mozilla-nss-certs-3.19.2-107.1e>UAČHOR#QV ?U$jY#*~^B톍?KSyiO*73P>5-?d ! 9 +18< > @ D e hlqv 0  (8L9,L: VLF^GtHxI|XY\]^bcXdeflz Cmozilla-nss-certs3.19.2107.1CA certificates for NSSThis package contains the integrated CA root certificates from the Mozilla project.Ubuild190openSUSE 11.4openSUSEMPL-2.0http://bugs.opensuse.orgProductivity/Networking/Securityhttp://www.mozilla.org/projects/security/pki/nss/linuxi5860U715893508c1b0cefb79acb66ebdbcbf7rootrootmozilla-nss-3.19.2-107.1.src.rpmlibnssckbi.solibnssckbi.so(NSS_3.1)libnssckbi.so(libnssckbi.so)mozilla-nss-certsmozilla-nss-certs(x86-32)  @@@@@@ rpmlib(PayloadFilesHavePrefix)rpmlib(CompressedFileNames)libc.so.6libc.so.6(GLIBC_2.0)libc.so.6(GLIBC_2.1.3)libnspr4.solibplc4.solibplds4.sorpmlib(PayloadIsLzma)4.0-13.0.4-14.4.6-14.8.0UUJ@UjU`kU8UTTT?@T!`Tk@SSSkqS,)S S@R@RjR@RRFQֵ@Q@QzQ@Qm=@QNQ/FQ@Q P,PZP)P+@OȮO@OF*@O= 4.9- update to 3.15.4 * required for Firefox 27 * regular CA root store update (1.96) * Reordered the cipher suites offered in SSL/TLS client hello messages to match modern best practices. * Improved SSL/TLS false start. In addition to enabling the SSL_ENABLE_FALSE_START option, an application must now register a callback using the SSL_SetCanFalseStartCallback function. * When false start is enabled, libssl will sometimes return unencrypted, unauthenticated data from PR_Recv (CVE-2013-1740, bmo#919877) * MFSA 2014-12/CVE-2014-1490/CVE-2014-1491 NSS ticket handling issues New functionality * Implemented OCSP querying using the HTTP GET method, which is the new default, and will fall back to the HTTP POST method. * Implemented OCSP server functionality for testing purposes (httpserv utility). * Support SHA-1 signatures with TLS 1.2 client authentication. * Added the --empty-password command-line option to certutil, to be used with -N: use an empty password when creating a new database. * Added the -w command-line option to pp: don't wrap long output lines. New functions * CERT_ForcePostMethodForOCSP * CERT_GetSubjectNameDigest * CERT_GetSubjectPublicKeyDigest * SSL_PeerCertificateChain * SSL_RecommendedCanFalseStart * SSL_SetCanFalseStartCallback New types * CERT_REV_M_FORCE_POST_METHOD_FOR_OCSP: When this flag is used, libpkix will never attempt to use the HTTP GET method for OCSP requests; it will always use POST. - removed obsolete char.patch- update to 3.15.3.1 (bnc#854367) * includes certstore update (1.95) (bmo#946351) (explicitely distrust AC DG Tresor SSL)- adapt specfile to ppc64le- update to 3.15.3 (bnc#850148) * CERT_VerifyCert returns SECSuccess (saying certificate is good) even for bad certificates, when the CERTVerifyLog log parameter is given (bmo#910438) * NSS advertises TLS 1.2 ciphersuites in a TLS 1.1 ClientHello (bmo#919677) * fix CVE-2013-5605- update to 3.15.2 (bnc#842979) * Support for AES-GCM ciphersuites that use the SHA-256 PRF * MD2, MD4, and MD5 signatures are no longer accepted for OCSP or CRLs * Add PK11_CipherFinal macro * sizeof() used incorrectly * nssutil_ReadSecmodDB() leaks memory * Allow SSL_HandshakeNegotiatedExtension to be called before the handshake is finished. * Deprecate the SSL cipher policy code * Avoid uninitialized data read in the event of a decryption failure. (CVE-2013-1739)- fix 32bit requirement, it's without () actually- update to 3.15.1 * TLS 1.2 (RFC 5246) is supported. HMAC-SHA256 cipher suites (RFC 5246 and RFC 5289) are supported, allowing TLS to be used without MD5 and SHA-1. Note the following limitations: The hash function used in the signature for TLS 1.2 client authentication must be the hash function of the TLS 1.2 PRF, which is always SHA-256 in NSS 3.15.1. AES GCM cipher suites are not yet supported. * some bugfixes and improvements- require libnssckbi instead of mozilla-nss-certs so p11-kit can conflict with the latter (fate#314991)- update to 3.15 * Packaging + removed obsolete patches * nss-disable-expired-testcerts.patch * bug-834091.patch * New Functionality + Support for OCSP Stapling (RFC 6066, Certificate Status Request) has been added for both client and server sockets. TLS client applications may enable this via a call to SSL_OptionSetDefault(SSL_ENABLE_OCSP_STAPLING, PR_TRUE); + Added function SECITEM_ReallocItemV2. It replaces function SECITEM_ReallocItem, which is now declared as obsolete. + Support for single-operation (eg: not multi-part) symmetric key encryption and decryption, via PK11_Encrypt and PK11_Decrypt. + certutil has been updated to support creating name constraints extensions. * New Functions in ssl.h SSL_PeerStapledOCSPResponse - Returns the server's stapled OCSP response, when used with a TLS client socket that negotiated the status_request extension. SSL_SetStapledOCSPResponses - Set's a stapled OCSP response for a TLS server socket to return when clients send the status_request extension. in ocsp.h CERT_PostOCSPRequest - Primarily intended for testing, permits the sending and receiving of raw OCSP request/responses. in secpkcs7.h SEC_PKCS7VerifyDetachedSignatureAtTime - Verifies a PKCS#7 signature at a specific time other than the present time. in xconst.h CERT_EncodeNameConstraintsExtension - Matching function for CERT_DecodeNameConstraintsExtension, added in NSS 3.10. in secitem.h SECITEM_AllocArray SECITEM_DupArray SECITEM_FreeArray SECITEM_ZfreeArray - Utility functions to handle the allocation and deallocation of SECItemArrays SECITEM_ReallocItemV2 - Replaces SECITEM_ReallocItem, which is now obsolete. SECITEM_ReallocItemV2 better matches caller expectations, in that it updates item->len on allocation. For more details of the issues with SECITEM_ReallocItem, see Bug 298649 and Bug 298938. in pk11pub.h PK11_Decrypt - Performs decryption as a single PKCS#11 operation (eg: not multi-part). This is necessary for AES-GCM. PK11_Encrypt - Performs encryption as a single PKCS#11 operation (eg: not multi-part). This is necessary for AES-GCM. * New Types in secitem.h SECItemArray - Represents a variable-length array of SECItems. * New Macros in ssl.h SSL_ENABLE_OCSP_STAPLING - Used with SSL_OptionSet to configure TLS client sockets to request the certificate_status extension (eg: OCSP stapling) when set to PR_TRUE * Notable changes + SECITEM_ReallocItem is now deprecated. Please consider using SECITEM_ReallocItemV2 in all future code. + The list of root CA certificates in the nssckbi module has been updated. + The default implementation of SSL_AuthCertificate has been updated to add certificate status responses stapled by the TLS server to the OCSP cache. * a lot of bugfixes- Add Source URL, see https://en.opensuse.org/SourceUrls- disable tests with expired certificates (nss-disable-expired-testcerts.patch) - add SEC_PKCS7VerifyDetachedSignatureAtTime using patch from mozilla tree to fulfill Firefox 21 requirements (bug-834091.patch; bmo#834091)- update to 3.14.3 * No new major functionality is introduced in this release. This release is a patch release to address CVE-2013-1620 (bmo#822365) * "certutil -a" was not correctly producing ASCII output as requested. (bmo#840714) * NSS 3.14.2 broke compilation with older versions of sqlite that lacked the SQLITE_FCNTL_TEMPFILENAME file control. NSS 3.14.3 now properly compiles when used with older versions of sqlite (bmo#837799) - remove system-sqlite.patch - add aarch64 support- added system-sqlite.patch (bmo#837799) * do not depend on latest sqlite just for a #define - enable system sqlite usage again- update to 3.14.2 * required for Firefox >= 20 * removed obsolete nssckbi update patch * MFSA 2013-40/CVE-2013-0791 (bmo#629816) Out-of-bounds array read in CERT_DecodeCertPackage - disable system sqlite usage since we depend on 3.7.15 which is not provided in any openSUSE distribution * add nss-sqlitename.patch to avoid any name clash- updated CA database (nssckbi-1.93.patch) * MFSA 2013-20/CVE-2013-0743 (bmo#825022, bnc#796628) revoke mis-issued intermediate certificates from TURKTRUST- update to 3.14.1 RTM * minimal requirement for Gecko 20 * several bugfixes- update to 3.14 RTM * Support for TLS 1.1 (RFC 4346) * Experimental support for DTLS 1.0 (RFC 4347) and DTLS-SRTP (RFC 5764) * Support for AES-CTR, AES-CTS, and AES-GCM * Support for Keying Material Exporters for TLS (RFC 5705) * Support for certificate signatures using the MD5 hash algorithm is now disabled by default * The NSS license has changed to MPL 2.0. Previous releases were released under a MPL 1.1/GPL 2.0/LGPL 2.1 tri-license. For more information about MPL 2.0, please see http://www.mozilla.org/MPL/2.0/FAQ.html. For an additional explanation on GPL/LGPL compatibility, see security/nss/COPYING in the source code. * Export and DES cipher suites are disabled by default. Non-ECC AES and Triple DES cipher suites are enabled by default - disabled OCSP testcases since they need external network (nss-disable-ocsp-test.patch)- update to 3.13.6 RTM * root CA update * other bugfixes- update to 3.13.5 RTM- update to 3.13.4 RTM * fixed some bugs * fixed cert verification regression in PKIX mode (bmo#737802) introduced in 3.13.2- update to 3.13.3 RTM - distrust Trustwave's MITM certificates (bmo#724929) - fix generic blacklisting mechanism (bmo#727204)- update to 3.13.2 RTM * requirement with Gecko >= 11 - removed obsolete patches * ckbi-1.88 * pkcs11n-header-fix.patch- fix spec file syntax for qemu-workaround- Added a patch to fix errors in the pkcs11n.h header file. (bmo#702090)- update to 3.13.1 RTM * better SHA-224 support (bmo#647706) * fixed a regression (causing hangs in some situations) introduced in 3.13 (bmo#693228) - update to 3.13.0 RTM * SSL 2.0 is disabled by default * A defense against the SSL 3.0 and TLS 1.0 CBC chosen plaintext attack demonstrated by Rizzo and Duong (CVE-2011-3389) is enabled by default. Set the SSL_CBC_RANDOM_IV SSL option to PR_FALSE to disable it. * SHA-224 is supported * Ported to iOS. (Requires NSPR 4.9.) * Added PORT_ErrorToString and PORT_ErrorToName to return the error message and symbolic name of an NSS error code * Added NSS_GetVersion to return the NSS version string * Added experimental support of RSA-PSS to the softoken only * NSS_NoDB_Init does not try to open /pkcs11.txt and /secmod.db anymore (bmo#641052, bnc#726096)- explicitely distrust DigiCert Sdn. Bhd (bnc#728520, bmo#698753) - make sure NSS_NoDB_Init does not try to use wrong certificate databases (CVE-2011-3640, bnc#726096, bmo#641052)- Workaround qemu-arm bugs.- explicitely distrust/override DigiNotar certs (bmo#683261) (trustdb version 1.87)- removed DigiNotar root certificate from trusted db (bmo#682927, bnc#714931)- fixed typo in summary of mozilla-nss (libsoftokn3)- update to 3.12.11 RTM * no upstream release notes available- Linux3.0 is the new Linux2.6 (make it build)- Do not include build dates in binaries, messes up build compare- update to 3.12.10 RTM * no changes except internal release information- update to 3.12.10beta1 * root CA changes * filter certain bogus certs (bmo#642815) * fix minor memory leaks * other bugfixes- update to 3.12.9rc0 * fix minor memory leaks (bmo#619268) * fix crash in nss_cms_decoder_work_data (bmo#607058) * fix crash in certutil (bmo#620908) * handle invalid argument in JPAKE (bmo#609068)- update to 3.12.9beta2 * J-PAKE support (API requirement for Firefox >= 4.0b8)- replaced expired PayPal test certificate (fixing testsuite)- update to 3.12.8 RTM release * support TLS false start (needed for Firefox4) (bmo#525092) * fix wildcard matching for IP addresses (bnc#637290, bmo#578697) (CVE-2010-3170) * bugfixes- update to 3.12.7 RTM release * bugfix release * updated root CA list - removed obsolete patches- Disable testsuite on SPARC. Some tests fails, probably due to just bad timing/luck.- Use preloaded empty system database since creating with modutil leaves database in nonusable state- buildrequire pkg-config to fix provides- disabled a test using an expired cert (bmo#557071)- fixed builds for older dists where internal sqlite3 is used (nss-sqlitename.patch was not refreshed correctly) - fixed baselibs.conf as is not a valid identifier- update to 3.12.6 RTM release * added mozilla-nss-sysinit subpackage - change renegotiation behaviour to the old default for a transition phase- split off libsoftokn3 subpackage to allow mixed NSS installation- added mozilla-nss-certs baselibs (bnc#567322)- split mozilla-nss-certs from main package - added rpmlintrc to ignore expected warnings - added baselibs.conf as source- updated builtin certs (version 1.77)- rebased patches to apply w/o fuzz- update to 3.12.4 RTM release- update to recent snapshot (20090806) - libnssdbm3.so has to be signed starting with 3.12.4- update to NSS 3.12.4pre snapshot - rebased existing patches - enable testsuite again (was disabled accidentally before)- update to NSS 3.12.3.1 (upstream use in FF 3.5.1) (bmo#504611) * RNG_SystemInfoForRNG called twice by nsc_CommonInitialize (bmo#489811; other changes are unrelated to Linux) - moved shlibsign to tools package again (as it's not needed at library install time anymore) - use %{_libexecdir} for the tools- Temporary testsuite fix for Factory (bnc#509308) (malloc.patch) - remove the post scriptlet which created the *.chk files and use a RPM feature to create them after debuginfo stuff- updated builtin root certs by updating to NSS_3_12_3_WITH_CKBI_1_75_RTM tag which is supposed to be the base for Firefox 3.5.0 - PreReq coreutils in the main package already as "rm" is used in its %post script - disable testsuite for this moment as it crashes on Factory currently for an unknown reason- renew Paypal certs to fix testsuite errors (bmo#491163)- update to version 3.12.3 RTM * default behaviour changed slightly but can be set up backward compatible using environment variables https://developer.mozilla.org/En/NSS_reference/NSS_environment_variables * New Korean SEED cipher * Some new functions in the nss library: CERT_RFC1485_EscapeAndQuote (see cert.h) CERT_CompareCerts (see cert.h) CERT_RegisterAlternateOCSPAIAInfoCallBack (see ocsp.h) PK11_GetSymKeyHandle (see pk11pqg.h) UTIL_SetForkState (see secoid.h) NSS_GetAlgorithmPolicy (see secoid.h) NSS_SetAlgorithmPolicy (see secoid.h) - created libfreebl3 subpackage and build it w/o nspr and nss deps - added patch to make all ASM noexecstack - create the softokn3 and freebl3 checksums at installation time (moved shlibsign to the main package to achieve that) - applied upstream patch to avoid OSCP test failures (bmo#488646) - applied upstream patch to fix libjar crashes (bmo#485145)build19 1437072817 53.19.2-107.13.19.2-107.1libnssckbi.so/usr/lib/-fomit-frame-pointer -fmessage-length=0 -O2 -Wall -D_FORTIFY_SOURCE=2 -fstack-protector -funwind-tables -fasynchronous-unwind-tables -gobs://build.opensuse.org/openSUSE:Evergreen:Maintenance:341/openSUSE_Evergreen_11.4/e2eed42f6e563af65caa82779a40b72c-mozilla-nss.openSUSE_Evergreen_11.4drpmlzma5i586-suse-linuxQ&(#+Xj?]"k%וkH^x5X)K^̇ 6FF FE_Qgؐp2-0í}Ve{u#@ /֤zdJZf3ld(D8L~<@_.K[On#T7^e#!R/1E kL?$N|~( a鳤OK`% GFJJhELfBX 8Md*pU jQ& ɮYQ^l-SʢR)Oz^%L/ֺ)-bu4",NDzE{@!F cOxF+Z Y zc.(wݕdN#mPp ]%C3},Jh=74+^IxԾDv5wvKsت\eәd(mqc?~Eb_&GY~}y3{L0x)2o S]+Q"Egh{ amd;I-~*MCRtr/O{BpdkKHXx)}&*΂ ?2zǹp$휕!0R*!ф\,y%z^pb8ʄrXsS%SЃVyÒPƖ 2 ru(7qL̪U@8L!8uk%%V[SeURJG0KW´n-K&֊Z{\$ 2&d%d g6ӲAO4lG-3FuQw#$;!;j05*GC(T`-(CwuL X~ vPjXhgy~DOX7-S'CPhD3X+e~:8rױEh Z?/glO~2O c̺*9L![ng ߐk- WLy)*|MH-𭃲Si:g;wCkA5’ԣgik`_>Piᴽ 65y[\IlS囎F"EaO3ٴ 겳O ;59->rGd" rAvpgEZDc%ܭdk|ŝ\nơ5%dܐBg#Ǖ*D*aZajd,&)JeUz^:W Ȃ{k9';#5,ll'F,]ciߕ(-wۙ pb9ͼ00%o=7F_qzҫɓqPxE5+WlyIy.i7OjXĬ5fq$;]z]Q#dP9MWhX g@"ű/nT:2W܋\8]8 A6嬐%Њ@_첪RCB\k7avQk(}$TĸcUtdU?K`ITF=tsTg$G]EՉ|kUM1PۆgE#ʓnpHq9>S+u>m0 L{ҋ ,̗?S,?8dh&BguKp4Ygy+j }`Lhjt"r{z=S"t6Mu$_R^l:$Y(VEBCY1ea{6?48foˇb ɓrxIVᲩ곆"#QUc-8A?ջzkԦӳ lY먫VZ}j8Qh+V`sڤ@ڇ!+,j"Kh6M(`iaz-!fRѣnڮ7rđ5(mӵ !"Cp4*ȻPhʩ[mۋ]䶎MyCDjC&$(ڴA0.K-a:^/:h l#3Bguu[~E|lcw0`}{e0(S#HC~$ SlSɌܱ^#5 &h!ppƹ%x椔4L^{C| q0HbDUpnĀ_⛳(!e {NE<;e\1\4IrBk=}m['"wyZ6JQ 7 ND"RmivLhPZXaW1PE2y,6> Wh v{%eLj3OHnRlM($mMUHOKGF!5# {d&+}΀$pubZB ?)GjQ݄J :R3x[kIk-L#K8>yn)6@@.? 9tf{is~M7z+Pg8ɾ$?U[r挩-|w@`YZ":+6y\dzcag%|ʿfous=籦Ru::}|_^$'1&-H=?dCL 1 _0w~"g#g|w#eEpjL\{9RE:>di>$ 칗^R xU^>>&xb1%?BOn$":3{4#~g<_.==G!T5Rro´v']KE\- 9xtlW=Ga0+&Pdg 12 [9"I Bpug{֦Ʋ8 Og$I[ %o)|+Ub ~vK&dUx}C"KCщJz*6|/9d~r#]Iܒ=W oZkh}B6[NRTq6T/]i8S4{B*/ٛa &_)ik6]%WS &~ İcCCk-s]*bIGTΡ4s,(}fv`eR_`ۊOWozpqJtG/hn>?L_3f8В?mj!o"E%fs(%lאǬV_cnPXIܧu1]mElMc ZyΆ}\uuT^tUp2:[]1h$ޓ|Uh(^ʧ^?c{3 )'F ,T(JL Pov<+[0/{Jlμ,$`5؉jgNZڸPwzdG$3y]@aS_w}X#=z5C2ʩV7si%Ѩv;qiG v855W⹯֌nx%^A!&C;ӔE_a"ky{(A^ *cc`暍N$ xi5rǑD ahAyj$wE2dADv),ʁ߈lu>ԧ熼| lT, R0xFݮ%Z14֗Bjy(ڼKsǦ R  մt67d_8gt*k SdQ> ܶkN;NdA,{{fdDfK~!%)A֬N7CrZdw)(ޙee Jʩ93;2-f~6(52Riz@NrdϖV'W4sB"a]8#ғg8^w-mPC^u ),M/x>!2餈QG6ddrf,!%$H-B%!773kP# iRg&uNAָ2QKj?ev&K-`&z" MW.D4`J[Ks?Sp({5?t? F4k0a_,vd6U7/pK!$Al;CFֻ ^8XGlmE_j`gxFY *ˎ䁅c2s>l;ԀFAfJ̗РWE16)Pt~E˃I5Z+qN)MoLMi[fDJ6v7u2Pc\݀Y~!H̥F)Fup~I BTW{xԳ܁cWCpDC|iK:Д:%4 -m.?+aYL[0vc+K'x%K6 Ef1N:ɞ}U^aRhߢ;5;Td!T0g5 s:W )mh?9I9nd!Xεu, ה+4^`L33oBqAɗvTy3Iݕ9x.sÀ ([~0`3c>{ۣ}OJ?Sz]ۓT glw$U `[6 fbI)% Ks_![ڗ,c xVgeI,m"pʭ$zKiIjs4G2dڇmqdH'vDWj2ǥW 'GV ,j\o9yc׸u$QQ;di'K_DE]LS*n돻$^r\U|ӱ$@q XDf)0((, )nE=|9S{Y>lpȀʹ<4 W8$ѷ5\̟qTk`IF'0uo΂')4LwB6VT_kӷ`-;ȥm#t2u_ *Tk6g\(ıvHU0nL|BJ= "Du]7$]$~L@Zs0hI`x{M^C Ev=2 EZޞIʎ8`_ˈ&h%*'+jnFN"*8viPk_^ս{ >KNdU99.Yr?Ӊqd a,գ{v6$JQkRIԮS{us#vFlwq[|BkN*©a]r9BK#}u](%JPۋhѯ 0*`\"| 7p5sZK3_5؛h|jby¶q (*Kyۊ67"|n ߶TS] 19$*%T27Az06Zp 5\$䐳'0S~ iGc5 /E#JL#zJeb|wFhɽ]GӁ,asi4 }X Y?j^ϭG`nr&gzbD╃`l,hafL$>i)ۓf{ErIU/p1L ^JjvǃUO&ُ5:UN.XJ%j?M#Sj䝊#2@rdLt  U0|ք%w埫͙w+G/E4S?V:I2:nHf;z&"<BskYIA~aug W99i"QѓG> ꞣ5GǤ F/DHcSbw0CcLe:Xbz/ "#: r`YQ] T 4_G]sX$ڢO2swd\^2 6G'AjT=g"av2~eH'Q%> ػ$OL#J'.bxйTbKt)IF +E'Yٰ<2oZ[=yP@4k^!j6kgM(Qv/&M1S ٵLdRP[eVvH [Jv:'Cy0n`@w|ISK_"22P CLSۮQLQgs㯝{b aQ(58xYo؍BѾ0]+$`vŎC'~PmR|hG!A{p!JJ-N(8ePwRs`&Q4h&DI>C~켡[O+Kd`: #bVOW|z M&;2䀽&Q֩ V_ZXX 5I2#F}؍{\e'8xqKr`؝jBY#kuc-IP*&lwgC”=jOr0?Ōy4WAK]ae3#&i!á7ḡ%߸R#K[C /e,FUy#"<{"D%}n%V*:.])l DT9hD>ȧ9ѢbzĎ?HTyA\lm*ط&X *u#YTJ찬(GDrKTMږ Q`zW{dX1,>r5p {TA}5+/Πps-~њ_ֲ^`Hnc&D\^8v3%J|RResC?-qrz;8gT]`իhLqٮ9pN"F =TdT{Rp>q^iUkWwŴ䜝'{mEo-kh{yN/ԽNex@CS^h_p- (ǹM̼@ZLtDfjLYAf.9oBsPIf!-FWC<ڞ5>w2{7W#:k~xU*;|\ 9K]y.h֧Ӥge]!d(Qbk ;iyrV }аH@0@̏#hXH,ڻV@|7j{:0p m/E>,<]Q RmRFTR> 6( Ho:9V ł&J#i8)%Y[ㅗJyW{W1i.6"],+kY{BK[ğ<őjVM!qCՂo\?1j]vS$8F }yr*pLg- Qfo1t7[l^!N}m;rw3oL"k_o}$$ 5?yN?F,rv滯H|fB:ƺ.0ﳍr"9]*g(3(BZQ>6͢ȘqZ7Tk ", 9'm)"SL>bR ɡ"wTG^?ڮG;HbVSM}Ɛ+'mT)aBMwd>乞FtPOâ(\3blУQ1źi٬R8EUqOG)p mB8Va}(YP0<ܕB԰2C=Гn)v.aD94}t{koʢ/]2"* +g1X&(ٲYR@IuswX6OPG^Gm|8B8oLRtILzl?d N]gCᳮ;*Y`EW3ba].r6΋_05ʈpBXf=ӛ!'@4>,}>Av0gfDFx9T[h]TQV9 yJ SNb#XZ:ѥuxz:z%CV̈)kXAje Hɪ_ܒIPh~4aP]!yytCIc[S^!O&OO}&-Yq@;n[9+F؜T;Tzϳj^ qx'MGŪۉ1ck _0:F b9M7 z(lJܬsS+Rܐx]XG ug_Fi vzڙ CM3!њ7Gl\5r]vJ^vLvdӔbeމqTKƢ}hX)Zok^*qm0S []QhA_QutOr sNtMi+x\Ƕ`[CLW%IW bUyp"g$g]#2raMr]{0)zZS֞\^͋*#ȋ+U~E;Հ5D?5ȎY-,f01KةQ|薴{xq8Gs&*WLiD@(g o6l3*ҙW5lkrWJjw4@ Pz2F7O9l{vj!&0e YLx"Y[_$MW L9_Ԇ#^5؄ZA2>co" Y~׫_]xkv~b4$lA,ڵyLu @i.R*gOгnBhb8]tjVM%;8w<]!فo2F:Z-0dӤtSy{(xt)5J o7$6b9Ww\h/PkK-pߋ=C[r}5'Wyϥޢ>"<Eb-է6$= c.-(,p2TB D<9W`ce`=owYw3c6$G7ҋMb8] 1hr++1X9(Oo &W͈mDm1&t -8L cn 6s7O)*9q;2Wh5d6FWpócnwtao$dV=*7,YD1܅#FJ:֤0'nTsbWc8ihkG>e{@KٜĴ#ۢwE6xL_!GY){ wɔȚLx}FǏ6 ۟G fJ+*<E 1ɑL[BRGZoRdt[>$rt}i^հb¥])†yVL%}c{)Ƹbc@q EO! Q| Y5g ȶf{HtS=L-_iz$X*EE aoBk?hbŊՈ@캑 0lO$@}Fa [݅$veߩڢSZx'H8ϧc\ =_M'Ue{UHwL;E~L{M"/Ӫc 3F_W~ON 46@ //>B}:2FS|3v,fg_RUp7h_;ƭ=s,rYmS*WV"/ [ ^$J) q]"̜ѥTVj7Ϯ&ͧ,V?w#Dx^xro0eOIi.zlJ*XO4lOό$(ĸ $veuì2U/o"!^O9C4,ϲNK?Q}mF'aw`H#Y$)pjGlܽZ;OSo>ز!..Ӝ,-(0{je¦eΔ_h?d6'nxfʐ+Q3dÔ,L6k=B_bV!ENpc=BEQDE^ݱ&H|cf? N1FؐQq߭8-3^W->c0OQmĶ}dAIOs38&>d;c&6HNEU7&Jd |LqT_NĘ4*ٰ\K'7ڳ(< H1ef ,(QXyB*َ#P!oͲ.3` LZZ]59sBnD-><ы]b{ ^LRy7܋K,>nADt~%<ĥ0CzFM[+= noRTمŨKos_ 7{V؃A#U! e,=ɐVC1}Fr}_w5r`k8;m /L)ڳ@hwYL7cW$o*m'a}u̫B]9xCN%[aj#5 *4JCRTfL'DٿewJ`}^~s1?A5qR\`TVgbBM:޲{i0"9v~j&M1ɸhˢlelLY0obhO!4 *.}l @ GаwΒ8kE[jg]ifbQSF'Ρ9mauؐft(>77&j>f 3ABL0\C F嘴:+ڃ^v!&'E_ixIwJX\2-k[" hs^AHvw.ˤ$W;l]=:Mk^DEUlAKӕH#*l} h:{ M'58&nGaгpݎux *rAtZ;\1z4i 䑫CD<)I2 l'W` j͏]$EޣI TKxl! X:W_0ћs)H/3eMPxWLjJ$er _}>-(xoU.dp3I6i֙غlAne|>昲 xb&+B?]Wh ak݄ڕ wZYZͮeMa&ӰZ>hFQJ r֕=xL.qMXŰj*<#FaiVo㒌{uT9hnF@Bn4K6!ZȗY!r]ri|[