shim-15.8-150300.4.20.2<>,f! p9|(͡"e./YQx*x{9lw;F?tEn-Nn$ƜjP$uה㊩d,BSwQ㦼ω\P$q>VΠ'KՑ6WsrB*&riyF2;7fHLddqpr| NcG6yf< ^iwS^mW?[pxxζm62婛r}2qC*SqJbNo=JkX>@Μ?Όd   +  ,29L   $   J     D  ( 8 |9 |:4|>!G,HtIȼXY\]H^ bʷc`defluvDw̌xy 3<@FΈCshim15.8150300.4.20.2UEFI shim loadershim is a trivial EFI application that, when run, attempts to open and execute another application.f! h04-ch2al=SUSE Linux Enterprise 15SUSE LLC BSD-2-Clausehttps://www.suse.com/System/Boothttps://github.com/rhboot/shimlinuxx86_64 loader_type=`sed -n \ "/^[^#]*LOADER_TYPE=/{s@.*=\(.*\)@\1@;s@^[\"']@@;s@[\"']\\$@@;p;q}" \ /etc/sysconfig/bootloader \ 2>/dev/null || :` for bl in grub2-efi; do if test "x${bl}" == "x$loader_type"; then mkdir -p /run/update-bootloader/ touch /run/update-bootloader/reinit break fi done # copy from kernel-scriptlets/cert-script is_efi () { local msg rc=0 # The below statement fails if mokutil isn't installed or UEFI is unsupported. # It doesn't fail if UEFI is available but secure boot is off. msg="$(mokutil --sb-state 2>&1)" || rc=$? return $rc } # run mokutil for setting sbat policy to latest mode EFIVARFS=/sys/firmware/efi/efivars SBAT_POLICY="$EFIVARFS/SbatPolicy-605dab50-e046-4300-abb6-3dd810dd8b23" if is_efi; then if [ -w $EFIVARFS ] && \ [ ! -f "$SBAT_POLICY" ] && \ mokutil -h | grep -q "set-sbat-policy"; \ then # Only apply CA check on the kernel package certs (bsc#1173115) mokutil --set-sbat-policy latest fi fi%#$$< b( AA큤AA큤AA큤$f! f! f! f! f! f! f! f! f! f! emf! f! f! f! f! f! f! c315e37690d6847d6603db8c6f7b4c20aae7c89af3bf5e8e41c48416ea1da5b449f2e63f2e7f0cc94dab42932e26ea4160ef96860f6e2cc0f9d72ec12c1b8cbf15edf527919ddcb2f514ab9d16ad07ef219e4bb490e0b79560be510f0c159cc276835854721ad33f1a3ac4184ddf05484a3958db5813e28516b16e0d59819a2ec840eb1f5b5e97dad1554d4dcec72ae4fadc65d81500dfb6a15b32f5902002a5c315e37690d6847d6603db8c6f7b4c20aae7c89af3bf5e8e41c48416ea1da5b4a60d256c802849a0a5e23fe5298ddcf7f78445cc71f519b64573dcb61af0e6ff../../share/efi/x86_64/MokManager.efi../../share/efi/x86_64/fallback.efi../../share/efi/x86_64/shim-sles.efi../../share/efi/x86_64/shim-sles.efishim-sles.efirootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootshim-15.8-150300.4.20.2.src.rpmshimshim(x86-64)@      /bin/bash/bin/sh/bin/shmokutilperl-Bootloaderrpmlib(CompressedFileNames)rpmlib(FileDigests)rpmlib(PayloadFilesHavePrefix)rpmlib(PayloadIsXz)3.0.4-14.6.0-14.0-15.2-14.14.3f! @eepe@eAee@e e @dbd7d7d3@d!@c@c#@c~ @cwscwscv"@cv"@cs@cs@cs@c5c@b@bbޅb@bUi`#@`ݮ@`@`@`@`9@````q`+`@`@``N@`e@``n@`m`dd@`a@`[)`J@`F` @___@__[@_R,@_C_?@_+_$__*@_X@_X@^0^@^oj@]e@]V\@\r@\}\,@\eX@\N\@n@\Size of reloc section f7a4338 Skip testing msleep() 549d346 Rename 'msecs' to 'usecs' to avoid potential confusion 908c388 Change type of fallback_verbose_wait from int to unsigned long 05eae92 Add SbatLevel_Variable.txt to document the various revocations 243f125 Use -Wno-unused-but-set-variable for Cryptlib and OpenSSL 89d25a1 Add a make rule for compile_commands.json 118ff87 Add gnu-stack notes f132655 test: Make our fake dprintf be a statement. be00279 Remove CentOS 7 test builds. 9964960 Split pe.c up even more. 569270d Test (and fix) ImageAddress() 61e9894 Verify signature before verifying sbat levels 1578b55 Add libFuzzer support for csv.c a0673e3 Fix a 1-byte memory leak in .sbat parsing. e246812 Add libFuzzer support to the .sbat parser. fd43eda Work around ImageAddress() usage mistake 1e985a3 Correctly free memory allocated in handle_image() dbbe3c8 mok: Avoid underflow in maximum variable size calculation 04111d4 Make some of the static analysis tools a little easier to run 7ba7440 compile_commands.json: remove stuff clang doesn't like 66e6579 CVE-2023-40546 mok: fix LogError() invocation f271826 Add primitives for overflow-checked arithmetic operations. 8372147 pe-relocate: Add a fuzzer for read_header() 5a5147d CVE-2023-40551: pe-relocate: Fix bounds check for MZ binaries e912071 pe-relocate: make read_header() use checked arithmetic operations. 93ce255 CVE-2023-40550 pe: Fix an out-of-bound read in verify_buffer_sbat() e7f5fdf pe-relocate: Ensure nothing else implements CVE-2023-40550 afdc503 CVE-2023-40549 Authenticode: verify that the signature header is in bounds. 96dccc2 CVE-2023-40548 Fix integer overflow on SBAT section size on 32-bit system dae82f6 Further mitigations against CVE-2023-40546 as a class ea0f9df Allow SbatLevel data from external binary b078ef2 Always clear SbatLevel when Secure Boot is disabled 7dfb687 BS Variables for bootmgr revocations a967c0e shim should not self revoke 577cedd Print message when refusing to apply SbatLevel e801b0d sbat revocations: check the full section name 0226b56 CVE-2023-40547 - avoid incorrectly trusting HTTP headers 6f0c8d2 Print errors when setting/clearing memory attrs 57c0eed Updated Revocations for January 2024 CVEs 49c6d95 Fix some minor ia32 build issues. be8ff7c post-process-pe: Don't set the NX_COMPAT flag by default after all. 13abd9f pe-relocate: Avoid __builtin_add_overflow() on GCC < 5 c46c975 Suppress "Failed to open <..>\revocations.efi" when file does not exist 30a4f37 Rename "previous" revocations to "automatic" 6f395c2 Build time selectable automatic SBATLevel revocations a23e2f0 netboot read_image() should not hardcode DEFAULT_LOADER 993a345 Try to load revocations.efi even if directory read fails 1770a03 gitmodules: use shim-15.8 for gnu-efi branch 5914984 (HEAD -> main, tag: latest-release, tag: 15.8, origin/main, origin/HEAD) Bump version to 15.8- Generate dbx during build so we don't include binary files in sources- Don't require grub so shim can still be used with systemd-boot- Update shim-install to fix boot failure of ext4 root file system on RAID10 (bsc#1205855) 226c94ca5cfca Use hint in looking for root if possible- Adopt the macros from fde-tpm-helper-macros to update the signature in the sealed key after a bootloader upgrade- Update shim-install to amend full disk encryption support b540061e041b Adopt TPM 2.0 Key File for grub2 TPM 2.0 protector f2e8143ce831 Use the long name to specify the grub2 key protector 72830120e5ea cryptodisk: support TPM authorized policies 49e7a0d307f3 Do not use tpm_record_pcrs unless the command is in command.lst- Sometimes SLE shim signature be Microsoft updated before openSUSE shim signature. When submit request on IBS for updating SLE shim, the submitreq project be generated, but it always be blocked by checking the signature of openSUSE shim. It doesn't make sense checking openSUSE shim signature when building SLE shim on SLE platform, and vice versa. So the following change adds the logic to compare suffix (sles, opensuse) with distro_id (sle, opensuse). When and only when hash mismatch and distro_id match with suffix, stop building. [#] compare suffix (sles, opensuse) with distro_id (sle, opensuse) [#] when hash mismatch and distro_id match with suffix, stop building- Upgrade shim-install for bsc#1210382 After closing Leap-gap project since Leap 15.3, openSUSE Leap direct uses shim from SLE. So the ca_string is 'SUSE Linux Enterprise Secure Boot CA1', not 'openSUSE Secure Boot CA1'. It causes that the update_boot=no, so all files in /boot/efi/EFI/boot are not updated. The 86b73d1 patch added the logic that using ID field in os-release for checking Leap distro and set ca_string to 'SUSE Linux Enterprise Secure Boot CA1'. Then /boot/efi/EFI/boot/* can also be updated. - https://github.com/SUSE/shim-resources (git log --oneline) 86b73d1 Fix that bootx64.efi is not updated on Leap f2e8143 Use the long name to specify the grub2 key protector 7283012 cryptodisk: support TPM authorized policies 49e7a0d Do not use tpm_record_pcrs unless the command is in command.lst 26c6bd5 Have grub take a snapshot of "relevant" TPM PCRs 5c2c3ad Handle different cases of controlling cryptomount volumes during first stage boot a5c5734 Introduce --no-grub-install option- Removed POST_PROCESS_PE_FLAGS=-N from the build command in shim.spec to enable the NX compatibility flag when using post-process-pe after discussed with grub2 experts in mail. It's useful for further development and testing. (bsc#1205588)- Updated shim signature after shim 15.7 of SLE be signed back: signature-sles.x86_64.asc, signature-sles.aarch64.asc (bsc#1198458, CVE-2022-28737)- Removed shim-bsc1198101-opensuse-cert-prompt.patch (bsc#1198101) - Detail discussion is in bugzilla: https://bugzilla.suse.com/show_bug.cgi?id=1198101 - The shim community review and challenge this prompt. No other distro shows prompt (Have checked Fedora 37, CentOS 9 and Ubuntu 22.10). Currently, it blocked the review process of openSUSE shim. - Other distros lock-down kernel when secure boot is enabled. Some of them used different key for signing kernel binary with In-tree kernel module. And their build service does not provide signed Out-off-tree module.- Modified shim-install, add the following Olaf Kirch's patches to support full disk encryption: (jsc#PED-922) a5c57340740c Introduce --no-grub-install option 5c2c3addc51f Handle different cases of controlling cryptomount volumes during first stage boot 26c6bd5df7ae Have grub take a snapshot of "relevant" TPM PCRs- Add POST_PROCESS_PE_FLAGS=-N to the build command in shim.spec to disable the NX compatibility flag when using post-process-pe because grub2 is not ready. (bsc#1205588) - Kernel can boot with the NX compatibility flag since 82e0d6d76a2a7 be merged to v5.19. On the other hand, upstream is working on improve compressed kernel stage for NX: [PATCH v3 00/24] x86_64: Improvements at compressed kernel stage https://www.spinics.net/lists/kernel/msg4599636.html- Add shim-Enable-the-NX-compatibility-flag-by-default.patch to enable the NX compatibility flag by default. (jsc#PED-127)- Drop upstreamed patch: - shim-Enable-TDX-measurement-to-RTMR-register.patch - Enable TDX measurement to RTMR register (jsc#PED-1273) - 4fd484e4c2 15.7- Update to 15.7 (bsc#1198458)(jsc#PED-127) - Patches (git log --oneline --reverse 15.6..15.7) 0eb07e1 Make SBAT variable payload introspectable 092c2b2 Reference MokListRT instead of MokList 8b59b69 Add a link to the test plan in the readme. 4fd484e Enable TDX measurement to RTMR register 14d6339 Discard load-options that start with a NUL 5c537b3 shim: Flush the memory region from i-cache before execution 2d4ebb5 load_cert_file: Fix stack issue ea4911c load_cert_file: Use EFI RT memory function 0cf43ac Add -malign-double to IA32 compiler flags 17f0233 pe: Fix image section entry-point validation 5169769 make-archive: Build reproducible tarball aa1b289 mok: remove MokListTrusted from PCR 7 53509ea CryptoPkg/BaseCryptLib: fix NULL dereference 616c566 More coverity modeling ea0d0a5 Update shim's .sbat to sbat,3 dd8be98 Bump grub's sbat requirement to grub,3 1149161 (HEAD -> main, tag: 15.7, origin/main, origin/HEAD) Update version to 15.7 - 15.7 release note https://github.com/rhboot/shim/releases Make SBAT variable payload introspectable by @chrisccoulson in #483 Reference MokListRT instead of MokList by @esnowberg in #488 Add a link to the test plan in the readme. by @vathpela in #494 [V3] Enable TDX measurement to RTMR register by @kenplusplus in #485 Discard load-options that start with a NUL by @frozencemetery in #505 load_cert_file bugs by @esnowberg in #523 Add -malign-double to IA32 compiler flags by @nicholasbishop in #516 pe: Fix image section entry-point validation by @iokomin in #518 make-archive: Build reproducible tarball by @julian-klode in #527 mok: remove MokListTrusted from PCR 7 by @baloo in #519 - Drop upstreamed patch: - shim-bsc1177789-fix-null-pointer-deref-AuthenticodeVerify.patch - Cryptlib/CryptAuthenticode: fix NULL pointer dereference in AuthenticodeVerify() - 53509eaf22 15.7 - shim-jscPED-127-upgrade-shim-in-SLE15-SP5.patch - For backporting the following patches between 15.6 with aa1b289a1a (jsc#PED-127) - The following patches are merged to 15.7 aa1b289a1a mok: remove MokListTrusted from PCR 7 0cf43ac6d7 Add -malign-double to IA32 compiler flags ea4911c2f3 load_cert_file: Use EFI RT memory function 2d4ebb5a79 load_cert_file: Fix stack issue 5c537b3d0c shim: Flush the memory region from i-cache before execution 14d6339829 Discard load-options that start with a NUL 092c2b2bbe Reference MokListRT instead of MokList 0eb07e11b2 Make SBAT variable payload introspectable- Update shim.changes, added missed shim 15.6-rc1 and 15.6 changelog to the item in Update to 15.6. (bsc#1198458)- Add shim-jscPED-127-upgrade-shim-in-SLE15-SP5.patch for backporting the following patches between 15.6 with aa1b289a1a (jsc#PED-127): aa1b289a1a16774afc3143b8948d97261f0872d0 mok: remove MokListTrusted from PCR 7 0cf43ac6d78c6f47f8b91210639ac1aa63665f0b Add -malign-double to IA32 compiler flags ea4911c2f3ce8f8f703a1476febac86bb16b00fd load_cert_file: Use EFI RT memory function 2d4ebb5a798aafd3b06d2c3cb9c9840c1caa41ef load_cert_file: Fix stack issue 5c537b3d0cf8c393dad2e61d49aade68f3af1401 shim: Flush the memory region from i-cache before execution 14d63398298c8de23036a4cf61594108b7345863 Discard load-options that start with a NUL 092c2b2bbed950727e41cf450b61c794881c33e7 Reference MokListRT instead of MokList 0eb07e11b20680200d3ce9c5bc59299121a75388 Make SBAT variable payload introspectable- Add shim-Enable-TDX-measurement-to-RTMR-register.patch to support enhance shim measurement to TD RTMR. (jsc#PED-1273)- For pushing openSUSE:Factory/shim to SLE15-SP5, sync the shim.spec and shim.changes: (jsc#PED-127) - Add some change log from SLE shim.changes to Factory shim.changes Those messages are added "(sync shim.changes from SLE)" tag. - Add the following changes to shim.spec - only apply Patch100, the shim-bsc1198101-opensuse-cert-prompt.patch on openSUSE. - Enable the AArch64 signature check for SLE: [#] AArch64 signature signature=%{SOURCE13}- shim-install: ensure grub.cfg created is not overwritten after installing grub related files- Add logic to shim.spec to only set sbat policy when efivarfs is writeable. (bsc#1201066)- Add logic to shim.spec for detecting --set-sbat-policy option before using mokutil to set sbat policy. (bsc#1202120)- Change the URL in SBAT section to mail:security@suse.de. (bsc#1193282)- Revoked the change in shim.spec for "use common SBAT values (boo#1193282)" - we need to build openSUSE Tumbleweed's shim on Leap 15.4 because Factory is unstable for building out a stable shim binary for signing. (bsc#1198458) - But the rpm-config-suse package in Leap 15.4 is direct copied from SLE 15.4 because closing-the-leap-gap. So sbat_distro_* variables are SLE version, not for openSUSE. (bsc#1198458)- Update to 15.6 (bsc#1198458) - shim-15.6.tar.bz2 is downloaded from bsc#1198458#c76 which is from upstream grub2.cve_2021_3695.ms keybase channel. - For building 15.6~rc1 aarch64 image (d6eb9c6 Modernize aarch64), objcopy needs to support efi-app-aarch64 target. So we need the following patches in bintuils: - binutils-AArch64-Add-support-for-AArch64-EFI-efi-aarch64.patch b69c9d41e8 AArch64: Add support for AArch64 EFI (efi-*-aarch64). - binutils-Re-AArch64-Add-support-for-AArch64-EFI-efi-aarch64.patch 32384aa396 Re: AArch64: Add support for AArch64 EFI (efi-*-aarch64) - binutils-Re-Add-support-for-AArch64-EFI-efi-aarch64.patch d91c67e873 Re: Add support for AArch64 EFI (efi-*-aarch64) - Patches (git log --oneline --reverse 15.5~..77144e5a4) 448f096 MokManager: removed Locate graphic output protocol fail error message (bsc#1193315, bsc#1198458) a2da05f shim: implement SBAT verification for the shim_lock protocol bda03b8 post-process-pe: Fix a missing return code check af18810 CI: don't cancel testing when one fails ba580f9 CI: remove EOL Fedoras from github actions bfeb4b3 Remove aarch64 build tests before f35 38cc646 CI: Add f36 and centos9 CI build tests. b5185cb post-process-pe: Fix format string warnings on 32-bit platforms 31094e5 tests: also look for system headers in multi-arch directories 4df989a mock-variables.c: fix gcc warning 6aac595 test-str.c: fix gcc warnings with FORTIFY_SOURCE enabled 2670c6a Allow MokListTrusted to be enabled by default 5c44aaf Add code of conduct d6eb9c6 Modernize aarch64 9af50c1 Use ASCII as fallback if Unicode Box Drawing characters fail de87985 make: don't treat cert.S specially 803dc5c shim: use SHIM_DEVEL_VERBOSE when built in devel mode 6402f1f SBAT matching: Break out of the inner sbat loop if we find the entry. bb4b60e Add verify_image acfd48f Abstract out image reading 35d7378 Load additional certs from a signed binary 8ce2832 post-process-pe: there is no 's' argument. 465663e Add some missing PE image flag definitions 226fee2 PE Loader: support and require NX df96f48 Add MokPolicy variable and MOK_POLICY_REQUIRE_NX b104fc4 post-process-pe: set EFI_IMAGE_DLLCHARACTERISTICS_NX_COMPAT f81a7cc SBAT revocation management abe41ab make: unbreak scan-build again for gnu-efi 610a1ac sbat.h: minor reformatting for legibility f28833f peimage.h: make our signature macros force the type 5d789ca Always initialize data/datasize before calling read_image() a50d364 sbat policy: make our policy change actions symbolic 5868789 load_certs: trust dir->Read() slightly less. a78673b mok.c: fix a trivial dead assignment 759f061 Fix preserve_sbat_uefi_variable() logic aa61fdf Give the Coverity scanner some more GCC blinders... 0214cd9 load_cert_file(): don't defererence NULL 1eca363 mok import: handle OOM case 75449bc sbat: Make nth_sbat_field() honor the size limit c0bcd04 shim-15.6~rc1 77144e5 SBAT Policy latest should be a one-shot - 15.5 release note https://github.com/rhboot/shim/releases Broken ia32 relocs and an unimportant submodule change. by @vathpela in #357 mok: allocate MOK config table as BootServicesData by @lcp in #361 Don't call QueryVariableInfo() on EFI 1.10 machines by @vathpela in #364 Relax the check for import_mok_state() by @lcp in #372 SBAT.md: trivial changes by @hallyn in #389 shim: another attempt to fix load options handling by @chrisccoulson in #379 Add tests for our load options parsing. by @vathpela in #390 arm/aa64: fix the size of .rela* sections by @lcp in #383 mok: fix potential buffer overrun in import_mok_state by @jyong2 in #365 mok: relax the maximum variable size check by @lcp in #369 Don't unhook ExitBootServices when EBS protection is disabled by @sforshee in #378 fallback: find_boot_option() needs to return the index for the boot entry in optnum by @jsetje in #396 httpboot: Ignore case when checking HTTP headers by @frozencemetery in #403 Fallback allocation errors by @vathpela in #402 shim: avoid BOOTx64.EFI in message on other architectures by @xypron in #406 str: remove duplicate parameter check by @xypron in #408 fallback: add compile option FALLBACK_NONINTERACTIVE by @xnox in #359 Test mok mirror by @vathpela in #394 Modify sbat.md to help with readability. by @eshiman in #398 csv: detect end of csv file correctly by @xypron in #404 Specify that the .sbat section is ASCII not UTF-8 by @daxtens in #413 tests: add "include-fixed" GCC directory to include directories by @diabonas in #415 pe: simplify generate_hash() by @xypron in #411 Don't make shim abort when TPM log event fails (RHBZ #2002265) by @rmetrich in #414 Fallback to default loader if parsed one does not exist by @julian-klode in #393 fallback: Fix for BootOrder crash when index returned by find_boot_option() is not in current BootOrder list by @rmetrich in #422 Better console checks by @vathpela in #416 docs: update SBAT UEFI variable name by @nicholasbishop in #421 Don't parse load options if invoked from removable media path by @julian-klode in #399 fallback: fix fallback not passing arguments of the first boot option by @martinezjavier in #433 shim: Don't stop forever at "Secure Boot not enabled" notification by @rmetrich in #438 Shim 15.5 coverity by @vathpela in #439 Allocate mokvar table in runtime memory. by @vathpela in #447 Remove post-process-pe on 'make clean' by @vathpela in #448 pe: missing perror argument by @xypron in #443 - 15.6-rc1 release note https://github.com/rhboot/shim/releases MokManager: removed Locate graphic output protocol fail error message by @joeyli in #441 shim: implement SBAT verification for the shim_lock protocol by @chrisccoulson in #456 post-process-pe: Fix a missing return code check by @vathpela in #462 Update github actions matrix to be more useful by @frozencemetery in #469 Add f36 and centos9 CI builds by @vathpela in #470 post-process-pe: Fix format string warnings on 32-bit platforms by @steve-mcintyre in #464 tests: also look for system headers in multi-arch directories by @steve-mcintyre in #466 tests: fix gcc warnings by @akodanev in #463 Allow MokListTrusted to be enabled by default by @esnowberg in #455 Add code of conduct by @frozencemetery in #427 Re-add ARM AArch64 support by @vathpela in #468 Use ASCII as fallback if Unicode Box Drawing characters fail by @vathpela in #428 make: don't treat cert.S specially by @vathpela in #475 shim: use SHIM_DEVEL_VERBOSE when built in devel mode by @vathpela in #474 Break out of the inner sbat loop if we find the entry. by @vathpela in #476 Support loading additional certificates by @esnowberg in #446 Add support for NX (W^X) mitigations. by @vathpela in #459 Misc fixups from scan-build. by @vathpela in #477 Fix preserve_sbat_uefi_variable() logic by @jsetje in #478 - 15.6 release note https://github.com/rhboot/shim/releases MokManager: removed Locate graphic output protocol fail error message by @joeyli in #441 shim: implement SBAT verification for the shim_lock protocol by @chrisccoulson in #456 post-process-pe: Fix a missing return code check by @vathpela in #462 Update github actions matrix to be more useful by @frozencemetery in #469 Add f36 and centos9 CI builds by @vathpela in #470 post-process-pe: Fix format string warnings on 32-bit platforms by @steve-mcintyre in #464 tests: also look for system headers in multi-arch directories by @steve-mcintyre in #466 tests: fix gcc warnings by @akodanev in #463 Allow MokListTrusted to be enabled by default by @esnowberg in #455 Add code of conduct by @frozencemetery in #427 Re-add ARM AArch64 support by @vathpela in #468 Use ASCII as fallback if Unicode Box Drawing characters fail by @vathpela in #428 make: don't treat cert.S specially by @vathpela in #475 shim: use SHIM_DEVEL_VERBOSE when built in devel mode by @vathpela in #474 Break out of the inner sbat loop if we find the entry. by @vathpela in #476 Support loading additional certificates by @esnowberg in #446 Add support for NX (W^X) mitigations. by @vathpela in #459 Misc fixups from scan-build. by @vathpela in #477 Fix preserve_sbat_uefi_variable() logic by @jsetje in #478 SBAT Policy latest should be a one-shot by @jsetje in #481 pe: Fix a buffer overflow when SizeOfRawData > VirtualSize by @chriscoulson pe: Perform image verification earlier when loading grub by @chriscoulson Update advertised sbat generation number for shim by @jsetje Update SBAT generation requirements for 05/24/22 by @jsetje Also avoid CVE-2022-28737 in verify_image() by @vathpela - Drop upstreamed patch: - shim-bsc1184454-allocate-mok-config-table-BS.patch - Allocate MOK config table as BootServicesData to avoid the error message from linux kernel - 4068fd42c8 15.5-rc1~70 - shim-bsc1185441-fix-handling-of-ignore_db-and-user_insecure_mode.patch - Handle ignore_db and user_insecure_mode correctly - 822d07ad4f07 15.5-rc1~73 - shim-bsc1185621-relax-max-var-sz-check.patch - Relax the maximum variable size check for u-boot - 3f327f546c219634b2 15.5-rc1~49 - shim-bsc1185261-relax-import_mok_state-check.patch - Relax the check for import_mok_state() when Secure Boot is off - 9f973e4e95b113 15.5-rc1~67 - shim-bsc1185232-relax-loadoptions-length-check.patch - Relax the check for the LoadOptions length - ada7ff69bd8a95 15.5-rc1~52 - shim-fix-aa64-relsz.patch - Fix the size of rela* sections for AArch64 - 34e3ef205c5d65 15.5-rc1~51 - shim-bsc1187260-fix-efi-1.10-machines.patch - Don't call QueryVariableInfo() on EFI 1.10 machines - 493bd940e5 15.5-rc1~69 - shim-bsc1185232-fix-config-table-copying.patch - Avoid buffer overflow when copying the MOK config table - 7501b6bb44 15.5-rc1~50 - shim-bsc1187696-avoid-deleting-rt-variables.patch - Avoid deleting the mirrored RT variables - b1fead0f7c9 15.5-rc1~37 - Add "rm -f *.o" after building MokManager/fallback in shim.spec to make sure all object files gets rebuilt - reference: https://github.com/rhboot/shim/pull/461 - The following fix-CVE-2022-28737-v6 patches against bsc#1198458 are included in shim-15.6.tar.bz2 - shim-bsc1198458-pe-Fix-a-buffer-overflow-when-SizeOfRawData-VirtualS.patch pe: Fix a buffer overflow when SizeOfRawData VirtualSize - shim-bsc1198458-pe-Perform-image-verification-earlier-when-loading-g.patch pe: Perform image verification earlier when loading grub - shim-bsc1198458-Update-advertised-sbat-generation-number-for-shim.patch Update advertised sbat generation number for shim - shim-bsc1198458-Update-SBAT-generation-requirements-for-05-24-22.patch Update SBAT generation requirements for 05/24/22 - shim-bsc1198458-Also-avoid-CVE-2022-28737-in-verify_image.patch Also avoid CVE-2022-28737 in verify_image() - 0006-shim-15.6-rc2.patch - 0007-sbat-add-the-parsed-SBAT-variable-entries-to-the-deb.patch sbat: add the parsed SBAT variable entries to the debug log - 0008-bump-version-to-shim-15.6.patch - Add mokutil command to post script for setting sbat policy to latest mode when the SbatPolicy-605dab50-e046-4300-abb6-3dd810dd8b23 is not created. (bsc#1198458) - Add shim-bsc1198101-opensuse-cert-prompt.patch back to openSUSE shim to show the prompt to ask whether the user trusts openSUSE certificate or not (bsc#1198101) - Updated vendor dbx binary and script (bsc#1198458) - Updated dbx-cert.tar.xz and vendor-dbx-sles.bin for adding SLES-UEFI-SIGN-Certificate-2021-05.crt to vendor dbx list. - Updated dbx-cert.tar.xz and vendor-dbx-opensuse.bin for adding openSUSE-UEFI-SIGN-Certificate-2021-05.crt to vendor dbx list. - Updated vendor-dbx.bin for adding SLES-UEFI-SIGN-Certificate-2021-05.crt and openSUSE-UEFI-SIGN-Certificate-2021-05.crt for testing environment. - Updated generate-vendor-dbx.sh script for generating a vendor-dbx.bin file which includes all .der for testing environment.- use common SBAT values (boo#1193282)- Update the SLE signatures (sync shim.changes from SLE)- Add shim-bsc1187696-avoid-deleting-rt-variables.patch to avoid deleting the mirrored RT variables (bsc#1187696)(sync shim.changes from SLE) - Split the keys in vendor-dbx.bin to vendor-dbx-sles and vendor-dbx-opensuse for shim-sles and shim-opensuse to reduce the size of MokListXRT (bsc#1185261) + Also update generate-vendor-dbx.sh in dbx-cert.tar.xz - Add shim-bsc1185441-fix-handling-of-ignore_db-and-user_insecure_mode.patch to handle ignore_db and user_insecure_mode correctly (bsc#1185441, bsc#1187071) - Add shim-bsc1185621-relax-max-var-sz-check.patch to relax the maximum variable size check for u-boot (bsc#1185621) + Also drop AArch64 suse-signed shim since we merged this patch - Add shim-bsc1185261-relax-import_mok_state-check.patch to relax the check for import_mok_state() when Secure Boot is off. (bsc#1185261) - Add shim-bsc1185232-relax-loadoptions-length-check.patch to ignore the odd LoadOptions length (bsc#1185232) - shim-install: reset def_shim_efi to "shim.efi" if the given file doesn't exist - Add shim-fix-aa64-relsz.patch to fix the size of rela sections for AArch64 Fix: https://github.com/rhboot/shim/issues/371 - Add shim-disable-export-vendor-dbx.patch to disable exporting vendor-dbx to MokListXRT since writing a large RT variable could crash some machines (bsc#1185261) - Add shim-bsc1187260-fix-efi-1.10-machines.patch to avoid the potential crash when calling QueryVariableInfo in EFI 1.10 machines (bsc#1187260) - Add shim-bsc1185232-fix-config-table-copying.patch to avoid buffer overflow when copying data to the MOK config table (bsc#1185232)- Add shim-bsc1185232-fix-config-table-copying.patch to avoid buffer overflow when copying data to the MOK config table (bsc#1185232)- Add shim-disable-export-vendor-dbx.patch to disable exporting vendor-dbx to MokListXRT since writing a large RT variable could crash some machines (bsc#1185261) - Add shim-bsc1187260-fix-efi-1.10-machines.patch to avoid the potential crash when calling QueryVariableInfo in EFI 1.10 machines (bsc#1187260)- Add shim-fix-aa64-relsz.patch to fix the size of rela sections for AArch64 Fix: https://github.com/rhboot/shim/issues/371- Add shim-bsc1185232-relax-loadoptions-length-check.patch to ignore the odd LoadOptions length (bsc#1185232)- shim-install: reset def_shim_efi to "shim.efi" if the given file doesn't exist- shim-install: instead of assuming "removable" for Azure, remove fallback.efi from \EFI\Boot and copy grub.efi/cfg to \EFI\Boot to make \EFI\Boot bootable and keep the boot option created by efibootmgr (bsc#1185464, bsc#1185961)- Add shim-bsc1185261-relax-import_mok_state-check.patch to relax the check for import_mok_state() when Secure Boot is off. (bsc#1185261)- shim-install: always assume "removable" for Azure to avoid the endless reset loop (bsc#1185464)- Include suse-signed shim for AArch64 (bsc#1185621) (sync shim.changes from SLE)- Add shim-bsc1185621-relax-max-var-sz-check.patch to relax the maximum variable size check for u-boot (bsc#1185621)- Add shim-bsc1185441-fix-handling-of-ignore_db-and-user_insecure_mode.patch to handle ignore_db and user_insecure_mode correctly (bsc#1185441, bsc#1187071)- Split the keys in vendor-dbx.bin to vendor-dbx-sles and vendor-dbx-opensuse for shim-sles and shim-opensuse to reduce the size of MokListXRT (bsc#1185261) + Also update generate-vendor-dbx.sh in dbx-cert.tar.xz- Enable the AArch64 signature check for SLE (sync shim.changes from SLE)- Update the SLE signatures (sync shim.changes from SLE)- Add shim-bsc1184454-allocate-mok-config-table-BS.patch to avoid the error message during linux system boot (bsc#1184454)- Add remove_build_id.patch to prevent the build id being added to the binary. That can cause issues with the signature- Update to 15.4 (bsc#1182057) + Rename the SBAT variable and fix the self-check of SBAT + sbat: add more dprint() + arm/aa64: Swizzle some sections to make old sbsign happier + arm/aa64 targets: put .rel* and .dyn* in .rodata - Drop upstreamed patch: + shim-bsc1182057-sbat-variable-enhancement.patch- Add shim-bsc1182057-sbat-variable-enhancement.patch to change the SBAT variable name and enhance the handling of SBAT (bsc#1182057)- Update to 15.3 for SBAT support (bsc#1182057) + Drop gnu-efi from BuildRequires since upstream pull it into the tar ball. - Generate vender-specific SBAT metadata + Add dos2unix to BuildRequires since Makefile requires it for vendor SBAT - Update dbx-cert.tar.xz and vendor-dbx.bin to block the following sign keys: + SLES-UEFI-SIGN-Certificate-2020-07.crt + openSUSE-UEFI-SIGN-Certificate-2020-07.crt - Refresh patches + shim-arch-independent-names.patch + shim-change-debug-file-path.patch + shim-bsc1177315-verify-eku-codesign.patch - Unified with shim-bsc1177315-fix-buffer-use-after-free.patch - Drop upstreamed fixes + shim-correct-license-in-headers.patch + shim-always-mirror-mok-variables.patch + shim-bsc1175509-more-tpm-fixes.patch + shim-bsc1173411-only-check-efi-var-on-sb.patch + shim-fix-verify-eku.patch + gcc9-fix-warnings.patch + shim-fix-gnu-efi-3.0.11.patch + shim-bsc1177404-fix-a-use-of-strlen.patch + shim-do-not-write-string-literals.patch + shim-VLogError-Avoid-Null-pointer-dereferences.patch + shim-bsc1092000-fallback-menu.patch + shim-bsc1175509-tpm2-fixes.patch + shim-bsc1174512-correct-license-in-headers.patch + shim-bsc1182776-fix-crash-at-exit.patch - Drop shim-opensuse-cert-prompt.patch + All newly released openSUSE kernels enable kernel lockdown and signature verification, so there is no need to add the prompt anymore.- Refresh shim-bsc1182776-fix-crash-at-exit.patch to do the cleanup also when Secure Boot is disabled (bsc#1183213, bsc#1182776) - Merged linker-version.pl into timestamp.pl and add the linker version to signature files accordingly- Add shim-bsc1182776-fix-crash-at-exit.patch to fix the potential crash at Exit() (bsc#1182776)- Update the SLE signature - Exclude some patches from x86_64 to avoid breaking the signature - Add shim-correct-license-in-headers.patch back for x86_64 to match the SLE signature - Add linker-version.pl to modify the EFI/PE header to match the SLE signature- Disable the signature attachment for AArch64 temporarily until we get a real one.- Add shim-bsc1177315-verify-eku-codesign.patch to check CodeSign in the signer's EKU (bsc#1177315) - Add shim-bsc1177789-fix-null-pointer-deref-AuthenticodeVerify.patch to fix NULL pointer dereference in AuthenticodeVerify() (bsc#1177789, CVE-2019-14584) - shim-install: Support changing default shim efi binary in /usr/etc/default/shim and /etc/default/shim (bsc#1177315) - Add shim-bsc1177315-fix-buffer-use-after-free.patch to fix buffer use-after-free at the end of the EKU verification (bsc#1177315)- Add shim-bsc1177404-fix-a-use-of-strlen.patch to fix the length of the option data string to launch the program correctly (bsc#1177404) - Add shim-bsc1175509-more-tpm-fixes.patch to fix the file path in the tpm even log (bsc#1175509)- Add shim-VLogError-Avoid-Null-pointer-dereferences.patch to fix VLogError crash in AArch64 (jsc#SLE-15824) - Add shim-fix-verify-eku.patch to fix the potential crash at verify_eku() (jsc#SLE-15824) - Add shim-do-not-write-string-literals.patch to fix the potential crash when accessing the DEFAULT_LOADER string (jsc#SLE-15824)- Enable build on aarch64- shim-install: install MokManager to \EFI\boot to process the pending MOK request (bsc#1175626, bsc#1175656)- Add shim-bsc1175509-tpm2-fixes.patch to fix the TPM2 measurement (bsc#1175509)- Amend the check of %shim_enforce_ms_signature- Updated openSUSE signature- Replace shim-correct-license-in-headers.patch with the upstream commit: shim-bsc1174512-correct-license-in-headers.patch (bsc#1174512)- Update the path to grub-tpm.efi in shim-install (bsc#1174320)- Use vendor-dbx to block old SUSE/openSUSE signkeys (bsc#1168994) + Add dbx-cert.tar.xz which contains the certificates to block and a script, generate-vendor-dbx.sh, to generate vendor-dbx.bin + Add vendor-dbx.bin as the vendor dbx to block unwanted keys - Drop shim-opensuse-signed.efi + We don't need it anymore- Add shim-bsc1173411-only-check-efi-var-on-sb.patch to only check EFI variable copying when Secure Boot is enabled (bsc#1173411)- Use the full path of efibootmgr to avoid errors when invoking shim-install from packagekitd (bsc#1168104)- Use "suse_version" instead of "sle_version" to avoid shim_lib64_share_compat being set in Tumbleweed forever.- Add shim-fix-gnu-efi-3.0.11.patch to fix the build error caused by the upgrade of gnu-efi- shim-install: add check for btrfs is used as root file system to enable relative path lookup for file. (bsc#1153953)- Fix a typo in shim-install (bsc#1145802)- Add gcc9-fix-warnings.patch (bsc#1121268).- Add shim-opensuse-signed.efi, the openSUSE shim-15+git47 binary (bsc#1113225)- Disable AArch64 build (FATE#325971) + AArch64 machines don't use UEFI CA, at least for now.- Updated shim signature: signature-sles.x86_64.asc (bsc#1120026)- Fix conditions for '/usr/share/efi'-move (FATE#326960)- Amend shim.spec to remove $RPM_BUILD_ROOT- Move 'efi'-executables to '/usr/share/efi' (FATE#326960) (preparing the move to 'noarch' for this package)- Update shim-install to handle the partitioned MD devices (bsc#1119762, bsc#1119763)- Update to 15+git47 (bsc#1120026, FATE#325971) + git commit: b3e4d1f7555aabbf5d54de5ea7cd7e839e7bd83d - Retire the old openSUSE 4096 bit certificate + Those programs are already out of maintenance. - Add shim-always-mirror-mok-variables.patch to mirror MOK variables correctly - Add shim-correct-license-in-headers.patch to correct the license declaration - Refresh patches: + shim-arch-independent-names.patch + shim-change-debug-file-path.patch + shim-bsc1092000-fallback-menu.patch + shim-opensuse-cert-prompt.patch - Drop upstreamed patches: + shim-bsc1088585-handle-mok-allocations-better.patch + shim-httpboot-amend-device-path.patch + shim-httpboot-include-console.h.patch + shim-only-os-name.patch + shim-remove-cryptpem.patch- Update shim-install to specify the target for grub2-install and change the boot efi file name according to the architecture (bsc#1118363, FATE#325971)- Enable AArch64 build (FATE#325971) + Also add the aarch64 signature files and rename the x86_64 signature files- Add shim-bsc1092000-fallback-menu.patch to show a menu before system reset ((bsc#1092000))- Add shim-bsc1088585-handle-mok-allocations-better.patch to avoid double-freeing after enrolling a key from the disk (bsc#1088585) + Also refresh shim-opensuse-cert-prompt.patch due to the change in MokManager.c- Install the certificates with a shim suffix to avoid conflicting with other packages (bsc#1087847)- Add the missing leading backlash to the DEFAULT_LOADER (bsc#1086589)- Add shim-httpboot-amend-device-path.patch to amend the device path matching rule for httpboot (bsc#1065370)- Update to 14 (bsc#1054712) - Adjust make commands in spec - Drop upstreamed fixes + shim-add-fallback-verbose-print.patch + shim-back-to-openssl-1.0.2e.patch + shim-fallback-workaround-masked-ami-variables.patch + shim-fix-fallback-double-free.patch + shim-fix-httpboot-crash.patch + shim-fix-openssl-flags.patch + shim-more-tpm-measurement.patch - Add shim-httpboot-include-console.h.patch to include console.h in httpboot.c to avoid build failure - Add shim-remove-cryptpem.patch to replace functions in CryptPem.c with the null function - Update SUSE/openSUSE specific patches + shim-only-os-name.patch + shim-arch-independent-names.patch + shim-change-debug-file-path.patch + shim-opensuse-cert-prompt.patch- Fix debuginfo + debugsource subpackage generation for RPM 4.14 - Set the RPM groups correctly for debug{info,source} subpackages - Drop deprecated and out of date Authors information in description- Add shim-back-to-openssl-1.0.2e.patch to avoid rejecting some legit certificates (bsc#1054712) - Add the stderr mask back while compiling MokManager.efi since the warnings in Cryptlib is back after reverting the openssl commits.- Add shim-add-fallback-verbose-print.patch to print the debug messages in fallback.efi dynamically - Refresh shim-fallback-workaround-masked-ami-variables.patch - Add shim-more-tpm-measurement.patch to measure more components and support TPM better- Add upstream fixes + shim-fix-httpboot-crash.patch + shim-fix-openssl-flags.patch + shim-fix-fallback-double-free.patch + shim-fallback-workaround-masked-ami-variables.patch - Remove the stderr mask while compiling MokManager.efi since the warnings in Cryptlib were fixed.- Add shim-arch-independent-names.patch to use the Arch-independent names. (bsc#1054712) - Refresh shim-change-debug-file-path.patch - Disable shim-opensuse-cert-prompt.patch automatically in SLE - Diable AArch64 until we have a real user and aarch64 signature- Make build reproducible by avoiding race between find and cp- Update to 12 - Rename the result EFI images due to the upstream name change + shimx64 -> shim + mmx64 -> MokManager + fbx64 -> fallback - Refresh patches: + shim-only-os-name.patch + shim-change-debug-file-path.patch + shim-opensuse-cert-prompt.patch - Drop upstreamed patches: + shim-httpboot-support.patch + shim-bsc973496-mokmanager-no-append-write.patch + shim-bsc991885-fix-sig-length.patch + shim-update-openssl-1.0.2g.patch + shim-update-openssl-1.0.2h.patch- Add the build flag to enable HTTPBoot- shim-install: add option --suse-enable-tpm (fate#315831)- Support %posttrans with marcos provided by update-bootloader-rpm-macros package (bsc#997317)- Add SIGNATURE_UPDATE.txt to state the steps to update signature-*.asc - Update the comment of strip_signature.sh- shim-install : * add option --no-nvram (bsc#999818) * improve removable media and fallback mode handling- shim-install : fix regression of password prompt (bsc#993764)- Add shim-bsc991885-fix-sig-length.patch to fix the signature length passed to Authenticode (bsc#991885)- Update shim-bsc973496-mokmanager-no-append-write.patch to try append write first- Add shim-update-openssl-1.0.2h.patch to update openssl to 1.0.2h - Bump the requirement of gnu-efi due to the HTTPBoot support- Add shim-httpboot-support.patch to support HTTPBoot - Add shim-update-openssl-1.0.2g.patch to update openssl to 1.0.2g and Cryptlib to 5e2318dd37a51948aaf845c7d920b11f47cdcfe6 - Drop patches since they are merged into shim-update-openssl-1.0.2g.patch + shim-update-openssl-1.0.2d.patch + shim-gcc5.patch + shim-bsc950569-fix-cryptlib-va-functions.patch + shim-fix-aarch64.patch - Refresh shim-change-debug-file-path.patch - Add shim-bsc973496-mokmanager-no-append-write.patch to work around the firmware that doesn't support APPEND_WRITE (bsc973496) - shim-install : remove '\n' from the help message (bsc#991188) - shim-install : print a message if there is no valid EFI partition (bsc#991187)- shim-install : support simple MD RAID1 target devices (FATE#314829)- Add shim-fix-aarch64.patch to fix compilation on AArch64 (bsc#978438)- shim-install : fix typing ESC can escape to parent config which is in command mode and cannot return back (bsc#966701) - shim-install : fix no which command for JeOS (bsc#968264)- acquired updated signature from Microsoft- Add shim-bsc950569-fix-cryptlib-va-functions.patch to fix the definition of va functions to avoid the potential crash (bsc#950569) - Update shim-opensuse-cert-prompt.patch to avoid setting NULL to MokListRT (bsc#950801) - Drop shim-fix-mokmanager-sections.patch as we are using the newer binutils now - Refresh shim-change-debug-file-path.patch- acquired updated signature from Microsoft- shim-install : set default GRUB_DISTRIBUTOR from /etc/os-release if it is empty or not set by user (bsc#942519)- Add shim-update-openssl-1.0.2d.patch to update openssl to 1.0.2d - Refresh shim-gcc5.patch and add it back since we really need it - Add shim-change-debug-file-path.patch to change the debug file path in shim.efi + also add the debuginfo and debugsource subpackages - Drop shim-fix-gnu-efi-30w.patch which is not necessary anymore- Update to 0.9 - Refresh patches + shim-fix-gnu-efi-30w.patch + shim-fix-mokmanager-sections.patch + shim-opensuse-cert-prompt.patch - Drop upstreamed patches + shim-bsc920515-fix-fallback-buffer-length.patch + shim-mokx-support.patch + shim-update-cryptlib.patch - Drop shim-bsc919675-uninstall-shim-protocols.patch since upstream fixed the bug in another way. - Drop shim-gcc5.patch which was fixed in another way- Fix tags in the spec file- Add shim-update-cryptlib.patch to update Cryptlib to r16559 and openssl to 0.9.8zf - Add shim-bsc919675-uninstall-shim-protocols.patch to uninstall the shim protocols at Exit (bsc#919675) - Add shim-bsc920515-fix-fallback-buffer-length.patch to adjust the buffer size for the boot options (bsc#920515) - Refresh shim-opensuse-cert-prompt.patch- shim-gcc5.patch: shim needs -std=gnu89 to build with GCC5- shim-install : fix cryptodisk installation (boo#917427)- Add shim-fix-mokmanager-sections.patch to fix the objcopy parameters for the EFI files- Update to 0.8 - Add shim-fix-gnu-efi-30w.patch to adapt the change in gnu-efi-3.0w - Merge shim-signed-unsigned-compares.patch, shim-mokmanager-support-sha-family.patch and shim-bnc863205-mokmanager-fix-hash-delete.patch into shim-mokx-support.patch - Refresh shim-opensuse-cert-prompt.patch - Drop upstreamed patches: shim-update-openssl-0.9.8zb.patch, bug-889332_shim-overflow.patch, and bug-889332_shim-mok-oob.patch - Enable aarch64- Fixed buffer overflow and OOB access in shim trusted code path (bnc#889332, CVE-2014-3675, CVE-2014-3676, CVE-2014-3677) * added bug-889332_shim-mok-oob.patch, bug-889332_shim-overflow.patch - Added new certificate by Microsoft/bin/sh 15.8-150300.4.20.215.8-150300.4.20.2 ueficertsBCA4E38E-shim.crtefiMokManager.efifallback.efishim-sles.efishim.efishim-installshimCOPYRIGHTefix86_64MokManager.efifallback.efishim-sles.dershim-sles.efishim.efi/etc//etc/uefi//etc/uefi/certs//usr/lib64//usr/lib64/efi//usr/sbin//usr/share/doc/packages//usr/share/doc/packages/shim//usr/share//usr/share/efi//usr/share/efi/x86_64/-fmessage-length=0 -grecord-gcc-switches -O2 -Wall -D_FORTIFY_SOURCE=2 -fstack-protector-strong -funwind-tables -fasynchronous-unwind-tables -fstack-clash-protection -gobs://build.suse.de/SUSE:Maintenance:32617/SUSE_SLE-15-SP3_Update/10512b51de6e9b9964e2848322fbcfdb-shim.SUSE_SLE-15-SP3_Updatedrpmxz5x86_64-suse-linuxdirectoryBourne-Again shell script, ASCII text executableASCII textR if test -f /run/update-bootloader/reinit; then rm -f /run/update-bootloader/{reinit,refresh} /sbin/update-bootloader --reinit || : elif test -f /run/update-bootloader/refresh; then rm -f /run/update-bootloader/refresh /sbin/update-bootloader --refresh || : fi/bin/shutf-8f9719e6724b515679af17e8048ba41133b2b9e45c578a92a8af73d14845a2851?7zXZ !t/]"k%jz<^x5kh!cPtd bSet* 裉 c٬Nb-hR=d6Ó:^>Dڱl> ֡A֊ +6#Yz7lŧJ e)"mRr]'J~a(˪Gayh}iǩ*6KQCO%iȖALldweupiamN ~D}v{5aXJ#^ӝ:5u&4d/H"Zi@"4b6h4e?F6NUMa?D4Q)'L g8OZM^񕚑8/,faegM_6>.@muAZqt$]bH)xV8%;_rBPVfxDCYk3;;2͗>`キ-8LJ<9 \0Jӓ$1ѐ.PWP<<5ZSLQӂf5 $Hٱ@>O 14٨ÆWi2C2f׶;b7onY%R KWYa>Va qڨ}Og2An0hվf #m lao\ jc\^suIQK;w G(o)}%q5lm~JG415WNyQw8LSֺ]Gr\:؞y남o}C"pV C2~V!+X83r{o{vaʲ+kU_N*m͈P eJ _"]ynUy`C<ԅucDe7#C"NRE U޺ Pˢf{,_b!msn!5yՅy/ƈw:cNulX_92f OQ5K+?}fr҈I3߉L:̠O #CVXZ7/%^Y <{r-=4qxj$m^f0Z h :bGXwE*;[P(%{B> b|/4܇Eƒd ,rRK:J%qN[o&Є!saiiKh49꾠T]A?{M(G+ %%c[Fϣ@ۂhH֗#4{.NLuvv~?ܺ(  F$MD)p3h?Ŏu㮲T(deß'[}@n;S=.d8Gi&Ӑ6#;A!k%!wʜ$qeHP*a15TF' )\㜨A|0(SG~DC2ʚMpA`ܸ̬>&+n=^OE=a&̱YKgߋf@+wh]Y;@,ͮpJ'XmzI|Bͺ^^3/A3=ao7ܳibU25, PA)(RJsg-*Rm_WLeZ!2қY?Md"g[H'1 (ߵ@5v }7.uhվ~(yiΙ.B[ *8bm7v֊߬\j7( `0QB{@I/Kۥ[FG0|ჂWsTO/9gkGSl1nd 5YffZݡU.;̠H-t׍na=6žҚK/wÀI8` jw}DDE\G'G[?¶]a፱]3;*WmY#gKi؆7[t塉gDyI- fOL H|ě: TrLXXe .9.$p &Ԛ^LXAv?ki+U] Py+#O^hw*7)ֲFC3g)6IBmi{PAu>'ed ߟXx\ ` ɦ@FPERXH*sT0U\ (8ˀߠR _;6Z:X1nuWn[[D)F2kMF-e] L# 3rXSF*%vk[dAL 5|y~YP+_vg$ /aQ ;^(,~ybPfkGLKgN܇#ݹeF%tU;墸 ը\nKƯbu%nrЧKfyD3L"=*|{7DVB`Ezyp(|ܿlX[WwhX/>..]{~{Fd@iޢ %YQl?sl'8`B}NȖLE4qSގXfrl_ZMZ"V=x&91t{5ZA ꐚЬ[p 򤷢Ιa.>f %^ 5^_޹ '*=@xr\_R '5x{~T/4^akhɨ t7$xRi3X-_IhgkBdSl *A V0:$RNݕJ@$Ksqӣ&4 +ܣ>r^ZK>jZc@w`FL`u 2|+-f8Ԅ*UatrJF?&\ r#>>#&$5< B 矱aB]$^3 R#;3 }a]<@5HBe|[ 12lD mZ !j6 gʬUC:"l4&\xDD!w9ꯣ]SBim5cS'%Xg; z$Ea0(iXo}D> )fR( @ KU;3:˻_`ިQgz7qmZ S1JmWGTZz>f*}}fE^x*_-W؀7؂.9My&eT!IJ4 a3S[bp.[W$P61*'r*$7<&$\nĐT թ~㱶yv+RC)z&o i)nmPH`#ԩnΥ)rK79 A%Z?'DJ^I@Pat|$T * +Q#F(Kݘu+o4g0{]LVUKYI;Ed  wIdpKdhG|wsCC<Ob4 8f;Ȭ0{2<ӏK{M͋.)&g!4d]uҼd*6H=KY~4v_=rqP`seL3t99b)uYd+p5(E]6-(p!Q|W߾_fP?lAL=,G׫u̐ȓUc'%b<<cr%u>Q~3<ϳfHЍ2q;MvK{{('B%=-_Cc!A[`m^Hc}~ 4s[X!TTI4N'rN ݽ<nG-li^r^s: ?d⢹(4(rJhH![~=UasGIPY%cն >d:Yڍ5:TKۍ,6sOZ!ZaA-F[nZ"iU?N/ߡ^ˏ[[hXn6i|g{ź551Fӻx ZD{ XZ \ZZ*mIsu%6_3IU&t%V\AbFݎDdń|MpvrmFHtCxyˌ Sk(3Sr‰Ew b^AI趚o}M QbMM fdh 4€j->EQYBzC~W@qXvb7bj*!NLe,j}fѡ2Eqq`Rʹs7(tӮ3]]ӜQ g+?ڶ2 ;JܪIڎ(sH\Qb0?]*je[gQ$cj; -wn.*}ڞ(ɽ~^Y)H5Wb6ȳj{mptcN@r.Nݧdu&7h u^w vm7&bÞ2_ěF@r*85b''dX>5l`kz|(1^#0tm5P´mzf-UJYIɃW&g$,/?!rPƆmjrLe$,m6 !&_ b9tetѰȠlw7(<E;X"9%w&tnJsAIʂSya`G.Q4ZQӏ[V}^ [脏y+/ M1µeX2gi>V&49JD̽lꙃ3Er` XF \3ٍ?fNNÍ&i-&g %xK%8ZTCԞ^ݻkn ޥ'>*O y0 dvn oN=֊43wu RϻWIrLyLۻvЉ`"QoYQ?޽5?1!gXzlC/.ƮVȍ99ˑ5v8iLٸε:yOK?9m'm▥B!fժrb@ :~R”>~6n?oi#*ZH{` YEΣfcK%܈yK hٺ,5Qj,Bo܈l޳49K6"5 Hݽ=s6ZaY%,0[@x9t!ʩ ݢkWZFc\/P u'NvuG"tT&F Nt&%_%F?Fk\ːi{3G:۵yo˩:ftpNSbEtĪH5)B ZbWjl$y@ ,'nf<傚!m]PKôNmQ7T_l4ߑo8*2I\&4]Pj1`@TܡKWΛ,[>,8||R}$`%+W UxPF1hH@+]M70-ӑUm4R +~ZjhnGoKTa`:?W){ nBw:%VeEPx#ES@n34ڍtWfUr44_"!W'W3rs(tCm f{GT6r^#+;)v5q䯁_Sq?$-Ap!KU0Θy:uBUEviL#ؾꗽw j4@f19`Cpq>=mi?gR[dr&{oZ*xq0s^i' yGy{1}I*L26{U ?jD7 ԗup / >y0v> zF'R1r"(KKcB\1'U.;\SvB{uӺj +(6ǒv2nqDʍE=9+F|TJ9/K096ˇ󣎊LY3{>UA<SHS0^uHtٳn |ʄ/8t$:2|iBB"j*ŧwJFAx+_`CGuπ=yQ@sk1h|zI4A6d@gF]jbӠ *vs')X^3z2:!՛B(9NE x7oƕqb " ]M6$:%,pba]MLjTI޾E,w,70gE?{ҡ|5Ydy_ H(!ƱjQ3ȋ}>`4OQzm-G3|Mf0X1x$߅Wiܮ-|@8V1BHGNr)t VxFY^XKVdѐl 3ILV6W}8!fa[q3r CFu*B,ˎ-`8"ukϚF5^M")IBȝR'Tlz _Ѷ#*ž,j"V61m7`҃TT_)Q -JAv*H!n\*b.4?}[htUo!@._L~'uNBEHY^z.Jı;:-A? S8ʩZ__#;aZO62 ]Ǵ滼y*s͔쿦Hj$ .`A y@N&1:nzOY,io@h{}@ë5愈K10ez ͅO}I W|xABZc# lMm6A"6w`_CYM#B,_MH4w[O c'T7sRAu Y+mTԈs"PFd_Bt5!W6 >Q{m.YU-z}vv@l-!6PbLBc~Na"2xX?UG ` "XJkz'3vI2̘?,tmE@ۘv}qTil "bM䒱§Ī_S6Dr57yaikvcʌO|X.^(UAgyNeX~"})IдtZ8PڭBWD6~픶?p&E]y0Z{4=cWݺd648w s`VWt37jY:W -"b81ԉuP<5%eO~K~+IS%R?Wކ~p$p ~'0GF즹TcpocC4f^uSi&$B`C"=kpWFe+ ^O/xfQ-ݥXk͔m{nN40N5PS`ҸKZ̢ɛbtLM\qY3(GaF}^ ⺜?[Ԝ?o ֦ҁt [6ehsx\5\FCK[Pǀ$LwZpbJr OcVLFVie^8a|Ma=k`ٸiݼݎ`A3R3 EA -7@s ;WE'_ E3(REP-#8,_bńr\zΑI a|fJ͏\n2ug^Mkf(ț/Q|{V*Nq;_u *|\'V֡A'/Fk d|Ǚ Kz$?!^8 &h7M6/!䪟5Lq5@I U#WcH~JBX6_BZVAzNfkHk(f?eRԝ:$J--_18[Z% -_c!1/Xшm$TUB`:AqPꓣ`܈,JȐ~5.A ;7Z'Y} N4C2!I)X o[#$Y gn3)#UVX3d3gb3^kAd8V/A 47D z0uH{hhAVPzxVQu%}v`P@* r[q0;o{i펝pKИ50.A'5h`&J_!pH-Rzc eZC `90uĺT3 y#|?j.|g\]PKy>TZ!6W$#=HVt^WGe=;ǃ`6g4*HZx޸ilU3yBxzmoC=#G6 )'˱1~qʰ7/ԛ6*@td} 9nT!rj". fh (e:G!'F6(Bۛ0)f)lIIJDIRUHk(ECIg/ `R5FhOFRe83}W$ $Dp U^'%8Qp ΒuAkV nbv;8,d@PЛ pץEJFZE_U4% {8BbU+³cIm\wb1N1Q#aIRb21GxJ@)[lXҀ>Z9&XsL7 UH=Wёf0%{Ðε m1ZW`,%C筙4й"K:x3A0cd9$K%.,7H)qDuϊ9߬A_ h׸(4{^#FuLpq 7)K+Ai{]PԘVEg s%P{1>xzm'ꋒօLgzaxC.]^ZMqE[k}VƸq0]ux CךD!f * IټdqNmBL6!6{&~i(8UwHvdz1\,;TWn+*b &X-m~Zo.3T:QݝfwlœgW]7(ifփYbKcL2;F9=t3eFV} Bn}1gVM>4slQJ9o.(;AiZZl1bf7򻸚KdޑZG*Oik|ZdT:ݪ-v$7X( (u1 C-l[)uO΍\I[^{gn!r uBD-dͧ)X 8[_@({ǂ(,R>מ;.\䮗 #^d]H)ySлg 8xpbf%՚1J=!fa3̺\;l1yL%0eLʷRxp*,> os",:FJLRoVJi~püWȳQ|W?$Kқ}dO3(G. N4:x+yfTų[2ߊ'B?`r\1%gN}0|}_bӔL@\FFϵ:XaBRrԻBoW^كh?eF7g(c$$ry9YWhT&qӁ·cT+aϫ8>K{|$KU v򣉃0fɏ,bsO&[4) ^|?.(rJiE SlaOȞa$7`>T%Y&vQ븇;sY{.3.M`:bP10}7[e8"*Bڨ"fv>ʅǨyۤspE+L |@i7fW-E#'>Ao2, T9)~. d ?m[Vqn LHTx h+5{>NW4iO^x@Uzc۸aכ1 1PE5zXUhe%t|^z%bxRl_&ݿq\^@VJw8||~]k5j$W?w:8ӱ5[4vqTPQN#yNBZ^hJG5 t *9qC$C+{gse;/]#h0iu`pF)w_H&W<'n[1. `U׵R=4yi* \"镝ÒW@jwq+3GIEmJ/t^]y̥9T:SEF֥̫h "ꯦC :౔^|_9RfDL) R35-b0ȹhQD̓u.O@ eyL3Bd%=-HʲF[ HQ  7wՃSlX| PO=:: ^tkh ]O/Q#M:d&!$;{婫qK$Vtz;jqin/8=!:t• -ƺ"ƝH|爯z/veZ ~a,rӉL/-z  ?н$% i*XDא8^VӀNI׹;6߇f $<vz3'5vCثd8zb2Wn&@ѕlz8bdi|܋X vwIΓQ>=݄Cد<ӹTPpHP]<&~fd5xyqJgK<;)4DӸ߷4bH5Kr1uV3/ywAuV!WFLD&X*S3u<PJ)!PboI3GJTeyםs䑨]2nx~Ob R='PrzN@J|Q\-\})'0 Qrۇ]|rIel+XYs 2mIs GGg#(sb4s @u(zQaaf/\3^[`}l!^J*a^x0YIO$}ۿɆGC %/6\Z$P`\NфW+Mp|(i"|C_nDO~?Iwen_n"Eq{GӠ1<^c.dR Ey X%2)BkܯYB3yuHe†8$j|x=x)}lQ]oǍջaYP#JOft19>wL9$(Jwj3co9\hߖe!2%瘟0y븖Tt10蹋n~Nְx6< ; dtԾOx9_ k/)ÀԦ-ƭ{U[`=9||ᤶ"- -dVc(Zvpvܱ2+G6speB.{F"w4hc@^pdN@ʥ&z?HAw)<<)P{M8b:d;ES>LUfjTؿ^F^ы  6爥|Y3j}:+TCͧ)c 4}蟕nŸД&.Iŭڈ z򙫦< 10co tBD"̉ F]15d>Xvi;m EN*KAQpwY22 9ΣH7r0Ht2Ç OQ 7h8h4-`?[JFE˴nh TG!IZ!I`+VY /e\,x ǹg(k m$ixegtM -5{ *Md*'9d1Qz,b%sRgߌ$ٷ,j1 ~$ث4UӨ1l1jq)Sc5dHZSpϧtm.3}>x 0 H{sx`Qh%@P&gmޒܼ7G?,v_` cf^>vR7,ȫc%バ6=AѪu|;F9:wl)vq6):c1aש[32(%"[?mhY㳘ڧ6n=ӷTIl`@wTs#H+D|`Ŗ~ @a !9ޓts0ľA7cPsC> iu֜cbUJ6d't;t!53[ J]x(*QEGG4BV>[,qQgk&Vx+sl{IPX/#j,|Q!s Q+{ͤW8l<}=`ŭlZakG*? f7Nm?n뫥\C)%1/t2!Z)T2ss~}U2'KF n(F/m+Uk~B".2;E,aN9'񻤦~eI,fZ07,7hv"e'5ɪa|GS% C3_N%MtW]* pqD1G 3V":p~ ƚP!ۯיghp6K3f"<}UFiq)>Kxx[_ESIUs(Goj`Py3lD0dps+:狟CEIpƮWpJetKĢIaGɂ!pffLq٤۽e <#G2j8]U}Bc)e4axFek.Wbϓo`@)t ګ7ɞ&>Rfd m:"MG dBC7;vm*11TXJlR;m,(-xReV̞ <̓:v^%N*#+fBD5 X&x[nT nTxT7Ȼi[r1K4Qm^'}x"ܹˉl{*in0ݨkt` s[ad.v-%-E)+:~i=/20س[$g3$s0LO>N{vfL[E-⦒[O-_y&8e+%זEncIH[sn*tW b|wlk(5Q%CBIH/,  wO љoHtQn器je4FcɖRP:L8#5RHz YS3s4Qz+*`ɕF͍]4qj ^' (R+q._UhMY,k*1[fyu8vhKDgl+27Dg RaC`_lLtk8 nNn3/`ߠg|%S3g[+.|B2eF(9WkFnH]tVA `@  zQp0| ZL<ýZV ٸ-m\x!;&g#W~IaoG 毐h=u*iR .]kPhާ$!k`v+.zG M$uRG4H94BC59@Hr"p2%4D\\z * (~ v[[WGUc.~:|2)g -Ca,_@06~ ?~hT5`z:4E%aMŅbTsT}:.hـa_fp_~.HO-DRed:W0Hg3(8`G\h& ;)D{l_{\J`KO8 z)3v"Jcc?6GDřrZ^u$V~vI9s:UbjJ25-ݶ[sMpcuhmOSPF)95'1 ) ȏz6Tݴ} >@!V4Q[$:a/6%>tJnCtePjx[rYb웑ȫTxǦ;eoό`țux'k5YɵY"A᪥'>Qse(Ui0HGY6'hhyg-t"l|I\nPJB*.d ڂ>cqp'b䳇(gPH)/h3t NjR-t|_,$ʒ=>0bw6HU#ךNnwc ZHRjԜdU1 @i橯cP"0y2ɠ8Jy ^+{ C2?mA\M۶qQ^211G_Nx"hoE{jrg 5壸F3CM xB4i1mEF!}[˜A%͸fڽa8eiOO!RStTwuO{M]Q7oMUsAB(uX~kgkrM)L n"AH`&vG~xQgm(+jAIiJwV7=c$% >KYd)dWln2R'  7.Rl(V7DԾYCi]G#di_PxEAmu("oi kȔN:JiQ'5oyZZD[BaϚ\Z9=?# ],|>tnT)ld]8UN~ɖI>4flA{^im`aZ}i,#}gQXe߯Tm2J.~F}.s󣀠7ec#M{mTv!O*[M W1A)U![AW>: GoS%DnByS˴^`:!w Ձ+ھ9}q*ڂ[[3h™lɗNu1|A1ZD-++B EFn^ȍua6[cI皞+*̐=-irr6  |<bշwAJf:o|i8W4U+0"'XoY{b|- E Fdd&fظ԰R5uJAy5yG TϪ~&;7%}_ny6  tsvT,QPFPG"v=|eOl4q* AHoIe W)`dhX5T`l{,LzSo0U-."Dl]ڍa 't\w_hg@A,F6vu/{#1__v>T"Ʌ>7Ds4/G;#ޥ1{Ng7LIrzyLbk".luuHNx'#[vIϐFH&s$pz|h~FI c;99C\cF_إ/r:5R?,4Ylog D0oaֳ7)7 _%: /f[ޱGfgW儘 lEUӟw߱4Ȭ/&Dcu20V l %MK%)NEEܬU}Y ZX[8hXY@Z@桟hG]8 cS.ܜ)aJ:ƴK%DT}9c",sp lz*QĢ #AV@uƵj:$3ʤ*ZT'QcWVZ-Ζ<+5  2)*qR{ 郪 P7Wj[y \3;RUME<\g)> f״W9OH$H/E.Нkvy D'Nz w5Z›ŌGq{ wIht _KH*CUTy J=g27ŷEA<>ݟvq͋n};uiG=qJݤj`15QprJ3#,V.+ꑘz~s:8zd֠ܪF il@G<`~4{a}5֞ŷǒ8_Tk(f]v]VkY ^i]9Q1u#Bҝ&X^٦=&)gA)@9br3XD MH8*9Pd8j{MShŶgc(wR eP<~'[6į3̾-P( S :#tI 2 >7?@KO?2h ,-A򞌷%uqO7C!",ӯ%-4"8)w\²&z 51 qme$p|2_Z2ٖ.[ݘǃs76x2E#wI-?"@GԼƎȅ2^ 3z͉Lh[D$}$'DA0;?vjt PQxuJSy3E`G1%jHm_sN?QJr}UpIy:“RvQhpf|(R4#s#77P]'Zb#HeUK1.,-QyѯHoj%?f=Y0zP4_6&)=叉ەօ>G9-MD_eu Բ"f5[u|Bk-5j{5qO,"v(1je 乿+zR8Z;3t}nH "׆nʿ,+1ǭ8*/z11G(eԹ5E@ l&rwQջRiF[\ `_Yզ8r*xwN`EHTym !nslx$bJfI$km8>|WBnlgnA)\.$?p8,6DݼacǘQH۰r -fQyhb+5[tșNGBQ] &j,ֺvGn[ӎ*[&iKQQv]`9u(?3+:3̛!d53'ۥfu8<'Ys})KBs#*& jP00Vv55@ ,8E r|(sAB~RbvĤ}p06Gi><=gfe7&y~''?_.QWxi$j`F:E8p$^妰~u1^, VZ-G.V&mڭrm-ZPЋ"\Jmu3c;@\JnYX@jX~h枵鱳?K짳-3w"#sgd}pءJ"S:+"AXG8N2' M3,jڨ@a%%nÕ@`[n[7Եp10K|s]:@/+ )1nYZ3Po?L@ͭQz@Wplf5V]oLc];Kx -:J }xGB X~z!:St!Wd_} řIu ?yR۔T^SD%\IM>-U?S35Evh"3ׇh{x "@q;ɧGhwM=jb Ļ2+q&b M{ܤu,D-."J{#@JDbeC|1xruTۇGM4F?Z%)ĒMڰW[MͫWuu^"$ZeTaN!}xD;O!΅8 .4Cݴ񲸄ctPoHV|US)l7&NKJ9N#zqÃqPb{!7gcEDer8vO ߪsIsbVٖW}r\yO` 6QQAΊW )WGō<=RE&L3Z-$YHUKo3mۿ^fjk5OҽM $C[}-=!Ca :i֮ ojVG|Z [GaLK:Ld?.9߸. Q2N♇T_Cp ̅09B8ꇈl2٤֚g<_zz48ֶYSI=T闊1QH6&HX+67^,QybcXJA 9 ] U`ηЗ| Aq6MJ&H\9)!565TCUJsj?EhOX`i'*M m~VmѓYE}*1A;-0npb˜X[ԗ4x녞j>n-! dҡ0,MLIУ:ڃqDuܙD9/VTW3eتm&cTAUkhnPMޠD_>QDۦǗS/ N5+Ť+ 7JAOƏSQt<`N, * "\|!?8<(+vٴk _nF#X"9v<ɨ8Ij)#'KIZ`<}ܟ 8 ~&b UzwG**PF1luX;w~qmW+NB6\G 55"X Wyd ByAE3#W|U:.BߟS]0Nv=YH! 'Ĺj,ǽZ$ONRQGHI :kbP!OaWJdDSU aCzr՞Fr>*|kϠ,Eȹ>p +oVyзj1 sG[-g O6x ghjpm)ŦsOd^a u[9Sz:% 7gY*S!rV x3\_ `nJTi&:{ˊryZv Fww L,43iKp(,"uۡ8UV8?ҜipM֫tRBh0fw'6b,D{sIGbM-}oig=)f$'PIwbfctDYQP0qb10ܶVvӸĠpZ7Ϧr?EE9}T 慓1"J!=3umE/UDyVs۔xAhue0V$D7[JG~ETރKc,#!)o W??e:|]ݤrPY\-`ZCsg4i|J3tSBzmyT^ND (՝%۾|;eO>8)aDݍY @dbc\2ѭ^k *4TY+؍ y:Q auj4I~RBo,,bs :iya͆&-F˗Cwsر>'GC}RS]?DtA^O޲^3rf:nA5D@pp?䥝i&I/@c>^=ٛAw5wǬJkǪ 7-9] X3.u:)B4֨c<>.!b? 'Z䜙aT5?|_EVb(i^7.8Zlz v9գ"Oevx0WN{t?*9uC4X?Ѭ4pHl E4.&nm Dx>^Lzp7uWr'~|4ҀMc^g4CI#iqj +ڽ"( N6Q*8DX_$da)IO C,띏Wc]Ď[*jv>#dgPlR*hikb"q1#$ȟbW ş sX!:^pdx}S /1iG9_pqiM߀y ˷ DLzcjܶoed[TSA OJNto5Af|Dlj@óOAЦnٷ.x>gRT r}|*(aM>p*C-0u gF3{2<0u,c) ,MYkR565oc$&gQߨ*'I

Qh`tNqm1hZRhƁ ;>&PǰH>H;pCg9eUXek +>*\4{!`YڎqPƛ, r rS~]f_</`-ys 8ʯ.]lf&[ɘz{w;c^+vL~fyxм`0J$VLo3T0z4^d@XSLzc+y挹=SӮ73ϥeӺ9pkGiOkn 3H1>۰)~ 5;HpWQQsqɢZI&ɈrVhԛY퉃;LoN7Vf(Q!IJި'DKONn璅TR?/oyHT'q ByC)RFs7/p7d젪l[|b5u@}co?|rH^ #ơn`GtiJvCdSrkKZg>J`VOs'sƮ6^:ʑOxkզzp-/B̼ р(ǡ.X:/ 2ՎB_tOTbPUĎ×GKQog*Dh gTz[ aav -4 8sx%PN,Z”@ޯ [QЪ-Iyi]z҄d 8wJŇY !#9L;+>/Vك^wezID &k$ @%jzQD.V0"RI>F+/Prk/cgOS ы}u 2zHE6Y H0Db:׶0wj)j5OP'n]^RNPeSac; >,k^\a0]zOڼ`3+,(`FXv  _qé/ θaF25jXP%/`Z :w iiJhbUeMEC8ʋTWFI~C?[W!&*u>%.8ǜx<&1'V{@}ujtd18τlUX@$yYe ɀ\`/LSreEtSdspo=QfIyR1rwg[Z?r"[#>9>=;tKqangT d^,J)^/(Bk3!8wݢIȦx / ;P0m& ~\D bƲ:ߕn;tb}=.=eJŠ-v Wί4xչSOY{`e%?$1Q8!^f)g(Ͼҕ8X;ւH\ M; !n7Cv $9VMn:! *֌R͙wa8{-eB aİV vOaje\ b_ɚ,~zn8b޼,· U7o(䔱a^Kՙ!,91Z*a%# &tGN0ݓKM@ZV2DH,`LP+rlcNh%37asLIe,oķ<>g8JeaADgYGuHE1X) [@I785{9axtq8DbY% ]j~˲ A0uI0J}l8"fI78S>Uto%'x$u԰/w|xV'Sqm,\A/tWrky!F#) G`QKMTO.b /'8_" ݙ&6ي}+$;[A:z9wy,ҙw5vK̬D [†2FY Il:wU@0rV}Q4y:?ˡp`Gˆna|9UT(D>)Xi}{[yKߺ595*6e F8&~m}ڙ,N1 Ӑ)#pmM*wpשv)1:ʪo\&0yW>Z hݪwk@9s_nv7uv#ZT944V tڰ*3 8 Ѹ42ɴᅩmX&U=X?ao-+`qՅ2.V<"쏗%Uʌ 7<򚴐k˜ \ɗ=fe>zLAEva~%G#FB2vfg+>nLߵȷwJ!GS u>$g?kbEX9ZkwH@֝!xW G\ :;4[ܹ dԋ7ylՍkV'4Rp]UrָvqNT )NvJcP峡F?:dڇS[cď#N;x-`02ueߏ9l7I_XV<!Hh{. љjI!X5cu5ΖS˘h>G-~^nާuzjq78K KdZa]fiJQN} 8nD{>W_czyTFٶ_4o"EV=P% n:8ldx.IL|D"&ɺ2jú9q< ؗnmй:/usw[l:٣}7H`a{FyyqS1X X6 ]M/"A`쯎}P=<3-K.Q"zLM]KȏiV0P`Hd%ZZPN(%"Mp ټ%Rչҹ2s'b4"^-OHd9881IUv8v.|x-h&(vƚ㫹V!j/-sK⑲_C@eS> A9 >ğw]7N%T7J`.baf|jQOR!!:7E ?k!]b->BO#ZLؾITIu2o= yB@ UIhoP6w&Z@;lO⻠ZT5 He˃D;#: cR3&'ƟPjK\|/C ^с=Ҏ31J,55CS nm<">\`H;f)(jEU]ԱluSo\z`x[]_'O 7C!: P-K'&>B m[.ASQdYf7^;`NP?T!S`hH`d ~}{= E93ȧcïe7}Bz%)kפֿ. z!/VVTmp(S v;m5ga3vȫ>$ )YPlnU8D74QTuyyti#ƕq/5wEi7@3W'i0Yp$[ML~'X}?/åbŀD;PmPbЙ=,Ζ9 snB PEX]ɧBm&u}t~n\2x2Wr7M8M#:,ݙH)Y +lfsJhqoI>`'q;r$8zSj^,1B)+V.&~'2 ȧg|Z^yIPwY*Hek܈fLXD23J{[$n+₩~R&N({ʚZ0Jk4Fxajl(=';KZ4VG#YϚwg$P\,_2M&{(\v_Io*JT,g@S$BekUb@*+ЇaWd>5haFG<Ev^qfՊxRVz&DaKXQ{ &0.̛{\S 5pٌ=x֦"kDJj{::Ifc5B(ҟ'bB q%@y{.̊q;vw2*E)>\l6A)]$Yͻ"Kc0~D^wjt;FLH$ŞZq6~J8v:+)Xu3aKi̍nl, No D:FRı(tȄhEqGAPfx^+g'b[I.ͫDeJ_UsaTys9mv*9ނ2DiK ♄* 4bco* ^$3Z9j3Ҍ)wv}L$[ K *I jL#fNf'5dIƿ\?u܇dsnmX .kה ?ҫ{DsKFS1X_n+4BDE 7ʼӊ)YbHruCj+9zֈBƕ%!RLeŦ<]]av.AF:޽|]]H*^ܩQJ 3c'><1"vd ^F:# z11͟Hx˂'Q?n-y^t}5; l)H'!;~^;iڎ0ifB.pckbnC d8[{\Ѐxmw?YQqM†ſ 5t'K\!~tSy*to갥 ,9ܵb">OʴRVq3_ .[9|uP۠{~_21χ+)O Hi!4 [-bP鹪وGԶ + _e4?)';G1t:.ٍ"XqTeJG8rKZer|*bm])i-'fD]%M,#U㉇;Q)$\ <]0_(3}_ +{GAY1N sx}}Jt_G&Ӿn0ZFF#lZ ~~ocR50XCJoѾY& O>4N&Y[9o=;A_L$u6tqwx}& _8vo`H@]cQxL 3MU*KjV# ˣg HTӚqVS>Ԑ =Y8P4##s'jJ)ji?B;3[Q:Q /]ZI5OsZMNͺ4<{ے WW428|=w;g0(jQ 6iʬ-Jcw{!hJx@2ڱ,.## ]y~&sˠ/1s9SEE|(aSvА7tٟlN/\Iq 韙ػŒ:)FN{KFM,Ҳ="M,:HUD5kJ*+R\f?8 XÆd<.]b"lQf=A^ al)C;g*&Nz.UU-Kbϫ8hP2^}JtKYlp*R1o]47TITH`wg0hͽe`_){īTӊ6vK݀hhG  v(~t|W]:OyTWDXwW3Q}!Ӈ+U@ \}Qw$bܕwjCwVZGD_+BJ}f8!Y?O-3h粿2]z,E8I|cL-@S\Oa Y(ܶ3S"x濛z9-"PA51"0[i*ȃ-If%= 2bdCe)[[#2,J1~VcR%_z)3iZ`khn;`pvED" WR^4Ty)<)u8'Xx7ӂHt2@h~7OE8I^m:t7hdn98 P[>mI1\]mo)$xmjAvOs9>G'5Hy VYoF*_2ri 8ierLu.C; |:#^cy$kf] 哟dy8ClGX7C(4 5nv e. ==8H dZ%| xф5fҒϊ-z3L 6,Ųb,8[{W˿u`bkLV9NkHzd'^aL[βSE<+,R4wiힲsN3YQݿ!e&SրQ]5jP+O'./OuVBٱK!f}5qs#_/*ԭrP{X46z@#&˸=_ȫx߁Cż;ZTzN ;edc4 ebRXofH0 WQ5#85nfuhvKrw֚Ag `=ރ;bw7' .@O*fa>w'鼒ʌq%)#tڕrI %jxizIt~kOE _6s=xbeZNDħhV?ԘJj.^xTop!_Embl[%%(G~ \_oU=ӀQ)}N1G]!L6\L @YaEإtjXAQۆ(#^ᄫ|Hí #:.<Пl~f薎A?@ atsJIϥ$^F͑sBpS/9Mu5HHZɘzX\tčilvkW~:1\pR6MB\QS&0mF46Vt }Tt.۰ ]ɦAG8ڞFgO՜6F-ΝeGV (UD+9igJ*(-R14 سa6|@o +RQƐf&(2gL7iQz7mj5uZp^p[} ~\'u%1 Ux8j.TLahx{NX*Ts;x >bH1vj6_v:UxqﮆZs**DNOE zbt`aU 3fL7k64ρ(`l FD N/X7:DEyT>ڕA>goWV=XI̮ŖdK;;xiBf^qQ? L2`#5 GZmʡ;pXi_Cm2D"~"(OkzO{6`U\Q[y6BVE&g8~.git?,noH_)Fvu I}T"w€40 0O^*Ʀ4KeРÐ"A)gN>}T)H"bhtD?\2QGv;} 0DY^R.λ׃hhyBQY}.ߥ(gle~ g3ؐn!9?\$ sN^YF}]H'NǏ{GܝfA(EWv={UHy{ϲ̦e&3붣ӗqS=lⰣ Nte ΄;愄AJ\: ͋8Cb"4V/$|tvUk;s vb?aԔi]u 4cJ=J^)p3:zA+/jLILLtc!\ؐa15=w;}Te?[Oj]޼xJ[^'Q>$Α O5ܖ̑d ˟۹\OK*̃>$kıf{ /bhlp(5/xb`ް*GEbP.[jtS{l4u9R'(ok\dZ)T4؆wwph-&Do rcӛUgn̞p׶Ϸ{i p`7bXU *C&D$UnC1`5?^"[$ٰO^ [*ঔʒ?۽`ig ٕg*p>w,Ho$^gA=&;!z=5I04)Ѧ6k,H}g{m%{e< i%x2 3=MfʗL[>Tf̃ DOv@1G1L0OQzo*3;i|[9Z<=2Ϙ]t 3 q8\UŴ#V;\N _Ks#'ȻpD8;b+X4G]묌i>OOg߽( 2}|Z~ad>'H;` dI3rjF@܅vNTD8A>U RNgWO~廦h$Z(_jOump%#+b"TrܩȻѨOFcrb]), Qyi6? E''uB0\,%15U3|q+kfC )m8z2<N9)hpa@iRxqf1 P&у#sXn#,wcq!*1?ζ[Pe߻ ~.<ò:w984L9o֜= S/^WlBM;yFf Y5Rۙy/*9~363Q2΍HM 7)8G[KD0/$ߚB&fE'_|7:xpmh~JE{*{K{+8 Jue^a{kf_s|a gEamLpF9Y= {pA<'c~8P8K&{љ|˰V^K[- 7̼8GL:myEYl{UbA5lAE}톺>$P̍yovK; LO!aϨ$+_ih w=UuHK{;>{~ 񝆳wZU{<* ˋu+g<׆UId78N-jOgC6۰䞱 J._ ¼:lQ\2'o{Ƥt )kS8/̴zEq?[,,V3( J_K!" {zsͲ}R0yC%gzБ!M\o"?h E?\$7o\3G&\2uc| E|UE1z+`IH+ˣg";x"*M1՟z ȮJ4s=n߃FFz2!7УYs9 ?K2ҙᛡ]gء2stnՉ΂1 )i[ᇻhry7Q6Y]Voyx}'.{{KU>ȣ07>MhCȻhmGs<ڻ-xDt u8[ 1,xx $?}͌A3n8!E]k楸ԭ]d[NK"#z&Q^0${=[8lv{y~0R)% f21.ZHMJ!,W JկrC>:wô}g82oTq]cgP ~  C̪u ,L1ߞ_kpPhQ͐B/,бnpb Y3ىKNmdĞt>CXޜ nf=t\C| 0O:]DDz=Kz`ܱ!za3@lݹUCh8Ч[3@oӷwtU ”q3[ *#%HbTǺU:K]>q`hi#AFr\W+'{EAIW?G^ɒ㻯܅nՄO]ܩa FL 6O)t.&HCw \x2@ l%ks7,jgF )60*GA`[,,ؗ7K;~̷dXk^d {iibXqilD?$ȒGDmY3;7e?%sݟpUΧa3gTn_^v=qcP2-?ɋUGU? gdx}Tm|s\B"8ib%B6(U5OUtJ# jI7Uuqbgsu5X[_J|Ѡ6SC46sUH'6 H%R)@kTk$" r~ :/JVxv뿣2Q+D/=zus>?:K2Tqи79ok !L܊AV[Qa5BAםVΚН BSĦ![P_!̌V> V:yw'Z* #YĄ'/-G4)z^Baȳ,hQd[BE"),ݥ33΄Xbrd9N> ]WQoRTsTB2䶏P%f򽻄& I ($J,Dj 9Zw\ߨGIq-zs%gt&ce3OD $D5yI.ݸ"H9|u7 꿒SA[ y'4TUG$s獟² y76t^oO+vNu9 ~@Pk]a !<y52A \\]sCd-bWκk3: ȿ s6,= 9 Lw"@d];hJh*L͈(Q;Yji[4ٌ׀b^%B5[= M!q D d [X&&r.{ʁUU[]X6'qЈT·C =%Qq'{/џ(zCԶ.z7/B@^C3cL꟏ʰI 5%P hO229U86rq }Ȯ6UiO9Wr3sZȪ t2Qu;x\Aqw@ wpeTVq-חI{X ՞e(1|5CI`2iA0VanaaV,aIE7ďe5|%"E}ǴxQL(B|PpξUv|Du^1&jC|Zi&sqQOcyy-lNp0Y=qC-~&XmL$@UaXm_I|@RqK}v|>Qo`Q`@%KQJ޻s@B;FEڥ:ؿ^Pp7U3KJK/_jNxҴ-69x[ȍS܃ϒV>痦8z/eՌ)0)?N.^6CZ&[Q;VY,*AUI?5?AWEdn)aX>N!zh׳f&ڇfiZm=r#04Yߜ=OR=aQ6öĺ ԫ1y`+f1 ύl3a@5\t*Wb/P9i쮦F]VcW?r[lƨ2HD0u2n{iqV?MGm-(6yxIO z2`'9nHIl+^g4mZz|}jdL9ǤAsS{qפl9{X; 1Cnڛ3ha:Ȥ)C{s>F!ejѮyMV%oãpҜe8gcq,Нʆ(\ypX6+a"$HC#lVWG%wc [U*gΈV {[{briB䊈Hx{TL ~ rEi,:FŀhE}mc}^) 1Xo41EO䚓sMgl}E{tƭ晝\Z_4O-2}rmzs  1\aZ QqE>۶t (#ߴx<IM 8H #~k j}{ݲ3pM)- P.9虵p84֨٥Ri_nfFhVjsA쏱^v=Ê).b8}^#~_Գ:3|BAw'jO*&<5_`_4~Qz+ƛAk>+%IhS3lKo{C^0[eGjo\6SVFFՊܦ p; X_r6%#Ō?o7|rנ= pvK'\ 4 n_cA*v 'fd]&'.8YSh-9Q6^M_`B[3,t2}+>M--e( Uf vv\p)'f"zX{cͦx"…@YRBNKV+҉\,+DhLF1o_=0s: cǵ>!Ux 65%'t0)47Kk DQm{dN&}3aWGgz%~B1I= >EBw2Y2aOpNy}9{hYY50I{ǣPm3\gZOsE{`.pPA>~ 4Y?CLJ󛺠IޓNٱ::>O+BFco7fc3^ hӑ̺ןŽUK&[uv3% &PsmD}CxyXWb7Lѭ*X͘c̪Fe(@n'YPq"#vOwa%िJq|ƈ (+u>UzU}|V41#sʽshZ@ tt\%n{9"? VD| u,0 -9=Sɤ T-7~/Mh?:st?{LĭDk=.ۥ.~!DϢ$ٺX\Kni !HG@-FHIܟLRl^vI{qʏ7ă 踱͊"?U9s'{o]g\Jgi904!DQٚr?p?X6!`Q>x-^"͖LE ^Dh4Lѐp GXlJ]v ,A>偯|l˸Hk^PZ&"%#/&0q$nk2ȯ\[Avp,Xb\AF)WdįbFԲ O jN$ |v>af XB ڗFNMUPFЂ=#ہPlL L!ܚ(pB2(TNj(*[V7lkm4qtM3OٛWxctnx raL}|gal&uS Y1{uF4#1rLyyL`n((EM5X+EK؄0W3DBW<~ MV.Ȑ;{GNfHdɛ =(4+R_X֫qjy|}ou\#7F} W;,ÂCv㛸=7b˄;8;}0 u!-$/DMbr5’CbhqK-[ƷX]lt  i [ k!!MN00w^#Aּ ]F)llE#r, ̧0E2J'MY#>eIlKz']0 @v\6RVnSP]c)-;a'd?'{,{شS͞8y " w!#70 X_N= ݾ ݊XO Ӯ$3d=lS`1T5@7\A?) q쾄k 3QQiѴ-([ i,l"Kb࢞Sm 0rTLlO +dZ Z1yy<< [,6w$zCEE RGPbA7rsF*R9$SP#!FF'i4M"KmR)bH]U|"ʋ[ $ >w%m3 d3-%ͷ>łwӜ=u E?~y.I$]gqۤ @c_xEj^&~f{4P|QKm$ق N[ Y$2O6 YlC@\F[ZՁ3]YA9 Zv`ĶNc@بx&`IMJ"dc"Ӷ5BplҿŔQi@{(9cux\XW2𱞱R>7 O/r8Br崔SLY&ED 7ǓRd˗Є(*P%5k?5G?JVYOOYeC/A0dA= F&wHD4iR2w :K?qxdy{VrS}d4.cѕ-!vaaע2g?@](Mtr@' g'p(r3FZLhF3%.Qjjx i1-;ehJ>'DB!lWV6RuuAcJ'! wbkDĠ d=fp[Q臋d+ℭjو@YPէ|/0$cĄTaƣ}l&bjb{!ɧ.YkjVF{w '߀M r$16-'/kw:Gիlsj NEq?0fDif/`60@>Y,'d0" 6*]yna+G5ƻT$q'~hq(Tg3 .Mʆ±æ&‡c&9hzpBfe[.&QY6 4LsSavidUҙeB#6ms׎  ܬ>h̾#:%^Dq;dI;Wq[,qY5"C׌jƚĈ%҃yhgLoHJ8 ,wԿRA28\rAʕ[ ?1M,F c82uK[֚;MYbJ5 Y%9$7HxC>6PU3LH4` PXc# N<[ؚg*0:AVxDNܰL#l!qa,5n[(F{KTђ pdIQГ5}^i|qaad$+u̖ RIF0{YP#20cQ |SĜ!Hu$ ܜz.1^ԶWH^M%ӵ(̫zGpn}u-)CЅᇎTȻ<.Iyf5gmAj=ifC* 2p3K]eLЪ#F`Q ;blm[6[3-(Y)z }s:2z%ϔM[.BY {-Vzj4‡`zj@ZvL ~s;URs&s۠k`5IӚ !u\~KmcvW2XpR6Yc,QEJTe-!tTVy" J*ZПmW/m؇صcI掩J_>#]2Xf j~ XrXwP $+N? 2d.6N/&:\pWy`${@6銂vlPEvҡ3r0 nW&Ê9R%iDUVJ`{v 'v \^4t|9T G "`y_IX[:#<%";q,a廮W#XXW|'DxO$m >[~mĔ ZPmA%ϫ^v<خOTjaWu>.P#BȜYV(DF,VC $֜AtilAPY/x @9פz*RE0;ҳaja2D[4ݩ' ;OP~d& TE%S4P^0a{1D-sֿG/Z7y|X#F.6jQ%7Bc$i bK}jQ?^= χ Ӎ\Vk1@QNoB[<,ȆxPe 9%ٳ` 6"Xg ^ǻcW/럖w q̘SufO~ν,t d]zE{֚M=9Fᘻ3Rk(Co7Zw3`3-^{J:s"j=w%ObxX&rVV!6{qQ>OvZIl{*df{C2|>$Puo v{P{/ ^#ۓ7#vpb7x&$^\`<`YT"$$[(5~&{յKRzҋl.ְ4a$!4[ iu Y6Lr(=6F 8EkEIV5X8Tݼ1-uc1sq>m,' B[S`ENmQ,t =lìˈ^oe—ZOjp.rxA ~=#]Fe_LLa6&y<ŽS_"yP6^q@K S@Fpo6pW&i{h6#xUE]8(:7GB!w*̓f~VEXm2U dtWTt+U`Vz-8̄Ѿ ۑ֠xUKf!`#^F>d)9%>D3yj _km辌H3mR'~a&h;u*9S8:jq6zuo`lgH?c"h'i#uYRAķ.Z ᡜt1NL׽2?ӝ52!ۗCXNZ:=a. Znw6HAHz+k&90>/rPw(>.g+er[2@m9 U%ʭM̈LQ pco,.bΖZ~!߳J"oR}ɱDݒl= m}dU'LWŋՄq/=>ܓ*(¿sfrꉺT@ ]yAU[WE=*to,/]2C<nb ӞB(.7}Vp]դ)l'3Ұ\#G@ 5).;1[vDTw+rYK3L<)=cT(7j_(F!*c+>",lHǂA89Q/NT* 6ckRiTMJ5R_? X[ = A:N_l~*K G2a (/?@+ s$ #PP-0V$-UPynCeq5œpnu(l hBJ~Fsm!pvhWrdg_{Std^pi>1xeOӖb>wlo t%$/lg!W )3/C*ܬߓ H`Vh ˖0Im= e@&!`gI$Ų)$ٲ/ Wk"P0{8TzeT%5AylĶ0nl\8{ t/n*>pE}($D2vguql\o?nC^-rwSLcS+o2/v˥)TugC[ Z G}]nO1`otϜvP1Z5nҵ ѥحt (Ee.a? RfG _f Xjl ~fגdqȅY!exL5h$gL`s[bϓI@QSd;>׋ IB ]O'ҦMkb/̑-جd8]A&VFC0V3Lurz>nt'L}m$rGN&ɓtZ--LN̼FHz~?E+bDuDѩ7p$.yU[CA4|_x&0w6هCO0hr"|-\j.ћMw$dT(WQ!f}7uу*cDQTR"ps`rwѸ:ٟϙIYS|\{AmW$RjqeĄfeFby]Pl:ؒ%s$U@IV$,/@ m.?Xe̕q8Fbugb2N!tl2+(f_ڟU73= Z2eU^Mλ֖Ir0nF*RE ٍ]Q507 *P;>|4k3n }MG2@d˚8gEQxU2N_x|Uz "֛,잧>ߎ8 AjHd8ꧥy=6)MLy.̓$P=r(B)o|: CIRgN iK18PPr)RۯQW‘z؀Wzm* m Bkhwཬ Jp[N ϛ 2[rJ\9.>S͹ҍx0O 8m/Vi=u(O~$R%HZQe:d@c6[㡯:>~jCEGahN#m׃!>wۻCQ}MKTM!I^&xr)= rQ۱{jح%Ʋ9ݞFEl r-bMSSQ)t0[_ GX(/A-4g%Y>d%F1hÀ0xl7*GRG|F P=QU=]6>478$:$FG *9wuN&<:;E-C)>M|%-n|WHb`zDonw*^KY \q q)qCj Cgow)Ӽ  -}Zt"-+gv4.=55m @0Up Y$&ߐ3USbSqVpbpLJ8jaDSSpvVȇ9$@[S XAJ= apZW *o1*O f>;2Q;#QJZԘ$x:9Y]]'Ser;+`aR]=bԤHsb*՜2PH*SZpūO% ͂ΞAqb@XGb#!w"<ѽtdyT”E%0L+xjDH}$D ,V;*;|nP=?Y ѿ>moov/OBWLж>ΈEݿ^ \ioL@36TgG:~I>^AbU^Uw{l9h-(1z~FjCKe?T95DМoH3z]p 3d 4'( h֔d~T'1 O<ؖiKqV،x>Y*'Οg@n +-mT r0uaiͯAZ栽͞G`zn}A )=g*V?[mx1"wËrE*{F=hS!U ,.>؇lvw"*Za]Ӟ7;P!gb]$;JSvlrfDiԜcnn /$R?N&ZTS+ c:`emX@8hBnsWѰB?$q+0 @:톡_V(=$m8Τ,(^XFD1/[h0E%o^{'jf@,6EǭP0<@f-R6٣97/!n=`8R>c B[-$m .Fq=zw<>?b]$H4ΞB2Mn,eWdS]쉗]"yiS2cbF]Z-*7N2 = \Y-,Y5"/tD\6//9Ӷ]rЙ:lK V%^2}]NHk2 wd:LnY68;~C+TH)V >n9F,N,Vc9M=i{ch t4j y慛p yuyOSȠȯgpW/_peٙxjL&&(F"=2^XjIq:(HP_^MzL-!/ߴMSnսKMힷy-{Dh*G?ٶ| qv0-M&9'QLj ER- `/ubtA Q3:*EuH"5Y33Vvjmbx|07FW5"W@LpNig̲&U!fx,~B_o|C-{O|*nH5Bc4^03Dq`.C(.쉏aR><76q#(>>fJI_fod湥6aɞĴG} :Cr3"HYZ(9oڲ^S-r?™]}c7|鑲k/`׻YGE*-^Wtyoa"uu]Z]..])\|xHj;WpҖ^y}`6x^r+%I{`u .2Y^%@#l[XsT)>UQt J߹$Œ?b.0 ˵H֝TxVLIc-DV "e:PNpyܭ`T^sd# 8 \ܓǘr|47/"vSqBʀ!z<-'8X jKXIK`Say!{W7]H_.֔V+Fزȴ#T#qT wARu~|Z <܇JS ~u]\^^BJERK#EߍCO;t5:p3p>_};'`(k{=п!z&-m<u_ӑK/Ç.?Xa?7oX 0g}lOQ5yd,a@c#{&UP 7:YCX+6dP̒zV29.E8T qS+a٦cBgU;ۚCs7QR5g!5n& P%&i >&HU|+} 9 WKN.:&%hC醼'rM#YT9=C;M)+bb ;PuƠ荀r9h$טDG]SV x5[;GQf c&z1'^tVgc}HO'g]2ոFpDΦ(Pdf[رy"(t^E(NntԢ7rt;Pnj`laݰ,_H-\[*GiwWB<d"զ⩔2Ht͵vӰx2-^{f/@ !j<*ԑF *k;_ fRꌌum&Bܸe]3Ǩo*Ɋ s\rd׺1E:?b-cKj8hVOFI_~L#C'2qm -2X bތ[SZ6iK!MAW֟M& :GY!/mp`%w2Wn rݰٵ O h9wj]_ªm!v^AF`qLAMϕ 6 C~!krVyo1KW"k$~_5ĥ>X,sxi]_rHo; S2#L}d)pd?.ҽljGIWڸZ‚wg  tj-k}lKZd4 0}I )VH)IjY$K ۑ օё 6Eş=pO%k ' Ҩ^K"$(bgP|y[lw͔ko Ш 9 fhUAmt.Qz:0*dj`I>GxKveL{=r"t>;%Y]17IёQJG>z:͗;H}DY@2ūiK7O}Ŭ,nT}Io11I4 ֻw}pb%7WUf+`R{P-R>z7VRM2tpGEBN?l o*9Ȟ͙oP!EA߶2+ Bk-Up4+h2H}~U~V 6KckZ~z~&izђۉgJ(E4vA0i*0-f4TM@&+{&p.+0slՁh@O<kRSH'Hq{ sS iAL>_ _Jߟ': ũ32;Oc*a?FozɥO@iN>.ѧ5^bbϞ**"63tX0WSVڑ,Ђ5œ Blˋ:9*bRE yGk}AM e<-M NJ>a秔z%RXIGTaOɹ8-mt:d~jMh%Sߗ9nQx0: Ӎ.vK@~!{ _"TH,>\od}_- PGߧSyxh .N ɴ e>krG# ֬(Mib޿&Mђcb}(AtSÊJRjӴ0r*"gݿLB8;,W'hFLNzI8p>حI^RZHGk^@q}E9gR<[eK3&Qm= .i0a=;WGHP؍%ߩN"1󙁾ĥ12D|fDツkdҵ"*^0@V HN$F`)B09KI\9ajz̍q.uߦEFBw򽖬88+/pz{pFL`δ8)άd R=7qg]D|$usMjWS<(;' 6 ZttmFG7gM|l 1roNtQ VG ;  2\L׌0! YZЩm*kA.)j \'ۈ ]=EePR5zs[ 4xRTpGZF~'1h&]F*F|)SZ3SG7 S}جu':[`w6xTh$Y~II*ӎbTI#GdkJguhtq?by!DYfyvd]Z蕌2$CN B!Bz}~Gnn &\+a#:47Żx6ü{I6$wlݶ{P+VFp&ƨ_vCΒ;[zQ"Y:~1n}CjAbRm;Ul#[f4&T3A~OWoTע*Kn5jz?e%Ty %bagz ɠa |BY3 51yUubmٺ 4o">^d+.;rK>=!YBdϢiA[L}Q63Xv2T,뭳0Bn4V,]3{2qM`yZ1QI/9¯PPDJL-&*Q( 7!Syge>t`q3(&Πq縕kXgbFg$VnǷ{OSz&1Y,rWr [l M> 5.K7n(O{faF+)63r,:Gq@ZYE?zWfaŬSw|fB 02V̾k(hOJ$` Δ50phfw9_$D*&H?L`UF Jؖ ESV [G[if R},a8bVEF:gϭE3& jЭW@UZJrtieT8*>&eІsȯU7I'4Rl(^*Ȑ!_$#Vj`lה ;Ukp#lmis?D$۪u_:E%_3d|;Bc34l/ަ4 }9PϴΰءTp fT"5R_AK0;6 :S]J]Kp[*WTX΢]9h'.x2mXaGEb0;Ys*I"N(0 _MMW4CyrQbZ4aow)gqI!AOUnתZpC'..qŚDlqN`poR{)r8Uzbw+7Su>| BkɿSGNݘF΍zD)건W~cD@ו ϽhʩW<<,M2_P?pfSd֤" 8rgL zI6@Cg֮;Fy4TH"$p0S}s r']A't c"wcߚt2\#L@Nb~Hn8B)o715Uwڡj~4 5W'6e^@UՈ wt< s,,Rh{Rz;ml&h3E~JBcOtMc;΋ ̣'4/@?n&Q[θ<9R%1Q]?40 O/)A{igХMmkz p*u#z`a.K~4aJa5oGTí3&AP6󼙛R, ]瀶H uT7gM;}{`Y$K3,̮;XpSc7u]F`h%Cf H^- 3`x 0*%t6wZZjZe\@ŢlAB C%6#UD,eF7YڅЇt,ps\P久ӣ7sqB"Π-{NRT C\LF" JM_xcIdBE+tMĄV7E[μgbORܺ(Fj5TS[ ݷ (7kwɓX=? }'t}ssPPԡhK悇s3)o#\l\@Zz㫗.nPg|n0%FNG3~LF>%G_\|7P8(z9_-3g;[ew^MVۊAcYGE`Uܭ. 2*j#Hm3h>H X{'/Ӱʅ'pn)>ZRw~Ć2f!¿n3>wZ҉3ҵ 1U +w 혆Wx@U!)$Rm4-٭04_nm)&O~#cI;OBN "1kT@<((UMOwHvئc޳- `\X apteSm-~ CK%t ʴK# %&$ɯ =bkkkgbllTxsGZ]cP^嵔\B'RK=Lg{lQ4ʬxzSx 8bsbn2̉G7I ٠|V0$AGGE֤QPvY17ƫHFb7=oTt*oxX9'&v.5stܙd*5IԒ1f󂩻j)|jw5ћSZ4tdz&XTIZN@: X%MT ܜ\sc )Auy,u J! 삷:2?xZ?,OtquMG3^>m&1aVcZ؟O,wWW2JN_Dn9[1e:D/s[4MZ>C(6 &LQ6QݎK;wsǻmsr[h>_bbUV=y@k% W\)տ?:dCu#N7o@),Q+ygζêܪI  Gy\$!t*sȸ@44#̎V4Qhm0b'܆!IO'nsbZ"SԦ.ߧYb'uײENzӆZd%j~vҖTISA%~ar[!3gwZ;iR[YҺ=/@CAf'Q 򻲝5Gbg: Ӟ )M2[oI^SX%˕u<ҹ?LꊬR4G3R&X͏:d hH˿R/h6pIo1]m4!I܏i^1vݜhЕ`UʯmSy4XJ(~vE~Qq74u kk+'p:ׂ1̜V<u٥6Ӥ I9 HxKPɫ[iXK ʥ~VP f8I CzM?EsШ )N2qVh yQT9$ѭ1VXݟb"4FZsN %-"}"IpvG(OM= ~vЧ)IMR$ꛓ# :(PKQ)x[Fd7O/y'qҋ8ӢڭvgA1{ v0+ݧFÄO KWK|%#j1#Q yN/Hb}d3JO*Ƞh&Ф8Yt%d6bNbp5#qs-ó6_]̇щ6^?| 6[N+ܳ8jd׉M~=p#Sn6Ȓ!$}n+_McNbkHqAJrU:hKI ꤥnZ(2fy(ԉtKTCH~Q̙32@7ieHڟϙ/GBWs t,d.k";B^TEƝ4E}OZ(1S/^.8C_~lc!ݓdŧJ@Kh,ٽZjOKRcRZwHft=^Dm z,[8 y|_TȖ6xA\,O@yVj,1v7Rka5i)0xb2νq^J0Ou aWh!€ #L{z@oCY02X-@3" ,Gw.WHvZCipv<SaR?yj'*wŻJϸ~:b&pzmk$D!Aǁpu-Zrx[tÙ} E l|7Wa* 3OP=.[8[*F#_9O4CE]-]zdĴ Ao=6+pn#-&7nRT^) b!`'~Ix-~< V#'U⽸*0T($M!D ȖVEk U<=gX5K~]0M0t=d p_߃;͛@X_" (_$M[CхTF#Po"ҖKlР0Z4x"d0zݨp" V,h_ksD XBnRRsx0(~i@j%5EEttSMM\Ys"HF,s&ի|YkAŹ母mo}NK^\"SN̖bLPS1sfi*76F))mηH~&v%9YR(5Q!}3kOK?-?JIĴٕk"xy\*qgh̪' Q .te\9-!f:l2M(rlF^UDjY- Fur@ &hXq"}a`_~N1qSգ$Œ_5SզbLJb'1flpz3m1$>pf E֨Eg)p3:B)Ԏ0Q$|Nvf=o3lhh>WO(/-ǒEbaNYKj RN%<\;᠗imF㺅~G (YsN!ISbV &Q h(։܎{H^iQUJeBz"r ىr%A7;5t\/]?Y©O(iK^q-5ZDq`z|"Ck'׿ ٝ6޻PW<_W`&jl{ Sqkq, !Lu7vi`RSٲZ߿+N+[*82Ul V;p($ُtsGuJ\bC,v 5ՇWiTx2'HSt렋G _ Wuk_[ȽjI2q# S 0iTv@WwL ݲބ&Nj~,ރL7ݪ$q#4E 5zm-uߜNG(C (Y'XYFE;dM6HǧJfx|Cf$ey(38sɝ Y";*Epq@c Q{K!2c-Du}~!9o^ ?w^p/4QЭTabe۴x %V2}>Exk&X;Z n$rK>m{= "+ bRcGp\:1pdMa}.>lAcYvu(?GguOWhvYNQzIWt0RfnAud}}wңIGSy?K@T/:"i69`۲Y% 7?v ZX: SK'_8fD';F=ГNxG>n~KxaOo8lKC'ϔb/ m^oܬMA)k [SwNbT xF Jn f rNN89H'DÛ!VG?HeY1V(D2Lt-_9q"tLlՂ UoL1t|iy mKi[2$\SjI:d "vjLQ/bz\-Q"3@`asϘ"+K`Ɨo(ױ% Nm i1%r-}!, nc8M+ 3l7ͪ8o4GPx^!| Y:b@k g8StVNvojƊNc03gҪ~#_(+N3 }%"gކ\]ox 1|a,BDVT<0Lj1dPA*-΂+#±RELN2?*9=7>AA`;XrslG5kK]XGq&HtvM@d+%FZ[5b ͽ/,OqjiB˙wmXwKgH A=8]P㊄T[c,1oSyK mΟx/ʗD1; r(s@hM /k]\b[g.-M^rv- k|ZYiO헋d # FLjm#.],-HS&X'_DQ 9<,J˿f.;ҡv k1lUO$D\55eJ~+m2f&QѤ)m߻ZqșOJ2|m( AdyS*&2u5x^e.8Gn VC?[՛ LxUT6aY_õwּr1OQ,voh: 5g! D?{7-Zn'3{Ѫnz]7脅d#%>5{dp#l#๫fUˡeΣ{FXƱ,X^[OD e~4 G@MKk X$S~>Mb'$qa'YΜ%黌1hsF$VUy|$XPJ[J,!G0VeaD//hU%\W֭BotH0B`vOFv5nHIRb޼ 17H1 զ(m*19C4pʉW+ÕLaN!̝AsQ 3c`=U\B52+KVF5Hfl"iT!Ԋ٨I[~#L9j h>&ozp)2 P0 9*@v^4qmL4-yΎ^Ɩq1,6RS]4D gnIaˁ܎B"xhf`n;>dp4cbиEtjLU&%|ÁPn/>/蔥(7Oϩ KŔʌ"8/qzo.":Iu?*$US0+&[x-^3:e!F.Pxd{28nh_;/&ԅ.<+!wF 6+,Yr p >P )a;р}zdpҰV=MjHgjk841US_tK3 C`ϐ9<`|~I OrL7€g$ִJXƲZύs YPrWܶ @s)Q]|cj`DD^҅*w=x񼜽w.C(yĪ%Op!]0\+A\wn[U, e. ۴C*uU"IoST-1 U0Bgr1<#eg_`~QJjdѶ0" "r;QUop<&TwKpC̮k%L@,&x QռN%vB!g;D! ke:EA6Yt-5cz_;N^ջn=~[Gފ83d7nS%SW-7aLy88;Hh{ظHBA ւ%ja1jnĉL|@_HPy&,CΔ"cم"{P] lS(4.̎4%6 Ty4uȄn2r?wԛXɺ/_5S: b}LYN`R10X1%j+Ss&LZ 2Zvӎ`Kx?D K{Cgu_FYZjOƈo"8&0J eMoС&ezlvtQ; 4bo8z{Н{4Px@ߚՀm1Ӄ3ևx )3+jiy*$ZD-\h`A=xӻiXvZl֘|`u4?SAR>qifGn_$Vi 6IjewwqM"gv[IKmm7 cR!=q K&kZ0O6G-,sơ؋ts!Ao4Y/ie@.N^aqUṘm&o\8ΞF>y J*EyȆYKhU%GQnW$}Uј&qZ-t;ypLJ~z욢ӱ4[=j{qE>S0 56[:~a J1f:Z-U+g[Z@ቔ4߇Fxiu JKMv@6M}k5 izf1p#)^DP#k%UH1_ݧ={ <C6`l4. ne|(>*%z)XDhQ-wqnyv%V(,Ķz,AS,0~̴p]F[|ĢbMO諝au[OD=jn}(jPנ"Ed8S B2g辯3i#[:D-g|0z$4,'9hx&'2ŦEvh-Ah5"TsP2w9|0%ҵb;{ l9C /%`#ѩ}d(c?CI?פ}Sv>ǒrH1t$~ޕBb+TWP3ZWY"8_֖UȌ-fPHfo_w-ԟ=Ê,V'n3b([8MsvԿ-#tsw#ţvߡq`D:;RoL}P^ŊJ-< e#?h~xҨ.i @ܫ@$p`BVx2ӯK%JOϻY-L=[X;m[p v6p ^{ˇ#dwPzՓw* e${\vSpqrzī~3rgpx(Ep,w&[+Xu2# -y@ΔUB&(Q-) n(INYOΦHz6˘E8qT#o,[9VpRznDhv\ݧ$re[* ĎgH@G"l-κ'ƝYk鞒Cn~h'Ɵk cM\M,XE!#S@)VhrzB|/<O} = M͖l_/Y6FjB aϘɭfÜX-160؃;o 67h>B(Lo!֧n3`N ;i-8ah=`\TM.Nh֕6YBC9&@*(+"O- {HgIxp`{NQh6gODq1%5 —H!r[-}_$^}cš-B{uB9ǀR|6!ʬeRy``8LlYK<<_XAw״瞠K ak"J〓 p΀kVnqל?u8n(GT_Ǘ~>/Fۈ'߬ R+,=$]<FdY=U^Ubݏ &н PU++ \.M^DarE/0z:;TG#oO^T1e%Ǩ8*Hp,fi9 ~h̑*Uv" H=M#үC {qfCpװD5 ;~Ϋ?7Adca]tD+G&[Jprtʛ= (|A!(@)`O.zϺ\Y9G1=w/WKqz0Ř5GޑWLISx1kAEE=Y\Yg, z!PZ0 蔼jnԵ ک~cfbZ R^2[YuATF1_ yqW^HR'M3'@  S x1.]TH^( Zg*m[ ]JehH},iP􄘅n1TiSZNp t%C{^!| 7N:hiǐG {˃Ylkyj ){ ӥwmr2Y23i_*+CMsg)dr*q<4Ê}^y/'T8s&a{yr`P^:߼ѽD>TBWNuKJ>^2R +&v[W ]RJ惍Lr}C򱈿8$ qT{hJ/T#Fr.5mV,Y+z0EH>K?(F aVc ];{&Ą_;e67ub砫0X0u^yVy[bo{2yr88g[ ߲3 O&N $"\B<**%:BkG&RJF_r(1(Ȉґs_pQT 몼3[e9[)!R}::~Hu vg#|C&RN숤•;)ZxLim"9W`UYD8:F0f#5U&¸n:JuSpK( }b#5j2x_ikVp3@+kK7sh7X^5!>lEd8Ys1\D+Pϔ6wVV\Lwʚs+2/aDעlK i`n %`\зMBA/5t?CZ=cpNЌn5W}.RS |!EhSw gUR%ρOu bk  #-r *Ixi|_ .KUMϾ֦yw$fHV,"\\jr&дh|Ynr둝a)SVpB|k-~8u.[USg:I[ڤxӣO1 R[IoNO\t 2@fФK+6?a*b m*nԙɠMAxο6Ag ߦ P =cTp8,fUa&bn3K07f,me 0_X,ʘdnV"-r e|ZkY:Wv]΄,Yn@cc8y#$yP8PF BF zfuRB3ω086_FTPIJ:VXM/>|1H~=lBߕ#-7"FG_ĉ4,,X bo}y0VEs*SΫ4 È4  uyԆF]v`7|8G8xb%zQp1&jD} Sm~`)g$1mkqSArg&a>Ѱ(_vEՍ D&F<ڈR="fxes"Qak=9@ ĊgFqWDisKRZ*i*亁Q׃EcsӒ=FS  Vۇ:  9DTH̭ *]Vpp2/[=G|,7wfi*kN=rLM 2ܝNE aDuJILVm꒕D14QxoҙkSjh Oeq))N0xCa'|z|i7౜o)NǙuXvFg%.P$ul6K{O'1MvEJ'Qtnlcyk ]S5A_'D\L^翚[rU Iv'=2Q<[QG#Mq#r J\љugsZx YU.41cWzR`DP3aC zD%A*j9;M`/k?[#zBIT/ieT]xian}خ(o/XP!dM[Y 3y785sW4 #:})f |kˮG@[*J'*r3|}N%&XЅs.sǀELm1IM>8`VAFw0T  ݣ7ll5S/74J5yBʌ> 4ȷB9$N>MHIeޤ!.=w4?#krR^]nq񨮦XrsyѠzS?S ?537-ZȭGyхq7[SxnJ# pݻ(3πн" 5e[ _iT:u=q-) 8Dr0\U263ŲkJą͈9v/CI&hɅ6%0 ,NqUʊwVY~e+sl8 t9(>0.\~lavwmcySdn  8P| ul$]Ecw\]*Xdp=mV~? D|dJYCB1Y$.j}m٩K<+ioR- Q {|ZW!D}r M[5pB']JX2SV5mdqMX43aQֆfS3m_%I W;6g՟ݣ1ܤ[(B-Y~m<!,ǟtmTŝv" jN! щco=T6(y)JOHk 9~f=&M*".F;4.d7 +{Qcj_ `'tبz *~ƔB(H)qTU/lX',W&:B%.,^fjוgv GN׎()+m<*]Wr]z"8v}nne&-VR_2N b7HeSZD6iw@?>q* EǾSfGz$ab-{`hĆ4ٻZFytXD|_e)>=I=>DqJɷJG/=8'_YfX)!#h/GґORBz/h5`*^A-!|O A,P?vp oۂs|>hf&5\H}[3`[6V~ɦ!qYW(!3/Xcky_#a" #>1C8HuWi` sfK肩)JΝ(3(fN_ GKD5?u#4ޏ*POYHg@f'1KMTR$qx02lQW(- |-Mޫ4$Ac7 t=9v^A4_RG& gA4ZGRQCv5*p,Z`&ːi6S t(x޾K;WvIp>ipjRgqB[ ]Ix1h(9f RpcY_>=Rd<*j5hUt(-ޥ*a1_~ӧQ~ Ex?WlgPо)?c$7fr/兯IQ :T9up~hhͷx\ bY"GR& 2U ٿޱcsXF~>1 #zNԺXWE8*yצ߅ʼJl)0XVx*r;͉0NS|h^ :t9_s?^Q(&d(듼:$j\fK3Z Wނ; xv>F BUs] Xpxn#6,`hYǗ/|Y|cY1g2h=fI^)\ Z.ֹCw,wm!9" Pzzn3\4Sh:j$+рOrI1Ad)*a֙b-Џxzr겭JȈq]s͙-JTLR,zncC[]{dJkYTbkDNQ@ɻmYi~Y/Rq rrC$ y3V9sTNc/&ES+BA7 t ll19Iy#; #w6`&|XLLiWƤ&|_Ȅr1 wГAǁ0Y3VuppvE=o8*:,2pT N"~5U8g T2.T3.H'}b{BCUom'k*|=HQKHog뱥s쬎"4TNU}9i(8͇H4v`h:D0(C{j d_p;' h_lT ^  mV>:lK➾De)Qx\NĢg I]롦9ıdlQ,aqG–PwuwE+,mdHoFe|/ϩiE"a# 85Ӈu'(-i8il@&m S^eOaOt.n^*P-)9%d ̱q<;FX.˚֏}#rA(!Z1ZYp?DZ}Gg~oh~Ⲟjּ%ה9IAD0I #QalQ'}Zer&o{z} `m$YբΙ1C;pne aDJz֖h~AͶ([%Zwc06&vbg#`"eE͜Ͷ!ie?"z(}Ms7~~9S&vj6CErU7A#F>L%v|$7Cz2^ZݖtX PL)rȚ(#I+,깟+S< ƸAˆ02$i2n]$3ZMFWHhtGsk|lQ)Ce BjU2VؗH>(){z#v9 &3Ԩ*,)u N{W-O2lRό&GWN"\6HIYY{V h<؅zN㑄 E4ܫ쟻?O/r~7*9 0; g'(=JdpRn˫!34`yѱ8Ch|fwYK܁Ř_3!2Qh xy\[ԏgv -B tƄ4#=1j@^jBnF)iٶ0}+ِ@ۭϗ>ޗ40 DE\pU ]&IG>5y)rFu+Z ܐJzeQHk_ZB:4PhۀnFC8.ŖaVf^oZAB٠85pT,5񶠛ñ bI  lHݯW6 PJѺ3 uTEct9w Sl41U=Y@jtWv˿t@-b6aG"er>xJVs4`<"+$SP撑ya7ۅ,ya`ȿ:w,`״)xT }X EnO;>[2 !GɓȥSY]:"+^|B3rC,Z;fנN KQq5g #}A7S'0p|F [mm7(eu<Z;\LÚ=P?p9TvL1q[L%Y=J_G_nA~"f{_jEK - ?@1̻0}Z*7B.juԪzN7Z!T bC 䗿fgA8N_B_>^3`7l9QÐZ4*Ka{ik2/W'}n?\x:#R#QBmZ3fKBg9ТѩTxdB)֋ZB \#MZ.撺1^B.hڥ4u=$B\lݵrF@HW:+jS>ac%g-p 4,*.R¦f MĂq rHуʔ!i"W]*ya3ף/~? =׀.,ݎ{xճqf?*!>H#Y(2HpFE,տ&^) س djIW <x"rHxzD~f9˄ť"oql߫LL eSƴQ/:1 |':1(YiuZ` ;9i=Ԍ*j+rS&d.>g6!z_}fPYd,ELhA'>OG{]-;*M hZjrsp=H;1(@8>%u`cr(xtu_rE%W0NPJ(rj\P%c7ԒZa䌖~lvyoaqK"WpȴՍGOPűԹk|G.Ej_'S~D*GN_ھP^wsy>u[ qS'ajs4G+8>Ho|X⃎ f<1_i}Wxcm/9ѪLkWz!5('I?> \-%c9yABcVYSM,f*3Zs8јɹIt,J9){?NG'6yݚG`CMs1\ʃ*q)֥G‰#Q7f7d|{q40.hÀS_[]({#.bY2<' BL> ɳ:FW$/lU3,*Ν &t⮕,\$KsSz87 1|yQex6j[l=у:"-W|ZEB qۘ-`Ѭv>5#n{T1Um@$rH@y4cP!57 Fq 1$xtde=z 3gjZ+fT srIW~&JcOx; Vơ\V%M峑k>]]u xAx6zNi d\Z2pNTh̟8{?Յ_rr'oP gD;AD*FN%"0KSD>tje''{E3\{<$Q/1C^$[uCs=D),H&0u swG^3L- 7&1]Tχ*1QW,>^劦{C{3,j[M`@2*6@M"Ngzi{kPA-GP@ ?K *[ȃCȯc}2.Y#*jԲUYqo]i?kRÝH8f:ьI?oyKlqq.,*樞VN'QeE Nտ#6[Qm]2[=}&K͈N8]Qﻮ]"  R }QrR3< TdVߴ| 3=c%0;CY_Ti/u0n}ޱ \꓂ft^nQ"kk0CJ^n`t,adlRJNJK|brAHk kθÙY3'.Ȭ eγ{xvL&5kk IQ:΢:Nښo Jݍ7u w(\nnr)ȋ)*P3A{ |`ľ{ֳW-ζ,cemBC^RLhs͕ӘjqWkЏ#@:]bE;/ȥ5w,5H6F3Bm$$CƦNjvCʢ+4eѻgu Bȿ;TܝG4؁4]IQ s2hUK,zz68ߋy *I^+8ĕ뾌RI}HM|Cgd.;ǒcpArlOw&v tM4> FطI;ӒX]8.P8 ZU}+ lP ޽ɠ3W%%S];;?K3ϣ.mi _6II)ZP`k$:; 7O5܈9˂S迩DoOB0~!=]{Y.~*58bVG,L{sMAF]NgD2 NqktߣQ/_k0XY|MgSZǣ g:j-^.)>U͛MGpY`Rוkh ג?t3*nT**Kq2L/GK{h&Ot!͒|!.Ykc"Ff @˓WDTb \қx&1]Xw尿 ~s_VeFS4xlwvyݧ|¨m ɟwFԏ:y7qf/1Ő#}itc@1[Y!b $ .Vӯ ڰp\mY+| R#[aZEr3w77=֖N7I sBE^؞g{YKpd*% I4nQf~!dQA$9BeJ |M)Pikޙ&͇#g^9pjHtǑZi$6LQc@|#v3 ZMq$9*.@t .9Vak,o?etʮ~VV KMցώ7@9#89Bi; Kxz _;R6#LfG&r:d(S+S֐l!`@o nkWy >\_*Rm^UW_ʈUDX23RDRߋV␕]kC8H\h%lŃ՗Z9+yˈ#IQÈ"SfŔdUQ΂dMrl$ ۠=5XjmK^fa!ku`2 s ˢDw& =ZE̗-FCf^5s6~οg(c)]zfߤrMux™:v^D A9~!O6y+=_2 ct8I-S` آm2=ז=][Ums;Pv_П %QvaGνPؔDnr|oׯvUtMur 8#̈$tC羑fU H *t>E2ao[֣߭֠6OJ$G?N\Fn4$r}SsFU T`:1`3XJ<0&WP|}Y~0|Kl< is$\1]# zS-~a3Skm$pLT{b!_0c*v4i5Vx8o$<,NBU~u˓mӋǧ.ٗ-3hpVb ]yhIƅp FXl8p`voCWn$,U@ȧ:eИڡ]@?S3iO[`<'I砦Q3`*bEO2׺jůah_櫂,GI^Âu]KٲKAk&'vW80fLǓU2]eB;~īpqAݠ5>SR/~@ Ƨ["z/Oܺv7숕QQymW;8jN`DxD(ӻ dfp$34s))d=AFD7^uzܫQ({`maKD?U0݄$eѶ7(Ʉ )ծxҧX VTBY&rcn"m?~7{[I8ܪEF%`wfQX pka]|~IVM'fQ`Z~pb:q9мH'n-Kt`Otl4\߬zCE+)5SLъB.3`*0B@TJM5 aP vA3Wף4YT1םU K&A1C i0}ƭe#puz:dĴ`u98b, -kqIZ˴P̦\~@NM e7ͩnDU_ۅY B4 MjvxI նƫ \Ryx_Ijlm'} ¹}Pc߳2cC #C (|Z\2)>DhmzĂH+oҙvx;| qÈ6P{hHi40i_ꞌ5hh{;t + G osU&Whd[P 5iQ]ScA%!bTp-[8Jà&uooK~ǛBUu J:3$ܜ;-1chna!5b A.)ʳYK|_wIv0^c3YIC[d6 _{xo 8:rs*L*rp@nUP*X` LgZs!S1v߶\(ѣTw]P^~bGY3!V#/#O(Rx9rum0?_ f՛)FݢP %HlFcE9]o[ X˝vNTYmu8}\zfSH搲ѪFQ`.]"K60 㩳\}gE .[OdM0A-?Kxp>䀣eQ}Q/{ }w.eϼ?A#%fo잾M~nm:Fi ϟӴ^C؏ۓ\V.Ъ#lLRC^ >wXO6))qvTp [}AX 7)ͩ{!H˯4푆l#p . @F=)ιLŏKK>G4M4_x7atǸڦkG'lU+0^G{>Tr0H20}]+p|23O#hqݑ}gu>m0 PF| ^Ng0E,jFTe0{7T5M*̛-~rwR-(7BbM'_""b%",0 ^dkz06yŸ*A9#gޔ6]Is7V)2٪2e6#Y),(Ƃ9dyˎ@FĒ2t7 pvJǐ +3*9J#Xj4v`nDr|D!iH%yx uV4^5/r'\>oi%ǵz}'3UG3И1M9Ej9)[ڼΎH=Ҕ3J*isa Y X6!oLQ=fi3f}&?Cn]xISV(NLP[/Km9Λ\=K\gW82^Lzf5Htk<“U$7re0_ e~'ov6Ř6O9i2ݴBtvb4YՋ8H8@ꐇR~?OJh钒^Qm8>'ޮe7 htB|-{YSLR-*ȾyQ]3,CZXEt `ѡK̼'eBRD%ڦ}[׹=g mUnhU.sb"22 N}$0-InUM+7To?Hq{1:H!$ȿAkDylҿMED{pVct#s>~ 3ȹ jQϽ{/pg۾uau,y ȹė=H׹XVS3~H[ aw ·,8zblnWx'B߫} SL;ߞ6W;ddY\'gu{[0nOߵҷopN]eHr?Y8PJߧ#MY0.?j.x$ :^1Tl7tn"ï×#q\kJ~ W ]"P+ƍϊkDWBF``T=a߀_'#Xjj(g=tYG"ƢIQt r`7d*o9$7i &aFĄB{̔/ںW]-gKD{fv֣HIGCڲ}syHg?}"'da]y i}㎇0)abTVo]{jX)/"OC\<6`FP3{y4\n߇[ e B*RAA\:YNSsL ed%Kn2x@xju΃;m 1na61Z]x26?$3+IvSYؽVW( SH&M|Qf=jvc&Tr1eDfDد\)|=G~.CTw"74>ϮQoue/ds|_}h]:Ըkw-S6=U5hOsҿ3L@3hl3N^<fj# 'X=?!)V{XiNp%Ri)PeFKCT~fcu|{9N}KrF="9`B ,TMcN5@UH5T\?̡]N s7+5lF, T04n`U/ h ܰ%~uKHU% Ӗvehݗ ` cNylX0l1qG6G1n/ 46Bɱv3eo(pe[8{CoYӵEve[HQbOU#_(&a+s}V#Zf$&UHj S$Fc7/qxE[]w&gYCuB%\۽t 2&9/:?;iVVEw[SB|pJCPxP}ػ+$q~6`?H)oY}s~aky^DfѰI4i阦%6YM'i݀8O̩7O OӇjboǮ6nkգLm?zET}{OJ2 O6vǜD> 湊}R̆>(dnɏ]CCZ֦2O$DY̷ZD*?lF?8lAZʃ2*)d ƶ" 4bR[^M[ {V{+RQΗC&2)$0ϯ~DX~|U+m'9Z7.7,g*SrK(-P_؂OsGa S#κ42{3r&,ibR$?bm',CSv Jʕ\q8ÁQF $mP,!IKۀRI }@LZ6BoLbZ]PWυ V_ĝӄ?(abhc]g3A7Ȉ͛ιc=Xm\cn3Hˣט>W-jgK="}hjc&+F 4D& ;Evi FXr 6HOy_Ҟ oIhvqNY09qOuu?iGs@!?Ee%R F4rKa߫4?@r̞T3DSfI [D֑ld~t uG>,h mGݵ͢ظt8VRmQKr +c3hdR:YXrsG{]r}q6c# Oq/ܭIS8>4ec A'_m˳О㥫@&A#VTo_zkjdqz:')B $l"(beSг)jE9C)O%fͥ(E`^Jq@P [ 逿VnA MZ`5P'~q1TC6)s-8-TafZ 8o1-yi7vȄhC¦nTNG^>h9])0zb.)L SH-n]:ړD2X8o_#8 aAq,Xxc~YukGJ֏;i幦ukQt*tTo4C]`F''3,k+nOD395~5 RⲾg6̘,aKnAwX]I(,1J~Τګyz/?gcf3Pkl1̳#3>'c)cX O?{_v˥}CDN}—FaoEp6z ZdY 8ztMH*`8ӬWb]ã\dN1X{Nm3eM_sEa> :X:cJ#85RʣE!84)) \d$J' _B.?@,\Uރ>0ޢA\#CAJ\B:"2OS~àƭFE+ EVL>s݊vUf=` bzvy33bW JTu@ׂOU%&:$9BZ? S@ Ȟ)l8rK5w2?m^ś]k_HY> M9Pxt)'zrL5Zn 1Z,}c̰Inΰ25ӭ0zЕ"8>{_&\z@$w1u䯋Dp6`Ie ln< +E)E`{C*dAcT(lekc%zZa΀6w%mcW*:"fi1$;C||GWet-c84xY6xá,M^2c|Z7(wZLj9/@pID7-7bQ |̈&lQΦ^}&.+ VMl }dfR]J`޻W6e@ށ0}@-MFC5văe~R7x aǵI}"38I'DD9#07o%E2MxᏲY|wA)|c6"Ѳ8o {Cz1d.#)iv:k>0üfhͰ|nHgn ئ!R<9nd-K ѽm.YRœX#4U$wTj^nޡOHa4w5%L=a?v+\sˠ0!7¥|.<~߫._l,E@ Rg1!l}yB}pohq&:-ƂA V[v9[,- s ]EU,%97vD)UpRttQfydrZ$5*QX<y⛃NKF@454A.E Ό0p>K\P?0 N>Y$'͞AF Oxvk\d !0 晤$ADRtD\BǍS7X.BPPI1 ;zԺW sO qdSo:8fY(NтYf62d )qD @lqMfW =ضuHa 7Qo ?~O/(lcbouZ7!ݏ+ޒIz\GajDlo~tP%Di$Zm*Cɝ֚kGE O5GOj,dQr+9p{)hG9G\B>|ny"D֣+(Q7 V&\~ OFz3 r~P20p2E/k= +sRě` hxe]j磚Lo8-paG:'֩)UQwFטַK{‹ÒCóhu^8'*cMe,Qѐ跣lm Mgٷx18)`E>ABoq!LiőpQv=oD|̨#\ȍ2wu ߗ(о 瑥5bJd Q{?@ ˙%`HcNR|v&qA £K{!x?&t>3q}gɈƃ zF_EYw ?l Ϙf]>Q:ŅjZ[VZ[W0x&禖̅e O6b_jrE zj2\FQ%2zC{{? I]3yb7Ú+ 섙2lT (5g?HD(~~C)0[}-*F CR/;P]gb cΏ/$ $(g"l|ƁϔHX|ailTlFgT#|hf_=:uxOhkOnUdͰuZΚ OqNa|WpYu+-i¬XS҂]ePh.2=Qм#[rrv;:o,8J@firAC=V tA9u9Gz[r/ 4HJ IL"S$QAنغ/T:/еˀ%>_eckKj i".T/C;AЫcӆ.‡޺C,Ӣ8Z;!FY}I@Z&|k5efN+>[_VJz yTq7C35M{e1!ǛNFeWc9y~(8L!.\ vU ^GSJ̤hKMl/bJuݩgZԷycH!$ H\5a7|&+Mz \UTolYW!s\hI 切_g 'EKVHL'>$ZwnZ,~6*+~o~L>%֏fA!\T{ʊL8'͆ EBagAq<Ŋn.Dh#sG /{T) T 2vx3$ye *WM~4v9_ٻDQOW6zYG1Uc'Z0|>+^+:"Kq#E pqh璇`{C/G8ZIUhJRd;L5JWZԢ/(hP;\ K9%`)4ZwBPlTj%s03*o!gB6ThA}ZC9GZy2F_Φk!Pٿu5ɨPb@(ik2e^a;RNpIV<=V<ƞG ceer(gd/W f/@b> 8% eɪ?4@$X=m:Z;/]WSjФCv{ c6DCs?Lq3'N ?GJp{PH`~魹-":={zHo UND "ח[OS77?(8 ԁX+2Ji]C;I=1& G:vq TUՏD)~xx7C]ƾl K޵a<4,0Cp>!]R#^rSaoY s !EF,ɯVЂ)Y| 묽ovB$ʆ&/ޔ7FDJ"-(ḂQWUᘢGtxX`W~LکNi!]J}.{T|G0&5;sШ1=!%JX7eA}G* asxz)z$,Q$kh6#1DGY[ѸƆWSp +. {N&)^O?TrM{q!KVZX]ʜ&, Ou Gs}3)[@(U!ylp c=)nh/0U3Ĩj|EQY&OELl엺]kcWT37ugCzN}|ƾZ0jY*jP7`b+)i)?ݯ;"_K-}%y}Y=E0 l T܉阶bCMՒUm&Wo?6^E,;’y6}8zxX1>O9-&]qo- = 5fô j!dZuYڄ!*\ ˄gBwQ/ -ExNj%NӟpGcq, qKe 6ƛ1c@L~bAj~lrsR &8I04\apV)cc4~7ӧnА4*Pkv^M~V*apd =P['+E++@Z',4nO,Mvm8id6; ]E!)%t Ov\gH Mߤ֜#Xۆ!ֺd,m1sX9^nHjU]$K<:R;|^-h1A2>X_NjW5&efψٯ6oF׎h;a7 xuv)ʘW*En&A}0n3\cӟ]a7FCεp{x?ޭtc:&Z9\tbO>3bO""7+& CJMO 3`2o%<-."Rt@$/%wHc^5`GoN{lR5^S XɖganO~%?89$ r1cD$32}T$ qr3Z y#._Eb.Nb'539i~&r"i|rpJ޵;];DO { @׼W`2Qu42q1\+<,ue9%LB 뫨ɡMF n0K̚r<@ڸ+&һl]3c{@&ͮ=j<}o1!#,XfsZ8W"BmCE\/qi>*Cj.$kvHy3}`ݪ\ȃ,7ϮF?m'8KXg2|a|Fl|l{qFZ{NFyoC`XWM3A~k9 oK~}"KWFl橴&c=4Lj+ 5j}_wA5 WiZF >&Ϲ)6V3?ƦrPslJI. (mrPSjGn}~!FM L n8{v g3?"ސǰY$`6B:#ҏ; Φo#^xwFz9Q|dJfOWgvE2^qbc z PdulVkp{r0*^O+ߔ>x1f>f4wJ#TFf%xmnn;Om(^ 'shR(7g|2Q;wQ2ScqNzL(J#97.%RjCo\O34`2KCh~& #Q#6jtmUa.^C{1URa x^гX%9e! S;3phǍ?ۙeSSc%ْY^g(&S5|ڡި*4F@אn6HzCVJ:o'B8%ZcMxT?X"UIpRB9I=C$CG(K*IĠ5@L!@?ENW 9TOb3Byv!?D$18a^6Mjk jI@߼5IW%sj.P.ǔL27x# :6SszNݾXb,e)_Jy2Zu#^@yoU QY qe[Y JSן=c\ZR(3|Qۺ6 UZ_+9ѦKjJC"Ӟt"}4ZoDeVŬ_`w"?WO˟%UdzR,fvp L fx`oꇓ{> 8m2TőJ^} S%+SIL;Y;j ZJVkA{t,?9K@?vXTVWAN7%oŷU P^|#&%,_WI/Kl}XaQ|AFE !+F &;_ otzKutDg,kytEh3!6g/x碗ݻ]*EOtD݌i6Oy K2D6þg{ Aᯙ.@;~`kI2 Qxk<;jC5t'^ߤB9  /JBE!Lhr̊zWE%sT K1'b`lZ6$93JDM>Н W@9yQ3 fXnL6ѹ`fW@G‹qq-MHhuޝo$$2蒢gCg8!eL>o[3o)&EByLWڌ{/,  }} 5~Oi SLEn@dGIDf#1ݟ\\o~7 e7qψl ;BzdI=?"3z  /sAW OwKUZuqǮ¦,1ATy%eC'8Ƣe10Hk]j1NF*l1Ys&mefIvKJ72,fDt8O_W k{vIt)Rj ]ҊgLLBZ5Nqũ8Q gJ֝`3]/c449GP:x974Ϧpu8Һ\8$1Yy-Ӟ;üe;`l삇_U~#(N_` ;Aه й]s3<Ǎ-F̆^Lu 5Ho)椥>:66 k|ZX$i+\nu b1HQ Sk?$?z3|"bBB?xK:XF`H9/mc>1P';>1rQȜҗG=Q3o3~6`8 a&Œ/a,>}^ A/ !+Pե^(-X=Wɟ& o*汜$ko `lN['9E%4n$q"\esjQiyҾ:AW-ɬ˝quF׬/PG|E~J@䩼 LcL3%RjM^>gP.΋gYR;AqxsH%GAy.8Nj潪5}k{{Ehn P+FH2&_}tkQ.IgOS eU{gݬ6K. #LN5OWxs 0D#{.zMo*<ĜE]OYS#^ׁ*`,k4I}w?]Fyb8<JI%kb҆х\ŕU@E7GtJ}ܧ5CϧݾQg&x@ou߻WJeXV?P>f.Jp+-fU+g<"/Ky*U87m.il..֐y S"eUi 'PCH{?_]O["E5t2=Ih:h1X?G`;OPlmv<;wyd]$g1A#-PV ̇]xoʮ+գ,I;a ֤ gr5vn8X4/!MYgLQύ<1 y\)pq|xu[gAW >) ]lŵ!W'd8  ď%Nh[BLUϘARm ھZӪfVukqABIYA9ə^M]зMدMeBgAGZ=%s+Oleq &uw݋IMP2.~ Qݽ i YPNDC1Yf_>wQԞ"+)f+(^x1FSv Vj m5Dușō^MwZ[$b)C-Y4?rPga Z.F"`-1{ƙxޤ #Kn%JJ$%QdbڽU ? (vG^`>[b8˭˵W糲H%~vK$U9}RBɁFvM S$CJ'РXsl ]ᙟ-J^&BOc:(JShp9-YTɟ8 ?ZyŹwٓ[{3mtt~hfsNJKa.{C/aI+O#4(1=(a7*c4/W6]U2l -%H" adRs! c~fVO~(!EDS=,2^J,r{&Lk?++jc8Ϩ; B$WgQ%t=B((ͧ?4>=]4 cs(aVZ3)qO>#WK.U(\ ;($p&QxD4f@6_4D,ު酎m@l'Ճw -y;oȽ(fq(5g; nufӣ7ͺ=U8fc6rd UkgsMwJ>ʈ*X|D߯uMZ5L,{|iwݬ-Dq52t6oyyg~礈[NxٟtjWu1L=pB ytP0%kpy<"2sTek<̤H6"` "u.vm'jY/9%4SB!mĔ<<9iN{7ũW.ۼL%%a*ɏmPL ErgGϓz]&ŷ^0% J#ep`*q! זJ^K2AZק/X3rB믎k/pޑD#Hyk-`[ٺ]ljS5 ְ?NTyMGB)XF&G ]Xyϫ{pK؛dg?`/Rt8i]Y bpOcۭ0ax?ZY,{&F&#UB-Y]|g~XobzpTGYx9fqN#fp| vwG8-dD/cFK][]LxE^Rިנa%wR@kޘndcjp0 ="x/LsHgCyO`֍Utp,X7):w`B(ʏ)Q@Ii8sWxYRKp=>^xvY7=Y,6us(0k[u4"BsP: a#1QxPύy`1j4\#m怞 ` u`&b;C$i0p۶ YZ