mozilla-nss-certs-32bit-3.19.2-107.1e>UAġ;9ZR?U$j¼l\ pش@Fau6d/7w}>5C?3d! ' ? /5<LP R T X y |, T  (#8,L9\L: L>GHIXY\]^bc|defl!Cmozilla-nss-certs-32bit3.19.2107.1CA certificates for NSSThis package contains the integrated CA root certificates from the Mozilla project.Ubuild190openSUSE 11.4openSUSEMPL-2.0http://bugs.opensuse.orgProductivity/Networking/Securityhttp://www.mozilla.org/projects/security/pki/nss/linuxx86_64/sbin/ldconfig0U715893508c1b0cefb79acb66ebdbcbf7rootrootmozilla-nss-3.19.2-107.1.src.rpmlibnssckbi.solibnssckbi.so(NSS_3.1)libnssckbi.so(libnssckbi.so)mozilla-nss-certs-32bitmozilla-nss-certs-32bit(x86-32)  @@@@@@ /bin/shrpmlib(PayloadFilesHavePrefix)rpmlib(CompressedFileNames)libc.so.6libc.so.6(GLIBC_2.0)libc.so.6(GLIBC_2.1.3)libnspr4.solibplc4.solibplds4.sorpmlib(PayloadIsLzma)4.0-13.0.4-14.4.6-14.8.0UUJ@UjU`kU8UTTT?@T!`Tk@SSSkqS,)S S@R@RjR@RRFQֵ@Q@QzQ@Qm=@QNQ/FQ@Q P,PZP)P+@OȮO@OF*@O= 4.9- update to 3.15.4 * required for Firefox 27 * regular CA root store update (1.96) * Reordered the cipher suites offered in SSL/TLS client hello messages to match modern best practices. * Improved SSL/TLS false start. In addition to enabling the SSL_ENABLE_FALSE_START option, an application must now register a callback using the SSL_SetCanFalseStartCallback function. * When false start is enabled, libssl will sometimes return unencrypted, unauthenticated data from PR_Recv (CVE-2013-1740, bmo#919877) * MFSA 2014-12/CVE-2014-1490/CVE-2014-1491 NSS ticket handling issues New functionality * Implemented OCSP querying using the HTTP GET method, which is the new default, and will fall back to the HTTP POST method. * Implemented OCSP server functionality for testing purposes (httpserv utility). * Support SHA-1 signatures with TLS 1.2 client authentication. * Added the --empty-password command-line option to certutil, to be used with -N: use an empty password when creating a new database. * Added the -w command-line option to pp: don't wrap long output lines. New functions * CERT_ForcePostMethodForOCSP * CERT_GetSubjectNameDigest * CERT_GetSubjectPublicKeyDigest * SSL_PeerCertificateChain * SSL_RecommendedCanFalseStart * SSL_SetCanFalseStartCallback New types * CERT_REV_M_FORCE_POST_METHOD_FOR_OCSP: When this flag is used, libpkix will never attempt to use the HTTP GET method for OCSP requests; it will always use POST. - removed obsolete char.patch- update to 3.15.3.1 (bnc#854367) * includes certstore update (1.95) (bmo#946351) (explicitely distrust AC DG Tresor SSL)- adapt specfile to ppc64le- update to 3.15.3 (bnc#850148) * CERT_VerifyCert returns SECSuccess (saying certificate is good) even for bad certificates, when the CERTVerifyLog log parameter is given (bmo#910438) * NSS advertises TLS 1.2 ciphersuites in a TLS 1.1 ClientHello (bmo#919677) * fix CVE-2013-5605- update to 3.15.2 (bnc#842979) * Support for AES-GCM ciphersuites that use the SHA-256 PRF * MD2, MD4, and MD5 signatures are no longer accepted for OCSP or CRLs * Add PK11_CipherFinal macro * sizeof() used incorrectly * nssutil_ReadSecmodDB() leaks memory * Allow SSL_HandshakeNegotiatedExtension to be called before the handshake is finished. * Deprecate the SSL cipher policy code * Avoid uninitialized data read in the event of a decryption failure. (CVE-2013-1739)- fix 32bit requirement, it's without () actually- update to 3.15.1 * TLS 1.2 (RFC 5246) is supported. HMAC-SHA256 cipher suites (RFC 5246 and RFC 5289) are supported, allowing TLS to be used without MD5 and SHA-1. Note the following limitations: The hash function used in the signature for TLS 1.2 client authentication must be the hash function of the TLS 1.2 PRF, which is always SHA-256 in NSS 3.15.1. AES GCM cipher suites are not yet supported. * some bugfixes and improvements- require libnssckbi instead of mozilla-nss-certs so p11-kit can conflict with the latter (fate#314991)- update to 3.15 * Packaging + removed obsolete patches * nss-disable-expired-testcerts.patch * bug-834091.patch * New Functionality + Support for OCSP Stapling (RFC 6066, Certificate Status Request) has been added for both client and server sockets. TLS client applications may enable this via a call to SSL_OptionSetDefault(SSL_ENABLE_OCSP_STAPLING, PR_TRUE); + Added function SECITEM_ReallocItemV2. It replaces function SECITEM_ReallocItem, which is now declared as obsolete. + Support for single-operation (eg: not multi-part) symmetric key encryption and decryption, via PK11_Encrypt and PK11_Decrypt. + certutil has been updated to support creating name constraints extensions. * New Functions in ssl.h SSL_PeerStapledOCSPResponse - Returns the server's stapled OCSP response, when used with a TLS client socket that negotiated the status_request extension. SSL_SetStapledOCSPResponses - Set's a stapled OCSP response for a TLS server socket to return when clients send the status_request extension. in ocsp.h CERT_PostOCSPRequest - Primarily intended for testing, permits the sending and receiving of raw OCSP request/responses. in secpkcs7.h SEC_PKCS7VerifyDetachedSignatureAtTime - Verifies a PKCS#7 signature at a specific time other than the present time. in xconst.h CERT_EncodeNameConstraintsExtension - Matching function for CERT_DecodeNameConstraintsExtension, added in NSS 3.10. in secitem.h SECITEM_AllocArray SECITEM_DupArray SECITEM_FreeArray SECITEM_ZfreeArray - Utility functions to handle the allocation and deallocation of SECItemArrays SECITEM_ReallocItemV2 - Replaces SECITEM_ReallocItem, which is now obsolete. SECITEM_ReallocItemV2 better matches caller expectations, in that it updates item->len on allocation. For more details of the issues with SECITEM_ReallocItem, see Bug 298649 and Bug 298938. in pk11pub.h PK11_Decrypt - Performs decryption as a single PKCS#11 operation (eg: not multi-part). This is necessary for AES-GCM. PK11_Encrypt - Performs encryption as a single PKCS#11 operation (eg: not multi-part). This is necessary for AES-GCM. * New Types in secitem.h SECItemArray - Represents a variable-length array of SECItems. * New Macros in ssl.h SSL_ENABLE_OCSP_STAPLING - Used with SSL_OptionSet to configure TLS client sockets to request the certificate_status extension (eg: OCSP stapling) when set to PR_TRUE * Notable changes + SECITEM_ReallocItem is now deprecated. Please consider using SECITEM_ReallocItemV2 in all future code. + The list of root CA certificates in the nssckbi module has been updated. + The default implementation of SSL_AuthCertificate has been updated to add certificate status responses stapled by the TLS server to the OCSP cache. * a lot of bugfixes- Add Source URL, see https://en.opensuse.org/SourceUrls- disable tests with expired certificates (nss-disable-expired-testcerts.patch) - add SEC_PKCS7VerifyDetachedSignatureAtTime using patch from mozilla tree to fulfill Firefox 21 requirements (bug-834091.patch; bmo#834091)- update to 3.14.3 * No new major functionality is introduced in this release. This release is a patch release to address CVE-2013-1620 (bmo#822365) * "certutil -a" was not correctly producing ASCII output as requested. (bmo#840714) * NSS 3.14.2 broke compilation with older versions of sqlite that lacked the SQLITE_FCNTL_TEMPFILENAME file control. NSS 3.14.3 now properly compiles when used with older versions of sqlite (bmo#837799) - remove system-sqlite.patch - add aarch64 support- added system-sqlite.patch (bmo#837799) * do not depend on latest sqlite just for a #define - enable system sqlite usage again- update to 3.14.2 * required for Firefox >= 20 * removed obsolete nssckbi update patch * MFSA 2013-40/CVE-2013-0791 (bmo#629816) Out-of-bounds array read in CERT_DecodeCertPackage - disable system sqlite usage since we depend on 3.7.15 which is not provided in any openSUSE distribution * add nss-sqlitename.patch to avoid any name clash- updated CA database (nssckbi-1.93.patch) * MFSA 2013-20/CVE-2013-0743 (bmo#825022, bnc#796628) revoke mis-issued intermediate certificates from TURKTRUST- update to 3.14.1 RTM * minimal requirement for Gecko 20 * several bugfixes- update to 3.14 RTM * Support for TLS 1.1 (RFC 4346) * Experimental support for DTLS 1.0 (RFC 4347) and DTLS-SRTP (RFC 5764) * Support for AES-CTR, AES-CTS, and AES-GCM * Support for Keying Material Exporters for TLS (RFC 5705) * Support for certificate signatures using the MD5 hash algorithm is now disabled by default * The NSS license has changed to MPL 2.0. Previous releases were released under a MPL 1.1/GPL 2.0/LGPL 2.1 tri-license. For more information about MPL 2.0, please see http://www.mozilla.org/MPL/2.0/FAQ.html. For an additional explanation on GPL/LGPL compatibility, see security/nss/COPYING in the source code. * Export and DES cipher suites are disabled by default. Non-ECC AES and Triple DES cipher suites are enabled by default - disabled OCSP testcases since they need external network (nss-disable-ocsp-test.patch)- update to 3.13.6 RTM * root CA update * other bugfixes- update to 3.13.5 RTM- update to 3.13.4 RTM * fixed some bugs * fixed cert verification regression in PKIX mode (bmo#737802) introduced in 3.13.2- update to 3.13.3 RTM - distrust Trustwave's MITM certificates (bmo#724929) - fix generic blacklisting mechanism (bmo#727204)- update to 3.13.2 RTM * requirement with Gecko >= 11 - removed obsolete patches * ckbi-1.88 * pkcs11n-header-fix.patch- fix spec file syntax for qemu-workaround- Added a patch to fix errors in the pkcs11n.h header file. (bmo#702090)- update to 3.13.1 RTM * better SHA-224 support (bmo#647706) * fixed a regression (causing hangs in some situations) introduced in 3.13 (bmo#693228) - update to 3.13.0 RTM * SSL 2.0 is disabled by default * A defense against the SSL 3.0 and TLS 1.0 CBC chosen plaintext attack demonstrated by Rizzo and Duong (CVE-2011-3389) is enabled by default. Set the SSL_CBC_RANDOM_IV SSL option to PR_FALSE to disable it. * SHA-224 is supported * Ported to iOS. (Requires NSPR 4.9.) * Added PORT_ErrorToString and PORT_ErrorToName to return the error message and symbolic name of an NSS error code * Added NSS_GetVersion to return the NSS version string * Added experimental support of RSA-PSS to the softoken only * NSS_NoDB_Init does not try to open /pkcs11.txt and /secmod.db anymore (bmo#641052, bnc#726096)- explicitely distrust DigiCert Sdn. Bhd (bnc#728520, bmo#698753) - make sure NSS_NoDB_Init does not try to use wrong certificate databases (CVE-2011-3640, bnc#726096, bmo#641052)- Workaround qemu-arm bugs.- explicitely distrust/override DigiNotar certs (bmo#683261) (trustdb version 1.87)- removed DigiNotar root certificate from trusted db (bmo#682927, bnc#714931)- fixed typo in summary of mozilla-nss (libsoftokn3)- update to 3.12.11 RTM * no upstream release notes available- Linux3.0 is the new Linux2.6 (make it build)- Do not include build dates in binaries, messes up build compare- update to 3.12.10 RTM * no changes except internal release information- update to 3.12.10beta1 * root CA changes * filter certain bogus certs (bmo#642815) * fix minor memory leaks * other bugfixes- update to 3.12.9rc0 * fix minor memory leaks (bmo#619268) * fix crash in nss_cms_decoder_work_data (bmo#607058) * fix crash in certutil (bmo#620908) * handle invalid argument in JPAKE (bmo#609068)- update to 3.12.9beta2 * J-PAKE support (API requirement for Firefox >= 4.0b8)- replaced expired PayPal test certificate (fixing testsuite)- update to 3.12.8 RTM release * support TLS false start (needed for Firefox4) (bmo#525092) * fix wildcard matching for IP addresses (bnc#637290, bmo#578697) (CVE-2010-3170) * bugfixes- update to 3.12.7 RTM release * bugfix release * updated root CA list - removed obsolete patches- Disable testsuite on SPARC. Some tests fails, probably due to just bad timing/luck.- Use preloaded empty system database since creating with modutil leaves database in nonusable state- buildrequire pkg-config to fix provides- disabled a test using an expired cert (bmo#557071)- fixed builds for older dists where internal sqlite3 is used (nss-sqlitename.patch was not refreshed correctly) - fixed baselibs.conf as is not a valid identifier- update to 3.12.6 RTM release * added mozilla-nss-sysinit subpackage - change renegotiation behaviour to the old default for a transition phase- split off libsoftokn3 subpackage to allow mixed NSS installation- added mozilla-nss-certs baselibs (bnc#567322)- split mozilla-nss-certs from main package - added rpmlintrc to ignore expected warnings - added baselibs.conf as source- updated builtin certs (version 1.77)- rebased patches to apply w/o fuzz- update to 3.12.4 RTM release- update to recent snapshot (20090806) - libnssdbm3.so has to be signed starting with 3.12.4- update to NSS 3.12.4pre snapshot - rebased existing patches - enable testsuite again (was disabled accidentally before)- update to NSS 3.12.3.1 (upstream use in FF 3.5.1) (bmo#504611) * RNG_SystemInfoForRNG called twice by nsc_CommonInitialize (bmo#489811; other changes are unrelated to Linux) - moved shlibsign to tools package again (as it's not needed at library install time anymore) - use %{_libexecdir} for the tools- Temporary testsuite fix for Factory (bnc#509308) (malloc.patch) - remove the post scriptlet which created the *.chk files and use a RPM feature to create them after debuginfo stuff- updated builtin root certs by updating to NSS_3_12_3_WITH_CKBI_1_75_RTM tag which is supposed to be the base for Firefox 3.5.0 - PreReq coreutils in the main package already as "rm" is used in its %post script - disable testsuite for this moment as it crashes on Factory currently for an unknown reason- renew Paypal certs to fix testsuite errors (bmo#491163)- update to version 3.12.3 RTM * default behaviour changed slightly but can be set up backward compatible using environment variables https://developer.mozilla.org/En/NSS_reference/NSS_environment_variables * New Korean SEED cipher * Some new functions in the nss library: CERT_RFC1485_EscapeAndQuote (see cert.h) CERT_CompareCerts (see cert.h) CERT_RegisterAlternateOCSPAIAInfoCallBack (see ocsp.h) PK11_GetSymKeyHandle (see pk11pqg.h) UTIL_SetForkState (see secoid.h) NSS_GetAlgorithmPolicy (see secoid.h) NSS_SetAlgorithmPolicy (see secoid.h) - created libfreebl3 subpackage and build it w/o nspr and nss deps - added patch to make all ASM noexecstack - create the softokn3 and freebl3 checksums at installation time (moved shlibsign to the main package to achieve that) - applied upstream patch to avoid OSCP test failures (bmo#488646) - applied upstream patch to fix libjar crashes (bmo#485145)/bin/sh 43.19.2-107.13.19.2-107.1libnssckbi.so/usr/lib/-fomit-frame-pointer -fmessage-length=0 -O2 -Wall -D_FORTIFY_SOURCE=2 -fstack-protector -funwind-tables -fasynchronous-unwind-tables -gobs://build.opensuse.org/openSUSE:Evergreen:Maintenance:341/openSUSE_Evergreen_11.4/e2eed42f6e563af65caa82779a40b72c-mozilla-nss.openSUSE_Evergreen_11.4drpmlzma5x86_64-suse-linux?]"k%hR^ȑYўebn4fPǖAB,ވd~!F.ƗVl+u:޺Cl cUyq Bs:sIj\8$Sh'EWSGtrg7"#e!JpvmVKꄑ J Ws 9I؝bM4e Ԋlu)#nEe_ ޲5:qJ q 8-=#cF8* nj X<€vӪS.0ȉ,;C̣9D9ByV,,"Woqv#!SʝՎOuF3S?UNy<`fߍfČd\xu  /:{y}*Qv\Y%֑Pxwvvh-_.Y48ObP*@MCwp;NaAK/TFWClT-EC 1ʜHɭIHDzzg9T.4>61U볊({H=|I)"?Q%>w̬N$&j,kNn2CK3{ǧr>-.,cböM;hͥf#۔ >^!k(|h? ^ea}|tEOFۋ^3D1"¶;=EB.9\I= |WZ<>BqߕT^{8 5Ѧ4@l ]K<}bGyCt%ݱ3;bH -gz΋l?B1XfExuM'CjTT^?${;P("a` @Gsd3ֹn\ vfjtx:UGȣr,J8$򋆳bn^1;$@i/"4SD] ۅ)]g"a/VW?^l-՜fkhQ^7xp({۪Βەw/zu[brzWIC&r! ǻŬإK/TN{QD ?vh`zac[1U#Ĩ@SSacȣ g+ڣITŕ;%bXib_oܭ We# U?QZ [^] uTIFꍬXrk Wí|]\Gj;!*ބ@;5(=6l Fm&δ䱗PM'5 !*xq"ZV{0 I|z$`%;'CG*9R*5`؅*0q>PDVp$hwc {oE$=JIF- BJU߰ ygc”z8eao%FĝZ[?ZbZ?L扉E.sڈoR >BR"\V Rإ ;8Z sG$g)ug{鲓%idټe{UIO6F8NGHɌ y7`T*2IPR[A ~ED)'+LJ7A7'TG?b9ZI &8 Q=mw#>,~n7ةOf܆ 1 ]-1s&]_s$b*HseQ=[mcf|r(8W 8 4 6zVKg=F~X fnﯻ@':77i]p/K[ᱝ5U+ ,8SEnM5k;(Oq]A3n yvӰt] I U=~H͔Y -1{j)jcOChr\+~2C:\^sDjuÞ|yq/㛕G5YfhyJu6k%_ ʠ;|ec=(&&5ǝ w 9ɮ0Jsl~a@kB*͓y||H\FZ}Tmi`;kS,1~/_'Ezc&E@ c22j9%/iJ긾ɬyr6\]7Ln$OftWP[jFMUq)M01AMVM^/' )6k/@[GI!,+,1|>xv]:Gφu2m-Ni%,2Tkfa4W;S*W*33Mec4`>$oɩpXsdL\DBAŴ'iCI)F D2._遼!i,%Y.o<2{ H?cEeqrP =.y лl S:Qޟlepz{9:f+ F@a^`_*% kD}XZ]76Z놡sTWۄּɶe2 ܏ M+|'Π;|SM1lH$JѥK~RewdxZ6)]q (T_8iAB0g{{N%c(S^0|3=eGǂ1S8^A׵{ɡ ̓Fgx׻h\OC?Ώㄌ&\^Ir[KԾ{49ݙTpDm m6~; ↦8(4Jo&ʥx~4k-O2c/Eg{b\Ph@GA`v̏gS%s&@vQq~z@݅$!JE%MX)h鳅Wϔ^bHUg!r#)XeM1]b2ft8 aԩi=".,sH譞y0ѵLX#v6] ӎvCԇIq+v(Q&^zSs%ں_\4ٸnruȎe`3YW7+ JPѨɊ\L.'%wsEκk'8 >$.Oe>ߖ"vFV깝wZ:j4=S8Yyrt9G9k c77__Kl{LI#|s^ aί+ŭoҟt$e sK]pUa/tf2ynCIt,!],fv#zkMbF:Hn!9ʷ!<%1D 7mU-R% ׌#Brą=6Yyoh,@$75d$ƠVJĆ'#̬%mmrB@+BGw׀ls| gl0'q`14\L7`']8u+FlT LZ-}sqeEf״4"U}TkY&uYW*e:\o:J_,l? J \7BGbZ6 wC\kx'GsQbb0?9?Uίw_3ME,|ptV^%PTّ %kNlpZԆgxXwx;V5n:a'mjUHХJ+s2,Ҍ`Ń ,oq!>w^lu/poPv~/o7jD]4reMy/.]iH'@!/ 87Bll\0=W&K)@44}VC:P,JpMG8d5~w5; }t 3gPHlI74G1~umy]qKj#29w($|D5f {](6<.ouC^$r&,uFZꤜo^Ce-BTDucɑr%pݠ;QeTwIY7K9F?R9'800,Ĕ1F6]`<|Zա1|(mXr#QPJ:k\=gXw .WI;>'e-[bF20V+ ح{j/|*iolⓜ}ӐzB2nrw$| F2Xat9v- 1u  xuEf[Qy0.Wy4oxcZ4_ed%0l8Ŝ`w)sF][rɮH/yLIkڽLO-Ó Lt͘rZ]6ٯ'3۴8S[I=+tmpg˸.h IBj}xб)@%!_ygc&x_76K^<ɺ!$ƶt$ʏKK\˂D9/1ә mj@VI9qcIjۖ٢r-9[FQ33cf"F(ѳ]nK#+jZ=.,$EYuχ8T^бէ6$wf^L &dߜ;01&ڔS%:o&uxǡ)Z z5j_c3B@*,5 \4 @K- q,ehIDb.}v=WCOHPPFE׆y)_l2I 3-C.3g8+< ek6O(6*;S|Lr qb1}3oUOf]BJLvΉY3͈aLlPd?t6+(?82RD͔٩dLnS'o mA$P]EK\ 7棤 U#6bh>TCLNgS߳,& 09AӦ+[76;{]}B#Ba;&͟B5Ԛ-= %' Ck%װRt/Ro,FU 2ed_K{ B,GΛ9o/|ՃR-p'НE|r\3 2+I^Hh`s2;pymZ촰jޫx\7lO]Lʢ9F?ZH8tj{|NpwHERǼb/9!F3DD)JgvBzkk&`+`ȆgGjt@ Ark:c3egiTg4GtkxP{K%e{I{wY'H64'Ye%8`HʍnC6ܠB]՚0+vБisU5?A% ʙuGx=x\eFwxclr!SB\N4ِHXF?q2O@&U-PnV))+Nf/4Ϯpz$~ᛟ߫w/c䚿 ÇˢမL5 q|?o 4yYlJT!Gln\˿5TKw=/ҚtX2aQcZQEXκ_C^.lrDyqCnZEzPL u)*E RjDć1+ũbZWdo^mP>Gg&g)^sl%BG3)*}#"_R`J_ps譨؞{7W&m H b>CNlʺ/N+-jyO>3ijP$b0m}&jĜ: 9HKlIviA(u|%kZgN6]=#M*Da@VH夣U]WJ>>cpRgC : n(9N+eoRpHvaꮞrA* H•^;^кweE6`Wxb{E=ͻ߼Dy&n3 &b|YMSݨDUOCA!BZ )]kkb`C+I ARVo^hbi2eK4VBcr^-[ƍWWB}a?fnM-0 Fh"{J#P@—5 E!Sǀ1bH*EH&}wJ&e$Xz/pQك 3]l<(yjJV؝< oL{EYWΣ|)5QT&X7|긖C;T:ΐER":M NevL٣˪p?Ҕ x* N,&L~*1+ؠ1 'WȝY*B'I{qF905@5kd7yVĊhS*|j7ΖFCtw 2}=ɦ ]緗H裈f=-l]7<4&qii7ZJF;Kf Se,bCt*Шr3DA"8Aq0|S9ιֆ",%Fn4wco  .˖_u܏>jaM¾ H8O);mp3 rMf;!@|*QR[:ϑiw`DI(z !%Y!${VYKSHJaטK$-lN[ J.qwj٠ந201vR+߀ M6U-wjwr£]\JgDY,0ֱcC Z 2  +ҏjp~⢏E1@V5x$h-vd8qt(-LzKt`&SV "YN܍+ ͭD? I6/I'3˰/&߯6ywm&}UHZ%a ("Bzd-bh8d6լ8]YN8}x4Lx@&.Y<υԨlοu S, /q'Ɋ7g,rVR™.3햂 20junlu"z$?*m֦/Қ,1>&Dn ΅=28] © ך( wC?B3]>-弞tx*1J D*[[ccգXw]1 n Z7~$;#[.-ZGA! q@vk:29~NmH I#uBh˜mӖIEdD_!0:% |VɆL$ce̮@oOz\`tQL oJ[ Æ0SP01m_8a9~O'yzb-y)TYzFlguPČH4ތyv)mfC.nVn[1 'l'A#$#(mU!w1JuU~G<9ZҐW!fwMZEzt^k.-?~mkՕ(WOCn1?]tTsa$OQyCB!k[o+U<`pԛ2u0Zš Z/r< xb]Kvُᲄdk" YUסW|òeR9Oڹ:DZoq߈A=N;U0oģVck[W{~CZW ?Ta+Ô.N3vKbZ{ax,rUT9I lT,yW)UG55P|A6I&sڪ1R!eodOHJfYc@U8 :L %-B۸}m/F\~?Az~oYM U {eyDEI/'3}B$.$83lR }z, :_m[#|jGEKY"Ni̖Δ ǥּ#iY$ C2NU(O#ir\<(WGQ'|ƭ4*ĕ׋YQH_6 gS;h3d|2cqተvsP9.X E0^o4c#vazk}xĎ0>Z:QPH v7$Q#tl9 *VdzcjaJ[Z<`z qN/=x;F/gRiFWKUCLǍdUzP]"1tQ{7ꚯCb 5d_̞0h"ч !E7i6gl@l5^X#N>XJV=_I,ʡ֏;^%F֬`ho'j7Ra>?QbbfNpE_< ,4p&j@8}ãP4FzH>я؟@Dq :ՙ2t~VY«)bM;8 U0~1[DaFHh3#Dՠ ktp3ltcB`ܑ`~1:)1 UlJwW#Ah,gP43n*& y\cDr,a| M3Aŷ$SdՎ[--z !};?mHKqΖ &[\gڢ;gjYbQ̋f۬aV/u` 2oaآn荨`N"WmOUF/ūy؍^W|DƷ`ZʙѢ td8JXcwsgB"AyQRu~)eS%t2m,B{gƠΫۮ(b7NW&\{-o 0s) T I`V(l)E}qdЅq#;FQn: HpgocV`*"ˆVuS6fTA1̥1f\U%d7K8P} { KIEy|,zxQS[n?NG0:]SsNK.X{" 1gtJE+Ϛ>9OL悗D`Y6;LFO@h0sq3Qh`6.EmÞfWYy:7kNw=' Sg$C=N#皋xJ(NDr=& C]_`['!JGGTNX5![So_ 3a\ ̃%rp9t7kw(c$F`k8˥kg1Hq9DڏѨvLa3Md7jN|dfĎg*c0uNklf^Y ! RԂ@S߽eo-Ek3z`c I#ɗJy/Nх/@T[VaN:do`&TdAG\{;ymm^)cgLN鈞D!˛UW -:` &5 MmQL5FiM#VꬣPJp%&ADoC/6Kn--oF1H@Xᷚ VG4^8sDC98Gbce?tjGLHcF_=hoѣD#Vo:=uItF za'{Csž>,(XS2au\CWHyeP252-Jy | G<[pʩHlХrV}kՔ*ET.$^{.&NtDk#\?O!8M.dL (`Rujte}_W!A! {BfTc sX+AT*N<}A]Sz i$U^NRIUd ^7&?{ !8M^*TvAq~8R,uA(5tYͅjk|nnR_‚ agRlZ!ajZIpM8"`{9]nƑ *ic8tN7z , Ig(2'_Lh Rygo !_|i+mT=^RW. D,$mnwWP&_k_9ĭSQф ҧ9eWbٟk VF؉ hv0<nNtM2&QYha AǔY? 1Ȑ0kk:rGV*u~A;EbQ(B=DHJ(+Ǯa~S^e E"(G5L,$R, ADIdۺR@}InqS̱?_6S_醨YzZhj1 W>91`Mt ç@:Fu.- [dVe8|/ ag@(Dc˓LxHrq"u֧K̷!dR>@@"sy}}z:(@x\PH d L6ls3 LIL!p o7\\ 4gsܑ% c$]-\j%n@[\ëJ 1Np&e bao9d2,hȞi0}"T!Ww&n_ ~Xn~=M䁃H*;q2x?w%Pm$P5K4 i$rH۔xk1c(O gmFS-]K70?0zaN)sҠ;SZu~DV!/-RfdixYKmwo8Gqz*O*YP+:>+|#wQjŞRj Ӣ܁Le ?"lR rǰdSZ{Kb/Bp{,=T ͪOJr`r.~N Чr\^y\Q)G)5%=dLbѡ ޅiFXЪB3qrGX+7rJ\W&Еx yC7oJtY)3R`Z5{κD"/~vQ88û?aƻ@ f0H;MjWGCpYȷuv_Z?g,AqeIP'|yXyk>]7]!4ԫx!*+}ryn0Mx^y@jbXT皼]ջ/Z<;}D\T77/[W'r٘x_>̓tB]mTz-.I.Ky5DK;ɕfggQ <a =1Hvw(,0Rz?qgI%r~*{gTrѱ<ٙRp7 r1fI YiCN$coް< gm&ͯ"5Y''[dHYcz|Fa!g^vdfyafitǹ@SΎFmh"QkYa6˪-zҗ\±GDӳ|2P:^3G!'Je D%YfiֹƎKORme؜j4CYŠ m\MbƮ=,|k٫@y9SZ.huP2LMbKUik>RTG*áBbEU(S `_f(KvLar^G= }B^8R3C$SReZwzb3fV4T)CR0ǥ,iYlqt{kdsMLRyr;K)i]E="z>^{c(0hߒ|ç6쏆