From 85eee0198b37d38dcc8191ed814adfa0170e7251 Mon Sep 17 00:00:00 2001 From: Sofia Boldyreva Date: Fri, 3 Nov 2023 20:52:55 +0100 Subject: [PATCH] Import openvpn-2.4.12 --- .gitignore | 1 + .openvpn.metadata | 1 + ...lt-cipher-to-AES-256-GCM-for-server-.patch | 32 ++ ...54A3687412CFFEBDEFE0A312F5F7B42F2B01E7.gpg | Bin 0 -> 43992 bytes ...nvpn-2.4-change-tmpfiles-permissions.patch | 9 + SOURCES/openvpn-2.4.12.tar.xz.asc | 16 + SOURCES/roadwarrior-client.conf | 38 +++ SOURCES/roadwarrior-server.conf | 67 ++++ SPECS/openvpn.spec | 303 ++++++++++++++++++ 9 files changed, 467 insertions(+) create mode 100644 .gitignore create mode 100644 .openvpn.metadata create mode 100644 SOURCES/0001-Change-the-default-cipher-to-AES-256-GCM-for-server-.patch create mode 100644 SOURCES/gpgkey-F554A3687412CFFEBDEFE0A312F5F7B42F2B01E7.gpg create mode 100644 SOURCES/openvpn-2.4-change-tmpfiles-permissions.patch create mode 100644 SOURCES/openvpn-2.4.12.tar.xz.asc create mode 100644 SOURCES/roadwarrior-client.conf create mode 100644 SOURCES/roadwarrior-server.conf create mode 100644 SPECS/openvpn.spec diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..77ba4ce --- /dev/null +++ b/.gitignore @@ -0,0 +1 @@ +SOURCES/openvpn-2.4.12.tar.xz diff --git a/.openvpn.metadata b/.openvpn.metadata new file mode 100644 index 0000000..e992a73 --- /dev/null +++ b/.openvpn.metadata @@ -0,0 +1 @@ +6a2b67d4f56da70ebdfc32340ba554af1f211d67 SOURCES/openvpn-2.4.12.tar.xz diff --git a/SOURCES/0001-Change-the-default-cipher-to-AES-256-GCM-for-server-.patch b/SOURCES/0001-Change-the-default-cipher-to-AES-256-GCM-for-server-.patch new file mode 100644 index 0000000..7e11fe8 --- /dev/null +++ b/SOURCES/0001-Change-the-default-cipher-to-AES-256-GCM-for-server-.patch @@ -0,0 +1,32 @@ +From b56d52fa409c62720791e189e501efb86df0aff4 Mon Sep 17 00:00:00 2001 +From: David Sommerseth +Date: Tue, 4 Jul 2017 16:06:24 +0200 +Subject: [PATCH] Change the default cipher to AES-256-GCM for server + configurations + +This change makes the server use AES-256-GCM instead of BF-CBC as the default +cipher for the VPN tunnel. To avoid breaking existing running configurations +defaulting to BF-CBC, the Negotiable Crypto Parameters (NCP) list contains +the BF-CBC in addition to AES-CBC. This makes it possible to migrate +existing older client configurations one-by-one to use at least AES-CBC unless +the client is updated to v2.4 (which defaults to upgrade to AES-GCM automatically) +--- + distro/systemd/openvpn-server@.service.in | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/distro/systemd/openvpn-server@.service.in b/distro/systemd/openvpn-server@.service.in +index 9a8a2c7..0ecda08 100644 +--- a/distro/systemd/openvpn-server@.service.in ++++ b/distro/systemd/openvpn-server@.service.in +@@ -10,7 +10,7 @@ Documentation=https://community.openvpn.net/openvpn/wiki/HOWTO + Type=notify + PrivateTmp=true + WorkingDirectory=/etc/openvpn/server +-ExecStart=@sbindir@/openvpn --status %t/openvpn-server/status-%i.log --status-version 2 --suppress-timestamps --config %i.conf ++ExecStart=@sbindir@/openvpn --status %t/openvpn-server/status-%i.log --status-version 2 --suppress-timestamps --cipher AES-256-GCM --ncp-ciphers AES-256-GCM:AES-128-GCM:AES-256-CBC:AES-128-CBC:BF-CBC --config %i.conf + CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE CAP_AUDIT_WRITE + LimitNPROC=10 + DeviceAllow=/dev/null rw +-- +2.11.0 + diff --git a/SOURCES/gpgkey-F554A3687412CFFEBDEFE0A312F5F7B42F2B01E7.gpg b/SOURCES/gpgkey-F554A3687412CFFEBDEFE0A312F5F7B42F2B01E7.gpg new file mode 100644 index 0000000000000000000000000000000000000000..8272cee5dd0b5a6ab233c728d6ce11ac3d7b5d56 GIT binary patch literal 43992 zcmY(rV|XQ97p@!I>Daby+qP}nwrwXJ+qTtl(y?vpbbn{}KJWQ^U+bzLcRh2|95qL+ z3?Nt#^=uspKm>s9IK!{_Y)j9j?FMD3PoWAEAq(&MJY#WY(W{iT zg9X{EFx-)%*z73; zFwh_3w&(Tr)m0Iyzbq8(FSpr&SfLi5$fDTVEDo9~!6eUc8$C-!G$$PP?)(LXpX}Yb zb;pCr<}~oUun8(T&?wL3oua}7f9Xk=*^!mNAK6RkgIhuY2UOiv6@;QlL6-}l`7u3# zpU`Ofzi#UoX}E1xDvhmN16R_A!yCj(@K1HmPD^Im8aq*x8>m6ZP13Q<&Gki%j@MXMeBm7vtp)4nEm*8BdXZIZN$7uT)Hkm(X5L3GR8h0p zrT~jMU4uI^HKPq;%A04iMlI8}*i=5xyah+p90(G7{%rLmA7^)&5I*F`p(XDcGZH}C zTvrN#Cxv4Q;cyQ|fGr!_ZX$E1`4CvDti*UrOamX|@)BP&j z%Vdic03sj&U=ypHy@{==yevKqzLJTNi=&0J2fmDfg|&sP8NRfIlQTZI)BnNzc7J~9 zYHv$xYvRls0mKD@3}j*0tE>HiV6e_ z2mk;DiGcL@+(btOcntCz{)?KtPTuDspruA%!}x3|>c(t{(x4)a6a_z?G*iq3$DOZ` z==0S5Jg77lySmZ?W!VVMQ>`F&&5lnfFMjNXDy;+=y?o^r{zb}5GDb$xrvz#p`Fg3rGkY-!@js53 z%;hDwMC}im^xNIz5m&2V6I_oO`ki>!#Z;;dM?FpL7JQC=TGS$G*^Ibi<<{(+;!A-5 z4pQ~Mqvr@Mv<36Aj>Q*%rjR>J5AE9$-5B-Ld3g-0YET*coOh-g7pc+m zVy}!>3-?lrDy2A;A6%h!HME*Bx!UKGFCA9iaUX zY=GBlhrW&9RuAjVG;&Y~PMG*Cj8o)@DTS9^X}eTHH$Db37Y0~_rQDRG_brk#HEzW} zP3>*rR@w7n3oBphhihJvSV*p>a!s@l#`b_0rG2xW*f0=lbI|Z;8ApajE94fP~IZ|u|W_3 zAppSsT*&Pw?%xY>`ZB&kcWySyxlRIh-@xx;sor5)Z}3IW?k6 z9@PG@cU&o2sM+{*zt8(=vtM%GY(fesH!I6!x?tb9m+w3sca$D^lP==+0_2k&{%l)K ze<)~fcg%+cZRFHMgcP7GbH|sV{$%jQ^-M#E=!Sl9Ts=(}wOKjL$#C2_n}Xs~T)JZi zyB8z_n+LJRaf*2|+ub;i@vF(`=*U|~_$Rw6S_juJy9k?^UWgZ6v6rBZM# ztgaR79XXz^qBeSF|2AOCWVavfzj{idd;jX8Y3jUw%^*C;7X$w`8dmyd#yL}xs^At* zHbuslFT2#l{M>0xLQfDtmpPc!>OMoNbj}M|ai=!pY!7io-#)pC+^6&nl$l61^|ITA z9w|ab`x-0tP*LJCENT?2ORmmN!lWgTE2-hnNF}?+s0w_i(k0QYk=jJ-bTDfAfI8;{ zbv|CAbg}&YeP6Yuw1?%jY>W~2rRl{fhy175f&ZyFH11DD*q^m@RF~}dU-{muvF}db zbyDHR;a^B&Fo?>xyEBwBhdU-{FsTa~mWcT3gqT4ae00$dO5os4qlB3s6}l01ALOlX z-uI}O%mCu89pk7Y?r^&tJ9^kn)c{MADwf`#Cj z&mk~P1OBa#kozzhd`8yrWSR9AcSH)H`UhxVxh`q{p@p)tQ`t`-^suQ5yv5iAxeBvwHG>Ldi%}~( z(uJt>Qe*I(%XrvL4%IaanF(_f^=X?zM&(EIq&hj;d3vRu;x1DH%j~HYf5%HF&rZxe z4+#EP(5>-RqLhq5ssQ(p1S(bduFT{tMFz^3d|ykZ!dc(R?yPh2VFwHom_nNQqfb&- zw|S6$HB?Y^R z^8p9iJM}ra41U?TZzVL;h6mTyS%nl>TCchysdmg8px2VxbK6^F3u8~4vyz~Mlz6jH zX@<{|du+BS9V2EcQ0=RmeP|OtYe{z~G8xA<@(%2Ul;a>TK5#dNB-dNc-u1wr!|#+( zM!z-)%w0{Mqel=4E0sevB(+GHbP0*vDBLjT9wM{1%`~MDKP63< z)^X?HvW*KbHqZy^kx^y<#FU(y+Fkx@PyPp$5snXlXwKO164j(nlwt&6_8)6d|0_v{ z?V*45eAbYd-rt~u3tU5g(PR!6b-$j&)kF=mS@lkkVrc5=P2_zY$&Z~A<22 zIN2wUxde*v{*V<|3HLjeZ@{Nt$$$=(T&UT`eg%k-Mbu4di&>pO%z1DN6?U(casBD3 z`uj|A41U`wzQ)Ha?ZWFb;;KkDYPi7{oUaju@5xE_wC zk6t>f``~Kzu&nL5npwP9!0xRA@y8qmH}4@x=n~Q@S@)7m) zT0)2_Ppy23hDQ(CvHQ)yClfvHMT`gP=*d-l4O+vqfC@JBm@?FfS$wknUsorW6_VF! z1S+0<)Qee^nN_1nY79_atdBYi^Al7#(@|W}HLlHp#_lcoi6c73L_NZ;- zR2p!_6zJ{4f4d#ruCKOd7!ZB8I0jOfR)TmBY9||m3Ahg*i0i^4?iLezxmwo=!FYm1 zU`k(Q#3|O$k_(z<>2lb&Z?hRII-%vU!-%pO82}WIiZpuh`!imJyrXChjW1+OsUqq# zZbFMqM3A$9B(%MWX6ET3t%pQ;gYftZe30`oS?jJpMc^_eBq|D0pPI?U$gDD{jzl$zw4Z+kL4yaULKI_m^5KO7t<`2Rdr%!D%F}p-+z-<`*;MYAT$VM1}Pcpzc?o?JjHE5F}G)M^s`5f|R+De*5o)20~a? zl#&@A2j*STJX%g##h?nYI73)zsc^|OtiNy+>iel3e_}Upz2d3L=ZjDD6~t7)@QK#E z*8T|SQjStuxo-1a#?nRAnX7ZwJkhb=582dzd1kM8`_!6>h(_Ozx))!bagH!o()G8w zYDgV;BAC1z28uIrm*f>=;e0#!VSW_HAv^r6a6`jYJ!iT1)UefZa?0xKW9-2`(;Mvs zw+KD_dKJ>?Vw*vvCpu3O$BUh*v{LTyUYa~qL8SS8UTC<};IhQ##rhecz<%;cB3jrT zu0#)5x4Q8(yX{^7XZN@-%qZn$$epH4ecG87Z8V3I#H#j#{!X8Rk$D(~&DT~I08s`j zG~qw-&`8tv`x_7IlVkVoCq=i9PXvJ6Y6_W#4SI}I{Ky=JLlPGn87d^~Ez(^dlNrT` zxRLf(hUT=%Yyg|H>-<0arpgFrG==x+BtVkDDLR{B{~4ZmKP!nXN>L;ZxKF&^IxUc4gdyGPh7S&_%*U>Jhp3aCzUcd)zaW z=#ocQY)taRhj6udUk@a>kBA5CNn$;yg9xplSVpgOeD&l=@Yl6L*8$c1AA648K=Z zLt?);ZHz>50w9qKj^FL>LGhd76(LR)>LT;xg;5k3zjdnY+Ehm^KcRJs3ZrtN;Qe{; zQoY(H0OhZB=i1e97@W$6cw*fKToePycKx&hust!{k#;mVzfvI1$s1UDy=vBPgZj$Z z3MQ4pYT99E-J65ji#pQ?um(KW+ho-Ma}e$ji3pa6Q5T9eoUP;l<0dI?kn~OU16Tly z62r;OUKmktBJHnIRug*Y+uT8l;oRtvYk>lx+8l3Ly0|8t>BN21>K&>gaK<~vXI}k} zjVnVL0z{w}X-~nE$gDufiLRgp#_Q;x4e^i3KvdrGi5H#ZCh;SmHmG#PZ9#766{a$E zFmwT=j2fh<8bzNvc;ycN6Aw*LIi$bwm_#HbDoc?AJIg`3^FjapzqCUPeR>8Gg-^9dX;>c-3N$45!7IXOxYW8Z$kiG zZ11+1zEnSpQ1jbKvVtXc|71!`OVG4TRqiaDh^wUuS9@&)*nge5wz~Oxx!xgMUGKtJ zk3MH`I>f9`TvCiF{p&3Cg&_#%y0s}Q>!&_v+`enVG@;A|{Q`7)1eBAqLV2PkU|EU@ z-#)~W)xA`vkL?DWNtSX#i%Yk`1=KMH`84YrVEUiKxCLPM_@uXv1ql9n!hv4_yr*V~sNIdYK}cTW)t<=)~Wo*#8WdV8{P zF0hKU-y|?Bl#tfD6h5hiP5vU}3xF7zYUTZEm)VY@x`%#bEDk}aBY3oxP{QLgFFQ-k zj>poi7G8i=x@#W8c8w~_@SK8qJbuSd(=QFotpyn$7_6h4AvZC~6p zh`Sg6R!ZrR3mtE0o8Bb(X9QG>JHME357tes%s>I~O)(9ZJ|Mkigf16_+iT~R%ga7T4fq?+Q zP#}OHp`bzjw#xr+7yUOu|N7-Ja`-R4S(Qw#;tmEoQ4)b;ej0`e+YBvx2B(t*IU^QS zdjZ4%44s8bLAad69r77UKea|`!|jKW7%VXnL*yaj7w0S;(Byt-S zHaW8mdWPQ#*p(7)`!W`bQ2|iZt^@n3^#jBbkt4(OH|UQ=a^miCa8GpPM0V|}fJ=ij zW|9&{Y&96d#5*?(H5;Dw zv;GR6%nBx>IWYpSCVF_I-=r|&XG?lN*_b9Y)uMh#)YVcshr*O~dyNkj z=#9sglcXIx5I9+OCE)+8)s_urxy;9a()Y^N^Z9;R>_}VMAGb}QPiLvuMU#B*fc@aB zZ~=|Gc$nKJ5fG2QC|W!bm-)h#^CFxW$uur?GXdLOdyG1b05pMw#5dQ;R z#kqcg3rZ*;XT(}y9z@CJKOLK9_9gb;c&xN+&p-*IAL=55e`1sYu3rnLec)oa!_h5g z`9L`e4(q*Rtl@fUm%pVs1t47=LyjGd@3i*F?-#>Crjm8re|_hq>5%ag^uS`m2rA*u zJ>U$9f^EsuX}X<{l&HB&|dAIR-NC ziw^>tFbzeRDRuf4`aI$w8+(tF;>8zi>xER!Jf{P{;PT&=1WQU8qWabXx0#pL3KO^y z-)vjM0Tf6lXBFYEwSR;&82np9a&FXbH(YE!|BxWTxCjw2?Tz{S7Htb@sJOz1uM~E=dU!#nP`8RIY zmyNQn)ns*z*dErq>pc6JEi1c*AdO}Mig5LePpmtiVJ%_UZW9@_79+H2UT`7}gj*D# z@ZCeS$>kyuZpoh0F`u%eJ5#IycJEb0NQjZ7D^tH)BH;84@v21e5H4oXiXi^y(HJGA z5^H&6ipExU_b1b#YvyKie4p8h=1i92#tio%%PD9M^q?o`tSi;)O}TSpIl=UfEkPLu zbw&btItKHy^nKuSk!#I=t>Kblth-iTB$zwY@pe4)JUezBG5@hvef7Wg_a70%g#btg zfFKNvwb~ODK@QHkEvyt(m-)F(b`qEL4|nI80U62*`B{2-GUo>v78Y26x}+WdTTDWR-|ICZQ^-QTjVN%g z9pE8cTovWF3{Jq>+p5)TQHOiE5n&3uHgCim?E?$K&mu*or7!(yYYiIV%==CE6Q?5C zA2x6yr0G0|!Fw$@8KuBC9Hygtv4LaQLQT!-!y)LJZ&JIPM7X>MU+$CrGs_KN?v6tp zHy;yOoor*tZLUCR+M|Axy)l9&qv3i~_SATjs%ODk?xNyNsFPUOg{DQpY@`#e?a42R01RjZd@BtJ^%f6ZVZ`S@1HYV_IJrW!1m52{YO4U|L5?EyMA+c-H zUmY4l#Ahz;aNmILzlYIpLxg9oAJWsLYfOnIt{z5|b_aj>iEzUuk*2&A30e3E|LUk( zQh7mtk&LD=m=xqgy>Hu5(9=bMI7lFlj>i>VFN;hQ>S~#uEl@fs9Bgc&21$ZU?fQuG zR;0@r`Mu|_&p0*DdMW|c-3=_Moi1xmb6_75h&%7gC$-4#5%x}ILq11?C7m?H%XykIfuuqA(E?Is0%X)5M-gd%O*xo2nSO>`FqgAqVKbFiA#O>D> z2!D9GKZ<`mIzBHZcvqgef+|7#BG!ooRKFIE-G8m&H}%)Q0Awq{W8f(g#3q9*i$ItD zvDU<4{@2<+@|+I-iOk24?cY;+!ga^5P)*H=X4h_KFKye>5{7Z)<77*ld75GYHzVxe z16W!A<4^AqckNKs$xeb%hHPhXB7g-wD{8MwPS=>ueNR`3-9nke>w)TMvO`=ds?iRQ zz>!8Mw58v6{x#_9&9a>|PmIrjbQMBL<=f21Nz!-xGM*ctcKoZQmYu9hJCjROWdy5+YbWvI2IJy<~4R zvr>+_xqPHp@W0lmz0g|5I}Nc(oVs!WbVFi}rP=;uP5YDBN{Le0E6(*+cg0s zY^8_;8H@D4V$70qCCl{bx!hj}1I+dw@DVLs@*>o3+K2#e?di4vP{ZnoLJO>9yrb=* zYNNXr{W_K5Mh}YzgI40uRO<0^2AWgs{Rq({Ah_F?qKYgNV_3)Mc)x_9V0WNYB}hrw z#rNmtS&%G?;(h)cW&8-qV%VUu^0RkyASdU$l;uHW((H z-@`E5-zPk6Ae#8IhQ-;tI^BSny*#{WrzExC^=cJC67!0X%6#&@e8Uiki1l(?e^Avy zYBkqY4v~r``1q(m#C1Vev4sscNwWl!ZSMY(=&%CL!{ZhB+)MHEYyV7O9NfN&!D$@8 z;t0?NnisRXZwd2(m?OaA;^T9=SNFfxm``AuglpxvR7fsrb?-@=iAr2RL4h=H_45C& z(0}A{4*ZMKI1sGt7jNMAZ`p8c4$rC*ELrUveofQz$7P9vCW8=<=y`57_$dgf-<2(d z>#f?`BYY$VCsX%ZPlJa(%og73=`%_YN&c~KT+yvA;Wl|V1LO*X}b3=iKdP;f>zL2k0Xd}`IQ!YABcA4p>LxJrplvdD4=p7(0Nfi zW}BY>S`*J@u@nreyMpCrx~xC44!uG)8UK^D^Y{I~*8ULXjbR#ae< z%f@x=xEoHL=GF@i?~tgVh@Ar7q%qjq!0c`5GpX4II zlwgWD2q6W}?gYKIn#7Js2{Vk4=+-BO<213?)puO}*TP(U*#V7q<*^t0*cr`ETM1t0 z8LBzV_x~EI8m@)0zdrf8~j3mtj8R$XY{dQzwkd_6t;jtg0DOT}a0GQS{5qTt22Xe`+ zM~R#lo0@C)6vrvy4lucb`qco8^Po+uU^Jnp_lf5!_OT&;(urPATN;c`vEcQ6}8+N;$TjIpFdh`ZM4`{ZDk`8j! zEU^~D7WR*#V=z$)FNEF*Hfk1!<}wB{ddqYJR3*8Zu|xN154{0cCEzB+ZPxA=$0RoN z_7+Q{wgBmE_4oQ;%ej3ufrM^#pSQ_o&+m~@uS&(seH#@DI)L`+FS|$&V13bu?$R(i zfYJ%%wRvgs{E;zfIR?(q9!~r_qHL%tMu)nzI-fdZik+_VXoQiQNwjyaU$u;DSeK_F z@t9B9V3V43AWU{D>)nM$G@w=vG8vTizKnd;DX)pKMtP98!#%He*f2+b)UjQ|5|ZvE-8%q!hUj);~Wm`(~=BMKf2x03tA@XtFjBmPyhqp9o^bYFqYIBd( z-?U!nG`-kQbC`M`UNsQXCWh{0u*B{!DX<~LL>td1%+rBX)nruWhyDC&SEqA)Zl>m2 zVjjBQs&jDF+ueeE9~+}NsgkptM66Qee8NcTK%o}r6PStSH4y$cT8UEZKprQoZ$6lg zRw{nD#MiBHnFmRd&c~P?L1FPx?0$wR1S9o^+#nOc5Bgs*fU(F@XxUoVzeWV*g72@Y z!EJ#yarQ2D`3co@*_@||FseJCp&3n%UWLMWN<){M`09YlA`>o(%u5^roQEW#KN9eA zZANvc5YBCmCH`y8i=j1;GYX=^P!E!H3;NneJInO(k2UEE@xRvo5uY6JZyTUr3lWO* zDR$<+izpT%$^c z6t<2gYJPn=!)B<2%kg7KXiES?HnEO6VPy;SMwfM7;pH{(Q_eLGmHPU3=TsSopv#4m z_F0>2xwsH&=6Fq~6`#0y^PX;MVOch1%x%lyvTijjj;MLOQOG^MM}_Nuon^SgKlylT z2T=51e+-Zodz2L>bKX8s8fiLS4;W}E1I+~bvtl13p-dnbF>uwmI8g=@B6Eio@_-P93Z>T^M3&jsMqLAewquUVLal zQ?Xi+%}hojg;i7GpPh%WXvSY_|A=HW_$N-BzIpJwaH=dRau9o>jZc#7um{t%%wdD^ z3zTCVMs3yEyuuzA1GRl}oqny`l9NoM)s9Z@vi3mbx|Zs*mR5h4Qx`C@xZC`akvcC< zDq)TB&rhVgUE29dJNeyF--HsXv;>j~`z7aJ#qrSFSj4q(B*3Q-)P>ANI9bW6%;Nw7 znQCJ*;n{djULTj&zVo`Kxp2+f&~F@Vz!GYlr#@JiCXf=6Ej49*$g+t)oA}_?+7uIQ zLEz?`Rp-0_mq>rJ-JwSAcf|2gdZFmHP2RQd+GX&OdX{%nK6^!bU^;_dvob|V>f7+D z*fM(@QL}+4G{&LHW0?-{>cYWs2WS7+S}GR?OIxcD0xb{6hb-2S7@&(C>z}7Vp?%X| zYyXIq6$C&hX3wpt_3ugK{_}T#8kMVf`ngeCrCQVbbX=((9RFm^y7T<6wSUBA2K-wm+G>9JbC#;7p}W)Y zryZH8+fwE=Zk89Bm*N<3Cb&YBWxalwVu!F%;!$b|urjZ(BIP#%n9$?`t)J5@V{>DW zlALi3ecR>qxoPrdI@o7v0Et%=wmoNc_$7~&Yll}jzC=_IV^wQD`W=#O;pf1a4wn`K zYvB0;^w_oO1|%j0zN!O-e{{^*2&-V1199rI`D~kQL`K-V2tyfDN7m=Y1dFpNMsDVqFZCLG@Jj`;f8!IgKLGuj~0nW>ty%%P(}FLaLPZX zrOCl2Jt;@TbspvQWxpuIwJlRl&B@%M#V<5)+S`oo2Ku*v-cA>NeJaYSJu6OTuS}-? zoNyacAGYY*l+zFn)lMem498Gy-JaU5T#M4#PILu`Y2i7s_UJ?OI<`_L6>tA z-rJwpf@OMDdqs$T^q{WE`Z-G44suX~(bwX9*8r?B;9Y{Q*`1SsGS6q`05bA*AEO-) zEPdQEX}v#Ruu&_?yp~A+Ypu+%T4zVV!NW@UKxl(RjP7UeM9iP8Nd<5Jwf2uV(}I7I zoG8nM>DS|ZyyQ|a&Ep98tKli9SYQv=>mB9S7oyw=$IoDbUi$>dFB`S$_^MBizO$)x z6{?dw!0n$zQy^oyrWJ(4Bbl7*ns2v|%gv67DR@rA_amV@qr+h7yUzTkmiA^E(Z4}z zp9P!JJmH=EC81_Zi9KnfOt@-eT8Tru1jR>R6+%kKsw)W5EhoYY?|!`?d$h|Fyf3#{ zGS2UHx;4c5@Oh&3qx3*UHID$ZD+7(8BS;wvu|xDlXt~*4Ym*(WOqlC9+@C3$t01Ah zIJ0-b*4ehsZOkO;VK_2*<j+G_&9H)o zLm%9LpQHsvRL;D4Ad$;(Qb9*c6xBYSgcUSEke)(_{Q)qVCnaE{txF#*Z>2K3%rhZR z^|BSP8paraAQ{VS`stySe**|;+GrJ(mUL}x(C6SWvPc~erOd4QNLZp_hX7Mfo1LjrOM!&BXL}Q1wQOO-w9*n1||*E1)6&lB|8>pq~6n9b00eKxQFUZ7;NomuZRmEM-CUAzEyTnzQS=A= zL`DHbJ|Wr6c}CZIy|Ze(0mEuRe5E9Rp8UhKOEHU!DZNN;R9I7W#+M)iqt)+YSK}7_ zGctiERQqHt0#8kPVP~Vy?NV0SUEr0%bnijTlg%yxH|G-bAQi#5(*3Cl0J6w@PZvE=XMF>UB z5JB&sfNjPb-5X7Ha|5q4*fd6NB*{w3?awtCZ(nqlRFG&<({XQid-<=mCtn|1e|TcJ zpz|@aZ_DvgQJI_UKXvUje)zAoeA}{ma{kR$$zxy_uf7AT_Y7Xu6I%?IkI!Y025e`FFb!MD*k!q zk6w~ick$HbW6nFG@We<-v@}l{N6{MowB8XTzl@xM$>NL)DJ)PQYn-> z!UA^2+TXbZz!7z>pQ@QGLX<6&*VPe#9DfdhApnT}jLq5cs|F$}-f&qF-+jD@=LO|B znce@fmRw5$8U!AS=l|E;KTgvH0Z_~zqe(ycZfK4!du+5rERr9U*Qw2oVgO62(xT(&KYB7SN` zW;o(#-BKr($V|{hc?G92v+G^re#xd`%3NvAD3HA~ z41;EOO%2__(|(*Z1E#)x@}KwMe~0IQ{tnM+ff;K4)q@k5`!%6Tj-)UT{Y7}gR>n9` zLgl2b{JT~vShTve1}300u~Ou&j5K=b_J>XN2Up@0Zc(fC{+`=T0%`Qy(7cB7mx%_ptsyHT&d_XoXRT-SFfD#cp_B<89S?QN_ z=pulxo$_8Q`?#}W>dG>wLp}A`#Y2z-K3+}@&q;nMxHm`z4PI@Fl1RM8p!N1UP~~>3 zW~bx;qr|iwnzT~*D%NHoPVBW|oO z-%{a`kVRQwojNzNiyuE=_j8ZPW%%MW7Zz&sk*mCBExvyDq{MTe#zl#|g7KpXT^6cJ z`^=e614aF>&4vgJdFtKOv$R7Q_*R>g zN~RonC-y-5mW9->$(t@dRrG7x=qYkZ)tp+bt=Or(mg{l^0QmOnCmlQWk|4FlC}R;y z+7O8tiQ_z|BNrI#+{wPv@;@IwQ>nwcY9(=H_rhXL(HB^Q(>{~)i^m05~NnMnbdWDF=JYme4$$yCvuxnw+`B; zB|2IaNumF8$H?nkYf1oh&tDopcZpeFlSodaRO?v<-7R4;hZ&~=E>!^svXr_YX`TEm z2=Q6f&guYQZlJp0)HSHOO||D8?NL^nK6;lbM3ayLDPENrd8fWDl4`v<%r@s9*!4gJ zOa@~oYAl_@8Z=w=8Rh3S)N|wo+4*rf;96hWBL@XG03r)aRUi2~1j>`4=mDKtw|!_^ z1N_Gk_YPW3miEJ2!e#+#_OX`3F!M&ly~Q=V<2Yx1jel|{GQRCYKsvSahpPU}^ox<2 zk3}?Dqf2ghKZW0u=7DYX5vFap6Q2>7>soGWIx?Yr*w~kxd$g&!)!3q`&b$87`< zk8xXXR@P4GjeOIaf&jD+4+Z;9NMle^OP zCbs}FfJq2uAH?DBGcyTcln6si!s0gL9j{hx?tXc+WEjEvn4)0%%^NME z8qIxnyk`Od8-^%sFoJ#j6nEG2d!?qWFX4sC&?__bFvK$)y2Ob=r@nWFX1E4Dt>1u! z2tR=ND5GtCP<_ZEkRZuzjzJ zeOeIE<^I+~_^Uy2xXf7idtk^)0;@CQ)Krz!X#GA(ezsW005_ch{}oua^Qd&!ri(cf z|CVB!vT=b5ZOe#5g=-;S5RMCOOMN^U&1R_S1K3@QG}#lFwR%lGF4Qh2i7302*s=#( zaDP-%K9eadpxguvYlR-sGVAuqNR=@F@{a% znt>kk#$GJG*5iudMS}k%0`QlxE%A|YXDsk@El~u}|2OXsWSuWx)}8*G8|zT%u6dqv zn?%v~r@9a3ulx!rODNHZ%^KGYa%W_i9r)@vjKP>WRw;k(iS0 zql`2d@Q=yWHILfd9=f0Wc__q(Vps!nAuxJ7l;#(fJ?-=FM0hl91hC`kJ|(>cdf}9F zCNyf@Nb7YW!D1{Wa>B2_R|2>6g4g#EZDw_ubxn|ltEGe(>9Sf%uAroa!!|_KC5uYA zf8r2iolb%*O;@P^9yTyhrF^6s5?(3>q5}eaj2;x-dEi4idM6+MMm!_cww2&9eU=WK zApt(%tapfDQDyMHyVtp66rDAOj%;T#Os)3!-nE1nnt7?UUvNDh^QOO$&>j3VIg&0~ z-P~km--i5^PO%|9&+C@bVE;m=bNUVF(?^UXZ_1HUe2SvHqnc-V5`d?) z-H^kXzK*PD0o?T8)Zj$m4TGzl+o}oEpu(()@N#{DW&CNax;_4P2>*}ZkidUS*+`^J zE|R{(cYyNA0_*YP$jl=9Yd^ig>*Rp|zmDU7XSw!AZTWZ*kE8J=?-;%Q!Z*c0;;>Z- zT^~7mi`cv)VxwVZClT;*t_YR7`#8!BG~!P7-PqdRJ_)~mrzsuLe;oV1aRpp};d|!+ zSFXzWKxgHO#^!AXn3Ua?*2u}vo!`#;iVqhrKbSh%pmdgeD4k&0B!<{CYZ#|#7P`aA zd9~8sL3#uk;iJqUymXTb&<&=JY{#JPq<#_;?<&yf{B{5Y_cGxtzx_7V^3Xx~IszDY z%W7J71^`;|2an&wRWISxRNKPubW=wqD-?MPUK-2{oLuZ>J?lGp=0U?*7HI^Fr)?q- zUW9mS*_b^w7||c&2?vcJp+ReUKwEG&PaP4YcZ?15(gmpWqTPy#%qkD@4Ii=J!AyRi zvgv{gomSph=q+kR7UGkw&nD?uIMw*f6<16oKFGJQ%2A^_QpgABI$RzeepU8W2;SE! z7A1UcwrSOq1&5#Ha>dhT!XC3_IAQIS;rQhK{W|L`^qw)!vu>&{&D7qWCan7BQvsZv z7g)slbM2lG+RrC%qzKi+A1bT*1a-{0tV~ilMQEeh{-_WK)*|@7m(l@7fbkM_mMeR3 z(eUh-XP&S1LKRF*b=*lS;YeL#w1bk?bB#ccF0Q#H17(1-a?i@g|C<_W3AF4jS;rCB z35EG|9c~OIm*bf>lh(%Lon1+_=CeIo^cd|-KcB9RPxkPJ7}TD!H~FSMWjL0JrY9saPc+yk z@ul8)2gkE$9Kzn=(D>a(nPomSrV_oFWph>CkPA1((3Se}v)aT$_!mLg^!=K~$PU>? z*ScOGd)VHJab9&xmmCC%h*W)!3Y_*w@mGEpk#5lKFX0eh@KB`tNKOVI3rX9rvGBa8X3Pf#paOA!po zmSqRH@#_Tvd4iO|1$NvyQ5Z*V#N|<pXI!V@Q6@G6DYACnwBU+3rtX&+ehVXsv*!0ct-+btW&w~9iBsAbK8N+4bkdT{!%sc*+nKQS<-&F6UA<6%yhG}I1sa=_g4jFw+bp3J61afIC{m&Dsl27t)YW|T_ zF$92~iiW8N68~bf6>-rDgVvF#bX)QtRgb41AKvIZt^_1sTZ>pw$KmkErDYrUOyN)& zx$*t0E!(>8VQ@j|`_&Tc6w=LBcJsctziSUciXEI_HlJQ(`r%m)NHQyPjYl9oRc~f@ zX)R~=PIA`pRYUteXt#0Y8Sh|?*dO#RASk#=hHKiPAj|0)nFmDG6J^?6mYeRittLJ0 zHzicE<gK*v{%8CPX6cWh~q9$bB%l8~^paV`OmC}+x=WC|TPh-NSh(#Iag$ifa zQk|$wFSi!SHFAj@a_S0Qi}9c?ATtu{1s52jIpc8Wbub3(Q(9&Nke=dWCkrfQOG*_c z^UMbaxysyVGkE90`BWYh%PdmselV!Nk5T>rv13fVzn7}z4o8=<5+Xl>Ac#Y%nnS+r z;_B#Gb6-#;)Y{A)k?~a%S%hnBQJc(QOFE#*;(Opoi8HEWI!EJXJ6vP6VUJR$t!eOE z%q~fb1=MNDrzX6~W9Vs;JiiwcX4BSxZP}90=0_7P&*Xb-SoqD8TF(8S@7BSwF=lxm z9lZj^7p@}&D2riD-g|6?@Kv%;0YHjjShhIq0Od-nO?<9Ju|-dV=^i`K!rX5yUyBV^ z%DSmRyJt`93Ia7RHO;?kQAFB_Bd!WAq(UrE{mv?NN6+5Zeb}F`Q zCl%YaZQHhO+ZEf+mwNx-Gv4Q*yGI}NKHGELhrfNzbzgg}xgf?|`KE!*bxpqZ!RJx* zF#o9HUb#CUY~bS4eN`DwRPa9`iCs48X+2q5A>f}jpC6%(6fJ@(2R&S)7$rG$07757 zjX}G)Xe5SjuAV$sqck>HuVk>E3W<>YUXwbt8;d7Z2h?iyoNWs^kyckO6{dlbcC627~ZCwCs|cE>D_d0 zgd3%ZNT<4)g;I~KKsIxWJZvd_HI;pgpm^FReh2KW^Gej(#|$6Mi3luYjstHl=G?Sv zuM`n%S!g;qlItWLzGw*0>rcZ)N;Uu+>U{rbH^O=WtPnwm{`xbn*uOYhly6cu=uKpN zG@ZR`N&YYq)#2%G@S2B5YR*&i#({S6{k2e~O-i{dsY(CtDtPDXDRD(Ps|n>*SIz8j z(VTFo&?@p416m{^^!65tM6^pjs$E0~3HjwlT|G$DUXJ)qC8KMdYCpXr1&Evkf_h;b z;=&4azk9+6GWg%rNOJLHZPLUWky*>1!hUET%*V-md^=P|BHdqV{!wHz;NPK&bifyn zZz6aw9x^KqZ{@gYvIpI@8V1YUfIs5ry0^WTN`#l|V)-wHh_?&osMFg}c~j0GW8}bC zFimLdjJ5btAERmJbOWne0Zh@36vXCn3~@l7`o_$N3oxS1&ic8bf83_WVtA~)bY<1( zl1ckPavwy|-p(+*8F!w`qPbSagXK$?8`JD?wvd&`Cj>8;7ee8MBh2WKD;$Y{_0y|a z4-kKpLsG|hQ9VGoAj+(mz!EQaVkzT280N8XI)4=KmS7ziI0r+tI(C+$M%JJ|O6>xg zRTY%l7sXnWo?#KUE#`f##|cbJNjrBI^>YVoxs2_H2meY#FgL^DTq`TrX%lFoMm+}S z`%T6PCxaCmiB-;y6MSQyZp$7J?sfouLI-aaR@x4@v7@v(t=VY2x}^1(25`WW8kAO> ze#Vo0jKD!8VY|cInDb^y)G)^vpJBy$xczjw{;?wa*>Da+?LyS%d18wWmUD=LDPh;M zgLE{+LEelc{yWk-dF-55+*Nj$l0UDJyp3TNiu+8cb7Ew0ei*UN85J9eX+6z;>ayNR zD+>A%9H|M4tywW6k~g?^+k(e^^YO#sMPfTafI#0>4na>fBMmp+&=V#f0)$VAYC9^) zlLjw zKARf+LYPR+%IR2)E_lraH0(K$b95tRz$N5~C(%_d;L9j~vfx-)ibvF}dm*F{hor4b zUC}(tn^-)eS!7oOtct|q6oQ1Dt~v9pVE10o`AWYy92jY8;W7@68Xq%a03jV@HUjQ$ z(W<^sO~%aGFoW;RFdj{{o3g~#I}i(U@%5*c2ahe-XKN~vn~QZyj|>79sS<|w0xGYJ za9K#9{s}~JDSHjTFGp+_cl_lxg~QwZ$9_7fh<9el!B+Tpj6?8jveljkBKjGIVP&P; zN=hJxAedGiAW`-T%#j>o{%^Y3D4{50t0)0~(&@T|8p~wXjr*c)C8W1lLudY2)jpUC zgUxhAxLX3A^Gdz>L6G+AxI=fY>Yo*oh4shsg#qH}1cXNT&zeXfNtuzIi;xD>eR%gzN4 zL4e86G`$c2W;(kPSBtgJAzN-HK=Ar^QCTd~gD4Ow)77I#U#;d);O!E!u<7wCS{RM| z7#R3)$R*bs3ugHZy&yGo1_vDF9xOST4Os7oyk3A|7cUA_BDCqDi(2Izc278WP!ZA@ z=*_)qjXJy)lq`L1&KOi1|E9*NLW}vXDl~bSku(eDHaPZyy0Gh;8Wc6)zh})q3Y9Ga zKsrfJ@U26BE>LMzmj(xLrIkWC)@W`5798%m45E62u|glBsfRE_dw11lNpnL!j`MG5 zJVYR*lzcxXT*Du13GSeK*CPTT5@mABRg&}}+rG=89mKjUY5mV{VO3ieplZeKcs)&R z7&-Dlc^Ib`R{R3iV8w9~Tt=otVtq$wDdhlXtGSUMEBD-lj@7sOm@@ztwk*-<@h3D^ zB~6qAYs|*CunB?(L%Xq4CKaDqOG1Xvymuvp7|K(h=Zem?wd7ab$(+re0*VgLK=uC7d&*5+;Mo zGk6>xsQ#D4)dDB2g8s3g4hk2l`^LpjxNL}XYS0n1Q^E%!pN(qe)miB>7jq%2974y* zS-GRsB)xFcwGPM!!=S>kO(^~+y!$wp^NCRwQG69uw=@n97aRdqNef352Gd#v=i9xqzt9kK6H3^1FXi<3TxK z3*(bhe4CM%9(Vr)lmXsZ`dtm@rt|%!<{t$)`}>xU7Ij7EK9XuJ)bl*63+qd*UD*6p zso1<8pk3bU6I4BNtmW{_Ct-MqiGfCF&!^_W@i8@VbOd^WR~A6RR#d4YW%XR?Cn>yx z8Yx0E50z>dh~VrwSllXJ!EKsZ>%@AAX3TBTk8G7V-Tm)j<~rlA9iVklfj(nN7@X7je3 zDWU^Bt3wYW1?rz@Y4ZAWjAsv7UNE{vrB59Wc)0wd{=b=i|KY_m%a4*2*tHd0wxWKB zjg>_bIgFn7_#qrxxliY2;&&bP9cQUdkIGfE>mBb~UlOOj|Ak{D*KRYzQ8RpGQc6ci|~ zbo7TyP$5^J+4?Y|BmJWdy#zwYpX5z2t|_E3 z{!7h23hg`mCpmv7p?`elpAfCXku85}l2SL4~N|#T~Xa z!#XbK)UE+*z*AMV`gX}hxrZIxxx7h|RVn75fn06g#v9(u_wTK8y6Gu%I6+@7umK@x ztxZ8(z>2FlqG)M2%@;^Aa4H~}?ItN=!SPuw-V*)vv9Ay83iBby^LGI~JHU0#kd&#A zV`-I@{4sMP`#t+J((1ZBxT(DsdC{zbJ=8-I}7olbay|3tWs{*J1h*hV+i)%EpIuaA_u1^)*ct^Z=TNgztYQhIqFiwy8+q<_aRC zP~0oj>t0V8ab$zQ2{h_VcL(bS080z~uJ%|k>snzIniyTW)2C-pPpZpCNR5(~bG%$R zi+Lr>7GLT(Y_04#k+ss9+f(nQS~dvoMi{D`ClF1KBJxayHH4 z13K1rUMK<0_`YZ1wO1=F$oyk$QJjlIXGf_H1W zvEFXr9_VjFkYLeUMP zeQSoe_fO^E*z@aP!%l%T9B5ciLq=B;8tL%ng`ISzI!>_Gk`VkQgs zGYumTyexUG_Dd=AT>Mvek>4kJ*+^&al7QHl#-l5rX0UW4M?TDoQZA9**m}x&Jj%-t zR-Z`2U^{D2_}1~CQpzNS9Vd6%I#?hx%Ztx=uNCM2rlyEH(g^qWD)Ykwr!)7f7GZrR z$-wuUcRB^zUuynQD7C($S(tp`mQO6qI_zJ2rcCRVudrUS;4%9ff+&MK$R(+8r&rxX zxTKp`FZ-ZTW=)2o7k8VnEnT^HRg|$gu*;lCqns z>?0;B=C_4x^FoLM$;iO3Sadi-2yv1TCBL}dqz&#}xd^AeWzepl+$W-q2JNBn`v!}} zZhnx*K9djI$Kj&O+Fi*vWBU)Jy`PIV++;N=UzKdE4X4C_{x<6@3nDbDS1$50r4y>L zCpMGb*i6Dcn||JDt1=IlzRIu10%<+kVy7wW`A(*szE|}dUhpk9FTT%sIoOuAwXzm3 zobE*Z4RM&HBc@b-;}W^TY$6r%{No1Oc!N`qDA?HK{mhWOJD1)CnMc1bQ~S%gNLV&j ziB~9o=BIID$yzap(1m|C-s*Nl*ajJ-0+)STEuO?lcazy#AtM z{M_YyqE-z{{uf)`&){UXU9NspDnGQ+01_MIvRb?r5vs29guUrOUBl+6OQQhu`uE#E z0F!#TMy#Wl75}EDI2cu$@nV7vM|q{SLRb%FJ~}ewo0^Z*|1@0vqnL}qf6_8jl8Xoe zLV=x(0gMTJCo@>M4GRMEGx-3FzxfbTvRWPk1&XA^gmvH138E*Us=xexymI~ndPF@= zdPD$GFnCAK{X?3+>o;r>)340+U&u%9$wW5m0OthY=fd!aT|!<6#f=YAg-Yc;)u=mV z3Q1U=V3Pub?xVeU2j&uc4)<%~@}_^T1_fy&xEmI7-THre%8$>uZZQO9JjLi1=T8u* zgXX-x%I+rzklh2wMvxE-%5vs)2SFfbn5}iU>l!`(;JzaEt)tWkVm~54ZLVNX{V~3N z+3n|$wzKnL!{J4vu8_GGl2CGD7pW4V!+jH%M2t=*JfE1qI_~7rPT*P4!oA|%&J-Pt z%>0W+mk8m0QsFsupD3urRaUl64lk8?1yQ7Z#Lx?d*ecCpNcsXcvh`+lU=W3N1VHw} zvWjemvS+T#dbzv^9Xe{F(J|_G^(pYU3|NXZixh3A)R<>QHa3-Y^?W~9-(z2Y=TsHt zub%p^H9tic=MQ+5+&Un{qcM*YEX>)1*<@kt`;I|`?MGD0T0iIWoguo-W44U!tS!wU z%kk2R>k(6*W+8WJ8GfPmR_xJBU-dCV>Om|+xKq67}%a!zb zUd{|WT0T_M0Q0kDZb>~N{`3p$U6+!e&%5TEEeihp=J?E%V41;xQ&T4FOo}(toNU5N z;95*W1XHgBBKiFe_5AstF@b-S&M^2-c7*mo@aVxv8vFXpr;ya#n<>56ug$^uWIoxb z*P#e@I*6M2XmA+(L7+Y3rwK`TUR{JNIBGnViuC)IA7-Gy4BZz$QV*afbf9%$I#N0s z-AItxQ|;${*opM?allObXZd0H zDgH zQUd#mGYswgQNi$hHnc6+2iXcom2o=YsJHGVHyJZ3%8H)0_)BnfGL%`^1EIUyMPxZ} zgF++K@UvA`X;g8@q4pD03iM}MCV>+lP*6i!=A?tqmp%F+T3rhG!s0@E%_TM@FUHiS z&E(w2mB`@}CnONo5N37=7>c03aEmufW&IJ*5*@mt@z!tBj5uWco5u}EtCNt z7I_`*W%6`^3fIUAJ`UkAi8~J!T0hCOEtvhjS*FbN05*Xh0>Q|QQN1Yv_36cIjBVlS z5#*oQb6FTqydguMRBaom%YNBK(O$B<`r)vJTW7L9x~9OU?>h8R=ouS5N# z?1{mDDV|K?H;$?ZOAhQE0EB6x!5-OMYiLxVIn^sRO)TDFT*xbz&*%AU*%LkY&CJc2 zOspc7$>WH=QD!$&I_*3&iv37W)jAN(bKPutN;@pvO-VePz;z!a3q$GKnIhu_4YnfY zCc+`Ztn`-(43nq(I0PE7Q^+-v7oy`6Gbo1dnto2TC5A1<5x?kM9M0aCAy5k#G461hQH+Gu z6X|?YJTNoxaWSm>HtVCpPPazrsBv7IQVT4Wm^=>7D$eLm_FwdXahdk>fZp0Y6NnFWS*ozfy(x44UR##(p z>GVO@6RPg`*n~?nycZ9rTjQ~TAsvA%3;@pbXE}DG#cLn=l5kIh0_L?P=1aC1ff2mg zpxs~)c3S;cWLA*~5+sUdK>5N~&E4S`0v{JA1p?E+b?xHXr=*A%ve*mtI2}9va^StB z^^x-Hqw~H>Dyru&%`&o0jpv^NAhHBQ*b?IHcc@`QYVAQ)gWVlcqaPsAjl+catYvFy zV$mZb1XWLIuhKnePm)JFczlX;gPRKs0O4iP!zql?U73n|xl#{YZL%}Os7xHFjsK=* zf=zMXnvsMgR;F9BIk4{OE*%2*yBap|l>1A~KgvKV{Fh;}0T4jcgP>ys_3+?i1WSHb zkPSnkIF?h;hR>{^X4H+(!OGq6$0OA%mkb)r5z1Qqkzct1^oFhsgCyS!nx1n3dWC^M zmI3R-@5gYMH2T|`3(FFGi>I3PYct4X?AV&CmoSMUU>I43jwD!&#z#}7w#}HEV{4i) zM(*xU>7y7yuP#eMN1sOhC!>8HEtQGdIckFWx3Tt^9Hjm($IeZ4Z z463n*D%=sgIPz)1F)2DdWzB_+6^`aLI*pDd zP4*(Aq1A0zS$0lJYWe=7V1*mlMhxY5gbn)6nMv)yODj;x$7}n(S%BeEjaUZ=@hWn) zq#!wM`PY45-xVd>jNieqFr?c|wKnoZh3oJIv7A6cQ*9L5>g=7bXeau$nqK|dkmB)T zy9Q`xPMK-9d_ya}g~6F&55XVI3_|n=F;T5#2+?R7#E4XcZ)}DW99Gnxpw^+F0lL@D z$AbHFSbi5JGpqaH*>Xg_I1)OfP+C|V?v)Ng6W~=^0mmmYR$YjyNN+Z#7I$-37F@jz z)H)L+u~0%-=P0`g0ue9>tSD(OewwMUBrN}?X7)yTmHo1s&=~&-s`XInq^!kB?fa~` zPF`xfB1+}_&zme`-wrJ@rQAG6emL0 zb9%uYYVQ^w%a$I1#7STt*Yy^7$uf2bL`N9NszUU?6O35BU9x{ zr7qT6P9`DV(-RzAsiT!Y9j-Dxs$Vs*FT){t#p?ZCd%Vysi(vNNxGGXlcy0Jp2I;Nf`{c3mtImJRaTM+1p7{f{Oy&M_e(K zF{MYqy-RAY#c`@DHLwBzQE4fRobb9ISvb95?5d4}BUSMl*JQJ{zEyLt^fy%zzeS)(F7317@i0A z?jDf;hZ?B=1aH@nt^ERZ^;PGG75FF!%(;+jY5snPQr~_2&q&%o%6;qieT|En=1;y& zW=vUH2w)1$8+Lt}IIVZr3c@$BAZ-kg?u(&uI1}X_TqzBxmIqg?#}ZDNP{q5S3kOg! z0ErY*z1>OF^)KghA)jV$jR3a1NN>k}bxv}W&mK!$nhS)q zzcv`&T{d1*spc8#c|m^su=&BrTbvlO!=-7QZnzYn+_hYApD05~{PIR`Exz)xCBQpt zp1PsM`oSXmLhg0rx9!q}2tM50(4((%Dl{}lAaSMbG+1+HlPLej=$|N3fPl}jS~`VW zu`C%Hz^N z0mK6|6&8e(AvLaS4?9LYP1Rz{$Pmsrgk6Nn!pdJ(!drE9kz)XJL^cp-+XLY8 zLYOA6nIxPj!@g)+sBOw}o>$)TrHuo3de2<7QUw4`l(k1gn&-P`d3i0*D=2%BG{(AJ z{{fb~|9wj;sSb>6R1@m6GhRR?$K-Z7weN^;3t1Zhb{tFY-rz4ae@9pTCO!|Q$60o? zSIz1<5mo)zhHcFZcMJHYrZ$S>?^*MYqC59})*J#UI}wIsz@z+O`z#66$PN%7K$0`m zkgN2dYwTxdEl^f3)Rrz&Ms2fWU$pFcB_U+I=$?{CSrD2yhw=YUg}@d{7Jm$JT!&5H$PnV1sDCetMTB#j7Gi@+o1q(i#LcKrcV1Rwf8g& ze~|wbD7)-pXYC3Ow0KmJE>-Yg`Vfh=W+c|-tbVehQ2X@vfE;lpV;Hl4O_qw8)`M4qEv^~Mn(2*eV*-l`EX!in)mRzWReNiGom0d&ob`r4Comt9e5H?@4o z&T&&5P!jj=);yKFi&Ub~H~A^xLDeNQLG8RNn+mp5Ap9x5?G-v6fNMyfEg(a6(A;ztB7(Jj?ohf`bVUuvS||5Edh zvUCCeNqI4AL_m(Xp}(7W)8;5ZseE~yqfkp(pjD+JYHe>5-5ZthPCSUskdfb@;;?0& zK8Fo!EwnqGlZsNh(MQ$xW_4`<-eL5nft5$1H~$t+MBME%CjPYmoa)#T`jnM}m<@Iu zjWgy6-g}QeMA%2AmlziJ<4J@x|Hjj3lEh#}s4M15GU*{ouE=>N_YZK}P&!33BRV)T zfHPBkOx83{_aF^5 z9EuFBj}xr!w!}FNIuI-nR8AA&4E}gj6EG6j`dBh-$YBQyW@1kO70a#s&T4j!rz;A7 z1+;DkxQ-kkW5I1#de>R>7@Dk=P{zze)*fuU1aYxGY8NbmkoTpd?s{DOsXO~X23hU* z3I7)@7(lX=2zfsyeqEa zYWAD6^ap&=U@E;H5Q9b(OThe_s!ohf33b3eg>Ypq%I#$wGi&}>`N|Em!))m|kfA{A z{|Vp!J0|C0b#*Fs8$nWTn_HUE16NQM8)U4?K);^YJH^_YR&nft9y?r|lRQ&2 z16OuU0s?e+@tHqd2>HEPi?s!cF{BYr>$bl`^WJ`QduvpJRl+x&2(Tp%hZqqP+czsj z+LejFjUzGhT{;ge*-_sae%K>uI(jVQTi5qKHMrt);MaQuuVBAtMUz}Tg;ESvs4IXF z1m>P#J+6k;EZC>-w!_YCg=-P9?6to(7vBI}j!{_2+!7=O`lz#rv%{v*^z&kELZX#N z#JcP(Ns|5$iRK|%#|IEuNfVrH#a|Tmc(P-ZzCy)ypkBoJnX-M*DZXEnSY14{<@*GI zgrAc1kdP}(zG9YYDA)n%z=;{;NFD}z^L!q+6K}LXufI1k*#ddIe5zER5^l3px>$*) z-P4x3?k}>anYA_5fraoo7K4xHa_@M0+bo0gtk4&?KoeKL z2AUu!bh@EbZQ49%=b38!>K? zu1u%8tw@p|8=j}0uJN1#8S#J9&4>Tq~WH0X?>etu%TW(++guuO+y%r@9OHk+ePq4BFsIwje@r5 zQ$lU(fPo*W&-{uWBqb3=x%fOT$$p?wlWBg~Vp^amptLHAHH%`KZ?rkG;domaJkGf7 zyM?~N(kr!(fSnGDVel;DZF`$sk$^EWj6WJkO1dXm5$Xx5OTR)tWd2{l#PWXu(^lm7 z9S=2z+WVzY6d=dh3<7j*fats|=aS3J4D7p_-w|^7oZ(&M$?u=k8#;vsrP&I|Qy%OF zc<#sr6HNIL;DL59GnuXcCN(_j5+xt>Zt5lxS(TLsXyIR^UEG&sp3AtX)r{#-HDiKq zePT~+5pp0AHokbD8~XwL!Z(QZkP)}&eA+%jD450lDf{KNMV`NS!wK#PBbtOGnu+ilbasP;OgSo9h_d0m}>aFB+fqL}P-psGts z6OhsUKpuY;LD#z}jBz#xi|Xz`NfRQitkGjLJ%l)rJ5#9wMasqBm_H~+Yc^it&5@N8 z9IuL(qKx2(R*m$mtm^YqdD)JD$~lTT3$zh-PAC_8AvipBD(>ZBqFsO6t>Vj117!HN zj|dSyIlk-SFcrw{iv5)FW#YY-Y4X(mWZkaDF=796G*h&-aYgcwd?0}@*pK)(*5)pk z%K~*w_cD^%*-Pg@8#{Z;Dw(rX{3a$-X=POS@l>ZO_p`g0K*pGZOi@nDdT$AC@CYkg z7f?r%IlqD!1ol^W9$-;atYxD7+SJ;5<9WyDdi>NAwtfb-eVcJkIm#5vPiA*u8xfRF z8@{`4MK)8N(H0v)a|3E)VY1dZs7*AT(OoSe1Y`Pz5V1HWK7Ec{`tOE+|9``@L}UbH zU11vJ{l|!dDe-8=lijZ6`()xkUjIM9^v{F+PVir5EIoHZHS-bz#v8cBLKQ_0ya^_V zmS+ol9`?+!{6D)v*ERPZ%(oAw%r)RsFw5c8&13<-+;9Pp2+~Ru;xzA^+YqZd{>Zy2 zu4|_aa=Wm9|6r|T!J@@lX2`z(^s3YN6^oJYhSWDd$jHHJaG1B|`rOgm0+K)>Yd| zBLQSXNk%kuIr`nHj_CDk6G%=ZlQ$wFfx%%6x+EWIQs}5x&b;uFjslfVIz3%?_4NJz zVIgK2{|o&*(8LXTz86}g5xJ}}Xf__RYRb$HIqz_(aHZ&Z9b^O8!-v@p9xmed7Q#@u z#73X|a5t%fyS1qX>@c+F07|)FPCZ$8YnY;8768ahC=oYxs8QbZv$2V4T=dJb7 zj^U69{ct1>Z6zJo`WTTm(ytLV99@B0P|Ms}kv$7GQS)GI3^;S2ekHyV@`&b=OiL=_ z(|EItKgzspV(4G7PHr`N`lZ_@3n`awv1~CcsiUiaui->$13HD%tePue^UC`D z=Ds{+`BcXz7NkJTxJbsD-S-s5I#z!L??KVbN}Vc@Lb&Ah^Nm02aoCIJI18SC9b)|1 z-oSYQqMad|Ssr0$nzHO;CW-D^NbV`IsRvJWJ?E_kmc&#B(QEFdiyQA-8`9QI7(n)8 zJWO)jYCp1l*-vl@+IDv(AV#dLS)NgraK{n{zS7pDJwP~?s8R5nk7D=tu0DYN?Yg!~ zkcRtezm>%gV__$vXeiz16G$FG_&E!)hnM|0!)Ubc;OX8UGrj@@o7hRM3%H{o`<*l& zeG2?IG&0pa+C0FnwWoYj9mct7WG_`>k~afPr7o1`hu4yKz?7kvQZPVKgz&umT=dHaVKt%#F}6V{>1YXEP| zKS>YS)6(b>vfXaCItXNH!+>w}&mz&)7U$)0Z3jcejcb=z?;`Gz?m01>WBl3@#&tLV zD%b%_b>1Yu@*OWHsay9Vy~$=dl|(LFs;uLl;BL{2kQo+UCWQ!E-|9h63k;z1J7Kdr zza`OwLE1nMS^+ZD*Yp3YPm!xnmeBAO`>&FSWM}QwC3?PCAA3L#_ISQgCzu@SOF*T z-1_UO2h*qHMuQr{iq()tj^``|7n79$Q^r*TEB@XIaNM zHZOjO4!zucxmr_iF_0lg4w+kkL9tnn8J#zs7tWxqd>7!0PyshFX~mWUIWQTV z3U44PjdP@&A=h|yV*zxrki2c^W;BhxND`D!+n3ZOwHmSc6Lgr3-6hTTiTr1>>R>UZKFC$&& z>k(43KLDqg_<6R4She?(96j|ze@2LDvOAvY_Qkg}a>u#On-vK~hlr?GDXXrvDG%@) zuf+2Ke8~?w83n9!)?D4aNylpu8QI|i8!Ib{_4~dU9alxApyqktPMx~r18_DjCJj8T zR&gO4TsHBo+icxu*LzHTpgVd#(TYDYk_+-cmi^Lm55|*UrBs+KaeyrNlH#FB%a9^Q zf`Wo8;0Fl}1O?`xfpBdmQ0~tCr9Z?eBmuY64W(hlF?b0Feq~20QUyn=Nkkl?r8i7D z#6!_RA*S3x_;JMExLF1U!-Tk8WNZ_;mr+B_Sbk*9vd!qdGG!^vG^#m{6xJ>DlNz)9 z6f&q*+Z(f|5iafL$fL6S`o!MvHaZ;8qeePq42!M;f~_-tVJj1v=kL7wZ3N=WP5xI4 z5EZ)byKim;PvZv;RepdGZQi}q(n=F2XpEm{%j1v(n`~9JUp|kLZW9yrxa3E~L2!o& zp3~}lv8mpi$YQo|r+-$aXawDan3j|DS=m_)Q+@oX)xJO!LO8*Lcv~F>;sxt1+KOA4 z7&Wzmau&cz+1e<*6UUUrdC(Hhl0A@^m1Q3UUxG+6ZrXLjeFO9uwt|`;m8ehbs-TG1 z`G?;+AXBDP#UJkB;h#f+NI)>Y*@6echWTEFk{>Pv3JC<%?f!30PSw9T$*fTj~F*&aVL4-qmFOG{&Y#@tVX5Tq~@zE;li04=S9YC5-dF@d(>J-GpBa@V_bi8nx zjDfx?op}k@c2VqRUY^a_3ovo~hA64dwkY~ZpCLl)>aRa9>J$2CId?v(WD&8_($qivpLW9qESf>NPXEwVli)8{B+ z(acwS&>uTu)vVFbhb$#5QrbAVgYZ`9^xV05F52L?$&OODwBER;DrO~fnyPD z(3wXy_)rGjIwRJ#q8r;|qq3tGc5lcCy{78^Dse~!`OjLyOJFnPK0pI{P)R&Ck(08| zV2oMZ^cv`kY2~*9SyvRgYI;tqHz|xcF5*e4SGW*4Rf_H z+v$GTu~&FLV!{;Z%6KO!o74=G$YN{+r5?zx5eW{yT*Lu=5B`qE;GKd^^_FZO`o@8 z#BBVy?&H&|7#E1ApmB=I4(6f`by4HBf8rL}%?`sb+Z8~tIJxzfzlafTGJ1TM?{ALy z=w9O(U2t^$2n&tpk2PJFvw2k5l);)sm0xUZZr&DNOWi{>!l2u|3A$au(LY^k={+DE zF8>rC?r`P|N@>6YXX7cN(;Wg`&XEafc9NKr_vFz)4v2eL^>;Y$c-eYHJ`S;OB-qx& z5}pfa_0T-l?=FG}SXM`YV3A6!N%cDFA47{+OR`Zf7X^(OF12>W#zznXjTLhjvri`i z&*Z(8fyX)}NT$11q;@8$`|qzgNN-;^1V)c_A_pWM%RpBx7RQBhH+9WSUAIA2g^-Dy z+goxn9VWcqSnc(obMf|iM9k@@$J)0qG6jhjkbcnNd;%2T0l^qMe`n4C$dL2fT1wO3 zI%;Np_&wf?uwtSU)A}?bk76ufJ_hOaJb++Rx%e@!hlpWD-W09qEC`ZvltYQ17oukq ziuC?5BA@-t)wukWQcSMZb4*vkOwQjHLum6Q7iTpqFB-2~?4@8|s z5W7RK6Ec8Vp6YeLWJIR-dPW>E5> z?H$mT0qM#?%>=6FU9pU)%a3rQ)vo2Z3p`VK8g+|t0it9WYmV1ZPvVr>9df25+S5pY z&+)m;p;4SoRq9_*B+v z`dW_{%WLUq-*(pe26-xrX`~Y&xCclU#E^l92&g*QU*kS6?OR}gy$9is925g8Q;nGI z$X1xhd6L6W$ZU8w{@7oGUol#vKy5J?tAGAs-J~FD39|+=@=`1tb)|6!445Xe_pG2c zy>b@W&Fw88o?H+Z&Mi5*>J(vNv5zArhq zznK^#r~foYorclG7Jtc2hVyYIml1cUxzN2Uu=r--oB5y%p_resuAc9ow?ycw7 zjf5_Kb4A1zwN3rnl&jhvyYF{(c1BIwJS^(zUzH|VKfe>K!5u-9Ro|RN<9t(xe^F9S zdhR-@6HH&VfM(<8Tt=%*Jyevrv}>_<;pm<|%goX#kV!&+3a51?&Be|{?#RmS z*y3#Al-3dqZEED1dl8QbIE1JBH-T%@A{jSGw9#PuJu9qds;y6oxHWEkF_tGH{G=dmImV9a8)!V(IRmd-3`tIJh zc9YlSG2niM&%tW+fQ{fWd>w>2*hY9pEP3BruH+(ta^$VGo`C-{+RCG5ctbKW8g_@Q z?{X6tOYo#ojb5L(Tu|b@Nq*)zD{+ASycZQvVXMX}Ba1R#BF9F)qezNEN zk@~Cmq&^I)dS>X&AQvRuV^*a9#>Rg7y_$l8s>nk>d(+uxUhM%eB z4nCT;^{3W2W)Wtl#P~iE7KMW75WAL6kMWOi=C=-kxu3uA1aMh=f-!%4fSDmrw|hcE z2mDG7EH2NeyT72hJtwh#LQZrXk4U1H@-;uAi1toG2LV)^d{};XOff)4&y~LPQVc<4 zUtO)c8bv}TJ7EP^AoJHKB2{-qw64|TCi7V2-GS29{2n7HeAm8-13RVi^sC^B`fg*1 zrbOaD^=(mOBKJkh;syPUIcG?GJFBf+a6_gd)0IT4!zc)#LclDX>YN z#I4V)6*c?HkwEuWr}>2V{5nU5gWyFczWe~I0C~(C1FXgcaBu2@QrT29GCL#iV0YXn z=xJCnT<$FfgMy=7PW~LZ<-8IE9R zh$~R`93_1jK+h zvifWFd)Z3QaYx8`d2aKixbMu+Z~7Hb%>nYpfwtk2Se7mbjq%8Y^Ea3_N?>W>62mOQ z625?wLMxJ|$K4f+$-x6Gjkw^c(IC}_`;_@XqePHc!Rov&nBM@TOBYh?^YXiLrhGDo zdn^=2L2LY_nFelQbJja4uRMzM{BJUM6{vV>c+L(7d z7G2P39fMXVC-??Wl@l2{F>~76qA1NWZIWkaVG)1}Kz@0RD|5gb;O8I$x_;t$(4X-+ zuJ*Nt{mpSIk9)#8`G*j&Hym^NvENpmKQpJlj9T#wKVtGfCCh(pPASnOdJ6bBP{O!KV zGJ!f3&J{bOVz&-OnU>DYDddq+E3}eb7xji~i++H^S2tp2z4s`NYWU=5eRb2TM3io5 zHB)l;BP7vf&c=^BwWE4-dmeHi%E>hpY#4IX&p4sjxLG0_{PRSDdQEcWY$(Kq@Gosm z0zLw{__}7gw$oa1yxZ!1^&COq69uZ2_eDIj)8O=TwcW3=NWI=_B*5+bL!~8h>pCQE z3vcGGL&~!PsURO)$2g;Kh!N2uM>&JXNEe+EaFk$ls*&?ejK}@w*02iZA^)fv?O@lQ z85m$OCXz7ps(ltt3o{>g0VSK+O%(t6meSTnQ9!HM9{lz+RJ=+NnG*xzF~kbya;C`v zndbG^lfaFcVTv&2-7Q!>JFpkLELAd6<$HfrRAcjT=Nii>U?ReqtVXmia=j)sQ_veM zx8ERL&d0wj%a@|io_-l_kniJ|$6WRgosE7kh!clg>k+Niw7H?t*Vao?&v6UoJYq~H z@d}Q`KiLAxGVfF~K7#*17eg?s;uGrms=G7P(zSx|PWqFhC7_u`=?}BXn6RB#0hMoO zR2~xp1f!)3{OWECUj%KHzaaRF#xawF)`H~~a=`x4Xmr#5H~7ad1Tqd+N_(3}@XQjx z@+q~nFg$DV-4C9VAH~^~bjiQW+!{KbXc$KVooPG6zR2w;0AWmc)9_EVVH4pg6`_gB zARv_r0L!XTRbme!<%Sa{a{&Y(`d*Gzd^qiYU>o{CD^S0$RUP%%aXQ7;4La6Bi}q@J zRU2Ts0p*%3^8flxZ3i!cEAghKdcrFR(3|%Z3NUD?n5~Y$>Y2dzI(gTV#q~Os1?KGc zB|vSwvNGzet@w~%Y`88XVt(G?jPbor5WPGw<`waZgruPqulQbOE&H*wBk0JHFKQ}B zVS*9@JMPp&EF1w~Yr4@<*C#Fa(Tui1dB+@syKa=hdAj`nE9@JCGwr&imcS6y2DlSP|~5_4t0*T*TE4z^H*hG z$Y?Y6!($S*#h4a9TNuA4>SP(}!RlVaZN0p?9^ z>=!ldEG)~1=$Ws@jUCdyRJFtzm!3Mqe=;PWq!wZpDflf*#dxpYM{|^}+IXCY2;LtX z29XpP97T~+sj@0Ri~gY%p>Ka_MXf9=?&y#Pghx)vz^P9>I-z4Zm}af3p*BEeJZkg| zfR9tb@zg#7Qb>FVlryy&(@o|MGqDSFOVphzg#;NRn7IqJG{RlgP*ET{aT^2kiFna-~leZ(Yy)Vi|$*eVz zMDVdTnS`L%{6b3~U6`*S#0WjsFuEpYITNfKY%?w-yo3JnAD_>ugh-pJ7W+{*BD-I}lA6)P~dSAacw6F~$S>cOf zQsbgk8g~YW@{!i%lc6fKeuC2nS7wFcf^kL)7+0(kmI#!%uL6 zPNa>}XV;DQ8h2&83Qg$%r#pmw1Jr5VsmWN^gD}Q*q*fNmTL(W{XGDHC-x=}CP$RO& zNYjoCG8(8~RInp5< zm%Et;L|i(kc+&7+`81vaTjrZbS|UZSi5X+=6vs65&6O)MhDyw8PUK*U8z3>$*}2oW z-Z`to<9>5QgT+z_`}ZdNuY>j#gUJ#4_SZ*)`b#VS>7eB~A_9eSXBrD&O8a?8xCC12 zC{78Fewyt+bc@jxO%u86r#bhuEH8`@-p7M0F|+5vKje!>@=4<6$_!wjtEqoBFAZ&( zd~{71^gf`Z#!AAlxVSfmh;a05L<4=bNA3eysSqa+d`E1kp^MWRdal~}^U6(V21uuy zI>vdh(H4b2R-Lh3rt?mVj|dF#*pIut&e^y~@rw*kHb2M-EJMMC1~izC`K%~ED28NR zO0Jl@h6L5D+*)M6^R(H}q^b9^-Ywa?lNL<(H{FoN_&v&IHmnh-rs1gcKgbOOo`hjr z0Iz%xIIm48@npO!kCt4BRT z0H+s4g?;)e(+pfR%uO_2f7QU*MrDTT`3v$!+0czHRvgJ>Jb0{Il$#b&!E7vb@1z8^ z0dv!Cs=Pu!MpR{qQuQjs1!GYW)`CAMkk@aM{fP4~Zs=%aH-6zphY{@z|ABz88zuKS zohuS%Si*w(w?($_T*=7M+Y_E0?dI|pg?L`Px_Fmxpja5L(j8^FM8D!(x!f(>v<@j+ ziDnZ38D2o#C?A(aJ{NOEWHy475Lj1VGd1=eL>~Hp?tGD>fKwv*zRc(uy)qxdqj+;lz=F!_ zXOnx{l2l;tw?Zh?sOf#4UMWp=#AjLcPr^>z74`2o0dtGnyy++~Yx13f%R$6m;r>xm z43gZk@DFw!FW%>DX=%&9HvqiPeGk7e}nd9x76U4t?O}332xK-=226-1EP~joVf#Zg065@|E+li+CqQg=qrZK|+vCO{2;N%fHWReQTtkfYfD(^wBFf(DSyNm7^Hz#x znIVPP zyo6{$WxsBF;P9#Yz|7F7#!vn%R79;t+_ih(QJSv@EimNSn1(>*+skl8X5%Z`jehSt zFu2JUwRZ3zkJW0ZXZkHB?T=|r>lGz*7;Den&-4~9?SpLs*ZqsmFk_FFi@7Z6(XSV7 z%L~$f`a3Y~>e68N@;zjVB|N!^a*Ls!u1B3#KcZ$|Yqx{=*0*}Q^O$vpUWmBU(?wFd zeUNI;Mso#)sN{Gv^4UjH;r%d^QV#0;T<3g3J{=myi$d;}5V~iJtdA^|*y;hJ?RLb@ zfR%|psZFE0mLKwArt3?6M{rUVIai5Y%*@V}O`lBTQoH%-I)cR?s6YwpCf>;l&ow${low*C4nHnx&nE0X#o zw8zv8pFpm7>pB>M6^^4}#rnjq6>Fv8wVRk{cTM_R5EdQhM7 zFNJvwru`$m?ZLF4htOdkr*;c)AFvWj)ZHYc9Crb)F<+R8RD{zmAJ`Z_z+#*dt&@a$b%_u;@^-kxFKk8OY@Qf~<82%EeTNhpbD>*% zxJvp|`*6G`T_%6OcPbqn8%oAqzax51KLLE^70w#U-!6z1Gvx^MlB5Vd5n5)40v+Tr zudl!UvjZr#wOHQB5um5cKDHl=a5g=Jrlf$eYb>1 z&M=rm@Pi}dI`?G`zs_M^bDATX^9eklybR6#`Ndw|LgjY#0L5z|m*^5c*SrxlSvMv)Fr4eRuJ z78hSLxCm+Y7Rt(k>H5f+9l$UnZNBN)w)|-@`bf!y)uw!;pO43(V{n;UBgK=J`U6Rn z`X5@!VgI6)5fV#eWn=op62ELl*UaYGA`+| z5+X@4uP(2#>r)WYOAUpR zJgqA=2yZ`4XwK6T8~1{FmAA;g#(;!mW2uQ-BOAX&^5~3u4S`|D4&gSIy6HF87nFJ2 zs17+;GHP#kqPyP)M5ZfxyCKnIUDu_hYZBG_ue&<4>*k#lk9=B4Y4_RkcARk4j3+4! z(6cJvrvvwq_dmT2ICawDzGW>x6;4}+tsQGPZT|R)C&1H8M{Zr* zg^er;FdF`yA<-gIRAw0ivdg42?i@@bvV+ce8FtZh&Dk{HHyKJ^(Co!dO10!L5%GoG7R{<*e|P%d0tt-UdhN+BWu^Br}#0A1XNb>=O&P!5L* zPQi9mQUPHMOO3{gw#N!VA+_FhzT=>TNOov(@csAYx+g?X;3%e7Rh#UJfxVXD&4NGEW&WS_#0R|scskE6##<@&U|1JY z`!-6jGZONl21laVp~G|%O^U{D%>Bh_f%$_k6q8kD(cwiEzv#pnx0D^TIg4Fe->eBC z+~FObpu0m^73f}KT#r)DfqlHX5c(tgpfg1NcVCS>=F!F&S?WR}>05iv?9p#$TonTdrT z!B?@aU;5m6sZjFYN_gnwg~A`^X>oK}`l)R&Z_CvGbM90U{aLHlpFf{@8}DvOxB)F6 z>wHWYF;xpfZ%F__ZYgGc3TNb4O@cn-cq(W?b5BrWbJhBdM1Tn|)1FX`7hG*JPUm|f zp9(iC5V&CWM-ppU!3&icxxu|a&xEMu7We1G-a2I2q*=}<>#j69k#G{H`z zmvk7)y7`{xB1$;!H)~XrIQP>+Z&)(e$JL89U74`w2oeASM2{UG6 z5jzFshb!RUJ}te&s6cw7w7&s^b=oBfzwesE0} z?puUe4(e#Abw239G~%xqFI57wxOauWmu=&7my9FloX@aC_9=r9MSmJXjY(%mnI3eV z6V(f`4D3%DU5$i`4Ro-KgxyKMrr=~f^{40pZ#8lAd+o(41K?CyjWdYjS zVMi9hj0xp>Pc4iwbh_Tv1fU1|jtaVku}Bo(c|y&!Shv^x;+t^LCXvK?QLaXqgmBn& z3H%y(t;<1Duwrm+tGQk_u+XBLZvAcD&rG|F!0S9Zci{QypnI32@}OP4L~M_kfjIaS zer<1sF#l$ZeI8AZAwhTnSnrMa2IJymFaw*mE|~r74KH<%>()iDi~@$zV>?-2_+zOC zg=0yYe=Vs(w}Bl7XFv!ElEBUqa)dJ}Y%>YS*)DBqD|XDi$yswQL!qr}oUW6g(XKUh z)_0MPM#wMoG0a3Sx2p{EY{oiu*Z(01~j^3#MUro2aXZ}J;a%Ddxkgj!o#uOq@P0q{@ zmjLV%9#PrFqYnww`f{WOlQ6xI$9F@Wc>)>^Y4CAB^=3qf51Zk6Swt&kRFF!iQB>8q z5HK-DiNH!w!B<(2xeQ-n8SL6qNs~t}7t7@dLegv(*Bwi|*QQ_oU@PuHOB?LGg(`*E zQp|r2(m6cL><5;QbFv%wjwQw<^|rQ*t%ofhDYxLc{JtgSJgp6oUwK$^K3>%$kkB~8 zec)R6(`lxF#5KsJUXQnXTS|>ce-X3Q{`o<$wS>XMf||q&+cjtRxHrb3fe93U;ZXY} zeI+`$f!{1vtt;L)t?Xw&awGO{f;=!cxGZ}w?ZVlgsHS%Nti@nTD@9D=yEbs1;AIRy zh*1@+NMl}|G%)Xs6`D&}pnSi%I--Pvet%rvp5G6tooNEMSttpHC&nxI)i28=FqPUn z>CvlgFxdxEFDFsO#n3P3eaZqp=eY6AH#Ytzv)j}CzBx}vHRsRxxp`iI@7Zh5L{>mJ zV7n7X{GqE?6fX!=A7wic)*M69WV()!rW?u86OeQS%vV`Vpv@^thC9=$SpbM6XKmrs z%g}LB+s#KYUHp-^pi+?wYzVYQ7?r}8sr#f}BYdd{18jy(3{TbHC-H_S5`>GI*m6tQ ziStJJat^83gwakst$4J%^1Jo+&zu-Gu#R1{KttTYd$P>xmo_d{pvzY@B$iX%TWwo(Ys)zklk_jU7kJe18;V_ zNa#X*!f3o*GADmFHyp1D*<$8zqQqPKy~H3|tR8$&C^vv{{DfA)m1s&XOtwN?9r4hM zyZU&TiSjYnHB@oAH-wc4PZXvFsG0}u)mf`He3olVw+$&~oOsA} zVPj6S5v3Lrt?UC$wJURc3*Snd)W{^}eF@KUcO@|Kw;J_f9l9Ums`Ud`N(a)cDsxGg zT2m+ZUFj!lkET8;A~W3=LR^v=LWD6Io$-DT+Y!_(Z*!WWP?g^p`-^S|c9%GwIxg*D z>b`LD2&E>@VSLZ1^V?wYtC0wB@ zL;^o;kpZ_AyCbEst;;h>;8je&`Hv?0?e<-TQ3~jxt%R1FC85T5b#Ff(`>we2VK|&t z-c^zyl+H6EDT>O#sQZmsL)A=wGw#RyyiyuqdVPTnl2%22jNX4~1@Kpn(sk1l_aIBb z8h-Y)x(emLry^k*W(`N&8eOP)@y%HPGKD|dEia;--3y+n8py5IpKS&jh}9mkKC>~= zIP>$?Dy6nP?6~tEYuYN_#+N0{GX$=4hy$*rJ%>ra=1wwhs2hOtJ?8~6=l-aVWD6wf zLRCA&aK1sCTCF`y3^-WO9UWa$&GWZ{zF*l=;}6sUjrW10zf<6Z&yL34rO(S$K4ZrZ zu6)!Pm2fQbirN`8;xrOqedRe08UBoeVg#ld&)t1rM~#IlZ@%!D^|In21mhg^4d2&e zNS(19`Zk;x*o-Fa5c4x?H!;4YPkfNs!ACVLq|iaEM$7jI7MbU+TdI?!30p#*D3FrP z7xjhyJF=dO&x?p?a8+ApLhX?S3d2EaXq|&d?QizLbA!!r%1tErdllb44atpdY!*s9 z6t)DzV94|AwjVZ31 zblB?A0CPx2)|>WNji7LbRWHw!>E;5->v~*JWn7QTR$E8%$rS_{T~L$DO++p;ZjTpz zrH{&S929u9>uc_Pd=O}$)DaJc1WsqUc5-01{6hKC4g7b<|CXa)lmYn19sQz}|CFQA z@d%%KpRKaoDQYEX;&MN|v)yWp-HL7 z0pADk_AmXv8PTD5u$r+b^7>AK`w_2f=O7^>Ce#Td&M8AHjB2;iuMk5u3#?;wY3AXJ z^o{PhA;+ng1xZTTp_D;W4ALft)edS?zj8%JABZTlYiFMv)pk&WLm?~4ZMRU+5VK|G*RpJ4xk5pZsSK=dvclOS$3`;A#=v! zrhRP|4>UTnOHxD6J>Em*+f8Qh1=DqUdo(6vAe^nGu2qN1!?aFx(37cJUqp~i>Vf!^ zOSH1Vuc;T^E%fA!1L1$Vo$=Cfy7~&0w6%cW!#GU0dNk}q0T#UASn)mGOSKfDE~<7C zwHMrE`KSsn(^=;#!860|=OJ&0xMahy!yNj(Yz3W3#M)FI-FmSrB&}ks z0CU<#i9UxwE@mR$)D{C%;1eukQIWPwP`j};2|sXw{nn55r=1M^V^P#IXy3PaRp8l8 zsLl>o|Hg{>AG0ELnB6a;R)H`H6#Keyy*^))iq!^NV%s=KRY-8%oFZ@`y=tt3e{sV= zoJZ{oH}3zKwQPWFYFJuR{LbpawIo=thmOL%&C&0H6<|k$J(C%NEWh9H|5{+YddX$= z+DqyDRvK%nB+pO!Lwr4j;b{?;H7uH9AC}yKP63Aq2s-V1YyClgh7#f=RKb>0dK7w+ z_gQ{qQ@cz6+FpJAT4FwaN#jOxG2eNX)KeDFig^GFMOGU455J_|yw z+Xk09%wMj7$kfoO=A?%o-OVAg9iu`>6Ag9^C{}%A<$_S+x0yf%Z@^KJbiNDJEgHei z9=aaYq5z7JrGz)9-JkiD8n;I7&S$W0-Y&0wj-4Zs7I_rkUx9Q6QsZQWDx^)1BU*st zfMz-nnqbZvf;pKF9STf8$MxucCFJrDY{Ik4^n2TGIHg$&TV)0fai<4zs-s5oVoaeU z;V3x&c@8ML2`ngZf=>f1gCxM%W2}^J{q*UZ_sg7>qr{M09tmVYQU{7m7ahmT)8_J? zXxxL8Cn?Bpt7V3VPzTgFv-{T0z&L;}#|NaoK5gi+N!dpD$kO%qJxWR)6>~{D>6Cxv zsMA*l3=)X^Yi{&jHQ&ModFrF%ay$Qjv+Lj>f2-vmmHHV91S0q!(J+_4(XfA>MtEcQ zAU3;vAcd94q(BO}P*t!2je)LDs?_*u8Pj6Mby6vJ zp+;A!V5b2q$NcGAMb&fPAzz8%Lr59wmKpBg|2Rr<17D!Ea`zm`HzGpY)^)eklVVC!C+r4lG zFN9FfF{7*$OBbFzVT>1=BHc{RXEey0=c_mhwQ0P>(_eMzd$v$1ChKKQ&RV&bGQ8(_ z2{NCur2w`!;QO3;WakQyJ;G6PhSh9Ks*d06O4$BT)*gXWa)cK7@4lK4RUaJU4cnpo zpr{G9f9*UWgQvn_%@=X;+$I%5T-Eu7E&CFV!muz=Ing51Ne>>8iXsD`mDh;be8Oa* zfcA3&F6>V3ZXFz(-p)N4=%NSjEIlb*5DgF2*5S=Aj+hd|`lh_qAq(+2)Sd1FT0c?A zrdQ~O2ou40JHDQW(1Lf%i9UqWDwmE-o}YwhxVXTP@*a+a>PXaTGsMSePj-Q}E&ZUN zHfUBhRT@@tkeEB4`_XzqjAM>Qg=S2bDWj`2jj8fnc@-_Cdct=*6q&#oelsoST>?;r z)BjGdPv-7+6#dbvmt4a-(PVv0@wKUZZ>{VSM{B|}4?L;zfgiLefeh~HSdu;*zDTO) z)vI7xgR;oX`D#=X6XQZ1g5ZcTZ5qF)fkFkxheMA$$!JHd9h&3Q@7B<^-M_5FGBcLY zq7C;m1(*;8OLopgQB9CLkqiczpfB4SB`TVJMV?wEQoh5-%u!#;47L3E)zbj zqIH>J8hKEXWrQ+=ncDt*u5CMYvL-0fbWXae5E!rT<)9rwObbpB!Sl#8np&g{gme-k zj6_(Ur27KY-J>VfuRfuv-7IJz&q5oX*iW4nOG=ir+uDIjd}}!9c3=V0qL25!gjRe_ zBOC8W%9kd7>=keW^QVO{`k>d4LJ*1P(|75LuD(yJKejY%d@#(*yfL}~tVjTFwf*wubSkZZ0O@$X4BW#& z<6mJmvZ^VKk=+er1ZLKPsBk={9Mv>xh$2TeML0m%Adk6s+GGsS_8BTJnIM^`WHK;C zi^7UM1u)`E=vm-2q{YRh@9JrpTZBLPXyMhc_bBBE^uR0l*F_a*G0+&i$yeLk}r3VG?`voHta4Z)fac;QO?n?p1Pl{p?gfKC-}pVmjy}y zCJ4Cq9-yq`<*eJt#8{=^w$6(lOh=8Kjwuqz#(oSEl_$m?`L)kNp0@zZsZ^#(yfFka z6!fB^3&7Wi4>AIrm_?Ztlw zI=(MW7si1uv+$)2BB05(bZpGoTOC0}lLa3iDE zZ^Ftpg1n^@!Oma;{l_mXb)*R_qlC@vQ*X-TBapccWSz1hzqDKmFz7z_w|Gb*n=ye6 zBpj3#1ik6l1fcRkTXhgUaQ1hbV{6^1KCa#zJfaHKT$OF?%IFxE8I@?V0twS(743Ys z*5~i}0p%v}WXDPZ&vjRShRjec7YEj~9!VZYke1aHx>9D!Fg3Maii%hH%sQMoJz(c+ zr=$b-*@{fF{BVj>ux_<0k!=h_hIwR+lEaHYj~GqFw_o>qfVn9EqzB8^GRPE$zUMb%8q-cGv&(ikEF=1a4Lwf*$SEWgi$c{ zAn02DF$aD}axiQrKb*44kMAw7RLC=vz3 n1A)d9D!!}{BI7(Gs@)eCuU{As0BWa1BYk)zwcW<3co6#^@t= 1.11 +BuildRequires: pam-devel +BuildRequires: libselinux-devel +# For the perl_default_filter macro +BuildRequires: perl-macros +BuildRequires: systemd +%{?systemd_requires} +# For /sbin/ip. +BuildRequires: iproute +Requires: iproute +Requires(pre): /usr/sbin/useradd + +# Filter out the perl(Authen::PAM) dependency. +# No perl dependency is really needed at all. +%{?perl_default_filter} + +%description +OpenVPN is a robust and highly flexible tunneling application that uses all +of the encryption, authentication, and certification features of the +OpenSSL library to securely tunnel IP networks over a single UDP or TCP +port. It can use the Marcus Franz Xaver Johannes Oberhumers LZO library +for compression. + +%package devel +Summary: Development headers and examples for OpenVPN plug-ins + +%description devel +OpenVPN can be extended through the --plugin option, which provides +possibilities to add specialized authentication, user accounting, +packet filtering and related features. These plug-ins need to be +written in C and provides a more low-level and information rich access +to similar features as the various script-hooks. + + +%prep +gpgv2 --quiet --keyring %{SOURCE6} %{SOURCE1} %{SOURCE0} +%setup -q -n %{name}-%{version}%{?prerelease:_%{prerelease}} +%patch1 -p1 -b .ch_default_cipher +%patch50 -p1 + +sed -i -e 's,%{_datadir}/openvpn/plugin,%{_libdir}/openvpn/plugin,' doc/openvpn.8 + +# %%doc items shouldn't be executable. +find contrib sample -type f -perm /100 \ + -exec chmod a-x {} \; + +%build +%configure \ + --enable-iproute2 \ + --with-crypto-library=openssl \ + --enable-pkcs11 \ + --enable-selinux \ + --enable-systemd \ + --enable-x509-alt-username \ + --enable-async-push \ + --docdir=%{_pkgdocdir} \ + SYSTEMD_UNIT_DIR=%{_unitdir} \ + TMPFILES_DIR=%{_tmpfilesdir} \ + IPROUTE=/sbin/ip +%{__make} %{?_smp_mflags} + +%check +# Test Crypto: +./src/openvpn/openvpn --genkey --secret key +./src/openvpn/openvpn --cipher aes-128-cbc --test-crypto --secret key +./src/openvpn/openvpn --cipher aes-256-cbc --test-crypto --secret key +./src/openvpn/openvpn --cipher aes-128-gcm --test-crypto --secret key +./src/openvpn/openvpn --cipher aes-256-gcm --test-crypto --secret key + +%if %{with tests_long} +# Randomize ports for tests to avoid conflicts on the build servers. +cport=$[ 50000 + ($RANDOM % 15534) ] +sport=$[ $cport + 1 ] +sed -e 's/^\(rport\) .*$/\1 '$sport'/' \ + -e 's/^\(lport\) .*$/\1 '$cport'/' \ + < sample/sample-config-files/loopback-client \ + > %{_tmppath}/%{name}-%{version}-%{release}-%(%{__id_u})-loopback-client +sed -e 's/^\(rport\) .*$/\1 '$cport'/' \ + -e 's/^\(lport\) .*$/\1 '$sport'/' \ + < sample/sample-config-files/loopback-server \ + > %{_tmppath}/%{name}-%{version}-%{release}-%(%{__id_u})-loopback-server + +pushd sample +# Test SSL/TLS negotiations (runs for 2 minutes): +../src/openvpn/openvpn --config \ + %{_tmppath}/%{name}-%{version}-%{release}-%(%{__id_u})-loopback-client & +../src/openvpn/openvpn --config \ + %{_tmppath}/%{name}-%{version}-%{release}-%(%{__id_u})-loopback-server +wait +popd + +rm -f %{_tmppath}/%{name}-%{version}-%{release}-%(%{__id_u})-loopback-client \ + %{_tmppath}/%{name}-%{version}-%{release}-%(%{__id_u})-loopback-server +%endif + +%install +%{__make} install DESTDIR=$RPM_BUILD_ROOT +find $RPM_BUILD_ROOT -name '*.la' | xargs rm -f +mkdir -p -m 0750 $RPM_BUILD_ROOT%{_sysconfdir}/%{name}/client $RPM_BUILD_ROOT%{_sysconfdir}/%{name}/server +cp %{SOURCE2} %{SOURCE3} sample/sample-config-files/ + +# Create some directories the OpenVPN package should own +mkdir -m 0750 -p $RPM_BUILD_ROOT%{_rundir}/%{name}-{client,server} +mkdir -m 0770 -p $RPM_BUILD_ROOT%{_sharedstatedir}/%{name} + +# Package installs into %%{_pkgdocdir} directly +# Add various additional files +cp -a AUTHORS ChangeLog contrib sample distro/systemd/README.systemd $RPM_BUILD_ROOT%{_pkgdocdir} + +# Remove some files which does not really belong here +rm -f $RPM_BUILD_ROOT%{_pkgdocdir}/sample/Makefile{,.in,.am} +rm -f $RPM_BUILD_ROOT%{_pkgdocdir}/contrib/multilevel-init.patch +rm -rf $RPM_BUILD_ROOT%{_pkgdocdir}/sample/sample-keys + +%pre +getent group openvpn &>/dev/null || groupadd -r openvpn +getent passwd openvpn &>/dev/null || \ + /usr/sbin/useradd -r -g openvpn -s /sbin/nologin -c OpenVPN \ + -d /etc/openvpn openvpn +exit 0 + +%post +%systemd_post openvpn-client@\*.service +%systemd_post openvpn-server@\*.service + +%preun +%systemd_preun openvpn-client@\*.service +%systemd_preun openvpn-server@\*.service + +%postun +%systemd_postun_with_restart openvpn-client@\*.service +%systemd_postun_with_restart openvpn-server@\*.service +%systemd_postun_with_restart openvpn@\*.service + +%files +%{_pkgdocdir} +%exclude %{_pkgdocdir}/README.IPv6 +%exclude %{_pkgdocdir}/README.mbedtls +%exclude %{_pkgdocdir}/sample/sample-plugins +%{_mandir}/man8/%{name}.8* +%{_sbindir}/%{name} +%{_libdir}/%{name}/ +%{_unitdir}/%{name}-client@.service +%{_unitdir}/%{name}-server@.service +%{_tmpfilesdir}/%{name}.conf +%config %dir %{_sysconfdir}/%{name}/ +%config %dir %attr(-,-,openvpn) %{_sysconfdir}/%{name}/client +%config %dir %attr(-,-,openvpn) %{_sysconfdir}/%{name}/server +%attr(0750,-,openvpn) %{_rundir}/%{name}-client +%attr(0750,-,openvpn) %{_rundir}/%{name}-server +%attr(0770,openvpn,openvpn) %{_sharedstatedir}/%{name} + +%files devel +%{_pkgdocdir}/sample/sample-plugins +%{_includedir}/openvpn-plugin.h +%{_includedir}/openvpn-msg.h + + +%changelog +* Fri Nov 05 2023 Elkhan Mammadli - 2.4.12-2 +- Added exit 0 to %%pre + +* Thu Mar 17 2022 David Sommerseth - 2.4.12-1 +- Update to upstream OpenVPN 2.4.12 +- Fixes CVE-2022-0547 + +* Wed Apr 21 2021 David Sommerseth - 2.4.11-1 +- Update to upstream OpenVPN 2.4.11 +- Fixes CVE-2020-15078 + +* Wed Dec 9 2020 David Sommerseth - 2.4.10-1 +- Update to upstream OpenVPN 2.4.10 + +* Sun Apr 19 2020 David Sommerseth - 2.4.9-1 +- Update to upstream OpenVPN 2.4.9 + +* Fri Nov 1 2019 David Sommerseth - 2.4.8-1 +- Updating to upstream OpenVPN 2.4.8 + +* Wed Feb 20 2019 David Sommerseth - 2.4.7-1 +- Updating to upstream OpenVPN 2.4.7 + +* Fri Feb 01 2019 Fedora Release Engineering - 2.4.6-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild + +* Sat Oct 6 2018 David Sommerseth - 2.4.6-3 +- Enable the asynchronous push feature, which can improve connect speeds with slow authentication backends + +* Fri Jul 13 2018 Fedora Release Engineering - 2.4.6-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild + +* Thu Apr 26 2018 David Sommerseth - 2.4.6-1 +- Updating to upstream, openvpn-2.4.6 + +* Thu Mar 1 2018 David Sommerseth - 2.4.5-1 +- Updating to upstream, openvpn-2.4.5 +- Package upstream ChangeLog, which contains a bit more details than Changes.rst +- Cleaned up spec file further, removed Group: tag, trimmed changelog section, + added gcc to BuildRequires. +- Excluded not relevant file, README.mbedtls +- Package upstream version of README.systemd +- Fix wrong group owner of /etc/openvpn/{client,server} (rhbz#1526743) +- Changed crypto self-test to test AES-{128,256}-{CBC,GCM} instead of only BF-CBC (deprecated) +- Change /run/openvpn-{client,server} permissions to be 0750 instead of 0710, with group set to openvpn + +* Thu Feb 08 2018 Fedora Release Engineering - 2.4.4-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild + +* Thu Jan 25 2018 Igor Gnatenko - 2.4.4-2 +- Fix systemd executions/requirements + +* Tue Sep 26 2017 David Sommerseth - 2.4.4-1 +- Update to upstream openvpn-2.4.4 +- Includes fix for possible stack overflow if --key-method 1 is used {CVE-2017-12166} + +* Fri Aug 4 2017 David Sommerseth - 2.4.3-4 +- Change to AES-GCM as the default cipher for server configurations (rhbz#1479270) + +* Thu Aug 03 2017 Fedora Release Engineering - 2.4.3-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild + +* Thu Jul 27 2017 Fedora Release Engineering - 2.4.3-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild + +* Wed Jun 21 2017 David Sommerseth - 2.4.3-1 +- Updating to upstream openvpn-2.4.3 +- Fix remotely-triggerable ASSERT() on malformed IPv6 packet {CVE-2017-7508} +- Prevent two kinds of stack buffer OOB reads and a crash for invalid input data {CVE-2017-7520} +- Fix potential double-free in --x509-alt-username {CVE-2017-7521} +- Fix remote-triggerable memory leaks {CVE-2017-7521} +- Ensure OpenVPN systemd services are restarted upon upgrades +- Verify PGP signature of source tarball as part of package building +- Build against system lz4 library + +* Fri May 12 2017 David Sommerseth - 2.4.2-2 +- Install and take ownership of /run/openvpn-{client,server} (rhbz#1444601) +- Install and take ownership of /var/lib/openvpn (rhbz#922786) + +* Thu May 11 2017 David Sommerseth - 2.4.2-1 +- Updating to upstream openvpn-2.4.2 +- Switching back to OpenSSL, using compat-openssl10 (rhbz#1443749, rhbz#1432125, rhbz#1440468) +- Re-enabling --enable-x509-alt-username (rhbz#1443942) +- Add --enable-selinux +- Build with lz4 library from Fedora + +* Wed Mar 29 2017 David Sommerseth - 2.4.1-3 +- Splitting out -devel files into a separate package +- Removed several contrib and sample files which makes is not + strictly needed in this package. +- build: Enable tests runs by default, long running tests can + be disabled with "--without tests_long" +- build: Removed defined %%{plugins} macro not in use + +* Fri Mar 24 2017 David Sommerseth - 2.4.1-2 +- Various cleanups +- Use systemd-rpm macros (rhbz #850257) +- Removed the deprecated openvpn@.service unit. Replaced by openvpn-{client,server}@.service +- Added README.systemd describing new systemd unit files + +* Thu Mar 23 2017 David Sommerseth - 2.4.1-1 +- Updating to upstream release, v2.4.1 +- Added mbed TLS patch to allow RSA keys down to 1024 bits plus SHA1 + and RIPE-160 hasing algorithms (based on OpenVPN 3 legacy profile) +- Removed no-functional ./configure options +- Use upstream tmfiles.d/openvpn +- Package newer openvpn-client/server@.service unit files + +* Thu Feb 09 2017 Jon Ciesla 2.4.0-2 +- Move to mbedtls to resolve FTBFS. +- Dropped, re-add once openvpn supports openssl 1.1.x +- --enable-pkcs11 \ +- --enable-x509-alt-username \ + +* Tue Dec 27 2016 Jon Ciesla 2.4.0-1 +- 2.4.0. +