mozilla-nss-certs-x86-3.19.2-107.1

Name: mozilla-nss-certs-x86
Version: 3.19.2
Release: 107.1
Summary: CA certificates for NSS
Description: This package contains the integrated CA root certificates from the Mozilla project.
Build host: build190
Distribution: openSUSE 11.4
Vendor: openSUSE
License: MPL-2.0
Packager: http://bugs.opensuse.org
Group: Productivity/Networking/Security
URL: http://www.mozilla.org/projects/security/pki/nss/
OS: linux
Architecture: ia64
Post-install script: /sbin/ldconfig -r /emul/ia32-linux
Post-install program: /sbin/ldconfig
Source RPM: mozilla-nss-3.19.2-107.1.src.rpm
RPM version: 4.8.0

Provides:
  libnssckbi.so
  libnssckbi.so(NSS_3.1)
  libnssckbi.so(libnssckbi.so)
  mozilla-nss-certs-x86
  mozilla-nss-certs-x86(x86-32)

Requires:
  glibc-x86
  ia32el
  /bin/sh
  rpmlib(PayloadFilesHavePrefix) <= 4.0-1
  rpmlib(CompressedFileNames) <= 3.0.4-1
  libc.so.6
  libc.so.6(GLIBC_2.0)
  libc.so.6(GLIBC_2.1.3)
  libnspr4.so
  libplc4.so
  libplds4.so
  rpmlib(PayloadIsLzma) <= 4.4.6-1

Changelog:

- update to 3.15.4
  * required for Firefox 27
  * regular CA root store update (1.96)
  * Reordered the cipher suites offered in SSL/TLS client hello messages to match modern best practices.
  * Improved SSL/TLS false start. In addition to enabling the SSL_ENABLE_FALSE_START option, an application must now register a callback using the SSL_SetCanFalseStartCallback function.
  * When false start is enabled, libssl will sometimes return unencrypted, unauthenticated data from PR_Recv (CVE-2013-1740, bmo#919877)
  * MFSA 2014-12/CVE-2014-1490/CVE-2014-1491 NSS ticket handling issues
  New functionality
  * Implemented OCSP querying using the HTTP GET method, which is the new default, and will fall back to the HTTP POST method.
  * Implemented OCSP server functionality for testing purposes (httpserv utility).
  * Support SHA-1 signatures with TLS 1.2 client authentication.
  * Added the --empty-password command-line option to certutil, to be used with -N: use an empty password when creating a new database.
  * Added the -w command-line option to pp: don't wrap long output lines.
  New functions
  * CERT_ForcePostMethodForOCSP
  * CERT_GetSubjectNameDigest
  * CERT_GetSubjectPublicKeyDigest
  * SSL_PeerCertificateChain
  * SSL_RecommendedCanFalseStart
  * SSL_SetCanFalseStartCallback
  New types
  * CERT_REV_M_FORCE_POST_METHOD_FOR_OCSP: When this flag is used, libpkix will never attempt to use the HTTP GET method for OCSP requests; it will always use POST.
- removed obsolete char.patch

- update to 3.15.3.1 (bnc#854367)
  * includes certstore update (1.95) (bmo#946351) (explicitly distrust AC DG Tresor SSL)

- adapt specfile to ppc64le

- update to 3.15.3 (bnc#850148)
  * CERT_VerifyCert returns SECSuccess (saying certificate is good) even for bad certificates, when the CERTVerifyLog log parameter is given (bmo#910438)
  * NSS advertises TLS 1.2 ciphersuites in a TLS 1.1 ClientHello (bmo#919677)
  * fix CVE-2013-5605

- update to 3.15.2 (bnc#842979)
  * Support for AES-GCM ciphersuites that use the SHA-256 PRF
  * MD2, MD4, and MD5 signatures are no longer accepted for OCSP or CRLs
  * Add PK11_CipherFinal macro
  * sizeof() used incorrectly
  * nssutil_ReadSecmodDB() leaks memory
  * Allow SSL_HandshakeNegotiatedExtension to be called before the handshake is finished.
  * Deprecate the SSL cipher policy code
  * Avoid uninitialized data read in the event of a decryption failure. (CVE-2013-1739)

- fix 32bit requirement, it's without () actually

- update to 3.15.1
  * TLS 1.2 (RFC 5246) is supported. HMAC-SHA256 cipher suites (RFC 5246 and RFC 5289) are supported, allowing TLS to be used without MD5 and SHA-1. Note the following limitations: The hash function used in the signature for TLS 1.2 client authentication must be the hash function of the TLS 1.2 PRF, which is always SHA-256 in NSS 3.15.1. AES GCM cipher suites are not yet supported.
  * some bugfixes and improvements

- require libnssckbi instead of mozilla-nss-certs so p11-kit can conflict with the latter (fate#314991)

- update to 3.15
  * Packaging
    + removed obsolete patches
      * nss-disable-expired-testcerts.patch
      * bug-834091.patch
  * New Functionality
    + Support for OCSP Stapling (RFC 6066, Certificate Status Request) has been added for both client and server sockets. TLS client applications may enable this via a call to SSL_OptionSetDefault(SSL_ENABLE_OCSP_STAPLING, PR_TRUE);
    + Added function SECITEM_ReallocItemV2. It replaces function SECITEM_ReallocItem, which is now declared as obsolete.
    + Support for single-operation (eg: not multi-part) symmetric key encryption and decryption, via PK11_Encrypt and PK11_Decrypt.
    + certutil has been updated to support creating name constraints extensions.
  * New Functions
    in ssl.h
      SSL_PeerStapledOCSPResponse - Returns the server's stapled OCSP response, when used with a TLS client socket that negotiated the status_request extension.
      SSL_SetStapledOCSPResponses - Sets a stapled OCSP response for a TLS server socket to return when clients send the status_request extension.
    in ocsp.h
      CERT_PostOCSPRequest - Primarily intended for testing, permits the sending and receiving of raw OCSP request/responses.
    in secpkcs7.h
      SEC_PKCS7VerifyDetachedSignatureAtTime - Verifies a PKCS#7 signature at a specific time other than the present time.
    in xconst.h
      CERT_EncodeNameConstraintsExtension - Matching function for CERT_DecodeNameConstraintsExtension, added in NSS 3.10.
    in secitem.h
      SECITEM_AllocArray
      SECITEM_DupArray
      SECITEM_FreeArray
      SECITEM_ZfreeArray - Utility functions to handle the allocation and deallocation of SECItemArrays
      SECITEM_ReallocItemV2 - Replaces SECITEM_ReallocItem, which is now obsolete. SECITEM_ReallocItemV2 better matches caller expectations, in that it updates item->len on allocation. For more details of the issues with SECITEM_ReallocItem, see Bug 298649 and Bug 298938.
    in pk11pub.h
      PK11_Decrypt - Performs decryption as a single PKCS#11 operation (eg: not multi-part). This is necessary for AES-GCM.
      PK11_Encrypt - Performs encryption as a single PKCS#11 operation (eg: not multi-part). This is necessary for AES-GCM.
  * New Types
    in secitem.h
      SECItemArray - Represents a variable-length array of SECItems.
  * New Macros
    in ssl.h
      SSL_ENABLE_OCSP_STAPLING - Used with SSL_OptionSet to configure TLS client sockets to request the certificate_status extension (eg: OCSP stapling) when set to PR_TRUE
  * Notable changes
    + SECITEM_ReallocItem is now deprecated. Please consider using SECITEM_ReallocItemV2 in all future code.
    + The list of root CA certificates in the nssckbi module has been updated.
    + The default implementation of SSL_AuthCertificate has been updated to add certificate status responses stapled by the TLS server to the OCSP cache.
  * a lot of bugfixes

- Add Source URL, see https://en.opensuse.org/SourceUrls

- disable tests with expired certificates (nss-disable-expired-testcerts.patch)
- add SEC_PKCS7VerifyDetachedSignatureAtTime using patch from mozilla tree to fulfill Firefox 21 requirements (bug-834091.patch; bmo#834091)

- update to 3.14.3
  * No new major functionality is introduced in this release. This release is a patch release to address CVE-2013-1620 (bmo#822365)
  * "certutil -a" was not correctly producing ASCII output as requested. (bmo#840714)
  * NSS 3.14.2 broke compilation with older versions of sqlite that lacked the SQLITE_FCNTL_TEMPFILENAME file control.
    NSS 3.14.3 now properly compiles when used with older versions of sqlite (bmo#837799)
- remove system-sqlite.patch
- add aarch64 support

- added system-sqlite.patch (bmo#837799)
  * do not depend on latest sqlite just for a #define
- enable system sqlite usage again

- update to 3.14.2
  * required for Firefox >= 20
  * removed obsolete nssckbi update patch
  * MFSA 2013-40/CVE-2013-0791 (bmo#629816) Out-of-bounds array read in CERT_DecodeCertPackage
- disable system sqlite usage since we depend on 3.7.15 which is not provided in any openSUSE distribution
  * add nss-sqlitename.patch to avoid any name clash

- updated CA database (nssckbi-1.93.patch)
  * MFSA 2013-20/CVE-2013-0743 (bmo#825022, bnc#796628) revoke mis-issued intermediate certificates from TURKTRUST

- update to 3.14.1 RTM
  * minimal requirement for Gecko 20
  * several bugfixes

- update to 3.14 RTM
  * Support for TLS 1.1 (RFC 4346)
  * Experimental support for DTLS 1.0 (RFC 4347) and DTLS-SRTP (RFC 5764)
  * Support for AES-CTR, AES-CTS, and AES-GCM
  * Support for Keying Material Exporters for TLS (RFC 5705)
  * Support for certificate signatures using the MD5 hash algorithm is now disabled by default
  * The NSS license has changed to MPL 2.0. Previous releases were released under a MPL 1.1/GPL 2.0/LGPL 2.1 tri-license. For more information about MPL 2.0, please see http://www.mozilla.org/MPL/2.0/FAQ.html. For an additional explanation on GPL/LGPL compatibility, see security/nss/COPYING in the source code.
  * Export and DES cipher suites are disabled by default.
    Non-ECC AES and Triple DES cipher suites are enabled by default
- disabled OCSP testcases since they need external network (nss-disable-ocsp-test.patch)

- update to 3.13.6 RTM
  * root CA update
  * other bugfixes

- update to 3.13.5 RTM

- update to 3.13.4 RTM
  * fixed some bugs
  * fixed cert verification regression in PKIX mode (bmo#737802) introduced in 3.13.2

- update to 3.13.3 RTM
- distrust Trustwave's MITM certificates (bmo#724929)
- fix generic blacklisting mechanism (bmo#727204)

- update to 3.13.2 RTM
  * requirement with Gecko >= 11
- removed obsolete patches
  * ckbi-1.88
  * pkcs11n-header-fix.patch

- fix spec file syntax for qemu-workaround

- Added a patch to fix errors in the pkcs11n.h header file. (bmo#702090)

- update to 3.13.1 RTM
  * better SHA-224 support (bmo#647706)
  * fixed a regression (causing hangs in some situations) introduced in 3.13 (bmo#693228)
- update to 3.13.0 RTM
  * SSL 2.0 is disabled by default
  * A defense against the SSL 3.0 and TLS 1.0 CBC chosen plaintext attack demonstrated by Rizzo and Duong (CVE-2011-3389) is enabled by default. Set the SSL_CBC_RANDOM_IV SSL option to PR_FALSE to disable it.
  * SHA-224 is supported
  * Ported to iOS. (Requires NSPR 4.9.)
  * Added PORT_ErrorToString and PORT_ErrorToName to return the error message and symbolic name of an NSS error code
  * Added NSS_GetVersion to return the NSS version string
  * Added experimental support of RSA-PSS to the softoken only
  * NSS_NoDB_Init does not try to open /pkcs11.txt and /secmod.db anymore (bmo#641052, bnc#726096)

- explicitly distrust DigiCert Sdn. Bhd (bnc#728520, bmo#698753)
- make sure NSS_NoDB_Init does not try to use wrong certificate databases (CVE-2011-3640, bnc#726096, bmo#641052)

- Workaround qemu-arm bugs.

- explicitly distrust/override DigiNotar certs (bmo#683261) (trustdb version 1.87)

- removed DigiNotar root certificate from trusted db (bmo#682927, bnc#714931)

- fixed typo in summary of mozilla-nss (libsoftokn3)

- update to 3.12.11 RTM
  * no upstream release notes available

- Linux3.0 is the new Linux2.6 (make it build)

- Do not include build dates in binaries, messes up build compare

- update to 3.12.10 RTM
  * no changes except internal release information

- update to 3.12.10beta1
  * root CA changes
  * filter certain bogus certs (bmo#642815)
  * fix minor memory leaks
  * other bugfixes

- update to 3.12.9rc0
  * fix minor memory leaks (bmo#619268)
  * fix crash in nss_cms_decoder_work_data (bmo#607058)
  * fix crash in certutil (bmo#620908)
  * handle invalid argument in JPAKE (bmo#609068)

- update to 3.12.9beta2
  * J-PAKE support (API requirement for Firefox >= 4.0b8)

- replaced expired PayPal test certificate (fixing testsuite)

- update to 3.12.8 RTM release
  * support TLS false start (needed for Firefox4) (bmo#525092)
  * fix wildcard matching for IP addresses (bnc#637290, bmo#578697) (CVE-2010-3170)
  * bugfixes

- update to 3.12.7 RTM release
  * bugfix release
  * updated root CA list
- removed obsolete patches

- Disable testsuite on SPARC.
  Some tests fail, probably due to just bad timing/luck.

- Use preloaded empty system database since creating with modutil leaves database in nonusable state

- buildrequire pkg-config to fix provides

- disabled a test using an expired cert (bmo#557071)

- fixed builds for older dists where internal sqlite3 is used (nss-sqlitename.patch was not refreshed correctly)
- fixed baselibs.conf as is not a valid identifier

- update to 3.12.6 RTM release
  * added mozilla-nss-sysinit subpackage
- change renegotiation behaviour to the old default for a transition phase

- split off libsoftokn3 subpackage to allow mixed NSS installation

- added mozilla-nss-certs baselibs (bnc#567322)

- split mozilla-nss-certs from main package
- added rpmlintrc to ignore expected warnings
- added baselibs.conf as source

- updated builtin certs (version 1.77)

- rebased patches to apply w/o fuzz

- update to 3.12.4 RTM release

- update to recent snapshot (20090806)
- libnssdbm3.so has to be signed starting with 3.12.4

- update to NSS 3.12.4pre snapshot
- rebased existing patches
- enable testsuite again (was disabled accidentally before)

- update to NSS 3.12.3.1 (upstream use in FF 3.5.1) (bmo#504611)
  * RNG_SystemInfoForRNG called twice by nsc_CommonInitialize (bmo#489811; other changes are unrelated to Linux)
- moved shlibsign to tools package again (as it's not needed at library install time anymore)
- use %{_libexecdir} for the tools

- Temporary testsuite fix for Factory (bnc#509308) (malloc.patch)
- remove the post scriptlet which created the *.chk files and use a RPM feature to create them after debuginfo stuff

- updated builtin root certs by updating to NSS_3_12_3_WITH_CKBI_1_75_RTM tag which is supposed to be the base for Firefox 3.5.0
- PreReq coreutils in the main package already as "rm" is used in its %post script
- disable testsuite for this moment as it crashes on Factory currently for an unknown reason

- renew Paypal certs to fix testsuite errors (bmo#491163)

- update to version 3.12.3 RTM
  * default behaviour changed slightly but can be set up backward compatible using environment variables https://developer.mozilla.org/En/NSS_reference/NSS_environment_variables
  * New Korean SEED cipher
  * Some new functions in the nss library:
    CERT_RFC1485_EscapeAndQuote (see cert.h)
    CERT_CompareCerts (see cert.h)
    CERT_RegisterAlternateOCSPAIAInfoCallBack (see ocsp.h)
    PK11_GetSymKeyHandle (see pk11pqg.h)
    UTIL_SetForkState (see secoid.h)
    NSS_GetAlgorithmPolicy (see secoid.h)
    NSS_SetAlgorithmPolicy (see secoid.h)
- created libfreebl3 subpackage and build it w/o nspr and nss deps
- added patch to make all ASM noexecstack
- create the softokn3 and freebl3 checksums at installation time (moved shlibsign to the main package to achieve that)
- applied upstream patch to avoid OCSP test failures (bmo#488646)
- applied upstream patch to fix libjar crashes (bmo#485145)

Installed file: /emul/ia32-linux/usr/lib/libnssckbi.so
Build flags: -fomit-frame-pointer -fmessage-length=0 -O2 -Wall -D_FORTIFY_SOURCE=2 -fstack-protector -funwind-tables -fasynchronous-unwind-tables -g
Dist URL: obs://build.opensuse.org/openSUSE:Evergreen:Maintenance:341/openSUSE_Evergreen_11.4/e2eed42f6e563af65caa82779a40b72c-mozilla-nss.openSUSE_Evergreen_11.4
Payload compression: lzma
Platform: ia64-suse-linux