pki-base-java-10.5.16-3.el7

Certificate System - Java Framework

The PKI Framework contains the common and client libraries and utilities written in Java. This package is a part of the PKI Core used by the Certificate System.

==================================
||  ABOUT "CERTIFICATE SYSTEM"  ||
==================================

Certificate System (CS) is an enterprise software system designed to manage enterprise Public Key Infrastructure (PKI) deployments.

PKI Core contains ALL top-level java-based Tomcat PKI components:

  * pki-symkey
  * pki-base
  * pki-base-python2 (alias for pki-base)
  * pki-base-python3
  * pki-base-java
  * pki-tools
  * pki-server
  * pki-ca
  * pki-kra
  * pki-ocsp
  * pki-tks
  * pki-tps
  * pki-javadoc

which comprise the following corresponding PKI subsystems:

  * Certificate Authority (CA)
  * Key Recovery Authority (KRA)
  * Online Certificate Status Protocol (OCSP) Manager
  * Token Key Service (TKS)
  * Token Processing Service (TPS)

Python clients need only install the pki-base package. This package contains the python REST client packages and the client upgrade framework.

Java clients should install the pki-base-java package. This package contains the legacy and REST Java client packages. These clients should also consider installing the pki-tools package, which contains native and Java-based PKI tools and utilities.

Certificate Server instances require the fundamental classes and modules in pki-base and pki-base-java, as well as the utilities in pki-tools. The main server classes are in pki-server, with subsystem specific Java classes and resources in pki-ca, pki-kra, pki-ocsp etc.

Finally, if Certificate System is being deployed as an individual or set of standalone rather than embedded server(s)/service(s), it is strongly recommended (though not explicitly required) to include at least one PKI Theme package:

  * dogtag-pki-theme (Dogtag Certificate System deployments)
  * dogtag-pki-server-theme
  * redhat-pki-server-theme (Red Hat Certificate System deployments)
  * redhat-pki-server-theme
  * customized pki theme (Customized Certificate System deployments)
  * -pki-server-theme

NOTE: As a convenience for standalone deployments, top-level meta packages may be provided which bind a particular theme to these certificate server packages.

Build host: sl7.fnal.gov
Distribution: Scientific Linux
Vendor: Scientific Linux
License: GPLv2
Packager: Scientific Linux
Group: System Environment/Base
URL: http://pki.fedoraproject.org/
OS: linux
Architecture: noarch
Source RPM: pki-core-10.5.16-3.el7.src.rpm
Provides: pki-base-java

JAR paths referenced by the package:

/usr/share/java/commons-cli.jar
/usr/share/java/commons-codec.jar
/usr/share/java/commons-httpclient.jar
/usr/share/java/commons-io.jar
/usr/share/java/commons-lang.jar
/usr/share/java/commons-logging.jar
/usr/share/java/httpcomponents/httpclient.jar
/usr/share/java/httpcomponents/httpcore.jar
/usr/share/java/jackson/jackson-core-asl.jar
/usr/share/java/jackson/jackson-jaxrs.jar
/usr/share/java/jackson/jackson-mapper-asl.jar
/usr/share/java/jackson/jackson-mrbean.jar
/usr/share/java/jackson/jackson-smile.jar
/usr/share/java/jackson/jackson-xc.jar
/usr/share/java/jaxb-api.jar
/usr/lib/java/jss4.jar
/usr/share/java/ldapjdk.jar
/usr/share/java/pki/pki-certsrv.jar
/usr/share/java/pki/pki-cmsutil.jar
/usr/share/java/pki/pki-nsutil.jar
/usr/share/java/pki/pki-tools.jar
/usr/share/java/resteasy-base/resteasy-atom-provider.jar
/usr/share/java/resteasy-base/resteasy-client.jar
/usr/share/java/resteasy-base/resteasy-jackson-provider.jar
/usr/share/java/resteasy-base/resteasy-jaxb-provider.jar
/usr/share/java/resteasy-base/jaxrs-api.jar
/usr/share/java/resteasy-base/resteasy-jaxrs-jandex.jar
/usr/share/java/resteasy-base/resteasy-jaxrs.jar
/usr/share/java/servlet.jar
/usr/share/java/slf4j/slf4j-api.jar
/usr/share/java/slf4j/slf4j-jdk14.jar

Requires:

apache-commons-cli
apache-commons-codec
apache-commons-io
apache-commons-lang
apache-commons-logging
jakarta-commons-httpclient
java-1.8.0-openjdk-headless
javassist
jpackage-utils
jss
ldapjdk
pki-base
resteasy-base-atom-provider
resteasy-base-client
resteasy-base-jackson-provider
resteasy-base-jaxb-provider
resteasy-base-jaxrs
resteasy-base-jaxrs-api
rpmlib(CompressedFileNames)
rpmlib(FileDigests)
rpmlib(PayloadFilesHavePrefix)
slf4j
xalan-j2
xerces-j2
xml-commons-apis
xml-commons-resolver
rpmlib(PayloadIsXz)

Changelog authors and versions:

10.5.16-3
Dogtag Team 10.5.16-2
Dogtag Team 10.5.16-1
Dogtag Team 10.5.9-13
Dogtag Team 10.5.9-12
Dogtag Team 10.5.9-11
Dogtag Team 10.5.9-10
Dogtag Team 10.5.9-9
Dogtag Team 10.5.9-8
Dogtag Team 10.5.9-7
Dogtag Team 10.5.9-6
Dogtag Team 10.5.9-5
Dogtag Team 10.5.9-4
Dogtag Team 10.5.9-3
Dogtag Team 10.5.9-2
Dogtag Team 10.5.9-1
Dogtag Team 10.5.1-13.1
Dogtag Team 10.5.1-13
Dogtag Team 10.5.1-12
Dogtag Team 10.5.1-11
Dogtag Team 10.5.1-10
Dogtag Team 10.5.1-9
Dogtag Team 10.5.1-8
Dogtag Team 10.5.1-7
Dogtag Team 10.5.1-6
Dogtag Team 10.5.1-5
Dogtag Team 10.5.1-4
Troy Dawson - 10.5.1-3
Dogtag Team 10.5.1-2
Dogtag Team 10.5.1-1
Dogtag Team 10.5.0-1
Dogtag Team 10.4.1-15
Dogtag Team 10.4.1-14
Dogtag Team 10.4.1-13
Dogtag Team 10.4.1-12
Dogtag Team 10.4.1-11
Dogtag Team 10.4.1-10
Dogtag Team 10.4.1-9
Dogtag Team 10.4.1-8
Dogtag Team 10.4.1-7
Dogtag Team 10.4.1-6
Dogtag Team 10.4.1-5
Dogtag Team 10.4.1-4
Dogtag Team 10.4.1-3
Dogtag Team 10.4.1-2
Dogtag Team 10.4.1-1
Dogtag Team 10.4.0-1
Dogtag Team 10.3.3-18
Dogtag Team 10.3.3-17
Dogtag Team 10.3.3-16
Dogtag Team 10.3.3-15
Dogtag Team 10.3.3-14
Dogtag Team 10.3.3-13
Dogtag Team 10.3.3-12
Dogtag Team 10.3.3-11
Dogtag Team 10.3.3-10
Dogtag Team 10.3.3-9
Dogtag Team 10.3.3-8
Dogtag Team 10.3.3-7
Dogtag Team 10.3.3-6
Dogtag Team 10.3.3-5
Dogtag Team 10.3.3-3
Dogtag Team 10.3.3-2
Dogtag Team 10.3.3-1
Dogtag Team 10.3.3-0.1
Dogtag Team 10.3.2-5
Dogtag Team 10.3.2-4
Dogtag Team 10.3.2-3
Dogtag Team 10.3.2-2
Dogtag Team 10.3.2-1
Dogtag Team 10.3.2-0.1
Dogtag Team 10.3.1-1
Dogtag Team 10.3.0-1
Dogtag Team 10.3.0.b1-1
Dogtag Team 10.3.0.a2-2
Dogtag Team 10.3.0.a2-1
Dogtag Team 10.3.0.a1-2
Dogtag Team 10.3.0.a1-1
Dogtag Team 10.3.0-0.5
Dogtag Team 10.3.0-0.4
Dogtag Team 10.3.0-0.3
Dogtag Team 10.3.0-0.2
Dogtag Team 10.3.0-0.1
Dogtag Team 10.2.7-0.3
Tomas Radej - 10.2.7-0.2
Dogtag Team 10.2.7-0.1
Dogtag Team 10.2.6-1
Dogtag Team 10.2.6-0.3
Dogtag Team 10.2.6-0.2
Dogtag Team 10.2.6-0.1
Dogtag Team 10.2.5-1
Dogtag Team 10.2.5-0.2
Dogtag Team 10.2.5-0.1
Dogtag Team 10.2.4-1
Dogtag Team 10.2.4-0.2
Dogtag Team 10.2.4-0.1
Dogtag Team 10.2.3-1
Dogtag Team 10.2.3-0.1
Dogtag Team 10.3.0-0.1
Dogtag Team 10.2.3-0.1
Dogtag Team 10.2.2-1
Dogtag Team 10.2.2-0.1
Dogtag Team 10.2.1-1
Matthew Harmsen - 10.2.1-0.4
Ade Lee 10.2.1-0.3
Christina Fu 10.2.1-0.2
Dogtag Team 10.2.1-0.1
Ade Lee 10.2.0-3
Matthew Harmsen - 10.2.0-2
Dogtag Team 10.2.0-1
Matthew Harmsen - 10.2.0-0.10
Matthew Harmsen - 10.2.0-0.9
Matthew Harmsen - 10.2.0-0.8
Fedora Release Engineering - 10.2.0-0.5
Jack Magne - 10.2.0-0.7
Matthew Harmsen - 10.2.0-0.6
Matthew Harmsen - 10.2.0-0.5
Ade Lee - 10.2.0-0.4
Fedora Release Engineering - 10.2.0-0.3
Michael Simacek - 10.2.0-0.2
Dogtag Team 10.2.0-0.1
Ade Lee 10.1.0-1
Ade Lee 10.1.0-0.14
Ade Lee 10.1.0-0.13
Ade Lee 10.1.0-0.12
Ade Lee 10.1.0-0.11
Endi S. Dewata 10.1.0-0.10
Abhishek Koneru 10.1.0.0.9
Abhishek Koneru 10.1.0.0.8
Endi S. Dewata 10.1.0-0.7
Endi S. Dewata 10.1.0-0.6
Endi S. Dewata 10.1.0-0.5
Ade Lee 10.1.0-0.4
Endi S. Dewata 10.1.0-0.3
Matthew Harmsen 10.1.0-0.2
Ade Lee 10.1.0-0.1
Endi S. Dewata 10.0.2-5
Ade Lee 10.0.2-4
Ade Lee 10.0.2-3
Endi S. Dewata 10.0.2-2
Ade Lee 10.0.2-1
Ade Lee 10.0.2-0.8
Endi S. Dewata 10.0.2-0.7
Endi S. Dewata 10.0.2-0.6
Ade Lee 10.0.2-0.5
Endi S. Dewata 10.0.2-0.4
Endi S. Dewata 10.0.2-0.3
Endi S. Dewata 10.0.2-0.2
Endi S. Dewata 10.0.2-0.1
Endi S. Dewata 10.0.1-9
Ade Lee 10.0.1-8
Endi S. Dewata 10.0.1-7
Matthew Harmsen 10.0.1-6
Endi S. Dewata 10.0.1-5
Endi S. Dewata 10.0.1-4
Matthew Harmsen 10.0.1-3
Matthew Harmsen 10.0.1-2
Ade Lee 10.0.1-1
Matthew Harmsen 10.0.0-5
Matthew Harmsen 10.0.0-4
Ade Lee 10.0.0-3
Ade Lee 10.0.0-2
Ade Lee 10.0.0-1
Matthew Harmsen 10.0.0-0.56.b3
Endi S. Dewata 10.0.0-0.55.b3
Endi S. Dewata 10.0.0-0.54.b3
Ade Lee 10.0.0-0.53.b3
Ade Lee 10.0.0-0.52.b3
Endi S. Dewata 10.0.0-0.51.b2
Endi S. Dewata 10.0.0-0.50.b2
Matthew Harmsen 10.0.0-0.49.b2
Ade Lee 10.0.0-0.48.b2
Matthew Harmsen 10.0.0-0.47.b1
Ade Lee 10.0.0-0.46.b1
Ade Lee 10.0.0-0.45.b1
Ade Lee 10.0.0-0.44.b1
Ade Lee 10.0.0-0.43.b1
Ade Lee 10.0.0-0.42.b1
Ade Lee 10.0.0-0.41.b1
Ade Lee 10.0.0-0.40.b1
Endi S. Dewata 10.0.0-0.40.a2
Endi S. Dewata 10.0.0-0.39.a2
Ade Lee 10.0.0-0.38.a2
Endi S. Dewata 10.0.0-0.37.a2
Ade Lee 10.0.0-0.36.a2
Endi S. Dewata 10.0.0-0.36.a1
Endi S. Dewata 10.0.0-0.35.a1
Endi S. Dewata 10.0.0-0.34.a1
Ade Lee 10.0.0-0.33.a1
Matthew Harmsen 10.0.0-0.32.a1
Endi S. Dewata 10.0.0-0.31.a1
Endi S. Dewata 10.0.0-0.30.a1
Endi S. Dewata 10.0.0-0.29.a1
Endi S. Dewata 10.0.0-0.28.a1
Endi S. Dewata 10.0.0-0.27.a1
Endi S. Dewata 10.0.0-0.26.a1
Endi S. Dewata 10.0.0-0.25.a1
Endi S. Dewata 10.0.0-0.24.a1
Matthew Harmsen 10.0.0-0.23.a1
Endi S. Dewata 10.0.0-0.22.a1
Endi S. Dewata 10.0.0-0.21.a1
Matthew Harmsen 10.0.0-0.20.a1
Matthew Harmsen 10.0.0-0.19.a1
Matthew Harmsen 10.0.0-0.18.a1
Endi S. Dewata 10.0.0-0.17.a1
Matthew Harmsen 10.0.0-0.16.a1
Ade Lee 10.0.0-0.15.a1
Christina Fu 10.0.0-0.14.a1
Endi S. Dewata 10.0.0-0.13.a1
Endi S. Dewata 10.0.0-0.12.a1
Ade Lee 10.0.0-0.11.a1
Matthew Harmsen 10.0.0-0.10.a1
Matthew Harmsen 10.0.0-0.9.a1
Jack Magne 10.0.0-0.8.a1
Matthew Harmsen 10.0.0-0.7.a1
Endi S. Dewata 10.0.0-0.6.a1
Ade Lee 10.0.0-0.5.a1
Endi S. Dewata 10.0.0-0.4.a1
Matthew Harmsen 10.0.0-0.3.a1
Matthew Harmsen 10.0.0-0.2.a1
Nathan Kinder 10.0.0-0.1.a1
Ade Lee 9.0.16-3
Endi S. Dewata 9.0.16-2
Matthew Harmsen 9.0.16-1
Matthew Harmsen 9.0.15-1
Matthew Harmsen 9.0.14-1
Ade Lee 9.0.13-1
Matthew Harmsen 9.0.12-1
Matthew Harmsen 9.0.11-1
Matthew Harmsen 9.0.10-1
Matthew Harmsen 9.0.9-1
Matthew Harmsen 9.0.8-2
Matthew Harmsen 9.0.8-1
Matthew Harmsen 9.0.7-1
Matthew Harmsen 9.0.6-2
Matthew Harmsen 9.0.6-1
Matthew Harmsen 9.0.5-2
Matthew Harmsen 9.0.5-1
Matthew Harmsen 9.0.4-1
Matthew Harmsen 9.0.3-2
Matthew Harmsen 9.0.3-1
Matthew Harmsen 9.0.2-1
Matthew Harmsen 9.0.1-3
Matthew Harmsen 9.0.1-2
Matthew Harmsen 9.0.1-1
Matthew Harmsen 9.0.0-3
Matthew Harmsen 9.0.0-2
Matthew Harmsen 9.0.0-1

Changelog:

- ##########################################################################
- # RHEL 7.7:
- ##########################################################################
- Bugzilla Bug #1638379 - PKI startup initialization process should not depend on LDAP operational attributes [ftweedal]
- ##########################################################################
- # RHCS 9.5:
- ##########################################################################
- Bugzilla Bug #1633423 - Rebase redhat-pki, redhat-pki-theme, pki-core, and pki-console to 10.5.16 in RHCS 9.5

- ##########################################################################
- # RHEL 7.7:
- ##########################################################################
- Bugzilla Bug #1491453 - Need Method to Include SKI in CA Signing Certificate Request [ftweedal]
- ##########################################################################
- # RHCS 9.5:
- ##########################################################################
- # Bugzilla Bug #1633423 - Rebase redhat-pki, redhat-pki-theme, pki-core, and

- Updated jss dependencies
- ##########################################################################
- # RHEL 7.7:
- ##########################################################################
- Bugzilla Bug #1633422 - Rebase pki-core from 10.5.1 to 10.5.16 (RHEL)
- ##########################################################################
- # RHCS 9.5:
- ##########################################################################
- # Bugzilla Bug #1633423 - Rebase redhat-pki, redhat-pki-theme, pki-core, and

- Updated jss dependencies
- ##########################################################################
- # RHEL 7.6:
- ##########################################################################
- Bugzilla Bug #1671245 - CC: unable to verify cert before import [rhel-7.6.z] [manpage] (ascheel)
- Bugzilla Bug #1671303 - CC: Upgrade scripts for audit event names (RHEL) [rhel-7.6.z] (edewata)
- ##########################################################################
- # RHCS 9.4:
- ##########################################################################
- # Bugzilla Bug #1671586 - CC: Upgrade scripts for audit event names (RHCS)

- Updated jss dependencies
- ##########################################################################
- # RHEL 7.6:
- ##########################################################################
- Bugzilla Bug #1671245 - CC: unable to verify cert before import [rhel-7.6.z] (ascheel)
- Bugzilla Bug #1671303 - CC: Upgrade scripts for audit
event names (RHEL) [rhel-7.6.z] (edewata)
- ##########################################################################
- # RHCS 9.4:
- ##########################################################################
- # Bugzilla Bug #1671586 - CC: Upgrade scripts for audit event names (RHCS)

- Updated jss dependencies
- ##########################################################################
- # RHEL 7.6:
- ##########################################################################
- Bugzilla Bug #1671245 - CC: unable to verify cert before import [rhel-7.6.z] (ascheel)
- Bugzilla Bug #1671303 - CC: Upgrade scripts for audit event names (RHEL) [rhel-7.6.z] (edewata)
- ##########################################################################
- # RHCS 9.4:
- ##########################################################################
- # Bugzilla Bug #1671586 - CC: Upgrade scripts for audit event names (RHCS)

- ##########################################################################
- # RHEL 7.6:
- ##########################################################################
- Bugzilla Bug #1659939 - CC: Simplifying Web UI session timeout configuration [rhel-7.6.z] (edewata)
- ##########################################################################
- # RHCS 9.4:
- ##########################################################################
- # Bugzilla Bug #1639836 - CC: Identify RHCS version of CA, KRA,
- # Added Batch Update Information to Product Version (mharmsen)

- ##########################################################################
- # RHEL 7.6:
- ##########################################################################
- Bugzilla Bug #1657922 - CC: CA/OCSP startup fail on SystemCertsVerification if enableOCSP is true [rhel-7.6.z] (jmagne)
- ##########################################################################
- # RHCS 9.4:
- ##########################################################################
- # Bugzilla Bug #1639836 - CC: Identify RHCS version of CA, KRA,

- ##########################################################################
- # RHEL 7.6:
- ##########################################################################
- Bugzilla Bug #1645262 - pkidestroy may not remove all files [rhel-7.6.z] (dmoluguw)
- Bugzilla Bug #1645263 - Auth plugins leave passwords in the access log and audit log using REST [rhel-7.6.z] (dmoluguw)
- Bugzilla Bug #1645429 - pkispawn fails due to name collision with /var/log/pki/ [rhel-7.6.z] (dmoluguw)
- Bugzilla Bug #1655951 - CC: tools supporting CMC requests output keyID needs to be captured in file [rhel-7.6.z] (cfu)
- Bugzilla Bug #1656297 - Unable to install with admin-generated keys [rhel-7.6.z] (edewata)
- ##########################################################################
- # RHCS 9.4:
- ##########################################################################
- # Bugzilla Bug #1639836 - CC: Identify RHCS version of CA, KRA,

- Require "tomcatjss >= 7.2.1-8" as a build and runtime requirement
- ##########################################################################
- # RHEL 7.6:
- ##########################################################################
- Bugzilla Bug #1632116 - CC: missing audit event for CS acting as TLS client [rhel-7.6.z] (cfu)
- Bugzilla Bug #1632120 - Unsupported RSA_ ciphers should be removed from the default ciphers list [rhel-7.6.z] (cfu)
- Bugzilla Bug #1632615 - Permit certain SHA384 FIPS ciphers to be enabled by default for RSA and ECC . . . [rhel-7.6.z] (cfu)
- Bugzilla Bug #1632616 - X500Name.directoryStringEncodingOrder overridden by CSR encoding (coverity changes) [rhel-7.6.z] (mharmsen)
- Bugzilla Bug #1633104 - CMC: add config to allow non-clientAuth [rhel-7.6.z] (cfu)
- Bugzilla Bug #1636490 - Installation of CA using an existing CA fails [rhel-7.6.z] (edewata)
- Bugzilla Bug #1643878 - pki cli command for RHCS doesn't prompt for a password [rhel-7.6.z] (edewata)
- Bugzilla Bug #1643879 - CC: Identify version/release of pki-ca, pki-kra, pki-ocsp, pki-tks, and pki-tps remotely [RHEL] [rhel-7.6.z] (cfu, jmagne)
- Bugzilla Bug #1643880 - PKI subsystem process is not shutdown when there is no space on the disk to write logs [rhel-7.6.z] (edewata)
- ##########################################################################
- # RHCS 9.4:
- ##########################################################################
- # Bugzilla Bug #1639836 - CC: Identify RHCS version of CA, KRA,

- Updated nuxwdog dependencies
- ##########################################################################
- # RHEL 7.6:
- ##########################################################################
- Bugzilla Bug #673182 - ECC keys not supported for signing audit logs (cfu)
- Bugzilla Bug #1593805 - Better understanding of NSS_USE_DECODED_CKA_EC_POINT for ECC (cfu)
- Bugzilla Bug #1601071 - Certificate generation happens with partial attributes in CMCRequest file (cfu)
- Bugzilla Bug #1601569 - CC: Enable all config audit events (cfu)
- Bugzilla Bug #1608375 - CMC Revocations throws exception with same reqIssuer & certissuer (cfu)
- ##########################################################################
- # RHCS 9.4:
- ##########################################################################
- # Bugzilla Bug #1557570 - Re-base pki-core from 10.5.1 to

- ##########################################################################
- # RHEL 7.6:
- ##########################################################################
- Bugzilla Bug #1596629 - ipa-replica-install --setup-kra broken on DL0 with latest version (abokovoy)
- ##########################################################################
- # RHCS 9.4:
- ##########################################################################
- # Bugzilla Bug #1557570 - Re-base pki-core from 10.5.1 to

- ##########################################################################
- # RHEL 7.6:
- ##########################################################################
- Bugzilla Bug #1548203 - pki console configurations that involves ldap passwords leave the plain text password in signed audit logs (cfu)
- ##########################################################################
- # RHCS 9.4:
- ##########################################################################
- # Bugzilla Bug #1494591 - keyGen fails when only Identity

- Re-spin alpha builds

- ##########################################################################
- # RHEL 7.6:
- ##########################################################################
- Bugzilla Bug #1471935 - X500Name.directoryStringEncodingOrder overridden by CSR encoding (cfu)
- Bugzilla Bug #1538311 - Using a Netmask produces an odd entry in a certificate (ftweedal)
- Bugzilla Bug #1540440 - CMC: Audit Events needed for failures in SharedToken scenario's (cfu)
- Bugzilla Bug #1550742 - Address ECC profile overrides (cfu)
- Bugzilla Bug #1562841 - servlet profileSubmitCMCSimple throws NPE (cfu)
- Bugzilla Bug #1572432 - AuditVerify failure due to line breaks (cfu)
- Bugzilla Bug #1592961 - Need proper default subjectDN for CMC request authenticated through SharedToken (cfu)
- ##########################################################################
- # RHCS 9.4:
- ##########################################################################
- # Bugzilla Bug #1557570 - Re-base pki-core from 10.5.1 to

- ##########################################################################
- # RHEL 7.6:
- ##########################################################################
- Bugzilla Bug #1538311 - Using a Netmask produces an odd entry in a certifcate (ftweedal)
- Bugzilla Bug #1544843 - ExternalCA: Installation failed during csr generation with ecc (rrelyea, gkapoor)
- Bugzilla Bug #1557569 - Re-base pki-core from 10.5.1 to latest upstream 10.5.x (RHEL) (mharmsen)
- Bugzilla Bug #1580394 - CMC CRMF requests result in InvalidKeyFormatException when signing algorithm is ECC (cfu)
- Bugzilla Bug #1580527 - CVE-2018-1080 pki-core: Mishandled ACL configuration in AAclAuthz.java reverses rules that allow and deny access (ftweedal, cfu)
- Bugzilla Bug #1585866 - CRMFPopClient tool - should allow option to do no key archival (cfu)
- Bugzilla Bug #1588655 - Cert validation for installation with external CA cert (edewata)
- ##########################################################################
- # RHCS 9.4:
- ##########################################################################
- # Bugzilla Bug #1557570 - Re-base pki-core from 10.5.1 to

- Rebuild due to build system database problem

- ##########################################################################
- # RHEL 7.5:
- ##########################################################################
- Bugzilla Bug #1553068 - Using a Netmask produces an odd entry in a certifcate [rhel-7.5.z] (ftweedal)
- Bugzilla Bug #1585945 - CMC CRMF requests result in InvalidKeyFormatException when signing algorithm is ECC [rhel-7.5.z] (cfu)
- Bugzilla Bug #1587826 - ExternalCA: Installation failed during csr generation with ecc [rhel-7.5.z] (rrelyea, gkapoor)
- Bugzilla Bug #1588944 - Cert validation for installation with external CA cert [rhel-7.5.z] (edewata)
- Bugzilla Bug #1588945 - CRMFPopClient tool - should allow option to do no key archival (cfu)
- Bugzilla Bug #1589307 - CVE-2018-1080 pki-core: Mishandled ACL configuration in AAclAuthz.java reverses rules that allow and deny access [rhel-7.5.z] (ftweedal, cfu)
- ##########################################################################
- # RHCS 9.3:
- ##########################################################################
- # Bugzilla Bug #1471303 - Rebase redhat-pki, redhat-pki-theme, pki-core,

- Updated "jss" build and runtime requirements (mharmsen)
- ##########################################################################
- # RHEL 7.5:
- ##########################################################################
- Bugzilla Bug #1571582 - [MAN] Missing Man pages for tools CMCRequest, CMCResponse, CMCSharedToken (typos) [rhel-7.5.z] (cfu)
- Bugzilla Bug #1572548 - IPA install with external-CA is failing when FIPS mode enabled. [rhel-7.5.z] (edewata)
- Bugzilla Bug #1574848 - servlet profileSubmitCMCSimple throws NPE [rhel-7.5.z] (cfu)
- Bugzilla Bug #1575521 - subsystem -> subsystem SSL handshake issue with TLS_ECDHE_RSA_* on Thales HSM [rhel-7.5.z] (cfu)
- Bugzilla Bug #1581134 - ECC installation for non CA subsystems needs improvement [rhel-7.5.z] (jmagne)
- Bugzilla Bug #1581135 - SAN in internal SSL server certificate in pkispawn configuration step [rhel-7.5.z] (cfu)
- Bugzilla Bug #1581167 - CC: CMC profiles: Some CMC profiles have wrong input class_id [rhel-7.5.z] (cfu)
- Bugzilla Bug #1581382 - ECDSA Certificates Generated by Certificate System 9.3 fail NIST validation test with parameter field.
[rhel-7.5.z] (cfu) - ########################################################################## - # RHCS 9.3: - ########################################################################## - # Bugzilla Bug #1471303 - Rebase redhat-pki, redhat-pki-theme, pki-core,- ########################################################################## - # RHEL 7.5: - ########################################################################## - Bugzilla Bug #1554726 - Need ECC-specific Enrollment Profiles for standard conformance [rhel-7.5.z] (cfu) - Bugzilla Bug #1557880 - [MAN] Missing Man pages for tools CMCRequest, CMCResponse, CMCSharedToken [rhel-7.5.z] (cfu) - ########################################################################## - # RHCS 9.3: - ########################################################################## - # Bugzilla Bug #1560233 - libtps does not directly depend on libz- ########################################################################## - # RHEL 7.5: - ########################################################################## - Bugzilla Bug #1550581 - CMCAuth throws org.mozilla.jss.crypto.TokenException: Unable to insert certificate into temporary database [rhel-7.5.z] (cfu) - Bugzilla Bug #1551067 - [MAN] Add --skip-configuration and --skip-installation into pkispawn man page. [rhel-7.5.z] (edewata) - Bugzilla Bug #1552241 - Make sslget aware of TLSv1_2 ciphers [rhel-7.5.z] (cheimes, mharmsen) - Bugzilla Bug #1553068 - Using a Netmask produces an odd entry in a certifcate [rhel-7.5.z] (ftweedal) - Bugzilla Bug #1554726 - Need ECC-specific Enrollment Profiles for standard conformance [rhel-7.5.z] (cfu) - Bugzilla Bug #1554727 - Permit additional FIPS ciphers to be enabled by default for RSA . . . 
[rhel-7.5.z] (mharmsen, cfu) - Bugzilla Bug #1557880 - [MAN] Missing Man pages for tools CMCRequest, CMCResponse, CMCSharedToken [rhel-7.5.z] (cfu) - Bugzilla Bug #1557883 - Console: Adding ACL from pki-console gives StringIndexOutOfBoundsException [rhel-7.5.z] (ftweedal) - Bugzilla Bug #1558919 - Not able to generate certificate request with ECC using pki client-cert-request [rhel-7.5.z] (akahat) - ########################################################################## - # RHCS 9.3: - ########################################################################## - # Bugzilla Bug #1560233 - libtps does not directly depend on libz- ########################################################################## - # RHEL 7.5: - ########################################################################## - # Bugzilla Bug #1473452 - Rebase pki-core to latest upstream 10.5.x release - Bugzilla Bug #1445532 - CC: Audit Events: Update the default audit event set (RHEL) (edewata) - Bugzilla Bug #1532867 - Inconsistent key ID encoding (edewata) - Bugzilla Bug #1540687 - CC: External OCSP Installation failure with HSM and FIPS (edewata) - ########################################################################## - # RHCS 9.3: - ########################################################################## - # Bugzilla Bug #1471303 - Rebase redhat-pki, redhat-pki-theme, pki-core, - # Bugzilla Bug #1404075 - CC: Audit Events: Update the default audit event- ########################################################################## - # RHEL 7.5: - ########################################################################## - # Bugzilla Bug #1473452 - Rebase pki-core to latest upstream 10.5.x release - Bugzilla Bug #1542210 - pki console configurations that involves ldap passwords leave the plain text password in debug logs (jmagne) - Bugzilla Bug #1543242 - Regression in lightweight CA key replication (ftweedal) - ########################################################################## - # 
RHCS 9.3: - ########################################################################## - # Bugzilla Bug #1471303 - Rebase redhat-pki, redhat-pki-theme, pki-core,- ########################################################################## - # RHEL 7.5: - ########################################################################## - # Bugzilla Bug #1473452 - Rebase pki-core to latest upstream 10.5.x release - Bugzilla Bug #1445532 - CC: Audit Events: Update the default audit event set (RHEL) (edewata) - Bugzilla Bug #1522938 - CC: Missing faillure resumption detection and audit event logging at startup (jmagne) - Bugzilla Bug #1523410 - Unable to have non "pkiuser" owned CA instance (alee) - Bugzilla Bug #1525306 - CC: missing CMC request and response record (cfu) - Bugzilla Bug #1532933 - Installing subsystems with external CMC certificates in HSM environment shows import error (edewata) - Bugzilla Bug #1535797 - ExternalCA: Failures when installed with hsm (edewata) - Bugzilla Bug #1539125 - restrict default cipher suite to those ciphers permitted in fips mode (mharmsen) - Bugzilla Bug #1539198 - Inconsistent CERT_REQUEST_PROCESSED outcomes. 
(edewata) - Bugzilla Bug #1540440 - CMC: Audit Events needed for failures in SharedToken scenario's (cfu) - Bugzilla Bug #1541526 - CMC: Revocation works with an unknown revRequest.issuer (cfu) - Bugzilla Bug #1541853 - ProfileService: config values with backslashes have backslashes removed (ftweedal) - ########################################################################## - # RHCS 9.3: - ########################################################################## - # Bugzilla Bug #1471303 - Rebase redhat-pki, redhat-pki-theme, pki-core, - # Bugzilla Bug #1404075 - CC: Audit Events: Update the default audit - # Bugzilla Bug #1501436 - TPS CS.cfg should be reflected with the- Updated jss, nuxwdog, and openssl dependencies - ########################################################################## - # RHEL 7.5: - ########################################################################## - Bugzilla Bug #1473452 - Rebase pki-core to latest upstream 10.5.x release (RHEL) - Bugzilla Bug #1402280 - CA Cloning: Failed to update number range in few cases (ftweedal) - Bugzilla Bug #1428021 - CC: shared token storage and retrieval mechanism (cfu) - Bugzilla Bug #1447145 - CMC: cmc.popLinkWitnessRequired=false would cause error (cfu) - Bugzilla Bug #1498957 - pkidestroy does not work with nuxwdog (alee) - Bugzilla Bug #1520277 - PR_FILE_NOT_FOUND_ERROR during pkispawn (alee) - Bugzilla Bug #1520526 - p12 admin certificate is missing when certificate is signed Externally (edewata) - Bugzilla Bug #1523410 - Unable to have non "pkiuser" owned CA instance (alee) - Bugzilla Bug #1523443 - HAProxy rejects OCSP responses due to missing nextupdate field (ftweedal) - Bugzilla Bug #1526881 - Not able to setup CA with ECC (mharmsen) - Bugzilla Bug #1532759 - pkispawn seems to be leaving our passwords in several different files after installation completes (alee) - ########################################################################## - # RHCS 9.3: - 
########################################################################## - # Bugzilla Bug #1471303 - Rebase redhat-pki, redhat-pki-theme, pki-core,- ########################################################################## - # RHEL 7.5: - ########################################################################## - Bugzilla Bug #1473452 - Rebase pki-core to latest upstream 10.5.x release (RHEL) - Bugzilla Bug #1466066 - CC: Secure removal of secret data storage (jmagne) - Bugzilla Bug #1518096 - ExternalCA: Failures in ExternalCA when tried to setup with CMC signed certificates (cfu) - ########################################################################## - # RHCS 9.3: - ########################################################################## - # Bugzilla Bug #1471303 - Rebase redhat-pki, redhat-pki-theme, pki-core, and- ########################################################################## - # RHEL 7.5: - ########################################################################## - Bugzilla Bug #1473452 - Rebase pki-core to latest upstream 10.5.x release (RHEL) - ########################################################################## - # RHCS 9.3: - ########################################################################## - #Bugzilla Bug #1471303 - Rebase redhat-pki, redhat-pki-theme, pki-core, and- dogtagpki Pagure Issue #2853 - Cleanup spec file conditionals- Patch applying check-ins since 10.5.1-1- ########################################################################## - # RHEL 7.5: - ########################################################################## - Bugzilla Bug #1473452 - Rebase pki-core to latest upstream 10.5.x release (RHEL) - ########################################################################## - # RHCS 9.3: - ########################################################################## - #Bugzilla Bug #1471303 - Rebase redhat-pki, redhat-pki-theme, pki-core, and- 
- ##########################################################################
- # RHEL 7.5:
- ##########################################################################
- Bugzilla Bug #1473452 - Rebase pki-core to latest upstream 10.5.x release (RHEL)
- ##########################################################################
- # RHCS 9.3:
- ##########################################################################
- #Bugzilla Bug #1471303 - Rebase redhat-pki, redhat-pki-theme, pki-core, and

- #Bugzilla Bug #1492560 - ipa-replica-install --setup-kra broken on DL0

- #Require "jss >= 4.4.0-8" as a build and runtime requirement
- ##########################################################################
- # RHEL 7.4:
- ##########################################################################
- # Resolves: rhbz #1486870,1485833,1487509,1490241,1491332
- # Bugzilla Bug #1486870 - Lightweight CA key replication fails (regressions)
- # Bugzilla Bug #1485833 - Missing CN in user signing cert would cause error
- # Bugzilla Bug #1487509 - pki-server-upgrade fails when upgrading from
- # Bugzilla Bug #1490241 - PKCS12: upgrade to at least AES and SHA2 (FIPS)
- # Bugzilla Bug #1491332 - TPS UI: need to display tokenType and tokenOrigin
- # dogtagpki Pagure Issue #2764 - py3: pki.key.archive_encrypted_data:
- ##########################################################################
- # RHCS 9.2:
- ##########################################################################
- # Resolves: rhbz #1486870,1485833,1487509,1490241,1491332,1482729,1462271
- # Bugzilla Bug #1462271 - TPS incorrectly assigns "tokenOrigin" and
- # Bugzilla Bug #1482729 - TPS UI: need to display tokenType and tokenOrigin

- Resolves: rhbz #1463350
- ##########################################################################
- # RHEL 7.4:
- ##########################################################################
- # Bugzilla Bug #1463350 - Access banner validation (edewata)

- # Resolves: rhbz #1472615,1472617,1469447,1463350,1469449,1472619,1464970,1469437,1469439,1469446
- ##########################################################################
- # RHEL 7.4:
- ##########################################################################
- # Bugzilla Bug #1472615 - CC: allow CA to process pre-signed CMC non-signing
- # Bugzilla Bug #1472617 - CMC: cmc.popLinkWitnessRequired=false would cause
- # Bugzilla Bug #1469447 - CC: CMC: check HTTPS client authentication cert
- # Bugzilla Bug #1463350 - Access banner validation (edewata)
- # Bugzilla Bug #1469449 - CC: allow CA to process pre-signed CMC renewal
- # Bugzilla Bug #1472619 - Platform Dependent Python Import (mharmsen)
- # Bugzilla Bug #1464970 - CC: CMC: replace id-cmc-statusInfo with
- # Bugzilla Bug #1469437 - subsystem-cert-update command lacks --cert option
- # Bugzilla Bug #1469439 - Fix Key Changeover with HSM to support SCP03
- # Bugzilla Bug #1469446 - CC: need CMC enrollment profiles for system

- # Resolves: rhbz #1469432
- ##########################################################################
- # RHEL 7.4:
- ##########################################################################
- # Bugzilla Bug #1469432 - CMC plugin default change
- # Resolves CVE-2017-7537
- # Fixes BZ #1470948

- ##########################################################################
- # RHEL 7.4:
- ##########################################################################
- Bugzilla Bug #1458043 - Key recovery on token fails with invalid public key error on KRA (alee)
- Bugzilla Bug #1460764 - CC: CMC: check HTTPS client authentication cert against CMC signer (cfu)
- Bugzilla Bug #1461533 - Unable to find keys in the p12 file after deleting the any of the subsystem certs from it (ftweedal)

- ##########################################################################
- # RHEL 7.4:
- ##########################################################################
- Bugzilla Bug #1393633 - Creating symmetric key (sharedSecret) using tkstool is failing when RHEL 7.3 is in FIPS mode. (jmagne)
- Bugzilla Bug #1419756 - CC: allow CA to process pre-signed CMC non-signing certificate requests (cfu)
- Bugzilla Bug #1419777 - CC: allow CA to process pre-signed CMC revocation non-signing cert requests (cfu)
- Bugzilla Bug #1458047 - change the way aes clients refer to aes keysets (alee)
- Bugzilla Bug #1458055 - dont reuse IVs in the CMC code (alee)
- Bugzilla Bug #1460028 - In keywrap mode, key recovery on KRA with HSM causes KRA to crash (ftweedal)

- Require "selinux-policy-targeted >= 3.13.1-159" as a runtime requirement
- Require "tomcatjss >= 7.2.1-4" as a build and runtime requirement
- ##########################################################################
- # RHEL 7.4:
- ##########################################################################
- Bugzilla Bug #1400149 - pkispawn fails to create CA subsystem on FIPS enabled system (edewata)
- Bugzilla Bug #1447144 - CA brought down during separate KRA instance creation (edewata)
- Bugzilla Bug #1447762 - pkispawn fails occasionally with this failure ACCESS_SESSION_ESTABLISH_FAILURE (edewata)
- Bugzilla Bug #1454450 - SubCA installation failure with 2 step installation in fips enabled mode (edewata)
- Bugzilla Bug #1456597 - Certificate import using pki client-cert-import is asking for password when already provided (edewata)
- Bugzilla Bug #1456940 - Build failure due to Pylint issues (cheimes)
- Bugzilla Bug #1458043 - Key recovery using externalReg fails with java null pointer exception on KRA (alee)
- Bugzilla Bug #1458379 - Upgrade script for keepAliveTimeout parameter (edewata)
- Bugzilla Bug #1458429 - client-cert-import --ca-cert should import CA cert with trust bits "CT,C,C" (edewata)
- ##########################################################################
- # RHCS 9.2:
- ##########################################################################
- Bugzilla Bug #1274086 - [RFE] Add SCP03 support (RHCS) (jmagne)

- ##########################################################################
- # RHEL 7.4:
- ##########################################################################
- Bugzilla Bug #1393633 - Creating symmetric key (sharedSecret) using tkstool is failing when RHEL 7.3 is in FIPS mode. (jmagne)
- Bugzilla Bug #1445519 - CA Server installation with HSM fails (jmagne)
- Bugzilla Bug #1452617 - Unable to create IPA Sub CA (ftweedal)
- Bugzilla Bug #1454471 - Enabling all subsystems on startup (edewata)
- Bugzilla Bug #1455617 - Key recovery on token fails because key record is not marked encrypted (alee)

- Bugzilla Bug #1454603 - Unable to install IPA server due to pkispawn error (mharmsen)

- ##########################################################################
- # RHEL 7.4:
- ##########################################################################
- Bugzilla Bug #1419761 - CC: allow CA to process pre-signed CMC renewal non-signing cert requests (cfu)
- Bugzilla Bug #1447080 - CC: CMC: allow enrollment key signed (self-signed) CMC with identity proof (cfu)
- Bugzilla Bug #1447144 - CA brought down during separate KRA instance creation (mharmsen)
- Bugzilla Bug #1448903 - exception Invalid module "--ignore-banner" when defined in ~/.dogtag/pki.conf and run pki pkcs12-import --help (edewata)
- Bugzilla Bug #1450143 - CA installation with HSM in FIPS mode fails (jmagne)
- Bugzilla Bug #1452123 - CA CS.cfg shows default port (mharmsen)
- Bugzilla Bug #1452250 - Inconsistent CERT_REQUEST_PROCESSED event in ConnectorServlet. (edewata)
- Bugzilla Bug #1452340 - Ensuring common audit log correctness (edewata)
- Bugzilla Bug #1452344 - Adding serial number into CERT_REQUEST_PROCESSED audit event. (edewata)

- ##########################################################################
- # RHEL 7.4:
- ##########################################################################
- Bugzilla Bug #1386303 - cannot extract generated private key from KRA when HSM is used. (alee)
- Bugzilla Bug #1446364 - pkispawn returns before tomcat is ready (cheimes)
- Bugzilla Bug #1447145 - CMC: cmc.popLinkWitnessRequired=false would cause error (cfu)
- Bugzilla Bug #1448203 - CAInfoService: retrieve KRA-related values from the KRA (ftweedal)
- Bugzilla Bug #1448204 - pkispawn of clone install fails with InvalidBERException (ftweedal)
- Bugzilla Bug #1448521 - kra unable to extract symmetric keys generated on thales hsm (alee)
- Updated "jss" build and runtime requirements (mharmsen)
- ##########################################################################
- # RHCS 9.2:
- ##########################################################################
- Bugzilla Bug #1274086 - [RFE] Add SCP03 support (RHCS) (jmagne)

- ############################################################################
- # RHEL 7.4:
- ############################################################################
- Bugzilla Bug #1303683 - dogtag should support GSSAPI based auth in conjuction with FreeIPA (ftweedal)
- Bugzilla Bug #1385208 - RHCS 9.1 RC5 CA in the certificate profiles the startTime parameter is not working as expected. (jmagne)
- Bugzilla Bug #1419756 - CC: allow CA to process pre-signed CMC non-signing certificate requests (cfu)
- Bugzilla Bug #1426754 - PKCS12: upgrade to at least AES and SHA2 (ftweedal)
- Bugzilla Bug #1445088 - profile modification cannot remove existing config parameters (ftweedal)
- Bugzilla Bug #1445535 - CC: Crypto Operation (AES Encryption/Decryption) (RHEL) (alee)
- Bugzilla Bug #1446874 - Missing ClientIP and ServerIP in audit log when pki CLI terminates SSL connection (edewata)
- Bugzilla Bug #1446875 - Session timeout for PKI console (RHEL) (edewata)
- ############################################################################
- # RHCS 9.2:
- ############################################################################
- Bugzilla Bug #1404480 - CC: Crypto Operation (AES Encryption/Decryption) (RHCS) (alee)

- ############################################################################
- # RHEL 7.4:
- ############################################################################
- Bugzilla Bug #1282504 - Installing pki-server in container reports scriptlet failed, exit status 1 (jpazdziora)
- Bugzilla Bug #1400149 - pkispawn fails to create CA subsystem on FIPS enabled system (edewata)
- Bugzilla Bug #1410650 - [RFE] Add SCP03 support for sc 7 g & d cards (RHEL) (jmagne)
- Bugzilla Bug #1437591 - cli authentication using expired cert throws an exception (edewata)
- Bugzilla Bug #1437602 - non-CA cli looks for CA in the instance during a request (edewata)
- ############################################################################
- # RHCS 9.2:
- ############################################################################
- Bugzilla Bug #1274086 - [RFE] Add SCP03 support for sc 7 g & d cards (RHCS) (jmagne)
- ############################################################################
- # Common Criteria
- ############################################################################
- Bugzilla Bug #1404080 - CC: add audit event: various SSL/TLS failures (edewata)
- Bugzilla Bug #1417307 - CC: Audit Review /Searches (edewata)
- Bugzilla Bug #1419737 - CC: CMC: id-cmc-popLinkWitnessV2 feature implementation (cfu)

- Require "nss >= 3.28.3" as a build and runtime requirement
- Require "jss >= 4.4.0-4" as a build and runtime requirement
- Require "tomcatjss >= 7.2.1-3" as a build and runtime requirement
- dogtagpki Pagure Issue #2612 - Unable to clone due to pki pkcs12-cert-find failure (edewata)
- ############################################################################
- Bugzilla Bug #1394309 - Rebase pki-core to 10.4.x in RHEL-7.4
- Bugzilla Bug #1394315 - Rebase redhat-pki, redhat-pki-theme, pki-core, and pki-console to 10.4.x
- ############################################################################
- # RHEL 7.4:
- ############################################################################
- ############################################################################
- # RHCS 9.2:
- ############################################################################
- ############################################################################
- # Common Criteria
- ############################################################################
- Bugzilla Bug #1419734 - CC: CMC: id-cmc-identityProofV2 feature implementation (cfu)
- Bugzilla Bug #1419742 - CC: CMC: provide Proof of Possession for encryption cert requests (cfu)
- Bugzilla Bug #1404080 - CC: add audit event: various SSL/TLS failures (edewata)
- Bugzilla Bug #1428020 - CC: CMC feature support: provided issuance protection cert mechanism (cfu)

- Require "jss >= 4.4.0-1" as a build and runtime requirement
- Require "tomcatjss >= 7.2.1-1" as a build and runtime requirement
- ############################################################################
- Bugzilla Bug #1394309 - Rebase pki-core to 10.4.x in RHEL-7.4
- Bugzilla Bug #1394315 - Rebase redhat-pki, redhat-pki-theme, pki-core, and pki-console to 10.4.x
- ############################################################################
- # RHEL 7.4:
- ############################################################################
- Bugzilla Bug #1222557 - ECDSA Certificates Generated by Certificate System 8.1 fail NIST validation test with parameter field. (cfu)
- Bugzilla Bug #1238684 - Generting Symmetric key fails with key-generate when --usages verify (vakwetu)
- Bugzilla Bug #1246635 - user-cert-add --serial CLI request to secure port with remote CA shows authentication failure (edewata)
- Bugzilla Bug #1249400 - CA EE: Submit caUserCert request without uid does not show proper error message (vakwetu)
- Bugzilla Bug #1305993 - Add profile component that copies CN to SAN (ftweedal)
- Bugzilla Bug #1316653 - pki ca-cert-request-submit fails presumably because of missing authentication even if it should not require any (edewata)
- Bugzilla Bug #1325071 - add options to enable/disable cert or crl publishing. (vakwetu)
- Bugzilla Bug #1330800 - Failed to start pki-tomcatd Service ("ipa-cacert-manage renew" failed?) (edewata)
- Bugzilla Bug #1368410 - Misleading Logging for HSM (edewata)
- Bugzilla Bug #1372052 - Unable to search certificate requests using the latest request ID (edewata)
- Bugzilla Bug #1375347 - Typo in comment line of UserPwdDirAuthentication.java (edewata)
- Bugzilla Bug #1376226 - IPA replica-prepare failed with error "Profile caIPAserviceCert Not Found" (ftweedal)
- Bugzilla Bug #1376488 - pkispawn fails as it is not able to find openssl as a dependency package (mharmsen)
- Bugzilla Bug #1378275 - two-step externally-signed CA installation fails due to missing AuthorityID (ftweedal)
- Bugzilla Bug #1378277 - Spurious host authority entries created (ftweedal)
- Bugzilla Bug #1378527 - Miscellaneous Minor Changes (edewata)
- Bugzilla Bug #1381084 - KRA installation failed against externally-signed CA with partial certificate chain (edewata)
- Bugzilla Bug #1382066 - Problems with FIPS mode (edewata)
- Bugzilla Bug #1386371 - Remove xenroll.dll from pki-core (mharmsen)
- Bugzilla Bug #1386424 - Fix packaging duplicates of classes in multiple jar files (edewata)
- Bugzilla Bug #1391737 - Changes to target.agent.approve.list parameter is not reflected in the TPS Web UI (RHEL 7) (edewata)
- Bugzilla Bug #1392068 - [RFE] add express archivals and retrievals from KRA (vakwetu)
- Bugzilla Bug #1395817 - Unable to install subordinate CA with HSM in FIPS mode (edewata)
- Bugzilla Bug #1397200 - pkispawn does not change default ecc key size from nistp256 when nistp384 is specified in spawn config (jmagne)
- Bugzilla Bug #1399862 - Dogtag 10.3.9 Man Pages (edewata)
- Bugzilla Bug #1404881 - TPS throws "err=6" when attempting to format and enroll G&D Cards (jmagne)
- Bugzilla Bug #1405654 - Token memory not wiped after key deletion (RHEL) (jmagne)
- Bugzilla Bug #1409946 - Request ID undefined for CA signing certificate (vakwetu)
- Bugzilla Bug #1409949 - CA Certificate Issuance Date displayed on CA website incorrect (vakwetu)
- Bugzilla Bug #1410650 - [RFE] Add SCP03 support (RHEL) (jmagne)
- Bugzilla Bug #1411428 - Unable to create a CA clone in FIPS (edewata)
- Bugzilla Bug #1412211 - Unable to set up KRA in FIPS (edewata)
- Bugzilla Bug #1412681 - update to 7.3 IPA with otpd bugfixes, tomcat will not finish start, hangs (ftweedal)
- Bugzilla Bug #1413132 - pki-tomcat for 10+ minutes before generating cert (edewata)
- Bugzilla Bug #1413136 - Problem with default AJP hostname in IPv6 environment. (edewata)
- ############################################################################
- # RHCS 9.2:
- ############################################################################
- Bugzilla Bug #1248553 - TPS Enrollment always goes to "ca1 (cfu)
- Bugzilla Bug #1274086 - [RFE] Add SCP03 support (RHCS) (jmagne)
- Bugzilla Bug #1274096 - [BUG] Add ability to disallow TPS to enroll a single user on multiple tokens. (jmagne)
- Bugzilla Bug #1379379 - Unable to read an encrypted email using renewed tokens (jmagne)
- Bugzilla Bug #1379749 - Automatic recovery of encryption cert is not working when a token is physically damaged and a temporary token is issued (jmagne)
- Bugzilla Bug #1381375 - Cert/Key recovery is successful when the cert serial number and key id on the ldap user mismatches (cfu)
- Bugzilla Bug #1381635 - Token format with external reg fails when op.format.externalRegAddToToken.revokeCert=true (cfu)
- Bugzilla Bug #1382762 - PIN_RESET policy is not giving expected results when set on a token (jmagne)
- Bugzilla Bug #1386257 - Changes to target.agent.approve.list parameter is not reflected in the TPS Web UI (RHCS 9) (edewata)
- Bugzilla Bug #1391207 - Automatic recovery of encryption cert - CA and TPS tokendb shows different certificate status (cfu)
- Bugzilla Bug #1395479 - TPS throws "err=6" when attempting to format and enroll G&D Cards (RHCS) (jmagne)
- Bugzilla Bug #1404900 - Dogtag 10.3.9 logging properties (edewata)
- Bugzilla Bug #1405655 - Token memory not wiped after key deletion (RHCS) (jmagne)
- ############################################################################

- ## RHEL 7.3.z Batch Update 4
- Bugzilla Bug #1429492 - Add profile component that copies CN to SAN (ftweedal)

- ## RHCS 9.1.z Batch Update 3
- Bugzilla Bug #1391207 - Automatic recovery of encryption cert - CA and TPS tokendb shows different certificate status (cfu)
- ## RHEL 7.3.z Batch Update 3
- Bugzilla Bug #1417063 - ECDSA Certificates Generated by Certificate System 8.1 fail NIST validation test with parameter field. (cfu)
- Bugzilla Bug #1417064 - Unable to search certificate requests using the latest request ID (edewata)
- Bugzilla Bug #1417065 - CA Certificate Issuance Date displayed on CA website incorrect (alee)
- Bugzilla Bug #1417066 - update to 7.3 IPA with otpd bugfixes, tomcat will not finish start, hangs (ftweedal)
- Bugzilla Bug #1417067 - pki-tomcat for 10+ minutes before generating cert (edewata)
- Bugzilla Bug #1417190 - Problem with default AJP hostname in IPv6 environment. (edewata)

- Separate original patches into RHEL and RHCS portions
- ## RHEL 7.3.z Batch Update 2
- Bugzilla Bug #1404176 - logging properties and man pages (edewata)
- Bugzilla Bug #1405328 - TPS throws "err=6" when attempting to format and enroll G&D Cards (jmagne)
- ## RHCS 9.1.z Batch Update 2
- Bugzilla Bug #1395479 - TPS throws "err=6" when attempting to format and enroll G&D Cards (jmagne)
- Bugzilla Bug #1404900 - RHCS logging properties (edewata)

- ## RHEL 7.3.z Batch Update 2
- Bugzilla Bug #1404173 - user-cert-add --serial CLI request to secure port with remote CA shows authentication failure (edewata)
- Bugzilla Bug #1404175 - pki ca-cert-request-submit fails presumably because of missing authentication even if it should not require any (edewata)
- Bugzilla Bug #1404178 - Changes to target.agent.approve.list parameter is not reflected in the TPS Web UI [pki-base] (edewata)
- Bugzilla Bug #1404172 - Unable to install subordinate CA with HSM in FIPS mode (edewata)
- Bugzilla Bug #1403689 - pkispawn does not change default ecc key size from nistp256 when nistp384 is specified in spawn config (jmagne)
- Bugzilla Bug #1404176 - logging properties and man pages (edewata)
- ## RHCS 9.1.z Batch Update 2
- Bugzilla Bug #1386257 - Changes to target.agent.approve.list parameter is not reflected in the TPS Web UI [pki-tps] (edewata)
- Bugzilla Bug #1391207 - Automatic recovery of encryption cert - CA and TPS tokendb shows different certificate status (cfu)
- Bugzilla Bug #1395479 - TPS throws "err=6" when attempting to format and enroll G&D Cards (jmagne)

- Marked the following RHCS 9.1.z bug: Bugzilla Bug #1382862 - TPS token enrollment fails to setupSecureChannel when TPS and TKS security db is on fips mode. (jmagne) as a duplicate of RHEL 7.3.z bug: Bugzilla Bug #1389757 - Problems with FIPS mode (edewata) and moved the patch from the RHCS 9.1.z bug to the RHEL 7.3.z bug.

- ## RHEL 7.3.z Batch Update 1
- Bugzilla Bug #1389757 - Problems with FIPS mode (edewata) (added KRA key recovery via CLI in FIPS mode)
- ## RHCS 9.1.z Batch Update 1
- Reverted patches associated with Bugzilla Bug #1386257 - Changes to target.agent.approve.list parameter is not reflected in the TPS Web UI (edewata)

- ## RHEL 7.3.z Batch Update 1
- Bugzilla Bug #1390318 - CA EE: Submit caUserCert request without uid does not show proper error message (alee)
- Bugzilla Bug #1390319 - Failed to start pki-tomcatd Service ("ipa-cacert-manage renew" failed?) (edewata)
- Bugzilla Bug #1390320 - pkispawn fails as it is not able to find openssl as a dependency package (mharmsen)
- Bugzilla Bug #1390321 - two-step externally-signed CA installation fails due to missing AuthorityID (ftweedal)
- Bugzilla Bug #1390322 - Spurious host authority entries created (ftweedal)
- Bugzilla Bug #1390324 - KRA installation failed against externally-signed CA with partial certificate chain (edewata)
- Bugzilla Bug #1389757 - Problems with FIPS mode (edewata)
- Bugzilla Bug #1390311 - Fix packaging duplicates of classes in multiple jar files (edewata)
- Bugzilla Bug #1390325 - Typo in comment line of UserPwdDirAuthentication.java (edewata)
- ## RHCS 9.1.z Batch Update 1
- Bugzilla Bug #1248553 - TPS Enrollment always goes to "ca1" (cfu)
- Bugzilla Bug #1274096 - [BUG] Add ability to disallow TPS to enroll a single user on multiple tokens. (jmagne)
- Bugzilla Bug #1379379 - Unable to read an encrypted email using renewed tokens (jmagne)
- Bugzilla Bug #1379749 - Automatic recovery of encryption cert is not working when a token is physically damaged and a temporary token is issued (jmagne)
- Bugzilla Bug #1381375 - Cert/Key recovery is successful when the cert serial number and key id on the ldap user mismatches
- Bugzilla Bug #1381635 - Token format with external reg fails when op.format.externalRegAddToToken.revokeCert=true (cfu)
- Bugzilla Bug #1382762 - PIN_RESET policy is not giving expected results when set on a token (jmagne)
- Bugzilla Bug #1382862 - TPS token enrollment fails to setupSecureChannel when TPS and TKS security db is on fips mode. (jmagne)
- Bugzilla Bug #1386257 - Changes to target.agent.approve.list parameter is not reflected in the TPS Web UI (edewata)

- PKI TRAC Ticket #1527 - TPS Enrollment always goes to "ca1" (cfu)
- PKI TRAC Ticket #1664 - [BUG] Add ability to disallow TPS to enroll a single user on multiple tokens. (jmagne)
- PKI TRAC Ticket #2478 - pkispawn fails as it is not able to find openssl as a dependency package (mharmsen)
- PKI TRAC Ticket #2483 - Unable to read an encrypted email using renewed tokens (jmagne)
- PKI TRAC Ticket #2496 - Cert/Key recovery is successful when the cert serial number and key id on the ldap user mismatches (cfu)
- PKI TRAC Ticket #2505 - Fix packaging duplicates of classes in multiple jar files (edewata)

- Revert Patch: PKI TRAC Ticket #2449 - Unable to create system certificates in different tokens (edewata)
- Resolves: rhbz #1374054 - ipa-replica-install fails setting up certificate
- Restores: rhbz #1319557 - pkispawn KRA instance is failing server
- Removes from Errata: rhbz #1372041 - Unable to create system certificates in different tokens

- PKI TRAC Ticket #1638 - Lightweight CAs: revoke certificate on CA deletion (ftweedal)
- PKI TRAC Ticket #2436 - Dogtag 10.3.6: Miscellaneous Enhancements (edewata)
- PKI TRAC Ticket #2443 - Prevent deletion of host CA's keys if LWCA entry deleted (ftweedal)
- PKI TRAC Ticket #2444 - Authority entry without entryUSN is skipped even if USN plugin enabled (ftweedal)
- PKI TRAC Ticket #2446 - pkispawn: make subject_dn defaults unique per instance name (for shared HSM) (cfu)
- PKI TRAC Ticket #2447 - CertRequestInfo has incorrect URLs (vakwetu)
- PKI TRAC Ticket #2449 - Unable to create system certificates in different tokens (edewata)

- PKI TRAC Ticket #1578 - Authentication Instance Id PinDirEnrollment with authType value as SslclientAuth is not working (jmagne)
- PKI TRAC Ticket #2414 - pki pkcs12-cert-del shows a successfully deleted message when a wrong nickname is provided (gkapoor)
- PKI TRAC Ticket #2423 - pki_ca_signing_token when not specified does not fallback to pki_token_name value (edewata)
- PKI TRAC Ticket #2436 - Dogtag 10.3.6: Miscellaneous Enhancements (akasurde) - ticket remains open
- PKI TRAC Ticket #2439 - Outdated deployment descriptors in upgraded server(edewata)

- PKI TRAC Ticket #690 - [MAN] pki-tools man pages (mharmsen) - CMCEnroll
- PKI TRAC Ticket #833 - pki user-mod fullName="" gives an error message "PKIException: LDAP error (21): error result" (edewata)
- PKI TRAC Ticket #2431 - Errors noticed during ipa server upgrade. (cheimes, edewata, mharmsen)
- PKI TRAC Ticket #2432 - Kra-selftest behavior is not as expected (edewata)
- PKI TRAC Ticket #2436 - Dogtag 10.3.6: Miscellaneous Enhancements (edewata, mharmsen)
- PKI TRAC Ticket #2437 - TPS UI: while adding certs for users from TPSUI pem format with/without header works while pkcs7 with header is not allowed (edewata)
- PKI TRAC Ticket #2440 - Optional CA signing CSR for migration (edewata)

- Bugzilla Bug #1366465 - Errata TPS upgrade test fails

- PKI TRAC Ticket #978 - TPS connector man page: add revocation routing info (cfu)
- PKI TRAC Ticket #1285 - [MAN] Apply 'generateCRMFRequest() removed from Firefox' workarounds to appropriate 'pki' man page (jmagne)
- PKI TRAC Ticket #2246 - [MAN] Man Page: AuditVerify (cfu)
- PKI TRAC Ticket #2381 - Throws exception while providing invalid module. (edewata)
- PKI TRAC Ticket #2383 - CLI :: pki client-cert-request --extractable should accept only boolean value (edewata)
- PKI TRAC Ticket #2389 - Installation: subsystem certs could have notAfter beyond CA signing cert in case of external or existing CA (cfu)
- PKI TRAC Ticket #2399 - Dogtag 10.3.5: Miscellaneous Enhancements (akasurde, alee, cheimes, edewata, jmagne, mharmsen)
- PKI TRAC Ticket #2401 - pkispawn calls dnsdomainname even if it does not rpm-require hostname (mharmsen)
- PKI TRAC Ticket #2402 - Conflict in file ownership in pki-base and pki-server (cheimes)
- PKI TRAC Ticket #2403 - Deployment problem with RESTEasy 3.0.17 (edewata)
- PKI TRAC Ticket #2406 - Make starting CRL Number configurable (jmagne)
- PKI TRAC Ticket #2412 - pki client-cert-import --trust option does not apply the specified trust bits (alee)
- PKI TRAC Ticket #2418 - [TPS] Some template substitution didn't happen during installation (alee)
- PKI TRAC Ticket #2420 - CA subsystem OSCP responder fails when LWCAs are not used (ftweedal)
- PKI TRAC Ticket #2421 - Incorrect SELinux contexts Installation/Configuration (edewata)
- PKI TRAC Ticket #2424 - ipa-ca-install fails on replica when IPA server is converted from CA-less to CA-full (edewata)
- PKI TRAC Ticket #2428 - broken request links for CA's system certs in agent request viewing (cfu)
- PKI TRAC Ticket #2430 - CA Agent certificate list is not sorted by serial number in migration case (jmagne)
- PKI TRAC Ticket #2431 - Errors noticed during ipa server upgrade. (mharmsen)
- PKI TRAC Ticket #2433 - Lightweight CA GET /chain returns bogus PEM data (ftweedal)

- PKI TRAC Ticket #691 - [MAN] pki-server man pages (mharmsen)
- PKI TRAC Ticket #1114 - [MAN] Generting Symmetric key fails with key-generate when --usages verify is passed (jmagne)
- PKI TRAC Ticket #1306 - [RFE] Add granularity to token termination in TPS (cfu)
- PKI TRAC Ticket #1308 - [RFE] Provide ability to perform off-card key generation for non-encryption token keys (cfu)
- PKI TRAC Ticket #1405 - [MAN] Add additional HSM details to 'pki_default.cfg' & 'pkispawn' man pages (mharmsen)
- PKI TRAC Ticket #1607 - [MAN] man pkispawn has inadequate description for shared vs non shared tomcat instance installation (mharmsen)
- PKI TRAC Ticket #1664 - [BUG] Add ability to disallow TPS to enroll a single user on multiple tokens. (jmagne)
- PKI TRAC Ticket #1711 - CLI :: pki-server ca-cert-request-find throws IOError (edewata, ftweedal)
- PKI TRAC Ticket #2285 - freeipa fails to start correctly after pki-core update on upgraded system (ftweedal)
- PKI TRAC Ticket #2311 - When pki_token_name=Internal, consider normalizing it to "internal" (mharmsen)
- PKI TRAC Ticket #2349 - Separated TPS does not automatically receive shared secret from remote TKS (jmagne)
- PKI TRAC Ticket #2364 - CLI :: pki-server ca-cert-request-show throws attribute error (ftweedal)
- PKI TRAC Ticket #2368 - pki-server subsystem subcommands throws error with --help option (edewata)
- PKI TRAC Ticket #2374 - KRA cloning overwrites CA signing certificate trust flags (edewata)
- PKI TRAC Ticket #2380 - Pki-server instance commands throws exception while specifying invalid parameters. (edewata)
- PKI TRAC Ticket #2384 - CA installation with HSM prompts for HSM password during silent installation (edewata)
- PKI TRAC Ticket #2385 - Upgraded CA lacks ca.sslserver.certreq in CS.cfg (ftweedal)
- PKI TRAC Ticket #2387 - Add config for default OCSP URI if none given (ftweedal)
- PKI TRAC Ticket #2388 - CA creation responds 500 if certificate issuance fails (ftweedal)
- PKI TRAC Ticket #2389 - Installation: subsystem certs could have notAfter beyond CA signing cert in case of external or existing CA (cfu)
- PKI TRAC Ticket #2390 - Dogtag 10.3.4: Miscellaneous Enhancements (akasurde, edewata)

- PKI TRAC Ticket #2373 - Fedora 25: RestEasy 3.0.6 ==> 3.0.17 breaks pki-core (ftweedal)

- Updated release number to 10.3.3-1

- Updated version number to 10.3.3-0.1

- Provided cleaner runtime dependency separation

- Updated tomcatjss version dependencies

- Updated 'java', 'java-headless', and 'java-devel' dependencies to 1:1.8.0.

- Updated tomcat version dependencies

- Updated version number to 10.3.2-1

- Updated version number to 10.3.2-0.1

- Updated version number to 10.3.1-1 (to allow upgrade from 10.3.0.b1)

- Updated version number to 10.3.0-1

- Build for F24 beta

- PKI TRAC Ticket #2255 - PKCS #12 backup does not contain trust attributes.

- Updated build for F24 alpha

- PKI TRAC Ticket #1625 - Allow multiple ACLs of same name (union of rules) [ftweedal]
- PKI TRAC Ticket #2237 - Add CRL dist points extension to OIDMap unconditionally [edewata]
- PKI TRAC Ticket #1803 - Removed unnecessary URL encoding for admin cert request. [edewata]
- PKI TRAC Ticket #1742 - Added support for cloning 3rd-party CA certificates. [edewata]
- PKI TRAC Ticket #1482 - Added TPS token filter dialog. [edewata]
- PKI TRAC Ticket #1808 - Fixed illegal token state transition via TEMP_LOST. [edewata]

- Build for F24 alpha

- PKI Trac Ticket #1399 - Move java components out of pki-base

- PKI TRAC Ticket #1850 - Rename DRMTool --> KRATool

- PKI TRAC Ticket #1714 - mod_revocator and mod_nss dependency for tps should be removed

- PKI TRAC Ticket #1623 - Runtime dependency on python-nss is missing

- Updated version number to 10.3.0-0.1

- Added dep on tomcat-servlet-3.1-api [Fedora 23 and later] or dep on tomcat-servlet-3.0-api [Fedora 22 and later] to pki-tools
- Updated dep on tomcatjss [Fedora 23 and later]

- Updated dep on policycoreutils-python-utils [Fedora 23 and later]

- Updated version number to 10.2.7-0.1

- Update release number for release build

- Remove setup directory and remaining Perl dependencies

- Remove ExcludeArch directive

- Updated version number to 10.2.6-0.1

- Update release number for release build

- Resolves rhbz #1230970 - Errata TPS tests for rpm verification failed

- Updated version number to 10.2.5-0.1

- Update release number for release build

- Updated nuxwdog and tomcatjss requirements (alee)

- Updated version number to 10.2.4-0.1
- Added nuxwdog systemd files

- Update release number for release build

- Reverted version number back to 10.2.3-0.1
- Added support for Tomcat 8.

- Updated version number to 10.3.0-0.1

- Updated version number to 10.2.3-0.1

- Update release number for release build

- Updated version number to 10.2.2-0.1
- Moved web application deployment locations.
- Updated Resteasy and Jackson dependencies.
- Added missing python-lxml build dependency.

- Update release number for release build

- PKI TRAC Ticket #1187 - mod_perl should be removed from requirements for 10.2
- PKI TRAC Ticket #1205 - Outdated selinux-policy dependency.
- Removed perl(XML::LibXML), perl-Crypt-SSLeay, and perl-Mozilla-LDAP runtime dependencies

- Change resteasy dependencies for F22+

- Ticket 1198 Bugzilla 1158410 add TLS range support to server.xml by default and upgrade (cfu)
- PKI Trac Ticket #1211 - New release overwrites old source tarball (mharmsen)
- up the release number to 0.2

- Updated version number to 10.2.1-0.1.
- Added CLIs to simplify generating user certificates
- Added enhancements to KRA Python API
- Added a man page for pki ca-profile commands.
- Added python api docs

- Disable pylint dependency for RHEL builds
- Added jakarta-commons-httpclient requirements
- Added tomcat version for RHEL build
- Added resteasy-base-client for RHEL build

- PKI TRAC Ticket #1130 - Add RHEL/CentOS conditionals to spec

- Update release number for release build

- PKI TRAC Ticket #1017 - Rename pki-tps-tomcat to pki-tps

- Merged jmagne@redhat.com's spec file changes from the stand-alone 'pki-tps-client' package needed to build/run the native 'tpsclient' command line utility into this 'pki-core' spec file under the 'tps' package.
- Original tps libraries must be built to support this native utility.
- Modifies tps package from 'noarch' into 'architecture-specific' package

- PKI TRAC Ticket #1127 - Remove 'pki-ra', 'pki-setup', and 'pki-silent' packages . . .

- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild

- Respin to include the applet files with the rpm install. No change to spec file needed.

- Bugzilla Bug #1120045 - pki-core: Switch to java-headless (build)requires -- drop dependency on java-atk-wrapper
- Removed 'java-atk-wrapper' dependency from 'pki-server'

- PKI TRAC Ticket #832 - Remove legacy 'systemctl' files . . .

- Update rawhide build

- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild

- Use Requires: java-headless rebuild (#1067528)

- Added option to build without server packages.
- Replaced Jettison with Jackson.
- Added python-nss build requirement
- Bugzilla Bug #1057959 - pkispawn requires policycoreutils-python
- TRAC Ticket #840 - pkispawn requires policycoreutils-python
- Updated requirements for resteasy
- Added template files for archive, retrieve and generate key requests to the client package.

- Trac Ticket 788 - Clean up spec files
- Update release number for release build
- Updated requirements for resteasy

- Change release number for beta build

- Updated requirements for tomcat

- Removed additional /var/run, /var/lock references.

- Removed delivery of /var/lock and /var/run directories for fedora 20.

- Moved Tomcat-based TPS into pki-core.

- Listed new packages required during build, due to issues reported by pylint.
- Packages added: python-requests, python-ldap, libselinux-python, policycoreutils-python

- Added pylint scan to the build process.

- Added man pages for upgrade tools.

- Cleaned up the code to install man pages.

- Reorganized deployment tools.

- Bugzilla Bug 973224 - resteasy-base must be split into subpackages to simplify dependencies

- Updated dependencies to Java 1.7.

- TRAC Ticket 606 - add restart / start at boot info to pkispawn man page
- TRAC Ticket 610 - Document limitation in using GUI install
- TRAC Ticket 629 - Package ownership of '/usr/share/pki/etc/' directory

- Change release number for 10.1 development

- Fixed incorrect JNI_JAR_DIR.

- TRAC Ticket 605 Junit internal function used in TestRunner, breaks F19 build

- TRAC Ticket 604 Added fallback methods for pkispawn tests

- Added default pki.conf in /usr/share/pki/etc
- Create upgrade tracker on install and remove it on uninstall

- Change release number for official release.

- Added %pretrans script for f19
- Added java-atk-wrapper dependency

- Added pki-server-upgrade script and pki.server module.
- Call upgrade scripts in %post for pki-base and pki-server.

- Added dependency on commons-io.

- Add /var/log/pki and /var/lib/pki directories

- Run pki-upgrade on post server installation.

- Added dependency on python-lxml.

- Added pki-upgrade script.

- Updated version number to 10.0.2-0.1.

- Renamed base/deploy to base/server.
- Moved pki.conf into pki-base.
- Removed redundant pki/server folder declaration.

- Removed jython dependency

- Added minimum python-requests version.

- Bugzilla Bug #919476 - pkispawn crashes due to dangling symlink to jss4.jar

- Added dependency on python-requests.
- Reorganized Python module packaging.

- Added dependency on python-ldap.

- TRAC Ticket #517 - Clean up theme dependencies
- TRAC Ticket #518 - Remove UI dependencies from pkispawn . . .

- Removed runtime dependency on 'pki-server-theme' to resolve Bugzilla Bug #916134 - unresolved dependency in pki-server: pki-server-theme

- TRAC Ticket 214 - Missing error description for duplicate user
- TRAC Ticket 213 - Add nonces for cert revocation
- TRAC Ticket 367 - pkidestroy does not remove connector
- TRAC Ticket #430 - License for 3rd party code
- Bugzilla Bug 839426 - [RFE] ECC CRL support for OCSP
- Fix spec file to allow f17 to work with latest tomcatjss
- TRAC Ticket 466 - Increase root CA validity to 20 years
- TRAC Ticket 469 - Fix tomcatjss issue in spec files
- TRAC Ticket 468 - pkispawn throws exception
- TRAC Ticket 191 - Mapping HTTP Exceptions to HTTP error codes
- TRAC Ticket 271 - Dogtag 10: Fix 'status' command in 'pkidaemon' . . .
- TRAC Ticket 437 - Make admin cert p12 file location configurable
- TRAC Ticket 393 - pkispawn fails when selinux is disabled
- Punctuation and formatting changes in man pages
- Revert to using default config file for pkidestroy
- Hardcode setting of resteasy-lib for instance
- TRAC Ticket 436 - Interpolation for pki_subsystem
- TRAC Ticket 433 - Interpolation for paths
- TRAC Ticket 435 - Identical instance id and instance name
- TRAC Ticket 406 - Replace file dependencies with package dependencies

- TRAC Ticket #430 - License for 3rd party code

- TRAC Ticket #469 - Dogtag 10: Fix tomcatjss issue in pki-core.spec and dogtag-pki.spec . . .
- TRAC Ticket #468 - pkispawn throws exception

- Replaced file dependencies with package dependencies

- Updated man pages

- Update to official release for rc1

- TRAC Ticket #315 - Man pages for pkispawn/pkidestroy.
- Added place-holders for 'pki.1' and 'pki_default.cfg.5' man pages.

- Added system-wide configuration /etc/pki/pki.conf.
- Removed redundant lines in %files.

- Moved default deployment configuration to /etc/pki.

- Cleaned up spec file to provide only support rhel 7+, f17+
- Added resteasy-base dependency for rhel 7
- Update cmake version

- Update release to b3

- Removed dependency on CA, KRA, OCSP, TKS theme packages.

- Renamed pki-common-theme to pki-server-theme.

- TRAC Ticket #395 - Dogtag 10: Add a Tomcat 7 runtime requirement to 'pki-server'

- Update release to b2

- TRAC Ticket #350 - Dogtag 10: Remove version numbers from PKI jar files . . .

- Added Obsoletes for pki-selinux

- Remove build of pki-selinux for f18, use system policy instead

- Update required tomcatjss version
- Added net-tools dependency

- Update selinux-policy version to fix error from latest policy changes

- Fix typo in selinux policy versions

- Added build requires for correct version of selinux-policy-devel

- Update release to b1

- Merged pki-silent into pki-server.

- Renamed "shared" folder to "server".

- Added required selinux versions for new policy.

- Added Provides to packages replacing obsolete packages.

- Update release to a2

- Modified CMake to use RPM version number

- Added VERSION file

- Merged pki-setup into pki-server

- Added Conflicts for IPA 2.X
- Added build requires for zip to work around mock problem

- TRAC Ticket #312 - Dogtag 10: Automatically restart any running instances upon RPM "update" . . .
- TRAC Ticket #317 - Dogtag 10: Move "pkispawn"/"pkidestroy" from /usr/bin to /usr/sbin . . .

- Fixed pki-server to include everything in shared dir.

- Added build dependency on redhat-rpm-config.

- Merged Javadoc packages.

- Added pki-tomcat.jar.

- Moved webapp creation code into pkispawn.

- Split pki-client.jar into pki-certsrv.jar and pki-tools.jar.

- Merged pki-native-tools and pki-java-tools into pki-tools.
- Modified pki-server to depend on pki-tools.

- Split pki-common into pki-base and pki-server.
- Merged pki-util into pki-base.
- Merged pki-deploy into pki-server.

- Updated release of 'tomcatjss' to rely on Tomcat 7 for Fedora 17
- Changed Dogtag 10 build-time and runtime requirements for 'pki-deploy'
- Altered PKI Package Dependency Chain (top-to-bottom): pki-ca, pki-kra, pki-ocsp, pki-tks --> pki-deploy --> pki-common

- Added pki-client.jar.

- Merged pki-jndi-realm.jar into pki-cmscore.jar.

- PKI TRAC Task #254 - Dogtag 10: Fix spec file to build successfully via mock on Fedora 17 . . .

- Moved 'pki-jndi-real.jar' link from 'tomcat6' to 'tomcat' (Tomcat 7)

- Updated release of 'tomcatjss' to rely on Tomcat 7 for Fedora 18

- Added CLI for REST services

- Integration of Tomcat 7
- Addition of centralized 'pki-tomcatd' systemd functionality to the PKI Deployment strategy
- Removal of 'pki_flavor' attribute

- BZ 813075 - selinux denial for file size access

- Bug 745278 - [RFE] ECC encryption keys cannot be archived

- Replaced candlepin-deps with resteasy

- Added option to build without Javadoc

- BZ 802396 - Change location of TOMCAT_LOG to match tomcat6 changes
- Corrected patch selected for selinux f17 rules

- Corrected 'junit' dependency check

- Initial attempt at PKI deployment framework described in 'http://pki.fedoraproject.org/wiki/PKI_Instance_Deployment'.

- Added support for pki-jndi-realm in tomcat6 in pki-common and pki-kra.
- Ticket #69.

- For 'mock' purposes, removed platform-specific logic from around the 'patch' files so that ALL 'patch' files will be included in the SRPM.

- Removed dependency on OSUtil.

- 'pki-selinux'
- Added platform-dependent patches for SELinux component
- Bugzilla Bug #739708 - Selinux fix for ephemeral ports (F16)
- Bugzilla Bug #795966 - pki-selinux policy is kind of a mess (F17)

- Added dependency on Apache Commons Codec.

- Add '-DSYSTEMD_LIB_INSTALL_DIR' override flag to 'cmake' to address changes in fundamental path structure in Fedora 17
- 'pki-setup'
- Hard-code Perl dependencies to protect against bugs such as Bugzilla Bug #772699 - Adapt perl and python fileattrs to changed file 5.10 magics
- 'pki-selinux'
- Bugzilla Bug #795966 - pki-selinux policy is kind of a mess

- Integrated 'pki-kra' into 'pki-core'
- Integrated 'pki-ocsp' into 'pki-core'
- Integrated 'pki-tks' into 'pki-core'
- Bugzilla Bug #788787 - added 'junit'/'junit4' build-time requirements

- Updated package version number

- Added resteasy-jettison-provider-2.3-RC1.jar to pki-setup

- Added JUnit tests

- 'pki-setup'
- 'pki-symkey'
- 'pki-native-tools'
- 'pki-util'
- Bugzilla Bug #737122 - DRM: during archiving and recovering, wrapping unwrapping keys should be done in the token (cfu)
- 'pki-java-tools'
- 'pki-common'
- Bugzilla Bug #744797 - KRA key recovery (retrieve pkcs#12) fails after the in-place upgrade( CS 8.0->8.1) (cfu)
- 'pki-selinux'
- 'pki-ca'
- Bugzilla Bug #746367 - Typo in the profile name. (jmagne)
- Bugzilla Bug #737122 - DRM: during archiving and recovering, wrapping unwrapping keys should be done in the token (cfu)
- Bugzilla Bug #749927 - Java class conflicts using Java 7 in Fedora 17 (rawhide) . . . (mharmsen)
- Bugzilla Bug #749945 - Installation error reported during CA, DRM, OCSP, and TKS package installation . . . (mharmsen)
- 'pki-silent'

- Bugzilla Bug #734590 - Refactor JNI libraries for Fedora 16+ . . . (mharmsen)
- Bugzilla Bug #699809 - Convert CS to use systemd (alee)
- 'pki-setup'
- Bugzilla Bug #730146 - SSL handshake picks non-FIPS ciphers in FIPS mode (cfu)
- Bugzilla Bug #737192 - Need script to upgrade proxy configuration (alee)
- 'pki-symkey'
- Bugzilla Bug #730162 - TPS/TKS token enrollment failure in FIPS mode (hsm+NSS). (jmagne)
- 'pki-native-tools'
- Bugzilla Bug #730801 - Coverity issues in native-tools area (awnuk)
- Bugzilla Bug #730146 - SSL handshake picks non-FIPS ciphers in FIPS mode (cfu)
- 'pki-util'
- Bugzilla Bug #730146 - SSL handshake picks non-FIPS ciphers in FIPS mode (cfu)
- 'pki-java-tools'
- 'pki-common'
- Bugzilla Bug #730146 - SSL handshake picks non-FIPS ciphers in FIPS mode (cfu)
- Bugzilla Bug #737218 - Incorrect request attribute name matching ignores request attributes during request parsing. (awnuk)
- Bugzilla Bug #730162 - TPS/TKS token enrollment failure in FIPS mode (hsm+NSS). (jmagne)
- 'pki-selinux'
- Bugzilla Bug #739708 - pki-selinux lacks rules in F16 (alee)
- 'pki-ca'
- Bugzilla Bug #712931 - CS requires too many ports to be open in the FW (alee)
- Bugzilla Bug #730146 - SSL handshake picks non-FIPS ciphers in FIPS mode (cfu)
- 'pki-silent'
- Bugzilla Bug #739201 - pkisilent does not take arch into account as Java packages migrated to arch-dependent directories (mharmsen)

- 'pki-setup'
- Bugzilla Bug #734590 - Refactor JNI libraries for Fedora 16+ . . .
- 'pki-symkey'
- Bugzilla Bug #734590 - Refactor JNI libraries for Fedora 16+ . . .
- 'pki-native-tools'
- 'pki-util'
- Bugzilla Bug #734590 - Refactor JNI libraries for Fedora 16+ . . .
- 'pki-java-tools'
- Bugzilla Bug #734590 - Refactor JNI libraries for Fedora 16+ . . .
- 'pki-common'
- Bugzilla Bug #734590 - Refactor JNI libraries for Fedora 16+ . . .
- 'pki-selinux'
- 'pki-ca'
- Bugzilla Bug #734590 - Refactor JNI libraries for Fedora 16+ . . .
- Bugzilla Bug #699809 - Convert CS to use systemd (alee)
- 'pki-silent'
- Bugzilla Bug #734590 - Refactor JNI libraries for Fedora 16+ . . .

- 'pki-setup'
- Bugzilla Bug #699809 - Convert CS to use systemd (alee)
- 'pki-ca'
- Bugzilla Bug #699809 - Convert CS to use systemd (alee)
- 'pki-common'
- Bugzilla Bug #699809 - Convert CS to use systemd (alee)

- 'pki-setup'
- Bugzilla Bug #712931 - CS requires too many ports to be open in the FW (alee)
- 'pki-symkey'
- 'pki-native-tools'
- Bugzilla Bug #717643 - Fopen without NULL check and other Coverity issues (awnuk)
- Bugzilla Bug #730801 - Coverity issues in native-tools area (awnuk)
- 'pki-util'
- 'pki-java-tools'
- 'pki-common'
- Bugzilla Bug #700522 - pki tomcat6 instances currently running unconfined, allow server to come up when selinux disabled (alee)
- Bugzilla Bug #731741 - some CS.cfg nickname parameters not updated correctly when subsystem cloned (using hsm) (alee)
- Bugzilla Bug #712931 - CS requires too many ports to be open in the FW (alee)
- 'pki-selinux'
- Bugzilla Bug #712931 - CS requires too many ports to be open in the FW (alee)
- 'pki-ca'
- Bugzilla Bug #712931 - CS requires too many ports to be open in the FW (alee)
- 'pki-silent'

- 'pki-setup'
- Bugzilla Bug #689909 - Dogtag installation under IPA takes too much time - remove the inefficient sleeps (alee)
- 'pki-symkey'
- 'pki-native-tools'
- 'pki-util'
- 'pki-java-tools'
- Bugzilla Bug #724861 - DRMTool: fix duplicate "dn:" records by renumbering "cn=" (mharmsen)
- 'pki-common'
- Bugzilla Bug #717041 - Improve escaping of some enrollment inputs like (jmagne, awnuk)
- Bugzilla Bug #689909 - Dogtag installation under IPA takes too much time - remove the inefficient sleeps (alee)
- Bugzilla Bug #708075 - Clone installation does not work over NAT (alee)
- Bugzilla Bug #726785 - If replication fails while setting up a clone it will wait forever (alee)
- Bugzilla Bug #728332 - xml output has changed on cert requests (awnuk)
- Bugzilla Bug #700505 - pki tomcat6 instances currently running unconfined (alee)
- 'pki-selinux'
- Bugzilla Bug #700505 - pki tomcat6 instances currently running unconfined (alee)
- 'pki-ca'
- Bugzilla Bug #728605 - RFE: increase default validity from 6mo to 2yrs in IPA profile (awnuk)
- 'pki-silent'
- Bugzilla Bug #689909 - Dogtag installation under IPA takes too much time - remove the inefficient sleeps (alee)

- 'pki-setup'
- 'pki-symkey'
- 'pki-native-tools'
- 'pki-util'
- Bugzilla Bug #719007 - Key Constraint keyParameter being ignored using an ECC CA to generate ECC certs from CRMF. (jmagne)
- Bugzilla Bug #716307 - rhcs80 - DER shall not include an encoding for any component value which is equal to its default value (alee)
- 'pki-java-tools'
- 'pki-common'
- Bugzilla Bug #720510 - Console: Adding a certificate into nethsm throws Token not found error. (jmagne)
- Bugzilla Bug #719007 - Key Constraint keyParameter being ignored using an ECC CA to generate ECC certs from CRMF. (jmagne)
- Bugzilla Bug #716307 - rhcs80 - DER shall not include an encoding for any component value which is equal to its default value (alee)
- Bugzilla Bug #722989 - Registering an agent when a subsystem is created - does not log AUTHZ_SUCCESS event. (alee)
- 'pki-selinux'
- 'pki-ca'
- Bugzilla Bug #719113 - Add client usage flag to caIPAserviceCert (awnuk)
- 'pki-silent'

- Updated release of 'jss'
- Updated release of 'tomcatjss' for Fedora 15
- 'pki-setup'
- Bugzilla Bug #695157 - Auditverify on TPS audit log throws error. (mharmsen)
- Bugzilla Bug #693815 - /var/log/tomcat6/catalina.out owned by pkiuser (jdennis)
- Bugzilla Bug #694569 - parameter used by pkiremove not updated (alee)
- Bugzilla Bug #669226 - Remove Legacy Build System (mharmsen)
- 'pki-symkey'
- Bugzilla Bug #695157 - Auditverify on TPS audit log throws error. (mharmsen)
- Bugzilla Bug #669226 - Remove Legacy Build System (mharmsen)
- 'pki-native-tools'
- Bugzilla Bug #695157 - Auditverify on TPS audit log throws error. (mharmsen)
- Bugzilla Bug #717765 - TPS configuration: logging into security domain from tps does not work with clientauth=want. (alee)
- Bugzilla Bug #669226 - Remove Legacy Build System (mharmsen)
- 'pki-util'
- Bugzilla Bug #695157 - Auditverify on TPS audit log throws error. (mharmsen)
- Bugzilla Bug #669226 - Remove Legacy Build System (mharmsen)
- 'pki-java-tools'
- Bugzilla Bug #695157 - Auditverify on TPS audit log throws error. (mharmsen)
- Bugzilla Bug #532548 - Tool to do DRM re-key (mharmsen)
- Bugzilla Bug #532548 - Tool to do DRM re-key (config file and record processing) (mharmsen)
- Bugzilla Bug #532548 - Tool to do DRM re-key (tweaks) (mharmsen)
- Bugzilla Bug #669226 - Remove Legacy Build System (mharmsen)
- 'pki-common'
- Bugzilla Bug #695157 - Auditverify on TPS audit log throws error. (mharmsen)
- Bugzilla Bug #695403 - Editing signedaudit or transaction, system logs throws 'Invalid protocol' for OCSP subsystems (alee)
- Bugzilla Bug #694569 - parameter used by pkiremove not updated (alee)
- Bugzilla Bug #695015 - Serial No. of a revoked certificate is not populated in the CA signedAudit messages (alee)
- Bugzilla Bug #694143 - CA Agent not returning specified request (awnuk)
- Bugzilla Bug #695015 - Serial No. of a revoked certificate is not populated in the CA signedAudit messages (jmagne)
- Bugzilla Bug #698885 - Race conditions during IPA installation (alee)
- Bugzilla Bug #704792 - CC_LAB_EVAL: CA agent interface: SubjectID=$Unidentified$ fails audit evaluation (jmagne)
- Bugzilla Bug #705914 - SCEP mishandles nicknames when processing subsequent SCEP requests. (awnuk)
- Bugzilla Bug #661142 - Verification should fail when a revoked certificate is added. (jmagne)
- Bugzilla Bug #707416 - CC_LAB_EVAL: Security Domain: missing audit msgs for modify/add (alee)
- Bugzilla Bug #707416 - additional audit messages for GetCookie (alee)
- Bugzilla Bug #707607 - Published certificate summary has list of non-published certificates with succeeded status (jmagne)
- Bugzilla Bug #717813 - EV_AUDIT_LOG_SHUTDOWN audit log not generated for tps and ca on server shutdown (jmagne)
- Bugzilla Bug #697939 - DRM signed audit log message - operation should be read instead of modify (jmagne)
- Bugzilla Bug #718427 - When audit log is full, server continue to function. (alee)
- Bugzilla Bug #718607 - CC_LAB_EVAL: No AUTH message is generated in CA's signedaudit log when a directory based user enrollment is performed (jmagne)
- Bugzilla Bug #669226 - Remove Legacy Build System (mharmsen)
- 'pki-selinux'
- Bugzilla Bug #695157 - Auditverify on TPS audit log throws error. (mharmsen)
- Bugzilla Bug #720503 - RA and TPS require additional SELinux permissions to run in "Enforcing" mode (alee)
- Bugzilla Bug #669226 - Remove Legacy Build System (mharmsen)
- 'pki-ca'
- Bugzilla Bug #695157 - Auditverify on TPS audit log throws error. (mharmsen)
- Bugzilla Bug #693815 - /var/log/tomcat6/catalina.out owned by pkiuser (jdennis)
- Bugzilla Bug #699837 - service command is not fully backwards compatible with Dogtag pki subsystems (mharmsen)
- Bugzilla Bug #649910 - Console: an auditor or agent can be added to an administrator group. (jmagne)
- Bugzilla Bug #707416 - CC_LAB_EVAL: Security Domain: missing audit msgs for modify/add (alee)
- Bugzilla Bug #716269 - make ra authenticated profiles non-visible on ee pages (alee)
- Bugzilla Bug #718621 - CC_LAB_EVAL: PRIVATE_KEY_ARCHIVE_REQUEST occurs for a revocation invoked by EE user (awnuk)
- Bugzilla Bug #669226 - Remove Legacy Build System (mharmsen)
- 'pki-silent'
- Bugzilla Bug #695157 - Auditverify on TPS audit log throws error. (mharmsen)
- Bugzilla Bug #669226 - Remove Legacy Build System (mharmsen)

- 'pki-setup'
- 'pki-symkey'
- 'pki-native-tools'
- 'pki-util'
- 'pki-java-tools'
- Added 'DRMTool.cfg' configuration file to inventory
- 'pki-common'
- 'pki-selinux'
- 'pki-ca'
- 'pki-silent'

- 'pki-setup'
- 'pki-symkey'
- 'pki-native-tools'
- 'pki-util'
- 'pki-java-tools'
- Bugzilla Bug #532548 - Tool to do DRM re-key
- 'pki-common'
- 'pki-selinux'
- 'pki-ca'
- 'pki-silent'

- 'pki-setup'
- Bugzilla Bug #693815 - /var/log/tomcat6/catalina.out owned by pkiuser
- Bugzilla Bug #694569 - parameter used by pkiremove not updated
- 'pki-symkey'
- 'pki-native-tools'
- 'pki-util'
- 'pki-java-tools'
- 'pki-common'
- Bugzilla Bug #695403 - Editing signedaudit or transaction, system logs throws 'Invalid protocol' for OCSP subsystems
- Bugzilla Bug #694569 - parameter used by pkiremove not updated
- Bugzilla Bug #695015 - Serial No. of a revoked certificate is not populated in the CA signedAudit messages
- Bugzilla Bug #694143 - CA Agent not returning specified request
- Bugzilla Bug #695015 - Serial No. of a revoked certificate is not populated in the CA signedAudit messages
- Bugzilla Bug #698885 - Race conditions during IPA installation
- 'pki-selinux'
- 'pki-ca'
- Bugzilla Bug #693815 - /var/log/tomcat6/catalina.out owned by pkiuser
- Bugzilla Bug #699837 - service command is not fully backwards compatible with Dogtag pki subsystems
- 'pki-silent'

- Bugzilla Bug #695157 - Auditverify on TPS audit log throws error.

- Bugzilla Bug #690950 - Update Dogtag Packages for Fedora 15 (beta)
- Bugzilla Bug #693327 - Missing requires: tomcatjss
- 'pki-setup'
- Bugzilla Bug #690626 - pkiremove removes the registry entry for all instances on a machine
- 'pki-symkey'
- 'pki-native-tools'
- 'pki-util'
- 'pki-java-tools'
- Bugzilla Bug #689453 - CRMFPopClient request to CA's unsecure port throws file not found exception.
- 'pki-common'
- Bugzilla Bug #692990 - Audit log messages needed to match CC doc: DRM Recovery audit log messages
- 'pki-selinux'
- 'pki-ca'
- 'pki-silent'

- Bugzilla Bug #693327 - Missing requires: tomcatjss

- Bugzilla Bug #690950 - Update Dogtag Packages for Fedora 15 (beta)
- Require "jss >= 4.2.6-15" as a build and runtime requirement
- Require "tomcatjss >= 2.1.1" as a build and runtime requirement for Fedora 15 and later platforms
- 'pki-setup'
- Bugzilla Bug #688287 - Add "deprecation" notice regarding using "shared ports" in pkicreate -help . . .
- Bugzilla Bug #688251 - Dogtag installation under IPA takes too much time - SELinux policy compilation
- 'pki-symkey'
- 'pki-native-tools'
- 'pki-util'
- 'pki-java-tools'
- Bugzilla Bug #689501 - ExtJoiner tool fails to join the multiple extensions
- 'pki-common'
- Bugzilla Bug #683581 - CA configuration with ECC(Default EC curve-nistp521) CA fails with 'signing operation failed'
- Bugzilla Bug #689662 - ocsp publishing needs to be re-enabled on the EE port
- 'pki-selinux'
- Bugzilla Bug #684871 - ldaps selinux link change
- 'pki-ca'
- Bugzilla Bug #683581 - CA configuration with ECC(Default EC curve-nistp521) CA fails with 'signing operation failed'
- Bugzilla Bug #684381 - CS.cfg specifies incorrect type of comments
- Bugzilla Bug #689453 - CRMFPopClient request to CA's unsecure port throws file not found exception.(profile and CS.cfg only)
- 'pki-silent'

- Bugzilla Bug #688763 - Rebase updated Dogtag Packages for Fedora 15 (alpha)
- Bugzilla Bug #676182 - IPA installation failing - Fails to create CA instance
- Bugzilla Bug #675742 - Profile caIPAserviceCert Not Found
- 'pki-setup'
- Bugzilla Bug #678157 - uninitialized variable warnings from Perl
- Bugzilla Bug #679574 - Velocity fails to load all dependent classes
- Bugzilla Bug #680420 - xml-commons-apis.jar dependency
- Bugzilla Bug #682013 - pkisilent needs xml-commons-apis.jar in its classpath
- Bugzilla Bug #673508 - CS8 64 bit pkicreate script uses wrong library name for SafeNet LunaSA
- 'pki-common'
- Bugzilla Bug #673638 - Installation within IPA hangs
- Bugzilla Bug #678715 - netstat loop fixes needed
- Bugzilla Bug #673609 - CC: authorize() call needs to be added to getStats servlet
- 'pki-selinux'
- Bugzilla Bug #674195: SELinux error message thrown during token enrollment
- 'pki-ca'
- Bugzilla Bug #673638 - Installation within IPA hangs
- Bugzilla Bug #673609 - CC: authorize() call needs to be added to getStats servlet
- Bugzilla Bug #676330 - init script cannot start service
- 'pki-silent'
- Bugzilla Bug #682013 - pkisilent needs xml-commons-apis.jar in its classpath

- 'pki-common'
- Bugzilla Bug #676051 - IPA installation failing - Fails to create CA instance
- Bugzilla Bug #676182 - IPA installation failing - Fails to create CA instance

- 'pki-common'
- Bugzilla Bug #674894 - ipactl restart : an annoy output line
- Bugzilla Bug #675179 - ipactl restart : an annoy output line

- Bugzilla Bug #673233 - Rebase pki-core to pick the latest features and fixes
- 'pki-setup'
- Bugzilla Bug #673638 - Installation within IPA hangs
- 'pki-symkey'
- 'pki-native-tools'
- 'pki-util'
- 'pki-java-tools'
- Bugzilla Bug #673614 - CC: Review of cryptographic algorithms provided by 'netscape.security.provider' package
- 'pki-common'
- Bugzilla Bug #672291 - CA is not publishing certificates issued using "Manual User Dual-Use Certificate Enrollment"
- Bugzilla Bug #670337 - CA Clone configuration throws TCP connection error.
- Bugzilla Bug #504056 - Completed SCEP requests are assigned to the "begin" state instead of "complete".
- Bugzilla Bug #504055 - SCEP requests are not properly populated
- Bugzilla Bug #564207 - Searches for completed requests in the agent interface returns zero entries
- Bugzilla Bug #672291 - CA is not publishing certificates issued using "Manual User Dual-Use Certificate Enrollment"
- Bugzilla Bug #673614 - CC: Review of cryptographic algorithms provided by 'netscape.security.provider' package
- Bugzilla Bug #672920 - CA console: adding policy to a profile throws 'Duplicate policy' error in some cases.
- Bugzilla Bug #673199 - init script returns control before web apps have started
- Bugzilla Bug #674917 - Restore identification of Tomcat-based PKI subsystem instances
- 'pki-selinux'
- 'pki-ca'
- Bugzilla Bug #504013 - sscep request is rejected due to authentication error if submitted through one time pin router certificate enrollment.
- Bugzilla Bug #672111 - CC doc: certServer.usrgrp.administration missing information
- Bugzilla Bug #583825 - CC: Obsolete servlets to be removed from web.xml as part of CC interface review
- Bugzilla Bug #672333 - Creation of RA agent fails in IPA installation
- Bugzilla Bug #674917 - Restore identification of Tomcat-based PKI subsystem instances
- 'pki-silent'
- Bugzilla Bug #673614 - CC: Review of cryptographic algorithms provided by 'netscape.security.provider' package

- Bugzilla Bug #656661 - Please Update Spec File to use 'ghost' on files in /var/run and /var/lock

- 'pki-symkey'
- Bugzilla Bug #671265 - pki-symkey jar version incorrect
- 'pki-common'
- Bugzilla Bug #564207 - Searches for completed requests in the agent interface returns zero entries

- Allow 'pki-native-tools' to be installed independently of 'pki-setup'
- Removed explicit 'pki-setup' requirement from 'pki-ca' (since it already requires 'pki-common')
- 'pki-setup'
- Bugzilla Bug #223343 - pkicreate: should add 'pkiuser' to nfast group
- Bugzilla Bug #629377 - Selinux errors during pkicreate CA, KRA, OCSP and TKS.
- Bugzilla Bug #555927 - rhcs80 - AgentRequestFilter servlet and port forwarding for agent services
- Bugzilla Bug #632425 - Port to tomcat6
- Bugzilla Bug #606946 - Convert Native Tools to use ldapAPI from OpenLDAP instead of the Mozldap
- Bugzilla Bug #638377 - Generate PKI UI components which exclude a GUI interface
- Bugzilla Bug #643206 - New CMake based build system for Dogtag
- Bugzilla Bug #658926 - org.apache.commons.lang class not found on F13
- Bugzilla Bug #661514 - CMAKE build system requires rules to make javadocs
- Bugzilla Bug #665388 - jakarta-* jars have been renamed to apache-*, pkicreate fails Fedora 14 and above
- Bugzilla Bug #23346 - Two conflicting ACL list definitions in source repository
- Bugzilla Bug #656733 - Standardize jar install location and jar names
- 'pki-symkey'
- Bugzilla Bug #638377 - Generate PKI UI components which exclude a GUI interface
- Bugzilla Bug #643206 - New CMake based build system for Dogtag
- Bugzilla Bug #644056 - CS build contains warnings
- 'pki-native-tools'
- template change
- Bugzilla Bug #606946 - Convert Native Tools to use ldapAPI from OpenLDAP instead of the Mozldap
- Bugzilla Bug #638377 - Generate PKI UI components which exclude a GUI interface
- Bugzilla Bug #643206 - New CMake based build system for Dogtag
- Bugzilla Bug #644056 - CS build contains warnings
- 'pki-util'
- Bugzilla Bug #615814 - rhcs80 - profile policyConstraintsCritical cannot be set to true
- Bugzilla Bug #224945 - javadocs has missing descriptions, contains empty packages
- Bugzilla Bug #621337 - Limit the received senderNonce value to 16 bytes.
- Bugzilla Bug #621338 - Include a server randomly-generated 16 byte senderNonce in all signed SCEP responses.
- Bugzilla Bug #621327 - Provide switch disabling algorithm downgrade attack in SCEP
- Bugzilla Bug #621334 - Provide an option to set default hash algorithm for signing SCEP response messages.
- Bugzilla Bug #635033 - At installation wizard selecting key types other than CA's signing cert will fail
- Bugzilla Bug #645874 - rfe ecc - add ecc curve name support in JSS and CS interface
- Bugzilla Bug #488253 - com.netscape.cmsutil.ocsp.BasicOCSPResponse ASN.1 encoding/decoding is broken
- Bugzilla Bug #551410 - com.netscape.cmsutil.ocsp.TBSRequest ASN.1 encoding/decoding is incomplete
- Bugzilla Bug #550331 - com.netscape.cmsutil.ocsp.ResponseData ASN.1 encoding/decoding is incomplete
- Bugzilla Bug #623452 - rhcs80 pkiconsole profile policy editor limit policy extension to 5 only
- Bugzilla Bug #638377 - Generate PKI UI components which exclude a GUI interface
- Bugzilla Bug #651977 - turn off ssl2 for java servers (server.xml)
- Bugzilla Bug #643206 - New CMake based build system for Dogtag
- Bugzilla Bug #661514 - CMAKE build system requires rules to make javadocs
- Bugzilla Bug #658188 - remove remaining references to tomcat5
- Bugzilla Bug #656733 - Standardize jar install location and jar names
- Bugzilla Bug #223319 - Certificate Status inconsistency between token db and CA
- Bugzilla Bug #531137 - RHCS 7.1 - Running out of Java Heap Memory During CRL Generation
- 'pki-java-tools'
- Bugzilla Bug #224945 - javadocs has missing descriptions, contains empty packages
- Bugzilla Bug #638377 - Generate PKI UI components which exclude a GUI interface
- Bugzilla Bug #659004 - CC: AuditVerify hardcoded with SHA-1
- Bugzilla Bug #643206 - New CMake based build system for Dogtag
- Bugzilla Bug #661514 - CMAKE build system requires rules to make javadocs
- Bugzilla Bug #662156 - HttpClient is hard-coded to handle only up to 5000 bytes
- Bugzilla Bug #656733 - Standardize jar install location and jar names
- 'pki-common'
- Bugzilla Bug #583822 - CC: ACL issues from CA interface CC doc review
- Bugzilla Bug #623745 - SessionTimer with LDAPSecurityDomainSessionTable started before configuration completed
- Bugzilla Bug #620925 - CC: auditor needs to be able to download audit logs in the java subsystems
- Bugzilla Bug #615827 - rhcs80 - profile policies need more than 5 policy mappings (seem hardcoded)
- Bugzilla Bug #224945 - javadocs has missing descriptions, contains empty packages
- Bugzilla Bug #548699 - subCA's admin certificate should be generated by itself
- Bugzilla Bug #621322 - Provide switch disabling SCEP support in CA
- Bugzilla Bug #563386 - rhcs80 ca crash on invalid inputs to profile caAgentServerCert (null cert_request)
- Bugzilla Bug #621339 - SCEP one-time PIN can be used an unlimited number of times
- Bugzilla Bug #583825 - CC: Obsolete servlets to be removed from web.xml as part of CC interface review
- Bugzilla Bug #629677 - TPS: token enrollment fails.
- Bugzilla Bug #621350 - Unauthenticated user can decrypt a one-time PIN in a SCEP request
- Bugzilla Bug #503838 - rhcs71-80 external publishing ldap connection pools not reliable - improve connections or discovery
- Bugzilla Bug #629769 - password decryption logs plain text password
- Bugzilla Bug #583823 - CC: Auditing issues found as result of CC - interface review
- Bugzilla Bug #632425 - Port to tomcat6
- Bugzilla Bug #586700 - OCSP Server throws fatal error while using OCSP console for renewing SSL Server certificate.
- Bugzilla Bug #621337 - Limit the received senderNonce value to 16 bytes.
- Bugzilla Bug #621338 - Include a server randomly-generated 16 byte senderNonce in all signed SCEP responses.
- Bugzilla Bug #607380 - CC: Make sure Java Console can configure all security relevant config items
- Bugzilla Bug #558100 - host challenge of the Secure Channel needs to be generated on TKS instead of TPS.
- Bugzilla Bug #489342 - com.netscape.cms.servlet.common.CMCOutputTemplate.java doesn't support EC
- Bugzilla Bug #630121 - OCSP responder lacking option to delete or disable a CA that it serves
- Bugzilla Bug #634663 - CA CMC response default hard-coded to SHA1
- Bugzilla Bug #621327 - Provide switch disabling algorithm downgrade attack in SCEP
- Bugzilla Bug #621334 - Provide an option to set default hash algorithm for signing SCEP response messages.
- Bugzilla Bug #635033 - At installation wizard selecting key types other than CA's signing cert will fail
- Bugzilla Bug #621341 - Add CA support for new SCEP key pair dedicated for SCEP signing and encryption.
- Bugzilla Bug #223336 - ECC: unable to clone a ECC CA
- Bugzilla Bug #539781 - rhcs 71 - CRLs Partitioned by Reason Code - onlySomeReasons ?
- Bugzilla Bug #637330 - CC feature: Key Management - provide signature verification functions (JAVA subsystems)
- Bugzilla Bug #223313 - should do random generated IV param for symmetric keys
- Bugzilla Bug #555927 - rhcs80 - AgentRequestFilter servlet and port fowarding for agent services
- Bugzilla Bug #630176 - Improve reliability of the LdapAnonConnFactory
- Bugzilla Bug #524916 - ECC key constraints plug-ins should be based on ECC curve names (not on key sizes).
- Bugzilla Bug #516632 - RHCS 7.1 - CS Incorrectly Issuing Multiple Certificates from the Same Request
- Bugzilla Bug #648757 - expose and use updated cert verification function in JSS
- Bugzilla Bug #638242 - Installation Wizard: at SizePanel, fix selection of signature algorithm; and for ECC curves
- Bugzilla Bug #451874 - RFE - Java console - Certificate Wizard missing e.c. support
- Bugzilla Bug #651040 - cloning shoud not include sslserver
- Bugzilla Bug #542863 - RHCS8: Default cert audit nickname written to CS.cfg files imcomplete when the cert is stored on a hsm
- Bugzilla Bug #360721 - New Feature: Profile Integrity Check . . .
- Bugzilla Bug #651916 - kra and ocsp are using incorrect ports to talk to CA and complete configuration in DonePanel
- Bugzilla Bug #642359 - CC Feature - need to verify certificate when it is added
- Bugzilla Bug #653713 - CC: setting trust on a CIMC cert requires auditing
- Bugzilla Bug #489385 - references to rhpki
- Bugzilla Bug #499494 - change CA defaults to SHA2
- Bugzilla Bug #623452 - rhcs80 pkiconsole profile policy editor limit policy extension to 5 only
- Bugzilla Bug #649910 - Console: an auditor or agent can be added to an administrator group.
- Bugzilla Bug #632425 - Port to tomcat6
- Bugzilla Bug #638377 - Generate PKI UI components which exclude a GUI interface
- Bugzilla Bug #651977 - turn off ssl2 for java servers (server.xml)
- Bugzilla Bug #653576 - tomcat5 does not always run filters on servlets as expected
- Bugzilla Bug #642357 - CC Feature- Self-Test plugins only check for validity
- Bugzilla Bug #643206 - New CMake based build system for Dogtag
- Bugzilla Bug #659004 - CC: AuditVerify hardcoded with SHA-1
- Bugzilla Bug #661196 - ECC(with nethsm) subca configuration fails with Key Type RSA Not Matched despite using ECC key pairs for rootCA & subCA.
- Bugzilla Bug #661889 - The Servlet TPSRevokeCert of the CA returns an error to TPS even if certificate in question is already revoked.
- Bugzilla Bug #663546 - Disable the functionalities that are not exposed in the console
- Bugzilla Bug #661514 - CMAKE build system requires rules to make javadocs
- Bugzilla Bug #658188 - remove remaining references to tomcat5
- Bugzilla Bug #649343 - Publishing queue should recover from CA crash.
- Bugzilla Bug #491183 - rhcs rfe - add rfc 4523 support for pkiUser and pkiCA, obsolete 2252 and 2256
- Bugzilla Bug #640710 - Current SCEP implementation does not support HSMs
- Bugzilla Bug #656733 - Standardize jar install location and jar names
- Bugzilla Bug #661142 - Verification should fail when a revoked certificate is added
- Bugzilla Bug #642741 - CS build uses deprecated functions
- Bugzilla Bug #670337 - CA Clone configuration throws TCP connection error
- Bugzilla Bug #662127 - CC doc Error: SignedAuditLog expiration time interface is no longer available through console
- 'pki-selinux'
- Bugzilla Bug #638377 - Generate PKI UI components which exclude a GUI interface
- Bugzilla Bug #643206 - New CMake based build system for Dogtag
- Bugzilla Bug #667153 - store nuxwdog passwords in kernel ring buffer - selinux changes
- 'pki-ca'
- Bugzilla Bug #583822 - CC: ACL issues from CA interface CC doc review
- Bugzilla Bug #620925 - CC: auditor needs to be able to download audit logs in the java subsystems
- Bugzilla Bug #621322 - Provide switch disabling SCEP support in CA
- Bugzilla Bug #583824 - CC: Duplicate servlet mappings found as part of CC interface doc review
- Bugzilla Bug #621602 - pkiconsole: Click on 'Publishing' option with admin privilege throws error "You are not authorized to perform this operation".
- Bugzilla Bug #583825 - CC: Obsolete servlets to be removed from web.xml as part of CC interface review
- Bugzilla Bug #583823 - CC: Auditing issues found as result of CC - interface review
- Bugzilla Bug #519291 - Deleting a CRL Issuing Point after edits throws 'Internal Server Error'.
- Bugzilla Bug #586700 - OCSP Server throws fatal error while using OCSP console for renewing SSL Server certificate.
- Bugzilla Bug #621337 - Limit the received senderNonce value to 16 bytes.
- Bugzilla Bug #621338 - Include a server randomly-generated 16 byte senderNonce in all signed SCEP responses.
- Bugzilla Bug #558100 - host challenge of the Secure Channel needs to be generated on TKS instead of TPS.
- Bugzilla Bug #630121 - OCSP responder lacking option to delete or disable a CA that it serves
- Bugzilla Bug #634663 - CA CMC response default hard-coded to SHA1
- Bugzilla Bug #621327 - Provide switch disabling algorithm downgrade attack in SCEP
- Bugzilla Bug #621334 - Provide an option to set default hash algorithm for signing SCEP response messages.
- Bugzilla Bug #539781 - rhcs 71 - CRLs Partitioned by Reason Code - onlySomeReasons ?
- Bugzilla Bug #637330 - CC feature: Key Management - provide signature verification functions (JAVA subsystems)
- Bugzilla Bug #555927 - rhcs80 - AgentRequestFilter servlet and port fowarding for agent services
- Bugzilla Bug #524916 - ECC key constraints plug-ins should be based on ECC curve names (not on key sizes).
- Bugzilla Bug #516632 - RHCS 7.1 - CS Incorrectly Issuing Multiple Certificates from the Same Request
- Bugzilla Bug #638242 - Installation Wizard: at SizePanel, fix selection of signature algorithm; and for ECC curves
- Bugzilla Bug #529945 - (Instructions and sample only) CS 8.0 GA release -- DRM and TKS do not seem to have CRL checking enabled
- Bugzilla Bug #609641 - CC: need procedure (and possibly tools) to help correctly set up CC environment
- Bugzilla Bug #509481 - RFE: support sMIMECapabilities extensions in certificates (RFC 4262)
- Bugzilla Bug #651916 - kra and ocsp are using incorrect ports to talk to CA and complete configuration in DonePanel
- Bugzilla Bug #511990 - rhcs 7.3, 8.0 - re-activate missing object signing support in RHCS
- Bugzilla Bug #651977 - turn off ssl2 for java servers (server.xml)
- Bugzilla Bug #489385 - references to rhpki
- Bugzilla Bug #499494 - change CA defaults to SHA2
- Bugzilla Bug #623452 - rhcs80 pkiconsole profile policy editor limit policy extension to 5 only
- Bugzilla Bug #649910 - Console: an auditor or agent can be added to an administrator group.
- Bugzilla Bug #632425 - Port to tomcat6
- Bugzilla Bug #638377 - Generate PKI UI components which exclude a GUI interface
- Bugzilla Bug #653576 - tomcat5 does not always run filters on servlets as expected
- Bugzilla Bug #642357 - CC Feature- Self-Test plugins only check for validity
- Bugzilla Bug #643206 - New CMake based build system for Dogtag
- Bugzilla Bug #661128 - incorrect CA ports used for revoke, unrevoke certs in TPS
- Bugzilla Bug #512496 - RFE rhcs80 - crl updates and scheduling feature
- Bugzilla Bug #661196 - ECC(with nethsm) subca configuration fails with Key Type RSA Not Matched despite using ECC key pairs for rootCA & subCA.
- Bugzilla Bug #649343 - Publishing queue should recover from CA crash.
- Bugzilla Bug #491183 - rhcs rfe - add rfc 4523 support for pkiUser and pkiCA, obsolete 2252 and 2256
- Bugzilla Bug #223346 - Two conflicting ACL list definitions in source repository
- Bugzilla Bug #640710 - Current SCEP implementation does not support HSMs
- Bugzilla Bug #656733 - Standardize jar install location and jar names
- Bugzilla Bug #661142 - Verification should fail when a revoked certificate is added
- Bugzilla Bug #668100 - DRM storage cert has OCSP signing extended key usage
- Bugzilla Bug #662127 - CC doc Error: SignedAuditLog expiration time interface is no longer available through console
- Bugzilla Bug #531137 - RHCS 7.1 - Running out of Java Heap Memory During CRL Generation
- 'pki-silent'
- Bugzilla Bug #627309 - pkisilent subca configuration fails.
- Bugzilla Bug #640091 - pkisilent panels need to match with changed java subsystems
- Bugzilla Bug #527322 - pkisilent ConfigureDRM should configure DRM Clone.
- Bugzilla Bug #643053 - pkisilent DRM configuration fails
- Bugzilla Bug #583754 - pki-silent needs an option to configure signing algorithm for CA certificates
- Bugzilla Bug #489385 - references to rhpki
- Bugzilla Bug #638377 - Generate PKI UI components which exclude a GUI interface
- Bugzilla Bug #651977 - turn off ssl2 for java servers (server.xml)
- Bugzilla Bug #640042 - TPS Installlation Wizard: need to move Module Panel up to before Security Domain Panel
- Bugzilla Bug #643206 - New CMake based build system for Dogtag
- Bugzilla Bug #588323 - Failed to enable cipher 0xc001
- Bugzilla Bug #656733 - Standardize jar install location and jar names
- Bugzilla Bug #645895 - pkisilent: add ability to select ECC curves, signing algorithm
- Bugzilla Bug #658641 - pkisilent doesn't not properly handle passwords with special characters
- Bugzilla Bug #642741 - CS build uses deprecated functions

- Bugzilla Bug #668839 - Review Request: pki-core
- Removed empty "pre" from "pki-ca"
- Consolidated directory ownership
- Corrected file ownership within subpackages
- Removed all versioning from NSS and NSPR packages

- Bugzilla Bug #668839 - Review Request: pki-core
- Added component versioning comments
- Updated JSS from "4.2.6-10" to "4.2.6-12"
- Modified installation section to preserve timestamps
- Removed sectional comments

- Initial revision.
(kwright@redhat.com & mharmsen@redhat.com)

10.5.16-3.el7

pki pki-certsrv.jar pki-cmsutil.jar pki-nsutil.jar java CACertClientExample.java CAClientExample.java lib commons-cli.jar commons-codec.jar commons-httpclient.jar commons-io.jar commons-lang.jar commons-logging.jar httpclient.jar httpcore.jar jackson-core-asl.jar jackson-jaxrs.jar jackson-mapper-asl.jar jackson-mrbean.jar jackson-smile.jar jackson-xc.jar jaxb-api.jar jss4.jar ldapjdk.jar pki-certsrv.jar pki-cmsutil.jar pki-nsutil.jar pki-tools.jar resteasy-atom-provider.jar resteasy-client.jar resteasy-jackson-provider.jar resteasy-jaxb-provider.jar resteasy-jaxrs-api.jar resteasy-jaxrs-jandex.jar resteasy-jaxrs.jar servlet.jar slf4j-api.jar slf4j-jdk14.jar

/usr/share/java/ /usr/share/java/pki/ /usr/share/pki/examples/ /usr/share/pki/examples/java/ /usr/share/pki/ /usr/share/pki/lib/

-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic

cpio xz 9 x86_64-redhat-linux-gnu

directory; ASCII text, with CRLF line terminators; (Zip archive data, at least v2.0 to extract); C source, ASCII text
iXE?]fr K};~j'7(-wuwOTurg!̖^@#wPa #gg:uWesl0ڧ,WF;fA ; { Y{,o>ys}?e&vCbb+"ſNΤ¡ C ob Ct\TJ2٪|ر<Ż8Ω6{5tE'NtY L6t7,߬?xi4w K,ḵ9X- /Zr5$ll-&,J<,OL|^oA^~QRJu )e&F7aSoi&*S,snh- E qȌő2pk/.ʶitāg/ViZ015m_< rT0i9HN)Lj 5.#js-S_N\4!!0wzps/ j`B8GrJ78 /syh$\5 EBUyP Bf(${t9|lWg"ko1fНbnVYj&~W{mt,>OR2ʪo-ӊdI{?|)Qh" bV63>[tꝃ?؃f"3hzV;-x,?aOڅntiLL9_%$?8uNnв_=RIhTOWTO!ќÑnA0M0`&*H2,SQ, ]W:Pϱ)ƞ>&[/Qg2ړc:v/|j6yU]>B(<үLa%ED$t]?r~q/li t2Yr4,9ڦ/NHa6vcuЎ xIk[eOv].| w޺`u׳ ,ΊT{fUb2Ξr\jQATɰ:=dܭݡ_b[ [yi00%[Cc\ cNAAZ L3 $`)Ru Wɸ%:a{$j '4^֋fp%/:>f6~.KD*<>Gޯ.3WseNoIM̬< swedMUP:FQB]@A/$$o;lk\LG̕R U]O0 0hI0fL=XކJ;OzBŐuCs1ӦC드.,FB#C!o(y4f,0)" $GhY.G9Γi#}".gTbꂀotp|L~L150\ݙr0fѶ-뙢tӻ9Ȩj(+d2 # 4}*\A$; 7FfUw&nt (k›b"l_czTݕ(~G@nd\2iGrFgY&Z-D0$gHqO[JqޟQRRZe83K1#};hipCwOMw% F%Q[\-}ys)e* H(vͳ43:bNH^odKGB*x6H7:;'A, n&Wd?}B-<`PR<f\w΢D:I*DZZލ-\i"z|_9GAp3fci&Qr[Р#N6 g>2qp.ΛK}In[AjMks,̧Pw*Tܔ<X0;d NMDbs^y33s`ӥ]20N[sIjVo:A66W>A;Jm/vfUs<]#h.Pw&Z$ӯ R0=&e\$\VzqI. >X΁Ҩ=e)k3VD2*л.V {u!_'оcb D ҭu#%ȞL\ch[-p8732CQ*賹{I-\F`U*d*Q 6,˕Qrg|±~[:Ÿ́1A1zʨMD%j4%NZ4#R@ JuR\u@:Ϩs*wtf u㊈\Ƴ+YpbDHsfXpΔSU#9(j* 3үCr*=0 $+qC{6Vtݱ̬JֻY V)W\u6w|{4Β4egN!EW7dPVԢ"Y71i1A~O+n TUQC\h'r)_h~ԹEYfڎ^,!ܹJiVYRtsΤ~3|$@8ay&4u=!'+|HO?4$Qbw\.Uug?pxX~ y8cJϕ*=1CT$e(]|4iPRXj$Tg/eJ6qű%ŎL2;l̘ۺ#b乿B}T" g<.To7-x{8$, 4 I*1-n+rr7-F N%igqUlaEApTM+{rI^dMp@H< ?")˂A,shu}"ʄްn^xY~i,r'ZL*!05!}|Y3NT;`zOʍzN ;z _̋ 8LuK[PYbg&ӝ"lX7S W-vКǭl?_Hu$~8eܦ;/ ry8t7Q#ws!́(r":j"b;I(uQ9?& Dۡ < }OF2HV 3v=fbэ Z` Vm!u[ cY}Xj#%7WW[|^' 4;[PeE.'\l']=l"@U$5:a08{NyL5YZܔx,'76\0؞5 tmw,׸whʅ$ x!dIQ_L0s<-8Ydzf'a>߭z?$W&J)%\YrOu\R$Ύ&L8RI|Q{:)[0ǃvKMPC= as3Ia tTҀ`+E1sF-#U ˢ֬5gn\B>i@1>0by>2$^+oQsMdQPT ̕ !sdi:mH[&{v%ab!Us~i:f"V_*oH9|UʎzzrnOY^O`GhLSdLxM-!aN,Jƺ&ı0̓HZ**Nq&yקwIFåI`gٖ5B0ĶI<l*7fw/*&/|el%yL!t#LptF %h\d,h6XN(i'Kғ >o2AFP.iiV&|XxcUc#d60J@qO=:cB {1Aac?92? 
Զӥ)HcXD;Ͽ3ӤI> Xz锢m]O*P(x.:i钞+bC `smV F(F:@G#Emr-P$R5.G<܇Tԙ_F;%Y᷹րp{%X/# ُBXYz<ӆ*.M@{im͠]17YvHdؽ^fwڵ,+5[EV۽`8s׌ʸPn~Su c^Q)D8q\*lj_w;8`S,* px%>6FG)v8Z!i@rc[lz1}ܥk/NYq3F|+a0mm4Aj VΜE5J+Oy +*:N—f: TE~{Vm#v{ONDZN]xXumoЋø"3kJ6ƞDgcv|1HiX6rP?vZpvάcH870cH 5qgPt|H f#S./BB8*Q,iG"zBap$}3OT-ӥ3#[6Uvw=?.8=0L:T]k l2%Ynt{p0*Òk? nu$R/,hb~9b$CE@iӂl-%{eXC|}Zu ?Q (^7GA 32=XgMP1[5z^)Ǎg"398otX`FPKLRq+툭;5h^`He=V ato5&='^Ua?.p|yx=%N|lWҳ-Zÿ1xu{)[<6+M"-'/Ͷ=e6]mhTNa+XހGN av#@)yҨaq~rgow*lKš=7S FH'htT$X]8ijzA`'ӽC_+K(5P 0rEit΋|A֑\섯hO%l'omx|Me'~8ipŜU͒-D| BSp^ؒDv;TRgL ;H}r;,)\$f+ۼD& @bH{k|ZÅ(Qgĵ~ [ 59v<^c:Qɑ%ۊ@JٓW}„B!\/'Eϛ3г@7̰f` ~=vW:SB\^<-Z.QK@*v huxeD$\oY >HX_(3CySvM8%`YjE;v7'F/df)ΤAnTv"n_|V~_atޞ2yc`m@  G$OFӏM}$dkh"an@VN0c1R[scWM X|W xӭ%TGʺw~ '-:wo\VMZJ0OBK: `ϸb-N8"Y3aF{C"rG>^9W^<6JAؒ~凍, b) 1O /8[xBUHU>ؼ5cd^{RD-N`|]>mϒeb7T/A4ONE:X_n%)8ty-x t:Cs}$CwxWX*gJ'*خ'Ro\[8%$LM 4ʤ$}v;RnHJ Cogw|?P O,T>D.nv{u$OSO%~=9eMD#Vl[|;*+%~LݪKՅ&PIl< δ(K$Ɠ{ׄ,\xoxFsw/ ­#i/D z#ig;}-O ' >-piP?j$%be`S`o?pgC"Ywp$SEBK0yUb_ϻs+`;-MߑЗȿ ћ~(ڤOtE(I[)%g<m/2šIY1;}nFWZـ‚*4@AB T!}]Dd41^JLI"*.ЉY]+vt*;99'AT€Wh@?[܌8{J+ЦE.|-i qH&=A47!04Y8ٯM' P&17GBo&PN։DC\ ѿHӽ;syꢉ]o/'bO$sL4)pD@IGWspyJw! fp|GMOSpn/\`L"=m+{C|"BW UiwA{2̽c Nwcu "2`pCw1pM_Fun # sLyT՘d-Ttw٪ 8a%Ѽ?Hi|nBFb<ͯGBL)m56¯OXrP Z)$,۷ W<۟د4xp"Bfڅ(Lk sҦrZ  xڛ|jΤͥc_HL_t\jxEKJ_Hj }$RNtYܯfa*FngomU!hDt[a#D!|߱;> O_/z4돚4Jި Dڨ(ѶzFhPn֢rD8㽛}" 7lCWpҦslP/Ԋ,s)[)MW3% ܲw}7+[9i i 5h{[K\+86p!YLU;ESga- EAƜӈ)VwS6{k8R6ԋFyR?5|€^0o2|'̐iEql扈G3`eqaSHH&<}MV6q@CjGEeVmc_ȆwL',ǟE]cUB (w*\=<й2Y`3.+wۛzȜHbOfo_2J&,k2?hl1r4+vʴj`fC+ٹi<؊(Hz$Ά*O.ZY29tz_W\%3F ,)JFcr{_6oz 1U[PKSqkh;PNV4=vh2h J\ x*UQ狼XkKbfc*$:劉 ?ir'bzN9MŒzO V`9gLWsݪ)9@ *Lv=m!n(@aL;/Kc@Wz\-dy5.ShF6X! .Š//&ͲwS뢽)Y{H=1Ovi 3]1W6IpqWM;`R7N zN< #{rc%/AÈ^8yR.mdHW8KVZ1.+2h{NK. 
֓O̚}Z&e$gݛ]$$"w#Fki  Y~] P}.~ doraq\-JpWg%}os;q1_1}|2t ょ׀f]`yN-Ɓ q G닜 +:ķ3yW] V).BxvQQ--3w1t~|^gBZ!X0R# 1#Mh\f K=]%}|%hvGMw2b$T;̤a{+]G%G̎7$"&)« 3x Y?sYEħ߻k}U b ~]d1On׮Ublr WLJ΃N++ E"oWww{i,pUA )$W۰<۵2dK^ms&pn}sqۑ.ɱGfX^+mɓSKq?<O\85rs%v2 )F.[kzٺp~eX֮[XrND+GKN\uzߠeJJz` fLaKq<!xuz!>: Sy$ZEI >C N0z8^۩T?d9l?sߍމ.' A`2[_9Fʄ%+Sh=`Lh݌m^, O^Ͻe&J'(T[aQO6G#ȯh!?Mi1Ac7L,IP'iթjgy {2cQVpVyKJX=E4?z2F:_ôo$$~Ar5AC!GRAi+qKunZ5fYORg@w  :.J!;+ ໺ ~Fg^ J\3b9tF.%ْ1vQ7qUBH!+:/ #gea[6-}MڵTt.`5$pW [AGj 7;o᤮^fl+ p>~HL/p`K:{eCc{ ׋|,d>j B4iD y?1Wճ7.f <9]p%bf!~`_D{: OŎj/ol|R;4M~Q C6UFПebd?&;Ks?0V hQ8p l_fS#x{ pȋ*%Z-}t岆t3EK=R0=ݔJ;:7M N=9A}g(ƭ4CUsr0iCMʴ Z+:zB$[H*Nǧw #WUKnΓv9ן\'Vc+n-LA w"Zb4U`M7{ߙMF8N} y̱*TrYoTÕ?y íyFQAn/%Ԇ'?I?\rzF~(Y;+*P>9\~5c #G7;6lsr3#D܁k#q `xeYaX Y6 c]-RtC1VAgw:[3\ ?"0Yn續/ W@V|wbZ89;_0ݱ+I䈰1੤=[hYWp;2O՚`X s'Ruu.t{]N<phB{eK:^œۧȿ~' Ł|_PC2J+lT*"'vs\="@*E}UӮnDu%Fܢ>J糍-Ԧ6$ks?{ۻE,Ҭ\ZӃNabq OurȦT^%vm."3={8N@b,ZL@\Bk]fqsh6?Y@M뵫 kl@YɺfyaHb.b=9`< KFtÍ DS/p3̖{dSIJ2drZ'ThI g3O&ǩ2l>|cqD*[ ~&TEQHm*paG|cc@Cs _t]+Rt?<}N, q6hdR fhZt}Әpػ!։_|>$1Srhvx&ܲsYqTEЩъ Bl!=W# 1 =Hj>!mp+lI ZP6Ulfl fS#eGE,P5 u*C74fx}z{ ܡdو1RLOU$t`ૡ3-"lP2Xi܉\->B:k/\bP󋰨NZ{t]oa&B!7g}s D}z쬂iE2Rck֥~`M.׆27|ʎ2/>NA|N!]g7?T9^Zо+J?ҝkvZmͧ2Gz@!f)YMêQG ㍖ r< 6*ꌫ:Dye?xsFDqt.V wN1JxIi{_iou R aϧԍ |@+gnXymn<$AA(2ʏSJz2흰<ްN2܎/D{e%rWWsV.;j~>v¡}ۄ"$^&N?*ugg'9I&5SXkӵ) i\sHM12r"r{X=w)~_;]3I# 1/w䰌9pA^!EA =b8]w͕lHi4mW)&{l#E496&/WDn9h~Ri!IE:谣ކ2XPw$D:6ud/#pUqQҕ]8@Bb;:M..k;dz0$jҎSWg>!H/׫ )ζ"=ET^?Du*f FyFQzE|v1CW7gtޢ ;VE7(Î*fLYI-|N'#+*U  crM1sVi%޶? lmEB>Vߓ`fiix @gLozhT*S<݀HR'!Cp퓾ሠ? 7=):먼73Y'HC8'KaRu4нmKO.h00:πM  F%lP~Kn]*eo6\,֠ GEv^^Kf::IQ BMkƊ-^%Ex2gR! 
[ P2W"yRc]MaWڣ vcto-+k%X=R 'ó&=S~K ÆV>N:lx& Uvw hZ\yh%"ZīZbo=^.%gԎnP0#fGQ4kGۯOX;#!{EyqUyv?؇=AOh{cIKDxƑGПTB:NfK`by N:cLjt.?ٛu 7x"!5.(Ү\xv, *R fGObۡ՝pQXߜ'ԩA]i?6O]bĦ˺X/ yOcψ !~ @MUdf^Nҕ?rZN.-Y~oGHl@F=27fZH `g~B՚jGW?.gI^ֿHk{2P2@$Jm[=Wd((s^ 4դʎ6O]yd ) &~4o,$|)/z,nhUϻmf觚,¯X%gS M 4A_>`,4ul?@ CkpɏbZ&) 8X2nc /cն{}cLjg#Y XJ3NdȮVaSZm>j hbC#(2 0x!ďIJ ńsC" w}$|odKj\kyq#q2pA9 (O !4sG&ZRO%-tTˬFX7vL3׈ Bm@ z}k8&?MX,'omAk;&l˦7~0=2ydz:z\RGqy5؎ ਋H)Fk.xA$;uu2͜K*>w^*z`DǮry;D9cݢ`j+^jp-ީLcFܕ0>>Ğ? <|tJ߉d@6 _A7 7<1p^BvyP{ .ͱYbjR)|'M{W'y/}|M[t\^*'@@p0DmcPp/+C/NN3AD(pʜNN3=.I͂ԃw3IiQUO09.R gn(( zp+14}׽,has] QW|\E>f^--^z]tA1pz譻u%"JtۡL|{ϽJFňP[φ58;KU(yET6lf[**"H|ח>cP +Gk uJc>iA㩍;9sh ;+y͉3[׿~-vkޙGKf >+j# Po+dp{OH8$xD䱄Fzi]C%iq􏸯$a0=9s)%BڃO<>!po1j m6kFH9őb<\{6'xO6a`N>4rBd\A;JuNX؁32VU&iYȧ =(^UFud)TjdžXwKCM òdDXhwΦjl I%t<+%TUGn17BLB=&wQUCx͋W-:!Z,SIa7B918m8SLCΓu`Ck.RE< d?Z1pyq~:VN*`lo q{Xj,cjbnFpE-A18|"S"lUB@N*Kjٱ>eec-0,yh|L13}!Ae-1nN0lշPҲ^TA*㤀Wi+`Ϝ BS/c!~?'G#"3تIdhZU_ˎF?_/A-:f~& Hƀ #̎I5]g}SˮYL3f%^elA~ZIQNH.ֽxem ]1¯&ۖ*P섂/[,80Çjߏ5ꣾQ/.J -,79IwѸS1KS;{u"5$>JSPjAZry`g{R{Wr.z ⑰{|ϸb)ZKTL0"Sz= 岵1Z/b;(p. E;/+@X4neT}yK-88t5[6^>kG4ƇDp拊ϚWeQv17a۔$"W?#iNsz E*y3D b~,/xQr&2{YkQ[)&t9z K%&@ZШd%bZ5^˫2@{lM;3܇<p@_eQ3Sk/=Q:"O4o.j!@NX=bo\xwO مc[y\Y4ƾn'@qoJMUU12rMnS~XF]{[I;p(Ist(iCgI]?4Uk7st\?^n,jb%X ys9S"1~RQwC%"bWYoλX4 !0_KQg X `3\ډ#R9en+3 uez5̽t-Za6[|'tpb]KcơJg+0ObFhY &Ǒ`p~.rZT\ f&!.&*MM/_rx\"ToՕ|F i%yRۂljuWcC%KڷaG>:;vwCvڛeIhՕ2#|59^ҤW# NS'a4qosΠ:&I>RIH뻬5"/Ǟe.#ĽIlb\/]csy<]*D^X<?WY@qy?=|\ݮow]LNB׍z"9Pta ?&٫`8<NE}/: aKYBc +?ypR;ߥEõ$a?YL™R/.ͷZ\&*a9ў+Sl1lǏhEs(0 ٥q͸B5*c+-!I MLg+NǐvT1(;zcυcy-kWZyK<‚9*h:OvzIy`O rhM ++W[guǗiL6e&{JRўzwpZ*7x1lZX}Z"Ѳ?`v,UK?3+< 8nEN]ҒR u?=NjG]Vf0 g4>Į(;e(x9: !L4&]})(|U3,Ż?CZpc GnkdO-]'ى;ɳ;j5-Z'nU=%(:G K-ɣ@Bl75zv| B~2]e[SY'O'^6Hì!Q=3,J*Z"0&ide\Uv9rɡFم5NcD I!1v5!w1^_S ,Z -b)ELאlW4 \J 4EXzJ̇18[Cea@Jyej -T 4epvGfod*Z/M<+G{=} ϷrM/ }-3ȎaAXآ@VTmOgo+_uV ւvXvl9׌/GL&Zj ϕX\7G?( HO. \b;c!Qy*Vk]#] Nj΂!U. 
=:솳;(+;!,J04fz IQ& :#DUG~82|Z{_uQ'Bw,&2&}^Sez&Qןg:HQ>>c>FNR<EyнA>ZP i) "Tr+fqRnYaF %=Z/@L2#b.PW]'b8R;!ތ7BlHˉ.._6@W|)M>M-Qe<ڍ$g/VzQ"R9PT{A;Qz@3Jg/!'sJ]"M_/*!osuE tuJfߣocS,1 74kQW?1TZW(̄f˪@26L hsgj ?/~IwDI+Ѣ,g$9ǸUm-Ƒ n*6;Lz\PbCCCؖ*[&_bF8T,!m̚FתhŽ}CԊo~ R԰[4ԜߠIg|[J`  0LҎb`)c [ ^1zPNSVJ&ڒAylv녒&o\ϼuf9fFXyxf0^ )Lln?!sNc~Kv89RmaCvݳiy$|sE1!CpoO=mN8T ]oѩ-E"T}.0 vVݱNSrHo/AY:EEUm JDVCߦ \rKJYzN*r] +tIF^xzGM&?/**Zwϔɖv#R{zLm$9o%rDjw%muUk&_ӷ~rijlohmτDA~IV$R)-$? XtXZ ۊړآ}mEm?% N&T!:khG鑁 EKL%aJ}КZJ}-%Wy*WʓvՀWܸD Y7y}\YgØl$ӯb+ GJ73l?#BY7Ho@L w8haPZqЌc8]`WB>Ie3׵C~%Uo%C3z_l%u*ɇJa-Xtܿ,VckZ{/N+쐯fN?odzsEqIʹ"i+I+ЙyAaTr䬠^2ƛVd>R2SЁ2Z:F^|o_ L.Z!~n^gwkuEcF-G3ʡ)bJAr+~uXCaG%d'=0j!wO4QH%+[3Tj.!`LTVT3+H6~*-D=).&Ⱦmc []ob+v~Cn#9f밸_ŝ4omwk32y/'PCKi?\ xmRJ>rhNPwBչgw+ Y dHBXEV\;ٗu ΤXx j$W&tR߳#O(ȁ8"CKt Hn Ek.T,h!#ed:}$\*h0reJh1=+/I`_v%߁^~=C'餓KU>ue)FfgrJ@Q7thUY{1% &zZ3>#Lh$%sc,a%4ҥ- vY^[OؠSUiH=8*]ysRvx{ri;jgGqʷKo7DIk_]1s|y-b('@\r+PQp}5mQmi>U>Eޕc󨼸 ,҅8[VΆ5ՕQI"N N':`,C˟hݻF]jw ߹P2?ur/ALY?$^krQqlbت-GI41##`9ew?Ag="|(-Ẑ~1g﬋I#bKpՃY夂CKNIg& 3tU5 V4mbѠA@y2{X.;k}ͳX #zxY#8X1K4]ގhQ6 O|oӲ b\' |[ck3]f>*Kx޳:(X>3fë^HWMEMIR̿"ի d{6PǛM CQ-!k"P|WwG_^PRˢ'IN+ JlMofRzKlHpLTF*$]rT".pyH{auʐ|"]&C-$&O1ƙ`A〶*$p rI*f𢏬N؋izH_@[YĆ?x^.ܢЊCC9uC ("c>rT'A'W'P=hq\$ܷTD,G8 ͩB3{[_ݕy25e䁩y⋓[l*c5]HȺ6Y<.^ŏ[8WfFӁia[5]ў_K43_)aO$lE%do/APn5ˁ`9klcW;/:-\i*,e9zPxxW|DJ]ԡ ݛܤ>SՖ(*;Z8-4iJ SjiL,kU "Ci[P !?dd30i>t6]ozlsv]xʑ%iQYQZLxpNK's֓?Bk`#nGE5=-Q s3ls>{' ]5h[W$0'~COqd͗<;D92 rVeK"J$wSΐծ)~DdZ' 3jx'Fg'5ۋ1MJ`SPJg|pL e$`֍WLHG@{WOTjPB&AoF߿VeӫH/q+J miC97~Zsr),7`J,UWA. ዁*ʔ'Tie~~YϛfE":3RLY]bOac3QCo@%CAO=%ŜYź^M {MQ'F3]eIz"h>=`!_nϢ Ж} z3LP#+ēUv,. q$ \V<"{<_W3K^TG >_0'>PK^;n<3npضr@ATx ֞U=crZP].dw\>.@L]đ:OT[65fk$t])a #m7-  vR3WAAƕD(`ș'+^F fߊim>>ߖׄ) <vlF)A aF".HX-9rFe.ͭ .n |6,fSj5+f\d3~#n*S$ q778B3k6I炎ݒ 8S,mISNl\jPq_ܺjS s. 
|c3(q&}zZ/7m)8tʨKuɎ0#&*)3V{f ɽߵ2Ǭ$VE_ pX~{5g "[b?LD_ S@߳fpJVghN^~ona#nxH7U U<jRs(X'\A"}z3sf{>5ۋ[ .N(ͅ<6@.'~t/^rNVC;Tq$p42ervIї$b\7,yh>]EGֳh ׎u$7lTI8/3?-m`Mam z<.Z pGe?xom/ccX$KZeY R٢'46ʕa$Bl?Lbxؖ4Dvر9e‹)M4OSfyhS۷ILDfTR -Dp_]O\X Z6×ʲ)EQmx&Pl ?041O+yֲLǔ^ˏt3O%An]lp}(ɢfO=eÈS\S$yfIϢ7-u:ߌnwc1E°o^GH(|6y`1V1Jef$k4U%8Iڣn"$?odpѡ,O.&p1d|_:@O"y*{F~ X61utMGM]cXOK(JwR KlA}xN%|m,YiPe Z-Nӣ´Q[fԹ{4$RYPa# RsڰFUnnt,gbL~-DVe;W8< LWeWh51 Vm<>.ANh{Zp5nt4$b hh?59(Et"}A˿ll/17QbJӉ?)w #DžsU̝jMz؈Z_yip=:k0{s~C[Me& 2ͦST[ Wev =q߹|pb^Ȗ"jF]m. egA s`^AN#C]v]whiVmVm,\[BrjAS6{:!X0zt19'xwN*ޤ3J ]mڰC4h4ϼωdPB \6֛zOv[(A$7\Z-׳),zYgBV1h:6}aOeY3z>E˙yA1tՈHl&YF-QZ\_% T:cvXLjQ qC_-m?  @r륿7QOvX _}nA|8rGe!m^0qf,,0}˜B+=Y 2vI+u%"2+q2OWc0m4qh6a#O}e$؀KVc9S dMysL& UHd o^z=! f- e 6zu1Y*0^ )Φ9'y~t?>w” oe!LsaPj_@ jw·voq3g {'(Joe:%-.kwݼ읷Yu]b>RGRBEݫ Ia 52? >37r\yd8)mCvea5tT.@f0ܕC ><O\䋆ALq[\+-RXx7o PJ&f +O|#[j[֐4%7b},(fQ@. i_!Z麘2 eĕWy^@EL)&.Q hݠսM qxK M9N=:׽X;@8ZÙ +-b-nl="IE 8mDR[oU$اn|0 7U[A?# Ѻ=z7zӔf+ySR8kX@)T#>Xћg}KÙx}1cDX rXl8{,b@9#ZʏaKy?;+]0ϰGTFq7reɫ|F{m)D# ~v]ŵ9b9`TTwaG,[&G3umefXR]d2yKYWn{0݉wAW:w?>&ML{i |2}.JL#fπC}IKKi ["\cFB nG зn2Lxs Gq,#Hس!!S<q$*,3TSCt [6d +D$n6"{8'f-UFlnJCr9 f{wys>^sEPCYX(k}ki%'ejtEer;#LQ GMr+tUJOX$UX9zH?oƘxDΖ3(uquR֌=FY@S w+s׀oq hU,j5!buRXoMtm[m,Z]9`xؐj'̼kktSn pNǑ~ےž%fյ+$zchۘm!nwJZO ܉6+A*NM*𠷞]Q#wm .5 Nsw#esNW4$V3(P(93AP&l}Bԭ%6?A%L1z5z u~ ݞ.@jҕ#s'G)PA϶5ǽ0uH(w)Ǻi{ 0ȫOŖU4܌ENԣꮶI"dF<")-~bG, < 6cHN8tvb1rV_R9'HޔS\ϺtBR\!\3P[%J3U2J{l̰kQEYVphLJjq^W`(+XhSJgXwݰhC})+ ^P[t险ef, ɋ|l{n5L좲?+Hs*sCY{m$Ob kP_ 520j Y6RcV,S~a+ *C5[}U;Q" ; Y׍NlOH 6)xg5~)'R*0o?Uˑ" )7|S }cʩ ;,2oڬ*xM5;7-[{^W9|] OŽY͏1&*$]n]@^cݗz;-Eꄈ~n)2NoؑG@>%Uݒ)"aD'k*L5)W!EqIsuui8LgMXQ#4_<a#sB8Cj|;zJ*6Wngp"?@Dhq8t (OyyGh S d+j_-2Yk2|-OA7B yOQYvD{g~ŭ" %_A)ZOBS^E $XBxGe>B,zrZZ4zg 6yj[=[0Tι Ng-~E>I83; lLt 2,8)4N&hҚnu+L ӼU|S{DY' 3zT/܅Vc!b"- ?r;anQPa_߶$=U]9(<ꥸ%p\ -?3rB\9"-SoZb)QrS|4JV@ hEQRJu㰋O[KN긭Džt_32ʍ ; Rhzy㋬@z=l [ԐBV%"ܦ^`=[k<UC!?dn1†&v(=ncO ikvIA%[!Œ] Nӄ\\m(_YEO%^7=ç?R}m^pM:0C[GM;0tṂ_đA˝ p]^ĵarJ rCK&kn}ۜ0u;-GUX*M\8~j}ZÛxR kK )[2'II :mtcBiG6/,sg 'b󦃟?iRz_n 
\U'&,4|s2t3◄y!~4pz5ULf0 6qxM}U"T9:* o;{cv׬(&¯mHH> x~Lt)IEZBhrZw g5=?!|WN?d 멖I3M֗>'^JlS LK{#t)ƣ ˷<֜ =e !GkB)m1mF(ִ@ p w5bUی8l a`c]GEei0GWU)sU|FLog "xQr2Q6G0tYub_N hkD.ԊV><*#L1)4pe_-z ,9n(bqdh}*IoÀ1ؕI3-2iC#R-_j gOfĐou%;-TI(aiPjғ3=<1~^(՘PqbGֳͥ{_u %wH,Ƞ #})?Q`p^.xT0Џ;6*Tތ|x7KDlf%=ԯ'+d<|T%EJLؗݴ _z}ºI!usws)֥{l|_hoKiˉi ”lqهx-FY_ienp#*($9^hrn W .F+Ⱥ^=KN7RJMf[d L9mqґM9mc`Fsv<~eğu[luXTU7W_Lpgc&:9i;UOyﳏ紳Mco/5.AJ5f3jq-GF4a{ avIptuxM5Y#5(BɇB2#2kL;q@`sO b?,T\pPolB6!̔P$Pk YvՠnD]Hrue#|Xfiam¶Ӆޜp'F<gacTld66 064?hê Nfjx²ԊXIKD7]Y@g]KSgP(~Ab?Kއ3s %6?]>=R6ݪ9.֮=~()ԥ:`v?қ_ zE3,}P*2Ov9Ae ~!u7M{MbmA`MDމ*MjJ 氓 6 G_SJ *Z/"1"c`7As s/^e7LL{IH)ti#M]tI4vf %͈I$LK~51.jZKuR^cRqRBU\?ݍX-Q-}(4?.\UGR l;tt$1^lȌ̴+Q`j4mK8w%=tf!!iH)B>KtȇUnbI,L,z?@1}6 6W%2 pGg# DYmx(-w̯_\sͅx] ;ԧrd\kdlmx|y:r{&]LAFPAPX b_$n"JIˊS(AԎ $΅IoZPT٢&o7Su@$4_15 :aivz}lA Ӊ".z73DysDJ`!~dN˳kɆi(QjJ80L\bSMøaČQ?8)9dUir $nZvSzZ.V>` $Z[}h+ @g Ƹ1WiPY!ƗJ+< +4H\UNo3?J0gZ)9 NJthLu?B0ivO;q&Fu?9AWD qq34 8k mKs߅ѿ ɉ?dp95KdtՐO.ICؔ6t$.:U   qSw2aZj7V v ϶;Ŏ_rfgqߗ~^6082{z U8:>MT=, `;W <+zE4KO! ʅV FxVi7^oEڽU$ !1A\Ϫ{RHeI]C, La*!v)87Ee|тW [glž֜o,(Yu EYJfA,RKLb% JGrQ 2ĺp[%/`V Œo`wT 7(_|Hy Tg}VIEZx",1F#)Ջ-%ucvlL ހpȳC'շ DF b[3޸rvY嬐#rrq~g*|Yw,3[rE/tV.h%Ms=ݪ65#U /^\cⓥ ZCN% @L^N7:H}M +#m:kˮ){Q~*^xlcqŶ*KU% ¤ -LtIӕ~4.LՎ8AL2);qC97S19RRƬ< 7Ar 5!4TDw\Sm-='LE[p5"<ᶒx$P $kU }v[(c۽] f[*H,ք'0zӫp NEcM=?&ՄMK!AdIj6$LbMj:)cZB=TZPaJq"(SG=9bD| +Ֆ$6n7ޕV khed ŢƽܙSQӹe }DH̔0C>@l[+5Ii{[|>qi. =œ+P.Qc X^UTOx>Rf~E?ŀįCg-`l{R3Ŝ 1SMYT^=H8Eֵ Ulz@WP90B90ҔWq*l\`}uB 8ް%]"R"<6pcqz(z$hd=jr x. 
pye"o> /p#pFoLT9/=peX9dqMg "ьwl~o[36XQMj 1Mel9A}:m d[elR@ٰ {+P9XhEgvfpzw ѣǪKM=yr|PJUk`oV K>/y(.vrr'о BLBgŸ6&%5PP, fT;n z)ہe޷_V4hLIOY8fʄ|H xwɭL08hoEZjD6W'pwQi*~C e$5̀v1/!LJb1Ɔǹq`x o  MQ7A-,)N4BݲLs</K` bF2+PEa$_"ѨA5 4$|o$DI|Xп695>Y'@{'p'N+II^Pp;>K/FNT;!)'M^) _x̞*2˞wQgd bԏ_FEQ!f-楫3{TBKfȈ`>oJi}A'\uX2p TYɮQB<؂3$뀨U;Glmwe+Z,IӲ?k' 9[,,wL>͎@N TWH <dC/_᝛|4aiN$@o+ysҸ=mpNF?0`F7?J4BN 0/La%"aE1.X-՞/va'URy͡6],բ;oitaso(L~mdMg q'Sm.wr㈤o;G=ڜ{֌ m VpF,FD1p;g&~~ [l ?Es(O$C!\X#'_7tY9(h529#)aqS~֍<$7̛B֨|*|97xOOK|%k3whKg`7$ZD@Y'9݋bV1 x3f]!TP5y]ǂFp ({ۂ(zP41\XcsXlx!XEzeS;w@ydMr₢~CxJ=ߵ}ɰ""K,ImkM +ungMz%G U+\vrZEDnף:ӍrƗ)xj3Nvju$" {(TmEZ&b>2̱~> B6Ng(D<3UPB5>{b:4Hk_DJW :pzRHPXXKJl jx>VGS.MףJ熱cmkE34i[ Uc{:A6blNeW~᪣uґ'ױguYSO־,~Z:Fi@eXF8'+0Iq|, @3Η}1*`򾞽(~ak)3  kцD<A#ಧH2szbVkʃf:IG]@wя>0=bQ5:1Ziʒ(rqDu*'m ȿH9|oGj.ȫ裒\*?1.5mN6WyDK4:PVU~k>b}@ ^5lH*6"٘`q Z.4oyLY4EJT3 J2H nI񓇑6xvY2b<={H0W5lL,r9aVVd;3n,gEdGNlCL!_fMR~ao\ӝfv9ʊlbgm[Pnhf:ġvѴi0NW>X'r-$duC~ξ5hXM? + Tc?[=7xH׹6TzC;Tac õyhn8GT⾩Q]yCoEgT~RyҶVreyB(KȱwZMX|&u]%lA6L0 K6okkaמPRx{<|h氻ڼO Un<mS8"4\ݦ'P݌5EiL4D>No5$&I:L|/:W,ml% B':@b.$F +vƒ&MnǕP[p̳a2t'$ F7.Vޒ*!'3$5őKhmtդ"AY7Ϸ5wܩ^m,)/U⳵ 3C-َ1=0[㝰: @ U!XsW~"QX|zɚ!׀4py<7{kn;Dtlm`[>,;tAO[ ':Åu `b"ݵKЪYB. >ulOޯ$r1Dc '-Aa&N *7S}"A'\IE_#$hC)戂! & gY%vEuogG\@m68P}7]3kZvp#>pɸ&Ɉ8WtAg 81+tL 8Hc4jke ,-gLRI\ ;q4 tRwde. 
"~uMK@D|S=D7'VĀ4ݣ_`*Qoi;W~f-È S% % Zκ:JDb K}<4{iqtzx}'V>%R.Lr( k!S{:-jЃ}(q~/cvP *j%--"{"ħk?}%1`=魻ܥkzB%}+WC:Î΍ nNWqw>YJjLTaX+^ErMZt,i@ܑx2e  |ڠW]} r2ݿ41D TFAtd[v9h,񞳖Jí.=B_Ne"M++%L\4*K`N(3L=zV4ԇ>e5|>4w o'yNf >O/T&%R_w{whMV$uUUN;ỜJ*{/Ք1".RCy5vm\\GPdL2 -1s\oKR݅wYBi[\A/zTn7cJ@ Y"Anm.BJXo HV=糗cY )N8:^+J:*Y,c3kw*زk]5jf;NZ|$_,tZRZOLc) wq'Ic| ՝KVs` g3BX??ô[+.-?6 ^$r|Xm̮*t${yC9֑!sIqKO+^%Su db3JZbɐer^< cW֫,k;\X:(6TXEz|٫U/NGh4戮_`C,d8q\LBfF thbܠ~Á̈úS2v RH\ 27Yҟ[ګ%z j(e\S[Z;t}z%aH8~r!J.۽q, t|.BVt2ق?K#N+SꗃZiArw>{~ƈʩkJ#>Zk78J'.< 軷>kT4:#F׍?ڪx gWTt= kaHdM2+SAD5߭P1/?eџ82oc:tՂ 9l@HgU՟'2mn%!jASA~bRDR;ّO> 8M@7H9K& ĵCN7彀TrG0x.J*Ŕ^CrY#P$qPp$mɋ {dqݹ'mia-Qπ\}_9λN*Ίto/4H_AJ Mi)W!5X ʇF"qZE~NfFlPi}y[8"t|TrJH@!Q.<VLRs4W%KSM?Q*0+NNϠFz-Y9d؇EZ\2ZM {Z5Ndן*FENU"qSJPc>(eœi];bОf\hor協fFvt P^+1D,Q5m r=KR-l;5k{hc\#@ɯsĂ+biEr GRDDc\Wg*2;HSvزTlktn\Q֮y|E"9e5ͫKKNg+&TJj_N ij c'=qqB1Arn˧W+Zs 9oU.o)oGE$ c0['Tu=OlG}nX3ܐa+ ~\qu<$hؓwsJW\˅9C=h4LO(ewl1ͦEˇ^|/sjH\ ѳ.!  3Qh м/y~֯inpOihOLȅ"0ks}$(q z T2ߣރy Hk0ȗsƁ~OgyMU+cBukAsAfJ7]j,=7b,TCBԗۯ'f7dI:֩u^U hl;H%NQz'톅dY/Dbӱe$zT)t-|Fӛe_ {sBl_\}(v~Z%Rn1:#IЩȴˤ;9]wjE*;kX}3>dy_JFE? 1z[iR0NH,oZIޝ c=r/bߞ(.߼C]+dV%Zs˯!\q\~~hƸ G_ hM^!E>Yi7)齌dr.V3&R%* ؁.͕ZAmNְ(|H\aO<I~"6]@'Ⲅ?1⡙q9?)CGNt9,Za8TxrC GRR! 
8dB'38Rl2qeH?uJbv,VRoԕK{w}bY),; ]Nd㭊}#_bH^WI!![c ?_jV{۱0 [̏TP)\62^nyuF:6"H'.&ߩUX0y1LՠnZ/rT9L%M pW ץ U% 0RVXYwOG$3IZF:"wܲ6Z.BYt{7pP> RxW2b&6Y=50G!k*0]*0.NJ+z Ԍ4F2w(~l)WslVr 1v_=l`uT`gш `O{7is_yBHN~7thDZ᳗|X"PJR$ockH$\˳y<|d>}||oY/w9 6Qጴ'~٦D>@G@ h6Ļq9mp~>MC14XEiܐu/R<8K21FQm 5kIlD~L֩3QjٚG`>#Al]NxNXb;bD Fmj8iCP7t3IF)]~ qFp IצB%a_ N; N blcόIZiCⱐ W~ DcFlrI=87beww22چNw /$` 3:r&Үb+ ZqzTFD+-m(JUh*vf%N.%q0,gKV쪾ǘ^t)VA3UV[uMݡѩf*ik@5X1\DϨѯ灣]G;[A=۞rFon9&Z/$ڦ8 Q 7PL<fA"Gr򠙹_LE`%t rV*"rIݭ?@ؾ*~{LԚݕ=ܮK?xjpE[kARQ a fpݿ`sLTKvEuҸIvy9p7HD[SøQkDw[ʖhe3w2#rr&#11f}#ޘN ptf5p!a[mO(jɚQϏD#4q˷5Ka5 "t@ r(8sWm֌Dٻ٧j g0i⋮OX X车49)rn&2diH;Agt2l9 |~m OwjGE8Ǘ1 Kk oMK IcZ*n˱{9qb{騠/c0 m' ma?-t8 z`O*2Mo5C!B@82}x20h"svxVǽ'sKEs`E&dbw/Im36ZJmNyA_YPeRZ[ f7`e>MaZvJN7QJ5q=ݧ{·]`k paʾIq]??f׌z#u=0eHX&l_cE2qp"eڟ$[ PCL;kBB10*\^Ag2o 2Q%>  ܚ)t}L k+?([{U~;Љ }f]A"^3Pz~:EAB EuF~į<P8{<5/O |k6a[}< J̊Ͻk h˨f%>|cA *C|7f!Zx׏acq",bc( 6:+AEe7+Ed. `T VVdoe8 ͎Ar$G۰Sqj=_ړ6{ UcH#y خ̪^g0 |v]ә֓#%eah9UJfSU:mtpD㗷aV*mQ(ZQhx0у{dqqQ8M:&eX[~/\pQa6KtlEY{q#a{`*IԘ(hĬsG3xȐ= HKOX@| $j<Ї[ @׸Q6 tf!K~CdS9+ۮĴ\Ra b&L7oNҿP=r`C{_]%haWLn]ؚ;|Dxou>FǺ#їcO P @OG` )7NJ$^<wLo(ռ#׭34ڣ sh8̯.Q)/߉4vzPҀ&)-|aP )m56&1o5E-B0G˽YcF2razM3ՌW4y~* z5\؏;0Iw]!e/ MGij}:P1جa u26T֖Q7:/+jO~@eSӠj6оz$ZhS0hXr:;O]!΍m%s(BN$~pCL- YbE׾Sμn4bl`LWLg&Q-\m6x?gZ<ﹰߓ[SimƐ>skzfbCxRƓ i6\t2fv{xU^8UK|$gJ醱xP8Jl15p{܉J 2.>$AuYXQXj@q>2;`JH *1`Uyy2xFe4C9|S8`z݇KVUG[KmPoǍ+1Gw_pt쇭yy gC%P,;}UTH?wϡZd҈HՉ *͜Tw!P+DTM;j%N&>a 5Y=/«Kl*h׍FX -bqBSd:͹ Gjyv {V[tɥeb& nf0nD Ae.YFv8+$_MVȂ-4փ\ԉ\&*B8By3XB6t`;ԁBizY3T#ߋϻnCΎD]V?>.3}]o"c 4Hn1.ՠ~ /E1Caʈm}"Բj hH@2wNYr;[n)Wւ"{A [G#+U;7[FLN:3jfE%^50 m_w֤MTFTK1wliQs`QT2M5+^X.B5M*[OIy4ƆаD@U f-k"jm׀`)9,~[c)<]A CoY@^ZaF̌, H/_D/HΣ}4&e#j_0}k'6͢>yw2FToPžS1 ëշu!"bUI$n䕿BL`п`<9EIy`JVEQdc2^KU獜}&J{GqX0) 652v_IaR/K*S2!%~6[<@2J9 )~p]QN@?t8csHD-e w1k;ޱTKEd٪ޗ׉!g/йqtVUYn> Uam0{UXd{^Rhq nO>%|AD-Ԉ3FX Hq [N҄t .\{5$.㙎AhTgD^; ^?!jlwqw_Ε1J<9q5 rܛ\WI`)gҦ%'$c1XӖ5j'?V~c{9",ӒA v[80cnO76`D=^)/6D ,Z/5Dwx"d` {@fWFyg uQuvyiIpA@kkZ~ jEenV6]R\Ȭkˮ`3?:0mAkڏG+bSCcɮIsHwyH~v A@Cê[X>=d!ۤSsF06"љyx4{UNZa\-LF7ˏ]oB_9"镫w&U x/ 
i0sőzlj rӺ")r'iZ7Ad'h䩆qnٻ*fԩbm ٞ,1(6I]3-=Rd3Y?…1 ߹TCX|ne޷NS/ߟ4Fx`T "s|*2DWXEgNH/j-Qg.tG;s;t@Yƞ&5t5@j<W6Ѻw7{!c ~tQC&F/ᙐs&O_ 9ӈ3x/ )3a \^&U Wy ilEQ1%&Hxyiּ[Kql0^њމ_ It%>jq#sC&yA:F3U>QOV)X~?VΕ5p\UrlH"P'weJ|rp)վ߮.r "+BUsL75n(4T@;e{~6GA-oL(xu"~T'|?|]Z߮tij-߶O +#)'e/|xWmhĴR}zL:+YFd&g] CK ?"s.i"xXoƜ؍qlK1GqRO3/ wX‡4䙱KȪVIfGuHO @$H&JL1lQR5)Z-9ވݾ lx%zR(2v=(зҦYK  SfR=zi8PhOXbMl\2<+'Ġ{v!ێ\*PYY`coU8C~j#ZS/?7:5̉;/UqZ%Cݙ a6xxaЫ![+k׾ .XWƻ'fI+fOەc VYQ. dhZ{ 0~n7M6={|z55d6QπGDi{s^>aR~'gi\[}'PSNo`M|}V.+ںU’2wDpU@O?wm|\s@[4zz k 0!wvV 1 ޼>I0-xLZ>` LX30nϤxמ9Fdz*^N32j w>!s{@^@oO 垍'0ۯߵ]\Ң8㵱.NFrNn `=YIsS\" ~xGDȶ|,. ї@es1YH~dj~S& EC[-|fi| |e\hm*Eb9rW園(5e 2+b: ]C71=d~CւvB_QEe;70H8~ҹY9w<1vm"tX2Vr},8j b=7ȤGI^lpƳB_o0]2nsB56o\I㎆aϾVoMк7֚x ܨ@cq'6W[F g Im Χz݈7¸ZZ^rW2jnDs5 帪qڧ7i7npzXM^yZdk+E+.O/ap1ZFBkϺW<1dK0Ti'v㎞aD]^|?RۇW,51m_TwՓ%v`:f_TQ%Z 9ʇh.c BE=@v<9UD$P&r&OSѩU:!u[&A knmo΍Z'`N%T(􅠖/ځyy?#i3 Ė? j]MY[Dʢ?.[3{e5as%)olM@@" d lbFCJL\,C'm҃:vw[K0%2<V:Gm#W7LD3g+Tt)L."H^4hذgF=I4AQ3}ښ5k)8UQu02r "ވ;qs-+8JFc'<@aå J3ߠ؈5ҁF2Q[= 7]3u=žPa`yevo6s2¤zU=XOga5kPUf!`EŦ;0![3&X. 2d&Yn6m*+ Ӡݽ?i4{ Š% F:nDw84; 7v0M,FHCG]R>~‘Hr@K*D!n͊Py??s֬ͳ[Ey Uq&ygf+/}h fxwo;RB?b\`O2qiihL/Uiz&wUBu05tOh>L7ɍgcu[U` w).w]dn&xP Z:ηBR N>ўWH2`ڗ!з¼Yo|2ZQa#(@=4ix‰XZGl=[lHrF)$\l[lK`2[r =1@6[X : B)JwCi{~RpM\5HQz)NɫtAۖЈPz,#O7 v\*H#ת[qf(yְ{B%`ҟ>fD#wVݵTm79*N lY̖фٮ^TBb4 [r}KM3 )e6e`c=bY@Px?7(s{mi}?] rK,B5}AH+jݎҎ֡H~6ZoΕ1Uͧ{+"nJ[ì-5):{׽U`ԃ*od{PHa0Ke [!VH !ct-+ ;vmihS *G#Y [-is!цvܬ 6+|6.5XL 7&;ȸ *ٸTG&ÔNZƇD)'Y1,s5eK]LUV14?io;It`(z8ގO)nr`%qx^unmxJJK'7h $!q)5u|O\~VrY&|>62Mdtyqg\uh(q1 E@^xf"MD\6.=sO :Ag4y;XQޕfiaiX>c3= D)aǥOF&:;Ic5M x#ϋj+DK%R8X&e,MYkU(~UYL QexZyٟ5q]O{>{;y)@\ZdJVu`{ɽ{?^(N&Ҕ ə2UZ9h,QcĴpЁ'Z0=.|ɍï;8M典 ":K- Mew Aψ6뉐5=rdC-tjPg9zyV[o%7\ /`H``Mźtio2[^ZZG92ඐ,k |2.`1kͫ@ jիĚiI]ڞ5!:M9 4zvqb`]tALhkS JNExI&w˖dcWrŊ=%-z60[xkAꄊ k8%"9Dz'޽wmP Q{_|iTǖ9* $bcKx.L߭ .:IDB4?rpͯyAc~&R'Bh2`cȵc2` <`P}R "!R r]uYSy[h".eJ/[ x~]XU%bv 0͒pl"+[?eC r83Sy1$3TN$m&Ϙ 3!? 
ehHoZNcƯ1몍gȦ˕^'0$f=Ϫ|3sr`5v&a4*?Wʹcb#=1|ä\>I"ӖD&*ᫍ(zǚKpaEh],a+{;]&[ B%O/LX7J6p .6z1E_pּC.t'?En 6LXvH"Ĥk&YX5,e Q} !>ԢnС5jܓkW+ɒ(Ƭ9 aۀ%%M;0bSz}X]Xj\¾ڙ*ssEphgeh!+~73ĉ a#;n >G̓9sM+z,s ,'*?h1+6N]{*jOc`1/Q}'z}L7Ad\kH/`C$~jIvҤ{$q=2AC|Y"JH =jdA{$ ⼈B~EX;H.*Y=./‰ 6>p{r6Fpy o=XU Xjʘ. jv#V5x 3bVN-c$\~ӟ 0"iy(w@tFs2Q6y#@N]Ž6=`ipw!*-%f<ݒ*qB+\'" z_p8ljYPe_3|m926#~.qoͰa6 f?hI |;" ahx1U<^kE=3)oXGl09~=c:e.%:H`W<Ћn}j`X!5_RvNp{%\A0SG 2*ˈ& \g.hbafJmP,2"*ٌMF uj0+4-;1PZ4)`.GkkEуL&CeAhL=Mz/F9 5=b'_tMQ|:8>'R8EuU leJD4Ǜ@N 1Yi-_}#'%X΁\URSs "pBE0xhƩAQ25 R^&N#DsT'ʹ;hN/?m_R>LLӎ}TFng8LJvW\KNpz@ =jkU4ZjB\R fk]ț͇^=b:iclӏ"N*fjN)Kw3+ӷjc".TaSZ_V y)2vpLrv7wKrshVuBb7(5Eh >D &|d i˘܅Ul n&Ҷ 1ޤ`«QbSꌟ\FQ˓'m)%9"]adϡ^~X)XꛜtXŲ\KPYKtPAF/r󬍰D .8CBfJ@oLjuG^\ N=SnrkUNo = !J=UL#^{/d/gN[6,G5 e$~}x^&%&:Q%,mB$ *I5RsHV/SASiןxj>h,tlW3eϊ ¬9,yQ>#8Xva&ȈJgμK`(S Ú2MeNvDJCW}okm[.}>4kRѶRצ>C,.) wtP٩&#]3솆*\ l֥z)i dO:)Sr)Y-TdF zt.e㳟+)jq|B-a>';b9"T%{,+Q'9(B 9JQM.#1 k?x*gXx+J+eA\5jg%^iaiҼ@%arBvk!iW#_4ɾ`9G\@.TZ`;|KNla 5ۑD U BZ; '2>Ŷ^MsB;0\J.#< .=mqK/#oHĝrZo&x}I0ŧ5=O^ %؆jbw!JQԏA<( ($=>RȔr-YuGi z˩5ENJ9]8mbȸJQ?|Z bx8w5% /Du7_v|W.E4|9mAOƺBX.X ͂CJݓtSA;*~OX@#zxm75H{L͟x$>ѻCP s-H(8ѸE_ y >, ^AY ֮}<9.'-.p?[BɅF*gO<*yJac4ߍ0*rowvb!gy@ Ȝc'[JxDeG=Dc4BzϝXn#D/'j(jzI۬:#ER ?K,0A8?6Aim-t.>@D5U4ncܯ˵#ʕ${~`x$F *LOf '16f y(6[g  _Jifk"kln6Ka~wBkCܐg $~`jO[^hT΍BMndSQi4ɕ2>C,BRK89|ǁJ4 Egk.EpMm(l拆':`em[5N꿋^_+p6{4!gUGd>S?z2V) cYSS0 #UD1vN'[Ǫ`{BQ#"@^\WɕSX C/M(a];,bAh+/X62Xҥr?SM{{Zdb9$G^ZdY\0THMKSǑW%VL-`PT]BE IN2[˷ Rh4P,nrpK$$ x| Mg3vx3U3_RMpJUa~Ж)aƀ5 ܝ y \^<4,'~V$ 35TMz"w3 E:K:%'ÉѮ6RfL281 mBgwMh 3kC ʍqn">l vO8rlT6D\3 C#pNUH !$Z4賅BӅҶZ}@^=?+HmT'~TadE/Ȝ:@ARҝ{J5O@9l ELb<LIXN6:j,oD^Bߡ!_;Y7܆O֮+̪KPlhnJM(k_v :P\. A0N,8v"Yy9l.@}ֶ:KZ/EvK"AL#VUDcɡQ()Zm:#j7$IqefMR,*J'ݴaWzsZ+qSxZ?}1>L&HVUU:2[~|׽#(3FڵL7 VIBۀ;pxGkBhZZH Oi] ZNԖ#o/Gҁj^:*v(rA5Xӟl܅D:a OoT"Y{ISa"Y5}| aC j% ,IJJ7BGM=C{1Ie7Џ$=S qa}?wS؈*p|(j41[*tS3) 3O[_5SR^xLW~݃P|U֚23x ,M7K]5>Zlx^ ҝXl]23x9"' ;1VV?DǞC`wƝF,Y/RDlCNj ~iYL1<|v>* aP~re{ *9*ƯhAIrM=_:*(ۿB_9'b! 
QӊLi0~\ ګ)k[š{89%¤dee%MZq?in'lfGeqv~PO*6ͮG)e@^@U`_ΥzQҴ2׌WBItuT2*MEٕ#Xl\]5t{T6(?t(tTl4k@_. 1ڳ/ʖmpT@~+ q}=u~pGsxx8.pҐb0Ir0Iss$IMA/PkcoȊMt RC{{H I6aNN.lH-*:6ow'x߻#\יZS*#^ƹ) ~77<<@|Sp|Z#A7EuKdk2 %P )qfuF' fV&qr*}CQ:54r(OjR.ƒV(G3(X`"C}"V2w~1ȽojK7Ʊ53Xz0o* 1XC;֤ꀏ ] )1 r=&ȕ >enquFJHȌ a~u1t61nIA.F/Оt JF-0 ^Gp}\ ȊW)aC%<nJa;u!SLkbFNn{?H@BV3ƈpMpgu>CX-+ۤϋweS[Nv"'+! Bg@6Ųl:d  ʛvHb ۍ=viJـ́ž`}7D q ̈́w4wҨ"TYL.kj}A0fMw8ϋ}S߭w`KBP{G^7 qO@%YWM-u%bUrK?,r)̿2 U\; fdj#焖qKR<@DxwD;cȸc(" {=:w6ΟA%$V)q Ɓ֛әw5lm{CkUV}67ntJig_si4r7܌ ͋8&A#An ]\+ )6(EagOCYЊtb]t-h7sVk9>P0:ꏆhZŋ.ymQ eźHd0ǽŽf/:i PP$PϠ7$^y^zs>S˹@{aNiq'6œ;ɉO Adl @[kW\J ᢕ P |v;`ѯX^`@u˕KJxs_X&Q&0pD1Hnw+"s{z :`ho(q[nv0X?T?܆7TK̾5/$`HB̫g\~4ߛcƚIhRX3,:vNc%Yfogc]R6NmmE>JP{my*uF^ G{hU:5U.$TҐ({W<u\xK9>xV+{:nEH/2;J>M x4`z.E q3n9ѣh?/Pڹ=,]Ȍ5@b~a|j}b4{;I{EKNSCt/aU8V}mpGS*&O3>X=Vp YJʕ.],iɔB@= c<,CNFՉ3V-B;Xȭ^Aƞ(${vs B,2Hf<ޕ*"L+.9'm{\ db 1Ԕ-Ġű7PfMh!=÷|f1xPNR3B64iL$aNj4ݯIن3$'J%"g:o#;)>RyL%/H[. 7\%3_J$bVUg[ӌ];dL$ Hוlf99g[cW8w<d䄳@;ZN(7_@sO?a:1zGͶB$L2s; 7ħ McPυ@8Ќ6:?z^ FjZsg'S[PM~U?<ϰk^`_\pnwNLVT| !>!JEtnNBwiFS Ǻ.},[۬.(S$|C ’r6 Yulr'CF$QL3QRžjl 걉vׯ- 6ʛ1j_q9 vgA3 0;3wU=}b(e[-\hJk[Z#ҫ̎Il%Ψ] 'H1,seQ`;x`ꖏr%Sl PФ+A2[ja ||+ǝ(~7:HkuEk- ` U]r2hG7|易V]柽i5i Ll(\wDs#O.L*e[+`˾r ,^ūѸ̟옭3]P_t$#`պhQɜ%`j:#Q MCi#ћUCC>)CPkD9A 'u5d@,Pg%`<oF]y:IAY*9-4*E7r1noA,n+$33 S%vl%}Gzf3Z8K7P}y+t!l;}ZRhetBauwSgȯF g1bSza*,L/7cI!Bٲ&-EBD 1h&̨r Ҁ;$.HJ&cfpqrU;I ScmoŃ)!1[ I±+7z=?qZYdk"Yi*,$%n.#|*7X'5j@e4=|S 1 @(f> ʟN5J濣0Lp%#ֿUB_˶e1Yh9ҭ6V]q~mazA9 -7rIAb!ۊz lЛȡiR};-o/]ڵ1 {[`#N 'osc=H3wLBD=rmX͐7eDJ;FW|I(h_C+bxO5ln9. "f$g|u/=nrc1R -0iϕFFxIs7Qr7#u:mNT7,ujY&µa/e)HG| fTb4e- [u]DzJH 0(q~ x8Ln/ ĴeIiߏ?T,LߐE$GOƪH9bQoͥ}bzIg|R&ZR:!/CsߕhmӖ:0"4ձp1_tqxn@W~S+ýԆorŽ9a1aGb;s-xTY=%Y-ydYZw=Y_1kwV39&ڮJ ]5di*iŅSY6*"j%(Gk\T_5lWMo@gI{=!$n j4Iۃc yŒшO줙h+kٷbb}wZkz) N$|$[^rN nTJ me**u]qhqmwW[oI(^ԍ^K7d*h✯%J?%.u(rS+K*925chx6V2_1[zŽ*W-4V΂7A\x;u?' pUYdt]D݉&4C\g(>M;9Xc|8FNdSy }0RX.>GfqafS5=*VO.];\N\WoP#&ĻB9_H9 :)ΊiN