wpa_supplicant-gui-2.10-150600.7.6.1<>,=g"ep9|_:Dtܛ x3|bD48}HLڐoE`| 9BJƇor 5 &*bEv()7*@[br Ә/M-̎_=>+ϖȯavϱ9f}qpE#4DC(m`8U~t4u;$s.N/l]cGŧ9 2M7E HD"MI;HVqSMZ_LeRE,2ڞ y g>>8?(d ' J , BNkqx     &0\d(8+9d+: +FfG|HIXY\]^bcd+e0f3l5uHvPwlxty|z$Cwpa_supplicant-gui2.10150600.7.6.1WPA supplicant graphical front-endThis package contains a graphical front-end to wpa_supplicant, an implementation of the WPA Supplicant component.g"es390zl33 |SUSE Linux Enterprise 15SUSE LLC BSD-3-Clause AND GPL-2.0-or-laterhttps://www.suse.com/Unspecifiedhttps://w1.fi/wpa_supplicantlinuxs390x x큤g"`g"X2cfa63f188d153d581081ec9e97be0e09e20165e668413faff6752bc358361b7d57783ead2cca37539bf8b5c4a81b8105c2970de177652fe1a027433593467aarootrootrootrootwpa_supplicant-2.10-150600.7.6.1.src.rpmwpa_supplicant-guiwpa_supplicant-gui(s390-64)@@@@@@@@@@@@@@@@@@@    libQt5Core.so.5()(64bit)libQt5Core.so.5(Qt_5)(64bit)libQt5Gui.so.5()(64bit)libQt5Gui.so.5(Qt_5)(64bit)libQt5Widgets.so.5()(64bit)libQt5Widgets.so.5(Qt_5)(64bit)libc.so.6()(64bit)libc.so.6(GLIBC_2.15)(64bit)libc.so.6(GLIBC_2.17)(64bit)libc.so.6(GLIBC_2.2)(64bit)libc.so.6(GLIBC_2.34)(64bit)libc.so.6(GLIBC_2.38)(64bit)libc.so.6(GLIBC_2.4)(64bit)libgcc_s.so.1()(64bit)libgcc_s.so.1(GCC_3.0)(64bit)libstdc++.so.6()(64bit)libstdc++.so.6(CXXABI_1.3)(64bit)libstdc++.so.6(CXXABI_1.3.9)(64bit)libstdc++.so.6(GLIBCXX_3.4)(64bit)rpmlib(CompressedFileNames)rpmlib(FileDigests)rpmlib(PayloadFilesHavePrefix)rpmlib(PayloadIsXz)wpa_supplicant3.0.4-14.6.0-14.0-15.2-14.14.3ge}@c@b@b@`lM@`?z@`:4@`_|\@_i@_i@^@^@^|@^|@^Y]]>[<@[[ā@[[;@[@[QY@X@X]W@VU@VŲ@V`V=@UKSUCjU8U'@U/@TBV@cfamullaconrad@suse.comcfamullaconrad@suse.comcfamullaconrad@suse.comcfamullaconrad@suse.comcfamullaconrad@suse.comcfamullaconrad@suse.comcfamullaconrad@suse.comcfamullaconrad@suse.comcfamullaconrad@suse.comsp1ritCS@protonmail.comcfamullaconrad@suse.comsongchuan.kang@suse.comcfamullaconrad@suse.combwiedemann@suse.comcfamullaconrad@suse.comilya@ilya.pp.uatchvatal@suse.comtchvatal@suse.comilya@ilya.pp.uailya@ilya.pp.uakbabioch@suse.comro@suse.dekbabioch@suse.comkbabioch@suse.comkbabioch@suse.comro@suse.demeissner@suse.comobs@botter.ccdwaas@suse.commeissner@suse.comtchvatal@suse.comlnussel@suse.decrrodriguez@opensuse.orgcrrodriguez@opensuse.orgcrrodriguez@opensuse.orglnussel@suse.demichael@stroeder.comro@suse.dezaitor@opensuse.orgcrrodriguez@opensuse.orgstefan.bruens@rwth-aachen.destefan.bruens@rwth-aachen.destefan.bruens@rwth-aachen.de- CVE-2025-24912: hostapd fails to process crafted RADIUS packets properly (bsc#1239461) [+ CVE-2025-24912.patch]- Add CVE-2023-52160.patch - Bypassing WiFi Authentication (bsc#1219975) - Change ctrl_interface from /var/run to %_rundir (/run)- update to 2.10.0: jsc#PED-2904 * SAE changes - improved protection against side channel attacks [https://w1.fi/security/2022-1/] - added support for the hash-to-element mechanism (sae_pwe=1 or sae_pwe=2); this is currently disabled by default, but will likely get enabled by default in the future - fixed PMKSA caching with OKC - added support for SAE-PK * EAP-pwd changes - improved protection against side channel attacks [https://w1.fi/security/2022-1/] * fixed P2P provision discovery processing of a specially constructed invalid frame [https://w1.fi/security/2021-1/] * fixed P2P group information processing of a specially constructed invalid frame [https://w1.fi/security/2020-2/] * fixed PMF disconnection protection bypass in AP mode [https://w1.fi/security/2019-7/] * added support for using OpenSSL 3.0 * increased the maximum number of EAP message exchanges (mainly to support cases with very large certificates) * fixed various issues in experimental support for EAP-TEAP peer * added support for DPP release 2 (Wi-Fi Device Provisioning Protocol) * a number of MKA/MACsec fixes and extensions * added support for SAE (WPA3-Personal) AP mode configuration * added P2P support for EDMG (IEEE 802.11ay) channels * fixed EAP-FAST peer with TLS GCM/CCM ciphers * improved throughput estimation and BSS selection * dropped support for libnl 1.1 * added support for nl80211 control port for EAPOL frame TX/RX * fixed OWE key derivation with groups 20 and 21; this breaks backwards compatibility for these groups while the default group 19 remains backwards compatible * added support for Beacon protection * added support for Extended Key ID for pairwise keys * removed WEP support from the default build (CONFIG_WEP=y can be used to enable it, if really needed) * added a build option to remove TKIP support (CONFIG_NO_TKIP=y) * added support for Transition Disable mechanism to allow the AP to automatically disable transition mode to improve security * extended D-Bus interface * added support for PASN * added a file-based backend for external password storage to allow secret information to be moved away from the main configuration file without requiring external tools * added EAP-TLS peer support for TLS 1.3 (disabled by default for now) * added support for SCS, MSCS, DSCP policy * changed driver interface selection to default to automatic fallback to other compiled in options * a large number of other fixes, cleanup, and extensions - drop wpa_supplicant-p2p_iname_size.diff, CVE-2021-30004.patch, CVE-2021-27803.patch, CVE-2021-0326.patch, CVE-2019-16275.patch, CVE-2022-23303_0001.patch, CVE-2022-23303_0002.patch, CVE-2022-23303_0003.patch, CVE-2022-23303_0004.patch: upstream - drop restore-old-dbus-interface.patch, wicked has been switching to the new dbus interface in version 0.6.66 - config: * re-enable CONFIG_WEP * enable QCA vendor extensions to nl80211 * enable support for Automatic Channel Selection * enable OCV, security feature that prevents MITM multi-channel attacks * enable QCA vendor extensions to nl80211 * enable EAP-EKE * Support HT overrides * TLS v1.1 and TLS v1.2 * Fast Session Transfer (FST) * Automatic Channel Selection * Multi Band Operation * Fast Initial Link Setup * Mesh Networking (IEEE 802.11s) - Add dbus-Fix-property-DebugShowKeys-and-DebugTimestamp.patch (bsc#1201219) - Move the dbus-1 system.d file to /usr (bsc#1200342) - Added hardening to systemd service(s) (bsc#1181400). Modified: * wpa_supplicant.service - drop wpa_supplicant-getrandom.patch : glibc has been updated so the getrandom() wrapper is now there - Sync wpa_supplicant.spec with Factory- Enable WPA3-Enterprise (SuiteB-192) support.- Add CVE-2022-23303_0001.patch, CVE-2022-23303_0002.patch, CVE-2022-23303_0003.patch, CVE-2022-23303_0004.patch SAE/EAP-pwd side-channel attack update 2 (CVE-2022-23303, CVE-2022-23304, bsc#1194732, bsc#1194733)- Add CVE-2021-30004.patch -- forging attacks may occur because AlgorithmIdentifier parameters are mishandled in tls/pkcs1.c and tls/x509v3.c (bsc#1184348)- Fix systemd device ready dependencies in wpa_supplicant@.service file. (see: https://forums.opensuse.org/showthread.php/547186-wpa_supplicant-service-fails-on-boot-succeeds-on-restart?p=2982844#post2982844)- Add CVE-2021-27803.patch -- P2P provision discovery processing vulnerability (bsc#1182805)- Add CVE-2021-0326.patch -- P2P group information processing vulnerability (bsc#1181777)- Add wpa_supplicant-p2p_iname_size.diff -- Limit P2P_DEVICE name to appropriate ifname size (https://patchwork.ozlabs.org/project/hostap/patch/20200825062902.124600-1-benjamin@sipsolutions.net/)- Fix spec file for SLE12, use make %{?_smp_mflags} instead of %make_build- Enable SAE support(jsc#SLE-14992).- Add CVE-2019-16275.patch -- AP mode PMF disconnection protection bypass (bsc#1150934)- Add restore-old-dbus-interface.patch to fix wicked wlan (boo#1156920) - Restore fi.epitest.hostap.WPASupplicant.service (bsc#1167331)- With v2.9 fi.epitest.hostap.WPASupplicant.service is obsolete (bsc#1167331)- Change wpa_supplicant.service to ensure wpa_supplicant gets started before network. Fix WLAN config on boot with wicked. (boo#1166933)- Adjust the service to start after network.target wrt bsc#1165266- Update to 2.9 release: * SAE changes - disable use of groups using Brainpool curves - improved protection against side channel attacks [https://w1.fi/security/2019-6/] * EAP-pwd changes - disable use of groups using Brainpool curves - allow the set of groups to be configured (eap_pwd_groups) - improved protection against side channel attacks [https://w1.fi/security/2019-6/] * fixed FT-EAP initial mobility domain association using PMKSA caching (disabled by default for backwards compatibility; can be enabled with ft_eap_pmksa_caching=1) * fixed a regression in OpenSSL 1.1+ engine loading * added validation of RSNE in (Re)Association Response frames * fixed DPP bootstrapping URI parser of channel list * extended EAP-SIM/AKA fast re-authentication to allow use with FILS * extended ca_cert_blob to support PEM format * improved robustness of P2P Action frame scheduling * added support for EAP-SIM/AKA using anonymous@realm identity * fixed Hotspot 2.0 credential selection based on roaming consortium to ignore credentials without a specific EAP method * added experimental support for EAP-TEAP peer (RFC 7170) * added experimental support for EAP-TLS peer with TLS v1.3 * fixed a regression in WMM parameter configuration for a TDLS peer * fixed a regression in operation with drivers that offload 802.1X 4-way handshake * fixed an ECDH operation corner case with OpenSSL * SAE changes - added support for SAE Password Identifier - changed default configuration to enable only groups 19, 20, 21 (i.e., disable groups 25 and 26) and disable all unsuitable groups completely based on REVmd changes - do not regenerate PWE unnecessarily when the AP uses the anti-clogging token mechanisms - fixed some association cases where both SAE and FT-SAE were enabled on both the station and the selected AP - started to prefer FT-SAE over SAE AKM if both are enabled - started to prefer FT-SAE over FT-PSK if both are enabled - fixed FT-SAE when SAE PMKSA caching is used - reject use of unsuitable groups based on new implementation guidance in REVmd (allow only FFC groups with prime >= 3072 bits and ECC groups with prime >= 256) - minimize timing and memory use differences in PWE derivation [https://w1.fi/security/2019-1/] (CVE-2019-9494, bsc#1131868) * EAP-pwd changes - minimize timing and memory use differences in PWE derivation [https://w1.fi/security/2019-2/] (CVE-2019-9495, bsc#1131870) - verify server scalar/element [https://w1.fi/security/2019-4/] (CVE-2019-9497, CVE-2019-9498, CVE-2019-9499, bsc#1131874, bsc#1131872, bsc#1131871, bsc#1131644) - fix message reassembly issue with unexpected fragment [https://w1.fi/security/2019-5/] (CVE-2019-11555, bsc#1133640) - enforce rand,mask generation rules more strictly - fix a memory leak in PWE derivation - disallow ECC groups with a prime under 256 bits (groups 25, 26, and 27) - SAE/EAP-pwd side-channel attack update [https://w1.fi/security/2019-6/] (CVE-2019-13377, bsc#1144443) * fixed CONFIG_IEEE80211R=y (FT) build without CONFIG_FILS=y * Hotspot 2.0 changes - do not indicate release number that is higher than the one AP supports - added support for release number 3 - enable PMF automatically for network profiles created from credentials * fixed OWE network profile saving * fixed DPP network profile saving * added support for RSN operating channel validation (CONFIG_OCV=y and network profile parameter ocv=1) * added Multi-AP backhaul STA support * fixed build with LibreSSL * number of MKA/MACsec fixes and extensions * extended domain_match and domain_suffix_match to allow list of values * fixed dNSName matching in domain_match and domain_suffix_match when using wolfSSL * started to prefer FT-EAP-SHA384 over WPA-EAP-SUITE-B-192 AKM if both are enabled * extended nl80211 Connect and external authentication to support SAE, FT-SAE, FT-EAP-SHA384 * fixed KEK2 derivation for FILS+FT * extended client_cert file to allow loading of a chain of PEM encoded certificates * extended beacon reporting functionality * extended D-Bus interface with number of new properties * fixed a regression in FT-over-DS with mac80211-based drivers * OpenSSL: allow systemwide policies to be overridden * extended driver flags indication for separate 802.1X and PSK 4-way handshake offload capability * added support for random P2P Device/Interface Address use * extended PEAP to derive EMSK to enable use with ERP/FILS * extended WPS to allow SAE configuration to be added automatically for PSK (wps_cred_add_sae=1) * removed support for the old D-Bus interface (CONFIG_CTRL_IFACE_DBUS) * extended domain_match and domain_suffix_match to allow list of values * added a RSN workaround for misbehaving PMF APs that advertise IGTK/BIP KeyID using incorrect byte order * fixed PTK rekeying with FILS and FT * fixed WPA packet number reuse with replayed messages and key reinstallation [https://w1.fi/security/2017-1/] (CVE-2017-13077, CVE-2017-13078, CVE-2017-13079, CVE-2017-13080, CVE-2017-13081, CVE-2017-13082, CVE-2017-13086, CVE-2017-13087, CVE-2017-13088) * fixed unauthenticated EAPOL-Key decryption in wpa_supplicant [https://w1.fi/security/2018-1/] (CVE-2018-14526) * added support for FILS (IEEE 802.11ai) shared key authentication * added support for OWE (Opportunistic Wireless Encryption, RFC 8110; and transition mode defined by WFA) * added support for DPP (Wi-Fi Device Provisioning Protocol) * added support for RSA 3k key case with Suite B 192-bit level * fixed Suite B PMKSA caching not to update PMKID during each 4-way handshake * fixed EAP-pwd pre-processing with PasswordHashHash * added EAP-pwd client support for salted passwords * fixed a regression in TDLS prohibited bit validation * started to use estimated throughput to avoid undesired signal strength based roaming decision * MACsec/MKA: - new macsec_linux driver interface support for the Linux kernel macsec module - number of fixes and extensions * added support for external persistent storage of PMKSA cache (PMKSA_GET/PMKSA_ADD control interface commands; and MESH_PMKSA_GET/MESH_PMKSA_SET for the mesh case) * fixed mesh channel configuration pri/sec switch case * added support for beacon report * large number of other fixes, cleanup, and extensions * added support for randomizing local address for GAS queries (gas_rand_mac_addr parameter) * fixed EAP-SIM/AKA/AKA' ext auth cases within TLS tunnel * added option for using random WPS UUID (auto_uuid=1) * added SHA256-hash support for OCSP certificate matching * fixed EAP-AKA' to add AT_KDF into Synchronization-Failure * fixed a regression in RSN pre-authentication candidate selection * added option to configure allowed group management cipher suites (group_mgmt network profile parameter) * removed all PeerKey functionality * fixed nl80211 AP and mesh mode configuration regression with Linux 4.15 and newer * added ap_isolate configuration option for AP mode * added support for nl80211 to offload 4-way handshake into the driver * added support for using wolfSSL cryptographic library * SAE - added support for configuring SAE password separately of the WPA2 PSK/passphrase - fixed PTK and EAPOL-Key integrity and key-wrap algorithm selection for SAE; note: this is not backwards compatible, i.e., both the AP and station side implementations will need to be update at the same time to maintain interoperability - added support for Password Identifier - fixed FT-SAE PMKID matching * Hotspot 2.0 - added support for fetching of Operator Icon Metadata ANQP-element - added support for Roaming Consortium Selection element - added support for Terms and Conditions - added support for OSEN connection in a shared RSN BSS - added support for fetching Venue URL information * added support for using OpenSSL 1.1.1 * FT - disabled PMKSA caching with FT since it is not fully functional - added support for SHA384 based AKM - added support for BIP ciphers BIP-CMAC-256, BIP-GMAC-128, BIP-GMAC-256 in addition to previously supported BIP-CMAC-128 - fixed additional IE inclusion in Reassociation Request frame when using FT protocol - Drop merged patches: * rebased-v2.6-0001-hostapd-Avoid-key-reinstallation-in-FT-handshake.patch * rebased-v2.6-0002-Prevent-reinstallation-of-an-already-in-use-group-ke.patch * rebased-v2.6-0003-Extend-protection-of-GTK-IGTK-reinstallation-of-WNM-.patch * rebased-v2.6-0004-Prevent-installation-of-an-all-zero-TK.patch * rebased-v2.6-0005-Fix-PTK-rekeying-to-generate-a-new-ANonce.patch * rebased-v2.6-0006-TDLS-Reject-TPK-TK-reconfiguration.patch * rebased-v2.6-0007-WNM-Ignore-WNM-Sleep-Mode-Response-without-pending-r.patch * rebased-v2.6-0008-FT-Do-not-allow-multiple-Reassociation-Response-fram.patch * rebased-v2.6-0009-WPA-Ignore-unauthenticated-encrypted-EAPOL-Key-data.patch * wpa_supplicant-bnc-1099835-fix-private-key-password.patch * wpa_supplicant-bnc-1099835-clear-default_passwd_cb.patch * wpa_supplicant-log-file-permission.patch * wpa_supplicant-log-file-cloexec.patch * wpa_supplicant-git-fa67debf4c6ddbc881a212b175faa6d5d0d90c8c.patch * wpa_supplicant-git-f5b74b966c942feb95a8ddbb7d130540b15b796d.patch - Rebase patches: * wpa_supplicant-getrandom.patch- Refresh spec-file via spec-cleaner and manual optimizations. * Change URL and Source0 to actual project homepage. * Remove macro %{?systemd_requires} and rm (not needed). * Add %autopatch macro. * Add %make_build macro. - Chenged patch wpa_supplicant-flush-debug-output.patch (to -p1). - Changed service-files for start after network (systemd-networkd).- Refresh spec-file: add %license tag.- Renamed patches: - wpa-supplicant-log-file-permission.patch -> wpa_supplicant-log-file-permission.patch - wpa-supplicant-log-file-cloexec.patch -> wpa_supplicant-log-file-cloexec.patch - wpa_supplicant-log-file-permission.patch: Using O_WRONLY flag - Enabled timestamps in log files (bsc#1080798)- compile eapol_test binary to allow testing via radius proxy and server (note: this does not match CONFIG_EAPOL_TEST which sets -Werror and activates an assert call inside the code of wpa_supplicant) (bsc#1111873), (fate#326725) - add patch to fix wrong operator precedence in ieee802_11.c wpa_supplicant-git-fa67debf4c6ddbc881a212b175faa6d5d0d90c8c.patch - add patch to avoid redefinition of __bitwise macro wpa_supplicant-git-f5b74b966c942feb95a8ddbb7d130540b15b796d.patch- Added wpa-supplicant-log-file-permission.patch: Fixes the default file permissions of the debug log file to more sane values, i.e. it is no longer world-readable (bsc#1098854). - Added wpa-supplicant-log-file-cloexec.patch: Open the debug log file with O_CLOEXEC, which will prevent file descriptor leaking to child processes (bsc#1098854).- Added rebased-v2.6-0009-WPA-Ignore-unauthenticated-encrypted-EAPOL-Key-data.patch: Ignore unauthenticated encrypted EAPOL-Key data (CVE-2018-14526, bsc#1104205).- Enabled PWD as EAP method. This allows for password-based authentication, which is easier to setup than most of the other methods, and is used by the Eduroam network (bsc#1109209).- add two patches from upstream to fix reading private key passwords from the configuration file (bsc#1099835) - add patch for git 89971d8b1e328a2f79699c953625d1671fd40384 wpa_supplicant-bnc-1099835-clear-default_passwd_cb.patch - add patch for git f665c93e1d28fbab3d9127a8c3985cc32940824f wpa_supplicant-bnc-1099835-fix-private-key-password.patch- Fix KRACK attacks (bsc#1056061, CVE-2017-13078, CVE-2017-13079, CVE-2017-13080, CVE-2017-13081, CVE-2017-13087, CVE-2017-13088): - rebased-v2.6-0001-hostapd-Avoid-key-reinstallation-in-FT-handshake.patch - rebased-v2.6-0002-Prevent-reinstallation-of-an-already-in-use-group-ke.patch - rebased-v2.6-0003-Extend-protection-of-GTK-IGTK-reinstallation-of-WNM-.patch - rebased-v2.6-0004-Prevent-installation-of-an-all-zero-TK.patch - rebased-v2.6-0005-Fix-PTK-rekeying-to-generate-a-new-ANonce.patch - rebased-v2.6-0006-TDLS-Reject-TPK-TK-reconfiguration.patch - rebased-v2.6-0007-WNM-Ignore-WNM-Sleep-Mode-Response-without-pending-r.patch - rebased-v2.6-0008-FT-Do-not-allow-multiple-Reassociation-Response-fram.patch- fix wpa_supplicant-sigusr1-changes-debuglevel.patch to match eloop_signal_handler type (needed to build eapol_test via config)- Added .service files that accept interfaces as %i arguments so it's possible to call the daemon with: "systemctl start wpa_supplicant@$INTERFACE_NAME.service" (like openvpn for example)- updated to 2.6 / 2016-10-02 * fixed WNM Sleep Mode processing when PMF is not enabled [http://w1.fi/security/2015-6/] (CVE-2015-5310 bsc#952254) * fixed EAP-pwd last fragment validation [http://w1.fi/security/2015-7/] (CVE-2015-5315 bsc#953115) * fixed EAP-pwd unexpected Confirm message processing [http://w1.fi/security/2015-8/] (CVE-2015-5316 bsc#953115) * fixed WPS configuration update vulnerability with malformed passphrase [http://w1.fi/security/2016-1/] (CVE-2016-4476 bsc#978172) * fixed configuration update vulnerability with malformed parameters set over the local control interface [http://w1.fi/security/2016-1/] (CVE-2016-4477 bsc#978175) * fixed TK configuration to the driver in EAPOL-Key 3/4 retry case * extended channel switch support for P2P GO * started to throttle control interface event message bursts to avoid issues with monitor sockets running out of buffer space * mesh mode fixes/improvements - generate proper AID for peer - enable WMM by default - add VHT support - fix PMKID derivation - improve robustness on various exchanges - fix peer link counting in reconnect case - improve mesh joining behavior - allow DTIM period to be configured - allow HT to be disabled (disable_ht=1) - add MESH_PEER_ADD and MESH_PEER_REMOVE commands - add support for PMKSA caching - add minimal support for SAE group negotiation - allow pairwise/group cipher to be configured in the network profile - use ieee80211w profile parameter to enable/disable PMF and derive a separate TX IGTK if PMF is enabled instead of using MGTK incorrectly - fix AEK and MTK derivation - remove GTKdata and IGTKdata from Mesh Peering Confirm/Close - note: these changes are not fully backwards compatible for secure (RSN) mesh network * fixed PMKID derivation with SAE * added support for requesting and fetching arbitrary ANQP-elements without internal support in wpa_supplicant for the specific element (anqp[265]= in "BSS " command output) * P2P - filter control characters in group client device names to be consistent with other P2P peer cases - support VHT 80+80 MHz and 160 MHz - indicate group completion in P2P Client role after data association instead of already after the WPS provisioning step - improve group-join operation to use SSID, if known, to filter BSS entries - added optional ssid= argument to P2P_CONNECT for join case - added P2P_GROUP_MEMBER command to fetch client interface address * P2PS - fix follow-on PD Response behavior - fix PD Response generation for unknown peer - fix persistent group reporting - add channel policy to PD Request - add group SSID to the P2PS-PROV-DONE event - allow "P2P_CONNECT p2ps" to be used without specifying the default PIN * BoringSSL - support for OCSP stapling - support building of h20-osu-client * D-Bus - add ExpectDisconnect() - add global config parameters as properties - add SaveConfig() - add VendorElemAdd(), VendorElemGet(), VendorElemRem() * fixed Suite B 192-bit AKM to use proper PMK length (note: this makes old releases incompatible with the fixed behavior) * improved PMF behavior for cases where the AP and STA has different configuration by not trying to connect in some corner cases where the connection cannot succeed * added option to reopen debug log (e.g., to rotate the file) upon receipt of SIGHUP signal * EAP-pwd: added support for Brainpool Elliptic Curves (with OpenSSL 1.0.2 and newer) * fixed EAPOL reauthentication after FT protocol run * fixed FTIE generation for 4-way handshake after FT protocol run * extended INTERFACE_ADD command to allow certain type (sta/ap) interface to be created * fixed and improved various FST operations * added 80+80 MHz and 160 MHz VHT support for IBSS/mesh * fixed SIGNAL_POLL in IBSS and mesh cases * added an option to abort an ongoing scan (used to speed up connection and can also be done with the new ABORT_SCAN command) * TLS client - do not verify CA certificates when ca_cert is not specified - support validating server certificate hash - support SHA384 and SHA512 hashes - add signature_algorithms extension into ClientHello - support TLS v1.2 signature algorithm with SHA384 and SHA512 - support server certificate probing - allow specific TLS versions to be disabled with phase2 parameter - support extKeyUsage - support PKCS #5 v2.0 PBES2 - support PKCS #5 with PKCS #12 style key decryption - minimal support for PKCS #12 - support OCSP stapling (including ocsp_multi) * OpenSSL - support OpenSSL 1.1 API changes - drop support for OpenSSL 0.9.8 - drop support for OpenSSL 1.0.0 * added support for multiple schedule scan plans (sched_scan_plans) * added support for external server certificate chain validation (tls_ext_cert_check=1 in the network profile phase1 parameter) * made phase2 parser more strict about correct use of auth= and autheap= values * improved GAS offchannel operations with comeback request * added SIGNAL_MONITOR command to request signal strength monitoring events * added command for retrieving HS 2.0 icons with in-memory storage (REQ_HS20_ICON, GET_HS20_ICON, DEL_HS20_ICON commands and RX-HS20-ICON event) * enabled ACS support for AP mode operations with wpa_supplicant * EAP-PEAP: fixed interoperability issue with Windows 2012r2 server ("Invalid Compound_MAC in cryptobinding TLV") * EAP-TTLS: fixed success after fragmented final Phase 2 message * VHT: added interoperability workaround for 80+80 and 160 MHz channels * WNM: workaround for broken AP operating class behavior * added kqueue(2) support for eloop (CONFIG_ELOOP_KQUEUE) * nl80211: - add support for full station state operations - do not add NL80211_ATTR_SMPS_MODE attribute if HT is disabled - add NL80211_ATTR_PREV_BSSID with Connect command - fix IEEE 802.1X/WEP EAP reauthentication and rekeying to use unencrypted EAPOL frames * added initial MBO support; number of extensions to WNM BSS Transition Management * added support for PBSS/PCP and P2P on 60 GHz * Interworking: add credential realm to EAP-TLS identity * fixed EAPOL-Key Request Secure bit to be 1 if PTK is set * HS 2.0: add support for configuring frame filters * added POLL_STA command to check connectivity in AP mode * added initial functionality for location related operations * started to ignore pmf=1/2 parameter for non-RSN networks * added wps_disabled=1 network profile parameter to allow AP mode to be started without enabling WPS * wpa_cli: added action script support for AP-ENABLED and AP-DISABLED events * improved Public Action frame addressing - add gas_address3 configuration parameter to control Address 3 behavior * number of small fixes - wpa_supplicant-dump-certificate-as-PEM-in-debug-mode.diff: dump x509 certificates from remote radius server in debug mode in WPA-EAP.- Remove support for <12.3 as we are unresolvable there anyway - Use qt5 on 13.2 if someone pulls this package in - Convert to pkgconfig dependencies over the devel pkgs - Use the %qmake5 macro to build the qt5 gui- add After=dbus.service to prevent too early shutdown (bnc#963652)- Revert CONFIG_ELOOP_EPOLL=y, it is broken in combination with CONFIG_DBUS=yes.- spec: Compile the GUI against QT5 in 13.2 and later.- Previous update did not include version 2.5 tarball or changed the version number in spec, only the changelog and removed patches. - config: set CONFIG_NO_RANDOM_POOL=y, we have a reliable· random number generator by using /dev/urandom, no need to keep an internal random number pool which draws entropy from /dev/random. - config: prefer using epoll(7) instead of select(2) by setting CONFIG_ELOOP_EPOLL=y - wpa_supplicant-getrandom.patch: Prefer to use the getrandom(2) system call to collect entropy. if it is not present disable buffering when reading /dev/urandom, otherwise each os_get_random() call will request BUFSIZ of entropy instead of the few needed bytes.- add aliases for both provided dbus names to avoid systemd stopping the service when switching runlevels (boo#966535)- removed obsolete security patches: * 0001-P2P-Validate-SSID-element-length-before-copying-it-C.patch * 0001-WPS-Fix-HTTP-chunked-transfer-encoding-parser.patch * 0001-AP-WMM-Fix-integer-underflow-in-WMM-Action-frame-par.patch * 0001-EAP-pwd-peer-Fix-payload-length-validation-for-Commi.patch * wpa_s-D-Bus-Fix-operations-when-P2P-management-interface-is-used.patch * 0002-EAP-pwd-server-Fix-payload-length-validation-for-Com.patch * 0003-EAP-pwd-peer-Fix-Total-Length-parsing-for-fragment-r.patch * 0004-EAP-pwd-server-Fix-Total-Length-parsing-for-fragment.patch * 0005-EAP-pwd-peer-Fix-asymmetric-fragmentation-behavior.patch - Update to upstream release 2.5 * fixed P2P validation of SSID element length before copying it [http://w1.fi/security/2015-1/] (CVE-2015-1863) * fixed WPS UPnP vulnerability with HTTP chunked transfer encoding [http://w1.fi/security/2015-2/] (CVE-2015-4141) * fixed WMM Action frame parser (AP mode) [http://w1.fi/security/2015-3/] (CVE-2015-4142) * fixed EAP-pwd peer missing payload length validation [http://w1.fi/security/2015-4/] (CVE-2015-4143, CVE-2015-4144, CVE-2015-4145, CVE-2015-4146) * fixed validation of WPS and P2P NFC NDEF record payload length [http://w1.fi/security/2015-5/] (CVE-2015-8041) * nl80211: - added VHT configuration for IBSS - fixed vendor command handling to check OUI properly - allow driver-based roaming to change ESS * added AVG_BEACON_RSSI to SIGNAL_POLL output * wpa_cli: added tab completion for number of commands * removed unmaintained and not yet completed SChannel/CryptoAPI support * modified Extended Capabilities element use in Probe Request frames to include all cases if any of the values are non-zero * added support for dynamically creating/removing a virtual interface with interface_add/interface_remove * added support for hashed password (NtHash) in EAP-pwd peer * added support for memory-only PSK/passphrase (mem_only_psk=1 and CTRL-REQ/RSP-PSK_PASSPHRASE) * P2P - optimize scan frequencies list when re-joining a persistent group - fixed number of sequences with nl80211 P2P Device interface - added operating class 125 for P2P use cases (this allows 5 GHz channels 161 and 169 to be used if they are enabled in the current regulatory domain) - number of fixes to P2PS functionality - do not allow 40 MHz co-ex PRI/SEC switch to force MCC - extended support for preferred channel listing * D-Bus: - fixed WPS property of fi.w1.wpa_supplicant1.BSS interface - fixed PresenceRequest to use group interface - added new signals: FindStopped, WPS pbc-overlap, GroupFormationFailure, WPS timeout, InvitationReceived - added new methods: WPS Cancel, P2P Cancel, Reconnect, RemoveClient - added manufacturer info * added EAP-EKE peer support for deriving Session-Id * added wps_priority configuration parameter to set the default priority for all network profiles added by WPS * added support to request a scan with specific SSIDs with the SCAN command (optional "ssid " arguments) * removed support for WEP40/WEP104 as a group cipher with WPA/WPA2 * fixed SAE group selection in an error case * modified SAE routines to be more robust and PWE generation to be stronger against timing attacks * added support for Brainpool Elliptic Curves with SAE * added support for CCMP-256 and GCMP-256 as group ciphers with FT * fixed BSS selection based on estimated throughput * added option to disable TLSv1.0 with OpenSSL (phase1="tls_disable_tlsv1_0=1") * added Fast Session Transfer (FST) module * fixed OpenSSL PKCS#12 extra certificate handling * fixed key derivation for Suite B 192-bit AKM (this breaks compatibility with the earlier version) * added RSN IE to Mesh Peering Open/Confirm frames * number of small fixes- added patch for bnc#930077 CVE-2015-4141 0001-AP-WMM-Fix-integer-underflow-in-WMM-Action-frame-par.patch - added patch for bnc#930078 CVE-2015-4142 0001-WPS-Fix-HTTP-chunked-transfer-encoding-parser.patch - added patches for bnc#930079 CVE-2015-4143 0001-EAP-pwd-peer-Fix-payload-length-validation-for-Commi.patch 0002-EAP-pwd-server-Fix-payload-length-validation-for-Com.patch 0003-EAP-pwd-peer-Fix-Total-Length-parsing-for-fragment-r.patch 0004-EAP-pwd-server-Fix-Total-Length-parsing-for-fragment.patch 0005-EAP-pwd-peer-Fix-asymmetric-fragmentation-behavior.patch- Add wpa_s-D-Bus-Fix-operations-when-P2P-management-interface-is-used.patch Fix Segmentation fault in wpa_supplicant. Patch taken from upstream master git (arch#44740).- 0001-P2P-Validate-SSID-element-length-before-copying-it-C.patch Fix CVE-2015-1863, memcpy overflow. - wpa_supplicant-alloc_size.patch: annotate two wrappers with attribute alloc_size, which may help warning us of bugs such as the above.- Delete wpa_priv and eapol_test man pages, these are disabled in config - Move wpa_gui man page to gui package- Update to 2.4 * allow OpenSSL cipher configuration to be set for internal EAP server (openssl_ciphers parameter) * fixed number of small issues based on hwsim test case failures and static analyzer reports * P2P: - add new=<0/1> flag to P2P-DEVICE-FOUND events - add passive channels in invitation response from P2P Client - enable nl80211 P2P_DEVICE support by default - fix regresssion in disallow_freq preventing search on social channels - fix regressions in P2P SD query processing - try to re-invite with social operating channel if no common channels in invitation - allow cross connection on parent interface (this fixes number of use cases with nl80211) - add support for P2P services (P2PS) - add p2p_go_ctwindow configuration parameter to allow GO CTWindow to be configured * increase postponing of EAPOL-Start by one second with AP/GO that supports WPS 2.0 (this makes it less likely to trigger extra roundtrip of identity frames) * add support for PMKSA caching with SAE * add support for control mesh BSS (IEEE 802.11s) operations * fixed number of issues with D-Bus P2P commands * fixed regression in ap_scan=2 special case for WPS * fixed macsec_validate configuration * add a workaround for incorrectly behaving APs that try to use EAPOL-Key descriptor version 3 when the station supports PMF even if PMF is not enabled on the AP * allow TLS v1.1 and v1.2 to be negotiated by default; previous behavior of disabling these can be configured to work around issues with broken servers with phase1="tls_disable_tlsv1_1=1 tls_disable_tlsv1_2=1" * add support for Suite B (128-bit and 192-bit level) key management and cipher suites * add WMM-AC support (WMM_AC_ADDTS/WMM_AC_DELTS) * improved BSS Transition Management processing * add support for neighbor report * add support for link measurement * fixed expiration of BSS entry with all-zeros BSSID * add optional LAST_ID=x argument to LIST_NETWORK to allow all configured networks to be listed even with huge number of network profiles * add support for EAP Re-Authentication Protocol (ERP) * fixed EAP-IKEv2 fragmentation reassembly * improved PKCS#11 configuration for OpenSSL * set stdout to be line-buffered * add TDLS channel switch configuration * add support for MAC address randomization in scans with nl80211 * enable HT for IBSS if supported by the driver * add BSSID black and white lists (bssid_blacklist, bssid_whitelist) * add support for domain_suffix_match with GnuTLS * add OCSP stapling client support with GnuTLS * include peer certificate in EAP events even without a separate probe operation; old behavior can be restored with cert_in_cb=0 * add peer ceritficate alt subject name to EAP events (CTRL-EVENT-EAP-PEER-ALT) * add domain_match network profile parameter (similar to domain_suffix_match, but full match is required) * enable AP/GO mode HT Tx STBC automatically based on driver support * add ANQP-QUERY-DONE event to provide information on ANQP parsing status * allow passive scanning to be forced with passive_scan=1 * add a workaround for Linux packet socket behavior when interface is in bridge * increase 5 GHz band preference in BSS selection (estimate SNR, if info not available from driver; estimate maximum throughput based on common HT/VHT/specific TX rate support) * add INTERWORKING_ADD_NETWORK ctrl_iface command; this can be used to implement Interworking network selection behavior in upper layers software components * add optional reassoc_same_bss_optim=1 (disabled by default) optimization to avoid unnecessary Authentication frame exchange * extend TDLS frame padding workaround to cover all packets * allow wpa_supplicant to recover nl80211 functionality if the cfg80211 module gets removed and reloaded without restarting wpa_supplicant * allow hostapd DFS implementation to be used in wpa_supplicant AP mode- Update to 2.3 * fixed number of minor issues identified in static analyzer warnings * fixed wfd_dev_info to be more careful and not read beyond the buffer when parsing invalid information for P2P-DEVICE-FOUND * extended P2P and GAS query operations to support drivers that have maximum remain-on-channel time below 1000 ms (500 ms is the current minimum supported value) * added p2p_search_delay parameter to make the default p2p_find delay configurable * improved P2P operating channel selection for various multi-channel concurrency cases * fixed some TDLS failure cases to clean up driver state * fixed dynamic interface addition cases with nl80211 to avoid adding ifindex values to incorrect interface to skip foreign interface events properly * added TDLS workaround for some APs that may add extra data to the end of a short frame * fixed EAP-AKA' message parser with multiple AT_KDF attributes * added configuration option (p2p_passphrase_len) to allow longer passphrases to be generated for P2P groups * fixed IBSS channel configuration in some corner cases * improved HT/VHT/QoS parameter setup for TDLS * modified D-Bus interface for P2P peers/groups * started to use constant time comparison for various password and hash values to reduce possibility of any externally measurable timing differences * extended explicit clearing of freed memory and expired keys to avoid keeping private data in memory longer than necessary * added optional scan_id parameter to the SCAN command to allow manual scan requests for active scans for specific configured SSIDs * fixed CTRL-EVENT-REGDOM-CHANGE event init parameter value * added option to set Hotspot 2.0 Rel 2 update_identifier in network configuration to support external configuration * modified Android PNO functionality to send Probe Request frames only for hidden SSIDs (based on scan_ssid=1) * added generic mechanism for adding vendor elements into frames at runtime (VENDOR_ELEM_ADD, VENDOR_ELEM_GET, VENDOR_ELEM_REMOVE) * added fields to show unrecognized vendor elements in P2P_PEER * removed EAP-TTLS/MSCHAPv2 interoperability workaround so that MS-CHAP2-Success is required to be present regardless of eap_workaround configuration * modified EAP fast session resumption to allow results to be used only with the same network block that generated them * extended freq_list configuration to apply for sched_scan as well as normal scan * modified WPS to merge mixed-WPA/WPA2 credentials from a single session * fixed nl80211/RTM_DELLINK processing when a P2P GO interface is removed from a bridge * fixed number of small P2P issues to make negotiations more robust in corner cases * added experimental support for using temporary, random local MAC address (mac_addr and preassoc_mac_addr parameters); this is disabled by default (i.e., previous behavior of using permanent address is maintained if configuration is not changed) * added D-Bus interface for setting/clearing WFD IEs * fixed TDLS AID configuration for VHT * modified -m configuration file to be used only for the P2P non-netdev management device and do not load this for the default station interface or load the station interface configuration for the P2P management interface * fixed external MAC address changes while wpa_supplicant is running * started to enable HT (if supported by the driver) for IBSS * fixed wpa_cli action script execution to use more robust mechanism (CVE-2014-3686)s390zl33 17418901492.10-150600.7.6.12.10-150600.7.6.1wpa_guiwpa_gui.8.gz/usr/sbin//usr/share/man/man8/-fmessage-length=0 -grecord-gcc-switches -O2 -Wall -D_FORTIFY_SOURCE=2 -fstack-protector-strong -funwind-tables -fasynchronous-unwind-tables -fstack-clash-protection -gobs://build.suse.de/SUSE:Maintenance:37861/SUSE_SLE-15-SP6_Update/9b432eb1227ff88675139bcb07b9c311-wpa_supplicant.SUSE_SLE-15-SP6_Updatedrpmxz5s390x-suse-linuxELF 64-bit MSB shared object, IBM S/390, version 1 (SYSV), dynamically linked, interpreter /lib/ld64.so.1, for GNU/Linux 3.2.0, BuildID[sha1]=d1148925d3f37e0b3d7f49e3ca494616c5584145, strippedtroff or preprocessor input, ASCII text (gzip compressed data, max compression, from Unix)RRRRRRRR R RR R RRRRRR Rl;v5^Dutf-832292edfb837bfb1842856b0f77dd21e8435bcd3bfbadb3b565fd27fd15cbf64? 7zXZ !t/&>]"k%}RUJzx+P]8\Q.|~S G Fu&d3I-U],.ϡ\e'73MyeM&GWnoU[ uP}dC;N> :ǽ,9Hf~ r+e`%-8&wS:(RC M (1sC [u>se{ bΝj"j+u 8ZBX};Ba6]iYݷ)Y8I &S } Du h0 E0uڬEhC^CM yu+`y )5s`5WˀQnVe|zU :J.%t>E8X?pod{S"v: fo>!DK*=4@{tx4#\ H!#%B֋hf7DFK}G7c嫽8rئ=s i+  Sn=ozU Zq6U:cQ<˦SN8@N$ ݂d8m_9s98{ b!'{Ycҋ&^>w:C#dFSImΓRh~^ R҅RN%*Tۤ(ر\ad;W?B=2^f7@Gʙ_b0be+>00n9ok7J8*r2{ t[Ow#!\6ׇ65;z:j]%tCdU=s7ğ騚:ݳ/iJpe`n`zoɦ}\|G˖ *ycn)utYF~7kYc Ybw^pSgvFbRBa)xX X-7ŠV}^VZ-AFG"3'W+!2*H5l`5x]2f^k;f*cx 3WB)o g%wƯ7T)_"lh;2Dce`q#MB;Zup (kTv[N,lp1/UxڀvvIsF^k^ W u"h aLI-,;wufOBO1` )j$3'T`ޥOq;Dm }Kn"1WF.4[0xhsI4, gsͮ3<.aqM$Z`?g`C|?iHW,Yz /O6rrf9K&JKcek^%HRH8@o9pp)gyuëC/5+A>gcErw~fdh؃פQvRjB}`]9Ms^fz5)yWѭ^$ʘR\8Nf mN+sV۳-| 퉛.A7Ņ:9j&V*>kI;W6sJ}@ʱxF>DT nFś[?&jHWrBCQx$<=Wo{Fx}͠MN` 8r>eE{tC7r酥壚 FR} P9s =L\ٽv٪HYTV U#5 q:l捆>*@/>'[(76;i8\Yolq9"Ҋuv38cjCtnE.+Q%j'IQ"e DX)F/!(5 =;+lO Sg3@c:A =-=-~O0HG{ '̡Aߐm|y>`$iިfBdU M85=ٕG9͇GṃGkj:d!2/omeLN&21s>[ 2=f:BM VhZ nO Y46N[LaM!^Z73 8PNT [kUh?Ry41.XaFĕ_QlL:1Ě[TmeJDT@X$ŰE{=Hy-D6j=yZsl-R'm._7zceE;Ň忉aXԀ[]oW>}%,>z|L׌l)A="t2d32ⅉ4׼Q&NfԜ\̫-*wZ <$%?Uwԟ2(Q9d7rZV.:eFWڕ;A{'_L!ẁ3B^0 0%LG܊PJ 3pQg4x#n<1K/='E9d6\$[hP̖:(|D-*}LE# J 'gU,ݍ/nIX$E!4yF?4VHJZtӻnTw_̏wK]91_Vuh 9$ =_QIْ;e f VtߩѨ\*붻yx[UAS:WmIt@oߢs%]YwZW89O3˶R7@`;}NTC#*pT[.9vy=LnzFjw~Sx䤐h &V!Fn *? on 4SQft>Dݼ`eaiC+7[Etau-Rh_Iޤ粂,'{++)52xHTMJf+7Ҁ=))ӄ a zxJ7u/sB3U#s2Y~LaL%J"Z.3@ {[x~L;qUQ5ZM_#Qbj_DysL)y`/+:TSmo/?>l'jRmj ʜswYRd( C3/oJ#fbLaN0+ɏ3sјP^OMZ?nhAV@ž !(;ai# \95ɕ>GKYk pmd˨"b'C EWЊHRlxHj;]u#bm!0iYHr04+"e&ItWDSU#`$kPqDHcQ8TΈR{ $w.+Cx&jN %G@y .fֳsи[RQᕜ{_WG3t(A"u|Lk2?Ť`rlM iz%|@Se>x0_$M]Wgd#^uplP$b[|U6+w7 %\֏-ۃ ï̀'Ҕ> 'uNN dem>p]e+G/&/{cc F%>_kp Ĥ8@]l8R  n1\9$XD]>]1Ůy*?fItooZ?b+!#'X"*E)b(A8ײa'$)eضOϟrD.rpwp vu #'{eώAt$U4 M_I:]\=t[ZQˠHju:9?e=tVkvgE/cfռǜ W& QM rm_-;R m 1.-R^RC }j3GH[D6 totO:Tg9ջ6=Ykp}ReR_Gbk\qA ǀ(%*żqXN#Q|YavQ@;(Q}oҹuoJ]~Α>S8 q?-slVt 95> ۥTkB  dqu϶ CoiL{¯EH9Bg'mj?W>Dӷ=_G{߭Z7^{mV]K'Ь4NW\ NsW!kv`+[ Xa{o 'I z.\S/ Ȧ(ZK*.ZJ2[/mf962IoW߭hyz |A̕r8,3 7U9Pkw3I55NyI"x\/ؠ.o24zeR0YCnx'mWoۓ5Z f{À n 'p]+oa,7j:C1g2cAK4'e娢 KE&X.R_b]MfXm-&NP|AC*`׭=?W kfhxS26)$20`6dQS(Wy4!6R:'jXb$,Yp]qn`S_t*sQll}ͼN䏉jȥo }ӱ|]݆'[jOQ.w)*88sgQa GWJA5,h>bn8Hp4=I/9QO{~_ ^h^564>157&uCǐ8AuP/*uby+fsy\VBKf]s׋Kz6M餁T`CZK$'0laq[Nj ;&N24ŕkP|./o{+}u4|֧%T~"ю~$T!ԁTGm9Л**ʏ<TaW u.eYsӑ m8Dv-a)PFaLiU \ʡK.pЁ1h(ʕf~ .4F #ꛚ1ZmjPl]bkKPhdVUS؄Ϳ[d c%$p1ϲ=g]T @[v;$`0ǀX5NSy_0)9M&e:"nR` #/;lxSum@ {~NIBNlm~ຽ;{5<;!~e2K|#_r{F`->j7 뗆<'N;d֐9wO7)sG躣PGvhj'm(@C6ZM <╰x$;@_]rŸgnwֆȧE/ 0yy E Hg6baSuG{Vd&=XM!/4g#1>Om `v7o}ԎЈ陋+͏C2YE2i_LS j#,@^ hG‡dEiO(xDH}P\MXM*D('*0/ct"Zz ՕG%{uxjnv૓اa)U1w;>D1ZJ!raG)e$h/#\E+9ms % %axzܡ6/dzwrQ2_18iBR+Ubw`ƞKh˼)_ZX>ƦvILF8kSIcp@}rqyGX9__sӡW U 5 n[Ɛ|=O2楱4k>VfjgCHg; \^濾))qQ$#hvp9ysɊMmOr~^঺\$AH4j+O]T~}!w~$',,Xp^1"FufQ=[9`a,hcv!6*7v j}Bt2G ΀{Wf՟=S?:&|MYSsוn J(t:S/I5[*EopR_,04rUHԾlv sZT.E1K1+/W끷 /|=r@p3Vut9٤pmղYW\_x5 Ac^< [(lʖ&zR|Q=5ϳUնg(|\.\*3Dz)en ω~pnh8_K2S0ӻ(ˆڛN ~&@\I0IahTadz:Ƶ2Y5 ,Q톪5TsxΣ易HhFdƿ 735vXn>D:ć0.3 HA8T^9Z]ܫJXiȻ 5,RդMXrFA<ϙM(H&Zzm&wai~1[ytc)`̥iVqfUx7oJZ.S_qo dq"UAS4r3tŠG3i .oŘ]Cq+Hd ;* %I3*1{QTZ꿊SbqGMYV,I'nRf䆊N,||z1[BӥCi"IR\saXdYߥ @'0s CS,o=B =L>sٸc4 D>1سܰ/",gڳѼNl'4sb=_a-F-Y&W]\q& cRGzk6:A&m >1P{Exs`rŠdZxAKwD9r/T?w_t dƘZbJ7t_QեBG0_b|Nz]mi6vꟘ.Z nuf3&NrDS :g jޫXMHNAU1VQZr:|%Eqg Y7^wH~No{<ϜW#{Xcາ Ms\AVZjߓь8ˁƗ3GJпMuΕA6Xte"[; ËE ~[T I :3](Ƴ4i(qv܎ d2(.ԡ5P@!\-=$nw'qfI%5䳂OFP I,ѕI&ںngwPNiF=Bgd4;Zvv^ˍ Joۆ̆ǏcۑrT?@w%Kpk4P?WgI"" iO 4?l=7LuX1(" YNḦ́ơ#U*@q7 l֛u=(MpTC/_[Ʉߏ)QaL>~AN\imgML7K g7/S|,aI Dw r\dEL&JBBAgeC7zk9rw.`uKwӓm\D[?EBL Ї[S5g'eVg|U(Z~<"Z[~IɢLg5o^5Dsi35FJDRrp,"A}l:GS`Ù{ w1]0rAKϛ;E%ަ)r +`g-x/~`XfEN5aaDZ&[1l{Jf.3(]>Nx]2PWC/T.o,ivV,Lu1KK\|RbS J˘hʤѝRCc=%qQGBI>p2{udKIfu9#[a?S#?gEu&ⱪΛi78_w$z-qQ0M%R.ݵ\# eS06e1xQ*/Z(=6].&> -~XuEB80g{\}ʯ8Pg΄'THQt39 YәkÒ.訵#j(8cfK##eKFU Wnxq© 7'z[ WJ+JyyQe¨[(y+")1RaۊUA~ F$.k{pUM dp R+* Y_@л.* 䌥wV#sa55xCb_#lo)jLM l4jvUyD5@Jv/W7FU8Y kޜ!|!8XrfCQD D9<؇BH~kO÷Z6)sKG&DsVJ$G[9->(lz)|$@~iX`?|H4 q"o7JP܀\R0<:;a᳜&ӗBkQ NX P޵&?r }mD9񈴏pr 2Wp9NgyX\;jɺ<#Ʀh=0\'"AÑEmX<;j8 \Ze?]ry8Pz{|qaZ7ĽF}4DŽO!? TJ@ <ځ^ nQ ;(\vYb!xk)Crr"t2 ]髼Q:B-S0"ec>H4F;;-e(W#^X5մ*\E 9H࿍1h3BXifowA A DI6v^,kvrUj͆,ze66V4A:U1^TtyyMO;aGFՂAt[HJɲ4)ndř ַKL2qg6*10Qd(/+w:mts4Xn)ol7:J-C 'o",3X@`;d"< #30"s7Z<&}RPIiOÞ14EA .94ٮu3/l¢nGM lnƬ/l56a"&p8|]?#Tg4b~꠩x(PP-5C0Fx#iL7!nF Va{`xe @dk&%8;.94ZIlic*׬I_Ж T-;+;' 'PDtӐ"| uA.:BPyc3Mg&̗;mSYg߉y~^1~ _יڵ׃4MؠH@t$8 _ ſIRe傧pmi A38<Ź<|b Iu9z>2 WQ&Hۘ\g"d~Oőt2^f.3ĹAtx_ ' (~q)CAiiIUW\ٺU\(З가ALSHemgjzmBOiSM X}IقF &υK99:1<%0Y/VWocf&O ef0}t,6{&YFFTdПHav%, TO(I6b [L<tnc`3mP|&,_ʺ(MW\c"  o ji&h1M_*8d\4*D .7Uc6lؕwیzK x$OUL@E3=M顇D3.{ud )ߎDzI]W3'Ћi՝Be ZI* J˛D.g;Zx Ì' <.bAM C"ҭ쁇@9YΩ!zGC(7q}4~eǿhW̾ 9ox+ݺgՃܛbo/IfUw<[~Sp1vlŐIZ3VvuLLG0<\e--y a-M dTw ~fTCh0ځ!!nE;cjMP)?ɑ9~r=ǸPXExmO\[(- 'PP@=Ծo!^7srƣk6)nuv/ 4rHLِTb tx\H ԘF PLb|2xZ]C&и)Лgh9xWu=>o&W-.rB0Vƥ ;g rP@W88pd@ ,w#[ UGi;xTMT|C {l.J嵌o fh%J,w1ןxqc;ǙH=VDž؟50mwJ`)2 2s9;R|.:m9UdW#p)Aڋ< *$3.X9S^ 4,MF-pGFc Py=S[ր63B6"4( qu`q>3%Mw29edfwb$XYDH7&.7 6Gk bۚ (agƦh2$@~2+mmR h9{j"?AvUD3bW! Ì N+h Vnk:mW3HRm2L[^mۋyA`~` F:X[iBBKA>p9: lDj1)Lky"q j/ ȥ΃%9bB)T3l 9-O0M%& |N'?&:]-O'#evE/Ha?3Mv`mqxRSz;J;L yUCT$f٦irtZmw[J6fIy\zF ?@䆿,7Ȫoz2"׭| l Ex-sl7e` %K lUn,/r"Ҿǧΐ"d,U XI[ku;(Nt]:fzR9'QpT]|,BpTܡ"Q^DB|1}78|HWNMR: ӈMϣ_8C^XNuXx˼ _qo./sgE gA%'ȑ?7xzye@*23օx=կ um_7jQuDGi+}<*iɜ5aX%8PBSV$=Ojtщܰee(6QNNİ!OR7,E;ƚ4抎-놟_"Q*TC ;EA{D w]`|ERtm3HwN V5r噇4%6 R#GVCV=8=Sn-NNG݁)ڑ,E ;ujMADsi`ZL~h0B'ۓ2z \{wDeWul\I4tK>T}͟k0^3Jv gx;pfC~宲Ҭ֦0,;y3c 0V/P9ɴȡ/EnɺթX%p2gٿby(b< T c|:[24膠Gy|0?ĺp46w6n$yڂ*Zu/D7~|\?wJ 4 MLwhA5È(/*vdSt}xGP*4ȧbBx]A40oCnaL3xVR 87hL9ag:ϐy;,`@Vd!3}*pHw( .؟ɹا9lBs] .tZ 2< ѽFbڀW3NG|8Ґ!%8 i/[ +h|3$4pq%Q4&or8!#ʏ0,uCaTjPS>^JÍ-RUނ>P?Fk-1o#uS(fFE&]) k#x'}81m^!#lopn3B3÷IG~+@B؄͹51F7!Ӣ{Q'nafr!ʂY6d?7,+.0Ɉ  $_ůL«Ao=eNTwDֹ܌s>惬^]@*vkGI(IS_&R(VlTm4 G,+{7>vPv|\l¨8]S4/ŋGZX%#k]E]&$C([٠|6 EªQc#Npnj>@=#|~b8:`{/r նiEƣ^E K@ wt[L5+ǎ^\ģY@MP3!H-0JT%^?9DV>!MH.lDJ)_1s8 n0];3d8up8W4 %Y B32L>"kHT  8~Ӣ*VyL}.9Rè;f̨:a^&; ۨeLM}#&PbRbmۧvYPۿԴ4li(O5M:c-RB ז\cVH ą+%bc<bN |./Vvo8 EFsGK,fc1ḪVˊ;|c^X9ȀF֔)ٓK~j LpB*j"nn܍:s݉"V&eJ\!J@Lb&G"`H&ٱ/Nv⨴jfXF-3(xԏ6YpVPsHF.s{~k{h+zmO37=uFZ fFA=T0{(5Ьv֌MNܧe$_f,|mpd6k+<,'VFs4ABH^Pʼ{22~&b{A3Ŷ=O=/+>ukZ7)wjJr|㠪[3cvgZ=F;$؜J7-ydeF `hNJ2>gۿ)?Axy=bkS\RPyDmiIz ,uO{oWe*[8(a@H'E|SS J7qH bzIaHT)mL}!ۮ7j?iv(xًn%756jSkD۝jk4,dG2C6ҖB@WsM&FU8v7)+0_.jpAS;pAi&1kc!\Ggw!4)oJmt8܁WH\ 218HoeSK Cl i/=oRQ kڣίm8sO_E֍R"RP5$V_>9oH륨/UQFb^:NcBXc=j\sR{&R9EC QԃD6(mol}|8%RJ63:ިF ˡX#I@pg)?Q5cY󱠇uŔ7/MM }h+jج+]c-\[EAbP}[~ޓcj(@P 9Z-fC IDVsfB%MwBYmrFr^ֹj5B`Gvqd|p4&sD{ X7AY\~~'sĮďkIϵŨФ^f|GxCk˜h YI{<:ҝl顫:]jT62or[M򽃴WȪQie7“z@ Zyuj_)w_ն,}re>cǧ_[0UaG.SeW>bDAM|0sOD́@F|m!=@|Gf2DR}pyb7|Ym.@ocךNaao,w+Ӡ?W^Mm&2S,"ϴ(iFd4ٛe7Hopb_e"P:GIu3f0D x[*oBɃɬGKFi%Y5- Wԋ[Yu)˜8N!m5̥3^$N9) +xJr1л{Mת=B ;BY(ʊeY#Kz>DC !mKX^whROq*v/G>,$e{qêE8Ӳ (U|hfl5FhB>?+rӖr7~ B}'*#mȡNx !ͳTG4قGr @u9];ЉW3FEj\V#F1N7SQ4*A2WyO8Q(G _&?Vu6]Y:!jD_Q) /޸Te&V,0̣64fykDk).RTn4&El|g%@цa(4!xtfZ\k8'UzWhKK O}aM)^^i3FQeZzxx+:%wf"% ba 63{b^$3+Ȇw[l tCjÎ8G\{ /G`,.h_̏`*9YQz( KC]^Hu)h ^R؈N܌sQ}Hq]Ҩ閪\g:}Fٲh6<Մ>E㍊Tё0m:j&{!6eM Q$M }XJo<7ͥ]1=RM c5`05@sGms_@;@O%+#n~ޠF_7 2[eR45'WS &sk=nYS ;fBoғDtH. 6YĄKLz]yC-tIRP6*1Jx.YUCEۉ/Td^薲^S\oqO4=ΌO<mg4g*i2Axs @xJz&d1+)5(6'c*ur Qvپa;f9b` T!&!KK8-=x7%!tpR{ĄO@tjK Uq~* 8V9u 3}Dզa805#6Nf̿oԘ@Vk?sx7A׆r"@OZ-rSrL:ik,8.V~27P,Jsҧٗժtg՘rGCrTњ{ݢPԌ ^;F>iS}R~as*4F-Pke އ]d,[LJQ7 & vl@ƛ=@Ix"Xm'Hb^SE \Yud8WἿy߀}Ƴ*?qfGV?ZZrHF JPK2,SďعN?5H7Wu()9x9#` X(Z)J~r (HE"s\oFN@w|LID=!Sۅ!l9/wzqZ-IѪ/-{:i__ @Wm,Sq凤 :yh7u1Aqܬ@zmFQL{ h<ԬULaTpzUijxO1ĺ-R\V!JwM#n|M/ŲYE^J\@ 8UTTŃ2jomh:(}hjqG=Y[p#+@aKk"+! 3zm=Ͽ5Hu1| O` 0޿xA%HiVqY֔U(6D4{ $a #*~spQSf 6a  zbʨ䲻x+%xsp&7rAwۦ_'dqI{$1 ?E_|"9̀E.F!?YAhxFie"j3C% 0CQ-W$( #` D. \(> zZ mY `rqB Am\Rlg酜EP'-;NbsۡrᤃNFrx ^gyu7G9zmthmqSiQZBJ.|V~B1?"Pi K kMgXu;Y2fHmfu)~N X$gZ\y_:Bry5&]X1/i_$>8Ϭ\N LSAr(WudD%Ud  Gۃ,KkM yI~9bTlR#OXCiЮ^, @*@c3a145–D i,wzJ`RTU _QӜ:݌I|0dZb~ m0c^=.۫s)^6]>'*2R@ =rc}!6CƤ|\YMqVZ '6cX2h=}{3c=a$@m<Z{s(F΃ܠ v궸 $˕EgV^J&hxCE11mx巫kxwqG.$#r-[͔O0o6={1j[Gو5R1p`KI {ZE`l#XcGvjoXcϾXc ṅ"ٛBeKd5|do -ddr`0D"&I/a"p+QD6b"MsM{,HÝiVϜ;qE {ceswP- 7A RۡF{eK2sͺO. ʲ5s &![~  !4z\) "U3S}!o2N\B%HR1ؽ+! xL&j2py>?s#ʵq 7!VpP=#<- 5IqyPDȂ[͔M}D]j,l1Ye`|_<:GSG~']TZ'ұ؇MޤzB煎_ٳ5pd]J`F&Ar/A AbD)5HxbJw1t0yw7yu~k/4_s i9 }4/rQ\0oSvg_k{"=Y XU!־T:ՀK9 B:h;d$tM=pa^@?ULA|JT'q@TEdB|63R¤4TXCdvNj09y ÂzщὋIsD&`@uo%wS .oG':b2A=O1pz#r!,aU]s>oʾgEc@OU'cuGIWm2ׅsBՊ$FJ;9&{Ǧe:LgR*iOf(iP[Ũô4yǧBWml5 tKRCb]_D\>txF_Q'*Q>Adp}}> ]xl]k$KIQX `66μШ񞌐_GfX6hlέfK.xsI2\(B8dz+Tn#+e@K)15H(:ǕHQ-6QOy iZҟbIzc4Pn4 0jf 5}\GH&XEK-+rͬd_]j"c%/GVVYTHPT""*h?}4-}pUc29U2A{!aR((趾qM5iI,j̚ȧ#TyqHKSiUB ή[l^]!Fe1dw\1J?|+CjZ+!߮G]wZkYVrt/[Jqh$.*WXiūv:o `ȓ3VJ,W1ՂFA"4RQ+`ީve ůf0(jOyO\;+bv% d-5VR4f&4h]jxP rl lлH vzMeGĎy^yX[\+AeL5@r Paff!~2.8['8ۉSa ukWx(iۢn0"?w%fAȪ?(BAghbl*ai4j.lLTTn$\s ̣LP̺LnV{L9#@Oic.pn%Q FP#9y3C<:Eƚb>cE10eC _҄>(g`5FKV |Ht.gbɌ۟-*AIZ _O,(MH\peS>Ĥ9C݊(]=hC6Hj̰d%\TlҬ}Gd))z\ww՜KJF,uq.}xw4Mu D5|Ġ:Q5RՍ'9mJHκǶ>7]_ q`xźK&ށBU; N7K>c⡱TϷ&!Pgp&>nsGlzs6M]bFʷXB,cz܋_vU皧kmGre|e?K Af"@l:]'zXp[ʼpw;c^>˕U T硜s ^]'`-BTZm:K< Ⱥ*,U`ncMex0((HJϸ8V {$&2@%5u$/σBԮCoB@}!j"Ŀ dEW d,s% J-ZQrO)R($ /Х#5nR۪&0e/!_ *3 BfG۱fd;2@խH)>9_)p,Dl?0ac3(?uf^!ˌK7Xln P/!bkQ*@Dd-^6A q=Q] #רmUutg 涫&GQ:spC=ǒ}ڛg]oKpXSayhLh | ; W9k^\9E$!^[t@׀ 1޾; 롣pm"-oZd(&)z1ӴԈ8h:ȉN1@lJp܏\m!Y]x(|,zB~7n6 C31(C2 梛c>$u3H`՗m["Nkvs#.eg~6t`.6hGaM?l|fSFgzHPcBwCvW$TTi\+6%!BW{WypG#' &-x D30`֑:򷠭WNQ*f 3ǐ+[=x;yfe&yT/0п>N6ͲR>~V $k1/~;> ] O$[r§'DK…{)r|~!zo񐷫[+1) WعB`SѴ@*9 Gt.jԀ&k(}NFάCp7!5t~Mpv?MTֳLUԊSjm ZEcltuTcao)#A] l\G8~xOǎ҄1Y9BX6sBJ.巷!8;L5[N9D(Ft,CK%r,j9wx)% { )V}\\`$H{&w*WKsJ@6 n_R!re6 vXAN&e`X vǼzMIb6 FgL +G@}h7_]m~6NՂL *4e(TCDWH2*lsq]@[R "s)ROR򮹳+ $3 V}O`4=63 zoT_lF+7aZꒄB)zˌ8 $|\roXl}F"1Z>;xm@IV0kq wSo~Sk|w \|}vtLwTxGHLWxy>}Mɳ\yI<凿g$ٚ>--ŝW%pY^mdy}h)|!/v2dނA;C+i" _O qM3^Y"4I% ۪0;M7yEg%pڷU6Բz{yȥS|iG(tKwm]KuoVuQ%-Bz$x]>)P a7p'=Lj*]g{p.>409+FUlUzw #IUk!MNmܾT2)5XI<Cp륖o҂2# ߹{8;BJwj3.l;zOi#ݦ˽:H(zEB4BE͹IZaFbWɀF ߗg9@㚢 d_:yNAN,%bH* 2He%ƭ|u?7]\PBj4riT[ApV\dz@|kv+GBR@C/5:c~i_)s-UbQvv{]n!kU]vևfV|&-xeX"4)( Ig $F JZI6R:ED=^C!'TB5:g.u"Þ8 ĩacjR8 #`o_w(Rj]ޞD!ehA2Y¢gJS^L) Qv<,v8` ~5k&TRII+ -n=GqS4^`k{a)inDgh˕=>SM[:`y&fWQjI̼?B*|+8xfP=뜏Qת־ݤ I65t`wq.@)rJT- [;*pv&2KLjFF::,0px'>z݋TbZ rk%+Cd*t둻7IU1BȯI}(]TL,a{52ԻG^P.#ʫ%g.pR5pC)2/N"s;)E`| c`#z%d]s;'W\suAgRRICk")uje` ٻc魦0s KͲ".«6$딃/@?Axa[hU3G6WSw.hU՞8cYAXHPC&"U@%r%-6ĩAVjG]p()D㊢ЄK\rwW@ Zz-D]XȤ/MPX+qribOԗp({7E0INuZ̝d57a̯8(Aϝ/ Y[6F+sK甍.PpgۏT`Ѳ. 7NKF Mt{M-; 5WH}aPgn8zrd+~9r}VYOy*߆IGged20ޔ秀GcBQՙ/NU1d<T~eET6sr>9 #zaV=PO5z%osc+徂sebj8, -;/FShTFsN\rsJ{% R;g0 _Bc ~ʹ;K2R鋏b{ڬp/I_'t:쵅ش&Kob-\Wuz9p+ N7Ӣg>+UK|E`Se1GGZ7?Ki̳jiNVUeq]_IMk:B6\+G\sw!QE7LJsaےi\͊4Ki" '+v*a).7pBi1Fϰ!lOJ~>T|' {3A;e*FX+xgB?| ^wdR,Ȥ9s~ PV4Z'Mn ^"Rq "'dx"bNFp"s,kχ;2iu8G?ư܀<? 3"#l oD>v`!{f*r"t$%xn'7ɜ*w)3tMi&=X~C ƢTDROAtm6^sn$){;~2hٵ#ić<2x6.5ތҘ+1sP! ]OLR¤?QM@ ۄiYR qv\a^DajSfih]Bi^.G2䢕}&ãH4YqILM.6p~TbDh +_֯x_R)-yRWf#yMGi)e Γ;40eN}eF|XYۙi5`4^zƶRUG}0e:o:PWauٵSQ4@pܺ#4\̸hHןk\ O!F4pW&Mآu_&p;'Vk|gGBUT^!Y6ꟇJ*tQLWΚ6it?dB0yP̽^soPeaԶR𧛉 Pk"G*kpu_i {Re$yl ) mtpP=5/sFDE%Te;6{o ~' fe .,t&@ >j.* l)u7f $DR4^w:ՅTY(ƊU>[JR؊KE⠽Zʼ$La>{C > A0a鷐ݣR(g6Qj: hJ#VhjЅ4|kvJҕ9yXZ6<;bAJ*gQ{ij;V[~{_׻p4W"n0FV&\C=Ͷd, Q AkB6GwAx:u(RE( WIB1DUXMb*+'K\mV4|UV Uk qZ(epoC ]t r[40[x>=$J聻2@푉(-9?oY&J{Oj0n=e~ۗQVY z)wH<$ϜzAm|^rYZjx8 CW.vμ{ 9`AԖ >*>"l "KZk"d]c+_GM_ؗ5OHwiKV1t;wOڄ9n sƉK!gV0͜˔`XggJ!G)J+?)x6(Mj[|Ը}n*n/cjkqśuY> C]̪.6MPy;ro kI$R{ȉqyamHi>Z`A)VO!o+DKUgSTqNZ-\oճԃFE玖~0p[_B driB}V*7E`XǶM tvcI]D{#P)a~oׁDW.w^Z^̍SQ 5?zF4 BAH g;ELgZgܽݰM F+v&bN% (Cٛ|wn PǕ6z ')FoYqǧ-W1jLBiNPc;CJn 9D, ]2j] `*IQx9^‰/3|ʓCU3+uߌ5uZP8or"8*ns+ #{hI#X'"7Fٖ2(V:_CCi[rQ5Ľg0G#s⿼Gi=2Jg2|R\HopeZB qCwMW'fHO{p| xPWB޶~cr\ζKF>ɌS`jPzKap*wEubU RQkܳ}/g͒<"7WDh'1y߂QK >] My wڴͿsuh¥gOCt%GY1͚7˥Rd\HCoI:HoG~6AazЖNeq$e[ ..q>1\jKtҎib'GG<^d^t؞ JW&NA3<| soF`?U;6? U%Bݻ*÷56cD8Gs4FrxkJ Ǽ+MP)'vR ]aY?oPx~bye=E*5࠶/{ujʳ<σeIN1Pt݀3gʈRW'G'hu J01S{яzO%ڨ+ְAڡ :sk.HQH|@ ,z-rq2]N 63e*kiAUjؑΰ$Db'>p6/y_/GglF3h-mKN*w󭇶?o7!<:~'&6*iGekjiK7 j6&cJ.}8IחңI]I(ŕpT?eдߓ]@]GLxNcuq?Y2RwH/UJ@ЫeIsUUˊZS;V;׼tOoLWk<|6|5F<9&<۝IFB J&2e#X0#9-*@:W˼ۛ)?=y^u':{ :56aSO엣}(.otbjS4oLdn a+ ɵqz#eR tB,En_=4QYs Iʐ &U֠ ;A?3a*g+;$ηjy@CEbM%WVA/9)k9.Eͤ"X.0Xah<~ӦS_ xPptsn;¢Gk vN!-(sf>OA6?;I&J*:S?xv (LnؐءOdN81V5Lou2urqb{0ReqT:5qN(J,:k:zNcDW ]H/%ڎ4]]'uq#o\qF̑L 5 ,YDψfK# McƽTp^pq>GÌ$ SX=R(7x@ߚi PsoNkBX)cġ7ֻ^+U8=y$̂{V$i.S0̴cj,Xq[CKms,ZȘ Y $PpiWmoj]R;_w/O!p`hs$^edxA;!i8Lxtqt\p?Krt6a 4˜}4N XK_h@C{=o)X){ExHjy⁧lBV{WCH*[7vpW'vQ"Ѩ8A,G vFb88^9P+"cT:?o|C '9Q'XNfŸ`&;֫5wܞXm\xX'h5,JeM[:};be ,: EE0c_^fμLldRE YZ