Name: pdns-backend-remote
Version: 4.1.8
Release: lp151.2.9.1
Summary: Remote backend for pdns
Description: The PowerDNS Nameserver is an authoritative-only nameserver. It conforms to contemporary DNS standards documents. This package holds the remote backend for pdns.
Build host: lamb58
Distribution: openSUSE Leap 15.1
Vendor: openSUSE
License: GPL-2.0-only
Bug reports: http://bugs.opensuse.org
Group: Productivity/Networking/DNS/Servers
URL: https://www.powerdns.com/
OS/Arch: linux / x86_64
Source RPM: pdns-4.1.8-lp151.2.9.1.src.rpm
RPM version: 4.14.1

Provides:
  libremotebackend.so()(64bit)
  pdns-backend-remote
  pdns-backend-remote(x86-64)

Requires:
  libc.so.6()(64bit)
  libc.so.6(GLIBC_2.14)(64bit)
  libc.so.6(GLIBC_2.15)(64bit)
  libc.so.6(GLIBC_2.2.5)(64bit)
  libc.so.6(GLIBC_2.3.4)(64bit)
  libc.so.6(GLIBC_2.4)(64bit)
  libgcc_s.so.1()(64bit)
  libgcc_s.so.1(GCC_3.0)(64bit)
  libstdc++.so.6()(64bit)
  libstdc++.so.6(CXXABI_1.3)(64bit)
  libstdc++.so.6(CXXABI_1.3.9)(64bit)
  libstdc++.so.6(GLIBCXX_3.4)(64bit)
  libstdc++.so.6(GLIBCXX_3.4.11)(64bit)
  libstdc++.so.6(GLIBCXX_3.4.15)(64bit)
  libstdc++.so.6(GLIBCXX_3.4.20)(64bit)
  libstdc++.so.6(GLIBCXX_3.4.21)(64bit)
  libstdc++.so.6(GLIBCXX_3.4.9)(64bit)
  libzmq.so.5()(64bit)
  pdns (4.1.8)
  rpmlib(CompressedFileNames) (3.0.4-1)
  rpmlib(FileDigests) (4.6.0-1)
  rpmlib(PayloadFilesHavePrefix) (4.0-1)
  rpmlib(PayloadIsXz) (5.2-1)

Changelog authors: Adam Majer, Vítězslav Čížek, Michael Ströder, Dirk Mueller
Changelog:

- CVE-2020-17482.patch: fixed an error that can result in leaking of uninitialised memory through crafted zone records (CVE-2020-17482, bsc#1176535)

- pdns_maxmind.patch: backport support for MaxMindDB

- Build with libmaxminddb instead of the obsolete GeoIP (bsc#1156196)

- CVE-2019-10162.patch: fixes a denial of service but when authorized user to cause the server to exit by inserting a crafted record in a MASTER type zone under their control. (bsc#1138582, CVE-2019-10162)
- CVE-2019-10163.patch: fixes a denial of service of slave server when an authorized master server sends large number of NOTIFY messages (bsc#1138582, CVE-2019-10163)
- CVE-2019-10203.patch: update postgresql schema to address a possible denial of service by an authorized user by inserting a crafted record in a MASTER type zone under their control.
  (bsc#1142810, CVE-2019-10203)
  To fix the issue, run the following command against your PostgreSQL pdns database:
    ALTER TABLE domains ALTER notified_serial TYPE bigint USING CASE WHEN notified_serial >= 0 THEN notified_serial::bigint END;

- Update to 4.1.8
  * #7604: Correctly interpret an empty AXFR response to an IXFR query,
  * #7610: Fix replying from ANY address for non-standard port,
  * #7609: Fix rectify for ENT records in narrow zones,
  * #7607: Do not compress the root,
  * #7608: Fix dot stripping in `setcontent()`,
  * #7605: Fix invalid SOA record in MySQL which prevented the authoritative server from starting,
  * #7603: Prevent leak of file descriptor if running out of ports for incoming AXFR,
  * #7602: Fix API search failed with “Commands out of sync; you can’t run this command now”,
  * #7509: Plug `mysql_thread_init` memory leak,
  * #7567: EL6: fix `CXXFLAGS` to build with compiler optimizations.

- Update to 4.1.7 with a security fix:
  * Insufficient validation in the HTTP remote backend (bsc#1129734, CVE-2019-3871)

- Update to 4.1.6
  * Prevent more than one CNAME/SOA record in the same RRset

- adjust buildrequires for mariadb 10.2.x on SLES

- Update to 4.1.5
  * Improvements
    - Apply alias scopemask after chasing
    - Release memory in case of error in the openssl ecdsa constructor
    - Switch to devtoolset 7 for el6
  * Bug Fixes
    - Crafted zone record can cause a denial of service (bsc#1114157, CVE-2018-10851)
    - Packet cache pollution via crafted query (bsc#1114169, CVE-2018-14626)
    - Fix compilation with libressl 2.7.0+
    - Actually truncate truncated responses

- Update to 4.1.4
  - Improvements
    * #6590: Fix warnings reported by gcc 8.1.0.
    * #6632, #6844, #6842, #6848: Make the gmysql backend future-proof
    * #6685, #6686: Initialize some missed qtypes.
  - Bug Fixes
    * #6780: Avoid concurrent records/comments iteration from running out of sync.
    * #6816: Fix a crash in the API when adding records.
    * #4457, #6691: pdns_control notify: handle slave without renotify properly.
    * #6736, #6738: Reset the TSIG state between queries.
    * #6857: Remove SOA-check backoff on incoming notify and fix lock handling.
    * #6858: Fix an issue where updating a record via DNS-UPDATE in a child zone that also exists in the parent zone, we would incorrectly apply the update to the parent zone.
    * #6676, #6677: Geoipbackend: check geoip_id_by_addr_gl and geoip_id_by_addr_v6_gl return value. (Aki Tuomi)

- Use HTTPS links in .spec file like mentioned in PowerDNS announcements
- removed obsolete 6370.patch
- Update to 4.1.3
  - Improvements
    * #6239, #6559: pdnsutil: use new domain in b2bmigrate (Aki Tuomi)
    * #6130: Update copyright years to 2018 (Matt Nordhoff)
    * #6312, #6545: Lower ‘packet too short’ loglevel
  - Bug Fixes
    * #6441, #6614: Restrict creation of OPT and TSIG RRsets
    * #6228, #6370: Fix handling of user-defined axfr filters return values
    * #6584, #6585, #6608: Prevent the GeoIP backend from copying NetMaskTrees around, fixes slow-downs in certain configurations (Aki Tuomi)
    * #6654, #6659: Ensure alias answers over TCP have correct name

- Update to 4.1.2
  - Improvements
    * API: increase serial after dnssec related updates
    * Auth: lower ‘packet too short’ loglevel
    * Make check-zone error on rows that have content but shouldn’t
    * Auth: avoid an insane amount of new backend connections during an axfr
    * Report unparseable data in stoul invalid_argument exception
    * Backport: recheck serial when axfr is done
    * Backport: add tcp support for alias
  - Bug Fixes
    * Auth: allocate new statements after reconnecting to postgresql
    * Auth-bindbackend: only compare ips in ismaster() (Kees Monshouwer)
    * Rather than crash, sheepishly report no file/linenum
    * Document undocumented config vars
    * Backport #6276 (auth 4.1.x): prevent cname + other data with dnsupdate
  - misc
    * Move includes around to avoid boost L conflict
    * Backport: update edns option code list
    * Auth: link dnspcap2protobuf against librt when needed
    * Fix a warning on botan >= 2.5.0
    * Auth 4.1.x: unbreak build
    * Dnsreplay: bail out on a too small outgoing buffer (CVE-2018-1046 bsc#1092540)

- add patch for upstream issue #6228 https://patch-diff.githubusercontent.com/raw/PowerDNS/pdns/pull/6370.patch

- geoip not available on SLE15 but protobuf support is available.

- Update to version 4.1.1: bug-fix only release, with fixes to the LDAP and MySQL backends, the pdnsutil tool, and PDNS internals

- Update to version 4.1.0:
  + Recursor passthrough removal. Migration plans for users of recursor passthrough are in documentation and available at, https://doc.powerdns.com/authoritative/guides/recursion.html
  + Improved performance: 4x speedup in some scenarios
  + Crypto API: DNSSEC fully configurable via RESTful API
  + Database: enhanced reconnection logic solving problems associated with idle disconnection from database servers.
  + Documentation improvements
  + Support for TCP Fast Open
  + Removed deprecated SOA-EDIT values: INCEPTION and INCEPTION-WEEK
- pkgconfig(krb5) is now always required for building LDAP backend
- pdns-4.0.4_mysql-schema-mariadb.patch: removed, upstreamed

- package schema files in ldap subpackage

- Update to version 4.0.5:
  + fixes CVE-2017-15091: Missing check on API operations
  + Bindbackend: do not corrupt data supplied by other backends in getAllDomains
  + For create-slave-zone, actually add all slaves, and not only first n times
  + Check return value for all getTSIGKey calls.
  + Publish inactive KSK/CSK as CDNSKEY/CDS
  + Treat requestor’s payload size lower than 512 as equal to 512
  + Correctly purge entries from the caches after a transfer
  + LuaWrapper: Allow embedded NULs in strings received from Lua
  + Stubresolver: Use only recursor setting if given
  + mydnsbackend: Add getAllDomains
  + LuaJIT 2.1: Lua fallback functionality no longer uses Lua namespace
  + gpgsql: make statement names actually unique
  + API: prevent sending nameservers list and zone-level NS in rrsets

- Ensure descriptions are neutral. Remove ineffective --with-pic.
- Do not ignore errors from useradd.
- Trim idempotent %if..%endif around %package.

- Added pdns.keyring linked from https://dnsdist.org/install.html

- Don't BuildRequire Botan 1.x which will be dropped (bsc#1055322)
  * upstream support for Botan was dropped in favor of OpenSSL, see https://blog.powerdns.com/2016/07/11/powerdns-authoritative-server-4-0-0-released

- This makes the schema fit storage requirements of various mysql/mariadb versions. pdns-4.0.4_mysql-schema-mariadb.patch
- preset uid and gid in configuration

- fixed use of pdns_protobuf

- update to 4.0.4
  - fixes ed25519 signer. This signer hashed the message before signing, resulting in unverifiable signatures.
  - send a notification to all slave servers after every dnsupdate
  for complete list of changes, see https://blog.powerdns.com/2017/06/23/powerdns-authoritative-server-4-0-4-released/

- added pdns-4.0.3_allow_dacoverride_in_capset.patch: Adding CAP_DAC_OVERRIDE to fix startup problems with sqlite3 backend

- use individual libboost-*-devel packages instead of boost-devel

- update to 4.0.3 which obsoletes b854d9f.diff

- b854d9f.diff: revert upstream change that caused a regression with multiple-backends

- update to 4.0.2: The following security issues were fixed:
  - 2016-02: Crafted queries can cause abnormal CPU usage (CVE-2016-7068, boo#1018326)
  - 2016-03: Denial of service via the web server (CVE-2016-7072, boo#1018327)
  - 2016-04: Insufficient validation of TSIG signatures (CVE-2016-7073, CVE-2016-7074, boo#1018328)
  - 2016-05: Crafted zone record can cause a denial of service (CVE-2016-2120, boo#1018329)
  For complete changelog, see https://doc.powerdns.com/md/changelog/#powerdns-authoritative-server-402

- BuildRequire pkgconfig(libsystemd) instead of pkgconfig(libsystemd-daemon): these libs were merged in systemd 209 times.
  The build system is capable of finding either one.

- update to 4.0.1
  Bug fixes
  - #4126 Wait for the connection to the carbon server to be established
  - #4206 Don't try to deallocate empty PG statements
  - #4245 Send the correct response when queried for an NSEC directly (Kees Monshouwer)
  - #4252 Don't include bind files if length <= 2 or > sizeof(filename)
  - #4255 Catch runtime_error when parsing a broken MNAME
  Improvements
  - #4044 Make DNSPacket return a ComboAddress for local and remote (Aki Tuomi)
  - #4056 OpenSSL 1.1.0 support (Christian Hofstaedtler)
  - #4169 Fix typos in a logmessage and exception (Christian Hofstaedtler)
  - #4183 pdnsutil: Remove checking of ctime and always diff the changes (Hannu Ylitalo)
  - #4192 dnsreplay: Only add Client Subnet stamp when asked
  - #4250 Use toLogString() for ringAccount (Kees Monshouwer)
  Additions
  - #4133 Add limits to the size of received {A,I}XFR (CVE-2016-6172)
  - #4142 Add used filedescriptor statistic (Kees Monshouwer)

- update to 4.0.0
  https://blog.powerdns.com/2016/07/11/powerdns-authoritative-server-4-0-0-released/
  https://blog.powerdns.com/2016/07/11/welcome-to-powerdns-4-0-0/
- packaging changes:
  - remotebackend split out now
  - enabled experimental_gss_tsig support
  - enabled protobuf based stats support
  - no more xdb and lmdb backend
  - added odbc backend where supported
- drop pdns-3.4.0-no_date_time.patch: replaced with --enable-reproducible

- update to 3.4.9
  * use OpenSSL for ECDSA signing where available
  * allow common signing key
  * Add a disable-syslog setting
  * fix SOA caching with multiple backends
  * whitespace-related zone parsing fixes [ticket #3568]
  * bindbackend: fix, set domain in list()

- update to 3.4.8
  * Use AC_SEARCH_LIBS (Ruben Kerkhof)
  * Check for inet_aton in libresolv (Ruben Kerkhof)
  * Remove hardcoded -lresolv, -lnsl and -lsocket (Ruben Kerkhof)
  * pdnssec: don't check disabled records (Pieter Lexis)
  * pdnssec: check all records (including disabled ones) only in verbose mode (Kees Monshouwer)
  * trailing dot in DNAME content (Kees Monshouwer)
  * Fix luabackend compilation on FreeBSD i386 (RvdE)
  * silence g++ 6.0 warnings and error (Kees Monshouwer)
  * add gcc 5.3 and 6.0 support to boost.m4 (Kees Monshouwer)

- update to 3.4.7
  Bug fixes:
  * Ignore invalid/empty TKEY and TSIG records (Christian Hofstaedtler)
  * Don't reply to truncated queries (Christian Hofstaedtler)
  * don't log out-of-zone ents during AXFR in (Kees Monshouwer)
  * Prevent XSS by escaping user input. Thanks to Pierre Jaury and Damien Cauquil at Sysdream for pointing this out.
  * Handle NULL and boolean properly in gPGSql (Aki Tuomi)
  * Improve negative caching (Kees Monshouwer)
  * Do not divide timeout twice (Aki Tuomi)
  * Correctly sort records with a priority.
  Improvements:
  * Direct query answers and correct zone-rectification in the GeoIP backend (Aki Tuomi)
  * Use token names to identify PKCS#11 keys (Aki Tuomi)
  * Fix typo in an error message (Arjen Zonneveld)
  * limit NSEC3 iterations in bindbackend (Kees Monshouwer)
  * Initialize minbody (Aki Tuomi)
  New features:
  * OPENPGPKEY record-type (James Cloos and Kees Monshouwer)
  * add global soa-edit settings (Kees Monshouwer)

- update to 3.4.6 [boo#943078] CVE-2015-5230
  Bug fixes:
  * Avoid superfluous backend recycling
  * Removal of dnsdist from the authoritative server distribution
  * Add EDNS unknown version handling and tests EDNS unknown version handling
  Improvements:
  * Update YaHTTP to v0.1.7
  * Make trailing/leading spaces stand out in pdnssec check_zone
  * GCC 5.2 support and sync boost.m4 macro with upstream
  * Log answer packets only if log-dns-details is enabled

- update to 3.4.5
  Bug fixes:
  * be careful reading empty lines in our config parser and prevent integer overflow.
  * prevent crash after --list-modules (Ruben Kerkhof)
  * Limit the maximum length of a qname
  Improvements:
  * Support /etc/default for our debian/ubuntu packages (Aki Tuomi)
  * Our Boost check doesn't recognize gcc 5.1 yet (Ruben Kerkhof)
  * Various PKCS#11 fixes and improvements (Aki Tuomi)
  * Several fixes for building on OpenBSD (Florian Obser)
  * Fix several issues found by Coverity (Aki Tuomi)
  * Look for mbedtls before polarssl (Ruben Kerkhof)
  * Detect Lua on OpenBSD (Ruben Kerkhof)
  * Let pkg-config determine botan dependency libs (Ruben Kerkhof)
  * kill some further mallocs and add note to remind us not to add them back
  * Move remotebackend-unix test socket to testsdir (Aki Tuomi)
  * Defer launch of coprocess until first question (Aki Tuomi)
  * pdnssec: check for glue and delegations in parent zones (Kees Monshouwer)

- no longer ship dnsdist here, we will ship a new package based on the snapshots from http://dnsdist.org/

- update to 3.4.4 with a fix for CVE-2015-1868 (boo# 927569)
  Bug fixes:
  - commit ac3ae09: fix rectify-(all)-zones for mixed case domain names
  - commit 2dea55e, commit 032d565, commit 55f2dbf: fix CVE-2015-1868
  - commit 21cdbe5: Blocking IO in busy-wait for remote backend (Wieger Opmeer)
  - commit cc7b2ac: fix double dot for root MX/SRV in bind slave zone files (Kees Monshouwer)
  - commit c40307b: Properly lock lmdb database, fixes ticket #1954 (Aki Tuomi)
  - commit 662e76d: Fix segfault in zone2lmdb (Ruben Kerkhof)
  New Features:
  - commit 5ae212e: pdnssec: warn for insecure wildcards in opt-out zones
  - commits cd3f21c, 8b582f6, 0b7e766, f743af9, dcde3c8 and f12fcf7: TKEY record type (Aki Tuomi)
  - commits 0fda1d9, 3dd139d, ba146ce, 25109e2, c011a01, 0600350, fc96b5e, 4414468, c163d41, f52c7f6, 8d56a31, 7821417, ea62bd9, c5ababd, 91c8351 and 073ac49: Many PKCS#11 improvements (Aki Tuomi)
  - commits 6f0d4f1 and 5eb33cb: Introduce xfrBlobNoSpaces and use them for TSIG (Aki Tuomi)
  Improvements:
  - commit e4f48ab: allow "pdnssec set-nsec3 ZONE" for insecure zones;
    this saves on one rectify when securing a NSEC3 zone
  - commits cce95b9, e2e9243 and e82da97: Improvements to the config-file parsing (Aki Tuomi)
  - commit 2180e21: postgresql check should not touch LDFLAGS (Ruben Kerkhof)
  - commit 0481021: Log error when remote cannot do AXFR (Aki Tuomi)
  - commit 1ecc3a5: Speed improvements when AXFR is disabled (Christian Hofstaedtler)
  - commits 1f7334e and b17799a: NSEC3 and related RRSIGS are not part of the dnstree (Kees Monshouwer)
  - commits dd943dd and 58c4834: Change ifdef to check for __GLIBC__ instead of __linux__ to prevent errors with other libc's (James Taylor)
  - commit c929d50: Try to raise open files before dropping privileges (Aki Tuomi)
  - commit 69fd3dc: Add newline to carbon error message on auth (Aki Tuomi)
  - commit 3064f80: Make sure we send servfail on error (Aki Tuomi)
  - commit b004529: Ship lmdb-example.pl in tarball (Ruben Kerkhof)
  - commit 9e6b24f: Allocate TCP buffer dynamically, decreasing stack usage
  - commit 267fdde: throw if getSOA gets non-SOA record

- update to 3.4.3
  Bug fixes:
  - [commit ceb49ce] pdns_control: exit 1 on unknown command (Ruben Kerkhof)
  - [commit 1406891]: evaluate KSK ZSK pairs per algorithm (Kees Monshouwer)
  - [commit 3ca050f]: always set di.notified_serial in getAllDomains (Kees Monshouwer)
  - [commit d9d09e1]: pdns_control: don't open socket in /tmp (Ruben Kerkhof)
  New features:
  - [commit 2f67952]: Limit who can send us AXFR notify queries (Ruben Kerkhof)
  Improvements:
  - [commit d7bec64]: respond REFUSED instead of NOERROR for "unknown zone" situations
  - [commit ebeb9d7]: Check for Lua 5.3 (Ruben Kerkhof)
  - [commit d09931d]: Check compiler for relro support instead of linker (Ruben Kerkhof)
  - [commit c4b0d0c]: Replace PacketHandler with UeberBackend where possible (Christian Hofstaedtler)
  - [commit 5a85152]: PacketHandler: Share UeberBackend with DNSSECKeeper (Christian Hofstaedtler)
  - [commit 97bd444]: fix building with GCC 5
  Experimental API changes (Christian Hofstaedtler):
  - [commit ca44706]: API: move shared DomainInfo reader into its own function
  - [commit 102602f]: API: allow writing to domains.account field
  - [commit d82f632]: API: read and expose domain account field
  - [commit 2b06977]: API: be more strict when parsing record contents
  - [commit 2f72b7c]: API: Reject unknown types (TYPE0)
  - [commit d82f632]: API: read and expose domain account field

- set $LD for now. this fixes the configure check for relro,now.

- remove custom PIE handling. upstream does it for us now.

- update to 3.4.2
  This is a performance and bugfix update to 3.4.1 and any earlier version. For high traffic setups, including those using DNSSEC, upgrading to 3.4.2 may show tremendous performance increases.
  A list of changes since 3.4.1 follows. Please see the full clickable changelog at https://doc.powerdns.com/md/changelog/#powerdns-authoritative-server-342
- move man pages to section 1 to follow upstream change

- disable botan and geoip on SLE_12 because of missing dependencies.

- Fixed broken _localstatedir

- fix bashisms in pre script

- update to version 3.4.1
  Changes since 3.4.0:
  * commit dcd6524, commit a8750a5, commit 7dc86bf, commit 2fda71f: PowerDNS now polls the security status of a release at startup and periodically. More detail on this feature, and how to turn it off, can be found in Section 2, “Security polling”.
  * commit 5fe6dc0: API: Replace HTTP Basic auth with static key in custom header (X-API-Key)
  * commit 4a95ab4: Use transaction for pdnssec increase-serial
  * commit 6e82a23: Don't empty ordername during pdnssec increase-serial
  * commit 535f4e3: honor SOA-EDIT while considering "empty IXFR" fallback, fixes ticket 1835.
    This fixes slaving of signed zones to IXFR-aware slaves like NSD or BIND.

- only enable geoip backend on distros newer than 12.3 before the package lacks the pkg-config file and there is no fallback to finding geoip without it.

- fix permissions of the home directory

- enable some backends that we had forgotten:
  - pipe (main package)
  - random (main package)
  - geoip (new subpackage)
- new BR: yaml-cpp-devel and GeoIP-devel

Build cookie: lamb58 1600868724
File: /usr/lib64/pdns/libremotebackend.so
File type: ELF 64-bit LSB shared object, x86-64, version 1 (GNU/Linux), dynamically linked, BuildID[sha1]=3d3bf874c865074fc958dff337b9be51d5f3b02e, stripped
Build flags: -fmessage-length=0 -grecord-gcc-switches -O2 -Wall -D_FORTIFY_SOURCE=2 -fstack-protector-strong -funwind-tables -fasynchronous-unwind-tables -fstack-clash-protection -g
Dist URL: obs://build.opensuse.org/openSUSE:Maintenance:13121/openSUSE_Leap_15.1_Update/09357eebd4b440097887cd3db35b8206-pdns.openSUSE_Leap_15.1_Update
Payload compressor: xz
Platform: x86_64-suse-linux
Encoding: utf-8