bouncycastle-mail-1.72-150200.3.12.1 >  A d.p9|7lm9cbA=qh{ydNv*GMkĢVΆRtƙQG6Yo$q;ME'Wh#MMRC/ͦT׶۰Y*lQJLH;8Dbb9ff9ec3e71fdc9b50bf08953ab7fac2aac8c58eb6c0ecc6556cc7ccbb2b285755e5ddfe8c93214d563da9869c1db19eef2c840wd.p9|)byu6cʗdLԑh~6fMRCñJD W_ܢ\\Y`UYZCr"t)j:`e{DFA uU`qMBPHNqrT3p>Ⱦȯ a[8qEֿb[3-U\2rQ!s-OpC<"0#_]e{W@׼5l}p(C\ F~u|IpP{2/Î99Gܳap>p>l?\d ' @LPX\u      4 9 @Tm   (M8T9: FGHIXY\l]^bLcd|efluvwxyz XCbouncycastle-mail1.72150200.3.12.1Bouncy Castle S/MIME APIThe Bouncy Castle Java S/MIME APIs for handling S/MIME protocols. The APIs can be used in conjunction with a JCE/JCA provider such as the one provided with the Bouncy Castle Cryptography APIs. The JavaMail API and the Java activation framework will also be needed.dsheep57SUSE Linux Enterprise 15SUSE LLC MIThttps://www.suse.com/Development/Libraries/Javahttps://www.bouncycastle.orglinuxnoarchCA큤dddOdd52188ce145885a01b61858c0c1af5eeaf7e6e73d4269b7c1ac0690d8869d8c7f537e0e2946266c2b5049c12b1934543c301e6b45f283dce17ad64aad4ae2ccfc174e8e0d40b47f1b0d5b5ba5f3ab65e83f987bfb5d1730904d27332efb8721f9b71d12858e519136ff6ea92c1aaffd1186724a2fb2b74fb28fa084f36e07fe80rootrootrootrootrootrootrootrootrootrootbouncycastle-1.72-150200.3.12.1.src.rpmbouncycastle-mailmvn(org.bouncycastle:bcmail-jdk15)mvn(org.bouncycastle:bcmail-jdk15:pom:)mvn(org.bouncycastle:bcmail-jdk15on)mvn(org.bouncycastle:bcmail-jdk15on:pom:)mvn(org.bouncycastle:bcmail-jdk15to18)mvn(org.bouncycastle:bcmail-jdk15to18:pom:)mvn(org.bouncycastle:bcmail-jdk16)mvn(org.bouncycastle:bcmail-jdk16:pom:)mvn(org.bouncycastle:bcmail-jdk18)mvn(org.bouncycastle:bcmail-jdk18:pom:)mvn(org.bouncycastle:bcmail-jdk18on)mvn(org.bouncycastle:bcmail-jdk18on:pom:)osgi(bcmail)@@@@@    bouncycastlebouncycastle-pkixbouncycastle-utiljava-headlessjavapackages-filesystemmvn(org.bouncycastle:bcpkix-jdk18on)mvn(org.bouncycastle:bcprov-jdk18on)mvn(org.bouncycastle:bcutil-jdk18on)rpmlib(CompressedFileNames)rpmlib(FileDigests)rpmlib(PayloadFilesHavePrefix)rpmlib(PayloadIsXz)1.721.721.721.721.721.723.0.4-14.6.0-14.0-15.2-14.14.1cObbbDF@b4t@b3"`@`__@_ @^l@^{G]µ]@]@]@]@[P}@[d@ZYY4Y@VU@V*!@U hT!Tpmonreal@suse.comshvetz.anton@gmail.comfstrba@suse.comfstrba@suse.comfstrba@suse.comfstrba@suse.compmonreal@suse.comfstrba@suse.compmonreal@suse.compmonreal@suse.compmonrealgonzalez@suse.comfstrba@suse.compmonrealgonzalez@suse.compmonrealgonzalez@suse.compmonrealgonzalez@suse.compmonrealgonzalez@suse.comfstrba@suse.comtchvatal@suse.comabergmann@suse.comfstrba@suse.comfstrba@suse.comfstrba@suse.compcervinka@suse.comtchvatal@suse.comtchvatal@suse.comtchvatal@suse.comtchvatal@suse.comtchvatal@suse.com- Update to version 1.72: * Defects Fixed: - There were parameter errors in XMSS^MT OIDs for XMSSMT_SHA2_40/4_256 and XMSSMT_SHA2_60/3_256. These have been fixed. - There was an error in Merkle tree construction for the Evidence Records (ERS) implementation which could result in invalid roots been timestamped. ERS now produces an ArchiveTimeStamp for each data object/group with an associated reduced hash tree. The reduced hash tree is now calculated as a simple path to the root of the tree for each record. - OpenPGP will now ignore signatures marked as non-exportable on encoding. - A tagging calculation error in GCMSIV which could result in incorrect tags has been fixed. - Issues around Java 17 which could result in failing tests have been addressed. * Additional Features and Functionality: - BCJSSE: TLS 1.3 is now enabled by default where no explicit protocols are supplied (e.g. "TLS" or "Default" SSLContext algorithms, or SSLContext.getDefault() method). - BCJSSE: Rewrite SSLEngine implementation to improve compatibility with SunJSSE. - BCJSSE: Support export of keying material via extension API. - (D)TLS: Add support for 'tls-exporter' channel binding per RFC 9266. - (D)TLS (low-level API): By default, only (D)TLS 1.2 and TLS 1.3 are offered now. Earlier versions are still supported if explicitly enabled. Users may need to check they are offering suitable cipher suites for TLS 1.3. - (D)TLS (low-level API): Add support for raw public keys per RFC 7250. - CryptoServicesRegistrar now has a setServicesConstraints() method on it which can be used to selectively turn off algorithms. - The NIST PQC Alternate Candidate, Picnic, has been added to the low level API and the BCPQC provider. - SPHINCS+ has been upgraded to the latest submission, SPHINCS+ 3.1 and support for Haraka has been added. - Evidence records now support timestamp renewal and hash renewal. - The SIKE Alternative Candidate NIST Post Quantum Algorithm has been added to the low-level PQC API. - The NTRU Round 3 Finalist Candidate NIST Post Quantum Algorithm has been added to the low-level API and the BCPQC provider. - The Falcon Finalist NIST Post Quantum Algorithm has been added to the low-level API and the BCPQC provider. - The CRYSTALS-Kyber Finalist NIST Post Quantum Algorithm has been added to the low-level API and the BCPQC provider. - Argon2 Support has been added to the OpenPGP API. - XDH IES has now been added to the BC provider. - The OpenPGP API now supports AEAD encryption and decryption. - The NTRU Prime Alternative Candidate NIST Post Quantum Algorithms have been added to the low-level API and the BCPQC provider. - The CRYSTALS-Dilithium Finalist NIST Post Quantum Algorithm has been added to the low-level API and the BCPQC provider. - The BIKE NIST Post Quantum Alternative/Round-4 Candidate has been added to the low-level API and the BCPQC provider. - The HQC NIST Post Quantum Alternative/Round-4 Candidate has been added to the low-level API and the BCPQC provider. - Grain128AEAD has been added to the lightweight API. - A fast version of CRC24 has been added for use with the PGP API. - Some additional methods and fields have been exposed in the PGPOnePassSignature class to (hopefully) make it easier to deal with nested signatures. - CMP support classes have been updated to reflect the latest editions to the the draft RFC "Lightweight Certificate Management Protocol (CMP) Profile". - Support has been added to the PKCS#12 implementation for the Oracle trusted certificate attribute. - Performance of our BZIP2 classes has been improved. * Notes: - Keep in mind the PQC algorithms are still under development and we are still at least a year and a half away from published standards. This means the algorithms may still change so by all means experiment, but do not use the PQC algoritms for anything long term. - The legacy "Rainbow" and "McEliece" implementations have been removed from the BCPQC provider. The underlying classes are still present if required. Other legacy algorithm implementations can be found under the org.bouncycastle.pqc.legacy package. * Security Notes: - The PQC SIKE algorithm is provided for research purposes only. It should now be regarded as broken. The SIKE implementation will be withdrawn in BC 1.73. * Rebase bouncycastle-javadoc.patch- Version update to 1.71 * Defects Fixed - In line with GPG the PGP API now attempts to preserve comments containing non-ascii UTF8 characters. - An accidental partial dependency on Java 1.7 has been removed from the TLS API. - JcaPKIXIdentityBuilder would fail to process File objects correctly. This is now fixed. - Some byte[] parameters to the CMP API were not being defensively cloned to prevent accidental changes. Extra defensive cloning has been added. - CMS primitives would sometimes convert ASN.1 definite-length encodings into indefinite-length encodings. The primitives will now try and preserve the original encoding where possible. - CMSSignedData.getAttributeCertificates() now properly restricts the tag values checked to just 1 (the obsolete v1 tag) and 2 (for the more current v2 certificates). - BCJSSE now tries to validate a custom KeyManager selection in order to catch errors around a key manager ignoring key type early. - Compressed streams in PGP ending with zero length partial packets could cause failure on parsing the OpenPGP API. This has been fixed. - The fallback mode for JceAsymmetricKeyWrapper/Unwrapper would lose track of any algorithm parameters generated in the initial attempt. The algorithm parameters are now propagated. - An accidental regression introduced by a fix for another issue in PKIXCertPathReviewer around use of the AuthorityKeyIdentifier extension and it failing to match a certificate uniquely when the serial number field is missing has been fixed. - An error was found in the creation of TLS 1.3 Export Keying Material which could cause compatibility issues. This has been fixed. * Additional Features and Functionality - Support has been added for OpenPGP regular expression signature packets. - Support has been added for OpenPGP PolicyURI signature packets. - A utility method has been added to PGPSecretKeyRing to allow for inserting or replacing a PGPPublicKey. - The NIST PQC Finalist, Classic McEliece has been added to the low level API and the BCPQC provider. - The NIST PQC Alternate Candidate, SPHINCS+ has been added to the BCPQC provider. - The NIST PQC Alternate Candidate, FrodoKEM has been added to the low level API and the BCPQC provider. - The NIST PQC Finalist, SABER has been added to the low level API and the BCPQC provider. - KMAC128, KMAC256 has been added to the BC provider (empty customization string). - TupleHash128, TupleHash256 has been added to the BC provider (empty customization string). - ParallelHash128, ParallelHash256 has been added to the BC provider (empty customization string, block size 1024 bits). - Two new properties: "org.bouncycastle.rsa.max_size" (default 15360) and "org.bouncycastle.ec.fp_max_size" (default 1042) have been added to cap the maximum size of RSA and EC keys. - RSA modulus are now checked to be provably composite using the enhanced MR probable prime test. - Imported EC Fp basis values are now validated against the MR prime number test before use. The certainty level of the prime test can be determined by "org.bouncycastle.ec.fp_certainty" (default 100). - The BC entropy thread now has a specific name: "BC-ENTROPY-GATHERER". - Utility methods have been added for joining/merging PGP public keys and signatures. - Blake3-256 has been added to the BC provider. - DTLS: optimisation to delayed handshake hash. - Further additions to the ETSI 102 941 support in the ETSI/ITS package: certification request, signed message generation and verification now supported. - CMSSignedDataGenerator now supports the direct generation of definite-length data. - The NetscapeCertType class now has a hasUsages() method on it for querying usage settings on its bit string. - Support for additional input has been added for deterministic (EC)DSA. - The OpenPGP API provides better support for subkey generation. - BCJSSE: Added boolean system properties "org.bouncycastle.jsse.client.dh.disableDefaultSuites" and "org.bouncycastle.jsse.server.dh.disableDefaultSuites". Default "false". Set to "true" to disable inclusion of DH cipher suites in the default cipher suites for client/server respectively. * Notes - The deprecated QTESLA implementation has been removed from the BCPQC provider. - The submission update to SPHINCS+ has been added. This changes the generation of signatures - particularly deterministic ones. - Version update to 1.70 * Defects Fixed - Blake 3 output limit is enforced. - The PKCS12 KeyStore was relying on default precedence for its key Cipher implementation so was sometimes failing if used from the keytool. The KeyStore class now makes sure it uses the correct Cipher implementation. - Fixed bzip2 compression for empty contents (GH #993). - ASN.1: More robust handling of high tag numbers and definite-length forms. - BCJSSE: Fix a concurrent modification issue in session contexts (GH#968). - BCJSSE: Don't log sensitive system property values (GH#976). - BCJSSE: Fixed a priority issue amongst imperfect-match credentials in KeyManager classes. - The IES AlgorithmParameters object has been re-written to properly support all the variations of IESParameterSpec. - getOutputSize() for ECIES has been corrected to avoid occassional underestimates. - The lack of close() in the ASN.1 Dump command line utility was triggering false positives in some code analysis tools. A close() call has been added. - PGPPublicKey.getBitStrength() now properly recognises EdDSA keys. * Additional Features and Functionality - Missing PGP CRC checksums can now be optionally ignored using setDetectMissingCRC() (default false) on ArmoredInputStream. - PGPSecretKey.copyWithNewPassword() now has a variant which uses USAGE_SHA1 for key protection if a PGPDigestCalculator is passed in. - PGP ASCII armored data now skips "\t", "\v", and "\f". - PKCS12 files with duplicate localKeyId attributes on certificates will now have the incorrect attributes filtered out, rather than the duplicate causing an exception. - PGPObjectFactory will now ignore packets representing unrecognised signature versions in the input stream. - The X.509 extension generator will now accumulate some duplicate X.509 extensions into a single extension where it is possible to do so. - Removed support for maxXofLen in Kangaroo digest. - Ignore marker packets in PGP Public and Secret key ring collection. - An implementation of LEA has been added to the low-level API. - Access, recovery, and direct use for PGP session keys has been added to the OpenPGP API for processing encrypted data. - A PGPCanonicalizedDataGenerator has been added which converts input into canonicalized literal data for text and UTF-8 mode. - A getUserKeyingMaterial() method has been added to the KeyAgreeRecipientInformation class. - ASN.1: Tagged objects (and parsers) now support all tag classes. Special code for ApplicationSpecific has been deprecated and re-implemented in terms of TaggedObject. - ASN.1: Improved support for nested tagging. - ASN.1: Added support for GraphicString, ObjectDescriptor, RelativeOID. - ASN.1: Added support for constructed BitString encodings, including efficient parsing for large values. - TLS: Added support for external PSK handshakes. - TLS: Check policy restrictions on key size when determining cipher suite support. - A performance issue in KeccakDigest due to left over debug code has been identified and dealt with. - BKS key stores can now be used for collecting protected keys (note: any attempt to store such a store will cause an exception). - A method for recovering user keying material has been added to KeyAgreeRecipientInformation. - Support has been added to the CMS API for SHA-3 based PLAIN-ECDSA. - The low level BcDefaultDigestProvider now supports the SHAKE family of algorithms and the SM3 alogirthm. - PGPKeyRingGenerator now supports creation of key-rings with direct-key identified keys. - The PQC NIST candidate, signature algorithm SPHINCS+ has been added to the low-level API. - ArmoredInputStream now explicitly checks for a '\n' if in crLF mode. - Direct support for NotationDataOccurances, Exportable, Revocable, IntendedRecipientFingerPrints, and AEAD algorithm preferences has been added to PGPSignatureSubpacketVector. - Further support has been added for keys described using S-Expressions in GPG 2.2.X. - Support for OpenPGP Session Keys from the (draft) Stateless OpenPGP CLI has been added. - Additional checks have been added for PGP marker packets in the parsing of PGP objects. - A CMSSignedData.addDigestAlgorithm() has been added to allow for adding additional digest algorithm identifiers to CMS SignedData structures when required. - Support has been added to CMS for the LMS/HSS signature algorithm. - The system property "org.bouncycastle.jsse.client.assumeOriginalHostName" (default false) has been added for dealing with SNI problems related to the host name not being propagate by the JVM. - The JcePKCSPBEOutputEncryptorBuilder now supports SCRYPT with ciphers that do not have algorithm parameters (e.g. AESKWP). - Support is now added for certificates using ETSI TS 103 097, "Intelligent Transport Systems (ITS)" in the bcpkix package. * Notes. - While this release should maintain source code compatibility, developers making use of some parts of the ASN.1 library will find that some classes need recompiling. Apologies for the inconvenience. - Version update to 1.69 * Defects Fixed - Lightweight and JCA conversion of Ed25519 keys in the PGP API could drop the leading byte as it was zero. This has been fixed. - Marker packets appearing at the start of PGP public key rings could cause parsing failure. This has been fixed. - ESTService could fail for some valid Content-Type headers. This has been fixed. - Originator key algorithm parameters were being passed as NULL in key agreement recipients. The parameters now reflect the value of the parameters in the key's SubjectPublicKeyInfo. - ContentType on encapsulated data was not been passed through correctly for authenticated and enveloped data. This has been fixed. - NTRUEncryptionParameters and NTRUEncryptionKeyGenerationParameters were not correctly cloning the contained message digest. This has been fixed. - CertificateFactory.generateCertificates()/generateCRLs() would throw an exception if extra data was found at the end of a PEM file even if valid objects had been found. Extra data is now ignored providing at least one object found. - Internal class PKIXCRLUtil could throw a NullPointerException for CRLs with an absent nextUpdate field. This has been fixed. - PGP ArmoredInputStream now fails earlier on malformed headers. - The McElieceKobaraImaiCipher was randomly throwing "Bad Padding: invalid ciphertext" exception while decrypting due to leading zeroes been missed during processing of the cipher text. This has been fixed. - Ed25519 keys being passed in via OpenSSH key spec are now validated in the KeyFactory. - Blowfish keys are now range checked on cipher construction. - In some cases PGPSecretKeyRing was failing to search its extraPubKeys list when searching for public keys. - The BasicConstraintsValidation class in the BC cert path validation tools has improved conformance to RFC 5280. - AlgorithmIdentifiers involving message digests now attempt to follow the latest conventions for the parameters field (basically DER NULL appears less). - Fix various conversions and interoperability for XDH and EdDSA between BC and SunEC providers. - TLS: Prevent attempts to use KeyUpdate mechanism in versions before TLS 1.3. * Additional Features and Functionality - GCM-SIV has been added to the lightweight API and the provider. - Blake3 has been added to the lightweight API. - The OpenSSL PEMParser can now be extended to add specialised parsers. - Base32 encoding has now been added, the default alphabet is from RFC 4648. - The KangarooTwelve message digest has been added to the lightweight API. - An implementation of the two FPE algorithms, FF1 and FF3-1 in SP 800-38G has been added to the lightweight API and the JCE provider. - An implementation of ParallelHash has been added to the lightweight API. - An implementation of TupleHash has been added to the lightweight API. - RSA-PSS now supports the use of SHAKE128 and SHAKE256 as the mask generation function and digest. - ECDSA now supports the use of SHAKE128 and SHAKE256. - PGPPBEEncryptedData will now reset the stream if the initial checksum fails so another password can be tried. - Iterators on public and secret key ring collections in PGP now reflect the original order of the public/secret key rings they contain. - KeyAgreeRecipientInformation now has a getOriginator() method for retrieving the underlying orginator information. - PGPSignature now has a getDigestPrefix() method for people wanting exposure to the signature finger print details. - The old BKS-V1 format keystore is now disabled by default. If you need to use BKS-V1 for legacy reasons, it can be re-enabled by adding: org.bouncycastle.bks.enable_v1=true to the java.security file. We would be interested in hearing from anyone that needs to do this. - PLAIN-ECDSA now supports the SHA3 digests. - Some highlevel support for RFC 4998 ERS has been added for ArchiveTimeStamp and EvidenceRecord. The new classes are in the org.bouncycastle.tsp.ers package. - ECIES has now also support SHA256, SHA384, and SHA512. - digestAlgorithms filed in CMS SignedData now includes counter signature digest algorithms where possible. - A new property "org.bouncycastle.jsse.config" has been added which can be used to configure the BCJSSE provider when it is created using the no-args constructor. - In line with changes in OpenSSL 1.1.0, OpenSSLPBEParametersGenerator can now be configured with a digest. - PGPKeyRingGenerator now includes a method for adding a subkey with a primary key binding signature. - Support for ASN.1 PRIVATE tags has been added. - Performance enhancements to Nokeon, AES, GCM, and SICBlockCipher. - Support for ecoding/decoding McElieceCCA2 keys has been added to the PQC API - BCJSSE: Added support for jdk.tls.maxCertificateChainLength system property (default is 10). - BCJSSE: Added support for jdk.tls.maxHandshakeMessageSize system property (default is 32768). - BCJSSE: Added support for jdk.tls.client.enableCAExtension (default is 'false'). - BCJSSE: Added support for jdk.tls.client.cipherSuites system property. - BCJSSE: Added support for jdk.tls.server.cipherSuites system property. - BCJSSE: Extended ALPN support via standard JSSE API to JDK 8 versions after u251/u252. - BCJSSE: Key managers now support EC credentials for use with TLS 1.3 ECDSA signature schemes (including brainpool). - TLS: Add TLS 1.3 support for brainpool curves per RFC 8734. * Notes - There is a small API change in the PKIX package to the DigestAlgorithmIdentifierFinder interface as a find() method that takes an ASN1ObjectIdentifier has been added to it. For people wishing to extend their own implementations, see DefaultDigestAlgorithmIdentifierFinder for a sample implementation. - A version of the bcmail API supporting Jakarta Mail has now been added (see bcjmail jar). - Some work has been done on moving out code that does not need to be in the provider jar. This has reduced the size of the provider jar and should also make it easier for developers to patch the classes involved as they no longer need to be signed. bcpkix and bctls are both dependent on the new bcutil jar. - Add build dependencies on mvn(jakarta.activation:jakarta.activation-api) and mvn(jakarta.mail:jakarta.mail-api) - Remove unneeded script bouncycastle_getpoms.sh from sources- Build against the standalone JavaEE modules unconditionally- Build with source/target levels 8- Add glassfish-activation-api dependency so that we can build with JDK that does not contain the JavaEE modules- Directory core/docs does not exist- Add bouncycastle_getpoms.sh to get pom files from Maven repos- Version update to 1.68 * Defects Fixed: - Some BigIntegers utility methods would fail for BigInteger.ZERO. This has been fixed. - PGPUtil.isKeyRing() was not detecting secret sub-keys in its input. This has been fixed. - The ASN.1 class, ArchiveTimeStamp was insisting on a value for the optional reducedHashTree field. This has been fixed. - BCJSSE: Lock against multiple writers - a possible synchronization issue has been removed. * Additional Features and Functionality - BCJSSE: Added support for system property com.sun.net.ssl.requireCloseNotify. Note that we are using a default value of 'true'. - BCJSSE: 'TLSv1.3' is now a supported protocol for both client and server. For this release it is only enabled by default for the 'TLSv1.3' SSLContext, but can be explicitly enabled using 'setEnabledProtocols' on an SSLSocket or SSLEngine, or via SSLParameters. - BCJSSE: Session resumption is now also supported for servers in TLS 1.2 and earlier. For this release it is disabled by default, and can be enabled by setting the boolean system property org.bouncycastle.jsse.server.enableSessionResumption to 'true'. - The provider RSA-PSS signature names that follow the JCA naming convention. - FIPS mode for the BCJSSE now enforces namedCurves for any presented certificates. - PGPSignatureSubpacketGenerator now supports editing of a pre-existing sub-packet list.- Version update to 1.67 [bsc#1180215, CVE-2020-28052] * CVE-2020-28052: OpenBSDBCrypt.checkPassword utility method compared incorrect data when checking the password * Defects Fixed: - BCJSSE: SunJSSE compatibility fix - override of getChannel() removed and 'urgent data' behaviour should now conform to what the SunJSSE expects - Nested BER data could sometimes cause issues in octet strings - Certificates/CRLs with short signatures could cause an exception in toString() in the BC X509 Certificate implmentation - In line with latest changes in the JVM, SignatureSpis which don't require parameters now return null on engineGetParameters() - The RSA KeyFactory now always preferentially produces RSAPrivateCrtKey where it can on requests for a KeySpec based on an RSAPrivateKey - CMSTypedStream$FullReaderStream now handles zero length reads correctly - Unecessary padding was added on KMAC when the key string was block aligned - Zero length data would cause an unexpected exception from RFC5649WrapEngine - OpenBSDBcrypt was failing to handle some valid prefixes * Additional Features and Functionality - Performance improvement of Argon2 and Noekeon - A setSessionKeyObfuscation() method has been added to PublicKeyKeyEncryptionMethodGenerator to allow turning off of session key obfuscation (default is on, method primarily to get around early version GPG issues with AES-128 keys) - Implemented 'safegcd' constant-time modular inversion (as well as a variable-time variant). It has replaced Fermat inversion in all our EC code, and BigInteger.modInverse in several other places, particularly signers. This improves side-channel protection, and also gives a significant performance boost - Performance of custom binary ECC curves and Edwards Curves has been improved - BCJSSE: New boolean system property 'org.bouncycastle.jsse.keyManager.checkEKU' allows to disable ExtendedKeyUsage restrictions when selecting credentials (although the peer may still complain) - Initial support has been added for "Composite Keys and Signatures For Use In Internet PKI" using the test OID. Please note there will be further refinements to this as the draft is standardised - The BC EdDSA signature API now supports keys implementing all methods on the EdECKey and XECKey interfaces directly - Work has begun on classes to support the ETSI TS 103 097, Intelligent Transport Systems (ITS) in the bcpkix package - Further optimization work has been done on GCM - A NewHope based processor, similar to the one for Key Agreement has been added for trying to "quantum hard" KEM algorithms - PGP clear signed signatures now support SHA-224 - Treating absent vs NULL as equivalent can now be configured by a system property. By default this is not enabled - Mode name checks in Cipher strings should now make sure an improper mode name always results in a NoSuchAlgorithmException - In line with changes in OpenSSL, the OpenSSLPBKDF now uses UTF8 encoding- Version update to 1.66 [bsc#1186328, CVE-2020-15522] * Defects Fixed: - EdDSA verifiers now reset correctly after rejecting overly long signatures. - BCJSSE: SSLSession.getPeerCertificateChain could throw NullPointerException. - qTESLA-I verifier would reject some valid signatures. - qTESLA verifiers now reject overly long signatures. - PGP regression caused failure to preserve existing version header when headers were reset. - PKIXNameConstraintValidator had a bad cast preventing use of multiple OtherName constraints. - Serialisation of the non-CRT RSA Private Key could cause a NullPointerException. - An extra 4 bytes was included in the start of HSS public key encodings. - CMS with Ed448 using a direct signature was using id-shake256-len rather than id-shake256. - Use of GCMParameterSpec could cause an AccessControlException under some circumstances. - DTLS: Fixed high-latency HelloVerifyRequest handshakes. - An encoding bug for rightEncoded() in KMAC has been fixed. - For a few values the cSHAKE implementation would add unnecessary pad bytes where the N and S strings produced encoded data that was block aligned. - There were a few circumstances where Argon2BytesGenerator might hit an unexpected null. These have been removed. * Additional Features and Functionality - The qTESLA signature algorithm has been updated to v2.8 (20191108). - BCJSSE: Client-side OCSP stapling now supports status_request_v2 extension. - Support has been added for "ocsp.enable", "ocsp.responderURL" and PKIXRevocationChecker for users of Java 8 and later. - Support has been added for "org.bouncycastle.x509.enableCRLDP" to the PKIX validator. - BCJSSE: Now supports system property 'jsse.enableFFDHE' - BCJSSE: Now supports system properties 'jdk.tls.client.SignatureSchemes' and 'jdk.tls.server.SignatureSchemes'. - Multi-release support has been added for Java 11 XECKeys. - Multi-release support has been added for Java 15 EdECKeys. - The MiscPEMGenerator will now output general PrivateKeyInfo structures. - A new property "org.bouncycastle.pkcs8.v1_info_only" has been added to make the provider only produce version 1 PKCS8 PrivateKeyInfo structures. - The PKIX CertPathBuilder will now take the target certificate from the target constraints if a specific certificate is given to the selector. - BCJSSE: A range of ARIA and CAMELLIA cipher suites added to supported list. - BCJSSE: Now supports the PSS signature schemes from RFC 8446 (TLS 1.2 onwards). - Performance of the Base64 encoder has been improved. - The PGPPublicKey class will now include direct key signatures when checking for key expiry times. * NOTES: - The qTESLA update breaks compatibility with previous versions. Private keys now include a hash of the public key at the end, and signatures are no longer interoperable with previous versions.- Version update to 1.65 * Defects Fixed: - DLExternal would encode using DER encoding for tagged SETs. - ChaCha20Poly1305 could fail for large (>~2GB) files. - ChaCha20Poly1305 could fail for small updates when used via the provider. - Properties.getPropertyValue could ignore system property when other local overrides set. - The entropy gathering thread was not running in daemon mode, meaning there could be a delay in an application shutting down due to it. - A recent change in Java 11 could cause an exception with the BC Provider's implementation of PSS. - BCJSSE: TrustManager now tolerates having no trusted certificates. - BCJSSE: Choice of credentials and signing algorithm now respect the peer's signature_algorithms extension properly. - BCJSSE: KeyManager for KeyStoreBuilderParameters no longer leaks memory. * Additional Features and Functionality: - LMS and HSS (RFC 8554) support has been added to the low level library and the PQC provider. - SipHash128 support has been added to the low level library and the JCE provider. - BCJSSE: BC API now supports explicitly specifying the session to resume. - BCJSSE: Ed25519, Ed448 are now supported when TLS 1.2 or higher is negotiated (except in FIPS mode). - BCJSSE: Added support for extended_master_secret system properties: jdk.tls.allowLegacyMasterSecret, jdk.tls.allowLegacyResumption, jdk.tls.useExtendedMasterSecret . - BCJSSE: Ed25519, Ed448 are now supported when TLS 1.2 or higher is negotiated (except in FIPS mode). - BCJSSE: KeyManager and TrustManager now check algorithm constraints for keys and certificate chains. - BCJSSE: KeyManager selection of server credentials now prefers matching SNI hostname (if any). - BCJSSE: KeyManager may now fallback to imperfect credentials (expired, SNI mismatch). - BCJSSE: Client-side OCSP stapling support (beta version: via status_request extension only, provides jdk.tls.client.enableStatusRequestExtension, and requires CertPathBuilder support). - TLS: DSA in JcaTlsCrypto now falls back to stream signing to work around NoneWithDSA limitations in default provider.- Added patch: * bouncycastle-osgi.patch + Add OSGi manifests to the distributed jars so that they can be used from eclipse- Fix arch dependent macros in noarch package [bsc#1109539]- Update pom files with those from Maven repository.- Version update to 1.64 [bsc#1153385, CVE-2019-17359] [bsc#1096291, CVE-2018-1000180][bsc#1100694, CVE-2018-1000613] * Security Advisory: - CVE-2019-17359: A change to the ASN.1 parser in 1.63 introduced a regression that can cause an OutOfMemoryError to occur on parsing ASN.1 data. * Defects Fixed: - OpenSSH: Fixed padding in generated Ed25519 private keys. - GOST3410-2012-512 now uses the GOST3411-2012-256 as its KDF digest. - Validation of headers in PemReader now looks for tailing dashes in header. - Some compatibility issues around the signature encryption algorithm field in CMS SignedData and the GOST algorithms have been addressed. * Additional Features and Functionality: - PKCS12 key stores containing only certificates can now be created without the need to provide passwords. - BCJSSE: Initial support for AlgorithmConstraints; protocol versions and cipher suites. - BCJSSE: Initial support for 'jdk.tls.disabledAlgorithms'; protocol versions and cipher suites. - BCJSSE: Add SecurityManager check to access session context. - BCJSSE: Improved SunJSSE compatibility of the NULL_SESSION. - BCJSSE: SSLContext algorithms updated for SunJSSE compatibility (default enabled protocols). - The digest functions Haraka-256 and Haraka-512 have been added to the provider and the light-weight API - XMSS/XMSS^MT key management now allows for allocating subsets of the private key space using the extraKeyShard() method. Use of StateAwareSignature is now deprecated. - Support for Java 11's NamedParameterSpec class has been added (using reflection) to the EC and EdEC KeyPairGenerator implementations.- Version update to 1.63 * Defects Fixed: - The ASN.1 parser would throw a large object exception for some objects which could be safely parsed. - GOST3412-2015 CTR mode was unusable at the JCE level. - The DSTU MACs were failing to reset fully on doFinal(). - The DSTU MACs would throw an exception if the key was a multiple of the size as the MAC's underlying buffer size. - EdEC and QTESLA were not previously usable with the post Java 9 module structure. - ECNR was not correctly bounds checking the input and could produce invalid signatures. - ASN.1: Enforce no leading zeroes in OID branches (longer than 1 character). - TLS: Fix X448 support in JcaTlsCrypto. - Fixed field reduction for secp128r1 custom curve. - Fixed unsigned multiplications in X448 field squaring. - Some issues over subset Name Constraint validation in the CertPath analyser - TimeStampResponse.getEncoded() could throw an exception if the TimeStampToken was null. - Unnecessary memory usage in the ARGON2 implementation has been removed. - Param-Z in the GOST-28147 algorithm was not resolving correctly. - It is now possible to specify different S-Box parameters for the GOST 28147-89 MAC. * Additional Features and Functionality: - QTESLA is now updated with the round 2 changes. Note: the security catergories, and in some cases key generation and signatures, have changed. The round 1 version is now moved to org.bouncycastle.pqc.crypto.qteslarnd1, this package will be deleted in 1.64. Please keep in mind that QTESLA may continue to evolve. - Support has been added for generating Ed25519/Ed448 signed certificates. - A method for recovering the message/digest value from an ECNR signature has been added. - Support for the ZUC-128 and ZUC-256 ciphers and MACs has been added to the provider and the lightweight API. - Support has been added for ChaCha20-Poly1305 AEAD mode from RFC 7539. - Improved performance for multiple ECDSA verifications using same public key. - Support for PBKDF2withHmacSM3 has been added to the BC provider. - The S/MIME API has been fixed to avoid unnecessary delays due to DNS resolution of a hosts name in internal MimeMessage preparation. - The valid path for EST services has been updated to cope with the characters used in the Aruba clearpass EST implementation. - Version update to 1.62 * Defects Fixed: - DTLS: Fixed infinite loop on IO exceptions. - DTLS: Retransmission timers now properly apply to flights monolithically. - BCJSSE: setEnabledCipherSuites ignores unsupported cipher suites. - BCJSSE: SSLSocket implementations store passed-in 'host' before connecting. - BCJSSE: Handle SSLEngine closure prior to handshake. - BCJSSE: Provider now configurable using security config under Java 11 and later. - EdDSA verifiers now reject overly long signatures. - XMSS/XMSS^MT OIDs now using the values defined in RFC 8391. - XMSS/XMSS^MT keys now encoded with OID at start. - An error causing valid paths to be rejected due to DN based name constraints has been fixed in the CertPath API. - Name constraint resolution now includes special handling of serial numbers. - Cipher implementations now handle ByteBuffer usage where the ByteBuffer has no backing array. - CertificateFactory now enforces presence of PEM headers when required. - A performance issue with RSA key pair generation that was introduced in 1.61 has been mostly eliminated. * Additional Features and Functionality: - Builders for X509 certificates and CRLs now support replace and remove extension methods. - DTLS: Added server-side support for HelloVerifyRequest. - DTLS: Added support for an overall handshake timeout. - DTLS: Added support for the heartbeat extension (RFC 6520). - DTLS: Improve record seq. behaviour in HelloVerifyRequest scenarios. - TLS: BasicTlsPSKIdentity now reusable (returns cloned array from getPSK). - BCJSSE: Improved ALPN support, including selectors from Java 9. - Lightweight RSADigestSigner now support use of NullDigest. - SM2Engine now supports C1C3C2 mode. - SHA256withSM2 now added to provider. - BCJSSE: Added support for ALPN selectors (including in BC extension API for earlier JDKs). - BCJSSE: Support 'SSL' algorithm for SSLContext (alias for 'TLS'). - The BLAKE2xs XOF has been added to the lightweight API. - Utility classes added to support journaling of SecureRandom and algorithms to allow persistance and later resumption. - PGP SexprParser now handles some unprotected key types. - NONEwithRSA support added to lightweight RSADigestSigner. - Support for the Ethereum flavor of IES has been added to the lightweight API. - Version update to 1.61 * Defects Fixed: - Use of EC named curves could be lost if keys were constructed. via a key factory and algorithm parameters. - RFC3211WrapEngine would not properly handle messages longer than 127 bytes. - The JCE implementations for RFC3211 would not return null AlgorithmParameters. - TLS: Don't check CCS status for hello_request. - TLS: Tolerate unrecognized hash algorithms. - TLS: Tolerate unrecognized SNI types. - Incompatibility issue in ECIES-KEM encryption in cofactor fixed. - Issue with XMSS/XMSSMT private key loading which could result in invalid signatures fixed. - StateAwareSignature.isSigningCapable() now returns false when the key has reached it's maximum number of signatures. - The McEliece KeyPairGenerator was failing to initialize the underlying class if a SecureRandom was explicitly passed. - The McEliece cipher would sometimes report the wrong value on a call to Cipher.getOutputSize(int). - CSHAKEDigest.leftEncode() was using the wrong endianness for multi byte values. - Some ciphers, such as CAST6, were missing AlgorithmParameters implementations. - An issue with the default "m" parameter for 1024 bit Diffie-Hellman keys which could result in an exception on key pair generation has been fixed. - The SPHINCS256 implementation is now more tolerant of parameters wrapped with a SecureRandom and will not throw an exception if it receives one. - A regression in PGPUtil.writeFileToLiteralData() which could cause corrupted literal data has been fixed. - Several parsing issues related to the processing of CMP PKIPublicationInfo. - The ECGOST curves for id-tc26-gost-3410-12-256-paramSetA and id-tc26-gost-3410-12-512-paramSetC had incorrect co-factors. * Additional Features and Functionality: - The qTESLA signature algorithm has been added to PQC light-weight API and the PQC provider. - The password hashing function, Argon2 has been added to the lightweight API. - BCJSSE: Added support for endpoint ID validation (HTTPS, LDAP, LDAPS). - BCJSSE: Added support for 'useCipherSuitesOrder' parameter. - BCJSSE: Added support for ALPN. - BCJSSE: Various changes for improved compatibility with SunJSSE. - BCJSSE: Provide default extended key/trust managers. - TLS: Added support for TLS 1.2 features from RFC 8446. - TLS: Removed support for EC point compression. - TLS: Removed support for record compression. - TLS: Updated to RFC 7627 from draft-ietf-tls-session-hash-04. - TLS: Improved certificate sig. alg. checks. - TLS: Finalised support for RFC 8442 cipher suites. - Support has been added to the main Provider for the Ed25519 and Ed448 signature algorithms. - Support has been added to the main Provider for the X25519 and X448 key agreement algorithms. - Utility classes have been added for handling OpenSSH keys. - Support for processing messages built using GPG and Curve25519 has been added to the OpenPGP API. - The provider now recognises the standard SM3 OID. - A new API for directly parsing and creating S/MIME documents has been added to the PKIX API. - SM2 in public key cipher mode has been added to the provider API. - The BCFKSLoadStoreParameter has been extended to allow the use of certificates and digital signatures for verifying the integrity of BCFKS key stores.- Package also the bcpkix bcpg bcmail bctls artifacts in separate sub-packages - Revert to building with source/target 6, since it is still possible - Added patch: * bouncycastle-javadoc.patch + fix javadoc build- Version update to 1.60 bsc#1100694: * CVE-2018-1000613 Use of Externally-ControlledInput to Select Classes or Code * CVE-2018-1000180: issue around primality tests for RSA key pair generation if done using only the low-level API [bsc#1096291] * Release notes: http://www.bouncycastle.org/releasenotes.html- Version update to 1.59: * CVE-2017-13098: Fix against Bleichenbacher oracle when not using the lightweight APIs (boo#1072697). * CVE-2016-1000338: Fix DSA ASN.1 validation during encoding of signature on verification (boo#1095722). * CVE-2016-1000339: Fix AESEngine key information leak via lookup table accesses (boo#1095853). * CVE-2016-1000340: Fix carry propagation bugs in the implementation of squaring for several raw math classes (boo#1095854). * CVE-2016-1000341: Fix DSA signature generation vulnerability to timing attack (boo#1095852). * CVE-2016-1000342: Fix ECDSA ASN.1 validation during encoding of signature on verification (boo#1095850). * CVE-2016-1000343: Fix week default settings for private DSA key pair generation (boo#1095849). * CVE-2016-1000344: Remove DHIES from the provider to disable the unsafe usage of ECB mode (boo#1096026). * CVE-2016-1000345: Fix DHIES/ECIES CBC mode padding oracle attack (boo#1096025). * CVE-2016-1000346: Fix other party DH public key validation (boo#1096024). * CVE-2016-1000352: Remove ECIES from the provider to disable the unsafe usage of ECB mode (boo#1096022). * Release notes: http://www.bouncycastle.org/releasenotes.html - Removed patch: * ambiguous-reseed.patch- Build with source and target 8 to prepare for a possible removal of 1.6 compatibility- Version update to 1.58 - Added patch: * ambiguous-reseed.patch + Upstream fix for an ambiguous overload- Set java source and target to 1.6 to allow building with jdk9- New build dependency: javapackages-local - Fixed requires - Spec file cleaned- Version update to 1.54: * No obvious changelog to be found * Fixes bnc#967521 CVE-2015-7575- Version update to 1.53 (latest upstream) * No obvious changelog * Fixes bnc#951727 CVE-2015-7940- Fix build with new javapackages-tools- Disable tests on obs as they hang- Version bump to 1.50 to match Fedora - Cleanup with spec-cleanersheep57 16793321001.72-150200.3.12.11.721.721.721.721.721.721.721.721.721.721.721.721.72.0bcmail.jarbouncycastle-mailLICENSE.htmlbouncycastle-bcmail.xmlbcmail.pom/usr/share/java//usr/share/licenses//usr/share/licenses/bouncycastle-mail//usr/share/maven-metadata//usr/share/maven-poms/-fmessage-length=0 -grecord-gcc-switches -O2 -Wall -D_FORTIFY_SOURCE=2 -fstack-protector-strong -funwind-tables -fasynchronous-unwind-tables -fstack-clash-protection -gobs://build.suse.de/SUSE:Maintenance:28308/SUSE_SLE-15-SP2_Update/fb6590c8f0b24df9c8973950299b852f-bouncycastle.SUSE_SLE-15-SP2_Updatecpioxz5noarch-suse-linuxgzip ERROR: Stdin has more than one entry--rest ignored (Zip archive data, at least v1.0 to extract Java archive data (JAR))directoryHTML document, ASCII textASCII textXML 1.0 document, ASCII text, with very long linesP P PPPP PP PPPP PRRRRRUHRUЪ"utf-81ce1ea57137ed8cb2a76ac9567873f8c29b3a77ad554170ac532f6ea1bd83156? 7zXZ !t/] crv(vX0({BoY!`A|T]nh Bɦ9V_b x,7vQ|s7Ռ^e=}~$"lB!pP 02Ln~t+-.{?dE=t,O6ȝ{j|#$J۹aIGRsЂ۸]9 CumVfɠ)vиLYKJھPn^4m![ Ծ25JE#}HFPgo7'SI##W'Fr2-i A0I\(OJ6Ӡbs!msV7זxT2K r@Պ`]Tp21ZC05ni]qI`GVb<#8G{l.(8Z6%\"|%ǘވBNct@C"v]Q;1"FSuLü:.P|d J>z)xMQ]'k/}{[l Eb+Zp@ +|+AbBk~D+!N7M-fӫWnڭr=NN(R*a2}ϲ6Zaauԇ2C8zol5p'~bk_R_r>Wܒ5X| kC%,3KO3DrI}M~6*N(Nz_S;# \}H  gC %^21k0& >E;Zfq% —>}C% `vi=݉(uWZt+#JI؀_I%Jn}Qe=3a=$ *)Ľ57#Pjp~B9LfZ&3= E|n,Hv O\p۷ֹQvґkȔ00Ŭ._ txKU_Vくwd+ (Ӻ;(vЎ7{60kk|J(Ӳ aFk4n];kvi C4#iDž+p&r (=Ķin2 ɀ9"s܁'Yrb_lK%-%VQo{H0s`.iػR'(ai+/:Aa.=i Z)ViaZ\ͦ9Yh^ְMMݓS*)SK ݚB &Qw{HuOWdKn%nZ#RԽ4yfBg6um5nY38 A:bZNžl M;z=LNRDZ[P4AE|n!׆R"`@F2dƪoS⡪gMIgb7A=2+}]+C+.lZ,n ߍj|wm dp[q<9 ?Yyo[Zde̎S@ !"y+˄ЀˢV"2_>3SNjBM Eio}'&]{26SE $ϡxzJyDߺ&ŎH-|㏫Y LXǞ)VMSnAop؉!csNv#*`ж ) Ud!/B$8Lnysb7~EՑw>Ű}dwm{&-2LKO¼'tx`2(y"(YVx*Rb0QW' t 觍ͦOg'}CxFjM0q}:Ϲ6ÈiG G^2>l7Laoo'UQݕE1\:h&l~FȬVI@jWd>gpNEi[۾̆`͵Ș&Mug_d"1jCt0 p;#61҂K-fmVG :s렍KD)WT}B}4Z/>HAua%ZsܛSʬf@zAٲ^At` 2oPHNoc@t8]J I?CeL3c7ߚ!) ѧU-Tsad& kPvӎSJfPq /D wjLWĂ<,mdOCI;~=J^HF t[#n-/^F,AwhV ˄uS!%}Y~GoZp3S_>B?d" fW:ɤpa*,+A<-`|Kɠ \EovCPv;.Ԡ#Jzy%  &3RI 7ޕ6T#jRĸxc:Ҝr7- j%F;IX A )WM=HWǜqmzf­> Hg! n{t97{-ln1Bk#qJRɯ:Rף*qn({J,tϕyK&x!3=$,x/Ąto7+rW)CLx%̣փSM Av8Wo͆1CS2Mt2uSڸZ+H*䃥-w%,6Y0 '׿e9rGR@BX9#QAl⣾jkF'7_ݓ&͜}/~|HqlVI:FPxEI,Әܨe( 4Z9Zg ybpV[ !0{h[׻\[s1;}ɟ%-p bqnْZN 3BzD~ߑ/(XLgc@- IAHPm kQ>LOo:%}{Ck;v=k'BgoE.l|ݨePHQ*d}:B@j=x39t5*dz:,Or2 J ܸ.tD1DM|q #st赭L蜍-FqX. M_.cxv;1y!8|շj*<6bϳdzkEn ,ȴqzpFz=@yaT ZxH6N:„t+G4tL{Ҕ!&iɹ*(.Wnm~>"Txt}A]ӳ,r6jureR,FVWɿQ,B X-^Z>&gU}U>DȑD7Qې)+,R՗/:wbj:"K򋔼b|~s1T*~H@cUVQ|{ePim .Iw؆46;45xWm/ڶN:낍9nDrwѶ7*Ur2k/U?2l?xgj7 no_I`48cGY[Oe;,a~Q#(N^n!,*|(;*ZJ3ts%N yl VP4[x%楻V% cC˧N΢01HlJQӳ?i1MZsڈyҳ-ְ>"[ * 97"S%Aὠ,Q4q#A[݈&54JpG=ג@=;e5x-'Bo@&| .kEmJYS$tԐ = t9hh{NDXX+lMՌ,϶Bά6Ijakj#&_KeZA|JΈ \rQ. u~ʶf)P2Y/|'iH|daAjh;HrL[Po>Y^RvoU`y BuZxJa$`lYsgPm\Nv_;:0TǹCvPIs\DaA{Y?  lHL9@{.=8:({Is T^^N覘ZG5FbR[m }ܼQ&L;J+ HIu a'ot'Dƽ< b]M#U '=_YqVE*q04a bRbEņNA]Ũ&wL]-Z5,rXHzنbvb"iewRjdh_t]8nޏD^6ëYJW21Qqڕo*dtPMA,|xTd-3uɾ>NYbȚrCo?+7޿Vx̓pNZ%%%fNY^1=Jɔ4TL#ƾMMk`zAxFJoP.ˈO@$U]| סx6!]/v!6Sٚa0R&lk"h`NqP @ [.lqX^c q^]mA#`9`@gd6?k(Uy+DqkLopCCM%ZZyl,16!6ol\A.kWrpR(|m;}!!>օ'!Kv$HH"鍢h9B}/}=*_* <ݩ׷}> !:)ğ;APJ,8;A)y!>b}66qecY!hW휙H17l51TF`-8qg,7 XKK task9F(7čWG !q>oWO@搆kvZ\ujW-a3sV2?Ǵ{+ %SXqeP_1.(o!] (BK6H)[kq%z>KƳfGUŞt):T8'+UCC&qp-+t"OPb*VCm9to$r%%@G B9``pc93G6ٵ!VV ɸ7'!8:N 4V"Jf\mNc"Ik~.pF ( dW>A:%ӷ󤈻SAe>9M;qX.~ -2pܘ2XkiD"Yqd= /1j9Vd|)O 7ʏ`m/1(ڛ IjȣY#OBVY^=7=i6s$ݡ`j$1u嫍'k}'q R`&Qd8؎k$uc;xH m #C?)%31:#Wo6f&q m'YAdWv;kNi{n|(!H]lz!Rm ;K;:xzVUB/좔9KER+Ƶ.m-J13 E߄0a S+):̓.1f1EZϱهz]*О{Oe,leݦ@˞qsBIO9`jy2HSwF&vM? dqENWO˙%Eо_.a9=kcT2_St.e(W1|aUs;}Ԯ&? 9`椫ޙ(9ˌ0 ~`(:_:c aQ[gP"Gd]E'+x9M ]=@Um rJW1/Zv4c )c)X%Q~s}hze o@$>`L_V#.{*mTgщ_{D.>`i`Xܞ}3WކdԄjK5эUutr- /h߅'ٙ[i$ƤGD0%Ȋ1WUa/SH!׽J^:," ]XA,ϳn#Q#viWG8G\[bLbˠխ2b{CEZIzB?#z٬>Dx?z86 }WX3oFc3e+/`ojCh VrɪXffcI[Eִ\1of]7ALj vaW܎PO_zOJQisbMw[AI$&g^Gܔ:aC5JrL~k~WUWB.g)7D(ս9 H}-b,T,H78cxb/|L?Ӄ|)n'u>:KK>\W"hcQsG%N#GlhEsnBB̏IԘL8#nJa/XG!b_tф/9g9,Jܮ׃;b ~){qDpoA]E3^N㣷irW+VL d ѶmmVô\왼ڇKxP} abtL5OĚP724sNo[9sMXL".ኑdԼ/^Ayޣ^OH4n[RvoǪl԰hzWΟwJWJ?.j\K鲰)=Zz |\\B 0۪rO{]aZMOdW0鮰qi>^$kNrT-EG |My}0_&ɕ W{;-t1m3\vaXz .TU>XE鿐}FozqK-AĐ>JXelx2A!N>ԕxd){g97T?U\'CY$ O}k4޹Y;1uVt[W TYuO. v'cgB HIf#9>4DLXGj7""31hF W3Σ۟BO281P)(S#~5 I'`Oߵ/Dۻ^th5aG~o-jfOdB@'_ACoaBkT;c|~1fX,|Lax.U+HFlY#IL. H0)0W@du@'([)G.Tg_DKÀ-{K !=*ݮj\%`]a|Al&|O tL$p ]7U=zڎjjܘs6k>I-rZ*@ ] $Z`3.Q8 7rQɟ졛s^=vσs+")OcayDfQj>m ~*ڮ#f%Č+qTzm۪,(evYC2Ѡ68{wБQO\\AJO(I˾ۧYo޹Aⳝ:VvXxƱ\JzMa-,҈KBp0I?B'ؒ? T_?r7;D*T̴J/l8m?WuIR6br$ RaJ~{?0A](Nq,yΗ;!?yН ٍ<BvqG̏VZ+֙ۤ {QER96=/ UX_cSw:E[ρggӶ-t&n)H-Ugp*M$ 5.s7҆[kM>" ec>8;]镡WDD: y^&A6OpY-KןCzx QܘH69i?[tUXl:#m;E)yi**L:${'+ leYdEwvǓD}(sWo-t붨/+' [MdfF;gONsUbfbB[`NJ>N" Q8HLYa^>c4r1;|lb \dd0R;Y k,+U69̽AƏϏ4h9dUO"cƌÉhLP'Q{gƵ?ţC+8mcPx6+h'V]7`lq쇅tQ_?ޏ-b,kL0CEM5$k*jsڕ_gϿO3Ϭ{yZfSHV1)`:md3VQlU2esO"Dx+AHWlv{N21:V0 /ÏiDQm2,Ë6(ֈ;wkv (@QE;jJO9G%voe0BaA2ѥ , ͤ\oyND&«MS-Z$U2WZ1 WrˌC-q1qza!ᒩE pV,@Fb0Ee45i,[W@qA2 ~ mEd5]cR2w IT΄g j G '@<6YjwotNlJշ`kIwD0>Ɋ$Kd MG%q(Rox e1S@Hy%Ik5yڋڴ,p>"o<ˇVt,Pg鏟mj@҃hO3%C=^#jƕݸ ?sj{epD'5su׆3lW ]gDVF\}Wu=Ȯ/Ofdk@a3ǸY)qgKX_.I9;C]Q햔|q;VO)iZưfo9Nqc8L/nF}˰|+[ЈPQ=;vsIB\R(At(޷bLאki Dof~\O;I6'$3^[<Qޞj8": K)\IưU+ _@x/s&,[X6 vQf #GȎ4HS? zLX/ȗw2v8 ]8)+t_)H~ry ]o^XʈfQ2cTQӗfg ةY)ڵIfL8\[bo!5NML#(fJp{XN7{<ҡ<^u  <"KI02 ,%cAÛGF1>@<_'_]u Wт4Bo񠣼eV n[O~ى+rV1Hcn SW+qn/ҒA< +绂WڵP߇̻Wba/$ܦ;,՝dd!N!s(z=k}VȔBC'|7"j҃o,?֊9ܞkOJU t67\$t{dH2E:} cIڄN6  U,kIC Ł@vE7!Ljɚ\b4="6^Z=i<'k=,q{`*vScߏS][o:n֊gX|tAMvVxETQ=r^vvJETj[}r;$EBHDˣzri&Jn:T Ȱccԃ3eBr \ F6oB+V:٣vqs ْ̀۠ŦcGW{ϗZvT[xce^Nrx{=cR|@ W1zW 8 PIr4[JHG Hret9B+oCY. J87 %D -( |]^p!fvfEi^0I9qn!>sQ=nm=\97OMKVW%FC^!w'KC|0A4wp CtboνگS j/YÖD\QW`U AUgĞ]TG}ު/Sx:^|7=λoO/(?ČQ1'4}e;q>[2pUi1ZL[y.SNn)3I`nR[Ij[ނ?HvH)'Φ|3>LcA3YKg!:X 9ݳx?Z_|G$*8M]`)J&A&JGɴ{) &͢&ƍqn`\>=1=Pm?Fػp1f}c~1o4NoN5<~k L, '9nʑu?\͆t\QSGSyX ~7ޓҫmM=5+g<eX|GWВ c\c*H)>DO:6(iHގ?8O>,^uv;8{@uBS^oPV6gpU@hee~(> 2~`޻ؠМx}ѕŠjղ7>ƶNSQ&HbjZcڴC.#n)!cZ:đJCJ\݃ӦNymh&KZs1 ߾|(: 2UgXW>Y5qYԼ g$.IЛI:Fk)?4 <.a\ c9V0[c0oz( 26ݦBM݋N#ЫhwdV!x6tPݑ[Gc@|<(S qN3j8/腙KBw e'3H g5ڢ~)ۣ4+e 1s|B1f,x)Μ5eS>NV0FR~;:#KǙٹF8GJtgH2*k .sDu)B[M:2:=JUEgӸc{U]aֳVMic#ci k UhoTB0 }R."ǃrXcPf箒LTc{)&C{6}#yHqV%ƒn3Yl)|r_m'~1<kUm\ܘf ^qǝUi^)/q ՙ}ѐj%W~v }Ci=ƌ μ!MթQvz`d3NX!@+'\;pا^9FtRj9$#%TׯI2Yw 2nB''寉->y[@pj.p6EXVR'cR%md BٜC$ ["Y=1_჏&EzA ?)bqn hj7\VlemO Va_d LmgGy}<>i7h1Ni TPhuO%ޯ7E6σ_2Pg5vXpӋs9:)O V*YjiN'/2R@u R+ iY$H݋Hy:SUhi5j:tkU[_Y*DNȂDwrΆN/SZu'^)JfVYnc{R9nBO}+ "= B;/p:jid ,͏ zx!̡C{deݳ;ff;#"c(A*OB]3~ԂNP5h'"=(Q0$$ 1xOGK|$ځIp;L=R⬷0!G1eS(h giJ6fXK> 72B碱>.Ț WfCbOB 5WFF\/ʸ¹fc49 ڿly!]]˖dJ. 4bev0aha~⽏vMG%ewNBF,hýb'H9G0,"P>aVuW]w? 'C (ظq!aYnG#K˲kS-wwo3X; CI'=gb, .eEp1v3cbA }xhm+uXlWP ͬ6 f]7;"eN7)9I,@s'#%qv$O`a+>|iߨtz9rҟƭ7ɦ"8/RJ9nPw@oi:D)HNrMv2}g2 kמRv`-N4U?9&}yV2WG|+؎#RmQ%W%FC}vD\)=k'EN$#U9./o|_.aaXrHKqa!Z3 ,栤68=a3]K#-w!2! 5J/4- s %z)<'NUoY0d"٫͇+Kw \sWiG'%n3,,̾8˔ ӷu/3uk?ܿkس@%?Lr#.>*2 1 u65+ $Q]2dTY@u8)|4e~mM-|`ܝ dhlQUT_7zg*~?kn}PSxZbB-"XR >O:pvxV=)woNu$iVKq &oL^v k& |Rr^q3%t}eIlhrroDd] wRXH1hR@ڛ;/wt%ZZ։%|k`^#.ә<ȞL?m$Sg )WCJ|е<>IJ haKEkFO[Gq4WJsVh0VC`!=ו%Of׷iT1gNN[:OT]wӣ=1YXk}O6b/-**>,>#Z-VlmAKHZ_Y n#圵SpQ(0`^҄\()--_& o׾c.q-E` p u1#T]#5[`· ?>ޒC(_g40 1@>l[91^I5@iY7 );O`pl䤬Vxrx176C`1QI},ls' [fq F;*WPJ`/@՛ . 2s#ȶਊT<{v F[ةY-r'—dE&6 yԙGW‡Rp55- '+ ]' ficCK-CF'E!3e[РŮvPFB`9JW|1g:Dgkdi -G,/'ޢ3$Pfdct;&Y!O:lp?3% oX;M!{1Oiအ i#z"b'O;H=w-s]e|^Y%?|dg.TPS InOts_#`V`Ἣ~c& 40Q 7`{r`=R@ҍR3cyP ERptUK_)~FYq0S ISet$kgeiTJln+ bע]W6FQtqcҔMv54pP҂LK1C@N`ˌdBV%L,=WU:]nh^!ʜ#qdp^1 tIC@5Cq+iY *1b4uiYtOT|#Yz ŝ[fr+I<; 85]Nd5Ba.ɶ{&+08Zo$^d+4oiftZwWECὬ X^{QBuHϮwe j2δܥYɊ ,_iNAdAA"@sP"ќ[t0Zpej~t5R'pE㬰GRrU{4B\z\9;t]e΅ +xϙBy.o{+ֈ\ LѶ kJF˵tlHg@o ꢀJ;5# aYNozT) Kܿ?,O֮3?Qք}mFyw'^FaI thFDŽ OCk}bwץ9Jo-dH*sujj%ܛˊ6v,6'`މAs*;~4 63V(Cch^/Gچ$^<+֬P+@[d{3.@Ysíɚ;4v/1R)r@ȄFs2{iBԃcaSd|_iviyaϸ)% HRi=Dd0> ԭMx|!̆o[ tBީueZjvv͛rԏgNi ڜ?MMKjy{q Q W̄sAX{ ! 9&׮+GJRoT~MdYookvj[ !8GRRt)YA{|hT8H 6)p ~?!ADƞRTyAMKeDw eHE22pp4릳$CjЛW3s%{}PA( ZGDӋM4EH.!WIh qٯgAT$jt* '{&%<;埽[q0 ʰ}-d~xNc_ 7(IrMnRd&tqRq)eŅy+9 m(LkB%5 EpћˁX!Gڱ1uoSb& c =ϗz1h$HߐZ vD۹$a-Az[uʐo1Gg!@YWfӇkf穇9a8]9galg_s";9Q`'"Gj;-@gJ8RUc*w8A*'P9JGOYW|^mXx8*R6)Ǜ!gF{)@uӕskחL\6[틼9EUk1G'~c]@p-_`л &6&x7czv/O0a g䑓?SzF[(0Po/'H̛=&M m6ݍ>i}WW2_w~:Z*g$*u>5QY@1)@sA@zgl@0= 0J|>p–tFFW2h7w>ƸsG{wvu+WC3?1HӮсmr/ b1/~MJʽ|2P@w&/XQN4Q !lc b}d@<J3}V*3WWP~ƍ^ @U3t`:: =U,?u(8O o5|@(^/9|@nF*"ҎOԥ@"UXq7zW8"y9h:^OI!;y>҆N aJMaT#M-f-)+lP"]-ɻGLgwXXCUQX)* .& >Ewf}֢6=*'&$/9(ֽ®JŽP]հQѯOcH!Kz*-lOCżBM:Es`qϴ`_d̗ ֩-+ % {xBdTr|8fާ *#KS &ֻhVH8JkFT$W 3mm"S56w#|U_a3V~~~˂.qa$$߰%싟u*]-\m@'V%QhE kw<3_bƦxISd*^=L_E ?) <{QV`#Ռ<`$X荧'o4lj?OE [G_2`4/'fvL^0R3;)3ܫ}ddv+P/T TC\dOx\PڎM^$yc~zm1r ;'іdQ0U,}x[MAU?b]4z4Pn1=}jOl>'xy"V,Q; P|j 6Ex9*PZHE2_J 4pc+!=Xǣ'7=:E1PW8u>QG5ܲdrgXDdn56y2FuBؘ ZB_2IX p *cښU 7g]r&/mi6D+,!uN{7 hХ} kuӼ9I,ws28j4{ԟD]Op9 Ab9 58pʓ6h%/f;W< rixki ~I &C-Q@m?5*?I\@d>jަGϳ{$V>* *[9VbU#\}5}qı{lMj $\C% [iϷ@c'JE#,tU{.e'Td1=NomjUU~{LZ*B՟k?`%hA4ΚЋ@{; Y_!Ej|<@"/s30dRPgaaQ/f^Vz fwq*2B7- .VY39S-@N湌D"KlOC R}m܌#j+#א"_ͧ 1 )JDE,;+=k% 冠È.mmLxkcyoiagV΍ i7AYo^/έ^<:KkP#GMBIF|9=Z-8q˧+%\1R&c;@cj$Irv`IΨ'I#PY~0Na7B9_,Es&5,|V>hЅR; Qg|fϮ SJG¤.ÇBSZ k|܎Zj>ۉ&~v?SJaO2 Ѱȃ_qmg!LaN=(;ʏ<]s$ 2u!S ~BWRLa9M72wHQ%e^eKOFV>`6"HmIγ4>yҸ=tr{(!^NެLTf?u$B[d [%{6Q7.Iv:nLXK F F) 8 xtR6?5|Qݼg^7 >(k4D=4*c6ع҆]h0L啟 T425kDyQznI=T,1Y _"x<%!LF/1Ď֜;}^BOWvՁ^cJ=s t"u*t8)R]EHfFU4ZoԐ"{l ʕGRs (?F^p>~Aڲ?za71? پh5z~u˦jfqi#b, ?n,.:hTJvRH%0reb(T;[e/MX*ꤣ0lh@Y`aSh!G-p(鋱m1AVr70V*zxrqM^loϲ׫^Uh`U1܆EIЕN.ohV؛!*uY.@g%)^hSUY]?!"6@g ̋U0?ͮ3ȍ˅= k F 2 1g7u:BCML&[T$lGn)iWB)íI-vD2Nnpxg^BD}r~'*V!dQA?[:[ANKF(5}m%˽XVJZC ;,{.M*J@G]0Zouegnsݼ 2*_joDYfF_elxFGdwc/a&ҀPZ3 9 v?:cW0 )&̟9 XS QO;H_hrlfIeހ.qi;(|(\3G2ta#H1 l[vSz`8 l-3_U-ɳh[6aܑ7F"I={) OЋE%%诬P7 :۱-r!r ُAצ6 i&GͷDn\]v :zrQp Gʉdcx9 2w1Iyee"+OI-ZO}dRg$v?a.|^W `'ep16mp( N5G#1zmT{} RT76#EmxWNI1YAq-RbTVk޵ҧomQ$ApىEl2}MN{L5]1M2dJ*B ,eqԾ/_yO!boSc*/_D!w; fbSpՐMU`:Ց\"uن  F3//$|W+bH7hx :ЇPkWJ Q_p&VÅe7D = i0 `^ẏ G2 Sr Up#y$q lN9$B(Տ26e䘔vwb@k7Zf ~ {s#c *BNa#efL\܂F7A9$ ԑ^d\n2hoHԾv;FjXy䱩z~3 f4$crdfLQ,Pm3aRxvZދaBPZ,+5n}) Y/ R!I0=61}׫q)rQ`D5)VhO{yMY/DN79W[l σw eE,Bش{ڐ'zPTD&)U;X?wb&kc/SQkK:lf}*{ P= u'Sn l j)8QR̝,'P?R]p`?凩8rdJ_R19Fl&\;*p>5.g8|o;i(5%!NЈ mAZ`fp6𠑥X~C"pq8Q~OYx La]$z܍+_t9G|8ҦKKQå2ldsEDci3+XvR5>vP830N??+m2M,jYZ Ná)|MS-".6)؟~G̊GmC!Z=N%iz0%6k$% 9t T{CQ.D|W=R(w;}n!CHtzgM? v/@]'ﺢ^,NsCˋSg*bflK%T'm@0E:h@!R䦐PqԲ96&Ɏp6jԂ} >mHJ=?,fv*JX꩷!)ᛦ7y^rs\&44OgppBF=lnC/T=);ȁJe%yd@ y EZ![P;/g-f!MpaC)ka=.aV>CS v˜VT)MT;: dXUO归htv2{jvIkYطɂi,@sX|Ȣ?e"Г,0>6Ս9*];ȹ;ʏcqଂZſhJǗq:|A^(;",{je$eCO H \wyv7F~Y|O3'&j4xx o4Τf{bqݕ( {/6 IfDoVg\EŪ]@L/H,J+ȵyb:[qVgה30 َ^6:|^y5@w[m*[rY}Y!'Y?oY-3DM7Ζx6nƾ0ܿ1Sh qT¦fwᝢS~m5GQ/ꎏarZm clNWT"zf+[*y'oe@, ;H g=t;a?ӒNk5*I؎OWWWk֗Z.TfЭT. L#RF =Rph`߹c-> (;6U S85X,O(>tqȶ'Sq RKg6C%N.z:˽* }|?y-Gu-.NXDgY)h @ml?07iM$tq2n‹|VV؇!-ȉ,{H iBd} ".V"X{F׍',n-i(ZYJ"ߋ}pZmNgj.qAcI6y ůa@6⺶1V`1ŝ!AU@Z^ʆ 5JABh[T];#)u5SV|33VTk|خl^_Y0i|"FC2?pX}U}8U{E;H^n4<ޡt Qb2rA,0i_"FW'w ˊ[1Eh]b|&@x َ~a{&Է{U ^GSs.S`ar}*= M~[LHR .Ug.9I7sLa^b*dY5n(q C!ձk̺ۤ0˾ }^ks{SDҒ!*s/ƸL4E9*xw!rGi[Ә'檍8U?oIAXT3_COJ s})'WͰ,GT)+Jg$+ZDeG9O5}mxVh"RxPJqC ۪߷I,Л +AЌ\3Vޡ\\tn8qھkq / G42j{7°8СtRi .Zwӑ:q CPX5` ϣv@]q2\c8)jtod}h%&$q 1fNC$:ICI'"t _JGlDF;vdj;b}LZȳ`o4gRr6WHϲu),MvSZk@2Zw|5ۛ,e.5XI}4 ؽ8,|4OSEd˹AIac7ޞay٧\OG a1:U2'50|TYoǐgMݛ`˦ӫpa^0i1+v㴾22FIffSzdcC'FN#G幰].3IkR׬N PU3fE1~EazX}(D9LVQ%KC]|.30GD",bv]5wŒeBTZ+뭾q5#j=qep+s^Z[Z]+ _4tYwlkқF?jn0Dt˙-LD?w+10,xm:x-88h ,֘g0Joj['4mS;",aW޿ФӏNc1X]qk]Tv>eE*S`Oe){>Aܫ5&_^z㈺AcO 7KO7@G-><*tNY;_}ЉMɏpf~.%ʐLg Rf{pےS /iLEd6\\7:UU(U'T0Z."ݙVD|dKWjrd|j_=qٌ@,&3)%KXR%bPR$'O<ԋbVz|8`yII4sE&NraB~  ˮ=R"ס8B~n3A(zSn+【jO$m!QjHa/MrI)-*bz{!xcJٽ7:ްG'\ܱ͝c b:sc 4vieAECG,3I]'\H?1: {<:0RO ~yL, 4$H< 3r~NWU+yK">u'Q.C.œ2 5 `Ni)eCq zW7 @?C,yr ;;o<[2LeoHҨTly T/]4jmSfrV۫6C]c,v[HFbNaFbof35e?ܒ%?*B5WyoE>!wM(DOw@f}I2Qq΁BPy ,W.e`.FUҭ>NLeڕn@Qs0ռ#c: {waO?d+^6%u,aS#`M!k@4͵cb48\ @dZB~X,Iz)V ";Au @B_Ε'lBuQAmI趍r#1f v݃dkpg{O+Fv^I%<-2ߜP %ɕf|R_J `lǦOqSzk+ʜ/6ۧG JލĹ1\}XȷI:9x2hh$z_㍏hbʽmebM"lM}}LŠ&;n`X8'1C0Uk<$.FympR`/&7})h'G\4XPLtCw#q؂  ͘9̍?XRz-kfG/s#UV[9&__ˋ-,|q*>c8!#0{i{sbZqq(hUaeXC7̮k  #+w=:M 2 C#x.KT?ն Y!2xMg!kif -Vm|U)Ԍdcf,uh Or=U< yv.w6s, : յ\_6XhIOHZo;=G.Ƽ }(;+C0@ey=/ !Z|8>X # f.23E떁B>_I=3ws 1/dز:̤5'oUKRi悭җ~t+A&L"6ĔL3CER&YnoB:,s%>s\L7=& QU{$No5n@d?N“Wwفsg,WhMbčh[3] ,\O~\C>S?h6Y:OӖ)x,Dž'ji~l~c &Ti B춤tW}1E={o~ېnN61Y{D?XP`щ% ,]aS0y T.~]*icHA\G-F ~x1c;:L0}i_eBW\Yw*ɠTJ@ń ~ȫ_BhOE*L]Km.7Jhy{L wTR?q:ga4ASbIbWݱOY7p,r͸CH@b?"\5p*2XVoqNǧ 3N2wh*Z+R hh -Ώ? f<=)#QK60E2e3r@zRH&Xk~[>+K&ݮ}E~.wbztB?Q Xe\^$3yfy|h #Yt+م" ^To]!TXΚ}G.]FMX5[7<yU:^ج dH4W _aZ8 L^m'נ*M@bI*),pͬw..sۑGtQJO`U@}/*h\> w+HT.DN$mNcaOB|ϴ?+\뿎6]-Na}Ju66Hucy[ Ԩz gkK`C+55t=K[ 7$m s>X!{V@kԫ~5鷵/d }Rr謐g^eͬ$Hoa:#y8˵zNUEx*൘rWlS~!yޯ*KI4!F bU(k_,T,2*A9kpQu 0').Tj_r1s`w\3f_Ώ!&bSr`ho[j~#!2|gzs4h_$dze'#V˟~IZEsh?w _nj`Kr:cnZ Q(E TL*o:4UH0pgHcewݚ謆]#,3u_=E'ٯ`kgm4{ çvh:pz8YcŞJ$"=x$/eqLpEwT0tN;oJjŠJ&Mc3smҞ"|H)m册lkS82ʸ"@:QgkQv8W\.D]( |[h !ƶ}Ai0~dn-Pէc1/_Xfۋ|>W~@%"𼃕뵔/՜gdܖC,=F9K0; b8v(im*eO5 zT Z+n//ЋS,$B0N?tnA2#F rO ;'BXlÿ9]Q ߁wjpj˭y0,?[ 0kh]I[)MKԺuE\wEy*=fo1|z wD. $&E"}NSϣGt}^M{j]bn:$Q% RSof1\8Q1c S*]|VzHAĆL#AoMPDSH0k D[$Jq -*]m>}b(4!)UB#KKCG#yދ ILFL$=k}|?~VGG3W*%\g!~'ڪ C"D[]W"A0ǫ)7_1`l_Px* ",,!0_rnW-_dKն\c>:HYT䅤?_}BONM^NbgǴ]mx$ŸBF0xTJam9 $,g#oQ ,\Zɕ6b4Xr2º$HڑGcRE\"zn C{1{G#NFPEFjWG@aboXz3K6YWv_QXh3Kh&6(8ۆe7v2ozhzST@7v`BnWxzii l-E_3G79>B#_f3?2١x\E.Joa2M8ٶ:_dJgQءE}AP.Pˋ'3#(NQn.m簇r0;%m4 U]C8!׺HDX$l\o#2|=޺(M6(JC%J\SjQ#{Y﹪ϼ綠6}ڋ^ݤ!rbCiExD/|AE08,^_FK+M&WO:ox%Vd E}>L_bߓ^},L5*/}ɞBNjϪc\/yRTf#J-{Ab׉o@z8jicܠ~,VQpnʐЩT;wFrIc]n|1~IsGϨ]E_X8 !^3׫ ׬\7]sD0>hGly&?JNf[U Q<[T3-nZA7W5HPT.v|:#xb@[\N%@khԾGh!* =w&^%8_/TCْ؄G$B/'Y2*Z2a W$lDfq{, lȪ >QD9ZJrLu5;4 gQ2ԐOXAXЧ!@c)C :b́|vmրax1 _ۆ 3褢8Dk.Y.WqF4f/D\G!]&&r4P+藌%g>hJLRm~NL* f?3ꙫ\9:HU6? prWwCWhwC٦~Mr shR_{+ BҦ0 &et0)NXz}]ȸm~HPC:f9uSւxByaOfѭ8u.J[Nz}'ݑ3 ?Se}RIٟ/6>E4U4]%^;YX+3jjaIT0Yޮug Gu]j2BWmf;/؇LϣU[M=\~n|l?Iʿl$..VW8vo xJg\8mJnq뱩D!%+tF-Gtz>giv@l(6S8hG(53AKWd t&,S/p㫂I|C%A~3ƺ#q$ ǿ9${JHq86C=t*`%6܀j4nLn$Q76,1."{m[lO9%Rpw'ӹ΅l|&'^ƱlP2iC(Gt/zX?r¿7tPvf~N ̞bkQjqDS6z ΃=Nal2fL {]iptp(t@ T;ZNxxïq~Ew5kU.CLY^Qz;7"3:YALj]%̼vs4h<$ ~-9@?)tV%0.9u>m l^q3t@vgbr.Ujs:X?w8$ÔN&hHʍ.mG|ľ, !HS5 -cCQGtS<r/".<1#A/k'#Mr60~)0iDIDfʂ0 R[Jџ{?sy-D^vaaQioĶX+&dl]u);9VتwF93v7 SKY \<jP_/Y}2"eo1T(q>4;A{sp|`Ks@3@$}w㫯 aF=$py5 *,AXϑJ˵X_(31J$cwMݳTvRP}5ZUtJ*w\T# {#~%z1w@#w *k- v/ݠgmO b_2Ж2})(0nǜQ k_XFU8. t7E* V#$93}ϞoK!\!8hVL"!O/Bl뚈x#p4  MGoh#X ؿ\6I`s+N@N<Cs-ϱ`]30= XhV>ʣ)*kݵ(27s$3IJ|٦\NȬ/V>d IWJQߝHfLB+tF-L \WaNÞ4Ո*?O;p˙퇺GԪ"<襋|7wgds[YԦg6m%|ćJE #^%=/Lڲ؞f9Zu[ "lNayQjIVQ\v&9b>Jզ攞uǘFI_izbQi)ݺD J7}xs<7˿1ϔx:@t1wۜl`etۑܠlYn.,:3֫|1եD຃""*H< ˽؜*6-~ =iFhycxE|đ‚gyoe<֬ \=tψtJP Aۉ qs9`{[ ;q?>Qi$b4+Q' pf!zDz9}4'PAZVpͪ{ % N ;׹ƌpT #ͪZPD1"tU緦{~W[#Vm8Y .Lpg ]CїWmyd,жccuH )7:+ar WR72&sdEF+DrI*_G鹔3:!螾IQr$ VκҎeyʧk詩?,#(@Y@E1+9L,o 4s* @s!lO2΅ %:2 r Qf?)AxR:]}֏*: |-*%jW~'*̌hhKhY|VaWgj1OU2R-"{ަ\hYgXtQ2vY T"&%`&Ji u7; YDč KNhBYNpSYDG][nZUi/.T w: SY;Urc"R\pY8dMg )CA.FO_Z[egiGW2GbmZu~Z}/U|=U8E DM+.eG0@"K8Ɗba/~|< "@f-R+j!T!$Wnq̀o'Ffw5=Y]w馴O AV]T.ƨiڨqԺ,D6[C^p~@C^ @5!%)czwqu^4J ]U:iO C'@,Â!),1KK`g {Jqc^䠲(T u!'& 4XzkVwc ~ X"xf:mnxW~UXU%LY.W~wmijSf1@y/~ {t}WŸHnj!'FTAXj>8v ! g* G?%ӟk愋[3ך<4)Sw0suƨ4\n`]l|ޑL5ad$n uCK}I>`|s):jPC*;lڑ,4<<ב;{dՉ՞KKɢYVĔo*I=7d#V>^̰`?eMotO mNbh;QqE'Z9*O$(^-^׮P1y}gC`BN&d#c97@je[J X_J_~Z1r 4e<~DXB#5A8w#fE\,68M _"tBC;*5GRx=)ާO: !ć9R۪i(Toe '&r &@\ Z* _6 C 4j8_r0 *eP/ NFjAd=u"b{xRzL4OY38?kgԿ#J'uHy1ysC7FTDI?nuw  +{x-:%uA0zܜ^B ho2HCGSϵ `g5:{$fanH徉з*|#Sg?zŜI AP=z_ a>yy©hlGM 4T1 XT4?VJ!ٱ)L⪾mm\UnTjR1g+Y03+eS><7!̧Yzr9 ѝ)1cdA*M4RణCtIKy&"tӿݨ+FGxO46 2-ļ;`wسng%c4=U~ roL5;:4kmhXN{I"\eXz =_jlǵs[1A4tحwrw7.Ekv(xH>zP;l1mžqljM6u,ܣyݨuSxw)PT%퐥`aȺ݆PGD[^'IT#E[eU6%Ȗ_Kl$j/[3:ʑw̞ xJS8#I{OK( ǵKĹ 0K z?TNn\/@Cf6P|a Kl=k+̲l s#z;|ȌT5)7l4tS,溱WcYhҒZ"%QCOR*HGdXL}yc >&eDA]sوD+M7ЈwDdt :$/1`m9 -~3&NA JUri s*lK{Z%(VnxGS4%Kw7,wA,H,Rz+Iv{8Z;ouƱ҇5Y:! ZL19(W(6=!z0:aاB{ yT2'w'G5l'mx'-@"q@%IM,޵m]$cvP?}|WZ_̌2(v-bo\"HyV7}2foIi@K5GfliK"ܤrZyqX6afoUz V\ԙUUc&&"[a}C*W!Gj,c1‡_q1 "`eߣ))"P b֣ ;j܏v+:ι0 E~PP@4O لluJPyǕEa2 8fF.0Hj-cm{, F/[5b(~R mC81JsAmux%V}=cm]i\!P_y ^eC]4u'@mbUb-`Ąe?3Y&] H~tYe36i&lfԈ]a%\V)q3%qٶE(l&'Ql  )b*x_DŽ,֢*]FPc/OzR[cpSMy!@!4POGhЁʳ6Thp)_^`uy\Q:^, ?qlPSD޸,Ψ _ZW>>- `ZLK>ِLMIJמ Rz%KyQP67CeM'8EG]C9Ra3S4Ia 8ʯ 4U۹s( \x8jĎB"O })Ռvp%j8*x :c%l;#1-vsuVv뀏hA@JG^?@tԒn`A| b"C=iԤ.#5uL=@XV+>~&ݵ^e?GXda70!꣩` ~!XhX]E2DޓuE$8jͦ:M3v ڤ %_Dt2)~*M` >#:4"sȰ:DS'ǖՙ߀4IȐ978PQƎ>fDW(؂|xgNvY . 3& ҇]Jof;N;p\TLkP = pZtjäFj'y,n[UcD/cl3ԘԆɉeCG5"TA"g5J~`= Rgtzhܜ$_:Oq hq73 xUN/Ace 62c k6UN9d.E),4V]XҰ#neM71؊RUc>QN8sSj5%{8ZP"sgξJ1x9F4_tgBiq`;qLJMӈa5S-Ppon>&22g1<~L]EѥL.0.hg~+j+Qka"TyH(~P2$Cs!!>8&'uY? .Q47Kҁ@?O3.V@+kޚPT. `Nl$N‡ ԇ xI{CBtS~ ӎ:/X]@MARCF'#8DIilsx(٦jhCx/(hFT7|̍omv2Uc<`3]d~ jIl `;~bށ dU!⇿#a}S ơI1/ dn&!öXG/2ЁXu<Ѻ{r Gvԯ^Ӗi1Oq7MrEKP0`\f c #R1J[ B*s]Lx6[JԜPԍK@?HVZio^ֲၼmU\zAB]~gt{rkU KϠ[sr 69 U4c]eK*h*V4,p[`ζMԬJQFm)s(>~:@pXeGq= Hb>E:&neF&%`t5#,ͶF q-mk1d!؜ f}ٹd)OMG{ܷH-WK̋*$L#"zxx3:Dv`]IGA$C`h2\X8ڴ}ɁTe bjcr0h 0)AU*4CxٚjgS>Ogo.Z4gǫ0&IAvKߍ*K"-Cq?Odqm( c2dKc j-NH6wP/7cNv,&M`yY[N3_ j$l[:$RUQ,o&M읂-JS!n;jb"=/Lq4} N(9n8 /7ZgG(2lUh9VcՀ=0ā@c=Y+z6ȶ͸(n`Nyg6W[$``[DA*쾝XM{Da$Yq hKv)&a̮(tb*wO/e (>-c\_٠Eb|Fpd 6f4S%&.nhDTCR6x'(S`[\HiǤ0S}eE6`~+bGSu(.iĬ C?oDQ()~ZĜ*ṻMqR=:vm4LEBPI`pM]A[:e-o ې-22輬ZEޱ ,&}P}ɰ} ի{ qŵ`PP8CRUrH't\AUޡH 4#YdBljF([v0]ٛO*7޶sWuGWPEfgI,X@h] JˏV0[7>81Im!s&.,aX X^(]a3.7F7qd3v|RѺJ!]|)83 蒐a/laP#~]3,QeԉZt科TI(<\T`G=맺I5EU~qi^*:K>?.D/+R|(fIt 4VJۜ0r}f[T(Y] ɇXHVyЫmr}u@8$@%+ayWD$埿xdGT$ {.o[k4$^3ǂ!%3y ǹ'F3;ŚP2h`cPs,L3}oGbͬYtȹvMO dV!L;>_3Td:CLB)d{Zyp\?7y4mPP;2_^OO 2 d{Ӿ"I%`(O$vv,ab٥g7qMR{KMYr*B߁+A9-D8-|0?G1ە K r.U?׸D-@'pRWD اhx|ȅ$Ϝ%I Q(珠d-7Yغk-ɭ?㭎)x'IR>`)2 /kJ"O_&:ܳnltݥ؁ZʵԨw^H{6GQ3&R^K5NrQ`NF)Ʊ"pYHG9X1|񹤼mwPB1*neW[l*pT*61X/4MD;~b^ߍ Pl&`f͒u^sx-zm?+Fņ\ү?ՌץY/Dnu)osy VxKl+G"v)JK^Y K~˘~A.Ȧ^6Bh$A sTScH<`{}\Y#2qQ+5[)T][dc/d¶[8,&?#bmȡAGO< D[b"|ZTW[B2>>i}u> DJ5C|P.}:.p7% 9C 5za_j(H5(5:RnJ<>Gt@}dը15$x*JhQTPע"Ȧv J )+;n_/E*-߅'"+GZjVs{(%2#B\$>1 赏%>R2hZLPV2'H[`lj%}g{xDR&GAɅCX7w\`E,}ASZGݠ-{GmM{7WɲNQ9?јzA["`j&;7nNYGu`37푀?ds3_/osØ5,N't@#'2dEb -'']IЊ\-6hH`<"ր!  p ~̓ SGnޥv0'hU#p&E0:]-1 /^1➨k0hך`۶H_eCYZASk uNDLP`k9fa40sroHcf@SoDs()e\>k-Mhty|i(r x5z~I٥ OBH] ]!_NJL`X=+;^D_8Ωkǧ`[V:I$˿*(~PUS; ob"ԡ9U\y*zuWG 4*^ԭbVRh o=p4w2eߌ'wHޝ;< _6-RcK<Tww-m-|PwҸ}!_:i]Ц㿩)b+clC $$7ޭ=Kp+^BϋʕR1 XJk mu"5j1\kif,c678=Wke+ 2 5QQT]sVsuKik&"qӥt0!¥C%>l[8, R&]Čq\\n_u2jh*kO|U>o%+g En 74bki`LT}H%qR"wOh QHh!H!LPq[e!eʚ$KU6n' r_œDcPJO0+ݤO//kZb0!`.v;OJj+!<2C?sh;xO^8/OTAF's Qvô|ż:ӳ=l䗮ٞII Yԑ)h [`<@|`Qŏ!^:9{W6fSs `'ښ\okDd>=E! %6s'd\MZףlf]\{-e/_"Dj(tsaDTcJ S?H'̠ (_"uz޹yIbD 4ubqyGM"*dFå :bRc*܊ZE͇ǕPk?̘~5)=C(qeS%/F㞾in3ӎJuOJ?xxA}tf<4SK2joQ"9Om%Vİ+&YxM'Շ_;%2ymdPP@–$6ǤSHRB07522gnh'WӄS="~E>cܶ|ln7݌DSlI3;FZw#kD7dzԥ2 (P%uty̛iwn5j#Vޏ[#ly/p#eEVYJeHY+F$AoqUy\REѯGHBTo&<9̓`lƛau!f G1qhr-bjS >β uK[m#Jh)!ʑH \`@M<㚊vY5ܴ'bFZ$O68۹nkh4 ֽlEgxW:I'G1@nk֑T=%`XAzپ"!7^lMɻ:(IV3$'ֹfp.o {DV;c !]t-L=%Q LTKi|< f)Au3W u!sgц{HbʪUu/S6k.xKRɋs2~iEDwhe٧8RhU=w$̻yuTWYn^¤#D%->HR! nŎɑn5m~žU s/ $OP27SbyQ3up4`V6d,*f%LȘGrSԠ 0J[r':9.vWkSAfW`_$ G\ʴk''@kWǜlޫND1QZ{fB&D.>FaKkYm|XmdV1bF8wyf)f%=7T>dm!A #_xݳ=y韰a%YomSAMz8>ťn8GnD>#L!o"l=S!.Gfэ;( *\:; *O?k4ѷR}UGXCTeUl#բq،DqaUNaq{% !`RFaD !*O[۩}Ih7j5n`ϑru8Wa.NR(6i Tic8q}1J8^ #5hȥ6XU!X!ðO{݆bmL`U-:[U8N{ďGmߪ%ΰ@/۷?1TD#Ψ@>l{ BA|9c;'Hz~ ?Q_.D;_w5Ɲ/(Ȯr,z?~ռ9Z ;Ú$Wuw[hi>W]lR`Nj l ը%;1`ؤ5E`_|aԻ)ߞeUZBEJa2f2@ ي xʭRxf˗Z+'>v& <{N;:k'iL٬(n݈{S<g7iRITRii5ZIzF+f_vcudW5!:F[o"*'0Zs9Ft MY +D{no.ّQ@21`lI xFXszHΛmo%#dPQ 8BIH~ ۳bY Ӫ uAG8~ ˡ J։PD5~RlBņrN܋K "$DN fɖw)ˉsR 'Ts#݀#aPCI&*4pdr(Wչ19k_TJ>ljH9aV-QDݮ=Ձ/o448.m9<%T,YWp XHi!.[ s ro$K""@4\z%MR>܌Hsbv.e{7PJX8WDc#ص6ۏP=Uq| x%NY2Aǜ|%kټ )fY#-A(rw&|%Qm\c*u_*`O4FkB^nLc^5@ҌIeƚT3_~rNEG?4H3S#pP](@=?uL,ΏvuCN2ơ-U'oCUn7w>cKaw);Iuz0,*)ӌr͆u `tn9%S-lc~;]`n!RGaz{;IP>Q˛jՉ{{*@l0UHCLchHS%aE/JMqzF["Նr毉d1#d~' SzFRW19FD4in 0zx27kǶ2 Uu޼"cNz67reN/^uTQDvǘ_&Cyݐw!C1nE \qsAwJ,A1$"c'+miʙ#&Rn&!R)ɘFԠ ӑC-a'>Gǀd~U؄=0a%Ssxj~?1#0N!)1m2yz@ ܄8vzv3[sF䀼WF=pJO6>䂷M58A[i}gR[2;S1)-6h͡ud2Kf^Omѓ׆qNuOƃbs! $GaV ȠvŮ?̼|,ؿPApr⦖Kg^v`dl57ͽtK|ŴQ'?u )#[B 1vwd*tuf@(3"H}eˈT`L?'-C-M_Id{Љ ϑ2=Oԉk9 ;Y֘7t4Q/wabpRydr5Jkc0MjxnݕmeI-ّ 抣Z8Sol nH,#eYφA_Qzf(0zcWPu𖔾/$\u,=fб ԭز#M0CLP+007=mU֊d"Qѯs%Z ;(LX Zɓ!DC#.ಸ#}PΒDC-{`حJ]^~{>#:#c3!NML t[G/gnF:BƱT6VFG/&IN]db*SQ^"0tLef&59UK F߯U})ZxM4;Tl8f^^0,3N1ZXh uJ9ay9snW˭sOU_#bN1*nؖ 붺s̄TSl }' 6FUë\PбSξIL) D*ulq9! (RE9c{<-4a'^R]"[|`'ŨDZԟ:& {#&mQd6{r<`,nw7Qq=f_AeolŎd %5MJvʬ怸3+~O22EI`~ O; ]GADY>Od+֩"\4^)M_őu-S߳ &2LF F<ƙIU+܈W>kl#@sP@s<{t9Zo~qNJnvc4&'?Ho> w,'.+[1=!bJѸO~ &rO9ea&K L빌Nþt5斟 e% 8ޚOw[4B\tƨ ʁ)cͨ #uU5_dG?dOC.@i?J$@oY"}MנcQk_ pXʾz7,yk?KJu]oiApHUY)? 3R=(޼ϯkЂA5SO> SOtЯ`xd si\liJvז.ڪI,1m6!,?g8SYNqx"M{B/$uԶƫa̺+Ep`O$<^ݷ+>q3䔤X 0T6e6< -)+0*ĺX`i\:j 1X']$-8aVJC5Go7i7ymB Do:NH^-F %K?'3i4;q'Ȫ(ic~'8zٜIW!p* /'̗8>q/u$dzя t;HYTh;]ZPNْ8ܥb :.X$Uy堼.ɺڼ9xhu!g(bAx*tWW*+ (r0K)}bOSf~$o !8]ѿ['~Fx9_Y:>ҚiЍ/zAe^[vOEkn^1AGAГj¶,Y+󉒽cAi%_"F Jo8dOR$`Y0mSͧ6Є7,c267,@6"]5]ItSkHwbg68!K⢥$ &|}Å/} VMvH)4(dw|G}E KS5goT9DY+* ^ߝjP(I:\u]yYE0/99s~`}+ {#p0""PGfYd>Ґ}/"f7Od&%`R UvVⴵqSg,|w)WfMZHwc[xZ``$S ^0i1P)e(EΩ;N[M]I٤`+9DUDl'l csOkg !bMeW0ٶ+##)u+#|b碒%, ~vX(d˃O~bkjt"$ybєNc|G8Fw urcz( + F)$.Ӎs8akzKf"u#qsAK]:]ű.[̈Wl3ş_R܁P|$p.(_С"s92ST:Paa Re P0q9e gON9yZR-SNSc#Kкn2D8RtFV$Ρ,3SYzn[/(e9 |. ɪL 3-D6Uk?DJQ'cat9aN_?U0"s_Fl<,n:I75c:OY*bL5ʜ֚EqNgmn!aZĤ)ڳf v );V:L%] q~#>N;zem,6VzmwVܪjD}L3! pMeDu BHS|&Rjtޟvb`f{ D/T ZJ\y\ˑLʮB&-V4*QL,BC)#U8r/c#r&vy'=NJLhZ<4tf]b@3b8ҍ`M3J^ս0(0cCC|N pΟ[qѥua_s;d-͠cʒqbY&^,(65Ngcdv0̭ȃuBJS`]B%e: Rc.}A+Θ҇zDB%v4C6(Mښ~`[;d2?L6*=K(].W?`/*G̓hrP &9Nc ~[۝0W: to^@HZ8M݀dM2e_١”ک=mH €wlž\sUuXϡepm BJib-/=ևb"F $bU"ɇW3+t1ze`S#|yjmO*ƨ2<"%Fڭ3g5ڎe]n_u ^ #,9YeFoNicOcZୌ!tT03?Z~جW;Q&>xY9M\Lo>n%z{Ym3A]nj#+ʩO']: PA&ٕ0y;9F="Nr'(_S8B2T^aQ9zؓP6Drq;p z@{X կaNf_ǒÑ\wA٥tHXVAM`V813 NkIuTqC}, Q 'IӚHq$fM[R5Ra|V(k,4<`>jhm 91.MKdQn[:7jrXU_%#Ʋ֒Q &=Zu1Ƚ2 A4z9ξ^j N7, 3kϲ}$R,YǨK㹇4 eIbEUKCS%ںۆn;mJUC)2Z=a_ē"B ".Hn ,)If?ľ0L{⥸ąZ*B)()I3gg1$@%sm(Aq,0pΖ*'ݫJl-cLTYzDyqϣgf96F%S}rKcB`/-`ŝO@YZ[ )@Ɗ01ݨg1w'pTp&2jyT1=Tl"[l .R-?u;u18I[OCɪh,,kudzQ\{F"TȤbuv07&NJ*t VݍQ!1~"P=`@tȊ>8IAYZ0rB!C?Qէ,wz^Xջ.GhqOYSg#HhK&L9o/¦o,Ftd@gTu6hbף& U8w.\o▗ jR4gTMdq>VasƏ}KўP4Na;mlIҶ|2M6d".B]nr2l \e#'8Q`ދ7dpٍ45t2zӗ]Ô;JN?J!1[1㖶P~~⪍\{p׶uAcG`!oa%P= :<-$(-Sy$|t`jb|T⩉='&#LaϝJnYBpL;$bn)#_ &E 6<﵈s&Dg+)hB{Z.%A4\VG/ӤrfW۶w"LCH^g ?8b7UWto0p"!K5H=fK ]{-:pr9|vZ-ͳ2wIp@Y'e2$䯮QolέR 6? |כg~fDdSG o8e, Fk*@pDJ( K;XzCx$Fr~ x5kDɂյEmO&4\=w\Xӝ k/>7鍚doʅ'19kDy,=}pg@;op; bǷ$d_bzIƮh3yѰ`d 2Хj g(JGSswFs]q*"(*J_fGib &""xh*e,G Lpzn*}re_.]4:yAYŏ2>+S4lHoBepqȼ ϫNӪ(hrtlos&mh=ߚ\ص<,Tv4Jyؔ`Zdl#:7[\V 'آZc~+̝ ʲ/&ql40[C{VNN-DݚXVT0eOO9n|/QKq}Xe ~J6KS@qsXEp8ͪ ևhpښO:JG<ұȧOGo޷@EKM곇gЉVhh#:*X\|rO'L7 xhL@oΞ7OGB7lgz]>ntlUwy$V{ +JiBFߠy̐lC}y#[Gʥ KƎt]GffAko$/F&_&߲[_JXSUF 0UVHG!̹*۰?F)Y]I/\!ITs5m ;ؕl$3-1p95ލDM&j$@#Χv@=fM^MY/]1o31 Ѹ#a~eI|iI+tIE xEJ~߿ 53|\έ-d_u kiOC8/&"L3<%%PW *Ίp#&i Kp!JYha[iiPV PI!Z0bնrq$0n]vuxjɗAi? }B1gO9l9leU<@ }G+"}~yk¥f͒NrR=3#,,'7i6m.ʵ?wSg?/_J$r0%^x^_謽ֈh١ևVU`-NN{jMi yN4Va F%E/4wFGscOݻj~F=c7 1D4< n bϼz$1?g#M&=N^!Y:O9 GҏϡmLHEi&/*bCÎ&q\2MkՕ}Hi4=&E瓋YTW)t[fv:Z kLt:Xcd!wzTL ӂL?G" ɍcq[zo]\v!j4>0a#zYlEX3ULK)ꑰ՚L#'q{s[`%ms9!'0C9`!3vLP@/7 b3vЁ 4 7Sp '\N?b,eyk~[t-({wp<ρLZ7$j3W|Fvwzʩͼxp֧Xs+h wKnM/'B FrCxT[{/lqLBϻ;U3"]}Ab6>?@78%Ę~ÂT|x!\'/+I]eG˥.[kJfDg*kT}]CĨ&{8w{*wtaf C:#uL~b-z/FQ^c}2pa)4V݂+FBTvh%I^!?F1Wp@_er:E^񷁟**`Og99kWT@%HzOsr|&򛁡HR1}\>s Q5@R\d-cJH/yT&xif*t,#|6PܴPzNdҚIDJ,I&¸k軠uzL; d$:i X_\${5 ^,pu.= ٛxOx]q?r/$&𧾔,_M`9bμbb :bܧ[T}Ǝ7>bd >'[o7&,OR [b oj>`֞ErZ/j/Z7+PLhyE|0/Z,NRF_Rk`.!BItZ2^1k+۵yFڨ^L-HFSo:{JP)tͿ̟M"kH {ezeNeQX*66c~ZM3݂%Ӊ%(!(V7TUrPpO3]xzC=< 3DKۿ9r!I{͓悮/g \d7Йn#+L6@K~Lv^@ߖq΃M}` ;m{C/hv`]t&fsi#$@M.e5}d~1V>?** ht$[c5ۢ[ *wi}<3bCS3RLUAll?6t'W W}K$1#%=SmhzO6u'aQA 1 IvH=>8F&%21Mx!d3#>[&f78+skXo4w鵖vP[A8nY(g沱(hޜ&1|29 㶱 ApHt# V֭y۽v: "ի1''z0Gԡ v9=B 4GfDzM\_  $^Qŋ"oaxMt" ܝɩ+٧@#ǣ@1=.7iAw:\[‚pDy֜40#}B kpMUJͶi~[{TSvQGm4B@\j<4 2,qbzRmX,?c?9=UźPPqdZ'*2J"!72NpQS ;g.Ezn ǜ&AⅣC,SJ+P?cژvX$g/GFD7 :@e XaImN+gƠTC0{zn/ x?2?tn[ ֧βG r( lxȰ!vWܧ>y(r'GϐPQOg֯]׊fĥA.Q ^U]{.`Z'C8Sy-INyc6eu9 mұ@KRLS31\O>*˦vjEI:cW=alR@OsOpQ#6R#% կx=u &@Z< ~7Og2fvTO9M -+-(i$J}AB彜yFB p*#s Rz F⇳rTd(?HpgX:|.ɦB%nkHٯA9j )d\4C5Ti}d;#U0y8i'OhɋNՙFq NxGi_KWELtLƐlD KS—ơ.fS5ͅ-e lĂo|!1|kh/jVI]@e_b$M aֹ6<]Y잁~BFuu]@ASB'n`,ui,;Q\B?h1 @k9yR!+[,V('H]C;);&E_F, RJȝon3DI9;D ]%^$m}.3EyR#-ĩ 'H̎_Ej?3}N/ \26<&쾞U I ooBǬf[{_ۭwi6xSD\ @ba^ 4<[V,nPX\ΤMOˊ ux诃e B{̒evNzfC<;LAM==/,P;φ>*\~)8B )y^+X?6!J oBBȤ[hp򧰈+?:c-Zf _>e 0P\{h`D_BYD NÐ82xBݏq8'n8R= o1im1#lW꠻ܰɤ[y\:a;481"Ȥ:A -bkğwAc!~kTh"O~<_ 5p ae`:'=\/::݆1CZ%4 IM# Bn>Hxm UI(vpugG2Cp*i5V"avBU1(eryF9fn<Xhgvk*GsS4 h!nHKҏ=g~#J2Ȃg$9S8 Hm $ 0])#|igm{޼)^ZihXq*>(Y`O l+cήSkUh"icQa߀Ul z{QƴZ'G./l}7/yQqbt?xw&W ?2&{ěg2ڍcUgZj"iF踋OvNYl I,#;\uL>j1Q97-ؓCrsׁy'9 eTUa0(5lO5#q8޴Nc]2C6InCKO"5^QO4_~0M-&E66_l[vMd"5Cma1w R'_zH=""\-Ϝ׍w-&XM<ڕq'~޵Uz]KH`(>իUʙQJ cUi 66K(#1,q;F.V$f@E^ok2 n, UfՐ i[E-&|RdC >/0bk\M:mFz5&;3_)A"Rj5/QPb;rVzNob]uk2e oũ W z> TDv);j]DZ*1]L+̴>m3m;㿠vK& [$֗XeU:4k$În2&69Оc85fN/g8t2qQVNA$'cJ//Ez1bNzʩCJ7rhQPC0DJ%tP <&oQruv<+K!q[˴ eɪβ~Y,m x˼=Sj%Kdaq4ᕘI$<@Oߑpq28;0g @7 ; HZub%r5l\NvBkm@EyF>bo/^b^B2z:? V#z: F- Qɪ_ȕTa!"}>z^>q\`p:*tD;1J(sΥn $|3GC_h]fR@u ‘ Lrڦ+ΗbX'6F~Zϫ#N]7g/$QPG6%`%7М`  u0Ԑz`SۛwpF@WUEChqQ|_ |' ,moh<څP\i%QtJ."A`<*~stQ\Gr1^$NİxcD^bm~zc9=p3'ex)&lv*GD`RS淔獇3>QS-$Yf V6~<_&&Q=M\+_˷Ith~ ʚ΄jxf ߫ ԃ![8.1^t4ں$Cܬry+x9-MR:e0#7 &[T| ON&푾;'`*22;H?TASg4Nӕyt5! Lzu ur&96':j8aT#߿q->>VR= ڛoVwTmH5^^Bg"Z&Eu17+ 4k5:ᚮQk }WQ[j,Z57\gU- /-1)oQ` HPMa̝ǎ G,s=ZϿy^^Va,&G'{}0Y uuj5`%Cj7i}CnK-ol5duV!~Rhxso/8| sm"(G쀉~X4t^_Fϋ.70n.É\Y )=,4Qa"6dAը_[KOm1{pDѶZ&ٺ_*' lb{&}[uKElQSfI4E-g-RB[H0tutow>AΈI)Snqb YZ%T%xPptZAfe$Jnn}5@#I6vN?_o~gC 1ߑEd!r,+}l^CIHH>]"_G+axbڃgh! k͒SwI[&|z~*xr\MsӕۂMz0FaVtENdSن ސVSzfAHubM}y7N`&-J4-)B}{(;7<(Ѽ0S;>fi+@ˊiRgF܉8"-NZ#HLs[xYW7tbZa-_@I PT54@Yf'}W-U˞:46lHsqdMSBC0 j>6 JW$T4?`ݢpZpeEi\EK_8JIg7+ #6S+n"8iR *9%O[ƣJ\LhfjEOf~N9CKS'*{B^e p嘳(L)nm%#M2{[죰$D!?G$F JMu\43Dˊ,ïŋs!M½Fr DMnmxGx~.:nbvBTf`ܕ0{]cEgG(&j+B}?CCї{G_yKcbBrh}ϭ 9#!c^06ud߲Q㋉LĈF35=3[{Re6HL r< |(4s VKSLA.^__,o1 ٦<;U;/Ck?!&ف%#5,8RD8ى !PRU}N_e)]@%8ܛo9,m+41#?/]蛯DOy~ݓ:Ţ>2( `)oFx4le_m14N~Z}a9i[6p+,a7:ZLN7NxeaMc露I?TuG%wYd: Ei-ey*pҊD,_N#Qeh/DBgZ]aEPB5qMMI _!]M9'5u{_`SB_v %0\g.EymvkW[+cBNSR$Q؍^Q6V A"dAY}{k5DF5ez:n_{sxv:M~!O}R/; GEݭF2^J^@m1ߋpYBaR|,sku6gv%{$^>nJt1agǶ%ѧ 1!!)j IHq'B;}?RW)=)O Rc@M3k.xQ-UBӦ^=ck0앍 0֕~FZ4j*anYIls. Ȁ,7<# Ϻ^nߠ|tiH3l9Y_։;7 h q2Rt;ep7 /4vӇ"j)/1#bV ax HkN^ 5:g.'gŻYP2ϕPʢeu,xܠm nIhG~3[Y2eCpݍ>|[~&n # Y[mn]F-],l/)լs}+p󷄐 .O3 ne\6{CiT4 @'vDQ0/t_8°X'vw"TDoc*p{rzeI"0BPrBIKʸeVӿH7i崟]h_ļd<,vYo{njXnOCVN$@ScEͼFo..UòvY"ׇIvQ]mܾJU꭫r 9LXcHXnGW!cQSw!F_ƁSt!I,Ϯ!qn96!8]BkBJAc aHȱ c?Ñ#%dSդ\z ڭLL'PU@&J2&|lR6jkv+O]4Q)$.K*&e4(Jq(p'2X q7c(ip/w }f[z4T_bWUas08/^|.B pAz48[+!3Erk'KsG'9`d`IJul-VgƤ/a^U?% @wMlD_۷鱁E,7!QʒvmVrEJfV2as~ {>ו:of{yPre'f9 Ȧ%QJ7b\T%X7Ȓ mk7 ܑ=WGXltqܫw%R=ync4~6Z#mv @w/z$W6B"'(Y[ܕMS&k^Z]Qk{{.4~[y"yеX\ vSίPj)#&eU<"w;yy襇n]s$Z*ts!8$lY‰ϊ;)FVBWCB4"Ѧy )0ȡ0> E$Z~7AMhC8- ڇM9BC48߼n..>8KĊq[hGCΧ|;TT Gtכ9ؑnuPApԫh-:-CgI(|>KeGfKأչ-dZ0:WU/Ў4qǙ[HGDw%dl3d,*w\>NalE bt-cAdH̿n Xq#5vr]]ϲc Gd\]T^hҵ!`5f`^^abڗF]V(wN)Z(g|DKe VlXJѐ53:*^v0呺7K%Zr Ђ1`c`]~<_$\e~qU2GtԔ$w_d֎ 9*.x?mW5imm2,b<'Sȑe { Y$"ss߈"N"2NVREuHCg^4uQj8áA2Ӭm%G5 i#oCSGFu+z<~DC FT1gsT1MBL,l_k=`p6պ:r~)Il}`kܸy›ѮoJtϽW*. M}w =+;,d {>  7F6H !`J-o@y@Y"S,%uAEmh6|WЊpuq'`OxQ6#]>\7z2PU]FYm nd(J mŽESq 7 [W%"O:l&z}Rbi)*ƻ6ЋEaO=4 8+nBUЈY}zk[ ~zf.a_Oޑ2L6X4z/$;V2W"ߏ$Absިa~~$d_V7XDa1k򍸫5~O^?: Ә(c=`*w"v8izcCf&{Mwi6EK'mp֝DOH;{kQPnۯ~?5o1D4ټKRSPz.3U,^##hp<8S4n&'{A`[,1ei@|^$59avVC_瓌wR*5bT͏*l<9bT˵;nWq5:0Nv8D'b)o[{4 (X6Ԁ.I%l v+2LTpN{9P .RF MFyI }!>.e^#kN IDq7= gUQ42L3>TnڱY h >$2 7l ׻UR}' ml>>k&@ ^|nR8l{O\ٻg!]7vf߆Nd Ф8-zNְXYӂZ'xo,VpȾ*7eeR&he`Lj0Ė> A#: (ziN|o,@$$ZӢXπbs)k8^Pr}l;K?,G3o`GFU]zC[Q4Jw5Tt$<0z-G! CϿ~&@_fv=-~I#SC&+ R$u]f5g E\R@!-+r1_;E#&$ʕI- poWU!\\ {vd%p(yp|MY{?`wTֳ4J 4:V #[XAK 2eR#S$N2NXboG!UQE)j ]@; vcʻbpT rm&6A=(d N)Nٷ C),`MQ3 LFcU=-؀ "iVhaZIŁjA>ОK5&Hl} 2SDے7oc]HAߺڟxuv=FYqX 9wuSs:زӬl0h eV?'|FrjygC{U8(h(U !oALhGD=epi L~-,e_5.=*d( 7/€^v 1.=U设,\KNऽ<ͩpCfk,[g}9,\V2, LͲ&}q$si,Rz24x8 T9٠aq@~`\sݿVwU s1^wkp EtRMiG+u z/`k4@~}cҞ,~ǐF90c. HwzUx9̩! *E+z`ڰoR1|5)4q*sɌlˇIFF̴/D~̵ݜo++Ã39p%xQ/F)0u WAߵ YSΝ?V+0M)& rv[bF\nM*W] DvuWQGN #o<ӮSF}oH9fU+)̤wbʙbm pP3`94h@O%m m=aDFlN5d32=keLjAI E8/aetmkj]|Iz!"}i nf$҂2Lֿ!HIJ\pYޓjB)tM黉+>)5^,Jt4fd8ksTЄJovB C*㓣˽a>} 8/4=T&{1QZ]VȱLs\ӖlJ2R(D%I!yzD4=fpD!ؖzCk՘SnXȚ`:eٵîfI/-t]B{+qRu >B:.<ș'ݵUf7Ÿ Z@\4"` "jH^a1W֫C/ 8:RՓLIv=RTl$$*h>(ۅq.=ڑ v[s|#O zP>k9;IPiqB;- Z!Y6*#T'W(sᖿ' (A8hS6G{tM!崃~SPl7rYRՎN-O=,]341Q/=F8\H{O5e%SJ 3H_4&O ѴsH`n{ z.P6^|ungv> VkAk˅0F b?u%4L&wH;s4S,#/PkhΒA{6jC\-rG]FhKĒaĮ:X}ǑER˫{$"$|Hҗ$R IFdmf7%K=P9bp WZc_шzF/¢az.8uLzy jH$|~:ƫ.sk;N,YJceq y /6ofA7Q4VύѧSa9Onhr}v4.+7F+|Tۓ4fmpG2  B[L jz9ƆN]AS([ECjIrB/+ع5IYJ?8R6>6J]M{H}\x ~sDm%YE%qֵX`rxX0B??"xcuCj/G&GeoP߇'vQBHFUKӝ 3]_;VdSצ8X1b싿~\P||C"([D5^X7aiC`g6(>]P`([1Vj<biٲ"'bFD stL$N1ĄDk.?T%`C:pXB᎘dg2 q ;P\Y>9Aۮ(P\)=W"JpF=@i+z.lWi8ِ^DLc<@M_QU32Ľ0!٩˔S{'Cڥ ?'_1]AmE&._dU4b%8"_AnG K̳44/ e=x% S9Tn:Xc3|]X OI؆5JjQNOfUj(4=5xGwYOe%wmMV5Ktॗ0Aぐjxμ* X6[P>7X?Ī,Anōer̹FTe7W@H]#-L~jү ŞK!>\Gw13 $YH h/S2up u^S24v.XkSyLhiLhJуVE"3(/ ͆OAg6p~2hRv ,W1s ϛC27v4o?SLe0??=r~ X~HJ6 -dV?aM1Eh1o }\'abG~q7 F(P'bI|7SfǞXGSgt<,>mx1pt8m;FL=TA4fJNBowJ揊w~C2 cL0w"UdrT-;_r$hd[7ws.JD&OqZk(*~܃HԺ,!B~D.%#sv#H 7sㅥ2ா~JD/Mb wR[fg'sU˷k3j:Ԣ*;SУjmEZl~>~6qjt[zUEYb.by4-TGƨ3<)5Wwž%7AŒv."Wo N06]8u)sXdEu.ƑѐƤ ]~T'4|Qn B{Ebmͬ(^\wڴiMQ5jV˖UCOa1xfqx?S-L׳u[>t*? ;S$o@~s |x2=2[Lk F( ,ݷFQDG "R6)Z@|z X~.#'<.H.pc -a k<_umA >@K}u[ &m`̏uEScK/g9ϨI}|˕uY,0TX;FV0 ѺBįL4’X|虽xњCSo+#Q9|ǧ-0bߨR='ovwK75-3ܓ 9Z،Y[A,ߠ*W6/i?_8Y歎2?3FCGsW &عi}AֹK]vf% U.V$TGEi2AK^Q68eE^ѹT" )ܠ,㘖^.-PP3@R8rV?9`{̢XVּ 8nS%a{]?@}͌v_N$7 ~A$T|lq=ʌ~al ͸ #it'6/sAj7 ȶ< #|LcyXpFS&(Bک'#)`g>;L!&{5kL&=U-̍r;& mʐ't(LR3dpƞ>#J筀^s a? XY1*A`9ZIU>UoK*;x%8 ޒ PHr #t.昂:c_*oCAJfLJE$w)#fX5-::jR:<m^{sM5&g:mP̌Q<:0幏ESĵAьNObx,-L5}&J(,.nɜq_@c΃7ԱhH 9m7>0F!T,7pp"+mDd%KF&5<%%3 p\ڠg ]3mF}+~Dd٘t_f(O%[‡{B+_H.ȯ1fݻ5F}_NXM4$?r;B7L7|R7q:`d|و\=dgv~iP-J]^ldU|;hɭ7WyU,jepcyLkཱFkK&\hL:Tl8FT0La3o~Q/I P7E8Wqz9mU>m#t-Z7#Ņ]Dj2qQ `Q|.f>H$ˊ<Еj4l%L ZU1!`SoVy6 ^IΖP,~VAU@ec3x#'/+l 4J&rVp e# (rDBS[Uύ8V\E7M—Hb3䆎إTiWʴO@Zb\hzΒHӔfD.}گJJ>HF_SUo˸vF _Ց.7'_Lܻi#= IA ץ(|M̩%@GsL97#FT0%g/ >7 tO6hw35bTEĿ#Y.muܓqh52bZfإfpص-d #Ic;M+[6,Tb_K*Y-E@r` 5V%5zΘH&&zy~%P>ڇN8G-BFs3C!;K &YJ~ICߦSf3. s]$͟dMBG!?%!aCUpM=p*)S5eo<{]ԧ%mh5(&¹SZKݦD}c¸IT4R5ъۘu7q+Nuv=4$qGu5Kz3kEYy]=B_8lܮw);ʦZ5V|]*˘5h`Ϸ)46;[@LՕL*oh2B)G+~[.$:Cᑴ!6+S3EPI6gÂN1-9^nPmAI/Pv~0hpr֠z*;{T \<6YJ/!w[{'@^#S@a/j q0 iFmG]]NQZ.5m.SS%)(pZsyjp^E];ֵ]xwгc)b$D7߷Iq+"R>aX0Ő |]˚3瑗\L}cбLvMv(5Wآ~B/ sC6AJUd2*׼C&\ʂSZ]\E5 ,~IC$zf͙ X['Elҥ* %eMɚS٭KC[p
    P۷,ZaF<SVavEFp֧kU5w{%-G|5_H]{qLPnA4/o |(_`)S6B?w?NK'>w[}V-,oFw\xD>p!*nnApwlBF>CSJ,v'jH+K g@z F,ZEII+%:i$`Em,q4N^iU zcԥ>>f +yEV<* :<#:1X? ' D 589 dd:/ҧ u&4- IM qҡ,#[7,!ja>vn6|zb 4ns@5zP X=O.q8pWR֜ `'> Gܼ#q"#ּ)a ѣcF7{8$2Ŗo櫩aU,tFM$4(ޝe-}y6eJ8ߑeԑ#r$uS%ا9_|O'@VYcxBkX_B]-ew&L#>C\cBS'IJmUmɉb@yD4Nv!xOpCβqo߁ gGF$ .(ybq k@:*c8:B>P,Ek, 7Vw!7)qjui$ I(^92,f/;}|Ѯğqي}_o%EXA.dq6.li4^tV/*|Jj0[&3Pҩ~f~8B$mNo]2s)K05 : C5ߓx8q)[PSdMEHc:& ^*|ǭ"W6U Pt?M ]Lsw7xMNT?ͷa('Ĝ8)MB7 R CсwjҢ^K6C(,{Еei R}h*R<甭F'|{3_H5QA:;xjPbMku SRk~& ڏ ;Wj:5rGHdё%Tg$rLAc9{O x혆o5 &rZsf^>,@u X a/(K,-] jDq݈Y&R:eo5p盕 YLo*1  H(^4Q,'='VrdƆYWtƂO-9Zay'`۳{Ij>h&OGO*TK{36kP }򅺣ʶ-6tD/xmp gq+g@Y3\ه%\NN 4邽<TH#o3%ߴi KI~Zv`0vH\SQh9h&tR]oO_ežBlԋ.9 ^XBidP!IU? @u+sDցi^3 TrL7a>T2 1VT128AF1Bk c3\BS e=I-uZۑͧ)&Cmu쎻 tr7i>1{qp(grY'xMpjxޢW3y& s XoERǕvk;l4EЉU\7Wϗwyz -&#=:]]%o%o# *\*szGVOP iDo=hv0nۆx ;fUPƧIzk>ҧ~@OPc~&0-=d aj|T舏`Z2,w_>>:ͲdD~AZ[Gh-U͖ލdeuNmžP5A@06o΃W굜z ʾ Aۥ̣xMfߵе ;>dR#8H+D`e4f:j q3{RoΨQ shМt3.!*.jO 6cenIZ@x)&Վ|,1H=p' RO3}4y6v]}9bXQ|}FF{Es!sbh~̖$S>\ KܒE6ԫLk'>W+NTQ"y'!blAP %0=l +KqDlO)3KGG^^rDǕB1܊lX:s(?UxzΒk %y|R`bsHGן56ܶ|wkv#|MMv]Ql,}\,9Rq8#~C0 YW ?=!cDv/~n'$AO0F[^Cgۨ`4 @u~(Q]`>8Z[+o!;* ֜ipJ%w-2)o=NJb-4>z?>p?d-z- :TG槝G-g z:3k ۢlϦo-'lc;+~N.ЏУw흌9ϰm :DHe&s;~.o=QVq r i ~!IZM47Ozj8]ͣ74Ͷ /:p:0NI~SV!vry<cx3Q9%/_q<Є&fF Gq]u)$KWs;iG28C>sFAnj?v5li=a_W /JWOhw >nV;̩ [>ẓ)3ȣ FzvTpH%`W Ujj\+DSYa6٠rATOc#ID#u[ ۲9o > 3lmoldDؿ$(ü\poq@ƟQ}"F-^TV E6zqg CySy5| $x>hVcHSkiz)<1و}uyf&Ku?LZJ^NSAVY٪@.٘g 3|[i{D 5IX(Ե//{o";`n+OivC2e0ð|RhΕ7\q%@.F(:=N=O"m^N4x!p&Cu!#"XR9.t@cv'ppXXS&l|7ZJl_Cd@J^D=+\x-!bϙF+C8'Dj ؽ#'mt}Ff;N/ VDꖘ6 Fgl37QQV!?O9,)QY$$"HfkI ML+[W 7ZׁyZl2qjӨA:F<;8 R7pyE,9wS,bI8̢rA1;VbXɇDUpD/K~!D[Ӆ6@뿳]#uw^?Vn{XJ/ ߎ?xy-F13nߴgJ7`BkOc&tPGZ'Q aChW]r<{N#v Dm|n?_Y] r_K(D0MВ  I)W'/ (#ZuBAB=(z7,]^@Nc#;8lyH , _wTm(ex zHSP2@Hh9]X3@l@ i5^BtK*[0 ^eɬ+qƽ^op# IR,7˃YYk9F<(:8@C@<-Fea$3 `3T/X^D+Lβ }!ZWp3>#ZԂPMtÎhRFAil \Y?zIz%bS<.Aiju칮G|5sCI*Pq:?o_mR;뢮,˶]<<$å -0hR[7ξ\r3=(*R#$xYBXa%IM~ИA $hbE#RSdhNkyp}'ȖؚNq.qn(x-pHnl}2y@m%Kp.N(lzD똗׷EO%3G'yoT`uɸV?h,Ô8p)EՏGsѻ,PŐR @=p͆i/Wxpڎ P $nY4;\࿗+=\{e,CD"HF?;kE PĻ Ѧ'Z1 5TjMxai?lri%ś37U/˴'K <3ϓlGz$}A)l-~ E `hCaΠCxte7* سY P5D,-uYfnÎsHF#H/>E}/SmhL/y Pt3 4K v~{s0MA ?˂ /igc*$z4Ni{ 5)4/ɶy'Oj_Hx?w6?$ZcLh$$#7|%LF_cA)GgODw$-q7:CC􍼨-!EZcs?&p8"F%UѲ "][<,*qWf+-^& dr=>[ۢO x)> 0Y0 D_o36$8o= q~ K۽e`o@;`r6qғ {oum`߆V'6$(mpBޔ@a@}-~1tf`[YNhmF/04Q/{3tT}MT~Q'喕Nzf ԁR'4xYvL ۋG5NWIh˫ry6 aQGg{ڭ! m8a ZF%ȤH% fTn5\T?  nD#bMyQ2qϸSzl/Z x˔,}I d ;pv_cZcEVA"Vm6b󪞟I 9C wҜXҖ [DwUkF2;AS/笑ST#@}!.'|+/S v1# }%y}\'aúWwEC>W8L{5WB_n*Q8/ d[&'&ʦhc#9wP,xȁ%lߛkYo a ۖ_aZԤZsEīz);g ޿}) q]f6X?|r/v%?ۣBS}'Q I7+`($r:,q-$3:OiN;EYaZt,\MIzhT:V<, Y^)T\ۯ ) ф0}Ųz1>>!DfmA?,38ovl=bREs x*.D8j=ū7<ɦ`RQi{++eZS0Zuf^^ @!GU ܰ%_%ZZa[[,Bĵ8nh3ᦳ6Jm )c-Vm"?"I@L8x-AK#"ҲJ8ٲ1y3'{:Qústhg=Bv|οQ 2 C ih= T]G yC)+s {?R]G"냭)cUd>N8BaZgc-?֙#{8Xc2+Џ%ܻqiYr49Ueަ3]O.p lbǔ[[(^CGfo\4uua!^k/-? m"Ƨ"zPw:>~`l L#{>*kPɀoL n<|/ffQ*#g9wei$(tFXk*,)Xu'ß@P_8:f ]1b|k7y2ئj Z#TQێ*:41$ZD:o#.zU*4ϸv"QF J\"&gJ~EYNMk^ֆBYpY>wA3`ضi NʦᐃM}IAZGċkxv1AZ^$bOvFc.r3혉}!^l-kƀI1ё^Uᠸ<=%FxsD<_b(DAC禍crygì4G jK%> ")AsT"I_ݤÉ7͗~_1(EfFIvz%bm# C^hc?BխSks5a_Ty% b&|O  ˡ̦2xVPŽR=$'ő%?!^p2ݠ2\eG^p+z[0`hX*Hb\ұ߰I3Q`soXpF4  oͫ)s7ңLሴ[#껏+Hé`TUtlVhOl塋-qgWڛq3鑓\t eE,[r8y\g]CU }.zōllak~P[ 0 O/yhQreW&L$;^.PZvkitGh2F{ylm|yVb񲠑׺{fZeȀ)8y,W:T$cQSy;q3^^aH.@R 5lw"3GnQy~apĿ ,C6ާeW?ԏ2 iS$y#{+Xһ'Pl2ۉS-;PTAt|] C V{kܼW7&g5D>7X?A9ir^Z׼MPf IT - ;H `cZIn-nܧ:qiyj,M6+,] jj>zteYd^@z;e [2X;dsw8qI tH? ׎wsڰ3u:W0)l"#)kY 3wf)8K=QAr2wݑk%ߋ!)KmMpmIɯu, O8۷z/;x ^~Z NJme+2"\Z,^Hph⷗GՀ, j)4jy& Ozm "ӴkY#oΨF$eGǓXPd̃S^n⣄W䐲],P߆ݍ =a>/I\VQ8_<u J^+dM@?P~s}#{<ïht^gq(׸SroP qg`HKCe)$~-Ci3 Bu喯r;ҼHI=gE=^Iq-N[X]5s@}(YinFL)eԤy Cx0.p/{+;Lnnl]9ÿ4h'k$ *^!4fe}Fٚ 4,yP{S-un!{C;oB&m5xJkz z˼E%!qyZT-Ayi?vPYomkV{  e9[1 lIA7~ٷh㝷>QKqހ1nm~ۃ f'e\zemϘ( x˄QkA͕+!u@%jnUwEfɇ#NOѷ g(jUn W<}M3|bhz1ehErr̉1NN"H0 K 7Vſ(f C3p@B-ni#Dz(,z%A2<0 3Yv0]a|(Zgjz'GeȽ!Wj_1+BP[S^&+<rv EyDqۄSĺ}n&IczZ)E c?&1#=QP6!څA.$-k!e~ z7w5:6 { dW DHҕNm+^=BGJ֥Y*lyn^4;R*aVbW"zpf׸".n^ƍQ>7s˳쌌ǶTl+;Q@ug/l(ʱCEҢ[p|c]oDRTdUc뢆aR~k%7^xe>! b7N^Qbd$'C6GД6wY{L8A-KAX\S|kS8ULR-ve GI]RExQS 71`\6Wr .](տL& hPT6>Aed;b[C.V [FM)U>VuioLI [&o9''r‚Jmbڢp&ddGrw-PoNq\ܚVB1?湜9†]Χ!$^ȩO9۠EOj޼,J1^i]$$Km8ԇ1cksNp0*kl*ʲY,MtXRLgBfQ>j@4]p 0fg*'o]lK945'5\ĝŒZ66:=;1@lSTY M[SܚTeK#a]cO8"THeC:ħ܅MK6M<\~"&0)n围yj(hs3mp}5 :YYt0M-[y@O1|XIW~L˒*ilbvu=FT)Q &XQ[aR Vڕ)>1>xk&|238`8V2Ϫ۳_'N)!yçōx= ,8M_ΦƄ-^}3uVmR˽m#pLJ3y8M51ḿKt-ٌ[,3N`0L ]~)ݙ #}*}Iܪ)6j:-j@ŗ,8Fד_&N(]sK<8Z貛ѺmTWT/=ӞKo"-o`T*)ji/}SPeQ̢3LyfʄA] r/k3uRɽ|Ƴ(7Siy_n 20#R,:cMNLK T;,}Wq-L4kESeB44= τK4̠^rm@;'''fG9"2`S yO\?\Z/<1dԺ*C_]