freeradius-server-libs-3.0.21-3.6.1 >  A `,p9|v1\Q)2RYz|0H>HH`5iF[\ 1^OTe+iz~|/rN%tLi~~[+U<~0zZZb&wc5/m@]'\&;0`+; [U~^Y qRnЉo(K7i#EC]k-+30 GSCPA/!7M_g ^hX@146c89a91af9671b5b67ac123aa6cfe3b71399431f7a71827f3e505de5d6a65068893fb961853e4b04036fa8ea791953eb514cfbĉ`,p9|5b8_ݴ"0/4SEo߸=~Ww`F0U aN*4nEA%a≩Rlb)uE閗/>|}_n'3@@rCys`aWcogyp\Pic6;CũO/*)wBou͈ ?4 GpP5یiX E?ɐg Uv a1 n\^p>|?ld  & @dhpt < L \ |   ,T||(8 &9&: {&FGHI X(Y@\`]^bscdefluvw<x\y|$z  &hCfreeradius-server-libs3.0.213.6.1FreeRADIUS shared libraryThe FreeRADIUS shared libraries.`,s390lp5SUSE Linux Enterprise 15SUSE LLC GPL-2.0-only AND LGPL-2.1-onlyhttps://www.suse.com/System/Librarieshttp://www.freeradius.org/linuxs390xʰR 'F[AA큤`,غ`,ػ`,ػ`,ػ`,ػ`,^zM^zM9509b5a417a6c12db4b2384d1b6ed6b714a42bf15eac8a859b234b6bfe157feab094cdd1700f2b9386d7f343268f4ad3cdc43ecbfeb7618463306fac656859d715838c7216930ca45b5544b209d2b02a3d0efa19c0a3f104137d5690dba854afcb85c9cd08385f429397a54b869e39edf34a567ba2dadba670510b283d2862c68b9cc1e5d41938be45a368f126a6d1fda03d60a3d622dc75e776be4e90c2d2c6e6d6a009505e345fe949e1310334fcb0747f28dae2856759de102ab66b722cb4rootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootfreeradius-server-3.0.21-3.6.1.src.rpmfreeradius-server-libsfreeradius-server-libs(s390-64)libfreeradius-dhcp.so()(64bit)libfreeradius-eap.so()(64bit)libfreeradius-radius.so()(64bit)libfreeradius-server.so()(64bit)@@@@@@@@@@@@@@@@    ld64.so.1()(64bit)ld64.so.1(GLIBC_2.3)(64bit)libc.so.6()(64bit)libc.so.6(GLIBC_2.15)(64bit)libc.so.6(GLIBC_2.2)(64bit)libc.so.6(GLIBC_2.3)(64bit)libc.so.6(GLIBC_2.3.4)(64bit)libc.so.6(GLIBC_2.4)(64bit)libc.so.6(GLIBC_2.8)(64bit)libcrypto.so.1.1()(64bit)libcrypto.so.1.1(OPENSSL_1_1_0)(64bit)libpcap.so.1()(64bit)libpthread.so.0()(64bit)libpthread.so.0(GLIBC_2.2)(64bit)libtalloc.so.2()(64bit)libtalloc.so.2(TALLOC_2.0.2)(64bit)rpmlib(CompressedFileNames)rpmlib(FileDigests)rpmlib(PayloadFilesHavePrefix)rpmlib(PayloadIsXz)3.0.4-14.6.0-14.0-15.2-14.14.1_@_FN^y@^p^h^@\\v{\u*@[<[2*ZZWQYY@YlY, @XO@X@X*Xh@X.@W@WiV@V.Vf@UĝU@U@UU8U7@TZ@TTT~@T|X@adam.majer@suse.deadam.majer@suse.deadam.majer@suse.deadam.majer@suse.deadam.majer@suse.dejcnengel@gmail.commichael@stroeder.comadam.majer@suse.demichael@stroeder.comadam.majer@suse.demichael@stroeder.commichael@stroeder.commichael@stroeder.comadam.majer@suse.devarkoly@suse.commichael@stroeder.comadam.majer@suse.demichael@stroeder.comkukuk@suse.deadam.majer@suse.dejengelh@inai.deadam.majer@suse.demichael@stroeder.comadam.majer@suse.demichael@stroeder.comjkeil@suse.demichael@stroeder.comjkeil@suse.dejkeil@suse.dejkeil@suse.demichael@stroeder.comvcizek@suse.commichael@stroeder.comtchvatal@suse.comvcizek@suse.comdimstar@opensuse.orgvcizek@suse.commeissner@suse.com- freeradius-server-radiusd-logrotate.patch: move logrotate options into specific parts for each log as "global" options will persist past and clobber global options in the main logrotate config (bsc#1180525)- freeradius-server-radiusd-logrotate.patch: fix permissions in logrotate global section (bsc#1170505, bsc#1174905)- update to 3.0.21 (jsc#SLE-11896) Feature Improvements * New stored procedure for allocating IPs with PostgreSQL Rates of 1500 IPs per second are now possible See raddb/mods-config/sql/ippool/postgresql/procedure.sql * Add SQL IP pool support for Microsoft SQL Server See raddb/mods-config/sql/ippool/mssql/ * Added RCNTEC dictionary. Closes #3168. * Added Pica8 dictionary. Closes #3179. * Add TLS-Client-Cert-Valid-Since attribute holding not Before date Patch from Boris Lytochkin. Fixes #3157. * Generate attributes containing unknown OIDs See raddb/sites-available/tls * Update the WiMAX dictionary. * Added ability to rlm_python(Python2) show a stacktrace from errors. #2979. * Add WiFi Alliance Policy OIDs. See raddb/certs/xpextensions * radmin now shows coa stats, too. * Sample schema extensions for summarizing data in SQL See mods-config/sql/main/*/process-radacct.sql * Update dictionary.aerohive, dictionary.fortinet, dictionary.arista and dictionary.erx. * Added VAS Experts dictionary. * Many updates to RPM and jenkins builds from Matthew Newton. * Added %C (time now in seconds) and %c (microsecond component of now) back-ported from the "master" branch. * Add reload capability to systemd unit file in Debian and RedHat. * Increase timestamp precision in postauth to maximum supported by each database and simplify (and make more consistent between drivers) the timestamps in SQL queries by using expansions. * Option to set dictionary path in raduat script. Bug Fixes * Various fixes found by PVS-Studio. * Set permissions of certificates in bootstrap shell script Fixes #3132. * Increase the 'nasportid' SQL field for 'varchar(32)'. #3141. * Skip processing proxy reply if there are no home servers available. * Update SQLite IPPool queries. Fixes #3177 * rlm_sql_unixodbc fixes. Fixes #2822. * Fixes when building with LibreSSL. * Fix the rlm_python3 build. Note that this module is experimental. #3183. * The rlm_python should append the 'python_path' paths in 'sys.path'. It fixes the expected behavior to use the existing Python modules Fixes #3180. * Fix rlm_python to print the script errors properly. * Bound total query time for PostgreSQL. Fixes #3253. * Many fixes to Oracle sqlippool. It now does 500 IPs per second without any tuning. Fixes #3270. * Reference sqlippool by it's correct name. Fixes #3272. * Revert 3.0.20 patch which caused crashes on duplicate clients. * Update WiMAX-MSK attribute. Fixes #3280. * Fix crash when trying to access non-existant regex capture group. * Use timestamps (request or server) rather than SQL NOW() in accounting queries so that these are stable when replayed from a file buffer. - freeradius-python3_patches.patch: upstreamed- update to 3.0.20 (bsc#1146848) Feature Improvements * Added Force10 dictionary. * Update dictionary.hp with new attributes. #2690. * Update dictionary.aruba with new attributes. #2696. * Fix side-channel leak in EAP-PWD (bsc#1144524, CVE-2019-13456) * Relax OpenSSL version checks, now that their API is both public, and stable. * Note that tls_min_version/tls_max_version also support "1.3" Since there is no standard yet for EAP with TLS 1.3, it will not work. * Added tripplite dictionary from #2760. * Switch to the async interface for rlm_sql_postgresql so that we can enforce query_timeout. * Added new LDAP option 'allow_dangling_group_ref'. * Updated documentation and functionality for EAP session caching See "cache" section of mods-available/eap. * Tighten systemd unit file security. Fixes #2637. * Disable TLS 1.0 and TLS 1.1 support in the default configuration We STRONGLY recommend doing this for all installations. * Add expansions for *outgoing* Radsec connections "%{proxy_listen:TLS-...}" for TLS-Client-Cert-* and TLS-Cert-* attributes. Fixes #2839. * Add %{listen:tls} which returns "yes" or "no" for TLS or non-TLS connections. * Update dictionary.lancom with new attributes. #2847. * Added rlm_sql_mongo. See raddb/mods-available/sql. Note that this module is experimental. * Added more documentation in sites-available/robust-proxy-accounting. * sqlippool now re-allocates unexpired leases, to prevent IP pool exhaustion when clients perform multiple reauthentication attempts * Add support to radmin keep the history in ~/.radmin_history. * Add support for ENV and LD_PRELOAD in radiusd.conf. See the new ENV sub-section of radiusd.conf. * Update dictionary.aptilo. #3002. * Update dictionary.airespace. #3039. * Add sites-available/coa-relay, which makes CoA easier #3045. * Add example stored procedure for IP Pools in MySQL See mods-config/sql/ippool/mysql/procedure.sql * Update dictionary.dhcp dictionary with the recent hardware types. * Add experimental rlm_python3. This should largely work the same as rlm_python, which was Python2 only. * Add Dockerfiles for Debian10 and CentOS8. * Add RPM spec file compatibility for RHEL/CentOS 8. * Notes on certificate constraints. See raddb/certs/server.cnf. * Add NAIRealm example to raddb/certs/server.cnf, for RFC 7585. Bug Fixes * Allow listen.ipaddr to reference an IPv6-only host. Fixes #2627 * ERX-Acct-Request-Reason is "integer". Closes #2635. * Fix a slow memory leak in the file management code. * Try to fix file permissions if they get modified while the server is running * Fix slow memory leak with clients. * Fix request and connection timeouts in rlm_rest. * Fix systemd issues. * Fixes from clang analyzer. * Fix missing include for the dictionaries: alcatel.esam, altiga,alvarion.wimax.v2_2,aptis,asn, audiocodes,avaya,bristol, columbia_university,freedhcp,garderos, infoblox,motorola.illegal, starent.vsa1, telkom, wimax.wichorus. * Fix internal sanity check when running with "-Xx". * Allow "inner-tunnel" virtual servers to work better with "accept" and "reject" policies. * Fix dictionary.huawei data types for Huawei-DNS-Server-IPv6-address and Huawei-Framed-IPv6-Address. * Framed-Interface-ID in postgresql/queries.conf is string, not inet Fixes #2817. * Fix rlm_cache to complain on unknown attributes in the "update" section of its configuration. * Add configure checks for -latomic. This helps on armel, mips and mipsel. Fixes #2828. * Add support to Oracle 19 and 18. Via #2857. * Add support for decoding tags in rlm_rest. Fixes #2848. * Use correct passwords when updating CRLs in raddb/certs/. * Properly separate "originate-coa" packets when accounting packets are read from the detail file reader. * Use the correct virtual server for pre/post-proxy. * radsqlrelay fixes backported from "master" branch * Fix DoS issues due to multithreaded BN_CTX access (bsc#1166847, CVE-2019-17185) - disable python2 for SLE15 and Factory - freeradius-server-enable-python3.patch: enable Python3 module - freeradius-python3_patches.patch: backport python3 fixes from upstream - freeradius-server-opensslversion.patch: updated- Enable memcached driver on SLE15- Add missing BuildRequire on samba-core-devel required for windbind support in rlm_mschap.- update to 3.0.19 (jira#SLE-5890) Feature improvements * Update dictionary.cisco * Update sqlippool to allow for stored procedures with PostgreSQL. This increases performance substantially. Patch from Nathan Ward. Fixes #2540. * Re-added "show client config" command to radmin. * Cleaned up mods-available/sql example so that it is easier to understand. * Added pfSense dictionary. Closes #2581 * Update dictionary.h3c Closes #2592 * Update elasticsearch/logstash config for v6.7.0. * EAP-PWD security fixes from Mathy Vanhoef. See http://freeradius.org/security/ (CVE-2019-11234, CVE-2019-11235, bsc#1132549, bsc#1132664) Bug fixes * Update dynamic_client module and server core so that the functionality works. This has been broken since at least v2. * Fix crash in sqlippool due to escaping changes. Patch from Nathan Ward. Fixes #2532, #2533. * Fix systemd notify, watchdog and unit files. Fixes #2541, #2499. * Fix erroneous length check in EAP-FAST. * Update documentation to remove old "ignore_null" configuration. Fixes #2578. * Fix default POD port. Should be 3799. Fixes #2591 * Correctly encode vendor-specific "encrypted" attributes. Fixes #2600- reformat changelog mostly by wrapping lines - add missing bug numbers for security fixes- update to 3.0.18 * cleanup_delay can now be 30 seconds. This helps with proxies that have packet loss. * Do-Not-Respond policies can now be set in the "post-auth" section. * Encode / Decode ADSL Forum DHCP options. * Fix module ordering issues. e.g. when "sqlippool" needs "sql". See the "instantiate" section of radiusd.conf. * Add Big Switch dictionary. Fixes #2252. * Add sql_session_start policy (raddb/policy.d/accounting) This minimizes race conditions when using Simultaneous-Use (#2257). * For rlm_perl, all variables are now tainted by default. See raddb/mods-available/perl, and the "perl_flags" configuration item. This change should only affect people who are using variables in insecure ways. * Allow "sqlcounter" module to be listed in "post-auth". * Add support for IPv6 attributes in SQL. Fixes #2280 * The server is better at handling fail-over for outbound RadSec and TCP connections. Fixes #2284. * The server is now more aggressive about retrying failed outbound RadSec and TCP connections. Fixes #2284. * Add TLS-Session-Version and TLS-Session-Cipher-Suite to the "session_state" list. * Add expansion for Radsec connections. "%{listen:TLS-...}" for TLS-Client-Cert-* and TLS-Cert-* attributes. * Add notes on running "ldapsearch" using the parameters from the LDAP module. * "ipaddr" attributes can now be cast to "integer" type attributes in an "update" section. * Move main thread queue to using atomic queues. This should help with contention in high load scenarios. * Add "recv_buff" setting to listeners. For more details, see sites-available/default. * The sqlippool module can now use attributes other than "Pool-Name" to assign IP pools. The "Pool-Name" attribute is still the default. * The "unpack" expansion can now unpack substrings. See mods-available/unpack for documentation and examples. * The preprocess module now does "ciscvo_vsa_hack" for Eltex-AVPair Fixes #2301. Vendors SHOULD NOT USE THAT KIND OF ATTRIBUTE. * Allow for -LDAP-UserDN. See mods-available/ldap for more information. * Add sanitizing of control list for moonshot. Fixes #2318. * Update rlm_sql_mysql to be compatible with MySQL 8 Fixes https://bugs.launchpad.net/bugs/1795310. * Allow logging of only Access-Accept or Access-Reject messages See radiusd.conf, "auth_accept" and "auth_reject". * Removed Connect-Rate comparison. It was unused and broken. * Add dictionary.infinera. * Use OpenSSL HMAC functions instead of local ones. * Some SQL modules can now use "auto_escape" to escape unsafe strings See mods-config/sql/main/mysql/queries.conf. * Add wispr2date conversion in mods-available/date. * Implement dictionary-based handling in rlm_python. Fixes #2334 See mods-available/python for details. * Add support for SKIP LOCKED in sqlippool. This can improve performance by an order of magnitude or more. See raddb/mods-config/sql/ippool/*/queries.conf Fixes #2383 * Allow PSK and certificates at the same time Except for TLS 1.3 which does not support that. * Update docker scripts. Fixes #2306 Patch from Matthew Newton. * Add crypt xlat. * MySQL connections can now skip verifying the server certificate. Fixes #2481. See mods-available/sql. * Add better mechanism to detect MariaDB (Old MySQL). * Add RFC 7532 "bang path" support for realms Fixes #2492. * Update dictionary.ukerna documentation. Fixes #2493. * Add support for systemd service and watchdogs Fixes #2499. * Check for openss/rand.h, and allow building without OpenSSL engine. Patch from Eneas U de Queiroz Fixes #2517. * The default PosgtreSQL queries now use "ON CONFLICT" to better deal with issues. This requires PostgreSQL 9.5 or later. Please use a recent version of PostgreSQL, or edit the default queries to remove "ON CONFLICT". BUG FIXES * The session-state list is no longer cleaned in the inner-tunnel. This lets the outer Access-Reject section access session-state. * Fix typo in lock initialization for TLS sockets Found by Sergio NNX. * Add check for crash when home server down Fixes #2233. * Add username key for postauth table. * Better libpcap checks, when the header files or libraries are missing. Fixes #2245. * Allow building with old versions of OpenSSL Fixes #2247. * Allow non-FreeRADIUS State attributes to be used with the "session-state" list. i.e. State length != 16. * Be more aggressive about cleaning up zombie children when running in debug mode. * Use LTDL_DEEPBIND, which fixes issues with Oracle libraries exporting LDAP API functions. * unlock files when asked to unlock them. * return error instead of asserting in map code. * Don't write 0 bytes to SSL. Fixes #2270. * Remove "expiry_time IS NULL" from allocate_update query. Fixes #2262. * Various dictionary cleanups and consistency checks Fixes #2281. * rlm_python has stronger thread locking to prevent reported issues. Performance may be affected. * Don't allow Message-Authenticator to overflow past the end of a large packet. * Fix crash in sqlippool when SQL server goes away Fixes #2300. * Typos in man pages. Patch from Nikolai Kondrashov Fixes #2303. * Fix crash with CoA packets/ Fixes #2304. * Fix crash in rlm_exec with CoA. Fixes #2328. * Print errors while parsing the log config, and don't quit when deprecated log settings are found. * Fix DHCP encoder xlat so that it can be used with a list of attributes. It previously only encoded the first member of the list, and now encodes all members. * The "expr" module now skips more whitespace. * Remove internal FreeRADIUS-Response-Delay attributes from attr_filter Access-Reject. * Don't send junk to redis when maximum args reached. * Small updates to IPv6 for accounting schema Fixes #2364. * Fix OpenDirectory integration in rlm_mschap. * Fix slow memory leak with dynamic clients. * Don't artificially truncate debug output for long strings. * Fix memory leak in EAP-PWD. * Fix crash in "hints" file with Fall-Through = yes. * Fix crash / timer issues with many CoA packets. * Fix attr_filter so that it does not treat vendor attributes of number 26 as Vendor-Specific. * Fix reconnect correctly in rlm_sql_mysql. * Fix rlm_cache to properly use Cache-TTL < 0 Fixes #2485. * Fix rare occurance of bad xlat expansion. * Check for rare race condition when a proxy reply arrives too late.- install license as %license instead of documentation- also fix ownership of /var/log/radius in systemd unit- update to 3.0.17 Feature Improvements * Add CURLOPT_CAINFO. Patch from Nicolas C #2167. * "stats home server" now supports "src IPADDR", to specify home server also by source IP. Fixes #2169. * Add Dockerfiles for a selection of common systems. * Increase number of permitted file descriptors, for systems with many home servers. * Add TLS-Client-Cert-X509v3-Extended-Key-Usage-OIDs Patch from Isaac Boukris. Fixes #2205. * Update main READMEs. Patches from Matthew Newton. * Added dictionary.mimosa. Bug Fixes * Don't call post-proxy twice when proxying to a virtual server. Matthew Newton, #2161. * Use "raw" string value for shared secrets and dynamic clients It now parses strings with backslashes and "special characters" correctly. Fixes #2168. * Fix RuntimeDirectory for RedHat, from Alan Buxey. * Relax checks in 'if' parser from Isaac Bourkis. * Minor cleanups for %{debug_attr:&request} from Isaac Boukris. * Be more aggressive about cleaning up cached certificate attributes, due to deficiencies in OpenSSL. Reported by Nicolas Reich. * Be more accepting when parsing IPv6 addresses. Bug noted by Klara Mall. * Fix double free in rlm_sql. Fixes #2180. * rlm_detail now writes empty Access-Accept packets. * rlm_python can now create tagged attributes. * Don't crash on duplicate realm + authhost / accthost * Allow partial certificate chain to trusted CA. Fixes #2162. * Treat SSL_read() returning zero as error. Fixes #2164. * detail writer now checks if the file was renamed or deleted. * Add User-Name to Access-Accept if EAP-Message exists, not Stripped-User-Name. * RedHat Systemd updates. Fixes #2184. * Use correct API for State variable in rlm_securid. * Remove broken radclient option "-i". * Fix "users" file (and hints, etc). So that it does not get confused about entry ordering with multiple $INCLUDEs. * Fix rlm_sql to expand the un-escaped string, not the raw string. * Link default and inner-tunnel only if they exist. Fixes #2206. * Don't use both IP_PKTINFO and IP_SENDSRCADDR. * Always install signal handler for SIGINT (needed by Docker). * Fix intermediate CA flow for OCSP. Fixes #2160 Intermediate certs which are not self-signed will now be checked. * sqlippool now returns "fail" if it fails IP allocation. * Fix rlm_yubikey to look for correct attribute in replay attack check.- update to 3.0.16 Feature improvements * rlm_python now supports multiple lists. From #2031. * Add trust router re-keying. From #2007. * Add support for Samba / AD LDAP schema. See doc/schemas/ldap/samba/README.txt and doc/schemas/ldap/samba/ * Add "tls_min_version" and "tls_max_version" to EAP module for Debian OpenSSL issues. * Better documentation for client certificates in PEAP and TTLS: it usually doesn't work. Fixes #2068. * Distinguish login failure from AD unavailable. Fixes #2069. * Update RH spec files. Fixes #2070. * Run Post-Proxy-Type if all home servers are dead. Fixes #2072. * Print offending IP addresses when EAP sessions come from two upstream home servers, and rate-limit the messages. * Minor packaging updates. * Better documentation for rlm_rest. * EAP-FAST now has it's own "cipher_list", so that it is easier to configure. * EAP-FAST now forcibly disables TLS1.2, until such time as we implement the new keying mechanism from TLS1.2. * Add documentation for allow_expired_crl. * Update Debian logrotation. #2093 and #2101. * DHCP relay can now drop responses. #2095. * rlm_sqlippool can now assign Delegated-IPv6-Prefix. It also now can assign any IPv4 or IPv6 address. Based on patches from maximumG. #2094. See raddb/mods-available/sqlippool for changes. * radeapclient can now use EAP-SIM-Ki to dynamically create the necessary triplets. * Explain why many LDAP connections are closed. Fixes #1969. * Debian build / package issues fixed by Matthew Newton. * dictionary.patton updates from Brice Schaffner. Fixes #2137. * Added scripts to build "inner-server.pem", and updated mods-config/inner-eap and certs/README to match. * Added provisions for using an external CA. See raddb/certs/ * Include dhcpclient binary in freeradius-dhcp debian packge. Bug fixes * Bind the lifetime of program name and python path to the module FR-AD-002 (redone) * Pass correct statement length into sqlite3_prepare[_v2] FR-AD-003 (redone) * Allow 100-Continue responses with additional headers in rlm_rest. * fix corner case where detail files were not being locked correctly. * Fix (SQL-Group == "%{...}") checks, and same for LDAP-Group. Fixes #1947 * Clean up exfile code. Which should help to avoid issues with reading / writing 100's of detail files. * Fix build for winbind. Patch from Alex Clouter. * Fix checkrad for Mikrotik. Patch from Muchael Ducharme. * Fix home server stats lookup. Patch from Phil Mayers. * Add libjson-c3 as an optional dependency. * Require LTB OpenLDAP on CentOS / Redhat, to avoid linking against NSS, which breaks the server. Fixes #2040. * rlm_python fixes. Fixes #2041 * Typos in "man" pages. Fixes #2045 * Expand "next" in %{%{...}:-%{...}}. Fixes #2048 * Don't add TLS attributes twice. Fixes #2050. * Fix memory allocation in rlm_rest. Fixes #2051. * Update trustrouter for new API. Fixes #2059. * Fix SQLite issues on FreeBSD. Fixes #2060 * Don't do debug logging of bad passwords. Fixes #2064. (bsc#1099802) * More graceful handling of "die" in rlm_perl. Fixes #2073. * Fix occasional crash when using cisco_accounting_username_bug = yes * EAP-FAST fixes from Isaac Boukris. [#2078], #2076, and #2082, #2126. * DHCP fixes, relay, #2092, add run-time check, #2028 * Decode multiple RADIUS packets at a time in highly loaded RadSec connections. Patch from Jan Tomasek. #2106. * TunnelPassword is not "single value" in LDAP schema. Fixes #2061. * sql log now opens the expanded filename, not the input one. This was a regression introduced in 3.0.15. * Remove unnecessary UNIQUE constrain in Oracle schemas. * Fix SSL thread and locking issues when modules also use SSL. Fixes #2125 and #2129. * Re-add dhcpclient "raw packet" changes. Patches from Nicolas Chaigne and Matthew Newton. Fixes #2155.- Fix permissions of radiusd.service (bnc#1053654)- bsc#1055679 - freeradius-server does not provide winbind/AD auth Added libwbclient-devel as buildrequires- update to 3.0.15 with security fixes for issues found via fuzzing by Guido Vranken (bsc#1049086) https://freeradius.org/security/fuzzer-2017.html * CVE-2017-10978: FR-GV-201 (v2,v3) Read / write overflow in make_secret() * CVE-2017-10983: FR-GV-206 (v2,v3) DHCP - Read overflow when decoding option 63 * CVE-2017-10984: FR-GV-301 (v3) Write overflow in data2vp_wimax() * CVE-2017-10985: FR-GV-302 (v3) Infinite loop and memory exhaustion with 'concat' attributes * CVE-2017-10986: FR-GV-303 (v3) DHCP - Infinite read in dhcp_attr2vp() * CVE-2017-10987: FR-GV-304 (v3) DHCP - Buffer over-read in fr_dhcp_decode_suboptions() * CVE-2017-10988: FR-GV-305 (v3) Decode 'signed' attributes correctly * FR-AD-002 (v3) String lifetime issues in rlm_python * FR-AD-003 (v3) Incorrect statement length passed into sqlite3_prepare- update to 3.0.14 (still FATE#322416) Feature improvements * Enforce TLS client certificate expiration on session resumption, and Session-Timeout. See CVE-2017-9148 (bnc#1041445) * Updated dictionary.cisco.vpn3000, dictionary.patton * Added dictionary.dellemc * Lowered the log output for failed PEAP sessions. * ALlow utc in rlm_date. * The internal OpenSSL session cache has been disabled. Please see mods-available/eap * Update detail reader documentation. * Make outgoing RadSec connections non-blocking. * Add SQL backing to Moonshot-*-TargetedId generation. Bug Fixes * radtest uses Cleartext-Password for EAP, not User-Password. * Update documentation for mods-enabled/ linking. * Enhanced checks for moonshot salt. * Allow session resumption for RadSec connections. * Update "huntgroups" file to note that port ranges are not supported * Fix OpenSSL permissions issues on default key files. * Certificates are not required when PSK is used. * Allow SubjectAltName as first extension in cert. * Fixed talloc issue with TLS session resumption. * "&Attr-26 := 0x01" now produces useful error messages. * Handle connection error in rlm_ldap_cacheable_groupobj. * Fix endian issues in DHCP. * Multiple minor fixes for Coverity complaints. * Handle unexpected regex. * Fix minor issues in dictionaries. * Fix typos and grammar. Patches from Alan Buxey. * Fix erroneous VP creation in rlm_preproces. * Fix MIB. Patch from Jeff Gehlbach. * Trust router updates from Alejandro Perez. * Allow build with LibreSSL. * Use correct packet for channel bindings. * Many fixes found by PVS-Studio. Thanks to PVS-Studio for giving us a test license. Please see the git commit history for more info. * Fix incorrect length check in EAP-PWD. This may be exploitable. * Stop rotating session database files (radutmp, radwtmp) since these are not logfiles. - freeradius-server-radiusd-logrotate.patch: updated- removed obsolete freeradius-server-fix-cert-bootstrap.patch because recent /etc/raddb/certs/bootstrap simply works - update to 3.0.13 (still FATE#322416) Feature improvements * Add dictionary.rfc7930. Note that we do not implement the RFC. * Added 'cipher_server_preference' to mods-available/eap Patch from #1797. * OpenSSL 1.1.0 compatibility fixes. * rlm_perl: radiusd::xlat to evaluate xlat string within perl script * Allow authentication retry in winbind. Patch from Herwin Weststrate. See raddb/mods-available/mschap. * Added "recv-coa" method to rlm_rest. It behaves the same as "authorize". * Document Trust Router tr_port option. Patch from Stefan Paetow. * Update elasticsearch/logstash examples so that they work with elastic stack v5. Patch from Matthew Newton. * Print information about packets, replies, and contents in the detail file reader. * Update abfab-tr policy. Pull request #1893 from Stefan Paetow. * Reject packets which contain User-Password and EAP-Message. * Add example for filtering Access-Challenge. See sites-enabled/default. * Pull symlink fixes from v4.0.x. Fixes #1859. * Add systemd reload. Not everything is reloaded, but some is. Fixes #1662. * Better documentation for listen "ipaddr". Fixes #1921 * Add dictionary.cnergee, updated dictionary.nomadix. * radclient no longer needs -x to print statistics with -s. Bug fixes * Minor typos. Fixes #1763 * Fix typo in RPM build. Closes #1767. * rlm_mschap check for password expiry only if password was correct. Fixes #1762. * Update debian build. * update rlm_counter "man" page. Fixes #1775. * Remove erroneous assert. Fixes #1778. * fix mschap password change test. Fixes #1792. * Cleanup config file on data remove. Fixes #1795. * passwd module returns "notfound" if not found. * Check for old OpenSSL, and don't build rlm_eap_fast if it necessary. Fixes #1803 * Cleanup memory better after ldap version query. Patch from Aleksey Katargin. * Rename lt_* functions to avoid linker issues with libtool. Fixes #1277 * Many miscellaneous fixes and typos. * Allow long strings in %{%{foo} bar:-%{baz} blah". Fixes #1866 * Fix filtering operators, along with more documentation and more tests for them. * Fix OpenSSL fixes. Fixes #1876. * Finish SQL select queries even when SELECT returns no rows. Fixes #1879. * Set Module-Failure-Message for more EAP errors. * Correct typo in dictionary.rfc5580. Fixes #1882 * Remove obselete systemd syslog.target. * Client-Port-Balance load-balancing now uses client port. * Radrelay examples fixed from Alex Clouter. * Update systemd target. Pull request #1896. * Trim starting whitespace in xlat strings. * Get MySQL result lengths using normal API. * suid down after fchown(). Fixes #1914. * Fix cases of comparing pointer to NUL character. Fixes #1915. * OpenSSL v1.1 fixes. Pull request #1921. * Better Handle v4/v6 host names. Pull request #1919. * Remove "Auth-Type = System" from docs and examples. * Don't crash on malformed %{home_server}. Fixes #1922 * fix erroneous use of talloc destructor in rlm_eap * Issue trigger modules.sql.fail. Fixes #1923 * Document python_path gotcha's. Fixes #1845 * dlopen() the specific version of Python. Fixes #1592- Don't require insserv if we use systemd - Remove require for unused fillup- Merge changes from SLE to openSUSE (FATE#322416): * freeradius-server-radclient-init-error-buffer.patch - make sure we initialize error buffer. bsc#911886: radclient error free() invalid pointer * freeradius-server-opensslversion.patch: remove OpenSSL version check and assume we know what we are doing. (bnc#1013311) * merge .changes file, mostly. - do not attempt to detect "vulnerable" OpenSSL versions. SUSE security fixes do not necessarily bump version numbers as does upstream OpenSSL (bnc#1021375) - do not generate certificates in %post. End-user needs to do this manually. - keep FreeTDS disabled on SLE12 - we never shipped it enabled - require OpenSSL 1.0+ - use pkgconfig(systemd) instead of plain systemd as BuildRequires - don't list manual pages as %doc- Remove --with-pic which is for static libs only. - Use SUSE RPM group names. Trim filler words from description. - Do not hide errors from groupadd/useradd.- Add upstream keyring - 2 new modules: rlm_sql_freetds and rlm_eap_fast- update to 3.0.12 - still fate#320481 The focus of this release is stability. * Feature improvements + Add support for =~ and !~ in update sections. See "man unlang" + Add dictionary.checkpoint. + Simultaneous-Use prints out more information. + Print WARNING in debug mode when packets may be truncated. + Added expansions %{home_server:state} and %{home_server_pool:state}, which show the state of the server / pool. + Mark rlm_sql_freetds as stable. + Make rlm_perl less fragile. Patch from Herwin Weststrate. + Allow extended attributes to have "encrypt=2" + Update dictionary.aruba. + Add support for EAP-FAST. This is an isolated feature which does not affect anything else. + Update OpenSSL vulnerability list. Use a version of OpenSSL released after September 20, 2016. + EAP certificate verification is now done when "verify" is enabled and "ocsp" is disabled. + New dhcpclient and rlm_rad_counter man pages. + Minor abfab and moonshot additions. + Pass CFLAGS through from environment in RPM builds. Allows more custom builds. + Build with Heimdal in addtion to libkrb5. * Bug Fixes + Use correct typedef for older versions of sqlite. + Update mssql schema to add priority + don't complain on /dev/urandom in ldap + fix == operator in update sections + Don't create DHCP strings with many trailing zeros. + Allow MS-CHAP change passwords instead of complaining on large buffer. + Allow assignment or equality operator on SQL. + Update aclocal tests for FreeBSD 10. + Remove occasional hang in rlm_linelog. + Copy VSAs to inner tunnel for TTLS and PEAP. Fixes #1544 + A few minor bugfixes caught in v3.1.x cleanup, and back-ported to v3.0.x. + do_not_respond again works in post-proxy + Allow realm "~^.*$" {} and User-Name with no realm. + Fix leak when creating unknown attributes + Fix Debian / logrotate. + Make OpenSSL error functions thread-safe. + Fix crash with rlm_sql and updating SQL-User-Name. + Debian build updates. + Allow regular expression comparisons in radclient. + Fix memory leak on unknown attributes in detail file reader. + Update example paths in "man" pages when installing them + Build fixes for rlm_mschap. Fixes #1489. + BSD build fixes. Patch from issue #1583. + Be more careful about /lib/ when building. Fixes #1585. + Correct ifdef placement error. Fixes #1572. + Allow for more files in internal "exfile" API So it will be possible to open more than 64 "detail" files at the same time. + Remove support for statically built EAP modules. Fixes #1591. + Many fixes to rlm_python from Guillaume Pannatier. + Use correct week adjustment in SQLcounter. Fixes #1608 + Minor fixes to allow compilation without DHCP, VMPS, or TCP. + Fix checks for module / config file change on HUP. + Compile regex comparisons when sent via "debug condition". + Update filenames in documentation and examples. + Don't crash if SQL connection becomes unavailable. + Disallow originate_coa when proxy_requests = no. + Free rad_perlconf_hv in correct perl context. + Multiple fixes for Debian builds. #1510, among others. + Set OpenSSL FIPS compatibility flag when necessary. + Pulled fixes for the build system over from other branches. + Fix OCSP for RADIUS over TLS. + Fix skip_if_ocsp_ok behavior. + Better fixes for systems without closefrom() but which have /proc. + Minor build fixes back-ported from v4.0.x. + build --whout-ascend-binary. Fixes #1761. + Be more aggressive about not opening new connections in debug mode after CTRL-C. Address #1604.- use %{with} macro for conditional inclusions instead of hardcoding version numbers - improved package descriptions - fixed builds on SLE12 and SLE11SP4- removed installation of experimental module rlm_sqlhpwippool.so - update to 3.0.11 (fate#320481, bsc#961479, CVE-2015-8763, bsc#935573, CVE-2015-4680) * Changes of version 3.0.11 + Feature improvements - "unlang" comparisons of IP addresses to IP prefixes are now detected, and types automatically cast. - Allow shorthand form of ipv4prefix values e.g. 127/8. - Add "auto_chain" to raddb/mods-available/eap, tls subsection. This allows the disabling of OpenSSL auto-chaining of certificates. Which might be wrong. - Added printing of coa and disconnect stats (radmin). - radclient defaults to expecting Access-Accept responses to Status-Server. - Updated dictionary.lancom, dictionary.starent. - Portability fixes for Solaris. - More errors from ntlm_auth gets passed to MS-CHAP. - Update abfab-tr-idp virtual server. - Added "filter_password" in policy.d/filter. This removes embedded zero bytes in User-Password, for compatibility with broken clients. - The server now issues a WARNING message if duplicate configuration items are found. - TLS can skip the "verify" section if OCSP returns OK. See raddb/mods-available/eap, "skip_if_ocsp_ok". - Set TLS-OCSP-Cert-Valid = yes / no / skipped, which is the result from the OCSP check. - Interoperate with AD and "LmCompatibiltyLevel = 5", by always setting WBC_MSV1_0_ALLOW_MSVCHAPV2 for native winbind in rlm_mschap. - TTLS and PEAP now require "virtual_server" to be a real server. - Print WARNING when TTLS or PEAP identities are spoofed or not properly anonymized. See RFC 7542 for requirements. - Various rlm_python fixes from Herwin Weststrate. - Allow setting Response-Packet-Type in "Post-Proxy-Type Fail", which is useful when the home server does not respond. - elasticsearch updates from Matthew Newton + Bug Fixes - Fix issue where field nas_type would not be accessible via the %{client:} xlat, for clients loaded from SQL. - Fix compatiblity issues with OpenSSL 1.0.2. Ignore calls to msg_callback with 'pseudo' content types. - Data type "ipv4prefix" is parsed correctly. - Use correct talloc context in rlm_exec. Fixes #1338. - Complain in unlang if "else" is used with no previous "if" or "elsif". - Send accounting status packets to the accounting port. Fixes #1364. - Print out CFLAGS when doing "radiusd -Xxv" - Fixed bug with coa/acct stats value #1339. Based on patch from Jorge Pereira. - Fixes for LEAP proxying. Don't use LEAP! - Fix issue with "directory already exists" seen when doing "make install". - Fixed bug with radmin related to the option "stats detail " - Complain if the detail file reader does not have permission to read the "detail.work" file. Fixes #1398 - Fixed SoH. Attributes were not being copied to the virtual server. - Used a wrong list to global statistics in "stats". - Create EAP-PWD identity correctly. Prevents segfaults. - Dynamically validate authentication types for PEAP and EAP-MSCHAPv2. - Fix includes in installed headers. - OpenSSL 1.0.1f and 1.0.1g do NOT calculate TLS 1.2 keys correctly. See raddb/mods-available/eap, "disable_tlsv1_2" - Allow password change to work for MS-CHAP. This requires 'r=0', because password changes are not retries. - Fix home server fail-over for home servers using TCP and/or RadSec. - Special characters in expanded regexes are now escaped e.g. User-Name containing '.', and comparing /%{User-Name}/, the '.' will now be escaped. See src/tests/keywords/regex-escape. - Use correct authentication vector when sending Access-Reject replies for RadSec. - Set FreeRADIUS-Proxied-To in TTLS again. You should use the "inner-tunnel" virtual server, instead of relying on this attribute. - Fix debugging constants in rlm_perl. Patch from Herwin Weststrate. - Add samba-dev / samba4-dev to debian builds so that rlm_mschap can automatically use the new winbind API. - Automatically skip zero-length attributes when sending packets, instead of erroring out.- fix bsc#951404 * Rebuild of freeradius-server package fails * fix source url - ftp://ftp.freeradius.org/pub/freeradius/ + ftp://ftp.freeradius.org/pub/freeradius/old/- update to 3.0.10 * Changes of version 3.0.10 + Feature improvements - Do more optimization of unlang policies. This makes run-time a bit faster. - Re-name most of the functions in src/lib. Third-party module authors will have to do the same. - More documentation on contributing and how to write modules. - Update radiusd.service for systemd. - Open IPv6 proxy socket if the server is listening on IPV6 auth / acct / coa packets. - Create debian packages for DHCP. Fixes #1125. - Add more tests for "update" section parsing. - Update "man" pages. - Update attributes for Alcatel 7750 - Add dictionary for Boingo Wi-Fi - Add support for DHCP lease queries. See raddb/sites-available/dhcp - On HUP, check all modules for config files which have changed. And only re-load those modules. - Allow FreeRADIUS-Response-Delay(-USec) to be set for RADIUS packets. Patch from Herwin Weststrate. - Documentation fixes from Alan Buxey and Matthew Newton. - Update "logrotate" script. - Added more RFCs to doc/rfc for new standards implemented by FreeRADIUS. - Don't crash when doing "radmin -e "help hup". Patch from Matthew Newton. - The dictionary parser now does more sanity checks, which prevents run-time problems with invalid attributes. - Update debian packages. Patches from Christopher Hoskin. - Many other debian packaging fixes from Matthew Netwon and Herwin Weststrate. - Add "session-state" to Perl. Patch from Herwin Weststrate. + Bug Fixes - Fix rlm_files so that there are no collisions when loading 10's of 1000's of users. - Fix radclient to use our internal v4/v6 parsing functions. v6 addresses with ports now work correctly. - Fix sending/receiving packet messages to wrap v6 addresses in square brackets '[]'. - Check for sasl/sasl.h when building rlm_ldap, and disable SASL functionality if unavailable. - Fix issue which caused a non \0 terminated buffer to be assigned to attributes if the value being assigned contained an invalid escape sequence. - Fix deadlock when reconnecting connections in the connection pool. - Fix potential overrun in functions that used fr_utf8_char with a non nul terminated buffer. - Fix decoding issue for Tunnel-Password type attributes which were very long. Found by Denis Andzakovic. - Fix radclient issue with TCP sockets on FreeBSD. - The server now creates ${run_dir} and ${logdir} directories in daemon mode, when running as "root". - Handle tags when using maps. Fixes #1191. - Fix crash when CoA packets time out. - Fix parse error in rediswho - Fix regex support in SQL radcheck the "users" file and radsniff. - Register listen xlat earlier, so that it's available when the virtual servers are being parsed. - Parse Ascend-Data-Filter when given as "0x..." - Print Ascend-Data-Filter correctly. Add test cases for both. - Allow old-style clients again. They will be disallowed for 3.1.0 and following. - Complain instead of crash when "else" and "elsif" are in the wrong place. - Clean up memory more aggressively. This lowers the maximum memory used, most typically for TLS based EAP methods. - Prevent the server from unlinking the control socket of an already running instance. - Fallback to using the configured OCSP URL if one exists, and no URL is provided in the certificate. - Return CoA-NAK if proxying CoA fails. Based on patch from Jorge Pereira. - Lower peak memory usage by decreasing size of internal memory pools. - The control socket is now left in place if a second copy of the server is accidentally started. - Allow virtual attributes in "switch", "case", etc. Fixes [#1240] and #1265. - Many spell check / typo fixes in comments and example configuration files. - Better handle multiple DHCP listeners. - Don't print secrets for old-style realms. Fixes #1267. - Don't fall through in empty "case" statements. Fixes #1274. - Update EAP-TTLS so that MPPE keys are correctly calculated with TLSv1.2. - Always delete MS-MPPE-* from the TTLS inner tunnel. This allows TTLS / EAP-MSCHAPv2 to work. Fixes #1206. - Fix off by one error that caused some MSCHAP-Error messages to be sent without the password change version (V=3) and the textual message component (M=). - Always include C= V= and M= in MSCHAPv2 errors. RFC 2759 does not say that any of these fields are optional, and not including V= caused errors with wpa_supplicant. - Do not include M= in MSCHAPv1 errors. It's not supported.- Fix boo#912714: freeradius can't use ntlm_auth * Create winbind group * Add radiusd to winbind group- Remove gpg signature file * The gpg signature checking is broken and doesn't work- Fix bsc#935573: Insufficent CRL application for intermediate certificates * CVE-2015-4680 * freeradius-server-CVE-2015-4680.patch based on https://github.com/FreeRADIUS/freeradius-server/commit/a03814af310bb3bee74ea012546d99c48b0ea5c3- update to 3.0.9 * Changes of version 3.0.9 + Feature improvements - Make "pool" configurations more consistent, and update documentation for them. - Move connection pool logic to "most recently started", instead of MRU. This should help with pool stability. - More VSAs for 3GPP2 - Added examples of multi-value attributes to rlm_perl. - LDAP-Group and SQL-Group attributes are now dynamically allocated. - Only the "sql" module registers SQL-Group. Other instances register "instance-name-SQL-Group", similarly to "ldap". - Unknown attributes are now complained about more often when used in unlang statements. e.g. if (Foo-Bar == 3) used to be a string to string comparison. It is now a parse error. - Rename RLM_COMPONENT_* to MOD_* in the code. This makes many things easier. - Move to C99 initializers for modules. - Load modules in raddb/mods-enabled. This allows attributes like "LDAP-Group" to be used in the "files" module, without explicit ordering or listing in "instantiate". - Added 'bootstrap' section to modules. Third-party modules will need to be updated. - When adding clients from a DB, add them to a virtual server if that virtual server has a "listen" section. Otherwise, add the clients to the global list. - When reading dynamic clients from a file, don't expire them if the underlying file is unchanged. - Allow the server to originate CoA requests from the post-auth stage. - The server creates ${run_dir} and ${logdir} in daemon mode, if they do not already exist. - Add dictionary for Wi-Fi Alliance Hotspot 2.0. The server now supports all mandatory and optional attributes for this specification. - HUP now re-loads the configuration only if the files have changed. If all files are unchanged, HUP re-opens the log file, and does nothing else. - Much better debug messages for EAP-TLS, including which attributes are cached, and when they are retrieved. - Increase default max_requests to 16384. Memory is cheap now. - Added "stats memory" commands to radmin. Debug build only. - Aptilo controller dictionary updates. - SQL modules now use Acct-Unique-Session-Id everywhere. - The redis modules are now stable. - The LDAP module now supports SASL "interactive bind" method. This allows Kerberos based administrator and user binds. - DHCP code is now in libfreeradius-dhcp. - More DHCP encoding / decoding unit tests. - rlm_replicate can now be listed in the "accounting" section. - Better sqlite debugging output. - Remove "required" option from many sql_ippool directives. - Set default CA "basic constraints" to "critical". Fixes #1073 - Updates to help / man pages from Jorge Pereira. - Added more tests. + Bug Fixes - Be more careful about unused config item warnings when using -Xx. - Move more defines to be auto-generated. - Allow virtual servers in proxy fallback. - Allow %{module:} to work. - Don't crash in RadSec. Closes #980. - Return better errors when a unix group / user is not found. - Re-enable detail module "locking" parameter. - Don't crash when logging replies from Status-Server packets. - The couchbase module now uses "update" instead of "map", for consistent with the rest of the server. See raddb/mods-available/couchbase - Don't require NT-Password for MS-CHAP password changes. - Be a bit more careful about decrypting MS-CHAP-MPPE-Key attributes. Closes #1013. There is no perfect fix, tho. - Fix security issues with EAP-PWD. See http://freeradius.org/security.html#eap-pwd-2015 - Fix dynamic clients read from SQL in non-debug mode - MS-CHAP now allows retries (i.e. password change) when passwords are expired. - Allow "user=radiusd" when the server is already user "radiusd" - suid up/down works on non-Linux systems. This means that the control socket should have the correct ownership. - Fix issue which caused the server to sometimes have problems when a home server was marked zombie. - Fix format.pl because Perl is now more picky. - Fix proxy to Packet-Dst-IP-Address, so that it uses the correct destination port. - Fix corner case with cursor functions and removal. - OpenDirectory fixes and documentation. - Fix leaks in rlm_redis. - RFC 6929 "evs" attributes are now encoded / decoded properly. - Fix talloc pool leaks when receiving malformed or retransmitted Accounting/CoA requests. - Printed attributes again use double quotes instead of single quotes. - Set X509_V_FLAG_CRL_CHECK_ALL, and add "check_all_crl" to eap.conf. Fixes oCert CVE-2015-4680. - rlm_expr now errors out correctly on malformed attribute references instead of triggering an assert. - Make "break" work in "foreach" loops - Allow dynamic expansions to work again in the "hints" file. - Correct minor typos in comments and examples from Alan Buxy. - Re-urlencode the path portion of ldapi:// urls before passing it to ldap_initialise. - freeradius-server-rlm_sql_unixodbc-configure.patch removes hard-coded directory in configure script of rlm_sql_unixodbc - install new module rlm_sqlhpwippool.so- minor adjustments/cleanup of spec and changes- update to 3.0.8 * Changes of version 3.0.8 + Feature improvements - Allow syslog_severity to be set in rlm_linelog. - Allow defaults to be set for bulk clients in LDAP and couchbase. - Updates to dhcpclient. Patches from Nicolas C. - rlm_mschap now supports direct connections to winbind, which is faster than ntlm_auth. See raddb/mods-available/mschap. Patch from Matthew Newton. - Recommend /dev/urandom for TLS randomness, instead of ${certdir}/random - Allow TLSv1 to be disabled via "disable_tlsv1" in tls{}. - Allow Expanded EAP types where vendor is 0 (IETF) and type is normal EAP type. Supplicants sending Expanded EAP types like this are broken. - Add support for server side sort controls when searching for user objects in rlm_ldap. + Bug Fixes - Don't complain about "authorize" in "server {}" blocks, but only if there's no "server" block. - Fix cosmetic issue where debug from the first packet read by a detail reader thread would be emited during config parsing. - Fix ASSERT on truncated detail packets. - Don't use main server log functions from within panic_action, as in the case of syslog this would cause deadlocks if the fault was triggered from within a malloc. - Fix issue in "switch" when "correct_escapes = false". Fixes #911. - Fix sqlcounter configuration to use "%%b" instead of "%b", otherwise the new syntax validation will fail. - Allow forward references in configuration items. Modules aren't always loaded in a sane order. - Fix more escaping issues. Closes #912. - Decode MAC addresses correctly for VMPS. - Fix memory leak with TLS connections. - Fix state machine threading issues for conflicting packets. - Fix copy_request_to_tunnel issues for tagged attributes. - Allow "ok" to over-ride "updated" inside of Auth-Type sections. - Update state machine so that post-proxy is run though child threads for performance, instead of blocking the main thread. - Allow "netmask" to work again in client definitions. - Relax restrictions on SQL group queries. - track outgoing proxy sockets and clean them up more aggressively. - track proxy statistics, including CoA and Disconnect. - If radmin has a connection failure when running a command, it re-connects and runs the command again. - mark home servers "unknown" less aggressively. - Fix potential SEGV in PostgreSQL driver on error. - Fix issue where fields like nas_type would not be accessible via the %{client:} xlat, for dynamic clients. - Set default busy_timeout (of 200ms) in the sqlite driver, so writes don't cause selects to fail in multithreaded mode. This is user configurable, and may be increased if required. - Convert Password-With-Header attributes to binary (from hex or base64), in the authorize method of rlm_pap. - Fix invalid assert in state.c, that could cause abort in post-auth. - Fix double free when -m flag is used, and connection pools are referenced by multiple modules. - RADIUS over TLS accounting uses the same port as authentication. - Regularized return codes from radmin commands. - Fix RHEL spec file so it works correctly for Centos7 which uses systemd, and didn't like the SystemV init script. - radwho and radlast now have a -D option to load dictionaries - DHCP packets are no longer checked for duplicates. - Don't crash in sql module group comparisons in corner case. - Calculate MPPE keys correctly when using TLS 1.2. - Fix load-balance sections. Closes #945 - TLS certificates are available again in the post-auth section. They are not available for session resumption. - radclient encodes CHAP-Password properly when using -c Closes #955. - Fix issue in rlm_cache_memcached driver that caused variable length values to be truncated. - Fix track functionality in detail reader, so it no longer fails with a "Failed marking detail request as done: Bad file descriptor" error. - Actually add the peer identity (as User-Name) to the inner tunnel in EAP-PWD requests, so it's available for lookups. - Fixes to PostgreSQL queries. Patches from Santiago Gimeno. - new set of consolidated patch files: deleted: * freeradius-server-2.1.1-logrotate_su.patch * freeradius-server-2.1.6-rcradiusd.patch * freeradius-server-initscript-pidfile.patch * freeradius-server-radius-reload-logrotate.patch * freeradius-server-var_run.patch added: * freeradius-server-radiusd-logrotate.patch * freeradius-server-rcradiusd.patch * freeradius-server-tmpfiles.patch- Do not disable as-needed build - Remove the with_sysconfig switch and just stick with versions- update to 3.0.6 - fixes a segmentation fault in PEAP module (bnc#912588) Feature improvements: * radmin / raddebug conditional errors are printed to the output, instead of being discarded. * raddebug will exit if condition set with -c was invalid. * radmin auto-reconnects if the connection to the server has gone away. * rlm_cache now has submodule support. See raddb/mods-available/cache * New memcached driver for rlm_cache. See raddb/mods-available/cache * Add support for &Attribute-Name[*] in conditions. See "man unlang" for details. * Add &Attribute-Name[n] which gets the last instance of an attribute e.g. Module-Failure-Message[n]. * Allow for redundant string expansions. See the "instantiate" section of radiusd.conf. * When checking IP addresses in conditions, make the right side be parsed as an IP prefix. * Support JIT compilation of compiled regular expressions when built with libpcre. * Support named capture groups with "%{regex:}" when built with libpcre. * Increase regular expression capture groups from 8 to 32. * Emit error markers for badly formed regular expressions. * Allow 'm' flag to enable multiline mode in regular expressions. * Support limited implicit attribute conversion in update sections. * Support casting between IPv6 and IPv4 where the IPv6 address has the v4/v6 mapping prefix (::ffff:).- Drop .keyring and .sig file: freeradius-server still uses MD5 signatures, which are no longer validated/accepted by GPG 2.1.- update to 3.0.5 Some of the new features: * Allow LDAP to specify arbitrary attributes for dynamic clients. * Allow one level of backslashes (finally). See radiusd.conf, "correct_escapes" setting. * When supported by OpenSSL, allow TLS 1.1 and TLS 1.2 in EAP methods. * Allow multiple new connections to be spawned simultaneously in the connection pool, to cope with spikes in traffic. * Use kqueue on systems which support it. This allows for better scaling when using many sockets. * Home server "response_window" can now take fractions of a second. See proxy.conf. * radmin now supports "show module status", as thee counterpart to "set module status" * "ipaddr" will now use v6 if no v4 address is present. You should use "ipv4addr" or "ipv6addr" to force v4/v6 addresses. * "client" sections will allow "ipaddr = 192.192.0/24". The old "netmask" is still accepted, but the new format is preferred. * Allow custom HTTP headers to be set for rlm_rest requests using control:REST-HTTP-Header (attributes consumed after use). * Extend format of %{rest:} expansion to allow HTTP method and POST data to be specified and urlquoting. * Add support for aliases in rlm_ldap. * Add support for connection pool sharing to all modules that use the connection pool (pool = ). * "tls" sections now have a "psk_query" configuration item, for dynamic queries to discover a key from a PSK identity. * Preliminary support for EAP channel bindings. * Foundational work for dynamic home servers. They do not yet work, but this is now only a matter of updating the "realm" module in a future release. * Support &attr[*] syntax to copy all instances of an attribute when used with the += operator in an update section. May be qualified with a tag. * The logintime and expiration modules can now be listed in the post-auth section. This makes some configurations simpler. * rlm_sqlippool is now IPV6 capable. Set "ipv6 = yes" to get Framed-IPv6-Prefix returned. The SQL queries have NOT been updated. Please submit patches. and numerous; bugfixes - remove gpg-offline - create /run/radiusd after install - drop freeradius-server-opensslversion.patch (upstream)- freeradius-server-opensslversion.patch: do not check the minor version of openssl, minor versions are supposed to be compatible. bnc#906682s390lp5 16135518133.0.21-3.6.13.0.21-3.6.1freeradiuslibfreeradius-dhcp.solibfreeradius-eap.solibfreeradius-radius.solibfreeradius-server.sofreeradius-server-libsCOPYRIGHTLICENSE/usr/lib64//usr/lib64/freeradius//usr/share/licenses//usr/share/licenses/freeradius-server-libs/-fmessage-length=0 -grecord-gcc-switches -O2 -Wall -D_FORTIFY_SOURCE=2 -fstack-protector-strong -funwind-tables -fasynchronous-unwind-tables -fstack-clash-protection -gobs://build.suse.de/SUSE:Maintenance:18279/SUSE_SLE-15-SP2_Update/9c7f074efad29e98ec7d42bac29d6719-freeradius-server.SUSE_SLE-15-SP2_Updatecpioxz5s390x-suse-linuxdirectoryELF 64-bit MSB shared object, IBM S/390, version 1 (SYSV), dynamically linked, BuildID[sha1]=fc553ffb042b8d5b6212671dc0681e54807ee70a, strippedELF 64-bit MSB shared object, IBM S/390, version 1 (SYSV), dynamically linked, BuildID[sha1]=348c8d0efe9c6dc4af3a532e3c829a4f32926175, strippedELF 64-bit MSB shared object, IBM S/390, version 1 (SYSV), dynamically linked, BuildID[sha1]=9c9c3b06a2dfcb3ba67adef45e5d3b66a96eefe2, strippedELF 64-bit MSB shared object, IBM S/390, version 1 (SYSV), dynamically linked, BuildID[sha1]=8d9ee2d1a30661e72d8a574d9cf80c76edfdd6cb, strippedASCII text  PRRRRPRRRRPRRR R RRRRRRR RR R RRPR RRRRRR R]F%/ q#@oHutf-811ccc3fe952058347739fca0f5a1ed63272caf23791ae528327f7a0d7eafb9c2? 7zXZ !t/] crt:bLL b(=v O і~aǢ>7Ix#E"mt fM zj2=ݞ`pNμAn:H>\`cojYB ƳPzq1?A,McA<&i"7xΤ7aw?ś,]o2>2>[R*eK5>6L,0^cJ|bҟoKMԘ+ <Q=B-dw/0i"67CMhkoPGJK|θh=OQh \-£ 3F٠j Մ?]֝@)̛Z7:MP?F?Xǰoדּ,Q=`Aw:Xr6Ŵ%7. v[T (Y foUF6$}'0r9e#Þvtnd  'E"[\5d1 \Uws1GLq" 3 ;x 5vf'ƚ`#_GK/u $\Yߵ@}8d 73g4/1&{yPop%BWCY.|ml? ^: m7*+Q@p<Dc,nFEf \f@).L'}d-:U: D{j@&u2 z;8ܹ0$hc)Ni;sm{&<& :0ౙRG12\pͯ ǽuIR-S3-sfMZݴ^vI,3HNsʔ~68_H!\`KRgXsW_B\2}ʟ3دE7Z;Q +U܆ ,eA,ц|P- ʆCq Ait&1> DRۖD ˷u`vH3Kɓ?C4ŮbNtه"QKkRS^a$@EY-yaӹ(+ kkE.]e?(]7Fo, ٮS&B[˚=M(KE!>ȧܳi7}(4W!T7>yQ#,8O&w3 R'3$,qaj63IFMb(tu>8 h,c Vbg _s.]-,$R] /𯻨nBx*cA^[TIPKO~xsʚ ?s o&Gܺ 5puL, }˩>upī(uy(q*zhva?{Ui&/٢|*,ӚuhXϪa8r.z::݅inݯrݠH;ҁkN6zU7(74%_S;@ (匴~ Lm '{rs%qވؠ:^X#vbJìԵCӚZrҬĩ{{zI7YC$->WJC*t/R;fd,YjsJa8U,| OEZ(`?pU.` ䷝r:`> BmEۏךca9L`x yWQΌu\<GDqo,*7>=X^"5F%gznvaJ' 0Nv/r)2j^\،y! E|J齬~\~[;/:t>vYYw2KcnI8- u[D6I5*\8<TP"A Vu9S!M= #QIDPKF"8aR)ND`R:/׋N܍}@IȾ KX3Ik;J gF)'03A_yLFZ5 *[֣J$>\CR~o+$5GOgXlO9lYpyP'lu&M ZҀNںXG*-IG1R wC(l~.(+$iӀfvC.47 ,0UWk |džA)|i @Y霎gJ̟1{9Epl4O\^BZVMk0baqۢŪo4Q .\nnb~b8NⅩt:s+80(A #C}DB%,2ïV)!~AJ#6{j&OouMxW]sAEĜ,6#DN\y Gض6UÜFB+VLV1Xˉo {4~^F^ВQՠZ- $/7`+>e u?wRdV%CƹM/?G~K!"䶸^#[8c$BytϬH&Dw*ۙ02Yy+XN'PB8-d)1e>X!q[0e 5NX?`XzZ=0 _t_hXl jOVTŮ&,}܀+m6&2WM7Au8JL~Ńp\xldDU)rJdi0᝗G"K{ F]o=}/(Бۓ ++8zp ?~бr cujd*|R:⸑՞D Z Ϻ u w(a@)\`ŐsYG (X?ڹ^mXUGLWew![i˜C&YF߉qjXK\dU N@DQԃK .M|8zk_s@=ןVSŁ%#v{[匵(WMZQ֍x3?4-zXqSU񸽞CmQmR_"r@n{.#gO^))gH/>{бL7gl; ;w5M6` ƴ BarACA͘9 9?"$bPPG>[N)Q^6 *f7`mFAn[>g)oh*9H_;A>?r`a_'K^cnSs4wݜQ]wF:(ȹ/ 2S$Dmzj+N׊VKQ88Ȼ; Uk&HȔ^Tp#d& \#JQȟcf~:OQm e3-)1XM2& 0H8y:;WO3KKCCY&Z$_q3S+u@THNCx'CYFN[p&pl.riX rFLn+Z@O7MRVb}4 3z{ i gu+_x~& %N^+ﶠb ȓ0n'W S☮,8?>~bJA#"آUB^f|_ b^nc1gYYխ "6ՙ Wtœ3"!DR!ю׬TZ4pr;NjQ%c_IM }9V(:Mo٩b̙e8,= =AҐd2Q>ZAHRx<Ѩ$tn"Ph5+ƭX/7b|+)1lcnىX4ISʲ<9𓐥,<TVYIxO!@DKOqku˷߷B*8= Pk&z#^hu#8kn7r~ZNk90)*" G^b@ޮ8h?3;}*V1"?hgp mvF艽8p\ QjxchF/qud"$P|e_y)X}sӣkև\}Ҙ?S^޿J[pAɃ`Q,!lb$짋찒fO5wYQSFZu=BOXJuuܣM+pKkOդPcbX@տL[mUZ`hA jecʷ )A͙%'@G>Kaڤ[(8槏Ձ8^.kݽ)v#\Thᎆ?~tY'0[Lw*&s*}c(pqȉ 6YY L118 ^lFH<GVB;Иp{ifb}(2]*⇑gݭboFB0Agr_MjA ĥdhbm*j3VW)}pE<7{_,ˌ5[4ef3X;s&R&H@h`ybR8#MzpMFw5yk֘^U*LK^^ xCN4o50 -3'KTZ^W\YHx\pM0b>6/ZʱLwj / YVU&9 m1f,GhZK1WPgה)x[Vk3Ec6iFYʇT2P@!n"יd䖀XhKTNVt'hls`Ԅ.?chxlO..ܥ1KmJwTJ|xw6ybF;+2Z~+/]+£z86݁O1FAJlz͔|,!oFHА^vh?kj9P}iO[L58&]&7nJ Ci-"K0zd> [1x? QQѐEܽV]䁭܅Đ \ ɐ 24br%z^"ʬ;lV~YP,:m"᫛j$ʣ777%.I?P,C#+/‡^4]emR^a UM J%N&krV۝UuRONr>6mv|%V KlP[]߽LU[ G rbOm bmWyiS.Ju0׾ $ng&~ @sƺ& Qch8}CZ3X(lrG(cXI~GhS签uU.mnʖ$v^{\c kAQf ,<юj'rՅK Bvݕ-fNZ]Z]. $ٶQԐO_T׍]kpC*&ϗ4ejl%ɫ>3a_;s?hՊ Vze*e07:A *n3=IbG&1Tob2t! >PyF`(b#;m /#^r1|;Mqԩ ?#Ń<|Ԯ):\_|^ =e<;NDFID=;cN|߼Pk8# \6b:Pt)& |]+i+o(txG?"ƍ?mVcMG[wz伆Ai/)e@e\wɆ+(~cFa㠉 B9Nes썖ʻAH)ǔD?B**(&r@].y} ҷо\0?@"ۇazDm"*bXG9(;Xxʅz מpB tuQH8o,?^"_W 1I+͙3poc5q:"~ ¥s Σ­nFƲ|V508G%JdÆЉsS{~|xOV$ bo)C;MB%[޳:%fI*gdI;p> }頼ک*R7݌T.Sֹ\rO \< u VɊ_T?ַ)$ uF^s?To -%e#YWλ70KK1)l F.XgkVkw6~'օ&G v`NU8Tx*RnVm!0Tɏ8?Ͳ|SFG3Cw>Ő{Pqq~߶LK MOp\096 ٦1UR*g~7!0IB߯VETef$l$|a{+8+^ i{=ȎKꮅ$7۷ʊ7%n}iO E(A=kgֿj^ Jai9N>/%NJPLiv ؁Dt:R1EMaCz{4큔,K>iϗ +6},Eq$Q(0+.6v6pbt"͞䉗ToA@b7 ԛAtA)ɧi&1p\\>_՝ *{'Z-! 5q b9QH,jr_ST c$m^2au}̊^B)x[MHtKkyED{FtZš&(wF3Xs#\Ėvo(KD?BE~8cCv Q;=_HHyו `כտp/ºhlumoLCp_b!֑Н!X [blK:ˮo)+t;]]Қx__PTig_~d=1Kl2,E1ɡ .SHh~X1xU.}m ~2C;F4ejfJvPJUrVotH؎@ԠA܆kp?O!W-t ۠f4i˘Hey4F9ɐ#ʏƚU2]6 27.59C.ʤ=R[St C17;g&Vf'ف.0}c@j)PdbpY25ܩ1\Uٷ )HBgpUT>8Či=cbb>Z.n)pR.a~v+I ]-*]D&0 jrXc'L[aucѵ2ieu |?-T9 6q VU1p_O8PP?Xןϲ90vJh1Gd3[i6OOmGIF:GU`Tf[99>4w Ct.*Im(hhm-͓JAX.:FY-sVCUD`ARWCu Éhf3PP+@,x+9/ okECi)ט;Wca9fg5㕎/C8e`- ؽD!=PGS"QoNk;:_ UҒ,I>Ewn7m#_*3x}wf(5F31NxP d'W@̧o 3f4q.``V.UA#xX{v1BR-*7&]QȪ]}3!R]S:7rJ v H;&E# d d ui' :7%N}b_| 4 41xvg}m~Z*%9iD/7Q!CNF` 4OfcB:*uܩ9]s ÇKʜ {/)0غq1LsW@Đ`eބs;UԚKJ3֎!{ 7qܯ#UUAL_{2oB4k?=׉+vc 6ߎUPZy%ٳRG~0&"g*?d38Ce+F E)D끫W Wޗynܜ'.0}zmj1"SI//c@ B{;ٲ4w}KZuN,{:!{28+ dVpb R٘8EҸcj򉣨w5k.%'aQx>iPT \96^s (Fns<۳nx~ "Ru\wJ★< 8 :Hܫ &Y:ٟBkdJ$ښoF+ye@Rtʄod\Ʌ n4Ivdxun]*xԆ1MElJY4?{+Z;a~v'ip}ăID"5έ`e֤bV ް ,8yd9r 2A]'IPVPhV JU*7৩+y6 .pIy{)nx>)ɬY"ԯPq{t_ַ\R;󼆍aJ;!b>f?wa]YRpSK kYe.ܹ7h{s/xb=o(HϷX!U Rkw3v)L&6n$|{Ќ>LFF.1JzE_`A=J g<4!~C(YTCwm0Cv>%-vz < DOCŽ3XcY˅zX ³2ClYjI4/80e YY>Կ BВ#OUF{\jo66%VcQp|ث+9Z*}Y)E5f@q!j2^&=&G+/gQ5hk@I3 .:Q؄WmfD8.9GD0,vZAߘ-X5` ? W3A8_9 .|>2SDZf ERcҰ^qNtA1x1a ~lZZq:nJB{ڴz4$ؒe^[̆tB p+|XlS~֠~?ߑI/pDpW.yƅW`t{J  袻6m4re $P1YOb veDcW450f> ej1[ĀxX+&;ಌO'qA4o9UpVPpӱr _wcTer17x`! `j,([8l8)&|-uԕ>% Qz˜ʃ}0sY]3< Glhyw}Ep~~8cAQD4)5>Ok8}bi~R_)>|Bv$fGWc= ?¥,J)a[' #@.&E!%.u#v(8!8Y-R4">>sxC5U"Oo.]9ЪW${[br&\k&4ϲ^@abzD$v)4T=̜I䘉/y JPjD터\ pFR!IX]I rhI*FīrTeieR]I+"y#%ʛly7W%Y$k{@,F\8 `NvAXu4 72VEHTF1Čzג(QF72U]@a_f GC@0 .'5ov ȫ(Z#෻Ft䅀P pSfhP 7Nޫr*yo],K G/F+ ^Lh@>9@)i)ϻPR̫A.Վ[+Kd r08BIj ϟqe(n CHWB,pxǮ4gN?JFSq-zj'Y;0JDu7ӍWrS 5` j`gHAjo-M|v^O=S`?鎭z満>BYq}eu3bmcцfכi沷e9Vn4,[$ xoϷ8m˻yFWUGJј=?=p{U>:0L9&dHOwT|3u'M9F Oα,IŸt {\E'N eBgy7PN>o$:.q 0Ӱ&pwIN7KsY4?TtCsl}0x WL̽uCHn'T|luV-ܻA+1Ŝ$c ӵJ#V7fܤ\>׾.\E=/Í\k&/2D葁@cDe5,3?H]o`{2_SH.YX BZ,҃C}#6*!|F9g5 ~~qk+NHȍB=s Ed¹ mka) |QDv{6RUMNQ=R#+&!A >p4?Xxo>nPYwwp`la*)P~"{PF*Ze$cOQ$>SqڛGQ^*C0{%9<Ϡoz)-2Ee*rRkI*`F0|C >t<s0gw_6V{]3A:(/%vHe4 ?DǧR#.;ͥ\1kFЮXrS'+tA$>;(`➭~[ fn !"4'ix70F]ySV^x\YB4*gcG'dW9q-3&If V4;n?-W%< ծٕEGf33Ju5&3 ]'zGUꡆь8:{vU-F9.[~=%@fZak 3+y-^±=0xZ=UTOpKe;pOײUbMC2i/77G bNjEwی\.c "~'}0(Poħ<؆߬[!)a:OvZ6-G1J0ʋQϩ& 7ïwI.B<]ǀ( $u}j}5ZOz`uoTIh̹VbãqwZq>'8ؙ7ǹ~!6Av" !Ҟ7,!]`TϘHF kFAE*n5YԂ꬇#7wj}_LS-5aU(,qDZL*X]b-g h^8qԐiG G@; k []R)\FM9,!ʣ8}Ȥ'kT} J\zj19UDвK]~ <=~՜W! pf[;q'Ɣrn/!Gl37uV7 ŭ?R=n"뽟qyt52tp;x1Bi-3Z3?"G/u7tLgS4ɞu2{&?ؘgsproyuww4Gc9Z:خ-uuecZ*D-mCE_ 3+xqGYԬY+X#"/ Jw oӏiS:[w=\kHEBxjlH'y+~9W5JRV]U{(%Ql]{ Fgcultuplurnvm1ލ"k|.Tΐ.@L63bv }xVY]s/kU(V `{M^cƐTQ B>SJ."3t6}4.Z^ ڌǎRڳx8:t񝺻!炈O@{m/Nw {-Sd(m g6"\nG%Nv\Ʊ11)6 fO;4S@ Nq <(P^9{= {/`{*7S#W2"BO1!@Jx_%ݺf3@-݄K9|_@N;q`l7h`ϧ%J/k=k3珄$ 1ŠO / Se!r"Q YT $u"ۻɮ߶}A vј2#¥/Gn貮Uew_Xt¯_py1vQ5cۊSmoPȊ|L:T'QƲI*.\X>JCaae`= bq8zݱ;o°lzˬö~얎Ql[5~H"9WzNuKQrY,KLf\8}δkor)jVxpPCInY_ Q,,CEx/\QJق` Co':*KLqM쮎s/"X(˝F/1@~)|7 K.2t"D ގW_-RLhoF7Amc{6ZtGы%3{fW(.lW'NS$.;|k"QNFƱRlV #^fn@&@7̱s#a@ejTc*̲@34k6#b7<'Lڐ4{ qXܻ372O\RQ:fZOߊGP DyEI&YzHn q?Ӝ2ri$?;ρ`agobeRp)Yy>:w}7$R5gWGP1_yz 1&q|WMΠrӭd^00lD"npg[O1$S^Dh1$_yRov*:30_a*߳sX 8X&=*5LSSy>pƨlԌM0jaQn;\.fy]$S@x E|(Urg+Fh >#$0MÔX$K PZ%_T.yNBexZ݊ω%SF Y w3Ӭ[׿V@[A[O =SZG"mX) ??O?{ PLEA@vubVXX7]2_eWݝMdR~Ě;8Ǯ|vog*KM1!k!`O[IaG}#Rs-u& X. $D4Ȋl`!m8D0{a@GuKXq,M[b/!N֮㌁,6udf۵rJ0%XU!,WXTNnf)v/bjY96&rΚY cgq \ޖGwCd¡ #iJH~]37v۔2;nLcο b4;~6-NaaRӦp/(C؟kgqyމu`,SA+ɒJ`t͓"gÒ/TH Hvf@?`w {76PQ>b+qt0 P$ ty Et ٤5qVPg*JG/9^v Z8g V L\ pʭCL;bոKf0&1=DZo3YgVt]fҍg o9Wx092kF/@pʍpz,nh&>:AHXM_ʝƊMs5^.\dOˈje^$}P?oLotf F:8q}R߫l_amyia(mH G=AIǃ?0@;sEZ#„s<ٶL =`ȶJGS5ep(x"jZ//)JL a-H,AP__R4I%553ݤ3٦])rG(?b3r]_=˺sq8ExFp?gm y'%L[8$Gut-R4g"i @uʳ%m~] ,)P2sztyxU~d=%NfMCjvrlc%=2X 3_Q%:1& 2d7/M'6Va`8zoW?Cr(ya72jOuQ(Ehy[ Eɧtd]G) {GN3N|?Qkz镯!U CX9 HaK+wctQ,d5C"WqԌ5\j=S)' ۄKEL3!&cԥHl/X*ppލ*@ 2:7,փsj :xy]-l50_3Anf@2M WIի`|s˳>  lrU9EM]db}3]Mfu!}d՝VԘ` E]~SbWqx9*&I*bJ:LPz2Bw+>5IzXKPt[*/hHosxq,#PDssc"`ڇ#,U#+K 9OX\K ~bV#F9h#T\RC8nJahSO?f$E5ovWuz;|vEW bw e)~]/g7\k$:aCox dhv`jt(brX #'RⳀ@Fa4tp9EG($=hxN5rq)B<$fĚNG.Yv@GV'$H ~Lm$qzL!M1ͪGu" wXW!6զ&t:5V;4pCȨjeTQu0pΩ &EUleeϼ'č PQϴl/5}+V[kp@&u6r:#QGNBz G\Yq,wq{>LgRs0sܭ0Nx\IR)y&Йnltv8:Q&@ND_9 XSs#uN|0j* ň$/g×ק<^J7Nj6Um6Ic5pXRQ 0##N$rҎ)"Q`k3 ?,Empn3D`*W84Xp33im%"3DPh?^`?YMfW5rtQv`պ#5_gn'Y܌jXTS̄۝{L#Dݿi1O/qjɒ+d-z4؆Aae -d=ۚXFr8af -n\,/B#9o$nCAdU0^) Y/jGOA-}uGzw$ഁ'.޶k0/fok@8b,lпQNDJ>$[°3UI}Foq./vPϥ턶2cՂ VٔPi K",6~ȑ=d$#0 <,(f;FDэ)úv{TjSڻ0>L5őWx>{/eٓmPŧE҃QiR{B׹x/ҢQr P "CL)R%('³lr6Bi51[蠐 T]glFQa&^j ^_ORr-⛯";rO=Vam̴[J ,X*殛D!q@UeM*x%0˪X SXbɽ9Ԡ{z Zp}>nhŔ1Cep5*y{J @sZN6#K㵘}zْ{XV>oURFK& x7l[p) +`ޝp Uw1WkC/;m1_{\'EI14:,@֨y_!XkT`ܨ>=q; AU U;u5pcfx9&z6Y^194o_ȕOV Au )_Z\FMzC[>a_#N ĶMj1<*|sGF[PZ9q&MTZ{ߤ&=':tH}!eI/S8o=&/f Is% z6Pxn]=tȇ|[H9C-m%5KG 4/y~wyy+m#Lf#jGlɻ!;h&FZؘ~5U2{Cͽ?4j8{aP'x%r3]##aL^D9dtW:jN;)EF*|`6nym4ω.S N*=7d0!tҊ^ƹ)sm7sc izuk\t=9iU0l%I>KG:D#Оgtݭc 9 U4Ƈzâ~PQ*`,  l~D3 .i~AUp%T<&O-^}/;QcpR5vhGM! w/?~[L[=kלd%wнDȽs8n3.,LDlD"Mtdjr4*I#|.R6[)+0sjT8<a*!;#+AtOHaW4IƉ}ܫ4NLfBXţM`UpT;^uՔ~ߏP;԰#N2x- |a~2˞ʩ;]eUMseg}) ^e焄jтȜ.:{C+n]3,\~bu!a*^7_ED sYr-px7<ÿ) 7n08} W&SUG]ce7x Yt9c7ơ>n'9l#(.#.8JRq<+r"a7^_<'ܷ'\YMV"v!W&a#ڥжvޖCv-/u*,Ip &`nB?f8H.h؊YwҋuFʷسSIp 5up8 5DZ(?". 3x*Yj9,zݰk t^)a8E>4 |TNS#p^;%ay=aBR0 qMHV Mxusֈv$w"NigUP ˬ'̶ZELtK-mX `|6G9i kuGV7n:eH//6mWlKܝuk;{٧̪Iŵ}2URxHWn_i,Qea; NnwWgfЀen K'Ή3i؎'f@_>jH o^mFUjT^F[S_Y=HgZ tyG f#$ ~B?x63Oע'D&z%o \ M? E)JяV9cFÝFYh(-Ii(}пܦ{:A2sEM=tfE.zO:"X?ч^ZT2{QK"J4Ggi^oFc3Gqhc~,G~0/'?=( \~{)F־_˜ӦH٠HՉ 2`9ˬԧd}!@uRӄD~"ʎo|V7}r𺅫!Vͯ c"hO;hei>Q|,Sqj]]U _rT/36 ̇m39OnE[B@>e'. RZ\Z2  Wʬ*dkä/P-e\֮2<5<+F 5;SMRXEIrBG|*ZN`](,qUnr^8RZ_¹KQPD#^#Y="<~3D*foaO䠵ủ߉J 6hbɛ x-p1c yQpCQB P&~V3"'V^8N?;c>c&D⿒@`L7 Er|,\!X c =n0@Zii=UvenHqU[pONϢ`#¾)" |y74\N>EGsHv;.xk*,-0 H2HQIJFFiQvU͞ i6-~[؍Ɗm10϶'J7 3Q¦V[\lxR-^ |5+|.8s.~~ nDʥkV3\rǹV֕?4VKL)PNCM/Q%#4 MY$liP鄬FCw5\)Ycח!]ŶBsk)-$`e}/%ehqz\r}Ѹ/7*0{E1z2Gܩ{`'GbKqp"U[u1,r6jeVZ MN8d"pFc t<Ղ UJ@k“֞nygAY|S n3~Eԇ46OhXoUYPGIЄ K/GIJ&ꚵܜMY 5Pw~FF~O2)mfXf3'vX:ƶiT΂asE XğD}WBqJڗU0hߓ҂MVͪ,oy+H^":ICpȹSF!9_?W5Y-t1ddH@X\MpEL4kKxveXT!|uxH~H).򆋅֮K2W{?7nqy-ZM 7m }ŒJԧ `hŇnSMBK(e6EY^Pp>u\N|喯hʼi{K~*R8b"4` aV?ČK`vUϚ'l8 =S5/L/"Dá:pqzM4>4\وB?5G:H|M=!<4ھwQY1Md,ā"-nU_`|JrÇUTtE&n  ~R]=wSsتr'E!y^$h?8kߚǸy:7ԸE{wtcdk(E38\%mKi=]Zwy  G-aCr^nQxʨ,Q[eZspIn V45ROuQf,+f@Q.qIkみrteL |4Z5R{tXDDZ,<BW6G$Q3IEpHJ:Yx/S!_-vV2Ĉٯ6 ֻ3K aĂ4k7ýGxB+T/)yjEr 4f=Dz(P,]_k "h*B+ookKp,B\xr|5z }EWW=Mr5DUa΢Ӌ1UB m DR6Q }l<n53 :G~4Ǧ5 k2w"<csWF1br8S90iCӝBYEC`GyȮr\nlWvdp`k^#iJ"Ķ`Qv.\΄f!nqGH cߴusP|3=n0W#(/ѐuIåߋ𿯎8G(&,v#GؖTH]»Ah}!]q4Q@\/!89WU&LjcsHF䭷+O c 17fu+쿘G5]%Ez҄VLxI/R(Xl%شf- TD@5I.$>u#lp_2.ݠwszZhc5 PjDMA߯nr~֤k#[Do& u)ke `LJG,$j󔥵QQ ߦ =Jr0؛1?t!\n"`ǃ<"d=soŚwhΐeVJ|\])gF ƍ:G~]XPne'*z7Huqj=DIN?v&C\ۯU( 7j%,Q.2K18lBS+dJх*wQLhP!a.l/k1Z8'D P̾C!: ERmyZhY`o5qZgH_e+p5EaCp>&Y|o+k!e;w OV5N[M2BR%=S4Pʋ2aUyMZ--hcsy\s6T|f4iR #Cymimc 6ҟhr\1J~TOtL-.1:HcEd> 㒕la{Z=C1̝ rDM&>5DVձ[Bc^qBwF:cD(B]"VT*Gé+/)IqąZ 3JL ՀuѲl%ԩsE:Α/rY>Qv$h~yHi}:gE-S凖`=Ɓ&6% cCt  $E(21%fU8=qYc2mG ~nyp0tE]`ݻ@?K|KIKϰo N7h+YM=T֝(_L"jљFuäo{~q}O^f8]S>dGe2bl- .2ŧ?i:p0xz dBp;Z11i6]lq \>xnu*Hjp8pe^>P ׸D-^14]=b1گ+OYRVuK󻚊.P7xd(&p O;m<OZ7찥v5ҎFn48;HԻC}1"$ `1xt+J/=2X\N; j(|_E+ !^z^8ZX2`=D$|r E'Wq^ [bQ17%1㾱ݚIo4C3xMՊ$^;|_I< *O@DtupshBE2!bЎRbH{~L~*ܬ+$n5h|t6CCbVfeIi|@:ƔT[6f( Q80olc)a~2HɅZd@I! 4N6?fVYY~PLp 0%V]>N{$#!R<:9h'1j62;xaQiѽ!6ifVC/Jߙ=蛼2ƌ&"~gOh&-V;N n"aÅ{ UF[1aSӵމO(#9vB mB_74Aq#jG$s )|%^&ƨJM`%Yca e@9 Uȑwڌ_F ɹ~4g "q+[tW.fko#{űV}j Y!=yjl$lnXtxON,39I|G'>82e~̘ip|I[%U:΂=r]3"i^>a.E`SXm2'}~Ή%B˯6 8s%|=1U$r [qe8 \8'ɗ`a`P!N(# 0>;w۩vWAυY ca($gYNBa Q~N07'}mcXLO X.OFP8Lhc8il86ݖ|:3mq7_* ts竫 #N2j8:3*ߣ [ɺ%oH,P߱@q-yY9O A <3<=|Qdg>ZS؍%Y0=HXzOqZh=JNu;!#2h2-zfla&48DR 4Qq2 H='!V%ٛ)^b!oH0azכgž_P@kSȭzMq '~qB:Gҵ6fU5f,Zgk 8&C%N*VCG8bFZqp&:M>v"}w&f7C{ +7 "\4*hSD4HчCr.M#$(}>\ sRV _a&X0P X^d86B.<@!O%_]N%A95J,C\@c' jbds\ͫ2 lj}ƺX[44Jgr)ky8ն#,-kCdFnߕHO(Lb%ܞϔߛ**Gr< P!࣋_9Bg6Qb޹D Yrk9uۭhlO@ƒRO{Z!-jSw0Fk?H8Z-g(ٹIDuYOKKot(aLRT ;J(rw$eUL=TR}S}|[Y?ltC3v[0CF1^D4 )b3Ftwt 1 ?iz^KFX zJ_lQK? #ISç bm? l4)pGG] ;4^LPN.Â4׸Ge^]> ,!6oJ@`ABcZvaf'o>=y@[eU 8V <IMj."{7yKNrǔ#s_&_G,!̙^fb]gjVĐk#(QKm3w㙡dZZAC#4m0MtI_VP5\o-MH:s8g9ƽ v`!LBȋ[+G71e/d#Xf ~!<7OƵB}/eJ۔/ 1fM(>L,?kװA0]0ó7 5m*م ,[Х'vjoLЏ!r{Odmx9D(#XJ>p8ṟ.i|a)Zv'K  Sy?:"ZQ~5pqWBq܁d9l]]}Km:lT%lD+:#e;!Vg, TMiYv'8;5|_ kd Pa}/Gڏ΅&hUwE˸xgg0&!͋Q & DhS1w`XqO I&l$hJHV6RxUM]ܡdAemdݰ jMLEFj jwׁ_Ż. <4#G:e)Gkk,|Žqv xa(hv 7/i_Ee]DQCv_XP 2YaҨ~6'X3RH j W6TF&@z@U';`Qyg#FeHg ѡߋ,n;Yb[FqDVkg)^Rpn(Y+k QrM@-Z+<#3юIB(KҽRN5k6yX4bYBrND9# en/qXbx ,^@K'aAo€zC+H*[OT&R[39ͬipl El{#dm[g ؾ^뎌Ċ UcGCdQ 1iз{/ޞ1ʅW4@柮OVoė!6g9 ֌{4 >0(`-&/Ɋt/_ m 1-{USU?p;2ܹxj A~ޟ-σnf,nF^˶FZvذ9{0pi,xD=mzQS*',|JсW5z#76,]^ ŖfUw:[jV `kIMk,k>߳a{|2fXX w (2RsnA¹Z|ݫ j+m).j[+;BabL`O¥G:~U}8,!F$,q.2ÌJ 8c'6Xi۪S$>[R#o'K/Q{|"I"bDpLsSCɅ؏/%gtXmwK*e'M[~00h|^eVw'QnMYJ4/ Ύ,/9ެ`M)1odk&E- wZ0gcכ[˹wݪ [_AGy9x1.@ןZ f:4KPٷX yO?? qYdҩz54̧ ;9{o.}@?e7;TXWSj@<80kԙ('I|%6D栶Q"T|40+5 D@| Ӣ)՘נk[pGrDp-(=b8nazzhYHਜ਼9ʼn1U![Lk`3wDE8_ W:#wã2'ͺ=ʊ  ɞ@P\H]kkmMSOxsa3ѳ gmЖBS{RQwA9k' ɕW,N-KD5V́,v^z# ݅jP-٤&u"+n|$K0g+kj`90^ue!Sˁ$x CAY' gWyrCoqX5X?f*2P+ =3^kAMa@с9$ZMLLhPa ,L -Ԫ'eoݵ}cJGnkXÀO%`eDw@P*FpDC{F-r|/҆POw ӽ"v;v+p^/]beG !V@vl u{ >?a̛Jtu$b%*sJfuޠ{ц豶c{%o{7&;u&4o!J/#X2=q':vf%eEbBdar)W`!—1kZ)G9+ݩVq%Nb89u0uJ:>pl'Ep Ȑj% \d!DJs|b FDTH 9DbR ^3&8pbl}UcWr*g^ KM.7/sD,Ɋ0uNR7t 5:fguyvpaK:o[$x )"`y*WLj&G-0`̙S:dx{}  :c"\H|O?`Mט:LEM>2쀃%= @x0Y"WGi&P6C(u9 7:Y6 rڥq_A')u88>tY'eG{yC nIۀ"~(unW%Q%mmvJ<'jͤ| geO}hɥNn%q tio; B.9G i}c=2TGg湂PjJ$_w#c{ޫq3XivCH,HSA5m*!vn 4{48+Jiv6ǘp6J1\=CR]`qвMʗ.{mRm8\ }ӌzݯ LJ#{{ٝs$S}魈-GU T\k3 NT`,6qdh5@#Q?Ł5M+5+|,Wd?ӌl_~%Tk!<) ʈvm/ufArմZAXN,B:}QCDjw[ʘo]A%Ҷ+B6CfYR &vZ\>̇N'm0(A~?܂,|Ÿ,ϣTՎ4}l!h^CQRI<=wԾbLҚYh ]"pc$A1n]| Rið0vP8sW<_prゞp,7+5pQVy<^JAři|_伎O ,Qe$~9Ci)\6Nz!VKiIλV3ìpJK_I?ct޳r vdaHlJX~ IV6UVӚP}z8d7yEl+ l-TqRPL1p4>1cR!Ydx4:a,mai/OY *DC~Rf Q7,d:vK8Xn\/Vu`m20N8hfuKMGo`|Um>͏ҋfW?o$~/Tn!/xUxA>ISF۠;Ťi~WW4}W;I+IM4z>Tf>ׄ84-HwTҨwcmK`ЪkekRu =ĉDOtpy ȫ@E2{UjNZ_ZN:Ag_J oJr൉F^PʇNI F4peي8d#[ZAhإѭY-t|/΄gv9{咞ohh~ k)kkdOyza[ڂտhs)='E]ӀPȉ$cpX}xwzlheZPԪ>L܄~7\LkF .0'9⌧U"яAIFake'A[jGI[=z?,fy_7mnY? `Gίp*i!'j>WJet9w=ɰ"4ĺ.)8!8J~k>pϭ~ `"TY}#T'c!IY5!=%uum .5 ,ɕ:XL-` "=s'#{N[b䨑=+S=wugg$ ^?Pg2u撔=84]kt{\~h)RCWҊ04Qz sXVm;xDZ4kYl5aHXK8% !fTԏ } e #wz6cja.vcu8E,d$L/;ƛ j}WX]h~C۲T\#}MK⮿.*,u+hJbCJv3qE\1^h0]vjp_`#|1BC >t̔Ű&R*a}?MQs7}CF,FnGT h, k5d} Ht_nۧBkk_%u]";H);sRh9 ʀS*;F; :ʻ\}tPFܘL ҔfCsFh6v˺sBZ$&Ў7R72`EsᵭZo\"t0:P 07AM.!52PZbm$u .&pU)⦞{ HWvӞ T$kʹ\ Ő?C}hW"Xi$C20-Xԍ U71=Tek $͝Fmz{4scZƫ5uEa@%q`5(q]@E}O $7~"!,>'rLS0;46IXST,@ը٫Ug4/m@UB-BJZPX(xƀ$&J~@fi&S2D {r|p5:||R/mKW 3ӌDT^$Ra& 9PjUW4d;g2S""ŏşfQder5x+U҇㆟PjEqw. Q笓l5;23/Qx7g;1\d2kmףe)[m"jh2[Y*UB-j\>6EC Z.Ƕ#n{į1~H|zMSta˖w KR%t-(cbO2 wa?M.7G̲~z휿v2cu+TG+m`Qg0h|Ztl!~4vVV}#siyT,0L\AU;O 'WQs ۲uEm)xEfH+c9nndN]8 8@B>Z4q8Ҥ`Ta)LG7g<&͠4 {1N=):m#΁hvssybYMK)@Ubˍ` n/Nɤz)N /.b _OvhgB*1~@GxnuݔsC5efQR?/n䬏LxW/SQ3QoDFx!ʳ5w.T5L1?hٚ7fU-*-6l\.NwDC03Ҙp:Xޛ{CL$)Hp-JMr$(p[Ld; A(@[ԒɊM͎]X9Y 2Z=&?*̸m!*gVN=<7n4nV.OW='3ُ_i"fVP+RdI94m᱒UDfK}>RLh;frN(/AX9,OP#YW/1NCW}zT|z+ #Pb?-J4m fR()C=ON񺌌h\2d`0#~=HBW`*"U0lO*׷iQSۡ,wijr-T\O4!yrYtpy1,QLrM U0^Bi:7>nW|MR.o&E+=:Cׇ\Ok3 ќbg(|]:NקK[VfXRKѓO^WXJx &Zߕe'˴hԣr&^Do-NM7]wLCy7W, /DVvD;uvE "͋T50Q}[\WBCSTK䉎Qj^.ojZF΅l_zzaEBL[8ě\OE9Uu5 ffKt! 3hw67ih+syɟGUuB\/!a &a|z&ޔ"l R:f!S(`o!#8CDer :؉\?/}sLL@.8sGynRǥ2OwePS>+ɡ{-oC+_.xS}+E<ܰB_E G󢼱QZsk [o׬Ug_SzsL9)KzcU;FM100KkSCW*aX K#!BpZ6pG#!ރ)q>e фm|GxJʼ9nalGxQ,v{f ?PTsx{GtuR|V#Ʉ­TJO9U:ބVK mdڱK\Bpb}1 _r> :MF,T\FNpEbO6ƖՐR,'_umZ9f?(rO{H\!(6}˺h)~=F$[[Dޑ#jYUj;RrnkG;f=ѱwCTQ5J#bkOcߞ_tq`hMx@)*kLITAKT\ГYDD:Cզ: p;0j}[nmTJ U+߁р"&Ͷw8P0n:鷒>{t5Q_~+8&QB#Ku`Dpq<5?JPq]x5 ؝p}%.QߌC"(c-[rJAxRUjkcsB8^Q_3:Nn<8h,jymrO(=,bHƘrVFlLJpoϒ$]Uco퀬`;}/_ 53<qh^ P`EY-] #v:JeLω.\T#DZ墆6G.|.+'J~I.ݑdxltTrPf$r2GN?I.-WTrpʙ0}"Iz{{o-/;E.װ z5ф@ 8Mk q[Kgw|#^b'Ov{ryP(Y`.,9.CO7aM-2&j~bhLn2 Oq$ejo 9LJe Ã_7Gi칒L o9XG RI=[atYHQ+Rt7nVWi??]Q,i{\a\qjZro? Yb3&Ю-ȷjs8s=-0,\GeRq+Z(U8بza{iHXu !+K'[.|ABOD^T3?m&ZFw'0YcY,| n!i8} =\wT9Bڣ"Xn~IKf&:i90jn%OGl5E3]V pmR.Z}ti$abΡ&vS.Ewˁ'9gQ,;&Q]d*_55;!eqmBKnᾪ(!Wf!X^G)SwŠBeDۅ-%5H70vj~ߍ VJ6MKCA/b/Rv+)^@w6Zzǖ˶ (#Ȋ-'bE=c;kwE.tu>Mݱtᣀ}mV:%8@S8=oE~Y#eJK؞`<3}}~L:/n_@͑dą=m2XokcyTk몙:~ۉ|qjk(zWm?LLÜ\E.FyV2X _ۚͿٓL\a7b`{$^{֭Ax5*XCS%))`*7gVK4؍F8í,_}3Bl.Xl4H=kw3+ ^Vg3q!v\YXYO 4 \{U~-IG3꒿!μv7e=Sz%SWψv/"Kj6VV去o ?܊;ջIMزHG4]YN%߽YÜ_9T KaHMlPPX&e}1LU~Gp|9dB{saҕ}_5jlxVunMv7)TC'!r '={h̓1J{?!ZƊچ{rCƣ٭m\UTy!`XP_~`B(`DHM{mh ?߭C_ `1Re _MЖ&ΒwߒWUno8R !TqhغAU.Sŷ~ ;1'gu,"YWG^j~2#̪(:x\nKn5v 8PP RYR[scΕXL$%T* ?0@ѵ,C'*Γȋ=Sڎ4fZ7~~l a@"5T{+0?dDF)ݼ\fdK򍨿mߘp҈~u 61ú\uҙ&J((^3ki)N.4IKb#3|1#ŚSN,qp(PRkB94 puEZ̆ʵ =G7MwC)x4jsQe/.u\w`FDtEm=}FxRؠ{C?8.|vX[0Fmdќ~ U3lR`_ȗCz 3D1yT.v#ywWgtx\[~QB[~~梊F.f]r)e.E)(*h̞l)!1_k>x,eT6K"y(LnlEM7ztdou)C)t%Gjc:  ѩpwW+brLRC:w*ؤ9e ҰŇö^ gz:j)"Uu-MH4 &GuHoL=t$ß QdRf}PdizwOp4RUUN |73֓zւ6-ŏP&Zq9*DnibOEt̊$BeW;>4hV>sP\VTm,}9THd>";ckDf'b@'9M%e"?#dHP LړUaf 41KVO2LyO,d)tWf&b|Ь692 v'QMPg y'B|7hv )no&L Lك qieuL}xKx?CpX/( n$Y)[U"ڙSQ  uP :Ju=/*VN(急ydTc;+ctq Hb ɞק"VOU8ݵ#tMႌmLg9r(߹:l%Axy>=%H񹳥KQMaC?;8XYZ ݜa yB5,QI;X%nﻌr?  dIʕ%oq@yg<,3 2sOثg_oAc2ڡ\b*CQQ^<ܔbcWD ^wIXV1M4ڽ C7Dj;ֲ3wT8;dΑ&J8+ [Q]8qӲHm|<#뜶N7`A G&+x.*ΎbA d$yl#9wԛ6UB8c=Ω3c9aGK 2$ 8 #DN{.1 n߽7$i)fXU k~> '}U*vUj&D%zy12mE͜)XKsrq⟑콋 r10+h|LVmWac"cyѴ .Nm!$|~KjȈ 7{x8Jv]kp.gEF5g5'дl~ CdE޵ht깳q꙲+`rtu@z{ȳelE8B6v1AtNǽ- }#ɹa991̌t1K7A3!d/ۜ{(9d(f0it];܌hzv ,_zI|.&wNRnG&}|{rAQN7AJu4Xgog[Eo()QQ {)6Ps3[ɦIյsEʏ&VFjvSS,b\3$ɑr-zS'B5X+Dr)ԣ78^MulNw/N#F.R"Pʟ\–R^>Lӏ(CQ _j֒l9J.ޤ{ |u̍zub$z6KEw ya7S:ܸ˪^?%g\}K!iQf`խ.q7f'ׇ|85>ǃƢ4~ܒW VWL<r`Tp#j) !N.7epda[NU4d~מ#ŚYiGI)t5 *=jEsߓ.ju gaJ)DI' h-y2P?JojǷ/:CHto!2-B̿Ժ'C32>_w!Y2|7pm_O_'ʵJ~*,fL,ǕFeF4!bpvYni=~m/<΀e/Rwn8֤[ bZL1֧HF%;r@Nx"o5ސZe'6oFP-S% `e<ҷq}sE@v8\v /oſ޾zĝqubɠ'kE {эqhj3H_w˝ǜa1 3\Am88bQ(rLY3DzAZʮO$.T=c{07o@q#~26_1:6ڡ]e$\AԓY: IIKs1 vPHKG[HM92*7$˄,p'LHy JI z;rv6g hW8Y7^)Z+yD,; qy|,٫C$>dduD3hdz2y@UrMt_nwbMCH-(`+=`2&LK$/q #wE[-1M2|֜jlZ;.OaJ95 z X_jKyV̧Ĥ Cè.[H9%o̻_M՝f-k?ϡq9|",iZy;i#Fے`e-z^y댈TTI`^$;P"J\#  78/pipl [\r8ޚ֪VFL$,v]}/oi[oWTT~S?τ\[ދMnPM"y&b|<=/|.DpKrnqnl #Wt }uߔ.%<sZoRQοvA\LG+Ocp< D``:?J73)>-j Ǖ!n3-C7|8(m5U=h`jGOB=[C-iyt4T-z굊dN+Dd~ шeڹm.Z5t&%,gg0z9ղq_1]{ tt6!";x`&?}6رLإkQ#jBl@@eJ^ Uʔ'F[Jw*ѻT\Z@}BK da~CRXHG3==#E e v Jejv1ݿժ=^'UMRu$ s72BM%vxoJ:]@P1GϪ 40&6qfsnDs &ӽi;Cmbcc70Bkxګ!ߨ8hMALkic$CPhxJm*pU9\/WSAwQCX/'\@9h ‡b68)8g RvLTEpLRBÈF:ټz}*A$y>6왍XD eMS m*m2bȩ`}iI#iY Ps&"*OJ ,5߬zXdIim0Kx,k*6eN"ݤQn[wŧ|M C eJLhԃ:G 7`V3XH`xx\PI=6l>h5G#}Um.sh^ܔ:TѬDB5W LiDY}F=S2?Xd=FbUYcj;BƬXKB#K_" 6?T@?ĝRя9Mh@_(t~A2_f;r Rմ}ZpMK82(WB=O-ZI}nY`t0mlI;dWMS閾GhFj,/E^|26[_0դY[P'h;knhjG~ePQ-Y,'eJcryBJX+PUeSS;$ݖ*uIsQr49Ah5VcJuѲ2߈2;T  _/uVi驨Keݨ&klwsuf%xj۲_5$Z۔0_&-xL]cLS%'`s+l%AϣR>I-z/yMya/=LĶ`- '/4~|5yjUlR zHxKlcuZb.a6Αؠ%d5R4iK+H0lT$G" Wr*[8mcߚ`BZ4+j R6j:ۮp4 5L)yrL!7ZyB:6 ]`UYeɘsIiN>`#|aqV!(R#Oy?d(pu}?GvZfq30k~wlu->L[=feLJ% "h _b +^`^džɩ"ul(W43EiY %vq9ײ#x rmMBI G<6SsXpa 8@*Sy9qdTZf"% NG/IcLQz{kӕwv6UOZ"ڨևc#!]ܲM|ExC1ͼ$(૪ N`]CwWޚmjF>!YnvUSbw<[$zM@|b^hr7&*$ʬS_uBrjZH#PP4IrsQPV.1DFgDVjȉpր*}1fbkhLzנm`my)⻯}bilE8E i!4/ ]5NRG)t'Go5̙ lkiginwTW[Z^ WXzyY,.<,ߵjsGȂ FY(R)=+5i;\hH4UC;~6O_Tr?ps㶉dD]ؐ+mGԁ8oy!oGGtق/ڎԹ l4BKYMi_[Dad.B~z;\?t^t[*'Y  }Y(Տ'1W ɝ_0ՐHzzApX{am\1كʫ:$>ꮴ4'^G2x_J]ɉߒw#5M.T$igࡷ~V 3#A4j\eY"- ) ͛0 uуt,.0S#cTLah TZjZx&b } d4Yaiz=-VM ![u$' -;8Cy574I/cuG!ڿ'RiWsb%F/ l KAaO 2Mh`~T~\^ \~QR[;[ܽGExg{ jٞU=׬ Xyl ;eӛBߛ*) xNX-~"!UxxG!x~ TIc9sAO?9snE \?< gA*J:w*!"*+ƟKص׊]^yvQ&. P}/0 ,2 !(b0 " Ҟz "gyI&ݯ~HZ9ߐ<;zb=6o{mʭVpEdBOYL<)n ]f!nR-o{!߅mqT1bA& ܴl)/I7`w9tJ`}t\hqTټWotB6z"Iw1)}TcqFA v-)& luL=Õx;G2J '\XsbW'mOʶm!O>Ce*юM4 E<$ 4JHecma$0nޔAĉI= [Cy8C2z+sK[_Z AN\v+xz_HX_.ttCe'fyQc5BǣbVnju:D͂!9ʮ̉ɿ:'{릑]N6(@eI=y?!k8ށvxM u{LU/Nilvño'o )&qжpY!߃~Mp⏺11A_2SujK3 yAЫG*኱ ]`/,6KK1!%jo/ A/JFR$m;H ;;@hmbT۪T%7)o#@uAqK٧(OQ-Pd^1DXv%jFyn ty7b'f"8DuH͐vjq6;ʆKk۫ǔZj2[C3fec2 s)0vP_YV䴣HtLdZHx*]#VAÀJqc |9@Y_֞l #\v %O8b?t'ejᕹPcLpQ-(H_r=+WీԨ" Tw!dpyGðջĝY!Gd2B:(7eOwV06 Sj  FL="D3BWV0'?ݪA%n_65aL5 ޮ/Zgs`dFRdեMvNNc5rYTj"Q;RJX=­:y@cx\G=«!|.Z&SW1"V I.3XT|(MK].ݭc=!rwGu~c ܷ.ZΙ]ߊS= B k/pK͊I~uoy^qI'Vros3AM;MT\ѥkR#"eyGla/!ꗟmpnK{yKAWuaTCزs&z똲⟦7&~'< 7\lLo}ݷ:ҜzU*<W{jrt cCݜNwR`rjDSG/*3+AjyYz\NQ%}h P,gn<Yڣ/qMMva%7ʩi(?BcPrv|D3U& #xzmtޑW!,L%O]Xeƃe΂ Xk 28@μ݊ o_#3KJTQ: &|vUFz9ā恻$˰p{ WFi# [kur%22 F\ +~Mo~vQzҚ |+*N蟴8yĢs-͏< 'h)i=:h.{Y閾Tҙb`TݧuZG^*rđ}TSwUT^0}^pI iz֝ I bݧU }L ܁YP܍!2FPn,DS)/npm=6ACe6P%n4hE!hy\Ec&'c$6'M*i~/vZ,ZK3w_9A>~FV#˚dWي=AGB ^H,c 1{7ib6@iծ9b|;T?zzE+AdL}:g4i?cPBq`QpMz~Ac.׶2 &jNX %Ua  VeHC뿠r T.YWB2`Q]b~9Πp7e2>p#׋UҎ)לsg6>fUY_wXY=.77 N['-l !ɍ a?rN%H* e~ }GǶ+vߌh"̢/V׸Qn7XA/I JNμ6iBtQ\OB[6ftX(RЭϱ"h&m<|`Z"ڼ1"7@z,z܉4P ?G-h7;◵9=|܀mGij0-vqV$r+OK0ڹbwgH;5^#uN3Xb R+.1r).R&mk>BW$|K&-b}`*&OKc2EL 9.:"kUL?'? }G^9$wv o]E/4H%lQ ؅:_9ѢL-4o߻ʡH^}.VN._n?m],S@Ѫ֑arGVًyR#q\y(]!Zu))%I AIkS%@0f(IekY1) }kt^.bmeS"1(/m-x(=-h5Ҭ%]r@Y|.SqhW쐦1} RT޳ZZIpRf[-n"':HPofWSw[&-29óo=Zn <6=q FJJ}mt>W?-F ҷtyJ@!1̪$\(п4d}W›X+D߄]b "df=,h|5sg9}羊2oF7C@ X Yjv͜3lJVnC@׽y*o杍\Z S.y) k(Odpd͆rحjqӣonM925}sJM h=U]pVp֯mл0Ǩp{oCڡKV0 3_Tc2(gƜ2&m/,I^U;iv VOGRme+& )Нg$z F; )Bd b\/EN:>AfsgIS5F{6|}1Z ?$KZJO ~o'gM~M1=&ҥwU "QLha@{&VYUxdă_5RoXD>kvV6os)0Ar660!  ^k2-ezXW_ZZa}fY ɃR)^a6lm,#X44<2 bƏleDl](]'dŴ0VDH!X%cT}zO^ɅfE]]4J!<$쎙++당0ͅh"d;'AT[+.(Ƀ#x0+:nC=>f/p=@)8pzqcx]3 wDOn[VMLۋj1^G `ܒm.K(F?=+i"/k !'4&U1 c']wJyj(sN}J꺎8ӗQ& HL;8q]c'E'Λz'Rlu}`"Iy{F1t &bMF{-̤w_gn@|R5TjD>Zd}o%wTJGбH|SX)ޮ_FaWs%| \\8OS>C]N/0LB9ڑ = `Ϡ# #<1k|;R70rqb@.^(tE?Rw]7'Q$^zz)X)4RpN/d;ءa$0azn;~0B1_98јs#r*417 366/J\>ˑ@;2pmᨳw$:zv,/7,L`i]{h,Ϧ?ER}z7mE=kPTU(g0H |y>u֬y&s7t|L@ +<:JF1akc(M7$hp1 M 'jg4DZČ)gޭF2s~(M+yAsOT%6 S(ph :qv&V)#skH;>=(3 <Ƕe&C-wnlV1q\kg ~R;E$h˥ɮ.igQZ.v.ag[e=l~̟rN57uGHe\f;@JȨN$&\3Br"*e1݂JYr-LN{@gbBâ;7zoDv*|^"y'EI5Jq ]}mwl^ve}.v; =8oT^UOA27ܤ>dgH]S 9İ v*0MSgc6רGb$38"5a GYpI)Et.H׎$"[sAT GB!Ke?ֶ!TĤ}ϐU4"x"H_nFئAJ fc ĪxR)RZC:g]Ahd HmNߪ/ɇ\ + Co^ 2e4;:ٱYĮPL )`%zxSL]n^fo<y׵_y iV{ {90g;Y }6l`rbk[';R/m}M~A6 F ?w^Z4=m\Owb {!rQ/yӐ2s-_5,veNFug61{diu Hj"a n~%b& qrzSrboILX0d@8yIrCv]rISw76YbU |%'{! U^QI81Oex/[~"P0WV]BI}Qt8Qrw @LkSl6 $+9*-b+X,0}|/?2Z _ɒ (9Ҡ+ΖZNP=!,`7C E]mu9Uˀy~ 닂e-mO4`f 'Uz"]Z/szIB[#n%O9z79=鮩<~^\\馁ą* ̃FSaK*q#"U7QwRK؝ /}E{?NLzqp>^RL:v_ VSsdڮ&ŚB;mx"z dy#Ntk i%AW >Md. B<6׾ʏ CT\=V*ܸB᠌3H糫s3IآÑ8'N rEUA 7s|/p $ZuqyCJY =_o -fԃ t}Sgx8Z7W8D[-+ʴ/'!P1a7Tn B+.y&̚e&X_39e40 t8(_J IU)^v H<~6{Wz > 0LE~gYhPT^ b,lpl`FYX1˚Gjm֔ڕl60O#\)nűOZ DY^5F2*ofLUV 4dM&6N G467NI) O>2j_EPBu g"`7i@14;O4٧y6,9Q*Q(܀݄ ; bκC=气e]qݸ&֪cSNbuMm=P Ѣ$:atx=32y)컘VʹLB= y@j`1L1.Tn⡞q߱ᦐuA$q^-SRƕڤ0a&5R9AZMU7p!N %ܥ.NpTI}~`L 4+̟nYpŶNRrh&e42KÌ{LhNLeZm>`~wNI'QL]%pgJTkHl m@6cۭ'K A r0&GA_=8TX ļS!3镥]c/CSeALGuCЈ@~\:T$B_j7.DyXU*1C u¼ tdgcy*h W88_ُXK`>VXI&%ġDZd;`"Ugˈ:ğ0'VofNlKt\d-NSh 14-$~#Y S6.Y WɈFkx7ežDe>u_"Ќgvw\NJ0,D$lO}Dy>tMNX#4ހÎ[H9mte.TD;!BNZfCFF=F4+li3_\|VݣD;nx˱,F& Xq_[%/|:/Nݽi{Yv}̵7ɒ :IڋmqU#|\ Udг\y6R,!'kWV-, zG`tG^_E!(%xpG÷~z7ѩA|![,~`'?iP9H$>0xC»@pڄ&T6[ t̹(&%Qp3/InK-Itew'a$BaˠB=ҔeA9T s|Ckܲw4\ZykP≶>;ۋujEpSwWByKɪ.Zv{BfƞEAukVǪ g' 0 K&$${fF]L vAu.Onƛ ǢPJҔ4d)lVz8Ot1d/ `+GL|Wt4`f_mae‰}<}o)1IXCIW^7qb+J!>5eˢ^ͦǐS,{A?r:;]`t&o2F?Z^bָOȖ5hra޲H"ѷm*xFid\)4:>ݵ5Q'Ѵ}XQ$gD8si*hI)z(,vN;>Џa~ iԭH:Ll>4%jѪϺt9:c,cFs蓢&I`5Xr3I0Ŋu҅d#K[u6+01$ؐOv<:8YmNYxyߌ CiN F6)+!=jN8TO7Q{ޕl^|g5ϨMus>߀-f{knQzsNC4 x=TOG >fmdڈ,7cv){N8{F]_IZX!V>8q퍷\UYhϐzqrEm ZXLwdD7fʐ. bm64x(NH9D?[`X}ɆcM< ;?NABqhHR/ڡV qQJCюi~$3JC"Il%$F)}%YȕX۲A.BvX?0 2etV+Iɟe|ǖ- {UWgETy, DlGf۵ŀtn>--4Mx n,i函xc5^plSĚ#lЛoаoC}u,>d)E"[#Fc 0,$Q6GLA6 pfu{6<,Jt[@ BhJ) APŵkGtL #U>#!U7uW&n_N?J4b[* 2P&=rk@q`z4oF'㾞I_˚D,g߼lZ*e5!^V|'x҅]MxyiExc ~YfQ|7T|R(2ǥj70-GGLhE^xhV nŕꯃٙޟOdڮ+h7G[+C"4^W)1'}w5v|ZG;utW#mCEˇ`oY+U# dV(9ZI Dw? 2ȕd2"u6uJ'CY,Wd/[5'!+G?Ie6 V*uClp>v^1bc M# -m'b|&F)f7Mji2 !$F10KfS7wT4-Q+v >W9<yu2$pYd% $QJH؉a8tW]M7F,6[: 8yނB 7W)A`疵9Yg_ٞBhⲍ>&<,{^OB[cp8X`$ 4mA*z\*< ]%y~(o=Eh>QJlYMb'ĒՎKZ&\~UVXm||e>ſľᒾu="t}z*7 O+IY 7f.uz@ .LGmUoiп\xcU}t&JT8Atn ++1U/p_'wvdhD&o j {N`r/Bc2fO\uj:,)oQI&A Eb"} cq{?Q\gǼkȿ=a1IJȻg{q^G Qb<15ޠLfN/g 5;g9UՓs~ڽXJ.)w-&(ϑȫ唕 υMc>kh =O ܈%*

w/( ft{B&a ˁXo}fw(`}3ȠmoӜ(оT%٣=Sz"b@1)w:WAC̨daR[@,Ol s_/:jM: 9[$#gGd|/ Jq t.9Z"I6) n Ö7ETgA;C<7{sş Fo&]P_͑pYE- 31`C֙9xUలϩEzt۬"dSRno[K_a*7Í5UUoݡ x >ѿk)sTI;fVHo ]ti$f B75 z}.ň8E`eƹFV;ٚvoڢRglFQ++l"BFzo3 O\30o5!]j*=mc7>M~o'_;4m4+%.Ee m.?z!RI¡53]WUvƺFlyp4;M%% M4G(LprsE1Vf7c,E0Y W$faY64* -mK l¡[w Qr) - =3~ak7\GΝӑWp;!Dd^.鿗fYK [8:6$]}%X7agYIqU:"d(gu4UY>u91txx{k53V㹄k҉ԥt)8,-AOa_q_ lW(t]cȼ/5E붎{L'ؖ i-Uż?Ik ^[#o_qU`Ԯ=<8l3GםD xV(p~:D!ef!P`.,,b]v1TSid$48l*9ƙoCʟ~{K;,a.e@osO =:nX̚i5ϋ_PVIc$> N##9 +:)vu]7\(ߡQ: <_cAԹ.d*+$\S4NY|q~ SbFB&Ew`X_@1fdY7<[Ӕi4ū 5!/ PKZߨD0L"vr ex3#Uq@P$.FbrHv٣FiB:>lńw^ɥCC#8[v E_4;6Nڱ4Ŝ&BjUFƒ]J [A̛-n.a{y$y +k% Dww"\$LTG/Ѯ>+~WwuX[ cH~; EXη`eJ}?ar'dvRxw[ 憀w)ӧer?7 wޫ[9U*r({ˣ(S m$nm!'Ҁw bu@'כF>jt5Eɩ%?trf,Wՠ*[n2 C\KFT"ҵRLOgF$s3Aʕ ^BX+(x<~!&8(92 H2A8x$ރڠ\k /IOBn`"@V *ut6ZHrшd5(y? 7չFy^YlEAYU!wj*6s@2ѽ/q4I.UƆo_ʳfl*d8BLqiP߹ӳK4/L]_W9`9Nρ~ٱ(NpJ> `$8+u)9tێWC:f::%bt,ZU/PˊG?-uQ2KRGg5,W.JAӢEi#~s`aA Qcُd ٪GDo.?CE}\Hkc1 hPr*گ(AiHLwQ~[ml&2wC ǬlԇrϨeg/ >WnT!LM: :Co|D?Kq)7:?v$y]n8(,ܽdJ6?ld̓=E3JxAMw"bcHxO”Px?u]38Yk~^$.D¦+,QlF ;VOo] %T36>:t"{h'pa0VXw6`xr!݄oFX0o9K4ALP4@ʁw"$f?<:: R=NsJ<t]rԱ2 }/bE$[]NRy@PYzu\Z=2&M=ɎFr.:IsiL)(lOAs$?Em˙[ §R)!0ӓo|Q tvAk`ߣ !e('ƒ:\/Gg*pJTziVMQ^3bQ{pUC1/j/AtyaWX[RZ wW)brگb3߉D r/tgg!;b'Jׁ+[Ն;-aްdw`d|Z,Wj'LduMF( S` Ѥ2Iˡ*:M Ǘ3C4P 2bI(TzC/nQ, rJfDtCh^͔hMm>D| >d]>1Tc LAI`Yv)l Z$?<,GP1/!h-D>8;/IřeEz {eE=nPWJrĨऌDJ^p波qpKA6H׵OWfL ս 7[s,,F i"nիz%`H|mX`(b9S՝Qj5s+2+wۘ~[k7< 4D(lpsYuw:ZgL#jG`Ъ\՟L}~⥂@B25:haaZڽAa`ϭ \%V Eoϳ{A@2]Dk4<lT }]aeC5UEY)(^j hhK>q꭬iyf}Rl4'2uc?0௖l0Ŷ_z=|W ʔ а1U(hVz ] ˟(J~aвvf,w)+/_I8d&e6ײ`%FXe~pE2$Rq~dPk I;q(2.!iuB֣S2q,bQzžQo?gjRϢ* $QF1/kc8LF^]rlEW1J?%49xɫ1 /F&F^AcGJ+.Pg~)AyE# x Vh1 (3n/LɮR}๧,4IfȬP[\.I߿a@,땸TLH!?8“OPJ P9HL $])Mq9U_01''-v|0V[cCw!j ^9Ǫo#Is]Hbg'M+bﳃ$\߹hpB$;}h '$G-9j"FV!{;3+}ep( mLOi=;kk_\).]į>Hʶ ޝ"|n fnʐ_ݤGO1r#M̥Cz(+93פ,_LHfF#-!v&" gYC%#|ȹslԅ2ZJ@MeD7"GBjt?~Wt ׍Iwr7evԥ'{о–KI'ώ4# * 4H”|.C:b!! VCsF c}&t܅bUϯȿ ;1j[!(޽`*ty/_ ǮgvPR}zqĤH7dkZΞxtm^K4Xt́|t#В":6Թؙ[5>SLą2Q@f{\0ٺurr7gr3@zTOSU0_dJyua\AFhgN="xݲw@ ło l$W6^B}M.lLAIm ȾhFxp0OiF1A(wB2"/W܉w1۵p1WN uA_ֹˀk$`c@r$o+\6s<9{J8>,^8Z6}!$~1t׵[KDq֐F kCn״-}lh5qiX!$GVe0F1ۂ@^xhwY(A3>$Q>gmIkRAh/jGēǏoɥX$,J4ƍUЭ W5B7RLZ4~7vdQRٜrX %D'u~RjY4\lpepż30J"=*7˦J)?4(ec>8bjаFe@8q/qbp8#nV$Ҷz Mn@e3ij< UM1e׭cjvVJDS/ʚ w7fYl Ƀu҃ӄ 8q%Bu n~V,w٨-tpϤE#BcÂ:W-VdzB?CG?`Sţ6V]w ޡ"fIq9y*?pP&Tp1<rn$ QY+B4?a݂5#_U@_Aa862Dc/y vl=3nK7v{N!ΕA;R{R6b \>w,r((o뫷j{5]ED}d %m=Vq>G*łh~gG:*oH|XgDt}תɚf@FGVXc[Kr`^z6$rC .3GWU~S05L7z `z .cu)NkvBq/5M8'N/GjvlI뜥|-PZb bi60[ @V H5p V᎝*j~,'g<^}M~|o'^ ^#3ʒ., !mʖP=Jf*{)N!y3I:uD s;rr=Q|~fYñ!w&_ɩ'@D)^XC jdE Mבe*xԒ^~ԝd j7B 8Л:@21Ά*FGѷ&W6E+r l:o\TԵrN&X%r;kίAvvePg(5brh{'[aW*(z?kxzdk0~!  ~}4;P&9JD$[z|^aff!EۨڳE,L9~p[؝Gтl;2bNG2h?9AFc]:yÿ ߞM2riIH) .6}e@nX0X:? b(Sxa8E8Qn>z\f\b~a}% vq2govtzׁPu\R1~H% $s@ӤhE*.|%D1,I.wjƲ@!$yU^>eZ^:m 6t墵a MNhNX1[%Q-iM3A3">셐ű%)u \ $?hSuI7ikAB9 %? xS,)**7"rD 8`d4z1B }zܯ+|y-k6c@:!VP\dAdI(*堪,,<[9١N{ >B_ |D.zPGp>a$ &j¯ߴVۢR'1 EMj10 vº5 +%TS>[pt[X,uY̴,*.?됻nMT<*GYۓK#Q_or Ɏ]UA"?4_HS] 8;ci.vJF֦>n]R,5˗FRS} H_.psoM" 9I~46;^ے~xQM3G~+`Nv9J0D{[Vi,r_?+:YQRpn1]f4T./]" /Z8V x>U,9Ej`Rgdݶ_ WFeMQ=j};oWpa)!@YsJb P}!ypZ^0LyP$Eu@'vhd xh ޕs '%}5!6[3#J"Ťݡ54hbR{9Nl/Ҭ:oYGDwe Aa1+7aYtgksd[K 3N^Uza7䉢C,h?Ԇ(o~-oYCeލ,+t޴]z/d]3-WocDO<8~+srE<Kq}y~,⢯Ɠ㹧eAm'kgD]yQԿ Ȝ w!#klA`XW`im520PCIBf g&DS|4Eg~wۘ6ɢQe%0{qC@tT1'n^T mAh2g~ Ax;GS.2 E06*Q D P-Z׏+~_x 0itXoENJnҿ(1O.%!NPXN [J cLlMQ~\,+>`%jb,~ާXeC̈́ZstSE3xc~YKqAE%ۯÚR7΃J3gUq_=oڃqeaoXۓ#W_w]tU-b͝h4zГ 埒ގC"LɆR$#B\?7 6!9\qMh~ Un>&%[c^1@ltcB^ҝnKUG#Cn&)$i+Ny?g?'2GlGvf_^Ҽzg5~tvCt/4#n\c1.gT?ZETg#?e.dAj5@z|*8d,Ts[mjyH0uņLAj2Yn;+{U9B0PRu2_/Q).puѵ!^B O:V|Cȍ>I*k-T$3lD="mCjMIэ0Ix ";Qf jWgѷv_m+D젡ިF"`-i t|sUmOS=rKbAaPlh:Jb* 2GP4ZB.9}f.*ux-ܹ•;{jÔ)|ۙS|En\LQU;Y)dVor@Q}DƴEtNUkG\'OY]Ybr2p]2Z'͸.j,030 .7۫FN!; zYPC7;/lɌYK]}[GI%|))]@uw&oRkJMUk#^R xuidI_o 0bFHœoGLY_nGV\ oS8&g:Ts8j H^c-F"D1>*K9`װnס^[ $,m֒,N9`7lb*lF3- ; sxAI6(@-$)+:ƨ95#sȘxpp 08Ixs8fn8kMEAWs`wݾJU!YitO4- aԸ+TT~^`M^&+{D˳ds̬i 7 n&X2arsL`G#,z'Wj&ZP$.0p0FUa㛹wBK3\ W8NRtݓ)/ݧvȵHwiiR<^=y Qp?ýjc- 9r̋tha4} =|"s .ʠepQ)LF+p,~9Ab kRYrb9G(Z_Tb=ֹ&6{enh $=#N4W*?o䋁F=5n֚]fa>@9"栎2FS1ޓ| 꽢gUF19ѭgq*mA$YRz‹GAո\aQ'w166m(69-EZQ,?+,F8ď4썴*! ԲHїހS e$n987݆QZiwgoۧQ\*y+:Wb0~bm`<^)!Eim ;5-19/<1Wf1lbQ{gsC PbjRx$rz2c=|['&}Y"ْ2]aȩQf89J#1krQ?&`{^@x*I@ GY gg</qBGHE wO鳇t Z꬧0mc\XT6gnF|~e݆J ,PHŕ'DBPpUl99zB&עCl͑B SUXsȮ;*2@DճW86Qz3AC óL˂lI9,})/[8ߕz TXty5UixXqRN7~+y@PqgП7:1t0k$=x1YZɎEݥ%;jzwWtC'.vqsx):DL3΢њ3Y4L!`s+id:A黧:vp]Jy*_|1݅vnHa(F\10` O,I4k&C\FGQV=>gd1YTD .0t|`igSM0R呁su_8'ѳmS+WgJf P%q3LV1v|TPy 3_-D~2 Z5!Vlyܠsl~ӟ!2s:[d,jP&=:XaF $Wmꕲ~!MӋպH f\JI) z:T1e|BVbn*ķXHHJ6:7,r@IKNDϖ슱[E m7!rT; (c;ͮ̀L J93`3"-8\yzGEL6g6I>5Dz ;cFv(Kw*%QW-ϼ eԸ)t5^ )])÷_> UB%By]wRq8x(uo/b 'rKCi|>G#VYCĠOf vzn9Rȶgi+g#W+ Vچ] PAhr i&kQ _v*#;a8MՁ97dkԃ| P/gÈFʌKPB)\f9xȈe7Ii%tTD]pv/a.-y:ܥB{7s} A0Ɲ5!"KZ(n4"--Y}VMqn_UB1bmɘzH6V;O#0ha¨$AobKS{*vT # ׋Cacu uH3-~'I3<=dߏ>3~yAov>UHyL /{ =2ʣp(D=wf4Фn2L)f"4DA|Ulܳy*nsGkOqN87h :_v.nH]a/mATYޤYq $TbCrQ+X7eЊgZ=)')IAGg_%rKpJ(.xeMl+?f1xج۾3d>vѕ,Ygլ^1{`sxЦDU>{${Xohr1T?~g=F s a5kHD')Fۈ<8, "8Oxē\\XP[AQDhp Ξ #aL4ڴ@wrcϹy|.wRKp;+hzI.XVΡm*|&;b+_X !rX[uSΧy!4V >_~yd FP-8iy ؞2ZCT]'Ex7|rz&itލLTe6:" 2muH_"0<)O"KŰ&|z^?{OwE*)nPֽVE" H~2sjzCPжq `n+[ O7XpzGb TҟmhzQUQGr ^'`;:刉rU0^l0 a-FF0GM@.0!s*i%&_L]Vn c-"?^ҡSSLOЉ c w!XD]|WV!¥e<' @!#ѧ=J:Un%`fl.":SHt2_ld5P$Ah,0b}R!~$s?Ϫ*ic`&2Śktb@vQoE.v8Ӆ:k/iJ>lmQ,h]d޳, _IqUN /)JX^V,UnC p+V8[eo WۀٵZ.2ϚBp{a{{IQq1%ƆȈ0f>TH健&#ZsXx䝖A ""kocQw$~=Flj)י@_t%:3'=Ju'1& kЩ?-/Ed!äTu ed[Dq IS VeJc jx7^\za_s-RԪ%Pr'7ﰕ\GimPxej2։UecS@C?&/И-vn\/43H 2)^B d8U2\8-k>0='꺪!=6QY F) |­PnBHgfpdd"~,bƅJvW4j8WJ(~ u1rbpnuvyM*}}6(RFhXJYzZNgvyi+㏎ݵm@$ 閭VxmYF Tl#Z+CGpb8&1&> M 2 \R2Y"2'|?AA@ۻt?%A!Nt8Fe#00ȡ?:ŕr[O`[z7yiM]}{٠v|75xGZv L5"QnGw>}A^|>[Ct܈8L{ݣ"h0VUmwGɫL$G$ `ZR 0"1C{FD9,2-L.YX}[LнP!]#sۼZ$23T`|hBZ Q&~\pW2YL!S!7nn۫DeթPX ap888,[b?o=$ՎLm?!dpG<- ծhk}ݡ)E*5g+-CjZC8u {f|,eͤ r$@;tDf:MvS+pCa!DZnY{O&:-~FHFd+/##?_.̪r1#pW [̙{,uӳ='%rr rBBr*ë6uIŠ#Rxo81V>QF): Ik8W+OȾSn^ܠJp,*KKsZQma-+*tNTԴsԹ" `So3(%ō?%"&Y3ؿ2 C-p}pZ8L%(1 +랡V^#M9f.tg# nr5a1b϶ >}S4OIxXb+kZQ?Iw.c?^~np!ačVxN wgc霝fte7YgKġ9v,vڿ= ѪH$v2w"PtӦKG!'t,`jNA'r(JNnKqس+B$ZzۿXu8B61%x n{<d^o/>?9o/i ƾgVl$vؙo %%mv4"p9GwkNDCE=LQ|8R?B;^L΋W[\۵-727ռRYx9{PPU^&T݁t.DK$CQ2EsdYFo'-Z6mpavfX=;Eܛ@8E~Cz_bex-ģ[/jЖԈbpcd𪱌jwOz<ZpWcs }w"޻/(+<2c LdQpdiֶq]Ӽ^:%Z ETGe8=<*;z^w@f_6e)&Qx=ZJ鉻ؼL (uJyoG̓<QQk>KbƤNTKqd](ס ƭ'#XyiXErLqa!Ɠ6#G]J4t,nohp0G+%sPf7p]KJyD)')7K)%}J{hDzw}?4ʊSSRA[mRrz}d\Rˑ vF$(OֳpD qq3Z˳#ro4B^. ݉f-<1aie1$4kf//G057|ja,~2}(=1B vt<+El5/*q7EEe "OAr!xSo5A2$$͈yd.vB鑲q9DE*O sހ^$pqQ.KSޛJYdlr&nP"_5QNŬƤ PC_gO2T 6kW9RQPb -.=$"G3RnςBԳ޹j;F8~2+B=/܆YKJnzKU B!R P8Y`"88Qhf Jmu RO9{~UQ!ŧ|eVjNXJ Qs A k '2/]W"'[%Sf)z[ É1 tU%DWA+ ߇ta3ol+N[Je|GIP䈷J *~BW#,M?PPДzi1Z TA1s9t,&G}PEu:.bq?vqʉ6uZ2 8-UChވn7ŀU/)M5d$$$/ž5Ntwٚ9fq+΃'H !KE}ppV`',O0oos3N0ΰm;ױ9 4a+nȊ'p7U~i#u|K3nDʓټaE@0vb緮Gj0R .DcVPAUuq~RLKCI }p18ymYL$Z V{.P 5 GI:d WB#e8h[3`U!nN}S4xKT7@h_(>Fӎo}Bɉ+GG'zDwepnQӐf'~ c܋ucu|BQD()H2wQZ&smb*P8H+זK-#aB/Dz{>.hhJzZ^+@Uu d-PH|LJMZ]II@9#^81=?QQpA4$"9UHy Es`卶%bp^_C,z|R$:iĔCJUO(?j"Q%l壽/1 ;,FMCсFSα +fO֐,^!3 2:WZG?_4+5 aL`O̎%X ym2:r2ǒ=jƀ٘,I~f_X=% ęx|W1=78ߔ2cwˤGPL: z V*Ŝ f H A0Mg%>un-(҅~Jý,hoH,N!|dWŌaG E:gβ)k* >@7;D;&T~]H~I!B_X 48&h#?qHY169MbDH"vtz5lMEh f?(H .]rhR><_ĵ!Rjߪ+I?}X%zxN,Th+yl `g#$ >6H>r}eXvG>Q3jLZdwY*yrl# VⓟH]IY<5G D!L${@ Q7.bxҘ-H^ 69uHW"A]n ͥ%1ӈ+W+*v= 4`QrˣM-7`ŀ<곽@8p:dIqX-l,U,ڤ`k0 B:l#S?@z$`o tkP4j]ula`:& 7ۓ*Z_8pPu3͝ԦxDm7܌ZMt/-V$k.Y+ݤaPaF]FGYq$_0YFׇZ nodw67W3^S+k3;Y:cSnMcp ew&}"WΜGIuuHwW⫝̸C/q:ִr2DT(NjFKS җLxuE:)9 byz{ xbs&vH0\iCb6ͣg|7Wv0N XY*`mϠ13ڰi|9Y.1*bˑ{vT*"A4v)9d=%ϰ4Դ1vrȦ!4Ue֊ܦ 'e):LQuO'0]5xFqŊ;gPXB*Q,ꐩT?iI&xswQd2)ur 5 5UةrHk̓ '񩆃9. Vl-ڂ0ov7NaW)CTwKM C}3IgOէ7`{d~+#en-;p/WA 't"Sٿu. 5i(%K9dH2Qp4fZI&5{(ޒg/r `u>hTny%Ϳ@ws #_}uo9I 1ZN_ivQEhB}ٌ/8Ud89 Z^;:03= |G ZlLDK (Ua 46%=xMh{: chU;.u!ɋ:_ |dWNBOn," 3LĶu0!"0)Ub8)QL jJl<4F4JaQ|gQ`{=T}0sȸKmy99-8W&]AX 2Jյ}OʙXVt?^P5Ї=5[`MRYB`Ό& ]Q+~vedsyvᴉm e~yhfU*v i/D*p;p{MpTﺓZjt !+*H_z .\rVھe1C,ٴ } P4{8o> !f A@Hw(*Hŭ%0AN!Hu Vh&|Fb<.Wng'ȩB|?OBL26 rU4}(Gq Eϫc"'2[H2TԡoATQ -\jNT9WCJZޱIf~δ P&:qd(dh|ݪ!-y{qqD!F]>2JSՀ`[Qx{_;5+G ?\_L7B ~9.-WZ)r pT@w=PVK&Rqq4{"%,; +Zs VpyyT4*v@Ci^.༇K$ob8B4MMd<3BO3@q-P O&Cg1#/95cdRd&DfE(bH<\ ~.DTyZ ʝ̣u/mM0_ T](S/'Eᗠ25/uwRKNRo Ѣ٭=bIgNpտ| N1vSKOy W骋8_IZъ?r@0|?k%j5YX 'U k h*HxEKӠ-‰F={Ke 'wF6tuk=t- ? A0ży+횱yQFV"瞣uAvb+>;]vifxxY#վͱ<-խ D@u|C^pJF5%$k2 4#f|:ďK=ѺK\Qq5CS֘x QGrMF$ݗu+ܾ T s~ !ZnO>f6WRj|lF1CRQRBGD"lR[+6SƁz\dwUc~(J*${e h\%;ȴ-ag~i9hZfh427 c~o0 J03k1Q'>{+,y0ħ㯱, oJIq!$#žf q@iBlȺD3qt1.+!xpjĨP@N]|RJd>cEm_,,>CEn4N #~M䡆5_;yDZMM"Qhz2׉|-x0F'_b,92CKn,:Isu8iL#96GhۄR~nZuH'MQEass}2G\8!cEz 1)_)nG 佢c.֢OGWYIdU`$\?803/#pZٟaEXMjo Ck2ʠ#2Q+AeN$(?wDMYqc}] 6L+ݙ/_!gvL%d);FӼ5imtSN.>YK\ǐ"PחsX} ?\)Ϙ5`Uc!ə*ڻ\i֒1>l$*8J*~˭$\yOf&j2=3cKly@t+Yß{Fp?iP,ejc_S;,BE7ܮ7 x45؎Q&Kvo_s <$)2g!7-'} ` ͒-Мܾ]0V+ܻ9 <1ϕwM5䢵7>s]"S|2 H  r(1&oV%_co$ K1t|Y`B@9Ig(Xu3yCKN=׉/]FF%neLC^>R:~dFŃIfQq9.I7 |WCpǡo&7qdH̖ ۮ\-G4 E[OGqb˒<Vv޹hkϸ&Y9yQ3+zOЦd\H',Dty x4*H:: Z.1H}Wv$f=3M( #ÜLyE/90E+GR(B㩭҈`1ăf_eKfmF\^o 8Gb[+HҦ)bQspyPL ^oȃyC(gΖw|tT k"@$\Ջ$TB^M Ms@F)N]vKe/lݩ8TJfN,pJݕ(^Gyspk7:S ~>q| =xECAx[dWx9Cۗx?K^ ~"yi&z"lz  P\+|]&U'!̫ φc }G:8op._8[ T]4 ṽ :6*%@ 6Q}LXSPnÃ@̥ 1UDZgE1̾3BcD]"Dnޅ=N=)uP~0'ˎL TcPMɞeb-OSkC]?/i +ӱ]!W;n:њg.m&-S3-D}=L\KWwյ?m7BgF[&N11]͙J#k)|5\H"3`;Ց!iY = >)'!?,ȃt\B*`Qu DR溇A"h۟@V;6:bt-R8 +lD8آmv` Q)v9[$mVY~7ߛiR^kk]cdf6Q'C C5&䏡_jQ_ÚBʹbxlIuah!>"vU3UK1)H,foe5eL>Y@٦8&aj*Zt T>MX`NH) y8&46<-` lPy$lI%~ShCmZԚdk0a\9|]>ԙ\vl؆u-@i` @jf4 k~ēKJKV$NVg='e^V/ ?U}xo}y:Mo:B%Аz&L)NQhkٌB> X 4y K|合dl rS]!Q!&U| 6͵nchGdP i6KWy]¥CYMF+ܞhrlĥ1 ouF 2FKՙ]|"!)Uj`цTm 2 A`;]Z@g~/.؃B]h9O4=S|J8C[<8o0f鲩P Wj$iUWuA,U=†%*=hiSgoGy|Pw2Atȥ5؞!uOX*TċP58I\r H gF5bN|ur9 U> qaX>VEavw2[8E׊/&4qkY>3 y¥Up-oKlewWHP䢨8x}1}3O4ۖ)ā-^&uKv! '"1wMdy$T)C[0YUF&}F^f>=D/ [ui+*эAp&=S20lUFKʰ/$݊#U5`3`J1TՋ J-JVc!'G짞A?Fu Ghgg?&݌_9rsy 1ސބ2M1;k]Êu\b|ݯgCpۥ۸ 7i~2q74F]Iy} WR35R Gpg%h&WRӰ˝>NsG#Rob<(%̒O~Ll[6V`AFhPTsKFƎ n(L}"Ovztbx%T)$wcT?J!1FME=:z BsExk*au7jd팯,{,JX#/0Hȳݒq)Q$rz[n[nY< _8Z zS눌tqExmꦐg jYL1d|ȒHb= ,ZC]|dUT<{ԜL9+1E5lmbnSܔ4 Rk'{/YiUfL{GK7<~C2^4wȍJJAG5;a%Ј.._Q xk~`9X/d?Y9~%zxgc}Rz֠j"lj8T#T}KɂEdw.7dr?p|I_ϔUyn=PW-;]LW1G廉`> ˅9:U2OiSV\CL=wylE,LsN©e ΢UĔXQ|!՝̋FV(v?,ՕA9L@J[A3E]b>ؾ9K~jOcП@hLߌյ|^C7n~{~[N DcYIл\ohY8sݠ0YVH mp-jd5* o(hoԘED%ᾉV?Oob\34Vl`VvztF1B˝ӹ1 w쀪#!J8jh#FXZ%QyZT'h[+aL3A4ß2ohe/H+խHGGw~GQ=;c/ ( -mz[c =qC2~Q™Ql ,2?91 It].)L<ǮkXe^IyMosOf :O(da3|3Yf|ˆߍr {^Dz.ZkN‚€J$T"ɭA)ES~"`FܗS,\J™UVpMx_.c5ڔDhꨚ×< |IXzr^t!ӹE_΢TzRf<. _ƺdK+ @ɴ<]ш@fo{6q*~WS]~[%B~-xVix`C߇ 8i]Sf;ݓ:FWw9$@m]|#bi3K4ell1T 0ȭ—`cv%33E Lt(QUC֢Q5IU̡bA L>ڣK~F8poK+,28P=x\"_75TjѐK :فJqf¿fp-e%w^s4`kU}-~B=6U}= 2K  tؖP=Yj.䉺fl l8~pxj؆bX .ma?R$}pxXdN425aƴ|&$JڰFdeM\gBl-L1< )]C d&-Mo ߂( Ńl2i ܀E)c0V)M7"q-ƫ)zxN oqh}G a7dxO,u$9`8QL+9;Ak^7ʪBlRHڽ-6f-s_oC&Fk5r /m'5'm 3.#Z ,=+ nr cg'~I*q<]g&3>˜GסwZ`Q^p7,z# +XMRm0(R=LY\#wGDpоb<(ٕ:BԞB<ڂ \S%OP$  YM8ꯖt4<쁘4(=٠pm杧Rvt7fjʢd >́ʴJd?nYpS{@ KAb3KiXLKPJ>+Uo^.EA~wnDzgm>Z*v*_<?8o!,W+<N(`4Ow?$`cRgkMpx2J:R ۭgg:k(`{D :.Q& IRnFl)93"@2XaM2=-   HΦ*Xo̵B4" L [[E5 \C5Ĕ {@\I;Kbe'Z:0("skVea%B/4)1x२F2WLh8_ik;& zs46fK _dV0b eBh1y+{#5A}?)dD,8KEF6h/e<`CIMWGz$?nۘy7[QF!>;+:FH9e4{LeB/M {sC.d4V'NVp(ܹd\Vr]-5`R-Bp)J-%wȲ,]\n܋ۇG: _s0 W jEas[wa6Fæ:6`ʮB4) _w)U܁V8sHDtQ>hsAz/3+2}['pt;23ne`J폍Ֆh \Pc= ;^k<6TL2 A.1WPM@ʶхPtr+=j~bO_Pv98ƟΠ 4xBq:@P~J p5ծ-d5UCȢKs6C ׆;^TyfF [DއJ@aڕ%eB UI,DWт\mk6x7 gPčlvS/X?U|nJ}08㗝3wQDN2ۙjIGΗ;&,t`(ܴ_RX+w9mk/Z}ٶ+ II/z;VDڱ+҅`]wGIh j6-RW$E7=T"<_G)%v9p&ŽDunڛ֖ek{nRS>G-c?0Λ %_Aa?zB3 nU0+"Y.py}~#plK*)4R 8h7"}ަgVm13#,.a6uE݊Z΅BΡ=ϕr+TO5.q+hA g'HGA!ggȬԥ8y?[Jnfn|YE#LE2jʜw[Mԏj.`^ٰ n dPxeU?"ooP"5J!zسOtA ?/*vkXmyݦ)E"EZ]}Nv1zjEMhu|w14J=N0mj+q1Z+~i˳UݥiF)B+I0|v43D?'W.ïoQ"%6pRjw71fN}8[QZ ~:1pr\9ucZk%Uq)FO:HpJ*wʵ*Xm (!!NU|MzX2{L ,y^~`y.5vhgj`bPcA֐<i[6(xE: j Jdk'$]-0"+spӦ55 %/eڈA@j9gPH e>ÿnݭvZ,y4}k'W%G0S<cMF/RIn+F^qeafGF HYo (aO \z~+e-NN<00 C_9?gfR52|'@d]naW,` h-N*߿$cRAq{\3I@F}k\mpeKRVڗOcQWGhe4]ipI.vקQ?A؉z.@ݔ)cʊxB"Y ^nf0m=ڐ7іUZ)I>W5syPTkզ\C5eX2I(zA] 'l%{pH[z NՔj X?(_%>:I5L vAFao!;*ͻIp3R664jiv#ݕ)b^=oz:0HȜh gmKr QQ~}YuY:Sc}A75|OM#q΢4.2 ?y!*p&YGvqaZvYxz5Í@Rm6,5RrI63;\-}BџK7]_}sGW1~m8|ݴ1X TŔb哉S8_fzIKl741څ! C76GximCQ{Ȓp$Yrж -BQlݻv=޴Rl7QlKgk#R{xُk5 icn|`|.Wܥ`C3[E@vxoT }*o9xUI YΗ')@KboIY k߰\VJ_zI=#SKm D1R E%8R>ebpɾ Dt?Y-x `u )ȳ9R sk/C,CrX.T?ho/CʄRMV ׌i꼁؂LAIkA Q,-è Ez{=]Ye h.oz vT [ Љk\IG$T?? "7!gN]Q l;p<5l]/&KЗȳ;͍I<,bp i9Ue"L,nw5 pI7N G5#07!);Rj'/r!k2F{ra%1l$⛫eϙkMX}VXCk@o@4OSxiiܻo1> g OЛD44फF=I X2^Kh<$Y+m>--xPuuupMB nFj|M 3C㋳t**M$8ahFhRGU:t\VޗP\ASnN!"Xi/aqlUjVQgĥXYDlkmvNuޑmFp[҅$ W_CiqµuO}"9sJ P^qG a+wE{م (hjs1?uJq c핺ζg&'&I5AE4bܯMKz\e֣#b凟7֙-f9aDͨ4U0 pы\[K.Pj9o`ڤ0*6-B?>r,ؠM}׫e]eaN#j(|#ey ^ftOt@ B=tﺑv \hl?~ FV!Ľ+ k?g#?F㽠/R߃NoSqmpЏKP:|\pҝ\B@*g& <!kozkw}XSr;V|@>JX~akZi!f >S[„4>\,P-X{l,M/~.7:sG"0QԭNtv). g^]q(hADpk!YiaXV1t)Mkq Yz }n*_kPIgX'ej&ωcᔒ ޯc1e &^M6@u=Zt4\Lpe8 _Sy'Vp*џjpX. 8aPV;3|=mF /|faԂu#hIrR/RROבӟ#m9|ɈZ$R[4zCGI+ QْK!IFmilfQMR}_@0˅uCęzT1~SNRR~:JjոXRÁJֈnrؼ1aգU&qyӖY CVI= Ǻ&-ܚW /(2 hjc'! CVBk4紋E{; :^fwSg#v'}%ꍩ+)NNv@_Du.S$Q1J'64S])MDKQɐPDL [#;TjPO5Mִ)5]v%,Rw2N\:}m6HANaA6Aw=bOv>Ɖ_Ҕd((,"ʹlӤJ0oOZAXXe+ EmSpJ;m^h%rN Zxibw +f0"t ~6e"[\ Q::l6qOՐ\ a ' Ew+$pF)yB^ j;nGQ_BN3WIUYLc s: ق\#t}J,iD~]^(] k,qe}hOhRɹ8ՎBբ9Kr8ʹǛ T?`f9!&`MDԵ*B83sϘMI'^soL40b=(7؅8ແ^ЭJۑ]ӸN/}I` CdB9bx>#Yҳi͑lr[JrUY6ݿV9WP^o֯ ڕ}y׸TcY<\JNE{[2hRϱ#5df*(U q+>5;2NI)W &u 1C\=ܳ@.nJĖڨnuOwt{R-^kQM .s'VhwJ/f Wbÿ랯6+\*+>LɕHknĂzY1*)6q `U^@ܒ(Qp/DFHQ J~]-hЁ,ʠXX0 Lca,pHd%Sj%W 옩~-U` V#}xGQם'_c=nP/!dI [|oL7$eY,;=ac۹YTv+ ~3Ga>pAYfX? i.V:[Ղ_~C,:VGmi+T*fJWn#]c[,s-[T^l8(_Y6l`)I@~+$r>AyQ)r4LC< K{Lpe9S?(AtL ?|mS?JyhݽA܅?1S9~ o%S/_ʊAaN%H_g+Z( LXz _ˬdҝW iqVrXƩ)ue"n*9`̨D}6y MLcU6A0 S.*;]I7K*v5{IJA\ϱLE0pP_I:N9}6h޵%ĢcFz[h7?w*ϋM D+@N㜸!/i/Ab^l9ۄ$}&s-r0Y n݌0{4vOm}Jr2W.-ڇr\3L]VьEZ~teN+C._Y9ԙ}͑M }H SF67c|R@QJq]dYE-Cf:wl]d: Nk";M' %G2tSÍGG(Ae9/v3Z0 R%l5'0\")^MB },!E|]e$*4uL:YvK{l!kKQVz}p ԘӵF3[@WE1j)N}V_k8?|[Pr\#Wo=Jo7uCɈ /7EJ9 R&(g$P%of[-~/6E$2iWQ1`{(Y:9[PԅP|2([ >]`ަ) woME! qwbSo#L`gsXVa]\ FvG^TpP@7{&oMpJ~E0)~^>XŁ ֎ٳ%7GJ#2vǐٲ, ܡ/Wl%:} xRx&@g2Į .tE](C/KlQq!5]m[%xfFܜI).vrk艵kJI4'KC›Xp e/]r{~9ژ͕6) ,,6˚/SXK}tDh}1(9I.H3d$Mw Ɣ6f7SP] (X7;%D% @ǔMQXS0R+{_0k[;?[7-^pU Z ^>?ҵ&tmwՉ̶vRfl+Rؤgx;z'\æ:hUR16Α RKoJ^ht]cyKyp=$fCee,v]>?^WTƕ;,Bz3Q'e\Vi.Ue8)f/T[O$@LY`y`&1J_/Dub7$;:S>V@NSPe^wz:Sgڌؗ/(tF&3"?Rq,i9FE`J}piBEfwP Gυ1pFDkB3U)f84+CSx%ySeIҔȝgMwtĥB}*Ǭ46FHAE,º%vP_ps6?kX,erտ>h+\2-)T;]WO1⑼p" oqFeI7۽MsMUj{ƨkmxT>Gv_Z!S>ux*EMj Wɨ`A僚f٢xL{|mCTR:iI%ÿ@d !5 F֎S(чaZ6-1wfV Y7'2Ʀa{QɄ9@sK9"BR*r&`n~HWCQn_nc}ozzEI(X;k_+6 0:{\nU!xatJ&#A/|G,Ba+5K`,;Em }P;7@v"HY%yJ=ks͏^WP Pfꌜ9=,iNH1jh?Ƴ1d՘jW6!WD׊&j0A!EłPx^7b;,b%?j@-vY kjOUe-R9g*t RQKS&wjy.tqXnXoԨK}qG, i Fair #H# 's`^̵d /WT)(ʈ}d֪@ok1? rBWWv̼?vCGXW׺>p Y .7QJ4ڪ J=W mr w*;Tփ?{O @; K ̒_A6 H7?k$JVATu~fQJ[AB> q*qlZr5 p>'!48 ֹl$i+oRXusgYqى+"ᾆ-/&vL KA^^ˉs}-|1!Edy_OJ+*sLON/s:dK",O}Gn!7ލG)Q)Os]NV8⟅ @)] &!N5wtV&MqMqK~X;p=ay-훎略X[G_{z_Rah {؊,yɄk,CzKB`Ucu}Fh xbL;q [z |#L$OLv/5Śs{Ύsy-\FqCWo1@_o;Lչ#Z .IDsg +uҢp/]Bf`ɾewq$<䔦DaJWMcJ%2bg+a,b~7eD}ټ -Zf /3U7ُ[ ҭ}@: DWkN a(ny$-ן|yQHl$2b/q:/2AJ9XDQ;¶ps<㮋:RK9oA/,k6/k;ڲUܼyO0(y a=^ʁ''Od,9IS3'"晆wBVb!+Tcj@<ן籾d_Nol(S*,z6YH~NmjW( U.YQ*w]j.L' N44 P}]AxvL=2Ds2j.la$㡩f/%3茷@mZajL=ҦAʟ72B hw(w(@ȶwT;j{&6TL@D$mұBz!Y%nQh)O~Q>E7|ⵡUDE]-4^i>$rIg73dVU\-drv'wa_ӵ3NgϺu4J*=i*œ|@73we)_GH(zC7C۽)TdnE[0HyU hIKT݈2*Vm a}{:YNC&8wшh5-QߐMGԆQ(1nGtzjqǸgL"co帹ː08 %k X  |vKƹR7+B|toFt LYN.Ҳ^hɛ )SEg9B 4:.uh!iiU &iy0 *7RIyzI]݄>PSs޼ ;ReجL@%'3Ӿz]KpbT ݺ?vfZQy&A :/%txaۧ!kb w=8 d~ @؁~ϕOP&t5R ~V<>Nlo4C?+p0Y/:hN 0 IiWfD#.'9c(XqsK6cMX剁w8-@m ^=R8oE ]>הʖ3u3ku7txATϝmzdi?|6E}V@DjFwOĤPf` 5kbCPQhp[ʎÂǥ"w\Cb:"lPlAx)i<:ۇ'k8nmZPn1_Ű_01СBc@&sHMh"&3:;l#\=NQ{ AW;m03ydϤҙoÚ{#[#_4"SQf EgƊ/b-aݚߣF]ł: ܘיVE%]@=`Ϧletj^/hƔօRmӧ0I~݀ͪOǛְ-0ݠh)3*MtB@Fh^>:@I l:Y0 )DM!&O05 Y}_g^3n +䴤A羱NS_rJ8zj+J6dI`1z7nT|Lf7u`ilʗ+Y'|&|`pоTV ҁNXҵ?=∫0֓{9ωwldm /b`|H4`{ÇGYP0ud!!0[ԐHnh5@QptgלمAinMvRDi|8EEAqi%{6Ҙ׃GJX5ᛨѬdtϚ{H+Td)ݹZو܍es ?)E9"c#K= {ڜ"y`4_q C )„Kv,I'[{pNz:Z<3Gv&S_6ۯ.z!BJzmr[~dG`/I=ƇBӵIr &Av$ע"ESqɅ?P0@YO|Q;P/9ռ  ~rƿ`/7I Ƹ$Qhfoө˄6q,D١xA HmhUMԐ%͙!X׷r9S} 윂0.oɞdZǯY8iչ\V3,ci$$ʼj^7^אcGnɄ{Uq>nw3R`?;Z{)QzQd䇸#5G E]8%yAiȜh=tC+9US"̗JHѽiko4?lLWo;e&7t;?Xר2뷝%@<ȔMQ_A @BWh k/?c5sF!&ng:M !ΰ>( m7R{:(*_tbfWETdR79etW5?v;}ߓYRG|㔆˜MyYт{chݔ vAFGA'꼌SObeך>wlIbSLSBU,B?c!i3[|{Y8DS{+ew*+=wkLb0.Yfòw8̕;V=u7 gB?p] }$fU1DR &#>xUnYXP(O.5BX5~4/ +3VUX:6Ն(,.a '􇝙;,9+'=^ո_j*q /fRXT獝 h "L)% m(Gkt-=Qk w vṪ~}J/e{pן2t6'q'm;Χ(6N*:ilR›s%j)w#tQ[Q$֔z]Ok8<>!H؍t'_E,! VZ7 -s_!rE{)=T};o>/B Qg`A})K;(*(v,&<*U)aEߪ7p/%ݡ?+h˓2O|ã M<]r-UqSMCWDNd2ួG/Il3nOfI-0Ks;BHQF&L *1̏v !%XlLpF$Z=#6+YISbu -n4fJ_Q$^bO D;P2y\n>-b|KkfٜeaC d]@SϨ&oyZs&9S߱R`|&C(b !9k,WI<q$u=Xͧt {< \{L?zK҆c>!L2o/芮Җ(w!d.(vov=&xTڐNu)lNUօ6P~`8PReڅwwO /PW,kg }*T^sx{O[?ki s~nۋa/`b?n&ٱ.V ʆ%E{֣{"˴.[ L+m#pa8%du`y?d# &F(A9ba1g]]w[XI/_XE.A?ZNcē;Zfܞ#'YXQi4!J%z$w5& Z4x#. E} ёcn iDHAǠ=cyڦ{O/1|8gǗRkZ0I媷?u#oK ҐjKh; XաgMpۘ.V׏|"sdO$7 (Y7ޭ%7b+RJ+qҲJ"ǦV2^PUM"~wMo#᫈X͓BLf.CIBWRFy9pTȽOhog<͢bQ b ϞzQNuw&B2l-tJaV/L Ak:BMxu00>/2\z,-kƃ J"ـ\"pQ2aѢ/;Up}U|0yw K"oΓڐzEtlnTh \;}UpO;C$Sjh(< qk#G>W*i‚,3ÒLLQU[MOsƒ}́?`2 npyYƥARg&8Qoy9Ȫq")7!skk.e59ut+6+ZGltNZ"ȗOܖl;~=|]V[ QwU Y"#>H'']#1g>Qv$p.Z-P͜G %U6x' RGǁHw0<70!:dg2R CZz0nځbઁl9)m|%2#͇q HFQ`Lnud2k4RN s} R*1[B.]m:jBnj ȴ ,z >㰅6cA\cwpΛrWblmB x `K oҬ`g 9vscazEx,mc}䭏@|V2U RYSvCJ+zn䂐,1`Y ִ pkRG,(xGdV*,sǖrtT5}]<5w?(NUTlCݱDИ<1s@nՔcY!(&J KnH7~{(#lh kYO0B[2y^BVI Zg Od?8|Yi#!:Po_ڡY.oɵh?TpGbżɯڰ^ S,ƹ}:KX;I1+. P 3udGSLdGAHF~*60uj6ڪ(,=kƍxRǓYqjAFM=1}Ǔ$w 7 0csyJU(4(Mu:=|-g*n5L֑(!1U@JVݙbLtn5] r aE+.qֲnub9p mNeo٣rfY4Ea R] iYB`TbPYFĠs|M O8f2ǖ 3rLmYk\$gwMb=NL<0EBC,.e5.p/hmNɊ1֫,(`\/-I;KЪttl52;n7o)>00"T^!xUAT={) i~Y=QvB-fYj=e._Ts ^kBK+^ %g& ݐׁxϭ$ >j{w?$LvE Ӣ%AMOX̗S '6?"7J8_7+f^˸鸝uKy;_ȝϣY3 :1+T8ʀXDTo4$t#EeU.ziŨY/dږmGaP1֗ޏ9{X$>K=MurnG@ v!#z^0m'ٺ:>dTJ^-r±)H(ÈC jI{&dtdcqXz`.C֋nM'Y5fާq{ʭ:<„@%z2 ;V51GXm+FW#`g!ѭ4`m~n_<(s"dz*UتkW-̿~ CJq݇S(5q|4 ;a?GLXqrh?}Gj5S&2ltx JLJl->ϻ$$!-h̏&&f˗5;0NLŇcbinl3@vy,T zq;]oӞSa"Gӆ {Bj29s3D[1{te]CU~èҔw/zpD+[k9eb*=?׷eh. ob e}O"Ge:!ϐzco˟FWVu|3VOiF"GL E)ɓBUzVneBgg]Amq[VX@kp!>\ZdIvҐaE0"ֵ=z#-Cfu.Wʗ+34g@xɟBa(2׶N B"-]P0}XTJ͍\WSvkFhӣ+}[E=2(UdgwՒ֮4͠IMYL?HUN64 fI"*cLP9S4 $L]r1A^gS!bΞ#ߪL]cC+9PG=)JZyA$/j8Uulw,vU c\2=5F nv%Me*֍:y8#ߐSG h7*T<36hBŎ*~ B5v 8W@~^0n 9E gӰDh$/^s;2{A'ayD8a,ǷMxJzx6Cbb0 IPV -W e*!Uy k9mpزi*t6VW6yUZUm K%ޏjnJʞckf9(5ё?_v@2F݃&igFyXgͩkv$_2t [ѩ^k7G@\E{ nlp1Ztofй(ǀ6!3vyGV]9f C۞'DG+4d$c;>h#j(_b18g'%alF]:tr_6x=9lFQ ׿B4:9f(2m8S 4QP( ڌ'ViƸ/X:(‹(bM4g,,ou;VU%Kuzje=>b<x@t$iߣe'`.2ԡ氞U`u^LyъA=!'Ad)vnw,"i&\d(?A6[Y޻Ma]ނ (T=2z?x/R4"\dx@-n/?dv/.C{A1\QHJ+yXLĜ$&^$xYĴ {>+73E@"ք 1~_P,WU44i c+Z:Oc V7ukp*@I2dA:I{YA@VcPO˜rdkh_VҤR#9aiKyM>UKˠ^ApJkéZr)z,t]5+%؝#"w5) _CB9oۥzꊦ3H俢Yj: -GD6)ۑT?|̾Xl,FK$ augݦ:SKLQ)9lQ?p`ElN1JPE=f!˷>OItW~VBNml2aɀЖ^k-rEÂJȀ46O 90eՏon Yu|VxHu}, =q MJ8PLaȎmba6%-1&% %^׬ۯ8׈,""tñ8x^UA%Sr}m@I }xS 1J,i]xSYX3w`vaͻ.'\bR9%fh#w³Lh }[^ZM ҃'/oO"dVc161EoH /)idTi*Lܔ|[_5\B$BkF & hv92ާr3r?EȆJiKjsG.&:]7%C2NXp "fI=)Ky8fB9oWޤ7^L7m[ɼ9p(0A$:}ߵ!@;M8 S*7߆!L5JҐ.8xȯʙ׿x%qig`7ޘO2Bs~c==ց8~m.bܷ:sŀ}Z.!KYeSM\-F 7CD!F/;8M7e>}ut'. 3LP,9wnHQ,Y_1ғ=&oEM Y3tFomHb;d_՟x0'tzTBdgtSՕ7]2Z_@ja^EzWZ7(M`ෙm}-Ź; )T _,R7;y5OⰚo59`Urzkԓ.t=ghwdi7v>L$viGB)okP;+膏&tOZ/;a(&v6M$]?;#t*XmWs$;6P8Ql˸9(xDQ Nwa|+4VqMȨ3+40 3*^_ɝMD`BĸE7'&*Xz(J'Fǀ".yk&TS 0J>jY?1b0K 9|!hL/ hXf3!&{X F4~tHEbKǚ=:Ae?`m= 4pnA%N_COK|-WvT@WC cS FgO!Bho8.2KMWK/߻# sk?|].1{a@|+J'[sx}fJ. 4M8SB|`Bx8d`,=n)p89̪c.59k%{#Բq%G]_< r1tp{tl`U l:wwi5 l$ƹh C^$f1lV=t]]F$O>DME0Q_KDrm&ip6 /*p3<; OXoLpw$c.]:oYy'ttl8z,Η S?s_~/^W%5-r#骮N(ەH܉땜M@`;;6y!NNrQweGL\jISӐt/41]A+jdgo~k1_ׇ$|pg256Nl6[4Jvv`׹L߭(Z;jp%QSU<ۋbçq D?]TC & x,*0DKOLIE5̶A: $r$BVkK&w1gg޵V|MV l. ^@<%nF14ӾfP&1XjۜzxVcNnחPP1l 2$yn)-;BN?!%,%6(O*@Ǧ-|X]q #f0[VP…ӷ!%cwՠ! ڽB }Ͱt߮* }Bg/3P)7<4J"mOC!6l*@r4z]23[WO7BWWR$ ̔hki*pɋ{%pUcFMXg|<#0S^ "(쌣J#%PA6ŧ>ܩWeOj+Oj 1~ntΥ\nYZ|u_=kq9..M84BVf&6@}>Ub9 ߤaюhqTˈc2̩x)W] h$qEɰ-,?oY^~+6AC'ؤB)ɏ QW镌r92"Tƀvn]p1Jog$>J)>${ykR(N:-˲_{׮1ݧlfuf<DSֿ?=&U6aW}1 2KX^!([+B:T(tzᮓ"G%0Ɵ&\0Ɛ0F;d>T`N98G ycvF8ZfMJ"}wv9oCy!h+`dYzb&cS6MQf0*x՛M" eZ\3sn^8ɔǡEnA hV0M2\1V5H餬rrUyKՃyiB#dHr66f|aiUd U9WQCAN _ÔH8ltD6 ULmF}$swWVeKd3 n ^m/xc1?ȽTTZ%3LXeᠣaܐ1ȋU\<94r:mJ٤B, =̄{4NVlpU xX'\2]?':rpXlF5<;zdmj.sn1J=1QARF9@A gQuzDU>n,HOxJgE:hLJ( ҉(EӘP;9N#h]͋ߝ衐tCFBNLՂ 5@t = D÷?- W pF01@r$E"N?jLJ( gWԺ`ZKʿ>Cwp8LJYiu޹ā;Q!s< J@P6 KGVVIpƅZN 9B@6Ør'ɽ TnXEQ/9o֟-P$q򢗐)kOPA}cQSo7Sq癿-LaW&AEVEF9}?A614tɦɢ!w2f Ek}A=)DdƑAv rgwc&gXIT#H=*ڢNS"Ȃz "8R&9!3V?y|X%`OwG?Aի^|w]1|Bv#:tkP )FL(`̅髁{\ZWfϽ=.Ҿ}K&[оlKrI5A=d2&[AQ:E|W_j)<'zkw@g*"vs1(SPdͻ5Nzpyf|/ixę&5Ė?n@O'ش;8^ϳSR )իG"sz}:_6vk ? 4HJ 8O2~@vDU#ݣd^y_eוdXY: /tB澛 :(:r#;}{\YrL_UgMgey.lCle!sg؎&: wl-aDƭFTAE~qb"'DiqF=aoBFF`3VF.ݔTyxjܰ.B ڛu3i.*^:ؠMtVRK-~TX3 m4o+2Z)6=;vne(2yttGUƇk^矿8It"ć֣39nsV`!fE0%õ |R,$7QV{eG'c /k{5ɱʳw!ORc3,3M!&~SvH&S;aªN(sD.㛚kv"V1N T776Ϛ(Ƕ#Wq/b l?_U&zd絅QN6pH0uEq#0Άg :X 3,qSaFaWz*n]< ~ f4V/-J%/g1WC%w7jQ/,_sDi8c"ބV JEK *vȐ~)wz 6_WP%uB{G( f#sa'^T\pJ̵9.F<&6˴9di,H2( X|DK*!m aIm6 NHS7B] fj@]w\vc T$>8DnP+y;\@uj%y*ataf`О7C\$>PZwLx{ݛ֨7?y.q儫x"+G'~llIyArIK0c=XAr^|mdzY@F^](hQs㊺WuOFw'rDn!]wj֤N|Dl~:zJ}ϡE|8ISm7+G5'qڪSMs+|~6hR)șZw˶O[:m)4P '2{Ɏb4h:fN-3P|</4d4N 4H4q#j s&%omn#aՏ 3 yFc(ڦ9tKD="8"EMC:p YMdF$л\ŌF%5ϫYU;>57V Yf#tѽ9?tU\C Pd+3ى͘pKuמ˘ hzh%I}tloF,iCa^4&UbvVQb2vyFyV(a\A#5AN p!WR7 !]nG c4Md*]fizf4+ы!\N^ޝ*8 y =jYK ⻍k'<=sz`?ф<,Pp亁,תPZ4O_hUoLH`(E3gX si(p zf6xOL=+PLҡPtwZ2@\Ycدdx\yv>~(<n[<3N!Lb2LW/XOL.n`k50UnNY\/LUZD@keIΦ+P9]0^"&,&+JbOr~Lz SR2dMKEپDDк(}xB@֐S'Ukd_/aEztّCҠhZp&R 4J~igUL`a_5kc0s!$duy$cw)?]Σ ;2Ŀ@6/GDA{?XeW8lOn|O~O݉\Dԋ)WcakJa)qJAԱ^}ɰ(Wʢ8_/X6>G}7R'.FMac=PI6t՚-bh64O^ZAȖ_ӑڷz"8؁sJSI3o+cԘLК-ZËB: ThFjV0.+A0IRMw@V523Ձ1I&+@YK~Rp"M<5m\iTWE(ABv1[iSjx"IcN>ԨT? ÎAdHMX9 ߼u%g _Q1ٟ<EPB+[\\U5"_k^pR=[mk|>'Ry ) l}qӌP~^nm5QO<)[AX[N5ޖ?HOj=-DnlB4$/9Y^rL'nee#AfIfEHLNB+ڳ\iQ2-X rBSْGpsΆMĨI6#@t*QxӉ'smp(*ˮ[%Nipi^e\zl%'r[OBGuVK<0"$c]QW>oO$yw]mzv T*`R YHi>?Vt0"aRgB#FkV?6/)8z7jnߟ^o@ f^V;I҃ o\ _3iڤ|f3@+;ww3R̨\SV t6'@DU^2mG\H2t RFI;>/qޙI8RA'Qj-@=ZXH9Za CZcu p6KLw_jE sbm[B 6ٜ:D,z,"+3J3ÉSOrx)]n/S]Wo$K0$pYG$ĸ[CBpTh_ qp4<(0{Ai1ĝ]@ MsS2 k:yvV I)yT pKly*ҾDQ/"_='k%MNYGwSx-I܇BZn6{ڮ}V^@`d)K^O˾ =TNCSז5:1KRTQjܢ#^[ ~g2~뭴sY-Ti"7::ǁ.˖KU VU67f$LQoz$yDjzb]Vt?{Ƶ PmK"3;9=~xz:wHpÝ:M(-끔@eY#-4J(׿nW =مJ+>dJ|;.1RJxX)XSڪr0 ΍#&S|Ws:E&4?D''.3QX0 Le2~Lr9ۓkJ^unR[D&g.jU3'R]qxY9C#}*Men/Ūwޡ1'ür.)حqo{{u# EHگW<0^e?p800 ݟʅ {fBn˲;>!+0p"&Š9boqJqY,NwNl$Fzc:D\ά௶ú7"Ѥ]+; B佂?0H[2º jݒbEZαD&nU^4`Um+q?p_nseF!bEju4h\x_Qb*eIԤ>1Ԧإzށ_Pu^]FmӦi1z(,ki⥫#}rt]P0f [BAg78F/ފA9mU IZ2մ>~,y*mZjVus%Uf1_j(1+2?'{# Wj]>{w.m;cr+Q#܂c#p<#M#A,yBesz1KWKho602=Y85tEؐX,/;9Zdm=欒s+ۚYp{$+q2*& ms^NiDL_!pܭ 7[]=r)|D 9'(IGZ.=BQ2Q;#;N"J=@$Z> S..+Bt19& *-t p]uH84X@%-˞uDֹ-]b*#68 (8}kJ-#k)GHTMF 7ٌ.wVoV^)b1,;˚D?%Ak@9ŗhM򌟓evk , kƷBPuj !k}3y-I_d1 uwlm`s;뻂"<]Y{c0uGMnJ&w-_'Ydjn[t sC6Tg2r; 4^}3h /:n^f77Xp0>FPº[i{NK\ul?m|k 'tvȧ VVCgK iq}hip̀[m(_xY;uX a85[r(|?̇34Lޏ"%ޭz*vY6T*@ҶW{QeQ)]@1vDeTW/4[a{R̰n{)p#"e!ʯZg6_͐[qdt96k:_@*/ 00-963ĺq4gn _|3;UxT ]lTHjbZG;ɟ =.NN_U,.זƼP}s-Q6\mʃ׎i G- V0g)(*k7/Kk޵,OS2]l%ha }|; DʿOd|\٬EN%_`8.zͲX9@|ၵ!=ze!dK ppӎ|0, [-.EC -5%x BPT[;΀TeLjNHvDrQXSrDr=py.Y03;nUXYF糘&\4`A;<W-ymX=ZMAO%Þ-AhP,Â< !f&E]vP"d8u۾üş`7MVe}SRƒs86NVOnj!; ̢լI|0Ҽ@4b vU(]lvP˿e<5}G-:^ai!<cZǽxKpl2]c9S,KOlLGPݗZ6=,S;עڸ궮; D0T U4a Ȅ*r1s[w8Tmd/&s = y^f' db02dxφP(Y4PK)*w‡fq"9PÂ_4>z4ZTQd؆raRq7 "x\^lqIx&!'3,8⫝̸MH|8i$ W\ '8Ap{jɤ\LZٛx#W ]1اj*1{% ':s^_1=#Aaǀh@,e0U2zZ2cq+#0|F>ӆ Xn3+r\"H >V7w^4^Ϩy 2q, Czi:)ƏF mG`s!*6Td^pq8޴e:m"D ĠMѳ&&,M`Q϶?9G<$?SE[+2jJKG~@\4d Q6$٭У{GtxdR0[+K ug+ou$!|90K멤~/bY:W(N$/maja)3Inו 37\~.ee 8 =׳UfE4"%bۯ/?V ڎVD<8~ߊg99NY#e`n :%U#T ɔй`nHMb/u_ )zsj2b}0̣g/]LIJ4}3: &% %"tnF,bfM@F 0EzRh"51L=7 55IO<]r6S28Tŭ u,K|1s#4#`'޶8`0H*k 7&dmQxt:C"AGH1/Ve_ZCW2l(k.ݶ⺨b+:ڌBQn<;L6ѧ6yܣˬ+ mv 05kS.0εI{eA 0#MWxu_te; ty[H [JbI$8ħ4p!AǤT'c4`Z4QX36ΨUQ SYK] SlgaJJLz%itX l5)L8gDs#FJT:pkj dkdT?5r6xTD3EC~OpA0Y}Ky* Xc_<[)3%bcSU]Rrxݹ{RWuu[˖hyp?|1<\^YX'6g:{A&0D \J?bF{J?Y3#Ӏ++mta{New=X&x_(PKSӲ7k+WW;->.0ފWi/LԍZć-K1G-32]*\8w]\3ypO1F 5bW[Qw;S]ԛ #JtZUNW [%󮓤S,~_Z}3.vbs%.B۩#g5ș7;K.^g+!&%E6gM]D(e1ːKd\a|ޗ!UGB++ W~Nd.t= ݝx@Β2 mT=e~K>Mm ˗uOĖyeJeP ,zRV"KQ غG3^fuIPSn jSWkɀڈS@%a~y,>*R, 9ť2&>z5Le^an{HbG.>^U"3/enT|ab-LXpL]<Ȫ\*𠒋;'M]nN=<ᖒf>s4A d'̉=>}x!!e1Q\hD^CÏ]F4[AQ#?^rIK܉: z`z ξхКicK6||N:^ZXWtZH8z-e~A%>=fxm [P@M8FlOթ ݆i0$&"à^z(%w®%K(PW_bЌ-gsMxZ _,J#[#H@h5R DiduymްO ِQ~U3WRYn| iBW i`<'S#&mLaO`9J1<O.%>rqq#D$hMG??!Ϳ[L @"~}`1sٿN+ D;]ijceub0P(?o .r7ћ sHXg5^J]z;|`u8&KצEGwp'JuDz<;^fe $, M "wWʞ2Nit9B{s[I;yJd5".W$O{T;sr%lyZ ǾBO74,!/`FnRp|MwJ7D.\$9k0' Gw1U|) 19kMAױ/Eѷ݃4^fg79M.RǙ{uIڂfaR4˂J݇*MÕO,jH EZȐ%7z ¿Aq dAׁ0A,{LP-ugS#X:17)!:qh'SƚPPLT \|UIhT_ߏW}NQ0K}gW"B?冐s ;+6-"CΪ Rr(FDq#\8y| `T'`aZ q _*LPYsa!sY?~*˝c8sO6cý)b2aJRT.{tL$kV BI[$Nz8 |xS7>T[XtR66Oc>D ̆#嫁{G{my^SEc gUgK-e:;Kz(c:Wì00fȩ^w5᯿/ NCj#VgjE68T~lFA)ʃRݭ#ȣp 1)eBPr_JEw=#~t_@ %{*N#jZҚ3uA sJSApuqIR[lj{^g)ϵ|\i;ܤT'sP_g2S%+r}$Lͤc mzE*8D΀; BćAQ;a$ |A_ zR&8AGd?cĕݦ Yi2g]$g)Uйك̱!]?u>O8Ҫ>{'FWUj=J.:˿zo1C;C36F637@3Fax^hObL wtsBkjy@[+3]0) / J[ 3 duC5G05/P'C>3r=B\vYL-5Aܬ4$xT4VZvD V-~#?؋Ԁa".,75;x]KM_Sn/#yhQtSҪX@zAqAXalr@*>ڢpJ OHhLBʻ5 ~l8mO;Wh_vR"_7<鎽*,fb@C"j'BXŌm~CA8zqb"L? n씠Awx5F.=E4vK7xw;%8VoPDj0o?6H$\O <j>}i|`)0BLغ+P{3-[ +ApaěI?YHyaMo&ݑ"+B^.$ZbΧ͖>\h{8񸼺c(G{ôF|^~EdȜo2舑vH$o"hV҄6oYkg@z&y&'#E`lD\"Mm ,Tij5tpJj /T땥p`~1u՗c/ _ͧ4Z[H$qa< K͘-Ftg lݭOfrޙ舛RY=G߉O2)Η;4 G <jeLlMp !ڔͻ2yZo~K𖵏9`Vh׳Md"^ TZO)2Hl$YIwRAww2w-Z)kPt3$<.|i8; MNUWOiL L!j31&tLٜy~%]: ]=xbf3$@HIi:okrGpge;&AQ#$ TPiv`X[S&]:pT/%|jdNA.ŗ>5ny$&?_.l$EW [͙'$,̆lKc=o!,ɁS!k]h;J!?V,篐xNZD 5=M }= mg[* 9}Tjn5ʤYr!iuW{ìK,g8 q l~m4tIv)W#S=M?H` ])жm1HUr:y8/08  (Kjc,?|k؂fKoN.B*nHd `+\!mFt65Оp}0#rPwLO7)tDTej:my={Q,j,'aw"laS^n'D)DܭD3K:hSrJL|yS11PiԹks߉_͊ /_vX4c숑u=Wb?ޠ}I!('>>̈́["e^`9ZZ'%6wu@]6ܝP? BP]Q%G mwmi`2{b4gmYQ E& N|ߖ CTȳG&J}~VM>iM]7opKo+7qæq܇x/xTr'{[|B/%%ٲ<0-\\r J\rUVa&gC<$fKiB2VKL 9s':S&jY6uFTFHK'Q&Q,—T<ڥ?e\%g !d.1b&D?4]p݈BLPdïMplU]>Lȥ28?%jًw :rD+5 mhi䘹fgOwt }9K) >^ P R8y2~V=wljmqxt ÷SEhan^ sw %㊄.%5)gSZpvb~<B Bnۍ?Td5?Nn C> (G9Jdz=B lI(AV\wRq$xû7W~}q~%Aӵ4P:3ef[P2^ 2"đݫ8#d1HbH~Hfbi(ǑEpgt@MsB0x+2RYo鱃m=aMީ%3 !Q1x%M؞d<+==o^s-BT(Z(:?=(ktQE3Awu[By1'w8⛝< 9{e@Eo<39RpxX Nw5M'M;1Lm##eMRāXG.vbM޿cٚ1؍21lpzR!aGqE(+?.1kv`;bPCϊ~K ljg GWkxucPr:-.CyɻxVQz JI^zal16TBe}Q5sK"! ]9v"E[. 5▮( 5|N-yI9/>{a1dͰ~b5! U\pHdEy&C(~4g?)%njSdOCb=pVkn/4lqJGVV΅$~+&v0j k̎]䩙Z QS]7wKwa_sJO|ϡ .j`Q.-Gy~;dWZG(e:M|mc7M %0& 4LT;,*ˎVZ))MZ#rIפHBWc6=] !gKRy6try!'fW˵UJha;2DYQH2JezJ#:g*3=ǡ,j3)]E7;6B:ݿЈ;?ޚhq8mDPK6FK`FiM VVb27LĜ s!S d'[niuȑ-^97u&]M=RP$_y! O끱c [ϟ) 5 $F|eףTC Vݴ#/npP4d$}ΕT,|]a$8 iJ fp M biƂM;UuBpf}bLcf#Svܻ-wY ĺe1ӂePw:Cn|*"KO&vvq>rOI( iQ8!qN VoI4km^I_,62E0 hyY0)RL .d=cPׁ3C.Xij?yqrH 7H:ݺ,ԒÐd*Wy0{_uS\/HH&.ƬPX.k@`2G!:Py"WCG^/Ow#x쥛/\1q';Ǹ)-H2y)#k?; ze$nduۂe2ZP!/uFǛk! oCt;\rZ9 us uKm/3ØU{a !/۹»xP/tb2 wk cS I0([ϖpGŞ.}As;a9+JEStwLq,:#vv`whi9ePܵCEO >YbmA[0h)xmHQB^4Z)jB|7StSN.0x, +\{.O$gnVKˣ%"?ۧR'@07O*CX219/hZ_9 ``"~sDA5hbmbl@ږLnVPaSWORUJ|5W,.][ټѴwB )^)pST>f} aqL)vlgbfZ1kM-BwF|t$ ","D@8no{2dZ6)V45 O RK>*uV&%7ЃףaM1g( bsK &B`D!-%fa7&!x# V{v!No'E^zDaR&] 'T^bt b[~H&hPH%Nz[au .oh0SgK7AՃV#hFo Ly&L9wQ$f`ΒݱףE֥P$$_ǥo+"Ԏ1:7(Źe7 2r(z2J oAe\5 U^iƆQ^f_T)^L`x7SF\cZuvRq37%&= [kl/ YK͉4_M]Mτ8dllMZ.dAXQ ,4e RPe_ 3c4͚&kd֑k LJқs))vҿab8J /5E/D/M xJN-+x-H\-7rc 1pb DoS [Q%WY8[}b tH?I_sHͅ8fL0 /, !_VSP.%m N?E%:˭f3P!߼n3~a&_b^7fn&9BD r{ yeD 4[.Rh1PHWC,H"9^ݬ'p׆@L2cuECcOKp@)a҃SO[$A7 <ֹ*(_jiXsb"V̚a\3MaVА0?=b&tG4Ue{̄77Q(`:ԧ\@KKcat:~\_,; ;oZMhS^5pf#0L mEs"LElzdx8ޗ2)kcn"]S9|/~%K%P!wJ 1:MATVoث3 L2/ahwꔳhnjz:L5>"VP4#2RW(xOT2Bmo@X= =ƂqP =b<6s6&PD}L- k!N%DJWzFyqJ}&ՋOJ9f,+^_dXX)'jx$Sxdiウ*Og Y3q9 B>? };z`np-j++8ݬiyIz1'K ~R5C8QDFq*C=. ^2anMd_MH*\R+ehceXCer&Dh:aѐ;S]BO50R,'-rV@aX)!j6yҶp0 ZR?ЁkcDGW)Zң5yT/`7P`#EZ=K! bgv]e>S @ Ɲ"VwQ`E'h&ỎoY5zQ h<囂 ~9YC3RDdS:%%y1HֈZ)ݟnڟVEh\{ ^%/kV,nGbπt-UYSz'2#*21AcxH]"G/]!PܝC:u?=[ ]M$Bt.vd)F #R\?tu{ddIꭏ矨OX- 5ReY-c`YY u}g!1qpsa΁ɻ҇"pk<2<c?mnĪ-ΧS8+o-Mmaj0Fbl ϘdL1OiJ-p0*J?a5 /Q&*~MIՍ8G JVfn t|BUn @hW=S=y2))\j=!nNL\d =WIK?3rƟ:ɩJ`?{k|'+Z%AR;>:N^0ߓK&~rr<9V`U3|/CHfì\,ֹѧWMTr|=I ="[V ӏKYChx/)K4E|LrI  O%i6]@ϹfԳ8B}Ot qT4߇[Yo|Y)%k K4dh4pk-4nU,r8Ƀ\)jx ?n7Ub M)K1c6,lJ^zη2K q!g.7k*ٛdqj%xUuw$*:TS[rlˤBQkn>o8#eUDmG^%+;}U΍{ R㣼%%ؙ0/|%eѝ$)!e+ę'#C]z3ΤnB εL^:H_I-"0PŐ[c8t5)kēд\KmgVe.OWJ tgNc knMr;HH֚YZcg\unD◊ S `u(m7!Pi4YWM3pm(}(þKFktCmI Z-" [ktJsT*R~΁[Ic@F X4B!-$JXͩ'CI6{}@Y8݅1q0uQzN)G MiS3~ ɿX7ֶMJBsT~}u OqD\ dP64}$!>5¸2E(lݩ>:D^7˴.'c}#mw"W0& j\tf>F#kO3nH s#̹D#9wA2ЊJCrS>\:jblDz 'Ѐ6c ~QnR K'*??$ Mx@ j"cTu*!Zߥ> _4OA{޲/Z:k#%NNN6jr3Lk`o5 )BhN/2/ >/QcO3_CQ\t̻-#"}b{0.8d`:.g潕%\]e6~ 9q'䑕Nk*+2aRw̱q\cmdF!u6H^uaz}@ .O!/nYR6vKm\cL+ @2x|Wuq$^h.U@f'UKpfLLiByGg@OaBKf@%y,p@/s7ܺsqu+cdqE.\#b'@L_0Ch%mC2fmqt *AVXmm?l' _^ÜDf3heڑp %tǞJ `ղUFϧW# g\q(C %ߨ%-su{vEƧU"ixydcqJ&ݯyvHl鋥 rC"堨&jOEVN 7V^jN-fa^5\)FOH={j4DW4ת,݂_B⋂$^mCxJVϬ/_MjΓ5b0!E+?^ϋRguzn;G#+N?E6/5I,q1N]W7铘 i'a.ռlwCe#mdHrS6yc@/ Ne~fxW-J,j"^-3C_0G*TǃA+0Djѫ4Z8^fNr2))hSP k{aXޝ]2N \lp0yW.`_XX{ٱTn)_\ID%j # {tIn8[m;WYFˬb)rVd TAa4Jgdy>,lˮF>E !Ög8qbPo2ԏUg߹}I\Iă.Xו'\=5`|8&'<:ϕ#'Y٭>[Vq U~ bp̾3_%D"|U\p JV,#3A/ATZ여002@18nPm^Ԝ5t+'@r%(>+/zGEu7 zH9Heڵe̓'M!qu_)4t@5O`lbE)BD[Rn4 +K| o唯m /^KtH?д5Ddp#<̶Ӛ$-AjF[:ʬj*Wh3-4K`?뿩v0-6~$=of'K"WNO%[~OOx=0Pz(9m>QvqC}7XƳ:|2" W9)HCnNaqow %mBJٝ.-֯ kS}ř1ǁ"7cpG _`*hҰ8aرie RզjQQC|nE9"R.T3QN6d%4tƄ.e { ]1TH5pD; T֟:]' U@d:o0!x=]wܘt" 0|p(U#Vzy@Qww>tW[< 6bD([,( *`dsض=(ؠ2[szƬLa=-H#Fk0 dLGgІKv_Q UuSyy6$Kk߱bSb@: Ι AXM ͽcd.+n*΀1Urq/{ttaZ'Hi/{L5: -w}D:uRUJrGc{:W "0~7nv$VTl U+C۩( zKW)į.iI~ݺm #~EnPh8i%q A;Yd}q/yrq"^`}qBwpmRnHoI/zsT,>x OY 0hpУ/14Nέs]sߢjλ+pXlh SR!Qqj޾kaϚ H,53YKjd2BT]&=|[_Uȱ%))ʲ4YQVqK";mI(E| p:ۮoz`fآuUvn!= -p9:8wT7nRӔ(":è¦)@~}ټGTMA elC_`oGC\)@_X.:̍ [s#>)a}\2I"ɮ2BVo,NFY{_d%&GWc~Ke,@cpD nprsspkurxs2gԚ' 7P6]CU:)"mnc[ۭͶ!k(ytlI8*B*EK O D{pFaAh~O%'-1O]hH@|DŖb#+s%ye|NoƗvrXtℾhK'Pn;$4O/O-_;migMnI)`>(|?O0ljb^Bٵ8 >JЗq-BxS\3ɉcL1sG:@ꉑ;\X4,',8ƞ^LĴhu=y&'+k_yı%!+np= ~>"'0UEbڹd9a[MJ׺BW]'vֹEQQ9`|n)H9[=" \KIƹ D۠/gsC!جYCNyv SLD7 WJGeX&&q8%b(q@SX'Mғ9Aj$& Z<Ȩ&H]<Iy3hUY!VACD!l 𕽵 Nn?%~e"U:s(7 t&}/ʁ7^':K6ՓY@v>utrdo5Jys}l >V*+b""אܽn̟ibN,?g^QmJQnGWyB5r;E0BŌ-MM3J1K++3gr#':Ӑ>mOTo,?H6) ~\'|{OoRIq7z /0KYO~=n&dㅗ; #ke`KvInݳ Mo;ڿˉX)Urv4E:'vTe'd_JG^ u |@tJm!q:qtTΧ3v?MdS՗(XF{4:nw g=U;U*[nQ>S qWdB߫_hh|z`O ^MhR>+㵨Bicv+3 +3! An H&02N$g?<[nyҁP}gn5=x,aqc[6mv}[Ȫ3w0BLqsp/T}eQyF(pQ;;Hꚓ;KT\L~WĪD ͮ] GS8Yi* ;+P=s/l1)뛃cx9qt[nU]ȠI?y2@Lm;iX4đ6! -ZU 9CgC_wCɕơhۨevl77kp"4Qg` o\JzkHtp?V~!,?%6>Pɪ122CWkcVn,e,a`$Z&/D׫\CD r(4Ŀv<-n~d$+o S|vg ˴VJVnan:a&;P`[i:zu9e=_`}̱jݣ[n4nqR($^վk8n7Qݜe $EYMX@;2l]-}WCHfJ.-P@bv!$~X8bqpa\=O yⅆa&Ւj"/A%Xv ^$~#ZWX mSN!`@Bz;cyӷdDVaӚ'Fm3YUOt%*Xꄋpb%kPCYӥ gejBېyʕEڼ *c 73Cķ:`u~.5I-J13vGsy+٩ 22m.V77,Gfg3f: W) U N@3<Ϛjֳ+SZIrZlTZ%GhQjDun@gQT(̠_ W#oYs.RDtap-,3ؔQ%kqقJ^2eT/n5n@id2N"J Hl/sc0) Ql8Km<12/=  s 1MٺvT)3=/G)j\5wN.m xYy͋Md]Exsfez[i# 흋2="B [&$_@0,O,i2_Xj};$y!@ym"#A?!$+x8/&Ɩd4!R>#ɨvM;*p!᷎5\R̕t mbkV FZx)jC',/;\1>tC| s4E"m5`N$LҁcތPQ4XgS:þ,i0pqmHaoRK"hP)s NJPlT}v ~zJ}JE+&^HGAP# v>Uļli;40NƿKh_ƽłp&_ å@Ly W|+ ?p GL?$< 7f:l0 UhD-W630඾.4S>p5VIд<9@v 9V"eijIhHufZ޼}c}ўUO7Aiklxlm3(g%I˂TD9ycOȌ.6$4p pw{eHZ*"UjDl5$P'1*Qp[ɂ'=?LlquR3c,oi&2vdPzֻ(.s95 mʘO&[Ѥ {Yu2!1hzhzagN'~d临 bJբM Ͳ̻0Pi@_X`fӀ;,'r ;lMF㼪.(6*mu BRE,2FyƷ!ũRWSofݔRd|qR(XkD)x,+%ۙg6gO; Dxy*\Zf/)O$s2|'QAD X(LǨ,PK;(_4OKr m0f9>>hб@GCҦTjyx~C'Ax:_ No喠ft@zzX:_ƜbI3\ iր0^j/АK 4'K|ƛ68}-Tξ+Xƒ0n縷&{,|xRXwL@9TԼ~QnwOp2bYO8Y)-en"OYsc+_(6bᝥ!\˫c2bydzfut =P|S(BM{F-q#]Aͅۏ3FzyA1"JE5xV.擰4hfe=mWJI hgw+S J2F1Rq+.y]BfWWEprćIU"^%j# }\cU6 jX%GvC#F WvȊܩrawQz^r_ 0-FX Ճ9gtj^GEV*]F>~Kc!hTQ8/]<tA:4j^AMkkSu+ݾy6ooTnŃ6Z[|&Oεx7cO3TSkWh3KD]ܣT0"-="m ѭ[W8xfr׆fE_ ױ{6's?YZ #:VVa#! Eۓov;0-tV4b#cNxwm"x؞,=K&.Ǧfx3Ax{˔AcRtZε |?/Wٲ̴o,Ôo ȎE.RxKg ZWiywXB\I'qJewVByV3)% G"%Cg(_fBsFf PiGT@@kZI`o=`j:` [<"!>$85rɖ]Rn11nc LlW+j+jkreMf4 9Zq% @kgd(+?I e;A$M6/wF2C6'O*W1:SiB"v6?$ز.H &9\jg6Kx[)Ęx7 S6*n`'9TрlI1cZu: luoڦvk Xɡrc8g+Xa&tQL1uM̅"pinD=VAo* J" Gۻ߆kisGO.\ض-bOEozRs0N;# u!jVh mǜlo #OU@E& !\u0-,06cov ؜=%f*7G}v\TBE^` Z5/S<"Vg(+̊:bl1P &،@@ByKL4bdKeȳmK|.QQo>.ꡧ;R; \;QTZcOUAɁ:vvh+2}n==TAGE'>j=| {M-ԄUۚU?"2mv٢( bYO.)a0)oM@T+(/6fDEԡ `*"9Mm΃hTVwjwu;S._T$*hd`-ɺlOikхOP.+ioSמ/bBјlH NAtz<*Ezը pkS=&q Ony] n4qcaׅ24]rujM1G[=xCP|smD69_4ztJA{6m@_jȼ'4S1NPIAWPuBaJfcdwT3ƃLeAT"e'x^yƛ~dpZґV25fAEiǥ|ceظDE7V,W&e"KQj=)|>}X!|"e&@'%pؕpCR`/{];m@-+USʍ"`޷v Oc<+)€S|Dw3 j ʕGc M0 ۈ;Ʋ|gen[rꕮO.SU<b`͟$Jv߶ŐqjMYJ䰏VXPKM3ԿaJ)^! k%:ބ,"#W޾[ע؝(y{%w z`m@]D@oOKJf_Ah>CH!j /ZeF;?:MF|dqo=Ι|SF2gL^'SƎGZ6݉EMw|D/bls>@<2uF%#L=*g%JǘIB0ܺ_aUr4rTDxt {PǨr"8|LLBڈ0e_%_r"x/,FDEqh &8D~Ԋ KK+U=Zx,MQk"8]΅iP@+>t%XSFFbƆ&~,[Ɯ:SWMh?3j(' \FIWy[d'ŎRHoQ!™:qU ` ደHi\S m&&1T J$ I =,;NBPLqLT"4 g(>+Y}W+}fZ6n 'In0FcJ= #qկ]'ZcGb'vdxoTQ؜ Au44U41a0 UP[\)ë:菰s) ݰ"c'Si&}^ijYtػ9ilhvuE=s ț^VLo2/DHtc%%"$3팀=۰s[D^cP/Z k(Y˳-\S.ț#'8HbK=1߰!O=C~gDH+|=.w >^bⵎ" t!辇,;/y{q^יBZh[@yks=K:*<3 ^6,dQsb;P"(~ʝsp*T{3SsUrO!m\&[-{jOdlerɫxܕTb%Lp ݌'ؔön &7Ap;7r9a;0#N7b6ce~X dymMqcx"0|5w0fy@2gwJ?2=x@TϽqYbU}S]` V|q\26/\N u^ 8ܘ$YE!F~PB'{ kbM8rm}SmD{\nOlMjb(wmkM/C6po-Vćۺ%_Ofk~(/Lҳu(Zc6:39F %41O{}K/NmoSR\-H+kfq^`KVrPV! n(`P.ʉgO!?YT88+)*)N~S*JeDgTg EK֝A=\ȷw;M9Aב%S=j/Ϳ@rG/@'XNtȄ2Iz6knO+30VK{(4:KT qkʣTm.E7͒kóBi=7L}2`{hWb,Jަ8L( Ie7ҷb'șJ>)v. q}rZ(|cpAsFZ4"vxgNL(xcÔ^BL+Uo~ph=ZC`|Oɕ4#?2v}oDx~^'ϥ' [Ms,/d9$w\יY.`]ؙanE-#[VԿ?󬅙MjV Ȣ#O^TFsX_wOxԝ N®f'xaH].lw@(59#U.u)Z'AxAGz 2~g,Nxh5lvЗsˍeT zsasIV8*MP!Ϩh|AX4ie"6E?