libtls17-2.8.0-lp152.2.6

Name: libtls17
Version: 2.8.0
Release: lp152.2.6
Summary: A simplified interface for the OpenSSL/LibreSSL TLS protocol implementation
Description: LibreSSL is an open-source implementation of the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols. It derives from OpenSSL and intends to provide a more secure implementation. The libtls library provides a modern and simplified interface (of libssl) for secure client and server communications.
Build host: sheep82
Distribution: openSUSE Leap 15.2
Vendor: openSUSE
License: OpenSSL
Bug URL: https://bugs.opensuse.org
Group: System/Libraries
URL: http://libressl.org/
OS/Arch: linux, x86_64
Source RPM: libressl-2.8.0-lp152.2.6.src.rpm

Provides:
  libtls.so.17()(64bit)
  libtls.so.17(LIBRESSL)(64bit)
  libtls17
  libtls17(x86-64)

Requires:
  /sbin/ldconfig
  libc.so.6()(64bit)
  libc.so.6(GLIBC_2.14)(64bit)
  libc.so.6(GLIBC_2.2.5)(64bit)
  libc.so.6(GLIBC_2.26)(64bit)
  libc.so.6(GLIBC_2.4)(64bit)
  libc.so.6(GLIBC_2.8)(64bit)
  libcrypto.so.43()(64bit)
  libcrypto.so.43(LIBRESSL)(64bit)
  libpthread.so.0()(64bit)
  libpthread.so.0(GLIBC_2.2.5)(64bit)
  libssl.so.45()(64bit)
  libssl.so.45(LIBRESSL)(64bit)
  rpmlib(CompressedFileNames) <= 3.0.4-1
  rpmlib(FileDigests) <= 4.6.0-1
  rpmlib(PayloadFilesHavePrefix) <= 4.0-1
  rpmlib(PayloadIsXz) <= 5.2-1
Changelog authors: jengelh@inai.de, tchvatal@suse.com, astieger@suse.com, sor.alexei@meowr.ru

- Update to new upstream release 2.8.0
  * Fixed a pair of 20+ year-old bugs in X509_NAME_add_entry.
  * Tighten up checks for various X509_VERIFY_PARAM functions, 'poisoning' parameters so that an unverified certificate cannot be used if it fails verification.
  * Fixed a potential memory leak on failure in ASN1_item_digest.
  * Fixed a potential memory alignment crash in asn1_item_combine_free.
  * Removed unused SSL3_FLAGS_DELAY_CLIENT_FINISHED and SSL3_FLAGS_POP_BUFFER flags in write path, simplifying IO paths.
  * Removed SSL_OP_TLS_ROLLBACK_BUG buggy client workarounds.
  * Added const annotations to many existing APIs from OpenSSL, making interoperability easier for downstream applications.
  * Added a missing bounds check in c2i_ASN1_BIT_STRING.
  * Removed three remaining single DES cipher suites.
  * Fixed a potential leak/incorrect return value in DSA signature generation.
  * Added a blinding value when generating DSA and ECDSA signatures, in order to reduce the possibility of a side-channel attack leaking the private key.
  * Added ECC constant time scalar multiplication support.
  * Revised the implementation of RSASSA-PKCS1-v1_5 to match the specification in RFC 8017.
  * Changes from 2.7.4:
  * Avoid a timing side-channel leak when generating DSA and ECDSA signatures.
    [CVE-2018-12434, boo#1097779]
  * Reject excessively large primes in DH key generation.

- Update to new upstream release 2.7.3
  * Removed incorrect NULL checks in DH_set0_key().
  * Limited tls_config_clear_keys() to only clear private keys.

- Update to new upstream release 2.7.2
  * Updated and added extensive new HISTORY sections to the API manuals.

- Update to new upstream release 2.7.1
  * Fixed a bug in int_x509_param_set_hosts, calling strlen() if name length provided is 0 to match the OpenSSL behaviour. [CVE-2018-8970, boo#1086778]

- Update to new upstream release 2.7.0
  * Added support for many OpenSSL 1.0.2 and 1.1 APIs.
  * Added support for automatic library initialization in libcrypto, libssl, and libtls.
  * Converted more packet handling methods to CBB, which improves resiliency when generating TLS messages.
  * Completed TLS extension handling rewrite, improving consistency of checks for malformed and duplicate extensions.
  * Rewrote ASN1_TYPE_{get,set}_octetstring() using templated ASN.1. This removes the last remaining use of the old M_ASN1_ macros (asn1_mac.h) from API that needs to continue to exist.
  * Added support for client-side session resumption in libtls.
  * A libtls client can specify a session file descriptor (a regular file with appropriate ownership and permissions) and libtls will manage reading and writing of session data across TLS handshakes.
  * Merged more DTLS support into the regular TLS code path.

- Update to new upstream release 2.6.4
  * Make tls_config_parse_protocols() work correctly when passed a NULL pointer for a protocol string.
  * Correct TLS extensions handling when no extensions are present.

- Add extra-symver.diff

- Update to new upstream release 2.6.3
  * Added support for providing CRLs to libtls - once a CRL is provided via tls_config_set_crl_file(3) or tls_config_set_crl_mem(3), CRL checking is enabled and required for the full certificate chain.
  * Reworked TLS certificate name verification code to more strictly follow RFC 6125.
  * Relaxed SNI validation to allow non-RFC-compliant clients using literal IP addresses with SNI to connect to a libtls-based TLS server.
  * Added tls_peer_cert_chain_pem() to libtls, useful in private certificate validation callbacks such as those in relayd.
  * Added SSL{,_CTX}_set_{min,max}_proto_version(3) functions.
  * Imported HKDF (HMAC Key Derivation Function) from BoringSSL.
  * Dropped cipher suites using DSS authentication.
  * Removed support for DSS/DSA from libssl.
  * Distinguish between self-issued certificates and self-signed certificates. The certificate verification code has special cases for self-signed certificates and without this change, self-issued certificates (which it seems are commonplace with openvpn/easyrsa) were also being included in this category.
  * Removed NPN support - NPN was never standardised and the last draft expired in October 2012.
  * Removed SSL_OP_CRYPTOPRO_TLSEXT_BUG workaround for old/broken CryptoPro clients.
  * Removed support for the TLS padding extension, which was added as a workaround for an old bug in F5's TLS termination.
  * Added ability to clamp notafter values in certificates for systems with 32-bit time_t. This is necessary to conform to RFC 5280 §4.1.2.5.
  * Removed the original (pre-IETF) chacha20-poly1305 cipher suites.
  * Reclassified ECDHE-RSA-DES-CBC3-SHA from HIGH to MEDIUM.
- Add des-fcrypt.diff [boo#1065363]

- Update to new upstream release 2.6.2
  * Provide a useful error with libtls if there are no OCSP URLs in a peer certificate.
  * Keep track of which keypair is in use by a TLS context, fixing a bug where a TLS server with SNI would only return the OCSP staple for the default keypair.
- Update to new upstream release 2.6.1
  * Added tls_config_set_ecdhecurves() to libtls, which allows the names of the elliptical curves that may be used during client and server key exchange to be specified.
  * Removed support for DSS/DSA, since we removed the cipher suites a while back.
  * Removed NPN support.
    NPN was never standardised and the last draft expired in October 2012. ALPN was standardised.
  * Removed SSL_OP_CRYPTOPRO_TLSEXT_BUG workaround for old/broken CryptoPro clients.
  * Removed support for the TLS padding extension, which was added as a workaround for an old bug in F5's TLS termination.
  * Added ability to clamp notafter values in certificates for systems with 32-bit time_t. This is necessary to conform to RFC 5280 §4.1.2.5.
  * Implemented the SSL_CTX_set_min_proto_version(3) API.
  * Removed the original (pre-IETF) chacha20-poly1305 cipher suites.
  * Reclassified ECDHE-RSA-DES-CBC3-SHA from HIGH to MEDIUM.

- Update to new upstream release 2.6.0
  * Added support for providing CRLs to libtls. Once a CRL is provided, we enable CRL checking for the full certificate chain.
  * Allow non-compliant clients using IP literal addresses with SNI to connect to a server using libtls.
  * Avoid a potential NULL pointer dereference in d2i_ECPrivateKey().
  * Added definitions for three OIDs used in EV certificates.
  * Plugged a memory leak in tls_ocsp_free.
  * Added tls_peer_cert_chain_pem, tls_cert_hash, and tls_hex_string to libtls, useful in private certificate validation callbacks.
  * Reworked TLS certificate name verification code to more strictly follow RFC 6125.
  * Added tls_keypair_clear_key for clearing key material.
  * Removed inconsistent IPv6 handling from BIO_get_accept_socket, simplified BIO_get_host_ip and BIO_accept.
  * Fixed the openssl(1) ca command so that it generates certificates with RFC 5280-conformant time.
  * Added ASN1_TIME_set_tm to set an asn1 from a struct tm *.
  * Added SSL{,_CTX}_set_{min,max}_proto_version() functions.
  * Added HKDF (HMAC Key Derivation Function) from BoringSSL.
  * Provide a tls_unload_file() function that frees the memory returned from a tls_load_file() call, ensuring that the contents become inaccessible. This is specifically needed on platforms where the library allocators may be different from the application allocator.
  * Perform reference counting for tls_config. This allows tls_config_free() to be called as soon as it has been passed to the final tls_configure() call, simplifying lifetime tracking for the application.
  * Moved internal state of SSL and other structures to be opaque.
  * Dropped cipher suites with DSS authentication.

- Update to new upstream release 2.5.5
  * Distinguish between self-issued certificates and self-signed certificates. The certificate verification code has special cases for self-signed certificates and without this change, self-issued certificates (which it seems are commonplace with openvpn/easyrsa) were also being included in this category.

- Add conflict between libressl and the main versioned packages too

- Add conflict for split openssl packages

- Update to new upstream release 2.5.4
  * Reverted a previous change that forced consistency between return value and error code when specifying a certificate verification callback, since this breaks the documented API.
  * Switched Linux getrandom() usage to non-blocking mode, continuing to use fallback mechanisms if unsuccessful.
  * Fixed a bug caused by the return value being set early to signal successful DTLS cookie validation.

- Update to new upstream release 2.5.1
  * Avoid a side-channel cache-timing attack that can leak the ECDSA private keys when signing. [bnc#1019334]
  * Detect zero-length encrypted session data early.
  * Curve25519 Key Exchange support.
  * Support for alternate chains for certificate verification.
- Update to new upstream release 2.5.2
  * Added EVP interface for MD5+SHA1 hashes.
  * Fixed DTLS client failures when the server sends a certificate request.
  * Corrected handling of padding when upgrading an SSLv2 challenge into an SSLv3/TLS connection.
  * Allowed protocols and ciphers to be set on a TLS config object in libtls.
- Update to new upstream release 2.5.3
  * Documentation updates
- Remove ecs.diff (merged)

- Add ecs.diff [bnc#1019334]

- Update to new upstream release 2.5.0
  * libtls now supports ALPN and SNI.
  * libtls adds a new callback interface for integrating custom IO functions.
  * libtls now handles 4 cipher suite groups: "secure" (TLSv1.2+AEAD+PFS), "compat" (HIGH:!aNULL), "legacy" (HIGH:MEDIUM:!aNULL), "insecure" (ALL:!aNULL:!eNULL). This allows for flexibility and finer grained control, rather than having two extremes.
  * libtls now always loads CA, key and certificate files at the time the configuration function is called.
  * Add support for OCSP intermediate certificates.
  * Added functions used by stunnel and exim from BoringSSL - this brings in X509_check_host, X509_check_email, X509_check_ip, and X509_check_ip_asc.
  * Improved behavior of arc4random on Windows when using memory leak analysis software.
  * Correctly handle an EOF that occurs prior to the TLS handshake completing.
  * Limit the support of the "backward compatible" ssl2 handshake to only be used if TLS 1.0 is enabled.
  * Fix incorrect results in certain cases on 64-bit systems when BN_mod_word() can return incorrect results. BN_mod_word() now can return an error condition.
  * Added constant-time updates to address CVE-2016-0702.
  * Fixed undefined behavior in BN_GF2m_mod_arr().
  * Removed unused Cryptographic Message Support (CMS).
  * More conversions of long long idioms to time_t.
  * Reverted change that cleans up the EVP cipher context in EVP_EncryptFinal() and EVP_DecryptFinal(). Some software relies on the previous behaviour.
  * Avoid unbounded memory growth in libssl, which can be triggered by a TLS client repeatedly renegotiating and sending OCSP Status Request TLS extensions.
  * Avoid falling back to a weak digest for (EC)DH when using SNI with libssl.

- Update to new upstream release 2.4.2
  * Ensured OCSP only uses and compares GENERALIZEDTIME values as per RFC6960.
    Also added fixes for OCSP to work with intermediate certificates provided in responses.
  * Fixed incorrect results from BN_mod_word() when the modulus is too large.
  * Correctly handle an EOF prior to completing the TLS handshake in libtls.
  * Removed flags for disabling constant-time operations. This removes support for DSA_FLAG_NO_EXP_CONSTTIME, DH_FLAG_NO_EXP_CONSTTIME, and RSA_FLAG_NO_CONSTTIME flags, making all of these operations unconditionally constant-time.

- Update to new upstream release 2.4.2
  * Ensured OCSP only uses and compares GENERALIZEDTIME values as per RFC6960. Also added fixes for OCSP to work with intermediate certificates provided in responses.
  * Fixed incorrect results from BN_mod_word() when the modulus is too large.
  * Correctly handle an EOF prior to completing the TLS handshake in libtls.

- Update to new upstream release 2.4.1
  * Correct a problem that prevents the DSA signing algorithm from running in constant time even if the flag BN_FLG_CONSTTIME is set.

- Update to new upstream release 2.4.0
  * Added missing error handling around bn_wexpand() calls.
  * Added explicit_bzero calls for freed ASN.1 objects.
  * Fixed X509_*set_object functions to return 0 on allocation failure.
  * Implemented the IETF ChaCha20-Poly1305 cipher suites.
  * Changed default EVP_aead_chacha20_poly1305() implementation to the IETF version, which is now the default.
  * Fixed password prompts from openssl(1) to properly handle ^C.
  * Reworked error handling in libtls so that configuration errors are visible.
  * Deprecated internal use of EVP_[Cipher|Encrypt|Decrypt]_Final.

- Update to new upstream release 2.3.4 [boo#978492, boo#977584]
  * Fix multiple vulnerabilities in libcrypto relating to ASN.1 and encoding.

- Update to new upstream release 2.3.3
  * cert.pem has been reorganized and synced with Mozilla's certificate store.

- Update to new upstream release 2.3.2
  * Added EVP_aead_chacha20_poly1305_ietf() which matches the AEAD construction introduced in RFC 7539, which is different than that already used in TLS with EVP_aead_chacha20_poly1305().
  * Avoid a potential undefined C99+ behavior due to shift overflow in AES_decrypt.
- Remove 0001-Fix-for-OpenSSL-CVE-2015-3194.patch, 0001-Fix-for-OpenSSL-CVE-2015-3195.patch (included)

- Add 0001-Fix-for-OpenSSL-CVE-2015-3194.patch, 0001-Fix-for-OpenSSL-CVE-2015-3195.patch [boo#958768]

- Update to new upstream release 2.3.1
  * ASN.1 cleanups and RFC5280 compliance fixes.
  * Time representations switched from "unsigned long" to "time_t". LibreSSL now checks if the host OS supports 64-bit time_t.
  * Changed tls_connect_servername to use the first address that resolves with getaddrinfo().
  * Fixed a memory leak and out-of-bounds access in OBJ_obj2txt.
  * Fixed an up-to 7 byte overflow in RC4 when len is not a multiple of sizeof(RC4_CHUNK).
- Drop CVE-2015-5333_CVE-2015-5334.patch (merged)

- Security update for libressl:
  * CVE-2015-5333: Memory Leak [boo#950707]
  * CVE-2015-5334: Buffer Overflow [boo#950708]
- adding CVE-2015-5333_CVE-2015-5334.patch

- Update to new upstream release 2.3.0
  * SSLv3 is now permanently removed from the tree.
  * libtls API: The read/write functions work correctly with external event libraries. See the tls_init man page for examples of using libtls correctly in asynchronous mode.
  * When using tls_connect_fds, tls_connect_socket or tls_accept_fds, libtls no longer implicitly closes the passed in sockets. The caller is responsible for closing them in this case.
  * Removed support for DTLS_BAD_VER.
    Pre-DTLSv1 implementations are no longer supported.
  * SHA-0 is removed, which was withdrawn shortly after publication 20 years ago.

- Update to new upstream release 2.2.3
  * LibreSSL 2.2.2 incorrectly handles ClientHello messages that do not include TLS extensions, resulting in such handshakes being aborted. This release corrects the handling of such messages.

- drop /etc/ssl/cert.pem

- Avoid file conflict with ca-certificates by dropping /etc/ssl/certs

- Update to new upstream release 2.2.2
  * Incorporated fix for OpenSSL issue #3683 [malformed private key via command line segfaults openssl]
  * Removed workarounds for TLS client padding bugs, removed SSLv3 support from openssl(1), removed IE 6 SSLv3 workarounds, removed RSAX engine.
  * Modified tls_write in libtls to allow partial writes, clarified with examples in the documentation.
  * Building a program that intentionally uses SSLv3 will result in a linker warning.
  * Added TLS_method, TLS_client_method and TLS_server_method as a replacement for the SSLv23_*method calls.
  * Switched `openssl dhparam` default from 512 to 2048 bits.
  * Fixed `openssl pkeyutl -verify` to exit with a 0 on success.
  * Fixed dozens of Coverity issues including dead code, memory leaks, logic errors and more.

- Update to new upstream release 2.2.1 [bnc#937891]
  * Protocol parsing conversions to BoringSSL's CRYPTO ByteString (CBS) API
  * Added EC_curve_nid2nist and EC_curve_nist2nid from OpenSSL
  * Removed Dynamic Engine support
  * Removed unused and obsolete MDC-2DES cipher
  * Removed workarounds for obsolete SSL implementations
  * Fixes and changes for platforms other than GNU/Linux

- Update to new upstream release 2.2.0
  * Removal of OPENSSL_issetugid and all library getenv calls. Applications can and should no longer rely on environment variables for changing library behavior. OPENSSL_CONF/SSLEAY_CONF is still supported with the openssl(1) command.
  * libtls API and documentation additions
  * fixed:
    * CVE-2015-1788: Malformed ECParameters causes infinite loop
    * CVE-2015-1789: Exploitable out-of-bounds read in X509_cmp_time
    * CVE-2015-1792: CMS verify infinite loop with unknown hash function (this code is not enabled by default)
  * already fixed earlier, or not found in LibreSSL:
    * CVE-2015-4000: DHE man-in-the-middle protection (Logjam)
    * CVE-2015-1790: PKCS7 crash with missing EnvelopedContent
    * CVE-2014-8176: Invalid free in DTLS

- Ship pkgconfig files again

- Update to new upstream release 2.1.6
  * Reject server ephemeral DH keys smaller than 1024 bits
  * Fixed CVE-2015-0286 - Segmentation fault in ASN1_TYPE_cmp
  * Fixed CVE-2015-0287 - ASN.1 structure reuse memory corruption
  * Fixed CVE-2015-0289 - PKCS7 NULL pointer dereferences
  * Fixed CVE-2015-0209 - Use After Free following d2i_ECPrivatekey error
  * Fixed CVE-2015-0288 - X509_to_X509_REQ NULL pointer deref

- Update to 2.1.4:
  * Improvements to libtls:
    - a new API for loading CA chains directly from memory instead of a file, allowing verification with privilege separation in a chroot without direct access to CA certificate files.
    - Ciphers default to TLSv1.2 with AEAD and PFS.
    - Improved error handling and message generation.
    - New APIs and improved documentation.
  * Add X509_STORE_load_mem API for loading certificates from memory. This facilitates accessing certificates from a chrooted environment.
  * New AEAD "MAC alias" allows configuring TLSv1.2 AEAD ciphers by using 'TLSv1.2+AEAD' as the cipher selection string.
  * New openssl(1) command 'certhash' replaces the c_rehash script.
  * Server-side support for TLS_FALLBACK_SCSV for compatibility with various auditor and vulnerability scanners.
  * Dead and disabled code removal including MD5, Netscape workarounds, non-POSIX IO, SCTP, RFC 3779 support, "#if 0" sections, and more.
  * The ASN1 macros are expanded to aid readability and maintainability.
  * Various NULL pointer asserts removed in favor of letting the OS/signal handler catch them.
  * Refactored argument handling in openssl(1) for consistency and maintainability.
  * Support for building with OPENSSL_NO_DEPRECATED.
  * Dozens of issues found with the Coverity scanner fixed.
  * Fix a minor information leak that was introduced in t1_lib.c r1.71, whereby an additional 28 bytes of .rodata (or .data) is provided to the network. In most cases this is a non-issue since the memory content is already public.
  * Fixes for the following low-severity issues were integrated into LibreSSL from OpenSSL 1.0.1k:
    - CVE-2015-0205 - DH client certificates accepted without verification.
    - CVE-2014-3570 - Bignum squaring may produce incorrect results.
    - CVE-2014-8275 - Certificate fingerprints can be modified.
    - CVE-2014-3572 - ECDHE silently downgrades to ECDH [Client].

- Add package signatures

- Update to new upstream release 2.1.3
  * Fixes for various memory leaks in DTLS, including those for CVE-2015-0206.
  * Application-Layer Protocol Negotiation (ALPN) support.
  * Simplified and refactored SSL/DTLS handshake code.
  * SHA256 Camellia cipher suites for TLS 1.2 from RFC 5932.
  * Ensure the stack is marked non-executable for assembly sections.

- Update to new upstream release 2.1.2
  * The two cipher suites GOST and Camellia have been reworked or reenabled, providing better interoperability with systems around the world.
  * The libtls library, a modern and simplified interface for secure client and server communications, is now packaged.
  * Assembly acceleration of various algorithms (most importantly AES, MD5, SHA1, SHA256, SHA512) are enabled for AMD64.
- Remove libressl-no-punning.diff (file to patch is gone)

- Update to new upstream release 2.1.1
  * Address POODLE attack by disabling SSLv3 by default
  * Fix Elliptical Curve cipher selection bug

Files: /usr/lib64/libtls.so.17, /usr/lib64/libtls.so.17.0.1
Build flags: -fmessage-length=0 -grecord-gcc-switches -O2 -Wall -D_FORTIFY_SOURCE=2 -fstack-protector-strong -funwind-tables -fasynchronous-unwind-tables -fstack-clash-protection -g
Dist URL: obs://build.opensuse.org/openSUSE:Leap:15.2/standard/ca866d54f9c0cb21fc0a755b4c972813-libressl
Payload: cpio, xz (level 5)
Platform: x86_64-suse-linux
File type: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, BuildID[sha1]=c32d50b6006cffd454096b5d15d36ae78a10a328, stripped