mozilla-nss-certs-3.19.2-107.1e>UAh|cY ?U{$jpf MYO(ƀSPp sn>to(!>5L?<d ! 9 /5<@ B D H i lpuz(H(#8,L9\L: LFGHIXY\]^bcudeflz,Cmozilla-nss-certs3.19.2107.1CA certificates for NSSThis package contains the integrated CA root certificates from the Mozilla project.U{cloud124 0openSUSE 11.4openSUSEMPL-2.0http://bugs.opensuse.orgProductivity/Networking/Securityhttp://www.mozilla.org/projects/security/pki/nss/linuxx86_64 0Urb537ffeea7630cb18813c6583096e675rootrootmozilla-nss-3.19.2-107.1.src.rpmlibnssckbi.so()(64bit)libnssckbi.so(NSS_3.1)(64bit)libnssckbi.so(libnssckbi.so)(64bit)mozilla-nss-certsmozilla-nss-certs(x86-64)  @@@@@ rpmlib(PayloadFilesHavePrefix)rpmlib(CompressedFileNames)libc.so.6()(64bit)libc.so.6(GLIBC_2.2.5)(64bit)libnspr4.so()(64bit)libplc4.so()(64bit)libplds4.so()(64bit)rpmlib(PayloadIsLzma)4.0-13.0.4-14.4.6-14.8.0UUJ@UjU`kU8UTTT?@T!`Tk@SSSkqS,)S S@R@RjR@RRFQֵ@Q@QzQ@Qm=@QNQ/FQ@Q P,PZP)P+@OȮO@OF*@O= 4.9- update to 3.15.4 * required for Firefox 27 * regular CA root store update (1.96) * Reordered the cipher suites offered in SSL/TLS client hello messages to match modern best practices. * Improved SSL/TLS false start. In addition to enabling the SSL_ENABLE_FALSE_START option, an application must now register a callback using the SSL_SetCanFalseStartCallback function. * When false start is enabled, libssl will sometimes return unencrypted, unauthenticated data from PR_Recv (CVE-2013-1740, bmo#919877) * MFSA 2014-12/CVE-2014-1490/CVE-2014-1491 NSS ticket handling issues New functionality * Implemented OCSP querying using the HTTP GET method, which is the new default, and will fall back to the HTTP POST method. * Implemented OCSP server functionality for testing purposes (httpserv utility). * Support SHA-1 signatures with TLS 1.2 client authentication. * Added the --empty-password command-line option to certutil, to be used with -N: use an empty password when creating a new database. * Added the -w command-line option to pp: don't wrap long output lines. New functions * CERT_ForcePostMethodForOCSP * CERT_GetSubjectNameDigest * CERT_GetSubjectPublicKeyDigest * SSL_PeerCertificateChain * SSL_RecommendedCanFalseStart * SSL_SetCanFalseStartCallback New types * CERT_REV_M_FORCE_POST_METHOD_FOR_OCSP: When this flag is used, libpkix will never attempt to use the HTTP GET method for OCSP requests; it will always use POST. - removed obsolete char.patch- update to 3.15.3.1 (bnc#854367) * includes certstore update (1.95) (bmo#946351) (explicitely distrust AC DG Tresor SSL)- adapt specfile to ppc64le- update to 3.15.3 (bnc#850148) * CERT_VerifyCert returns SECSuccess (saying certificate is good) even for bad certificates, when the CERTVerifyLog log parameter is given (bmo#910438) * NSS advertises TLS 1.2 ciphersuites in a TLS 1.1 ClientHello (bmo#919677) * fix CVE-2013-5605- update to 3.15.2 (bnc#842979) * Support for AES-GCM ciphersuites that use the SHA-256 PRF * MD2, MD4, and MD5 signatures are no longer accepted for OCSP or CRLs * Add PK11_CipherFinal macro * sizeof() used incorrectly * nssutil_ReadSecmodDB() leaks memory * Allow SSL_HandshakeNegotiatedExtension to be called before the handshake is finished. * Deprecate the SSL cipher policy code * Avoid uninitialized data read in the event of a decryption failure. (CVE-2013-1739)- fix 32bit requirement, it's without () actually- update to 3.15.1 * TLS 1.2 (RFC 5246) is supported. HMAC-SHA256 cipher suites (RFC 5246 and RFC 5289) are supported, allowing TLS to be used without MD5 and SHA-1. Note the following limitations: The hash function used in the signature for TLS 1.2 client authentication must be the hash function of the TLS 1.2 PRF, which is always SHA-256 in NSS 3.15.1. AES GCM cipher suites are not yet supported. * some bugfixes and improvements- require libnssckbi instead of mozilla-nss-certs so p11-kit can conflict with the latter (fate#314991)- update to 3.15 * Packaging + removed obsolete patches * nss-disable-expired-testcerts.patch * bug-834091.patch * New Functionality + Support for OCSP Stapling (RFC 6066, Certificate Status Request) has been added for both client and server sockets. TLS client applications may enable this via a call to SSL_OptionSetDefault(SSL_ENABLE_OCSP_STAPLING, PR_TRUE); + Added function SECITEM_ReallocItemV2. It replaces function SECITEM_ReallocItem, which is now declared as obsolete. + Support for single-operation (eg: not multi-part) symmetric key encryption and decryption, via PK11_Encrypt and PK11_Decrypt. + certutil has been updated to support creating name constraints extensions. * New Functions in ssl.h SSL_PeerStapledOCSPResponse - Returns the server's stapled OCSP response, when used with a TLS client socket that negotiated the status_request extension. SSL_SetStapledOCSPResponses - Set's a stapled OCSP response for a TLS server socket to return when clients send the status_request extension. in ocsp.h CERT_PostOCSPRequest - Primarily intended for testing, permits the sending and receiving of raw OCSP request/responses. in secpkcs7.h SEC_PKCS7VerifyDetachedSignatureAtTime - Verifies a PKCS#7 signature at a specific time other than the present time. in xconst.h CERT_EncodeNameConstraintsExtension - Matching function for CERT_DecodeNameConstraintsExtension, added in NSS 3.10. in secitem.h SECITEM_AllocArray SECITEM_DupArray SECITEM_FreeArray SECITEM_ZfreeArray - Utility functions to handle the allocation and deallocation of SECItemArrays SECITEM_ReallocItemV2 - Replaces SECITEM_ReallocItem, which is now obsolete. SECITEM_ReallocItemV2 better matches caller expectations, in that it updates item->len on allocation. For more details of the issues with SECITEM_ReallocItem, see Bug 298649 and Bug 298938. in pk11pub.h PK11_Decrypt - Performs decryption as a single PKCS#11 operation (eg: not multi-part). This is necessary for AES-GCM. PK11_Encrypt - Performs encryption as a single PKCS#11 operation (eg: not multi-part). This is necessary for AES-GCM. * New Types in secitem.h SECItemArray - Represents a variable-length array of SECItems. * New Macros in ssl.h SSL_ENABLE_OCSP_STAPLING - Used with SSL_OptionSet to configure TLS client sockets to request the certificate_status extension (eg: OCSP stapling) when set to PR_TRUE * Notable changes + SECITEM_ReallocItem is now deprecated. Please consider using SECITEM_ReallocItemV2 in all future code. + The list of root CA certificates in the nssckbi module has been updated. + The default implementation of SSL_AuthCertificate has been updated to add certificate status responses stapled by the TLS server to the OCSP cache. * a lot of bugfixes- Add Source URL, see https://en.opensuse.org/SourceUrls- disable tests with expired certificates (nss-disable-expired-testcerts.patch) - add SEC_PKCS7VerifyDetachedSignatureAtTime using patch from mozilla tree to fulfill Firefox 21 requirements (bug-834091.patch; bmo#834091)- update to 3.14.3 * No new major functionality is introduced in this release. This release is a patch release to address CVE-2013-1620 (bmo#822365) * "certutil -a" was not correctly producing ASCII output as requested. (bmo#840714) * NSS 3.14.2 broke compilation with older versions of sqlite that lacked the SQLITE_FCNTL_TEMPFILENAME file control. NSS 3.14.3 now properly compiles when used with older versions of sqlite (bmo#837799) - remove system-sqlite.patch - add aarch64 support- added system-sqlite.patch (bmo#837799) * do not depend on latest sqlite just for a #define - enable system sqlite usage again- update to 3.14.2 * required for Firefox >= 20 * removed obsolete nssckbi update patch * MFSA 2013-40/CVE-2013-0791 (bmo#629816) Out-of-bounds array read in CERT_DecodeCertPackage - disable system sqlite usage since we depend on 3.7.15 which is not provided in any openSUSE distribution * add nss-sqlitename.patch to avoid any name clash- updated CA database (nssckbi-1.93.patch) * MFSA 2013-20/CVE-2013-0743 (bmo#825022, bnc#796628) revoke mis-issued intermediate certificates from TURKTRUST- update to 3.14.1 RTM * minimal requirement for Gecko 20 * several bugfixes- update to 3.14 RTM * Support for TLS 1.1 (RFC 4346) * Experimental support for DTLS 1.0 (RFC 4347) and DTLS-SRTP (RFC 5764) * Support for AES-CTR, AES-CTS, and AES-GCM * Support for Keying Material Exporters for TLS (RFC 5705) * Support for certificate signatures using the MD5 hash algorithm is now disabled by default * The NSS license has changed to MPL 2.0. Previous releases were released under a MPL 1.1/GPL 2.0/LGPL 2.1 tri-license. For more information about MPL 2.0, please see http://www.mozilla.org/MPL/2.0/FAQ.html. For an additional explanation on GPL/LGPL compatibility, see security/nss/COPYING in the source code. * Export and DES cipher suites are disabled by default. Non-ECC AES and Triple DES cipher suites are enabled by default - disabled OCSP testcases since they need external network (nss-disable-ocsp-test.patch)- update to 3.13.6 RTM * root CA update * other bugfixes- update to 3.13.5 RTM- update to 3.13.4 RTM * fixed some bugs * fixed cert verification regression in PKIX mode (bmo#737802) introduced in 3.13.2- update to 3.13.3 RTM - distrust Trustwave's MITM certificates (bmo#724929) - fix generic blacklisting mechanism (bmo#727204)- update to 3.13.2 RTM * requirement with Gecko >= 11 - removed obsolete patches * ckbi-1.88 * pkcs11n-header-fix.patch- fix spec file syntax for qemu-workaround- Added a patch to fix errors in the pkcs11n.h header file. (bmo#702090)- update to 3.13.1 RTM * better SHA-224 support (bmo#647706) * fixed a regression (causing hangs in some situations) introduced in 3.13 (bmo#693228) - update to 3.13.0 RTM * SSL 2.0 is disabled by default * A defense against the SSL 3.0 and TLS 1.0 CBC chosen plaintext attack demonstrated by Rizzo and Duong (CVE-2011-3389) is enabled by default. Set the SSL_CBC_RANDOM_IV SSL option to PR_FALSE to disable it. * SHA-224 is supported * Ported to iOS. (Requires NSPR 4.9.) * Added PORT_ErrorToString and PORT_ErrorToName to return the error message and symbolic name of an NSS error code * Added NSS_GetVersion to return the NSS version string * Added experimental support of RSA-PSS to the softoken only * NSS_NoDB_Init does not try to open /pkcs11.txt and /secmod.db anymore (bmo#641052, bnc#726096)- explicitely distrust DigiCert Sdn. Bhd (bnc#728520, bmo#698753) - make sure NSS_NoDB_Init does not try to use wrong certificate databases (CVE-2011-3640, bnc#726096, bmo#641052)- Workaround qemu-arm bugs.- explicitely distrust/override DigiNotar certs (bmo#683261) (trustdb version 1.87)- removed DigiNotar root certificate from trusted db (bmo#682927, bnc#714931)- fixed typo in summary of mozilla-nss (libsoftokn3)- update to 3.12.11 RTM * no upstream release notes available- Linux3.0 is the new Linux2.6 (make it build)- Do not include build dates in binaries, messes up build compare- update to 3.12.10 RTM * no changes except internal release information- update to 3.12.10beta1 * root CA changes * filter certain bogus certs (bmo#642815) * fix minor memory leaks * other bugfixes- update to 3.12.9rc0 * fix minor memory leaks (bmo#619268) * fix crash in nss_cms_decoder_work_data (bmo#607058) * fix crash in certutil (bmo#620908) * handle invalid argument in JPAKE (bmo#609068)- update to 3.12.9beta2 * J-PAKE support (API requirement for Firefox >= 4.0b8)- replaced expired PayPal test certificate (fixing testsuite)- update to 3.12.8 RTM release * support TLS false start (needed for Firefox4) (bmo#525092) * fix wildcard matching for IP addresses (bnc#637290, bmo#578697) (CVE-2010-3170) * bugfixes- update to 3.12.7 RTM release * bugfix release * updated root CA list - removed obsolete patches- Disable testsuite on SPARC. Some tests fails, probably due to just bad timing/luck.- Use preloaded empty system database since creating with modutil leaves database in nonusable state- buildrequire pkg-config to fix provides- disabled a test using an expired cert (bmo#557071)- fixed builds for older dists where internal sqlite3 is used (nss-sqlitename.patch was not refreshed correctly) - fixed baselibs.conf as is not a valid identifier- update to 3.12.6 RTM release * added mozilla-nss-sysinit subpackage - change renegotiation behaviour to the old default for a transition phase- split off libsoftokn3 subpackage to allow mixed NSS installation- added mozilla-nss-certs baselibs (bnc#567322)- split mozilla-nss-certs from main package - added rpmlintrc to ignore expected warnings - added baselibs.conf as source- updated builtin certs (version 1.77)- rebased patches to apply w/o fuzz- update to 3.12.4 RTM release- update to recent snapshot (20090806) - libnssdbm3.so has to be signed starting with 3.12.4- update to NSS 3.12.4pre snapshot - rebased existing patches - enable testsuite again (was disabled accidentally before)- update to NSS 3.12.3.1 (upstream use in FF 3.5.1) (bmo#504611) * RNG_SystemInfoForRNG called twice by nsc_CommonInitialize (bmo#489811; other changes are unrelated to Linux) - moved shlibsign to tools package again (as it's not needed at library install time anymore) - use %{_libexecdir} for the tools- Temporary testsuite fix for Factory (bnc#509308) (malloc.patch) - remove the post scriptlet which created the *.chk files and use a RPM feature to create them after debuginfo stuff- updated builtin root certs by updating to NSS_3_12_3_WITH_CKBI_1_75_RTM tag which is supposed to be the base for Firefox 3.5.0 - PreReq coreutils in the main package already as "rm" is used in its %post script - disable testsuite for this moment as it crashes on Factory currently for an unknown reason- renew Paypal certs to fix testsuite errors (bmo#491163)- update to version 3.12.3 RTM * default behaviour changed slightly but can be set up backward compatible using environment variables https://developer.mozilla.org/En/NSS_reference/NSS_environment_variables * New Korean SEED cipher * Some new functions in the nss library: CERT_RFC1485_EscapeAndQuote (see cert.h) CERT_CompareCerts (see cert.h) CERT_RegisterAlternateOCSPAIAInfoCallBack (see ocsp.h) PK11_GetSymKeyHandle (see pk11pqg.h) UTIL_SetForkState (see secoid.h) NSS_GetAlgorithmPolicy (see secoid.h) NSS_SetAlgorithmPolicy (see secoid.h) - created libfreebl3 subpackage and build it w/o nspr and nss deps - added patch to make all ASM noexecstack - create the softokn3 and freebl3 checksums at installation time (moved shlibsign to the main package to achieve that) - applied upstream patch to avoid OSCP test failures (bmo#488646) - applied upstream patch to fix libjar crashes (bmo#485145)cloud124 14370709713.19.2-107.13.19.2-107.1libnssckbi.so/usr/lib64/-fmessage-length=0 -O2 -Wall -D_FORTIFY_SOURCE=2 -fstack-protector -funwind-tables -fasynchronous-unwind-tables -gobs://build.opensuse.org/openSUSE:Evergreen:Maintenance:341/openSUSE_Evergreen_11.4/e2eed42f6e563af65caa82779a40b72c-mozilla-nss.openSUSE_Evergreen_11.4drpmlzma5x86_64-suse-linux(![-g~?]"k%וkH^x5X)K^̇ 6m;8^bĭvUAF#xL/v)K.`{ztKȨʫXEkӶw泄,s>_xBpQ@mTeGL>JF ݑ!Y2+4J 9Tuoi25 fm. sk66Kg heo o!~z+f79cwӓzύΓF1yGe"j3)>qv"YrBj|W–^ e0hB|͏CL x3H&,^){\R6+sY s,w"d;C GfxXq9 N@{xRK1>&jr,1Լƞ1j}JJd= %q0{w i9*+>LN&7rx;+{ZEb1 1̓1}(/姢RAbMxd} <.)562 DM\WK^}2ReJ+7J.Sќ^dZ>gCRwSYgv(}Ri/*.Ljk/+W0jm4^6 E5<bﴆ!y}1y,% uzId.6aafdGIB육[F? Lk>xjքT&m0I"3#] 'zó 횖dj:qc) N)"Ɲѹ\LKZ;Xp@ TpKr'wz{3̿W2d?]a*tSdU P.%@lhPN#4H0uߘآ\;NH<:Z-WB`Y/—riXǧ_8E&<<.cO(y]5S=>x&2jf8Ifq?+W00e<J*l>6qomb>EzWI\7Y( =ap@8_m#dm41Cmzc4Ty-} y2k?sװqvhkj j 6q]NOn>,}MDN5hs~?޽GO"SkWݿ+&B.kOΊve!MCRp?s jLv|zY({2pIH:>;cRj1GƷ0x~KI/EOA#?T?Jưڭ){s2}b&]_l{(VNƠzbv7GkMD aV{3P+ި Dm_^Dg@tG!"WOxr}n՘a@NZ&)GrcG x`"6XYܟ3i:(k!X-'Z?`ځH25Y~6SoT>vnsvwY2IC+x^%"TSԛWדŴ 63\ ƔV4V{|?'b,57趲?Awt.9T+vmK+ad5rSnwחwI6Vә# <Ke#gđ2qxG:Zr$c [zY1rM+S/ԧ'mp.+ ڵm6wpA";q_TTj&|^NC_a}& 1ƋhK&c j?*5<]ؚ{NrFt)j6etSaom8xG$C6glP]|4d@Sm@e{;lq+ٸ>lBˍi޾&]A$tSvQҷ+̫orP UdilzŒMo4 )tې.۪b$Pn:]g 7q%5}>$wZAD|B,fĔF]y $Q;nqXU= IɇvF *0T[ $--aZMu 4hݠMFXrffl(P 83̧IaH(yQ'ͥ5)WAO&<lx6i=R#y 4m n}wv h%ΧաKD[_> P Z1V"hO;ڀ?$ox풨I%dޝ= $Vye׀5d^ ghsinztfyQsLʏ ŭc4H%pd =zHU ̧X?tRYG7!njpn6Xa6kH=D`d@c(~ mw,~鵪?2W'/O>=u= "/_j:b]8H" iY-JRerQ"|h3e͖Q#;r LBµƷwؔj97YZ)mqs`)SdV_iN*-dԛ%S"=|QKHJplܷAT?L=47huu8]Lg6Fm歍p5ŗ]h|7` +P Y# 0r&f`Ee4p4P8wz"qȵsp~X%jo!e;HRsw#zHܵ.[y7MҤc[t_D"^of.Ը[sƙ7 ݭSqt0)9 /rܡYc-LZZ 05W;R[|@PiHydQF.2 3H™k6IS@yrf2иiܵdҢ.:sMj.9VviUߜ; IBZ-L:m@WNѹYKjV!1xť~.ҨBBuz ~_vGe|\%$%nTJ ?|8$aeogNlg{:8ܕ;M,bk,D!WhΕ+e!x9%dɢePT7uJ Nȩ)NwO5&i0ѷq;p`-8 9e^M "RLVp9KˣwJv kf0o.k[p c&HXtux$fZL} @t0`N^/YA:N:+Ih:V#TnmAtS`#韻yְ%ˌsZ2N4CO.FP֧OGIv*zSP~uײY'&3 Rg)YV" #+0[wp'$ DR]О._ 4Ԅ+mtJ- XaAl<9\D!Qܸ4ZL!)],eb4݊5WEbĭդVOHT3jVLq2)HF Y|~yF.`,=ú99%Lq@4w>oiB]#!=]t@ k_p#\@DN,Ж =Ţh''J3U6rq{;U/ lZ ˇiۺw4)fGgM "˳kw,ߺ:r-Ø/X1<\7jʩԦNg}GQF JT(;[emx8-Ыq~`Mؤ7IA(!.‡_L( Q?Al+~_{SaW[sboAX,N4I_]R7= kVwCJ8U]+=g -zOg#pHhZ3ԫs5Xz0e[vkKէݗ{G~NGԪ Q'VUi`x2xN讱-5Odn:=YV޴rOe JS wW'c RzJĹ: soz`!!C:bPv}hKy;ϵM_${'Q1w>̓怾x!)a5q3= XVB1x+@KnLP7>eG?`\x.ȁG$³;KOj6Lij OMl ^;= H# k$gP΅ukXG̢R#0K w8?Z6ժȍ^u*yCIYX-~6 p@&wo Qʗ4Ϙt&cVugڠ brp@eԢ*B_a.? gA'[a0j5!? :>ɫ#Rfd 9 Al;A:ٚʉ Z1@VJ,/)X?(j4SD,6#XYt?yuݛ0/{yjNvy#fnɷݓ7\|0(VQA;+1Rt; _X@c@FkX5Ch}-±|>gr5XJ_Vb"y4@ UFJR*ĠcNKaC(Us,Ē.S~m{3Z~+iܩczDhs*^&mv٬;O٨R6$X†<0) գ,^iRڊD/ 0޻Gl+5tyMPfVd&byB=l~c9?PQoe |L* \'dr`㖀 HQqp}%|0p|<Ψ,Hp|o7 `6b>#ŨШzC8e2cv [HW՜t/yV?ڒ}kT) d~ f04O2"O_i vx*.q76R iGHJkyS0s e c`1NWY\V.{5Yy۷f;\BʦYEָmlEh]"xg#bXx^To38r]6wEot@v-∌{1g=(J"ݕ=BnoKɤɵ,AlB(ЛXx.B ๟UHLoӨ ߩ *"GҕuvR-uFS=k!ɣJ]7*'bb>jO]^ #MO[ϫ̠F9Aٸ5j߿)o x`@_q|4aN3;NU `;/cݮ慈%umV`Xlh\ 0όx$ґM + YŢ3q_Bظ* RN&"]?((Mw*q_5n$ԺDr8fwgW#=Ƚ]_Yjn *l:^jbROtِRa&NcDZFD}ۍ!*FRBB4Y욶H*qae6A_#2uuMTH יl& I5+R|rù{Q;Byt1=.6rAYqU9PHӈL]^i'rlRXAc/fqFr2L&7 H%4{5QQ5i#+ڕYtΙ0YsR|K=u! d8ZJ@49?f/[4.H2_/aDװ|:N PQ乞/r5{O+0oV7TWB&(r׋mh+6yT iJLBaiac|1Uٿ= G zDc-۶aEczK{Ο;D&9N|\ nاhI4![Yz k_wP4ӵ?D3>ĸ&5Oy5PF5aF*#e{+ O*uq0e1A=>ROf>qfhvP.nF7% 11O}å;Wz"x"D~9JĵjRA5X Nİ@ȋ́ 7S fut8 cM͒ U_H<5V\g0&;ޕa*YZhet}x.٩Rl)fVs^vv8ҬCqA_fs!`mV1>U}0I cHW/+2- ȝ'룒M`)hۙ_)WDW7Y#{u<)爛5MKsb8~dLÍexAEs"^=V±'o6mC>ؽIUG qk lӏ)6;"H1 _t9c2DED r{W3@> vHh!8 8H kp=!s&0Go$&"C1:&2#}%!qn1(۬ϓy*Lk.'e HTpu!1opa#q* Soekȷwq>Kh5mPK&Y?r.*ZRZ ᅨ>\,Y̪{ kS@jBX6}z]lVwn 1 r=s86Dǃ< ﷃuS̺x|D?s iSQ'm)@hl+w" 慛93ΉG !"af)?Ҋhs=~lL,MWsʅ&}2fvǞLjcp+6[ƍ(AcK=?so/kdn#_R0A3߻6,U#5ŤaeSV4XSC0@U*/H2^ָ/nyź%XL=<耬W1-gbL+s 9+ԝS!=-N u8gKxLqyIvbwE;uMEmj&|h3o4MKǤL1H3(X#(!jRUL!X6A;qWZ(b$OO"Z=Dὂl@WPiDS"cQ0g@y`&axS3 JleKҳÁ(cB/qLfKHźvF.@[)`q"o~E~F.|Z |17]*f~d m"j+O r`Y)Sz-OrKRh\0>>(iGHRԖ7N0 |@sUvך"4K?߻(!Jv)fA]4ps0 d;8?S&28A9HtB=OY70cJ%{pw3uU.H>}XgfmȜqCԗ6˱ Y"΍b!F["[=I?a" ?22#Vsm>KRc3Du@6]7zST+;v}JDAЫ" /!9g>1eLlbRy>Gv*FnI)$H0HِoB]'uQN9 =vE`HU89$x6 qks-cDCjvl2޽?poG%[nR##JK;e\;7S]Ž˪WZcP@Ev-iZ>WnQ\NZ3 A1j4"|]{cn*(|oZhٔɯԄ9\]'o%qѤ-nTlOF@ vXz) k̃Ž'' iW«[Peg!<6ۍyxk+BzA^%.7nMUGe/##HQxKTg4]sHAVm/~O{HNG5]*LJHm.3$ɝ6 Ǯ{$Ímm2Iz'7w7e&.<#u^d0Rz fRWSԯq_ɀ~ uZeE6>y-021b7ǿoM?i4:> ܄6#Z*-&4h"Vf:=Anʧ0?>Wf_sHTΐ sɝ_ƒl3xZ\`$\2 bXiVC56D f sr=DOvꁏ)p, h "q[CL"/FX‰/66BzQTPq=CNtWY<9}vBr٦Q$!OdAcStZ/TYa Nk XʨV**.$0·iSp`Akw { IDS_A Wug26iˀOfbālin\m{A:0`8>d*