5穠fCN(#E-3fh.(1rGW.A 9 >~1Z_!LCgKZ3Ykélծa %?]6?9:"IԇBlok%f?i[N,#.v:m<]O(ɗV:3߼j@{jhJ`UҚk璯im"tYݏ^Z1m?1fn+жt. YE}h jhXO_מᅢQǮM[$0@Ź> 9-J?Uũ=]Kp\9zd{j0K˩x)TWsI}xˬI,舭/G•xr((zJ^K'Ƥu}zop4~}$@2"Z']mEC#*2Y&܊z ig6 頼 Qݏ6mn)q7 QUʰ UG|(X_x^_\Eg/ (Q ?M}>7!L1+ *12Г?@%vVD۱6w b[TҎ9vL@E)GyN, ("-Uu-? "s9:֫A  .nIm37hrɷU nY7J"R{«EH{ݸIGu "hw"aJ7d YΧEϞv MUV10%|{菺-!E[LuWGo;]s4^S!n~>1@odeڥ/;I鳾*>Ok2Y?#un9_cH# kZR/SLPUk!q<@;IM/ J'gM%Oc[l1$tݪY3`l /f| I ؞_0˳ <:vv]O1% _ 2TPp*h|4tb= <$Z k*#n蚞@ʧcIhs FnܤGKW^!i_2+&{⩌oJ:t45$Tq0dOQJS6!Ijf?iQ?S7m;4åNq~35OZ&kv̌~p4c(pRfb@MpLPp9`۶@eeĮ-7ihѫ$b2<$1g=Ȗ]KG!>#CJM, #Žf< 0*{4+F}j 'xѳ2[xݜ!ﻅsczp2ёZzvxg"1trRtaDk M#}s!%(ih*pPiO\}u\`H Aa5#?~U•N.qe>bu Y  j&]CkRL'|fph6$ri,^0LU|T^3va@sX$¡|˜iSHFIu۝F)pRziޡW'9r*t&NȘ2W=4/7sL= R\fLn[2|ƏMJ^V޴^e3PꊣE%{4>xnZwXI?֮[gE@W},-"Bm+VـL^&!e;ly+Si;R?Çk_?fsK 豿k$k;7=#,Y9z74bjt? wD8RBǝ=H>Qf7" 1Jro2`"؋2OقM=JmV=`W]1X!mO*HN)#aqj*-2?Z_{IdMX^$dTX!ԣ3AlNY#X?8W*֔ -<A_ Em[&ku/5l y 1kHIUX ޭqQ7d÷[o# UiˬciV_YXzZMux F v`4OE+08' +ČwDY[I`q]&෤-9X}>fY&oOw!-. .ZA,:ĂGbث;S+ {[RY.CMnNqXx;&7ot@ֵl c'o NOcefӶup?mXn @2վ]Sf\n&4T](0*؅Ԗ<{;ޯwòf,9ٓ4J1ϼ59dhnʼݒdIl3kp.ђ7"70\ލ<~g|)) = \iS!̠< ٿqe6k7#d3F%m7k~c2+ x*MIq M8vC6s B%=n%[B&_/RլQ^4RymP!ߺ.c$%$l ♷ D =3ѩA7R4 +pv5#U!2:ڹ~+SUVJQ_a\rzp/b}Y3`S(M˜@oHM+?Rg׎a#Yf&GB%^h*&qd8!@M׵/~<ERڴy FxmJn#šBQ­~߹sCpȭ-+q]["g8itN{F;@4j]|ǍųjazmBw?QUH %K8Kjhh'>h~}?+GzUI'W:Aõ 3ƽ <-6Ge r$2/gO= e]0A>\'ܪ&׊mR ٩%vG1&sp_T^n]ti2( G GWFf{? a=0|r Rc60VHהaN^?|a_FjrɽFnРmvwex}[GjėmSBQ:?r쩚V˄.3r"}—"9tfz g83#qR+Ixjwᴴ"=޲Zƫ:K cl4 I}Z [@k]3W:HN,&r#6>"Q 3d^0 U2'أc64)^-إG.} u}jMdʪNb$Y(T`V!TknVUPd9d=)Qjim oqKiz?4xGpkyY5^aC{ߧ=f߭678鬡@1'W D3-y!^iAdݷMߔON0OC8\#1yZyKV1"ӜuGL#BtmNOCP w/0TuČA~þ먝^DO l>TMnM َo])IZNGu ohˡOAHN Ea?.^kqf=˶ )eF9)蒧D6f>J!Rrj }@7JeT%BegpUl='<'VNB]ft&xQR -fK~V? 1VX\ٰ|ENU39"ͱ -$݁9R& %8jjUg+Dǡ2 *f{!ށe;S\Fj;*Eg*rA_o* J)Fw~/Rhnl"+1-=&nq2ܽhxBW${5C߫ں9*XeÓ7kMztɃXQlƆ< Bs-|b ~DK_+/1:2^+AvR%+N n =KVɢfEM1$.ggx`>YyD<MQ^]exdPmyi5U[c@hIb_CrtVRsrwTͭ^E2:y"*)V0܎g4  ܓRQF!{[˺+ϰb^~]Mrّa5ІFx JX> IZzBuGC}W@]lNr50,-;pJٽ\ʈM٠ ǐ(R~cݶCc^fZ_^ /jJUt0.ӧ5̿LE]QxNQWMRmEU;U<{5l1"ڒ+a|2"6 NAe;8r~ .*׶k&!Drkƣ=yyV4P-2FR0f wnwsdka +}J=OBOS(YðHpL 鐙p#U); tkj x |yUNR8Kvr`/n $sr VmZ:_7$ cu.k@jl%=#HTBs:j'hs0e;? /r[jQ&euM%?>ɱ4.B? #lїDRKLkWN]:&ṏ_7XV>=hgtQmz5 .ݣV\l,Bx}bgB84ӓSv }_sGbf#6ӥ%KsL$ d<^5?b|nSf16^?]7F(R?[Y%@GA1g;%v.FOSL2hr,K~W {ߨ)+5nc@Z\kws 5h5x= <yۢk"He#6ySǷ6O]-zHp@ɸth$*at~3E{K"|46׾Z?m8i\xyFPSP&c1%kdߣiJDw*Z5_"5Im C%dI7/{[Hʢ :*uS[rY -І 9Cb%tj6R"w[z35"lJB(hRǡcƾTAST-bl0ɇpBct, | {JXPWwN$e6F[ǒЈU#: c;͝=7un2@bpDX&&$ٓDB~#t9LogDPCOV십P!bb&"07e#=Y)\Mņvq~2ZUqRX|}ZCC99@q*27@jeNk&#I_S--@qx;G8Y])s)h &ʔ@h$%_o);is?#w>iDsbu6d:B+q`+'u$,EA*FVһ$—9[,f7@7!O"qm>.&%~eaŠsB^!Y,GJdAzR}G2T|`Y69(h|+U 4S)X` >ͪm;NYwf4sKb[c#A| Mĸ<]#I(g{pQ@j0| !EU/FfFq_K_3Aӓ&* &pܵ=?G0 C]XKN]noYW G`G;/+N$吁/1n՞eGB24ˆ!#9TYeʅ*rQf D pG|~[x wgۇAVNŦH xeR.4-u| >=E:SC|/4ԚP(L'4fbk4==%[Ar:7S :3xC^!紲A̷[YJ>5$Ϛ\lCLQ^qLlq`vFjpNW玆z=}ᮦ;L(p/]KN/=VHHqh$r7XQ.uy@O2mkg(.¼v0Ȱ$gzEs_wP-K%-{sr`KљֻB=l_"s!Rd5Q](Âe;78=5rџ3kS"'. ?ب՜_zӉnOt㴐`ˀ߱l < ̿?HZRnZ==J2јӁQx(b~C ԏ_gf}U3CnYI7-J \S}uuTLtot᧺UW.G<õC4 '"&Uu9^GƂ< ]:c9Am\⳨%Ws^~ |#K1 LV+g|fA0 RETRw!Ldsm1LU?nWuN)auNC@)dcY"׶[Ka#PиG7b&oɁ}"sLپ{ \#7<:S}(IeC++cpEyH\E0hUYly&#n( )CD $ r*#mhqQXjQ84 q?fxl IVAB`\ݥ%InڿT42R?}U0HxC ; 3.\??TxPk@~]+T$$ jwqÏbeV!dU_R@]_jK&,UC=Z\ީ`׿سlFJPKq sKihvٟ9~ԁ^Fw+q5Qﶓ>a|F;WM v@"_h%e+7N:’;F-Y?,h%.=c @iq?p[B-ہq\[-"4rn,{Pi]4 0_M5,u W"`kAheΖÝ@㭽u(@v9>5uDւQz=:e f[>7`)SCτِƥCiZ~ac*b18dT|wT`{V109ܫ>ڕ~1qLgerX$rkoŏ鶆+.ܪ8T@wN熃2@>Umo4q`>8N c)uږ<_]P'm!*w"kR[9WQ-׀ . bɼz4ѩ ֙(p,q딲w<̴A\ziSXn9T7o,ԑ4|xlK JDǎ2N[r$D.CS:ѿ*>f%dDv}H4iQA?qTWNJ1Jrv#ÃPJMNF,9ne;!>c[/Np!Gczh~릉l:> Mr]C0[9/ V%9A{SΣ*W8\Mr~]M>W,yڧ|=Rt]UqؑׄGړP@%7KXN5aBv707УޒʟKX~ߛ^y=o'a)>оy9ҫp^׍Í!<w"lD`H܏`wj^eSO՝3a-l!]Qnț^+Hvism;S-[:60Z-:)Mmm^ZM,-a$X;Z3opfVhJ8 OW>BbhV?h(ɑ_#Qg#( *[gv"0ӡUT8h˖dVh}],=\δ$63'} hTl G|Ʀ[Ck=J9Ybh1τv/2bLc,Y1̙K5hC|0T]`f٘&DR"(B}+9s݁z LNUk/D/j\.|HV.)ܸOuOĎr<# tFN,n1ɢT2洴uܡy%%'R8#.\?XT8ck1;EWqso}k ~Ƣc"[mk7p}{ /!Ghߍmron9IQkPIX“s84[ o_eNx&y꣼5mY 6FbٵqzW:I6j'FD",p D#̍+=`YXQuXX~RVN;'?A^VR>;F;TPBR@?F}Jq:pYvo t';Dª_waxrv}Il̏M"Bo|GWr Im<-tOU߹GŶ@&Xi-MuvItޒK-\ЫG}P*|dX4Cw,/ظz6B8(Ev-dOq͛-~ b85:zC>D}ZUX2ӴE Aud]C?ss ^DmN,_`B,ԇS)x>,z ^X(Ls0+w0}GSSB r4 > +lE`iNt ܇ywMw$$H8NJbb ,1;|Rs$=|rw/๞m5F&ѧvhǤˀmw64N0IɄ&ërb d]#?H`@LXxݯ"l?uO<'8iRAcx%dIn _[ͥL bFOp6Q%/b3X- g&=)%k1fu[T)(#6W>"]C\xsUק#| RKO+Si00֍VV6d[;vnjҴ>0t;lŸSEҢ$EXS0j ?Qȱ (\_pĺT-29f3}9_`&o6ْ~H hKږh~'ֽ4^"vKU?= Qp@ RlOD6 5HX Gdsw5Ii.%=ρKiڏ®ݬ8.>X;pWJ%/"RP`O樓Zz_\4D  eEV2w9֦*g%W[{N! C+oV+Cf&p{ۜq )K9x d0GXF/WV~(k9{93Io׿#1{VZrqmݽj.GYijçKà=̤chUR[)vv},mq[I*b)f2sl:u]vGŭR }bc([X]rP%s"אwRT+ ?8r#_383$[AOv(n/UƆ/62ᗩTE;gaH7aݸ)+!|QF?OeiXC;g{o7=tVɜpzgØ#(zu¯+y_}TU_. o!]o. "JԠ 6r.Цjmx\) Y} 5fJ*yZR4:$Q$jOSٴ/~Ia!#FN]x"2$]433U)Q[d,o5X8"C|bš\nS@7g0BTMՍܠC{tn/)!F;x(C[Tx5NCK.I6UPC ~-Ybؓ=L)lq_i~cnD<%K+bEÍ?)_Wd}k LPVXX JUX#ɔ!*|͝mk6R43L.닞JKsQ3(l`՗7[pB 7EQx&ZW,5"wD_t zF]HޫEx);=mͣ$?H,9Ë߲&q̣4O.JQ4f"8|MiL4OCb?}^C`{v2_`4 ZauӀ?X8a3f >[.Ϊs*uf8GFeZaQ 4FQA-ĥE'O$[m?N)7:&P%JXv\yb+JnIhag"%XCqI,5 d<<0 d/9D}H^ͤ<ȵ)PWâ Vk~ DfJ'%5޶XzV@ P|Zw&*'bٱoGxo&/xui QD^Me؅]AϽ%:ڧ6k8\#ap.> W=qR޹]D7$ϣ3fT I ? l=X$}tVI?+ޛ>>V]<8EeP7 gÂ7/RZH@=q^d@$YC6-{ Wˀ];U=Q y\@Ҏ n@ ;¦^[ڳ?Fxou4n筱y+k ;D*\Vv $Тwx o,ѯzQV0F м&`1H .W/7 _Gր2|2 Lp'/(-<+ͨBP%7oH9gAԴzhYbx%m6QcMtm#Gs`yr~SAfX%L2Y,>ԆڞWjv'r [&›1 }ѣlhDŽH.-Z46uc~9SO1sF>OzLMft ޠͳKp#撒ȭ_ B(͔)[Y]Ј?y8{JδITQx' t˞0 RTy9Ih}j=wFܮ=d0N҈l(G2)F#L@k]2@:Km blE_-Yw3Hǵc#D0#'Q)1fzZ=LtM!tRr-ZLD iG j9;♳{t U7E@&!ˆVQ?2]llk%}q5LiOJ!bȄ-sՑLwjTkٟ‹]oJnIӈٖu/ _'ɲ΄)Kߵ Z<06|MbPN.Nz&AwC}l6o 61Oy;O;JF~{y)79Ha›xS23łk`E)k}Ή]|LruuL^|HVfT@;6By."񅔕*TKx KCv34ݩA[H9m;WwKŅ ^hm/@!57[WID@]$p)l1c/F7Ԓ]ҵ0̠fZG׶E;TvTo+۰h(aj7Gj`KAD/cz4z&%@; oq;rLEe ︞}D.y ~ر 3&0urm[F*5翴z6"lbUؖ0UgA@8.ylFiOQ,HgY|,XQl vK=n*EPnA3 ? a"aQ7Ax[%9 ڛq6C^+ZSw4h=C2Eˡ^u$f^P }6#]E\z-C-Z,'v_.-cJ#;\oy'z~Rx&AxBRZs*Pe&gH1g.6Q PP5IbV+Anh& qHch+BZ`($bEަ:-ZfHмn067 !AbL ܍^9|M_=n'Wnz@]afhWp{0o9[ *Dq9v-A_b)Wrwoj;M]jk|Y3zԌGشת5b8|(~ eʦq <˞gZԶn pՠ徰˩^lw4̳K-=(7.DԼ!@& 1Gx PD\Q]6dsA؛F'! LLB+U!lxОb,P2!3O-q lגuBdӛo.ՀKNeȒu3[F%{>M5v ]}IbH*RJe?I&Bt]_oᰐc09^dr>/\9k]C.L/H!*:YԠBHLS)?+ŷFa4,sH15)x&/k)G@3.dW#AGa@-=hO1lwM'Zl˜i ) _phpkh頒Gڋ>f1r|^dw6z9pN‚ nr$D|P>{~BX& jVq2bbdab/Q7”GFdžk?CvGlZ!+ 3CFJw 2v7l ʑ]*ȗ@P'lS0DC!]J9b7,;/V0AoC!u&Jg }O i /&6VuKז'1՛4J)Z1\oGqʦ4 [`ED"giPpc3EVl!A*fyT̻;oNAeUǛ'M"MJLeKS/ |Mm˱dʘ=ߕ/sPYuգX f&1~^qi,̢Mzok6 .NE@p^9b;bt[ڭ!L SE 9SV=ޱC:"^1 A~5 \?(o6Tqk<֊ݝ `f#. pL(duW GXBf!q;qQ=-owNjr3`J YZ