libtls17-32bit-2.8.0-lp152.2.6 >  A ^ /=„r }͝rɠr+"D Ahc@}߮5wS \s~ߞ[tX&΁!ވeKrGS5Ǫ]P- 8ud9W4(jjNj[U|%fl\s2@ZtP閟l!E| nfY+Kslr*g=Vme^g2{fZ)YDDNK-6r1٣Ee73338f4e83cdb011b89f4deeaf6cc08b4c837f9feab5522b44062653812dc36da5241252f15597a87d229ecf4a65178ad42d46b^ /=„])3y̛fY qj ߘI>q.T; F@tp%ő* {3R$K n8ȣS=#裓+v Wljddʈ]DU7?zyIsl>m|B N=uN"œ6XKdʎ7 7(3ZB>xw '@\eO1@23{nt&BUUJ=`Q Pd+؁*pJ<>p>^?^d ! m $*1@H L P X  @(A8H)9):)>[ G[H[ I[(X[,Y[<\[`][h^[b[c\Nd\e\f\l\u\v\w]hx]py]x]]]^Clibtls17-32bit2.8.0lp152.2.6A simplified interface for the OpenSSL/LibreSSL TLS protocol implementationLibreSSL is an open-source implementation of the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols. It derives from OpenSSL and intends to provide a more secure implementation. The libtls library provides a modern and simplified interface (of libssl) for secure client and server communications.^cloud105openSUSE Leap 15.2openSUSEOpenSSLhttps://bugs.opensuse.orgSystem/Librarieshttp://libressl.org/linuxx86_64/sbin/ldconfig^^4173f4b8d4356cda3c9cfb1dd6c15dd76ba04e6db536b4c0851e7025873f0baflibtls.so.17.0.1rootrootrootrootlibressl-2.8.0-lp152.2.6.src.rpmlibtls.so.17libtls.so.17(LIBRESSL)libtls17-32bitlibtls17-32bit(x86-32)@@@@@@@@@@@@@@    /bin/shlibc.so.6libc.so.6(GLIBC_2.0)libc.so.6(GLIBC_2.1)libc.so.6(GLIBC_2.1.3)libc.so.6(GLIBC_2.26)libc.so.6(GLIBC_2.4)libc.so.6(GLIBC_2.8)libcrypto.so.43libcrypto.so.43(LIBRESSL)libpthread.so.0libpthread.so.0(GLIBC_2.0)libpthread.so.0(GLIBC_2.2)libssl.so.45libssl.so.45(LIBRESSL)rpmlib(CompressedFileNames)rpmlib(FileDigests)rpmlib(PayloadFilesHavePrefix)rpmlib(PayloadIsXz)3.0.4-14.6.0-14.0-15.2-14.14.1[j@Z?Z@ZZ@Z;@Z%8Z@Y*@YKYY@Y i@Y XX@W@WWWZWPW)@V@V@VjV9@V VU@UUU@U@UzU@U @TT@TÉ@TT~@jengelh@inai.dejengelh@inai.dejengelh@inai.dejengelh@inai.dejengelh@inai.dejengelh@inai.dejengelh@inai.dejengelh@inai.dejengelh@inai.dejengelh@inai.dejengelh@inai.detchvatal@suse.comtchvatal@suse.comjengelh@inai.dejengelh@inai.dejengelh@inai.dejengelh@inai.dejengelh@inai.dejengelh@inai.dejengelh@inai.dejengelh@inai.dejengelh@inai.dejengelh@inai.dejengelh@inai.dejengelh@inai.dejengelh@inai.deastieger@suse.comjengelh@inai.dejengelh@inai.dejengelh@inai.dejengelh@inai.dejengelh@inai.deastieger@suse.comjengelh@inai.dejengelh@inai.dejengelh@inai.desor.alexei@meowr.rujengelh@inai.dejengelh@inai.dejengelh@inai.dejengelh@inai.de- Update to new upstream release 2.8.0 * Fixed a pair of 20+ year-old bugs in X509_NAME_add_entry. * Tighten up checks for various X509_VERIFY_PARAM functions, 'poisoning' parameters so that an unverified certificate cannot be used if it fails verification. * Fixed a potential memory leak on failure in ASN1_item_digest. * Fixed a potential memory alignment crash in asn1_item_combine_free. * Removed unused SSL3_FLAGS_DELAY_CLIENT_FINISHED and SSL3_FLAGS_POP_BUFFER flags in write path, simplifying IO paths. * Removed SSL_OP_TLS_ROLLBACK_BUG buggy client workarounds. * Added const annotations to many existing APIs from OpenSSL, making interoperability easier for downstream applications. * Added a missing bounds check in c2i_ASN1_BIT_STRING. * Removed three remaining single DES cipher suites. * Fixed a potential leak/incorrect return value in DSA signature generation. * Added a blinding value when generating DSA and ECDSA signatures, in order to reduce the possibility of a side-channel attack leaking the private key. * Added ECC constant time scalar multiplication support. * Revised the implementation of RSASSA-PKCS1-v1_5 to match the specification in RFC 8017. * Changes from 2.7.4: * Avoid a timing side-channel leak when generating DSA and ECDSA signatures. [CVE-2018-12434, boo#1097779] * Reject excessively large primes in DH key generation.- Update to new upstream release 2.7.3 * Removed incorrect NULL checks in DH_set0_key(). * Limited tls_config_clear_keys() to only clear private keys.- Update to new upstream release 2.7.2 * Updated and added extensive new HISTORY sections to the API manuals.- Update to new upstream release 2.7.1 * Fixed a bug in int_x509_param_set_hosts, calling strlen() if name length provided is 0 to match the OpenSSL behaviour. [CVE-2018-8970, boo#1086778]- Update to new upstream release 2.7.0 * Added support for many OpenSSL 1.0.2 and 1.1 APIs. * Added support for automatic library initialization in libcrypto, libssl, and libtls. * Converted more packet handling methods to CBB, which improves resiliency when generating TLS messages. * Completed TLS extension handling rewrite, improving consistency of checks for malformed and duplicate extensions. * Rewrote ASN1_TYPE_ get,set _octetstring() using templated ASN.1. This removes the last remaining use of the old M_ASN1_ macros (asn1_mac.h) from API that needs to continue to exist. * Added support for client-side session resumption in libtls. * A libtls client can specify a session file descriptor (a regular file with appropriate ownership and permissions) and libtls will manage reading and writing of session data across TLS handshakes. * Merged more DTLS support into the regular TLS code path.- Update to new upstream release 2.6.4 * Make tls_config_parse_protocols() work correctly when passed a NULL pointer for a protocol string. * Correct TLS extensions handling when no extensions are present.- Add extra-symver.diff- Update to new upstream release 2.6.3 * Added support for providing CRLs to libtls - once a CRL is provided via tls_config_set_crl_file(3) or tls_config_set_crl_mem(3), CRL checking is enabled and required for the full certificate chain. * Reworked TLS certificate name verification code to more strictly follow RFC 6125. * Relaxed SNI validation to allow non-RFC-compliant clients using literal IP addresses with SNI to connect to a libtls-based TLS server. * Added tls_peer_cert_chain_pem() to libtls, useful in private certificate validation callbacks such as those in relayd. * Added SSL{,_CTX}_set_{min,max}_proto_version(3) functions. * Imported HKDF (HMAC Key Derivation Function) from BoringSSL. * Dropped cipher suites using DSS authentication. * Removed support for DSS/DSA from libssl. * Distinguish between self-issued certificates and self-signed certificates. The certificate verification code has special cases for self-signed certificates and without this change, self-issued certificates (which it seems are common place with openvpn/easyrsa) were also being included in this category. * Removed NPN support - NPN was never standardised and the last draft expired in October 2012. * Removed SSL_OP_CRYPTOPRO_TLSEXT_BUG workaround for old/broken CryptoPro clients. * Removed support for the TLS padding extension, which was added as a workaround for an old bug in F5's TLS termination. * Added ability to clamp notafter values in certificates for systems with 32-bit time_t. This is necessary to conform to RFC 5280 §4.1.2.5. * Removed the original (pre-IETF) chacha20-poly1305 cipher suites. * Reclassified ECDHE-RSA-DES-CBC3-SHA from HIGH to MEDIUM. - Add des-fcrypt.diff [boo#1065363]- Update to new upstream release 2.6.2 * Provide a useful error with libtls if there are no OCSP URLs in a peer certificate. * Keep track of which keypair is in use by a TLS context, fixing a bug where a TLS server with SNI would only return the OCSP staple for the default keypair. - Update to new upstream release 2.6.1 * Added tls_config_set_ecdhecurves() to libtls, which allows the names of the eliptical curves that may be used during client and server key exchange to be specified. * Removed support for DSS/DSA, since we removed the cipher suites a while back. * Removed NPN support. NPN was never standardised and the last draft expired in October 2012. ALPN was standardised. * Removed SSL_OP_CRYPTOPRO_TLSEXT_BUG workaround for old/broken CryptoPro clients. * Removed support for the TLS padding extension, which was added as a workaround for an old bug in F5's TLS termintation. * Added ability to clamp notafter values in certificates for systems with 32-bit time_t. This is necessary to conform to RFC 5280 §4.1.2.5. * Implemented the SSL_CTX_set_min_proto_version(3) API. * Removed the original (pre-IETF) chacha20-poly1305 cipher suites. * Reclassified ECDHE-RSA-DES-CBC3-SHA from HIGH to MEDIUM.- Update to new upstream release 2.6.0 * Added support for providing CRLs to libtls. Once a CRL is provided, we enable CRL checking for the full certificate chain. * Allow non-compliant clients using IP literal addresses with SNI to connect to a server using libtls. * Avoid a potential NULL pointer dereference in d2i_ECPrivateKey(). * Added definitions for three OIDs used in EV certificates. * Plugged a memory leak in tls_ocsp_free. * Added tls_peer_cert_chain_pem, tls_cert_hash, and tls_hex_string to libtls, useful in private certificate validation callbacks. * Reworked TLS certificate name verification code to more strictly follow RFC 6125. * Added tls_keypair_clear_key for clearing key material. * Removed inconsistent IPv6 handling from BIO_get_accept_socket, simplified BIO_get_host_ip and BIO_accept. * Fixed the openssl(1) ca command so that is generates certificates with RFC 5280-conformant time. * Added ASN1_TIME_set_tm to set an asn1 from a struct tm *. * Added SSL{,_CTX}_set_{min,max}_proto_version() functions. * Added HKDF (HMAC Key Derivation Function) from BoringSSL * Providea a tls_unload_file() function that frees the memory returned from a tls_load_file() call, ensuring that it the contents become inaccessible. This is specifically needed on platforms where the library allocators may be different from the application allocator. * Perform reference counting for tls_config. This allows tls_config_free() to be called as soon as it has been passed to the final tls_configure() call, simplifying lifetime tracking for the application. * Moved internal state of SSL and other structures to be opaque. * Dropped cipher suites with DSS authentication.- Update to new upstream release 2.5.5 * Distinguish between self-issued certificates and self-signed certificates. The certificate verification code has special cases for self-signed certificates and without this change, self-issued certificates (which it seems are common place with openvpn/easyrsa) were also being included in this category.- Add conflict between libressl and the main versioned packages too- Add conflict for split openssl packages- Update to new upstream release 2.5.4 * Reverted a previous change that forced consistency between return value and error code when specifing a certificate verification callback, since this breaks the documented API. * Switched Linux getrandom() usage to non-blocking mode, continuing to use fallback mechanims if unsuccessful. * Fixed a bug caused by the return value being set early to signal successful DTLS cookie validation.- Update to new upstream release 2.5.1 * Avoid a side-channel cache-timing attack that can leak the ECDSA private keys when signing. [bnc#1019334] * Detect zero-length encrypted session data early * Curve25519 Key Exchange support. * Support for alternate chains for certificate verification. - Update to new upstream release 2.5.2 * Added EVP interface for MD5+SHA1 hashes * Fixed DTLS client failures when the server sends a certificate request. * Corrected handling of padding when upgrading an SSLv2 challenge into an SSLv3/TLS connection. * Allowed protocols and ciphers to be set on a TLS config object in libtls. - Update to new upstream release 2.5.3 * Documentation updates - Remove ecs.diff (merged)- Add ecs.diff [bnc#1019334]- Update to new upstream release 2.5.0 * libtls now supports ALPN and SNI * libtls adds a new callback interface for integrating custom IO functions. * libtls now handles 4 cipher suite groups: "secure" (TLSv1.2+AEAD+PFS), "compat" (HIGH:!aNULL), "legacy" (HIGH:MEDIUM:!aNULL), "insecure" (ALL:!aNULL:!eNULL). This allows for flexibility and finer grained control, rather than having two extremes. * libtls now always loads CA, key and certificate files at the time the configuration function is called. * Add support for OCSP intermediate certificates. * Added functions used by stunnel and exim from BoringSSL - this brings in X509_check_host, X509_check_email, X509_check_ip, and X509_check_ip_asc. * Improved behavior of arc4random on Windows when using memory leak analysis software. * Correctly handle an EOF that occurs prior to the TLS handshake completing. * Limit the support of the "backward compatible" ssl2 handshake to only be used if TLS 1.0 is enabled. * Fix incorrect results in certain cases on 64-bit systems when BN_mod_word() can return incorrect results. BN_mod_word() now can return an error condition. * Added constant-time updates to address CVE-2016-0702 * Fixed undefined behavior in BN_GF2m_mod_arr() * Removed unused Cryptographic Message Support (CMS) * More conversions of long long idioms to time_t * Reverted change that cleans up the EVP cipher context in EVP_EncryptFinal() and EVP_DecryptFinal(). Some software relies on the previous behaviour. * Avoid unbounded memory growth in libssl, which can be triggered by a TLS client repeatedly renegotiating and sending OCSP Status Request TLS extensions. * Avoid falling back to a weak digest for (EC)DH when using SNI with libssl.- Update to new upstream release 2.4.2 * Ensured OSCP only uses and compares GENERALIZEDTIME values as per RFC6960. Also added fixes for OCSP to work with intermediate certificates provided in responses. * Fixed incorrect results from BN_mod_word() when the modulus is too large. * Correctly handle an EOF prior to completing the TLS handshake in libtls. * Removed flags for disabling constant-time operations. This removes support for DSA_FLAG_NO_EXP_CONSTTIME, DH_FLAG_NO_EXP_CONSTTIME, and RSA_FLAG_NO_CONSTTIME flags, making all of these operations unconditionally constant-time.- Update to new upstream release 2.4.2 * Ensured OSCP only uses and compares GENERALIZEDTIME values as per RFC6960. Also added fixes for OCSP to work with intermediate certificates provided in responses. * Fixed incorrect results from BN_mod_word() when the modulus is too large. * Correctly handle an EOF prior to completing the TLS handshake in libtls.- Update to new upstream release 2.4.1 * Correct a problem that prevents the DSA signing algorithm from running in constant time even if the flag BN_FLG_CONSTTIME is set.- Update to new upstream release 2.4.0 * Added missing error handling around bn_wexpand() calls. * Added explicit_bzero calls for freed ASN.1 objects. * Fixed X509_*set_object functions to return 0 on allocation failure. * Implemented the IETF ChaCha20-Poly1305 cipher suites. * Changed default EVP_aead_chacha20_poly1305() implementation to the IETF version, which is now the default. * Fixed password prompts from openssl(1) to properly handle ^C. * Reworked error handling in libtls so that configuration errors are visible. * Deprecated internal use of EVP_[Cipher|Encrypt|Decrypt]_Final.- Update to new upstream release 2.3.4 [boo#978492, boo#977584] * Fix multiple vulnerabilities in libcrypto relating to ASN.1 and encoding.- Update to new upstream release 2.3.3 * cert.pem has been reorganized and synced with Mozilla's certificate store- Update to new upstream release 2.3.2 * Added EVP_aead_chacha20_poly1305_ietf() which matches the AEAD construction introduced in RFC 7539, which is different than that already used in TLS with EVP_aead_chacha20_poly1305(). * Avoid a potential undefined C99+ behavior due to shift overflow in AES_decrypt. - Remove 0001-Fix-for-OpenSSL-CVE-2015-3194.patch, 0001-Fix-for-OpenSSL-CVE-2015-3195.patch (included)- Add 0001-Fix-for-OpenSSL-CVE-2015-3194.patch, 0001-Fix-for-OpenSSL-CVE-2015-3195.patch [boo#958768]- Update to new upstream release 2.3.1 * ASN.1 cleanups and RFC5280 compliance fixes. * Time representations switched from "unsigned long" to "time_t". LibreSSL now checks if the host OS supports 64-bit time_t. * Changed tls_connect_servername to use the first address that resolves with getaddrinfo(). * Fixed a memory leak and out-of-bounds access in OBJ_obj2txt, * Fixed an up-to 7 byte overflow in RC4 when len is not a multiple of sizeof(RC4_CHUNK). - Drop CVE-2015-5333_CVE-2015-5334.patch (merged)- Security update for libressl: * CVE-2015-5333: Memory Leak [boo#950707] * CVE-2015-5334: Buffer Overflow [boo#950708] - adding CVE-2015-5333_CVE-2015-5334.patch- Update to new upstream release 2.3.0 * SSLv3 is now permanently removed from the tree. * libtls API: The read/write functions work correctly with external event libraries. See the tls_init man page for examples of using libtls correctly in asynchronous mode. * When using tls_connect_fds, tls_connect_socket or tls_accept_fds, libtls no longer implicitly closes the passed in sockets. The caller is responsible for closing them in this case. * Removed support for DTLS_BAD_VER. Pre-DTLSv1 implementations are no longer supported. * SHA-0 is removed, which was withdrawn shortly after publication 20 years ago.- Update to new upstream release 2.2.3 * LibreSSL 2.2.2 incorrectly handles ClientHello messages that do not include TLS extensions, resulting in such handshakes being aborted. This release corrects the handling of such messages.- drop /etc/ssl/cert.pem- Avoid file conflict with ca-certificates by dropping /etc/ssl/certs- Update to new upstream release 2.2.2 * Incorporated fix for OpenSSL issue #3683 [malformed private key via command line segfaults openssl] * Removed workarounds for TLS client padding bugs, removed SSLv3 support from openssl(1), removed IE 6 SSLv3 workarounds, removed RSAX engine. * Modified tls_write in libtls to allow partial writes, clarified with examples in the documentation. * Building a program that intentionally uses SSLv3 will result in a linker warning. * Added TLS_method, TLS_client_method and TLS_server_method as a replacement for the SSLv23_*method calls. * Switched `openssl dhparam` default from 512 to 2048 bits * Fixed `openssl pkeyutl -verify` to exit with a 0 on success * Fixed dozens of Coverity issues including dead code, memory leaks, logic errors and more.- Update to new upstream release 2.2.1 [bnc#937891] * Protocol parsing conversions to BoringSSL's CRYPTO ByteString (CBS) API * Added EC_curve_nid2nist and EC_curve_nist2nid from OpenSSL * Removed Dynamic Engine support * Removed unused and obsolete MDC-2DES cipher * Removed workarounds for obsolete SSL implementations * Fixes and changes for plaforms other than GNU/Linux- Update to new upstream release 2.2.0 * Removal of OPENSSL_issetugid and all library getenv calls. Applications can and should no longer rely on environment variables for changing library behavior. OPENSSL_CONF/SSLEAY_CONF is still supported with the openssl(1) command. * libtls API and documentation additions * fixed: * CVE-2015-1788: Malformed ECParameters causes infinite loop * CVE-2015-1789: Exploitable out-of-bounds read in X509_cmp_time * CVE-2015-1792: CMS verify infinite loop with unknown hash function (this code is not enabled by default) * already fixed earlier, or not found in LibreSSL: * CVE-2015-4000: DHE man-in-the-middle protection (Logjam) * CVE-2015-1790: PKCS7 crash with missing EnvelopedContent * CVE-2014-8176: Invalid free in DTLS- Ship pkgconfig files again- Update to new upstream release 2.1.6 * Reject server ephemeral DH keys smaller than 1024 bits * Fixed CVE-2015-0286 - Segmentation fault in ASN1_TYPE_cmp * Fixed CVE-2015-0287 - ASN.1 structure reuse memory corruption * Fixed CVE-2015-0289 - PKCS7 NULL pointer dereferences * Fixed CVE-2015-0209 - Use After Free following d2i_ECPrivatekey error * Fixed CVE-2015-0288 - X509_to_X509_REQ NULL pointer deref- Update to 2.1.4: * Improvements to libtls: - a new API for loading CA chains directly from memory instead of a file, allowing verification with privilege separation in a chroot without direct access to CA certificate files. - Ciphers default to TLSv1.2 with AEAD and PFS. - Improved error handling and message generation. - New APIs and improved documentation. * Add X509_STORE_load_mem API for loading certificates from memory. This facilitates accessing certificates from a chrooted environment. * New AEAD "MAC alias" allows configuring TLSv1.2 AEAD ciphers by using 'TLSv1.2+AEAD' as the cipher selection string. * New openssl(1) command 'certhash' replaces the c_rehash script. * Server-side support for TLS_FALLBACK_SCSV for compatibility with various auditor and vulnerability scanners. * Dead and disabled code removal including MD5, Netscape workarounds, non-POSIX IO, SCTP, RFC 3779 support, "#if 0" sections, and more. * The ASN1 macros are expanded to aid readability and maintainability. * Various NULL pointer asserts removed in favor of letting the OS/signal handler catch them. * Refactored argument handling in openssl(1) for consistency and maintainability. * Support for building with OPENSSL_NO_DEPRECATED. * Dozens of issues found with the Coverity scanner fixed. * Fix a minor information leak that was introduced in t1_lib.c r1.71, whereby an additional 28 bytes of .rodata (or .data) is provided to the network. In most cases this is a non-issue since the memory content is already public. * Fixes for the following low-severity issues were integrated into LibreSSL from OpenSSL 1.0.1k: - CVE-2015-0205 - DH client certificates accepted without verification. - CVE-2014-3570 - Bignum squaring may produce incorrect results. - CVE-2014-8275 - Certificate fingerprints can be modified. - CVE-2014-3572 - ECDHE silently downgrades to ECDH [Client].- Add package signatures- Update to new upstream release 2.1.3 * Fixes for various memory leaks in DTLS, including those for CVE-2015-0206. * Application-Layer Protocol Negotiation (ALPN) support. * Simplfied and refactored SSL/DTLS handshake code. * SHA256 Camellia cipher suites for TLS 1.2 from RFC 5932. * Ensure the stack is marked non-executable for assembly sections.- Update to new upstream release 2.1.2 * The two cipher suites GOST and Camellia have been reworked or reenabled, providing better interoperability with systems around the world. * The libtls library, a modern and simplified interface for secure client and server communications, is now packaged. * Assembly acceleration of various algorithms (most importantly AES, MD5, SHA1, SHA256, SHA512) are enabled for AMD64. - Remove libressl-no-punning.diff (file to patch is gone)- Update to new upstream release 2.1.1 * Address POODLE attack by disabling SSLv3 by default * Fix Eliptical Curve cipher selection bug/bin/sh2.8.0-lp152.2.62.8.0-lp152.2.6libtls.so.17libtls.so.17.0.1/usr/lib/-fomit-frame-pointer -fmessage-length=0 -grecord-gcc-switches -O2 -Wall -D_FORTIFY_SOURCE=2 -fstack-protector-strong -funwind-tables -fasynchronous-unwind-tables -fstack-clash-protection -gobs://build.opensuse.org/openSUSE:Leap:15.2/standard/ca866d54f9c0cb21fc0a755b4c972813-libresslcpioxz5x86_64-suse-linuxELF 32-bit LSB shared object, Intel 80386, version 1 (SYSV), dynamically linked, BuildID[sha1]=ac5102a93ae5fc4973daa8144f3fc06afd87ff6e, strippedPPRRRRRRRR R R R RR Rutf-8ec7badc523a36e92b355867cdc9e97c112c22ffd5d13965875798251017d23d1? 7zXZ !t/;]^] cr$x#*ʰa 6Y+Ӕ^*U`r '@6')T< rݷQ4\*(|<cjtZ/H(@[0/HM4fj.,[Gd cymB+TLK{ OԀ*V^KLmA0V<܂ZlFw1'՗&,$ !pX~4גAXooG&]Y^qHoaq7_ZgB 2#d 'Z嫦 t" Z<c7kXt/M1+N8=1I"dtyӠte> s齄jlf1QPӐ&la> vfkzՐ3o upeF_ 2bXz-x%[/)W WV\h t(tѿiS?lhudebxJ&3̙&@*l#-v ,Yufd[^1(%[›q3[`L؆/x!Gq[N .}(qEgp<Ȕ(?n ?6 |>LQ==6۟!L4/HھTQBNrP*l)|I@5lkon @l] ;Oje5 = !&Rqt|ȢĂc'Ub<, $=e'rA_!hhr`48.O~{9P/x@JhˆȀ ӭ,JkLx0(&7s̈́8Z2b:Mا^ #CQ]t𣐈36AGV{-Nu@3ߐ mL:iIí@㍭'1M8G%K߬)wמ35̓zzԪ/}o֛.>I @+4oʙ -[\2WOeS~j8d,SޞZ68F"AՓUTw68-N]lC},M${44Or@ɯ%&?4oaDSzJƑ;GsMP>;.XvMeTq}R``&{OCbz $;Kl@Ǥ~iDM Ӑg<8񡭫8kj%?8;WU9~O'܎N#4\tF 4]nv"f21 ߑ`Xݚ{?Ň4iJ |\F-U&v} enG]g?^.QCo4N^ç Jk_ 9POi:հ,x/(N”{1f$nzZz֍qxDEj=N4J8-..@B: ބ_67!|U<(yG-&z7H+>2mbaT[kT)#`,[iLEd%-Ǒ#+x3f$JkgU:W}nA[A ΌyB^&==$نCbH'VrPG+}x.*XZ.gnA޳=~J!&Q?9Rb5j2Y*(DU#^{3addRa'@w0PWFMp?t{4"j8``,o_oT8Pjw6o gZ]&g!8R ~L?% TeHC`Tכz G(鏚^\1^k\gfD&}~*9mĕ`skC=qpzA6J~ MўހE[c&!V\C #c[%JQ `Y>&H/; \Ж wg1oP5{pxV/.߸gRNR^)dex?v&ݏg##u04fFp601 ~eT; %Dblp#QڙSBK\L(Zj\:vƪ!Bqf0rp0BW_V(5%0 IL8䖾PK洍qT\W )Q|G_%+7zt{5sxNH0U꼌 B#kK Dҟ$0`$RƳBחv' h6OM7"XzMk`WO*:5 :ZseFKJ5H)%L?a0T$a"i-]Cl }n(<̉6056מ,iQY櫞H횀|~I!XQ[R2wyj7[aJVabJ̭.wy0E )C9pne>Rxq@gnlPo}!k3;0Jc_]E˔ 3D6 q$,VpY3îQǖh=~! ],= T'lk_8`bԆr I,6?{K7 ӻ8$DD'Cg\ LH.gzWN%YvrZu7DssUHa@ׯħ/Qw쟂2пciݻ@Y Swn)5ޡV&H t1{?k*:d2JXݎx ]L,rw h/Z?UyJ7rJy^W7fVFPAYt/ Hr% Ў8#*̨SfB7zg"&UtLl0@"0~a8Q 5{!zZrȝ(2d=[il +=}ty;nС{/qK 7Ny_T[?4p x;ϵ`6o$aҽAex7kHH€ڼ6T4ĥ^g|_'m9N|yL4iu$pѠ~T:TC*|504m&|(]Tc0[ 3I(t +M|z>vv-Iw`lwˢfzG  ݔܗO>̨-5yt@CN55J|U?Vbd@$‘[FkTIcGٔ-r>EV;Ώ̌ADKҴ ?f/95ې_}b&5,+v5?UAׄ]řm&/_7rM"R# )p/[:I1JRjIDEx*>~)ft(އҸ0ʢ8EL8N_d)`Gy\%¬ȅ€|1fW~UL&Cm?5-Q݌חNNV<׋LɇcH܋dMV8@߯hZ 9GG-0#Fx'׉P+j/?.ӭ&sP=`Ԉh=Pl06M1vbʣ Z"{{Wupس3 Ԕu8\sG8|?81ߗL'E`S)yaFdp:$=KDsrFύٌpndmצ%j\2ϲ4? f?BsA'ux.XRhTjއJFfJ!zm Y :$l&* rk1'2""\ĢL+ዛ Јʥ[#:͎%+mei9bٲƫ/ :x35PꍰWHP`߀ kO\wUNKDF{=T_LB-ʧWoIߘ/"V|P^!+w3 n}<-3u!܈<1`P .'!:OLJ|JY @=,!gdrJbVB-CGa37Ʀr%WV26wd%\jˌ#F2}3&_7έ;eZM6$^p\ Kcײ-6OQ L1% &G - i&4vG[|pshۇY6m@Ht}\1{(elyx-'?Ydz0b9VOo!P3DxՊuB[d kDK۶e<]i9,#bN\'G5!j B:C*.*B&zgwY]iyOFwjc77Co 'ds/5^ -ȻAi7slڨ> ףx|vmКź?>uUsTq]gS #3 eajӕ@ig\[_zQEd;UGV0Zp4llI e})儡bd%'f|u4z8{wӃK Nx[N`V珳hD`< ʎ0,mt]~2Q_~v'ޚ}BUuY6ߍHQCҚEhʺCj[QjCH&$Yj}rsofة.(|wԚQU@)z*R3̞CY["FQѪǓƮdՖ= @C%=x`/=vk#,9$Ԥ:" ڳl7\\ހH5f5b! 8"+%,Tdz^ZP.bp:sZ c?$FR ҀnpHokVu(`ƘPөYqg|t?~BUafçw/7PY1 z)\fHCh$`oФ;LZ6΂mM qhJ],E2@:&SaGox ꌤRe]~`!W>#Ĵ:W%s?  QI<@֒f~Wn_MWo,e}^AJ*ܔ `00ysqH Bk)elBy]uEPLW䞳Z!)м]b+l]7Og-lǕ$.p1,fF/||HإMwm當:ci (2]}UD\wO :T˵+ϭ% eZSaǚP! <֌csM/${G+N&:Adh!5F̻nR/ &5}qaIl:MGeS G'r`A$S\ݍp Xc3o?~Yy$v򈟯Gy% qeb&į-g哫rې[FcҾSW>.2hd30uK+ZQS}}I%5Cю^8K! /{uc?fpP4Yi' P^vBb ~$N׉e4kyReIS-9[$h/x58!8g|75"o*|鬝+HK 5EJ/cFU+ؙ鑀6HCz3C@7h a%agZ+Rg70d"̛`ēBTt*&2gxB.6Y]KFW?K\wmgA91ΙQ>+#EDX~[[ӻ5dNtzsEWK3(? u&U)VKMiQZKߋG4|Km-l+ $k?6zN󚇻rԡfZZv9BG>.h5V*mW]p. QU{hnwRP:+"h2;9Ph0aK.>4j0[z붸;*6(ZI%Dd–iq$_N0UG.Bʪ>`'p,LX.RfI {j5$]fbgxSXmOZ'hò '1Ai8!A3^ifr%^p+{D oykă)L9x{DrGJjݡ炻M"m u+kC],RjB<2;(s~m3i0VRI81Vxգ'n%)w!_ٌ0q8: FZ ő'$Tmq2z/f 9n[Mgi+ӄĺZv*o@ @<;~Fu xSzaWf&'xbPAZ i|#YdbxS׎-Ⱥ6ӵ Q|J&]mј/B\ "Q6?_@SqhddKE;Un?'rM7pTóM/y.pX}kX.[v@$zAؽQR00aᰤA W) "_H*jy&eb>Rh`|sԵԺy%:r, zQW./,y;^aurd퐔bX4?Rt}IYud<& "Ƞ]CSf.ɭ]M$|,-N4PŝByɲꉮ#1FgJyύBcbA@u(>ƃ\(y 7?e,0}ZvBrW]NGRʈɝS`x[]3Ljh2%B6:xx/ B \l`XMO!03z\',rK^k3vnP=VF Lin5"^&5b{zگp餜/ ʀb -V zP74w.2[cMk* &Un`гV#b\3ͤClT.5f*ĴC=sM~fs]<|/Q8sDbŪ덱Wj@մSzeGBMIzyJβ &2Ƹ`t$j>D߁Rba1OA$Ʒfzyy˃_lʗJfה:|,Q%}9JspJaӦYoZnlrE5ܤJ_vHOd:CB럵Y4`PU<|`Xv4#CfԾQ֗[9&ds Ё. x ~~ "4κ&&`#)-%/0fRZi9Q&ο==i778I@ qb^nCyW+hځ-lKZȔlIiߢF̌-srdVjkW2$&Z9Oψlf5VE h-TN27at{ZaItk__/vn"x;ƠTHr"w-w4=S,=p҄NF#c;j "IU9 G>hgD~4l)' kM1xui0\dCV+;+P#3@-Ie9wD,2~(- +_ş6ݖ۷Zi0Ⱥ&u>3Tall[Xc~8=4p&#[QBc`X=xn?]  dh;lR~ 2nhCnsVt)k|;]vJnWbÛ<X1j\s"IBL<Ş^^ + sm۠zBixy缨y0MKV&}>俣Q$pC\jI EZԄ('B709*h<*Y l(bWR?f'Bx-uOH7Ԩ߰RC`<#:V;8ǃ"l->FeH1kqad9 d=*)W4 { b@:)l:mH PqRSYI)i6u4Ш"+1OGd5ܸ>a ͿK\إrTW!Y"800ɿ$":j/ 4AvK ̇8n*qS߳ jFF83$6UUB_RH7{ŅIi&ɧNWHtjzYQ2~W^2;&7s4cϙ]nu"b3=PF1vMv| 6ufe[ /Kp[M«0wNGD5rm?&=[lBuc gr1pi +X lJWx% #.a<,j, ܣL& YOYƛ`!đ V Ly_Oq_ X#ejs2Pmci2G99SǤvCsNЂ7*H| M /Za"b{LPWM@ƹa/&FkhBzזDREm]zJ[AF؁(00:-oLFTtuH˴DnۑM!{KDL!ՈkGJ^bƗb{IE%ewWWẃ!wxϦҗZ[Mۇ~oaCqOKK^|_~'j=OVB׆K꺢@H4̧= o>>{Vsޭ2 0%M=PH)}ERB?GrmfEDl,?ꦒ@b̞ f2dw:ҭDzZš!;}Dͅ9Ё'םozKZ;ǀF#Y`P:vcwS(h&CFYE+ mLQd~0r[sYR&r:]ur󎀗6VxuR TCiuU[;LM$ D) f)O8{:Cv~VJwab)9_QB 4^üsiNc301 ϟsQniz ͛*ÂAg!H-kK |gՀ;ʳH fL}GfNɮA,DCE!"bԡ?}yr̢h_M=r- ^,<9^i%ѡnyk׼ŧ~eU;S66'O1ɣ-aE(bvU|Y,:"MA|NDݽk=Dū"+W7-6'*<1G=KO *1o"ehMx/`=mNZ/hI}J"}# t;2o19B8:8R8#YdgBIGfr/z$7BKl\;$ypW`]ڢ{6?>> .Xrx|Pjdww<ҜΜXԢπ2+¾~(=`]5 ԌŭEYn>XlqZ?ٳga3驨1* Y|+q3=ZW}9Ȟ{o++ !>0s^^SV;:}z<p2mvxA22KnjH _C Mcq&-b,@T}s my/v36ྲ LQ\ l+*(ACSΛiM1v%.P`v/蔲 KqS(.`&߅Eg4>6iކF]Kt_]@'r{CPG@,ǡ),71 A9byl 3'ă kI}fNC;p͏ M $dMm$A!lS;<8xF5NVZpPxF:.'8E6|!&8oYLM %bo6;h ,sF nűܑ';a %9/{}jTK!3T+o[k &#+}׬ 쳔)D++ĖGƚ%D9, @P{B-uٸ޴iNCHY?$E֐HrA@3x=P/[2TH{dL(΃l=,Q(XhV}NE-bkn);ؼ=ڽ"C9>GԾv%as-Gќ&!$UH:PfZ‚]OhĀ{12#z]d.LƸ8j(Uq]39flJ8Mf+: P*/ o(TOaVJv-D~q!CmyK1""2CY. Ϣ҃+89A>_cZ?7&~Āc>:0#a透䎕LbCk!4s*Ue|ݱvHk6h-7M֧rݮapig +!扒(@ $~~>L_ZБU(%⌺Hkª # Yk9vc0ם>Bz ?E'w/Sr~Y9YjLl0ο"mNG3Pns^i\T `{3+[=Ch&-sA*E&=ʌS+Љ-9Ufב54]QL;,Hm:m DvJM(+&(,;NyPR۫^4%ܰk lSSQ*c>R- l"I"HK_ƕ:ndǩtv@ $Rw?;}Oc$EQxk˙yu.sPA<3 8W|d]ݏJ ;/Y~3>0{|wl P 0 ѽnB[v bHſ[sqA;t/%"aR  /}!H}[U)$_ k` F['VF(7,QKq!\ѝspQ8̚.45JW?#I^[#ixg<(]yu`S3sgƊ?2l-E0}ėr]KipXӖjO4Ŧ(z/p:#sǝ"|7 k >Mjȓƿ>NZs?zt}>M~M*粫{,Z> I0oFZ$<1S^Ar[ Wk^{֩f _ҒUzeƵ`\8AdT[tj="_[Yuw:MO R`nI]5Lf¿MwPG+Ev̲cI&kV9~(HQș=;Sa g$(G˲}Wd06L>zWs玸*` 8-\xb6Pϫ&'78C';IJ|ܞ^b3Hv$  SLzW\`)|N@pj=r>{CG"mre +/2 aJ(QߛEd8 #nsg". !`2C&{'B![;<^ 0XF60VCqlC t=h]91i&Yng!7Gbai9NgARʴ F%3uHE b-GHIXFQo;R_=: lENڧaI3+nl?o>298`eNGA:LXCr;fSxpX1חsu/,Ŏu_^H d&%?v YA\ZЕiY8͸D>ûRHɳ, ?6p?2>q+@H!8v܈!eX&.Ǒ#_'ohw#ttDŽsٺ9^ ^lb%MC)M~x<6[RŅopoR;Cʄ馏NP B_m2Ć)2sN}V9:e Mb6gJw^cHlU2E=11~%g4;%7=V`ZތXr|hI/J%>ȋt V"j@>މfQ͜,zUH 2$IXE-w>ucOżvEu[rLPBu-‷ힽ-ifI4h:JE6S^5NMLqD'~)E?M[`vR*ӑv6_>?0ja ؽԿB ]n lç@;|emy n7k*MM)؆ x~x]4ZRpT  Rm2سZFbP5 &2ܡ!rOr: wDP滰?1cwU ܹ̔2B,nOv}S'$&DC8|727CpJ5Ik쒙b^؄pMS!ҍJ$c;aH+.i:C3^R'-&F% ? MOj;Q l+O ]H3pÈ -:[XdwO]OSKl^oxƅE ӼahuK:sH3 )J|ب#~|˲tjRҧzEEh]M l-U [#շ^CF|*KVD=磖D\S %SӺ ޠ)}X%NcD}!WUB|/&P1Ly7`$ hg BgSF-4s+XiPpPY_]fk,lvrr`Ĝ Yɬi_%}l:PCES'oS~* T4 c Z Wj$^UUD {{0UT1X>I6sG9f%\o˹s]68ʦP%G=T;dqlstPv3{sa u% ֔trc)T1sK`?+؞]%t2:2/ <'.?ސaPArQ@0¶&r$} KſqEHS;ײg;[r~,VF0)3%ά.O㮡Rra/1j7=,XѶwex[:q>IV~ʒB3s_kZ^OK-XĂү2 *XP-;J) /UmK!naڦ3nr|N ߿5Ih81O8]=bR: dx=4lyTf~e: Hک\>o7M9Pg :/دȶBF;74nCyX@<,/|t::فwuJjHVE. BהSzprKEBRzb,~oM&#sPշ6:nS 5$pG"ͷ3#0*0Áj*4TALiv*iw!cf m^שt mКWf%Ym&)s۰M`:zyGxf_6"2?r2&åM|ɟ1#HRx|_!T$?%v3lofdnVU=hHǐD͹nn986bݠ=v 7PΓ=k,o;= 0 V`'IK)M|3p0B 0Oz_6\1Su2nSζ`9`#f1(1zPHZKo3ײOZ!D ^0=uG.*G;f>FL')XJJ[tF:%X}6-kh`m J4aa_4Uh)s kФ|O'`XCUrDKiޖbЏyDxius !nQ~Ǵ ;{$o _MC%Ρp"a`%>tɝ+;d6WB2JEzY _YAb

Z¡XLi^n SYdYC";X!mlvД967&fh'(=M;0RcUy"@YCx%?>y;-J7k猞#bm(OL$+QV𶸮B$F/jOjnƙE߳J'6Ob+F@[R1āVQIr!S AW{œ-!Djo5v'~*Z=єxnHuav:5*d]H%TұMkdj. "Qهo&0tSUԺcfyK "ݝ9u>Z)p0g`|<1R5K2Ǟ,55 =/7+@[,1جvV:EŏLz𦒎4㊏∝&< TjY/ @0Ӏkh?PFK11nִ@d-"(`/BȮ]W\A&?A> Bms1mZһDBYZdFJoˍLfYHK!exL3Oe*պj~!bc!|̇;l]Hcqi"7[Om_|rȅePoMes^43MJRxXJ9Z1DQve&fԱ`#YtJ+D~VGlz3ޤU\U 61D{"))r-+I5=y-ڶuTI;=nGNG,Gbx\'eSltoqY8d"MNj+V cGYnF4T!c +\k &`Tw+Lf@u:`S50U֔i~ 1EQGb}. 4粲,GmARpC {ϕ=>SYdax}玨L~KӉp阙mjhiEN>#|n]R4E% D+!ﵨ,$FvY 1 K? %Ȟ2x`kZOaQz=j7n_"2Qcڮw X|v움gy%FRy_ jc~l P(c'J2:mLQ˺ٓۖp?Jt1r|VM=KP,Ro 78E zv^ gBđm)nW%lsflΐWh`Ҁ~ӃkzjTDqw՞ ' 4_P\#+q% _P9"tj#NcG-*᧳Vp(#|cY Fqh &8.4ELHgZPλ-l[_ 70KܱGYqR΍KsT:aC^KD7 o[kӛ2b%&^b71 )0'y1Ҏo>BHP L˃]0Z oh_uRpyA|2p/;ZҔNsS,U f|s!l==Й%ZB'Q#r5rM#8F@Odi{7,,_5PQ5(bI,%mcB|*>KsH A{W3.|L5zFweR .Ҕ]0)ϩk+_uX[ `;RTcHd,@L̩C\|IX)ljq'#d] ɾiYyKf_SGGYQ/}eԽLNʄ+<|9i㑭FyԝP!Lb]@ОBގ;(gUE"^ALKUDmj fȌUTbDUY71mJx_٨)JAM$=x{ Lx"94Ui_>lɉwpXlA6W\Q*^+=Ջ;gͿ,qs2 ԉJԄjH y}(OE媪<2{]l)#ԶʠjJNp?4gwH9M%3VVFےơB]՜Y-l} xy5iV&&L+O]ۣ{&d睉ٿro?D6*%6剌ҫتMUM?=I35ťtG;OoO{oWv=g MHqЪ_ R5C)θ(4F E54WUG^naq@GF->_^uMKy.Jz]xP^uzQxw 676jnb{rZ_G,7l8%qR$X~ lN@I]* >94ɧ)Ɏg s=@4sfUCޏ Ĵ97Z,!PJ Q79n9K)fEiÿ\" D[Sm47^nPC6՟~*(j-BrA:_ zm麫 `g궁:C {9.+ ufD4zmu͢Y+)Yb)[pڦ#%s2КpaRz7o?CP0(圤HSO qjCg܁qᷞSxF/Ƀ؏3JE]F.ZA``M"sIן kBqQN C_l߽_?bU0-Υ1qy]8358wD|6zd?!ZoyP?R4-s 9WIw>ж#^wQIUsݝX.g7:})_6{ Έj|  (&tT70b0sEEQ.|bqA4dHRxx>P~SΟ&t$2L9oa {aFlk<4{PRW|ysC뎚J簩$ȍ2Ah͈ QsQc 屽nڅ֡SvUûęp#;m)%YM;+̈́,[)]!KG{CąĖpu[e]"~#$sض8Me&3$DvBrv[7r7<||"?+pYBdzϴDuA':QUl i)ݙ*Jt3Il4P)?KNj,~eE+FXҨɪۥ7T(2XuC6r Z`Z$lӀSry:ۘzVa%0i|UzU(%;QjxRPZ7}\7z,*GF‚+Re_0z1ZfOPⰆ ϦZRbJiv"̳*[ZdiAAsE0`Qua/&qߡy>385ga%o tSCyNI)؄r'?*Z\xՌkoH`Mq_.@>2TP:ŮOA5! ȃ#T-/qc1{~!,?m/Buʻ= ,6d_w6uYm[U'/iua"ZgE(Rg g$HZ7AC, _Js5G 'd}2RgG"P#j7jp}6$@X,>"O8u&H-)9;(:SWjRmYC}cw?xSq "zL-OAed*&U5/ٻ3g 谣;N]Ky" YZ