freeradius-server-libs-3.0.21-3.9.1 >  A `=p9|HL%Q˖׈i,NGh*%JR'WtrW(| wT"=V`]Ovg2nO%]V1P[H1ӑx]%lQ`|ԟ ,gdd- !=a_mM֥)R܂ Q#dUZ*2P&.ĺ4s-uAK#tMDvˮPYu1={DGA>hB&Ou.Thv>7NpGbTGnYh*3 :mk,ru!a~zԎcI`7aѽf9pFif Fbmne)TBzv'@mHwH2_JW;m,M2~'sjLo?A ɕUmC$7 >p>?d  & @dhtx  @ P `   0X(8$'9': 'F0GDHdIXY\]^sbcd eflu(vHwxy$zpCfreeradius-server-libs3.0.213.9.1FreeRADIUS shared libraryThe FreeRADIUS shared libraries.`s390zp37SUSE Linux Enterprise 15SUSE LLC GPL-2.0-only AND LGPL-2.1-onlyhttps://www.suse.com/System/Librarieshttp://www.freeradius.org/linuxs390xʰR 'F[AA큤``````^zM^zM1b597175c186f64f854acd245295c893b917421943868ae42fb172891b003b06d5b6907f23f3312862f799c0e8ac213ea259a4ca998a85b28122a53d91a07f3d009bf19a2b7a6cd297c73a27b165ae6c323678fdfa0575541acdb84bac8c073a9951ce11d085e13c172e74cb21261e5921769242045f24504c13c1e05b5f3ba08b9cc1e5d41938be45a368f126a6d1fda03d60a3d622dc75e776be4e90c2d2c6e6d6a009505e345fe949e1310334fcb0747f28dae2856759de102ab66b722cb4rootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootfreeradius-server-3.0.21-3.9.1.src.rpmfreeradius-server-libsfreeradius-server-libs(s390-64)libfreeradius-dhcp.so()(64bit)libfreeradius-eap.so()(64bit)libfreeradius-radius.so()(64bit)libfreeradius-server.so()(64bit)@@@@@@@@@@@@@@@@    ld64.so.1()(64bit)ld64.so.1(GLIBC_2.3)(64bit)libc.so.6()(64bit)libc.so.6(GLIBC_2.15)(64bit)libc.so.6(GLIBC_2.2)(64bit)libc.so.6(GLIBC_2.3)(64bit)libc.so.6(GLIBC_2.3.4)(64bit)libc.so.6(GLIBC_2.4)(64bit)libc.so.6(GLIBC_2.8)(64bit)libcrypto.so.1.1()(64bit)libcrypto.so.1.1(OPENSSL_1_1_0)(64bit)libpcap.so.1()(64bit)libpthread.so.0()(64bit)libpthread.so.0(GLIBC_2.2)(64bit)libtalloc.so.2()(64bit)libtalloc.so.2(TALLOC_2.0.2)(64bit)rpmlib(CompressedFileNames)rpmlib(FileDigests)rpmlib(PayloadFilesHavePrefix)rpmlib(PayloadIsXz)3.0.4-14.6.0-14.0-15.2-14.14.1`@_@_FN^y@^p^h^@\\v{\u*@[<[2*ZZWQYY@YlY, @XO@X@X*Xh@X.@W@WiV@V.Vf@UĝU@U@UU8U7@TZ@TTT~@T|X@adam.majer@suse.deadam.majer@suse.deadam.majer@suse.deadam.majer@suse.deadam.majer@suse.deadam.majer@suse.dejcnengel@gmail.commichael@stroeder.comadam.majer@suse.demichael@stroeder.comadam.majer@suse.demichael@stroeder.commichael@stroeder.commichael@stroeder.comadam.majer@suse.devarkoly@suse.commichael@stroeder.comadam.majer@suse.demichael@stroeder.comkukuk@suse.deadam.majer@suse.dejengelh@inai.deadam.majer@suse.demichael@stroeder.comadam.majer@suse.demichael@stroeder.comjkeil@suse.demichael@stroeder.comjkeil@suse.dejkeil@suse.dejkeil@suse.demichael@stroeder.comvcizek@suse.commichael@stroeder.comtchvatal@suse.comvcizek@suse.comdimstar@opensuse.orgvcizek@suse.commeissner@suse.com- logfile_secrets.patch: do not log passwords in logfiles (bsc#1184016)- freeradius-server-radiusd-logrotate.patch: move logrotate options into specific parts for each log as "global" options will persist past and clobber global options in the main logrotate config (bsc#1180525)- freeradius-server-radiusd-logrotate.patch: fix permissions in logrotate global section (bsc#1170505, bsc#1174905)- update to 3.0.21 (jsc#SLE-11896) Feature Improvements * New stored procedure for allocating IPs with PostgreSQL Rates of 1500 IPs per second are now possible See raddb/mods-config/sql/ippool/postgresql/procedure.sql * Add SQL IP pool support for Microsoft SQL Server See raddb/mods-config/sql/ippool/mssql/ * Added RCNTEC dictionary. Closes #3168. * Added Pica8 dictionary. Closes #3179. * Add TLS-Client-Cert-Valid-Since attribute holding not Before date Patch from Boris Lytochkin. Fixes #3157. * Generate attributes containing unknown OIDs See raddb/sites-available/tls * Update the WiMAX dictionary. * Added ability to rlm_python(Python2) show a stacktrace from errors. #2979. * Add WiFi Alliance Policy OIDs. See raddb/certs/xpextensions * radmin now shows coa stats, too. * Sample schema extensions for summarizing data in SQL See mods-config/sql/main/*/process-radacct.sql * Update dictionary.aerohive, dictionary.fortinet, dictionary.arista and dictionary.erx. * Added VAS Experts dictionary. * Many updates to RPM and jenkins builds from Matthew Newton. * Added %C (time now in seconds) and %c (microsecond component of now) back-ported from the "master" branch. * Add reload capability to systemd unit file in Debian and RedHat. * Increase timestamp precision in postauth to maximum supported by each database and simplify (and make more consistent between drivers) the timestamps in SQL queries by using expansions. * Option to set dictionary path in raduat script. Bug Fixes * Various fixes found by PVS-Studio. * Set permissions of certificates in bootstrap shell script Fixes #3132. * Increase the 'nasportid' SQL field for 'varchar(32)'. #3141. * Skip processing proxy reply if there are no home servers available. * Update SQLite IPPool queries. Fixes #3177 * rlm_sql_unixodbc fixes. Fixes #2822. * Fixes when building with LibreSSL. * Fix the rlm_python3 build. Note that this module is experimental. #3183. * The rlm_python should append the 'python_path' paths in 'sys.path'. It fixes the expected behavior to use the existing Python modules Fixes #3180. * Fix rlm_python to print the script errors properly. * Bound total query time for PostgreSQL. Fixes #3253. * Many fixes to Oracle sqlippool. It now does 500 IPs per second without any tuning. Fixes #3270. * Reference sqlippool by it's correct name. Fixes #3272. * Revert 3.0.20 patch which caused crashes on duplicate clients. * Update WiMAX-MSK attribute. Fixes #3280. * Fix crash when trying to access non-existant regex capture group. * Use timestamps (request or server) rather than SQL NOW() in accounting queries so that these are stable when replayed from a file buffer. - freeradius-python3_patches.patch: upstreamed- update to 3.0.20 (bsc#1146848) Feature Improvements * Added Force10 dictionary. * Update dictionary.hp with new attributes. #2690. * Update dictionary.aruba with new attributes. #2696. * Fix side-channel leak in EAP-PWD (bsc#1144524, CVE-2019-13456) * Relax OpenSSL version checks, now that their API is both public, and stable. * Note that tls_min_version/tls_max_version also support "1.3" Since there is no standard yet for EAP with TLS 1.3, it will not work. * Added tripplite dictionary from #2760. * Switch to the async interface for rlm_sql_postgresql so that we can enforce query_timeout. * Added new LDAP option 'allow_dangling_group_ref'. * Updated documentation and functionality for EAP session caching See "cache" section of mods-available/eap. * Tighten systemd unit file security. Fixes #2637. * Disable TLS 1.0 and TLS 1.1 support in the default configuration We STRONGLY recommend doing this for all installations. * Add expansions for *outgoing* Radsec connections "%{proxy_listen:TLS-...}" for TLS-Client-Cert-* and TLS-Cert-* attributes. Fixes #2839. * Add %{listen:tls} which returns "yes" or "no" for TLS or non-TLS connections. * Update dictionary.lancom with new attributes. #2847. * Added rlm_sql_mongo. See raddb/mods-available/sql. Note that this module is experimental. * Added more documentation in sites-available/robust-proxy-accounting. * sqlippool now re-allocates unexpired leases, to prevent IP pool exhaustion when clients perform multiple reauthentication attempts * Add support to radmin keep the history in ~/.radmin_history. * Add support for ENV and LD_PRELOAD in radiusd.conf. See the new ENV sub-section of radiusd.conf. * Update dictionary.aptilo. #3002. * Update dictionary.airespace. #3039. * Add sites-available/coa-relay, which makes CoA easier #3045. * Add example stored procedure for IP Pools in MySQL See mods-config/sql/ippool/mysql/procedure.sql * Update dictionary.dhcp dictionary with the recent hardware types. * Add experimental rlm_python3. This should largely work the same as rlm_python, which was Python2 only. * Add Dockerfiles for Debian10 and CentOS8. * Add RPM spec file compatibility for RHEL/CentOS 8. * Notes on certificate constraints. See raddb/certs/server.cnf. * Add NAIRealm example to raddb/certs/server.cnf, for RFC 7585. Bug Fixes * Allow listen.ipaddr to reference an IPv6-only host. Fixes #2627 * ERX-Acct-Request-Reason is "integer". Closes #2635. * Fix a slow memory leak in the file management code. * Try to fix file permissions if they get modified while the server is running * Fix slow memory leak with clients. * Fix request and connection timeouts in rlm_rest. * Fix systemd issues. * Fixes from clang analyzer. * Fix missing include for the dictionaries: alcatel.esam, altiga,alvarion.wimax.v2_2,aptis,asn, audiocodes,avaya,bristol, columbia_university,freedhcp,garderos, infoblox,motorola.illegal, starent.vsa1, telkom, wimax.wichorus. * Fix internal sanity check when running with "-Xx". * Allow "inner-tunnel" virtual servers to work better with "accept" and "reject" policies. * Fix dictionary.huawei data types for Huawei-DNS-Server-IPv6-address and Huawei-Framed-IPv6-Address. * Framed-Interface-ID in postgresql/queries.conf is string, not inet Fixes #2817. * Fix rlm_cache to complain on unknown attributes in the "update" section of its configuration. * Add configure checks for -latomic. This helps on armel, mips and mipsel. Fixes #2828. * Add support to Oracle 19 and 18. Via #2857. * Add support for decoding tags in rlm_rest. Fixes #2848. * Use correct passwords when updating CRLs in raddb/certs/. * Properly separate "originate-coa" packets when accounting packets are read from the detail file reader. * Use the correct virtual server for pre/post-proxy. * radsqlrelay fixes backported from "master" branch * Fix DoS issues due to multithreaded BN_CTX access (bsc#1166847, CVE-2019-17185) - disable python2 for SLE15 and Factory - freeradius-server-enable-python3.patch: enable Python3 module - freeradius-python3_patches.patch: backport python3 fixes from upstream - freeradius-server-opensslversion.patch: updated- Enable memcached driver on SLE15- Add missing BuildRequire on samba-core-devel required for windbind support in rlm_mschap.- update to 3.0.19 (jira#SLE-5890) Feature improvements * Update dictionary.cisco * Update sqlippool to allow for stored procedures with PostgreSQL. This increases performance substantially. Patch from Nathan Ward. Fixes #2540. * Re-added "show client config" command to radmin. * Cleaned up mods-available/sql example so that it is easier to understand. * Added pfSense dictionary. Closes #2581 * Update dictionary.h3c Closes #2592 * Update elasticsearch/logstash config for v6.7.0. * EAP-PWD security fixes from Mathy Vanhoef. See http://freeradius.org/security/ (CVE-2019-11234, CVE-2019-11235, bsc#1132549, bsc#1132664) Bug fixes * Update dynamic_client module and server core so that the functionality works. This has been broken since at least v2. * Fix crash in sqlippool due to escaping changes. Patch from Nathan Ward. Fixes #2532, #2533. * Fix systemd notify, watchdog and unit files. Fixes #2541, #2499. * Fix erroneous length check in EAP-FAST. * Update documentation to remove old "ignore_null" configuration. Fixes #2578. * Fix default POD port. Should be 3799. Fixes #2591 * Correctly encode vendor-specific "encrypted" attributes. Fixes #2600- reformat changelog mostly by wrapping lines - add missing bug numbers for security fixes- update to 3.0.18 * cleanup_delay can now be 30 seconds. This helps with proxies that have packet loss. * Do-Not-Respond policies can now be set in the "post-auth" section. * Encode / Decode ADSL Forum DHCP options. * Fix module ordering issues. e.g. when "sqlippool" needs "sql". See the "instantiate" section of radiusd.conf. * Add Big Switch dictionary. Fixes #2252. * Add sql_session_start policy (raddb/policy.d/accounting) This minimizes race conditions when using Simultaneous-Use (#2257). * For rlm_perl, all variables are now tainted by default. See raddb/mods-available/perl, and the "perl_flags" configuration item. This change should only affect people who are using variables in insecure ways. * Allow "sqlcounter" module to be listed in "post-auth". * Add support for IPv6 attributes in SQL. Fixes #2280 * The server is better at handling fail-over for outbound RadSec and TCP connections. Fixes #2284. * The server is now more aggressive about retrying failed outbound RadSec and TCP connections. Fixes #2284. * Add TLS-Session-Version and TLS-Session-Cipher-Suite to the "session_state" list. * Add expansion for Radsec connections. "%{listen:TLS-...}" for TLS-Client-Cert-* and TLS-Cert-* attributes. * Add notes on running "ldapsearch" using the parameters from the LDAP module. * "ipaddr" attributes can now be cast to "integer" type attributes in an "update" section. * Move main thread queue to using atomic queues. This should help with contention in high load scenarios. * Add "recv_buff" setting to listeners. For more details, see sites-available/default. * The sqlippool module can now use attributes other than "Pool-Name" to assign IP pools. The "Pool-Name" attribute is still the default. * The "unpack" expansion can now unpack substrings. See mods-available/unpack for documentation and examples. * The preprocess module now does "ciscvo_vsa_hack" for Eltex-AVPair Fixes #2301. Vendors SHOULD NOT USE THAT KIND OF ATTRIBUTE. * Allow for -LDAP-UserDN. See mods-available/ldap for more information. * Add sanitizing of control list for moonshot. Fixes #2318. * Update rlm_sql_mysql to be compatible with MySQL 8 Fixes https://bugs.launchpad.net/bugs/1795310. * Allow logging of only Access-Accept or Access-Reject messages See radiusd.conf, "auth_accept" and "auth_reject". * Removed Connect-Rate comparison. It was unused and broken. * Add dictionary.infinera. * Use OpenSSL HMAC functions instead of local ones. * Some SQL modules can now use "auto_escape" to escape unsafe strings See mods-config/sql/main/mysql/queries.conf. * Add wispr2date conversion in mods-available/date. * Implement dictionary-based handling in rlm_python. Fixes #2334 See mods-available/python for details. * Add support for SKIP LOCKED in sqlippool. This can improve performance by an order of magnitude or more. See raddb/mods-config/sql/ippool/*/queries.conf Fixes #2383 * Allow PSK and certificates at the same time Except for TLS 1.3 which does not support that. * Update docker scripts. Fixes #2306 Patch from Matthew Newton. * Add crypt xlat. * MySQL connections can now skip verifying the server certificate. Fixes #2481. See mods-available/sql. * Add better mechanism to detect MariaDB (Old MySQL). * Add RFC 7532 "bang path" support for realms Fixes #2492. * Update dictionary.ukerna documentation. Fixes #2493. * Add support for systemd service and watchdogs Fixes #2499. * Check for openss/rand.h, and allow building without OpenSSL engine. Patch from Eneas U de Queiroz Fixes #2517. * The default PosgtreSQL queries now use "ON CONFLICT" to better deal with issues. This requires PostgreSQL 9.5 or later. Please use a recent version of PostgreSQL, or edit the default queries to remove "ON CONFLICT". BUG FIXES * The session-state list is no longer cleaned in the inner-tunnel. This lets the outer Access-Reject section access session-state. * Fix typo in lock initialization for TLS sockets Found by Sergio NNX. * Add check for crash when home server down Fixes #2233. * Add username key for postauth table. * Better libpcap checks, when the header files or libraries are missing. Fixes #2245. * Allow building with old versions of OpenSSL Fixes #2247. * Allow non-FreeRADIUS State attributes to be used with the "session-state" list. i.e. State length != 16. * Be more aggressive about cleaning up zombie children when running in debug mode. * Use LTDL_DEEPBIND, which fixes issues with Oracle libraries exporting LDAP API functions. * unlock files when asked to unlock them. * return error instead of asserting in map code. * Don't write 0 bytes to SSL. Fixes #2270. * Remove "expiry_time IS NULL" from allocate_update query. Fixes #2262. * Various dictionary cleanups and consistency checks Fixes #2281. * rlm_python has stronger thread locking to prevent reported issues. Performance may be affected. * Don't allow Message-Authenticator to overflow past the end of a large packet. * Fix crash in sqlippool when SQL server goes away Fixes #2300. * Typos in man pages. Patch from Nikolai Kondrashov Fixes #2303. * Fix crash with CoA packets/ Fixes #2304. * Fix crash in rlm_exec with CoA. Fixes #2328. * Print errors while parsing the log config, and don't quit when deprecated log settings are found. * Fix DHCP encoder xlat so that it can be used with a list of attributes. It previously only encoded the first member of the list, and now encodes all members. * The "expr" module now skips more whitespace. * Remove internal FreeRADIUS-Response-Delay attributes from attr_filter Access-Reject. * Don't send junk to redis when maximum args reached. * Small updates to IPv6 for accounting schema Fixes #2364. * Fix OpenDirectory integration in rlm_mschap. * Fix slow memory leak with dynamic clients. * Don't artificially truncate debug output for long strings. * Fix memory leak in EAP-PWD. * Fix crash in "hints" file with Fall-Through = yes. * Fix crash / timer issues with many CoA packets. * Fix attr_filter so that it does not treat vendor attributes of number 26 as Vendor-Specific. * Fix reconnect correctly in rlm_sql_mysql. * Fix rlm_cache to properly use Cache-TTL < 0 Fixes #2485. * Fix rare occurance of bad xlat expansion. * Check for rare race condition when a proxy reply arrives too late.- install license as %license instead of documentation- also fix ownership of /var/log/radius in systemd unit- update to 3.0.17 Feature Improvements * Add CURLOPT_CAINFO. Patch from Nicolas C #2167. * "stats home server" now supports "src IPADDR", to specify home server also by source IP. Fixes #2169. * Add Dockerfiles for a selection of common systems. * Increase number of permitted file descriptors, for systems with many home servers. * Add TLS-Client-Cert-X509v3-Extended-Key-Usage-OIDs Patch from Isaac Boukris. Fixes #2205. * Update main READMEs. Patches from Matthew Newton. * Added dictionary.mimosa. Bug Fixes * Don't call post-proxy twice when proxying to a virtual server. Matthew Newton, #2161. * Use "raw" string value for shared secrets and dynamic clients It now parses strings with backslashes and "special characters" correctly. Fixes #2168. * Fix RuntimeDirectory for RedHat, from Alan Buxey. * Relax checks in 'if' parser from Isaac Bourkis. * Minor cleanups for %{debug_attr:&request} from Isaac Boukris. * Be more aggressive about cleaning up cached certificate attributes, due to deficiencies in OpenSSL. Reported by Nicolas Reich. * Be more accepting when parsing IPv6 addresses. Bug noted by Klara Mall. * Fix double free in rlm_sql. Fixes #2180. * rlm_detail now writes empty Access-Accept packets. * rlm_python can now create tagged attributes. * Don't crash on duplicate realm + authhost / accthost * Allow partial certificate chain to trusted CA. Fixes #2162. * Treat SSL_read() returning zero as error. Fixes #2164. * detail writer now checks if the file was renamed or deleted. * Add User-Name to Access-Accept if EAP-Message exists, not Stripped-User-Name. * RedHat Systemd updates. Fixes #2184. * Use correct API for State variable in rlm_securid. * Remove broken radclient option "-i". * Fix "users" file (and hints, etc). So that it does not get confused about entry ordering with multiple $INCLUDEs. * Fix rlm_sql to expand the un-escaped string, not the raw string. * Link default and inner-tunnel only if they exist. Fixes #2206. * Don't use both IP_PKTINFO and IP_SENDSRCADDR. * Always install signal handler for SIGINT (needed by Docker). * Fix intermediate CA flow for OCSP. Fixes #2160 Intermediate certs which are not self-signed will now be checked. * sqlippool now returns "fail" if it fails IP allocation. * Fix rlm_yubikey to look for correct attribute in replay attack check.- update to 3.0.16 Feature improvements * rlm_python now supports multiple lists. From #2031. * Add trust router re-keying. From #2007. * Add support for Samba / AD LDAP schema. See doc/schemas/ldap/samba/README.txt and doc/schemas/ldap/samba/ * Add "tls_min_version" and "tls_max_version" to EAP module for Debian OpenSSL issues. * Better documentation for client certificates in PEAP and TTLS: it usually doesn't work. Fixes #2068. * Distinguish login failure from AD unavailable. Fixes #2069. * Update RH spec files. Fixes #2070. * Run Post-Proxy-Type if all home servers are dead. Fixes #2072. * Print offending IP addresses when EAP sessions come from two upstream home servers, and rate-limit the messages. * Minor packaging updates. * Better documentation for rlm_rest. * EAP-FAST now has it's own "cipher_list", so that it is easier to configure. * EAP-FAST now forcibly disables TLS1.2, until such time as we implement the new keying mechanism from TLS1.2. * Add documentation for allow_expired_crl. * Update Debian logrotation. #2093 and #2101. * DHCP relay can now drop responses. #2095. * rlm_sqlippool can now assign Delegated-IPv6-Prefix. It also now can assign any IPv4 or IPv6 address. Based on patches from maximumG. #2094. See raddb/mods-available/sqlippool for changes. * radeapclient can now use EAP-SIM-Ki to dynamically create the necessary triplets. * Explain why many LDAP connections are closed. Fixes #1969. * Debian build / package issues fixed by Matthew Newton. * dictionary.patton updates from Brice Schaffner. Fixes #2137. * Added scripts to build "inner-server.pem", and updated mods-config/inner-eap and certs/README to match. * Added provisions for using an external CA. See raddb/certs/ * Include dhcpclient binary in freeradius-dhcp debian packge. Bug fixes * Bind the lifetime of program name and python path to the module FR-AD-002 (redone) * Pass correct statement length into sqlite3_prepare[_v2] FR-AD-003 (redone) * Allow 100-Continue responses with additional headers in rlm_rest. * fix corner case where detail files were not being locked correctly. * Fix (SQL-Group == "%{...}") checks, and same for LDAP-Group. Fixes #1947 * Clean up exfile code. Which should help to avoid issues with reading / writing 100's of detail files. * Fix build for winbind. Patch from Alex Clouter. * Fix checkrad for Mikrotik. Patch from Muchael Ducharme. * Fix home server stats lookup. Patch from Phil Mayers. * Add libjson-c3 as an optional dependency. * Require LTB OpenLDAP on CentOS / Redhat, to avoid linking against NSS, which breaks the server. Fixes #2040. * rlm_python fixes. Fixes #2041 * Typos in "man" pages. Fixes #2045 * Expand "next" in %{%{...}:-%{...}}. Fixes #2048 * Don't add TLS attributes twice. Fixes #2050. * Fix memory allocation in rlm_rest. Fixes #2051. * Update trustrouter for new API. Fixes #2059. * Fix SQLite issues on FreeBSD. Fixes #2060 * Don't do debug logging of bad passwords. Fixes #2064. (bsc#1099802) * More graceful handling of "die" in rlm_perl. Fixes #2073. * Fix occasional crash when using cisco_accounting_username_bug = yes * EAP-FAST fixes from Isaac Boukris. [#2078], #2076, and #2082, #2126. * DHCP fixes, relay, #2092, add run-time check, #2028 * Decode multiple RADIUS packets at a time in highly loaded RadSec connections. Patch from Jan Tomasek. #2106. * TunnelPassword is not "single value" in LDAP schema. Fixes #2061. * sql log now opens the expanded filename, not the input one. This was a regression introduced in 3.0.15. * Remove unnecessary UNIQUE constrain in Oracle schemas. * Fix SSL thread and locking issues when modules also use SSL. Fixes #2125 and #2129. * Re-add dhcpclient "raw packet" changes. Patches from Nicolas Chaigne and Matthew Newton. Fixes #2155.- Fix permissions of radiusd.service (bnc#1053654)- bsc#1055679 - freeradius-server does not provide winbind/AD auth Added libwbclient-devel as buildrequires- update to 3.0.15 with security fixes for issues found via fuzzing by Guido Vranken (bsc#1049086) https://freeradius.org/security/fuzzer-2017.html * CVE-2017-10978: FR-GV-201 (v2,v3) Read / write overflow in make_secret() * CVE-2017-10983: FR-GV-206 (v2,v3) DHCP - Read overflow when decoding option 63 * CVE-2017-10984: FR-GV-301 (v3) Write overflow in data2vp_wimax() * CVE-2017-10985: FR-GV-302 (v3) Infinite loop and memory exhaustion with 'concat' attributes * CVE-2017-10986: FR-GV-303 (v3) DHCP - Infinite read in dhcp_attr2vp() * CVE-2017-10987: FR-GV-304 (v3) DHCP - Buffer over-read in fr_dhcp_decode_suboptions() * CVE-2017-10988: FR-GV-305 (v3) Decode 'signed' attributes correctly * FR-AD-002 (v3) String lifetime issues in rlm_python * FR-AD-003 (v3) Incorrect statement length passed into sqlite3_prepare- update to 3.0.14 (still FATE#322416) Feature improvements * Enforce TLS client certificate expiration on session resumption, and Session-Timeout. See CVE-2017-9148 (bnc#1041445) * Updated dictionary.cisco.vpn3000, dictionary.patton * Added dictionary.dellemc * Lowered the log output for failed PEAP sessions. * ALlow utc in rlm_date. * The internal OpenSSL session cache has been disabled. Please see mods-available/eap * Update detail reader documentation. * Make outgoing RadSec connections non-blocking. * Add SQL backing to Moonshot-*-TargetedId generation. Bug Fixes * radtest uses Cleartext-Password for EAP, not User-Password. * Update documentation for mods-enabled/ linking. * Enhanced checks for moonshot salt. * Allow session resumption for RadSec connections. * Update "huntgroups" file to note that port ranges are not supported * Fix OpenSSL permissions issues on default key files. * Certificates are not required when PSK is used. * Allow SubjectAltName as first extension in cert. * Fixed talloc issue with TLS session resumption. * "&Attr-26 := 0x01" now produces useful error messages. * Handle connection error in rlm_ldap_cacheable_groupobj. * Fix endian issues in DHCP. * Multiple minor fixes for Coverity complaints. * Handle unexpected regex. * Fix minor issues in dictionaries. * Fix typos and grammar. Patches from Alan Buxey. * Fix erroneous VP creation in rlm_preproces. * Fix MIB. Patch from Jeff Gehlbach. * Trust router updates from Alejandro Perez. * Allow build with LibreSSL. * Use correct packet for channel bindings. * Many fixes found by PVS-Studio. Thanks to PVS-Studio for giving us a test license. Please see the git commit history for more info. * Fix incorrect length check in EAP-PWD. This may be exploitable. * Stop rotating session database files (radutmp, radwtmp) since these are not logfiles. - freeradius-server-radiusd-logrotate.patch: updated- removed obsolete freeradius-server-fix-cert-bootstrap.patch because recent /etc/raddb/certs/bootstrap simply works - update to 3.0.13 (still FATE#322416) Feature improvements * Add dictionary.rfc7930. Note that we do not implement the RFC. * Added 'cipher_server_preference' to mods-available/eap Patch from #1797. * OpenSSL 1.1.0 compatibility fixes. * rlm_perl: radiusd::xlat to evaluate xlat string within perl script * Allow authentication retry in winbind. Patch from Herwin Weststrate. See raddb/mods-available/mschap. * Added "recv-coa" method to rlm_rest. It behaves the same as "authorize". * Document Trust Router tr_port option. Patch from Stefan Paetow. * Update elasticsearch/logstash examples so that they work with elastic stack v5. Patch from Matthew Newton. * Print information about packets, replies, and contents in the detail file reader. * Update abfab-tr policy. Pull request #1893 from Stefan Paetow. * Reject packets which contain User-Password and EAP-Message. * Add example for filtering Access-Challenge. See sites-enabled/default. * Pull symlink fixes from v4.0.x. Fixes #1859. * Add systemd reload. Not everything is reloaded, but some is. Fixes #1662. * Better documentation for listen "ipaddr". Fixes #1921 * Add dictionary.cnergee, updated dictionary.nomadix. * radclient no longer needs -x to print statistics with -s. Bug fixes * Minor typos. Fixes #1763 * Fix typo in RPM build. Closes #1767. * rlm_mschap check for password expiry only if password was correct. Fixes #1762. * Update debian build. * update rlm_counter "man" page. Fixes #1775. * Remove erroneous assert. Fixes #1778. * fix mschap password change test. Fixes #1792. * Cleanup config file on data remove. Fixes #1795. * passwd module returns "notfound" if not found. * Check for old OpenSSL, and don't build rlm_eap_fast if it necessary. Fixes #1803 * Cleanup memory better after ldap version query. Patch from Aleksey Katargin. * Rename lt_* functions to avoid linker issues with libtool. Fixes #1277 * Many miscellaneous fixes and typos. * Allow long strings in %{%{foo} bar:-%{baz} blah". Fixes #1866 * Fix filtering operators, along with more documentation and more tests for them. * Fix OpenSSL fixes. Fixes #1876. * Finish SQL select queries even when SELECT returns no rows. Fixes #1879. * Set Module-Failure-Message for more EAP errors. * Correct typo in dictionary.rfc5580. Fixes #1882 * Remove obselete systemd syslog.target. * Client-Port-Balance load-balancing now uses client port. * Radrelay examples fixed from Alex Clouter. * Update systemd target. Pull request #1896. * Trim starting whitespace in xlat strings. * Get MySQL result lengths using normal API. * suid down after fchown(). Fixes #1914. * Fix cases of comparing pointer to NUL character. Fixes #1915. * OpenSSL v1.1 fixes. Pull request #1921. * Better Handle v4/v6 host names. Pull request #1919. * Remove "Auth-Type = System" from docs and examples. * Don't crash on malformed %{home_server}. Fixes #1922 * fix erroneous use of talloc destructor in rlm_eap * Issue trigger modules.sql.fail. Fixes #1923 * Document python_path gotcha's. Fixes #1845 * dlopen() the specific version of Python. Fixes #1592- Don't require insserv if we use systemd - Remove require for unused fillup- Merge changes from SLE to openSUSE (FATE#322416): * freeradius-server-radclient-init-error-buffer.patch - make sure we initialize error buffer. bsc#911886: radclient error free() invalid pointer * freeradius-server-opensslversion.patch: remove OpenSSL version check and assume we know what we are doing. (bnc#1013311) * merge .changes file, mostly. - do not attempt to detect "vulnerable" OpenSSL versions. SUSE security fixes do not necessarily bump version numbers as does upstream OpenSSL (bnc#1021375) - do not generate certificates in %post. End-user needs to do this manually. - keep FreeTDS disabled on SLE12 - we never shipped it enabled - require OpenSSL 1.0+ - use pkgconfig(systemd) instead of plain systemd as BuildRequires - don't list manual pages as %doc- Remove --with-pic which is for static libs only. - Use SUSE RPM group names. Trim filler words from description. - Do not hide errors from groupadd/useradd.- Add upstream keyring - 2 new modules: rlm_sql_freetds and rlm_eap_fast- update to 3.0.12 - still fate#320481 The focus of this release is stability. * Feature improvements + Add support for =~ and !~ in update sections. See "man unlang" + Add dictionary.checkpoint. + Simultaneous-Use prints out more information. + Print WARNING in debug mode when packets may be truncated. + Added expansions %{home_server:state} and %{home_server_pool:state}, which show the state of the server / pool. + Mark rlm_sql_freetds as stable. + Make rlm_perl less fragile. Patch from Herwin Weststrate. + Allow extended attributes to have "encrypt=2" + Update dictionary.aruba. + Add support for EAP-FAST. This is an isolated feature which does not affect anything else. + Update OpenSSL vulnerability list. Use a version of OpenSSL released after September 20, 2016. + EAP certificate verification is now done when "verify" is enabled and "ocsp" is disabled. + New dhcpclient and rlm_rad_counter man pages. + Minor abfab and moonshot additions. + Pass CFLAGS through from environment in RPM builds. Allows more custom builds. + Build with Heimdal in addtion to libkrb5. * Bug Fixes + Use correct typedef for older versions of sqlite. + Update mssql schema to add priority + don't complain on /dev/urandom in ldap + fix == operator in update sections + Don't create DHCP strings with many trailing zeros. + Allow MS-CHAP change passwords instead of complaining on large buffer. + Allow assignment or equality operator on SQL. + Update aclocal tests for FreeBSD 10. + Remove occasional hang in rlm_linelog. + Copy VSAs to inner tunnel for TTLS and PEAP. Fixes #1544 + A few minor bugfixes caught in v3.1.x cleanup, and back-ported to v3.0.x. + do_not_respond again works in post-proxy + Allow realm "~^.*$" {} and User-Name with no realm. + Fix leak when creating unknown attributes + Fix Debian / logrotate. + Make OpenSSL error functions thread-safe. + Fix crash with rlm_sql and updating SQL-User-Name. + Debian build updates. + Allow regular expression comparisons in radclient. + Fix memory leak on unknown attributes in detail file reader. + Update example paths in "man" pages when installing them + Build fixes for rlm_mschap. Fixes #1489. + BSD build fixes. Patch from issue #1583. + Be more careful about /lib/ when building. Fixes #1585. + Correct ifdef placement error. Fixes #1572. + Allow for more files in internal "exfile" API So it will be possible to open more than 64 "detail" files at the same time. + Remove support for statically built EAP modules. Fixes #1591. + Many fixes to rlm_python from Guillaume Pannatier. + Use correct week adjustment in SQLcounter. Fixes #1608 + Minor fixes to allow compilation without DHCP, VMPS, or TCP. + Fix checks for module / config file change on HUP. + Compile regex comparisons when sent via "debug condition". + Update filenames in documentation and examples. + Don't crash if SQL connection becomes unavailable. + Disallow originate_coa when proxy_requests = no. + Free rad_perlconf_hv in correct perl context. + Multiple fixes for Debian builds. #1510, among others. + Set OpenSSL FIPS compatibility flag when necessary. + Pulled fixes for the build system over from other branches. + Fix OCSP for RADIUS over TLS. + Fix skip_if_ocsp_ok behavior. + Better fixes for systems without closefrom() but which have /proc. + Minor build fixes back-ported from v4.0.x. + build --whout-ascend-binary. Fixes #1761. + Be more aggressive about not opening new connections in debug mode after CTRL-C. Address #1604.- use %{with} macro for conditional inclusions instead of hardcoding version numbers - improved package descriptions - fixed builds on SLE12 and SLE11SP4- removed installation of experimental module rlm_sqlhpwippool.so - update to 3.0.11 (fate#320481, bsc#961479, CVE-2015-8763, bsc#935573, CVE-2015-4680) * Changes of version 3.0.11 + Feature improvements - "unlang" comparisons of IP addresses to IP prefixes are now detected, and types automatically cast. - Allow shorthand form of ipv4prefix values e.g. 127/8. - Add "auto_chain" to raddb/mods-available/eap, tls subsection. This allows the disabling of OpenSSL auto-chaining of certificates. Which might be wrong. - Added printing of coa and disconnect stats (radmin). - radclient defaults to expecting Access-Accept responses to Status-Server. - Updated dictionary.lancom, dictionary.starent. - Portability fixes for Solaris. - More errors from ntlm_auth gets passed to MS-CHAP. - Update abfab-tr-idp virtual server. - Added "filter_password" in policy.d/filter. This removes embedded zero bytes in User-Password, for compatibility with broken clients. - The server now issues a WARNING message if duplicate configuration items are found. - TLS can skip the "verify" section if OCSP returns OK. See raddb/mods-available/eap, "skip_if_ocsp_ok". - Set TLS-OCSP-Cert-Valid = yes / no / skipped, which is the result from the OCSP check. - Interoperate with AD and "LmCompatibiltyLevel = 5", by always setting WBC_MSV1_0_ALLOW_MSVCHAPV2 for native winbind in rlm_mschap. - TTLS and PEAP now require "virtual_server" to be a real server. - Print WARNING when TTLS or PEAP identities are spoofed or not properly anonymized. See RFC 7542 for requirements. - Various rlm_python fixes from Herwin Weststrate. - Allow setting Response-Packet-Type in "Post-Proxy-Type Fail", which is useful when the home server does not respond. - elasticsearch updates from Matthew Newton + Bug Fixes - Fix issue where field nas_type would not be accessible via the %{client:} xlat, for clients loaded from SQL. - Fix compatiblity issues with OpenSSL 1.0.2. Ignore calls to msg_callback with 'pseudo' content types. - Data type "ipv4prefix" is parsed correctly. - Use correct talloc context in rlm_exec. Fixes #1338. - Complain in unlang if "else" is used with no previous "if" or "elsif". - Send accounting status packets to the accounting port. Fixes #1364. - Print out CFLAGS when doing "radiusd -Xxv" - Fixed bug with coa/acct stats value #1339. Based on patch from Jorge Pereira. - Fixes for LEAP proxying. Don't use LEAP! - Fix issue with "directory already exists" seen when doing "make install". - Fixed bug with radmin related to the option "stats detail " - Complain if the detail file reader does not have permission to read the "detail.work" file. Fixes #1398 - Fixed SoH. Attributes were not being copied to the virtual server. - Used a wrong list to global statistics in "stats". - Create EAP-PWD identity correctly. Prevents segfaults. - Dynamically validate authentication types for PEAP and EAP-MSCHAPv2. - Fix includes in installed headers. - OpenSSL 1.0.1f and 1.0.1g do NOT calculate TLS 1.2 keys correctly. See raddb/mods-available/eap, "disable_tlsv1_2" - Allow password change to work for MS-CHAP. This requires 'r=0', because password changes are not retries. - Fix home server fail-over for home servers using TCP and/or RadSec. - Special characters in expanded regexes are now escaped e.g. User-Name containing '.', and comparing /%{User-Name}/, the '.' will now be escaped. See src/tests/keywords/regex-escape. - Use correct authentication vector when sending Access-Reject replies for RadSec. - Set FreeRADIUS-Proxied-To in TTLS again. You should use the "inner-tunnel" virtual server, instead of relying on this attribute. - Fix debugging constants in rlm_perl. Patch from Herwin Weststrate. - Add samba-dev / samba4-dev to debian builds so that rlm_mschap can automatically use the new winbind API. - Automatically skip zero-length attributes when sending packets, instead of erroring out.- fix bsc#951404 * Rebuild of freeradius-server package fails * fix source url - ftp://ftp.freeradius.org/pub/freeradius/ + ftp://ftp.freeradius.org/pub/freeradius/old/- update to 3.0.10 * Changes of version 3.0.10 + Feature improvements - Do more optimization of unlang policies. This makes run-time a bit faster. - Re-name most of the functions in src/lib. Third-party module authors will have to do the same. - More documentation on contributing and how to write modules. - Update radiusd.service for systemd. - Open IPv6 proxy socket if the server is listening on IPV6 auth / acct / coa packets. - Create debian packages for DHCP. Fixes #1125. - Add more tests for "update" section parsing. - Update "man" pages. - Update attributes for Alcatel 7750 - Add dictionary for Boingo Wi-Fi - Add support for DHCP lease queries. See raddb/sites-available/dhcp - On HUP, check all modules for config files which have changed. And only re-load those modules. - Allow FreeRADIUS-Response-Delay(-USec) to be set for RADIUS packets. Patch from Herwin Weststrate. - Documentation fixes from Alan Buxey and Matthew Newton. - Update "logrotate" script. - Added more RFCs to doc/rfc for new standards implemented by FreeRADIUS. - Don't crash when doing "radmin -e "help hup". Patch from Matthew Newton. - The dictionary parser now does more sanity checks, which prevents run-time problems with invalid attributes. - Update debian packages. Patches from Christopher Hoskin. - Many other debian packaging fixes from Matthew Netwon and Herwin Weststrate. - Add "session-state" to Perl. Patch from Herwin Weststrate. + Bug Fixes - Fix rlm_files so that there are no collisions when loading 10's of 1000's of users. - Fix radclient to use our internal v4/v6 parsing functions. v6 addresses with ports now work correctly. - Fix sending/receiving packet messages to wrap v6 addresses in square brackets '[]'. - Check for sasl/sasl.h when building rlm_ldap, and disable SASL functionality if unavailable. - Fix issue which caused a non \0 terminated buffer to be assigned to attributes if the value being assigned contained an invalid escape sequence. - Fix deadlock when reconnecting connections in the connection pool. - Fix potential overrun in functions that used fr_utf8_char with a non nul terminated buffer. - Fix decoding issue for Tunnel-Password type attributes which were very long. Found by Denis Andzakovic. - Fix radclient issue with TCP sockets on FreeBSD. - The server now creates ${run_dir} and ${logdir} directories in daemon mode, when running as "root". - Handle tags when using maps. Fixes #1191. - Fix crash when CoA packets time out. - Fix parse error in rediswho - Fix regex support in SQL radcheck the "users" file and radsniff. - Register listen xlat earlier, so that it's available when the virtual servers are being parsed. - Parse Ascend-Data-Filter when given as "0x..." - Print Ascend-Data-Filter correctly. Add test cases for both. - Allow old-style clients again. They will be disallowed for 3.1.0 and following. - Complain instead of crash when "else" and "elsif" are in the wrong place. - Clean up memory more aggressively. This lowers the maximum memory used, most typically for TLS based EAP methods. - Prevent the server from unlinking the control socket of an already running instance. - Fallback to using the configured OCSP URL if one exists, and no URL is provided in the certificate. - Return CoA-NAK if proxying CoA fails. Based on patch from Jorge Pereira. - Lower peak memory usage by decreasing size of internal memory pools. - The control socket is now left in place if a second copy of the server is accidentally started. - Allow virtual attributes in "switch", "case", etc. Fixes [#1240] and #1265. - Many spell check / typo fixes in comments and example configuration files. - Better handle multiple DHCP listeners. - Don't print secrets for old-style realms. Fixes #1267. - Don't fall through in empty "case" statements. Fixes #1274. - Update EAP-TTLS so that MPPE keys are correctly calculated with TLSv1.2. - Always delete MS-MPPE-* from the TTLS inner tunnel. This allows TTLS / EAP-MSCHAPv2 to work. Fixes #1206. - Fix off by one error that caused some MSCHAP-Error messages to be sent without the password change version (V=3) and the textual message component (M=). - Always include C= V= and M= in MSCHAPv2 errors. RFC 2759 does not say that any of these fields are optional, and not including V= caused errors with wpa_supplicant. - Do not include M= in MSCHAPv1 errors. It's not supported.- Fix boo#912714: freeradius can't use ntlm_auth * Create winbind group * Add radiusd to winbind group- Remove gpg signature file * The gpg signature checking is broken and doesn't work- Fix bsc#935573: Insufficent CRL application for intermediate certificates * CVE-2015-4680 * freeradius-server-CVE-2015-4680.patch based on https://github.com/FreeRADIUS/freeradius-server/commit/a03814af310bb3bee74ea012546d99c48b0ea5c3- update to 3.0.9 * Changes of version 3.0.9 + Feature improvements - Make "pool" configurations more consistent, and update documentation for them. - Move connection pool logic to "most recently started", instead of MRU. This should help with pool stability. - More VSAs for 3GPP2 - Added examples of multi-value attributes to rlm_perl. - LDAP-Group and SQL-Group attributes are now dynamically allocated. - Only the "sql" module registers SQL-Group. Other instances register "instance-name-SQL-Group", similarly to "ldap". - Unknown attributes are now complained about more often when used in unlang statements. e.g. if (Foo-Bar == 3) used to be a string to string comparison. It is now a parse error. - Rename RLM_COMPONENT_* to MOD_* in the code. This makes many things easier. - Move to C99 initializers for modules. - Load modules in raddb/mods-enabled. This allows attributes like "LDAP-Group" to be used in the "files" module, without explicit ordering or listing in "instantiate". - Added 'bootstrap' section to modules. Third-party modules will need to be updated. - When adding clients from a DB, add them to a virtual server if that virtual server has a "listen" section. Otherwise, add the clients to the global list. - When reading dynamic clients from a file, don't expire them if the underlying file is unchanged. - Allow the server to originate CoA requests from the post-auth stage. - The server creates ${run_dir} and ${logdir} in daemon mode, if they do not already exist. - Add dictionary for Wi-Fi Alliance Hotspot 2.0. The server now supports all mandatory and optional attributes for this specification. - HUP now re-loads the configuration only if the files have changed. If all files are unchanged, HUP re-opens the log file, and does nothing else. - Much better debug messages for EAP-TLS, including which attributes are cached, and when they are retrieved. - Increase default max_requests to 16384. Memory is cheap now. - Added "stats memory" commands to radmin. Debug build only. - Aptilo controller dictionary updates. - SQL modules now use Acct-Unique-Session-Id everywhere. - The redis modules are now stable. - The LDAP module now supports SASL "interactive bind" method. This allows Kerberos based administrator and user binds. - DHCP code is now in libfreeradius-dhcp. - More DHCP encoding / decoding unit tests. - rlm_replicate can now be listed in the "accounting" section. - Better sqlite debugging output. - Remove "required" option from many sql_ippool directives. - Set default CA "basic constraints" to "critical". Fixes #1073 - Updates to help / man pages from Jorge Pereira. - Added more tests. + Bug Fixes - Be more careful about unused config item warnings when using -Xx. - Move more defines to be auto-generated. - Allow virtual servers in proxy fallback. - Allow %{module:} to work. - Don't crash in RadSec. Closes #980. - Return better errors when a unix group / user is not found. - Re-enable detail module "locking" parameter. - Don't crash when logging replies from Status-Server packets. - The couchbase module now uses "update" instead of "map", for consistent with the rest of the server. See raddb/mods-available/couchbase - Don't require NT-Password for MS-CHAP password changes. - Be a bit more careful about decrypting MS-CHAP-MPPE-Key attributes. Closes #1013. There is no perfect fix, tho. - Fix security issues with EAP-PWD. See http://freeradius.org/security.html#eap-pwd-2015 - Fix dynamic clients read from SQL in non-debug mode - MS-CHAP now allows retries (i.e. password change) when passwords are expired. - Allow "user=radiusd" when the server is already user "radiusd" - suid up/down works on non-Linux systems. This means that the control socket should have the correct ownership. - Fix issue which caused the server to sometimes have problems when a home server was marked zombie. - Fix format.pl because Perl is now more picky. - Fix proxy to Packet-Dst-IP-Address, so that it uses the correct destination port. - Fix corner case with cursor functions and removal. - OpenDirectory fixes and documentation. - Fix leaks in rlm_redis. - RFC 6929 "evs" attributes are now encoded / decoded properly. - Fix talloc pool leaks when receiving malformed or retransmitted Accounting/CoA requests. - Printed attributes again use double quotes instead of single quotes. - Set X509_V_FLAG_CRL_CHECK_ALL, and add "check_all_crl" to eap.conf. Fixes oCert CVE-2015-4680. - rlm_expr now errors out correctly on malformed attribute references instead of triggering an assert. - Make "break" work in "foreach" loops - Allow dynamic expansions to work again in the "hints" file. - Correct minor typos in comments and examples from Alan Buxy. - Re-urlencode the path portion of ldapi:// urls before passing it to ldap_initialise. - freeradius-server-rlm_sql_unixodbc-configure.patch removes hard-coded directory in configure script of rlm_sql_unixodbc - install new module rlm_sqlhpwippool.so- minor adjustments/cleanup of spec and changes- update to 3.0.8 * Changes of version 3.0.8 + Feature improvements - Allow syslog_severity to be set in rlm_linelog. - Allow defaults to be set for bulk clients in LDAP and couchbase. - Updates to dhcpclient. Patches from Nicolas C. - rlm_mschap now supports direct connections to winbind, which is faster than ntlm_auth. See raddb/mods-available/mschap. Patch from Matthew Newton. - Recommend /dev/urandom for TLS randomness, instead of ${certdir}/random - Allow TLSv1 to be disabled via "disable_tlsv1" in tls{}. - Allow Expanded EAP types where vendor is 0 (IETF) and type is normal EAP type. Supplicants sending Expanded EAP types like this are broken. - Add support for server side sort controls when searching for user objects in rlm_ldap. + Bug Fixes - Don't complain about "authorize" in "server {}" blocks, but only if there's no "server" block. - Fix cosmetic issue where debug from the first packet read by a detail reader thread would be emited during config parsing. - Fix ASSERT on truncated detail packets. - Don't use main server log functions from within panic_action, as in the case of syslog this would cause deadlocks if the fault was triggered from within a malloc. - Fix issue in "switch" when "correct_escapes = false". Fixes #911. - Fix sqlcounter configuration to use "%%b" instead of "%b", otherwise the new syntax validation will fail. - Allow forward references in configuration items. Modules aren't always loaded in a sane order. - Fix more escaping issues. Closes #912. - Decode MAC addresses correctly for VMPS. - Fix memory leak with TLS connections. - Fix state machine threading issues for conflicting packets. - Fix copy_request_to_tunnel issues for tagged attributes. - Allow "ok" to over-ride "updated" inside of Auth-Type sections. - Update state machine so that post-proxy is run though child threads for performance, instead of blocking the main thread. - Allow "netmask" to work again in client definitions. - Relax restrictions on SQL group queries. - track outgoing proxy sockets and clean them up more aggressively. - track proxy statistics, including CoA and Disconnect. - If radmin has a connection failure when running a command, it re-connects and runs the command again. - mark home servers "unknown" less aggressively. - Fix potential SEGV in PostgreSQL driver on error. - Fix issue where fields like nas_type would not be accessible via the %{client:} xlat, for dynamic clients. - Set default busy_timeout (of 200ms) in the sqlite driver, so writes don't cause selects to fail in multithreaded mode. This is user configurable, and may be increased if required. - Convert Password-With-Header attributes to binary (from hex or base64), in the authorize method of rlm_pap. - Fix invalid assert in state.c, that could cause abort in post-auth. - Fix double free when -m flag is used, and connection pools are referenced by multiple modules. - RADIUS over TLS accounting uses the same port as authentication. - Regularized return codes from radmin commands. - Fix RHEL spec file so it works correctly for Centos7 which uses systemd, and didn't like the SystemV init script. - radwho and radlast now have a -D option to load dictionaries - DHCP packets are no longer checked for duplicates. - Don't crash in sql module group comparisons in corner case. - Calculate MPPE keys correctly when using TLS 1.2. - Fix load-balance sections. Closes #945 - TLS certificates are available again in the post-auth section. They are not available for session resumption. - radclient encodes CHAP-Password properly when using -c Closes #955. - Fix issue in rlm_cache_memcached driver that caused variable length values to be truncated. - Fix track functionality in detail reader, so it no longer fails with a "Failed marking detail request as done: Bad file descriptor" error. - Actually add the peer identity (as User-Name) to the inner tunnel in EAP-PWD requests, so it's available for lookups. - Fixes to PostgreSQL queries. Patches from Santiago Gimeno. - new set of consolidated patch files: deleted: * freeradius-server-2.1.1-logrotate_su.patch * freeradius-server-2.1.6-rcradiusd.patch * freeradius-server-initscript-pidfile.patch * freeradius-server-radius-reload-logrotate.patch * freeradius-server-var_run.patch added: * freeradius-server-radiusd-logrotate.patch * freeradius-server-rcradiusd.patch * freeradius-server-tmpfiles.patch- Do not disable as-needed build - Remove the with_sysconfig switch and just stick with versions- update to 3.0.6 - fixes a segmentation fault in PEAP module (bnc#912588) Feature improvements: * radmin / raddebug conditional errors are printed to the output, instead of being discarded. * raddebug will exit if condition set with -c was invalid. * radmin auto-reconnects if the connection to the server has gone away. * rlm_cache now has submodule support. See raddb/mods-available/cache * New memcached driver for rlm_cache. See raddb/mods-available/cache * Add support for &Attribute-Name[*] in conditions. See "man unlang" for details. * Add &Attribute-Name[n] which gets the last instance of an attribute e.g. Module-Failure-Message[n]. * Allow for redundant string expansions. See the "instantiate" section of radiusd.conf. * When checking IP addresses in conditions, make the right side be parsed as an IP prefix. * Support JIT compilation of compiled regular expressions when built with libpcre. * Support named capture groups with "%{regex:}" when built with libpcre. * Increase regular expression capture groups from 8 to 32. * Emit error markers for badly formed regular expressions. * Allow 'm' flag to enable multiline mode in regular expressions. * Support limited implicit attribute conversion in update sections. * Support casting between IPv6 and IPv4 where the IPv6 address has the v4/v6 mapping prefix (::ffff:).- Drop .keyring and .sig file: freeradius-server still uses MD5 signatures, which are no longer validated/accepted by GPG 2.1.- update to 3.0.5 Some of the new features: * Allow LDAP to specify arbitrary attributes for dynamic clients. * Allow one level of backslashes (finally). See radiusd.conf, "correct_escapes" setting. * When supported by OpenSSL, allow TLS 1.1 and TLS 1.2 in EAP methods. * Allow multiple new connections to be spawned simultaneously in the connection pool, to cope with spikes in traffic. * Use kqueue on systems which support it. This allows for better scaling when using many sockets. * Home server "response_window" can now take fractions of a second. See proxy.conf. * radmin now supports "show module status", as thee counterpart to "set module status" * "ipaddr" will now use v6 if no v4 address is present. You should use "ipv4addr" or "ipv6addr" to force v4/v6 addresses. * "client" sections will allow "ipaddr = 192.192.0/24". The old "netmask" is still accepted, but the new format is preferred. * Allow custom HTTP headers to be set for rlm_rest requests using control:REST-HTTP-Header (attributes consumed after use). * Extend format of %{rest:} expansion to allow HTTP method and POST data to be specified and urlquoting. * Add support for aliases in rlm_ldap. * Add support for connection pool sharing to all modules that use the connection pool (pool = ). * "tls" sections now have a "psk_query" configuration item, for dynamic queries to discover a key from a PSK identity. * Preliminary support for EAP channel bindings. * Foundational work for dynamic home servers. They do not yet work, but this is now only a matter of updating the "realm" module in a future release. * Support &attr[*] syntax to copy all instances of an attribute when used with the += operator in an update section. May be qualified with a tag. * The logintime and expiration modules can now be listed in the post-auth section. This makes some configurations simpler. * rlm_sqlippool is now IPV6 capable. Set "ipv6 = yes" to get Framed-IPv6-Prefix returned. The SQL queries have NOT been updated. Please submit patches. and numerous; bugfixes - remove gpg-offline - create /run/radiusd after install - drop freeradius-server-opensslversion.patch (upstream)- freeradius-server-opensslversion.patch: do not check the minor version of openssl, minor versions are supposed to be compatible. bnc#906682s390zp37 16214045693.0.21-3.9.13.0.21-3.9.1freeradiuslibfreeradius-dhcp.solibfreeradius-eap.solibfreeradius-radius.solibfreeradius-server.sofreeradius-server-libsCOPYRIGHTLICENSE/usr/lib64//usr/lib64/freeradius//usr/share/licenses//usr/share/licenses/freeradius-server-libs/-fmessage-length=0 -grecord-gcc-switches -O2 -Wall -D_FORTIFY_SOURCE=2 -fstack-protector-strong -funwind-tables -fasynchronous-unwind-tables -fstack-clash-protection -gobs://build.suse.de/SUSE:Maintenance:19717/SUSE_SLE-15-SP2_Update/aaf5b424e46a852247a3a9ab61910f75-freeradius-server.SUSE_SLE-15-SP2_Updatecpioxz5s390x-suse-linuxdirectoryELF 64-bit MSB shared object, IBM S/390, version 1 (SYSV), dynamically linked, BuildID[sha1]=951cb173bb7c900eeda2ab27d53009772ae424aa, strippedELF 64-bit MSB shared object, IBM S/390, version 1 (SYSV), dynamically linked, BuildID[sha1]=0f6fd75ae7c1afb2c3130bea7c274ec5c40ab7c9, strippedELF 64-bit MSB shared object, IBM S/390, version 1 (SYSV), dynamically linked, BuildID[sha1]=0c79b7eb46ebbe50b0e129504b56c4fc3c383f72, strippedELF 64-bit MSB shared object, IBM S/390, version 1 (SYSV), dynamically linked, BuildID[sha1]=8d74a2b60deab947f5fbe698d7e43d5ac34b55c2, strippedASCII text  PRRRRPRRRRPRRR R RRRRRRR RR R RRPR RRRRRR R![!w[q[ ~d7ݏz( jVf L@zwz{:4Z9 2TGay5I"2.%@H F,|YZ^yx;靹l- D=cBJ`hffcaZ ݏ}99<Mjy]f/߅9`rg %?a@:tz2e'p+˷)fWiJ{1u1`98:8kgԯR cxIJݛ,a/9J>Ul>T2@l6M9l^)~ 'URO째+k^j)HC>9*8ӹaטw@=56ND<"NDBֱ*SqȚ&Fİ=IxԖbRxg>&jsV s}aea27FST=]ӜYVmrBb- iӺN_!ƺK)5@WLxݵ[/S+XLj|ZR 償Llkս7!7p7? =mhu{ Lo`%럤>tT #w٭Oȹr+xCW:A(iZg_Sc"g}q)ٞWZ* uҚꙇƊ﫳jPbqT- pp;icPm{ f"ABn;$3WB* 10u+ *JŬ7aݿwlDIМ#9{]K m<ijks9~)w CtcfcnmKU@cu+PoN=U8&f4B1-V#SdIK6},q | #uZ;g+mǖ)39N}@u"PeP!% @4 fsoqˆ+A̻#C|.PK[)y"7b4x9riOk BE̖O)q0 ܩnK9fo!Sښd\bDoYj/D%YnKk*Iխƍ'njLU}`$JlnX,@;X@C bhQTҍ&^C V>9z& +JTIU9E_ٮ #DS^y|E! 1}PeϔdHLj>ĹD%fw_ "rJ}(G [QHM.05b>W{Y{L덠B*xIDhluP 5jiqY.LA&&=}\Zx@[-v%QSs0l}ĖsUD;Ab鯖h`^%͗Qݦ%zw8}ts"!ru2⨯'}mKݖZ+&~OC?O!Jl V`҃AP仫,fU |Tʺ0FvmdfQCtʡK_?W9fZC뤐']AVnn`D u.e[4p,oM? Y ; |{gEx =۽eK\!yR4 <(1S3 6lrCO#?>#ld=;Nsζv).t;_#e#+˃ӯl9!퇧LTj!ZR=jYVP=Y]zȤאK);RI%lNíoj$-(+G&q_oEՑh_R WϟJuA<+M]$@>R]6LAZ/qZ37Z;vƅ_Ч{`6^z!7jy$S'biz)}H/5wXce4ԉl:|u6\Rs=TN\Kِ"]-kx2u|%cX-jFgFM vU4Z*E*0BP3B9/wmBd \hĦ$ {?@LZKuйFGnV'}qKЙ !q+, h֯] c ^Uo GrH.ڬsRYʨ=Y lOv(Fr8>W+%&7=4~ gk\۳r) 2gEQRKv=GX_rLWA[ ?lS䗫4G&2OӔ<[],] OPB?hLkb;d0 .< %1 4JXRD Ocu H&"0}@6˕ #Q'MkLO O`C:Vz-~#d̷T И7;kAb><}#gBmCFܭP|kœ T#H?(GfڣBV3#8Iԯ =&W4X OLƿᯔ{H [ѩ}P)i *([s*;'Hb7f:ZCME@}X^nm'v,' S1>bV]o!UtWH Mql~sk=malw&-켪ڰdHҘmZ#Yh;99Dͨ|c? 5VATJl74lb|bfes>7I2#W8b-7AWkYW{є{nANOsE1ƃZ'6iEpGifF ]!1i_C#Kd 2 ( p7kp$H%  [bT; [rfI⎒m(h^И{bSpptthE!'E> [Rזz$yBN`YyX}Ѭ@"wD^sg%-7fyvěFo\^"Sv&~s!ҩ Y)z΄RW ҐQY]^X ]`qB^O}:3Fo=|2ڹdGF0Hջr@0Ij P'r'N8a2 (*"ЖFsmXNe;v!B. xNs#);%G -c$ <ⶉ ̝[ہ?ypB3s1bdS(r y KlF k h^|wܷm FyLu}]ީ71hXo+*#+u6?4K0yHߞ=qM}nwX;'y*O tEkPmfx 0t9DC- c>~)Ʉ+ &^wŒQU(M ?~9g\:*q36~.Ze+En^U,'X.Mhؚd5T.â */ Hs-w~~$F;Soc~aa@=fn!`shB7QOh^?/2Q>I{c\ 6&jEfJȹ)L.#dózݑ!@]r}Lw=͒kRub:aV2e eP 䗜w]VMZDs`ƣ?2',Z0i- G^|"IDT Y+6[z&+|O!FNq8Ps⭙sA{ G ҟXsń!,y%%Ų|I֧Ta q40!CT iyUĪN8AܺMM']4jUF+'@4ٮf8 tc>ҩ\/Vǟ,-[,Ej$f./rbj2kS[2{gR?;мN70C&&j^r#O]H4vlLWnxr=65h6Y[$^l.xʊ_dsݩ)a6̲)8?!R*Kg=["efӞ:kZJI4,k$W|.~ja@"?a\j́S}@lcco3wܥp(q?6!a1zH9 ̠ۅW swRzu],x%D" #>u^# C9!vbťT 9fXK)+D\*%:8@ Prj%w6uRˡ5>F w.Z`9bFڴfg*C)]$q?Msi[$E.;0l2? fUq uv3WwlOh#Dk.\JoW[K(jP nc܍l 䣸=__ <ץPX9yO?xظu MU?nhRɆĤlE=J/&+|YL΄KfY+D2s<+"f DXA3~Y]"6BΛbw6@Ɣyy=D/i; MUK MϨX* I-/O2Uu/#؝TJM^-jF)ěɩ;n"9BكCK9.-ap*QmΎ0p+ip[UӨޓde7lӈeFOs$>nMjp 9kFjm5;7)FV 3Dzb\wIfC"nfB95u1'j-*,DX<ԮEܵvlvCҥ+En:x # i%yM9Mi5r vlkB[T:EGKO Gaiͅ-jT^S2*H#ǿK^h@4*w5l`,֫!'˨S| [`[,BRޟ#|oL;&)IQB;vx1JnVy t➩->H%NSAx!W0U%4\ "xK;p8}( z. 4xty [>~FۮЇ9II @*'j )WoΑ6pE}{VW{)WaQ+o2@],:%&CI'Z)LҝM X"Vv%"2q1٨;H*9 ٮikn dJiX/>J!lcZƍxFW6.A[ Gc=(hQnTǕt.adjC5pDX:6 %Je跀Eل#N Zڇ[ɴ_©MLZp K~_΍Do:q)[ qN63 Woy@a 7o`eV*NBK˿W> a\PqTp"gˠ*ri{k9SR3` X X#Ð o-W/T9Ӿ;\xH.Ni>N\Q2E@s-`9{^r{NM"J g&xk*6 VӁʴAZ42Xt}2k̨;V^ %@ :rڇRފo9e>DFHRm~ {X b$]UDAf#kg je.rM8Kb1Vڛ@0&0, e(#G9ݹH~aoH =5L)zN hMM.'C);nran`W/SП u /:Gfb-2_UsHb rHa3=he"=@)9W5_c5]浟b\]p8,yM \Q,dDS yţQ;7&{ i/ *ȨKBFOT҉mLŹA>!Bz=b2WNæ!dT.úaоpwAwh.GKXBDe#F`8mB&*c ɑw׺K`@Y>O%´XaG@< )C_l vNlֈ4/UuM nn{O9M`A5Sr]!3?p*:JTӁS#qN2ȀXbf'Xz 0|6{2fytl(B2Bzt7o%m"׸' T0Qd/h[. ENڪ;duĒn JGbUmeA^K=c|iqvo#\9N&ôil1OK%G5 wĵ?h!@Bvٕ7Zzed+k,ZC9G?7u(F޸ FĎC1߽.A{|9K[tPPJآS8[} fo-NkKôE#ϰ)jXv^+ZWpЊ[(u@rDyy*{v"FtYgM4%̂[U&>>Q(',M~wBfUe 5x:n^3l;R3~U_m]>u~+А&rY@ie]p夯vzd+zBTsMQgmB[ hˌlХ]*g+O CH6bM zߵ`vyF%ߌ9@(fjq +L.܀@m8G^$H3*#> ʭDmj1dSM@Fg(J $xZץ5C=-Ãw#UV q &5"M:\G6&ɻȬ@ Y-`I" q, fa92V(iPVP`'Ծ򋇍dx&i`%QPT@?z EF0s g,"5+ѦMTQ:NA!IMQGS74Qޯk*X\MF^[;CO#A0ObF@zDʂ;ig@~_U X!g6o!8 ǁNZFMɡ N[JL@ "Y&"E1Z̜vyf)oMX3:);Z4oViJLv6 _9ZQpD*F)auI pӆ3{s*j^\4 {nY#W*UOzq@ 7g됾h BƱcr$aW60QuJkVӆv[Dur !ód"GjexƒLDooYЯ̀6@i"^ ])P FPcgX >4 msOs:iVxgţ#ƶ &t¶Eu5-.ռplMU,K\!c ѻR*WW)t+n6!K@_Vt敭lu4 9O[;3ѿEb* A0)Kdž#;N&!~nWVfPf{}xjZ_3ȾeiPIAKY4Kk}Z!>V$(4BUWIc%B [;(cP^S7/+3SinyiLK,lafCd_`-w6ܨE`E&NZx.N]X6 $f;yUP R1Ѵmp\Be1UU!@˯E~ϢCY 2jg/Yws1 w7io?ф/j/'Ӡ MjAg0Cb_ [+w$."]t.ɿi)pG9fH&RO Y5T]4UGb`NL贶U4{nl`! 箪g!.7 6MfBl&o5P1`4\9guQ 2): |<BWRk3C`1P_D~-P3)픘=*$Rp;-~hrc1>ě2T0/'5z/>jZX92i=a#?p"LMv'бy* ҷ`>Azyhm,\cl㫳;WyyMo]v 12H$n/o4.xZ&sl#-:Q?PB6> ѧo.u'b4\Xx쵨H^f,[kWůz ndnVF9y w6E]ok 8p'JBs|(X/ijO8d}hQF1|>`;oingT4O# [Od殫@;JwqA\Ì`49NL4yd%{KVplg5laNgȳ !mH5AU'2ԩh?;!ƣiQ<D&ᰨ~ܴ7{ U[|y%}|7質{JH]Lu{}f}9w@(O&b5[\ԿҭZ] @&Xso\,p0T6[{"QZmqӴ\h^m9%?U]/u"7'zجi6Ys[Z`)Y8v6` F }%4poWg 9v,ՏBUmW"?FR@EG͈ak/mػ} jvLz!LMV؈Șp,ٓ3ѣIo2Gg Ubm´Nb>P%ROFy6 AophBQ%d>c: BYuV,1@f+x,ĘPG}GFETqk:S>;X扅xsR簶GaM&*|6&6Xw;< !=gl5\$۠"8e(F.Ƽ z?+r'D*}yޯ"Y3nxkhZ@ǜH6RW953+X1}Tu^ժ7dh 㓺 c`1E9;' ';MCڑXF#CN~+0n$~KtwUj24zN!ռZGׯyy-&7X̟A"*Kv⯌QUu5ݵOq|z9o؟Ҝ{ʻG\;xSNj3zYs l[x㎧߶ QnģD`@K LœT ̆Vѡ^HVrA-IFVGqؕA^42z#IXDw?nC|~T԰pYNT;`?%uN817Pь^1dssfS|_U90+RB֛)'! =($BZuGEŖHCQͿ@>s'{P=8%j_3Ԫ%0)[ tkIaPVbĽLSob.=!;HI"<>sS(sfBF^o%q輦).L}f{u3g.Vw 46p|ZZ<;ϣB PFTmBkQeoq1wCEzZz/ b%M%w$JvljHV $bWv@.Kz$]i;GxeI5n[24@`2ꔁqd;B̶:~;nU.Ȭu4\t*LQ?愹@~AlyR2 > r \D&, @34B% ? AALpiY\yFzJkW/̡+|g4#K1-x?fQEWr^ æq;,Sw8^bgf#M ~"o~7D=gST멺Fg/]P9-B, N[\}O.wYxT7 =x@_kR'X?~~ԤsljsP'ˋ$ŔȌLdtfHqBc|ǡ}~Qˣٻ^˱Hnoj@p!֑K(Iz /Tv8$1Ktx^PQF {897¨ܬ VXѸ8gy_9;QL*n+4K ڿ5];D=>3me˙ūɧhٞtHǗӰLkR"2°1Αtӄ$_fESW7e#:p1M˞X9{RlkWYLvѳb)Lru/I *m^g$ݧvnoJŃBMN#~ ƟDtViXj$8>L]6s9e|{Ln^-vxSϪHXӹǡFTNc) *>@ v8kEwIDH?#8 Y{áV4`NO.8ۻgL4Y>,BIIE)R$mW1$ ϶5 b;) 즰i汣֍\<\!.SQKW¶ϦM60m޳αfY%zFi2>]w ]g|uMb t;/YN+HQJ>lFn*dayÌf ;-j[_v\fI0&׍+{HcJtdA {_dt"k? =3E(oΥ$$^csnCK/‡YR 9Qg=)3n*t{|T W .޽]Ԕj> ǤR2w#9ICgG_J"|axǷB" rd%3 bi=d,BL1fK7W˙Rkl¯Y8x+Vjt5s͖ bIFpc s&v|3d/EJY)Fd?hJ]ܶT)PdA#B62{9qAbqeL>e5ڂqcmTdSF?E'fg'&v6ҸjY8B/{9>_|BE@?}V3L耤횕?QO/mϕ$oA8DgzYDy0O:ݮ|K Yi'5\Qm ->?z*q~djUF IfĤEn?@!#s ɛZq^H FrNtNj>%?Z|=Ź"1gP(%mߓqBGIJ Rۼo,ЪЙ#um;lj Y܉ 6:@,nɕ2By)ix39ŷm-[d8=ڛ"{yD~pFj`36⠤ q*Go7ڄJ&q 7ͷ|͂#8@3M;f€ 7W$)RDݥ[ĀO;F.spJpn2kb| >@ASuTMe4}_@d$;_LͯQŷpn+0X|3 39 mͪUUf Jj3vI1UR3@8KفP@\c݁ s۾#LNjR~N紷 x~Wb Z5}5">mcS.PqbI&Y5>c1w؅BB=jC8y (|I_c2yZ d{v&&Nn{;KFuKK=}c4ZU%8 GA~ft x'f\fxr0ZNA1_\A%XWNV^AAϤ.8x$`䯝o݆&l_k +wqREXw!4Y[9BFڕ\OWlb1 Ut,a-;`O)Zx=KP6yQ2d)-ub YyOЫ< ZBjPr۱ڥAPa y,qW3lj:*@l.D fU Uߍ<ȘDV׸oA"ĽstMΰDoQõE5߶&e 㾉bm dso,; VZpP\,r}DÁSUcjzѲU2L宆ILwźNlq4'%ď{u7hr&!M1>^ӱ+:C*e5$u˻tL(7 ŞR[*_fz;C;wLLjDdH5 !V 0ƴ[~8,VkYE/H?b0EXK(F4|ZKK*fǘ7Mn?1 U&꘯̹'/@_nomoqȠ4gIñGqR@rQBboBd'U,yexI4W3^WJD%U z#i²~ 99`]8CMSSצUoE|ƥZ+>G=EZJI&ǽ9%/dsmD8մwX*+?#Zw3{e;^+K IbI:>ͣ>%MS&2+sxb0ԧԩB6N7 ?t6 2sU >ǂŋ?rsBo gT T JcU ~8o[G6s*H j=0Ҵmt1P/o3] ; 9}j} 4ؤ[w9s83sX(4`\^մXbvߙ5NɎ$@JVL~WA$.Iݚ֫gnUwyMK` yzո1Ӱf]54Q$\z@8Q SGQk/g I yհ*x?襰 >޳ K,#(Ea+h;Q9?4Y֣Fjsnǃ; 7]vݚ2ӘRF_UYq;7xr&/l`NJvND)1CSpyl%4fn`D_=Sdgŝ"F~;ŦL ]>\*_$HK.P>{4<ι!"]H~#ی=G%$'piD.`#⟟yX kQ)[Cdlir2Y8HR Yy ߦs(U :a5xm` k2·ԫ=z sYL$DL1ğѦ`U`aa^$hGjEp[R"*tM6g7v"P@wQ 6NՂrRKL3#Տӿa| P qV.3fnэ#> >݌oXMgk騵j`[yV)I\Nx43 1_ŭ)IVOY\zV;Iˎ}´`cz\ԓ\`k&EAxȑUz[A:{MGsTqjCysGIZ{W^&B|+>-I zHqIW︿+ l)NeZj$=% _bS6k Xޱl\@ͯК˰E~J ]Vi6fv ` D.PR0g襨ؒ3Bjs,OHZ5" TVԫFڨ9T47FŠFT.m3:߻Ia8>$?*_=%ЮN>'U"Svb`qk;^i Q3M? LGnj0f]+ K`'л`۴I:P u c"= _:DŮRGI ܖs45< qIF-ѹ'/J7_x*ժU耴 ʠ_6+V}|$70e迭5KG$ޯt{'r@*JVo 1a\ WiTY/MFWgCavT,!ؿ-*Xj'$s7ifS|h h@J 3bl%`r&x]Elb_PrT:-] 5ni C``RC-J2^2gMȶ{`FQ {4_َ bN.si;5ɥ6OCz"}ՙ{36HS GHg IC`K3敻0SK>y8l,-iVI z|`ՁV._mOf.k#ܔ̓f'1w9kɕ;$ *:~QyL6u%~6WE1VBTOTF"J1=LqfHǘx[XXo ٬ݚ'FK;y?% n²J=c xZSUn棆od~/mZp5XF YVW8nߢ~Ѫz#[j|c)=I`HazC>ؤ$bRb4ƿeic@x>hesrk6aZsߗNuP$ylT S_\n Gg¥Zj[f.lI6ȕ6煮GH3^(iPχ$-#IOqOߞwt[:n3ZKpEVvɛ vG54 {4Y |e@X}`$>?/RiP_[#Su r:0M|͔@cWj-"!?nB{YJTz򝩷,CV 3!v~zEzѫu/{XL6-{ޖbCS(  Y\ 2I$F5E y"}8@HŊ`61]2Ydwcq)C_}SScJ*"LF![9M튥?"#U#Ů6CJVm埦;^Sy$~m->v0q!PJ8ƇжxmK&w8&1W& >fIX .WiFS5-VY8Fy@8a!J~%)3GvZC8Õ\OcZ6}qzS}i d ċ %V@:AG]bM͓eHdվ1?`K5`fجG%gU`ea^~)w܎\0@)lLZSߐ>L_rnj/%Wm~%QNMϭ%K#eS6i vNEur&<}KlDP`cXe4ץqҶ`C+nD"99m7yXBZ~Y?u<̂<u`{!h'u2XJ*_f\"v(W60">y {rrkK|ے VKMap6s^uJet`,'C@DiM'pɱY;6I9$xSkk3gwǗ^o&v޴yWr4n4 +bRE~,d}-p_i^Lc]D+ΏLmaaAYʘCI(<"#5&=6?9Q 1E>L`V Oۛ+\:ٻ :5WxQeY]2 6s]<(i)jbI*O0C.ȒOPPg!q#v+ % :~ 4YHЕ֍ Մukok>ym2ɮfES0BGnzɼ7 P29zLVM}YvNb;M?> ]8jZM.JAoWgK[ؑ'p, 1_ږX?>}ݎ^K{ʀriaO%G|\0 ӧMjHCih6B`Wm|֖bXS;iNfS]) 1Kzn$ga*w0/`\N= ?Y웺YwdPJ `ڣVw\s !3+" oLIK ,>w0|+-ĵgA7 4jgT[.#mGi7[4Jß=|a 2CR0`N_jA,H~. zܔKSwS!DVo߃':Q84c4J\%9~$d`e hK#A\0T}eOm%a:fQa=u_@mF>04G"͍^_4fc* mN󮀾1KA lך ,NAN3W5*Z]QJr%hc"ٟs7 ô TH^e04GStܛJE gS504lmlOӼuHI*Y þlwSd nƹ 5=*rEÕZe+@ޣ#0j6ъm]pRUt2`*!PWU;qiCI/P ekwzObg3fMƉM>~Z>:m~6X[ .cH,RӫcA⋹F)sh.PYc_c?-\M`ؕ_^8'ixD P CͲnqzÀg6VUk#a)x=U}vm SBF8!(#pNEd!tr7\znWi},4aABQ޼w*ڛ< j6$Ҍ7)~Zl&iA3cX7:Ffw%D ç6.~xP1Oece!ܧtx?q=ܮVϧ4':-N1:Ot &uH || 1Pgז=lIBdQ! nɳi̥iq- G;wbEsy`+?>ϗnvBA`&4.%HsO;()d{:,%+B8Ѿ}5xGB4֤M6RKW~b|HW[=Ld6S('m:a)8^(]dUO=!bԆ}=Q #S'ZP%TL }Wi!FR&RMaRˎUNHCs!F#PZOMiZR7 `+ &xy9oV; $@4.[BPaQZU7U>de؆Lg^{uXXP64ķBM$i*^1v(G1 ?cEelxXUϥ JbB>hY7a'vß&(Pu+uڅPu^ Kf]LUR?أE4m%T;a'DA0' K1S[$q )Qb$ JLރ9xh^Wg NQ؋3}" 䑪1;1qwH}ϔ/Q8[ؿMg4ʛZjح^*F shdsj1)K{XPS`5e緰$7KSRRT h!'xSex4 5X -jxFt`J"E)Ԓ+\ߕ#=Hv˭(6n}Bʶg8ByV[E ʀ[~5ÛBzHc 2W%22;lcye6&8/r(uhMEbuMN X]A*A#lwt&@F$_sGMhk}<*?^6]`8/v4EryUks姑weqctbh(SZ8aL(V篦N?p[ޝ>Vֵzvjp?9>YŠꕏDfY79t]"]Oǣ!H)N,%SVE:e)``4@#YFm);ehۃ;B?m+IԭDqy~\)rG.Ttҳ$sW02tɕ3gi4 ti,6ԁNzx|lDIqDao t1Q %hli6Kg`(m^PA^S@"m'{o;CZsPZ# yDjھWܹޝ!%j8FAGD6/Oϊ̥wpA0L$fp+í$ۤ$>JMDI` /Ef>\HŒB}ˮ:;$^.Ó6?d{}_5b,fn굥GmyCe&Ϧc1u&  F Α2OɨPšoXtEd#h22( +hb5qgƐwG{~}?ݳlŚ`={՝b&A4 j}rutJے"}cxUh5/BgКٵ+,5l`3 J Sb-G|ӥķۤslJ]#v %\tbmao:Р&Ɗokcq;xwkTʐh5IԺnl¢9m;R U01jg h&_N9`)GDA- r.9.}H}rړcW5.)W=Sy>8Ұl=,MBd&#LՃY>"0{ɧӡ7 KŢmܱH8X 4lKƯ*1jSC\z}Pܡ$H>5./ɦ$qRD˜pig'QMӉo%-yz]7U`>-d A2SG{sC,Xu>+Xk빟=?m0U.mn\M{y[W35^v ']fMϫrO_tҍ&Rw&O Mqg{vgKgeDB)jĔ=B:[<ީ`s|ӏ[5%kz^Zo!\f5o0RѶ;O m":,#P?be8e'VL {$zb0l,;` 2ZZP ?pv-;.K_ˮQL!.HG/(Stvl1UB2n;=C xs`}#9Gz?fb?ړlIy=1\₰g6$GY 6p+FTa]FY(Ք 2 wcc:F ӟBŪpgqm\ h,ÿѐa ot~ZAĻfZlX`{!6»Głi8l~ L z`^ҖuiFj/Z:l +%Ef-(52ĄUAѫưT#hfE\mT/;0s8 ,sM c=5^&A8Y*$ 03@o2(!>.o8sFAu}$+9_QxԜL1 'NdO]QSĵuu3.=|9$o骼Na4Mj8euTmwOb?^TFDll!2Mյ+eaNM"\8t[ָd-Ļg{*^<:l^\ΒJ`Asx?-%h Dj"AiadH;EB; ,iu:dD h ~jAmc-"n,_kGw`[GB@f,wsX;9uW?|9ބJxfw`]=6mf,} F_lZ#RenOtU/aG&ȄՑqWcÏes= kRcT({ CHb0CJadF_4J'DBy>w=3;Fɶ[C)Y/híj88 347&Y5b]4 *^c r/gkN'w<6ե6G2"Gdv?RQYb4d|5$)Tޔs>NkN w;iufdHW~,ԮTAX%aS׆UՋ7x/0-ewE j!90ojAvcwSRsVc$z% hOipتpU$>d98*܋Z^,4r-{ #4NơY#m{ž5t ؒJdV4I( &O)K0ĭxd+[]6? ^ċQCYTw;]y(βZ q揓&2{ hn>%T a0`JK=F&4~Ǒ_qb-|i7Μ]|S 'Qiwy xW Pdoz8+{K=ux_Q`PNu{Ŝ(4蹉:dD~m"0.nPШG|K皐 'G`DHF^IYӦ[bBV`8'}<%|9OBW$)'p5M"V0_!\4t=>SʺxL 2zdf%`i!=Ll~55y|ָ̇fѣgIP5{+}d-ۑO`[P&zz J!)_r[H|t3FAO@z?_ͱHv#Wͻ}gѪjI.4TI32/E;8·_Aɘ. uznlӾgjِʃzvfK0C?}asnId `is9n*Ry{e m$X<*h NvvjJ8 "ા%F%ՕM%m}V"Wb+q߇.P|bzO5B0pHR]#Tҝf}7Yob܈,::h'9[@Sgԥ0G1׾#䳭;.QN<ſfyX= nni|M8҈]Hay8CM B;n><ԓPTs.RIv;ç+n^C^AWN+H0h/9/x 9,#~*Yn(njk)ȏ_PLOrj4CvK@J=./^bG4pEJU~0'(a-,yh1I0ӎX )w7*!v*aKi=:m8BnkS~,KQ< MKW9EԇE/+*okeJWp"C׶AfNQ7fHVk#켺õLf%KްXgKݣ *ЊE~1m(JmrZwBw,~G%fhкy!1g ru=)$ݵ% ?MEV,.>Bho|RAd.BpܑY29)mko,Q!PWPB[.I~)ŃԽg&1_ ?=B|]@9A6D15 .pRY!%YD ks6_3`볚D' Dր79 YiB+TRCEp /μKGwv~Q[|B;>HcS@LSg`7hXliJn PޑK ^ҶZ̉GK\xk=Rևع$U@>ziʠqn߀RE$OS06I(9p(y]ۻM XU>rBoH\'+[\h* f/Bo*:vs3+P<\2%i3y[Ľ~`M^?Wv2ʨG,@j|AIpW$%xkqlw+Qxa1ٮkk$V^ךc,mNOpW])\H2-CFgYϟ e$F*{ L_F58IRz}Ҟ5HPG18`6׋O-8/h #[ o,%(ozTE{auO$8Ft\%Pu0X\ռh@=M@tӶ,+YzAMګZ9}c{|88Gd ^ _9g1`qFڮ퐓ɜJݕeg{9ow%W ,bnGO5W~fGZbݿgr>,QO6Ʈ~~oZ(8JA{:.Zlav8֤}`&&·5 9V4{G`HNhrx'0V.u+4 //TAFzfȏXwIf}ȩ1vJn:5I'후SSnuNdU%2 87lcqBUH:d\%{*=?2S8k]-[6#v5M^q("g?"`lFijO9D?:tW F*^^|Ѽԟ3|r80[B-Jl+1%H3B@AwX#N~AƤٺ9^("#I=7t{|3_gFI$E~J ~n#ry:1T޻Hu6T_[MvvOΥ,\3,$Cu7B&aeV{DS!ԃGu؊o㕏<,Q|^Hܗ h|Jkɇ#,iZaxCv14Edi ǩF\[@詽tR7Ѵ. 9̶E&6gsZn\S^v$=5߮8>赅ӢZ [&5"ΜqNK.x3ʗi9',ŘKKɴ8tz?zcT8YP\2GpBX :vCVU$1xb Q[Fӳo E/Z-v[3+ӆ[-8٣ 9ffM;;ɯ(N$'@x(%!H"-GU-'|o/hIPrdus^kVmNtGAoud~Kh)wy"ձ"lc]i(*`?GȱI3A;r]&Z9^V%+3* J 2Lt#AsH5-u!"tQŇ*kMq;ġՌVuP3b|ilI/TG^Q>:=7ZE"31;bq8u냯LNÍʼAB?Cu)|Vmn \L|C_xhQL5|ʧNN6Eˤ~7^*1-+P5pmWiAA}f$lM 9bϞo -k㴣]y{l'drS Oؗ) 'lX+aJUj3 ^Tr>2mYD6vV$0d}neChrS~7QO7ݭ$5`O{O"$b ,%9o[APɚ=A$TD*%I\U4ЮX?U77o!xJzՉ1ϕIH8_ucR$$ G,i5đ}s9X6 <Ob\R$;2Ac=dq2VĻ>гb.j)ş矬۽VQ寞ҝܚ80ʁJU5Eun@-Xۥ{Tߝml?C/JӤgwñM5grM]#c;8OCI>~?Ц4>-H*ݔ[zP!H˪c:lFmu A*F h}л羺MiA&߶*f8JߏShf2L*^K| +۝sUFO ^+LK:2Fʮ%UPQ %; ~H#Z, lB*Aktl/Бm‘W~ʞ{=UӉ)t7c6.1+09rzu:bX,Q#av,Wh^}Z=jJ(7.[<ف^#:UgM-z1 iHE&Z}=mQapZu58vj.Yĕ+pl!.|()`bӀKs+;KZ) 5[7aA" C*`P{iv.\!.[MIH␅ }pЩԧaC^'}IcSnPi 4淅Dom|zxv T{̒_|ݦN F۬IH!x:᫖o3SKG7u ,!4Ix~_zO Q؆4q2cJS8Ckmoj~6y=wI$yG/+zKrBF5%DYeotCDS17H<XQ=چ\>:=} pAS8Ug3,Av\Sd;AGqĔj֩c?V x'jM=noW[W<67b+f锝dՓ7hG֨|~hj渣$-([h5[i.|A_{ݏjcOJ"BD}}KR;oq<'#aLưA_0ĀfSBߊ$*$/E:r?劕f&cdN*Ik~7/[R n- u:7Oԏk'$AD+Yݳ,\yO5 F683up(4Dw`WZ۬V2Ik5WbBԔ$//9vY;էmZ/\+3']'lm2Q1|T=| @"V. '̙b¯-76C!N,E{xθzͱY[9# !,)@Gԏ1]`G26#6NdEWd'6) 6﷤]ECo0T^t!C1xa`č0T6Dwm'@efONvϿŘ1/4njI;"H!"~K1[d rK"tcyVZBzF#wlD7\.ډc7{R$*COʑl 3rt2=BP򸶁tS^3 I=tGOtCf ,'Pv>I>>`H́@IX9=~nŨ^ ܌ӎ m^,"ztX T74{C*2:Zك090EfL_Y鼟oڋpwTm! z2Vx(Ew kX_%,R)x+Ѷ4@7q09DL4,.@\=ٺ 3ui-a[k^긆1=:}h ߨ\E fDyM}A_u4p#FG4=71be AQ5h[=&!DmӡHx0 53HЇ&ɭnVh/8ׅh<=AՕGC!E8& 2O"4ݏXO'M-I)@rx;xFP0tq pI `ck#mi.8[C%*Fy<Do=P`0L? ?MMREa[R.&tWY;\\ɋU`mB<:?=wu&SsDh($FF+^C/5qm>60i)^'I)%ԡdWMv.O! `Sa6  *(i_NV"OToXsd;3悊PNҶu~àEִf|.4O`i^Ia~;EvCI aIRKpeJkq+c'*iFR-緭\k,mqc.%}9jژ%2%4XV7żrЩx<06n CM})7}sy|,dumKf1`7t#d[i:8?,~>, a JFK~UV9uZ'_9.3$:<~4> Er2%ЍÆ=nt][mMwckGi,:aafHjRxݨu 'Ȉ|V, bm0%`4{]^[d|ZPF/GK ƥ`>? S1w+XC3j M!C+- ]o[9)Y1msN oΗr\H.C~Q:NNWbwVN^&_کẻ ]Zc i() vGvr,`ߌi8YvFG?)<@lM v>%QɈ3xM·:Կ؁,0Hd4JZ?%c̜gSvTJGc?,R E9};(GX(Y'/ (irS9qb\m98sywEf^KȩlU=hOގRAxزN [0uNHi"xZs)`ˣDŤ > w:w hqWXC#h$*GBB?MHUlD)FOIE1n>,N`oϪgoXL|t9GjM/ccei͢x2Ja%ll=`cCOtE|p$"NҔء@a8qcf<+A< ڍv @:U]j?JEjfW )\S@Z86fLפ^k쪓{nV;V P-׊e'YbT)VA5—õL$dUIp,T1 0{/rjW@uɁylH=)-\tDK5J*&p.~Ϧfyܟ/ĢEY0iVW읟oiz%IL;g=Kf+$-QT3d+rU{4N` =7<@״,m˘~F8!xw.8rTMp]FS mD9`n5*G/x5ث [X=@vBQLL"@æ,Wg<4^4Mk7=JpnezT+:8s9|9LЙc7RuwR%l};XW)@K1j< 4i]a1l:HeP68R}C1A >`B.x,<ӫn8daRٌ꿷ڄ9MrpmR*Hay%]u g~N  _d[-kaQϴ %ޓy=["OtmNE?]z7`MG_b%wh֧eAmP罵"p `7fzrIgZ`h]6>q13wiiVm:\ ĴAkkKg wLf194i*Wri![uud(Ŀ7ҼD#Zn}k<#x!< D[6,[dJگP H7G;Pd<ď~=xOx(JÑMDC ܮ_=΃Poy2t )t60<"e8O l"P;_zۃjbzXm,Q1K6fBU\XyKF 嚞))pP+rt#Ex0YuRWR:fzLB#bI^ms#! t|dVCο;,m-B] ZV%c].f ynbPׅ3tjī>du8[.x6 PR}qF6'dHߔsJh`>apir`@nr ?kO"/c$tݜ^ftof~_(.X%A:Ng&g-weHOCW'o; gI_7h:c QNuvD?_5Q\W^vNztBSV^>N졳:`g6VM _Z=;ge)h6;^)\9,a-dpfoɃtmu~2s-xj> &]$]#ć#v2Yk~ͷ.y7%ڽ[ݹ0Gw6>Gfԗ%^},sd4LLCbn?ۺ4dk ~L&z1&ºv L[ e _"艦V=.ezh䮟k&&`<<߁I<QvYNN>؆Uf'}b5@VLkmr?RGb#",vB&Э<:졖!ݗ&kmM]G6Z߰fC-^0,lֲroq\@״Yc,XKk|]n`c PH*<fM2D氞WX $1:-s] iէЩH:&ݚ>U}tgN#+#ەNg kkۘ.4f9+ĹxYJ_a1i7G[fZŔF( HijktBa|Dh:샿t-v_LȌ& 3$G[+~w7gNé\+Bߨ 7$> yFˬ% *tq>jw 0tw٩+-W sYow GI=N}H SW^5܃D%yqjtt2>h|_ޑ E3D%ͳmize˘zfשi0Lp,}y` 6[Iu*֥U\ތ(Zx24ճdPocIFZcU(8vۋCwnRن=$?o$.* q_gp)XO/?%I}8h4tkDJ[9tdz:V(֍+Nݱ# 70n $KoL>X(ܠI_lgm➡̙6N,u4\8˺5ǭR\˰a9'MgudR \:k7gb=dVhOt'sq1/',)z˟)\n=/t(X7N|t`֍'3*ٵ"7a^{WaO7vc49ɺl+Fa&2q7zƺּ)Jxj fʜ I =:N^>PӰIE{nWm" )yL 1:TTw#8 ġv-K]z*@fqkW#W%?l`2U̗biI r!&ȟ,}g1Z3HT9'F"3&7b! ZNa9O #4j㴱ΖMT>'{ELt)~ni j 00HM6Iv#vt~6m]iFHLgW_g_7?+[w*#flU^ nh=(|Q"N1*$np|:Mw߬'Y..&e7.vlrF +HmUH]P(+ᇥCpAw4NI`ʱGۢPGS~=bC ES3ZCѐfjD_r5Vެ^xQQIM]!s Q%0J[ a3I&z)j0-gVMV~j&rm ȵ,HW2焩10?,ˌv>\i+e`;b'tO 1: i>ˌgkP=[R|ve@3f;X񢫫.U>}o+EN|'N+P_3ݷkY<%#ih~$<_& ̰󯓀( YZ͕7DbYP4oW鹢89O{#`#L@q5"f~22(7!FK 騜U"d2Z} > l|gMd׶KӔ A Ȯ5\Ջb`Eh2M?fC` =_a&"Nl澦6ԙ]10jhNnN:˚dΒz~8JI1McH2Bf^ma2tdSv[)SIHW nXxU ˋ?lcn}bzd`~W9a]5Qe*Laql{&?;w8 }r-q%4u_&TUtlemVMɚp-2$23ڳ `a 8^-"SBF-V7(]di$!2RN O8jnv"  L[xo`YQ )C(w2꫇&h]#z|Xz?Os%ϭw^ۙAOC{0 dY鴔\{)}Aq.a)АWZ|ߨSQP$N Dƺ PNI_0_Ј3./q {S3^) Y!'1ࢻBms ^D] #?qb(rT᫳:cu* 5lA] ( !s>-ƣBb1c֣āx-Ts6 b")}DAK,¿+8ˆ ҃ZA=D⧇Ǡ_x0l SpUrѣ}"׆Y(bʅsO5G/gzZĆs  Sz=ڊN&s_?yb5B\~` #5v|T=ً< *ؖD~ќi79dz4'&)/mGA'µTK!`vPx!~w.0xjacHcg[*OBh跿UVjBzzZʾ\"MRxVV E/vgRV4mݖU^gbA&p 54% jwP=〓e"´ 1M:w{Vg?f-b`̾{eeGe>]TmPw1C$zŰv*rk&0¢†Q,$zL&FVV%M3.і}caR"_U\.O v-ʽ4eIu]ʅ&d v wǻYkc#YM !W8{A`r$T\b_l!vg+㏒L Ydvud1o"niG<otQ z@!홫mAS%-C([2#sPTatöc̫|Mn"V#'{ /C[$qf*SJN~h:,mmZ[S 5ϵ~vlT=͐[Ii&(dTX\>+$p]v@<ف` sXrF4<)P(ۈ.Sv8/3z Q]~)+=];5;A%gsm& :cۛ6@|O$m"`a&+XK*#6GDtr CE/c-f izցJ|\9O3H@f ތ5rϙ>l!D %QqWz? cӚ~9z?A &&M? =W{Y/ԨCLV>;ZFbVw$ugH$>̕iV`䀙Nq 8D߽xɪ$@ Mn×9:PyC)]<:n.fT.Қ(Q z076kCY "Mq2|ge*I ;&?a8vCRƮ>rӳݸHLlh Tz*P)`ε?JRnd~ ̣VΈO7{G_$(R r+~6L? Qc2c%Ij&9EIxXL@Wա9h8'5!G:4&û9)ł,3ryrLԃDQ oQ=:q'< Wh7JjrmMM϶}oN9s^e'HuugxoY &yDDܱ]8#X)\$ G ɧ d#js̻>k9?q!޽]Y ;<;WX4z?c; M&*Hb! wb?Yӱ ~gJODO:S+ )~Xt_~>F-53gcF_]X?d bw^!Њ@,gI9IM uˆ}fr}6'^-6haq3Ѧ;iR4aXL[\qeEԆ-I Հ%jdF† +"D<8# #:4rjռCR@%Ao?,.>Im)v02ә&( e XԂZ^2 qy+U@JBD`icMfPvwya)Oaw Uּ$?PdŬGs(0InJ4j8"uI3'e1I`15=:z,3L|h,{yv,(}[&sZˤ1(=us+pOrf T+g*ib@4pC[63)՜4#$ TpX5^?x)nVRǞz\imrn>H,yO,4;̦b~SPNib4ճ:(Cԗ|*kG%\=nF50cudB,($N( 1#gط MdL[|+u.GN]/; H q22hFzK88ZRw=9Y$o=:QYK ܞ%/E9U|`^N^C± XIb =v$/q%33Neq $*`VWߏcYݏ9;N\!ʭp9HbɇC=m">BtեVgI[N 29ܘʢM0g/^.b;] Fח,{_Z.Zۃ84Ց>;nh0TU!{A0`J1AIU W * p-Omsjk"( 7 6xFh2!/6:gu_} .A]F5z717ğ3sI#rғŒZV^KE&G?ucEMIB4t_/$w0ZRT ޾W/mư,y62~|wYIBzU#ʤYZl}nB Fb,JdB&BawP/RIv!r =c$WҞfHCF$شgfP_:0rՐq-h 4uQLAԭYHc?ٝNC\/ YFr3Rw [ AcC@u޺t'rpx}g@c?Oܽn'YQJi4(TE8R^#%؊*XpmpqPwu@]OW`]0@o4ꕼ5ZPnςkqIJʌhIHp<f*^MDÙT21B(nL"n\3 ~{X TE})h K<ȧz^W)[ 7!*h<>`(FRXy lC1<WY0|lԓjC?6čx 'KU߆'< ]rx**˃5|׉VE8 ޯgwn5:7*? f_&7Ed)3ef@WS-w9-" ];?P#L@b9 g`s%\ѝ=h0L9`ӟZ0i= 93*Z_KLjPC( c it2L;QDt,;bO.pu0]~]',I缰2iVt u .}1ڱ^m!bdyF}:⮺nu) [R ! o 6,o޻W;Pnlv@ .lx9 WA.b7$CoR6tQ rs  g5'W?d=LoY dL@4D1Y-X45Ҙ:du_Qx8ii~q5B* 0f{C=lxJsb#<%iPTIMzf9SSDs MRK,_F.Y6+DؤQ'Uw6N>F7|AN}aZ/5¬3C)ebHd77;g|Hb٘:2M>#S6;G>csk( ߒ4lgWڶ8l .mR~,@9Ix/$pǛPɇ[au+.>CpsecGa[:̩J/o'fH4M˥Oۅfr}nHNZ,C}3-(~*ip{{mf'bd\.n>>ziVy 5:&V."doBo8~])/'|iIR'O3gSiOYVleԦ>e!ƀ)Q\B5U˴ě hMYfޭmLLޠel5 #p}/~7cm~m&e+&TdJc#.%FnЭLm^=!GD~w+xvV߳n!`@85ȞJ,Vã>휮D(Xt Zkʌ=,,2^5~20˽! ʹu_њmU}* 1I՚ByX?ئ:ctҹdvk!iz[*<(*{i4nۧrsoPuP)*#rFc0Ml_h0&t{AElPn*@}%&bi]zHڭz|# @F" qcE\KDxꯟh$0$ ܇CZىiC5c;rWs5Gy>~=,C$zaUƷ3 ]~f7${q #Xnl()3v,-H>5ȋW?y6~aS!\_ i,=Hjw)W b~ltNM Nj1]!WȚv]?$CIr<'J+]Q,F X+((i[Q-ӸJ$/sns;ɦB ]b?Q0vjxD/[,W%q|$%4f.UfNU2%KKtԸ]k&+9H pzlp%vK_WBK7(0ehR=*b[\U"iB/2=jjw/C JI s8?TB?*ȟ8~+?(W-1m(ڛg ߢa{bx$ܩ0a\?98?X^t P)+h9Hv/fqQyVb_AK=cQ;Xkf"2unC d8( iNYOb^&2<Zu4D [[xpfGpJ08|T3ʢ7Xfye}#D1_ .Be` Ha ׫Io`YIZvHG?\z|1s<1ߺa99G)7s6L|hf jt<-5WWgnL=37r)n y ;)p^{o1rbC=4V#,\mE="ɩ[O a$%(ݷzqIrdq@sAo*ge7`;3SJ s䐼 h M>W7;˻K7Nea d)%"R~.)Rb1~[,Php΁Ϭ 8ޥhn͆]@w| _xfjF7BDft,IgGet%vy%k[afd5opxNj^`S<0Z͑+Suf:NՉɀ'8](_o>>"͇)laZᯏjcẘ2'?2sMȭت\K\ U2<RVۘޮۊ;Qʙkw; U+z筃E*g7+ (R7ٔ=/h:I43l]jO\>y/G:.'Vb(}nl0%oh8ujOrRk6y׆Y'4t,@(t%>"W յƃ?*'#W ̷ . UR5Vº '{D;NC,=bAć@ j#|d8fH2gd17aաupٶ>R"kzF5q&nו RԄAov#KM/ٞ0kÅ`A)!De "W̧Փ}#KոA)G_ {%MYmsk}b{oc!j¶f$w_qJЍ>'&W"^PF&f{2U7OgNDRU%TJ9ڛUi`L;Z_ G{ 9]CB*B- ޑ6L\.\D❨lRkyg>}PowM!J١\nK9Rm@r& & 4l۬p$)~Á=r){ӿ"^vQ/Є*^̖8*Z@z2p<_)oqOc]~ 6^=tjk7p{?wQ(~.V߁wAmKE8"Ekdx"Z5XF?!ݔ{0+ p"VX ǚ\W^p9<KM+f;~`MOBP#<2Q%\ˁ.2J>z>`y s2> }8 7 ΚM gG{h ilT_}n[$uc X \QBk{|>P[HIXHh"f`ii J4*q WF.76dFָ5ʊښÂ|@r݃S pj/X.~"1],.)2\{*~:jsAs?7GFHXEǼ$x͎|䂸i7 f/"(Le>MU=!49Alz0R׳pz)6dMSrk)fKn|^KNJ`7`U'#7^u,j&Mf{wH͞InH1IA  f ~p xݧy#6JG6)^Jd”Iz\!vyPMw8$,*Wk1>h䤽٤_zLb?R.6^^P#{ B\NW˹҆ԺY_b6%>ֵ0zQ0 RGHkvW k/Ll*: xEtɞa#<0'v=6AEҔV";OvU*H Lj*\cUxho=s3v=+tvTwPy,0P>.h/ass[L< \1*gCKyuGXݤP@;Y&ɏZp !ݱ;OXg ;b#CLZmB c`[m.2a{՝s99U>?žzPYW+ϔr~3"ѕ*85 wh_Xp7aIWŷ\_f$hk{<tf $ŧK:9n{ hPrOW;ʫ6.``W~%9zi)wsFKn%9<I%@{*b~B?[UsfMkYogdd,D$/;⮣yH4*gl;Rջa2]5‘L_io+.kh]ʄr2C7gTXw4!>rn)~'+'LBxAKYQųP`Ia?b0_h( >Xkh]z qyUj&V.qUS.˃!6Rvp[]4VPq-[82X Q4BB?Mehͥb E [b3x hhtd Ѽ4+=N^3!βBRp)hz ,/ Kv!uR^h#i7fT+[ؗEN6Ʋ0żkUJguk7G,w˧b7|sf;弫bQ&4+Kjo mP%R $qlLYB` "qq.Nɴt:{u`]bl{Ӓ1):VO |5^FMlAk`Qex?.,yx앉?TH-"Pw)w%+-+ 8l K 7$O~i[ }|yTذ|?sscvd%@wl~w`NiB;E0NH ']YK 4r=0yi3w&27/oyWnqG@zy4uJߚH Ϻw)~hJ/}؃XMθ?!Ơ[ٚEP`,CFI.<(jaFSܷ& ($9_Ҟ0^q2ҏJ$$f:-]U d4de%s o4Mb]yKFB*gjӴ]J*C4A@ݧdP#C ۠v !lNjnm|H s3{`TcmDStIyrEn['?rX>C#4ֲVcӠO H Q˹.M`KcBa*~E;'&oCh.8u2\Ҍe5gͫ6S >-v"z."n;ZV9n XoJr_ $ NZ0Zz8)[tŽ=M4> VarAý < x22E Z|4LAA[u1NG6*Lybz *SخNK!mtu/, cCV/[ғu}dWH 7*h낍 ޴4̘UVW .> kZuoQ߀8# Q4Ʊ/?Pq fd0Q5<jSbץ:`7BQ VdAwlDbÄ5Oն\ wzm.>&Cbض,`YyWs6L$~ 9PT ֞) %̦jU9EBh}h!Z2ETLYᒸ`V)S*N tetJZM6:2+'2P+vxM3 )C542\b qK yYra,fgbx>EͯMGTUVO<R* b9Xc/ xn-?<%!soGBTE鷣i>$ޟ'`KDB*mHVTBek7{mW8pZ^`k,{'4IoϏk.a汰$z^璘u=X밨{;Ye ޑ#t t]3\eQ}e" lFFOEnYKL(.o3)fYhB'?u(^"Byufd gz_}5>qz' 2&Xԧy6)^+A%::m3CD$YJ^ݶGHgJ,oڜVr|ٶ5[זlN}1l\PgMMA gajmH"f괘ɑ#dDS]%^T/ZeCpkyTBfdۋu,^Y!P=5ؑACFl9O;)W}pϿZĶ"O( M9;D՚Y.*tE4_=~#)=!V*E2׽E ݞR$wn;q곷Ȱ1,CgaTN՗4PGGAa;cdvu1p(n)7ø8OsCd q}ǧ&{&Od0'&׷߼ټ`_j,̽ӡe2rRTuTN{*y#C_ CWA|?]KpC4Wl)JGblcF_F8 LU՜YD.YEzt4?ƚ ʐKFJl:x!%E,ف &ݎy7H0J&o`(1 g1u7a{;|M3b(r!D8 ̤6fʾS#-F 7s mN|i9zEuNIc6TJU߄S\>UJ-]s /93 +Ā90kR=$&/\n(Rnh-3Jʕy0 ~fԔ:6x0*+޳osv[L>#f@(77&0!23,l(5 u74~j/ Bd`%cI\@hKفcܾpNRz/8 !|+ۛA>HdZSNpPK,`v5r Ⱦi5 e U1,*;W1$ʬ80icZ0HI] s5-Fg"Nx̆Reɵ/s,몺ZcHaEW߻aWj0T^ T YËëe͐EŎ/4~ ^G:J6/F+ѴXE b(p?VR[ Ng0[@WKͅ<o֮WZf5/dW76݄k~p[5ʦC}%<7:Π.gp$g;%;m2 ߓԥ=& S=ct;-WaZOCR\ځPZ}8&uaYG.%dGGyqc89:n WnFL.JY_٪ı:N#Hs{gp8u[HImZ; K+B S95G9"{3~p,#TYۨu!FʠO1#al CiϼJW )YU|nHcD B쩁C#Zۄ2浼Ԟ$1ʑ{vC,IUyJӣ*o'rTKcvO,I~+gs(9l4$3^#2d WZvB%v,\H꧞+hņ0h}X'I@FRxoeV`26_$7ʼn_pYH tC#"2lojGNkW4a$|B 'Q(cԳʯw|{JW.w|ӝ|6, 0VS®(XGR7-Dk\a5[:#Bw+QjwΩKI?Rܸm ϭxr0̨9Y];&B8vG7cH%VA+C1RdOR+EZP-rڦF1 ױ7h fEM7^<Y#[,3^hKDgya7vhg|.6 NXߘtFi)RVn+G,Mϡ_1+b`fkAݥMQC @0-̼1NJCn9*L6/MN?+]'U&B=ݼ hR#LщRM%R6JsD& jU*Ëޗڛ'*K%̌mb]{y \KH}4=Kkyw\4EՋE /: ƽBx@d,;hn5ǚ$w[Py%<[DXi-6vHɭWnS*aw >TWYxmFYkWuC`* xzQxq<6%bZƔ#LɍK`1.  Zpˤ5k@.m<$m t+2>؁ W%`߬ɐ4(w%e\TVh3G7NX8X!=S[nXs-#(n"!: [g8&-7a0hjUb/,[{"7]$jEOsh>qRE;naM-EJfD/OT~[>ufxrHӚCII}?brvJyC.PE6/l7EpzDA֯CHkTn7%tS=}8!l=C(:ӌ iYx,)T1Qt(hτ􌧞-HhwZO*6>dANC_e'}w!@I8E#Yr'ܥQ50`ӟ;o4%]^2ZCqFD$EjdȻP$Ɵ"_"2̀1!W=ġN'0$/9af11 E1(L7yr`Afs,lu}ϳshƼ7ۙWa_U*}q ɏbrU}ٟ$T(o"j~bGnx" dl2 `bg6hYoD%٨҃AHѾM05O7[4>^zS2d9Ɣ]Į(Q!cy#IȲh]/YNQeVt*LqmOm`eo.iݫH;L;Ä=R`A'hAڄZH#^1"YK+:* NJjoN܊tQIxM VXleZqnJV̪`?lH8WT lyVG_O<`aLȮKb"CY|q?fXO>ɟHtlr%[r5kXk ! B}K(h} 5LvhI !(}?Z#*E O 뢣I ުHK`AG9W >HfY9&6X'f9~ _^ t "/WS=|$V]pJxP6.a_@@~&wOԛ(}EvOl2\14R: 9񥍏;}֜,Emun.'?U*KxzeDfO]St%>#+ BO nGS\Mǂ%(^Si]e"L p' ̟_lby$qݹ$xP@.%إA{窆mWqXxrB*"Vm}tiuVLΜΈ{"jUIA$y5;[o-8o|{5 嗡_,D=E'~Ol7Jlo5qH(CA3ɏAy(.dQzoS*fqoF lJ#y`zSe=qɴ?YJf.j iȫ\@mdw{,e|l4IE~ ch@E9(?ٙVxuRctW[L2O*BfyJU"Vu%;|XYAjR9mp;>U7zs_sdz!\d*FS*7A +L:|I|qB-T} lz(ꛥ9g.`E KҼvX&{JX h}9#> e ($w6;tsAw'j𦃳~U&:xx~f,D똷"f%KϯSi5w@<\u͚*[5},i't%PS;dE8{W s;ve+YB?kw\:jjWZvE97*sPJ2\.jv;ײdAœ\=JneҮTbFAJkHQED}'}^{M-Ϩna i YAO[$D8J[`W_"D3% rE ӿcT2wSYVg5%_M2#McD!%)DR|yM>Î(daZ14*!J Evf&y ' ]ƝJq@v9Q[+Y %GEyނ!Yw3V*x.GCG% OAÈO0Uؔ%m2l~:|Wt'8~}Fl_򵓜0M2@e}U&L*ܑk $ !Ml mQK]#}òݗjEb˳[$^#JhmO #$W/:5C$UO~5:y1F/ wboX&}dI}1{gȥyiMpge|srT@F<P1F%Mԩ$YEM/CR\j&ڒ#Ot"zN2CN`aXSu{U R|g8ǘ"i&Gă #$!~t/ӑݣ]c?ZlV^X\yp33T=9?}~81YA?I0dʶJ Ϣ3qDLԿW zNb}G?ލ/7^k87a;O:]Ug3lv7jsdR[̃Gbak^֤O hS?ﱡFgۛZDN/`Gps2>Fá5A&vdտK8$5zǒ֥D@f[ HQ2_lכNDWc~Gբ2!!C[:ߣˁ A%41`7 = ng& {q.[k7ŧȚ _ίNEH/s͔n8ch6%0 3ϱYN<{ /2QF)_ɨGA!(XD@)x5U,z^g@w)tep$=D;ĺ+%V:NJk 5Lxx<Tu~޸$Zu){xq%['Bw-|;:OmL)$Л&> 7(іX#ƴLWj.Ozw9`qvEصVe-i8= ?PWWzl{;q7ܰ 2feHJ@چg6-PXHf;&n/}W>m;?/K^,u S|Toxr6[ѰkQD{a#(kxł ֧GiTDV}x8 kCmYE,y!LqrW cv!a A@xb/+RÑ>!ά<3t2 ٪O4>k/;%>WkѲ t#+k@6el\G%R7Ocg2@.]\jj+bm<GV?yg(i?۫BɔWGy߫~2'꿓evRŴ+_ogt DD/>tX3L6ޒpgF$Mny=쓨(=j@VE!H+Y,{IOe 7I6w.{(N|wT}6Ոh%dZїI$.abE箧qߑک\y);c+MPWktऔo:2~FelhRy`C,+ if+ >ؘˬB'̩VimUqY7.BMxAL$ώy^QMK^p22#Sꀀ-<ُiqK|ӸOt:]}u7bu_xٗh[ &kma!3便Ҏ+iT)Gsm%׽yDI/o>TP6f 3N3= {Aʩn}H&Pm~p_M׿ #E$4h` c^m9r)I, Ֆ(Ҵ"s˷Zz<0BD3 ,[} ɻ|EA|bݰ$93 RyD g ӺEZ л{YKfh=vZ&;Ll[؝_勓DtЈp(J9ڦ~7+fB)ip_ӯ+|l8AXy0TXEn4_Ү:0*k'AkU kk!gU0oedK@UQT_]}l}5unTHXfwlVx띟pQ I4 =@O+wuNͷvȳNϫΌV%,j&=65&dP2.tyCԓ 5 Բ2J|`pDn`]Zl^a;#Ŭ8lt6ڈy ~7*T{U`_cZ6pl-j&zl|P'*~μ B%;V_,}s؁co67vD ̮lkִ{l=VmD U2mUyC Ĝ#թ94: (3q9HYosg ܵ>`X# +|z_fN|6vdldK}8S\vJE~.6P|<4'\5?)e3/~O1-u*u0u_6^g( :J^޽ת \(ͦ(,f:Jdr{o;Iz7@![x riZXA PlBl'7Y)lZ: igRsV,X藫l@JwTO9f~w+"E8~{cE&vnJJ(roBv* qmD q֔&~bi;lsԦ_w]ͯH7}>{Xj`5h* Qה;e"(! Wėh?eھeLUQ R|RCH6fBu{bdzٯB;G 0.:#'kJ{u'] ˤKbMTpʪě6#< wƯ~NRǿbK˘ٗ\>}!:w)&Mn;c ? ΀Dg0&V^acF:yd>>3)ķ)_g‰S}56$±7P(y C[T0;EQ(J"C-bֲ DVBO{+隣_89[O0Fti([G|tpt2Xy{R?x H9Ic`Т۰6/  }7\Z-M3m*}V1ӦHv]:9/gׅූٰHT 8RmR惏؟y$̾9D&!Jn9yw*ǖkov$*L6=(ŵRhA&.উ"q|W6_7 h MqO9Uq:mww*7cʷ8X g6D@yU6δVګC6FtRԞPC*, ;JƥfRj1 Ny0.A*u3_ 3^\=3Of%36C=9,6|(b yw}"/jUR6YaF>=HTXxf>)+;yr 3*t\-~R݈/myL&-9o,N91O;X1@aF[ SfB&BOד82Tȓ4RW$W _7702rnd=LR;6#YIy Q m{# \7"A4\ez,|X'ȅ{RQ }a ˥곧.\p_Ip[Ud?w{'/;^ obn8}تK3n`n2C+09 b%WFl432JV m6}&#<ߌ}ǧ׼Bd*F2llEh&8$p뒾 k@0*-vfsTl3Dy| \0,.羽Jr)Q:PuXIP9͍WVM˿/] WO{Engs-~yoњ<~ زSSR|l%Du+{2^ړ2in&xB.򬼂3xG?QL3I)C&yuqB}nF٣xB/a:OIǴ1yIyPU~C~eB%]-:$9eyKᓥڸ&/$BNj ~7 dt KU!qT򱵗ڝuIEvWÀ) 0cҌMZ>c}La =|\V. VWZH؉jG`_պ7!Ҷ_<{&o0Ai VYNR~Μ"N*djkP g  q^2kVh.}a&`-K=3ċ,98qؔszEʈtĎ¥`%9rMT#^ [xw=S+ PJ6²ˆL$ |eE-Zv6f.wA?@/ٟŕՁ%",2(ƕ3q2I'I{t8ZI{WBf ib^5K>-LBt\g4?9`Ya"LwLh;LM!L;m#\2bL7FRCj5mܪA8͚ĞJz_Ɇjr4A򆗭:UsNz'#eqvwzb. JZx¶=wlt]G7|ϬG#^&z3 ]#S͐B+ ++sDRFotSp7+(A\ @#s{Ua>+F԰2_`|k_hRSA`v{i&GէLU)\w|IhӌQGFǤK= p=O%j\+opБ,*@FM#P6lLA˜P_Ɖ>"b\f7=1D،B|LB[ۦ{2~"6gNfI*rtuf8/kLKmAM9~~+!ȍb/M^C;di85`"]u; P5"0Pmmpx}1^P"7Ovq%׻eG2\js)t"߽i[z}"}A&F.^i_7ʹf`>ژ`&47rAdG0z`6R#lxIFp>vdowbDVяڢ(׼)Sy ukG'c,ToS%Lc$]b[gK7O<yv ypȾ:@Èxqw|]'敦R^L2/ؽŀ-~X1l0? pհǴp&BAMT!8T8^<1g\sHh`Bu@tv,.ʟ_5*XV>Ѹar1Is@=iUd=g qBwLsw_a'GөI`q,6F6_7W;5iArAq͒{1=e`-[/a+Vv,[(Bzm$!S`?]*/  F Ώ! xe3)tMׇ/؍)414%i8z[ *T;gM?Ų/wq(wA/%-o}$$S;9@,Z'J'. j Q=fϽ*goK+^CwnO$*x6z$B)M]=܃Dp0q xyP) W18}[UP3(iڲ*QrԖ⊕V.e}I9MB}۶3P *[wտ8xϸ{B!HUS݄)5Z cf*Xd?HYc `_00,$/ǯ.B˩LN"KNF5wp Izf7XY f9; zeXݗu,6TTqy+:{1?MooRT~da CYi)l6W-f&xBð@N5|Keա_{8;0bW(_{=6,(z֝0IOK-?ss}M~ i3IAFf*e\Bh?6Y\;Q}*JNFtpF+7y6=춬-nJD5[5@^٘kFJ*poxwܘӧ'9 \&mMsaN!r"~;$tiv"|::T5C1eIPmI4`??qz10Ԏ?T]9X]uBF~oV6=52V20i,gRߦّ F4Jfוdṅ6? @n.u2Hݗ t~+^2^ùՂ!4a)M}Lߝ6~>,M4$WUw^˱S'ǠWH|T}ië)}qձrSV<̜Z-mtuB3G1Z?~ȣ5^Ϭb; 0rO`Tӹm{ ]Ә D7Kg;؝%Uɿ3a{s7\8-Akτk%Yٻc.~ٹe)TԤEɘnlklHĵҾϱp'%{(2P\3ڜWh9!UwX1_<.B릳zdk:꠹mʌn=Tt (,CAX4nnn٨~&c(Q.=sv;Ϥ_AgJC@NxrXE_b*mk7p}nΦצGWKG{K2oU3*~⦼T5DVʁp5u&=\rVû..8K>:b_dh- }Q@ȣ:$\uSnѨbV.݈֦UW6/y:sXLz2DXA vE~w (FFè}O&ШXrE$<ƜG_$tLWm{l˓R ĸZ>B%A^V` 6F1Ov`r!hvPz|Q;!8)( *7R㩨L'Ў'p2`\_vHֽ8LbJ_SW rO{>DZxU2 Yc1OHg_jxlAFzumqSb%B Q(>hkv+Kp#m(PDP%M[&QF|(Ǜ:K`j٦9bh: r(mjhl-la0 ?f1sT)$w7{{o+#x2)>(2F?SbIVԦoOfw:5= 5~p:Zz4Aۣg2P:TB7LMtJg2.7tv~8Ӯ 6ObUƇ5m0(h16ꪻ9VW%^=B^IvZ3N6 >fj ȣTw4)o̱unހ~5w`k$'4/uīw6Ş <~Fęaw%$]QoZtDov}Ro}! +4ztMطחd[-' .{ (q7my}8Ͼ 02I_M!0{瑖z1SG>p :8܂3;k1HxCakL̾ޯg %6[|Oڐ1jOӅsBBWro߷I-bTѠ%ds'LA׽BOgM]hVIL^a\̧0wU.OGX -xGaX"tpq[bd)V3 /{xhyw Cq%N7@ ۱#jRgVMV')\X "<es Qm#:9N_J`C9Çcjy])w*]4!*]J@J;:?(65 R_CYVZ0A#U`&/#Z˞}wE ǁݭyz n{.Qs[nӚ1uśX+bhK6F7|Q lh́rk C3A n 0U(VN~A{XfPP uAQJ5=V1=$mo5LH`$+9s:#_D0ͦ(tj:fkpX;?Bzw _W}v3`NR@)!P)&̀B΂Yu3M.4 UhFG8,wTDX0XZN6 ;Zc TW%T@A@*C敯 HLNIF${I[XD\ ^ _u ~]VqѮk?9S|(J9=М3hG=B%|ɟM<pu&(ιEh@Ysp9Y.qA'Reёz5㙅dKJyM헶Y,ɡ XN~ Lw+|HvBKIq\Q#`_33qK }&*x*`N֬i..)d3rҙ "Lh5$:.+o={ɛ-:-[/uxQ tN$sW^-qOeʽ=k&ObㄍP#g¸%$$1EUs% 0h@V4Uh΂^/f4d鋧%(AXhYy#=TaKlFRo9nEO..a+9TBn3ڗ;L;u}6S' >[DW񏰡T3i OuO-A9+[nJ;;%.e-Hn^E,HLeỂQPM\{ U,Fb"qbťDLW`խGcX?_GdWbY":J=IМikĤNMJ%٘y1TB`, KKq%>_ufFt] 8sk*;IY\!%TIQfirrM ¯.uuj5v\, xlDqYI+ {j!׺"Is.!c(!W?K['RqUx gR䂺t/iZ U\"wޔC7B3jV=hvR0n68Y#b]UnZ=S' BJ+z}*2i5 *qa"a87mp$I8{~)/]:}ysiMW4<fʳDw57^}NUHe@5%[,Y\kR>@LָP*O`;T3c,լ\T7;,JXIL#H%ع_se|ooL QZn3$W#gC iːT"wQqإz_~LKu#7.ԒTRP[g$"Z?*}]ލ!B! aGʻwd5OX^Y!#qz#W o.(1q]L&Vs,ZH^bIyGuգK$"fy7tuD#C{C :LxrUX~E>l3 Dvwyi\a&J.Z"ԖJ24'S H8 c:M&&`Y2QTLLMy)wS75 Κ;"_/[%*ypkWRE.6ODFJ0]~od(^st pl ) ET $\] A#V*6W }.A{@A%qfC64s]o *?w 9vo CO Wfj^PyݴshIZ?p[yQ~ZoJi9lVG Ҩ 1DKJ x\To8Th ÔQKʂF]zӀҧ2I$ 7ѫaǸ˚A2L`&jlz0U,xGAd/i0HjGճ(cⷫ_Jf(Y],'G W'^#ڧ;.<p Ӡl^EGJY!nB'N%9π [9M^tO:HK]5H;&paFAtBW*l+w<\ 1"wDbbqx@IN2vsۗE4}~2iL&߮kD6yɚnB4#ݱCbhTy /[!Z@gx.`,! m3??:Zmvv)893[+ph&LB@)bKahqӪ J\w7]wOtj"ue}`$4!L=Y?K*3lw& kbRNB})3Tw@^!0clqg% {"a4KpŝfөZ}+m<zϼU&B-,J(ԇk~5*rPՊGZWh|XAt? ~(|<P_0NqHQˁ~U` ֳ.GF<m!5wUrL/4t\)>ҜfK#;.W:fi5dk9)xaa^/ _Ud61ypyik1Ƹgc|=ٍM-՝x[zT> t{*VWX*ANWi]1h.Kdx4M-+KDMhΕh0Kæopo;< ˆUHV2 @Bn-@iٔZכ|wuH0-DGo{n\ʹp=8I#?ލBD|Kcad۸ahwq$-SQ)nt0˽{gQe{W% zHoͨ=ҳzS+uX-wj9c k$}z7/Z<)^+u& IO዗Rw^[4GU"d2FS F#nn $%kǛ7>6]`sc,ԋ:&]$T~1-;vךYimXŭ Zj6 ,Ϊzxdb\cG\7f)mT *d_^*o]W.-I )eio6\%(I^"`ы[?l\*f\쌍ᥥw%q毪 :ny%g-9g.1<' 8e6p(}(~$Mb=:]S;xZh|xh!Uw9yrhczT EC3QդpD&G^#yTtY_ohXv#bIxqiIq!<mbUr4DQ^1E MhZI^{Cˀ&Ŷ>½Op^G,J8WB}ejwmq !j?ji+>h; :pHD ;e>@``7-1>rz;ی:v }/XW"?xZ(ˬjo7RmD/d`Ir >өBZlP0;W%~MF ޾AbW2Χe>DDt$'i >{"HcO & җ[#id6:_6&_U-)[=z"b;w"϶پA0*Ҙ`we4 [x iI % t;rsh 6OqIF}s}~Lr*"}#B7Wy}֘*`I{fHU"E2bTB3:3|rVFVK Dx@*^z9\hYY6.zdt\Y! }Wn fGvLˬ]&{A1ʼne0 X`s[Jrc"b9 ?p(z=D;.5F ?uuЪ9Y?Uy|WO;^٬I"O0_I9|!ɮ BcmvºOk~:3[%kQ`oעFߝM7<9#g3H( 9Qt C"՟?Cr<[ET>F,EU4軕{P|ыOc@V_y{uH=RkӍ@ t~amD$/ڧfC#[N70dG=zgT7X]yO~P틹Ϭa5oy2"8⊼PblR$EX'4^9y=Xs=!+ˣ`ZSY3aRH?uoRDZC/܂]xq?ƚs;Cmqe˓dv n6-t>Ɋa)"){qP7)-O^5QM|06DP$ZVCj1_FE8W$I$ӭ>K_E-jiȠ@iKU%0Y $_q]ϼa F~EqWNtBD+aع7U7؁ؘ> إtdGe+g aMMC_r["52W#GOrn*V[\S` R& rd_M 55L#QycL.+q>yQڌIbs Liȷhͧ]L5Ԋ/T _u\?HzPE!^G1Z=rO̊LlsЌ%Z?Q o|E'u L㠭 }\@@E_ &ז}F'>貉/Ps\P0V5sY㝺-%T9a4겍ڝ$Jp|(1'g2>O\7޳ɋQ7L U/;F+v % 췂e)V<_%J~BR`M4I>WۦE2fu?j[un@H\մݮ"ho#BưPa~BCtRsyܳo}P(4JL(Rg}a@PY{" S Vgs,DEg#zR})@h"{Lu2pe~ʉ T={"s _2@Ee}B*ҞQ1EK^zҥM<7 kaQBj`ZƬ\=N^yfRPϫ~6K9RT -p|8_rr7 _8x+8Q dGhmh/ۻ'2JjHl*`@OoUX& OkUZaK#9x\L @#> =@o">ZZdvRX&TwwVq8?PSmO.ݛ1ʵP,JY$- 1;oi<RNN|jxm$JĹ?ʋƃқAOun#VrM r[ZĎsuEbyrHI *R h UI }2n_UlC5l3sMC$ڤ,~.s;FT=,4|FTHyPyrclХvz-T(Q;w gZ2 ML+وl=/Iap Հqklq}BB<!UwEJ@H&'}H%SI1K}J`+"R@mK ;.rH1 E U+?'T]*ڊgw/¸^IҸh0O4EdæWg0k0E˛b:Ҧ4` Z*yC[Ѣ7V7S)iե9]Ǜ- zğ~^Ur`v9/ D-7 Kob|vqT1ۀ ;}g&m[pE>E]A!kg,(W ?խ'7(MZu n=dbR>2`h1 t :O m])֍Uf43;]s , W*K,tpyyNO 1\7N4 *;(f>nɏT(A;R3E{dq7#3"c@r:FW5}R]*ժUc4nt zbga@p]cPu1ew>aB`&8dߘyk͜+w ~τ-TjŏFrh.&k$2N됡2ۨ;7̊KqDV#Z\t~/=F:d}}-b)Ý]u.*M`#2'Dd u[Z/vсr ]*CDJ*6$P2?/qwVŞ'.g\VK:'VE}hRTȫ2^kv^ilu5hol\JOVo3&ø IL3A|I{4Ga<'YX([|{-s!sJ>M;%){bA##7Y(]]Oض ;Z΍Z! ę'{["Bx2W~O*xg,wLN`H6*`54yd|ukħAgO}!K株{nSC룛mfGTHC廵:w8iVg?E;ϴ)eGxRi;Xpnޕc1Xh)HAC@B=38dD6r`MV|V\ u2E2+:i<DVg+Zwzj,%er\I-V=jP4 ҁ=uuaue`}a` VTNfJ<=KbI|C{aT/1v(Q^H֣؀fԗ)4nPVKcl;CfG)`jfNR{ `K\ݙvYD|o'.ؔ'T9} ZH(l: yZ 9:BmŊ3=1nP ȶ }oYڹ`zznebv o[ gYybVVI>RLaB|B6x{AJ!\2CQf)zO$;1fo‘I&Ts̼D0moOK!}/'vm6%_5/X=e)7Tz݀MgāttڃTcU\9Aj?\ YiI`,7ah2C]̓,*WI};4U>wPk MmkgHN&Xb!Wf9L =tJO&6ֱBp(>`tc:Yo#"* ||S5nSWi-SGD8 ;-l&r֞`V/q%ZԀ"$<9xpf/ )MihyIG.R-•z jqaLJSE7q#Dі mC'e8jCvoBc]e ҊCf;[o_]45MC.ӫK'?))e7 .f2L+T)@o}S<3*1o@}4kzAb#pG'*ɮNRL*#`ݷMYxR-pXѼ)a5 Z|wjT=2CK]*O&g~s/D 繃PU^)$#1/Z9'K>vIbSq>'eSi 5'ޜjNjA.^U$N-Qһ_nLWq6a,22i(8?(Lqa6)7 CcaQy@^ƳaJTZ]Ž8 +)lZ" ߯S2$W꼭+D-.b iKf*794k>99W ) ؿeB 7y2X9A\gBI%*Љ&D }h&0࿬L\<E*0־b.\B NI8x̂|^݆d7;.,kQZ>$zpl7]#?|њ=7qɀWo-c:lEػظgV*0ϕh8q('Mh>]&#KV"91u(onO&Q%V"co~fue!PMH&KVn^QJƽ=TNKa{3,d#a}Uϓ[xEZY1TgTxȤ4'nP}Cwwl!ҭ+q) )2\V>Ѷ]W> St#.mgK΀='L(v(u4d~'HSzS.^'[:ƾO=b-t<\cR,4BZsO"P0U蒎ь9.RHV]*N3R!nVX޸&w.E#[3&Oj)v+V\H旜 S2>ɫ4~}ns5NPF4ؾFE@;L1#DH Ӕ݁r247$ g̚I+Ճ/@en7"Nݟz2Csx)r3"$ԳKێ 5V`^Q^-{o9Ub BRwM|'~(,omz_ x&^#a5 Fm hdɳ*wO~cXbbm*7>0OOfo(yqRX {PPQxS˗y?(H]Ǡw0^ҡ*EW}|,{gM3_yP\oQM9&9(>ZCbGԚM){6`p߇7DYWq;$937GŬnpW)ONatG5zW(ԜITۼ4r TYTřRPH p0nGX4]&pDu+3G±DhX>8fE̜zsrG`4^7FU-VLʩn67!4GS7vAW-he#\D`dަw0eUBi~PUt;6I"{2)xS9?h݆az:G]XqȂNU芡>!+쉓{ž/#Fn^0# [MS IG u=c_zSCDڔx ~ =WTҸ?&ቭÈx eW|10ZľYο&FJQܗ;܈}5QxbTk,h;3CPۊX[Yeu)韛I^=5)4SL.?-P?>eٝ D"o3~~;9fhtĐ' /-H%F89Lfu'Uy1d`g7HȐwJ{tEBV)l2h*R?½0ǪY;g34bVh4;ƀ8 >6n&S9eY Z/FwOU}-7o 3&K a!Dq0PKl$sO,+%Qt޺CELxKF,Y %*mc_Z}Kb.$P1|)|_w!*#!p grRN_i U3[XB[?8Odqow>?F{@Ng.S)%|X2UxʥX祭-үD0%~UՆSt˗)B#ׅp.i AZcHeO-jMP$]"s] 1%ɬ`a;Feڙ۹oͭ6buHyF0JoP8U"exks"||| wR:re0~f)DK/8C9l|t! /=Em/w`)dkfwS%f- Z6,VWa[BpwmHLpR*kʵp>$sd(iNo*5~ [Ǎs.E^>l j+E\itNzd6k"eCWqz>y=kobET}t'1:f"b/`<' <1ʲe8 = )0Ũg:1^Kx*'F'Q'ݭ0l ]J IǷ.g!G-7VR ˓*2fF&3mڱu:!@3]ƿ`B=Ni. m{ƑsfUBζt YB(mKmb0}# *s^uP/pG;= F1g5SX 7;;m*a tv? - ïvVRbVq 9(ɋN5D3U*{\i&@0Cxqj<"O_.k!apʟBFTt.# q,S 'ԸU_jK&c]d٘DIF4noK#OoloK„zd`Z5Π\4'wv~+AFCʌ@cWTFz|NXS9}ZJf$Z-Q$,('W˗T '^JAh)dQR uW"|7IJD)QZ p@esvMFTbO&.> %:iw"/ 2)܎)+ڰ8:'t@7k N2cs'FNΊ.; Q䝰Nd럊5B%x̒Kpϒ5PA 3/îF:`ʔ,9e3&"fHDY[aٻy;*D/ XMtσV1-Dtne$-*b6ij1c#@rS+%WHR~JY))| {B{6Z+hȃD_LaVd;BJیlQI@[zhoboAGKˍCI/R.YmhAoVV?IC.n,_P4ߙqEx]8Zñ8jT k(b>vͨL% =ҹN$b@ӥoܾ^LCUjfd :v~ c ;ȳ}%id@nĔEϼd-i. ;?}V~wB-K6G8C߁NWoeR #1@g7\TFشa rHg|Tqˢ^!dj֋^n_aOXv6}B"2^TTkN2)uOnB[FBj,\Lp M漢/g1~`e>5,\VicE5l%VkLUУE>duEM:2~s,r<1p 1V=td7fr kn4gUwN˧GC>+ׁ`~S@m]m0 )r7MRڙ%`k Y0ޣdӇxw%̈́ hYqQ}XEKbsg~ r㽽xP-j5ޗ_GV"eSB~&bk-GH~iWTFKPA<[&j-y\ tyKYݞ41C )NR=0L& z093(W Z/C@W+U>}B |5: @n߾Gy=&Dg̠и37Hs\.rR(!Ps5 XCjSJsEf߷NmjcGd`Hiř}2Ρ~E5} 5iY1BVVL.v6.>r~z 8xH֬2ِ2-&/9cbv.,=b v'!.r[p3J]~\:8ԑ,T^81՗T(җ-JbZ7)(FGߌ8t"`mG;:E= "Jo4"(mmH%͞\ eA4ǖOT2Lax]<h6 hD/8_cޣZS؀ΜzFϩMg6Sh<)闩0T>D$ZߦS+B 9vg͒U΍n 9i>7"ʉ/ `Jc&B%JJ+x)DMËw ` a|I,00͋ԷnE0 r?3#7tKEoAx#!D#1[l\ 1}R*+LQhY7'l[NO+`c-ߥYixYP+en5NuUGƟYk mq @⣅u.n}] 2&N`͸{M,l*+̶l&&BGQȠBƻRihexJLXl3bg6ͪ؆RQF>e @eJX<͚hFxwxrJ߈:=wJ+Q)p/ vAn ho Ѐn-۰`byVv*bSr,v 5{3{Amテkβa-*!=@`}7+Ajaroڣ)˜83Q0PVc+Hq}oʲ_[Ьt_^w&rWY%}|nU- vػS0x ,q6G~ݿn,ʙnՅ,3jfif o/Yjmqk}H^UI=\3ŤM~5i_!^ am@-s - )(q~1-c$mF 8QnRB-j6=j\IyLP. FP WHѝU@Vc[T@?`k>UHH L,<H4ˠ~f |sF䦚`/Hwq˦^`y ؂o VH0kj_X|!si22G'FDΫdWhǼP]De d2?!q#"xt˅,0|GD+(P1t1lam]'%ȹιuǷmF4{X+,SzV+2bzeٗb#ݺV_b3= bhm\\Slc6glB{[m~]BKdHrrh[74j]_4;s7;ח|zk G +9Ê^$ !A-~#OSJ+Nq%~ =4m-&+y\GOZ48d烟ԟ61cW"{έ&ccd`g06č{ML _0X3ڑ<cڦ*?&#C H" {8RK׸}r4bq> G6H@/y3 |{d_Z?7>ͭq >,$K+|ZtS16qqBu%A_S "h͌SǂHe4½Wlؓb-2~ٶ?Nc[1} 1C@=!S폘Nd2bt(Y>㝥#HiG@$/f-Ԍ9wQ^Ťάދ%xTױUSMܞl!y7Rdciͦ\H{-+v3G\ސr]<&THމpGCnåZ_LM f섏Dp ZډG*=`}VWKҔ׭;O\\,M{ҙiźv{RE}7ĒPr euJď?DqwSĿJ5G( Wrd~%?[6{+tó@HvAjoo FA'(=W8z:+ejt1<|ꀦ0sI/ӬO"fp&۩^>?Y-}*==wzP<gɰHGT?癩KTn|^Ԑ'7zu'z%;30t V#=rYȩɔYTB-ۑ{r!8~=c3 rٴDvW$c7տL^֖m_ /!A=Vqo=]8# a9@Ǜf>t5F;BA[ )1̄U̺"P=J.1~ꊿ?xfqJ` u?ץQ*S3;%4IEY1c+ na# WSCa,l_(`y!M4N?U+#d8N)<` cd~57b,fuS&pNE0Sma!G@ǺAnMx ̃4S{  xţ$*%:xe^KObrHJK'6مߗK,Т=^n ֥;xҘNQk@pqӮc0y˖x.b882HO yK|fDT@`'UY5VBa:z2K 27uQ,u.[B &htb؜Ve.Fp&>Hac#d$iz|Wz@Lp; 9%j>"*TÇ  ,xe܋ g=s[ ahIC(f,jmu,x6PGF)^˞(x@,ڀ7~9tB==e!ʘ7qϞ8cDZ"Y-ظV(/^΂sT1*NO:\20Ɠxmni?(P aV^%%Ϧa,h%Ţs{ 'H#s_ʍ;d'g4GʺtU=IHiDB"lק{HkZ;7Q+ٵ= kI9ȳەi1TO=D:G z 6]"?9)(J hf,A|N/8*|ԛd:ԙǕ'yt{],4.\ʓ:F)Yx_.t*퇙+3)Ghazj`ĺ3f&ۄ[&}CD/@NyXWEjksLC&1a׵JIJ/Tf2\S,-OːzFR 4s,w xcCϹ&mqr-.ƺ֌(K£nG׬7o%OO.b6h*c * 9FvDڌ)ًz΅s@M|=Ɓw$J.`&s2~:Hl._ a\|Pr1XCT~"t9UBC!rWm|{iFqZ1_>ƧjB-s.ok4x"؍T0&ȼ(ƥn 3U'h{㑘 b^imW2k{<#R -_yf3NF{N~w6g?} >z̗)/krYH\s Jfzq)me mv a(0,&r.G"SC+￳u;r^!{M,H&hR`f}h{G׿G$ \Ņ@Ɵˊޗvw$@Ĝz'K~QMd6! 1z*?-\VҘDZn/ҀlE1Z%:7a]/5?cXXH8;z\nQ+y FX'$ucdCE-_Wh e nZ~"WE  `}*B—&ϸ -/LD.H+:566YIkn_ìJ,/v=cps, [fo*Qrq )Vb_;ˑ/6S:\*gE1q'ۥvueSs}ٺk#O E^_c:g dNCi% 0$|ݎN(z[MD@ح'< { Ov}<Lwu.zMJ@Y U]i4L#,ZA7Q֭WLӊj1e[L˞H 6z :hAȼA"$S{JW ɯoM˸o>Ī+ey;:Wى$JA\+N#AuɀFVEO`lQ+1>#& ⯓px݋?2uB$5vmgy4p]6djEܔvVc Er21XzdhBOY' oMˑ's}ByWmޠH!icX+*?œ'`d378}$}/h|4r:#XV:, *M5{8r?%$\\ +v{MiOjNLUΦ9u5 /_pJȇ}ar˜7"voarl)|&=-5It|~lm%T_`O.s:EPȵ Ŭ}2SțM H)8 _! t9}'&v>x7sNk9uRkTPبR,!ؘ'kW=NtէӸۨH\(4SkLLˣi`kŶ}RiKJHb788̔B":HlA}LyU<"ڏԅH̟UIvpKsۙwq-ddvLd6i)̔-bJxn$#T\qѼ!^W'IJ*.Ŵ>VJrb 8TfGmɩYo6B% MYj 1\wlW6Ѿ-Q#+A;00Hһ~{imsB ig-?e99FZe ncA ^d >tdfټuDinxZ\W%D-༵tkfB ( =}c oAhmjdk>,go,+2Eu.voe 0\Άԧ2nKAaY +^x n(]?C_[S+%rEVJ +Q ˥ζHh_0\08&(v0ՙ&+Y $B#Am=X }ӰTzh3p=7U SWAkIJHoGxr3zHBbl~V(_XP(զ&O %DCd ʟofzgM܀[Iu;Ѫ@0X9sRty6_SrI_oODA~&jdU~ǙI'E ^@;=(QHrss2d!U+R89a*WATvDE?mhc)d՜H4UzFD-nj`oZ?ѕU"4,#ϴ~h Dk0SOi$sOFH_W\]PzzǓ?x|R}| WO~zC]Hʹ*ȓ#\ar+:i[V^?$ts0ԙc G ҅؟.L7c5RpuixXÕFcU)$e6QdD遚аϻQGeH+l=6%0AnHGʟq/V |2e;xxsfu3M.Ȁ']66v-m+> ݮQf&]0ھf@è9fKx#\C#-^LU`t0>kZE]lxʟ+,Tvw jEQl4)@Ml }$àx@Xuʗ: tZK:X쿅<-շi N{ =VeAnS+@W8֔#|Q-wS*}Fj!VY~UÃ61܇5X ObLFZHB >:`wH N^Rs,~jz2LO&SGT5v(IZ70$Œ&< A>Y*QqN`cȭkG)7/,g kҐcH>1]0EҴ߯^V$M20ԇ^?Z ~#SiK5Җkcz˜#_^UAUݤb^ǝznɄQs' $FVO{ C=1S:gNբH3a 1sDN%_wJ=hb80_{QҲ.rGU~U{EWV뎁qo-%]E ;AqС0@x4`DO柸xCRĈ.#SGD%w3PAz)3ILW﮾!pW .^ȁM6"ݴp';FeOjbf1}$eo;1D=VhbMkC,e)Ug 43~hD>.Dp]E\._~aTf'ȿ?,EZ~A[ԆJ8劧 p&.uP$wyȜ/:ԡ*ҬEre{AFNsLwe@Dn!X'u]`C3sl!H0qFB k_"9B E!QGk*᦯n! =`΀Ncʳ^e]t|-mEӼs"#vr4i6v{]CPr,N6|o;0Λp]Y"i"*DS\Zʟw{,_;brzk02ŏ xHQRp%+QeKrm,k>!%PZtl:Eqk2flQI?_L!"KT;^9sz+Չ,+ap#(31LJV'"d1ni nI\,3/'y!@XmA)d#I# LJ[-tIa+yp<b+>q仿 XU4,J 9P*|RJۿC:'pΥUwWpb#qcg6ľP5XT7a/OԊmn'ߕZlw`X )zo<`@ L:{۟e|5!6/Z$.VN`_5Xǹli g~Z!i } = o|\\>T?u 5qUlJ <&D?DkHA(ʇ> P:,FTܝrxaOA22ujWM.+ZQRPj}KL)g0cXHe Lmu 1}&hLN%朢yw79v_%_ k2ʅU%ԗF 6ҏfJ^R>H]Bl `X >=g׺>3 N=qkRlwǶ >g`]h ^&SvN\}_2Ql/<8 ;_s*<57Seu.k+48}ҎY,cĀ܂찓Z="TNYb?a;] "sWhf,lQqJh6bf->R`O>Uq:\Ba;֮'=k&MmtnyRQW9n<N1 n=g r*QεҔzU+c'ѥkGgdۘBǫG{v@},:f?6NAM,^9n7 YM]4*S`B *7) 7g;Gs[Vhrl%]]2aN͋Z؉Eܻ1^2+0Nށe%NLQ& bӱm Ű{7lλe[26LcÍӍṾlH%qJޮ̤*9I**N!6|0YUN0k<z'6ܫ׾@<%$ ?˸Wvs!Nː71:qDmID ҃^nj{,2臎Ԅ{e37/Pd3e63|G9)-},})ӄ/iȵnpC 謓\u`jBM`hQwǘN݈$z3OEE`'>xkLaWbW0o|*2%։_Ff*\#pAP3R(K50\GVn'Id<"@On`Bm$ΘjQE0Ou#Sd32{>T{g%[ؗڔ.8_j}GؿqK׵@ ^jU{+B°؉eOFE7șD1^2y1|_LՉ$?Uq13 }grPs]h!5/_0S![ߐ?wp3jpK*t6O~ZpTmh0K; j\o_=d SaXZ{ Mu jeSIhvI夕Ž4q<(unx\&gOٹøJ@ȨgN-oMxizUD\C@Y|!xW. cݷ=Jn3v{AU~.[KwUS7ժ^g| F7ᙉWDVn`M\hyꀍKDxl?~- Z220W>ʌ֘9SmKOuV&[y9NgD(FƗpbN$yבݦr W%&$ okgUXc~x)e&3֚"ùqƟeWWpIɸ|imgzu.z@BsF>;+0p 1L HSQb2M)VN;77Tn wo,q8͎ƒYcj6sOQ{f:@]%r֛1(_@I;L=vI.#0Ʃlzgh !8b|_賌D'e#+ٕ;;(JN,$t礼vj! [\t4@jה#Ri˟fgEFpnzb|1ɩCCozֺ 똈^?ؓ'~`+e-e2mO@:/ CF9}w?EȨ-jN9x_W4[d=WKdGuB=neGMXI Co.4q@OgyRO,̋>oMoS~Ohdטz[5V% ~CmJ.UZ1[#V'${\*L0!>,f9iILZxwShz\C%7i/lcp2c 8.WSM";3 XWGD:93.؁5f9\Zn替wp叐n>h7P:˒sBl@,|SXXA" ̢O=HhƁ8 r5g˝Oks3TD*N0[AH6T &nulc-n ʌavc(Oo nmGG[O8re^,:zٹYC6%Ɨ=3P3H4mkve>3ZkM{qA{́^}$2TW ݎCu ܢ 6 `c t)ڕ/L"y{cEqsGWh$fq Tz)m.f<77J[gSj c;BM!|-PpʅqjF,X1\b)W0U1_ Xl~Uւn,S3+JIO'"8CFZ" u)תeL7?}E:Gs;8} eq'g8ĆTq;slyPQJ8ր?PBhie%ZakڋM oT_,:r]~$6z~۝,9.#>vz𯷝<$ м5w#_[0%jTl M) '3;?p }ٱ+ BJ8b\GLG bXVse OF'kC"'\?VժCh8pJ[TRZaV@s訠pm+2'2m*oId'r&_yyVWw Ϛ$$vdu ƛWE|eC쉴BtK.1.d)g0u_JTu X,d,6:aqR5Gu_D8dE3n0~>䣷5E)ī"[Y9 )[\-IT5d-4键^(ҺS [MX,4Læə3lN>v|vӆGSq:0QQu^;L:\vt_H/ }IZ󬎃Jl `=}} gVp@~Tvh:@9/G'9N8Cj {KϟSVwEn$v庁K w m<{T8i5=i'VdbH(,L8`.ce{ ]kv5ŝXc"oNFM! 5æ+N=R"pex7 Uh`|`AvLb-[|u6+;nW/̈́Wkm7Ad:H;'͕11pO;,pk-lf?58+@QDa/+L+B/"驞#Hw|Jj!+rJ\P,^llD7 q-,7h޹mJd<ьIY;JP46c~=Uo֘ ߯$/ DվM 69E+#401>rnuP?)G^@UK#*($^y::9M-bw$?xJCWhqPl$"6t@Zڣїz6'M7GSa8w5dwm:z",9)! nLݛж s ¢Yq$A#.H8X^:~u!9(Xײ3Nӟqs 2zraD gįߟD_ߙҭ}nocG nY,&ӬX 9óm $<2`CLҙῚYYvvW i8;Gqzff'2_IDri2EvnA4/ϧ$焤7۪ ^~bjC'“ HZr, s U$yyXGõ-|"V~z`5mظdJc*Y5 }FŔO eo0݅-@|%)GL*US_ R7hБ\ЮqsL-RB_T#EueI3T;q\XB9S ~+f3)ݖJIt'{yݹDAPK+p+,$cJf%mY\-ءi>BRj@Q skuxjb%F/Iіc̓Qe/!ĥk.Z$]?'m.3nҩVݴ:uoaM +oJ0 t9UǐPtI 1|fgzAR*(z`Hd N T_$;y9h1gs'5+#6WcnOQՋ֨sr]CCQ Ӥ~sΒm_?/ۣ_R0O;WZ'eCb?mD@s]ONcydE%KHb',r} wjE1Zqc5 6V4W}Z]{c:ETyQm7V ChfPskBɃ9o Z zgGuW+S.*h8KO>[O~jl`،Z3u#,1\&?2m߱OU`:5$B ['FR*֗0Iy{$o4q^J^zUֶ$(ZY3ΧHӬS53.RAg.Jt)K2פrSIq/4%BWoI7ЦtK&j@ 3b!MFiשDyԝ=\oY/Q[`%|ϟhv)abJsA4C7+jY6uxxT ow/xSѲ%]CŐJ{*\Ȑuy#STk+H(,SPO;^o*ƤwC.=۪sbq&uduZX*U(l?X=51FOL.:gu pem3\VhϬ,ogV= fu#)L[:6QvRQ|ZUmbƤf c.7<((^;QrV'ߝQN@NbAF؄bֻcp6t3%= ھgK0nEa>=loVU" v?ᑎb8s8n~ΜS(`H&ٿXV@]+zPc-?nP+}5:>/oF]_ DMn g֢;lŋAj_%n Ӧ$K~~額1+/:=ŕ,442FКP鐦Hhǒl 9Ap8//xJ[p1W:SHob[t/Odږΐld w*ἊԚ1-÷jTeLȼ)l>W~ErS9M&l5.}JY۰Ҥh0Fo $T$PfͅH-ndRQ^&:Acy*qRLg); =Wy9/U{!Ƣy!i"N:kM *mr+2oH~ۛd&vߏޟjWTq;OuQvf98輡I xCE^w1_< X*>ڰ4 lM1J8l`$9=VlxbYcNHjKTOъ}]mA_CrU"H[Iw/2r :_ ㇽTu?J)K7NT j@n ڼT'.$XMtWbpb'Jҵ2CBb e*$mGI?{-8jRܑ-ꀳֳP;^vPT:?yJIx3If=GGu`VF(XujZ3'`'ۀc.0x5ެ%@\Xz LܡS6-s } xN']zW6e+ *iv^Vd}I4cGEFJBXtrprZ`hϭM=,N`@Ƌ]/H Y,ոhۈ`ZC/,Jb7+*Vs] qtL)IY.3nB bV  3Oq;rCm vfn!ZYF$\݅/ӯlGU <*RG]'\Y'=_zu=+ċR՞!ܿlR9q: \JPCAz3`M{gTTSZ7Xq =1t& TLkNt(`W Y\bi^ȥxߑS t5m&kc}\GkDm"(W7 ܨ? >Gg~|DݹF2#]I((Xwʼ_7.Zf_v`90Z[0XwQ-|5HO<70'ώYZ~A| n0yQѝ5 'c[+~i@\G5ss+pR ofB\H_`qPh #c9d\PҎ wPTQc|iW"jրle?rdY|&7ouOLV!h$MLJPTwCKa>v $eatJm+{*Dm*C x'F', 4&ZcmIP)PZF6 l=N={?tZ[*}1gxĈb,3R3#(bL#WߌGXPWR=|u>YΝCV<)MyX N~L7z#GEVx,XB#,v)OÁ 7OM)a8O6s Ȯ1C2ƥ3N}ӑKT`!FG1ۉ"~~Ґr䁡+Ro퐧?5GF{ih7Sr1 }%4n CqFeÊ;=N'Bbf{hò/Mu.y#MKF|Weyf{f0AF_ـS_.LM.L(7飇w=2scm BEֆCE%1%YaZHdE<">,fӨ*T*11핳͸09œ܀ļu2sz&pxI Y;mFk2^0 ?\ʱ 3̚^ ;{])k`'_iz?qkCftb$~4ZK.^ ]U -[!9ʔz8&e]+RRZ50lU-RIU,wufHHJIc7sLy ˦|8^s"6.Xȍ޲}Yʺb qv$V 1X4]v 0ukDQ#O,'0=!z:>S3: hCME',I2}i:@s][L 'X,: G]r8%pKE_ݡ.y8Ip! F3*]¸%19) S@"uDOiya<5)u}zUŕWU&h54M.lF!uhV}"!M%bT7.ƈjP֦n(:+|N|!ǧ^5Ağ+V@+i+815U7ڲhYJc)5GykLD5?%ַ6B.Ʃ#jkjaGyWSn ,2Q -wz$Ǹ?m$/lZΨϧb34)+;Bv ^Gq5\QeM/0X>z,S/|ݫ| Tuu(76sPR7aA9WcT7MSI`p`ީLBcsꙬaqPPMU1[m8ZI'ڶ8 `ۢ4cl#3u:;>6n8&TcU7/r%;mC'2MOШF,s]=B }@m͘uAn'gWQ{S,a^Ȃc6M6]^=:ɎX#kt@P|=iA}P(KUKD "BDD:9Ȓ-2*vPQT3JVP|a0abT& wȺumB8UebRЯ왎pt_"*%Eϰ$%ͤvd^Ⱥ҂.̗R,J WZiM˯OY-\_eO\߿|$?;D&Wp5) %j)JQ@iC\,1u)l?^ 󾀷nl}Wujxaao#ga07hY>WfC+/^^S[xΐY@$;fjxA`=KĐý5O9b[.#yͮ:II_=D\ ܎9~VuXg1ϊcќNoBK5=uG\(8yzfqg|juv*#YEUD`wt%cYř wwwpNb CF ]WKF[}BI]Y|Br=S'B|8YbuNx$ı(@n|>㍾7Ud%Va=ð+JIoSV'M#LZn8a =XXьԔS@KG]ngDCFxTQ5VMug`# d^HH`zYfZEIӳۍHsYG7NƧ}eB8)gё4*9XHVzTōy@%~6 J"m]S?Zʟb{ mT땵x?Y;+C@.lF#=P,`ؚ]Jf.$͉ʅ^-K)Ez aA3B#R<꺼N+W2Gf|D=]ǫHI s`{V%ŔygeQBQcTiEX 2AT,Pa P3A*kX%tB:QUflBKU*⇕$0n$rKu0M(؇UFjxT metvQDMzgY I^z$0EǮ|9ݤԙf&=G sfeWѩbwQJm&K,?7ݎF:wFM@F)_"J. q?u*%Rk]% Gb\p;,8\*[cꄊ=4 C)A:HՕɿ`g"!\~V$UaChLj#̉w@kuIa(k`/)aƓ[L6yxwj8FI32C.ƹ IJ̞kPxGA-PD'U,Nf7@<.ʲA5VXW}b-" BfL_8bx)OpbzW!W(4#o LmZ6 /ȶ 0",;ॏ4oQYQ%z=h B):^̎!ɶ)۞߁mkc$f?N}2Q CQD |ZwHDaD<9t$wHO_[,)vzB^J06uMcR$HE$Tar5^PM$B[Ri>( Q["R,>c<$g^֏}x5Ebԣ&$&vOĦj4n}ݤeilwN\r(;PVpqncX> +)]D0@Y-X%&P㼀^<̜%]T\Zαs***@i:ZFIYf="#lSY)O;}{7zZԷ^8,p89=UZП6/H04 W`aՋ>DZ"h$3J'56ͳ@er +a ]srw]ȔQ8g/y2Z tSw<2fwNXnm\KdbϻCnc)1OU =.桩 _!%kVs@}V.ч2KY@z" C~|AU #v9[uO:c< -(ͮc2֖^,2>YaȣO.H_ƃIH\Ƚ$Hr-ߓ:|efu;ؐs* #1G y{=gďH>7dl5^Cԧ(2xk8Xh &꼏]ImYKb/h "ɵeA{R|q;La׀涊lQ`X !M@G!SJE*^%v 5'\ {>N i`o%(Fb'گJRvVfm$t\.ͤpM#Ho]I'S9[A ȢJ&~LJ|NG GIߔVK+>~Ȇ\&VSY5_qdaܓG۸E fxh(Mw.0T2FIIK`\~)7O4i4嶵E%+1&q||/آ A$p}IB1&kJ3;Tyұs+]xm3m]xq<JؑK䕂 ^dYKV)S'FVxt O]~5**h'5Rv(p[3:6ιQW&&8>=`+IN hF p}J',BlkВ sDÙBG 4$k9L,i>Gt@:FU!(h>fPѷ/۰V P2sakPw{ 5'|ey6!حi4&Kp+﮷L ޲9$ma gZA%!/8X(o nޡBrߐ+2tO#NjC'?Aw0 Нo hTBI N3l]_j bлY]35{LTJZ8~I |5^=޶^o$̛UoDlH3#KX%$>;$`<%鸧%ⷋC`h,T wrMkEI-x$b7I֝lP Ma)s=AkY>Xh?}hX[_sވ-$! r7Eq$Wo1X_FAl|7X_sUPPB^' ˃3D,4e`=#wPH yyqAVLSv$Fp`""1]'t&XUhz~/aBֻ|r˦:YV$2 \KiTsz\ˏ,xn)\U&4~0nLw}QfTDPX]* ?:]a*,tsmKa*uKjK a璄9ovSie.FZ_\.Ù8/]jA>Kt2dAV=̔m?(>Wlp rFYG=&4uAɚB, Vm¶D0WOl^d?y0'`Fx6w awwQ~b "kҿ}y]^%ASY" >eH3˚,?U%mDdžDDY=)Vu}JJ> (`Yb:7~SH?}ҫCFHF3#t@__qw|t[L\BFul+c9 &xdqk3M{7[r|YO/ ^} -~#)?9"M=S%<WԑB<`Vdɘ|E?ddE%fBUfU MxgeFؾ"x: ޽-gnFaV<_:I>d#i7ubQRGAV/)΀{tСGMގwwv&-[~ow;G^Dmt}朚#Ҩ@9&W(6jg M_ L+5R Ovv&yqq_I99ɧGDQAb-KP-?Oߑ+M ")L/˔5*lcUxIr[ȳ OFi*0480^2"YUI*u M`yim׿Q J`"뺭?G~9޺^Fy )$Ӄ U:1hcݘlڄ́07 ])a1rO* Eh꽞ǒZ6zWo *8''h77 2Hx,5]-g2O0J>w]x`%$h^Ҭ ">#`-ߐlQi<|J3m=HµZk̜qh7w_xR&~LMQ8p|%p5Rp1 PG/S)0h Jiդ+yF$ۺ-86(Y.ƛ)opn蕔/{5jہfXjƷ7Xbߣf8IU[w)qs,s <_zFH. k1^2T9§AJΠ%4k5;ڨBqxFVsAE9M9V^S3u5n[~zѲLYtRM(Z Z:%F TK3t_Y%.2$v,wo"ԧahr̙Ib`St9R~v,Cd!Ş^Ӈo%CmQ^0-.ӿp]>tJq=1E HyN9gƀ\|/RPo\..2z}9$K"~¶Qi6_N?_]ɷw$ qҬ\"M|ʫʹr !r&.YuMoWWf#@;)$.gz4:i_rl岛~MF-Koh3Կ2DA$[:r:cn~\+87/؞"@ WN趘gs" ˋk}]2NF$ߓ;3$ˌT hC:ib\_ޤR9Ve\u[)WDޙ+#3W[_΁N9BӢL1LSAP=ka)R(TI 3ޘaNTs_t_j7-""xWt0QhnQx,JJ?!z9>A]Ipc_$ ~߈g@oւkV %MʟdY H.\wHh pؙgɜjKQ$PMwCΎ~c 'gz .ǔ6mMV7Z~TᬹG 3+u|@gNG֊ ޤܱ Q~ X͑v v5}i3^8udSS;Dkmoإ.Z]ОW8<6"9C'/Mo$5<[NVc,[Nυ?)_`c`CS_ok(HbْN@B3~TpDQP=UU2t%D<jT%0Y>x Oj]+Y!1~͎;|9"XCx`DRV5ʷ^Ը:7yRt/ oD0G$;, Xg~Φ \Ɲ<o}ָ̱_aUjl#&7;X1`cB/ % qN_]F,7B B!/5 @{3Ir(x'hwm7)eU{=\i{K{iVd*m8Mge:op(n|Zf׬5Q a9cZIHLr<_1{A ǖQu!@eZ<4oۓV_lc|]5ӓ8?!]s[e9k&PYgTɔ5H jCdtlpaCh`_}MBLQY{R55soҦ[M$N!k0A;x((r4կ1;rig2}Ͻ$Ǩ~ܸ,3{~ɘͭi~~? mqFf_Q/QY"\F޶Bhn*z.xF r^|gtS"}V59qiz`kD[Dwwͦ~ FfTɽ3zZ~ۂ3B_硢.QADc@G{vkR:T\ T:ڑ9W,?[TFO#}Nߍ]}:NgɌ20!)AQN_Fа0rUkPIڷYPW }6smd5uDɗud +/Qcջ1e Ts: >9[oiz1R6< ϒD|aPMOROMa~3n9D6ya ,{ ~c.궄936^Bt0@2=gf< L"r|h>~@SZҼP7'Rjl*2JW PDmbS?(]wZK%c@;96"Tf{l泗ZEK]9>#VTb0u~ Ҍ3~{UٳX#ֆ(fF l\> ;u2J #1"ԌIP>?_
05| ;n&=P8q҆I7_97)A\DNYQqTa?o+2.X1+)z,?t(JKNI?;4t>'IuxiVd'e>/u ic 9\iK}XaF>W]:!X\âD6wV&󀑯3*_3:P<]UASM H!DiR`+nMS4v05 +ai)ӫ^GaNr%5%Tá|-h#Nr֩`Ut+uE?KP.b}5 إjIBvqyis<U><g"gߵ@rk~'zLiz Fk%;NkAs-*P>p=1%eK0ueb.CWψ+9B6 []mߔc7IOm6Wܱ`xH\eBҢ\NwYIDȼ*(Q,+$o#R*,r4Dg+T@Bsv.n3{b$".s,Z.\>:;ऽ4JVeށ X).'GNA`.7~;2dŷS |/sz<@~p p Y1ҽ:lS),l{`ㄒ%8NDv) Ŀwou_>h*kFȴSn|CPrlXLhȖssʕ:?bd21w/ <2޼[G{ >\yyaT hVSZd3AyydH$8@ u PI9'v#ء_E\f ;b0S00 WXbJXA3*"*V=߂ssJ}_f-m? 9ľ3$QΛiPWC5ձN.UNhF(v`6npɞ3U+bDY$B@xr-N=JC3CEޛ%fA<W-FHf`A\x 'k3-G]A^d#=3-lQyB!ᇪ֥pEz1}&l#3]Bds \x&,Γ rT'>p}3 );@Էpc5UAW>/zJiԿMbB< z!:A#/~,Sub/=+y72E6q{w5 š`Ἱ XڣS[G1ef  @PıvhVE<=f qIzy@[ľ$zHcގg43ԥB c R hosS4T=&Mjʮhs^Q%{<.sv* 7-$WLO<& JN* x!\0V&n՟XU @bٚc<4Rg[Njv yfVRz\r$vTA{)ڠԯ&T7= YBT*ͲegDx{>s<2늴hvY%TՏ)VF*V;yU r_oR6'CUBl? QQ1 g-[GSi|rxp_%sЗ-KZ@Xۿ?%lb_rsN0QnYBy0E_hen-pRC!qAy_[W)ݬ>ۣTߪZGf'bz˸b͔\؜ϽZvrjD9!A7~d8LKД\x]bF??Eռ1H^Fvy(6ǚhO@4D>FeAS3gqe?YEx{̏)0Peb,*vpV yHcnS' _q"OLrrhǀ c܏e@UwpӘb;[v1 6Eͩu%N{[m6D@ iM?2+M.2 h(&։f,5p L686B_Ž7B]D`Ɂp(oè Z Ô $ZJ)G$;`R546ɇ,:P Iag,wpeP50g9CɅ }_Z[sK~$J#0jVI-޴6{(R@GImb5jVZݤHdo wlfTתn=kT1Q  K&bW 7ǐF 9|f}=o"j6аl1Ҡ0CH8DIwz^f[cǙըCBT,l{ e8pIoPO 26==i 8^|~iY>3 xnK3b)[!:L ч,=hB^9Hd|o04S)5PʽA*hw Δ@sr:jsMZE0erWwt$u<\ϖ0Gx+*0q[ȵ2Lv@N2&c9IZ -B8~J$hMHc wPb=gPgk:pRS虨ck3 iuYŌor!2'ұȖm^t(}"C{~вá0٥ 9B{R O?:D0AbyEy|ذIDn}~W2[M&s"{6uT[L UBCsEghNim AV$!s=d~页8r\ap! LKFl΀l72-mUcG \}(N%<m7ӘF 9o/+VߎbϹ\Z5kkMSi}u8J .-ЄU'a$M_:R2u(y PSGKl{~U?u//ί t3YVA]D HvL, Y'; #{3{zƒqUZ xV^JӋrRIoI%Ϛ}κ/ZGaЕfZa=h.10n*.Wh̃)HkUYe!I{\A{&Q*P/`و OSSpGC|TOX߅>>@b~x) 78u50ր h &̝)$Sk~~hLXcJ^4}CBj̋IJ\fq\T{ԟ 7kŴ,JX}ct 鵣1owvn,L/4]Z![f=y@C 8ٷǮQq({@,dsr^n!JJJ?M+M`@ݺm< s+VW,äG|Np5qD}l-Ch. љ Yx8֞D6[u6H Bq';grZ',|'c5HѾŸYpϓC9-oGMćGt>n#I06˜XVCyU()ۉ|Ǹ0!z]xY;?KDiOkՅ;oҸw-ĴylrA%Mt݀t3$af&V=Idolflޛ{ci89Kv/ז&ld;Swwf'&" .F}h-j3-́J{5x@r[a4zM[ǢS׏ZوMKn~^wq12,$,g]m ]σC1?QgxJ71O<W7h"HYܩ;3CWMnN!k"7]g#PξCiLKKgT6v!vv$y v(^]wq_&*20%DCj[3[.Cn;=^ :Jsh K._38EOks!v I]c" {mVLd})m[B} uTЮDw b_/781˱>JO$o^5 ^h~AϜ4gPq|w\IT[[@ pNb:Q~HkeW4,Y7!vv!+ۈ\QGFt6ғR޿ڙۣQi9s)E6YVZ ;v߆m;]9l[c(#=cUb;[5N1'OsƬ/KI>wZ* C餅řzĄu+w+Hg]"$(j$tZ<^B:ҰgdAIzt!,@v@kD/vOt~RS-/# M)TVkzd7Ffzd|vx:āPU~5YܴD1QZОBRagOرkw&=%ӱ{VŰb[qߋEqsapڧҕ4@2}YW[l4;Z4MC%G(5S$f1\b ?&Yfm4-~r^Ĺ̕ĭ -?T#Mn~Ɠ\͵3'ΑYɔi< nO9rزcveXX`P' ~l5<懔7no z>}qQ׿U$H_A*XچNtmogI|jE6Wvg f7Y=UKftU*,Ww򍻦GY{Fs2=Eys:G; ![+U:O˷l~%@%;J.ɕDѭLJ^繚{/+:*ŭ[Kyd Z&VE?cVFğ\u|3#Q+,g%v 1G/j!qi&2A62CY_D 2oZ%rR6T>ajlė$mϛ;X"k2&CjUv5ѥ e+v$+کT%yj°-~L@W(2Ma㓃q({ʾ$v1͵TC!<$h膺7#T-~E6CIB'}AqڌiGYWgPZ Zsf>򇏵9ЁRL ~螽STÑ?P|.OFQ$ҥ=;uγD.w:\yL1XU?Vӝ/$6#dPzӚsv 1fWLSmxնV(,P$=\I܏ᔎͮ^؀'qF ^yH2{Pvz'W-޵qƆ`9NUkqe"Ϋ%=*,|(V%4E)߳㘽Ј`)r46U9YLQ1nkyYW?sQۋ?- fNS> GU͈dV c>J-2%NK.hVJ$zěDayf9dqN*]nss]E.rܻB݂AJٵ f; Rgۼ(-5JnrZ[ڪo1y!ht+6@+HrE-8]p%3m}W 2RMy#µ } @!:OWl0|dJ5(5ͻ>e|pS3I,BheA7927h;F1(4oXӡz[ u:?nKGD.'{FAdjC3s\M$J$.Aޠ닞XT2jz rc׬xk7||$X!nqr9iJ6"0qq4s }M шzO`)) >ëL'4DuL A(3҅Y*1&&6$?RuGʙh=& B%C4L)!~,Urΐ3P*0zFq}8:=>TBeEY~ ymf;8>Tn\3*q=H P\0ȁs!,l11ý @fpeVᰮ(-t!UIӅU|QBs~}fr٢\w18u_AgB]vv JU@1 O SD@` LNNø ^'eƩדkC=h ,BDKvJD[ad?ڈ_qxSgv~|mLuvWFZҴf^gXfںt#*;1?@bӥ$f: vZ˙ܨbB$oOȤ9&3`_D1>&‚;|FcyX:2ZqdW#F@9{[[6IVjjiD )~V%)N=]$&}[̸RNܟAXR-#7,DH%f01#˯~,ۿvGT>)@~`/n68.Yp{ !)Ɯ$u9e)zKh5 @ӊq~:NЕ!\lvRփ\'q!yy'_]YveWn[>ti{git,|Ǫ!ػ=v4L&3JrEgS+JYʊ'0pnj,kY5ΰtՙ JykMwդ'pXR/1$ٵ'C7@1`=T6%r>V^d\E!hyM FRƂ|iU8 i Bf\6zHXBT&%w|_$u3 {Ok,WU0GL.$J[tt7!1F.ZEU>.&yګkΒݛ=8>W\{eX}ޱˡ[ط;"7MZ\ȣ[mvI9n(IZ{TW/ZU7Iwt8ҚWnƤjˏz )Erkluߘ> #nj~1$ ^<r,FGhO]J'#uc<ՋK +cN5Y^/14@=m$#乁]J[(MJdbʱBoWd')63w]o wб̓u1uy`n@ӏ2` }*5oNt?b,\-aVkN%@nvTZ<'}O"+3lq FUT$S#I$|$Q8we:h~`cu\όA{qi^+1W )1i9OhA ToH a>L`>WM{^=0X iZ]ԨGI%saUΛY$ksJC7ykYb'R)=hz9?O,M>&do;=&u & ^;-/}y8p9`ۣ̲J_.tMe+*։8JlZTZ$|$)Cn90G uq)  "*n%o3*EZBP$pl ?1tt.nt^ձ*Y/[׼C{gaqSifAH;vUĈf/9yȨ+l5Xz)V,[a,74L)MM)w]#vBʧZĨe薤Ҽ.f"A8Ci)a#B"Sf?ߩ~ Mb-7󛝱 ԩN/Vv 5 _Iw?L]ͅNg4UvAMb"|mqm <qlYZekL^hOL).gcn/*,Zm,'mޫ$d:ݺI$ӄZ~5߆`ҌWcb]u &PamhG U#Pɢ@f#ߥ^O<N8曎D.#$ǀC=C|Np+l$/?30NfEݣ>!-\]T,I?ܵ⻯x}Tp tz1"-O_VecPD# ΘPҖӑ7bw5=,mʌe:œCwy [~| XT@A h]3AWY8fLzWL S!?ӂeImˆ`pE̪q[U1ё(y|"U>2=7]?FM`i DS31K]E*uK(Z# ᏼ5o՚ֵNp~o$_˃:@`nw}86 (C蔴'z\IZ `Lw yA(2W- UI;JWvNޞ=nt\co}MÕ't]`T3 I5kr^38x|22^J7ZޗFw*"7aᴌg!SUXa=)$^8.]|Md!г`y34PX ܒo!-`3{ã&qHZ{)ij.^f.9N۾|'{$쩩sd񾒳X,N܇>ZU 40e[sh/;E=ZM37D棪ߵ.P6 02s ԉQI6hO-JC(WZWQ%M8`~ ࣬.%Wș,`Y0[uy&i Q4|*[RtګT򅶱?|W!9H~ ?I+*qM1Kk}jf*O"o%= +LʽH^R>)d -X|IZ$"^vC칱XA(D i뱤5f +ۃmDbo>f‡S &D'dDܚנkg-3;bC S xNEI$+ہm$S/upg <>q-{" &얪ADL{.&.PH‡tDP뎜 |ٗB%c\&.f?s qzT XB\] v`0浚h1b0Zg~-D=SA>Nm ;Mtm(~Ճ'&RSโ/`/px7 ]kQΜ׾.O$0*XVQE?"c1jmzQuȏo0za`SnT} XH_sѱYBYCz1Y-K LDT3s 4DbL=oV[(2reFG4LöWr">بHgd?Tntg9Ҡ1{4Rk$v8N{ GPݕgo^l*ؚ֓f%EVl B'c\n$d(h*56LŒ/̏fVXz OUC;6vjǎDl!۽`S{ VwO# %?0ڌ?A&$-w"NKleyHii2 I8Kg=e44pWe~uޟaol%"3Վ(\Iqz1=%vt6~2e(ΚbhSɌ~r$씺ϺPUNM"ֆ&w%^+CZNqнh;4p4ГLꪧYFkvqH_%f9hv8q]f{ќ3wUϳQS= E1п Xm ԗV%g7o%2-ؚ5UhDњ ?P` &?! CDl1 :)lԇ@ rtSO&#dHd΅r ĬN]pLV, a\E%B K kxf;/GOjeh5%\︌Ʈ27Rv\WxLV@TdmyzWm/JB'p͌I~F?*v gQ! FzVKfҽ^8_OmZiBOZJyT?Q:w O47[ 7o;x:y.Dȼe`[N;tAOr!.Z-*~n-WݫDĠaj[St t HH `R,zbJм=ɺ5]>^%شbb#ᅺ+  uGP7>nbj]G~%8f06,8ߖkM,_4/)|zb2b@鼃oe(l)p B|>md_ZM {>gO#V_\Q?<<gT$Y&^XLgpzo#]݉PnJxcwk5o(C<4u:K!X~R~p U}N*$x /lnCrH< HSyBsD!?%3Wtq'b(NZC=G\uq/-> (!m&AL*||x?JG,x=ԺPV,/_0B7±X3 Q}WK-{.F.V֪Ď^҉8-7@tاU$TI(J!HTuzwi!LX4 |PtH5⳸,lK\y*B9Z+ipO\ck؞<]0iif̽MrCODAjBy0h<9RLSEzʗO$"NڳgIhDSȚp6F:ٔR,?yI*d[KB-cvY9JWz*G:pާ8֚4fg>7v.R8M;|ir g.Fyۙ +^IF )؛ӭ&vs9$} Ӗ0/(X2Hl%:#B@#jg(YCֆWA../:f2gM3 bƧ9NpK+X2h}n 'Ե {Hdt ^jhh!y XH[Md{)jӅ B(J++$cp=8. 0ڔe΅$] $ƙ~.Wrv/Yj\Wm ɜX0e 2M U<(:UJJ?KP>4=V)ךSC o~ݥu'L}Eg~$߲υƯd2[C8io6>L$yTɪi;P;."1NVY鮨E{ y"&ɴ#5Sg]M64ִ~cX^Oi#iqmq3Nqnu8Jn{~9ncN!rd|jN|uz!t3bjaVԍQJ꠪,ӓf揩gp t|Dk3ea#|o+'hexP,36n2v_̹ϛğ9E56@3{thrVw7W'|NCG~yNF@|{/(օ󡪳S @Aj{),3R z]ehoz8u)&G҄G,vaŶ B3"-HYp<ls~a1?x?oh:EOw& ^-'LaꙬO̺ # B9}؄7ƫ] DSPc̕ d<Š,H={IoWRo<<:X5R#ZBOC}7)\=Hm`CџdFəzbY։/P[q6Ɣ2Em^IJЬw\D&0:ER:oYLn'yA q>;} MWY9NXPpK(~C"9n?]cv.,ݜ犿/,?"k<Ǘ^uDX1ғM4Z#쌼{"]89{Mz&|0µKpx02l oWEH[ybN$xl A4n$)UGpɘMJ JCZmB#Iku-K@Ç5~*2iu͈1 m-,7IWn0 ^Y^O'Wz001)įiP\,OgaϷ6L.Z>..誥ޚjp_R܎Bfk@ G>$R2WЍke +>jR9¶ׂHr"X;v\+9Y6M" 4+ ,bj'-1PNC~Ɵ=OVW2FE>gNzw5C[I] g:2tH>}:i{UkeD8Bzу2/ޤO>SaPi11I*krܸ~h1*R̮-hs[M+ ! {Wyr3{/xi靡4Lu| w[tDJ&B\ lݲZ;g7c1J[)tۜc)y"k1$~\yhM#ߕBEUiGv HDlITl9KwZ^s'b |LZ4l*#V,k%K͵YY/w/#Ӎ#6u춡(dohfKhkǒDűu # 6+2ٽV@f;O׋u C4h`6fmC0i~0yA:Sa~uA5::0Y'$o(i%-qW gjO|gQHV\2}g#2[F IH*zZaĒKr{sW20Wͼ;m&xsv֬d2w6+"{ajHHsTL8)ND\s(>1:c8ync=C^.9K}(y?k`}l'^xwnI`5*WlG.[fm4?AT( UvRXd{yTa%;)CoNS8Gg4UhGmL`D.]-\"2 h,!{<,ab\ B} _KO -q.H< z}Sŀ&GyC s,v_"C692H>_S[ lŊ g e7&j+1HR"Xh$P,!?웜+>tQa {m:+ dg'd ELa@!21xWgW]{ʻZQÄA<wK>:JMob˙|B؈ F bdW_Y,k&:Ծc+M2~]DT\4MZb}}ޮf\-ĕk,@%@Ѭ^A).lC~r" v6nhl_iVskuz"PeHqyܺEnP\·]/mnaO`G)g7Cҽ5?_c@Q©Ts:3.9(CIEK nieK`roJtCɫ+F ۈ^f.YZeϕr3 l|$F}Vc;5 k<؊`8.? ]/摻U2dY&0%юMDzyhmH0FǾ,.oKLn{*=Gyv^eeyuU4)>9EpIH][ڳ繁l!1u/W-Yل6I"g GͻI^Ee|xI(n!82IPhqj@`FRm*`7`>.4O+\!]ǘ״-IByW5e.les;Jܤbj]y6w#Uj5DQd\Dz $cYx (*Y +Ozנ3ŊHs΅$k;E=fYۧAwVQ d^ 'Hֶ@ sjo8VH=(B@u,^+kwwA5|g^4e\#m2@e̾'@P?›t2" Ǎ|ٓnɼvISA jI bȢ25`/u*OuH0tSكAh0w84NF|ePqxWŞsCWcZy֬H9GJ&S#mʼntcxK ]>9Ș_qKD y`aMvK 8aM#GH& %-3~㰆T_#hE\<.G1VRp&` \8 h7r5=_BWdds5mtFu{b =eکPc.$^鿌#dxI @D:*2gij{oXE0/ % e)*^/!0g h&,&du|B4biF^?m9ue5 An2() <F(9E7!P* ͆LK8Qɧ ˗N e+-d+J <6q-,;4;9$|g_vrj5M3W(DT Sx١2enf#`T|c4(42|`9mT.}b^5 W&hNr\0e6QqH?AH{Wy jZsvO>IicۧqN4y\4莿?>On-rpj֍(岫c}7:>ӏ t7ۦ#a3;UB:JR] ! /XJ]*3"8埻95ܷqj\U*3Bhjw˒D㾊th癝HC * chohI<18~~0~\ E}ksL?e!qq/=WL;9Q&}Il16yڦͶԑ`'m›E1)5N칖tJ/TcP[|%ȃkz4I!/LȞhVKTp|rMt`7A^-8R`ḁ{|Sl`ߤP/}c٩[{[n81G ƾ$xJ } π<0.SfbvnZ xn6 1H߂w7OnV$B⇹ +n^dpzsik!|hv:bjA 긞<,&|&D8A4MN &RkL:#K5 irڟCNb +2sv"._Ru)J_R*>2l2H s3W]ᬻˤJ9$#W ޯe߸dB|xYfz{|\1ޚbz5"51j>E[$geZ" zA),_s/\?*'C>B^52(d2{ɨj굂n)t֑Y~[ \zYK1\=0,(`l\Sj3́T28bϵuD=y%٦˄GSj!.wPlbO(KA'BbFfj̦"ة`s5I^y| ttkZ&"E[R? 9W:;9Tg v*؂/=} 􅄘GA 1h_,*6a%M.z+Dm8oP$UP^#|9-j63{ivS*϶g-DR?̼FئҊEʛ\ 3%b ];n1ĝ  )g9X)+i7EűqV1nOs=\`Jh`'詇}rN^f4n)dX(a7aTRf5ِVQ<*v՚wwлoӽֺ ,+ Xw"EPǭ[d A3F\ kw^ɾϭdˆs5R+zNP mWƚ*D2 M֜z^7Ya]@?"m{9Xa9Bk|o}:Q/$ɼpZ]ĺׅF)O8XxRy* ʿnyVC!yQo,:tWxbW,ozWo'%(nmJB,TofuԝYk>Ov(; T4ÏUtvhVU'}ybǰ>`{f_ ~>pro[lqN{ RX XѱY9:Ω=G9fUК4  U`vjڜΕ=PD dR ٞBfڬ% "%j(!x*wq /o%|?Łbtrc+ R  Wv JXa@? ߵ?v7D6P%VnIV5 +-.ҬX&@ў+C?!ӫ3^ <(!yo u{btgȄ&1A*1MʻV}kUuЙȹh-i_6C8OЪ6-I,{mJ1>XC6ÐnoC`kQ@ft SJ;>ܳj&оø0x!?셂=M<91plh,l1Mѿ75̩s{" l3k6fhGl+Y}pz̞\lW.ىG+GfUyuᜮ-#z8ʋ""QײI+ <2 YխiCiLHc3};:yh 7%IP6,wz#C8(w7z+Ȑ|~)Zt59}VZy7#0}39 iE,+γ=fQwsbv~oFA'sC\;_9ڶ;v~kިvf$/"?ia=LL;чec>m;¤0ykr22QU]m)9eL&%]QƘON3txdѭdd Xy3Bĸ^[0)Ծqen/z8b;Z}9{Z+¢95sVPp؃88 cӓ6jۜ$մqȾdהHdT1 󢏝chgMaPJ  =MVQ AD.g$`U~7VErmn\'zͤ,OTF7@ dq Z{`bp$?jm FQղfEB$~4ӱ`e7Yso|\̒}ju:@aK>BzU;#ɋ GAwYЦnf^|k RE oy :rp>I%h.a5aa *kzq ɾ *\"{ A__ۂoOf$&įFd4%ذ\g·/pOh 8tᮜѓ0D;F-s j(R%K(!-GML:'\Ǖ?u^^nkr/h^hn1nJco若#|B%B ]u[Z¨7QUL|he$ TW>59[\$nmd^ɷM7[I†.IQ)msL@l׸V~;fݢ-$srjy<{)\ҲNP,_lWkg"yVӋ"ܦB1>f_'@ UQ<̑~cE,h>x"6槞׏˚]o-5rZhhbq!aǹp{B6Z臝aeFEM(M6vzJl!t=O}jsdlGKFI}kJ #Iv)pڴM>bCO~.ΕmD5K@W﹦ ^Pts.XۇNHdJ lVAx6c_HF?=Χ)6IsEif'Ec`=wcژE[Hg{jY 2wRN' _!Gmjhan@N^nl[ajW+ Yk`xϝO;8\眯[ A鸪G8+VQ^Uպw/;& /gQ||psP[VX\uB?+p$Lma0cLt!-^/ og1c'w('' np϶J^ T2I jgpo5SZQ<"GACQX vװ\ˑDAjx ,{_ d`K 1m& SmÜkhz_ ]X!.}0Vj>)y.R$АcNt-1s:a ܸ #/M< *÷^&%4{rJ+ ݈oMKMT Xu4x7(ߨvg̨=Hjd0=#8%gk}Ì~t9- }h뗫dA:q%@]6NGFڄ,(*6#4rڄ=<<ӜNS]1JMžli)m0>JcMwQs:w|\@d.|zkkR78-n8C<ͲG< -mVhU" X2 @o0ާJAg-%cpe8e ޭ?W' V /;0 PyZ)=HǿVfaVxH1p;lj--`0Q\\s\/mERQ5'f)] =D~,AC+|q+~,1Qp9蚷=#Riy&@>4YO3߃ ӛ9 DjKQ(ČީoSx'Z䄞W Eȩ64yU;58F.܌jtO7d2 ktwI}H"&K  w~[Mn%\[evU*nϹpI_cm,5u>8` A7ΠR'VƎdunOJxyp ADɣ+Azp̸L|9dYK ν/!g/Mn/58 C fX VuhQ0KGhԧ}| BcXyL8DEj_\h8 [1O\1oEǟƄ c*u=6 .fq#c+Ae<兓67%Հrsw"igقo>iaf\D2nKz$F+RY:RV퍰gA "M]nIp{Sf);Z-z}D%ANqS_"ϸ>?^bTlڕ Kc'aGȷl|k0dv[X_Y%ki1-碘ֳ̽*f⽎.89n@>0J7AdQ 9;r LT\ N-tpffLGG) |2'窐=&ϗÊoYҗ-pLVCшU. 7t7qw)߷+iرd'T )|B{(.Ob 6ve̘$#JJ/G[nh t}x ByŞrRq]O Ջ7qZI\I!+| [Ǟ܏@9Z㸜jІD:L:M(holg 1QMO{{AdwaK5O ߆fhDOGw8Pû#QUJ#SzTxylS hdp"z?ۺRUd%xF/ʪk(0)!n$&CaG`I6p3ėN}d5A}wD ~g)H_qnPQ^=@QWNw\@Ƭk(<&DVƗQr] ]A̴RxFHڏȴhE tE^; `3T~Rz tBoRf/+3 ^D{'u׳ph5ivw{yLGwlx& jIOӬA(Vd3~Bv*8yCB@lo,]2*mSkgk#Wm\\}xȴNKDl} {SpGX7 7E9Ko- ck'7[)ކɐ4 s+=S| ˟m _>)g;K;^O RrvK4H.rSwߕ-eD߂/17iV`ӆh; ;E_ {)=۳msTCltʂSbyu$`t0(HEY.gE ó](Jڶ4e GO#3xbl47W:;if+: C^BI=b>iHEt@@zQHL҉C$ ýc&rɟYr#FEuc`9mҌu>JzϬ-/ >@Lg ԍS!wKud|╨>EIJS 5 ;,ju%[Y5o^+|}UIhoZ`g<4ǰ ЖF=vQ:ʃD?o삼4Ԕn@jTy- d4dJ)yt87 =ΆL7[=^q's. ܚc Vt4ILfY#%"xG_JIck Jg>Y~=y 'Cyf3@|9E 6]u3_jr4mlj/x(qi+._ zUz|}yGl6b#熙[a1[e7ٮU>9ѕ1ݽ6;[ "m9S? ؏ ^*{i^~VN kvJi}x?¾lD* 3R>௲vPŠ2bo h56:3ŷZr]8[7Fthr3&SEl(d%m袿0XR\eI Kx!%M:\4en 9&R 4kx  $mR YZ