apache2-utils-2.4.23-11.2>t  DH`pY`/=„NQC 6ZyCNŗQF80%}hK鞸J? ERQJ@>: ? d  / 17@,, H, , P, , ,<, ,  ,   < _( 8 9`:FuG,H8,I,XY\4,],^b=cd$e)f.l0uD,vw H,x ,y Kz Capache2-utils2.4.2311.2Apache 2 utilitiesUtilities provided by the Apache 2 Web Server project which are useful to administrators of web servers in general.Y`lamb11vopenSUSE Leap 42.3openSUSEApache-2.0http://bugs.opensuse.orgProductivity/Networking/Web/Servershttp://httpd.apache.org/linuxx86_64H" ZX9J )`) o )i J8 J0> +     Y`gY`gY`gY`gY`gY`+Y`gY`gY`gY`gY`gY`gY`gY`gY`gY`gY`gY`gY`gY`mY`gY`gY`nY`gY`nY`gUKY`nPȱY`nPȱY`nPY`nSQY`nQIO Y`nQpTh0Y`nQEY`n654d9a509903a6729e7966b416950db2c286505c4a3454282dd324a0a1723a593a4a08fe819b57297ecc06d8a34a7e97ed087a71215caf75ee6fce62d402d4ccb626a45ee93c8894b8adcb44961f744acb7a332d66b3eeecfd633adee0cbccac86d0f5eaf1a35f028da5c64f5ea19c7c4a8dccd3e97f076c437e1bdb4b1fece7ffe0691cd4b12f714dc7f1673ec6faca0b2d049eed514a0ddb481fba179722043d1f33ac1aaf0c0cc00ffbc9329156a44b806cde7b0e0c25d3cd1ad87beec26b1449c279359c98133d61d1d7a58f544fb94ae1de74e8af3d7a2e3032b7834fcc5bda307d6c063dc3048362139a1049ce50ff6bb120b72699e964f29ff3da6fdda42c33c8b587004f0da2f1c8142a16294264c4cdf958b03d882161c148bb778490b07029cba2aae0138bbfaff874639ec1805eaff54f1abcf13884bf999060c53cab46aa87e811ff3d7e7cb379b96a3452a47f8aaebda1496f559e73dd1ace8c40dfa1176811657d3f4a92422faac7871e63afeaae2275946db8a18dc400ff2e3b6ec20f37eafa980c3cdfd3ad0527d9abcheck_forensicdbmmanagehtdbmhtdigesthtpasswdlogresolvesplit-logfilelogresolve.plrotatelogssuexecab.1.gzdbmmanage.1.gzhtdbm.1.gzhtdigest.1.gzhtpasswd.1.gzlogresolve.1.gzrotatelogs.8.gzsuexec.8.gzrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootapache2-2.4.23-11.2.src.rpmapache2-utilsapache2-utils(x86-64)@@@@@@@@@@@@@@@@@@@   /bin/bash/bin/sh/usr/bin/perllibapr-1.so.0()(64bit)libaprutil-1.so.0()(64bit)libc.so.6()(64bit)libc.so.6(GLIBC_2.14)(64bit)libc.so.6(GLIBC_2.2.5)(64bit)libc.so.6(GLIBC_2.3)(64bit)libc.so.6(GLIBC_2.3.4)(64bit)libc.so.6(GLIBC_2.4)(64bit)libcrypt.so.1()(64bit)libcrypt.so.1(GLIBC_2.2.5)(64bit)libcrypto.so.1.0.0()(64bit)libm.so.6()(64bit)libm.so.6(GLIBC_2.2.5)(64bit)libpthread.so.0()(64bit)libpthread.so.0(GLIBC_2.2.5)(64bit)libssl.so.1.0.0()(64bit)rpmlib(CompressedFileNames)rpmlib(PayloadFilesHavePrefix)rpmlib(PayloadIsLzma)3.0.4-14.0-14.4.6-14.11.2YP@YI@Y1S@X @XGW@WW-@W@WF@Wpgajdos@suse.comLed kstreitova@suse.comcrrodriguez@opensuse.orgLed pgajdos@suse.compgajdos@suse.compgajdos@suse.comkstreitova@suse.compgajdos@suse.comoholecek@suse.compgajdos@suse.compgajdos@suse.compgajdos@suse.comcrrodriguez@opensuse.orgmc@suse.comlnussel@suse.decrrodriguez@opensuse.orgdraht@suse.decrrodriguez@opensuse.orgcrrodriguez@opensuse.orgfreek@opensuse.orgcrrodriguez@opensuse.orgcrrodriguez@opensuse.orgcrrodriguez@opensuse.orgcrrodriguez@opensuse.orgcrrodriguez@opensuse.orgcrrodriguez@opensuse.orgaj@suse.comcrrodriguez@opensuse.orgcrrodriguez@opensuse.orgcrrodriguez@opensuse.orgcrrodriguez@opensuse.orgmeissner@suse.comcrrodriguez@opensuse.orgcrrodriguez@opensuse.orgcrrodriguez@opensuse.orgcrrodriguez@opensuse.orgcrrodriguez@opensuse.orgcrrodriguez@opensuse.orgcrrodriguez@opensuse.orgcrrodriguez@opensuse.orgcrrodriguez@opensuse.orgmlin@suse.comcrrodriguez@opensuse.orgcrrodriguez@opensuse.orgmhrusecky@suse.czcrrodriguez@opensuse.orgcrrodriguez@opensuse.orgcrrodriguez@opensuse.orgsaschpe@suse.demeissner@suse.commeissner@suse.comdimstar@opensuse.orgadrian@suse.depoeml@cmdline.netcoolo@suse.comdraht@suse.dechris@computersalat.demeissner@suse.decoolo@suse.comdraht@suse.dedraht@suse.defcrozat@suse.comfcrozat@suse.comdraht@suse.dedraht@suse.dedraht@suse.defcrozat@suse.comcrrodriguez@opensuse.orgcrrodriguez@opensuse.orgcrrodriguez@opensuse.orgcrrodriguez@opensuse.orgcrrodriguez@opensuse.orgcrrodriguez@opensuse.orgcrrodriguez@opensuse.orgcrrodriguez@opensuse.orgcrrodriguez@opensuse.orgcrrodriguez@opensuse.orgcrrodriguez@opensuse.orglnussel@suse.dewerner@suse.delnussel@suse.depoeml@cmdline.netcristian.rodriguez@opensuse.orgpoeml@cmdline.netpoeml@cmdline.netlars@linux-schulserver.deaj@suse.depoeml@cmdline.netpoeml@cmdline.netcoolo@novell.comjengelh@medozas.depoeml@cmdline.netpoeml@cmdline.netpoeml@suse.depoeml@suse.dehvogel@suse.depoeml@suse.depoeml@suse.depoeml@suse.depoeml@suse.depoeml@suse.decrrodriguez@suse.depoeml@suse.de- security update * CVE-2017-7679 [bsc#1045060] + apache2-CVE-2017-7679.patch * CVE-2017-3169 [bsc#1045062] + apache2-CVE-2017-3169.patch * CVE-2017-3167 [bsc#1045065] + apache2-CVE-2017-3167.patch- remove /usr/bin/http2 symlink only during apache2 package uninstall, not upgrade [bsc#1041830]- gensslcert: use hostname when fqdn is too long [bsc#1035829]- security update * CVE-2016-8743 [bsc#1016715] + apache2-CVE-2016-8743.patch + apache2-CVE-2016-8743-1.patch * CVE-2016-0736 [bsc#1016712] + apache2-CVE-2016-0736.patch * CVE-2016-2161 [bsc#1016714] + apache2-CVE-2016-2161.patch - add missing copy of hcuri and hcexpr ftom the worker to the health check worker [bsc#1019380]- security update: CVE-2016-8740 [bsc#1013648] * apache2-CVE-2016-8740.patch- add NotifyAccess=all to service files [bsc#980663]- readd the support of multiple entries in APACHE_ACCESS_LOG [bsc#991032]- Add apache2-cve-2016-5387.patch to fix CVE-2016-5387. Prior to this patch, Apache would translate every header "Foo: ..." received in the HTTP request into an environment variable called $HTTP_FOO="...". While useful in general, this feature could be abused by sending specially crafted "Proxy" headers, which would result in server code running in an environment where $HTTP_PROXY points to an arbitrary, potentially hostile location. This update modifies Apache to ignore the non-standard "Proxy" header entirely so that HTTP_PROXY is never set by the server. [bnc#988488]- update to 2.4.23 to fix CVE-2016-4979 [bsc#987365] - mod_proxy_fdpass needs explicit configure line now - mod_proxy_hcheck was missing due to upstream bug - removed note about ulimits in sysconfig file [bsc#976711] - enable authnz_fcgi module- remove Alias= from [Install] of the template service [bsc#981541c#10]- updated to 2.4.20 to fix CVE-2016-1546 [bsc#980370] - removed httpd-2.4.18-missing-semicolon.patch (upstreamed) - removed httpd-2.4.17-debug-crash.patch (httpd -X does not crash anymore)- start apache services after remote-fs [bsc#978543]- backport of HttpContentLengthHeadZero and HttpExpectStrict + httpd-2.4.x-fate317766-config-control-two-protocol-options.diff (needed to be refreshed against 2.4.18)- fix build for SLE_11_SP4: + httpd-2.4.18-missing-semicolon.patch- Update to version 2.4.18 * drop 2.4.17-protocols.patch in upstream. - Change list too long to mention here see: http://www.apache.org/dist/httpd/CHANGES_2.4.18 for details.- systemd: Set TasksMax=infinity for current systemd releases. The default limit of 512 is too small and prevents the creation of new server processes. Apache has its own runtime/harcoded limits.- fix crash when for -X + httpd-2.4.17-debug-crash.patch- add a note: FollowSymLinks or SymLinksIfOwnerMatch is neccessary for RewriteRule in given dir [bnc#955701]- restart apache once after the rpm or zypper transaction [bnc#893659] - drop some old compat code from %post- 2.4.17-protocols.patch from upstream http2 module: * master conn_rec* addition to conn_rec * improved ALPN and Upgrade handling * allowing requests for servers whose TLS configuration is compatible to the SNI server ones * disabling TLS renegotiation for slave connections- LogLevel directive into correct config file, thanks Michael Calmer for the fix [bsc#953329]- do not build mod_http2 for older distros than 13.2 for now (nghttp2 does not build there)- Include directives really into /etc/apache2/sysconfig.d/include.conf, fix from Erik Wegner [bsc#951901]- gensslcert: CN now defaults to `hostname -f` [bnc#949766] (internal), fix help [bnc#949771] (internal)- Update to 2.4.17 - Enable mod_http2/ BuildRequire nghttp2 - MPMs: Support SO_REUSEPORT to create multiple duplicated listener records for scalability - mod_ssl: Support compilation against libssl built with OPENSSL_NO_SSL3 - For more changes see: http://www.apache.org/dist/httpd/CHANGES_2.4.17- start_apache2: reintroduce sysconfig.d, include it on command line (not in httpd.conf) instead of individual directives [bnc#949434] (internal), [bnc#941331]- Fixup libdir in installed files- fix Logjam vulnerability: change SSLCipherSuite cipherstring to disable export cipher suites and deploy Ephemeral Elliptic-Curve Diffie-Hellman (ECDHE) ciphers. Adjust 'gensslcert' script to generate a strong and unique Diffie Hellman Group and append it to the server certificate file [bnc#931723], [CVE-2015-4000]- add reference upstream bug#58188 along httpd-2.4.12-lua-5.2.patch- update to 2.4.16 * changes http://www.apache.org/dist/httpd/CHANGES_2.4.16 * remove the following patches (fixed in 2.4.16) * httpd-2.4.x-mod_lua_websocket_DoS.patch * httpd-2.4.12-CVE-2015-0253.patch * update httpd-2.4.12-lua-5.2.patch- add patch: httpd-2.4.12-lua-5.2.patch * lua_dump introduced a new strip option in 5.3, set it to 0 to get the old behavior * luaL_register was deprecated in 5.2, use luaL_setfuncs and luaL_newlib instead * luaL_optint was deprecated in 5.3, use luaL_optinteger instead * lua_strlen and lua_objlen wad deprecated in 5.2, use lua_rawlen instead- change Provides: from suse_maintenance_mmn = # to suse_maintenance_mmn_#- apache2 Suggests:, not Recommends: apache2-prefork; that means for example, that `zypper in apache2-worker` will not pull apache2-prefork also - installing /usr/sbin/httpd link: * do not try to install it in '%post ' when apache2 (which includes /usr/share/apache2/script-helpers) is not installed yet (fixes installation on 11sp3) * install it in '%post' if apache2 is installed after apache2- to be sure it is there- access_compat shared also for 11sp3- apache2-implicit-pointer-decl.patch renamed to httpd-implicit-pointer-decl.patch to align with other patches names- apachectl is now wrapper to start_apache2; therefore, it honors HTTPD_INSTANCE variable, see README-instances.txt for details + httpd-apachectl.patch - httpd-2.4.10-apachectl.patch- a2enmod/a2dismod and a2enflag/a2disflag now respect HTTPD_INSTANCE= environment variable, which can be used to specify apache instance name; sysconfig file is expected at /etc/sysconfig/apache2@ (see README-instances.txt for details)- provides suse_maintenance_mmn symbol [bnc#915666] (internal)- credits to Roman Drahtmueller: * add reference to /etc/permissions.local to output of %post if setting the permissions of suexec2 fails * do not enable mod_php5 by default any longer * httpd-2.0.49-log_server_status.dif obsoleted * apache2-mod_ssl_npn.patch removed because not used * include mod_reqtimeout.conf in httpd.conf * added cgid-timeout.conf, include it in httpd.conf - fix default value APACHE_MODULES in sysconfig file - %service_* macros for apache2@.service- reenable 690734.patch, it should be upstreamed by the author (Adrian Schroeter) though + httpd-2.4.9-bnc690734.patch - httpd-2.2.x-bnc690734.patch- drop startssl from start_apache2- allow to run multiple instances of Apache on one system [fate#317786] (internal) * distributed httpd.conf no longer includes sysconfig.d, nor this directory is shipped. httpd.conf includes loadmodule.conf and global.conf which are former sysconfig.d/loadmodule.conf and sysconfig.d/global.conf for default /etc/sysconfig/apache2 global.conf and loadmodule.conf are not included when sysconfig variables could have been read by start_apache2 startup script (run with systemd services). Therefore, when starting server via /usr/sbin/httpd, sysconfig variables are not taken into account. * some not-maintained scripts are moved from /usr/share/apache2 to /usr/share/apache2/deprecated-scripts * all modules comment in sysconfig file is not generated anymore * added README-instances.txt * removed Sources: load_configuration find_mpm get_module_list get_includes find_httpd_includes apache-find-directives * added Sources: deprecated-scripts.tar.xz apache2-README-instances.txt apache2-loadmodule.conf apache2-global.conf apache2-find-directives apache2@.service apache2-script-helpers- add SSLHonorCipherOrder directive to apache2-ssl-global.conf - adopt SSLCipherSuite directive value from SLE12 - remove default-vhost-ssl.conf and default-vhost.conf from /etc/apache2. These two files are not (!) read by the configuration framework, but are named *.conf, which is misleading. The files are almost identical with the vhost templates in /etc/apache2/vhosts.d/. The two templates there do it right because they are not named *.conf and are not sourced either. apache's response with no explicit (eg. default, vanilla) configuration is contained in /etc/apache2/default-server.conf. * remove apache2-README.default-vhost as there are no default-vhost* files anymore.- apache2.service: We have to use KillMode=mixed for the graceful stop, restart to work properly.- dropped 2.0 -> 2.2 modules transition during upgrade * apache-20-22-upgrade renamed to apache-22-24-upgrade - apache-*-upgrade script is called in %posttrans now [bnc#927223]- fix find_mpm to echo mpm binary- apache2.service: Only order us after network.target and nss-lookup.target but not pull the units in. - apache2.service: SSL requires correct system time to work properly, order after time-sync.target- align filenames with upstream names (and add compat symlinks) - find_httpd2_includes renamed to find_httpd_includes- access_compat now built as shared and disabled by default - amend config to use also old syntax when access_compat is loaded - added apache2-README-access_compat.txt - added apache-find-directive script - see [bnc#896083] and its duplicates- add httpd-2.4.12-CVE-2015-0253.patch to fix SECURITY: CVE-2015-0253 (cve.mitre.org) core: Fix a crash introduced in with ErrorDocument 400 pointing to a local URL-path with the INCLUDES filter active, introduced in 2.4.11. PR 57531. [Yann Ylavic]- simplify apache2.logrotate, use sharedscripts [bnc#713581]- remove curly brackets around format sequence "%y" in `stat --format="%{y}" %{SOURCE1}` that caused an incorrect evaluation. Add escaping to proper spec-cleaner processing in the future- remove 'exit 0' from the %post section in the specfile that was placed here incorrectly and caused that the rest of the %post section couldn't be executed.- /etc/init.d/apache2 reload -> systemctl reload apache2.service in apache2.logrotate [bnc#926523]- authz_default -> authz_core in sysconfig.apache2/APACHE_MODULES [bnc#922236]- Add Requires(post) apache2 to the subpackage -worker, -event and - prefork: their respective post scriptlets execute /usr/share/apache2/get_module_list, which is shipped as part of the main package. This script has the side-effect to call find_mpm, which in turn creates the corresponding /usr/sbin/httpd2 symlink.- Patched get_module_list to ensure proper SELinux context for sysconfig.d/loadmodule.conf- Pname -> name variable reduction - Try to fix sle11 build- Version bumpt o 2.4.12: * ) mpm_winnt: Accept utf-8 (Unicode) service names and descriptions for internationalization. [William Rowe] * ) mpm_winnt: Normalize the error and status messages emitted by service.c, the service control interface for Windows. [William Rowe] * ) configure: Fix --enable-v4-mapped configuration on *BSD. PR 53824. [ olli hauer , Yann Ylavic ]- Exit cleanly on end of the post and cleanup the update detection - Remove Apache.xpm as it ain't used- Cleanup init/unit decision making and provide just systemd service on systemd systems- Deprecate realver define as it is equal to version. - Explicitely state MPM mods to ensure we don't lose some bnc#444878- Pass over spec-cleaner, there should be no actual technical change in this just reduction of lines in the spec- add httpd-2.4.x-mod_lua_websocket_DoS.patch to fix mod_lua bug where a maliciously crafted websockets PING after a script calls r:wsupgrade() can cause a child process crash [CVE-2015-0228], [bnc#918352].- httpd2.pid in rc.apache2 was wrong [bnc#898193]- httpd-2.4.3-mod_systemd.patch find libsystemd-daemon with pkg-config, this is the only correct way, in current versions sd_notify is in libsystemd and in old products in libsystemd-daemon.- remove obsolete patches * httpd-2.4.10-check_null_pointer_dereference.patch * httpd-event-deadlock.patch * httpd-2.4.x-bnc871310-CVE-2013-5704-mod_headers_chunked_requests.patch * httpd-2.4.x-bnc909715-CVE-2014-8109-mod_lua_handling_of_Require_line.patch- Apache 2.4.11 * ) SECURITY: CVE-2014-3583 (cve.mitre.org) mod_proxy_fcgi: Fix a potential crash due to buffer over-read, with response headers' size above 8K. [Yann Ylavic, Jeff Trawick] * ) SECURITY: CVE-2014-3581 (cve.mitre.org) mod_cache: Avoid a crash when Content-Type has an empty value. PR 56924. [Mark Montague , Jan Kaluza] * ) SECURITY: CVE-2014-8109 (cve.mitre.org) mod_lua: Fix handling of the Require line when a LuaAuthzProvider is used in multiple Require directives with different arguments. PR57204 [Edward Lu ] * ) SECURITY: CVE-2013-5704 (cve.mitre.org) core: HTTP trailers could be used to replace HTTP headers late during request processing, potentially undoing or otherwise confusing modules that examined or modified request headers earlier. Adds "MergeTrailers" directive to restore legacy behavior. [Edward Lu, Yann Ylavic, Joe Orton, Eric Covener] * ) mod_ssl: New directive SSLSessionTickets (On|Off). The directive controls the use of TLS session tickets (RFC 5077), default value is "On" (unchanged behavior). Session ticket creation uses a random key created during web server startup and recreated during restarts. No other key recreation mechanism is available currently. Therefore using session tickets without restarting the web server with an appropriate frequency (e.g. daily) compromises perfect forward secrecy. [Rainer Jung] * ) mod_proxy_fcgi: Provide some basic alternate options for specifying how PATH_INFO is passed to FastCGI backends by adding significance to the value of proxy-fcgi-pathinfo. PR 55329. [Eric Covener] * ) mod_proxy_fcgi: Enable UDS backends configured with SetHandler/RewriteRule to opt-in to connection reuse and other Proxy options via explicitly declared "proxy workers" (] * ) mod_proxy_fcgi: Remove proxy:balancer:// prefix from SCRIPT_FILENAME passed to fastcgi backends. [Eric Covener] * ) core: Configuration files with long lines and continuation characters are not read properly. PR 55910. [Manuel Mausz ] * ) mod_include: the 'env' function was incorrectly handled as 'getenv' if the leading 'e' was written in upper case in statements. [Christophe Jaillet] * ) split-logfile: Fix perl error: 'Can't use string ("example.org:80") as a symbol ref while "strict refs"'. PR 56329. [Holger Mauermann ] * ) mod_proxy: Prevent ProxyPassReverse from doing a substitution when the URL parameter interpolates to an empty string. PR 56603. [] * ) core: Fix -D[efined] or [d] variables lifetime accross restarts. PR 57328. [Armin Abfalterer , Yann Ylavic]. * ) mod_proxy: Preserve original request headers even if they differ from the ones to be forwarded to the backend. PR 45387. [Yann Ylavic] * ) mod_ssl: dump SSL IO/state for the write side of the connection(s), like reads (level TRACE4). [Yann Ylavic] * ) mod_proxy_fcgi: Ignore body data from backend for 304 responses. PR 57198. [Jan Kaluza] * ) mod_ssl: Do not crash when looking up SSL related variables during expression evaluation on non SSL connections. PR 57070 [Ruediger Pluem] * ) mod_proxy_ajp: Fix handling of the default port (8009) in the ProxyPass and configurations. PR 57259. [Yann Ylavic] * ) mpm_event: Avoid a possible use after free when notifying the end of connection during lingering close. PR 57268. [Eric Covener, Yann Ylavic] * ) mod_ssl: Fix recognition of OCSP stapling responses that are encoded improperly or too large. [Jeff Trawick] * ) core: Add ap_log_data(), ap_log_rdata(), etc. for logging buffers. [Jeff Trawick] * ) mod_proxy_fcgi, mod_authnz_fcgi: stop reading the response and issue an error when parsing or forwarding the response fails. [Yann Ylavic] * ) mod_ssl: Fix a memory leak in case of graceful restarts with OpenSSL >= 0.9.8e PR 53435 [tadanori , Sebastian Wiedenroth ] * ) mod_proxy_connect: Don't issue AH02447 on sockets hangups, let the read determine whether it is a normal close or a real error. PR 57168. [Yann Ylavic] * ) mod_proxy_wstunnel: abort backend connection on polling error to avoid further processing. [Yann Ylavic] * ) core: Support custom ErrorDocuments for HTTP 501 and 414 status codes. PR 57167 [Edward Lu ] * ) mod_proxy_connect: Fix ProxyRemote to https:// backends on EBCDIC systems. PR 57092 [Edward Lu ] * ) mod_cache: Avoid a 304 response to an unconditional requst when an AH00752 CacheLock error occurs during cache revalidation. [Eric Covener] * ) mod_ssl: Move OCSP stapling information from a per-certificate store to a per-server hash. PR 54357, PR 56919. [Alex Bligh , Yann Ylavic, Kaspar Brand] * ) mod_cache_socache: Change average object size hint from 32 bytes to 2048 bytes. [Rainer Jung] * ) mod_cache_socache: Add cache status to server-status. [Rainer Jung] * ) event: Fix worker-listener deadlock in graceful restart. PR 56960. * ) Concat strings at compile time when possible. PR 53741. * ) mod_substitute: Restrict configuration in .htaccess to FileInfo as documented. [Rainer Jung] * ) mod_substitute: Make maximum line length configurable. [Rainer Jung] * ) mod_substitute: Fix line length limitation in case of regexp plus flatten. [Rainer Jung] * ) mod_proxy: Truncated character worker names are no longer fatal errors. PR53218. [Jim Jagielski] * ) mod_dav: Set r->status_line in dav_error_response. PR 55426. * ) mod_proxy_http, mod_cache: Avoid (unlikely) accesses to freed memory. [Yann Ylavic, Christophe Jaillet] * ) http_protocol: fix logic in ap_method_list_(add|remove) in order: - to correctly reset bits - not to modify the 'method_mask' bitfield unnecessarily [Christophe Jaillet] * ) mod_slotmem_shm: Increase log level for some originally debug messages. [Jim Jagielski] * ) mod_ldap: In 2.4.10, some LDAP searches or comparisons might be done with the wrong credentials when a backend connection is reused. [Eric Covener] * ) mod_macro: Add missing APLOGNO for some Warning log messages. [Christophe Jaillet] * ) mod_cache: Avoid sending 304 responses during failed revalidations PR56881. [Eric Covener] * ) mod_status: Honor client IP address using mod_remoteip. PR 55886. [Jim Jagielski] * ) cmake-based build for Windows: Fix incompatibility with cmake 2.8.12 and later. PR 56615. [Chuck Liu , Jeff Trawick] * ) mod_ratelimit: Drop severity of AH01455 and AH01457 (ap_pass_brigade failed) messages from ERROR to TRACE1. Other filters do not bother re-reporting failures from lower level filters. PR56832. [Eric Covener] * ) core: Avoid useless warning message when parsing a section guarded by if $(foo) is used within the section. PR 56503 [Christophe Jaillet] * ) mod_proxy_fcgi: Fix faulty logging of large amounts of stderr from the application. PR 56858. [Manuel Mausz ] * ) mod_proxy_http: Proxy responses with error status and "ProxyErrorOverride On" hang until proxy timeout. PR53420 [Rainer Jung] * ) mod_log_config: Allow three character log formats to be registered. For backwards compatibility, the first character of a three-character format must be the '^' (caret) character. [Eric Covener] * ) mod_lua: Don't quote Expires and Path values. PR 56734. [Keith Mashinter, ] * ) mod_authz_core: Allow 'es to be seen from auth stanzas under virtual hosts. PR 56870. [Eric Covener]- Redone lost patch to fix boo#859439 + service reload can cause log data to be lost with logrotate under some circumstances: remove "-t" from service reload. [bnc#859439]- Fix URL syntax in various files- fix IfModule directive around SSLSessionCache [bnc#842377c#11]- added httpd-2.4.x-bnc871310-CVE-2013-5704-mod_headers_chunked_requests.patch to fix flaw in the way mod_headers handled chunked requests. Adds "MergeTrailers" directive to restore legacy behavior [bnc#871310], [CVE-2013-5704].- added httpd-2.4.x-bnc909715-CVE-2014-8109-mod_lua_handling_of_Require_line.patch that fixes handling of the Require line when a LuaAuthzProvider is used in multiple Require directives with different arguments [bnc#909715], [CVE-2014-8109].- fixed start at boot for ssl and encrypted key [bnc#792309]- fix shebang in start_apache2 script that contains bash-specific constructions- small improvement of ssl instructions [bnc#891813]- fix bashisms in post scripts- added httpd-2.4.10-check_null_pointer_dereference.patch to avoid a crash when Content-Type has an empty value [bnc#899836], CVE-2014-3581- httpd-event-deadlock.patch: Fix worker-listener deadlock in graceful restart.- httpd-2.1.9-apachectl.dif renamed to httpd-2.4.10-apachectl.patch and updated (fixed bashism).- drop (turned off) itk mpm spec file code as mpm-itk is now provided as a separate module, not via patch (see http://mpm-itk.sesse.net/ and [bnc#851229])- enable mod_imagemap [bnc#866366]- fixed link to Apache quickstart [bnc#624681], [bnc#789806]- the following unused patches were removed from the package: * apache2-mod_ssl_npn.patch * httpd-2.0.49-log_server_status.dif- 700 permissions for /usr/sbin/apache2-systemd-ask-pass and /usr/sbin/start_apache2 [bnc#851627]- allow only TCP ports in Yast2 firewall files- more 2.2 -> 2.4 [bnc#862058]- ServerSignature=Off and ServerTokens=Prod by request from security team [bnc#716495]- fix documentation links 2.2 -> 2.4 [bnc#888163] (internal)- Update package Summary and Description. - version 2.4.10 * SECURITY: CVE-2014-0117 (cve.mitre.org) * SECURITY: CVE-2014-3523 (cve.mitre.org) * SECURITY: CVE-2014-0226 (cve.mitre.org) * SECURITY: CVE-2014-0118 (cve.mitre.org) * SECURITY: CVE-2014-0231 (cve.mitre.org) * Multiple bugfixes to mod_ssl, mod_cache, mod_deflate, mod_lua * mod_proxy_fcgi supports unix sockets.- provide httpd.service as alias for apache2.service for compatibility reasons (bnc#888093)- move most ssl options to ssl-global.conf. There is usually no need for every vhost to re-define the ciphers for example (bnc#865582). Drop some commented entries that only lead to confusion.- version 2.4.9 * SECURITY: CVE-2014-0098 * SECURITY: CVE-2013-6438 * multiple bugfixes and improvements to mod_ssl, mod_lua, mod_session and core, see CHANGES for details.- /etc/sysconfig/apache2: add socache_shmcb to the list of modules that are enabled. /etc/apache2/ssl-global.conf: make SSLSessionCache shmcb... conditional on IfModule socache_shmcb. The same applies to SSLSessionCache dmb:* via module socache_dbm in commented section of same file. [bnc#864185] - /etc/sysconfig/apache2: remove reference to non-existing script /usr/share/doc/packages/apache2/certificate.sh, which was only a wrapper to mkcert.sh anyways. [bnc#864185]- update to apache 2.4.7, important changes: * This release requires both apr and apr-util 1.5.x series and therefore will no longer build in older released products * mod_ssl: Improve handling of ephemeral DH and ECDH keys (obsoletes httpd-mod_ssl_ephemeralkeyhandling.patch) * event MPM: Fix possible crashes * mod_deflate: Improve error detection * core: Add open_htaccess hook in conjunction with dirwalk_stat. * mod_rewrite: Make rewrite websocket-aware to allow proxying. * mod_ssl: drop support for export-grade ciphers with ephemeral RSA keys, and unconditionally disable aNULL, eNULL and EXP ciphers (not overridable via SSLCipherSuite) * core, mod_ssl: Enable the ability for a module to reverse the sense of a poll event from a read to a write or vice versa (obsoletes httpd-event-ssl.patch) * see CHANGES for more details- httpd-mod_ssl_ephemeralkeyhandling.patch obsoletes mod_ssl-2.4.x-ekh.diff this new patch is the final form of the rework, merged for 2.4.7.- Removed obsolete directive DefaultType - Changed all access control to new Require directive- reenable mod_ssl-2.4.x-ekh.diff- Correct build in old distros.- disable (revert) mod_ssl changes in the previous commit so it does not end in factory or 13.1 yet.- make mod_systemd static so scenarios described in [bnc#846897] do not happen again.- mod_ssl: improve ephemeral key handling in particular, support DH params with more than 1024 bits, and allow custom configuration. This patch adjust DH parameters according to the relevant RFC recommendations and permanently disables the usage of "export" and "NULL" ciphers no matter what the user configuration is (mod_ssl-2.4.x-ekh.diff, to be in 2.4.7)- fix [bnc#846897] problems building kiwi images due to systemd not being running in chroot. (submit to 13.1 ASAP)- Fix SUSE spelling.- Also fix subtle non-obvious systemd unit confusion we really mean -DFOREGROUND not -DNO_DETACH the latter only inhibits the parent from forking, not quite the same as running in well.. the foreground as required.- Ensure we only use /run and not /var/run- Really use %requires_ge for libapr1 and libapr-util1 mentioned but not implemented in the previous commit.- Use %requires_ge for libapr1 and libapr-util1 - apache2-default-server.conf: Need to use IncludeOptional - apache-20-22-upgrade: also load authz_core - httpd-visibility.patch: Use compiler symbol visibility.- Make the default keysize in the sample gensslcerts 2048 bits to match government recommendations.- Enable mod_proxy_html, mod_xml2enc and mod_lua (missed BuildRequires)- provide and obsolete mod_macro - upgrade: some people complain that log_config module is not enabled by default sometimes, fix that. - upgrade : "SSLMutex" no longer exists. - Toogle EnableSendfile on because now apache defaults to off due to kernel bugs. that's a silly thing to do here as kernel bugs have to be fixed at their source, not worked around in applications.- httpd-event-ssl.patch: from upstream Lift the restriction that prevents mod_ssl taking full advantage of the event MPM.- Update to version 2.4.6 * SECURITY: CVE-2013-1896 (cve.mitre.org) * SECURITY: CVE-2013-2249 (cve.mitre.org) * Major updates to mod_lua * Support for proxying websocket requests * Higher performant shm-based cache implementation * Addition of mod_macro for easier configuration management * As well as several exciting fixes, especially those related to RFC edge cases in mod_cache and mod_proxy. - IMPORTANT : With the current packaging scheme, we can no longer Include the ITK MPM, therefore it has been disabled. This is because this MPM can now only be provided as a loadable module but we do not currently build MPMs as shared modules but as independant binaries and all helpers/startup scripts depend on that behaviour. It will be fixed in the upcoming weeks/months.- apache-20-22-upgrade: still no cookie, module authn_file is ok and must not be disabled on update. authn_core must however be enabled too.- fix apache_mmn spec macro, otherwise all modules down the chain will have broken dependencies- remove After=mysql.service php-fpm.service postgresql.service which were added in the previous change, those must be added as Before=apache2.service in the respective services.- Include mod_systemd for more complete integration with systemd, turn the service to Typé=notify as required - Disable SSL NPN patch for now, it is required for mod_spdy but mod_spdy does not support apache 2.4- apache 2.4.4 * fix for CVE-2012-3499 * fix for the CRIME attack (disable ssl compression by default) * many other bugfies * build access_compat amd unixd as static modules and solve some other upgrade quirks (bnc#813705)- Install apache2.service accordingly (/usr/lib/systemd for 12.3 and up or /lib/systemd for older versions).- Apache 2.4.3 * SECURITY: CVE-2012-3502 * SECURITY: CVE-2012-2687 * mod_cache: Set content type in case we return stale content. * lots of bugfixes see http://www.apache.org/dist/httpd/CHANGES_2.4.3- Improve systemd unit file (tested for months)- use %set_permissions instead %run_permissions (bnc#764097)- Fix factory-auto (aka r2dbag) complains about URL. - Provide a symlink for apxs2 new location otherwise all buggy spec files of external modules will break.- BuildRequire xz explicitly, fix build in !Factory - Drop more old, unused patches- Upgrade to apache 2.4.2 * * ATTENTION, before installing this update YOU MUST READ http://httpd.apache.org/docs/2.4/upgrading.html CAREFULLY otherwise your server will most likely fail to start due to backward incompatible changes. * You can read the huge complete list of changes at http://httpd.apache.org/docs/2.4/new_features_2_4.html- gensslcert: Use 0400 permissions for generated SSL certificate files instead of 0644- modified apache2.2-mpm-itk-20090414-00.patch to fix itk running as root. bnc#681176 / CVE-2011-1176- remove the insecure LD_LIBRARY_PATH line. bnc#757710- Add apache2-mod_ssl_npn.patch: Add npn support to mod_ssl, which is needed by spdy. - Provide apache2(mod_ssl+npn), indicating that our mod_ssl does have the npn patch. This can be used by mod_spdy to ensure a compatible apache/mod_ssl is installed.- fix truncating and resulting paniking of answer headers (bnc#690734)- update to 2.2.22 * ) SECURITY: CVE-2011-3368 (cve.mitre.org) Reject requests where the request-URI does not match the HTTP specification, preventing unexpected expansion of target URLs in some reverse proxy configurations. * ) SECURITY: CVE-2011-3607 (cve.mitre.org) Fix integer overflow in ap_pregsub() which, when the mod_setenvif module is enabled, could allow local users to gain privileges via a .htaccess file. * ) SECURITY: CVE-2011-4317 (cve.mitre.org) Resolve additional cases of URL rewriting with ProxyPassMatch or RewriteRule, where particular request-URIs could result in undesired backend network exposure in some configurations. * ) SECURITY: CVE-2012-0021 (cve.mitre.org) mod_log_config: Fix segfault (crash) when the '%{cookiename}C' log format string is in use and a client sends a nameless, valueless cookie, causing a denial of service. The issue existed since version 2.2.17. PR 52256. * ) SECURITY: CVE-2012-0031 (cve.mitre.org) Fix scoreboard issue which could allow an unprivileged child process could cause the parent to crash at shutdown rather than terminate cleanly. * ) SECURITY: CVE-2012-0053 (cve.mitre.org) Fix an issue in error responses that could expose "httpOnly" cookies when no custom ErrorDocument is specified for status code 400. * ) mod_proxy_ajp: Try to prevent a single long request from marking a worker in error. * ) config: Update the default mod_ssl configuration: Disable SSLv2, only allow >= 128bit ciphers, add commented example for speed optimized cipher list, limit MSIE workaround to MSIE <= 5. * ) core: Fix segfault in ap_send_interim_response(). PR 52315. * ) mod_log_config: Prevent segfault. PR 50861. * ) mod_win32: Invert logic for env var UTF-8 fixing. Now we exclude a list of vars which we know for sure they dont hold UTF-8 chars; all other vars will be fixed. This has the benefit that now also all vars from 3rd-party modules will be fixed. PR 13029 / 34985. * ) core: Fix hook sorting for Perl modules, a regression introduced in 2.2.21. PR: 45076. * ) Fix a regression introduced by the CVE-2011-3192 byterange fix in 2.2.20: A range of '0-' will now return 206 instead of 200. PR 51878. * ) Example configuration: Fix entry for MaxRanges (use "unlimited" instead of "0"). * ) mod_substitute: Fix buffer overrun. - adjusted SSL template/default config for upstream changes, and added MaxRanges example to apache2-server-tuning.conf - fixed installation of (moved) man pages- compile with pcre 8.30 - patch taken from apache bugzilla- enable mod_reqtimeout by default via APACHE_MODULES in /etc/sysconfig/apache2, configuration /etc/apache2/mod_reqtimeout.conf . Of course, the existing configuration remains unchanged.- add default vhost configs * default-vhost.conf, default-vhost-ssl.conf, README.default-vhost- openldap2 is not necessary, just openldap2-devel as buildrequires- add automake as buildrequire to avoid implicit dependency- update to /etc/init.d/apache2: handle reload with deleted binaries after package update more thoughtfully: If the binaries have been replaced, then a dlopen(3) on the apache modules is prone to fail. => Don't reload then, but complain and fail. Especially important for logrotate!- httpd-2.2.x-CVE-2011-3368-server_protocl_c.diff fixes mod_proxy reverse exposure via RewriteRule or ProxyPassMatch directives. This is CVE-2011-3368.- Ensure service_add_pre macro is correctly called for openSUSE 12.1 or later.- Fix systemd files packaging, %ghost is not a good idea. - Use systemd rpm macros for openSUSE 12.1 and later.- don't create $RPM_BUILD_ROOT/etc/init.d twice in %install.- Update to 2.2.21. News therein: * re-worked CVE-2011-3192 (byterange_filter.c) with a regression fix. New config option: MaxRanges (PR 51748) * multi fixes in mod_filter, mod_proxy_ajp, mod_dav_fs, mod_alias, mod_rewrite. As always, see CHANGES file. - added httpd-%{realver}.tar.bz2.asc to source, along with 60C5442D.key which the tarball was signed with.- need to add %ghost /lib/systemd to satisfy distributions that have no systemd yet.- Add apache2-systemd-ask-pass / apache2.service / start_apache2 and modify apache2-ssl-global.conf for systemd support (bnc#697137).- Update to version 2.2.20, fix CVE-2011-3192 mod_deflate D.o.S.- Fix apache PR 45076- Use SSL_MODE_RELEASE_BUFFERS to reduce mod_ssl memory usage- Add 2 patches from the "low hanging fruit" warnings in apache STATUS page. * mod_deflate: Stop compressing HEAD requests if there is not Content-Length header * mod_reqtimeout: Disable keep-alive after read timeout- Remove -fno-strict-aliasing from CFLAGS, no longer needed.- Allow KeepAliveTimeout to be expressed in miliseconds sometimes one second is too long, upstream r733557.- When linux changes to version 3.x configure tests are gonna break. remove version check, assuming kernel 2.2 or later.- Update to 2.2.19, only one bugfix. * ) Revert ABI breakage in 2.2.18 caused by the function signature change of ap_unescape_url_keep2f(). This release restores the signature from 2.2.17 and prior, and introduces ap_unescape_url_keep2f_ex(). [Eric Covener]- Remove SSLv2 disabled patch, already in upstream. - Update to version 2.2.18 * mod_ssl, ab: Support OpenSSL compiled without SSLv2 support. * core: Treat timeout reading request as 408 error, not 400. * core: Only log a 408 if it is no keepalive timeout. * mod_rewrite: Allow to unset environment variables. * prefork: Update MPM state in children during a graceful restart. * Other fixes in mod_cache,mod_dav,mod_proxy se NEWS for detail.- Fix regular expression in vhost ssl template IE workaround it is obsolete see https://issues.apache.org/bugzilla/show_bug.cgi?id=49484 You should apply this update to fix painfully slow SSL connections when using IE.- Allow usage of an openSSL library compiled without SSlv2- set sane default cipher string in apache2-vhost-ssl.template - remove useless example snakeoil certs - remove broken mkcert script- Tag boot script as interactive as systemd uses it- recommend the default mpm package (bnc#670027)- update to 2.2.17: SECURITY: CVE-2010-1623 (cve.mitre.org) Fix a denial of service attack against apr_brigade_split_line(). [Actual fix is in the libapr 1.3 line, which we don't use // poeml] SECURITY: CVE-2009-3560, CVE-2009-3720 (cve.mitre.org) Fix two buffer over-read flaws in the bundled copy of expat which could cause applications to crash while parsing specially-crafted XML documents. [We build with system expat library // poeml] prefork MPM: Run cleanups for final request when process exits gracefully to work around a flaw in apr-util. PR 43857 core: - check symlink ownership if both FollowSymlinks and SymlinksIfOwnerMatch are set - fix origin checking in SymlinksIfOwnerMatch PR 36783 - (re)-introduce -T commandline option to suppress documentroot check at startup. PR 41887 vhost: - A purely-numeric Host: header should not be treated as a port. PR 44979 rotatelogs: - Fix possible buffer overflow if admin configures a mongo log file path. Proxy balancer: support setting error status according to HTTP response code from a backend. PR 48939. mod_authnz_ldap: - If AuthLDAPCharsetConfig is set, also convert the password to UTF-8. PR 45318. mod_dir, mod_negotiation: - Pass the output filter information to newly created sub requests; as these are later on used as true requests with an internal redirect. This allows for mod_cache et.al. to trap the results of the redirect. PR 17629, 43939 mod_headers: - Enable multi-match-and-replace edit option PR 46594 mod_log_config: - Make ${cookie}C correctly match whole cookie names instead of substrings. PR 28037. mod_reqtimeout: - Do not wrongly enforce timeouts for mod_proxy's backend connections and other protocol handlers (like mod_ftp). Enforce the timeout for AP_MODE_GETLINE. If there is a timeout, shorten the lingering close time from 30 to 2 seconds. mod_ssl: - Do not do overlapping memcpy. PR 45444- Add missing libcap-devel to BuildRequires, wanted by "itk" MPM.- update to 2.2.16: SECURITY: CVE-2010-1452 (cve.mitre.org) mod_dav, mod_cache: Fix Handling of requests without a path segment. PR: 49246 SECURITY: CVE-2010-2068 (cve.mitre.org) mod_proxy_ajp, mod_proxy_http, mod_reqtimeout: Fix timeout detection for platforms Windows, Netware and OS2. PR: 49417. core: - Filter init functions are now run strictly once per request before handler invocation. The init functions are no longer run for connection filters. PR 49328. mod_filter: - enable it to act on non-200 responses. PR 48377 mod_ldap: - LDAP caching was suppressed (and ldap-status handler returns title page only) when any mod_ldap directives were used in VirtualHost context. mod_ssl: - Fix segfault at startup if proxy client certs are shared across multiple vhosts. PR 39915. mod_proxy_http: - Log the port of the remote server in various messages. PR 48812. apxs: - Fix -A and -a options to ignore whitespace in httpd.conf mod_dir: - add FallbackResource directive, to enable admin to specify an action to happen when a URL maps to no file, without resorting to ErrorDocument or mod_rewrite. PR 47184 mod_rewrite: - Allow to set environment variables without explicitely giving a value. - add Requires and BuildRequires on libapr1 >= 1.4.2. In the past, libapr1 >= 1.0 was sufficient. But since 2.2.16, a failure to create listen sockets can occur, unless newer libapr1 is used. See https://bugzilla.redhat.com/show_bug.cgi?id=516331 - remove obsolete httpd-2.2.15-deprecated_use_of_build_in_variable.patch- add type and encoding for zipped SVG images (.svgz) Thanks to Sebastian Siebert (via Submit Request #40059)- fix deprecated usage of $[ in apxs2 (httpd-2.2.15-deprecated_use_of_build_in_variable.patch)- Do not compile in build time but use mtime of changes file instead. This allows build-compare to identify that no changes have happened.- add apache2-prefork to the Requires of apache2-devel, because apxs2 will build for prefork, if not called as apxs2-worker (which should rarely be the case). Also added gcc to the Requires.- update to 2.2.15: SECURITY: CVE-2009-3555 (cve.mitre.org) mod_ssl: Comprehensive fix of the TLS renegotiation prefix injection attack when compiled against OpenSSL version 0.9.8m or later. Introduces the 'SSLInsecureRenegotiation' directive to reopen this vulnerability and offer unsafe legacy renegotiation with clients which do not yet support the new secure renegotiation protocol, RFC 5746. SECURITY: CVE-2009-3555 (cve.mitre.org) mod_ssl: A partial fix for the TLS renegotiation prefix injection attack by rejecting any client-initiated renegotiations. Forcibly disable keepalive for the connection if there is any buffered data readable. Any configuration which requires renegotiation for per-directory/location access control is still vulnerable, unless using OpenSSL >= 0.9.8l. SECURITY: CVE-2010-0408 (cve.mitre.org) mod_proxy_ajp: Respond with HTTP_BAD_REQUEST when the body is not sent when request headers indicate a request body is incoming; not a case of HTTP_INTERNAL_SERVER_ERROR. SECURITY: CVE-2010-0425 (cve.mitre.org) mod_isapi: Do not unload an isapi .dll module until the request processing is completed, avoiding orphaned callback pointers. SECURITY: CVE-2010-0434 (cve.mitre.org) Ensure each subrequest has a shallow copy of headers_in so that the parent request headers are not corrupted. Elimiates a problematic optimization in the case of no request body. PR 48359 mod_reqtimeout: - New module to set timeouts and minimum data rates for receiving requests from the client. core: - Fix potential memory leaks by making sure to not destroy bucket brigades that have been created by earlier filters. - Return APR_EOF if request body is shorter than the length announced by the client. PR 33098 - Preserve Port information over internal redirects PR 35999 - Build: fix --with-module to work as documented PR 43881 worker: - Don't report server has reached MaxClients until it has. Add message when server gets within MinSpareThreads of MaxClients. PR 46996. ab, mod_ssl: - Restore compatibility with OpenSSL < 0.9.7g. mod_authnz_ldap: - Add AuthLDAPBindAuthoritative to allow Authentication to try other providers in the case of an LDAP bind failure. PR 46608 - Failures to map a username to a DN, or to check a user password now result in an informational level log entry instead of warning level. mod_cache: - Introduce the thundering herd lock, a mechanism to keep the flood of requests at bay that strike a backend webserver as a cached entity goes stale. - correctly consider s-maxage in cacheability decisions. mod_disk_cache, mod_mem_cache: - don't cache incomplete responses, per RFC 2616, 13.8. PR15866. mod_charset_lite: - Honor 'CharsetOptions NoImplicitAdd'. mod_filter: - fix FilterProvider matching where "dispatch" string doesn't exist. PR 48054 mod_include: - Allow fine control over the removal of Last-Modified and ETag headers within the INCLUDES filter, making it possible to cache responses if desired. Fix the default value of the SSIAccessEnable directive. mod_ldap: - If LDAPSharedCacheSize is too small, try harder to purge some cache entries and log a warning. Also increase the default LDAPSharedCacheSize to 500000. This is a more realistic size suitable for the default values of 1024 for LdapCacheEntries/LdapOpCacheEntries. PR 46749. mod_log_config: - Add the R option to log the handler used within the request. mod_mime: - Make RemoveType override the info from TypesConfig. PR 38330. - Detect invalid use of MultiviewsMatch inside Location and LocationMatch sections. PR 47754. mod_negotiation: - Preserve query string over multiviews negotiation. This buglet was fixed for type maps in 2.2.6, but the same issue affected multiviews and was overlooked. PR 33112 mod_proxy: - unable to connect to a backend is SERVICE_UNAVAILABLE, rather than BAD_GATEWAY or (especially) NOT_FOUND. PR 46971 mod_proxy, mod_proxy_http: - Support remote https proxies by using HTTP CONNECT. PR 19188. mod_proxy_http: - Make sure that when an ErrorDocument is served from a reverse proxied URL, that the subrequest respects the status of the original request. This brings the behaviour of proxy_handler in line with default_handler. PR 47106. mod_proxy_ajp: - Really regard the operation a success, when the client aborted the connection. In addition adjust the log message if the client aborted the connection. mod_rewrite: - Make sure that a hostname:port isn't fully qualified if the request is a CONNECT request. PR 47928 - Add scgi scheme detection. mod_ssl: - Fix a potential I/O hang if a long list of trusted CAs is configured for client cert auth. PR 46952. - When extracting certificate subject/issuer names to the SSL_*_DN_* variables, handle RDNs with duplicate tags by exporting multiple varialables with an "_n" integer suffix. PR 45875. - obsolete patch CVE-2009-3555-2.2.patch removed- readd whitespace removed by autobuild- package documentation as noarch- add patch for CVE-2009-3555 (cve.mitre.org) http://www.apache.org/dist/httpd/patches/apply_to_2.2.14/CVE-2009-3555-2.2.patch http://mail-archives.apache.org/mod_mbox/httpd-announce/200911.mbox/%3c20091107013220.31376.qmail@minotaur.apache.org%3e A partial fix for the TLS renegotiation prefix injection attack by rejecting any client-initiated renegotiations. Any configuration which requires renegotiation for per-directory/location access control is still vulnerable, unless using OpenSSL >= 0.9.8l.- update to 2.2.14: * ) SECURITY: CVE-2009-2699 (cve.mitre.org) Fixed in APR 1.3.9. Faulty error handling in the Solaris pollset support (Event Port backend) which could trigger hangs in the prefork and event MPMs on that platform. PR 47645. [Jeff Trawick] * ) SECURITY: CVE-2009-3095 (cve.mitre.org) mod_proxy_ftp: sanity check authn credentials. [Stefan Fritsch , Joe Orton] * ) SECURITY: CVE-2009-3094 (cve.mitre.org) mod_proxy_ftp: NULL pointer dereference on error paths. [Stefan Fritsch , Joe Orton] * ) mod_proxy_scgi: Backport from trunk. [André Malo] * ) mod_ldap: Don't try to resolve file-based user ids to a DN when AuthLDAPURL has been defined at a very high level. PR 45946. [Eric Covener] * ) htcacheclean: 19 ways to fail, 1 error message. Fixed. [Graham Leggett] * ) mod_ldap: Bring the LDAPCacheEntries and LDAPOpCacheEntries usage() in synch with the manual and the implementation (0 and -1 both disable the cache). [Eric Covener] * ) mod_ssl: The error message when SSLCertificateFile is missing should at least give the name or position of the problematic virtual host definition. [Stefan Fritsch sf sfritsch.de] * ) htdbm: Fix possible buffer overflow if dbm database has very long values. PR 30586 [Dan Poirier] * ) Add support for HTTP PUT to ab. [Jeff Barnes ] * ) mod_ssl: Fix SSL_*_DN_UID variables to use the 'userID' attribute type. PR 45107. [Michael Ströder , Peter Sylvester ] * ) mod_cache: Add CacheIgnoreURLSessionIdentifiers directive to ignore defined session identifiers encoded in the URL when caching. [Ruediger Pluem] * ) mod_mem_cache: fix seg fault under load due to pool concurrency problem PR: 47672 [Dan Poirier ] * ) mod_autoindex: Correctly create an empty cell if the description for a file is missing. PR 47682 [Peter Poeml ]- update to 2.2.13: * ) SECURITY: CVE-2009-2412 (cve.mitre.org) Distributed with APR 1.3.8 and APR-util 1.3.9 to fix potential overflow in pools and rmm, where size alignment was taking place. * ) mod_ssl, ab: improve compatibility with OpenSSL 1.0.0 betas. Report warnings compiling mod_ssl against OpenSSL to the httpd developers. * ) mod_cgid: Do not add an empty argument when calling the CGI script. PR 46380 * ) Fix potential segfaults with use of the legacy ap_rputs() etc interfaces, in cases where an output filter fails. PR 36780.- update to 2.2.12: SECURITY: CVE-2009-1891 (cve.mitre.org) Fix a potential Denial-of-Service attack against mod_deflate or other modules, by forcing the server to consume CPU time in compressing a large file after a client disconnects. PR 39605. SECURITY: CVE-2009-1195 (cve.mitre.org) Prevent the "Includes" Option from being enabled in an .htaccess file if the AllowOverride restrictions do not permit it. SECURITY: CVE-2009-1890 (cve.mitre.org) Fix a potential Denial-of-Service attack against mod_proxy in a reverse proxy configuration, where a remote attacker can force a proxy process to consume CPU time indefinitely. SECURITY: CVE-2009-1191 (cve.mitre.org) mod_proxy_ajp: Avoid delivering content from a previous request which failed to send a request body. PR 46949 SECURITY: CVE-2009-0023, CVE-2009-1955, CVE-2009-1956 (cve.mitre.org) The bundled copy of the APR-util library has been updated, fixing three different security issues which may affect particular configurations and third-party modules. core: - New piped log syntax: Use "||process args" to launch the given process without invoking the shell/command interpreter. Use "|$command line" (the default behavior of "|command line" in 2.2) to invoke using shell, consuming an additional shell process for the lifetime of the logging pipe program but granting additional process invocation flexibility. - prefork: Fix child process hang during graceful restart/stop in configurations with multiple listening sockets. PR 42829. - Translate the status line to ASCII on EBCDIC platforms in ap_send_interim_response() and for locally generated "100 Continue" responses. - CGI: return 504 (Gateway timeout) rather than 500 when a script times out before returning status line/headers. PR 42190 - prefork: Log an error instead of segfaulting when child startup fails due to pollset creation failures. PR 46467. - core/utils: Enhance ap_escape_html API to support escaping non-ASCII chars - Set Listen protocol to "https" if port is set to 443 and no proto is specified (as documented but not implemented). PR 46066 - Output -M and -S dumps (modules and vhosts) to stdout instead of stderr. PR 42571 and PR 44266 (dup). mod_alias: - check sanity in Redirect arguments. PR 44729 - Ensure Redirect emits HTTP-compliant URLs. PR 44020 mod_authnz_ldap: - Reduce number of initialization debug messages and make information more clear. PR 46342 mod_cache: - Introduce 'no-cache' per-request environment variable to prevent the saving of an otherwise cacheable response. - Correctly save Content-Encoding of cachable entity. PR 46401 - When an explicit Expires or Cache-Control header is set, cache normally non-cacheable response statuses. PR 46346. mod_cgid: - fix segfault problem on solaris. PR 39332 mod_disk_cache: - The module now turns off sendfile support if 'EnableSendfile off' is defined globally. PR 41218. mod_disk_cache/mod_mem_cache: - Fix handling of CacheIgnoreHeaders directive to correctly remove headers before storing them. mod_deflate: - revert changes in 2.2.8 that caused an invalid etag to be emitted for on-the-fly gzip content-encoding. PR 39727 will require larger fixes and this fix was far more harmful than the original code. PR 45023. mod_ext_filter: - fix error handling when the filter prog fails to start, and introduce an onfail configuration option to abort the request or to remove the broken filter and continue. PR 41120 mod_include: - fix potential segfault when handling back references on an empty SSI variable. - Prevent a case of SSI timefmt-smashing with filter chains including multiple INCLUDES filters. PR 39369 - support generating non-ASCII characters as entities in SSI PR 25202 mod_ldap: - Avoid a segfault when result->rc is checked in uldap_connection_init when result is NULL. This could happen if LDAP initialization failed. PR 45994. mod_negotiation: - Escape pathes of filenames in 406 responses to avoid HTML injections and HTTP response splitting. PR 46837. mod_proxy: - Complete ProxyPassReverse to handle balancer URL's. Given; BalancerMember balancer://alias http://example.com/foo ProxyPassReverse /bash balancer://alias/bar backend url http://example.com/foo/bar/that is now translated /bash/that mod_proxy_ajp: - Check more strictly that the backend follows the AJP protocol. - Forward remote port information by default. mod_proxy_http: - fix Host: header for literal IPv6 addresses. PR 47177 - fix case sensitivity checking transfer encoding PR 47383 mod_rewrite: - Remove locking for writing to the rewritelog. PR 46942 - Fix the error string returned by RewriteRule. RewriteRule returned "RewriteCond: bad flag delimiters" when the 3rd argument of RewriteRule was not started with "[" or not ended with "]". PR 45082 - When evaluating a proxy rule in directory context, do escape the filename by default. PR 46428 - Introduce DiscardPathInfo|DPI flag to stop the troublesome way that per-directory rewrites append the previous notion of PATH_INFO to each substitution before evaluating subsequent rules. PR38642 - fix "B" flag breakage by reverting r589343 PR 45529 mod_ssl: - Add server name indication support (RFC 4366) and better support for name based virtual hosts with SSL. PR 34607 - Add SSLProxyCheckPeerExpire and SSLProxyCheckPeerCN directives to enable stricter checking of remote server certificates. - Add SSLRenegBufferSize directive to allow changing the size of the buffer used for the request-body where necessary during a per-dir renegotiation. PR 39243. mod_substitute: - Fix a memory leak. PR 44948- Fix missing -Y option in gensslcert [bnc#416888]- merge changes from openSUSE:Factory: - trailing spaces removed from robots.txt - moved Snakeoil certificates to separate subpackage example-certificates [bnc#419601] - removed outdated ca-bundle.crt - NOT merging the change from [bnc#301380] (setting TraceEnable Off), since there is no reason to deviate from upstream- avoid useless (and potentially irritating) messages from usermod called in %post when updating the package - this should probably only be run when updating from very old installs anyway. - likewise, avoid similar useless messages about creation of the httpd user when installing on Fedora.- fix hyperref to the quickstart howto in the installed httpd.conf [bnc#500938] Thanks, Frank!- add ITK MPM (apache2.2-mpm-itk-20090414-00.patch) see http://mpm-itk.sesse.net/- buildfix (from Factory): replace "shadow" by "pwdutils" in requires- update apache2-vhost.template mod_php4 references [bnc#444205]- fixed the ed script which turns apxs into apxs-{prefork,worker,event) to work on Fedora, by using - instead of ^ to go "up" one line. Thereby fixing Fedora build. (Package probably needs further tuning to fit into a Fedora environment.)lamb11 1499471487  !"#$%&'()*+,2.4.23-11.22.4.23-11.2abab2apache2-find-directivescheck_forensiccheck_forensic2dbmmanagedbmmanage2gensslcerthtdbmhtdbm2htdigesthtdigest2htpasswdhtpasswd2httxt2dbmlogresolvelogresolve2split-logfilesplit-logfile2fcgistarterlogresolve.pllogresolve.pl2rotatelogsrotatelogs2suexecsuexec2ab.1.gzab2.1.gzdbmmanage.1.gzdbmmanage2.1.gzhtdbm.1.gzhtdbm2.1.gzhtdigest.1.gzhtdigest2.1.gzhtpasswd.1.gzhtpasswd2.1.gzhttxt2dbm.1.gzlogresolve.1.gzlogresolve2.1.gzfcgistarter.8.gzrotatelogs.8.gzrotatelogs2.8.gzsuexec.8.gzsuexec2.8.gz/usr/bin//usr/sbin//usr/share/man/man1//usr/share/man/man8/-fmessage-length=0 -grecord-gcc-switches -O2 -Wall -D_FORTIFY_SOURCE=2 -fstack-protector -funwind-tables -fasynchronous-unwind-tables -gobs://build.opensuse.org/openSUSE:Leap:42.3/standard/4132bec854fc86ab3e1aaa801a9bec83-apache2cpiolzma5x86_64-suse-linux    ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 3.0.0, BuildID[sha1]=3c37143fa2374d16d63dde16b6f5014ab623e52a, strippedBourne-Again shell script, ASCII text executablePOSIX shell script, ASCII text executablePerl script, ASCII text executableBourne-Again shell script, ASCII text executable, with escape sequencesELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 3.0.0, BuildID[sha1]=d169bd1958ba24201bd17ac31ebdd3f9208c7cb3, strippedELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 3.0.0, BuildID[sha1]=29ca7f0b5b1c9220743b93185622d41a0246e5af, strippedELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 3.0.0, BuildID[sha1]=d95e0252e5065c7742147d441e0cf7d549d06162, strippedELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 3.0.0, BuildID[sha1]=baaf80fa6ef33fe0a12f593b47f2047403ac6c8d, strippedELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 3.0.0, BuildID[sha1]=759f30c5b8ad9767835ebe60836db60b8b310f7b, strippedELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 3.0.0, BuildID[sha1]=ea1d9e179bfdd1682df7776ae3b4f61eeae85b55, strippedELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 3.0.0, BuildID[sha1]=3d93c3ec2c090239f1b1f0ff2536a7001a316446, strippedELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 3.0.0, BuildID[sha1]=b40b027a1a78014fbc165d97864ece5f3181e003, strippedHTML document, ASCII text, with very long lines (gzip compressed data, max compression, from Unix)troff or preprocessor input, ASCII text, with very long lines (gzip compressed data, max compression, from Unix)troff or preprocessor input, ASCII text (gzip compressed data, max compression, from Unix) "-49:?@F   RRR RRR RR RRRRRRRRRR RR R RRRRR RR RR RRRRR RRR R RRRRR RRRR RRRRRRRRRRR RRRRRR RR RRRRR RRR i1X8 Խs@?`] crv9uhfc؟C'DcBKVq5hP-cs9> Xٙt8` [O[ԯ8%Oͼ6Z]5#qCA'̗?+HLH;}寖 EN<~xeo&̣TDܘOk?k[0VP۝kiIrN_5I0w-Ā7`S Zz!P3iwՍt(ّom0n aElo|d EB"\tFr{ V2%=Jqj 2EaA=vfw_Q OVK{ >9&eEs2(ϗ @]6?EŁA\=rS\ )@M:W/ؗȗv>g*5ɇ:$(3ńD O җo6MQM[ID@b<μqYE@̦K4~u-I*ۛ[&-flZek27,+K&?{*SMP?k_>l&'gQ`4K=sY ᬡTraR*)&닿MWxv XU)aDn -hw6dpfE w FׁbiTK_a #Dg2!ahОXޗ2@K I/ DQh!6Kfp۹T[ME SȁȰ>Vԫ l-UF;S<ٽ2Z~J\ 5BWiӟ;.?()&b:.Y J%> QX5TPE!*X57 kڔDnȟc?\nn !`C5:{RTzy#oSX"C}Df0!Q7XUD?r0+ˁgHm|8]eV1xkgLI.wTջ5'^}=܀EpRv:InRXptG mI?Y(5"$ /O0vZ.5Vo#1M~)އ_xYq5?.qk?FL.ZaWڈQKLjϰ>-]VQh _wX&y |!֘wb6;B4Rbyѧrm8ld N/G{sV,zm{q(?_M?B{A#5yiiX+ƀHQ o[Hُv9Ewށv&,2#W0!*GRi9>~9}` nU5X6f5XO&Ȑ`ԕD" <9?.GhG#"Mw[Si6~&N%gךݨXvxktڮ<":2*$-k>W'o_oyP) I-"Я6un'A%Q.WӰQVy=bZ+ =s曻?JR5- @ o{Ͳ*?=zM_T mfJ ikLm2|Bw9bB"5j۞.֭nY_@՛Ld Son&? ם$~;ay Aq3 +rHcryt}En^]7 h Pdm\Rl7 hkjNQn >PB",w_{l$Ta iA= n#{YN>j!{~]w}q2y2䆟!T[&eaf ءXmx":ڪ.R%ɽ3"JsgPX(1U5 Jӻq짏#]yI E\PzFobe ^'KFK}lniCٕ}RD8k~9" 'π~"u6+FY1|Ca^)Q"h9&dU f9gTOzvUWM3 y>m 9IeE-#~et{m!\[ǣ +[qOofE[#MőȉN6Ɏ0G)#Ҋndj\ 8iLbSٛvI{`8&Ide] FD0_ &܎P) 1*|@ `v {x~5[a ;4<_gx_D*hev?1#>0r\=ݠ:N3WD+ 6FoDVqC1ko=7 ޿3;g"G_VJAT/p(wu2(EY$<ձt?߫ܯGiܲ/V09@G pRu5O| s9;\)3A)~8}oNmf <=ޔ^%X@{ i_]zXe;9ep'.B3,U,:-Zś̳(]/*offe]МQүcZdDIbUuqẀlzԌoPJxhO ŕDX ye[XnFxy!WY?.ooQ&+eƜ>6vx5 O*ߏlqQsgYLAw󠭣NQkTd[tԤroX oV'0X~ų4=􈟥c :=Ҵ&C<=s9Kl $7O ZUn?;H,) =9sG ˑ7xqp&a 2ZTy D/}2A"YZ"^-NDFCT JN2mB'VooգײNF@^+Ƣt+* W UM^Q_VLYaV6|S7NBkVʪ)$r}8UGleyDv'FTFƃfC^=CO Sx~atł޷ (%06DNfc QZHU. PGyO,1meI0wnCkٟԬ#}[/x l v)OMV.8Y? 8ޞkv|zx=Y>1uZV9 )ryݠh/_۹DO']Dܟ},;WQ~SC"u&3b߄*ѓz?9QLQRnHFI9N)'.ˁئRh3.j"Wz|j[$ZY^Vo{:d!GoVĞweb]J3`Xw" <Rs+6&]p,=gz7z}F>BDG;p0?d7FqmW~NЋI}zqQ48 I[Cҩޘmr j qW1ullNb @Oۦ1$X1/BQQѴّBݤ"^zJHqмj%{pLe jd'"WC/=󯕁 V1_GƔOРL[*T,bBt=µ"hoi$~u{6UPItE Hp>GŖk2PI;>N[U !qgd4,clW8uSY6'35Pl5 k[35#1lMbA~һOC$A)s\2{ $` H(GmJm(Nbgkzjb(W>~FQ&KgqK2EpJ𚔧rfiHA $OUu H)]/v#H-$PP  5v23̎r> Clz>׽gۤbJYK5m?r1\ىҖ+sZ%H1p-6DyIgf`l7fOJDnV|0ʟGPK͈ҥGhJ*b V6DaҸz}KČ.s$9f @uTn?b*-aeH,y$JƙC~9CfM(E {9cbWG oސUP-[6Q) V&csJDluWM#@*f=,=>;u"a\eyȐ:B8^'JԔ;D2k^%mvvulE׻yf<ǜujrDhJZ{Y@JHO?[9D,`Lv<8 &^vlЯid/waAN膀ՈÇhce-"M!A*ڈy[mÇ`<=c}z!^$2\x(O02lW4U)?7;RS5qv|UH)W-ʛq=~)@3M"hoT]N!^=C(6+Kj YTBo!SToExh&U{9ծXH+ߵ%/l6*bX[*wj(@f2PtNӪ1Pj떱07@52?{1Iyb'ಌ ?!ͪZڣAfz64$^daYn{uTIM]n֐+S83;c@BXb,^n1w3O- d菨͂,gkox*@밻G(SSѾy C7|5<ůٝ#PO.< wLE !h#xoZ.tZj}[6xxf[Z2X@.>;\*o MVJo`Z1 7Tڇ YMyZk= J2ljpIص/n X䠒m˞4g-3;'x5L NLZIZI.0P6MI/;z =` k\Usz'# y{h<Q]˞wIHګo@O(iSĬ%2.CU캡ƥ/f_B`[5|o353KP; 4Q) 62؏Ɇ!(]6D36؃H/;:|_~:iU-y (g&Ubޘ؀"| ?[QCg+ #!<#D b(z)!-mElaYH+,MdDltr*ơޟOs;JbShy?P˭IJ  آoR2%f3𴔪qK/2OآD񇄖׮#ZM"ֻ>~Y;6|ɐ !!M!=zʰj7js9 G>$%wSbܠG,Yk:JUSNe܇jjWZ%ݧ8VoW1G(x!2f=cRqs[{tPS\b?}ތ]GArM bb B FRi$'K; 3E31;4VO܁6![:x_r_s5l+сM^NR;1FI:2c\T.c}I!nGLqVpܕPHxG)M#Q!Y{C:';Haq59sNjyYCa+rߞzаr)rn7 \,N'Qa.?g|R]!)Ϫ忲w:{SqRLjG}1<oO8C_;L-2|n*ڒs=f>A75\ u%>mݙH|g-B,[:Bf?83*;AMAL֡TBs֯|+bY `Se5)gZoZ)8ow.Nn5ST7Ui1>ЀDNV_Q;}Z3D/_sU ;pCD4wEyF,ѹ&cVHaN̓_5!|,ϾŨM2_ͤf@DDXYId|}͡'q8U- wF`#Lg*!S.jG˝:uIemQM2._q5@%6 vc r1-yj-؍j,j w[ow8L&f|+b&'GsYx]޹ +=b¾Tf宇jvݺHb W S[ n-χsɮ%yu3xG%\S3zqc=-v' x]i"BsݬC$G>i%h|8QI?Kj6n0+c(ed`@]yې/jxc_% ٮm e!44r.`2()') 5ƃ0=Q!"XrGo1tVw/NшR̍r'Tl'dnŨ7$} wр돩Ԣ,X-|Qn Pnk]a%oQfj⚏ڠܜi4lP*V>I ʋht>_A!_G<9bȏ'؍D%4nu>Ў5oIPpjQtPOOB+7{Va^{"sīѥAQI7)_oK$)bz QkIN$NxE|+  kZp g9o)[qy`[b+on>:)aϣ9& `9 ,X*١F]8|Z1W9(ia!/L-K "$kj8F DVBXQèLkf"aϹhoU5UM4oSهDXtKyNJЕ*[ev$n(n@c$gPp⛫-#FB_i Uc?/MrVqj°f}hL`\yTemҋ]*I:9JLM"qLs"[[_Y+C+z[=Iݢ%|b:KO1&jڴ)0~4痱 't9(""OxB סO+Yc7j"0q8rHQ$CD" #Ԃ}cX< 95 757+~^E%af;/F1Z&6qI?h%PS1RjdvwާԬ;PH؂HVhū!ɣ ,zC@6757t8h.P⧝|H tKSM'$ O5O a U#1ru3wq/xԆ#bR>QTp$~,g)9v=fԜ8Fd;@W7X)M@gR)҈v R n,&jTx$MBpT:Gr>4|r5n$%GX7G#]Li_9Ahv/K0^P (,p)6no*U㮑_M񁿐3̓|1:3zs|9FBħNEiii^H|ؗ,=M4wc`J:}NzC%4\.]TJLNV"wTs`;XV^w SXBbI:`[HB[qdAG)fLoe ot|YzQvX<(@MvcбpkkVTPCKgS֧|mڍ2J;E6 9W&k7pi LjW'Ph߇tqԱ:E;Ldnɛ?R:wC\uŒ.keQ= WG'lجtܩ#aw\ʡ%[ؒbq5ՠ,\& /}eUmecneEgH͹'ʐgE&4jM_9qۓxƱyqo% 0JB~GHH8 <9uB(;HYi&w}`qRѰ(yӚ蓼e NT~ IBx_d~3Pdoɂj [{AuJf^;k,؊6Ƈ̓'jT5'Nc]0qPWLP)e6p:E0y3ߺ"M+6uQCMasA<}a<|ۍ~qˍwba"Sˇrv0irt{r_ ZXe)7[ϻ7|oH',7cjp~8ʹr NVhLO6RO4DbMEbl>?UZb!QA+pcr=f_0+W]b3ܤ7CuX$y)>>A@sV7:qys}R87b}\mӅx~_mYv"r["} رb3Tt0ہmF2 a40Ub' l(meBw-w盡x,MZi ްv= ,U1{RccG&RiDx]Mi))yW^7q:+9N+u}A3.o 3uѥ:j8)9gV:gF([[%H' nCa07{,jɮ}FLLk: . ј =<j#2SXj]v #{RN?Q**eTO{)]c%ԱA!h"ܕ:%"b'ABsÐU#CmKB2C6Tq ɫCkX\\ީ^kG NA_pMۍ)lYt?38ژTkζLmp()=o5KZd(mÞg*3a4p雩T^'2l`GЕc|ĪnA/6ۋOVh``J\dMǯP)~L=;Aڿ`Ne>`tkeLAYf6x'"BE4:Ml!]BD&Oh(+dę>+ΗдgIQ'P5ſ3H]]1n$ ykȉ}?=$ CXqj8]ZV|WNح0{eke?q?vQYJ[ +;q/K{0ΌkncGnk0a#-iSm> `N[T ꕳ.Hc+ÕԔ —y KvE3ڮY(O8#PZ0H f)d%9oJ_$r,ȐT!6ÃSsCkgZ:փQ@OeCx֎ܡ>>FZK7?$ieuۖ ГAivBܩ}1V~ ?DojgBvHQj. lEJ;8O1yoLީ—j,IJ^NـܠM=)+ +0Jy<OxAUoIi 47 6 J]9%ʲ/<0ɕZPtjQzʛWQ( 2˿ Bb {_Vqc(pYwH K3rf jRNక/"[ _[P0 EXB[Bc֞6c\m4 Q⹗ʺjdŖ=A /׵"_gѪɡchD}=F*!F5OѴneckz@SL@Zs(VX'BMQʘ@w>ЕARI>pGbl2GjmZCUz[nʍVXUXPڊ{##z{T~!oPMлHh!E3cľ^'R:\OaCLJ>̐k w@q[v/(QrZ_5ZظX#>u͚|8#Q4#TDI +L'ǶGSQcǮh~35kl/3.kSV_ekyAЙ-?HVR_7y p/ؤޡv\Gp%>M1;1y^T奄8P6@Qт`{ ʇNfpN"`Z% k~?=j'gi4cTke=Hms+5{Vq|.J^QBB;VIhG$%0Sh9N݅IՁ:/|@)Bנ&#eȣgQvF~ʍD~f4.L~I :MA6'WB!݀_P >eCfZ:!K|:(׸"׺}{X&~`lCŸ?Jt^`{2"HDq*(.LEmt&? MN:Q-ŃS3]/Hא| ,VJ(|w0R_ݮ9Ā>IjTCd'9VndYs?wXܠ %ʢ mGuM)JS=61C 71dU)/&dKHq '(p_2q0fJ@4*JG{1{\SYa#(9X23-*Q݌\: v+3s]I}[e<ՑL,8{B CD46q65|d<&jg8 sMd% IU/8w7o"nJ2/4A|{5o"ZuxlJ GC0Tg;^`1z$SnQN]@D"^c,VDė!(%y>jugݭGcٜE¤kv )gOJjbMS0iѲd/Dwy'P\1<,^Vi/BTs7."l?UfG}*:RSp)mo/5ͽU>VӀ%m'ΰyއ2Hδ_CS GY?I`&8n{Qr̀#᦭PB4l.=$K`FQ3=ADЧTM\l6 NQ*A>1r:c7Hzghz[c܎ H|Dw1(d/VG V&1JGӂZZ|3Ԃdb3W۴LvpccCw_dU{Lޭ=}0E4pĘ|f l'0nY>D(/ +eo##l lU#O`Z"R9Z%æ~c/Js V6@u o?̶]`X5q0mS+t>pPFvYjNJ6Il(~bIҳ丠z0#\ZB+1W}\F[K5[%jOumzv#rޕe':7#HmɄf(z Ma!}d7O1?uuIIUzcSWf^֠_M*Fz˴??~N{f!vQf-KMh:XIu<(TXxlHwÜz䄲o_tee%*W'n.϶uE8srו-!p=%x_Ö(ʛ1T2`ԃ#gVvNLΤ2ߙvf˶ȱ$6Q bıCg|+;] UАDrGE>"+65>r2ipOq ?ɏ=ki" )ڼ}}.Y&$\<QNJ,qW&}sa GT. l$ nW]OW D^ ZKerr}m!\䩵4,I!&ގō#S|+KWB*ki%LdǏ71ClB+*}F;E4ֻ,@k|5ANeׄ<h|n YTJT,\@>0_8LF3/b,ީ?Z"5ɣGxO@7*{_Ո`{:iEl@[#v7M\V:Q>,RDL1'+ sw^vԽzNqp$p^ZsvJ9;[a뻆[r> DJ[r0#ucv5BT(T=0]6 X#-QtǤTؙ_W~?(_4ߋaUdȌPo{~eatmXId~X+fhP u)b4i*O0j4H1$ 8pq.C;?s tuJrXLm%2^b[> KXoIX6ʌ4'uױ,ymv-ێm5)[A' SHe@">%|fp<ד֪SU|35ka:J*KS %'.f׃&3D @ǪJm(= xFXOTAS챢u+5VynƲbD5US@cPLK(&1N#jAmLƦ+9\[2&pSHb+X̬0 I3r j6FT풋nƢ黩Gut8(/@$>5,xLT+u/lDtE;bM0qN}8`.(+)j3mُ29@Ņ:F.Y(AGl2>d={\yE%MJHw=vEF?[OG}ү?}L#-,90nbSCf;8~/Ekj6ecVB@~a0[C-8JAڄq٢}%IT]!i9Da9) :vuDU(hejΞpxDsEl[ ?e+*ބKPT]#7) 좩Cea˙];k+v0 dAXskܖS>@J=:7%*%~ N`3/ױ\(l?C⃼9s!;WYA :pbՉ-,7bu$M4j W+0Utd$h$E8#I YUa F֩ a!+M$ "x;ܘ vi/epviƸف-A2??],Ra&֋kZ|s[@6ؠft1K Dk4^KGmC}֌28(|VRg$uA̜exOOU^`=CkHR.S/KE.܇za;#t+v[ ̓[ lgܐPjߜ/TQBgbmOXQr{l4]Z{6Gg7AWf\?F]Ls`kAyBvJ0iوݪæ0q_ ͮZ%ƑcV+qD@Ɏ36f(tX!Q/q)R1WOTfJy0'$K<*]`;GU[G }U ˉ&V{ؘqf]\R Ų~9I@dS@֮,Bp>F+"\l=d5 7<6Do6H[&6K-)jaCv@KVI17UT(o EHtu9YLoDZ-I9½sՙ~x{sp[7 ~&?{>T0 εIt +_^%>+&#6;^-7P=D`h?`l~,2s Sm1O-3hXce)3]N wnq9DL4pp53>Zu'N?j΄$Aq8" :XB=Z˻s{5jQxȸ85 ҕVs$™z"rlw'i0k?i5k-p(j-=ؕ3d+8Snu?ή5bP'l^vȞ qfO?'SRSk *>&+$wZ]fn l^齥%Yg^. 272zd Z5憉M럇~ep+@|9Л~ .( *쟁{R~UMzp`U5#kl[ ZS}0VK'zi`gK~m++)X'u\[xgfIpV#nm]0.j: WIe1O]TȔ¼SIsiNU` EθIj:~[3 YJv^,3g1+ThJ^#|$cwjUޛBOva(:(؝}B_~A}1ֵ.1*Ph5*5kߗӉ%r/V#,@S"F}L+ 6<Vw.X*YoMʤi6LFBͧFSe\t,f>Uoy V9&G1b- @-'^!'\kz~U9iF u^(5(^dU~4JqNuns%p&k)x{i "²25"ɦ?CʹUqr161= I^o7q57ċmŦwsq0f7%'ʖ*$-y5 \m:_QT(,Ҽ>b6v;c>1efho?eN sm.J&WϤܖ.iPlˏv1ɨԀ(m#OA2F ")D^ҿ%Ɨo9ք9|nPϢ]x^~dpO-᝹@V;L 7G|S¿)Re@>xFOQ7${NQHɢE|qVVt>'"0c; [cg=]#R=}G!p{Jpg#5IQR1ۓ/rԕԶWx]p ˧ )1 xIw (GtհIj=l$5D\=Ԝ"RP8ag44v ¶T<>XҿFЅ}w5Pn`@{'}ňX#۷;2(!,SW=7+F ?A8#T~wOUsK]{^EiۓQw}>%?1-Gs/?XŖKG HWksPCcTWw:9-FUZ.W W}!m8dAx#dÁywQȥ¹vK_'8Rd}nsD}GׅlTZpIN{fȿPr'-~a91NN7Ofx `_($w6eD\\ &KzЪ$ۿ3_+= {BCŰy9 “ c FIsp! h?+2y>Q4'lb杢Dۛ3_ NcMuwz YR !B.!#WHy ŏf2|f贇4 aXF:/V2vE~l=)ّ͢-*Flg:[Twak8CY|^$QBdE>W1k橯җ:va&Zt_p& [0v,Nզsn4povPL4lv2iS|l٤>+,"2QzH ύkwԪG?=ER;8R^\q"We}kO/įN~=uy´.m:n9KK,v!/$7x*?­ݱ?؇O/ +,˷jjr/P\4%sBl3_r$uomekP' @-"yڞ}3oa%V|gj8d8 r DF4Ն&YÁ*VI!mGe =.x̩҆vFs5IQ=A%{ïЫ~pm!6b=@ HO4;6 _Uw|rv8,]0콻_ 24F  l!~#ㄶ^ 1A6Ba)Y=\&Y( cg}i-i&StLGUXT"{2y|'hj3x7^=;\MWYI1< Ձ6MĖk^ʂTy~&Hf0.&SS뤽XBW.AT=#qxôXPRF^W%4G({5譹2!JQe )1@bQMN}-%nR1=+#JK-[Я؝ܓ.`i۔h^mNJXni{?Ҙ1؟oM:cK3mCyX +l]‚p %]tW.DWiFa3I$ {(<sv I~\icU^Ah DRv7D"m؁sKJV+۵AS>m&0j oy$Yڑ/SpV7 u,;ݿ5drbbY qT_"+L-)ɇ 4ڎ`A  ĎV ho.0jrFI1A-iVorW$-Z}Z!jJ^`u!W7gCDB%*At7rC}upiH;nDn "Z S4'Gls3OȞ5dp.)LK--pЩܢcyrw|2Ac 8vxW%f]KB( F=21Uu6<*s[Gx5>FgSϔ6a[=-Ð]5A՚{law1(,"@ OTĴ Gn $ Ijkgtle̴`2¹A+=z53@ %3<^+k >m=> =N]3dj$.s2H${mg{YW73T\'-i= 楙ZsOY@ 16ܙu:gT ]/ c5wߑK.nOuwya/5<6)ŹUL_QT;9͡ڟ|FkI|g_}JY^##A'r6+cf1`hƩkԨ 4Ta!jnr% -EȮQ*  nl!gѧ(0*Mkb͓ …YA4e;q0Ӣ#% .%O34%v6v39*GzQt;&0Y yt:_g _߅/13D5yqs"HF{'oy QW"+f]=9M'oϏeTF½ӮsI#5wsf0^%-ނ:0{MSm}ҿHBGx386]'[2Ga%(iuҵQ {{Ϳ[()L #k{ME-~pTo؆lg?،y}L`ӿƒ3Ir]ϰFn/Jph2b9E데%մ:h0of l I47򿌫٪v\In-; B=t\L QA1&?g` ]yiGs!*465~?/O~uء JJU(1X3o;%G7_ۑSUbkT r'$\=g|ؗ2`XǽF‹itE{Ǵ ۸ܕK'}ԟǎJ/ :/Z0dnW&-eҼQu2GK%4=ǜV13ie2>b'v7V gPn_?MaUeFE)U{IP'S*bUyZEʂ#I$/q0A*:pX764ū9(^Oq CHDh>m˷g˯1S5jl[]( =+>(~] =n~cO>"\L-J7ZJ?S9vw9y f&l ݬ^m"zI΅R':wJy܏*SZ]Hrr'hp< X*vfaiI*hz@- 1X2<w> ' 'i2E)q)#ެP4 Წy:QS7iw1WRM+?~*`-L"C3e,q@ˉtf z.xLW2UQXۆn4vad1/PQ>B!e4ʀh1Q;8fW'7(E5ȶ٬HOĕ?"uA ˧ʡf, IkHT3Wy L*Y2s숰n. oJ n7_@Cɰ17G[^"|-`?UP!p^b2@2l-;n@vFhLZ"JMW U[@n1 x2u{7> !r@@M1b~1yYwS6ԼHYIzz<^tbOIZ{!!8F1UJ>vk`p);L j,;0XL!$l[U51ItiS4b=8ߓC2/[ʲv~땚In7p^a}=zȌ"d :v&ޔӂzdJ&ʸD @*y2k?_>9Z3+'(G-FD+{eτlUG~7y%&2 M* #L6*l#a*hDI#q<ю`.Og#} &>ŦA}{(+`"Jk$y}XKv8`HXΊ#τPr勠Qƛb/T[ݻ)4Lg!SWYdBj!Ѯ?u}"ude!{{`mBr?FE 6 y?ꖷ)aQ<N'^E1j H#|DIη*)^ BXUs^-]ǒ wI321p_jtp( Wi.9EH/?x%sNd`?뺸ϔ,i'}|`[Il¿y&Z ?/w! pRq``#Jݑ]s{Of} e3G.Y3c㶖3-mI?/t:fFz,W¤X$ {{ze+OBo&pP<[CQ+~lі1fPFAk 42MT)̌KM#qO(徃4q#?GJ"bS\X%!(nBHᜈB"&vbݭWG }o{AiG ʲN-VrE>fʅ$۪̻=FT&)=3Zcȗ)C?hṔ*Z*0e3)H'JaZd-M<3Z`yXҭCϔg}a4mJl)(nl+#W&#%ªwsaU"n9E\v]ZO\&3"2W'Byt{2n-G1XQR|]UQ5@S%OMPyKiauI0MiE{>TV95` HPĶVX0N<ft9"^aZ~Xwپ m.},Krz;x;lOLTa,lЄ]Y՞&">Ayki?b#RXtR ^D^8[:H#xPP"zătlZv }ڷspp,TcgӮb,hjoVVɨܥU郛 cˠu(YNm_ 웘}CkC:"*"B#UNwFs \EMw^&DR/2jܦ{SA^֋?P&ƜI/ THYJnm`,Y_;>z[7vd:4l[xxGF#Yn$-#[(/{2B&~Vܷ1(lv`N\D"K I_dg.PRBxzh 뻦qPZ,,[b|>>:uϙ/,L:Nc_R7iަv$j6^k=}!`lPFӻ 鿍e0k%SFxC[fjuyu>z SQ7~bYgb;!j!Վ_ӵoJbZ&O5uc uh8uAý/,{\p+RL|}y`yU)2J*=^Kzc2fg946 ēEv`S(4ļ 0EHe l|m)b-ղSza >=Pbkg7*p#kC̨ƦqĴl"?oZ4j&յ6tLg+C?m)",~ki7Z/`Zv&T00/m_Fl]F gY:E @aꨁ{}gޕpS!ݹ9j"Yn <2%E+fw48ENRLo2; ~\̃{+.Vkjԅ Y?N* LĹ;CS\wnM5ն_Pg(l5ywuoؒf>0DPJD4R>zQL-7 tqD\IPW=ѕq:ق?ZAf[*юyXNkiŘHΗw)[y)vSX:r@/=V]eH_QIaۧG_ aZ>oOo5j/^EHW FO5]K|Zy8QfyŷljKTD Aځ ߊO?|J*n礒cTK։ڃc̃P{NC͸) V>%11p|{˨E^HJÑMݯo%0. z5j9s,/+`K}[SM:؎I-i*R,.^g }g?}eTD>4 lW=\W?h4?,Hnt&tнm ?_MY5J,Ʊ+ ճaggfP%aX MLUšf+*?!_fĤ|ɦs< N(f)8pp1a}J} iv\8A;=ȯh J#GO 'rwUa-Af_tQ@^ƶm)A;^+@cHϑv<ݙi2+e ߱r+FDtS!ɉf#B"{V?~ˇ>izN;sph]VMl\9^X@W5mB)K6(n@E[sC#OL/<& 9$!}IH!ODwy?%^1=Qo(6d+&ryab!V aEoTP,^pYkL <TIߚbfGؓ[IglQ&eO42z^M %yҽfՑp?-Ce3ɿwohJ'FH+u' ]*?s @.4]fQ'7Y`(þP51f)備BDu甏s ޢ1 >A]f>~`+IrdKVsg\y9Q#2,oj\1Ydԫu뚑e/f@>Dc:dQ.($kqTEI-{jfyC|6n̼>ME'0j7~]{=*V3*}\mLv!p/qDHW\糵 J I%yNFHNW_ :-^?Y&e<{cC&zNg8^켅&l)-0&պ^W|*0s/=Ho?3ySD8$nkא)l)\𤜛CřvBZ1 1{ 4*NӪﰜ^|M.dNv.ޗT[t/^1qR{oℓ] &,c p3>ՙrs͊CJBW`\NBn]j ǫx7 ۅA0F8?Ԛ|yBHĽg(Bh8&Q e"rW9T&"]O E[ՀP?BZ]شKB-*+Bc亿1P͚OW8|%TD{m`{3#C&PKFmX>kTcIE$svSrZ_7C <, g r5jRqQyRea:UKsjZ"m/dPhdCcX5Y#džM`'nޭ]66Y']#O¿LRGk&8\E]UA,ɵ z&3͎څw-bUFE џ/M5E]BGA8IhCoXfҹt9ou=PEиÊS_xځ\ 9kA A2q9TĭYh9FrP#xݧ4t/ktۖ6s4 ywɳ_Q*V3d5f\Ҩ>aEVC|tpP5B-N8߷/y!4$Zm U**swF :kx- xCh>_ĦȎb})m"n[)h]"UV^Jh؊r+v6c8Eh$NZO&xd4...MH / vXܦݒ13 ݨd?ϥ%ԪvPAkH2Y $+ahnCtc .P˜f `l"(ܺF|fQJ"'Ν6{/k%:>y:e훭vVv ̾rXzN/j1@z&b?AL*GZd"0|INX׾sq_{\iqZ״^=:@~^\Z­v*e3[5H_dL!{9k`xt2g@/&]W>-2f\w@?9J*jz}::Wrv4%&՟=D78kԾRw3ͥ_k?]!-Z! JAao^UitoThb>B:*a}T1B"9Kk~I>d":#0].W!Q2Aj=x*P#IYeƪrI|lE>,K|ݬ]DdFhU K}]L{ԟLEAΉn#F&-N!qO'P4AfgqӸc/\?73ά;&do ,@s"_}B3WyK19¹SgRa6b 5wtӃ[ro|0~@?w~')"az w |R[D`N8q I6D=˭dy-d s)'s鱀qL5 +ّox.9'7a`ИrW\pL^ ׌PՁ͋! K+II64?Iqtko517E/ԟY PiAc~&C V8̰Ms o9{?uxcg8Hsm jE,W&}\xYc?clW֬?Uury B怜ZJ,C$1%-9lfXNh-?TdD!" %LIY!cdͬZ_9j;9fS¿buP3%%Y5zj rHq2qS 5? T+&Tcxm3S&Q.\D"4)j80G= s{үWe 6R]8Z4dbݩW!=I.$Pͤ>ėUxn2(|sΙmrNOhf!INڵV|٧<)G9x__q5sY3D "9JQmq;,bIYwޫf%Qn \w}w="%răͪ[&4v YFT$(>@r }&[_,#ѥD}CtAFO(A!HY7 &# -(N|B{ 8@Y.T&W3L;v;#rS:g=}~ًuk*z p4Pρk$*_3Xzd}^R\%+E;h#m7fI u^%Oy<, u9/,<4ܝ=|Wpo4hLc QSa6ܠWkD))-$wA??oB$B/Yr-Kl5Qϛ:so MgׇG/WP C354VmۂWt9y7E rmfLl,_*H>!Dpkn]_C1aHLYO'LnX¢q c)94iן_ Ql`}DQymFBhaB,TJmlϧ?;B|0 w٘nB<Î7g6ƇI.ŜPLT8hKB="hssP7C@t[MwV3d|OzGK <OF#vRG HaWmhlCx(J.DYyi?&_ 4J@"@SE 7o?d™y,i*)c8Ȇvz:OĻ%\y%:W|? Ԃ7B1rm{L0x5YUu w Z@Qn4l[ Sdf ھA:h:0;d(ZhB[^ j-rv3ϕͻM2[ tI}> A󢱍Sn!fb܃tSؙ82 l(Z%: NݩiF?k7i0)7!szbbq@q3X:9,#CV?PB Z0}.u+ud 8 c{wc[~~>s ׆rcjw3osr pC3s cLRӴE Dh`Ի!yԖr6AqNf/t- ]wv|O]E$IshsJO7ffh LHGj.Xlzؽqw$L [sC'5d}b@|]0ܑK GRr5Ri.<;3*^9TWCܹ7ySofDFh"QsT[A1.wW݀PhYMi^s*"r)Z6:6͉q-|O^1-c&W ^и3! 0o]sfVX!6CۧV*";ńEYg>GmsڵՕN֫!z.2W<+ ΧI0Hjq_vnԭAEYpC1()wҪ,K8Jok+s,r|_aڜA`M}z/ͬȟ_ήEx5Z2~g̚vYyNh)+QE`7=t1Yw2n`q}x} IB[z3TkyVhF(iI= @-,A'Olsf=%nY- H`ȟ3z$mb]c V bXG/35IQ"crcQ$\OIg=gdqxl>.\"f Pzu.z!%<`c; ywAjphAe(9=#|6X@v+$x:+H :t OZ2"`Tֲ p0(J;ɀmVcCgIt~Q a MM6 b8"ɉmDʠ<|`tгh% ;{f'gv";T  'ĢTnmCLOKf\趩C*Ǐ4cyW{}u 2*PB9MbQm` ,HK'OD_HS @Iޅ6= NU-ShLנxa[$BgaߤĎmH"%9}kuRh &{agH[(CˤJnotq=AEFsdnY*2 7YŐ dUr}RrQg3fc2/uƳ xve8Ze@tL#3L@EUQ Z)vWTTPM86OR]XڢBzՓUK4SO;Od^[&p2kw+cnL㽹ipW1=l@S,g(u%,`ƭ=]|݌2kAdJ6>w0sVlTt׀{z}j}6*(R"D*8:ⴞxs7+y{h mCD=ݣbvr¿~4w[{FC淭ƞKB)BfQlXÊ?s,[Am;OϹXqoa Dck>S'u-g :=M%A<^9Z>JA1ÿ|]HsʵV3!Q~ۭ#O47ZEi_|K(2I{ǘ"q?7o9z+we[p2&"#pxwrKusDH§E%DRJB-PۃU-2kX7a߉׬]G9QQ(<2S\5YLWcd7Ju(jJ?+`Ap[P#/zBɕʃ,'E5 \0DQa_"S{PK3, ?*nO3b0C|?"70R:k-|a\Xy+R~^DQ Zc'Dr?)J|jCm4Ǔ ׯz XxsQBnDM9 Hٚl<6>cθ{xBwEčk'.4o+J-W!JBlxS8<25pfqѿec5BZdQRb^aH)٥8iBGzX b#rӇ˺&K{<{vҴL#ӖXEQ*gvDFp(RrR[)y[ # i2BD688N콯9S eYj,{GG=mn 2Z~GPbգllI9?"1٬=(H,GLz?0ɢdI?jV|՘@<Ɲ'5e**JIv--%ŀ){TthIlPv$Rl[vY~؁-v+N8ֹ%gj"p XJS r^eFuvQ! _tOdCn%_o,ME/ CQ#Jneӄ #')4R&r 0$v-ɨ@Y`lbuB4h4USj0;w@=DBG]e`;(Rf7%% %_rxNch^}5d/ j/p(6Q {Jc `=.~Ds42b##~M)q;3.!ՏRJ(*:X[d0zFؾՄF*nPoܻDS)UIt< "߄8hPGMΑ]RyceLYc0]V\`gMj @ǐӦϝ;UdH1]F2?=j{Q/L>Ԣ2%0m6'"Tq=*' #sIo"& %\|شek684} q%=MU6 ly 7C#udC}<#7HE pSՎCR_žvr\/|^'~jW#lwiJچ`7]x#z&hZG_'NURm-E ΃oF\bFkkf^Il=L6)rK;N*Ώ%ǣ*J =~)L{UNd:,|:J{asffF/5 3/ۊ6J*ȋM *-V=T1zKB/A 7dY'b N;杅pD=hV+gTx=H7pw].ov`"򏃐ck\D:K#Md#<c9I'[Zp)ZiiDe7"2Nly/)wSbm1-L1bf8s9,8Qp.Nm0eh~WARj:}FV!:_]C8UU:ނu'|j8 2H>e |O$w_I_sI]εfMg8=Lnת̀4.@wDT*Ir=[wE3ؤϲiޙk@OG2Z{o\>BfpaOʘj,@#G(0X 3InP iS5ėf J *skftzW@sZ=B])j'7I-5h"ޞ]wCd2L}BXzc!\82Yp PY~Y> U[ ]y>JbIU>2ioy'c[7VU<Q'K1?pѴvxNEݬO0Tw KVX\|'r"aܻ11:4a&w3D0=bZIRzQ`bf^0 H']jS uWrw JFzZ`sd \۹bHLb4Ԇ&A|Iߗɨu12l["\{x5|zxyؖ$㔆 v&\`8^npu_CȽx,Li +:)8>xEnZ c63fv0V@?D)#+C=h.&9Sޤ.vJA[y xTr)_]ܙGY:$|V-8ۀRC[&+Nԡ{p{+Re[c{#*!ZE?oxص0%ZH8NƉeE]7ges dqR13xOUã3~[:%w6limcL{}3Xt}T<*A__M[.v)6ןo!mQ!-)h®V&*)ΛU6,+!y$:{p tS Z],U+sHw+Ɖ. Qxʘy9۱?4i ^Rsb9;fĔ;tj=}~b#dB_Gk} "ЎՁb!VthN l_g'IL(qt'Ra~Mޖ\,D7DfSX; r q@hZn72[Q+LO F:q/4X_KUH3-A#B+Nv-Wr |8VܐhZ';LKVy坶:?DKH|z[;|v;[BdWw5l& ߥb`k*PNDs_%638_s#hۖ g0jf Eav}f#`'*cQ#y^<&bF|zzAOΜC1 2(a4n9e,Ng dU *H kr#Ds)qL Vc3ozy^l%,+T)=S8W]CQN6 wpG o'lz* 1Rtf/%\kYDN2 i8 L0㱙Uz"}T5Ea oyDCN7a_:Mx a!JFaK+Q^f#et>shwL 8G@GbWEli({ǀTAE0r10;9@FiW*It8UҺ{^_qw3Ab;WJOqjR9 mB2y]HJ.DB<bg3e}fq#d&ѪXo{20 0&I8}R%"q2mblGư9+/@!-Y:}Kab qQKdmOz.-c|9=8{*`]UU7 q<'l?s{ӱ("lU\5\;hEcEgAgt']f9#&YtJ'?HkR!wc5˘U$S-kL^ۡ Qt!Nn*\E x -[ <eWMܦK< S[DkUIk G 1[fe;9[6CU@N~2aS[*$G)ECv*#; S5p`'kH]:6#'\Ŏ$<ۡW73#eRXs)w͡$)pZ?ؘh., ٿ:&i3K [ sa3^iG <Ō{k:er){YIYUy.z}>Ȧ5(c2RYDxwcfb_T`Tvw.LTLEٔ`7?7v66U47? DE,g%SG=RvӹI+`-``C[ A>*;V9HxQWfݒuf$Fm}TXa]1,F0څ40mN4NŊ{ , %j177.Le 0|d6:c*+ TV81瀑Ĥ{%qLf&iPtqW9 $:$ |-f^4<=Zk jlbע=qNyR_5X>b@^rx]kT]q6^iUЉ>q%j> PeKM)ppgzt5Į0@!НI RqD%%M^n"TѲFZ,(J:wթ\Y?Q*!(M.քĶpSb*Lǖe^+ {?[D o{K˩jjvKb4Q?m&+(V#IbRrWYvA:Abg}VЂug{{̙vfnн#Dusg+&ch>Ni`} I:vy8S@/X8 ]a}d9R3\ɔ4!|wﴥ'c`)h6aK{5Ź-Ѱ=R18d1r`\)#VիcI~.`g38'|Li1c ~eGf=]7BA"-H$ 콟ڌ Hܥ}+SlX"YnjK4i1Lu@YK*qA44?0}4htý>z.:Kaj|zK3/rQO`G?S%PJut3V&d)&ù X#3@tOjnu/, $ߗ'64Qafy~ @7 sByEb"?(A a[OH?Mۚ#nWS<= G"-B}QsB3o}䍝/%{\}[*-OcM͖W bB#<UlOaɫۙY1WRqIb栐 SZv,;' Ee~x.p:N XuͅtM/( hYe>}bh{Q"KlN,=M&m/vDE%]tîe|vb]Z uDPәY!47J,N ЄƏqa5ZAF]C{< AL4Պ3-A ufkI} Y^:YXV82@oUjAn!e`]q@І)ԗ:qn T .B{.$p&u VOzP~~+|R jWzJ*n v=k{^}Anp4-myS wQ뻹~oE0)&R?$pwv -lנ$gx'MWx\Q(& G5P۪Ռ0dT3{xCwt _t3K1?ϥn Y ;~;ߒ xnm "M?O?:aq&5Im=Ppc~(d}^tD۔#^cb8d8;:Ω< UO=0]L$<1 wb%J4Qk~/ADgc(^ۦM`bVC6`Ixܶ%֜N/Oǁ &A$lQ@yEr'j'iDZC+HQXK߿臘C.ݐwm+/{6sorC{s@{N|bhPmPhk<Q15x{jVV4׫Q)ΆtE+VF~e)6(l-vrmj1nf&bM`|ց>:qHحlHZJ~},y' ~n#hChT?a^3i@k>|+؊IM͠FӼ|TŖdhJX/}GEo&.O&&CZ6_M>'ŸNϙ<9U';SXm,jFx39%ʹ(*/Kzoլʮ[4 L^doȗb1fl:,EjhO8AN!oR((*Fp@FCZ01D>;δZ Fn xE[X6?:RDL_5I_>'#:p QSOř Ro?8~P$b+>?,΢k|PqM\\3r~M MoV Pp8sM:7W\|Bk` M՘ndxzWfz)GOM{ԹXj*R%S%駅w'J,9R6IL˿k6a\cO N6Ě?^eAwfM_L@ZY»BAkvL\F]*u$zI}\mQ>jV[4sqQ̖I%~b~] N\cNbUSй8A9O4p]J:-R=ͨR/zC~O1X[ /ۏ{UOJӕ?N"Ѡʯܠ4κH8-=:(=HVvQ1Oa~|/HߝM{_>Ri0Lv_Lvg7E-BSA m1 DiQ[Ok@qQ1~J'D6 46ukw RT -m.8!X ѧ6FKz :Q%ނv>I`w@jy*tB^g,X1ٟPCNۗE6Nq\7z߮Un䛪%l- ũc\Dh?JYkPԻn/4~DzbtzcvmbI0x,vW+_Iif0i{fvVg\{ҏEڡ!wA \ P=)*N=%JJ|ocUea( Wƅ5ٽT_yo 6ISޅluwnnyEd#D?$RN^k+ oʗSd+0ݬ#WʾOĵ}XHDV#pJ}z3+R :m.o2qWK|egZn-쉠!w$y&cE$ n_4"8rbY!^%~~@ Bj v m=Ml R}3u%6%9E ԛ4sJ "5?7Y_ƙ %ϞX%5;?(!^<8J]rok5}ߺ yM1Kڅ2Or0װˎ[DrGFOBy<624tN.EyMm9h:=~jfJDa@|B8;Q,`®Fomݦ9Ԣ[&o$`+.)TF>@o=gca~gh09T l(zx4f qD^|1> !+r @h|6рa1 ja0ހQ1`TVdM[\CG, 4 3Ox9'@jFlXڡ#[>t)^ LCн*5`}-,}PZoB_=7.tBE6 pkrůbDy go6Z]1H7.5?x 㧹(!l9˫NI*2M=e"*l!tZ({f.l:0rg2= QR.w!$Z[u@۵pJ{J1YϹ߁ԃiW#N!y_/)gA\BĨ% ȉmD::=bFb9RyĕUdYD(1 ny5M9oLK)IULk-fPQǫis$|:\<ݎw)kYpyX{*֮9-*5ik!eMvI8-HR؛)Oy-|O"9c(:߶!ԵwZ9ߩ ,HH@ǛzJe],MMSc,/pnA;'W`zoy`4ŅF@ցmJW]Z@57 !M +h V˨T/r**:$]ap _t^} t Yşz4E ]c`] OnGIP)js W HӸ|Ih s~|MzIe4ҥU83q]Y`Q|^V ܥBN ZݡY xkY$9ܒ髇v G]?g g-9/brY4i84Lt M6.ᙡ 9nI0UEqǯ꒮Dw3kܻzA WuTNäXl<.<G/dq( !@UHxh\ o '+S3\WVNi kP~>ogY'޹qs0G4=+@ZJah2bKڿFz*ΰG`ҲY.5*z2}J`Bd |#xY&d'NE 1|ǎ)`/!kKAP4MGᓳ<`[{DhmT5z2±a?!GU[-m dn FsŶ<,ur̺%L4Cj꫼X1rjr~k0lU@ NTo*3sC2 j7%Ly]@6;CC#!U`EmU붨6 3Js]*"| H%WfhG].vs"ql%r^ׁ&D|bDLgN)^|ϢR%uϗ'Re{u{u7oX$<Hp,L◧G6,S_p_شSIFqL ]qduK4H~|1$н+i=- ٞ#"gu6qyUCh,-rc⩊>!R7\U؏ lE-mrr:JfAT{#b9jK}YA@y6,"X*>Mq* ̊#}ֵY_ܙ\@5~$*О0kM+f >! hs?҂ZqjSx&k+p\dRS^qS$ ۷,~]0yIf`%j<ق->w Pb2|!L3+́$`5v)9Q{ 1$G[! k2݄Ja$fL|1Lc`8pY #2 &R{X" IG)ah Me\%fT-{+RwU5xo-8!ܚR#ǧ7> n L`+rv}tr/Dς X});j9 ٣Nw. } uQCyCH+ &IПh(>jMs]kK24j$bF50jb YA<](_ftg}. 1ٗҴ}> .Z\Y2 ?/8b@/ߪsLc8Һ T ayxr2}>SeiE+**_^wM]M#-P1KS1M:2ЏQ}Rr@y+n]qt7PXvGI,6"qt윸~ ..Ln]zǜ8OmE^/\4زHV\BJ#v$`\U/>3PAInr8.}z-;T]϶(ni3ǾPO#:F6ůe){YV+z~tIWŌi2~2ɶ"_]}mp`H/<_x]/|@=lDKEI'qeh3=mk{]:f*#DPv"*F4R "63U)4H'&O$gYh8V`uVBySZTaP.7b?AF$КJ=RQ3a|&iyb45 -\n](,.r2uY+Y18Iv }fL_ة)z4"::*<1< p/|Txʕz_zH3I:5gv^im )"M=Qi\:뢯B (ۯUg',0C2̩uRfN 0z<ӀeU!IiAV@"GɚA^D>Μ^Gc >?)<LCRϷXYVKi0"|¹D 4e  oaG-ڕ%SK-m Y+ZQ 8qT'7HKI:-~E0GzpUM^ù2kIFšyCn a/d8A䛉HK"з~ .ykV6ΐ+[u@#lM_*n4A: PaxGrw=[+uNϹ7Jf$[_pJՇ-0j![VK@Uy-Fw&&3 bh AFBJߌj@b?n\ιPT%ond _}y y P (5*D>d} y %t>tG6Wĵ( {3eug~m@>#ȜJ0UͅΛ~/CsuS9󰅂,ԩ%`s1ѭp`*‰(ҞeˇYp4qt$,Գֻ8{ޚic?*N3&#}?.`?IOy~,Lޯ} <"7 j ىdÝYgjE؟(_i J; Lrk*ti?;"zŏ0פֿm"jAHy:{5k "\MlE.S \ ȏ9[V-=&V~S/nedPY,Q>Wxg -̹fDvWUrfਡO&'ЯUzFrKk7xK(p$6'Ey (^3؅O#!U`+<ҡh:ƻ_tU0'| Imdʽfm Q×,TB XLxАbΦSlI[rlq,ǟ܂Nl8́crk q/5 iA i2H`tpB6]xF}jU r}WJw=% 4p=h͑8CDwh;Ga1&qjmWmL9.@l% P+A0Qsy*{ +PU3\9[XTF_?T-/{f(k%GW&雭܊E-:p?[ƄKnèU砮c֞~*Dإd}i%'6IzuyS;_OX6F,m \[ 6D߳L1#?Dދw6ިӎ=z #>IU~'!G{6E4bUxƯeNp菉xHl$:h|߅j^&z,^]g>:g$ Dv<:'` C_}pld:@2|\]U,"Φ`i-#+t /AB:ΦQX rIPEWO ? 9FY=FЇ5S&5|]BAB]=lSU Y-_ҩm 0I*' j8haNJYJ ;Oy,[hV?L59}^&D`@cSf9tü*Öb WÀ,$~_cO%W'9JQzԸEA}V5LB:1ַf\E7Q0 &it4U ;IJ;uG%!OVVز)@NDb gus\g5YK\_14 Mws4%Q@;ӑ|`Zus솀@iQJz3:_[4BRYDNE ?`ʉvX0JozҦ#%UZbұW)d˸hT%^ǀjԿ8 zJ[)]N8]Ps YՉd&`\x?m6hhmw̽dHR=:A JO]}N9W(4א*{`1LLP TV>H5 K!ɨ<X.O/JG%Ύ7QJ̰SwoljY/z O%lsBa'X)l>M2S.]\[ľ  q߸-bF K*؉)@(-eaqgjP" p k47=)?b U[//ӷTcLQ]?(u9`^Sd!|]Ivm(tXOW}eE\ %[:װª?)$grB*flnRg"/_ rۏE#ѳS(ª6hU#5dkd,K"Hp+ "vigt:N Bj&}yax(xL߼+[MeaN 0'6G3yW,о0HUfl5{aL)YCCNwGPI+=Cz^qф {+G*]ZҶ1Jݱ5? N}طGα߁qCm`Fd o,a  \E_WōH?;h?[sTiLyF?u FJ ;9+:tD40 G=D  +-g+ ~ZfcYK6$%5cKī =DJšcD=}T#XM-Z_n2郉J 9|Gis;y:'8gJ""1I5n>|!朴7[pLob-*Y1쉍hDC=](rάYJB&R z ?0a;y6 4Ag9 P# N fnY,b<ӖrޞxzA^soP W]Q])Jo pCmV.9޶^EݘcBuhJTԩ]|>ŇL^TgE6R9xvn).ԑxSBI*_ D٨2ߣIMwP~툸Ɋ 0כ9ӅkA^Yz9q_f{3&REg2C T)SL&DcK-\R((9^NCn=# < ӤoڼNu |tHuuͽqI?J.H4vZ>v*բo,$%lܥ9c C#aԶ x.78?pp\@B~SnҡҭzoS HANN6}#D4O Ő-n*>E믈)4|η)ò<&Y^-~7 wʕ\@(aХF6]rb@L OxɡE]p{TDnNM}+f4^zM0jdΡmݸ%c| I m{&vkJ)6饣LC\P3!VK}h$lUiw)2rdަ>tL^C{ [jSە_N FqC;79=KVrKÄO◮Ûu\dB*\AA az=iHўW_<:DnCM_gZj`dJHO\|a3pzhH}~Y \f8Lxqjcfhjذ tOw "Is:I\g^{W2N3s$1Ȑ6zËL2MPUX ?Zxfˈ#FoRNӢ NDƋ?i7+=-3;l y"6MD2%07v9z).4s*%ބxUaUBɮD7uG{ЀZ S+o_:j" ? Ez2,?_]e!O`3`vL7o*E}500k4wdǕݔ&(PvҾ,L0D}g&a0xK6|14+3uy '!WfAł-ZAkJ60 |Tpvj."|5TF b!EF#e7{TȿA P۫,w;Y?ŘrP#n7ƛ:UgMQoөvlߧ<+gxLEi#PÁFXٝLۧvΏ7'J8LڿDiÆ\""31 ȥ50e]HL}\+s6}r>.3ai2Z:e7S7 uIWLƬJ^:h84{D74azH )IS,Mzϖ"Y"gUq6} ][Ƞh+WFәfj?ҸML 1X1N5@䚃vIͭK=#(2=" )>lg-)݉Aړ~jQG3Y`biqÜ1z@ "сN2n7nEݮDTZaf;H[P4ڷdbWՎSq[Y Ƚ&QzOmGXW(kB {-,1uYNl)UpN_&T7%)ԘCS$VI摯  L%UDTB -@g?r+ {0:UsT/)^eܣ&.zk:} {Q~sIQs?Roj B\ʪ1ʥk8g07vJ(wކ'hlptX٠=7Z .mD<K#Vuy܅E58m"I[%MAaffWQ?5H!yܚ62Mv!(܏dzm&þ]W,ϪU7avۭ"FB9皸%v)vBrDu9/=ĭKw!@~9}-# 9߬Uɑ`chŕ]{^6ۤ!/oPVY*Ok/]F/NE>$.!vn0H9Q FO7D! ivRQ Gb[Ne{Ȼ=Gx͚2G'jJ-|#Q3aeB Lށջ7fG)u^7QLPЂ2/E9H9oc(Ɩu _)rv3y,C7845ET%G`Vh̽C\Mtgo:sucz06<={ XINyi7')o^L #2YJ_?:i'J/ 3Po[~q0a+p29eQ,sRBzL/- .*˚|pkDB l&]\\pQ!Jpt@ifғp<14fmѕAzv+-ofR>yu/ǖ\2s՟ץz(++,@㝨AFr8%W-04[(ip5UՒencϟ(