Name        : krb5-plugin-preauth-pkinit
Version     : 1.12.5
Release     : 9.1
Architecture: x86_64
OS          : linux
Platform    : x86_64-suse-linux
Group       : Productivity/Networking/Security
License     : MIT
Source RPM  : krb5-1.12.5-9.1.src.rpm
Build Host  : lamb25
Cookie      : lamb25 1507536889
Packager    : http://bugs.opensuse.org
Vendor      : openSUSE
Distribution: openSUSE Leap 42.3
URL         : http://web.mit.edu/kerberos/www/
Dist URL    : obs://build.opensuse.org/openSUSE:Maintenance:7353/openSUSE_Leap_42.3_Update/7428cd2053039be5f16632e5c52fa2d1-krb5.openSUSE_Leap_42.3_Update
RPM Version : 4.11.2
Payload     : cpio, lzma, level 5
Header SHA1 : 9f8cf821b2e73be77f225b5ab7a53ee86bdae51d
Summary     : MIT Kerberos5 Implementation--PKINIT preauth Plugin
Description :
Kerberos V5 is a trusted-third-party network authentication system,
which can improve your network's security by eliminating the insecure
practice of cleartext passwords. This package includes a PKINIT plugin.

Build flags (optflags):
-fmessage-length=0 -grecord-gcc-switches -O2 -Wall -D_FORTIFY_SOURCE=2 -fstack-protector -funwind-tables -fasynchronous-unwind-tables -g

Provides:
krb5-plugin-preauth-pkinit = 1.12.5-9.1
krb5-plugin-preauth-pkinit(x86-64) = 1.12.5-9.1
pkinit.so.0()(64bit)
pkinit.so.0(HIDDEN)(64bit)
pkinit.so.0(pkinit_0_MIT)(64bit)

Requires:
libc.so.6()(64bit)
libc.so.6(GLIBC_2.14)(64bit)
libc.so.6(GLIBC_2.2.5)(64bit)
libc.so.6(GLIBC_2.3.4)(64bit)
libc.so.6(GLIBC_2.4)(64bit)
libc.so.6(GLIBC_2.8)(64bit)
libcom_err.so.2()(64bit)
libcrypto.so.1.0.0()(64bit)
libdl.so.2()(64bit)
libdl.so.2(GLIBC_2.2.5)(64bit)
libk5crypto.so.3()(64bit)
libk5crypto.so.3(k5crypto_3_MIT)(64bit)
libkrb5.so.3()(64bit)
libkrb5.so.3(krb5_3_MIT)(64bit)
libkrb5support.so.0()(64bit)
libkrb5support.so.0(krb5support_0_MIT)(64bit)
rpmlib(CompressedFileNames) <= 3.0.4-1
rpmlib(PayloadFilesHavePrefix) <= 4.0-1
rpmlib(PayloadIsLzma) <= 4.4.6-1

Files (owner root, group root):
/usr/lib64/krb5                              directory
/usr/lib64/krb5/plugins                      directory
/usr/lib64/krb5/plugins/preauth              directory
/usr/lib64/krb5/plugins/preauth/pkinit.so    ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, BuildID[sha1]=4d41bd68e1c3c77d7b0907841572b9eb525add8c, stripped
                                             MD5 792c6dbe4d7a7020692274a02e37bd82

Changelog authors, in header order:
hguo@suse.com hguo@suse.com hguo@suse.com hguo@suse.com hguo@suse.com hguo@suse.com
foss@grueninger.de
hguo@suse.com hguo@suse.com hguo@suse.com hguo@suse.com hguo@suse.com hguo@suse.com
varkoly@suse.com varkoly@suse.com varkoly@suse.com varkoly@suse.com
ddiss@suse.com varkoly@suse.com
ckornacker@suse.com ckornacker@suse.com ckornacker@suse.com ckornacker@suse.com ckornacker@suse.com ckornacker@suse.com ckornacker@suse.com
nfbrown@suse.com ckornacker@suse.com mc@suse.com crrodriguez@opensuse.org mc@suse.com mc@suse.com
mc@suse.de mc@suse.de mc@suse.de mc@suse.de mc@suse.de mc@suse.de mc@suse.de mc@suse.de mc@suse.de mc@suse.de
lchiquitto@suse.com coolo@suse.com coolo@suse.com coolo@suse.com mc@suse.de coolo@suse.com mc@suse.de mc@suse.de
stefan.bruens@rwth-aachen.de meissner@suse.de coolo@suse.com coolo@suse.com mc@suse.de mc@suse.de
rhafer@suse.de mc@suse.de mc@suse.de mc@novell.com mc@novell.com
mc@suse.de mc@suse.de mc@suse.de mc@suse.de mc@suse.de mc@suse.de mc@suse.de
lchiquitto@novell.com
mc@suse.de mc@suse.de mc@suse.de mc@suse.de mc@suse.de mc@suse.de mc@suse.de
jengelh@medozas.de mc@suse.de coolo@novell.com mc@suse.de mc@suse.de

Changelog:

- Introduce patch 0109-Preserve-GSS-context-on-init-accept-failure.patch to fix CVE-2017-11462 of bsc#1056995.

- Set "rdns" and "dns_canonicalize_hostname" to false in krb5.conf in order to improve client security in handling service principal names. (bsc#1054028)

- Prevent kadmind.service startup failure caused by absence of LDAP service. (bsc#903543)

- Remove main package's dependency on systemd. (bsc#1032680)

- Remove unneeded prerequisites from spec file. (bsc#992853)

- Fix CVE-2016-3120 (bsc#991088) with patch: 0108-Fix-S4U2Self-KDC-crash-when-anon-is-restricted.patch

- Fix build with doxygen 1.8.8 - adding krb5-1.12-doxygen.patch from rev128 of network/krb5 (bsc#982313#c2)

- Remove source file ccapi/common/win/OldCC/autolock.hxx that is not needed and does not carry an acceptable license. (bsc#968111)

- Introduce patch 0107-Fix-LDAP-null-deref-on-empty-arg-CVE-2016-3119.patch to fix CVE-2016-3119 (bsc#971942)

- Upgrade from version 1.12.1 to 1.12.5. The new maintenance release brings accumulated defect fixes.
- The following patches are now present in the source bundle, thus removed from build individual patch files:
  * 0001-Fix-krb5_read_message-handling-CVE-2014-5355.patch
  * 0001-Prevent-requires_preauth-bypass-CVE-2015-2694.patch
  * 0100-Fix-build_principal-memory-bug-CVE-2015-2697.patch
  * 0101-Fix-IAKERB-context-aliasing-bugs-CVE-2015-2696.patch
  * 0102-Fix-SPNEGO-context-aliasing-bugs-CVE-2015-2695.patch
  * 0103-Fix-IAKERB-context-export-import-CVE-2015-2698.patch
  * bnc#912002.diff
  * krb5-1.12-CVE-2014-4341-CVE-2014-4342.patch
  * krb5-1.12-CVE-2014-4343-Fix-double-free-in-SPNEGO.patch
  * krb5-1.12-CVE-2014-4344-Fix-null-deref-in-SPNEGO-acceptor.patch
  * krb5-1.12-CVE-2014-4345-buffer-overrun-in-kadmind-with-LDAP-backend.patch
  * krb5-1.12.2-CVE-2014-5353.patch
  * krb5-1.12.2-CVE-2014-5354.patch
  * krb5-master-keyring-kdcsync.patch
- Line numbers in the following patches are slightly adjusted to fit into this new source version:
  * krb5-1.6.3-ktutil-manpage.dif
  * krb5-1.7-doublelog.patch
- Remove krb5-mini pieces from spec file. Thus removing pre_checkin.sh
- Remove expired macros and other minor clean-ups in spec file.
- Use system libverto to substitute built-in libverto. Implement fate#320326

- Fix CVE-2015-8629: krb5: xdr_nullstring() doesn't check for terminating null character (bsc#963968) with patch 0104-Verify-decoded-kadmin-C-strings-CVE-2015-8629.patch
- Fix CVE-2015-8631: krb5: Memory leak caused by supplying a null principal name in request (bsc#963975) with patch 0105-Fix-leaks-in-kadmin-server-stubs-CVE-2015-8631.patch
- Fix CVE-2015-8630: krb5: krb5 doesn't check for null policy when KADM5_POLICY is set in the mask (bsc#963964) with patch 0106-Check-for-null-kadm5-policy-name-CVE-2015-8630.patch

- Apply patch 0103-Fix-IAKERB-context-export-import-CVE-2015-2698.patch to fix a memory corruption regression introduced by resolution of CVE-2015-2698. bsc#954204

- Make kadmin.local man page available without having to install krb5-client. bsc#948011
- Apply patch 0100-Fix-build_principal-memory-bug-CVE-2015-2697.patch to fix build_principal memory bug [CVE-2015-2697] bsc#952190
- Apply patch 0101-Fix-IAKERB-context-aliasing-bugs-CVE-2015-2696.patch to fix IAKERB context aliasing bugs [CVE-2015-2696] bsc#952189
- Apply patch 0102-Fix-SPNEGO-context-aliasing-bugs-CVE-2015-2695.patch to fix SPNEGO context aliasing bugs [CVE-2015-2695] bsc#952188
- Fix patch content of bnc#912002.diff that was missing a diff header.

- bnc#928978 - (CVE-2015-2694) VUL-0: CVE-2015-2694: krb5: issues in OTP and PKINIT kdcpreauth modules leading to requires_preauth bypass
  patches: 0001-Prevent-requires_preauth-bypass-CVE-2015-2694.patch

- bnc#918595 VUL-0: CVE-2014-5355: krb5: denial of service in krb5_read_message
  patches: 0001-Fix-krb5_read_message-handling-CVE-2014-5355.patch

- bnc#910457: CVE-2014-5353: NULL pointer dereference when using a ticket policy name as password name
- bnc#910458: CVE-2014-5354: NULL pointer dereference when using keyless entries
  patches: krb5-1.12.2-CVE-2014-5353.patch krb5-1.12.2-CVE-2014-5354.patch

- bnc#912002 VUL-0: CVE-2014-5352 CVE-2014-9421 CVE-2014-9422 CVE-2014-9423: krb5: Vulnerabilities in kadmind, libgssrpc, gss_process_context_token
- added patches:
  * bnc#912002.diff

- Work around replay cache creation race; (bnc#898439). krb5-1.13-work-around-replay-cache-creation-race.patch

- bnc#897874 CVE-2014-5351: krb5: current keys returned when randomizing the keys for a service principal
- added patches:
  * bnc#897874-CVE-2014-5351.diff

- buffer overrun in kadmind with LDAP backend CVE-2014-4345 (bnc#891082) krb5-1.12-CVE-2014-4345-buffer-overrun-in-kadmind-with-LDAP-backend.patch

- Fix double-free in SPNEGO [CVE-2014-4343] (bnc#888697) krb5-1.12-CVE-2014-4343-Fix-double-free-in-SPNEGO.patch
  Fix null deref in SPNEGO acceptor [CVE-2014-4344] krb5-1.12-CVE-2014-4344-Fix-null-deref-in-SPNEGO-acceptor.patch

- denial of service flaws when handling RFC 1964 tokens (bnc#886016) krb5-1.12-CVE-2014-4341-CVE-2014-4342.patch
- start krb5kdc after slapd (bnc#886102)

- obsolete krb5-plugin-preauth-pkinit-nss (bnc#881674) similar functionality is provided by krb5-plugin-preauth-pkinit

- don't deliver SysV init files to systemd distributions

- update to version 1.12.1
  * Make KDC log service principal names more consistently during some error conditions, instead of ""
  * Fix several bugs related to building AES-NI support on less common configurations
  * Fix several bugs related to keyring credential caches
- upstream obsoletes:
  krb5-1.12-copy_context.patch
  krb5-1.12-enable-NX.patch
  krb5-1.12-pic-aes-ni.patch
  krb5-master-no-malloc0.patch
  krb5-master-ignore-empty-unnecessary-final-token.patch
  krb5-master-gss_oid_leak.patch
  krb5-master-keytab_close.patch
  krb5-master-spnego_error_messages.patch
- Fix Get time offsets for all keyring ccaches krb5-master-keyring-kdcsync.patch (RT#7820)

- update to version 1.12
  * Add GSSAPI extensions for constructing MIC tokens using IOV lists
  * Add a FAST OTP preauthentication module for the KDC which uses RADIUS to validate OTP token values.
  * The AES-based encryption types will use AES-NI instructions when possible for improved performance.
- revert dependency on libcom_err-mini-devel since it's not yet available
- update and rebase patches
  * krb5-1.10-buildconf.patch -> krb5-1.12-buildconf.patch
  * krb5-1.11-pam.patch -> krb5-1.12-pam.patch
  * krb5-1.11-selinux-label.patch -> krb5-1.12-selinux-label.patch
  * krb5-1.8-api.patch -> krb5-1.12-api.patch
  * krb5-1.9-ksu-path.patch -> krb5-1.12-ksu-path.patch
  * krb5-1.9-debuginfo.patch
  * krb5-1.9-kprop-mktemp.patch
  * krb5-kvno-230379.patch
- added upstream patches
- Fix krb5_copy_context
  * krb5-1.12-copy_context.patch
- Mark AESNI files as not needing executable stacks
  * krb5-1.12-enable-NX.patch
  * krb5-1.12-pic-aes-ni.patch
- Fix memory leak in SPNEGO initiator
  * krb5-master-gss_oid_leak.patch
- Fix SPNEGO one-hop interop against old IIS
  * krb5-master-ignore-empty-unnecessary-final-token.patch
- Fix GSS krb5 acceptor acquire_cred error handling
  * krb5-master-keytab_close.patch
- Avoid malloc(0) in SPNEGO get_input_token
  * krb5-master-no-malloc0.patch
- Test SPNEGO error message in t_s4u.py
  * krb5-master-spnego_error_messages.patch

- Reduce build dependencies for krb5-mini by removing doxygen and changing libcom_err-devel to libcom_err-mini-devel
- Small fix to pre_checkin.sh so krb5-mini.spec is correct.

- update to version 1.11.4
- Fix a KDC null pointer dereference [CVE-2013-1417] that could affect realms with an uncommon configuration.
- Fix a KDC null pointer dereference [CVE-2013-1418] that could affect KDCs that serve multiple realms.
- Fix a number of bugs related to KDC master key rollover.

- install and enable systemd service files also in -mini package

- remove fstack-protector-all from CFLAGS, just use the lighter/fast version already present in %optflags
- Use LFS_CFLAGS to build in 32 bit archs.

- update to version 1.11.3
- Fix a UDP ping-pong vulnerability in the kpasswd (password changing) service. [CVE-2002-2443]
- Improve interoperability with some Windows native PKINIT clients.
- install translation files
- remove outdated configure options

- cleanup systemd files (remove syslog.target)

- let krb5-mini conflict with all main packages

- add conflicts between krb5-mini and krb5-server

- update to version 1.11.2
  * Incremental propagation could erroneously act as if a slave's database were current after the slave received a full dump that failed to load.
  * gss_import_sec_context incorrectly set internal state that identifies whether an imported context is from an interposer mechanism or from the underlying mechanism.
- upstream fix obsolete krb5-lookup_etypes-leak.patch

- add conflicts between krb5-mini-devel and krb5-devel

- add conflicts between krb5-mini and krb5 and krb5-client

- enable selinux and set openssl as crypto implementation

- fix path to executables in service files (bnc#810926)

- update to version 1.11.1
  * Improve ASN.1 support code, making it table-driven for decoding as well as encoding
  * Refactor parts of KDC
  * Documentation consolidation
  * build docs in the main package
  * bugfixing
- changes of patches:
  * bug-806715-CVE-2013-1415-fix-PKINIT-null-pointer-deref.dif: upstream
  * bug-807556-CVE-2012-1016-fix-PKINIT-null-pointer-deref2.dif: upstream
  * krb5-1.10-gcc47.patch: upstream
  * krb5-1.10-selinux-label.patch replaced by krb5-1.11-selinux-label.patch
  * krb5-1.10-spin-loop.patch: upstream
  * krb5-1.3.5-perlfix.dif: the tool was removed from upstream
  * krb5-1.8-pam.patch replaced by krb5-1.11-pam.patch

- fix PKINIT null pointer deref in pkinit_check_kdc_pkid() CVE-2012-1016 (bnc#807556) bug-807556-CVE-2012-1016-fix-PKINIT-null-pointer-deref2.dif

- fix PKINIT null pointer deref CVE-2013-1415 (bnc#806715) bug-806715-CVE-2013-1415-fix-PKINIT-null-pointer-deref.dif

- package missing file (bnc#794784)

- krb5-1.10-spin-loop.patch: fix spin-loop bug in k5_sendto_kdc (bnc#793336)

- revert the -p usage in %postun to fix SLE build

- buildrequire systemd by pkgconfig provide to get systemd-mini

- do not require systemd in krb5-mini

- add systemd service files for kadmind, krb5kdc and kpropd
- add sysconfig templates for kadmind and krb5kdc

- fix %files section for krb5-mini

- fix gcc47 issues

- update to version 1.10.2
  obsolete patches:
  * krb5-1.7-nodeplibs.patch
  * krb5-1.9.1-ai_addrconfig.patch
  * krb5-1.9.1-ai_addrconfig2.patch
  * krb5-1.9.1-sendto_poll.patch
  * krb5-1.9-canonicalize-fallback.patch
  * krb5-1.9-paren.patch
  * krb5-klist_s.patch
  * krb5-pkinit-cms2.patch
  * krb5-trunk-chpw-err.patch
  * krb5-trunk-gss_delete_sec.patch
  * krb5-trunk-kadmin-oldproto.patch
  * krb5-1.9-MITKRB5-SA-2011-006.dif
  * krb5-1.9-gss_display_status-iakerb.patch
  * krb5-1.9.1-sendto_poll2.patch
  * krb5-1.9.1-sendto_poll3.patch
  * krb5-1.9-MITKRB5-SA-2011-007.dif
- Fix an interop issue with Windows Server 2008 R2 Read-Only Domain Controllers.
- Update a workaround for a glibc bug that would cause DNS PTR queries to occur even when rdns = false.
- Fix a kadmind denial of service issue (null pointer dereference), which could only be triggered by an administrator with the "create" privilege. [CVE-2012-1013]
- Fix access controls for KDB string attributes [CVE-2012-1012]
- Make the ASN.1 encoding of key version numbers interoperate with Windows Read-Only Domain Controllers
- Avoid generating spurious password expiry warnings in cases where the KDC sends an account expiry time without a password expiry time
- Make PKINIT work with FAST in the client library.
- Add the DIR credential cache type, which can hold a collection of credential caches.
- Enhance kinit, klist, and kdestroy to support credential cache collections if the cache type supports it.
- Add the kswitch command, which changes the selected default cache within a collection.
- Add heuristic support for choosing client credentials based on the service realm.
- Add support for $HOME/.k5identity, which allows credential choice based on configured rules.

- add autoconf macro to devel subpackage

- fix license in krb5-mini

- add autoconf as buildrequire to avoid implicit dependency

- remove call to suse_update_config, very old work around

- fix KDC null pointer dereference in TGS handling (MITKRB5-SA-2011-007, bnc#730393) CVE-2011-1530

- fix KDC HA feature introduced with implementing KDC poll (RT#6951, bnc#731648)

- fix minor error messages for the IAKERB GSSAPI mechanism (see: http://krbdev.mit.edu/rt/Ticket/Display.html?id=7020)

- fix kdc remote denial of service (MITKRB5-SA-2011-006, bnc#719393) CVE-2011-1527, CVE-2011-1528, CVE-2011-1529

- use --without-pam to build krb5-mini

- add patches from Fedora and upstream
- fix init scripts (bnc#689006)

- update to version 1.9.1
  * obsolete patches:
    MITKRB5-SA-2010-007-1.8.dif
    krb5-1.8-MITKRB5-SA-2010-006.dif
    krb5-1.8-MITKRB5-SA-2011-001.dif
    krb5-1.8-MITKRB5-SA-2011-002.dif
    krb5-1.8-MITKRB5-SA-2011-003.dif
    krb5-1.8-MITKRB5-SA-2011-004.dif
    krb5-1.4.3-enospc.dif
  * replace krb5-1.6.1-compile_pie.dif

- fix kadmind invalid pointer free() (MITKRB5-SA-2011-004, bnc#687469) CVE-2011-0285

- Fix vulnerability to a double-free condition in KDC daemon (MITKRB5-SA-2011-003, bnc#671717) CVE-2011-0284

- Fix kpropd denial of service (MITKRB5-SA-2011-001, bnc#662665) CVE-2010-4022
- Fix KDC denial of service attacks with LDAP back end (MITKRB5-SA-2011-002, bnc#663619) CVE-2011-0281, CVE-2011-0282

- Fix multiple checksum handling vulnerabilities (MITKRB5-SA-2010-007, bnc#650650)
  CVE-2010-1324
  * krb5 GSS-API applications may accept unkeyed checksums
  * krb5 application services may accept unkeyed PAC checksums
  * krb5 KDC may accept low-entropy KrbFastArmoredReq checksums
  CVE-2010-1323
  * krb5 clients may accept unkeyed SAM-2 challenge checksums
  * krb5 may accept KRB-SAFE checksums with low-entropy derived keys
  CVE-2010-4020
  * krb5 may accept authdata checksums with low-entropy derived keys
  CVE-2010-4021
  * krb5 KDC may issue unrequested tickets due to KrbFastReq forgery

- fix csh profile (bnc#649856)

- update to krb5-1.8.3
  * remove patches which are now upstream
    - krb5-1.7-MITKRB5-SA-2010-004.dif
    - krb5-1.8.1-gssapi-error-table.dif
    - krb5-MITKRB5-SA-2010-005.dif

- change environment variable PATH directly for csh (bnc#642080)

- fix a dereference of an uninitialized pointer while processing authorization data. CVE-2010-1322, MITKRB5-SA-2010-006 (bnc#640990)

- add correct error table when initializing gss-krb5 (bnc#606584, bnc#608295)

- fix GSS-API library null pointer dereference CVE-2010-1321, MITKRB5-SA-2010-005 (bnc#596826)

- fix a double free vulnerability in the KDC CVE-2010-1320, MITKRB5-SA-2010-004 (bnc#596002)

- update to version 1.8.1
  * include krb5-1.8-POST.dif
  * include MITKRB5-SA-2010-002

- update krb5-1.8-POST.dif

- fix a bug where an unauthenticated remote attacker could cause a GSS-API application including the Kerberos administration daemon (kadmind) to crash. CVE-2010-0628, MITKRB5-SA-2010-002 (bnc#582557)

- add post 1.8 fixes
  * Add IPv6 support to changepw.c
  * fix two problems in kadm5_get_principal mask handling
  * Ignore improperly encoded signedpath AD elements
  * handle NT_SRV_INST in service principal referrals
  * dereference options while checking KRB5_GET_INIT_CREDS_OPT_CHG_PWD_PRMPT
  * Fix the kpasswd fallback from the ccache principal name
  * Document the ticket_lifetime libdefaults setting
  * Change KRB5_AUTHDATA_SIGNTICKET from 142 to 512

- update to version 1.8
  * Increase code quality
  * Move toward improved KDB interface
  * Investigate and remedy repeatedly-reported performance bottlenecks.
  * Reduce DNS dependence by implementing an interface that allows client library to track whether a KDC supports service principal referrals.
  * Disable DES by default
  * Account lockout for repeated login failures
  * Bridge layer to allow Heimdal HDB modules to act as KDB backend modules
  * FAST enhancements
  * Microsoft Services for User (S4U) compatibility
  * Anonymous PKINIT
- fix KDC denial of service CVE-2010-0283, MITKRB5-SA-2010-001 (bnc#571781)
- fix KDC denial of service in cross-realm referral processing CVE-2009-3295, MITKRB5-SA-2009-003 (bnc#561347)
- fix integer underflow in AES and RC4 decryption CVE-2009-4212, MITKRB5-SA-2009-004 (bnc#561351)
- moved krb5 applications (telnet, ftp, rlogin, ...) to krb5-appl

- add baselibs.conf as a source

- enhance '$PATH' only if the directories are available and not empty (bnc#544949)

- readd lost baselibs.conf

- update to final 1.7 release

- update to version 1.7 Beta2
  * Incremental propagation support for the KDC database.
  * Flexible Authentication Secure Tunneling (FAST), a preauthentication framework that can protect the AS exchange from dictionary attack.
  * Implement client and KDC support for GSS_C_DELEG_POLICY_FLAG, which allows a GSS application to request credential delegation only if permitted by KDC policy.
  * Fix CVE-2009-0844, CVE-2009-0845, CVE-2009-0846, CVE-2009-0847 -- various vulnerabilities in SPNEGO and ASN.1 code.