freeradius-server-libs-3.0.21-150200.3.12.1 >  A cp9|lS5G9}E-o^jޛ ,-˜`=30G߯Vd*i 4}0 <g;pS h( 謖(e_/@M5-8`!-GA2hJ"3rÈZL2#U/i~.qaWJ8Iʊ wHgd{n5Kk_q#p{Y|2Fb?6b9 'bydQ7@\OXFeczFU dfa0372dac664f2342b10dd5f9be793416199badbcf1beb2fd66a38a897f5d80fe7ae93bce8711b6c9c0b958fa9b19319c3a6064cp9|׵P혐TԙSKYJH MoJL#q,,s`g;Tr]o\!&`}S/}C#Нj`8wd;<%'^{K~%\xU-Y:%)~y<VH5hL9SuqML) (QF*%ŵH6zLKO@օ*-+dо?!~KEnz >p>4?$d  . Hlp| !(H X h   8`(*84(9(: (FqGHIXY\]8^b+cd`eefhlju|vwxy4$z Cfreeradius-server-libs3.0.21150200.3.12.1FreeRADIUS shared libraryThe FreeRADIUS shared libraries.c$s390zp36SUSE Linux Enterprise 15SUSE LLC GPL-2.0-only AND LGPL-2.1-onlyhttps://www.suse.com/System/Librarieshttp://www.freeradius.org/linuxs390xʸR 'F[AA큤cccccc!^zM^zMa32d04b6d71cd357220b3e0d0136f739b77c0ac69f326aab5449be5a5161c31e55ebf513dfe57e1a80a594d181f4f03c1946650b55186c46b67c63c8e1d6274c93245f975b8f3783358bdf2429288a7cfcbf4e72e4bebce03efe7970e561529353f95151239a6f6d7f4e5ece945d85faea82ec0bf48a775f891387da117d8b6f8b9cc1e5d41938be45a368f126a6d1fda03d60a3d622dc75e776be4e90c2d2c6e6d6a009505e345fe949e1310334fcb0747f28dae2856759de102ab66b722cb4rootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootfreeradius-server-3.0.21-150200.3.12.1.src.rpmfreeradius-server-libsfreeradius-server-libs(s390-64)libfreeradius-dhcp.so()(64bit)libfreeradius-eap.so()(64bit)libfreeradius-radius.so()(64bit)libfreeradius-server.so()(64bit)@@@@@@@@@@@@@@@@    ld64.so.1()(64bit)ld64.so.1(GLIBC_2.3)(64bit)libc.so.6()(64bit)libc.so.6(GLIBC_2.15)(64bit)libc.so.6(GLIBC_2.2)(64bit)libc.so.6(GLIBC_2.3)(64bit)libc.so.6(GLIBC_2.3.4)(64bit)libc.so.6(GLIBC_2.4)(64bit)libc.so.6(GLIBC_2.8)(64bit)libcrypto.so.1.1()(64bit)libcrypto.so.1.1(OPENSSL_1_1_0)(64bit)libpcap.so.1()(64bit)libpthread.so.0()(64bit)libpthread.so.0(GLIBC_2.2)(64bit)libtalloc.so.2()(64bit)libtalloc.so.2(TALLOC_2.0.2)(64bit)rpmlib(CompressedFileNames)rpmlib(FileDigests)rpmlib(PayloadFilesHavePrefix)rpmlib(PayloadIsXz)3.0.4-14.6.0-14.0-15.2-14.14.1ct`@_@_FN^y@^p^h^@\\v{\u*@[<[2*ZZWQYY@YlY, @XO@X@X*Xh@X.@W@WiV@V.Vf@UĝU@U@UU8U7@TZ@TTT~@T|X@adam.majer@suse.deadam.majer@suse.deadam.majer@suse.deadam.majer@suse.deadam.majer@suse.deadam.majer@suse.deadam.majer@suse.dejcnengel@gmail.commichael@stroeder.comadam.majer@suse.demichael@stroeder.comadam.majer@suse.demichael@stroeder.commichael@stroeder.commichael@stroeder.comadam.majer@suse.devarkoly@suse.commichael@stroeder.comadam.majer@suse.demichael@stroeder.comkukuk@suse.deadam.majer@suse.dejengelh@inai.deadam.majer@suse.demichael@stroeder.comadam.majer@suse.demichael@stroeder.comjkeil@suse.demichael@stroeder.comjkeil@suse.dejkeil@suse.dejkeil@suse.demichael@stroeder.comvcizek@suse.commichael@stroeder.comtchvatal@suse.comvcizek@suse.comdimstar@opensuse.orgvcizek@suse.commeissner@suse.com- CVE-2022-41859.patch: fixes information leakage in EAP-PWD (bsc#1206204, CVE-2022-41859) - CVE-2022-41860.patch: fixes crash on unknown option in EAP-SIM (bsc#1206205, CVE-2022-41860) - CVE-2022-41861.patch: fixes crash on invalid abinary data (bsc#1206206, CVE-2022-41861)- logfile_secrets.patch: do not log passwords in logfiles (bsc#1184016)- freeradius-server-radiusd-logrotate.patch: move logrotate options into specific parts for each log as "global" options will persist past and clobber global options in the main logrotate config (bsc#1180525)- freeradius-server-radiusd-logrotate.patch: fix permissions in logrotate global section (bsc#1170505, bsc#1174905)- update to 3.0.21 (jsc#SLE-11896) Feature Improvements * New stored procedure for allocating IPs with PostgreSQL Rates of 1500 IPs per second are now possible See raddb/mods-config/sql/ippool/postgresql/procedure.sql * Add SQL IP pool support for Microsoft SQL Server See raddb/mods-config/sql/ippool/mssql/ * Added RCNTEC dictionary. Closes #3168. * Added Pica8 dictionary. Closes #3179. * Add TLS-Client-Cert-Valid-Since attribute holding not Before date Patch from Boris Lytochkin. Fixes #3157. * Generate attributes containing unknown OIDs See raddb/sites-available/tls * Update the WiMAX dictionary. * Added ability to rlm_python(Python2) show a stacktrace from errors. #2979. * Add WiFi Alliance Policy OIDs. See raddb/certs/xpextensions * radmin now shows coa stats, too. * Sample schema extensions for summarizing data in SQL See mods-config/sql/main/*/process-radacct.sql * Update dictionary.aerohive, dictionary.fortinet, dictionary.arista and dictionary.erx. * Added VAS Experts dictionary. * Many updates to RPM and jenkins builds from Matthew Newton. * Added %C (time now in seconds) and %c (microsecond component of now) back-ported from the "master" branch. * Add reload capability to systemd unit file in Debian and RedHat. * Increase timestamp precision in postauth to maximum supported by each database and simplify (and make more consistent between drivers) the timestamps in SQL queries by using expansions. * Option to set dictionary path in raduat script. Bug Fixes * Various fixes found by PVS-Studio. * Set permissions of certificates in bootstrap shell script Fixes #3132. * Increase the 'nasportid' SQL field for 'varchar(32)'. #3141. * Skip processing proxy reply if there are no home servers available. * Update SQLite IPPool queries. Fixes #3177 * rlm_sql_unixodbc fixes. Fixes #2822. * Fixes when building with LibreSSL. * Fix the rlm_python3 build. Note that this module is experimental. #3183. * The rlm_python should append the 'python_path' paths in 'sys.path'. It fixes the expected behavior to use the existing Python modules Fixes #3180. * Fix rlm_python to print the script errors properly. * Bound total query time for PostgreSQL. Fixes #3253. * Many fixes to Oracle sqlippool. It now does 500 IPs per second without any tuning. Fixes #3270. * Reference sqlippool by it's correct name. Fixes #3272. * Revert 3.0.20 patch which caused crashes on duplicate clients. * Update WiMAX-MSK attribute. Fixes #3280. * Fix crash when trying to access non-existant regex capture group. * Use timestamps (request or server) rather than SQL NOW() in accounting queries so that these are stable when replayed from a file buffer. - freeradius-python3_patches.patch: upstreamed- update to 3.0.20 (bsc#1146848) Feature Improvements * Added Force10 dictionary. * Update dictionary.hp with new attributes. #2690. * Update dictionary.aruba with new attributes. #2696. * Fix side-channel leak in EAP-PWD (bsc#1144524, CVE-2019-13456) * Relax OpenSSL version checks, now that their API is both public, and stable. * Note that tls_min_version/tls_max_version also support "1.3" Since there is no standard yet for EAP with TLS 1.3, it will not work. * Added tripplite dictionary from #2760. * Switch to the async interface for rlm_sql_postgresql so that we can enforce query_timeout. * Added new LDAP option 'allow_dangling_group_ref'. * Updated documentation and functionality for EAP session caching See "cache" section of mods-available/eap. * Tighten systemd unit file security. Fixes #2637. * Disable TLS 1.0 and TLS 1.1 support in the default configuration We STRONGLY recommend doing this for all installations. * Add expansions for *outgoing* Radsec connections "%{proxy_listen:TLS-...}" for TLS-Client-Cert-* and TLS-Cert-* attributes. Fixes #2839. * Add %{listen:tls} which returns "yes" or "no" for TLS or non-TLS connections. * Update dictionary.lancom with new attributes. #2847. * Added rlm_sql_mongo. See raddb/mods-available/sql. Note that this module is experimental. * Added more documentation in sites-available/robust-proxy-accounting. * sqlippool now re-allocates unexpired leases, to prevent IP pool exhaustion when clients perform multiple reauthentication attempts * Add support to radmin keep the history in ~/.radmin_history. * Add support for ENV and LD_PRELOAD in radiusd.conf. See the new ENV sub-section of radiusd.conf. * Update dictionary.aptilo. #3002. * Update dictionary.airespace. #3039. * Add sites-available/coa-relay, which makes CoA easier #3045. * Add example stored procedure for IP Pools in MySQL See mods-config/sql/ippool/mysql/procedure.sql * Update dictionary.dhcp dictionary with the recent hardware types. * Add experimental rlm_python3. This should largely work the same as rlm_python, which was Python2 only. * Add Dockerfiles for Debian10 and CentOS8. * Add RPM spec file compatibility for RHEL/CentOS 8. * Notes on certificate constraints. See raddb/certs/server.cnf. * Add NAIRealm example to raddb/certs/server.cnf, for RFC 7585. Bug Fixes * Allow listen.ipaddr to reference an IPv6-only host. Fixes #2627 * ERX-Acct-Request-Reason is "integer". Closes #2635. * Fix a slow memory leak in the file management code. * Try to fix file permissions if they get modified while the server is running * Fix slow memory leak with clients. * Fix request and connection timeouts in rlm_rest. * Fix systemd issues. * Fixes from clang analyzer. * Fix missing include for the dictionaries: alcatel.esam, altiga,alvarion.wimax.v2_2,aptis,asn, audiocodes,avaya,bristol, columbia_university,freedhcp,garderos, infoblox,motorola.illegal, starent.vsa1, telkom, wimax.wichorus. * Fix internal sanity check when running with "-Xx". * Allow "inner-tunnel" virtual servers to work better with "accept" and "reject" policies. * Fix dictionary.huawei data types for Huawei-DNS-Server-IPv6-address and Huawei-Framed-IPv6-Address. * Framed-Interface-ID in postgresql/queries.conf is string, not inet Fixes #2817. * Fix rlm_cache to complain on unknown attributes in the "update" section of its configuration. * Add configure checks for -latomic. This helps on armel, mips and mipsel. Fixes #2828. * Add support to Oracle 19 and 18. Via #2857. * Add support for decoding tags in rlm_rest. Fixes #2848. * Use correct passwords when updating CRLs in raddb/certs/. * Properly separate "originate-coa" packets when accounting packets are read from the detail file reader. * Use the correct virtual server for pre/post-proxy. * radsqlrelay fixes backported from "master" branch * Fix DoS issues due to multithreaded BN_CTX access (bsc#1166847, CVE-2019-17185) - disable python2 for SLE15 and Factory - freeradius-server-enable-python3.patch: enable Python3 module - freeradius-python3_patches.patch: backport python3 fixes from upstream - freeradius-server-opensslversion.patch: updated- Enable memcached driver on SLE15- Add missing BuildRequire on samba-core-devel required for windbind support in rlm_mschap.- update to 3.0.19 (jira#SLE-5890) Feature improvements * Update dictionary.cisco * Update sqlippool to allow for stored procedures with PostgreSQL. This increases performance substantially. Patch from Nathan Ward. Fixes #2540. * Re-added "show client config" command to radmin. * Cleaned up mods-available/sql example so that it is easier to understand. * Added pfSense dictionary. Closes #2581 * Update dictionary.h3c Closes #2592 * Update elasticsearch/logstash config for v6.7.0. * EAP-PWD security fixes from Mathy Vanhoef. See http://freeradius.org/security/ (CVE-2019-11234, CVE-2019-11235, bsc#1132549, bsc#1132664) Bug fixes * Update dynamic_client module and server core so that the functionality works. This has been broken since at least v2. * Fix crash in sqlippool due to escaping changes. Patch from Nathan Ward. Fixes #2532, #2533. * Fix systemd notify, watchdog and unit files. Fixes #2541, #2499. * Fix erroneous length check in EAP-FAST. * Update documentation to remove old "ignore_null" configuration. Fixes #2578. * Fix default POD port. Should be 3799. Fixes #2591 * Correctly encode vendor-specific "encrypted" attributes. Fixes #2600- reformat changelog mostly by wrapping lines - add missing bug numbers for security fixes- update to 3.0.18 * cleanup_delay can now be 30 seconds. This helps with proxies that have packet loss. * Do-Not-Respond policies can now be set in the "post-auth" section. * Encode / Decode ADSL Forum DHCP options. * Fix module ordering issues. e.g. when "sqlippool" needs "sql". See the "instantiate" section of radiusd.conf. * Add Big Switch dictionary. Fixes #2252. * Add sql_session_start policy (raddb/policy.d/accounting) This minimizes race conditions when using Simultaneous-Use (#2257). * For rlm_perl, all variables are now tainted by default. See raddb/mods-available/perl, and the "perl_flags" configuration item. This change should only affect people who are using variables in insecure ways. * Allow "sqlcounter" module to be listed in "post-auth". * Add support for IPv6 attributes in SQL. Fixes #2280 * The server is better at handling fail-over for outbound RadSec and TCP connections. Fixes #2284. * The server is now more aggressive about retrying failed outbound RadSec and TCP connections. Fixes #2284. * Add TLS-Session-Version and TLS-Session-Cipher-Suite to the "session_state" list. * Add expansion for Radsec connections. "%{listen:TLS-...}" for TLS-Client-Cert-* and TLS-Cert-* attributes. * Add notes on running "ldapsearch" using the parameters from the LDAP module. * "ipaddr" attributes can now be cast to "integer" type attributes in an "update" section. * Move main thread queue to using atomic queues. This should help with contention in high load scenarios. * Add "recv_buff" setting to listeners. For more details, see sites-available/default. * The sqlippool module can now use attributes other than "Pool-Name" to assign IP pools. The "Pool-Name" attribute is still the default. * The "unpack" expansion can now unpack substrings. See mods-available/unpack for documentation and examples. * The preprocess module now does "ciscvo_vsa_hack" for Eltex-AVPair Fixes #2301. Vendors SHOULD NOT USE THAT KIND OF ATTRIBUTE. * Allow for -LDAP-UserDN. See mods-available/ldap for more information. * Add sanitizing of control list for moonshot. Fixes #2318. * Update rlm_sql_mysql to be compatible with MySQL 8 Fixes https://bugs.launchpad.net/bugs/1795310. * Allow logging of only Access-Accept or Access-Reject messages See radiusd.conf, "auth_accept" and "auth_reject". * Removed Connect-Rate comparison. It was unused and broken. * Add dictionary.infinera. * Use OpenSSL HMAC functions instead of local ones. * Some SQL modules can now use "auto_escape" to escape unsafe strings See mods-config/sql/main/mysql/queries.conf. * Add wispr2date conversion in mods-available/date. * Implement dictionary-based handling in rlm_python. Fixes #2334 See mods-available/python for details. * Add support for SKIP LOCKED in sqlippool. This can improve performance by an order of magnitude or more. See raddb/mods-config/sql/ippool/*/queries.conf Fixes #2383 * Allow PSK and certificates at the same time Except for TLS 1.3 which does not support that. * Update docker scripts. Fixes #2306 Patch from Matthew Newton. * Add crypt xlat. * MySQL connections can now skip verifying the server certificate. Fixes #2481. See mods-available/sql. * Add better mechanism to detect MariaDB (Old MySQL). * Add RFC 7532 "bang path" support for realms Fixes #2492. * Update dictionary.ukerna documentation. Fixes #2493. * Add support for systemd service and watchdogs Fixes #2499. * Check for openss/rand.h, and allow building without OpenSSL engine. Patch from Eneas U de Queiroz Fixes #2517. * The default PosgtreSQL queries now use "ON CONFLICT" to better deal with issues. This requires PostgreSQL 9.5 or later. Please use a recent version of PostgreSQL, or edit the default queries to remove "ON CONFLICT". BUG FIXES * The session-state list is no longer cleaned in the inner-tunnel. This lets the outer Access-Reject section access session-state. * Fix typo in lock initialization for TLS sockets Found by Sergio NNX. * Add check for crash when home server down Fixes #2233. * Add username key for postauth table. * Better libpcap checks, when the header files or libraries are missing. Fixes #2245. * Allow building with old versions of OpenSSL Fixes #2247. * Allow non-FreeRADIUS State attributes to be used with the "session-state" list. i.e. State length != 16. * Be more aggressive about cleaning up zombie children when running in debug mode. * Use LTDL_DEEPBIND, which fixes issues with Oracle libraries exporting LDAP API functions. * unlock files when asked to unlock them. * return error instead of asserting in map code. * Don't write 0 bytes to SSL. Fixes #2270. * Remove "expiry_time IS NULL" from allocate_update query. Fixes #2262. * Various dictionary cleanups and consistency checks Fixes #2281. * rlm_python has stronger thread locking to prevent reported issues. Performance may be affected. * Don't allow Message-Authenticator to overflow past the end of a large packet. * Fix crash in sqlippool when SQL server goes away Fixes #2300. * Typos in man pages. Patch from Nikolai Kondrashov Fixes #2303. * Fix crash with CoA packets/ Fixes #2304. * Fix crash in rlm_exec with CoA. Fixes #2328. * Print errors while parsing the log config, and don't quit when deprecated log settings are found. * Fix DHCP encoder xlat so that it can be used with a list of attributes. It previously only encoded the first member of the list, and now encodes all members. * The "expr" module now skips more whitespace. * Remove internal FreeRADIUS-Response-Delay attributes from attr_filter Access-Reject. * Don't send junk to redis when maximum args reached. * Small updates to IPv6 for accounting schema Fixes #2364. * Fix OpenDirectory integration in rlm_mschap. * Fix slow memory leak with dynamic clients. * Don't artificially truncate debug output for long strings. * Fix memory leak in EAP-PWD. * Fix crash in "hints" file with Fall-Through = yes. * Fix crash / timer issues with many CoA packets. * Fix attr_filter so that it does not treat vendor attributes of number 26 as Vendor-Specific. * Fix reconnect correctly in rlm_sql_mysql. * Fix rlm_cache to properly use Cache-TTL < 0 Fixes #2485. * Fix rare occurance of bad xlat expansion. * Check for rare race condition when a proxy reply arrives too late.- install license as %license instead of documentation- also fix ownership of /var/log/radius in systemd unit- update to 3.0.17 Feature Improvements * Add CURLOPT_CAINFO. Patch from Nicolas C #2167. * "stats home server" now supports "src IPADDR", to specify home server also by source IP. Fixes #2169. * Add Dockerfiles for a selection of common systems. * Increase number of permitted file descriptors, for systems with many home servers. * Add TLS-Client-Cert-X509v3-Extended-Key-Usage-OIDs Patch from Isaac Boukris. Fixes #2205. * Update main READMEs. Patches from Matthew Newton. * Added dictionary.mimosa. Bug Fixes * Don't call post-proxy twice when proxying to a virtual server. Matthew Newton, #2161. * Use "raw" string value for shared secrets and dynamic clients It now parses strings with backslashes and "special characters" correctly. Fixes #2168. * Fix RuntimeDirectory for RedHat, from Alan Buxey. * Relax checks in 'if' parser from Isaac Bourkis. * Minor cleanups for %{debug_attr:&request} from Isaac Boukris. * Be more aggressive about cleaning up cached certificate attributes, due to deficiencies in OpenSSL. Reported by Nicolas Reich. * Be more accepting when parsing IPv6 addresses. Bug noted by Klara Mall. * Fix double free in rlm_sql. Fixes #2180. * rlm_detail now writes empty Access-Accept packets. * rlm_python can now create tagged attributes. * Don't crash on duplicate realm + authhost / accthost * Allow partial certificate chain to trusted CA. Fixes #2162. * Treat SSL_read() returning zero as error. Fixes #2164. * detail writer now checks if the file was renamed or deleted. * Add User-Name to Access-Accept if EAP-Message exists, not Stripped-User-Name. * RedHat Systemd updates. Fixes #2184. * Use correct API for State variable in rlm_securid. * Remove broken radclient option "-i". * Fix "users" file (and hints, etc). So that it does not get confused about entry ordering with multiple $INCLUDEs. * Fix rlm_sql to expand the un-escaped string, not the raw string. * Link default and inner-tunnel only if they exist. Fixes #2206. * Don't use both IP_PKTINFO and IP_SENDSRCADDR. * Always install signal handler for SIGINT (needed by Docker). * Fix intermediate CA flow for OCSP. Fixes #2160 Intermediate certs which are not self-signed will now be checked. * sqlippool now returns "fail" if it fails IP allocation. * Fix rlm_yubikey to look for correct attribute in replay attack check.- update to 3.0.16 Feature improvements * rlm_python now supports multiple lists. From #2031. * Add trust router re-keying. From #2007. * Add support for Samba / AD LDAP schema. See doc/schemas/ldap/samba/README.txt and doc/schemas/ldap/samba/ * Add "tls_min_version" and "tls_max_version" to EAP module for Debian OpenSSL issues. * Better documentation for client certificates in PEAP and TTLS: it usually doesn't work. Fixes #2068. * Distinguish login failure from AD unavailable. Fixes #2069. * Update RH spec files. Fixes #2070. * Run Post-Proxy-Type if all home servers are dead. Fixes #2072. * Print offending IP addresses when EAP sessions come from two upstream home servers, and rate-limit the messages. * Minor packaging updates. * Better documentation for rlm_rest. * EAP-FAST now has it's own "cipher_list", so that it is easier to configure. * EAP-FAST now forcibly disables TLS1.2, until such time as we implement the new keying mechanism from TLS1.2. * Add documentation for allow_expired_crl. * Update Debian logrotation. #2093 and #2101. * DHCP relay can now drop responses. #2095. * rlm_sqlippool can now assign Delegated-IPv6-Prefix. It also now can assign any IPv4 or IPv6 address. Based on patches from maximumG. #2094. See raddb/mods-available/sqlippool for changes. * radeapclient can now use EAP-SIM-Ki to dynamically create the necessary triplets. * Explain why many LDAP connections are closed. Fixes #1969. * Debian build / package issues fixed by Matthew Newton. * dictionary.patton updates from Brice Schaffner. Fixes #2137. * Added scripts to build "inner-server.pem", and updated mods-config/inner-eap and certs/README to match. * Added provisions for using an external CA. See raddb/certs/ * Include dhcpclient binary in freeradius-dhcp debian packge. Bug fixes * Bind the lifetime of program name and python path to the module FR-AD-002 (redone) * Pass correct statement length into sqlite3_prepare[_v2] FR-AD-003 (redone) * Allow 100-Continue responses with additional headers in rlm_rest. * fix corner case where detail files were not being locked correctly. * Fix (SQL-Group == "%{...}") checks, and same for LDAP-Group. Fixes #1947 * Clean up exfile code. Which should help to avoid issues with reading / writing 100's of detail files. * Fix build for winbind. Patch from Alex Clouter. * Fix checkrad for Mikrotik. Patch from Muchael Ducharme. * Fix home server stats lookup. Patch from Phil Mayers. * Add libjson-c3 as an optional dependency. * Require LTB OpenLDAP on CentOS / Redhat, to avoid linking against NSS, which breaks the server. Fixes #2040. * rlm_python fixes. Fixes #2041 * Typos in "man" pages. Fixes #2045 * Expand "next" in %{%{...}:-%{...}}. Fixes #2048 * Don't add TLS attributes twice. Fixes #2050. * Fix memory allocation in rlm_rest. Fixes #2051. * Update trustrouter for new API. Fixes #2059. * Fix SQLite issues on FreeBSD. Fixes #2060 * Don't do debug logging of bad passwords. Fixes #2064. (bsc#1099802) * More graceful handling of "die" in rlm_perl. Fixes #2073. * Fix occasional crash when using cisco_accounting_username_bug = yes * EAP-FAST fixes from Isaac Boukris. [#2078], #2076, and #2082, #2126. * DHCP fixes, relay, #2092, add run-time check, #2028 * Decode multiple RADIUS packets at a time in highly loaded RadSec connections. Patch from Jan Tomasek. #2106. * TunnelPassword is not "single value" in LDAP schema. Fixes #2061. * sql log now opens the expanded filename, not the input one. This was a regression introduced in 3.0.15. * Remove unnecessary UNIQUE constrain in Oracle schemas. * Fix SSL thread and locking issues when modules also use SSL. Fixes #2125 and #2129. * Re-add dhcpclient "raw packet" changes. Patches from Nicolas Chaigne and Matthew Newton. Fixes #2155.- Fix permissions of radiusd.service (bnc#1053654)- bsc#1055679 - freeradius-server does not provide winbind/AD auth Added libwbclient-devel as buildrequires- update to 3.0.15 with security fixes for issues found via fuzzing by Guido Vranken (bsc#1049086) https://freeradius.org/security/fuzzer-2017.html * CVE-2017-10978: FR-GV-201 (v2,v3) Read / write overflow in make_secret() * CVE-2017-10983: FR-GV-206 (v2,v3) DHCP - Read overflow when decoding option 63 * CVE-2017-10984: FR-GV-301 (v3) Write overflow in data2vp_wimax() * CVE-2017-10985: FR-GV-302 (v3) Infinite loop and memory exhaustion with 'concat' attributes * CVE-2017-10986: FR-GV-303 (v3) DHCP - Infinite read in dhcp_attr2vp() * CVE-2017-10987: FR-GV-304 (v3) DHCP - Buffer over-read in fr_dhcp_decode_suboptions() * CVE-2017-10988: FR-GV-305 (v3) Decode 'signed' attributes correctly * FR-AD-002 (v3) String lifetime issues in rlm_python * FR-AD-003 (v3) Incorrect statement length passed into sqlite3_prepare- update to 3.0.14 (still FATE#322416) Feature improvements * Enforce TLS client certificate expiration on session resumption, and Session-Timeout. See CVE-2017-9148 (bnc#1041445) * Updated dictionary.cisco.vpn3000, dictionary.patton * Added dictionary.dellemc * Lowered the log output for failed PEAP sessions. * ALlow utc in rlm_date. * The internal OpenSSL session cache has been disabled. Please see mods-available/eap * Update detail reader documentation. * Make outgoing RadSec connections non-blocking. * Add SQL backing to Moonshot-*-TargetedId generation. Bug Fixes * radtest uses Cleartext-Password for EAP, not User-Password. * Update documentation for mods-enabled/ linking. * Enhanced checks for moonshot salt. * Allow session resumption for RadSec connections. * Update "huntgroups" file to note that port ranges are not supported * Fix OpenSSL permissions issues on default key files. * Certificates are not required when PSK is used. * Allow SubjectAltName as first extension in cert. * Fixed talloc issue with TLS session resumption. * "&Attr-26 := 0x01" now produces useful error messages. * Handle connection error in rlm_ldap_cacheable_groupobj. * Fix endian issues in DHCP. * Multiple minor fixes for Coverity complaints. * Handle unexpected regex. * Fix minor issues in dictionaries. * Fix typos and grammar. Patches from Alan Buxey. * Fix erroneous VP creation in rlm_preproces. * Fix MIB. Patch from Jeff Gehlbach. * Trust router updates from Alejandro Perez. * Allow build with LibreSSL. * Use correct packet for channel bindings. * Many fixes found by PVS-Studio. Thanks to PVS-Studio for giving us a test license. Please see the git commit history for more info. * Fix incorrect length check in EAP-PWD. This may be exploitable. * Stop rotating session database files (radutmp, radwtmp) since these are not logfiles. - freeradius-server-radiusd-logrotate.patch: updated- removed obsolete freeradius-server-fix-cert-bootstrap.patch because recent /etc/raddb/certs/bootstrap simply works - update to 3.0.13 (still FATE#322416) Feature improvements * Add dictionary.rfc7930. Note that we do not implement the RFC. * Added 'cipher_server_preference' to mods-available/eap Patch from #1797. * OpenSSL 1.1.0 compatibility fixes. * rlm_perl: radiusd::xlat to evaluate xlat string within perl script * Allow authentication retry in winbind. Patch from Herwin Weststrate. See raddb/mods-available/mschap. * Added "recv-coa" method to rlm_rest. It behaves the same as "authorize". * Document Trust Router tr_port option. Patch from Stefan Paetow. * Update elasticsearch/logstash examples so that they work with elastic stack v5. Patch from Matthew Newton. * Print information about packets, replies, and contents in the detail file reader. * Update abfab-tr policy. Pull request #1893 from Stefan Paetow. * Reject packets which contain User-Password and EAP-Message. * Add example for filtering Access-Challenge. See sites-enabled/default. * Pull symlink fixes from v4.0.x. Fixes #1859. * Add systemd reload. Not everything is reloaded, but some is. Fixes #1662. * Better documentation for listen "ipaddr". Fixes #1921 * Add dictionary.cnergee, updated dictionary.nomadix. * radclient no longer needs -x to print statistics with -s. Bug fixes * Minor typos. Fixes #1763 * Fix typo in RPM build. Closes #1767. * rlm_mschap check for password expiry only if password was correct. Fixes #1762. * Update debian build. * update rlm_counter "man" page. Fixes #1775. * Remove erroneous assert. Fixes #1778. * fix mschap password change test. Fixes #1792. * Cleanup config file on data remove. Fixes #1795. * passwd module returns "notfound" if not found. * Check for old OpenSSL, and don't build rlm_eap_fast if it necessary. Fixes #1803 * Cleanup memory better after ldap version query. Patch from Aleksey Katargin. * Rename lt_* functions to avoid linker issues with libtool. Fixes #1277 * Many miscellaneous fixes and typos. * Allow long strings in %{%{foo} bar:-%{baz} blah". Fixes #1866 * Fix filtering operators, along with more documentation and more tests for them. * Fix OpenSSL fixes. Fixes #1876. * Finish SQL select queries even when SELECT returns no rows. Fixes #1879. * Set Module-Failure-Message for more EAP errors. * Correct typo in dictionary.rfc5580. Fixes #1882 * Remove obselete systemd syslog.target. * Client-Port-Balance load-balancing now uses client port. * Radrelay examples fixed from Alex Clouter. * Update systemd target. Pull request #1896. * Trim starting whitespace in xlat strings. * Get MySQL result lengths using normal API. * suid down after fchown(). Fixes #1914. * Fix cases of comparing pointer to NUL character. Fixes #1915. * OpenSSL v1.1 fixes. Pull request #1921. * Better Handle v4/v6 host names. Pull request #1919. * Remove "Auth-Type = System" from docs and examples. * Don't crash on malformed %{home_server}. Fixes #1922 * fix erroneous use of talloc destructor in rlm_eap * Issue trigger modules.sql.fail. Fixes #1923 * Document python_path gotcha's. Fixes #1845 * dlopen() the specific version of Python. Fixes #1592- Don't require insserv if we use systemd - Remove require for unused fillup- Merge changes from SLE to openSUSE (FATE#322416): * freeradius-server-radclient-init-error-buffer.patch - make sure we initialize error buffer. bsc#911886: radclient error free() invalid pointer * freeradius-server-opensslversion.patch: remove OpenSSL version check and assume we know what we are doing. (bnc#1013311) * merge .changes file, mostly. - do not attempt to detect "vulnerable" OpenSSL versions. SUSE security fixes do not necessarily bump version numbers as does upstream OpenSSL (bnc#1021375) - do not generate certificates in %post. End-user needs to do this manually. - keep FreeTDS disabled on SLE12 - we never shipped it enabled - require OpenSSL 1.0+ - use pkgconfig(systemd) instead of plain systemd as BuildRequires - don't list manual pages as %doc- Remove --with-pic which is for static libs only. - Use SUSE RPM group names. Trim filler words from description. - Do not hide errors from groupadd/useradd.- Add upstream keyring - 2 new modules: rlm_sql_freetds and rlm_eap_fast- update to 3.0.12 - still fate#320481 The focus of this release is stability. * Feature improvements + Add support for =~ and !~ in update sections. See "man unlang" + Add dictionary.checkpoint. + Simultaneous-Use prints out more information. + Print WARNING in debug mode when packets may be truncated. + Added expansions %{home_server:state} and %{home_server_pool:state}, which show the state of the server / pool. + Mark rlm_sql_freetds as stable. + Make rlm_perl less fragile. Patch from Herwin Weststrate. + Allow extended attributes to have "encrypt=2" + Update dictionary.aruba. + Add support for EAP-FAST. This is an isolated feature which does not affect anything else. + Update OpenSSL vulnerability list. Use a version of OpenSSL released after September 20, 2016. + EAP certificate verification is now done when "verify" is enabled and "ocsp" is disabled. + New dhcpclient and rlm_rad_counter man pages. + Minor abfab and moonshot additions. + Pass CFLAGS through from environment in RPM builds. Allows more custom builds. + Build with Heimdal in addtion to libkrb5. * Bug Fixes + Use correct typedef for older versions of sqlite. + Update mssql schema to add priority + don't complain on /dev/urandom in ldap + fix == operator in update sections + Don't create DHCP strings with many trailing zeros. + Allow MS-CHAP change passwords instead of complaining on large buffer. + Allow assignment or equality operator on SQL. + Update aclocal tests for FreeBSD 10. + Remove occasional hang in rlm_linelog. + Copy VSAs to inner tunnel for TTLS and PEAP. Fixes #1544 + A few minor bugfixes caught in v3.1.x cleanup, and back-ported to v3.0.x. + do_not_respond again works in post-proxy + Allow realm "~^.*$" {} and User-Name with no realm. + Fix leak when creating unknown attributes + Fix Debian / logrotate. + Make OpenSSL error functions thread-safe. + Fix crash with rlm_sql and updating SQL-User-Name. + Debian build updates. + Allow regular expression comparisons in radclient. + Fix memory leak on unknown attributes in detail file reader. + Update example paths in "man" pages when installing them + Build fixes for rlm_mschap. Fixes #1489. + BSD build fixes. Patch from issue #1583. + Be more careful about /lib/ when building. Fixes #1585. + Correct ifdef placement error. Fixes #1572. + Allow for more files in internal "exfile" API So it will be possible to open more than 64 "detail" files at the same time. + Remove support for statically built EAP modules. Fixes #1591. + Many fixes to rlm_python from Guillaume Pannatier. + Use correct week adjustment in SQLcounter. Fixes #1608 + Minor fixes to allow compilation without DHCP, VMPS, or TCP. + Fix checks for module / config file change on HUP. + Compile regex comparisons when sent via "debug condition". + Update filenames in documentation and examples. + Don't crash if SQL connection becomes unavailable. + Disallow originate_coa when proxy_requests = no. + Free rad_perlconf_hv in correct perl context. + Multiple fixes for Debian builds. #1510, among others. + Set OpenSSL FIPS compatibility flag when necessary. + Pulled fixes for the build system over from other branches. + Fix OCSP for RADIUS over TLS. + Fix skip_if_ocsp_ok behavior. + Better fixes for systems without closefrom() but which have /proc. + Minor build fixes back-ported from v4.0.x. + build --whout-ascend-binary. Fixes #1761. + Be more aggressive about not opening new connections in debug mode after CTRL-C. Address #1604.- use %{with} macro for conditional inclusions instead of hardcoding version numbers - improved package descriptions - fixed builds on SLE12 and SLE11SP4- removed installation of experimental module rlm_sqlhpwippool.so - update to 3.0.11 (fate#320481, bsc#961479, CVE-2015-8763, bsc#935573, CVE-2015-4680) * Changes of version 3.0.11 + Feature improvements - "unlang" comparisons of IP addresses to IP prefixes are now detected, and types automatically cast. - Allow shorthand form of ipv4prefix values e.g. 127/8. - Add "auto_chain" to raddb/mods-available/eap, tls subsection. This allows the disabling of OpenSSL auto-chaining of certificates. Which might be wrong. - Added printing of coa and disconnect stats (radmin). - radclient defaults to expecting Access-Accept responses to Status-Server. - Updated dictionary.lancom, dictionary.starent. - Portability fixes for Solaris. - More errors from ntlm_auth gets passed to MS-CHAP. - Update abfab-tr-idp virtual server. - Added "filter_password" in policy.d/filter. This removes embedded zero bytes in User-Password, for compatibility with broken clients. - The server now issues a WARNING message if duplicate configuration items are found. - TLS can skip the "verify" section if OCSP returns OK. See raddb/mods-available/eap, "skip_if_ocsp_ok". - Set TLS-OCSP-Cert-Valid = yes / no / skipped, which is the result from the OCSP check. - Interoperate with AD and "LmCompatibiltyLevel = 5", by always setting WBC_MSV1_0_ALLOW_MSVCHAPV2 for native winbind in rlm_mschap. - TTLS and PEAP now require "virtual_server" to be a real server. - Print WARNING when TTLS or PEAP identities are spoofed or not properly anonymized. See RFC 7542 for requirements. - Various rlm_python fixes from Herwin Weststrate. - Allow setting Response-Packet-Type in "Post-Proxy-Type Fail", which is useful when the home server does not respond. - elasticsearch updates from Matthew Newton + Bug Fixes - Fix issue where field nas_type would not be accessible via the %{client:} xlat, for clients loaded from SQL. - Fix compatiblity issues with OpenSSL 1.0.2. Ignore calls to msg_callback with 'pseudo' content types. - Data type "ipv4prefix" is parsed correctly. - Use correct talloc context in rlm_exec. Fixes #1338. - Complain in unlang if "else" is used with no previous "if" or "elsif". - Send accounting status packets to the accounting port. Fixes #1364. - Print out CFLAGS when doing "radiusd -Xxv" - Fixed bug with coa/acct stats value #1339. Based on patch from Jorge Pereira. - Fixes for LEAP proxying. Don't use LEAP! - Fix issue with "directory already exists" seen when doing "make install". - Fixed bug with radmin related to the option "stats detail " - Complain if the detail file reader does not have permission to read the "detail.work" file. Fixes #1398 - Fixed SoH. Attributes were not being copied to the virtual server. - Used a wrong list to global statistics in "stats". - Create EAP-PWD identity correctly. Prevents segfaults. - Dynamically validate authentication types for PEAP and EAP-MSCHAPv2. - Fix includes in installed headers. - OpenSSL 1.0.1f and 1.0.1g do NOT calculate TLS 1.2 keys correctly. See raddb/mods-available/eap, "disable_tlsv1_2" - Allow password change to work for MS-CHAP. This requires 'r=0', because password changes are not retries. - Fix home server fail-over for home servers using TCP and/or RadSec. - Special characters in expanded regexes are now escaped e.g. User-Name containing '.', and comparing /%{User-Name}/, the '.' will now be escaped. See src/tests/keywords/regex-escape. - Use correct authentication vector when sending Access-Reject replies for RadSec. - Set FreeRADIUS-Proxied-To in TTLS again. You should use the "inner-tunnel" virtual server, instead of relying on this attribute. - Fix debugging constants in rlm_perl. Patch from Herwin Weststrate. - Add samba-dev / samba4-dev to debian builds so that rlm_mschap can automatically use the new winbind API. - Automatically skip zero-length attributes when sending packets, instead of erroring out.- fix bsc#951404 * Rebuild of freeradius-server package fails * fix source url - ftp://ftp.freeradius.org/pub/freeradius/ + ftp://ftp.freeradius.org/pub/freeradius/old/- update to 3.0.10 * Changes of version 3.0.10 + Feature improvements - Do more optimization of unlang policies. This makes run-time a bit faster. - Re-name most of the functions in src/lib. Third-party module authors will have to do the same. - More documentation on contributing and how to write modules. - Update radiusd.service for systemd. - Open IPv6 proxy socket if the server is listening on IPV6 auth / acct / coa packets. - Create debian packages for DHCP. Fixes #1125. - Add more tests for "update" section parsing. - Update "man" pages. - Update attributes for Alcatel 7750 - Add dictionary for Boingo Wi-Fi - Add support for DHCP lease queries. See raddb/sites-available/dhcp - On HUP, check all modules for config files which have changed. And only re-load those modules. - Allow FreeRADIUS-Response-Delay(-USec) to be set for RADIUS packets. Patch from Herwin Weststrate. - Documentation fixes from Alan Buxey and Matthew Newton. - Update "logrotate" script. - Added more RFCs to doc/rfc for new standards implemented by FreeRADIUS. - Don't crash when doing "radmin -e "help hup". Patch from Matthew Newton. - The dictionary parser now does more sanity checks, which prevents run-time problems with invalid attributes. - Update debian packages. Patches from Christopher Hoskin. - Many other debian packaging fixes from Matthew Netwon and Herwin Weststrate. - Add "session-state" to Perl. Patch from Herwin Weststrate. + Bug Fixes - Fix rlm_files so that there are no collisions when loading 10's of 1000's of users. - Fix radclient to use our internal v4/v6 parsing functions. v6 addresses with ports now work correctly. - Fix sending/receiving packet messages to wrap v6 addresses in square brackets '[]'. - Check for sasl/sasl.h when building rlm_ldap, and disable SASL functionality if unavailable. - Fix issue which caused a non \0 terminated buffer to be assigned to attributes if the value being assigned contained an invalid escape sequence. - Fix deadlock when reconnecting connections in the connection pool. - Fix potential overrun in functions that used fr_utf8_char with a non nul terminated buffer. - Fix decoding issue for Tunnel-Password type attributes which were very long. Found by Denis Andzakovic. - Fix radclient issue with TCP sockets on FreeBSD. - The server now creates ${run_dir} and ${logdir} directories in daemon mode, when running as "root". - Handle tags when using maps. Fixes #1191. - Fix crash when CoA packets time out. - Fix parse error in rediswho - Fix regex support in SQL radcheck the "users" file and radsniff. - Register listen xlat earlier, so that it's available when the virtual servers are being parsed. - Parse Ascend-Data-Filter when given as "0x..." - Print Ascend-Data-Filter correctly. Add test cases for both. - Allow old-style clients again. They will be disallowed for 3.1.0 and following. - Complain instead of crash when "else" and "elsif" are in the wrong place. - Clean up memory more aggressively. This lowers the maximum memory used, most typically for TLS based EAP methods. - Prevent the server from unlinking the control socket of an already running instance. - Fallback to using the configured OCSP URL if one exists, and no URL is provided in the certificate. - Return CoA-NAK if proxying CoA fails. Based on patch from Jorge Pereira. - Lower peak memory usage by decreasing size of internal memory pools. - The control socket is now left in place if a second copy of the server is accidentally started. - Allow virtual attributes in "switch", "case", etc. Fixes [#1240] and #1265. - Many spell check / typo fixes in comments and example configuration files. - Better handle multiple DHCP listeners. - Don't print secrets for old-style realms. Fixes #1267. - Don't fall through in empty "case" statements. Fixes #1274. - Update EAP-TTLS so that MPPE keys are correctly calculated with TLSv1.2. - Always delete MS-MPPE-* from the TTLS inner tunnel. This allows TTLS / EAP-MSCHAPv2 to work. Fixes #1206. - Fix off by one error that caused some MSCHAP-Error messages to be sent without the password change version (V=3) and the textual message component (M=). - Always include C= V= and M= in MSCHAPv2 errors. RFC 2759 does not say that any of these fields are optional, and not including V= caused errors with wpa_supplicant. - Do not include M= in MSCHAPv1 errors. It's not supported.- Fix boo#912714: freeradius can't use ntlm_auth * Create winbind group * Add radiusd to winbind group- Remove gpg signature file * The gpg signature checking is broken and doesn't work- Fix bsc#935573: Insufficent CRL application for intermediate certificates * CVE-2015-4680 * freeradius-server-CVE-2015-4680.patch based on https://github.com/FreeRADIUS/freeradius-server/commit/a03814af310bb3bee74ea012546d99c48b0ea5c3- update to 3.0.9 * Changes of version 3.0.9 + Feature improvements - Make "pool" configurations more consistent, and update documentation for them. - Move connection pool logic to "most recently started", instead of MRU. This should help with pool stability. - More VSAs for 3GPP2 - Added examples of multi-value attributes to rlm_perl. - LDAP-Group and SQL-Group attributes are now dynamically allocated. - Only the "sql" module registers SQL-Group. Other instances register "instance-name-SQL-Group", similarly to "ldap". - Unknown attributes are now complained about more often when used in unlang statements. e.g. if (Foo-Bar == 3) used to be a string to string comparison. It is now a parse error. - Rename RLM_COMPONENT_* to MOD_* in the code. This makes many things easier. - Move to C99 initializers for modules. - Load modules in raddb/mods-enabled. This allows attributes like "LDAP-Group" to be used in the "files" module, without explicit ordering or listing in "instantiate". - Added 'bootstrap' section to modules. Third-party modules will need to be updated. - When adding clients from a DB, add them to a virtual server if that virtual server has a "listen" section. Otherwise, add the clients to the global list. - When reading dynamic clients from a file, don't expire them if the underlying file is unchanged. - Allow the server to originate CoA requests from the post-auth stage. - The server creates ${run_dir} and ${logdir} in daemon mode, if they do not already exist. - Add dictionary for Wi-Fi Alliance Hotspot 2.0. The server now supports all mandatory and optional attributes for this specification. - HUP now re-loads the configuration only if the files have changed. If all files are unchanged, HUP re-opens the log file, and does nothing else. - Much better debug messages for EAP-TLS, including which attributes are cached, and when they are retrieved. - Increase default max_requests to 16384. Memory is cheap now. - Added "stats memory" commands to radmin. Debug build only. - Aptilo controller dictionary updates. - SQL modules now use Acct-Unique-Session-Id everywhere. - The redis modules are now stable. - The LDAP module now supports SASL "interactive bind" method. This allows Kerberos based administrator and user binds. - DHCP code is now in libfreeradius-dhcp. - More DHCP encoding / decoding unit tests. - rlm_replicate can now be listed in the "accounting" section. - Better sqlite debugging output. - Remove "required" option from many sql_ippool directives. - Set default CA "basic constraints" to "critical". Fixes #1073 - Updates to help / man pages from Jorge Pereira. - Added more tests. + Bug Fixes - Be more careful about unused config item warnings when using -Xx. - Move more defines to be auto-generated. - Allow virtual servers in proxy fallback. - Allow %{module:} to work. - Don't crash in RadSec. Closes #980. - Return better errors when a unix group / user is not found. - Re-enable detail module "locking" parameter. - Don't crash when logging replies from Status-Server packets. - The couchbase module now uses "update" instead of "map", for consistent with the rest of the server. See raddb/mods-available/couchbase - Don't require NT-Password for MS-CHAP password changes. - Be a bit more careful about decrypting MS-CHAP-MPPE-Key attributes. Closes #1013. There is no perfect fix, tho. - Fix security issues with EAP-PWD. See http://freeradius.org/security.html#eap-pwd-2015 - Fix dynamic clients read from SQL in non-debug mode - MS-CHAP now allows retries (i.e. password change) when passwords are expired. - Allow "user=radiusd" when the server is already user "radiusd" - suid up/down works on non-Linux systems. This means that the control socket should have the correct ownership. - Fix issue which caused the server to sometimes have problems when a home server was marked zombie. - Fix format.pl because Perl is now more picky. - Fix proxy to Packet-Dst-IP-Address, so that it uses the correct destination port. - Fix corner case with cursor functions and removal. - OpenDirectory fixes and documentation. - Fix leaks in rlm_redis. - RFC 6929 "evs" attributes are now encoded / decoded properly. - Fix talloc pool leaks when receiving malformed or retransmitted Accounting/CoA requests. - Printed attributes again use double quotes instead of single quotes. - Set X509_V_FLAG_CRL_CHECK_ALL, and add "check_all_crl" to eap.conf. Fixes oCert CVE-2015-4680. - rlm_expr now errors out correctly on malformed attribute references instead of triggering an assert. - Make "break" work in "foreach" loops - Allow dynamic expansions to work again in the "hints" file. - Correct minor typos in comments and examples from Alan Buxy. - Re-urlencode the path portion of ldapi:// urls before passing it to ldap_initialise. - freeradius-server-rlm_sql_unixodbc-configure.patch removes hard-coded directory in configure script of rlm_sql_unixodbc - install new module rlm_sqlhpwippool.so- minor adjustments/cleanup of spec and changes- update to 3.0.8 * Changes of version 3.0.8 + Feature improvements - Allow syslog_severity to be set in rlm_linelog. - Allow defaults to be set for bulk clients in LDAP and couchbase. - Updates to dhcpclient. Patches from Nicolas C. - rlm_mschap now supports direct connections to winbind, which is faster than ntlm_auth. See raddb/mods-available/mschap. Patch from Matthew Newton. - Recommend /dev/urandom for TLS randomness, instead of ${certdir}/random - Allow TLSv1 to be disabled via "disable_tlsv1" in tls{}. - Allow Expanded EAP types where vendor is 0 (IETF) and type is normal EAP type. Supplicants sending Expanded EAP types like this are broken. - Add support for server side sort controls when searching for user objects in rlm_ldap. + Bug Fixes - Don't complain about "authorize" in "server {}" blocks, but only if there's no "server" block. - Fix cosmetic issue where debug from the first packet read by a detail reader thread would be emited during config parsing. - Fix ASSERT on truncated detail packets. - Don't use main server log functions from within panic_action, as in the case of syslog this would cause deadlocks if the fault was triggered from within a malloc. - Fix issue in "switch" when "correct_escapes = false". Fixes #911. - Fix sqlcounter configuration to use "%%b" instead of "%b", otherwise the new syntax validation will fail. - Allow forward references in configuration items. Modules aren't always loaded in a sane order. - Fix more escaping issues. Closes #912. - Decode MAC addresses correctly for VMPS. - Fix memory leak with TLS connections. - Fix state machine threading issues for conflicting packets. - Fix copy_request_to_tunnel issues for tagged attributes. - Allow "ok" to over-ride "updated" inside of Auth-Type sections. - Update state machine so that post-proxy is run though child threads for performance, instead of blocking the main thread. - Allow "netmask" to work again in client definitions. - Relax restrictions on SQL group queries. - track outgoing proxy sockets and clean them up more aggressively. - track proxy statistics, including CoA and Disconnect. - If radmin has a connection failure when running a command, it re-connects and runs the command again. - mark home servers "unknown" less aggressively. - Fix potential SEGV in PostgreSQL driver on error. - Fix issue where fields like nas_type would not be accessible via the %{client:} xlat, for dynamic clients. - Set default busy_timeout (of 200ms) in the sqlite driver, so writes don't cause selects to fail in multithreaded mode. This is user configurable, and may be increased if required. - Convert Password-With-Header attributes to binary (from hex or base64), in the authorize method of rlm_pap. - Fix invalid assert in state.c, that could cause abort in post-auth. - Fix double free when -m flag is used, and connection pools are referenced by multiple modules. - RADIUS over TLS accounting uses the same port as authentication. - Regularized return codes from radmin commands. - Fix RHEL spec file so it works correctly for Centos7 which uses systemd, and didn't like the SystemV init script. - radwho and radlast now have a -D option to load dictionaries - DHCP packets are no longer checked for duplicates. - Don't crash in sql module group comparisons in corner case. - Calculate MPPE keys correctly when using TLS 1.2. - Fix load-balance sections. Closes #945 - TLS certificates are available again in the post-auth section. They are not available for session resumption. - radclient encodes CHAP-Password properly when using -c Closes #955. - Fix issue in rlm_cache_memcached driver that caused variable length values to be truncated. - Fix track functionality in detail reader, so it no longer fails with a "Failed marking detail request as done: Bad file descriptor" error. - Actually add the peer identity (as User-Name) to the inner tunnel in EAP-PWD requests, so it's available for lookups. - Fixes to PostgreSQL queries. Patches from Santiago Gimeno. - new set of consolidated patch files: deleted: * freeradius-server-2.1.1-logrotate_su.patch * freeradius-server-2.1.6-rcradiusd.patch * freeradius-server-initscript-pidfile.patch * freeradius-server-radius-reload-logrotate.patch * freeradius-server-var_run.patch added: * freeradius-server-radiusd-logrotate.patch * freeradius-server-rcradiusd.patch * freeradius-server-tmpfiles.patch- Do not disable as-needed build - Remove the with_sysconfig switch and just stick with versions- update to 3.0.6 - fixes a segmentation fault in PEAP module (bnc#912588) Feature improvements: * radmin / raddebug conditional errors are printed to the output, instead of being discarded. * raddebug will exit if condition set with -c was invalid. * radmin auto-reconnects if the connection to the server has gone away. * rlm_cache now has submodule support. See raddb/mods-available/cache * New memcached driver for rlm_cache. See raddb/mods-available/cache * Add support for &Attribute-Name[*] in conditions. See "man unlang" for details. * Add &Attribute-Name[n] which gets the last instance of an attribute e.g. Module-Failure-Message[n]. * Allow for redundant string expansions. See the "instantiate" section of radiusd.conf. * When checking IP addresses in conditions, make the right side be parsed as an IP prefix. * Support JIT compilation of compiled regular expressions when built with libpcre. * Support named capture groups with "%{regex:}" when built with libpcre. * Increase regular expression capture groups from 8 to 32. * Emit error markers for badly formed regular expressions. * Allow 'm' flag to enable multiline mode in regular expressions. * Support limited implicit attribute conversion in update sections. * Support casting between IPv6 and IPv4 where the IPv6 address has the v4/v6 mapping prefix (::ffff:).- Drop .keyring and .sig file: freeradius-server still uses MD5 signatures, which are no longer validated/accepted by GPG 2.1.- update to 3.0.5 Some of the new features: * Allow LDAP to specify arbitrary attributes for dynamic clients. * Allow one level of backslashes (finally). See radiusd.conf, "correct_escapes" setting. * When supported by OpenSSL, allow TLS 1.1 and TLS 1.2 in EAP methods. * Allow multiple new connections to be spawned simultaneously in the connection pool, to cope with spikes in traffic. * Use kqueue on systems which support it. This allows for better scaling when using many sockets. * Home server "response_window" can now take fractions of a second. See proxy.conf. * radmin now supports "show module status", as thee counterpart to "set module status" * "ipaddr" will now use v6 if no v4 address is present. You should use "ipv4addr" or "ipv6addr" to force v4/v6 addresses. * "client" sections will allow "ipaddr = 192.192.0/24". The old "netmask" is still accepted, but the new format is preferred. * Allow custom HTTP headers to be set for rlm_rest requests using control:REST-HTTP-Header (attributes consumed after use). * Extend format of %{rest:} expansion to allow HTTP method and POST data to be specified and urlquoting. * Add support for aliases in rlm_ldap. * Add support for connection pool sharing to all modules that use the connection pool (pool = ). * "tls" sections now have a "psk_query" configuration item, for dynamic queries to discover a key from a PSK identity. * Preliminary support for EAP channel bindings. * Foundational work for dynamic home servers. They do not yet work, but this is now only a matter of updating the "realm" module in a future release. * Support &attr[*] syntax to copy all instances of an attribute when used with the += operator in an update section. May be qualified with a tag. * The logintime and expiration modules can now be listed in the post-auth section. This makes some configurations simpler. * rlm_sqlippool is now IPV6 capable. Set "ipv6 = yes" to get Framed-IPv6-Prefix returned. The SQL queries have NOT been updated. Please submit patches. and numerous; bugfixes - remove gpg-offline - create /run/radiusd after install - drop freeradius-server-opensslversion.patch (upstream)- freeradius-server-opensslversion.patch: do not check the minor version of openssl, minor versions are supposed to be compatible. bnc#906682s390zp36 16708475243.0.21-150200.3.12.13.0.21-150200.3.12.1freeradiuslibfreeradius-dhcp.solibfreeradius-eap.solibfreeradius-radius.solibfreeradius-server.sofreeradius-server-libsCOPYRIGHTLICENSE/usr/lib64//usr/lib64/freeradius//usr/share/licenses//usr/share/licenses/freeradius-server-libs/-fmessage-length=0 -grecord-gcc-switches -O2 -Wall -D_FORTIFY_SOURCE=2 -fstack-protector-strong -funwind-tables -fasynchronous-unwind-tables -fstack-clash-protection -gobs://build.suse.de/SUSE:Maintenance:27107/SUSE_SLE-15-SP2_Update/ea436a6cecae00bf250af9f8b03f03e5-freeradius-server.SUSE_SLE-15-SP2_Updatecpioxz5s390x-suse-linuxdirectoryELF 64-bit MSB shared object, IBM S/390, version 1 (SYSV), dynamically linked, BuildID[sha1]=cc7f2b2e21d464a2fdd1cc0a642b845925079e6c, strippedELF 64-bit MSB shared object, IBM S/390, version 1 (SYSV), dynamically linked, BuildID[sha1]=7f927c30f51e86f93fdbfd4f66a5adb42936c1aa, strippedELF 64-bit MSB shared object, IBM S/390, version 1 (SYSV), dynamically linked, BuildID[sha1]=61e54bfb21f713f15b01b9d9959e945668953faa, strippedELF 64-bit MSB shared object, IBM S/390, version 1 (SYSV), dynamically linked, BuildID[sha1]=0b02572170c5ddf86eb3ec00d000f04882d43e0c, strippedASCII text  PRRRRPRRRRPRRR R RRRRRRR RR R RRPR RRRRRR Rɋoip*;qutf-8f3ead3085a944aa11906a6db80c0729fa2291020b2c95f74a496ac8815fe46cb? 7zXZ !t/] crt:bLL qE^0zF]! qh};Cbr\e 2.&0XޤVg2_xGԷ嶝kv 8wn\Bv]. tvt{hmu>`BIN6I jm/tʧ!cЉzCnY0h6<2cyMRDO ;i8X:1SG 7l+' P̘߯?մK4e]C(Ji!K ec^}un&0.hdruPȡP\tÿ NtyrL{ąCsbS}!Yz"S8%/VXq&4gA OyՋBUj2]]b9+(;ёlI9uNQBN~;װwRbcUwpqyQI:qqIpCAlOTގo&7DV+Tdj䛎DX[l{NET,3ǧl$|D0y!AiCZy_XPHzU}w#.Qw_Ec=DЦVL).N|6εD_^ލ/%ȁO\V7{ԍ$y;䎒3W,xBb8:z?5-pxL~F)E`2̹P!=HL \w)MmW'|ZaX=zh~ 6I;n9m!io-oh1Gx w"wktU D* Ud?A1x[Z@c\:Rv&ܛYgXz@qzoo+kۙS0Z@X2mtdyE1G 1m@?,nQ3WAx@K Gn(ƪY]*_VNq+KQGƫrPtU SH||͜yMXk$q7yh Wy:p6z.YFN ,(DHٵDCn2Bpl|B@kֻ Z}z.n'2+Ҫ}bdrgۖx5:X*s1At&o@Nve E fOm!p׻o\oܵ@r/eDrJ +xR1K`,17Z\D˅.3i[ a\F/Pr0VR,;q VlE~|yW[ ‘+a,q±";MSR8C2o3$Y} iP@$l%Z!bf)Ì#eҤ6>YCLyQ[u\?AJC nXA4j5BK)ȫSC~KV5燪b,i֚s0%9"쟯I{gOSYq3Ǹ.~&{sG3 ı?C7se4I\G^|1RO_E$&V2pM^1!4 X4%,d[;,K8at!A-SU< jbțf;QRR:7V׾ʆ[ d!~h/ѲoF5F5ɒ@n-EA cD'}x 3=˧SKl;XhgۦtSCT\x"%daj3 = Nm]&@Wg4!$pO2M`q|rRVf s8C4?!Rm6 D|R B/tNer9׻zρZkU(kM@w-4/pB2&:A-wJr[Tu%\>j7=v _Vbm>f(<[v}~%/៯|s2@Rl I.$kP?:Lv)nTa*$ a'/0h]߫IOku+idumEW|Q5Y'z7mG6QP0y,+$pj:` 2.ؐ(l#zPc-?-=%O(q2Z`DQ- Р{\\ʃ5ʢg2k}/cA@zCn:gVC.g_ѦM͵vH ~,F6*)I3Nkm&_~K5sΐ־IOcnܒ?a15~yH(]2Kςן1Ey)a.[ P(n~)V !V=H} #0tn64ʼ(o=rh/1G%N)U> kT\D ;A sAčvr/ŵ ,gDA4ڗw Il'!.935h=oYC]=o˒y+0kU H5[f豊Z^l5 ?T"E(|ޚşj0X;1`bI<pB);qҒHp-vl^ˆl(-TV x.^>#ؠ,A`m=kPːY1B>GC"NqU۲2pREQ#aF3^O3D =_j|~KknL6Z$Sl%j\_@XC/RWߺEè"dK#gwR X ص'<UlP^F,Б~隲i.!x"23l 9ʒn2󡔄p )-n9P?uvXψ@RzLmXt*6 g>k3]ok]_H7o3!ӋхBs84[AYǶ5})1윮q5k&偔|<-v5źRHĩm?՛Mig1*x"F " h[Q()3\'[WJb~4p>[?S7m5wg-qi 6jX@uc_}C N14V Ccv^JL v'T dz3|2޶wF7$V)1YfkT8Ҿr?p-Kb] aUdJyfkr[̒ؖx)zhoj(ťJxzZ6:Wp  ># *vԋy8G+WVH7WX`IV)8t _D`Zͭu)ZRk$?2N&.]X`]է q@i򬄢C&exqM9ݑF'G4Y \ʮuxŒ-.4Ԭ"䂄ށN5șFߍ\4ns.KaxT4mk "EKcWG@.g6Ax Bz1,gaǜ~BjTI'&Y9S*ev @LU*rjWfM|AC%܉Q}Z1-d#̵BdBĻO[6qTK%[s$SxMCxXG3$o'1P|B%tCw/S{W(.d9~0ױ>h"Q{ 27DE-)9 wu'Xp1f{҆_"AZEv\Q1~ dh`[mɔAV`PRYw^˺\Y+q|"tO[;=. qa#M(pIa}2-W,>-W2ǣ%JӼ_No(=S2AD-WB߉t)_:)6i{ (T -ԴPٝ_ɉ.pcE%v,(vh}JM O80LtFſP +$u#=HHɴּ`N+u|9X)Sp*mu\I+!_7Ʉ„'LQ ẁjM#l^arȀPFt.PjBϓ,wcP-ˬ>=$Y sSԃq%lO]也(c[qygiItGُҸb~9Pegoo. J}Ә؁)Z "_ &Hmg?em7.Iӱ|T;脛B҇E{߼-lK'ɸE* ?U}3.܁1gᭅ:F,< 4ďRED?/(Ġ>Fczp, Og=Ș h3vF+lNPk8 E #ƶl8j r="o if<}T]!@BI*a:Lɭ 33fs<556n%L;~@bJ`V|S贫,MҜ#s>>Fy(p.>tLfpStڃPp|g`]4,>+]c9&[=YûjIAV„j`]cH=:q,^&]}B_ 0 TQEW{1=DNB2{ p0lF`3"OHe.lJ14 67 uqBC %S҉t5$!3%A+pndz8c0힖o@ `4MS'aEh9ZS+!1&7֬͢no¤/(2ǭK[惕C=gI9lH^b;-,-ɽsE&" K-qD$='Ϛ6(L3Xa͆ )hp3 #>ܫhQ ~+S=?,S]eZn _&kҍmϒb.ڞ(|՝4)&=;7'aӌiX7>QpJyA1u. kQg tXt}'Y%\zuD"ݪyEM̦lXmFt?D9ETPEZI\x>XHeH7?}߆iQM.ι:}„`Qp%ZVG@EO?,>序q)+΂7UR5[+%у>At_T ?|jsuz!\f'I;i+w̐ߝ;3|B:x CG-\w ւ9(Afh-4kek: 8/$C ;{l3T`X@e1N2V*!Y$ s(`VI$}F-zXm;s mp4X׹ਸ$Hv3t}{80p;c4?z C С2b!B0ׄV ZbMl,Pus `Pĵ;Yؿ١Xbgu@9-.Qng >aKEQE|[L_ሂfVz'gv<ċR ΆSo1o^XH7guUze_Feeuy%rYO W5& |U?V.`ӣ+;4{?3> ~w{ԝLuG6F/[7|og7XLO) Q7qHDIfE-xW l3~ѱf 3UTAq>-WGՐ)Xl!Lohe1j3$;ܑ# Z4@d_` $к)nt9אr"ƒohm>{X|;cҹet}~CZc5uگ^*}dypJ)?,Z0 ssf.RTYYXeHհdX N,'soi"Mh,eMԇO ƵYGVZ}㱽N(/FUkʃfpYGiL]>VaSCH}秶e 2>=uaVH´!SDc^@$]Dq3p dquz[|Ÿf 9 wu Kqq ީ,ۄIpTwq[ˈ>L,?oG`"/VD:p Vw""~QM\gmf lpV*)*;siʪ]t2mֈ CUxԭ/F Ѷ^&$XƸ䊁&(|gǰA&7) =cFjVפPP'R+P'l:8dXT@ڍӫ~٭}N!(^1ͻ*K)Qn]teRw.F~  c,N>Q%M w ]jJTB$1VAկ./Yk5*iDxz*ƿd>+ZG(Gq3mV[8hYʣ_f-9KKǦ#1C}i2PF_3s-G7eHBb5ت?;' I f߷+2W vSUZÉEo iR-ܰ:_3!ư`.;-CFPg06V?8H(TX<hF7]u?'D Ӄodi-7!5O)E)"6xM>CԸ2ʈI[k!t+TOzzٜ~Ѻ(1.C9LwOjVpΤ]R S`U {u[QKr0{H5f9UjxdbBUTNC8…:46mk|aM'@_)uK[IC1mߥ?I-O>>CZɬIt%y> UIpL8^E> 70ΰ(Eއ&Cױ[>0n6f3iLdUkϵ0 >}5’侬"> ^XBHU8ƎGσVg[H| &"ٸ$ӂ.n&eAAђozGD44,*WgRiV 4RGe:Td J+4>-+V߯4󴵁N <.*VM Oo 'vh|0\xnqW|j:Pzi^jm]c9CVzv~>u B|JczރpK-_(| ös CE]Ř!!!Va+fr؅#)m'ް;r4eɯL BtX;vW:fiaR+E?ysm(:EMd!κ|{:n5Lkg CTwz Xz7R(%Pd_&z\i(^*`~(h.F{ ,i2DuwL!>(؁H"?w+&زY(|MHO6#?p9vuj0>g: [~M!]nc)j81d}aaOܝ5qQZhaN 2\BEzufwyO iZ;T~q컝br .Vb۟m*+V{!xn?m`wYAՋ7# : 06Idz/Wj䠵2='kϡr"7*ʐ]q،3B\ߜOIA@MV>* oH(ܱurH>PLeG6#0!ΛXÇ~/Q0$ɔX..wĻ̾vY &5BEf/?DTt2q6"A`t,9W`ߢ2t#:P"7t s沩d.A$Plꧻq|?L[+q>cħ 32H,T˚)Xo{Ra>Li>bb=SS'%IUS{$fH̎e36 _U-䷪xSj47~t,f 0cYB@A#kp͝.r,쿷9d=4+M+˩) =4!LY] K(ݍfo ϯRWY@`)+9O?kL?$YjuB\7%@%XN^"ub6`@8d[zcU,2NEf%΅`0&z*\GM"3 1"T[ N+ĀCQ|i46v U>Tzp-gX$I}:"Fg6~ؓ}dMO0>7Ȑ+y` GU&Y0X)&.ŠPQ%& O+/ BR5MlL*36@]xfzOőzf\ʚw+6/%B:+TčkJF#^J'?ڂ:ˌY@b~E>׃$I (+n6v@0ºr` %dNJCshc5˪vsIKAv B5' .icڳIҁD}'xQZnM 9}o>-Ĕ0HzCdBLyS gddd_O2BՅ?LT^ry.j O4o"h ]UL,"v lXMoe!WFڒqݎۑxW)nikVmXyȸw;Bo 3c:2B{31J(^̞gIyEE+&0Tjۼ|7zZpyS-%7N RHn.ÿDœ#poBHф7ۙ}KuI#UNu.sl9yܢ7Rޡ4?*TR$ɿSE9qlϠZNF*%!z)Mߺ82ryۧBooJB' ړW8KESkbMWki=p~ h5P#4k U] x-\\K]0!|(RKW7 h7RZ|!J>%Li|x>^#P:Ո N'u6nŠ0+>x$-'AXLa؛U7&"oq YTb%?#=b8Bpɰp"=ZKl {<ϒ9n'¼CIDanO?~,f[΃,n'@iaff \22`*bn{> K "5 hvY8SلPL fI #A bDQs[Ep`u[j=iI"َ:=Xb@tRa\sHSR6S\6L ŵϾ@cG.*h AUY:M0/<P؊S}79|ΦϵKgN˚_` YD UL` z`՚~h}7ytѝ%$_fMI!O?fLLO臅5Sxt],N,RD| l ' '"C{[-!t5ik bSDO}y\y t +dHh]_Iy/'# O]־ mւ'2u60'J-_97_lrc&}ָ,dZ1?P1B9Fɱή_DM5uA:%TٽvT,%mnAQBbߣFb#`"Y?jI!)JaSGjL>3ǚ7}rt z0Ĵa =O],=(ڒ[hqW4'N朿E+:;=A{FJu][mf2i^ly>HIލ{I",K>Kg9|+c#kBfH^z+8WaT 8AKekӨ`wẶPpcM*Q8r'-~KMD6 wZxCRr9J~^ ma8P@BPvM$ NbG38!D<ݴv a ȾyؐVKPH|˰@8x\y]Xæ˖Pm6;S ?RtN!6l$-S@R9G-Oۣ@JDúRsgZ)~*XSKV^եks0"N^/_}N0$k2ʫ$׽J˰c#AX =qΟuEΐ*A'%=6VIO}C>Uz..bRTN dW6jn9h`;^)J>-I4g@U$}/,@Zl+4q;dGӘ+*tUg~M]jJ ž>RVn#R!}10S̏}aTkC3+jHcg[3Qٌq\q# a_8;!NX6^zե1z (#_G] P5IR潌VJdBm2".)Bxje@_ 0O>͈|o6wm 4D7_U+8IKdYz,xÙZtT`fBӘxDA(9>ïpiHC' W%1%6nGx@V*6MDvooNK5Gـ%_[SV1#֞U||<̇!kN\q@鎿z k4.Rf泌5ݷ),;"G3j׭3:.7+AkWuSFǔB:5 D0KQޙ35clփ<ߒC3VD?9 C6HI Upte??Hth9}aRil,Dϋs :X %ORrHX}Cb+>L3~*Kꘞ u+򨄥֝6UyO=TZ5>1^{5D]Iv# Ecus>?kQ< ޑ%2KqٽKJgE{/,/Rt%Δ+^{nј~^zj%DK9Q"*Bj6:50esi7Y8/)u*ùrQCo Z⍙tT[RpZ[x!4itϚc܍qƧ]G\I('¸>,{6`C7]]~@/ywo`T8*Uھ8wr)~. Xc!-$LPϧok/Iv8llPVq_" =7 ګ8`ۛX( n;Ejcʕ}] -ӿC.!7!skgCi>NFI`ə^FOul~L]OJt;a{XMEXiy'e'9IUL.7;7+934C0񭩢./<؆;8>ށ<%6z&YF(t 78Z?qi{;Q]^QRmD群,*BĢ%7HtFU,4$KFb1Qu%"3ǦW[f%@K L1ay 6<(.b+?uh2"{z_Tb̼;A_a,`. =<6xX`g[QTFqE@)9I>m61CyoU!XbP Vmܗ7/"NmV1}aQy6"Unͨ`Ìy˂:·ݨe?e[k?V>c! 1]fKeB~MW(<)sL]kE=h2 u9S4Pxp8kHQ꼯(+m(RGټ4Uy jI$d DOߊ[|%Hv%R,FNXeuǯsvyz|8jb%:GLۼvB69 Ə-h-Mh=TJ#]4PwcEܘcQToF\OɥZxU ΩDQ-SWF RK q(8@q8@28V+d3LPZM#hLQ,^˳?‘RGuQ:Q S})А 9W Ŵf*#S::(I2Xg(ߠ ldA0LZcu1s6PJzpXBAA2>4w>By_г^"X;>qҳ >*k#1uYP>voB4g&<"iD^7iPlQ,+m|!봣4+m;ݽ]'Wj ݄qm}㰜Џw*Ny]Un$K*]Y+"c7/x{NGiN$ {9΃:j?p_= yT:ݧxvKuI,nX/? ..X5߭l=6 @KZ1پ5T/bѡߠn?EL2r)y7R܍t0&T.1WS5AH6K+85u$;e+óD\l]##>d \.t̑l=<s{aڈzeH#SYΣOdBřAJW-׳ލ'P<3YT3 2V aM;j;~Xoֹ jm"?m쉞TSPݶ]$mL4s.}Ol>H}p鈰Qç["ɤf2fy2}9v?Vr~ЕG9h,zƱE#I 29AHO"5XkԌ+IJ 乴vS k.PIK/婴 پ\\|T -+/m9apxRH4v`L7+&w}Z9uu#}@SPWdz8]~R88P6pۛYVKs葖܈8F#^hS^xБHhk&2#6xVT{{JF4ნLt]20w`/XMXu Z=ҰDʡ+_[ԥLn p_ʹr|K=PM.>m@gD(R=S'Iw E:/{[I'3wehEbU]GYn߶Җn>x*ӌ-eGJ Ixlh<@T&8?Ttr#mP)Wkt#G-EdgSFw{ ٶ"Iz VKg9t8ԓa}D!d@aZi^ v:(ښ{n0gY47>5#z{U} *|b@L] 5GdWY }6:P{gd3NW# Wh7A 7F~Ӯ$1ֽ(9bPb[tc7BHA7f^tq>遙~Q$Τ}[\N ; f#6AħDڦEdYA*߰Nylw尅ms"tS0:fi~LRK!T&9aOdldI 0?c1m98%;of#eH}Ct fLz6C %\t~2Pm:Z.iX|"A9 |2uk'!ϲsw&ƺ ,dׄPbT*0pfZs$ Nr=q&QEKj,AUvsۻa`,5)w˾1D#Y su7F;Z6(4(&U$-1"S6n bO%3macYZ#>4HYJ*N_ yMJE"I;da~X D2p6-\zfͳo]=Xm!PGf^GQQ 0TV{V4 D+L*qO~_ flJM: {qj l1"񇩈Y eG!cs+{6V؉(~Qx^A{ ) B`& Rc0 >%rE26Wtri7ׇ(:B(QE+&VEӗ; z+#hmB;龦@IX{L7ONA) l3P*p]EԌ-j Rm4}aow g7s6=hK]f(>t6]ñ CVbjU;,FKN19 И <}5M0"y?\W 6uwro 'Fw[BԹ"AyLy tXĢpNHtb&-—x̯jQ|LlxMx^N=Gf(ti>x@X0xL蒠[ѐi)%0҃8|MkZ~;l]V$}}F%X4qn EmPiJ*bıw@?K\i+4(S9kUcо /QU3? N6{rVʕwe yDI]TenѪ|2GW305?߅hm+ Qc09&/ <.C\{5o(~;^`e&UF fD6R(.pk7?Ga-- sf;2m+/>A>E"Bhux"aM2)`z;wŠVFtrB;?S@yL-G_ް *nvhQpPz`r2=]+9?EX^&F7#B,sFEfQ zSWrH0JLQȄ!gv:‹ژie_503x5v[oKqc~x]/ aïؘ b+R,k[",cbQ,R ˜$Q@lKP |}dΪ@Ş );H3e7ߠ )1] p!$.CNNI%*&Ocq[}pspZi[~$+25F`\KBD;q=)2ݚ8=oJ;vf9|ѧ$$vm3l>9Pޤͻ ^O;;l9F!bR$CP mYIYZR&M-&iL}w54$UdZanpN~b7g$PUFƩx mW(82 6wm_c{AӹGyO 1}Z:yw 12$H6}22] T@D465f~\9YǰP0N"FU_۱< BAz#j偳 _ &,  fMFʁCWzv.7\duZ`g2 gTIԠx|HN-3+ !=en Qh2.n$\SB־womm<7q{( mXU:6[kqC Ӂdz.xpjO=컳7^hHETbb`~8,l}ݛgG8#v2$GR?C ׈<%U:_Rɑ@HRx,Ulwb QҾo8 %D|nX̎jNpۆx gRB$CI%>`~K8q?hc |Ld3/ba tZ&3U:FP)F`}R!]_7 x5⌓yx3y&w|!Ie*d ۋO`p@Kzg Pz{!Do?-;}<}MINRCϜv^έÌ8cw9*PGڟP+I浾M$ CRER `**pŋDm89,YnU•V|Na(jۏ$WgO,,ڔ^~HNq̓+\tX-לnk{PjO¿Ÿӫi.`ךk66 b1y+RӇoWD\l7Yg/'e )yY֖[֯t8 tCY@IAzϕ,;(3~tY9:'{`"^dEU5Rkp>#{C"h Bered`=$ܶVWh?(U6^%u!ƦW7 ddvн !WrhsєP(M3o񃮈~l¬fTd6tjfpqiLj+htgs&nvuկO!طf8R v H,^Sg=6 Pd62i.kk=s7.Żu#"jEnN(6rVrA' =cd-?۲˒gtV"떽'^) HU>993 (gXTU0n!1go$&]W_ ¿.?~ &7_ f~0ݺHx@|pk3fKa`& !CyК(O4čZ[@}yT3'K@Ό LN 5s'c loc'"I4vMۯ qR {0 u Kr"@)þRơf5 kM`ۭi#o<LrhKEb&c2OfTw _ZY$ٌ-> Lv)7}]PߚL#cbag [Q$R } (֏(ȉRcJpj1PtWUt"n>9٧Wf9 >zD@i;:!6茔TL`7\ٹ[eQ5aG?u >|BYkӁ(T.2 L4A&޴H){%^L x˜Cev{N̦K]\?;: h;4_q&rq˂X6iDSC3Uywe4h ~h|‡j42aʚGJUP68iuiR(ovIQX˸A 1/F#piM,(ϢA뎧6c@o#^H.bh_%=XJ;XZ<5CKq 2K䓫~ϕ-G f=f)X)Ǻ*Z]YeZ݉Ė+k7p(yp`9 wuSv1~V>猌 v+e %ཤWD_^6a'=$2*KYt;.76Vt9g*gi*<˰.1=zd_# #I"\#$[켂fss!PC{oh+삙810td<-Q̡ܸ+bi.1ւ.[W !8qޔ+ۊq[ƄJS)JCFgS@>.N"y"m+nHɫ3o lo_ ՐcC2$Šdd;[|IY7j 8L;*-bTL"Uv be6CO\1Bg,[W̑~1:PH0Є%CTiBRgc95n%|Va"!:ĵ 'Y| ̧o~um~=Nnu{y$hNPr/cCSPhn O5HV6:  E|;#-Tf{1Bpuiϊmʵb>u MH/)T%6&#l[8a]a/@lX1E-NDk}%^8y 3$Ahp()b[xq: y$u/*crs]Q$C+ hK#T6k1v뚞FP@lRb9WX;gE6pGD"Fiq=|w#. "/%K-go!nu#K``ue~sr&ݎt_n D#h/;7*|…vDYG$772:JI!o3<R1rg t!% ZG> ]pBz[nLt7]Kj~q ">mσVt˙[O,=)s\># ۃ`@Yߘ].t0R^!rI BK7qf+r2j gT $D gdPQ R;ǥ(c=K7!FTv|UC^g uPWs*us5ko1mtZ$I/,yCJ"J0*t1He%V4$_ߟP X/&Fic37}Nڪ)F!#%2|@~^5;1|=UrFmL !6%R/t~$*T-+_( 5>4ɨ3e!iO$}xrECV"|uX\iJ!n@_q".dsI5A,O;fkax#U/Lj{ ޶:w;;P-ӓGp*eß=* f0 5'R6 ~J<1|qg\3p"{ 3םbJ^ufo*<8Ax'^.82,K2jt8_ѻ,1ja }TXg 'aAEQEī.F2~ {^%|z2Hmcc=UcPz7+m^CD}棵BM%̃[9NY1DlrvC#oρR=Bv\ 8R.`_[ }VC>) ČU^>*KyQ8 WHn *[I pshk7؝w0tR^QWnz)Ѻs":?-Yt S3A!|jHBreؑrI0KȮz$v:&i \+8&yW ;?''⪝v+Pb-$Yk=o+kƼ8bcaq6j4h3m x'8rǂWy^{JvERS#M)J!r @CiV뱈6MTE 2 k_DbS!dff.`cqb+OB\7z;+zt81`wL{}#j)v ^aXb#YMӋ:I56kP:7u'@MDSjfga-Ԝkxr=1 FFۊJj{t_euh'ӆP7p9Em AS׆b'x\A%\f+-6P5?:$Kǩ2\:Xs8uVpD.W~aC,`zAiIګyK41f%Dw+pnrN+]%=+#6Z֫_Jz~1~;0@!ȵ!B:ojcW ŭC*dga&cpyV+u?2U+c!r[%΍IJPƸ"dcN0vٷ/5f6 nL'bV,ׂoA <ܵ  e$SƼ Rh3h`}R$WxD> z7z24sO%\[wҜbr_AĘ!Qr9}PT.6:R(|OՊա]b5gN.]\U S14-;8tanp| b>MG{8w0E@z~d6 ,c ƺ;0—* h+WqBhje@>yk!L(o-~}nґ /!k7ƴ.?i2Hp¨NnutM &vm!lbbb')=ୄKk: ScR:0̴WzS#.8r 2I;*[Cjk0٦!̿؜W:* Tڠ!"͊$p lZڠK(Ȁ (QVNQſK<@u6 /semҰq!#h3𥮂 6?`Ҏtu?-,@,=<3p:&v+{#2Z^ʀA[[*7F SB\+i)h5$ҫ 1ɶBe?< `JT֛n2_$̏0$%h˸-.s;"m`86z̊v̵ǘeaԀ0͓vƏ8"&6My1]W ϤCI8o%N r̻$!!yvdEV{s5~C4:]J-gJҪ;f 2}FG =/m`(cKƘzqVeWg<5UlňaH^1}=CA~S>e=`+dgjf=_҅U:5A62ɗb8ܠ1avO6) =GuU1K26f  Ƽ;h?ZQƙPD ́et+k*o-u'|AbMVK GJUI'AL]LM̠ƴDw&L* (J(‰}Y`uǼ;k< -ʏdԯ&c A<$_)ALSfK m|lLy7i4ZI$$BP m eZ'.$Lhu,X9P#%Z/{> L̮o@?!,h˓Of.Vn !'=‰a7c*<WGRzx)nTUƯ$4jejMF>7 S?15ţKqfw^;0=/ )KF8v5^̔EEaL![uLm{O(3B(C\XgV2OEL5fXbZ: `fۛuoWٴ eeΣuo/Z:qP۟kR#x;PEZIlqa`K(UxAl_z,ȟgW^N ֳV\,kD=2oeX:tv"^X۴Eq^'ŗ',g[9ӊ䙻W .O|9 ?a@)7QIGJD#'swQ'?!Uf6,u:o,%-IZ MCcKn{*'!`6hdG$_Bh]i~WN'0SƺRF%U7/ fMdP+WD#9\)`|t!IEȔnx2Wv%pMk!?bdE2BW`Ҳ--U:BGȡܛÁa&?Zkgoli'Q<`q^X)M__ j zmN2P3Ro0kW~ʁbs&5(땢ic>C>C3U'l^E)6EGE<'" w{甝O)Jp?ސA}HvF|W'X?1fmM|)lbVY'9fݨ'StSNRb[ƾ٥7V96p sy6B?YEeGrM֦i5l\!㰮|5DZ٢TF oZ(lYggrz 9s8G_)ɔIۧj"R:jT$|;l`Z^T0KK09cݦG8cHF=l] lhCF-.pH6wMw=^Jݘ{ԺC'6PI"rԵ( @8lS8(VzU ]t7x1r  K sJK @H5BKDSeNB 1JƍADE9'Z8wpAҔ,ugWҎP>\8$zSh4eE j'Bi,!b :k^J#x6]fVyTIh.r^G~K$fe*hcq訨YYGrd[cYQBNP<ȩTZnn(XEv>9Di2>w;8I{߂32Vr=p{ nechA%Վm]0ɍoP1:+B9%TYV'e o/2Cr=ÁU`H`s6;rI eX*Hk$)'6+ g/\8&63ct8*Rok+H7ި;䯬&(V$QZ`Vښe!=J9oBEwG{iL"cRoQ+;>NW6Stp5%#08^e]+bۂPZ0TH_+4lq2!gV* JtB֐&Xw9BرTr&٘䡍('N!ڔëF$.H/9}JׇPcmCZdÜb,#>>SEMҧJԚ=r_b}5APCӦ7婬ZDI,%Vk`3hmߕl!Wn::\du^Zs! Qyt^g$U=U $=ԁ3k&?E,A クpAcJ =lHq`x@[KuT;KYr[$Ζ(ڔy ڍŗK^W| ;D\2w좕M!_/%ɢ'đ qx[8ٸ XϏ =洠3.@}>S"> 0[GLo|Ǖhg4ߒo58!ež NdP?aOb"O.T;b;V۪\$@@@0)( hd@{oROXPѱZ#ªfp~|1 ݬ̿A~QNΠ&|Wg0 /$V*QJZDӭ˲z+^pm Fޘa1TdBD'%m( U9-$h!e<v_^p AeNY{=~ 34ILe&du1TK˞v Eb ђH҈=_y\۩ b P/N32nBz$yuXVTQl|sB۰V؉엾 #o6WOM=.E \?3mM24)S^WXi'͝|5Kua :Ė}'[?Ob[pL[>Z8}&Lkh%GZGd88ɁQ34YEX^v(tDZ<ӯf/tQ/׼[Ȋ_H} *j;0^bL=K݆ \(K2!1CK1^g`a+6knj i1X`,'˻n#U.g2 ,.d eZkcUG\362M\IK@jLC۝Y_"̔A2Uo9i#H8Bh]/0}w)Nn}^#$HU&lU6܆ %ߜ@/VBXxiS5bLJW5DU)%B׷nЌ/GnRWr;5+M)k6'D I=^J?~^z xl9=-ZX0CnbPw @O G@ !dS&uM Ws-BASGbf;g7 ,3AeC6PxyIhc;}nҋp v; `b "[{L&Cx_6.)'_㏢ˎ]2!H;Kᄇ9SSu`×Ĭb#b,ݘ'Ӟ'5y?Fr/iWm@jc$ߎX G. #T(r}}g]ZQP6ϛc^<48O pYTyQ9-I-RAVίtX[CutwKLOlfdg0A3(ܖ{ Rl#̾dd?:wFBA2tS@/}ȦE˝ xBذdw:4ܬ0IbyT:b=R Iɼm}' m)X)LS&q VC;vb.SzXe)òԯI}Щ_3٫|i#;!ˬ=@Tpqbxp dgDK~UFKv8ϠK0`tI *:ȷXOzQsL3 ÂN M%. HU9gqKߐOr0B \&%{~j#+b=;rUȒ64T#t0Q0ӧ:?9K:x{-=', 魓0ʣGL᷆SpJ>Pn6XLHWoSIyt!~>Y,,}% pi+ACOhLr݄n2K@+5A5RBf!y,zO2MXVBouBDžw`A'MF6$ND9JiA3iW(8^R"%;RT&ztTNթC"/.CaҔS4|Vm%ɡ'y\';P}ERb&"Ruv؄l i'Y{Y2繞'uPg27un)᧛ybb׸WZglQ lurK7P cDd42B>:Fɖ2;mЎ];.B 8f)>Yq>*F'`%@ڶ{<'.PaT|)YK7 Z@0<ޛ|~wjh, * 6D =B( X=.hMX&Gtu2LƖKoKՙ$of7"Xk=c.C+TCsօ}Dz|Li#R|*Ry F[tǿH%djL]#i;94XQ8o9;OF$.`"_ZEӅ6zNFF=M/Hb̵WSĻ_U;.tk` y~{X%,qKABvK7kV'ѩQe?8 zQpR82c§v!;W!?j+lL-84pM2^7#)@E͛'wQ GJ!@@a9eF`gڔ2J9DS=o`}>x>}BG5p0IE/\Y\OtqT]$i^92s-5|zʴ(4mm3 8TH~<,#v`x݁h|!S%w#Å:yFo40à2Aő׋j+I9Uf#9gftГSa_6ulxj"k؉^r[_wݔzy{~%5͝=Y|\wV$D7ig UV֮ th)sYn.%tט8~f+!6y prHڎ.jx]%^K3ۡԣH BAy:\V9; ҸFV#J^&*XX&4)˿"9"쮕Bl뺂bpV{ZjK $:_d,!-AqVBr`["ry}Fy]teA}~?ejOEtCS[M#cW?ۉW Q37^fX N]G %dwie6xMI(0(ױqdRڵe<11|*>Bxi\юA*^1>GVođ)b&?W?Jt3-a+v[&%qz՝.-\"q2Q5,dVxhL6lF ࠾D κLk}9&|x!YH8㴗v*M Je< [GnVt6. _ۙJ{kI5%ό#GڒlDYL$A e=7]-p}X>iMuhavp~VV*QR-h2.5u)iu za@=E'/A{zT f.Ȓ/_̊4sj y:1'y͚ "fT`_bHy :u|ʩ&# 4| '|:JhG$m|-R`W$urQj?*f39GNWæg$lѕfaQ;ħ<+txYuI>g/fW/wuweq̶]aA)RqԄAo],96o ,r>D{n,Kp{F@q$;}\bUL\]PךӹӸ6; :ĪeLb(f+Rp#`f P,u%KFaԳTT.>8jҌY!.^ \6dؤgAbKhg#M1K}^Bd)Z!p # ^tH WCB q8%tTh{ՑNcp1E/v)qlRw>Մ7Lp_}qő3Q,FN[g/ZF)._p"|M)P]*WeݗP@m ~PQ5QT&:I˼ Nf$o]ND=yR*"n NP;žW;tT kNX- ۲tk+P-/4;E/\S\`Еh K>xnY.fYiU4鲙Q*&䬸yx2``ADhEQmhRO&dGnOjy8xZĠE\SC9Cfy 3˪&l#d9̜dƒoP:;nVAT80~Hg|Y쓄.ANX[(//ܿXq:YTNTS "CS8S"dFY=c{rg!]cD[%ke=wx >o|F _Y'lu&Ɔ*[+C$X(ڣMȸjoxM ]?h 6 ^5Hu9yh.2~A3=I[#Sy?Gq5,G7Ŀ,|m6.جz(qfw q%DTwtn&CV;ӡh8[e8}΍wbD/s3zd3pj#a{|2Է,tѥw|] Q?sdj!]DLEy:5 ْxl~+brQ_u!WJF'}Aڪ0ɴ_>\C#g~3I$8u;vw/3/kk%d$EauALzws ya,qok{B plE7*>K~ 7e D@E,b&6z($61I 1' (lU~Ĝ˕۾p`t\&Gasa my$@M? Ѫ6C[N67ZHXZd123@d]GqJD6\Ic;hT 4f"aeZX@Rr*_d עg-ʗ`m㪜QcW4$)S[P'\f(X=ne(5<`#Gl$)i{Iڷ/iل"r~ػ䕯RjmnL3SO-7oxRF5[G,as$u | OF2E_™efP<+`H a9͌gn&Cl9 mp,tҔzՒV|.n0xрϴuCV s_e ZQx;P[ّOu'sE!+kKeiIG0 `鄑w -cM~ R5K5]y<2lɨ)̑h2z/2JA*~Mrv+Gqw+ gA gBuX>-BIU ߱W->`>M`}+Nbs >ý+O G ǟr;lר*dϛ\,ٸ@'aմlj xs0=mT2<8ܩr.i/+ֈI|1Vmz?f),irҸ}WRA0 "smo%_[4AOPS/]O!~ f j>"'`-܆(+a0J"R) m "F atReo߆[vEn q=)>Vzy6Nl~(ش'&ϝHHxn=73#l"1K7 & WsӺr8xoï[Y$ni H/'/)3`M=n920S iϹ{Sa+5U o~ <%7x@|D.}>^SAr5n堉] t^vkf*ѯ/I5SY7cx.?R>u%[$` ?ko4 IyM"w0U; lO?(hGۭmzlSP?GV( $3P{@P3NcyuM-HڦCLEۇ|&{IVG ~/q 嶰^GRxV)(r4gO RϺ`< ;5[&b )O=3p6ԇ6;Z@SLwL7\5_߹QKI Ņ6`nw*9@s~l1Y& \+5,"2gJ9u\`y?j#CRkj)XgKE5R5~ߔA4TP EKhIu= {H&I*R)\f8ճeF_*|wdproFOL- Q=2s*iG: X:r䰌=K\9TòHꧢAiM"i[OlnMfIXI&o ͉bQ*q98TFhђfhxrr37Zs[j.Fѳ$%cff$O'wq_î䑾it/ѐ(SKOGgjy9Gֈ?,9ⴶ!\V,8*n/M|AQ<1@r4<ύ2f d uPE)`u1wBIEdHp)¹FĔ+MƉ8v/tc\χG ixsj:<)tFcfNs3@#cNwXlJ r~t* ~BY@o8i!,dL;k/IoPi&Y?쳻ʽ0$adA=~aB+J珛d3E*x9w9fKUoKPȓcK=$wu7xM (StC:ǁDc y# ֤k4T%rZMhПOb\+ |50r,đhD% ϘQ4=pWT m,p;#ߠ0H'$ޱRjW|8(HII̽mwϜéR։˒s+ENЍi/0TX+D[/A@TΠTFLdvw;|@|^xWcZwrn!1זyWR_K}#<acH6>8Hl.],Ȳɲz^#g<)s~΀g*nwyդ..Zs6 z)k ɦCa[M #Ý7:M 9-|&Jզ!>_V!4O'B.V EL{2Vηނ;:ZTkQ5W9ԍKf +̔~!r&03шjdYg" YZ_5w1P4~P-ЇIwvi9R09~4{P|NtϞon6wv+hX>c,jÖa%L+NwGfl2r *_cCQm']f播 q9MK·$K~Z >bT d˯dܾn[)OY1id7tKò 7ңh\ɑ{[ AFm TvNpi(0'{(`L%$!}9ҕϋ JJOxv Wc:w1-W/MFm:.$6RhrmAE<7-f]$A:\ [Ң4?3倸z؃l\vl[v^ ܑSZgE;$P]H ]0]O;K~6pSu;$:θKX:ácoHtSo vgLfcޫhʐӓB…;(s9bti@o7ӰݠvC=NP, Չ|2Ƃ76 L]GЍ7ZD^YS3ňFöGO.\I;r(h"O;P06I|1s3yNnD57%pf!26aH*7AtCվhh&0Wf﹊O<^ j >>%fM ˈ&9=¸Lɮ٪#ݸDA}ԬrCܠvN }=>{Gra 6>vƆooi3x[#tVr9\na(&IAbY'~&V-5V>n&w?J_ бNu?6jnL- v%g!Mtj6'BF-İrAgOV{˺W9bާ*rjLm$,7I0σBǗg W¸RJ.,DMEEXhEc;_]xkKვx4XqE˳$!QB፶81c%rT[҈X:N_Q[[Bm >G-%M-)N %c;9uȎ/@9Lsϴvt7 1 5F=/'2=W&J$ Ya!fN Z @ '[ XY!W9B=]>Y9|g,&l,?Oʊ+$hMIWX@JV11R='^qQ:HvxΤV8jLoYTf6Rvv6s">dK,XorN(NjagY-At-PGwP#wZb &Պ=Ou)mgpXҭc98 lEZuc0uxkXHH%nm*f{,Q7eB;FAma^@%0,|ګ0N_u1 uf-?o`@R>#K߹Llwo`#.!&-If}@u;y͡o9tC}1=P*PՍpxkۧD4w%ll|O$^~%cGdW㶝۵:~~>:2dA`;0wkS4Qo sB*AxVbСBᣘ郹 ℝD3ߣ nݟ 'G;i0P~ܟQ)/wmڇbiqߠ_haAVō;o[3S~3Q Q'AB_}\𵦨 s\Ebwl[^&byU0!!k{ #Fb" u U߮ʝ@OXaP/y9Zx*,8</QSe6JV. δK$Yue|*6!oBV)ܘоQ(7"Rteq ^Y+culHql.I{V6o|MUH?sߴ\c,b bD++a~ _BnR$ l!no%2{|q'̆pI^ ,P]Ð-X&+͋Puk?KuZ!rY׈M/7/F"eP^}MasK̒Dy^eOP i)x<MF}Un5ޘ!U<]ZmIԐP2|H |#;.y3O>Tn@ 6v*ӥi#'yi:^*+ItHO>VSZ;@4,Eg%~ 2`D+3\;ی.fzL2^m@sҪ$a B=h*ǟ*׷PcjG b^jD}>V֑w55B< *ۯF!2`kǖS"SϛEG_B?PpV_T+6>0a)F&A1zqT:]bI̚.gڬ~M8A#t㵨cP(?udLbeWfEwoSP@X>ntm+@{qFVB?~aJ-kt,_B_fߛèx7 !OcZuC`yI, 6Pw7v7ْUB}pr :yq[[%^ɅULp>jVI`Ue/9ok-zk"y0;t߻TU!nPsNE䥄]DĠ&g(ȋ3 <11ZgG+%f6t<!5;sPxΙ?_fr=%1Bk;o9ob/[ k~)G^g_ɓfBBH:eDld~}C1 ꮈso. *TO%L7>Vڙ۩"V>溯GcTU+s=^ }b1'.t6bix/X,TϪli_%KT]IJ]t^T7F|``Nׂ\ VE`Udlz:dvT*1v)<ɮ m6d8hpJeeV9\"G;(j8i7!fW_&1^8CO'Q 6B$I}Wn6iH B{Q8+ H\z Ҁ4QW+sؿD~j<dqE}ܡzZ*W>7xdXUϷxUNTmYmW0 1{`ܽc.x,ߦ⵰PedMf.H_Nu5T9-쿹B1K {V7^[1IqNWOΦ`7]g@#ZL4DiέPQ-*=%l`\U FKP7i(ܨ' c-wTFqgHJ|8t’H4;S%,I9fg명vaz ?|ky2`"GzXFۃ8yo "m}%?,tx q{H3)G }ifLP^hV7 x1qF:c^¥ȍ! ! yztrBI*|oh%CYyI<2$0&O ΜE;ۏ?ܨ/ YfK>e1yhXau#_ȫ v[ewYJz]b!'D0m^Ehu"XzoȏRąpX%?]*Ӳ'1@Rp޴E,Appٗdd6r/oOit!F̐frp켂rv ]=1anNBR_O)ުUN8#3 F_Е1_s;sDҙz0c +ˇAuĨ S(v4,F#l r/ZPiV7M,nnj7?n~Y]uW +/>o>`cD;+j$ Ƨj428(jźf!8$~jou6#6_ ^1Czi(Ӂ޸?< +:ۛji3gOgSzi_m b?{YČ^8ZW|p$ toO_S,=EphO$k'3)XV,G4 i"V,LzݲA@چP,&3ɨjlLӜű=#, /BU8CG]?Ij|#@_5 DIzwCae4ҷjy3^&bf lfm9<2&k񧬴Yy}Q;X9f>=rÅmUՆ`k~r2\2<}a9eA9YЮvw9\{R9HGH+˺?Q_;p]*`[f-|sfFI /pOzL^F(>8;sBc)FhNQl7 ދH܁xe-hpTmumR_[RP*3DPm~yNU"wacj#cq RŽS΅wӀ~ l8 ;Wg] ֊늁 wN:~jXGN,\=֖=!e1I+)*;3eBIʍ,(lB4d,pMnxԾ 28z+Qۘq22RA.;Gdl䓩}/tԝɔbؚ}NBcەÇz6ahPA 3A6 ۭA-{w3ip)rYzxaAz4zf? 1V &JkB `߭#YabSڵ=Ƈ/qyY׀n+  EjHjhV#OO CV}~ԯϪ8@8,CsN+4z%Da!#@ȸvWD^b'J5?t롾yܺD+?zcd(Q6B͎AϿ"{~FRV6UQ@Wf7dA },٘ݭF_dbb&ەUPOuTrT9 L> v*`Nv6KEF39`xnK_$&fzٯLZB|O sYA'MuNchLi ;K")x\-o07u+mzw,,ѣHH.^^ߛZAaFׂֆYX5[AEب>2d)4jZ|?w;{0)j~Y'a멖ؾG_HhpVVtB͉?0hZ4ҽ .WE%wV5JrG'&Zx!$My,f|CZ#/8W*Xe0>א҈lI^" ޡV?|3:\hRjA䏮,.Dv{( ^hrf-`Hz7kYVN95ˁ j#GC*z Pf|Za&T)}$vQuBw/d;)HHWxZ'$ܚĽ/`;e݋_㊵5Fl4*.b_G!ri!Hrd TJEʇ[t Gw4/.OhKbhm37/`sj6%- ߗ#_TGQ#?v!v-t kR#O]*Nz}RRl6E%9 ,n'H\aYMbe;`IwPZƒ@' D>P_K f̨/%K;e"c}z:9B\Hv|qX/ĤuYeohyx4F蛫6R.C}&=?~y.yY,,mhuOn srt_$b(b-cmRo}5\PZ$oA^Ȗlz5(}ݸ24sR"AH#0.SfGmgT:Á^r׉K@BXp@WLi7+Q20h՘}`g$΍2PjI -B+M[?%vZN&P׉8:ꀂ!W]߄ҍ~ 1o^f33 ZՈARd>nzU+H,{Tc%ν!HRCrA!>8O}u_ĢE.M׋AӮi.р DE58\Dh{۲XMqwdeT:JtUAW `n8_`h G( Λ] ni%2<%} TQt3-,5Xg\MyH@Zdl5(.! 7fw&BԂ黛B~B5xt| )*syljTE+ +l\@[aq]4^l7bGNf$.i6C _\sT2xW`xѧ8 (Ǜ)CurP`p)$섹NOu`Їb<>h$ʕK]Ks7BH2ZCU)yMZvAqW0M)JaJZ,1-ӔKRL|!kB~ #ފ>hz (MOTK eRZ\-q+;~UN86p=[̅!:mUˬ?uCihNcb_9n9̻ql]p[Brܱ&?CO]+U٭#Mi>Q xiT/ v$58W@:3qW!#^"i&]) ~wpEB7( _6FH^s6fN]ݶvdƉ`1?N*V@.:)e "-FLY`7}pQNjzסQ $Gh -W[ Hu5*7)Cp .1Tmc^,R#8Jr@5g;wK]}ZD)/ڮ)'dϙdm6kςf%]'-l{UQʹ)g(ILO!vpI2ɢ-~(ַVZ}+E;'`"~5_GO(:<: _6F.4NƋJ =|8Qn[FSq)IPz\caxsio22!EfLqo`ٓO*bOՒ--^%+pK;O9씲#Uؑqm))Tc ?7ͫ~ E:#tE^ naI͋aSIQ;K/ᱩۜ7ztdˌjQJaOu"P)3 R܍-l/I(U70׏5,)3qOZ> HwP({\KA9R ]͂ }TF\cV?o)b H6M92 WB|-R*a8*%8DV}J*me0%оD& |lS> Gźߺ%&첺8;?uN {sAe,+ NiyM6 aIF9@F<,#-Ml(xG+NPR!1o &lHߐ +bD{B;C541"RąعtKnڸZ}Cʻ? t7=Ow%M잸 D9z ;:t7ՍywJ K¦_3*w#n [~tw$ V~wX)#-Y?kyl|suسfX4Lxh,mѕiw au.{>#/${urӾ ")޺> AC__AWԋwU;&z 78@rޅD}F#Wt¶wF?&i1?SޭuS=#l1 7>6\t: L`S%n(;9tS3~sqdAwxcT_d5VB,2(IkW{T(9J3_.xEr* vO 0IP4e?$Qbj+4 C_1Q^ϳ:L{57=C47LRdkSXOj_c_#Yt1m oX E(!EkCIQFFňH~LMyDڳ#n]p6k..&@&ELpŷFlR#-Kk 2.G+"@"//}?6 I\5ofv8IvqpwkiSx,Kەoo3uӅOh0UKzBưC5Jvb0۴.33QK&9תD[x Q5w^(\f.!Ɍ*eqж4PiS,! H+_AR 7_H(n1׷&4h1\֜KwL#w3=]!3ea0}J:ajqi4TQ(D{! A>ہ3Xv$~&e߃Hx9Ckhi#hn ;!/n 7uk4Op# hT3֜PDŽ2lq GyoHE.Ah.D9~^Dl*"py3 !M!hL׭1czf%VfHPvq/!~n$,Eu +;vFQ>9  1-TҰuKUVh^O|[XxX)e@;W%VPy<+Yh\ZRy@q Efg5qw1ێKic/"7 ag!@ci6c1Qr~:hnXt7#8Z4NbVٻoU5j ,!EHTV6ze^7QNJ /#C?`x2ƻ&=@M]n4:9YTQ7 1t^ Q}~AlmNI^ 4+Sj" @TPŻL ؕH1Ed❬N y\ +Yy}yT V5Ǘ bFOdقմQv͆YBigu9T$'>D uڳNtb,0ۊ+DZ):I0z1ȗSeClS[ՃՖs;OHXlp:{ȡpD"\kp/s],E!S}Mp5r̹Gi>5AddjopFp*1ui?zߑN[ۈ0:Q]B#ZQ9.lǤ݊U\ħ?HQiM% wüaJ}9 ('ĄCk2ms ]P`|n0W+02nUy/ Yjlw@‚ALZW =@R6m@ KJvy-mߴװ$"?]tD0e±%ň7t. &piVپj_zidlBD}:jt3CO+ L6]XjWznkI{Zud(v#Tp u ӓ'{eM],V6`ǚ_ O..4k?D&"ܽVLK )5׬#%S3F/ӫW (`ٰ`fhpp?LF-jg45j!QhS9hr3C6UXoGdQ?XI0G)=-ntJ|6Q""nZ@|ZuzPzז'bG6X~`dp{TlB&l^EUt+ե`Ⱥl-63얁]>p7CfѪ&@SȻ(@<' oM۔i5谦6$ϜAv}jfl r15O3rgn 6S:ݼQs'z+ϯQd`m$veӯV%9X?f:` (m$×?f߷HB)˯{e.XCp.v4VZ]4OC̉nl1H%,fn] qWG՞h鑆[x)2bՏCp"[>^б1pO.7΁h'.[> I/Vy$n6w}ϰ% =+1ki=흎a+/~3#'gx۶3h 􏓔+ o,C=3z? "JLq{?w "\›]Di}L`c,ݜ<bV׈u AlP_QJ^((cX:9!Sc3~Ԑ_jbak뻃=2sZȍ 7!H4͔81۠ x&SL-xLm1t|PoA<V`>gX#Hbo[wscJ4􈘥KlZ|Jaӫ#@Tm"~=} !RȀ@K 4UeAƳw~ 508|㺏V] q_fATc) 94zK ,c ᜾&]I?:$[-A{sخQis&- ##%| @v|tH#MiS%]b#ߢq:$хoU36)UBdA&p2YRlq/](E)uÅ]/(8@Ne?N3pl<[$RX ."Z"E xM@m?D\duM]QjO*.PR?8x5G L :6`kJV,&뜥4"CZⴿ(yOdO; FEᨕ15o$?ww^Fta]?5)V(b:12mNܘ5Z~z7y2oݜ~yLҙ)DHjw)-xH{oLOIjB˶ҞR|>Kb s~߅4WjzxL/S>k*3;e>XL9 Xljgٚ4Pq'cΧM!]0s|1FƉL jdɱRf&1r|pWL(8/iiWE>K@/,Sv *TXcqwms B\wihcJT#܋7lr/y)eK#V[ 4N :|\곇=vLxXd$Nh>(f29Zh%x-5x*s'O F r2Xgw/Rk놁[PjQ?E33[is(ހxDIvZz֛MȧX9s,ipnڟ׻l~d]W5_wiI5'ڶS8zA n _֋zw>mq4ѺU+r9zשXӷSB(_yCL'sJ֍c¾ O?*0]9K{BjZ^ λ@qs2*[LM>q- Zۡw~,N }u߀,deǞAYץꝦŴu==mPp?N-a9*}<#"pu{H1_| 6ͱMђXdb\ἦ\^ӌǔ7[vyBABke{8,]s$#^ZBR\` =*m1)ogsԅ|H:iԀ"Y~9#;pY74 Ҩޓa;U`֩zj6 CkDgI5OmQ~I$@Ϭ+9BA-$Z3~֪?N鵽W<@[XZ{A0&u|/\2(wpSnbz]E9%\HS®V ll3{G}Hd[[XkQs̊PB3CU<_<~ζaY.]=Tx:vTvWriSNg$[DZd`{Jv^k8c.'%t55R#2ѝڷSf'ڃY j)׀R0 UIa=RءAPPjfhUNqe,v{˵Ul0&qǹ^1c -@q RBdr +U]zW@e im%0@?;g+`($x<֗ 뒏3inn))De68(j )5߂xCZSs\ILD|{T3BfB[5)Dz:R?һe$&kBVq|P<rFCs;|IA!J`k2[G'9 zx,#ˈ5${G0oέ7/riP`b|_ԍN4?0bc~4rZ#gBscF!|e%v9~ؔ0WpǨC#DyO)F,[։Ynt 8]CW *@A3ukn0DJ + `Yv X)ܑeHyÑޤsA487G~V1`?H%B2Z>*M{/EФPPVH;"#EW= %<ܟ9$9 U+G` `"7xoIQkzͩ8҉DŬwkm'[RY wµlk٨{/lUz\нXܷp'H+%nalx/ϲ?bL ֝zu!dwfl|k'Q-Z~뺛W(7G:_3 {>t&yVti9AV-_G]&S {"zZ㤊a$ tՊL?F9_y;5i䤔Z^YμT!& jCk<ܔO_-+!fE=𢢭q,#fLej {E/!W ihM: LG_Ytp[p nj5gBT:^!; ݆=9@ͭN9r @r)˩~1*:0\.#wkp=:YC\z\Jw4!Rɻ%^i־_k,AXgC@|MOӑU9I 2<{ZOwпuz!%hvSJ.5~| 8vwG%Xp8W]j\.ӔX΀ְ%rWl˅D}Г{)ZVHa@GEFu0Ov|O`*g/u? Eɉ6< fY>!}̷(*=0+,rVw,`ʥiKhs.G9(s[c  vabQqI:-|Ui$-iE9V p-:{jOcK1$jWx}p5 جKjdzje|p73]Τ|bXui%mydG3fgFv i$|d!#t^)#EU4لPbŔNk!Y1hmv+ڡ@e1\u/.}|R7rݣwLv#:I9I8p&.O bn}x IijL%1, 1Rc@7 #?&_D+}L*SH<_x}0/ m>ҫ3Vn "۰ѓyl<@%G_3T_ҙGH[Vr[(?Y6<30ؐ-цL4ǁ[^ٜ'YG}QE{a PyZLFlkk(Ap}Lk@ȡ$ !x.@Ѐ!Z*x[IG(dW0)6 yW^PTX"c+wK2&A>e<-`pW8@ƾ49It_=e-a$$~j3`S437Y,d]~2|uQ:B?h{^VoF*me8Ð-9W*qLZ]J'3+z:CZy糤}Q 4|!H\PMmق}Y #=_iq~!jKiqy!bhF}2:aR$/,A|-=)K2HTx8j<6|zrP~1 hF5ěn;aVN y"W2jDL({=al$5bONIO9rq[ #cb 0h3P}) i'1QG~pa|%?6XE. NRXΐk ZZPGƷ"*UvV!I,FU]_H5Zpg"B Aaj\Oz֗*w=֋)꒜Q5JQ.5G~8,&}qua7Pû}> iK)[ϣ H*q7G$g7o[+ð<_h|V}Bj=h)c\ mdK6J&%lf +YE9"-vYzmCT!_mr]x>1d@fYV!Ul/=]3|BCN:хbڼfZMKH0ͳfGkW󘽿[Fc2OV؍):Cq1KZiJȍxnҦ,\&S".q\$D?8Ɏ%av@sꝨ [hAbr^ާ{IC-, \qNh)`L lnE %[p.r#妲RrpƩuDjOc<7^&1 m:jXJ /ds`3:?hፐdK'Y~3Y1:#Ԫjdro*oFc5ō]{Q1ӤFv;(!_,tm"QKLc~DKvlyw"+7DMG* ЩXVD1c7\eW6Աw{lX dl! P%xLyrrw[?;0]wÙY"_UӓӕK>j\m#o7FL9OGY2| d3jɏ3n$Ǘ-,7F)?£N)*DC'm(oLKj27K^K"_q[3*HmFHdkI&np0z#,92]Zbao̕mp[\L/@l}j)4YO:XH } 0d,+$LOw<`iYZS܇ۡ${:6ܛޝs-d~#5d.>Ŀ(3y%z>[a~o% .k/%Nm[K}Ddb@y3(C$D o5X, RY-u&E‹:j&7Iuqbq" CQc؛fϐ$d=_]sa܂ |$0jC)Mͽ5E?ƒ Hn3bw֑0**wj[ +'kT([* hp/*Lt[#pp"p({Pr'!-r2XhܥϵSZiD#柝>!&䙢z xqi~ {[ W{ 3M6դYmOCb\7/!hmg|^R,0VPP鰲ّDg c}`=0\n,h-dQFZfМp#C$MZX27O# %(|OMH,ON)&AÙ:Fd 䁫&qpL̦"}(Y( ʣm_q緀 i ieХgt2a? Z2`ئJ}o{6+~&B"RxNˏmˆF=X;,=gx~I$p:ZJ B$;vp<$hBQer4Tϲϑ7/*S"V"lKm+$c~/l4' &rCag 8r6WJ/¿ Ԏe~|Ouj.aq850)2NYg:=XW;C"a>Hs q.YŎ'֛Cʤ6<"R>ξRkrd&:*dZD~ 5eЄ+]Th0)^ AHHau%zzc2XRgjSd.MM{PA(v!7zΕ ~Xʔ(߇Q_<c9srf!u:Dm+$itba;')ìըb# +<'K(-5jEeRbmdM: PDGC4t؋`Db=ݍ_wl{*C +6mMwL{Ck&L]Fva%͘Q H^?1߃BƠDt`k\, YJtFYQ>CgnTrFyi(E4XFԧR>F ֦͢P06h^CIFENx-6جPXE/՟^ xM /0屰RV݆X+A׹:)q$+h,1K*Nuw8O*bdI͆oǭ5+^z|8f2'G{}0sȭ~F&V&|2H"Ϟ~ ";&ZZP7r3U"w6C2$|MDt_E(׈,آq:)ȻJlX fdRPj <`)%Xg`R^ODCYn -=sIfWaE _Wm\c^ęYl+^6qUEIodXڝ=^iqLڀxe=p>A\-[9֙LmOW:Fo֗m{dz&A |:"}&O};0oQ0Z{.PwcFw bG!@Q;OnIS^[ GuN z.W( g~0 *IKm?G`nBP'ȗ[Bu4;ύS$ȸЭDs֗=e0w`k*ۄu= k S7f,Ϸ>L>8q`;MiJ!|֍W ~:urEX6 c򚆗Z0[]!dKw)AVebH#,_Q3#s5QϭJn0'ft7T+prluE\. mߺ!2A 7vX7Pt1U?/E<~ұ]蟿$vH,~'Ϻ_yV͂$"#UsOW*XA_Sfjl k[jD`/ت ,t_0$8vw7qц:&3?a>񮑊;KA~[/IΕyv{4^"iwBMH6k_Z2{Eߛ BZSM{Qu `v$/.<'dtʏ^jaT9uO+')l!I~Nb^ׄX$A.Mxs7 %WlXt eu>[YNӊdׄP U7+^G[θʓ睡< {k`# 9QI٤ː?ȸ*M0Aމ,HXaESCLdڅ#y~x|ax;gUD\k _gFhP|Hͭo~ch/Q6>'55c(ƞS2dXoZB^Lkme$WsetoJ!-Jt?xZ d-W E~,vz3Tʊ6~-7Sh$(eڿ >:gp]V])֛lN1Ǵ]e2x rB\AIVi5`1M̭! fK6$r=# 8[04IÕ'1rҲ.bM}U] zewѪ#7j{P/$<)/,6{/ G q7dkڙ9'D@Ta tkF|E\dL,Wl.3&R] &[J4JxEPJ-(\mTtH ߍBH n+:#{~`v$ {! {3n8_m|TxA[bbpL ^HZoSc[F~vӦ6q(X0VnBC.ǹhL#^0ѼS;GC:>#$bЇ~(^4.cy;bB ؀ڳK^X}IJiAz8^E2&~ՉW5  ;{}hYƏ` WoOpO^Nw)FŴNtGj#_ *`q}HT払a(P+dzze+x]Zl(T3nU6@X :f2 >t6(ko9ɥ4C!SƆQ"TTw(o 2B3.ݦY|ӄ˿ $D!!J E"%PG[U^TVsMX< ĩzGHѵ4귺FLjZp\kOb nsH:siXoIM'VDNRol&B7#ӛJUl;.D G9 w7pu/`蕽.V;O2IÑj)X`DIr1"vt \ZՖGj m"`t[-``+fpL"V_8 C(jeaXLb_C 4 ӎk|O;$ęiݤiJf;G 5.\>{_KFSH{ԥ|ìq*>LI[ߡ}_2Sţj-{wv8zT(cm6QzpQO .Fze U coӱUZǤ̦oQJ0Of8O/jXƾ'ÿ8uo?#=¥ ͑~!iVSDž7f5&l}qO,bg:7ϗfUeCjO[zlXQmdM"@meZDwH$aC,;DRKhE3iSƉKhDIWo+߶9:8;y` ߛ8K l5vBn IQ[ʆ^mb.0+Vޢ߮]I(i2"BwO^%E3T/Zɇo;pud6xӶ? :7[>9ͷ0?Ǵ7ͩWݺ|@U+RG2UnYz|]S%}Rdo;julz+?5`HQO$~r+DIݺp0;;8Ί ќ>Vl~cZ׎(0 Rs6WZ|lP7Y8*(\_%uxG{GK?H]^v-{}Lᦁʡn"xKhҶ|F7Aa$ H!Al$p ʶa2Ϻkgj4ѡr\ښ|rit!ܟ c:@ vY\䚱 a|sO)6& g7Vq __ٹm ;\_\ 邬\^͓TJ{E]}!v}S#6Un풚4Tɴ*\"ʄ7~X(iq2}7R>W;kM'rd\0|tKՐԲ@,F(i`aZp/Bu+4Loc.H @Q<IJO:UxzoNb-w.gV8. ;ڨ{;#ہ=flRlnCYWj,`Ÿn 6CO ׸ER{m.(+Ԭǔ`#B(+G O'o0F DAxDxKyb*y-Bq,kJdw4zH?vlu߱dVmd?<22 JXXWtڊܖ*oZQ ޸ p4H?g :9-z9KiT +(DŽr\6l=PdYo+Yz0v#T8X' U8OZPm>y%'4~fݼOb9ϛ=Mkpj%$@bwkQ)غbm*֋4^xpP"Ixf.m1<71o&WhX6Kڼ@m=P=c| s{#6 +]]#q dGf?Zw|D\<=L A&uZJ)R;"%=׿pDYyz^suݧ0(emzD--k0NB#oP鷉}ڈ/1r I€>'Y;0\{kٯ nrSf0dBAB;fR k݆L_ {sTQ8*M,n=0eaeť-E--WgK[wk H*[<8:Wd HJ!̕EOT4?w=n={/Tv@"b8e?TA|V/U8\U@mmhWst҆ІĻżڰ9^_~0c# mj(#0l̐Ӵ adg[ .KR*hE9Г!;_t"T>5XG];c5A)Q%f#p]'{r#K/VqOn/Pzi#=HC.y j U-ş"BDJ~`ܴe3S~7QubIhej~>×9dz'LY0g9ut{ J 2ՏIc,r+z,3Er5{5Ji%ʍX]@~RKaoi<佣']I9ި&+h4A0%7 |:CBjpT՜sˇ_XDsv!/ޖCnrbzW>V̷ڗXmeV knhʝZ>(N<ڊV-ERV^GELz# gJl?ZkvXcP0ëtaa e&E8u{&FFUh,Š ۤ Q~;tC<* H )?f?k Hca#[sb } ʨ;[7 /rc$>@5{ a"  -ΖX j -S -Nd^Qb/DzR꩝L@?Z@n=-sd-t"nB .xO謝x\96:o0 M\m 4* o;o2c?W"Fm!^\Z#0-nr]ĩ*Pyuq1'Yclkt&|K!N'I)R|M0$g!P5XY4_D9~yLM?Wn#;򟤛ku9 M^C=/G͎Dԣ-1l/)}a`cmlh*Je,ž-A?0 ^)X!zz|wi+#W;-X?l&u+K ,?f(j1%V>9?z!P9މI/) T~.FwPw91 ss\fպ(qQzZD)ܫY桵?οBvT~v_0$xeEu(2"&ţ[W>l`K)aMOuC l NmN|1LYìFʧ6 >ie% 9>ݞ9ľ7Yip}YcvV(.V]%vq#;D?RNGX" VIp! zBkO !D_v8+-:EJEgM`չ@w{Ʌ ?A( n@9C K_0yS)<\ K ?sFoGw ɌB,6ɕWBgW?a|yğc:I +0w@<1|salkB*hp]"A | -#/YcDX:0JU Ϝ uc$!Q(XKyh<1e$X= +M @aU) pd 9X)p-Q5e܃>zۘB?Jbv9Շ$i~\F;(udE"r! 'zmj#ELg3'㤭ܕWF$ 4F&j`!u*v#6O0;| l dH_G1tai  j?dMJ*\W6W0l{<&&htT 7}֧{ ]UG|TTX1aWjj^fQaC/ծ}ⴹfHף}mLЃ|EAif(q_Id"<!OCG-֍|E&~O[`~J> &TtHoɺ u( FX+' 9 ӊ(Ѷ;Jjûњݐ}&Up黗Zs}ڽOUD0!5wD>}:zZi3ʠ PJ)ɣnlԜR6/bZ8&ڐ-37Bk8._@Q~PEjC2Gn:&p7KЩMF@ B4[i@2=G|'ynqMS b}]=Ꞃ7PvwX~9V2XUX|OrGFFnA^ Hz'9 ԰*0OgEJQK2*FfH.3gsNEq$I0'ν}xjT z-(S ε2<3{Lb f6=؇5nWLPY4[gũ@n5"OK>Y ?WO ByJlD!_:qe!߾LHκ Q*<,(=XݤaY3eM(Kޡ*b<tA/+hٞ'Sts@(8uzOi:p( TE/Vu.$l]!*rxJ\GC2`v'w'~9 S /t{ #൐KDNPSӠWE}L$S[aD^l*8BN#m[~rqҵ<1&{'Z XEOec)0|'E ŗ"(4o,`r(BdC;V""ǛD?8&(`ݰ&zU8UߥQ@ձUa"AGD>:fԚmоBoRn;˿>/LGoTD~?"pY^a `L,T4-=]׽ VJF}AK%iy I^ڻbʧ'ua|-@;s1]9M5(/V5rn"u|&v4h7NG#\pb%{mmjU"Ic8?clwy+Hqv^]̂w˚;U6<55lXnO5tHZRdAH:8ۧpj!1)%BA8-wKIyP ~̀{} [9ɯ36LC TՕц2_`Co^SCl^Sg-w&bSh+·bT3vipog v5bS,=KCfdG7$GAO9ۆӘkS 렣V f8Kx%fLV7q00i;iYQЄWU |$_tpjVfh𳺨x 8~[j3m_ˆ<-w!-5>⧾߄1v5~2aפM\\Y5VUiwY9|/WU7\ۜtbҳUɰ>@,QQƢRDm6߯2On5j ro$B;B֝~v&䕽~2M(/剌`BIhɢH&Ny{r$UK5Zqcwb?^LdƇ%-N#it1?^6f`y)}m1jvi/p_JPhM$#x8#Z'gSX#4٦|Y4C哅#r\g8WML3 a}R 93m% < niuІ)fbdPץE܂I eJW 3qY>a'{ u bDB}n :KNxDJY &VA}{)N[7iLLQ3^o%Cz|`4qX9xmXp"huxه4E8ϑ*PmUGѶ0n|:KǛ!_o_(Ha[u$䃪^j'/_B?wS4oFǥ^z6:*M&빥8Sar#x25{sܷv>[GhL5/X*Y3 ! i Y;7ZwhBMx$`InW~i>=)c &5]ǦTͶ.,i,gѯ/pJa4!om6F?X6ϺKu}0͑mtReN"Tb+/-WH|~߆IF§WzҖJFfL֘tcw4ޘYD8X1HX1FڰäcE@!8tbJov( o%j|v3(jۅV@7ZRz8B_ͯa;,8!Q ת_ɺ ʰKrowU Y>z)bEث9#vA ̶ R/+Gudm 1k2a;Ckj#DƑQ< 9M9A^ex =u T#ofia,oԙg'Vcd0}PQ{ֈ&O?ѕIwQ䳛5@czZI&该67%*l'h3a 9uR5sbF +Su@I];? &ϓe*ݷ=OG}2W OvZqpw,cU^O1}d+KvE\-& Щx4T"fod O[_̅;%:А2 w~$Z )B F=Mn5S~orFar4}lD9 PePN7ެbaFM轶g;3ݷћStA:ݧsPyYH]̰Y9{PzYu]ܸ(9~<@niI}\8-O[ e*(ћg+zo1/’y!W htZ;+cH.N2= zJ@ci8߇]=m3X qKMt#C~ٗT2~{M5څ]҄Jf]m8ddG %sV]@_—<jg jHu1xsK[;ny v~Lˬ5B{>V_bل1uGxQN%oJa_?NxqƏ@,Fה,fB`ٻpuéfm}{NB8DbGk.ԩtLK2LiWaM4Si~3@l +U7/̌]Y_4[a7EP[KO9C%_.~&!}iTrJ.hѱ߬('LR2fS{ե1J%)/^7bV]radb9!MV(T[U8"*(F_Zr>,a馹H*` {aS8;:Q;:CEh̖ t`b;0*ٶ=L[}YfEFKpy'\6 Tmp׿kE.AA+;:UA*ToMJV*M -eQZ߉AFA s 5@hWB NQ=U]%uUpfVwL1U /l\[7{,*Ǧl*! 6#}6R B)˴>\ք9_Va|rC$o#%]~ŜU:*RR¾T87A&[tF\#Pt˿E(wTF*~ !D`+b(Q\>Dm=ya)+kG*6E.f7`sɺEa.,1k~`c'e|CւVX`Àm2n 'Nu)lV96? XkdDQ.C9ǘQNKC; ;Mw'؇:w=$<}%,l2;`vۛ _@-Б+fɞ*QdXoO.DQ̈8u8r=s_ElsZUahD+6S`x{a(iJMg8fȇ.?Iqک$f>ep~UQ" ]-cd |ᣤe+thOQ<6淟t:{nm=cIVuw3GIν@Ħ]i:Ulq6p9nΝ7 "vЂ}S2PU=uj|q  zgؼĤ]C-ի4'L,>JJqڴ UM-wp](jREwR/wn/IoucpOiU[!V= &r`i9KG&S;d:mt;$bf@_TiBFv/(Cg]B^z(!$( L;ɻKapD~X Xê=7mƟ|JNmFJ<;Z4z{w vi/>6Qjgת@ZeO68Fs\J,L1 #(eqNhS+<^l^$ln&8fM`E@׉uT2 *gBI +Onp-K2շ/j#<~H#rOx9ǰ3&^`Rx<tjy2Vc49 qƋr#0}*jˆ2em2x'ثϫ 7^If㰰t1[ wLOB7),MNM}b0uM:=ocT; ,ި^l|,GG+j8&a)ѡ# RRY9/iW(eUFԔ)YțW<0W&Uy=11^P!ήFУzns=:SS(K s]v^#w~08NwA6@*à@#{O3ҜtlShc}Vb^`9tD&Br6"W;Lp>iG !=%w'dȴ;#O? `4Y5]r ou3sW CuܦܳtgzFJ߇p]Ub끑6aaU$:P۫I87m_$+eu ljF,R&4Z8km/CsDJ][0K?wya35ЅT@4yeqTϽ+e_U Tw% V!+Hrgi7FV9GƖaU71,B ,ˏe;;OR\Uap$[t4gfVI}.\uӌ.v?||<`-"=;C$3п#MfhT?7-uM3dŔm'K6\X=я>֮,qN豣#Ga,+'KzcJOB#eg _(uaNqA? 5.@$# M&`Wq#הu_,Y σAQtLTmt m9*\ؠ(8U;'cBegLNIgv&8`Tj_5UC=}{4p.}$sU'M\-rD& |Huֿ6{ݩAA)U9܁NMWSYС|D5<` %]j69 y{SZ0U* kjwy1H/ѡJto߉H%^gXqs6}A‚QIJqFW`1"b\[̣a2/k2*б/ʪC#ծ#b> ͥ[ y XH*H}'\:!9A!A:W.с$pY:RF{$29V8MhmjD 8EFjR_qp<Ǣcӊ`Rl+kaDbY/ruPiFHDM|Wo: cd[ ᅢRzU9Y"Y3>SqbHyٙ}QiNYɦc{Y T{ײ^*i{M(OAw_} U;e-gyjVdKbѧV.8(I(r}WQ_v' U) !lvs9x{c-/}e ^(W`3byFrD+[7̗57"2t]Z{``kd {1j5RXQhVx㼚Op U6ڵWC,"CVn*-Ix$0Ϋȉ':[RS&N5pl+` \AԷX<˜~pE(CUXQWВ;7c'|NL)W+_8s7,Mxf SP g/Iv]J)\-2 +I˧*T4wPmb'Z`"DV=K v6UHosd$=#(.Hr];)|"6 kvsQT/OH^b{b!;KNX:˺/iOmm,Y(A( EΑEJGs1ۂBEDi~j` ͉ym|B-٦/3ն";gmF8.{҅ޓxV*I4kbn]3Y!;q-myXU1.[Ѹ *sr ;cUGEy*%$Cݚ}OBEn5ɍ]#1! ^K P 07vSRphI & 4ϟQUǽSx/h#m;N[-П;!VRMXLxnj0!OHl/}#WO7! 4RA`^vw<taR Ux9Xlzl[U_N0/US zO1b塈=JPa(2%5!b+"#1&wbQh , Nal kt|_>D! ^lcəA 01Eg‹IM^E =`ÛAgN;!%Tk@)mۈcu^j@p}!0گ {Q9N .,3e-n>WfREF` F\#s~N=fL;GbC f&ڱĸ$VXT[ǽʑ'2r_9m[}ٲ P, Yü|I$02Nhp[ƹl 2ԋ֤X @Y/p扲ZoعnM֢hk,v@+.qΈUrl.8y|EqFy@nyER>L9E Ӵ#T0\3L0[ lJb_nRPDYZKۻgk_s\ЪN+E gQt LĨ'探Ie~Ij)h~X>җTA8>Qu"ƭ{sV 08P_M ffxը*A()1!\KV0^J1#fĊ eOsLag-jRXkC\8k^EQl oR>嫗`mt6(+(—Of1jE^uJaj} h{atiQ{'R5 <`u(ߦt1[`W>E 3skk&#3A)C32_ =,qr!TRJ9tSGPDY% $I$I܏OId $Nu0v{WjcϾ'TCPj-ҧ꒠a M7|.rAN M:EnC}[npoe?!G#{,|ֱߗj?r0ɏޱ 52})A @aS'e[e|8ePr8LdbȘ />7APc81S4Q3s4Nb7=ipP ,\WS4f+ ?, uQ,UF,i9]$.B((1 i pj) Wtc-Qu;Z C RO"ew,Nʆ&XqQ:watûIhb06 W'痷ˉ}C9VP|jŞp4:Q&xXD|}#@ bRgK JHPl![O5#$ (6|ď,j$fhĈz~R ''6XѕIyK7ZbݳMM^{"]G?Bv?8o:L1`Z]HޗRg{1d7yN{hn$br_aɾ(ظ nm](aw/WV.|ȋ (Z6 آmNThڀkc۬Eh~Tx4BO=R"ϥۯ:V W'lJQۮ38ZWĜP:"U6*Fܛ`.-kg,*Nj sZ-D;ًǤ|O s勧2^͛I0,ߝMÚ;n[0+nFӻ#8|9q.: 9;g)9T `w\KhqEҩ ?['B;-5Gtp7zό7y ILҗV4MyvTD LpI&[orr P3VFfðl[W@65by-U;=@%cS _3*8tHFrx[c.$0YdID~Z~w>t8z5?}ۗ.u^άNSDI +3JRM&Rί!loPo,lSE PpUQTVbm. I7dw' J>qm+ GG%cz+~T1a;/O{ȷ?4Yvai9s1hm=;@XvhxtW%k|K!yQE<јsw|XVU9ZwCq="V %T&v>,G-p|-bR݃͜uJ)a"X+(+u.(i-@W"7W\F ?}c%Ѝhu LhQk57zLLI4 `%_q;81aRo-64,&D]ˣ8 9ci?nSNһ,l#EOb ߅e+'5=4̦lgP% O4dV%X(`/ ios˶<3F QR a+=_\z!|H.ǗAR[v U z Cb.fEX2~ ~eG5X6 &-PҞx%Y[=JLwkiJR QA歛s a?|b@*:X?PYܗNQ"ee<+I~+:ƹ8~XˀLh' ~ނ"DK|> ;ԦJ}3Q Qq|Na" fPu$a78L{\FS³аymj¼Sbn#1̋#9F}oz*= !'47#>(.VY^c<9 0E(f>폃v_?< + ^9HBJZM5!S_?5e u4GzЊ[%f *K<{0U0N\<.q|-}>v`sbbʗ]5zO6l@jU+4Nqݼ iǩ%YF$[G3m mk =gZ[Ti&BZ6t] -K`@g!]&Ji'or;bG7ap}d6cUp^ou.r`R[JEaF)5(ɠ~]iLn"|O>Yf|33E#|&O*AX3Uz›AW{x`Ml<_- s@΋DCո~ɼ"^č+(IBe<-p ɜչr/5X~- L !ڎ\YD" ًwtc luΡeD{_O&''gvsyg4U-;=$)PR\> 'ujyɒnEjϗJv]ߌ"!5#/#yQ:םPvF@ne@N%Zũ 0"L-{i9멏%ۯVU.{CxK{V_ f}RXD`10i`ssyTt6X,uxU4"D{}5]'x'*eH&D`YH)ة敢5E<8Ƹt}M{)dx&FC]J]Fv5EGhʱt8SRro)v K1S3J1.|s$bREi F gӾg\XhX(T<FtT۸CB8Sհ& w$?hf #u1qdz-M.[1_ph Bڷr$[\TA4rL?md*%M Eв{YGyI#jI(};l>Jx4NxTRr'pDcI*awN u'KeezyU4-3HWb]S!&X&YÏyї,?h!ܝyJhwH C|q7"DzRl=3 IJ3 5N{A8j.ZEҠqE=%*.X%F( *7jϴQB (k P0ـfy6ehq Zuφ)S*)7mA7f(W5]Gmu˃luѴS]{yqp8vArKݓb!G uBM!kۤ170#/XKpP $@g*]B8r/gO9up ILua5"h{uvL 6_`k#w#}eLL Ӱ Mt#jl_ QDJ!q=킦Bs[Ӧ>"mNJp]*՚ʞe99o[F r`/欢Һr2U|h2)ugce.(8k'fhP&wL][1ɮ9+NF %E[ty!y'{(inC1=/$e;4 1'Ws:EUN$A!)l Zr`V$G. ≏Rk،gލ8!֏X/QOT3T}УxsFxIf1@b.|0luy ρ`/`XK$͔&{6ueyJ2#,wm>^$9ϰ>LDGW0G{qƟ z!2ۡ[&!󜶀+F>Bڬ>0jG/@-ǚ*cH#yI$0q (Qrý,7mZ+rUZwiru2J$%O0:&rE擴TTKHj_5< n/Aa$}a}cruH8*DiQ8x2Tz'"[H1fhU3)JN378 @Fw qO.jx/]_q]".Kz9δp00ss[BeO mXm!bM{7Rf:n6 r K{-ҕ42gL񣋡X/i϶%VJ}+/Kog-R3I\ȟ1ñWk ީx /aYDSO@2ylo ?N[C3į|["AF^< X┮)󑲁@BH-8@ "Nt6݋)H2ܩX!E H &k P҇HPzB_8df]y;OEUe9ٱn:11e?VEpc`Lqo@[̮VEL_[; *GpG Hd0dqٳ_<*Xy|O|wZW񹑆vFiS 0ztN :4-Ҽ ̛"V/8ڐ}} ً/oR!siv\?mz~Un_yqYHwK+(C ?Ejq]|F^w%;~eY@,o:kYp(!^LJ#kRJ~BXk2WP$d֦kiW6mAʎ^B9=$|8`L6D1?62 H[kg.D)y29ʮfD8>nSwB(YLkD l,DLTbnFQ(K%}f7KU|14{dks?&{zfOͱ.b|o[ޏC&cgG'~&_3W8asc[RNT0\}:h _P$h h1Whbk<|B>ݵ3Wx?~ ;v`[-@%} 'XK`M #KP+x~Ofm>cd`u'UgQhiE%"c3UGS[:=8X,GvCx4iyV I*~2c/,`buekx70gaWg芇@۲N8A.ˈXŇӲ~ze4_y{s)̨}gN@cN2뼫Ke,{@tX歐Y2 5O+`K$ c;E2C8W^|pIW*Q )x? z1ib2N" "b):"יs!u%Kܐ=i8>QSÀڟ%^<uʋV F\]hڧ>̥G@;>@y쥀c'?D"o lu݋~Y]fxfgurr./} u^ _LPP_fJU@X6UЕ򥦪p[; y(^ѰD|隬ơ~[WwxV ~vuĺ>#6unWsR+7"32gFÞKy@z9a 1e#Mr0Qakc~?6^ƹ8L򶽌HXcHǫa95w}/w=;;R5}4{SGVۯƆ.y"0岸 :E(NijuU&K]=:ns(`[,ܶ tpX>-t4Oj ph˚bbyf[\6d3QcQ'+3SP VPKH4|}(duڐt k}=Hnۥ@o@@=Xm^QKH79й태y-[ WWPSW(noGR~yxmrua%zQRq m0ɑTMTg`t:N"ZWT AkZOsj4:$H@/*H:j=GFċE#Ӝ*..aGIY*P_ w܅rڪpy$ ߇wG=3dUVXWu{Q~ .#%1U~"C 2]8d N̰튖88R(Ulr[զ{:c ;߮±kG~b 4G}ҙ v/zG D෦${y9 Cp@iJ(+KtVl> w0kL2-Nڽ OA0ඩx_ qu[DҳZ(( (Os1VI,`&&|zn@@ht{5r$ < 'e<`ZBĚ搵qQϟ)1do6K&P8Bm8WNIH1&W \.ks3F!l pn_j%`:(>w~0z "f):u;nc|w ]NLzwc \ȱ]>5V dH߆]=u!l:}:àD8zY c:$0`h{~ـu`NkN1&5!zݐhJ! D?`PKk%6E(J|g Aœ91(t-Tn @!Cn췣0HfMh{y -2z'Wlyq+r[r=AVDT/=̃]hB\%0vL4 C:d[3z=H#N;#+>^riCCJe=MD A Zxp;8R υyoYoPJ;Y:FӮcTID p~kx1x4qaW-mڽ'HFn:s<+wYVi?jf"sw땄Bf 2Y}c&iW-D$9/5EISfUrb.5˾n;7KOWBMEnce)  t {P:z!Hp\A9})8q;^ʸI}Uvg s]>9qGS+̵a'Iu#NM'UNn!>DfxCBI!W3;0h$ ǻxٹ RԸOռv|4~c zBi.N½d(<6B.yuZc$XV <15߱=0fѰ% om[kbbԿѼٮRD]uaaKk$d[06 %bi)9.∆=faȂW' N>YKPѮ-4?$wG/R2So׷ KׇcSf4,v<;nR -lw l h>{1!ns5Bzc!lYмr=['M)SNXxC"r>,R*GE7UoL{O|{E#bDttYL*^ -&<G< 0}[Iu l;׮#ofݗ5 B\hYDhޕ-To;#1D nsh,MlB8)Du|}P򮟄ڊd )#~ )ʌM薪Gk>v~$1S¹}2B .¾* ԌaHRtc {J{Wb~6C޵spcm{[xJZ@ܶ=t~oWפ)$W3eҋ U86+E&Y?t.jDy# ОdR#KH/BN4f&Eb83H&N+4bV)ʬqRmx.&l \${c;E*6xbz!7Bs>HvUm~xЊZZ!D!Y*Tk@v"e]w)rÖg<1njm.R!xb0S.;\B04[)2>I5CxBk7O7`5_O!il@]x\ 1CU1k:a{74GMd!ä((IZZL2oD 6 9!1b4'R5޳Rb[㫮8vvNy"LqfM$Xg3׼x>@*0Ѥ C.iniʮ[͕* !g}LC!hF0YA3Rp qf?]`Ey!?Ǟ9@`ߵ?_S9' sby(NKINU'N3>DNS_$ baآ!*DQR 'fO`)3ve%=d]J!ÅKN̸V2iw>m2̐&XKX(s.޺e2:')`Щߤν{QaR]Ȁ47Ttȟ 07=Ne4zɲpQ{߆Ġ\;4/BSR1_<ĺ* l cdcwKv9Gڌ8 .rÖ*\iBVVQqSkt+a2$lASJ\AsE~Lm"Xs>Flx ~:ɵ $cqH{XLdV;j0ɶ/P(BF$> }TAF+%K3:-!v:feƭ.{,qvG1*D/5b=4O4eFzj+<%%'YEb\溣a-r)㣅~YsSإNZ 5fz挥ǾSfh[%vK/z}Wgrchtx4]&[xucjc5- cufL)<cTIrm-Y{bhuZ'.(:x5r FB}QܨUf2  ԛ V27qTX(PVUjE;DA6ǒtqu+))Nli]$/ۤ %,"s9k1.A$GD \iyjO>+ wA#4 Z&{ˎo ~:JŋI!LEfGG  N4~)"vhrf_.O:;5RUg.h}'o,UGF]v2V*n4'eGѢPpoHNYj^)EI-9469Q2"y>+q=M4?9vzo*Gc`.@nRP4336fXh6 S0bݤ$tz,~d σPS(c@(֡dHW ݲ9M UY|i0RQ5Wh\*ȶm)sJV~GL̶H"xQ*b# fgy9r\VpP%z߰J*102'k$0ֵ'ѱ e$hbxteS =Wi5x ⺆Kov0Wl|RVOJssH]Wi(mqGkf㻦^ٿE5]PԟHҹ4(Ul`Ŀ ްZ}Exu֡,pAbO[i<`w_rfIuHC9[p.h)lCMYuRhNTdh,=P 6 vp%\N БC2fEAW-e{ "0\vOM9(y1c b2=^ܚKBP|QXm?*?`?CkWL e5rzr(w JTr3zr9N cpwi1T&JZkXծBgB>ɂA$3isħy1 dJK:S")ȎGm wf!L4š!iEw>,4\*h^@: qv8oEw}NNHˁ-rO&\+ACaw2Y8k>ثG=!,:".5撨*$ Tr&Cpztԡ((3.g{2bTM1эI*T4{,"5ⶕrM-Xf>4 ^yrmtw} }C/?i,b0(y X-E@ˁ+B|@]Bkoaū .m6 QNfeL]|gǚ;[= D]@6ڷ Ŭd-Ar[?y~j IE @ 4s璧9d mء?1p9JGxJ2 <F8? 9וxwaF$\GJKR?+'œdƕ>27.2e7hoWO eDgfdpK|9_r7>#e P)hޘ7.Zo|ƻ[ꋀ+^Jթ9 :L͖K$~J)5 ~QΡUFmr:Њ 8*A[Kl\HI:(]0ʝwr0bi"\{<̮|c;ӽn$q?][2b3%SNx#q"/SDۛﳵYC5ZOj3R/VMtj'HUA=D/(D[wi0#9Lɚ/1H#Eڜψys!1uW2jY$ oBϙw9ƚMt,1xVRRbZb^.S𵞖F3fks X|0O }vV+v_QKkWIkNr_R'ŜyIvh{(vf#!8\z ۸\P3,;^ڟ8Gߎ&s! OAC$sq**|.0XЊi; mPuao܃64>DQT{ކ2/1` f HBuXy8zW[[{H}JvDdr8>?XOܖM/5ϥj.Gp @2 H LkiCBN1h?/ x*oqI>G1u^G؋jVfR$1eA7`z…flLXmS<B]ͷCѰq%F/ K-2t"s-05HK)zfz j~xD]"u Hçʐ Cg=g1|2M ꌴ277y ʶ9A՜RFYٳ6/,6,65q_5Ą4.6ywL¬rf|k%إQPZ"XDG|p_-S9{]%}iHfS~k&;i:Yk:qmٶ&;"N{ 4QO@UG)5͒B&AGW >26)nDf4Q0Rў* 0MP[V~n${ԨcA+WHW7/U\3 LCYF,c0I-NItD͎Oͧ‹ * )ZA*ӴP̕SWRM_Y14fB ԶZ_x'h0f+M*um1O܎].'d7˽="Nm͒OjM)C\`l)Ã7Sܒ-x׏93m}u/m|Mi G&) ]!3a͚ƹ?ר V`KeHEiX) =V|!rrl$5O}7BEeqlctYҰJ~٦'cfA'(;f7;ڍH |0f0]`[ yE7{ҙ7*ƚLV8jQ$IqkP(PF3)Q{/z!FCcFVex䀹Vq BdՖ‘o}(0E|a(9C9fDsh!J =}ν<1ĶhOݭO9C5M)&ۙ¢|SԦ̯U7!6&ū"gzmH| 4Ix&UZ 2G:E`[zRU3()d9gy}:U1FDb e~S&-Iƨ8*QfHe(Pw8bIsX, غ: XSc,W'PnghyN< J[. TrjL@n7&%q@$:޲HPvTu/Ʃ$ruh$6 .cmv$&w^)T̗LSh%,(E)ȞSԀ[?2eզj)/N{ŦSnAHEU;rVWui{5GzwKa {~~ܡG4АBKY!Ǟ is҂rЙ8FSkyQٓ6]Y9 ,~ljSޘ6ܿm$mi:*8 z;>E>B&`MGVeo0[_BĐj3Kl`| vV@֙xYatQHmIl9-ulKN}]dأALmPq?|LK+Y Tjn49 L>B cGo-ڪXjf&O!6Ó<ĄϏJS*р۩ʗ R<@tK.ft @a|qV5 ~4: >tF*@礲ƭ zuEi!t,^> %K]w#8a~Dvi_u䲑*b嫰߿glV8/JT^oN  ֿ^|hv֙n%Yj>sf Nrr<& ̡ ɟo̝K/b@Xdz<4Ɇ8F5ot"Եy_Rպ6V`KJ]K5ed3oC0d+q=?X({3:GP'{UsWBk.,&uɰ|?Vd#W:]rAqxGә$U`@l!qXZs=W2N51iJnJkab㈽,C0)/} Z{D^/~{ZZ^$0^XMPw@uz\.V„ YqCE_%HGBB6enƹo@-Azk̷؃EqQu4~ʕ$ ^묚_}Cs@C"ofyQQOÉ1c F/1;)UP<)F&,z nMVj&*+}B0eLNA~E/f,/! f!7\Nd XSWk鳶̃ wUhX\ 0n[=!wA EWCbğ~Xg WS-82,z`sĩX#\DGZbiL(k$.aa{j Qa+!!84R U,Dޗ$-2mtqkXDŽ d~`X k;.8QKQ:ܘZ$9D1@=/)rkdrW٧YfjH/Z7??\[At2uaf)bE.60<[}i!ި7z$*c(ݯ̨q~9o>YouzJa#8'M7c9Sȕd7dRWk8;=1 rn(M.]7HZ4 ҉eC;֜^&%DXYDNg5_!B%# E81d辢ODC7 Sw2+- _ 1jdSc.R\(bi`VwûIu Da . k$* 1yE3ɔa (jcϮ/J0j9}HQ^ bXTMݗ:ymQ4z|T '` -[ VKӲ)D!iS9]&RAq;cHz 2>ۅ03AwX뀊K㮒[IAAzH3ň8 Bo$JCݥHGb6S~Yl]P4K-J':!?,c2?G_AVٗmނ4Pͻ'Q>FՐ!|~Xl{ğ(b̜#J`Z>ImU,M#δ$"A|^'Wz-&i|IЏ2^|V(5,2g]?b⵰8v_0xwPY8{ .(qY0jzm[_I{Lpc9He'޲N$0@e\a :Ș PYZῩꇇ"D"S D .6*,29 db("dwD"b 4WVwnM'2<:uEG8r-:X++4eXU@SL 80 ʩm'<0f֋HL܊^|ΞPd=c<D~t=b66Cm)zJ+C8O-&RWz1;Pmޟޓկ0ZJ\<\JV[y\(.r~ T< ނm[%P, ;^.*)oJgGW^:|$NoX/gf]TwU t^ 8Tlf59g?e' {3$<+]!EhAG/MyNNM:'sz3Oڿ V )0[ H1eW'U>帊&~J?*Y\?wul\/};Rd ITc -C% kONNP0 ;1-{pڶ[FW"+2MeA{"G8}sVi5>J<Աm&.D)߈ꓼ$GkrϬ̨9pB:ysF7Q {qnJyi IZ>мl',B麊 cdԥ;kbrr*|ퟘ؞I?:Q2Xn{yV+)E_nrgr6QB)<6@}}UH.ymyN:`iI}gAf l\%姌eBҗzz]`S,= Vݠ@;~̚V vڪL4 ʟ)P(qjD{zm*֔5}%~̩`V8dT5[R{, JPIݮ(wgw{y# )CҞ'gaJ4)]|19$Qw̯+V,+3a6PTqQ硨N( C>IꙘ!3ݤr_Um'B?tM0h/l;R_VQeH>fh} 7n눹TW{iRguGXEqf\0q:pRd_ҕ)^@:ѱ$Y!r!m2ci#|Bo/e<LN"茡 !bcZ9˞zQw򙕗@8^\ u (Gm4~:"tM! %F"p1G%AӒ \@@'\4e~0PdojIrۘ\MY" K%aIWO'p(x([FBWuMM[@mџj%m*}~P V3q-3XՎ08q: :C{ɤ!5(kdeU).>9zHӅ IN ~l-sE6 DRDs[f:3䆜nv+8nIBb$yx.NaW="0dM ;GZڸPJwQkNCg^{aXǭ8řcu&:%BFeǎ0[$iE?w9Vx8Hq<ϰ]HCGK D.k2YXMh,7IT_~2p j78NI |4s-C4*#-lƷ:xCe 8+ pOY؇u)vʡt|P\-@ f) {F87 JtYXGWo,#h΃rp9?wJww5(Dxק Gs %O{6 >-^T7+ef&;#;W_t.b%\\#pQ;2)<_.~ 8> ohtה*sOtCb=tT4D*)s@cޡU NkXg>18%!PZ\,ӐZRlKJz.Kx*7 C[%RAxdEQu0oEfޮ٣Y1LY$X s.̃Έc mBۼE^`Dh4@Dž ݺyӕ'} _<ʍstrUgfEr`F 4%V(t'a߱ m{UkҺݾgڸs/E1HKh6_/Įj >iGVv*Mg(\HX’G-ե"\b!- NWjwj&"ou{GJN%*)@ԩK͡T_l_+TdC:DWF?D}P452o x󱒢w3胫  g?R4l eX0_Wg$gʇgvqŷ E+Gy1G)1MZZvKpTl6GPvH?h~i@ ٧BGCP{qpѼLSf1JgQ@Ն{ => p< 5Ȋ{6ZcS-0If8nj`MI$ őA1C[&64?]u P8zxPæwƞ]u&-Vh[XI5u;RMH*!ĸjSkNV|5P06z\ 4|EXC̋U*ՌE+0-I~-y,,,Yg8]Y*p>jmÎwL佝%9;ڋ|,ނȳ6ZˆZzK[ k-+¼ pd^>uT&n$@,{ "uGRS!I]#Qh;[ gt"m|@{]Z{ˌ-Tv;( *`SE8&gkNS.\Fjvr(;ʐ455]ߩ`sn(tY3?&:ZwmÐ_뼜ה-~#&mL!áwaQ۫>Y4=\%a~7oMI'ó P>߾'MJn,T[!'G䝆b)$;$U~ /p|&q>@d#rrRf4pVn .f1=," yIe/=uo?%pg9>:?M, _ 3oo~K7 N)[E- v<\"NɏZAɗPuiu_WZmB>w|}[fZmT|>'sI-Ԩq;c>kb1P;ey80K\5hadh(Ϟf0}Iz*%# W1:ok_Oi=~8hCe"HOƼ&TƘ м~0EC *UF?+`&H;F,wzDu|= P8 ?ȿ0O -ɲKaEt];` AsݎH=zbvw:絀2y]zrSG[Gu7v{HѼHM cXڳBgR.aJ^A CY,.ax!+ecC02MUqZ~ȩ>jKXHCPksm}sUVA +_+7PgS 0Iڍ,2RwWZ Wphe L2rMėԣ a'[} X2\2 o]pڏcpERwVɾr &xZXXv&MJ\D$V҉uL0`#Γ.xzXn?;yYrdUcWܬG'֑ŗ܍ { ]>Dr@@$MÊ< |DEg,]U#>Ҳkz׻7 :JDA%L67  /^_Umӥ@wuLKkj ný̟iby{0 d3gIe<7q)gG\yG0(h]_ày3wAxaqEw7A4TC"*Q[XM~q@ ;ܝ?Ѿ'YZʤ}9,*c'0YiYM|fEgj=zhb[3$rZvaGɮ3oVR/|(diN|kO"JO M18,ᖊb~KlGS;`W 9%N%q'.R%'46M{;uTIzj?`FIHDlK ,#.u(}N6MM9BcV.i2U(:]/і[\GMљ젒aI)eӉѣyB1ز`~!=ja`}[6LilfFϊOtud!{l-]k&*<ܑ~ׄ$12A`"No Ȱv.$Gp/;zb`YX t?}>#C>ǯcZ[/vxSD4*"N%F%\w֨7]0g8e/SڮfНBK1t72a IwUIEg8ۯF2OָڦnU]",]gJ o*phN=0IOQMבֿ~= /_&u)4n¥cp.fj v}Md{ h0 \aa$?03H?mQXozV{5!. BBd6?Jpim_NRQq;cԅ7{8{ې VF L*FQ)эTDCС:bN*G~? h*.Я)V|" As>$ cwX^N",Zayl.!1<*|dQb6cku.Hcm v [%өr|Z_5A2EĭPheέ'390\Z4)`^˯cuoFQjwL-gi#HS,:yn}1=ɩfo_YEInMoW##6L!ĀqBE#^qZit.S0 h\4\Ȼ݃IXbB: R,I5B~^+›=@,0'ZA{[xtUlH Ws2X@׸ 5.QܪLsڀVIsݥoCJr;y;qF PqL4rZW4w2n9fTi-2Th38DgM^!N;=_ec>n1|;ˡ!.S1{ dǟ5Ad LI}m0f<`\i8wyk}[l= {A[0k3@hߝW":NB iq\=c3 aeJ> üsܯ+Gi 9A.uhIa/o{F{a!鮳)G1\Z9j^U~)י]lRGjB.H ~ 0>Ce8W[&XIRxu-'B;mMZЫi 2 WEq LZ;1-lڮRRleJB* S6*gq;4we^DAw?.EjZf>Ƨ'_pDZ 33{ځ ybl(A3ğÖżyN 4dV3&@,LXP?P )|c#uݏ}vWK8Eh(h`/Y]EF/kC_cS2W2, ǢlPEAݡ% OiN` t "˰f:yĚåYKMgGƕm(cУfNҴQ>1eP~&d~e)Pv$)6$v|dŅ1 :=Aг2GwҒXV |<ƾ.<y^͓A?=rq %~I_gƃ۽Ny.֮ހon:UUcgw C@3\q;WbxjI'&8PEi69ۉ3ҥ"Q^ng $hm1=^kf[k ki"#"=EpQKcHz79"&#IPﺃa\Ogi+9T`﨔kvf:_26k_ELBnڨOi&FMVj kN(x (?eD~ 5XYTmgq$ٔ WؙP&pz|9:="bljL},PL6y6p,F(3v,@mPFp;n~vL6/ Pw6#3)Z1Yo]2 T;޹}7|[a?}is<_C\8.QJX>s?&[--&WL14,CY>H$om`cw&Ժ v_:Z&m 3DBP 4+1³sģ՜^7V-uo^}!#%MYnƩs~Ԅ]Yt+.:9  VMB"DDIpd;EáL8>'sHğBXd-~Z}QC5>z :ϧ&e'k|k~@x%q $) Z*5^%cbVvuZX/^-^@+2 4X |]NVt.]z\|SR~'I/NMg9$6Ow_q s#yY! 敄Jp4z79u~}TE84+@}yi I@xaɽS(Y\bEĥPHSRC;n$Jaz6aFZ&Ԟx%D*N(OarQrpKbD.3ڰ"c1ΏدQ, wWƻOmF٘(iu' @IwyR&rr DyS6>:ch[ Z?QÍ\f]~2~|-V0  fDtqW|Opy #˭>53/z^=N0VNRELM92ע {nk s5Ib iN`@u 'u*=8 أ䵔MSKG35P)021Wd~ AU𪶛,5:蔿Im|R ೛J‘ݵl\3q,(a ]F&7Gfpr{}4.S9Ҝ#Lh!T@Rؕ$ }T2\< CE![TAB2qWe3yi3{ORDup{~l#:4cN[z,sӝ$[|k90|y+ZT7vy:s?:@'?p!@@8c 䀸{-ulBe/nO-Tp/TcY_Knĸܒ}VYE&s"iA=@;b'|PޭH',3 GqD(Fb ' V^|V9QҮ' a懘u !q$wZ܋c`;0kyD#z+X:?Ow2BFW2%HǏ e8`?H+l%3;oI=j![$?TRuqT%ZqN6eͥJ.04<,9GUY_Owг:gT~P@ud&"cNA!0S2ͩ(ï1oڐ敄Օm 74Kk(q?jDƿ^䨼yLgN!!;]?fٗa,3f{S!Z.0|? Y۔zFegңAl9dW2FG.RLSJr}&YVHhR=B9 0h xF!c a0 p$=|5'| H'*3H`2_93C ,@bprn9讪M*T:k(a~oPgQO)hέ$Jn 2SF2ʛKN &AUlΗwWpә5?EWJtvhwER%nk}CTeNWjXHZ+CԷ;r_Q>_oKa :ҬK 3H"SJ00ƬGz:I6Q"8ܡRe@Tf IF"Amm M(y\sUw^Ҩ2m̋$v̊ yo`/=}m#N([πWH>mϗa^5 1r@&O _>A{)Z{:]M` 7pJ/廸p#DSi-u8֖& c |gzW>uȿCHp\l_.PS9Ir=O@xv%]D\,7H_JX7Pq⫅J@=$ܤ|8f$TV-: 3=s_qBvZh kىbK pk1q ׻񓄮^K)54Ihuq K|0?mԉwk\+?sTgoFM$/<'_#Bc]+d,7Xqv|֖`o7YmOgp˺ZLJr{6 4хYC|iD4z?\PZzDS^+wX6g|t2XdvgE0GSm lCrYՔ=P.<壸<`25uN!b'9U~mId((vz2N%kmcLMOJ|$|ڤ9,ӯG_ӌxL c~*KpN9_XЫkm8fbgĝBpw7q:];c݄ Y s_%JPr}R:b@BIUM_a'~y6jO,{SN6*.m}s]+tY=<' Tꊦ^*}yUhgEoSj^cZd[U8+j+IŹ~#_ Nb%R3a'R2YW o8vt[[7S])C*dƠ+:uR5=t7>Խ[z\rQZ1<"&q>5VOVWT^rk &O4Y=ha(1H46f/ cEnrd`6ʵha#\tJG25La6x/6P5 B]^Za#l*wym_|1'ioe^Z !^kjV*wFg0rF82ųH!RӶ54JJ񴋞qP_\G^l_Lc߸av98MHsJmltI)L_n Q ~) MX ]H킜a0ql:͝0P9%&P U7O*&ɜjW@M$JB?&Ǭ昵KK3MͲW-\,s'lC`C* #>eWn+%m'(ϷOJDގOu͋B +@\f2ۭϚjJ5_mťGr{ ?%|J!_uZd\3K$لVb1 *_f Ű6PE߸YsWbfjOE"$H-RsDfV,ISQ==m9#-)G`x8AeF.C8:1(sS hx: N"[K'iJ5(Z~d"l! VKQY4ze`c.m5@נsJp x(vQvi2/I2%NXt~+(TpTxA*<(4FZjx3/AY#d`&+=Q_pKz5.3FO9c\,KS`udKnn m3s-m.{GY&Ǫ=hg)rzv`bf c_ |># v%7+ɠQjĭ$PfB0:ĺ_~沅u_HK~-{(߿E"s Nr na@A$xF5Yex*v 9u;"ߌ0UdA9M^>D:_ЍC"Ҝ`П{K>ܶy~mNJ[ `jR*Ox׉-vڹ^>C4+d 5YB$>}|֡[m!@]KR[F?.lFQMw&Iٚ`E K(9`H2.^j_GOb$= ;g"-C% ( 5z[`\!,TB$4Mk"$xn:"yAkFAA5NkHer  )UG2Уq:Gr{ WEriR>1{h3Q'}J?ϙ iF r*e䶮yK)Am2聿kc8(Ӆg#Ml:U9 aDBrlZﰓh6뽨pʫH.Yv*z#c*W^ j'\SL_W9JϢpf"E=.I X<so c>\7@z c1ۣ-iķIMKţ嚲iL+4iϳC9 \ZIϊEmOr ķnF_P,S|9s Hu2hI_ w/9+@e}XR4x{ y,-D >$8'hOs!˘BcjH5qMЯ ᳽qėc0KHm _"KW"ԇO 򽽚IG$ݩF !|$C)[̘uC~yeeb?u M&=E .ZEI$t]5Y]Iۯ3C82+ !Biтb/OC{䛡2MPȒN;6twKx U=KL̛oIw`Eߝʧ藑*!ZT4b|xQ4d.Yξ7N~qh+ۍ4?t竐=VkTدG𘹁 WJh&/6b,thlO ̅5͊5gI BԸ;Cɂ( 1qu b-TV= C3D.ZX8֯@;I@.R+9v N7mYE9CXS: ϼqak߼ɗ˘OӐI@BGWWKe4SKFoZBVTFI9)ܾ"P,p\ko Ec Oo%ZusYjdnb;"r <^üVVlOͅt2*U#%%zP<0c% ]ԖuF0x ?l.G-?|&@jL iLFv,tbFv>n;y/@gDXy '">,.$CEMAd8#kDT m Qv +[.|jsUL.rɀ5`s[~my*E}x⏺i6/=;) F4s>=.;WsKlNƳv&nkz"L7bs o-B1Cl;0P~F,s'2Fl2KT QUcąsASБЗ-yYLhYA#Ϡ@!m0B]T7<9w*xsU!:(KINU ɣPpill7|z}'Aq[QQ)IrPB8cZdu>N j#W;xVKDRK|%A"gEք +ܝԙvLao=z{1b4"@UܢԸp!nQzEcW;Sb)e4N'j 5,}(n+/Y%2 (6N8%J 9XuKTM#GƆvzgM"R``VCro!Pv_U?ӄCff$A -M(;WylIi9.nE =R02C5LH+P5d1sO2cm<908=Z.(o:;܌}k0>?>-*:b\; T>ۯF*R]}n$慹PxXQ ?Á Kq &[!Z@$e($Jv ~u):LIS/JK-L.7-o&~OJ)eCՒ `}]{_ɘG%_a]j07 6 +րKФ36Tn|fTC\^L4FA5#,G. MJSh 349 }]DZm6jh 'ESvסɆV89xF#5++e܇M[W(Pcb&϶ 蘭G%wt0i)(>}bףQ+L4eRpRy aBه$r^\^h}7PʧmfW 0yMZSx%"R-J2lffG.XRW8H4T44WְVQtw܌'Z?<Lv% oqQHu#?*7(6Tupۗ~[ih2|kاgBlI^tUmmmjQ6h*Tt*= +@3=4s^ ^? B>0!}VaxD:YtakTSaWvWbiKG^Rk?WfU]Q^/9+oL9ܔuL4vۣ~瘡 <'ФR_z0b-|_S!àL^HkL8JL T'tA, sي1Z{4 ?eI탅(8'DHLjX$PDUn: cn0C|,Rԓ_H",{(~gԠ#dok2[@? ׾y^]Fhns[th p>k˰3D, ^Jq6ã{seBϨ4È@(|xHT@v >m\T_Өš2vڿ^0cʛԀ`7{1EmT~{$bCa@;)D, •I ϒRl?TKTɩSK֖;I׎`nO>??{ BV_@Z-„g9 :{[BŊ~>>F~"K}瞌vh۴Lv"aߛ)/ ǻfqlȘ(832a!W,&!lDzTw?eV4&Pt6칄هE؊s],lX#ۮXD/ Ud)d);U쬓.cy_ | dꉓ8_9L78SsQQ+KCnݡT\XPY:uTLU7$[lao{ݍ Mv݄@ogb@.?d{ݝCF1"S E$B{yp܉|v+c*9B+'l '5ic(كPN=*KlzW=>x¦$b%=wj8Q,.G-7oćs?mjz~*|%y \V_ 6jׯKygŊp) ӲP5t &8%DWz 4)2ő݊w C猼 uMid(ܙSMFY!p 7n~Wg}. 6" mϼnr`Bxp`O=62cS IZBrvd@ownM&tw0W/?7a<񣀷5(`F,N|zu|o>q/EVh)N`z?%䠺@l' r}c[ԣFr7'd.|/-—R" ,$ϚYNS % 2<\`3% UK3LRG#ԍ=I;_^^zK摦n .umup0\t Ǧ|A`2S Oẃn;?WQ/3U<~JR=D筛E<ҊN˲Wn* 8 Da aܛk"c(=/WұMTˣ- -CsFg~Ճy'۱TN+{Q/R/w`CiC.<ȼq[_ 9=+,Fw\Hh,q\(xlE#Zke; $'S2>-_uG@~BLu(Lh^oNbx4 7`O4W9jotn{TycP=|MƊʩ*8-q·R `XIo@;ʆz#%0Cm UgjwM6GY,+};qp#nO="MқP8vP*5P~`E// Y/h f%'"Mj(L=,8krK`_Y_;d{\0n0|ZM-wd,7tLԁg z9ZsgxM_XmR @v;18&,Pc}%]0"yvY}I?9RŠr]]cJ"`tpaՔ?ft' ^%TnS]z$8 ؊YɁgַu_!QQuJba ke 1{X2\qKIzZp$ۣ\X`\ۨaDrJZEXu[do]$[BJxmxC2 WC7Ft}Fc$TXM"ޜC$N {?͌.0Q6MZM,uˆ5Bܝe).<_ERiUg;kMt PHX{eH%=z4Y]R#[wu\W\R=:dŜ]*Lx͋ZV+zRF,rV2!P4-VRohjŗcCIL;NpV~^ !fclnuS]©5+2Sc=/2YxIk͛_4v3hgڮ3)tWO:*6+<F"FAqD]]IK vxGBE{Y|yZpUSZ.Wٝ ދv;k}+uĀኝ DGx!D႖TF!I`=W5 cNHi;5ڱ%1.:dڂ mӡ<v$lҔyhPF#gc _.#G1cX g Ce=O}TB ),-:\ .#k}pРS9b֌Ġ&mjyۜ;K?K8@dzA`{W  PJzpeܠ٬C_oĉiscVc i-|dSHsS>X0NʲO-t ?u.[{ֿQ|qc#v͊4M#ud}1, Ć|] \w"Nf?BwJ;LEFyD=>Gsm E}|F ZtMS ^i`t?I᥆,X+ja:@ {X5 5LbĞ33v%挃bn8j23kǰ7nhp)7/?.- cβޱe³kAJFw uѨLD*hmy@X>6v0IAzشmP.*]ne&ף"g}v?9cK0[qTF ]pY Lt"O^wv٨oiy|]a":AKRsAT6#Pݱj[:'R~7$SN2!-*3ӑ[CLmon !GwXv0 T<SxZ%̏fkn'=a$`ccew!U6C[ Ch+Hif[r}H~sR/pma]dù2qf5pD /#^#_;wjiITwzTc\zˆAN`ȴ*rάv;x$I<\PcpgOEro1! 9ƛ4OgJ#|ƼeUО_,`GS$9 > МH~RQ\>&D+{sq<->e ~ٖ13ċJu{GuglqW,sUk7@St?|:fCDS*u48`?#yt47#tݍ"ŰD駼ZD3 Aùo4}~5eRV,C K1~zB߇dCSt0:IMrEtȼ i0V}ķ 'К=MI0mrӞXpGCpI!0z}bZŲ Cw )5!l| FS_y%BD[v2%LMV gmom F҈)_$ޝҗbzwTgnU7SrTrOi0:]K&8l= o6BNd{&2` Sa:bi5Ky]tw]@F )~:ʛOW$R{a?h'Kt1jH/X k -Y뛫ŘmAg@5 Ox. i22q\D8VL=ieeA+vTD}$0AYUy\1N8,E]U9ƁHiʛNեzɥߎT{@S;]o}t"TkXE ݢ \V`Kz |Ud={l8D oӋw?LErF¯@pWew1qcYJ:(k$B!ԋr=3FAEY-rT<^i'8Yٶ{'ew.bb!7\~)^RIjCSxEEwL]: uW| 9xTCaIjBqODƳ9LۘPR"#Цi`6"@5 [z99C)Q %c+yA=̇*dKnSLc v^g"=!O23LX<įmeHTw;㊯;*R//C"]eٻI}Ol$jK 6N2ԒKgyf:z״o}C-E4 764]ӇN[ } Ʀ }$1: k{{ǻ!#8С]C)}$ <0yVz7P>qlW]e-@lnE#vz4R4O ݀B*cΞ]jL|;`x,)kI~a?.zӈR;m< 2fgIRՆ<C7I:8~tB)Td tu &9f޺pB:8Y(Z+ʄ/Ҝ?.?yK*TdӖP\.h(vmИ=)&pnu;ZGSVe)a?Le"&<^=ISmKiPO?uqS-wǻtcQd\-p޹A:\[Ynѽ%ɁM*;9x :z JАIYMU=/jzspr7`vp uKQA+<a'PY=Ifu ?%ubjAFdo>9Ň,Fʴ$B&t* 7-->q V --&q!cpRBouz(L)Tm ?Ul@QL!W,V~6!);^hPTr\+ypq9 T>1etE=ެxη>1(!~Zt=$+X8,FPFGN$?+ rk<3:[=Y,4[Y Eb6㉑:$ڜ4|j;poY3{,k ~9ǂ{Cwo 0OS͜Aw~1.Q](Š{Q*BJSݿK;X4/lylNl*MASX8 ]wLw/z.`C@1-k+8;ENPwaI[m?9=5Ae`R o[ۮr/A)Vr 2V'4~"˦$ [XJ ?3+?tu[+1Inx/6R]&Z/Pq.x'XɂUm1Aꎔ%SJ0.%wt[#6(wB~䫊0e9͙Hy9kr@JЍW R'`}Tb ڡƪ|VJ ~&Vu.Krff(3Cg.t1Buԭ)m١6{m4jty$LMaQe3 CIb*#a*^qhuA+R;B 9&LDzg ?m6<9C`WF0y f `Լtò9/jGȻ2A**N׹zC 2HrIx+ač"mv+tj@DF3 |p˾P,֔Es+xVA`Ah\㌐Ba?ȄA)S3SN땶|ݲ 9Q:GuTl7pl'v?+>y !1$͞C.9 tBַn@ϩT7eʱe,EA_SeR8wsL?խGw"a9UM`Xq!5Jh'WJ1E2~"16<?:Iԝ5{d|IW踅1%|'|\X Dq$_xC0oI%%H&0^;i%}uNG.'7BF2|A=F `i%Xѧ4+ Cn $*SFjqÜuɵH҇x9gޤaف|c1AH0[EE)]h"nP7%C;LgٳépeSӅm6;J?_&l8Bd<X[YB|I "۾Xze~o+:"}CTsDԢIJ:/ e @ +2|D!I`'Im%uOt3%cx[Z};e5E- VYH@OTk>#fP2r蘠у~l(ꠕT~@/oz1ZeߖA$ؼT3J.dLk9us(TJ܎K: yLbBZ;B?b^>jUH#`%qB`{ mj .qzjSLNozJ[.@Ž 5V9ޖ4QWSޒoqevvQ:a9L8>c3ϱ|Ok.+ſ\qdW(ŝAyjbGv3JMfx/]?|p $0Z^5" BmQ2TY _A>]EgJ6yPxM҅MF1P,$MFM6ĕSk6P|&TeZ[bhA/9DaZJN6MB.(p}"5Cnb9=fʕDZO.^4{˕:SR<ѡNKTCtrIz$/ј+5*u.o ߪ& 4ՊLٜY;'S=//,]K U=Yl#ZnA1hRpAZT' l@#!(fҫ_"%;(M9K25t ? 텛jA^8tFij]]I4y'wڥO|I26 U^ 1 dn]n~8}͕<$CDϤ8‡ [1L'3M3_ /2a[_u/%E}TgXAN3Q'ӎr t{{DvfP˱- -(@Sp,m7ATY=S$>5HϿ@RO/ k6qυ5t?@[. $!N%$;'O#B( N Sʍox 3Α~%{I[xg<[Gvs)~{Al Lup=h_7w AG?0&UTRʉ~خQ]2lE.%v,ر밲|ڜv$ ٬@U);rkeD=A `i:v*8:2_*_'wC6-\4V,Z# ˸({kTM}@QnkS)! =uP?!&*3ē~KߘYò)׶<''+~GwL"go=OJ3 (uDrwv^rCn0N'ȯ;H2sa+lZ$c 1QfL \[g[9|~& OՓM $JM*=; h.Yz84!dJ%ZG!8=,|1M†=/(zu!(4䅅{II_(ɷu}e-;T%b#c{@)W7ia-:x/Swns5}||+ |yXW=,Eq֤Z"FU}Ey2Uۘ ;pZ`FCQ7@P/~V+v\=R'R593J#K(n\JuD~Wki}R{Ny+lS}Kl \&BZbbT iRKIn[&S }&?ʧoBͫeUv y6\U'M[o#l&}Y/+ Je 9Xa#j0K2!Ő!ċآ9c1s Ѯ+%فL%IZDD'|, xJ "C>*}ŠxhAe\*lqcɘ^/h0̃~e1ʷ?Yu_.+(`e^#;qG /#ĪT ^cr' rnB<`%=L l֟ ϳ(w봴5-=0q ^q|\t?ǜ&0[MX9\;]] qQIt'7yp[%gKeFůhHDdDGVlI!ʖApFFm%NG"fT*sCp[t7 }08Y8s^_O`@R#j>[CeXp3bHY[Mjh!둑o,ƚf&Y.S`e B)3]f@,yYs?y7e@;/ ;Vr #7`XmrxS5-$dgJFܣ '$/x)]4q%L3b>`)0fu|ݬKA YY#àx!klj%> ᴕy#b翑:#\m8EzոvAZT nK`i|)1* B TXEQnPUݝ.{/jqB#J)IQ\efRXssz*Aa+;5x #BjmuL435%))VlC)<3iČ=`B,u(;ʑt KѾU/me?H̦\JЬfDN{7$#,c-nӚ{RЍՌ"Coh4s.{!F1@<9iϮ{: *hz`aЗΔfM>63h/w)i.-@v[K0Q0cSe/?3f Cݞ`c"Đ(Ox<X])C ܋!r[ع4%%́ =ZHp ^(> ϔӽ0׵ƒXEsJ bm] ^cݥF4m=VIڹ:{eRfD- 2"2i5I5Pb 9XnɝJQVֺaܑg Le4(y0QjS+w2oX 5GI4 ͈_? irk|O /L!3MU<lF{.[z% `H5 */R"|Ag L ]ޔͅw](~@LG]"m7縂IֳHXBh?:YD&K=Yq ~b7⩢i!*sP+a^cg֮fC2ڤ߁8"g_`*`z`S[yMˌ&ʺaSܥ\6S^>VUC\> O$P-)TsU!g"ؤs@{}eO j[<VV%3*J28wR2hSF? T$oW8;&R$==>xm5urӹ}rXLԍP'[Sid/&!L`8smNϼ wR~VFrWPbҤ"?/^`L-gv^xL+,t%9t]&kbtn TԺgUnUfrgEcodNɤƪ))]fz'!rgGcv$W)RD;h@c0h;B0 WrTj=dEaW-pp:2J]ݶq (?!0&+|yڱS@ `}<,W|_vDpfqfڶCSõ|yV+] Xk++$6!S~ 0o֞͐6nU\t3SllwݡgRr±d Q@xjv`ۍ{kLw#iIa?e)AS8E24crgZZ2lN$">Tqt/T3fi_A_띗Wf`]8o/#s?π7)[T @->cͱޏ Mc={SUpu J4 dg+飭:EhETA]1Rz79JF2$O9D\%T +~Ls7 %~FO@}LЏpm ۃB@wöQZyܿsԏ; 4k0*]\'p( >҈ 7R'ƀI\s,}*ab]ɲ6<ꃶjo ϗA DQƬe(}>jpY( 5=Kc)21C)Z]\ṙ̇gUj+ ے Osԇ :0zc4(za)Q/ gc߂Y#l_׋^HUJn ܗEM쉒y]ַ؛Rfhhh`muЏ?{"WP¾=3fR}\;w;׬y`chnMJ~~y4"Āb=3; Ȝh2V ۂ\e_? (?2(oiRi$ 71n!~wG2׾1c/ N[ZUqLEM2!Pqrк[{*:L󄓳&hl (A#7iW$YD%aO5!;$$Dkt0UJyq Ќ oϳ1>&q-mVYZÒCa?uz z#q~^k,;cUC&Z݇:`d$#aI( WQ%kS0ċjEkF}K\cfxo$^OkI@*|pm 7 `K_W K*щ  +Gݜ%v*rz|CœYhqlo"ZnȠhL@ppmP:6{h͊:NV͡J1]'[y^aI”6Y68*5aBn]yުKjN9(!0wrH>#~}C_F,y-Ѓ-seJ_ެQXuq^:_{c8'ajQ)3Yko'5b)SrFv,7|RX7sI8|MbISd n| 9 TWe=Q}/2B^v[6JHMd 2'IY&cm,;8waҴ%WpIdBDxEuQ=8BYM7aR1 t l4\9~B\R,ݽ.c^,mď du<0I*S4n}24qFR#5YN\T1\-p]x/}~u7& 9IǩF]\(3<% t?}DY?/ݹ;݌#k&}mu_MaYmV_D~mRʅ1ۏ֍k;k6G-L5r̈SI_`tk]׸U',6( V.@Õ ɴEOl7GCʏw!1IܚS5s ^ 9V|:QDPؓkZX^gEdywr'B2ַEXJOB ra#ƨ΂ONt2"D'g ^jҟ֍+GhNt??ۨФF3Q]BRbBf/K;e a=q:XP[mr $ Pcd F^dk'2m`4xTb,LCD"0*`C;߃Ht)^β(ueԌUW6( aLȶӌ 6Wl_a"Ӝ5ĵF_%R*m嗜4ґrɬU0 &]rdB=cL .C[ Jv4bJ!{}enƨU^3t$&$$=BmC * D1ÙUt"0?f(h41E=\ȉ8xwO`H1v;ͬ=q፷o#Ecc!<6ը\hq.C.XJSqv[ i{&,?G*M$U)zGCgSz3BxfWnQ3M}F)X!Gf[}%Eunz$6 ij]?ҔŎ91JO':ne-` ?z吲ASRAoo9԰+;LJ)=b]:^yzG ɴը>pCDf~>>CR8NaRSST)4@c̀B53 _&$TKsմ|јH=lX]K BKx3 S6 :knB0tӪf5b^V5Tp^ Q~0v`/Yy#{*y`sF,{cr$xT!dQ̯EuUhpLAx#JxD#`ײ)bt PjN7]ќ LIv`8ȑhuh yמ:J/yߠKYh.>u/rWf1^KIp`Q{֓Nʨ?J,ʩ\EQ'P惠K_4B5? H~s@?gj9cRЬ5SEYKBwp ͏CYkC{)yK7A5e!ˎ †] 96(M ۪hR¼"R-z̈Z/?wʒkrww?"}be M/RZRԏ l#sѱ˚%}F^:`F"yOxo؉J׆te9yfAN?,ف7Kh` uI#Z/ kj'ju5 Զx. Ie2iXaR@$ةF)5W\+~M.}(E ٓb$ vK1X6DxFTuGߔ{s԰Vl-fv4\3PbfMO#fne&._\|%2ڡA402v SrOw+lpx5lޕ4 CogꧻFv /!}Q!|ʉ=%BU!N+r)g/[>{d0+D'{3^a~6ųڪL0)'3P!A/@p2oІd6/c݃ ,Jf-g9)op{7H*u̡U?F&0 D^'\ƀ$+?!{] 0X>)_Ds O!+;P뭅Ύ%PC d&K-sV TG~V!QK .vIfL'&":Y@yIxYyj_ICk3'dSͲ."؃ itE^PN 5MƇ25%i>k>HFXr,5u?a9'zd֠ x!j[Yuv{D2hYJ B{n] %լrhZȣ|.PR?qp J2C JnWhN'HAE{of_pB 4X>'˒cn'XJift)YNٞX!̋Zj`5*S"rnc%mT?7$(/+\Ul sf\ qōaTAЮ>r-g!1N|7 +[hbƳZ ?(<2ḘNqԿv]M<7s hw\!)[ɓm3aِx]K@lU77]ڢ.%ތ@~B7߯s)+9j (@暁=uE{4&ⱂ*X9A?3N0}0ZT簳5SpT4,ң4' Yhq4|uvv4Nve|-7E"UB= +~$m7#"OB#Djb  *_kw}v' 5*^q%?Kn,ajļί! W8yU)bvq2 Yw)Y9QA0IU2D&;zYL#;Zlטor*MBepԙG]-si~@5ڠ.I;5U|9&F!so9)#Qmu_+߼ 8Q)V;,028:$XLEt5W}Ǧ/WVHh0X6}y4vy~NH? 9`CKHŁU3=f1l9ׇ'^@`'7B4\p|x`o:q Kb9!7 ;MDN{QL/^юLJa?,VznU*gMzXSOԇB.i!*y 35M ^ BˤqNڑGZ) V>Q1r(].047ԙu`#?Hm­k\mQ5}#ƃ/DOQ :җpod4Et ,1!Y,;JRoNs9~r]R35FAH~p6 cŹ!"848嫏zƒ3 >m6D6$5.cd3˯!JZef~]w@Gچ'xwD\`l5[LF(0dyג6YM3DXЀyP ;%w| 6 `aJ澆~nE|!h;FT)_Qn1I=,~)sӖ>ůqW1ElϤ5τZPpE`R+& e5{!I?R/#*GƴNfLH;V?!aW @vlӟm޹)G=O\ϾN^ Yo* YC#rY 8CQ`@6Axm=U=.qK',ⷳmrTR@~A釭Ha$ dHj3wa.w2'hh 鱺侉J C% h̤B|BC}XYU$#cP׀#sR@{ Wٵ?^l[o#ibž 6p;%?4#3N|gcV$ɚKk" !}!Jgzi.o7/Ze+5"!Ap{S#dʞ_yչ],?A[:};atRĶzMh5_gf8^A SLq]ފ?y?+.i*N4.ElQ힒F\8Pd9ӘDW3^q?,W&Ryk; ܇ܷpsŢ.wMkU(]G]Y8)KAGj 'W .cZ ʉk]Q &PIg6ctԩ+iGk>餞.Bٵė51#^5;5͘]mXk CҖ`N*f=82D/NZP˪ h1 pWU!P&Tj&8_!$%\nχ]ۜ. L#y$((~ !|ڹRf 3k<2(M P,"UƇi {oA1|6+WHvxs0l37P6aU{dBJa2\@u~RZliQ(-5t0']r'?n_tB;PtXo~LbȀ'~;1Ӵ@ ]`z%ݙlvD8=ԁ {c S4賸W{e")vQ_ aɲX<eC~27N@ (]cTg\)O=B0[^ZCLʜܘֲANٌ?p 6(vL3 X~V7'&0g #1$g{K~ B}|n(X|C6hJ[q5.2O"Ɇ~Cne;X~4܍-)zwo2|KDxPڑߠu j[U q@o j$tO%}kM[x>quHI+ 9R&?1axqRQ 2]T"A]9YB Ȫz!rn4wyx)*GlKJ%@_и*-L;tIɲ1?c Ί>3G Y0ҧ2gUQ}9RO \yvV)Tt}\W$vNl5fS{^M]ρ@>6z*%9a(=R^<i3?} $ 5BpAF6GܗcQSs|\kodI#m!pT 2OkM74QN9{XPq:Tlo]-r7 %IUqttq߭*}nk>Uư )+f>Ȝ-#kq]93 |WM;}2UiVDExƿBy#}[ϼJ_hm\(qs {t˷J5m|m-G "0I_1~EUdfNj{K;WnǰĩU{'",vrkY{}$8-7< eBNIc6pLw 5q@jr)U*26,¡=/m*cIG$5 NL`{.pΥ Q`Q\zjRf.6RWn̔5#UXGkQw|D!0A-Fl M(]s"XM<(hC*O,VO9 0ɜZni`'m\) vi I(wng52.`hwk7~TV.%u܀ͻ&}m|YfdDZoNGf˾߭O8ƃc#E5W(l YT ]wva'j?qQq=dTA97rЖVA zK`Ll\F]ҵ :@Ѥ 2ù;J=Aߟm}T: :g|۞$#,a+0Kf[%݅Q}/9*?*[3KA43ʯStGB=FßYT*.nu0EnݧVg&") ss-IVr`݂K[}ܑ- ƗΩZ˜_ULuj^7h%N{Rm|d@g .#h饽U(OӘ}q?D#$4V<=> c_ϥ %;yvR0unbIuSjPl/v Nɴ&|P; tr7Ğ_)y«EH`z@3i"F:9k]u}L¥g8Jέx GqZeP,}$ASGbu%m70U gy,e5ȕpk09jmM]ʌ|jpgpd':B-ƒagmxh\ƪ47֥y~HD/e6 -ue( nhgg䙖^{D[ }ľJf "i4ڹ&%USO-I\G Gzft~<OHpW̝/:'S.0\nɹ7/tyБy jPLDQ35S~qTXսmtGPX弛5H7ӫ%^^-{+bV{*ˉ!U:x}%>5SJ ^7PU뭸<&͎)$ZzÊ^D:2B^%c$!UliSCxp_8j`&7a󝷷iFf1EN QTC?;.#XQ<*$ۿ$dFx?|,)TjP&!`[aMsHg >٣$R>lFa]zd oI(҇xDr_ؒqEҳ+~JM=^r%PAn؎ r$y.dYtJv.m$i0dcKD?u[3C&;uДCs& ǃe#7QtA wW5aۖV唧̅X V[|ׄhQUJ\W*8.D"0"vY6ɖ?_*yOJힶk:tV9`[N; /tOv:LSP) ժɤ=r[Oq̟i9X'T颎(kuبGv`{7LJ.,6M̝W7ۆe*Dg-f Kt~lRUxdQ6!e )&$='m`ZN/Mz𙠈L-؅ȶ)϶t!kmRk4 4x֙pBXƇ~4>ZPrK;jsvf?kn.'?~'[mF`}5oΔQJJ3p5Z:L5t@ \52IP`Bd.!]!!ʆkNW0t)y2rNqb(m2[KlmZ`G 9fH%g1Ic%F$x Lh@ vTXhm16>00D3K†L\GѦH?iIlۼWkt ׀\qj¢@_ڹݮ4vWhǐ͸gSB&cRKi应tjvjI.qQO6/ȄA(WJUZ˗ҍD^jd8\RV쿌Bf_cu_O=aH:)6O^RiՄ7~T.ɓ4J^ԮċEAʝ\G2/)XTH;]Zd@uOKG~f~ʰ/Gʻ>Y3;` % ހbRmm3g+.@;O2uMb^op- VPR+чKD 9[+rȓ'+sr߈0B&V"JIj\`+;Q`wHtL80ϜK5|QRTʹmJ8KZq?!j{R;*^Zx/Lm(iϰ)0-*їW3&7;Į]kׯ&Vj)1jc{.A $'CQc-dT)#_KKP ֑v&}SA=%k?35k"\_Y۳#oF@W8|aS4K4a`p&l&^Iue,:rY\x| WDx ݸq{L5~dy:ko̸H ө6s!NjҮvי)N)V$hȮӠ:S-e -UuY Apq9 $3u YZ