shim-15.8-150300.4.20.2<>,ԉf!p9|9$Ch9^/qtvSzMݢeW(0\'c^Set0 PfeOo["F~fUST`0w=NC&9& S?dl|y]WsF\=a?Xwnqf<րGa Ze~j NA ޟRq5>M ~D=4sC{e !2 d]\L#XKteƤXWhlDFE(?q>>@̤?̔d   +  ,2:P             I      ( 8 |9 |:|>G H4 Ih XxYǀ\Ǩ ] ^b bcɣd"e'f*l,u@ vtwʼ x y$(;DHN̐Cshim15.8150300.4.20.2UEFI shim loadershim is a trivial EFI application that, when run, attempts to open and execute another application.f!h02-armsrv2-SUSE Linux Enterprise 15SUSE LLC BSD-2-Clausehttps://www.suse.com/System/Boothttps://github.com/rhboot/shimlinuxaarch64 loader_type=`sed -n \ "/^[^#]*LOADER_TYPE=/{s@.*=\(.*\)@\1@;s@^[\"']@@;s@[\"']\\$@@;p;q}" \ /etc/sysconfig/bootloader \ 2>/dev/null || :` for bl in grub2-efi; do if test "x${bl}" == "x$loader_type"; then mkdir -p /run/update-bootloader/ touch /run/update-bootloader/reinit break fi done # copy from kernel-scriptlets/cert-script is_efi () { local msg rc=0 # The below statement fails if mokutil isn't installed or UEFI is unsupported. # It doesn't fail if UEFI is available but secure boot is off. msg="$(mokutil --sb-state 2>&1)" || rc=$? return $rc } # run mokutil for setting sbat policy to latest mode EFIVARFS=/sys/firmware/efi/efivars SBAT_POLICY="$EFIVARFS/SbatPolicy-605dab50-e046-4300-abb6-3dd810dd8b23" if is_efi; then if [ -w $EFIVARFS ] && \ [ ! -f "$SBAT_POLICY" ] && \ mokutil -h | grep -q "set-sbat-policy"; \ then # Only apply CA check on the kernel package certs (bsc#1173115) mokutil --set-sbat-policy latest fi fi< =  AA큤A큤AA큤$f! f! f! f! f! emf! f! f!f!f! f!f! c315e37690d6847d6603db8c6f7b4c20aae7c89af3bf5e8e41c48416ea1da5b449f2e63f2e7f0cc94dab42932e26ea4160ef96860f6e2cc0f9d72ec12c1b8cbf15edf527919ddcb2f514ab9d16ad07ef219e4bb490e0b79560be510f0c159cc238da9c926413ef1113660a3c0b992f0c9c0b60032ef1088a6b45e0e5ecdd0f22e15d4eb10d5e9b073e9b544df19427432b41111eafd65b44c44f12358af4a4efc315e37690d6847d6603db8c6f7b4c20aae7c89af3bf5e8e41c48416ea1da5b46f5b827bd899efb35077020ab1fbad4a4a97fd53bae9b6aecfaf3125b354aa2eshim-sles.efirootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootshim-15.8-150300.4.20.2.src.rpmshimshim(aarch-64)@      /bin/bash/bin/sh/bin/shmokutilperl-Bootloaderrpmlib(CompressedFileNames)rpmlib(FileDigests)rpmlib(PayloadFilesHavePrefix)rpmlib(PayloadIsXz)3.0.4-14.6.0-14.0-15.2-14.14.3f! @eepe@eAee@e e @dbd7d7d3@d!@c@c#@c~ @cwscwscv"@cv"@cs@cs@cs@c5c@b@bbޅb@bUi`#@`ݮ@`@`@`@`9@````q`+`@`@``N@`e@``n@`m`dd@`a@`[)`J@`F` @___@__[@_R,@_C_?@_+_$__*@_X@_X@^0^@^oj@]e@]V\@\r@\}\,@\eX@\N\@n@\Size of reloc section f7a4338 Skip testing msleep() 549d346 Rename 'msecs' to 'usecs' to avoid potential confusion 908c388 Change type of fallback_verbose_wait from int to unsigned long 05eae92 Add SbatLevel_Variable.txt to document the various revocations 243f125 Use -Wno-unused-but-set-variable for Cryptlib and OpenSSL 89d25a1 Add a make rule for compile_commands.json 118ff87 Add gnu-stack notes f132655 test: Make our fake dprintf be a statement. be00279 Remove CentOS 7 test builds. 9964960 Split pe.c up even more. 569270d Test (and fix) ImageAddress() 61e9894 Verify signature before verifying sbat levels 1578b55 Add libFuzzer support for csv.c a0673e3 Fix a 1-byte memory leak in .sbat parsing. e246812 Add libFuzzer support to the .sbat parser. fd43eda Work around ImageAddress() usage mistake 1e985a3 Correctly free memory allocated in handle_image() dbbe3c8 mok: Avoid underflow in maximum variable size calculation 04111d4 Make some of the static analysis tools a little easier to run 7ba7440 compile_commands.json: remove stuff clang doesn't like 66e6579 CVE-2023-40546 mok: fix LogError() invocation f271826 Add primitives for overflow-checked arithmetic operations. 8372147 pe-relocate: Add a fuzzer for read_header() 5a5147d CVE-2023-40551: pe-relocate: Fix bounds check for MZ binaries e912071 pe-relocate: make read_header() use checked arithmetic operations. 93ce255 CVE-2023-40550 pe: Fix an out-of-bound read in verify_buffer_sbat() e7f5fdf pe-relocate: Ensure nothing else implements CVE-2023-40550 afdc503 CVE-2023-40549 Authenticode: verify that the signature header is in bounds. 96dccc2 CVE-2023-40548 Fix integer overflow on SBAT section size on 32-bit system dae82f6 Further mitigations against CVE-2023-40546 as a class ea0f9df Allow SbatLevel data from external binary b078ef2 Always clear SbatLevel when Secure Boot is disabled 7dfb687 BS Variables for bootmgr revocations a967c0e shim should not self revoke 577cedd Print message when refusing to apply SbatLevel e801b0d sbat revocations: check the full section name 0226b56 CVE-2023-40547 - avoid incorrectly trusting HTTP headers 6f0c8d2 Print errors when setting/clearing memory attrs 57c0eed Updated Revocations for January 2024 CVEs 49c6d95 Fix some minor ia32 build issues. be8ff7c post-process-pe: Don't set the NX_COMPAT flag by default after all. 13abd9f pe-relocate: Avoid __builtin_add_overflow() on GCC < 5 c46c975 Suppress "Failed to open <..>\revocations.efi" when file does not exist 30a4f37 Rename "previous" revocations to "automatic" 6f395c2 Build time selectable automatic SBATLevel revocations a23e2f0 netboot read_image() should not hardcode DEFAULT_LOADER 993a345 Try to load revocations.efi even if directory read fails 1770a03 gitmodules: use shim-15.8 for gnu-efi branch 5914984 (HEAD -> main, tag: latest-release, tag: 15.8, origin/main, origin/HEAD) Bump version to 15.8- Generate dbx during build so we don't include binary files in sources- Don't require grub so shim can still be used with systemd-boot- Update shim-install to fix boot failure of ext4 root file system on RAID10 (bsc#1205855) 226c94ca5cfca Use hint in looking for root if possible- Adopt the macros from fde-tpm-helper-macros to update the signature in the sealed key after a bootloader upgrade- Update shim-install to amend full disk encryption support b540061e041b Adopt TPM 2.0 Key File for grub2 TPM 2.0 protector f2e8143ce831 Use the long name to specify the grub2 key protector 72830120e5ea cryptodisk: support TPM authorized policies 49e7a0d307f3 Do not use tpm_record_pcrs unless the command is in command.lst- Sometimes SLE shim signature be Microsoft updated before openSUSE shim signature. When submit request on IBS for updating SLE shim, the submitreq project be generated, but it always be blocked by checking the signature of openSUSE shim. It doesn't make sense checking openSUSE shim signature when building SLE shim on SLE platform, and vice versa. So the following change adds the logic to compare suffix (sles, opensuse) with distro_id (sle, opensuse). When and only when hash mismatch and distro_id match with suffix, stop building. [#] compare suffix (sles, opensuse) with distro_id (sle, opensuse) [#] when hash mismatch and distro_id match with suffix, stop building- Upgrade shim-install for bsc#1210382 After closing Leap-gap project since Leap 15.3, openSUSE Leap direct uses shim from SLE. So the ca_string is 'SUSE Linux Enterprise Secure Boot CA1', not 'openSUSE Secure Boot CA1'. It causes that the update_boot=no, so all files in /boot/efi/EFI/boot are not updated. The 86b73d1 patch added the logic that using ID field in os-release for checking Leap distro and set ca_string to 'SUSE Linux Enterprise Secure Boot CA1'. Then /boot/efi/EFI/boot/* can also be updated. - https://github.com/SUSE/shim-resources (git log --oneline) 86b73d1 Fix that bootx64.efi is not updated on Leap f2e8143 Use the long name to specify the grub2 key protector 7283012 cryptodisk: support TPM authorized policies 49e7a0d Do not use tpm_record_pcrs unless the command is in command.lst 26c6bd5 Have grub take a snapshot of "relevant" TPM PCRs 5c2c3ad Handle different cases of controlling cryptomount volumes during first stage boot a5c5734 Introduce --no-grub-install option- Removed POST_PROCESS_PE_FLAGS=-N from the build command in shim.spec to enable the NX compatibility flag when using post-process-pe after discussed with grub2 experts in mail. It's useful for further development and testing. (bsc#1205588)- Updated shim signature after shim 15.7 of SLE be signed back: signature-sles.x86_64.asc, signature-sles.aarch64.asc (bsc#1198458, CVE-2022-28737)- Removed shim-bsc1198101-opensuse-cert-prompt.patch (bsc#1198101) - Detail discussion is in bugzilla: https://bugzilla.suse.com/show_bug.cgi?id=1198101 - The shim community review and challenge this prompt. No other distro shows prompt (Have checked Fedora 37, CentOS 9 and Ubuntu 22.10). Currently, it blocked the review process of openSUSE shim. - Other distros lock-down kernel when secure boot is enabled. Some of them used different key for signing kernel binary with In-tree kernel module. And their build service does not provide signed Out-off-tree module.- Modified shim-install, add the following Olaf Kirch's patches to support full disk encryption: (jsc#PED-922) a5c57340740c Introduce --no-grub-install option 5c2c3addc51f Handle different cases of controlling cryptomount volumes during first stage boot 26c6bd5df7ae Have grub take a snapshot of "relevant" TPM PCRs- Add POST_PROCESS_PE_FLAGS=-N to the build command in shim.spec to disable the NX compatibility flag when using post-process-pe because grub2 is not ready. (bsc#1205588) - Kernel can boot with the NX compatibility flag since 82e0d6d76a2a7 be merged to v5.19. On the other hand, upstream is working on improve compressed kernel stage for NX: [PATCH v3 00/24] x86_64: Improvements at compressed kernel stage https://www.spinics.net/lists/kernel/msg4599636.html- Add shim-Enable-the-NX-compatibility-flag-by-default.patch to enable the NX compatibility flag by default. (jsc#PED-127)- Drop upstreamed patch: - shim-Enable-TDX-measurement-to-RTMR-register.patch - Enable TDX measurement to RTMR register (jsc#PED-1273) - 4fd484e4c2 15.7- Update to 15.7 (bsc#1198458)(jsc#PED-127) - Patches (git log --oneline --reverse 15.6..15.7) 0eb07e1 Make SBAT variable payload introspectable 092c2b2 Reference MokListRT instead of MokList 8b59b69 Add a link to the test plan in the readme. 4fd484e Enable TDX measurement to RTMR register 14d6339 Discard load-options that start with a NUL 5c537b3 shim: Flush the memory region from i-cache before execution 2d4ebb5 load_cert_file: Fix stack issue ea4911c load_cert_file: Use EFI RT memory function 0cf43ac Add -malign-double to IA32 compiler flags 17f0233 pe: Fix image section entry-point validation 5169769 make-archive: Build reproducible tarball aa1b289 mok: remove MokListTrusted from PCR 7 53509ea CryptoPkg/BaseCryptLib: fix NULL dereference 616c566 More coverity modeling ea0d0a5 Update shim's .sbat to sbat,3 dd8be98 Bump grub's sbat requirement to grub,3 1149161 (HEAD -> main, tag: 15.7, origin/main, origin/HEAD) Update version to 15.7 - 15.7 release note https://github.com/rhboot/shim/releases Make SBAT variable payload introspectable by @chrisccoulson in #483 Reference MokListRT instead of MokList by @esnowberg in #488 Add a link to the test plan in the readme. by @vathpela in #494 [V3] Enable TDX measurement to RTMR register by @kenplusplus in #485 Discard load-options that start with a NUL by @frozencemetery in #505 load_cert_file bugs by @esnowberg in #523 Add -malign-double to IA32 compiler flags by @nicholasbishop in #516 pe: Fix image section entry-point validation by @iokomin in #518 make-archive: Build reproducible tarball by @julian-klode in #527 mok: remove MokListTrusted from PCR 7 by @baloo in #519 - Drop upstreamed patch: - shim-bsc1177789-fix-null-pointer-deref-AuthenticodeVerify.patch - Cryptlib/CryptAuthenticode: fix NULL pointer dereference in AuthenticodeVerify() - 53509eaf22 15.7 - shim-jscPED-127-upgrade-shim-in-SLE15-SP5.patch - For backporting the following patches between 15.6 with aa1b289a1a (jsc#PED-127) - The following patches are merged to 15.7 aa1b289a1a mok: remove MokListTrusted from PCR 7 0cf43ac6d7 Add -malign-double to IA32 compiler flags ea4911c2f3 load_cert_file: Use EFI RT memory function 2d4ebb5a79 load_cert_file: Fix stack issue 5c537b3d0c shim: Flush the memory region from i-cache before execution 14d6339829 Discard load-options that start with a NUL 092c2b2bbe Reference MokListRT instead of MokList 0eb07e11b2 Make SBAT variable payload introspectable- Update shim.changes, added missed shim 15.6-rc1 and 15.6 changelog to the item in Update to 15.6. (bsc#1198458)- Add shim-jscPED-127-upgrade-shim-in-SLE15-SP5.patch for backporting the following patches between 15.6 with aa1b289a1a (jsc#PED-127): aa1b289a1a16774afc3143b8948d97261f0872d0 mok: remove MokListTrusted from PCR 7 0cf43ac6d78c6f47f8b91210639ac1aa63665f0b Add -malign-double to IA32 compiler flags ea4911c2f3ce8f8f703a1476febac86bb16b00fd load_cert_file: Use EFI RT memory function 2d4ebb5a798aafd3b06d2c3cb9c9840c1caa41ef load_cert_file: Fix stack issue 5c537b3d0cf8c393dad2e61d49aade68f3af1401 shim: Flush the memory region from i-cache before execution 14d63398298c8de23036a4cf61594108b7345863 Discard load-options that start with a NUL 092c2b2bbed950727e41cf450b61c794881c33e7 Reference MokListRT instead of MokList 0eb07e11b20680200d3ce9c5bc59299121a75388 Make SBAT variable payload introspectable- Add shim-Enable-TDX-measurement-to-RTMR-register.patch to support enhance shim measurement to TD RTMR. (jsc#PED-1273)- For pushing openSUSE:Factory/shim to SLE15-SP5, sync the shim.spec and shim.changes: (jsc#PED-127) - Add some change log from SLE shim.changes to Factory shim.changes Those messages are added "(sync shim.changes from SLE)" tag. - Add the following changes to shim.spec - only apply Patch100, the shim-bsc1198101-opensuse-cert-prompt.patch on openSUSE. - Enable the AArch64 signature check for SLE: [#] AArch64 signature signature=%{SOURCE13}- shim-install: ensure grub.cfg created is not overwritten after installing grub related files- Add logic to shim.spec to only set sbat policy when efivarfs is writeable. (bsc#1201066)- Add logic to shim.spec for detecting --set-sbat-policy option before using mokutil to set sbat policy. (bsc#1202120)- Change the URL in SBAT section to mail:security@suse.de. (bsc#1193282)- Revoked the change in shim.spec for "use common SBAT values (boo#1193282)" - we need to build openSUSE Tumbleweed's shim on Leap 15.4 because Factory is unstable for building out a stable shim binary for signing. (bsc#1198458) - But the rpm-config-suse package in Leap 15.4 is direct copied from SLE 15.4 because closing-the-leap-gap. So sbat_distro_* variables are SLE version, not for openSUSE. (bsc#1198458)- Update to 15.6 (bsc#1198458) - shim-15.6.tar.bz2 is downloaded from bsc#1198458#c76 which is from upstream grub2.cve_2021_3695.ms keybase channel. - For building 15.6~rc1 aarch64 image (d6eb9c6 Modernize aarch64), objcopy needs to support efi-app-aarch64 target. So we need the following patches in bintuils: - binutils-AArch64-Add-support-for-AArch64-EFI-efi-aarch64.patch b69c9d41e8 AArch64: Add support for AArch64 EFI (efi-*-aarch64). - binutils-Re-AArch64-Add-support-for-AArch64-EFI-efi-aarch64.patch 32384aa396 Re: AArch64: Add support for AArch64 EFI (efi-*-aarch64) - binutils-Re-Add-support-for-AArch64-EFI-efi-aarch64.patch d91c67e873 Re: Add support for AArch64 EFI (efi-*-aarch64) - Patches (git log --oneline --reverse 15.5~..77144e5a4) 448f096 MokManager: removed Locate graphic output protocol fail error message (bsc#1193315, bsc#1198458) a2da05f shim: implement SBAT verification for the shim_lock protocol bda03b8 post-process-pe: Fix a missing return code check af18810 CI: don't cancel testing when one fails ba580f9 CI: remove EOL Fedoras from github actions bfeb4b3 Remove aarch64 build tests before f35 38cc646 CI: Add f36 and centos9 CI build tests. b5185cb post-process-pe: Fix format string warnings on 32-bit platforms 31094e5 tests: also look for system headers in multi-arch directories 4df989a mock-variables.c: fix gcc warning 6aac595 test-str.c: fix gcc warnings with FORTIFY_SOURCE enabled 2670c6a Allow MokListTrusted to be enabled by default 5c44aaf Add code of conduct d6eb9c6 Modernize aarch64 9af50c1 Use ASCII as fallback if Unicode Box Drawing characters fail de87985 make: don't treat cert.S specially 803dc5c shim: use SHIM_DEVEL_VERBOSE when built in devel mode 6402f1f SBAT matching: Break out of the inner sbat loop if we find the entry. bb4b60e Add verify_image acfd48f Abstract out image reading 35d7378 Load additional certs from a signed binary 8ce2832 post-process-pe: there is no 's' argument. 465663e Add some missing PE image flag definitions 226fee2 PE Loader: support and require NX df96f48 Add MokPolicy variable and MOK_POLICY_REQUIRE_NX b104fc4 post-process-pe: set EFI_IMAGE_DLLCHARACTERISTICS_NX_COMPAT f81a7cc SBAT revocation management abe41ab make: unbreak scan-build again for gnu-efi 610a1ac sbat.h: minor reformatting for legibility f28833f peimage.h: make our signature macros force the type 5d789ca Always initialize data/datasize before calling read_image() a50d364 sbat policy: make our policy change actions symbolic 5868789 load_certs: trust dir->Read() slightly less. a78673b mok.c: fix a trivial dead assignment 759f061 Fix preserve_sbat_uefi_variable() logic aa61fdf Give the Coverity scanner some more GCC blinders... 0214cd9 load_cert_file(): don't defererence NULL 1eca363 mok import: handle OOM case 75449bc sbat: Make nth_sbat_field() honor the size limit c0bcd04 shim-15.6~rc1 77144e5 SBAT Policy latest should be a one-shot - 15.5 release note https://github.com/rhboot/shim/releases Broken ia32 relocs and an unimportant submodule change. by @vathpela in #357 mok: allocate MOK config table as BootServicesData by @lcp in #361 Don't call QueryVariableInfo() on EFI 1.10 machines by @vathpela in #364 Relax the check for import_mok_state() by @lcp in #372 SBAT.md: trivial changes by @hallyn in #389 shim: another attempt to fix load options handling by @chrisccoulson in #379 Add tests for our load options parsing. by @vathpela in #390 arm/aa64: fix the size of .rela* sections by @lcp in #383 mok: fix potential buffer overrun in import_mok_state by @jyong2 in #365 mok: relax the maximum variable size check by @lcp in #369 Don't unhook ExitBootServices when EBS protection is disabled by @sforshee in #378 fallback: find_boot_option() needs to return the index for the boot entry in optnum by @jsetje in #396 httpboot: Ignore case when checking HTTP headers by @frozencemetery in #403 Fallback allocation errors by @vathpela in #402 shim: avoid BOOTx64.EFI in message on other architectures by @xypron in #406 str: remove duplicate parameter check by @xypron in #408 fallback: add compile option FALLBACK_NONINTERACTIVE by @xnox in #359 Test mok mirror by @vathpela in #394 Modify sbat.md to help with readability. by @eshiman in #398 csv: detect end of csv file correctly by @xypron in #404 Specify that the .sbat section is ASCII not UTF-8 by @daxtens in #413 tests: add "include-fixed" GCC directory to include directories by @diabonas in #415 pe: simplify generate_hash() by @xypron in #411 Don't make shim abort when TPM log event fails (RHBZ #2002265) by @rmetrich in #414 Fallback to default loader if parsed one does not exist by @julian-klode in #393 fallback: Fix for BootOrder crash when index returned by find_boot_option() is not in current BootOrder list by @rmetrich in #422 Better console checks by @vathpela in #416 docs: update SBAT UEFI variable name by @nicholasbishop in #421 Don't parse load options if invoked from removable media path by @julian-klode in #399 fallback: fix fallback not passing arguments of the first boot option by @martinezjavier in #433 shim: Don't stop forever at "Secure Boot not enabled" notification by @rmetrich in #438 Shim 15.5 coverity by @vathpela in #439 Allocate mokvar table in runtime memory. by @vathpela in #447 Remove post-process-pe on 'make clean' by @vathpela in #448 pe: missing perror argument by @xypron in #443 - 15.6-rc1 release note https://github.com/rhboot/shim/releases MokManager: removed Locate graphic output protocol fail error message by @joeyli in #441 shim: implement SBAT verification for the shim_lock protocol by @chrisccoulson in #456 post-process-pe: Fix a missing return code check by @vathpela in #462 Update github actions matrix to be more useful by @frozencemetery in #469 Add f36 and centos9 CI builds by @vathpela in #470 post-process-pe: Fix format string warnings on 32-bit platforms by @steve-mcintyre in #464 tests: also look for system headers in multi-arch directories by @steve-mcintyre in #466 tests: fix gcc warnings by @akodanev in #463 Allow MokListTrusted to be enabled by default by @esnowberg in #455 Add code of conduct by @frozencemetery in #427 Re-add ARM AArch64 support by @vathpela in #468 Use ASCII as fallback if Unicode Box Drawing characters fail by @vathpela in #428 make: don't treat cert.S specially by @vathpela in #475 shim: use SHIM_DEVEL_VERBOSE when built in devel mode by @vathpela in #474 Break out of the inner sbat loop if we find the entry. by @vathpela in #476 Support loading additional certificates by @esnowberg in #446 Add support for NX (W^X) mitigations. by @vathpela in #459 Misc fixups from scan-build. by @vathpela in #477 Fix preserve_sbat_uefi_variable() logic by @jsetje in #478 - 15.6 release note https://github.com/rhboot/shim/releases MokManager: removed Locate graphic output protocol fail error message by @joeyli in #441 shim: implement SBAT verification for the shim_lock protocol by @chrisccoulson in #456 post-process-pe: Fix a missing return code check by @vathpela in #462 Update github actions matrix to be more useful by @frozencemetery in #469 Add f36 and centos9 CI builds by @vathpela in #470 post-process-pe: Fix format string warnings on 32-bit platforms by @steve-mcintyre in #464 tests: also look for system headers in multi-arch directories by @steve-mcintyre in #466 tests: fix gcc warnings by @akodanev in #463 Allow MokListTrusted to be enabled by default by @esnowberg in #455 Add code of conduct by @frozencemetery in #427 Re-add ARM AArch64 support by @vathpela in #468 Use ASCII as fallback if Unicode Box Drawing characters fail by @vathpela in #428 make: don't treat cert.S specially by @vathpela in #475 shim: use SHIM_DEVEL_VERBOSE when built in devel mode by @vathpela in #474 Break out of the inner sbat loop if we find the entry. by @vathpela in #476 Support loading additional certificates by @esnowberg in #446 Add support for NX (W^X) mitigations. by @vathpela in #459 Misc fixups from scan-build. by @vathpela in #477 Fix preserve_sbat_uefi_variable() logic by @jsetje in #478 SBAT Policy latest should be a one-shot by @jsetje in #481 pe: Fix a buffer overflow when SizeOfRawData > VirtualSize by @chriscoulson pe: Perform image verification earlier when loading grub by @chriscoulson Update advertised sbat generation number for shim by @jsetje Update SBAT generation requirements for 05/24/22 by @jsetje Also avoid CVE-2022-28737 in verify_image() by @vathpela - Drop upstreamed patch: - shim-bsc1184454-allocate-mok-config-table-BS.patch - Allocate MOK config table as BootServicesData to avoid the error message from linux kernel - 4068fd42c8 15.5-rc1~70 - shim-bsc1185441-fix-handling-of-ignore_db-and-user_insecure_mode.patch - Handle ignore_db and user_insecure_mode correctly - 822d07ad4f07 15.5-rc1~73 - shim-bsc1185621-relax-max-var-sz-check.patch - Relax the maximum variable size check for u-boot - 3f327f546c219634b2 15.5-rc1~49 - shim-bsc1185261-relax-import_mok_state-check.patch - Relax the check for import_mok_state() when Secure Boot is off - 9f973e4e95b113 15.5-rc1~67 - shim-bsc1185232-relax-loadoptions-length-check.patch - Relax the check for the LoadOptions length - ada7ff69bd8a95 15.5-rc1~52 - shim-fix-aa64-relsz.patch - Fix the size of rela* sections for AArch64 - 34e3ef205c5d65 15.5-rc1~51 - shim-bsc1187260-fix-efi-1.10-machines.patch - Don't call QueryVariableInfo() on EFI 1.10 machines - 493bd940e5 15.5-rc1~69 - shim-bsc1185232-fix-config-table-copying.patch - Avoid buffer overflow when copying the MOK config table - 7501b6bb44 15.5-rc1~50 - shim-bsc1187696-avoid-deleting-rt-variables.patch - Avoid deleting the mirrored RT variables - b1fead0f7c9 15.5-rc1~37 - Add "rm -f *.o" after building MokManager/fallback in shim.spec to make sure all object files gets rebuilt - reference: https://github.com/rhboot/shim/pull/461 - The following fix-CVE-2022-28737-v6 patches against bsc#1198458 are included in shim-15.6.tar.bz2 - shim-bsc1198458-pe-Fix-a-buffer-overflow-when-SizeOfRawData-VirtualS.patch pe: Fix a buffer overflow when SizeOfRawData VirtualSize - shim-bsc1198458-pe-Perform-image-verification-earlier-when-loading-g.patch pe: Perform image verification earlier when loading grub - shim-bsc1198458-Update-advertised-sbat-generation-number-for-shim.patch Update advertised sbat generation number for shim - shim-bsc1198458-Update-SBAT-generation-requirements-for-05-24-22.patch Update SBAT generation requirements for 05/24/22 - shim-bsc1198458-Also-avoid-CVE-2022-28737-in-verify_image.patch Also avoid CVE-2022-28737 in verify_image() - 0006-shim-15.6-rc2.patch - 0007-sbat-add-the-parsed-SBAT-variable-entries-to-the-deb.patch sbat: add the parsed SBAT variable entries to the debug log - 0008-bump-version-to-shim-15.6.patch - Add mokutil command to post script for setting sbat policy to latest mode when the SbatPolicy-605dab50-e046-4300-abb6-3dd810dd8b23 is not created. (bsc#1198458) - Add shim-bsc1198101-opensuse-cert-prompt.patch back to openSUSE shim to show the prompt to ask whether the user trusts openSUSE certificate or not (bsc#1198101) - Updated vendor dbx binary and script (bsc#1198458) - Updated dbx-cert.tar.xz and vendor-dbx-sles.bin for adding SLES-UEFI-SIGN-Certificate-2021-05.crt to vendor dbx list. - Updated dbx-cert.tar.xz and vendor-dbx-opensuse.bin for adding openSUSE-UEFI-SIGN-Certificate-2021-05.crt to vendor dbx list. - Updated vendor-dbx.bin for adding SLES-UEFI-SIGN-Certificate-2021-05.crt and openSUSE-UEFI-SIGN-Certificate-2021-05.crt for testing environment. - Updated generate-vendor-dbx.sh script for generating a vendor-dbx.bin file which includes all .der for testing environment.- use common SBAT values (boo#1193282)- Update the SLE signatures (sync shim.changes from SLE)- Add shim-bsc1187696-avoid-deleting-rt-variables.patch to avoid deleting the mirrored RT variables (bsc#1187696)(sync shim.changes from SLE) - Split the keys in vendor-dbx.bin to vendor-dbx-sles and vendor-dbx-opensuse for shim-sles and shim-opensuse to reduce the size of MokListXRT (bsc#1185261) + Also update generate-vendor-dbx.sh in dbx-cert.tar.xz - Add shim-bsc1185441-fix-handling-of-ignore_db-and-user_insecure_mode.patch to handle ignore_db and user_insecure_mode correctly (bsc#1185441, bsc#1187071) - Add shim-bsc1185621-relax-max-var-sz-check.patch to relax the maximum variable size check for u-boot (bsc#1185621) + Also drop AArch64 suse-signed shim since we merged this patch - Add shim-bsc1185261-relax-import_mok_state-check.patch to relax the check for import_mok_state() when Secure Boot is off. (bsc#1185261) - Add shim-bsc1185232-relax-loadoptions-length-check.patch to ignore the odd LoadOptions length (bsc#1185232) - shim-install: reset def_shim_efi to "shim.efi" if the given file doesn't exist - Add shim-fix-aa64-relsz.patch to fix the size of rela sections for AArch64 Fix: https://github.com/rhboot/shim/issues/371 - Add shim-disable-export-vendor-dbx.patch to disable exporting vendor-dbx to MokListXRT since writing a large RT variable could crash some machines (bsc#1185261) - Add shim-bsc1187260-fix-efi-1.10-machines.patch to avoid the potential crash when calling QueryVariableInfo in EFI 1.10 machines (bsc#1187260) - Add shim-bsc1185232-fix-config-table-copying.patch to avoid buffer overflow when copying data to the MOK config table (bsc#1185232)- Add shim-bsc1185232-fix-config-table-copying.patch to avoid buffer overflow when copying data to the MOK config table (bsc#1185232)- Add shim-disable-export-vendor-dbx.patch to disable exporting vendor-dbx to MokListXRT since writing a large RT variable could crash some machines (bsc#1185261) - Add shim-bsc1187260-fix-efi-1.10-machines.patch to avoid the potential crash when calling QueryVariableInfo in EFI 1.10 machines (bsc#1187260)- Add shim-fix-aa64-relsz.patch to fix the size of rela sections for AArch64 Fix: https://github.com/rhboot/shim/issues/371- Add shim-bsc1185232-relax-loadoptions-length-check.patch to ignore the odd LoadOptions length (bsc#1185232)- shim-install: reset def_shim_efi to "shim.efi" if the given file doesn't exist- shim-install: instead of assuming "removable" for Azure, remove fallback.efi from \EFI\Boot and copy grub.efi/cfg to \EFI\Boot to make \EFI\Boot bootable and keep the boot option created by efibootmgr (bsc#1185464, bsc#1185961)- Add shim-bsc1185261-relax-import_mok_state-check.patch to relax the check for import_mok_state() when Secure Boot is off. (bsc#1185261)- shim-install: always assume "removable" for Azure to avoid the endless reset loop (bsc#1185464)- Include suse-signed shim for AArch64 (bsc#1185621) (sync shim.changes from SLE)- Add shim-bsc1185621-relax-max-var-sz-check.patch to relax the maximum variable size check for u-boot (bsc#1185621)- Add shim-bsc1185441-fix-handling-of-ignore_db-and-user_insecure_mode.patch to handle ignore_db and user_insecure_mode correctly (bsc#1185441, bsc#1187071)- Split the keys in vendor-dbx.bin to vendor-dbx-sles and vendor-dbx-opensuse for shim-sles and shim-opensuse to reduce the size of MokListXRT (bsc#1185261) + Also update generate-vendor-dbx.sh in dbx-cert.tar.xz- Enable the AArch64 signature check for SLE (sync shim.changes from SLE)- Update the SLE signatures (sync shim.changes from SLE)- Add shim-bsc1184454-allocate-mok-config-table-BS.patch to avoid the error message during linux system boot (bsc#1184454)- Add remove_build_id.patch to prevent the build id being added to the binary. That can cause issues with the signature- Update to 15.4 (bsc#1182057) + Rename the SBAT variable and fix the self-check of SBAT + sbat: add more dprint() + arm/aa64: Swizzle some sections to make old sbsign happier + arm/aa64 targets: put .rel* and .dyn* in .rodata - Drop upstreamed patch: + shim-bsc1182057-sbat-variable-enhancement.patch- Add shim-bsc1182057-sbat-variable-enhancement.patch to change the SBAT variable name and enhance the handling of SBAT (bsc#1182057)- Update to 15.3 for SBAT support (bsc#1182057) + Drop gnu-efi from BuildRequires since upstream pull it into the tar ball. - Generate vender-specific SBAT metadata + Add dos2unix to BuildRequires since Makefile requires it for vendor SBAT - Update dbx-cert.tar.xz and vendor-dbx.bin to block the following sign keys: + SLES-UEFI-SIGN-Certificate-2020-07.crt + openSUSE-UEFI-SIGN-Certificate-2020-07.crt - Refresh patches + shim-arch-independent-names.patch + shim-change-debug-file-path.patch + shim-bsc1177315-verify-eku-codesign.patch - Unified with shim-bsc1177315-fix-buffer-use-after-free.patch - Drop upstreamed fixes + shim-correct-license-in-headers.patch + shim-always-mirror-mok-variables.patch + shim-bsc1175509-more-tpm-fixes.patch + shim-bsc1173411-only-check-efi-var-on-sb.patch + shim-fix-verify-eku.patch + gcc9-fix-warnings.patch + shim-fix-gnu-efi-3.0.11.patch + shim-bsc1177404-fix-a-use-of-strlen.patch + shim-do-not-write-string-literals.patch + shim-VLogError-Avoid-Null-pointer-dereferences.patch + shim-bsc1092000-fallback-menu.patch + shim-bsc1175509-tpm2-fixes.patch + shim-bsc1174512-correct-license-in-headers.patch + shim-bsc1182776-fix-crash-at-exit.patch - Drop shim-opensuse-cert-prompt.patch + All newly released openSUSE kernels enable kernel lockdown and signature verification, so there is no need to add the prompt anymore.- Refresh shim-bsc1182776-fix-crash-at-exit.patch to do the cleanup also when Secure Boot is disabled (bsc#1183213, bsc#1182776) - Merged linker-version.pl into timestamp.pl and add the linker version to signature files accordingly- Add shim-bsc1182776-fix-crash-at-exit.patch to fix the potential crash at Exit() (bsc#1182776)- Update the SLE signature - Exclude some patches from x86_64 to avoid breaking the signature - Add shim-correct-license-in-headers.patch back for x86_64 to match the SLE signature - Add linker-version.pl to modify the EFI/PE header to match the SLE signature- Disable the signature attachment for AArch64 temporarily until we get a real one.- Add shim-bsc1177315-verify-eku-codesign.patch to check CodeSign in the signer's EKU (bsc#1177315) - Add shim-bsc1177789-fix-null-pointer-deref-AuthenticodeVerify.patch to fix NULL pointer dereference in AuthenticodeVerify() (bsc#1177789, CVE-2019-14584) - shim-install: Support changing default shim efi binary in /usr/etc/default/shim and /etc/default/shim (bsc#1177315) - Add shim-bsc1177315-fix-buffer-use-after-free.patch to fix buffer use-after-free at the end of the EKU verification (bsc#1177315)- Add shim-bsc1177404-fix-a-use-of-strlen.patch to fix the length of the option data string to launch the program correctly (bsc#1177404) - Add shim-bsc1175509-more-tpm-fixes.patch to fix the file path in the tpm even log (bsc#1175509)- Add shim-VLogError-Avoid-Null-pointer-dereferences.patch to fix VLogError crash in AArch64 (jsc#SLE-15824) - Add shim-fix-verify-eku.patch to fix the potential crash at verify_eku() (jsc#SLE-15824) - Add shim-do-not-write-string-literals.patch to fix the potential crash when accessing the DEFAULT_LOADER string (jsc#SLE-15824)- Enable build on aarch64- shim-install: install MokManager to \EFI\boot to process the pending MOK request (bsc#1175626, bsc#1175656)- Add shim-bsc1175509-tpm2-fixes.patch to fix the TPM2 measurement (bsc#1175509)- Amend the check of %shim_enforce_ms_signature- Updated openSUSE signature- Replace shim-correct-license-in-headers.patch with the upstream commit: shim-bsc1174512-correct-license-in-headers.patch (bsc#1174512)- Update the path to grub-tpm.efi in shim-install (bsc#1174320)- Use vendor-dbx to block old SUSE/openSUSE signkeys (bsc#1168994) + Add dbx-cert.tar.xz which contains the certificates to block and a script, generate-vendor-dbx.sh, to generate vendor-dbx.bin + Add vendor-dbx.bin as the vendor dbx to block unwanted keys - Drop shim-opensuse-signed.efi + We don't need it anymore- Add shim-bsc1173411-only-check-efi-var-on-sb.patch to only check EFI variable copying when Secure Boot is enabled (bsc#1173411)- Use the full path of efibootmgr to avoid errors when invoking shim-install from packagekitd (bsc#1168104)- Use "suse_version" instead of "sle_version" to avoid shim_lib64_share_compat being set in Tumbleweed forever.- Add shim-fix-gnu-efi-3.0.11.patch to fix the build error caused by the upgrade of gnu-efi- shim-install: add check for btrfs is used as root file system to enable relative path lookup for file. (bsc#1153953)- Fix a typo in shim-install (bsc#1145802)- Add gcc9-fix-warnings.patch (bsc#1121268).- Add shim-opensuse-signed.efi, the openSUSE shim-15+git47 binary (bsc#1113225)- Disable AArch64 build (FATE#325971) + AArch64 machines don't use UEFI CA, at least for now.- Updated shim signature: signature-sles.x86_64.asc (bsc#1120026)- Fix conditions for '/usr/share/efi'-move (FATE#326960)- Amend shim.spec to remove $RPM_BUILD_ROOT- Move 'efi'-executables to '/usr/share/efi' (FATE#326960) (preparing the move to 'noarch' for this package)- Update shim-install to handle the partitioned MD devices (bsc#1119762, bsc#1119763)- Update to 15+git47 (bsc#1120026, FATE#325971) + git commit: b3e4d1f7555aabbf5d54de5ea7cd7e839e7bd83d - Retire the old openSUSE 4096 bit certificate + Those programs are already out of maintenance. - Add shim-always-mirror-mok-variables.patch to mirror MOK variables correctly - Add shim-correct-license-in-headers.patch to correct the license declaration - Refresh patches: + shim-arch-independent-names.patch + shim-change-debug-file-path.patch + shim-bsc1092000-fallback-menu.patch + shim-opensuse-cert-prompt.patch - Drop upstreamed patches: + shim-bsc1088585-handle-mok-allocations-better.patch + shim-httpboot-amend-device-path.patch + shim-httpboot-include-console.h.patch + shim-only-os-name.patch + shim-remove-cryptpem.patch- Update shim-install to specify the target for grub2-install and change the boot efi file name according to the architecture (bsc#1118363, FATE#325971)- Enable AArch64 build (FATE#325971) + Also add the aarch64 signature files and rename the x86_64 signature files- Add shim-bsc1092000-fallback-menu.patch to show a menu before system reset ((bsc#1092000))- Add shim-bsc1088585-handle-mok-allocations-better.patch to avoid double-freeing after enrolling a key from the disk (bsc#1088585) + Also refresh shim-opensuse-cert-prompt.patch due to the change in MokManager.c- Install the certificates with a shim suffix to avoid conflicting with other packages (bsc#1087847)- Add the missing leading backlash to the DEFAULT_LOADER (bsc#1086589)- Add shim-httpboot-amend-device-path.patch to amend the device path matching rule for httpboot (bsc#1065370)- Update to 14 (bsc#1054712) - Adjust make commands in spec - Drop upstreamed fixes + shim-add-fallback-verbose-print.patch + shim-back-to-openssl-1.0.2e.patch + shim-fallback-workaround-masked-ami-variables.patch + shim-fix-fallback-double-free.patch + shim-fix-httpboot-crash.patch + shim-fix-openssl-flags.patch + shim-more-tpm-measurement.patch - Add shim-httpboot-include-console.h.patch to include console.h in httpboot.c to avoid build failure - Add shim-remove-cryptpem.patch to replace functions in CryptPem.c with the null function - Update SUSE/openSUSE specific patches + shim-only-os-name.patch + shim-arch-independent-names.patch + shim-change-debug-file-path.patch + shim-opensuse-cert-prompt.patch- Fix debuginfo + debugsource subpackage generation for RPM 4.14 - Set the RPM groups correctly for debug{info,source} subpackages - Drop deprecated and out of date Authors information in description- Add shim-back-to-openssl-1.0.2e.patch to avoid rejecting some legit certificates (bsc#1054712) - Add the stderr mask back while compiling MokManager.efi since the warnings in Cryptlib is back after reverting the openssl commits.- Add shim-add-fallback-verbose-print.patch to print the debug messages in fallback.efi dynamically - Refresh shim-fallback-workaround-masked-ami-variables.patch - Add shim-more-tpm-measurement.patch to measure more components and support TPM better- Add upstream fixes + shim-fix-httpboot-crash.patch + shim-fix-openssl-flags.patch + shim-fix-fallback-double-free.patch + shim-fallback-workaround-masked-ami-variables.patch - Remove the stderr mask while compiling MokManager.efi since the warnings in Cryptlib were fixed.- Add shim-arch-independent-names.patch to use the Arch-independent names. (bsc#1054712) - Refresh shim-change-debug-file-path.patch - Disable shim-opensuse-cert-prompt.patch automatically in SLE - Diable AArch64 until we have a real user and aarch64 signature- Make build reproducible by avoiding race between find and cp- Update to 12 - Rename the result EFI images due to the upstream name change + shimx64 -> shim + mmx64 -> MokManager + fbx64 -> fallback - Refresh patches: + shim-only-os-name.patch + shim-change-debug-file-path.patch + shim-opensuse-cert-prompt.patch - Drop upstreamed patches: + shim-httpboot-support.patch + shim-bsc973496-mokmanager-no-append-write.patch + shim-bsc991885-fix-sig-length.patch + shim-update-openssl-1.0.2g.patch + shim-update-openssl-1.0.2h.patch- Add the build flag to enable HTTPBoot- shim-install: add option --suse-enable-tpm (fate#315831)- Support %posttrans with marcos provided by update-bootloader-rpm-macros package (bsc#997317)- Add SIGNATURE_UPDATE.txt to state the steps to update signature-*.asc - Update the comment of strip_signature.sh- shim-install : * add option --no-nvram (bsc#999818) * improve removable media and fallback mode handling- shim-install : fix regression of password prompt (bsc#993764)- Add shim-bsc991885-fix-sig-length.patch to fix the signature length passed to Authenticode (bsc#991885)- Update shim-bsc973496-mokmanager-no-append-write.patch to try append write first- Add shim-update-openssl-1.0.2h.patch to update openssl to 1.0.2h - Bump the requirement of gnu-efi due to the HTTPBoot support- Add shim-httpboot-support.patch to support HTTPBoot - Add shim-update-openssl-1.0.2g.patch to update openssl to 1.0.2g and Cryptlib to 5e2318dd37a51948aaf845c7d920b11f47cdcfe6 - Drop patches since they are merged into shim-update-openssl-1.0.2g.patch + shim-update-openssl-1.0.2d.patch + shim-gcc5.patch + shim-bsc950569-fix-cryptlib-va-functions.patch + shim-fix-aarch64.patch - Refresh shim-change-debug-file-path.patch - Add shim-bsc973496-mokmanager-no-append-write.patch to work around the firmware that doesn't support APPEND_WRITE (bsc973496) - shim-install : remove '\n' from the help message (bsc#991188) - shim-install : print a message if there is no valid EFI partition (bsc#991187)- shim-install : support simple MD RAID1 target devices (FATE#314829)- Add shim-fix-aarch64.patch to fix compilation on AArch64 (bsc#978438)- shim-install : fix typing ESC can escape to parent config which is in command mode and cannot return back (bsc#966701) - shim-install : fix no which command for JeOS (bsc#968264)- acquired updated signature from Microsoft- Add shim-bsc950569-fix-cryptlib-va-functions.patch to fix the definition of va functions to avoid the potential crash (bsc#950569) - Update shim-opensuse-cert-prompt.patch to avoid setting NULL to MokListRT (bsc#950801) - Drop shim-fix-mokmanager-sections.patch as we are using the newer binutils now - Refresh shim-change-debug-file-path.patch- acquired updated signature from Microsoft- shim-install : set default GRUB_DISTRIBUTOR from /etc/os-release if it is empty or not set by user (bsc#942519)- Add shim-update-openssl-1.0.2d.patch to update openssl to 1.0.2d - Refresh shim-gcc5.patch and add it back since we really need it - Add shim-change-debug-file-path.patch to change the debug file path in shim.efi + also add the debuginfo and debugsource subpackages - Drop shim-fix-gnu-efi-30w.patch which is not necessary anymore- Update to 0.9 - Refresh patches + shim-fix-gnu-efi-30w.patch + shim-fix-mokmanager-sections.patch + shim-opensuse-cert-prompt.patch - Drop upstreamed patches + shim-bsc920515-fix-fallback-buffer-length.patch + shim-mokx-support.patch + shim-update-cryptlib.patch - Drop shim-bsc919675-uninstall-shim-protocols.patch since upstream fixed the bug in another way. - Drop shim-gcc5.patch which was fixed in another way- Fix tags in the spec file- Add shim-update-cryptlib.patch to update Cryptlib to r16559 and openssl to 0.9.8zf - Add shim-bsc919675-uninstall-shim-protocols.patch to uninstall the shim protocols at Exit (bsc#919675) - Add shim-bsc920515-fix-fallback-buffer-length.patch to adjust the buffer size for the boot options (bsc#920515) - Refresh shim-opensuse-cert-prompt.patch- shim-gcc5.patch: shim needs -std=gnu89 to build with GCC5- shim-install : fix cryptodisk installation (boo#917427)- Add shim-fix-mokmanager-sections.patch to fix the objcopy parameters for the EFI files- Update to 0.8 - Add shim-fix-gnu-efi-30w.patch to adapt the change in gnu-efi-3.0w - Merge shim-signed-unsigned-compares.patch, shim-mokmanager-support-sha-family.patch and shim-bnc863205-mokmanager-fix-hash-delete.patch into shim-mokx-support.patch - Refresh shim-opensuse-cert-prompt.patch - Drop upstreamed patches: shim-update-openssl-0.9.8zb.patch, bug-889332_shim-overflow.patch, and bug-889332_shim-mok-oob.patch - Enable aarch64- Fixed buffer overflow and OOB access in shim trusted code path (bnc#889332, CVE-2014-3675, CVE-2014-3676, CVE-2014-3677) * added bug-889332_shim-mok-oob.patch, bug-889332_shim-overflow.patch - Added new certificate by Microsoft/bin/sh 15.8-150300.4.20.215.8-150300.4.20.2ueficertsBCA4E38E-shim.crtshim-installshimCOPYRIGHTefiaarch64MokManager.efifallback.efishim-sles.dershim-sles.efishim.efi/etc//etc/uefi//etc/uefi/certs//usr/sbin//usr/share/doc/packages//usr/share/doc/packages/shim//usr/share//usr/share/efi//usr/share/efi/aarch64/-fmessage-length=0 -grecord-gcc-switches -O2 -Wall -D_FORTIFY_SOURCE=2 -fstack-protector-strong -funwind-tables -fasynchronous-unwind-tables -fstack-clash-protection -gobs://build.suse.de/SUSE:Maintenance:32617/SUSE_SLE-15-SP3_Update/10512b51de6e9b9964e2848322fbcfdb-shim.SUSE_SLE-15-SP3_Updatedrpmxz5aarch64-suse-linuxdirectoryBourne-Again shell script, ASCII text executableASCII textR if test -f /run/update-bootloader/reinit; then rm -f /run/update-bootloader/{reinit,refresh} /sbin/update-bootloader --reinit || : elif test -f /run/update-bootloader/refresh; then rm -f /run/update-bootloader/refresh /sbin/update-bootloader --refresh || : fi/bin/shutf-81d665fd79c2ab943a5a77dd564507657be9232e95d3be04da5286ae93603fd35?7zXZ !t/]"k%jz<^x5kh!cPtd b߶q4dk#t(\ E֧e1)7aVY}0aɺkV+I2\0ݱ)dKĮ:IgfX]_)h7!4H25v)B|5p<>QiX "(wyfY *] 輺.oJK״t,oc1$eaRl Ojot9|DUC1bsk\f''qSj./š`Y{6@WޭSVN<6qxuYUx3Aиڅ{ T \ʻ|#ANē>]+{Wzvަهָ sAaߪhH8 .yͯ0\6",v8KBkn0"Y5 ޾EVI2xz,ZK^s=߁3j kum첋M*Ԯvsle^[9N~aƄfwASb4g&pb$6IU\nO-e4)E>sGf`g%hGN S;5BC8"b霾B<]j:LJ?וɫ-/j;(yo,뽲~(4b 8d"z-fPQ(Cp [ՁD r"-bSWVPAYexE|h;mYpTm/}'6ǂh)~}bqWڠv$arX$ ѝZ~6X(Kj$Cei*,Rvf2ERĻ(dw R m iu®D7MD qctiYOM8 `{8A8v@]`ia> G8 œ]E{BV*24f_ DX(b:je2 yҒ3%H9Uڛs* `sۖ;!FkzMn%t ӗaZ6/SN bFI 271cnW@ܠVBd7@z9.+?wŋz'2ޠ~7cR WޣYQko5!'U) )ۆ3Rr703ZOwF׬ɞZ{GE?75ΙE7ITI.8ibr# ΫJ&k (1N 3/>-Uf,L.)H8Y"isR>Ƽ UJIXvJe FH}dwR$7k?JE5CrdPCq5YY̬M'}`DWK)Ĝ<3討9At60뢾,Ca&6\+}å$ה'*&9#6墈odW?3T=lxz5nSϊ5O^N0Co=Q BcCr@cqжwUġa>r~h| Y{֡ M̛<ն Y9FF`QJC=*@L4p+2ɴiO#}=-K$P䔪l]vɌ2-]J)5'uz-PzǤieͭWwq s. f]1dhhVMtwy/2VWd8R* wt IlSd 5 wwh"!O .@R;[ xŮ%'h~"NhI3e8B˄?!=|J7 ƈh Eh#SOOtn+qjx2]6ߴ$(PkL w[qr;K {u~FU*3KCMl$7lbBQ[ON'yR{QS;nAbvIZZ54ț/{.%Ѯ"B(]L2UJG@RF@V\gr;Xv.UBQ2A6AILGb8Lg) 'uxA|j+KrG+#82*H<nOhVo& zz@k1_},qbm\t/6JE08<ĬyMd,}WҒr:V'W+eYr'q?LP I|HbQ$|d{qbkKaR_41!Խ-sf+n~ucQei eߪ ;<2eH]NGq(&NYv,>BLuz 2 SݔC#,fgw h/.s-&{ A7AwC1 ܕM[ԗ@uFbHYE8aI}3X'6ws7< (O#1*0 jm2נH&De,_hHn 5"n IlNmM#cT.2tQgrd8d&E*8VKbU\7":QĵϳvY 3Vib98(@s A!%;]~׸s@9XMkSbLt[S,i/־;ʥbty6\8$!?gc7V$w4R\\IlPp6J ؐhJ n5Ww#X̅A5% )Ռ/*ZpB_nzQ|P1ax*z+޸jdx1=[dcAJs^zyX03iwƧ?0l̈́W8{:x4~-C AdOY ;ވo4< `qΦ,޴R0O Aۏg(E,ZO3%p2 C cWO긤AW;#b-qs_]|ymh!:%UH1fS#Hsr `OTΈ~i=Y ~o$1B3L~?dQNDD0`pڤ<]ydž PXr8:f/fA5KٓEdXśi2`g[?$ۄVRDNW*5'ׇNj3f,c/DtZ~gזqxiIm%+ckQ΂|-<OVE-v:%L{[!"zĖo O4>]|QjUtڸ?g'~"kQgn=)A@qI=# xǕUn'ca|gS`ʊw "ny:.3w3=cSHx}p"ۼ Uݾ(|kqS)?+TS6Og..5=>6/uy/360 O0Ǻ YGmlw#ΆUX}C40Q8A+?^5h$@’{h~p*̣vδ~qo[p{i}'ۛh(&gcTGLN'FfB;qFWgnIM SY:w$[A-u%fR |5¯b^(ξRϹbmZJes/ Ab$ q{q`}(9r7;Vh?N^:~q16^ ^ޭhЭ\MB{h&&N7K.}O:tK`;m VGZ6WsP$PTјDtCgv2JAN]!s1NmIs.8M8Y|,ڠ^䦫eC7xUwގAT`z+ JGJ^hN+EZ)jR UmLn1ϞXpOumz+J υUys̸&KnRc.%Ȝ2>%AԠAFD쬟Am mȺxK4> aQiԈuGOv6ĸT >S=܏( !Ϝe՞^ `,#-V;Poɵ I6'!]Y2f%oIUjKSX4w-(Pb0*N?_ٷlHTҝ ӀDzmI5Ej3Od~>`'41 >5]% ֹl賊n橎hi.,\6\&cVٽjՋf*ǚB^z"s)Ei( h ^sAH!8`s6 1"fФ|Ie!Bcq}H$ݻZ獐Y,P D9fߜ_uR  C'>ӧ[?[xVl%S{,kJ5z׬#$~yC9^wRJuҒQs@A}POLMa螏ʮ6dITUo>ET+w llcCpb)MEjlRvm>Rjw 'ƥr!~DO9\8l~ˣuR#ǖƔ_֬9Vͼ dm9+n͒Į 뇝{$9H7툿Oizz/)r`Ao_;@^d]!:^z0x1}3Ow_u{XYQ_{VG D]r(Ԭ,"A=0&/ㆮ&ȣD۱1HJu5 ߆R"..<ZZhc¼*ڝNkNCNpMֲr}$ N*th7&.҄.7[\Od/UՓ^ mmMib}Hf152c5\ ~Es,FV6UAsuiinZ?V:D 8:c[ pB`j79]̛Fxjv*;cjP!˃&-? wyvuu!Ot5R>18U נ</ҘD?71%,ϔԧ;7gH 4[xny! ofo%2Rb2gFo7ӟHx`zK+I%(:{%{S(I뇦9Ob *S&$+ Cr*Cy t5Ze(, 0Y+'8 ){]>OreI땹hK*@qUb.S2:Oz^TE˷tڗl?e q,s/N4lC8md1{{ћf`dRr38|,pKP <ifuM+‚')tO#do1^%*V][Tm!{,$Plbf5xXA\[-1Z:3WQ>mP2mRpM"-ZW,ΝTa9CAGdؔiU`w+J4;1t4- >(@wGsm&ϐ.&ONhh1tV"/`;V{9KӪYCVID{Pmi.{HGBGI G%Z{0EE_2iWGi/ѭvzW;_)'-{vG/`H_l.99ç¿eD)8 ob, ٠wXJ0zu!ۣh~4"qw $>Ɏ8֔q$](iF gđ)~ ${sQ~µ6AN!oZn8o4 !ОvtdJ@Mɬ my@V--^@˵.EIj=~Dy[@7([҅( ȽE&u"XB$&'>Ɠ5upTXcHf`UZ[$fu7{K,fv:B{ G>f*~L=dxg'Xi_)h!8]GN|A<CfM ja>rtO}c&UR~3I KzOY**s$|FL!FA`dLzg*1]"3 %V,VpÛbGt4¸o8D8G nLJ6ЯgۓR6f1{ˌ^S1}G&v%z' vcJ-a!C)m]x)`I9QW qi{6kb5%fOI[ Mw,{p6*°-HP߈%^W2v\>nVKM8Wu fF1e.6|+I_Qlײ_!LH.d࿩$9{?E{d],;x&@{<)C6O&4f@8dM5& 2#:}!b)$؀Ť=_s0KMZ}6vP<9L8/\ E5-Y叹((p!q7Ggf!FRlD+1 _5_~Zڭ PuְO.MU"WEћesT^ka2+Bi7l31ҞX5 _ֈF1\:A  agLT8<6 j2U5gshüM^ ';0i=iŧGYh2д3bz,#l{sNp;%~@܍B_HKJ/ԓ,`a2ΩKK}7ׁ PͭGx+!SF.eYGǛMn~+E9|E+4zSȟŖ;Tld 1OȎQπ2Gx*Ł.48G"0#s7 ۯ2 JRXwX?N".E3kBGՖ8&9Xtq&%5Xb ONS A6KA3|ihrFRF -u3׾DX pIcY[ 'UT7B|QDJ,}оYTx膏yxWN3VП>fv ]ޔF:Y!yK!UwNSƘD46/{)m$='j{bqvJj)r 8x/ʢqę4tYM:@A<:uDTN W0Ijf6{Zw`zp@G}}{ I+:沟 @c}OӴlcN?yG|ZvJm a0ȍ 5]$$$/yx7qܛr;}tBRyVk@_˄\1_,}Պnʛ]Nڕ$M P%ʼ(if!8'_-΁9If܍!)X l  f>a#jo *T:]ICU}YupL)s[Uhj U"9`#Pˁٹ3TQXB^\Qj@ڕkwT(C IIR+C$ :) Gbuy E@j<$O(/E?Ad!1eZ2rdG;N٧6ੋg 6l-֔\l5۹Z}6˃Z:sֳC X~ UUek񒭎PXbG/ vl"i N5 zX#GG*;Έ`' B@^fȜ7bHTb7Y]6?RNT-cz/ m&=HA'-KGѹ$jR1׊1Oo'Rh@gcJ)۸FC@y$Hrw !IKo0}Mx ש`zNĖAhO3ʕ WAޤBy6PuxzH$k %=0o-(`bx2dGm]‡DdrqZ o .Sk-nֶf"`z% vQ#W io՗  |U? RS !zsÛ2Y?hknv8cՓ,s{PHs{_pZgScnl`$6vȺj5Zt6z.iv4Z=WqD!4m)ƕpE@?-I.fγ7  j3WbMQBݯ<֐ٍo:`՛];2bHTYS>Z,׈٥| PtGfUqMtZ-?H|j V~Ά;MQyhYGamLa3[wX ,qx'_5^6*B0^Z`c ףV`]Ⱥrx;|v2CPL,dfQ j F|,9U׬H[+U(sQSx'\Z` F@Mѻ8ANKw "f$)+Vj[Cӕ| *^6'}%{G 8p[IOe簿a|oe4| |FSb"Mv8LoP B_ Fڟ]*˽8uֳ'ŞZu^ !6+S@#w^Y |f\\;- Zfڕ2=αmeN!}xQܓEF-chkNۿ?n\ ڸ9+,[xo˼CYY^˒K2̱Fv9XITrˆ~̰<¢"N5& E"=_syeM Q@ HhN1sa+hɣN20ߘnH͑\+4Eu|bY81}ۮsC ]45dt\jiF+"L7,EnyS#߈L9e@lEkc1ŅB k7n[_v\Lٸ|d)Y]f&wACy~TÓ 2<2!Ney(eQlu}KF%;a}$w=#7vTLJ'WA,\ i-QCBwH`yZ;罯I\o!`;IZ@ 2=l˛.;u=p$[Cֵe0O;҃z!]:(y%}^䗄1C`C⨀;EMrP5C|2,od0k8.@HotQ 4εGKq~Mfg' A^XH]]p 6y )z~LxuX&a}b{<[Eʑ ִu׏[2Z _%!1;\CÚD%}7y02yhCM.JW!$O m0J"|9Vi߇8)c~$W8jZ<\4$*Ƴ8q#{lbVXNyg7?,8DnEEsN; e)hh)w_c goLB,%q結^bZW/Vc>2kTG%&rӓb\z+J=-@VN@!ݦĜ|u2*R?y.o-rE'>FpޗlNq_H[>M :Sv5{Qc# b6|/"YGG\7ORCh9iaU`Hڶ[aPuCmFdeڮ@@4D&j+ ڌrn&azIJi.>=fTg\F=/i_yV [}7 䂀RF_?: `" :_ףEmUϴl,49r=F5E?vİzݾvZ#ΝQx.f=G >惠RU 85lp ~I#y%YU|WC\s'/ݶ^o7wWj;oY-~@$Vj9lvA-r&>#A@va>3` [15S'JG5Kk¦0<˥ץV=/yl,2Fz U > BUS?-b;ENj 3|ًvꓯxDuXk7ĖKSIr)2KaIȔxd9ԣa?esDƸח;:?Ĵ;.ph7w7P&vJ6!si% VJL 9I{Ά.P3E("i^x2]ׄR H,N({A0BqHCs %5N]T*im٪ؗh&$!N"$B*(Jxю±tv.s"mK8@s6x>p]R)4 `ڝ(ޝRVvRuMRh#<03%}JVX,'>s`+zf X\[ǒpSvJ|-fP1T?krj8J]M<' 2ټL?/ ߋ VR,5j D6Cd?8L#\3PUMbD951w#L}KLTã(?ωOT$G?3?Tr`Ⱥ"܀V汕5*d\X]}^plQob3xBĿ %.s( Vdt勥yJh~VP.B_g(Eڱmc6z !3_rP+LbBيS7$3Qժ5Eb!SkHnx&b~a;Ar4>g` '4Zz?e|5\΂Ϟ(.ߝxTʯ|&Ca_M:$Tŷ8h6H-PE&+cZ$T5 `+Aʩ9"Q'# ~dw C9&[l!q;iN~eO֤3?/_Wn Uso. Z"ť;vS#8۠1ls痆g%^9s=٫'.;g6fA#c ב8|A>J[w|Ћδ(u؋oW0 { !|;r,FA8f5r?Quv2ռdLY!q!7u4l-&ؚ~JDFi$J ̋d"ܓHcPU'DZ5e#>c"3-H5{`,R2*h"gۛ~L&_xZp,ҴE:":oH uBsNZGwE  q=[ ='T,8" T>ށJ~p[V]#3? v|> <8A9@WYM %$ 2P_1MANaRX [·̫n̛l yM?4Sq @Cp @9vvϚW26C٭Y:1x  A8 ,P뻻$SBvډ_ s{_CjVSDex2)#QEbܭ",,>%uW=ȩ|37Û/-<##9ˡjP81hevI6j;pe+ ^< kc%1ęTa)? bd5 M? ɀlԵ&T1_P?ϐH3^C?-Nⲭ4Fg+CLkף'K0G F}>.ͅ/6$^|9uN&۹oOzs \DQ'*?AMf0)) ':0oҜLt΢4pE^|֗"啒)|E4^~`KF5kuvQ%C/meUSk!$]F"6ěT{,He dKʂG N]<0?益QUŌ3Cƾ-Tzk_G,%.uwuC~Y9Y:Kv؈)Hg3"csE#xIie(AcDjDp8"c|꿓@9Z{, կ+]clq)v zJkG)UX̴*\rZ@&)?}fp88+)8^d|1!;uDE{[qjCxP|[y77ZCD][Qbmnd :Cl!DmIO~~v랫Q_%ډNblu7wݗ<5 t&/0BaxG]ַNReq Q@Ptُ}x:Fx,'gRݱJ7NB1CzHu䦪@dsV؄2WĆHЁe˘lߜԓo~RU6=K>"@fcC{8h͎ؗM4zK7JTbIJr>zB~eiqR}`oti1ŧ.@0HENMY_Ўca,}.lPY6>=uW~7ˇ0f5tET%? hž!Y ﺷk1-n-C沣AYݕ)qZJei؜g9aEULK@}jOIK D,6&5LN3d^ŸM9!6(=YAۺf:?6td\ >#83wv?k дEh_5Oz*77-^/'|f;x讚QgrT"V?jZ-}*m!!- F%G-a-ڱQr2)FOnZ?Y (?m@15D-l5qe_Fݒ͗=./KYF~ߤkevqb6 j[ų[8N6pi\Y{Bk7mgkm/zCB4K Wm;)ږAIp PEsll'P6,[=msK<8`4('wV w Ua׆<4OU`]!;NN<+`m[)'J='.*1)˱ĕ@})5x,Xe$< c [Nl0ՓY̺(aCl!*.$hX~PncESYX/"0TUgY3$lw%pNO4u LF)u`i JE~ffG/j=Qb ekWs:h ePPHJ KP5L} 9w@2'Xo$`qK'oH,bˎiԊ((isKH!F-m5VropRaO;8Cg,. _275|@;S2Bab8Y؀őR)֌*BYWf(Qrt]6kim0]֎y 3 !=l"un̢x"]nhfO2BtJmM@Btګ/VOZպ'5=_BlՅBiI\"66hfL RX Vi)qoZe6#tLDT:e&!X糯!.7PsږPyؔg8ޱ.7u.YScX2၆V_s*L; _ q{ p5xK8d nTs=.Gᣀ8jՋپ)m7=x">nبnUlf/1(S_?97xYq1-1<]̢M2dAV^րя=k:mN6C6lC{g SNuqXeqjώm0e'n@^84Wy I_Xŀ.3,*]ldkn]_)Ik6+=PR8~O*ܠcyӉ*C ڈs"z! XKF:I'0䬸1z^4*RQLy0__&/GdOw n_uIܘ"TXG7@>G][ 0@F\S2`C3xp`v MHP5{g jX 5 &5*'!mE :rx#Jsu" JV_0i_N |Cw9Y%ߕ!}e~ln.&pKjsy"#T~IߡLm΋aQR (ͣ9Ә@#+z8uER%ΡōNH֊~r7­gū[k#楑eS(`yykԙÉAgD ˑ]oX߽ a,"ɢuJU΃I ,-U.rr8긝_z%h@bֆvXU_%NieO@g|Dn?Wix&ޅDaڬ^[SassfQ_(ҧ 혲'RDyǎ 5|۔iܡRc*ZS_nPKG(.8.k³;aQaD4Di }']'tW bOu{OpTi;u&y:EƖ=W|[ `4FvfthGUT- hEЈSmi 0#\moOfMAB1>pP%٦J= 3%3+@;jO <66 ,vl!?^r1*D혪`,H(z|GGs@o  2=<&i4ֺ'f 1\0aY%Xn=_ZX+] ,[,S-*uo[?dKH8ߖ7D`GLzg0M 8U_4)-WdleCerMHg:B! wRdG#ڻՇ@g9:.z{ ob=zi'FO܅ܼvQ"}ƍaϙ/`0O]tJ}3v?#3j詨vrT8V1=։)=؝EO6X4h:s7=u/ztd 4Ȏ_ȵԥgUOsV*ُNixY ;rL_KFi"pgo? qc_ʡIE78Wbn|ֿzGp&EyM\B W-Nx )#]7S6^Sg,BG t{iF|w B-+HTr6mܶe[Ba=vJEQ^Vt,nB#h#t!E@kWI Ue^LGƬr#bk7LQS?H$`.:|wkɳtׄH#(3Kƽ,JI!GY{+#TmQRnup5=kɄKKItXT{j p Z> 'kWТY CG[07vE F{i@%#J }#;Ŵ@3ymnx2SmHԺkȱЮn\$i,ћ<[X3 bj  \ h1B12`yV6^#0MvN(.AB*I"8.UҨ O1%:|AFggRHO%j6&TcYe9DcȽtiQbqY(FϕڦOɰKy:hY\?A$+!{͂n'S,w f> /bU^@fP &Ђ>^Wtg5pu9V_R>D+[--$^yc)z&AHRN7pBh{f!Ezi/lȚEv!҃jxK>su pQh RQ ssePQ>G^Y>JVN1N܈J-'yYĮJU[bD $c%NZл FCÍg-%޸hzNa+5LTr|5`zQ\7GmrFM "/ioi0Y咶6P>hѴr!j]`[qh\T5g6J|NȷE?E>bv8y4P 6a_&gq+L`:9֏լFYW,mn|Fă&_mLM b=Z@+3rj&m&?J<-}9!t3494 .!*3#Ajs3̮ҡuK*ۊ 8IIWjDlG`̃f1!ugp1) 'w1ƒhX󻦂 lRk` 2hd @.N<B?%g7my]h›BUVݠFc`wڛX &՚&Yn*[ۆ+ȷ} }$9m \whԋD )|cZw@e@Dn17}'*Tw_7H& ߑ"ir0/FR9jo!\Z}mG+v!'R78ǾşIsnlBuelOTJ#~`ReE3Z7`芨-;͕WhD K@K ؉;('hπ$qcΌV?E*,I#?.ʬ}څ)qlh=\$T^Βǂŷ$㛭 ,utl*lwu唥%]AixV,8@T|"iC٤OgHuS39>dz1b_HDOW 卧92_W3^gU؋UZET EK:ݯ9-ýݑq-ئFGտPKcsAiRO!Mm00qeӋU( c]/1Gnd@)ޥG*83i ɝ+W`Nl\03L|deI' .L) 3}Էpo8 ZD A a[S{`(X.۠WB!X?-R=/?bh b^MyaUU)ۍ:1%_qL߃.ղamn4۪:+?؁*qpO Eu6#IvʃЃug5$NuXزHx&t}8a+x2,7?%xkYi|jHV_^Hzw0y7}6h)e)'in ښ`%VN3"_żM. V/n:%ݿp{b ౙt=Ho%תXe^0w4z6a2;˕>xV(Jnɑ?Oʳ썹?;kWzAGc KfB UO.ڗ+b 5&[=ďXy8{F_H!+Mlsv$Qq!,#$n#De#͡$;ѡRz:xrdd+ Ys5K$%"}'6OxOt:۹H)Nf7Z.O=;Qd_n5/m&1,?wK^D*NYqM}$Ci_^ |jN[1v<[pt낚5c)GKҧz(9_sR: +ߡjvHKY gmh[-Z!7L<[-Ђ6=6فͶ&NGmLh)>1Kd9ͷn{"FZrARᾅ.nf &%g䈏5(<&1єT#$zaRKZk{4S _ v)ai. gfl~X[FRkcgWAsN]kG_d)EW1Z{w.AџGX'P3?d,P=[MUTx}2[9!d%tg"iv+4{)T|'˓Bw/bsmUMܹ^QTAEB)nZo-SjDE˝W *'3gbd=)NFjO)= 8Eߍ&O"=',|6w|@cŅ"`$b4ٓĊuc i[bfzqDxc[A0PDP3FouCC]1Tjhdȁ"="ӓL|C j\aTe4vQj s(똄T~6]w^r0qS3xYn8\y ((.GW)@gjbk^9zxb^؞sLƑT,'[wJH=FY\V`3i‡33JW'F::4@.!@cB+cqdrI wk(wL W&^d,V"yOM*ԨY0 JZن6i0Gv?Ʊ)(S#S"/B_p]ȬB/ްr"BYѪK  }k4RBKzk dʨ T?b;j6~8,OY5; 79sJ-ր`e:nt:Qy#fU^7 wN.,G;MXuu=4xd-m,(6'썆%au9 -k5$6pdi!Sm8v M6.y["2s9>'hU]ZE8%j?cBXBa'lO[6_/L6 o#?+ByF|k)O#Acp(T1Q-R0|EO#G|mDK43$x1ŕpC#7}7"+ lhںF8`7)gK1|6{  ygl%v]Rl/w@qݣOQ}kxfo)%G+8Iq5(Qh VW81=-zǢD)g нkHT"`@ONr"ru{ZcBXCp#Z w͸+5޾;!@-7N4zfԞ-^@ۍ\|Og~Dy1VyD_xnХg,e Ab,-4T?|hj{kEOi]!-V` KiET 'LQi] 92.4cV_>th1E}E\xXIh#kaCo(4 :QCp vxwh2i! !og%}NQ+}=Sj ?#wza臌Q̊ЎJ~B}6gx~EM,Eviz%.+a'zHL=eT"^Xu&F_(<7%NdgF)gNÀ`yJ ]M"^ǿ4a_rѷ>Y ~a~=CrKǗ~\6ܖ ǮӦT g2X[,iK,ȀiUM˾^!/kcE(mPMЄ8#LdUD3@Ydž $Tuv>[4Dֱ(|ХHѓm !#qj5(nwߠ_Aak~BṾ!QHtM6M&fܩR91xJA/"KbcË$-@t)Nr\곙̶֎:ybx#8CE l.ٸիDu"nڮҕ_8ĄrRhZZYB<ΠN7N+v&,Ks"gdRޙ~N.@|{f=cBȕc>i3 4/!~ߒ?WK%vym"<>LrK4KaocͦXq> N{2rcN2"&۠t8֤;>oKu: EEG,>֬no=njon5[jLdPKA%eu/8 zOo2$=]v T# 퀔ɩY[Y"Ø0]=?'8۔ڛG/û k4T/B.EƯF8g--:],eBiQj7ƅtƢG*~odC\ܝ=u%d8\PS*C4wMyȏ'o$XY0T' UYF%}T8?錽Li$<<Qᗴ(BPo=bpP 5pʬIQ "câA0.Iv8!`oۤw@ݷ֊ D? ( zDǔ^;|iCEl,cP-;Ft~'3RE`cчAd3M|7ҚAUlJ=42E6&8  Z`j"\4AoMݤ [FaDmK\~06 T%1N* ҘϹ!Rli̽@غo[vՁKOV :~ *3E@OڴJbEOTmv-B@ d;5PlЏݶ!݂(i"Ygt1|V; oq(G,vï{&nRe^G@YśaB *^z3 ѻ*_wN4jrD.esfR?$涅]>){Pumrz%SxC$f%ZXr҈ I&QZo71$.uWDв9_| 0oqF!=3@.jc zwLe w*а-0Ꙅw ͅU&2} ure\MN7sˍ|&y(oO f4l;qj5ח$ވ\Y`~ [nՀ|^%^-K`syVk/ q !v"5n%o$-y5 o8ByҾQ"{,tee<lM>y?*av|cԤ‚omد:y_lWqBj816o [BbtzJĪ]-rZ[qºFN> z|6:QnJnQs@)2nh >h5bphAX g 'A3Ӷl-^3^vmˇg@WO/>Q UeF3XgLUp1R*lv;T:T~7،v0F5dzP =іMA Em awS-4sJˋ߽ЌFSm ώفn ,3 ]~wz Irp{^c35\-r{S/[3N GJ%ᢲS'Ư\)ݽ+R$\ `Y]pz$ݯ< @e1?a|xv)k9^9g)qtTx+0yG/]t'GF_lsaTC7uNx*϶0d^18w+'cx>8NkIV8@x=p(鯯MWu] yp^%B%LI)F3cp^zFy/zPZKl?] PF!7 ,YǬ9l@ͽTFo fN9,XLvOe3*{e]G=m&%`pX1V#,关u&Ѥs%/'⬸~toR(X#AKan%BTG0rȥἼj-Mީ-=¢%bsÝ43'q9p`kNX^.$6\^;* x3D mW Ʒ&6u(UQes\d M{hC3*,%@d? A%Nr\LdkLi/`кOf ߴ)|DTHZ;Ι ?Su,"%5P*yS/߰T3\LА?F!' XȈ֪$RF]K75h_мbd]xXAC]$r(K.|Uh>{X*qiU>'S-Q%1vqA}D+7Ub\TR-*^ம2č_VRG,9fEd$SƐ}$ S:ONă/oփK(Y:wF:^i#mU&eB| F>lUkeVTIL`uT;fLSm$>{25C."r$KyN+L 1/FO&)LCZHҷ;rݘJPؔP3ƚ {N6T@*16dMY(?mȔF@?^ pxUvNMlW'9JNM=$/?E1qJ: i/M83Hft[d%0XJ;ґDzJ1 8z}nk $exN8^K:`Ik0̋9c ^_@(az]i'V%D}g(G-]OacS+4iP7jR'aM oJj=gnDlA/^Zƀi.b~ d>m}u~k EgAt3vIa ii̛Hz -:+A.{{db+%touiaq릥KSBkf`Xl&/Yrۗk\ qI`)a'˭ߓ`s?>aCxFlrAq S7Rɉz]~p,s_KS&i%6ybHlelSl/I*x 3/ՔnȡAm@I7QpFt%ݮVU~&vãnަGP=}{ƽ)ȷ<Å\ͤr6V#r)4we>1ѼY9s<NNPI2Od7T'ѕѽLprp!ə V?~pLmǺ̡+[I4m^/گ4(|E.~è1ʟ_WD|Ps֤5q]JB.<;UQnz(ڣjj"BWc-8oNG N9iqou# BzjP8K99^D//^`l<I29-l?qe1[٥HDCf,A\Ij\[ǎH f]:DtNv/$,DՄ>fn0x/^ ζT2$X>Im{</Isφ11^2j仗>d*p:,#Cn3VPulr~Ǖg2\ >\n jXew'WLd́#l|{uE)2^}A0$[v]D6Npu -e+|NTHn<~Z,DªTMjq9D7w`/{ _ SQLX齋 >S3lӈ!L NVXJ1ꛣfVxu mw7,Oyzn1믐$lq &$.?@gU9&qn ЄMU1 cYҮCUZHX,*$}uz'g2ͳCWzhh@;im8a:zqqQ  0x^0%ZRfDY&SD62`wqAjDw9m\I4LIV2  U >hM;ڮtZa8M~e\Pllznhx#+`p卨ysUuVI%,l@ϣ_oU:=6a~ifoWC ـ⧀U*dƐo آ5H'i3H9.m'H^Q:47b9"/o; r@mZ8v+n SV"YU|f"%Cw b8wUA0HZODt2k{VAH Z`ǸSS5ƹ`$YydѶ Q0* lR8W -ER1M;C(\thzwu ꧋,4= *|n6#k,ATu3^(\9:+y$f^rیJ Iիc% )XLof=t!(gSz/ ?G W)(_L, yL^o~HɩiaRnjMעuD TGjP @z cPdOybGy'׼hlw ^ByQ *iKE<4Dpܦ цb辰#=-vX`S#ʽI7`X d!nP_mTŀIxCI䓪l B-joTCxqf]>GMk"dݼ{: XN9ȍOe G{!o4>8@*jl%Fſ2d0|Da@D"jtD 8Y((D]^Tw||X_}-EڵG}a"9ؿXue9ٺe[D|ְR-xk^3%\P@hm?sG" TZ+K QC#q˾wd(eJ'W AWruTh 7!^/XW@ o2F2Sb7+iRu5%#i\ѷm~AB@MA ]#+ĨX7֌z hh_͜c#hG{LPPE?k<>RZP_ HqѾ}];({scEO:*9j|P1[Eu;({XB˧)N ]+mǎkyGTuEsȀfj+UŬv^ |0(}ÓMǖXD|;E& 2vAˉ}b)3dT=$8u-9;~ =7 4tTP|Tj!:sYUKT \`zbΝ9תk2oL4o14V[U&u K>nxCWe@ʐ;'>Hg̮"GKEɷ+]N4Lr(CkT 17GnL-|KRM"F(=J}e3x߮ƛmJm^-j* 0D /ԫy I57`R䷞`Ձ5U~G<7'@ۖ43rZeK6//l]P 7K+=i^.OJ6[CJa;JBq.nIO@/%PpVbE;Q-=@(1>yn%|8(qI"b8 =אGRtَ*ѨUlCE^ 6Tz#4UKH 9f̓먋$Sdlf$ c8޼vp $ 7xn4bRz9ﻻ4ӥ\E ҧÛug&&('SNzX ~s nxg}ǣ' Z􉑳3%| (4]vdDP{87j<-1 nRf(FRn0H$X%٣dIhs[YBi RwY-6d߯-,f_ͻVKgpTl#^=!q VjԀ(?>,LoӄcgB" Kbku8V.UE:TSKzMHg3}] ϗENGϩ戀gu+#ѭ@p瑴U1=M˸[C^dJOa]ke vs-=H\v 3QBpXDW#QHO# dZ <.^L֟]1n^] ?>b<4>d98s®h7>qq8+n.WjpQPte/ڨ(QçIhaHqv>Eufr0|jo2<-1잁mW[[vVw|H)x7v׾,L)z9ʹNC5Kbq+̋ 2 8ʛOt\̚inVNI4@guCRU&?xːLzϲk̞*ֶz7*1Kk$(*l}C>US&UT㉗G!%1TALFdsZҭlNE%gW4XKXKiI'3T\ j/:W5.n8cDa'X nf6Nj "=2ݶI[+UQ8HaUž"|~XcQ1_I^o#m9 ӼpۆN>!$;*#M޶k/n-dFfeM2Ou!>Vi\oV paIsr_ GF13ATOzxMocA 餅S[Us7DA\&H{>;׵ 00y2bNĕQ)(&3}N!؝1Bk7-\pgj#5lX^3bw5uM18``ܲʕQmW .."UOͫ.Ml :|QbZrB,n &YR9 ˴Uw_bQ2$@Ƈe+xz!a{ց^I%=ӤE*;)'=NejZA~*9uLo+Kdpp4u\*2vj+8h}vY)1C5pM?av#\D7k[xj(ivekǿ߳>Ot惔%LGD_ 37A \3-M i[[(NhL} `;v31]{ÑV d^q_*m' á%wCkEB@xQ6 y[g5TH]ca,iiokE]KtjϛSgW֐(Ar 'O=*]cM+͆֞0B,^%eu=MapŊPh"Z3z"Ms'm$g8 pX ِ4̛% ;Dq7J{8yNm*|:AY}bPȂ\^ueMn[y^@hOp.5 vYRL(lvo9BUI <ɺ0aJo-`@<~e~OaJKATZx&Ybȵ6),$Т{9b>z(zOJJ, 7v,p(Ce@kDq*P^ʷk,_Nǻ˿t$6UA=bKFɇKN"R̫(8sk|BYh{2d 4}%T셪u0wyo9s3WT<jrBK@E=ˠ]i;YkQ1dt}Zڼ`$ IݣVkCUSTn'&JsǞIehj}|y7I "Jd+fu2X{%8Z&r sqk7EaF%On~/XY4K n|hNMpjD4:Mlu% .>16[Um^3y(A"T#Dٕ)]h9px8M<K8>5-p^) &g}va d_-O)LtJ=Є7 Ӫ GU7( q:Ya7enR wMq)Wxq`18bPC(5R8u @N}hb豧-0y`b8FuIJ! {)/%x§Aw8KD\2|oWa)`6 :?ǫ;;\xu[K- /. aҽ*:d.5IsX'd%3f&4"q2yLk0dlY@B i?QӅ(OoʩYk1=9J(K-![e$\/YJV@z Ydڵr&`MMrbD ,*I6ӗWXi R4Os88.#g7 x|4Hk!k_)ҞԄfUĒ``Ll2V 3z4~iĚМNN A* ?(SCZcX/Wzq~o[!QJ#/n{,`A٥CwQ_CX[u-ն|"ʪt)YD>;N [u~ܕX3tU,>K|rYl }Hye!L0~Aޅ![;E~ N3ζإBjZGǪ1Cʱ^Y g@h'G`jRUU>AYe#&SMHC(!ko}+0';k-+YK5jG9ܤJҷ8A (]@q-VׅS`{QYkl*]sitK茑X 3;S=b9BeD^ WevIx7̈+yL]^EOʰ95Is!74Q:)Zn -@fuuJJY =lJtn4ytGFPbc =-IOƃ+E0K#hZf6S_mS27{/ T'2&!`v&BӨ;6HG,@+)JeǵwZI sT]ot\ϼ4ɨ6x@MUx Vh845=ƫPEvRQr:3q2pJ qS62*JD6\\ $G 97Z!K>83CJl*VEAYLI"^#]EHMu[T ]DZ|D>*%rv(VK1˙zRncm!h+=K6 "1 v$zTQal RE27W™ϵC[ZͭT^=N`ʍd׼TG1hξy @$v 0Dw/ {Pܭ { <Y\n m`EG.!kGXQvR>ܚ^-9U YFݾBm$v,JSr&u]]5AomLRh%&P9:u1c*(o>뗏k~D_Η)DmPivtY;/QuGqJ‘ƛ\vwb֢F[,ujQVrP9,Յ|.'-#BIyV^`X4[l0KB/3e~i2YŊgyZ;㖍uҝr"V]EqN&jЧ*et ڼ]z z#7 ~<qpx}N5. Σm2뤗4 lε2[ܖ|t6"6btfo2ЍH#WyK b^"`l ]Ԑ+B׽F0QNfϬdp9l5c807L;BQ9* Ԟ2[G*M=0=Je<޼1|׀ B歵a%jbl&'z! 76<$[l4!)enF3,vpPhEй 1S|ЍpwEJ^)El.ӂa"A[B'=q:j~PRXT` yh @D¾>F<[l8-YgDG ЇW~:3׾4g"NV Vm, Nګ4s=יurQ\W/sN=OFgQtCVu<‚Imw#/3rVJ:|T:%ͰUݻto*2_E(2Q/QSg;4G̉ {&uHɖ0i{S^ Tv‰4uc&YV1`B1e =r~GvJRq:ݛݫS"Bˣ':Ah=SĄ nOX񠿌EZIu]MG^^Vy9*h[1QaWׇt"Ѣv[$g*gr@eW\ipv,C˷P.޵iEжV?kS/#[.<&ש4 0t?!8 6c;3$aZFgCD%Fm)ݩBBMd؛MfOƆjzTl" n9 d*~ce`_~+Bo½(8ǣk/}wbjj*鄾B7T""Ԍ֞#q)Vʥ*\j2#FiMP\f5ߚT^&c WEp$gQ3p8)n&fDPX;<2+qDzD Z*{&[TkD-0l $^ȱ93k9};wۓ˓3nF,OgvX^]90Aў-(T`K$p5r7b ,ነ% t8WI2rkPƍy- }$Ĵ "`1-)X>1z*Y,cQt̖Jҟ$G/>6ե/Ԅ?=t@{X?b,4eܺU bhYAs:.jUOC `pFx|OYBT 3pK77;Us*X2TLnKʼnƏ:$ᷥ@L7n1_g{DV {E"xp=~ яŐ79SY8iN{Fk#JMBk J?/%SC! NDwf2!-LHz$(R 6<%8$a@~?g`g)6F[ ~̀`BFfQ+VXM{G|\k4Kz ʒ~CແzcMvCcܩZk޿ d͊{R~ƨ%!VryL=yM,# \/Ҩ;WV.ٵ+M2<>}!H0(MCAPP^,6޼#!8 qq=XJNBv0zeX`x8`XпOP~O(ۢeЇsubW|A1|a,h ăҴh&ptxDfMtOds?i`Gs'd>i“~,˟󠦗2';YKaO rWq8NC6M pF@ɸu@WLYe,iE}5Nd1TYIx:uϲw+[q:'Kr\G ӳ\caIoH,`DZIԱJeWu-ڭ ֗: Q< ٫pcW-H#`L3=+L, F[:4cwrLL&5ΑUDÜ7"n8 Jͣ"l+ڶj\(9`ZLi5cw*t$O %%]1 ? ~}$Qu/|{2lE|-oYDniݲL=dsQ.ץrAg^aT; DvIibfuDҘw6jS4szoXSQbj 1;Ah#Q~mS6vGgY;'$-A+6ܐ__Wc)!٧!Gfhi~ Kn$RCcj)iߺ0[=lh{|:P<7x EBIy S]XAٙ8p/ oitKJݔ:X1J,P-~ډCosЋ7ylIC'd M|" 7}V˘Qf-ڬ6ЗD#"00? )5c*cD2LQ`52maѦ##K-?^m. 1PUPw kƶHA-uH RyY22x|aD6^0HI=Z[-n]_V;xPʁ(c /c+;V:#q`}TD%_WDԟZ01m#:e?o;8kсW^): lf↴&] ])BL, R. i燗RxIb*f ˣS\{-oХs'G`DQlsx('GW+ˡrZ;1{vAyW {`{\`^@d c@n[|k_Gt>acR [-JM`mI-r~1~[B5~(fvIx^;9yYݦ quIH0-T/Ѓ5]Gdf۾ۢ񃏫s*m2?ӊgӹ-˟4JY F!K. 亪Ʃ 9f_I ?/s0c``NrO6Q3^NRySO/AQtó DLox]`.R(M"unp0EɧQ2IHԅ@Vxs됃Ȼ)MVW'm_{:42u}Ra1GHr:Aş<7ȶ+sO;sMXHBޓiM-†"tIDOOhZ * %6 f'f}l `cds11P 鈜o~1PP~Nr^iU $mʈjpNd6n{\mVLᄍ+L86.dxRT!y懮F|5}XDeOhaGH=,pYC{}2P+& ަX=u bh ~8`x #^YE6 9^f#ٞk.P.[+NsGR ՎH*(A+U`4bG qvN%lahC+Xczw8(xTIi)O·^`5^WKjoի̸-Ë?Rq# pA8~# ; &E}mi2o %5*7'8َWˤ4Pک #$@m+y͢ A'YQ8W{޹E-6V9vC@ny;8iS2n|҂,:3 hkSIzaT3֘prVIѿt2#{?\X w⺪oZ6du@˵yMEsXLcSN`z"Gc, Yk=3.oܿba -t`n5rk\J `W L@=U8f!| i!tm:MPxRJ8{\+2<ĕ5/~hWUx{u]'](w2+_ukf$)r08Ngh,\>.T6d,:7LIqn:aJK ]Є'<[bEMC;`#0N+ ؉~n`?/kϿlD&@Ȳ`K lL5tC=`(?S"s~aXr|єngn)YhyfE^|U7꽘IV@L(s씲jӇXbl=}}@C7+` \c9/?/D$(XyY"jW?lCǾp+MtJtWFQ<-@@Ė3-`VWp,*8so \$O- ObexC2loR`&DC0IIV|pbXʓj4[o¤; RIb7*V şiXjVsfV^<] < *Pgd]6&IrgDU̴af}\1ɧ`SPaxub7Vqvo#vsSÜq$-[QrVI&8G,ㆴ- "ْOz}FANppΜBPn@&?+7e|4X?JfjҳL L)Yn 3ItCQø9:6Hmfq:ZZGak#o+G i %Gfⴼz;N"WlE) 4qf5v7-ű"ptT`Y@ϡ/jqu)0ЪYYЍJI(lȚѥ>'GKfT}Gq=-#DG.S5 G d2 ĒenhjPZ],KK1hK&;:҉$+;-z@EKi7JYܔ% 1 楉_Q$7)Y1B?(>OS u \Z]˄Me` JpY 8ɽg]V$)+ 傫 01U/>́'CßOv%@l ~Yg:rm %o|!8hG(OE~?i|<&|L$hz#芻mdp--z]-,(퉝 v  K.9ր}"U-2C0;/ sb%rTk(Z `tXыǙ3lxp^H10&)x#ݑݥSWl qm01^(j&C)xO0޹<5 5G՚&]!Xٲ4ݥ!ir :ގN p}}%/v6{YD+TbfkH9Qs@+|Vga=_XRx֦åN|76g4[g=8+vf};a.+b42 }$fETMTE{a4nl< ѵ{ Ğ"01:N!U߬FB:٤bX|-͝tRZ>2t#5Bw]=8o\'zQx݊ՇT7f)dAsnfh iҚwX|zU1Rexڅ VMa[ZxVNBZgs3W\A)3objCES ($M$$$!Zx:_e$jdW}CQ8v*\9ܝt/ܝj`z!6~Alt6Pc>ԁ͘tMtEyHlL$Z\a$u (.b3\ !NRUK:*>Z&0 f= 5X8!Lwj#d bˆ|BWt[9ci>vǛSε$ QO<7؞ 1cJx~+b>ԕg%Ȯ7udGG;~Iϖ6p1ԝ";| !udyaoޛ)3eyr h_ Œ#a 0<K+M G$zh3֮Z6xJ$Wx#pQYMíw1VNUqɷt!抜 ުj~.IN~6Pra)|)Pzbꭲcpͥuh6;?02# 9U~}\iL`{6Jx"2m۲ BKa/ڬqeϮP)4*ήTPAXBsaWUUd2}Z 4be^ x,A@3Cu22M'a.V82 bx3:_z/n%>P%UVh(9ZQ}-{{8}8hb6D*ET#4{QY]`SމgeSIE;Rߛ-hh11>#Fo{8PZe[J/X(YΤ\l s+toZzq0k`9$~Xhᜐ}%po6O q1EM)xK|UQ#B_qAхiQu>jd)/BY-$XK M"U*ֿ;]]ajIľdDzkt &T7ʲ4'A֒AWلKasB-}%&:ߍՁoy]hK:(Bjbn ?D:2\!z !V 0y,my6=J|~ʁ U%r!Yj}L0} ǰeDCPCc-氾vP~ (,iY!_ \;<}R>thv̀ʹ6 X x94BG ܧl DSK !N=amp3)μW lzS ,f$4`2] sOA5rV1ݛ9n?Axb:i"dY0;PL~ɱ5!pq 2]FnŊ(;" Frکd^̚H Fpܝd|yz*\|$ndtaP0ˍ,)4om:ۏb@9.ip\G^/7W*$1t ct>:~Oeg:ySl^i(<ĺ Րwdr[ȄlG{Dԓu@ W*u $2aRyyv ,`Trh3 ~|eH%-p1b87вx  _U3j< yB4YZhsZuK'-.JEx'G{pJ[3 m%ȸ4nYh*2wZ.mbo<j0\ɶDYDQj;DN4 me_,_]F$FFenl.ܒ.`n|3кmEteš+VHjHuQuOH+1*9 t *2+/(LXhpD$'ЎA+'n!ՠ~*@2R1#ZυKx x&8hDSaAa hs-yu$-"&q9F"ch:\6iA2ALiboCd{j $&Aƙ J'Vրs8QA[z!i7 Ў )}QZVW{cUukS\U9a o5F)*،M fA>t;;OW A«_*{!ut#$U~Z m ]ɯC)+,Ť"<Ґ9PKJi^(-;HZZ7MJ󵐱zJ:@_4bb#- 7KMgyĹm#?{n"g7 тG+tZ?ׄH* wb@1s g{}-o381wP4 qYRXk8".F@豾m)_~%adH+)%dīS־\Scb7|$fiͮDn:Q@ j7Zyqe]"2q8'wo[4XFy0{_=#3ٿ{qT.]" _I B? 6XrxFr}>PkdկɎe!) ]m5c\ c-ђvA1g^nM$=|. L {>=1/zs U/%=ܽc%Q <{\mSdjzA]=0kĚ{RɃ~?}C8OUaBu$GQoEeVN[Eq ^kRp\9n\f Ξ%XC p2\,cAA#/vʰ5WI Vvb17z}aF>A:G yKFGb7TOٗl7sg4ܨq Z1ݳ};- ;늁#3W"#{T 'V.x}9sBz{ϔ2cP:FP`4:>;pȤ EQmz[]ĭd,8mg cތ2": w=*dG-M ǺSZ뺄brA\xC_᭳9^ʰԅB| 7/F.ߌlwIei׬O9'd5`:77eݦ[0Tupz T`+SN6 X0Sl|(:(!7z{.K&\ I# Gc [BZܢc*B@1gbVAogrVHNF]C 3 c2& Y%1N9G]oDW"?z__ X햘_TAs4aĖR8* K(`i%{pLV۰]j1G?J X ;#iM!!ߦv#{Wub|Yhe유)F'}sLN18>Vg 7a淦=Sdvlc^OAGnUGY4QBtOQړ&Nq?<]4"1[0`}h.Qz4C=8{ =`soy(9 TL+,DKւg6aғ FBHIiy]S94BcsQ3Y& UNxy X:ɇs_,BކRDQ|{ԅ2sA** /hU?{ =J|)SE|"oXJԓce_It &,,3vs"Լ[&ǝKC19 7g j1*pCBtœj^iQj]t.g zwoU;/|uefНڈAVK\+%V'i6ٛLZ.5Ϻ 2mƺkdX$FS -"Vy=OB2 2&~,1PsLX#BŁgꦆǥV!*11i EJWznI L ֙av%'S]!nң t'_ يq"fbu58EߺXp:^t[y"'k#ٵe[ǐU",BHrQ:R?mYEWV%FħWﭳH= 1MSzA[{K_JS*s_JG"JC pQ!szՁW*YQ^{rkA^[}N|F3C]+ F%bm-18W^ѳq^"IsUG@꽬['H%4֔7"_;DPХei͵]ll`Ѐ0hAAdX%yy󑟵0ؕ4P2*Ero)ۼ3kFdsBM*yHQ_j\Y(Tv>yQKϢ;'WѸiCEnXG6]F0ȑhn TWFA{4l9$7,nB@::AX9$*aP0O,ݽNR I +D*4Yv3y^˂KNTNr9~)=*ehΌ П<7>;ѕ8]kKt,kgz[k#Ig&4]_^w΋UP0f%[ Z~y±2j |HÎAx Nbc+xn:I$n P(Pcʊ@r-LD.&WBegcZo9xntQor17<8I~eQ?ŬP`ZKj,-1?&yfD3?'}GJtWr 5>5>\.(<I#/u %6r37V k`o:?f # P[vtzҧc"}oIje&T5RxrKtb8)fo_3wCj)qI r0n@[TzrxgXΦ;\$h?&6X-u|U%2j$ >闯IRO\$μ _btN=c$Ps%q6ܔ\#/It4a{Z@y /cTfW/S/biq֩䶟v<},xLR/әy,{D[)xx X^xP@^%rgSpA pFO 8L:b]L1v枦/>XA<D-:3>?8~BdvwE_CvGqA01aCȋcvd5]!)֞iM)oi-]#7 tX cל!<6x뙂 _ҩyp&,&k]#rY S~˒s}ؔd0nP-{Gc|Wh*^FRh0R\NO[ %DCEnӅ@o#8Y!DC -= \ V D8!.P@Gvݬ{Md3A<6? '&&&lM#yMį2t# fшH`|avp۸ZsQ_4R9/A%cc,\?Z@n.]_:l30=s錰gaN@魈qU8ʌ\͜+=jjXV8qUhQ^V3BJG-h>MЙMÛkTyla-4 ѽW' >#^naG6:CsOlܪ kTG/7C )Yo\6[my[2炨(X_S ,Lf%&W] 0-k BA5X|Pa]Kr 6UeS+鶾z,@r8TlkDu|-mpmRm? i%4:<Gc~ٟխ5ﵝMn2֓ DJqqfmp9rvU8F&37=su':+^Bb1%J|Q~p vݍp5s\/F k%chU#Ql./X8TpK%+ pED+u$mkmT13hf(e6.k%@Ʒ eqV\?bg.  d$U!0 6s宴 8L ~O%(iф{^Na Bv]tK >oQg}e>pbG5 Ɯhqh i3S/Lul<+;+@~ǦR)]ɾyw_mGejO]c6s= P$w͘QK=,<'汇AW@R`)_xl u g\9-˴&xNA 䌊TWJ .{v1ԭ4a;x-?z KXv#(r8)GEtZ|O_]gi7Y'sq8ic *C 2:g>7,yhz@Ux&M4ě o n/d 6.ȩee31QvE3_/v0h1S4u+VW!Z"D)bB)Úf>'jϙx]W%a Q/㌓:>X^h>2HYr_OeMOM5>QilS6 nPvƑ}w`1r%ny u2?^bE`lv9ӆؐbI\MMI<{d;O+$0EpB t+~{DEţ}C҈nn$}ˁFĖ ?Ss JNmWn̦D #dl{<=QgRϹ&F7YX:F46/@k,>|IaܫљNlxar|ȸ9pΣzۥI7yna5q$b G-` 2 =Fbli˦sĚ t -:/g5TrMBUuQ+jEIf7Sj. -{͠6BERLWޝÂvq$O?u3(dx6YVNA' VHIX,ےㅸ%",}Os4"mkH}Ye\#6x|(_9& ۘpUA&+PBT"SjߺG2Ĵ3eDh)ɢE!?;ձqJG_/+J # O#C,ENڪ3\9mp3$S2H]w"(ܦaWO )a/p &~׌mN-]e,tӝ~ mFwk>?ΘЇSyR$usR+[`k% Sz4F9b &xFaG NǼ4͘nk띝kZa4ރDh:&@Q06k?Ͻ 7%c˿x3$ȇm|!,*ԲLks{\ɯ0%f$w\$nڨoy2bۣ,7RFlzUiŠI{Q7Wk!jmԅ[[ Ũ*ZDdVc&d ~xU+#C £:T (m|jY9\?яJ7j+8~b4juQxSܣy|K롎l?d$g+"x%^oCk(GXLڙT vt3s/#cP/7ZQ2HzQG̉uu[\UeVo37Sǖ!֭ 38ynDKJÕ֩qKn|&AJ zcG /d¶AWY<|T~ #*9C*`r<|ou䃠%9#m b&%,' jbU>QD&@GS2mN!$9bkH^aK\KtÕ,w:}JHco6ɉ;z_-0l*fh>IO* O&-Y#4 fW@EN"񆋃kKkG ײrRx6 1[ʇ.})몢rL/1/"PL(1a l6 Ex~^xeBE52:EuqCSמirncB+K<*v:""/X0K&l4%?km" ;do%~6uR:DRX%m볙~Zč> Ⱥ6BuI0kFa$0~ϑl={ z4{D,j}6&B2Cp2"Y㏳{)3z3d n3{0e֩D vz/F锊 n,Y[u1~F|;ç-\cLl"E`y- Lu67*?qdH;ODm_sUۤD62*`yOyeƿE9-j aeC970&Tj_ω,KTd>H%0uJ xjY.M96QCuP{bep?zk'e1UeTV5Tyz#aGO",tlVE1N9Nmf1\ z#{,Z<)/P$du5wҕxkpf/}T֔)icVD\@AՇi{>qXj2Iق-QI%yuk |]48=E6Nufnm]~7[LALd%78.|m'w4@% _ ,:)jEDw\"%,Ӳ0աkPK97EB &_>^^jROkyfLbo'b ,;[L’[eT;/C{-A.{v/0ڷc|@MDdFg-KػO_;ꙡ[יYN'*.?z\**@0MFPj'ڹcI3L"+'JJz.tHGQw!R8+8нd"L hU3#$ ,)zJO i:_r9xu s>ӫsKcC?U@J亂́ vy"gIIG( 7%g; ŗGTJ2KbGtQe8}61 uW"G˵%7ل9bOw[8<8+ jM@  es=ƼcN?8sb!k",ٟεmlqʸ9_ 3_ve~Z?Q.r1M] |Ґ듣?l~6mw |e04m> (qb><T:(LU/>yaA|,Z,5bԫfC5>ETS@IbzvyflpG[oa9ҊmB|e94Ǘᇒ\woSAsךGdc'}uP V+jԕʑZ/u^V :RX$"!܈/ v3i!Ss+`4k#._,9ìM)_dx ht E LE:9S$E۟i0B'ʼnw[' #G}'Ul'ƴnj* w G=@As>PT(-3H?%FK- a|4,VBK^0w5$'fQ\^77 j?!/ϳES-,gt2BJʹB n}Ԕj'y2B9)&U qa7ram8CgVd@s4_\RIc<#Q":㳬]'WC>]'Rs ;gX6UZݸKP1fѕSqt~OCHNsw(v$>':ȳBl!]0kSy$ͷlɋOIEA!g}pyeoI֗DT4e6FjxAz,rxˤX~Dﺩd@zŴGv> \bֵsAܘqM>Ֆ N &1\ݘy;Apid^FU hH{p踄yI](o}643 e\R+o$<~U4E ۧ2E?i1 j1$ܖ~^ 2h^oR]u$) m s$TOz:iVi&Z?͓6 {>6]EPDA׿ Ic= 3үMjam ĸbǬF{' AUdSYdD՚mrc0uIjF 33~(7v:xw4B Fnk45$j\yk0Rἃ}esz"mv7I_M[ x_A+jhK?^1>\kpT ̬d!*jN4ךt^p# tOz7Jwaש=b`Rdb@? Y:~xEufz ,bl̓^8aZz+z '}d2D2NNEHGU.s5SU.Jxρ+P7_VcS⽙^z#Caٱ/! ēZU0a\W-WŎqdeҲ 8\o wO#8ƪV~+DT[g{/Dۥ^0}"B؈=ۯ]_l9L:E.QQa>nD{?2T3rh; CU8}/N9팼2p<9{CNuwD'ZuoV =9@|K8>LO%iU‹p-1=Ylf0D88vBsF#^V^hSӌ0tw؅Xҝ7MJ1ee86֧v)lL_ Ү]>_[+ . PdmC]Y~BU =3f~Q~xɭZrTNR_#h)Z(Keֿ}Gm(;^"Z5LJw#)jK2j[tG%Ę*`{s-\TQKOiMrC'<y{DeQ}Pc]p`// Bʇr{-ۤK {10~N4$7Wdiȍhs@76j%C(oM&7 {48AqfrꞋ sl[R!n0RlC/o]|ö]>%݅t=CIMb*$: I®ҸO 2 xOB"HDI${! b4(CŎE2 N*eˉ0fvN4FɠJGK;J!܁) >[R"D{~%2u-0eaL?4W`\zv4vF Ⱥ|P=ԁk#J6 Ѯ$i5&1ZG64Kmyb{5EEU)Xz}r>U\xԻJRH{3L*i +Pqv=Dw9X;GEYQQIa{j#!yDY0jDm{(yCz^T#Vr(@D^x#W)v4C;))o92֣_ZM+vc7Xu8 ӽRFIY*gkD#]ɚߢ&ɲ-"c[(Pe`Zup2v`٥B\Qnc?*2c^&@ΌwMp_ GQ[(Shz7wpeP-6q FSk-{5Tl?lu~)nM ?Fw/-y$֔1 K"V sȼ'㵛̴E{(R|?  8WŽb@J[PH+M. 06K^A䖶)r+:lDd웘ۈ2r|ה DU}ΣE|%?E(uˠ9QDnj Ly^2m}uDIœti {A%4 -9͂߬y(t0 _TcdA^ڹLpG(v2s&ɺ|u)/.v5Zb0$3z9ʇj~&6Eqg5(O bHh\0/fgʱFEk6AWR i_kH>e$r U;'er+1 搱#vu|Ȋ5OW!"{HY~ >ٙPO )DGU\ I4C 2Des7X)350Mb!6.VAlZ yiJm^Tۄ5 5nU; ٮ 5T,g=K9jOAlsMq!KeykDcoXJ E\mRf|/ CJ=k(ZW8I[ꝎlEBL6qp瀻SLc(L佬fpHV wvyQgF۶ xwbT i1Pĭz Gk^}?vyQV~w5jOYk3le:̕t#Wc_8OJɗL=~GFxH&⭬9-hbr3৞*(5+7ڶJ--`D/uc V\* c {)}9əe< AcP\9~f#IA:iV/nwmz>_|au)`t80@Gr.M&/nѡ+OSCSh#m)_%VYg-lb7Ts;§˅EE^(]ɴzCd Y= (#Vr+09 68>nt|!N 9{ +.am]%]fM0B|wj` Z.0+#[3 akVaDؘ ]rƱቪ|X]? UUWt`2$F;&ˆ<+<~8Bf#eS3TW$XXTOU7 JAtTNrAW-\(H5\a~z-6 I#S:j?-q#NF0s%IAO.Ciyʁ6ьQL9J Qʸe 64ER؄j/U2kHxa?L @X(C['HUs*NH_1iy\Y:8ˌ_n0$hѽ621ehL|‹k"Y6;@"z{UqP4NurFtAJpSga+g imkSOc=_= <]vK2/g@z-Nߏ\~VT.7.A"Yʉh6óޢt9;9UT`cBtj%S{+ q(:C骧CZ{50̾E"Oh;2xծINAPA]w,u2mĥ̷Y%b3 cB_ҁBrWwt(fM6ssF-JCʖ bkv,V8S@٭ ٣S` 08n=MOy0ǟSjG񙦾g:tw")b wZT͆3w9zCC>d hsgmZJ|[ 0oa\EpvvXӦ?†h/Bbzæ[\x).Uw`{7>{CqBT E؋3}n,>@H'͖A3[>(lG~* Ɋ9:/:ⰕӸHCtZ+*~Ul׃{t\gH=ֺBٹWƾ\$C0/|S&wv>ۦ&/B 6|s)?^_(,znjR9AQJ߿S!LAm2v6p _^4Br4\TC'nኖ#/pJPqׯ6$azGϺWڲ}ZmU5h O~}Vg _Tx**.nZ'CeNeS7; o1 x/'c$g!ܸo7rw%CF>|WvtCzŝ[73i [d5Gpnn+\,"#ZoE}vWgoL Dm}akXI"W:zhZ-c,,*M{ds+DJfTvSMF:4'pkq4t4Ԍ f\@C) 荂 Hj O 3L 2>\΅; /Lm?9]TU;t?}W~奦vJaD5 &eR9` y q*>m!Uك񳌯ީRwɇpQϵz%eM+<^@)t !mH&+S. of'Ou2MުUyR]9#j`2 y(|-<)x6|}H}|3g `dT 6F%}:cHN'dxo)K•(NfnSL|l3@&6NuN?C e,/2~p}4N NP- `=RpƔDh[&å>dz"KXu9<,Ll~(%~Iu7$۷eB]=.Yfan)KtZ`5o`ɠn,bkFMgBr{4)lqy;.1aֵ%CBznf&5lm j5qa#OXP^3w% ?/+Ǘ(@#0Dtlvׂ[yue)&x"Y|)00cgPV yB) nf؅ )S,J#6 >(cQo*wb/_8*LlU C=u%ʍxNQB:AaV'gΔшStwt>sR*Df++t)` ~ >J NֳŰh@=_NbNQN8-&&% ZIiQҎ֪[E SұKvx:( 'QH42m\PHxY/tZUmԕƓ0iO,F"@|s7VW^Z#K} ID=bx5wc-x-}WQ¦`.Nh] Hog:858 :x JH_& yӠK]yM%&_ 1Uc^CgQЋ*ƞEfl.ا> _sˑ{Mki\Zg7&sp1 |b.LqH> )^kl7-O.%lP-`$iƸͰroB%#Z?׳n{;;iU3s|싰Bvo 4*TAM TaQ .I_ĜN{lFGhnXT|`!b Ƥ%a,I)rn)̈^7PPgͿr$!XeN=i%w-Y 5h?* ?~\*Gob†2؝.M<,  '#0ZR{ơp68u`[]JP,蒬B?xHy6y21Z^SKs-QXFyֵa[T2&2~7??&)2t;_DS{[gK +0;%zlj OB*a&݌Xw5' $ \ȃ _ ?4 Qq}5hW0ODgRg>z?f3ij@MdFU-kvCݷ? Dmo΅cډI"ߣ\WbߚvJNUζ{@C?7ifY#l 16tӳ2fNHNݬYA ur+D$%@)h\̐$$:/LQ>AJZ^y~CÞbqZkl;v|fBY~0= u X_f SQ.>tb/R"߀6T>pPIʀ t`3q2~(Fټ\NM5:_쨔Ю^?$PcKN'k2ehTMK:6-1y!PxH\Y%5)s@v}߯gn&&p;kl[Eo]+Hp>$bt:Jn2URz88KG zjb,&M`ӢƔhBlOec͊n}>q!P @`n-0]yCYn7)cIǙi֗= d%:g.lCa4gٓZF`0Q"{H o%K_?# !3L%TK3`N(#iH 7bmۖ1 ;Mw!9/;9[(Iq&pNH j JܠNcUb%|\w6"H?0x_ԭOu&{Afh@ڝ&3@󎹁4Eu] m>q٦(_ wF SxJg?˻ Oi$g]!jI;/p|kMR=Ut)7Y3Oxz{Tg,'BKM{>T YJ;ݕ96IlK?C~;:bZ*7 imTBo=ρ&jP~$EoU(G!RT3x Rľ[aޗK79wO ՋD-tUPV$`8fD`~kk.,aN#p~rw;L;JDpX {L{LǾȠ|Rv8Mv"o<3E\P gI9 3gcW:KXn[kBZ_ÌbLM*o,(Ѝ*Ósz t ̃{̧?>=xJ _b}G5@ww>v˘e`by7Pm.zw3+QL[Zro3 ﺑ/,l4F;7 XFTR^Qbw_=;"}r i?BVgcZ!d8aQLJ+$?h oYÚ>M%dnzWq*Nm]UQF5bROXJu5C:4>e<4!2x(V UHKD@K^K*Z^ J!O!*EEh]f4V"1C#,i['[*Г/O#;E(%C&oFS]ms&^bAQF'4r)k%[yΜ805ga#XgU )^,1vFN0~4|Nv1 ȥ1w},D'b[o}+o~U74҈op P5v,˧"|q@aJrbo 5uR6A}K~[ %]d8Փ8^^ NѹGEKa˭lq٩٨m~Z S,3.3|5@, AmKC2jͥf Dw!Oijhӝxm.*K/Qk./WOqe+ e9tRj\||g6Mymз&̟ب9~IA֜HiY:a3 QB9x'G!v 5PĴ_5.~zR!{&`L z;q5<2cɷDN69E]O)5p3ʍ3k\>JC<8x{FDn \N9m13`xlOg: J $NM|jF1^1M6ĈVSy37|k^ٰj߀^ ɬhJFsn1דd hdd@j=##&jr ~As Ys}\^ᅌ@ݠPhbqs|/ċvTQ{tc%8V?28M9%v~Ka$đ+Z"hA*{ 0XVpE1lƍ0l5t]$Ԩ_TĢˊ1,@VՒ"(pj}|-PQ5}=YU ގrg }Mwo)VxO!ٝy$ ̓+2e !5'SkXCG%EM M2…6|qp?E봓QYZb Ձ73 }z߾;]{I%Kɹev_C>#B>жxz HzHК`u(Nul: Uy\Ee=\܅ ƼM;Ǩ.%(h\.%oު@ 8x S柬Zݑ2.V>,Ǿg;.;I,ycvh\sX5ntz:5\9Z'&RX ظ}?} %=8nO%g‘x +{%-SQ]0j+F[M_xMȮ]d+_ܒ2_[ذ@?2ZZ5#AXIeMOLJm cΏĭ GkN,Rdƴ֠<%mcitO\#bCt Lr݄k=)G q o8qc'ډ!)F@΄ FNTsF.7*APŽU!7l4LfoGufķ_[(\>H2%t!n~E9 bQE(& ƃ2I>ciW7-XWڈHEq-"\VT~vZv" |wҿm #i3tT^#dQ43ƻ0v 㠉R)VDzRKmZ l 6rHV<9!,$>\sb".ٜt⊐-:ѶR >pmXFp5a _e|)T=WAjq$(*%"lњU_i"8*/nOg4M'_As:[CHĿ|pÖ^-WВv Kڮnnb;6,CQ5BkHmƻ'/Wml4cbx,IY %Cf/2r{|'t| z. bZr:O^l3XC%Hd{x/+maEsϪ0URG(Q4έ\أ~k߾d>vًz-ȸE\FlōIjC^zCs1 &0ykh<pro\|mSHjaW=Ymx,o( 7ɟ&_t]) _|.l flCa#syRN᳛J!#o'UV暘OZC/XTRCZ<,+gՙefUB>nr(a!ttE *[?Gi?q;;!'bK12{LaGHgXO3ęx(Mu ?G8E}LtA0 /O?j˹2^نz -T)B/kAwߵ6_4EbS ehdҁ Y@Õ +=(O{ܙVz8)"kIk l@ky֣: 7[?9}X&uKU襬Z(hJEXQy6v_-Q ŚllMZ j|.Z*뢶e}J;s-erBÂL ٬2G /_TO[ek˳ {0L>;f"ZE6dzjm]pFu Ĵa`g!>Z=D9 $&,SC+P&#zJiߔ o4w E/~xk@1;Y֝ԞJq3V/ᙴk`c⡔zE:[o[hؒWuR1^>u?̕DXǙ*Xɟȫ/TVrTKDWZe]gZFCw)WH1\@F֡!q"f'u UzS.8f/p7d ufH!I+ٵ< hH̙K|hfC(1/COʊ}ѣj3&s`Im?B8iCtKk { q]zKIRgvCm#^h uυfqyA?: dV6d f )0'z]#طs|BFYiU&FWHVGQ7āSEƢ+ URR8Mhmyf"G7bLU=A|efmlwԜؖԱ} [LBfo<,qv|*4GʇpfŘ=. wmQ%8?퇾8{ɴݧ=O;I*FM#ж9Yhrb&0ҧO/6$Jե#I HB@蕥S8h芕rqҏ\q;/j5uTn`9}%$3?sn9y.]Pİ@Yq#+jA%*%[?GV$\  ,y8{';Icd0@ kvnc+̮6Er~5(k6{[y] *QRs}z܉]No ziPÉ/\oqr%sz2ʍsAg>1MS2SʗvJPdѣ~\͐W]xiĨ4?u N>[c%rNQO>f"QEShS蟘̑q!vgUuG22=d ʍMR L.RbT㮪:~qhr 7RE|Y,Y:[dB7sV,{ H߁" h.!oA9I0a'4"*0o \k~s55No_C0 o"bYťW~a802}?0NbK\"74,Ns46HRXIO]]F\}ЏIBbezT/ξ +,qw_Q_ 1ŁvF׾X#oe3d.K+(nY2sBH1akǓ> = BqRD+ x,k=Ϳpx4SUoiWN9Z#gHä8񞐂w{ԙdɹ ]z:DgH -j 6.=!\ DL$$9yi1|M,qbͶD~Tl= Z)L tvI=^-F6 vID+`}eR9`%/%B鋻`[I0,H Y$\|}P`5$^x%.9/Ki3)1pyI?w<05޿(5z?Jkp^+_b87_׊/{/̎fEњoUmP{XP@ZWdqxt3j9uL'piFgh¿ksSOc0Fظ!g܏%9gt󘽘2C2 ˿&)wO<ͪO{< Se!˕:u{ :3$$X#qJ^6XYc;rk^,K~#bI澯75;Ơ=/Wq(,Jo- q\3B6NJRBI},Zz8H9(Jn#%XC9%Y&opԍcp[e^;;6^;`> IG, _rO,`TNC4eS6yl΁]8JkYL:N`R v:b)sY,g=RA" lH;sO]Nm4M,A}-A0>%J%۽OuF~Î/`ռ-k/H Rt ,L[B,}Qfb8C[Gft@_ Xo~4_'koZf >WSCg|Lgyטodϋ%-q3jRqpXLqnr (aB[,_ɇpCz G9VjRGi|ʁ-IN 9P 5+}~ P4uE9vD~/SB.TNuS&(c: : p_ :8\B ʼ(oJ0.*=Ȕc?!q3PXnڮ98?<(RF:'dY{rCKq!n_>(zWj,V^vfel "XSOLO9-l+ц 5^ٽP!^:cZ1{wz;/j!  :AifԷ\Ra_&@D UQBjz?%Ĝqx*ҢrIPE(uJDHڹnfAhp(AUGT39g t#z)u:/U/II/:6ok!1o wy e30fj G|.;A_zd- <өoҒPN#h+bj1Ԩ^(V։xރNn AC4-\;'f* 'w y)IVlڼT#w Tz+!9wCͶݫOCJ%lk6;v\P|JP;f-fkl{/Gr&BT~إE,&\o& Xysfmޣ+n".rDzEp#t`>=[9Z^UJ6qW "VXDNEohMHFBK5;^씃fm~T>wp}J\MM.|!wyW {>fE¶Trtn4ЀHKfzYf^pG` Ѝ]ofer1Yܶ o h'N]i|T=M:TXVƎKyZs#xJ LyU޽B3cH$1uEeE9XG*56gOӠfzyF-~[ R_Bچ{GUJEnW9 wVt٭sO3<$S ۥ. wbwpiwp1ׁ7S2SH?U`&(K^ӹ1 ܽ+N^JSJHwv{K4@ycm7} OvᕥJ3Pjd \HC2PQe<5?TWN.DE"]˓6m\TPY.C 3f#*I']GGmvSNZT0-8G7r…Iy7wiȸөM n9(CB?cg9}dnw1])T8$^+\iGj_(ASm)ڽ*P4!MC[:wV[/,ҕa: PW,$cAsߡ}o,S~2 tqr$1 o' <Nwl(dܐrR$"<Pj9p:s!!Q|:a 2Q3qdBݾGc3˜ p2̿ux9Z.zY[xSMКb{/Ug%?|x{\~jiFl֗5D Acǜ&Rw$Rʼn7' AkBre_ү׋$hdQn&hi>wߛrGz~p[ڶN#,}|] z[ޡ,b\TˁyT&W%oN- CR:jLYNo:GD?6,Y()}*Jcgg_~!. qĘ}>+syAN +]+A7M,JQƻ͟*c8Av±{VϡQ% z޸TfĢ{wTNRv8 'd$sJūd`dt5,{SОw[8Ek_}˜v8p/G1L 5Jv5Y/Iib?ةHA0M0ڗio8m󂰿(N2_Kh`1w߹c6j?~Q<_]\+T;w\ȓ#p\֞ʛM^Zе{-QH՗ݏ&hFń6Vki p0xVzdN $"Ϝx6z=_y2f*uR?NkJM3 )ؖ4Pufu\^N;BD m} E\Zaⶱ=̫FRI>yRmAc_6 !|nh`WA5oit| ]SRQ"׶Cd/%| O@03L]x_pi=H'8sI—뽨^9ډR? vcCBkm*)L3 \~{{̄ QVF~f G6-Am`&XUM+=z (`J +}'Ҟ)#w]# 9wvh^-04չNXuo2d3&<9B$YZ;ydYkI=o*Dtͼp;ֲv+?'4ug0n}M2xDcaZEosO 9U09v"7 jM@}1(G4,3xXX@[ӽF!#}5);0bU$0!>!~ȫ|d]^E" cz(NZׯ64ɾ~(ҹ(fFJn> .=bmLg0M6RYnW:Lxk=UuNH]()2:'9^d⥼z)oFhQGjD˩x2$7v׀MXy (}RVh8|N}PηJsNS^~QA*;Xmӌvkb j&/←m47i(4`NTbaXz 1ABّX21i|Vc?fkUۍ(#GO`Y}&nR6zpNgNay#[D&(~l>P!r w[U9Ih{ g8Q^,ѫq[uJimR'9{%nXmu)z/;kԢR JEW3qB}3<:je>;cmFtd FJje^&;4#+,>henqXV]@$ٗpteu_`}dÞ%e{R9Y#%覟.SvP=ZӪ1 `GI} qu–mk_ں-OV?w 2r%hv"B@;dT>% 4 6cJhꥭop-19i)5x, W3]Ajk{{+UxJlY 镪,7KA*wg)ckY܈+hUٮ(؛DHف%ׇF 2D\/\bx(z*^/a99 uV[9 yS$ۣqH 8鲥mdpG6oaދa,{Ϣct2>4fwzk8p1@W<39ቡMChΠ&sq?Y ]Ńy!XB<_{1'O6.ZOf5XϷ vgk36숢K@޳#C㟼?n[Uzp: =b]g7Ol T3s]F%g9XNc|W3}h};u݀|.>(i<#M۲#TN;ў\z .7ʾ謦 "KJa^l*#}6ܛH\mEQNt鞿"Ȩ)`B|HHPmcƅ4"oۺh LGk19[fJ=0T8x ΍zAp5X gܱnտ.9E@?׳J#4~,XuɘJ=S5mWe0.8y=iЋwD* HבHNi3lL"衄.(5c>Ihy  3 d#aTC@U ~/+ PZ-G `SJ5fAI(I^rCq{2 m/q|. Tx#-&iҔ|װQlr-(HBwte`a4,yk뻨l$s[0׼/ 3R< '#k3iX5r#ȸ.}ep \-]xR%8(7R"YB)=ƴJ2bO;EX%)dNV1Љ CT6A c}L2l+^= XRU/ZRK֋ 5kHjyKvL[|5'}p毥`rѦ"F^ (ߏEBٻ)kā锊A5Yќy5wWڿ%j uu ӊF(sA=q-/bk4};(MϜoe0A+ܑRbxfx+5T0ic2 H~{uA$JԲW&5x| =[{j%B(V>ȄAG糀1PH^e1:DVCbs>"i5.ve DV|^M7Ӽ6iu D$(8ײy z-A2k0'r2c;zbf!߮6[Jlc+q6.[T}$o ZQ)/KĀZI tgFH28[@U,D$q0Wjo]{_1Z@7yo%N*%-GgN vZ!h4Ҭa:tO_UDR/ 1 xܡv'ٜ1J3H;wM*2V?i)+1JlJmӋ):i#yɎq(p0 2.J&.~hMdݩZ״pt ôtq4.`˔?QcE/MJnt1?֌d0p$>sL/f5jF`MS=EFEӆwƻ;٦5AZCvu#1"&q#äXy[\2rZxPiefCҖM,)ܰM pǭ݈s::ue{gқ1Z7t3(و޴1޺_n~+)uSηTl+_èUK`^pN|ܝDz,?҉2d^ܵD(\3zxN70|_ ”H8o9F m~gHΟD\Mle_?ZgExMw*;hLYjv4;p*|*/OaVLJ6>K< R%#u, Ufo^`cLCfQxvY6a1;NAHWa]ijJV wHqy+# Tpp[뒔‚DK:n}!)t>BSGr"@ɬmnl vf?2> 0sf}D'N7TR<**wSmZ~~APS,~Rf>\jI {Jt}5 N?Ma33VBwvbmۀp6ƔgύlÊwHR)wR! &4B Ôm/@Gy-,+g1gv8F_]^l*wpiI !k Cn.9lX!T (PހȨ0Z)xUYFd (T/EaBoNp]Ȃ{n\zI-|D<>qQ_&SYz\Z=J8P"Fi=sX 4dDr cǘ_pzA灬NgN$,C7X7T  ߡ=U+W[o5tg,}i\KQ&%$x,//T_0Kɘ`٫c4C=@Uwx "(C"8<ʟ,R¢BS7ŵ7]L*v&UVDh?g@~tc:bL8ylڇawl9S"8bmDg~kdV@ct'7I+hN*)U ̅܀ek|2)~ 7F{gHty_2Lt oi %uJ1jrY8?ⓝM^0Fk^I֤)x*,RBtFA K%,/"8wEK(E%)vs²aW b}yaR}dDws1)<9F"B2TCX{Zn p(֭mGsۿ` lĵ(*@`db [ 5E$k*M[3:֯_jwhO: ɑìQ"nM09ق} i31]KQ$| [\C +׆QWNT?UHS뤞s g.y涎X9۸]0L^(Ir6l:AFdfҽ|dZk1tmC,[/H`t XĔPΗH$rjM344֘$C(SP;?s3ULͽsKNoSB3y)xlnӖl 믶}J˭\ pUK thxEb{ Z [Rc򴔄[,XBep@UCn(ee}wr>\.E 9]afmX[n~\R _/hРfᓐ4;gL$=ő +O 8)H-{3↴-m")!Lr'.ΟlV?3I5Q$kr ׇ"z㪧pMYb0ph|^ ⿹VԬd;4n%GC=E,)O<bHp_7Y|5)UF Blxd.dVHijZ>e 0K?v͎/BSw)NFވlv+0x#Gqwi>zSe[ 1H̜ fdOOčDNU"2&1hf5ũh<5&odzN5i o>11i+3T~f=Wr0->}Hr6įg;U m~ҫ?qf342,s7ɑuA i~$KO4}oo0 ׺9&[F y*V[k'jl~+z눳5/reo[!ShqOR@ wV|D\!c!u1G(#|;{1WoKB0OMYD=7xQ¢@O؁JXS /h壧,,^1~5:k=\V.|XhT=3AG%}>+tO>Ԅ(Bkf8g~-]2QqE C^VKѷg ΁nvԊVACZCt#zC;'?D̶f"Qe=Df#`E@cq+F ƀ) @3)\#Btlo:Mv PWk Z~٠SO\8uPf,vfb5?&GyO"\V4ro28Fx웥0@훦/%$k`ɏfԹYKyۅۿA'~] 92A*/âϳ .Yh x}_RNvFŸ2+ߣkY*(J& .H ]2*g؍U %3o3V [1Jv/5b=ek7 ߖ23#.jJ74Ry,ftR*cىŕ[@]%!kSt5@ ^KR?}2)%P߀ N鶧- n>Cl:TRfuXn8G;_͍/ԙ}frhN%R"HR4+Odg2,&Lb C0ۄ)M6Lob\ʓY_~ժv=๷zonY+"}aї3B1Ok ]%L5e=-YcS~zX c$.!>|O(ZDZX٠K!_粡Kpu[6 3<*Rde7J ` LrvNʥOfpj&&<7M^/7^,"#bYb~L BZO > \3eN+r)>l K}~Y:WpL lC NY(ޱF:㕞&I\aRXY=QeڽL |A |"{sZhYUzƪD Xz#M$6֎tgژf+;)wKG;gZpv9^z֧TK͔%Zr:QV3Tr^ dXBvmzѥ(c#=/d/{7J"RqYmM:lWGh?]PC&X3 :dVܕr+Ԇ>K>˄msǮ ],j8k")6ڷC|ӤZkggrZl M# ll Ab*<>TٔH|:!tf 8<cΫEj4}/abG|r<b>$BX-|088@)o, `=Ju C1*Ϝ(iH}etkR(K!uh`J>B֣k?k"ޘ0o6 |h iSnXݎ_HVݣ3K@ 8Fɱ#:q V;M5_ԨAoۂ\,} \e0!@*cWT Gȼ&H}$Pd #? Y* n]>qA'R:\ a[uψ)y!T8!wS@2~J@a}m%#N=!~wN-NLz~EpU8[l}+s !G) y="\frc^!cߛҞ*cs[ ʀ^.#KԝpΤl;˯`b>GwoH# t,؈nW97X(w˚a|.c  -C-y;,TůDu{4PŹ.; hiRSRDzW6Z"<X W,$%IXԾ4} ۚwv)`0l6ɇ*lťض;o@ m.r"36Իֻ7iS'{ll P=k A+MklЎzYn:<{~9F/=şZZ D@I; -@sjFadOVk~W=sɗU+d;y`ye}G H?(r%ko=w(lcmRoɼhƂBDɊ)]"xAyZ|!Qpct{e%2b&tጧS?O A{+J51\/܎ 8.hc@uc!&JeF8(qp0ЎYfA,@b?hh#eWaU9e?~f'1\PB.qd#.C66[xcj+7ΛgB_ddF}Tlh'bF=ݑQŪο-ϔ7ޅ%"& 'QO>zg/[ZɰR mPpKVT4 #&V%!ܓ=ƖO0="2r1;+~[h>!bE>$Ŵs: pk+ vi+" f 6+' 4ˮFaeh DٲJP'j<*?; D?$Չ57\\|s$玲9(GY.CqS;XF+]CHGiov_Gۏmt5儐 )e.hCt/10g3i "[d-縢hgD%J8;i;9Y5U>irWxG5uzp-^H{%.:gi/ o٣tZLKW9ixZWy脕bːރL"`(| ?~EĴ"!RWq#x k8\{[җuG~DÚW'YЖ]Ŝ|\FQĜ%IPAaG[T'9\Ed fHF$XAC 3Or06DfF'/&ͻF;W[advdfv[\xRjYw܎RqolU=ޣI?qY Ql":y,˔D]ZL].&R3ߘ]l !'5 {&c yfHptXL`٢Ӂ ;=@˜WR wٜ\I9dׂx䕀#_jH] iE")Ὗji&زcg"=W?.W PðI*ߐ x8 VBlDLjY`֭޺(kcqvMl߇:9QŢuV T' B^ %4)@áV?빜'3 bwDV,/Jr?o%I>(*|5EX Ð{|AkZ9ˉ'Gpۗ6Q47K:[cT~+)Y},_1?`p9q3b8M3ũFw~|dcwGn2Xjn[*&g<@i{ /0 Ps`Fv>hϒDpY= Z!?1("n"0eq{" %d10{#wã݄!-GO ZK< {Q킼b r?$x.RIuo/jPðdz?gq<\ <VVWp~:'ZW6OT[lwƣ.aؤ3;jj[Jp>?'ڥX+B'e8Jz`V(k eS-_jD'oz/jԮs*Ÿ/Ԝ黍2;/״x( Z }̓Q068ĊFx2DMɃev KFwt ‰|xsp@I!Ŕůn]]](Yl quYDˏc?GI0]G/y55x^4L ~ȑ r?BνA猼t~Iho"ևؔ_gND\ 1 ԝol9E#*.%hSJoF?R1z F; /Y7)dpPW~` }Q>TO< />(/Dgv%;vOt`KCD"[dLB|b ]5ӳisTܽR w4 ^̦V$[ :f{o-<-Is&Qf3R#u9l*nH0}pE9%pqKMX"?N/pHT0:Ru\rZ}^Q.((yBG Jb>ݚRCN#PB980HɡWGc1'2?QY|m=bX۫!rVH6h:elB04E'>̊~u0zC;O)D !t6(7Z{=|iCo*"S:vo]%f#1TF^ܼE7#CPo lw*?el3RIEe /ߎA=gb&q!bh>|lv:0͐_3i{p,OP@ĽN @a\}i˞$&Eb@\ =S5wiF6.?w\S|35wu=IH 5iқ+9Ef 瀶=p2۶.C"FPj',11]caJL͚G~Ѝ'2_Sp:1nb,Mb&?v1JϪn8aFp_,?ml sn~1q߃Ŗ6Ҍz vPvH!x!\_:)֮JY5\ukx-.,0awr^v2V)9U@L smS##Kicu. .F@jR`hb`.em5}Mum\g$.ߊEzsRdw/iktevkK}Y(CpC `gTk2=/AԻ̋x?JfAy"O5;P 1ۥB t\[с -Vk`޸/'gVGF},G2"`M:C{}RZ;8 .yصR}sl;F&(7l0- g|T|'Hq#S,rlciS휥Uc\ADb6On^>j{;I!u% sɑ<%Ejl@2G@Q;EΉвPbfz!U V.jfԷjXWEhG]A{nWIT$km\Yj N \݃ߨr_6{zF: ۻ"pSs mVr]m+S/^GPH(A9CA=%&d)Lź~FP+ kcLi'lWMcjiYM`am7t#K-!&gĖdг6 2nf{QodOԌPӰMϾH6k'_[?H97 /Iy6% %%GoEhPqQAz{qm5h4ɫQi+ VڞX3Z("i5k@wсTثIoSJZ +ȵB25IBm|kЛ$#?0b U<LJV Mm>a=ͻDƙ/;MzSEOe*}ݧ* NG=xgrml;%Y8:xyޛ-, Q켦J]$3jqTN\D?ukX e ,?4l =\W@m̚$UT_ŗ4PZjR5H*+L5Iה(뒜Ul\f!N?OE9JVZf6⒐ɒkEQ@?(I:x ^Achp4Cڲ?FFW/!O5޶Y}JEvZ ɔt-BN jH)+T{mX `>]JϱltҦ;b&C\mnxU՝%X1w9䤍HE [ą8A^y-˷E^|bY*j83;?j#^HPsaـhGshYdr;,ˆ"ͩ:=%"&nF;W,ZTVQi~ (Z( X^g};٘#-ԜdTK.R隠y JȔn/%ʝzC~,wIaKDQ Jz,bTթ?/ ën I vd^@*9dJSo0S*,NE*wEĻ#Z"tleH2<\'!uRy=Nel'licGn)g K ⃾"6G"J$.|~*yxh*/JGHwT)bq QX{݇W*[Nb#k=[:ov #c,;; O!0|izY[ُ&a^جW ;@Q57q}i5[ ;9)]1y|.M0&% אe>3Ŝ,elLu5-# Moވj]b6q9r${Pt"E<Xf~b)|vv+nly,M:= sŸJ,A!}{04.3bKIRW'7Z1yۋ=Qbbp&. 3ZU!EȼՎ6T- S!R֏^Ed%D@I0D 8s4cY) Bn_IɆ ,\1cr`y {̲P`]1$3G%hU}Bw,~xVD~>Vخ8CXӋ刎xkM#]n|ANiXЬ$~nbJܚPCF}p:P5 mݷxfGL0tNivE3ި":wb%Mfv!2T{(&{}mM*S:NPHطlrǔ(LWT!+VBzl;iː}HBm+ؓ$}A,ͰFTl]kJk* @m]HF [3:ٽy|e_cdvG0&_Qщ*tN߫ȅY\_vlnMZ7%Go;nn; ]<U"H=ШYX춦 0cl;QJ:*2#5yb(MGfSH-ǣ_5>&iI:{M-KڲkHg-kG5Ui;}!V*IVU|}uS19W(qe6Uh:U-)\@( txʳW*\w9Kt1{dK]. 05x :'c(c؎0\t(*XHRUA@ QU6+uEDݚ q PFzcG/ܙͻlay^7?l }0EUL&FDԉJn03hr{>eM*7ڔ񻒣 CN˝WV+3ROUGe{;̕bB9jsڷ4(vyaGFm-?{S9id˸Q2yįھ+Bq!R bXLAuM 8}4904ٞ5$O !tg{-Z2 z+4[n 3sEmva6Skil[>%ve٨rGW'M KȔqW2fhP C',eSn<&Ënc/c$tє_Q.%nG;U^LM٢' zE,wZ$r126R {XV9H | CgWBxx<c.fJdŞklz[}~] s*[*[)b !h<ًцhJS>Q@ydKF]/PCpE΃|NOB?Pӛ7-4+h4C*g#t%xnJۼ߾j?}<-:G|Up9" 5. G*x;:3ВMZ7 NqdNH>##PXS)S0:~s.XF|B#A8 =_h۠_ ' AGGGH&A@^w[NX xL>$6.Hf/%'(o~)D:HT,ێ+N '-Ƈp,W1 ?iR/ Efy<}MTXN _/T"p1<^5TZ{M];3N`62>m<)X'OJ"@YO* Xsb-&ƶgzY׀˸Z- .xGt,Trfg/lLH]Ki?p MpnH,~Ȉ dzhOrx,~1lئ]` GB@kb>Ad#7QNbP, ǰ<)}0>&5؈| ,, e:wuuŷsrnD n'P[hb#ڞmJ:hU~ K23EAn3ϥ$ID- bQ&eL#A=6l8Ҽ9E0zYI8 z%!Rh"$`vT#L Z^)7|+Mҙc u&X&|&5Cֹ?|P5=b$Y$G:tQ oʢqu;cTݰ.*x|ϢH)A*Ds-V0q#ٻ5Bpi!F]V'`#QT$BCɽRhgb'Gˮ[ Cuc"^a]ȢƱoт AW;|OrE}6CX,//6.sj .۾Vߴ[R(9^L._zP0Qi*t{+*m͂I gZEԀ~4{Sb:bu)5@Aȉ* 7.oA'0j>>[V<ĕ1.s[qjEv '&>$5nTĂikA" *vQJ%ԭ[j"^1N-">OZ4*fڃx5`.Nz_f[$(PӜCu}\JIZ1n4>W҂ɧUņ6Z>ƑW74L>OG oke)Z-4[7Eng{ K~^.VL^*a*8*t3,W(heȰB8WF_aCbE6c~$;!oS F|'8gX?J Dm"B}҆'T+{I$\-J@xl X-ԺEk(MjpZ>D-gE.–1.^w³#A OnDX(QgYLD 6uZ4YPdASSդOx2)9A6៥rq%e YBlɒ"4l$Fpz2$PIL34 k[ێ \2yMC: J TcCENŧã\6f9E6P΃\f>ppKx)Q^: wJ\fxa*KĠXPdu]; _s?FDFϱ ̀%ԭ;֬׿ۈp>ZbYg,Xb|A MwbMZ"^?"ua':vRԙjZ>0f8"_!{΁BNfN:kN.$-^z9luܿ@aFդúmZVf o7{YOXU!q S9(فo@SNbv*.֭ww/*:Wg*zL5[Q3Z8r1R,-d®q.s!sB V< }9ߺ*ji(JL W@P&0~hc4T :;3s\bo?I8*2?D3z쯵m-F_68+M/%A®Z_#Wfhwm*Ou fRv k31rOp)hccDw^rϰ?y%f^n+NY5DllFMFL! mw:A;4=IiC( VxU3?NQ Рp1Z8 43?kYcMU rvNkGHF\B/D0b%2&m叚ڻ%auOPlq!u|Yl&2&{zTJ])oMa߁@=03'&]}ŠhRҞZMa/h\l|m1I޸_ T* DeX`Px!Q(|֍ 2X`lK۬ksݴ|A!KKә!dmq<뤳r3J<'0)ӱ3V'ͫEOwJҴ(c_']}+EʵOB:D0EN$"Qf 7o;TkFV|Qژra6x_z>tz\@.} )HC 12&@`sμ;XnljL قP Yֹn0^CNsz_ѫa~!}18_(\WIx3A"ciyOJ뭚HLIxtŦ'>*Zl{2Y~̢ʀ{C(MZJGn+h+^͍[`qZz3@ X96_.H5x$B@O[CsX;~2)qD7 B9VdyQ&<]b~iD/1}MsL#mLK%ϘwQbH{~?t '9"^h zjNգרx'INnJ[oץȾo%3iĺ!ȫOTM%KjP4-9癊nd\cVPo, P'o g` Z~! s΃ Ϊ [d RdEiv);:D(7 Bd{LRmi(@*[\5Ǫ ^nA|%=F,R\8*>#ZTJ`KpD T .\qX jOL6=}LX'crG!)=7)$ڣm5F4֕ٮǘXF1HpԻvwkkn(!Mf'r<3 w8rLiɻFnaԍZ84Q_@v>*}U՘J`.MYiOyT_ PΈ>@tGL-#'ٕ&av-b=++ ˷2FC m"Ifx42'XRB6 \ߦmTwW7}<nծ~do?-N N/>n ex-iyY- v%YKϯ)#jD(+E#P՟ȥAd *nF/v-⿑ CVp>LbkYt%.2Kf35XLހ22"JۚTIJ\O#?/'b#:[+ p !{7+S޺o?B,uۓPQFez2+An#>v%s<mR'SFӥֶvd!)p/r%f#Wghv$L9b}L<:(jRvPW`Og *Z2n" *y$sWڧ 3q־G|YmŶ o,taL%vMCĽ>LA-\ HȔC?P|A&.] {<'C(z.KpYvJdt U6/~av2J!c$% [ecws B~7,E?)Ո:hJ]f(Bۍz`nut@cE3)m9Ύjɣ޽q+ #[suڟoByc\J:"N J.Spvru̯)+rWYRPma;j%~*h/:Y~sV eevu=(K1.@ N"`QEdF`tDAi#"gT;O+) E$Y/{ۭM wkdʨ_Fssou8'blm ]{γ"uZw\"#"כdjb 8K)E:;R1f+T[z Rwa% %?!Z"1 C< Ysfƀrr 1UHݐt<ٽu9/E] N=LRJ EwE`bQOg1d *1x~yW\n \(L4)ܛ0 O"݉w*? I`d=9 p]-$wO=n-Q-@ 6?Ȋ]!g/-s5& efd8_Y_1bN o`帻]D90+nt#5oI՜C̊DT.PZzXik7tG-Y{ϱP3z-r >C>S[PZuY$r.bb߄i|%ĭI=,Nuыt}xYJ  N1 3{ f5H^U8]?zySh?uh,Kqg!/N*:uJi =>%ٺDKWKblws<"fy$Q̫yF@J %DzjE8C[tH'6{4FL%,`uYڎʮ K@sBxsǕ9Ssyh3!O#PTyq#~|XH~8*zU2PAr?6üq꜑כh"+9Vu|MQ&Z,)@@W^z6;TchLɬ鯁A~8yHh^7gIw5a+r$I5Y5g;fэ9:;{ênSui'W_\ڏANv["+!!_+}ã|~&1^{)z.QZyj[HHXe|z:XæL:+4k8qPQ*ݐ|D=˪ʄ[Ia}tk*{cp[ge\2*F}2 d'Thz=ڿC+:d3fNJvyd"rO򑵈8qt ȷ@J ΈNMMXv;-h| Xݘ+nt JR:*w;V;tHAR2" Й. nU VKB龪nQH+`psΣFPEyҫ/($#~\ɊvN9dRMbc[7Nq |zc6 tV{6*s@d~bRsR&OPd0iFgBuUzqi~D}JO)?ڭ!yrt ENt`[cymL 8,R#e;%/֠ _h;7~H{tyd|\c܅:Y3d '/S K} ⬔?J!JLMDXȟ~ a\ЖQɬU':<?#%[KW~Vrb6`]3W#`vv*lC""cԗthōA]Z0x#Up4kҶ&r.50[oÞeQoc/r, 39҈Jxcp hfyqA-LaNAq_6-,V-y5S]®vAH j%Dtjԣ~bf|-)Qㅙ"Qxn0RRMX# )p |U=W؃zH8l8+oJRHkrQV0o} 57PòWLtYɲs^?2u46{ ԛcG7ׁaq [ RWFK6=tOkb#⼟U//juZ!3矣di|J 督27o"̤J"d uR|{ѓbٍR!$Ygao`W|iw^[.YGY\ ?Ys kd҅V^Z:`C1e^+qȺ"w:0l=&M&k%`MT r۹9͕;lcjy4[Ĩy8Eili:2jשw:l^[(7Xmk3¢#n1]wk].ToaIIxYNW[+aU9I"!Q$73;l=&cXֳvKR6,=_.{^-.ܟ"V_[.MÆ3Q`8T!\,:L=;.$=8?"Eƾ<-!R#0%di'O\~|*o?= eo\4ϓZ(~TM媊ʄm ӆl ^++ksVK7cڑ:pߴV;ʌԱ=A\}aO9LeyC/2w RS!0 ]fI擮Ŋ>g<;ȕn)wxG% kkS{xt?`q$S#Y_E ©[]BW%ekRV7/D=Yf\W`8nLJIIllxMq'OEȯ=JoRT*I8$ D2kuuG ߧw YZ