������freeradius-server-libs-3.0.21-150200.3.12.1�������������������������������������������������������<���>�������,��������������������������������������������������������c�$p9|���]U�<[#*w&Ony.D#_`�˔8k8f6u,H3t:~�]59�UCC)*% �33�)CEIW7���PCL3H�ڠoC7089K`1^�x^"*T�OT��ofA$Fx˝]b�?Hv7�*ROE�AXe�pﭗR�PM�>?�p`C5L���9(+R�1Kb�Pbg5>bd:ȼ�zMy���>��������������������>��4���?������$�������d���������������������������������������������������� ���������� ���.���������� ���H��������������l��������������p��������������|������������������������������������������������������������������ �����������������������������������������������!���������������(���������������H������� �������X�������
�������h��������������������������������������
�����������������������8���������������`�������������������������������������������������������������������������������������������������(�������*�������8�������4���(���9����������(���:������
���(���F������q�������G�������������H�������������I�������������X�������������Y�������������\��������������]������8�������^�������������b������+�������c�������������d������`�������e������e�������f������h�������l������j�������u������|�������v�������������w�������������x��������������y������4���$���z���������������������������������������������������������� ����C�freeradius-server-libs�3.0.21�150200.3.12.1�FreeRADIUS shared library�The FreeRADIUS shared libraries.����c�$s390zp36������SUSE Linux Enterprise 15�SUSE LLC �GPL-2.0-only AND LGPL-2.1-only�https://www.suse.com/�System/Libraries�http://www.freeradius.org/�linux�s390x����������ʸ�����R�������'��F[AA큤����������������c��c��c��c��c��c�!^z�M^z�M�a32d04b6d71cd357220b3e0d0136f739b77c0ac69f326aab5449be5a5161c31e�55ebf513dfe57e1a80a594d181f4f03c1946650b55186c46b67c63c8e1d6274c�93245f975b8f3783358bdf2429288a7cfcbf4e72e4bebce03efe7970e5615293�53f95151239a6f6d7f4e5ece945d85faea82ec0bf48a775f891387da117d8b6f��8b9cc1e5d41938be45a368f126a6d1fda03d60a3d622dc75e776be4e90c2d2c6�e6d6a009505e345fe949e1310334fcb0747f28dae2856759de102ab66b722cb4���������������������������������������root�root�root�root�root�root�root�root�root�root�root�root�root�root�root�root�freeradius-server-3.0.21-150200.3.12.1.src.rpm������freeradius-server-libs�freeradius-server-libs(s390-64)�libfreeradius-dhcp.so()(64bit)�libfreeradius-eap.so()(64bit)�libfreeradius-radius.so()(64bit)�libfreeradius-server.so()(64bit)�����@���@���@���@���@���@���@���@���@���@���@���@���@���@���@���@����
���
���
���
ld64.so.1()(64bit)�ld64.so.1(GLIBC_2.3)(64bit)�libc.so.6()(64bit)�libc.so.6(GLIBC_2.15)(64bit)�libc.so.6(GLIBC_2.2)(64bit)�libc.so.6(GLIBC_2.3)(64bit)�libc.so.6(GLIBC_2.3.4)(64bit)�libc.so.6(GLIBC_2.4)(64bit)�libc.so.6(GLIBC_2.8)(64bit)�libcrypto.so.1.1()(64bit)�libcrypto.so.1.1(OPENSSL_1_1_0)(64bit)�libpcap.so.1()(64bit)�libpthread.so.0()(64bit)�libpthread.so.0(GLIBC_2.2)(64bit)�libtalloc.so.2()(64bit)�libtalloc.so.2(TALLOC_2.0.2)(64bit)�rpmlib(CompressedFileNames)�rpmlib(FileDigests)�rpmlib(PayloadFilesHavePrefix)�rpmlib(PayloadIsXz)�����������������3.0.4-1�4.6.0-1�4.0-1�5.2-1�4.14.1����ct`@_�@_FN^y@^p^h^�@\\v{\u*@[<[2*ZZWQY�Y�@YlY,
@XO@X@X*Xh@X.@W�@WiV�@V.�V�f@UĝU@U@U�U8U7@TZ@T�T�T~@T|X@adam.majer@suse.de�adam.majer@suse.de�adam.majer@suse.de�adam.majer@suse.de�adam.majer@suse.de�adam.majer@suse.de�adam.majer@suse.de�jcnengel@gmail.com�michael@stroeder.com�adam.majer@suse.de�michael@stroeder.com�adam.majer@suse.de�michael@stroeder.com�michael@stroeder.com�michael@stroeder.com�adam.majer@suse.de�varkoly@suse.com�michael@stroeder.com�adam.majer@suse.de�michael@stroeder.com�kukuk@suse.de�adam.majer@suse.de�jengelh@inai.de�adam.majer@suse.de�michael@stroeder.com�adam.majer@suse.de�michael@stroeder.com�jkeil@suse.de�michael@stroeder.com�jkeil@suse.de�jkeil@suse.de�jkeil@suse.de�michael@stroeder.com�vcizek@suse.com�michael@stroeder.com�tchvatal@suse.com�vcizek@suse.com�dimstar@opensuse.org�vcizek@suse.com�meissner@suse.com�- CVE-2022-41859.patch: fixes information leakage in EAP-PWD
(bsc#1206204, CVE-2022-41859)
- CVE-2022-41860.patch: fixes crash on unknown option in EAP-SIM
(bsc#1206205, CVE-2022-41860)
- CVE-2022-41861.patch: fixes crash on invalid abinary data
(bsc#1206206, CVE-2022-41861)�- logfile_secrets.patch: do not log passwords in logfiles (bsc#1184016)�- freeradius-server-radiusd-logrotate.patch: move logrotate
options into specific parts for each log as "global" options
will persist past and clobber global options in the
main logrotate config (bsc#1180525)�- freeradius-server-radiusd-logrotate.patch: fix permissions in
logrotate global section (bsc#1170505, bsc#1174905)�- update to 3.0.21 (jsc#SLE-11896)
Feature Improvements
* New stored procedure for allocating IPs with PostgreSQL
Rates of 1500 IPs per second are now possible
See raddb/mods-config/sql/ippool/postgresql/procedure.sql
* Add SQL IP pool support for Microsoft SQL Server
See raddb/mods-config/sql/ippool/mssql/
* Added RCNTEC dictionary. Closes #3168.
* Added Pica8 dictionary. Closes #3179.
* Add TLS-Client-Cert-Valid-Since attribute holding not
Before date Patch from Boris Lytochkin. Fixes #3157.
* Generate attributes containing unknown OIDs See raddb/sites-available/tls
* Update the WiMAX dictionary.
* Added ability to rlm_python(Python2) show a stacktrace
from errors. #2979.
* Add WiFi Alliance Policy OIDs.
See raddb/certs/xpextensions
* radmin now shows coa stats, too.
* Sample schema extensions for summarizing data in SQL
See mods-config/sql/main/*/process-radacct.sql
* Update dictionary.aerohive, dictionary.fortinet,
dictionary.arista and dictionary.erx.
* Added VAS Experts dictionary.
* Many updates to RPM and jenkins builds from Matthew Newton.
* Added %C (time now in seconds) and %c (microsecond component of now)
back-ported from the "master" branch.
* Add reload capability to systemd unit file in Debian and RedHat.
* Increase timestamp precision in postauth to maximum supported by each
database and simplify (and make more consistent between drivers)
the timestamps in SQL queries by using expansions.
* Option to set dictionary path in raduat script.
Bug Fixes
* Various fixes found by PVS-Studio.
* Set permissions of certificates in bootstrap shell script Fixes #3132.
* Increase the 'nasportid' SQL field for 'varchar(32)'. #3141.
* Skip processing proxy reply if there are no home servers available.
* Update SQLite IPPool queries. Fixes #3177
* rlm_sql_unixodbc fixes. Fixes #2822.
* Fixes when building with LibreSSL.
* Fix the rlm_python3 build. Note that this module is experimental. #3183.
* The rlm_python should append the 'python_path' paths in 'sys.path'.
It fixes the expected behavior to use the existing Python modules
Fixes #3180.
* Fix rlm_python to print the script errors properly.
* Bound total query time for PostgreSQL. Fixes #3253.
* Many fixes to Oracle sqlippool. It now does 500 IPs per second
without any tuning. Fixes #3270.
* Reference sqlippool by it's correct name. Fixes #3272.
* Revert 3.0.20 patch which caused crashes on duplicate clients.
* Update WiMAX-MSK attribute. Fixes #3280.
* Fix crash when trying to access non-existant regex capture group.
* Use timestamps (request or server) rather than SQL NOW()
in accounting queries so that these are stable when replayed
from a file buffer.
- freeradius-python3_patches.patch: upstreamed�- update to 3.0.20 (bsc#1146848)
Feature Improvements
* Added Force10 dictionary.
* Update dictionary.hp with new attributes. #2690.
* Update dictionary.aruba with new attributes. #2696.
* Fix side-channel leak in EAP-PWD (bsc#1144524, CVE-2019-13456)
* Relax OpenSSL version checks, now that their API is both public, and stable.
* Note that tls_min_version/tls_max_version also support "1.3"
Since there is no standard yet for EAP with TLS 1.3, it will not work.
* Added tripplite dictionary from #2760.
* Switch to the async interface for rlm_sql_postgresql so that
we can enforce query_timeout.
* Added new LDAP option 'allow_dangling_group_ref'.
* Updated documentation and functionality for EAP session caching
See "cache" section of mods-available/eap.
* Tighten systemd unit file security. Fixes #2637.
* Disable TLS 1.0 and TLS 1.1 support in the default configuration
We STRONGLY recommend doing this for all installations.
* Add expansions for *outgoing* Radsec connections
"%{proxy_listen:TLS-...}" for TLS-Client-Cert-* and
TLS-Cert-* attributes. Fixes #2839.
* Add %{listen:tls} which returns "yes" or "no" for
TLS or non-TLS connections.
* Update dictionary.lancom with new attributes. #2847.
* Added rlm_sql_mongo. See raddb/mods-available/sql.
Note that this module is experimental.
* Added more documentation in sites-available/robust-proxy-accounting.
* sqlippool now re-allocates unexpired leases, to prevent IP pool
exhaustion when clients perform multiple reauthentication attempts
* Add support to radmin keep the history in ~/.radmin_history.
* Add support for ENV and LD_PRELOAD in radiusd.conf.
See the new ENV sub-section of radiusd.conf.
* Update dictionary.aptilo. #3002.
* Update dictionary.airespace. #3039.
* Add sites-available/coa-relay, which makes CoA easier #3045.
* Add example stored procedure for IP Pools in MySQL
See mods-config/sql/ippool/mysql/procedure.sql
* Update dictionary.dhcp dictionary with the recent hardware types.
* Add experimental rlm_python3. This should largely work
the same as rlm_python, which was Python2 only.
* Add Dockerfiles for Debian10 and CentOS8.
* Add RPM spec file compatibility for RHEL/CentOS 8.
* Notes on certificate constraints. See raddb/certs/server.cnf.
* Add NAIRealm example to raddb/certs/server.cnf, for RFC 7585.
Bug Fixes
* Allow listen.ipaddr to reference an IPv6-only host. Fixes #2627
* ERX-Acct-Request-Reason is "integer". Closes #2635.
* Fix a slow memory leak in the file management code.
* Try to fix file permissions if they get modified while
the server is running
* Fix slow memory leak with clients.
* Fix request and connection timeouts in rlm_rest.
* Fix systemd issues.
* Fixes from clang analyzer.
* Fix missing include for the dictionaries:
alcatel.esam, altiga,alvarion.wimax.v2_2,aptis,asn,
audiocodes,avaya,bristol, columbia_university,freedhcp,garderos,
infoblox,motorola.illegal, starent.vsa1, telkom, wimax.wichorus.
* Fix internal sanity check when running with "-Xx".
* Allow "inner-tunnel" virtual servers to work better
with "accept" and "reject" policies.
* Fix dictionary.huawei data types for
Huawei-DNS-Server-IPv6-address and Huawei-Framed-IPv6-Address.
* Framed-Interface-ID in postgresql/queries.conf is string,
not inet Fixes #2817.
* Fix rlm_cache to complain on unknown attributes in the "update"
section of its configuration.
* Add configure checks for -latomic. This helps on armel,
mips and mipsel. Fixes #2828.
* Add support to Oracle 19 and 18. Via #2857.
* Add support for decoding tags in rlm_rest. Fixes #2848.
* Use correct passwords when updating CRLs in raddb/certs/.
* Properly separate "originate-coa" packets when accounting
packets are read from the detail file reader.
* Use the correct virtual server for pre/post-proxy.
* radsqlrelay fixes backported from "master" branch
* Fix DoS issues due to multithreaded BN_CTX access
(bsc#1166847, CVE-2019-17185)
- disable python2 for SLE15 and Factory
- freeradius-server-enable-python3.patch: enable Python3 module
- freeradius-python3_patches.patch: backport python3 fixes from upstream
- freeradius-server-opensslversion.patch: updated�- Enable memcached driver on SLE15�- Add missing BuildRequire on samba-core-devel required for windbind
support in rlm_mschap.�- update to 3.0.19 (jira#SLE-5890)
Feature improvements
* Update dictionary.cisco
* Update sqlippool to allow for stored procedures with
PostgreSQL. This increases performance substantially.
Patch from Nathan Ward. Fixes #2540.
* Re-added "show client config" command to radmin.
* Cleaned up mods-available/sql example so that it is
easier to understand.
* Added pfSense dictionary. Closes #2581
* Update dictionary.h3c Closes #2592
* Update elasticsearch/logstash config for v6.7.0.
* EAP-PWD security fixes from Mathy Vanhoef. See
http://freeradius.org/security/
(CVE-2019-11234, CVE-2019-11235, bsc#1132549, bsc#1132664)
Bug fixes
* Update dynamic_client module and server core so that
the functionality works. This has been broken since
at least v2.
* Fix crash in sqlippool due to escaping changes.
Patch from Nathan Ward. Fixes #2532, #2533.
* Fix systemd notify, watchdog and unit files.
Fixes #2541, #2499.
* Fix erroneous length check in EAP-FAST.
* Update documentation to remove old "ignore_null"
configuration. Fixes #2578.
* Fix default POD port. Should be 3799. Fixes #2591
* Correctly encode vendor-specific "encrypted" attributes.
Fixes #2600�- reformat changelog mostly by wrapping lines
- add missing bug numbers for security fixes�- update to 3.0.18
* cleanup_delay can now be 30 seconds. This helps with proxies that have packet loss.
* Do-Not-Respond policies can now be set in the "post-auth" section.
* Encode / Decode ADSL Forum DHCP options.
* Fix module ordering issues. e.g. when "sqlippool" needs "sql".
See the "instantiate" section of radiusd.conf.
* Add Big Switch dictionary. Fixes #2252.
* Add sql_session_start policy (raddb/policy.d/accounting)
This minimizes race conditions when using Simultaneous-Use (#2257).
* For rlm_perl, all variables are now tainted by default.
See raddb/mods-available/perl, and the "perl_flags" configuration item.
This change should only affect people who are using variables in
insecure ways.
* Allow "sqlcounter" module to be listed in "post-auth".
* Add support for IPv6 attributes in SQL. Fixes #2280
* The server is better at handling fail-over for outbound RadSec and
TCP connections. Fixes #2284.
* The server is now more aggressive about retrying failed outbound
RadSec and TCP connections. Fixes #2284.
* Add TLS-Session-Version and TLS-Session-Cipher-Suite to the "session_state" list.
* Add expansion for Radsec connections. "%{listen:TLS-...}" for
TLS-Client-Cert-* and TLS-Cert-* attributes.
* Add notes on running "ldapsearch" using the parameters from the LDAP module.
* "ipaddr" attributes can now be cast to "integer" type attributes
in an "update" section.
* Move main thread queue to using atomic queues. This should help
with contention in high load scenarios.
* Add "recv_buff" setting to listeners. For more details,
see sites-available/default.
* The sqlippool module can now use attributes other than "Pool-Name"
to assign IP pools. The "Pool-Name" attribute is still the default.
* The "unpack" expansion can now unpack substrings.
See mods-available/unpack for documentation and examples.
* The preprocess module now does "ciscvo_vsa_hack" for Eltex-AVPair
Fixes #2301. Vendors SHOULD NOT USE THAT KIND OF ATTRIBUTE.
* Allow for -LDAP-UserDN. See mods-available/ldap for more information.
* Add sanitizing of control list for moonshot. Fixes #2318.
* Update rlm_sql_mysql to be compatible with MySQL 8
Fixes https://bugs.launchpad.net/bugs/1795310.
* Allow logging of only Access-Accept or Access-Reject messages
See radiusd.conf, "auth_accept" and "auth_reject".
* Removed Connect-Rate comparison. It was unused and broken.
* Add dictionary.infinera.
* Use OpenSSL HMAC functions instead of local ones.
* Some SQL modules can now use "auto_escape" to escape unsafe strings
See mods-config/sql/main/mysql/queries.conf.
* Add wispr2date conversion in mods-available/date.
* Implement dictionary-based handling in rlm_python.
Fixes #2334 See mods-available/python for details.
* Add support for SKIP LOCKED in sqlippool. This can improve performance
by an order of magnitude or more.
See raddb/mods-config/sql/ippool/*/queries.conf Fixes #2383
* Allow PSK and certificates at the same time Except for TLS 1.3
which does not support that.
* Update docker scripts. Fixes #2306 Patch from Matthew Newton.
* Add crypt xlat.
* MySQL connections can now skip verifying the server certificate.
Fixes #2481. See mods-available/sql.
* Add better mechanism to detect MariaDB (Old MySQL).
* Add RFC 7532 "bang path" support for realms Fixes #2492.
* Update dictionary.ukerna documentation. Fixes #2493.
* Add support for systemd service and watchdogs Fixes #2499.
* Check for openss/rand.h, and allow building without OpenSSL engine.
Patch from Eneas U de Queiroz Fixes #2517.
* The default PosgtreSQL queries now use "ON CONFLICT" to better
deal with issues. This requires PostgreSQL 9.5 or later.
Please use a recent version of PostgreSQL, or edit the default
queries to remove "ON CONFLICT".
BUG FIXES
* The session-state list is no longer cleaned in the inner-tunnel.
This lets the outer Access-Reject section access session-state.
* Fix typo in lock initialization for TLS sockets Found by Sergio NNX.
* Add check for crash when home server down Fixes #2233.
* Add username key for postauth table.
* Better libpcap checks, when the header files or libraries are missing. Fixes #2245.
* Allow building with old versions of OpenSSL Fixes #2247.
* Allow non-FreeRADIUS State attributes to be used with the
"session-state" list. i.e. State length != 16.
* Be more aggressive about cleaning up zombie children when running in debug mode.
* Use LTDL_DEEPBIND, which fixes issues with Oracle libraries
exporting LDAP API functions.
* unlock files when asked to unlock them.
* return error instead of asserting in map code.
* Don't write 0 bytes to SSL. Fixes #2270.
* Remove "expiry_time IS NULL" from allocate_update query. Fixes #2262.
* Various dictionary cleanups and consistency checks Fixes #2281.
* rlm_python has stronger thread locking to prevent reported issues.
Performance may be affected.
* Don't allow Message-Authenticator to overflow past the end of a large packet.
* Fix crash in sqlippool when SQL server goes away Fixes #2300.
* Typos in man pages. Patch from Nikolai Kondrashov Fixes #2303.
* Fix crash with CoA packets/ Fixes #2304.
* Fix crash in rlm_exec with CoA. Fixes #2328.
* Print errors while parsing the log config, and don't quit when
deprecated log settings are found.
* Fix DHCP encoder xlat so that it can be used with a list of attributes.
It previously only encoded the first member of the list,
and now encodes all members.
* The "expr" module now skips more whitespace.
* Remove internal FreeRADIUS-Response-Delay attributes from
attr_filter Access-Reject.
* Don't send junk to redis when maximum args reached.
* Small updates to IPv6 for accounting schema Fixes #2364.
* Fix OpenDirectory integration in rlm_mschap.
* Fix slow memory leak with dynamic clients.
* Don't artificially truncate debug output for long strings.
* Fix memory leak in EAP-PWD.
* Fix crash in "hints" file with Fall-Through = yes.
* Fix crash / timer issues with many CoA packets.
* Fix attr_filter so that it does not treat vendor attributes of
number 26 as Vendor-Specific.
* Fix reconnect correctly in rlm_sql_mysql.
* Fix rlm_cache to properly use Cache-TTL < 0 Fixes #2485.
* Fix rare occurance of bad xlat expansion.
* Check for rare race condition when a proxy reply arrives too late.�- install license as %license instead of documentation�- also fix ownership of /var/log/radius in systemd unit�- update to 3.0.17
Feature Improvements
* Add CURLOPT_CAINFO. Patch from Nicolas C #2167.
* "stats home server" now supports "src IPADDR", to specify home
server also by source IP. Fixes #2169.
* Add Dockerfiles for a selection of common systems.
* Increase number of permitted file descriptors, for systems with many
home servers.
* Add TLS-Client-Cert-X509v3-Extended-Key-Usage-OIDs
Patch from Isaac Boukris. Fixes #2205.
* Update main READMEs. Patches from Matthew Newton.
* Added dictionary.mimosa.
Bug Fixes
* Don't call post-proxy twice when proxying to a virtual server.
Matthew Newton, #2161.
* Use "raw" string value for shared secrets and dynamic clients
It now parses strings with backslashes and "special characters"
correctly. Fixes #2168.
* Fix RuntimeDirectory for RedHat, from Alan Buxey.
* Relax checks in 'if' parser from Isaac Bourkis.
* Minor cleanups for %{debug_attr:&request} from Isaac Boukris.
* Be more aggressive about cleaning up cached certificate attributes,
due to deficiencies in OpenSSL. Reported by Nicolas Reich.
* Be more accepting when parsing IPv6 addresses. Bug noted by Klara Mall.
* Fix double free in rlm_sql. Fixes #2180.
* rlm_detail now writes empty Access-Accept packets.
* rlm_python can now create tagged attributes.
* Don't crash on duplicate realm + authhost / accthost
* Allow partial certificate chain to trusted CA. Fixes #2162.
* Treat SSL_read() returning zero as error. Fixes #2164.
* detail writer now checks if the file was renamed or deleted.
* Add User-Name to Access-Accept if EAP-Message exists, not Stripped-User-Name.
* RedHat Systemd updates. Fixes #2184.
* Use correct API for State variable in rlm_securid.
* Remove broken radclient option "-i".
* Fix "users" file (and hints, etc). So that it does not get confused
about entry ordering with multiple $INCLUDEs.
* Fix rlm_sql to expand the un-escaped string, not the raw string.
* Link default and inner-tunnel only if they exist. Fixes #2206.
* Don't use both IP_PKTINFO and IP_SENDSRCADDR.
* Always install signal handler for SIGINT (needed by Docker).
* Fix intermediate CA flow for OCSP. Fixes #2160 Intermediate certs
which are not self-signed will now be checked.
* sqlippool now returns "fail" if it fails IP allocation.
* Fix rlm_yubikey to look for correct attribute in replay attack check.�- update to 3.0.16
Feature improvements
* rlm_python now supports multiple lists. From #2031.
* Add trust router re-keying. From #2007.
* Add support for Samba / AD LDAP schema.
See doc/schemas/ldap/samba/README.txt and
doc/schemas/ldap/samba/
* Add "tls_min_version" and "tls_max_version" to EAP module
for Debian OpenSSL issues.
* Better documentation for client certificates in PEAP and TTLS:
it usually doesn't work. Fixes #2068.
* Distinguish login failure from AD unavailable. Fixes #2069.
* Update RH spec files. Fixes #2070.
* Run Post-Proxy-Type if all home servers are dead.
Fixes #2072.
* Print offending IP addresses when EAP sessions come from
two upstream home servers, and rate-limit the messages.
* Minor packaging updates.
* Better documentation for rlm_rest.
* EAP-FAST now has it's own "cipher_list", so that it is
easier to configure.
* EAP-FAST now forcibly disables TLS1.2, until such time
as we implement the new keying mechanism from TLS1.2.
* Add documentation for allow_expired_crl.
* Update Debian logrotation. #2093 and #2101.
* DHCP relay can now drop responses. #2095.
* rlm_sqlippool can now assign Delegated-IPv6-Prefix.
It also now can assign any IPv4 or IPv6 address.
Based on patches from maximumG. #2094.
See raddb/mods-available/sqlippool for changes.
* radeapclient can now use EAP-SIM-Ki to dynamically
create the necessary triplets.
* Explain why many LDAP connections are closed.
Fixes #1969.
* Debian build / package issues fixed by Matthew Newton.
* dictionary.patton updates from Brice Schaffner. Fixes #2137.
* Added scripts to build "inner-server.pem", and updated
mods-config/inner-eap and certs/README to match.
* Added provisions for using an external CA. See raddb/certs/
* Include dhcpclient binary in freeradius-dhcp debian packge.
Bug fixes
* Bind the lifetime of program name and python path to the module
FR-AD-002 (redone)
* Pass correct statement length into sqlite3_prepare[_v2]
FR-AD-003 (redone)
* Allow 100-Continue responses with additional headers in rlm_rest.
* fix corner case where detail files were not being locked
correctly.
* Fix (SQL-Group == "%{...}") checks, and same for LDAP-Group.
Fixes #1947
* Clean up exfile code. Which should help to avoid issues
with reading / writing 100's of detail files.
* Fix build for winbind. Patch from Alex Clouter.
* Fix checkrad for Mikrotik. Patch from Muchael Ducharme.
* Fix home server stats lookup. Patch from Phil Mayers.
* Add libjson-c3 as an optional dependency.
* Require LTB OpenLDAP on CentOS / Redhat, to avoid linking
against NSS, which breaks the server. Fixes #2040.
* rlm_python fixes. Fixes #2041
* Typos in "man" pages. Fixes #2045
* Expand "next" in %{%{...}:-%{...}}. Fixes #2048
* Don't add TLS attributes twice. Fixes #2050.
* Fix memory allocation in rlm_rest. Fixes #2051.
* Update trustrouter for new API. Fixes #2059.
* Fix SQLite issues on FreeBSD. Fixes #2060
* Don't do debug logging of bad passwords. Fixes #2064. (bsc#1099802)
* More graceful handling of "die" in rlm_perl. Fixes #2073.
* Fix occasional crash when using
cisco_accounting_username_bug = yes
* EAP-FAST fixes from Isaac Boukris.
[#2078], #2076, and #2082, #2126.
* DHCP fixes, relay, #2092, add run-time check, #2028
* Decode multiple RADIUS packets at a time in highly loaded
RadSec connections. Patch from Jan Tomasek. #2106.
* TunnelPassword is not "single value" in LDAP schema.
Fixes #2061.
* sql log now opens the expanded filename, not the input one.
This was a regression introduced in 3.0.15.
* Remove unnecessary UNIQUE constrain in Oracle schemas.
* Fix SSL thread and locking issues when modules also use SSL.
Fixes #2125 and #2129.
* Re-add dhcpclient "raw packet" changes. Patches from
Nicolas Chaigne and Matthew Newton. Fixes #2155.�- Fix permissions of radiusd.service (bnc#1053654)�- bsc#1055679 - freeradius-server does not provide winbind/AD auth
Added libwbclient-devel as buildrequires�- update to 3.0.15 with security fixes for
issues found via fuzzing by Guido Vranken (bsc#1049086)
https://freeradius.org/security/fuzzer-2017.html
* CVE-2017-10978: FR-GV-201 (v2,v3) Read / write overflow in make_secret()
* CVE-2017-10983: FR-GV-206 (v2,v3) DHCP - Read overflow when decoding option 63
* CVE-2017-10984: FR-GV-301 (v3) Write overflow in data2vp_wimax()
* CVE-2017-10985: FR-GV-302 (v3) Infinite loop and memory exhaustion with 'concat' attributes
* CVE-2017-10986: FR-GV-303 (v3) DHCP - Infinite read in dhcp_attr2vp()
* CVE-2017-10987: FR-GV-304 (v3) DHCP - Buffer over-read in fr_dhcp_decode_suboptions()
* CVE-2017-10988: FR-GV-305 (v3) Decode 'signed' attributes correctly
* FR-AD-002 (v3) String lifetime issues in rlm_python
* FR-AD-003 (v3) Incorrect statement length passed into sqlite3_prepare�- update to 3.0.14 (still FATE#322416)
Feature improvements
* Enforce TLS client certificate expiration on session resumption,
and Session-Timeout. See CVE-2017-9148 (bnc#1041445)
* Updated dictionary.cisco.vpn3000, dictionary.patton
* Added dictionary.dellemc
* Lowered the log output for failed PEAP sessions.
* ALlow utc in rlm_date.
* The internal OpenSSL session cache has been disabled.
Please see mods-available/eap
* Update detail reader documentation.
* Make outgoing RadSec connections non-blocking.
* Add SQL backing to Moonshot-*-TargetedId generation.
Bug Fixes
* radtest uses Cleartext-Password for EAP, not User-Password.
* Update documentation for mods-enabled/ linking.
* Enhanced checks for moonshot salt.
* Allow session resumption for RadSec connections.
* Update "huntgroups" file to note that port ranges are not supported
* Fix OpenSSL permissions issues on default key files.
* Certificates are not required when PSK is used.
* Allow SubjectAltName as first extension in cert.
* Fixed talloc issue with TLS session resumption.
* "&Attr-26 := 0x01" now produces useful error messages.
* Handle connection error in rlm_ldap_cacheable_groupobj.
* Fix endian issues in DHCP.
* Multiple minor fixes for Coverity complaints.
* Handle unexpected regex.
* Fix minor issues in dictionaries.
* Fix typos and grammar. Patches from Alan Buxey.
* Fix erroneous VP creation in rlm_preproces.
* Fix MIB. Patch from Jeff Gehlbach.
* Trust router updates from Alejandro Perez.
* Allow build with LibreSSL.
* Use correct packet for channel bindings.
* Many fixes found by PVS-Studio. Thanks to PVS-Studio for giving us
a test license. Please see the git commit history for more info.
* Fix incorrect length check in EAP-PWD. This may be exploitable.
* Stop rotating session database files (radutmp, radwtmp) since
these are not logfiles.
- freeradius-server-radiusd-logrotate.patch: updated�- removed obsolete freeradius-server-fix-cert-bootstrap.patch
because recent /etc/raddb/certs/bootstrap simply works
- update to 3.0.13 (still FATE#322416)
Feature improvements
* Add dictionary.rfc7930. Note that we do not implement
the RFC.
* Added 'cipher_server_preference' to mods-available/eap
Patch from #1797.
* OpenSSL 1.1.0 compatibility fixes.
* rlm_perl: radiusd::xlat to evaluate xlat string
within perl script
* Allow authentication retry in winbind. Patch from
Herwin Weststrate. See raddb/mods-available/mschap.
* Added "recv-coa" method to rlm_rest. It behaves the
same as "authorize".
* Document Trust Router tr_port option. Patch from
Stefan Paetow.
* Update elasticsearch/logstash examples so that they work
with elastic stack v5. Patch from Matthew Newton.
* Print information about packets, replies, and contents
in the detail file reader.
* Update abfab-tr policy. Pull request #1893
from Stefan Paetow.
* Reject packets which contain User-Password and
EAP-Message.
* Add example for filtering Access-Challenge.
See sites-enabled/default.
* Pull symlink fixes from v4.0.x. Fixes #1859.
* Add systemd reload. Not everything is reloaded, but
some is. Fixes #1662.
* Better documentation for listen "ipaddr". Fixes #1921
* Add dictionary.cnergee, updated dictionary.nomadix.
* radclient no longer needs -x to print statistics with -s.
Bug fixes
* Minor typos. Fixes #1763
* Fix typo in RPM build. Closes #1767.
* rlm_mschap check for password expiry only
if password was correct. Fixes #1762.
* Update debian build.
* update rlm_counter "man" page. Fixes #1775.
* Remove erroneous assert. Fixes #1778.
* fix mschap password change test. Fixes #1792.
* Cleanup config file on data remove. Fixes #1795.
* passwd module returns "notfound" if not found.
* Check for old OpenSSL, and don't build rlm_eap_fast
if it necessary. Fixes #1803
* Cleanup memory better after ldap version query.
Patch from Aleksey Katargin.
* Rename lt_* functions to avoid linker issues with
libtool. Fixes #1277
* Many miscellaneous fixes and typos.
* Allow long strings in %{%{foo} bar:-%{baz} blah".
Fixes #1866
* Fix filtering operators, along with more documentation and
more tests for them.
* Fix OpenSSL fixes. Fixes #1876.
* Finish SQL select queries even when SELECT returns no rows.
Fixes #1879.
* Set Module-Failure-Message for more EAP errors.
* Correct typo in dictionary.rfc5580. Fixes #1882
* Remove obselete systemd syslog.target.
* Client-Port-Balance load-balancing now uses client port.
* Radrelay examples fixed from Alex Clouter.
* Update systemd target. Pull request #1896.
* Trim starting whitespace in xlat strings.
* Get MySQL result lengths using normal API.
* suid down after fchown(). Fixes #1914.
* Fix cases of comparing pointer to NUL character. Fixes #1915.
* OpenSSL v1.1 fixes. Pull request #1921.
* Better Handle v4/v6 host names. Pull request #1919.
* Remove "Auth-Type = System" from docs and examples.
* Don't crash on malformed %{home_server}. Fixes #1922
* fix erroneous use of talloc destructor in rlm_eap
* Issue trigger modules.sql.fail. Fixes #1923
* Document python_path gotcha's. Fixes #1845
* dlopen() the specific version of Python. Fixes #1592�- Don't require insserv if we use systemd
- Remove require for unused fillup�- Merge changes from SLE to openSUSE (FATE#322416):
* freeradius-server-radclient-init-error-buffer.patch - make sure
we initialize error buffer. bsc#911886: radclient error free()
invalid pointer
* freeradius-server-opensslversion.patch: remove OpenSSL version
check and assume we know what we are doing. (bnc#1013311)
* merge .changes file, mostly.
- do not attempt to detect "vulnerable" OpenSSL versions. SUSE
security fixes do not necessarily bump version numbers as
does upstream OpenSSL (bnc#1021375)
- do not generate certificates in %post. End-user needs to do this
manually.
- keep FreeTDS disabled on SLE12 - we never shipped it enabled
- require OpenSSL 1.0+
- use pkgconfig(systemd) instead of plain systemd as BuildRequires
- don't list manual pages as %doc�- Remove --with-pic which is for static libs only.
- Use SUSE RPM group names. Trim filler words from description.
- Do not hide errors from groupadd/useradd.�- Add upstream keyring
- 2 new modules: rlm_sql_freetds and rlm_eap_fast�- update to 3.0.12 - still fate#320481
The focus of this release is stability.
* Feature improvements
+ Add support for =~ and !~ in update sections. See "man unlang"
+ Add dictionary.checkpoint.
+ Simultaneous-Use prints out more information.
+ Print WARNING in debug mode when packets may be truncated.
+ Added expansions %{home_server:state} and
%{home_server_pool:state}, which show the state of the
server / pool.
+ Mark rlm_sql_freetds as stable.
+ Make rlm_perl less fragile. Patch from Herwin Weststrate.
+ Allow extended attributes to have "encrypt=2"
+ Update dictionary.aruba.
+ Add support for EAP-FAST. This is an isolated feature which
does not affect anything else.
+ Update OpenSSL vulnerability list. Use a version of OpenSSL
released after September 20, 2016.
+ EAP certificate verification is now done when "verify" is
enabled and "ocsp" is disabled.
+ New dhcpclient and rlm_rad_counter man pages.
+ Minor abfab and moonshot additions.
+ Pass CFLAGS through from environment in RPM builds. Allows
more custom builds.
+ Build with Heimdal in addtion to libkrb5.
* Bug Fixes
+ Use correct typedef for older versions of sqlite.
+ Update mssql schema to add priority
+ don't complain on /dev/urandom in ldap
+ fix == operator in update sections
+ Don't create DHCP strings with many trailing zeros.
+ Allow MS-CHAP change passwords instead of complaining on
large buffer.
+ Allow assignment or equality operator on SQL.
+ Update aclocal tests for FreeBSD 10.
+ Remove occasional hang in rlm_linelog.
+ Copy VSAs to inner tunnel for TTLS and PEAP. Fixes #1544
+ A few minor bugfixes caught in v3.1.x cleanup, and
back-ported to v3.0.x.
+ do_not_respond again works in post-proxy
+ Allow realm "~^.*$" {} and User-Name with no realm.
+ Fix leak when creating unknown attributes
+ Fix Debian / logrotate.
+ Make OpenSSL error functions thread-safe.
+ Fix crash with rlm_sql and updating SQL-User-Name.
+ Debian build updates.
+ Allow regular expression comparisons in radclient.
+ Fix memory leak on unknown attributes in detail file reader.
+ Update example paths in "man" pages when installing them
+ Build fixes for rlm_mschap. Fixes #1489.
+ BSD build fixes. Patch from issue #1583.
+ Be more careful about /lib/ when building. Fixes #1585.
+ Correct ifdef placement error. Fixes #1572.
+ Allow for more files in internal "exfile" API So it will be
possible to open more than 64 "detail" files at the same
time.
+ Remove support for statically built EAP modules. Fixes #1591.
+ Many fixes to rlm_python from Guillaume Pannatier.
+ Use correct week adjustment in SQLcounter. Fixes #1608
+ Minor fixes to allow compilation without DHCP, VMPS, or TCP.
+ Fix checks for module / config file change on HUP.
+ Compile regex comparisons when sent via "debug condition".
+ Update filenames in documentation and examples.
+ Don't crash if SQL connection becomes unavailable.
+ Disallow originate_coa when proxy_requests = no.
+ Free rad_perlconf_hv in correct perl context.
+ Multiple fixes for Debian builds. #1510, among others.
+ Set OpenSSL FIPS compatibility flag when necessary.
+ Pulled fixes for the build system over from other branches.
+ Fix OCSP for RADIUS over TLS.
+ Fix skip_if_ocsp_ok behavior.
+ Better fixes for systems without closefrom() but which have
/proc.
+ Minor build fixes back-ported from v4.0.x.
+ build --whout-ascend-binary. Fixes #1761.
+ Be more aggressive about not opening new connections in
debug mode after CTRL-C. Address #1604.�- use %{with} macro for conditional inclusions instead of hardcoding
version numbers
- improved package descriptions
- fixed builds on SLE12 and SLE11SP4�- removed installation of experimental module rlm_sqlhpwippool.so
- update to 3.0.11 (fate#320481, bsc#961479, CVE-2015-8763,
bsc#935573, CVE-2015-4680)
* Changes of version 3.0.11
+ Feature improvements
- "unlang" comparisons of IP addresses to IP prefixes are now
detected, and types automatically cast.
- Allow shorthand form of ipv4prefix values e.g. 127/8.
- Add "auto_chain" to raddb/mods-available/eap, tls subsection.
This allows the disabling of OpenSSL auto-chaining of
certificates. Which might be wrong.
- Added printing of coa and disconnect stats (radmin).
- radclient defaults to expecting Access-Accept responses to
Status-Server.
- Updated dictionary.lancom, dictionary.starent.
- Portability fixes for Solaris.
- More errors from ntlm_auth gets passed to MS-CHAP.
- Update abfab-tr-idp virtual server.
- Added "filter_password" in policy.d/filter. This removes
embedded zero bytes in User-Password, for compatibility with
broken clients.
- The server now issues a WARNING message if duplicate
configuration items are found.
- TLS can skip the "verify" section if OCSP returns OK. See
raddb/mods-available/eap, "skip_if_ocsp_ok".
- Set TLS-OCSP-Cert-Valid = yes / no / skipped, which is the
result from the OCSP check.
- Interoperate with AD and "LmCompatibiltyLevel = 5", by
always setting WBC_MSV1_0_ALLOW_MSVCHAPV2 for native winbind
in rlm_mschap.
- TTLS and PEAP now require "virtual_server" to be a real
server.
- Print WARNING when TTLS or PEAP identities are spoofed or
not properly anonymized. See RFC 7542 for requirements.
- Various rlm_python fixes from Herwin Weststrate.
- Allow setting Response-Packet-Type in "Post-Proxy-Type Fail",
which is useful when the home server does not respond.
- elasticsearch updates from Matthew Newton
+ Bug Fixes
- Fix issue where field nas_type would not be accessible via
the %{client:} xlat, for clients loaded from SQL.
- Fix compatiblity issues with OpenSSL 1.0.2. Ignore calls to
msg_callback with 'pseudo' content types.
- Data type "ipv4prefix" is parsed correctly.
- Use correct talloc context in rlm_exec. Fixes #1338.
- Complain in unlang if "else" is used with no previous "if"
or "elsif".
- Send accounting status packets to the accounting port.
Fixes #1364.
- Print out CFLAGS when doing "radiusd -Xxv"
- Fixed bug with coa/acct stats value #1339. Based on patch
from Jorge Pereira.
- Fixes for LEAP proxying. Don't use LEAP!
- Fix issue with "directory already exists" seen when doing
"make install".
- Fixed bug with radmin related to the option "stats detail
"
- Complain if the detail file reader does not have permission
to read the "detail.work" file. Fixes #1398
- Fixed SoH. Attributes were not being copied to the virtual
server.
- Used a wrong list to global statistics in "stats".
- Create EAP-PWD identity correctly. Prevents segfaults.
- Dynamically validate authentication types for PEAP and
EAP-MSCHAPv2.
- Fix includes in installed headers.
- OpenSSL 1.0.1f and 1.0.1g do NOT calculate TLS 1.2 keys
correctly. See raddb/mods-available/eap, "disable_tlsv1_2"
- Allow password change to work for MS-CHAP. This requires
'r=0', because password changes are not retries.
- Fix home server fail-over for home servers using TCP and/or
RadSec.
- Special characters in expanded regexes are now escaped e.g.
User-Name containing '.', and comparing /%{User-Name}/, the
'.' will now be escaped. See src/tests/keywords/regex-escape.
- Use correct authentication vector when sending Access-Reject
replies for RadSec.
- Set FreeRADIUS-Proxied-To in TTLS again. You should use the
"inner-tunnel" virtual server, instead of relying on this
attribute.
- Fix debugging constants in rlm_perl. Patch from Herwin
Weststrate.
- Add samba-dev / samba4-dev to debian builds so that
rlm_mschap can automatically use the new winbind API.
- Automatically skip zero-length attributes when sending
packets, instead of erroring out.�- fix bsc#951404
* Rebuild of freeradius-server package fails
* fix source url
- ftp://ftp.freeradius.org/pub/freeradius/
+ ftp://ftp.freeradius.org/pub/freeradius/old/�- update to 3.0.10
* Changes of version 3.0.10
+ Feature improvements
- Do more optimization of unlang policies. This makes run-time
a bit faster.
- Re-name most of the functions in src/lib. Third-party module
authors will have to do the same.
- More documentation on contributing and how to write modules.
- Update radiusd.service for systemd.
- Open IPv6 proxy socket if the server is listening on IPV6
auth / acct / coa packets.
- Create debian packages for DHCP. Fixes #1125.
- Add more tests for "update" section parsing.
- Update "man" pages.
- Update attributes for Alcatel 7750
- Add dictionary for Boingo Wi-Fi
- Add support for DHCP lease queries.
See raddb/sites-available/dhcp
- On HUP, check all modules for config files which have
changed. And only re-load those modules.
- Allow FreeRADIUS-Response-Delay(-USec) to be set for RADIUS
packets. Patch from Herwin Weststrate.
- Documentation fixes from Alan Buxey and Matthew Newton.
- Update "logrotate" script.
- Added more RFCs to doc/rfc for new standards implemented by
FreeRADIUS.
- Don't crash when doing "radmin -e "help hup". Patch from
Matthew Newton.
- The dictionary parser now does more sanity checks, which
prevents run-time problems with invalid attributes.
- Update debian packages. Patches from Christopher Hoskin.
- Many other debian packaging fixes from Matthew Netwon and
Herwin Weststrate.
- Add "session-state" to Perl. Patch from Herwin Weststrate.
+ Bug Fixes
- Fix rlm_files so that there are no collisions when loading
10's of 1000's of users.
- Fix radclient to use our internal v4/v6 parsing functions.
v6 addresses with ports now work correctly.
- Fix sending/receiving packet messages to wrap v6 addresses
in square brackets '[]'.
- Check for sasl/sasl.h when building rlm_ldap, and disable
SASL functionality if unavailable.
- Fix issue which caused a non \0 terminated buffer to be
assigned to attributes if the value being assigned contained
an invalid escape sequence.
- Fix deadlock when reconnecting connections in the connection
pool.
- Fix potential overrun in functions that used fr_utf8_char
with a non nul terminated buffer.
- Fix decoding issue for Tunnel-Password type attributes which
were very long. Found by Denis Andzakovic.
- Fix radclient issue with TCP sockets on FreeBSD.
- The server now creates ${run_dir} and ${logdir} directories
in daemon mode, when running as "root".
- Handle tags when using maps. Fixes #1191.
- Fix crash when CoA packets time out.
- Fix parse error in rediswho
- Fix regex support in SQL radcheck the "users" file and
radsniff.
- Register listen xlat earlier, so that it's available when
the virtual servers are being parsed.
- Parse Ascend-Data-Filter when given as "0x..."
- Print Ascend-Data-Filter correctly. Add test cases for both.
- Allow old-style clients again. They will be disallowed for
3.1.0 and following.
- Complain instead of crash when "else" and "elsif" are in the
wrong place.
- Clean up memory more aggressively. This lowers the maximum
memory used, most typically for TLS based EAP methods.
- Prevent the server from unlinking the control socket of an
already running instance.
- Fallback to using the configured OCSP URL if one exists, and
no URL is provided in the certificate.
- Return CoA-NAK if proxying CoA fails. Based on patch from
Jorge Pereira.
- Lower peak memory usage by decreasing size of internal
memory pools.
- The control socket is now left in place if a second copy of
the server is accidentally started.
- Allow virtual attributes in "switch", "case", etc. Fixes
[#1240] and #1265.
- Many spell check / typo fixes in comments and example
configuration files.
- Better handle multiple DHCP listeners.
- Don't print secrets for old-style realms. Fixes #1267.
- Don't fall through in empty "case" statements. Fixes #1274.
- Update EAP-TTLS so that MPPE keys are correctly calculated
with TLSv1.2.
- Always delete MS-MPPE-* from the TTLS inner tunnel. This
allows TTLS / EAP-MSCHAPv2 to work. Fixes #1206.
- Fix off by one error that caused some MSCHAP-Error messages
to be sent without the password change version (V=3) and the
textual message component (M=).
- Always include C= V= and M= in MSCHAPv2 errors. RFC 2759
does not say that any of these fields are optional, and not
including V= caused errors with wpa_supplicant.
- Do not include M= in MSCHAPv1 errors. It's not supported.�- Fix boo#912714: freeradius can't use ntlm_auth
* Create winbind group
* Add radiusd to winbind group�- Remove gpg signature file
* The gpg signature checking is broken and doesn't work�- Fix bsc#935573: Insufficent CRL application for intermediate certificates
* CVE-2015-4680
* freeradius-server-CVE-2015-4680.patch based on
https://github.com/FreeRADIUS/freeradius-server/commit/a03814af310bb3bee74ea012546d99c48b0ea5c3�- update to 3.0.9
* Changes of version 3.0.9
+ Feature improvements
- Make "pool" configurations more consistent, and update
documentation for them.
- Move connection pool logic to "most recently started",
instead of MRU. This should help with pool stability.
- More VSAs for 3GPP2
- Added examples of multi-value attributes to rlm_perl.
- LDAP-Group and SQL-Group attributes are now dynamically
allocated.
- Only the "sql" module registers SQL-Group. Other instances
register "instance-name-SQL-Group", similarly to "ldap".
- Unknown attributes are now complained about more often when
used in unlang statements. e.g. if (Foo-Bar == 3) used to be
a string to string comparison. It is now a parse error.
- Rename RLM_COMPONENT_* to MOD_* in the code. This makes many
things easier.
- Move to C99 initializers for modules.
- Load modules in raddb/mods-enabled. This allows attributes
like "LDAP-Group" to be used in the "files" module, without
explicit ordering or listing in "instantiate".
- Added 'bootstrap' section to modules. Third-party modules
will need to be updated.
- When adding clients from a DB, add them to a virtual server
if that virtual server has a "listen" section. Otherwise,
add the clients to the global list.
- When reading dynamic clients from a file, don't expire them
if the underlying file is unchanged.
- Allow the server to originate CoA requests from the
post-auth stage.
- The server creates ${run_dir} and ${logdir} in daemon mode,
if they do not already exist.
- Add dictionary for Wi-Fi Alliance Hotspot 2.0. The server
now supports all mandatory and optional attributes for this
specification.
- HUP now re-loads the configuration only if the files have
changed. If all files are unchanged, HUP re-opens the log
file, and does nothing else.
- Much better debug messages for EAP-TLS, including which
attributes are cached, and when they are retrieved.
- Increase default max_requests to 16384. Memory is cheap now.
- Added "stats memory" commands to radmin. Debug build only.
- Aptilo controller dictionary updates.
- SQL modules now use Acct-Unique-Session-Id everywhere.
- The redis modules are now stable.
- The LDAP module now supports SASL "interactive bind" method.
This allows Kerberos based administrator and user binds.
- DHCP code is now in libfreeradius-dhcp.
- More DHCP encoding / decoding unit tests.
- rlm_replicate can now be listed in the "accounting" section.
- Better sqlite debugging output.
- Remove "required" option from many sql_ippool directives.
- Set default CA "basic constraints" to "critical". Fixes #1073
- Updates to help / man pages from Jorge Pereira.
- Added more tests.
+ Bug Fixes
- Be more careful about unused config item warnings when
using -Xx.
- Move more defines to be auto-generated.
- Allow virtual servers in proxy fallback.
- Allow %{module:} to work.
- Don't crash in RadSec. Closes #980.
- Return better errors when a unix group / user is not found.
- Re-enable detail module "locking" parameter.
- Don't crash when logging replies from Status-Server packets.
- The couchbase module now uses "update" instead of "map", for
consistent with the rest of the server.
See raddb/mods-available/couchbase
- Don't require NT-Password for MS-CHAP password changes.
- Be a bit more careful about decrypting MS-CHAP-MPPE-Key
attributes. Closes #1013. There is no perfect fix, tho.
- Fix security issues with EAP-PWD.
See http://freeradius.org/security.html#eap-pwd-2015
- Fix dynamic clients read from SQL in non-debug mode
- MS-CHAP now allows retries (i.e. password change) when
passwords are expired.
- Allow "user=radiusd" when the server is already user
"radiusd"
- suid up/down works on non-Linux systems. This means that the
control socket should have the correct ownership.
- Fix issue which caused the server to sometimes have problems
when a home server was marked zombie.
- Fix format.pl because Perl is now more picky.
- Fix proxy to Packet-Dst-IP-Address, so that it uses the
correct destination port.
- Fix corner case with cursor functions and removal.
- OpenDirectory fixes and documentation.
- Fix leaks in rlm_redis.
- RFC 6929 "evs" attributes are now encoded / decoded properly.
- Fix talloc pool leaks when receiving malformed or
retransmitted Accounting/CoA requests.
- Printed attributes again use double quotes instead of single
quotes.
- Set X509_V_FLAG_CRL_CHECK_ALL, and add "check_all_crl" to
eap.conf. Fixes oCert CVE-2015-4680.
- rlm_expr now errors out correctly on malformed attribute
references instead of triggering an assert.
- Make "break" work in "foreach" loops
- Allow dynamic expansions to work again in the "hints" file.
- Correct minor typos in comments and examples from Alan Buxy.
- Re-urlencode the path portion of ldapi:// urls before
passing it to ldap_initialise.
- freeradius-server-rlm_sql_unixodbc-configure.patch removes
hard-coded directory in configure script of rlm_sql_unixodbc
- install new module rlm_sqlhpwippool.so�- minor adjustments/cleanup of spec and changes�- update to 3.0.8
* Changes of version 3.0.8
+ Feature improvements
- Allow syslog_severity to be set in rlm_linelog.
- Allow defaults to be set for bulk clients in LDAP and
couchbase.
- Updates to dhcpclient. Patches from Nicolas C.
- rlm_mschap now supports direct connections to winbind,
which is faster than ntlm_auth.
See raddb/mods-available/mschap. Patch from Matthew Newton.
- Recommend /dev/urandom for TLS randomness, instead of
${certdir}/random
- Allow TLSv1 to be disabled via "disable_tlsv1" in tls{}.
- Allow Expanded EAP types where vendor is 0 (IETF) and type
is normal EAP type. Supplicants sending Expanded EAP types
like this are broken.
- Add support for server side sort controls when searching
for user objects in rlm_ldap.
+ Bug Fixes
- Don't complain about "authorize" in "server {}" blocks, but
only if there's no "server" block.
- Fix cosmetic issue where debug from the first packet read by
a detail reader thread would be emited during config parsing.
- Fix ASSERT on truncated detail packets.
- Don't use main server log functions from within panic_action,
as in the case of syslog this would cause deadlocks if the
fault was triggered from within a malloc.
- Fix issue in "switch" when "correct_escapes = false".
Fixes #911.
- Fix sqlcounter configuration to use "%%b" instead of "%b",
otherwise the new syntax validation will fail.
- Allow forward references in configuration items. Modules
aren't always loaded in a sane order.
- Fix more escaping issues. Closes #912.
- Decode MAC addresses correctly for VMPS.
- Fix memory leak with TLS connections.
- Fix state machine threading issues for conflicting packets.
- Fix copy_request_to_tunnel issues for tagged attributes.
- Allow "ok" to over-ride "updated" inside of Auth-Type
sections.
- Update state machine so that post-proxy is run though child
threads for performance, instead of blocking the main thread.
- Allow "netmask" to work again in client definitions.
- Relax restrictions on SQL group queries.
- track outgoing proxy sockets and clean them up more
aggressively.
- track proxy statistics, including CoA and Disconnect.
- If radmin has a connection failure when running a command,
it re-connects and runs the command again.
- mark home servers "unknown" less aggressively.
- Fix potential SEGV in PostgreSQL driver on error.
- Fix issue where fields like nas_type would not be
accessible via the %{client:} xlat, for dynamic clients.
- Set default busy_timeout (of 200ms) in the sqlite driver, so
writes don't cause selects to fail in multithreaded mode.
This is user configurable, and may be increased if required.
- Convert Password-With-Header attributes to binary (from hex
or base64), in the authorize method of rlm_pap.
- Fix invalid assert in state.c, that could cause abort in
post-auth.
- Fix double free when -m flag is used, and connection pools
are referenced by multiple modules.
- RADIUS over TLS accounting uses the same port as
authentication.
- Regularized return codes from radmin commands.
- Fix RHEL spec file so it works correctly for Centos7 which
uses systemd, and didn't like the SystemV init script.
- radwho and radlast now have a -D option to load dictionaries
- DHCP packets are no longer checked for duplicates.
- Don't crash in sql module group comparisons in corner case.
- Calculate MPPE keys correctly when using TLS 1.2.
- Fix load-balance sections. Closes #945
- TLS certificates are available again in the post-auth
section. They are not available for session resumption.
- radclient encodes CHAP-Password properly when using -c
Closes #955.
- Fix issue in rlm_cache_memcached driver that caused variable
length values to be truncated.
- Fix track functionality in detail reader, so it no longer
fails with a "Failed marking detail request as done: Bad
file descriptor" error.
- Actually add the peer identity (as User-Name) to the inner
tunnel in EAP-PWD requests, so it's available for lookups.
- Fixes to PostgreSQL queries. Patches from Santiago Gimeno.
- new set of consolidated patch files:
deleted:
* freeradius-server-2.1.1-logrotate_su.patch
* freeradius-server-2.1.6-rcradiusd.patch
* freeradius-server-initscript-pidfile.patch
* freeradius-server-radius-reload-logrotate.patch
* freeradius-server-var_run.patch
added:
* freeradius-server-radiusd-logrotate.patch
* freeradius-server-rcradiusd.patch
* freeradius-server-tmpfiles.patch�- Do not disable as-needed build
- Remove the with_sysconfig switch and just stick with versions�- update to 3.0.6
- fixes a segmentation fault in PEAP module (bnc#912588)
Feature improvements:
* radmin / raddebug conditional errors are printed to the output, instead of being discarded.
* raddebug will exit if condition set with -c was invalid.
* radmin auto-reconnects if the connection to the server has gone away.
* rlm_cache now has submodule support. See raddb/mods-available/cache
* New memcached driver for rlm_cache. See raddb/mods-available/cache
* Add support for &Attribute-Name[*] in conditions. See "man unlang" for details.
* Add &Attribute-Name[n] which gets the last instance of an attribute e.g. Module-Failure-Message[n].
* Allow for redundant string expansions. See the "instantiate" section of radiusd.conf.
* When checking IP addresses in conditions, make the right side be parsed as an IP prefix.
* Support JIT compilation of compiled regular expressions when built with libpcre.
* Support named capture groups with "%{regex:}" when built with libpcre.
* Increase regular expression capture groups from 8 to 32.
* Emit error markers for badly formed regular expressions.
* Allow 'm' flag to enable multiline mode in regular expressions.
* Support limited implicit attribute conversion in update sections.
* Support casting between IPv6 and IPv4 where the IPv6 address has the v4/v6 mapping prefix (::ffff:).�- Drop .keyring and .sig file: freeradius-server still uses MD5
signatures, which are no longer validated/accepted by GPG 2.1.�- update to 3.0.5
Some of the new features:
* Allow LDAP to specify arbitrary attributes for dynamic
clients.
* Allow one level of backslashes (finally). See radiusd.conf,
"correct_escapes" setting.
* When supported by OpenSSL, allow TLS 1.1 and TLS 1.2
in EAP methods.
* Allow multiple new connections to be spawned simultaneously
in the connection pool, to cope with spikes in traffic.
* Use kqueue on systems which support it. This allows for
better scaling when using many sockets.
* Home server "response_window" can now take fractions of a
second. See proxy.conf.
* radmin now supports "show module status", as thee counterpart
to "set module status"
* "ipaddr" will now use v6 if no v4 address is present. You should
use "ipv4addr" or "ipv6addr" to force v4/v6 addresses.
* "client" sections will allow "ipaddr = 192.192.0/24". The old
"netmask" is still accepted, but the new format is preferred.
* Allow custom HTTP headers to be set for rlm_rest requests using
control:REST-HTTP-Header (attributes consumed after use).
* Extend format of %{rest:} expansion to allow HTTP method and POST
data to be specified
and urlquoting.
* Add support for aliases in rlm_ldap.
* Add support for connection pool sharing to all modules that use
the connection pool (pool = ).
* "tls" sections now have a "psk_query" configuration item, for dynamic
queries to discover a key from a PSK identity.
* Preliminary support for EAP channel bindings.
* Foundational work for dynamic home servers. They do not yet work,
but this is now only a matter of updating the "realm" module in
a future release.
* Support &attr[*] syntax to copy all instances of an attribute when
used with the += operator in an update section. May be qualified with
a tag.
* The logintime and expiration modules can now be listed in the
post-auth section. This makes some configurations simpler.
* rlm_sqlippool is now IPV6 capable. Set "ipv6 = yes" to get
Framed-IPv6-Prefix returned. The SQL queries have NOT been updated.
Please submit patches.
and numerous; bugfixes
- remove gpg-offline
- create /run/radiusd after install
- drop freeradius-server-opensslversion.patch (upstream)�- freeradius-server-opensslversion.patch: do not check the minor
version of openssl, minor versions are supposed to be compatible.
bnc#906682�s390zp36 1670847524������������������������������������������������������������������������������������������������3.0.21-150200.3.12.1�3.0.21-150200.3.12.1���������������������������������������freeradius�libfreeradius-dhcp.so�libfreeradius-eap.so�libfreeradius-radius.so�libfreeradius-server.so�freeradius-server-libs�COPYRIGHT�LICENSE�/usr/lib64/�/usr/lib64/freeradius/�/usr/share/licenses/�/usr/share/licenses/freeradius-server-libs/�-fmessage-length=0 -grecord-gcc-switches -O2 -Wall -D_FORTIFY_SOURCE=2 -fstack-protector-strong -funwind-tables -fasynchronous-unwind-tables -fstack-clash-protection -g�obs://build.suse.de/SUSE:Maintenance:27107/SUSE_SLE-15-SP2_Update/ea436a6cecae00bf250af9f8b03f03e5-freeradius-server.SUSE_SLE-15-SP2_Update�drpm�xz�5�s390x-suse-linux����������������������������������directory�ELF 64-bit MSB shared object, IBM S/390, version 1 (SYSV), dynamically linked, BuildID[sha1]=cc7f2b2e21d464a2fdd1cc0a642b845925079e6c, stripped�ELF 64-bit MSB shared object, IBM S/390, version 1 (SYSV), dynamically linked, BuildID[sha1]=7f927c30f51e86f93fdbfd4f66a5adb42936c1aa, stripped�ELF 64-bit MSB shared object, IBM S/390, version 1 (SYSV), dynamically linked, BuildID[sha1]=61e54bfb21f713f15b01b9d9959e945668953faa, stripped�ELF 64-bit MSB shared object, IBM S/390, version 1 (SYSV), dynamically linked, BuildID[sha1]=0b02572170c5ddf86eb3ec00d000f04882d43e0c, stripped�ASCII text�������������������
����������������������������������� ������������P���R���R���R���R���P���R���R���R���R���P���R���R���R��
R��
R���R���R���R���R���R���R�� R���R���R���R���R���P���R��
R���R���R���R���R���R�� R���ɋoip*�;��q����utf-8�f3ead3085a944aa11906a6db80c0729fa2291020b2c95f74a496ac8815fe46cb���������?���� ����7zXZ��
���!�����t/L\�]�"��k%(fm?1�1N8�H�F�HS^.䡼�*��(qF�Ia=+ku+�¼,#]61∾.+-6D�F(R��(�lĤX|@ (eCa�fˀ@m+9蘡T)��-QFīO4B�͆�'cA݄'A~BǍZ�en�ci�$znL(%P�ʶ^�W�\&fh92���q�ʦ-NWuY9T�|1!�9
8mRHo#".�bk$phNgű�?s)$74�5E%~twլk}�$Ũni]5�OhƵkPI�#FLUK"5CJj�NIovk.ü'O/aZ���mhVCLV|l3HTȑH1H6�қ\67x9m)V;�+�)�۳:l�;*G/O^Tc톗I44] �2�|��
P;yPcaw9*G(�xU/N��Ky
mp0˧H�%.>&GE.owM��kS�^���Y�Y˲^�3x.VbA�MQ8;� IxMbu�ġW�u�2OOϒ(�A�gt���L湚gJJܟ&ȓ{�5~,^c�$/\2aM:p�8��Mx#��_�e`D�ch��S/
zY�{�D}o�Yo��N�ξ�O����Xې�hIB 7�ȓmS�L豻87��%I�j}
ꫤ�O�2 ��Dٸ��Ā4e8�'z+6ZI�l[#d���}�JS+(Nl$ze|گy�q�|
B3V.\GWdGOtg,pY`skix�GuT+47^:A�I�&3��Yg=2=F@z
�1.1w J~l*@svNڹ1�vpUe+�ຽ�Z{ePleTVx@"�w-y_���vY1
m6�k{�"�c3���*e"2wݽA���ó<|��rD��G�8!Tk
0^�gy�".�U�d4HN_�"oy^# '_i9Xʨ|,&/Ry}ld<]t[�0 &_`QB��sNXd�ȖTLE��Ui(u!}
lyN ?gH�TI^cz4K�Qн]�t�f6GcׯH8��wt>}RtW%؍�*<�1nl�-f7�y�Tɝpg�>��@֧dH\NT$!$!`,1�,C�sTpD%b#�ģ>�Zz'su#r�#А`!(O8)�@�ʤJ�~S]G��)~śдྪ�7S�!|~\`7vbAUI?#MHo%�bA#�:LZCE�?Rn�p���D�QoC
Zo,R�:/w5��Q*cĮf4DS��Pԙ�XN;�^Q�B� дCZG!�b�_ ܂�\V��YC �,Vxy�p]�x8ꅵ1Ul^�*.ߍR^k?wvJ\ܢ�Y»G,~�Y%B�:ͣ���z7OL�m\:j#`eW�nYe$l:X-U٢`^�O"eF9��d�0c&�=rP0��}>|�jũ<{y-|^gƇ�Wɚ?
ssEWh0�ؤ&SF�>!�xQX>uiqyN�{әtn`K�Ds@6�ŮY�]ԝ'7 �Uz#*Xտu�C_:Ƽ�&L<��.DQ~9�)VBQr<�ab�?5䷷:QBZ':hzz�faIŔsmEH
C�<[�v�};4ɤue^k#>y��vUi~'�Zhg�:k1w<7ɒEh
1�؈28|^/Hx�~~�ލz�,7�r`E0Ou.m@mo��A�IThݎC.z(~rWbQ3N1�x5�M~,m�ti=�|l3D" _p-Ɇ跡�GsS{"_�{�\ cjnz�Bi8u#a\�
w�7�h�4�EƸ�F��E"DAa4_nw1���,�ף{j�z��xo*H��M#h!W{j7n�)vdjTbΙWUN"�22-Ic�ӂ#䕕� FS�{?>
#.([&>B]�"�E�!�P�
4�%�d|=`R@t�JbL�Ώq,SGE���}
Zb�\�,g5p�C$2RM[]QD��SBskĥQK|;"y�|.lD� 22,<��X pTP4�t.dʋ*�LEz$�e%f!&��%K1.EQlb�9]�rr�?0>*�jl$yps
tcyء��9�Ol*���o��bc?JM:CNe7$G0?�$Fm�Rƈj�K&gѹDÚ�|H��??�c|Ka!�<)yp=�zX1��'>o]�DŦ�?��!eqJQVRNW�p�hMSktѥ
I�Q�u�ơY"3o3�Yu�j<�aZӜ�jf0ڒ9yɴQܴ30�*���% %�4]��0L#cgX�<1ZN=�з#H[g稣�&w�:laYf�;>l\�4D3H/&rpUgCZ�O�Jo :m@XM*))�')b[u(#yqqT/�y]$ �f'�͉[ِ�T��8�7�&�8YO�s,��(\�u�=R�8˖L�jnݵz݆9�@5[E8zR7 X�<
Fŕ@� [j[$Q��aL/:)[}.-詅�j8X͕c�N���ɤ� ?�J( ,ςBl+
!liM]**{;}�Bbޚ
1å��# �`r"!ΛO`�̙m0N:=YN�w�N
)wzX�~@0qR%wօT/L\Ri�9a!U5@��`*ф��=_dt
Cg �kmӕ)�G�U�ŘCBх"81�x2�6"T<Ȯ+,,�/+���_L#&1M�5ZBq�|S)M+�z:7u� v";��ը.ID�|�ˍnwh�4;_�F�5Q*A�+�ڵ�z>J&>ccy;Ҟ.RRixGΌJHOc�{z�_.�w[b1_�@,FԤi��2<8�9i*7G�%M$HR~앪tUU2Nmڤ=�ϒG����KZx�x߳ˊ8$k!u _�V�k��4�dF��X9qX�e����,eJ�MY�;e)Wvq�g��Ƒht
%#Gυi=2�g�4�ѣ&A �% ksirCe�[!7Cd^$_�QRuؚF᪲煚�ťnvÌE8Q;,�(I?Nyj k:ݦ5��c�)֒q JdA�%u۫�o룫F�F�(,�(7~8i&!}g!��LϲT36� �8�W)%cP�R���')|Ce?S
\wؠHm"8Y��/;ؘ�� "-1Jtq5BM@^K-,Ֆ@t6�4Z��kXS�2�-U`Eb0yh&-�w'YN �yyI��x���%9UDʍS'���O"�pj� �iD�ļ�3ц+˹Myń�a�ϐ[6�ORop0ʂ�0W�VFJ0�|C�-VL0�I2�}w?ŠJ����.U�0Ō�1-29KB�2�Ub)t%N�y_£�w_<�ç%Qs��!>S�dOt-'=�bv��꞊U6�nR���<�-
4�m����V@r��4V^OO�@�~9�圽N�*xr7"B�EU4�̧__UCoh��hYjiR�g%Pw9|*,jľ
�{Z9q}lQX��X
̣�.�m�
9Jc
�ًA~�Yߛ]&պ R#,ꮪm-*v`8-�]�(FP�_*|x#�㨉HC~5iɅ7,�B赑�1PDwy,��!�kLDnw�D�j���>0Ag1Wa>k徟D2?�[�^�#$TG7bIM�/dLs�*
�a@j^*P�)q�-J+��h[l�4EܞS�J`s�m(s�_.A*a?+YvR^c�w�w�
kYL>W�߇~5l@bݮ����.l2O���$z[$l)U_�ۯW`bvQeܲgy3�~u\' �Y0�NL��q_t8�p�B�.K�?mp����3E.����9wq��t��,N\h�x���^L�Eu!�B.
ƍ
S->ʀ�Ԥ|?4�Z�=w��<�ϗç=ʓ/x'ZG"/��j�|;Ws1%`'{'h�1ɖ/Y;���O viݼ`�j�RăH?zf�La%3&]xIV��t�жV)f�5Â�2ȞHד_)�'h)��L~G�c� .Ї4��LCm�3�V�`����[�K`--A�r�3&DcO�ؤRhDk
��T` ��R1�6:V_)�6}қ?&0�6jp\8v\H}[;8\k��H]�[�1',"/�C>R\x~�$q`9��s=*uDH9P>'ՕX9;'z69��MMq'Rҡax5@YC&M|-��'��-Nh�i`Eߛ�j�[P�r�Պ�`H/~yR��@]+c
A퇂e�
B�%6i�#TL$EP36�A0i�>m��wr`GmNC��^
?��4/�Pi�@�Ӓ�hm6g
hE�Iu>>�li.�54 j�E%K1H�d~_|M<>u!uT���CZ$?�6]Z"LSuϣ+.w�q�//�^zxHߥNc(4t���Bx�<-?��F�":
&y-g�-#;[ˇ�y�^�Տ|ȭfn$��q�:�I=LAEp[hOg5n���hT('lCv�d�ڸ`2; zd&8kb[x�/ae[�'e�6>yczv $=T�r!R]�t�{vp&'�5p�(usawn&SȘn�0�Q
`3TD؉BgE3Y��77oWX[�m[&_;Sx'%i�B�z+�OR;�Meº89^�m/a
sR*pO[À#
\��s|u2�+HC:�
ɆO�]HJ�#�pgX�aqkG݁eѨ^0~>EMjk7R4�CA�3�d
ʥ?
LKXM)j-�6z&6ꪀ��"Ċ�v�]KNR��`�PI ]Q6* M{ErkGOEr)��C`�t8zd�g":SBTyزl9o� (R
FM6V,ύk�de?��XR�x47m�4!�=dZ#Es0\-ސq{NOR��1X7Ȍ8�HɄC�r�s%+J�YD�WInR�{ѣk82"g�G5M6snw^^�0�)�
r;J�\;���Aza�VQLjqi0x�VWk&/E>�.!ۊ+�sZ�n8).8;Q9wd53:);JåD�_�_�,�ݽ{B�Ѭ�_kzF^NvL_/0�:SIe'Q!C-HQ2V&�Ls<1#kj�jJF�07X9QOHX4�YE?yd�aQ%l>;_زާ�<5ωo.g9�\O+⯚B w���nM*?�N��.�Եpwd9F%g6T/oa�#ƫ�
D{)UCNr6��#οA?�a�H煵.aѥ7�x\�\B�y EЩk��YbU>,��J`NUv=8
-�C�2¿+�ܬ3mU`z/vjjaz
��D#�,*@j(Zb*a{؎@p3GІr@uQ.}ϟl,G�u`L�;9`P;(?}lMڇ�l)c�&��C�9�
�݃�{HX�evzĈ#|�u3̄qƖUAΉ�DX�S*�B0��9�gVB9A{rʬ
ؼMuN
�y�
pX'`i ;hs;@Ed�o"Ȫ|kᢁ�@�簖_;X�u@�4&hJ�GRL�p�vw4՞ �uz�mɶ&&B &ǯ�,4uA���O"T[vooF3!iu !a�kҔ�^�T
Y9�;FYUDStu|�a�0�Z_��X`5dcqΖD��T>093]e/��zZݑ,'ҡU O)���qd�RCjM�2;E
A�μ���4+�$K�I�YH-5��PQ'3O�6;��V��DR7m}$���1�#d�h�8Oi̤5J6u��(1!�d2_eWiե"s�y@�3b�r6e#w\@,�
�th_J)-`�腈23�bə{\kDZ\,(���g8Lx�21
Y}0�)� Ce7Thz.z�`"2o�
�~˯���֙UEgci<�\)̀&aQh /eب? гY���M!�(yasiUPx:i�KH!��T)/mb6̤V=��m&>CƗӻ
%L��&Ki?e<*%^,g/KLykm\Wq�ѧ{P��:@AMS�L�-?s�['��
\e�ޘju+
j<�@�=j$AlW(4v�e �;(ҫ��KN�ӳ6먃�'�$@|�l2QJ4Q5eB�ש?_%Wq/�fd:fYF[^T\"mW&Zy^|!�] "F'M�jFMr%�H�3Rl��#�0:�h}O*cj�s(|
�¬�mH��z\I�{ݎ(UT)��6stW�*# �iH҇!ڔS/��끜kʍ( �Ea,�=/w �I#�o�fpHB �Òo'"�1AE=Az[��wʗ�y?0}1��p�*ټoׄLR_'5�ϪU�L�W}mR9 )�~.4EeQc]XhQ�挈9%�DLYL2|u8Eb)_fv=�D:ߓp P��0*�^L`#YF_(]0Ҏe�L
pmw�e$j#ܘ6tdOv
���u0%Wor
M˸�e�:�B�(oJA�Βn)
"(n �to�އp/�YB]$Ds��4l?I16M�1Iv@|?3
։Li2-ʚ��1㻝G0GJY�ۻ� t�öv0�c/j��1mw:&\"(�P>س7ITH8a*hG(:taLuu��N[q9z3>N5�6�`]�g
Hgɜ{N2["Tc%yޒ*wp� Q�wJݲu
6�{@n|6i}�Fx� ��G�[,�Ë)�:\|°y
U�y��C)k2ܤ$^8)�.9; ) ͊*�E�
V�~P@x-`i_k"5��rTm��l+ht�+] Ŝt\VvB�'D y�߲Kt*zбK#�N#�zE[PO>^IUD`�{oi�J&Z] Fat�+8Ł5W I�9$3\H�چ�c8l �Tn�JyV7_z]�s>mXTVv�/WFV �l��X'Q�t�Utn�*,�B`4LL-����tH�P~�vDfDQ"hYvUf�S�c
�qK�ZRZy3}T4
�C�I܌8�w-x�i
�/FjAeA';#j�_{m3u��"�P�=�AD
ea\}��ei5}�Ͼ}M�{c
�̧/ ���[+t-}M79&d-�P'I""�KGSi�Dxs�:|�C972��?�C��Ms}TGl!hi1x9agq̮gIW4��\�
lu,��tBxY(~]i6Yac,k`�
z=hG�b�����u4Vbj`M�&S5�'(#�i((NL>ل`i!ƚEg]Tw�4}�l6N6Z&_~Z�2;R�UVK�T>`[�;WN� ]�p$[�T�>
�z]8c"ސ֮�ڗ�Dn( ��(vlv!�5�*өOЮs�nA
{�j1ɣfs.�!i� X/�,�GP��`,q�\j�dR��1�:o�n܌p@�&Fю�/fhVx�bd6iGZc#m[M�[?��BuN Ira\�Ǎ�"u3 %X8��c4W�Scx�ޑ�e|y!��Lٗuw51 �f
/J�)�_:ao1(�
eJh
�)HIRGeN�f952�s_tf>��:��a�Ik�SLb@P�O�0ҕ{a-yޯaSj�S��6Z�G=Ɵ
|d0H��1p?삵�oxkc2t"���v�DHvfჇ�b<<)9(fT^�ݰQ֖,yf�tm�d˲e�
UsqDU�fY=_:F74RI#�C&CVN٫h�PlS. cɲɁ�#/BA%9&?KG[H�_'t{?g�!q&V$=*a0�mۂ�K�:M��8:я�(ϝw"��,-ߓi�Ϛ0$�ҵ�fh(�agݔbn;hUv0ZYIg�>Biʊ!Ho3:a4�>z)�߲�ʝ��V7�-|�̎)]Y�{0�NJlޚB#ڛWD<�?(E��e{�6ްJO� ѐ7:eB��~ C�Ag&T�f1=4-3�e�oʚt쿆TR%6-}WM��^G*�\�!Xi9)�Gϝ�_ղ|}�*j{%u +'IwgpsÊĸnlv;��4&~�Gd=y7v#2;P��Sn!GPF�MYi/
߾S*ٙ]aga9�K^ȳ�t҄~uO@_HN@_22gūd9nnX~�73T�/�vنB�Zp�+U'�:�Np{h!ھ%0R�Ֆ@&d�V}w��0�<�I�!6~�U��
߇3H$_bc�>_i�K�
";eU)ǂ[,�9`y<(
mn#q;˙�J�q�/o�eԚ.w' �'{:�X���ڢDoڧtE8d��yMëR#]�;-U1�:%�K>�Vx;�P!}(�Dhgӷyg��%�4IzA|V\_��&�%|ƤE�f[u_��s�bԁloQS�m~�X,�Chxs/f \Vyy\9k5ԨJ��H WT6*8�<
Q?4G~eY�ѱN�&/�; <ᙛ���̃5�<��9>=H:�`>f��Xr'}��g/+]ќ|�[� F��o�)&�}�~=�?Mɕz�"*Q&x݀CȔ�av��c�ؚ
�=̶�R�+c%ͪn^9} T'h�j-,4ғ)A#)e&]�7U�K7:�rr�h���(�
ݚ�`րn�7?Hb:/WW�
n�J��%'o��ЀQ� Y/ߋq�FG`)�Htk Hy?@[8&;"���Q-_I��Q( ,�=Cy\?;Vu[|kk�S��euզ;`jZںD~� ҍ5A/��H5$ە�l*4�s6Wf�_1Nc v��E�I��.|�N52=\i({{Rvsќ��c�[_$w>/$�K�cpuE�%��D�v"�첾PD�)X�5�`�~5 =eyr�� Se$�7S@#�u�ki'h
YRn2%ne("ء9L_Z��e�rb�.D B�()Ճl�0�l7y��^|q)
wk �1@v��鬔ߋhnt֟�sB@j^Jd�'-0xpy4�c4�ղKO{DcUف:�2a|!V#�Z](~4?8]}��|ГZTF�WgTisJ��.dϬ8^yכ=ą�-s�fKQ@@�:��';nw8w����f`����l$QgK,;�4$(��>�:͟+r�/Z˷��
�`>s@&&i.�>�\@NhaT%�۽�4
mꟻ/�Zy�挘g®�հ�3Y!?l\o�ܢdq��+ߛ��ƸpЮfOڎ����
�_sLFja F
c>( "
H�4Ly+F��a#E�Ĭ6-�U_^pIcϯѽ"�Ӽt$y8ӼkK5�"R�ec�"�C�� �S`�m-p|:^A,~ENT�tH^C�*+'~G�/"(Wc��P+Hf�:Fn�U:[TwBmF(�ׁ-5SP�4֣�u�b`��W'6̈́�jmތ?g�-�o��ݱ#tMuF+h3"v fqi�O4gJ:|u=�xz`@�~fWw6QG�.i@KF���\quw*�8t����8s䪷c�&���8弃Mm"љ_^w.�ی`]Oo&`)+�&h�EA8JYr!k$z�O[j*8_ft~J|�6ʼnκ�s
� yR
>c�E
5e�(B
V/:�Oo�ԅ|Dv.{�7R!�TJ�|%ח����aĔS|=Ew<�g'2�YF�.;G쩬s|id8 �B� �"KCh BO5pi�r.`מ�>hDZXgV�oq:!"{SLM�ue?,[!�Q2RvD\ m�amXњ�i%̩j�,LXdmOcz��
T)_e�%|P/X��9d�}�v]Ɖއ�U'#csӡ5Ac�t~C��YbT!5ʝk�\�ƪA~�Ѯ
@eۉ�̞"r�el�˿T9/(G1!;�+[�3dI*ϡ\Sb=o�mskzz
kDE6Y,S�A"QD6��P]SaYYmAh'��t8>g*9G7� Gr��^&X|+6f'Ւk�C�Q�+��Zy�xjqZ�RQhzǎng;�PiN ѽr�STd�F\3h�ɳ�[w4[�J{4#�TڏKG'�X,�nx?��\sI.�A�v�
t�C :
Q/�j՛�AƠ[NX�%�kj3*�"�j{C�ɚkI��Yt⼻8c
C[`еT
џ1�F+Y�p9g6 a9oi2�T<'xZk��,��_PSAjF
1Vɪ|1H�D%PJT+IJj�Oku܋�45P�ɍ. Yu�%2߽�Dͅ�t>Ӑ5@ЕHlЪ3jzvj�f5c'[��;&c��#%kv�lܶ:}%HHb1gܻP2�a9R'�䦆Z
żl(͠6�����5G1z Nm�� 5�\+A3�Lw/VC#q?�/�o@�lUL|bo|�0>�JK� Z%L�lD�ɡw�7(2
v�R}W=煙 �W1h@�C�v��nN \.+b\:~ c
Jv;@杣b7C�;��mmx�ߜq�y~fH/��YX�gX2�T̒3[67�
�5�`TUiQ�Q?���E&�xem>4>�M:�鵭c%)���RF_2lW�&^7�YX�Ow!Ȳu � *_)Y(ɂH|
B���p�GqP�ʄ��o!SG��~_�RMh�|h@�"o}9:3²78ioi"q��?�(�/Ql�0k:Dy�SO�C7m[�B'.�G~��))
zꚍoχ��"l�bQw9ܴ�ڞ@rOnB+d3[If,R�g�^�v�%3d>v�ޣ9B�z:�a�(4V+?`
Q7H+R�`hrq2S]q�jit��TKC�9g34Y䚅˱4p(eD�I;^/q�8ڎ�k�/
[�I�
E9�nS:҄h|.-8CsW.o6�:
v�UϪMp��ҨGt9�`�x9+�3�)_h�ГPN1��Qߞ-T{L�ψl��?�84m�E#[*~+bv:w,U�P�5f)�0
*_�C��,q!-zslٌT�h�{+yIV[xF;hhmHZCݞ�K``Q:�d}׀7#tZFԢ([
�r��)|9�=;M
E3D�8)TMo(k�C9"�ҔfUCk�o0y|"k)8mvJm(ɿu%W�7�OҼ�'8
C�Gno,ir(=z�.�C6\4�,]FԋYs lSD�Mr�|:4s�*a13݀w�ekgw��N�Tq?�GVG5�a<%ڌJ/a1NXUT#UnLj~O-�)\;3W_�� V=JO�.��,9 1\8\Bؗ��T՜ы]|QW�4HV0ިOb�k'G
[[�T�?8=��ݿR"G)f6C|5Rw�g\[,�] kT.]j�*�JF"��)˺#���@[y&(G�0o+mhG %�lW=wU7�GX�9I���|,&�+Uqun]5>J-G�!Ld҄�=�_�gu6*٥ �9T-^n~�(��
�zFz]�Y��2;緜*��U�H盯"�k���t-tևBE�44q0uC\%Fڔv@�zpfZū~�*~{qpz5&*6롧YiR
xHpےU�kϒIUݕ@~<�L6F:c���.h
!q�2��ʋ�SM!#њ�Np9W�iJز��3`;ӄyL;:��`1")�\>@$�Q�<=o�3f\'WoE�@>@��}qS0�"ET�ӕ$!<Ľȷ�^#��խŌo|gߦnc�rcJsds�9�2�fp\sGG{�C�c}�є1;w�}N�}4�k�$3��2�ڃ�yccK��@)qG�V��@%bnK�+=:�1�{hk�F6�/ә�%��h(#ӻO�]6�X?+K`X&-
=aGi>VE�'JMEsXP0~zf,NUV!]1%��*1�]аLǔtb`1F��͙)�j!iI��,R�kΦ#_���߱5:UBR!�U~I�Oh?W �{1�w�ԍyvr4hL�};��|qKk�\ېa��2tWEwq|$M��wy\�y]
#>*��⌏[̥0\b,{]H*0oDO
C?�b';iv�WG+&1w:
b\c*e�fDԲ.UӶwLrcӲ�Ip���$y81ž4����n`5!Ja[}lrA�i�N��h�#�.F'[(�n7ֆ=]n+�0#շՌ/g)iJ�z>ϗ}*#,ࡣ2W�O�xt_t�˫Pu,vB�~Vj4�+fA(�6�̇ŧ.Ymπ<"bZѱ*dA1\{����#!N8+t�Xݢ9Q�qq*F�"q~t%hOSK;
]�n}iZlp��
u_�f**%6!Xocr9YT�l!PPm}4r&:O?[U)�dBmPwV�F7#�s�A�t�φkߢ���C_���觓�^ 7�h
�C%}V}�[&J,倕�WңZ�y�y�HL"�5>NH,�=��i0ֽ�c6-N���
�/jhN]�%YjL\A|GI_0$%���biQIiG Q<��xLeoH~}=y~�8(j� |\7�h]aYձ��'�=,*���'3�-�$R)wϜ/�����D�ʅ,Ca�C��T:�+x;%O+(ea�ã��&
j;E}H��E`KKm,9�7*4G'!$(ʢ?p��OX9YB˄Kf��z73!xp&�9FE��4m2uc8<0f
{�2�]s>B��mg[a5
fVlk
:9-1�L�mP]@o�pE)#!OT��}cY9
]SC�ÂY{�1�Hq}*b\%ĵqWJL ��|'`�i`-D�r9LIWGmL4g!y08Kx"_^����w؝o�Zߝ)��1NR7= h
W!"5-zŧ6%O�H5�3�b��;jm]�.i�IgsnF8/{
}O�B Ub�}3Ŭ�u�~�E=[�}d9'�瀢>c7Q�z0���wy��=]Tqy�J�.y)" aIi
U-�p)"�S=J�1e'�H7]E�]
)�[Dw֫F}�x~g�N��yߓ0�X
p?>�=k5�Aؠ��BK(PzH뷓�0�ABk'
�q�;7�7*FipHUd7Y�B�Qߋ:'5טj�Ks�-^aZ@wT8o��sIƜ|Q��p(�}\��ur!=8܅�48��Qx0�^Ckz�^E�~�jFɎhۻu]�Z�OPaM9�mU�&o-MW+�4ppg־J3Ǎ8V�ng#(\g�Bb2OȨ�R-�j�S*00TK)Yn�R�ӿىb�;#�&m6Zа~+�(��Өa>x+=M�-tu�M`e#_�%�جؠE�"�w>^+ݜ6[<|�)Ӧ`6*��g'k�Wt@A(pStu:��? a3sto3|' {7�Y|�F
&~�ki.Є\@��n7JW)4<�ݓ�
s#NN��:�JU��aH0u6�S(�欠w^G -kw⬁�.&���"2WN܌F%1y�K~
nQ-s_AM:p}ʦ3~܀.��ɇ�(WnRr�/2CȖX�G8��F-/3�{Ei63;_�Ýc�rfk5̖T,fz ]�1;|);cD�KЉ�<� ��6�n傫V =>܁KFBC2�u^O"�Cz2�tY�@�ek*Zam D^=jD*׳;O��}P?a�̱h ��yd$Pq=W��"MؒuH�
�]mp.4F�I��w�
] Ħ>¥bmh�'0o�9}���nih<6��/?DS&aD
8���FW�JYȁY�w�a�@գ_p;�e
"%�^�o`=�& �-7`Rd6:5ۑCp�`�yv\`E,�lIJ3B-qYBh{A1BrUTXK8vn-z2Y`�` #G(Be!
>�f�?@�dO&n��Ue2N)ue�vlUjfBqaVr_kڸ 4T� WzA�5.JeD>L`˓z
{.��2&R0�!cN#uֹV�0L$3`ҸU�}T�dK*TM;YCz)�"1�bf���&q�Q2.J!Յ{O�85R,�D]{
i�v�TAFX�/�+{7(bvIG։' `53hgK�ҝ]OU];M�j�.��iv6ݍ
;lbRe) Xyb�?tJyW�kҘ�Tryᦚ܄.�4^eqvDf�"�^#�&�8�w
fF6X>�Yy"d��,p9�bᚥM5`ϚQiH���c�hԢVacj7ZRp0��)�,t��H�$c*S*;
(9�[{:CŘ-&bAչz(1ٲ�̤��$�\g}�t9e+p ?JgJ�rkY[-PP7�qH"R*y4�?.Oi�aOɣ��F)|K}(9tk-=�5P0.?�p�`Sh.|U�/0hlޒ�#l'[Lv�7RPՒ
{����:�ov��(_!]q3��GϺxg"S�W�Mz�C@F!�**>M�ͮdW9HM�t%#LŨqE=gxG�����7l��5uf�O��`b��a-��Vg�ɦJ���n
ih^l5~'N-1JF^\�8բS[.^T���һ��#B7�_�OOQhN ;yS6&ǵ�A2Hi�Z9v$/|wMDdlu{�in&,jD"mI�A`q��Ȍ-D�Lx!w�'QĩU26W+nDD�H�7)'I9R)��ݡ�IwΑ-\�%s�ˇnEQ'>)=ؑ��
vULpm!8�B J
d�O
Ob79/U\XvH�jԬzIc4�1Z,v�A �L�溅+L[Q��N4ԩɫsv�4��n?.Ľ4|\9
E*8 �/NJ�2�#E�:蚞U z���H �e#/b+u;s&9X:�O-UǏsA8/i|#|[)Ņ9�o)�|||�Y榦�g�lr^K@U
��A��,.{�m3Fв�K*Y\LYz���J�EԳUXawӕx\+SkVZ�c+� @���
b�*m*�á_pzl�NJwx�Ѯ:"ʙu��T�t�AClX�ʎGBJ }h3nX:bSWc�4ۓJV�)�0�#U6q?`,�g>"Wy��~"_�kʃt�i+/]ÙuO�*"o9
뱑F����;- )���Lߛ+"T0�>47IH[�u;}�?; �8kcyxH�H(O� ճ�a'SH�Ȋ��}Ŵ��E%��^�^��0�%ĂuQx~� {չlw[t#�6)'c#�tzr�OH�:4Qy57[ʞZ�~���fۄ)� hw`T���jR6�쿬8\[A4�U
SҎ g�[�3� @�ъ�v?_?p�uv���aN@HNB*�>De_0;�?Z��xiyoH��2@r@um?]gZ|N_@�bxPj�]h;A
vW�-J \�-|�H#
�^Z[wplFL#�oǻ�Q��Q;�𤢤R]m1�Hd� �#T7p�!{})dQhJt�|�ހ~]�gzA�w�C��YIęgE�W3O'#6[\{ƈ��)aQ��V��sl$ofK}fhS}Ԟ2�T,Pxv%qJ'dQE>aӓݢ\C���uדu�_m߾#ydɍ�%^�C+h[6ҞEt$|�FP3�ܨGFl+0emD�;�=m&("�`(hܿ+AL�Dq�� DԔtymx+&M hOer�q�Q3IyYl
�G��7|Œ�>��jscoD1�N}!y?Hq�#��Ϳ5qǀ*�U�*_�A\�^\�P�m>��R��W5׀).g6q$4��@}ޖ_ Og%+fʰfFh8ː2�1�=�%5tljZMKS2y7e�G�9�P1M�A}XTi(Tؤl^�ξ?8g�wƋq_uM��0pr%6ԙ3 o�ʌw*0�`&�0i�go|�^dRU'[`z91�4"['�c6
Zydթ<~�D}eTT7*Mn �^�e}^0��Le~Wd!��^s�Bw�Ww���Ja�L7j�Hl�Lti�O8�Qx ;�b6+Z��� JL��Im�&2p8�
zxDhq���$�.*w:��]0���r�WJF:$2��̋0:}*[T�/=v�G~N&;ga�~,⮐�C�3'Kq -Gл��Wd�ANE65.�?%c�K��or
<[
x E`0������gG� yza�D}�)ɠ߿2֎.�i>\�C���Jʩ_�w �s�of, D'gӖ��%̼CL^`�nvHh��{�P�L+6|rrw'�X�+cBQЃ��靛{(�ƧۓhN�ףטY~
�놈YxS�*jq,Zz��..V�~]+_s��# cI"Z?��K4mb@`&?PfDp2'�q|w۟E
\5�s\!ŗ?gn!r�s�?E�`g0{,e.gB��η�:Q�wT|�jO(Rsi)Zk=��i)z>ܔRsV�E^儩NȾ&�A�`1r)-~]#}�|th/��~"2h)Tr�誠bҐT|[bu�OϴWuJ�U�'uG)h�6e]
�`L*Fd$v6Q%A§B.
PԚ�a2>uɲj+|!�u�\�MJKr\�w�Qr�s_7W!Yh�z�!OϠ U[τy4^-X`7ѐ�X~qנgqgy�'l X)p#ߤEr6#ٸZ`'B֨.�ٮ[j]|-��8
^DǬY�[d6OF�ly;�i%,oa_��>I1`>��:-�:yBo�%�J�}14�(kUn�*o^z�fO�wL/\=c�@&& @-�Nn&�/^ԷC u2.8�1\tmZ!fhc*#Q!Ra�l*{s�j8]en(O1Ii�]v^�"Vl�"r�ķ'DpU��≯!t�l#�1@'�Mx:4m�N��WN�+l3M3�NJ�P�UR\DMX-i%�Թ.
�HV���6Su��~CbsoI4{t��K5>�EI"�:�Cr+VT4ptC '?ɑ='F+^9aMY&h�&1lj���!�I'L8,rVH�Iq͌NمVصy6(!x��te�>Wu_WV.�&rxk/~�P7=JYdq�VyD7^F�Q �:�
��k^].݁3ЃP(cs%�C]Q�|b;1M��@pv VA3��ddP@2h"<��s�яy�0N�Z:%9DYn$)�L�.~�j
z�Uq^H]�3>W=�%l1�Es9|[�=PB'�B[vlw��'ۢX}�cb�y-o��;#t ([6ۙ$\.{\)Վ�Tr#�0ӎ�V5[A!� Mf��\GJnc(�i?eU�3B�طSǣ&�[lYs{?�劎lA?sd`(Y2ۖ>�`,s�F�jB)�mpwEP�`CD*}
B|�s�!7��[��P�7�*ςos��ͨy�|��rC2g] ?p�$o<22LIqA#C�RAm71~ akGjI��*ߙ���%Qӻ�.RQ]_$�Q71G`*�m,�s�;z`[�fxC�ԨI\Xp�wߢ(HZ`|q�1w۽ M�WR-ZQtÉZMIV
k�9�i�Ҷ�w��`xt`:(4�Ë=y�kX�S q�< '�ǩ�/EI�_#D�T[і7�F�(1��#]3
gN!~]6XyyKgZ?�A۵��ۙ9R}0�w5C,dVy M4:�nF6;g>&�/m)�s&byQ#hV�l%�ZTB��oPtƀ=opk
?�V.w)
! +R9?V<�*W
�5=%�lND�ch@��5%�~8ok0ZFJk~�?)Zjݯ�%j~$2����k�32�TaIō*$x3�~;FPJy[EU6�{qm `M
�=+��lo$w �g�O,ƕ��l�@)Kp<�(**p�z���}g9����+(X*Rϼ
��K%v9@�WA@�ns��m%�
<�`3p*���sc,h_Rԧ�@�\̭�^i01vwVOg^C~'A!h�/��9��2+;
AJ;�A�I Q2A
<)��
/:%D{U]�qÚ[ K�p6bĪ��iR��q"Ck=��sQL!z�m=#~�瑇f��ի�=0_ �}VR�+�MQQ{2_r>xoX?=�;Rq3qѫoQZ$C ?]ܲ2y�$hZPC:趖'@>r!�V,KU�:X��/2 0�z˫!Q\0g�+([i^/>@ǣK9}R\4PU(LN+'=aߪE,t��büZIGxiB@Se2푞~B:rSSS{Ѵ(}?"g�669{$՚�[$܈5�+}f^�V�˽p���p#Pmd�zmy�;^[ꩂ}{ m�CZ�!��%ڤ�hž��{3m�m|e�'@K2mZ>�]��{R�¥5t=E�`H?)�K�cŭKT�ƛ�md9�><�n F�DPo>Kt>w�4,ƭ:�Ҩ�:-o
Z>(c'H"w˰(nh'Fxad&"{io@-`ᕛ��ft�u[~֧WP,��s a Id̋�ftw`Z�BPU-$ˠudT~H�"� ^Y:b� r�cy�Y`lHtVj{DQr`>;2y�URًܚ`�22|�zm7nDƥYmP?*6JrJglq l8"lO:�4�cd\b!�Tx�v[/<8 n�H)�A"i]�Ը�c~|yŖ6U?�FJ嗷>ΏcXP#WcHw.X�خN|v�Hԕ�F$U"iJI�ΰa4Er(dW?#�An'[n��hlN@�# &Ԋ��OrbP($By�i^��䡛��
Q>}5qشݣnmq�Y[.X:�YNa=,��aEs,o
A0h=,P>ު@36eBd�[#.W)~д�)0BF�#�Wך�î:V1M�7й�uI }�ʛ/_XYFȰ�)}W x� �UÔ�x�?f}wVa�+0 Q#d(@�$b虜[(]ܗ>���ɴ}r�v�z n�'y�]Tz3�BBcQ;"��0*곾kQ�c2nA�7+
<<�c1m2MαH�V�1`gi_c��RFY֠��4OlX�дnɡ�S�@$ԖpU��G�-|���[D{4V)�oUf~;\�DNߦ] %OBq�Ǎː �hi0r��i�|3h(C2-ϡg�P<�o��QCa%�!hxu|/GR`�(rY)am
�.zU'qCë�9Fx�F|"wiuD�WIq5ݨJ�4шT��-1N<��zl�TQ�PAjM�]P�o�Js�gb���U�S�ו2��t6^@\U"2P+�3>$^@IB
7lE*�����j~\c�:7u2��̢�p�N:M���] ~$O+5XF3A==j|Q6{��8Z$"з~ܕ� \�J7
3J Qf@�l{āE�lV'rp�w�0i'Lz@�`ԝWe�nIز!ǝݏ=fWo2%�4�LF�W{{�����I�9}6J�YU鲢1o1/@�:$�cD�٪Q|/[?�ʼ�zր�,�/#�VylgUBɍoUڐ֡MN/�/)�ڮ//�ʵ̤*)S|iu�.XAlA;�i
7hp�qm0}xpZ+fF;tzZtDC�gQ216VW_9lc|4�rZ#^H�^�&uD #h�|Ȯg7>)s?%&�B(q]Р�8~�uI#\�@��alU~�몾Ɨ]DRRl%JԒ\vՔ~�!��"q�ż2V�/��%yDg��ljB0k�v8I
/u:l[O|o�����W!��G �Ex�3ROqyΕ5 j$�٭|rYDphȑMg$�D�;�0�ПN_3
kKﷂ[�n�c# (g}�.b�ݞ0_-�&]"�e���twlՉ1}�(FZ^;�U�~��Ƌ
2ԘB]BhO.
R"!r�5VL
� ϕ���ѡyzXvg7u�*�p�vy?rpőy�?yz_�E:o�!v.0
h`�#kr0�ajv�4�� O�>V@#W*viD/}�l.�Oms
öƳ
dF j9[Fx.5z���M
aU=
r&��zd�yvx3�C!$` +�),^oY�{~-M+<��)�6� ͂7t\2�"`�K�V�4N��7�j�h|3�Kˋ)>;7Z/�"u?*�L�v$s_'>�V[=bMY{�h&ތ}�v � uΧ�{��ϳURLl,ݜy}[�x4uel�|/�av2�0o�hcĊsZ =�|Vi(HH�?�B�#nZQIJ=d#tQ,�kD�$r7�\B9HWY^�[4Mjߘep�}V�3�C
a!xR��%�#gzv8ѷ�R�e`w$@RCs<�aҀ\7FN[l$&TU�9�ĦR&ߛTmv�݆p�"E(Di�Kq2
&`?.^O_naZwb"7a�=i4�*�_,DUWM`zg]��!Vꮻ�=� �*kgV7MO�TYTL
;\[T���H2�e�ׄ-{�'}5�4N;V|u/�𠫇6wa$�.|:TsBwn�n&|мYኹCd3@R< ϋ�:>4�H��
N�K\weFy �tU�Dy)Sb6KSUX&#p�#D�e�l��|�AY�x!�ۣ�+f"-_AZ)A@i�`6��YFڣ�]Y$�=�x�
4Ĥd���玦Џ5^ߜߓ{t�peTb�b$!�Y�Aa
0aO?�Jwj����V�k�1Z;ِ�!�m#:��ܖV�%?�)�#nU\}tl�@j=0%�)ܕ�Nj�"R,�e78U[0�u�Y&�y_Mo)��N�NtM�%4
n8Mcqjd3��II�*7h3V1s,�"o֖�K�v�B{}@0�VX�OG<9alT5�ToxIˉL�{k5���\_�(J>R&�K�GyiEh?M��r3|& ��%8Z+�K%>5^�/DB/_*wWCK�=Ka>�p�/X~ih#^l?��-qɫYa>X%rg-WweS-G�Rλ Bҷ�?%�v�{*K-@e2^�&u}T�Yv�o2+|n�4�I|J:;~�5kLE�K%U��~)^~];y5䶢U&[�H5UY]>�3n{�7CA%�4�f۬��0+ϓ�gPYOٵf{�B5]T�a�jCSBg$�q6gW1_Ϲ*0E+ +i1柛��O_jeJ6U[㜵WR^�?Z_�o@:PGnzϣ7dMVH�d�&٦B.D'�gż��q�2��xF%i ULoV=?P.xSg�O~,p�}H^٥OGv
�F�Wk
2�V&.}ݵn0i1тA0kGқvu=% x"qWs�EW�.du8b=A$�utF"n7�YZ$:�kɕ�iϑ1ΐW�A�+�K+�OaD_lQ~�@�F�HlE -j�\���Vu��!�Fu%�Jj
;�5:�Cܗ�BQ㉐!3�'9�Jko&.u��BAv( �F�z���\�:��4%Rh�ٞ5�,D�|A"i~d�vVx�!0L7e��{a6
\L�t$=U9]Zw|b�\��zy�ӷk_r?.�4鄐ͼ˦DL�0wUAÊw�!NT�okݜ>->ՑQo�ws'_�#�?|ҧ%'\�%4\o%�hohT(s�h��rș gXY1Oݠ*b]�eolCA�eb7��;^+ XlUjN=�a�'W�&|qj�+FK%0:f�QuNs?+PLfvdV���GMr\0Ȧ�!۴Z:�c�?S�T�.
^M.�%T=O[g0&b�60h�JonЀԪ�
P�ASro��`/�5�g!�3!-.HV+֦Ou�-��d<�Yb~��
]o|r,2��5�c-R'
��~\:�'�5I2c:1dT~W��3ƈ1 T:�T߲�[ 1:�ab|f�w!2Qi @JG/rkS\Ut�&p�(Ĭ:~?�t,2(f,�Z�й���X>a�yy/`�1O|�dԝ�$�N+1#$[^u -h�`[ږN9 4L ֑:x||].��HM#��c��bbb�Y b|AO!D;ekP�~Zf!y] ޅ4D�[Y0�.t sl+"pr6z!<��D�g�z5|6�ϼ+�% ��~:�xca;�GpZ�vmlq:RFg{%�깡-�AB�{ʱ�.�9m�NbU%p(lra.g~3��p�U��Lb�\`8}�A┸\;.Z'�L%�km�d|V�n��yUħ��"�UK�G^:]6�-%�yMd�nEѱ6cC7Hdyszi;o��/vsʞ#�~�p{�zNʠq@C(58ꔼQ�DB^�5Ͷb!]pa
<��Kkv�UU)`AƯJ�U%/@)�yĹ@YXVd/�j8��Mp~2��q`U"P2/�+�t@%֊4[�|S�r{�g]rUȅn(b+u=�¬7
do�g�#^γWH
/x�\IUp2gߗ9S3�Og�92e) o�&��^��%ñD9u�P&tk�uP8n/9;]$V����pˇ7����)�jmY1C
1�i@&�E�
�l#VT_G7C2
o#+; �D8Pw$�d��!n{SQbjU�W2�9,˘U272�4j�S�iYhNqSs^Y�O�J7#T:�15*3W-m\[Q}����dNH�UCL5E�ޞ�ޥN2�z+��&2PerI?M"�are;�q#T+tYqj?G��1�4 n@�l:�=72fِh:PxEBi�EWg�RR-�Ne�]N+�^6)$>��:K^m.V:���LsLGg3[X�4y�B�l�8N[X/k�/
sA��a�;4J^H~��i�kq�a-PD�`|A=!
$JtBC(^o��fyu`�vG
3S�.�dBl]DD붒A�ƿ�=GK-kxH/-| �i�}#ߘL�Xm��55J�W�n{a3g(�!
�ĽsLJ�"
d� @2pD�E��$*SU�]ZgWԾEY��?ͰdK/-}&g�TLxFAhR�;�.@D<-�`O4tU��._xN5VͽGq8wn���7�BW|ϓm㿘C��sً$,KJOVc*eI4i�Q�)m@\%$oyV7ހ|!%*�(Erpe$P��l2 U
v�j�ߨY�� zH}�`�YGX�?Svm`HsI=@�DuNCpgt`^l+h�{րL=ebk67�G
BЏ;4kH]F�M#m[%TUC�˃���گkb"��G�Em�|fq+ 4ޅ�sEV�1Մ��8)H�N�+X��ԕ�ba<)�;�v.�lAk2����yU��/l~IBg��ĥƷD�R`z��)@;)z6Ph/
د�`o�WY�o
`>pwv;Ӕ8;A�7|H=%1(۩?VmD#C"40BۀӚ뿍L.�S{�ܻ}n"~=/8ysH+FbC��
�UĚ18Ĩ|_��}�O�z{$2B�^FPX 7oq��K0AG�O[�hϵ�؋lsm)TLn��j^�����f+ɜ�45�e'$�ǒ܇#IP��a:^ew\�¼Y�n)�g� ү7�pZ90�KO�"ْ��9;="o�i�+�̧uw|�ʫ4"F'�;4*H���5rV�]�)>�X�T�Bb_%h��-�Q<���z�/x�V).idB�G4��wj�>1IF[`e� �vrѧC�炱,d=�:�̋%hص$Г��H#Mo��UP]�wh^䆀�W[E1@K݃> h�w48JK~&)^j{]lD� BҺM
gޒɃe5NJB/pX+)%gӠ*cwu+8P{BЕI[SĎ#�p߱�
�?EP�e!BQ>#=2h@
=�KxYލ�z}�3�kɆ0�@{16�8x#>R*v�m��J�y�6C���Uف�P,c��I*vzq�-mܫ~�_��1(ۺ[.�S,�?B�i Hm]sh;�.VG-)nakc"�˽lY.6�Qn�h
{6+b!V��5|O\3-\~��@�Egb�AlM}}�쳴K��lJ�DZ#XW.R&_ز>
E>۳�Rl78e+���p
ۡE�'ՠL\,�[?�fEBڷDWnub �ZZ ��;ϖ ��ӂ��Q�
"-Ty| |8ey<}QR (?a��ݑ9Hb5sqw7t�}y q3+J=loERhf{�"P�{Uן������QCt%dtR�)K.'E$
��\-Z�t"Y}J��
Q�?s%tlP:�*q�l�5�1U�}bEm?~ �Ee�p�<@1 /y-]�Ck-O&EF$~8#<`c9�u#͂VX�G7AL=mu��s5ܙ:]�*-ͱBeU]Tl/,�R�
�Z��h!\-Y�7R-Cz�d�6=f@c{�|�= eL�wI{SOu~/Q�qz�:���0Z?'f�|L�ASc��a��/�J�v(�g~��I�m�V~~b-hnA}o\���@#CdREK.%v�^lnv%ie/ᴬ]kKi6% �1'8�]X�~?8$([�!##�<����V���4ShgJɝ�$C>,��ت�l3F7�! dN�TQ)ٖ�xNX
m�V���i��\wK#{�㳖]2�e[�_y�6a����ܺ̇�E)��Sz�aU�J9�SndnA=K^�191uI�:ߥν�Mb9b�Ŀ��!�uB16GV Q~r^z
8f�Ĕe4˵W� �4i�Ԛ�S�'V&ԛa�tzG0I[G�PuQ]LLx"*L�a�Led}�*�9I�Pg]7m϶0
Wnf�I�5dTffx�;FL^l 8�h=Z6z�I{xsʂҨCO*\\Tޯ�Boe��e&Ji�ͤ�<_'ӭ\Vlc�Ar�aR
J̲&C�}4�PKnA|\T��I0jK�+Zس5N�|eAÊ
;�:����WWg��{�+[�\m=,2��+Hѣޢ�/0(-�ϬOy�)�o�F�jINrh<O5bec�#O��{ln=m;�uԄy'Z���͍M٥j?,�*+IW�r�\SJ@*X+S�*| 監r{:JCDO)D�K�A4N�FΡ^��jH-pA.�rܢ0S0o馫lfCc�7UXj{bT�j%M�Z���"
�IQA@��F6!g%�:$xjSO:u:cǾ�^+p?�k?]j0�G�OyTp. ���Ktۡ9*ǡυ�Ez@�'�E0��i���)z�V�J \�(HQ"ff�!$}�FX:B5+'G�T!ؒ�F�ƿ��Rao,^j�-ћ&hdNҀZq0*Fu2Q\H�Ki6"Vl
鋳U2n`�r}>��ʣu^`2嚵.w�ΧXq�vv�P IpWpf*(֘F�Au���R7EJ�W�d�Ut.Kܑ1�MO蜈�)|bf#>E~֛2v/Mc[�:%bl��w˄6LD�ڮ��w7e�ƱP�&&=�"m3)X5�wrIXu�Piæ�$��oFe1ep
H�\}&�lXݛr{m�b+R'$4"f�NE6
y:{�r>@z x{fn4X���<"�?�<ל����2�0A�'K`Gt0�62 xR �A�h~>6N0'_�ȸGVq6P|�_.�갩�uJ��;��Ϊ��N:�9ݛax��>�,w`W;z[
.Cm7م�p
�TSjQ*ǨS�G:CBNa�t=)1�&݊M7r~D>FX�F�e|h:l֓2w�r3�00رHm��u#hs*%;R�aMW�cCzф�_�'s��;nJ
��G:��--[1&'URLٍNگ:'zi�Mm'au���8�3ON5e�|D0,9.~viP.ь*m¨�m�<�6#&$U՝C#]zG�nk6ފ�łoXn�lF��i=e2�X/R��o9L͠(ƶ�BmɃ)��Td`ӄGZ
n� 6���A҇f��k,=Fb�@b(n]37kC,�j-be ~Ha\NwvEIB`ܴ{V�(;�eI?Z,87̄MƋl@Rα�5Y�2[?
}+"7 ��"U��+X
LjᵂAZ�*_�\y%MU*DH(ـDl�DE�a��n�R)8ID���-/�D?$+jZX�\9
]@Vk�_//n�7fyYJ=�0rVEt)|�&bY_qy�S\�ƞ9�6eH'�kus�jRq@_a�i~�W�;k��/rh�&X"IqЕ8�ujQMS#^
Fdd֖ṹ�<�bd�1UsԚc��3Cv>כ(�P$0j�ox'*�|K;�QV%UWnyfuЫSfɂ�0LAZdӛp:�鶁8ۥL
ŖW����47�*%�i�wc!m+x��p~֖M��/4O¨`9ھwWeǺVkm�ƆTDY(�9e'f<�|~
>|�p3!_�~a<�r%lD`G`, 8�T6G�fe$dZrN4vlF�Ð�n"j)0jgݢsg��3:a�!�-�~D2��+-`\[
)I OaFŢ%^/.?Īl*>T+&"@o0ם?̫ɵ)6 t�80-2 BʤF�>pc 08w+CA�MY}]PtɞO�2lE)٩��\C�iʵx>3AGM]MED�
$�{n=�'9c�i�:?WdsҼj�Ǘ7ߞ�TPL;ZR�;�$��gBˇ 쳼9|-�rPv�G'90x�eW�l,���ͥ�_d֟PB4ey�YߕBigT�+�ojO.spq¥u܂p�)|&>ݶ_%XTu��V69U�ArZW�F!F�5u2u6/:��=
t�w5gL5R�x/��ԟBvs���!+
�2jGg�)-v$&h:e�S�c�*4Mc٘n`foqMM2{6
�2c�XE>�J�^�}��F7ɵ�x�N�+f'x�"`P+=kl��T�ި�Z$~�cRLNJ��nM�W= H,t�|��{m!^ YbsFJc� �tdYL��)h�=��]<Ҙ;}q+|s�T�g�khDIOQ�0-1b>�Q]Z߷1GRO�º#J(t�RA�y?iO-�T#%P{-ڹ'el��vۮ?Dz@�ioh5^�M�̆� ��?�F"�L6J'2o,�}\KҠ��x<1U�b6mZg6&˨
{D�4 �2apw~-8�XIP��Nyz��\2{0>_\a�^5�a4z�*R�%z&EG��kDCEǩ{��HVC�4p;Fv|sM?b��73Tki��ᗕpk�FP̺f/pXZd:;<4={a+U 5#�S��?�kvy�r֏�ȥf5PX
+}Ղ �fY���X�}f!c*�Z:X|^Lݨ�zg |J֗+x�X�
r� و�G�yM��@%$Q�_�/��`=l8OކVG]G]N��2L'$)T��,!//nCP^�XS� H��;�f^_q�2Kg�2�CeIy6��M�0kx�
0Qr�aRuCYpQᏢcUs�S@Ko`]�ؓ�gܤ< �3?H"3^mςŕ�2�D\o1?vy'�v5m
r9�U5Tv>6xxSG+>j(5V6P;�X¸s7vgF�Q�iӫ6�O0u?4M?�上fZG�e^8Gَίj�5E)Nj�i^Z�XB�X�opW/<Ŗ%�(��4l�=z [3ܻif�Y_vC{#�8b0i�Sbc�t~o�8|nz$Jd�ւȱ#Hz�\f1��&�(Mw&d*KIz,j�N9�&xIrM.e@r�.˴+@�DA�nsZˬzVM�y9p5.\/xN&@�o8pI�K��[��Of��^P�
莕�Ԙ6där�FJЃ'
�rZ%ad*Z\��KZ��'h| "�6&�.I�W=)|q:<4LVG֔�|,(u���I�oSr���␃d7Y-���49�194zKJh�V"��u�CB;�+�D7��x#sU��S1�i$ȁK$s%(ݖ
-U[��i8B��.×rۊ=}g�ej6r~Hr=̮!�S��C�Kh�6.αQU�V3͘1l>��R�| �ZPc|0�<^˨��˖b�heނ3�]k;*Y{��8ب�NOA>�;�#�]�՝=I�=�7���g:č #cn.���6�XJă�q*8フR�aocp[�-$.T���X)�rd7Эr L
4�.�yLԊaiOI];z 6ԆJ^MHf8��a0,��`4`P|}���DuaЮe�xN*P08!ٗ�C ޟqr�id�?O� A����CU|4k4iPqLWy}/P\�DƑ�dHJ`
8U:\tC(��Sg\T��\�ʹtց�Iё&X�)ޕ>�[لqRx :k�`/�{q�VQ2-3D
�R��r�Ƿ9%ǹtn=5D{rL�WHqġ�+Z3���8&w Na�2�柝CU{L��o_P-P�gFɣ�\��>]>|vl�AŃDd U"�t�Fr{)f,zDtV�ѧP�
]a7i?�#f$֎}ydl/�W�;Q<\��'Nت;UOw7ɥ�u9zy�{BvM�nF{��.9N.ӣ_k�[EaxЕ I6�5[t�K2LFL��:]�ݨjq^lA9Z
k_5.OEPk��F~$�h�e1e3yyt�\Q�]A"0"f�F�Z'F4xL1UY�n]U*ͫs[gngy#���Ò��XP�.~���FTǂT"��m�R?1I&B��>Xⱟ�?�~j$k00̩3�.J�AM\�,uʖ$>� 4e?
l�f)j`�&jޏ!#b�ҫwʠ p�=tjWv:�@y�W䏡��%Igڽ�j3#&�EߗѸ�wsٯ�./ezw�6 _l@;��)N�:sBۓ�!q<9nT�Y,X&ʪ<�GN`x敝�z+�q��C{K��W;n�`K?�?4b˚/�q�3�d�)�@bN*n��+b')-@*FKn9zB6+eύ�+t5Y`|��j=6�7"V�2c�<_�I^b|�ȷm(pF�Ű.J:1P�xY|�\o/LLXiY_uj/E��ʕ�l_(8j"/к[y_uy}q(i �kϺ&^OW/M���7�`�Y �3sֱ�u�jN{��~X�@lubMİb(lp�]{%�|Q laKU)Fw�F�?C$�\}u.?I�u��Ս"O�#}qy2p#/(/w�(W7Ki@;�|^P()`X�ɟqo�@@t�`N��.,Z10m\#6Űa~>ll�H'8Gu�e⻜깭y}w��!
\�cxXu(!��o��3y%2H�P?P���I.+*4b6{�b2,&�!W&ȿg��pX�фW��b�m n("uTI�Y- Saj�*V*Tؤ48|q^yI 趔kß
H:=�b>d�5ׯ(J��+=h/Q��v�'BQw0,Wc0�h�~[B
Z�ԣX�?/5�[_د'i&Ëu%qiE6HS&?[�
���^��-hɑ29 tLW}=cH:X��2�%ckdp�N�w�{�4���Z-L �
YK.�^k�8T-5⎇L�Q2Gړăc��=�SpOy]i;L,|#`iqAdxن�A&MY�֊�w�ਞ:hJޝ�뾎hU�/<$Zd
,)Ӧ6$�jF.پNqs�nT7 fKQ�( q?4�v
1OU~&ࠖ)ęW�|!rә��^?;� gQJkZ7�I��Xu/�E{R9�s/t2] )�,i;�^B,I��m�L�]d^r*PKjM�L}8]c��O;D>�
R����FOQ�uF6.67�`<�`2 BЀ^2�Z){Ͱ*U'�U
�aU�ݣ�+�}oն�K.@.-A;f.�/Hlq�i�Kx97E\sXA6��y܊ì '?
�)Ҕ�9\VLzĎ����G�czFqL=5SWq�:pg5C6 ^!�C��QmMx2UQ廂fS"= ܳR_KTH*D[2z�&(�['�_�W/C�\c�P*,m"�I�ӡ~
l*�A�i��^��?��blL�ԟNڰTq.CS�|nc#Kw
^ߌyƦ�oO+7a(4?I,˻_�yBmvn4<%+�q�pq)�Qm>Q9H�J��Ye�d^W4cl� қC
K�^喝�k7�["G%<)伴͉sb�HVۉR]l�2UX�nn;GʏmQ�m=|E)NYN3G}"7#q�ʝob|�4r⸳ 2Ɏ\$oy&]¶VZ�~PCZ.h˻�[�@84�Oc�Iu�]33Tl_^�gΥ0ARڷƷ6`g�Ʀ��\R�UT�.Iفe3�8/\gVMt
t5��)#v\xWA6zj/� i1%�-#~贀���yѶ;+
2]#�*�!�_L05NLhLQ�sdF�{:H5g�V[SߌkuėGo�N ?xo֝ͷʁ�enaۉSE�t]>�g�Ocɖ2v;2/�+�g+g QD�6�JXLm-V�iOa$>U�͙z�ϯ҄Ą{FI6)��B�ݯ�:?�7x�Ay$��2喩q)9@?ތ}�
L�ވg�wRǃ!ΧVmU̎Uws�_TsjRySD*ɢό�
�_3�@4L`cL2ب�@X=Ft&vlW&[y0~
YL��!Oî�&5SV|H~^XSQa�5�q#�H��UBCW�ХQ�*ֈ�giF�OR�b U&ۦt�u�S��ib`E�z[ @ZC`/Y5H"-�W�DUB{U�N+n�ec_O6k@]�:b�6VDu4zφ5+k;k�KUᏣ2�+<�C/��c2�PMUy�]hҔ�fX���0O2CuPfQz L #ro#�6�Ddw[ծ&���I@z^
dpY�>xe ^�m2Jxcƅ(RT=�\JA�z(qb�CT*AyHDcco/�|>�/^N>�]w5�6YDkJ�� (Z�E3�D{_߽��C{\��Ƹ;Y�EK^RlCꫛ�CNϳ���n#�\pG$Wa�Jқ[9��@p�(�(���%@|��#�r�j�.�)9]�-e>èWG?)Je��:?0j+�ҿ�0p�K��Weȇ���xM5G$
.Ӑ�b��Q҉Iz�}bVn4:5+;�8TSI@ՍoT/`AFvv�%`�_A6�rȽσ/O�_�s^��T G+P�){gRw��E@ h8r�#18�>~̿��^]憣?]״�InI]L�=�0fTR}X�O1s��?J>;�W:+l])s(�9x�0qܓF%o[5���-&*?ez~f�f/w�ݔs�V*cݳ�V >#.ڙӨ�큅*�#l-^e�_gkJ
y�wø�}��峉al8s5+}Bs��,^|i08��0ļN�r(҉ Bl��$'Y\g<߬���ُ�`�э�AĒP��G&z;��b/,h�"vDm64'
0�?1l�\a060���3"AVi�о�.2�_pqWi�7PԤ�9�@t0jsɏmr#%kk�p7G:{Гluŧ�#FDSH"՚-a��dQQ�9=^*GR̞z1<>(owO[h�ٝ�]�Hҷ2�(��3ltr��Cz$n�o[B7oc�:Yߓ�g+cl8�i&d]^-���_ty�jD).�
sZ2#RvfS@'a&m#L�5vf9�mR�"�Ӝ��==ǘ�VEԸp,Ŵ�<{�Ղ_w]ev3x�k;nG: D]p)k+mφ LH��>��SG�JRk#l ��y�A�yd]-ܧ$+'�""���ߨTB&u5ZR�x=�dMF�r�Nf52�SLܖ�AHZ|ˎ6�D�'n\_�|4v>�j�y2f�ow(��m%S�ٔm̍*zIZTqXK_Ş�+;Ց|BԳȹGr4"M猙jx0=�MOL)R<�n����)-a@F@{)U�o>/5�E_K�xn7*\iߤ^{څ�։[x��=�uW-Џp\W(Bϥ%w&,YY�
p�vF|+lѶ��Zeh[@zi1&g`<~hW?1VN>֤w ��g�Q�J}O�2hGO1tv�\\E kp콛Z�
D=wG\t5aCE4-c�xU� �14-[xQU�
D�?te �D��*y�qOAmQ��>,TLA�ޠ)Xs ֗;͘:���W�*;���}�%��"c��ZO�!Su��Y�s
kiَᳩ?-⊰WN�% %S6^&R��6Qz5rty*d�W�$ҏx5aUazB7)%*؈��RV:�^}oj]�)�r}^K~�5} ��V�C`��W`;>�$L�&Qey߯P-�X0\��p/�Ȁ���7As>�u��z_l_UY^y �n>⇩Hd :~1YtzB[w&P
C4X]ςU;�-¤Q=cd_�mB'���t�)��k�2CW%�}s�-r&��ڂ+�_d.�n"˙J
UKꋒ^܀ ~�EkgҸ8g#9"6�VԂGWc]wJ�˅m1YJJ1-�Z(4Q𮟤�%"{Q�^�hʏ�.$�&\~渷2�E�Q�l�Q�eCjtT�
'�S+pF�-E�S+Y3�%�Q���diی�Ф
U?a�20����vz)�7L��4EOIй/o_���ݘ�]ED������
YZ